AOS-W 6.2 Command-Line Reference Guide

0510949-01

OAW-4x50 AOS-W v6.2 CLI Reference Guide
AOS-W 6.2 Command-Line Interface

Reference Guide

Copyright Information
© 2013 Alcatel-Lucent. All rights reserved.
Specifications in this manual are subject to change without notice.
Originated in the USA.
AOS-W, Alcatel 4302, Alcatel 4304, Alcatel 4306, Alcatel 4308, Alcatel 4324, Alcatel 4504, Alcatel 4604, Alcatel 4704, Alcatel 6000, OAW-AP41, OAW-AP68, OAW-AP60/61/65, OAW-AP70, OAW-AP80, OAW-AP92/93, OAWAP105, OAW-AP120/121, OAW-AP124/125, OAW-AP175, OAW-IAP92/93/105, OAW-RAP2, OAW-RAP5, and Omnivista 3600 Air Manager are trademarks of Alcatel-Lucent in the United States and certain other countries.
Any other trademarks appearing in this manual are the property of their respective companies. Includes software from Litech Systems Design. The IF-MAP client library copyright 2011 Infoblox, Inc. All rights reserved. This product includes software developed by Lars Fenneberg et al.
Legal Notice
The use of Alcatel-Lucent switching platforms and software, by all individuals or corporations, to terminate Cisco or Nortel VPN client devices constitutes complete acceptance of liability by that individual or corporation for this action and indemnifies, in full, Alcatel-Lucent from any and all legal actions that might be taken against it with respect to infringement of copyright on behalf of Cisco Systems or Nortel Networks.

0510950-01 | March 2013

Introduction

The AOS-W 6.2 command line interface (CLI) allows you to configure and manage your switches. The CLI is accessible from a local console connected to the serial port on the switches or through a Telnet or Secure Shell (SSH) session from a remote management console or workstation.
Telnet access is disabled by default. To enable Telnet access, enter the telnet cli command from a serial connection or an SSH session, or in the WebUI navigate to the Configuration > Management > General page.

What's New In AOS-W 6.2.1.0
The following commands have been modified in the AOS-W 6.2.1.0 command line interface.

Command

Description

provision-ap
ap provisioning-profile

AOS-W 6.2.1.0 introduces the cellular_nw_preference parameter for provisioning a multimode USB modem for a remote AP. These changes simplify modem provisioning for both 3G and 4G networks. The previous modem configuration procedure required that you define a driver for a 3G modem in the USB modem field in the AP provisioning profile, or define a driver for a 4G modem in the 4G USB type field. Starting with AOS-W 6.2.1.0, you can configure drivers for either a 3G or a 4G modem using the USB field, and the 4G USB Type field is deprecated.

What's New In AOS-W 6.2.0.0
The following commands have been added in the AOS-W 6.2 command line interface.

Command

Description

aaa user monitor

This command checks to see whether an authenticated user's attributes differ from those in the SOS.

ap debug radio-event-log

Starts and stops radio event log capture for debugging purposes, and sends a pktlog file to a dump server in the case of stop.

ap debug radio-registers dump

Allows you to collect all or specific radio register log files into a separate file.

ap lldp med-network-policy-profile

Define an LLDP MED network policy profile that defines DSCP values and L2 priority levels for a voice or video application.

ap lldp profile

Link Layer Discovery Protocol (LLDP) is a Layer-2 protocol that allows network devices to advertise their identity and capabilities on a LAN. Wired interfaces on APs support LLDP by periodically transmitting LLDP Protocol Data Units (PDUs) comprised of type-length-value (TLV) elements.

ap packet-capture

Replaces the pcap command and includes open-port and close-port subcommands for allowing packet monitoring by port.

ap remove-r1-key

This command removes the r1 key from an AP.

clock append

This command enables the timestamp feature, adding a date and time to the output of show commands.

firewall-visibility

This command enables or disables the policy enforcement firewall visibility feature.

interface-profile voip-profile

This command creates a VoIP profile that can be applied to any interface or an interface group.

lcd-menu

This command allows you to enable or disable the LCD menu either completely or for specific operations.

show ap radio-summary

Displays AP radios registered to this switch.

show ap remote debug r1_key

This command displays all the r1 keys that are stored in an AP.

show fast-roaming-r1efficiency

This command displays the hit/miss rate of r1 keys cached on an AP before Fast BSS transition roaming.

show firewall-visibility

This command displays the policy enforcement firewall visibility process state and status information.

show gap-debug

This command displays the troubleshooting information for the global AP database.

show iap table

This command displays the details of the branch Instant AP network information connected to the switch.

show interface-profile voip-profile

This command displays the specified VoIP profile configuration information.

show wlan bcn-rpt-req-profile

This command shows configuration and other information about the parameters for the Beacon Report Request frames.

show wlan handover-trigger-profile

This command displays the current configuration settings for a handover trigger profile.

show wlan tsm-req-profile

This command shows configuration and other information about the Traffic Stream Measurement.

threshold

This command configures switch capacity thresholds which, when exceeded, will trigger alerts.

wlan bcn-rpt-req-profile

This command configures a Beacon Report Request Profile to provide the parameters for the Beacon Report Request frames.

Description

Configure a handover trigger profile to ensure QoS for voice calls.

wlan rrm-ie-profile

This command configures a radio resource management (RRM) IE profile to define the information elements advertised by an AP with 802.11k support enabled.

wlan tsm-req-profile

This command configures a TSM Report Request Profile.

Modified Commands
The following commands were modified in AOS-W 6.2.

Command

Parameter Description

aaa authentication mgmt

The option to enable mschapv2 was added.

aaa authentication via connection-profile

The following parameters were added:
- allow-whitelist-traffic
- auto-launch-supplicant
- banner-message-reappear
- enable-fips
- enable-supplicant
- whitelist

aaa authentication-server radius

The following support was added:
- enable-ipv6 and nas-ip6 parameters to specify an IPv6 host address for the host parameter.
- mac-lowercase to send MAC addresses in lowercase format.

aaa authentication-server tacacs

IPv6 support was added for TACACS server. You can now specify an IPv6 host address for the host parameter.

copy

The following parameters were added:
- usb: partition <partition-number>
- usb: partition <partition-number> <filename>

firewall

The following parameters were added:
- enable-bridging
- prevent-dhcp-exhaustion

firewall cp

The following parameters were added:
- permit <ip-addr><ip-mask>
- deny <ip-addr>
- any
- host
- ftp, http, https, icmp, snmp, ssh, telnet and tftp

interface vlan ipv6 address

The nd parameter for configuring IPv6 neighbor discovery and IPv6 router advertisement options was introduced.

ip mobile proxy

The re-home parameter is deprecated as the re-homing functionality is no longer available.

mgmt-user

The rcp (Revocation Checkpoint) parameter was added. The rcp checks the revocation status of the SSH user's client certificate before permitting access.

provision-ap
sch-mode-radio-0 | sch-mode-radio-1

If you are provisioning an 802.11n-capable AP, issue the sch-mode-radio-0 or sch-mode-radio-1 command to enable single-chain mode for the selected radio. AP radios in single-chain mode will transmit and receive data using only legacy rates and single-stream HT rates up to MCS 7. This setting is disabled by default.

rf arm-profile

Channel quality percentage below which ARM initiates a channel change.

rf arm-profile

If channel quality is below the specified channel quality threshold for this wait time period, ARM initiates a channel change.

service

The dhcpv6 parameter is introduced. This command enables DHCPv6 service on the switch.

show ap debug counters

Added AP crash information.

show ap debug system-status

Added CPU usage statistics.

show ap remote debug mgmtframes

Added deauthentication reason explanation to output table.

show datapath

The following parameters were added:
- network ingress
- internal dir
- error counters
- debug opcode
- trace-route
- ip-fragment

show ap debug system-status

Added parameters to display Control-Plane security, OSPF, SAPM, Station Management low priority, syslog database, user database, and wireless management statistics.

show mgmt-users

The Revocation Checkpoint (rcp) appears in the output.

show storage

Information detailing attached USB storage devices now appears in the output. This is applicable to the OAW-4x50 Series switches only.

show user

The output now shows whether the IP address is from DHCP.

show vlan mapping

The Assignment Type appears in the output.

vlan-name <name> [pool|assignment {even|hash}]

Sets the assignment type as even or hash. The even assignment type is based on an even distribution of VLAN pool assignments. The hash type means that the VLAN assignment is based on the station MAC address.

wlan dot11k-profile

The following parameters were introduced:
- bcn-req-chan-11a
- bcn-req-chan-11bg
- ap-chan-rpt-11a
- ap-chan-rpt-11bg
- handover-trigger-profile
- rrm-ie-profile
- bcn-rpt-req-profile
- tsm-req-profile
The handover trigger threshold parameter was deprecated, as the handover trigger settings are now configured using the handover trigger profile.

wlan ssid-profile

The following parameters were introduced:
- dot11r-profile
- bSec-128
- bSec-256
- advertise-location
- enforce-user-vlan

Deprecated Commands
The following commands were deprecated in AOS-W 6.2:

Command

Description

papi-security (deprecated)

The papi-security command configures a key on the master switch which then distributes it to other switches and APs, thus allowing each site to have a unique key.

pcap (deprecated)

Name changed to ap packet capture.

policer-profile (deprecated)

This command configures a Policer profile to manage the transmission rate of a class of traffic based on user-defined criteria.

firewall

This clears the datapath sessions when roles are updated.

local-userdb-ap add

This command adds a Remote AP entry to the Remote AP whitelist table.

local-userdb-ap del

This command deletes a Remote AP entry from the Remote AP whitelist table.

local-userdb-ap modify

This command modifies a Remote AP entry in the Remote AP whitelist table.

local-userdb-ap revoke

Revoke a lost or stolen remote AP to prevent unauthorized users from accessing the company's corporate network.

qos-profile (deprecated)

This command configures a QoS profile to assign TC/DP, DSCP, and 802.1p values to an interface or policer profile.

show papi-security (deprecated)

Shows a configured papi-security profile.

show policer-profile (deprecated)

This command displays the policer profile configuration.

show qos-profile (deprecated)

This command displays the QoS profile configuration.

About this Guide
This guide describes the AOS-W 6.2 command syntax. The commands in this guide are listed alphabetically.
The following information is provided for each command:
- Command Syntax--The complete syntax of the command.
- Description--A brief description of the command.
- Syntax--A description of the command parameters, including license requirements for specific parameters if needed. The applicable ranges and default values, if any, are also included.
- Usage Guidelines--Information to help you use the command, including: prerequisites, prohibitions, and related commands.
- Example--An example of how to use the command.
- Command History--The version of AOS-W in which the command was first introduced. Modifications and changes to the command are also noted.
- Command Information--This table describes any licensing requirements, command modes and platforms for which this command is applicable. For more information about available licenses, see the Licenses chapter of the AOS-W 6.2 User Guide.

Connecting to the Switch
This section describes how to connect to the switch to use the CLI.
Serial Port Connection
The serial port is located on the front panel of the switch. Connect a terminal or PC/workstation running a terminal emulation program to the serial port on the switch to use the CLI. Configure your terminal or terminal emulation program to use the following communication settings.

Baud Rate 9600

Data Bits 8

Parity None

Stop Bits 1

Flow Control None

The Alcatel-Lucent OAW-4x50 switch supports baud rates between 9600 and 115200.
Telnet or SSH Connection
Telnet or SSH access requires that you configure an IP address and a default gateway on the switch and connect the switch to your network. This is typically performed when you run the Initial Setup on the switch, as described in the AOS-W 6.2 Quick Start Guide. In certain deployments, you can also configure a loopback address for the switch; see interface loopback on page 322 for more information.
Configuration changes on Master Switches
Some commands can only be issued when connected to a master switch. If you make a configuration change on a master switch, all connected local switches will subsequently update their configurations as well. You can manually synchronize all of the switches at any time by saving the configuration on the master switch.

CLI Access
When you connect to the switch using the CLI, the system displays its host name followed by the login prompt. Log in using the admin user account and the password you entered during the Initial Setup on the switch (the password displays as asterisks). For example:
(host) User: admin
Password: *****
When you are logged in, the user mode CLI prompt displays. For example:
(host) >
User mode provides only limited access for basic operational testing such as running ping and traceroute.
Certain management functions are available in enable (also called "privileged") mode. Moving from user mode to enable mode requires you to enter an additional password that you entered during the Initial Setup (the password displays as asterisks). For example:
(host) > enable
Password: ******
When you are in enable mode, the > prompt changes to a pound sign (#):
(host) #
Configuration commands are available in config mode. Move from enable mode to config mode by entering configure terminal at the # prompt:
(host) # configure terminal
Enter Configuration commands, one per line. End with CNTL/Z
When you are in basic config mode, (config) appears before the # prompt:
(host) (config) #

There are several other sub-command modes that allow users to configure individual interfaces, subinterfaces, loopback addresses, GRE tunnels and cellular profiles. For details on the prompts and the available commands for each of these modes, see Appendix A: Command Modes on page 1250.

Command Help
You can use the question mark (?) to view various types of command help. When typed at the beginning of a line, the question mark lists all the commands available in your current mode or sub-mode. A brief explanation follows each command. For example:
(host) > ?

enable       Turn on Privileged commands
logout       Exit this session. Any unsaved changes are lost.
ping         Send ICMP echo packets to a specified IP address.
traceroute   Trace route to specified IP address.

When typed at the end of a possible command or abbreviation, the question mark lists the commands that match (if any). For example:

(host) > c?

clear        Clear configuration
clock        Configure the system clock
configure    Configuration Commands
copy         Copy Files

If more than one item is shown, type more of the keyword characters to distinguish your choice. However, if only one item is listed, the keyword or abbreviation is valid and you can press tab or the spacebar to advance to the next keyword.

When typed in place of a parameter, the question mark lists the available options. For example:

(host) # write ?

erase        Erase and start from scratch
file         Write to a file in the file system
memory       Write to memory
terminal     Write to terminal
<cr>

The <cr> indicates that the command can be entered without additional parameters. Any other parameters are optional.

Command Completion
To make command input easier, you can usually abbreviate each key word in the command. You need type only enough of each keyword to distinguish it from similar commands. For example:
(host) # configure terminal
could also be entered as:
(host) # con t
Three characters (con) represent the shortest abbreviation allowed for configure. Typing only c or co would not work because there are other commands (like copy) which also begin with those letters. The configure command is the only one that begins with con.
As you type, you can press the spacebar or tab to move to the next keyword. The system then attempts to expand the abbreviation for you. If there is only one command keyword that matches the abbreviation, it is filled in for you automatically. If the abbreviation is too vague (too few characters), the cursor does not advance and you must type more characters or use the help feature to list the matching commands.

Deleting Configuration Settings
Use the no command to delete or negate previously-entered configurations or parameters.
- To view a list of no commands, type no at the enable or config prompt followed by the question mark. For example:
  (host) (config) # no?
- To delete a configuration, use the no form of a configuration command. For example, the following command removes a configured user role:
  (host) (config) # no user-role <name>
- To negate a specific configured parameter, use the no parameter within the command. For example, the following commands delete the DSCP priority map for a priority map configuration:
  (host) (config) # priority-map <name>
  (host) (config-priority-map) # no dscp priority high

Saving Configuration Changes
Each Alcatel-Lucent switch contains two different types of configuration images.
- The running-config holds the current switch configuration, including all pending changes which have yet to be saved. To view the running-config, use the following command:
  (host) # show running-config
- The startup-config holds the configuration which will be used the next time the switch is rebooted. It contains all the options last saved using the write memory command. To view the startup-config, use the following command:
  (host) # show startup-config
When you make configuration changes via the CLI, those changes affect the current running configuration only. If the changes are not saved, they will be lost after the switch reboots. To save your configuration changes so they are retained in the startup configuration after the switch reboots, use the following command in enable mode:
(host) # write memory
Saving Configuration...
Saved Configuration
Both the startup and running configurations can also be saved to a file or sent to a TFTP server for backup or transfer to another system.

Commands That Reset the Switch or AP
If you use the CLI to modify a currently provisioned and running radio profile, those changes take place immediately; you do not reboot the switch or the AP for the changes to affect the current running configuration. Certain commands, however, automatically force the switch or AP to reboot. You may want to consider current network loads and conditions before issuing these commands, as they may cause a momentary disruption in service as the unit resets. Note also that changing the lms-ip parameter in an AP system profile associated with an AP group will cause all APs in that AP group to reboot.

Table 1: Reset Commands

Commands that Reset an AP

- ap-regroup
- ap-rename
- apboot
- provision-ap
- ap wired-ap-profile <profile> forward-mode {bridge|split-tunnel|tunnel}
- wlan virtual-ap <profile-name> {aaa-profile <profile-name>|forward-mode {tunnel|bridge|split-tunnel|decrypt-tunnel}|ssid-profile <profile-name>|vlan <vlan>...}
- ap system-profile <profile> {bootstrap-threshold <number>|lms-ip <ipaddr>|}
- wlan ssid-profile <profile-name> {battery-boost|denybcast|essid|opmode|strict-svp|wepkey1 <key>|wepkey2 <key>|wepkey3 <key>|wepkey4 <key>|weptxkey <index>|wmm|wmm-be-dscp <best-effort>|wmm-bk-dscp <background>|wmm-ts-min-inact-int <milliseconds>|wmm-vi-dscp <video>|wmm-vo-dscp <voice>|wpa-hexkey <psk>|wpa-passphrase <string>}
- wlan dot11k <profile-name> {bcn-measurementmode|dot11k-enable|force-dissasoc

Commands that Reset a Switch

- reload

Typographic Conventions
The following conventions are used throughout this manual to emphasize important concepts:

Table 2: Text Conventions

Type Style

Description

Italics

This style is used to emphasize important terms and to mark the titles of books.

Boldface

This style is used to emphasize command names and parameter options when mentioned in the text.

Commands

This fixed-width font depicts command syntax and examples of commands and command output.

<angle brackets>

In the command syntax, text within angle brackets represents items that you should replace with information appropriate to your specific situation. For example:
ping <ipaddr>
In this example, you would type "ping" at the system prompt exactly as shown, followed by the IP address of the system to which ICMP echo packets are to be sent. Do not type the angle brackets.

[square brackets]

In the command syntax, items enclosed in brackets are optional. Do not type the brackets.

{Item_A|Item_B}

In the command examples, single items within curled braces and separated by a vertical bar represent the available choices. Enter only one choice. Do not type the braces or bars.

{ap-name <ap-name>}|{ipaddr <ipaddr>}

Two items within curled braces indicate that both parameters must be entered together. If two or more sets of curled braces are separated by a vertical bar, as in the example above, enter only one choice. Do not type the braces or bars.

Command Line Editing
The system records your most recently entered commands. You can review the history of your actions, or reissue a recent command easily, without having to retype it.
To view items in the command history, use the up arrow key to move back through the list and the down arrow key to move forward. To reissue a specific command, press Enter when the command appears in the command history. You can even use the command line editing feature to make changes to the command prior to entering it. The command line editing feature allows you to make corrections or changes to a command without retyping. Table 1 lists the editing controls. To use key shortcuts, press and hold the Ctrl button while you press a letter key.

Table 3: Line Editing Keys

Key

Effect

Description

Ctrl A

Home

Move the cursor to the beginning of the line.

Ctrl B or the left arrow

Back

Move the cursor one character left.

Ctrl D

Delete Right

Delete the character to the right of the cursor.

Ctrl E

End

Move the cursor to the end of the line.

Ctrl F or the right arrow

Forward

Move the cursor one character right.

Ctrl K

Delete Right

Delete all characters to the right of the cursor.

Ctrl N or the down arrow

Next

Display the next command in the command history.

Ctrl P or up arrow

Previous

Display the previous command in the command history.

Ctrl T

Transpose

Swap the character to the left of the cursor with the character to the right of the cursor.

Ctrl U

Clear

Clear the line.

Ctrl W

Delete Word

Delete the characters from the cursor up to and including the first space encountered.

Ctrl X

Delete Left

Delete all characters to the left of the cursor.

Specifying Addresses and Identifiers in Commands
This section describes addresses and other identifiers that you can reference in CLI commands.

Table 4: Addresses and Identifiers

Address/Identifier Description

IP address

For any command that requires entry of an IP address to specify a network entity, use IPv4 network address format in the conventional dotted decimal notation (for example, 10.4.1.258).

Netmask address

For subnet addresses, specify a netmask in dotted decimal notation (for example, 255.255.255.0).

Media Access Control (MAC) address

For any command that requires entry of a device's hardware address, use the hexadecimal format (for example, 00:05:4e:50:14:aa).

Service Set Identifier (SSID)

A unique character string (sometimes referred to as a network name), consisting of no more than 32 characters. The SSID is case-sensitive (for example, WLAN01).

Basic Service Set Identifier (BSSID)

This entry is the unique hard-wireless MAC address of the AP. A unique BSSID applies to each frequency-- 802.11a and 802.11g--used from the AP. Use the same format as for a MAC address.

Extended Service Set Identifier (ESSID)

Typically the unique logical name of a wireless network. If the ESSID includes spaces, you must enclose the name in quotation marks.

Fast Ethernet or Gigabit Ethernet interface

Any command that references a Fast Ethernet or Gigabit Ethernet interface requires that you specify the corresponding port on the switch in the format <slot>/<port>:
<slot> is always 1, except when referring to interfaces on the OAW-6000 switch. For the OAW-6000 switch, the four slots are allocated as follows:
- Slot 0: Contains an OmniAccess Supervisor Card III.
- Slot 1: Contains an OmniAccess Supervisor Card III.
- Slot 2: Contains an OmniAccess Supervisor Card III.
- Slot 3: Can contain either an OmniAccess Supervisor Card III or a line card.
<port> refers to the network interfaces that are embedded in the front panel of the OAW-4x04 Series switch, OmniAccess Supervisor Card III, or a line card installed in the OAW-6000 switch. Port numbers start at 0 from the left-most position. Use the show port status command to obtain the interface information currently available from a switch.
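
The following Python sketch is an added example, not part of the original guide: a pre-flight check that an automation script could run on the identifier formats in Table 4 before a value is placed into a CLI command. All function names are hypothetical, and rejecting an empty SSID is an assumption. The guide's own sample address 10.4.1.258 fails the octet check because 258 exceeds 255.

```python
import re

MAC_RE = re.compile(r"[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}")
PORT_RE = re.compile(r"([0-9]+)/([0-9]+)")


def _octets(text):
    """Return the four octets of a dotted-decimal string, or None if malformed."""
    parts = text.split(".")
    if len(parts) != 4:
        return None
    if not all(p.isascii() and p.isdigit() and len(p) <= 3 for p in parts):
        return None
    values = [int(p) for p in parts]
    return values if all(v <= 255 for v in values) else None


def valid_ipv4(text):
    """IPv4 address in dotted decimal notation, each octet 0-255."""
    return _octets(text) is not None


def valid_netmask(text):
    """A netmask is a dotted-decimal value whose set bits are contiguous from the left."""
    octets = _octets(text)
    if octets is None:
        return False
    value = int.from_bytes(bytes(octets), "big")
    inverted = value ^ 0xFFFFFFFF
    # inverted must look like 0...01...1, so adding 1 clears every set bit.
    return (inverted & (inverted + 1)) == 0


def valid_mac(text):
    """Six colon-separated hexadecimal pairs, as in 00:05:4e:50:14:aa."""
    return MAC_RE.fullmatch(text) is not None


def valid_ssid(text):
    # The guide states "no more than 32 characters"; rejecting the empty
    # string is an assumption of this example.
    return 1 <= len(text) <= 32


def cli_essid(name):
    """Return the ESSID as it should be typed: quoted when it contains spaces."""
    if not valid_ssid(name):
        raise ValueError("ESSID must be 1-32 characters")
    # Refuse quotes and control characters so the value stays a single
    # argument when a script builds the command line.
    if '"' in name or any(ord(c) < 32 or ord(c) == 127 for c in name):
        raise ValueError("ESSID contains a quote or control character")
    return f'"{name}"' if " " in name else name


def valid_interface(text, chassis=False):
    """<slot>/<port>: slot is 1, or 0-3 on the OAW-6000 (chassis=True)."""
    match = PORT_RE.fullmatch(text)
    if match is None:
        return False
    slot = int(match.group(1))
    return slot in range(4) if chassis else slot == 1


CHECKS = {
    "ip": valid_ipv4, "netmask": valid_netmask, "mac": valid_mac,
    "ssid": valid_ssid, "interface": valid_interface,
}


def rejected(arguments):
    """Return the (kind, value) pairs that fail their format check."""
    return [(kind, value) for kind, value in arguments if not CHECKS[kind](value)]


if __name__ == "__main__":
    # Constructed sample arguments; 10.4.1.258 is the guide's own sample address.
    sample = [("ip", "10.4.1.258"), ("ip", "10.4.1.25"),
              ("netmask", "255.255.255.0"), ("netmask", "255.0.255.0"),
              ("mac", "00:05:4e:50:14:aa"), ("interface", "1/0")]
    for kind, value in rejected(sample):
        print(f"rejected {kind}: {value}")
    print(cli_essid("Guest WLAN"))
```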

Contacting Alcatel-Lucent

Table 5: Alcatel-Lucent Contacts

Contact Center Online

- Main Site: http://www.alcatel-lucent.com/enterprise
- Support Site: https://service.esd.alcatel-lucent.com
- Email: esd.support@alcatel-lucent.com

Service & Support Contact Center Telephone

- North America: 1-800-995-2696
- Latin America: 1-877-919-9526
- Europe: +33 (0) 38 855 6929
- Asia Pacific: +65 6240 8484
- Worldwide: 1-818-878-4507

aaa authentication captive-portal
aaa authentication captive-portal <profile>
   auth-protocol mschapv2|pap|chap
   black-list <black-list>
   clone <source-profile>
   default-guest-role <role>
   default-role <role>
   enable-welcome-page
   guest-logon
   ip-addr-in-redirection <ipaddr>
   login-page <url>
   logon-wait {cpu-threshold <percent>}|{maximum-delay <seconds>}|{minimum-delay <seconds>}
   logout-popup-window
   max-authentication-failures <number>
   no ...
   protocol-http
   proxy host <ipaddr> port <port>
   redirect-pause <seconds>
   redirect-url <url>
   server-group <group-name>
   show-acceptable-use-policy
   show-fqdn
   single-session
   switchip-in-redirection-url <ipaddr>
   user-logon
   user-vlan-in-redirection-url <vlan>
   welcome-page <url>
   white-list <white-list>
Description
This command configures a Captive Portal authentication profile.
Syntax

Each parameter below is listed with its Description, Range, and Default.

<profile>
   Description: Name that identifies an instance of the profile. The name must be 1-63 characters.
   Range: --
   Default: "default"

authentication-protocol mschapv2|pap|chap
   Description: This parameter specifies the type of authentication required by this profile. PAP is the default authentication type.
   Range: mschapv2, pap, chap
   Default: pap

black-list
   Description: Name of an existing black list on an IPv4 or IPv6 network destination. The black list contains websites (unauthenticated) that a guest cannot access. Specify a netdestination host or subnet to add that netdestination to the captive portal blacklist. If you have not yet defined a netdestination, use the CLI command netdestination to define a destination host or subnet before you add it to the blacklist.
   NOTE: This parameter requires the Public Access license.
   Range: --
   Default: --

clone
   Description: Name of an existing Captive Portal profile from which parameter values are copied.
   Range: --
   Default: --

default-guest-role
   Description: Role assigned to guest.
   Range: --
   Default: guest

default-role <role>
   Description: Role assigned to the Captive Portal user when that user logs in. When both user and guest logons are enabled, the default role applies to the user logon; users logging in using the guest interface are assigned the guest role.
   Range: --
   Default: guest

enable-welcome-page
   Description: Displays the configured welcome page before the user is redirected to their original URL. If this option is disabled, redirection to the web URL happens immediately after the user logs in.
   Range: enabled/disabled
   Default: enabled

guest-logon
   Description: Enables Captive Portal logon without authentication.
   Range: enabled/disabled
   Default: disabled

switchip-in-redirection-url <ipaddr>
   Description: Sends the switch's interface IP address in the redirection URL when external captive portal servers are used. An external captive portal server can determine the switch from which a request originated by parsing the 'switchip' variable in the URL. This parameter requires the Public Access license.
   Range: --
   Default: --

login-page <url>
   Description: URL of the page that appears for the user logon. This can be set to any URL.
   Range: --
   Default: /auth/index.html

logon-wait
   Description: Configure parameters for the logon wait interval.
   Range: 1-100
   Default: 60%

cpu-threshold <percent>
   Description: CPU utilization percentage above which the logon wait interval is applied when presenting the user with the logon page.
   Range: 1-100
   Default: 60%

maximum-delay <seconds>
   Description: Maximum time, in seconds, the user will have to wait for the logon page to pop up if the CPU load is high. This works in conjunction with the Logon wait CPU utilization threshold parameter.
   Range: 1-10
   Default: 10 seconds

minimum-delay <seconds>
   Description: Minimum time, in seconds, the user will have to wait for the logon page to pop up if the CPU load is high. This works in conjunction with the Logon wait CPU utilization threshold parameter.
   Range: 1-10
   Default: 5 seconds

logout-popup-window
   Description: Enables a pop-up window with the Logout link that allows the user to log out. If this option is disabled, the user remains logged in until the user timeout period has elapsed or the station reloads.
   Range: enabled/disabled
   Default: enabled

max-authentication-failures <number>
   Description: Maximum number of authentication failures before the user is blacklisted.
   Range: 0-10
   Default: 0

no
   Description: Negates any configured parameter.
   Range: --
   Default: --

protocol-http
   Description: Use HTTP protocol on redirection to the Captive Portal page. If you use this option, modify the captive portal policy to allow HTTP traffic.
   Range: enabled/disabled
   Default: disabled (HTTPS is used)

redirect-pause <secs>
   Description: Time, in seconds, that the system remains in the initial welcome page before redirecting the user to the final web URL. If set to 0, the welcome page displays until the user clicks on the indicated link.
   Range: 1-60
   Default: 10 seconds

redirect-url <url>
   Description: URL to which an authenticated user will be directed. This parameter must be an absolute URL that begins with either http:// or https://.
   Range: --
   Default: --

server-group <group-name>
   Description: Name of the group of servers used to authenticate Captive Portal users. See aaa server-group on page 82.
   Range: --
   Default: --

show-fqdn
   Description: Allows the user to see and select the fully-qualified domain name (FQDN) on the login page. The FQDNs shown are specified when configuring individual servers for the server group used with captive portal authentication.
   Range: enabled/disabled
   Default: disabled

show-acceptable-use-policy
   Description: Show the acceptable use policy page before the logon page.
   Range: enabled/disabled
   Default: disabled

single-session
   Description: Allows only one active user session at a time.
   Range: --
   Default: disabled

switchip-in-redirection-url
   Description: Sends the switch's IP address in the redirection URL when external captive portal servers are used. An external captive portal server can determine the switch from which a request originated by parsing the 'switchip' variable in the URL.
   Range: enabled/disabled
   Default: disabled

user-logon
   Description: Enables Captive Portal with authentication of user credentials.
   Range: enabled/disabled
   Default: enabled

user-vlan-in-redirection-url <ipaddr>
   Description: Add the user VLAN in the redirection URL. This parameter requires the Public Access license.
   Range: enabled/disabled
   Default: disabled

user-vlan-redirection-url
   Description: Sends the user's VLAN ID in the redirection URL when external captive portal servers are used.
   Range: --
   Default: --

welcome-page <url>
   Description: URL of the page that appears after logon and before redirection to the web URL. This can be set to any URL.
   Range: --
   Default: /auth/welcome.html

white-list <white-list>
   Description: Name of an existing white list on an IPv4 or IPv6 network destination. The white list contains authenticated websites that a guest can access. If you have not yet defined a netdestination, use the CLI command netdestination to define a destination host or subnet before you add it to the whitelist.
   Range: --
   Default: --

Usage Guidelines
You can configure the Captive Portal authentication profile in the base operating system or with the Next Generation Policy Enforcement Firewall (PEFNG) license installed. When you configure the profile in the base operating system, the name of the profile must be entered for the initial role in the AAA profile. Also, when you configure the profile in the base operating system, you cannot define the default-role.
Example
The following example configures a Captive Portal authentication profile that authenticates users against the switch's internal database. Users who are successfully authenticated are assigned the auth-guest role.
To create the auth-guest user role shown in this example, the PEFNG license must be installed in the switch.
aaa authentication captive-portal guestnet
   default-role auth-guest
   user-logon
   no guest-logon
   server-group internal
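
When switchip-in-redirection-url is enabled, the external captive portal server receives the switchip value by way of the client's browser, so the server should validate it before relying on it. The following Python function is an added example, not part of the AOS-W guide; the portal URLs, the inventory addresses and the function name are assumptions constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit, parse_qs

# Constructed inventory of switch addresses the portal expects (assumption).
KNOWN_SWITCHES = frozenset(
    ipaddress.ip_address(a) for a in ("10.1.1.10", "10.1.2.10")
)


def switch_from_redirect(url, known=KNOWN_SWITCHES):
    """Return the originating switch address from a redirection URL.

    Returns None when `switchip` is missing, empty, repeated, not a valid
    IP address, or not one of the known switches. The value travels through
    the client's browser, so it is handled as untrusted input.
    """
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    values = query.get("switchip", [])
    if len(values) != 1:
        # Absent or supplied more than once: refuse to guess which one counts.
        return None
    try:
        addr = ipaddress.ip_address(values[0])
    except ValueError:
        # Covers empty strings, hostnames and values with trailing control
        # characters such as an encoded CR/LF.
        return None
    return addr if addr in known else None


if __name__ == "__main__":
    # Constructed request URLs.
    for sample in (
        "https://portal.example.com/login?switchip=10.1.1.10",
        "https://portal.example.com/login?switchip=10.9.9.9",
        "https://portal.example.com/login?switchip=10.1.1.10&switchip=10.1.2.10",
    ):
        print(sample, "->", switch_from_redirect(sample))
```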
Command History

AOS-W 3.0: Command introduced.
AOS-W 6.0: The max-authentication-failures parameter no longer requires a license.
AOS-W 6.1: The sygate-on-demand, black-list and white-list parameters were added.
AOS-W 6.2: The auth-protocol parameter was added, and the user-chap parameter was deprecated.

Command Information
Platforms: All platforms
Licensing: Base operating system, except for noted parameters
Command Mode: Config mode on master switches

aaa authentication dot1x
aaa authentication dot1x {<profile>|countermeasures}
   ca-cert <certificate>
   cert-cn-lookup
   clear
   clone <profile>
   eapol-logoff
   enforce-suite-b-128
   enforce-suite-b-192
   framed-mtu <mtu>
   heldstate-bypass-counter <number>
   ignore-eap-id-match
   ignore-eapolstart-afterauthentication
   machine-authentication blacklist-on-failure|{cache-timeout <hours>}|enable|{machine-default-role <role>}|{user-default-role <role>}
   max-authentication-failures <number>
   max-requests <number>
   multicast-keyrotation
   no ...
   opp-key-caching
   reauth-max <number>
   reauthentication
   server {server-retry <number>|server-retry-period <seconds>}
   server-cert <certificate>
   termination {eap-type <type>}|enable|enable-token-caching|{inner-eap-type (eap-gtc|eap-mschapv2)}|{token-caching-period <hours>}
   timer {idrequest_period <seconds>}|{mkey-rotation-period <seconds>}|{quiet-period <seconds>}|{reauth-period <seconds>}|{ukey-rotation-period <seconds>}|{wpa-groupkey-delay <seconds>}|{wpa-key-period <milliseconds>}|wpa2-key-delay <milliseconds>
   tls-guest-access
   tls-guest-role <role>
   unicast-keyrotation
   use-session-key
   use-static-key
   validate-pmkid
   voice-aware
   wep-key-retries <number>
   wep-key-size {40|128}
   wpa-fast-handover
   wpa-key-retries
   xSec-mtu <mtu>
Description
This command configures the 802.1X authentication profile.
Syntax

<profile>
Description: Name that identifies an instance of the profile. The name must be 1-63 characters.
Range: --
Default: "default"

clear
Description: Clear the Cached PMK, Role and VLAN entries. This command is available in enable mode only.
Range: --
Default: --

countermeasures
Description: Scans for message integrity code (MIC) failures in traffic received from clients. If there are more than 2 MIC failures within 60 seconds, the AP is shut down for 60 seconds. This option is intended to slow down an attacker who is making a large number of forgery attempts in a short time.
Range: --
Default: disabled

ca-cert <certificate>
Description: CA certificate for client authentication. The CA certificate needs to be loaded in the switch.
Range: --
Default: --

cert-cn-lookup
Description: If you use client certificates for user authentication, enable this option to verify that the certificate's common name exists in the server. This parameter is disabled by default.
Range: --
Default: --

eapol-logoff
Description: Enables handling of EAPOL-LOGOFF messages.
Range: --
Default: disabled

enforce-suite-b-128
Description: Configure Suite-B 128 bit or more security level authentication enforcement.
Default: disabled

enforce-suite-b-192
Description: Configure Suite-B 192 bit or more security level authentication enforcement.
Default: disabled

framed-mtu <MTU>
Description: Sets the framed MTU attribute sent to the authentication server.
Range: 500-1500
Default: 1100

heldstate-bypass-counter <number>
Description: (This parameter is applicable when 802.1X authentication is terminated on the switch, also known as AAA FastConnect.) Number of consecutive authentication failures which, when reached, causes the switch to not respond to authentication requests from a client while the switch is in a held state after the authentication failure. Until this number is reached, the switch responds to authentication requests from the client even while the switch is in its held state.
Range: 0-3
Default: 0

ignore-eap-id-match
Description: Ignore EAP ID during negotiation.
Range: --
Default: disabled

ignore-eapolstart-afterauthentication
Description: Ignores EAPOL-START messages after authentication.
Range: --
Default: disabled

machine-authentication
Description: (For Windows environments only) These parameters set machine authentication:
NOTE: This parameter requires the PEFNG license.

machine-authentication blacklist-on-failure
Description: Blacklists the client if machine authentication fails.
Range: --
Default: disabled

machine-authentication cache-timeout <hours>
Description: The timeout, in hours, for machine authentication.
Range: 1-1000
Default: 24 hours (1 day)

machine-authentication enable
Description: Select this option to enforce machine authentication before user authentication. If selected, either the machine-default-role or the user-default-role is assigned to the user, depending on which authentication is successful.
Range: --
Default: disabled

machine-authentication machine-default-role <role>
Description: Default role assigned to the user after completing only machine authentication.
Range: --
Default: guest

machine-authentication user-default-role <role>
Description: Default role assigned to the user after 802.1X authentication.
Range: --
Default: guest

max-authentication-failures <number>
Description: Number of times a user can try to login with wrong credentials after which the user is blacklisted as a security threat. Set to 0 to disable blacklisting, otherwise enter a non-zero integer to blacklist the user after the specified number of failures.
Range: 0-5
Default: 0 (disabled)

max-requests <number>
Description: Maximum number of times ID requests are sent to the client.
Range: 1-10
Default: 3

multicast-keyrotation
Description: Enables multicast key rotation.
Range: --
Default: disabled

no
Description: Negates any configured parameter.
Range: --
Default: --

opp-key-caching
Description: Enables a cached pairwise master key (PMK) derived with a client and an associated AP to be used when the client roams to a new AP. This allows clients faster roaming without a full 802.1X authentication.
NOTE: Make sure that the wireless client (the 802.1X supplicant) supports this feature. If the client does not support this feature, the client will attempt to renegotiate the key whenever it roams to a new AP. As a result, the key cached on the switch can be out of sync with the key used by the client.
Range: --
Default: enabled

reauth-max <number>
Description: Maximum number of reauthentication attempts.
Range: 1-10
Default: 3

reauthentication
Description: Select this option to force the client to do a 802.1X reauthentication after the expiration of the default timer for reauthentication. (The default value of the timer is 24 hours.) If the user fails to reauthenticate with valid credentials, the state of the user is cleared. If derivation rules are used to classify 802.1X-authenticated users, then the reauthentication timer per role overrides this setting.
Range: --
Default: disabled

reload-cert
Description: Reload Certificate for 802.1X termination. This command is available in enable mode only.
Range: --
Default: --

server
Description: Sets options for sending authentication requests to the authentication server group.

server server-retry <number>
Description: Maximum number of authentication requests that are sent to server group.
Range: 0-3
Default: 2

server server-retry-period <seconds>
Description: Server group retry interval, in seconds.
Range: 5-65535
Default: 30 seconds

server-cert <certificate>
Description: Server certificate used by the switch to authenticate itself to the client.
Range: --
Default: --

termination
Description: Sets options for terminating 802.1X authentication on the switch.

termination eap-type <type>
Description: The Extensible Authentication Protocol (EAP) method, either EAP-PEAP or EAP-TLS.
Range: eap-peap/eap-tls
Default: eap-peap

termination enable
Description: Enables 802.1X termination on the switch.
Range: --
Default: disabled

termination enable-token-caching
Description: If you select EAP-GTC as the inner EAP method, you can enable the switch to cache the username and password of each authenticated user. The switch continues to reauthenticate users with the remote authentication server, however, if the authentication server is not available, the switch will inspect its cached credentials to reauthenticate users.
Range: --
Default: disabled

termination inner-eap-type eap-gtc|eap-mschapv2
Description: When EAP-PEAP is the EAP method, one of the following inner EAP types is used:
- EAP-Generic Token Card (GTC): Described in RFC 2284, this EAP method permits the transfer of unencrypted usernames and passwords from client to server. The main uses for EAP-GTC are one-time token cards such as SecureID and the use of LDAP or RADIUS as the user authentication server. You can also enable caching of user credentials on the switch as a backup to an external authentication server.
- EAP-Microsoft Challenge Authentication Protocol version 2 (MS-CHAPv2): Described in RFC 2759, this EAP method is widely supported by Microsoft clients.
Range: eap-gtc/eap-mschapv2
Default: eap-mschapv2

termination token-caching-period <hours>
Description: If you select EAP-GTC as the inner EAP method, you can specify the timeout period, in hours, for the cached information.
Range: (any)
Default: 24 hours

timer
Description: Sets timer options for 802.1X authentication:

timer idrequest_period <seconds>
Description: Interval, in seconds, between identity request retries.
Range: 1-65535
Default: 30 seconds

timer mkey-rotation-period <seconds>
Description: Interval, in seconds, between multicast key rotation.
Range: 60-864000
Default: 1800 seconds

timer quiet-period <seconds>
Description: Interval, in seconds, following failed authentication.
Range: 1-65535
Default: 30 seconds

timer reauth-period <seconds>
Description: Interval, in seconds, between reauthentication attempts, or specify server to use the server-provided reauthentication period.
Range: 60-864000
Default: 86400 seconds (1 day)

timer ukey-rotation-period <seconds>
Description: Interval, in seconds, between unicast key rotation.
Range: 60-864000
Default: 900 seconds

timer wpa-groupkey-delay <milliseconds>
Description: Interval, in milliseconds, between unicast and multicast key exchanges.
Range: 0-2000
Default: 0 ms (no delay)

timer wpa-key-period <milliseconds>
Description: Interval, in milliseconds, between each WPA key exchange.
Range: 1000-5000
Default: 1000 ms

timer wpa2-key-delay <milliseconds>
Description: Set the delay between EAP-Success and unicast key exchange.
Range: 1-2000
Default: 0 ms (no delay)

tls-guest-access
Description: Enables guest access for EAP-TLS users with valid certificates.
Range: --
Default: disabled

tls-guest-role <role>
Description: User role assigned to EAP-TLS guest.
NOTE: This parameter requires the PEFNG license.
Range: --
Default: guest

unicast-keyrotation
Description: Enables unicast key rotation.
Range: --
Default: disabled

use-session-key
Description: Use RADIUS session key as the unicast WEP key.
Range: --
Default: disabled

use-static-key
Description: Use static key as the unicast/multicast WEP key.
Range: --
Default: disabled

validate-pmkid
Description: This parameter instructs the switch to check the pairwise master key (PMK) ID sent by the client. When this option is enabled, the client must send a PMKID in the associate or reassociate frame to indicate that it supports OKC or PMK caching; otherwise, full 802.1X authentication takes place. (This feature is optional, since most clients that support OKC and PMK caching do not send the PMKID in their association request.)
Range: --
Default: disabled

voice-aware
Description: Enables rekey and reauthentication for VoWLAN clients.
NOTE: The Next Generation Policy Enforced Firewall license must be installed.
Range: --
Default: enabled

wep-key-retries <number>
Description: Number of times WPA/WPA2 key messages are retried.
Range: 1-5
Default: 3

wep-key-size
Description: Dynamic WEP key size, either 40 or 128 bits.
Range: 40 or 128
Default: 128 bits

wpa-fast-handover
Description: Enables WPA-fast-handover. This is only applicable for phones that support WPA and fast handover.
Range: --
Default: disabled

wpa-key-retries
Description: Set the Number of times WPA/WPA2 Key Messages are retried.
Range: --
Default: disabled

xSec-mtu <mtu>
Description: Sets the size of the MTU for xSec.
Range: 1024-1500
Default: 1300 bytes

Usage Guidelines
The 802.1X authentication profile allows you to enable and configure machine authentication and 802.1X termination on the switch (also called "AAA FastConnect").
In the AAA profile, specify the 802.1X authentication profile, the default role for authenticated users, and the server group for the authentication.
Examples
The following example enables authentication of the user's client device before user authentication. If machine authentication fails but user authentication succeeds, the user is assigned the restricted "guest" role:
aaa authentication dot1x dot1x
   machine-authentication enable
   machine-authentication machine-default-role computer
   machine-authentication user-default-role guest
The following example configures an 802.1X profile that terminates authentication on the switch, where the user authentication is performed with the switch's internal database or to a "backend" non-802.1X server:
aaa authentication dot1x dot1x
   termination enable
Command History

AOS-W 3.0: Command introduced.
AOS-W 6.1: The cert-cn-lookup, enforce-suite-b-128 and enforce-suite-b-192 parameters were introduced.

Command Information
Platforms: All platforms
Licensing: Base operating system. The voice-aware parameter requires the PEFNG license.
Command Mode: Config mode on master switches

aaa authentication mac
aaa authentication mac <profile>
   case upper|lower
   clone <profile>
   delimiter {colon|dash|none}
   max-authentication-failures <number>
   no ...
Description
This command configures the MAC authentication profile.
Syntax

<profile>
Description: Name that identifies an instance of the profile. The name must be 1-63 characters.
Range: --
Default: "default"

case
Description: The case (upper or lower) used in the MAC string sent in the authentication request. If there is no delimiter configured, the MAC address in lower case is sent in the format xxxxxxxxxxxx, while the MAC address in upper case is sent in the format XXXXXXXXXXXX.
Range: upper|lower
Default: lower

clone <profile>
Description: Name of an existing MAC profile from which parameter values are copied.
Range: --
Default: --

delimiter
Description: Delimiter (colon, dash, or none) used in the MAC string.
Range: colon|dash|none
Default: none

max-authentication-failures <number>
Description: Number of times a client can fail to authenticate before it is blacklisted. A value of 0 disables blacklisting.
Range: 0-10
Default: 0 (disabled)

no
Description: Negates any configured parameter.
Range: --
Default: --

Usage Guidelines
MAC authentication profile configures authentication of devices based on their physical MAC address. MAC-based authentication is often used to authenticate and allow network access through certain devices while denying access to all other devices. Users may be required to authenticate themselves using other methods, depending upon the network privileges.
Example
The following example configures a MAC authentication profile to blacklist client devices that fail to authenticate.
aaa authentication mac mac-blacklist
   max-authentication-failures 3


Command History
AOS-W 3.0: Command introduced.
AOS-W 3.3.1.8: The max-authentication-failures parameter was allowed in the base operating system. In earlier versions of AOS-W, the max-authentication-failures parameter required the Wireless Intrusion Protection license.

Command Information
Platforms: All platforms
Licensing: Base operating system
Command Mode: Config mode on master switches

aaa authentication mgmt
aaa authentication mgmt
   default-role {guest-provisioning|location-api-mgmt|network-operations|no-access|read-only|root}
   enable
   no ...
   server-group <group>
Description
This command configures authentication for administrative users.
Syntax

default-role
Description: Select a predefined management role to assign to authenticated administrative users:
Range: --
Default: default

default-role default
Description: Default superuser role
Range: --
Default: --

default-role guest-provisioning
Description: Guest provisioning role
Range: --
Default: --

default-role location-api-mgmt
Description: Location API role
Range: --
Default: --

default-role network-operations
Description: Network operations role
Range: --
Default: --

default-role no-access
Description: No commands are accessible for this role
Range: --
Default: --

default-role read-only
Description: Read-only role
Range: --
Default: --

enable
Description: Enables authentication for administrative users.
Range: enabled|disabled
Default: disabled

mchapv2
Description: Enable MSCHAPv2
Range: enabled|disabled
Default: disabled

no
Description: Negates any configured parameter.
Range: --
Default: --

server-group <group>
Description: Name of the group of servers used to authenticate administrative users. See aaa server-group on page 82.
Range: --
Default: default

Usage Guidelines
If you enable authentication with this command, users configured with the mgmt-user command must be authenticated using the specified server-group. You can configure the management authentication profile in the base operating system or with the PEFNG license installed.
Example
The following example configures a management authentication profile that authenticates users against the switch's internal database. Users who are successfully authenticated are assigned the read-only role.
aaa authentication mgmt
   default-role read-only
   server-group internal
Command History

AOS-W 3.0: Command introduced.
AOS-W 3.2: The network-operations role was introduced.
AOS-W 3.3: The location-api-mgmt role was introduced.

Command Information
Platforms: All platforms
Licensing: Base operating system
Command Mode: Config mode on master switches

aaa authentication-server internal
aaa authentication-server internal use-local-switch
Description
This command specifies that the internal database on a local switch be used for authenticating clients.
Usage Guidelines
By default, the internal database in the master switch is used for authentication. This command directs authentication to the internal database on the local switch where you run the command.
Command History
This command was available in AOS-W 3.0.
Command Information

Platforms: All platforms
Licensing: Base operating system
Command Mode: Config mode on master or local switches

aaa authentication-server ldap
aaa authentication-server ldap <server>
   admin-dn <name>
   admin-passwd <string>
   allow-cleartext
   authport <port>
   base-dn <name>
   clone <server>
   enable
   filter <filter>
   host <ipaddr>
   key-attribute <string>
   max-connection <number>
   no ...
   preferred-conn-type ldap-s|start-tls|clear-text
   timeout <seconds>
Description
This command configures an LDAP server.
Syntax

<server>
Description: Name that identifies the server.
Range: --
Default: --

admin-dn <name>
Description: Distinguished name for the admin user who has read/search privileges across all of the entries in the LDAP database (the user does not need write privileges but should be able to search the database and read attributes of other users in the database).
Range: --
Default: --

admin-passwd <string>
Description: Password for the admin user.
Range: --
Default: --

allow-cleartext
Description: Allows clear-text (unencrypted) communication with the LDAP server.
Range: enabled|disabled
Default: disabled

authport <port>
Description: Port number used for authentication. Port 636 will be attempted for LDAP over SSL, while port 389 will be attempted for SSL over LDAP, Start TLS operation and clear text.
Range: 1-65535
Default: 389

base-dn <name>
Description: Distinguished Name of the node which contains the entire user database to use.
Range: --
Default: --

clone <server>
Description: Name of an existing LDAP server configuration from which parameter values are copied.
Range: --
Default: --

enable
Description: Enables the LDAP server.
Range: --

filter <filter>
Description: Filter that should be applied to search of the user in the LDAP database. The default filter string is (objectclass=*).
Range: --
Default: (objectclass=*)

host <ip-addr>
Description: IP address of the LDAP server, in dotted-decimal format.
Range: --
Default: --

key-attribute <string>
Description: Attribute that should be used as a key in search for the LDAP server. For Active Directory, the value is sAMAccountName.
Range: --
Default: sAMAccountName

max-connection
Description: Maximum number of simultaneous non-admin connections to an LDAP server.
Range: --
Default: --

no
Description: Negates any configured parameter.
Range: --
Default: --

preferred-conn-type
Description: Preferred connection type. The default order of connection type is:
1. ldap-s
2. start-tls
3. clear-text
The switch will first try to contact the LDAP server using the preferred connection type, and will only attempt to use a lower-priority connection type if the first attempt is not successful.
NOTE: You enable the allow-cleartext option before you select clear-text as the preferred connection type. If you set clear-text as the preferred connection type but do not allow cleartext, the switch will only use ldap-s or start-tls to contact the LDAP server.
Range: ldap-s, start-tls, clear-text
Default: ldap-s

timeout <seconds>
Description: Timeout period of a LDAP request, in seconds.
Range: 1-30
Default: 20 seconds

Usage Guidelines
You configure a server before you can add it to one or more server groups. You create a server group for a specific type of authentication (see aaa server-group on page 82).
Example
The following command configures and enables an LDAP server:
aaa authentication-server ldap ldap1
   host 10.1.1.243
   base-dn cn=Users,dc=1m,dc=corp,dc=com
   admin-dn cn=corp,cn=Users,dc=1m,dc=corp,dc=com
   admin-passwd abc10
   key-attribute sAMAccountName
   filter (objectclass=*)
   enable
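
Several parameters documented in this guide weaken transport protection or lockout when set a particular way: allow-cleartext and preferred-conn-type clear-text for LDAP servers, protocol-http for captive portal, and max-authentication-failures 0 or wep-key-size 40 for 802.1X and MAC profiles. The following Python audit is an added example, not part of the AOS-W guide; the configuration layout it parses (an unindented profile header followed by indented sub-commands), the finding labels and the sample text are assumptions constructed for illustration.

```python
# Constructed sample configuration, not taken from the guide.
SAMPLE_CONFIG = """\
aaa authentication-server ldap ldap1
   host 10.1.1.243
   allow-cleartext
   preferred-conn-type clear-text
   enable
aaa authentication captive-portal guestnet
   user-logon
   protocol-http
aaa authentication dot1x dot1x
   termination enable
   wep-key-size 40
aaa authentication mac mac-blacklist
   max-authentication-failures 3
"""

# Profile header prefixes this audit understands.
PROFILE_KINDS = {
    ("aaa", "authentication-server", "ldap"): "ldap",
    ("aaa", "authentication", "captive-portal"): "captive-portal",
    ("aaa", "authentication", "dot1x"): "dot1x",
    ("aaa", "authentication", "mac"): "mac",
}


def parse_profiles(text):
    """Split config text into (kind, name, settings) tuples.

    Assumed layout: an unindented "aaa ..." header line, then indented
    sub-command lines. A "no <param>" line removes an earlier setting.
    """
    profiles = []
    current = None
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens or tokens == ["!"]:
            continue
        if not raw[0].isspace():
            # Any unindented line ends the previous profile block.
            current = None
            kind = PROFILE_KINDS.get(tuple(tokens[:3]))
            if kind and len(tokens) >= 4:
                current = (kind, tokens[3].strip('"'), {})
                profiles.append(current)
        elif current is not None:
            if tokens[0] == "no" and len(tokens) > 1:
                current[2].pop(tokens[1], None)
            else:
                current[2][tokens[0]] = tokens[1:]
    return profiles


def audit(text):
    """Return (profile name, finding) pairs in configuration order."""
    findings = []
    for kind, name, cfg in parse_profiles(text):
        if kind == "ldap":
            if "allow-cleartext" in cfg:
                findings.append((name, "ldap-cleartext-allowed"))
            if cfg.get("preferred-conn-type") == ["clear-text"]:
                findings.append((name, "ldap-cleartext-preferred"))
        if kind == "captive-portal" and "protocol-http" in cfg:
            # Default is disabled, in which case HTTPS is used.
            findings.append((name, "captive-portal-http"))
        if kind in ("dot1x", "mac"):
            # Documented default is 0, which disables blacklisting.
            if cfg.get("max-authentication-failures", ["0"]) == ["0"]:
                findings.append((name, "blacklisting-disabled"))
        if kind == "dot1x" and cfg.get("wep-key-size") == ["40"]:
            findings.append((name, "wep-40-bit"))
    return findings


if __name__ == "__main__":
    for profile, finding in audit(SAMPLE_CONFIG):
        print(profile, finding)
```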
Command History
This command was available in AOS-W 3.0.
Command Information

Platforms: All platforms
Licensing: Base operating system
Command Mode: Config mode on master switches

aaa authentication-server radius
aaa authentication-server radius <server>
   acctport <port>
   authport <port>
   clone <server>
   enable
   host <ipaddr>|<FQDN>
   key <psk>
   mac-lowercase
   nas-identifier <string>
   nas-ip <ipaddr>
   no ...
   retransmit <number>
   service-type-framed-user
   source-interface vlan <vlan>
   timeout <seconds>
   use-ip-for-calling-station
   use-md5
Description
This command configures a RADIUS server.
Syntax

<server>
Description: Name that identifies the server.
Range: --
Default: --

acctport <port>
Description: Accounting port on the server.
Range: 1-65535
Default: 1813

authport <port>
Description: Authentication port on the server.
Range: 1-65535
Default: 1812

clone <server>
Description: Name of an existing RADIUS server configuration from which parameter values are copied.
Range: --
Default: --

enable
Description: Enables the RADIUS server.
Range: --
Default: --

host
Description: Identify the RADIUS server either by its IP address or fully qualified domain name.
Range: --
Default: --

host <ipaddr>
Description: IPv4 of the RADIUS server.
Range: --
Default: --

host <FQDN>
Description: Fully qualified domain name (FQDN) of the RADIUS server. The maximum supported length is 63 characters.
Range: --
Default: --

key <psk>
Description: Shared secret between the switch and the authentication server. The maximum length is 128 characters.
Range: --
Default: --

mac-lowercase
Description: Send MAC addresses as lowercase.
Range: --
Default: --

nas-identifier <string>
Description: Network Access Server (NAS) identifier to use in RADIUS packets.
Range: --
Default: --

nas-ip <ip-addr>
Description: NAS IP address to send in RADIUS packets. You can configure a "global" NAS IP address that the switch uses for communications with all RADIUS servers. If you do not configure a server-specific NAS IP, the global NAS IP is used. To set the global NAS IP, enter the ip radius nas-ip <ipaddr> command.
Range: --
Default: --

no
Description: Negates any configured parameter.
Range: --
Default: --

retransmit <number>
Description: Maximum number of retries sent to the server by the switch before the server is marked as down.
Range: 0-3
Default: 3

service-type-framed-user
Description: Send the service-type as FRAMED-USER instead of LOGIN-USER. This option is disabled by default.
Range: --
Default: disabled

source-interface vlan <vlan>
Description: This option associates a VLAN interface with the RADIUS server to allow the server-specific source interface to override the global configuration.
- If you associate a Source Interface (by entering a VLAN number) with a configured server, then the source IP address of the packet will be that interface's IP address.
- If you do not associate the Source Interface with a configured server (leave the field blank), then the IP address of the global Source Interface will be used.
Range: --
Default: --

timeout <seconds>
Description: Maximum time, in seconds, that the switch waits before timing out the request and resending it.
Range: 1-30
Default: 5 seconds

use-ip-for-calling-station
Description: Use an IP address instead of a MAC address for calling station IDs. This option is disabled by default.
Range: --
Default: disabled

use-md5
Description: Use MD5 hash of cleartext password.
Range: --
Default: disabled

Usage Guidelines
You configure a server before you can add it to one or more server groups. You create a server group for a specific type of authentication (see aaa server-group on page 82).
Example
The following command configures and enables a RADIUS server:
aaa authentication-server radius radius1
   host 10.1.1.244
   key qwERtyuIOp
   enable


Command History
AOS-W 3.0: Command introduced.
AOS-W 6.0: RADIUS server can be identified by its qualified domain name (FQDN).
AOS-W 6.1: The source-interface parameter was added.

Command Information
Platforms: All platforms
Licensing: Base operating system
Command Mode: Config mode on master switches

aaa authentication-server tacacs
aaa authentication-server tacacs <server>
   clone <server>
   enable
   host <host>
   key <psk>
   no ...
   retransmit <number>
   session-authorization
   tcp-port <port>
   timeout <seconds>
Description
This command configures a TACACS+ server.
Syntax

<server>
Description: Name that identifies the server.
Range: --
Default: --

clone <server>
Description: Name of an existing TACACS server configuration from which parameter values are copied.
Range: --
Default: --

enable
Description: Enables the TACACS server.
Range: --
Default: --

host <host>
Description: IPv4 of the TACACS server.
Range: --
Default: --

key
Description: Shared secret to authenticate communication between the TACACS+ client and server.
Range: --
Default: --

no
Description: Negates any configured parameter.
Range: --
Default: --

retransmit <number>
Description: Maximum number of times a request is retried.
Range: 0-3
Default: 3

session-authorization
Description: Enables TACACS+ authorization. Session-authorization turns on the optional authorization session for admin users.
Range: --
Default: disabled

tcp-port <port>
Description: TCP port used by the server.
Range: 1-65535
Default: 49

timeout <timeout>
Description: Timeout period of a TACACS request, in seconds.
Range: 1-30
Default: 20 seconds

Usage Guidelines
You configure a server before you can add it to one or more server groups. You create a server group for a specific type of authentication (see aaa server-group on page 82).
Example
The following command configures and enables a TACACS+ server and enables session authorization:
aaa authentication-server tacacs tacacs1
   clone default
   host 10.1.1.245
   key qwERtyuIOp
   enable
   session-authorization
Command History

AOS-W 3.0: Command introduced.
AOS-W 6.0: session-authorization parameter was introduced.

Command Information
Platforms: All platforms
Licensing: Base operating system
Command Mode: Config mode on master switches

aaa authentication-server windows
aaa authentication-server windows <windows_server_name>
   clone <source>
   domain <domain>
   enable
   host <ipaddr>
   no
Description
This command configures a windows server for stateful-NTLM authentication.
Syntax

<windows_server_name>
Description: Name of the windows server. You will use this name when you add the windows server to a server group.

clone <source>
Description: Name of a Windows Server from which you want to make a copy.

domain <domain>
Description: The Windows domain for the authentication server.

enable
Description: Enables the Windows server.

host <ipaddr>
Description: IP address of the Windows server.

no
Description: Delete command.

Usage Guidelines
You must define a Windows server before you can add it to one or more server groups. You create a server group for a specific type of authentication (see aaa server-group on page 82). Windows servers are used for stateful-NTLM authentication.
Example
The following command configures and enables a windows server:
aaa authentication-server windows IAS_1
   host 10.1.1.245
   enable
Command History
This command was available in AOS-W 3.4.1
Command Information

Platforms: All platforms
Licensing: Base operating system
Command Mode: Config mode on master switches

aaa authentication stateful-dot1x
aaa authentication stateful-dot1x
   default-role <role>
   enable
   no ...
   server-group <group>
   timeout <seconds>
Description
This command configures 802.1X authentication for clients on non-Alcatel-Lucent APs.
Syntax

default-role <role>
Description: Role assigned to the 802.1X user upon login.
NOTE: The PEFNG license must be installed.
Range: --
Default: guest

enable
Description: Enables 802.1X authentication for clients on non-Alcatel-Lucent APs. Use no enable to disable stateful 802.1X authentication.
Range: --
Default: enabled

no
Description: Negates any configured parameter.
Range: --
Default: --

server-group <group>
Description: Name of the group of RADIUS servers used to authenticate the 802.1X users. See aaa server-group on page 82.
Range: --
Default: --

timeout <seconds>
Description: Timeout period, in seconds.
Range: 1-20
Default: 10 seconds

Usage Guidelines
This command configures 802.1X authentication for clients on non-Alcatel-Lucent APs. The switch maintains user session state information for these clients.
Example
The following command assigns the employee user role to clients who successfully authenticate with the server group corp-rad:
aaa authentication stateful-dot1x
   default-role employee
   server-group corp-rad
Command History
This command was introduced in AOS-W 3.0.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode Config mode on master switches


aaa authentication stateful-dot1x clear
aaa authentication stateful-dot1x clear
Description
This command clears automatically-created control path entries for 802.1X users on non-Alcatel-Lucent APs.
Syntax
No parameters.
Usage Guidelines
Run this command after changing the configuration of a RADIUS server in the server group configured with the aaa authentication stateful-dot1x command. This causes entries for the users to be created in the control path with the updated configuration information.
Command History
This command was introduced in AOS-W 3.0.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode Enable mode on master switches


aaa authentication stateful-ntlm
aaa authentication stateful-ntlm <profile-name>
   clone
   default-role <role>
   enable
   server-group <server-group>
   timeout <timeout>
Description
This command configures stateful NT LAN Manager (NTLM) authentication.
Syntax

Parameter: clone
Description: Create a copy of an existing stateful NTLM profile.
Range: --
Default: --

Parameter: default-role
Description: Select an existing role to assign to authenticated users.
Range: --
Default: guest

Parameter: no
Description: Negates any configured parameter.
Range: --
Default: --

Parameter: server-group <server-group>
Description: Name of a server group.
Range: --
Default: default

Parameter: timeout <timeout>
Description: Amount of time, in seconds, before the request times out.
Range: 1-20 seconds
Default: 10 seconds

Usage Guidelines
NT LAN Manager (NTLM) is a suite of Microsoft authentication and session security protocols. You can use a stateful NTLM authentication profile to configure a switch to monitor the NTLM authentication messages between clients and an authentication server. The switch can then use the information in the Server Message Block (SMB) headers to determine the client's username and IP address, the server IP address and the client's current authentication status. If the client successfully authenticates via an NTLM authentication server, the switch can recognize that the client has been authenticated and assign that client a specified user role. When the user logs off or shuts down the client machine, the user will remain in the authenticated role until the user's authentication is aged out.
The Stateful NTLM Authentication profile requires that you specify a server group which includes the servers performing NTLM authentication, and a default role to be assigned to authenticated users. For details on defining a Windows server used for NTLM authentication, see aaa authentication-server windows.
Example
The following example configures a stateful NTLM authentication profile that authenticates clients via the server group "Windows1." Users who are successfully authenticated are assigned the "guest2" role.
aaa authentication stateful-ntlm
   default-role guest2
   server-group Windows1
Command History
Command introduced in AOS-W 3.4.1


Command Information

Platforms All platforms

Licensing Base operating system

Command Mode Config mode on master switches


aaa authentication via auth-profile
aaa authentication via auth-profile <profile>
   clone <source>
   default-role <default-role>
   desc <description>
   max-authentication-failures <max-authentication-failures>
   no
   server-group <server-group>

Description
This command configures the VIA authentication profile.
Syntax

Parameter: clone <source>
Description: Name of an existing profile from which configuration values are copied.

Parameter: default-role <default-role>
Description: Name of the default VIA authentication profile.

Parameter: desc <description>
Description: Description of this profile for reference.
Default: -

Parameter: max-authentication-failures <max-authentication-failures>
Description: Number of times VIA will prompt the user to log in due to incorrect credentials. After the maximum number of failed authentication attempts, VIA will exit.
Default: 3

Parameter: server-group <server-group>
Description: Server group against which the user is authenticated.

Usage Guidelines
Use this command to create VIA authentication profiles and associate user roles to the authentication profile.
Example
(host) (config) #aaa authentication via auth-profile default
(host) (VIA Authentication Profile "default") #default-role example-via-role
(host) (VIA Authentication Profile "default") #desc "Default VIA Authentication Profile"
(host) (VIA Authentication Profile "default") #server-group "via-server-group"
Command History
Command introduced in 5.0
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode Config mode on master or local switches


aaa authentication via connection-profile
aaa authentication via connection-profile <profile>
   admin-logoff-script
   admin-logon-script
   allow-user-disconnect
   allow-whitelist-traffic
   auth_domain_suffix
   auth-profile <auth-profile>
   auth_doman_suffix
   auto-launch-supplicant
   auto-login
   auto-upgrade
   banner-message-reappear-timeout <mins>
   client-logging
   client-netmask <client-netmask>
   client-wlan-profile <client-wlan-profile> position <position>
   clone
   switches-load-balance
   csec-gateway-url <URL>
   csec-http-ports <comma separated port numbers>
   dns-suffix-list <dns-suffix-list>
   domain-pre-connect
   enable-csec
   enable-fips
   enable-supplicant
   ext-download-url <ext-download-url>
   ike-policy <ike-policy>
   ikev2-policy
   ikev2-proto
   ikev2auth
   ipsec-cryptomap map <map> number <number>
   ipsecv2-cryptomap
   lockdown-all-settings
   max-reconnect-attempts <max-reconnect-attempts>
   minimized
   max-timeout <value>
   minimized
   no
   save-passwords
   server
   split-tunneling
   suiteb-crypto
   support-email
   tunnel
   validate-server-cert
   whitelist
   windows-credentials
Description
This command configures the VIA connection profile.


Syntax
Parameter: admin-logoff-script
Description: Enables VIA logoff script.
Default: Disabled

Parameter: admin-logon-script
Description: Enables VIA logon script.
Default: Disabled

Parameter: allow-user-disconnect
Description: Enable or disable users to disconnect their VIA sessions.
Default: Enabled

Parameter: allow-whitelist-traffic
Description: If enabled, this feature will block network access until the VIA VPN connection is established.
Default: Disabled

Parameter: auth_domain_suffix
Description: Enables a domain suffix on VIA Authentication, so client credentials are sent as domainname\username instead of just username.
Default: --

Parameter: auto-launch-supplicant
Description: Allows you to connect automatically to a configured WLAN network.
Default: Disabled

Parameter: auth-profile <auth-profile>
Description: This is the list of VIA authentication profiles that will be displayed to users in the VIA client.
Default: --

Parameter: admin-logoff-script
Description: Specify the name of the script that must be executed when the VIA connection is disconnected. The script must reside on the user / client system.
Default: --

Parameter: admin-logon-script
Description: Specify the name of the script that must be executed when the VIA connection is established. The script must reside on the user / client system.
Default: --

Parameter: auto-login
Description: Enable or disable VIA client to auto login and establish a secure connection to the switch.
Default: Enabled

Parameter: auto-upgrade
Description: Enable or disable VIA client to automatically upgrade when an updated version of the client is available on the switch.
Default: Enabled

Parameter: banner-message-reappear-timeout
Description: Timeout value, in minutes, after which the user session will end and the VIA Login banner message reappears.
Default: 1440 minutes

Parameter: client-logging
Description: Enable or disable VIA client to auto login and establish a secure connection to the switch.
Default: Enabled

Parameter: client-netmask <client-netmask>
Description: The network mask that has to be set on the client after the VPN connection is established.
Default: 255.255.255.255


Parameter: client-wlan-profile <client-wlan-profile> position <position>
Description: A list of VIA client WLAN profiles that need to be pushed to the client machines that use Windows Zero Config (WZC) to configure or manage their wireless networks.
Default: --

Parameter: clone
Description: Create a copy of a connection profile from another VIA connection profile.
Default: --

Parameter: switches-load-balance
Description: Enable this option to allow the VIA client to fail over to the next available server, selected randomly from the list configured in the VIA Servers option. If disabled, VIA will fail over to the next server in the ordered list of VIA Servers.
Default: Disabled

Parameter: server addr <addr> internal-ip <internal-ip> desc <description>
Description:
- Address: This is the public IP address or the DNS hostname of the VIA switch. Users will connect to the remote server using this IP address or the hostname.
- Internal IP Address: This is the IP address of any of the VLAN interface IP addresses that belong to this switch.
- Description: This is a human-readable description of the switch.
Default: --

Parameter: csec-gateway-url
Description: Specify the content security service provider's URL here. You must provide a fully qualified domain name.
Default: --

Parameter: csec-http-ports
Description: Specify the ports (separated by comma) that will be monitored by the content security service provider. Do not add a space before or after the comma.
Default: --

Parameter: domain-preconnect
Description: Enable this option to allow users with lost or expired passwords to establish a VIA connection to the corporate network. This option authenticates the user's device and establishes a VIA connection that allows users to reset credentials and continue with corporate access.
Default: Enabled

Parameter: dns-suffix-list <dns-suffix-list>
Description: The DNS suffix list (comma separated) that has to be set on the client once the VPN connection is established.
Default: None

Parameter: enable-csec
Description: Use this option to enable the content security service.
Default: --

Parameter: enable-fips
Description: Enable the VIA (Federal Information Processing Standard) FIPS module so VIA checks for FIPS compliance during startup.
Default: Disabled

Parameter: enable-supplicant
Description: If enabled, VIA starts in bSec mode using L2 suite-b cryptography. This option is disabled by default.
Default: Disabled


Parameter: ext-download-url <ext-download-url>
Description: End users will use this URL to download VIA on their computers.
Default: --

Parameter: ike-policy <ike-policy>
Description: List of IKE policies that the VIA Client has to use to connect to the switch.
Default: --

Parameter: ikev2-policy
Description: List of IKE V2 policies that the VIA Client has to use to connect to the switch.
Default: --

Parameter: ikev2-proto
Description: Enable this to use IKEv2 protocol to establish VIA sessions.
Default: Disabled

Parameter: ikev2auth
Description: Use this option to set the IKEv2 authentication method. By default user certificate is used for authentication. The other supported methods are EAP-MSCHAPv2, EAP-TLS. The EAP authentication is done on an external RADIUS server.
Default: User Certificates

Parameter: ipsec-cryptomap map <map> number <number>
Description: List of IPsec crypto maps that the VIA client uses to connect to the switch. These IPsec Crypto Maps are configured in the CLI using the crypto-local ipsec-map <ipsec-map-name> command.
Default: --

Parameter: ipsecv2-cryptomap
Description: List of IPSec V2 crypto maps that the VIA client uses to connect to the switch.
Default: --

Parameter: lockdown-all-settings
Description: Allows you to lock down all user-configured settings.
Default: Disabled

Parameter: max-reconnect-attempts <max-reconnect-attempts>
Description: The maximum number of re-connection attempts by the VIA client due to authentication failures.
Default: 3

Parameter: max-timeout value <value>
Description: The maximum time (minutes) allowed before the VIA session is disconnected.
Default: 1440 min

Parameter: minimized
Description: Use this option to keep the VIA client on a Microsoft Windows operating system minimized to system tray.
Default: --

Parameter: save-passwords
Description: Enable or disable users to save passwords entered in VIA.
Default: Enabled

Parameter: server
Description: Configure VIA servers.

Parameter: split-tunneling
Description: Enable or disable split tunneling.
- If enabled, all traffic to the VIA tunneled networks will go through the switch and the rest is just bridged directly on the client.
- If disabled, all traffic will flow through the switch.
Default: off


Parameter: suiteb-crypto
Description: Use this option to enable Suite-B cryptography. See RFC 4869 for more information about Suite-B cryptography.
Default: Disabled

Parameter: support-email
Description: The support e-mail address to which VIA users will send client logs.
Default: None

Parameter: tunnel address <address> netmask <netmask>
Description: A list of network destinations (IP address and netmask) that the VIA client will tunnel through the switch. All other network destinations will be reachable directly by the VIA client. Enter tunneled IP address and its netmask.
Default: --

Parameter: validate-server-cert
Description: Enable or disable VIA from validating the server certificate presented by the switch.
Default: Enabled

Parameter: whitelist addr
Description: Specify a hostname or IP address and network mask to define a whitelist of users allowed to access the network if the allow-whitelist-traffic option is enabled.
Default: --

Parameter: addr <addr>
Description: Host name or IP address of a client.
Default: --

Parameter: netmask <netmask>
Description: Netmask, in dotted decimal format.
Default: --

Parameter: description <description>
Description: (Optional) description of the client.
Default: --

Parameter: windows-credentials
Description: Enable or disable the use of the Windows credentials to log in to VIA. If enabled, the SSO (Single Sign-on) feature can be utilized by remote users to connect to internal resources.
Default: Enabled

Usage Guidelines
Issue this command to create a VIA connection profile. A VIA connection profile contains settings required by VIA to establish a secure connection to the switch. You can configure multiple VIA connection profiles. A VIA connection profile is always associated to a user role and all users belonging to that role will use the configured settings. If you do not assign a VIA connection profile to a user role, the default connection profile is used.
Example
The following example shows a simple VIA connection profile:
(host) (config) #aaa authentication via connection-profile "via"
(host) (VIA Connection Profile "via") #server addr 202.100.10.100 internal-ip 10.11.12.13 desc "VIA Primary" position 0
(host) (VIA Connection Profile "via") #auth-profile "default" position 0
(host) (VIA Connection Profile "via") #tunnel address 10.0.0.0 netmask 255.255.255.0
(host) (VIA Connection Profile "via") #split-tunneling
(host) (VIA Connection Profile "via") #windows-credentials
(host) (VIA Connection Profile "via") #client-netmask 255.0.0.0
(host) (VIA Connection Profile "via") #dns-suffix-list mycorp.com
(host) (VIA Connection Profile "via") #dns-suffix-list example.com
(host) (VIA Connection Profile "via") #support-email via-support@example.com


Command History
Release: AOS-W 5.0
Modification: Command introduced

Release: AOS-W 6.1
Modification: The following commands were introduced:
- admin-logon-script
- admin-logoff-script
- ikev2-policy
- ikev2-proto
- ikev2-auth
- ipsecv2-crypto
- minimized
- suiteb-crypto

Release: AOS-W 6.1.3.2
Modification: The auth_domain_suffix parameter was introduced.

Release: AOS-W 6.2
Modification: The following commands were introduced:
- allow-whitelist-traffic
- banner-message-reappear-timeout
- switches-load-balancing
- enable-fips
- enable-supplicant
- whitelist

Command Information

Platforms All platforms

Licensing Base operating system

Command Mode Config mode on master or local switches


aaa authentication via global-config
aaa authentication via global-config
   no
   ssl-fallback-enable
Description
The global config option allows you to enable SSL fallback mode. If the SSL fallback mode is enabled, the VIA client will use SSL to create a secure connection.
Syntax

Parameter: no
Description: Disable SSL fallback option.
Default: --

Parameter: ssl-fallback-enable
Description: Use this option to enable an SSL fallback connection.
Default: Disabled

Example
(host) (config) #aaa authentication via global-config
Command History
Command introduced in 5.0
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode Config mode on master or local switches


aaa authentication via web-auth
aaa authentication via web-auth default
   auth-profile <auth-profile> position <position>
   clone <source>
   no
Description
A VIA web authentication profile contains an ordered list of VIA authentication profiles. The web authentication profile is used by end users to login to the VIA download page (https://<server-IP-address>/via) for downloading the VIA client. Only one VIA web authentication profile is available. If more than one VIA authentication profile is configured, users can view this list and select one during the client login.
Syntax

Parameter: auth-profile <auth-profile>
Description: The name of the VIA authentication profile.
Default: --

Parameter: position <position>
Description: The position of the profile to specify the order of selection.
Default: --

Parameter: clone <source>
Description: Duplicate an existing authentication profile.
Default: --

Example
(host) (config) #aaa authentication via web-auth default
(host) (VIA Web Authentication "default") #auth-profile default position 0
Command History
Command introduced in 5.0
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode Config mode on master or local switches


aaa authentication vpn
aaa authentication vpn <profile-name>
   cert-cn-lookup
   clone <source>
   default-role <guest>
   max-authentication-failures <number>
   no ...
   server-group <group>
Description
This command configures VPN authentication settings.
Syntax

Parameter: <profile-name>
Description: There are three VPN profiles: default, default-rap or default-cap. This allows users to use different AAA servers for VPN, RAP and CAP clients. NOTE: The default and default-rap profiles are configurable. The default-cap profile is not configurable and is predefined with the default settings.
Default: --

Parameter: cert-cn-lookup
Description: If you use client certificates for user authentication, enable this option to verify that the certificate's common name exists in the server. This parameter is enabled by default in the default-cap and default-rap VPN profiles, and disabled by default on all other VPN profiles.
Default: --

Parameter: clone <source>
Description: Copies data from another VPN authentication profile. Source is the profile name from which the data is copied.
Default: --

Parameter: default-role <role>
Description: Role assigned to the VPN user upon login. NOTE: This parameter requires the Policy Enforcement Firewall for VPN Users (PEFV) license.
Default: guest

Parameter: max-authentication-failures <number>
Description: Maximum number of authentication failures before the user is blacklisted. The supported range is 1-10 failures. A value of 0 disables blacklisting. NOTE: This parameter requires the RFProtect license.
Default: 0 (disabled)

Parameter: no
Description: Negates any configured parameter.
Default: --

Parameter: server-group <group>
Description: Name of the group of servers used to authenticate VPN users. See aaa server-group on page 82.
Default: internal

Usage Guidelines
This command configures VPN authentication settings for VPN, RAP and CAP clients. Use the vpdn group command to configure a Layer-2 Tunneling Protocol and Internet Protocol Security (L2TP/IPsec) or a Point-to-Point Tunneling Protocol (PPTP) VPN connection. (See vpdn group l2tp on page 1480.)


Example
The following command configures VPN authentication settings for the default-rap profile:
aaa authentication vpn default-rap
   default-role guest
   clone default
   max-authentication-failures 0
   server-group vpn-server-group
The following message appears when a user tries to configure the non-configurable default-cap profile:
(host) (config) #aaa authentication vpn default-cap
Predefined VPN Authentication Profile "default-cap" is not editable
Command History

Version: AOS-W 3.0
Description: Command introduced.

Version: AOS-W 5.0
Description: The default-cap and default-rap profiles were introduced.

Version: AOS-W 6.1
Description: The cert-cn-lookup parameter was introduced.

Command Information

Platforms All platforms

Licensing
Base operating system, except for noted parameters. The default-role parameter requires the Policy Enforcement Firewall for VPN Users (PEFV) license.

Command Mode Config mode on master switches


aaa authentication wired
aaa authentication wired
   no ...
   profile <aaa-profile>
Description
This command configures authentication for a client device that is directly connected to a port on the switch.
Syntax

Parameter: no
Description: Negates any configured parameter.

Parameter: profile <aaa-profile>
Description: Name of the AAA profile that applies to wired authentication. This profile must be configured for a Layer-2 authentication, either 802.1X or MAC. See aaa profile on page 73.

Usage Guidelines
This command references an AAA profile that is configured for MAC or 802.1X authentication. The port on the switch to which the device is connected must be configured as untrusted.
Example
The following commands configure an AAA profile for dot1x authentication and a wired profile that references the AAA profile:
aaa profile sec-wired
   dot1x-default-role employee
   dot1x-server-group sec-svrs
aaa authentication wired
   profile sec-wired
Related Commands

Command: vlan
Description: Assign an AAA profile to an individual VLAN to enable role-based access for wired clients connected to an untrusted VLAN or port on the switch.

Command History
This command was available in AOS-W 3.0.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode Config mode on master switches


aaa authentication wispr
aaa authentication wispr
   agent string
   clone
   default-role <role>
   logon-wait {cpu-threshold <cpu-threshold>}|{maximum-delay <maximum-delay>}|{minimum-delay <minimum-delay>}
   no ...
   max-authentication-failures
   server-group <server-group>
   wispr-location-id-ac <wispr-location-id-ac>
   wispr-location-id-cc <wispr-location-id-cc>
   wispr-location-id-isocc <wispr-location-id-isocc>
   wispr-location-id-network <wispr-location-id-network>
   wispr-location-name-location <wispr-location-name-location>
   wispr-location-name-operator-name <wispr-location-name-operator>
Description
This command configures WISPr authentication with an ISP's WISPr RADIUS server.
Syntax

Parameter: agent string
Description: User Agent String to be registered for use in WISPr Profile. Maximum User Agent String length: 32 characters. Maximum number of User Agent strings: 32.

Parameter: clone
Description: Copy data from another WISPr Authentication Profile.

Parameter: default-role
Description: Default role assigned to users that complete WISPr authentication.

Parameter: logon-wait
Description: Configure the CPU utilization threshold that will trigger logon wait maximum and minimum times.

Parameter: CPU-threshold <cpu-threshold>
Description: Percentage of CPU utilization at which the maximum and minimum login wait times are enforced. Range: 1-100%. Default: 60%.

Parameter: max-authentication-failures
Description: Maximum auth failures before user is blacklisted. Range: 0-10. Default: 0.

Parameter: maximum-delay <maximum-delay>
Description: If the switch's CPU utilization has surpassed the CPU-threshold value, the maximum-delay parameter defines the minimum number of seconds a user will have to wait to retry a login attempt. Range: 1-10 seconds. Default: 10 seconds.

Parameter: minimum-delay <minimum-delay>
Description: If the switch's CPU utilization has surpassed the CPU-threshold value, the minimum-delay parameter defines the minimum number of seconds a user will have to wait to retry a login attempt. Range: 1-10 seconds. Default: 5 seconds.


Parameter: wispr-location-id-ac <wispr-location-id-ac>
Description: The E.164 Area Code in the WISPr Location ID.

Parameter: wispr-location-id-cc <wispr-location-id-cc>
Description: The 1-3 digit E.164 Country Code in the WISPr Location ID.

Parameter: wispr-location-id-isocc <wispr-location-id-isocc>
Description: The ISO Country Code in the WISPr Location ID.

Parameter: wispr-location-id-network <wispr-location-id-network>
Description: The SSID/network name in the WISPr Location ID.

Parameter: wispr-location-name-location <wispr-location-name-location>
Description: A name identifying the hotspot location. If no name is defined, the default ap-name is used.

Parameter: wispr-location-name-operator-name <wispr-location-name-operator>
Description: A name identifying the hotspot operator.

Usage Guidelines
WISPr authentication allows a "smart client" to remain authenticated on the network when they roam between Wireless Internet Service Providers, even if the wireless hotspot uses an ISP for which the client may not have an account.
If you are a hotspot operator using WISPr authentication, and a client that has an account with your ISP attempts to access the Internet at your hotspot, then your ISP's WISPr AAA server authenticates that client directly, and allows the client access on the network. If, however, the client only has an account with a partner ISP, then your ISP's WISPr AAA server will forward that client's credentials to the partner ISP's WISPr AAA server for authentication. Once the client has been authenticated on the partner ISP, it will be authenticated on your hotspot's own ISP, as per their service agreements. Once your ISP sends an authentication message to the switch, the switch assigns the default WISPr user role to that client.
AOS-W supports the following smart clients, which enable client authentication and roaming between hotspots by embedding iPass Generic Interface Specification (GIS) redirect, proxy, authentication and logoff messages within HTML messages to the switch.
- iPass
- Boingo
- Trustive
- weRoam
- AT&T
A WISPr authentication profile includes parameters to define RADIUS attributes, the default role for authenticated WISPr users, maximum numbers of authenticated failures and logon wait times. The WISPr-Location-ID sent from the switch to the WISPr RADIUS server will be the concatenation of the ISO Country Code, E.164 Country Code, E.164 Area Code and SSID/Zone parameters configured in this profile.
The parameters to define WISPr RADIUS attributes are specific to the RADIUS server your ISP uses for WISPr authentication; contact your ISP to determine these values. You can find a list of ISO and ITU country and area codes at the ISO and ITU websites www.iso.org and http://www.itu.int.
A Boingo smart client uses a NAS identifier in the format <CarrierID>_<VenueID> for location identification. To support Boingo clients, you must also configure the NAS identifier parameter in the RADIUS server profile for the WISPr server.


Example
The following commands configure a WISPr authentication profile:
aaa authentication wispr
   default-role authuser
   max-authentication-failures 5
   server-group wispr1
   wispr-location-id-ac 408
   wispr-location-id-cc 1
   wispr-location-id-isocc us
   wispr-location-id-network <wispr-location-id-network>
   wispr-location-name-location <wispr-location-name-location>
   wispr-location-name-operator-name <wispr-location-name-location>
Command History
This command was available in AOS-W 3.4.1.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode Config mode on master or local switches


aaa bandwidth-contract
aaa bandwidth-contract <name> {kbits <kbits>|mbits <mbits>}
Description
This command configures a bandwidth contract.
Syntax

Parameter: <name>
Description: Name that identifies this bandwidth contract.
Range: --

Parameter: kbits <bits>
Description: Limit the traffic rate for this bandwidth contract to a specified number of kilobits per second.
Range: 256-2000000

Parameter: mbits <bits>
Description: Limit the traffic rate for this bandwidth contract to a specified number of megabits per second.
Range: 1-2000

Usage Guidelines
You can apply a configured bandwidth contract to a user role or to a VLAN. When you apply a bandwidth contract to a user role (see user-role on page 1462), you specify whether the contract applies to upstream traffic (from the client to the switch) or downstream traffic (from the switch to the client). You can also specify whether the contract applies to all users in a specified user role or per-user in a user role.
When you apply a bandwidth contract to a VLAN (see interface vlan on page 336), the contract limits multicast traffic and does not affect other data. This is useful because an AP can only send multicast traffic at the rate of the slowest associated client. Thus, excessive multicast traffic will fill the buffers of the AP, causing frame loss and poor voice quality. Generally, every system should have a bandwidth contract of 1 Mbps or even 700 Kbps and it should be applied to all VLANs with which users are associated, especially those VLANs that pass through the upstream router. The exceptions are VLANs that are used for high speed multicasts, where the SSID is configured without low data rates.
Example
The following command creates a bandwidth contract that limits the traffic rate to 1 Mbps:
aaa bandwidth-contract mbits 1
Command History
This command was available in AOS-W 3.0.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode Config mode on master switches


aaa derivation-rules
aaa derivation-rules user <name>
   no ...
   set {aaa-profile|role|vlan} condition <rule-type> <attribute> <value> set-value {<role>|<vlan>} [description <rule description>][position <number>]
Description
This command configures rules that assign an AAA profile, user role or VLAN to a client based upon the client's association with an AP. A user role cannot be assigned by an AAA derivation rule unless the switch has an installed PEFNG license.
Syntax

Parameter: <name>
Description: Name that identifies this set of user derivation rules.

Parameter: no
Description: Negates a configured rule.

Parameter: set {role|vlan}
Description: Specify whether the action of the rule is to set the role or the VLAN.

Parameter: condition
Description: Condition that should be checked to derive role/VLAN.

Parameter: <rule-type>
Description: For a rule that sets an AAA profile, use the user-vlan rule type. For a role or VLAN user derivation rule, select one of the following rules:
- bssid: BSSID of access point.
- dhcp-option: Use DHCP signature matching to assign a role or VLAN.
- dhcp-option-77: Enable DHCP packet processing.
- encryption-type: Encryption method used by station.
- essid: ESSID of access point.
- location: user location (ap name).
- macaddr: MAC address of user.
NOTE: If you use the dhcp-option rule type, best practices are to enable the enforce-dhcp option in the AAA profile referenced by AP group's Virtual AP profile.

Parameter: <attribute><value>
Description: Specify one of the following conditions:
- contains: Check if attribute contains the string in the <value> parameter.
- ends-with: Check if attribute ends with the string in the <value> parameter.
- equals: Check if attribute equals the string in the <value> parameter.
- not-equals: Check if attribute is not equal to the string in the <value> parameter.
- starts-with: Check if attribute starts with the string in the <value> parameter.

Parameter: set-value <role>|<vlan>
Description: Specify the user role or VLAN ID to be assigned to the client if the above condition is met.

Parameter: description
Description: Describes the user derivation rule. This parameter is optional and has a 128 character maximum.

Parameter: position
Description: Position of this rule relative to other rules that are configured.


Usage Guidelines
The user role can be derived from attributes from the client's association with an AP. User-derivation rules are executed before the client is authenticated.
You configure the user role to be derived by specifying condition rules; when a condition is met, the specified user role is assigned to the client. You can specify more than one condition rule; the order of rules is important as the first matching condition is applied. You can also add a description of the rule.
The table below describes the conditions for which you can specify a user role or VLAN.

Rule Type: bssid: Assign client to a role or VLAN based upon the BSSID of AP to which client is associating.
Condition: One of the following:
- contains
- ends with
- equals
- does not equal
- starts with
Value: MAC address (xx:xx:xx:xx:xx:xx)

Rule Type: dhcp-option: Assign client to a role or VLAN based upon the DHCP signature ID.
Condition: One of the following:
- equals
- starts with
Value: DHCP signature ID. Note: This string is not case sensitive.

Rule Type: dhcp-option-77: Assign client to a role or VLAN based upon the user class identifier returned by DHCP server.
Condition: equals
Value: string

Rule Type: encryption-type: Assign client to a role or VLAN based upon the encryption type used by the client.
Condition: One of the following:
- equals
- does not equal
Value:
- Open (no encryption)
- WPA/WPA2 AES
- WPA-TKIP (static or dynamic)
- Dynamic WEP
- WPA/WPA2 AES PSK
- Static WEP
- xSec

Rule Type: essid: Assign client to a role or VLAN based upon the ESSID to which the client is associated.
Condition: One of the following:
- contains
- ends with
- equals
- does not equal
- starts with
- value of (does not take string; attribute value is used as role)
Value: string

Rule Type: location: Assign client to a role or VLAN based upon the ESSID to which the client is associated.
Condition: One of the following:
- equals
- does not equal
Value: string

Rule Type: macaddr: MAC address of the client.
Condition: One of the following:
- contains
- ends with
- equals
- does not equal
- starts with
Value: MAC address (xx:xx:xx:xx:xx:xx)

60 | aaa derivation-rules

AOS-W 6.2 | Reference Guide

The device identification feature allows you to assign a user role or VLAN to a specific device type by identifying a DHCP option and signature for that device. If you create a user rule with the DHCP-Option rule type, the first two characters in the Value field must represent the hexadecimal value of the DHCP option that this rule should match, while the rest of the characters in the Value field indicate the DHCP signature the rule should match. To create a rule that matches DHCP option 12 (host name), the first two characters in the Value field must be the hexadecimal value of 12, which is 0C. To create a rule that matches DHCP option 55, the first two characters in the Value field must be the hexadecimal value of 55, which is 37.
The following table describes some of the DHCP options that are useful for assigning a user role or VLAN.

| DHCP Option | Description | Hexadecimal Equivalent |
|---|---|---|
| 12 | Host name | 0C |
| 55 | Parameter Request List | 37 |
| 60 | Vendor Class Identifier | 3C |
| 81 | Client FQDN | 51 |

To identify DHCP strings used by an individual device, access the command-line interface in config mode and issue the following command to include DHCP option values for DHCP-DISCOVER and DHCP-REQUEST frames in the switch's log files:
logging level debugging network process dhcpd
Now, connect the device you want to identify to the network, and issue the CLI command show log network. The sample below is an example of the output that may be generated by this command.
Be aware that each device type may not have a unique DHCP fingerprint signature. For example, devices from different manufacturers may use vendor class identifiers that begin with similar strings. If you create a DHCP-Option rule that uses the starts-with condition instead of the equals condition, the rule may assign a role or VLAN to more than one device type.
(host) (config) #show log network all | include DISCOVER
Feb 26 02:50:34 :202534: <DBUG> |dhcpdwrap| |dhcp| Datapath vlan1: DISCOVER 00:19:d2:01:0b:84 Options 74:01 3d:010019d2010b84 0c:736861626172657368612d39393730 3c:4d53465420352e30 37:010f03062c2e2f1f21f92b
Feb 26 02:50:42 :202534: <DBUG> |dhcpdwrap| |dhcp| Datapath vlan1: DISCOVER 00:19:d2:01:0b:84 Options 74:01 3d:010019d2010b84 0c:736861626172657368612d39393730 3c:4d53465420352e30 37:010f03062c2e2f1f21f92b
Feb 26 02:50:42 :202534: <DBUG> |dhcpdwrap| |dhcp| Datapath vlan1: DISCOVER 00:19:d2:01:0b:84 Options 74:01 3d:010019d2010b84 0c:736861626172657368612d39393730 3c:4d53465420352e30 37:010f03062c2e2f1f21f92b
Feb 26 02:53:03 :202534: <DBUG> |dhcpdwrap| |dhcp| Datapath vlan10: DISCOVER 00:26:c6:52:6b:7c Options 74:01 3d:010026c6526b7c 0c:41525542412d46416c73653232 3c:4d53465420352e30 37:010f03062c2e2f1f21f92b 2b:dc00
...
(host) (config) #show log network all| include REQUEST
Feb 26 02:53:04 :202536: <DBUG> |dhcpdwrap| |dhcp| Datapath vlan10: REQUEST 00:26:c6:52:6b:7c reqIP=10.10.10.254 Options 3d:010026c6526b7c 36:0a0a0a02 0c:41525542412d46416c73653232 51:00000041525542412d46416c736532322e73757279612e636f6d 3c:4d53465420352e30 37:010f03062c2e2f1f21f92b 2b:dc0100
Feb 26 02:53:04 :202536: <DBUG> |dhcpdwrap| |dhcp| Datapath vlan10: REQUEST 00:26:c6:52:6b:7c reqIP=10.10.10.254 Options 3d:010026c6526b7c 36:0a0a0a02 0c:41525542412d46416c73653232 51:00000041525542412d46416c736532322e73757279612e636f6d 3c:4d53465420352e30 37:010f03062c2e2f1f21f92b 2b:dc0100
Feb 26 02:56:02 :202536: <DBUG> |dhcpdwrap| |dhcp| Datapath vlan10: REQUEST 00:26:c6:52:6b:7c reqIP=10.10.10.254 Options 3d:010026c6526b7c 0c:41525542412d46416c73653232 51:00000041525542412d46416c736532322e73757279612e636f6d 3c:4d53465420352e30 37:010f03062c2e2f1f21f92b 2b:dc0100
Examples
The following command sets the client's user role to "guest" if the client associates to the "Guest" ESSID. The rule description indicates that it was created for special customers.
aaa derivation-rules user derive1
  set role condition essid equals Guest set-value guest description createdforspecialcustomers

The example rule shown below sets a user role for clients whose host name (DHCP option 12) has a value of 6C6170746F70, which is the hexadecimal equivalent of the ASCII string "laptop". The first two digits in the Value field are the hexadecimal value of 12 (which is 0C), followed by the specific signature to be matched.
aaa derivation-rules user device-role
  set role condition dhcp-option equals 0C6C6170746F70 set-value laptop_role
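The following Python sketch is an added example, not part of the original guide or of AOS-W. It parses DHCP debug lines in the format shown in the show log network sample above, builds the Value field for a dhcp-option rule, and reports which logged clients a candidate value would match; the function names are hypothetical and the two sample lines are copied from that log sample.

```python
import re

# Sample input: two DISCOVER lines copied from the show log network sample on this page.
SAMPLE_LOG = """\
Feb 26 02:50:34 :202534: <DBUG> |dhcpdwrap| |dhcp| Datapath vlan1: DISCOVER 00:19:d2:01:0b:84 Options 74:01 3d:010019d2010b84 0c:736861626172657368612d39393730 3c:4d53465420352e30 37:010f03062c2e2f1f21f92b
Feb 26 02:53:03 :202534: <DBUG> |dhcpdwrap| |dhcp| Datapath vlan10: DISCOVER 00:26:c6:52:6b:7c Options 74:01 3d:010026c6526b7c 0c:41525542412d46416c73653232 3c:4d53465420352e30 37:010f03062c2e2f1f21f92b 2b:dc00
"""

LINE_RE = re.compile(
    r"Datapath (?P<vlan>\S+): (?P<kind>DISCOVER|REQUEST) "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) .*?Options (?P<opts>.*)$",
    re.IGNORECASE,
)
OPT_RE = re.compile(r"^([0-9a-f]{2}):((?:[0-9a-f]{2})+)$", re.IGNORECASE)


def parse_dhcp_log(text):
    """Return one record per DISCOVER/REQUEST line with its options as {hex code: hex payload}."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        options = {}
        for token in m.group("opts").split():
            o = OPT_RE.match(token)
            if o:  # skips "..." and anything that is not <code>:<hex payload>
                options[o.group(1).upper()] = o.group(2).upper()
        records.append({"vlan": m.group("vlan"), "kind": m.group("kind").upper(),
                        "mac": m.group("mac").lower(), "options": options})
    return records


def rule_value(option_number, signature_hex):
    """Value field for a dhcp-option rule: option number as two hex digits, then the signature."""
    if not 0 < option_number < 255:
        raise ValueError("DHCP option number must be 1-254")
    bytes.fromhex(signature_hex)  # raises ValueError if the signature is not valid hex
    return f"{option_number:02X}{signature_hex.upper()}"


def printable(payload_hex):
    """Decode a payload to ASCII when every byte is printable, otherwise return None."""
    raw = bytes.fromhex(payload_hex)
    return raw.decode("ascii") if all(32 <= b < 127 for b in raw) else None


def clients_matched(records, value, condition="equals"):
    """MAC addresses whose logged options satisfy a dhcp-option rule (not case sensitive)."""
    if condition not in ("equals", "starts-with"):
        raise ValueError("dhcp-option rules accept only equals and starts-with")
    code, signature = value[:2].upper(), value[2:].upper()
    matched = set()
    for record in records:
        payload = record["options"].get(code)
        if payload is None:
            continue
        if payload == signature or (condition == "starts-with" and payload.startswith(signature)):
            matched.add(record["mac"])
    return sorted(matched)


if __name__ == "__main__":
    recs = parse_dhcp_log(SAMPLE_LOG)
    for rec in recs:
        print(rec["mac"], "host name:", printable(rec["options"]["0C"]),
              "vendor class:", printable(rec["options"]["3C"]))
    vendor_rule = rule_value(60, recs[0]["options"]["3C"])
    print(vendor_rule, "matches", clients_matched(recs, vendor_rule))
```

In the sample, both clients send the same vendor class identifier and parameter request list, so a rule built on option 60 or 55 matches both, while a rule on option 12 separates them. Because the payloads come from the client's own DHCP frames, check a candidate value against logs from several device types before using it in a rule.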
Command History

| Version | Description |
|---|---|
| AOS-W 3.0 | Command introduced. |
| AOS-W 6.0 | Description parameter was introduced. |
| AOS-W 6.1 | DHCP-Option rule type was introduced. |

Command Information

| Platforms | Licensing | Command Mode |
|---|---|---|
| All platforms | Base operating system. The PEFNG license must be installed for a user role to be assigned. | Config mode on master switches |

aaa dns-query-interval
aaa dns-query-interval <minutes>
Description
Configure how often the switch should generate a DNS request to cache the IP address for a RADIUS server identified via its fully qualified domain name (FQDN).
Syntax

| Parameter | Description |
|---|---|
| <minutes> | Specify, in minutes, the interval between DNS requests sent from the switch to the DNS server. By default, DNS requests are sent every 15 minutes. Range: 1-1440 minutes |

Usage Guidelines
If you define a RADIUS server using the FQDN of the server rather than its IP address, the switch will periodically generate a DNS request and cache the IP address returned in the DNS response. Issue this command to configure the frequency of these requests.
Example
This command configures a DNS query interval of 30 minutes.
(host) # aaa dns-query-interval 30
Related Commands
To view the current DNS query interval, issue the command show aaa dns-query-interval.
Command History
This command was available in AOS-W 6.0.
Command Information

| Platforms | Licensing | Command Mode |
|---|---|---|
| All platforms | Base operating system | Config mode on local and master switches |

aaa inservice
aaa inservice <server-group> <server>
Description
This command designates an "out of service" authentication server to be "in service".
Syntax

| Parameter | Description |
|---|---|
| <server-group> | Server group to which this server is assigned. |
| <server> | Name of the configured authentication server. |

Usage Guidelines
By default, the switch marks an unresponsive authentication server as "out of service" for a period of 10 minutes (you can set a different time limit with the aaa timers dead-time command). The aaa inservice command is useful when you become aware that an "out of service" authentication server is again available before the dead-time period has elapsed. (You can use the aaa test-server command to test the availability and response of a configured authentication server.)
Example
The following command sets an authentication server to be in service:
aaa inservice corp-rad rad1
Command History
This command was available in AOS-W 3.0.
Command Information

| Platforms | Licensing | Command Mode |
|---|---|---|
| All platforms | Base operating system | Enable mode on master switches |

aaa ipv6 user add
aaa ipv6 user add <ipv6addr> authentication-method {dot1x|stateful-dot1x} mac <macaddr> name <username> profile <aaa-profile> role <role>
Description
This command manually assigns a user role or other values to a specified IPv6 client.
Syntax

| Parameter | Description |
|---|---|
| <ipv6addr> | IPv6 address of the user to be added. |
| authentication-method | Authentication method for the client. |
| dot1x | 802.1X authentication. |
| stateful-dot1x | Stateful 802.1X authentication. |
| mac <macaddr> | MAC address of the client. |
| name <username> | Name of the client. |
| profile <aaa-profile> | AAA profile for the client. |
| role <role> | User role for the client. |

Usage Guidelines
This command should only be used for troubleshooting issues with a specific IPv6 client. This command allows you to manually assign a client to a role. For example, you can create a role "debugging" that includes a policy to mirror session packets to a specified destination for further examination, then use this command to assign the "debugging" role to a specific client. Use the aaa ipv6 user delete command to remove the client or device from the role. Note that issuing this command does not affect ongoing sessions that the client may already have. For example, if a client is in the "employee" role when you assign them to the "debugging" role, the client continues any sessions allowed with the "employee" role. Use the aaa ipv6 user clear-sessions command to clear ongoing sessions.
Example
The following commands create a role that logs HTTPS traffic, then assign the role to a specific IPv6 client:
ip access-list session ipv6-log-https
  any any svc-https permit log
user-role ipv6-web-debug
  session-acl ipv6-log-https
In enable mode:
aaa ipv6 user add 2002:d81f:f9f0:1000:e409:9331:1d27:ef44 role ipv6-web-debug

Command History
This command was available in AOS-W 3.3.
Command Information

| Platforms | Licensing | Command Mode |
|---|---|---|
| All platforms | Base operating system | Enable mode on master switches |

aaa ipv6 user clear-sessions
aaa ipv6 user clear-sessions <ipaddr>
Description
This command clears ongoing sessions for the specified IPv6 client.
Syntax

| Parameter | Description |
|---|---|
| <ipaddr> | IPv6 address of the client. |

Usage Guidelines
This command clears any ongoing sessions that the client already had before being assigned a role with the aaa ipv6 user add command.
Example
The following command clears ongoing sessions for an IPv6 client:
aaa ipv6 user clear-sessions 2002:d81f:f9f0:1000:e409:9331:1d27:ef44
Command History
This command was available in AOS-W 3.3.
Command Information

| Platforms | Licensing | Command Mode |
|---|---|---|
| All platforms | Base operating system | Enable mode on master switches |

aaa ipv6 user delete
aaa ipv6 user delete {<ipaddr>|all|mac <macaddr>|name <username>|role <role>}
Description
This command deletes IPv6 clients, users, or roles.
Syntax

| Parameter | Description |
|---|---|
| <ipv6addr> | IPv6 address of the client to be deleted. |
| all | Deletes all connected IPv6 clients. |
| mac | MAC address of the IPv6 client to be deleted. |
| name | Name of the IPv6 client to be deleted. |
| role | Role of the IPv6 client to be deleted. |

Usage Guidelines
This command allows you to manually delete clients, users, or roles. For example, if you used the aaa ipv6 user add command to assign a user role to an IPv6 client, you can use this command to remove the role assignment.
Example
The following command deletes a role:
aaa ipv6 user delete role web-debug
Command History
This command was available in AOS-W 3.0.
Command Information

| Platforms | Licensing | Command Mode |
|---|---|---|
| All platforms | Base operating system | Enable mode on master switches |

aaa ipv6 user logout
aaa ipv6 user logout <ipaddr>
Description
This command logs out an IPv6 client.
Syntax

| Parameter | Description |
|---|---|
| <ipv6addr> | IPv6 address of the client to be logged out. |

Usage Guidelines
This command logs out an authenticated IPv6 client. The client must reauthenticate.
Example
The following command logs out an IPv6 client:
aaa ipv6 user logout 2002:d81f:f9f0:1000:e409:9331:1d27:ef44
Command History
This command was available in AOS-W 3.3.
Command Information

| Platforms | Licensing | Command Mode |
|---|---|---|
| All platforms | Base operating system | Enable mode on master switches |

aaa password-policy mgmt
aaa password-policy mgmt
  enable
  no
  password-lock-out
  password-lock-out-time
  password-max-character-repeat
  password-min-digit
  password-min-length
  password-min-lowercase-characters
  password-min-special-character
  password-min-uppercase-characters
  password-not-username
Description
Define a policy for creating management user passwords.
Syntax

| Parameter | Description |
|---|---|
| enable | Enable the password management policy. |
| password-lock-out | The number of failed attempts within a 3 minute window that causes the user to be locked out for the period of time specified by the password-lock-out-time parameter. Range: 0-10 attempts. By default, the password lockout feature is disabled, and the default value of this parameter is 0 attempts. |
| password-lock-out-time | The number of minutes a user who has exceeded the maximum number of failed password attempts is locked out of the network. After this period has passed, the lockout is cleared without administrator intervention. Range: 1 min to 1440 min (24 hrs). Default: 3. NOTE: When a management user gets locked out, that event is logged in the switch log file. The management user lockout warning message can have any one of the following warning IDs. 125060 = Password policy locked out a management user created via the mgmt-user command in the serial console CLI. 125061 = Password policy locked out a management user created via the WebUI or the mgmt-user command in the Telnet/SSH CLI. 133109 = Password policy locked out a management user created via the local-userdb command in the CLI. |
| password-max-character-repeat | The maximum number of consecutive repeating characters allowed in a management user password. Range: 0-10 characters. By default, there is no limitation on the number of characters that can repeat within a password, and the parameter has a default value of 0 characters. |
| password-min-digit | The minimum number of numeric digits required in a management user password. Range: 0-10 digits. By default, there is no requirement for numerical digits in a password, and the parameter has a default value of 0. |
| password-min-length | The minimum number of characters required for a management user password. Range: 6-64 characters. Default: 6. |
| password-min-lowercase-characters | The minimum number of lowercase characters required in a management user password. Range: 0-10 characters. By default, there is no requirement for lowercase letters in a password, and the parameter has a default value of 0. |
| password-min-special-character | The minimum number of special characters required in a management user password. Range: 0-10 characters. By default, there is no requirement for special characters in a password, and the parameter has a default value of 0. See Usage Guidelines below for a list of allowed and disallowed special characters. |
| password-min-uppercase-characters | The minimum number of uppercase characters required in a management user password. Range: 0-10 characters. By default, there is no requirement for uppercase letters in a password, and the parameter has a default value of 0. |
| password-not-username | Password cannot be the management user's current username or the username spelled backwards. |

Usage Guidelines
By default, the password for a management user has no requirements other than a minimum length of 6 alphanumeric or special characters. You do not need to configure a different management user password policy unless your company enforces a best practices password policy for management users with root access to network equipment.
The table below lists the special characters allowed and not allowed in any management user password.

Allowed Characters:
- exclamation point: !
- underscore: _
- at symbol: @
- pound sign: #
- dollar sign: $
- percent sign: %
- caret: ^
- ampersand: &
- star: *
- greater and less than symbols: < >
- curled braces: { }
- straight braces: [ ]
- colon: :
- period: .
- pipe: |
- plus sign: +
- tilde: ~
- comma: ,
- accent mark: `

Disallowed Characters:
- parenthesis: ( )
- apostrophe: '
- semi-colon: ;
- dash: -
- equals sign: =
- slash: /
- question mark: ?

Example
The following command sets a management password policy that requires the password to have a minimum of nine characters, including one numerical digit and one special character:
aaa password-policy mgmt
  enable
  password-min-digit 1
  password-min-length 9
  password-min-special-characters 1
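The following Python sketch is an added example, not part of the original guide or of AOS-W. It checks a candidate management password against the policy parameters and the allowed and disallowed character lists described above, which is useful for validating generated credentials before provisioning. The class and function names are hypothetical, and the reading of "consecutive repeating characters" as the longest run of one character, the case-sensitive username comparison and "-" as the dash character are assumptions.

```python
import string
from dataclasses import dataclass
from itertools import groupby

# Special characters from the allowed / disallowed lists on this page.
ALLOWED_SPECIAL = set("!_@#$%^&*<>{}[]:.|+~,`")
# The page names "dash" as disallowed; the character "-" is assumed here.
DISALLOWED_SPECIAL = set("()';-=/?")


@dataclass
class MgmtPasswordPolicy:
    """Hypothetical container; defaults follow the parameter defaults documented above."""
    min_length: int = 6            # password-min-length (range 6-64)
    min_digit: int = 0             # password-min-digit
    min_lowercase: int = 0         # password-min-lowercase-characters
    min_uppercase: int = 0         # password-min-uppercase-characters
    min_special: int = 0           # password-min-special-character
    max_character_repeat: int = 0  # password-max-character-repeat (0 = no limit)
    not_username: bool = False     # password-not-username


def longest_run(text):
    """Length of the longest run of one repeated character (assumed meaning of 'repeat')."""
    return max((len(list(group)) for _, group in groupby(text)), default=0)


def violations(policy, username, password):
    """Return the names of the policy parameters that the candidate password breaks."""
    broken = []
    if set(password) & DISALLOWED_SPECIAL:
        broken.append("disallowed-character")
    if len(password) < policy.min_length:
        broken.append("password-min-length")
    minimums = [
        ("password-min-digit", string.digits, policy.min_digit),
        ("password-min-lowercase-characters", string.ascii_lowercase, policy.min_lowercase),
        ("password-min-uppercase-characters", string.ascii_uppercase, policy.min_uppercase),
        ("password-min-special-character", ALLOWED_SPECIAL, policy.min_special),
    ]
    for name, alphabet, minimum in minimums:
        if sum(ch in alphabet for ch in password) < minimum:
            broken.append(name)
    if policy.max_character_repeat and longest_run(password) > policy.max_character_repeat:
        broken.append("password-max-character-repeat")
    # Username itself or the username spelled backwards (compared case-sensitively here).
    if policy.not_username and password in (username, username[::-1]):
        broken.append("password-not-username")
    return broken


# The policy from the Example above: nine characters, one digit, one special character.
EXAMPLE_POLICY = MgmtPasswordPolicy(min_length=9, min_digit=1, min_special=1)

if __name__ == "__main__":
    # Constructed candidate passwords, for illustration only.
    for candidate in ("Summer2013", "N3tw0rk#Ops", "Ops-Team#2013"):
        print(candidate, violations(EXAMPLE_POLICY, "admin", candidate))
```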
Related Commands

| Command | Description | Mode |
|---|---|---|
| show aaa password-policy mgmt | Use show aaa password-policy mgmt to show the current management password policy | Enable mode |

Command History
This command was available in AOS-W 5.0.
Command Information

| Platforms | Licensing | Command Mode |
|---|---|---|
| All platforms | Base operating system | Enable mode on master switches |

aaa profile
aaa profile <profile>
  authentication-dot1x <dot1x-profile>
  authentication-mac <mac-profile>
  clone <profile>
  devtype-classification
  dot1x-default-role <role>
  dot1x-server-group <group>
  enforce-dhcp
  initial-role <role>
  l2-auth-fail-through
  mac-default-role <role>
  mac-server-group <group>
  no ...
  radius-accounting <group>
  radius-interim-accounting
  rfc-3576-server <ipaddr>
  sip-authentication-role <role>
  user-derivation-rules <profile>
  wired-to-wireless-roam
  xml-api-server <ipaddr>
Description
This command configures the authentication for a WLAN.
Syntax

| Parameter | Description | Default |
|---|---|---|
| <profile> | Name that identifies this instance of the profile. The name must be 1-63 characters. | "default" |
| authentication-dot1x <dot1x-profile> | Name of the 802.1X authentication profile associated with the WLAN. See aaa authentication dot1x on page 20. | -- |
| authentication-mac <mac-profile> | Name of the MAC authentication profile associated with the WLAN. See aaa authentication mac on page 26. | -- |
| clone <profile> | Name of an existing AAA profile configuration from which parameter values are copied. | -- |
| devtype-classification | The device identification feature can automatically identify different client device types and operating systems by parsing the User-Agent strings in a client's HTTP packets. When the devtype-classification parameter is enabled, the output of the show user and show user-table commands shows each client's device type, if that client device can be identified. | enabled |
| dot1x-default-role <role> | Configured role assigned to the client after 802.1X authentication. If derivation rules are present, the role assigned to the client through these rules takes precedence over the default role. NOTE: This parameter requires the PEFNG license. | guest |
| dot1x-server-group <group> | Name of the server group used for 802.1X authentication. See aaa server-group on page 82. | -- |
| enforce-dhcp | When you enable this option, clients must complete a DHCP exchange to obtain an IP address. Best practices are to enable this option when you use the aaa derivation-rules command to create a rule with the DHCP-Option rule type. This parameter is disabled by default. | disabled |
| initial-role <role> | Role for unauthenticated users. | logon |
| l2-auth-fail-through | To select different authentication method if one fails | disabled |
| mac-default-role <role> | Configured role assigned to the user when the device is MAC authenticated. If derivation rules are present, the role assigned to the client through these rules takes precedence over the default role. NOTE: This parameter requires the PEFNG license. | guest |
| mac-server-group group | Name of the server group used for MAC authentication. See aaa server-group on page 82. | -- |
| no | Negates any configured parameter. | -- |
| radius-accounting <group> | Name of the server group used for RADIUS accounting. See aaa server-group on page 82. | -- |
| radius-interim-accounting | By default, the RADIUS accounting feature sends only start and stop messages to the RADIUS accounting server. Issue the interim-radius-accounting command to allow the switch to send Interim-Update messages with current user statistics to the server at regular intervals. | disabled |
| rfc-3576-server <ip-addr> | IP address of a RADIUS server that can send user disconnect and change-of-authorization messages, as described in RFC 3576, "Dynamic Authorization Extensions to Remote Dial In User Service (RADIUS)". See aaa rfc-3576-server on page 80. NOTE: This parameter requires the PEFNG license. | -- |
| sip-authentication-role <role> | Configured role assigned to a session initiation protocol (SIP) client upon registration. NOTE: This parameter requires the PEFNG license. | guest |
| user-derivation-rules <profile> | User attribute profile from which the user role or VLAN is derived. | -- |
| wired-to-wireless-roam | Keeps user authenticated when roaming from the wired side of the network. | enabled |
| xml-api-server <ip-addr> | IP address of a configured XML API server. See aaa xml-api on page 99. NOTE: This parameter requires the PEFNG license. | -- |

Usage Guidelines
The AAA profile defines the user role for unauthenticated users, the default user role for MAC or 802.1X authentication, and user derivation rules. The AAA profile contains the authentication profile and authentication server group.
There are predefined AAA profiles available: default-dot1x, default-mac-auth, and default-open, that have the parameter values shown in the following table.

| Parameter | default-dot1x | default-mac-auth | default-open |
|---|---|---|---|
| authentication-dot1x | default | N/A | N/A |
| authentication-mac | N/A | default | N/A |
| dot1x-default-role | authenticated | guest | guest |
| dot1x-server-group | N/A | N/A | N/A |
| initial-role | logon | logon | logon |
| mac-default-role | guest | authenticated | guest |
| mac-server-group | default | default | default |
| radius-accounting | N/A | N/A | N/A |
| rfc-3576-server | N/A | N/A | N/A |
| user-derivation-rules | N/A | N/A | N/A |
| wired-to-wireless roam | enabled | enabled | enabled |

Example
The following command configures an AAA profile that assigns the "employee" role to clients after they are authenticated using the 802.1X server group "radiusnet".
aaa profile corpnet
  dot1x-default-role employee
  dot1x-server-group zachjennings
Command History

| Version | Description |
|---|---|
| AOS-W 3.1 | Command introduced. |
| AOS-W 3.4.1 | License requirements changed in AOS-W 3.4.1, so the sip-authentication-role parameter required the Policy Enforcement Firewall license instead of the Voice Services Module license required in earlier versions. |
| AOS-W 6.1 | The radius-interim-accounting, devtype-classification and enforce-dhcp parameters were introduced. |

Command Information

| Platforms | Licensing | Command Mode |
|---|---|---|
| All platforms | Base operating system, except for noted parameters | Config mode on master switches |

aaa query-user
aaa query-user <ldap-server-name> <user-name>
Description
Troubleshoot an LDAP authentication failure by verifying that the user exists in the LDAP server database.
Syntax

| Parameter | Description |
|---|---|
| <ldap-server-name> | Name of an LDAP server. |
| <user-name> | Name of a user whose LDAP record you want to view. |

Usage Guidelines
If the Admin-DN binds successfully but the wireless user fails to authenticate, issue this command to troubleshoot whether the problem is with the wireless network, the switch, or the LDAP server. The aaa query-user <ldap-server-name> <user-name> command makes the switch send a search query to find the user. If that search fails even though the user is in the LDAP database, the most probable cause is that the base DN where the search was started was not correct. In that case, it is advisable to set the base DN at the root of the LDAP tree.
Example
The example below shows part of the output for an LDAP record for the username JDOE.
(host) #aaa query-user eng JDOE
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: John Doe
sn: Doe
userCertificate: 0\202\005\2240\202\004|\240\003\002\001\002\002\012H\011\333K
userCertificate: 0\202\005\2240\202\004|\240\003\002\001\002\002\012]\350\346F
userCertificate: 0\202\005\2240\202\004|\240\003\002\001\002\002\012\023\001\017\240
userCertificate: 0\202\005\2240\202\004|\240\003\002\001\002\002\012\031\224/\030
userCertificate: 0\202\005~0\202\004f\240\003\002\001\002\002\012\031\223\246\022
userCertificate: 0\202\005\2240\202\004|\240\003\002\001\002\002\012\037\177\374\305
givenName: JDE
distinguishedName: CN=John Doe,CN=Users,DC=eng,DC=net
instanceType: 4
whenCreated: 20060516232817.0Z
whenChanged: 20081216223053.0Z
displayName: John Doe
uSNCreated: 24599
memberOf: CN=Cert_Admins,CN=Users,DC=eng,DC=net
memberOf: CN=ATAC,CN=Users,DC=eng,DC=net
uSNChanged: 377560
department: eng
name: John Doe
...
Command History
This command was available in AOS-W 3.0.

Command Information

| Platforms | Licensing | Command Mode |
|---|---|---|
| All platforms | Base operating system | Enable mode on master switches |

aaa radius-attributes
aaa radius-attributes add <attribute> <attribute-id> {date|integer|ipaddr|string} [vendor <name> <vendor-id>]
Description
This command configures RADIUS attributes for use with server derivation rules.
Syntax

| Parameter | Description |
|---|---|
| add <attribute> <attribute-id> | Adds the specified attribute name (alphanumeric string), associated attribute ID (integer), and type (date, integer, IP address, or string). |
| date | Adds a date attribute. |
| integer | Adds an integer attribute. |
| ipaddr | Adds an IP address attribute. |
| string | Adds a string attribute. |
| vendor | (Optional) Display attributes for a specific vendor name and vendor ID. |

Usage Guidelines
Add RADIUS attributes for use in server derivation rules. Use the show aaa radius-attributes command to display a list of the current RADIUS attributes recognized by the switch. To add a RADIUS attribute to the list, use the aaa radius-attributes command.
Example
The following command adds the VSA "Alcatel-Lucent-User-Role":
aaa radius-attributes add Alcatel-Lucent-User-Role 1 string vendor Alcatel-Lucents 14823
Command History
This command was available in AOS-W 3.0.
Command Information

| Platforms | Licensing | Command Mode |
|---|---|---|
| All platforms | Base operating system | Config mode on master switches |

aaa rfc-3576-server
aaa rfc-3576-server <ipaddr>
  clone <server>
  key <psk>
  no ...
Description
This command configures a RADIUS server that can send user disconnect and change-of-authorization (CoA) messages, as described in RFC 3576, "Dynamic Authorization Extensions to Remote Dial In User Service (RADIUS)".
Syntax

| Parameter | Description |
|---|---|
| <ipaddr> | IP address of the server. |
| clone <server> | Name of an existing RFC 3576 server configuration from which parameter values are copied. |
| key <psk> | Shared secret to authenticate communication between the RADIUS client and server. |
| no | Negates any configured parameter. |

Usage Guidelines
The disconnect and change-of-authorization messages sent from the server to the switch contain information to identify the user for which the message is sent. The switch supports the following attributes for identifying the users who authenticate with an RFC 3576 server:
- user-name: Name of the user to be authenticated
- framed-ip-address: User's IP address
- calling-station-id: Phone number of a station that originated a call
- accounting-session-id: Unique accounting ID for the user session.
If the authentication server sends both supported and unsupported attributes to the switch, the unknown or unsupported attributes will be ignored. If no matching user is found the switch will send a 503: Session Not Found error message back to the RFC 3576 server.
Example
The following command configures an RFC 3576 server:
aaa rfc-3576-server 10.1.1.245
  clone default
  key P@$$w0rD;

Related Commands
| Command | Description |
|---|---|
| aaa profile rfc-3576-server <ip-addr> | Associate an RFC-3576 server to an AAA profile. |
| show aaa state user | View information for a user whose session timeout is altered by an RFC 3576 server. |

Command History

| Version | Description |
|---|---|
| AOS-W 3.0 | Command introduced |

Command Information

| Platforms | Licensing | Command Mode |
|---|---|---|
| All platforms | Base operating system | Config mode on master switches |

aaa server-group

aaa server-group <group>
  allow-fail-through
  auth-server <name> [match-authstring contains|equals|starts-with <string>] [match-fqdn <string>] [position <number>] [trim-fqdn]
  clone <group>
  no ...
  set role|vlan condition <attribute> contains|ends-with|equals|not-equals|starts-with <string> set-value <set-value-str> [position <number>]

Description
This command allows you to add a configured authentication server to an ordered list in a server group, and configure server rules to derive a user role, VLAN ID or VLAN name from attributes returned by the server during authentication.

Syntax

| Parameter | Description | Default |
|---|---|---|
| <group> | Name that identifies the server group. The name must be 32 characters or less. | -- |
| allow-fail-through | When this option is configured, an authentication failure with the first server in the group causes the switch to attempt authentication with the next server in the list. The switch attempts authentication with each server in the ordered list until either there is a successful authentication or the list of servers in the group is exhausted. | disabled |
| auth-server <name> | Name of a configured authentication server. | -- |
| match-authstring | This option associates the authentication server with a match rule that the switch can compare with the user/client information in the authentication request. With this option, the user/client information in the authentication request can be in any of the following formats: <domain>\<user>, <user>@<domain>, host/<pc-name>.<domain>. An authentication request is sent to the server only if there is a match between the specified match rule and the user/client information. You can configure multiple match rules for an authentication server. | -- |
| contains | The rule matches if the user/client information contains the specified string. | -- |
| equals | The rule matches if the user/client information exactly matches the specified string. | -- |
| starts-with | The rule matches if the user/client information starts with the specified string. | -- |
| match-fqdn <string> | This option associates the authentication server with a specified domain. An authentication request is sent to the server only if there is an exact match between the specified domain and the <domain> portion of the user information sent in the authentication request. With this option, the user information must be in one of the following formats: <domain>\<user>, <user>@<domain> | -- |
| position <number> | Position of the server in the server list. 1 is the top. | (last) |
| trim-fqdn | This option causes the user information in an authentication request to be edited before the request is sent to the server. Specifically, this option removes the <domain>\ portion for user information in the <domain>\<user> format, and removes the @<domain> portion for user information in the <user>@<domain> format. | -- |
| clone | Name of an existing server group from which parameter values are copied. | -- |
| no | Negates any configured parameter. | -- |
| set role\|vlan | Assigns the client a user role, VLAN ID or VLAN name based on attributes returned for the client by the authentication server. Rules are ordered: the first rule that matches the configured condition is applied. VLAN IDs and VLAN names cannot be listed together. | -- |
| condition | Attribute returned by the authentication server. | -- |
| contains | The rule is applied if and only if the attribute value contains the specified string. | -- |
| ends-with | The rule is applied if and only if the attribute value ends with the specified string. | -- |
| equals | The rule is applied if and only if the attribute value equals the specified string. | -- |
| not-equals | The rule is applied if and only if the attribute value is not equal to the specified string. | -- |
| starts-with | The rule is applied if and only if the attribute value begins with the specified string. | -- |
| set-value | User role or VLAN applied to the client when the rule is matched. | -- |
| value-of | Sets the user role or VLAN to the value of the attribute returned. The user role or VLAN ID returned as the value of the attribute must already be configured on the switch when the rule is applied. | -- |

Usage Guidelines
You create a server group for a specific type of authentication or for accounting. The list of servers in a server group is an ordered list, which means that the first server in the group is always used unless it is unavailable (in which case, the next server in the list is used). You can configure servers of different types in a server group; for example, you can include the internal database as a backup to a RADIUS server. You can add the same server to multiple server groups. There is a predefined server group "internal" that contains the internal database.
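The following Python model is an added illustration, not AOS-W code and not part of the original guide. It walks an ordered server group the way the match-authstring, match-fqdn, trim-fqdn and allow-fail-through descriptions read, and records which servers would receive a given identity and in what form. Assumptions: comparisons are case-sensitive, several match rules on one server are OR-ed, and the server names and identities are constructed samples.

```python
# Added model of aaa server-group server selection; not AOS-W code.
from dataclasses import dataclass, field


def split_identity(identity):
    """Return (user, domain) for <domain>\\<user> or <user>@<domain>, else (identity, None)."""
    if "\\" in identity:
        domain, user = identity.split("\\", 1)
        return user, domain
    if "@" in identity:
        user, domain = identity.rsplit("@", 1)
        return user, domain
    return identity, None  # host/<pc-name>.<domain> or a bare user name


@dataclass
class AuthServer:
    name: str
    authstring_rules: list = field(default_factory=list)  # (operator, string) pairs
    fqdn_rules: list = field(default_factory=list)        # match-fqdn domains
    trim_fqdn: bool = False

    def matches(self, identity):
        """A server without match rules receives every request (rules are OR-ed: assumption)."""
        if not self.authstring_rules and not self.fqdn_rules:
            return True
        ops = {
            "contains": lambda s: s in identity,
            "equals": lambda s: s == identity,
            "starts-with": lambda s: identity.startswith(s),
        }
        if any(ops[op](s) for op, s in self.authstring_rules):
            return True
        _, domain = split_identity(identity)
        # match-fqdn needs an exact match on the <domain> portion
        return domain is not None and domain in self.fqdn_rules

    def outgoing_identity(self, identity):
        """trim-fqdn strips <domain>\\ or @<domain> before the request is sent."""
        return split_identity(identity)[0] if self.trim_fqdn else identity


def authenticate(servers, identity, replies, allow_fail_through=False):
    """Walk the ordered list. replies maps server name -> 'accept', 'reject' or 'timeout'.

    Returns (result, attempts); attempts lists (server, identity_sent) in order,
    i.e. every server that saw the credentials.
    """
    attempts = []
    result = "unavailable"
    for server in servers:
        if not server.matches(identity):
            continue  # the request is never sent to this server
        attempts.append((server.name, server.outgoing_identity(identity)))
        reply = replies.get(server.name, "timeout")
        if reply == "accept":
            return "accept", attempts
        if reply == "reject":
            result = "reject"
            if not allow_fail_through:
                return result, attempts
        # timeout (server unavailable) or reject with fail-through: try the next server
    return result, attempts


# Constructed sample group, in position order.
SERVERS = [
    AuthServer("radius-corp", fqdn_rules=["corp.example.com"], trim_fqdn=True),
    AuthServer("radius-hosts", authstring_rules=[("starts-with", "host/")]),
    AuthServer("internal"),
]

if __name__ == "__main__":
    machine = "host/pc7.corp.example.com"
    replies = {"radius-hosts": "reject", "internal": "accept"}
    print(authenticate(SERVERS, "alice@corp.example.com", {"radius-corp": "accept"}))
    print(authenticate(SERVERS, machine, replies))
    print(authenticate(SERVERS, machine, replies, allow_fail_through=True))
```

With allow-fail-through enabled, the attempts list shows a rejected identity being presented to every later matching server, which is the behavior to review before placing a weaker backend such as the internal database last in the group.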
Example
The following command configures a server group "corp-servers" with a RADIUS server as the main authentication server and the internal database as the backup. The command also sets the client's user role to the value of the returned "Class" attribute.
aaa server-group corp-servers
   auth-server radius1 position 1
   auth-server internal position 2
   set role condition Class value-of
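The sketch below is an added illustration in Python, not AOS-W code and not part of the original guide. It evaluates ordered "set role" rules as the syntax table describes them: the first rule whose condition matches is applied, and a value-of rule takes the role name straight from the returned attribute. Assumptions: a rule whose attribute is absent from the reply does not match, comparisons are case-sensitive, and the rules, attribute values and role names are constructed samples. The guide does not say what the switch does when value-of yields a role that is not configured, so the sketch only reports that condition.

```python
# Added model of server-derivation rules for "set role"; not AOS-W code.
OPS = {
    "contains": lambda value, s: s in value,
    "ends-with": lambda value, s: value.endswith(s),
    "equals": lambda value, s: value == s,
    "not-equals": lambda value, s: value != s,
    "starts-with": lambda value, s: value.startswith(s),
}


def derive_role(rules, attributes, configured_roles):
    """Return (role, is_configured) for the first matching rule, or None if no rule matches.

    rules: ordered list of dicts with 'attribute', 'op' and, unless op is
    'value-of', 'operand' and 'role'.
    attributes: dict of attributes returned by the authentication server.
    configured_roles: set of role names that exist on the switch.
    """
    for rule in rules:
        value = attributes.get(rule["attribute"])
        if value is None:
            continue  # attribute not returned: rule cannot match (assumption)
        if rule["op"] == "value-of":
            role = value  # the server chooses the role name
        elif OPS[rule["op"]](value, rule["operand"]):
            role = rule["role"]  # set-value
        else:
            continue
        return role, role in configured_roles
    return None


# Constructed sample rules, in configured order.
RULES = [
    {"attribute": "Filter-Id", "op": "starts-with", "operand": "staff-", "role": "employee"},
    {"attribute": "NAS-Identifier", "op": "not-equals", "operand": "hq-switch", "role": "branch-guest"},
    {"attribute": "Class", "op": "value-of"},
]
ROLES = {"employee", "guest", "branch-guest"}

if __name__ == "__main__":
    print(derive_role(RULES, {"Filter-Id": "staff-eng", "Class": "guest"}, ROLES))
    print(derive_role(RULES, {"Class": "root-admin"}, ROLES))  # role not configured
```

A False in the second element flags a value-of result that names a role missing from the switch, which is worth checking for on the authentication server before the rule is deployed.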
Command History
This command was introduced in AOS-W 3.0.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode Config mode on master switches


aaa sygate-on-demand (deprecated)
aaa sygate-on-demand remediation-failure-role <role>
Description
This command configures the user role assigned to clients that fail Sygate On-Demand Agent (SODA) remediation.
Command History

Version      Description
AOS-W 3.0    Command introduced
AOS-W 3.4    Command deprecated


aaa tacacs-accounting
aaa tacacs-accounting server-group <group> command {action|all|configuration|show} mode {enable|disable}
Description
This command configures reporting of commands issued on the switch to a TACACS+ server group.
Syntax

server-group <group>
    Description: The TACACS server group to which the reporting is sent.
    Range: --
    Default: --

command
    Description: The types of commands that are reported to the TACACS server group.
    Range: --
    Default: --

action
    Description: Reports action commands only.
    Range: --
    Default: --

all
    Description: Reports all commands.
    Range: --
    Default: --

configuration
    Description: Reports configuration commands only.
    Range: --
    Default: --

show
    Description: Reports show commands only.
    Range: --
    Default: --

mode
    Description: Enables accounting for the server group.
    Range: enable/disable
    Default: disabled

Usage Guidelines
You must have previously configured the TACACS+ server and server group (see aaa authentication-server tacacs on page 36 and aaa server-group on page 82).
Example
The following command enables accounting and reporting of configuration commands to the server-group "tacacs1":
aaa tacacs-accounting server-group tacacs1 mode enable command configuration
Command History
This command was available in AOS-W 3.0.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode Config mode on master switches


aaa test-server
aaa test-server {mschapv2|pap} <server> <username> <passwd>
Description
This command tests a configured authentication server.
Syntax

mschapv2
    Description: Use MSCHAPv2 authentication protocol.

pap
    Description: Use PAP authentication protocol.

<server>
    Description: Name of the configured authentication server.

<username>
    Description: Username to use to test the authentication server.

<passwd>
    Description: Password to use to test the authentication server.

Usage Guidelines
This command allows you to check a configured RADIUS authentication server or the internal database. You can use this command to check for an "out of service" RADIUS server.
Example
The following commands add a user in the internal database and verify the configuration:
local-userdb add kgreen lkjHGfds
aaa test-server pap internal kgreen lkjHGfds
Authentication successful
Command History
This command was available in AOS-W 3.0.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode Enable mode on master switches


aaa timers
aaa timers dead-time <minutes> idle-timeout <time> [seconds] logon-lifetime <0-255> stats-timeout <time> [seconds]
Description
This command configures the timers that you can apply to clients and servers.
Syntax

dead-time <minutes>
    Description: Maximum period, in minutes, that the switch considers an unresponsive authentication server to be "out of service".
    This timer is only applicable if there are two or more authentication servers configured on the switch. If there is only one authentication server configured, the server is never considered out of service and all requests are sent to the server.
    If one or more backup servers are configured and a server is unresponsive, it is marked as out of service for the dead time; subsequent requests are sent to the next server on the priority list for the duration of the dead time. If the server is responsive after the dead time has elapsed, it can take over servicing requests from a lower-priority server; if the server continues to be unresponsive, it is marked as down for the dead time.
    Range: 0-50
    Default: 10 minutes

idle-timeout <1-15300>
    Description: Maximum number of minutes after which a client is considered idle if there is no user traffic from the client.
    The timeout period is reset if there is user traffic. If there is no IP traffic in the timeout period or there is no 802.11 traffic as indicated in the station ageout time that is set in the wlan ssid profile, the client is aged out. Once the timeout period has expired, the user is removed immediately and no ping request is sent. If the seconds parameter is not specified, the value defaults to minutes.
    Range: 1 to 255 minutes (30 to 15300 seconds)
    Default: 5 minutes (300 seconds)

logon-lifetime
    Description: Maximum time, in minutes, that unauthenticated clients are allowed to remain logged on.
    Range: 0-255
    Default: 5 minutes

stats-timeout
    Description: User Interim stats timeout value. If the seconds parameter is not specified, the value defaults to minutes.
    Range: 5-10 minutes (300 to 600 seconds)
    Default: 10 minutes (600 seconds)

Usage Guidelines
These parameters can be left at their default values for most implementations.
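The dead-time behavior described in the syntax table can be followed with the short Python model below. It is an added illustration, not AOS-W code and not part of the original guide. Assumptions: time is counted in seconds from an arbitrary start, the server names are constructed, and a request returns None when no server answers, a case the guide does not describe.

```python
# Added model of the aaa timers dead-time rule; not AOS-W code.
class ServerList:
    """Ordered authentication servers, highest priority first."""

    def __init__(self, names, dead_time_minutes=10):
        self.names = list(names)
        self.dead_time = dead_time_minutes * 60  # seconds
        self.out_until = {}  # server name -> time at which it is tried again

    def in_service(self, name, now):
        return now >= self.out_until.get(name, 0)

    def send(self, now, responsive):
        """Send one request at time `now`; `responsive` is the set of servers that answer.

        Returns the name of the server that handled the request, or None.
        """
        for name in self.names:
            if not self.in_service(name, now):
                continue  # still inside its dead time: skipped even if it has recovered
            if name in responsive:
                return name
            # Unresponsive: mark out of service, but only when a backup exists.
            # A single configured server is never considered out of service.
            if len(self.names) > 1:
                self.out_until[name] = now + self.dead_time
        return None


if __name__ == "__main__":
    pool = ServerList(["radius1", "radius2"], dead_time_minutes=10)
    print(pool.send(0, {"radius2"}))               # radius1 times out, radius2 answers
    print(pool.send(300, {"radius1", "radius2"}))  # radius1 is back but still skipped
    print(pool.send(600, {"radius1", "radius2"}))  # dead time elapsed, radius1 takes over
```

The second request shows the operational consequence: a recovered primary server stays bypassed in favor of the lower-priority server until the dead time has elapsed.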


Example
The following command changes the idle time to 10 minutes:
aaa timers idle-timeout 10
Related Commands
(host) (config) #show aaa timers
(host) (config) #show datapath user table
Command History

Version      Description
AOS-W 3.0    Command introduced
AOS-W 3.4    Idle timeout values and defaults changed

Command Information

Platforms All platforms

Licensing Base operating system

Command Mode Config mode on master switches


aaa trusted-ap
aaa trusted-ap <macaddr>
Description
This command configures a trusted non-Alcatel-Lucent AP.
Syntax

<macaddr>
    Description: MAC address of the AP

Usage Guidelines
This command configures a non-Alcatel-Lucent AP as a trusted AP.
Example
The following command configures a trusted non-Alcatel-Lucent AP:
aaa trusted-ap 00:40:96:4d:07:6e
Command History
This command was available in AOS-W 3.0.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode Config mode on master switches


aaa user add
aaa user add <ipaddr> [<nusers>] [authentication-method {dot1x|mac|stateful-dot1x|vpn| web}] [mac-addr <macaddr>] [name <username>] [profile <aaa_profile>] [role <role>]
Description
This command manually assigns a user role or other values to a specified client or device.
Syntax

<ipaddr>
    Description: IP address of the user to be added.

<nusers>
    Description: Number of users to create starting with <ipaddr>.

authentication-method
    Description: Authentication method for the user.

dot1x
    Description: 802.1X authentication.

mac
    Description: MAC authentication.

stateful-dot1x
    Description: Stateful 802.1X authentication.

vpn
    Description: VPN authentication.

web
    Description: Captive portal authentication.

mac-addr <macaddr>
    Description: MAC address of the user.

name <username>
    Description: Name for the user.

profile <aaa_profile>
    Description: AAA profile for the user.

role <role>
    Description: Role for the user.

Usage Guidelines
This command should only be used for troubleshooting issues with a specific client or device. This command allows you to manually assign a client or device to a role. For example, you can create a role "debugging" that includes a policy to mirror session packets to a specified destination for further examination, then use this command to assign the "debugging" role to a specific client. Use the aaa user delete command to remove the client or device from the role.
Note that issuing this command does not affect ongoing sessions that the client may already have. For example, if a client is in the "employee" role when you assign them to the "debugging" role, the client continues any sessions allowed with the "employee" role. Use the aaa user clear-sessions command to clear ongoing sessions.
Example
The following commands create a role that logs HTTPS traffic, then assign the role to a specific client:
ip access-list session log-https
   any any svc-https permit log
user-role web-debug
   session-acl log-https
In enable mode:
aaa user add 10.1.1.236 role web-debug
Command History
This command was available in AOS-W 3.0.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode Enable mode on master switches


aaa user clear-sessions
aaa user clear-sessions <ipaddr>
Description
This command clears ongoing sessions for the specified client.
Syntax

<ipaddr>
    Description: IP address of the user.

Usage Guidelines
This command clears any ongoing sessions that the client already had before being assigned a role with the aaa user add command.
Example
The following command clears ongoing sessions for a client:
aaa user clear-sessions 10.1.1.236
Command History
This command was available in AOS-W 3.0.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode Enable mode on master switches


aaa user delete
aaa user delete {<ipaddr>|all|mac <macaddr>|name <username>|role <role>}
Description
This command deletes clients, users, or roles.
Syntax

<ipaddr>
    Description: IP address of the client to be deleted.

all
    Description: Deletes all connected clients.

mac
    Description: MAC address of the client to be deleted.

name
    Description: Name of the client to be deleted.

role
    Description: Role of the client to be deleted.

Usage Guidelines
This command allows you to manually delete clients, users, or roles. For example, if you used the aaa user add command to assign a user role to a client, you can use this command to remove the role assignment.
Example
The following command deletes a role:
aaa user delete role web-debug
Command History
This command was available in AOS-W 3.0.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode Enable mode on master switches


aaa user fast-age
aaa user fast-age
Description
This command enables fast aging of user table entries.
Syntax
No parameters.
Usage Guidelines
When this feature is enabled, the switch actively sends probe packets to all users with the same MAC address but different IP addresses. The users that fail to respond are purged from the system. This command enables quick detection of multiple instances of the same MAC address in the user table and removal of an "old" IP address. This can occur when a client (or an AP connected to an untrusted port on the switch) changes its IP address.
Command History
This command was available in AOS-W 3.0.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode Config mode on master switches


aaa user logout
aaa user logout <ipaddr>
Description
This command logs out a client.
Syntax

<ipaddr>
    Description: IP address of the client to be logged out.

Usage Guidelines
This command logs out an authenticated client. The client must reauthenticate.
Example
The following command logs out a client:
aaa user logout 10.1.1.236
Command History
This command was available in AOS-W 3.0.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode Enable mode on master switches


aaa user monitor
aaa user monitor <ipaddr>
Description
This command checks to see whether an authenticated user's attributes differ from those in the SOS.
Syntax

<ipaddr>
    Description: IP address of the user whose attributes are being checked.

Usage Guidelines
This command installs a timer that polls the SOS every 60 seconds and checks the following:
- L3 ACLs
- Upstream bandwidth contract
- Downstream bandwidth contract
Example
The following command checks user SOS attributes:
aaa user monitor 10.1.1.236
Command History
This command was available in AOS-W 6.2.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode Enable mode on master switches


aaa user stats-poll
aaa user stats-poll <secs>
Description
This command enables user statistics polling. If enabled, AOS-W polls user data to verify that user information in the switch datapath is synchronized with the data in the switch's authentication module.
Syntax

<secs>
    Description: This command enables user statistics polling, and defines the time interval between polls. The supported range is 60-600 seconds.

Example
The following command enables user statistics polling with an interval of 10 minutes:
aaa user stats-poll 600
Command History
This command was introduced in AOS-W 6.2.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode Config mode on master switches


aaa xml-api
aaa xml-api server <ipaddr> clone <server> default-authentication-role <role> key <key> no ...
Description
This command configures an external XML API server.
Syntax

server
    Description: IP address of the external XML API server.

clone
    Description: Name of an existing XML API server configuration from which parameter values are copied.

key
    Description: Preshared key to authenticate communication between the switch and the XML API server.

default-authentication-role <role>
    Description: Name of the role to be assigned to users after completing XML server authorization.

no
    Description: Negates any configured parameter.

Usage Guidelines
XML API is used for authentication and subscriber management from external agents. This command configures an external XML API server. For example, an XML API server can send a blacklist request for a client to the switch. The server configured with this command is referenced in the AAA profile for the WLAN (see aaa profile on page 73). Contact your Alcatel-Lucent representative for more information about using the XML API.
Example
The following configures an XML API server:
aaa xml-api server 10.210.1.245
   key qwerTYuiOP
Command History
This command was available in AOS-W 3.0.
Command Information

Platforms All platforms

Licensing PEFNG license

Command Mode Config mode on master switches


adp
adp discovery {disable|enable} igmp-join {disable|enable} igmp-vlan <vlan>
Description
This command configures the Alcatel Discovery Protocol (ADP).
Syntax

discovery
    Description: Enables or disables ADP on the switch.
    Range: enabled/disabled
    Default: enabled

igmp-join
    Description: Enables or disables sending of Internet Group Management Protocol (IGMP) join requests from the switches.
    Range: enabled/disabled
    Default: enabled

igmp-vlan
    Description: VLAN to which IGMP reports are sent.
    Range: --
    Default: 0 (default route VLAN used)

Usage Guidelines
Alcatel-Lucent APs send out periodic multicast and broadcast queries to locate the master switch. If the APs are in the same broadcast domain as the master switch and ADP is enabled on the switch, the switch automatically responds to the APs' queries with its IP address. If the APs are not in the same broadcast domain as the master switch, you need to enable multicast on the network. You also need to make sure that all routers are configured to listen for IGMP join requests from the switch and can route the multicast packets. Use the show adp config command to verify that ADP and IGMP join options are enabled on the switch.
Example
The following example enables ADP and the sending of IGMP join requests on the switch:
adp discovery enable igmp-join enable
Command History
This command was available in AOS-W 3.0.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode Config mode on master switches


am
am scan <ipaddr> <channel> [bssid <bssid>]
am test <ipaddr> {suspect-rap bssid <bssid> match-type <match-type> match-method <method>|wired-mac {add|remove {bssid <bssid>|enet-mac <enet-mac>} mac <mac>}
Description
These commands enable channel scanning or testing for the specified air monitor.
Syntax

scan <ipaddr>
    Description: IP address of the air monitor to be scanned.
    Range: --

<channel>
    Description: Channel to which the scanning is tuned. Set to 0 to enable scanning of all channels.
    Range: --

bssid
    Description: BSSID of the air monitor.
    Range: --

test <ipaddr>
    Description: IP address of the air monitor to be tested.
    Range: --

suspect-rap
    Description: Tests suspect-rap feature.
    Range: --

match-type
    Description: Match type.
    Range: eth-wm | ap-wm | eth-gw-wm

match-method
    Description: Match method.
    Range: equal | plus-one | minus-one

wired-mac
    Description: Tests the rogue AP classification feature.
    Range: --

bssid <bssid>
    Description: Specifies the Wired MAC table.

enet-mac
    Description: Specifies the Ethernet MAC table.
    Range: --

mac
    Description: Specifies the MAC entry to add/remove from either the Wired MAC table or the Ethernet MAC table.
    Range: --

Usage Guidelines
These commands are intended to be used with an Alcatel-Lucent AP that is configured as an air monitor. You should not use the am test command unless instructed to do so by an Alcatel-Lucent representative.
Example
The following command sets the air monitor to scan all channels:
(host) (config) #am scan 10.1.1.244 0
Command History:

Release        Modification
AOS-W 3.0      Command introduced
AOS-W 3.3.1    Support for the wired-mac and associated parameters was introduced.


Command Information

Platforms All platforms

Licensing Base operating system

Command Mode Enable and Config mode on master switches


ap-group
ap-group <group>
   ap-system-profile <profile>
   authorization-profile <profile>
   clone <profile>
   dot11a-radio-profile <profile>
   dot11a-traffic-mgmt-profile <profile>
   dot11g-radio-profile <profile>
   dot11g-traffic-mgmt-profile <profile>
   enet0-port-profile <profile>
   enet1-port-profile <profile>
   enet2-port-profile <profile>
   enet3-port-profile <profile>
   enet4-port-profile <profile>
   event-thresholds-profile <profile>
   ids-profile <profile>
   mesh-cluster-profile <profile> priority <priority>
   mesh-radio-profile <profile>
   no ...
   regulatory-domain-profile <profile>
   rf-optimization-profile <profile>
   virtual-ap <profile>
   voip-cac-profile <profile>
Description
This command configures an AP group.
Syntax

<group>
    Description: Name that identifies the AP group. The name must be 1-63 characters.
    NOTE: You cannot use quotes (") in the AP group name.
    Range: --
    Default: "default"

ap-system-profile
    Description: Configures AP administrative operations, such as logging levels. See ap system-profile on page 157.
    Range: --
    Default: "default"

authorization-profile
    Description: Restrictive group for unauthorized AP.
    Range: --
    Default: --

clone
    Description: Name of an existing AP group from which profile names are copied.
    Range: --
    Default: --

dot11a-radio-profile
    Description: Configures 802.11a radio settings and load balancing for the AP group; contains the ARM profile. See rf dot11a-radio-profile on page 525.
    Range: --
    Default: "default"

dot11a-traffic-mgmt-profile
    Description: Configures bandwidth allocation. See wlan traffic-management-profile on page 1552.
    Range: --
    Default: --

dot11g-radio-profile
    Description: Configures 802.11g radio settings and load balancing for the AP group; contains the ARM profile. See rf dot11a-radio-profile on page 525.
    Range: --
    Default: "default"


dot11g-traffic-mgmt-profile
    Description: Configures bandwidth allocation. See wlan traffic-management-profile on page 1552.
    Range: --
    Default: --

enet0-port-profile
    Description: Configures the duplex and speed of the Ethernet interface 0 on the AP. For information on how these profiles are defined, see ap wired-port-profile on page 167.
    Range: --
    Default: "default"

enet1-port-profile
    Description: Configures the duplex and speed of the Ethernet interface 1 on the AP. For information on how these profiles are defined, see ap wired-port-profile on page 167.
    Range: --
    Default: "default"

enet2-port-profile
    Description: Configures the duplex and speed of an Ethernet interface 2 on the AP. These profiles are defined using the command ap wired-port-profile on page 167.
    Range: --
    Default: "default"

enet3-port-profile
    Description: Configures the duplex and speed of an Ethernet interface 3 on the AP. These profiles are defined using the command ap wired-port-profile on page 167.
    Range: --
    Default: "default"

enet4-port-profile
    Description: Configures the duplex and speed of an Ethernet 4 interface on the AP. For information on how these profiles are defined, see ap wired-port-profile on page 167.
    Range: --
    Default: "default"

event-thresholds-profile
    Description: Configures Received Signal Strength Indication (RSSI) metrics. See rf event-thresholds-profile on page 542.
    Range: --
    Default: "default"

ids-profile
    Description: Configures Alcatel-Lucent's Intrusion Detection System (IDS). See ids profile on page 298.
    Range: --
    Default: "default"

mesh-cluster-profile
    Description: Configures the mesh cluster profile for mesh nodes that are members of the AP group. There is a "default" mesh cluster profile; however, it is not applied until you provision the mesh node. See ap mesh-cluster-profile on page 132.
    Range: --
    Default: "default"

priority
    Description: Configures the priority of the mesh cluster profile. If more than two mesh cluster profiles are configured, mesh points use this number to identify primary and backup profile(s). The lower the number, the higher the priority.
    Range: 1-16
    Default: 1

mesh-radio-profile
    Description: Configures the 802.11g and 802.11a radio settings for mesh nodes that are members of the AP group. See ap mesh-ht-ssid-profile on page 134.
    Commands to configure mesh for outdoor APs require the Outdoor Mesh license.
    Range: --
    Default: "default"

no
    Description: Negates any configured parameter.
    Range: --
    Default: --

regulatory-domain-profile
    Description: Configures the country code and valid channels. See ap regulatory-domain-profile on page 148.
    Range: --
    Default: "default"


rf-optimization-profile
    Description: Configure coverage hole and interference detection. See rf optimization-profile on page 547.
    Range: --
    Default: "default"

virtual-ap
    Description: One or more profiles, each of which configures a specified WLAN. See wlan virtual-ap on page 1557.
    Range: --
    Default: "default"

voip-cac-profile
    Description: Configures voice over IP (VoIP) call admission control (CAC) options. See wlan voip-cac-profile on page 1565. This parameter requires the PEFNG license.
    Range: --
    Default: "default"

Usage Guidelines
AP groups are at the top of the configuration hierarchy. An AP group collects virtual AP definitions and configuration profiles, which are applied to APs in the group.
Example
The following command configures a virtual AP profile to the "default" AP group:
(host)(config) #ap-group default
   virtual-ap corpnet
Related Commands
View AP group settings using the command show ap-group.
Command History:

Release        Modification
AOS-W 3.0      Command introduced
AOS-W 3.2      Support for the mesh parameters was introduced
AOS-W 3.4.1    The voip-cac-profile parameter required the PEF license.
AOS-W 5.0      The voip-cac-profile parameter requires the PEFV license.
AOS-W 6.0      The enet-port-profile parameters were introduced.

Command Information

Platforms All platforms

Licensing Base operating system, except for noted parameters

Command Mode Config mode on master switches


ap-leds
ap-leds {all | ap-group <ap-group> | ap-name <ap-name> | ip-addr <ip address> | wired-mac <mac address>} {global blink|normal}|{local blink|normal}
Description
This command allows you to set the behavior of an AP's LEDs.
Syntax

all
    Description: Controls the LED behavior for all APs

ap-group <ap-group>
    Description: Controls the LED behavior for APs in the specified group

ap-name <ap-name>
    Description: Controls the LED behavior for the AP with the specified name

ip-addr <ip-addr>
    Description: Controls the LED behavior for the AP with the specified IP address

wired-mac <mac-addr>
    Description: Controls the LED behavior for the AP with the specified MAC address

global
    Description: Selects all APs on all switches

local
    Description: Selects all APs registered on this switch

blink
    Description: Causes the LEDs to blink for identification

normal
    Description: Restores the LEDs to their normal behavior

Usage Guidelines
Use the ap-leds command to make the LEDs on a defined set of APs either blink or display in the currently configured LED operating mode. Note that if the LED operating mode defined in the AP's system profile is set to "off", then the normal parameter in the ap-leds command will disable the LEDs. If the LED operating mode in the AP system profile is set to "normal", then the normal parameter in this command will allow the LEDs to light as usual.
Example
The following command causes all local APs to blink their LEDs for identification purposes:
ap-leds all local blink
Command History

Release      Modification
AOS-W 3.0    Command introduced

Command Information

Platforms Available on all platforms

Licensing Base operating system

Command Mode Config mode on master or local switches


ap-name
ap-name <name>
   ap-system-profile <profile>
   authorization-profile <profile>
   clone <profile>
   dot11a-radio-profile <profile>
   dot11a-traffic-mgmt-profile <profile>
   dot11g-radio-profile <profile>
   dot11g-traffic-mgmt-profile <profile>
   enet0-profile <profile>
   enet1-profile <profile>
   event-thresholds-profile <profile>
   exclude-mesh-cluster-profile-ap <profile>
   exclude-virtual-ap <profile>
   ids-profile <profile>
   mesh-cluster-profile <profile> priority <priority>
   mesh-radio-profile <profile>
   no ...
   regulatory-domain-profile <profile>
   rf-optimization-profile <profile>
   snmp-profile <profile>
   virtual-ap <profile>
   voip-cac-profile <profile>
Description
This command configures a specific AP.
Syntax

<name>
    Description: Name that identifies the AP. By default, an AP's name can either be the AP's Ethernet MAC address, or if the AP has been previously provisioned with an earlier version of AOS-W, a name in the format <building>.<floor>.<location>. The name must be 1-63 characters.
    NOTE: You cannot use quotes (") in the AP name.
    Default: --

ap-system-profile
    Description: Configures AP administrative operations, such as logging levels. See ap system-profile on page 157.
    Default: "default"

authorization-profile
    Description: Restrictive group for unauthorized AP.
    Default: --

clone
    Description: Name of an existing AP name from which profile names are copied.
    Default: --

dot11a-radio-profile
    Description: Configures 802.11a radio settings for the AP group; contains the ARM profile. See rf dot11a-radio-profile on page 525.
    Default: "default"

dot11a-traffic-mgmt-profile
    Description: Configures bandwidth allocation. See wlan traffic-management-profile on page 1552.
    Default: --

dot11g-radio-profile
    Description: Configures 802.11g radio settings for the AP group; contains the ARM profile. See rf dot11a-radio-profile on page 525.
    Default: "default"


dot11g-traffic-mgmt-profile
    Description: Configures bandwidth allocation. See wlan traffic-management-profile on page 1552.
    Default: --

enet0-profile
    Description: Configures the duplex and speed of the Ethernet 0 interface on the AP. See ap enet-link-profile on page 123.
    Default: "default"

enet1-profile
    Description: Configures the duplex and speed of the Ethernet 1 interface on the AP. See ap enet-link-profile on page 123.
    Default: "default"

event-thresholds-profile
    Description: Configures Received Signal Strength Indication (RSSI) metrics. See rf event-thresholds-profile on page 542.
    Default: "default"

exclude-mesh-cluster-profile-ap
    Description: Excludes the specified mesh cluster profile from this AP. The Secure Enterprise Mesh license must be installed.
    Default: --

exclude-virtual-ap
    Description: Excludes the specified virtual AP profiles from this AP.

ids-profile
    Description: Configures Alcatel-Lucent's Intrusion Detection System (IDS). See ids profile on page 298.
    Default: "default"

mesh-cluster-profile
    Description: Configures the mesh cluster profile for the AP (mesh node). There is a "default" mesh cluster profile; however, it is not applied until you provision the mesh node. See ap mesh-cluster-profile on page 132. The Secure Enterprise Mesh license must be installed.
    Default: "default"

priority
    Description: Configures the priority of the mesh cluster profile. If more than two mesh cluster profiles are configured, mesh points use this number to identify primary and backup profile(s). The supported range of values is 1-16. The lower the number, the higher the priority.
    Default: 1

mesh-radio-profile
    Description: Configures the 802.11g and 802.11a radio settings for the AP (mesh node). See ap mesh-ht-ssid-profile on page 134. The Secure Enterprise Mesh license must be installed.
    Default: "default"

no
    Description: Negates any configured parameter.
    Default: --

regulatory-domain-profile
    Description: Configures the country code and valid channels. See ap regulatory-domain-profile on page 148.
    Default: "default"

rf-optimization-profile
    Description: Configures load balancing and coverage hole and interference detection. See rf optimization-profile on page 547.
    Default: "default"

snmp-profile
    Description: Configures SNMP-related parameters. See ap snmp-profile (deprecated) on page 152.
    Default: "default"

virtual-ap
    Description: One or more profiles, each of which configures a specified WLAN. See wlan virtual-ap on page 1557.
    Default: "default"

voip-cac-profile
    Description: Configures voice over IP (VoIP) call admission control (CAC) options. See wlan voip-cac-profile on page 1565. This parameter requires the PEFNG license.
    Default: "default"

Usage Guidelines
Profiles that are applied to an AP group can be overridden on a per-AP name basis, and virtual APs can be added or excluded on a per-AP name basis. If a particular profile is overridden for an AP, all parameters from the overriding profile are used. There is no merging of individual parameters between the AP and the AP group to which the AP belongs.
Example
The following command excludes a virtual AP profile from a specific AP:
(host) (config) #ap-name 00:0b:86:c0:cf:d8
   exclude-virtual-ap corpnet
Related Commands
View AP settings using the command show ap-name.
Command History

Release        Modification
AOS-W 3.0      Command introduced
AOS-W 3.2      Support for mesh parameters was introduced.
AOS-W 3.4.1    License requirements changed in AOS-W 3.4.1, so the voip-cac-profile parameter required the PEF license instead of the Voice Services Module license required in earlier versions.

Command Information

Platforms All platforms

Licensing Base operating system

Command Mode Config mode on master switches


ap-regroup
ap-regroup {ap-name <name>|serial-num <num>|wired-mac <macaddr>} <group>
Description
This command moves a specified AP into a group.
Syntax

Parameter     Default      Description
ap-name       --           Name of the AP.
serial-num    --           Serial number of the AP.
wired-mac     --           MAC address of the AP.
<group>       "default"    Name that identifies the AP group. The name must be 1-63 characters.

Usage Guidelines
All APs discovered by the switch are assigned to the "default" AP group. An AP can belong to only one AP group at a time. You can move an AP to an AP group that you created with the ap-group command.
This command automatically reboots the AP.

Example
The following command moves an AP to the 'corpnet' group:
(host)(config) #ap-regroup wired-mac 00:0f:1e:11:00:00 corpnet
Command History
This command was introduced in AOS-W 3.0.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Enable and Config mode on master switches


ap-rename
ap-rename {ap-name <name>|serial-num <num>|wired-mac <macaddr>} <new-name>
Description
This command changes the name of an AP to the specified new name.
Syntax

Parameter     Description
ap-name       Current name of the AP.
serial-num    Serial number of the AP.
wired-mac     MAC address of the AP.
<new-name>    New name for the AP. The name must be 1-63 characters. NOTE: You cannot use quotes (") in the AP name.

Usage Guidelines
An AP name must be unique within your network.
This command automatically reboots the AP.

Example
The following command renames an AP:
(host) (config) #ap-rename wired-mac 00:0f:1e:11:00:00 building3-lobby
Command History
This command was introduced in AOS-W 3.0.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Enable and Config mode on master switches


ap debug radio-event-log
ap debug radio-event-log [start|stop|show] [ap-name <name>|ip-addr <ip-addr>|ip6-addr <ip6addr>] radio <0|1> size <size-of-log> events [all|ani|hex|rcfind|rcupdate|rx|size|text|tx {<hexformat>}]

Description
Starts and stops radio event log capture for debugging purposes. On stop, a pktlog file is sent to a dump server.
Syntax

Parameter     Range                             Default                Description
start         --                                --                     Start wifi radio event log.
stop          --                                --                     Stop radio event log and send file to dump server.
ap-name       --                                --                     AP for radio event log capture.
ip-addr       --                                --                     IP address for radio event log capture.
ip6-addr      --                                --                     IPv6 address for radio event log capture.
radio         0 or 1                            --                     Radio index.
size          1024-10485760 bytes (1KB-10MB)    3145728 bytes (3MB)    Radio log size.
events        --                                --                     Classification of event type to capture.
  all         --                                --                     All events in radio.
  ani         --                                --                     Adaptive Noise Immunity control event in radio.
  hex         --                                --                     Hex format of event.
  rcfind      --                                --                     Tx rate control event in radio.
  rcupdate    --                                --                     Tx Rate update event in radio.
  rx          --                                --                     Rx status register event in radio.
  text        --                                --                     Text record event in radio.
  tx          --                                --                     Tx control and Tx status register event in radio.
  hex format  --                                --                     Specify the event in hexadecimal format.

Example
The following command starts and stops a wifi radio event log:
#ap debug radio-event-log start ap-name 6c:f3:7f:c6:71:90 radio 0 events all
#ap debug radio-event-log stop ap-name 6c:f3:7f:c6:71:90 radio 0
#show ap debug radio-event-log status ap-name 6c:f3:7f:c6:71:90
Command History

Release AOS-W 6.2

Modification Command introduced

Command Information

Platforms Available on all platforms

Licensing Base operating system

Command Mode Enable mode on master switches


ap debug radio-registers dump
ap debug radio-registers dump [ap-name <name>|ip-addr <ip-addr>|ip6-addr <ip6-addr>] [filename <filename> {all|interrupt|qcu|radio}]
Description
This command allows you to collect all or specific radio register information into a separate file.
Syntax

Parameter     Description
ap-name       Name of Access Point
ip-addr       Collect radio register information for this specific AP radio.
ip6-addr      Collect radio register information for the spectrum monitor assigned to this ipv6 address.
filename      Name of file where information is collected.
  all         All registers interrupted.
  interrupt   Interrupt related registers.
  qcu         Collect QCU information.
  radio       Radio ID (0 or 1)

Usage Guidelines
This command collects specified radio-register information for debugging purposes, dumps the registers into a local file, and will automatically transfer the file to the dump-server that is configured in 'ap-system-profile.'
Example
The following command collects all radio registers from myap1 into a file called myradioregfile:
#ap debug radio-registers dump ap-name myap1 filename myradioregfile all
Command History
Introduced in AOS-W 6.2.
Command Information

Platforms 802.11n-capable APs

Licensing Base operating system

Command Mode Enable mode on master switches


ap packet-capture
ap packet-capture [open-port|close-port] <port>
ap packet-capture raw-start [<ap-name|ip-addr|ip6-addr>] <target-ip> <target-port> <format> radio <0|1> channel <channel> maxlen <maxlen>
ap packet-capture interactive [<ap-name|ip-addr|ip6-addr>] <filter-spec> <target-ip> <target-port> radio <0|1> channel <channel>
ap packet-capture [clear|stop|pause|resume][<ap-name|ip-addr|ip6-addr>] <pcap-id> radio <0|1>
show ap packet-capture status <ap-name|ip-addr|ip6-addr>
Description
These commands manage WiFi packet capture (PCAP) on Alcatel-Lucent APs. The WiFi packets are encapsulated in a UDP header and sent to a client running a packet analyzer like Wildpacket's Airopeek, Omnipeek, or Wireshark.
Syntax

Parameter          Description
open-port          (CPSEC CAPs and RAPs only) Enable or allow access to this UDP port on the AP for packet capture purposes.
close-port         (CPSEC CAPs and RAPs only) Close or disallow access to this UDP port on the AP for packet capture purposes.
raw-start          Stream packets from the driver to a client running the packet analyzer.
<ipaddr>           IP address of the AP.
<target-ipaddr>    IP address of the client running the packet analyzer.
<target-port>      UDP port number on the client station where the captured packets are sent.
<format>           Specify a number to indicate one of the following formats for captured packets: 0: pcap, 1: peek, 2: airmagnet, 3: pcap+radio header, 4: ppi
channel            (Optional/Applicable only in Air Monitor mode) Number of a radio channel to tune into to capture packets.
maxlen             (Optional) Limit the length of 802.11 frames to include in the capture to a specified maximum.
interactive        Start an interactive packet capture session between an AP and a client running a packet analyzer.
<filter-spec>      Packet Capture filter specification. See Usage Guidelines for details.
clear              Clears the packet capture session.
pause              Pause a packet capture session.
stop               Stop a packet capture session.
resume             Resume a packet capture session.
<pcap-id>          ID of the PCAP session.

Usage Guidelines
These commands direct an Alcatel-Lucent AP to send WiFi packet captures to a client packet analyzer utility such as Airmagnet, Wireshark and so on, on a remote client.
Before using these commands, you need to start the packet analyzer utility on the client and open a capture window for the port from which you are capturing packets. The packet analyzer cannot be used to control the flow or type of packets sent from Alcatel-Lucent APs.
The packet analyzer processes all packets. However, you can apply display filters on the capture window to control the number and type of packets being displayed. In the capture window, the timestamp displayed corresponds to the time that the packet is received by the client and is not synchronized with the time on the Alcatel-Lucent AP.

Filter specification (used in ap packet-capture interactive) supports the following:
- type (beacon/rts/cts/data/ack/ctrl/mgmt/all)
- sta (mac address)
- bss (mac address)
- da (mac address)
- sa (mac address)
- dir (tods, fromds)
- retry (1, 0)
- frag (1, 0)
- wep (1, 0)

Filter spec examples:
(type eq beacon) or ((sta eq 000000010203) and (dir eq tods))
(type == data) && ((sta = 000000010203) || (sta == 000000010203))
(type != beacon)
(wep nq 1)
(type eq all)
Examples
The following command starts a raw packet capture session for the AP ly115 on radio 0, and sends the packets to the client at 10.64.102.4 on port 5000.
(host) (config) #ap packet-capture raw-start ap-name ly115 10.64.102.4 5000 0 radio 0
Packet capture has started for pcap-id:1
The following commands start an interactive packet capture session for the AP ap1.
#ap packet-capture open-port 5555
#ap packet-capture interactive ap-name ap1 "type eq all" 192.168.0.3 5555 radio 0
The output of the command in the example below displays packet capture session statistics for the AP ap1. In this example, the output has been divided into multiple sections to better fit on the pages of this document. In the actual command-line interface, it will appear in a single, long table.

#show ap packet-capture status ap-name ap1

Packet Capture Sessions at ap1, IP 10.3.44.167
----------------------------------------------
pcap-id  filter       type         intf               channel  max-pkts
-------  ------       ----         ----               -------  --------
1        type eq all  interactive  6c:f3:7f:ba:65:70  153      0

max-pkt-size  num-pkts  status       url target        Radio ID
------------  --------  ------       ------            ------
65536         3759      in-progress  192.168.0.3/5555  0

Related Commands
To view the status of outstanding packet capture (pcap) sessions, use show ap packet-capture status.
Command History

Version      Change
AOS-W 3.0    Command Introduced
AOS-W 3.4    The maxlen parameter was introduced, and the pcap start command deprecated.
AOS-W 6.2    Name changed from pcap to ap packet capture.

Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Works in Access Point, Air Monitor, and Spectrum Monitor modes on all AP models in enable mode.
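
The capture commands above stream 802.11 frames over UDP to whatever target address the operator supplies, so command logs are worth reviewing for where captures were sent. The following is an added example, not part of the guide or of AOS-W: it parses logged ap packet-capture commands using the syntax shown on this page. The approved-analyzer list, the finding codes, the policy choices and the sample log lines are assumptions made for illustration.

```python
import ipaddress
import shlex

# Constructed command-accounting lines; prompts and values are illustrative.
SAMPLE_LOG = """\
(host) #ap packet-capture open-port 5555
(host) #ap packet-capture interactive ap-name ap1 "type eq all" 192.168.0.3 5555 radio 0
(host) #ap packet-capture raw-start ap-name ly115 10.64.102.4 5000 0 radio 0
(host) #ap packet-capture raw-start ap-name ly115 10.64.102.4 5000 0 radio 0 maxlen 128
(host) #ap packet-capture stop ap-name ly115 1 radio 0
(host) #show ap packet-capture status ap-name ap1
"""

AP_SELECTORS = {"ap-name", "ip-addr", "ip6-addr"}
MATCH_ALL_OPS = {"eq", "==", "="}


def _is_match_all(filter_spec):
    """True when the interactive filter is only 'type eq all' (no narrowing)."""
    words = filter_spec.replace("(", " ").replace(")", " ").lower().split()
    return (len(words) == 3 and words[0] == "type"
            and words[1] in MATCH_ALL_OPS and words[2] == "all")


def audit_packet_capture(log_text, approved_analyzers):
    """Return (line_number, code, detail) findings for ap packet-capture use.

    The checks are policy assumptions of this example, not vendor guidance.
    """
    approved = {ipaddress.ip_address(a) for a in approved_analyzers}
    findings = []
    open_ports = {}  # UDP port -> line number of the open-port command

    for lineno, line in enumerate(log_text.splitlines(), start=1):
        idx = line.find("ap packet-capture")
        if idx < 0:
            continue  # unrelated command
        if line[:idx].replace("#", " ").split()[-1:] == ["show"]:
            continue  # read-only status query
        args = shlex.split(line[idx:])[2:]  # shlex keeps the quoted filter whole
        if not args:
            continue
        action, rest = args[0], args[1:]

        if action == "open-port" and rest:
            open_ports[rest[0]] = lineno
        elif action == "close-port" and rest:
            open_ports.pop(rest[0], None)
        elif action in ("raw-start", "interactive"):
            if rest and rest[0] in AP_SELECTORS:
                rest = rest[2:]  # drop "<selector> <value>"
            filter_spec = None
            if action == "interactive" and rest:
                filter_spec = rest.pop(0)
            if len(rest) < 2:
                findings.append((lineno, "UNPARSED", line.strip()))
                continue
            target, port = rest[0], rest[1]
            try:
                target_ok = ipaddress.ip_address(target) in approved
            except ValueError:
                target_ok = False
            if not target_ok:
                findings.append((lineno, "UNAPPROVED_TARGET", f"{target}:{port}"))
            if action == "raw-start" and "maxlen" not in rest:
                findings.append((lineno, "NO_MAXLEN", "full-length frames streamed"))
            if filter_spec is not None and _is_match_all(filter_spec):
                findings.append((lineno, "MATCH_ALL_FILTER", filter_spec))

    # Ports opened for capture and never closed in the reviewed window.
    for port, lineno in open_ports.items():
        findings.append((lineno, "PORT_LEFT_OPEN", f"udp/{port}"))
    return findings


if __name__ == "__main__":
    for finding in audit_packet_capture(SAMPLE_LOG, ["192.168.0.3"]):
        print(finding)
```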


ap authorization-profile
ap authorization-profile <profile> authorization-group <profile>
Description
This command defines a temporary configuration profile for remote APs that are not yet authorized on the network.
Syntax

Parameter                          Range    Default            Description
authorization-profile <profile>    --       "default"          Name of this instance of the profile. The name must be 1-63 characters.
authorization-group <profile>      --       "NoAuthApGroup"    Name of a configuration profile to be assigned to the group of unauthorized remote APs.

Usage Guidelines
The AP authorization-profile specifies which configuration should be assigned to a remote AP that has been provisioned but not yet authenticated at the remote site. By default, these yet-unauthorized APs are put into the temporary AP group authorization-group and assigned the predefined profile NoAuthApGroup. This configuration allows a user to connect to an unauthorized remote AP via a wired port and then enter a corporate username and password. Once a valid user has authorized the remote AP, the AP will be permanently marked as authorized on the network and will then download the configuration assigned to that AP by its permanent AP group.
Example
The following command creates a new authorization profile with a non-default configuration for unauthorized remote APs:
ap authorization-profile default2
   authorization-group NoAuthApGroup2
Command History

Release AOS-W 5.0

Modification Command introduced

Command Information

Platforms Available on all platforms

Licensing Base operating system

Command Mode Config mode on master or local switches


apboot
apboot {all [global|local]|ap-group <group> [global|local]|ap-name <name>|ip-addr <ipaddr>|wired-mac <macaddr>}
Description
This command reboots the specified APs.
Syntax

Parameter     Description
all           Reboot all APs.
  global      Reboot APs on all switches.
  local       Reboot only APs registered on this switch. This is the default.
ap-group      Reboot APs in a specified group.
  global      Reboot APs on all switches.
  local       Reboot only APs registered on this switch. This is the default.
ap-name       Reboot the AP with the specified name.
ip-addr       Reboot the AP at the specified IP address.
wired-mac     Reboot the AP at the specified MAC address.

Usage Guidelines
You should not normally need to use this command as APs automatically reboot when you reprovision them. Use this command only when directed to do so by your Alcatel-Lucent representative.
Example
The following command reboots a specific AP:
(host)(config)# apboot ap-name Building3-Lobby
Command History
This command was introduced in AOS-W 3.0.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Enable and Config mode on master switches


apconnect
apconnect {ap-name <name>|bssid <bssid>|ip-addr <ipaddr>} parent-bssid <bssid>
Description
This command instructs a mesh point to disconnect from its current parent and connect to a new parent.
Syntax

Parameter               Description
ap-name <name>          Specify the name of the mesh point to be connected to a new parent.
bssid <bssid>           Specify the BSSID of the mesh point to be connected to a new parent.
ip-addr <ipaddr>        Specify the IP address of the mesh point to be connected to a new parent.
parent-bssid <bssid>    BSSID of the parent to which the mesh point should connect.

Usage Guidelines
To maintain a mesh topology created using the apconnect command, Alcatel-Lucent suggests setting the mesh reselection-mode to reselect-never, otherwise the normal mesh reselection mechanisms could break up the selected topology.
Example
The following command connects the mesh point "meshpoint1" to a new parent with the specified BSSID.
(host) (config) #apconnect ap-name meshpoint1 parent-bssid 00:12:6d:03:1c:f1
Related Commands

Command                                                  Mode                     Description
ap mesh-radio-profile reselection-mode reselect-never    Enable or Config mode    Use this command to prevent the AP from reselecting a new parent.

Command History
This command was introduced in AOS-W 3.4.1
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Enable and Config mode on master switches


apdisconnect
apdisconnect {ap-name <name>|bssid <bssid>|ip-addr <ipaddr>}
Description
This command disconnects a mesh point from its parent.
Syntax

Parameter     Description
ap-name       Specifies the name of the parent AP.
bssid         Specifies the BSSID of the parent AP.
ip-addr       Specifies the IP address of the parent AP.

Usage Guidelines
Each mesh point learns about the mesh portal from its parent (a mesh node that is part of the path to the mesh portal). This command directs a mesh point to disassociate from its parent. The mesh point will attempt to associate with another neighboring mesh node, if available. The old parent is not eligible for re-association for 60 seconds after disconnection.
Example
The following command disconnects a specific mesh point from its parent:
(host) (config) #apdisconnect ap-name meshpoint1
Related Commands

Command       Mode                     Description
apconnect     Enable or Config mode    This command connects a mesh point to a new specified parent.

Command History
This command was introduced in AOS-W 3.2
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Enable and Config mode on master switches


apflash [deprecated]
apflash all|{ap-group <group>}|{ap-name <name>}|{ip-addr <ipaddr>}|{wired-mac <macaddr>} global|local [backup-partition] [server <ipaddr>]
Description
This command reflashes the specified AP. Starting with AOS-W 6.1, this command can only be run by Alcatel-Lucent Technical Support or users in support mode.
Command History

Version      Description
AOS-W 3.0    Command introduced
AOS-W 6.0    The global and local parameters were introduced.
AOS-W 6.1    Command deprecated


ap enet-link-profile
ap enet-link-profile <profile>
   clone <profile>
   dot3az
   duplex {auto|full|half}
   no ...
   speed {10|100|1000|auto}
Description
This command configures an AP Ethernet link profile.
Syntax

Parameter    Range               Default      Description
<profile>    --                  "default"    Name of this instance of the profile. The name must be 1-63 characters.
clone        --                  --           Name of an existing Ethernet Link profile from which parameter values are copied.
dot3az                           disabled     Enable support for the 802.3az Energy Efficient Ethernet (EEE) standard, which allows the APs to consume less power during periods of low data activity. Only OAW-AP130 Series APs support this feature. If this feature is enabled for an AP group, any APs in the group that do not support 802.3az will ignore this setting.
duplex       full/half/auto      auto         The duplex mode of the Ethernet interface, either full, half, or auto-negotiated.
no           --                  --           Negates any configured parameter.
speed        10/100/1000/auto    auto         The speed of the Ethernet interface, either 10 Mbps, 100 Mbps, 1000 Mbps (1 Gbps), or auto-negotiated.

Usage Guidelines
This command configures the duplex and speed of the Ethernet port on the AP. The configurable speed is dependent on the port type.
Example
The following command configures the Ethernet link profile for full-duplex and 100 Mbps:
ap enet-link-profile enet
   duplex full
   speed 100


Command History
Release      Modification
AOS-W 3.0    Command introduced
AOS-W 3.3    Support for 1000 Mbps (1 Gbps) Ethernet port speed was introduced.
AOS-W 6.2    Support for the dot3az parameter was introduced.

Command Information

Platforms Available on all platforms

Licensing Base operating system

Command Mode Config mode on master switches


ap lldp med-network-policy-profile
ap lldp med-network-policy-profile <profile>
   application-type guest-voice|guest-voice-signaling|softphone-voice|streaming-video|video-conferencing|video-signaling|voice|voice-signaling
   clone <profile>
   dscp <dscp>
   l2-priority <l2-priority>
   no ...
   tagged
   vlan <vlan>
Description
Define an LLDP MED network policy profile that defines DSCP values and L2 priority levels for a voice or video application.
Syntax

Parameter                   Range                  Description
application-type            -                      Specify the type of application that this profile manages.
  guest-voice               -                      Use this application type if the AP services a separate voice network for guest users and visitors.
  guest-voice-signaling     -                      Use this application type if the AP is part of a network that requires a different policy for guest voice signaling than for guest voice media. Do not use this application type if the same network policies apply to both guest voice and guest voice signaling traffic.
  softphone-voice           -                      Use this application type if the AP supports voice services using softphone software applications on devices such as PCs or laptops.
  streaming-video                                  Use this application type if the AP supports broadcast or multicast video or other streaming video services that require specific network policy treatment. This application type is not recommended for video applications that rely on TCP with buffering.
  video-conferencing        -                      Use this application type if the AP supports video conferencing equipment that provides real-time, interactive video/audio services.
  video-signaling           -                      Use this application type if the AP is part of a network that requires a different policy for video signaling than for the video media. Do not use this application type if the same network policies apply to both video and video signaling traffic.
  voice                     -                      Use this application type if the AP services IP telephones and other appliances that support interactive voice services. NOTE: This is the default application type.
  voice-signaling           -                      Use this application type if the AP is part of a network that requires a different policy for voice signaling than for the voice media. Do not use this application type if the same network policies apply to both voice and voice signaling traffic.
clone <profile>             -                      Make a copy of an existing profile by specifying that profile name.
dscp                        0-63. Default is 0     Select a Differentiated Services Code Point (DSCP) priority value for the specified application type by specifying a value from 0-63, where 0 is the lowest priority level and 63 is the highest priority.
l2-priority <L2priority>    0-7. Default is 0      Select a 802.1p priority level for the specified application type, by specifying a value from 0-7, where 0 is the lowest priority level and 7 is the highest priority.
no ...                      -                      Issue this command to negate any setting or return a configured parameter to its default value.
tagged                      Default is untagged    Specifies if the policy applies to a VLAN that is tagged with a VLAN ID or untagged. The default value is untagged. NOTE: When an LLDP-MED network policy is defined for use with an untagged VLAN, then the L2 priority field is ignored and only the DSCP value is used.
vlan <vlan>                 Default is 0           Specify a VLAN by VLAN ID (0-4094) or VLAN name.

Usage Guidelines
LLDP-MED (media endpoint devices) is an extension to LLDP that supports interoperability between VoIP devices and other networking clients. LLDP-MED network policy discovery lets end-points and network devices advertise their VLAN IDs (e.g. voice VLAN), priority levels, and DSCP values. AOS-W supports a maximum of eight LLDP MED Network Policy profiles.
Creating an LLDP MED network policy profile does not apply the configuration to any AP or AP interface or interface group. To apply the LLDP-MED network policy profile, you must associate it to an LLDP profile, then apply that LLDP profile to an AP wired port profile.
Example
The following commands create an LLDP MED network policy profile for streaming video applications and mark streaming video as high-priority traffic.
(host) (config) ap lldp med-network-policy-profile vid-stream
(host) (AP LLDP-MED Network Policy Profile "vid-stream") dscp 48
(host) (AP LLDP-MED Network Policy Profile "vid-stream") l2-priority 6
(host) (AP LLDP-MED Network Policy Profile "vid-stream") tagged
(host) (AP LLDP-MED Network Policy Profile "vid-stream") vlan 10
(host) (AP LLDP-MED Network Policy Profile "vid-stream") !
Next, the LLDP MED network policy profile is assigned to an LLDP profile, and the LLDP profile is associated with an AP wired-port profile.
(host) (config) ap lldp profile video1
(host) (AP LLDP Profile "video1") lldp-med-network-policy-profile vid-stream
(host) (AP LLDP Profile "video1") !
(host) (config) ap wired-port-profile corp2
(host) (AP wired port profile "corp2") lldp-profile video1
Command History
This command was introduced in AOS-W 6.2.
Command Information

Platforms Available on all platforms

Licensing Base operating system

Command Mode Config mode on master switches


ap lldp profile
ap lldp profile <profile>
   clone <profile>
   dot1-tlvs port-vlan|vlan-name
   dot3-tlvs link-aggregation|mac|mfs|power
   lldp-med-network-policy-profile <profile>
   lldp-med-tlvs capabilities|inventory|network-policy
   no ...
   optional-tlvs capabilities|management-address|port-description|system-description|system-name
   receive
   transmit
   transmit-hold <transmit-hold>
   transmit-interval <transmit-interval>

Description
Define an LLDP profile that specifies the type-length-value (TLV) elements to be sent in LLDP PDUs.
Syntax

Parameter                                    Description
clone <profile>                              Make a copy of an existing LLDP profile.
dot1-tlvs                                    Specify which of the following 802.1 TLVs the AP will send in LLDP PDUs. By default, the AP will send all 802.1 TLVs.
  port-vlan                                  Transmit the LLDP 802.1 port VLAN TLV. If the native VLAN is configured on the port, the port-vlan TLV will send that value, otherwise it will send a value of "0".
  vlan-name                                  Transmit the LLDP 802.1 VLAN name TLV. The AP sends a value of "Unknown" for VLAN 0, or "VLAN <number>" for nonzero VLAN numbers.
dot3-tlvs                                    Specify which of the following 802.3 TLVs the AP will send in LLDP PDUs. By default, the AP will send all 802.3 TLVs.
  link-aggregation                           Transmit the 802.3 link aggregation TLV to indicate that link aggregation is not supported.
  mac                                        Transmit the 802.3 MAC/PHY Configuration/Status TLV to indicate the AP interface's duplex and bit rate capacity and current duplex and bit rate settings.
  mfs                                        Transmit the 802.3 Maximum Frame Size (MFS) TLV to show the AP's maximum frame size capability.
  power                                      Transmit the 802.3 Power Via media dependent interface (MDI) TLV to show the power support capabilities of the AP interface. NOTE: This parameter is supported by the OAW-RAP3WNP and OAW-AP130 Series only.
lldp-med-network-policy-profile <profile>    Specify the LLDP MED Network Policy profile to be associated with this LLDP profile.
lldp-med-tlvs                                Specify which of the following LLDP-MED TLVs the AP will send in LLDP PDUs. The AP will not send any LLDP-MED TLVs by default.
  capabilities                               Transmit the LLDP-MED capabilities TLV. The AP will automatically send this TLV if any of the other LLDP-MED TLVs are enabled.
  inventory                                  Transmit the LLDP-MED inventory TLV. NOTE: An AP can't send this TLV unless it also sends the LLDP-MED capabilities TLV.
  network-policy                             Transmit the LLDP-MED network-policy TLV. NOTE: An AP can't send this TLV unless it also sends the LLDP-MED capabilities TLV.
optional-tlvs                                Specify which of the following optional TLVs the AP will send in LLDP PDUs.
  capabilities                               Transmit the system capabilities TLV to indicate which capabilities are supported by the AP.
  management-address                         Transmit a TLV that indicates the AP's management IP address, in either IPv4 or IPv6 format.
  port-description                           Transmit a TLV that gives a description of the AP's wired port in an alphanumeric format.
  system-description                         Transmit a TLV that describes the AP's model number and software version.
  system-name                                Transmit a TLV that sends the AP name or wired MAC address.
receive                                      Issue this command to enable LLDP PDU reception. This parameter is enabled by default.
transmit                                     Issue this command to enable LLDP PDU transmission. This parameter is enabled by default.
transmit-hold <transmit-hold>                Enter a value from 1-100. This value is multiplied by the transmit interval to determine the number of seconds to cache learned LLDP information before that information is cleared. If the transmit-hold value is at the default value of 4, and the transmit interval is at its default value of 30 seconds, then learned LLDP information will be cached for 4 x 30 seconds, or 120 seconds.
transmit-interval <transmit-interval>        The interval between LLDP TLV transmissions, in seconds. The supported range is 1-3600 seconds and the default value is 30 seconds.

Usage Guidelines
Link Layer Discovery Protocol (LLDP) is a Layer-2 protocol that allows network devices to advertise their identity and capabilities on a LAN. Wired interfaces on Alcatel-Lucent APs support LLDP by periodically transmitting LLDP Protocol Data Units (PDUs) comprised of type-length-value (TLV) elements. Use this command to specify which TLVs should be sent by the AP interface associated with the LLDP profile.
Example
The following command configures an LLDP profile that allows the AP interface to send the port-vlan and vlan-name TLVs.
ap lldp profile 8021TLVs
   dot1-tlvs port-vlan
   dot1-tlvs vlan-name
Command History
This command was introduced in AOS-W 6.2.
Command Information

Platforms Available on all platforms

Licensing Base operating system

Command Mode Config mode on master switches


ap mesh-cluster-profile
ap mesh-cluster-profile <profile>
   clone <profile>
   cluster <name>
   no ...
   opmode [opensystem | wpa2-psk-aes]
   rf-band {a | g}
   wpa-hexkey <wpa-hexkey>
   wpa-passphrase <wpa-passphrase>
Description
This command configures a mesh cluster profile used by mesh nodes.
Syntax

Parameter         Range                       Default                  Description
<profile>         --                          "default"                Name of this instance of the profile. The name must be 1-63 characters.
clone             --                          --                       Name of an existing mesh cluster profile from which parameter values are copied.
cluster           --                          "Alcatel-Lucent-mesh"    Indicates the mesh cluster name. The name can have a maximum of 32 characters, and is used as the MSSID for the mesh cluster. When you first create a new mesh cluster profile, the profile uses the default cluster name "Alcatel-Lucent-mesh". Use the cluster parameter to define a new, unique MSSID before you assign APs or AP groups to the mesh cluster profile. NOTE: If you want a mesh cluster to use WPA2-PSK-AES encryption, do not use spaces in the mesh cluster name, as this may cause errors in mesh points associated with that mesh cluster. To view existing mesh cluster profiles, use the CLI command show ap mesh-cluster-profile.
no                --                          --                       Negates any configured parameter.
opmode            opensystem, wpa2-psk-aes    opensystem               Configures one of the following types of data encryption. opensystem: No authentication or encryption. wpa2-psk-aes: WPA2 with AES encryption using a preshared key. Best practices are to select wpa2-psk-aes and use the wpa-passphrase parameter to select a passphrase. Keep the passphrase in a safe place.
rf-band           a, g                        a                        Configures the RF band in which multiband mesh nodes should operate: a = 5 GHz, g = 2.4 GHz. Best practices are to use 802.11a radios for mesh deployments.
wpa-hexkey        --                          --                       Configures a WPA pre-shared key.
wpa-passphrase    --                          --                       Sets the WPA password that generates the PSK.

Usage Guidelines
Mesh cluster profiles are specific to mesh nodes (APs configured for mesh) and provide the framework of the mesh network. You must define and configure the mesh cluster profile before configuring an AP to operate as a mesh node. You can configure multiple mesh cluster profiles to be used within a mesh cluster. You must configure different priority levels for each mesh cluster profile. See ap-group or ap-name for more information about priorities. Cluster profiles, including the "default" profile, are not applied until you provision your APs for mesh.
Example
The following command configures a mesh cluster profile named "cluster1" for the mesh cluster "headquarters":
ap mesh-cluster-profile cluster1
   cluster headquarters
Related Commands
To view a complete list of mesh cluster profiles and their status, use the following command:
show ap mesh-cluster-profile
To view the settings of a specific mesh cluster profile, use the following command:
show ap mesh-cluster-profile <name>
Command History
This command was introduced in AOS-W 3.2.
Command Information

Platforms: All platforms
Licensing: Base operating system.
Command Mode: Config mode on master switches


ap mesh-ht-ssid-profile
ap mesh-ht-ssid-profile <profile-name>
   40MHz-enable
   ba-amsdu-enable
   clone <source>
   high-throughput-enable
   ldpc
   legacy-stations
   max-rx-a-mpdu-size
   max-tx-a-mpdu-size
   min-mpdu-start-spacing
   mpdu-agg
   no
   short-guard-intvl-20Mhz
   short-guard-intvl-40Mhz
   stbc-rx-streams
   stbc-tx-streams
   supported-mcs-set
   txbf-comp-steering
   txbf-delayed-feedback
   txbf-explicit-enable
   txbf-immediate-feedback
   txbf-noncomp-steering
   txbf-sounding-interval
Description
This command configures a mesh high-throughput SSID profile used by mesh nodes.
Syntax

Parameter: <profile-name>
Description: Enter the name of an existing mesh high-throughput SSID profile to modify that profile, or enter a new name to create a new mesh high-throughput profile. The mesh high-throughput profile can have a maximum of 32 characters. To view existing high-throughput SSID radio profiles, use the command show ap mesh-radio-profile.
Default: default

Parameter: 40MHz-enable
Description: Enable or disable the use of 40 MHz channels. This parameter is enabled by default.
Default: enabled

Parameter: ba-amsdu-enable
Description: Enable/Disable Receive AMSDU in BA negotiation.
Default: disabled

Parameter: clone <source>
Description: Copy configuration information from a source profile into the currently selected profile.

Parameter: high-throughput-enable
Description: Enable or disable high-throughput (802.11n) features on this SSID. This parameter is enabled by default.
Default: enabled


Parameter: ldpc
Description: If enabled, the AP will advertise Low-density Parity Check (LDPC) support. LDPC improves data transmission over radio channels with high levels of background noise.
Default: enabled

Parameter: legacy-stations
Description: Allow or disallow associations from legacy (non-HT) stations. By default, this parameter is enabled (legacy stations are allowed).
Default: enabled

Parameter: max-tx-a-mpdu-size
Description: Maximum size of a transmitted aggregate MPDU, in bytes.
Range: 1576-65535

Parameter: max-rx-a-mpdu-size
Description: Maximum size of a received aggregate MPDU, in bytes.
Range: 8191, 16383, 32767, 65535

Parameter: min-mpdu-start-spacing
Description: Minimum time between the start of adjacent MPDUs within an aggregate MPDU, in microseconds.
Range: 0 (No restriction on MPDU start spacing), .25 µsec, .5 µsec, 1 µsec, 2 µsec, 4 µsec
Default: 0 µsec

Parameter: mpdu-agg
Description: Enable or disable MAC protocol data unit (MPDU) aggregation. High-throughput mesh APs are able to send aggregated MAC protocol data units (MPDUs), which allow an AP to receive a single block acknowledgment instead of multiple ACK signals. This option, which is enabled by default, reduces network traffic overhead by effectively eliminating the need to initiate a new transfer for every MPDU.
Default: enabled

Parameter: short-guard-intvl-20Mhz
Description: Enable or disable use of short (400ns) guard interval for OAW-AP130 Series APs in 20 MHz mode.
A guard interval is a period of time between transmissions that allows reflections from the previous data transmission to settle before an AP transmits data again. An AP identifies any signal content received inside this interval as unwanted inter-symbol interference, and rejects that data.
The 802.11n standard specifies two guard intervals: 400ns (short) and 800ns (long). Enabling a short guard interval can decrease network overhead by reducing unnecessary idle time on each AP. Some outdoor deployments may, however, require a longer guard interval. If the short guard interval does not allow enough time for reflections to settle in your mesh deployment, inter-symbol interference values may increase and degrade throughput.
This parameter is enabled by default.
Default: enabled

Parameter: short-guard-intvl-40Mhz
Description: Enable or disable use of short (400ns) guard interval in 40 MHz mode.
A guard interval is a period of time between transmissions that allows reflections from the previous data transmission to settle before an AP transmits data again. An AP identifies any signal content received inside this interval as unwanted inter-symbol interference, and rejects that data.
The 802.11n standard specifies two guard intervals: 400ns (short) and 800ns (long). Enabling a short guard interval can decrease network overhead by reducing unnecessary idle time on each AP. Some outdoor deployments may, however, require a longer guard interval. If the short guard interval does not allow enough time for reflections to settle in your mesh deployment, inter-symbol interference values may increase and degrade throughput.
This parameter is enabled by default.
Default: enabled

Parameter: stbc-rx-streams
Description: Controls the maximum number of spatial streams usable for STBC reception. 0 disables STBC reception, 1 uses STBC for MCS 0-7. Higher MCS values are not supported. (Supported on the OAW-AP90 series, OAW-AP130 Series, OAW-AP68, OAW-AP175 and OAW-AP105 only. The configured value will be adjusted based on AP capabilities.)
Range: 0-1
Default: 1

Parameter: stbc-tx-streams
Description: Controls the maximum number of spatial streams usable for STBC transmission. 0 disables STBC transmission, 1 uses STBC for MCS 0-7. Higher MCS values are not supported. (Supported on OAW-AP90 series, OAW-AP175, OAW-AP130 Series and OAW-AP105 only. The configured value will be adjusted based on AP capabilities.)
Range: 0-1
Default: 1

Parameter: supported-mcs-set
Description: A list of Modulation Coding Scheme (MCS) values or ranges of values to be supported on this SSID. The MCS you choose determines the channel width (20MHz vs. 40MHz) and the number of spatial streams used by the mesh node. The default value is 1-15; the complete set of supported values. To specify a smaller range of values, enter a hyphen between the lower and upper values. To specify a series of different values, separate each value with a comma.
Examples:
2-10
1,3,6,9,12
Range: 0-15.
Range: 1-15
Default: 1-15

Guidelines
The mesh high-throughput profile defines settings unique to 802.11n-capable, high-throughput APs. If none of the APs in your mesh deployment are 802.11n-capable APs, you do not need to configure a high-throughput SSID profile.
If you modify a currently provisioned and running high-throughput SSID profile, your changes take effect immediately. You do not reboot the switch or the AP.


Example
The following command configures a mesh high-throughput SSID profile named "HT1" and sets some non-default settings for MAC protocol data unit (MPDU) aggregation:
(host) (config) #ap mesh-ht-ssid-profile HT1
   max-rx-a-mpdu-size 32767
   max-tx-a-mpdu-size 32767
   min-mpdu-start-spacing .25
Related Commands
To view a complete list of mesh high-throughput SSID profiles and their status, use the following command:
(host) (config) #show ap mesh-ht-ssid-profile
To view the settings of a specific mesh radio profile, use the following command:
(host) (config) #show ap mesh-ht-ssid-profile <name>
Command History

Version: AOS-W 3.4
Description: Command introduced

Version: AOS-W 6.1
Description: The short-guard-intvl-20Mhz, ldpc, stbc-rx-streams and stbc-tx-streams parameters were introduced.

Command Information

Platforms: All platforms
Licensing: Base operating system
Command Mode: Config mode on master switches


ap mesh-radio-profile
ap mesh-radio-profile <profile>
   a-tx rates [6|9|12|18|24|36|48|54]
   allowed-vlans <vlan-list>
   children <children>
   clone <profile>
   eapol-rate-opt
   g-tx rates [1|2|5|6|9|11|12|18|24|36|48|54]
   heartbeat-threshold <count>
   hop-count <hop-count>
   link-threshold <count>
   max-retries <max-retries>
   mesh-ht-ssid-profile
   mesh-mcast-opt
   mesh-survivability
   metric-algorithm {best-link-rssi|distributed-tree-rssi}
   mpv <vlan-id>
   no ...
   reselection-mode {reselect-anytime|reselect-never|startup-subthreshold|subthreshold-only}
   rts-threshold <rts-threshold>
Description
This command configures a mesh radio profile used by mesh nodes.
Syntax

Parameter: <profile>
Description: Name of this instance of the profile. The name must be 1-63 characters.
Range: --
Default: "default"

Parameter: allowed-vlans
Description: Specify a list of VLAN IDs that can be used by a mesh link on APs associated with this mesh radio profile.

Parameter: <vlan-list>
Description: A comma-separated list of VLAN IDs. You can also specify a range of VLAN IDs using a dash (for example, 1-4095).

Parameter: a-tx rates
Description: Indicates the transmit rates for the 802.11a radio. The AP attempts to use the highest transmission rate to establish a mesh link. If a rate is unavailable, the AP goes through the list and uses the next highest rate.
Range: 6, 9, 12, 18, 24, 36, 48, 54 Mbps
Default: 6, 9, 12, 18, 24, 36, 48, 54 Mbps

Parameter: children
Description: Indicates the maximum number of children a mesh node can accept.
Range: 1-64
Default: 64

Parameter: clone
Description: Name of an existing mesh radio profile from which parameter values are copied.

Parameter: eapol-rate-opt
Description: Issue this command to choose a more conservative rate for EAPOL frames and mesh echoes.
Range: enabled, disabled
Default: disabled


Parameter: g-tx rates
Description: Indicates the transmit rates for the 802.11b/g radio. The AP attempts to use the highest transmission rate to establish a mesh link. If a rate is unavailable, the AP goes through the list and uses the next highest rate.
Range: 1, 2, 5, 6, 9, 11, 12, 18, 24, 36, 48, 54
Default: 1, 2, 5, 6, 9, 11, 12, 18, 24, 36, 48, 54 Mbps

Parameter: heartbeat-threshold
Description: Indicates the maximum number of heartbeat messages that can be lost between neighboring mesh nodes.
Range: 1-255
Default: 10

Parameter: hop-count
Description: Indicates the maximum hop count from the mesh portal.
Range: 1-32
Default: 8

Parameter: link-threshold
Description: Indicates the minimal RSSI value. If the RSSI value is below this threshold, the link may be considered a sub-threshold link. A sub-threshold link is a link whose average RSSI value falls below the configured threshold.
If this occurs, the mesh node may try to find a better link on the same channel and cluster (only neighbors on the same channel are considered).
The supported threshold is hardware dependent, with a practical range of 10-90.
Range: hardware dependent
Default: 12

Parameter: mesh-ht-ssid-profile
Description: High-throughput SSID Profile for the mesh feature.
Default: default

Parameter: max-retries
Description: Maximum number of times a mesh node can re-send a packet.
Range: 0-15
Default: 4 times

Parameter: mesh-mcast-opt
Description: Enables or disables scanning of all active stations currently associated to a mesh point to select the lowest transmission rate based on the slowest connected mesh child. When enabled, this setting dynamically adjusts the multicast rate to that of the slowest connected mesh child. Multicast frames are not sent if there are no mesh children. Best practices are to use the default value.
Default: enabled

Parameter: mesh-survivability
Description: Allow mesh points and portals to become active even if the switch cannot be reached by bridging LAN traffic. This is a beta feature that is disabled by default; it should not be enabled unless you are instructed to do so by Alcatel-Lucent technical support.
Range: --

Parameter: metric-algorithm
Description: Specifies the algorithm used by a mesh node to select its parent. Best practices are to use the default value distributed-tree-rssi.
Range: --
Default: distributed-tree-rssi

Parameter: best-link-rssi
Description: Selects the parent with the strongest RSSI, regardless of the number of children a potential parent has.
Range: --
Default: --

Parameter: distributed-tree-rssi
Description: Selects the parent based on link-RSSI and node cost based on the number of children. This option evenly distributes the mesh points over high quality uplinks. Low quality uplinks are selected as a last resort.
Range: --
Default: --

Parameter: mpv
Description: This parameter is experimental and reserved for future use.
Range: 0-4094
Default: 0 (disabled)

Parameter: no
Description: Negates any configured parameter.
Range: --
Default: --

Parameter: reselection-mode
Description: Specifies the method used to find a better mesh link. Best practices are to use the default value startup-subthreshold.
Range: (see below)
Default: startup-subthreshold

Parameter: reselect-anytime
Description: Mesh points using the reselect-anytime reselection mode perform a single topology readjustment scan within 9 minutes of startup and 4 minutes after a link is formed. If no better parent is found, the mesh point returns to its original parent. This initial scan evaluates more distant mesh points before closer mesh points, and incurs a dropout of 5-8 seconds for each mesh point.
After the initial startup scan is completed, connected mesh nodes evaluate mesh links every 30 seconds. If a mesh node finds a better uplink, the mesh node connects to the new parent to create an improved path to the mesh portal.
Range: --
Default: --

Parameter: reselect-never
Description: Connected mesh nodes do not evaluate other mesh links to create an improved path to the mesh portal.
Range: --
Default: --

Parameter: startup-subthreshold
Description: Mesh points using the startup-subthreshold reselection mode perform a single topology readjustment scan within 9 minutes of startup and 4 minutes after a link is formed. If no better parent is found, the mesh point returns to its original parent. This initial startup scan evaluates more distant mesh points before closer mesh points, and incurs a dropout of 5-8 seconds for each mesh point. After that time, each mesh node evaluates alternative links if the existing uplink falls below the configured threshold level (the link becomes a sub-threshold link). Best practices are to use the default startup-subthreshold value.
NOTE: Starting with AOS-W 3.4.1, if a mesh point using the startup-subthreshold mode reselects a more distant parent because its original, closer parent falls below the acceptable threshold, then as long as that mesh point is connected to that more distant parent, it will seek to reselect a parent at the earlier distance (or less) with good link quality. For example, if a mesh point disconnects from a mesh parent 2 hops away and subsequently reconnects to a mesh parent 3 hops away, then the mesh point will continue to seek a connection to a mesh parent with both an acceptable link quality and a distance of two hops or less, even if the more distant parent also has an acceptable link quality.
Range: --
Default: --

Parameter: subthreshold-only
Description: Connected mesh nodes evaluate alternative links only if the existing uplink becomes a sub-threshold link.
NOTE: Starting with AOS-W 3.4.1, if a mesh point using the subthreshold-only mode reselects a more distant parent because its original, closer parent falls below the acceptable threshold, then as long as that mesh point is connected to that more distant parent, it will seek to reselect a parent at the earlier distance (or less) with good link quality. For example, if a mesh point disconnects from a mesh parent 2 hops away and subsequently reconnects to a mesh parent 3 hops away, then the mesh point will continue to seek a connection to a mesh parent with both an acceptable link quality and a distance of two hops or less, even if the more distant parent also has an acceptable link quality.
Range: --
Default: --

Parameter: rts-threshold
Description: Defines the packet size sent by mesh nodes. Mesh nodes transmitting frames larger than this threshold must issue request to send (RTS) and wait for other mesh nodes to respond with clear to send (CTS) to begin transmission. This helps prevent mid-air collisions.
Range: 256-2,346
Default: 2,333 bytes

Usage Guidelines
Mesh radio profiles are specific to mesh nodes (APs configured for mesh) and determine the radio frequency/channel used by mesh nodes to establish mesh links and the path to the mesh portal. You can configure multiple radio profiles; however, you select and deploy only one radio profile per mesh cluster. Radio profiles, including the "default" profile, are not active until you provision your APs for mesh. If you modify a currently provisioned and running radio profile, your changes take place immediately. You do not reboot the switch or the AP.
Example
The following command creates a mesh radio profile named "radio2" and associates a mesh high-throughput profile named meshHT1:
(host) (config) #ap mesh-radio-profile radio2
   mesh-ht-ssid-profile meshHT1
Related Commands
To view a complete list of mesh radio profiles and their status, use the following command:
(host) (config) #show ap mesh-radio-profile
To view the settings of a specific mesh radio profile, use the following command:
(host) (config) #show ap mesh-radio-profile <name>


Command History
Release: AOS-W 3.2
Modification: Command introduced.

Release: AOS-W 3.2.0.x, 3.3.1.x
Modification: The tx-power default increased from 14 to 30 dBm.

Release: AOS-W 3.3
Modification: The heartbeat-threshold default increased from 5 to 10 heartbeat messages.

Release: AOS-W 3.3.2
Modification: The mesh-mcast-opt parameter was introduced.

Release: AOS-W 3.4
Modification: The mesh-ht-ssid-profile parameter was introduced. The 11a-portal-channel, 11g-portal-channel, beacon-period and tx-power parameters were deprecated. These settings can now be configured via the rf dot11a-radio-profile and rf dot11g-radio-profile commands.

Release: AOS-W 6.1
Modification: The eapol-rate-opt parameter was introduced.

Command Information

Platforms: All platforms
Licensing: Base operating system
Command Mode: Config mode on master switches


ap provisioning-profile

ap provisioning-profile <profile>
   apdot1x-passwd
   apdot1x-username
   clone
   cellular_nw_preference g-only|4g-only|advanced|auto
   link-priority-cellular
   link-priority-ethernet
   master clear|{set <masterstr>}
   no
   pppoe-passwd
   pppoe-service-name
   pppoe-user
   remote-ap
   reprovision
   uplink-vlan <uplink-vlan>
   usb-dev
   usb-dial
   usb-init
   usb-modeswitch "-v <default_vendor> -p <default_product> -V <target_vendor> -P <target_product> -M <message_content>"
   usb-passwd
   usb-power-mode auto|enable|disable
   usb-tty
   usb-tty-control
   usb-type
   usb-user
Description
This command defines a provisioning profile for an AP or group of APs.
Syntax

Parameter: apdot1x-passwd
Description: Password of the AP to authenticate to 802.1X using PEAP.
Range: --
Default: --

Parameter: apdot1x-username
Description: Username of the AP to authenticate to 802.1X using PEAP.
Range: --
Default: --

Parameter: clone <source>
Description: Clone an existing ap provisioning profile.
Range: --
Default: --

Parameter: link-priority-cellular <link-priority-cellular>
Description: Set the priority of the cellular uplink. By default, the cellular uplink is a lower priority than the wired uplink, making the wired link the primary link and the cellular link the secondary or backup link.
Configuring the cellular link with a higher priority than your wired link priority will set your cellular link as the primary switch link.
Range: 0-255
Default: 0

Parameter: link-priority-ethernet
Description: Set the priority of the wired uplink. Each uplink type has an associated priority; wired ports having the highest priority by default.
Range: 0-255
Default: 0


Parameter: cellular_nw_preference g-only|4g-only|advanced|auto
Description: The Cellular Network Preference setting introduced in AOS-W 6.2.1.0 allows you to select how the modem should operate.
- auto (default): In this mode, modem firmware will control the cellular network service selection; so the cellular network service failover and fallback is not interrupted by the remote AP (RAP).
- 3g_only: Locks the modem to operate only in 3G.
- 4g_only: Locks the modem to operate only in 4G.
- advanced: The RAP controls the cellular network service selection based on a Received Signal Strength Indication (RSSI) threshold-based approach. Initially the modem is set to the default auto mode. This allows the modem firmware to select the available network. The RAP determines the RSSI value for the available network type (for example 4G), checks whether the RSSI is within required range, and if so, connects to that network. If the RSSI for the modem's selected network is not within the required range, the RAP will then check the RSSI limit of an alternate network (for example, 3G), and reconnect to that alternate network. The RAP will repeat the above steps each time it tries to connect using a 4G multimode modem in this mode.

Parameter: master
Description: Change the FQDN or IP address for the master switch.
Range: --
Default: --

Parameter: set <masterstr>
Description: Specify the IP address or FQDN for the master switch.
Range: --
Default: --

Parameter: clear
Description: Clear the definition for the master switch in this profile.
Range: --
Default: --

Parameter: no
Description: Negates any configured parameter.
Range: --
Default: --

Parameter: pppoe-passwd
Description: Point-to-Point Protocol over Ethernet (PPPoE) password for the AP.
Range: --
Default: --

Parameter: pppoe-service-name
Description: PPPoE service name for the AP.
Range: --
Default: --

Parameter: pppoe-user
Description: PPPoE username for the AP.
Range: --
Default: --

Parameter: remote-ap
Description: Specifies that the profile is to be associated with a remote AP using certificates.
Range: --
Default: --

Parameter: reprovision
Description: Provisions one or more APs with the values in the provisioning profile.
Range: --
Default: --

Parameter: reset-bootinfo
Description: Restores factory default provisioning parameters to the specified AP.
NOTE: This parameter can only be used on the master switch.
Range: --
Default: --

Parameter: uplink-vlan <uplink-vlan>
Description: If you configure an uplink VLAN on an AP connected to a port in trunk mode, the AP sends and receives frames tagged with this VLAN on its Ethernet uplink.
By default, an AP has an uplink vlan of 0, which disables this feature.
NOTE: If an AP is provisioned with an uplink VLAN, it must be connected to a trunk mode port or the AP's frames will be dropped.
Range: 0 (disabled) to 4095
Default: 0

Parameter: usb-dev
Description: The USB device identifier.
Range: --
Default: --

Parameter: usb-dial
Description: The dial string for the USB modem. This parameter only needs to be specified if the default string is not correct.
Range: --
Default: --

Parameter: usb-init
Description: The initialization string for the USB modem. This parameter only needs to be specified if the default string is not correct.
Range: --
Default: --

Parameter: usb-modeswitch "-v <default_vendor> -p <default_product> -V <target_vendor> -P <target_product> -M <message_content>"
Description: USB cellular devices on remote APs typically register as modems, but may occasionally register as a mass-storage device. If a remote AP cannot recognize its USB cellular modem, use the usb-modeswitch command to specify the parameters for the hardware model of the USB cellular data-card.
NOTE: You must enclose the entire modeswitch parameter string in quotation marks.
Range: --
Default: --

Parameter: usb-passwd
Description: A PPP password, if provided by the cellular service provider.
Range: --
Default: --

Parameter: usb-power-mode auto|enable|disable
Description: Set the USB power mode to control the power to the USB port.
Range: --
Default: --

Parameter: usb-tty
Description: The TTY device path for the USB modem. This parameter only needs to be specified if the default path is not correct.
Range: --
Default: --

Parameter: usb-tty-control
Description: The TTY device control path for the USB modem. This parameter only needs to be specified if the default path is not correct.
Range: --
Default: --

Parameter: usb-type
Description: Select one of the following USB driver types.
- acm: ACM driver
- airprime: Airprime driver
- beceem-wimax: Beceem driver for 4G-WiMAX
- hso: HSO driver for newer Option USB types
- none: Disable 3G or 2G network on USB
- option: Use Option driver
- pantech-3g: PANTECH USB driver for 3G/2G devices
- sierra-evdo: EVDO Sierra Wireless driver
- sierra-gsm: GSM Sierra Wireless driver
Range: --
Default: none


Parameter: usb-user
Description: The PPP username provided by the cellular service provider.
Range: --
Default: --

Usage Guidelines
The AP provisioning profile allows you to define a set of provisioning parameters to an AP group. These settings can be saved or assigned to an AP group via the command ap-group <group> provisioning-profile <profile>.
In order to enable cellular uplink for a remote AP (RAP), the RAP must have the device driver for the USB data card and the correct configuration parameters. AOS-W includes device drivers for the most common hardware types, but you can use the usb commands in this profile to configure a RAP to recognize and use an unknown USB modem type.
Related Commands

Command: provision-ap
Description: Change provisioning parameters for an individual AP. This command does not save the provisioning parameters settings in a reusable profile.

Example
The following commands create a provisioning profile named profile_branch, in which the cellular link is the primary uplink because it has a higher priority than the Ethernet link:
(host) (config) #ap provisioning-profile profile_branch
   link-priority-cellular 2
   link-priority-ethernet 1
   usb-type acm
   usb-modeswitch "-v 0x106c -p 0x3b06 -V 0x106c -P 0x3717 -M 5534243b82e238c24000000800008ff020000000000000000000000000000"
Command History

Release: AOS-W 3.0
Modification: Command introduced

Release: AOS-W 3.4
Modification: Introduced support for the following parameters:
- usb-dev
- usb-dial
- usb-init
- usb-passwd
- usb-tty
- usb-type
- usb-user
- link-priority-cellular
- link-priority-ethernet

Release: AOS-W 6.0
Modification: The uplink-vlan parameter was introduced.

Release: AOS-W 6.1
Modification: The following new parameters were introduced for provisioning APs for 802.1X authentication:
- apdot1x-passwd
- apdot1x-username
The following new parameters were introduced for provisioning Remote APs using USB modems:
- usb-modeswitch
- 4g-usb-type

Release: AOS-W 6.2.1.0
Modification: The cellular_nw_preference parameter was introduced for provisioning multimode modems, and the 4g-usb-type parameter was deprecated. Specify a 2/3G or 4G modem type using the usb-type parameter.

Command Information
Platforms: All platforms
Licensing: Base operating system
Command Mode: Config mode on master switches


ap regulatory-domain-profile
ap regulatory-domain-profile <profile>
   clone <profile>
   country-code <code>
   no ...
   valid-11a-40mhz-channel-pair <valid-11a-40mhz-channel-pair>
   valid-11a-channel <num>
   valid-11g-40mhz-channel-pair <valid-11g-40mhz-channel-pair>
   valid-11g-channel <num>
Description
This command configures an AP regulatory domain profile.
Syntax

Parameter: <profile>
Description: Name of this instance of the profile. The name must be 1-63 characters.
Range: --
Default: --

Parameter: clone
Description: Name of an existing regulatory domain profile from which parameter values are copied.
Range: --
Default: --

Parameter: country-code
Description: Code that represents the country in which the APs will operate. The country code determines the 802.11 wireless transmission spectrum.
Improper country code assignment can disrupt wireless transmissions. Most countries impose penalties and sanctions for operators of wireless networks with devices set to improper country codes.
Range: --
Default: country code configured on the master switch during initial setup

Parameter: no
Description: Negates any configured parameter.
Range: --
Default: --

Parameter: valid-11a-40mhz-channel-pair
Description: Specify a channel pair valid for 40 MHz operation in the 802.11a frequency band for the specified regulatory domain. The two channels must be separated by a dash.
Example:
36-40
44-48
52-56
Range: country code determines supported channel pairs
Note: Changing the country code causes the valid channel lists to be reset to the defaults for the country.

Parameter: valid-11a-channel
Description: Enter a single 802.11a channel number for 20 MHz operation within the specified regulatory domain.
Range: country code determines supported channels
Note: Changing the country code causes the valid channel lists to be reset to the defaults for the country.

Parameter: valid-11g-40mhz-channel-pair
Description: Specify a channel pair valid for 40 MHz operation in the 802.11g frequency band for the specified regulatory domain. The two channels must be separated by a dash.
Example:
1-5
2-6
7-11
Range: country code determines supported channel pairs
Note: Changing the country code causes the valid channel lists to be reset to the defaults for the country.

Parameter: valid-11g-channel
Description: Enter a single 802.11g channel number for 20 MHz operation within the specified regulatory domain.
Range: country code determines supported channels
Note: Changing the country code causes the valid channel lists to be reset to the defaults for the country.

Usage Guidelines
This profile configures the country code and valid channels for operation of APs. The list of valid channels only affects the channels that may be selected by ARM or by the switch when no channel is configured. Channels that are specifically configured in the AP radio settings profile (see rf dot11a-radio-profile or rf dot11g-radio-profile) must be valid for the country and the AP model.
A switch shipped to certain countries, such as the U.S. and Israel, cannot terminate APs with regulatory domain profiles that specify different country codes from the switch. For example, if a switch is designated for the U.S., then only a regulatory domain profile with the "US" country code is valid; setting APs to a regulatory domain profile with a different country code will result in the radios not coming up. For switches in other countries, you can mix regulatory domain profiles on the same switch; for example, one switch can support APs in Japan, Taiwan, China, and Singapore.
In order for an AP to boot correctly, the country code configured in the AP regulatory domain profile must match the country code of the LMS. If none of the channels supported by the AP have received regulatory approval by the country whose country code you selected, the AP will revert to Air Monitor mode.
Examples
The following command configures the regulatory domain profile for APs in Japan:
(host) (config) #ap regulatory-domain-profile rd1
   country-code JP
The following command configures a regulatory domain profile for APs in the United States and specifies that the channel pair of 36 and 40 is allowed for 40 MHz mode of operation on the 5 GHz frequency band:
(host) (config) #ap regulatory-domain-profile usa1
   country-code US
   valid-11a-40mhz-channel-pair 36-40
The following command configures a regulatory domain profile for APs in the United States and specifies that the channel pair of 5 and 1 is allowed for 40 MHz mode of operation on the 2.4 GHz frequency band:
(host) (config) #ap regulatory-domain-profile usa1
   country-code US
   valid-11g-40mhz-channel-pair 1-5
Related Commands
To view the supported channels, use the show ap allowed-channels command.
AP configuration settings related to the IEEE 802.11n standard are configurable for Alcatel-Lucent's OAW-AP120 series access points, which are IEEE 802.11n standard compliant devices.


Command History
Release: AOS-W 3.0
Modification: Command introduced

Release: AOS-W 3.3
Modification: Support for the IEEE 802.11n standard, including channel pairs for 40 MHz mode of operation, was introduced

Release: AOS-W 5.0
Modification: The valid-11a-40mhz-channel-pair and valid-11g-40mhz-channel-pair parameters no longer support the + and - parameters that allowed you to define a primary and backup channel within the channel pair.

Command Information

Platforms: All platforms
Licensing: Base operating system
Command Mode: Config mode on master switches


ap remove-r1-key
ap remove-r1-key <sta-mac> [ap-name <ap-name> | bssid <bssid> | ip-addr <ip-addr>]
Description
This command removes the r1 key from an AP.
Syntax

Parameter: <sta-mac>
Description: MAC address of the client.

Parameter: ap-name <ap-name>
Description: Name of the AP.

Parameter: bssid <bssid>
Description: BSSID of the AP.

Parameter: ip-addr <ip-addr>
Description: IP address of the AP.

Usage Guidelines
Use this command to remove an r1 key from an AP when the AP does not have a cached r1 key during Fast BSS Transition roaming.
Examples
The following command removes the r1 key for the client 00:50:43:21:01:b8 from the AP named MAcage-105-GL:
(host) #ap remove_r1_key 00:50:43:21:01:b8 ap-name MAcage-105-GL
Execute the following command to check if the r1 key is removed from the AP:
(host) #show ap remote debug r1_key ap-name MAcage-105-GL
Stored R1 Keys
-------------
Station MAC  Mobility Domain ID  Validity Duration  R1 Key
-----------  ------------------  -----------------  ------
Related Commands
To check if the r1 key is removed from an AP, use the show ap remote debug r1_key command.
Command History
Introduced in AOS-W 6.2.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode Enable mode on master switches


ap snmp-profile (deprecated)

Description
This command configures an SNMP profile for APs.
Command History

Version      Modification
AOS-W 3.0    Command introduced
AOS-W 3.4    Command deprecated


ap snmp-user-profile (deprecated)
ap snmp-user-profile <profile>
   auth-passwd <password>
   auth-prot {md5|none|sha}
   clone <profile>
   no ...
   priv-passwd <password>
   user-name <name>
Description
This command configures an SNMPv3 user profile for APs.
Command History

Version      Modification
AOS-W 3.0    Command introduced
AOS-W 3.4    Command deprecated


ap spectrum clear-webui-view-settings
ap spectrum clear-webui-view-settings
Description
Clear a saved spectrum dashboard view.
Syntax
no parameters
Usage Guidelines
Saved spectrum view preferences may not be backwards compatible with the spectrum analysis dashboard in earlier versions of AOS-W. If you downgrade to an earlier version of AOS-W and your client is unable to load a saved spectrum view in the spectrum dashboard, access the CLI in enable mode and issue this command to delete the saved spectrum views and display default view settings in the spectrum dashboard.
Command History
Introduced in AOS-W 6.0.
Command Information

Platforms All platforms

Licensing RF Protect license

Command Mode Config mode on master or local switches


ap spectrum local-override
ap spectrum local-override
   no
   override ap-name <ap-name> spectrum-band 2ghz|5ghz
Description
Convert an AP or AM into a spectrum monitor by adding it to the spectrum local-override list.
Syntax

override ap-name <ap-name>
   Name of an AP whose radio should be converted to a spectrum monitor radio.
   Range: --   Default: --
spectrum-band
   Spectrum band or portion of the band to be monitored by the spectrum monitor radio.
   Range: 2GHz (channels 1-14), 5GHz (channels 36-64, 100-140 and 149-165)   Default: 2GHz

Usage Guidelines
There are two ways to change an OAW-AP104, OAW-AP105, OAW-AP175, OAW-AP120 Series, OAW-AP130 Series, or OAW-AP90 Series AP into a spectrum monitor. You can assign that AP to an 802.11a and 802.11g radio profile that is already set to spectrum mode, or you can temporarily change the AP into a spectrum monitor using a local spectrum override profile. When you use a local spectrum override profile to override an AP's mode setting, that AP begins to operate as a spectrum monitor but remains associated with its previous 802.11a and 802.11g radio profiles. If you change any parameter (other than the overridden mode parameter) in the spectrum monitor's 802.11a or 802.11g radio profiles, the spectrum monitor immediately updates with the change. When you remove the local spectrum override, the spectrum monitor reverts to its previous mode and remains assigned to the same 802.11a and 802.11g radio profiles as before.
Related Commands

Command: show ap spectrum local-override
Description: This command shows a list of AP radios currently converted to spectrum monitors via the spectrum local-override list.
Mode: Config mode on master or local switches

Command History
Release      Modification
AOS-W 6.0    Command introduced
AOS-W 6.2    The spectrum-band parameter supports a 5ghz value, allowing an AP to monitor the entire 5 GHz radio band. Previous versions of AOS-W supported 5ghz-lower, 5ghz-middle and 5ghz-upper settings.


Command Information

Platforms All platforms

Licensing RF Protect license

Command Mode Config mode on master switches


ap system-profile
ap system-profile <profile>
   aeroscout-rtls-server ip-addr <ipaddr> port <port> [include-unassoc-sta]
   am-scan-rf-band [a | g | all]
   bkup-lms-ip <ipaddr>
   bkup-lms-ipv6 <ipaddr>
   bootstrap-threshold <number>
   clone <profile>
   dns-domain <domain>
   double-encrypt
   dump-server <server>
   heartbeat-dscp <number>
   led-mode normal|off
   lms-hold-down-period <seconds>
   lms-ip <ipaddr>
   lms-ipv6 <ipaddr>
   lms-preemption
   maintenance-mode
   max-request-retries <number>
   mtu <bytes>
   native-vlan-id <vlan>
   no ...
   number_ipsec_retries
   rap-bw-total
   rap-bw-resv-1
   rap-bw-resv-2
   rap-bw-resv-3
   rap-dhcp-default-router <ipaddr>
   rap-dhcp-dns-server <ipaddr>
   rap-dhcp-lease <days>
   rap-dhcp-pool-end <ipaddr>
   rap-dhcp-pool-netmask <netmask>
   rap-dhcp-pool-start <ipaddr>
   rap-dhcp-server-id <ipaddr>
   rap-dhcp-server-vlan <vlan>
   rap-local-network-access
   request-retry-interval <seconds>
   rf-band <band>
   rtls-server ip-addr <ipaddr> port <port> key <key> station-message-frequency <seconds> [include-unassoc-sta]
   session-acl <acl>
   syscontact <name>
   telnet

Description
This command configures an AP system profile.
Syntax

<profile>
   Name of this instance of the profile. The name must be 1-63 characters.
   Range: --   Default: "default"
aeroscout-rtls-server
   Enables the AP to send RFID tag information to an AeroScout real-time asset location (RTLS) server.
   Range: --   Default: --
   ip-addr
      IP address of the AeroScout server to which location reports are sent.
      Range: --   Default: --
   port
      Port number on the AeroScout server to which location reports are sent.
      Range: --   Default: --
am-scan-rf-band
   Scanning band for multiple RF radios.
   Range: a, g, all   Default: all
   a
      Set the scanning band to 802.11a only.
      Range: --   Default: all
   g
      Set the scanning band to 802.11g only.
      Range: --   Default: all
   all
      Set the scanning band to apply to all bands.
      Range: --   Default: all
bkup-lms-ip
   In multi-switch networks, specifies the IP address of a backup to the IP address specified with the lms-ip parameter.
   Range: --   Default: --
bkup-lms-ipv6
   In multi-switch IPv6 networks, specifies the IPv6 address of a backup to the IPv6 address specified with the lms-ipv6 parameter.
   Range: --   Default: --
bootstrap-threshold
   Number of consecutive missed heartbeats on a GRE tunnel (heartbeats are sent once per second on each tunnel) before an AP rebootstraps. On the switch, the GRE tunnel timeout is 1.5 x bootstrap-threshold; the tunnel is torn down after this number of seconds of inactivity on the tunnel.
   Range: 1-65535   Default: 8
clone
   Name of an existing AP system profile from which parameter values are copied.
   Range: --   Default: --
dns-domain
   Name of domain that is resolved by corporate DNS servers. Use this parameter when configuring split tunnel.
   Range: --   Default: --
double-encrypt
   This parameter applies only to remote APs. Use double encryption for traffic to and from a wireless client that is connected to a tunneled SSID.
   When enabled, all traffic is re-encrypted in the IPsec tunnel. When disabled, the wireless frame is only encapsulated inside the IPsec tunnel.
   All other types of data traffic between the switch and the AP (wired traffic and traffic from a split-tunneled SSID) are always encrypted in the IPsec tunnel.
   Range: --   Default: disabled
dump-server
   (For debugging purposes.) Specifies the server to receive a core dump generated when an AP process crashes.
   Range: --   Default: --
heartbeat-dscp
   Define the DSCP value of AP heartbeats. Use this feature to prioritize AP heartbeats and prevent the AP from losing connectivity with the switch over high-latency or low-bandwidth WAN connections.
   Range: 0-63   Default: 0
led-mode
   The operating mode for the AP LEDs. This option is available on all 802.11n indoor AP platforms.
   Default: normal
   normal
      Display LEDs in normal mode.
   off
      Turn off all LEDs.
lms-hold-down-period
   Time, in seconds, that the primary LMS must be available before an AP returns to that LMS after failover.
   Range: 1-3600   Default: 600 seconds
lms-ip
   In multi-switch networks, this parameter specifies the IP address of the local management switch (LMS), the Alcatel-Lucent switch that is responsible for terminating user traffic from the APs, and processing and forwarding the traffic to the wired network. This can be the IP address of the local or master switch.
   When using redundant switches as the LMS, set this parameter to be the VRRP IP address to ensure that APs always have an active IP address with which to terminate sessions.
   NOTE: If the LMS-IP is blank, the access point will remain on the switch that it finds using methods like DNS or DHCP. If an IP address is configured for the LMS IP parameter, the AP will be immediately redirected to the switch at that address.
   Range: --   Default: --
lms-ipv6
   In multi-switch IPv6 networks, specifies the IPv6 address of the local management switch (LMS), the switch that is responsible for terminating user traffic from the APs, and processing and forwarding the traffic to the wired network. This can be the IP address of the local or master switch.
   When using redundant switches as the LMS, set this parameter to be the VRRP IP address to ensure that APs always have an active IP address with which to terminate sessions.
   Range: --   Default: --
lms-preemption
   Automatically reverts to the primary LMS IP address when it becomes available.
   Range: --   Default: disabled
maintenance-mode
   Enable or disable AP maintenance mode. This setting is useful when deploying, maintaining, or upgrading the network. If enabled, APs stop flooding unnecessary traps and syslog messages to network management systems or network operations centers when deploying, maintaining, or upgrading the network. The switch still generates debug syslog messages if debug logging is enabled.
   Default: disabled
max-request-retries
   Maximum number of times to retry AP-generated requests, including keepalive messages. After the maximum number of retries, the AP either tries the IP address specified by the bkup-lms-ip (if configured) or reboots.
   Range: 1-65535   Default: 10
mtu
   MTU, in bytes, on the wired link for the AP.
   Range: 1024-1578   Default: --
native-vlan-id
   Native VLAN for bridge mode virtual APs (frames on the native VLAN are not tagged with 802.1q tags).
   Range: --   Default: 1
no
   Negates any configured parameter.
   Range: --   Default: --
number-ipsec-retries
   The number of times the AP will attempt to recreate an IPsec tunnel with the master switch before the AP will reboot. A value of 0 disables the reboot.
   Range: 1-1000   Default: 360
rap-bw-total
   This is the total reserved uplink bandwidth (in Kilobits per second).
   Range: --   Default: --
rap-bw-resv-1, rap-bw-resv-2, rap-bw-resv-3
   Session ACLs with uplink bandwidth reservation in kilobits per second. You can specify up to three session ACLs to reserve uplink bandwidth. The sum of the three uplink bandwidths should not exceed the rap-bw-total value.
   Range: --   Default: --
rap-dhcp-default-router
   IP address for the default DHCP router.
   Range: --   Default: 192.168.11.1
rap-dhcp-dns-server
   IP address of the DNS server.
   Range: --   Default: 192.168.11.1
rap-dhcp-lease
   The number of days that the assigned IP address is valid for the client. Specify the lease in <days>. 0 indicates the IP address is always valid; the lease does not expire.
   Range: 0-30   Default: 0
rap-dhcp-pool-end
   Configures a DHCP pool for remote APs. This is the last IP address of the DHCP pool.
   Range: --   Default: 192.168.11.254
rap-dhcp-pool-netmask
   Configures a DHCP pool for remote APs. This is the netmask used for the DHCP pool.
   Range: --   Default: 255.255.255.0
rap-dhcp-pool-start
   Configures a DHCP pool for remote APs. This is the first IP address of the DHCP pool.
   Range: --   Default: 192.168.11.2
rap-dhcp-server-id
   IP address used as the DHCP server identifier.
   Range: --   Default: 192.168.11.1
rap-dhcp-server-vlan
   VLAN ID of the remote AP DHCP server used if the switch is unavailable. This VLAN enables the DHCP server on the AP (also known as the remote AP DHCP server VLAN). If you enter the native VLAN ID, the DHCP server is unavailable.
   Range: --   Default: --
rap-local-network-access
   Enable or disable local network access across VLANs in a Remote-AP.
   Range: --   Default: disabled
request-retry-interval
   Interval, in seconds, between the first and second retries of AP-generated requests. If the configured interval is less than 30 seconds, the interval for subsequent retries is increased up to 30 seconds.
   Range: 1-65535   Default: 10 seconds
rf-band
   For APs that support both a and b/g RF bands, the RF band (a or g) in which the AP should operate:
   - g = 2.4 GHz
   - a = 5 GHz
   Default: g
rtls-server
   Enables the AP to send RFID tag information to an RTLS server.
   Range: --   Default: --
   ip-addr
      IP address of the server to which location reports are sent.
      Range: --   Default: --
   port
      Port number on the server to which location reports are sent.
      Range: --   Default: --
   key
      Shared secret key.
      Range: --   Default: --
   station-message-frequency
      Indicates how often packets are sent to the server.
      Range: 5-3600   Default: 30 seconds
session-acl
   Session ACL configured with the ip access-list session command.
   NOTE: This parameter requires the PEFNG license.
   Range: --   Default: --
syscontact
   SNMP system contact information.
   Range: --   Default: --
telnet
   Enable or disable telnet to the AP.
   Range: --   Default: disabled

Usage Guidelines
The AP system profile configures AP administrative operations, such as logging levels.
Example
The following command sets the LMS IP address in an AP system profile:
(host) (config) #ap system-profile local1
   lms-ip 10.1.1.240


Command History
Release        Modification
AOS-W 3.0      Command introduced
AOS-W 3.2      Support for additional RTLS servers and remote AP enhancements was introduced.
AOS-W 3.3.2    - Maintenance-mode parameter was introduced.
               - Multiple remote AP DHCP server enhancements were introduced.
               - Support for RFprotect server and backup server configuration was introduced.
               - The mms-rtls-server parameter was deprecated in AOS-W 3.3.2.
AOS-W 5.0      The master-ip, rfprotect-server-ip and rfprotect-bkup-server parameters were deprecated.
AOS-W 6.0      Added support for the option to set the RF scanning band (am-scan-rf-band). The keepalive-interval parameter was deprecated.

Command Information

Platforms All platforms

Licensing
Base operating system, except for noted parameters

Command Mode Config mode on master switches


ap wipe out flash
ap wipe out flash
   ap-name <ap-name>
   ip-addr <ip-addr>
Description
Overwrite the entire AP compact flash, destroying its contents (including the current image file).
Syntax

ap-name
   Wipe out the flash of the AP with the specified name.
   Range: --   Default: --
ip-addr
   Wipe out the flash of the AP with the specified IP address.
   Range: --   Default: --

Usage Guidelines
Use this command only under the supervision of Alcatel-Lucent technical support. If you delete the current image in the AP's flash memory, the AP will not function until you reload another image.
Command History
This command was introduced in AOS-W 3.3.2.
Command Information

Platforms
All platforms running AOS-W 3.3.2.x-FIPS or later.

Licensing Base operating system

Command Mode Config mode on master switches


ap wired-ap-profile
ap wired-ap-profile <profile>
   broadcast
   clone <profile>
   forward-mode {bridge|split-tunnel|tunnel}
   no ...
   switchport access vlan <vlan> | {mode access|trunk} | trunk {allowed vlan <list> | add <list> | except <list> | remove <list>} | native vlan <vlan>
   trusted
   wired-ap-enable
Description
This command configures a wired AP profile.
Syntax

<profile>
   Name of this instance of the profile. The name must be 1-63 characters.
broadcast
   Forward broadcast traffic to this tunnel.
clone
   Name of an existing wired AP profile from which parameter values are copied.
forward-mode
   This parameter controls whether data is tunneled to the switch using generic routing encapsulation (GRE), bridged into the local Ethernet LAN (for remote APs), or a combination thereof depending on the destination (corporate traffic goes to the switch, and Internet access remains local). All forwarding modes support band steering, TSPEC/TCLAS enforcement, 802.11k and station blacklisting.
   tunnel
      In this default forwarding mode, the AP handles all 802.11 association requests and responses, but sends all 802.11 data packets, action frames and EAPOL frames over a GRE tunnel to the switch for processing. The switch removes or adds the GRE headers, decrypts or encrypts 802.11 frames and applies firewall rules to the user traffic as usual.
   bridge
      802.11 frames are bridged into the local Ethernet LAN. When a remote AP or campus AP is in bridge mode, the AP handles all 802.11 association requests and responses, encryption/decryption processes, and firewall enforcement. The 802.11e and 802.11k action frames are also processed by the AP, which then sends out responses as needed. An AP in bridge mode supports only the 802.1X authentication type.
      NOTE: Virtual APs in bridge mode using static WEP should use key slots 2-4 on the switch. Key slot 1 should only be used with Virtual APs in tunnel mode.
   split-tunnel
      802.11 frames are either tunneled or bridged, depending on the destination (corporate traffic goes to the switch, and Internet access remains local). An AP in split-tunnel mode supports only the 802.1X authentication type. An AP in split-tunnel forwarding mode handles all 802.11 association requests and responses, encryption/decryption, and firewall enforcement. The 802.11e and 802.11k action frames are also processed by the AP, which then sends out responses as needed.
      NOTE: Virtual APs in split-tunnel mode using static WEP should use key slots 2-4 on the switch. Key slot 1 should only be used with Virtual APs in tunnel mode.
no
   Negates any configured parameter.
switchport
   Configures the switching mode characteristics for the port.
   access
      The VLAN to which the port belongs. The default is VLAN 1.
   mode
      The mode for the port, either access or trunk mode. The default is access mode.
   trunk allowed
      Allows multiple VLANs on the port interface. You must define this parameter using VLAN IDs or VLAN names. VLAN IDs and VLAN names cannot be listed together.
   trunk native
      The native VLAN for the port (frames on the native VLAN are not tagged with 802.1q tags).
trusted
   Sets port as either trusted or untrusted. The default setting is untrusted.
wired-ap-enable
   Enables the wired AP. The wired AP is disabled by default.

Usage Guidelines
This command is only applicable to Alcatel-Lucent APs that support a second Ethernet port. The wired AP profile configures the second Ethernet port (enet1) on the AP.
For mesh deployments, this command is applicable to all Alcatel-Lucent APs configured as mesh nodes. If you are using mesh to join multiple Ethernet LANs, configure and enable bridging on the mesh point Ethernet port. Mesh nodes only support bridge mode and tunnel mode on their wired ports (enet0 or enet1). Split tunnel mode is not supported. Use the bridge mode to configure bridging on the mesh point Ethernet port. Use tunnel mode to configure secure jack operation on the mesh node Ethernet port.
When configuring the Ethernet ports on APs with multiple Ethernet ports, note the following requirements:
- If configured as a mesh portal, connect enet0 to the switch to obtain an IP address. The wired AP profile controls enet1. Only enet1 supports secure jack operation.
- If configured as a mesh point, the same wired AP profile will control both enet0 and enet1.
Example
The following command configures the enet1 port on a multi-port AP as a trunk port:
(host) (config) #ap wired-ap-profile wiredap1
   switchport mode trunk
   switchport trunk allowed 4,5
Command History

Release      Modification
AOS-W 3.0    Command introduced
AOS-W 3.2    The split-tunnel forwarding mode was introduced.
AOS-W 6.0    Wired ports on campus APs support bridge forwarding mode.


Command Information

Platforms All platforms

Licensing
Base operating system, except for noted parameters

Command Mode Config mode on master switches


ap wired-port-profile
ap wired-port-profile <profile>
   aaa-profile <profile>
   authentication-timeout <seconds>
   clone
   enet-link-profile <profile>
   lldp-profile <profile>
   no
   rap-backup
   shutdown
   wired-ap-profile <profile>
Description
This command configures a wired port profile.
Syntax

aaa-profile <profile>
   Name of a AAA profile to be used by devices connecting to the AP's wired port.
authentication-timeout
   Authentication timeout value, in seconds, for devices connecting to the AP's wired port. The supported range is 1-65535 seconds, and the default value is 20 seconds.
clone <profile>
   Create a new AP wired port profile based upon the values of an existing profile.
enet-link-profile <profile>
   Specify an Ethernet link profile to be used by devices associated with this wired port profile. The Ethernet link profile defines the duplex value and speed to be used by the port.
lldp-profile <profile>
   Specify an LLDP profile to be used by devices associated with this wired port profile. The LLDP profile specifies the type-length-value (TLV) elements to be sent in LLDP PDUs.
no
   Negates any defined parameter.
rap-backup
   Use the rap-backup parameter to use the wired port on a Remote AP for local connectivity and troubleshooting when the AP cannot reach the switch. If the AP is not connected to the switch, no firewall policies will be applied when this option is enabled. (The AAA profile will be applied when the AP is connected to the switch.)
shutdown
   Disable the wired AP port.
wired-ap-profile <profile>
   Name of a wired AP profile to be used by devices connecting to the AP's wired port. The wired AP profile defines the forwarding mode and switchport values used by the port.

Usage Guidelines
This command is only applicable to APs with Ethernet ports. Issue this command to enable or disable the wired port, define an AAA profile for wired port devices, and associate the port with an ethernet link profile that defines its speed and duplex values.


Example
The following command defines a AAA profile for wired port devices:
(host) (config) #ap wired-port-profile wiredport1
   aaa-profile default-open
   authentication-timeout 30
   wired-ap-profile wiredap1
Command History
This command was introduced in AOS-W 6.0.
Command Information

Platforms All platforms

Licensing
Base operating system, except for noted parameters

Command Mode Config mode on master switches
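
The telnet, trusted and rap-backup parameters documented above each widen what an AP or its wired port exposes, so a saved configuration is worth checking for them along with out-of-range values and wired port profiles that reference an undefined wired AP profile. The following Python check is an added example, not part of the AOS-W guide; it assumes each profile appears as an ap <type> "<name>" header followed by its parameter lines and a closing "!", and every profile name and value in SAMPLE_CONFIG is constructed.

```python
import re

# Constructed sample. The layout (header line, indented parameters, "!" terminator)
# is an assumption about how the saved configuration text looks.
SAMPLE_CONFIG = """
ap system-profile "branch-rap"
   lms-ip 10.1.1.240
   heartbeat-dscp 70
   telnet
!
ap system-profile "campus"
   telnet
   no telnet
!
ap wired-ap-profile "wiredap1"
   switchport mode trunk
   trusted
   wired-ap-enable
!
ap wired-port-profile "wiredport1"
   aaa-profile "default-open"
   authentication-timeout 30
   rap-backup
   wired-ap-profile "wiredap1"
!
ap wired-port-profile "wiredport2"
   wired-ap-profile "missing"
!
"""

# Headers of the three profile types audited here.
HEADER = re.compile(
    r'^ap (system-profile|wired-ap-profile|wired-port-profile)\s+"?([^"\s]+)"?$')

# (profile type, parameter) -> why it deserves review, per the parameter tables.
FLAGS = {
    ("system-profile", "telnet"):
        "telnet to the AP is enabled (documented default: disabled)",
    ("wired-ap-profile", "trusted"):
        "wired port is trusted (documented default: untrusted)",
    ("wired-port-profile", "rap-backup"):
        "no firewall policies are applied while the AP cannot reach the switch",
}

# (profile type, parameter) -> documented numeric range.
RANGES = {
    ("system-profile", "heartbeat-dscp"): (0, 63),
    ("system-profile", "lms-hold-down-period"): (1, 3600),
    ("wired-port-profile", "authentication-timeout"): (1, 65535),
}


def parse_profiles(text):
    """Return {(profile type, name): {parameter: [arguments]}}."""
    profiles, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "!":              # end of the current profile block
            current = None
            continue
        match = HEADER.match(line)
        if match:
            current = (match.group(1), match.group(2))
            profiles.setdefault(current, {})
        elif current is not None:
            words = [w.strip('"') for w in line.split()]
            if words[0] == "no" and len(words) > 1:
                profiles[current].pop(words[1], None)   # "no <param>" negates it
            else:
                profiles[current][words[0]] = words[1:]
    return profiles


def audit(text):
    """Return a list of (profile type, name, parameter, message) findings."""
    profiles = parse_profiles(text)
    wired_ap_names = {name for ptype, name in profiles if ptype == "wired-ap-profile"}
    findings = []
    for (ptype, name), settings in profiles.items():
        for keyword, args in settings.items():
            key = (ptype, keyword)
            if key in FLAGS:
                findings.append((ptype, name, keyword, FLAGS[key]))
            if key in RANGES:
                low, high = RANGES[key]
                if not (args and args[0].isdigit() and low <= int(args[0]) <= high):
                    shown = " ".join(args) or "<none>"
                    findings.append((ptype, name, keyword,
                                     "value %s is outside %d-%d" % (shown, low, high)))
            if key == ("wired-port-profile", "wired-ap-profile"):
                if not args or args[0] not in wired_ap_names:
                    findings.append((ptype, name, keyword,
                                     "references a wired AP profile that is not defined"))
    return findings


if __name__ == "__main__":
    for ptype, name, keyword, message in audit(SAMPLE_CONFIG):
        print("ap %s %s: %s: %s" % (ptype, name, keyword, message))
```

A parameter that is set and later negated with no, as in the constructed "campus" profile, is not reported.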


arp
arp <ipaddr> <macaddr>
Description
This command adds a static Address Resolution Protocol (ARP) entry.
Syntax

Parameter    Description
<ipaddr>     IP address of the device to be added.
<macaddr>    Hardware address of the device to be added, in the format xx:xx:xx:xx:xx:xx.

Usage Guidelines
If the IP address does not belong to a valid IP subnetwork, the ARP entry is not added. If the IP interface that defines the subnetwork for the static ARP entry is deleted, you will be unable to use the arp command to overwrite the entry's current values; use the no arp command to negate the entry and then enter a new arp command.
Example
The following command configures an ARP entry:
(host) (config) #arp 10.152.23.237 00:0B:86:01:7A:C0
Command History
This command was introduced in AOS-W 3.0.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode Config mode on master switches


audit-trail
audit-trail [all]
Description
This command enables an audit trail.
Syntax

all
   Enables audit trail for all commands, including enable mode commands. The audit-trail command without this option enables audit trail for all commands in configuration mode.

Usage Guidelines
By default, audit trail is enabled for all commands in configuration mode. Use the show audit-trail command to display the content of the audit trail.
Example
The following command enables an audit trail:
(host) (config) #audit-trail
Command History
This command was introduced in AOS-W 3.0.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode Config mode on master switches


backup
backup {flash|pcmcia}
Description
This command backs up compressed critical files in flash.
Syntax

flash
   Backs up flash directories to flashbackup.tar.gz file.
pcmcia
   Backs up flash images to external PCMCIA flash card. This option can only be executed on switches that have a PCMCIA slot.

Usage Guidelines
Use the restore flash command to untar and uncompress the flashbackup.tar.gz file.
Example
The following command backs up flash directories to the flashbackup.tar.gz file:
(host)(config) #backup flash
Command History
This command was introduced in AOS-W 3.0.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Enable and Config modes on master switches


banner motd
banner motd <delimiter> <textString>
Description
This command defines a text banner to be displayed at the login prompt when a user accesses the switch.
Syntax

<delimiter>
   Indicates the beginning and end of the banner text.
   Range: --
<textString>
   The text you want displayed.
   Range: up to 1023 characters

Usage Guidelines
The banner you define is displayed at the login prompt to the switch. The banner is specific to the switch on which you configure it. The WebUI displays the configured banner at its login prompt, but you cannot use the WebUI to configure the banner.
The delimiter is a single character that indicates the beginning and the end of the text string in the banner. Select a delimiter that is not used in the text string you define, because the switch ends the banner when it sees the delimiter character repeated.
There are two ways of configuring the banner message:
- Enter a space between the delimiter and the beginning of the text string. The text can include any character except a quotation mark ("). Use quotation marks to enclose your text if you are including spaces (spaces are not recognized unless your text string is enclosed in quotation marks; without quotation marks, the text is truncated at the first space). You can also use the delimiter character within quotation marks.
- Press the Enter key after the delimiter to be placed into a mode where you can simply enter the banner text in lines of up to 255 characters, including spaces. Quotation marks are ignored.
Example
The following example configures a banner by enclosing the text within quotation marks:
(host)(config) #banner motd * "Welcome to my switch. This switch is in the production network, so please do not save configuration changes. Zach Jennings is awesome. Maintenance will be performed at 7:30 PM, so please log off before 7:00 PM."*
The following example configures a banner by pressing the Enter key after the delimiter:
(host)(config) #banner motd *
Enter TEXT message [maximum of 1023 characters].
Each line in the banner message should not exceed 255 characters.
End with the character '*'.
Welcome to my switch. This switch is in the production network, so please do not save configuration changes. Zach Jennings is awesome. Maintenance will be performed at 7:30 PM, so please log off before 7:00 PM.*
The banner display is as follows:
Welcome to my switch. This switch is in the production network, so please do not save configuration changes. Zach Jennings is awesome. Maintenance will be performed at 7:30 PM, so please log off before 7:00 PM.


Command History
This command was introduced in AOS-W 1.0.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode Config mode on master switches


boot
boot
   cf-test [fast | read-only | read-write]
   config-file <filename>
   remote-node [all|ip-address <A.B.C.D>]
   system partition [0 | 1]
   verbose
Description
Configure the boot options for the switch and the remote node.
Syntax

cf-test
   Sets the type of compact flash test to run when booting the switch.
   fast
      Performs a fast test, which does not include media testing.
   read-only
      Performs a read-only media test.
   read-write
      Performs a read-write media test.
config-file
   Sets the configuration file to use when booting the switch.
   <filename>
      Specifies the name of the configuration file from which to boot the switch.
remote-node
   Reloads the remote node switch.
   all
      Reloads all remote nodes on the network.
   ip address <A.B.C.D>
      Reloads on the remote node specified by its IP address.
system 0 | 1
   Enter the keyword system followed by the partition number (0 or 1) that you want the switch to use during the next boot (login) of the switch.
   NOTE: A switch reload is required before the new boot partition takes effect.
verbose
   Prints extra debugging information at boot.

Usage Guidelines
Use the following options to control the boot behavior of the switch:
- cf-test: Test the flash during boot.
- config-file: Set the configuration file to use during boot.
- system: Specify the system partition to use during the switch's next boot (login).
- verbose: Print extra debugging information during boot. The information is sent to the screen at boot time. Printing the extra debugging information is disabled using the no boot verbose command.
Example
The following command uses the configuration file january-config.cfg the next time the switch boots:
boot config-file january-config.cfg
The following command uses system partition 1 the next time the switch boots:
boot system partition 1
Command History

Release      Modification
AOS-W 1.0    Introduced for the first time.
AOS-W 6.0    The remote-node parameter was introduced.

Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Enable and Config mode on master switches


cellular profile
cellular profile <profile_name>
   dialer <group>
   driver acm|hso|option|sierra
   import <address>
   modeswitch {eject <params>}|rezero
   no
   priority <1-255>
   serial <sernum>
   tty <ttyport>
   user <login> password <password>
   vendor <vend_id> product <prod_id>
Description
Create new profiles to support new USB modems or to customize USB characteristics.
Syntax

cellular profile <profile_name>
   Enter the keywords cellular profile followed by your profile name. This command changes the configuration mode and the command line prompt changes to:
   host (config-cellular <profile_name>)#
dialer <group>
   Enter the keyword dialer followed by a group name to specify the dialing parameters for the carrier. The parameters tend to be common between service providers on the same type of network (CDMA vs. GSM) as displayed in the show dialer group command.
driver acm|hso|option|sierra
   Enter the keyword driver followed by one of the driver options:
   - acm: Linux ACM driver.
   - hso: Option High Speed driver.
   - option: Option USB data card driver (default).
   - sierra: Sierra Wireless driver.
import <address>
   Enter the keyword import followed by the USB device address as displayed in the show usb command. Import retrieves the vendor/product serial numbers from the USB device list and populates them into the profile.
modeswitch {eject <params>}|rezero
   Enter the keyword modeswitch followed by either:
   - eject followed by the CDROM device.
   - rezero: Send SCSI CDROM rezero command.
   Certain cellular devices must be modeswitched before the modem switches to data mode.
no
   Enter the keyword no to negate the command and revert back to the defaults.
priority <1-255>
   Enter the keyword priority to override the default cellular priority (100). Range: 1 to 255. Default: 100
serial <sernum>
   Enter the keyword serial followed by the USB device serial number.
tty <ttyport>
   Enter the keyword tty followed by the modem TTY port (for example, ttyUSB0 or ttyACM0).
user <login> password <password>
   Enter the keyword user followed by your login, and then enter the keyword password followed by your password to establish user name authentication.
vendor <vend_id> product <prod_id> (in hex)
   Enter the keyword vendor followed by the vendor ID in hexadecimal (see show usb on page 1310) and then enter the keyword product followed by the product ID listed in the show usb command.

Usage Guidelines
The cellular modems are plug-and-play and support most native USB modems. A cellular modem is activated only if it is the uplink with the highest priority (see show uplink on page 1309). However, new profiles can be created using this command to support new data cards or to customize card characteristics.
Command History
Introduced in AOS-W 3.4.
Command Information

Platforms OAW-4306 Series switches

Licensing Base operating system

Command Mode Config mode on master and local switches

cfgm
cfgm {mms config {enable|disable}|set config-chunk <kbytes>|set heartbeat <seconds>|set maximum-updates <number>|snapshot-timer <minutes>|sync-command-blocks <number>|sync-type complete|sync-type snapshot}
Description
This command configures the configuration module on the master switch.
Syntax

set config-chunk
Maximum packet size, in Kilobytes, that is sent every second to the local switch whenever the master switch sends a configuration to the local. If the connection between the master and local is slow or uneven, you can lower the size to reduce the amount of data that needs to be retransmitted. If the connection is very fast and stable, you can increase the size to make the transmission more efficient. Range: 1-100. Default: 10 Kbytes.

set heartbeat
Interval, in seconds, at which heartbeats are sent. You can increase the interval to reduce traffic load. Range: 10-300. Default: 10 seconds.

set maximum-updates
Maximum number of local switches that can be updated at the same time with configuration changes. You can decrease this value if you have a busy network. You can increase this value to improve configuration synchronization. Range: 2-25. Default: 5.

snapshot-timer
Interval, in minutes, that the local switch waits for a configuration download from the master upon bootup or startup before loading the last snapshot configuration. Range: 5-60. Default: 5 minutes.

sync-command-blocks
To configure the number of command-list blocks. Each block contains a list of global configuration commands for each write-mem operation. Range: 1-3. Default: 3.

sync-type complete
The master sends full configuration file to the local. Range: --. Default: --.

sync-type snapshot
The master sends only the incremental configuration to the local. NOTE: By default, this configuration is enabled. Range: --. Default: Enable.

Usage Guidelines
By default, OV-MM-SW configuration updates on the switch are disabled to prevent any alterations to the switch configuration.
You need to explicitly enable OV-MM-SW configuration updates for the switch to accept configuration changes from OV-MM-SW. When OV-MM-SW configuration updates are enabled, global configuration changes can only be done from OV-MM-SW and are not available on the master switch. You can use the cfgm mms config disable command if the switch loses connectivity to the OmniVista Mobility Manager Software and you must enter a configuration change on the master switch.
Example
The following command allows configuration updates from the OmniVista Mobility Manager Software:
(host)(config) #cfgm mms config enable
Command History
This command was introduced in AOS-W 3.1.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode Config mode on master switches

clear
clear
   aaa
   acl
   ap
   arp
   counters
   crypto
   datapath
   dot1x
   fault
   gap-db
   ip
   ipc
   ipv6
   loginsession
   master-local-entry
   master-local-session
   port
   provisioning-ap-list
   provisioning-params
   rap-wml
   update-counter
   voice
   vpdn
   wms
Description
This command clears various user-configured values from your running configuration.
Syntax

aaa
Clear all values associated with authentication profile.

authentication-server
Provide authentication server details to clear values specific to an authentication server or all authentication servers. Parameters:
- all: to clear all server statistics.
- internal: to clear Internal server statistics.
- radius: to clear RADIUS server statistics.
- tacacs: to clear TACACS server statistics.

state
Clear internal status of authentication modules. Parameters:
- configuration: clear all configured objects.
- debug-statistics: clear debug statistics.
- messages: clear authentication messages that were sent and received.

acl
Clear ACL statistics.

hits
Clear ACL hit statistics.

ap
Clear all AP related information.

arm
Clear information on AP.

mesh
Clear all mesh commands.

port
Toggle the link on the specified port.

remote
Clear all information related to remote configuration.

arp
Clear all ARP table information. You can either clear all information or enter the IP address of the ARP entry to clear a specific value.

counters
Clear all interface configuration values.

fastethernet
Clears configuration related to fastethernet ports.

gigabitethernet
Clears configuration related to fastethernet ports.

tunnel
Clears all tunnel configuration values on interface ports.

vrrp
Clears all VRRP configuration values on interface ports.

datapath
Clears all configuration values and statistics for the following datapath modules.
- application
- bridge
- bwm
- crypto
- dma
- frame
- hardware
- ip-reassembly
- maintenance
- message-queue
- route
- route-cache
- session
- station
- tunnel
- user
- wifi-reassembly
- wmm

dot1x
Clears all 802.1X specific counters and supplicant statistics. Use the following parameters:
- counters
- supplicant-info

fault
Clears all SNMP fault configuration.

gap-db
Clears global AP database. This command is often used to clear all stale AP records. Use the following parameters:
- ap-name
- lms
- wired-mac

ip
Clears all IP information from DHCP bindings, IGMP groups and IP mobility configuration. Use the following parameters:
- dhcp
- igmp
- mobile

ipc
Clears all inter process communication statistics.

ipv6
Clears all IPv6 session statistics, multicast listener discovery (MLD) group and member information, MLD statistics, and counters. Use the following parameters:
- datapath session counters
- mld group
- mld stats-counters

loginsession
Clears loginsession information for a specific login session, as identified by the session id.

master-local-entry
Clears local switch information from the master switch LMS list. Specify the IP address of the local switch to be removed from master switch active LMS list.

master-local-session
Clear and reset master local TCP connection. Specify the IP address of either the master or local switch.

port
Clear all port statistics that includes link-event counters or all counters. Use the following parameters:
- link-event
- stats

provisioning-ap-list
Clear AP entries from the provisioning list.

provisioning-params
Clear provisioning parameters and reset them to the default configuration values.

rap-wml
Clear wired MAC lookup cache for a DB server.

update-counter
Clear all update counter statistics.

voice
Clear all voice state information. Use the following parameters:
- call-counters
- call-status
- statistics
  - cac
  - tspec-enforcement

vpdn
Clear all VPDN configuration for L2TP and PPTP tunnel. Use the following parameters:
- tunnel l2tp id <l2tp-tunnel-id>
- tunnel pptp id <pptp-tunnel-id>

wms
Clear all WLAN management commands. Use the following parameters:
- ap: clear all AP related commands. Specify the BSSID of the AP.
- client: clear all wired client related commands. Specify the MAC address of the client.
- probe: clear all probe information. Specify the BSSID of the probe.

Usage Guidelines
The clear command will clear the specified parameters of their current values.
Example
The following command clears all aaa counters for all authentication servers:
(host) (config) #clear aaa authentication-server all
Command History

Release AOS-W 3.0
Modification Command introduced

Release AOS-W 6.1
Modification The following MLD parameters are added to the ipv6 option:
- mld group
- mld stats-counters

Command Information

Platforms All platforms

Licensing Base operating system

Command Mode Enable and Config mode on master switches

clear wms wired-mac
clear wms wired-mac [all | gw-mac <mac> | monitored-ap-wm <mac> | prop-eth-mac <mac> | reg-ap-oui <mac> | system-gw-mac <mac> | system-wired-mac <mac> | wireless-device <mac>]
Description
Clear learned and collected Wired MAC information. Optionally, enter the MAC address, in nn:nn:nn:nn:nn:nn format, of the AP that has seen the Wired Mac.
Syntax

all
Clear all the learned and collected wired MAC information.

gw-mac <mac>
Clear the gateway wired MAC information collected from the APs.

monitored-ap-wm <mac>
Clear monitored AP wired MAC information collected from the APs.

prop-eth-mac <mac>
Clear the wired MAC information collected from the APs.

reg-ap-oui <mac>
Clear the registered AP OUI information collected from the APs.

system-gw-mac <mac>
Clear system gateway MAC information learned at the switch.

system-wired-mac <mac>
Clear system wired MAC information learned at the switch.

wireless-device <mac>
Clear routers or potential wireless devices information.

Revision History
Release AOS-W 6.1

Modification Command introduced

Command Information

Platforms All platforms

Licensing Base operating system

Command Mode Enable and Config mode on master switches

clock append
clock append
Description
This command enables the timestamp feature, adding a date and time to the output of show commands.
Syntax
No parameters.
Usage Guidelines
When you enable the timestamp feature, the command-line interface includes a timestamp in the output of each show command indicating when the show command was issued. Note that the output of show clock and show log do not include timestamps, even when this feature is enabled. You can disable timestamps using the command no clock append.
Example
The following example enables the timestamp feature.
(host)(config) #clock append
Command History
This command was introduced in AOS-W 6.2.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode Enable mode

clock set
clock set <year> <month> <day> <time>
Description
This command sets the date and time.
Syntax

year
Sets the year. Requires all 4 digits. Range: Numeric

month
Sets the month. Requires the first three letters of the month. Range: Alphabetic

day
Sets the day. Range: 1-31

time
Sets the time. Specify hours, minutes, and seconds separated by spaces. Range: Numeric

Usage Guidelines
You can configure the year, month, day, and time. You must configure all four parameters. Specify the time using a 24-hour clock. You must specify the seconds.
Example
The following example configures the clock to January 1st of 2007, at 1:03:52 AM.
(host)(config) #clock set 2007 jan 1 1 3 52
Command History
This command was introduced in AOS-W 1.0
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode Enable mode on master switches

clock summer-time recurring
clock summer-time <WORD> [recurring]
   <1-4> <start day> <start month> <hh:mm>
   first <start day> <start month> <hh:mm>
   last <start day> <start month> <hh:mm>
   <1-4> <end day> <end month> <hh:mm>
   first <end day> <end month> <hh:mm>
   last <end day> <end month> <hh:mm>
   [<-23 - 23>]
Description
Set the software clock to begin and end daylight savings time on a recurring basis.
Syntax

WORD
Enter the abbreviation for your time zone. For example, PDT for Pacific Daylight Time. Range: 3-5 characters

1-4
Enter the week number to start/end daylight savings time. For example, enter 2 to start daylight savings time on the second week of the month. Range: 1-4

first
Enter the keyword first to have the time change begin or end on the first week of the month. Range: --

last
Enter the keyword last to have the time change begin or end on the last week of the month. Range: --

start day
Enter the weekday when the time change begins or ends. Range: Sunday-Saturday

start month
Enter the month when the time change begins or ends. Range: January-December

hh:mm
Enter the time, in hours and minutes, that the time change begins or ends. Range: 24 hours

-23 - 23
Hours offset from the Universal Time Clock (UTC). Range: -23 - 23

Usage Guidelines
This command subtracts exactly 1 hour from the configured time.
The WORD can be any alphanumeric string, but cannot start with a colon (:). A WORD longer than five characters is not accepted. If you enter a WORD containing punctuation, the command is accepted, but the timezone is set to UTC.
You can configure the time to change on a recurring basis. To do so, set the week, day, month, and time when the change takes effect (daylight savings time starts). You must also set the week, day, month, and time when the time changes back (daylight savings time ends).
The start day requires the first three letters of the day. The start month requires the first three letters of the month.
You also have the option to set the number of hours by which to offset the clock from UTC. This has the same effect as the clock timezone command.

Example
The following example sets daylight savings time to occur starting at 2:00 AM on Sunday in the second week of March, and ending at 2:00 AM on Sunday in the first week of November. The example also sets the name of the time zone to PST with an offset of UTC - 8 hours.
clock summer-time PST recurring 2 Sun Mar 2:00 first Sun Nov 3:00 -8
Command History
This command was introduced in AOS-W 1.0
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode Config mode on master switches

clock timezone
clock timezone <name> <-23 to 23>
Description
This command sets the time zone on the switch.
Syntax

<name>
Name of the time zone. Range: 3-5 characters

-23 to 23
Hours offset from UTC. Range: -23 to 23

Usage Guidelines
The name parameter can be any alphanumeric string, but cannot start with a colon (:). A time zone name longer than five characters is not accepted. If you enter a time zone name containing punctuation, the command is accepted, but the time zone is set to UTC.
Example
The following example configures the timezone to PST with an offset of UTC - 8 hours.
clock timezone PST -8
Command History
This command was introduced in AOS-W 1.0
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode Config mode on master switches

cluster-member-custom-cert
cluster-member-custom-cert member-mac <mac> ca-cert <ca> server-cert <cert> [suite-b <gcm-128 | gcm-256>]
Description
This command sets the switch as a control plane security cluster root, and specifies a custom user-installed certificate for authenticating cluster members.
Syntax

member-mac <mac>
MAC address of the cluster member.

ca-cert <ca>
Name of the CA certificate uploaded via the WebUI.

server-cert <cert>
Name of the server certificate uploaded via the WebUI.

suite-b
To use Suite-B encryption in the secure communication between the cluster root and cluster member, specify one of the following Suite-B algorithms:
- gcm-128: Encryption using 128-bit AES-GCM
- gcm-256: Encryption using 256-bit AES-GCM

Usage Guidelines
If your network includes multiple master switches each with their own hierarchy of APs and local switches, you can allow APs from one hierarchy to failover to any other hierarchy by defining a cluster of master switches. Each cluster will have one master switch as its cluster root, and all other master switches as cluster members.
To define a switch as a cluster root, issue one of the following commands on that switch:
- cluster-member-custom-cert: Define the switch as a cluster root, and select a user-installed certificate to authenticate that cluster member.
- cluster-member-factory-cert: Define the switch as a cluster root, and select a factory-installed certificate to authenticate that cluster member.
- cluster-member-ip: Define the switch as a cluster root, and set the IPsec key to authenticate that cluster member.
For information on installing certificates on your switch, refer to the Management Utilities chapter of the AOS-W User Guide.

Example
The following example selects a customer installed certificate for cluster member authentication.
(host)(config) # cluster-member-custom-cert member-mac 00:1E:37:CB:D4:52 ca-cert cacert1 server-cert servercert1

Related Commands

control-plane-security
Configure the control plane security profile. Mode: Config mode

show cluster-config
Show the multi-master cluster configuration for the control plane security feature. Mode: Enable mode

show cluster-switches
Issue this command on a master switch using control plane security in a multi-master environment to show the other switches to which it is connected. Mode: Enable mode

Command History
Introduced in AOS-W 6.1.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode Config mode on cluster root switches

cluster-member-factory-cert
cluster-member-factory-cert member-mac <mac>
Description
This command sets the switch as a control plane security cluster root, and specifies a custom user-installed certificate for authenticating cluster members.
Syntax

Parameter <mac>

Description MAC address of the user-installed certificate on the cluster member

Usage Guidelines
If your network includes multiple master switches each with their own hierarchy of APs and local switches, you can allow APs from one hierarchy to failover to any other hierarchy by defining a cluster of master switches. Each cluster will have one master switch as its cluster root, and all other master switches as cluster members.
To define a switch as a cluster root, issue one of the following commands on that switch:
- cluster-member-custom-cert: Define the switch as a cluster root, and select a user-installed certificate to authenticate that cluster member.
- cluster-member-factory-cert: Define the switch as a cluster root, and select a factory-installed certificate to authenticate that cluster member.
- cluster-member-ip: Define the switch as a cluster root, and set the IPsec key to authenticate that cluster member.
For information on installing certificates on your switch, refer to the Management Utilities chapter of the AOS-W User Guide.

Example
The following command sets the switch on which you issue the command as a root switch, and adds the switch 172.21.18.18 as a cluster member with the IPsec key ipseckey1:
(host) (config) #cluster-member-factory-cert member-mac 00:1E:37:CB:D4:52
Related Commands

control-plane-security
Configure the control plane security profile. Mode: Config mode

show cluster-config
Show the multi-master cluster configuration for the control plane security feature. Mode: Enable mode

show cluster-switches
Issue this command on a master switch using control plane security in a multi-master environment to show the other switches to which it is connected. Mode: Enable mode

Command History
Introduced in AOS-W 6.1.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode Config mode on cluster root switches

cluster-member-ip
cluster-member-ip <ip-address> ipsec <key>
Description
This command sets the switch as a control plane security cluster root, and specifies the IPsec key for a cluster member.
Syntax

<ip-address>
Switch IP address of a control plane security cluster member. You can also use the IP address 0.0.0.0 to set a single IPsec key for all cluster members.

ipsec <key>
Configure the value of the IPsec key for secure communication between the cluster root and the specified cluster member. The key must be between 6-64 characters.

Usage Guidelines
If your network includes multiple master switches each with their own hierarchy of APs and local switches, you can allow APs from one hierarchy to failover to any other hierarchy by defining a cluster of master switches. Each cluster will have one master switch as its cluster root, and all other master switches as cluster members.
The master switch operating as the cluster root will use the control plane security feature to create a self-signed certificate, then certify its own local switches and APs. Next, the cluster root will send the certificate to each cluster member, which in turn certifies their own local switches and APs. Since all switches and APs in the cluster get their certificates from the cluster root, they will all have the same trust anchor, and the APs can switch to any other switch in the cluster and still remain connected to the secure network.
Issue the cluster-member-ip command on the switch you want to define as the cluster root to set the IPsec key for secure communication between the cluster root and each cluster member. Use the IP address 0.0.0.0 in this command to set a single IPsec key for all member switches, or repeat this command as desired to define a different IPsec key for each cluster member.
Once the cluster root has defined an IPsec key for all cluster members, you must access each of the member switches and issue the command cluster-root-ip to define the IPsec key for communication to the cluster root.
Example
The following command sets the switch on which you issue the command as a root switch, and adds the switch 172.21.18.18 as a cluster member with the IPsec key ipseckey1:
(host) (config) #cluster-member-ip 172.21.18.18 ipsec ipseckey1
Related Commands

control-plane-security
Configure the control plane security profile. Mode: Config mode

show cluster-config
Show the multi-master cluster configuration for the control plane security feature. Mode: Enable mode

show cluster-switches
Issue this command on a master switch using control plane security in a multi-master environment to show the other switches to which it is connected. Mode: Enable mode

Command History
Introduced in AOS-W 5.0.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode Config mode on cluster root switches

cluster-root-ip
cluster-root-ip <ip-address>
   ipsec <key>
   ipsec-custom-cert root-mac1 <mac1> [root-mac2 <mac2>] ca-cert <ca> server-cert <cert> [suite-b <gcm-128 | gcm-256>]
   ipsec-factory-cert root-mac-1 <mac> [root-mac-1 <mac>]
Description
This command sets the switch as a control plane security cluster member, and defines the IPsec key or certificate for secure communication between the cluster member and the switch's cluster root.
Syntax

<ip-address>
The IP address of control plane security cluster root switch. To set a single IPsec key for all member switches in the cluster use the IP address 0.0.0.0.

ipsec <key>
Set the value of the IPsec pre-shared key for communication with the cluster root. This parameter must have the same value as the IPsec key defined for the cluster member via the cluster-member-ip command.

ipsec-factory-cert
Use a factory-installed certificate for secure communication between the cluster root and the specified cluster member by specifying the MAC address of the certificate.

root-mac-1 <mac>
Specify MAC address of the cluster root.

root-mac-2 <mac>
Specify MAC address of the redundant cluster Root.

ipsec-custom-cert
Use a custom user-installed certificate for secure communication between the cluster root and the specified cluster member.

root-mac-1 <mac>
Specify the MAC address of the cluster-root's certificate.

root-mac-2 <mac>
(Optional) If your network has multiple master switches, use this parameter to specify the MAC address of the redundant cluster-root's certificate.

ca-cert <ca>
Name of the CA certificate uploaded via the WebUI.

server-cert <cert>
Name of the server certificate uploaded via the WebUI.

suite-b
To use Suite-B encryption in the secure communication between the cluster root and cluster member, specify one of the following Suite-B algorithms:
- gcm-128: Encryption using 128-bit AES-GCM
- gcm-256: Encryption using 256-bit AES-GCM

Usage Guidelines
If your network includes multiple master switches each with their own hierarchy of APs and local switches, you can allow APs from one hierarchy to failover to any other hierarchy by defining a cluster of master switches. Each cluster will have one master switch as its cluster root, and all other master switches as cluster members.
The master switch operating as the cluster root will use the control plane security feature to create a self-signed certificate, then certify its own local switches and APs. Next, the cluster root will send the certificate to each cluster member, which in turn certifies their own local switches and APs. Since all switches and APs in the cluster get their certificates from the cluster root, they will all have the same trust anchor, and the APs can switch to any other switch in the cluster and still remain connected to the secure network.
Issue the cluster-member-ip command on the switch you want to define as the cluster root to select the certificate or define the IPsec key for secure communication between the cluster root and each cluster member.
Once the cluster root has defined an IPsec key or certificate for all cluster members, you must access each of the member switches and issue the command cluster-root-ip to define the IPsec key or certificate for communication to the cluster root.
For information on installing certificates on your switch, refer to the Management Utilities chapter of the AOS-W User Guide.

Example
The following command defines the IPsec key for communication between the cluster member and the root switch 172.21.45.22:
(host) (config) #cluster-root-ip 172.21.45.22 ipsec ipseckey1
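The pairing of cluster-member-ip on the root with cluster-root-ip on each member can be checked offline before a cluster is brought up. The following Python audit is an added example, not part of the AOS-W guide or software: it assumes the plaintext keys are available from provisioning records (the sample lines are constructed), and the rule that a per-switch entry takes precedence over the 0.0.0.0 entry is an assumption.

```python
import hmac
import re

# Constructed sample data. Keys are assumed to come from provisioning records.
ROOT_IP = "172.21.45.22"
ROOT_CONFIG = """\
cluster-member-ip 172.21.18.18 ipsec ipseckey1
cluster-member-ip 172.21.18.19 ipsec key2x
cluster-member-ip 0.0.0.0 ipsec sharedkey
"""
MEMBER_CONFIGS = {
    "172.21.18.18": "cluster-root-ip 172.21.45.22 ipsec ipseckey1\n",
    "172.21.18.19": "cluster-root-ip 172.21.45.22 ipsec otherkey1\n",
    "172.21.18.20": "cluster-root-ip 172.21.45.22 ipsec sharedkey\n",
    "172.21.18.21": "cluster-root-ip 172.21.45.99 ipsec sharedkey\n",
}

WILDCARD = "0.0.0.0"  # guide: sets a single IPsec key for all cluster members
LINE_RE = re.compile(
    r"^\s*(cluster-member-ip|cluster-root-ip)\s+(\S+)\s+ipsec\s+(\S+)\s*$")


def parse_ipsec_lines(text, command):
    """Return {peer_ip: key} for each '<command> <ip> ipsec <key>' line."""
    entries = {}
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if match and match.group(1) == command:
            entries[match.group(2)] = match.group(3)
    return entries


def key_length_ok(key):
    """The guide requires an IPsec key of 6 to 64 characters."""
    return 6 <= len(key) <= 64


def lookup(entries, peer_ip):
    """Assumption: a specific entry takes precedence over the 0.0.0.0 entry."""
    return entries.get(peer_ip, entries.get(WILDCARD))


def audit_cluster(root_ip, root_text, member_texts):
    """Return (switch_ip, finding) tuples; key material is never included."""
    findings = []
    root_keys = parse_ipsec_lines(root_text, "cluster-member-ip")
    for ip, key in sorted(root_keys.items()):
        if not key_length_ok(key):
            findings.append((ip, "root-key-length"))
    if WILDCARD in root_keys:
        # One key for every member: losing it on one switch affects all.
        findings.append((WILDCARD, "shared-key-for-all-members"))
    for member_ip, text in sorted(member_texts.items()):
        member_key = lookup(parse_ipsec_lines(text, "cluster-root-ip"), root_ip)
        if member_key is None:
            findings.append((member_ip, "no-entry-for-root"))
            continue
        if not key_length_ok(member_key):
            findings.append((member_ip, "member-key-length"))
        expected = lookup(root_keys, member_ip)
        if expected is None:
            findings.append((member_ip, "not-defined-on-root"))
        elif not hmac.compare_digest(member_key.encode(), expected.encode()):
            # Constant-time comparison; the keys themselves are not reported.
            findings.append((member_ip, "key-mismatch"))
    return findings


if __name__ == "__main__":
    for switch, finding in audit_cluster(ROOT_IP, ROOT_CONFIG, MEMBER_CONFIGS):
        print(f"{switch}: {finding}")
```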
Related Commands

control-plane-security
Configure the control plane security profile. Mode: Config mode

show cluster-config
Show the multi-master cluster configuration for the control plane security feature. Mode: Enable mode

show cluster-switches
Issue this command on a master switch using control plane security in a multi-master environment to show the other switches to which it is connected. Mode: Enable mode

Command History
Release AOS-W 5.0
Modification Command introduced.

Release AOS-W 6.1
Modification The ipsec-factory-cert and ipsec-custom-cert parameters were introduced to allow certificate-based authentication of cluster members.

Command Information

Platforms All platforms

Licensing Base operating system

Command Mode Config mode on cluster member switches

configure terminal
configure terminal
Description
This command allows you to enter configuration commands.
Syntax
No parameters.
Usage Guidelines
Upon entering this command, the enable mode prompt changes to:
(host) (config) #
To return to enable mode, enter Ctrl-Z or exit.
Example
The following command allows you to enter configuration commands:
(host) # configure terminal
Command History
This command was introduced in AOS-W 3.0.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode Enable mode on master switches

control-plane-security
control-plane-security
   auto-cert-allow-all
   auto-cert-allowed-addrs <ipaddress-start> <ipaddress-end>
   auto-cert-prov
   cpsec-enable
   no ...
Description
Configure the control plane security profile by identifying APs to receive security certificates.
Syntax

auto-cert-allow-all
When you issue the control-plane-security auto-cert-allow-all command, the switch will send a certificate to all associated APs when auto certificate provisioning is enabled. When disabled, the switch sends certificates only to APs whose IP addresses are in the ranges specified by auto-cert-allowed-addrs.

auto-cert-allowed-addrs <ipaddress-start> <ipaddress-end>
Use this command to define a specific range of AP IP addresses. The switch will send certificates to the APs in this IP range when auto certificate provisioning is enabled. Identify a range by entering the starting IP address and the ending IP address in the range, separated by a single space. You can repeat this command as many times as necessary to define multiple IP ranges.

auto-cert-prov
Issue this command to enable automatic certificate provisioning. When this feature is enabled, the switch will attempt to send certificates to associated APs. To disable this feature, use the command no auto-cert-prov. Automatic certificate provisioning is disabled by default.

cpsec-enable
Issue this command to enable control plane security. To disable this feature, use the command no cpsec-enable. Control plane security is enabled by default.

Usage Guidelines
Switches enabled with control plane security will only send certificates to APs that you have identified as valid APs on the network. If you are confident that all campus APs currently on your network are valid APs, you can configure automatic certificate provisioning to send certificates from the switch to each campus AP, or to all campus APs within a specific range of IP addresses. If you want closer control over each AP that gets certified, you can manually add individual campus APs to the secure network by adding each AP's information to a campus AP whitelist.
Example
The following command defines a range of IP addresses that should receive certificates from the switch, and enables the control plane security feature:
(host)(config) # control-plane-security
auto-cert-allowed-addrs 10.21.18.10 10.21.10.90
cpsec-enable
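A saved control-plane-security stanza can be reviewed against the behaviour described above before automatic certificate provisioning is turned on. This Python check is an added example, not AOS-W code: the indented stanza layout, treating auto-cert-allow-all as off unless the stanza lists it, and the 256-address threshold are assumptions, and the sample configuration is constructed.

```python
import ipaddress

# Constructed sample stanza (not from a real switch). The first range reuses
# the two addresses shown in the Example above.
SAMPLE_CONFIG = """\
control-plane-security
   auto-cert-prov
   auto-cert-allowed-addrs 10.21.18.10 10.21.10.90
   auto-cert-allowed-addrs 10.21.20.1 10.21.23.254
   auto-cert-allowed-addrs 10.21.30.5 10.21.30.40
   cpsec-enable
!
"""

MAX_RANGE_SIZE = 256  # assumed site policy threshold, not an AOS-W limit


def parse_cpsec(config_text):
    """Extract the control-plane-security settings from a config dump."""
    profile = {
        "cpsec_enable": True,     # guide: enabled by default
        "auto_cert_prov": False,  # guide: disabled by default
        "allow_all": False,       # assumption: off unless the stanza lists it
        "ranges": [],             # (start, end) strings as written
    }
    in_stanza = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not in_stanza:
            in_stanza = line == "control-plane-security"
            continue
        if not raw[:1].isspace():
            break  # assumption: the stanza ends at the first non-indented line
        negated = line.startswith("no ")
        words = line.split()[1:] if negated else line.split()
        if not words:
            continue
        if words[0] == "cpsec-enable":
            profile["cpsec_enable"] = not negated
        elif words[0] == "auto-cert-prov":
            profile["auto_cert_prov"] = not negated
        elif words[0] == "auto-cert-allow-all":
            profile["allow_all"] = not negated
        elif words[0] == "auto-cert-allowed-addrs" and not negated:
            if len(words) == 3:
                profile["ranges"].append((words[1], words[2]))
    return profile


def audit_cpsec(profile):
    """Return (code, detail) findings for one parsed profile."""
    findings = []
    if not profile["cpsec_enable"]:
        findings.append(("cpsec-disabled", "no cpsec-enable"))
    if profile["auto_cert_prov"] and profile["allow_all"]:
        # Guide: with allow-all, every associated AP is sent a certificate.
        findings.append(("allow-all", "certificates go to every associated AP"))
    for start_text, end_text in profile["ranges"]:
        try:
            start = ipaddress.IPv4Address(start_text)
            end = ipaddress.IPv4Address(end_text)
        except ValueError:
            findings.append(("invalid-address", f"{start_text} {end_text}"))
            continue
        if start > end:
            findings.append(("reversed-range", f"{start} {end}"))
            continue
        size = int(end) - int(start) + 1
        if size > MAX_RANGE_SIZE:
            findings.append(("wide-range", f"{start} {end} ({size} addresses)"))
    return findings


if __name__ == "__main__":
    for code, detail in audit_cpsec(parse_cpsec(SAMPLE_CONFIG)):
        print(f"{code}: {detail}")
```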
Related Commands
show control-plane-security
Show the current configuration of the control plane security profile. Mode: Config mode

Command History
This command was introduced in AOS-W 5.0.
Command Information

Platforms All platforms

Licensing Base operating system.

Command Mode Config mode on master or local switches

controller-ip
controller-ip [loopback|vlan <VLAN ID>]
   no ...
Description
This command sets the switch IP to the loopback interface address or a specific VLAN interface address.
Syntax

loopback
Sets the switch IP to the loopback interface. Default: disabled

vlan
Set the switch IP to a VLAN interface. Default: --

VLAN ID
Specifies the VLAN interface ID. Default: --

Usage Guidelines
This command allows you to set the switch IP to the loopback interface address or a specific VLAN interface address. If the switch IP command is not configured then the switch IP defaults to the loopback interface address. If the loopback interface address is not configured then the first configured VLAN interface address is selected. Generally, VLAN 1 is the factory default setting and thus becomes the switch IP address.
Example
The following command sets the switch IP address to VLAN interface 6.
(host) (config) #controller-ip vlan 6
Related Commands
(host) (config) #show controller-ip
Command History
This command was introduced in AOS-W 3.4
Command Information

Platform Available on all platforms

License Base operating system

Command Mode Config mode on master switches


controller-ipv6
controller-ipv6 [loopback|vlan <VLAN ID>]
    no ...
Description
This command sets the default IPv6 address of the switch to the IPv6 loopback interface address or a specific VLAN interface address.
Syntax

loopback
    Sets the switch IP to the loopback interface.
    Default: disabled
vlan
    Set the switch IP to a VLAN interface.
    Default: --
VLAN ID
    Specifies the VLAN interface ID.
    Default: --

Usage Guidelines
This command allows you to set the default IPv6 address of the switch to the IPv6 loopback interface address or a specific IPv6 VLAN interface address. If the switch IPv6 command is not configured then the switch IP defaults to the loopback interface address. If the loopback interface address is not configured then the first configured VLAN interface address is selected. Generally, VLAN 1 is the factory default setting and thus becomes the switch IP address.
Example
The following command sets the switch IP address to VLAN interface 6.
(host) (config) #controller-ipv6 vlan 6
Related Commands
(host) (config) #show controller-ipv6
Command History
This command was introduced in AOS-W 6.1.
Command Information

Platform Available on all platforms

License Base operating system

Command Mode Config mode on master switches


copy
copy
    flash: <srcfilename> {flash: <destfilename> | scp: <scphost> <username> <destfilename> tftp: <tftphost> <destfilename> | usb: partition {0|1} <destfilename>}
    ftp: <ftphost> <user> <filename> system: partition {0|1} |
    running-config {flash: <filename> | ftp: <ftphost> <user> <password> <filename> [<remote-dir>] | startup-config | tftp: <tftphost> <filename>} |
    scp: <scphost> <username> <filename> {flash: <destfilename>| system: partition [0|1]}|
    startup-config {flash: <filename> | tftp: <tftphost> <filename>} |
    system: partition {<srcpartition> 0|1} [<destpartition> 0 | 1] |
    tftp: <tftphost> <filename> {flash: <destfilename> | system: partition [0|1]}
    usb: partition <partition-number> <filename> flash: <destfilename>
Description
This command copies files to and from the switch.
Syntax

flash:
    Copy the contents of the switch's flash file system, the system image, to a specified destination.
srcfilename
    Full name of the flash file to be copied.
flash:
    Copy the file to the flash file system.
destfilename
    Specify the new name of the copied file.
tftp:
    Copy the file to a TFTP server.
tftphost
    Specify the IP address or hostname of the TFTP server.
usb:
    Copy the file to an attached USB storage device.
partition
    Specify the partition on the USB device.
ftp:
    Copy a file from the FTP server.
ftphost
    Specify the IP address or hostname of the FTP server.
user
    User account name required to access the FTP server.
filename
    Full name of the file to be copied.
0|1
    Specify the system partition to save the file.
running-config
    Copy the active, running configuration to a specified destination.
flash:
    Copy the configuration to the flash file system.
filename
    Specify the new name of the copied configuration file.
ftp:
    Using FTP, copy the configuration to an FTP server.
ftphost
    Specify the IP address of the FTP server.
user
    User account name required to access the FTP server.
password
    Password required to access the FTP server.
remote-dir
    Specify a remote directory, if needed.
startup-config
    Copy the active, running configuration to the start-up configuration.
tftp:
    Using TFTP, copy the configuration to a TFTP server.
tftphost
    Specify the IP address or hostname of the TFTP server.
scp:
    Copy an AOS-W image file or file from the flash file system using the Secure Copy protocol. The SCP server or remote host must support SSH version 2 protocol.
scphost
    Specify the IP address of the SCP server or remote host.
username
    User account name required to access the SCP server or remote host.
filename
    Specify the absolute path of the filename to be copied.
flash:
    Copy the file to the flash file system.
destfilename
    Specify the new name of the copied file.
system:
    Copy the file to the system partition.
startup-config
    Copy the startup configuration to a specified flash file or to a TFTP server.
flash:
    Copy the file to the flash file system.
filename
    Specify the new name of the copied startup configuration file.
tftp:
    Using TFTP, copy the startup configuration to a TFTP server.
tftphost
    Specify the IP address or hostname of the TFTP server.
system:
    Copy the specified system partition.
srcpartition
    Disk partition from which to copy the system data, as either 0 or 1.
destpartition
    Disk partition to copy the system data to, as either 0 or 1.
tftp:
    Copy a file from the specified TFTP server to either the switch or another destination. This command is typically used when performing a system restoration, or to pull a specified file name into the wms database.
tftphost
    Specify the IP address or hostname of the TFTP server.
filename
    Full name of the file to be copied.
flash:
    Copy the file to the flash file system.
destfilename
    Specify the new name of the copied file.
system
    Copy the file to the system partition.
usb:
    Copy a file from an attached USB device to the flash file system.
partition
    Specify the partition on the USB device.
filename
    Full name of the file to be copied.
flash:
    Copy the file to the flash file system.
destfilename
    Specify the new name of the copied file.

Usage Guidelines
Use this command to save back-up copies of the configuration file to an FTP or TFTP server, or to load a saved file from an FTP or TFTP server.
Three partitions reside on the file system flash. Totalling 256MB, the three partitions provide space to hold the system image files (in partitions 1 and 2 which are 45MB each) and user files (in partition 3, which is 165MB). System software runs on the system partitions; the database, DHCP, startup configuration, and logs are positioned on the user partition.
To restore a database, copy the database from the network server and import the database.
To restore a configuration file, copy the file from the network server to the switch's flash system, then copy the file from the flash system to the system configuration. This ensures that you do not accidentally overwrite your system startup configuration file.
Unlike the switch's flash, the USB device has more than two partitions, not just 0 and 1. When copying a file from a USB device, you must know which partition the target file is on. Use the show storage command to identify the USB partition that holds the file.
Example
The following commands copy the configuration file named engineering from the TFTP server to the switch's flash file system and then use that file as the startup configuration. This example assumes the startup configuration file is named default.cfg:
(host) (config) #copy tftp: 192.0.2.0 engineering flash: default.bak
copy flash: default.bak flash: default.cfg
Command History
This command was introduced in AOS-W 1.0.

AOS-W 1.0: Introduced for the first time.
AOS-W 6.2: The USB parameters introduced.

Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Enable and Config modes on master switches


cp-bandwidth-contract
cp-bandwidth-contract <name> {mbits <1..2000>}|{kbits <256..2000000>}
Description
This command configures a bandwidth contract traffic rate which can then be associated with a whitelist session ACL.
Syntax

<name>
    Name of a bandwidth contract.
mbits <1..2000>
    Set a bandwidth rate in mbits/second.
kbits <256..2000000>
    Set a bandwidth rate in kbits/second.

Example
The following example configures a bandwidth contract named "cp-rate" with a rate of 10,000Kbps.
(host)(config) #cp-bandwidth-contract cp-rate kbits 10000
Related Commands

show cp-bwcontracts
    Display a list of Control Processor (CP) bandwidth contracts for whitelist ACLs.
    Mode: Enable or Config modes
firewall cp
    This command creates a new whitelist ACL and can associate a bandwidth contract with that ACL.
    Mode: Enable or Config modes

Command History
This command was introduced in AOS-W 3.4
Command Information

Platforms All platforms

Licensing This command requires the PEFNG license.

Command Mode Config mode on master switches

crypto-local ipsec sa-cleanup
crypto-local ipsec sa-cleanup
Description
Issue this command to clean IPsec security associations (SAs).
Syntax
No parameters
Usage Guidelines
Use this command to remove old IPsec security associations if remote APs on your network still use an old SA after upgrading to a newer version of AOS-W.
Command History
This command was introduced in AOS-W 6.1.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode Config mode on master switches


crypto dynamic-map
crypto dynamic-map <name> <priority>
    no ...
    set pfs {group1|group2|group19|group20}
    set security-association lifetime seconds <seconds>
    set transform-set <name1> [<name2>] [<name3>] [<name4>]
    version v1|v2
Description
This command configures a new or existing dynamic map.
Syntax

<name>
    Name of the map.
    Range: --
    Default: --
<priority>
    Priority of the map.
    Range: 1-10000
    Default: 10000
no
    Negates a configured parameter.
    Range: --
    Default: --
set pfs
    Enables Perfect Forward Secrecy (PFS) mode. Use one of the following:
    - group1: 768-bit Diffie Hellman prime modulus group.
    - group2: 1024-bit Diffie Hellman prime modulus group.
    - group19: 256-bit random Diffie Hellman ECP modulus group.
    - group20: 384-bit random Diffie Hellman ECP modulus group.
    Range: --
    Default: group1
set security-association lifetime seconds <seconds>
    Configures the lifetime, in seconds, for the security association (SA).
    Range: 300-86400
    Default: no limit
set transform-set
    Name of the transform set for this dynamic map. You can specify up to four transform sets. You configure transform sets with the crypto ipsec transform-set command.
    Range: --
    Default: default-transform
version
    Specify the version of IKE protocol the switch uses to set up a security association (SA) in the IPsec protocol suite:
    - v1: IKEv1
    - v2: IKEv2
    Range: --
    Default: v1
Usage Guidelines
Dynamic maps enable IPsec SA negotiations from dynamically addressed IPsec peers. Once you have defined a dynamic map, you can optionally associate that map with the default global map using the command crypto map global-map.
Example
The following command configures a dynamic map:
(host) (config)# crypto dynamic-map dmap1 100
set pfs group2
set security-association lifetime seconds 300

Command History
AOS-W 3.0: Command introduced.
AOS-W 6.1: The version parameter was introduced. The pfs parameter was modified to support the group19 and group20 PFS group values.

Command Information

Platforms All platforms

Licensing The group19 and group20 PFS options require the Advanced Cryptography (ACR) license. All other parameters are available in the base operating system.

Command Mode Config mode on master switches

crypto ipsec
crypto ipsec
    mtu <max-mtu>
    transform-set <transform-set-mtu> esp-3des|esp-aes128|esp-aes128-gcm|esp-aes192|esp-aes256|esp-aes256-gcm|esp-des esp-md5-hmac|esp-null-hmac|esp-sha-hmac
Description
This command configures IPsec parameters.
Syntax

mtu <max-mtu>
    Configure the IPsec Maximum Transmission Unit (MTU) size. The supported range is 1024 to 1500 and the default is 1500.
transform-set <transform-set-mtu>
    Create or modify a transform set.
esp-3des
    Use ESP with 168-bit 3DES encryption.
esp-aes128
    Use ESP with 128-bit AES encryption.
esp-aes128-gcm
    Use ESP with 128-bit AES-GCM encryption.
esp-aes192
    Use ESP with 192-bit AES encryption.
esp-aes256
    Use ESP with 256-bit AES encryption.
esp-aes256-gcm
    Use ESP with 256-bit AES-GCM encryption.
esp-des
    Use ESP with 56-bit DES encryption.
esp-md5-hmac
    Use ESP with the MD5 (HMAC variant) authentication algorithm.
esp-null-hmac
    Use ESP with no authentication. This option is not recommended.
esp-sha-hmac
    Use ESP with the SHA (HMAC variant) authentication algorithm.

Usage Guidelines
Define the Maximum Transmission Unit (MTU) size allowed for network transmissions using IPsec security, and create or edit transform sets that define a specific encryption and authentication type.
Example
The following command configures 3DES encryption and MD5 authentication for a transform set named set2:
(host) (config)# crypto ipsec transform-set set2 esp-3des esp-md5-hmac

Command History
AOS-W 3.0: Command introduced.
AOS-W 6.1: The esp-aes128-gcm and esp-aes256-gcm transform-set parameters were introduced.

Command Information

Platforms All platforms

Licensing The esp-aes128-gcm and esp-aes256-gcm transform-set parameters require the Advanced Cryptography (ACR) license. All other parameters are available in the base OS.

Command Mode Config mode on master switches

crypto isakmp
crypto isakmp
    address <peer-address> netmask <mask>
    disable
    eap-passthrough eap-mschapv2|eap-peap|eap-tls
    enable
    groupname <name>
    key <keystring> address <peer-address> netmask <mask>
    udpencap-behind-natdevice enable|disable
    packet-dump
Description
This command configures Internet Key Exchange (IKE) parameters for the Internet Security Association and Key Management Protocol (ISAKMP).
Syntax

address
    Configure the IP address for the group key.
<peer-address>
    IP address for the group key, in dotted-decimal format.
netmask
    Configure the IP netmask for the group key.
<mask>
    Subnet mask for the group key.
disable
    Disable IKE processing.
eap-passthrough
    Select one of the following authentication types for IKEv2 user authentication using EAP.
    - eap-mschapv2
    - eap-peap
    - eap-tls
enable
    Enable IKE processing.
groupname
    Configure the IKE Aggressive group name. Aggressive-mode IKE is a 3-packet IKE exchange that does not provide identity-protection, but is faster, because fewer messages are exchanged.
<name>
    Name of the IKE aggressive group.
key
    Configure the IKE preshared key.
<keystring>
    Configure the value of the IKE PRE-SHARED key. The key must be between 6-64 characters long.
address
    Configure the IP address for the group key.
<peer-address>
    An IP for the group key, in dotted-decimal format.
netmask
    Configure the netmask for the group key IP address.
<mask>
    A subnet mask, in dotted-decimal format.
udpencap-behind-natdevice
    Configure NAT-T if switch is behind NAT device. (For Windows VPN Dialer only)
enable
    Enable Nat-T. This is the recommended setting if the switch is behind a NAT device.
disable
    Disable Nat-T.
packet-dump
    Issue this command in enable mode to troubleshoot an IPsec tunnel establishment by looking at the packet exchanges between the switch and the remote AP or the other IPsec peer. The packet dump output is saved to a file named ike.pcap.
    NOTE: This is a testing feature only, and should not be enabled on a production network. To disable this feature, use the command no crypto isakmp packet-dump.

Usage Guidelines
Use this command to configure the IKE pre-shared key, set the EAP authentication method for IKEv2 clients using EAP user authentication, and enable source NAT if the IP addresses of clients need to be translated to access the network.
Example
The following command configures an ISAKMP peer IP address and subnet mask. After configuring an ISAKMP address and netmask, you will be prompted to enter the IKE preshared key.
(host)(config) #crypto isakmp address 10.3.14.21 netmask 255.255.255.0
Key:*******
Re-Type Key:*******
Command History

AOS-W 3.0: Command introduced.
AOS-W 6.1: The eap-passthrough parameter was introduced.

Command Information

Platforms All platforms

Licensing Base operating system

Command Mode Config mode on master switches


crypto isakmp policy
crypto isakmp policy
    authentication pre-share|rsa-sig|ecdsa-256|ecdsa-384
    encryption 3DES|AES128|AES192|AES256|DES
    group 1|2|19|20
    hash md5|sha|sha1-96|sha2-256-128|sha2-384-192
    prf PRF-HMAC-MD5|PRF-HMAC-SHA1|PRF-HMAC-SHA256|PRF-HMAC-SHA384
    lifetime <seconds>
    version v1|v2

Description
This command configures Internet Key Exchange (IKE) policy parameters for the Internet Security Association and Key Management Protocol (ISAKMP).
Syntax

policy
    Configure an IKE policy.
<priority>
    Specify a number from 1 to 10,000 to define a priority level for the policy. The higher the number, the higher the priority level.
authentication
    Configure the IKE authentication method.
pre-share
    Use Pre Shared Keys for IKE authentication. This is the default authentication type.
rsa-sig
    Use RSA Signatures for IKE authentication.
ecdsa-256
    Use ECDSA-256 signatures for IKE authentication.
ecdsa-384
    Use ECDSA-384 signatures for IKE authentication.
encryption
    Configure the IKE encryption algorithm.
3DES
    Use 168-bit 3DES-CBC encryption algorithm. This is the default encryption value.
AES128
    Use 128-bit AES-CBC encryption algorithm.
AES192
    Use 192-bit AES-CBC encryption algorithm.
AES256
    Use 256-bit AES-CBC encryption algorithm.
DES
    Use 56-bit DES-CBC encryption algorithm.
group
    Configure the IKE Diffie Hellman group.
1
    Use the 768-bit Diffie Hellman prime modulus group. This is the default group setting.
2
    Use the 1024-bit Diffie Hellman prime modulus group.
19
    Use the 256-bit random Diffie Hellman ECP modulus group.
20
    Use the 384-bit random Diffie Hellman ECP modulus group.
hash
md5
    Use MD5 as the hash algorithm.
sha
    Use SHA-1 as the hash algorithm. This is the default policy algorithm.
SHA1-96
    Use SHA1-96 as the hash algorithm.
SHA2-256-128
    Use SHA2-256-128 as the hash algorithm.
SHA2-384-192
    Use SHA2-384-192 as the hash algorithm.
prf
    Set one of the following pseudo-random function (PRF) values for an IKEv2 policy:
    - PRF-HMAC-MD5 (default)
    - PRF-HMAC-SHA1
    - PRF-HMAC-SHA256
    - PRF-HMAC-SHA384
lifetime <seconds>
    Specify the lifetime of the IKE security association (SA), from 300 - 86400 seconds.
version
    Specify the version of IKE protocol for the IKE policy:
    - v1: IKEv1
    - v2: IKEv2

Usage Guidelines
To define settings for an ISAKMP policy, issue the command crypto isakmp policy <priority> then press Enter. The CLI will enter config-isakmp mode, which allows you to configure the policy values.
Example
The following command configures an ISAKMP peer IP address and subnet mask. After configuring an ISAKMP address and netmask, you will be prompted to enter the IKE preshared key.
(host)(config) #crypto isakmp policy 1
(host)(config-isakmp) #auth rsa-sig
Key:*******
Re-Type Key:*******
Command History

AOS-W 3.0: Command introduced.
AOS-W 6.1: The following parameters were introduced.
- authentication ecdsa-256
- authentication ecdsa-384
- hash sha1-96
- hash sha2-256-128
- hash sha2-384-192
- prf

Command Information

Platforms All platforms

Licensing The following settings require the Advanced Cryptography (ACR) license:
- hash algorithm: SHA-256-128, SHA-384-192
- Diffie-Hellman (DH) Groups: 19 and 20
- Pseudo-Random Function (PRF): PRF-HMAC-SHA256, PRF-HMAC-SHA384
- Authentication: ecdsa-256 and ecdsa-384
All other parameters are supported in the base OS.

Command Mode Config mode on master switches

crypto-local ipsec-map
crypto-local ipsec-map <map> <priority>
    dst-net <ipaddr> <mask>
    force-natt
    no ...
    local-fqdn <local_id_fqdn>
    peer-cert-dn <peer-dn>
    peer-fqdn any-fqdn|{peer-fqdn <peer-id-fqdn>}
    peer-ip <ipaddr>
    pre-connect {disable|enable}
    set ca-certificate <cacert-name>
    set pfs {group1|group2|group19|group20}
    set security-association lifetime seconds <seconds>
    set server-certificate <cert-name>
    set transform-set <name1> [<name2>] [<name3>] [<name4>]
    src-net <ipaddr> <mask>
    trusted {disable|enable}
    version v1|v2
    vlan <vlan>
Description
This command configures IPsec mapping for site-to-site VPN.
Syntax

<map>
    Name of the IPsec map.
    Range: --
    Default: --
<priority>
    Priority of the entry.
    Range: 1-9998
    Default: --
dst-net
    IP address and netmask for the destination network.
    Range: --
    Default: --
force-natt
    Include this parameter to always enforce UDP 4500 for IKE and IPsec. This option is disabled by default.
    Range: --
    Default: --
no
    Negates a configured parameter.
    Range: --
    Default: --
local-fqdn <local_id_fqdn>
    If the local switch has a dynamic IP address, you must specify the fully qualified domain name (FQDN) of the switch to configure it as an initiator of IKE aggressive-mode.
peer-cert-dn <peer-dn>
    If you are using IKEv2 to establish a site-to-site VPN to a statically addressed remote peer, identify the peer device by entering its certificate subject name in the Peer Certificate Subject Name field.
peer-ip <ipaddr>
    If you are using IKEv1 to establish a site-to-site VPN to a statically addressed remote peer, identify the peer device by entering the IP address of the peer gateway.
    NOTE: If you are configuring an IPsec map for a static-ip switch with a dynamically addressed remote peer, you must leave the peer gateway set to its default value of 0.0.0.0.
    Range: --
    Default: --
peer-fqdn
    For site-to-site VPNs with dynamically addressed peers, specify a fully qualified domain name (FQDN) for the switch.
    Range: any-fqdn, fqdn-id
    Default: any-fqdn
any-fqdn
    If the switch is defined as a dynamically addressed responder, you can select any-fqdn to make the switch a responder for all VPN peers.
fqdn-id <peer-id-fqdn>
    Specify the FQDN of a peer to make the switch a responder for one specific initiator only.
pre-connect
    Enables or disables pre-connection.
    Range: enable/disable
    Default: disabled
set ca-certificate <cacert-name>
    User-defined name of a trusted CA certificate installed in the switch. Use the show crypto-local pki TrustedCA command to display the CA certificates that have been imported into the switch.
    Range: --
    Default: --
set pfs
    If you enable Perfect Forward Secrecy (PFS) mode, new session keys are not derived from previously used session keys. Therefore, if a key is compromised, that compromised key will not affect any previous session keys. To enable this feature, specify one of the following Perfect Forward Secrecy modes:
    - group1: 768-bit Diffie Hellman prime modulus group.
    - group2: 1024-bit Diffie Hellman prime modulus group.
    - group19: 256-bit random Diffie Hellman ECP modulus group. (For IKEv2 only)
    - group20: 384-bit random Diffie Hellman ECP modulus group. (For IKEv2 only)
    Range: group1, group2, group19, group20
    Default: disabled
set security-association lifetime seconds <seconds>
    Configures the lifetime, in seconds, for the security association (SA).
    Range: 300-86400
    Default: 7200 seconds
set server-certificate <cert-name>
    User-defined name of a server certificate installed in the switch. Use the show crypto-local pki ServerCert command to display the server certificates that have been imported into the switch.
    Range: --
    Default: --
set transform-set <name1>
    Name of the transform set for this IPsec map. One transform set name is required, but you can specify up to four transform sets. Configure transform sets with the crypto ipsec transform-set command.
    Range: --
    Default: default-transform
src-net <ipaddr> <mask>
    IP address and netmask for the source network.
    Range: --
    Default: --
trusted
    Enables or disables a trusted tunnel.
    Range: enable/disable
    Default: disabled
version v1|v2
    Select the IKE version for the IPsec map.
    - v1: IKEv1
    - v2: IKEv2
    Default: v1
vlan <vlan>
    VLAN ID. Enter 0 for the loopback.
    Range: 1-4094
    Default: --

Usage Guidelines
You can use switches instead of VPN concentrators to connect sites at different physical locations.
You can configure separate CA and server certificates for each site-to-site VPN. You can also configure the same CA and server certificates for site-to-site VPN and client VPN. Use the show crypto-local ipsec-map command to display the certificates associated with all configured site-to-site VPN maps; use the tag <map> option to display certificates associated with a specific site-to-site VPN map.
AOS-W supports site-to-site VPNs with two statically addressed switches, or with one static and one dynamically addressed switch. By default, site-to-site VPN uses IKE Main-mode with Pre-Shared-Keys to authenticate the IKE SA. This method uses the IP address of the peer, and therefore will not work for dynamically addressed peers.
To support site-site VPN with dynamically addressed devices, you must enable IKE Aggressive-Mode with Authentication based on a Pre-Shared-Key. A switch with a dynamic IP address must be configured to be the initiator of IKE Aggressive-mode for Site-Site VPN, while the switch with a static IP address must be configured as the responder of IKE Aggressive-mode.
Examples
The following commands configure site-to-site VPN between two switches:
(host) (config) #crypto-local ipsec-map sf-chi-vpn 100
src-net 101.1.1.0 255.255.255.0
dst-net 100.1.1.0 255.255.255.0
peer-ip 172.16.0.254
vlan 1
trusted
(host) (config) #crypto-local ipsec-map chi-sf-vpn 100
src-net 100.1.1.0 255.255.255.0
dst-net 101.1.1.0 255.255.255.0
peer-ip 172.16.100.254
vlan 1
trusted

For a dynamically addressed switch that initiates IKE Aggressive-mode for Site-Site VPN:
(host) (config) #crypto-local ipsec-map <name> <priority>
src-net <ipaddr> <mask>
dst-net <ipaddr> <mask>
peer-ip <ipaddr>
local-fqdn <local_id_fqdn>
vlan <id>
pre-connect enable|disable
trusted enable
For the Pre-shared-key:
crypto-local isakmp key <key> address <ipaddr> netmask <mask>

For a static IP switch that responds to IKE Aggressive-mode for Site-Site VPN:
(host) (config) #crypto-local ipsec-map <name2> <priority>
src-net <ipaddr> <mask>
dst-net <ipaddr> <mask>
peer-ip 0.0.0.0
peer-fqdn fqdn-id <peer_id_fqdn>
vlan <id>
trusted enable
For the Pre-shared-key:
crypto-local isakmp key <key> fqdn <fqdn-id>

For a static IP switch that responds to IKE Aggressive-mode for Site-Site VPN with One PSK for All FQDNs:
(host) (config) #crypto-local ipsec-map <name2> <priority>
src-net <ipaddr> <mask>
peer-ip 0.0.0.0
peer-fqdn any-fqdn
vlan <id>
trusted enable
For the Pre-shared-key for All FQDNs:
crypto-local isakmp key <key> fqdn-any
Command History

AOS-W 3.0: Command introduced.
AOS-W 6.1: The peer-cert-dn and peer-fqdn parameters were introduced. The set pfs command introduced the group19 and group20 parameters.

Command Information

Platforms All platforms

Licensing The group19 and group20 PFS options require the Advanced Cryptography (ACR) license. All other parameters are available in the base operating system.

Command Mode Config mode on master switches

crypto-local isakmp ca-certificate
crypto-local isakmp ca-certificate <cacert-name>
Description
This command assigns the Certificate Authority (CA) certificate used to authenticate VPN clients.
Syntax

ca-certificate
    User-defined name of a trusted CA certificate installed in the switch. Use the show crypto-local pki TrustedCA command to display the CA certificates that have been imported into the switch.

Usage Guidelines
You can assign multiple CA certificates. Use the show crypto-local isakmp ca-certificate command to view the CA certificates associated with VPN clients.
Example
This command configures a CA certificate:
crypto-local isakmp ca-certificate TrustedCA1
Command History
This command was introduced in AOS-W 3.2.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode Config mode on master switches


crypto-local isakmp certificate-group
crypto-local isakmp certificate-group server-certificate <server_certificate> ca-certificate <ca_cert-name>
Description
The command configures an IKE Certificate Group for VPN Clients.
Syntax

server-certificate <server-certificate>
    The IKE server certificate name for VPN clients.
    Range: 1-64 characters
    Default: --
ca-certificate <ca-cert-name>
    The IKE CA Certificate for this server certificate.
    Range: 1-64 characters
    Default: --

Usage Guidelines
This feature allows you to create a certificate group so you can access multiple types of certificates on the same switch.
Example
This command configures a certificate group that consists of server certificate named newtest with the CA certificate TrustedCA.
crypto-local isakmp certificate-group server-certificate newtest ca-certificate TrustedCA
Command History
This command was introduced in AOS-W 6.1.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode Config mode on master switches


crypto-local isakmp dpd
crypto-local isakmp dpd idle-timeout <seconds> retry-timeout <seconds> retry-attempts <number>
Description
This command configures IKE Dead Peer Detection (DPD) on the local switch.
Syntax

idle-timeout
    Idle timeout, in seconds.
    Range: 10-3600
    Default: 22 seconds
retry-timeout
    Retry interval, in seconds.
    Range: 2-60
    Default: 2 seconds
retry-attempts
    Number of retry attempts.
    Range: 3-10
    Default: 3

Usage Guidelines
DPD is enabled by default on the switch for site-to-site VPN.
Example
This command configures DPD parameters:
crypto-local isakmp dpd idle-timeout 60 retry-timeout 3 retry-attempts 5
Command History
This command was introduced in AOS-W 3.0.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode Config mode on master and local switches


crypto-local isakmp key
crypto-local isakmp key <key> {address <peer-ipaddr> netmask <mask>}|{fqdn <ike-id-fqdn>} |fqdn-any
Description
This command configures the IKE preshared key on the local switch for site-to-site VPN.
Syntax

key <key>
    IKE preshared key value, between 6-64 characters.
address <peer-ipaddr>
    IP address for the preshared key.
netmask <mask>
    Netmask for the preshared key.
fqdn <ike-id-fqdn>
    Configure the PSK for the specified FQDN.
fqdn-any
    Configure the PSK for any FQDN.

Usage Guidelines
This command configures the IKE preshared key.
Example
The following command configures an IKE preshared key for site-to-site VPN:
crypto-local isakmp key R8nD0mK3y address 172.16.100.1 netmask 255.255.255.255
Command History

AOS-W 3.0: Command introduced.
AOS-W 3.4: The fqdn and fqdn-any parameters were introduced.

Command Information

Platforms All platforms

Licensing Base operating system

Command Mode Config mode on master and local switches


crypto-local isakmp permit-invalid-cert
crypto-local isakmp permit-invalid-cert
Description
This command allows invalid or expired certificates to be used for site-to-site VPN.
Syntax
No parameters.
Usage Guidelines
This command allows invalid or expired certificates to be used for site-to-site VPN.
Command History
This command was introduced in AOS-W 3.2.
Command Information

Platforms: All platforms
Licensing: Base operating system
Command Mode: Config mode on master and local switches

crypto-local isakmp sa-cleanup
crypto-local isakmp sa-cleanup
Description
This command enables the cleanup of IKE SAs.
Syntax
No parameters.
Usage Guidelines
This command removes expired ISAKMP SAs from the switch.
Command History
This command was introduced in AOS-W 6.1.
Command Information

Platforms: All platforms
Licensing: Base operating system
Command Mode: Config mode on master and local switches

crypto-local isakmp server-certificate
crypto-local isakmp server-certificate <cert-name>
Description
This command assigns the server certificate used to authenticate the switch for VPN clients using IKEv1 or IKEv2.
Syntax

Parameter | Description
server-certificate | User-defined name of a server certificate installed in the switch. Use the show crypto-local pki ServerCert command to display the server certificates that have been imported into the switch.

Usage Guidelines
This certificate is only for VPN clients and not for site-to-site VPN clients. You can assign separate server certificates for use with VPN clients using IKEv1 and clients using IKEv2. Use the show crypto-local isakmp server-certificate command to view the server certificate associated with VPN clients. You must import and configure server certificates separately on master and local switches.
There is a default server certificate installed in the switch; however, this certificate does not guarantee security for production networks. Best practice is to replace the default certificate with a custom certificate issued for your site or domain by a trusted CA. You can use the WebUI to generate a Certificate Signing Request (CSR) to submit to a CA and then import the signed certificate received from the CA into the switch. For more information, see "Managing Certificates" in the AOS-W User Guide.

Example
This command configures a server certificate:
crypto-local isakmp server-certificate MyServerCert
Command History
This command was introduced in AOS-W 3.2.
Command Information

Platforms: All platforms
Licensing: Base operating system
Command Mode: Config mode on master and local switches

crypto-local isakmp xauth
crypto-local isakmp xauth
Description
This command enables IKE XAuth for VPN clients.
Syntax
No parameters.
Usage Guidelines
The no crypto-local isakmp xauth command disables IKE XAuth for VPN clients. This command only applies to VPN clients that use certificates for IKE authentication. If you disable XAuth, then a VPN client that uses certificates will not be authenticated using username/password. You must disable XAuth for Cisco VPN clients using CAC Smart Cards.
Example
This command disables IKE XAuth for Cisco VPN clients using CAC Smart Cards:
no crypto-local isakmp xauth
Command History
This command was introduced in AOS-W 3.2.
Command Information

Platforms: All platforms
Licensing: Base operating system
Command Mode: Config mode on master and local switches

crypto-local pki
crypto-local pki
  CRL <name> <filename>
  IntermediateCA <name> <filename>
  OCSPResponderCert <certname> <filename>
  OCSPSignerCert <certname> <filename>
  PublicCert <name> <filename>
  ServerCert <name> <filename>
  TrustedCA <name> <filename>
  global-ocsp-signer-cert
  rcp <name>
Issue this command to configure a local certificate, OCSP signer or responder certificate and Certificate Revocation List (CRL). You can also list revocation checkpoints and enable the responder service.
Syntax

Parameter | Description
CRL | Specifies a Certificate Revocation List. Validation of the CRL is done when it is imported through the WebUI (requires the CA to have been already present). CRLs can only be imported through the WebUI.
  <name> | Name of the CRL.
  <filename> | Original imported filename of the CRL.
IntermediateCA | Configures an intermediate CA certificate.
  <name> | Name of the intermediate CA certificate.
  <filename> | Original imported filename of the CRL.
OCSPResponderCert | Configures an OCSP responder certificate.
  <certname> | Name of responder certificate.
  <filename> | Original imported filename of the responder certificate.
OCSPSignerCert | Configures an OCSP signer certificate.
  <certname> | Name of the signer certificate.
  <filename> | Original imported filename of the signer certificate.
PublicCert | Public key of a certificate. This allows an application to identify an exact certificate.
  <certname> | Name of the signer certificate.
  <filename> | Original imported filename of the signer certificate.
ServerCert | Server certificate. This certificate must contain both a public and a private key (the public and private keys must match). You can import a server certificate in either PKCS12 or x509 PEM format; the certificate is stored in x509 PEM DES encrypted format on the switch.
  <certname> | Name of the signer certificate.
  <filename> | Original imported filename of the signer certificate.
TrustedCA | Trusted CA certificate. This can be either a root CA or intermediate CA. Alcatel-Lucent encourages (but does not require) an intermediate CA's signing CA to be the switch itself.
  <certname> | Name of the signer certificate.
  <filename> | Original imported filename of the signer certificate.
global-ocsp-signer-cert | Specifies the global OCSP signer certificate to use when signing OCSP responses if there is no check point specific OCSP signer certificate present. If the ocsp-signer-cert is not specified, OCSP responses are signed using the global OCSP signer certificate. If this is not present, then an error message is sent out to clients. NOTE: The OCSP signer certificate (if configured) takes precedence over the global OCSP signer certificate as this is check point specific.
rcp <name> | Specifies the revocation check point. A revocation checkpoint is automatically created when a TrustedCA or IntermediateCA certificate is imported on the switch.
service-ocsp-responder | This is a global knob that turns the OCSP responder on or off. The default is off (disabled). To enable this option a CRL must be configured for this revocation checkpoint as this is the source of revocation information in the OCSP responses.

Usage Guidelines
This command lets you configure the switch to perform real-time certificate revocation checks using the Online Certificate Status Protocol (OCSP) or traditional certificate validation using the Certificate Revocation List (CRL) client. Refer to the Certificate Revocation chapter in the AOS-W 6.2 User Guide for more information on how to configure this feature using both the WebUI and CLI.
Example
This example configures the switch as an OCSP responder.
The revocation check point is specified as CAroot. (The revocation check point CAroot was automatically created when the CAroot certificate was previously uploaded to this switch.) The OCSP signer certificate is RootCA-Ocsp_signer. The CRL file is Security1-WIN-05PRGNGEKAO-CA-unrevoked.crl. The OCSP responder is enabled.
crypto-local pki service-ocsp-responder
crypto-local pki rcp CARoot
  ocsp-signer-cert RootCA-Ocsp_signer
  crl-location file Security1-WIN-05PRGNGEKAO-CA-unrevoked.crl
  enable-ocsp-responder
Related Commands

Command | Description | Mode
crypto-local pki rcp | Specifies the certificates that are used to sign OCSP responses for this revocation check point. | Config mode
show crypto-local pki | This command shows local certificate, OCSP signer or responder certificate and CRL data and statistics. | Config mode

Command History

Version | Modification
AOS-W 3.2 | Command introduced.
AOS-W 6.1 | The following parameters were introduced: CRL, Intermediate CA, OCSPResponderCert, OCSPSignerCert, global-ocsp-signer-cert, rcp, service-ocsp-responder.

Command Information

Platforms: All platforms
Licensing: Base operating system
Command Mode: Config mode on master or local switches

crypto-local pki rcp
crypto-local pki rcp <name> [crl-location <file>]|[enable-ocsp-responder]|[ocsp-responder-cert <ocsp-responder-cert>]|[ocsp-signer-cert <ocsp-signer-cert>]|[ocsp-url <ocsp-url>]|[revocation-check [None|<method1>|<method2>]]
Description
Use this command to specify the certificates used to sign OCSP for the revocation check point.
Syntax

Parameter | Description
rcp | Specifies the revocation check point. A revocation checkpoint is automatically created when a TrustedCA or IntermediateCA certificate is imported on the switch.
crl-location <file> | Location of the CRL that is used for the rcp. The specified CRL filename must be previously imported onto the switch before using this option.
enable-ocsp-responder | Enables the OCSP Responder for this revocation checkpoint. The default is disabled.
ocsp-responder-cert <ocsp-responder-cert> | Specifies the certificate that is used to verify OCSP responses. The certificate name has to be one of the certificates shown as output when the CLI command show crypto-local pki ocsprespondercert is used.
ocsp-signer-cert <ocsp-signer-cert> | Specifies the certificate that is used to sign OCSP responses for this revocation check point. The OCSP signer certificate must be previously imported on to the switch (using the WebUI). The OCSP signer cert can be the same trusted CA as the check point, a designated OCSP signer certificate issued by the same CA as the check point or some other local trusted authority. If the ocsp-signer-cert is not specified, OCSP responses are signed using the global OCSP signer certificate. If that is not present, then an error message is sent out to clients. NOTE: The OCSP signer certificate (if configured) takes precedence over the global OCSP signer certificate as this is check point specific.
ocsp-url <ocsp-url> | Configures the OCSP Server URL. The URL has to be in the form of http://my.responder.com/path. This parameter can contain only one responder URL at a time.
revocation-check None <method1> <method2> | Configures the revocation check methods used for this rcp. You can configure one fallback method. Options include:
  - None (default): No revocation checks are performed for certificates being verified against this trusted CA.
  - CRL: CRL is used for the revocation check method.
  - OCSP: OCSP is used for the revocation check method.

Usage Guidelines
This command lets you configure the check methods that are used for this revocation check point. You can configure the switch to perform real-time certificate revocation checks using the Online Certificate Status Protocol (OCSP) or traditional certificate validation using the Certificate Revocation List (CRL) client. Refer to the Certificate Revocation chapter in the AOS-W 6.2 User Guide for more information on how to configure this feature using both the WebUI and CLI.
Example
This example configures an OCSP client with the revocation check method as OCSP with CRL configured as the backup method.
The OCSP responder certificate is configured as RootCA-Ocsp_responder. The corresponding OCSP responder service is available at http://10.4.46.202/ocsp. The revocation check method is OCSP with CRL configured as the backup method.
crypto-local pki rcp CARoot
  ocsp-responder-cert RootCA-Ocsp_responder
  ocsp-url http://10.4.46.202/ocsp
  crl-location file Security1-WIN-05PRGNGEKAO-CA-unrevoked.crl
  revocation-check ocsp crl
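A configuration audit for the revocation check point settings described above, as an added example (not part of the guide and not AOS-W code). It assumes the saved configuration lists each rcp block in the same form as the commands are entered; the sample configuration is constructed, and the rcp names BranchCA and LabCA are hypothetical.

```python
# Sub-commands of "crypto-local pki rcp <name>" as listed in the syntax above.
RCP_SUBCOMMANDS = (
    "crl-location", "enable-ocsp-responder", "ocsp-responder-cert",
    "ocsp-signer-cert", "ocsp-url", "revocation-check",
)

FINDINGS = {
    "permit-invalid-cert": "invalid or expired certificates are accepted for site-to-site VPN",
    "no-revocation-check": "revocation-check is unset or None, so no revocation checks are performed",
    "ocsp-without-url": "ocsp is a check method but no ocsp-url is set (heuristic, review)",
    "crl-without-location": "crl is a check method but no crl-location is set",
    "responder-without-crl": "enable-ocsp-responder is set but no CRL is configured as its source",
    "responder-global-knob-off": "enable-ocsp-responder is set but service-ocsp-responder is off",
}

# Constructed sample: CARoot is the guide's OCSP client example; the rest is made up.
SAMPLE_CONFIG = """\
crypto-local isakmp permit-invalid-cert
crypto-local pki rcp CARoot
  ocsp-responder-cert RootCA-Ocsp_responder
  ocsp-url http://10.4.46.202/ocsp
  crl-location file Security1-WIN-05PRGNGEKAO-CA-unrevoked.crl
  revocation-check ocsp crl
crypto-local pki rcp BranchCA
  ocsp-signer-cert RootCA-Ocsp_signer
  enable-ocsp-responder
crypto-local pki rcp LabCA
  revocation-check ocsp
"""

# The guide's OCSP responder example, unchanged.
PAGE_RESPONDER_EXAMPLE = """\
crypto-local pki service-ocsp-responder
crypto-local pki rcp CARoot
  ocsp-signer-cert RootCA-Ocsp_signer
  crl-location file Security1-WIN-05PRGNGEKAO-CA-unrevoked.crl
  enable-ocsp-responder
"""


def parse_rcps(config):
    """Return (global_lines, {rcp_name: {subcommand: [args]}})."""
    global_lines, rcps, current = set(), {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        words = line.split()
        if words[:3] == ["crypto-local", "pki", "rcp"] and len(words) >= 4:
            current = rcps.setdefault(words[3], {})
            rest = words[4:]  # an option given on the same line as the rcp name
            if rest and rest[0] in RCP_SUBCOMMANDS:
                current[rest[0]] = rest[1:]
        elif current is not None and words[0] in RCP_SUBCOMMANDS:
            current[words[0]] = words[1:]
        else:
            current = None  # any other command closes the rcp block
            global_lines.add(line)
    return global_lines, rcps


def audit(config):
    """Return a list of (scope, finding_code) tuples; codes are keys of FINDINGS."""
    global_lines, rcps = parse_rcps(config)
    findings = []
    if "crypto-local isakmp permit-invalid-cert" in global_lines:
        findings.append(("global", "permit-invalid-cert"))
    responder_on = "crypto-local pki service-ocsp-responder" in global_lines
    for name, opts in sorted(rcps.items()):
        methods = [m.lower() for m in opts.get("revocation-check", [])]
        if not methods or methods == ["none"]:
            findings.append((name, "no-revocation-check"))
        if "ocsp" in methods and "ocsp-url" not in opts:
            findings.append((name, "ocsp-without-url"))
        if "crl" in methods and "crl-location" not in opts:
            findings.append((name, "crl-without-location"))
        if "enable-ocsp-responder" in opts:
            if "crl-location" not in opts:
                findings.append((name, "responder-without-crl"))
            if not responder_on:
                findings.append((name, "responder-global-knob-off"))
    return findings


if __name__ == "__main__":
    for scope, code in audit(SAMPLE_CONFIG):
        print(f"{scope}: {FINDINGS[code]}")
```

The guide's responder example is itself reported as no-revocation-check: it makes the switch answer OCSP queries for CARoot, but certificates verified against CARoot are still not checked until a revocation-check method is set.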

Related Commands

Command | Description | Mode
crypto-local pki | This command configures a local certificate, OCSP signer or responder certificate and Certificate Revocation List (CRL). You can also list revocation checkpoints and enable the responder service. | Config mode
show crypto-local pki | This command shows local certificate, OCSP signer or responder certificate and CRL data and statistics. | Config mode

Command History

Version | Modification
AOS-W 3.2 | Command introduced.
AOS-W 6.1 | The following parameters were introduced: CRL, Intermediate CA, OCSPResponderCert, OCSPSignerCert, global-ocsp-signer-cert, rcp, service-ocsp-responder.

Command Information

Platforms: All platforms
Licensing: Base operating system
Command Mode: Config mode on master or local switches

crypto map global-map
crypto map global-map <map-number> ipsec-isakmp {dynamic <dynamic-map-name>}|{ipsec <ipsec-map-name>}
Description
This command configures the default global map.
Syntax

Parameter | Description
<map-number> |
dynamic | Use a dynamic map.
<dynamic-map-name> | Name of the dynamic map.
ipsec | Use an IPsec map.
<ipsec-map-name> | Name of an IPsec map.

Usage Guidelines
This command identifies the dynamic or ipsec map used as the default global map. If you have not yet defined a dynamic or ipsec map, issue the command crypto map global-map or crypto-local ipsec-map to define map parameters.
Example
The following command configures the global map with the dynamic map named dynamic_map_2.
(host)(config) #crypto map global-map 2 ipsec-isakmp dynamic dynamic_map_2
Command History
This command was introduced in AOS-W 3.0.
Command Information

Platforms: All platforms
Licensing: Base operating system
Command Mode: Config mode on master switches

crypto pki
crypto pki csr {rsa key_len <key_val>}|{ec curve-name <key_val>} common_name <common_val> country <country_val> state_or_province <state> city <city_val> organization <organization_val> unit <unit_val> email <email_val>

Description
Generate a certificate signing request (CSR) for the captive portal feature.
Syntax

Parameter | Description
rsa key_len <key_val> | Generate a certificate signing request with a Rivest, Shamir and Adleman (RSA) key with one of the following supported RSA key lengths: 1024, 2048, 4096.
ec curve-name <key_val> | Generate a certificate signing request with an elliptic-curve (EC) key, with one of the following EC types: secp256r1, secp384r1.
common_name <common_val> | Specify a common name, e.g., www.yourcompany.com.
country <country_val> | Specify a country name, e.g., US or CA.
state_or_province <state> | Specify the name of a state or province.
city <city_val> | Specify the name of a city.
organization <organization_val> | Specify the name of an organization unit, e.g., sales.
unit <unit_val> | Specify a unit value, e.g. EMEA.
email <email_val> | Specify an email address, in the format name@mycompany.com.

Usage Guidelines
Use this command in enable mode to generate a CSR for the Captive Portal feature. Display the CSR output by entering the command show crypto pki csr. Note that this command will only generate a CSR on a switch running AOS-W 3.x or later. Earlier versions require that you generate the certificate externally.
Example
The following command configures a CSR for a user with the email address jdoe@example.com.
(host)(config) #crypto pki csr rsa key_len 1024 common_name www.example.com country US state_or_province ca city Sunnyvale organization engineering unit pubs email jdoe@example.com

Command History

Release | Modification
AOS-W 3.1 | Command introduced.
AOS-W 6.1 | The ec curve-name parameter was introduced to support certificate signing requests using an elliptic-curve (EC) key.

Command Information

Platforms: All platforms
Licensing: Base operating system
Command Mode: Enable mode on master switches

crypto pki-import
crypto pki-import {der|pem|pfx|pkcs12|pkcs7} {CRL|IntermediateCA|OCSPResponderCert|OCSPSignerCert|PublicCert|ServerCert|TrustedCA} <name>
Description
Import certificates for the captive portal feature.
Syntax

Parameter | Description
der | Import the following certificates in DER format.
  CRL <name> | Import a CRL.
  IntermediateCA <name> | Import an intermediate CA certificate.
  OCSPResponderCert <name> | Import an OCSP Responder certificate.
  OCSPSignerCert <name> | Import an OCSP Signer certificate.
  PublicCert <name> | Import a public certificate.
  ServerCert <name> | Import a server certificate.
  TrustedCA <name> | Import a trusted CA certificate.
pem | Import a certificate in x509 PEM format. See certificate types under the der parameter.
pfx | Import a certificate in PFX format. See certificate types under the der parameter.
pkcs12 | Import a certificate in PKCS12 format. See certificate types under the der parameter.
pkcs7 | Import a certificate in PKCS7 format. See certificate types under the der parameter.

Usage Guidelines
Use this command in enable mode to install a CSR for the Captive Portal feature.
Example
The following command installs a server certificate in DER format.
(host)(config) #crypto pki-import der ServerCert cert_20

Command History

Release | Modification
AOS-W 3.0 | Command introduced.
AOS-W 6.1 | The CRL, IntermediateCA, OCSPResponderCert, OCSPSignerCert parameters were added.

Command Information

Platforms: All platforms
Licensing: Base operating system
Command Mode: Enable mode on master switches

database synchronize
database synchronize {[period <minutes>][rf-plan-data]}
Description
This command manually synchronizes the database between a pair of redundant master switches and includes RF Plan data when synchronizing with standby.
Syntax

Parameter | Description
period | Configures the interval for automatic database synchronization.
<minutes> | Interval in minutes. Range is 1-25200 minutes.
rf-plan-data | Includes the RF Plan data when synchronizing with standby mode.

Usage Guidelines
This command takes effect immediately. If a peer is not configured, the switch displays an error message. Use the database synchronize period command in config mode to configure the interval for automatic database synchronization. Use the database synchronize rf-plan-data command to include RF plan data when synchronizing in standby mode.
Example
The following commands cause the database on the active master switch to synchronize with the standby in 25 minute intervals. The synchronization includes RF plan data.
(host) (config) #database synchronize period 25
(host) (config) #database synchronize rf-plan-data
Command History
This command was introduced in AOS-W 3.0.
Command Information

Platforms: All platforms
Licensing: Base operating system
Command Mode: Enable and Config modes on master switches

delete
delete {filename <filename>|ssh-host-addr <ipaddr>|ssh-known-hosts}
Description
This command deletes a file or RSA signature entry from flash.
Syntax

Parameter | Description
filename | Name of the file to be deleted.
ssh-host-addr | Deletes the entry stored in flash for the RSA host signature created when you run the copy scp command.
ssh-known-hosts | Deletes all entries stored in flash for the RSA host signatures created when you run the copy scp command.

Usage Guidelines
To prevent running out of flash file space, you should delete files that you no longer need. The copy scp command creates RSA signatures whenever it connects to a new host. These host signatures are stored in the flash file system.
Example
The following command deletes a file:
(host) #delete filename december-config-backup.cfg
The following command deletes an RSA signature entry from flash:
(host) #delete ssh-host-addr 10.100.102.101
The following command deletes all RSA signature entries from flash:
(host) #delete ssh-known-hosts
Command History
This command was introduced in AOS-W 3.0.
Command Information

Platforms: All platforms
Licensing: Base operating system
Command Mode: Enable mode on master switches

destination
destination <STRING> <A.B.C.D> [invert]
Description
This command configures the destination name and address.
Syntax

Parameter | Description | Range
STRING | Destination name. | Alphanumeric
A.B.C.D | Destination IP address or subnet. | --
invert | Specifies all destinations except this one. | --

Usage Guidelines
You can configure the name and IP address of the destination. You can optionally configure the subnet, or invert the selection.
Example
The following example configures a destination called "Home" with an IP address of 10.10.10.10.
(host) (config) #destination Home 10.10.10.10
Command History

Release | Modification
AOS-W 1.0 | Command introduced
AOS-W 3.0 | Replaced with netdestination command.

Command Information

Availability: Can be used only on the master switch.
License: Requires the PEF NG license
Command Mode: Config mode on master switches

dir
dir

Description
This command displays a list of files stored in the flash file system.

Syntax
No parameters.

Usage Guidelines
Use this command to view the system files associated with the switch.
Output from this command includes the following:
- The first column contains ten place holders that display the file permissions.
  - First place holder: Displays - for a file or d for directory.
  - Next three place holders: Display file owner permissions: r for read access, w for write access permissions, x for executable.
  - Following three place holders: Display member permissions: r for read access or x for executable.
  - Last three place holders: Display non-member permissions: r for read access or x for executable.
- The second column displays the number of links the file has to other files or directories.
- The third column displays the file owner.
- The fourth column displays group/member information.
- The remaining columns display the file size, date and time the file was either created or last modified, and the file name.

Example

The following command displays the files currently residing on the system flash:

(host) #dir

The following is sample output from this command:

-rw-r--r-- 1 root root  9338 Nov 20 10:33 class_ap.csv
-rw-r--r-- 1 root root  1457 Nov 20 10:33 class_sta.csv
-rw-r--r-- 1 root root 16182 Nov 14 09:39 config-backup.cfg
-rw-r--r-- 1 root root 14174 Nov  9  2005 default-backup-11-8-05.cfg
-rw-r--r-- 1 root root 16283 Nov  9 12:25 default.cfg
-rw-r--r-- 1 root root 22927 Oct 25 12:21 default.cfg.2006-10-25_20-21-38
-rw-r--r-- 2 root root 19869 Nov  9 12:20 default.cfg.2006-11-09_12-20-22

Command History
Introduced in AOS-W 1.0

Command Information

Platform: Available on all platforms
License: Available in the base operating system
Command Mode: Enable and Config modes on local or master switches

dynamic-ip
dynamic-ip restart
Description
This command restarts the PPPoE or DHCP process.
Syntax
No parameters.
Usage Guidelines
This command can be used to renegotiate DHCP or PPPoE parameters. This can cause new addresses to be assigned on a VLAN where the DHCP or PPPoE client is configured.
Command History
This command was introduced in AOS-W 3.0.
Command Information

Platform: Available on all platforms
License: Available in the base operating system
Command Mode: Enable mode on master switches

eject usb
eject usb:
Description
Use this command to eject a USB device from your switch.
Usage Guidelines
Use this command to safely remove an external USB device.
Example
(host) #eject usb:
Command History
Command introduced in AOS-W 6.2
Command Information

Platform: Available on all platforms
License: Available in the base operating system
Command Mode: User mode on master or local switches in enable mode.

enable
enable
Description
This user mode command switches the switch into enable mode. The enable mode allows you to access privileged commands.
Usage Guidelines
To enter enable mode, you are prompted for the password configured during the switch's initial setup. Passwords display as asterisks (*) when you enter them. To change the password, use the config mode enable secret command. If you lose or forget the enable mode password, resetting the default admin user password also resets the enable mode password to "enable". See the AOS-W User Guide for more information about resetting the admin and enable mode passwords. When you are in enable mode, the CLI prompt ends with the hash (#) character.
Example
The following example allows you to enter enable mode on the switch.
(host) >enable
Password: ******
(host) #
Command History
Command introduced in AOS-W 1.0.
Command Information

Platform: Available on all platforms
License: Available in the base operating system
Command Mode: User mode on master or local switches

enable bypass
enable bypass
no enable bypass
Description
This config mode command allows you to bypass the enable password prompt and go directly to the privileged command mode.
Usage Guidelines
Use this command when you want to access the privileged mode directly after logging in to the switch and not be prompted to enter an enable mode password. To restore the enable mode password prompt, use the config mode command no enable bypass.
Example
The following example bypasses the enable mode password prompt.
(host) #configure terminal
Enter Configuration commands, one per line. End with CNTL/Z
(host) (config) #enable bypass
(host) (config) #
Command History

Version | Modification
AOS-W 6.0 | Command introduced

Command Information

Platform: Available on all platforms
License: Available in the base operating system
Command Mode: Config mode on master or local switches

enable secret
enable secret
Description
This config mode command allows you to change the password for enable mode.
Usage Guidelines
Use this command to change the password for enable mode. To reset the password to the factory default of "enable", use the no enable command.
The password must not contain spaces or special characters.

Example
The following example allows you to change the password for enable mode.
(host) #configure terminal
Enter Configuration commands, one per line. End with CNTL/Z
(host) (config) #enable secret
Password:******
Re-Type password: ******
(host) (config) #
Command History

Version | Modification
AOS-W 1.0 | Command introduced
AOS-W 3.3.2 | Updated with restriction of the secret phrase

Command Information

Platform: Available on all platforms
License: Available in the base operating system
Command Mode: Config mode on master or local switches

encrypt
encrypt {disable|enable}
Description
This command allows passwords and keys to be displayed in plain text or encrypted.
Syntax

Parameter | Description | Default
disable | Passwords and keys are displayed in plain text | --
enable | Passwords and keys are displayed encrypted | enabled

Usage Guidelines
Certain commands, such as show crypto isakmp key, display configured key information. Use the encrypt command to display the key information in plain text or encrypted.
Example
The following command allows passwords and keys to be displayed in plain text:
(host) #encrypt disable
Command History
Introduced in AOS-W 3.0
Command Information

Platform: Available on all platforms
License: Available in the base operating system
Command Mode: Enable mode on master or local switches

esi group
esi group <name> [no]|[ping <attributes>]|[server <server>]
Description
This command configures an ESI group.
Syntax

Parameter | Description
no | Negates any configured parameter.
ping | Specify the name of a set of ping checking attributes defined via the command esi ping. Only one set is allowed.
server | Specify the name of a server to be added or removed from the ESI group. You define ESI servers via the command esi server.

Usage Guidelines
Use the show esi group command to show ESI group information.
Example
The following command sets up the ESI group named "fortinet."
(host) (config) #esi group fortinet
  ping default
  server forti_1
Command History
Introduced in AOS-W 2.5
Command Information

Platform: Available on all platforms
License: Requires the PEFNG license
Command Mode: Config mode on master or local switches

esi parser domain
esi parser domain <name> [no] | [peer <peer-ip>] | [server <ipaddr>]
Description
This command configures an ESI syslog parser domain.
Syntax

Parameter | Description
no | Negates any configured parameter.
peer | (Optional.) Specify the IP address of another switch in this domain. These switches are notified when the user cannot be found locally. This command is needed only when multiple switches share a single ESI server.
server | Specify the IP address of the ESI server to which the switch listens.

Usage Guidelines
The ESI parser is a generic syslog parser on the switch that accepts syslog messages from external third-party appliances such as anti-virus gateways, content filters, and intrusion detection systems. It processes syslog messages according to user-defined rules and takes configurable actions on the corresponding system users. ESI servers (see esi server on page 261) are configured into domains to which ESI syslog parser rules (see esi parser rule on page 255) are applied. Use the show esi parser domains command to show ESI parser domain information.
Example
The following commands configure a virus syslog parser domain named "fortinet" which contains the ESI server "forti_1" with the trusted IP address configured using the command esi server.
(host) (config) #esi parser domain fortinet
  server 10.168.172.3
Command History
Introduced in AOS-W 3.1.
Command Information

Platform: Available on all platforms
License: Requires the PEFNG license
Command Mode: Config mode on master or local switches

esi parser rule
esi parser rule <rule_name> [condition <expression>] | [domain <name>] | [enable] | [match {ipaddr <expression> | mac <expression> | user <expression>}] | [no] | [position <position>] | [set {blacklist | role <role>}] | [test {msg <msg> | file <filename>}]
Description
This command creates or changes an ESI syslog parser rule.
Syntax

Parameter | Description | Range | Default
condition | Specifies the REGEX (regular expression) pattern that uniquely identifies the syslog. | -- | --
domain | (Optional.) Specify the ESI syslog parser domain to which this rule applies. If not specified, the rule matches with all configured ESI servers. | -- | --
enable | Enables this rule. Note: The condition, user match, and set action parameters must be configured before the rule can be enabled. | -- | Not enabled
match | Specifies the user identifier to match, where ipaddr, mac, and user take a REGEX pattern that uniquely identifies the user. | -- | --
no | Negates any configured parameter. | -- | --
position | Specifies the rule's priority position. | 1-32; 1 highest | --
set | Specifies the action to take: blacklist the user or change the user role. Note: The role entity should be configured before it is accepted by the ESI rule. | -- | --
test | Test the regular expression output configured in the esi parser rules command. You can test the expressions against a specified syslog message, or test the expression against a sequence of syslog messages contained in a file. | -- | --

Usage Guidelines
The user creates an ESI rule by using characters and special operators to specify a pattern that uniquely identifies a syslog message. This "condition" defines the type of message and the ESI domain to which this message pertains. The rule contains three major fields:
• Condition: The pattern that uniquely identifies the syslog message type.
• User: The username identifier. It can be in the form of a name, MAC address, or IP address.
• Action: The action to take when a rule match occurs.
Once a condition match occurs, no further rule-matching will be made. For the matching rule, only one action can be defined.
For more details on the character-matching operators, repetition operators, and expression anchors used to define the search or match target, refer to the External Services Interface chapter in the AOS-W 6.2 User Guide.
Use the show esi parser rules command to show ESI parser rule information. Use the show esi parser stats command to show ESI parser rule statistical information.

Examples
The following command sets up the Fortigate virus rule named "forti_rule." This rule parses the virus detection syslog scanning for a condition match on the log_id value (log_id=) and a match on the IP address (src=).
(host) (config) #esi parser rule forti_rule condition "log_id=[0-9]{10}[ ]" match ipaddr "src=(.*)[ ]" set blacklist domain fortinet enable
In this example, the corresponding ESI expression is:
< Sep 26 18:30:02 log_id=0100030101 type=virus subtype=infected src=1.2.3.4 >
The following example of the test command tests a rule against a specified single syslog message.
test msg "26 18:30:02 log_id=0100030101 type=virus subtype=infected src=1.2.3.4"
< 26 18:30:02 log_id=0100030101 type=virus subtype=infected src=1.2.3.4 >
=====
Condition:
Matched with rule "forti_rule"
User:
ipaddr = 1.2.3.4
=====

The following example of the test command tests a rule against a file named test.log, which contains several syslog messages.

test file test.log
< Sep 26 18:30:02 log_id=0100030101 type=virus subtype=infected src=1.2.3.4 >
==========
Condition:
Matched with rule "forti_rule"
User:
ipaddr = 1.2.3.4
==========
< Oct 18 10:43:40 cli[627]: PAPI_Send: To: 7f000001:8372 Type:0x4 Timed out. >
==========
Condition:
No matching rule condition found
==========
< Oct 18 10:05:32 mobileip[499]: <500300> <DBUG> |mobileip| Station 00:40:96:a6:a1:a4, 10.0.100.103: DHCP FSM received event: RECEIVE_BOOTP_REPLY current: PROXY_DHCP_NO_PROXY, next: PROXY_DHCP_NO_PROXY >
==========
Condition:
No matching rule condition found
==========
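
The rule evaluation described above, modelled in Python as an added example (it is not code from this guide or from AOS-W). It shows that the greedy src=(.*)[ ] expression captures more than the address once other fields follow src=, and that the first condition match still ends rule matching. Assumptions: Python's re stands in for the switch's regex engine, rules are tried in position order, and the rules forti_rule_strict and any_virus, the role name quarantine, the fourth log line and the address validity check are constructed for illustration.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class EsiRule:
    name: str
    position: int       # priority position, 1 is the highest
    condition: str      # regex that identifies the syslog message type
    match_ipaddr: str   # regex whose first group captures the user's address
    action: str         # "blacklist" or "role <role>"
    enabled: bool = True


@dataclass(frozen=True)
class Verdict:
    rule: str
    raw_user: Optional[str]   # text captured by the match expression
    ipaddr: Optional[str]     # captured text, kept only if it is an IP address
    action: Optional[str]     # withheld when no valid address was extracted


def valid_ip(text: str) -> Optional[str]:
    """Return the normalised address, or None if text is not an IP address."""
    try:
        return str(ipaddress.ip_address(text))
    except ValueError:
        return None


def evaluate(rules: Iterable[EsiRule], msg: str) -> Optional[Verdict]:
    """Apply enabled rules in position order; the first condition match wins."""
    for rule in sorted((r for r in rules if r.enabled), key=lambda r: r.position):
        if not re.search(rule.condition, msg):
            continue
        # Rule matching stops here, even if the user expression extracts
        # nothing usable from this message.
        found = re.search(rule.match_ipaddr, msg)
        raw = found.group(1) if found else None
        ip = valid_ip(raw) if raw is not None else None
        # Added safeguard in this model (an assumption, not documented switch
        # behaviour): no action unless the capture is a real address.
        return Verdict(rule.name, raw, ip, rule.action if ip else None)
    return None


# forti_rule as configured in the example above.
FORTI_RULE = EsiRule("forti_rule", 1, r"log_id=[0-9]{10}[ ]",
                     r"src=(.*)[ ]", "blacklist")
# Hypothetical variants constructed for this example. The tighter expression
# uses only operators that already appear in the guide's own patterns.
FORTI_RULE_STRICT = EsiRule("forti_rule_strict", 1, r"log_id=[0-9]{10}[ ]",
                            r"src=([0-9.]*)", "blacklist")
ANY_VIRUS = EsiRule("any_virus", 2, r"type=virus",
                    r"src=([0-9.]*)", "role quarantine")

# Lines 0-2 come from the test.log output above, written with the trailing
# space that the rule's [ ] delimiter needs. Line 3 is constructed.
LOG_LINES = [
    "Sep 26 18:30:02 log_id=0100030101 type=virus subtype=infected src=1.2.3.4 ",
    "Oct 18 10:43:40 cli[627]: PAPI_Send: To: 7f000001:8372 Type:0x4 Timed out. ",
    "Oct 18 10:05:32 mobileip[499]: <500300> <DBUG> |mobileip| Station "
    "00:40:96:a6:a1:a4, 10.0.100.103: DHCP FSM received event: "
    "RECEIVE_BOOTP_REPLY current: PROXY_DHCP_NO_PROXY, next: PROXY_DHCP_NO_PROXY ",
    "Sep 26 18:31:10 log_id=0100030101 type=virus subtype=infected "
    "src=1.2.3.4 dst=5.6.7.8 msg=blocked ",
]

if __name__ == "__main__":
    for line in LOG_LINES:
        print(evaluate([ANY_VIRUS, FORTI_RULE], line))
```
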

Command History
Introduced in AOS-W 3.1

Command Information
Platform Available on all platforms.

License Requires the PEFNG license

Command Mode
Config mode on master and local switches


esi parser rule-test
esi parser rule-test [file <filename>] | [msg <msg>]
Description
This command allows you to test all of the enabled parser rules.
Syntax

| Parameter | Description |
|---|---|
| file | Tests against a specified file containing more than one syslog message. |
| msg | Tests against a syslog message, where <msg> is the message text. |

Usage Guidelines
You can test the enabled parser rules against a single syslog message, or run them against a file containing syslog messages. The command shows the match result as well as the user name parsed for each message.

Example
The following command tests against a specified single syslog message.
(host) (config) #esi parser rule-test msg "26 18:30:02 log_id=0100030101 type=virus subtype=infected src=1.2.3.4"
< 26 18:30:02 log_id=0100030101 type=virus subtype=infected src=1.2.3.4 >
=====
Condition:
Matched with rule "forti_rule"
User:
ipaddr = 1.2.3.4
=====

The following command tests against a file named test.log, which contains several syslog messages.
esi parser rule-test file test.log
< Sep 26 18:30:02 log_id=0100030101 type=virus subtype=infected src=1.2.3.4 >
==========
Condition:
Matched with rule "forti_rule"
User:
ipaddr = 1.2.3.4
==========
< Oct 18 10:43:40 cli[627]: PAPI_Send: To: 7f000001:8372 Type:0x4 Timed out. >
==========
Condition:
No matching rule condition found
==========
< Oct 18 10:05:32 mobileip[499]: <500300> <DBUG> |mobileip| Station 00:40:96:a6:a1:a4, 10.0.100.103: DHCP FSM received event: RECEIVE_BOOTP_REPLY current: PROXY_DHCP_NO_PROXY, next: PROXY_DHCP_NO_PROXY >
==========
Condition:
No matching rule condition found
==========


Command History
Introduced in AOS-W 3.1
Command Information

Platform Available on all platforms

License Requires the PEFNG license

Command Mode
Config mode on master and local switches


esi ping
esi ping <ping-name> [frequency <seconds>] | [no] | [retry-count <count>] | [timeout <seconds>] |
Description
This command specifies the ESI ping health check configuration.
Syntax

| Parameter | Description | Range | Default |
|---|---|---|---|
| frequency | Specifies the ping frequency in seconds. | 1-65536 | |
| no | Negates any configured parameter. | -- | -- |
| retry-count | Specifies the ping retry count. | 1-65536 | 2 |
| timeout | Specifies the ping timeout in seconds. | 1-65536 | 2 |

Usage Guidelines
Use the show esi ping command to show ESI ping information.
Example
The following command specifies the ping health check attributes.
(host) (config) #esi ping default
frequency 5 retry-count 2 timeout 2
Command History
Introduced in AOS-W 2.5
Command Information

| Platform | License | Command Mode |
|---|---|---|
| Available on all platforms | Requires the PEFNG license | Config mode on master and local switches |

esi server
esi server <name> [dport <tcp-udp-port>] | [mode {bridge | nat | route}] | [no] | [trusted-ip-addr <ip-addr> [health-check]] | [trusted-port <slot/port>] | [untrusted-ip-addr <ip-addr> [health-check]] | [untrusted-port <slot/port>]
Description
This command configures an ESI server.
Syntax

| Parameter | Description |
|---|---|
| dport | Specifies the NAT destination TCP/UDP port. |
| mode | Specifies the ESI server mode of operation: bridge, nat, or route. |
| no | Negates any configured parameter. |
| trusted-ip-addr | Specifies the server IP address on the trusted network. As an option, you can also enable a health check on the specified address. |
| trusted-port | Specifies the port connected to the trusted side of the ESI server; slot/port format. |
| untrusted-ip-addr | Specifies the server IP address on the untrusted network. As an option, you can also enable a health check on the specified address. |
| untrusted-port | Specifies the port connected to the untrusted side of the ESI server. |

Usage Guidelines
Use the show esi server command to show ESI server information.
Example
The following command specifies the ESI server attributes.
(host) (config) #esi server forti_1
mode route trusted-ip-addr 10.168.172.3 untrusted-ip-addr 10.168.171.3
Command History
Introduced in AOS-W 2.5.


Command Information
Platform Available on all platforms

License Requires the PEFNG license

Command Mode
Config mode on master and local switches


exit
exit
Description
This command exits the current CLI mode.
Syntax
No parameters.
Usage Guidelines
Upon entering this command in a configuration sub-mode, you are returned to the configuration mode. Upon entering this command in configuration mode, you are returned to the enable mode. Upon entering this command in enable mode, you are returned to the user mode. Upon entering this command in user mode, you are returned to the user login.
Example
The following sequence of exit commands returns the user from the interface configuration sub-mode to the user login:
(host) (config-if) #exit
(host) (config) #exit
(host) #exit
(host) >exit
User:
Command History
Introduced in AOS-W 3.0
Command Information

Platform Available on all platforms

License
Available in the base operating system

Command Mode
Available in the following command modes:
• User
• Enable
• Config
• Config sub-modes

export
export gap-db <filename>
Description
This command exports the global AP database to the specified file.
Syntax

| Parameter | Description |
|---|---|
| <filename> | Name of the file to which the global AP database is exported. |

Usage Guidelines
This command is intended for system troubleshooting. You should run this command only when directed to do so by an Alcatel-Lucent support representative. The global AP database resides on a master switch and contains information about known APs on all switches in the system. You can view the contents of the global AP database with the show ap database command.
Example
The following command exports the global AP database to a file:
(host) #export gap-db global-ap-db
Command History
This command was introduced in AOS-W 3.0.
Command Information

Platform Available on all platforms

License
Available in the base operating system

Command Mode Enable mode on master switches.


firewall
firewall {allow-tri-session|amsdu|attack-rate {cp <rate>|ping <number>|session <number>}|broadcast-filter-arp|cp|bwcontracts-subnet-broadcast|cp-bandwidth-contract|tcp-syn <number>|bwcontracts-subnet-broadcast |deny-inter-user-bridging |deny-inter-user-traffic|disable-ftp-server |disable-ftp-server| disable-stateful-h323| disable-stateful-sccp-processing|disable-stateful-sip-processing |disable-stateful-ua-processing|disable-stateful-vocera-processing|drop-ip-fragments| |enable-per-packet-logging |enforce-tcp-handshake|enforce-tcp-sequence|gre-call-id-processing|imm-fb|local-valid-users|log-icmp-error|prevent-dhcp-exhaustion|prohibit-arp-spoofing|prohibit-ip-spoofing |prohibit-rst-replay|public-access|session-idle-timeout <seconds>|session-mirror-destination {ip-address <ipaddr>|session-tunnel-fib|port <slot>/<port>} |shape-mcastfirew|voip-wmm-content-enforcement}
Description
This command configures firewall options on the switch.
Syntax

| Parameter | Description | Range | Default |
|---|---|---|---|
| allow-tri-session | Allows three-way session when performing destination NAT. This option should be enabled when the switch is not the default gateway for wireless clients and the default gateway is behind the switch. This option is typically used for captive portal configuration. | -- | disabled |
| amsdu | Aggregated Medium Access Control Service Data Units (AMSDU) packets are dropped if this option is enabled. | | disabled |
| attack-rate | Sets rates which, if exceeded, can indicate a denial of service attack. | -- | -- |
| broadcast-filter-arp | If enabled, all broadcast ARP requests are converted to unicast and sent directly to the client. You can check the status of this option using the show ap active and the show datapath tunnel command. If enabled, the output will display the letter a in the flags column. NOTE: This parameter is deprecated. Use the virtual AP profile to configure this setting. | -- | disabled |
| bwcontracts-subnet-broadcast | Applies bw contracts to local subnet broadcast traffic. | -- | -- |
| cp | See firewall cp on page 270 | | |
| cp-bandwidth-contract | See firewall cp-bandwidth-contract on page 272 | | |

| Parameter | Description | Range | Default |
|---|---|---|---|
| deny-inter-user-bridging | Prevents the forwarding of Layer2 traffic between wired or wireless users. You can configure user role policies that prevent Layer3 traffic between users or networks but this does not block Layer2 traffic. This option can be used to prevent traffic, such as Appletalk or IPX from being forwarded. If enabled, traffic (all non-IP traffic) to untrusted port or tunnel is also blocked. | -- | disabled |
| deny-inter-user-traffic | Denies downstream traffic between users in a wireless network (untrusted users) by disallowing layer2 and layer3 traffic. This parameter does not depend on the deny-inter-user-bridging parameter being enabled or disabled. | -- | disabled |
| disable-ftp-server | Disables the FTP server on the switch. Enabling this option prevents FTP transfers. Enabling this option could cause APs to not boot up. You should not enable this option unless instructed to do so by an Alcatel-Lucent representative. | -- | disabled |
| disable-stateful-h323-processing | Disables stateful H.323 processing. | -- | disabled |
| disable-stateful-sccp-processing | Disables SCCP processing. | -- | disabled |
| disable-stateful-sip-processing | Disables monitoring of exchanges between a voice over IP or voice over WLAN device and a SIP server. This option should be enabled only when there is no VoIP or VoWLAN traffic on the network. | -- | disabled |
| disable-stateful-ua-processing | Disables stateful UA processing. | -- | disabled |
| disable-stateful-vocera-processing | Disables stateful VOCERA processing. | -- | disabled |
| drop-ip-fragments | When enabled, all IP fragments are dropped. You should not enable this option unless instructed to do so by an Alcatel-Lucent representative. | -- | disabled |
| enable-bridging | Enables bridging when the switch is in factory default. | -- | disabled |
| enable-per-packet-logging | Enables logging of every packet if logging is enabled for the corresponding session rule. Normally, one event is logged per session. If you enable this option, each packet in the session is logged. You should not enable this option unless instructed to do so by an Alcatel-Lucent representative, as doing so may create unnecessary overhead on the switch. | -- | disabled |

| Parameter | Description | Range | Default |
|---|---|---|---|
| enforce-tcp-handshake | Prevents data from passing between two clients until the three-way TCP handshake has been performed. This option should be disabled when you have mobile clients on the network as enabling this option will cause mobility to fail. You can enable this option if there are no mobile clients on the network. | -- | disabled |
| enforce-tcp-sequence | Enforces the TCP sequence numbers for all packets. | -- | disabled |
| gre-call-id-processing | Creates a unique state for each PPTP tunnel. Do not enable this option unless instructed to do so by a technical support representative. | -- | disabled |
| imm-fb | Immediately free buffers on OAW-4x50 switches. Do not enable this option unless instructed to do so by a technical support representative. | -- | -- |
| local-valid-users | Adds only IP addresses, which belong to a local subnet, to the user-table. | -- | disabled |
| log-icmp-error | Logs received ICMP errors. Do not enable this option unless instructed to do so by a technical support representative. | -- | disabled |
| prevent-dhcp-exhaustion | Enable check for DHCP client hardware address against the packet source MAC address. This command checks the frame's source-MAC against the DHCPv4 client hardware address and drops the packet if it does not match. Enabling this feature prevents a client from submitting multiple DHCP requests with different hardware addresses, thereby preventing DHCP pool depletion. | -- | disabled |
| prohibit-arp-spoofing | Detects and prohibits arp spoofing. When this option is enabled, possible arp spoofing attacks are logged and an SNMP trap is sent. | -- | disabled |
| prohibit-ip-spoofing | Detects IP spoofing (where an intruder sends messages using the IP address of a trusted client). When this option is enabled, source and destination IP and MAC addresses are checked; possible IP spoofing attacks are logged and an SNMP trap is sent. | -- | enabled in IPv4, disabled in IPv6 |
| prohibit-rst-replay | Closes a TCP connection in both directions if a TCP RST is received from either direction. You should not enable this option unless instructed to do so by an Alcatel-Lucent representative. | -- | disabled |

| Parameter | Description | Range | Default |
|---|---|---|---|
| public-access | Enables a public access mode. | -- | -- |
| session-idle-timeout | Time, in seconds, that a non-TCP session can be idle before it is removed from the session table. You should not modify this option unless instructed to do so by an Alcatel-Lucent representative. | 16-259 | 15 seconds |
| session-mirror-destination | Destination to which mirrored packets are sent. This option is used only for troubleshooting or debugging. Packets can be mirrored in multiple ACLs, so only a single copy is mirrored if there is a match within more than one ACL. You can configure the following: • Ethertype to be mirrored with the Ethertype ACL mirror option. See ip access-list eth on page 344. • IP flows to be mirrored with the session ACL mirror option. See ip access-list session on page 362. • MAC flows to be mirrored with the MAC ACL mirror option. See ip access-list mac on page 360. If you configure both an IP address and a port to receive mirrored packets, the IP address takes precedence. | -- | -- |
| session-mirror-ipsec | Configures session mirroring of all frames that are processed by IPsec. Frames are sent to the IP address specified by the session-mirror-destination option. This option is used only for troubleshooting or debugging. | -- | disabled |
| session-tunnel-fib | Enable session-tunnel based forwarding. NOTE: Best practice is to enable this parameter only during a maintenance window or off-peak production hours. On the M3, this parameter only enables tunnel-based forwarding, as session-based forwarding does not apply to this platform. | -- | disabled |
| session-voip-timeout | Idle session timeout, in seconds, for sessions that are marked as voice sessions. If no voice packet exchange occurs over a voice session for the specified time, the voice session is removed. | 16-300 | 300 seconds |
| shape-mcast | Enables multicast optimization and provides excellent streaming quality regardless of the number of VLANs or IP IGMP groups that are used. | -- | disabled |
| voip-wmm-voip-content-enforcement | If traffic to or from the user is inconsistent with the associated QoS policy for voice, the traffic is reclassified to best effort and data path counters are incremented. This parameter requires the PEFNG license. | -- | disabled |

Usage Guidelines
This command configures global firewall options on the switch.
Example
The following command disallows forwarding of non-IP frames between users:
firewall deny-inter-user-bridging
Related Commands
(host) (config) #show firewall
Command History

| Release | Modification |
|---|---|
| AOS-W 3.0 | Command introduced. |
| AOS-W 3.2 | The wmm-voip-content-enforcement parameter was introduced. |
| AOS-W 3.3 | The session-mirror-destination parameter was modified. |
| AOS-W 3.3.2 | The local-valid-users parameter was added. |
| AOS-W 3.4 | The voip-proxy-arp parameter was renamed to broadcast-filter-arp and it does not require a Voice license. The prohibit-arp-spoofing parameter was added. The deny-inter-user-traffic parameter was added. |
| AOS-W 6.0 | The shape-mcast parameter was added. |
| AOS-W 6.1 | The functionality of the prohibit-ip-spoofing feature was enhanced. In previous versions of AOS-W, this feature checked only the source IP and the source MAC address in the frame. Starting with AOS-W 6.1, this feature also checks the destination IP and the destination MAC address in the frame. The parameter amsdu was added. |
| AOS-W 6.2 | The parameter clear-sessions-role-update was deprecated. |
| AOS-W 6.2.1 | The imm-fb parameter was introduced. |

Command Information

| Platform | License | Command Mode |
|---|---|---|
| Available on all platforms | Base operating system except the public-access and voip-wmm-voip-content-enforcement parameters which require the PEFNG license. | Config mode on master switches |

firewall cp
firewall cp deny|permit <ip-addr><ip-mask>|any|{host <ip-addr>} proto{<ip-protocol-number> ports <start port number><end port number>}|ftp|http|https|icmp|snmp|ssh|telnet|tftp[bandwidth-contract <name>]
no...
Description
This command creates whitelist session ACLs. Whitelist ACLs consist of rules that explicitly permit or deny session traffic from being forwarded to the switch. This prohibits traffic from being automatically forwarded to the switch if it was not specifically denied in a blacklist. The maximum number of entries allowed in the whitelist is 64.
Syntax

| Parameter | Description | Range | Default |
|---|---|---|---|
| deny\|permit <ip-addr><ip-mask> | Specifies the entry to reject (deny) on the session ACL whitelist. Specifies an entry that is allowed (permit) on the session ACL whitelist. | -- | -- |
| any | Specifies any IPv4 source address. | -- | -- |
| host <ip-addr> | Indicates a specific IPv4 source address. | -- | -- |
| proto | Protocol that the session traffic is using. | -- | -- |
| IP protocol number | Specifies the IP protocol number that is permitted or denied. | 1-255 | -- |
| start port | Specifies the starting port, in the port range, on which session traffic is running. | 1-65535 | -- |
| last port | Specifies the last port, in the port range, on which session traffic is running. | 1-65535 | -- |
| ftp | Specifies the File Transfer Protocol. | -- | -- |
| http | Specifies the Hypertext Transfer Protocol. | -- | -- |
| https | Specifies the Secure HTTP Protocol. | -- | -- |
| icmp | Specifies the Internet Control Message Protocol. | -- | -- |
| snmp | Specifies the Simple Network Management Protocol. | -- | -- |
| ssh | Specifies the Secure Shell. | -- | -- |
| telnet | Specifies the Telnet protocol. | -- | -- |
| tftp | Specifies the Trivial File Transfer Protocol. | -- | -- |
| bandwidth-contract <name> | Specify the name of a bandwidth contract defined via the cp-bandwidth-contract command. | -- | -- |

Usage Guidelines
This command turns the session ACL from a blacklist to a whitelist. A rule must exist that explicitly permits the session before it is forwarded to the switch and the last rule in the list denies everything else.
Example
The following command creates a whitelist ACL that allows traffic with the source address 10.10.10.10 and the source mask 2.2.2.2. The protocol is FTP and the bandwidth contract name is mycontract.
(host) (config-fw-cp) #permit 10.10.10.10 2.2.2.2 proto ftp bandwidth-contract name mycontract
The following command creates a whitelist ACL entry that denies traffic using protocol 2 on port 5000 from being forwarded to the switch:
(host) (config-fw-cp) #deny proto 6 ports 5000 6000
Related Commands

| Command | Description | Mode |
|---|---|---|
| show firewall-cp | Show Control Processor (CP) whitelist ACL info. | Enable or Config modes |
| cp-bandwidth-contract | This command configures a bandwidth contract traffic rate which can then be associated with a whitelist session ACL. | Enable or Config modes |

Command History

| Release | Modification |
|---|---|
| AOS-W 3.4 | Command introduced. |
| AOS-W 6.2 | The permit <ip-addr><ip-mask> parameter was added. The deny <ip-addr> parameter was added. The any parameter was added. The host parameter was added. The ftp, http, https, icmp, snmp, ssh, telnet and tftp parameters were added. |

Command Information

| Platform | License | Command Mode |
|---|---|---|
| Available on all platforms | Base operating system, except for noted parameters | Config mode on master switches |

firewall cp-bandwidth-contract
firewall cp-bandwidth-contract {auth|route|sessmirr|trusted-mcast|trusted-ucast |untrusted-mcast|untrusted-ucast} <Rate>
Description
This command configures bandwidth contract traffic rate limits to prevent denial of service attacks.
Syntax

| Parameter | Description | Range | Default |
|---|---|---|---|
| auth | Specifies the traffic rate limit that is forwarded to the authentication process. | 1-200 Mbps | 1 |
| route | Specifies the traffic rate limit that needs ARP requests. | 1-200 Mbps | 1 |
| sessmirr | Specifies the session mirrored traffic forwarded to the switch. | 1-200 Mbps | 1 |
| trusted-mcast | Specifies the trusted multicast traffic rate limit. | 1-200 Mbps | 2 |
| trusted-ucast | Specifies the trusted unicast traffic rate limit. | 1-200 Mbps | 80 |
| untrusted-mcast | Specifies the untrusted multicast traffic rate limit. | 1-200 Mbps | 2 |
| untrusted-ucast | Specifies the untrusted unicast traffic rate limit. | 1-200 Mbps | 10 |

Usage Guidelines
This command configures firewall bandwidth contract options on the switch.
Example
The following command disallows forwarding of non-IP frames between users:
(host) (config) #firewall deny-inter-user-bridging
Related Commands
(host) (config) #show firewall
Command History
Introduced in AOS-W 3.4
Command Information

Platform Available on all platforms

License
This command requires the PEFNG license

Command Mode
Config mode on master switches


firewall-visibility
firewall-visibility no ...
Description
Enables or disables the policy enforcement firewall visibility feature.
Syntax
No parameters.
Usage Guideline
When you enable this feature, the Firewall Monitoring page on the Dashboard tab of the WebUI displays the summary of all sessions in the switch aggregated by users, devices, destinations, applications, WLANs, and roles.
Example
The following command enables firewall visibility.
(host)(config) #firewall-visibility
Related Commands

| Command | Description | Mode |
|---|---|---|
| show firewall-visibility | Displays the policy enforcement firewall visibility process state and status information | Config or Enable mode |

Command History
This command is introduced in AOS-W 6.2.
Command Information

Platforms
OAW-4504XM, OAW-4604, OAW-4704, OAW-6000, and OAW-4x50 switches

Licensing
This command requires the PEFNG license

Command Mode Config mode on master or local switch


gateway health-check disable
gateway health-check disable
Description
Disable the gateway health check.
Usage Guidelines
The gateway health check feature can only be enabled by Alcatel-Lucent Technical Support. This command disables the gateway health check, and should only be issued under the guidance of the support staff.
Related Commands

| Command | Description | Mode |
|---|---|---|
| show gateway health-check | Display the current status of the gateway health-check feature | This command is available in Config and Enable mode on master and local switches |

(host) (config) #show gateway health-check
History
Introduced in AOS-W 3.4
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode Config mode on master or local switches.


guest-access-email
guest-access-email smtp-port smtp-server no...
Description
This command configures the SMTP server which is used to send guest email. Guest email is generated when a guest user account is created or when the Guest Provisioning user sends guest user account email at a later time.
Syntax

| Parameter | Description | Range | Default |
|---|---|---|---|
| smtp-port | Identifies the SMTP port through which the guest-access email is sent. | -- | -- |
| <Port number> | The SMTP port number. | 1-65535 | 25 |
| smtp-server | The SMTP server to which the switch sends the guest-access email. | -- | -- |
| <IP-Address> | The SMTP server's IP address. | -- | -- |
| no | Deletes the command configuration. | -- | -- |

Usage Guidelines
As part of the guest provisioning feature, the guest-access-email command allows you to set up the SMTP port and server that process guest provisioning email. This email process sends email to either the guest or the sponsor whenever a guest user account is created or when the Guest Provisioning user manually sends email from the Guest Provisioning page.
Example
The following command creates a guest-access email profile and sends guest user email through SMTP server IP address 1.1.1.1 on port 25.
(host) (config) #guest-access-email
(host) (Guest-access Email Profile) #
(host) (Guest-access Email Profile) #smtp-port 25
(host) (Guest-access Email Profile) #smtp-server 1.1.1.1
Related Commands
(host) #show guest-access-email
(host) #local-userdb-guest add
(host) #local-userdb-guest modify
(host) #show local-userdb-guest
Command History

| Release | Modification |
|---|---|
| AOS-W 3.4 | Introduced for the first time. |

Command Information

Platform Available on all platforms

License Available in the base operating system.

Command Mode Config mode on master switches.


halt
halt
Description
This command halts all processes on the switch.
Syntax
No parameters.
Usage Guidelines
This command gracefully stops all processes on the switch. You should issue this command before rebooting or shutting down to avoid interrupting processes.
Command History
Introduced in AOS-W 3.0
Command Information

Platform Available on all platforms

License Available in the base operating system.

Command Mode
Enable mode on master and local switches.


help
help
Description
This command displays help for the CLI.
Syntax
No parameters.
Usage Guidelines
This command displays keyboard editing commands that allow you to make corrections or changes to the command without retyping. You can also enter the question mark (?) to get various types of command help:
• When typed at the beginning of a line, the question mark lists all commands available in the current mode.
• When typed at the end of a command or abbreviation, the question mark lists possible commands that match.
• When typed in place of a parameter, the question mark lists available options.
Example
The following command displays help:
(host) #help
Command History
Available in AOS-W 3.0
Command Information

| Platform | License | Command Mode |
|---|---|---|
| Available on all platforms | Available in the base operating system | Available in the following command modes: • User • Enable • Config |

hostname
hostname <hostname>
Description
This command changes the hostname of the switch.
Syntax

| Parameter | Description | Range | Default |
|---|---|---|---|
| hostname | The hostname of the switch | 1-63 | See below |

Usage Guidelines
The hostname is used as the default prompt. You can use any alphanumeric character, punctuation, or symbol character. To use spaces, plus symbols (+), question marks (?), or asterisks (*), enclose the text in quotes. The default names for the following switches are:
• OmniAccess 4306 WLAN Switch: OAW-4306
• OmniAccess 6000 WLAN Switch: OAW-6000
• OmniAccess 4504 WLAN Switch: OAW-4504
• OmniAccess 4604 WLAN Switch: OAW-4604
• OmniAccess 4704 WLAN Switch: OAW-4704
Example
The following example configures the switch hostname to "Switch 1".
hostname "Switch 1"
Command History
Introduced in AOS-W 1.0
Command Information

Platform Available on all platforms

License Available in the base operating system

Command Mode
Config mode on master and local switches


ids ap-classification-rule change
ids ap-classification-rule <rule-name> check-min-discovered-aps classify-to-type [neighbor | suspected-rogue] clone conf-level-incr discovered-ap-cnt <discovered-ap-cnt> match-ssids no snr-max <value> snr-min <value> ssid <ssid>
Description
Configure the AP classification rule profile.
Syntax

| Parameter | Description | Range | Default |
|---|---|---|---|
| <rule-name> | Enter the AP classification rule profile name. | -- | -- |
| check-min-discovered-aps | Have the rule check for the minimum number of APs | true false | true |
| classify-to-type [neighbor \| suspected-rogue] | Specify the type to which the AP will be classified, neighbor or suspected-rogue, if the rule is matched. | -- | suspected-rogue |
| clone | Copy data from another AP classification rule profile | -- | -- |
| conf-level-incr | Increase the confidence level (in percentage) when the rule matches | 0-100 | 5 |
| discovered-ap-cnt <discovered-ap-cnt> | Enter the keyword discovered-ap-cnt followed by the number of APs to be discovered. | 0-100 | 0 |
| match-ssids | Match SSIDs; match or do not match | true false | false |
| no | Negates any configured parameter | -- | -- |
| snr-max <value> | Use the maximum SNR value | 0-100 | 0 |
| snr-min <value> | Use the minimum SNR value | 0-100 | 0 |
| ssid <ssid> | Enter the keyword ssid followed by the SSID string to be matched or excluded | -- | -- |

Usage Guidelines
AP classification rule configuration is performed only on a master switch. If AMP is enabled via the mobility-manager command, then processing of the AP classification rules is disabled on the master switch. A rule is identified by its ASCII character string name (32 characters maximum). The AP classification rules have one of the following specifications:
• SSID of the AP
• SNR of the AP
• Discovered-AP-Count or the number of APs that can see the AP
Once you have created an AP classification rule, you must enable it by adding it to the IDS AP Matching Rules profile:
ids ap-rule-matching
rule-name <name>
SSID specification
Each rule can have up to 6 SSID parameters. If one or more SSIDs are specified in a rule, an option of whether to match any of the SSIDs, or to not match all of the SSIDs can be specified. The default is to check for a match operation.
SNR specification
Each rule can have only one specification of the SNR. A minimum and/or maximum can be specified in each rule and the specification is in SNR (dB).
Discovered-AP-Count specification
Each rule can have only one specification of the Discovered-AP-Count. Each rule can specify a minimum or maximum of the Discovered-AP-count. The minimum or maximum operation must be specified if the Discovered-AP-count is specified. The default setting is to check for the minimum discovered-AP-count.
Example
The following example configures the AP Classification Rule Profile named "rule1", then enables the rule by adding it to the IDS AP Matching Rules profile.
(host) (config) #ids ap-classification-rule rule1
(host) (IDS AP Classification Rule Profile "rule1") #check-min-discovered-aps
(host) (IDS AP Classification Rule Profile "rule1") #classify-to-type neighbor
(host) (IDS AP Classification Rule Profile "rule1") !
(host) (config) #ap-rule-matching rule-name rule1
Command History

Release | Modification
AOS-W 6.0 | Command introduced

Command Information

Platforms | Licensing | Command Mode
Available on all platforms | Requires the RFprotect license | Config mode on master switches


ids ap-rule-matching
no rule-name
Description
Configure the IDS active AP rules profile by enabling an AP classification rule.
Syntax

Parameter | Description
no | Negates any configured parameter
rule-name | Name of the IDS AP classification rule

Usage Guidelines
This command activates an active AP rule created by the ids ap-classification-rule change command. You must create the rule before you can activate it.
Example
(host) (IDS Active AP Rules Profile) #rule-name rule2
Command History

Release | Modification
AOS-W 6.0 | Command introduced

Command Information

Platforms | Licensing | Command Mode
Available on all platforms | Requires the RFprotect license | Config mode on master switches


ids dos-profile
ids dos-profile <profile>
   ap-flood-inc-time <seconds>
   ap-flood-quiet-time <seconds>
   ap-flood-threshold <number>
   assoc-rate-thresholds <number>
   auth-rate-thresholds <number>
   block-ack-dos-quiet-time
   chopchop-quiet-time
   client-ht-40mhz-intol-quiet-time <seconds>
   client-flood-inc-time
   client-flood-quiet-time
   client-flood-threshold
   client-ht-40mhz-intolerance
   clone <profile>
   cts-rate-quiet-time
   cts-rate-threshold
   cts-rate-time-interval
   deauth-rate-thresholds <number>
   detect-ap-flood
   detect-block-ack-dos
   detect-chopchop-attack
   detect-client-flood
   detect-cts-rate-anomaly
   detect-disconnect-station
   detect-eap-rate-anomaly
   detect-fata-jack-attack
   detect-ht-40mhz-intolerance
   detect-invalid-address
   detect-malformed-association-request
   detect-malformed-auth-frame
   detect-malformed-htie
   detect-malformed-large-duration
   detect-omerta-attack
   detect-overflow-eapol-key
   detect-overflow-ie
   detect-power-save-dos-attack
   detect-rate-anomalies
   detect-rts-rate-anomaly
   detect-tkip-replay-attack
   disassoc-rate-thresholds <number>
   disconnect-deauth-disassoc-threshold
   disconnect-sta-assoc-resp-threshold
   disconnect-sta-quiet-time <seconds>
   eap-rate-quiet-time <seconds>
   eap-rate-threshold <number>
   eap-rate-time-interval <seconds>
   fata-jack-quiet-time
   invalid-address-combination-quiet-time
   malformed-association-request-quiet-time
   malformed-auth-frame-quiet-time
   malformed-htie-quiet-time
   malformed-large-duration-quiet-time
   no ...
   omerta-quiet-time
   omerta-threshold
   overflow-eapol-key-quiet-time
   overflow-ie-quiet-time
   power-save-dos-min-frames
   power-save-dos-quiet-time
   power-save-dos-threshold
   probe-request-rate-thresholds <number>
   probe-response-rate-thresholds <number>
   rts-rate-quiet-time
   rts-rate-threshold
   rts-rate-time-interval
   spoofed-deauth-blacklist
   tkip-replay-quiet-time
Description
This command configures traffic anomalies for denial of service (DoS) attacks.
Syntax

Parameter | Description | Range | Default
<profile> | Name that identifies an instance of the profile. The name must be 1-63 characters. | -- | "default"
ap-flood-inc-time | Time, in seconds, during which a configured number of fake AP beacons must be received to trigger an alarm. | 0-36000 | 3600 seconds
ap-flood-quiet-time | After an alarm has been triggered by a fake AP flood, the time, in seconds, that must elapse before an identical alarm may be triggered. | 60-360000 | 900 seconds
ap-flood-threshold | Number of fake AP beacons that must be received within the flood increase time to trigger an alarm. | 0-100,000 | 50
assoc-rate-thresholds | Rate threshold for associate request frames. | -- | --
auth-rate-thresholds | Rate threshold for authenticate frames. | -- | --
block-ack-dos-quiet-time | Time to wait, in seconds, after detecting an attempt to reset the receive window using a forged block ACK add. | 60-360000 seconds | 900 seconds
chopchop-quiet-time | Time to wait, in seconds, after detecting a ChopChop attack after which the check can be resumed. | 60-360000 seconds | 900 seconds
client-ht-40mhz-intol-quiet-time <seconds> | Controls the quiet time (when to stop reporting intolerant STAs if they have not been detected), in seconds, for detection of 802.11n 40 MHz intolerance setting. | 60-360000 seconds | 900 seconds
client-flood-inc-time | Number of consecutive seconds over which the client count is more than the threshold. | 0-36000 seconds | 3 seconds


Parameter | Description | Range | Default
client-flood-quiet-time | Time to wait, in seconds, after detecting a client flood before continuing the check. | 60-360000 seconds | 900 seconds
client-flood-threshold | Threshold for the number of spurious clients in the system. | 0-100000 | 150
clone | Copy data from another IDS Denial Of Service Profile. | -- | --
cts-rate-quiet-time | Time to wait, in seconds, after detecting a CTS rate anomaly after which the check can be resumed. | 60-360000 seconds | 900 seconds
cts-rate-threshold | Number of CTS control packets over the time interval that constitutes an anomaly. | 0-100000 | 5000
cts-rate-time-interval | Time interval, in seconds, over which the packet count should be checked. | 1-120 seconds | 5 seconds
deauth-rate-thresholds | Rate threshold for deauthenticate frames. | -- | --
detect-ap-flood | Enables detection of flooding with fake AP beacons to confuse legitimate users and to increase the amount of processing needed on client operating systems. | true false | false
detect-block-ack-dos | Enable/disable detection of attempts to reset traffic receive windows using forged Block ACK Add messages. | true false | true
detect-chopchop-attack | Enable/disable detection of ChopChop attack. | true false | false
detect-client-flood | Enable/disable detection of client flood attack. | true false | disable
detect-cts-rate-anomaly | Enable/disable detection of CTS rate anomaly. | true false | disable
detect-disconnect-station | In a station disconnection attack, an attacker spoofs the MAC address of either an active client or an active AP. The attacker then sends deauthenticate frames to the target device, causing it to lose its active association. Use this command to enable the detection of disconnect station attack. | true false | enable
detect-eap-rate-anomaly | Enables Extensible Authentication Protocol (EAP) handshake analysis to detect an abnormal number of authentication procedures on a channel and generate an alarm when this condition is detected. | true false | false


Parameter | Description | Range | Default
detect-fata-jack-attack | Enable/disable detection of FATA-Jack attack | true false | enable
detect-ht-40mhz-intolerance | Enables or disables detection of 802.11n 40 MHz intolerance setting, which controls whether stations and APs advertising 40 MHz intolerance will be reported. | true false | false
detect-invalid-address | Enable/disable detection of invalid address combinations | true false | false
detect-malformed-association-request | Enable/disable detection of malformed association requests. | true false | disable
detect-malformed-auth-frame | Enable/disable detection of malformed authentication frames | true false | disable
detect-malformed-htie | Enable/disable detection of malformed HT IE | true false | false
detect-malformed-large-duration | Enable/disable detection of unusually large durations in frames | true false | true
detect-omerta-attack | Enable/disable detection of Omerta attack | true false | enable
detect-overflow-eapol-key | Enable/disable detection of overflow EAPOL key requests | true false | disable
detect-overflow-ie | Enable/disable detection of overflow Information Elements (IE) | true false | disable
detect-power-save-dos-attack | Enable/disable detection of Power Save DoS attack | true false | enable
detect-rate-anomalies | Enable/disable detection of rate anomalies | true false | disable
detect-rts-rate-anomaly | Enable/disable detection of RTS rate anomaly | true false | disable
detect-tkip-replay-attack | Enable/disable detection of TKIP replay attack | true false | disable
disassoc-rate-thresholds | Rate threshold for disassociate frames. | -- | --
disconnect-deauth-disassoc-threshold | Rate thresholds for Disassociate frames | 1-50 | 8
disconnect-sta-assoc-resp-threshold | The number of successful Association Response or Reassociation response frames seen in an interval of 10 seconds that should trigger this event. | 1-30 | 5


Parameter | Description | Range | Default
disconnect-sta-quiet-time | After a station disconnection attack is detected, the time, in seconds, that must elapse before another identical alarm can be generated. | 60-360000 seconds | 900 seconds
eap-rate-quiet-time | After an EAP rate anomaly alarm has been triggered, the time, in seconds, that must elapse before another identical alarm may be triggered. | 60-360000 | 900 seconds
eap-rate-threshold | Number of EAP handshakes that must be received within the EAP rate time interval to trigger an alarm. | 0-100000 | 60
eap-rate-time-interval | Time, in seconds, during which the configured number of EAP handshakes must be received to trigger an alarm. | 1-120 seconds | 3 seconds
fata-jack-quiet-time | Time to wait, in seconds, after detecting a FATA-Jack attack after which the check can be resumed. | 60-360000 seconds | 900 seconds
invalid-address-combination-quiet-time | Time to wait, in seconds, after detecting an invalid address combination after which the check can be resumed. | 60-360000 seconds | 900 seconds
malformed-association-request-quiet-time | Time to wait, in seconds, after detecting a malformed association request after which the check can be resumed. | 60-360000 seconds | 900 seconds
malformed-auth-frame-quiet-time | Time to wait, in seconds, after detecting a malformed authentication frame after which the check can be resumed. | 60-360000 seconds | 900 seconds
malformed-htie-quiet-time | Time to wait, in seconds, after detecting a malformed HT IE after which the check can be resumed. | 60-360000 seconds | 900 seconds
malformed-large-duration-quiet-time | Time to wait, in seconds, after detecting a large duration for a frame after which the check can be resumed. | 60-360000 seconds | 900 seconds
no | Negates any configured parameter. | -- | --
omerta-quiet-time | Time to wait, in seconds, after detecting an Omerta attack after which the check can be resumed. | 60-360000 seconds | 900 seconds
omerta-threshold | The Disassociation packets received by a station as a percentage of the number of data packets sent, in an interval of 10 seconds. | 1-100 | 10%


Parameter | Description | Range | Default
overflow-eapol-key-quiet-time | Time to wait, in seconds, after detecting an overflow EAPOL key request after which the check can be resumed. | 60-360000 seconds | 900 seconds
overflow-ie-quiet-time | Time to wait, in seconds, after detecting an overflow IE after which the check can be resumed. | 60-360000 seconds | 900 seconds
power-save-dos-min-frames | The minimum number of Power Management OFF packets that are required to be seen from a station, in intervals of 10 seconds, in order for the Power Save DoS check to be done. | 1-1000 | 120
power-save-dos-quiet-time | Time to wait, in seconds, after detecting a Power Save DoS attack after which the check can be resumed. | 60-360000 seconds | 900 seconds
power-save-dos-threshold | The Power Management ON packets sent by a station as a percentage of the Power Management OFF packets sent, in intervals of 10 seconds, which will trigger this event. | 1-100% | 80%
probe-request-rate-thresholds | Rate threshold for probe request frames. | -- | --
probe-response-rate-thresholds | Rate threshold for probe response frames. | -- | --
rts-rate-quiet-time | Time to wait, in seconds, after detecting an RTS rate anomaly after which the check can be resumed. | 60-360000 seconds | 900 seconds
rts-rate-threshold | Number of RTS control packets over the time interval that constitutes an anomaly. | 0-100000 | 5000
rts-rate-time-interval | Time interval, in seconds, over which the packet count should be checked. | 1-120 seconds | 5 seconds
spoofed-deauth-blacklist | Enables detection of a deauth attack initiated against a client associated to an AP. When such an attack is detected, the client is quarantined from the network to prevent a man-in-the-middle attack from being successful. | true false | false
tkip-replay-quiet-time | Time to wait, in seconds, after detecting a TKIP replay attack after which the check can be resumed. | 60-360000 seconds | 900 seconds

Usage Guidelines
DoS attacks are designed to prevent or inhibit legitimate clients from accessing the network. This includes blocking network access completely, degrading network service, and increasing processing load on clients and network equipment.


Example
The following command enables a detection in the DoS profile named "floor2":
(host) (config) #ids dos-profile floor2
(host) (IDS Denial Of Service Profile "floor2") #detect-ap-flood
Command History

Release | Modification
AOS-W 3.0 | Command Introduced.
AOS-W 3.3 | Updated with support for high-throughput IEEE 802.11n standard.
AOS-W 3.4 | detect-disconnect-sta and disconnect-sta-quiet-time parameters deprecated.
AOS-W 6.0 | Deprecated predefined profiles and added numerous DoS profile options
AOS-W 6.1 | Added the following parameters in support of detection of the Meiners Power Save DoS attack, including event notification to the user: detect-power-save-dos-attack, power-save-dos-min-frames, power-save-dos-quiet-time, power-save-dos-threshold

Deprecated Predefined Profiles
Deprecated DOS profile:
- ids-dos-disabled
- ids-dos-low-setting
- ids-dos-medium-setting
- ids-dos-high-setting
Command Information

Platform | License | Command Mode
Available on all platforms | Requires the RFprotect license | Config mode on master switches


ids general-profile
ids general-profile <profile-name>
   adhoc-ap-inactivity-timeout
   adhoc-ap-max-unseen-timeout
   ap-inactivity-timeout <seconds>
   ap-max-unseen-timeout
   clone <profile>
   ids-events [logs-and-traps | logs-only | none | traps-only]
   min-pot-ap-beacon-rate <percent>
   min-pot-ap-monitor-time <seconds>
   mobility-manager-rtls
   mon-stats-update-interval
   no ...
   send-adhoc-info-to-controller
   signature-quiet-time <seconds>
   sta-inactivity-timeout <seconds>
   stats-update-interval <seconds>
   wired-containment
   wired-containment-ap-adj-mac
   wired-containment-susp-l3-rogue
   wireless-containment [deauth-only | none | tarpit-all-sta | tarpit-non-valid-sta]
   wired-containment-ap-adj-mac
   wireless-containment-debug
Description
Configure an IDS general profile.
Syntax

Parameter | Description | Range | Default
<profile-name> | Name that identifies an instance of the profile. The name must be 1-63 characters. | -- | "default"
adhoc-ap-inactivity-timeout | Ad hoc (IBSS) AP inactivity timeout in number of scans. | 5-36000 seconds | 5 seconds
adhoc-ap-max-unseen-timeout | Ageout time in seconds since ad hoc (IBSS) AP was last seen. | 5-36000 seconds | 5 seconds
ap-inactivity-timeout | Time, in seconds, after which an AP is aged out. | 5-36000 seconds | 5 seconds


Parameter | Description | Range | Default
ap-max-unseen-timeout | Ageout time, in seconds, since AP was last seen. | 5-36000 seconds | 600 seconds
clone | Name of an existing IDS general profile from which parameter values are copied. | -- | --
ids-events [logs-and-traps | logs-only | none | traps-only] | Enable or disable IDS event generation from the AP. Event generation from the AP can be enabled for syslogs, traps, or both. This does not affect generation of IDS correlated events on the switch. | -- | logs-and-traps
min-pot-ap-beacon-rate | Minimum beacon rate acceptable from a potential AP, in percentage of the advertised beacon interval. | 0-100 | 25%
min-pot-ap-monitor-time | Minimum time, in seconds, a potential AP has to be up before it is classified as a real AP. | 2-36000 | 2 seconds
mobility-manager-rtls | Enable/disable RTLS communication with the configured mobility-manager | enabled disabled | disabled
mon-stats-update-interval | Time interval, in seconds, for AP to update the switch with stats for monitored devices. Minimum is 60. | 60-360000 seconds | 60 seconds
no | Negates any configured parameter. | -- | --
send-adhoc-info-to-controller | Enable or disable sending Adhoc information to the switch from the AP. | enable disable | disable
signature-quiet-time | After a signature match is detected, the time to wait, in seconds, to resume checking. | 60-360000 seconds | 900 seconds


Parameter | Description | Range | Default
sta-inactivity-timeout | Time, in seconds, after which a station is aged out. | 30-360000 seconds | 60 seconds
sta-max-unseen-timeout | Ageout time, in seconds, since station was last seen. Minimum is 5. | 5-36000 seconds | 5 seconds
stats-update-interval | Interval, in seconds, for the AP to update the switch with statistics. This setting takes effect only if the OmniVista Mobility Manager Software is configured. Otherwise, statistics update to the switch is disabled. | 60-360000 seconds | 60 seconds
wired-containment | Enable containment from the wired side. | true false | false
wired-containment-ap-adj-mac | Enable/disable wired containment of MACs offset by one from APs BSSID. | true false | false
wired-containment-susp-l3-rogue | The basic wired containment feature enabled using the wired-containment on page 292 command contains layer-3 APs whose wired interface MAC addresses are either the same as (or one character off from) their BSSIDs. This feature can also identify and contain an AP with a preset wired MAC address that is completely different from the AP's BSSID if the MAC address that the AP provides to wireless clients as the 'gateway MAC' is offset by one character from its wired MAC address. NOTE: This feature requires that the following wired-containment parameter in the ids general-profile is also enabled, and that the confidence level of the suspected rogue exceeds the level configured by the suspect-rogue-containment and suspect-rogue-conf-level parameters in the ids unauthorized-device-profile. | true | false
wireless-containment [deauth-only | none | tarpit-all-sta | tarpit-non-valid-sta] | Enable wireless containment including Tarpit Shielding. Tarpit shielding works by steering a client to a tarpit so that the client associates with it instead of the AP that is being contained. deauth-only: Containment using deauthentication only. none: Disable wireless containment. tarpit-all-sta: Wireless containment by tarpit of all stations. tarpit-non-valid-sta: Wireless containment by tarpit of non-valid clients. | -- | deauth-only
wireless-containment-debug | Enable/disable debug of containment from the wireless side. Note: Enabling this debug option will cause containment to not function properly. | true false | false

Usage Guidelines
This command configures general IDS profile attributes.
Example
The following command enables containments in the general IDS profile:
(host) (config) #ids general-profile floor7
(host) (IDS General Profile "floor7") #wired-containment
(host) (IDS General Profile "floor7") #wireless-containment tarpit-all-sta
(host) (IDS General Profile "floor7") #wireless-containment-debug
Command History

Version | Description
AOS-W 3.0 | Command Introduced
AOS-W 5.0 | mobility-manager-rtls parameter introduced
AOS-W 6.0 | Deprecated predefined profiles and added numerous General profile options

Deprecated Predefined Profiles
Deprecated General profiles:
- ids-general-disabled
- ids-general-high-setting
Command Information

Platform | License | Command Mode
Available on all platforms | Requires the RFprotect license. | Config mode on master switches


ids impersonation-profile
ids impersonation-profile <name>
   ap-spoofing-quiet-time
   beacon-diff-threshold <percent>
   beacon-inc-wait-time <seconds>
   beacon-wrong-channel-quiet-time
   clone <profile>
   detect-ap-impersonation
   detect-ap-spoofing
   detect-beacon-wrong-channel
   detect-hotspotter
   hotspotter-quiet-time
   no ...
   protect-ap-impersonation

Description
This command configures anomalies for impersonation attacks.
Syntax

Parameter | Description | Range | Default
<profile> | Name that identifies an instance of the profile. The name must be 1-63 characters. | -- | "default"
ap-spoofing-quiet-time | Time to wait in seconds after detecting AP Spoofing after which the check can be resumed. Minimum wait time is 60. | | 60 seconds
beacon-diff-threshold | Percentage increase in beacon rates that triggers an AP impersonation event. | 0-100 | 50%
beacon-inc-wait-time | Time, in seconds, after the beacon difference threshold is crossed before an AP impersonation event is generated. | -- | 3 seconds
beacon-wrong-channel-quiet-time | Time to wait, in seconds, after detecting a beacon with the wrong channel after which the check can be resumed. | 60-360000 seconds | 900 seconds
clone | Name of an existing IDS impersonation profile from which parameter values are copied. | -- | --
detect-ap-impersonation | Enables detection of AP impersonation. In AP impersonation attacks, the attacker sets up an AP that assumes the BSSID and ESSID of a valid AP. AP impersonation attacks can be done for man-in-the-middle attacks, a rogue AP attempting to bypass detection, or a honeypot attack. | -- | true
detect-ap-spoofing | Enable/disable AP Spoofing detection | -- | enable


Parameter | Description | Range | Default
detect-beacon-wrong-channel | Enable/disable detection of beacons advertising the incorrect channel | -- | disable
detect-hotspotter | Enable/disable detection of the Hotspotter attack to lure away valid clients. | -- | disable
hotspotter-quiet-time | Time to wait in seconds after detecting an attempt to use the Hotspotter tool against clients. | 60-360000 seconds | 900 seconds
no | Negates any configured parameter. | -- | --
protect-ap-impersonation | When AP impersonation is detected, both the legitimate and impersonating AP are disabled using a denial of service attack. | -- | false

Usage Guidelines
A successful man-in-the-middle attack will insert an attacker into the data path between the client and the AP. In such a position, the attacker can delete, add, or modify data, provided he has access to the encryption keys. Such an attack also enables other attacks that can learn a client's authentication credentials. Man-in-the-middle attacks often rely on a number of different vulnerabilities.
Example
The following command enables detections in the impersonation profile:
(host) (config) #ids impersonation-profile floor1
(host) (IDS Impersonation Profile "floor1") #detect-beacon-wrong-channel
(host) (IDS Impersonation Profile "floor1") #detect-ap-impersonation
Command History

Version | Modification
AOS-W 3.0 | Command Introduced
AOS-W 3.4 | detect-sequence-anomaly, sequence-diff, sequence-quiet-time, sequence-time-tolerance parameters deprecated.
AOS-W 6.0 | Deprecated predefined profiles and added numerous Impersonation profile options

Deprecated Predefined Profiles
IDS Impersonation profile:
- ids-impersonation-disabled
- ids-impersonation-high-setting
Command Information

Platform | License | Command Mode
Available on all platforms | Requires the RFprotect license | Config mode on master switches


ids management-profile
event-correlation [logs-and-traps | logs-only | none | traps-only]
event-correlation-quiet-time <value>
Description
Manage the event correlation.
Syntax

Parameter | Description | Range | Default
event-correlation [logs-and-traps | logs-only | none | traps-only] | Correlation mode for IDS event traps and syslogs (logs). Event correlation can be enabled with generation of correlated logs, traps, or both. To disable correlation, enter the keyword none. | | logs-and-traps
event-correlation-quiet-time <value> | Time to wait, in seconds, after generating a correlated event after which the event could be raised again. This only applies to events that are repeatedly raised by an AP. | 30-360000 seconds | 900 seconds

Usage Guidelines
Manage the events correlation for IDS event traps and syslogs (logs).
Example
(host) (config) #ids management-profile
(host) (IDS Management Profile) #event-correlation-quiet-time 30
(host) (IDS Management Profile) #event-correlation logs-and-traps
Command History

Release | Modification
AOS-W 6.0 | Command introduced

Command Information

Platforms | Licensing | Command Mode
Available on all platforms | Requires the RFprotect license | Config mode on master switches


ids profile
ids profile <name>
   clone <profile>
   dos-profile <profile>
   general-profile <profile>
   impersonation-profile <profile>
   no ...
   signature-matching-profile <profile>
   unauthorized-device-profile <profile>
Description
This command defines a set of IDS profiles.
Syntax

Parameter | Description | Default
<profile> | Name that identifies an instance of the profile. The name must be 1-63 characters. | "default"
clone | Name of an existing IDS profile from which parameter values are copied. | --
dos-profile | Name of a IDS denial of service profile to be applied to the AP group/name. See ids dos-profile on page 283. | "default"
general-profile | Name of an IDS general profile to be applied to the AP group/name. See ids general-profile on page 290. | "default"
impersonation-profile | Name of an IDS impersonation profile to be applied to the AP group/name. See ids impersonation-profile on page 295. | "default"
no | Negates any configured parameter. | --
signature-matching-profile | Name of an IDS signature matching profile to be applied to the AP group/name. See ids signature-matching-profile on page 302 | "default"
unauthorized-device-profile | Name of an IDS unauthorized device profile to be applied to the AP group/name. See ids unauthorized-device-profile on page 307. | "default"

Usage Guidelines
This command defines a set of IDS profiles that you can then apply to an AP group (with the ap-group command) or to a specific AP (with the ap-name command).
Example
The following command defines a set of IDS profiles:
(host) (config) #ids profile floor2
(host) (IDS Profile "floor2") #dos-profile dos1
general-profile general1
impersonation-profile mitm1
signature-matching-profile sig1
unauthorized-device-profile unauth1
Command History

Version | Modification
AOS-W 3.0 | Command Introduced
AOS-W 6.0 | Deprecated predefined profiles

Deprecated Predefined Profile
Deprecated Profile for levels: disabled, high, medium, and low
- ids-disabled
- ids-high-setting
- ids-medium-setting
- ids-low-setting
Command Information

Platform | License | Command Mode
Available on all platforms | Requires the RFprotect license | Config mode on master switches.


ids rate-thresholds-profile
ids rate-thresholds-profile <name>
   channel-inc-time <seconds>
   channel-quiet-time <seconds>
   channel-threshold
   clone <profile>
   no ...
   node-quiet-time <seconds>
   node-threshold <number>
   node-time-interval <seconds>
Description
This command configures thresholds that are assigned to the different frame types for rate anomaly checking.
Syntax

Parameter | Description | Range | Default
<profile> | Name that identifies an instance of the profile. The name must be 1-63 characters. | -- | "default"
channel-inc-time | Time, in seconds, in which the threshold must be exceeded in order to trigger an alarm. | 0-360000 seconds | 15 seconds
channel-quiet-time | After a channel rate anomaly alarm has been triggered, the time that must elapse before another identical alarm may be triggered. This option prevents excessive messages in the log file. | 60-360000 | 900 seconds
channel-threshold | Number of a specific type of frame that must be exceeded within a specific interval in an entire channel to trigger an alarm. | any | 300
clone | Name of an existing IDS rate thresholds profile from which parameter values are copied. | -- | --
no | Negates any configured parameter. | -- | --
node-quiet-time | After a node rate anomaly alarm has been triggered, the time, in seconds, that must elapse before another identical alarm may be triggered. This option prevents excessive messages in the log file. | 60-360000 | 900 seconds
node-threshold | Number of a specific type of frame that must be exceeded within a specific interval for a particular client MAC address to trigger an alarm. | 0-100000 frames | 200
node-time-interval | Time, in seconds, in which the threshold must be exceeded in order to trigger an alarm. | 1-120 | 15 seconds

Usage Guidelines
A profile of this type is attached to each of the following 802.11 frame types in the IDS denial of service profile:
- Association frames
- Disassociation frames
- Deauthentication frames
- Probe Request frames
- Probe Response frames
- Authentication frames
Example
The following command configures frame thresholds:
(host) (config) #ids rate-thresholds-profile Lobby
(host) (IDS Rate Thresholds Profile "Lobby") #channel-threshold 250
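The per-node and per-channel checks that this profile's parameters describe, modelled in Python as an added example (this is not AOS-W code). The sliding-window counting, the class and function names, and the sample frames are assumptions made for the illustration; the default values are the ones listed in the Syntax table for this command.

```python
from collections import deque
from dataclasses import dataclass


@dataclass
class RateThresholds:
    """Field names mirror the CLI parameters; defaults are the table's defaults."""
    channel_inc_time: int = 15      # seconds
    channel_quiet_time: int = 900   # seconds
    channel_threshold: int = 300    # frames
    node_time_interval: int = 15    # seconds
    node_quiet_time: int = 900      # seconds
    node_threshold: int = 200       # frames


class Window:
    """Counts frames in a sliding window and suppresses repeated alarms."""

    def __init__(self, threshold, interval, quiet_time):
        self.threshold = threshold
        self.interval = interval
        self.quiet_time = quiet_time
        self.times = deque()
        self.quiet_until = None

    def observe(self, ts):
        """Record one frame seen at time ts; return True if an alarm fires now."""
        self.times.append(ts)
        # Assumption: frames older than the interval no longer count.
        while self.times and self.times[0] <= ts - self.interval:
            self.times.popleft()
        if len(self.times) <= self.threshold:
            return False                    # threshold not exceeded
        if self.quiet_until is not None and ts < self.quiet_until:
            return False                    # identical alarm still suppressed
        self.quiet_until = ts + self.quiet_time
        return True


class RateAnomalyDetector:
    """One instance per 802.11 frame type, since a profile is attached per type."""

    def __init__(self, frame_type, profile=None):
        self.frame_type = frame_type
        self.profile = profile or RateThresholds()
        self.nodes = {}      # source MAC -> Window
        self.channels = {}   # channel number -> Window

    def observe(self, ts, channel, src_mac):
        p = self.profile
        if src_mac not in self.nodes:
            self.nodes[src_mac] = Window(
                p.node_threshold, p.node_time_interval, p.node_quiet_time)
        if channel not in self.channels:
            self.channels[channel] = Window(
                p.channel_threshold, p.channel_inc_time, p.channel_quiet_time)
        alarms = []
        if self.nodes[src_mac].observe(ts):
            alarms.append(("node", src_mac, ts))
        if self.channels[channel].observe(ts):
            alarms.append(("channel", channel, ts))
        return alarms


NOISY = "02:00:00:00:00:aa"  # constructed, locally administered MAC


def constructed_frames():
    """Constructed deauthentication frames: (timestamp_s, channel, source MAC)."""
    frames = [(i / 25, 6, NOISY) for i in range(250)]            # 10 s burst
    frames += [(10 + j / 100, 6, "02:00:00:00:01:%02x" % j)      # 100 other MACs
               for j in range(100)]
    frames += [(60 + i / 25, 6, NOISY) for i in range(250)]      # inside quiet time
    frames += [(1000 + i / 25, 6, NOISY) for i in range(250)]    # after quiet time
    return frames


def run_sample(profile=None):
    detector = RateAnomalyDetector("deauth", profile)
    alarms = []
    for ts, channel, mac in constructed_frames():
        alarms.extend(detector.observe(ts, channel, mac))
    return alarms


if __name__ == "__main__":
    for kind, key, ts in run_sample():
        print(f"{ts:8.2f}s  {kind} rate anomaly: {key}")
```

With the defaults, the second burst from the same MAC produces no alarm because it falls inside node-quiet-time; lowering that value trades log volume for visibility of repeated bursts.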
Command History

Version | Modification
AOS-W 3.0 | Command Introduced
AOS-W 6.0 | Deprecated predefined profiles

Deprecated Predefined Profiles
Deprecated the predefined profile with probe-request-response-threshold.
Command Information

Platform | License | Command Mode
Available on all platforms | Requires the RFprotect license | Config mode on master switches


ids signature-matching-profile
ids signature-matching-profile <name>
   clone <profile>
   no ...
   signature <profile>
Description
This command contains defined signature profiles.
Syntax

Parameter | Description | Default
<profile> | Name that identifies an instance of the profile. The name must be 1-63 characters. | "default"
clone | Name of an existing IDS signature matching profile from which parameter values are copied. | --
no | Negates any configured parameter. | --
signature | Name of a signature profile. See ids signature-profile on page 304. | --

Usage Guidelines
You can include one or more predefined signature profiles or a user-defined signature profile in a signature matching profile.
Example
The following command configures a signature matching profile:
(host) (config) #ids signature-matching-profile LobbyEast
(host) (IDS Signature Matching Profile "LobbyEast") #signature Null-Probe-Response
Command History

AOS-W 3.0: Command Introduced
AOS-W 6.0: Deprecated predefined profiles

Deprecated Predefined Profiles
Deprecated Signature Matching profile:
- factory-default-signatures


Command Information
Platform: Available on all platforms
License: Requires the RFprotect license
Command Mode: Config mode on master switches


ids signature-profile
ids signature-profile <name>
   bssid <macaddr>
   clone <profile>
   dst-mac <macaddr>
   frame-type {assoc|auth|beacon|control|data|deauth|disassoc|mgmt|probe-request|probe-response}
   no ...
   payload <pattern> [offset <number>]
   seq-num <number>
   src-mac <macaddr>
Description
This command configures signatures for wireless intrusion detection.
Syntax

<profile>
Name that identifies an instance of the profile. The name must be 1-63 characters.
Default: "default"

bssid
BSSID field in the 802.11 frame header.
Default: --

clone
Name of an existing IDS signature profile from which parameter values are copied.
Default: --

dst-mac
Destination MAC address in the 802.11 frame header.
Default: --

frame-type
Type of 802.11 frame. For each type of frame, further parameters can be specified to filter and detect only the required frames.
Default: --
   assoc: Association frame type
   auth: Authentication frame type
   beacon: Beacon frame type
   control: All control frames
   data: All data frames
   deauth: Deauthentication frame type
   disassoc: Disassociation frame type
   mgmt: Management frame type
   probe-request: Frame type is probe request
   probe-response: Frame type is probe response
   ssid: For beacon, probe-request, and probe-response frame types, specify the SSID as either a string or hex pattern. Default: --
   ssid-length: For beacon, probe-request, and probe-response frame types, specify the length, in bytes, of the SSID. Maximum length is 32 bytes. Default: --

no
Negates any configured parameter.
Default: --

payload <pattern>
Pattern at a fixed offset in the payload of an 802.11 frame. Specify the pattern to be matched as a string or hex pattern. Maximum length is 32 bytes.
Default: --

offset
When a payload pattern is configured, specify the offset in the payload where the pattern is expected to be found in the frame.
Default: --

seq-num
Sequence number of the frame.
Default: --

src-mac
Source MAC address in the 802.11 frame header.
Default: --

Example
The following command configures a signature profile:
(host) (config) #ids signature-profile floor4
(host) (IDS Signature Profile "floor4") #frame-type assoc
(host) (IDS Signature Profile "floor4") #src-mac 00:00:00:00:00:00
Usage Guidelines
The following describes the configuration for the predefined signature profiles:

AirJack
   frame-type: beacon ssid = AirJack

ASLEAP
   frame-type: beacon ssid = asleap

Deauth-Broadcast
   frame-type: deauth
   dst-mac: ff:ff:ff:ff:ff:ff

Netstumbler Generic
   payload: offset=3 pattern=0x00601d
   payload: offset=6 pattern=0x0001

Netstumbler Version 3.3.0x
   payload: offset=3 pattern=0x00601d
   payload: offset=12 pattern=0x000102

Null-Probe-Response
   frame-type: probe-response ssid length = 0
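To show how the predefined profiles above translate into frame checks, the following Python matcher evaluates each one against raw 802.11 frames. It is an added example, not AOS-W code: it assumes a 24-byte three-address header, treats "payload" as the frame body after that header, requires every configured field to match, and runs on frames constructed for the example; all function and class names are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

HEADER_LEN = 24  # assumption: three-address 802.11 header, no QoS/HT fields
MGMT_SUBTYPES = {0: "assoc", 4: "probe-request", 5: "probe-response",
                 8: "beacon", 10: "disassoc", 11: "auth", 12: "deauth"}
FIXED_LEN = {"beacon": 12, "probe-response": 12, "probe-request": 0}  # bytes before tags

@dataclass(frozen=True)
class Frame:
    category: str            # mgmt, control or data
    subtype: str             # e.g. beacon; equals category when not decoded
    dst_mac: str
    body: bytes              # everything after the 24-byte header
    ssid: Optional[bytes]    # None when no intact SSID element is present

def find_ssid(tags: bytes) -> Optional[bytes]:
    """Walk the tagged parameters and return element 0 (the SSID)."""
    pos = 0
    while pos + 2 <= len(tags):
        tag, length = tags[pos], tags[pos + 1]
        value = tags[pos + 2:pos + 2 + length]
        if len(value) < length:
            return None      # truncated element: report nothing rather than guess
        if tag == 0:
            return value
        pos += 2 + length
    return None

def parse_frame(raw: bytes) -> Frame:
    if len(raw) < HEADER_LEN:
        raise ValueError("frame shorter than the 802.11 header")
    ftype, sub = (raw[0] >> 2) & 0x3, (raw[0] >> 4) & 0xF
    category = {0: "mgmt", 1: "control", 2: "data"}.get(ftype, "unknown")
    subtype = MGMT_SUBTYPES.get(sub, category) if ftype == 0 else category
    body = raw[HEADER_LEN:]
    ssid = find_ssid(body[FIXED_LEN[subtype]:]) if subtype in FIXED_LEN else None
    dst = ":".join(f"{b:02x}" for b in raw[4:10])
    return Frame(category, subtype, dst, body, ssid)

@dataclass(frozen=True)
class Signature:
    name: str
    frame_type: Optional[str] = None
    ssid: Optional[bytes] = None
    ssid_length: Optional[int] = None
    dst_mac: Optional[str] = None
    payload: Tuple[Tuple[int, bytes], ...] = ()   # (offset, pattern) pairs

    def matches(self, f: Frame) -> bool:
        # Assumption: every configured field must match (logical AND).
        if self.frame_type and self.frame_type not in (f.category, f.subtype):
            return False
        if self.dst_mac and f.dst_mac != self.dst_mac:
            return False
        if self.ssid is not None and f.ssid != self.ssid:
            return False
        if self.ssid_length is not None and (
                f.ssid is None or len(f.ssid) != self.ssid_length):
            return False
        return all(f.body[o:o + len(p)] == p for o, p in self.payload)

def hx(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))

BCAST = "ff:ff:ff:ff:ff:ff"
# Values copied from the predefined signature profile table above.
PREDEFINED = [
    Signature("AirJack", frame_type="beacon", ssid=b"AirJack"),
    Signature("ASLEAP", frame_type="beacon", ssid=b"asleap"),
    Signature("Deauth-Broadcast", frame_type="deauth", dst_mac=BCAST),
    Signature("Netstumbler Generic", payload=((3, hx("00601d")), (6, hx("0001")))),
    Signature("Netstumbler Version 3.3.0x",
              payload=((3, hx("00601d")), (12, hx("000102")))),
    Signature("Null-Probe-Response", frame_type="probe-response", ssid_length=0),
]

def build_frame(fc0: int, dst: str, body: bytes) -> bytes:
    """Assemble a constructed frame; source and BSSID are a made-up address."""
    src = hx("02:00:00:00:00:01")
    return bytes([fc0, 0]) + b"\x00\x00" + hx(dst) + src + src + b"\x00\x00" + body

FIXED = b"\x00" * 12   # zeroed timestamp, beacon interval and capability fields
SAMPLES = {            # constructed frames, not captured traffic
    "airjack_beacon": build_frame(0x80, BCAST, FIXED + b"\x00\x07AirJack"),
    "corp_beacon": build_frame(0x80, BCAST, FIXED + b"\x00\x07CorpNet"),
    "bcast_deauth": build_frame(0xC0, BCAST, b"\x07\x00"),
    "unicast_deauth": build_frame(0xC0, "02:00:00:00:00:02", b"\x07\x00"),
    "null_probe_resp": build_frame(0x50, "02:00:00:00:00:02", FIXED + b"\x00\x00"),
    "stumbler_data": build_frame(
        0x08, BCAST, hx("aaaa0300601d0001") + b"\x00" * 4 + hx("000102")),
}

def match_all(raw: bytes):
    """Return the names of all predefined profiles that match one raw frame."""
    frame = parse_frame(raw)
    return [s.name for s in PREDEFINED if s.matches(frame)]

if __name__ == "__main__":
    print({label: match_all(raw) for label, raw in SAMPLES.items()})
```

The two negative samples (an ordinary beacon and a unicast deauthentication frame) match nothing, which is the behaviour to confirm before relying on a user-defined signature.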

Command History

AOS-W 3.0: Command Introduced


Command Information

Platform: Available on all platforms
License: Requires the RFprotect license
Command Mode: Config mode on master switches


ids unauthorized-device-profile
ids unauthorized-device-profile <name>
   adhoc-using-valid-ssid-quiet-time <seconds>
   allow-well-known-mac [hsrp|iana|local-mac|vmware|vmware1|vmware2|vmware3]
   cfg-valid-11a-channel <channel>
   cfg-valid-11g-channel <channel>
   classification
   clone <profile>
   detect-adhoc-network
   detect-adhoc-using-valid-ssid
   detect-bad-wep
   detect-ht-greenfield
   detect-invalid-mac-oui
   detect-misconfigured-ap
   detect-sta-assoc-to-rogue
   detect-unencrypted-valid-client
   detect-valid-client-misassociation
   detect-valid-ssid-misuse
   detect-windows-bridge
   detect-wireless-bridge
   detect-wireless-hosted-network
   mac-oui-quiet-time <seconds>
   no ...
   oui-classification
   overlay-classification
   privacy
   prop-wm-classification
   protect-adhoc-enhanced
   protect-adhoc-network
   protect-high-throughput
   protect-ht-40mhz
   protect-misconfigured-ap
   protect-ssid
   protect-valid-sta
   protect-windows-bridge
   protect-wireless-hosted-network
   require-wpa
   rogue-containment
   suspect-rogue-conf-level <level>
   suspect-rogue-containment
   unencrypted-valid-client-quiet-time
   valid-and-protected-ssid <ssid>
   valid-oui <oui>
   valid-wired-mac <macaddr>
   wireless-bridge-quiet-time <seconds>
   wireless-hosted-network-quiet-time
Description
This command configures detection of unauthorized devices, as well as rogue AP detection and containment.


Syntax
<profile>
Name that identifies an instance of the profile. The name must be 1-63 characters.
Range: --; Default: "default"

adhoc-using-valid-ssid-quiet-time
Time to wait, in seconds, after detecting an adhoc network using a valid SSID, after which the check can be resumed.
Range: 60-360000; Default: 900 seconds

allow-well-known-mac
Allows devices with known MAC addresses to classify rogue APs. Depending on your network, configure one or more of the following options for classifying rogue APs:
- hsrp: Routers configured for HSRP, a Cisco-proprietary redundancy protocol, with the HSRP MAC OUI 00:00:0c.
- iana: Routers using the IANA MAC OUI 00:00:5e.
- local-mac: Devices with locally administered MAC addresses starting with 02.
- vmware: Devices with any of the following VMWare OUIs: 00:0c:29, 00:05:69, or 00:50:56
- vmware1: Devices with VMWare OUI 00:0c:29.
- vmware2: Devices with VMWare OUI 00:05:69.
- vmware3: Devices with VMWare OUI 00:50:56.
If you modify an existing configuration, the new configuration overrides the original configuration. For example, if you configure allow-well-known-mac hsrp and then configure allow-well-known-mac iana, the original configuration is lost. To add more options to the original configuration, include all of the required options, for example: allow-well-known-mac hsrp iana.
Use caution when configuring this command. If the neighboring network uses similar routers, those APs might be classified as rogues. If containment is enabled, clients attempting to associate to an AP classified as a rogue are disconnected through a denial of service attack.
To clear the well known MACs in the system, use the following commands:
- clear wms wired-mac: This clears all of the learned wired MAC information on the switch.
- reload: This reboots the switch.
Range: --; Default: --

cfg-valid-11a-channel
List of valid 802.11a channels that third-party APs are allowed to use.
Range: 34-165; Default: N/A


cfg-valid-11g-channel
List of valid 802.11b/g channels that third-party APs are allowed to use.
Range: 1-14; Default: N/A

classification
Enable/disable rogue AP classification. A rogue AP is one that is unauthorized and plugged into the wired side of the network. Any other AP seen in the RF environment that is not part of the valid enterprise network is considered to be interfering; it has the potential to cause RF interference but it is not connected to the wired network and thus does not represent a direct threat.
Range: --; Default: true

clone
Name of an existing IDS rate thresholds profile from which parameter values are copied.
Range: --; Default: --

detect-adhoc-network
Enable detection of adhoc networks.
Range: --; Default: false

detect-adhoc-using-valid-ssid
Enable/disable detection of adhoc networks using valid/protected SSIDs
Range: --; Default: enable

detect-bad-wep
Enables detection of WEP initialization vectors that are known to be weak and/or repeating. A primary means of cracking WEP keys is to capture 802.11 frames over an extended period of time and search for implementations that are still used by many legacy devices.
Range: --; Default: false

detect-ht-greenfield
Enables or disables detection of high-throughput devices advertising greenfield preamble capability.
Range: --; Default: false

detect-invalid-mac-oui
Enables checking of the first three bytes of a MAC address, known as the organizationally unique identifier (OUI), assigned by the IEEE to known manufacturers. Often clients using a spoofed MAC address do not use a valid OUI and instead use a randomly generated MAC address. Enabling MAC OUI checking causes an alarm to be triggered if an unrecognized MAC address is in use.
Range: --; Default: false

detect-misconfigured-ap
Enables detection of misconfigured APs. An AP is classified as misconfigured if it is classified as valid and does not meet any of the following configurable parameters:
- valid channels
- encryption type
- list of valid AP MAC OUIs
- valid SSID list
Range: --; Default: false

detect-sta-assoc-to-rogue
Enable/disable detection of station association to rogue AP.
Default: enable

detect-unencrypted-valid-client
Enable/disable detection of unencrypted valid clients.
Range: --; Default: enable


detect-valid-client-misassociation
Enable/disable detection of misassociation between a valid client and an unsafe AP. This setting can detect the following misassociation types:
- MisassociationToRogueAP
- MisassociationToExternalAP
- MisassociationToHoneypotAP
- MisassociationToAdhocAP
- MisassociationToHostedAP
Range: --; Default: enable

detect-valid-ssid-misuse
Enable/disable detection of Interfering or Neighbor APs using valid/protected SSIDs.
Range: --; Default: disable

detect-windows-bridge
Enables detection of Windows station bridging.
Range: --; Default: true

detect-wireless-bridge
Enables detection of wireless bridging.
Range: --; Default: false

detect-wireless-hosted-network
If enabled, this feature can detect the presence of a wireless hosted network. When a wireless hosted network is detected this feature sends a "Wireless Hosted Network" warning level security log message and the wlsxWirelessHostedNetworkDetected SNMP trap.
If there are clients associated to the hosted network, this feature will send a "Client Associated To Hosted Network" warning level security log message and the wlsxClientAssociatedToHostedNetworkDetected SNMP trap.
Range: --; Default: enable

mac-oui-quiet-time
Time, in seconds, that must elapse after an invalid MAC OUI alarm has been triggered before another identical alarm may be triggered.
Range: 60-360000 seconds; Default: 900 seconds

no
Negates any configured parameter.
Range: --; Default: --

oui-classification
Enable/disable OUI based rogue AP classification
Range: --; Default: enable

overlay-classification
Enable/disable overlay rogue AP classification
Range: --; Default: enable

privacy
Enables encryption as a valid AP configuration.
Range: --; Default: false

prop-wm-classification
Enable/disable rogue AP classification through propagated wired MACs
Range: --; Default: true

protect-adhoc-enhanced
Enables advanced protection from adhoc networks, including adhoc networks in open mode. When enhanced adhoc containment is carried out, a new repeatable event, syslog and SNMP trap will be generated for each containment event.
Range: --; Default: false


protect-adhoc-network
Enables protection from adhoc networks. When adhoc networks are detected, they are disabled using a denial of service attack.
Range: --; Default: false

protect-high-throughput
Enables or disables protection of high-throughput (802.11n) devices.
Range: --; Default: false

protect-ht-40mhz
Enables or disables protection of high-throughput (802.11n) devices operating in 40 MHz mode.
Range: --; Default: false

protect-misconfigured-ap
Enables protection of misconfigured APs.
Range: --; Default: false

protect-ssid
Enables use of SSID by valid APs only.
Range: --; Default: false

protect-valid-sta
When enabled (true), does not allow valid stations to connect to a non-valid AP.
Range: --; Default: false

protect-windows-bridge
Enable/disable protection of a windows station bridging
Range: --; Default: disabled

protect-wireless-hosted-network
When you enable the wireless hosted network protection feature, the switch enforces containment on a wireless hosted network by launching a denial of service attack to disrupt associations between a Windows 7 software-enabled Access Point (softAP) and a client, and disrupt associations between the client that is hosting the softAP and any access point to which the host connects.
When a wireless hosted network triggers this feature, wireless hosted network protection sends the Wireless Hosted Network Containment and Host of Wireless Network Containment warning level security log messages, and the wlsxWirelessHostedNetworkContainment and wlsxHostOfWirelessNetworkContainment SNMP traps.
NOTE: The existing generic containment SNMP traps and log messages will also be sent when Wireless Hosted Network Containment or Host of Wireless Network Containment is enforced.
Range: --; Default: disabled

require-wpa
When enabled (true), any valid AP that is not using WPA encryption is flagged as misconfigured.
Range: --; Default: false

rogue-containment
Rogue APs can be detected (see classification) but are not automatically disabled. This option automatically shuts down rogue APs. When this option is enabled (true), clients attempting to associate to an AP classified as a rogue are disconnected through a denial of service attack.
Range: --; Default: false

suspect-rogue-conf-level
Confidence level of suspected Rogue AP to trigger containment.
When an AP is classified as a suspected rogue AP, it is assigned a 50% confidence level. If multiple APs trigger the same events that classify the AP as a suspected rogue, the confidence level increases by 5% up to 95%.
In combination with suspected rogue containment, this option configures the threshold by which containment should occur. Suspected rogue containment occurs only when the configured confidence level is met.
Range: 50-100%; Default: 60%

suspect-rogue-containment
Suspected rogue APs are treated as interfering APs, thereby the switch attempts to reclassify them as rogue APs. Suspected rogue APs are not automatically contained. In combination with the configured confidence level (see suspect-rogue-conf-level), this option contains the suspected rogue APs.
Range: --; Default: false

unencrypted-valid-client-quiet-time
Time to wait, in seconds, after detecting an unencrypted valid client after which the check can be resumed.
Range: 60-360000 seconds; Default: 900 seconds

valid-and-protected-ssid
List of valid and protected SSIDs.
Range: --; Default: --

valid-oui
List of valid MAC OUIs.
Range: --; Default: --

valid-wired-mac
List of MAC addresses of wired devices in the network, typically gateways or servers.
Range: --; Default: --

wireless-bridge-quiet-time
Time, in seconds, that must elapse after a wireless bridge alarm has been triggered before another identical alarm may be triggered.
Range: 60-360000 seconds; Default: 900 seconds

wireless-hosted-network-quiet-time
The wireless hosted network detection feature sends a log message and trap when a wireless hosted network is detected. The quiet time defined by this parameter sets the amount of time, in seconds, that must elapse after a wireless hosted network log message or trap has been triggered before an identical log message or trap can be sent again.
Range: 60-360000 seconds; Default: 900 seconds

Usage Guidelines
Unauthorized device detection includes the ability to detect and disable rogue APs and other devices that can potentially disrupt network operations.
Example
The following command copies the settings from the ids-unauthorized-device-disabled profile and then enables detection and protection from adhoc networks:
(host) (config) #ids unauthorized-device-profile floor7
(host) (IDS Unauthorized Device Profile "floor7") #unauth1
(host) (IDS Unauthorized Device Profile "floor7") #clone ids-unauthorized-device-disable
(host) (IDS Unauthorized Device Profile "floor7") #detect-adhoc-network
(host) (IDS Unauthorized Device Profile "floor7") #protect-adhoc-network


Command History
AOS-W 3.0: Command introduced
AOS-W 3.3: Update with support for the high-throughput IEEE 802.11n standard. Also, introduced allow-well-known-mac, suspect-rogue-conf-level, and suspect-rogue-containment parameters.
AOS-W 6.0: Deprecated predefined profiles
AOS-W 6.1: Added the detect-valid-ssid-misuse parameter to internally generate a list of valid SSIDs to use in addition to the user configured list of Valid and Protected SSIDs.
AOS-W 6.2: Added the following parameters:
- protect-adhoc-enhanced
- detect-wireless-hosted-network
- wireless-hosted-network-quiet-time
- protect-wireless-hosted-network

Deprecated Predefined Profiles
IDS Unauthorized Device profile:
- ids-unauthorized-device-disabled
- ids-unauthorized-device-medium-setting
- ids-unauthorized-device-high-setting
Command Information

Platform: Available on all platforms
License: Requires the RFprotect license
Command Mode: Config mode on master switches


ids wms-general-profile
wms general
   adhoc-ap-ageout-interval <adhoc-ap-ageout-interval>
   ap-ageout-interval <ap-ageout-interval>
   collect-stats
   learn-ap
   learn-system-wired-macs
   no
   persistent-neighbor
   persistent-valid-sta
   poll-interval <poll-interval>
   poll-retries <poll-retries>
   propagate-wired-macs
   sta-ageout-interval <sta-ageout-interval>
   stat-update
Description
This command configures the WLAN management system (WMS).
Syntax

adhoc-ap-ageout-interval <adhoc-ap-ageout-interval>
Time, in minutes, that an adhoc (IBSS) AP remains unseen before it is deleted (ageout) from the database.
Range: ?; Default: 30 minutes

ap-ageout-interval <ap-ageout-interval>
Time, in minutes, that an AP remains unseen by any probes before it is deleted from the database.
Range: ?; Default: 30 minutes

collect-stats
Enables collection of statistics (up to 25,000 entries) on the master switch for monitored APs and clients. This only applies when OV-MM-SW is not configured.
Range: --; Default: disabled

learn-ap
Enables "learning" of non-Alcatel-Lucent APs.
Range: --; Default: disabled

learn-system-wired-macs
Enable or disable "learning" of wired MACs at the switch.
Range: --; Default: disabled

no
Negates any configured parameter.
Range: --; Default: --

persistent-neighbor
Do not age out known AP neighbors.
Range: --; Default: disabled

persistent-valid-sta
Do not age out valid stations.
Range: --; Default: ?

poll-interval <poll-interval>
Interval, in milliseconds, for communication between the switch and Alcatel-Lucent AMs. The switch contacts the AM at this interval to download AP to station associations, update policy configuration changes, and download AP and station statistics.
Range: (any); Default: 60000 milliseconds (1 minute)

poll-retries <poll-retries>
Maximum number of failed polling attempts before the polled AM is considered to be down.
Range: (any); Default: 2


propagate-wired-macs
Enables the propagation of the gateway wired MAC information.
Range: --; Default: enabled

sta-ageout-interval <sta-ageout-interval>
Time, in minutes, that a client remains unseen by any probes before it is deleted from the database.
Range: ?; Default: 30 minutes

stat-update
Enables statistics updating in the database.
Range: --; Default: enabled

Usage Guidelines
By default, non-Alcatel-Lucent APs that are connected on the same wired networks as Alcatel-Lucent APs are classified as "rogue" APs. Enabling AP learning classifies non-Alcatel-Lucent APs as "valid" APs. Typically, you would want to enable AP learning in environments with large numbers of existing non-Alcatel-Lucent APs and leave AP learning enabled until all APs in the network have been detected and classified as valid. Then, disable AP learning and reclassify any unknown APs as interfering.
VLAN Trunking
In deployments where Alcatel-Lucent APs are not placed on every VLAN and where it is not possible to trunk all VLANs to an Alcatel-Lucent AP, enable the parameter learned-system-wired-mac. When this is enabled, AOS-W is able to classify rogues on all the VLANs that belong to the Alcatel-Lucent switch, as long as Alcatel-Lucent APs can see the rogues in the air. If there are VLANs in the network residing on a third party switch and if those VLANs are trunked to a port on the Alcatel-Lucent switch, enabling this feature will allow detection of rogues on those VLANs as well.
Master/Local
When learned-system-wired-mac is enabled in a master/local deployment, the learning of Wired and Gateway MACs will happen at each local switch. For topologies with local switches in geographical locations, the local switch collects the Wired and Gateway MAC info and passes it to the APs that are connected to it. Even though the locals do the collection of Wired and Gateway MACs, the master is still responsible for classification.
Example
The following command enables AP learning:
(host)(IDS WMS General Profile) #learn-ap
To disable AP learning:
(host)(IDS WMS General Profile) #no learn-ap
Command History

AOS-W 3.0: Command introduced
AOS-W 6.1: Added parameter learned-system-wired-mac

Command Information

Platforms: All platforms
Licensing: Base operating system
Command Mode: Config mode on master switches


Interface cellular
interface cellular
   ip access-group <name> session
Description
This command allows you to specify an ingress or egress ACL to the cellular interface of an EVDO modem.
Syntax

<name>
Enter the name or number of the access group you want to apply to the EVDO modem.

Example
(host) (config-cell)#ip access-group 3 session
Related Command

show interface cellular access-group
List the Access groups configured on the cellular interface

Command History
AOS-W 5.0: Command introduced

Command Information

Platforms: OAW-4306 Series
Licensing: Base operating system
Command Mode: Configuration Mode (config-cell)


interface fastethernet | gigabitethernet
interface {fastethernet|gigabitethernet} <slot>/<port>
   description <string>
   duplex {auto|full|half}
   ip access-group <acl> {in|out|session {vlan <vlanId>}}
   tunneled-node-port
   no ...
   poe [cisco]
   port monitor {fastethernet|gigabitethernet} <slot>/<port>
   priority-map <name>
   shutdown
   spanning-tree [cost <value>] [port-priority <value>] [portfast]
   speed {10|100|auto}
   switchport {access vlan <vlan>|mode {access|trunk}|
      trunk {allowed vlan {<vlans>|add <vlans>|all|except <vlans>|remove <vlans>}|
      native vlan <vlan>}}
   trusted {vlan <word>}
   xsec {point-to-point <macaddr> <key> allowed vlan <vlans> [<mtu>]|vlan <vlan>}
Description
This command configures a FastEthernet or GigabitEthernet interface on the switch.
Syntax

<slot>
<slot> is always 1 except for the OAW-6000 switches, where the slots can be 0, 1, 2, or 3.
Range: --; Default: --

<port>
Number assigned to the network interface embedded in the switch. Port numbers start at 0 from the left-most position.
Range: --; Default: --

description
String that describes this interface.
Range: --; Default: --

duplex
Transmission mode on the interface: full or half-duplex or auto to automatically adjust transmission.
Range: auto/full/half; Default: auto

ip access-group
Applies the specified access control list (ACL) to the interface. Use the ip access-list command to configure an ACL.
NOTE: This parameter requires the PEFNG license.
Range: --; Default: --

in
Applies ACL to interface's inbound traffic.
Range: --; Default: --

out
Applies ACL to interface's outbound traffic.
Range: --; Default: --

session
Applies session ACL to interface and optionally to a selected VLAN associated with this port.
Range: --; Default: --

tunneled-node-port
Enable tunneled node capability on the interface.
Range: --; Default: disabled

no
Negates any configured parameter.
Range: --; Default: --


poe
Enables Power-over-Ethernet (PoE) on the interface.
Range: --; Default: enabled

cisco
Enables Cisco-style PoE on the interface.
Range: --; Default: disabled

port monitor
Monitors another interface on the switch.
Range: --; Default: --

priority-map
Applies a priority map to the interface. Use the priority-map command to configure a priority map which allows you to map ToS and CoS values into high priority traffic queues.
Range: --; Default: --

shutdown
Causes a hard shutdown of the interface.
Range: --; Default: --

spanning-tree
Enables Rapid spanning tree or Per-VLAN spanning tree
Range: --; Default: enabled

cost
Administrative cost associated with the spanning tree.
Range: 1-65535; Default: 19 (Fast Ethernet), 4 (Gigabit Ethernet)

port-priority
Spanning tree priority of the interface. A lower setting brings the port closer to root port position (favorable for forwarding traffic) than does a higher setting. This is useful if ports may contend for root position if they are connected to an identical bridge.
Range: 0-255; Default: 128

portfast
Enables forwarding of traffic from the interface.
Range: --; Default: disabled

speed
Sets the interface speed: 10 Mbps, 100 Mbps, or auto configuration.
Range: 10|100|auto; Default: auto

switchport
Sets switching mode parameters for the interface.
Range: --; Default: --

access vlan
Sets the interface as an access port for the specified VLAN. The interface carries traffic only for the specified VLAN.
Range: --; Default: 1

mode
Sets the mode of the interface to access or trunk mode only.
Range: access|trunk; Default: access

trunk
Sets the interface as a trunk port for the specified VLANs. A trunk port carries traffic for multiple VLANs using 802.1q tagging to mark frames for specific VLANs. You can include all VLANs configured on the switch, or add or remove specified VLANs. Specify native to identify the native VLAN for the trunk mode interface. Frames on the native VLAN are not 802.1q tagged.
Range: --; Default: --

trusted
Set this interface and range of VLANs to be trusted. VLANs not included in the trusted range of VLANs will be, by default, untrusted.
Trusted ports and VLANs are typically connected to internal controlled networks, while untrusted ports connect to third-party APs, public areas, or other networks to which access controls should be applied. When Alcatel-Lucent APs are attached directly to the switch, set the port to be trusted.
Range: --; Default: enabled

vlan <word>
Sets the supplied range of VLANs as trusted. All remaining become untrusted automatically. For example, if you set a VLAN range as:
vlan 1-10, 100-300, 301, 305-400, 501-4094
then all VLANs in this range are trusted and all others become untrusted by default. You can also use the no trusted vlan command to explicitly make an individual VLAN untrusted. The no trusted vlan command is additive and adds given VLANs to the existing untrusted VLAN set. However, if you execute the trusted vlan <word> command, it overrides any earlier untrusted VLANs or a range of untrusted VLANs and creates a new set of trusted VLANs.
NOTE: A port supports a user VLAN range from 1-4094. If you want to set all VLANs (1-4094) on a port as untrusted then mark the port itself as untrusted. By default the port and all its associated VLANs are trusted.
Range: 1-4094; Default: --

xsec
Enables and configures the Extreme Security (xSec) protocol.
NOTE: You must purchase and install the xSec software module license in the switch.
Range: --; Default: --

point-to-point
MAC address of the switch that is the xSec tunnel termination point, and the 16-byte shared key used to authenticate the switches to each other. The key must be the same on both switches.
Range: --; Default: --

allowed vlan
VLANs that are allowed on the xSec tunnel.
Range: --; Default: --

mtu
(Optional) MTU size for the xSec tunnel.
Range: --; Default: --

vlan
xSec VLAN ID. For switch-to-switch communications, both switches must belong to the same VLAN.
Range: 1-4094; Default: --
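The override and additive behaviour of trusted vlan <word> and no trusted vlan described in the table above is easy to misjudge when auditing a port's trust state. The Python model below is an added example, not AOS-W code; PortTrust and the helper names are hypothetical. It replays the VLAN list from the parameter description and shows that a later trusted vlan command discards VLANs that were explicitly marked untrusted.

```python
ALL_VLANS = frozenset(range(1, 4095))   # user VLAN range 1-4094


def parse_vlan_word(word):
    """Expand a list such as '1-10, 100-300, 301' into a set of VLAN IDs."""
    vlans = set()
    for part in word.split(","):
        part = part.strip()
        if not part:
            raise ValueError(f"empty entry in {word!r}")
        first, _, last = part.partition("-")
        low = int(first)
        high = int(last) if last else low
        if not 1 <= low <= high <= 4094:
            raise ValueError(f"VLAN range out of bounds: {part!r}")
        vlans.update(range(low, high + 1))
    return vlans


def to_ranges(vlans):
    """Collapse a set of VLAN IDs back into 'a-b,c' form for review."""
    spans = []
    for vlan in sorted(vlans):
        if spans and vlan == spans[-1][1] + 1:
            spans[-1][1] = vlan
        else:
            spans.append([vlan, vlan])
    return ",".join(str(a) if a == b else f"{a}-{b}" for a, b in spans)


class PortTrust:
    """Trust state of one port, following the parameter description above."""

    def __init__(self):
        self.port_trusted = True   # default: the port and all its VLANs are trusted
        self.untrusted = set()

    def trusted_vlan(self, word):
        # Overrides: builds a new trusted set and drops earlier untrusted entries.
        self.untrusted = set(ALL_VLANS - parse_vlan_word(word))

    def no_trusted_vlan(self, word):
        # Additive: extends the existing untrusted set.
        self.untrusted |= parse_vlan_word(word)

    def is_trusted(self, vlan):
        return self.port_trusted and vlan not in self.untrusted


def demo():
    """Return the untrusted VLANs after each of three configuration steps."""
    port, steps = PortTrust(), []
    port.trusted_vlan("1-10, 100-300, 301, 305-400, 501-4094")
    steps.append(to_ranges(port.untrusted))
    port.no_trusted_vlan("5")            # VLAN 5 joins the untrusted set
    steps.append(to_ranges(port.untrusted))
    port.trusted_vlan("1-20")            # VLAN 5 is trusted again
    steps.append(to_ranges(port.untrusted))
    return steps


if __name__ == "__main__":
    for untrusted in demo():
        print("untrusted VLANs:", untrusted)
```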

Usage Guidelines
Use the show port status command to obtain information about the interfaces available on the switch.
Example
The following commands configure an interface as a trunk port for a set of VLANs:
(host) (config) # interface fastethernet 1/2
(host) (config-range)# switchport mode trunk
(host) (config-range)# switchport trunk native vlan 10
(host) (config-range)# switchport trunk allowed vlan 1,10,100
The following commands configure trunk port 1/2 with test-acl session for VLAN 2.
(host) (config) # interface range fastethernet 1/2
(host) (config-range)# switchport mode trunk
(host) (config-range)# ip access-group
(host) (config-range) # ip access-group test session vlan 2
Related Commands
(host) #show interface {fastethernet|gigabitethernet} <slot>/<port>
(host) #show datapath port vlan-table <slot>/<port>
Command History

AOS-W 3.0: Command introduced
AOS-W 3.4: The trusted VLAN and ip access-group session vlan parameters were introduced.
AOS-W 3.4.1: The trusted vlan <word> parameter was added.
AOS-W 6.1: The parameter muxport was changed to tunneled-node-port

Command Information

Platforms: All platforms
Licensing: This command is available in the base operating system. The ip access-group parameter requires the PEFNG license. The xsec parameter requires the xSec license.
Command Mode: Config mode on master and local switches


interface loopback
interface loopback
   ip address <ipaddr>
   ipv6 address <ipv6-prefix>
   no ...
Description
This command configures the loopback address on the switch.
Syntax

ip address
Host IP address in dotted-decimal format. This address should be routable from all external networks.

ipv6 address
Host IPv6 address that is routable from all external networks.

no
Negates any configured parameter.

Usage Guidelines
If configured, the loopback address is used as the switch's IP address. If you do not configure a loopback address for the switch, the IP address assigned to VLAN 1 is used as the switch's IP address. After you configure or modify a loopback address, you need to reboot the switch.
Example
The following command configures a loopback address:
(host) (config) #interface loopback
ip address 10.2.22.220
Command History

AOS-W 3.0: Command introduced
AOS-W 6.1: The parameter ipv6 address was added.

Command Information

Platforms: All platforms
Licensing: This command is available in the base operating system
Command Mode: Config mode on master and local switches


interface mgmt
interface mgmt
   dhcp
   ip address <ipaddr> <netmask>
   ipv6 address <ipv6-prefix/prefix-length>
   no ...
   shutdown
Description
This command configures the out-of-band Ethernet management port on an OAW-6000 switch.
Syntax

dhcp
Enables DHCP on the interface.

ip address
Configures an IP address and netmask on the interface.

ipv6 address <ipv6-prefix/prefix-length>
Configures an IPv6 address on the interface.

no
Negates any configured parameter.

shutdown
Causes a hard shutdown of the interface.

Usage Guidelines
This command applies to the OmniAccess Supervisor Card III. Use the show interface mgmt command to view the current status of the management port.
Example
The following command configures an IP address on the management interface:
(host) (config) #interface mgmt
ip address 10.1.1.1 255.255.255.0
Platform Availability
This command is only available on the OAW-6000 switch.
Command History

Release AOS-W 3.0 AOS-W 6.1

Modification Command introduced The parameter ipv6 address was added.


Command Information

Platforms OAW-6000 switches

Licensing Base operating system

Command Mode Config mode on master and local switches


interface port-channel
interface port-channel <id>
   add {fastethernet|gigabitethernet} <slot>/<port>
   del {fastethernet|gigabitethernet} <slot>/<port>
   ip access-group <acl> {in|out|session {vlan <vlanId>}}
   no ...
   shutdown
   spanning-tree [portfast]
   switchport {access vlan <vlan>|mode {access|trunk}|
      trunk {allowed vlan {<vlans>|add <vlans>|all|except <vlans>|remove <vlans>|
      native vlan <vlan>}
   trusted {vlan <word>}
   xsec {point-to-point <macaddr> <key> allowed vlan <vlans> [<mtu>]|vlan <vlan>}
Description
This command configures an Ethernet port channel.
Syntax

Parameter | Description | Range | Default
port-channel | ID number for this port channel. | 0-7 | --
add | Adds the specified FastEthernet or GigabitEthernet interface to the port channel. You cannot specify both FastEthernet and GigabitEthernet interfaces for the same port channel. | -- | --
del | Deletes the specified FastEthernet or GigabitEthernet interface from the port channel. | -- | --
ip access-group | Applies the specified access control list (ACL) to the interface. Use the ip access-list command to configure an ACL. NOTE: This command requires the PEFNG license. | -- | --
in | Applies ACL to interface's inbound traffic. | -- | --
out | Applies ACL to interface's outbound traffic. | -- | --
session | Applies session ACL to interface and optionally to a selected VLAN associated with this port. | -- | --
no | Negates any configured parameter. | -- | --
shutdown | Causes a hard shutdown of the interface. | -- | --
spanning-tree | Enables spanning tree. | -- | --
portfast | Enables forwarding of traffic from the interface. | -- | --
switchport | Sets switching mode parameters for the interface. | -- | --
access vlan | Sets the interface as an access port for the specified VLAN. The interface carries traffic only for the specified VLAN. | -- | --
mode | Sets the mode of the interface to access or trunk mode only. | -- | --
trunk | Sets the interface as a trunk port for the specified VLANs. A trunk port carries traffic for multiple VLANs using 802.1q tagging to mark frames for specific VLANs. You can include all VLANs configured on the switch, or add or remove specified VLANs. | -- | --
native | Specifies the native VLAN for the trunk mode interface. Frames on the native VLAN are not 802.1q tagged. | -- | --
trusted | Set this interface and range of VLANs to be trusted. VLANs not included in the trusted range of VLANs will be, by default, untrusted. Trusted ports and VLANs are typically connected to internal controlled networks, while untrusted ports connect to third-party APs, public areas, or other networks to which access controls should be applied. When Alcatel-Lucent APs are attached directly to the switch, set the port to be trusted. | -- | disabled
vlan <word> | Sets the supplied range of VLANs as trusted. All remaining become untrusted automatically. For example, if you set a VLAN range as: vlan 1-10, 100-300, 301, 305-400, 501-4094 then all VLANs in this range are trusted and all others become untrusted by default. You can also use the no trusted vlan command to explicitly make an individual VLAN untrusted. The no trusted vlan command is additive and adds given VLANs to the existing untrusted VLAN set. However, if you execute the trusted vlan <word> command, it overrides any earlier untrusted VLANs or a range of untrusted VLANs and creates a new set of trusted VLANs. NOTE: A port supports a user VLAN range from 1-4094. If you want to set all VLANs (1-4094) on a port as untrusted then mark the port itself as untrusted. By default the port and all its associated VLANs are trusted. | 1-4094 | --
xsec | Enables and configures the Extreme Security (xSec) protocol. NOTE: You must purchase and install the xSec software module license in the switch. | -- | --
point-to-point | MAC address of the switch that is the xSec tunnel termination point, and the 16-byte shared key used to authenticate the switches to each other. The key must be the same on both switches. | -- | --
allowed vlan | VLANs that are allowed on the xSec tunnel. | -- | --
mtu | (Optional) MTU size for the xSec tunnel. | -- | --
vlan | xSec VLAN ID. For switch-to-switch communications, both switches must belong to the same VLAN. | 1-4094 | --

Usage Guidelines
A port channel allows you to aggregate ports on a switch. You can configure a maximum of 8 port channels per supported switch with a maximum of 8 interfaces per port channel.


Note the following when setting up a port channel between a switch and a Cisco switch (such as a Catalyst 6500 Series Switch):
- There must be no negotiation of the link parameters.
- The port-channel mode on the Cisco switch must be "on".
Example
The following command configures a port channel:
(host) (config) #interface port-channel 7
   add fastethernet 1/1
   add fastethernet 1/2
Command History

Release | Modification
AOS-W 3.0 | Command introduced
AOS-W 3.4 | The trusted VLAN and ip access-group session vlan parameters were introduced.
AOS-W 3.4.1 | The trusted vlan <word> parameter was added.

Command Information

Platforms OAW-4324 and OAW-6000 switch, and

Licensing This command is available in the base operating system. The ip access-group parameter requires the PEFNG license. The xsec parameter requires the xSec license.

Command Mode Config mode on master and local switches


interface-profile voip-profile
interface-profile voip-profile <profile-name>
   clone <source>
   no{...}
   voip-dot1p <priority>
   voip-dscp <value>
   voip-mode [auto-discover | static]
   voip-vlan <VLAN-ID>
Description
This command creates a VoIP profile that can be applied to any interface or an interface group.
Syntax

Parameter | Description | Range | Default
<profile-name> | Name of the VoIP profile. | 1-32 characters; cannot begin with a numeric character | --
voip-dot1p <priority> | Specifies the dot1p priority. | -- | --
voip-dscp <value> | Specifies the DSCP value for the voice VLAN. | -- | --
voip-mode [auto-discover|static] | Specifies the mode of VoIP operation. auto-discover: operates VoIP in auto-discovery mode. static: operates VoIP in static mode. | -- | static
voip-vlan <vlan id> | Specifies the Voice VLAN ID. | -- | --

Usage Guidelines
Use this command to create VoIP VLANs for VoIP phones. Creating a VoIP profile does not apply the configuration to any interface or interface group. To apply the VoIP profile, use the interface gigabitethernet and interface-group commands.
Example
The following command configures a VoIP profile:
interface-profile voip-profile VoIP_PHONES
   voip-dot1p 100
   voip-dscp 125
   voip-mode auto-discover
   voip-vlan 126


Command History
This command was introduced in AOS-W

Release AOS-W 6.2

Modification Command introduced.

Command Information

Platforms All platforms

Licensing Base operating system

Command Mode Config mode on master and local switches


interface range
interface range {fastethernet|gigabitethernet} <slot>/<port>-<port>
   duplex {auto|full|half}
   ip access-group <acl> {in|out|session {vlan <vlanId>}}
   no ...
   poe [cisco]
   shutdown
   spanning-tree [cost <value>] [port-priority <value>] [portfast]
   speed {10|100|auto}
   switchport {access vlan <vlan>|mode {access|trunk}|
      trunk {allowed vlan {<vlans>|add <vlans>|all|except <vlans>|remove <vlans>}|
      native vlan <vlan>}}
   trusted {vlan <word>}
Description
This command configures a range of FastEthernet or GigabitEthernet interfaces on the switch.
Syntax

Parameter | Description | Range | Default
range | Range of Ethernet ports in the format <slot>/<port>-<port>. | -- | --
duplex | Transmission mode on the interface: full- or half-duplex or auto to automatically adjust transmission. | auto/full/half | auto
ip access-group | Applies the specified access control list (ACL) to the interface. Use the ip access-list command to configure an ACL. | -- | --
in | Applies ACL to interface's inbound traffic. | -- | --
out | Applies ACL to interface's outbound traffic. | -- | --
session | Applies session ACL to interface and optionally to a selected VLAN associated with this port. | -- | --
no | Negates any configured parameter. | -- | --
poe | Enables Power-over-Ethernet (PoE) on the interface. | -- | --
cisco | Enables Cisco-style PoE on the interface. | -- | --
shutdown | Causes a hard shutdown of the interface. | -- | --
spanning-tree | Enables spanning tree. | -- | --
cost | Administrative cost associated with the spanning tree. | 1-65535 | --
port-priority | Spanning tree priority of the interface. A lower setting brings the port closer to root port position (favorable for forwarding traffic) than does a higher setting. This is useful if ports may contend for root position if they are connected to an identical bridge. | 0-255 |
portfast | Enables forwarding of traffic from the interface. | -- | --
speed | Sets the interface speed: 10 Mbps, 100 Mbps, or auto configuration. | 10|100|auto | auto
switchport | Sets switching mode parameters for the interface. | -- | --
access vlan | Sets the interface as an access port for the specified VLAN. The interface carries traffic only for the specified VLAN. | -- | --
mode | Sets the mode of the interface to access or trunk mode only. | -- | --
trunk | Sets the interface as a trunk port for the specified VLANs. A trunk port carries traffic for multiple VLANs using 802.1q tagging to mark frames for specific VLANs. You can include all VLANs configured on the switch, or add or remove specified VLANs. Specify native to identify the native VLAN for the trunk mode interface. Frames on the native VLAN are not 802.1q tagged. | -- | --
trusted | Set this interface and range of VLANs to be trusted. VLANs not included in the trusted range of VLANs will be, by default, untrusted. Trusted ports and VLANs are typically connected to internal controlled networks, while untrusted ports connect to third-party APs, public areas, or other networks to which access controls should be applied. When Alcatel-Lucent APs are attached directly to the switch, set the port to be trusted. | -- | enabled
vlan <word> | Sets the supplied range of VLANs as trusted. All remaining become untrusted automatically. For example, if you set a VLAN range as: vlan 1-10, 100-300, 301, 305-400, 501-4094 then all VLANs in this range are trusted and all others become untrusted by default. You can also use the no trusted vlan command to explicitly make an individual VLAN untrusted. The no trusted vlan command is additive and adds given VLANs to the existing untrusted VLAN set. However, if you execute the trusted vlan <word> command, it overrides any earlier untrusted VLANs or a range of untrusted VLANs and creates a new set of trusted VLANs. NOTE: A port supports a user VLAN range from 1-4094. If you want to set all VLANs (1-4094) on a port as untrusted then mark the port itself as untrusted. By default the port and all its associated VLANs are trusted. | 1-4094 | --
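The replace-versus-additive behaviour of trusted vlan <word> and no trusted vlan, described for both interface port-channel and interface range, modelled as an added Python example (not AOS-W code) that replays trust commands and reports VLANs left trusted by mistake. The PortTrust class, the helper names and the sample command sequence are constructed for illustration; the default-trusted starting state follows the NOTE in the table, and using no trusted to mark the whole port untrusted is an assumption.

```python
"""Model of `trusted vlan <word>` / `no trusted vlan <word>` on one port.

Added illustration, not AOS-W code. Per the parameter table: `trusted vlan`
replaces the trusted set, `no trusted vlan` only adds to the untrusted set.
"""

VLAN_MIN, VLAN_MAX = 1, 4094  # user VLAN range given in the guide
ALL_VLANS = frozenset(range(VLAN_MIN, VLAN_MAX + 1))


def parse_vlan_list(word):
    """Expand a list such as '1-10, 100-300, 301' into a set of VLAN IDs."""
    vlans = set()
    for token in word.split(","):
        first, sep, last = token.strip().partition("-")
        lo = int(first)                      # ValueError on empty/non-numeric
        hi = int(last) if sep else lo
        if lo > hi:
            raise ValueError(f"descending range: {token.strip()!r}")
        if lo < VLAN_MIN or hi > VLAN_MAX:
            raise ValueError(f"outside {VLAN_MIN}-{VLAN_MAX}: {token.strip()!r}")
        vlans.update(range(lo, hi + 1))
    return vlans


def collapse(vlans):
    """Render a set of VLAN IDs as a compact range string for reports."""
    spans = []
    for v in sorted(vlans):
        if spans and v == spans[-1][1] + 1:
            spans[-1][1] = v
        else:
            spans.append([v, v])
    return ",".join(str(a) if a == b else f"{a}-{b}" for a, b in spans)


class PortTrust:
    """Trust state of a single port (hypothetical helper)."""

    def __init__(self):
        # From the NOTE in the table: by default the port and all of its
        # associated VLANs are trusted.
        self.port_trusted = True
        self.trusted = set(ALL_VLANS)

    def apply(self, line):
        words = line.split()
        negate = bool(words) and words[0] == "no"
        if negate:
            words = words[1:]
        if words == ["trusted"]:
            # Assumption: `no trusted` marks the port itself as untrusted.
            self.port_trusted = not negate
        elif words[:2] == ["trusted", "vlan"] and len(words) > 2:
            vlans = parse_vlan_list(" ".join(words[2:]))
            if negate:
                self.trusted -= vlans        # additive to the untrusted set
            else:
                self.trusted = set(vlans)    # overrides every earlier setting
        else:
            raise ValueError(f"not a trust command: {line!r}")

    def untrusted(self):
        if not self.port_trusted:
            return set(ALL_VLANS)
        return ALL_VLANS - self.trusted


def wrongly_trusted(config_lines, must_be_untrusted):
    """Replay trust commands in order and return the VLANs from
    `must_be_untrusted` that nevertheless end up trusted."""
    port = PortTrust()
    for line in config_lines:
        port.apply(line)
    return parse_vlan_list(must_be_untrusted) - port.untrusted()


# Constructed sample: two guest VLAN ranges are marked untrusted, then a later
# `trusted vlan` command silently makes them trusted again.
SAMPLE = [
    "no trusted vlan 20",
    "no trusted vlan 30-31",
    "trusted vlan 1-100",
]

if __name__ == "__main__":
    doc = PortTrust()
    doc.apply("trusted vlan 1-10, 100-300, 301, 305-400, 501-4094")
    print("untrusted after the guide's example:", collapse(doc.untrusted()))
    print("guest VLANs left trusted:", collapse(wrongly_trusted(SAMPLE, "20,30-31")))
```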


Usage Guidelines
Use the show port status command to obtain information about the interfaces available on the switch.
Example
The following command configures a range of interfaces as a trunk port for a set of VLANs:
interface range fastethernet 1/12-15
   switchport mode trunk
   switchport trunk native vlan 10
   switchport trunk allowed vlan 1,10,100
Command History

Release | Modification
AOS-W 3.0 | Command introduced
AOS-W 3.4 | The trusted VLAN and ip access-group session vlan parameters were introduced.
AOS-W 3.4.1 | The trusted vlan <word> parameter was added.

Command Information

Platforms All platforms

Licensing Base operating system

Command Mode Config mode on master and local switches


interface tunnel
interface tunnel <number>
   description <string>
   inter-tunnel-flooding
   ip address <ipaddr> <netmask>
   mtu <mtu>
   no ...
   shutdown
   trusted
   tunnel checksum|destination <ipaddr>|keepalive [<interval> <retries>]|key <key>|mode gre {<protocol>|ip}|source {<ipaddr>|loopback|vlan <vlan>}|vlan <vlans>
Description
This command configures a tunnel interface.
Syntax

Parameter | Description | Range | Default
tunnel | Identification number for the tunnel. | 1-2147483647 | --
description | String that describes this interface. | -- | Tunnel Interface
inter-tunnel-flooding | Enables inter-tunnel flooding. | -- | enabled
ip address | IP address of the tunnel. This represents the entrance to the tunnel. | -- | --
mtu | MTU size for the interface. | 1024 - 9216 | --
no | Negates any configured parameter. | -- | --
shutdown | Causes a hard shutdown of the interface. | -- | --
trusted | Set this interface and range of VLANs to be trusted. VLANs not included in the trusted range of VLANs will be, by default, untrusted. Trusted ports and VLANs are typically connected to internal controlled networks, while untrusted ports connect to third-party APs, public areas, or other networks to which access controls should be applied. When Alcatel-Lucent APs are attached directly to the switch, set the port to be trusted. | -- | disabled
tunnel | Configures tunneling. | -- | mode gre ip
checksum | Enables end-to-end checksum of packets that pass through the tunnel. | -- | disabled
destination | Destination IP address for the tunnel endpoint. | -- | --
keepalive | Enables sending of periodic keepalive frames on the tunnel to determine the tunnel status (up or down). You can optionally set the interval at which keepalive frames are sent, and the number of times the frames are resent before a tunnel is considered to be down. | -- | disabled
<interval> | (Optional) Number of seconds at which keepalive frames are sent. | 1-86400 | 10 seconds
<retries> | (Optional) Number of consecutive times that the keepalives fail before the tunnel is considered to be down. | 0-1024 | 3
key | Key used to authenticate packets on the tunnel. | 0-4294967295 | --
mode gre | Specifies Generic Routing Encapsulation (GRE) type. You configure either a 16-bit protocol number (for Layer-2 tunnels) or ip (for a Layer-3 tunnel). The 16-bit protocol number uniquely identifies a Layer-2 tunnel. The switches at both endpoints of the tunnel must be configured with the same protocol number. | -- | --
source | The local endpoint of the tunnel on the switch. This can be one of the following: specified IP address; the loopback interface configured on the switch; specified VLAN. | -- | --
vlan | VLANs to be included in this tunnel. | -- | --

Usage Guidelines
You can configure a GRE tunnel between an Alcatel-Lucent switch and another GRE-capable device. Layer-3 GRE tunnel type is the default (tunnel mode gre ip). You can direct traffic into the tunnel using a static route (specify the tunnel as the next hop for a static route) or a session-based access control list (ACL).
Example
The following command configures a tunnel interface:
(host) (config) #interface tunnel 200
   ip address 10.1.1.1 255.255.255.0
   tunnel source loopback
   tunnel destination 20.1.1.242
   tunnel mode gre ip
Command History

Release | Modification
AOS-W 3.0 | Command introduced
AOS-W 3.2 | The keepalive parameter was introduced.

Command Information

Platforms All platforms

Licensing Base operating system

Command Mode Config mode on master and local switches


interface vlan
interface vlan <vlan>
   bandwidth-contract <name>
   bcmc-optimization
   description <string>
   ip address {<ipaddr> <netmask>|dhcp-client|{internal}|pppoe}|helper-address <ipaddr>|igmp|local-proxy-arp|[nat inside]|{ospf area <id>}routing}|
      pppoe-max-segment-site <number>|
      pppoe-password|pppoe-service-name|pppoe-username|routing
   ipv6 {address <ipv6-address> link-local | [<ipv6-prefix>/<prefix-length> | eui-64]| mld [snooping] | nd {ra [dns | enable | hop-limit | interval | life-time | managed-config-flag | mtu | other-config-flag | preference | prefix] | reachable-time <value> | retransmit-time <value>}}
   mtu
   multimode-auth
   no ...
   operstate up
   option-82 mac essid
   shutdown
   suppress-arp
Description
This command configures a VLAN interface.
Syntax

Parameter | Description | Range | Default
vlan | VLAN ID number. | 1-4094 | --
bandwidth-contract | Name of the bandwidth contract to be applied to this VLAN interface. When applied to a VLAN, the contract only limits multicast traffic and does not affect other data. Use the aaa bandwidth-contract command to configure a bandwidth contract. | -- | --
bcmc-optimization | Enables broadcast and multicast traffic optimization to prevent flooding of broadcast and multicast traffic on VLANs. If this feature is enabled on uplink ports, any switch-generated Layer-2 packets will be dropped. | -- | disabled
description | String that describes this interface. | -- | 802.1Q VLAN
ip | Configures IPv4 for this interface. | |
address | Configures the IP address for this interface, which can be one of the following: <ipaddr> <netmask>; dhcp-client: use DHCP to obtain the IP address; internal: IP address allocated from the Remote Node Profile; pppoe: use PPPoE to obtain the IP address. | -- | --
helper-address | IP address of the DHCP server for relaying DHCP requests for this interface. If the DHCP server is on the same subnetwork as this VLAN interface, you do not need to configure this parameter. | -- | --
igmp | Enables IGMP and/or IGMP snooping on this interface. | -- | --
local-proxy-arp | Enables local proxy ARP. | -- | --
nat inside | Enables source network address translation (NAT) for all traffic routed from this VLAN. | -- | --
ospf | Define an OSPF area. See ip ospf on page 389 for complete details on this command. | -- | --
pppoe-max-segment-site | Configures the TCP maximum segment size in bytes. | 128 | --
pppoe-password | Configures the PAP password on the PPPoE Access Concentrator for the switch. | 1-80 | --
pppoe-service-name | Configures the PPPoE service name. | 1-80 | --
pppoe-username | Configures the PAP username on the PPPoE Access Concentrator for the switch. | 1-80 | --
routing | Enables layer-3 forwarding on the VLAN interface. To disable layer-3 forwarding, you must configure the IP address for the interface and specify no ip routing. | -- | (enabled)
ipv6 | Configures IPv6 for this interface. | -- | --
address | Configures the link local address or the global unicast address for this interface. | -- | --
mld snooping | Enables Multicast Listener Discovery (MLD) snooping on this interface. | -- | --
nd {ra|reachable-time|retransmit-time} | Configures the IPv6 neighbor discovery options. ra configures the following router advertisement options: dns (configures IPv6 recursive DNS server); enable (enables IPv6 RA); hop-limit (configures RA hop-limit); interval (configures RA interval); life-time (configures RA lifetime); managed-config-flag (enables hosts to use DHCP server for stateful address autoconfiguration); mtu (configures maximum transmission unit for RA); other-config-flag (enables hosts to use DHCP server for other non-address stateful autoconfiguration); preference (configures a router preference); prefix (configures IPv6 RA prefix). reachable-time configures neighbor discovery reachable time. retransmit-time configures neighbor discovery retransmit time. | -- | --
no | Negates any configured parameter. | -- | --
mtu | MTU setting for the VLAN. | 1024-1500 | --
multimode-auth | MultiMode Authentication Support on VLAN. | -- | --
operstate up | Set the state of the interface to be up. | -- | --
option-82 mac | Allows a DHCP relay agent to insert circuit specific information into a request that is being forwarded to a DHCP server. The switch, when acting as a DHCP relay agent, needs to be able to insert information about the AP and SSID through which a client is connecting into the DHCP request. Many service providers use this mechanism to make access control decisions. You can include only the MAC address or MAC address and ESSID. | -- | --
essid | ESSID is an alphanumeric name that uniquely identifies a wireless network. | -- | --
shutdown | Causes a hard shutdown of the interface. | -- | --
suppress-arp | Prevents flooding of ARP broadcasts on all the untrusted interfaces. | -- | --

Usage Guidelines
All ports on the switch are assigned to VLAN 1 by default. Use the interface fastethernet|gigabitethernet command to assign a port to a configured VLAN. Use the show interface vlan and show user commands to view DHCP option-82 related output.
Example
The following command configures a VLAN interface:
(host) (config) #interface vlan 16
   ip address 10.26.1.1 255.255.255.0
   ip helper-address 10.4.1.22
Command History
This command was introduced in AOS-W 3.0

Release | Modification
AOS-W 3.0 | Command introduced
AOS-W 3.3 | The ipv6 parameters were introduced.
AOS-W 3.4 | The igmp snooping parameter was deprecated. For information on configuring IGMP snooping in AOS-W 3.4 or later, see interface vlan ip igmp proxy on page 342.
AOS-W 6.0 | The pppoe-max-segment-site, pppoe-password, pppoe-service-name and pppoe-password parameters were introduced.
AOS-W 6.1 | The option-82 parameter was introduced.
AOS-W 6.2 | The nd parameter for configuring neighbor discovery and router advertisement options was introduced.

Command Information

Platforms All platforms

Licensing Base operating system

Command Mode Config mode on master and local switches


interface vlan ipv6 address
interface vlan <vlan ID>
   ipv6 address <ipv6-address> link-local | [<ipv6-prefix>/<prefix-length> | eui-64]
   ipv6 {address <ipv6-address> link-local | [<ipv6-prefix>/<prefix-length> | eui-64]| mld [snooping] | nd {ra [dns | enable | hop-limit | interval | life-time | managed-config-flag | mtu | other-config-flag | preference | prefix] | reachable-time <value> | retransmit-time <value>}}
Description
This command configures the IPv6 link local address or the global unicast address, and the IPv6 router advertisement parameters for this interface.
Syntax

Parameter | Description | Range | Default
<ipv6 address> link-local | Configures the specified IPv6 address as the link local address for this interface. | -- | --
<ipv6-prefix>/<prefix-length> | Specify the IPv6 prefix/prefix-length to configure the global unicast address for this interface. | -- | --
eui-64 | Specify this optional parameter to configure the global unicast address in Extended Universal Identifier 64 bit format (EUI-64) for this interface. | -- | --
nd | Configures the IPv6 neighbor discovery options for router advertisement functionality. | -- | --
ra | Configures the following router advertisement options: dns (configures IPv6 recursive DNS server); enable (enables IPv6 RA); hop-limit (configures RA hop-limit); interval (configures RA interval); life-time (configures RA lifetime); managed-config-flag (enables hosts to use DHCP server for stateful address autoconfiguration); mtu (configures maximum transmission unit for RA); other-config-flag (enables hosts to use DHCP server for other non-address stateful autoconfiguration); preference (configures a router preference); prefix (configures IPv6 RA prefix). | -- | --
reachable-time <value> | Configures the neighbor discovery reachable time in msec. | 0 - 3,600,000 | 0
retransmit-time <value> | Configures the neighbor discovery retransmit time in msec. | 0 - 3,600,000 |

Usage Guidelines
You can use this command to configure the IPv6 link local address and the global unicast address for this interface.


Example
The following example configures the link local address for the VLAN 1.
(host) (conf)# interface vlan 1
(config-subif)#ipv6 address fe80::b:8600:50d:7700 link-local
The following example configures the global unicast address in EUI-64 format for the VLAN 1.
(host) (conf)# interface vlan 1
(config-subif)#ipv6 address 2001:DB8:0:3::/64 eui-64
Command History

Release | Modification
AOS-W 6.1 | This command was introduced.
AOS-W 6.2 | The nd parameter for configuring neighbor discovery and router advertisement options was introduced.

Command Information

Platforms All platforms

Licensing Base operating system

Command Mode Config mode on master switches


interface vlan ip igmp proxy
interface vlan <vlan> ip igmp snooping|{proxy fastethernet|gigabitethernet <slot>/<port>}
Description
This command enables IGMP and/or IGMP snooping on this interface, or configures a VLAN interface for uninterrupted streaming of multicast traffic.
Syntax

Parameter | Description
snooping | Enable IGMP snooping. The IGMP protocol enables a router to discover the presence of multicast listeners on directly-attached links. Enable IGMP snooping to limit the sending of multicast frames to only those nodes that need to receive them.
proxy | Enable IGMP on this interface.
fastethernet | Enable IGMP proxy on the FastEthernet (IEEE 802.3) interface.
gigabitethernet | Enable IGMP proxy on the GigabitEthernet (IEEE 802.3) interface.
<slot>/<port> | Any command that references a Fast Ethernet or Gigabit Ethernet interface requires that you specify the corresponding port on the switch in the format <slot>/<port>. <slot> is always 1, except when referring to interfaces on the OAW-6000 switch. For the OAW-6000 switch, the four slots are allocated as follows: Slot 0 contains an OmniAccess Supervisor Card III; Slot 1 can contain either an OmniAccess Supervisor Card III or a line card; Slot 2 can contain either an OmniAccess Supervisor Card III or a line card; Slot 3 can contain either an OmniAccess Supervisor Card III or a line card. <port> refers to the network interfaces that are embedded in the front panel of the OAW-4x04 Series switch, OmniAccess Supervisor Card III, or a line card installed in the OAW-6000 switch. Port numbers start at 0 from the left-most position.

Usage Guidelines
The newer IGMP proxy feature and the older IGMP snooping feature cannot be enabled at the same time, as both features add membership information to multicast group table. For most multicast deployments, you should enable the IGMP Proxy feature on all VLAN interfaces to manage all the multicast membership requirements on the switch. If IGMP snooping is configured on some of the interfaces, there is a greater chance that multicast information transfers may be interrupted.
Example
The following example configures IGMP proxy for vlan 2. IGMP reports from the switch would be sent to the upstream router on fastethernet port 1/3.
(host) (conf)# interface vlan 2
(conf-subif)# ip igmp proxy fastethernet 1/3

Related Commands
This release of AOS-W supports version 1 of the Multicast Listener Discovery (MLD) protocol (MLDv1). MLDv1, defined in RFC 2710, is derived from version 2 of the IPv4 Internet Group Management Protocol (IGMPv2). Issue the command interface vlan <vlan> ipv6 mld to enable the MLD protocol and allow an IPv6 router to discover the presence of multicast listeners on directly-attached links. Use the CLI command interface vlan <vlan> ipv6 mld snooping, and the IPv6 router will send multicast frames to only those nodes that need to receive them.
Command History
This command was introduced in AOS-W 3.4
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode Config mode on master switches


ip access-list eth
ip access-list eth {<number>|<name>}
   deny {<ethtype> [<bits>]|any} [mirror] [position]
   no ...
   permit {<ethtype> [<bits>]|any} [mirror] [position]
Description
This command configures an Ethertype access control list (ACL).
Syntax

Parameter | Description | Range
eth | Enter a name, or a number in the specified range. | 200-299
deny | Reject the specified packets, which can be one of the following: Ethertype in decimal or hexadecimal (0-65535) and optional wildcard (0-65535); any: match any Ethertype. Optionally, you can configure the mirror parameter, which mirrors packets to a datapath or remote destination, or set the position of the ACL. The default position is last, a position of 1 puts the ACL at the top of the list. | --
no | Negates any configured parameter. | --
permit | Allow the specified packets, which can be one of the following: Ethertype in decimal or hexadecimal (0-65535) and optional wildcard (0-65535); any: match any Ethertype. Optionally, you can configure the mirror parameter, which mirrors packets to a datapath or remote destination, or set the position of the ACL. The default position is last, a position of 1 puts the ACL at the top of the list. | --

Usage Guidelines
The Ethertype field in an Ethernet frame indicates the protocol being transported in the frame. This type of ACL filters on the Ethertype field in the Ethernet frame header, and is useful when filtering non-IP traffic on a physical port. This ACL can be used to permit IP frames while blocking other non-IP protocols such as IPX or Appletalk. If you configure the mirror option, define the destination to which mirrored packets are sent in the firewall policy. For more information, see firewall on page 265.
Example
The following command configures an Ethertype ACL:
(host) (config) #ip access-list eth 200
   deny 809b

Command History

Release | Modification
AOS-W 3.0 | Command introduced
AOS-W 3.3 | The mirror parameter was introduced.

Command Information

Platform Available on all platforms

License Requires the PEFNG license.

Command Mode Config mode on master switches


ipv6 cp-redirect-address
ipv6 cp-redirect-address <ip6addr> | disable
Description
This command configures a redirect address for captive portal.
Syntax

Parameter | Description
<ip6addr> | This address should be routable from all external networks.
disable | Disables automatic DNS resolution for captive portal.

Usage Guidelines
This command redirects wireless clients that are on different VLANs (from the switch's IP address) to the captive portal on the switch. If you have the Next Generation Policy Enforcement Firewall (PEFNG) license installed in the switch, modify the captive portal session ACL to permit HTTP/S traffic to the destination cp-redirect-address <ip6addr> instead of mswitch. If you do not have the PEFNG license installed in the switch, the implicit captive-portal-profile ACL is automatically modified when you issue this command.
Example
The following command configures a captive portal redirect address:
(host) (config) #ipv6 cp-redirect-address
Command History
Introduced in AOS-W 6.1
Command Information

Platform Available on all platforms

License Available in the base operating system

Command Mode Config mode on master switches


ipv6 default-gateway
ipv6 default-gateway <ipv6-address> <cost>
Description
This command configures an IPv6 default gateway.
Syntax

Parameter | Description
<ipv6address> | Specify the IPv6 address of the default gateway.
cost | Specify the distance metric to select the routing protocol that determines the way to learn the route.

Usage Guidelines
This command configures an IPv6 default gateway.
Example
The following command configures an IPv6 default gateway:
(host) (config) #ipv6 default-gateway 2cce:205:160:100::fe 1
Command History
Introduced in AOS-W 6.1
Command Information

Platform | License | Command Mode
Available on all platforms | Available in the base operating system | Config mode on master switches


ipv6 enable
ipv6 enable
Description
This command enables IPv6 packet processing globally. This option is disabled by default.
Syntax
No parameters.
Usage Guidelines
This command enables IPv6 packet processing globally.
Command History
This command was introduced in AOS-W 6.0.
Command Information

Platform | License | Command Mode
Available on all platforms | Available in the base operating system | Config mode on master switches


ipv6 firewall
ipv6 firewall
   attack-rate {ping <number>|session <number>|tcp-syn <number>}
   deny-inter-user-bridging |
   drop-ip-fragments |
   enable-per-packet-logging |
   enforce-tcp-handshake |
   prohibit-ip-spoofing |
   prohibit-rst-replay |
   session-idle-timeout <seconds> |
   session-mirror-destination {ip-address <ipaddr>}|{port <slot>/<port>}
Description
This command configures firewall options on the switch for IPv6 traffic.
Syntax

Parameter | Description | Range | Default
attack-rate | Sets rates which, if exceeded, can indicate a denial of service attack. | |
ping | Number of ICMP pings per second, which if exceeded, can indicate a denial of service attack. Recommended value is 4. | 1-255 | --
session | Number of TCP or UDP connection requests per second, which if exceeded, can indicate a denial of service attack. Recommended value is 32. | 1-255 | --
tcp-syn | Number of TCP SYN messages per second, which if exceeded, can indicate a denial of service attack. Recommended value is 32. | 1-255 | --
deny-inter-user-bridging | Prevents the forwarding of Layer-2 traffic between wired or wireless users. You can configure user role policies that prevent Layer-3 traffic between users or networks but this does not block Layer-2 traffic. This option can be used to prevent Appletalk or IPX traffic from being forwarded. | -- | disabled
drop-ip-fragments | When enabled, all IP fragments are dropped. You should not enable this option unless instructed to do so by an Alcatel-Lucent representative. | -- | disabled
enable-per-packet-logging | Enables logging of every packet if logging is enabled for the corresponding session rule. Normally, one event is logged per session. If you enable this option, each packet in the session is logged. You should not enable this option unless instructed to do so by an Alcatel-Lucent representative, as doing so may create unnecessary overhead on the switch. | -- | disabled
enforce-tcp-handshake | Prevents data from passing between two clients until the three-way TCP handshake has been performed. This option should be disabled when you have mobile clients on the network as enabling this option will cause mobility to fail. You can enable this option if there are no mobile clients on the network. | -- | disabled
prohibit-ip-spoofing | Detects IP spoofing (where an intruder sends messages using the IP address of a trusted client). When this option is enabled, IP and MAC addresses are checked; possible IP spoofing attacks are logged and an SNMP trap is sent. | -- | disabled
prohibit-rst-replay | Closes a TCP connection in both directions if a TCP RST is received from either direction. You should not enable this option unless instructed to do so by an Alcatel-Lucent representative. | -- | disabled
session-idle-timeout | Time, in seconds, that a non-TCP session can be idle before it is removed from the session table. You should not modify this option unless instructed to do so by an Alcatel-Lucent representative. | 16-259 | 15 seconds
session-mirror-destination | Destination to which mirrored session packets are sent. The destination can be either an IPv4 address or a switch port. You configure IPv6 flows to be mirrored with the mirror option of the ipv6 access-list session command. Use this option only for troubleshooting or debugging. | -- | --
ip-address <ipaddr> | Send mirrored session packets to the specified IP address. | |
port <slot>/<port> | Send mirrored session packets to the specified switch port. | |

Usage Guidelines
This command configures global firewall options on the switch for IPv6 traffic.
Example
The following command disallows forwarding of non-IP frames between IPv6 clients:
(host) (config) #ipv6 firewall deny-inter-user-bridging
Command History

Version | Description
AOS-W 3.3 | Command introduced
AOS-W 6.1 | The ipv6 firewall enable command was deprecated. Use the command ipv6 enable to enable/disable ipv6 packet/firewall processing on the switch.


Command Information

Platform | License | Command Mode
Available on all platforms | Available in the base operating system, except for noted parameters | Config mode on master switches


ipv6 mld
ipv6 mld
   query-interval
   query-response-interval
   robustness-variable
Description
This command configures the IPv6 MLD (Multi-listener discovery) parameters.
Syntax

Parameter | Description
query-interval | Specify the time interval in seconds (1-65535) between general queries sent by the querier. The default value is 125 seconds. By varying this value, you can tune the number of MLD messages on the link; larger values cause MLD queries to be sent less often.
query-response-interval | Specify the maximum response delay in deciseconds (1/10 seconds) that can be inserted into the periodic general queries. The default value is 100 deciseconds. By varying this value, you can tune the burstiness of MLD messages on the link; larger values make the traffic less bursty, as node responses are spread out over a larger interval. NOTE: The number of seconds represented by this value must be less than the query interval.
robustness-variable | Specify a value between 2 and 10. The default value is 2. The robustness variable allows you to tune for the expected packet loss on a link. If a link is expected to be lossy, you can increase this value. NOTE: You must not configure the robustness variable as 0 or 1.

Usage Guidelines
You can modify the default values of the MLD parameters for IPv6 MLD snooping. You must enable IPv6 MLD snooping for these values to take effect. For more information on enabling IPv6 MLD snooping, see interface vlan on page 336.
Example
The following command configures the query interval of 200 seconds for IPv6 MLD snooping:
(host) (config) #ipv6 mld
(host) (config-mld) # query-interval 200
Command History
Introduced in AOS-W 6.1
Command Information

Platform | License | Command Mode
Available on all platforms | Available in the base operating system | Config mode on master switches


ipv6 neighbor
ipv6 neighbor <ipv6addr> vlan <vlan#> <mac>
Description
This command configures an IPv6 static neighbor on a VLAN interface.
Syntax

Parameter | Description
<ipv6addr> | Specify the IPv6 address of the neighbor entry.
vlan <vlan#> | Specify the VLAN ID.
<mac> | Specify the 48-bit hardware address of the neighbor entry.

Usage Guidelines
You can configure an IPv6 static neighbor on a VLAN interface.
Example
The following command configures an IPv6 static neighbor on VLAN 1:
(host) (config) #ipv6 neighbor 2cce:205:160:100::fe vlan 1 00:0b:86:61:13:28
Command History
Introduced in AOS-W 6.1
Command Information

Platform | License | Command Mode
Available on all platforms | Available in the base operating system | Config mode on master switches


ipv6 route
ipv6 route <ipv6-prefix/prefix-length> <ipv6-next-hop> <cost>
Description
This command configures static IPv6 routes on the switch.
Syntax

Parameter | Description
<ipv6-prefix/prefix-length> | Specify the IPv6 address and the prefix length of the destination.
<ipv6-next-hop> | Specify the next-hop IPv6 address or null 0 to terminate or discard the packets.
<cost> | Specify the distance metric to select the routing protocol that determines the way to learn the route.

Usage Guidelines
You can configure static IPv6 routes on the switch.
Example
The following command configures a static IPv6 route on the switch:
(host) (config) #ipv6 route 2cce:205:160:100::fe/<64> 2cce:205:160:100::ff 1
Command History
Introduced in AOS-W 6.1
Command Information

Platform | License | Command Mode
Available on all platforms | Available in the base operating system | Config mode on master switches


ip access-list extended
ip access-list extended {<number>|<name>}
   deny <protocol> <source> <dest>
   ipv6
   no ...
   permit <protocol> <source> <dest>
Description
This command configures an extended access control list (ACL). To configure IPv6 specific rules, use the ipv6 keyword for each rule.
Syntax

Parameter | Description | Range
extended | Enter a name, or a number in the specified range. | 100-199, 2000-2699
ipv6 | Use the ipv6 keyword to add IPv6 specific rules. | --
deny | Reject the specified packets. | --
<protocol> | Protocol, which can be one of the following: | --
   - Protocol number between 0-255
   - any: any protocol
   - icmp: Internet Control Message Protocol
   - igmp: Internet Group Management Protocol
   - tcp: Transmission Control Protocol
   - udp: User Datagram Protocol
<source> | Source, which can be one of the following: | --
   - Source address (IPv4 or IPv6) and wildcard
   - any: any source
   - host: specify a single host IP address
<dest> | Destination, which can be one of the following: | --
   - Destination address (IPv4 or IPv6) and wildcard
   - any: any destination
   - host: specify a single host IP address
no | Negates any configured parameter. | --
permit | Allow the specified packets. | --
<protocol> | Protocol, which can be one of the following: | --
   - Protocol number between 0-255
   - any: any protocol
   - icmp: Internet Control Message Protocol
   - igmp: Internet Group Management Protocol
   - tcp: Transmission Control Protocol
   - udp: User Datagram Protocol
<source> | Source, which can be one of the following: | --
   - Source address (IPv4 or IPv6) and wildcard
   - any: any source
   - host: specify a single host IP address
<dest> | Destination, which can be one of the following: | --
   - Destination address (IPv4 or IPv6) and wildcard
   - any: any destination
   - host: specify a single host IP address

Usage Guidelines
Extended ACLs are supported for compatibility with router software from other vendors. This ACL permits or denies traffic based on the source or destination IP address or IP protocol.
Example
The following command configures an extended ACL:
(host) (config) #ip access-list extended 100
   deny any host 1.1.21.245 any
Command History
This command was available in AOS-W 3.0.
Command Information

Platform | License | Command Mode
Available on all platforms | Requires the PEFNG license | Config mode on master switches


ip access-list mac
ip access-list mac {<number>|<name>}
   deny {<macaddr>[<wildcard>]|any|host <macaddr>} [mirror]
   no ...
   permit {<macaddr>[<wildcard>]|any|host <macaddr>} [mirror]
Description
This command configures a MAC access control list (ACL).
Syntax

Parameter | Description | Range
mac | Configures a MAC access list. Enter a name, or a number in the specified range. | 700-799, 1200-1299
deny | Reject the specified packets, which can be the following: | --
   - MAC address and optional wildcard
   - any: any packets
   - host: specify a MAC address
   Optionally, you can configure the mirror parameter, which mirrors packets to a datapath or remote destination.
no | Negates any configured parameter. | --
permit | Allow the specified packets, which can be the following: | --
   - MAC address and optional wildcard
   - any: any packets
   - host: specify a MAC address
   Optionally, you can configure the mirror parameter, which mirrors packets to a datapath or remote destination.

Usage Guidelines
MAC ACLs allow filtering of non-IP traffic. This ACL filters on a specific source MAC address or range of MAC addresses. If you configure the mirror option, define the destination to which mirrored packets are sent in the firewall policy. For more information, see firewall on page 265.
Example
The following command configures a MAC ACL:
(host) (config) #ip access-list mac 700
   deny 11:11:11:00:00:00
Command History

Release | Modification
AOS-W 3.0 | Command introduced
AOS-W 3.3 | The mirror parameter was introduced.


Command Information
Platform | License | Command Mode
Available on all platforms | Requires the PEFNG license | Config mode


ip access-list session
ip access-list session <accname>
   <source> <dest> <service> <action> [<extended action>]
   ipv6 [alias | any | host | network | user]
   no ...
Description
This command configures an access control list (ACL) session. To create IPv6 specific rules, use the ipv6 keyword.
Syntax

Parameter | Description
<accname> | Name of an access control list session.
ipv6 | Use the ipv6 keyword to create IPv6 specific rules.
<source> | The traffic source, which can be one of the following:
   - alias: specify the network resource (use the netdestination command to configure aliases; use the show netdestination command to see configured aliases)
   - any: match any traffic
   - host: specify a single host IP address
   - localip: specify the local IP address to match traffic
   - network: specify the IP address and netmask
   - user: represents the IP address of the user
<dest> | The traffic destination, which can be one of the following:
   - alias: specify the network resource (use the netdestination command to configure aliases; use the show netdestination command to see configured aliases)
   - any: match any traffic
   - host: specify a single host IP address
   - localip: specify the local IP address to match traffic
   - network: specify the IP address and netmask
   - user: represents the IP address of the user
<service> | Network service, which can be one of the following:
   - IP protocol number (0-255)
   - name of a network service (use the show netservice command to see configured services)
   - any: match any traffic
   - tcp: specify the TCP port number (0-65535)
   - udp: specify the UDP port number (0-65535)
<action> | Action if rule is applied, which can be one of the following:
   - deny: Reject packets.
   - dst-nat: Performs destination NAT on packets. Forward packets from source network to destination; re-mark them with destination IP of the target network. This action functions in tunnel/decrypt-tunnel forwarding mode. User should configure the NAT pool in the switch.
   - dual-nat: Performs both source and destination NAT on packets. Source IP and destination IP is changed as per the NAT pool configured. This action functions in tunnel/decrypt-tunnel forwarding mode. User should configure the NAT pool in the switch.
   - permit: Forward packets.
   - redirect: Specify the location to which packets are redirected, which can be one of the following:
      - Datapath destination ID (0-65535).
      - esi-group: Specify the ESI server group configured with the esi group command.
      - tunnel: Specify the ID of the tunnel configured with the interface tunnel command.
   - route: Specify the next hop to which packets are routed, which can be one of the following:
      - dst-nat: Destination IP changes to the IP configured from the NAT pool. This action functions in bridge/split-tunnel forwarding mode. User should configure the NAT pool in the switch.
      - src-nat: Source IP changes to RAP's external IP. This action functions in bridge/split-tunnel forwarding mode and uses implied NAT pool.
   - src-nat: Performs source NAT on packets. Source IP changes to the outgoing interface IP address (implied NAT pool) or from the pool configured (manual NAT pool). This action functions in tunnel/decrypt-tunnel forwarding mode.
<extended action> | Optional action if rule is applied, which can be one of the following:
   - blacklist: blacklist user if ACL gets applied.
   - classify-media: Monitors user UDP packets to classify them as media and tag accordingly. Use this parameter only for voice and video signaling and control sessions as it causes deep packet inspection of all UDP packets from/to users.
   - disable-scanning: pause ARM scanning while traffic is present. Note that you must enable "VoIP Aware Scanning" in the ARM profile for this feature to work.
   - dot1p-priority: specify 802.1p priority (0-7)
   - log: generate a log message
   - mirror: mirror all session packets to datapath or remote destination. If you configure the mirror option, define the destination to which mirrored packets are sent in the firewall policy. For more information, see firewall on page 265.
   - next-hop-list: Route packet to the next hop in the list.
   - position: specify the position of the rule (1 is first, default is last)
   - queue: assign flow to priority queue (high/low)
   - send-deny-response: if <action> is deny, send an ICMP notification to the source
   - time-range: specify time range for this rule (configured with time-range command)
   - tos: specify ToS value (0-63)
no | Negates any configured parameter.

Usage Guidelines
Session ACLs define traffic and firewall policies on the switch. You can configure multiple rules for each policy, with rules evaluated from top (1 is first) to bottom. The first match terminates further evaluation. Generally, you should order more specific rules at the top of the list and place less specific rules at the bottom of the list. The ACL ends with an implicit deny all. To configure IPv6 rules, use the ipv6 keyword followed by the regular ACL keywords.
Example
The following command configures a session ACL that drops any traffic from the 10.0.0.0 subnetwork:
ip access-list session drop-from10
   network 10.0.0.0 255.0.0.0 any any deny
The following command configures a session ACL with IPv4 and IPv6 addresses:
(host) (config)#ip access-list session common
(host) (config-sess-common)#host 10.12.13.14 any any permit
(host) (config-sess-common)#ipv6 host 11:12:11:11::2 any any permit

The following example displays information for an ACL.
(host) (config-sess-common)#show ip access-list common
ip access-list session common
common
-------
Priority  Source          Destination  Service  Action  ...  Queue  TOS  8021P  ...  ClassifyMedia  IPv4/6
--------  ------          -----------  -------  ------  ...  -----  ---  -----  ...  -------------  ------
1         10.12.13.14     any          any      permit  ...  Low                ...                 4
2         11:12:11:11::2  any          any      permit  ...  Low                ...                 6
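The first-match ordering and implicit deny described in the Usage Guidelines above, as an added Python example (not AOS-W code and not part of the original guide). It models a subset of the rule syntax (any, host and IPv4 network endpoints; any, tcp and udp services; permit and deny), assumes a rule only matches traffic of its own address family, and reports rules that an earlier rule makes unreachable; the policy lines are constructed.

```python
# Added example (not AOS-W code): first-match evaluation of session ACL rules.
# Assumption: a rule only matches traffic of its own address family.
import ipaddress
from dataclasses import dataclass

ANY_SERVICE = ("any", None)

# Constructed policy for illustration; the addresses are sample values.
CONSTRUCTED_POLICY = [
    "network 10.0.0.0 255.0.0.0 any any deny",
    "host 10.12.13.14 any tcp 443 permit",  # unreachable: rule 1 matches first
    "host 192.168.5.20 any tcp 22 permit",
    "ipv6 host 11:12:11:11::2 any any permit",
]


@dataclass(frozen=True)
class Rule:
    family: int     # 4, or 6 when the rule starts with the ipv6 keyword
    source: object  # ipaddress network, or None for "any"
    dest: object
    service: tuple  # ("any", None) or (protocol, port), e.g. ("tcp", 443)
    action: str     # "permit" or "deny"


def _endpoint(tokens, family):
    """Consume one <source> or <dest> from the front of the token list."""
    kind = tokens.pop(0)
    if kind == "any":
        return None
    if kind == "host":
        net = ipaddress.ip_network(tokens.pop(0))
    elif kind == "network":  # this sketch handles IPv4 address + netmask only
        addr, mask = tokens.pop(0), tokens.pop(0)
        net = ipaddress.ip_network(f"{addr}/{mask}")
    else:
        raise ValueError(f"unsupported source/destination keyword: {kind}")
    if net.version != family:
        raise ValueError(f"{net} does not belong in an IPv{family} rule")
    return net


def parse_rule(line):
    """Parse '[ipv6] <source> <dest> <service> <action>' into a Rule."""
    tokens = line.split()
    family = 6 if tokens[:1] == ["ipv6"] else 4
    tokens = tokens[1:] if family == 6 else tokens
    try:
        source = _endpoint(tokens, family)
        dest = _endpoint(tokens, family)
        proto = tokens.pop(0)
        service = ANY_SERVICE if proto == "any" else (proto, int(tokens.pop(0)))
        action = tokens.pop(0)
    except IndexError:
        raise ValueError(f"incomplete rule: {line!r}") from None
    if service[0] not in ("any", "tcp", "udp") or action not in ("permit", "deny"):
        raise ValueError(f"unsupported service or action: {line!r}")
    return Rule(family, source, dest, service, action)


def matches(rule, src, dst, proto, port):
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return (s.version == d.version == rule.family
            and (rule.source is None or s in rule.source)
            and (rule.dest is None or d in rule.dest)
            and rule.service in (ANY_SERVICE, (proto, port)))


def evaluate(rules, src, dst, proto, port):
    """Return (action, position); position is None for the implicit deny."""
    for position, rule in enumerate(rules, start=1):
        if matches(rule, src, dst, proto, port):
            return rule.action, position  # first match ends evaluation
    return "deny", None  # nothing matched: implicit deny all


def _covers(outer, inner):
    return outer is None or (inner is not None and inner.subnet_of(outer))


def shadowed_rules(rules):
    """Return (later, earlier) pairs where one earlier rule covers the later one."""
    findings = []
    for j, later in enumerate(rules):
        for i, earlier in enumerate(rules[:j]):
            if (earlier.family == later.family
                    and _covers(earlier.source, later.source)
                    and _covers(earlier.dest, later.dest)
                    and earlier.service in (ANY_SERVICE, later.service)):
                findings.append((j + 1, i + 1))
                break
    return findings


if __name__ == "__main__":
    policy = [parse_rule(line) for line in CONSTRUCTED_POLICY]
    print(evaluate(policy, "10.12.13.14", "198.51.100.7", "tcp", 443))
    print(shadowed_rules(policy))
```

Moving the host rule above the network rule clears the finding, which is the "more specific rules at the top" ordering the guidelines recommend.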

Command History
Introduced in AOS-W 3.0

Command Information

Platform | License | Command Mode
Available on all platforms | Requires the PEFNG license | Config mode on master switches


ip access-list standard
ip access-list standard {<number>|<name>}
   deny {<ipaddr> <wildcard>|any|host <ipaddr>}
   no ...
   permit {<ipaddr> <wildcard>|any|host <ipaddr>}
Description
This command configures a standard access control list (ACL).
Syntax

Parameter | Description | Range
standard | Enter a name, or a number in the specified range. | 1-99, 1300-1399
ipv6 | Use the ipv6 keyword to create IPv6 specific standard rules. |
deny | Reject the specified packets, which can be the following: | --
   - IP address and optional wildcard
   - any: any packets
   - host: specify a host IP address
no | Negates any configured parameter. | --
permit | Allow the specified packets, which can be the following: | --
   - IP address and optional wildcard
   - any: any packets
   - host: specify a host IP address

Usage Guidelines
Standard ACLs are supported for compatibility with router software from other vendors. This ACL permits or denies traffic based on the source address of the packet.
Example
The following command configures a standard ACL:
(host) (config) #ip access-list standard 1
   permit host 10.1.1.244
Command History
Introduced in AOS-W 3.0
Command Information

Platform | License | Command Mode
Available on all platforms | Requires the PEFNG license | Config mode on master switches


ip cp-redirect-address
ip cp-redirect-address <ipaddr> | disable
Description
This command configures a redirect address for captive portal.
Syntax

Parameter | Description
<ipaddr> | Host address with a 32-bit netmask. This address should be routable from all external networks.
disable | Disables automatic DNS resolution for captive portal.

Usage Guidelines
This command redirects wireless clients that are on different VLANs (from the switch's IP address) to the captive portal on the switch. If you have the Next Generation Policy Enforcement Firewall (PEFNG) license installed in the switch, modify the captive portal session ACL to permit HTTP/S traffic to the destination cp-redirect-address <ipaddr> instead of mswitch. If you do not have the PEFNG license installed in the switch, the implicit captive-portal-profile ACL is automatically modified when you issue this command.
Example
The following command configures a captive portal redirect address:
(host) (config) #ip cp-redirect-address
Command History
Introduced in AOS-W 3.0
Command Information

Platform | License | Command Mode
Available on all platforms | Available in the base operating system | Config mode on master switches


ip default-gateway
ip default-gateway <ipaddr>|{import cell|dhcp|pppoe}|{ipsec <name>} <cost>
Description
This command configures the default gateway for the switch.
Syntax

Parameter | Description
<ipaddr> | IP address of the default gateway.
import | Use a gateway IP address obtained through the cell interface, DHCP or PPPoE. The default gateway is imported into the routing table and removed when the uplink is no longer active.
cell | Use a gateway IP address obtained through the cell interface.
dhcp | Use a gateway IP address obtained through DHCP.
pppoe | Use a gateway IP address obtained through PPPoE.
ipsec <name> | Define a static route using an ipsec map.
<cost> | Distance metric for this route.

Usage Guidelines
You can use this command to set the default gateway to the IP address of the interface on the upstream router or switch to which you connect the switch. If you define more than one dynamic gateway type, you must also define a cost for the route to each gateway. The switch will first attempt to obtain a gateway IP address using the option with the lowest cost. If the switch is unable to obtain a gateway IP address, it will then attempt to obtain a gateway IP address using the option with the next-lowest path cost.
Example
The following command configures the default gateway for the switch:
(host) (config) #ip default-gateway 10.1.1.1
Command History
Introduced in AOS-W 3.0
Command Information

Platform | License | Command Mode
Available on all platforms | Available in the base operating system | Config mode on master switches


ip dhcp excluded-address
ip dhcp excluded-address <low-ipaddr> [<high-ipaddr>]
Description
This command configures an excluded address range for the DHCP server on the switch.
Syntax

Parameter | Description
<low-ipaddr> | Low end of range of IP addresses. For example, you can enter the IP address of the switch so that this address is not assigned.
<high-ipaddr> | High end of the range of IP addresses.

Usage Guidelines
Use this command to specifically exclude certain addresses from being assigned by the DHCP server. It is good practice to exclude any statically assigned addresses.
Example
The following command configures an excluded address range:
ip dhcp excluded-address 192.168.1.1 192.168.1.255
Command History
Introduced in AOS-W 3.0
Command Information

Platform | License | Command Mode
Available on all platforms | Available in base operating system | Config mode on master switches


ip dhcp pool
ip dhcp pool <name>
   default-router <ipaddr> ...
   dns-server {<ipaddr> ... |import}
   domain-name <name>
   lease <days> <hours> <minutes>
   netbios-name-server {<ipaddr> ... |import}
   network <ipaddr> {<netmask>|<prefix>}
   no ...
   option <code> ip <ipaddr>
   pooltype ipupsell|private|public
   vendor-class-identifier
Description
This command configures a DHCP pool on the switch.
Syntax

Parameter | Description
default-router | IP address of the default router for the DHCP client. The client should be on the same subnetwork as the default router. You can specify up to eight IP addresses.
dns-server | IP address of the DNS server, which can be one of the following:
<address> | IP address of the DNS server. You can specify up to eight IP addresses.
import | Use the DNS server address obtained through PPPoE or DHCP.
domain-name | Domain name to which the client belongs.
lease | The amount of time that the assigned IP address is valid for the client. Specify the lease in <days> <hours> <minutes>.
netbios-name-server | IP address of the NetBIOS Windows Internet Naming Service (WINS) server, which can be one of the following:
<address> | IP address of the WINS server. You can specify up to eight IP addresses.
import | Use the NetBIOS name server address obtained through PPPoE or DHCP.
network | Range of addresses that the DHCP server may assign to clients, in the form of <ipaddr> and <netmask> or <ipaddr> and <prefix> (/n).
no | Negates any configured parameter.
option | Client-specific option code and IP address. See RFC 2132, "DHCP Options and BOOTP Vendor Extensions".
pooltype | Configure one of the following DHCP pool types:
   - ipupsell: Configure the DHCP pool as an IP upsell pool
   - private: Configure the DHCP pool as private
   - public: Configure the DHCP pool as public
vendor-class-identifier | Send the ArubaAP vendor ID to clients.


Usage Guidelines
A DHCP pool should be created for each IP subnetwork for which DHCP services should be provided. DHCP pools are not specifically tied to VLANs, as the DHCP server exists on every VLAN. When the switch receives a DHCP request from a client, it examines the origin of the request to determine if it should respond. If the IP address of the VLAN matches a configured DHCP pool, the switch answers the request.
Example
The following command configures a DHCP pool:
(host) (config) #ip dhcp pool floor1
   default-router 10.26.1.1
   dns-server 192.168.1.10
   domain-name floor1.test.com
   lease 0 8 0
   network 10.26.1.0 255.255.255.0
Command History
Introduced in AOS-W 3.0
Command Information

Platform | License | Command Mode
Available on all platforms | Available in the base operating system | Config mode on master switches


ip domain lookup
ip domain lookup
Description
This command enables Domain Name System (DNS) hostname to address translation.
Syntax
There are no parameters for this command.
Usage Guidelines
This command is enabled by default. Use the no form of this command to disable.
Example
The following command enables DNS hostname translation:
(host)(config) #ip domain lookup
Command History
This command was available in AOS-W 3.0.
Command Information

Platform | License | Command Mode
Available on all platforms | Available in the base operating system | Config mode on master switches


ip domain-name
ip domain-name <name>
Description
This command configures the default domain name.
Syntax

Parameter | Description
domain-name | Name used to complete unqualified host names. Do not specify the leading dot (.).

Usage Guidelines
The switch uses the default domain name to complete hostnames that do not contain domain names. You must have at least one domain name server configured on the switch (see ip name-server on page 387).
Example
The following command configures the default domain name:
(host) (config) #ip domain-name yourdomain.com
Command History
This command was available in AOS-W 3.0.
Command Information

Platform | License | Command Mode
Available on all platforms | Available in the base operating system | Config mode on master switches


ip igmp
ip igmp
   last-member-query-count <number>
   last-member-query-interval <seconds>
   max-members-per-group <val>
   query-interval <seconds>
   query-response-interval <.1 seconds>
   quick-client-convergence
   robustness-variable <2-10>
   startup-query-count <number>
   startup-query-interval <seconds>
   version-1-router-present-timeout <seconds>
Description
This command configures Internet Group Management Protocol (IGMP) timers and counters.
Syntax

Parameter | Description | Range | Default
last-member-query-count | Number of group-specific queries that the switch sends before assuming that there are no local group members. | 1-65535 | 2
last-member-query-interval | Maximum time, in seconds, that can elapse between group-specific query messages. | 1-65535 seconds | 10 seconds
max-members-per-group | Configure maximum members per group. | 1-65535 | 300
query-interval | Interval, in seconds, at which the switch sends host-query messages to the multicast group address 224.0.0.1 to solicit group membership information. | 1-65535 seconds | 125 seconds
query-response-interval | Maximum time, in 1/10th seconds, that can elapse between when the switch sends a host-query message and when it receives a response. This must be less than the query-interval. | 1-65535 seconds | 100 (10 seconds)
quick-client-convergence | Trigger IGMP reports from client during roaming. | -- | --
robustness-variable | Increase this value to allow for expected packet loss on a subnetwork. | 2-10 | 2
startup-query-count | Number of queries that the switch sends out on startup, separated by startup-query-interval. The default is the robustness-variable value. | 1-65535 | 2
startup-query-interval | Interval, in seconds, at which the switch sends general queries on startup. | 1-65535 seconds | 1/4 of the query interval
version-1-router-present-timeout | Timeout, in seconds, if a version 1 IGMP router is detected. | 1-65535 seconds | 400 seconds


Usage Guidelines
IGMP is used to establish and manage IP multicast group membership. See RFC 3376, "Internet Group Management Protocol, version 3" for more information.
Example
The following command configures IGMP:
(host) (config) #ip igmp
   query-interval 130
Command History

Release | Modification
AOS-W 3.0 | Command introduced
AOS-W 6.1 | Added parameters: max-members-per-group and quick-client-convergence

Command Information

Platform | License | Command Mode
Available on all platforms | Available in the base operating system | Config mode on master switches


ip local
ip local pool <name> <start-ipaddr> [<end-ipaddr>]
Description
This command configures a local IP pool for Layer-2 Tunnel Protocol (L2TP).
Syntax

Parameter | Description
pool | Name for the address pool.
<start-ipaddr> | Starting IP address for the pool.
<end-ipaddr> | (Optional) Ending IP address for the pool.

Usage Guidelines
VPN clients can be assigned IP addresses from the L2TP pool.
Example
The following command configures an L2TP pool:
(host) (config) #ip local pool 10.1.1.1 10.1.1.99
Command History
This command was available in AOS-W 3.0.
Command Information

Platform | License | Command Mode
Available on all platforms | Available in the base operating system | Config mode on master switches


ip mobile active-domain
ip mobile
ip mobile active-domain <name>
Description
This command configures the mobility domain that is active on the switch.
Syntax

Parameter active-domain

Description Name of the mobility domain.

Usage Guidelines
All switches are initially part of the "default" mobility domain. If you use the "default" mobility domain, you do not need to specify this domain as the active domain on the switch. However, once you assign a switch to a user-defined domain, the "default" mobility domain is no longer an active domain on the switch.
Example
The following command assigns the switch to a user-defined mobility domain:
(host) (config) #ip mobile active-domain campus1
Command History
This command was available in AOS-W 3.0.
Command Information

Platform Available on all platforms

License Available in the base operating system

Command Mode Config mode on master switches


ip mobile domain
ip mobile domain <name>
   description <description>
   hat <subnetwork> <mask> <vlan> <ha-ipaddr> <desc>
   no ...
Description
This command configures the mobility domain on the switch.
Syntax

Parameter      Description
domain         Name of the mobility domain.
description    Description of the mobility domain.
hat            Configures a home agent table (HAT) entry.
<subnetwork>   Subnet that requires mobility service.
<mask>         Netmask for the IP address.
<vlan>         VLAN ID. The VLAN ID must be the VLAN number on the home agent. The supported range of VLAN IDs is 1-4096.
<ha-ipaddr>    IP address of the home agent.
<desc>         Description of a HAT entry. The description can be a maximum of 30 characters (including spaces).
no             Negates any configured parameter.

Usage Guidelines
You configure the HAT on a master switch; the mobility domain information is pushed to all local switches that are managed by the same master.
HAT entries map subnetworks or VLANs to home agents. The home agent is typically the switch's IP address. The home agent's IP address must be routable; that is, all switches that belong to the same mobility domain must be able to reach the home agent's IP address.
The switch looks up information in the HAT to obtain the IP address of the home agent for a mobile client. Because there can be multiple home agents on a subnetwork, the HAT can contain more than one entry for the same subnetwork.
Example
The following command configures HAT entries:
(host) (mobility-domain) #ip mobile domain east_building
(host) (mobility-domain) #hat 10.11.1.0 255.255.255.0 120 10.11.1.200 description "East building entries"
(host) (mobility-domain) #show ip mobile domain east_building
Mobility Domains:, 1 domain(s)
------------------------------
Domain name east_building
Home Agent Table, 1 subnet(s)
subnet          mask            VlanId Home Agent      Description
--------------- --------------- ------ --------------- -------------------------
10.11.1.0       255.255.255.0   120    10.11.1.200     East building entries

Command History

Release       Modification
AOS-W 3.0     Command available.
AOS-W 6.0     A new parameter, description is added for providing more information about a HAT entry.
AOS-W 3.4.1   vlan range parameter introduced.

Command Information

Platform Available on all platforms

License Available in the base operating system

Command Mode Config mode on master switches


ip mobile foreign-agent
ip mobile foreign-agent {lifetime <seconds> | max-visitors <number> | registrations {interval <msecs> | retransmits <number>}}
Description
This command configures the foreign agent for IP mobility.
Syntax

Parameter       Description

lifetime        Requested lifetime, in seconds, as per RFC 3344, "IP Mobility Support for IPv4". Range: 10-65534 Default: 180 seconds

max-visitors    Maximum number of active visitors. Range: 0-5000 Default: 5000

registrations   Frequency at which re-registration messages are sent to the home agent:

   interval     Retransmission interval, in milliseconds. Range: 100-10000 Default: 1000 milliseconds

   retransmits  Maximum number of times the foreign agent attempts mobile IP registration message exchanges before giving up. Range: 0-5 Default: 3

Usage Guidelines
A foreign agent is the switch which handles all mobile IP communication with a home agent on behalf of a roaming client.
Example
The following command configures the foreign agent:
(host) (config) #ip mobile foreign-agent registration interval 10000
Command History
This command was available in AOS-W 3.0.
Command Information

Platform Available on all platforms

License Available in the base operating system

Command Mode Config mode on master switches


ip mobile home-agent
ip mobile home-agent {max-bindings <number>|replay <seconds>}
Description
This command configures the home agent for IP mobility.
Syntax

Parameter      Description

max-bindings   Maximum number of mobile IP bindings. This option is an additional limitation to control the maximum number of roaming users. When the limit is reached, registration requests from the foreign agent fail, which causes a mobile client to set a new session on the visited switch, which will become its home switch. Range: 0-5000 Default: 5000

replay         Time difference, in seconds, for timestamp-based replay protection, as described by RFC 3344, "IP Mobility Support for IPv4". 0 disables replay protection. Range: 0-300 Default: 7 seconds

Usage Guidelines
A home agent for a mobile client is the switch where the client first appears when it joins the mobility domain. The home agent is the single point of contact for the client when it roams.
Example
The following command configures the home agent:
(host) (config) #ip mobile home-agent replay 100
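The timestamp check that the replay parameter tunes, sketched here as an added illustration that follows RFC 3344 section 5.7.1 and is not AOS-W code. ReplayWindow, make_identification and the sample address and clock values are constructed for this example, and a window of 0 is modelled as skipping the check, per the "0 disables replay" note above.

```python
import os
import struct

NTP_UNIX_OFFSET = 2208988800   # seconds from the NTP epoch (1900) to the Unix epoch (1970)
CODE_ACCEPTED = 0              # RFC 3344 reply code: registration accepted
CODE_ID_MISMATCH = 133         # RFC 3344 reply code: registration Identification mismatch


def make_identification(unix_time, nonce=None):
    """Mobile-node side: NTP seconds in the high 32 bits, random value in the low 32 bits."""
    if nonce is None:
        nonce = struct.unpack("!I", os.urandom(4))[0]
    ntp_seconds = (int(unix_time) + NTP_UNIX_OFFSET) & 0xFFFFFFFF
    return (ntp_seconds << 32) | (nonce & 0xFFFFFFFF)


class ReplayWindow:
    """Hypothetical home-agent check; `window` stands in for `replay <seconds>` (0-300)."""

    def __init__(self, window=7):
        if not 0 <= window <= 300:
            raise ValueError("replay window must be between 0 and 300 seconds")
        self.window = window
        self.highest = {}  # mobile node -> highest Identification accepted so far

    def check(self, node, ident, now):
        """Return (reply_code, reply_identification) for one Registration Request."""
        if self.window == 0:
            # Assumption taken from the page: 0 means no freshness check at all.
            return CODE_ACCEPTED, ident
        sent_at = (ident >> 32) - NTP_UNIX_OFFSET
        fresh = abs(sent_at - now) <= self.window
        newer = ident > self.highest.get(node, -1)
        if fresh and newer:
            self.highest[node] = ident
            return CODE_ACCEPTED, ident
        # Rejected: keep the request's low 32 bits and put the agent's own clock in
        # the high 32 bits, so a node with a skewed clock can resynchronise and retry.
        agent_ntp = (int(now) + NTP_UNIX_OFFSET) & 0xFFFFFFFF
        return CODE_ID_MISMATCH, (agent_ntp << 32) | (ident & 0xFFFFFFFF)


def demo():
    """Run constructed requests through a 7-second window and through window 0."""
    now = 1_700_000_000                      # constructed agent clock (Unix seconds)
    node = "10.11.1.50"                      # constructed mobile node address
    request = make_identification(now - 2, nonce=0x1234)
    agent = ReplayWindow(window=7)
    results = {
        "first": agent.check(node, request, now)[0],
        "replayed": agent.check(node, request, now + 3)[0],
        "stale": agent.check(node, make_identification(now - 60), now)[0],
    }
    disabled = ReplayWindow(window=0)
    disabled.check(node, request, now)
    results["replayed_window_0"] = disabled.check(node, request, now + 3600)[0]
    return results


if __name__ == "__main__":
    for name, code in demo().items():
        print(f"{name:18} -> reply code {code}")
```

A wider window tolerates more clock skew between agents but lengthens the period in which a captured request is still considered fresh; the second test (Identification greater than any previously accepted) is what rejects an exact replay inside the window.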
Command History
This command was available in AOS-W 3.0.
Command Information

Platform Available on all platforms

License Available in the base operating system

Command Mode Config mode on master switches


ip mobile packet-trace
ip mobile packet-trace <mac-address>
Description
This command enables packet tracing for the given MAC address.
Use this command with caution. It replaces the existing users with user entries from the imported file.

Syntax
Parameter       Description
<mac-address>   The MAC address of the host

Usage Guidelines
Executing this command enables packet tracing for the given MAC address. This is used for troubleshooting purposes only.
Example
The following command enables packet tracing for the host:
(host) (config) #ip mobile packet-trace 00:40:96:a6:a1:a4
Command History
This command was available in AOS-W 3.4.
Command Information

Platform Available on all platforms

License Available in the base operating system

Command Mode Config mode on master switches


ip mobile proxy
ip mobile proxy auth-sta-roam-only | block-dhcp-release | dhcp {max-requests <number>|transaction-hold <seconds>|transaction-timeout <seconds>}| event-threshold <number> | log-trail | no-service-timeout <seconds> | on-association | refresh-stale-ip stale-timeout <seconds> | stand-alone-AP | trail-length <number> |trail-timeout <seconds>
Description
This command configures the proxy mobile IP module in a mobility-enabled switch.
Syntax

Parameter   Description

auth-sta-roam-only   Allows a client to roam only if it has been authenticated. If a client has not been authenticated, no mobility service is offered if it roams to a different VLAN or switch. Range: -- Default: enabled

block-dhcp-release   Determines whether DHCP release packets generated from the client should be dropped or forwarded to the DHCP server. Blocking the packets prevents the DHCP server from assigning the same IP address to another client until the lease has expired. Range: -- Default: disabled

dhcp   Configures proxy DHCP. Range: -- Default: --

   aggressive-transaction   Terminate proxy DHCP state machine on a transaction ID change. A new BOOTP request will kick-start a new DHCP state machine. NOTE: Best practice is to keep this parameter at the default setting. Range: 0-65534 Default: 25

   ignore-options   Enables support for devices that use DHCP with zero options (for example, Symbol). NOTE: Best practice is to keep this parameter at the default setting. Range: -- Default: disabled

   max-requests   Maximum number of BOOTP packets that are allowed to be handled during one DHCP session. Range: 0-65534 Default: 25

   transaction-hold   Hold time, in seconds, on proxy DHCP state after completion of DHCP transaction (DHCP ACK) was forwarded to the client. This option ensures that late BOOTP replies reach the station and that a retransmitted BOOTP request does not trigger a new proxy DHCP session. Range: 1-600 Default: 5 seconds

   transaction-timeout   Maximum time allowed for a proxy DHCP session to complete. Range: 10-600 Default: 60 seconds

event-threshold   Maximum number of mobility events (events that can trigger mobility) handled per second. Mobility events above this threshold are ignored. This helps to control frequent mobility state changes when the client bounces back and forth on APs before settling down. Range: 1-65535 Default: 25

log-trail   Enables logging at the notification level for mobile client moves. Range: -- Default: enabled

no-service-timeout   Time, in seconds, after which mobility service expires. If nothing has changed from the previous state, the client is given another bridge entry but it will have limited connectivity. Range: 30-60000 Default: 180 seconds

on-association   Mobility move detection is performed when the client associates with the switch instead of when the client sends packets. Enabled by default. Mobility on association can speed up roaming and improve connectivity for devices that do not send many uplink packets out that can trigger mobility. Downside is security; an association is all it takes to trigger mobility. This is irrelevant unless layer-2 security is enforced. Range: -- Default: enabled

refresh-stale-ip   Mobility forces station to renew its stale IP (assuming it is DHCP) by deauthorizing the station.

stale-timeout   Number of seconds the mobility state is retained after the loss of connectivity. This allows authentication state and mobility information to be preserved on the home agent switch. The default is 60 seconds but can be safely increased. Note that in many cases a station state is deleted without waiting for the stale timeout; user delete from management, foreign agent to foreign agent handoff, etc. (This is different from the no-service-timeout; no-service-timeout occurs up front while the stale-timeout begins when mobility service is provided but the connection is disrupted for some reason.) Range: 30-3600 Default: 60 seconds

stand-alone-AP   Enables support for third party or standalone APs. When this is enabled, broadcast packets are not used to trigger mobility and packets from untrusted interfaces are accepted. If mobility is enabled, you must also enable standalone AP for the client to connect to the switch's untrusted port. If the switch learns wired users via the following methods, enable standalone AP:
   • Third party AP connected to the switch through the untrusted port.
   • Clients connected to ENET1 on APs with two ethernet ports.
   • Wired user connected directly to the switch's untrusted port.
   Range: -- Default: disabled

trail-length   Specifies the maximum number of entries (client moves) stored in the user mobility trail. Range: 1-100 Default: 30

trail-timeout   Specifies the maximum interval, in seconds, an inactive mobility trail is held. Range: 120-86400 Default: 3600 seconds

Usage Guidelines
The proxy mobile IP module in a mobility-enabled switch detects when a mobile client has moved to a foreign network and determines the home agent for a roaming client. The proxy mobile IP module performs the following functions:


• Derives the address of the home agent for a mobile client from the HAT using the mobile client's IP address. If there is more than one possible home agent for a mobile client in the HAT, the proxy mobile IP module uses a discovery mechanism to find the current home agent for the client.
• Detects when a mobile client has moved. Client moves are detected based on ingress port and VLAN changes and mobility is triggered accordingly. For faster roaming convergence between AP(s) on the same switch, it is recommended that you keep the "on-association" option enabled. This helps trigger mobility as soon as 802.11 association packets are received from the mobile client.
Example
The following command enables the packet trace for the given MAC address:
ip mobile packet-trace 00:40:96:a6:a1:a4
Command History

Version     Modification
AOS-W 3.0   Command introduced.
AOS-W 6.2   The re-home parameter was deprecated as the re-homing functionality is no longer available.

Command Information

Platform Available on all platforms

License Available in the base operating system.

Command Mode Config mode on master switches


ip mobile revocation
ip mobile revocation {interval <msec>|retransmits <number>}
Description
This command configures the frequency at which registration revocation messages are sent.
Syntax

Parameter     Description

interval      Retransmission interval, in milliseconds. Range: 100-10000 ms Default: 1000 ms

retransmits   Maximum number of times the home agent or foreign agent attempts mobile IP registration/revocation message exchanges before giving up. Range: 0-5 Default: 3

Usage Guidelines
A home agent or foreign agent can send a registration revocation message, which revokes registration service for the mobile client. For example, when a mobile client roams from one foreign agent to another, the home agent can send a registration revocation message to the first foreign agent so that the foreign agent can free any resources held for the client.
Example
The following command configures registration revocation messages:
(host) (config) #ip mobile revocation interval 2000
Command History
This command was available in AOS-W 3.0.
Command Information

Platform Available on all platforms

License Available in the base operating system.

Command Mode Config mode on master switches


ip mobile trail (deprecated)
ip mobile trail {host IP address | host MAC address}
Description
This command configures the capture of association trail for all devices.
Command History

Version     Description
AOS-W 3.0   Command introduced
AOS-W 6.1   Command deprecated


ip name-server
ip name-server <ipaddr>
Description
This command configures servers for name and address resolution.
Syntax

Parameter <ip-addr>

Description IP address of the server.

Usage Guidelines
You can configure up to six servers using separate commands. Specify one or more servers when you configure a default domain name (see ip domain-name on page 372).
Example
The following command configures a name server:
ip name-server 10.1.1.245
Command History
This command was available in AOS-W 3.0.
Command Information

Platform Available on all platforms

License Available in the base operating system.

Command Mode Config mode on master switches


ip nat
ip nat pool <name> <start-ipaddr> <end-ipaddr> [<dest-ipaddr>]
Description
This command configures a pool of IP addresses for network address translation (NAT).
Syntax

Parameter        Description
pool             Name of the NAT pool.
<start-ipaddr>   IP address that defines the beginning of the range of source NAT addresses in the pool.
<end-ipaddr>     IP address that defines the end of the range of source NAT addresses in the pool.
<dest-ipaddr>    Destination NAT IP address.

Usage Guidelines
This command configures a NAT pool which you can reference in a session ACL rule (see ip access-list session on page 362).
Example
The following command configures a NAT pool:
(host) (config) #ip nat pool 2net 2.1.1.1 2.1.1.125
Command History
This command was available in AOS-W 3.0.
Command Information

Platform Available on all platforms

License
This command requires the PEFNG license.

Command Mode
Config mode on master and local switches


ip ospf
ip ospf area|{authentication message-digest | cost <cost> | dead-interval <seconds> | hello-interval <seconds> | message-digest-key <keyid> <passwd> | priority <number> | retransmit-interval <seconds> | transmit-delay <seconds>}
Description
Configure OSPF on the VLAN interface.
Syntax

Parameter   Description

area   Enable OSPF on a specific interface by entering the IP address of the router that will use OSPF.

authentication message-digest   Set the OSPF authentication mode to message digest. Default: disabled

cost <cost>   Set the cost associated with the OSPF traffic on an interface. Range: 1 to 65535 Default: 1

dead-interval <seconds>   Set the elapsed interval (seconds) since the last hello-packet was received from the router. After the interval elapses, the neighboring routers declare the router dead. Range: 1 to 65535 Default: 40 seconds

hello-interval <seconds>   Set the elapsed interval (seconds) between hello packets sent on the interface. Range: 1 to 65535 Default: 10 seconds

message-digest-key <keyid> <passwd>   Enable OSPF MD5 authentication and set the key identification and a character string password. Range: <keyid> = 1 to 256 Default: No default

priority <number>   Set the priority number of the interface to determine the DR. Range: 0 to 255 Default: 1

retransmit-interval <seconds>   Set the retransmission time between link state advertisements for adjacencies belonging to the interface. NOTE: Set the time interval long enough to prevent unnecessary retransmissions. Range: 1 to 65535 Default: 5 seconds

transmit-delay <seconds>   Set the elapsed time before retransmitting link state update packets on the interface. Range: 1 to 65535 Default: 1 second

Usage Guidelines
When configuring OSPF over multiple vendors, use this command to ensure that all routers use the same cost. Otherwise, OSPF may route improperly.


Related Commands
Command show ip ospf

Description View the OSPF configuration

Command History
Release AOS-W 3.4

Modification Command introduced

Command Information

Platforms All Platforms

Licensing Base operating system

Command Mode
Configuration Interface Mode (config-subif)


ip pppoe-max-segment-size (deprecated)
ip pppoe-max-segment-size <mss>
Description
This command configures the maximum TCP segment size (mss), in bytes, for Point-to-Point Protocol over Ethernet (PPPoE) data.
Command History

Release     Modification
AOS-W 3.0   Command introduced
AOS-W 6.1   Command deprecated


ip pppoe-password (deprecated)
ip pppoe-password <password>
Description
This command configures the PPP over Ethernet (PPPoE) password.
Command History

Release     Modification
AOS-W 3.0   Command introduced
AOS-W 6.1   Command deprecated


ip pppoe-service-name (deprecated)
ip pppoe-service-name <service_name>
Description
This command configures the PPP over Ethernet (PPPoE) service name.
Command History

Release     Modification
AOS-W 3.0   Command introduced
AOS-W 6.1   Command deprecated


ip pppoe-username (deprecated)
ip pppoe-username <username>
Description
This command configures the PPP over Ethernet (PPPoE) username.
Command History

Release     Modification
AOS-W 3.0   Command introduced
AOS-W 6.1   Command deprecated


ip radius
ip radius {nas-ip <ipaddr>|rfc-3576-server udp-port <port>|source-interface {loopback|vlan <vlan>}}
Description
This command configures global parameters for configured RADIUS servers.
Syntax

Parameter   Description

nas-ip   NAS IP address to send in RADIUS packets. A server-specific NAS IP configured with the aaa authentication-server radius command supersedes this configuration. Range: -- Default: --

rfc-3576-server   Configures the UDP port to receive requests from a RADIUS server that can send user disconnect and change-of-authorization messages, as described in RFC 3576, "Dynamic Authorization Extensions to Remote Dial In User Service (RADIUS)". See the aaa rfc-3576-server command to configure the server. NOTE: This parameter can only be used on the master switch. Range: -- Default: --

   udp-port   UDP port to receive server requests. Range: 0-65535 Default: 3799

source-interface   Interface for all outgoing RADIUS packets. The IP address of the specified interface is included in the IP header of RADIUS packets. The interface can be one of the following: Range: -- Default: --

   loopback   The loopback interface. Range: -- Default: --

   vlan   The specified VLAN. Range: -- Default: --

Usage Guidelines
This command configures global RADIUS server parameters. If the aaa authentication-server radius command configures a server-specific NAS IP, the server-specific IP address is used instead.
Example
The following command configures a global NAS IP address sent in RADIUS packets:
(host) (config) #ip radius nas-ip 192.168.1.245
Command History
This command was available in AOS-W 3.0.


Command Information

Platform Available on all platforms

License The ip radius rfc-3576-server udp-port command requires the PEFNG license. Other commands are available in the base operating system.

Command Mode Config mode on master and local switches


ip route
ip route <destip> <destmask> {<nexthop> [<cost>]|ipsec <name>|null 0}
Description
This command configures a static route on the switch.
Syntax

Parameter            Description
<destip>             Enter the destination prefix address in dotted decimal format (A.B.C.D).
<destmask>           Enter the destination prefix mask address in dotted decimal format (A.B.C.D).
<nexthop> [<cost>]   Enter the forwarding router address in dotted decimal format (A.B.C.D). Optionally, enter the distance metric (cost) for this route. The cost prioritizes routing to the destination. The lower the cost, the higher the priority.
ipsec <name>         Enter the keyword ipsec followed by the ipsec map name to use a static ipsec route map.
null 0               Enter the keyword null 0 to designate a null interface.

Usage Guidelines
This command configures a static route on the switch other than the default gateway. Use the ip default-gateway command to set the default gateway to the IP address of the interface on the upstream router or switch to which you connect the switch.
Example
The following command configures a static route:
(host) (config) #ip route 172.16.0.0 255.255.0.0 10.1.1.1
Command History
This command was available in AOS-W 3.0.
Command Information

Platform Available on all platforms

License Available in the base operating system

Command Mode
Config mode on master and local switches


lacp group
lacp group <group_number> mode {active | passive}
Description
Enable Link Aggregation Control Protocol (LACP) and configure LACP on the interface.

Parameter                 Description
<group_number>            Enter the link aggregation group (LAG) number. Range: 0-7
mode {active | passive}   Enter the keyword mode followed by either the keyword active or passive.
   • Active mode--the interface is in active negotiating state. LACP runs on any link that is configured to be in the active state. The port in an active mode also automatically initiates negotiations with other ports by initiating LACP packets.
   • Passive mode--the interface is not in an active negotiating state. LACP runs on any link that is configured in a passive state. The port in a passive mode responds to negotiations requests from other ports that are in an active state. Ports in passive state respond to LACP packets.

Usage Guidelines
LACP is disabled by default; this command enables LACP. If the group number assigned contains static port members, the command is rejected.
Related Command

Command                       Description
show lacp                     View the LACP configuration status
show lacp sys-id              View the LACP system ID information
show interface port-channel   View information on a specified port channel interface

Command History
Release AOS-W 3.4.1

Modification Command introduced

Command Information

Platform All Platforms

Licensing Base operating system

Command Mode
Configuration Interface Mode (config-if) for Master and Local switches


lacp port-priority
lacp port-priority <priority_value>
Description
Configure the LACP port priority.
Syntax

Parameter          Description
<priority_value>   Enter the port-priority value. The higher the value number the lower the priority. Range: 1 to 65535 Default: 255

Usage Guidelines
Set the port priority for LACP.
Related Commands

Command                       Description
lacp group                    Enable LACP and configure on the interface
show lacp                     View the LACP configuration status
show lacp sys-id              View the LACP system ID information
show interface port-channel   View information on a specified port channel interface

Command History
Release AOS-W 3.4.1

Modification Command introduced

Command Information

Platform All Platforms

Licensing Base operating system

Command Mode
Configuration Interface Mode (config-if) for Master and Local switches


lacp system-priority
lacp system-priority <priority_value>
Description
Configure the LACP system priority.
Syntax

Parameter <priority_value>

Description
Enter the system priority value. The higher the value number the lower the priority. Range: 1 to 65535 Default: 32768

Usage Guidelines
Set the LACP system priority.
Related Commands

Command                       Description
lacp group                    Enable LACP and configure on the interface
show lacp                     View the LACP configuration status
show lacp sys-id              View the LACP system ID information
show interface port-channel   View information on a specified port channel interface

Command History
Release AOS-W 3.4.1

Modification Command introduced

Command Information

Platforms All Platforms

Licensing Base operating system

Command Mode
Configuration Mode (config) for Master and Local switches


lacp timeout
lacp timeout {long | short}
Description
Configure the timeout period for the LACP session.
Syntax

Parameter   Description
long        Enter the keyword long to set the LACP session to 90 seconds. This is the default.
short       Enter the keyword short to set the LACP session to 3 seconds.

Usage Guidelines
The timeout value is the amount of time that a port-channel interface waits for a LACPDU (Link Aggregation Control Protocol data unit) from the remote system before terminating the LACP session. The default timeout value is 90 seconds (long).
Related Commands

Command                       Description
lacp group                    Enable LACP and configure on the interface
show lacp                     View the LACP configuration status
show lacp sys-id              View the LACP system ID information
show interface port-channel   View information on a specified port channel interface

Command History
Release AOS-W 3.4.1

Modification Command introduced

Command Information

Platforms All Platforms

Licensing Base operating system

Command Mode
Configuration Interface Mode (config-if) for Master and Local switches


lcd-menu
lcd-menu [no] disable menu [maintenance [factory-default | gui-quick-setup | media-eject | system-halt | system-reboot | upgrade-image [partition0 | partition1] | upload-config]]
Description
This command allows you to enable or disable the LCD menu either completely or for specific operations.
Syntax

Parameter                 Description
lcd-menu                  Enters the LCD menu configuration mode.
no                        Delete the specified LCD menu option.
disable                   Disables (or enables) the complete LCD menu.
maintenance               Disables (or enables) the maintenance LCD menu.
factory-default           Disables (or enables) the return to factory default option in the LCD menu.
media-eject               Disables (or enables) the media eject option in the LCD menu.
system-halt               Disables (or enables) the system halt option in the LCD menu.
system-reboot             Disables (or enables) the system reboot in the LCD menu.
upgrade-image             Disables (or enables) the upgrade image option in the LCD menu.
partition 0 partition 1   Disables (or enables) image upgrade on the specified partition (0 or 1).
upload-config             Disables (or enables) the upload config option in the LCD menu.

Default
Enabled Enabled Enabled Enabled Enabled Enabled Enabled Enabled

Usage Guidelines

You can use this command to disable executing the maintenance operations using the LCD menu. You can use the no form of these commands to enable the specific LCD menu. For example, the following commands enable system halt and system reboot options:

(host) (config) #lcd-menu
(host) (lcd-menu) #no disable menu maintenance system-halt
(host) (lcd-menu) #no disable menu maintenance system-reboot

You can use the following show command to display the current LCD settings:

(host)#show lcd-menu
lcd-menu
--------
Menu                                          Value
----                                          -----
menu maintenance upgrade-image partition0     enabled
menu maintenance upgrade-image partition1     enabled
menu maintenance system-reboot reboot-stack   enabled
menu maintenance system-reboot reboot-local   enabled
menu maintenance system-halt halt-stack       enabled
menu maintenance system-halt halt-local       enabled
menu maintenance upgrade-image                enabled
menu maintenance upload-config                enabled
menu maintenance factory-default              enabled
menu maintenance media-eject                  enabled
menu maintenance system-reboot                enabled
menu maintenance system-halt                  enabled
menu maintenance gui-quick-setup              enabled
menu maintenance                              enabled
menu                                          enabled

Example

The following example disables the LCD menu completely:

(host) #configure terminal
(host) (config) #lcd-menu
(host) (lcd-menu) #disable menu

The following example disables executing the specified maintenance operation using the LCD menu:

(host) #configure terminal
(host) (config) #lcd-menu
(host) (lcd-menu) #disable menu maintenance ?
factory-default         Disable factory default menu
gui-quick-setup         Disable quick setup menu on LCD
media-eject             Disable media eject menu on LCD
system-halt             Disable system halt menu on LCD
system-reboot           Disable system reboot menu on LCD
upgrade-image           Disable image upgrade menu on LCD
upload-config           Disable config upload menu on LCD
(host) (lcd-menu) #disable menu maintenance upgrade-image ?
partition0              Disable image upgrade on partition 0
partition1              Disable image upgrade on partition 1
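A check for which front-panel maintenance operations are still reachable, given captured show lcd-menu output. This is an added example, not part of AOS-W: the sample output is constructed, the two-column layout and the literal value "disabled" are assumptions, and so is the rule that an entry is reachable only when it and every parent row are enabled.

```python
# Maintenance operations taken from the `disable menu maintenance ?` help text on this page.
MAINTENANCE_OPS = (
    "factory-default", "gui-quick-setup", "media-eject", "system-halt",
    "system-reboot", "upgrade-image", "upload-config",
)

# Constructed sample, laid out like the `show lcd-menu` output in this section.
SAMPLE_OUTPUT = """\
lcd-menu
--------
Menu                                          Value
----                                          -----
menu maintenance upgrade-image partition0     enabled
menu maintenance upgrade-image partition1     enabled
menu maintenance system-reboot reboot-stack   enabled
menu maintenance system-reboot reboot-local   enabled
menu maintenance system-halt halt-stack       enabled
menu maintenance system-halt halt-local       enabled
menu maintenance upgrade-image                enabled
menu maintenance upload-config                disabled
menu maintenance factory-default              disabled
menu maintenance media-eject                  enabled
menu maintenance system-reboot                enabled
menu maintenance system-halt                  enabled
menu maintenance gui-quick-setup              enabled
menu maintenance                              enabled
menu                                          enabled
"""


def parse_lcd_menu(text):
    """Return {menu path as a tuple: True if enabled} for every data row."""
    state = {}
    for line in text.splitlines():
        fields = line.split()
        # Data rows start with the literal word "menu" and end with the value;
        # the title, header and dashed lines do not match and are skipped.
        if len(fields) >= 2 and fields[0] == "menu" and fields[-1] in ("enabled", "disabled"):
            state[tuple(fields[:-1])] = fields[-1] == "enabled"
    return state


def exposed_operations(state):
    """Maintenance operations still reachable from the LCD panel.

    Assumption: an entry is reachable only if it and each parent row are enabled.
    A row missing from the output is treated as enabled (the documented default).
    """
    def reachable(path):
        return all(state.get(path[:depth], True) for depth in range(1, len(path) + 1))

    return [op for op in MAINTENANCE_OPS if reachable(("menu", "maintenance", op))]


def remediation(state):
    """Commands documented on this page that switch off each exposed operation."""
    return [f"disable menu maintenance {op}" for op in exposed_operations(state)]


if __name__ == "__main__":
    parsed = parse_lcd_menu(SAMPLE_OUTPUT)
    print("Exposed:", ", ".join(exposed_operations(parsed)) or "none")
    for command in remediation(parsed):
        print("(lcd-menu) #" + command)
```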

Command History
Introduced in AOS-W 6.2

Command Information

Platform OAW-4x50 switch only.

License
Available in the base operating system

Command Mode Config mode on master switches


license
license {add <key>|del <key>|export <filename>|import <filename>|report <filename>}
Description
This command allows you to install, delete, and manage software licenses on the switch.
Syntax

Parameter   Description
add         Installs the software license key in the switch. The key is normally sent to you via email.
del         Removes the software license key from the switch. The key is normally sent to you via email.
export      Exports the license database on the switch to the specified file in flash.
import      Replaces the license database on the switch with the specified file in flash. The system serial numbers referenced in the imported file must match the numbers on the switch.
report      Saves a license report to the specified file in flash.

Usage Guidelines
Obtain an Alcatel-Lucent software license certificate from your Alcatel-Lucent sales representative or authorized reseller. Use the certificate ID and the system serial number to obtain a software license key which you install in the switch.
Users that are not very familiar with this procedure may wish to use the License Management page in the WebUI to install and manage licenses on the switch.

Example
The following command adds a license key on the switch:
license add 890BobXs-cVPCb3aJ-7FbCijhZ-BuQPtuI4-RjLJW6Pl-n5K
Command History
Introduced in AOS-W 3.0
Command Information

Platform Available on all platforms

License Available in the base operating system

Command Mode Enable mode on master and local switches


local-custom-cert
local-custom-cert local-mac <lmac> ca-cert <ca> server-cert <cert> suite-b <gcm-128 | gcm-256>
Description
This command configures the user-installed certificate for secure communication between a local switch and a master switch.
Syntax

Parameter             Description
<lmac>                MAC address of the local switch's user-installed certificate.
ca-cert <ca>          User-defined name of a trusted CA certificate installed on the local switch. Use the show crypto-local pki TrustedCA command to display the CA certificates that have been imported into the switch.
server-cert <cert>    User-defined name of a server certificate installed on the local switch. Use the show crypto-local pki ServerCert command to display the server certificates that have been imported into the switch.
suite-b               If you configure your master switches to use IKEv2 and custom-installed certificates, you can optionally use Suite-B cryptographic algorithms for IPsec encryption. Specify one of the following options:
                        gcm-128    Use 128-bit AES-GCM Suite-B encryption
                        gcm-256    Use 256-bit AES-GCM Suite-B encryption

Usage Guidelines
Use this command on a master switch to configure the custom certificate for communication with a local switch. On the local switch, use the masterip command to configure the IP address and certificates for the master switch. If your master and local switches use certificates for authentication, the IPsec tunnel will be created using IKEv2.
Example
The following command configures the local switch with a user-installed certificate:
(host) (config) #local-custom-cert local-mac 00:16:CF:AF:3E:E1 ca-cert cacert1 server-cert servercert1
Related Commands

Command               Description    Mode
show local-certmac    Display the IP, MAC address and certificate configuration of local switches in a master-local configuration    Config mode on master switches.

Command History
Introduced in AOS-W 6.1


Command Information

Platform Available on all platforms
License The suite-b gcm-128 and suite-b gcm-256 encryption options for IPsec custom certificates require the Advanced Cryptography (ACR) license. All other parameters are available in the base operating system.
Command Mode Config mode on master switches


local-factory-cert
local-factory-cert local-mac <lmac>
Description
This command configures the factory-installed certificate for secure communication between a local switch and a master switch.
Syntax

Parameter    Description
<lmac>       MAC address of the local switch's factory-installed certificate.

Usage Guidelines
Use this command on a master switch to configure the factory certificate for communication with a local switch. On the local switch, use the masterip command to configure the IP address and certificates for the master switch. If your master and local switches use certificates for authentication, the IPsec tunnel will be created using IKEv2.
Example
The following command configures the local switch with a factory-installed certificate:
(host) (config) #local-factory-cert local-mac 00:16:CF:AF:3E:E1
Related Commands

Command               Description    Mode
show local-certmac    Display the IP, MAC address and certificate configuration of local switches in a master-local configuration    Config mode on master switches.

Command History
Introduced in AOS-W 6.1
Command Information

Platform Available on all platforms
License Available in the base operating system
Command Mode Config mode on master switches


local-userdb-ap add
local-userdb-ap add mac-address <macaddr> ap-group <group> ap-name <ap-name> description <desc> full-name <full-name> remote-ip <ip-addr>
Description
This command adds an AP entry to the remote AP database.
Syntax

Parameter                    Description
mac-address <mac-address>    MAC address of the AP whose whitelist database entry you want to modify.
ap-group <ap-group>          AP group of the AP.
ap-name <ap-name>            Name of the AP.
description <description>    Description of the AP. If the description includes spaces, it must be enclosed within quotation marks.
full-name <full-name>        Name of the client using the AP.

Usage Guidelines
You can manually change or disable entries from the remote AP whitelist to temporarily revoke an AP's secure access to the network.
Example
The following command adds a remote AP whitelist entry for an AP with the MAC address 00:16:CF:AF:3E:E1:
(host) (config) #local-userdb-ap add mac-address 00:16:CF:AF:3E:E1 ap-group corp12 ap-name AP42 description "Adding new AP to first floor"
Command History

Version      Modification
AOS-W 3.0    Command introduced


local-userdb-guest add
local-userdb-guest add {generate-username|username <name>} {generate-password|password <passwd>} [comment <g_comments>][email <email>] [expiry {duration <minutes>|time <hh/mm/yyy> <hh:mm>}] [guest-company <g_company>][guest-fullname <g_fullname>][guest-phone <g-phone>][mode disable][opt-field-1 <opt1>][opt-field-2 <opt2>][opt-field-3 <opt3>][opt-field-4 <opt4>] [sponsor-dept <sp_dept>][sponsor-mail <sp_email>][sponsor-fullname <sp_fullname>][sponsor-name <sp_name>] [start-time <mm/dd/yyyy> <hh.mm>]
Description
This command creates a guest user in a local user database.
Syntax

Parameter            Description    Range    Default
generate-username    Automatically generate and add a guest username.    --    --
username             Add the specified guest username.    1-64 characters    --
generate-password    Automatically generate a password for the username.    --    --
password             Add the specified password for the username.    6-128 characters    --
comments             Comments added to the guest user account.    --    --
email                Email address for the guest user account.    --    --
expiry               Expiration for the user account. If this is not set, the account does not expire.    --    no expiration
duration             Duration, in minutes, for the user account.    1-2147483647    --
time                 Date and time, in mm/dd/yyy and hh:mm format, that the user account expires.    --    --
guest-company        Name of the guest's company. NOTE: A guest is the person who needs guest access to the company's Alcatel-Lucent wireless network.
guest-fullname       The guest's full name.
guest-phone          The guest's phone number.
mode                 Enables or disables the user account.    --    Disable
opt-field-1          This category can be used for some other purpose. For example, the optional category fields can be used for another person, such as a "Supervisor." You can enter username, full name, department and Email information into the optional fields.    --    --
opt-field-2          Same as opt-field-1.    --    --
opt-field-3          Same as opt-field-1.    --    --
opt-field-4          Same as opt-field-1.    --    --
sponsor-dept         The guest sponsor's department name. NOTE: A sponsor is the guest's primary contact for the visit.    --    --
sponsor-email        The sponsor's email address.    --    --
sponsor-fullname     The sponsor's full name.    --    --
sponsor-name         The sponsor's name.    --    --
start-time           Date and time, in mm/dd/yyy and hh:mm format, the guest account begins.    --    --

Usage Guidelines
When you specify the internal database as an authentication server, client information is checked against the user accounts in the internal database. You can modify an existing user account in the internal database with the local-userdb-guest modify command, or delete an account with the local-userdb-guest del command.
By default, the internal database in the master switch is used for authentication. Issue the aaa authentication-server internal use-local-switch command to use the internal database in a local switch; you then need to add user accounts to the internal database in the local switch.
Example
The following command adds a guest user in the internal database with an automatically-generated username and password:
(host) #local-userdb-guest add generate-username generate-password expiry none
The following information is displayed when you enter the command:
GuestConnect
Username: guest-5433352
Password: mBgJ6764
Expiration: none
Related Commands

Command                    Description    Mode
show local-userdb-guest    Show the parameters configured using the local-userdb-guest command.    Enable and Config modes
show local-userdb          Show the parameters configured using the local-userdb command.    Enable and Config modes


Command History
Introduced in AOS-W 3.4.
Command Information

Platform Available on all platforms

License Available in the base operating system. The role parameter requires the PEFNG license.
Command Mode Enable and config modes on master switches.


local-userdb-remote-node
local-userdb-remote-node add mac-address <mac-address> remote-node-profile <remote-node-profile>
del mac-address <mac-address>
Description
This command adds a Remote Node to the Remote Node whitelist. You can also delete the whitelist entry using this command.
Syntax

Parameter                                    Description    Range    Default
mac-address <mac-address>                    MAC address of the Remote Node in colon-separated six-octet format.    --    --
remote-node-profile <remote-node-profile>    The Remote Node configuration profile to be assigned to that Remote Node.    1-64 characters    --

Usage Guidelines
A Remote Node-master can only assign a configuration profile to a Remote Node in its Remote Node whitelist. To assign a different configuration to an unprovisioned Remote Node, you must delete the whitelist entry and create a new Remote Node whitelist entry with the correct Remote Node configuration profile. A remote-node profile has to be validated before it is configured and pushed to a Remote Node.
Example
This example adds the Remote Node profile named Location-1 to the Remote Node whitelist.
(remote-node-master) #local-userdb-remote-node add mac-address 00:16:CF:AF:3E:E1 remote-node-profile Location_1
This example removes a Remote Node from the Remote Node whitelist.
(remote-node-master)(config) #local-userdb-remote-node del mac-address 00:16:CF:AF:3E:E1
Related Commands

Command                          Description    Mode
remote-node-localip              Configures security for all Remote Node and Remote Switch control traffic.    Config modes
remote-node-masterip             Configures security for the Remote Node master IP address.    Config mode
remote-node-profile              The remote-node-profile command lets you create a Remote Node profile.    Config mode
show remote-node                 Shows Remote Node configuration, dhcp instance, license usage and running configuration information.    Enable and Config mode
show remote-node-dhcp-pool       Shows Remote Node dhcp pool configuration information.    Enable and Config mode
show remote-node-profile         Shows Remote Node profile status information.    Enable and Config mode
show local-userdb-remote-node    The output of this command lists the MAC address and assigned Remote Node-profile of each Remote Node associated with that Remote Node master.    Enable and Config mode

Command History
Version      Modification
AOS-W 6.0    Command introduced.

Command Information

Platform Available on all platforms

License Available in the base operating system.

Command Mode Enable mode on master switches.


local-userdb add
local-userdb add {generate-username|username <name>} {generate-password|password <passwd>} [comment <g_comments>][email <email>] [expiry {duration <minutes>|time <hh/mm/yyy> <hh:mm>}] [guest-company <g_company>][guest-fullname <g_fullname>][guest-phone <g-phone>][mode disable] [opt-field-1 <opt1>][opt-field-2 <opt2>][opt-field-3 <opt3>][opt-field-4 <opt4>][remote-ip <ip-addr>][role <role>][sponsor-dept <sp_dept>][sponsor-mail <sp_email>][sponsor-fullname <sp_fullname>][sponsor-name <sp_name>] [start-time <mm/dd/yyyy> <hh.mm>]
Description
This command creates a user account entry in the switch's internal database.
Syntax

Parameter            Description    Range    Default
generate-username    Automatically generate and add a username.    --    --
username             Add the specified username.    1-64 characters    --
generate-password    Automatically generate a password for the username.    --    --
password             Add the specified password for the username.    6-128 characters    --
comments             Comments added to the user account.    --    --
email                Email address for the user account.    --    --
expiry               Expiration for the user account. If this is not set, the account does not expire.    --    no expiration
duration             Duration, in minutes, for the user account.    1-2147483647    --
time                 Date and time, in mm/dd/yyy and hh:mm format, that the user account expires.    --    --
guest-company        Name of the guest's company. NOTE: A guest is the person who needs guest access to the company's Alcatel-Lucent wireless network.
guest-fullname       The guest's full name.
guest-phone          The guest's phone number.
mode                 Enables or disables the user account.    --    Disable
opt-field-1          This category can be used for some other purpose. For example, the optional category fields can be used for another person, such as a "Supervisor." You can enter username, full name, department and Email information into the optional fields.    --    --
opt-field-2          Same as opt-field-1.    --    --
opt-field-3          Same as opt-field-1.    --    --
opt-field-4          Same as opt-field-1.    --    --
remote-ip            IP address assigned to the remote peer.
role                 Role for the user. This role takes effect when the internal database is specified in a server group profile with a server derivation rule. If there is no server derivation rule configured, then the user is assigned the default role for the authentication method.    --    guest
sponsor-dept         The guest sponsor's department name. NOTE: A sponsor is the guest's primary contact for the visit.    --    --
sponsor-email        The sponsor's email address.    --    --
sponsor-fullname     The sponsor's full name.    --    --
sponsor-name         The sponsor's name.    --    --
start-time           Date and time, in mm/dd/yyy and hh:mm format, the guest account begins.    --    --

Usage Guidelines
When you specify the internal database as an authentication server, client information is checked against the user accounts in the internal database. You can modify an existing user account in the internal database with the local-userdb modify command, or delete an account with the local-userdb del command.
By default, the internal database in the master switch is used for authentication. Issue the aaa authentication-server internal use-local-switch command to use the internal database in a local switch; you then need to add user accounts to the internal database in the local switch.
Example
The following command adds a user account in the internal database with an automatically-generated username and password:
(host) #local-userdb add generate-username generate-password expiry duration 480
The following information is displayed when you enter the command:
GuestConnect
Username: guest4157
Password: cDFD1675
Expiration: 480 minutes


Related Commands
Command                    Description    Mode
show local-userdb          Use this command to show the parameters displayed in the output of this command.    Enable and Config modes
show local-userdb-guest    Use this command to show the parameters displayed in the output of the local-userdb-guest add command.    Enable and Config modes
mgmt-user                  Use the webui-cacert <certificate name> command if you want an external authentication server to derive the management user role. This is helpful if there are a large number of users who need to be authenticated. Use the mgmt-user webui-cacert <certificate_name> serial <number> <username> <role> command if you want the authentication process to use previously configured certificate name and serial number to derive the user role.    Config mode

Command History
Version      Modification
AOS-W 3.0    Introduced for the first time.
AOS-W 3.4    The guest, sponsor and optional field parameters were added.

Command Information

Platform Available on all platforms

License Available in the base operating system. The role parameter requires the PEFNG license.

Command Mode Enable mode on master switches.


localip
localip <ipaddr> ipsec <key>
Description
This command configures the IP address and preshared key for the local switch on a master switch.
Syntax

Parameter      Description
<ipaddr>       IP address of the local switch. Use the 0.0.0.0 address to configure a global preshared key for all inter-switch communications.
ipsec <key>    To establish the master-local IPsec tunnel using IKEv1, enter a preshared key between 6-64 characters.

Usage Guidelines
Use this command on a master switch to configure the IP address and preshared key or certificates for communication with a local switch. On the local switch, use the masterip command to configure the IP address and preshared key for the master switch. If your master and local switches use a pre-shared key for authentication, they will create the IPsec tunnel using IKEv1.
Example
The following command configures the local switch with a pre-shared key:
(host) (config) #localip 0.0.0.0 ipsec gw1234xyz
Command History
Command introduced in AOS-W 3.0.
Command Information

Platform Available on all platforms

License Available in the base operating system

Command Mode Config mode on master switches
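
This guide gives three ways to authenticate the master-local IPsec tunnel: localip with a pre-shared key (IKEv1), local-factory-cert and local-custom-cert (IKEv2). The Python below is an added example, not part of the AOS-W guide or software, that reviews such commands before a change is pushed; the sample commands, the finding names and the 20-character review threshold are assumptions of the example.

```python
import ipaddress
import shlex

# Constructed input: commands in the syntax documented on this page, as they
# might sit in a provisioning template. Keys, MACs and names are made up.
SAMPLE_COMMANDS = """\
localip 0.0.0.0 ipsec gw1234xyz
localip 10.4.62.9 ipsec Zq8-constructed-example-key-71b
localip 10.4.62.10 ipsec abc
local-factory-cert local-mac 00:16:CF:AF:3E:E1
local-custom-cert local-mac 00:16:CF:AF:3E:E2 ca-cert cacert1 server-cert servercert1
local-custom-cert local-mac 00:16:CF:AF:3E:E3 ca-cert cacert1 server-cert servercert1 suite-b gcm-256
"""

PSK_MIN, PSK_MAX = 6, 64   # length range this page gives for "ipsec <key>"
REVIEW_PSK_LEN = 20        # assumption of this example, not a vendor value
SUITE_B = {"gcm-128", "gcm-256"}


def audit_line(line):
    """Classify one master-local peer definition; None for unrelated lines."""
    tok = shlex.split(line)
    if not tok:
        return None
    if tok[0] == "localip" and len(tok) == 4 and tok[2] == "ipsec":
        return _audit_psk(tok[1], tok[3])
    if tok[0] in ("local-custom-cert", "local-factory-cert"):
        # Everything after the command name is keyword/value pairs.
        return _audit_cert(tok[0], dict(zip(tok[1::2], tok[2::2])))
    return None


def _audit_psk(addr, key):
    findings = []
    try:
        is_global = ipaddress.ip_address(addr) == ipaddress.ip_address("0.0.0.0")
    except ValueError:
        is_global = False
        findings.append("bad-address")
    if not PSK_MIN <= len(key) <= PSK_MAX:
        findings.append("psk-length-out-of-range")
    elif len(key) < REVIEW_PSK_LEN:
        findings.append("psk-short")
    if is_global:
        # One key shared by every local switch: no per-peer rotation or revocation.
        findings.append("global-psk")
    # A pre-shared key means the tunnel is negotiated with IKEv1.
    return {"peer": addr, "auth": "psk", "ike": "IKEv1", "findings": findings}


def _audit_cert(cmd, opts):
    findings = []
    if "local-mac" not in opts:
        findings.append("missing-local-mac")
    if cmd == "local-custom-cert":
        for required in ("ca-cert", "server-cert"):
            if required not in opts:
                findings.append("missing-" + required)
        suite = opts.get("suite-b")
        if suite is not None:
            # The suite-b options need the Advanced Cryptography (ACR) license.
            findings.append("needs-acr-license" if suite in SUITE_B
                            else "unknown-suite-b-option")
    auth = "custom-cert" if cmd == "local-custom-cert" else "factory-cert"
    # Certificate authentication means the tunnel is negotiated with IKEv2.
    return {"peer": opts.get("local-mac"), "auth": auth, "ike": "IKEv2",
            "findings": findings}


def audit(text):
    """Audit every recognised command in a block of configuration text."""
    results = []
    for line in text.splitlines():
        result = audit_line(line)
        if result is not None:
            results.append(result)
    return results


def ike_summary(results):
    """Count peers per IKE version, to see how much still relies on PSKs."""
    counts = {"IKEv1": 0, "IKEv2": 0}
    for r in results:
        counts[r["ike"]] += 1
    return counts


if __name__ == "__main__":
    for r in audit(SAMPLE_COMMANDS):
        print(r["peer"], r["auth"], r["ike"], ", ".join(r["findings"]) or "ok")
    print(ike_summary(audit(SAMPLE_COMMANDS)))
```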


local-userdb-ap del
local-userdb-ap del mac-address <mac-addr> ap-group ap-name description full-name mode remote-ip
Description
This command deletes an AP entry from the remote AP database.
Syntax

Parameter                Description
mac-address <macaddr>    MAC address of the AP to be removed from the AP database.

Usage Guidelines
Issue this command to permanently delete any AP entries from the remote AP database. To temporarily revoke a lost or stolen remote AP to prevent unauthorized users from accessing the company's corporate network, use the command local-userdb-ap revoke.
Example
The example below deletes an AP from the remote AP whitelist.
(host)(config) #local-userdb-ap del mac-addr 00:0b:86:c3:58:38
Related Commands

Command                        Description
lacp group                     Enable LACP and configure on the interface
show lacp                      View the LACP configuration status
show lacp sys-id               View the LACP system ID information
show interface port-channel    View information on a specified port channel interface

Command History
Version      Modification
AOS-W 3.0    Command introduced.
AOS-W 6.2    Command replaced by .


local-userdb-ap modify
local-userdb-ap modify mac-address <macaddr> ap-name <ap-name> description <desc> full-name <full-name> remote-ip <ip-addr>
Description
Modify an AP entry in the remote AP whitelist.
Syntax

Parameter                    Description
mac-address <mac-address>    MAC address of the AP whose whitelist database entry you want to modify.
ap-group <ap-group>          AP group of the AP.
ap-name <ap-name>            Name of the AP.
description <description>    Description of the AP. If the description includes spaces, it must be enclosed within quotation marks.
full-name <full-name>        Name of the client using the AP.
mode enable|disable          Enable or disable the AP without deleting it from the database.

Usage Guidelines
You can manually change or disable entries from the AP whitelist to temporarily revoke an AP's secure access to the network.
Example
The following command modifies an AP whitelist entry for an AP with the MAC address 00:16:CF:AF:3E:E1:
(host) (config) #local-userdb-ap modify mac-address 00:16:CF:AF:3E:E1 description "AP moved to second floor"
Command History

Version      Modification
AOS-W 3.0    Command introduced.


local-userdb-ap revoke
local-userdb-ap revoke mac-address <macaddr> revoke-comment <comment>
Syntax

Parameter                   Description
mac-address <macaddr>       MAC address of the AP to be removed from the AP database.
revoke-comment <comment>    Text string describing why the AP was revoked.

Description
Revoke a lost or stolen remote AP to prevent unauthorized users from accessing the company's corporate network. To permanently remove an AP from the whitelist, use the command local-userdb-ap del.
Example
The example below revokes an AP's entry from the remote AP whitelist.
(host)(config) #local-userdb-ap revoke mac-addr 00:0b:86:c3:58:38 revoke-comment "removing this AP from the 1st floor"
Command History

Version      Modification
AOS-W 3.0    Command introduced.


local-userdb del
local-userdb {del username <name>|del-all}
Description
This command deletes entries in the switch's internal database.
Syntax

Parameter       Description
del username    Deletes the user account for the specified username.
del-all         Deletes all entries in the internal database.

Usage Guidelines
User account entries created with expirations are automatically deleted from the internal database at the specified expiration. Use this command to delete an entry before its expiration or to delete an entry that was created without an expiration.
Example
The following command deletes a specific user account entry:
(host)#local-userdb del username guest4157
Command History
Introduced in AOS-W 3.0.
Command Information

Platform Available on all platforms

License Available in the base operating system

Command Mode Enable mode on master switches.


local-userdb export
local-userdb export <filename>
Description
This command exports the internal database to a file.
Use this command with caution. It replaces the existing users with user entries from the imported file.

Syntax
Parameter    Description
export       Saves the internal database to the specified file in flash.

Usage Guidelines
After using this command, you can use the copy command to transfer the file from flash to another location.
Example
The following command saves the internal database to a file:
(host)#local-userdb export jan-userdb
Command History
Introduced in AOS-W 3.0.
Command Information

Platform Available on all platforms

License Available in the base operating system

Command Mode Enable mode on master switches.


local-userdb fix-database
local-userdb fix-database
Description
This command deletes and reinitializes the internal database.
Syntax
No parameters.
Usage Guidelines
Before using this command, you can save the internal database with the local-userdb export command.
Command History
Introduced in AOS-W 3.0.
Command Information

Platform Available on all platforms

License Available in the base operating system

Command Mode Enable mode on master switches.


local-userdb-guest del
local-userdb-guest {del username <name>|del-all}
Description
This command deletes entries in the switch's internal database.
Syntax

Parameter       Description
del username    Deletes the user account for the specified username.
del-all         Deletes all entries in the internal database.

Usage Guidelines
User account entries created with expirations are automatically deleted from the internal database at the specified expiration. Use this command to delete an entry before its expiration or to delete an entry that was created without an expiration.
Example
The following command deletes a specific user account entry:
(host) #local-userdb-guest del username guest4157
Command History
Introduced in AOS-W 3.4.
Command Information

Platform Available on all platforms

License Available in the base operating system

Command Mode Enable and config modes on master switches.


local-userdb-guest modify
local-userdb-guest modify username <name> [comments <g_comments>][email <email>] [expiry {duration <minutes>|time <hh/mm/yyy> <hh:mm>}] [guest-company <g_company>][guest-fullname <g_fullname>][guest-phone <g-phone>][mode disable][opt-field-1 <opt1>][opt-field-2 <opt2>][opt-field-3 <opt3>][opt-field-4 <opt4>][password <passwd>][sponsor-dept <sp_dept>][sponsor-mail <sp_email>][sponsor-fullname <sp_fullname>][sponsor-name <sp_name>][start-time <mm/dd/yyyy> <hh.mm>]
Description
This command modifies an existing guest user entry in the switch's internal database.
Syntax

Parameter           Description    Range    Default
username            Name of the existing user account entry.    1-64 characters    --
comments            Comments added to the user account.    --    --
email               Email address for the user account.    --    --
expiry              Expiration for the user account. If this is not set, the account does not expire.    --    no expiration
duration            Duration, in minutes, for the user account.    1-2147483647    --
time                Date and time, in mm/dd/yyy and hh:mm format, that the user account expires.    --    --
guest-company       Name of the guest's company. NOTE: A guest is the person who needs guest access to the company's Alcatel-Lucent wireless network.
guest-fullname      The guest's full name.
guest-phone         The guest's phone number.
mode                Enables or disables the user account.    --    Disable
opt-field-1         This category can be used for some other purpose. For example, the optional category fields can be used for another person, such as a "Supervisor." You can enter username, full name, department and Email information into the optional fields.    --    --
opt-field-2         Same as opt-field-1.    --    --
opt-field-3         Same as opt-field-1.    --    --
opt-field-4         Same as opt-field-1.    --    --
password            User's password    1-6 characters    --
sponsor-dept        The guest sponsor's department name. NOTE: A sponsor is the guest's primary contact for the visit.    --    --
sponsor-email       The sponsor's email address.    --    --
sponsor-fullname    The sponsor's full name.    --    --
sponsor-name        The sponsor's name.    --    --
start-time          Date and time, in mm/dd/yyy and hh:mm format, the guest account begins.    --    --

Usage Guidelines
Use the show local-userdb-guest command to view the current user account entries in the internal database.
Example
The following command disables a guest user account in the internal database:
(host) #local-userdb-guest modify username guest4157 mode disable
Command History
Introduced in AOS-W 3.4.
Command Information

Platform Available on all platforms

License Available in the base operating system

Command Mode Enable and config modes on master switches.


local-userdb-guest send-email
local-userdb-guest send-email <username> [to-guest][to-sponsor]
Description
This command causes the switch to send email to the guest and/or sponsor any time a guest user is created.
Syntax

Parameter     Description    Range    Default
<username>    Name of the guest    1-64 characters    --
to-guest      Allows you to send email to the guest user's address.    --    --
to-sponsor    Allows you to send email to the sponsor's email address.    --    --

Usage Guidelines
This command allows the guest provisioning user or network administrator to cause the switch to send email to the guest and/or sponsor any time a guest user is created.
Example
The following command causes the switch to send an email to the sponsor alerting them that the guest user "Laura" was just created.
(host)# local-userdb-guest send-email Laura to-sponsor
Command History
Introduced in AOS-W 3.4.
Command Information

Platform Available on all platforms

License Available in the base operating system

Command Mode Enable mode on master switches


local-userdb import
local-userdb import <filename>
Description
This command replaces the internal database with the specified file from flash.
Syntax

Parameter    Description
import       Replaces the internal database with the specified file.

Usage Guidelines
This command replaces the contents of the internal database with the contents in the specified file. The file must be a valid internal database file saved with the local-userdb export command.
Example
The following command imports the specified file into the internal database:
(host)#local-userdb import jan-userdb
Command History
Introduced in AOS-W 3.0.
Command Information

Platform Available on all platforms

License Available in the base operating system

Command Mode Enable mode on master switches.


local-userdb maximum-expiration
local-userdb maximum-expiration <minutes>
Description
This command configures the maximum time, in minutes, that a guest account in the internal database can remain valid.
Syntax

Parameter             Description    Range
maximum-expiration    Maximum time, in minutes, that a guest account in the internal database can remain valid.    1-2147483647

Usage Guidelines
The user in the guest-provisioning role cannot create guest accounts that expire beyond the configured maximum time. This command is not available to the user in the guest-provisioning role.
Example
The following command sets the maximum time for guest accounts in the internal database to 8 hours (480 minutes):
(host)(config)#local-userdb maximum-expiration 480
Command History
Introduced in AOS-W 3.0.
Command Information

Platform Available on all platforms

License Available in the base operating system

Command Mode Configuration mode on master switches.
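
Accounts created with local-userdb add or local-userdb-guest add never expire unless an expiry is given, and the maximum-expiration limit binds only the guest-provisioning role. The Python below is an added example, not part of the AOS-W guide or software, that lints such commands against the ranges documented on this page and applies the configured maximum to every account as a policy check; the sample commands and finding names are assumptions of the example.

```python
import shlex

# Ranges documented on this page for local-userdb add / local-userdb-guest add.
USERNAME_LEN = (1, 64)
PASSWORD_LEN = (6, 128)
DURATION_MINUTES = (1, 2147483647)
NO_ARG = {"generate-username", "generate-password"}

# Constructed input: commands in the syntax shown on this page; the accounts
# and passwords are made up.
SAMPLE_COMMANDS = """\
local-userdb maximum-expiration 480
local-userdb-guest add generate-username generate-password expiry none
local-userdb add generate-username generate-password expiry duration 480
local-userdb add username contractor7 password abc12 expiry duration 10080
local-userdb-guest add username visitor1 generate-password comment "lobby badge 12"
"""


def parse_add(tokens):
    """Turn the keywords after 'add' into a dict; expiry is a tuple or None."""
    acct = {"expiry": None}
    i = 0
    while i < len(tokens):
        word = tokens[i]
        if word in NO_ARG:
            acct[word] = True
            i += 1
        elif word == "expiry":
            kind = tokens[i + 1]
            if kind == "none":
                i += 2
            elif kind == "duration":
                acct["expiry"] = ("duration", int(tokens[i + 2]))
                i += 3
            elif kind == "time":
                acct["expiry"] = ("time", tokens[i + 2] + " " + tokens[i + 3])
                i += 4
            else:
                raise ValueError("unknown expiry form: " + kind)
        else:
            acct[word] = tokens[i + 1]   # every other keyword takes one value
            i += 2
    return acct


def _in_range(value, bounds):
    return bounds[0] <= value <= bounds[1]


def check_account(acct, max_minutes=None):
    """Return findings for one parsed account, in a fixed order."""
    findings = []
    if "username" in acct and not _in_range(len(acct["username"]), USERNAME_LEN):
        findings.append("username-length-out-of-range")
    if "password" in acct and not _in_range(len(acct["password"]), PASSWORD_LEN):
        findings.append("password-length-out-of-range")
    expiry = acct["expiry"]
    if expiry is None:
        # No expiry set: the account stays in the database until deleted.
        findings.append("never-expires")
    elif expiry[0] == "duration":
        if not _in_range(expiry[1], DURATION_MINUTES):
            findings.append("duration-out-of-range")
        elif max_minutes is not None and expiry[1] > max_minutes:
            findings.append("exceeds-maximum-expiration")
    return findings


def audit(text):
    """Return (line_number, findings) for every add command in the text."""
    lines = [shlex.split(raw) for raw in text.splitlines()]
    max_minutes = None
    for tok in lines:
        if tok[:2] == ["local-userdb", "maximum-expiration"]:
            max_minutes = int(tok[2])
    report = []
    for number, tok in enumerate(lines, start=1):
        is_add = (len(tok) > 2 and tok[1] == "add"
                  and tok[0] in ("local-userdb", "local-userdb-guest"))
        if is_add:
            report.append((number, check_account(parse_add(tok[2:]), max_minutes)))
    return report


if __name__ == "__main__":
    for number, findings in audit(SAMPLE_COMMANDS):
        print(number, ", ".join(findings) or "ok")
```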


local-userdb modify
local-userdb modify username <name> [comments <g_comments>][email <email>] [expiry {duration <minutes>|time <hh/mm/yyy> <hh:mm>}] [guest-company <g_company>][guest-fullname <g_fullname>] [guest-phone <g-phone>][mode disable][opt-field-1 <opt1>][opt-field-2 <opt2>][opt-field-3 <opt3>][opt-field-4 <opt4>][remote-ip <ip-addr>][role <role>][sponsor-dept <sp_dept>][sponsor-mail <sp_email>][sponsor-fullname <sp_fullname>][sponsor-name <sp_name>][start-time <mm/dd/yyyy> <hh.mm>]
Description
This command modifies an existing user account entry in the switch's internal database.
Syntax

Parameter           Description    Range    Default
username            Name of the existing user account entry.    1-64 characters    --
comments            Comments added to the user account.    --    --
email               Email address for the user account.    --    --
expiry              Expiration for the user account. If this is not set, the account does not expire.    --    no expiration
duration            Duration, in minutes, for the user account.    1-2147483647    --
time                Date and time, in mm/dd/yyy and hh:mm format, that the user account expires.    --    --
guest-company       Name of the guest's company. NOTE: A guest is the person who needs guest access to the company's Alcatel-Lucent wireless network.
guest-fullname      The guest's full name.
guest-phone         The guest's phone number.
mode                Enables or disables the user account.    --    Disable
opt-field-1         This category can be used for some other purpose. For example, the optional category fields can be used for another person, such as a "Supervisor." You can enter username, full name, department and Email information into the optional fields.    --    --
opt-field-2         Same as opt-field-1.    --    --
opt-field-3         Same as opt-field-1.    --    --
opt-field-4         Same as opt-field-1.    --    --
remote-ip           IP address assigned to the remote peer.
role                Role for the user. This parameter requires the PEFNG license.    --    guest
sponsor-dept        The guest sponsor's department name. NOTE: A sponsor is the guest's primary contact for the visit.    --    --
sponsor-email       The sponsor's email address.    --    --
sponsor-fullname    The sponsor's full name.    --    --
sponsor-name        The sponsor's name.    --    --
start-time          Date and time, in mm/dd/yyy and hh:mm format, the guest account begins.    --    --

Usage Guidelines
Use the show local-userdb command to view the current user account entries in the internal database.
Example
The following command disables an existing user account in the internal database:
(host)# local-userdb modify username guest4157 mode disable
Command History

Release | Modification
AOS-W 3.0 | Introduced for the first time.
AOS-W 3.4 | The guest, sponsor and optional parameters were added.

Command Information

Platform | License | Command Mode
Available on all platforms | Available in the base operating system | Enable mode on master switches.

local-userdb send-to-guest
local-userdb send-to-guest
Description
This command automatically sends email to the guest when the guest user is created.
Syntax
No parameters.
Usage Guidelines
A guest is the person who needs guest access to the company's Alcatel-Lucent wireless network. Email is sent directly to the guest after the guest user is created. When configuring the guest provisioning feature, the guest user is generally created by the Guest Provisioning user. This is the person who is responsible for signing in guests at your company.
Example
(host)(config) #local-userdb send-to-guest
Command History
Introduced in AOS-W 3.4.
Command Information

Platform | License | Command Mode
Available on all platforms | Available in the base operating system | Configuration mode on master switches.

local-userdb send-to-sponsor
local-userdb send-to-sponsor
Description
This command automatically sends email to the guest's sponsor when the guest user is created.
Syntax
No parameters.
Usage Guidelines
The sponsor is the guest's primary contact. Email is sent directly to the guest's sponsor after the guest user is created. When configuring the guest provisioning feature, the sponsor is generally created by the Guest Provisioning user. This is the person who is responsible for signing in guests at your company.
Example
(host)(config)#local-userdb send-to-sponsor
Command History
Introduced in AOS-W 3.4.
Command Information

Platform | License | Command Mode
Available on all platforms | Available in the base operating system | Configuration mode on master switches.

location
location <string>
Description
This command configures the location of the switch.
Syntax

Parameter | Description
location | A text string that specifies the system location.

Usage Guidelines
Use this command to indicate the location of the switch. You can use a combination of numbers, letters, characters, and spaces to create the name. To include a space in the name, use quotation marks to enclose the text string. To change the existing name, enter the command with a different string. To unconfigure the location, enter "" at the prompt.
Example
The following command configures the location:
(host) (config) #location "Building 10, second floor, room 21E"
Command History
Introduced in AOS-W 3.0
Command Information

Platform | License | Command Mode
Available on all platforms | Available in the base operating system | Config mode on master switches

logging
logging <ipaddr> [facility]|[severity]|[type]
Description
Use this command to specify the IP address of the remote logging server, facility, severity, and the type.
Syntax

Parameter | Description | Range | Default
facility | To set the remote logging server facility. | local0 to local7 | --
severity | To set the remote logging server severity. | -- | --
type | To set the remote logging server message type. | -- | --

Usage Guidelines
The local use facilities (local0, local1, local2, local3, local4, local5, local6, and local7) are not reserved for specific message-generating sources, and can be used for sending syslog messages. Use the show logging command to verify that the device sends logging messages.
Example
The following command adds the remote logging server with the IP address 10.1.2.3 with a user log type using local4.
(host) (config) #logging 1.1.1.1 user facility local4
Command History
Introduced in AOS-W 6.0
Command Information

Platform | License | Command Mode
Available on all platforms | Available in the base operating system | Config mode on master switches

logging facility
logging facility <facility>
Description
Use this command to set the facility to use when logging to the remote syslog server.
Syntax

Parameter | Description | Range
<facility> | The facility to use when logging to a remote syslog server. | local0 to local7

Usage Guidelines
The local use facilities (local0, local1, local2, local3, local4, local5, local6, and local7) are not reserved for specific message-generating sources, and can be used for sending syslog messages.
Example
The following command sets the facility to local4.
(host) (config) #logging facility local4
Command History
Introduced in AOS-W 2.5
Command Information

Platform | License | Command Mode
Available on all platforms | Available in the base operating system | Config mode on master switches

logging level
logging level <level> <category> [process <process>] [subcat <subcategory>]
Description
Use this command to set the categories or subcategories and the severity levels of messages that are logged.
Syntax

Parameter | Description
<level> | The message severity level, which can be one of the following (in order of severity level):
- emergencies (0): Panic conditions that occur when the system becomes unstable.
- alerts (1): Any condition requiring immediate attention and correction.
- critical (2): Any critical conditions, such as hard drive errors.
- errors (3): Error conditions.
- warnings (4): Warning messages.
- notifications (5): Significant events of a non-critical and normal nature.
- informational (6): Messages of general interest to system users.
- debugging (7): Messages containing information for debugging purposes.
<category> | Message category, which can be one of the following:
- ap-debug: AP troubleshooting messages. You must specify a debug value.
- network: Network messages.
- security: Security messages.
- system: System messages.
- user: User messages.
- user-debug: User troubleshooting messages. You must specify a MAC address.
- wireless: Wireless messages.
process | Switch process, which can be one of the following:
- aaa: AAA logging
- ads: Anomaly detection
- approc: AP processes
- authmgr: User authentication
- cfgm: Configuration Manager
- crypto: VPN (IKE/IPsec)
- cts: Transport service
- dbsync: Database synchronization
- dhcpd: DHCP packets
- esi: External Services Interface
- fpapps: Layer 2 and 3 control
- httpd: Apache
- l2tp: L2TP
- licensemgr: License manager
- localdb: Local database
- mobileip: Mobile IP
- packetfilter: Packet filtering of messaging and control frames
- pim: Protocol Independent Multicast
- pppoed: PPPoE
- pptp: PPTP
- processes: Run-time processes
- profmgr: Profile Manager
- publisher: Publish subscribe service
- rfm: RF Troubleshooting Manager
- snmp: SNMP
- stm: Station management
- syslogdwrap: Syslogd wrap
- traffic: Traffic
- vrrpd: VRRP
- wms: Wireless management (master switch only)
subcat | Message subcategory, which depends upon the message category specified. The following lists the subcategories available for each message category:
- ap-debug: all
- network: all, dhcp, mobility, packet-dump
- security: aaa, all, dot1x, firewall, ike, mobility, packet-trace, vpn, webserver
- system: all, configuration, messages, snmp, webserver
- user: all, captive-portal, dot1x, radius, vpn
- user-debug: all, configuration
- wireless: all

Usage Guidelines
There are eight logging severity levels, each with its associated types of messages. Each level also includes the levels below it. For example, if you set the logging level to informational (6), all messages from level 0 through level 5 (from emergencies through notifications) are also logged. The warnings severity level is set by default for all message categories.
Only the logging level warnings security subcat ids and logging level warnings security subcat ids-ap subcategories are enabled by default. Other subcategories are not generated by default even if their severity is warning or higher. Issue the logging level command to enable all other message subcategories.
Example
The following command logs critical system messages.
logging level critical system

Command History
Introduced in AOS-W 2.5
Command Information

Platform | License | Command Mode
Available on all platforms | Available in the base operating system | Config mode on master and local switches

loginsession
loginsession timeout <minutes>
Description
This command configures the time a management session (via Telnet or SSH) remains active without user activity.
Syntax

Parameter | Description | Range | Default
timeout | Number of seconds or minutes that a management session remains active without any user activity. | 5-60 minutes or 1-3600 seconds, 0 to disable | 15 minutes

Usage Guidelines
The management user must re-login to the switch after a Telnet or SSH session times out. If you set the timeout value to 0, sessions do not time out. The TCP session timeout for wireless and wired user sessions through the switch is 15 minutes; this timeout for user sessions is not configurable.
Example
The following command configures management sessions on the switch to not time out:
(host) (config) #loginsession timeout 0
Command History
This command was available in AOS-W 3.0
Command Information

Platform | License | Command Mode
Available on all platforms | Requires the PEFNG license | Config mode on master switches

logout
logout
Description
This command exits the current CLI session.
Syntax
No parameters.
Usage Guidelines
Use this command to leave the current CLI session and return to the user login.
Example
The following command exits the CLI session:
(host) >logout
User:
Command History
This command was available in AOS-W 3.0.
Command Information

Platforms | Licensing | Command Mode
All platforms | Base operating system | User mode on local or master switches

mac-address-table
mac-address-table static <macaddr> {fastethernet|gigabitethernet} <slot>/<port> vlan <vlan>
Description
This command adds a static entry to the MAC address table.
Syntax

Parameter | Description | Range
<macaddr> | Media Access Control (MAC) address, in the format xx:xx:xx:xx:xx:xx. | --
<slot> | <slot> is always 1 except for the OAW-6000 Switch, where the slots can be 1, 2, or 3. | --
<port> | Number assigned to the network interface embedded in the switch or in the line card installed in the OAW-6000 Switch. Port numbers start at 0 from the left-most position. |
vlan | ID number of the VLAN. | 1-4094

Usage Guidelines
The MAC address table is used to forward traffic between ports on the switch. The table includes addresses learned by the switch. This command allows you to manually enter static addresses that are bound to specific ports and VLANs.
Example
The following command configures a MAC address table entry:
(host) (config) #mac-address-table static 00:0b:86:f0:05:60 fastethernet 1/12 vlan 22
Command History
Available in AOS-W 3.0
Command Information

Platform | License | Command Mode
Available on all platforms | Available in the base operating system | Config mode on master and local switches

master-redundancy master-vrrp
master-redundancy master-vrrp <id>
Description
This command associates a VRRP instance with master switch redundancy.
Syntax

Parameter | Description | Range
<id> | The virtual router ID for the VRRP instance configured with the vrrp command. | 1-255

Usage Guidelines
To maintain a highly redundant network, you can use a switch as a standby for the master switch. The underlying protocol used is VRRP which you configure using the vrrp command.
Example
The following command configures VRRP for the initially preferred master switch:
(host) (config) #vrrp 22
   vlan 22
   ip address 10.200.22.254
   priority 110
   preempt
   description Preferred-Master
   tracking master-up-time 30 add 20
   no shutdown
master-redundancy
   master-vrrp 22
   peer-ip-address 192.168.2.1 ipsec qwerTY012
The following shows the corresponding VRRP configuration for the peer switch.
(host) (config) #vrrp 22
   vlan 22
   ip address 10.200.22.254
   priority 100
   preempt
   description Backup-Master
   tracking master-up-time 30 add 20
   no shutdown
master-redundancy
   master-vrrp 22
   peer-ip-address 192.168.22.1 ipsec qwerTY012
Command History
This command was introduced in AOS-W 3.0.
Command Information

Platforms | Licensing | Command Mode
All platforms | Base operating system | Config mode on master switches

masterip
masterip <ipaddr>
   ipsec <key> [interface uplink|{vlan <id>}] [fqdn <fqdn>]
   ipsec-custom-cert master-mac1 <mac1> [master-mac2 <mac2>] ca-cert <ca> server-cert <cert> [interface uplink|{vlan <id>}] [fqdn <fqdn>] [suite-b gcm-128|gcm-256]
   ipsec-factory-cert master-mac1 <mac1> [master-mac2 <mac2>] [interface uplink|{vlan <id>}] [fqdn <fqdn>]

Description
This command configures the IP address and preshared key or certificate for the master switch on a local switch.
Syntax

Parameter | Description
<ipaddr> | IP address of the master switch.
ipsec <key> | To establish the master-local IPsec tunnel using IKEv1, enter a preshared key between 6-64 characters.
ipsec-custom-cert | Use a custom-installed certificate on the master switch to establish a master-local IPsec tunnel using IKEv2.
master-mac1 <mac1> | The MAC address of the certificate on the Master.
master-mac2 <mac2> | (Optional) the MAC address of the certificate on the backup master switch.
ca-cert <ca> | User-defined name of a trusted CA certificate installed on the master switch. Use the show crypto-local pki TrustedCA command to display the CA certificates that have been imported into the switch.
server-cert <cert> | User-defined name of a server certificate installed on the master switch. Use the show crypto-local pki ServerCert command to display the server certificates that have been imported into the switch.
interface | Specify the uplink or VLAN interface on the master switch to initiate IKE.
uplink | Use the master switch's current active uplink to initiate IKE.
vlan <id> | Specify a VLAN interface on the master switch to initiate IKE. If you do not specify a VLAN, the switch IP will be used.
fqdn <fqdn> | Identify a dynamically addressed local switch by entering the Fully Qualified Domain Name (FQDN) of the switch.
suite-b | If you configure your master and local switches to use IKEv2 and custom-installed certificates, you can optionally use Suite-B cryptographic algorithms for IPsec encryption. Specify one of the following options:
- gcm-128: Use 128-bit AES-GCM Suite-B encryption
- gcm-256: Use 256-bit AES-GCM Suite-B encryption
ipsec-factory-cert | Use the factory-installed certificate on the master switch to establish a master-local IPsec tunnel using IKEv2.
master-mac1 <mac1> | The MAC address of the certificate on the Master.
master-mac2 <mac2> | (Optional) the MAC address of the certificate on the backup master switch.
interface | Specify the uplink or VLAN interface on the master switch to initiate IKE.
uplink | Use the master switch's current active uplink to initiate IKE.
vlan <id> | Specify a VLAN interface on the master switch to initiate IKE. If you do not specify a VLAN, the switch IP will be used.
fqdn <fqdn> | Identify a dynamically addressed local switch by entering the Fully Qualified Domain Name (FQDN) of the switch.

Usage Guidelines
Use this command on a local switch to configure the IP address and preshared key or certificate for secure communication with the master switch. On the master switch, use the localip command to configure the IP address and preshared key or certificate for a local switch.
Changing the IP address of the master on a local switch requires a reboot of the local switch.

If your master and local switches use a pre-shared key for authentication, they will create the IPsec tunnel using IKEv1. If your master and local switches use certificates for authentication, the IPsec tunnel will be created using IKEv2.
Example
The following command configures the master switch with a pre-shared key:
(host) (config) #masterip 10.1.1.250 ipsec gw1234567
Command History

Release | Modification
AOS-W 3.0 | Command introduced.
AOS-W 6.1 | The ipsec-factory-cert and ipsec-custom-cert parameters were introduced to allow certificate-based authentication of master and local switches.

Command Information

Platform | License | Command Mode
Available on all platforms | The suite-b gcm-128 and suite-b gcm-256 encryption options for IPsec custom certificates require the Advanced Cryptography (ACR) license. All other parameters are available in the base operating system. | Available in Config mode on local switches

master-redundancy peer-ip
master-redundancy peer-ip <ipaddr>
   ipsec <key>
   ipsec-custom-cert master-mac <mac> ca-cert <ca> server-cert <cert> [suite-b gcm-128|gcm-256]
   ipsec-factory-cert master-mac <mac>

Description
This command configures the IP address and preshared key or certificate for a redundant master switch on another master switch.
Syntax

Parameter | Description
<ipaddr> | IP address of the redundant switch. Use the 0.0.0.0 address to configure a global preshared key for all inter-switch communications.
ipsec <key> | To establish the master-master IPsec tunnel using IKEv1, enter a preshared key between 6-64 characters.
ipsec-custom-cert | Use a custom-installed certificate on the switch to establish the master-master IPsec tunnel using IKEv2.
master-mac <mac> | The MAC address of the certificate on the redundant master switch.
ca-cert <ca> | User-defined name of a trusted CA certificate installed on the redundant master switch. Use the show crypto-local pki TrustedCA command to display the CA certificates that have been imported into the switch.
server-cert <cert> | User-defined name of a server certificate installed on the redundant master switch. Use the show crypto-local pki ServerCert command to display the server certificates that have been imported into the switch.
suite-b | If you configure your master switches to use IKEv2 and custom-installed certificates, you can optionally use Suite-B cryptographic algorithms for IPsec encryption. Specify one of the following options:
- gcm-128: Use 128-bit AES-GCM Suite-B encryption
- gcm-256: Use 256-bit AES-GCM Suite-B encryption
ipsec-factory-cert | Use the factory-installed certificate on the master switch to establish a master-local IPsec tunnel using IKEv2.
master-mac <mac> | The MAC address of the certificate on the redundant master switch.

Usage Guidelines
Use this command on a master switch to configure the IP address and preshared key or certificates for communication with a redundant master switch. If your master switches use a pre-shared key for authentication, they will create the IPsec tunnel using IKEv1. If your master and local switches use certificates for authentication, the IPsec tunnel will be created using IKEv2.
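The rules stated in the masterip and master-redundancy peer-ip usage guidelines (pre-shared key means IKEv1 with a 6-64 character key, certificates mean IKEv2, Suite-B only with custom certificates) can be checked against saved configuration lines. The following is an added example, not AOS-W code; `classify`, `value_after` and `audit` are hypothetical names, and the sample lines other than the two taken from this guide's examples are constructed.

```python
"""Classify masterip / peer-ip lines by authentication method and IKE version."""
import re

PSK_MIN, PSK_MAX = 6, 64          # pre-shared key length stated in the guide
SUITE_B = ("gcm-128", "gcm-256")  # Suite-B options stated in the guide

LINE_RE = re.compile(
    r"^(?:\(\S+\)\s*\(config\)\s*#\s*)?"   # optional "(host) (config) #" prompt
    r"(?:master-redundancy\s+)?"
    r"(masterip|peer-ip)\s+(\S+)\s+(\S.*)$"
)

SAMPLE_LINES = [
    # The two example commands printed in this guide:
    "(host) (config) #masterip 10.1.1.250 ipsec gw1234567",
    "(host) (config) #peer-ip 10.4.62.5 ipsec-custom-cert master-mac "
    "00:02:2D:11:55:4D ca-cert cacert1 server-cert server1",
    # Constructed lines that break one documented rule each:
    "masterip 10.1.1.250 ipsec abc",
    "masterip 10.1.1.250 ipsec-factory-cert master-mac1 00:0b:86:f0:05:60 "
    "suite-b gcm-256",
    "master-redundancy peer-ip 0.0.0.0 ipsec sharedkey99",
]


def value_after(words, keyword):
    """Return the word that follows keyword, or None if it is absent or last."""
    if keyword in words[:-1]:
        return words[words.index(keyword) + 1]
    return None


def classify(line):
    """Return auth method, IKE version and rule findings for one line."""
    m = LINE_RE.match(line.strip())
    if m is None:
        raise ValueError(f"not a masterip/peer-ip line: {line!r}")
    command, peer, rest = m.groups()
    method, *args = rest.split()
    result = {"command": command, "peer": peer, "auth": None, "ike": None,
              "suite_b": None, "findings": []}
    findings = result["findings"]

    if method == "ipsec":
        key, options = (args[0], args[1:]) if args else ("", [])
        result.update(auth="pre-shared key", ike="IKEv1")
        if not PSK_MIN <= len(key) <= PSK_MAX:
            findings.append(
                f"pre-shared key length {len(key)} is outside {PSK_MIN}-{PSK_MAX}")
        if command == "peer-ip" and peer == "0.0.0.0":
            findings.append(
                "global pre-shared key for all inter-switch communications")
    elif method in ("ipsec-custom-cert", "ipsec-factory-cert"):
        options = args
        result.update(auth=method[len("ipsec-"):], ike="IKEv2")
        # masterip names the keyword master-mac1, peer-ip names it master-mac.
        required = ["master-mac1" if command == "masterip" else "master-mac"]
        if method == "ipsec-custom-cert":
            required += ["ca-cert", "server-cert"]
        for keyword in required:
            if value_after(options, keyword) is None:
                findings.append(f"missing {keyword}")
    else:
        raise ValueError(f"unknown authentication keyword: {method!r}")

    suite = value_after(options, "suite-b")
    if suite is not None:
        result["suite_b"] = suite
        if method != "ipsec-custom-cert":
            findings.append("suite-b is documented only with ipsec-custom-cert")
        elif suite not in SUITE_B:
            findings.append(f"unknown suite-b option {suite!r}")
    return result


def audit(lines):
    """Classify every line and return (line, result) pairs."""
    return [(line, classify(line)) for line in lines]


if __name__ == "__main__":
    for _, r in audit(SAMPLE_LINES):
        notes = "; ".join(r["findings"]) or "ok"
        print(f"{r['command']:9}{r['peer']:12}{r['auth']:16}{r['ike']:6}{notes}")
```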
Example
The following command configures the local switch on a master switch:

(host) (config) #peer-ip 10.4.62.5 ipsec-custom-cert master-mac 00:02:2D:11:55:4D ca-cert cacert1 server-cert server1

Command History
Release | Modification
AOS-W 3.0 | Command introduced.
AOS-W 6.1 | The ipsec-factory-cert and ipsec-custom-cert parameters were introduced to allow certificate-based authentication of master and local switches.

Command Information

Platform | License | Command Mode
Available on all platforms | The suite-b gcm-128 and suite-b gcm-256 encryption options for IPsec custom certificates require the Advanced Cryptography (ACR) license. All other parameters are available in the base operating system. | Config mode on master switches

mgmt-server
wlan
mgmt-server type {amp|other} primary-server <ip-addr>
Description
Register a management server with the switch by specifying the IP address of an AirWave Management Server or any other server that should receive messages from the switch using the Application Monitoring (AMON) protocol.
Syntax

Parameter | Description
amp |
other | Define any other type of management server.
primary-server <ip-addr> | IP address of the primary management server.

Example
The following command defines a primary and secondary Airwave Management server.
(host) (config) #mgmt-server type amp primary-server 192.168.6.2
Command History

Release | Modification
AOS-W 3.4 | Command introduced.
AOS-W 6.1 | The secondary-server parameter was deprecated.

Command Information

Platforms | Licensing | Command Mode
All platforms | | Config mode on master switches

mgmt-user
mgmt-user <username> <role> <password>
mgmt-user localauth-disable
mgmt-user ssh-pubkey client-cert <certificate> <username> <role>
mgmt-user webui-cacert <certificate_name> serial <number> <username> <role>
Description
This command configures an administrative user.
Syntax

Parameter | Description | Default
<username> | Name of the user. You can create a maximum of 10 management users. NOTE: If you configure a root management user, you can use special characters except for double-byte characters. | --
<role> | Role assigned to the user. Predefined roles include: | --
- guest-provisioning: Allows the user to create guest accounts on a special WebUI page.
- location-api-mgmt: Permits access to location API information. You can log into the CLI; however, you cannot use any CLI commands.
- network-operations: Permits access to Monitoring, Reports, and Events pages in the WebUI. You can log into the CLI; however, you can only use a subset of CLI commands to monitor the switch.
- read-only: Permits access to CLI show commands or WebUI monitoring pages only.
- root: Permits access to all management functions on the switch.
<password> | NOTE: You are prompted for the <password> for this user after you type in <role> and press Enter. The password must have a minimum of six characters. You can use special characters in the management user password. The restrictions are as follows: | --
- You cannot use double-byte characters
- You cannot use the question mark (?)
- You cannot use white space <space>
localauth-disable | Disables authentication of management users based on the results returned by the authentication server. To cancel this setting, use the no form of the command: no mgmt-user localauth-disable. To verify if authentication of local management user accounts is enabled or disabled, use the following command: show mgmt-user local-authentication-mode | Enabled
ssh-pubkey | Configures certificate authentication of administrative users using the CLI through SSH. | --
client-cert | Name of the X.509 client certificate for authenticating administrative users using SSH. | --
<username> | Name of the user. | --
<role> | Role assigned to the authenticated user. | --
webui-cacert | The client certificate for authenticating administrative users using the WebUI. | --
<certificate_name> | The CA certificate. If configured, certificate authentication and authorization are automatically completed using an authentication server. | --
serial | Serial number of the client certificate. | --
<username> | Name of the user. | --
<role> | Role assigned to the authenticated user. | --

Usage Guidelines
You can configure client certificate authentication of WebUI or SSH management users (by default, only username/password is used). To configure certificate authentication for the WebUI or SSH, use the web-server mgmt-auth certificate or ssh mgmt-auth public-key commands, respectively. Use the webui-cacert <certificate name> command if you want an external authentication server to derive the management user role. This is helpful if there are a large number of users who need to be authenticated. Or, use the mgmt-user webui-cacert <certificate_name> serial <number> <username> <role> command if you want the authentication process to use the previously configured certificate name and serial number to derive the user role.
Example
See the web-server and ssh command descriptions for examples of certificate and public key authentication. The following command configures a management user and role:
(host) (config) #mgmt-user zach_jennings root
Password: *****
Re-Type password: *****
Command History

Release | Modification
AOS-W 3.0 | Command introduced
AOS-W 3.1 | The ssh-pubkey and webui-cacert parameters were introduced.
AOS-W 3.2 | The network-operations role was introduced.
AOS-W 3.3 | The location-api-mgmt role and localauth-disable parameters were introduced.
AOS-W 3.4 | The webui-cacert <certificate name> parameter had additional functionality introduced.

Command Information

Platforms | Licensing | Command Mode
All platforms | Base operating system | Config mode on master switches

mobility-manager
mobility-manager <ipaddr> user <username> <password> [interval <secs>] [retrycount <number>] [udp-port <port>] [rtls <rtls-udp-port>] trap-version {1|2c|3}
Description
This command allows the switch to communicate with an OV-MM-SW server.
Syntax

Parameter | Description | Range | Default
<ipaddr> | IP address of the OV-MM-SW server. | -- | --
user | Name and SNMP password for the OV-MM-SW server user. | -- | --
interval | Round-trip time, in seconds, to trap server. | 1-65535 | 60 seconds
retrycount | Number of retries to the OV-MM-SW server before giving up. | 1-65535 | 3
udp-port | UDP port number for trap server. | 0-65535 | 162
rtls | UDP port number on which RSSI location data should be received from APs. | 0-65535 | 8000
trap-version | Allows you to specify the SNMP trap version (1, 2c, or 3) for the remote trap receiver. | | 3

Usage Guidelines
This command needs to be configured before the switch can communicate with the OV-MM-SW server. This command performs three tasks:
- Configures the IP address of the OV-MM-SW server. In previous AOS-W releases, this was done with the mobility-server command.
- Creates an SNMP version 3 user profile with the configured <username> and <password>. This allows SNMP SETs from the OV-MM-SW server to be received by the switch. The authentication protocol is Secure Hash Algorithm (SHA) and Data Encryption Standard (DES) is used for encryption. If <username> and <password> match an existing SNMP v3 user profile, the existing one is used. Otherwise, a new profile is created. This username and password must be used when adding this switch to the OV-MM-SW server in the OV-MM-SW Dashboard.
- Allows SNMP traps and notifications to be sent to the OV-MM-SW server IP address, by adding this OV-MM-SW server as a trap receiver.
- Optionally enables the OV-MM-SW server to function as a Real Time Location System (RTLS) server to receive location information via APs from RTLS tags or other devices.
Use the show mobility-manager command to check the current status of the configured OV-MM-SW servers.
Example
The following command configures the IP address and SNMP user profile for the OV-MM-SW server:
(host) (config)# mobility-manager 10.2.1.245 user mms-user my-password

Command History
This command was introduced in AOS-W 3.1.
Command Information

Platforms | Licensing | Command Mode
All platforms | Base operating system | Config mode on master switches

netdestination
netdestination <name>
   description <description6>
   host <ipaddr> [position <number>]
   invert
   name
   network <ipaddr> <netmask> [position <number>]
   no ...
   range <start-ipaddr> <end-ipaddr> [position <number>]
Description
This command configures an alias for an IPv4 network host, subnetwork, or range of addresses.
Syntax

Parameter | Description
<name> | Name for this host or domain. Maximum length is 63 characters.
description | Description of this destination, up to 128 characters long.
host | Configures a single IPv4 host and its position in the list.
invert | Specifies that the inverse of the network addresses configured are used. For example, if a network of 172.16.0.0 255.255.0.0 is configured, this parameter specifies that the alias matches everything except this subnetwork.
network | An IPv4 subnetwork consisting of an IP address and netmask.
no | Negates any configured parameter.
range | A range of IPv4 addresses consisting of sequential addresses between a lower and an upper value. The maximum number of addresses in the range is 16. If larger ranges are needed, convert the range into a subnetwork and use the network parameter.

Usage
Aliases can simplify configuration of session ACLs, as you can use an alias when specifying the traffic source and/or destination in multiple session ACLs. Once you configure an alias, you can use it to manage network and host destinations from a central configuration point, because all policies that reference the alias will be updated automatically when you change the alias.
When using the invert option, use caution when defining multiple aliases, as entries are processed one at a time. As an example, consider a netdestination configured with the following two network hosts:
netdestination dest1
   invert
   network 1.0.0.0 255.0.0.0
   network 2.0.0.0 255.0.0.0
A frame from 1.0.0.1 would match the first alias entry (which allows everything except for 1.0.0.0/8), so the frame would be rejected. However, it would then be compared against the second alias, which allows everything except for 2.0.0.0/8, and the frame would be permitted.
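The per-entry evaluation described above means an inverted alias only excludes addresses that fall inside every one of its entries. The following added example (not AOS-W code) models that reading for host, network and range entries; the evaluation rule is an assumption taken from the text, and `parse_entry`, `alias_matches`, `matches_none_of` and `inverted_exclusions` are hypothetical names.

```python
"""Model of the per-entry 'invert' evaluation of a netdestination alias.

Assumption taken from the text, not from AOS-W code: with 'invert' set, each
entry is read on its own as "everything except this entry", and the alias
matches as soon as one entry matches.
"""
import ipaddress

MAX_RANGE = 16  # the guide limits a 'range' entry to 16 addresses

# Entries of the 'dest1' alias shown in the text.
DEST1 = ["network 1.0.0.0 255.0.0.0", "network 2.0.0.0 255.0.0.0"]


def parse_entry(line):
    """Return (first, last) as integers for one host/network/range entry."""
    kind, *args = line.split()
    if kind == "host":
        ip = int(ipaddress.IPv4Address(args[0]))
        return ip, ip
    if kind == "network":
        net = ipaddress.IPv4Network(f"{args[0]}/{args[1]}", strict=False)
        return int(net.network_address), int(net.broadcast_address)
    if kind == "range":
        first = int(ipaddress.IPv4Address(args[0]))
        last = int(ipaddress.IPv4Address(args[1]))
        if last < first or last - first + 1 > MAX_RANGE:
            raise ValueError(f"range must cover 1-{MAX_RANGE} addresses: {line}")
        return first, last
    raise ValueError(f"unsupported entry: {line}")


def alias_matches(addr, entries, invert=False):
    """Per-entry evaluation: the alias matches if ANY entry matches.

    With invert, an entry matches when the address is OUTSIDE it.
    """
    ip = int(ipaddress.IPv4Address(addr))
    for first, last in entries:
        inside = first <= ip <= last
        if inside != invert:
            return True
    return False


def matches_none_of(addr, entries):
    """The usual intent of 'everything except these': outside EVERY entry."""
    ip = int(ipaddress.IPv4Address(addr))
    return all(not (first <= ip <= last) for first, last in entries)


def inverted_exclusions(entries):
    """Addresses an inverted alias still excludes under per-entry evaluation.

    Only addresses inside ALL entries fail to match, i.e. the intersection
    of the entries. Returns (first, last) as strings, or None if empty.
    """
    first = max(f for f, _ in entries)
    last = min(l for _, l in entries)
    if first > last:
        return None
    return str(ipaddress.IPv4Address(first)), str(ipaddress.IPv4Address(last))


if __name__ == "__main__":
    entries = [parse_entry(line) for line in DEST1]
    print("address     per-entry invert   outside every entry")
    for addr in ("1.0.0.1", "2.0.0.1", "10.0.0.1"):
        print(f"{addr:<12}{alias_matches(addr, entries, invert=True)!s:<19}"
              f"{matches_none_of(addr, entries)}")
    print("still excluded by inverted dest1:", inverted_exclusions(entries))
    print("still excluded with only the first entry:",
          inverted_exclusions(entries[:1]))
```

With the two disjoint networks of dest1 the intersection is empty, so the inverted alias matches every IPv4 address; with a single entry it behaves as the invert parameter description states.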
Example
The following command configures an alias for an internal network:

(host) (config) #netdestination Internal
   network 10.1.0.0 255.255.0.0
Command History

Release | Modification
AOS-W 3.0 | Command introduced
AOS-W 6.1 | Host functionality now only supports IPv4 subnets.
AOS-W 6.2 | Name parameter has maximum character length.

Command Information

Platforms | Licensing | Command Mode
All platforms | Requires the Policy Enforcement Firewall license. | Config mode on master switches

netdestination6
netdestination6 <name>
   description <description6>
   host <ipaddr> [position <number>]
   invert
   name
   network <ipaddr> <netmask> [position <number>]
   no ...
   range <start-ipaddr> <end-ipaddr> [position <number>]
Description
This command configures an alias for an IPv6 network host, subnetwork, or range of addresses.
Syntax

Parameter | Description | Default
<name> | Name of the IPv6 destination host or subnetwork up to 63 characters long. |
description | Description about the IPv6 netdestination up to 128 characters long. | --
host | Configures a single IPv6 host and position in the list. | --
invert | Specifies that the inverse of the network addresses configured are used. For example, if a network of fe80:0:0:0:0:0:ac10:0/128 is configured, this parameter specifies that the alias matches everything except this subnetwork. | --
network | An IPv6 subnetwork consisting of an IP address and netmask. | --
no | Negates any configured parameter. | --
range | A range of IPv6 addresses consisting of sequential addresses between a lower and an upper value. The maximum number of addresses in the range is 16. If larger ranges are needed, convert the range into a subnetwork and use the network parameter. | --

Usage Guidelines
Aliases can simplify configuration of session ACLs, as you can use an alias when specifying the traffic source and/or destination. Once you configure an alias, you can use it in multiple session ACLs.
When using the invert option, use caution when defining multiple aliases, as entries are processed one at a time. As an example, consider a netdestination configured with the following two network hosts:
netdestination6 dest1
   invert
   network 2002:0:0:0:0:0:100:0/128
   network 2002:0:0:0:0:0:200:0/128
A frame from http://1.0.0.1 would match the first alias entry (which allows everything except for 2002:0:0:0:0:0:100:0/128), so the frame would be rejected. However, it would then be compared against the second alias, which allows everything except for 2002:0:0:0:0:0:200:0/128, and the frame would be permitted.
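The entry-by-entry processing described above can be modelled offline to audit an alias before it is used in a session ACL. This is an added example, not AOS-W code or output: it assumes the alias matches as soon as any entry matches (the reading the guideline gives), and the function names and test addresses are constructed for illustration.

```python
import ipaddress


def entry_matches(addr, network, invert):
    """One alias entry: a plain entry matches addresses inside the network,
    an inverted entry matches every address outside it."""
    inside = addr in network
    return (not inside) if invert else inside


def evaluate_alias(addr, networks, invert=False):
    """Process the entries one at a time and stop at the first match.

    Returns (matched, trace); trace lists (entry, verdict) for every entry
    that was consulted, which shows why an address ends up matched.
    """
    ip = ipaddress.ip_address(addr)
    trace = []
    for text in networks:
        hit = entry_matches(ip, ipaddress.ip_network(text), invert)
        trace.append((text, hit))
        if hit:
            return True, trace
    return False, trace


def inverted_alias_is_vacuous(networks):
    """True when an inverted alias with these entries matches every address.

    The inverted entries together miss only the addresses that lie inside
    all of the networks. CIDR blocks are either nested or disjoint, so such
    an address exists only if one block sits inside every other block.
    """
    nets = [ipaddress.ip_network(n) for n in networks]
    return not any(all(n.subnet_of(m) for m in nets) for n in nets)


# The two entries of the dest1 alias shown in the usage guidelines.
DEST1 = ["2002:0:0:0:0:0:100:0/128", "2002:0:0:0:0:0:200:0/128"]

if __name__ == "__main__":
    # The address excluded by the first entry is still matched by the second.
    print(evaluate_alias("2002::100:0", DEST1, invert=True))
    print("matches everything:", inverted_alias_is_vacuous(DEST1))
```

An inverted alias that this check reports as vacuous excludes nothing, so a session ACL rule built on it applies to all traffic.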
Example
The following command configures an alias for an internal network:
(host) (config) #netdestination6 Internal
   network fe80:0:0:0:0:0:a01:0/128
Command History

Release      Modification
AOS-W 6.1    Command introduced
AOS-W 6.2    A new field, description, has been introduced to provide a description about the netdestination up to 128 characters long.
AOS-W 6.2    Maximum length allowed for netdestination6 <name> is now 63 characters.

Command Information

Platforms All platforms

Licensing Requires the Policy Enforcement Firewall license.

Command Mode Config mode on master switches


netexthdr
netexthdr <alias-name> eh <eh-type> deny | permit
Description
This command allows you to edit the packet filter options in the extension header (EH).
Syntax

<alias-name>
    Specify the EH alias name.
    Default: default

eh <eh-type>
    Specify one of the following EH types:
    - <0-255>: Matches the IPv6 next header type
    - authentication: Matches the IPv6 authentication header
    - dest-option: Matches the IPv6 destination-option header
    - esp: Matches the IPv6 encapsulation security payload header
    - fragment: Matches the IPv6 fragment header
    - hop-by-hop: Matches the IPv6 hop-by-hop header
    - mobility: Matches the IPv6 mobility header
    - routing: Matches the IPv6 routing header
    Default: --

deny
    Denies the IPv6 packets matching the specified extended header type.
    Default: --

permit
    Permits the IPv6 packets matching the specified extended header type.
    NOTE: By default, all the EH types are supported in the default EH.
    Default: --

Usage Guidelines
The AOS-W firewall is enhanced to process the IPv6 extension header (EH) to enable IPv6 packet filtering. You can filter incoming IPv6 packets based on the EH type. You can edit the packet filter options in the default EH using this command. By default, the default EH alias permits all EH types.
Example
The following command denies the IPv6 packets matching the specified extended header type in the default EH:
(host) (config) #netexthdr default
(host) (config-exthdr) #eh authentication deny
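To show what filtering on the EH type involves, the following added example (not AOS-W code) walks the extension header chain of an IPv6 packet and applies a per-type deny/permit policy in which unlisted types are permitted, as in the default EH alias. The packet bytes are constructed, and two choices are assumptions of this example: a truncated chain is denied, and a numeric policy key is compared against every next-header value in the chain, including the upper-layer protocol.

```python
import struct

# IANA next-header numbers for the EH types that netexthdr names.
EH_TYPES = {0: "hop-by-hop", 43: "routing", 44: "fragment", 50: "esp",
            51: "authentication", 60: "dest-option", 135: "mobility"}
EH_NUMBERS = {name: number for number, name in EH_TYPES.items()}


def walk_extension_headers(packet):
    """Return (list of EH numbers in order, upper-layer protocol or None)."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    next_header, offset, chain = packet[6], 40, []
    while next_header in EH_TYPES:
        chain.append(next_header)
        if next_header == 50:
            return chain, None          # ESP: the rest is encrypted
        if offset + 8 > len(packet):
            raise ValueError("truncated extension header")
        following, length_field = packet[offset], packet[offset + 1]
        if next_header == 44:
            size = 8                          # fragment header is fixed size
        elif next_header == 51:
            size = (length_field + 2) * 4     # AH counts 32-bit words minus 2
        else:
            size = (length_field + 1) * 8     # 8-octet units after the first 8
        if offset + size > len(packet):
            raise ValueError("truncated extension header")
        next_header, offset = following, offset + size
    return chain, next_header


def filter_packet(packet, policy):
    """Apply an EH policy such as {"authentication": "deny"}.

    Keys are EH names or next-header numbers (0-255); anything not listed
    is permitted. Returns (action, matched type or None).
    """
    rules = {EH_NUMBERS.get(key, key): action for key, action in policy.items()}
    try:
        chain, upper = walk_extension_headers(packet)
    except ValueError:
        return "deny", "malformed"      # assumption of this example
    seen = chain + ([upper] if upper is not None else [])
    for number in seen:
        if rules.get(number, "permit") == "deny":
            return "deny", EH_TYPES.get(number, str(number))
    return "permit", None


def build_sample_packet():
    """Constructed packet: IPv6 / hop-by-hop / authentication / TCP stub."""
    hop_by_hop = bytes([51, 0, 1, 4, 0, 0, 0, 0])   # next=AH, PadN padding
    auth = bytes([6, 4, 0, 0]) + bytes(20)          # next=TCP, 24 bytes total
    payload = hop_by_hop + auth + bytes(20)
    fixed = struct.pack("!IHBB", 6 << 28, len(payload), 0, 64) + bytes(32)
    return fixed + payload


if __name__ == "__main__":
    sample = build_sample_packet()
    print(walk_extension_headers(sample))
    print(filter_packet(sample, {"authentication": "deny"}))
```

The authentication header is found only by following each header's length field, which is why a filter that inspects just the first next-header value would miss it in this packet.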
Related Commands
(host) #show netexthdr <alias-name>
Command History

Release AOS-W 6.1

Modification Command introduced


Command Information

Platforms All platforms

Licensing Base operating system.

Command Mode Config mode on master switches


netservice
netservice <name> <protocol>|tcp|udp {list <port>,<port>}|{<port> [<port>]} [ALG <service>]
Description
This command configures an alias for network protocols.
Syntax

netservice
    Name for this alias.
    Range: --

<protocol>
    IP protocol number.
    Range: 0-255

tcp
    Configure an alias for a TCP protocol

udp
    Configure an alias for a UDP protocol

list <port>, <port>
    Specify a list of non-contiguous port numbers, by entering up to six port numbers, separated by commas.
    Range: 0-65535

<port> [<port>]
    TCP or UDP port number. You can specify a single port number, or define a port range by specifying both the lower and upper port numbers.
    Range: 0-65535

ALG
    Application-level gateway (ALG) for this alias.
    Range: --

<service>
    Specify one of the following service types:
    - dhcp: Service is DHCP
    - dns: Service is DNS
    - ftp: Service is FTP
    - h323: Service is H323
    - noe: Service is Alcatel NOE
    - rtsp: Service is RTSP
    - sccp: Service is SCCP
    - sip: Service is SIP
    - sips: Service is Secure SIP
    - svp: Service is SVP
    - tftp: Service is TFTP
    - vocera: Service is VOCERA

Usage Guidelines
Aliases can simplify configuration of session ACLs, as you can use an alias when specifying the network service. Once you configure an alias, you can use it in multiple session ACLs.
Example
The following command configures an alias for a network service:
(host) (config) #netservice HTTP tcp 80


Command History
Version      Modification
AOS-W 3.0    Command introduced.
AOS-W 6.0    The list parameter for defining non-contiguous ports was introduced.

Command Information

Platforms All platforms

Licensing Base operating system

Command Mode Config mode on master switches


network-printer [deprecated]
network-printer [max-clients <2-20> | max-clients-per-host <1-20> | max-jobs <1-1000>]
Description
This command allows you to configure client and print job settings for the USB printer connected to an OAW-4306 Series switch.
Syntax

max-clients
    Specify the maximum number of clients that can use the printer. Currently, the OAW-4306 Series supports a maximum of 20 concurrent clients.

max-clients-per-host
    Specify the maximum number of concurrent clients for a single host. Currently, the OAW-4306 Series supports a maximum of 20 concurrent clients.

max-jobs
    Specify the maximum number of jobs that can be saved in the memory. Currently, the OAW-4306 Series switch will support a storage of 1000 jobs.

Usage Guidelines
Use this command in the config mode. In the enable mode, you can use the network-printer delete <printer-name> job <job-id> command to delete print jobs on a specific printer.
Command History

Release      Modification
AOS-W 3.4    Command introduced.
AOS-W 6.2    Command deprecated.

Command Information

Platforms OAW-4306 Series

Licensing Base operating system

Command Mode Config or enable mode


network-storage [deprecated]
network-storage [share <share-name>] share [usb: disk <disk-name> <filesystem-path> mode {read-only | read-write} no share
Description
This command allows you to perform the following operations on a network share:
- Configure a file system path for the share. This allows users to access the share from their computer.
- Remove the share access using the no share command.
Syntax

share
    Enter a name for the share on the switch. After you enter this command, the CLI mode will shift to operations on that share.

Usage Guidelines
To access the share, you must create a filesystem path to the share. Enter:
(host) (config-network-storage share)# share usb: disk <disk name> <filesystem path> mode
Where:
- disk name is the name of the disk. You can also specify the disk alias instead of the disk name.
- filesystem path is the path to access the share. This path contains the partition name and the shared folder name.
- mode is the permission setting. You can specify either read-only or read-write mode.

Example

The following command associates a share to a file system path and configures the access mode.

(host) (config-network-storage share)#share usb: disk Maxtor1TB Maxtor-Basics_Desktop-2HBADMJ4_p1/documents mode read-write

(host) (config-network-storage share)#show network-storage shares

NAS Shares
----------
Disk Name  Partition Name  Folder Name  Share Name  Share Path  Share Mode  Status
---------  --------------  -----------  ----------  ----------  ---------  ------
Maxtor1TB  MxDocs  docum  p1/documents  Read-Write  Active

Command History

Release      Modification
AOS-W 3.4    Command introduced.
AOS-W 6.2    Command deprecated.


Command Information

Platforms OAW-4306 Series

Licensing Base operating system

Command Mode Enable mode


ntp authenticate
ntp authenticate
Description
This command enables or disables NTP authentication.
Syntax
No parameters.
Usage Guidelines
Network Time Protocol (NTP) authentication enables the switch to authenticate the NTP server before synchronizing local time with the server. This helps distinguish secure servers from fraudulent servers. This command has to be enabled for NTP authentication to work.
Example
The following command enables NTP authentication:
(host) (config) #ntp authenticate
Command History

Release AOS-W 6.1

Modification Command introduced

Command Information

Platforms All platforms

Licensing Base operating system

Command Mode Config mode on master switches


ntp authentication-key
ntp authentication-key <key-id> md5 <keyvalue>
Description
This command configures a key identifier and secret key and adds them into the database. NTP authentication works with a symmetric key configured by the user. The key is shared by the client (Alcatel-Lucent switch) and an external NTP server.
Syntax

<key-id>
    The key identifier is a string that is shared by the client (Alcatel-Lucent switch) and an external NTP server. This value is added into the database.
    Default: --

md5 <keyvalue>
    The key value is a secret string, which along with the key identifier, is used for authentication. This is added into the database.
    Default: --

Usage Guidelines
NTP authentication works with a symmetric key configured by the user. The key is shared by the client (Alcatel-Lucent switch) and an external NTP server. This command adds both the key identifier and secret string into the database.
Example
The following command configures the NTP authentication key. The key identifier is 12345 and the shared secret is 67890. Both the key identifier and the shared secret are added into the database:
(host) (config) #ntp authentication-key 12345 md5 67890
Command History

Release AOS-W 6.1

Modification Command introduced

Command Information

Platforms All platforms

Licensing Base operating system

Command Mode Config mode on master switches


ntp server
ntp server <server-ip> [iburst] [key <key-id>]
Description
This command configures a Network Time Protocol (NTP) server.
Syntax

<ipaddr>
    IP address of the NTP server, in dotted-decimal format.
    Default: --

iburst
    (Optional) This parameter causes the switch to send up to ten queries within the first minute to the NTP server. This option is considered "aggressive" by some public NTP servers.
    Default: disabled

key <key-id>
    This is the key identifier used to authenticate the NTP server. This needs to match the key identifier configured in the ntp authentication-key command.
    Default: --

Usage Guidelines
You can configure the switch to set its system clock using NTP by specifying one or more NTP servers.
Example
The following command configures an NTP server using the iburst optional parameter and using a key identifier "12345":
(host) (config) #ntp server 10.1.1.245 iburst key 12345
Command History

Release      Modification
AOS-W 1.0    Command introduced
AOS-W 3.0    The iburst parameter was introduced
AOS-W 6.1    The key parameter was introduced

Command Information

Platforms All platforms

Licensing Base operating system

Command Mode Config mode on master switches


ntp trusted-key
ntp trusted-key <keyid>
Description
This command configures an additional subset of trusted keys which can be used for NTP authentication.
Syntax

Parameter <keyid>

Description An additional trusted string that can be used for authentication

Default --

Usage Guidelines
You can configure an additional subset of keys which are trusted and can be used for NTP authentication.
Example
The following command configures an additional trusted key (84956) which can be used for NTP authentication.
(host) (config) #ntp trusted-key 84956
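The key identifier and MD5 key value set with ntp authentication-key, the key selected with ntp server ... key, and the list built with ntp trusted-key all feed one check on each NTP reply. The following added example (not AOS-W code) models that check with the NTP symmetric-key scheme used by the reference ntpd implementation, where the 48-byte packet is followed by a 32-bit key identifier and MD5(key value + packet). The packet contents are constructed, and the rule that a key must also be on the trusted list is an assumption about how the switch combines these settings.

```python
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48     # fixed NTP packet without extension fields
MAC_LEN = 4 + 16        # key identifier + MD5 digest


def ntp_mac(key_value, packet):
    """Symmetric-key NTP digest: MD5 over the key followed by the packet.
    This is a keyed hash, not HMAC."""
    return hashlib.md5(key_value + packet).digest()


def authenticated_reply(packet, key_id, key_value):
    """What a server sharing the key sends: packet, key id, digest."""
    return packet + struct.pack("!I", key_id) + ntp_mac(key_value, packet)


def verify_reply(reply, keys, trusted, server_key_id):
    """Client-side check with authentication enabled.

    keys          -- {key id: key value}, as set by ntp authentication-key
    trusted       -- key ids accepted for authentication (ntp trusted-key)
    server_key_id -- key id configured for this server (ntp server ... key)
    """
    if len(reply) != NTP_HEADER_LEN + MAC_LEN:
        return False                    # unauthenticated or malformed reply
    packet = reply[:NTP_HEADER_LEN]
    key_id = struct.unpack("!I", reply[NTP_HEADER_LEN:NTP_HEADER_LEN + 4])[0]
    digest = reply[NTP_HEADER_LEN + 4:]
    if key_id != server_key_id or key_id not in trusted or key_id not in keys:
        return False
    # Constant-time comparison avoids leaking how many digest bytes matched.
    return hmac.compare_digest(digest, ntp_mac(keys[key_id], packet))


# Values from the examples on this page: key id 12345, secret 67890,
# additional trusted key 84956. The reply packet itself is constructed.
KEYS = {12345: b"67890"}
TRUSTED = {12345, 84956}
SAMPLE_PACKET = bytes([0x24, 2, 6, 0xEC]) + bytes(44)   # VN=4, mode=server

if __name__ == "__main__":
    good = authenticated_reply(SAMPLE_PACKET, 12345, b"67890")
    forged = authenticated_reply(SAMPLE_PACKET, 12345, b"guess")
    print("genuine reply accepted:", verify_reply(good, KEYS, TRUSTED, 12345))
    print("forged reply accepted:", verify_reply(forged, KEYS, TRUSTED, 12345))
```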
Command History

Release AOS-W 6.1

Modification Command introduced

Command Information

Platforms All platforms

Licensing Base operating system

Command Mode Config mode on master switches


packet-capture
packet-capture [other {disable | enable}] [sysmsg {all | disable | <opcodes>}] [tcp {all | disable | <ports>}] [udp {all | disable | <ports>}]
Description
Use this command to enable or disable packet capturing and set packet capturing options for a single packet capture session.
Syntax

other
    Enable or disable all other types of packets.
    Default: Enabled

sysmsg
    Enable or disable internal messaging packets. Specify up to ten comma-separated opcodes to capture; use all to sniff all opcodes; use disable to bypass the all setting. All CLI ports are always skipped.
    Default: Disabled

tcp ports
    Enable or disable TCP packet capturing. Specify up to ten comma-separated ports to capture; use all to sniff all TCP ports; use disable to bypass the all setting. All CLI ports are always skipped.
    Default: Disabled

udp ports
    Enable or disable UDP packet capturing. Specify up to ten comma-separated ports to capture; use all to sniff all UDP ports; use disable to bypass the all setting. All CLI ports are always skipped.
    Default: Disabled

Usage Guidelines
This command applies to control path packets; not datapath packets. Packets can be retrieved through the tar log command; look for the filter.pcap file. This command activates packet capture options on the current switch. They are not saved and applied across switches. If you do want to enable a packet capture session without setting values that can be saved and used for another session, use the command packet-capture. The related command packet-capture-defaults lets you define a set of packet capture options that will run every time you enable the packet capture feature.
Example
The following command enables packet capturing for debugging a wireless WEP station doing VPN. This example uses the following parameters and values:
- Station up/down: sysmsg opcode 30
- WEP key plumbing: sysmsg opcode 29
- DHCP: sysmsg opcode 90
- IKE: UDP port 500 and 4500
- Layer 2 Tunneling Protocol (L2TP): UDP port 1701
(host) #packet-capture sysmsg 30,29,90 udp 500,4500,1701,1812,1645
Command History
This command was introduced in AOS-W 2.3.


Command Information

Platforms All platforms

Licensing Base operating system

Command Mode Enable mode on master switches


packet-capture-defaults
packet-capture-defaults [other {disable|enable}] [sysmsg {all|disable|<opcodes>}] [tcp {all|disable|<ports>}] [udp {all|disable|<ports>}]
Description
Use this command to enable or disable packet capturing and define a set of default packet capturing options on the control path for debugging purposes.
Syntax

other
    Enable or disable all other types of packets.
    Default: Enabled

sysmsg
    Enable or disable internal messaging packets. Specify up to ten comma-separated opcodes to capture; use all to sniff all opcodes; use disable to bypass the all setting. All CLI ports are always skipped.
    Default: Disabled

tcp ports
    Enable or disable TCP packet capturing. Specify up to ten comma-separated ports to capture; use all to sniff all TCP ports; use disable to bypass the all setting. All CLI ports are always skipped.
    Default: Disabled

udp ports
    Enable or disable UDP packet capturing. Specify up to ten comma-separated ports to capture; use all to sniff all UDP ports; use disable to bypass the all setting. All CLI ports are always skipped.
    Default: Disabled

Usage Guidelines
This command applies to control path packets; not datapath packets. Packets can be retrieved through the tar log command; look for the filter.pcap file. This command activates packet capture options on the current switch. They are not saved and applied across switches.
Example
The following command sets the default packet capture values to debug a wireless WEP station doing VPN. Once these default settings are defined, you can use the packet-capture command to enable packet capturing with these values. This example uses the following parameters and values:
- Station up/down: sysmsg opcode 30
- WEP key plumbing: sysmsg opcode 29
- DHCP: sysmsg opcode 90
- IKE: UDP port 500 and 4500
- Layer 2 Tunneling Protocol (L2TP): UDP port 1701
packet-capture-defaults sysmsg 30,29,90 udp 500,4500,1701,1812,1645
Use the show packet-capture command to show the current action and the default values.
(host) show packet-capture
Current Active Packet Capture Actions(current switch)
=====================================================
Packet filtering TCP with 2 port(s) enabled:
2 1
Packet filtering UDP with 1 port(s) enabled:
1
Packet filtering for internal messaging opcodes disabled.
Packet filtering for all other packets disabled.

Packet Capture Defaults(across switches and reboots if saved)
============================================================
Packet filtering TCP with 2 port(s) enabled:
2 1
Packet filtering UDP with 1 port(s) enabled:
1
Command History
This command was introduced in AOS-W 2.3.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode Config mode on master switches


page
page <length>
Description
This command sets the number of lines of text the terminal will display when paging is enabled.
Syntax

Parameter length

Description Specifies the number of lines of text displayed.

Range 24 - 100

Usage Guidelines
Use this command in conjunction with the paging command to specify the number of lines of text to display. For more information on the pause mechanism that stops the command output from printing continuously to the terminal, see paging on page 473. If you need to adjust the screen size, use your terminal application to do so.
Example
The following command sets 80 as the number of lines of text displayed:
(host) (config) #page 80
Command History
This command was introduced in AOS-W 1.0.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Config and Enable mode on master switches


paging
paging
Description
This command stops the command output from printing continuously to the terminal.
Syntax
No parameters
Usage Guidelines
By default, paging is enabled. With paging enabled, there is a pause mechanism that stops the command output from printing continuously to the terminal. If paging is disabled, the output prints continuously to the terminal. To disable paging, use the no paging command. You must be in enable mode to disable paging. The paging setting is active on a per-user session. For example, if you disable paging from the CLI, it only affects that session. For new or existing sessions, paging is enabled by default. You can also configure the number of lines of text displayed when paging is enabled. For more information, refer to the command page on page 472. If you need to adjust the screen size, use your terminal application to do so.
Example
The following command enables paging:
(host) (config) #paging
Command History
This command was introduced in AOS-W 1.0.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Config and Enable mode on master switches


panic
panic {clear | info {file <filename> <symbolfile>|nvram <symbolfile>} | list {file <filename>|nvram} | save <filename>}
Description
This command manages information created during a system crash.
Syntax

clear
    Removes panic information from non-volatile random access memory (NVRAM).

info
    Displays the content of specified panic files.

list
    Lists panic information in the specified file in flash or in NVRAM.

save
    Saves panic information from NVRAM into the specified file in flash.

Usage Guidelines
To troubleshoot system crashes, use the panic save command to save information from NVRAM into the specified file, then use the panic clear command to clear the information from NVRAM.
Example
The following command lists panic information in NVRAM:
(host) #panic list nvram
Command History
This command was introduced in AOS-W 3.0.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode Enable mode on master switches


papi-security (deprecated)
papi-security key <key> [enhanced-security] no...
Description
The papi-security command enforces advanced security options and provides an enhanced level of security.

The best practice is to refrain from modifying these settings unless advised to do so by Alcatel-Lucent technical support.

Syntax

key
    The key authenticates the messages between systems.
    Default: --

key
    The key string.
    Range: 10-64 characters

enhanced-security
    Allows you to use the enhanced security mode. This mode causes the system to reject messages when an incorrect key is used.
    Default: disabled

no key
    Reverts to the default key.
    Default: --

Usage Guidelines
This command allows you to use advanced options which regulate the switch and AP communication. One way PAPI messages are authenticated is through a shared secret key. The papi-security command lets you configure a key on the master switch which then distributes it to other switches and APs, thus allowing each site to have a unique key. If no key is configured, then the switch uses the default key. When enhanced-security mode is disabled, any AP can obtain the current shared secret key. When enhanced-security mode is enabled, an AP is not updated with the new shared secret key unless the AP knows the previous key and the AP is updated with the new key within one hour of the key creation.
Make sure that the enhanced-security mode is disabled before installing new APs.

If an AP cannot be authenticated because it has the wrong key, the show ap database command displays a "Bad key" status.
Example
This example sets a unique shared secret key called "testkey123" on the master switch.
(host) (config) #papi-security
(host) (PAPI Security Profile) #
(host) (PAPI Security Profile) #key testkey123
(host) (PAPI Security Profile) #exit


Related Commands
(host)(config) #show papi-security
(host)(config) #show ap database
Command History

Release      Modification
AOS-W 3.4    Command introduced.
AOS-W 6.2    Command deprecated

Command Information
Platform Available on all platforms

License Base operating system

Command Mode Config mode on master switches


pcap (deprecated)
pcap {raw-start <ipaddr> <target-ipaddr> <target-port> <format> [bssid <bssid>] [channel <number>] [maxlen <maxlen>]}|{interactive <am-ip> <filter> <target-ipaddr> <target-port> [bssid <bssid>][channel <number>]}|{clear|pause|resume|stop <am-ip> <id> [bssid <bssid>]}
Description
These commands manage packet capture (PCAP) on Alcatel-Lucent air monitors.
Syntax

raw-start
    Stream raw packets to an external viewer.

    <ipaddr>
        IP address of the air monitor collecting packets.
    <target-ipaddr>
        IP address of the client station running Wildpacket's AiroPeek monitoring application.
    <target-port>
        UDP port number on the client station where the captured packets are sent.
    <format>
        Specify a number to indicate one of the following formats for captured packets:
        - 0 : pcap
        - 1 : peek
        - 2 : airmagnet
        - 3 : pcap+radio header
        - 4 : ppi
    bssid
        (Optional) BSSID of the Air Monitor interface for the PCAP session.
    <bssid>
        BSSID of the Air Monitor Interface, which is usually its MAC address.
    channel
        (Optional) Number of a radio channel to tune into to capture packets
    maxlen
        (Optional) Limit the length of 802.11 frames to include in the capture to a specified maximum.
    <maxlen>
        (Optional) Maximum number of packets to be captured.

interactive
    Start an interactive packet capture session.

    <am-ip>
        IP address of the air monitor collecting packets.
    <filter-spec>
        Packet Capture filter specification.
    <target-ipaddr>
    <target-port>
    bssid
        (Optional) Specify the BSSID of the Air Monitor interface for the PCAP session.
    <bssid>
        BSSID of the Air Monitor Interface, which is usually its MAC address.
    channel
        (Optional) Number of a radio channel to tune into to capture packets

clear
    Clears the packet capture session.
pause
    Pause a packet capture session.
resume
    Resume a packet capture session.
start
    Start a new packet capture session.
stop
    Stop a packet capture session.

    <am-ip>
        IP address of the air monitor collecting packets.
    <id>
        ID of the PCAP session.
    bssid
        (Optional) Specify the BSSID of the Air Monitor interface for the PCAP session.
    <bssid>
        BSSID of the Air Monitor Interface, which is usually its MAC address.

Usage Guidelines
These commands direct an Alcatel-Lucent air monitor to send packet captures to the Wildpacket's AiroPeek monitoring application on a remote client. The AiroPeek application listens for packets sent by the air monitor.
The following pcap commands are available:

Command    Description
clear      Clears the packet capture session.
pause      Pause a packet capture session.
resume     Resume a packet capture session.
start      Start a new packet capture session.
stop       Stop a packet capture session.

Before using these commands, you need to start the AiroPeek application on the client and open a capture window for the air monitor. The AiroPeek application cannot be used to control the flow or type of packets sent from Alcatel-Lucent air monitors.
The AiroPeek application processes all packets; however, you can apply display filters on the capture window to control the number and type of packets being displayed. In the capture window, the time stamp displayed corresponds to the time that the packet is received by the client and is not synchronized with the time on the Alcatel-Lucent air monitor.
Example
The following command starts a raw packet capture session for the air monitor at 10.100.100.1 and sends the packets to the client at 192.168.22.44 on port 604 with pcap format:
(host) (config) #pcap raw-start 10.100.100.1 192.168.22.44 604 0


Command History
Version      Change
AOS-W 3.0    Command Introduced
AOS-W 3.4    The maxlen parameter was introduced, and the pcap start command deprecated.
AOS-W 6.2    Functionality with 2 new parameters, now subsumed by the ap packet capture command.

Command Information

Platforms All platforms

Licensing Base operating system

Command Mode Enable mode on master switches


ping
ping <ipaddress> | ipv6 {<global-address> | interface vlan <vlanid> <linklocal-address>}
Description
This command sends five ICMP echo packets to the specified IP address. You can also ping the specified IPv6 address.
Syntax

<ipaddress>
    Destination IP Address

ipv6
    Specify this parameter to ping an IPv6 address.

    <global-address>
        Specify the IPv6 global address.
    interface vlan <vlanid> <linklocal-address>
        Specify the IPv6 link local address of a specific VLAN interface.

Usage Guidelines
You can send five ICMP echo packets to a specified IP address. The switch times out after two seconds. You can also ping the specified IPv6 address.
Examples
The following example pings 10.10.10.5.
(host) #ping 10.10.10.5
The sample switch output is:
Press 'q' to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0.408/0.5434/1.073 ms

The following example pings the specified IPv6 global address:
(host) #ping ipv6 2005:d81f:f9f0:1001::14
The sample switch output is:
Press 'q' to abort.
Sending 5, 100-byte ICMPv6 Echos to 2005:d81f:f9f0:1001::14, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0.309/0.3726/0.463 ms


Command History
Release      Modification
AOS-W 1.0    Command introduced
AOS-W 6.1    Introduced ipv6 parameter to provide support for IPv6.

This command was introduced in AOS-W 1.0.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
User, Enable, and Config modes on master switches


pkt-trace
pkt-trace acl <acl-name> {enable|disable} [trace {cptrace|pktrace} [trace-mask <tmask>]]
Description
Enable packet tracing in the datapath. Use this feature only under the supervision of Alcatel-Lucent technical support.
Syntax

<acl-name>
    Enable packet tracing for the specified access-control list.

enable
    Enable packet tracing for the ACL.

disable
    Disable packet tracing for the ACL.

cptrace
    Send packet trace data into the Control Processor.

pktrace
    Write packet trace data in the packet.

trace-mask <tmask>
    Specify the trace mask. This value will be provided by Alcatel-Lucent technical support.

Example
The following example enables packet tracing for the traffic matching the acl stateful-dot1x.
(host) #pkt-trace acl stateful-dot1x enable trace cptrace trace-mask <val>
Command History
This command was introduced in AOS-W 3.4.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode Enable mode on master switches


policer-profile (deprecated)
policer-profile <profile-name>
   cbs {k | m | g}
   cir <cir>
   clone <source>
   ebs [k | m | g]
   exceed-action drop | permit | remark
   exceed-profile <policerProfile>
   no..
   violate-action drop | permit
   violate-profile <profile-name>
Description
This command configures a Policer profile to manage the transmission rate of a class of traffic based on user-defined criteria.
Command History

Release AOS-W 6.2

Modification Command deprecated.


pkt-trace-global
pkt-trace-global {enable|disable} [trace-mask <tmask>]
Description
Enable global packet tracing in the datapath. Use this feature only under the supervision of Alcatel-Lucent technical support.
Syntax

<acl-name>
    Enable packet tracing for the specified access-control list.

enable
    Enable global packet tracing for the ACL.

disable
    Disable global packet tracing for the ACL.

trace-mask <tmask>
    Specify a trace mask. Use this feature only under the supervision of Alcatel-Lucent technical support.

Example
The following command enables the global packet tracing for all traffic.
(host) (config) #pkt-trace-global enable
Command History
This command was introduced in AOS-W 3.4.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode Enable mode on master switches


pptp ip local pool
pptp ip local pool <pool> <ipaddr> [<end-ipaddr>]
Description
This command configures an IP address pool for VPN users using Point-to-Point Tunneling Protocol (PPTP).
Syntax

<pool>
    User-defined name for the address pool.

<ipaddr>
    Starting IP address for the pool.

<end-ipaddr>
    Ending IP address for the pool.

Usage Guidelines
If VPN is used as an access method, you specify the pool from which the user's IP address is assigned when the user negotiates a PPTP session. Use the show vpdn pptp local command to see the used and free addresses in the pool. PPTP is an alternative to IPsec that is supported by various hardware platforms. PPTP is considered to be less secure than IPsec but also requires less configuration. You configure PPTP with the vpdn command.
Example
The following command configures an IP address pool for PPTP VPN users:
(host) (config) #pptp ip local pool pptp-pool1 172.16.18.1 172.16.18.24
Command History
This command was introduced in AOS-W 3.0.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode Config mode on master switches


priority-map
priority-map <name>
   dot1p <priority> high
   dscp <priority> high
   no ...
Description
This command configures the Type of Service (ToS) and Class of Service (CoS) values used to map traffic into high priority queues.
Syntax

Parameter: <name>
Description: User-defined name of the priority map.
Range: --

Parameter: dot1p
Description: IEEE 802.1p priority value, or a range of values separated by a dash (-).
Range: 0-7

Parameter: dscp
Description: Differentiated Services Code Point (DSCP) priority value, or a range of values separated by a dash (-).
Range: 0-63

Parameter: no
Description: Negates any configured parameter.
Range: --

Usage Guidelines
This command allows you to prioritize inbound traffic that is already tagged with 802.1p and/or IP ToS in hardware queues. You apply configured priority maps to ports on the switch (using the interface fastethernet or interface gigabitethernet command). This causes the switch to inspect inbound traffic on the port; when a matching QoS tag is found, the packet or flow is mapped to the specified queue.
Example
The following commands configure a priority map and apply it to a port:
(host) (config) #priority-map pri1
   dscp 4-20 high
   dscp 60 high
   dot1p 4-7 high
interface gigabitethernet 1/24
   priority-map pri1
Command History
This command was introduced in AOS-W 3.0.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode Config mode on master switches


process monitor
process monitor log|restart|
Description
The process monitor validates the integrity of processes every 120 seconds. If a process does not respond during three consecutive 120-second timeout intervals, that process is flagged as nonresponsive and the process monitor will create a log message, restart the process or reboot the switch.
Syntax

Parameter: log
Description: The process monitor creates a log message when a process fails to respond properly. This is the default behavior for the process monitor.

Parameter: restart
Description: This parameter enables strict behavior for runtime processes. When you enable this option, the process monitor will restart processes that fail to respond properly.

Usage Guidelines
The CLI command process monitor log enables logging for process monitoring. By default, whenever a process does not update a required file or send a heartbeat pulse within the required time limit, the process monitor records a critical log message, but does not restart any process. If you want to configure the watchdog to restart a process once it fails to respond, use the CLI command process monitor restart.

Example
The following changes the default process monitor behavior, so the process monitor restarts nonresponsive processes.
(host) #process monitor restart

Related Commands
The show process monitor statistics command displays the current status of all the processes running under the process monitor watchdog. A partial example of the output of this command is shown below:
(host) (config) #show process monitor statistics

Process Monitor Statistics
--------------------------
Name                            State            Restarts  Timeout Value  Timeout Chances
----                            -----            --------  -------------  ---------------
/mswitch/bin/arci-cli-helper    PROCESS_RUNNING  0         120            3
/mswitch/bin/fpcli              PROCESS_RUNNING  0         120            3
/mswitch/bin/packet_filter      PROCESS_RUNNING  0         120            3
/mswitch/bin/certmgr            PROCESS_RUNNING  0         120            3
/mswitch/bin/dbstart            PROCESS_RUNNING  0         120            3
/mswitch/bin/cryptoPOST         PROCESS_RUNNING  0         120            3
/mswitch/bin/sbConsoled         PROCESS_RUNNING  0         120            3
/mswitch/bin/pubsub             PROCESS_RUNNING  0         120            3
/mswitch/bin/cfgm               PROCESS_RUNNING  0         120            3
/mswitch/bin/syslogdwrap        PROCESS_RUNNING  0         120            3
/mswitch/bin/aaa                PROCESS_RUNNING  0         120            3
/mswitch/bin/fpapps             PROCESS_RUNNING  0         120            3
/mswitch/bin/pim                PROCESS_RUNNING  0         120            3
/mswitch/bin/lic
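An added example, not part of the guide or of AOS-W: a small parser that an operator could run over saved show process monitor statistics output to flag processes that are not in PROCESS_RUNNING, that have been restarted, or that are missing from the list. It assumes five whitespace-separated columns as in the table above; the function names, the sample text and the EXAMPLE_OTHER_STATE value are constructed for illustration.

```python
import re

# Assumed row layout: Name, State, Restarts, Timeout Value, Timeout Chances,
# separated by whitespace, as in the statistics table in this section.
ROW = re.compile(r"^(?P<name>/\S+)\s+(?P<state>\S+)\s+(?P<restarts>\d+)\s+"
                 r"(?P<timeout>\d+)\s+(?P<chances>\d+)\s*$")


def parse_statistics(output):
    """Return one dict per complete process row; headers and partial rows are skipped."""
    rows = []
    for line in output.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows.append({
                "name": m["name"],
                "state": m["state"],
                "restarts": int(m["restarts"]),
                # Seconds of silence before the monitor flags the process:
                # timeout value multiplied by the number of chances.
                "flag_after_s": int(m["timeout"]) * int(m["chances"]),
            })
    return rows


def review(rows, expected=()):
    """Return (process, reason) findings for an operator to follow up."""
    findings = []
    seen = {r["name"] for r in rows}
    for r in rows:
        if r["state"] != "PROCESS_RUNNING":
            findings.append((r["name"], "state " + r["state"]))
        if r["restarts"] > 0:
            findings.append((r["name"], "restarted %d time(s)" % r["restarts"]))
    for name in expected:
        if name not in seen:
            findings.append((name, "not listed"))
    return findings


# Constructed sample output. EXAMPLE_OTHER_STATE is a placeholder, not a state
# name taken from AOS-W. The last row is cut short on purpose.
SAMPLE = """\
Process Monitor Statistics
--------------------------
Name                      State                Restarts  Timeout Value  Timeout Chances
----                      -----                --------  -------------  ---------------
/mswitch/bin/certmgr      PROCESS_RUNNING      0         120            3
/mswitch/bin/aaa          PROCESS_RUNNING      2         120            3
/mswitch/bin/pim          EXAMPLE_OTHER_STATE  0         120            3
/mswitch/bin/lic
"""

if __name__ == "__main__":
    parsed = parse_statistics(SAMPLE)
    for proc, reason in review(parsed, expected=["/mswitch/bin/syslogdwrap"]):
        print(proc, "->", reason)
```

Passing the list of processes you expect to see (for example aaa and certmgr) as expected turns a silently missing row into a finding as well.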

Command History

Release: AOS-W 3.4
Modification: Command introduced

Release: AOS-W 3.4
Modification: The process restart command was deprecated.

Command Information

Platforms All platforms

Licensing Base operating system

Command Mode Enable mode on master switches


prompt
prompt <prompt>
Description
This command changes the prompt text.
Syntax

Parameter: prompt
Description: The prompt text displayed by the switch.
Range: 1-64
Default: <hostname>

Usage Guidelines
You can use any alphanumeric character, punctuation, or symbol character. To use spaces, plus symbols (+), question marks (?), or asterisks (*), enclose the text in quotes. You cannot alter the parentheses that surround the prompt text, or the greater-than (>) or hash (#) symbols that indicate user or enable CLI mode.
Example
The following example changes the prompt text to "It's a new day!".
(host) (config) #prompt "It's a new day!"
(It's a new day!) (config) #
Command History
This command was introduced in AOS-W 1.0.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode Config mode on master switches


provision-ap
provision-ap
   a-ant-bearing <bearing>
   a-ant-gain <gain>
   a-ant-tilt-angle <angle>
   a-antenna {1|2|both}
   altitude <altitude>
   ap-group <group>
   ap-name <name>
   apdot1x-passwd <string>
   apdot1x-username <name>
   cellular_nw_preference g-only|4g-only|advanced|auto
   copy-provisioning-params {ap-name <name> | ip-addr <ipaddr>}
   dns-server-ip <ipaddr>
   dns-server-ip6 <ipv6 address>
   domain-name <name>
   external-antenna
   fqln <name>
   g-ant-bearing <bearing>
   g-ant-gain <gain>
   g-ant-tilt-angle <angle>
   g-antenna {1|2|both}
   gateway <ipaddr>
   gateway6 <ipv6-address>
   ikepsk <key>
   installation default|indoor|outdoor
   ip6addr <ipv6-address>
   ip6prefix <ipv6-prefix>
   ipaddr <ipaddr>
   latitude <location>
   link-priority-cellular
   link-priority-ethernet
   longitude <location>
   master {<name>|<ipaddr>}
   mesh-role {mesh-point|mesh-portal|none|remote-mesh-portal}
   mesh-sae {sae-disable|sae-enable}
   netmask <netmask>
   no ...
   pap-passwd <string>
   pap-user <name>
   pppoe-chap-secret <key>
   pppoe-passwd <string>
   pppoe-service-name <name>
   pppoe-user <name>
   read-bootinfo {ap-name <name>|ip-addr <ipaddr>|wired-mac <macaddr>}
   reprovision {all|ap-name <name>|ip-addr <ipaddr>|serial-num <string>|wired-mac <macaddr>}
   reset-bootinfo {ap-name <name>|ip-addr <ipaddr>|wired-mac <macaddr>}
   server-ip <ipaddr>
   sch-mode-radio-0
   sch-mode-radio-1
   server-name <name>
   set-ikepsk-by-addr <ip-addr>
   syslocation <string>
   uplink-vlan <uplink-vlan>
   usb-dev <usb-dev>
   usb-dial <usb-dial>
   usb-init <usb-init>
   usb-passwd <usb-passwd>
   usb-power-mode auto|enable|disable
   usb-tty <usb-tty>
   usb-tty-control <usb-tty-control>
   usb-type <usb-type>
   usb-user <usb-user>
Description
This command provisions or reprovisions an AP.

Syntax

Parameter: a-ant-bearing
Description: Determines the horizontal coverage distance of the 802.11a (5GHz) antenna from True North. From a planning perspective, the horizontal coverage pattern does not consider the elevation or vertical antenna pattern.
NOTE: This parameter is supported on outdoor APs only. If you use this parameter to configure an indoor AP, an error message is displayed.
Range: 0-360 Decimal Degrees

Parameter: a-ant-gain
Description: Antenna gain for 802.11a (5GHz) antenna.
Range: --

Parameter: a-ant-tilt-angle
Description: Directs the angle of the 802.11a (5GHz) antenna for optimum coverage. Use a - (negative) value for downtilt and a + (positive) value for uptilt.
NOTE: This parameter is supported on outdoor APs only. If you use this parameter to configure an indoor AP, an error message is displayed.
Range: -90 to +90 Decimal Degrees

Parameter: a-antenna
Description: Antenna use for 5 GHz (802.11a) frequency band.
   - 1: Use antenna 1
   - 2: Use antenna 2
   - both: Use both antennas (default)
Range: 1, 2, both (default)

Parameter: altitude
Description: Altitude, in meters, of the AP.
NOTE: This parameter is supported on outdoor APs only. If you use this parameter to configure an indoor AP, an error message is displayed.
Range: --

Parameter: ap-group
Description: Name of the AP group to which the AP belongs.
Range: --

Parameter: ap-name
Description: Name of the AP to be provisioned.
Range: --

Parameter: apdot1x-passwd
Description: Password of the AP to authenticate to 802.1X using PEAP.
Range: --

Parameter: apdot1x-username
Description: Username of the AP to authenticate to 802.1X using PEAP.
Range: --

Parameter: cellular_nw_preference g-only|4g-only|advanced|auto
Description: The Cellular Network Preference setting introduced in AOS-W 6.2.1.0 allows you to select how the modem should operate.
   - auto (default): In this mode, modem firmware will control the cellular network service selection; so the cellular network service failover and fallback is not interrupted by the remote AP (RAP).
   - 3g_only: Locks the modem to operate only in 3G.
   - 4g_only: Locks the modem to operate only in 4G.
   - advanced: The RAP controls the cellular network service selection based on a Received Signal Strength Indication (RSSI) threshold-based approach. Initially the modem is set to the default auto mode. This allows the modem firmware to select the available network. The RAP determines the RSSI value for the available network type (for example 4G), checks whether the RSSI is within required range, and if so, connects to that network. If the RSSI for the modem's selected network is not within the required range, the RAP will then check the RSSI limit of an alternate network (for example, 3G), and reconnect to that alternate network. The RAP will repeat the above steps each time it tries to connect using a 4G multimode modem in this mode.
Range: --

Parameter: copy-provisioning-params
Description: Initializes the provisioning-params workspace with the current provisioning parameters of the specified AP. The provisioning parameters of the AP must have previously been retrieved with the read-bootinfo option.
NOTE: This parameter can only be used on the master switch.
Range: --

Parameter: dns-server-ip
Description: IP address of the DNS server for the AP.
Range: --

Parameter: dns-server-ip6
Description: IPv6 address of the DNS server for the AP.
Range: --

Parameter: domain-name
Description: Domain name for the AP.
Range: --

Parameter: external-antenna
Description: Use an external antenna with the AP.
Range: --

Parameter: fqln
Description: Fully-qualified location name (FQLN) for the AP, in the format <APname.floor.building.campus>.
Range: --

Parameter: g-ant-bearing
Description: Determines the horizontal coverage distance of the 802.11g (2.4GHz) antenna from True North. From a planning perspective, the horizontal coverage pattern does not consider the elevation or vertical antenna pattern.
NOTE: This parameter is supported on outdoor APs only. If you use this parameter to configure an indoor AP, an error message is displayed.
Range: 0-360 decimal degrees

Parameter: g-ant-gain
Description: Antenna gain for 802.11g (2.4GHz) antenna.
Range: --

Parameter: g-ant-tilt-angle
Description: Directs the angle of the 802.11g (2.4GHz) antenna for optimum coverage. Use a - (negative) value for downtilt and a + (positive) value for uptilt.
NOTE: This parameter is supported on outdoor APs only. If you use this parameter to configure an indoor AP, an error message is displayed.
Range: -90 to +90 Decimal Degrees

Parameter: g-antenna
Description: Antenna use for 2.4 GHz (802.11g) frequency band.
   - 1: Use antenna 1
   - 2: Use antenna 2
   - both: Use both antennas
Range: 1, 2, both

Parameter: gateway
Description: IP address of the default gateway for the AP.
Range: --

Parameter: gateway6
Description: IPv6 address of the default gateway for the AP.
Range: --

Parameter: ikepsk
Description: IKE preshared key for the AP.
Range: --


Parameter: installation
Description: Specify the type of installation (indoor or outdoor). The default parameter automatically selects an installation mode based upon the AP model type.
Range: default, indoor, outdoor

Parameter: ip6addr
Description: Static IPv6 address of the AP.
Range: --

Parameter: ip6prefix
Description: The prefix of the static IPv6 address of the AP.
Range: --

Parameter: ipaddr
Description: Static IP address for the AP.
Range: --

Parameter: latitude
Description: Latitude coordinates of the AP. Use the format: Degrees, Minutes, Seconds (DMS). For example: 37 22 00 N
Range: --

Parameter: link-priority-cellular <link-priority-cellular>
Description: Set the priority of the cellular uplink. By default, the cellular uplink is a lower priority than the wired uplink, making the wired link the primary link and the cellular link the secondary or backup link. Configuring the cellular link with a higher priority than your wired link priority will set your cellular link as the primary switch link.
Range: --

Parameter: link-priority-ethernet <link-priority-ethernet>
Description: Set the priority of the wired uplink. Each uplink type has an associated priority, with wired ports having the highest priority by default.
Range: --

Parameter: longitude
Description: Longitude coordinates of the AP. Use the DMS format. For example: 122 02 00 W
Range: --

Parameter: master
Description: Name or IP address of the master switch.
Range: --

Parameter: mesh-role
Description: Configure the AP to operate as a mesh node. You assign one of three roles: mesh portal, mesh point or remote mesh point. If you select "none," the AP operates as a thin AP.
Range: --

Parameter: mesh-sae
Description: Enable or disable Simultaneous Authentication of Equals (SAE) on a mesh network. This option offers enhanced security over the default wpa2-psk-aes mesh security setting, and provides secure, attack-resistant authentication using a pre-shared key. SAE supports simultaneous initiation of a key exchange, allowing either party to initiate an exchange or both parties to initiate a key exchange simultaneously.
To use the SAE feature, you must enable this parameter on all mesh nodes (points and portals) in the network, to prevent mesh link connectivity issues.
NOTE: This is a Beta feature only. This parameter should be kept "disabled" for this release.
Range: --

Parameter: netmask
Description: Netmask for the IP address.
Range: --

Parameter: no
Description: Negates any configured parameter.
Range: --

Parameter: pap-passwd
Description: Password Authentication Protocol (PAP) password for the AP. You can use special characters in the PAP password. Following are the restrictions:
   - You cannot use double-byte characters
   - You cannot use a tilde (~)
   - You cannot use a tick (`)
   - If you use quotes (single or double), you must use the backslash (\) before and after the password
Range: --


Parameter: pap-user
Description: PAP username for the AP.
Range: --

Parameter: pppoe-chap-secret
Description: PPPoE CHAP secret key for the AP.
Range: --

Parameter: pppoe-passwd
Description: Point-to-Point Protocol over Ethernet (PPPoE) password for the AP.
Range: --

Parameter: pppoe-service-name
Description: PPPoE service name for the AP.
Range: --

Parameter: pppoe-user
Description: PPPoE username for the AP.
Range: --

Parameter: read-bootinfo
Description: Retrieves current provisioning parameters of the specified AP.
NOTE: This parameter can only be used on the master switch.
Range: --

Parameter: reprovision
Description: Provisions one or more APs with the values in the provisioning-params workspace. To use reprovision, you must use read-bootinfo to retrieve the current values of the APs into the provisioning-ap-list.
NOTE: This parameter can only be used on the master switch.
Range: --

Parameter: reset-bootinfo
Description: Restores factory default provisioning parameters to the specified AP.
NOTE: This parameter can only be used on the master switch.
Range: --

Parameter: sch-mode-radio-0
Description: If you are provisioning an 802.11n-capable AP, you can issue the sch-mode-radio-0 command to enable single-chain mode for the selected radio. AP radios in single-chain mode will transmit and receive data using only legacy rates and single-stream HT rates up to MCS 7. This setting is disabled by default.

Parameter: sch-mode-radio-1
Description: If you are provisioning an 802.11n-capable AP, you can issue the sch-mode-radio-1 command to enable single-chain mode for the selected radio. AP radios in single-chain mode will transmit and receive data using only legacy rates and single-stream HT rates up to MCS 7. This setting is disabled by default.

Parameter: server-ip
Description: IP address of the switch from which the AP boots.

Parameter: server-name
Description: DNS name of the switch from which the AP boots.

Parameter: set-ikepsk-by-addr
Description: Set an IKE preshared key to correspond to a specific IP address.

Parameter: syslocation
Description: User-defined description of the location of the AP.

Parameter: uplink-vlan <uplink-vlan>
Description: If you configure an uplink VLAN on an AP connected to a port in trunk mode, the AP sends and receives frames tagged with this VLAN on its Ethernet uplink. By default, an AP has an uplink vlan of 0, which disables this feature.
NOTE: If an AP is provisioned with an uplink VLAN, it must be connected to a trunk mode port or the AP's frames will be dropped.

Parameter: usb-dev
Description: The USB device identifier, if the device is not already supported.

Parameter: usb-dial
Description: The dial string for the USB modem. This parameter only needs to be specified if the default string is not correct.


Parameter: usb-modeswitch "-v <default_vendor> -p <default_product> -V <target_vendor> -P <target_product> -M <message_content>"
Description: USB cellular devices on remote APs typically register as modems, but may occasionally register as a mass-storage device. If a remote AP cannot recognize its USB cellular modem, use the usb-modeswitch command to specify the parameters for the hardware model of the USB cellular data-card.
NOTE: You must enclose the entire modeswitch parameter string in quotation marks.

Parameter: usb-init
Description: The initialization string for the USB modem. This parameter only needs to be specified if the default string is not correct.

Parameter: usb-passwd
Description: A PPP password, if provided by the cellular service provider

Parameter: usb-power-mode auto|enable|disable
Description: Set the USB power mode to control the power to the USB port.

Parameter: usb-tty
Description: The TTY device path for the USB modem. This parameter only needs to be specified if the default path is not correct.

Parameter: usb-tty-control
Description: The TTY device control path for the USB modem. This parameter only needs to be specified if the default path is not correct.

Parameter: usb-type
Description: Specify the USB driver type.
   - acm: Use ACM driver
   - airprime: Use Airprime driver
   - any: Use any USB driver that supports device
   - beceem-wimax: Use Beceem driver for 4G-WiMAX
   - ether-lte: Use CDC Ether driver for 4G-LTE
   - hso: Use HSO driver for newer Option
   - option: Use Option driver
   - sierra-evdo: Use EVDO Sierra Wireless driver
   - sierra-gsm: Use GSM Sierra Wireless driver
   - pantech-lte: Use Pantech driver for 4G-LTE

Parameter: usb-user
Description: The PPP username provided by the cellular service provider

Usage Guidelines
You do not need to provision APs before installing and using them. The exceptions are outdoor APs, which have antenna gains that you must provision before they can be used, and APs configured for mesh. You must provision the AP before you install it as a mesh node in a mesh deployment.
Users less familiar with this process may prefer to use the Provisioning page in the WebUI to provision an AP.

Provisioned or reprovisioned values do not take effect until the AP is rebooted. APs reboot automatically after they are successfully reprovisioned.
In order to enable cellular uplink for a remote AP (RAP), the RAP must have the device driver for the USB data card and the correct configuration parameters. AOS-W includes device drivers for the most common hardware types, but you can use the usb commands in this profile to configure a RAP to recognize and use an unknown USB modem type.
Provisioning a Single AP
To provision a single AP:
1. Use the read-bootinfo option to read the current information from the deployed AP you wish to reprovision.
2. Use the show provisioning-ap-list command to see the AP to be provisioned.
3. Use the copy-provisioning-params option to copy the AP's parameter values to the provisioning-params workspace.
4. Use the provision-ap options to set new values. Use the show provisioning-params command to display parameters and values in the provisioning-params workspace. Use the clear provisioning-params command to reset the workspace to default values.
5. Use the reprovision option to provision the AP with the values in provisioning-params workspace. The AP automatically reboots.
Provisioning Multiple APs at a Time
You can change parameter values for multiple APs at a time; however, note the following:
- You cannot provision the following AP-specific options on multiple APs:
   - ap-name
   - ipaddr
   - pap-user
   - pap-passwd
   - ikepsk
  If any of these options are already provisioned on the AP, their values are retained when the AP is reprovisioned.
- The values of the server-name, a-ant-gain, or g-ant-gain options are retained if they are not reprovisioned.
- All other values in the provisioning-params workspace are copied to the APs.
To provision multiple APs at the same time:
1. Use the read-bootinfo option to read the current information from each deployed AP that you wish to provision.
   The AP parameter values are written to the provisioning-ap-list. To reprovision multiple APs, the APs must be present in the provisioning-ap-list. Use the show provisioning-ap-list command to see the APs that will be provisioned. Use the clear provisioning-ap-list command to clear the provisioning-ap-list.
2. Use the copy-provisioning-params option to copy an AP's parameter values to the provisioning-params workspace.
3. Use the provision-ap options to set new values. Use the show provisioning-params command to display parameters and values in the provisioning-params workspace. Use the clear provisioning-params command to reset the workspace to default values.
4. Use the reprovision all option to provision the APs in the provisioning-ap-list with the values in provisioning-params workspace. All APs in the provisioning-ap-list automatically reboot.
The following are useful commands when provisioning one or more APs:
- show|clear provisioning-ap-list displays or clears the APs that will be provisioned.
- show|clear provisioning-params displays or resets values in the provisioning-params workspace.
- show ap provisioning shows the provisioning parameters an AP is currently using.
Example
The following commands change the IP address of the master switch on the AP:
(host) (config) #provision-ap
   read-bootinfo ap-name lab103
   show provisioning-ap-list
   copy-provisioning-params ap-name lab103
   master 10.100.102.210
   reprovision ap-name lab103
Command History

Release: AOS-W 3.0
Modification: Command introduced

Release: AOS-W 3.2
Modification: Introduced support for the mesh parameters, additional antenna parameters, and AP location parameters.

Release: AOS-W 3.4
Modification: Introduced support for the following parameters:
   - installation
   - mesh-sae
   - set-ikepsk-by-addr
   - usb-dev
   - usb-dial
   - usb-init
   - usb-passwd
   - usb-tty
   - usb-type
   - usb-user
   - link-priority-cellular
   - link-priority-ethernet

Release: AOS-W 5.0
Modification: The mesh-sae parameter no longer has the sae-default option. Use the sae-disable option to return this parameter to its default disabled setting.

Release: AOS-W 6.0
Modification: The uplink-vlan parameter was introduced.

Release: AOS-W 6.1
Modification: The following new parameters were introduced for provisioning IPv6 APs:
   - dns-server-ip6
   - ip6addr
   - ip6prefix
   - gateway6

Release: AOS-W 6.2
Modification: The following new parameters were introduced for provisioning APs in single-chain mode:
   - sch-mode-radio-0
   - sch-mode-radio-1
The following new parameters were introduced for provisioning APs for 802.1X authentication:
   - apdot1x-passwd
   - apdot1x-username
The following new parameters were introduced for provisioning Remote APs using USB modems:
   - usb-modeswitch
   - 4g-usb-type

Release: AOS-W 6.2.1.0
Modification: The cellular_nw_preference parameter was introduced for provisioning multimode modems, and the 4g-usb-type parameter was deprecated. Specify a 2/3G or 4G modem type using the usb-type parameter.


Command Information
Platforms
All platforms, except for the parameters noted in the Syntax table.

Licensing
Base operating system, except for the parameters noted in the Syntax table.

Command Mode Config mode on master switches


qos-profile (deprecated)
qos-profile <profile-name>
   clone <source>
   dot1p <priority>
   drop-precedence {high | low}
   dscp <rewrite-value>
   no
   traffic-class <traffic-class-value>
Description
This command configures a QoS profile to assign TC/DP, DSCP, and 802.1p values to an interface or policer profile.
Command History

Release AOS-W 6.2

Modification Command deprecated.


rap-wml
rap-wml <server-name> [ageout <period>] [cache {disable|enable}] [db-name <name>] [ip-addr <ipaddr>] [password <password>] [type {mssql|mysql}] [user <name>]
Description
Use this command to specify the name and attributes of a MySQL or an MSSQL server.
Syntax

Parameter: ageout
Description: (Optional) Specifies the cache ageout period, in seconds.
Default: 0

Parameter: cache
Description: (Optional) Enables the cache, or disables the cache.
Default: Disabled

Parameter: db-name
Description: (Optional) Specifies the name of the MySQL or MSSQL database.
Default: --

Parameter: ip-addr
Description: (Optional) Specifies the IP address of the named MSSQL server.
Default: 0.0.0.0

Parameter: no
Description: Negates any configured parameter.
Default: --

Parameter: password
Description: (Optional) Specifies the password required for database login.
Default: --

Parameter: type
Description: (Optional) Specifies the server type.
Default: --

Parameter: user
Description: (Optional) Specifies the user name required for database login.
Default: --

Usage Guidelines
Use the show rap-wml cache command to show the cache of all lookups for a database server. Use the show rap-wml servers command to show the database server state. Use the show rap-wml wired-mac command to show wired MAC discovered on traffic through the AP.
Example
This example configures a MySQL server and sets up associated rap-wml table attributes.
(host) (config) #rap-wml mysqlserver type mysql ip-addr 10.4.11.10 db-name automatedtestdatabase user sa password sa
rap-wml table mysqlserver mactest_undelimited mac timestamp-column time 600
rap-wml table mysqlserver mactest_delimited mac delimiter : timestamp-column time 600
This example configures an MSSQL server and sets up associated rap-wml table attributes.
(host) (config) #rap-wml mssqlserver type mssql ip-addr 10.4.11.11 db-name automatedtestdatabase user sa password sa
rap-wml table mssqlserver mactest_undelimited mac timestamp-column time 600
rap-wml table mssqlserver mactest_delimited mac delimiter : timestamp-column time 600
Command History
This command was introduced in AOS-W 2.0.


Command Information

Platforms All platforms

Licensing Requires the RF Protect license.

Command Mode Config mode on master switches


rap-wml table
rap-wml table <server-name> <table-name> <column-name> {[delimiter <char>] | [timestamp-column <timestamp-column-name> <lookup-time>]}
Description
Use this command to specify the name and attributes of the database table to be used for lookup.
Syntax

Parameter: server-name
Description: Specifies the database server name (created using the rap-wml <server-name> command).
Default: --

Parameter: table-name
Description: Specifies the database table name.
Default: --

Parameter: column-name
Description: Specifies the database column name with the MAC address.
Default: --

Parameter: delimiter
Description: Specifies the optional delimiter character for the MAC address in the database.
Default: No delimiter

Parameter: no
Description: Negates the rap-wml table for the named server.
Default: --

Parameter: timestamp-column
Description: Specify the database column name with the timestamp last seen.
Default: --

Parameter: timestamp-column-name
Description: Specify the database column name with the timestamp last seen.
Default: --

Parameter: lookup-time
Description: Specifies how far back, in seconds, to look for the MAC address. Use 0 seconds to look up everything.
Default: 0

Usage Guidelines
Use the rap-wml <servername> command to configure a MySQL or an MSSQL server, then use the rap-wml table command to configure the associated database table for the server.
Example
This example configures a MySQL server and sets up associated rap-wml table attributes for that server.
(host) (config) #rap-wml mysqlserver type mysql ip-addr 10.4.11.10 db-name automatedtestdatabase user sa password sa
rap-wml table mysqlserver mactest_undelimited mac timestamp-column time 600
rap-wml table mysqlserver mactest_delimited mac delimiter : timestamp-column time 600
This example configures an MSSQL server and sets up associated rap-wml table attributes for that server.
(host) (config) # rap-wml mssqlserver type mssql ip-addr 10.4.11.11 db-name automatedtestdatabase user sa password sa
rap-wml table mssqlserver mactest_undelimited mac timestamp-column time 600
rap-wml table mssqlserver mactest_delimited mac delimiter : timestamp-column time 600
Command History
This command was introduced in AOS-W 2.0.


Command Information

Platforms All platforms

Licensing Requires the RF Protect license.

Command Mode Config mode on master switches


reload-peer-sc
reload-peer-sc
Description
This command performs a reboot of the OAW-6000 switch module.
Command History

Version AOS-W 6.1

Description Command deprecated


reload
reload
Description
This command performs a reboot of the switch.
Syntax
No parameters.
Usage Guidelines
Use this command to reboot the switch if required after making configuration changes or under the guidance of Alcatel-Lucent Networks customer support. The reload command powers down the switch, making it unavailable for configuration. After the switch reboots, you can access it via a local console connected to the serial port, or through an SSH, Telnet, or WebUI session. If you need to troubleshoot the switch during a reboot, use a local console connection.
After you use the reload command, the switch prompts you for confirmation of this action. If you have not saved your configuration, the switch returns the following message:
Do you want to save the configuration (y/n):
- Enter y to save the configuration.
- Enter n to not save the configuration.
- Press [Enter] to exit the command without saving changes or rebooting the switch.
If your configuration has already been saved, the switch returns the following message:
Do you really want to reset the system(y/n):
- Enter y to reboot the switch.
- Enter n to cancel this action.
The command will time out if you do not enter y or n.
Example
The following command assumes you have already saved your configuration and you must reboot the switch:
(host) (config) #reload
The switch returns the following messages:
Do you really want to reset the system(y/n): y
System will now restart!
...
Restarting system.
Command History
This command was introduced in AOS-W 1.0.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode Enable and Config modes on master switches


remote-node-local-factory-cert
remote-node-local-factory-cert
Description
Configure factory certificates for secure traffic between Remote-Node-Masters and Remote-Nodes.
Syntax
No parameters
Usage Guidelines
Issue this command on a Remote-Node Master to use a factory-installed certificate to authenticate a Remote-Node.
Example
The following command configures the local remote node on a master remote node:
(host) (config) remote-node-local-factory-certs
Command History
Introduced in AOS-W 6.1
Command Information

Platform Available on all platforms

License Available in the base operating system

Command Mode Config mode on master switches


remote-node-localip
remote-node-localip <remote-node-switch-ip> ipsec KEY <keyword>
Description
This command configures the switch-IP address and preshared key for the local Remote Node on a master Remote Node.
Syntax

Parameter: <remote-node-switch-ip>
Description: Switch-IP address of the local remote node. Use the 0.0.0.0 address to configure a global preshared key for all inter-switch communications.

Parameter: ipsec <keyword>
Description: Preshared key, which must be between 6-64 characters.

Usage Guidelines
Use this command on a master remote node to configure the switch-IP address and preshared key for communication with a local remote node. On the local remote node, the pre-shared key is configured in the setup wizard during the initial boot. The pre-shared keys for both the master and local switches must match. On the local remote node, use the remote-node-masterip command to configure the switch-IP address and preshared key for the master remote node.
Example
The following command configures the local remote node on a master remote node:
(host) (config) remote-node-localip 172.16.0.254 ipsec rhyopevs
Command History
Introduced in AOS-W 6.0
Command Information

Platform Available on all platforms

License Available in the base operating system

Command Mode Config mode on master switches


remote-node-masterip
remote-node-masterip <masterip> ipsec key <pre-shared key> ipsec-factory-cert
Description
This command configures the IP address and preshared key or factory-installed certificate for the Remote-Node Master on a local Remote Node.
Syntax

<masterip>
  IP address of the master Remote Node.
ipsec <key>
  Secure communication between a Remote-Node and Remote-Node master by defining a preshared key, which must be between 6-64 characters.
ipsec-factory-cert
  Secure communication between a Remote-Node and Remote-Node master by identifying a factory-installed certificate on the Remote-Node Master.

Usage Guidelines
Use this command on a local Remote Node to configure the IP address and preshared key for communication with the master Remote Node. On the master switch, use the remote-node-localip command to configure the IP address and preshared key for a local Remote Node.
Changing the IP address of the master on a local Remote Node requires a reboot of the local Remote Switch.

Example
The following command configures the Remote-Node Master on a local Remote Node:
(host) (config) #remote-node-masterip 172.16.0.254 ipsec rhyopevs
Command History

AOS-W 3.0
  Command introduced.
AOS-W 6.1
  The ipsec-factory-cert parameter was introduced to allow certificate-based authentication of Remote-Node Masters.

Command Information

Platform Available on all platforms

License Available in the base operating system

Command Mode Config mode on local Remote Nodes.
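
The rules stated for remote-node-localip and remote-node-masterip (a 6-64 character key, matching keys on both sides, 0.0.0.0 as a global key) can be checked offline before the commands are deployed. The following Python script is an added example, not part of AOS-W or of this guide; it assumes the commands are available as typed text (for example from a provisioning template), and its function names, finding labels and all sample addresses other than 172.16.0.254 are constructed for illustration.

```python
# Added example: offline audit of Remote Node IPsec peering commands.
# Not AOS-W code; function names, labels and sample data are constructed.
import ipaddress
import re

PSK_MIN, PSK_MAX = 6, 64     # key length limits from the parameter tables
GLOBAL_PEER = "0.0.0.0"      # address the guide assigns to the global preshared key

# Accepts an optional "(host) (config) #" prompt, then either command.
# The syntax lines show a literal "key" keyword and the examples omit it,
# so the keyword is treated as optional here (assumption).
CMD = re.compile(
    r"^\s*(?:\([^)]*\)\s*)*#?\s*"
    r"(remote-node-localip|remote-node-masterip)\s+(\S+)\s+"
    r"(?:ipsec\s+(?:[Kk][Ee][Yy]\s+)?(\S+)|(ipsec-factory-cert))\s*$"
)


def parse(lines):
    """Map each command to {peer IP: key}; key is None for ipsec-factory-cert."""
    out = {"remote-node-localip": {}, "remote-node-masterip": {}}
    for line in lines:
        m = CMD.match(line)
        if not m:
            continue                      # unrelated configuration line
        cmd, ip, key, cert = m.groups()
        if cert and cmd != "remote-node-masterip":
            continue                      # certificate form is documented for masterip only
        ipaddress.IPv4Address(ip)         # ValueError on a malformed address
        out[cmd][ip] = None if cert else key
    return out


def bad_length(key):
    """True when the key violates the 6-64 character rule."""
    return not PSK_MIN <= len(key) <= PSK_MAX


def audit(master_lines, locals_by_ip, master_ip):
    """Return (side, switch IP, issue) tuples; key material is never echoed."""
    findings = []
    peers = parse(master_lines)["remote-node-localip"]
    for ip, key in peers.items():
        if bad_length(key):
            findings.append(("master", ip, "psk-length"))
    if GLOBAL_PEER in peers:
        # One secret shared by every Remote Node: worth knowing before rollout.
        findings.append(("master", GLOBAL_PEER, "global-psk"))
    for local_ip, lines in locals_by_ip.items():
        entry = parse(lines)["remote-node-masterip"]
        if master_ip not in entry:
            findings.append(("local", local_ip, "no-master-entry"))
            continue
        local_key = entry[master_ip]
        if local_key is None:
            continue                      # certificate-based, nothing to compare
        if bad_length(local_key):
            findings.append(("local", local_ip, "psk-length"))
        # A per-node key on the master takes precedence over the global one
        # in this audit (assumption; the guide does not state the precedence).
        master_key = peers.get(local_ip, peers.get(GLOBAL_PEER))
        if master_key is None:
            findings.append(("local", local_ip, "no-psk-on-master"))
        elif master_key != local_key:
            findings.append(("local", local_ip, "psk-mismatch"))
    return findings


# Constructed sample commands (not from a real deployment).
MASTER = [
    "(host) (config) #remote-node-localip 172.16.0.10 ipsec rhyopevs",
    "(host) (config) #remote-node-localip 172.16.0.11 ipsec abc",
    "(host) (config) #remote-node-localip 0.0.0.0 ipsec fallbackkey1",
]
LOCALS = {
    "172.16.0.10": ["(host) (config) #remote-node-masterip 172.16.0.254 ipsec rhyopevs"],
    "172.16.0.11": ["(host) (config) #remote-node-masterip 172.16.0.254 ipsec abd"],
    "172.16.0.12": ["(host) (config) #remote-node-masterip 172.16.0.254 ipsec fallbackkey1"],
    "172.16.0.13": ["(host) (config) #remote-node-masterip 172.16.0.254 ipsec-factory-cert"],
    "172.16.0.14": ["(host) (config) #remote-node-masterip 172.16.0.1 ipsec rhyopevs"],
}

if __name__ == "__main__":
    for side, ip, issue in audit(MASTER, LOCALS, "172.16.0.254"):
        print(f"{side:6} {ip:15} {issue}")
```

The findings name the switch and the rule that failed but never the key itself, so the report can be shared without exposing secrets.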


remote-node-profile
remote-node-profile <remote-node-profile-name>
aaa authentication-server internal use-local-switch
cellular profile <profile-name>
clone <profile-name>
switch-ip vlan <id> ip address
dialer group <name>
instance <remote-node-mac-address>
interface cellular [{fastethernet|gigabitethernet} <slot>/<port>] |[loopback]| [port-channel <id>]|[tunnel <1-2147483647>|vlan <id>]
ip [default-gateway <ipaddr>]|{import cell|dhcp|pppoe}|{ipsec <name>} <cost>}|[domain lookup|domain-name <name>]|[name-server <ipaddr>]|[nat pool <name> <start-ipaddr> <endipaddr> <dest-ipaddr>|[radius {nas-ip <ipaddr>]|[rfc-3576-server udp-port <port>]|[sourceinterface {loopback|vlan <vlan>}]|[route <destip> <destmask> {<nexthop> [<cost>]]|[ipsec <name>|null 0}]
ipv6 enable|route <ipv6-prefix/prefix-length> <ipv6-next-hop> <cost>
logging <ipaddr>|facility <facility>|level <level> <category> [process <process>] [subcat <subcategory>]
mgmt-server [type {amp|other}]|[primary-server <ip-addr>]
mgmt-user [<username> <role> <password>]|[localauth-disablessh-pubkey client-cert <certificate> <username> <role>]|[webui-cacert <certificate_name> serial <number> <username> <role>]
mobility-manager <ipaddr> user <username> <password> [interval <secs>]|[retrycount <number>] [udp-port <port>] [rtls <rtls-udp-port>] trap-version {1|2c|3}
model <model_type>
no
priority-map <name>
remote-node-dhcp-pool <pool-name>|pool-type {vlan <id>}|tunnel|range startip <start-ip> endip <end-ip> num_hosts
router ospf enable {area <area-id>|redistribute vlan [<vlan-ids>|add <vlan-ids>|remove <vlan-ids>] |router-id <rtr-id> |subnet exclude <addr>}
snmp-server community <string>|enable trap|engine-id|host <ipaddr> version {1 <name> udpport <port>}|2c|{3 <name>} [inform] [interval <seconds>] [retrycount <number>] [udp-port <port>]}|inform queue-length <size>|source|stats|trap enable|disable|{source <ipaddr>}|user <name> [auth-prot {md5|sha} <password>] [priv-prot {AES|DES} <password>]
spanning-tree [forward-time <value> | hello-time <value> | max-age <value> | priority <value> | vlan range <WORD>|
syscontact <syscontact>
syslocation <syslocation>
uplink {cellular priority <prior>}|disable|enable|{wired priority <prior>}|{wired vlan <id>}


validate
vlan <id> [<description>]|[<name> <vlan-ids>]|[range <range>]|[wired aaa-profile <profile>]
vrrp <id> {advertise <interval>|authentication <password>|description <text>|ip address <ipaddr>|preempt|priority <level>|shutdown} tracking interface {fastethernet <slot>/<port>|gigabitethernet <slot>/<port>}{sub <value>}|tracking master-up-time <duration> add <value>|tracking vlan <vlanid> {sub <value>}|tracking vrrp-master-state <vrid> add <value>|vlan <vlanid>}
Description
The remote-node-profile command lets you create a Remote Node profile. Once in Remote Node profile configuration mode, you can issue any of the following commands to define the values you want to assign to that profile.
Syntax

aaa
  Configure authentication server using an internal server. For details, see aaa authentication-server internal on page 30.
cellular profile <name>
  Cellular interface profile associated with this Remote Node profile. For details, see cellular profile on page 176.
clone <profile-name>
  Use this command to copy a Remote Node profile to this profile.
switch-ip vlan <id> ip address
  Select one of the following parameters for the VLAN interface:
  - dhcp-client: The remote node will use DHCP to obtain IP address.
  - internal: The remote node IP will be derived from the remote node DHCP pool.
  - pppoe: Use PPPoE to obtain IP address.
dialer group <name>
  Dialer group profile associated with this Remote Node profile.
instance
  Configure the Remote Node MAC address to associate the Remote Node to this profile. When you create a new Remote Node profile, enter the remote-node profile instance command first.
interface
  Configure the Remote Node interface:
  - cellular: Configure the cellular Interface.
  - fastethernet: Configure the FastEthernet (IEEE 802.3) interface.
  - gigabitethernet: Configure the GigabitEthernet Interface.
  - loopback: Configure the Loopback Interface.
  - port-channel: Configure the Ethernet channel of interfaces.
  - tunnel: Configure the Tunnel interface.
  - vlan: Configure the Switch VLAN Virtual Interface.
  NOTE: The VLAN ID mapped using the "interface vlan <id> ip address" command can use the following parameters to define how the switch-ip is derived:
  - dhcp-client: The remote node will use DHCP to obtain IP address.
  - internal: The remote node IP will be derived from the remote node DHCP pool.
  - pppoe: Use PPPoE to obtain IP address.
  For details on using this command, see interface fastethernet | gigabitethernet on page 318.
ip
  Configure the Interface Internet Protocol configuration sub commands. For details, see command descriptions beginning with ip default-gateway on page 367.
  - default-gateway
  - domain lookup
  - domain-name
  - name-server
  - nat
  - radius
  - route
ipv6
  Configure the Global IPv6 configuration sub commands. For details, see command descriptions beginning with ipv6 enable on page 350.
  - enable
  - route X:X:X:X::X/<0-128>
logging
  Set the logging level up to which messages are logged.
  - A.B.C.D
  - facility
  - level
  For details on using this command, see logging on page 435.
mgmt-server
  Register Mgmt Server IP Address with the switch. This could be AirWave Management Server or any other server that would like to receive messages from the switch using AMON protocol. For details on using this command, see mgmt-server on page 448.
mgmt-user
  Configure a management user. For details on using this command, see mgmt-user on page 449.
mobility-manager
  Configure a mobility manager. For details on using this command, see mobility-manager on page 451.
model <model_type>
  Switch model associated to the Remote Node profile, where <model-type> is one of the following switch model types:
  - OAW-4504XM
  - OAW-4604
  - OAW-4704
  - OAW-4306
  - OAW-4306G
no
  Delete a remote node profile.
priority-map <name>
  Priority Map specification, used to prioritize the incoming packets on an interface. For details on using this command, see priority-map on page 486.
remote-node-dhcp-pool <pool_name>
  Name of the DHCP pool.
pool-type {vlan <id>}|tunnel
  Specify whether you are creating a pool of IP addresses for RN VLANs or RN tunnels.
<id>
  The ID number of the VLAN associated with the RN.
<start-ip>
  IP addresses at the start and end of the RN's address range, in dotted-decimal format.
<end-ip>
  IP address at the end of the RN's address range, in dotted-decimal format.
num_hosts
  Maximum number of hosts supported by an RN using this pool.
router ospf <area-id>
  Enables and configures OSPF. Configure an OSPF area, control distribution of default information, redistribute the route, configure the Router ID and specify the subnet.
snmp-server
  Enables SNMP and modifies SNMP parameters. For details on using this command, see snmp-server on page 1433.
spanning-tree
  Create a Spanning Tree Subsystem. For details on using this command, see spanning-tree (Global Configuration) on page 1435.
syscontact <syscontact>
  Configures the name of the system contact for the switch. Enter an alphanumeric string that specifies the name of the system contact.
syslocation <syslocation>
  Configures the name of the system location for the switch. Enter an alphanumeric string that specifies the name of the system location.
uplink
  Define an uplink manager configuration. For details on using this command, see uplink on page 1459.
validate
  After you have defined configuration settings for a Remote Node profile, you must activate that profile by issuing the command remote-node-profile <profile-name> validate to validate that the configuration has a correctly defined uplink, model type, and an interface type supported by the Remote Node model. You cannot assign a Remote Node configuration profile to a Remote Node until that profile has been activated.
vlan
  Create a Remote Node VLAN Virtual Interface vlan. For details on using this command, see vlan on page 1469.
vrrp
  Define a Virtual Router Redundancy Protocol (VRRP) configuration. For details on using this command, see vrrp on page 1487.

Usage Guidelines
Use the remote-node-profile command to create a Remote Node profile. You define configuration settings for each Remote Node through a Remote Node profile on the Remote Node-master. The Remote Node-master must be a master switch.


Related Commands

remote-node-localip
  Configures security for all Remote Node and Remote Switch control traffic
  Mode: Enable and Config mode
remote-node-masterip
  Configures security for the Remote Node master IP address.
  Mode: Enable and Config mode
local-userdb-remote-node
  This command adds a Remote Node to the Remote Node whitelist. You can also delete the whitelist entry using this command.
  Mode: Enable and Config mode
show remote-node
  Shows Remote Node configuration, dhcp instance, license usage and running configuration information.
  Mode: Enable and Config mode
show remote-node-dhcp-pool
  Shows Remote Node dhcp pool configuration information.
  Mode: Enable and Config mode
show remote-node-profile
  Shows Remote Node profile status information.
  Mode: Enable and Config mode
show local-userdb-remote-node
  The output of this command lists the MAC address and assigned remote-node-profile for each Remote Switch associated with that Remote Switch master.
  Mode: Enable and Config mode

Command History
AOS-W 6.0
  Command introduced.
AOS-W 6.1
  The switch-ip loopback parameter was deprecated. The following parameters were added:
  - ipv6
  - mgmt-server
  - mobility-manager
  - snmp-server
  - syscontact
  - syslocation

Command Information

Platform Available on all platforms

License Available in the base operating system.

Command Mode Enable and Config modes on master switches.


rename
rename <filename> <newfilename>
Description
This command renames an existing system file.
Syntax

filename
  An alphanumeric string that specifies the current name of the file on the system.
newfilename
  An alphanumeric string that specifies the new name of the file on the system.

Usage Guidelines
Use this command to rename an existing system file on the switch. You can use a combination of numbers, letters, and punctuation (periods, underscores, and dashes) to rename a file. The new name takes effect immediately.
Make sure the renamed file uses the same file extension as the original file. If you change the file extension, the file may be unrecognized by the system. For example, if you have an existing file named upgrade.log, the new file must include the .log file extension.
You cannot rename the active configuration currently selected to boot the switch. If you attempt to rename the active configuration file, the switch returns the following message:
Cannot rename active configuration file
To view a list of system files, and for more information about the directory contents, see dir on page 246.
Example
The following command changes the file named test_configuration to deployed_configuration:
(host) (config) #rename test_configuration deployed_configuration
Command History
This command was introduced in AOS-W 1.0.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode Enable and Config modes on master switches


restore
restore flash
Description
This command restores flash directories backed up to the flashbackup.tar.gz file.
Syntax

flash
  Restores flash directories from the flashbackup.tar.gz file.

Usage Guidelines
Use the backup flash command to tar and compress flash directories to the flashbackup.tar.gz file.
Example
The following command restores flash directories from the flashbackup.tar.gz file:
(host) #restore flash
Command History
This command was introduced in AOS-W 3.0.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode Enable mode on master switches


rf am-scan-profile
<profile-name>
clone <profile>
dwell-time-active-channel
dwell-time-other-reg-domain-channel
dwell-time-rare-channel
dwell-time-reg-domain-channel
no
scan-mode
Description
Configure an Air Monitor (AM) scanning profile.
Syntax

<profile-name>
  Name of this instance of the profile.
  Range: 1-63 characters
  Default: --
clone <profile>
  Copy data from another AM scanning profile
  Range: --
  Default: --
dwell-time-active-channel
  Dwell time (in ms) for channels where there is wireless activity.
  Range: 100-32768 ms
  Default: 500 ms
dwell-time-other-reg-domain-channel
  Dwell time (in ms) for channels not in the APs regulatory domain.
  Range: 100-32768 ms
  Default: 250 ms
dwell-time-rare-channel
  Dwell time (in ms) for rare channels.
  Range: 100-32768 ms
  Default: 100 ms
dwell-time-reg-domain-channel
  Dwell time (in ms) for AP's Regulatory domain channels
  Range: 100-32768 ms
  Default: 250 ms
no
  Delete the command
  Range: --
  Default: --
scan-mode
  Set the scanning mode for the radio.
  Range: --
  Default: --
all-reg-domain
  Scan channels in all regulatory domain
  Range: --
  Default: --
rare
  Scan all channels (all regulatory domains and rare channels)
  Range: --
  Default: --
reg-domain
  Scan channels in the APs regulatory domain
  Range: --
  Default: --

Command History
AOS-W 6.0
  Command introduced


Command Information

Platforms All Platforms

Licensing RFProtect

Command Mode Configuration Mode (config)


rft
rft test profile antenna-connectivity ap-name <name> [dest-mac <macaddr> [phy {a|g}| radio {0|1}]]
rft test profile link-quality {ap-name <name> dest-mac <macaddr> [phy {a|g}| radio {0|1}] | bssid <bssid> dest-mac <macaddr> | ip-addr <ipaddr> dest-mac <macaddr> [phy {a|g}|radio {0|1}]}
rft test profile raw {ap-name <name> dest-mac <macaddr> [phy {a|g}|radio {0|1}] | bssid <bssid> dest-mac <macaddr> | ip-addr <ipaddr> dest-mac <macaddr> [phy {a|g}|radio {0|1}]}
Description
This command is used for RF troubleshooting.
Syntax

ap-name
  Name of the AP that performs the test.
  Range: --
dest-mac
  MAC address of the client to be tested.
  Range: --
phy
  802.11 type, either a or g.
  Range: a|g
radio
  Radio ID, either 0 or 1.
  Range: 0|1
bssid
  BSSID of the AP that performs the test.
  Range: --
ip-addr
  IP address of the AP that performs the test.

Usage Guidelines
This command can run predefined test profiles for antenna connectivity, link quality, or raw testing. You should only run these commands when directed to do so by an Alcatel-Lucent support representative.
Command History
This command was introduced in AOS-W 3.0.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode Config mode on master switches


rf arm-profile
rf arm-profile <profile>
40MHz-allowed-bands {All|None|a-only|g-only}
acceptable-coverage-index <number>
active-scan (not intended for use)
assignment {disable|maintain|multi-band|single-band}
backoff-time <seconds>
client-aware
clone <profile>
error-rate-threshold <percent>
error-rate-wait-time <seconds>
free-channel-index <number>
ideal-coverage-index <number>
load-aware-scan-threshold
max-tx-power <dBm>
min-scan-time <# of scans>
min-tx-power <dBm>
mode-aware
multi-band-scan
no ...
noise-threshold
noise-wait-time
ota-updates
ps-aware-scan
rogue-ap-aware
scan-interval <seconds>
scan mode all-reg-domain|reg-domain
scanning
video-aware-scan
voip-aware-scan
Description
This command configures the Adaptive Radio Management (ARM) profile.
Syntax

<profile>
  Name of this instance of the profile. The name must be 1-63 characters.
  Range: --
  Default: "default"
40MHz-allowed-bands
  The specified setting allows ARM to determine if 40 MHz mode of operation is allowed on the 5 GHz or 2.4 GHz frequency band only, on both frequency bands, or on neither frequency band.
  Range: All/None/a-only/g-only
  Default: a-only
All
  Allows 40 MHz channels on both the 5 GHz (802.11a) and 2.4 GHz (802.11b/g) frequency bands.
None
  Disallows use of 40 MHz channels.
a-only
  Allows use of 40 MHz channels on the 5 GHz (802.11a) frequency band only.
g-only
  Allows use of 40 MHz channels on the 2.4 GHz (802.11b/g) frequency band only.
acceptable-coverage-index
  The minimal coverage that the AP should try to achieve on its channel. The denser the AP deployment, the lower this value should be. This setting applies to multi-band implementations only.
  Range: 1-6
  Default: 4
active-scan
  When the Active Scan checkbox is selected, an AP initiates active scanning via probe request. This option elicits more information from nearby APs, but also creates additional management traffic on the network. Active Scan is disabled by default, and should not be enabled except under the direct supervision of Alcatel-Lucent Support.
  Default: disabled
assignment
  Activates one of four ARM channel/power assignment modes.
  Range: --
  Default: single-band (new installations only)
disable
  Disables ARM channel/power assignments.
maintain
  Maintains existing channel assignments.
multi-band
  Computes ARM assignments for both 5 GHz (802.11a) and 2.4 GHz (802.11b/g) frequency bands.
single-band
  Computes ARM assignments for a single band.
backoff-time
  Time, in seconds, an AP backs off after requesting a new channel or power.
  Range: 120-3600
  Default: 240 seconds
client-aware
  If the Client Aware option is enabled, the AP does not change channels if there is active client traffic on that AP. If Client Aware is disabled, the AP may change to a more optimal channel, but this change may also disrupt current client traffic.
  Range: --
  Default: enabled
clone
  Name of an existing ARM profile from which parameter values are copied.
  Range: --
  Default: --
error-rate-threshold
  The percentage of errors in the channel that triggers a channel change. Recommended value is 50%.
  Range: 0-100
  Default: 50%
error-rate-wait-time
  Time, in seconds, that the error rate has to be at least the error rate threshold to trigger a channel change.
  Range: 1-2,147,483,647. Recommended Values: 1-100
  Default: 30 seconds
free-channel-index
  The difference in the interference index between the new channel and current channel must exceed this value for the AP to move to a new channel. The higher this value, the lower the chance an AP will move to the new channel. Recommended value is 25.
  Range: 10-40
  Default: 25
ideal-coverage-index
  The coverage that the AP should try to achieve on its channel. The denser the AP deployment, the lower this value should be. Recommended value is 10.
  Range: 2-20
  Default: 10
load-aware-scan-threshold
  Load aware ARM preserves network resources during periods of high traffic by temporarily halting ARM scanning if the load for the AP gets too high.
  The Load Aware Scan Threshold is the traffic throughput level an AP must reach before it stops scanning. The supported range for this setting is 0-20000000 bytes/second. (Specify 0 to disable this feature.)
  Default: 1250000 bytes/second
max-tx-power
  Maximum effective isotropic radiated power (EIRP) from 3 to 33 dBm in 3 dBm increments. You may also specify a special value of 127 dBm for regulatory maximum to disable power adjustments for environments such as outdoor mesh links. This value takes into account both radio transmit power and antenna gain.
  Higher power level settings may be constrained by local regulatory requirements and AP capabilities.
  Range: 3, 6, 9, 12, 15, 18, 21, 24, 27, 30, 33, 127
  Default: 127 dBm
min-scan-time
  Minimum number of times a channel must be scanned before it is considered for assignment. The supported range for this setting is 0-2,147,483,647 scans. Best practices are to configure a Minimum Scan Time between 1-20 scans.
  Range: 1-2,147,483,647. Recommended Values: 1-20
  Default: 8 scans
min-tx-power
  Minimum effective isotropic radiated power (EIRP) from 3 to 33 dBm in 3 dBm increments. You may also specify a special value of 127 dBm for regulatory minimum. This value takes into account both radio transmit power and antenna gain.
  Higher power level settings may be constrained by local regulatory requirements and AP capabilities.
  Range: 3, 6, 9, 12, 15, 18, 21, 24, 27, 30, 33, 127
  Default: 9 dBm
mode-aware
  If enabled, ARM will turn APs into Air Monitors (AMs) if it detects higher coverage levels than necessary. This helps avoid higher levels of interference on the WLAN. Although this setting is disabled by default, you may want to enable this feature if your APs are deployed in close proximity (e.g. less than 60 feet apart).
  Range: --
  Default: disabled
multi-band-scan
  When enabled, single-radio APs try to scan across bands for rogue AP detection.
  Range: --
  Default: enabled
no
  Negates any configured parameter.
  Range: --
  Default: --
noise-threshold
  Maximum level of noise in a channel that triggers a channel change (-dBm).
  Range: 0-2,147,483,647. Recommended Values: 0-80 -dBm
  Default: 75 -dBm
noise-wait-time
  Minimum time in seconds the noise level has to exceed the Noise Threshold before it triggers a channel change.
  Range: 1-3600 seconds
  Default: 120 seconds
ota-updates
  The ota-updates option allows an AP to get information about its RF environment from its neighbors, even if the AP cannot scan. If this feature is enabled, when an AP on the network scans a foreign (non-home) channel, it sends other APs an Over-the-Air (OTA) update in an 802.11 management frame that contains information about the scanning AP's home channel, the current transmission EIRP value of its home channel, and one-hop neighbors seen by that AP.
  Range: --
  Default: enabled
ps-aware-scan
  When enabled, the AP will not scan if Power Save is active.
  Range: --
  Default: disabled
rogue-ap-aware
  When enabled, the AP will try to contain off-channel rogue APs.
  Range: --
  Default: disabled
scan-interval
  If Scanning is enabled, the Scan Interval defines how often the AP will leave its current channel to scan other channels in the band.
  Off-channel scanning can impact client performance. Typically, the shorter the scan interval, the higher the impact on performance. If you are deploying a large number of new APs on the network, you may want to lower the Scan Interval to help those APs find their optimal settings more quickly. Raise the Scan Interval back to its default setting after the APs are functioning as desired.
  Range: 0-2,147,483,647. Recommended Values: 0-30
  Default: 10 seconds
scan-mode
  Select the scan mode for the AP.
  - all-reg-domain: The AP scans channels within all regulatory domains. This is the default setting.
  - reg-domain: Limit the AP scans to just the regulatory domain for that AP.
  Default: all-reg-domain
scanning
  The Scanning checkbox enables or disables AP scanning across multiple channels. Disabling this option also disables the following scanning features:
  - Multi Band Scan
  - Rogue AP Aware
  - Voip Aware Scan
  - Power Save Scan
  Do not disable Scanning unless you want to disable ARM and manually configure AP channel and transmission power.
  Range: --
  Default: enabled
video-aware-scan
  As long as there is at least one video frame every 100 mSec the AP will reject an ARM scanning request. Note that for each radio interface, video frames must be defined in one of two ways:
  - Classify the frame as video traffic via a session ACL.
  - Enable WMM on the WLAN's SSID profile and define a specific DSCP value as a video stream. Next, create a session ACL to tag the video traffic with that DSCP value.
  Range: --
  Default: enabled
voip-aware-scan
  Alcatel-Lucent's VoIP Call Admission Control (CAC) prevents any single AP from becoming congested with voice calls. When you enable CAC, you should also enable voip-aware-scan parameter in the ARM profile, so the AP will not attempt to scan a different channel if one of its clients has an active VoIP call. This option requires that scanning is also enabled.
  Range: --
  Default: disabled

Usage Guidelines
Adaptive Radio Management (ARM) is a radio frequency (RF) resource allocation algorithm that allows each AP to determine the optimum channel selection and transmit power setting to minimize interference and maximize coverage and throughput. This command configures an ARM profile that you apply to a radio profile for the 5 GHz or 2.4 GHz frequency band (see rf dot11a-radio-profile on page 525 or rf dot11g-radio-profile on page 533).
The default ARM scanning interval is determined by the scan-interval parameter in the ARM profile. If the AP does not have any associated clients (or if most of its clients are inactive) the ARM feature will dynamically readjust this default scan interval, allowing the AP to obtain better information about its RF neighborhood by scanning non-home channels more frequently. Starting with AOS-W 6.2, if an AP attempts to scan a non-home channel but is unsuccessful, the AP will make additional attempts to rescan that channel before skipping it and continuing on to other channels.
Using Adaptive Radio Management (ARM) in a Mesh Network
When a mesh portal operates on a mesh network, the mesh portal determines the channel used by the mesh feature. When a mesh point locates an upstream mesh portal, it will scan the regulatory domain channels list to determine the channel assigned to it, for a mesh point always uses the channel selected by its mesh portal. However, if a mesh portal uses an ARM profile enabled with a single-band or multi-band channel/power assignment and the scanning feature, the mesh portal will scan the configured channel lists and the ARM algorithm will assign the proper channel to the mesh portal.
If you are using ARM in your network, it is important to note that mesh points, unlike mesh portals, do not scan channels. This means that once a mesh point has selected a mesh portal or an upstream mesh point, it will tune to this channel, form the link, and will not scan again unless the mesh link gets broken. This provides good mesh link stability, but may adversely affect system throughput in networks with mesh portals and mesh points. When ARM assigns optimal channels to mesh portals, those portals use different channels, and once the mesh network has formed and all the mesh points have selected a portal (or upstream mesh point), those mesh points will not be able to detect other portals on other channels that could offer better throughput. This type of suboptimal mesh network may form if, for example, two or three mesh points select the same mesh portal after booting, form the mesh network, and leave a nearby mesh portal without any mesh points. Again, this will not affect mesh functionality, but may affect total system throughput.
Example
The following command configures VoIP-aware scanning for the arm-profile named "voice-arm":
(config) (host) #rf arm-profile voice-arm
voip-aware-scan

Command History
AOS-W 3.0
  Command introduced
AOS-W 3.3
  Support for the high-throughput IEEE 802.11n standard was introduced
AOS-W 3.3.2
  Support for the wait-time parameter was removed.
AOS-W 3.4.1
  The voip-aware-scan parameter no longer requires a license, and is available in the base OS.
AOS-W 6.1
  The ps-aware-scan parameter is now disabled by default.

Command Information

Platforms All platforms

Licensing Base operating system

Command Mode Enable or Config mode on master switches


rf dot11a-radio-profile
rf dot11a-radio-profile <profile>
am-scan-profile <profile-name>
arm-profile <profile>
beacon-period <milliseconds>
beacon-regulate
cap-reg-eirp <cap-reg-eirp>
cell-size-reduction <cell-size-reduction>
channel <num|num+|num->
channel-reuse {static|dynamic|disable}
channel-reuse-threshold
clone <profile>
csa
csa-count <number>
disable-arm-wids-function
dot11h
high-throughput-enable
ht-radio-profile <profile>
interference-immunity
maximum-distance <maximum-distance>
mgmt-frame-throttle-interval <seconds>
mgmt-frame-throttle-limit <number>
mode {ap-mode|am-mode|spectrum-mode}
no ...
radio-enable
slb-mode channel|radio
slb-threshold
slb-update-interval <secs>
spectrum-load-bal-domain
spectrum-load-balancing
spectrum-monitoring
spectrum-profile <profile>
tpc-power <tpc-power>
tx-power <dBm>
Description
This command configures AP radio settings for the 5 GHz frequency band, including the Adaptive Radio Management (ARM) profile and the high-throughput (802.11n) radio profile.
Syntax

Parameter <profile> am-scan-profile <name> arm-profile

Description
Name of this instance of the profile. The name must be 1-63 characters.
Configure an Air Monitor (AM) scanning profile
Configures Adaptive Radio Management (ARM) feature. See rf arm-profile on page 519.

Range -- -- --

Default "default" "default" "default"

AOS-W 6.2 | Reference Guide

rf dot11a-radio-profile | 525

Parameter: beacon-period
Description: Time, in milliseconds, between successive beacon transmissions. The beacon advertises the AP's presence, identity, and radio characteristics to wireless clients.
Range: 60 (minimum)
Default: 100 milliseconds

Parameter: beacon-regulate
Description: Enabling this setting introduces randomness in the beacon generation so that multiple APs on the same channel do not send beacons at the same time, which causes collisions over the air.
Range: --
Default: disabled

Parameter: cap-reg-eirp <cap-reg-eirp>
Description: Work around a known issue on Cisco 7921G telephones by specifying a cap for a radio's maximum equivalent isotropic radiated power (EIRP). When you enable this parameter, even if the regulatory approved maximum for a given channel is higher than this EIRP cap, the AP radio using this profile will advertise only this capped maximum EIRP in its radio beacons.
Range: 1-31 dBm

Parameter: cell-size-reduction <cell-size-reduction>
Description: The cell size reduction feature allows you to manage dense deployments and to increase overall system performance and capacity by shrinking an AP's receive coverage area, thereby minimizing co-channel interference and optimizing channel reuse. This value should only be changed if the network is experiencing performance issues. The possible range of values for this feature is 0-55 dB. The default 0 dB reduction allows the radio to retain its current default Rx sensitivity value.
Values from 1 dB - 55 dB reduce the power level that the radio can hear by that amount. If you configure this feature to use a non-default value, you must also reduce the radio's transmission (Tx) power to match its new received (Rx) power level. Failure to match a device's Tx power level to its Rx power level can result in a configuration that allows the radio to send messages to a device that it cannot hear.
Range: 1-55 dB
Default: 0 dB

Parameter: channel
Description: Channel number for the AP 802.11a/802.11n physical layer. The available channels depend on the regulatory domain (country). Channel number configuration options for 20 MHz and 40 MHz modes:
- num: Entering a channel number disables 40 MHz mode and activates 20 MHz mode for the entered channel.
- num+: Entering a channel number with a plus (+) sign selects a primary and secondary channel for 40 MHz mode. The number entered becomes the primary channel and the secondary channel is determined by increasing the primary channel number by 4. Example: 157+ represents 157 as the primary channel and 161 as the secondary channel.
- num-: Entering a channel number with a minus (-) sign selects a primary and secondary channel for 40 MHz mode. The number entered becomes the primary channel and the secondary channel is determined by decreasing the primary channel number by 4. Example: 157- represents 157 as the primary channel and 153 as the secondary channel.
NOTE: 20 MHz clients are allowed to associate when a primary and secondary channel are configured; however, the client will only use the primary channel.
Range: Depends on regulatory domain
Default: --

Parameter: channel-reuse
Description: When you enable the channel reuse feature, it can operate in any of the following three modes: static, dynamic or disable. (This feature is disabled by default.)
- Static mode: This mode of operation is a coverage-based adaptation of the Clear Channel Assessment (CCA) thresholds. In the static mode of operation, the CCA is adjusted according to the configured transmission power level on the AP, so as the AP transmit power decreases as the CCA threshold increases, and vice versa.
- Dynamic mode: In this mode, the Clear Channel Assessment (CCA) thresholds are based on channel loads, and take into account the location of the associated clients. When you set the Channel Reuse This feature is automatically enabled when the wireless medium around the AP is busy greater than half the time. When this mode is enabled, the CCA threshold adjusts to accommodate transmissions between the AP and its most distant associated client.
- Disable mode: This mode does not support the tuning of the CCA Detect Threshold.
Range: enabled disabled
Default: enabled

Parameter: channel-reuse-threshold
Description: RX Sensitivity Tuning Based Channel Reuse Threshold, in -dBm.
If the Rx Sensitivity Tuning Based Channel reuse feature is set to static mode, this parameter manually sets the AP's Rx sensitivity threshold (in -dBm). The AP will filter out and ignore weak signals that are below the channel threshold signal strength.
If the value is set to zero, the feature will automatically determine an appropriate threshold.
Range: Depends on regulatory domain
Default: --

Parameter: clone
Description: Name of an existing radio profile from which parameter values are copied.
Range: --
Default: --


Parameter: csa
Description: Channel Switch Announcement (CSA), as defined by IEEE 802.11h, allows an AP to announce that it is switching to a new channel before it begins transmitting on that channel.
Clients must support CSA in order to track the channel change without experiencing disruption.
Range: --
Default: disabled

Parameter: csa-count
Description: Number of CSA announcements that are sent before the AP begins transmitting on the new channel.
Range: 1-16
Default: 4

Parameter: disable-arm-wids-function
Description: Disables Adaptive Radio Management (ARM) and Wireless IDS functions. These can be disabled if a small increase in packet processing performance is desired. If a radio is configured to operate in Air Monitor mode, then these functions are always enabled irrespective of this option.
CAUTION: Use carefully, since this effectively disables ARM and WIDS.
Range: 1-16
Default: 4

Parameter: dot11h
Description: Enable advertisement of 802.11d (Country Information) and 802.11h (TPC or Transmit Power Control) capabilities. This parameter is disabled by default.
Range: --
Default: disabled

Parameter: high-throughput-enable
Description: Enables high-throughput (802.11n) features on a radio using the 5 GHz frequency band.
Range: --
Default: enabled

Parameter: ht-radio-profile
Description: Name of high-throughput radio profile to use for configuring high-throughput support on the 5 GHz frequency band. See rf ht-radio-profile on page 545.
Range: --
Default: "default-a"

Parameter: interference-immunity
Description: Set a value for 802.11 Interference Immunity. The default setting for this parameter is level 2. When performance drops due to interference from non-802.11 interferers (such as DECT or Bluetooth devices), the level can be increased up to level 5 for improved performance. However, increasing the level makes the AP slightly "deaf" to its surroundings, causing the AP to lose a small amount of range. The levels for this parameter are:
- Level-0: no ANI adaptation.
- Level-1: noise immunity only.
- Level-2: noise and spur immunity. This is the default setting.
- Level-3: level 2 and weak OFDM immunity.
- Level-4: level 3 and FIR immunity.
- Level-5: disable PHY reporting.
NOTE: Do not raise the noise immunity feature's default setting if the channel-reuse-threshold on page 527 feature is also enabled. A level-3 to level-5 Noise Immunity setting is not compatible with the Channel Reuse feature.
Range: Level-0 Level-15
Default: Level-2

Parameter: maximum-distance
Description: Maximum distance between a client and an AP or between a mesh point and a mesh portal, in meters. This value is used to derive ACK and CTS timeout times. A value of 0 specifies default settings for this parameter, where timeouts are only modified for outdoor mesh radios which use a distance of 16km. The upper limit for this parameter varies, depending on the 20/40 MHz mode for a 5 GHz frequency band radio:
- 20MHz mode: 58km
- 40MHz mode: 27km
Note that if you configure a value above the supported maximum, the maximum supported value will be used instead. Values below 600m will use default settings.
Range: 0-57km (40MHz mode), 0-27km (20MHz mode)
Default: 0 meters

Parameter: mgmt-frame-throttle-interval
Description: Averaging interval for rate limiting management frames in seconds. Zero disables rate limiting.
NOTE: This parameter only applies to AUTH and ASSOC/RE-ASSOC management frames.
Range: 0-60
Default: 1 second interval

Parameter: mgmt-frame-throttle-limit
Description: Maximum number of management frames allowed in each throttle interval.
NOTE: This parameter only applies to AUTH and ASSOC/RE-ASSOC management frames.
Range: 0-999999
Default: 20 frames per interval

Parameter: mode
Description: One of the operating modes for the AP.
Default: ap-mode

Parameter: ap-mode
Description: Device provides transparent, secure, high-speed data communications between wireless network devices and the wired LAN.

Parameter: am-mode
Description: Device behaves as an air monitor to collect statistics, monitor traffic, detect intrusions, enforce security policies, balance traffic load, self-heal coverage gaps, etc.

Parameter: spectrum-mode
Description: Device operates as a spectrum monitor, and can send spectrum analysis data to a desktop or laptop client.
This parameter is only available for AP models OAW-AP92, OAW-AP93, OAW-AP105, OAW-AP175, OAW-AP120 Series, and the OAW-AP130 Series.

Parameter: no
Description: Negates any configured parameter.
Range: --
Default: --

Parameter: radio-enable
Description: Enables or disables radio configuration.
Range: --
Default: enabled

Parameter: slb-mode channel|radio
Description: SLB Mode allows control over how to balance clients. Select one of the following options:
- channel: Channel-based load-balancing balances clients across channels. This is the default load-balancing mode.
- radio: Radio-based load-balancing balances clients across APs.
Default: channel

Parameter: slb-update-interval <secs>
Description: Specify how often spectrum load balancing calculations are made (in seconds). The default value is 30 seconds.
Range: 1-2147483647 seconds
Default: 30 seconds

Parameter: spectrum-load-bal-domain
Description: Define a spectrum load balancing domain to manually create RF neighborhoods.
Use this option to create RF neighborhood information for networks that have disabled Adaptive Radio Management (ARM) scanning and channel assignment.
- If spectrum load balancing is enabled in a 802.11a radio profile but the spectrum load balancing domain is not defined, AOS-W uses the ARM feature to calculate RF neighborhoods.
- If spectrum load balancing is enabled in a 802.11a radio profile and a spectrum load balancing domain is also defined, AP radios belonging to the same spectrum load balancing domain will be considered part of the same RF neighborhood for load balancing, and will not recognize RF neighborhoods defined by the ARM feature.
Range: --
Default: --

Parameter: spectrum-load-balancing
Description: The Spectrum Load Balancing feature helps optimize network resources by balancing clients across channels, regardless of whether the AP or the switch is responding to the wireless clients' probe requests.
If enabled, the switch compares whether or not an AP has more clients than its neighboring APs on other channels. If an AP's client load is at or over a predetermined threshold as compared to its immediate neighbors, or if a neighboring Alcatel-Lucent AP on another channel does not have any clients, load balancing will be enabled on that AP. This feature is disabled by default.
NOTE: The spectrum load balancing feature available in AOS-W 3.4.x and later releases completely replaces the AP load balancing feature available in earlier versions of AOS-W. When you upgrade to AOS-W 3.4.x or later, you must manually configure the spectrum load balancing settings, as the AP load balancing feature can no longer be used, and any previous AP load balancing settings will not be preserved.
Range: --
Default: disabled


Parameter: spectrum-monitoring
Description: Issue this command to turn an OAW-AP130 Series AP in ap-mode into a hybrid AP. An AP in hybrid AP mode will continue to serve clients as an access point while it scans and analyzes spectrum analysis data for a single radio channel. For further details on using hybrid APs and spectrum monitors to examine the radio frequency (RF) environment in which the Wi-Fi network is operating, refer to the Spectrum Analysis chapter of the AOS-W User Guide.
Range: --
Default: default

Parameter: spectrum-profile <profile>
Description: Specify the rf spectrum profile used by hybrid APs and spectrum monitors. This profile sets the spectrum band and device ageout times used by a spectrum monitor or hybrid AP radio. For details, see rf spectrum-profile on page 549.
Range: --
Default: default

Parameter: tpc-power
Description: The transmit power advertised in the TPC IE of beacons and probe responses. Range: 0-51 dBm
Range: 0-51 dBm
Default: 15 dBm

Parameter: tx-power
Description: Sets the initial transmit power (dBm) on which the AP operates, unless a better choice is available through either calibration or from RF Plan. This parameter can be set from 0 to 51 in .5 dBm increments, or set to the regulatory maximum value of 127 dBm. Transmission power may be further limited by regulatory domain constraints and AP capabilities.
Range: 0-51 dBm, 127 dBm
Default: 14 dBm

Usage Guidelines
This command configures radios that operate in the 5 GHz frequency band, which includes radios utilizing the IEEE 802.11a or IEEE 802.11n standard. Channels must be valid for the country configured in the AP regulatory domain profile (see ap regulatory-domain-profile on page 148).
To view the supported channels, use the show ap allowed-channels command.
Examples
The following command configures APs to operate in AM mode for the selected dot11a-radio-profile named "samplea":
(host) (config) #rf dot11a-radio-profile samplea
   mode am-mode
The following command configures APs to operate in high-throughput (802.11n) mode on the 5 GHz frequency band for the selected dot11a-radio profile named "samplea" and assigns a high-throughput radio profile named "default-a":
(host) (config) #rf dot11a-radio-profile samplea
   high-throughput-enable
   ht-radio-profile default-a
The following command configures a primary channel number of 157 and a secondary channel number of 161 for 40 MHz mode of operation for the selected dot11a-radio profile named "samplea":
(host) (config) #rf dot11a-radio-profile samplea
   channel <157+>


Command History
Release: Modification
AOS-W 3.0: Command introduced
AOS-W 3.3.2: Introduced support for the high-throughput IEEE 802.11n standard.
AOS-W 3.4: Support for the following parameters:
- Spectrum load balancing
- Spectrum load balancing domain
- RX Sensitivity Tuning Based Channel Reuse
- RX Sensitivity Threshold
- ARM/WIDS Override
AOS-W 3.4.1: The maximum-distance parameter was introduced.
AOS-W 3.4.2: The beacon-regulate parameter was introduced.
AOS-W 6.0: Support for the following parameters:
- am-scan-profile
- cap-reg-eirp
- slb-mode
- slb-update-interval
AOS-W 6.1: The spectrum-monitoring and slb-threshold parameters were introduced.
AOS-W 6.1.3.2: The cell-size-reduction parameter was introduced.

Command Information

Platforms All platforms

Licensing Base operating system

Command Mode Config mode on master switches


rf dot11g-radio-profile
rf dot11g-radio-profile <profile>
   am-scan-profile <profile-name>
   arm-profile <profile>
   beacon-period <milliseconds>
   beacon-regulate
   cap-reg-eirp <cap-reg-eirp>
   cell-size-reduction <cell-size-reduction>
   channel <num|num+|num->
   channel-reuse {static|dynamic|disable}
   channel-reuse-threshold
   clone <profile>
   csa
   csa-count <number>
   disable-arm-wids-function
   dot11b-protection
   dot11h
   high-throughput-enable
   ht-radio-profile <profile>
   interference-immunity
   maximum-distance <maximum-distance>
   mgmt-frame-throttle-interval <seconds>
   mgmt-frame-throttle-limit <number>
   mode {ap-mode|am-mode|spectrum-mode}
   no ...
   radio-enable
   slb-mode channel|radio
   slb-threshold
   slb-update-interval <secs>
   spectrum-load-bal-domain
   spectrum-load-balancing
   spectrum-monitoring
   spectrum-profile
   tpc-power <tpc-power>
   tx-power <dBm>
Description
This command configures AP radio settings for the 2.4 GHz frequency band, including the Adaptive Radio Management (ARM) profile and the high-throughput (802.11n) radio profile.
Syntax

Parameter: <profile>
Description: Name of this instance of the profile. The name must be 1-63 characters.
Range: --
Default: "default"

Parameter: am-scan-profile <profile-name>
Description: Configure an Air Monitor (AM) scanning profile.
Range: --
Default: --

Parameter: arm-profile
Description: Configures Adaptive Radio Management (ARM) feature. See rf arm-profile on page 519.
Range: --
Default: "default"


Parameter: beacon-period
Description: Time, in milliseconds, between successive beacon transmissions. The beacon advertises the AP's presence, identity, and radio characteristics to wireless clients.
Range: 60 (minimum)
Default: 100 milliseconds

Parameter: beacon-regulate
Description: Enabling this setting introduces randomness in the beacon generation so that multiple APs on the same channel do not send beacons at the same time, which causes collisions over the air.
Range: --
Default: disabled

Parameter: cap-reg-eirp <cap-reg-eirp>
Description: Work around a known issue on Cisco 7921G telephones by specifying a cap for a radio's maximum equivalent isotropic radiated power (EIRP). When you enable this parameter, even if the regulatory approved maximum for a given channel is higher than this EIRP cap, the AP radio using this profile will advertise only this capped maximum EIRP in its radio beacons.
Range: 1-31 dBm

Parameter: cell-size-reduction <cell-size-reduction>
Description: The cell size reduction feature allows you to manage dense deployments and to increase overall system performance and capacity by shrinking an AP's receive coverage area, thereby minimizing co-channel interference and optimizing channel reuse. This value should only be changed if the network is experiencing performance issues. The possible range of values for this feature is 0-55 dB. The default 0 dB reduction allows the radio to retain its current default Rx sensitivity value.
Values from 1 dB - 55 dB reduce the power level that the radio can hear by that amount. If you configure this feature to use a non-default value, you must also reduce the radio's transmission (Tx) power to match its new received (Rx) power level. Failure to match a device's Tx power level to its Rx power level can result in a configuration that allows the radio to send messages to a device that it cannot hear.
Range: 1-55 dB
Default: 0 dB

Parameter: clone
Description: Name of an existing radio profile from which parameter values are copied.
Range: --
Default: --

Parameter: csa
Description: Channel Switch Announcement (CSA), as defined by IEEE 802.11h, allows an AP to announce that it is switching to a new channel before it begins transmitting on that channel.
Clients must support CSA in order to track the channel change without experiencing disruption.
Range: --
Default: disabled


Parameter: csa-count
Description: Number of CSA announcements that are sent before the AP begins transmitting on the new channel.
Range: 1-16
Default: 4

Parameter: channel
Description: Channel number for the AP 802.11g/802.11n physical layer. The available channels depend on the regulatory domain (country). Channel number configuration options for 20 MHz and 40 MHz modes:
- num: Entering a channel number disables 40 MHz mode and activates 20 MHz mode for the entered channel.
- num+: Entering a channel number with a plus (+) sign selects a primary and secondary channel for 40 MHz mode. The number entered becomes the primary channel and the secondary channel is determined by increasing the primary channel number by 4. Example: 157+ represents 157 as the primary channel and 161 as the secondary channel.
- num-: Entering a channel number with a minus (-) sign selects a primary and secondary channel for 40 MHz mode. The number entered becomes the primary channel and the secondary channel is determined by decreasing the primary channel number by 4. Example: 157- represents 157 as the primary channel and 153 as the secondary channel.
NOTE: 20 MHz clients are allowed to associate when a primary and secondary channel are configured; however, the client will only use the primary channel.
Range: Depends on regulatory domain
Default: --

Parameter: channel-reuse
Description: When you enable the channel reuse feature, it can operate in any of the following three modes: static, dynamic or disable. (This feature is disabled by default.)
- Static mode: This mode of operation is a coverage-based adaptation of the Clear Channel Assessment (CCA) thresholds. In the static mode of operation, the CCA is adjusted according to the configured transmission power level on the AP, so as the AP transmit power decreases as the CCA threshold increases, and vice versa.
- Dynamic mode: In this mode, the Clear Channel Assessment (CCA) thresholds are based on channel loads, and take into account the location of the associated clients. When you set the Channel Reuse This feature is automatically enabled when the wireless medium around the AP is busy greater than half the time. When this mode is enabled, the CCA threshold adjusts to accommodate transmissions between the AP and its most distant associated client.
- Disable mode: This mode does not support the tuning of the CCA Detect Threshold.
Range: enabled disabled
Default: enabled

Parameter: channel-reuse-threshold
Description: RX Sensitivity Tuning Based Channel Reuse Threshold, in -dBm.
If the Rx Sensitivity Tuning Based Channel reuse feature is set to static mode, this parameter manually sets the AP's Rx sensitivity threshold (in -dBm). The AP will filter out and ignore weak signals that are below the channel threshold signal strength.
If the value is set to zero, the feature will automatically determine an appropriate threshold.
Range: depends on regulatory domain
Default: --

Parameter: disable-arm-wids-function
Description: Disables Adaptive Radio Management (ARM) and Wireless IDS functions. These can be disabled if a small increase in packet processing performance is desired. If a radio is configured to operate in Air Monitor mode, then these functions are always enabled irrespective of this option.
CAUTION: Use carefully, since this effectively disables ARM and WIDS.
Range: 1-16
Default: 4

Parameter: dot11b-protection
Description: Enable or disable protection for 802.11b clients. This parameter is enabled by default. Disabling this feature may improve performance if there are no 802.11b clients on the WLAN.
WARNING: Disabling protection violates the 802.11 standard and may cause interoperability issues. If this feature is disabled on a WLAN with 802.11b clients, the 802.11b clients will not detect an 802.11g client talking and can potentially transmit at the same time, thus garbling both frames.
Range: --
Default: enabled

Parameter: dot11h
Description: Enable advertisement of 802.11d (Country Information) and 802.11h (TPC or Transmit Power Control) capabilities. This parameter is disabled by default.
Range: --
Default: disabled

Parameter: high-throughput-enable
Description: Enables high-throughput (802.11n) features on a radio using the 2.4 GHz frequency band.
Range: --
Default: enabled

Parameter: ht-radio-profile
Description: Name of high-throughput radio profile to use for configuring high-throughput support on the 5 GHz frequency band. See rf ht-radio-profile on page 545.
Range: --
Default: "default-a"


Parameter: interference-immunity
Description: Set a value for 802.11 Interference Immunity. The default setting for this parameter is level 2. When performance drops due to interference from non-802.11 interferers (such as DECT or Bluetooth devices), the level can be increased up to level 5 for improved performance. However, increasing the level makes the AP slightly "deaf" to its surroundings, causing the AP to lose a small amount of range. The levels for this parameter are:
- Level-0: no ANI adaptation.
- Level-1: noise immunity only.
- Level-2: noise and spur immunity. This is the default setting.
- Level-3: level 2 and weak OFDM immunity.
- Level-4: level 3 and FIR immunity.
- Level-5: disable PHY reporting.
NOTE: Do not raise the noise immunity feature's default setting if the channel-reuse-threshold on page 527 feature is also enabled. A level-3 to level-5 Noise Immunity setting is not compatible with the Channel Reuse feature.
Range: Level-0 Level-5
Default: Level-2

Parameter: maximum-distance
Description: Maximum distance between a client and an AP or between a mesh point and a mesh portal, in meters. This value is used to derive ACK and CTS timeout times. A value of 0 specifies default settings for this parameter, where timeouts are only modified for outdoor mesh radios which use a distance of 16km.
The upper limit for this parameter varies, depending on the 20/40 MHz mode for a 2.4GHz frequency band radio:
- 20MHz mode: 54km
- 40MHz mode: 24km
Note that if you configure a value above the supported maximum, the maximum supported value will be used instead. Values below 600m will use default settings.
Range: 0-24km (40MHz mode), 0-54km (20MHz mode)
Default: 0 meters

Parameter: mgmt-frame-throttle-interval
Description: Averaging interval for rate limiting management frames in seconds. Zero disables rate limiting.
NOTE: This parameter only applies to AUTH and ASSOC/RE-ASSOC management frames.
Range: 0-60
Default: 1 second interval

Parameter: mgmt-frame-throttle-limit
Description: Maximum number of management frames allowed in each throttle interval.
NOTE: This parameter only applies to AUTH and ASSOC/RE-ASSOC management frames.
Range: 0-999999
Default: 20 frames per interval

Parameter: mode
Description: One of the operating modes for the AP.
Default: ap-mode


Parameter: ap-mode
Description: Device provides transparent, secure, high-speed data communications between wireless network devices and the wired LAN.

Parameter: am-mode
Description: Device behaves as an air monitor to collect statistics, monitor traffic, detect intrusions, enforce security policies, balance traffic load, self-heal coverage gaps, etc.

Parameter: spectrum-mode
Description: Device operates as a spectrum monitor, and can send spectrum analysis data to a desktop or laptop client.

Parameter: no
Description: Negates any configured parameter.
Range: --
Default: --

Parameter: radio-enable
Description: Enables or disables radio configuration.
Range: --
Default: enabled

Parameter: slb-mode channel|radio
Description: SLB Mode allows control over how to balance clients. Select one of the following options:
- channel: Channel-based load-balancing balances clients across channels. This is the default load-balancing mode.
- radio: Radio-based load-balancing balances clients across APs.
Default: channel

Parameter: slb-threshold
Description: If the spectrum load balancing feature is enabled, this parameter controls the percentage difference between number of clients on a channel that triggers load balancing. The default value is 20%, meaning that spectrum load balancing is activated when there are 20% more clients on one channel than on another channel used by the AP radio.
Range: 1-100%
Default: 20%

Parameter: slb-update-interval <secs>
Description: Specify how often spectrum load balancing calculations are made (in seconds). The default value is 30 seconds.
Range: 1-2147483647 seconds
Default: 30 seconds

Parameter: spectrum-load-bal-domain
Description: Define a spectrum load balancing domain to manually create RF neighborhoods.
Use this option to create RF neighborhood information for networks that have disabled Adaptive Radio Management (ARM) scanning and channel assignment.
- If spectrum load balancing is enabled in a 802.11g radio profile but the spectrum load balancing domain is not defined, AOS-W uses the ARM feature to calculate RF neighborhoods.
- If spectrum load balancing is enabled in a 802.11g radio profile and a spectrum load balancing domain is also defined, AP radios belonging to the same spectrum load balancing domain will be considered part of the same RF neighborhood for load balancing, and will not recognize RF neighborhoods defined by the ARM feature.
Range: --
Default: --

Parameter: spectrum-load-balancing
Description: The Spectrum Load Balancing feature helps optimize network resources by balancing clients across channels, regardless of whether the AP or the switch is responding to the wireless clients' probe requests.
If enabled, the switch compares whether or not an AP has more clients than its neighboring APs on other channels. If an AP's client load is at or over a predetermined threshold as compared to its immediate neighbors, or if a neighboring Alcatel-Lucent AP on another channel does not have any clients, load balancing will be enabled on that AP. This feature is disabled by default.
NOTE: The spectrum load balancing feature available in AOS-W 3.4.x and later releases completely replaces the AP load balancing feature available in earlier versions of AOS-W. When you upgrade to AOS-W 3.4.x or later, you must manually configure the spectrum load balancing settings, as the AP load balancing feature can no longer be used, and any previous AP load balancing settings will not be preserved.
Range: --
Default: disabled

Parameter: spectrum-monitoring
Description: Issue this command to turn an OAW-AP130 Series AP in ap-mode into a hybrid AP. An AP in hybrid AP mode will continue to serve clients as an access point while it scans and analyzes spectrum analysis data for a single radio channel. For further details on using hybrid APs and spectrum monitors to examine the radio frequency (RF) environment in which the Wi-Fi network is operating, refer to the Spectrum Analysis chapter of the AOS-W User Guide.
Range: --
Default: default

Parameter: spectrum-profile <profile>
Description: Specify the rf spectrum profile used by hybrid APs and spectrum monitors. This profile sets the spectrum band and device ageout times used by a spectrum monitor or hybrid AP radio. For details, see rf spectrum-profile on page 549.
Range: --
Default: default

Parameter: tpc-power
Description: The transmit power advertised in the TPC IE of beacons and probe responses. Range: 0-51 dBm
Range: 0-51 dBm
Default: 15 dBm

Parameter: tx-power
Description: Sets the initial transmit power (dBm) on which the AP operates, unless a better choice is available through either calibration or from RF Plan. This parameter can be set from 0 to 51 in .5 dBm increments, or set to the regulatory maximum value of 127 dBm. Transmission power may be further limited by regulatory domain constraints and AP capabilities.
Range: 0-51 dBm, 127 dBm
Default: 14 dBm


Usage Guidelines
This command configures radios that operate in the 2.4 GHz frequency band, which includes radios utilizing the IEEE 802.11b/g or IEEE 802.11n standard. Channels must be valid for the country configured in the AP regulatory domain profile (see ap regulatory-domain-profile on page 148).
To view the supported channels, use the show ap allowed-channels command.
Examples
The following command configures APs to operate in AM mode for the selected dot11g-radio-profile named "sampleg":
rf dot11g-radio-profile sampleg
   mode am-mode
The following command configures APs to operate in high-throughput (802.11n) mode on the 2.4 GHz frequency band for the selected dot11g-radio profile named "sampleg" and assigns a high-throughput radio profile named "default-g":
rf dot11g-radio-profile sampleg
   high-throughput-enable
   ht-radio-profile default-g
The following command configures a primary channel number of 1 and a secondary channel number of 5 for 40 MHz mode of operation for the selected dot11g-radio profile named "sampleg":
rf dot11g-radio-profile sampleg
   channel <1+>
Command History

Release: Modification
AOS-W 3.0: Command introduced
AOS-W 3.3.2: Introduced protection for 802.11b clients and support for the high-throughput IEEE 802.11n standard.
AOS-W 3.4: Support for the following parameters:
- Spectrum load balancing
- Spectrum load balancing domain
- RX Sensitivity Tuning Based Channel Reuse
- RX Sensitivity Threshold
- ARM/WIDS Override
AOS-W 3.4.1: The maximum-distance parameter was introduced.
AOS-W 3.4.2: The beacon-regulate parameter was introduced.
AOS-W 6.0: Support for the following parameters:
- am-scan-profile
- cap-reg-eirp
- slb-mode
- slb-update-interval
AOS-W 6.1: The spectrum-monitoring and slb-threshold parameters were introduced.
AOS-W 6.1.3.2: The cell-size-reduction parameter was introduced.


Command Information

Platforms All platforms

Licensing Base operating system

Command Mode Config mode on master switches
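
Several radio-profile settings described above bear directly on intrusion detection and management-frame flooding, so a saved configuration can be checked for them mechanically. The Python sketch below is an added example, not part of this guide or of AOS-W; it assumes a profile line followed by indented parameter lines (as in the Examples above), that interference-immunity takes its level as a trailing number, and that "no dot11b-protection" turns protection off. The sample configuration and the finding labels are constructed.

```python
import re

# Constructed sample, not taken from the guide. Assumed layout: a profile line
# followed by indented parameter lines, as in the guide's own examples.
SAMPLE_CONFIG = """\
rf dot11a-radio-profile samplea
   channel 157+
   disable-arm-wids-function
   mgmt-frame-throttle-interval 0
   interference-immunity 4
   channel-reuse static
rf dot11g-radio-profile sampleg
   mode am-mode
   disable-arm-wids-function
   no dot11b-protection
   channel 1+
   cell-size-reduction 10
"""

PROFILE_RE = re.compile(r'^rf (dot11[ag])-radio-profile\s+"?([^"\s]+)"?\s*$')
CHANNEL_RE = re.compile(r"^(\d+)([+-]?)$")


def parse_profiles(text):
    """Return {(band, name): {param: value}}.

    A bare flag is stored as True, "no <param>" as False, anything else as
    the argument string.
    """
    profiles, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        header = PROFILE_RE.match(line)
        if header:
            current = profiles.setdefault(header.groups(), {})
        elif current is not None and raw[:1].isspace():
            words = line.split()
            if words[0] == "no" and len(words) > 1:
                current[words[1]] = False
            else:
                current[words[0]] = " ".join(words[1:]) or True
        else:
            current = None  # unrelated top-level command ends the profile
    return profiles


def channel_pair(token):
    """Expand the guide's num / num+ / num- notation to (primary, secondary)."""
    m = CHANNEL_RE.match(token)
    if not m:
        raise ValueError(f"not a channel token: {token!r}")
    primary = int(m.group(1))
    offset = {"": None, "+": 4, "-": -4}[m.group(2)]
    return primary, (None if offset is None else primary + offset)


def audit(profiles):
    """Return (profile, finding) pairs for settings the guide cautions about."""
    findings = []
    for (band, name), p in sorted(profiles.items()):
        where = f"{band}:{name}"
        # ARM and WIDS stay enabled in Air Monitor mode regardless of the flag.
        if p.get("disable-arm-wids-function") is True and p.get("mode") != "am-mode":
            findings.append((where, "wids-disabled"))
        # Zero disables rate limiting of AUTH and ASSOC/RE-ASSOC frames.
        if p.get("mgmt-frame-throttle-interval") == "0":
            findings.append((where, "mgmt-frame-throttle-off"))
        # Level-3 to Level-5 is not compatible with the Channel Reuse feature.
        level = re.search(r"(\d+)$", str(p.get("interference-immunity", "")))
        if level and int(level.group(1)) >= 3 and p.get("channel-reuse") in ("static", "dynamic"):
            findings.append((where, "immunity-vs-channel-reuse"))
        # Disabling 802.11b protection violates the 802.11 standard.
        if band == "dot11g" and p.get("dot11b-protection") is False:
            findings.append((where, "dot11b-protection-off"))
        # A non-default Rx reduction needs a matching Tx power setting.
        csr = p.get("cell-size-reduction")
        if csr not in (None, False, "0") and "tx-power" not in p:
            findings.append((where, "cell-size-reduction-without-tx-power"))
    return findings


if __name__ == "__main__":
    parsed = parse_profiles(SAMPLE_CONFIG)
    for key, params in parsed.items():
        if isinstance(params.get("channel"), str):
            print(key, "channel", channel_pair(params["channel"]))
    for where, finding in audit(parsed):
        print(where, finding)
```

The second profile sets disable-arm-wids-function but is not flagged for it, because the guide states that ARM and WIDS remain enabled on a radio in Air Monitor mode.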


rf event-thresholds-profile
rf event-thresholds-profile <profile>
   bwr-high-wm <percent>
   bwr-low-wm <percent>
   clone <profile>
   detect-frame-rate-anomalies
   fer-high-wm <percent>
   fer-low-wm <percent>
   ffr-high-wm <percent>
   ffr-low-wm <percent>
   flsr-high-wm <percent>
   flsr-low-wm <percent>
   fnur-high-wm <percent>
   fnur-low-wm <percent>
   frer-high-wm <percent>
   frer-low-wm <percent>
   frr-high-wm <percent>
   frr-low-wm <percent>
   no ...
Description
This command configures the event thresholds profile.
Syntax

Parameter: <profile>
Description: Name of this instance of the profile. The name must be 1-63 characters.
Range: --
Default: "default"

Parameter: bwr-high-wm
Description: If bandwidth in an AP exceeds this value, a bandwidth exceeded condition exists. The value represents the percentage of maximum for a given radio. (For 802.11b, the maximum bandwidth is 7 Mbps. For 802.11 a and g, the maximum is 30 Mbps.) The recommended value is 85%.
Range: 0-100
Default: 0%

Parameter: bwr-low-wm
Description: After a bandwidth exceeded condition exists, the condition persists until bandwidth drops below this value. The recommended value is 70%.
Range: 0-100
Default: 0%

Parameter: clone
Description: Name of an existing radio profile from which parameter values are copied.
Range: --
Default: --

Parameter: detect-frame-rate-anomalies
Description: Enables or disables detection of frame rate anomalies.
Range: --
Default: disabled

Parameter: fer-high-wm
Description: If the frame error rate (as a percentage of total frames in an AP) exceeds this value, a frame error rate exceeded condition exists. The recommended value is 16%.
Range: 0-100
Default: 0%

542 | rf event-thresholds-profile

AOS-W 6.2 | Reference Guide

Parameter fer-low-wm ffr-high-wm ffr-low-wm flsr-high-wm
flsr-low-wm fnur-high-wm
fnur-low-wm frer-high-wm frer-low-wm frr-high-wm frr-low-wm no

Description

Range

After a frame error rate exceeded condition exists, the condition persists until the frame error rate drops below this value. The recommended value is 8%.

0-100

If the frame fragmentation rate (as a percentage of total frames in an AP) exceeds this value, a frame fragmentation rate exceeded condition exists. The recommended value is 16%.

0-100

After a frame fragmentation rate exceeded condition exists, the condition persists until the frame fragmentation rate drops below this value. The recommended value is 8%.

0-100

If the rate of low-speed frames (as a percentage of total frames in an AP) exceeds this value, a lowspeed rate exceeded condition exists. This could indicate a coverage hole. The recommended value is 16%.

0-100

After a low-speed rate exceeded condition exists, the condition persists until the percentage of lowspeed frames drops below this value. The recommended value is 8%.

0-100

If the non-unicast rate (as a percentage of total frames in an AP) exceeds this value, a nonunicast rate exceeded condition exists. This value depends upon the applications used on the network.

0-100

After a non-unicast rate exceeded condition exists, the condition persists until the non-unicast rate drops below this value.

0-100

If the frame receive error rate (as a percentage of total frames in an AP) exceeds this value, a frame receive error rate exceeded condition exists. The recommended value is 16%.

0-100

After a frame receive error rate exceeded condition exists, the condition persists until the frame receive error rate drops below this value. The recommended value is 8%.

0-100

If the frame retry rate (as a percentage of total frames in an AP) exceeds this value, a frame retry rate exceeded condition exists. The recommended value is 16%.

0-100

After a frame retry rate exceeded condition exists, the condition persists until the frame retry rate drops below this value. The recommended value is 8%.

0-100

Negates any configured parameter.

--

Default 0% 16% 8% 16%
8% 0%
0% 16% 8% 16% 8% --


Usage Guidelines
The event threshold profile configures Received Signal Strength Indication (RSSI) metrics. When certain RF parameters are exceeded, these events can signal excessive load on the network, excessive interference, or faulty equipment. This profile and many of the detection parameters are disabled (value is 0) by default.
Example
The following command configures an event threshold profile:
(host) (config) #rf event-thresholds-profile et1
   detect-frame-rate-anomalies
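Each high/low watermark pair in this profile acts as hysteresis: the condition is raised above the high value and held until the rate drops below the low value. The following Python example is added here to show that behaviour and is not AOS-W code; the WatermarkPair class, the sample retry rates, and treating 0 as "check disabled" are assumptions made for the illustration.

```python
"""Added illustration of the high/low watermark behaviour described for
rf event-thresholds-profile. Not AOS-W code; the sample rates are constructed."""
from dataclasses import dataclass


@dataclass
class WatermarkPair:
    """A <name>-high-wm / <name>-low-wm pair, both in percent (0-100)."""
    name: str
    high: int
    low: int
    exceeded: bool = False

    def __post_init__(self):
        for value in (self.high, self.low):
            if not 0 <= value <= 100:
                raise ValueError(f"{self.name}: {value} is outside the 0-100 range")
        if self.low > self.high:
            raise ValueError(f"{self.name}: low watermark is above high watermark")

    def update(self, rate):
        """Feed one rate sample; return 'raised', 'cleared' or None."""
        if self.high == 0:
            # Assumption: 0 leaves the check disabled, following the usage
            # guidelines ("disabled (value is 0) by default").
            return None
        if not self.exceeded and rate > self.high:
            self.exceeded = True
            return "raised"
        if self.exceeded and rate < self.low:
            self.exceeded = False
            return "cleared"
        return None


def transitions(pair, samples):
    """Return (sample index, rate, event) for every state change."""
    events = []
    for index, rate in enumerate(samples):
        event = pair.update(rate)
        if event:
            events.append((index, rate, event))
    return events


# Constructed frame retry rates (percent of total frames) for one AP.
RETRY_RATES = [10, 15, 17, 14, 18, 12, 9, 7, 12, 17]

if __name__ == "__main__":
    # Recommended frr-high-wm 16 / frr-low-wm 8 versus a pair with no gap.
    print("16/8 :", transitions(WatermarkPair("frr", high=16, low=8), RETRY_RATES))
    print("16/16:", transitions(WatermarkPair("frr", high=16, low=16), RETRY_RATES))
```

With the recommended 16/8 pair the constructed series produces three state changes; with high and low both at 16 the same series produces five, which is the alert flapping the gap between the two values is there to prevent.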
Command History
This command was introduced in AOS-W 3.0.
Command Information

Platforms: All platforms
Licensing: Base operating system
Command Mode: Config mode on master switches


rf ht-radio-profile
rf ht-radio-profile <profile>
   40MHz-intolerance
   clone <profile>
   diversity-spreading-workaround
   honor-40MHz-intolerance
   no
Description
This command configures high-throughput AP radio settings. High-throughput features use the IEEE 802.11n standard.
Syntax

<profile>
    Name of this instance of the profile. The name must be 1-63 characters.
    Default Options:
    - "Default-a" is generally used in association with high-throughput devices running on the 5 GHz frequency band, see rf dot11a-radio-profile on page 525.
    - "Default-g" is generally used in association with high-throughput devices running on the 2.4 GHz frequency band, see rf dot11g-radio-profile on page 533.
    - "Default" is generally used when the same ht-radio-profile is desired for use with both frequency bands.
    Range: --
    Default: default-a, default-g, default

40MHz-intolerance
    Controls whether or not APs using this radio profile will advertise intolerance of 40 MHz operation. By default, 40 MHz operation is allowed.
    Range: --
    Default: disabled

clone
    Name of an existing high-throughput radio profile from which parameter values are copied.
    Range: --
    Default: --

honor-40MHz-intolerance
    When enabled, the radio will stop using the 40 MHz channels if the 40 MHz intolerance indication is received from another AP or station.
    Range: --
    Default: enabled

no
    Negates any configured parameter.
    Range: --
    Default: --

diversity-spreading-workaround
    When this feature is enabled, all legacy transmissions will be sent using a single antenna. This enables interoperability for legacy or high-throughput stations that cannot decode 802.11n cyclic shift diversity (CSD) data.
    This feature is disabled by default and should be kept disabled unless necessary.
    Default: disabled


Usage Guidelines
The ht-radio-profile configures high-throughput settings for networks utilizing the IEEE 802.11n standard, which supports 40 MHz channels and operates in both the 2.4 GHz and 5 GHz frequency bands.
Most transmissions to high throughput (HT) stations are sent through multiple antennas using cyclic shift diversity (CSD). When you enable the single-chain-legacydisable-diversity-spreading parameter, CSD is disabled and only one antenna transmits data, even if the data is being sent to high-throughput stations. Use this feature to turn off antenna diversity when the AP must support legacy clients such as Cisco 7921g VoIP phones, or older 802.11g clients (e.g. Intel Centrino clients). Note, however, that enabling this feature can reduce overall throughput rates.
The ht-radio-profile you wish to use must be assigned to a dot11a and/or dot11g-radio-profile. You can assign the same profile or different profiles to the 2.4 GHz and 5 GHz frequency bands. See rf dot11a-radio-profile on page 525 and rf dot11g-radio-profile on page 533.
Example
The following command configures an ht-radio-profile named "default-g" and enables 40MHz-intolerance:
(host) (config) #rf ht-radio-profile default-g
   40MHz-intolerance
Command History

AOS-W 3.0: Command introduced
AOS-W 3.3.2: Support for the dsss-cck-40mhz parameter was removed
AOS-W 3.4: Introduced the single-chain-legacy parameter.
AOS-W 6.2: The single-chain-legacy parameter was renamed to diversity-spreading-workaround.

Command Information

Platforms: All platforms, but operates with IEEE 802.11n compliant devices only
Licensing: Base operating system
Command Mode: Config mode on master switches


rf optimization-profile
rf optimization-profile <profile-name>
   clone <profile>
   handoff-assist
   low-rssi-threshold <number>
   no ...
   rssi-check-frequency <number>
   rssi-falloff-wait-time <seconds>
Description
This command configures the RF optimization profile.
Syntax

<profile-name>
    Name of this instance of the profile. The name must be 1-63 characters.
    Range: --
    Default: "default"

clone
    Name of an existing optimization profile from which parameter values are copied.
    Range: --
    Default: --

handoff-assist
    Allows the switch to force a client off an AP when the RSSI drops below a defined minimum threshold.
    Range: --
    Default: disabled

low-rssi-threshold
    Minimum RSSI, above which deauth should never be sent.
    Range: 1-255
    Default: 0

no
    Negates any configured parameter.
    Range: --
    Default: --

rssi-check-frequency
    Interval, in seconds, to sample RSSI.
    Range: 9-255
    Default: 0 seconds

rssi-falloff-wait-time <seconds>
    Time, in seconds, to wait with decreasing RSSI before deauth is sent to the client. The maximum value is 8 seconds.
    Range: 0-8
    Default: 0 seconds

Example
The following command configures an RF optimization profile:
(host) (config) #rf optimization-profile Angela1
(host) (RF Optimization Profile "Angela1") #rssi-falloff-wait-time 3
(host) (RF Optimization Profile "Angela1") #rssi-check-frequency 2
Command History

AOS-W 3.0: Command introduced
AOS-W 3.4: The following parameters were deprecated:
- ap-lb-max-retries <number>
- ap-lb-user-high-wm <percent>
- ap-lb-user-low-wm <percent>
- ap-lb-util-high-wm <percent>
- ap-lb-util-low-wm <percent>
- ap-lb-util-wait-time <seconds>
- ap-load-balancing
Use the command rf dot11a-radio-profile spectrum-load-balancing and rf dot11g-radio-profile spectrum-load-balancing to enable the spectrum load balancing feature.
AOS-W 5.0: The following parameters were deprecated:
- coverage-hole-detection hole-detection-interval
- hole-good-rssi-threshold
- hole-good-sta-ageout
- hole-idle-sta-ageout
- hole-poor-rssi-threshold
AOS-W 6.0: The following parameters were deprecated:
- detect-association-failure
- detect-interference
- hole-detection-interval
- hole-good-rssi-threshold
- hole-good-sta-ageout
- hole-idle-sta-ageout
- hole-poor-rssi-threshold
- interference-baseline
- interference-exceed-time
- interference-threshold

Command Information

Platforms: All platforms
Licensing: Base operating system
Command Mode: Config mode on master switches


rf spectrum-profile
rf spectrum-profile <profile-name>
   age-out audio|bluetooth|cordless-ff-phone|cordless-fh-base|cordless-fh-network|generic-ff|generic-fh|microwave|microwave-inverter|unknown|video|wifi|xbox
   clone <source>
   no ...
Description
Define the device ageout times used by a spectrum monitor, or hybrid AP radio.
Syntax

age-out
    Use the age-out parameter to define the number of seconds for which a specific device type must stop sending a signal before the spectrum monitor considers that device no longer active on the network.

audio
    Audio devices.
    Range: 5-65535 seconds
    Default: 10 sec

bluetooth
    Bluetooth devices. Note that this setting is applicable to 2.4GHz spectrum monitor radios only.
    Range: 5-65535 seconds
    Default: 25 sec

cordless-ff-phone
    Cordless phone fixed frequency devices.
    Range: 5-65535 seconds
    Default: 10 sec

cordless-fh-base
    Cordless base frequency hopper devices.
    Range: 5-65535 seconds
    Default: 240 sec

cordless-fh-network
    Cordless network frequency hopper devices.
    Range: 5-65535 seconds
    Default: 60 sec

generic-ff
    Generic fixed frequency devices.
    Range: 5-65535 seconds
    Default: 10 sec

generic-fh
    Generic frequency hopper devices.
    Range: 5-65535 seconds
    Default: 25 sec

generic-interferer
    Range: 5-65535 seconds
    Default: 30 sec

microwave
    Microwaves. Note that this setting is applicable to 2.4GHz spectrum monitor radios only.
    Range: 5-65535 seconds
    Default: 15 sec

microwave-inverter
    Inverter-type microwaves. Note that this setting is applicable to 2.4GHz spectrum monitor radios only.
    Range: 5-65535 seconds
    Default: 15 sec

video
    Video devices.
    Range: 5-65535 seconds
    Default: 60 sec


Parameter wifi xbox
clone <source> no

Description
WIFI devices.
Xbox consoles. Note that this setting is applicable to 2.4GHz spectrum monitor radios only.
Make a copy of an existing spectrum profile.
Remove a spectrum profile or negate a configured parameter.

Range
5-65535 seconds
5-65535 seconds

Default 600 sec 25 sec
600 sec

Usage Guidelines
The Spectrum Analysis software module provides visibility into RF coverage, allowing you to troubleshoot RF interference and identify the 802.11 devices on the network. APs that gather spectrum data are called Spectrum Monitors, or SMs, and reference a spectrum profile that determines the band monitored by that SM radio. Note that you can only convert a radio on an AP model OAW-RAP5WN, OAW-AP105, OAW-AP175, OAW-AP120 Series, OAW-AP130 Series or OAW-AP90 Series to a spectrum monitor, and only the OAW-AP105, OAW-AP175, OAW-AP120 Series, OAW-AP130 Series or OAW-AP90 Series can be configured as a hybrid AP. The spectrum analysis feature is not supported by any other AP model. Use this profile to modify default device ageout times for spectrum monitors and hybrid APs using this profile.
Example
The following command creates the spectrum profile spectrum2.
(host) (config) #rf spectrum-profile spectrum2
Related Commands
show rf spectrum-profile
Command History

AOS-W 6.0: Command introduced
AOS-W 6.2: The spectrum-band parameter was deprecated. The following default ageout times were changed:
- cordless-fh-base default timeout is 240 seconds (was 25 sec in previous releases)
- cordless-fh-network default timeout is 60 sec (was 10 sec in previous releases)
- generic-interferer default timeout is 30 sec (was 25 sec in previous releases)
- video default timeout is 60 sec (was 10 sec in previous releases)

Command Information

Platforms: All platforms
Licensing: RF Protect license
Command Mode: Config mode on master and local switches


router mobile
router mobile
Description
This command enables Layer-3 (IP) mobility.
Syntax
No parameters.
Usage Guidelines
IP mobility is disabled by default on the switch. You need to use this command to enable IP mobility. This command must be executed on all switches (master and local) that need to provide support for layer-3 roaming in a mobility domain. You can disable IP mobility in a virtual AP profile with the wlan virtual-ap command (IP mobility is enabled by default in a virtual AP profile).
Example
This command enables IP mobility:
(host) (config) #router mobile
Command History

AOS-W 3.0: Command introduced

Command Information

Platforms: All platforms
Licensing: Base operating system
Command Mode: Config mode on master switches


router ospf
router ospf
   area <area-id>
      default-cost <cost>
      nssa [default-information no-redistribution | no-summary]
      stub [no-summary]
   default-information originate always
   redistribute vlan [<vlan-ids> | add <vlan-ids> | remove <vlan-ids>]
   router-id <rtr-id>
   subnet exclude <addr> <mask>
Description
Global OSPF configuration for the upstream router.
Syntax

area <area-id>
    Enter the keyword area followed by the area identification, in dotted decimal format, to configure an OSPF area.

default-cost <cost>
    Set the summary cost of an NSSA/stub area (in route metric). Range: 0 to 16777215

nssa
    Set an area as an NSSA.

default-information-originate
    Originate Type 7 default into the NSSA area.

no-redistribution
    Set the NSSA area for no distribution into this NSSA area.

no-summary
    Do not send summary LSA into this NSSA area.

stub [no-summary]
    Set an area as a Total Stub Area and optionally do not send summary LSA into this area.

default-information originate always
    Control distribution of default information by distributing a default route.

redistribute vlan <vlan-ids>
    Redistribute the vlan user subnet.

add <vlan-ids>
    Add the user VLANs to the list.

remove <vlan-ids>
    Remove user VLANs from the list.

router-id <rtr-id>
    Enter the router ID in IP address format.

subnet exclude <addr> <mask>
    Specify the subnet that OSPF will not advertise. Enter the subnet and mask address in dotted decimal format (A.B.C.D).

Usage Guidelines
OSPFv2 is a dynamic Interior Gateway routing Protocol (IGP) based on IETF RFC 2328. The AOS-W implementation of OSPF allows switches to deploy effectively in a Layer 3 topology. For more detailed information, refer to the OSPF Chapter in the AOS-W User Guide.


Example
By default OSPF will advertise all the user VLAN subnet addresses in the router LSA (Link-State Advertisement). To control the OSPF advertisement, execute the following command:
(host) (config) # router ospf subnet exclude 75.1.1.0 255.255.0.0
With the above command, any user VLAN subnet matching 75.1/16 will not be advertised in the router LSA. To return to the default advertisement, execute the command:
(host) (config) # no router ospf subnet exclude 75.1.1.0 255.255.0.0
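The exclusion in the example is written as 75.1.1.0 with mask 255.255.0.0, yet the text says it matches 75.1/16, so the mask decides the scope. The Python example below is added here to show that and is not AOS-W code; the VLAN table is constructed, and the rule that a user VLAN subnet "matches" when it lies inside the excluded network is an assumption about how the switch compares them.

```python
"""Added illustration: which user VLAN subnets a 'router ospf subnet exclude'
line keeps out of the router LSA. Not AOS-W code; VLAN data is constructed."""
import ipaddress

PREFIX = ["router", "ospf", "subnet", "exclude"]


def parse_exclude(line):
    """Turn 'router ospf subnet exclude <addr> <mask>' into an IPv4Network."""
    command = line.split("#", 1)[-1].split()   # drop a '(host) (config) #' prompt
    if command[:4] != PREFIX or len(command) != 6:
        raise ValueError(f"not a subnet exclude command: {line!r}")
    addr, mask = command[4:]
    # strict=False clears host bits, so 75.1.1.0 with 255.255.0.0 becomes
    # 75.1.0.0/16. A non-contiguous mask raises ValueError.
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def split_advertisement(vlan_subnets, excludes):
    """Return (advertised, suppressed) dicts of VLAN id -> network.

    Assumption: a VLAN subnet matches an exclusion when it is contained in
    the excluded network.
    """
    advertised, suppressed = {}, {}
    for vlan_id, cidr in vlan_subnets.items():
        net = ipaddress.ip_network(cidr)
        if any(net.subnet_of(excluded) for excluded in excludes):
            suppressed[vlan_id] = net
        else:
            advertised[vlan_id] = net
    return advertised, suppressed


# Constructed user VLAN subnets for the illustration.
USER_VLANS = {
    10: "75.1.1.0/24",     # the subnet the operator had in mind
    20: "75.1.200.0/24",   # also inside 75.1/16, so also suppressed
    30: "75.2.1.0/24",     # outside 75.1/16, still advertised
    40: "10.3.29.0/24",    # unrelated subnet, still advertised
}

if __name__ == "__main__":
    rule = parse_exclude(
        "(host) (config) # router ospf subnet exclude 75.1.1.0 255.255.0.0")
    advertised, suppressed = split_advertisement(USER_VLANS, [rule])
    print("exclusion covers:", rule)
    print("suppressed VLANs:", sorted(suppressed))
    print("advertised VLANs:", sorted(advertised))
```

Running the same check against the planned VLAN list before and after a change shows whether a subnet meant to stay internal would still appear in the router LSA.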
Related Commands

show ip ospf: View OSPF configuration

Command History
AOS-W 3.4: Command introduced
AOS-W 6.0: Added the options: area, default-cost, nssa, and default-information originate always

Command Information

Platforms: All Platforms
Licensing: Base operating system
Command Mode: Configuration Mode (config)


service
service [dhcp] [network-storage] [print-server]
Description
This command enables the DHCP server on the switch.
Syntax

dhcp
    Enables the DHCP server
    Default: disabled

network-storage
    Enables the NAS service
    Default: disabled

print-server
    Enables the printer service
    Default: disabled

Usage Guidelines
You can enable and configure DHCP, DHCPv6, network-storage or print server in the switch to provide the following:
- DHCP: IP addresses to wireless clients if an external DHCP server is not available.
- Network-storage: To provide access to the storage devices attached to the switch.
- Printer-server: To provide access to printers attached to the switch.
Example
The following command enables the DHCP server in the switch:
(host) (config) #service dhcp
The following command enables the NAS services in the switch:
(host) (config) #service network-storage
The following command enables the printer services in the switch:
(host) (config) #service print-server
Command History
The DHCP command was introduced in AOS-W 3.0. The network-storage and print-server options were introduced in AOS-W 3.4.
Command Information

Platforms: All platforms
Licensing: Base operating system
Command Mode: Config mode on master switches


show local-cert-mac
show local-cert-mac tag <mac>
Description
Display the IP, MAC address and certificate configuration of local switches in a master-local configuration.
Syntax

tag <tag>
    IP address of the local switch or MAC address of the local switch certificate.

Usage Guidelines
By default the output of this command shows each local switch's IP and MAC address and the type of certificate used by those local switches (Custom or Factory). Use the optional tag parameter to display information for a single switch only.

Example

The output of this command shows that two local switches have a custom certificate installed.

(host) # show local-cert-mac

Local Switches configured by Local Certificate
-----------------------------------------------
Switch IP of the Local  MAC address of the Local Certificate  Cert-Type  CA cert
----------------------  ------------------------------------  ---------  -------
10.4.62.3               0B:86:F0:12:AC:15
10.4.62.5               00:0B:86:F0:05:60                     Custom     Undefined

The output of this command includes the following information:

Switch IP of the Local
    IP address of the local switch

MAC address of the Local Certificate
    MAC address of the certificate on the local switch

Cert-Type
    Type of certificate used by the local switch.
    - Custom: User-installed, custom certificate
    - Factory: Factory-installed certificate

CA Cert
    Name of the Certificate Authority (CA) certificate.


Related Commands

local-factory-cert
    This command configures the factory-installed certificate for secure communication between a local switch and a master switch.
    Mode: Enable or Config mode on master switches.

local-custom-cert
    This command configures a custom certificate for secure communication between a local switch and a master switch.
    Mode: Enable or Config mode on master or local switches.

Command History
Available in AOS-W 6.1
Command Information

Platforms: All platforms
Licensing: Base operating system
Command Mode: Config or Enable mode on master or local switches


show remote-node-dhcp-pool
show remote-node-dhcp-pool <remote-node-profile-name>
Description
The output of this command shows Remote Node DHCP pool summary information.
Syntax

remote-node-profile-name
    Name of the Remote Node profile

Usage Guidelines
Each Remote Node profile contains a Remote Node DHCP address pool, which defines a range of IP addresses allocated for Remote Node switches at a remote site, and the VLAN to be associated with those addresses. A remote-node DHCP pool is configured in the remote-node mode.
Use the show remote-node-dhcp-pool command to view a summary of Remote Node address pool information.

Example
This example shows a summary of Remote Node DHCP address pool information.
(host) #show remote-node-dhcp-pool pool1

Remote Node Address Pools
--------------------------------------
Pool Name  Type  Start IP Address  End IP Address  Domain Name  Num Hosts
---------  ----  ----------------  --------------  -----------  ---------

The output of this command includes the following parameters:

Pool Name
    Name of the new DHCP pool.

Type
    Type of pool. This can be tunnel or vlan.

Start IP Address
    IP addresses at the start and end of the Remote Node's address range, in dotted-decimal format.

End IP Address
    IP address at the end of the Remote Node's address range, in dotted-decimal format.

Domain Name
    The DHCP domain name.

Num Hosts
    Maximum number of hosts supported by a Remote Node using this pool.

Related Commands
remote-node-profile
    The remote-node-profile command lets you create a Remote Node profile.
    Mode: Config mode


Command History
AOS-W 6.0: Command introduced

Command Information

Platforms: All platforms
Licensing: Base operating system
Command Mode: Enable mode on master and local switches


show remote-node-profile
show remote-node-profile
Description
The output of this command shows Remote Node profile configuration information.
Syntax

remote-node-profile-name
    Name of the Remote Node profile

Usage Guidelines
The show remote-node-profile command shows the configuration status of a Remote Node profile. To create a Remote Node profile, use the remote-node-profile command.

Example
This example shows the configuration status of Remote Node profile named "test."

(host) #show remote-node-profile ?
<remote-node-profile-name>   Profile name
|                            Output Modifiers
<cr>

(host) #show remote-node-profile test
.......Vlan interface not configured for the controller-ip vlan.
.......No uplink information has been configured.

remote-node-profile test
   remote-node-dhcp-pool newpool pool-type tunnel 0 domain-name mycorp.com range startip 0.0.0.0 endip 0.0.0.0 hosts 1
!
!
Related Commands

remote-node-profile
    The remote-node-profile command lets you create a Remote Node profile.
    Mode: Config mode

Command History
AOS-W 6.0: Command introduced

Command Information

Platforms: All platforms
Licensing: Base operating system
Command Mode: Enable mode on master and local switches


show remote-node

Description
Shows configuration and other information about the remote node.
Syntax

config <mac-address>
    Shows configuration information for the remote node.

dhcp-instance <mac-address>
    Shows the remote node address pool information including pool name, DHCP pool start IP address, DHCP pool mask, DHCP pool broadcast IP address, and the DHCP pool gateway IP address.

license-usage
    Shows the remote node AP license usage information including the remote node MAC address, IP address and the AP, PEF and RF Protect licenses along with the last time the licenses were updated.

running-config <mac-address>
    Shows the running configuration for this remote node

Usage Guidelines
Issue this command to display configuration, DHCP pool information, license usage information and running configuration information for a remote node.
Examples
This example shows a remote node configuration.
(host) #show remote-node config 00:0b:86:f0:26:e0
controller-ip vlan 2
vlan 2
vlan 3
interface fastethernet "1/7"
interface fastethernet "1/7" switchport access vlan 3
interface fastethernet "1/7" trusted
interface fastethernet "1/2"
interface fastethernet "1/2" switchport access vlan 2
interface fastethernet "1/2" trusted
interface fastethernet "1/3"
interface fastethernet "1/3" switchport access vlan 2
interface fastethernet "1/3" trusted
interface fastethernet "1/1"
interface fastethernet "1/1" switchport access vlan 2
interface fastethernet "1/1" trusted
interface vlan 3
interface vlan 3 ip address 10.3.29.79 255.255.255.0
interface vlan 2
interface vlan 2 ip address 192.167.1.1 255.255.255.240
uplink wired vlan 4
interface tunnel 1
interface tunnel 1 tunnel destination remote-node-master-ip
ip route 10.100.102.217 255.255.255.255 10.3.29.254
ip route 10.100.102.173 255.255.255.255 10.3.29.254
ip route 10.1.1.41 255.255.255.255 10.3.29.254
mgmt-user "admin" "root" "ade8c0d3890aa97914d926120279aef2"
service dhcp
ip dhcp pool vlanx domain-name mycorp.com
ip dhcp pool vlanx
ip dhcp pool vlanx default-router 192.167.1.1
ip dhcp pool vlanx dns-server 192.167.1.1
ip dhcp pool vlanx network 192.167.1.0 255.255.255.240
remote-node config-id 32

This example shows remote node AP license usage information.
(host) #show remote-node license-usage

Remote Node AP License Usage (license limit: 65)
------------------------------------------------
MAC Address        IP Address   AP Lic. Used  PEF Lic. Used  RF Protect Lic. Used  Last update (secs. ago)
-----------        ----------   ------------  -------------  --------------------  -----------------------
00:0b:86:f0:26:e0  192.167.1.1  0             0              0                     2

Related Commands

remote-node-profile
    Use this command to create a Remote Node profile.
    Mode: Enable and Config modes

remote-node-localip
    Use this command to configure the switch-IP address and preshared key for the local Remote Node on a master Remote Node.
    Mode: Enable and Config modes

remote-node-masterip
    Use this command to configure the IP address and preshared key for the master Remote Node on a local Remote Node.
    Mode: Enable and Config modes

Command History
AOS-W 6.0: Command introduced

Command Information

Platforms: All platforms
Licensing: Base operating system
Command Mode: Enable or config mode on master and local switches


show aaa authentication all
show aaa authentication all
Description
Show authentication statistics for your switch, including authentication methods, successes and failures.
Usage Guidelines
This command displays a general overview of authentication statistics. To view authentication information for specific profiles such as a captive-portal, MAC or 802.1x authentication profile, issue the commands specific to those features.
Example
The output of this command displays an authentication overview for your switch, including the authentication methods used, and the numbers of successes or failures for each method. This example shows the numbers of authentication successes and failures for a switch using TACACS+ and RADIUS authentication methods.

(host) #show aaa authentication all

Auth Method Statistics
----------------------
Method  Success  Failures
------  -------  --------
tacacs  12       2
Radius  9

Command History
This command was introduced in AOS-W 3.0.

Command Information

Platforms: All platforms
Licensing: Base operating system
Command Mode: Enable or Config mode on master and local switches


show aaa authentication captive-portal
show aaa authentication captive-portal [<profile-name>]
Description
This command shows configuration information for captive portal authentication profiles.
Syntax

<profile-name>
    The name of an existing captive portal authentication profile.

Usage Guidelines
Issue this command without the <profile-name> parameter to display the entire Captive Portal Authentication profile list, including profile status and the number of references to each profile. Include a profile name to display detailed configuration information for that profile.
If you do not yet have any captive portal authentication profiles defined, use the command aaa authentication captive-portal to configure your captive portal profiles.
Examples
This first example shows that there are three configured captive portal profiles in the Captive Profile Authentication Profile List. The References column lists the number of other profiles with references to a captive portal authentication profile, and the Profile Status column indicates whether the profile is predefined. User-defined profiles will not have an entry in the Profile Status column.

(host) #show aaa authentication captive-portal

Captive Portal Authentication Profile List
------------------------------------------
Name        References  Profile Status
----        ----------  --------------
c-portal    2
remoteuser  1
portal1     1

Total: 4
Include a captive portal profile name to display a complete list of configuration settings for that profile. The example below shows settings for the captive portal profile portal1.

Captive Portal Authentication Profile "portal1"
-----------------------------------------------
Parameter                                      Value
---------                                      -----
Default Role                                   guest
Default Guest Role                             guest
Server Group                                   default
Redirect Pause                                 10 sec
User Login                                     Enabled
Guest Login                                    Disabled
Logout popup window                            Enabled
Use HTTP for authentication                    Disabled
Logon wait minimum wait                        5 sec
Logon wait maximum wait                        10 sec
logon wait CPU utilization threshold           60 %
Max Authentication failures                    0
Show FQDN                                      Disabled
Use CHAP (non-standard)                        Disabled
Login page                                     /auth/index.html
Welcome page                                   /auth/welcome.html
Show Welcome Page                              Yes
Add switch IP address in the redirection URL   Disabled
Adding user vlan in redirection URL            Disabled
Add a switch interface in the redirection URL  N/A
Allow only one active user session             Disabled
White List                                     N/A
Black List                                     N/A
Show the acceptable use policy page            Disabled

The output of this command includes the following parameters:

Parameter

Description

Default Role

Role assigned to the captive portal user upon login.

Default Guest Role

Guest role assigned to the captive portal user upon login.

Server Group

Name of the group of servers used to authenticate captive portal users.

Redirect Pause

Time, in seconds, that the system remains in the initial welcome page before redirecting the user to the final web URL. If set to 0, the welcome page displays until the user clicks on the indicated link.

User Login

Shows whether the profile has enabled or disabled captive portal with authentication of user credentials.

Guest Login

Shows whether the profile has enabled or disabled captive portal guest login without authentication.

Logout popup window

Shows whether the profile has enabled or disabled a pop-up window that allows a user to log out. If this is disabled, the user remains logged in until the user timeout period has elapsed or the station resets.

Use HTTP for authentication

Shows whether the profile has enabled or disabled the ability to use the HTTP protocol to redirect users to the captive portal page.

Logon wait minimum wait

Minimum time, in seconds, the user will have to wait for the logon page to pop up if the CPU load is high.

Logon wait maximum wait

Maximum time, in seconds, the user will have to wait for the logon page to pop up if the CPU load is high.

logon wait CPU utilization threshold

CPU utilization percentage above which the logon wait interval is applied when directing a captive portal user with the logon page.

Max Authentication failures

Maximum number of authentication failures before the user is blacklisted.

Show FQDN

If enabled, the user can see and select the fully-qualified domain name (FQDN) on the captive portal login page.

Authentication Protocol

This parameter specifies the type of authentication required by this profile. PAP is the default authentication type.

Login page

URL of the page that appears for the user logon.

Welcome page

URL of the page that appears after logon and before the user is redirected to the web URL.

Add switch IP address in the redirection URL

If enabled, this option sends the switch's IP address in the redirection URL when external captive portal servers are used. An external captive portal server can determine the switch from which a request originated by parsing the 'switchip' variable in the URL.

Adding user vlan in redirection URL

Shows the user's VLAN ID sent in the redirection URL, if enabled.

Add a switch interface in the redirection URL

Shows the IP address of a switch interface added to the redirection URL, if enabled.

Allow only one active user session

If enabled, only one active user session is allowed at any time. This feature is disabled by default.

White List

Shows the configured white list on an IPv4 or IPv6 network destination. The white list contains authenticated websites that a guest can access.

Black List

Shows the configured black list on an IPv4 or IPv6 network destination. The black list contains websites (unauthenticated) that a guest cannot access.

Show the acceptable use policy page

If enabled, the captive portal page will show the acceptable use policy page before the user logon page. This feature is disabled by default.

Related Commands

Command: aaa authentication captive-portal
Description: Use aaa authentication captive-portal to configure the parameters displayed in the output of this show command.
Mode: Config mode

Command History
This command was introduced in AOS-W 3.0.

Version

Description

AOS-W 3.0

Command introduced.

AOS-W 6.1

The sygate-on-demand parameter was deprecated, and the white-list and black-list parameters were added.

AOS-W 6.2

The Authentication Protocol parameter was added, and the Use CHAP parameter was deprecated.

Command Information

Platforms: All platforms
Licensing: Base operating system
Command Mode: Enable or Config mode on master or local switches

show aaa authentication captive-portal customization
show aaa authentication captive-portal customization <profile-name>
Description
Display customization settings for a captive portal profile.
Syntax

Parameter: <profile-name>
Description: The name of an existing captive portal authentication profile.

Usage Guidelines
This command shows how a captive portal profile has been customized with non-default configuration settings. If you do not yet have any captive portal authentication profiles defined, use the command aaa authentication captive-portal to configure your captive portal profiles.
Example
The output of the following command shows how the captive portal profile c-portal has been customized. If an individual parameter has not been changed from its default settings, its value entry will be blank.

(host) #show aaa authentication captive-portal customization c-portal

Captive-Portal Customization
----------------------------
Parameter                     Value
---------                     -----
Login page design theme       3
Login page logo image
Login page text URL           /flash/upload/custom/ssu-guest-cp/logintext.html
Login policy text URL         /upload/custom/ssu-guest-cp/acceptableusepolicy.html
Custom page background color
Custom page background image  /uplo

The output of this command includes the following parameters:

Parameter

Description

Login page design theme

Indicates whether the switch is using one of the two predefined login page designs (1 or 2) or has a custom background (3).

Login page logo image

Path and filename for a custom captive portal logo. This option is only available if the switch has a predefined login design.

Login page text

Path and filename of the page that appears for the user logon.

Login policy text

Path and filename of the page that displays user policy text.

Custom page background color

Hexadecimal value for a custom background color. This option is only available if the switch has a custom login page design theme.

Custom page background image

Path and filename for a custom JPEG captive portal background image. This option is only available if the switch has a custom login page design theme.


Related Commands

Command: aaa authentication captive-portal
Description: If you do not yet have any captive portal profiles defined, use the command aaa authentication captive-portal to configure your captive portal profiles.
Mode: Config mode

Command History
This command was introduced in AOS-W 3.0.
Command Information

Platforms: All platforms
Licensing: Base operating system
Command Mode: Enable or Config mode on master or local switches

show aaa authentication dot1x
show aaa authentication dot1x [<profile-name>|countermeasures]
Description
This command shows information for 802.1X authentication profiles.
Syntax

Parameter

Description

<profile-name>

The name of an existing 802.1X authentication profile.

countermeasures

Reports if WPA/WPA2 Countermeasures have been enabled for 802.1X profiles. If enabled, the AP scans for message integrity code (MIC) failures in traffic received from clients.

Usage Guidelines
Issue this command without the <profile-name> or countermeasures options to display the entire 802.1X Authentication profile list, including profile status and the number of references to each profile. Include a profile name to display detailed dot1x authentication configuration information for that profile. The countermeasures option indicates whether the 802.1X profiles have been configured for WPA/WPA2 countermeasures. If countermeasures have not been configured, the output for this command will be blank.
Examples
The following example lists all dot1x authentication profiles. The References column lists the number of other profiles with references to an 802.1X authentication profile, and the Profile Status column indicates whether the profile is predefined. User-defined 802.1X profiles will not have an entry in the Profile Status column.

(host) #show aaa authentication dot1x

802.1X Authentication Profile List
----------------------------------
Name         References  Profile Status
----         ----------  --------------
default      2
default-psk  1           Predefined (editable)
dot1x        5
dot1xtest    0

Total:4
To display a complete list of parameters for an individual profile, include the <profile-name> parameter. The example below displays some of the profile details for the authentication profile pDot1x.

(host) #show aaa authentication dot1x pDot1x

802.1X Authentication Profile "pDot1x"
--------------------------------------
Parameter                                      Value
---------                                      -----
Max authentication failures                    0
Enforce Machine Authentication                 Disabled
Machine Authentication: Default Machine Role   guest
Machine Authentication Cache Timeout           24 hrs
Blacklist on Machine Authentication Failure    Disabled
Machine Authentication: Default User Role      guest
Interval between Identity Requests             30 sec
Quiet Period after Failed Authentication       30 sec
Reauthentication Interval                      86400 sec
Use Server provided Reauthentication Interval  Disabled
Multicast Key Rotation Time Interval           1800 sec
Unicast Key Rotation Time Interval             900 sec
...

The output of the show aaa authentication dot1x command includes the following parameters:

Parameter

Value

Max authentication failures

Number of times a user can try to log in with wrong credentials after which the user is blacklisted as a security threat. Blacklisting is disabled if this parameter is set to 0.

Enforce Machine Authentication

Shows if machine authentication is enabled or disabled for Windows environments. If enabled, either the machine-default-role or the user-default-role is assigned to the user, depending on which authentication is successful.

Machine Authentication: Default Machine Role

Default role assigned to the user after completing only machine authentication.

Machine Authentication Cache Timeout

The timeout period, in hours, for machine authentication. After this period passes, the user will have to re-authenticate.

Blacklist on Machine Authentication Failure

If enabled, the client is blacklisted if machine authentication fails.

Machine Authentication: Default User Role

Default role assigned to the user after 802.1X authentication.

Interval between Identity Requests

Interval, in seconds, between identity request retries.

Quiet Period after Failed Authentication

Interval, in seconds, following failed authentication.

Reauthentication Interval

Interval, in seconds, between reauthentication attempts.

Use Server provided Reauthentication Interval

If enabled, 802.1X authentication will use the server-provided reauthentication period.

Multicast Key Rotation Time Interval

Interval, in seconds, between multicast key rotations.

Unicast Key Rotation Time Interval

Interval, in seconds, between unicast key rotations.

Authentication Server Retry Interval

Server group retry interval, in seconds.

Authentication Server Retry Count

The number of server group retries.

Framed MTU

Shows the framed MTU attribute sent to the authentication server.

Number of times ID-Requests are retried

Maximum number of times ID requests are sent to the client.

Maximum Number of Reauthentication Attempts

Maximum number of reauthentication attempts.

Maximum number of times Held State can be bypassed

Number of consecutive authentication failures which, when reached, causes the switch to not respond to authentication requests from a client while the switch is in a held state after the authentication failure.

Dynamic WEP Key Message Retry Count

Number of times unicast/multicast EAPOL key messages are sent to the client.

Dynamic WEP Key Size

Dynamic WEP key size, either 40 or 128 bits.

Interval between WPA/WPA2 Key Messages

Interval, in milliseconds, between each WPA key exchange.

Delay between EAP-Success and WPA2 Unicast Key Exchange

Show the delay interval between EAP-Success and unicast key exchanges, in msec. Range: 0-2000msec. Default: 0 (no delay).

Delay between WPA/WPA2 Unicast Key and Group Key Exchange

Interval, in milliseconds, between unicast and multicast key exchanges.

Time interval after which the PMKSA will be deleted

Show the PMKSA cache interval. Time interval in Hours. Range: 1-2000. Default: 8 hrs.

WPA/WPA2 Key Message Retry Count

Number of times WPA/WPA2 key messages are retried.

Multicast Key Rotation

Shows if multicast key rotation is enabled or disabled.

Unicast Key Rotation

Shows if unicast key rotation is enabled or disabled.

Reauthentication

If enabled, this option forces the client to do a 802.1X reauthentication after the expiration of the default timer for reauthentication. (The default value of the timer is 24 hours.)

Opportunistic Key Caching

If enabled, a cached pairwise master key (PMK) is derived with a client and an associated AP and used when the client roams to a new AP.

Validate PMKID

Shows if the Validate PMKID feature is enabled or disabled. When this option is enabled, the client must send a PMKID in the associate or reassociate frame to indicate that it supports OKC; otherwise, full 802.1X authentication takes place. (This feature is optional, since most clients that support OKC do not send the PMKID in their association request.)

Use Session Key

If enabled, the switch will use a RADIUS session key as the unicast WEP key.

Use Static Key

If enabled, the switch will use a static key as the unicast/multicast WEP key.

xSec MTU

Shows the size of the MTU for xSec.

Termination

Shows if 802.1X termination is enabled or disabled on the switch.

Termination EAP-Type

Shows the current Extensible Authentication Protocol (EAP) method, either EAP-PEAP or EAP-TLS.

Termination Inner EAP-Type

When EAP-PEAP is the EAP method, this parameter displays the inner EAP type.

Enforce Suite-B 128 bit or more security level Authentication

Shows if Suite-B 128 bit or more security level authentication enforcement is enabled or disabled.

Enforce Suite-B 192 bit security level Authentication

Shows if Suite-B 192 bit or more security level authentication enforcement is enabled or disabled.

Token Caching

If this feature is enabled (and EAP-GTC is configured as the inner EAP method), token caching allows the switch to cache the username and password of each authenticated user.

Token Caching Period

Timeout period, in hours, for the cached information.

CA-Certificate

Name of the CA certificate for client authentication loaded in the switch.

Server-Certificate

Name of the Server certificate used by the switch to authenticate itself to the client.

TLS Guest Access

Shows if guest access for valid EAP-TLS users is enabled or disabled.

TLS Guest Role

User role assigned to EAP-TLS guest.

Ignore EAPOL-START after authentication

If enabled, the switch ignores EAPOL-START messages after authentication.

Handle EAPOL-Logoff

Shows if handling of EAPOL-LOGOFF messages is enabled or disabled.

Ignore EAP ID during negotiation

If enabled, the switch will ignore EAP IDs during negotiation.

WPA-Fast-Handover

Shows if WPA-fast-handover is enabled or disabled. This feature is only applicable for phones that support WPA.

Disable rekey and reauthentication for clients on call

Shows if the rekey and reauthentication features for voice-over-WLAN clients have been enabled or disabled.

Check certificate common name against AAA server

If enabled, this parameter verifies that the certificate's common name exists in the server. This parameter is disabled by default dot1x profiles.
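The parameter table above lends itself to an automated review of saved CLI output. The following Python code is an added example, not part of the AOS-W guide: it parses one Parameter/Value listing and reports values that the descriptions above associate with weaker authentication (for instance, Max authentication failures set to 0 disables blacklisting). The sample listing is constructed, and the assumption is that the two columns are separated by two or more spaces.

```python
import re

# Constructed sample modelled on "show aaa authentication dot1x <profile-name>";
# it was not captured from a switch.
SAMPLE = """\
(host) #show aaa authentication dot1x pDot1x

802.1X Authentication Profile "pDot1x"
--------------------------------------
Parameter                                         Value
---------                                         -----
Max authentication failures                       0
Machine Authentication: Default Machine Role      guest
Machine Authentication Cache Timeout              24 hrs
Reauthentication Interval                         86400 sec
Reauthentication                                  Enabled
Use Static Key                                    Enabled
CA-Certificate
Check certificate common name against AAA server  Disabled
"""

# (parameter name in lower case, value that is reported, meaning per the table above)
CHECKS = [
    ("max authentication failures", "0",
     "blacklisting after failed logins is disabled"),
    ("use static key", "enabled",
     "a static key is used as the unicast/multicast WEP key"),
    ("check certificate common name against aaa server", "disabled",
     "the certificate common name is not verified against the server"),
    ("reauthentication", "disabled",
     "clients are not forced to reauthenticate when the timer expires"),
]

# Matches the dashed rulers under the title and under the column headers.
RULER = re.compile(r"^-+(\s+-+)*$")


def parse_profile(text):
    """Return (title, {parameter: value}) for one Parameter/Value listing.

    Parameter names contain single spaces and colons, and a value may be
    blank, so each row is split once on a run of two or more spaces
    (assumed column separator) rather than on any whitespace.
    """
    title, params, in_body = None, {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or RULER.match(line):
            continue
        cells = re.split(r"\s{2,}", line, maxsplit=1)
        if not in_body:
            if cells == ["Parameter", "Value"]:
                in_body = True
            elif not line.startswith("("):  # skip the "(host) #..." prompt line
                title = line
            continue
        if cells[0] == "...":  # the guide truncates long listings this way
            continue
        params[cells[0]] = cells[1] if len(cells) == 2 else ""
    return title, params


def audit(params):
    """Return (parameter, value, meaning) for every CHECKS entry that matches."""
    by_name = {name.lower(): (name, value) for name, value in params.items()}
    findings = []
    for key, flagged, meaning in CHECKS:
        name, value = by_name.get(key, (None, None))
        if name is not None and value.lower() == flagged:
            findings.append((name, value, meaning))
    return findings


if __name__ == "__main__":
    profile_title, profile_params = parse_profile(SAMPLE)
    print(profile_title)
    for name, value, meaning in audit(profile_params):
        print(f"  {name} = {value}: {meaning}")
```

Names are compared without regard to case because the guide's listings capitalise the same parameter differently across profile types.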

Related Commands
Command: aaa authentication dot1x
Description: If you do not yet have any 802.1X authentication profiles defined, use the command aaa authentication dot1x to configure your 802.1X profiles.
Mode: Config mode

Command History
Version

Description

AOS-W 3.0

Command introduced.

AOS-W 6.1

The Check certificate common name against AAA server, Enforce Suite-b-128 and Enforce Suite-b-192 parameters were introduced.

Command Information

Platforms: All platforms
Licensing: Base operating system
Command Mode: Enable or Config mode on master or local switches

show aaa authentication mac
show aaa authentication mac [<profile-name>]

Description
This command shows information for MAC authentication profiles. Issue this command without the <profile-name> option to display the entire MAC Authentication profile list, including profile status and the number of references to each profile. Include a profile name to display detailed MAC authentication configuration information for that profile.

Syntax

Parameter: <profile-name>
Description: The name of an existing MAC authentication profile.

Examples
The output of the example below shows two MAC authentication profiles, default and macProfile1, which are referenced three times by other profiles. The Profile Status columns are blank, indicating that these profiles are both user-defined. (If a profile is predefined, the value Predefined appears in the Profile Status column.)

(host) #show aaa authentication dot1x pDot1x

802.1X Authentication Profile "pDot1x"
--------------------------------------
Parameter                                      Value
---------                                      -----
Max authentication failures                    0
Enforce Machine Authentication                 Disabled
Machine Authentication: Default Machine Role   guest
Machine Authentication Cache Timeout           24 hrs
Blacklist on Machine Authentication Failure    Disabled
Machine Authentication: Default User Role      guest
Interval between Identity Requests             30 sec
Quiet Period after Failed Authentication       30 sec
Reauthentication Interval                      86400 sec
Use Server provided Reauthentication Interval  Disabled
Multicast Key Rotation Time Interval           1800 sec
Unicast Key Rotation Time Interval             900 sec
...

The following example displays configuration details for the MAC authentication profile "MacProfile1," including the delimiter and case used in the authentication request, and the maximum number of times a client can fail to authenticate before it is blacklisted.

(host) #show aaa authentication mac MacProfile1

MAC Authentication Profile "MacProfile1"
----------------------------------------
Parameter                    Value
---------                    -----
Delimiter                    colon
Case                         upper
Max Authentication failures  3

Related Commands
Command: aaa authentication mac
Description: Configure MAC authentication values on your switch.
Mode: Config mode

Command History
This command was introduced in AOS-W 3.0.
Command Information

Platforms: All platforms
Licensing: Base operating system
Command Mode: Enable or Config mode on master or local switches

show aaa authentication mgmt
show aaa authentication mgmt
Description
This command displays administrative user authentication information, including management authentication roles and servers.
Usage Guidelines
Issue this command to identify the default management role assigned to authenticated administrative users, and the name of the group of servers used to authenticate these users.
Example
The output of the following example displays management authentication information for your switch.

(host) #show aaa authentication mgmt

Management Authentication Profile
---------------------------------
Parameter     Value
---------     -----
Default Role  root
Server Group  ServerGroup1
Enable        Enabled

The output of the show aaa authentication mgmt command includes the following parameters:

Parameter

Description

Default Role

This parameter shows which of the following roles the switch uses for authentication management.
- root, the super user role (default).
- guest-provisioning, guest provisioning role.
- network-operations, network operator role.
- read-only, read only role.
- location-api-mgmt, location API management role.
- no-access, no commands are accessible.

Server Group

The name of a server group.

Enable

The Enable parameter indicates whether or not this feature is enabled or disabled.

Related Commands

Command: aaa authentication mgmt
Description: Configure management authentication settings.
Mode: Config mode

Command History
Version

Description

AOS-W 3.0

Command introduced.

AOS-W 6.1

The Mode parameter in the command output was renamed Enable.

Command Information

Platforms: All platforms
Licensing: Base operating system
Command Mode: Enable or Config mode on master or local switches

show aaa authentication stateful-dot1x
show aaa authentication stateful-dot1x [config-entries]
Description
This command displays configuration settings for 802.1X authentication for clients on non-Alcatel-Lucent APs.
Syntax

Parameter: config-entries
Description: Display details for the AP Server configuration list.

Usage Guidelines
Issue this command to identify the default role assigned to the 802.1X user group, name of the group of RADIUS servers used to authenticate the 802.1X users, and the 802.1X authentication timeout period, in seconds.

Example
The output of the following example displays 802.1X authentication information for your switch.

(host) #show aaa authentication stateful-dot1x

Stateful 802.1X Authentication Profile
--------------------------------------
Parameter     Value
---------     -----
Default Role  guest
Server Group  newgroup2
Timeout       10 sec
Mode          Enabled

The output of this command includes the following parameters:

Parameter

Description

Default Role

This parameter shows which role the switch uses for 802.1X authentication management.

Server Group

The name of a server group.

Timeout

Timeout period for an authentication request, in seconds.

Mode

The Mode parameter indicates whether or not this feature is enabled or disabled.

When you include the config-entries parameter, the output shows the AP-Server Configuration List.

(host) #show aaa authentication stateful-dot1x config-entries

AP-Server Configuration List
----------------------------
Cfg-Name  AP-IP      Server   Shared-Secret
--------  -----      ------   -------------
cfg22     10.3.14.6  RADIUS1  secret-pwd

The output of this command includes the following parameters:

Parameter

Description

Cfg-Name

An auto-generated name.

AP-IP

IP address of the AP.

Server

Name of the authentication server.

Shared-Secret

Shared authentication secret.

Related Commands

Command: aaa authentication stateful-dot1x
Description: Use the command aaa authentication stateful-dot1x to configure the settings displayed in the output of this show command.
Mode: Config mode

Command History
This command was introduced in AOS-W 3.0.
Command Information

Platforms: All platforms
Licensing: Base operating system
Command Mode: Enable or Config mode on master or local switches

show aaa authentication stateful-ntlm
show aaa authentication stateful-ntlm
Description
This command displays configuration settings for the Stateful NTLM Authentication profile. Issue this command without the <profile-name> option to display the entire Stateful NTLM Authentication profile list, including profile status and the number of references to each profile. Include a profile name to display detailed Stateful NTLM authentication configuration information for that profile.
Syntax

Parameter: <profile-name>
Description: The name of an existing Stateful NTLM authentication profile.

Usage Guidelines
Issue this command to identify the default role assigned to users who have successfully authenticated using the NT LAN Manager (NTLM) authentication protocol, the name of the group of Windows servers used to authenticate these users, and the NTLM authentication timeout period, in seconds.

Examples
The output of the example below shows two stateful NTLM authentication profiles, default and NTLMprofile1, which are each referenced one time by other profiles. The Profile Status columns are blank, indicating that these profiles are both user-defined. (If a profile is predefined, the value Predefined appears in the Profile Status column.)

(host) #show aaa authentication stateful-ntlm

Stateful NTLM Authentication Profile List
-----------------------------------------
Name          References  Profile Status
----          ----------  --------------
default       1
NTLMprofile1  1

Total:2

The following example displays configuration details for the stateful NTLM authentication profile "default".

(host) #show aaa authentication stateful-ntlm default

Stateful NTLM Authentication Profile "default"
----------------------------------------------
Parameter     Value
---------     -----
Default Role  guest
Server Group  default
Mode          Disabled
Timeout       10 sec

The output of this command includes the following parameters:

Parameter

Description

Default Role

This parameter shows the role assigned to NTLM authenticated users.

Server Group

The name of a Windows server group.

Mode

The Mode parameter indicates whether or not this authentication profile is enabled or disabled.

Timeout

Timeout period for an authentication request, in seconds.

Related Commands

Command: aaa authentication stateful-ntlm
Description: Use the command aaa authentication stateful-ntlm to configure the settings displayed in the output of this show command.

Command History
This command was introduced in AOS-W 3.4.1.
Command Information

Platforms: All platforms
Licensing: Base operating system
Command Mode: Enable or Config mode on master or local switches

show aaa authentication via auth-profile
show aaa authentication via auth-profile [<profile-name>]
Description
This command displays configuration settings for the VIA Authentication profile. Issue this command without the <profile-name> option to display the entire VIA Authentication profile list, including profile status and the number of references to each profile. Include a profile name to display detailed VIA authentication configuration information for that profile.
Syntax

Parameter: <profile-name>
Description: The name of an existing VIA authentication profile.

Usage Guidelines
Issue this command without the <profile-name> parameter to display the entire VIA Authentication profile list, including profile status and the number of references to each profile. Include a profile name to display detailed configuration information for that profile.
If you do not yet have any VIA authentication profiles defined, use the command aaa authentication via auth-profile to configure your VIA authentication profiles.
Examples
This first example shows that there are three configured captive portal profiles in the Captive Profile Authentication Profile List. The References column lists the number of other profiles with references to a VIA authentication profile, and the Profile Status column indicates whether the profile is predefined. User-defined profiles will not have an entry in the Profile Status column.

(host) #show aaa authentication via auth-profile

VIA Authentication Profile List
-------------------------------
Name     References  Profile Status
----     ----------  --------------
default  0
via1     2
via2     1

Total:3
Include a VIA authentication profile name to display a complete list of configuration settings for that profile. The example below shows settings for the VIA authentication profile via1.

VIA Authentication Profile "via1"
---------------------------------
Parameter                    Value
---------                    -----
Default Role                 default-via-role
Server Group                 internal
Max Authentication failures  2
Description                  VIA config for the MV office

The output of this command includes the following parameters:

Parameter

Description

Default Role

Role assigned to the captive portal user upon login.

Server Group

Name of the group of servers used to authenticate captive portal users.

Max Authentication failures

Maximum number of authentication failures before the user is blacklisted.

Description

Description of the VIA authentication profile.

Related Commands

Command: aaa authentication via auth-profile
Description: Use aaa authentication via auth-profile to configure the parameters displayed in the output of this show command.
Mode: Config mode

Command History
This command was introduced in AOS-W 5.0.
Command Information

Platforms: All platforms
Licensing: Base operating system
Command Mode: Enable or Config mode on master or local switches

show aaa authentication via connection-profile
show aaa authentication via connection-profile [<profile-name>]
Description
This command displays configuration settings for the VIA connection profile. Issue this command without the <profile-name> option to display the entire VIA Connection profile list, including profile status and the number of references to each profile. Include a profile name to display detailed VIA connection configuration information for that profile.
Syntax

Parameter: <profile-name>
Description: The name of an existing VIA connection profile.

Usage Guidelines
Issue this command without the <profile-name> parameter to display the entire VIA connection profile list, including profile status and the number of references to each profile. Include a profile name to display detailed configuration information for that profile.
If you do not yet have any VIA connection profiles defined, use the command aaa authentication via connection-profile to configure your VIA connection profiles.
Examples
This first example shows that there are three configured connection profiles in the Captive Profile Authentication Profile List. The References column lists the number of other profiles with references to a VIA connection profile, and the Profile Status column indicates whether the profile is predefined. User-defined profiles will not have an entry in the Profile Status column.

(host) #show aaa authentication via connection-profile

VIA Connection Profile List
---------------------------
Name          References  Profile Status
----          ----------  --------------
connection_1  3
connection_2  1
default       0

Total:3

Include a connection profile name to display a complete list of configuration settings for that profile. The example below shows settings for the captive portal profile connection_1.

VIA Connection Profile "default"
--------------------------------
Parameter                                         Value
---------                                         -----
VIA Servers                                       N/A
Client Auto-Login                                 Enabled
VIA Authentication Profiles to provision          N/A
Allow client to auto-upgrade                      Enabled
VIA tunneled networks                             N/A
Enable split tunneling                            Disabled
VIA Client WLAN profiles                          N/A
Allow client side logging                         Enabled
VIA IKE V2 Policy                                 Default
VIA IKE Policy                                    Default
Use Windows Credentials                           Enabled
Enable IKEv2                                      Disabled
Use Suite B Cryptography                          Disabled
IKEv2 Authentication method                       user-cert
VIA IPSec V2 Crypto Map                           default-ikev2-dynamicmap/10000
VIA IPSec Crypto Map                              default-dynamicmap/10000
Allow user to save passwords                      Enabled
Enable Supplicant                                 Disabled
Enable FIPS Module                                Disabled
Auto-launch Supplicant                            Disabled
Lockdown All Settings                             Disabled
Domain Suffix in VIA Authentication               Disabled
Enable Controllers Load Balance                   Disabled
Enable Domain Pre-connect                         Enabled
VIA Banner Message Reappearance Timeout(minutes)  60
VIA Client Network Mask                           255.255.255.255
Validate Server Certificate                       Enabled
VIA Client DNS Suffix List                        N/A
VIA max session timeout                           1440 min
VIA Logon Script                                  N/A
VIA Logoff Script                                 N/A
VIA Support E-Mail Address                        N/A
Maximum reconnection attempts                     3
VIA external download URL                         N/A
Allow user to disconnect VIA                      Enabled
Content Security Gateway URL                      N/A
Comma seperated list of HTTP ports to be inspected (apart from default port 80)  N/A
Enable Content Security Services                  Disabled
Keep VIA window minimized                         Disabled
Block traffic until VPN tunnel is up              Disabled
Block traffic rules                               N/A

The output of this command includes the following parameters:

Configuration Option

Description

VIA servers

Displays the following information about the VIA server:
- Switch Hostname/IP Address: This is the public IP address or the DNS hostname of the VIA switch. Users will connect to the remote server using this IP address or the hostname.
- Switch Internal IP Address: This is the IP address of any VLAN interface that belongs to this switch.
- Switch Description: This is a human-readable description of the switch.

Client Auto-Login

Enable or disable VIA client to auto login and establish a secure connection to the switch. Default: Enabled

VIA Authentication Profiles to provision

This is the list of VIA authentication profiles that will be displayed to users in the VIA client.

Allow client to auto-upgrade

Enable or disable VIA client to automatically upgrade when an updated version of the client is available on the switch. Default: Enabled

VIA tunneled networks

A list of network destination (IP address and netmask) that the VIA client will tunnel through the switch. All other network destinations will be reachable directly by the VIA client.

Enable split-tunneling

Enable or disable split tunneling.
- If enabled, all traffic to the VIA tunneled networks will go through the switch and the rest is just bridged directly on the client.
- If disabled, all traffic will flow through the switch.
Default: off

Allow client-side logging

Enable or disable client side logging. If enabled, VIA client will collect logs that can be sent to the support email-address for troubleshooting. Default: Enabled

VIA Client WLAN profiles

A list of VIA client WLAN profiles that need to be pushed to the client machines that use Windows Zero Config (WZC) to configure or manage their wireless networks.

VIA IKEv2 Policy

A list of IPsec crypto maps that the VIA client uses to connect to the switch. These IPsec Crypto Maps are configured in the CLI using the crypto-local ipsec-map <ipsec-map-name> command.

VIA IKE Policy

List of IKE policies that the VIA Client has to use to connect to the switch.

Use Windows Credentials

Enable or disable the use of the Windows credentials to login to VIA. If enabled, the SSO (Single Sign-on) feature can be utilized by remote users to connect to internal resources. Default: Enabled

Enable IKEv2

Select this option to enable or disable the use of IKEv2 policies for VIA.

Use Suite B Cryptography

Select this option to use Suite B cryptography methods. You must install the Advanced Cryptography license to use the Suite B cryptography.

IKEv2 Authentication method

List of all IKEv2 authentication methods.

VIA IPSec V2 Crypto Map

List of all IPSec V2 that the VIA client uses to connect to the switch.

VIA IPsec Crypto Map

List of IPsec Crypto Map that the VIA client uses to connect to the switch. These IPsec Crypto Maps are configured in CLI using the crypto-local ipsec-map <ipsec-map-name> command.

Allow user to save passwords

Enable or disable users to save passwords entered in VIA. Default: Enabled

Enable Supplicant

If enabled, VIA starts in bSec mode using L2 suite-b cryptography. This option is disabled by default.

Enable FIPS Module

Shows if the VIA FIPS (Federal Information Processing Standard) module is enabled, so VIA checks for FIPS compliance during startup. This option is disabled by default.

Auto-Launch Supplicant

Select this option to automatically connect to a configured WLAN network.

Lockdown All Settings

If enabled, all user options on the VIA client are disabled.

Domain Suffix in VIA Authentication

Enables a domain suffix on VIA Authentication, so client credentials are sent as domainname\username instead of just username.

Enable Switches Load Balance

This option allows the VIA client to fail over to the next available switch, selected randomly from the list configured in the VIA Servers option. If disabled, VIA will fail over to the next switch in the ordered list of VIA Servers.

Enable Domain Pre-Connect

This option allows users with lost or expired passwords to establish a VIA connection to corporate network. This option authenticates the user's device and establishes a VIA connection that allows users to reset credentials and continue with corporate access.

VIA Banner Reappearance Timeout

The maximum time (in minutes) allowed before the VIA login banner reappears. Default: 1440 min

VIA Client Network Mask

The network mask that has to be set on the client after the VPN connection is established. Default: 255.255.255.255

Validate Server Certificate

Enable or disable VIA from validating the server certificate presented by the switch. Default: Enabled

VIA Client DNS Suffix List

The DNS suffix list (comma separated) that has to be set on the client once the VPN connection is established. Default: None.

VIA max session timeout

The maximum time (minutes) allowed before the VIA session is disconnected. Default: 1440 min

VIA Logon Script

Name of the logon script that must be executed after VIA establishes a secure connection. The logon script must reside in the client computer.

VIA Logoff Script

Name of the log-off script that must be executed after the VIA connection is disconnected. The logoff script must reside in the client computer.

VIA Support E-mail Address

The support e-mail address to which VIA users will send client logs. Default: None.

Maximum reconnection attempts

The maximum number of re-connection attempts by the VIA client due to authentication failures. Default: 3

VIA external download URL

End users will use this URL to download VIA on their computers.

Allow user to disconnect VIA

Enable or disable users to disconnect their VIA sessions. Default: Enabled

Content Security Gateway URL

If split-tunnel forwarding is enabled, access to external (non-corporate) web sites will be verified by the specified content security service provider.

Comma Separated List of HTTP Ports

Traffic from the specified ports will be verified by the content security service provider.

Enable Content Security Services

Select this checkbox to enable content security service. You must install the Content Security Services licenses to use this option.

Keep VIA window minimized

Enable this option to minimize the VIA client to system tray during the connection phase. Applicable to VIA client installed in computers running Microsoft Windows operating system.

Block traffic until VPN tunnel is up

If enabled, this feature will block network access until the VIA VPN connection is established.

Block traffic rules

Specify a hostname or IP address and network mask to define a whitelist of users to which the Block traffic until VPN tunnel is up setting will not apply.

Related Commands
Command aaa authentication via connection-profile

Description
Use aaa authentication via connection-profile to configure the parameters displayed in the output of this show command.

Mode Config mode

Command History
This command was introduced in AOS-W 5.0.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Enable or Config mode on master or local switches


show aaa authentication via web-auth
show aaa authentication via web-auth [default]

Description
A VIA web authentication profile contains an ordered list of VIA authentication profiles. The web authentication profile is used by end users to login to the VIA download page (https://<server-IP-address>/via) for downloading the VIA client. Only one VIA web authentication profile is available. If more than one VIA authentication profile is configured, users can view this list and select one during the client login.

Syntax
No parameters.

Usage Guidelines
Issue this command to view the authentication profiles associated with the default web authentication profile. Use it without the profile name to see the list of authentication profiles.

Examples
(host) #show aaa authentication via web-auth

VIA Web Authentication List
---------------------------
Name     References  Profile Status
----     ----------  --------------
default  2

Total:1

(host) #show aaa authentication via web-auth default

VIA Web Authentication "default"
--------------------------------
Parameter                    Value
---------                    -----
VIA Authentication Profiles  via1

The output of this command includes the following parameters:

Parameter
VIA Authentication Profiles

Description
This is the name of the VIA authentication profile. The value column displays the order of priority in which the profiles are displayed in the VIA client login.

Related Commands

Command

Description

aaa authentication via web-auth

Use aaa authentication via web-auth to configure the parameters displayed in the output of this show command.

Mode Config mode


Command History
This command was introduced in AOS-W 5.0.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Enable or Config mode on master or local switches


show aaa authentication vpn
show aaa authentication vpn [default|default-cap|default-rap]

Description
This command displays VPN authentication settings, including authentication roles and servers.

Usage Guidelines
Issue this command to identify the default role assigned to VPN users, the name of the group of servers used to authenticate the VPN users, and the maximum number of authentication failures allowed before the user is blacklisted.

Example
The following example displays configuration details for the VPN authentication profiles default, default-cap and default-rap.

(host) #show aaa authentication vpn default

VPN Authentication Profile "default"
------------------------------------
Parameter                    Value
---------                    -----
Default Role                 default-vpn-role
Server Group                 default
Max Authentication failures  2

(TechPubs) #show aaa authentication vpn default-cap

VPN Authentication Profile "default-cap" (Predefined)
-----------------------------------------------------
Parameter                    Value
---------                    -----
Default Role                 ap-role
Server Group                 internal
Max Authentication failures  0

(TechPubs) #show aaa authentication vpn default-rap

VPN Authentication Profile "default-rap" (Predefined (changed))
---------------------------------------------------------------
Parameter                    Value
---------                    -----
Default Role                 default-vpn-role
Server Group                 default
Max Authentication failures  0

Parameter
Description

Default Role
The default role to be assigned to VPN users.

Server Group
The name of the server group that performs the authentication.

Max Authentication failures
Number of times a user attempted to authenticate, but failed.


Related Commands
Command aaa authentication via auth-profile

Description
Use the command aaa authentication via auth-profile to configure the settings displayed in the output of this show command.

Mode Config mode

Command History

Version    Description
AOS-W 3.0  Command introduced.
AOS-W 5.0  The default-cap and default-rap profiles were introduced.
AOS-W 6.1  The Check certificate common name against AAA server parameter was introduced.

Command Information

Platforms All platforms

Licensing
The PEFV license and the base operating system.

Command Mode
Enable or Config mode on master or local switches


show aaa authentication wired
show aaa authentication wired
Description
View wired authentication settings for a client device that is directly connected to a port on the switch.
Usage Guidelines
This command displays the name of the AAA profile currently used for wired authentication.
Example
The following example shows the current wired profile for the switch is a profile named "secure_profile_3."

(host) #show aaa authentication wired

Wired Authentication Profile
----------------------------
Parameter    Value
---------    -----
AAA Profile  Secure_profile_3

Related Commands

Command aaa authentication wired

Description
Use the command aaa authentication wired to configure the settings displayed in the output of this show command.

Mode Config mode

Command History
This command was introduced in AOS-W 3.0.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Enable or Config mode on master or local switches


show aaa authentication wispr
show aaa authentication wispr <profile-name>
Description
This command shows information for WISPr authentication profiles. Issue this command without the <profile-name> option to display the entire WISPr Authentication profile list, including profile status and the number of references to each profile. Include a profile name to display detailed WISPr authentication configuration information for that profile.

Parameter <profile-name>

Description The name of an existing MAC authentication profile.

Examples
The output of the example below shows two WISPr authentication profiles, default and WISPr1, which are referenced two times by other profiles. The Profile Status columns are blank, indicating that these profiles are both user-defined. (If a profile is predefined, the value Predefined appears in the Profile Status column.)

(host) #show aaa authentication wispr

WISPr Authentication Profile List
-------------------------------
Name     References  Profile Status
----     ----------  --------------
default  2
WISPr1   2

Total:2

The following example displays configuration details for the WISPr authentication profile "WISPr1".

(host) #show aaa authentication wispr WISPr1

WISPr Authentication Profile "WISPr1"
--------------------------------------
Parameter                             Value
---------                             -----
Default Role                          guest
Server Group                          default
Logon wait minimum wait               5 sec
Logon wait maximum wait               10 sec
logon wait CPU utilization threshold  60 %
WISPr Location-ID ISO Country Code    US
WISPr Location-ID E.164 Country Code  1
WISPr Location-ID E.164 Area Code     408
WISPr Location-ID SSID/Zone           Corp1
WISPr Operator Name                   MyCompany
WISPr Location Name                   Sunnyvale

The output of this command includes the following parameters:

Parameter
Description

Default Role
The default role to be assigned to users that have completed WISPr authentication.

Server Group
The name of the server group that performs the authentication.

Logon wait minimum wait
If the switch's CPU utilization has surpassed the logon wait CPU utilization threshold value, the Logon wait minimum wait parameter defines the minimum number of seconds a user will have to wait to retry a login attempt. Range: 1-10 seconds. Default: 5 seconds.

Logon wait maximum wait
If the switch's CPU utilization has surpassed the logon wait CPU utilization threshold value, the Logon wait maximum wait parameter defines the maximum number of seconds a user will have to wait to retry a login attempt. Range: 1-10 seconds. Default: 10 seconds.

WISPr Location-ID E.164 Area Code
The E.164 Area Code in the WISPr Location ID.

WISPr Location-ID E.164 Country Code
The 1-3 digit E.164 Country Code in the WISPr Location ID.

WISPr Location-ID ISO Country Code
The ISO Country Code in the WISPr Location ID.

WISPr Location-ID SSID/Zone
The SSID/network name in the WISPr Location ID.

WISPr Location Name
A name identifying the hotspot location. If no name is defined, the default ap-name is used.

WISPr Operator Name
A name identifying the hotspot operator.

Related Commands
Command aaa authentication wispr

Description
Configure WISPr authentication values on your switch.

Mode
Config mode on master or local switches.

Command History
This command was introduced in AOS-W 3.4.1.


Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Enable or Config mode on master or local switches


show aaa authentication-server all
show aaa authentication-server all

Description
View authentication server settings for both external authentication servers and the internal switch database.

Usage Guidelines
The output of this command displays statistics for the Authentication Server Table, including the name and address of each server, server type and configured authorization and accounting ports.

Examples
The following command shows information for the internal Authentication server, and another RADIUS server named RADIUS-1.

(host) #show aaa authentication-server all

Auth Server Table
-----------------
Name      Type    FQDN   IP addr      AuthPort  AcctPort  Status   Requests
----      ----    ----   -------      --------  --------  ------   --------
Internal  Local   n/a    10.4.62.11   n/a       n/a       Enabled  0
server    Ldap    n/a    0.0.0.0      389       n/a       Enabled  0
server    Radius  SRVR1  127.9.9.61   1812      1813      Enabled  0
default   Tacacs  n/a    127.9.10.61  49        n/a       Enabled  0

The following data columns appear in the output of this command:

Parameter
Description

Name
Name of the authentication server.

Type
The type of authentication server. AOS-W supports LDAP, RADIUS and TACACS+ servers, in addition to its own local, internal authentication server.

FQDN
The Fully-Qualified Domain Name of the server, if configured.

IP addr
IP address of the server, in dotted-decimal format.

AuthPort
Port number used for authentication. An LDAP server uses port 636 for LDAP over SSL, and port 389 for SSL over LDAP, Start TLS operation and clear text. The default RADIUS authentication port is port 1812.

AcctPort
Accounting port on the server. The default RADIUS accounting port is port 1813.

Status
Shows whether the Authentication server is enabled or disabled.

Requests
Number of authentication requests received by the server.

Command History
This command was introduced in AOS-W 3.0.


Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Enable or Config mode on master or local switches


show aaa authentication-server internal
show aaa authentication-server internal [statistics]
Description
View authentication server settings for the internal switch database.
Examples
The output of the command below shows that the internal authentication server has been disabled.

(host) #show aaa authentication-server internal

Internal Server
---------------
Host      IP addr         Retries  Timeout  Status
----      -------         -------  -------  ------
Internal  10.168.254.221  3        5        Disabled

The following data columns appear in the output of this command:

Parameter
Description

Host
Name of the internal authentication server.

IP addr
Address of the internal server, in dotted-decimal format.

Retries
Number of retries allowed before the server stops attempting to authenticate a request.

Timeout
Timeout period, in seconds.

Status
Shows if the server is enabled or disabled.

Include the statistics parameter to display additional details for the internal server.

(host) #show aaa authentication-server internal statistics

Internal Database Server Statistics
-----------------------------------
PAP Requests         8
PAP Accepts          8
PAP Rejects          0
MSCHAPv2 Requests    0
MSCHAPv2 Accepts     0
MSCHAPv2 Rejects     0
Mismatch Response    0
Users Expired        1
Unknown Response     0
Timeouts             1
AvgRespTime (ms)     0
Uptime (d:h:m)       4:3:32
SEQ first/last/free  1,255,255

The following data columns appear in the output of this command:

Parameter
Description

PAP Requests
Number of PAP requests received by the internal server.

PAP Accepts
Number of PAP requests accepted by the internal server.

PAP Rejects
Number of PAP requests rejected by the internal server.

MSCHAPv2 Requests
Number of MSCHAPv2 requests received by the internal server.

MSCHAPv2 Accepts
Number of MSCHAPv2 requests accepted by the internal server.

MSCHAPv2 Rejects
Number of MSCHAPv2 requests rejected by the internal server.

Mismatch Response
Number of times the server received an authentication response to a request after another request had been sent.

Users Expired
Number of users that were deauthenticated because they stopped responding.

Unknown Response
Number of times the server did not recognize the response, possibly due to internal errors.

Timeouts
Number of times that the switch timed out an authentication request.

AvgRespTime (ms)
Time it takes the server to respond to an authentication request, in seconds.

Uptime (d:h:m)
Time elapsed since the last server reboot.

SEQ first/last/free
This internal buffer counter keeps track of the requests to the authentication server.

Related Commands
Command aaa authentication-server internal

Description
Issue the command aaa authentication-server internal to use the internal database on a local switch for authenticating clients.

Mode Config mode

Command History
This command was introduced in AOS-W 3.0.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Enable or Config mode on master or local switches


show aaa authentication-server ldap
show aaa authentication-server ldap [<ldap_server_name>]
Description
Display configuration settings for your LDAP servers.
Syntax

Parameter <ldap_server_name>

Description Name that identifies an LDAP server.

Examples
The output of the example below displays the LDAP server list with the names of all the LDAP servers. The References column lists the number of other profiles that reference an LDAP server, and the Profile Status column indicates whether the profile is predefined. User-defined profiles will not have an entry in the Profile Status column.

(host) #aaa authentication-server ldap

LDAP Server List
----------------
Name   References  Profile Status
----   ----------  --------------
ldap1  5
ldap2  3
ldap3  1

Total:3

Include the <ldap_server_name> parameter to display additional details for an individual server.

(host) #show aaa authentication-server ldap ldap1

LDAP Server "ldap1"
-------------------
Parameter                  Value
---------                  -----
Host                       10.1.1.234
Admin-DN                   cn=corp,cn=Users,dc=1m,dc=corp,dc=com
Admin-Passwd               ********
Allow Clear-Text           Disabled
Auth Port                  389
Base-DN                    cn=Users,dc=1m,dc=corp,dc=com
Filter                     (objectclass=*)
Key Attribute              sAMAccountName
Timeout                    20 sec
Mode                       Enabled
Preferred Connection Type  ldap-s

The output of this command includes the following parameters:

Parameter
Description

host
IP address of the LDAP server

Admin-DN
Distinguished name for the admin user who has read/search privileges across all of the entries in the LDAP database.

Admin Passwd
Password for the admin user.

Allow Clear-Text
If enabled, this parameter allows clear-text (unencrypted) communication with the LDAP server.

Auth Port
Port number used for authentication. Port 636 will be attempted for LDAP over SSL, while port 389 will be attempted for SSL over LDAP, Start TLS operation and clear text.

Base-DN
Distinguished Name of the node which contains the required user database.

Filter
Filter that should be applied to search of the user in the LDAP database (default filter string is: "(objectclass=*)").

Key attribute
Attribute that should be used as a key in search for the LDAP server.

Timeout
Timeout period of a LDAP request, in seconds.

Mode
Shows whether this server is Enabled or Disabled.

Preferred Connection Type
Preferred type of connection to the server. Possible values are:
- Clear text
- LDAP-S
- START-TLS
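
The following Python sketch is an added example, not AOS-W or vendor code: it parses saved output of show aaa authentication-server ldap <ldap_server_name> and reports servers whose Allow Clear-Text or Preferred Connection Type settings permit unencrypted LDAP. The column layout (value column located from the Parameter/Value header line), the "clear-text" value spelling, and the second server are assumptions constructed for illustration.

```python
import re

# Rows of the "ldap1" example shown in this section.
LDAP1 = [
    ("Host", "10.1.1.234"),
    ("Admin-DN", "cn=corp,cn=Users,dc=1m,dc=corp,dc=com"),
    ("Admin-Passwd", "********"),
    ("Allow Clear-Text", "Disabled"),
    ("Auth Port", "389"),
    ("Base-DN", "cn=Users,dc=1m,dc=corp,dc=com"),
    ("Filter", "(objectclass=*)"),
    ("Key Attribute", "sAMAccountName"),
    ("Timeout", "20 sec"),
    ("Mode", "Enabled"),
    ("Preferred Connection Type", "ldap-s"),
]
# Constructed second server carrying the two settings the audit looks for.
# The spelling "clear-text" is an assumption; norm() also accepts "Clear text".
WEAK = {"Host": "192.0.2.10", "Allow Clear-Text": "Enabled",
        "Preferred Connection Type": "clear-text"}
LDAP2 = [(k, WEAK.get(k, v)) for k, v in LDAP1]


def render(name, rows):
    """Build constructed CLI text in the Parameter/Value layout of this command."""
    width = max(len(k) for k, _ in rows + [("Parameter", "")]) + 2
    title = f'LDAP Server "{name}"'
    lines = [f"(host) #show aaa authentication-server ldap {name}", "",
             title, "-" * len(title),
             "Parameter".ljust(width) + "Value",
             "---------".ljust(width) + "-----"]
    lines += [(k.ljust(width) + v).rstrip() for k, v in rows]
    return "\n".join(lines) + "\n"


SAMPLE = render("ldap1", LDAP1) + "\n" + render("ldap2", LDAP2)

TITLE_RE = re.compile(r'^LDAP Server "([^"]+)"$')
PROMPT_RE = re.compile(r"^\(.*\)\s*#")


def parse_ldap_servers(capture):
    """Return {server_name: {parameter: value}} from captured CLI text."""
    servers, current, value_col = {}, None, None
    for raw in capture.splitlines():
        line = raw.rstrip()
        title = TITLE_RE.match(line.strip())
        if title:                                # start of a new server table
            current = servers.setdefault(title.group(1), {})
            value_col = None
            continue
        if current is None or not line.strip():
            continue
        if PROMPT_RE.match(line):                # next CLI prompt ends the table
            current = None
            continue
        if value_col is None:                    # still looking for the header row
            if line.startswith("Parameter") and "Value" in line:
                value_col = line.index("Value")
            continue
        if set(line.replace(" ", "")) == {"-"}:  # underline beneath the header
            continue
        # Slice at the header offset so names containing spaces stay intact.
        current[line[:value_col].strip()] = line[value_col:].strip()
    return servers


def norm(value):
    """Lower-case and drop punctuation: 'LDAP-S' -> 'ldaps', 'Clear text' -> 'cleartext'."""
    return re.sub(r"[^a-z0-9]", "", value.lower())


def audit_ldap_server(params):
    """Return findings for one server; an empty list means both checks passed."""
    findings = []
    clear = norm(params.get("Allow Clear-Text", ""))
    if clear == "enabled":
        findings.append("Allow Clear-Text is Enabled: unencrypted LDAP is permitted")
    elif clear != "disabled":
        findings.append("Allow Clear-Text missing or unrecognised: cannot confirm Disabled")
    conn = norm(params.get("Preferred Connection Type", ""))
    if conn == "cleartext":
        findings.append("Preferred Connection Type is clear text")
    elif conn not in ("ldaps", "starttls"):
        findings.append("Preferred Connection Type missing or unrecognised")
    return findings


def audit_capture(capture):
    """Audit every LDAP server table found in a capture."""
    return {name: audit_ldap_server(p)
            for name, p in parse_ldap_servers(capture).items()}


if __name__ == "__main__":
    for name, findings in audit_capture(SAMPLE).items():
        print(name, "OK" if not findings else findings)
```

A truncated capture that lacks either row is reported rather than passed, so a missing setting is never read as a safe one.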

Command History
This command was introduced in AOS-W 3.0.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Enable or Config mode on master or local switches


show aaa authentication-server radius
show aaa authentication-server radius [<rad_server_name>|statistics]
Description
Display configuration settings for your RADIUS servers.
Syntax

Parameter <rad_server_name>

Description Name that identifies a RADIUS server.

Examples
The output of the example below displays the RADIUS server list with the names of all the RADIUS servers. The References column lists the number of other profiles that reference a RADIUS server, and the Profile Status column indicates whether the profile is predefined. User-defined servers will not have an entry in the Profile Status column.

(host) #aaa authentication-server radius

RADIUS Server List
------------------
Name        References  Profile Status
----        ----------  --------------
myserver    3
radius      0
servername  0

Total:3

To view additional statistics for all RADIUS servers, include the statistics parameter. Include the <rad_server_name> parameter to display additional details for an individual server.

(host) #show aaa authentication-server radius SMOKERAD

RADIUS Server "SMOKERAD"
------------------------
Parameter         Value
---------         -----
Host              127.0.0.1
Key               ********
Auth Port         1812
Acct Port         1813
Retransmits       3
Timeout           5 sec
NAS ID            N/A
NAS IP            N/A
Source Interface  5
Use MD5           Disabled
Mode              Enabled

The output of this command includes the following information:

Parameter
Description

host
IP address of the RADIUS server

Key
Shared secret between the switch and the authentication server.

Acct Port
Accounting port on the server.

auth port
Authentication port on the server.

Retransmits
Maximum number of retries sent to the server by the switch before the server is marked as down.

Timeout
Maximum time, in seconds, that the switch waits before timing out the request and resending it.

NAS ID
Network Access Server (NAS) identifier to use in RADIUS packets.

NAS IP
NAS IP address to send in RADIUS packets. If you do not configure a server-specific NAS IP, the global NAS IP is used.

Source Interface
The source interface VLAN ID number.

Use MD5
If enabled, the RADIUS server will use a MD5 hash of cleartext password.

Mode
Shows whether this server is Enabled or Disabled.

Command History

Version    Description
AOS-W 3.0  Command introduced.
AOS-W 6.1  The Source Interface parameter was introduced.

Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Enable or Config mode on master or local switches


show aaa authentication-server tacacs
show aaa authentication-server tacacs [<tacacs_server_name>|statistics]
Description
Display configuration settings for your TACACS+ servers.
Syntax

Parameter
Description

<tacacs_server_name>
Name that identifies a TACACS+ server.

statistics
Displays accounting, authorization, and authentication request and response statistics for the TACACS server.

Examples
The output of the example below displays the TACACS+ server list with the names of all the TACACS+ servers. The References column lists the number of other profiles that reference a TACACS+ server, and the Profile Status column indicates whether the profile is predefined. User-defined profiles will not have an entry in the Profile Status column.

(host) #aaa authentication-server tacacs

TACACS Server List
----------------
Name     References  Profile Status
----     ----------  --------------
LabAuth  5
TACACS1  3

Total:2

Include the <tacacs_server_name> parameter to display additional details for an individual server.

(host) #show aaa authentication-server tacacs tacacs1

TACACS Server "tacacs1"
---------------------
Parameter    Value
---------    -----
Host         10.1.1.16
Key          ********
TCP Port     49
Retransmits  3
Timeout      20 sec
Mode         Enabled

The output of this command includes the following parameters:

Parameter
Description

host
IP address of the TACACS+ server

Key
Shared secret between the switch and the authentication server.

TCP Port
TCP port used by the server.

Retransmits
Maximum number of retries sent to the server by the switch before the server is marked as down.

Timeout
Maximum time, in seconds, that the switch waits before timing out the request and resending it.

Mode
Shows whether this server is Enabled or Disabled.

Command History

Release    Modification
AOS-W 3.0  Command introduced
AOS-W 6.0  The Statistics parameter was introduced.

Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Enable or Config mode on master or local switches


show aaa authentication-server windows
show aaa authentication-server windows [<windows_server_name>]
Description
Display configuration settings for your Windows servers.
Syntax

Parameter
Description

<windows_server_name>
Name that identifies a Windows server.

Examples
The output of the example below displays the Windows server list with the names of all the Windows servers used for NTLM authentication. The References column lists the number of other profiles that reference a Windows server, and the Profile Status column indicates whether the profile is predefined. User-defined profiles will not have an entry in the Profile Status column.

(host) #aaa authentication-server tacacs

Windows Server List
----------------
Name      References  Profile Status
----      ----------  --------------
NTLM      1
Windows2  1

Total:2

Include the <windows_server_name> parameter to display additional details for an individual server.

(host) #show aaa authentication-server windows Windows2

Windows Server "windows"
------------------------
Parameter       Value
---------       -----
Host            172.21.18.170
Mode            Enabled
Windows Domain  MyCompanyDomain

The output of this command includes the following parameters:

Parameter
Description

host
IP address of the Windows server

Mode
Shows whether this server is Enabled or Disabled.

Windows Domain
Name of the Windows domain to which this server is assigned.

Command History
This command was introduced in AOS-W 3.4.1.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Enable or Config mode on master or local switches


show aaa bandwidth-contracts
show aaa bandwidth-contracts

Description
This command shows the contract names, ID numbers and Rate limits for your bandwidth contracts.

Example
The output of the following command shows that the bandwidth contract VLAN has a configured rate of 6 Mbps, and the contract User has a rate of 2048 Kbps.

(host) #show aaa bandwidth-contracts

Bandwidth Contracts
-------------------
Contract  Id  Rate (bits/second)
--------  --  ------------------
VLAN      1   6000000
User      2   2048000

Total contracts = 2
Per-user contract total = 4096
Per-user contract usage = 0

Related Commands

Command aaa bandwidth-contract

Description
Use this command to define contracts to limit traffic for a user or VLAN.

Mode Config mode

Command History
This command was introduced in AOS-W 3.0.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Enable or Config mode on master or local switches


show aaa derivation-rules
show aaa derivation-rules [server-group <group-name>|user <name>]
Syntax

Parameter     Description
<group-name>  Name of a server group
<name>        Name of a user rule group

Description
Show derivation rules based on user information or configured for server groups.

Example
The output of the following command shows that the server group group1 has the internal database configured as its authentication server, and that there is a single rule assigned to that group. You can omit the <group-name> parameter to show a table of all your server groups.
(host) #show aaa derivation-rules server-group group1

Server Group
Name      Inservice  trim-FQDN  match-FQDN
----      ---------  ---------  ----------
Internal  Yes        No

Server Rule Table
-----------------
Priority  Attribute  Operation  Operand   Action    Value  Total Hits  New Hits
--------  ---------  ---------  -------   ------    -----  ----------  --------
1         Filter-Id  equals     nsFilter  set vlan  111    24

Rule Entries: 1

The following data columns appear in the output of this command:

Parameter   Description
Name        Name of the authentication server assigned to this server group.
Inservice   Specifies if the server is in service or out-of-service.
trim-FQDN   If enabled, user information in an authentication request is edited before the request is sent to the server.
match-FQDN  If enabled, the authentication server is associated with a specified domain.
Priority    The priority in which the rules are applied. Rules at the top of the list are applied before rules at the bottom.
Attribute   This is the attribute returned by the authentication server that is examined for Operation and Operand match.
Operation   This is the match method by which the string in Operand is matched with the attribute value returned by the authentication server.
            - contains: The rule is applied if and only if the attribute value contains the string in parameter Operand.
            - starts-with: The rule is applied if and only if the attribute value returned starts with the string in parameter Operand.
            - ends-with: The rule is applied if and only if the attribute value returned ends with the string in parameter Operand.
            - equals: The rule is applied if and only if the attribute value returned equals the string in parameter Operand.
            - not-equals: The rule is applied if and only if the attribute value returned is not equal to the string in parameter Operand.
            - value-of: This is a special condition. What this implies is that the role or VLAN is set to the value of the attribute returned. For this to be successful, the role and the VLAN ID returned as the value of the attribute selected must be already configured on the switch when the rule is applied.
Operand     This is the string to which the value of the returned attribute is matched.
Action      This parameter identifies whether the rule sets a server group role (set role) or a VLAN (set vlan).
Value       Sets the user role or VLAN ID to be assigned to the client if the condition is met.
Total Hits  Number of times the rule has been applied since the last server reboot.
New Hits    Number of times the rule has been applied since the show aaa derivation-rules command was last issued.

To display derivation rules for a user group, include the user <name> parameter. You can also display a table of all user rules by including the user parameter, but omitting the <name> parameter.

(host) #show aaa derivation-rules user user44

User Rule Table
---------------
Priority  Attribute  Operation  Operand  Action    Value  Total Hits  New Hits  Description
--------  ---------  ---------  -------  ------    -----  ----------  --------  -----------
1         location   equals     ap23     set role  guest  56                    guestrole1

The following data columns appear in the output of this command:

Parameter    Description
Priority     The priority in which the rules are applied. Rules at the top of the list are applied before rules at the bottom.
Attribute    This is the attribute returned by the authentication server that is examined for Operation and Operand match.
Operation    This is the match method by which the string in Operand is matched with the attribute value returned by the authentication server.
             - contains: The rule is applied if and only if the attribute value contains the string in parameter Operand.
             - starts-with: The rule is applied if and only if the attribute value returned starts with the string in parameter Operand.
             - ends-with: The rule is applied if and only if the attribute value returned ends with the string in parameter Operand.
             - equals: The rule is applied if and only if the attribute value returned equals the string in parameter Operand.
             - not-equals: The rule is applied if and only if the attribute value returned is not equal to the string in parameter Operand.
             - value-of: This is a special condition. What this implies is that the role or VLAN is set to the value of the attribute returned. For this to be successful, the role and the VLAN ID returned as the value of the attribute selected must be already configured on the switch when the rule is applied.
Operand      This is the string to which the value of the returned attribute is matched.
Action       This parameter identifies whether the rule sets a server group role (set role) or a VLAN (set vlan).
Value        Sets the user role or VLAN ID to be assigned to the client if the condition is met.
Total Hits   Number of times the rule has been applied since the last server reboot.
New Hits     Number of times the rule has been applied since the show aaa derivation-rules command was last issued.
Description  This optional parameter describes the rule. If no description was configured then it does not appear when you view the User Table.

Related Commands
Command               Description                                                                                      Mode
aaa derivation-rules  Use aaa derivation-rules to define the parameters displayed in the output of this show command.  Config mode

Command History
This command was introduced in AOS-W 3.0.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Enable or Config mode on master or local switches


show aaa dns-query-interval
show aaa dns-query-interval <minutes>
Description
View the configured interval between DNS requests sent from the switch to the DNS server.
Syntax
No parameters
Usage Guidelines
If you define a RADIUS server using the FQDN of the server rather than its IP address, the switch will periodically generate a DNS request and cache the IP address returned in the DNS response. By default, DNS requests are sent every 15 minutes, but the interval can be changed using the aaa dns-query-period command. Issue the show aaa dns-query-period command to view the current DNS query interval.
Example
This command shows that the switch will send a DNS query every 30 minutes.

(host) # show aaa dns-query-period
DNS Query Interval = 30 minutes
Related Commands
To configure the DNS query interval, issue the command aaa dns-query-interval.
Command History
This command was available in AOS-W 6.0.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Enable and Config mode on local and master switches


show aaa fqdn-server-names
show aaa fqdn-server-names

Description
Show a table of IP addresses that have been mapped to fully qualified domain names (FQDNs).

Syntax
No parameters.

Usage Guidelines
If you define a RADIUS server using the FQDN of the server rather than its IP address, the switch will periodically generate a DNS request and cache the IP address returned in the DNS response. Issue this command to view the IP addresses that currently correlate to each RADIUS server FQDN.

Example
The output of this command shows the IP addresses for two RADIUS servers.

(host) #show aaa fqdn-server-names

Auth Server FQDN names
---------------------
FQDN                 IP Address  Refcount
----                 ----------  --------
myhost1.example.com  192.0.2.3   2
myhost2.example.com

Related Commands
To configure a RADIUS authentication server using that server's fully qualified domain name, use the command aaa authentication-server radius.
Command History
This command was available in AOS-W 6.0.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Enable and Config mode on local and master switches


show aaa main-profile
show aaa main-profile summary

Description
Show a summary of all AAA profiles.

Example
The output of the show aaa main-profile summary command shows roles, server group settings, and wired-to-wireless roaming statistics for each AAA profile.

(host) #show aaa main-profile summary

AAA Profile summary -------------------

Name ---aaa_dot1x default default guest

role ---logon logon guest

mac-auth -------macprof2 macprof2 macprof1

dot1x- rad-

UDR- ww-

enforce

auth acct XML-api RFC3576 group roam devtype -dhcp

------ ----- ------- ------- ----- ------- ------- --------

dot1x RADIUS 10.3.1.15 10.3.15.2 Usr1 Disable enabled disabled

dot1x RADIUS 10.3.1.15 10.3.15.2 Usr1 Disable enabled disabled

default RADIUS 10.3.1.15 10.3.15.2 Usr2 Disable enabled disabled

The following data columns appear in the output of this command:

Parameter     Description
Name          Name of the AAA profile.
role          Role for unauthenticated users.
mac-auth      Name of the server group used for MAC authentication.
dot1x-auth    Name of the server group used for dot1x authentication.
rad-acct      Name of the server group used for RADIUS authentication.
XML-api       IP address of a configured XML API server.
RFC3576       IP address of a RADIUS server that can send user disconnect and change-of-authorization messages, as described in RFC 3576.
UDR-group     Name of the user derivation rule profile.
ww-roam       Shows if wired-to-wireless roaming is enabled or disabled.
devtype       Shows if the device identification feature is enabled or disabled. When the devtype-classification parameter is enabled, the output of the show user and show user-table commands shows each client's device type, if that client device can be identified.
enforce-dhcp  When this option is enabled, clients must complete a DHCP exchange to obtain an IP address. Best practices are to enable this option when you use the aaa derivation-rules command to create a rule with the DHCP-Option rule type. This parameter is disabled by default.


Related Commands
Command      Description                                                                                Mode
aaa profile  Use aaa profile to define the parameters displayed in the output of this show command.  Config mode

Command History
This command was introduced in AOS-W 3.0.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Enable or Config mode on master or local switches


show aaa password-policy mgmt
show aaa password-policy mgmt [statistics]
Description
Show the current password policy for management users.
Syntax

Parameter   Description
statistics  Include this optional parameter to show the numbers of failed login attempts and any lockout periods for management user accounts.

Examples
The output of the show aaa password-policy mgmt command below shows that the current password policy requires a management user to have a password with a minimum of 9 characters, including one numeric character and one special character.

(host) #show aaa password-policy mgmt

Mgmt Password Policy
--------------------
Parameter                                                                 Value
---------                                                                 -----
Enable password policy                                                    Yes
Minimum password length required                                          9
Minimum number of Upper Case characters                                   0
Minimum number of Lower Case characters                                   0
Minimum number of Digits                                                  1
Minimum number of Special characters (!, @, #, $, %, ^, &, *, <, >, {, }, [, ], :, ., comma, |, +, ~, `)  1
Username or Reverse of username NOT in Password                           No
Maximum Number of failed attempts in 3 minute window to lockout user      0
Time duration to lockout the user upon crossing the "lock-out" threshold  3
Maximum consecutive character repeats                                     0

The following data columns appear in the output of this command:

Parameter

Description

Enable password policy

Shows if the defined policy has been enabled

Minimum password length required

Minimum number of characters required for a management user password. The default setting is 6 characters.

Minimum number of Upper Case characters

The maximum number of uppercase letters required for a management user password. By default, there is no requirement for uppercase letters in a password, and the parameter has a default value of 0.


Minimum number of Lower Case characters

The maximum number of lowercase letters required for a management user password. By default, there is no requirement for lowercase letters in a password, and the parameter has a default value of 0.

Minimum number of Digits

Minimum number of numeric digits required in a management user password. By default, there is no requirement for digits in a password, and the parameter has a default value of 0.

Minimum number of Special characters

Minimum number of special characters required in a management user password. By default, there is no requirement for special characters in a password, and the parameter has a default value of 0.

Username or Reverse of username NOT in Password

If Yes, a management user's password cannot be the user's username or the username spelled backwards. If No, the password can be the username or username spelled backwards.

Maximum Number of failed attempts in 3 minute window to lockout user

Number of times a user can unsuccessfully attempt to log in to the switch before that user gets locked out for the time period specified by the lock-out threshold below. By default, the password lockout feature is disabled, and the default value of this parameter is 0 attempts.

Time duration to lockout the user upon crossing the "lock-out" threshold

Amount of time a management user will be "locked out" and prevented from logging into the switch after exceeding the maximum number of failed attempts setting shown above. The default lockout time is 3 minutes.

Maximum consecutive character repeats

The maximum number of consecutive repeating characters allowed in a management user password. By default, there is no limitation on the number of characters that can repeat within a password, and the parameter has a default value of 0 characters.

Include the optional statistics parameter to show failed login statistics in the Management User table. The example below shows that a single failed login attempt locked out the root user admin14, and displays the time when that user can attempt to log in to the switch again.

(host) #show aaa password-policy mgmt statistics

Management User Table
---------------------
USER     ROLE  FAILED_ATTEMPTS  STATUS
----     ----  ---------------  ------
admin14  root  1                Locked until 12/1/2009 22:28
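As an added example (not part of the AOS-W guide or its software), the Python script below parses the two outputs of show aaa password-policy mgmt shown in this section and flags the settings that the parameter descriptions identify as permissive, such as a lockout threshold of 0. The one-parameter-per-line layout of the sample text, the finding names and the min_length baseline of 8 are assumptions.

```python
import re

# Constructed sample: the values are those in this section's example output,
# laid out one parameter per line (an assumption about the real screen).
POLICY_SAMPLE = """\
Mgmt Password Policy
--------------------
Parameter                                    Value
---------                                    -----
Enable password policy                       Yes
Minimum password length required             9
Minimum number of Upper Case characters      0
Minimum number of Lower Case characters      0
Minimum number of Digits                     1
Minimum number of Special characters (!, @, #, $, %, ^, &, *, <, >, {, }, [, ], :, ., comma, |, +, ~, `)  1
Username or Reverse of username NOT in Password  No
Maximum Number of failed attempts in 3 minute window to lockout user  0
Time duration to lockout the user upon crossing the "lock-out" threshold  3
Maximum consecutive character repeats        0
"""

# Constructed sample of the statistics output, same values as the example above.
STATS_SAMPLE = """\
Management User Table
---------------------
USER     ROLE  FAILED_ATTEMPTS  STATUS
----     ----  ---------------  ------
admin14  root  1                Locked until 12/1/2009 22:28
"""


def parse_policy(text):
    """Map each parameter name to its value (bool for Yes/No, int otherwise)."""
    policy = {}
    for line in text.splitlines():
        m = re.match(r"^(.*\S)\s+(Yes|No|\d+)\s*$", line)
        if not m:
            continue  # title, header and separator lines carry no value
        key = re.sub(r"\s*\(.*\)$", "", m.group(1))  # drop the special-character list
        raw = m.group(2)
        policy[key] = (raw == "Yes") if raw in ("Yes", "No") else int(raw)
    return policy


def audit_policy(policy, min_length=8):
    """Return finding names for permissive settings. min_length is a site
    baseline chosen for this example, not a value from the guide."""
    checks = [
        ("policy-disabled", "Enable password policy", lambda v: not v),
        ("minimum-length-below-baseline", "Minimum password length required",
         lambda v: v < min_length),
        ("no-uppercase-requirement", "Minimum number of Upper Case characters",
         lambda v: v == 0),
        ("no-lowercase-requirement", "Minimum number of Lower Case characters",
         lambda v: v == 0),
        ("no-digit-requirement", "Minimum number of Digits", lambda v: v == 0),
        ("no-special-character-requirement", "Minimum number of Special characters",
         lambda v: v == 0),
        # "No" means the password may be the username or its reverse.
        ("username-allowed-as-password",
         "Username or Reverse of username NOT in Password", lambda v: not v),
        # 0 attempts means the lockout feature is disabled.
        ("lockout-disabled",
         "Maximum Number of failed attempts in 3 minute window to lockout user",
         lambda v: v == 0),
        ("unlimited-character-repeats", "Maximum consecutive character repeats",
         lambda v: v == 0),
    ]
    findings = []
    for name, key, is_weak in checks:
        if key not in policy:
            findings.append("missing:" + key)  # parameter absent from the output
        elif is_weak(policy[key]):
            findings.append(name)
    return findings


def locked_users(text):
    """Return (user, role, failed_attempts, status) for rows whose STATUS is Locked."""
    rows = []
    for line in text.splitlines():
        m = re.match(r"^(\S+)\s+(\S+)\s+(\d+)\s+(Locked.*\S)\s*$", line)
        if m:
            rows.append((m.group(1), m.group(2), int(m.group(3)), m.group(4)))
    return rows


if __name__ == "__main__":
    for finding in audit_policy(parse_policy(POLICY_SAMPLE)):
        print("finding:", finding)
    for user, role, failed, status in locked_users(STATS_SAMPLE):
        print(f"{user} ({role}): {failed} failed attempt(s), {status}")
```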
Related Commands

Command      Description                                                                                Mode
aaa profile  Use aaa profile to define the parameters displayed in the output of this show command.  Config mode

Command History
This command was introduced in AOS-W 3.4.2.


Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Enable or Config mode on master or local switches


show aaa profile
show aaa profile <profile-name>

Description
Show configuration details for an individual AAA profile.

Example
The output of the following command shows roles, servers and server group settings, and wire-to-wireless-roaming statistics for each AAA profile.

(host) #show aaa profile default

AAA Profile "default"
---------------------
Parameter                            Value
---------                            -----
Initial role                         guest
MAC Authentication Profile           N/A
MAC Authentication Default Role      guest
MAC Authentication Server Group      default
802.1X Authentication Profile        default
802.1X Authentication Default Role   guest
802.1X Authentication Server Group   N/A
L2 Authenticaion Fail Through        Disabled
RADIUS Accounting Server Group       N/A
RADIUS Interim Accounting            Disabled
XML API server                       N/A
RFC 3576 server                      N/A
User derivation rules                N/A
Wired to Wireless Roaming            Enabled
SIP authentication role              N/A
Device Type Classification           Enabled
Enforce DHCP                         Disabled

The following data columns appear in the output of this command:

Parameter                           Description
Name                                The name of the AAA profile.
Initial Role                        Role for unauthenticated users.
MAC Authentication Profile          Name of the MAC authentication profile.
MAC Authentication Default Role     Configured role assigned to the user after MAC authentication.
MAC Authentication Server Group     Name of the server group used for MAC authentication.
802.1X Authentication Profile       Name of the 802.1X authentication profile.
802.1X Authentication Default Role  Configured role assigned to the user after 802.1X authentication.
802.1X Authentication Server Group  Name of the server group used for 802.1X authentication.
L2 Authentication Fail Through      To select the other authentication method if one fails.
RADIUS Accounting Server Group      Name of the server group used for RADIUS authentication.
RADIUS Interim Accounting           By default, the RADIUS accounting feature sends only start and stop messages to the RADIUS accounting server. If RADIUS Interim Accounting is enabled, the switch can also send Interim-Update messages with current user statistics to the server at regular intervals.
XML API server                      IP address of a configured XML API server.
RFC 3576 server                     IP address of a RADIUS server that can send user disconnect and change-of-authorization messages, as described in RFC 3576.
User derivation rules
Wired to Wireless Roaming           Shows whether Wired to Wireless Roaming is Enabled or Disabled.
SIP authentication role             For switches with an installed PEFNG license, this parameter displays the configured role assigned to a session initiation protocol (SIP) client upon registration.
Device Type Classification          Shows if the device identification feature is enabled or disabled. When the devtype-classification parameter is enabled, the output of the show user and show user-table commands shows each client's device type, if that client device can be identified.
Enforce DHCP                        When this option is enabled, clients must complete a DHCP exchange to obtain an IP address. Best practices are to enable this option when you use the aaa derivation-rules command to create a rule with the DHCP-Option rule type. This parameter is disabled by default.

Related Commands
Command      Description                                          Mode
aaa profile  Use the command aaa profile to define AAA profiles.  Config mode

Command History
This command was introduced in AOS-W 3.0.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Enable or Config mode on master or local switches


show aaa radius-attributes
show aaa radius-attributes

Description
Show RADIUS attributes recognized by the switch.

Example
The output of the following command shows the name, currently configured value, type, vendor and RADIUS ID for each attribute.

(host) #show aaa radius-attributes

Dictionary
----------
Attribute                 Value  Type     Vendor     Id
---------                 -----  ----     ------     --
MS-CHAP-NT-Enc-PW         6      String   Microsoft  311
Suffix                    1004   String
Menu                      1001   String
Acct-Session-Time         46     Integer
Framed-AppleTalk-Zone     39     String
Connect-Info              77     String
Acct-Ouput-Packets        48     Integer
Aruba-Location-Id         6      String   Aruba      14823
Service-Type              6      Integer
Rad-Length                310    Integer
CHAP-Password             3      String
Aruba-Template-User       8      String   Aruba      14823
Event-Timestamp           55     Date
Login-Service             15     Integer
Exec-Program-Wait         1039   String
Tunnel-Password           69     String
Framed-IP-Netmask         9      IP Addr
Acct-Output-Gigawords     53     Integer
MS-CHAP-CPW-2             4      String   Microsoft  311
Acct-Tunnel-Packets-Lost  86     Integer
...

Related Commands

Command      Description                                          Mode
aaa profile  Use the command aaa profile to define AAA profiles.  Config mode

Command History
This command was introduced in AOS-W 3.0.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Enable or Config mode on master or local switches


show aaa rfc-3576-server
show aaa rfc-3576-server [statistics|<udp-port>]
Description
Show configuration details for an RFC-3576 server, which is a RADIUS server that can send user disconnect and change-of-authorization (CoA) messages, as described in RFC 3576.
Example
This first example shows that there are two configured servers in the RFC 3576 Server List. The References column lists the number of other profiles with references to the RFC 3576 server, and the Profile Status column indicates whether the server is predefined. User-defined servers will not have an entry in the Profile Status column.

(host) #show aaa rfc-3576-server

RFC 3576 Server List
--------------------
Name       References  Profile Status
----       ----------  --------------
10.2.14.6  2

To view details for all RFC 3576 servers, include the statistics parameter.

(host) #show aaa rfc-3576-server statistics

RADIUS RFC 3576 Statistics
--------------------------
Statistics           10.1.2.3  10.1.2.34
----------           --------  ---------
Disconnect Requests  13        3
Disconnect Accepts   12        3
Disconnect Rejects   1         0
No Secret            0         0
No Session ID        0         0
Bad Authenticator    0         0
Invalid Request      0         0
Packets Dropped      0         2
Unknown service      0         0
CoA Requests         1         0
CoA Accepts          1         0
CoA Rejects          0         0
No permission        0         0

Packets received from unknown clients: 0
Packets received with unknown request: 0
Total RFC3576 packets Received       :0

The output of the show aaa rfc-3576-server statistics command includes the following parameters:

Parameter            Description
Disconnect Requests  Number of disconnect requests sent by the server.
Disconnect Accepts   Number of disconnect requests sent by the server that were accepted by the user.
Disconnect Rejects   Number of disconnect requests sent by the server that were rejected by the user.
No Secret            Number of authentication requests that did not contain a RADIUS secret.
No Session ID        Number of authentication requests that did not contain a session ID.
Bad Authenticator    Number of authentication requests that contained a missing or invalid authenticator field in the packet.
Invalid Request      Number of invalid requests.
Packets Dropped      Number of packets dropped.
Unknown service      Number of requests for an unknown service type.
CoA Requests         Number of requests for a Change of Authorization (CoA).
CoA Accepts          Number of times a CoA request was accepted.
CoA Rejects          Number of times a CoA request was rejected.
No permission        Number of requests for a service that has been defined, but has not been administratively enabled.

Related Commands
Command              Description                       Mode
aaa rfc-3576-server  Define RFC 3576 server profiles.  Config mode

Command History
This command was introduced in AOS-W 3.0.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Enable or Config mode on master or local switches


show aaa server-group
show aaa server-group [<group-name>|summary]
Description
Show configuration details for your AAA server groups.
Syntax

Parameter     Description
<group-name>  The name of an existing AAA server group.

Usage Guidelines
Issue this command without the <group-name> or summary options to display the entire server group list, including profile status and the number of references to each profile. The References column lists the number of other profiles that reference a server group, and the Profile Status column indicates whether the server group is predefined. User-defined server groups will not have an entry in the Profile Status column.
Examples
This first example shows that there are five configured server groups.

(host) #show aaa server-group summary

Server Group List ----------------Name ---auth-profile-2 coltrane-server-group default group1 internal

References ---------1 1 25 0 0

Profile Status --------------
Predefined

Total:5

To view additional statistics for all server groups, include the statistics parameter.

(host) #show aaa server-group summary

Server Groups
-------------
Name                   Servers  Rules  hits  Out-of-service
----                   -------  -----  ----  --------------
auth-profile-2         1        0      0
coltrane-server-group  1        0      0
default                1        0      0
group1                 1        1      0
internal               1        1      0

The output of the show aaa server-group summary command includes the following parameters:

Parameter       Description
name            Name of an existing AAA server group.
Servers         Number of servers in the group.
Rules           Number of rules configured for the server group.
hits            Number of hits for the server's rules.
Out-of-Service  Indicates whether the server is active, or out of service. Active servers may not have an entry in the Out-of-Service column.

To display detailed authorization, role and VLAN statistics for an individual server group, include the name of the group for which you want more information.

(host) #show aaa server-group summary group1

Fail Through:No

Auth Servers
------------
Name  Server-Type  trim-FQDN  Match-Type  Match-Op  Match-Str
----  -----------  ---------  ----------  --------  ---------
rad1  Radius       No
rad3  Radius       No

Role/VLAN derivation rules
---------------------------
Priority  Attribute  Operation  Operand  Action    Value
--------  ---------  ---------  -------  ------    -----
1         class      contains   admin    set role  root

The output of the show aaa server-group <group-name> command includes the following parameters:

Parameter    Description
Name         Specifies if the server is in service or out-of-service.
Server-Type  If enabled, user information in an authentication request is edited before the request is sent to the server.
trim-FQDN    If enabled, user information in an authentication request is edited before the request is sent to the server.
Match-Type   If the match type is authstring, the authentication server associates with a match rule that the switch can compare with the user/client information in the authentication request. An fqdn match type associates the authentication server with a specified domain. An authentication request is sent to the server only if there is an exact match between the specified domain and the <domain> portion of the user information sent in the authentication request.
Match-Op     This is the match method by which the string in Match-Str is matched with the attribute value returned by the authentication server.
             - contains: The rule is applied if and only if the attribute value contains the string in parameter Operand.
             - starts-with: The rule is applied if and only if the attribute value returned starts with the string in parameter Operand.
             - ends-with: The rule is applied if and only if the attribute value returned ends with the string in parameter Operand.
             - equals: The rule is applied if and only if the attribute value returned equals the string in parameter Operand.
             - not-equals: The rule is applied if and only if the attribute value returned is not equal to the string in parameter Operand.
             - value-of: This is a special condition. What this implies is that the role or VLAN is set to the value of the attribute returned. For this to be successful, the role and the VLAN ID returned as the value of the attribute selected must be already configured on the switch when the rule is applied.
Match-Str    This is the string to which the value of the returned attribute is matched.
Priority     The priority in which role or VLAN derivation rules are applied. Rules at the top of the list are applied before rules at the bottom.
Attribute    For role or VLAN derivation rules, this is the attribute returned by the authentication server that is examined for Operation and Operand match.
Operation    For role or VLAN derivation rules, this is the match method by which the string in Operand is matched with the attribute value returned by the authentication server.
             - contains: The rule is applied if and only if the attribute value contains the string in parameter Operand.
             - starts-with: The rule is applied if and only if the attribute value returned starts with the string in parameter Operand.
             - ends-with: The rule is applied if and only if the attribute value returned ends with the string in parameter Operand.
             - equals: The rule is applied if and only if the attribute value returned equals the string in parameter Operand.
             - not-equals: The rule is applied if and only if the attribute value returned is not equal to the string in parameter Operand.
             - value-of: This is a special condition. What this implies is that the role or VLAN is set to the value of the attribute returned. For this to be successful, the role and the VLAN ID returned as the value of the attribute selected must be already configured on the switch when the rule is applied.
Operand      For role or VLAN derivation rules, this is the string to which the value of the returned attribute is matched.
Action       This parameter identifies whether the derivation rule sets a server group role (set role) or a VLAN (set vlan).
Value        Sets the user role or VLAN ID to be assigned to the client if the rule condition is met.
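
The match operations described above, and in the identical Operation list under show aaa derivation-rules, can be modelled in a few lines to review what a rule set will actually grant. This added Python example is not AOS-W code: it assumes case-sensitive matching, that evaluation stops at the first rule that applies, and that a rule is skipped when its attribute is absent, and it combines the class and Filter-Id rules from this guide's example outputs into one constructed list.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    priority: int
    attribute: str
    operation: str  # contains | starts-with | ends-with | equals | not-equals | value-of
    operand: str
    action: str     # "set role" or "set vlan"
    value: str


# The five string comparisons from the Operation row of the table.
MATCHERS = {
    "contains": lambda got, operand: operand in got,
    "starts-with": lambda got, operand: got.startswith(operand),
    "ends-with": lambda got, operand: got.endswith(operand),
    "equals": lambda got, operand: got == operand,
    "not-equals": lambda got, operand: got != operand,
}

# Operations that can match values the rule author never had in mind.
LOOSE_OPERATIONS = {"contains", "starts-with", "ends-with", "not-equals"}


def derive(rules, attrs, roles=frozenset(), vlans=frozenset()):
    """Return (action, value, priority) for the first rule that applies, else None.

    rules are tried in priority order (lowest number first). roles and vlans
    are the names already configured on the switch; value-of only succeeds
    when the returned attribute value is one of them.
    """
    for rule in sorted(rules, key=lambda r: r.priority):
        got = attrs.get(rule.attribute)
        if got is None:
            continue  # assumption: no attribute returned, rule not considered
        if rule.operation == "value-of":
            known = roles if rule.action == "set role" else vlans
            if got in known:
                return (rule.action, got, rule.priority)
            continue
        if MATCHERS[rule.operation](got, rule.operand):
            return (rule.action, rule.value, rule.priority)
    return None


def audit(rules, privileged_roles):
    """List (priority, reason) for role rules that deserve a second look."""
    findings = []
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.action != "set role":
            continue
        if rule.operation == "value-of":
            findings.append((rule.priority,
                             "value-of: the authentication server chooses the role"))
        elif rule.operation in LOOSE_OPERATIONS and rule.value in privileged_roles:
            findings.append((rule.priority,
                             f"{rule.operation} '{rule.operand}' grants role {rule.value}"))
    return findings


# Rules copied from this guide's example outputs; putting them in one list
# with priorities 1 and 2 is a constructed arrangement for the demonstration.
PAGE_RULES = [
    Rule(1, "class", "contains", "admin", "set role", "root"),
    Rule(2, "Filter-Id", "equals", "nsFilter", "set vlan", "111"),
]

if __name__ == "__main__":
    # Constructed attribute values, not captured from a real RADIUS server.
    for attrs in ({"class": "netadmin"},
                  {"class": "nonadmin-contractors"},
                  {"class": "sales", "Filter-Id": "nsFilter"}):
        print(attrs, "->", derive(PAGE_RULES, attrs))
    for priority, reason in audit(PAGE_RULES, {"root"}):
        print(f"review rule {priority}: {reason}")
```

Run against the constructed attribute values, the class rule also assigns root to a value such as nonadmin-contractors, which is why audit lists substring-style matches that hand out a privileged role.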

Related Commands
Command           Description                                                                                   Mode
aaa server-group  Use aaa server-group to configure the settings displayed in the output of this show command.  Config mode

Command History
This command was introduced in AOS-W 3.0.


Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Enable or Config mode on master or local switches


show aaa state ap-group
show aaa state ap-group

Description
Show the names and ID numbers of your AP groups.

Example
This first example shows that the selected switch has two defined AP groups.

(host) #show aaa state ap-group

AP Group Table
--------------
Name  ID
----  --
ap1   1
ap2   2

Related Commands
Command           Description                                                                                Mode
aaa server-group  Use aaa server-group to define the AP groups displayed in the output of this show command.  Config mode

Command History
This command was introduced in AOS-W 3.0.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Enable or Config mode on master or local switches


show aaa state configuration
show aaa state configuration

Description
Display authentication state configuration information, including the numbers of successful and failed authentications.

Example
This example shows authentication settings and values for a switch with no current users.

(host) #show aaa state configuration

Authentication State
--------------------
Name                            Value
----                            -----
Switch IP                       10.6.2.253
Master IP                       10.100.103.253
Switch Role                     local
Current/Max/Total IPv4 Users    0/6/14
Current/Max/Total IPv6 Users    0/1/1
Current/Max/Total User Entries  0/4/15
Current/Max/Total Stations      121/190/367550
Captive Portal Users            4
802.1x Users                    119
VPN Users                       0
MAC Users                       0
Stateful 802.1x Users           0
Tunneled users                  0
Configured user roles           21
Configured session ACL          41
Configured destinations         32
Configured services             77
Configured Auth servers         9
Auth server in service          9
Radius server timeouts          7062

Successful authentications
--------------------------
Web  MAC  VPN  802.1x  Krb  RadAcct  SecureID  Stateful-802.1x  Management
---  ---  ---  ------  ---  -------  --------  ---------------  ----------
138  0    0    10117   0    0        0         0                0

Failed authentications
----------------------
Web  MAC  VPN  802.1x  Krb  RadAcct  SecureID  Stateful-802.1x  Management
---  ---  ---  ------  ---  -------  --------  ---------------  ----------
48   0    0    32235   0    0        0         0                0

Idled users              = 3366
Mobility                 = Enabled
fast age                 = Disabled
Bandwidth contracts      = 2/1
IP takeovers             = 21
Ping/SYN/Session attacks = 0/0/0


The output of the show aaa state configuration command includes the following parameters:

Parameter

Description

Switch IP

IP address of the local switch.

Master IP

IP address of the master switch.

Switch Role

Role assigned to the switch on which you issued the show aaa state command.

Current/Max/Total IPv4 Users

Current number of IPv4 users on the switch/Maximum number of IPv4 users that can be assigned to the switch at any time/Total number of IPv4 users that have been assigned to the switch since the last switch reboot.

Current/Max/Total IPv6 Users

Current number of IPv6 users on the switch/Maximum number of IPv6 users that can be assigned to the switch at any time/Total number of IPv6 users that have been assigned to the switch since the last switch reboot.

Current/Max/Total Users

Current number of users on the switch/Maximum number of users that can be assigned to the switch at any time/Total number of users that have been assigned to the switch since the last switch reboot.

Current/Max/Total Stations

Current number of stations registered with the switch/Maximum number of stations that can be registered with the switch at any time/Total number of stations that have registered with the switch since the last switch reboot.

Captive Portal Users

Number of current users authenticated via captive portal.

802.1x Users

Number of current users authenticated via 802.1X authentication.

VPN Users

Number of current users authenticated via VPN authentication.

MAC Users

Number of current users authenticated via MAC authentication.

Stateful 802.1x Users

Number of current users authenticated via stateful 802.1X authentication.

Tunneled users

Number of stations in tunneled forwarding mode, where 802.11 frames are tunneled to the switch using generic routing encapsulation (GRE).

Configured user roles

Number of configured user roles.

Configured session ACL

Number of configured session ACLs.

Configured destinations

Number of destinations configured using the netdestination command.

Configured services

Number of service aliases configured using the netservice command.

Configured Auth servers

Number of configured authentication servers.

Auth server in service

Number of authentication servers currently in service.

Radius server timeouts

Number of times the RADIUS server did not respond to the authentication request.


Web

Total number of captive portal authentications or authentication failures since the last switch reset.

MAC

Total number of MAC authentications or authentication failures since the last switch reset.

VPN

Total number of VPN authentications or authentication failures since the last switch reset.

802.1x

Total number of 802.1X authentications or authentication failures since the last switch reset.

Krb

Total number of Kerberos authentications or authentication failures since the last switch reset.

RadAcct

Total number of RADIUS accounting verifications or accounting failures since the last switch reset.

SecureID

Number of authentication verifications or failures using methods which use one-time passwords. (For example, EAP-GTC being used as the inner EAP protocol of EAP-PEAP.)

Stateful-802.1x

Total number of Stateful 802.1X authentications or authentication failures since the last switch reset.

Management

Total number of Management user authentications or authentication failures since the last switch reset.

Idled users

Total number of users that are not broadcasting data to an AP.

Mobility

Shows whether the IP mobility feature has been enabled or disabled on the switch.

fast age

The fast age feature allows the switch to actively send probe packets to all users with the same MAC address but different IP addresses. The users that fail to respond are purged from the system. This parameter shows if fast aging of user table entries has been enabled or disabled.

Bandwidth contracts

Number of configured bandwidth contracts on the switch.

IP takeovers

Number of times two different stations have attempted to use the same IP address (IP spoofing).

Ping/SYN/Session attacks

Number of reported ping, SYN and session attacks.

Command History
This command was introduced in AOS-W 3.0.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Enable or Config mode on master or local switches


show aaa state debug-statistics
show aaa state debug-statistics
Description
Show debug statistics for switch authentication, authorization and accounting.
Syntax
No parameters.
Example
The following example displays debug statistics for a variety of authentication errors:

(host) #show aaa state debug-statistics
user miss: ARP=47, 8021Q=5216, non-IP=0, zero-IP=0, loopback=0
user miss: mac mismatch=0, spoof=269 (74), drop=390, ncfg=0
user miss: non-auth opcode=0, no-l2-user=0, l2tp=0, vrrp=0, special mac=0, iap l3 user=0
Idled users = 3376
Idled users due to MAC mismatch = 0
Idled users due to SOS: wireless tunnel=0 wireless dtunnel=0
Idled users due to SOS: wired tunnel=0 wired dtunnel=0
Idled users due to SOS: other=0
Idled users due STM deauth: tunnel=0 dtunnel=0
Idled users from STM timeout: tunnel=0 dtunnel=0
Idled users from STM: other=0
Current users with STM idle flag = 0
Idle messages: SOS=0 STM deauth=0 STM timeout=0
Logon lifetime iterations = 4501, entries deleted = 121
SIP authentication messages received 29227, dropped 29227
Missing auth user deletes: 0
Captive-portal forced user deletes: 1
Mobility Stats
INTRA_MS 0, MAC mismatch 0, HA mismatch 0
INTER_MS 0, MAC mismatch 0, HA mismatch 0
MIP Update 0, Move 0, Del 0, TunAcl 0
AAA Done 0, Del 2
IPIP Loop forced Del: 0, Validate Visitor 0
Auth User rejects Received L2 User:0, IPV4 :0, IPV6:0
Auth User rejects Processed L2 User:0, IPV4 :0, IPV6:0

The output of this command includes the following parameters:

Parameter

Description

User Miss

ARP

Number of ARP packets sent between the datapath and the controlpath.

8021q

Number of 802.1q (VLAN tag) packets sent between the datapath and the controlpath.


non-ip

Number of non-IP type packets sent between the datapath and the controlpath.

zero-ip

Number of packets sent without an internet protocol (IP).

loopback

If 1, the switch has a defined loopback address. If 0, a loopback address has not yet been configured.

mac mismatch

Number of users that were not authenticated due to MAC mismatches.

spoof

Number of users that were not authenticated due to spoofed IP addresses.

drop

Number of user authentication attempts that were dropped.

ncfg

Number of packets sent between datapath and controlpath, where the authentication module has not completed the initialization required to process the traffic.

Non-auth opcode

Number of packets whose opcode is a non-auth opcode. This check determines whether the auth module is responsible for processing the received packet.

No-l2-user

Number of user packets dropped due to absence of an L2 entry for the user.

l2tp

Number of l2tp users.

vrrp

Number of VRRP users.

special mac

Number of users with a special MAC address.

iap

Number of instant AP users.

idled users

Number of inactive stations that are not broadcasting data to an AP.

idled users due to MAC mismatch

For internal use only.

Idled users due to SOS

wireless tunnel

Number of wireless users in tunnel forwarding mode that were aged out by the switch.

wireless dtunnel

Number of wireless users in decrypt tunnel forwarding mode that were aged out by the switch.

wired tunnel

Number of wired users in tunnel forwarding mode that were aged out by the switch.

wired dtunnel

Number of wired users in decrypt tunnel forwarding mode that were aged out by the switch.

Other

Number of users using modes other than tunnel or decrypt tunnel aged out by the switch.

Idled users due STM deauth

tunnel

Number of users in tunnel forwarding mode that aged out after STM deauthentication, and timer expiration.


dtunnel

Number of users in decrypt tunnel forwarding mode that aged out after STM deauthentication, and timer expiration.

Idled users from STM timeout

tunnel

Number of users in tunnel forwarding mode that aged out after the STM timer expired.

dtunnel

Number of users in decrypt tunnel forwarding mode that aged out after the STM timer expired.

Idled users from STM

other

Number of users in forwarding modes other than decrypt tunnel or tunnel mode that aged out after the STM timer expired.

Logon lifetime iteration

Number of users deleted for lack of activity.

SIP authentication message

Number of session initiation protocol (SIP) authentication messages received.

Missing auth user deletes

Number of users removed from the datapath by the auth module, even without a mapping entry in control path. This counter can help identify problems with messages sent between the controlpath and the datapath.

Mobility Stats

Number of different messages exchanged between the mobile IP and the auth module. NOTE: This is used for troubleshooting purposes only.

Captive-portal forced user deletes

Number of idle users deleted after captive portal authentication.

Auth User Rejects Received

L2 User

Number of authentication rejects received for L2 users from the datapath due to a failure of the operation.

IPv4

Number of authentication rejects received for IPv4 users from the datapath due to a failure of the operation.

IPv6

Number of authentication rejects received for IPv6 users from the datapath due to a failure of the operation.

Auth User Rejects Processed

L2 User

Number of authentication rejects for L2 users that were processed after the reject was received.

IPv4

Number of authentication rejects for IPv4 users that were processed after the reject was received.

IPv6

Number of authentication rejects for IPv6 users that were processed after the reject was received.
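Polling the user miss counters described above and alerting on their growth, as an added example that is not part of the guide. The second snapshot is constructed, the function names and thresholds are hypothetical, and the code assumes the counters are cumulative and restart from zero after a switch reset.

```python
import re

# First snapshot: the three "user miss" lines from the example output above.
SNAPSHOT_1 = """\
user miss: ARP=47, 8021Q=5216, non-IP=0, zero-IP=0, loopback=0
user miss: mac mismatch=0, spoof=269 (74), drop=390, ncfg=0
user miss: non-auth opcode=0, no-l2-user=0, l2tp=0, vrrp=0, special mac=0, iap l3 user=0
"""

# Second snapshot: constructed for this example (not taken from the guide).
SNAPSHOT_2 = """\
user miss: ARP=52, 8021Q=5301, non-IP=0, zero-IP=0, loopback=0
user miss: mac mismatch=0, spoof=305 (74), drop=391, ncfg=0
user miss: non-auth opcode=0, no-l2-user=0, l2tp=0, vrrp=0, special mac=0, iap l3 user=0
"""

# One "name=value" item. Names may contain spaces ("mac mismatch").
# The guide does not explain the parenthesised number after spoof,
# so anything following the first integer is ignored.
ITEM = re.compile(r"^\s*(?P<key>[^=]+?)\s*=\s*(?P<value>\d+)")


def parse_user_miss(text):
    """Return {counter name (lower case): value} from the 'user miss:' lines."""
    counters = {}
    for line in text.splitlines():
        label, sep, rest = line.strip().partition(":")
        if not sep or label.strip().lower() != "user miss":
            continue  # other statistics lines are out of scope here
        for item in rest.split(","):
            match = ITEM.match(item)
            if match:
                counters[match.group("key").lower()] = int(match.group("value"))
    return counters


def deltas(previous, current):
    """Growth of each counter between two polls.

    Assumption: a value lower than the previous one means the counters
    restarted (switch reset), so the current value is the growth.
    """
    growth = {}
    for key, now in current.items():
        before = previous.get(key, 0)
        growth[key] = now - before if now >= before else now
    return growth


def alerts(previous_text, current_text, thresholds):
    """Counters whose growth since the previous poll reached their threshold."""
    growth = deltas(parse_user_miss(previous_text), parse_user_miss(current_text))
    return sorted((name, growth[name])
                  for name, limit in thresholds.items()
                  if growth.get(name, 0) >= limit)


if __name__ == "__main__":
    # Hypothetical per-interval thresholds for the spoofing-related counters.
    limits = {"spoof": 10, "mac mismatch": 1, "drop": 10}
    for name, grown in alerts(SNAPSHOT_1, SNAPSHOT_2, limits):
        print(f"ALERT user miss counter '{name}' grew by {grown}")
```
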


Command History
Release    Modification
AOS-W 3.0  Command introduced
AOS-W 6.1  The Mobility Stats parameter was introduced.
AOS-W 6.2  Additional statistics for idled users and user rejects were introduced.

Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Enable or Config mode on master or local switches


show aaa state messages

Description
Display numbers of authentication messages sent and received.

Syntax
No parameters.

Usage Guidelines
This command displays a general overview of authentication statistics. To view authentication information for specific profiles such as a captive-portal, MAC or 802.1X authentication profile, issue the commands specific to those features.

Example
The output of this command displays tables of statistics for PAPI, RAW socket and Sibyte messages.

(host) #show aaa state messages

PAPI Messages
-------------
Msg ID  Name                    Since last Read  Total
------  ----                    ---------------  -----
5004    set master ip           2                2
7005    Set switch ip           1                1
7007    Set VLAN ip             5                5
66      delete xauth vpn users  1                1

RAW socket Messages
-------------------
Msg ID  Name                        Since last Read  Total
------  ----                        ---------------  -----
1       raw PAP req                 188              188
33      captive portal config       11113            11113
59      TACACS ACCT config for cli  1                1
60      TACACS ACCT config for web  1                1

Sibyte Messages
---------------
Opcode  Name        Sent Since Last Read  Sent Total  Recv Since Last Read  Recv Total
------  ----        --------------------  ----------  --------------------  ----------
2       bridge      21                    21          0                     0
4       session     4877                  4877        0                     0
11      ping        768                   768         768                   768
13      8021x       114563                114563      229126                229126
15      acl         803                   803         0                     0
16      ace         5519                  5519        0                     0
17      user        781821                781821      0                     0
27      bwm         3                     3           0                     0
29      wkey        27109                 27109       4                     4
42      nat         1                     1           0                     0
43      user tmout  4164                  4164        4160                  4160
56      forw unenc  1787103               1787103     0                     0
64      auth        5268                  5268        5267                  5267
94      aesccm key  17885                 17885       0                     0
111     dot1x term  196813                196813      151161                151161
114     rand        1614                  1614        1612                  1612
126     eapkey      1316231               1316231     2632462               2632462
114     rand        2                     2           0                     0

The output of this command contains the following parameters:

Parameter

Description

Msg ID

ID number for the message type.

Name

Message name.

Since last Read

Number of messages received since the buffer was last read.

Total

Total number of messages received since the switch was last reset.

opcode

Code number of the message type.

Sent Since last Read

Number of messages sent since the buffer was last read.

Sent Total

Total number of messages sent since the switch was last reset.

Recv Since last Read

Number of messages received since the buffer was last read.

Recv Total

Total number of messages received since the switch was last reset.

Command History
This command was introduced in AOS-W 3.0.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Enable or Config mode on master or local switches


show aaa state station
show aaa state station <A:B:C:D:E:F>
Description
Display AAA statistics for a station.
Syntax

Parameter <A:B:C:D:E:F>

Description MAC address of a station.

Example
The example below shows statistics for a station with four associated user IP addresses. The output of this command shows station data, the AAA profiles assigned to the station, and the station's authentication method.
(host) #show aaa state station 00:21:5c:85:d0:4b
Association count = 1, User count = 4
User list = 10.1.10.10 10.6.5.168 192.168.229.1 192.168.244.1
essid: ethersphere-wpa2, bssid: 00:1a:1e:8d:5b:31 AP name/group: AL40/corp1344 PHY: a, ingress=0x10e8 (tunnel 136)
vlan default: 65, assigned: 0, current: 65 cached: 0, user derived: 0, vlan-how: 0
name: MYCOMPANY\tgonzales, role:employee (default:logon, cached:employee, dot1x:), role-how: 1, acl:51/0, age: 00:02:50
Authentication: Yes, status: successful, method: 802.1x, protocol: EAP-MD5, server: vortex
dot1xctx:1 sap:1
Flags: mba=0
AAA prof: default-corp1344, Auth dot1x prof: default, AAA mac prof:, def role: logon
ncfg flags udr 1, mac 0, dot1x 1
Born: 1233767066 (Wed Feb 4 09:04:26 2009

Command History
This command was introduced in AOS-W 3.0.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Enable or Config mode on master and local switches


show aaa state user
show aaa state user <A.B.C.D>
Description
Display statistics for an authenticated user.
Syntax

Parameter <A.B.C.D>

Description IP address of a user.

Example
The example below shows statistics for a user with the IP address 10.1.10.11. The output of this command shows user data, the user's authentication method, and statistics for assigned roles, timers and flags.
(host) #show aaa state user 10.1.10.11
Name: MYCOMPANY\tsenter, IP: 10.1.10.11, MAC: 00:21:5c:85:d0:4a, Role:employee, ACL:51/0, Age: 00:01:46
Authentication: Yes, status: successful, method: 802.1x, protocol: EAP-MD5, server: vortex
Bandwidth = No Limit
Bandwidth = No Limit
Role Derivation: Default VLAN Derivation: Matched user rule
Idle timeouts: 0, ICMP requests sent: 0, replies received: 0, Valid ARP: 0
Mobility state: Associated, HA: Yes, Proxy ARP: No, Roaming: No Tunnel ID: 0 L3 Mob: 0
Flags: internal=0, trusted_ap=0, delete=0, l3auth=0, l2=1 mba=0
Flags: innerip=0, outerip=0, guest=0, station=0, download=1, nodatapath=0
Auth fails: 0, phy_type: a-HT, reauth: 0, BW Contract: up:0 down:0, user-how: 1
Vlan default: 65, Assigned: 0, Current: 65 vlan-how: 0
Mobility Messages: L2=0, Move=0, Inter=0, Intra=0, ProxyArp=0, Flags=0x0
Tunnel=0, SlotPort=0x1018, Port=0x10e2 (tunnel 130)
Role assigned: n/a, VPN: n/a, Dot1x: Name: employee role-how: 0
Essid: ethersphere-wpa2, Bssid: 00:1a:1e:11:6b:91 AP name/group: AL31/corp1344 Phy-type: a-HT
RadAcct sessionID:n/a
RadAcct Traffic In 0/0 Out 0/0 (0:0/0:0:0:0,0:0/0:0:0:0)
Timers: arp_reply 0, spoof reply 0, reauth 0
Profiles AAA:default-corp1344, dot1x:default, mac: CP: def-role:'logon' sip-role:''
ncfg flags udr 0, mac 0, dot1x 0
Born: 1233772328 (Wed Feb 4 10:32:08 2009)

Command History
This command was introduced in AOS-W 3.0.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Enable or Config mode on master and local switches


show aaa sygate-on-demand (deprecated)
show aaa sysgate-on-demand
Syntax
No parameters.
Command History

Release    Modification
AOS-W 3.0  Command introduced.
AOS-W 3.4  Command deprecated.


show aaa tacacs-accounting
show aaa tacacs-accounting

Description
Show configuration information for TACACS+ accounting servers.

Usage Guidelines
This command displays TACACS+ data for your switch if you have previously configured a TACACS+ server and server group. The output includes the current TACACS+ accounting mode (enabled or disabled), and the name of the TACACS+ server group.

Example

The output of the show aaa accounting tacacs command displays configuration information for a TACACS+ accounting server.

(host) #show aaa accounting tacacs

TACACS Accounting Configuration
-------------------------------
Parameter     Value
---------     -----
Mode          Enabled
Commands      configuration
Server-Group  tacacs1

The output of this command includes the following parameters:

Parameter

Description

Mode

Shows whether this server group is Enabled or Disabled.

Commands

Displays the types of commands that are reported to the TACACS server group.
• action reports action commands only.
• all reports all commands.
• configuration reports configuration commands only.
• show reports show commands only.

Server-Group

Shows whether this server is Enabled or Disabled.

Related Commands

Command aaa authentication-server tacacs
Description Configure the TACACS+ accounting feature.
Mode Config mode

Command aaa server-group
Description Add a configured authentication server to an ordered list in a server group, and configure server rules to derive a user role, VLAN ID or VLAN name from attributes returned by the server during authentication.
Mode Config mode

Command History
This command was introduced in AOS-W 3.0.


Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Enable or Config mode on master or local switches


show aaa tacacs-accounting

Description
Show TACACS accounting configuration.
Syntax
No parameters.
Example
The example below shows that TACACS accounting has been enabled, and that the TACACS server is in the server group acct-server.

(host) #show aaa tacacs-accounting

TACACS Accounting Configuration
-------------------------------
Parameter     Value
---------     -----
Mode          Enabled
Server-Group  acct-server

The output of this command includes the following parameters:

Parameter

Description

Mode

Shows if the TACACS accounting feature is enabled or disabled.

Server-Group

The server group that contains the active TACACS server.

Command History
This command was introduced in AOS-W 3.0.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Enable or Config mode on master and local switches


show aaa timers
Description
Show AAA timer values.
Syntax
No parameters
Example
The example below shows that the switch has all default timer values:
(host) #show aaa timers
User idle timeout = 6 minutes
Auth Server dead time = 10 minutes
Logon user lifetime = 5 minutes

Related Commands
Command aaa timers
Description Use aaa timers to define the settings displayed in the output of this show command.
Mode Config mode

Command History
This command was introduced in AOS-W 3.0.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Enable or Config mode on master and local switches


show aaa web admin-port
show aaa web admin-port
Description
Show the port numbers of HTTP and HTTPS ports used for web administration.
Syntax
No parameters.
Example
The example below shows that the switch is configured to use HTTPS on port 4343 or 443, and HTTP on port 8888.
(host) #show aaa web admin-port
https port = 4343
http port = 8888

Command History
This command was introduced in AOS-W 3.0.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Enable or Config mode on master and local switches


show aaa xml-api server
show aaa xml-api server [<server_ip>]
Description
Show a list of XML servers used for authentication, authorization and accounting.
Syntax

Parameter <server_ip>

Description
IP address of an XML API server. Include this parameter to see if a secret key is configured for the specified server.

Example
The output of this command shows that the switch has two configured XML API servers that are each referenced by two different AAA profiles. Note that user-defined servers will not have an entry in the Profile Status column.

(host) #show aaa xml-api statistics

XML API Server List
-------------------
Name      References  Profile Status
----      ----------  --------------
10.1.2.3  2
10.4.3.2  2

Command History
This command was introduced in AOS-W 3.0.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Enable or Config mode on master and local switches


show aaa xml-api statistics
show aaa xml-api statistics
Description
Display statistics for an external XML API server.
Syntax

Parameter <server_ip>

Description IP address of XML API server.

Usage Guidelines
Issue this command to troubleshoot AAA problems and monitor usage on an XML server.
Example
The example below shows AAA statistics for an external XML server with the IP address 10.1.2.3. This command shows the number of times that a particular event has occurred per client. The total number of times that the event has occurred is displayed first. The number of new events since the last time the counters were displayed is shown in parentheses.

(host) #show aaa xml-api statistics

Statistics                             10.1.2.3
----------                             --------
user_authenticate                      0 (0)
user_add                               0 (0)
user_delete                            0 (0)
user_blacklist                         0 (0)
user_query                             0 (0)
unknown user                           0 (0)
unknown role                           0 (0)
unknown external agent                 0 (0)
authentication failed                  0 (0)
invalid command                        0 (0)
invalid message authentication method  0 (0)
invalid message digest                 0 (0)
missing message authentication         0 (0)
missing or invalid version number      0 (0)
internal error                         0 (0)
client not authorized                  0 (0)
Cant use VLAN IP                       0 (0)
Invalid IP                             0 (0)
Cant use Switch IP                     0 (0)
missing MAC address                    0 (0)
Packets received from unknown clients: 0 (0)
Packets received with unknown request: 0 (0)
Requests Received/Success/Failed     : 0/0/0 (0/0/0)

The output of this command includes the following parameters:


Parameter

Description

user_authenticate

Number of users authenticated on the XML server since the last switch reboot.

user_add

Number of users added to the switch's user table.

user_delete

Number of users removed from the switch's user table.

user_blacklist

Number of denied user association requests.

user_query

Number of user queries performed.

unknown user

Number of unknown users.

unknown role

Number of unknown user roles.

unknown external agent

Number of requests by an unknown external agent.

authentication failed

Number of failed authentication requests.

invalid command

Number of invalid XML commands

invalid message authentication method

Number of XML commands with an invalid authentication method (when a key is configured on the switch).

invalid message digest

Number of XML commands with an invalid digest type (when a key is configured on the switch).

missing message authentication

Number of XML commands with a missing authentication method (when a key is configured on the switch).

missing or invalid version number

Number of commands with a missing or invalid version number. The version number should always be 1.0.

internal error

Number of internal server errors

client not authorized

Number of unauthorized clients

Cant use VLAN IP

Number of times a user IP is the same as the VLAN IP.

Invalid IP

Number of XML commands with an invalid IP address.

Cant use Switch IP

Redirection to an IP failed, possibly because the source IP has been NATted.

missing MAC address

Number of XML commands with a missing MAC address.

Packets received from unknown clients

Number of packets received from unknown clients.

Packets received with unknown request

Number of packets received with unknown request

Requests Received/Success/Failed

Total number of requests received / number of successful requests / number of failed requests


Command History
This command was introduced in AOS-W 3.0.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Enable or Config mode on master and local switches


show acl ace-table
show acl ace-table {ace <0-1999>}|{acl <1-2700>}
Description
Show an access list entry (ACE) table for an access control list (ACL).
Syntax

Parameter

Description

ace <0-1999>

Show a single ACE entry.

acl <1-2700>

Show all ACE entries for a single ACL.

Example
The following example shows that there are eighteen access control entries for ACL 1.
(host) #show acl ace-table acl 1
1020: any any 1 0-65535 0-65535 f80001:permit
1021: any any 17 0-65535 53-53 f80001:permit
1022: any any 17 0-65535 8211-8211 f80001:permit
1023: any any 17 0-65535 8200-8200 f80001:permit
1024: any any 17 0-65535 69-69 f80001:permit
1025: any any 17 0-65535 67-68 f80001:permit
1026: any any 17 0-65535 137-137 f80001:permit
1027: any any 17 0-65535 138-138 f80001:permit
1028: any any 17 0-65535 123-123 f80001:permit
1029: user 10.6.2.253 255.255.255.255 6 0-65535 443-443 f80001:permit
1030: user any 6 0-65535 80-80 d1f90,0000 f80021:permit dnat
1031: user any 6 0-65535 443-443 d1f91,0000 f80021:permit dnat
1032: any any 17 0-65535 500-500 f80001:permit
1033: any any 50 0-65535 0-65535 f80001:permit
1034: any any 17 0-65535 1701-1701 f80001:permit
1035: any any 6 0-65535 1723-1723 f80001:permit
1036: any any 47 0-65535 0-65535 f80001:permit
1037: any any 0 0-0 0-0 f180000:deny
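Parsing the ACE lines from the example above to audit the ACL, as an added example that is not part of the guide. The field meanings (source, destination, IP protocol number, source and destination port ranges, flags:action) are assumptions read off the sample output, and the function names are hypothetical.

```python
import re
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network

# ACE lines copied from the "show acl ace-table acl 1" example above.
SAMPLE = """\
1020: any any 1 0-65535 0-65535 f80001:permit
1021: any any 17 0-65535 53-53 f80001:permit
1022: any any 17 0-65535 8211-8211 f80001:permit
1023: any any 17 0-65535 8200-8200 f80001:permit
1024: any any 17 0-65535 69-69 f80001:permit
1025: any any 17 0-65535 67-68 f80001:permit
1026: any any 17 0-65535 137-137 f80001:permit
1027: any any 17 0-65535 138-138 f80001:permit
1028: any any 17 0-65535 123-123 f80001:permit
1029: user 10.6.2.253 255.255.255.255 6 0-65535 443-443 f80001:permit
1030: user any 6 0-65535 80-80 d1f90,0000 f80021:permit dnat
1031: user any 6 0-65535 443-443 d1f91,0000 f80021:permit dnat
1032: any any 17 0-65535 500-500 f80001:permit
1033: any any 50 0-65535 0-65535 f80001:permit
1034: any any 17 0-65535 1701-1701 f80001:permit
1035: any any 6 0-65535 1723-1723 f80001:permit
1036: any any 47 0-65535 0-65535 f80001:permit
1037: any any 0 0-0 0-0 f180000:deny
"""


@dataclass(frozen=True)
class Ace:
    index: int
    src: str
    dst: str
    proto: int        # assumed: IP protocol number (1 ICMP, 6 TCP, 17 UDP, ...)
    sport: tuple      # assumed: (low, high) source port range
    dport: tuple      # assumed: (low, high) destination port range
    flags: str        # opaque hex value before the colon; not interpreted
    action: str
    modifiers: tuple  # trailing words such as "dnat"


def _endpoint(tokens):
    """Consume one endpoint: a keyword or alias ("any", "user") or "IP MASK"."""
    tok = tokens.pop(0)
    try:
        IPv4Address(tok)
    except ValueError:
        return tok
    return str(IPv4Network(f"{tok}/{tokens.pop(0)}", strict=False))


def _range(tok):
    low, high = (int(part) for part in tok.split("-"))
    return low, high


def parse_ace(line):
    match = re.match(r"\s*(\d+):\s+(\S.*)$", line)
    if not match:
        raise ValueError(f"not an ACE line: {line!r}")
    tokens = match.group(2).split()
    try:
        src, dst = _endpoint(tokens), _endpoint(tokens)
        proto = int(tokens.pop(0))
        sport, dport = _range(tokens.pop(0)), _range(tokens.pop(0))
        # Skip opaque fields (e.g. "d1f90,0000") up to the "flags:action" token.
        while ":" not in tokens[0]:
            tokens.pop(0)
        flags, action = tokens.pop(0).split(":", 1)
    except (IndexError, ValueError) as exc:
        raise ValueError(f"malformed ACE line: {line!r}") from exc
    return Ace(int(match.group(1)), src, dst, proto, sport, dport,
               flags, action, tuple(tokens))


def parse_table(text):
    """Parse every line that starts with '<index>:'; skip prompts and blanks."""
    return [parse_ace(l) for l in text.splitlines() if re.match(r"\s*\d+:", l)]


def broad_permits(aces):
    """Indexes of permits matching any source, any destination, all ports."""
    return [a.index for a in aces
            if a.action == "permit" and a.src == a.dst == "any"
            and a.dport == (0, 65535)]


def ends_with_deny_all(aces):
    """True when the last entry denies any-to-any traffic."""
    last = aces[-1] if aces else None
    return last is not None and last.action == "deny" and last.src == last.dst == "any"


def nat_rules(aces):
    """(index, destination port, modifiers) for entries with an action modifier."""
    return [(a.index, a.dport[0], a.modifiers) for a in aces if a.modifiers]


if __name__ == "__main__":
    table = parse_table(SAMPLE)
    print("entries:", len(table))
    print("broad permits:", broad_permits(table))
    print("ends with deny-all:", ends_with_deny_all(table))
    print("NAT rules:", nat_rules(table))
```
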

Related Commands
Configure ACLs using the command ip access-list session.
Command History
This command was available in AOS-W 3.0.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Enable and Config mode on master switches


show acl acl-table
show acl acl-table <1-2700>
Description
Display information for a specified access control list (ACL).
Syntax

Parameter acl-table <1-2700>

Description Specify the number of the ACL for which you want to view information.

Example
The following example displays the ACL table for the switch.

(host) #show acl acl-table acl 1

AclTable
--------
ACL  Type  ACE Index  Ace Count  Name   Applied
---  ----  ---------  ---------  ----   -------
1    role  1459       18         logon  0

Total free ACE entries = 3591
Free ACE entries at the bottom = 2552
Next ACE entry to use = 1480 (table 1)
Ace entries reused 622 times
ACL count 64, tunnel acl 0

Ace entries reused 373 times
ACL count 64, tunnel acl 0

The output of this command displays the following parameters:

Parameter

Description

ACL

Number of the specified ACL.

Type

Shows the ACL type:
• role: Access list is used to define a user role.
• mac: MAC ACLs allow filtering of non-IP traffic. This ACL filters on a specific source MAC address or range of MAC addresses.
• session: Session ACLs define traffic and firewall policies on the switch.
• ether-type: This type of ACL filters on the Ethertype field in the Ethernet frame header, and is useful when filtering non-IP traffic on a physical port.
• standard: Standard ACLs are supported for compatibility with router software from other vendors. This ACL permits or denies traffic based on the source address of the packet.

ACE Index

Starting index entry for the ACL's access control entries.

ACE count

Number of access control entries in the ACL.


Name

Name of the access control list

Applied

Number of times the ACL was applied to a role.

Total free ACE entries

The total number of free ACE entries. This includes available ACE entries at the bottom of the list, as well as free ACE entries in the middle of the table from previous access list entries that were later removed.

Free ACE entries at the bottom

The total number of free ACE entries at the bottom of the list.

Next ACE entry to use

Ace number of the first free entry at the bottom of the list.

ACE entries reused

For internal use only.

ACL count

Total number of defined ACLs

Tunnel ACL

Total number of defined tunnel ACLs.

The following example displays the ACL table for ACL 1.

(host) #show acl ace-table acl 1

Acl Table
--------
ACL  Type  ACE Index  Ace Count  Name   Applied
---  ----  ---------  ---------  ----   -------
1    role  1020       18         logon  0

Total free ACE entries = 3591
Free ACE entries at the bottom = 2991
Next ACE entry to use = 1041 (table 1)
Ace entries reused 373 times
ACL count 64, tunnel acl 0

Related Commands
Configure ACLs using the command ip access-list session.

Command History
This command was available in AOS-W 3.0.

Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Enable and Config mode on master switches


show acl hits
show acl hits

Description
Show internal ACL hit counters.

Syntax
No parameters.

Usage Guidelines
Issue this command to see the number of times an access control list defined a user's role, or traffic and firewall policies for a user session.

Example

In the example below, the output of the User Role ACL Hits table is shown in two separate tables to allow the output to fit on a single page of this document. In the actual switch command-line interface, the User Role ACL Hits table is shown in a single, wide table.

(host) #show acl ace-table acl 1

User Role ACL Hits
------------------
Role     Policy      Src   Dst
----     ------      ---   ---
logon    control     any   any
logon    control     any   any
logon                any   any
visitor  vp-control  any   any
visitor  vp-control  any   any
visitor  vp-access   any   any
visitor  vp-access   user  mswitch-master
visitor  vp-access   any   any

User Role ACL Hits
------------------
Service      Action  Dest/Opcode  New Hits  Total Hits  Index
-------      ------  -----------  --------  ----------  -----
svc-icmp     permit               0         6           5052
svc-dhcp     permit               0         2           5057
0            deny                 0         53          5069
svc-dns      permit               9         46079       4885
svc-dhcp     permit               0         788         4886
svc-icmp     permit               0         536         4887
svc-http     permit               0         41          4889
6 9100-9100  permit               0         31          4892

Port Based Session ACL
----------------------
Policy     Src                     Dst  Service  Action  Dest/Opcode  New Hits  Total Hits  Index
------     ---                     ---  -------  ------  -----------  --------  ----------  -----
validuser  10.1.1.0 255.255.255.0  any  any      deny                 0         214         4655
validuser  any                     any  any      permit               6         2502        4656

Port ACL Hits
-------------
ACL ACE New Hits Total Hits Index
--- --- -------- ---------- -----
5 22 0

The output of this command includes the following information:

Parameter

Description

Role

Name of the role assigned by the ACL.

Policy

Name of the policy used by the ACL.

Src

The traffic source, which can be one of the following:
- <alias>: Name of a user-defined alias for a network host, subnetwork, or range of addresses.
- any: match any traffic.
- host: specify a single host IP address.
- network: specify the IP address and netmask.
- user: represents the IP address of the user.

Dst

The traffic destination, which can be one of the following:
- <alias>: Name of a user-defined alias for a network host, subnetwork, or range of addresses.
- any: match any traffic.
- host: specify a single host IP address.
- network: specify the IP address and netmask.
- user: represents the IP address of the user.

Service

Network service, which can be one of the following:
- IP protocol number (0-255)
- name of a network service (use the show netservice command to see configured services)
- any: match any traffic
- tcp: specify the TCP port number (0-65535)
- udp: specify the UDP port number (0-65535)

Action

Action if rule is applied, which can be one of the following:
- deny: reject packets
- dst-nat: perform destination NAT on packets
- dual-nat: perform both source and destination NAT on packets
- permit: forward packets
- redirect: specify the location to which packets are redirected
- src-nat: perform source NAT on packets

Dest/Opcode

The datapath destination ID.

New Hits

Number of ACL hits that occurred since this command was last issued.

Total Hits

Total number of ACL hits recorded since the switch last reset.

Index

Index number of the ACL.

ACL

ACL number

ACE

ACE number

New Hits

Number of times the ACL was applied since this command was last issued.

Total Hits

Number of times the ACL was applied since the switch was last reset.

Index

Index number of the ACL.
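As an added example (not part of the original guide), the following Python sketch parses captured show acl hits output and reports deny rules whose New Hits counter is non-zero, that is, rules that dropped traffic since the command was last issued. The sample text is constructed, and the whitespace-aligned row layout and the names parse_acl_hits and deny_with_new_hits are assumptions.

```python
from typing import List, NamedTuple, Tuple

# Action keywords listed in the parameter table for this command.
ACTIONS = {"deny", "dst-nat", "dual-nat", "permit", "redirect", "src-nat"}

# Constructed sample: the layout follows the Port Based Session ACL table, but
# the counters are made up so that the deny rule shows new hits.
SAMPLE_OUTPUT = """\
Port Based Session ACL
----------------------
Policy     Src                     Dst  Service      Action  Dest/Opcode  New Hits  Total Hits  Index
------     ---                     ---  -------      ------  -----------  --------  ----------  -----
validuser  10.1.1.0 255.255.255.0  any  any          deny                 3         217         4655
validuser  any                     any  6 9100-9100  permit               0         31          4656
validuser  any                     any  any          permit               6         2502        4657
"""


class AclHit(NamedTuple):
    match: Tuple[str, ...]  # tokens left of the action: policy, src, dst, service
    action: str
    dest_opcode: str        # empty when the column is blank
    new_hits: int           # hits since the command was last issued
    total_hits: int         # hits since the switch last reset
    index: int


def parse_acl_hits(text: str) -> List[AclHit]:
    """Parse data rows of the hit tables, skipping titles, headers and rules."""
    rows = []
    for line in text.splitlines():
        tokens = line.split()
        # Every data row ends in three counters: New Hits, Total Hits, Index.
        if len(tokens) < 5 or not all(t.isdigit() for t in tokens[-3:]):
            continue
        body = tokens[:-3]
        # Src ("10.1.1.0 255.255.255.0") and Service ("6 9100-9100") can span
        # several tokens, so find the action keyword from the right instead of
        # counting columns. Index 0 is excluded: a row needs a match part.
        pos = next(
            (i for i in range(len(body) - 1, 0, -1) if body[i] in ACTIONS),
            None,
        )
        if pos is None:
            continue
        rows.append(
            AclHit(
                match=tuple(body[:pos]),
                action=body[pos],
                dest_opcode=" ".join(body[pos + 1:]),
                new_hits=int(tokens[-3]),
                total_hits=int(tokens[-2]),
                index=int(tokens[-1]),
            )
        )
    return rows


def deny_with_new_hits(rows: List[AclHit]) -> List[AclHit]:
    """Deny rules that matched traffic since the previous poll."""
    return [r for r in rows if r.action == "deny" and r.new_hits > 0]


if __name__ == "__main__":
    for hit in deny_with_new_hits(parse_acl_hits(SAMPLE_OUTPUT)):
        print(f"index {hit.index}: {' '.join(hit.match)} "
              f"new={hit.new_hits} total={hit.total_hits}")
```

Because New Hits resets each time the command is issued, a poller built on this has to be the only consumer of the counter on that switch.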


Command History
This command was available in AOS-W 3.0.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Enable and Config mode on master switches


show adp config
show adp config
Description
Show Alcatel Discovery Protocol (ADP) configuration settings.
Syntax
No parameters.
Example
The following example shows that the switch has all default settings for ADP.

(host) #show adp config

ADP Configuration
-----------------
key        value
---        -----
discovery  enable
igmp-join  enable
igmp-vlan  0

The output of this command includes the following parameters:

Parameter

Description

discovery

Alcatel-Lucent APs send out periodic multicast and broadcast queries to locate the master switch. If the APs are in the same broadcast domain as the master switch and ADP is enabled on the switch, the switch automatically responds to the APs' queries with its IP address. This command shows whether ADP is enabled or disabled on the switch.

igmp-join

Shows whether the switch has enabled or disabled the sending of Internet Group Management Protocol (IGMP) join requests.

igmp-vlan

ID of the VLAN to which IGMP reports are sent. If this value is set to 0, the switch uses the default route VLAN.

Command History
This command was available in AOS-W 3.0.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Enable or Config mode on master switches


show adp counters
show adp counters
Description
Show Alcatel Discovery Protocol (ADP) counters.
Syntax
No parameters.
Example
The following example shows the ADP counter table for the switch.

(host) #show adp counters

ADP Counters
------------
key           value
---           -----
IGMP Join Tx  1
IGMP Drop Tx  0
ADP Tx        0
ADP Rx        0

The output of this command includes the following parameters:

Parameter

Description

IGMP Join Tx

Number of Internet Group Management Protocol (IGMP) join requests sent by the switch.

IGMP Drop Tx

Number of Internet Group Management Protocol (IGMP) drop requests sent by the switch.

ADP Tx

Number of ADP responses sent to APs.

ADP Rx

Number of multicast and broadcast queries received from APs trying to locate the master switch.

Command History
This command was available in AOS-W 3.0.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Enable or Config mode on master switches


show ap active
show ap active [ap-name <ap-name>|{arm-edge dot11a|dot11g|voip-only}|dot11a|dot11g|essid <essid>|ip-addr <ip-addr>|ip6-addr <ip6-addr>|{type access-point|air-monitor|(sensor dot11a|dot11g|voip-only)}|voip-only]
Description
Show all active APs registered to a switch.
Syntax

Parameter

Description

ap-name <ap-name>

View data for an AP with a specified name.

arm-edge

Show the state of ARM edge APs.

dot11a

Show 802.11a radio information.

dot11g

Show 802.11g radio information.

voip-only

Show AP information filtered by associated/active VoIP clients.

essid <essid>

View data for a specific ESSID (Extended Service Set Identifier). An ESSID is an alphanumeric name that uniquely identifies a wireless network. If the name includes spaces, you must enclose the ESSID in quotation marks.

ip-addr <ip-addr>

View data for an AP with a specified IP address by entering an IP address in dotted-decimal format.

ip6-addr <ip6-addr>

View data for an AP with a specified IPv6 address.

type

Show AP information filtered by type of AP.

access-point

Show information for Access Points only.

air-monitor

Show information for Air Monitors only.

sensor

Show only RFprotect Sensor information.

voip-only

Show AP information filtered by associated/active VoIP clients.

Usage Guidelines
This command displays details for all active APs on the switch. If an AP on your network does not appear in this table, it may have been classified as an inactive AP for any of the following reasons:
- The AP is configured with a missing or incorrect VLAN. (For example, the AP is configured to use a tunneled SSID of VLAN 2 but the switch doesn't have a VLAN 2.)
- The AP has an unknown AP group.
- The AP has a duplicate AP name.
- An AP with an external antenna is not provisioned with external antenna gain settings.
- Both radios on the AP are disabled.
- No virtual APs are defined on the AP.
- The AP has profile errors. Issue the command "show profile errors" for details.
- The GRE tunnel between the AP and the switch was blocked by a firewall after the AP became active.
- The AP is temporarily down while it is upgrading its software. The AP will become active again after upgrading.
- An AP has conflicting configuration settings. For example, if the AP system profile on a single radio dual-band AP configures the radio to use 802.11g, but the virtual AP profile on the AP is set to use 802.11a, the AP might not appear to be active.
- A remote AP model 5WN or 2WG attempted to connect to a switch without using IPsec.

Example
The output of the command in the example below shows that the switch sees an active AP.

(host)# show ap active

Active AP Table
---------------
Name  Group    IP Address   11g Clients  11g Ch/EIRP/MaxEIRP  11a Clients  11a Ch/EIRP/MaxEIRP  AP Type  Flags  Uptime  Outer IP
----  -----    ----------   -----------  -------------------  -----------  -------------------  -------  -----  ------  --------
AP1X  default  10.3.15.107  0            AP:HT:1/15/21.5      0            AP:HT:44/15/21       125      1E2    5m:48s  N/A

Flags: a = Reduce ARP packets in the air; A = Enet1 in active/standby mode; B = Battery Boost On; C = Cellular; D = Disconn. Extra Calls On; d = Drop Mcast/Bcast On; E = Wired AP enabled; K = 802.11K Enabled; L = Client Balancing Enabled; M = Mesh; N = 802.11b protection disabled; P = PPPOE; R = Remote AP; X = Maintenance Mode; 1 = 802.1x authenticated AP; 2 = Using IKE version 2;
The output of this command includes the following information:

Column

Description

Name

Name of an AP

Group

The AP is associated with this AP group.

IP address

IP address of the AP, in dotted decimal format.

11g Clients

Number of 802.11g clients using the AP.

11g Ch/EIRP/MaxEIRP

802.11g radio channel used by the AP/current Effective Isotropic Radiated Power (EIRP)/maximum EIRP.

11a Clients

Number of 802.11a clients using the AP.

11a Ch/EIRP/MaxEIRP

802.11a radio channel used by the AP/current EIRP/maximum EIRP.

AP Type

AP model type.

Flags

This column displays any flags for this AP. The list of flag abbreviations is also included in the output of the show ap active command.

- a = Reduce ARP packets in the air
- A = Enet1 in active/standby mode
- B = Battery Boost On
- d = Drop Mcast/Bcast On or Disconnected Sensor
- D = Disconn. Extra Calls On
- E = Wired AP enabled
- K = 802.11K Enabled
- L = Client Balancing Enabled
- M = Mesh
- N = 802.11b protection disabled
- P = PPPOE
- R = Remote AP
- R- = The remote AP requires captive portal authentication. Once this authentication is successfully completed, the R- flag changes to R.
- S = RFprotect Sensor
- U = USB modem
- X = Maintenance Mode

Uptime

Number of hours, minutes and seconds since the last switch reboot or bootstrap, in the format hours:minutes:seconds.

Command History
Release    Modification
AOS-W 3.0  Command introduced
AOS-W 6.1  The parameter ip6-addr was added to view data for an IPv6 AP.

Command Information

Platforms All platforms

Licensing Base operating system

Command Mode Enable or Config mode on master switches


show ap-group
show ap-group [<ap-group>]
Description
Show settings for an AP group.
Syntax

Parameter <ap-group>

Description The name of an AP group.

Usage Guidelines
Issue this command without the optional <ap-group> parameter to display the entire AP group list, including profile status for each profile. Include an AP group name to display detailed configuration information for that AP group profile.

Example

This first example shows that the switch has nine configured AP groups. The Name column lists the names of all configured AP groups. The Profile Status column indicates whether the AP group is predefined. (User-defined profiles will not have an entry in the Profile Status column.)

(host) #show ap-group

AP group List
-------------
Name              Profile Status
----              --------------
corp-office
branch-office-am
corp
corp1
Corp1-AM
Corp1-AM-Ch11
Corp1-AM-Ch6
corp1-AP85
corp1-lab

Total: 9

Include an AP group name to display a complete list of configuration settings for that profile. The example below shows settings for the AP group corp1.

(host) #show ap-group corp1

AP group "corp1"
------------------
Parameter                            Value
---------                            -----
Virtual AP                           corp1-guest
Virtual AP                           corp1-wpa2
802.11a radio profile                default
802.11g radio profile                profile1-g
Wired AP profile                     default
Ethernet interface 0 link profile    default
Ethernet interface 1 link profile    default
AP system profile                    corp1344
VoIP Call Admission Control profile  default
802.11a Traffic Management profile   N/A
802.11g Traffic Management profile   N/A
Regulatory Domain profile            corp1344-channel-profile
SNMP profile                         default
RF Optimization profile              handoff-aggressive
RF Event Thresholds profile          default
IDS profile                          ids-low-setting
Mesh Radio profile                   default
Mesh Cluster profile                 N/A

The output of this command includes the following parameters:

Parameter

Description

Virtual AP

Virtual AP profile that configures a specified WLAN.

802.11a radio profile

Profile that defines 802.11a radio settings for the AP group.

802.11g radio profile

Profile that defines 802.11g radio settings for the AP group.

Wired AP profile

Profile that defines wired port settings for APs assigned to the AP group.

Ethernet interface 0 link profile

Profile that defines the duplex and speed of the Ethernet 0 interface on the AP.

Ethernet interface 1 link profile

Profile that defines the duplex and speed of the Ethernet 0 interface on the AP.

AP system profile

Name of the AP system profile for the AP group.

VoIP Call Admission Control profile

Name of the AP system profile for the AP group.

802.11a Traffic Management profile

Name of the 802.11a WLAN traffic management profile for the AP group.

802.11g Traffic Management profile

Name of the 802.11g WLAN traffic management profile for the AP group.

Regulatory Domain profile

Name of the regulatory domain profile for the AP group.

SNMP profile

Name of the SNMP profile for the AP group.

RF Optimization profile

Name of the RF optimization profile for the AP group.

RF Event Thresholds profile

Name of the RF event thresholds profile for the AP group.

IDS profile

IDS profile for the AP group.

Mesh Radio profile

Mesh radio profile assigned to the AP group.

Mesh Cluster profile

Mesh cluster profile assigned to the AP group.

Related Commands
Configure AP group settings using the command ap-group.


Command History
This command was available in AOS-W 3.0.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Enable or Config mode on master switches


show ap-name
show ap-name [<ap-name>]
Description
Show a list of AP names. Include the <ap-name> parameter to display detailed configuration information for that AP.
Syntax

Parameter <ap-name>

Description The name of an AP.

Example

This first example shows that the switch has eight registered APs. The Name column lists the names of each registered AP. Note that APs are all user-defined, so they will not have an entry in the Profile Status column.

(host) #show ap-name

AP name List
------------
Name            Profile Status
----            --------------
mp3
sw-ad-ap124-11
sw-ad-ap125-13
sw-ad-ap125-15
sw-ad-ap125-17
sw-ad-ap125-18
sw-ad-ap125-19
sw-ad-ap125-3

Total: 8

Include an AP name to display a complete list of configuration settings for that AP. If the AP has default settings, the value may appear as N/A. The AP in the example below has all default profile settings.

(host) #show ap-name mp3

AP name "mp3"
-------------
Parameter                            Value
---------                            -----
Virtual AP                           N/A
Excluded Virtual AP                  N/A
802.11a radio profile                N/A
802.11g radio profile                N/A
Wired AP profile                     N/A
Ethernet interface 0 link profile    N/A
Ethernet interface 1 link profile    N/A
AP system profile                    N/A
VoIP Call Admission Control profile  N/A
802.11a Traffic Management profile   N/A
802.11g Traffic Management profile   N/A
Regulatory Domain profile            N/A
RF Optimization profile              N/A
RF Event Thresholds profile          N/A
IDS profile                          N/A
Mesh Radio profile                   N/A
Mesh Cluster profile                 N/A
Excluded Mesh Cluster profile        N/A

The output of this command includes the following parameters:


Parameter

Description

Virtual AP

Virtual AP profile that configures a specified WLAN.

Excluded Virtual AP

Excludes the specified mesh cluster profile from this AP.

802.11a radio profile

Profile that defines 802.11a radio settings for the AP.

802.11g radio profile

Profile that defines 802.11g radio settings for the AP.

Wired AP profile

Profile that defines wired port settings for APs assigned to the AP.

Ethernet interface 0 link profile

Profile that defines the duplex and speed of the Ethernet 0 interface on the AP.

Ethernet interface 1 link profile

Profile that defines the duplex and speed of the Ethernet 0 interface on the AP.

AP system profile

Name of the AP system profile for the AP.

VoIP Call Admission Control profile

Name of the AP system profile for the AP.

802.11a Traffic Management profile

Name of the 802.11a WLAN traffic management profile for the AP group.

802.11g Traffic Management profile

Name of the 802.11g WLAN traffic management profile for the AP.

Regulatory Domain profile

Name of the regulatory domain profile for the AP.

RF Optimization profile

Name of the RF optimization profile for the AP.

RF Event Thresholds profile

Name of the RF event thresholds profile for the AP.

IDS profile

IDS profile for the AP.

Mesh Radio profile

Mesh radio profile assigned to the AP.

Mesh Cluster profile

Mesh cluster profile assigned to the AP.

Excluded Mesh Cluster profile

Excludes the specified mesh cluster profile from this AP.

Related Commands
Configure AP settings using the command ap-name.
Command History
This command was available in AOS-W 3.0.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Enable or Config mode on master and local switches


show ap allowed-channels
show ap allowed-channels [<ap-name>|<country-code>|<ip-addr>]
Description
This command shows configuration information for Captive portal authentication profiles.
Syntax

Parameter

Description

<ap-name>

Name of an AP.

<country-code>

Specify a country code to display allowed channels for that country.

<ip-addr>

IP address of an AP, in dotted-decimal format.

Usage Guidelines
Specify the country code for your switch during initial setup. Changing the country code causes the valid channel lists to be reset to the defaults for that country.
Examples
The output of this example shows all allowed channels for the country code US.

(host)# show ap allowed-channels US

Allowed Channels for Country Code "US"
--------------------------------------
PHY Type                 Allowed Channels
--------                 ----------------
802.11g (indoor)         1 2 3 4 5 6 7 8 9 10 11
802.11a (indoor)         36 40 44 48 149 153 157 161 165
802.11g (outdoor)        1 2 3 4 5 6 7 8 9 10 11
802.11a (outdoor)        149 153 157 161 165
802.11g 40MHz (indoor)   1-5 2-6 3-7 4-8 5-9 6-10 7-11
802.11a 40MHz (indoor)   36-40 44-48 149-153 157-161
802.11g 40MHz (outdoor)  1-5 2-6 3-7 4-8 5-9 6-10 7-11
802.11a 40MHz (outdoor)  149-153 157-161

Command History
Introduced in AOS-W 3.0.

Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Enable or Config mode on master switches


show ap ap-group
show ap ap-group {ap-name <ap-name>|bssid <bssid>|ip-addr <ip-addr>}
Description
Show the AP group settings for an individual AP.
Syntax

Parameter

Description

ap-name <ap-name>

Show data for an AP with a specific name.

bssid <bssid>

Show data for a specific Basic Service Set Identifier (BSSID). An AP's BSSID is usually the AP's MAC address.

ip-addr <ip-addr>

Show data for an AP with a specific IP address. Enter the IP address in dotted-decimal format.

Usage Guidelines
Use this command to display the contents of an AP's group profile. If you know the name of the group whose profile settings you want to view, use the command show ap-group <profile-name>. To view a list of all configured AP groups on your switch, use the command show ap-group.

Examples

In the example below, the output of this command lists the profiles associated with the AP group Corp13.

(host) #show ap ap-group AP2

AP group "corp13"
------------------
Parameter                            Value
---------                            -----
Virtual AP                           corp13-guest
Virtual AP                           corp13-ether-wpa2
Virtual AP                           corp13-ether-voip
Virtual AP                           corp13-ether-comm
802.11a radio profile                default
802.11g radio profile                default
Wired AP profile                     default
Ethernet interface 0 link profile    default
Ethernet interface 1 link profile    default
AP system profile                    corp13
VoIP Call Admission Control profile  default
802.11a Traffic Management profile   N/A
802.11g Traffic Management profile   N/A
Regulatory Domain profile            corp13-channel-profile
SNMP profile                         default
RF Optimization profile              handoff-aggressive
RF Event Thresholds profile          default
IDS profile                          ids-low-setting
Mesh Radio profile                   default
Mesh Cluster profile                 N/A


Related Commands

Command ap-group

Description Configure your AP groups and AP group profiles.

Mode Config mode

Command History
Introduced in AOS-W 3.0.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Enable or Config mode on master switches


show ap arm history
show ap arm history {ap-name <ap-name>}|{bssid <bssid>}|{ip-addr <ip-addr>}
Description
For each interface on an AP, show the history of channel and power changes due to Adaptive Radio Management (ARM).
Syntax

Parameter

Description

ap-name <ap-name>

Show ARM history for an AP with a specific name.

bssid <bssid>

Show ARM history for a specific Basic Service Set Identifier (BSSID) on an AP. An AP's BSSID is usually the AP's MAC address.

ip-addr <ip-addr>

Show ARM history for an AP with a specific IP address. Enter the IP address in dotted-decimal format.

Examples

Adaptive Radio Management (ARM) can automatically change channel and power levels based on a number of factors such as noise levels and radio interference. The output of the show ap arm history command shows you an AP's channel and power changes over time, and the reason why those changes took place.

(host)# #(ethersphere-lms3) #show ap arm history ap-name AP-16

Interface :wifi0
ARM History
-----------
Reason  Old channel  New channel  Old Power  New Power  Last change
------  -----------  -----------  ---------  ---------  -----------
P-      153-         153-         12         9          3d:14h:56m:48s
P+      153-         153-         9          12         3d:13h:44m:7s
P+      153-         153-         12         15         3d:13h:23m:5s
P+      153-         153-         15         18         3d:13h:16m:32s
P+      153-         153-         18         21         3d:11h:42m:42s
P-      153-         153-         21         15         3d:8h:16m:12s

Interface :wifi1
ARM History
-----------
Reason  Old channel  New channel  Old Power  New Power  Last change
------  -----------  -----------  ---------  ---------  -----------
P-      11           11           15         12         3d:18h:22m:28s
P+      11           11           12         15         3d:18h:17m:27s
P-      11           11           15         12         3d:18h:9m:9s
P+      11           11           12         15         3d:17h:48m:41s
P+      11           11           15         18         3d:17h:44m:34s
P-      11           11           18         15         3d:17h:39m:11s
P-      11           11           15         12         3d:17h:32m:39s
P+      11           11           12         15         3d:17h:26m:15s

I: Interference, R: Radar detection, N: Noise exceeded, E: Error threshold exceeded, INV: Invalid Channel, G: Rogue AP Containment, M: Empty Channel, P+: Increase Power, P-: Decrease Power, OFF: Turn off Radio, ON: Turn on Radio

The output of this command includes the following information:


Parameter

Description

Reason

This column displays one of the following codes to indicate why the channel or power change was made.
- I: Interference
- R: Radar detected
- N: Noise exceeded
- E: Error threshold exceeded
- INV: Invalid Channel
- G: Rogue AP Containment
- M: Empty Channel
- P+: Increase Power
- P-: Decrease Power
- OFF: Turn off Radio
- ON: Turn on Radio
The Reason key appears at the bottom of the ARM History table.

Old Channel

Channel number used by the AP interface before the ARM change.

New Channel

Channel number used by the AP interface after the ARM change.

Old Power

Power level of the AP interface before the ARM change.

New Power

Power level of the AP interface after the ARM change.

Last Change

Time elapsed since the change, in the format days:hours:minutes:seconds.

Command History
Introduced in AOS-W 3.0.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Enable or Config mode on master or local switches


show ap arm neighbors
show ap arm neighbors {ap-name <ap-name>}|{bssid <bssid>}|{ip-addr <ip-addr>}
Description
Show the ARM settings for an AP's neighbors.
Syntax

Parameter

Description

ap-name <ap-name>

Show data for an AP with a specific name.

bssid <bssid>

Show data for a specific Basic Service Set Identifier (BSSID). An AP's BSSID is usually the AP's MAC address.

ip-addr <ip-addr>

Show data for an AP with a specific IP address. Enter the IP address in dotted-decimal format.

Examples
The output of this command shows ARM neighbor information for both the wifi1 and wifi0 interfaces on AP ap70_1.

(host)# show ap arm neighbors ap70_1

Interface:wifi1
00:1b:2f:e6:1c:d0:known-interfering/SNR-1/CH-1
00:19:e3:31:55:f2:known-interfering/SNR-7/CH-1
00:1f:f3:01:4d:3f:known-interfering/SNR-1/CH-1
00:18:39:96:b4:16:known-interfering/SNR-0/CH-1
00:11:24:ec:49:05:known-interfering/SNR-0/CH-1

Interface:wifi0
00:19:7e:4d:8a:1d:known-interfering/SNR-0/CH-1
00:19:a9:ce:13:90:interfering/SNR-0/CH-4
00:19:7e:4d:80:df:known-interfering/SNR-0/CH-1
00:11:24:90:17:d4:known-interfering/SNR-0/CH-1
00:16:b6:f4:59:94:known-interfering/SNR-0/CH-1
00:14:51:6d:d1:d5:known-interfering/SNR-0/CH-1

Command History
Introduced in AOS-W 3.0.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Enable or Config mode on master switches


show ap arm rf-summary
show ap arm rf-summary {ap-name <ap-name>}|{bssid <bssid>}|{ip-addr <ip-addr>}
Description
Show the state and statistics for all channels being monitored by an individual AP.
Syntax

Parameter

Description

ap-name <ap-name>

Show channel data for an AP with a specific name.

bssid <bssid>

Show channel data for a specific Basic Service Set Identifier (BSSID) on an AP. An AP's BSSID is usually the AP's MAC address.

ip-addr <ip-addr>

Show channel data for an AP with a specific IP address. Enter the IP address in dotted-decimal format.

Examples

The output of this command shows detailed information for the individual channels being monitored and statistics for each AP interface. Use this command to verify an AP's RF health, or to determine why multiple APs in the same area are on the same channel.

(host)# show ap arm rf-summary ap-name ap21

Channel Summary
---------------
channel  retry  phy-err  mac-err  noise  cov-idx  intf_idx
-------  -----  -------  -------  -----  -------  --------
161      0      0        9        86     0/0      0/0//0/0
1        0      0        0        65     0/0      553/48//0/0
48       0      0        2        81     0/0      71/0//0/0
165      0      0        2        90     0/0      0/324//0/0
5        0      0        0        66     0/0      0/453//0/0
6        0      0        30       70     0/0      268/568//0/0
7        0      0        0        67     0/0      0/1552//0/0
149      0      0        27       87     0/0      67/265//0/0
11       0      0        16       72     8/0      2618/51//0/0
36       0      0        7        81     0/0      0/0//0/0
153      0      0        0        86     0/0      119/340//0/0
40       0      0        6        81     0/0      0/44//0/0
157      0      0        12       91     0/0      0/40//0/0
44       0      0        6        85     0/0      0/0//0/0

HT Channel Summary
------------------
channel_pair  Pairwise_intf_index
------------  -------------------
1-5           1054
7-11          4221
149-153       791
36-40         44
157-161       40
44-48         7

The output of this command includes the following information:


Parameter

Description

channel

Number of a radio channel used by the AP.

retry

Number of 802.11 retry frames sent because a client failed to send an ACK.

phy-err

Number of PHY errors on the AP's current channel seen during the last second.

mac-err

Number of MAC errors on the AP's current channel seen during the last second.

noise

Current noise level, in -dBm.

cov-idx

The AP uses this metric to measure RF coverage. The coverage index is calculated as x+y, where "x" is the AP's weighted calculation of the Signal-to-Noise Ratio (SNR) on all valid APs on a specified 802.11 channel, and "y" is the weighted calculation of the Alcatel-Lucent APs SNR the neighboring APs see on that channel.

intf_idx

The AP uses this metric to measure co-channel and adjacent channel interference. The Interference Index is calculated as a/b//c/d, where:
- Metric value "a" is the channel interference the AP sees on its selected channel.
- Metric value "b" is the interference the AP sees on the adjacent channel.
- Metric value "c" is the channel interference the AP's neighbors see on the selected channel.
- Metric value "d" is the interference the AP's neighbors see on the adjacent channel.
- To calculate the total Interference Index for a channel add "a+b+c+d".

Interface Name

Name of the fastethernet or gigabit Ethernet interface

Current ARM Assignment

Current channels assigned by the AP's ARM profile.

Target Coverage Index

Ideal value of coverage index an AP tries to achieve on its channel.

Covered channels a/g

Number of channels that are currently being used by an AP's BSSIDs.

Free channels a/g

Number of channels that are available to an AP because that channel has a lower interference index.

ARM Edge State

If enabled, ARM-enabled APs on the network edge will not become Air Monitors.

Last check channel/pwr

Time elapsed since the AP checked its channel and power settings, in hour:minute:second format.

Last change channel/pwr

Time elapsed since the AP changed its channel and power settings, in hour:minute:second format.
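
The intf_idx and cov-idx arithmetic described in the table above, as an added Python example that is not part of the original guide: it parses Channel Summary rows, computes a+b+c+d per channel, and ranks channels from least to most interference. The sample rows are constructed in the Channel Summary column order; reading the two cov-idx numbers as x/y and the names parse_channel_summary and rank_by_interference are assumptions.

```python
import re
from typing import List, NamedTuple

# Constructed sample in the column order of the Channel Summary table.
SAMPLE_OUTPUT = """\
Channel Summary
---------------
channel  retry  phy-err  mac-err  noise  cov-idx  intf_idx
-------  -----  -------  -------  -----  -------  --------
161      0      0        9        86     0/0      0/0//0/0
1        0      0        0        65     0/0      553/48//0/0
11       0      0        16       72     8/0      2618/51//0/0
6        0      0        30       70     0/0      268/568//0/0

HT Channel Summary
------------------
channel_pair  Pairwise_intf_index
------------  -------------------
1-5           1054
"""

# channel retry phy-err mac-err noise x/y a/b//c/d
ROW = re.compile(
    r"^(?P<channel>\d+)\s+(?P<retry>\d+)\s+(?P<phy>\d+)\s+(?P<mac>\d+)\s+"
    r"(?P<noise>\d+)\s+(?P<x>\d+)/(?P<y>\d+)\s+"
    r"(?P<a>\d+)/(?P<b>\d+)//(?P<c>\d+)/(?P<d>\d+)$"
)


class ChannelStats(NamedTuple):
    channel: int
    mac_err: int
    noise: int          # printed as a positive number; the unit is -dBm
    cov_idx: int        # x + y
    own_intf: int       # a + b: interference this AP sees
    neighbor_intf: int  # c + d: interference the AP's neighbors see
    total_intf: int     # a + b + c + d


def parse_channel_summary(text: str) -> List[ChannelStats]:
    """Return one ChannelStats per Channel Summary row, in output order."""
    stats = []
    for raw in text.splitlines():
        line = raw.strip()
        fields = line.split()
        # Channel rows have seven fields and start with a channel number;
        # titles, header rules and HT Channel Summary rows do not.
        if len(fields) != 7 or not fields[0].isdigit():
            continue
        m = ROW.match(line)
        if m is None:
            # A row that looks like channel data but has a damaged index
            # (for example a wrapped or truncated capture) is rejected
            # rather than silently dropped from the ranking.
            raise ValueError(f"malformed Channel Summary row: {raw!r}")
        g = {k: int(v) for k, v in m.groupdict().items()}
        own = g["a"] + g["b"]
        neighbor = g["c"] + g["d"]
        stats.append(
            ChannelStats(
                channel=g["channel"],
                mac_err=g["mac"],
                noise=g["noise"],
                cov_idx=g["x"] + g["y"],
                own_intf=own,
                neighbor_intf=neighbor,
                total_intf=own + neighbor,
            )
        )
    return stats


def rank_by_interference(stats: List[ChannelStats]) -> List[ChannelStats]:
    """Least-interfered channel first; ties broken by channel number."""
    return sorted(stats, key=lambda s: (s.total_intf, s.channel))


if __name__ == "__main__":
    for s in rank_by_interference(parse_channel_summary(SAMPLE_OUTPUT)):
        print(f"channel {s.channel:>3}: total intf {s.total_intf:>5}, "
              f"cov-idx {s.cov_idx}, noise -{s.noise} dBm")
```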

Command History
Introduced in AOS-W 3.0.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Enable or Config mode on master switches


show ap arm scan-times
show ap arm scan-times {ap-name <ap-name>|bssid <bssid>|ip-addr <ip-addr>}
Description
Show AM channel scan times for an individual AP.
Syntax

Parameter

Description

ap-name <ap-name>

Show channel scan data for an AP with a specific name.

bssid <bssid>

Show channel scan data for a specific Basic Service Set Identifier (BSSID) on an AP. An AP's BSSID is usually the AP's MAC address.

ip-addr <ip-addr>

Show channel scan data for an AP with a specific IP address. Enter the IP address in dotted-decimal format.

Examples
The output of this command shows scan times for every channel on an AP with the IP address 10.15.10.37.

(host)# show ap arm scan-times ip-addr 10.15.10.37

Channel Scan Time
-----------------
channel  assign-time  scans-attempted  scans-rejected  dos-scans  flags  timer-tick
-------  -----------  ---------------  --------------  ---------  -----  ----------
36       8579         349              0               0          DVACT  50598
40       2365         349              0               0          DVACT  50610
44       2495         349              0               0          DVACT  50621
48       9714         349              0               0          DVACT  50656
52       0            349              0               0          DA     50643
56       0            349              0               0          DA     50655
60       0            348              0               0          DA     50519
64       0            348              0               0          DA     50530
149      5546         348              0               0          DVACT  50542
153      2310         348              0               0          DVACT  50553
157      6094         348              0               0          DVACT  50565
161      3014         348              0               0          DVACT  50576
165      10538        348              0               0          DVACT  50587
1        4194         97               0               0          DVACT  50594
2        0            97               0               0          DAC    50604
3        0            97               0               0          DAC    50615
4        0            97               0               0          DAC    50627
5        0            97               0               0          DC     50638
6        4076         97               0               0          DVACT  50656
7        0            96               0               0          DAC    50538
8        0            97               0               0          DC     50549
9        0            97               0               0          DC     50561
10       0            97               0               0          DAC    50572
11       3710         97               0               0          DVACT  50583

D: Default, V: Valid, A: AP Present, C: Reg Domain Channel, O: DOS Channel, T:20MHZ Channel, F: 40MHz Channel, L: Reg Domain 40MHz Channel (lower), U: Reg Domain 40MHz channel (U)

WIF Scan Time
-------------
channel  last-scan-channel  current-scan-channel  last-dos-channel
-------  -----------------  --------------------  ----------------
48       56/50655           56                    0

The output of this command includes the following parameters:

Parameter             Description
channel               A radio channel on the specified AP.
Assign-time           The amount of time that an AP has been on a channel.
scans-attempted       The number of times an AP has attempted to scan another channel.
scans-rejected        The number of times an AP attempted to scan a channel, but was unable to scan because the scan was halted by the power save, VoIP aware or load aware ARM features.
dos-scans             The number of times an AP enabled with the rogue aware scanning feature had to contain a rogue device on a channel.
flags                 The flags column displays additional relevant information about the channel. The flags key appears at the bottom of the Channel Scan Time table.
timer tick            Timer tick at which the last scan was attempted.
last-scan-channel     The last channel scanned by the AP.
current-scan-channel  The AP's current channel.
last-dos-channel      The last channel that had to be contained because a rogue device was detected on that channel.

Command History
Introduced in AOS-W 3.0.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Enable or Config mode on master switches


show ap arm state
show ap arm state [ap-name <ap-name>|dot11a|dot11g|ip-addr <ip-addr>]
Description
Display Adaptive Radio Management (ARM) information for an individual AP's neighbors, or show all available data for any neighboring AP using an 802.11a or 802.11g radio type.
Syntax

Parameter          Description
ap-name <ap-name>  Show aggregate ARM Neighbor Information for a specific AP.
dot11a             Show aggregate ARM Neighbor Information for all APs using an 802.11a radio.
dot11g             Show aggregate ARM Neighbor Information for all APs using an 802.11g radio.
ip-addr <ip-addr>  Show aggregate ARM Neighbor Information for an AP with a specific IP address by entering its IP address in dotted-decimal format.

Usage Guidelines
The output of the show ap arm state command shows 802.11a and 802.11g information for all APs. Include an AP name or IP address to show data for just a single AP, or use the dot11a or dot11g keywords to show data for all APs using that radio type.

Examples
The output of this command shows 802.11a information for all neighboring APs.

(host)# show ap arm state

show ap arm state ap-name AP49

AP-1249:10.100.139.233:52:21:26-Edge:disable : Client Density:13
Neighbor Data
-------------
Name  IP Address      SNR  Assignment  Neighbor Density
----  ----------      ---  ----------  ----------------
AP42  10.100.139.249  41   52/21       13/17/100/76
AP09  10.100.139.224  22   56/21       3/5/23/60
AP48  10.100.139.241  36   60/21       9/11/69/81

The output of this command includes the following information:

Column            Description
Name              Name of an AP.
IP address        IP address of an AP.
SNR               Signal-to-noise (SNR) ratio. SNR is the power ratio between an information signal and the level of background noise.
Assignment        The AP's current channel assignment.
Neighbor Density  The neighborhood density for the specified AP is listed with the values A/B/C/D, where:
                  • A = Number of the AP's clients heard in the AP neighbor's client list
                  • B = Number of clients in AP neighbor's client list
                  • C = Density percentage (AP clients heard in the AP neighbor client list / AP client density * 100)
                  • D = Density percentage (AP clients heard in the AP neighbor's client list / neighbor client density * 100)

Command History
Version    Description
AOS-W 3.0  Command introduced
AOS-W 6.1  The neighbor density parameter was introduced.

Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Enable or Config mode on master switches


show ap association
show ap association [ap-name <ap-name>|ap-group <ap-group>|bssid <bssid>|channel <channel>|client-mac <client-mac>|essid <essid>|ip-addr <ip-addr>|phy {a|b|g}|voip-only]
Description
Show the association table for an AP group or for an individual AP.
Syntax

Parameter                Description
ap-group <ap-group>      Show AP associations for a specific AP group. You can also include the channel, essid or voip-only keywords to further filter the output of this command.
ap-name <ap-name>        Show AP associations for a specific AP. You can also include the essid, phy or voip-only keywords to further filter the output of this command.
bssid <bssid>            Show the AP associations for a specific AP Basic Service Set Identifier (BSSID). The Basic Service Set Identifier (BSSID) is usually the AP's MAC address.
channel <channel>        Show AP associations for an individual channel by specifying the channel for which you want to view information.
client-mac <client-mac>  Show the AP associations for a specific MAC address by entering the MAC address of a client for which you want to view association information.
essid <essid>            Show AP associations for an Extended Service Set Identifier (ESSID). An Extended Service Set Identifier (ESSID) is an alphanumeric name that uniquely identifies a wireless network. If the name includes spaces, you must enclose the ESSID in quotation marks.
ip-addr <ip-addr>        Show AP associations for a specific AP by entering an IP address in dotted-decimal format. You can also include the essid, phy or voip-only keywords to further filter the output of this command.
phy                      Include the phy [a|b|g] keywords to show associations for a specific 802.11 radio type, either 802.11a, 802.11b or 802.11g.
voip-only                Show VoIP client information only.

Usage Guidelines
Use this command to check if a user is connected to an AP. This command validates whether the client is associated and indicates the last AP to which it was connected. If the flags column shows an 'A', the client is currently associated with that AP. Alternatively, if the client is not currently associated, the AP with the smallest value of association time is the last AP used by the client.
Example
Use the show ap association client-mac command to verify that a user has associated with an AP, or to determine the last AP to which the client was connected. The output of this command in the example below shows the association table for the client with the MAC address 00:13:fd:5c:7c:59. If the flags column in the output of this command shows an 'A', the client associated last to that AP. Alternatively, the AP with the smallest value of association time is the last AP to which the client had associated.
In the example below, the output of this command has been broken into two separate tables to better fit this page. In the actual output of the command, this information is shown in a single, wide table.

(host) #show ap association client-mac 00:13:fd:5c:7c:59

Flags: W: WMM client, A: Active, R: RRM client
PHY Details: HT: High throughput; 20: 20MHz; 40: 40MHz
ss: spatial streams

Association Table
-----------------
Name  bssid              mac                auth  assoc  aid  l-int  essid
----  -----              ---                ----  -----  ---  -----  -----
AL12  00:1a:1e:11:5f:11  00:21:5c:50:b1:ed  y     y      12   10     ethersphere-wpa2
AL5   00:1a:1e:88:88:31  00:19:7d:d6:74:93  y     y      6    10     ethersphere-wpa2

Association Table
-----------------
vlan-id  tunnel-id  phy             assoc. time  num assoc  Flags
-------  ---------  ---             -----------  ---------  -----
65       0x10c4     a-HT-40sgi-2ss  35m:41s      1          WA
65       0x1072     a               24m:29s      1          WA

The output of this command includes the following information:

Column       Description
Name         Name of an AP.
bssid        The AP Basic Service Set Identifier (BSSID).
mac          MAC address of the AP.
auth         This column displays a y if the AP has been configured for 802.11 authorization frame types. Otherwise, it displays an n.
assoc        This column displays a y if the AP has been configured for 802.11 association frame types. Otherwise, it displays an n.
aid          802.11 association ID. A client receives a unique 802.11 association ID when it associates to an AP.
l-int        Number of beacons in the 802.11 listen interval. There are ten beacons sent per second, so a ten-beacon listen interval indicates a listen interval time of 1 second.
essid        Name that uniquely identifies the AP's Extended Service Set Identifier (ESSID).
vlan-id      Identification number of the AP's VLAN.
tunnel-id    Identification number of the AP's tunnel.
assoc. time  Amount of time the client has associated with the AP, in the format hours:minutes:seconds.
num assoc    Number of clients associated with the AP.
flags        This column displays any flags for this AP. The list of flag abbreviations is included in the output of the show ap association command.


Command History
Introduced in AOS-W 3.0.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Enable or Config mode on master switches
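
The rule from the usage guidelines for show ap association (an 'A' flag means currently associated, otherwise the smallest association time marks the last AP), applied to captured command output. This is an added example, not part of the reference guide; the sample table, AP names and MAC addresses are constructed, and the two-space column split and the "h" time unit are assumptions of the example.

```python
import re

# Constructed sample in the column order of `show ap association`, with at
# least two spaces between columns. AP names, MACs and timers are made up.
SAMPLE_OUTPUT = """\
Association Table
-----------------
Name  bssid              mac                auth  assoc  aid  l-int  essid     vlan-id  tunnel-id  phy  assoc. time  num assoc  Flags
----  -----              ---                ----  -----  ---  -----  -----     -------  ---------  ---  -----------  ---------  -----
AP-A  02:00:00:00:01:10  02:00:00:aa:bb:01  y     y      3    10     corp-lab  65       0x10c4     a    1h:2m:5s     1
AP-B  02:00:00:00:02:10  02:00:00:aa:bb:01  y     y      6    10     corp-lab  65       0x1072     a    24m:29s      1          W
AP-C  02:00:00:00:03:10  02:00:00:aa:bb:01  y     y      2    10     corp-lab  65       0x10d0     g    41s          1
Num Clients:3
"""

UNIT_SECONDS = {"h": 3600, "m": 60, "s": 1}


def parse_duration(text):
    """Convert values such as "35m:41s" or "23s" to seconds.

    The "h" unit is assumed by analogy; the page only shows m and s.
    """
    parts = re.findall(r"(\d+)([hms])", text)
    if not parts:
        return None
    return sum(int(number) * UNIT_SECONDS[unit] for number, unit in parts)


def parse_rows(output):
    """Return one dict per data row, keyed by the header names."""
    lines = [line for line in output.splitlines() if line.strip()]
    for index in range(len(lines) - 1):
        header = re.split(r"\s{2,}", lines[index].strip())
        # The header is the row naming a "mac" column, followed by dashes.
        if "mac" in header and re.fullmatch(r"[- ]+", lines[index + 1]):
            break
    else:
        return []
    rows = []
    for line in lines[index + 2:]:
        cells = re.split(r"\s{2,}", line.strip())
        # Assumption: only the trailing Flags cell can be empty, so a data
        # row has either every column or every column but the last.
        if len(cells) < len(header) - 1:
            continue  # trailer such as "Num Clients:1"
        cells += [""] * (len(header) - len(cells))
        rows.append(dict(zip(header, cells)))
    return rows


def locate_client(output, client_mac):
    """Apply the rule from the usage guidelines to one client's rows."""
    candidates = []
    for row in parse_rows(output):
        if row["mac"].lower() != client_mac.lower():
            continue
        seconds = parse_duration(row.get("assoc. time", ""))
        if "A" in row.get("Flags", ""):
            # Active flag: the client is associated with this AP right now.
            return {"ap": row["Name"], "status": "associated",
                    "assoc_seconds": seconds}
        if seconds is not None:
            candidates.append((seconds, row["Name"]))
    if not candidates:
        return None
    # No active row: the smallest association time is the last AP used.
    seconds, ap_name = min(candidates)
    return {"ap": ap_name, "status": "last-associated",
            "assoc_seconds": seconds}


if __name__ == "__main__":
    print(locate_client(SAMPLE_OUTPUT, "02:00:00:aa:bb:01"))
```
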


show ap association remote
show ap association remote [ap-name <ap-name>|ap-group <ap-group>|bssid <bssid>|channel <channel>|essid <essid>]
Description
Display the association table for an individual AP or group of APs in bridge mode.
Syntax

Parameter            Description
ap-name <ap-name>    Show AP associations for a specific remote AP.
ap-group <ap-group>  Show AP associations for a specific group of remote APs.
bssid <bssid>        Show the AP associations for a specific AP Basic Service Set Identifier (BSSID). The Basic Service Set Identifier (BSSID) is usually the AP's MAC address.
channel <channel>    Show remote AP associations for a specific channel.
essid <essid>        Show remote AP associations for an Extended Service Set Identifier (ESSID). An Extended Service Set Identifier (ESSID) is an alphanumeric name that uniquely identifies a wireless network. If the name includes spaces, you must enclose the ESSID in quotation marks.

Examples
The output of the command below shows the association table for clients in the AP group group1.
show ap association remote ap-group group1

Flags: W: WMM client, A: Active, R: RRM client
PHY Details: HT: High throughput; 20: 20MHz; 40: 40MHz
ss: spatial streams

Association Table

-----------------

Name bssid

essid vlan-id tunnel-id phy assoc.time num assoc Flags

---- -----

- ------- --------- --- ---------- --------- -----

AP71 00:0b:23:c1:d6:11 00:12:6d:03:1c:f1

y

y

1

a

23s

Num Clients:1

The output of this command includes the following information:

Column       Description
Name         Name of an AP.
bssid        The AP Basic Service Set Identifier (BSSID).
mac          MAC address of the AP.
auth         This column displays a y if the AP has been configured for 802.11 authorization frame types. Otherwise, it displays an n.
assoc        This column displays a y if the AP has been configured for 802.11 association frame types. Otherwise, it displays an n.
aid          802.11 association ID. A client receives a unique 802.11 association ID when it associates to an AP.
l-int        Number of beacons in the 802.11 listen interval. There are ten beacons sent per second, so a ten-beacon listen interval indicates a listen interval time of 1 second.
essid        Name that uniquely identifies the AP's Extended Service Set Identifier (ESSID).
vlan-id      Identification number of the AP's VLAN.
tunnel-id    Identification number of the AP's tunnel.
phy          The RF band in which the AP should operate:
             g = 2.4 GHz
             a = 5 GHz
assoc. time  Amount of time the client has associated with the AP, in the format hours:minutes:seconds.
num assoc    Number of clients associated with the AP.
flags        This column displays any flags for this AP. The list of flag abbreviations is included in the output of the show ap association remote command.

Command History
Introduced in AOS-W 3.0.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Enable or Config mode on master switches


show ap authorization-profile
show ap authorization-profile [<profile-name>]
Description
This command shows information for AP authorization profiles.
Syntax

Parameter       Description
<profile-name>  The name of an existing AP authorization profile.

Usage Guidelines
The AP authorization profile specifies which configuration should be assigned to a remote AP that has been provisioned but not yet authenticated at the remote site. By default, these yet-unauthorized APs are put into the temporary AP group authorization-group and assigned the predefined profile NoAuthApGroup. This configuration allows the user to connect to an unauthorized remote AP via a wired port and then enter a corporate username and password. Once a valid user has authorized the AP, the remote AP will be marked as authorized on the network. The remote AP will then download the configuration assigned to that AP by its permanent AP group.
Issue this command without the <profile-name> option to display the entire AP authorization profile list, including profile status and the number of references to each profile. Include a profile name to display the authorization group defined for that profile.

Examples
The following example lists all AP authorization profiles. The References column lists the number of other profiles with references to that authorization profile, and the Profile Status column indicates whether the profile is predefined. User-defined AP authorization profiles will not have an entry in the Profile Status column.
(host) #show ap authorization-profile

AP Authorization profile List
-----------------------------
Name           References  Profile Status
----           ----------  --------------
Noauthprofile  1
default        2           Predefined (editable)
Total:2

To display the authentication group for an individual profile, include the <profile> parameter. The example below shows the profile details for the AP authorization profile Default.

(host) #show ap authorization-profile default

AP Authorization profile "default" (Predefined (editable))
----------------------------------------------------------
Parameter               Value
---------               -----
AP authorization group  NoAuthApGroup

The output of the show ap authorization-profile command includes the following parameters:

Parameter               Value
AP authorization group  Name of a configuration profile to be assigned to the group of unauthorized remote APs.

Related Commands
Command                   Description                                                                                                        Mode
ap authorization-profile  This command defines a temporary configuration profile for remote APs that are not yet authorized on the network.  Config mode

Command History
This command was introduced in AOS-W 3.0.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Enable or Config mode on master or local switches


show ap blacklist-clients
show ap blacklist-clients

Description
Show a list of clients that have been denied access.

Usage Guidelines
Use the stm CLI command to add or remove users from a blacklist. Additionally, the dot1x authentication, VPN authentication and MAC authentication profiles allow you to automatically blacklist a client if machine authentication fails.

Examples
The output of this command shows that the switch has a single user-defined blacklisted client.

(host)# show ap blacklist-clients

Blacklisted Clients
-------------------
STA                reason        block-time(sec)  remaining time(sec)
---                ------        ---------------  -------------------
00:1E:37:CB:D4:52  user-defined  2480

The output of this command includes the following information:

Column               Description
STA                  MAC address of the blacklisted client.
reason               The reason that the user was blacklisted.
                     • user-defined: User was blacklisted because of blacklist criteria defined by the network administrator.
                     • mitm-attack: Blacklisted for a man in the middle (MITM) attack; impersonating a valid enterprise AP.
                     • ping-flood: Blacklisted for a ping flood attack.
                     • session-flood: Blacklisted for a session flood attack.
                     • syn-flood: Blacklisted for a syn flood attack.
                     • session-blacklist: User session was blacklisted.
                     • IP spoofing: Blacklisted for sending messages using the IP address of a trusted client.
                     • ESI-blacklist: An external virus detection or intrusion detection application or appliance blacklisted the client.
                     • CP-flood: Blacklisting for flooding with fake AP beacons.
                     • UNKNOWN: Blacklist reason unknown.
block-time (sec)     Amount of time the client has been blocked, in seconds.
remaining time(sec)  Amount of time remaining before the client will be allowed access to the network again.


Related Commands
Command                                Description                                       Mode
stm add-blacklist-client               Manually add or remove clients from a blacklist.  Config mode
stm remove-blacklist-client <macaddr>

Command History
Introduced in AOS-W 3.0.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Enable or Config mode on master switches
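
An added example (not part of the reference guide or of AOS-W) that parses captured show ap blacklist-clients output by the column positions of its dashed underline row and orders the entries for review. The sample rows are constructed, and grouping the reason values listed above into triage categories is an assumption of the example.

```python
import re

# Constructed sample in the layout of `show ap blacklist-clients`.
# The MAC addresses, timers and the "odd-reason" value are made up.
SAMPLE_OUTPUT = """\
Blacklisted Clients
-------------------
STA                reason        block-time(sec)  remaining time(sec)
---                ------        ---------------  -------------------
02:00:00:aa:bb:01  user-defined  2480             1120
02:00:00:aa:bb:02  mitm-attack   3600             3541
02:00:00:aa:bb:03  IP spoofing   3600             12
02:00:00:aa:bb:04  ESI-blacklist 600              598
02:00:00:aa:bb:05  odd-reason    60               59
"""

# Reason strings are the ones this page lists for the "reason" column.
# Grouping them into triage categories is an assumption of this example.
CATEGORY = {
    "mitm-attack": "attack", "ping-flood": "attack", "session-flood": "attack",
    "syn-flood": "attack", "ip spoofing": "attack", "cp-flood": "attack",
    "esi-blacklist": "external-detection",
    "user-defined": "administrative", "session-blacklist": "administrative",
}
PRIORITY = {"attack": 0, "external-detection": 1, "unknown": 2,
            "administrative": 3}
MAC_RE = re.compile(r"(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}")


def column_spans(underline):
    """Turn the dashed underline row into (start, end) slices per column."""
    starts = [m.start() for m in re.finditer(r"-+", underline)]
    return list(zip(starts, starts[1:] + [None]))


def to_int(text):
    return int(text) if text.isdigit() else None


def parse_blacklist(output):
    """Parse the fixed-width table; cell values may contain single spaces."""
    lines = output.splitlines()
    for index, line in enumerate(lines):
        # The column underline is the dashes-only row with four dash runs;
        # the single-run row under the table title is skipped.
        if re.fullmatch(r"[- ]+", line) and len(line.split()) == 4:
            break
    else:
        return []
    spans = column_spans(line)
    entries = []
    for row in lines[index + 1:]:
        cells = [row[start:end].strip() for start, end in spans]
        if not MAC_RE.fullmatch(cells[0]):
            continue  # blank line, prompt or trailer
        entries.append({"sta": cells[0].lower(), "reason": cells[1],
                        "block_time": to_int(cells[2]),
                        "remaining": to_int(cells[3])})
    return entries


def triage(output, expiring_within=60):
    """Order entries for review: attack reasons first, soonest expiry first."""
    entries = parse_blacklist(output)
    for entry in entries:
        entry["category"] = CATEGORY.get(entry["reason"].lower(), "unknown")
        # When the remaining time reaches zero the client is allowed back on.
        entry["expiring"] = (entry["remaining"] is not None
                             and entry["remaining"] <= expiring_within)

    def sort_key(entry):
        remaining = entry["remaining"]
        return (PRIORITY[entry["category"]],
                float("inf") if remaining is None else remaining)

    return sorted(entries, key=sort_key)


if __name__ == "__main__":
    for e in triage(SAMPLE_OUTPUT):
        print(e["category"], e["sta"], e["reason"], e["remaining"],
              "EXPIRING" if e["expiring"] else "")
```
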


show ap bss-table
show ap bss-table [ap-name <ap-name>|bssid <bssid>|essid <essid>|ip-addr <ip-addr>|port <port>/<slot>]
Description
Show an AP's Basic Service Set (BSS).
Syntax

Parameter           Description
ap-name <ap-name>   Show the BSS table for a specific AP.
bssid <bssid>       Show the BSS table for a specific AP Basic Service Set Identifier (BSSID). The Basic Service Set Identifier (BSSID) is usually the AP's MAC address.
essid <essid>       Show the BSS table for an Extended Service Set Identifier (ESSID). An Extended Service Set Identifier (ESSID) is an alphanumeric name that uniquely identifies a wireless network. If the name includes spaces, you must enclose the ESSID in quotation marks.
ip-addr <ip-addr>   Show the BSS table for a specific AP by entering an IP address in dotted-decimal format.
port <port>/<slot>  Show the BSS table for a specific port and slot on an AP. The slot and port numbers should be separated by a forward slash (/).

Usage Guidelines
The output of the show ap bss-table command shows the Alcatel-Lucent AP BSS table for all APs. To filter this information and view BSS table data for an individual AP or a specific port and slot number, include the ap-name, bssid, essid, ip-addr or port keywords.

Example
The output of this command shows the BSS table for the seven active APs using the switch.
show ap bss-table

Alcatel-Lucent AP BSS Table

------------------

bss

EIRP cur-cl ap name in-t(s) tot-t

mtu acl-state

---

---

----

---

------

------

--- --------

00:0b:86:cc:d8:40 corp-ap 1/3 192.0.2.0

g

ap

ess 11/16.5/33

00:0b:86:cc:d8:41 testbed1 1/3

192.0.2.10 g

ap

11/16.5/33

3.70.17 0

50s

1500 -

00:0b:86:9b:49:c8 corp-ap 1/0 192.0.2.11

a

ap

165/15.5/36

3.85.15 0

2m:0s

1578 -

00:1a:1e:81:aa:50 corp-ap 1/0 192.0.2.12

a-HT ap

44+/19/23

14m:0s

1578 -

00:1a:1e:81:aa:40 corp-ap 1/0 192.0.2.12

g-HT ap

6/17.5/33

0

3m:55s 1578 -

00:0b:86:cc:d8:50 corp-ap 1/3 192.0.2.14

a

ap

165/19/36

0

50s

1500 -


00:0b:86:9b:49:c0 corp-ap 1/0 192.0.2.15

g

0

2m:0s

ap 1578 -

11/16.5/33

Channel followed by "*" indicates channel selected due to unsupported configured channel.
Num APs:7
Num Associations:1
The output of this command includes the following information:

Column            Description
bss               The AP Basic Service Set Identifier (BSSID). This is usually the MAC address of the AP.
ess               The AP Extended Service Set Identifier (ESSID).
s/p               The slot and port used by the switch, in the format <slot>/<port>.
                  <slot> is always 1, except when referring to interfaces on the OAW-6000 switch. For the OAW-6000 switch, the four slots are allocated as follows:
                  • Slot 0: contains an OmniAccess Supervisor Card III.
                  • Slot 1: can contain an OmniAccess Supervisor Card III, or a line card.
                  • Slot 2: can contain an OmniAccess Supervisor Card III or a line card.
                  • Slot 3: can contain an OmniAccess Supervisor Card III or a line card.
                  <port> refers to the network interfaces that are embedded in the front panel of the OAW-4x04 Series switch, OmniAccess Supervisor Card III, or a line card installed in the OAW-6000 switch. Port numbers start at 0 from the left-most position.
ip                IP address of an AP.
phy               An AP radio type. Possible values are:
                  • a--802.11a
                  • a-HT--802.11a high throughput
                  • g--802.11g
                  • g-HT--802.11g high throughput
type              Shows whether the AP is working as an access point (AP) or air monitor (AM).
ch/EIRP/max-EIRP  Radio channel used by the AP/current effective Isotropic Radiated Power (EIRP)/maximum EIRP.
cur-cl            Current number of clients on the AP.
ap name           Name of the AP.
in-t(s)           Number of seconds that an AP has been inactive.
tot-t             An AP's total active time, in seconds.
mtu               Maximum Transmission Unit (MTU) size, in bytes. This value describes the greatest amount of data that can be transferred in one physical frame.
acl-state         An access control list (ACL) can enable or disable an AP during specific time ranges.
                  • Disabled: An ACL with time restrictions is currently disabled (so the AP is enabled).
                  • Enabled: An ACL with time restrictions is currently enabled (so the AP is disabled).
                  • This data column will display a dash (-) if no ACLs are currently configured for the AP.

Command History
Introduced in AOS-W 3.0.


Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Enable or Config mode on master switches


show ap bw-report
show ap bw-report {ap-name <ap-name>|bssid <bssid>|ip-addr <ip-addr>}
Description
Show the bandwidth reporting table for a specific AP.
Syntax

Parameter          Description
ap-name <ap-name>  Show bandwidth data for an AP with a specific name.
bssid <bssid>      Show bandwidth data for a specific Basic Service Set Identifier (BSSID) on an AP. The Basic Service Set Identifier (BSSID) is usually the AP's MAC address.
ip-addr <ip-addr>  Show bandwidth data for an AP with a specific IP address by entering an IP address in dotted-decimal format.

Examples
The output of the following command shows the Alcatel-Lucent AP bandwidth table for an AP with the IP address 192.0.2.170.

show ap bw-report ip-addr 192.0.2.170

Bandwidth report for AP "AL16" radio 0
--------------------------------------
Virtual AP                   Allocated Share  Actual Share  Offered Load  Delivered Load
----------                   ---------------  ------------  ------------  --------------
corp1344-guest               0%               0%            0 kbps        0 kbps
corp1344-ethersphere-wpa2    0%               0%            0 kbps        0 kbps
Average Throughput:0 kbps

Bandwidth report for AP "AL16" radio 1
--------------------------------------
Virtual AP                   Allocated Share  Actual Share  Offered Load  Delivered Load
----------                   ---------------  ------------  ------------  --------------
corp1344-guest               0%               0%            0 kbps        0 kbps
corp1344-ethersphere-voip    0%               0%            0 kbps        0 kbps
corp1344-ethersphere-vocera  0%               0%            0 kbps        0 kbps
Average Throughput:0 kbps

The output of this command includes the following information for all radios on the AP:

Column              Description
Virtual AP          Name of a Virtual AP.
Allocated Share     Maximum percentage of total bandwidth available to that Virtual AP.
Actual Share        Actual percentage of total bandwidth used by a Virtual AP.
Offered Load        Attempted throughput for the Virtual AP, in kbps.
Delivered Load      Actual throughput for the Virtual AP, in kbps. This value may be less than the offered load if the Virtual AP has used all its allocated bandwidth.
Average Throughput  Average throughput for the virtual AP, in kbps.

Command History
Introduced in AOS-W 3.0.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Enable or Config mode on master switches


show ap client status
show ap client status <client-mac>
Description
Show the current status of a specific client.
Syntax

Parameter     Description
<client-mac>  MAC address of a client.

Examples
The output of the command shows the status of an individual client in the STA (station) table.

(host) #show ap client status 00:13:fd:42:32:38

STA Table
---------
bssid              auth  assoc  aid  l-int  essid      vlan-id  tunnel-id
-----              ----  -----  ---  -----  -----      -------  ---------
00:1a:1e:a3:02:c9  y     y      7    10     corp-wpa2  65       0x10c0

State Hash Table
----------------
bssid              state       reason
-----              -----       ------
00:1a:1e:a3:02:c9  auth-assoc  0

The output of this command includes the following information:

Column     Description
bssid      Basic Service Set ID (BSSID) of the client.
auth       This column displays a y if the AP has been configured for 802.11 authorization frame types. Otherwise, it displays an n.
assoc      This column displays a y if the AP has been configured for 802.11 association frame types. Otherwise, it displays an n.
aid        802.11 association ID. A client receives a unique 802.11 association ID when it associates to an AP.
l-int      Number of beacons in the 802.11 listen interval. There are ten beacons sent per second, so a ten-beacon listen interval indicates a listen interval time of 1 second.
essid      Extended Service Set ID (ESSID) of the client.
vlan-id    VLAN ID of the VLAN used by the client.
tunnel-id  Identification number for the tunnel.
state      If the client has been both authorized and associated, this data column will display auth-assoc. If the client has only been authorized, this data column will display auth.
Reason     If the client failed to authenticate, this data column lists the reason code for 802.11 authentication failure.

Command History
Introduced in AOS-W 3.0.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Enable or Config mode on master switches


show ap config
show ap config {ap-group <ap-group>}|{ap-name <ap-name>}|{essid <essid>}
Description
Show a large list of configuration settings for an ap-group or an individual AP.
Syntax

Parameter            Description
ap-group <ap-group>  Display configuration settings for an AP group.
ap-name <ap-name>    Display configuration settings for an AP with a specific name.
essid <essid>        Display configuration settings for an AP with a specific Extended Service Set Identifier (ESSID). An Extended Service Set Identifier (ESSID) is an alphanumeric name that uniquely identifies a wireless network. If the name includes spaces, you must enclose the ESSID in quotation marks.

Examples

The example output below shows just some of the configuration settings displayed in the output of this command.

show ap config ap-group apgroup14

---------------------------------------------------
Parameter                      802.11g         802.11a         Source
---------                      -------         -------         ------
LMS IP                         N/A             N/A             ap system-profile "default"
Backup LMS IP                  N/A             N/A             ap system-profile "default"
LMS Preemption                 Disabled        Disabled        ap system-profile "default"
LMS Hold-down Period           600 sec         600 sec         ap system-profile "default"
Master switch IP address       N/A             N/A             ap system-profile "default"
RF Band                        g               g               ap system-profile "default"
Double Encrypt                 Disabled        Disabled        ap system-profile "default"
Native VLAN ID                 1               1               ap system-profile "default"
SAP MTU                        N/A             N/A             ap system-profile "default"
Bootstrap threshold            8               8               ap system-profile "default"
Request Retry Interval         10 sec          10 sec          ap system-profile "default"
Maximum Request Retries        10              10              ap system-profile "default"
Keepalive Interval             60 sec          60 sec          ap system-profile "default"
Dump Server                    N/A             N/A             ap system-profile "default"
Telnet                         Disabled        Disabled        ap system-profile "default"
FIPS enable                    Disabled        Disabled        ap system-profile "default"
SNMP sysContact                N/A             N/A             ap system-profile "default"
RFprotect Server IP            N/A             N/A             ap system-profile "default"
RFprotect Backup Server IP     N/A             N/A             ap system-profile "default"
AeroScout RTLS Server          N/A             N/A             ap system-profile "default"
RTLS Server configuration      N/A             N/A             ap system-profile "default"
Remote-AP DHCP Server VLAN     N/A             N/A             ap system-profile "default"
Remote-AP DHCP Server Id       192.168.11.1    192.168.11.1    ap system-profile "default"
Remote-AP DHCP Default Router  192.168.11.1    192.168.11.1    ap system-profile "default"
Remote-AP DHCP Pool Start      192.168.11.2    192.168.11.2    ap system-profile "default"
Remote-AP DHCP Pool End        192.168.11.254  192.168.11.254  ap system-profile "default"
Remote-AP DHCP Pool Netmask    255.255.255.0   255.255.255.0   ap system-profile "default"
Remote-AP DHCP Lease Time      0 days          0 days          ap system-profile "default"
Heartbeat DSCP                 0               0               ap system-profile "default"
Session ACL                    N/A             N/A             ap system-profile "default"
Image URL                      N/A             N/A             ap system-profile "default"
Maintenance Mode               Disabled        Disabled        ap system-profile "default"
...

The output of this command includes the following parameters.

Parameter LMS IP
LMS IPv6
Backup LMS IP Backup LMS IP

Description
The IPv4 address of the local management switch (LMS)--the Alcatel-Lucent switch which is responsible for terminating user traffic from the APs, and processing and forwarding the traffic to the wired network.
The IPv6 address of the local management switch (LMS)--the Alcatel-Lucent switch which is responsible for terminating user traffic from the APs, and processing and forwarding the traffic to the wired network.
For multi-switch networks, this parameter displays the IPv4 address of a backup to the IP address specified with the lms-ip parameter.
For multi-switch networks, this parameter displays the IPv6 address of a backup to the IP address specified with the lms-ip parameter.

AOS-W 6.2 | Reference Guide

show ap config | 701

Parameter LMS Preemption LMS Hold-down Period Number of IPsec retries
LED operation mode Master switch IP address RF Band Double Encrypt
Native VLAN ID SAP MTU Bootstrap threshold
Request Retry Interval Maximum Request Retries
702 | show ap config

Description
When this parameter is enabled, the local management switch automatically reverts to the primary LMS IP address when it becomes available.
Time, in seconds, that the primary LMS must be available before an AP returns to that LMS after failover.
Shows the number of times the AP will attempt to recreate an IPsec tunnel with the master switch before the AP will reboot. The supported range is 0-1000 retries, and the default value is 360. A value of 0 disables the reboot.
The operating mode for the LEDs (11n APs only) l normal: Normal mode l off: All LEDs off
For multi-switch networks, this parameter displays the IP address of the master switch.
For dual-band radios, this parameter displays the RF band in which the AP should operate: l g = 2.4 GHz l a = 5 GHz
This parameter applies only to remote APs. Double encryption is used for traffic to and from a wireless client that is connected to a tunneled SSID. When enabled, all traffic is re-encrypted in the IPsec tunnel. When disabled, the wireless frame is only encapsulated inside the IPsec tunnel.
Native VLAN for bridge mode virtual APs (frames on the native VLAN are not tagged with 802.1q tags).
Maximum Transmission Unit (MTU) size, in bytes. This value describes the greatest amount of data that can be transferred in one physical frame.
Number of consecutive missed heartbeats on a GRE tunnel (heartbeats are sent once per second on each tunnel) before an AP rebootstraps. On the switch, the GRE tunnel timeout is 1.5 x bootstrap-threshold; the tunnel is torn down after this number of seconds of inactivity on the tunnel.
Interval, in seconds, between the first and second retries of AP-generated requests. If the configured interval is less than 30 seconds, the interval for subsequent retries is increased up to 30 seconds.
Maximum number of times to retry AP-generated requests, including keepalive messages. After the maximum number of retries, the AP either reboots or tries the IP address specified by the backup LMS IP address (if configured).

Keepalive Interval

Time, in seconds, between keepalive messages from the AP.

Dump Server

(For debugging purposes.) Displays the server to receive the core dump generated if an AP process crashes.

Telnet

Reports whether Telnet access to the AP is enabled or disabled.

SNMP sysContact

SNMP system contact information.

AeroScout RTLS Server

Displays whether or not the AP will send RFID tag information to an AeroScout real-time asset location (RTLS) server.

RTLS Server configuration

Displays whether or not the AP will send RFID tag information to an RTLS server.

Remote-AP DHCP Server VLAN

Shows the VLAN ID of the remote-AP DHCP server used when the switch is unreachable.

Remote-AP DHCP Server Id

Shows the IP address of the DHCP DNS server.

Remote-AP DHCP Default Router

Shows the IP address of the DHCP default router.

Remote-AP DHCP Pool Start

Shows the IP address used as the start of the DHCP pool.

Remote-AP DHCP Pool End

Shows the IP address used as the end of the DHCP pool.

Remote-AP DHCP Pool Netmask

Shows the netmask of the DHCP pool.

Remote-AP DHCP Lease Time

Shows the length of leases, in days (0 means infinite).

Remote-AP uplink total bandwidth

This is the total reserved uplink bandwidth (in kilobits per second).

Remote-AP bw reservation

Session ACLs with uplink bandwidth reservation in kilobits per second. You can specify up to three session ACLs to reserve uplink bandwidth.

Heartbeat DSCP

DSCP value of AP heartbeats (0-63).

Session ACL

Shows the access control list (ACL) applied on the uplink of a remote AP.

Maintenance Mode

Shows if Maintenance mode is enabled or disabled. If enabled, APs stop flooding unnecessary traps and syslog messages to network management systems or network operations centers when deploying, maintaining, or upgrading the network. The switch still generates debug syslog messages if debug logging is enabled.

Remote-AP Local Network Access

Enable or disable local network access across VLANs in a Remote-AP.


Radio enable

Shows if the AP's radio is enabled or disabled.

Mode

Shows the operating modes for the AP.
- ap-mode: Device provides transparent, secure, high-speed data communications between wireless network devices and the wired LAN.
- am-mode: Device behaves as an air monitor to collect statistics, monitor traffic, detect intrusions, enforce security policies, balance traffic load, self-heal coverage gaps, etc.
- spectrum-mode: Device behaves as a spectrum monitor, sending spectrum analysis data to the switch. Spectrum monitors do not serve clients.

High throughput enable (radio)

Shows if high-throughput (802.11n) features on the 2.4 GHz frequency band are enabled or disabled.

Channel

Shows the channel number for the AP's 802.11a/802.11n physical layer.

Beacon Period

Shows the time, in milliseconds, between successive beacon transmissions. The beacon advertises the AP's presence, identity, and radio characteristics to wireless clients.

Beacon Regulate

Enabling this setting introduces randomness in the beacon generation so that multiple APs on the same channel do not send beacons at the same time, which causes collisions over the air.

Transmit EIRP

Shows the current transmission power level.

Advertise 802.11d and 802.11h Capabilities

This column reports whether or not the AP will advertise its 802.11d (Country Information) and 802.11h (TPC or Transmit Power Control) capabilities

TPC Power

The transmit power advertised in the TPC IE of beacons and probe responses. Range: 0-51 dBm

Spectrum Load Balancing

The Spectrum Load Balancing feature helps optimize network resources by balancing clients across channels, regardless of whether the AP or the switch is responding to the wireless clients' probe requests.
If enabled, the switch compares whether or not an AP has more clients than its neighboring APs on other channels. If an AP's client load is at or over a predetermined threshold as compared to its immediate neighbors, or if a neighboring Alcatel-Lucent AP on another channel does not have any clients, load balancing will be enabled on that AP. This feature is disabled by default.

Spectrum Load Balancing mode

Spectrum Load Balancing Mode allows control over how to balance clients. Select one of the following options:
- channel: Channel-based load-balancing balances clients across channels. This is the default load-balancing mode.
- radio: Radio-based load-balancing balances clients across APs.

Spectrum load balancing update interval

This value determines how often spectrum load balancing calculations are made (in seconds). The default value is 30 seconds.

Advertised regulatory max EIRP

A cap for a radio's maximum equivalent isotropic radiated power (EIRP). Even if the regulatory approved maximum for a given channel is higher than this EIRP cap, the AP radio using this profile will advertise only this capped maximum EIRP in its radio beacons.

Spectrum load balancing domain

Define a spectrum load balancing domain to manually create RF neighborhoods. This option creates RF neighborhood information for networks that have disabled Adaptive Radio Management (ARM) scanning and channel assignment.
- If spectrum load balancing is enabled in an 802.11a radio profile but the spectrum load balancing domain is not defined, AOS-W uses the ARM feature to calculate RF neighborhoods.
- If spectrum load balancing is enabled in an 802.11a radio profile and a spectrum load balancing domain is also defined, AP radios belonging to the same spectrum load balancing domain will be considered part of the same RF neighborhood for load balancing, and will not recognize RF neighborhoods defined by the ARM feature.

Rx sensitivity tuning based channel reuse

The channel reuse feature can operate in any of the following three modes: static, dynamic or disable. (This feature is disabled by default.)
- Static mode: This mode of operation is a coverage-based adaptation of the Clear Channel Assessment (CCA) thresholds. In the static mode of operation, the CCA is adjusted according to the configured transmission power level on the AP, so that as the AP transmit power decreases, the CCA threshold increases, and vice versa.
- Dynamic mode: In this mode, the Clear Channel Assessment (CCA) thresholds are based on channel loads, and take into account the location of the associated clients. When you set the Channel Reuse This feature is automatically enabled when the wireless medium around the AP is busy greater than half the time. When this mode is enabled, the CCA threshold adjusts to accommodate transmissions between the AP and its most distant associated client.
- Disable mode: This mode does not support the tuning of the CCA Detect Threshold.

Rx sensitivity threshold

RX Sensitivity Tuning Based Channel Reuse Threshold, in -dBm. If the Rx Sensitivity Tuning Based Channel reuse feature is set to static mode, this parameter manually sets the AP's Rx sensitivity threshold (in -dBm). The AP will filter out and ignore weak signals that are below the channel threshold signal strength. If the value is set to zero, the feature will automatically determine an appropriate threshold.

Non 802.11a interference Immunity

The value for 802.11 Interference Immunity. This parameter sets the interference immunity on the 2.4 GHz band. The default setting for this parameter is level 2. When performance drops due to interference from non-802.11 interferers (such as DECT or Bluetooth devices), the level can be increased up to level 5 for improved performance. However, increasing the level makes the AP slightly "deaf" to its surroundings, causing the AP to lose a small amount of range. The levels for this parameter are:
- Level-0: no ANI adaptation.
- Level-1: noise immunity only.
- Level-2: noise and spur immunity. This is the default setting.
- Level-3: level 2 and weak OFDM immunity.
- Level-4: level 3 and FIR immunity.
- Level-5: disable PHY reporting.

Enable CSA

Displays whether or not the AP has enabled channel switch announcements (CSAs) for 802.11h.

CSA Count

Number of channel switch announcements that must be sent before the AP will switch to a new channel.

Management Frame Throttle interval

Average interval that rate limiting management frames are sent from this radio, in seconds. If this column displays a zero (0), rate limiting is disabled for this AP.

Management Frame Throttle Limit

Maximum number of management frames that can come from this radio in each throttle interval.

ARM/WIDS Override

Shows if Adaptive Radio Management (ARM) and Wireless IDS functions are enabled or disabled. If a radio is configured to operate in Air Monitor mode, then these functions are always enabled, regardless of this option.

Protection for 802.11b Clients

Displays whether or not protection for 802.11b clients is enabled or disabled.

Maximum Distance

Maximum distance between a client and an AP or between a mesh point and a mesh portal, in meters. This value is used to derive ACK and CTS timeout times. A value of 0 specifies default settings for this parameter, where timeouts are only modified for outdoor mesh radios which use a distance of 16km. The upper limit for this parameter varies, depending on the 20/40 MHz mode for a 2.4GHz frequency band radio:
- 20MHz mode: 54km
- 40MHz mode: 24km
If you configure a value above the supported maximum, the maximum supported value will be used instead. Values below 600m will use default settings.

Spectrum Monitoring

When this parameter is enabled, it turns an AP in ap-mode into a hybrid AP. An AP in hybrid AP mode will continue to serve clients as an access point while it scans and analyzes spectrum analysis data for a single radio channel.

Assignment

Displays whether or not ARM channel and power assignment has been enabled or disabled.

Allowed bands for 40MHz channels

Forty MHz channels may be used on the specified radio bands (802.11a or 802.11g).

Client Aware

Shows if the client aware feature has been enabled or disabled for this AP. If enabled, the AP will not change channels when there are active clients.

Max Tx Power

Maximum transmission power for this AP, in dBm.

Min Tx Power

Minimum transmission power for this AP, in dBm.

Multi Band Scan

Shows if the multi-band scan feature has been enabled or disabled on this AP. If enabled, single-radio APs will try to scan across bands for Rogue AP detection.

Rogue AP Aware

Shows if the rogue AP awareness feature has been enabled or disabled on this AP. If enabled, the AP will try to contain off-channel Rogue APs.

Scan Interval

This column indicates, in seconds, how often the AP will leave its current channel to scan other channels in the band if scanning is enabled.

Active Scan

Displays whether or not the active scan feature is enabled. NOTE: This option elicits more information from nearby APs, but also creates additional management traffic on the network. Active Scan is disabled by default, and should not be enabled except under the direct supervision of Alcatel-Lucent Support.

Scanning

Shows if scanning is enabled or disabled for this AP. If this option is disabled, the following other options will also be disabled:
- Multi Band Scan
- Rogue AP Aware
- Voip Aware Scan
- Power Save Scan


Scan Time

The amount of time, in milliseconds, an AP will drift out of the current channel to scan another channel. The supported range for this setting is 0-2,147,483,647 seconds. Best practices are to configure a scan time between 50-200 msec.

VoIP Aware Scan

Shows if VoIP aware scanning is enabled or disabled. If you use voice handsets in the WLAN, VoIP Aware Scan should be enabled in the ARM profile so the AP will not attempt to scan a different channel if one of its clients has an active VoIP call. This option requires that Scanning is also enabled.

Power Save Aware Scan

Shows if the power save aware scan is enabled or disabled. If enabled, the AP will not scan a different channel if it has one or more clients and is in power save mode. Default: enabled

Ideal Coverage Index

The Alcatel-Lucent coverage index metric is a weighted calculation based on the RF coverage for all Alcatel-Lucent APs and neighboring APs on a specified channel. The Ideal Coverage Index specifies the ideal coverage that an AP should try to achieve on its channel. The denser the AP deployment, the lower this value should be.

Acceptable Coverage Index

For multi-band implementations, the Acceptable Coverage Index specifies the minimal coverage an AP should achieve on its channel. The denser the AP deployment, the lower this value should be.

Free Channel Index

The current free channel index value. The Alcatel-Lucent Interference index metric measures interference for a specified channel and its surrounding channels. This value is calculated and weighted for all APs on those channels (including 3rd-party APs). An AP will only move to a new channel if the new channel has a lower interference index value than the current channel. Free Channel Index specifies the required difference between the two interference index values before the AP moves to the new channel. The lower this value, the more likely it is that the AP will move to the new channel.

Backoff Time

After an AP changes channel or power settings, it waits for this backoff time interval before it asks for a new channel/power setting.

Error Rate Threshold

The minimum percentage of PHY errors and MAC errors in the channel that will trigger a channel change.

Error Rate Wait Time

Minimum time in seconds the error rate on the AP has to exceed its defined error rate threshold before it triggers a channel change.

Noise Threshold

Maximum level of noise in a channel that triggers a channel change.

Noise Wait Time

Minimum time in seconds the noise level has to exceed the Noise Threshold before it triggers a channel change on the AP.

Minimum Scan Time

Minimum number of times a channel must be scanned before it is considered for assignment. Best practices are to configure a Minimum Scan Time between 1-20 scans.

Load aware Scan Threshold

The Load Aware Scan Threshold is the traffic throughput level an AP must reach before it stops scanning. Load aware ARM preserves network resources during periods of high traffic by temporarily halting ARM scanning if the load for the AP gets too high.

Mode Aware Arm

Shows if the mode-aware ARM feature has been enabled or disabled for this AP. If enabled, ARM will turn the AP into an Air Monitor (AM) if it detects higher coverage levels than necessary. This helps avoid higher levels of interference on the WLAN. Although this setting is disabled by default, you may want to enable this feature if your APs are deployed in close proximity (e.g. less than 60 feet apart).

Scan mode

Identifies the scan mode for the AP.
- all-reg-domain: The AP scans channels within all regulatory domains. This is the default setting.
- reg-domain: Limit the AP scans to just the regulatory domain for that AP.

40 MHz intolerance

The specified setting allows ARM to determine if 40 MHz mode of operation is allowed on the 5 GHz or 2.4 GHz frequency band only, on both frequency bands, or on neither frequency band.

Honor 40 MHz intolerance

Shows if 40 MHz intolerance is enabled or disabled. If enabled, the radio will stop using the 40 MHz channels if the 40 MHz intolerance indication is received from another AP or station.

Legacy station workaround

Shows if interoperability for misbehaving legacy stations is enabled or disabled.

SSID enable

Shows if the SSID is enabled or disabled.

ESSID

Name that uniquely identifies the Extended Service Set Identifier (SSID).

Encryption

Encryption type used on this AP.

DTIM Interval

Shows the interval, in milliseconds, between the sending of Delivery Traffic Indication Messages (DTIMs) in the beacon. This is the maximum number of beacon cycles before unacknowledged network broadcasts are flushed.

Basic Rates

Lists supported 802.11a rates, in Mbps, that are advertised in beacon frames and probe responses from this AP.

Transmit Rates

Lists 802.11a rates at which the AP is allowed to send data. The actual transmit rate depends on what the client is able to handle, based on information sent at the time of association and on the current error/loss rate of the client.

Station Ageout Time

Time, in seconds, that a client is allowed to remain idle before being aged out.

Max Transmit Attempts

Maximum number of retries allowed for the AP to send a frame.

RTS Threshold

Wireless clients transmitting frames larger than this threshold must issue Request to Send (RTS) and wait for the AP to respond with Clear to Send (CTS). This helps prevent mid-air collisions for wireless clients that are not within wireless peer range and cannot detect when other wireless clients are transmitting.

Short Preamble

Shows if a short preamble for 802.11b/g radios is enabled or disabled for this AP. Network performance may be higher when short preamble is enabled. In mixed radio environments, some 802.11b wireless client stations may experience difficulty associating with the AP using short preamble. To use only long preamble, disable short preamble. Legacy client devices that use only long preamble generally can be updated to support short preamble.

Max Associations

Maximum number of wireless clients allowed to associate to the AP.

Wireless Multimedia (WMM)

Shows if Wireless Multimedia (WMM) is enabled or disabled for this AP. WMM provides prioritization of specific traffic relative to other traffic in the network.

Wireless Multimedia U-APSD (WMM-UAPSD) Powersave

Shows if Wireless Multimedia (WMM) UAPSD powersave is enabled or disabled.

WMM TSPEC Min Inactivity Interval

Displays the minimum inactivity time-out threshold of WMM traffic for this AP.

DSCP mapping for WMM voice AC

Displays the DSCP value used to map WMM voice traffic.

DSCP mapping for WMM video AC

Displays the DSCP value used to map WMM video traffic.

DSCP mapping for WMM best-effort AC

Displays the DSCP value used to map WMM best-effort traffic.

DSCP mapping for WMM background AC

Displays the DSCP value used to map WMM background traffic.


902il Compatibility Mode

Shows if 902il compatibility mode is enabled or disabled. (This parameter only needs to be enabled for APs with associated clients using NTT DoCoMo 902iL phones.)

Hide SSID

Shows if the feature to hide an SSID name in beacon frames is enabled or disabled.

Deny_Broadcast Probes

When a client sends a broadcast probe request frame to search for all available SSIDs, this option controls whether or not the system responds for this SSID. When enabled, no response is sent and clients have to know the SSID in order to associate to the SSID. When disabled, a probe response frame is sent for this SSID.

Local Probe Response

Shows if local probe response is enabled or disabled on the AP. If this option is enabled, the AP is responsible for sending 802.11 probe responses to wireless clients' probe requests. If this option is disabled, then the switch sends the 802.11 probe responses.

Disable Probe Retry

If disabled, the AP will not resend probes if it does not get a response.

Battery Boost

Shows if the battery boost feature is enabled or disabled for the AP. If enabled, this feature converts multicast traffic to unicast before delivery to the client, thus allowing you to set a longer DTIM interval. The longer interval keeps associated wireless clients from activating their radios for multicast indication and delivery, leaving them in power-save mode longer and thus lengthening battery life.

Drop Broadcast and Multicast

If this feature is enabled on an AP, it drops all downstream broadcast or multicast traffic to increase battery life.

WEP Key 1

Displays the static WEP key (1 of 4).

WEP Key 2

Displays the static WEP key (2 of 4).

WEP Key 3

Displays the static WEP key (3 of 4).

WEP Key 4

Displays the static WEP key (4 of 4).

WEP Transmit Key Index

Displays the key index that specifies which static WEP key is to be used.

WPA Hexkey

Displays the WPA pre-shared key (PSK).

WPA Passphrase

Displays the WPA passphrase with which the AP generates a pre-shared key (PSK).

Maximum Transmit Failures

Displays the maximum number of transmission failures allowed before the client gives up.

BC/MC Rate Optimization

Shows if the AP has enabled or disabled scanning of all active stations currently associated to that AP to select the lowest transmission rate for broadcast and multicast frames. This option only applies to broadcast and multicast data frames; 802.11 management frames are transmitted at the lowest configured rate.

Rate Optimization for delivering EAPOL frames

Shows if the AP has enabled or disabled rate optimization for delivering EAPOL frames.

Strict Spectralink Voice Protocol (SVP)

Shows if strict Spectralink Voice Protocol (SVP) is enabled or disabled.

802.11g Beacon Rate

Sets the beacon rate for 802.11g for APs that use a Distributed Antenna System (DAS). Using this parameter in normal operation may cause connectivity problems.

802.11a Beacon Rate

Sets the beacon rate for 802.11a for APs that use a Distributed Antenna System (DAS). Using this parameter in normal operation may cause connectivity problems.

Advertise QBSS Load IE

Shows if the AP has enabled or disabled the advertising of QBSS in the load IE.

High throughput enable (SSID)

Shows if the AP has enabled or disabled the use of its high-throughput SSID in 40 MHz mode.

40 MHz channel usage

Determines if this high-throughput SSID allows high-throughput (802.11n) stations to associate.

MPDU Aggregation

Shows if the AP has enabled or disabled MAC protocol data unit (MPDU) aggregation.

Max transmitted A-MPDU size

Shows the maximum size, in bytes, of an A-MPDU that can be sent on the AP's high-throughput SSID.

Max received A-MPDU size

Shows the maximum size, in bytes, of an Aggregated-MAC Packet Data Unit (A-MPDU) that can be received on the AP's high-throughput SSID.

Min MPDU start spacing

Displays the minimum time between the start of adjacent MPDUs within an aggregate MPDU, in microseconds.

Supported MCS set

Comma-separated list of Modulation Coding Scheme (MCS) values or ranges of values to be supported on this high-throughput SSID.

Short guard interval in 20 MHz mode

Shows if the AP has enabled or disabled use of short guard interval in 20 MHz mode of operation.

Short guard interval in 40 MHz mode

Shows if the AP has enabled or disabled use of short guard interval in 40 MHz mode of operation.


Maximum number of spatial streams usable for STBC transmission

Controls the maximum number of spatial streams usable for STBC transmission. 0 disables STBC transmission, 1 uses STBC for MCS 0-7. Higher MCS values are not supported. (Supported on the OAW-AP90, OAW-AP130 Series, OAW-AP175, OAW-AP68 and OAW-AP105 only. The configured value will be adjusted based on AP capabilities.)

Minimum number of spatial streams usable for STBC transmission

Controls the maximum number of spatial streams usable for STBC reception. 0 disables STBC reception, 1 uses STBC for MCS 0-7. Higher MCS values are not supported. (Supported on the OAW-AP90, OAW-AP130 Series, OAW-AP175, OAW-AP68 and OAW-AP105 only. The configured value will be adjusted based on AP capabilities.)

Legacy stations

Shows if the AP has enabled or disabled the legacy stations option, which controls whether or not legacy (non-HT) stations are allowed to associate with the AP's SSID. By default, legacy stations are allowed to associate. NOTE: This setting has no effect on a BSS in which HT support is not available.

Allow weak encryption

Shows if the AP has enabled or disabled the weak encryption option. The use of TKIP or WEP for unicast traffic forces the use of legacy transmission rates. Disabling this mode prevents the association of stations using TKIP or WEP for unicast traffic. This mode is disabled by default.

Virtual AP enable

Wireless LAN profiles configure WLANs in the form of virtual AP profiles. This parameter shows if the AP has enabled or disabled virtual APs.

Allowed band

Shows the band(s) on which to use the virtual AP:
- a: 802.11a band only (5 GHz)
- g: 802.11b/g band only (2.4 GHz)
- all: both 802.11a and 802.11b/g bands (5 GHz and 2.4 GHz)

VLAN

Shows the VLAN(s) into which users are placed in order to obtain an IP address.

Forward mode

Shows the current forward mode (tunnel, bridge, split-tunnel, or decrypt-tunnel) for the virtual AP. This parameter controls whether 802.11 frames are tunneled to the switch using generic routing encapsulation (GRE), bridged into the local Ethernet LAN (for remote APs), or a combination thereof depending on the destination (corporate traffic goes to the switch, and Internet access remains local). When an AP is configured to use the decrypt-tunnel forwarding mode, that AP decrypts and decapsulates all 802.11 frames from a client and sends the 802.3 frames through the GRE tunnel to the switch, which then applies firewall policies to the user traffic. When the switch sends traffic to a client, the switch sends 802.3 traffic through the GRE tunnel to the AP, which then converts it to encrypted 802.11 and forwards to the client. Only 802.1X authentication is supported when configuring bridge or split tunnel mode.

Deny time range

Shows the time range for which the AP will deny access for a virtual AP.

Mobile IP

Shows if IP mobility has been enabled or disabled for the virtual AP.

HA Discovery on-association

If enabled, home agent discovery is triggered on client association instead of home agent discovery based on traffic from client. Mobility on association can speed up roaming and improve connectivity for clients that do not send many uplink packets to trigger mobility (VoIP clients). Best practice is to keep this parameter disabled, as it increases IP mobility control traffic between switches in the same mobility domain. Enable this parameter only when voice issues are observed in VoIP clients. NOTE: ha-disc-onassoc parameter works only when IP mobility is enabled and configured on the switch.

DoS Prevention

Shows the status of the DoS Prevention option. If enabled, virtual APs ignore deauthentication frames from clients. This prevents a successful deauth attack from being carried out against the AP. This does not affect third-party APs.

Station Blacklisting

Shows if the virtual AP has enabled or disabled detection of denial of service (DoS) attacks, such as ping or SYN floods, that are not spoofed deauth attacks.

Blacklist Time

Shows the number of seconds that a client will be quarantined from the network after being blacklisted.

Authentication Failure Blacklist Time

Shows the time, in seconds, a client is blocked if it fails repeated authentication. If the virtual AP shows a value of 0, a blacklisted client is blocked indefinitely.

Fast Roaming

Shows if the AP has enabled or disabled fast roaming.


Strict Compliance

If enabled, the virtual AP denies client association requests if the AP and client station have no common rates defined. Some legacy client stations which are not fully 802.11-compliant may not include their configured rates in their association requests. Such non-compliant stations may have difficulty associating with APs unless strict compliance is disabled.

VLAN Mobility

Shows if a virtual AP has enabled or disabled VLAN (Layer-2) mobility.

Remote-AP Operation

Shows when the virtual AP operates on a remote AP:
- always: Permanently enables the virtual AP.
- backup: Enables the virtual AP if the remote AP cannot connect to the switch.
- persistent: Permanently enables the virtual AP after the remote AP initially connects to the switch.
- standard: Enables the virtual AP when the remote AP connects to the switch.
A remote AP should use always and backup for bridge SSIDs, and use persistent and standard for 802.1X, tunneled, and split-tunneled SSIDs.

Convert Broadcast ARP requests to unicast

If this option is enabled, all broadcast ARP requests are converted to unicast and sent directly to the client. You can check the status of this option using the show ap active and the show datapath tunnel command. If enabled, the output will display the letter a in the flags column.

Band Steering

Shows if band-steering has been enabled or disabled for a virtual AP. ARM's band steering feature encourages dual-band capable clients to stay on the 5GHz band on dual-band APs. This frees up resources on the 2.4GHz band for single band clients like VoIP phones. Band steering reduces co-channel interference and increases available bandwidth for dual-band clients, because there are more channels on the 5GHz band than on the 2.4GHz band. Dual-band 802.11n-capable clients may see even greater bandwidth improvements, because the band steering feature will automatically select between 40MHz or 20MHz channels in 802.11n networks. This feature is disabled by default, and must be enabled in a Virtual AP profile.

VoIP Call Admission Control

Shows if WiFi VoIP Call Admission Control features are enabled or disabled.

VoIP Bandwidth based CAC

Shows the maximum bandwidth that can be handled by one radio, in kbps.

VoIP Call Capacity

Shows the number of simultaneous calls that can be handled by one radio.

VoIP Bandwidth Capacity (kbps)

Shows the maximum bandwidth that can be handled by one radio, in kbps.


VoIP Call Handoff Reservation

Shows the percentage of call capacity reserved for mobile VoIP clients on call.

VoIP Send SIP 100 Trying

If enabled, the AP sends SIP 100 - trying messages to a call originator to indicate that the call is proceeding. This is useful when the SIP invite may be redirected through a number of servers before reaching the switch.

VoIP Disconnect Extra Call

If enabled, the AP disconnects calls that exceed the high capacity threshold by sending a deauthentication frame.

VOIP TSPEC Enforcement

Shows if validation of TSPEC requests for call admission controls is enabled or disabled.

VOIP TSPEC Enforcement Period

Displays the maximum time for the station to start a call after the TSPEC request.

VoIP Drop SIP Invite and send status code (client)

Displays the status code sent to the client when a SIP Invite is dropped.
- 480: Temporary Unavailable
- 486: Busy Here
- 503: Service Unavailable
- none: Don't send SIP status code

VoIP Drop SIP Invite and send status code (server)

Displays the status code sent to the server when a SIP Invite is dropped.
- 480: Temporary Unavailable
- 486: Busy Here
- 503: Service Unavailable
- none: Don't send SIP status code

Related Commands

Command

ap system-profile
rf dot11g-radio-profile
rf arm-profile
rf ht-radio-profile
wlan ht-ssid-profile
wlan virtual-ap
wlan voip-cac-profile

Description

The output of the show ap config command displays the content of the profile settings for an individual AP or AP group. Use the commands listed above to configure these parameters.

Mode

Enable and Config modes

Command History
Introduced in AOS-W 3.0.
Command Information

Platforms      Licensing              Command Mode
All platforms  Base operating system  Enable or Config mode on master switches
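Because the parameter table above states that show ap config displays the static WEP keys, the WPA hexkey and the WPA passphrase, a captured copy of the output should be redacted before it is stored or shared, and the same pass can flag the weak settings the table describes. The following is an added example, not part of the reference guide or vendor code; the two-column layout, the sample values and all function names are assumptions constructed for illustration.

```python
import re

# Parameters that, per the table above, carry key material in "show ap config" output.
SECRET_PARAMS = {"WEP Key 1", "WEP Key 2", "WEP Key 3", "WEP Key 4",
                 "WPA Hexkey", "WPA Passphrase"}
UNSET = {"", "N/A"}  # assumption: how an unconfigured value is rendered

# Assumed layout: optional indent, parameter name, two or more spaces, value.
LINE = re.compile(r"^(\s*)(.*?)(\s{2,})(.*)$")

# Constructed sample capture (layout and values are illustrative, not real output).
SAMPLE_OUTPUT = """\
Parameter                Value
---------                -----
Telnet                   Enabled
Encryption               static-wep
Allow weak encryption    Enabled
WEP Key 1                0123456789
WEP Key 2                N/A
WPA Passphrase           N/A
Hide SSID                Disabled
"""


def parse_ap_config(text):
    """Return {parameter: value}, skipping the header and separator rows."""
    params = {}
    for line in text.splitlines():
        m = LINE.match(line)
        name, value = (m.group(2), m.group(4).strip()) if m else (line.strip(), "")
        if not name or name == "Parameter" or set(name) <= {"-"}:
            continue
        params[name] = value
    return params


def is_enabled(params, name):
    return params.get(name, "").lower() == "enabled"


def audit(params):
    """Flag settings the parameter descriptions identify as weak."""
    findings = []
    if is_enabled(params, "Telnet"):
        findings.append("Telnet access to the AP is enabled")
    encryption = params.get("Encryption", "")
    if "wep" in encryption.lower() or "tkip" in encryption.lower():
        findings.append(f"Encryption type uses WEP or TKIP: {encryption}")
    if is_enabled(params, "Allow weak encryption"):
        findings.append("Allow weak encryption is enabled (TKIP/WEP stations may associate)")
    for index in range(1, 5):
        name = f"WEP Key {index}"
        if params.get(name, "") not in UNSET:
            findings.append(f"{name} is configured (static WEP)")
    return findings


def redact(text):
    """Mask key material so the captured output can be stored or shared."""
    out = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m and m.group(2) in SECRET_PARAMS and m.group(4).strip() not in UNSET:
            line = m.group(1) + m.group(2) + m.group(3) + "<redacted>"
        out.append(line)
    return "\n".join(out)


if __name__ == "__main__":
    for finding in audit(parse_ap_config(SAMPLE_OUTPUT)):
        print("FINDING:", finding)
    print(redact(SAMPLE_OUTPUT))
```

Run the redaction before the capture leaves the management workstation; the audit works on the unredacted text only because it checks whether a key is set, never its value.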

show ap coverage-holes (deprecated)
show ap coverage holes
Description
Show information for APs that have detected coverage holes in the wireless network.
Command History

Version    Description
AOS-W 2.0  Command introduced
AOS-W 6.1  Command deprecated

show ap database
show ap database {group <group>|inactive|indoor|local|long|outdoor|{page <page>}|sensors [disconnected]|sort-by [ap-group|ap-ip|ap-type|fqln|provisioned|status {up|down}|switch-ip]|sort-direction [ascending|descending]|start <start>|status {up|down}|switch <switch-ipaddr>|unprovisioned|usb}
Description
Show the list of access points in the switch's database.
Syntax

Parameter                 Description
group <group>             Show data for a specified AP group.
inactive                  Show only local APs with no active BSSIDs or wired AP interfaces.
indoor                    Show only APs that have an installation mode set to "indoor."
local                     Show only APs on this switch.
long                      Display the following additional data columns:
                          - Wired MAC Address
                          - Serial #
                          - Slot/Port
                          - FQLN
outdoor                   Show only APs that have an installation mode set to "outdoor."
page <page>               Display a limited number of APs by entering the number of APs to be displayed in the output of this command.
sensors                   Show only RFprotect sensors.
  disconnected            Show only disconnected RFprotect sensors.
sort-by                   Sort the output of this command by a specific data column.
  ap-group                Sort by AP group name.
  ap-ip                   Sort by AP group name.
  ap-type                 Sort by AP model.
  fqln                    Sort by Fully Qualified Location Name (FQLN).
  provisioned             Sort by provisioning statistics.
  status up|down          If used with the sort-by keyword, status sorts the output of the command by status type (up or down). Otherwise, use the status keyword to display APs with the specified status.
  switch-ip               Sort by switch IP address.
sort-direction            Choose sort direction of AP list:
  ascending               Sort AP list in ascending order by name.
  descending              Sort AP list in descending order by name.
start <start>             Start showing the AP index at the specified index number.
status                    Show only APs with a given status as active or inactive.
  down                    Show only APs that are inactive.
  up                      Show only APs that are active.
switch <switch-ip-addr>   Show only APs registered with a specified switch by entering a switch IP address.
unprovisioned             Show only unprovisioned APs (using modifiers).
usb                       Show USB related parameters.

Usage Guidelines
Many of the parameters in this command can be used together to filter a large database of information down to just the AP data you want to see. For example, you can issue the command show ap database group <group> local status up to view a list of local APs within a specific AP group that are reporting an up status. Include the sort-by and sort-direction keywords to specify how the data is sorted in the output of this command.

Example

The output of the command show ap database shows the switch's database of information for APs in the group default. The output also includes a description of the flag types that may appear in the Flags column.

show ap database group default

AP Database
-----------
Name          Group    AP Type  IP Address  Status         Flags  Switch IP
----          -----    -------  ----------  ------         -----  ---------
3.125.141112  default  125      192.0.2.12  Up 1h:48m:27s         10.4.97.4
3.125.142113  default  125      192.0.2.12  Up 1h:43m:6s          10.4.97.6
3.125.242115  default  125      192.0.2.13  Up 1h:41m:18s         10.4.97.10
3.60.161112   default  60       192.0.2.14  Up 1h:43m:20s         10.4.97.4
3.60.202108   default  60       192.0.2.15  Up 8h:7m:4s    R      10.4.97.4
3.61.101100   default  61       192.0.2.16  Up 7h:32m:13s  R      10.4.97.4
3.61.161113   default  61       192.0.2.17  Up 1h:43m:20s         10.4.97.4
3.65.101117   default  65       192.0.2.18  Up 8h:39m:7s   R      10.4.97.4
3.65.121108   default  65       192.0.2.29  Up 1h:55m:14s         10.4.97.4
3.65.292112   default  65       192.0.2.32  Up 1h:43m:42s         10.4.97.10
3.70.102116   default  70       192.0.2.43  Up 8h:23m:17s  R      10.4.97.4
3.70.131107   default  70       192.0.2.44  Up 1h:55m:10s
3.70.172103   default  70       192.0.2.56  Up 1h:42m:24s         10.4.97.6
3.85.152116   default  85       192.0.2.57  Up 1h:42m:56s         10.4.97.6
3.85.252117   default  85       192.0.2.58  Up 1h:43m:18s         10.4.97.10
AP-61-20      default  61       192.0.2.59  Up 21m:36s     o      10.3.47.189

Flags: U = Unprovisioned; N = Duplicate name; G = No such group; L = Unlicensed
       R = Remote AP; I = Inactive; X = Maintenance Mode; P = PPPoE AP
       S = RFprotect Sensor; d = Disconnected Sensor; H = Using 802.11n license
       M = Mesh node; Y = Mesh Recovery i = Indoor; o = Outdoor

Total APs:15
Related Commands
Command                   Description
show ap database-summary  To display a more general summary overview of the AP registered to a switch, use the command show ap database-summary.

Mode
Enable and Config modes

Command History
Version    Modification
AOS-W 3.0  Command introduced
AOS-W 6.2  The usb parameter was introduced

Command Information

Platforms      Licensing              Command Mode
All platforms  Base operating system  Enable or Config mode on master switches
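
The Flags column and the Total APs line in the show ap database output above lend themselves to a scripted inventory check. The following is an added example, not part of this guide or of AOS-W: it parses captured show ap database text, lists APs flagged U, N, G or L, and reports whether the number of parsed rows matches the reported total. The function names, the choice of review flags, the constructed sample rows, and the assumption that AP and group names contain no spaces are all assumptions of this example.

```python
"""Audit captured 'show ap database' text for APs whose flags need follow-up."""
import re

# Flag legend as printed under the AP Database table in this guide.
FLAG_LEGEND = {
    "U": "Unprovisioned", "N": "Duplicate name", "G": "No such group",
    "L": "Unlicensed", "R": "Remote AP", "I": "Inactive",
    "X": "Maintenance Mode", "P": "PPPoE AP", "S": "RFprotect Sensor",
    "d": "Disconnected Sensor", "H": "Using 802.11n license",
    "M": "Mesh node", "Y": "Mesh Recovery", "i": "Indoor", "o": "Outdoor",
}
# Assumption, not from the guide: the flags an inventory review should surface.
REVIEW_FLAGS = {"U", "N", "G", "L"}

IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
UPTIME_RE = re.compile(r"^\d+[dhms](?::\d+[dhms])*$")  # e.g. 1h:48m:27s, 21m:36s
TOTAL_RE = re.compile(r"^Total APs\s*:\s*(\d+)$")

# Constructed sample in the layout of the guide's example (not real output).
SAMPLE = """\
AP Database
-----------
Name      Group    AP Type  IP Address  Status         Flags  Switch IP
----      -----    -------  ----------  ------         -----  ---------
lobby-1   default  125      192.0.2.12  Up 1h:48m:27s         10.4.97.4
branch-7  default  61       192.0.2.16  Up 7h:32m:13s  R      10.4.97.4
spare-3   default  105      192.0.2.40  Up 21m:36s     Ui     10.4.97.4
lobby-1   default  125      192.0.2.41  Up 9m:2s       N      10.4.97.4
dock-2    nogroup  93       192.0.2.42  Down           GL     10.4.97.6

Flags: U = Unprovisioned; N = Duplicate name; G = No such group; L = Unlicensed
       R = Remote AP; I = Inactive; X = Maintenance Mode; P = PPPoE AP
Total APs:5
"""


def parse_ap_database(text):
    """Return (rows, reported_total) parsed from 'show ap database' text."""
    rows, reported_total = [], None
    for line in text.splitlines():
        total = TOTAL_RE.match(line.strip())
        if total:
            reported_total = int(total.group(1))
            continue
        tok = line.split()
        # A data row has name, group, type, AP IP and status as its first five
        # fields; headers, separators and legend lines fail this test.
        if len(tok) < 5 or not IPV4_RE.match(tok[3]) or tok[4] not in ("Up", "Down"):
            continue
        row = {"name": tok[0], "group": tok[1], "ap_type": tok[2], "ip": tok[3],
               "status": tok[4], "uptime": None, "flags": "", "switch_ip": None,
               "unparsed": []}
        # Uptime, flags and switch IP are each optional, so classify by shape.
        for field in tok[5:]:
            if UPTIME_RE.match(field):
                row["uptime"] = field
            elif IPV4_RE.match(field):
                row["switch_ip"] = field
            elif all(ch in FLAG_LEGEND for ch in field):
                row["flags"] += field
            else:
                row["unparsed"].append(field)  # keep it visible, do not guess
        rows.append(row)
    return rows, reported_total


def audit(text):
    """Return (findings, complete).

    findings: list of (name, ip, reasons) for APs carrying a review flag or a
    field the parser did not recognise. complete: True only when the reported
    'Total APs' equals the number of parsed rows, so truncated or paged
    captures are not mistaken for a clean result.
    """
    rows, reported_total = parse_ap_database(text)
    findings = []
    for row in rows:
        reasons = [FLAG_LEGEND[f] for f in row["flags"] if f in REVIEW_FLAGS]
        if row["unparsed"]:
            reasons.append("Unrecognised field(s): " + " ".join(row["unparsed"]))
        if reasons:
            findings.append((row["name"], row["ip"], reasons))
    complete = reported_total is not None and reported_total == len(rows)
    return findings, complete


if __name__ == "__main__":
    found, complete = audit(SAMPLE)
    for name, ip, reasons in found:
        print(f"{name} ({ip}): {', '.join(reasons)}")
    print("capture complete" if complete else "capture incomplete: row count differs from Total APs")
```

Findings are keyed by name and IP address together because an AP flagged N shares its name with another row.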


show ap database-summary
show ap database-summary

Description
Show a general summary of access point information for this switch.

Usage Guidelines
Use this command to show the current number of active APs and Air Monitors. This command is also useful for determining how many unprovisioned APs or duplicate APs are on the network. For full details on each AP registered to a switch, use the command show ap database.

Examples

The output of this command shows that this switch can detect a total of five APs, four up, and one down.

AP Database Summary
-------------------
AP Mode              Total Up  Total Down  Total Upgrading*  Total Rebooting*  RAP Up  RAP Down  RAP Upgrading*  RAP Rebooting*
-------              --------  ----------  ----------------  ----------------  ------  --------  --------------  --------------
Access Points        4         1           0                 0                 0       0         0               0
Air Monitors         0         0           0                 0                 0       0         0               0
Wired Access Points  0         0           0                 0                 0       0         0               0
Mesh Portals         0         0           0                 0                 0       0         0               0
Mesh Points          0         0           0                 0                 0       0         0               0
Spectrum Monitors    1         1           0                 0                 0       0         0               0

*Upgrading and Rebooting counts only reflect APs registered on this switch.

The output of this command includes the following information:

Column      Description
Total Up    Total number of APs with an up status.
Total Down  Total number of APs with a down status.
IPSEC Up    Total number of APs with an active (up) IPsec tunnel.
IPSEC Down  Total number of APs with an inactive (down) IPsec tunnel.

Command History
Introduced in AOS-W 3.0.

Command Information

Platforms      Licensing              Command Mode
All platforms  Base operating system  Enable or Config mode on master switches

show ap debug association-failure (deprecated)
show ap debug association-failure [{ap-name <ap-name>}|{bssid <bssid>}|{client-mac <clientmac>}|{essid <essid>}|{ip-addr <ip-addr>}]
Description
Display association failure information that can be used to troubleshoot problems on an AP.
Command History

Platforms  Licensing
AOS-W 3.0  Command introduced
AOS-W 5.0  Command deprecated

show ap debug bss-config
show ap debug bss-config [ap-name <ap-name>|bssid <bssid>|essid <essid>|ip-addr <ip-addr>|port <port>/<slot>]
Description
Show the configuration for each BSSID of an AP. This information can be used to troubleshoot problems on an AP.
Syntax

Parameter           Description
ap-name <ap-name>   Filter the AP Config table by AP name.
bssid <bssid>       Filter the AP Config table by BSSID. The Basic Service Set Identifier (BSSID) is usually the AP's MAC address.
essid <essid>       Filter the AP Config table by ESSID. An Extended Service Set Identifier (ESSID) is an alphanumeric name that uniquely identifies a wireless network. If the name includes spaces, you must enclose the ESSID in quotation marks.
ip-addr <ip-addr>   Filter the AP Config table by IP address by entering an IP address in dotted-decimal format.
port <port>/<slot>  Filter the AP Config table by port and slot numbers. The slot and port numbers should be separated by a forward slash (/).

Examples

The output of this command shows the AP configuration table for a specific BSSID.

(host) #show ap debug bss-config

Alcatel-Lucent AP Config Table
---------------------
bss                ess    vlan  ip          phy   type  fw-mode  max-cl  rates  tx-rates  preamble  mtu  status  wmm
---                ---    ----  --          ---   ----  -------  ------  -----  --------  --------  ---  ------  ---
00:1a:1e:11:24:c2  cera2  66    10.6.1.203  g-HT  ap    tunnel   64      0x3    0xfff     enable    0    enable  enable
00:1a:1e:8d:5b:11  wpa2   65    10.6.1.198  a-HT  ap    tunnel   20      0x150  0xff0     -         0    enable  enable
00:0b:86:9b:e5:60  guest  63    10.6.14.79  g     ap    tunnel   20      0x2    0x3fe     enable    0    enable  enable
00:1a:1e:97:e5:41  voip   66    10.6.1.199  g-HT  ap    tunnel   20      0xc    0x14c     enable    0    enable  enable
00:1a:1e:11:74:a1  voip   66    10.6.1.197  g-HT  ap    tunnel   20      0xc    0x14c     enable    0    enable  enable
00:1a:1e:11:5f:11  wpa2   65    10.6.1.200  a-HT  ap    tunnel   20      0x150  0xff0     -         0    enable  enable

The output of this command includes the following information:

Column    Description
bss       Basic Service Set (BSS) identifier, which is usually the AP's MAC address.
ess       Extended Service Set (ESS) identifier; a user-defined name for a wireless network.
vlan      The BSSID's VLAN number.
IP        The AP's IP address.
phy       One of the following 802.11 types:
          - a
          - a-HT (high-throughput)
          - g
          - g-HT (high-throughput)
type      This column shows if the BSSID is for an access point (ap) or an air monitor (am).
fw-mode   The configured forward mode for the AP's virtual AP profile.
          - bridge: Bridge locally
          - split-tunnel: Tunnel to switch or NAT locally
          - tunnel: Tunnel to switch
max-cl    The maximum number of clients allowed for this BSSID.
preamble  Shows if short preambles are enabled for 802.11b/g radios. Network performance may be higher when short preamble is enabled. In mixed radio environments, some 802.11b wireless client stations may experience difficulty associating with the AP using a short preamble.
MTU       Maximum Transmission Unit (MTU) size, in bytes. This value describes the greatest amount of data that can be transferred in one physical frame.
status    Shows if this BSSID is enabled or disabled.
wmm       Shows if the BSSID has enabled or disabled WMM, also known as IEEE 802.11e Enhanced Distribution Coordination Function (EDCF). WMM provides prioritization of specific traffic relative to other traffic in the network.

Command History
Introduced in AOS-W 3.0.
Command Information

Platforms      Licensing              Command Mode
All platforms  Base operating system  Enable or Config mode on master switches

show ap debug bss-stats
show ap debug bss-stats [bssid <bssid>]
Description
Show debug and troubleshooting statistics from a specific BSSID of an AP.
Syntax

Parameter      Description
bssid <bssid>  Show data for a specific Basic Service Set Identifier (BSSID) on an AP. An AP's BSSID is usually the AP's MAC address.

Examples

The example below shows part of the output of the command show ap debug bss-stats bssid <bssid>.

(host) #show ap debug bss-stats bssid 00:1a:1e:11:5f:11

BSSID Stats
-----------
Parameter            Value
---------            -----
-------------------  General Per-radio Statistics
-------------------  Transmit specific Statistics
Frames Rcvd For TX   4263
Tx Frames Dropped    613
Frames Transmitted   3650
Success With Retry   0
Tx Mgmt Frames       451975
Beacons Transmitted  447712
Tx Probe Responses   4263
Tx Data Frames       0
Multicast Data       0
Tx CTS Frames        0
Dropped After Retry  613
Dropped No Buffer    0
Missed ACKs          613
Long Preamble        4263
Short Preamble       0
Tx EAPOL Frames      0
Tx 6 Mbps            3650
Tx WMM [VO]          4263
UAPSD OverflowDrop   0
-------------------  Receive specific Statistics
Last SNR             0
Last ACK SNR         23
Last ACK SNR CTL0    15
Last ACK SNR CTL1    22
Last ACK SNR CTL2    15

The output of this command includes the following information:

Parameter            Description
Frames Rcvd For TX   Number of frames received for transmission.
Tx Frames Dropped    Number of transmission frames that were dropped.
Frames Transmitted   Number of frames successfully transmitted.
Success With Retry   Number of frames that were transmitted after being retried.
Tx Mgmt Frames       Number of management frames transmitted.
Beacons Transmitted  Number of beacons transmitted.
Tx Probe Responses   Number of transmitted probe responses.
Tx Data Frames       Number of transmitted data frames.
Multicast Data       Number of multicast and broadcast frames transmitted.
Tx CTS Frames        Number of clear-to-send (CTS) frames transmitted.
Dropped After Retry  Number of frames dropped after an attempted retry.
Dropped No Buffer    Number of frames dropped because the AP's buffer was full.
Missed ACKs          Number of missed acknowledgements (ACKs).
Long Preamble        Number of frames sent with a long preamble.
Short Preamble       Number of frames sent with a short preamble.
Tx EAPOL Frames      Number of Extensible Authentication Protocol over LAN (EAPOL) frames transmitted.
Tx 6 Mbps            Number of frames transmitted at 6 Mbps.
Tx 9 Mbps            Number of frames transmitted at 9 Mbps.
Tx 12 Mbps           Number of frames transmitted at 12 Mbps.
Tx 18 Mbps           Number of frames transmitted at 18 Mbps.
Tx 24 Mbps           Number of frames transmitted at 24 Mbps.
Tx 36 Mbps           Number of frames transmitted at 36 Mbps.
Tx 48 Mbps           Number of frames transmitted at 48 Mbps.
Tx 54 Mbps           Number of frames transmitted at 54 Mbps.
Tx HT 108 Mbps       Number of frames transmitted at 108 Mbps.
Tx HT 120 Mbps       Number of frames transmitted at 120 Mbps.
Tx HT 162 Mbps       Number of frames transmitted at 162 Mbps.
Tx HT 180 Mbps       Number of frames transmitted at 180 Mbps.
Tx HT 216 Mbps       Number of frames transmitted at 216 Mbps.
Tx HT 240 Mbps       Number of frames transmitted at 240 Mbps.
Tx HT 243 Mbps       Number of frames transmitted at 243 Mbps.
Tx HT 270 Mbps       Number of frames transmitted at 270 Mbps.
Tx HT 300 Mbps       Number of frames transmitted at 300 Mbps.
Tx WMM               Number of Wi-Fi Multimedia (WMM) packets transmitted for the following access categories. If the AP has not transmitted packets in a category type, this data row will not appear in the output of the command.
                     - Tx WMM [BE]: Best Effort
                     - Tx WMM [BK]: Background
                     - Tx WMM [VO]: VoIP
                     - Tx WMM [VI]: Video
                     Number of Wi-Fi Multimedia (WMM) VoIP packets transmitted.
UAPSD OverflowDrop   Number of packets dropped due to Unscheduled Automatic Power Save Delivery (U-APSD) overflow.
Last SNR             The last recorded signal-to-noise ratio.
Last SNR CTL0        The signal-to-noise ratio for the last received data packet on the primary (control) channel 0. This parameter is only displayed for APs operating in 40 MHz mode.
Last SNR CTL1        The signal-to-noise ratio for the last received data packet on the secondary (control) channel 1. This parameter is only displayed for APs operating in 40 MHz mode.
Last SNR CTL2        The signal-to-noise ratio for the last received data packet on the secondary (control) channel 2. This parameter is only displayed for APs operating in 40 MHz mode.
Last ACK SNR         Signal-to-noise ratio for the last received ACK packet.
Last ACK SNR CTL0    Signal-to-noise ratio for the last received ACK packet on the primary (control) channel 0. This parameter is only displayed for APs operating in 40 MHz mode.
Last ACK SNR CTL1    Signal-to-noise ratio for the last received ACK packet on the primary (control) channel 1. This parameter is only displayed for APs operating in 40 MHz mode.
Last ACK SNR CTL2    Signal-to-noise ratio for the last received ACK packet on the primary (control) channel 2. This parameter is only displayed for APs operating in 40 MHz mode.
Last ACK SNR EXT0    Signal-to-noise ratio for the last received ACK packet on the secondary (extension) channel 0. This parameter is only displayed for APs operating in 40 MHz mode.
Last ACK SNR EXT1    Signal-to-noise ratio for the last received ACK packet on the secondary (extension) channel 1. This parameter is only displayed for APs operating in 40 MHz mode.
Last ACK SNR EXT2    Signal-to-noise ratio for the last received ACK packet on the secondary (extension) channel 2. This parameter is only displayed for APs operating in 40 MHz mode.
Frames Received      Number of frames received.
Rx Data Frames       Number of data frames received.
Null Data Frames     Number of null data frames received.
Rx Mgmt Frames       Number of management frames received.
Control Frames       Number of control frames received.
Frames To Me         Number of wireless frames received that are addressed to the specified BSSID.
Probe Requests       Number of probe requests.
PS Poll Frames       Number of Power Save poll frames.
Rx 6 Mbps            Number of frames received at 6 Mbps.
Rx 9 Mbps            Number of frames received at 9 Mbps.
Rx 12 Mbps           Number of frames received at 12 Mbps.
Rx 18 Mbps           Number of frames received at 18 Mbps.
Rx 24 Mbps           Number of frames received at 24 Mbps.
Rx 36 Mbps           Number of frames received at 36 Mbps.
Rx 48 Mbps           Number of frames received at 48 Mbps.
Rx 54 Mbps           Number of frames received at 54 Mbps.

Command History
Introduced in AOS-W 3.0.
Command Information

Platforms      Licensing              Command Mode
All platforms  Base operating system  Enable or Config mode on master switches

show ap debug client-mgmt-counters
show ap debug client-mgmt-counters

Description
Show the numbers of each type of message from an AP's clients. This information can be used to troubleshoot problems on an AP.

Examples

The output of the command below shows client management counters.

(host)#show ap debug client-mgmt-counters

Counters
--------
Name                          Value
----                          -----
Validate Client               512
AP Stats Update Message       557750
3087                          6
Tunnel VLAN Membership        4493
Update STA Tunnel Request     229
Update STA Tunnel Response    229
ARM Update                    808921
ARM Propagate                 590567
ARM Neighbor Assigned         55396
STM SAP Down                  19
AP Message                    192
STA On Call Message           12164
STA Message                   19750
STA SIP authenticate Message  10919
STA Deauthenticate            707
Stat Update V3                441447
VoIP CAC State Announcement   37185
Remote AP State               371330
AP Message Response           164
assoc-req                     4358
assoc-resp                    4358
reassoc-req                   950
reassoc-resp                  950
disassoc                      452
deauth                        5117
sapcp                         351131

The output of this command includes the following information:

Parameter                     Description
Validate Client               Number of times a client was validated.
AP Stats Update Message       Number of times an AP updated its statistics with the switch.
3087                          (For internal use only)
Tunnel VLAN Membership        (For internal use only)
Update STA Tunnel Request     (For internal use only)
Update STA Tunnel Response    (For internal use only)
ARM Update                    Number of times an AP has changed its adaptive radio management (ARM) settings.
ARM Propagate                 (For internal use only)
ARM Neighbor Assigned         (For internal use only)
STM SAP Down                  (For internal use only)
AP Message                    (For internal use only)
STA On Call Message           Number of counters indicating that a station has an active phone call
STA Message                   (For internal use only)
STA SIP authenticate Message  Number of messages indicating that a telephone has completed SIP registration and authentication.
STA Deauthenticate            Number of times a station sent a message to an AP to deauthenticate a client.
Stat Update V3                (For internal use only)
VoIP CAC State Announcement   Number of times a switch announces a call admission control (CAC) state change to the AP. Changes in CAC state could include the ability of call admission controls to accept more or fewer calls than previously configured.
Remote AP State               (For internal use only)
AP Message Response           (For internal use only)
assoc-req                     Number of 802.11 association request management frames from the switch.
assoc-resp                    Number of 802.11 association responses to the switch.
reassoc-req                   Number of 802.11 reassociation requests to the switch.
reassoc-resp                  Number of 802.11 reassociation responses from the switch.
disassoc                      Number of 802.11 disassociation messages to the switch.
deauth                        Number of 802.11 deauthorization messages from the switch.
sapcp                         (For internal use only)

Command History
Introduced in AOS-W 3.0.
Command Information

Platforms      Licensing              Command Mode
All platforms  Base operating system  Enable or Config mode on master switches

show ap debug client-stats
show ap debug client-stats <client-mac>

Description
Show detailed statistics about a client.

Example
The command below displays statistics for packets received from and transmitted to the specified client.

(host) #show ap debug client-stats 00:19:7e:89:fa:e7

Station Stats
-------------
Parameter            Value
---------            -----
-------------------  General Per-radio Statistics
-------------------  Transmit specific Statistics
Frames Rcvd For TX   22
Tx Frames Dropped    0
Frames Transmitted   22
Success With Retry   1
Tx Mgmt Frames       2
Tx Probe Responses   0
Tx Data Frames       20
Tx CTS Frames        0
Dropped After Retry  0
Dropped No Buffer    0
Missed ACKs          1
Long Preamble        22
Short Preamble       0
Tx EAPOL Frames      13
Tx 6 Mbps            15
Tx 48 Mbps           5
Tx 54 Mbps           2
Tx WMM [VO]          15
UAPSD OverflowDrop   0
-------------------  Receive specific Statistics
Last SNR             31
Last SNR CTL0        28
Last SNR CTL1        25
Last SNR CTL2        22
Last ACK SNR         32
Last ACK SNR CTL0    30
Last ACK SNR CTL1    28
Last ACK SNR CTL2    21
Last ACK SNR EXT0    5
Last ACK SNR EXT1    4
Frames Received      2932
Rx Data Frames       2930
Null Data Frames     2879
Rx Mgmt Frames       1
PS Poll Frames       0
Rx 6 Mbps            14
Rx 12 Mbps           6
Rx 18 Mbps           5
Rx 24 Mbps           2
Rx 36 Mbps           13
Rx 48 Mbps           1162
Rx 54 Mbps           1730
Rx WMM [BE]          39

The output of this command includes the following information:

Parameter            Description
Frames Rcvd For TX   Number of frames received for transmission.
Tx Frames Dropped    Number of transmission frames that were dropped.
Frames Transmitted   Number of frames successfully transmitted.
Success With Retry   Number of frames that were transmitted after being retried.
Tx Mgmt Frames       Number of management frames transmitted.
Tx Probe Responses   Number of transmitted probe responses.
Tx Data Frames       Number of transmitted data frames.
Tx CTS Frames        Number of clear-to-send (CTS) frames transmitted.
Dropped After Retry  Number of frames dropped after an attempted retry.
Dropped No Buffer    Number of frames dropped because the AP's buffer was full.
Missed ACKs          Number of missed acknowledgements (ACKs).
Long Preamble        Number of frames sent with a long preamble.
Short Preamble       Number of frames sent with a short preamble.
Tx EAPOL Frames      Number of Extensible Authentication Protocol over LAN (EAPOL) frames transmitted.
Tx <n> Mbps          Number of frames transmitted at <n> Mbps, where <n> is a value between 6 and 300.
Tx WMM               Number of Wi-Fi Multimedia (WMM) packets transmitted for the following access categories. If the AP has not transmitted packets in a category type, this data row will not appear in the output of the command.
                     - Tx WMM [BE]: Best Effort
                     - Tx WMM [BK]: Background
                     - Tx WMM [VO]: VoIP
                     - Tx WMM [VI]: Video
UAPSD OverflowDrop   Number of packets dropped due to Unscheduled Automatic Power Save Delivery (U-APSD) overflow.
Last SNR             The last recorded signal-to-noise ratio.
Last SNR CTL0        The signal-to-noise ratio for the last received data packet on the primary (control) channel 0. This parameter is only displayed for APs operating in 40 MHz mode.
Last SNR CTL1        The signal-to-noise ratio for the last received data packet on the secondary (control) channel 1. This parameter is only displayed for APs operating in 40 MHz mode.
Last SNR CTL2        The signal-to-noise ratio for the last received data packet on the secondary (control) channel 2. This parameter is only displayed for APs operating in 40 MHz mode.
Last ACK SNR         Signal-to-noise ratio for the last received ACK packet.
Last ACK SNR CTL0    Signal-to-noise ratio for the last received ACK packet on the primary (control) channel 0. This parameter is only displayed for APs operating in 40 MHz mode.
Last ACK SNR CTL1    Signal-to-noise ratio for the last received ACK packet on the primary (control) channel 1. This parameter is only displayed for APs operating in 40 MHz mode.
Last ACK SNR CTL2    Signal-to-noise ratio for the last received ACK packet on the primary (control) channel 2. This parameter is only displayed for APs operating in 40 MHz mode.
Last ACK SNR EXT0    Signal-to-noise ratio for the last received ACK packet on the secondary (extension) channel 0. This parameter is only displayed for APs operating in 40 MHz mode.
Last ACK SNR EXT1    Signal-to-noise ratio for the last received ACK packet on the secondary (extension) channel 1. This parameter is only displayed for APs operating in 40 MHz mode.
Frames Received      Number of frames received.
Rx Data Frames       Number of data frames received.
Null Data Frames     Number of null data frames received.
Rx Mgmt Frames       Number of management frames received.
PS Poll Frames       Number of power save poll frames received.
Rx <n> Mbps          Number of frames received at <n> Mbps, where <n> is a value between 6 and 300.
Tx WMM               Number of Wi-Fi Multimedia (WMM) packets transmitted for the following access categories. If the AP has not transmitted packets in a category type, this data row will not appear in the output of the command.
                     - Tx WMM [BE]: Best Effort
                     - Tx WMM [BK]: Background
                     - Tx WMM [VO]: VoIP
                     - Tx WMM [VI]: Video

Command History
Introduced in AOS-W 3.0.
Command Information

Platforms      Licensing              Command Mode
All platforms  Base operating system  Enable or Config mode on master switches

show ap debug client-table
show ap debug client-table [ap-name <ap-name>|bssid <bssid>|ip-addr <ip-addr>]
Description
Show clients associated to an AP.
Syntax

Parameter          Description
ap-name <ap-name>  Filter the AP Config table by AP name.
bssid <bssid>      Filter the AP Config table by BSSID. The Basic Service Set Identifier (BSSID) is usually the AP's MAC address.
ip-addr <ip-addr>  Filter the AP Config table by IP address by entering an IP address in dotted-decimal format.

Usage Guidelines
The Tx_Rate, Rx_Rate, Last_ACK_SNR, and Last_Rx_SNR columns shown in the output of this command display valuable troubleshooting information for clients trying to connect to a specific AP. Use this command to verify that the transmit (Tx_Rate) and receive (Rx_Rate) rates are not too low, and that the signal-to-noise (SNR) ratio is acceptable.

Examples

The example below shows part of the AP configuration table for a specific BSSID. Additional parameters not displayed are described in the table below.

(host) #show ap debug client-table ap-name AP12

MAC                ESSID  BSSID              Assoc_State  HT_State  AID  PS_State  UAPSD            Tx_Pkts  Rx_Pkts  PS_Qlen  Tx_Retr
---                -----  -----              -----------  --------  ---  --------  -----            -------  -------  -------  -------
00:17:f2:4d:01:e2  wpa2   00:1a:1e:11:5f:11  Associated   None      0x1  Awake     (0,0,0,0,N/A,0)  31463    22821    0        4289
00:14:a4:25:72:6d  wpa2   00:1a:1e:11:5f:11  Associated   None      0x2  Awake     (0,0,0,0,N/A,0)  24691    45215    0        944
00:19:7e:66:89:38  wpa2   00:1a:1e:11:5f:11  Associated   None      0x4  Awake     (0,0,0,0,N/A,0)  7031     24739    0        671
00:16:cf:bc:0e:ce  wpa2   00:1a:1e:11:5f:11  Associated   None      0x5  Awake     (0,0,0,0,N/A,0)  3920     14797    0        286
00:19:7d:d6:74:93  wpa2   00:1a:1e:11:5f:11  Associated   None      0x7  Awake     (0,0,0,0,N/A,0)  2530     8034     0        365

UAPSD:(VO,VI,BK,BE,Max SP,Q Len)
HT Flags: A - LDPC Coding; W - 40Mhz; S - Short GI; M - Max A-MSDU
          D - Delayed BA; G - Greenfield; R - Dynamic SM PS
          Q - Static SM PS; N - A-MPDU disabled

The output of this command includes the following information:

Parameter    Description
MAC          MAC address of a client.
ESSID        Extended Service Set identifier (ESSID) used by the client. An ESSID is a user-defined name for a wireless network.
BSSID        Basic Service Set identifier for the client.
Assoc_State  Shows whether or not the client is currently authorized and/or associated with the AP.
HT_State     Shows the client's high-throughput (802.11n) transmission type:
             - none: AP is a legacy AP that does not support the 802.11n standard.
             - 20Mhz: A high-throughput AP using a single 20 MHz channel.
             - 40Mhz: A high-throughput AP using two 20 MHz channels.
AID          802.11 association ID. A client receives a unique 802.11 association ID when it associates to an AP.
UAPSD        This parameter shows the following values for Unscheduled Automatic Power Save Delivery (UAPSD) in comma-separated format: VO, VI, BK, BE, Max SP, Q Len.
             - VO: If 1, UAPSD is enabled for the VoIP access category. If UAPSD is disabled for this access category, this value is 0.
             - VI: If 1, UAPSD is enabled for the Video access category. If UAPSD is disabled for this access category, this value is 0.
             - BK: If 1, UAPSD is enabled for the Background access category. If UAPSD is disabled for this access category, this value is 0.
             - BE: If 1, UAPSD is enabled for the Best Effort access category. If UAPSD is disabled for this access category, this value is 0.
             - Max SP: The maximum service period is the number of frames sent per trigger packet. This value can be 0, 2, 4 or 8.
             - Q Len: The number of frames currently queued for the client, from 0 to 16 frames.
Tx_Pkts      Number of packets transmitted by the client.
Rx_Pkts      Number of packets received by the client.
PS-Qlen      Power save queue length, in bytes.
Tx_Retries   Number of packets that the client had to resend due to an initial transmission failure.

Command History
Introduced in AOS-W 3.0.
Command Information

Platforms      Licensing              Command Mode
All platforms  Base operating system  Enable or Config mode on master switches

show ap debug counters
show ap debug counters {ap-name <ap-name>|bssid <bssid>|group <group>|ip-addr <ip-addr>}
Description
Show AP reboot/bootstrap counters, and crash information for an individual AP or AP group, or all APs referenced on the switch.
Syntax

Parameter          Description
ap-name <ap-name>  Show debug counters for an AP with a specified name.
bssid <bssid>      Show debug counters for a specific Basic Service Set Identifier (BSSID). The Basic Service Set Identifier (BSSID) is usually the AP's MAC address.
group <group>      Show debug counters for an AP group.
ip-addr <ip-addr>  Show debug counters for an AP with a specified IP address by entering an IP address in dotted-decimal format.

Example

The output of this command shows how many times each AP has rebooted (a hard boot) or bootstrapped (a soft boot), the number of configuration changes sent and acknowledged by that AP, and whether or not the AP rebooted due to a kernel crash.

In this example, the output has been divided into multiple sections to better fit on the pages of this document. In the actual command-line interface, it will appear in a single, long table.

(host) #show ap debug counters group corp1

AP Counters
-----------
Name  Group  IP Address  Configs Sent  Configs Acked
----  -----  ----------  ------------  -------------
AL1   corp1  10.6.1.209  1597          1597
AL10  corp1  10.6.1.198  165           165
AL12  corp1  10.6.1.200  195           195
AL15  corp1  10.6.1.197  1580          1580
AL16  corp1  10.6.1.199  73            73
AL19  corp1  10.6.1.212  8             8

AP Boots Sent  AP Boots Acked  Bootstraps (Total)  Reboots  Crash
-------------  --------------  ------------------  -------  -----
0              0               1          (1)      0        N
0              0               2          (2)      1        Y
0              0               1          (1)      0        N
0              0               1          (1)      0        N
0              0               1          (1)      0        N
0              0               1          (1)      0        N

Total APs :6

The output of this command includes the following information:

AOS-W 6.2 | Reference Guide

show ap debug counters | 737

Column

Description

Name

Name of the AP.

Group

Name of the AP's group.

IP Address

IP address of the AP.

Configs Sent

Number of times configuration changes have been sent to the AP.

Configs Acked

Number of times that the AP has acknowledged receiving a configuration change.

AP Boots Sent

Number of times reboot requests have been sent to the AP.

AP Boots Acked

Number of times that the AP has acknowledged receiving a reboot request.

Bootstraps

Number of times the AP bootstrapped since AP reboot. Bootstraps are also known as "soft" restarts.

Total Bootstraps

Total number of times the AP bootstrapped since AP image upgrade.

Reboots

Number of times power to the AP cycled off and then on again since image upgrade. Reboots are also known as "hard" restarts.

Crash

Indicates whether or not the AP was rebooted due to a kernel crash. Use show ap debug crash-info to view the crash signature.
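The columns described above can be checked automatically over captured output: a Y in the Crash column, or a "Sent" counter that runs ahead of its "Acked" counter. The following Python is an added example, not part of the AOS-W guide or software. Its sample is constructed from the example values above in the single-table layout the CLI prints (the exact column spacing is an assumption), with AL16's Configs Acked changed to 72 so that the mismatch check has something to report.

```python
import re

# Constructed sample: the guide's example values laid out as the single long
# table the CLI prints (exact column spacing is an assumption). AL16's
# "Configs Acked" is changed to 72 (constructed) so the mismatch check fires.
SAMPLE = """\
AP Counters
-----------
Name  Group  IP Address  Configs Sent  Configs Acked  AP Boots Sent  AP Boots Acked  Bootstraps (Total)  Reboots  Crash
----  -----  ----------  ------------  -------------  -------------  --------------  ------------------  -------  -----
AL1   corp1  10.6.1.209  1597          1597           0              0               1 (1)               0        N
AL10  corp1  10.6.1.198  165           165            0              0               2 (2)               1        Y
AL12  corp1  10.6.1.200  195           195            0              0               1 (1)               0        N
AL15  corp1  10.6.1.197  1580          1580           0              0               1 (1)               0        N
AL16  corp1  10.6.1.199  73            72             0              0               1 (1)               0        N
AL19  corp1  10.6.1.212  8             8              0              0               1 (1)               0        N

Total APs :6
"""


def parse_fixed_width(text):
    """Parse a dash-ruled CLI table into a list of {column: cell} dicts."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        groups = list(re.finditer(r"-+", line))
        # The column ruler is only dashes and spaces and has several dash
        # groups; the underline beneath the table title has just one.
        if i > 0 and len(groups) > 1 and set(line) <= {"-", " "}:
            break
    else:
        raise ValueError("no column ruler found")
    starts = [g.start() for g in groups]
    ends = starts[1:] + [None]  # each cell runs up to the next column start
    names = [lines[i - 1][s:e].strip() for s, e in zip(starts, ends)]
    rows = []
    for line in lines[i + 1:]:
        if not line.strip() or line.startswith("Total APs"):
            break
        rows.append({n: line[s:e].strip() for n, s, e in zip(names, starts, ends)})
    return rows


def split_bootstraps(cell):
    """'2 (2)' -> (bootstraps since reboot, total since image upgrade)."""
    m = re.fullmatch(r"(\d+)\s*\((\d+)\)", cell)
    if not m:
        raise ValueError(f"unexpected Bootstraps cell: {cell!r}")
    return int(m.group(1)), int(m.group(2))


def review(rows):
    """Return (ap, finding, detail) tuples for rows that need follow-up."""
    findings = []
    for r in rows:
        ap = r["Name"]
        since_reboot, total = split_bootstraps(r["Bootstraps (Total)"])
        if r["Crash"].upper() == "Y":
            # Crash data is cleared from flash when the AP reboots again, so
            # this is the cue to run 'show ap debug crash-info' promptly.
            detail = f"reboots={int(r['Reboots'])} bootstraps={since_reboot}/{total}"
            findings.append((ap, "kernel-crash", detail))
        unacked = int(r["Configs Sent"]) - int(r["Configs Acked"])
        if unacked:
            findings.append((ap, "configs-unacked", unacked))
        boots = int(r["AP Boots Sent"]) - int(r["AP Boots Acked"])
        if boots:
            findings.append((ap, "boots-unacked", boots))
    return findings


if __name__ == "__main__":
    for ap, finding, detail in review(parse_fixed_width(SAMPLE)):
        print(f"{ap}: {finding} ({detail})")
```

Slicing each row at the ruler's column starts keeps cells that contain a space, such as "1 (1)", in one piece, which a plain whitespace split would break apart.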

Command History
Introduced in AOS-W 3.0.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Enable or Config mode on master switches


show ap debug crash-info
show ap debug crash-info {ap-name <ap-name>|ip-addr <ip-addr>}
Description
Show crash log information (if it exists) for an individual AP. The stored information is cleared from the flash after the AP reboots.
Syntax

Parameter

Description

ap-name <ap-name>

Show crash information for an AP with a specified name.

ip-addr <ip-addr>

Show crash information for an AP with a specified IP address by entering an IP address in dotted-decimal format.

Example
The output of this command shows partial sample crash log information for an AP named MyAP.

(host) #show ap debug crash-info ap-name MyAP

<4>AOS-W Version x.x.x.x (build xxxx / label #xxxx)
<4>Built by p4build@cartman on 2012-07-29 at 14:44:06 PST (gcc version x.x.x Cavium Networks Version: 1.4.0, build 58)
<4>CVMSEG size: 2 cache lines (256 bytes)
<4>Setting flash physical map for 16MB flash at 0x1ec00000
<4>Determined physical RAM map:
<7>On node 0 totalpages: 16384
<7> DMA zone: 16384 pages, LIFO batch:3
<7> DMA32 zone: 0 pages, LIFO batch:0
<7> Normal zone: 0 pages, LIFO batch:0
<7> HighMem zone: 0 pages, LIFO batch:0
<4>Primary instruction cache 32kB, virtually tagged, 4 way, 64 sets, linesize 128 bytes.
<4>Primary data cache 16kB, 64-way, 2 sets, linesize 128 bytes.
<4>Using 500.000 MHz high precision timer. cycles_per_jiffy=1000000
<6>Memory: 56636k/65536k available (1925k kernel code, 8840k reserved, 575k data, 2716k init, 0k highmem)
<4>Calibrating delay using timer specific routine.. 1000.32 BogoMIPS (lpj=1000322)
<4> available.
<4>Checking for the multiply/shift bug... no.
<4>Checking for the daddi bug... no.
<4>Checking for the daddiu bug... no.
<5>detected lzma initramfs
<5>initramfs: LZMA lc=3,lp=0,pb=2,dictSize=8388608,origSize=15217664
<5>LZMA initramfs

Command History
Introduced in AOS-W 5.0.


Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Enable or Config mode on master switches


show ap debug datapath
show ap debug datapath {ap-group <ap-group>|ap-name <ap-name>|bssid <bssid>|ip-addr <ip-addr>}
Description
Show datapath tunnel parameters of an AP or AP group.
Syntax

Parameter

Description

ap-group <ap-group>

Show data path information for a specific AP group.

ap-name <ap-name>

Show data path information for an AP with a specific name.

bssid <bssid>

Show data path information for a specific Basic Service Set Identifier (BSSID). The Basic Service Set Identifier (BSSID) is usually the AP's MAC address.

ip-addr <ip-addr>

Show data path information for an AP with a specific IP address by entering an IP address in dotted-decimal format.

Example
The output of the following command shows datapath tunnel parameters for an AP with the IP address 192.0.2.32.

(host) #show ap debug datapath ip-addr 192.0.2.32

Datapath Parameters Table
-------------------------
essid  encr-alg        client-vlan-id  tunnel-id  gre-type  deny-bcast  num-clients
-----  --------        --------------  ---------  --------  ----------  -----------
guest  Open            63              0x10f6     0x8300    disable     0
voip   WPA2 8021X AES  66              0x1103     0x8310    disable     7
corp   WPA2 PSK AES    66              0x10f1     0x8320    disable     0
guest  Open            63              0x10f7     0x8200    disable     1
wpa2   WPA2 8021X AES  65              0x10be     0x8210    enable      15

The output of this command includes the following information:

Column

Description

ESSID

The Extended Service Set Identifier is a unique name that identifies a wireless network.

encr-alg

Encryption algorithm used by the network.

client-vlan-id

ID of the network VLAN.

tunnel-id

Identification number of the AP's tunnel.

gre-type

GRE tunnel type.

deny-bcast

If enabled, the AP will respond to broadcast probe requests. If disabled, the AP will not respond to these requests.

num-clients

Number of clients currently using the network.


Command History
Introduced in AOS-W 3.0.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Enable or Config mode on master switches


show ap debug driver-log
show ap debug driver-log {ap-name <ap-name>|bssid <bssid>|ip-addr <ip-addr>}
Description
Show an AP's driver logs.
Syntax

Parameter

Description

ap-name <ap-name>

Show log information for an AP with a specific name.

bssid <bssid>

Show log information for a specific Basic Service Set Identifier (BSSID). The Basic Service Set Identifier (BSSID) is usually the AP's MAC address.

ip-addr <ip-addr>

Show log information for an AP with a specific IP address by entering an IP address in dotted-decimal format.

Usage Guidelines
Use this command to review configuration changes made since the AP was last reset.
Command History
Introduced in AOS-W 3.0.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Enable or Config mode on master switches


show ap debug log
show ap debug log {ap-group <ap-group>|ap-name <ap-name>|bssid <bssid>|ip-addr <ip-addr>}
Description
Show an AP's debug log.
Syntax

Parameter

Description

ap-name <ap-name>

Show log information for an AP with a specific name.

bssid <bssid>

Show log information for a specific Basic Service Set Identifier (BSSID). The Basic Service Set Identifier (BSSID) is usually the AP's MAC address.

ip-addr <ip-addr>

Show log information for an AP with a specific IP address by entering an IP address in dotted-decimal format.

Usage Guidelines
An AP's log files show configuration changes since the AP was last reset.
Command History
Introduced in AOS-W 3.0.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Enable or Config mode on master switches


show ap debug mgmt-frames (deprecated)

Description
Show traced 802.11 management frames.
Command History

Version

Modification

AOS-W 3.0

Command Introduced

AOS-W 5.0

Command deprecated


show ap debug radio-stats
show ap debug radio-stats {ap-name <ap-name>|ip-addr <ip-addr>} radio {0|1} [advanced]
Description
Show aggregate radio debug statistics of an AP.
Syntax

Parameter

Description

ap-name <ap-name>

Show log information for an AP with a specific name.

ip-addr <ip-addr>

Show log information for an AP with a specific IP address by entering its IP address in dotted-decimal format.

radio {0|1}

Specify the ID number of the radio for which you want to view statistics.

advanced

Include this parameter to display additional radio statistics.

Example

The output of this command displays general statistics for the radio, as well as statistics for transmitted and received frames.

(host) #show ap debug radio-stats ap-name AP12 radio 1

RADIO Stats
-----------
Parameter            Value
---------            -----
------------------- General Per-radio Statistics
Total Radio Resets   0
Resets Beacon Fail   0
TX Power Changes     5
Channel Changes      2
Radio Band Changes   0
Current Noise Floor  95
11g Protection       0
------------------- Transmit specific Statistics
Frames Rcvd For TX   2452151
Tx Frames Dropped    1736429
Frames Transmitted   4247212
...

If you include the advanced option at the end of the show ap debug radio-stats command, the output of this command will include all the following parameters. If you omit the advanced option, the output will include less information, and the data will be displayed in a different order.

Parameter

Description

Total Radio Resets

Total number of times the radio reset.

Resets Beacon Fail

Number of times the radio reset due to beacon failure.


Resets BeacQ Stuck

An AP's radio typically sends a beacon every 100 milliseconds. If beacons are not sent at a regular interval or the radio experiences excessive noise, the beacon queue will reset. This parameter indicates the number of queue resets.

Resets Fatal Intr

Number of times the radio was reset because the AP hardware was unresponsive.

Resets RX Overrun

The number of radio resets due to Receive FIFO overruns.

Resets RF Gain

Number of radio resets due to gain changes.

Resets MTU Change

Number of times the radio reset due to a change in the Maximum Transmission Unit (MTU) value.

Resets TX Timeouts

Number of radio resets due to transmission timeouts (the radio doesn't transmit a signal within the required time frame).

POE-Related Resets

If the radio power profile drops, an OAW-AP125 may not be able to support three transmit chains, and may drop to two chains only. This parameter displays the number of resets due to this type of power change.

External Reset

Number of times the AP has been reset because it was unplugged or its reset button was pressed.

TX Power Changes

Number of times the radio's transmission power changed.

Channel Changes

Number of times the radio's channel changed.

Radio Band Changes

Number of times the radio's band changed.

Current Noise Floor

The residual background noise detected by an AP.
NOTE: Noise seen by an AP is reported as -dBm. Therefore, a noise floor of -100 dBm is smaller (lower) than a noise floor of -50 dBm. For most environments, the noise floor should be no greater than -80 dBm. Anything larger may indicate an interference problem which is drowning out good signals (data) in background noise.

Avail TX Buffers

An AP has a set number of buffers which it can use to buffer frames for nonresponsive power save clients. The total number of buffer frames depends upon the AP model type.

11g Protection

This parameter shows whether 802.11g protection has been enabled or disabled.

Last TX Antenna

This parameter indicates whether the last frame transmitted was sent on antenna 1 or antenna 0. This parameter can be useful for troubleshooting external antennas.

Last RX Antenna

This parameter indicates whether the last frame received was via antenna 1 or antenna 0. This parameter can be useful for troubleshooting external antennas.

Scan Requests

Total number of scan requests received by the AP.

Scan Rejects

Total number of scans rejected by the AP.


Load aware Scan Rejects

Load aware ARM preserves network resources during periods of high traffic by temporarily halting scanning if the load for the AP gets too high. The load aware Scan Rejects parameter shows the number of times the AP has rejected a scan because of the load aware scan feature.

PS aware Scan Rejects

If the ARM power-save aware scan feature is enabled, the AP will not scan a different channel if it has one or more clients and is in power save mode. The ps aware Scan Rejects parameter shows the number of times the AP has rejected a scan because of the power-save aware scan feature.

Voice aware Scan Rejects

If you enable the VoIP Aware Scan feature in the AP's ARM profile, the AP will not attempt to scan a different channel if one of its clients has an active VoIP call. This Voice aware scan Rejects parameter shows the number of times the AP has rejected a scan because of the Voip aware scan feature.

Scan Success

Number of successful scans. To view scan details, use the command show ap arm scan-times.

EIRP

The value of this parameter is the transmission power level (in dBm) + the antenna gain value.

MAX EIRP

The max EIRP depends on AP capability and the regulatory domain constraint for the channel of operation. For example, in the US, channels 36-48 have a max EIRP of 23 dBm.

UAPSD Flush STA Wake

Number of times a client wakes from power-save mode and flushes the UAPSD queue.

UAPSD SP Set

The number of unique UAPSD Scheduled Periods started in response to UAPSD trigger frames.

UASPD Dup Trig

The number of times duplicate UAPSD trigger frames are received (i.e., retried UAPSD triggers that were received by the AP more than once).

UAPSD Recv frame for TX

The number of frames received for transmission over the air interface using UAPSD.

UAPSD Ageout Drain

The number of times the UAPSD queue is drained (i.e. frames are dropped) due to ageout.

UAPSD TX proc comp

The number of UAPSD frames that were successfully transmitted

UAPSD SP In prog

The number of times a trigger frame was received while a Scheduled Period (SP) was already in progress based on an earlier trigger frame.

UAPSD QOS NULL TX

The number of times the AP had to respond with a QoS Null Data frame in response to a UAPSD trigger because the AP did not have a Data frame queued for that client.

UAPSD TX HW Queued

The number of frames (Data and Null Data) that were transferred to the radio HW for transmission, in response to UAPSD triggers.

UAPSD SP Reset

The number of times the UAPSD Scheduled Period (SP) in progress is reset or cancelled.

Frames Rcvd For TX

Number of frames received for transmission.

Tx Frames Dropped

Number of transmission frames that were dropped.


Frames Transmitted

Number of frames successfully transmitted.

PS Unicast

Number of power save unicast frames.

DTIM Broadcast

Number of broadcast frames with DTIM values.

Success With Retry

Number of frames that were transmitted after being retried.

Tx Mgmt Frames

Number of management frames transmitted.

Beacons Transmitted

Number of beacons transmitted.

Tx Probe Responses

Number of transmitted probe responses.

Tx Data Frames

Number of transmitted data frames.

Multicast Data

Number of multicast and broadcast frames transmitted.

Tx CTS Frames

Number of clear-to-send (CTS) frames transmitted.

DTIM Timeouts

Number of broadcast frames with DTIM data that were not answered by a client.

Dropped After Retry

Number of frames dropped after an attempted retry.

Dropped No Buffer

Number of frames dropped because the AP's buffer was full.

Dropped UAPSD

Number of dropped Unscheduled Automatic Power Save Delivery (UAPSD) frames.

Missed ACKs

Number of missed acknowledgement frames.

Failed Beacons

Number of times a radio failed to transmit a beacon at the scheduled interval (100ms).

Multi-Beacon Fail

Number of times multiple consecutive beacons failed to transmit.

Long Preamble

Number of frames sent with a long preamble.

Short Preamble

Number of frames sent with a short preamble.

Beacon Interrupts

Number of broadcast beacons that were interrupted.

TX Interrupts

Number of transmission interrupts.

FIFO Underrun

The number of Receive FIFO overruns.

Allocated Desc

Number of allocated transmit descriptors.

Freed Desc

Number of freed transmit descriptors.

Tx EAPOL Frames

Number of Extensible Authentication Protocol over LAN (EAPOL) frames transmitted.

Tx AGGR Good

Number of aggregated frames successfully transmitted.

Tx AGGR Unaggr

Number of non-aggregate frames transmitted due to unavailability of additional frames for aggregation at the time of transmission.


Tx <number> Mbps

Number of frames transmitted at the specified rate (in Mbps).

Tx <number> Mbps [Long]

Number of frames with a long preamble transmitted at the specified rate.

Tx <number> Mbps [Short]

Number of frames with a short preamble transmitted at the specified rate.

Tx HT <number> Mbps

Number of high-throughput frames transmitted at the specified rate.

Tx WMM

Number of Wifi Multimedia (WMM) packets transmitted for the following access categories. If the AP has not transmitted packets in a category type, this data row will not appear in the output of the command.
Tx WMM [BE]: Best Effort
Tx WMM [BK]: Background
Tx WMM [VO]: VoIP
Tx WMM [VI]: Video

UAPSD OverflowDrop

Number of packets dropped due to Unscheduled Automatic Power Save Delivery (U-APSD) overflow.

TX Timeouts

Number of transmission timeouts

Lost Carrier Events

Number of carrier sense timeouts.

Last SNR

The last recorded signal-to-noise ratio.

Last SNR CTL0

The signal-to-noise ratio for the last received data packet on the primary (control) channel 0. This parameter is only displayed for APs operating in 40 Mhz mode.

Last SNR CTL1

The signal-to-noise ratio for the last received data packet on the secondary (control) channel 1. This parameter is only displayed for APs operating in 40 Mhz mode.

Last SNR CTL2

The signal-to-noise ratio for the last received data packet on the secondary (control) channel 2. This parameter is only displayed for APs operating in 40 Mhz mode.

Last SNR EXT0

Signal-to-noise ratio for the last received ACK packet on the secondary (extension) channel 0. This parameter is only displayed for APs operating in 40 Mhz mode.

Last SNR EXT1

Signal-to-noise ratio for the last received ACK packet on the secondary (extension) channel 1. This parameter is only displayed for APs operating in 40 Mhz mode.

Last SNR EXT2

Signal-to-noise ratio for the last received ACK packet on the secondary (extension) channel 2. This parameter is only displayed for APs operating in 40 Mhz mode.

Last ACK SNR

Signal-to-noise ratio for the last received ACK packet.

Last ACK SNR CTL0

Signal-to-noise ratio for the last received ACK packet on the primary (control) channel 0. This parameter is only displayed for APs operating in 40 Mhz mode.

Last ACK SNR CTL1

Signal-to-noise ratio for the last received ACK packet on the primary (control) channel 1. This parameter is only displayed for APs operating in 40 Mhz mode.


Last ACK SNR CTL2

Signal-to-noise ratio for the last received ACK packet on the primary (control) channel 2. This parameter is only displayed for APs operating in 40 Mhz mode.

Last ACK SNR EXT0

Signal-to-noise ratio for the last received ACK packet on the secondary (extension) channel 0. This parameter is only displayed for APs operating in 40 Mhz mode.

Last ACK SNR EXT1

Signal-to-noise ratio for the last received ACK packet on the secondary (extension) channel 1. This parameter is only displayed for APs operating in 40 Mhz mode.

Last ACK SNR EXT2

Signal-to-noise ratio for the last received ACK packet on the secondary (extension) channel 2. This parameter is only displayed for APs operating in 40 Mhz mode.

Frames Received

Number of frames received.

Good Frames

Number of frames received with no errors.

Bad Frames

Number of bad or error frames received.

Rx Clear 1s

The percentage of time no activity was seen on the air in the last 1 second.

Rx Clear 4s

The percentage of time no activity was seen on the air in the last 4 seconds.

Rx Clear 64s

The percentage of time no activity was seen on the air in the last 64 seconds.

Discarded Events

Number of non-802.11 events that were detected and discarded during normal operation.

ARM Scan Frames

Number of scan frames sent for the adaptive radio management (ARM) feature.

Rx Data Frames

Data frames received.

Null Data Frames

Null data frames received.

Rx Mgmt Frames

Management frames received.

Control Frames

Control frames received.

Frames To Me

Number of wireless frames received that are addressed to the specified BSSID.

Broadcast Frames

Number of broadcast frames received.

Beacons Received

Number of beacons received.

Probe Requests

Number of Probe requests received.

Rx Probe Responses

Number of Probe responses received.

Rx RTS Frames

Ready To Send (RTS) frames received. These frames are sent when a computer has data to transmit.

Rx CTS Frames

Clear To Send (CTS) frames received. This type of frame is used to verify that a client is ready to receive information.

ACK Frames

Number of acknowledgement frames received.


PS Poll Frames

Power-Save Poll (PS-Poll) frames received. When a client exits a power-saving mode, it transmits a PS-Poll frame to the AP to retrieve any frames buffered while it was in power-saving mode.

CRC Errors

Cyclic Redundancy Check (CRC) is a data sequence that is sent with a frame to help verify that all the data was received correctly. Possible CRC error causes include:
• Hardware malfunction
• Loose or unconnected cables
• RF interference, such as overlapping access point coverage on a channel or interfering 2.4-GHz signals from devices like microwave ovens and wireless handset phones

PLCP Errors

Physical Layer Convergence Protocol (PLCP) errors.

Rx Frames Dropped

Number of received frames that were dropped.

PHY Events

The number of Physical Layer Events, that are not 802.11 packets, detected by radio as part of its normal receive operation.

RADAR Events

Number of times an AP detects a radar signature. Alcatel-Lucent APs are DFS-compliant. When an AP detects a radar signature, it will change its channel.

RX Interrupts

The number of receive interrupts received by the CPU from the radio.

RX Overrun

The number of Receive FIFO overruns.

Rx <number> Mbps

Packets received at the specified rate (in Mbps).

Rx <number> Mbps (Long)

Packets with a long preamble received at the specified rate.

Rx <number> Mbps (Short)

Packets with a short preamble received at the specified rate.

Rx HT <number> Mbps

Number of high-throughput packets received at the specified rate.

Rx WMM [BE]

Number of Wifi Multimedia (WMM) packets received for the following access categories. If the AP has not transmitted packets in a category type, this data row will not appear in the output of the command.
Rx WMM [BE]: Best Effort
Rx WMM [BK]: Background
Rx WMM [VO]: VoIP
Rx WMM [VI]: Video

Command History
Introduced in AOS-W 3.0.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Enable or Config mode on master switches


show ap debug received-config
show ap debug received-config {ap-group <ap-group>|ap-name <ap-name>|bssid <bssid>|ip-addr <ip-addr>}

Description
Show the configuration the AP downloaded from the switch.
Syntax

Parameter

Description

ap-name <ap-name>

Show log information for an AP with a specific name.

bssid <bssid>

Show log information for a specific Basic Service Set Identifier (BSSID). The Basic Service Set Identifier (BSSID) is usually the AP's MAC address.

ip-addr <ip-addr>

Show log information for an AP with a specific IP address by entering an IP address in dotted-decimal format.

Example
The output of this command displays configuration information for each interface. The example below shows only part of the output for this command. Additional parameters not displayed are described in the table below.

(host) #show ap debug received-config ap-name AP12

Downloaded Config for WIFI 0
----------------------------
Item                                Value
----                                -----
BSSID
LMS IP                              10.6.2.250
Master IP                           10.100.103.2
Mode                                AP Mode
QBSS Probe Response                 Allow Access
Native VLAN ID                      1
SAP MTU                             1500 bytes
Heartbeat DSCP                      0
High throughput enable (radio)      Enabled
Channel                             40
Beacon Period                       100 msec
Transmit Power                      15 dBm
Advertise TPC Capability            Disabled
Enable CSA                          Disabled
CSA Count                           4
Management Frame Throttle interval  1 sec
Management Frame Throttle Limit     20
Active Scan                         Disabled
VoIP Aware Scan                     Enabled
Power Save Aware Scan               Enabled
Load aware Scan Threshold           1250000 Bps
40 MHz intolerance                  Disabled
Honor 40 MHz intolerance            Enabled
Legacy station workaround           Disabled
Country Code                        US
ESSID                               guest


...

The output of this command includes the following information:

Parameter

Description

BSSID

The BSSID of the AP.

LMS IP

The LMS IP is the IP address of the local switch used by the AP for client data processing.

Master IP

For environments with multiple switches, the master switch is the central configuration and management point for all local switches.

Mode

Shows the operating modes for the AP.
ap-mode: Device provides transparent, secure, high-speed data communications between wireless network devices and the wired LAN.
am-mode: Device behaves as an air monitor to collect statistics, monitor traffic, detect intrusions, enforce security policies, balance traffic load, self-heal coverage gaps, etc.

QBSS Probe Response

Quality-of-service BSS (QBSS).

Native VLAN ID

The ID number of the Native VLAN.

SAP MTU

The Maximum Transmission Unit (MTU) for the GRE tunnel.

Heartbeat DSCP

DSCP value for the heartbeat traffic between the AP and the switch.

High throughput enable (radio)

Shows if high-throughput (802.11n) features are enabled or disabled on the radio.

Channel

Shows the channel number for the AP's 802.11a/802.11n physical layer.

Beacon Period

Shows the time, in milliseconds, between successive beacon transmissions. The beacon advertises the AP's presence, identity, and radio characteristics to wireless clients.

Transmit Power

Shows the current transmission power level.

Advertise TPC Capability

If enabled, the AP will advertise its Transmit Power Control (TPC) capability.

Enable CSA

Displays whether or not the AP has enabled channel switch announcements (CSAs) for 802.11h.

CSA Count

Number of channel switch announcements that must be sent before the AP will switch to a new channel.

Management Frame Throttle interval

Average interval that rate limiting management frames are sent from this radio, in seconds. If this column displays a zero (0), rate limiting is disabled for this AP.

Management Frame Throttle Limit

Maximum number of management frames that can come from this radio in each throttle interval.

Active Scan

Displays whether or not the active scan feature is enabled. This option elicits more information from nearby APs, but also creates additional management traffic on the network. Active Scan is disabled by default, and should not be enabled except under the direct supervision of Alcatel-Lucent Support.

VoIP Aware Scan

Shows if VoIP aware scanning is enabled or disabled. If you use voice handsets in the WLAN, VoIP Aware Scan should be enabled in the ARM profile so the AP will not attempt to scan a different channel if one of its clients has an active VoIP call. This option requires that Scanning is also enabled.

Power Save Aware Scan

Shows if the power save aware scan is enabled or disabled. If enabled, the AP will not scan a different channel if it has one or more clients and is in power save mode.

Load aware Scan Threshold

The Load Aware Scan Threshold is the traffic throughput level an AP must reach before it stops scanning. Load aware ARM preserves network resources during periods of high traffic by temporarily halting ARM scanning if the load for the AP gets too high.

40 MHz intolerance

The specified setting allows ARM to determine if 40 MHz mode of operation is allowed on the 5 GHz or 2.4 GHz frequency band only, on both frequency bands, or on neither frequency band.

Honor 40 MHz intolerance

Shows if 40 MHz intolerance is enabled or disabled. If enabled, the radio will stop using the 40 MHz channels if the 40 MHz intolerance indication is received from another AP or station.

Legacy station workaround

Shows if interoperability for misbehaving legacy stations is enabled or disabled.

Country Code

Displays the country code for the AP. The country code specifies allowed channels for that country.

ESSID

An Extended Service Set Identifier (ESSID) for the AP.

Encryption

Encryption type used on this AP.

WPA2 Pre-Auth

802.11x settings are enabled or disabled.

DTIM Interval

Number of beacons that should elapse before an AP sends beacon broadcasts for power save clients.

802.11a Basic Rates

Minimum data rate required for a client to associate with the AP. For an 802.11a radio, this value can be 6, 12 and 24 802.11 data rates. 802.11b/g radios will report a value of 1 and 2 802.11 data rates.

802.11a Transmit Rates

802.11 data rate at which the AP will transmit data to its clients. This value can be 6-54 for 802.11a radios, and 1-54 for 802.11b/g radios.

Station Ageout Time

Number of seconds a station may be idle before it is deauthorized from an AP.

Max Transmit Attempts

Maximum number of times the AP will attempt to retransmit data.

RTS Threshold

The minimum packet size at which the AP will issue a request-to-send (RTS) before sending the packet.


Max Associations

The maximum number of clients allowed to associate with the AP.

Wireless Multimedia (WMM)

Shows if Wireless Multimedia (WMM) is enabled or disabled for this AP. WMM provides prioritization of specific traffic relative to other traffic in the network.

WMM TSPEC Min Inactivity Interval

Displays the minimum inactivity time-out threshold of WMM traffic for this AP.

DSCP mapping for WMM voice AC

Displays the DSCP value used to map WMM voice traffic.

DSCP mapping for WMM video AC

Displays the DSCP value used to map WMM video traffic.

DSCP mapping for WMM besteffort AC

Displays the DSCP value used to map WMM best-effort traffic

DSCP mapping for WMM background AC

Displays the DSCP value used to map WMM background traffic.

Hide SSID

Shows if the feature to hide a SSID name in beacon frames is enabled or disabled.

Deny_Broadcast Probes

When a client sends a broadcast probe request frame to search for all available SSIDs, this option controls whether or not the system responds for this SSID. When enabled, no response is sent and clients have to know the SSID in order to associate to the SSID. When disabled, a probe response frame is sent for this SSID.

Local Probe Response

Shows if local probe response is enabled or disabled on the AP. If this option is enabled, the AP is responsible for sending 802.11 probe responses to wireless clients' probe requests. If this option is disabled, then the switch sends the 802.11 probe responses

Disable Probe Retry

Shows if the AP has enabled or disabled MAC-level retries for probe response frames. By default this parameter is enabled, which means that MAC-level retries for probe response frames are disabled.

Maximum Transmit Failures

Display the maximum number of transmission failures allowed before the client gives up.

BC/MC Rate Optimization

Shows if the AP has enabled or disabled scanning of all active stations currently associated to that AP to select the lowest transmission rate for broadcast and multicast frames. This option only applies to broadcast and multicast data frames; 802.11 management frames are transmitted at the lowest configured rate.

High throughput enable (SSID)

Shows if the AP has enabled or disabled the use of its high-throughput SSID in 40 MHz mode.

40 MHz channel usage

Determines if this high-throughput SSID allows high-throughput (802.11n) stations to associate.

MPDU Aggregation

Shows if the AP has enabled or disabled MAC protocol data unit (MPDU) aggregation.

Max transmitted A-MPDU size

Shows the maximum size, in bytes, of an A-MPDU that can be sent on the AP's high-throughput SSID.


Max received A-MPDU size

Shows the maximum size, in bytes, of an Aggregated-MAC Packet Data Unit (A-MPDU) that can be received on the AP's high-throughput SSID.

Min MPDU start spacing

Displays the minimum time between the start of adjacent MPDUs within an aggregate MPDU, in microseconds.

Supported MCS set

Comma-separated list of Modulation Coding Scheme (MCS) values or ranges of values to be supported on this high-throughput SSID.

Short guard interval in 40 MHz mode

Shows if the AP has enabled or disabled use of short guard interval in 40 MHz mode of operation.

VLAN

VLAN ID used by the SSID.

Forward mode

Shows the current forward mode (bridge, split-tunnel, or tunnel) for the virtual AP. This parameter controls whether 802.11 frames are tunneled to the switch using generic routing encapsulation (GRE), bridged into the local Ethernet LAN (for remote APs), or a combination thereof depending on the destination (corporate traffic goes to the switch, and Internet access remains local). Only 802.1X authentication is supported when configuring bridge or split tunnel mode.

Band Steering

Shows if band-steering has been enabled or disabled for a virtual AP. ARM's band steering feature encourages dual-band capable clients to stay on the 5GHz band on dual-band APs. This frees up resources on the 2.4GHz band for single band clients like VoIP phones. Band steering reduces co-channel interference and increases available bandwidth for dual-band clients, because there are more channels on the 5GHz band than on the 2.4GHz band. Dual-band 802.11n-capable clients may see even greater bandwidth improvements, because the band steering feature will automatically select between 40MHz or 20MHz channels in 802.11n networks. This feature is disabled by default, and must be enabled in a Virtual AP profile.

Command History
Introduced in AOS-W 3.0.
Command Information

Platforms        Licensing                Command Mode
All platforms    Base operating system    Enable or Config mode on master switches


show ap remote debug association-failure
show ap remote debug association-failure [{ap-name <ap-name>}|{bssid <bssid>}{essid <essid>}]
Description
Display association failure information that can be used to troubleshoot problems on an AP.
Syntax

Parameter

Description

ap-name <ap-name>

Filter the Association Failure Table by AP name.

bssid <bssid>

Filter the Association Failure Table by Basic Service Set Identifier (BSSID). The BSSID is usually the AP's MAC address.

essid <essid>

Filter the Association Failure Table by Extended Service Set Identifier (ESSID) of an AP.

Usage Guidelines
Use this command to determine whether the client is associated, and identify the last AP to which it was connected.

Example

The output of the command show ap remote debug association-failure displays the Association Failure Table shown below. If the Idle time column in the output of this command is a low value, the Reason column will describe why association failed.

(host)#show ap remote debug association-failure ap-name AP-65-port3

Association Failure Table
-------------------------
MAC Address        AP Name  BSSID              ESSID  State  Radio    Idle Time    Reason
-----------        -------  -----              -----  -----  -----    ---------    ------
00:16:6f:09:54:3e  AL29     00:1a:1e:11:6f:00  guest         802.11g  20h:39m:33s  Denied; AP Going Down
00:16:6f:09:54:3e  AL33     00:1a:1e:11:6e:60  guest  auth   802.11g  20h:39m:33s  Unspecified Failure
00:16:6f:09:54:3e  AL40     00:1a:1e:8d:5b:20  guest         802.11g  20h:39m:33s  Denied; Ageout
Num Association Failures:3

The output of this command includes the following parameters:

Column

Description

MAC address

MAC address of the client that failed to associate with an AP.

AP Name

Name of an AP to which the client attempted to associate.

BSSID

Basic Service Set Identifier of an AP.

ESSID

Extended Service Set Identifier of an AP.

State

This data column shows if the client is currently authorized or both authorized and associated with an AP.

Radio

The AP radio type.

Idle Time

Amount of time that the client has been idle, in the format hours:minutes:seconds.

Reason

A brief description of the reason why the client failed to associate.

Command History
Introduced in AOS-W 5.0.
Command Information

Platforms        Licensing                Command Mode
All platforms    Base operating system    Enable or Config mode on master switches


show ap debug shaping-table
show ap debug shaping-table {ap-name <ap-name>|ip-addr <ip-addr>}
Description
Show shaping information for clients associated to an AP.
Syntax

Parameter

Description

ap-name <ap-name>

Show shaping table information for a specific AP.

ip-addr <ip-addr>

Show shaping table information for a specific AP IP address by entering its IP address in dotted-decimal format.

Example
The following command shows the shaping table of an AP named ap22.

(host) #show ap debug shaping-table ap-name ap22

VAP station000
pktin  pktout  pktdrop  pktqd  cmn[C:O:H]  drop  Numcl  TotCl  BWmgmt
0      0       0        0      0-0-0       0-0   0-0-0  0      0
d1  d2  d3  d4  d5  d6  d7  d8  d9
0   0   0   0   0   0   0   0   0
idx  tokens  last-t  in  out  drop  q  tx-t  rx-t  al-t  rate
idx  d1  d2  d3  d4  d5  d6  d7  d8  d9
0    0   0   0   0   0   0   0   0   0

VAP station001
pktin  pktout  pktdrop  pktqd  cmn[C:O:H]  drop  Numcl  TotCl  BWmgmt
0      8144    0        0      0-0-0       0-0   0-2-0  2      0
d1  d2  d3  d4  d5  d6  d7  d8  d9
0   0   0   0   0   0   0   0   0
idx  tokens  last-t  in  out   drop  q  tx-t  rx-t  al-t  rate
1    0       0       0   2966  0     0  716   0     0     0
3    0       0       0   31    0     0  8     0     0     0
idx  d1  d2  d3  d4  d5  d6  d7  d8  d9
0    0   0   0   0   0   0   0   0   0
1    0   0   0   0   0   0   0   0   0
3    0   0   0   0   0   0   0   0   0

The output of this command includes the following information:

Column

Description

pktin

Number of packets received by the AP.

pktout

Number of packets sent by the AP.

pktdrop

Number of packets dropped by the AP.

pktqd

Number of packets queued.

cmn [C:O:H]

(For internal use only.)

drop

Number of CCK (802.11b) and OFDM (802.11a/g) packets dropped.

Numcl

Number of CCK (802.11b) and OFDM (802.11a/g) packets dropped.

TotCl

Total number of clients associated with the AP.

Bwmgmt

This data column displays a 1 if the bandwidth management feature has been enabled. Otherwise, it displays a 0.

d<n>

(For internal use only.)

idx

Association ID.

tokens

This value represents the credits the station has to transmit tokens.

last-t

Number of tokens that were allocated to the station last time token allocation algorithm ran.

in

Number of packets received.

out

Number of packets sent.

drop

Number of dropped packets.

q

Number of queued packets.

tx-t

Total time spent transmitting data.

rx-t

Total time spent receiving data.

al-t

Total time allocated for transmitting data to this station.

rate

(For internal use only.)

Command History
Introduced in AOS-W 3.0.
Command Information

Platforms        Licensing                Command Mode
All platforms    Base operating system    Enable or Config mode on master switches


show ap debug system-status
show ap debug system-status {ap-name <ap-name>|bssid <bssid>|ip-addr <ip-addr>}
Description
Show detailed system status information for an AP.
Syntax

Parameter

Description

ap-name <ap-name>

Show system status data for an AP with a specific name.

bssid <bssid>

Show system status data for a specific Basic Service Set Identifier (BSSID) on an AP. The Basic Service Set Identifier (BSSID) is usually the AP's MAC address.

ip-addr <ip-addr>

Show system status data for an AP with a specific IP address by entering an IP address in dotted-decimal format.

Usage Guidelines
The output of this command displays the following types of information (if it exists) for the selected AP:

• Bootstrap information
• Descriptor Usage
• Interface counters
• MTU discovery
• ARP cache
• Route table
• Interface Information
• Per-radio statistics
• Encryption statistics
• AP uptime
• Memory usage
• Kernel slab statistics
• Interrupts
• Crash Information
• Ethernet duplex/speed settings
• Tunnel heartbeat stats
• Boot version
• LMS information
• Power status
• CPU type
• CPU usage statistics

The following parameters are included in the output of this command, and can help troubleshoot problems on an AP or wireless network.

Parameter

Description

The Failed column in the Descriptor Usage section

This parameter can tell you if the AP is dropping packets.

Interface Information table

This parameter can tell you if the Ethernet network is working properly. This table should not show an excessive number of errors.

AP Uptime table

Low values in this table can indicate problems with the wired network, or with the AP itself.

Tunnel Heartbeat table

This table can indicate the health of the underlying wired network.

Rebootstrap Information table / Reboot Information table

A large number of reboots can mean that the AP has hardware problems.


Command History
Release

Modification

AOS-W 5.0

Crash information parameter was introduced.

AOS-W 3.0

Command introduced.

Command Information

Platforms        Licensing                Command Mode
All platforms    Base operating system    Enable or Config mode on master switches


show ap debug trace-addr
show ap debug trace-addr

Description
Show MAC addresses in the trace buffer.
Usage Guidelines
Use this command to troubleshoot wireless clients that are being traced for 802.11 communication.
Examples
The output of the command shows the Trace List table. If no wireless clients are being traced, this table will be empty.

(host) #show ap debug trace-addr

Trace List
----------
MAC Address
-----------
00:1a:1e:c5:ca:b4
00:1a:1e:c5:d6:46
00:1a:1e:c5:d7:40
00:1a:1e:c5:d7:64
00:1a:1e:c5:d9:56
00:1a:1e:c5:d9:b0

Command History
Introduced in AOS-W 3.0.
Command Information

Platforms        Licensing                Command Mode
All platforms    Base operating system    Enable or Config mode on master switches


show ap debug usb ap-name
show ap debug usb ap-name <ap-name>

Description
This command displays the USB information provisioned on the RAP.

Usage Guidelines
Use this command to view the USB information provisioned on the RAP.

Examples

The output of the command shows the USB information provisioned on the RAP.

(host) #show ap debug usb ap-name RAP-2

USB Information
---------------
Parameter                   Value
---------                   -----
Manufacturer                Pantech,
Product                     PANTECH
Serial Number
Driver                      ptuml_cdc_ether
Vendor ID                   106c
Product ID                  3718
USB Modem State             Active
USB Uplink RSSI(in dBm)     -73
Supported Network Services  CDMA GSM LTE
Firmware Version            L0290VWB522F.242
ESN Number                  990000472325325
Current Network Service     4G-LTE

Command History
Introduced in AOS-W 6.2.

Command Information

Platforms        Licensing                Command Mode
All platforms    Base operating system    Enable or Config mode on master switches


show ap details
show ap details [advanced]{ap-name <ap-name>|bssid <bssid>|ip-addr <ip-addr>|ip6-addr <ip6-addr>}
Description
Show detailed provisioning parameters, hardware, and operating information for a specific AP.
Syntax

Parameter

Description

advanced

Include the following additional data in the output of this command:
• switch message counts
• AP group information
• Virtual AP operating information

ap-name <ap-name>

Show data for a specific AP by entering the name of the AP for which you want to display information.

bssid <bssid>

Show data for an AP with the specified BSSID. The Basic Service Set Identifier (BSSID) is usually the AP's MAC address.

ip-addr <ip-addr>

Show data for an AP with the specified IP address.

ip6-addr <ip6-addr>

Show data for an AP with the specified IPv6 address.

Examples

The example below shows part of the output for the command show ap details ap-name <ap-name>.

(host) # show ap details ap-name AP32

AP "AL39" Basic Information
---------------------------
Item            Value
----            -----
AP IP Address   10.6.1.206
LMS IP Address  10.6.2.253
Group           corp1344
Location Name   N/A
Status          Up
Up time         4d:12h:47m:32s

AP "AL39" Hardware Information
------------------------------
Item                Value
----                -----
AP Type             125
Serial #            AD0054972
Wired MAC Address   00:1a:1e:c9:17:38
Radio 0 BSSID       00:1a:1e:11:73:90
Radio 1 BSSID       00:1a:1e:11:73:80
Enet 1 MAC Address  00:1a:1e:c9:17:39

AP "AL39" Operating Information
-------------------------------
Item                 Value
----                 -----
AP State             Running
Entry created        2008-10-23 20:04:53
Last activity        2008-10-28 08:07:48
Reboots              0
Bootstraps           1
Bootstrap Threshold  7
Slot/Port            2/24

The output of this command includes the following information:

Column

Description

AP IP Address

IP address of the AP.

LMS IP Address

The IP address of the local management switch (LMS), the Alcatel-Lucent switch which is responsible for terminating user traffic from the APs, and processing and forwarding the traffic to the wired network.

Group

Name of the AP's AP group.

Location Name

Location of the AP.

Status

Current status of the AP, either Up or Down.

Up time

Number of hours, minutes and seconds since the last switch reboot or bootstrap, in the format hours:minutes:seconds.

Installation

AP Installation mode. The AP can be default (the factory-set AP installation type), indoor, or outdoor.

AP Type

AP model.

Serial #

Serial number for the AP.

Wired MAC address

MAC address of the wired interface.

Radio 0 BSSID

Basic Service Set Identifier (BSSID) of the AP's radio 0. This is usually the radio's MAC address.

Radio 1 BSSID

Basic Service Set Identifier (BSSID) of the AP's radio 1. This is usually the radio's MAC address.

Enet 1 MAC address

MAC address of the AP's Ethernet port.

AP State

Displays the AP's current operational state.

Entry created

Timestamp showing the time the AP registered with the switch.

Last activity

Timestamp showing the last time the AP communicated with the switch. An AP typically sends keepalive messages every minute.

Reboots

Number of times power to the AP cycled off and then on again. Reboots are also known as "hard" restarts.

Bootstraps

Number of times the AP restarted. Bootstraps are also known as "soft" restarts.


Bootstrap threshold

Number of consecutive missed heartbeats on a GRE tunnel (heartbeats are sent once per second on each tunnel) before an AP rebootstraps. On the switch, the GRE tunnel timeout is 1.5 x bootstrap-threshold; the tunnel is torn down after this number of seconds of inactivity on the tunnel.

Slot/Port

The switch port used by the AP, in the format <slot>/<port>. <slot> is always 1, except when referring to interfaces on the OAW-6000 switch. For the OAW-6000 switch, the four slots are allocated as follows:
• Slot 0: contains an OmniAccess Supervisor Card III.
• Slot 1: can contain an OmniAccess Supervisor Card III, or a line card.
• Slot 2: can contain an OmniAccess Supervisor Card III or a line card.
• Slot 3: can contain either an OmniAccess Supervisor Card III or a line card.
<port> refers to the network interfaces that are embedded in the front panel of the OAW-4x04 Series switch, OmniAccess Supervisor Card III, or a line card installed in the OAW-6000 switch. Port numbers start at 0 from the left-most position.

High throughput

Shows if high-throughput (802.11n) features are enabled or disabled.

Mode

Shows the operating modes for the AP.
• AP: Device provides transparent, secure, high-speed data communications between wireless network devices and the wired LAN.
• AM: Device behaves as an air monitor to collect statistics, monitor traffic, detect intrusions, enforce security policies, balance traffic load, self-heal coverage gaps, etc.

Band

The RF band in which the AP should operate:
• 802.11g = 2.4 GHz
• 802.11a = 5 GHz

Channel

Channel number for the AP 802.11a/802.11n physical layer. The available channels depend on the regulatory domain (country).

Secondary Channel

The secondary channel number for the AP. The secondary channel is a 20 MHz channel used in conjunction with the primary channel to create a 40 MHz channel for high-throughput clients. High-throughput capable APs use only the primary channel to communicate with 20 MHz clients. The secondary channel is used for transmissions with 40 MHz capable high-throughput clients.

EIRP

Current effective Isotropic Radiated Power (EIRP).

AP Name

Name of the AP.

AP Group

AP group to which the AP belongs.

Location name

Fully-qualified location name (FQLN) for the AP.

SNMP sysLocation

User-defined description of the location of the AP, as defined with the command provision-ap syslocation.

Master

Name or IP address for the master switch.

Gateway

IP address of the default gateway for the AP.

Netmask

Netmask for the AP's IP address.

IP Addr

IP address for the AP.

Dns IP

IP address of the DNS server.

Domain Name

Domain name used by the AP.

Server Name

DNS name of the switch from which the AP boots.

Server IP

IP address of the switch from which the AP boots.

Antenna gain for 802.11a

Antenna gain for 802.11a (5GHz) antenna.

Antenna gain for 802.11g

Antenna gain for 802.11g (2.4GHz) antenna.

Antenna for 802.11a

Antenna use for 5 GHz (802.11a) frequency band.
• 1: AP uses antenna 1
• 2: AP uses antenna 2
• both: AP uses both antennas

Antenna for 802.11g

Antenna use for 2.4 GHz (802.11g) frequency band.
• 1: AP uses antenna 1
• 2: AP uses antenna 2
• both: AP uses both antennas

IKE PSK

The IKE pre-shared key.

PPPOE User Name

Point-to-Point Protocol over Ethernet (PPPoE) user name for the AP.

PPPOE Password

PPPoE password for the AP.

PPPOE Service Name

PPPoE service name for the AP.

USB User Name

The PPP username provided by the cellular service provider.

USB Password

A PPP password, if provided by the cellular service provider.

USB Device Type

The USB driver type.

USB Device Identifier

The USB device identifier.

USB Dial String

The dial string for the USB modem.

USB Initialization String

The initialization string for the USB modem.

USB TTY device path

The TTY device path for the USB modem.

Mesh Role

If the mesh role is "none," the AP is operating as a thin AP. An AP operating as a mesh node can have one of two roles: mesh portal or mesh point.

Installation

The type of installation (indoor or outdoor). The default parameter indicates that the AOS-W automatically selects an installation mode based upon the AP's model type.


Latitude

Latitude coordinates of the AP, in the format Degrees Minutes Seconds (DMS).

Longitude

Longitude coordinates of the AP, in the format Degrees Minutes Seconds (DMS).

Altitude

Altitude, in meters, of the AP. This parameter is supported on outdoor APs only.

Antenna bearing for 802.11a

Horizontal coverage distance of the 802.11a (5GHz) antenna from true north, from 0-360 degrees. NOTE: This parameter is supported on outdoor APs only. The horizontal coverage pattern does not consider the elevation or vertical antenna pattern.

Antenna bearing for 802.11g

Horizontal coverage distance of the 802.11g (2.4GHz) antenna from true north, from 0-360 degrees. NOTE: This parameter is supported on outdoor APs only. The horizontal coverage pattern does not consider the elevation or vertical antenna pattern.

Antenna tilt angle for 802.11a

The angle of the 802.11a (5GHz) antenna. This parameter can range from between -90 degrees and 0 degrees for downtilt, and between +90 degrees and 0 degrees for uptilt.

Antenna tilt angle for 802.11g

The angle of the 802.11g (2.4GHz) antenna. This parameter can range from between -90 degrees and 0 degrees for downtilt, and between +90 degrees and 0 degrees for uptilt.

Mesh SAE

Shows if the AP has enabled or disabled Secure Attribute Exchange (SAE) on a mesh network. This setting is disabled by default.

Command History
Release

Modification

AOS-W 3.0

Command introduced.

AOS-W 3.2

Introduced support for mesh parameters, additional antenna parameters, and AP location parameters.

AOS-W 3.4

Introduced support for the following parameters:
• installation
• mesh-sae
• set-ikepsk-by-addr
• usb-dev
• usb-dial
• usb-init
• usb-passwd
• usb-tty
• usb-type
• usb-user

AOS-W 5.0

The mesh-sae parameter no longer displays the sae-default setting if the parameter is disabled. Only the sae-disable option indicates that this parameter is currently in its default disabled state.

AOS-W 6.1

The parameter ip6-addr was added to show data for an IPv6 AP.

Command Information

Platforms        Licensing                Command Mode
All platforms    Base operating system    Enable or Config mode on master switches


show ap enet-link-profile
show ap enet-link-profile [<profile>]

Description
Show a list of all Ethernet Link profiles.

Usage Guidelines
Include a profile name to display details for the specified Ethernet Link Profile, or omit the <profile> parameter to display a list of all Ethernet Link profiles.

Example
This command shows the speed of the Ethernet interface and the current duplex mode for the Ethernet Link profile "default":

(host) #show ap enet-link-profile default

AP Ethernet Link profile "default"
----------------------------------
Parameter  Value
---------  -----
Speed      auto
Duplex     auto

The output of this command includes the following parameters:

Parameter

Description

Speed

The speed of the Ethernet interface. This value can be either 10 Mbps, 100 Mbps, 1000 Mbps (1 Gbps), or auto (auto-negotiated).

Duplex

The duplex mode of the AP's Ethernet interface. This value can be either full, half, or auto (auto-negotiated).

Related Commands
Command               Description                                            Mode
ap enet-link-profile  This command configures an AP Ethernet link profile.  Config mode

Command History
Introduced in AOS-W 3.0.
Command Information

Platforms        Licensing                Command Mode
All platforms    Base operating system    Enable or Config mode on master switches


show ap essid
show ap essid

Description
Show an Extended Service Set Identifier (ESSID) summary for the switch, including the numbers of APs and clients associated with each ESSID.

Examples

The output of the command in the example below shows statistics for four configured ESSIDs.

(host) #show ap essid

ESSID Summary
-------------
ESSID   APs  Clients  VLAN(s)  Encryption
-----   ---  -------  -------  ----------
vocera  21   0        66       WPA2 PSK AES
voip    23   52       66,64    WPA2 8021X AES
guest   49   6        63       Open
wpa2    26   88       65,64    WPA2 8021X AES
Num ESSID:4

The output of this command includes the following information:

Column

Description

ESSID

An Extended Service Set Identifier (ESSID) is the identifying name of an 802.11 wireless network.

APs

Number of APs associated with the ESSID.

VLAN(s)

VLAN IDs of the VLANs for the ESSID.

Encryption

The layer-2 authentication and encryption used on this ESSID to protect access and ensure the privacy of the data transmitted to and from the network.
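
The Encryption column above is the quickest way to spot ESSIDs that are open or rely on a shared key. The following is an added example, not part of this guide or of AOS-W: it parses captured show ap essid output by slicing rows at the dashed column ruler and lists such ESSIDs. The function names and the sample text (the guide's four rows plus one constructed row with an empty VLAN cell) are assumptions made for illustration.

```python
import re

# Constructed sample: the four rows of the guide's example plus one constructed
# row ("lab") whose VLAN(s) cell is empty, to exercise blank-cell handling.
SAMPLE_OUTPUT = """\
(host) #show ap essid

ESSID Summary
-------------
ESSID   APs  Clients  VLAN(s)  Encryption
-----   ---  -------  -------  ----------
vocera  21   0        66       WPA2 PSK AES
voip    23   52       66,64    WPA2 8021X AES
guest   49   6        63       Open
wpa2    26   88       65,64    WPA2 8021X AES
lab     2    0                 WPA2 8021X AES
Num ESSID:5
"""


def parse_table(text):
    """Parse a CLI table by slicing every row at the offsets of the dashed ruler.

    Splitting on whitespace would break on multi-word cells ("WPA2 PSK AES")
    and on empty cells, so column boundaries come from the ruler line instead.
    Assumes cells are padded to their column, as in the sample above.
    """
    lines = text.splitlines()
    for idx, line in enumerate(lines):
        runs = list(re.finditer(r"-+", line))
        only_dashes = not line.replace("-", "").strip()
        # The title underline is a single run; the column ruler has several.
        if idx > 0 and only_dashes and len(runs) >= 2:
            break
    else:
        raise ValueError("no column ruler found")

    starts = [m.start() for m in runs]
    ends = starts[1:] + [None]

    def cut(row):
        return [row[s:e].strip() for s, e in zip(starts, ends)]

    header = cut(lines[idx - 1])
    rows = []
    for row in lines[idx + 1:]:
        if not row.strip() or row.startswith("Num "):
            break  # a blank line or the "Num ESSID:n" footer ends the table
        rows.append(dict(zip(header, cut(row))))
    return rows


def audit_essids(rows):
    """Return (essid, finding, clients) for ESSIDs without per-user 802.1X keys."""
    findings = []
    for row in rows:
        tokens = row["Encryption"].upper().split()
        if not tokens or tokens == ["OPEN"]:
            finding = "open"   # no layer-2 encryption
        elif "PSK" in tokens:
            finding = "psk"    # one shared passphrase for every client
        else:
            continue
        findings.append((row["ESSID"], finding, int(row["Clients"])))
    return findings


if __name__ == "__main__":
    for essid, finding, clients in audit_essids(parse_table(SAMPLE_OUTPUT)):
        print(f"{essid}: {finding} ({clients} clients)")
```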

Command History
Introduced in AOS-W 3.0.
Command Information

Platforms        Licensing                Command Mode
All platforms    Base operating system    Enable or Config mode on master switches


show ap ht-rates
show ap ht-rates bssid <bssid>
Description
Show high-throughput rate information for a basic service set (BSS).
Syntax

Parameter

Description

bssid <bssid>

Show data for a specific Basic Service Set Identifier (BSSID) on an AP. An AP's BSSID is usually the AP's MAC address.

Examples
The output of this command shows high-throughput rates for each supported MCS value. These values are applicable to high-throughput (802.11n-capable) APs only.

(host) #show ap ht-rates bssid 00:1a:1e:1e:5a:10

AP "AL12" Radio 0 BSSID 00:1a:1e:1e:5a:10 High-throughput Rates (Mbps)
----------------------------------------------------------------------
MCS  Streams  20 MHz  40 MHz  40 MHz SGI
---  -------  ------  ------  ----------
0    1        6.5     13.5    15.0
1    1        13.0    27.0    30.0
2    1        19.5    40.5    45.0
3    1        26.0    54.0    60.0
4    1        39.0    81.0    90.0
5    1        52.0    108.0   120.0
6    1        58.5    121.5   135.0
7    1        65.0    135.0   150.0
8    2        13.0    27.0    30.0
9    2        26.0    54.0    60.0
10   2        39.0    81.0    90.0
11   2        52.0    108.0   120.0
12   2        78.0    162.0   180.0
13   2        104.0   216.0   240.0
14   2        117.0   243.0   270.0
15   2        130.0   270.0   300.0

The output of this command includes the following information:

Column

Description

MCS

Modulation Coding Scheme (MCS) values supported on this high-throughput SSID.

Streams

Number of spatial streams used by the MCS index value.

20 MHz

802.11n data rates for the MCS for 20 MHz transmissions.

40 MHz

802.11n data rates for the MCS for 40 MHz transmissions.

40 MHz SGI

802.11n data rates for the MCS for 40 MHz transmissions using a short guard interval.


Command History
Introduced in AOS-W 3.3.
Command Information

Platforms        Licensing                Command Mode
All platforms    Base operating system    Enable or Config mode on master switches


The example below shows the number of APs that have successfully preloaded their new software images, the number of preload attempts that failed, and the total number of preload attempts (both successful and unsuccessful).


show ap image version
show ap image version [ap-name <ap-name>|ip-addr <ip-addr>]
Description
Display an AP's image version information.
Syntax

Parameter

Description

ap-name <ap-name>

View image version information for an AP with a specific name.

ip-addr <ip-addr>

View image version information for an AP with a specific IP address. Enter the address of the AP in dotted-decimal format.

Usage Guidelines
By default, this command displays image version information for all APs associated with the switch. To view image version information for a single AP, specify an AP using the ap-name or ip-addr parameters.

Example

The output in the example below shows the current running image version as well as the image version stored in the switch's flash memory.

(host) #show ap image version ip-addr 192.0.2.45

Access Points Image Version
---------------------------
AP          Running Image Version String
--          ----------------------------
10.6.1.200  3.3.2.5 Wed Oct 22 10:46:42 PDT 2008

Flash Image Version String

Checksums Image Load Status

----------------------------

-------

----- ----------------

3.3.2.5 Wed Oct 22 10:46:42 PDT 2008 Yes

3

0

Done

The output of this command includes the following information:

Column

Description

AP

Name or IP address of an AP.

Running Image Version String

String identifying the number of the image version currently running on the AP, as well as the date on which that version was created.

Flash Image Version String

String identifying the number of the image version in the AP's flash memory, as well as the date on which that version was created.

Matches

If yes, the running image version matches the image version currently in the AP's flash memory. If no, the two image versions do not match.

Num Matches

Number of times the running image version matched the flash image version after a reboot.

Num Mismatches

Number of times the running image version did not match the flash image version after a reboot. If the images do not match, the AP will upgrade to the flash image.

Bad Checksums

Number of bad checksum calculations due to an invalid or corrupted image file.

Image Load Status

Current status of the AP following an upgrade.
• Done: This status indicates that the switch reset after the upgrade was performed, or the upgrade was performed after the AP first registered with the switch.
• Completed: The AP was updated after it was registered to the switch, and after the switch's last reset. If an AP shows a status of completed, it will also display the time it took to update that AP.
• In progress: The AP is currently updating its image.

Command History
Introduced in AOS-W 3.0.
Command Information

Platforms        Licensing                Command Mode
All platforms    Base operating system    Enable or Config mode on master switches


show ap license-usage
show ap license-usage

Description
Show AP license usage information.

Examples
The output of the command below shows that the switch has 13 associated campus APs using licenses, with 3 unused campus AP licenses remaining.

(host) #show ap license-usage

AP Licenses
-----------
Type                      Number
----                      ------
AP Licenses               64
RF Protect Licenses       64
PEF Licenses              64
Overall AP License Limit  64

AP Usage
--------
Type             Count
----             -----
CAPs             13
RAPs             2
Remote-node APs  0
Tunneled nodes   0
Total APs        0

Remaining AP Capacity
---------------------
Type  Number
----  ------
CAPs  3
RAPs  62

The output of this command includes the following information:

Parameter

Description

AP Licenses

Number of AP licenses currently available on the switch.

RF Protect Licenses

Number of RF Protect licenses currently available on the switch.

PEF Licenses

Number of Policy Enforcement Firewall (PEF) licenses currently available on the switch.

Overall AP Licenses

Total number of APs supported by licenses on the switch.

CAPs

Number of campus APs currently using a license on the switch.

RAPs

Number of remote APs currently using a license on the switch.

Remote-Node APs

Number of remote node APs currently using a license on the switch.

Tunneled Nodes

Number of tunneled nodes currently using a license on the switch.

CAPs

Number of unused campus APs licenses remaining on the switch.

RAPs

Number of unused remote APs licenses remaining on the switch.

Command History
Release

Modification

AOS-W 3.0

Command introduced.

AOS-W 3.3

The following parameters were introduced:
• Total 802.11n-120abg Licenses
• 802.11n-120abg Licenses Used
• Total 802.11n-121abg Licenses
• 802.11n-121abg Licenses Used
• Total 802.11n-124abg Licenses
• 802.11n-124abg Licenses Used
• Total 802.11n-125abg Licenses
• 802.11n-125abg Licenses Used

AOS-W 6.2

The output of this command was reorganized to reflect the newest license scheme.

Command Information

Platforms        Licensing                                                                                                               Command Mode
All platforms    Base operating system. The output of this command varies, according to the licenses currently installed on the switch.    Enable or Config mode on master switches


show ap lldp
show ap lldp [<profile>]
Description
Display a list of LLDP-MED Network Policy profiles, or display the current configuration settings of an individual profile.
Syntax

Parameter

Description

<profile>

Specify a LLDP profile name to view configuration settings for that profile.

Examples

The following example lists all LLDP profiles. The References column lists the number of other profiles with references to that LLDP-MED Network policy profile, and the Profile Status column indicates whether the profile is predefined.

The output of the command below shows that the switch has two LLDP profiles.

(host) #show ap lldp med-network-policy-profile

AP LLDP Profile List
---------------------------------------
Name     References  Profile Status
----     ----------  --------------
default  0
video    2
Total:2

The following command displays configuration details for the LLDP profile named default.

(host) #show ap lldp med-network-policy-profile video

AP LLDP Profile "new"
---------------------
Parameter                        Value
---------                        -----
PDU transmission                 Enabled
Reception of LLDP PDUs           Enabled
Transmit interval (seconds)      30
Transmit hold multiplier         4
Optional TLVs                    port-description system-description system-name capabilities
                                 management-address
802.1 TLVs                       port-vlan vlan-name
802.3 TLVs                       mac link-aggregation mfs power
LLDP-MED TLVs
LLDP-MED network policy profile  N/A

The output of this command includes the following information:

Parameter                        Description
PDU transmission                 Shows if LLDP PDU transmission is enabled on the AP.
Reception of LLDP PDUs           Shows if LLDP PDU reception is enabled on the AP.
Transmit interval (seconds)      The interval between LLDP TLV transmissions, in seconds. The supported range is 1-3600 seconds and the default value is 30 seconds.
Transmit hold multiplier         This value is multiplied by the transmit interval to determine the number of seconds to cache learned LLDP information before that information is cleared. If the transmit-hold value is at the default value of 4, and the transmit interval is at its default value of 30 seconds, then learned LLDP information will be cached for 4 x 30 seconds, or 120 seconds.
Optional TLVs                    The AP sends the listed optional TLVs in LLDP PDUs.
802.1 TLVs                       The AP sends the listed 802.1 TLVs in LLDP PDUs. By default, the AP will send all 802.1 TLVs.
802.3 TLVs                       The AP sends the listed 802.3 TLVs in LLDP PDUs. By default, the AP will send all 802.3 TLVs.
LLDP-MED TLVs                    Lists the LLDP-MED TLVs the AP will send in LLDP PDUs. By default, the AP will not send any LLDP-MED TLVs.
LLDP-MED network policy profile  Specifies the LLDP MED Network Policy profile to be associated with this LLDP profile.

Command History
Command introduced in AOS-W 6.2.
Command Information

Platforms All platforms

Licensing Base operating system.

Command Mode Enable or Config mode on master or local switches


show ap lldp counters
show ap lldp counters ap-name <ap-name> ip-addr <ip-addr> ip6-addr <ipv6-addr>
Description
Show LLDP counters for a specific AP, or all APs sending or receiving LLDP Protocol Data Units (PDUs).
Syntax

Parameter           Description
ap-name <ap-name>   Show counter statistics for an AP with a specific name.
ip-addr <ip-addr>   View counter statistics for an AP with a specific IP address. Enter the IP address of the AP in dotted-decimal format.
ip6-addr <ip-addr>  View counter statistics for an AP with a specific IPv6 address.

Examples

The output of the command below shows LLDP counter information for two interfaces.

(host) #show ap lldp counters

AP LLDP Counters (Updated every 60 seconds)
-------------------------------------------
AP                 Interface  Received  Unknown TLVs  Malformed  Overflow  Transmitted
--                 ---------  --------  ------------  ---------  --------  -----------
00:1a:1e:ce:fb:bf  bond0      0         0             0          0         68159
00:24:6c:c0:00:86  bond0      0         0             0          0         68153

The output of this command includes the following information:

Parameter                    Description
AP                           Name of the AP sending or receiving LLDP PDUs.
Interface                    Name of the AP interface sending or receiving LLDP PDUs.
Received                     Number of packets received on the specified interface.
Unknown TLVs                 Number of LLDP Protocol Data Units (PDUs) with an unknown type-length-value (TLV).
Number of Malformed packets  Number of malformed packets received on that interface.
Overflow                     Number of times that an LLDP neighbor could not be added to the neighbor table (there is a limit of 8 per port).
Transmitted                  Number of packets transmitted from that interface.

Command History
Command introduced in AOS-W 6.2.


Command Information

Platforms All platforms

Licensing Base operating system.

Command Mode Enable or Config mode on master or local switches


show ap lldp med-network-policy-profile
show ap lldp med-network-policy-profile [<profile>]
Description
Display a list of LLDP-MED Network Policy profiles, or display the current configuration settings of an individual profile.
Syntax

Parameter  Description
<profile>  Specify an LLDP-MED Network Policy profile name to view configuration settings for that profile.

Usage Guidelines
The LLDP-MED Network policy profile allows you to configure an extension to LLDP that supports interoperability between VoIP devices and other networking clients. LLDP-MED network policy discovery lets end-points and network devices advertise their VLAN IDs (e.g. voice VLAN), priority levels, and DSCP values.
Issue this command without the <profile> option to display the entire LLDP-MED Network policy profile list, including profile status and the number of references to each profile. Include a profile name to display the configuration settings for that profile.

Examples

The following example lists all LLDP-MED Network policy profiles. The References column lists the number of other profiles with references to that LLDP-MED Network policy profile, and the ProfileStatus column indicates whether the profile is predefined.

The output of the command below shows that the switch has three LLDP-MED network profiles.

(host) #show ap lldp med-network-policy-profile

AP LLDP-MED Network Policy Profile List
---------------------------------------
Name     References  Profile Status
----     ----------  --------------
default  0
video    2
voice    1
Total:2

The following command displays configuration details for the LLDP-MED Network Policy profile named video.

(host) #show ap lldp med-network-policy-profile video

AP LLDP-MED Network Policy Profile "default"
-------------------------------------------
Parameter                                                Value
---------                                                -----
LLDP-MED application type                                streaming-video
LLDP-MED application VLAN                                16
LLDP-MED application VLAN tagging                        Tagged
LLDP-MED application Layer-2 priority                    0
LLDP-MED application Differentiated Services Code Point  0

The output of this command includes the following information:

Parameter                                                Description
LLDP-MED application type                                Type of application that this profile manages. This profile supports the following options:
    - guest-voice: The AP services a separate voice network for guest users and visitors.
    - guest-voice-signaling: The AP is part of a network that requires a different policy for guest voice signaling than for guest voice media. Do not use this application type if the same network policies apply to both guest voice and guest voice signaling traffic.
    - softphone-voice: The AP supports voice services using softphone software applications on devices such as PCs or laptops.
    - streaming-video: The AP supports broadcast or multicast video or other streaming video services that require specific network policy treatment. This application type is not recommended for video applications that rely on TCP with buffering.
    - video-conferencing: The AP supports video conferencing equipment that provides real-time, interactive video/audio services.
    - video-signaling: The AP is part of a network that requires a different policy for video signaling than for the video media. Do not use this application type if the same network policies apply to both video and video signaling traffic.
    - voice: The AP services IP telephones and other appliances that support interactive voice services. This is the default application type.
    - voice-signaling: The AP is part of a network that requires a different policy for voice signaling than for the voice media. Do not use this application type if the same network policies apply to both voice and voice signaling traffic.
LLDP-MED application VLAN                                Indicates the VLAN ID (0-4094) or VLAN name of the VLAN used by the application.
LLDP-MED application VLAN tagging                        Indicates if the policy applies to a VLAN that is tagged with a VLAN ID or untagged. The default value is untagged. NOTE: When an LLDP-MED network policy is defined for use with an untagged VLAN, then the L2 priority field is ignored and only the DSCP value is used.
LLDP-MED application Layer-2 priority                    Displays a configured 802.1p priority level for the specified application type, where 0 is the lowest priority level and 7 is the highest priority.
LLDP-MED application Differentiated Services Code Point  Displays a configured Differentiated Services Code Point (DSCP) priority value for the specified application type, where 0 is the lowest priority level and 63 is the highest priority.

Command History
Command introduced in AOS-W 6.2.


Command Information

Platforms All platforms

Licensing Base operating system.

Command Mode Enable or Config mode on master or local switches


show ap lldp neighbors
show ap lldp neighbors ap-name <ap-name> ip-addr <ip-addr> ip6-addr <ipv6-addr>
Description
Show LLDP neighbors for a specific AP, or all APs sending or receiving LLDP Protocol Data Units (PDUs).
Syntax

Parameter           Description
ap-name <ap-name>   Show LLDP neighbor statistics for an AP with a specific name.
ip-addr <ip-addr>   View LLDP neighbor statistics for an AP with a specific IP address. Enter the IP address of the AP in dotted-decimal format.
ip6-addr <ip-addr>  View LLDP neighbor statistics for an AP with a specific IPv6 address.

Usage Guidelines
The LLDP protocol allows switches, routers, and wireless LAN access points to advertise information about themselves such as identity, capabilities, and neighbors to other nodes on the network. Use this command to display information about the AP's LLDP peers.
By default, this command displays LLDP neighbors for the entire list of LLDP interfaces. Include the name or IP address of an AP to display neighbor information only for that one device.

Examples

The output of the command below shows the LLDP neighbor list for an AP named ap12.

(host) #show ap lldp neighbors ap-name ap12

AP LLDP Neighbors (Updated every 60 seconds)
--------------------------------------------
AP  Interface  Neighbor  Chassis Name/ID    Port Name/ID  Mgmt. Address  Capabilities
--  ---------  --------  ---------------    ------------  -------------  ------------
uc  bond0      0         d8:c7:c8:c4:4f:4e  bond0         10.3.44.193
Capability codes: (R)Router, (B)Bridge, (A)Access Point, (P)Phone, (O)Other

The output of this command includes the following information:

Parameter        Description
AP               Name of the LLDP neighbor.
Interface        Interface on the AP sending or receiving LLDP PDUs.
Neighbor         LLDP neighbor number.
Chassis Name/ID  The name of the LLDP neighbor AP.
Port Name/ID     Port name or ID of the interface sending LLDP PDUs.
Mgmt. Address    Management address of the LLDP neighbor.
Capabilities     This data column can list any of the following data codes to indicate LLDP neighbor capabilities.
    - R: Router
    - B: Bridge
    - A: Access Point
    - P: Phone
    - O: Other

Command History
Command introduced in AOS-W 6.2.
Command Information

Platforms All platforms

Licensing Base operating system.

Command Mode Enable or Config mode on master or local switches


show ap load-balancing
show ap load-balancing

Description
Show the load-balancing information for each AP with load balancing enabled.

Examples

The output of the command in the example below shows details for a single AP enabled with the load-balancing feature.

(host) #show ap load-balancing

Load Balance Enabled Access Point Table

---------------------------------------

bss

cur-cl util(kbps)

---

------ ----------

00:0b:86:cc:8e:4e

Wireless_1

mp22 2/24 10.3.148.12 a-HT

413

The output of this command includes the following information:

Column       Description
BSS          The Basic Service Set (BSS) Identifier for the AP. This is usually the AP's MAC address.
ESS          The Extended Service Set (ESS) Identifier is the user-defined name of an 802.11 wireless network.
s/p          The switch slot and port used by the AP, in the format <slot>/<port>. <slot> is always 1, except when referring to interfaces on the OAW-6000 switch. For the OAW-6000 switch, the four slots are allocated as follows:
    - Slot 0: contains an OmniAccess Supervisor Card III.
    - Slot 1: can contain an OmniAccess Supervisor Card III, or a line card.
    - Slot 2: can contain an OmniAccess Supervisor Card III or a line card.
    - Slot 3: can contain either an OmniAccess Supervisor Card III or a line card.
    <port> refers to the network interfaces that are embedded in the front panel of the OAW-4x04 Series switch, OmniAccess Supervisor Card III, or a line card installed in the OAW-6000 switch. Port numbers start at 0 from the left-most position.
ip           IP address of the AP.
phy          One of the following 802.11 types:
    - a
    - a-HT (high-throughput)
    - g
    - g-HT (high-throughput)
chan         Channel number for the AP 802.11a/802.11n physical layer. The available channels depend on the AP's regulatory domain (country).
cur-cl       Current number of clients on the AP.
util (kbps)  Current bandwidth utilization, in kbps.


Command History
Introduced in AOS-W 3.0.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode Enable or Config mode on master switches


show ap mesh active
show ap mesh active [<mesh-cluster>|{page <page>}|{start <start>}]
Description
Show active mesh cluster APs currently registered on this switch.
Syntax

Parameter       Description
<mesh-cluster>  Name of a mesh cluster profile.
page <page>     Limit the output of this command to a specific number of entries by entering the number of entries you want to display.
start <start>   Start displaying the index of mesh APs at a chosen index number by entering the index number of the AP at which command output should start.

Examples

The output of this command displays a list of all active mesh points and mesh portals.

(host) #show ap mesh active

Mesh Cluster Name: meshprofile1
------------------------------
Name  Group   IP Address    BSSID              Band/Ch/EIRP/MaxEIRP  MTU   Enet 0/1       Mesh Role  Parent  #Children  AP Type  Uptime
----  -----   ----------    -----              --------------------  ---   --------       ---------  ------  ---------  -------  ------
mp1   mp1     10.3.148.245  00:1a:1e:85:c0:30  802.11a/157/19/36           Off/Off        Point      mp3     0          125      13d:2h:25m:19s
mp2   mp2     10.3.148.250  00:1a:1e:88:11:f0  802.11a/157/19/36           Bridge/Bridge  Point      mpp     1          125      14d:21h:23m:49s
mp3   mp3     10.3.148.253  00:1a:1e:88:01:f0  802.11a/157/19/36           Bridge/Bridge  Point      mp2     1          125      14d:21h:14m:55s
mpp   mpp125  10.3.148.252  00:1a:1e:88:05:50  802.11a/157/19/36     1578  -/Bridge       Portal     -       1          125      14d:19h:5m:3s

The output of this command includes the following information:

Column                Description
Name                  Name of an AP.
Group                 AP group which includes the specified AP.
IP Address            IP address of the AP.
BSSID                 Basic Service Set Identifier (BSSID) for the AP. This is usually the AP's MAC address.
Band/Ch/EIRP/MaxEIRP  The RF band in which the AP should operate (a or g) / Radio channel used by the AP / Current effective Isotropic Radiated Power (EIRP) / maximum EIRP.
MTU                   Maximum Transmission Unit (MTU) size, in bytes. This value describes the greatest amount of data that can be transferred in one physical frame.
Enet 0/1              Shows the current mode of each wired interface.
    - Bridge: 802.11 frames are bridged into the local Ethernet LAN.
    - Tunnel: 802.11 frames are tunneled to the switch using generic routing encapsulation (GRE).
    - Split-tunnel: 802.11 frames are either bridged into the local Ethernet LAN or tunneled to the switch, depending upon their destination.
    - Off: Interface is not available for serving clients.
    If an AP has only one wired interface, the output of this command will display a dash (-) for the unavailable port.
Mesh Role             An AP operating as a mesh node can have one of two roles: mesh portal or mesh point.
Parent                If the AP is operating as a mesh point, this parameter displays the name of its parent mesh portal. Mesh portals will display a dash (-).
#Children             If the AP is operating as a mesh portal, this parameter shows the number of mesh point children associated with that mesh portal.
AP type               The AP model type.
Uptime                Number of hours, minutes and seconds since the last switch reboot or bootstrap, in the format hours:minutes:seconds.

Command History
Introduced in AOS-W 3.0.
Command Information

Platforms All platforms

Licensing This show command is available in the base operating system. Commands to configure the secure enterprise mesh solution for outdoor APs require the Outdoor Mesh license.

Command Mode Enable or Config mode on master switches


show ap mesh-cluster-profile
show ap mesh-cluster-profile [<profile>]
Description
Show configuration settings for a mesh cluster profile.
Syntax

Parameter  Description
<profile>  Name of a mesh cluster profile

Usage Guidelines
The command show ap mesh-cluster-profile displays a list of all mesh cluster profiles configured on the switch, including the number of references to each profile and each profile's status. Include the optional <profile> parameter to show detailed settings for an individual mesh cluster profile.

Examples
The example below shows the configuration settings for the mesh cluster profile "meshcluster2".

(host) #show ap mesh-cluster-profile meshcluster2

Mesh Cluster profile "meshcluster2"
------------------------------
Parameter       Value
---------       -----
Cluster Name    company-mesh
RF Band         a
Encryption      opensystem
WPA Hexkey      N/A
WPA Passphrase  N/A

The output of this command includes the following information:

Parameter       Description
Cluster Name    Name of the mesh cluster using this profile.
RF band         The RF band in which the AP should operate:
    - g = 2.4 GHz
    - a = 5 GHz
Encryption      Data encryption setting for the mesh cluster profile.
    - opensystem--No authentication and encryption.
    - wpa2-psk-aes--WPA2 with AES encryption using a preshared key.
WPA Hexkey      The WPA pre-shared key (only for mesh cluster profiles using WPA2 with AES encryption).
WPA Passphrase  The WPA password that generates the preshared key (only for mesh cluster profiles using WPA2 with AES encryption).


Command History
Introduced in AOS-W 3.2.
Command Information

Platforms All platforms

Licensing This show command is available in the base operating system. Commands to configure the mesh feature require the Mesh license.

Command Mode Enable or Config mode on master switches


show ap mesh debug counters
show ap mesh debug counters {ap-name <ap-name>}|{bssid <bssid>}|{ip-addr <ip-addr>}
Description
Show counter statistics for a mesh node.
Syntax

Parameter          Description
ap-name <ap-name>  Show counter statistics for an AP with a specific name.
bssid <bssid>      Show counter statistics for a specific Basic Service Set Identifier (BSSID) on an AP. An AP's BSSID is usually the AP's MAC address.
ip-addr <ip-addr>  View counter statistics for an AP with a specific IP address. Enter the IP address of the AP in dotted-decimal format.

Example

The example below shows the Mesh Packet Counters table for an AP named meshpoint1. The Probe Resp, Assoc Req, and Assoc Resp data columns show both the total number of counters and, in parentheses, the number of requests or responses with high-throughput information elements (HT IEs).

(host) #show ap mesh debug counters ap-name meshpoint1

Mesh Packet Counters
--------------------
Interface  Echo Sent  Echo Recv  Probe Req  Probe Resp  Assoc Req  Assoc Resp  Assoc Fail  Link up/down  Resel.  Switch  Other
---------  ---------  ---------  ---------  ----------  ---------  ----------  ----------  ------------  ------  ------  -----
Parent     68865      68755      24         8(8 HT)     3(1 HT)    3(1 HT)     1           1             -       -       0
Child      68913      67373      6          8           2          1           2           0                             2618886

Received Packet Statistics: Total 2890717, Mgmt 2618946 (dropped non-mesh 0), Data 271771 (dropped unassociated 1)
HT: pns=8 ans=1 pnr=0 ars=0 arr=1 anr=0

Recovery Profile Usage Counters
-------------------------------
Item                         Value
----                         -----
Enter recovery mode          0
Exit recovery mode           0
Total connections to switch  0

Mesh loop-prevention Sequence No.:1256947
Mesh timer ticks:68930

The output of this command includes the following information:

Column        Description
Interface     Indicates whether the mesh interface connects to a Parent AP or a Child AP. Each row of data in the Mesh Packet Counters table shows counter values for an individual interface.
Echo Sent     Number of echo packets sent.
Echo Recv     Number of echo packets received.
Probe Req     Number of probe request packets sent from the interface specified in the Mesh-IF parameter.
Probe Resp    Number of probe response packets sent to the interface specified in the Interface parameter.
Assoc Req     Number of association request packets from the interface specified in the Interface parameter.
Assoc Resp    Number of association response packets from the interface specified in the Interface parameter. This number includes valid responses and fail responses.
Assoc Fail    Number of fail responses received from the interface specified in the Interface parameter.
Link up/down  Number of times the link up or link down state has changed.
Resel.        Number of times a mesh point attempted to reselect a different mesh portal.
Switch        Number of times a mesh point successfully switched to a different mesh portal.
Other Mgmt    Management frames of any type other than association and probe frames, either received on child interface, or sent on parent interface.

Command History
Introduced in AOS-W 3.0.
Command Information

Platforms All platforms

Licensing This show command is available in the base operating system. Commands to configure the mesh feature require the Mesh license.

Command Mode Enable or Config mode on master switches.


show ap mesh debug current-cluster
show ap mesh debug current-cluster {ap-name <ap-name>}|{bssid <bssid>}|{ip-addr <ip-addr>}
Description
Display information for the mesh cluster currently used by a mesh point or mesh portal.
Syntax

Parameter          Description
ap-name <ap-name>  Show mesh cluster data for an AP with a specific name.
bssid <bssid>      Show mesh cluster data for a specific Basic Service Set Identifier (BSSID) on an AP. An AP's BSSID is usually the AP's MAC address.
ip-addr <ip-addr>  Show mesh cluster data for an AP with a specific IP address. Enter the IP address in dotted-decimal format.

Examples
The output of the command below shows mesh cluster profile configuration parameters for the mesh cluster currently used by an AP named "mp2".

(host) #show ap mesh debug current-cluster ap-name mp2

AP "mp2" Current Cluster Profile: default
-----------------------------------------
Item            Value
----            -----
Cluster Name    smettu-mesh
RF Band         a
Encryption      opensystem
WPA Hexkey      N/A
WPA Passphrase  ********

The output of this command includes the following information:

Column          Description
Cluster Name    Name of the mesh cluster using this profile.
RF band         The RF band in which the mesh point or mesh portal operates:
    - g = 2.4 GHz
    - a = 5 GHz
Encryption      Data encryption setting for the mesh cluster profile.
    - opensystem--No authentication and encryption.
    - wpa2-psk-aes--WPA2 with AES encryption using a preshared key.
WPA Hexkey      The WPA pre-shared key (only for mesh cluster profiles using WPA2 with AES encryption).
WPA Passphrase  The WPA password that generates the preshared key (only for mesh cluster profiles using WPA2 with AES encryption).


Command History
Introduced in AOS-W 3.0.
Command Information

Platforms All platforms

Licensing This show command is available in the base operating system. Commands to configure the mesh feature require the Mesh license.

Command Mode Enable or Config mode on master switches


show ap mesh debug forwarding-table
show ap mesh debug forwarding-table {ap-name <ap-name>}|{ip-addr <ip-addr>}
Description
Show the forwarding table for a remote mesh point or remote mesh portal.
Syntax

Parameter          Description
ap-name <ap-name>  Show data for a remote mesh node with a specific name.
ip-addr <ip-addr>  Show data for a remote mesh node with a specific IP address by entering its IP address in dotted-decimal format.

Usage Guidelines
This is an internal technical support command. Alcatel-Lucent technical support may request that you issue this command to help analyze and troubleshoot problems with your mesh network.
Command History
Introduced in AOS-W 3.0.
Command Information

Platforms All platforms

Licensing This show command is available in the base operating system. Commands to configure the mesh feature require the Mesh license.

Command Mode Enable or Config mode on master switches


show ap mesh debug hostapd-log
show ap mesh debug hostapd-log {ap-name <ap-name>}|{bssid <bssid>}|{ip-addr <ip-addr>}
Description
Show the debug log messages for the hostapd process.
Syntax

Parameter          Description
ap-name <ap-name>  Show data for an AP with a specific name.
bssid <bssid>      Show data for a specific Basic Service Set Identifier (BSSID) on an AP. The Basic Service Set Identifier (BSSID) is usually the AP's MAC address.
ip-addr <ip-addr>  Show data for an AP with a specific IP address by entering an IP address in dotted-decimal format.

Usage Guidelines
This is an internal technical support command. Alcatel-Lucent technical support may request that you issue this command to help analyze and troubleshoot problems with the hostapd process or your mesh network.
Command History
Introduced in AOS-W 3.0.
Command Information

Platforms All platforms

Licensing This show command is available in the base operating system. Commands to configure the mesh feature require the Mesh license.

Command Mode Enable or Config mode on master switches


show ap mesh debug meshd-log
show ap mesh debug meshd-log {ap-name <ap-name>}|{bssid <bssid>}|{ip-addr <ip-addr>} [<page>]
Description
Show the debug log messages for the meshd process.
Syntax

Parameter          Description
ap-name <ap-name>  Show data for an AP with a specific name.
bssid <bssid>      Show data for a specific Basic Service Set Identifier (BSSID) on an AP. The Basic Service Set Identifier (BSSID) is usually the AP's MAC address.
ip-addr <ip-addr>  Show data for an AP with a specific IP address by entering an IP address in dotted-decimal format.
<page>             Display page number 0, 1 or 2, where page 0 has the newest information and page 2 has the oldest. If this parameter is omitted, this command will display all meshd log information, oldest first.

Usage Guidelines
This is an internal technical support command. Alcatel-Lucent technical support may request that you issue this command to help analyze and troubleshoot problems with the meshd process or your mesh network.
Command History

Release    Modification
AOS-W 3.0  Command introduced.
AOS-W 3.4  The page parameter was introduced.

Command Information

Platforms All platforms

Licensing This show command is available in the base operating system. Commands to configure the mesh feature require the Mesh license.

Command Mode Enable or Config mode on master switches


show ap mesh debug provisioned-clusters
show ap mesh debug provisioned-clusters {ap-name <ap-name>}|{bssid <bssid>}|{ip-addr <ip-addr>}
Description
Show cluster profiles provisioned on a mesh portal or mesh point.
Syntax

Parameter          Description
ap-name <ap-name>  Show data for a mesh node with a specific name.
bssid <bssid>      Show data for a mesh node with a specific Basic Service Set Identifier (BSSID). The Basic Service Set Identifier (BSSID) is usually the AP's MAC address.
ip-addr <ip-addr>  Show data for a mesh node with a specific IP address by entering an IP address in dotted-decimal format.

Example

The output of the command below shows statistics for the AP's mesh cluster profile and recovery cluster profile.

(host) #show ap mesh debug provisioned-clusters ap-name portal2

AP Portal Cluster Profile: mesh-cluster-profile
-------------------------------------------------
Parameter       Value
---------       -----
Cluster Name    sw-ad-GB32
RF Band         a
Encryption      opensystem
WPA Hexkey      N/A
WPA Passphrase  ********

AP "Portal" Cluster Profile: Recovery Cluster Profile
-----------------------------------------------------
Item            Value
----            -----
Cluster Name    Recovery-ZF-xAPl5z-g15VN
RF Band         a
Encryption      wpa2-psk-aes
WPA Hexkey      ********
WPA Passphrase  N/A

The output of this command displays the following information for the AP's mesh cluster profile and recovery cluster profiles:

Column          Description
Cluster Name    Name of the mesh cluster using this profile.
RF band         The RF band in which the AP should operate:
    - g = 2.4 GHz
    - a = 5 GHz
Encryption      Data encryption setting for the mesh cluster profile.
    - opensystem--No authentication and encryption.
    - wpa2-psk-aes--WPA2 with AES encryption using a preshared key.
WPA Hexkey      The WPA pre-shared key (only for mesh cluster profiles using WPA2 with AES encryption).
WPA Passphrase  The WPA password that generates the preshared key (only for mesh cluster profiles using WPA2 with AES encryption).
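
The following Python script is an added example, not part of the AOS-W guide: it audits saved output of show ap mesh-cluster-profile, show ap mesh debug current-cluster or show ap mesh debug provisioned-clusters and reports mesh clusters left on opensystem. The sample output, cluster names and severity labels are constructed for illustration, and the parser assumes a clean capture in the Parameter/Value (or Item/Value) layout shown in the examples above.

```python
import re

# Field names as they appear in the guide's mesh cluster profile tables.
FIELDS = ("Cluster Name", "RF Band", "Encryption", "WPA Hexkey", "WPA Passphrase")
TITLE_RE = re.compile(r"cluster\s+profile", re.IGNORECASE)
RULE_RE = re.compile(r"^-{3,}[\s-]*$")  # a row of dashes under a title or header

# Constructed sample: three profile tables in the layout the guide shows.
SAMPLE_OUTPUT = """\
AP "mp-lab" Cluster Profile: lab-mesh-profile
---------------------------------------------
Parameter       Value
---------       -----
Cluster Name    lab-mesh
RF Band         a
Encryption      opensystem
WPA Hexkey      N/A
WPA Passphrase  ********

AP "mp-lab" Cluster Profile: Recovery Cluster Profile
-----------------------------------------------------
Item            Value
----            -----
Cluster Name    Recovery-EXAMPLE
RF Band         a
Encryption      wpa2-psk-aes
WPA Hexkey      ********
WPA Passphrase  N/A

Mesh Cluster profile "yard-mesh-profile"
----------------------------------------
Parameter       Value
---------       -----
Cluster Name    yard-mesh
RF Band         g
Encryption      opensystem
WPA Hexkey      N/A
WPA Passphrase  N/A
"""


def parse_cluster_profiles(text):
    """Return one dict per profile table found in the CLI output."""
    profiles, current = [], None
    lines = text.splitlines()
    for i, raw in enumerate(lines):
        line = raw.strip()
        if not line:
            continue
        nxt = lines[i + 1].strip() if i + 1 < len(lines) else ""
        # A table starts at a title line that is underlined with dashes.
        if TITLE_RE.search(line) and RULE_RE.match(nxt):
            current = {"title": line}
            profiles.append(current)
            continue
        if current is None or RULE_RE.match(line):
            continue
        for field in FIELDS:
            if line.lower().startswith(field.lower()):
                current[field] = line[len(field):].strip()
                break
    return profiles


def _is_set(value):
    """True when the CLI shows a (masked) value rather than N/A."""
    return value not in (None, "", "N/A")


def audit(profiles):
    """Return (cluster name, severity, message) tuples; severities are this example's own."""
    findings = []
    for p in profiles:
        name = p.get("Cluster Name", "?")
        enc = p.get("Encryption", "").lower()
        keyed = _is_set(p.get("WPA Hexkey")) or _is_set(p.get("WPA Passphrase"))
        if enc == "opensystem":
            findings.append((name, "HIGH",
                             "opensystem: mesh links have no authentication or encryption"))
            if keyed:
                findings.append((name, "INFO",
                                 "key material is configured but unused while encryption is opensystem"))
        elif enc == "wpa2-psk-aes":
            if not keyed:
                findings.append((name, "MEDIUM",
                                 "wpa2-psk-aes selected but no hexkey or passphrase is shown"))
        else:
            # Anything other than the two values the guide lists needs a manual look.
            findings.append((name, "REVIEW", f"unrecognised encryption value {enc!r}"))
    return findings


if __name__ == "__main__":
    for name, severity, message in audit(parse_cluster_profiles(SAMPLE_OUTPUT)):
        print(f"[{severity}] {name}: {message}")
```

The INFO case mirrors the example outputs above, where a profile shows a masked WPA passphrase while its encryption is opensystem: the passphrase protects nothing until the profile is switched to wpa2-psk-aes.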

Command History
Introduced in AOS-W 3.0.
Command Information

Platforms All platforms

Licensing This show command is available in the base operating system. Commands to configure the mesh feature require the Mesh license.

Command Mode Enable or Config mode on master switches


show ap mesh-ht-ssid-profile
show ap mesh-ht-ssid-profile [<profile>]
Description
Show configuration settings for a mesh high-throughput Service Set Identifier (SSID) profile.
Syntax

Parameter  Description
<profile>  Name of a mesh high-throughput SSID profile.

Usage Guidelines
High-throughput APs support additional settings not available in legacy APs. A mesh high-throughput SSID profile can enable or disable high-throughput (802.11n) features and 40 MHz channel usage, and define values for aggregated MAC protocol data units (MPDUs) and Modulation and Coding Scheme (MCS) ranges.
The command show ap mesh-ht-ssid-profile displays a list of all mesh high-throughput SSID profiles configured on the switch, including the number of references to each profile and each profile's status. Include the optional <profile> parameter to show detailed settings for an individual mesh high-throughput SSID profile.

Examples
The example below shows the configuration settings for the mesh high-throughput radio profile "default".

(host) #show ap mesh-ht-ssid-profile default

Mesh High-throughput SSID profile "default"
-------------------------------------------
Parameter                                                       Value
---------                                                       -----
40 MHz channel usage                                            Enabled
BA AMSDU Enable                                                 Enabled
High throughput enable (SSID)                                   Enabled
Legacy stations                                                 Allowed
Low-density Parity Check                                        Enabled
Maximum number of spatial streams usable for STBC reception     1
Maximum number of spatial streams usable for STBC transmission  1
MPDU Aggregation                                                Enabled
Max received A-MPDU size                                        65535 bytes
Max transmitted A-MPDU size                                     65535 bytes
Min MPDU start spacing                                          8 usec
Short guard interval in 20 MHz mode                             Enabled
Short guard interval in 40 MHz mode                             Enabled
Supported MCS set                                               0-23

The output of this command includes the following information:

Column: Description
40 MHz channel usage: This parameter shows if the profile enables or disables the use of 40 MHz channels.
BA AMSDU Enable: Shows if the AP has enabled or disabled the ability to receive AMSDU in BA negotiation.
High throughput enable (SSID): Shows if 802.11n high-throughput features are enabled or disabled for this profile. By default, high-throughput features are enabled.
Legacy stations: Allow or disallow associations from legacy (non-HT) stations. By default, this parameter is enabled (legacy stations are allowed).
Low-density Parity Check: If enabled, the AP will advertise Low-density Parity Check (LDPC) support. LDPC improves data transmission over radio channels with high levels of background noise.
Maximum number of spatial streams usable for STBC reception: Shows the maximum number of spatial streams usable for STBC reception. 0 disables STBC reception, 1 uses STBC for MCS 0-7. Higher MCS values are not supported. (Supported on the OAW-AP90 series, OAW-AP130 Series, OAW-AP68, OAW-AP175 and OAW-AP105 only. The configured value will be adjusted based on AP capabilities.)
Maximum number of spatial streams usable for STBC transmission: Shows the maximum number of spatial streams usable for STBC transmission. 0 disables STBC transmission, 1 uses STBC for MCS 0-7. Higher MCS values are not supported. (Supported on OAW-AP90 series, OAW-AP175, OAW-AP130 Series and OAW-AP105 only. The configured value will be adjusted based on AP capabilities.)
MPDU Aggregation: Shows if the profile enables or disables MAC protocol data unit (MPDU) aggregation.
Max received A-MPDU size: Configured maximum size of a received aggregate MPDU, in bytes.
Max transmitted A-MPDU size: Configured maximum size of a transmitted aggregate MPDU, in bytes.
Min MPDU start spacing: Configured minimum time between the start of adjacent MPDUs within an aggregate MPDU, in microseconds.
Supported MCS set: Displays a list of Modulation Coding Scheme (MCS) values or ranges of values to be supported on this SSID. The MCS you choose determines the channel width (20 MHz vs. 40 MHz) and the number of spatial streams used by the mesh node.
Short guard interval in 20 MHz mode: Shows if the profile enables or disables use of short (400ns) guard interval in 20 MHz mode.
Short guard interval in 40 MHz mode: Shows if the profile enables or disables use of short (400ns) guard interval in 40 MHz mode.


Command History
Version: Description
AOS-W 3.4: Command introduced
AOS-W 6.1: The allow weak encryption parameter was deprecated. The following parameters were introduced:
- Short guard interval in 20 MHz mode
- Low-density Parity Check
- Maximum number of spatial streams usable for STBC reception
- Maximum number of spatial streams usable for STBC transmission

Command Information

Platforms: All platforms
Licensing: Base operating system
Command Mode: Enable or Config mode on master switches


show ap mesh neighbors
show ap mesh neighbors {ap-name <ap-name>}|{bssid <bssid>}|{ip-addr <ip-addr>} [names]
Description
Show all mesh neighbors for an AP.
Syntax

Parameter: Description
ap-name <ap-name>: Show mesh neighbors for an AP with a specific name.
bssid <bssid>: Show mesh neighbors for a specific Basic Service Set Identifier (BSSID) on an AP. The Basic Service Set Identifier (BSSID) is usually the AP's MAC address.
ip-addr <ip-addr>: Show mesh neighbors for an AP with a specific IP address by entering its IP address in dotted-decimal format.
names: If you include this optional parameter, the Portal column in the output of this command will translate the BSSIDs of mesh parent and child APs to AP names (where available).

Example
In the example below, the output has been split into two tables to better fit on the page. In the actual command-line interface, the output appears in a single, wide table. The Flags column in the output of this command indicates the high-throughput (HT) properties of the mesh node. In the example below, the string "HT-40MHzsgi-2ss" indicates that the node uses a 40 MHz channel with a short guard interval (sgi) and sends 2 spatial streams (ss).
(host) #show ap mesh neighbors ap-name portal

Neighbor list
-------------
MAC                Portal             Channel  Age  Hops  Cost   Relation      Flags  RSSI  Rate Tx/Rx
---                ------             -------  ---  ----  ----   --------      -----  ----  ----------
00:0b:86:e8:09:d1  00:1a:1e:88:01:f0  157      0    1     11.00  C 3h:15m:42s  -      65    54/54
00:1a:1e:88:02:91  00:1a:1e:88:01:f0  157      0    1     4.00   C 3h:35m:30s  HL     59    300/300
00:0b:86:9b:27:78  Yes                157      0    0     12.00  N 3h:22m:46s  -      26    -
00:0b:86:e8:09:d0  00:1a:1e:88:01:f0  157      0    1     11.00  N 3h:15m:36s  -      65    -
00:1a:1e:88:02:90  00:1a:1e:88:01:f0  157+     0    1     2.00   N 3h:35m:6s   HL     59    -

A-Req  A-Resp  A-Fail  HT-Details       Cluster ID
-----  ------  ------  ----------       ----------
1      1       0       Unsupported      sw-ad-GB32
1      1       0       HT-40MHzsgi-2ss  sw-ad-GB322
0      0       0       Unsupported      mc1
0      0       0       Unsupported      sw-ad-GB32
0      0       0       HT-40MHzsgi-2ss  sw-ad-GB32

Total count: 5, Children: 2


Relation: P = Parent; C = Child; N = Neighbor; B = Blacklisted-neighbor
Flags: R = Recovery-mode; S = Sub-threshold link; D = Reselection backoff; F = Auth-failure; H = High Throughput; L = Legacy allowed
The output of this command includes the following information:

Column: Description
MAC: MAC address of the mesh node.
Portal: By default, this column displays the BSSID of the mesh point. If you include the optional names parameter, this column will display AP names, if available. The AP names will include [p] (parent), or [c] (child) suffixes to indicate the role of the mesh BSSID.
Channel: Number of a radio channel used by the AP.
Age: Number of seconds elapsed since the AP heard from the neighbor.
Hops: Indicates the number of hops it takes traffic from the mesh node to get to the mesh portal. The mesh portal advertises a hop count of 0, while all other mesh nodes advertise a cumulative count based on the parent mesh node.
Cost: A relative measure of the quality of the path from the AP to the switch. A lower number indicates a better quality path, where a higher number indicates a less favorable path (e.g., a path which may be longer or more congested than a path with a lower value). For a mesh point, the path cost is the sum of the (parent path cost) + (the parent node cost) + (the link cost).
Relation: Shows the relationship between the specified AP and the AP on the neighbor list and the amount of time that relationship has existed.
- P = Parent
- C = Child
- N = Neighbor
- B = Blacklisted-neighbor
Flags: This parameter shows additional information about the mesh neighbor. The key describing each flag appears at the bottom of the neighbor list.
RSSI: The Receive Signal Strength Indicator (RSSI) value displayed in the output of this command represents signal strength as a signal to noise ratio. For example, a value of 30 would indicate that the power of the received signal is 30 dBm above the signal noise threshold.
Rate Tx/Rx: The rate, in Mbps, that a neighbor transmits data to or receives data from the mesh-node specified by the command.
A-Req: Number of association requests from clients.
A-Resp: Number of association responses from the mesh node.
A-Fail: Number of association failures.
Cluster: Name of the Mesh cluster that includes the specified AP or BSSID.


Command History
Version: Modification
AOS-W 3.0: Command introduced
AOS-W 3.4.1: The names parameter was introduced. The output of this command was also modified to include the Rate Tx/Rx column.

Command Information

Platforms: All platforms
Licensing: This show command is available in the base operating system. Commands to configure the mesh feature require the Mesh license.
Command Mode: Enable or Config mode on master switches


show ap mesh-radio-profile
show ap mesh-radio-profile [<profile>]
Description
Show configuration settings for a mesh radio profile.
Syntax

Parameter: Description
<profile>: Name of a mesh radio profile.

Usage Guidelines
The radio profile determines the radio frequency/channel used only by mesh nodes to establish mesh links. Mesh nodes operating in different cluster profiles can share the same radio profile. Conversely, mesh portals using the same cluster profile can be assigned different mesh radio profiles to achieve frequency separation.
The command show ap mesh-radio-profile displays a list of all mesh radio profiles configured on the switch, including the number of references to each profile and each profile's status. Include the optional <profile> parameter to show detailed settings for an individual mesh radio profile.

Example

The example below shows the configuration settings for the mesh radio profile "default".

(host) #show ap mesh-radio-profile default

Mesh Radio profile "default"
----------------------------
Parameter                                                      Value
---------                                                      -----
802.11a Transmit Rates                                         6 9 12 18 24 36 48 54
802.11g Transmit Rates                                         1 2 5 6 9 11 12 18 24 36 48 54
Allowed VLANs on mesh link                                     1-4094
BC/MC Rate Optimization                                        Enabled
Heartbeat threshold                                            10
Link Threshold                                                 12
Maximum Children                                               64
Maximum Hop Count                                              8
Mesh Private Vlan                                              0
Mesh High-throughput SSID Profile                              default
Mesh Survivability                                             Disabled
Metric algorithm                                               distributed-tree-rssi
Rate Optimization for delivering EAPOL frames and mesh echoes  Disabled
Reselection mode                                               startup-subthreshold
Retry Limit                                                    8
RTS Threshold                                                  2333 bytes

The output of this command includes the following information:

Parameter: Description
802.11a Transmit Rates: Indicates the transmit rates for the 802.11a radio. The AP attempts to use the highest transmission rate to establish a mesh link. If a rate is unavailable, the AP goes through the list and uses the next highest rate.
802.11g Transmit Rates: Indicates the transmit rates for the 802.11g radio. The AP attempts to use the highest transmission rate to establish a mesh link. If a rate is unavailable, the AP goes through the list and uses the next highest rate.
Allowed VLANs on mesh link: Specify a list of VLAN IDs that can be used by a mesh link on APs associated with this mesh radio profile.
BC/MC Rate Optimization: If enabled, the mesh node will use the slowest associated mesh-point rate for broadcast/multicast data (rather than minimum).
Heartbeat Threshold: Indicates the maximum number of heartbeat messages that can be lost between neighboring mesh nodes before the mesh node is considered inactive and is dropped as a mesh neighbor.
Link Threshold: Indicates the threshold for the lowest acceptable Receive Signal Strength Indicator (RSSI) value. Links that drop below this threshold will have an increased link cost. Default: 12.
Maximum Children: The maximum number of children a mesh portal can accept.
Maximum Hop Count: The maximum number of hops allowed between a mesh point and a mesh portal.
Mesh Private Vlan: This parameter is experimental and reserved for future use.
Mesh High-throughput SSID Profile: The High-throughput SSID Profile associated with this mesh radio profile.
Mesh Survivability: This parameter shows if mesh points and portals can become active even if the switch cannot be reached by bridging LAN traffic. This is a beta feature that is disabled by default; it should not be enabled unless you are instructed to do so by Alcatel-Lucent technical support.
Metric algorithm: Algorithm used by a mesh node to select its parent.
Rate Optimization for delivering EAPOL frames and mesh echoes: If this option is enabled, mesh APs will choose a more conservative rate for EAPOL frames and mesh echoes.
Reselection Mode: Specifies one of the following methods used to find a better mesh link.
- startup-sub-threshold: When bringing up the mesh network, mesh nodes have 3 minutes to find a better uplink. After that time, each mesh node evaluates alternative links only if the existing uplink falls below the configured threshold level (the link becomes a sub-threshold link). The reselection process is canceled if the average RSSI on the existing uplink rises above the configured link threshold.
- reselect-any-time: Connected mesh nodes evaluate alternative mesh links every 30 seconds. If a mesh node finds a better uplink, the mesh node connects to the new parent to create an improved path to the mesh portal.
- reselect-never: Connected mesh nodes do not evaluate other mesh links to create an improved path to the mesh portal.
- subthreshold-only: Connected mesh nodes evaluate alternative links only if the existing uplink becomes a sub-threshold link.
Retry Limit: Maximum number of times a mesh node can re-send a packet.
RTS Threshold: The packet size sent by mesh nodes. Mesh nodes transmitting frames larger than this threshold must issue request to send (RTS) and wait for other mesh nodes to respond with clear to send (CTS) to begin transmission. This helps prevent mid-air collisions.

Command History
Release: Modification
AOS-W 3.2: Command introduced.
AOS-W 3.4: The 802.11g Portal channel and 802.11a Portal channel parameters were deprecated, and the Mesh High-throughput SSID Profile parameter was introduced.
AOS-W 6.2: The Rate Optimization for delivering EAPOL frames and mesh echoes parameter was introduced.

Command Information

Platforms: All platforms
Licensing: Base operating system
Command Mode: Enable or Config mode on master switches


show ap mesh tech-support
show ap mesh tech-support ap-name <ap-name> <filename>
Description
Display all information for an AP, and save that information in a file on the switch.
Syntax

Parameter: Description
<ap-name>: Name of an AP for which you want to create a report.
<filename>: Filename for the report created by this command. The file can only be saved in the flash directory. If desired, you can use FTP or TFTP to copy the file to another destination.

Usage Guidelines
This command displays the output of multiple mesh and debug CLI commands, then saves that data into a report file on the switch's flash drive, where it can be analyzed for debugging purposes. The information in this report includes the output of the following commands:
- show ap mesh neighbors
- show ap mesh debug current-cluster
- show ap mesh debug provisioned-clusters
- show ap mesh debug counters
- show ap mesh debug forwarding-table
- show ap mesh debug meshd-log
- show ap mesh debug hostapd-log
Command History
Introduced in AOS-W 3.0.
Command Information

Platforms: All platforms
Licensing: This show command is available in the base operating system. Commands to configure the mesh feature require the Mesh license.
Command Mode: Config mode on master switches


show ap mesh topology
show ap mesh topology [long] [page <page>] [start <start>]
Description
Show the mesh topology tree.
Syntax

Parameter: Description
long: Include the names of a mesh portal's children in the output of this command.
page <page>: Limit the output of this command to a specific number of entries by entering the number of entries you want to display.
start <start>: Start displaying the mesh topology tree at a chosen index number by entering the index number of the AP at which command output should start.

Example
An (N) in the Mesh Role column indicates the node is 11N capable. An (N) beside the parent name in the Parent column indicates that the mesh node's parent is also 11N capable.
(host) #show ap mesh topology

Mesh Cluster Name: sw-ad-GB32
-----------------------------
Name   Mesh Role  Parent  Path Cost  Node Cost  Link Cost  Hop Count  RSSI  Rate Tx/Rx  Last Update  Uplink Age  #Children
----   ---------  ------  ---------  ---------  ---------  ---------  ----  ----------  -----------  ----------  ---------
ad-ap  Point (N)  mp3     2          0          0          1          61    300/270     6m:12s       3h:8m:7s    0
msc-1  Point      mp3     2          0          0          1          64    54/54       6m:36s       2h:48m:12s  0

Total APs :2
(R): Recovery AP. (N): 11N Enabled. For Portals 'Uplink Age' equals uptime.
The output of this command includes the following information:

Column: Description
Name: Name of the mesh node.
Mesh Role: An AP operating as a mesh node can have one of two roles: mesh portal or mesh point.
Parent: If the AP is operating as a mesh point, this parameter displays the name of its parent mesh portal.
Path Cost: A relative measure of the quality of the path from the AP to the switch. A lower number indicates a better quality path, where a higher number indicates a less favorable path (e.g., a path which may be longer or more congested than a path with a lower value). For a mesh point, the path cost is the sum of the (parent path cost) + (the parent node cost) + (the link cost).
Node Cost: A relative measure of the quality of the node, where a lower number is more favorable than a higher number. This cost is related to the number of children on the specified node.
Link Cost: A relative measure of the quality of the link. For example, a more congested link will have a higher link cost than a similar, less-congested link.
Hop Count: Number of hops to the mesh portal.
RSSI: The Receive Signal Strength Indicator (RSSI) value displayed in the output of this command represents signal strength as a signal to noise ratio. For example, a value of 30 would indicate that the power of the received signal is 30 dBm above the signal noise threshold.
Rate Tx/Rx: The rate, in Mbps, at which a mesh point transmits and receives on its uplink. Note that the rate information is only as current as indicated in the Last Update column.
Last Update: Time elapsed since the mesh node last updated its statistics.
Uplink Age: Time elapsed since the mesh node became active in the mesh topology.
#Children: Number of children associated with a parent mesh point.

Command History
Version: Modification
AOS-W 3.0: Command introduced
AOS-W 3.4.1: The output of this command was also modified to include the Rate Tx/Rx column.

Command Information

Platforms: All platforms
Licensing: This show command is available in the base operating system. Commands to configure the mesh feature require the Mesh license.
Command Mode: Enable or Config mode on master switches


show ap monitor
show ap monitor active-laser-beams|ap-list|channel|client-list|containment-info|ids-state|mesh-list|pot-ap-list|pot-client-list|routers|wired-mac {ap-name <ap-name>}|{bssid <bssid>}|{ip-addr <ip-addr>} {ap-bssid <ap-bssid>}|{enet-mac <enet-mac>}
Description
Show information for Alcatel-Lucent Air Monitors.
Syntax

Parameter: Description
active-laser-beams: Show active laser beam generators. The output of this command shows a list of all APs that are actively performing policy enforcement containment such as rogue containment. This command can tell us which AP is sending out deauthorization frames, although it does not specify which AP is being contained.
ap-list: Show list of APs being monitored.
arp-cache: Show ARP Cache of learned IP to MAC binding.
channel: Show state and stats of a specific channel.
client-list: Show list of clients being monitored.
containment-info: Show containment events and counters triggered by the wired containment and wireless containment features configured in the ids general-profile. The output of this command shows device and target data for wired containment activity, as well as data for the following counters.
Wireless Containment Counters:
- Last Deauth Timer Tick
- Deauth frames to AP
- Deauth frames to Client
- Last Tarpit Timer Tick
- Tarpit Frames: Probe Response
- Tarpit Frames: Association Response
- Tarpit Frames: Authentication
- Tarpit Frames: Data from AP
- Tarpit Frames: Data from Client
- Last Enhanced Adhoc Containment Timer Tick
- Enhanced Adhoc Containment: Frames To Data Sender
- Enhanced Adhoc Containment: Frames To Data Receiver
- Enhanced Adhoc Containment: Response to Request
- Enhanced Adhoc Containment: Replay Response
Wired Containment Counters:
- Last Wired Containment Timer Tick
- Last Tagged Wired Containment Timer Tick
- Spoof frames sent
- Spoof frames sent on tagged VLAN
ids-state: Show IDS State.
ap-name: Name of Access Point
bssid: BSSID of Access Point
ip-addr: IP Address of Access Point
mesh-list: Show list of Mesh APs being monitored.
pot-ap-list: Display the Potential AP table. The Potential AP table shows the following data:
- bssid: The AP's Basic Service Set Identifier.
- channel: The AP's current radio channel.
- phy type: The radio's PHY type. Possible values are 802.11a, 802.11a-HT-40, 802.11b/g, 802.11b/g-HT-20.
- num-beacons: Number of beacons seen during a 10-second scan.
- tot-beacons: Total number of beacons seen since the last reset.
- num-frames: Total number of frames seen since the last reset.
- mt: Monitor time; the number of timer ticks elapsed since the switch first recognized the AP.
- at: Active time, in timer ticks.
- ibss: Shows if ad-hoc BSS is enabled or disabled. It will be enabled if the bssid has detected an ad-hoc BSS (an ibss bit in an 802.11 frame).
- rssi: The Receive Signal Strength Indicator (RSSI) value displayed in the output of this command represents signal strength as a signal to noise ratio. For example, a value of 30 would indicate that the power of the received signal is 30 dBm above the signal noise threshold.
pot-client-list: Display the Potential client table. The Potential Client table shows the following values:
- last-bssid: The last BSSID to which the client associated.
- from-bssid
- to-bssid
- mt: Monitor time; the number of timer ticks elapsed since the switch first recognized the client.
- it: Client idle time, expressed as a number of timer ticks.
routers: Show Router MAC Addresses learned. The output of this command includes the router's MAC address, IP address and uptime.
wired-mac: Show Wired MAC Addresses learned.
ap-name <ap-name>: Show data for an AP with a specific name.
bssid <bssid>: Show data for a specific Basic Service Set Identifier (BSSID) on an AP. The Basic Service Set Identifier (BSSID) is usually the AP's MAC address.
ip-addr <ip-addr>: Show data for an AP with a specific IP address by entering its IP address in dotted-decimal format.
ap-bssid <ap-bssid>: Include the optional ap-bssid <ap-bssid> parameters to show how the AP is monitoring information for another AP with a specific BSSID.
enet-mac <enet-mac>: Include the optional enet-mac <enet-mac> parameters to show how the AP is monitoring information for an interface with a specific Ethernet MAC address.

Examples
The output of the command displays the Monitored AP table, which lists all the APs monitored by a specified AP or BSSID.
(host) #show ap monitor ap-list ap-name al12

Monitored AP Table
------------------
bssid              essid               chan  ap-type  phy-type        dos      mt      it  load-balance
-----              -----               ----  -------  --------        ---      --      --  ------------
00:1a:1e:11:5f:02  ethersphere-vocera  6     valid    80211b/g-HT-20  disable  787272  0   disable
00:1a:1e:11:5f:00  guest               6     valid    80211b/g-HT-20  disable  787272  0   disable
00:1a:1e:11:5f:11  ethersphere-wpa2    48    valid    80211a-HT-40    disable  786835  0   disable
00:1a:1e:11:5f:10  guest               48    valid    80211a-HT-40    disable  786835  0   disable
00:1a:1e:11:5f:01  ethersphere-voip    6     valid    80211b/g-HT-20  disable  787272  0   disable
00:1a:1e:11:6e:70  guest               48    valid    80211a-HT-40    disable  18543   0   disable
00:1a:1e:11:6e:71  ethersphere-wpa2    48    valid    80211a-HT-40    disable  18543   0   disable
00:1a:1e:88:90:42  employee4a          6     unknown  80211b/g        disable  3160    0   disable
00:1a:1e:88:90:41  guest4              6     unknown  80211b/g-HT-20  disable  3160    0   disable
00:1a:1e:88:90:40  employee4           6     unknown  80211b/g-HT-20  disable  3159    0   disable
00:1a:1e:8e:73:e1  guest10             6     unknown  80211b/g-HT-20  disable  941     0   disable
00:1a:1e:8e:73:e0  emplyee10           6     unknown  80211b/g-HT-20  disable  910     0   disable
00:1a:1e:8e:73:f0  emplyee10           48    unknown  80211a-HT-40    disable  252     0   disable
00:1a:1e:8e:73:f1  guest10             48    unknown  80211a-HT-40    disable  252     0   disable
00:1a:1e:8d:5b:30  guest               48    valid    80211a-HT-40    disable  189     0   disable
00:1a:1e:8d:5b:31  ethersphere-wpa2    48    valid    80211a-HT-40    disable  189     0   disable
00:1a:1e:85:89:20  employee8           11    unknown  80211b/g-HT-20  disable  9       9   disable

The output of this command includes the following information:

Column: Description
bssid: Basic Service Set Identifier for an AP. This is usually the AP's MAC address.
essid: Extended service set identifier that names a wireless network.
chan: Radio channel used by the BSSID.
phy-type: Radio phy type. Possible types include:
- 802.11a
- 802.11a-HT-40
- 802.11b/g
- 802.11b/g-HT-20
dos: Shows if the feature to contain DoS attacks has been enabled or disabled.
mt: Monitor time; the number of elapsed timer ticks since the AP first recognized the monitored AP.
it: AP idle time, the number of timer-ticks since the AP last saw any frames from the monitored AP.
load-balance: Shows if the load-balancing feature has been enabled on the AP.

Command History

Version: Modification
AOS-W 3.0: Command introduced
AOS-W 3.4: The ap-bssid and enet-mac parameters were added to the show ap monitor wired-mac command.
AOS-W 6.1: Added the following parameter to ids-state: ap-name bssid ip-addr

Command Information

Platforms: All platforms
Licensing: Base operating system
Command Mode: Enable or Config mode on master switches
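
The Monitored AP Table shown for show ap monitor ap-list can be reviewed by script once the output is captured. The following is an added example, not part of the AOS-W guide: Python that parses the table and lists the APs whose ap-type is not valid, placing first any that advertise an ESSID also used by a valid AP. It assumes the nine-column layout shown in the example above and unquoted ESSIDs; the function names and the last two sample rows are constructed.

```python
import re

# Rows 1-3 are copied from the example output in this section; rows 4-5 are
# constructed for this example (locally administered MACs, made-up ESSIDs).
SAMPLE_AP_LIST = """\
(host) #show ap monitor ap-list ap-name al12
Monitored AP Table
------------------
bssid              essid               chan  ap-type  phy-type        dos      mt      it  load-balance
-----              -----               ----  -------  --------        ---      --      --  ------------
00:1a:1e:11:5f:02  ethersphere-vocera  6     valid    80211b/g-HT-20  disable  787272  0   disable
00:1a:1e:11:5f:00  guest               6     valid    80211b/g-HT-20  disable  787272  0   disable
00:1a:1e:88:90:42  employee4a          6     unknown  80211b/g        disable  3160    0   disable
02:00:00:00:00:01  guest               11    unknown  80211b/g        disable  12      0   disable
02:00:00:00:00:02  Lobby Wi-Fi         1     unknown  80211b/g        disable  40      35  disable
"""

# A data row starts with a BSSID; everything else is header, rule or prompt.
BSSID_RE = re.compile(r"^([0-9a-fA-F]{2}(?::[0-9a-fA-F]{2}){5})\s+(.*)$")

# Columns that follow the ESSID, in the order the table prints them.
TAIL = ("chan", "ap_type", "phy_type", "dos", "mt", "it", "load_balance")


def parse_ap_list(text):
    """Return one dict per data row of a captured Monitored AP Table."""
    rows = []
    for line in text.splitlines():
        match = BSSID_RE.match(line.strip())
        if not match:
            continue
        tokens = match.group(2).split()
        if len(tokens) < len(TAIL):
            continue  # truncated row: too few columns to trust
        # Split from the right so an ESSID containing spaces, or an empty
        # (hidden) ESSID, does not shift the fixed columns.
        row = dict(zip(TAIL, tokens[-len(TAIL):]))
        if not (row["mt"].isdigit() and row["it"].isdigit()):
            continue  # columns did not line up; skip rather than guess
        row["bssid"] = match.group(1).lower()
        # Runs of spaces inside an ESSID are collapsed to one by split().
        row["essid"] = " ".join(tokens[:-len(TAIL)])
        row["mt"] = int(row["mt"])  # ticks since the AP was first recognized
        row["it"] = int(row["it"])  # ticks since a frame was last seen
        rows.append(row)
    return rows


def review_candidates(rows):
    """List APs not classified as valid, most urgent first.

    An AP that is not valid but advertises the ESSID of a valid AP is
    flagged (shares_valid_essid) and sorted ahead of the rest; within each
    group the most recently first-seen AP (lowest mt) comes first.
    """
    valid_essids = {
        r["essid"].lower() for r in rows if r["ap_type"] == "valid" and r["essid"]
    }
    candidates = []
    for r in rows:
        if r["ap_type"] == "valid":
            continue
        entry = dict(r)
        entry["shares_valid_essid"] = r["essid"].lower() in valid_essids
        candidates.append(entry)
    candidates.sort(key=lambda c: (not c["shares_valid_essid"], c["mt"]))
    return candidates


if __name__ == "__main__":
    for c in review_candidates(parse_ap_list(SAMPLE_AP_LIST)):
        note = "same ESSID as a valid AP" if c["shares_valid_essid"] else ""
        print(f'{c["bssid"]}  {c["essid"]!r:22} chan={c["chan"]:<4} '
              f'type={c["ap_type"]:<8} mt={c["mt"]:<7} {note}')
```
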


show ap monitor association
show ap monitor association {ap-name <ap-name>}|{bssid <bssid>}|{ip-addr <ip-addr>} <ap-bssid>
Description
Show the association table for an Air Monitor (AM).
Syntax

Parameter: Description
ap-name <ap-name>: Show data for an AM with a specific name.
bssid <bssid>: Show data for an AM with a specific Basic Service Set Identifier (BSSID). The Basic Service Set Identifier (BSSID) is usually the AM's MAC address.
ip-addr <ip-addr>: Show data for an AM with a specific IP address by entering its IP address in dotted-decimal format.
<ap-bssid>: BSSID of an AP.

Examples

The output of the command lists the MAC addresses associated with the Air Monitor BSSID.

(host) #show ap monitor association ap-name ap9 00:1a:1e:11:74:a1

Association Table
-----------------
mac                rsta-type  auth  phy-type
---                ---------  ----  --------
00:1d:d9:01:c4:50  valid      yes   80211a
00:17:f2:4d:01:e2  valid      yes   80211a
00:1f:3b:8c:28:89  valid      yes   80211a
00:1d:d9:05:05:d0  valid      yes   80211a
00:14:a4:25:72:6d  valid      yes   80211a
00:19:7d:d6:74:8d  valid      yes   80211a

The output of this command includes the following information:

Column: Description
mac: MAC address associated with the Air Monitor BSSID.
rsta-type: Rogue station type:
- interfering: Interfering station.
- valid: Station is not a rogue station.
- DoS: Station may have attempted a DoS attack.
auth: Displays a yes if the client has been authenticated.
phy-type: The RF band in which the AP should operate:
- 802.11g = 2.4 GHz
- 802.11a = 5 GHz


Command History
Introduced in AOS-W 3.0.
Command Information

Platforms: All platforms
Licensing: Base operating system
Command Mode: Enable or Config mode on master switches


show ap monitor debug
show ap monitor debug counters|status {ap-name <ap-name>}|{bssid <bssid>}|{ip-addr <ip-addr>}
show ap monitor debug profile-config {ap-name <ap-name>}|{bssid <bssid>}|{ip-addr <ip-addr>} ap-radio|ap-system|arm|event-thresholds|ids-dos|ids-general|ids-impersonation|ids-signature-matching|ids-unauthorized-device|interference|regulatory-domain|rf-behavior

Description
Show information for an Air Monitor's current status, message counters, or profile settings.
Syntax

Parameter: Description
counters: Show Air Monitor (AM) message counters.
status: Show the status of an Air Monitor.
ap-name <ap-name>: Show data for an AM with a specific name.
bssid <bssid>: Show data for an AM with a specific Basic Service Set Identifier (BSSID). The Basic Service Set Identifier (BSSID) is usually the AP's MAC address.
ip-addr <ip-addr>: Show data for an AM with a specific IP address by entering its IP address in dotted-decimal format.
profile-config: Show an Air Monitor profile configuration.
ap-radio: Show the Air Monitor radio configuration parameters, as defined in the AM's 802.11a, 802.11b, or high-throughput radio profiles.
ap-system: Show an Air Monitor's system configuration settings, as defined in its AP System profile.
arm: Show an Air Monitor's Adaptive Radio Management (ARM) settings, as defined in its current ARM profile.
event-thresholds: Show an Air Monitor's Event Thresholds settings, as defined in its current RF Event Thresholds profile.
ids-dos: Show an Air Monitor's IDS DoS settings, as defined in its current IDS DoS profile.
ids-general: Show an Air Monitor's IDS General Configuration settings, as defined in its IDS General profile.
ids-impersonation: Show an Air Monitor's IDS Impersonation Configuration settings, as defined in its IDS Impersonation profile.
ids-signature-matching: Show an Air Monitor's IDS Signature Matching configuration settings, as defined in its IDS Signature Matching profile.
ids-unauthorized-device: Show an Air Monitor's IDS Unauthorized Device configuration settings, as defined in its IDS Unauthorized Device profile.
interference: Show an Air Monitor's interference configuration settings, as defined in its current RF Optimization profile.
regulatory-domain: Show an Air Monitor's Regulatory Domain configuration settings, as defined in its Regulatory Domain profile.
rf-behavior: Show an Air Monitor RF Behavior Configuration.

Examples

The output of the following command includes the WLAN Interface, Data Structures, WLAN Interface Switch Status and RTLS Configuration tables for the specified AP.

(host) #show ap monitor debug status ap-name ap12

WLAN Interface
--------------
bssid              scan    monitor  probe-type  phy-type        task   channel  pkts
-----              ----    -------  ----------  --------        ----   -------  ----
00:1a:1e:11:5f:10  enable  enable   sap         80211a-HT-40    tuned  153      496970814
00:1a:1e:11:5f:00  enable  enable   sap         80211b/g-HT-20  tuned  6        391278179

Wired Interface
---------------
mac                ip              gw-ip           gw-mac             status  pkts    macs  gw-macs  tagged-pkts  vlan
---                --              -----           ------             ------  ----    ----  -------  -----------  ----
00:1a:1e:c9:15:f0  192.0.2.32.200  192.0.2.32.254  00:0b:86:08:e1:00  enable  101960  2     3        1            03

Global Counters
---------------
key                   value
---                   -----
Packets Read          888248993
Bytes Read            2819670134
Num Interrupts        681037971
Num Buffer Overflows  591393
Max PPS               16239
Cur PPS               1130
Max PPI               20
Cur PPI               2
Uptime                3323085
AP Name               AL12
LMS IP
Master IP
AP Type               125
Country Code          2

Data Structures
----------------
ap  sta  pap  psta  ch  msg-hash  ap-l
--  ---  ---  ----  --  --------  ----
20  40   17   55    24  21        20

Other Parameters
----------------
key                    value
---                    -----
WMS on Master          disabled
Stats Update Interval  60
Poll Interval          174000
Num Switches           1
Collect Stats          enabled

WLAN Interface Switch Status
-----------------------------
Bssid              Type   Status  Last-reg  N-reg  Last-update  Next-update  N-updates  Last-ack
-----              ----   ------  --------  -----  -----------  -----------  ---------  --------
00:1a:1e:11:5f:10  local  up      3321891   3821   3322965      197          10368      3322965
00:1a:1e:11:5f:00  local  up      3321891   3821   3322917      187          10378      3322965

RTLS configuration
-------------------
Type       Server IP    Port  Frequency  Active
----       ---------    ----  ---------  ------
MMS        102.0.2.19   8000  N/A
Aeroscout  192.0.2.199  1144  N/A
RTLS       192.0.2.19   5050  30         *

The output of this command includes the following information:

Column                 Description
bssid                  The Basic Service Set Identifier (BSSID) for the AP. This is usually the AP's MAC address.
scan                   Indicates whether or not active scanning is enabled on this AP.
monitor                Indicates whether the AP radio is currently enabled or disabled.
probe-type             This parameter displays one of the following options to show how the AP is configured:
                         sap: Default AP setting.
                         am: AP is configured as an Air Monitor.
                         m-portal: AP is configured as a Mesh portal.
                         m-point: AP is configured as a Mesh point.
task                   This parameter displays one of the following options to show the radio's current task:
                         scan: AP is scanning other channels.
                         tuned: AP is tuned on one channel.
                         locate: AP has been asked to locate a specific AP or client.
                         pcap: The AP is enabled with the Packet Capture feature.
channel                The radio channel currently used by an AP's WLAN interface.
pkts                   Number of packets seen on the interface.
mac                    MAC address for the AP's wired interface.
ip                     The AP's IP address.
gw-ip                  IP address for the AP's gateway.
gw-mac                 MAC address for the AP's gateway.
status                 Shows if the interface is currently enabled or disabled.
pkts                   Number of packets seen on the AP's wired interface.
macs                   Number of MAC addresses in the Wired MAC table for that interface.
gw-macs                Number of MAC addresses in the Wired MAC table for that interface.
tagged-pkts            Number of VLAN-tagged packets sent to that interface.
vlan                   The VLAN ID for the packets sent to that interface.
Packets Read           Number of packets read by the AP since it was last reset.
Bytes Read             Number of bytes read by the AP since it was last reset.
Num Interrupts         Number of interrupts from the AP's driver.
Num Buffer Overflows   Number of times excessive traffic has filled the AP's buffers.
Max PPS                Maximum throughput rate seen on the interface, in packets per second.
Cur PPS                Current throughput rate seen on the interface, in packets per second.
Max PPI                Maximum interrupt rate seen on the interface, in interrupts per second.
Cur PPI                Current interrupt rate seen on the interface, in interrupts per second.
Uptime                 Number of seconds since the AP was last reset.
LMS IP                 IP address of the AP's local switch.
Master IP              IP address of the AP's master switch.
AP Type                AP model type.
Country Code           The AP's country code. Valid radio channels for your wireless network are based on your country code. If you change the AP's country code, the valid channels will be reset to the defaults for the new country.
ap                     Number of other APs monitored by this AP.
sta                    Number of clients and APs seen by this AP.
pap                    Number of potential APs; APs which have transmitted a beacon, but have not yet been registered.
psta                   Number of potential stations; AP has seen a MAC address from the station but hasn't yet received traffic from it.
ch                     Number of channel entries in the channel table.
msg-hash               Number of different message types seen on the interface.
ap-l                   (For internal use only)
WMS on Master          Indicates if the AP communicates to the wms process on a master or local switch.
                         enabled: Communicates with a master switch.
                         disabled: Communicates with a local switch only.
Stats Update Interval  If the AP is collecting statistics, this value is the interval in seconds in which the AP sends statistics to the WMS process on a switch.
Poll Interval          Interval, in milliseconds, that the AP sends RSSI updates to the WMS process on a switch.
Num Switches           Number of switches to which this AP has access. If the value is 1, the AP has access to a master or a local switch. If the value is 2, the AP has access to a master and a local switch.
Collect Stats          If enabled, the AP will collect statistics to send the WMS process on its switch.
Bssid                  BSSID of the radio.
Type                   Indicates whether the switch type is master or local.
Status                 If up, the AP can reach the switch. If down, the AP cannot reach the switch.
Last-reg               The time the AP last registered with the WMS process.
N-reg                  Number of times the AP has registered with the WMS process.
Last-update            The last timer tick time the AP updated the WMS process.
Next-update            Interval between the last update and the next scheduled update.
N-updates              Number of updates sent to the WMS process.
Last-ack               Number of timer ticks since the AP received an acknowledgement from the WMS process.
Type                   Type of RTLS server used by the AP, such as MMS or Aeroscout.
Server IP              IP address of the RTLS server.
Port                   Port used by the RTLS server.
Frequency              Rate, in seconds, at which RTLS messages are sent to the server.
Active                 Indicates if the server is active on the AP.

Command History

Version    Modification
AOS-W 3.0  Command introduced
AOS-W 3.4  The tagged-pkts and vlan parameters were added to the Wired Interface table in the output of the show ap monitor debug status command.


Command Information

Platforms      Licensing              Command Mode
All platforms  Base operating system  Enable or Config mode on master switches


show ap monitor stats
show ap monitor stats advanced {ap-name <ap-name>}|{bssid <bssid>}|{ip-addr <ip-addr>} client-mac <client-mac>
show ap monitor stats {ap-name <ap-name>}|{bssid <bssid>}|{ip-addr <ip-addr>} mac <mac>
Description
Show packet, signal and channel statistics for an AP or a client.
Syntax

Parameter                Description
advanced                 Show advanced statistics for an AP or client.
ap-name <ap-name>        Show statistics for an AP with a specific name.
bssid <bssid>            Show data for a specific Basic Service Set Identifier (BSSID) on an AP. The Basic Service Set Identifier (BSSID) is usually the AP's MAC address.
ip-addr <ip-addr>        Show data for an AP with a specific IP address by entering its IP address in dotted-decimal format.
mac <mac>                Show data for a specific MAC address by entering the MAC address of a client or AP.
client-mac <client-mac>  Show data for a specific client MAC address by entering the MAC address of a client.

Example
The output of the following command shows monitoring statistics for the AP al12, and a client with the MAC address 00:03:2a:02:6a:d7.

(host) #show ap monitor stats ap-name al12 mac 00:03:2a:02:6a:d7

Aggregate Stats
---------------
retry  low-speed  non-unicast  recv-error  frag  bwidth
-----  ---------  -----------  ----------  ----  ------
0      0          0            0           0     0

RSSI
----
avg-signal  low-signal  high-signal  count  duration (sec)
----------  ----------  -----------  -----  --------------
51          51          51           4      50

Monitored Time:6626
Last Packet Time:585500
Uptime:585502

DoS Frames
----------
tx  old-tx  rx  old-rx
--  ------  --  ------
0   0       0   0

Interference Baseline
---------------------
FRR  FRER
---  ----
17   4

Handoff Assist
--------------
rssi-index  cur-signal  old-cur-signal
----------  ----------  --------------
0           51          0

High Throughput Parameters
--------------------------
ht-type  primary-channel  sec-channel  gf-supported  40mhz-intolerance
-------  ---------------  -----------  ------------  -----------------
none     0                0            0             0

The output of this command includes the following information:

Column             Description
retry              Percent of 802.11 retry frames sent because a client failed to send an ACK.
low-speed          Percent of frames sent at a data rate of 18 Mbps or slower.
non-unicast        Percent of non-unicast frames.
recv-error         Percent of error frames of all frames seen in the last second.
frag               Rate of fragmented packets, in frames per second.
bwidth             Current bandwidth, in bps.
avg-signal         Average signal-to-noise ratio over the interval since the AP's last reset.
low-signal         Lowest signal-to-noise ratio over the interval since the AP's last reset.
high-signal        Highest signal-to-noise ratio over the interval since the AP's last reset.
count              Number of packets seen on the AP over the interval since the AP's last reset.
duration (sec)     Time over which the AP has measured RSSI values.
tx                 The total number of deauthorization frames sent to this MAC address for containment in the interval from the AP's last reset until the current timer tick.
old-tx             The total number of deauthorization frames sent to this MAC address for containment until the previous timer tick.
rx                 The total number of deauthorization frames spoofing the MAC address in the interval from the AP's last reset until the current timer tick.
old-rx             The total number of deauthorization frames sent to this MAC address for containment until the previous timer tick.
FRR                Frame retry rate, in frames per second.
FRER               Frame error retry rate, in frames per second.
rssi-index         This value indicates the number of consecutive timer ticks over which the value of the Receive Signal Strength Indicator (RSSI) of the client has reduced by more than 3 units. NOTE: This value is updated only if 'handoff-assist' is enabled in the AP's RF Optimization profile.
cur-signal         The Receive Signal Strength Indicator (RSSI) of the most recent frame received from the specified MAC address.
old-cur-signal     The most recent Receive Signal Strength Indicator (RSSI) of the MAC which is 3 lower or 5 higher than the current RSSI. NOTE: This value is updated only if 'handoff-assist' is enabled in the AP's RF Optimization profile.
ht-type            This parameter indicates support for the following HT types:
                     no: No support for high-throughput.
                     HT-20: Support for 20 MHz high-throughput only.
                     HT-40: Support for 40 MHz high-throughput.
primary-channel    Primary radio channel.
sec-channel        Secondary radio channel.
gf-supported       If 1, this AP supports greenfield mode. If 0, greenfield is not supported.
40mhz-intolerance  Indicates whether the specified MAC address is 40 MHz intolerant.

Command History
Introduced in AOS-W 3.0.
Command Information

Platforms      Licensing              Command Mode
All platforms  Base operating system  Enable or Config mode on master switches
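
The DoS Frames counters described above lend themselves to a per-tick check. The following is an added example, not code from the guide or from AOS-W: it parses a saved copy of the show ap monitor stats output and reports how many containment and spoofed deauthorization frames were added since the previous timer tick. The function names and the sample counter values are constructed, and the script assumes old-rx is the previous-tick value of rx, by analogy with tx and old-tx.

```python
import re

# Constructed sample in the layout of the "show ap monitor stats" example
# (counter values are made up for illustration).
SAMPLE_OUTPUT = """\
RSSI
----
avg-signal  low-signal  high-signal  count  duration (sec)
----------  ----------  -----------  -----  --------------
51          51          51           4      50

DoS Frames
----------
tx   old-tx  rx   old-rx
--   ------  --   ------
40   40      125  90
"""

_RULE = re.compile(r"^[-\s]+$")  # dashed underline rows


def read_single_row_table(output, title):
    """Return {column: value} for the one-row table that follows `title`.

    Only handles tables whose column names contain no spaces, which is
    true of the DoS Frames table.
    """
    lines = [ln.rstrip() for ln in output.splitlines()]
    if title not in lines:
        raise KeyError(f"table {title!r} not found in output")
    start = lines.index(title) + 1
    # Skip blank lines and dashed rules; the next two lines are the
    # column header and the data row.
    content = [ln for ln in lines[start:] if ln and not _RULE.match(ln)]
    if len(content) < 2:
        raise ValueError(f"table {title!r} has no data row")
    columns, values = content[0].split(), content[1].split()
    if len(columns) != len(values):
        raise ValueError(f"table {title!r}: column/value count mismatch")
    return dict(zip(columns, values))


def counter_delta(current, previous):
    """Frames added since the previous timer tick.

    A current value below the previous one means the counters restarted
    (the AP was reset), so everything counted so far is new.
    """
    return current if current < previous else current - previous


def dos_frame_activity(output):
    """Per-tick deltas for the DoS Frames table.

    Assumption: old-rx holds the rx counter as of the previous tick.
    """
    raw = read_single_row_table(output, "DoS Frames")
    row = {name: int(value) for name, value in raw.items()}
    return {
        "containment_sent": counter_delta(row["tx"], row["old-tx"]),
        "spoofed_deauth_seen": counter_delta(row["rx"], row["old-rx"]),
    }


def findings(output, spoof_threshold=1):
    """Return human-readable notes for anything worth an analyst's look."""
    activity = dos_frame_activity(output)
    notes = []
    if activity["spoofed_deauth_seen"] >= spoof_threshold:
        notes.append(
            f"{activity['spoofed_deauth_seen']} deauthorization frames "
            "spoofing this MAC were seen since the previous tick"
        )
    if activity["containment_sent"] > 0:
        notes.append(
            f"{activity['containment_sent']} containment frames were sent "
            "to this MAC since the previous tick"
        )
    return notes


if __name__ == "__main__":
    for note in findings(SAMPLE_OUTPUT):
        print(note)
```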


show ap packet-capture status
show ap packet-capture status <ap-name|ip-addr|ip6-addr>

Description
This command shows detailed packet capture (PCAP) session information for Alcatel-Lucent APs.
Syntax

Parameter  Description
ap-name    AP name for which you are requesting packet capture status information.
ip-addr    IP address of the AP for which you are requesting packet capture status information.
ip6-addr   IPv6 address of the AP for which you are requesting packet capture status information.

Usage Guidelines
This is the show command for the ap packet-capture commands, which direct an Alcatel-Lucent AP to send packet captures to a packet capture utility, such as Airmagnet or Wireshark, on a remote client.

Example
#show ap packet-capture status ap-name ap1

Packet Capture Sessions at ap1, IP 10.3.44.167
----------------------------------------------
pcap-id  filter       type         intf               channel  max-pkts
-------  ------       ----         ----               -------  --------
1        type eq all  interactive  6c:f3:7f:ba:65:70  153      0

max-pkt-size  num-pkts  status       url  target            Radio ID
------------  --------  ------       ---  ------            --------
65536         3759      in-progress       192.168.0.3/5555  0

Related Commands
For a complete list of packet capture (pcap) commands and usage guidelines, see ap packet-capture.
Command History

Version    Change
AOS-W 6.2  Name changed from pcap to ap packet capture.


show ap profile-usage
show ap profile-usage {ap-name <ap-name>|bssid <bssid>|ip-addr <ip-addr>}
Description
Show a complete list of all profiles referenced by an individual AP or an AP BSSID.
Syntax

Parameter          Description
ap-name <ap-name>  Show data for an AP with a specific name.
bssid <bssid>      Show data for a specific Basic Service Set Identifier (BSSID) on an AP. The Basic Service Set Identifier (BSSID) is usually the AP's MAC address.
ip-addr <ip-addr>  Show data for an AP with a specific IP address by entering its IP address in dotted-decimal format.

Usage Guidelines
Use this command to monitor the configuration profiles in use by an AP or a specific BSSID. The output of this command shows the name of each profile type that is associated with the AP or BSSID, as well as the source that associates the profile with the AP.
Command History
Introduced in AOS-W 3.0.
Command Information

Platforms      Licensing              Command Mode
All platforms  Base operating system  Enable or Config mode on master switches


show ap provisioning
show ap provisioning {ap-name <ap-name>}|{bssid <bssid>}|{ip-addr <ip-addr>}
Description
Show provisioning parameters currently used by an AP.
Syntax

Parameter          Description
ap-name <ap-name>  Show data for an AP with a specific name.
bssid <bssid>      Show data for a specific Basic Service Set Identifier (BSSID) on an AP. An AP's BSSID is usually the AP's MAC address.
ip-addr <ip-addr>  Show data for an AP with a specific IP address.

Example

The output of this command shows that the AP named AP8 has mostly default parameters. These appear with the value N/A.

(host) #show ap provisioning ap-name AP8

AP "mp2" Provisioning Parameters
--------------------------------
Item  Value
----  -----

(host) (config) #show ap provisioning ap-name 00:24:6c:c7:d5:c8

AP "00:24:6c:c7:d5:c8" Provisioning Parameters
----------------------------------------------
Item                           Value
----                           -----
AP Name                        00:24:6c:c7:d5:c8
AP Group                       default
Location name                  N/A
SNMP sysLocation               N/A
Master                         10.4.62.9
Gateway                        N/A
IPv6 Gateway                   N/A
Netmask                        N/A
IP Addr                        N/A
IPv6 Addr                      N/A
IPv6 Prefix                    64
DNS IP                         N/A
DNS IPv6                       N/A
Domain Name                    N/A
Server Name                    aruba-master
Server IP                      10.4.62.9
Antenna gain for 802.11a       N/A
Antenna gain for 802.11g       N/A
Antenna for 802.11a            both
Antenna for 802.11g            both
Single chain mode for Radio 0  0
Single chain mode for Radio 1  0
IKE PSK                        N/A
PAP User Name                  N/A
PAP Password                   N/A
PPPOE User Name                N/A
PPPOE Password                 N/A
PPPOE Service Name             N/A
PPPOE CHAP Secret              N/A
USB User Name                  N/A
USB Password                   N/A
USB Device Type                any

The output of this command includes the following information:

Column                          Description
AP Name                         Name of the AP.
AP Group                        AP group to which the AP belongs.
Location name                   Fully-qualified location name (FQLN) for the AP.
SNMP sysLocation                User-defined description of the location of the AP, as defined with the command provision-ap syslocation.
Master                          Name or IP address for the master switch.
Gateway                         IP address of the default gateway for the AP.
Netmask                         Netmask for the AP's IP address.
IP Addr                         IP address for the AP.
IPv6                            The static IPv6 address of the AP.
IPv6 Prefix                     The prefix of static IPv6 address of the AP.
DNS IP                          IP address of the DNS server.
DNS IPv6                        The prefix of static IPv6 address of the AP.
Domain Name                     Domain name used by the AP.
Server Name                     DNS name of the switch from which the AP boots.
Server IP                       IP address of the switch from which the AP boots.
Antenna gain for 802.11a        Antenna gain for 802.11a (5GHz) antenna.
Antenna gain for 802.11g        Antenna gain for 802.11g (2.4GHz) antenna.
Antenna for 802.11a             Antenna use for 5 GHz (802.11a) frequency band.
                                  1: AP uses antenna 1
                                  2: AP uses antenna 2
                                  both: AP uses both antennas
Antenna for 802.11g             Antenna use for 2.4 GHz (802.11g) frequency band.
                                  1: AP uses antenna 1
                                  2: AP uses antenna 2
                                  both: AP uses both antennas
Single chain mode for Radio 0   If this parameter is set to 1 for an 802.11n-capable radio, the radio will operate in single-chain mode, and will transmit and receive data using only legacy rates and single-stream HT rates up to MCS 7. This parameter is set to 0 (disabled) by default.
Single chain mode for Radio 1   If this parameter is set to 1 for an 802.11n-capable radio, the radio will operate in single-chain mode, and will transmit and receive data using only legacy rates and single-stream HT rates up to MCS 7. This parameter is set to 0 (disabled) by default.
IKE PSK                         The IKE pre-shared key.
PAP password                    Password Authentication Protocol (PAP) password for the AP.
PAP User Name                   PAP username for the AP.
PPPOE User Name                 Point-to-Point Protocol over Ethernet (PPPoE) user name for the AP.
PPPOE Password                  PPPoE password for the AP.
PPPOE Service Name              PPPoE service name for the AP.
PPPOE CHAP secret               PPPoE CHAP secret key for the AP.
USB User Name                   The PPP username provided by the cellular service provider.
USB Password                    A PPP password, if provided by the cellular service provider.
USB Type                        The USB driver type.
USB Device Identifier           The USB device identifier.
USB Dial String                 The dial string for the USB modem. This parameter only needs to be specified if the default string is not correct.
USB Initialization String       The initialization string for the USB modem. This parameter only needs to be specified if the default string is not correct.
USB TTY device data path        The TTY device path for the USB modem. This parameter only needs to be specified if the default path is not correct.
USB TTY device control path     The TTY device control path for the USB modem. This parameter only needs to be specified if the default path is not correct.
Uplink VLAN                     If you configured an uplink VLAN on an AP connected to a port in trunk mode, the AP sends and receives frames tagged with this VLAN on its Ethernet uplink. By default, an AP has an uplink vlan of 0, which disables this feature.
Link Priority Ethernet          Set the priority of the wired uplink, from 0-255. Each uplink type has an associated priority; wired ports having the highest priority by default.
Link Priority Cellular          The priority of the cellular uplink, from 0-255. By default, the cellular uplink is a lower priority than the wired uplink; making the wired link the primary link and the cellular link the secondary or backup link.
Mesh Role                       If the mesh role is "none," the AP is operating as a thin AP. An AP operating as a mesh node can have one of two roles: mesh portal or mesh point.
Installation                    Indicates the type of installation (indoor or outdoor). The default parameter indicates that the installation mode is determined by the AP model type.
Latitude                        Latitude coordinates of the AP, in the format Degrees Minutes Seconds (DMS).
Longitude                       Longitude coordinates of the AP, in the format Degrees Minutes Seconds (DMS).
Altitude                        Altitude, in meters, of the AP. This parameter is supported on outdoor APs only.
Antenna bearing for 802.11a     Horizontal coverage distance of the 802.11a (5GHz) antenna from true north, from 0-360 degrees. NOTE: This parameter is supported on outdoor APs only. The horizontal coverage pattern does not consider the elevation or vertical antenna pattern.
Antenna bearing for 802.11g     Horizontal coverage distance of the 802.11g (2.4GHz) antenna from true north, from 0-360 degrees. NOTE: This parameter is supported on outdoor APs only. The horizontal coverage pattern does not consider the elevation or vertical antenna pattern.
Antenna tilt angle for 802.11a  The angle of the 802.11a (5GHz) antenna. This parameter can range from between -90 degrees and 0 degrees for downtilt, and between +90 degrees and 0 degrees for uptilt.
Antenna tilt angle for 802.11g  The angle of the 802.11g (2.4GHz) antenna. This parameter can range from between -90 degrees and 0 degrees for downtilt, and between +90 degrees and 0 degrees for uptilt.
Mesh SAE                        Shows if the AP has enabled or disabled Secure Attribute Exchange (SAE) on a mesh network.

Related Commands

Command                  Description
provision-ap             Change provisioning parameters for an individual AP. This command does not save the provisioning parameters settings in a reusable profile.
ap provisioning-profile  This command defines a provisioning profile for an AP or group of APs.

Command History

Release    Modification
AOS-W 3.0  Command introduced
AOS-W 3.2  Introduced support for mesh parameters, additional antenna parameters, and AP location parameters.
AOS-W 3.4  Introduced support for the following parameters:
             Installation
             Mesh SAE
             USB User Name
             USB Password
             USB Device Type
             USB Device Identifier
             USB Dial String
             USB Initialization String
             USB TTY device path
AOS-W 5.0  The mesh-sae parameter no longer displays the sae-default setting if the parameter is disabled. Only the sae-disable option indicates that this parameter is currently in its default disabled state.

Command Information

Platforms      Licensing              Command Mode
All platforms  Base operating system  Enable or Config mode on master switches
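
The provisioning tables above include several credential fields (IKE PSK, the PAP, PPPoE and USB passwords, the PPPoE CHAP secret). The following is an added example, not part of the guide or of AOS-W: it masks those fields in a saved copy of the command output before the text is pasted into a ticket or shared outside the team. The function name, the placeholder text and all sample values are constructed; the item names are the ones listed on this page.

```python
import re

# Credential-bearing item names, taken from the tables on this page and
# compared case-insensitively (the page spells them with mixed case).
SECRET_ITEMS = {
    "ike psk",
    "pap password",
    "pppoe password",
    "pppoe chap secret",
    "usb password",
    "password of ap so that ap can authenticate to 802.1x using peap",
}

# Constructed sample in the Item/Value layout of "show ap provisioning".
# Every value here is invented for illustration.
SAMPLE_OUTPUT = """\
AP "ap-lab-1" Provisioning Parameters
-------------------------------------
Item                Value
----                -----
AP Name             ap-lab-1
Master              10.4.62.9
IKE PSK             example-psk-value
PAP User Name       rap-user
PAP Password        example-pap-password
PPPOE Password      N/A
USB Password        N/A
USB Device Type     any
"""

# An item name (which may contain single spaces), a gap of two or more
# spaces, then the value.
_ROW = re.compile(r"^(?P<item>\S.*?)(?P<gap>\s{2,})(?P<value>\S.*)$")


def redact_provisioning(output, placeholder="<redacted>"):
    """Mask credential values in provisioning output.

    Returns (redacted_text, exposed_items), where exposed_items lists the
    credential fields that held a value other than N/A.
    """
    redacted_lines, exposed = [], []
    for line in output.splitlines():
        match = _ROW.match(line)
        if (
            match
            and match["item"].lower() in SECRET_ITEMS
            and match["value"].strip() != "N/A"
        ):
            exposed.append(match["item"])
            line = match["item"] + match["gap"] + placeholder
        redacted_lines.append(line)
    return "\n".join(redacted_lines), exposed


if __name__ == "__main__":
    text, exposed = redact_provisioning(SAMPLE_OUTPUT)
    print(text)
    print("Fields that held a credential:", ", ".join(exposed) or "none")
```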


show ap provisioning-profile
show ap provisioning-profile [<profile-name>]
Description
This command shows information for AP provisioning profiles.
Syntax

Parameter       Description
<profile-name>  The name of an existing AP provisioning profile.

Usage Guidelines
The AP provisioning profile allows you to define a set of provisioning parameters to an AP group. These settings can be saved or assigned to an AP group via the command ap-group <group> provisioning-profile <profile>.
Issue this command without the <profile-name> option to display the entire AP provisioning profile list, including profile status and the number of references to each profile. Include a profile name to display the authorization group defined for that profile.

Examples
The following example lists all AP provisioning profiles. The References column lists the number of other profiles with references to that provisioning profile, and the Profile Status column indicates whether the profile is predefined. User-defined AP provisioning profiles will not have an entry in the Profile Status column.
(host) #show ap provisioning-profile

Provisioning profile List
-------------------------
Name     References  Profile Status
----     ----------  --------------
default  12
outdoor  3

To display the configuration settings for an individual profile, include the <profile> parameter. The example below shows the profile details for the AP provisioning profile Default.

(host) #show ap provisioning-profile default

Provisioning profile "default"
------------------------------
Parameter                                                        Value
---------                                                        -----
Remote-AP                                                        No
Master IP/FQDN                                                   N/A
PPPOE User Name                                                  N/A
PPPOE Password                                                   N/A
PPPOE Service Name                                               N/A
USB User Name                                                    N/A
USB Password                                                     N/A
USB Device Type                                                  any
USB Device Identifier                                            N/A
USB Dial String                                                  N/A
USB Initialization String                                        N/A
USB TTY device data path                                         N/A
USB TTY device control path                                      N/A
Link Priority Ethernet                                           0
Link Priority Cellular                                           0
Username of AP so that AP can authenticate to 802.1x using PEAP  N/A

Description
This command defines a provisioning profile for an AP or group of APs.

Syntax

Parameter                    Description
Remote-AP                    Indicates that the profile is associated with a remote AP using certificates.
Master IP/FQDN               The FQDN or IP address for the master switch.
PPPOE User Name              PPPoE username for the AP.
PPPOE Password               Point-to-Point Protocol over Ethernet (PPPoE) password for the AP.
PPPOE Service Name           PPPoE service name for the AP.
USB User Name                The PPP username provided by the cellular service provider.
USB Password                 A PPP password, if provided by the cellular service provider.
USB Type                     The USB driver type.
USB Device Identifier        The USB device identifier.
USB Dial String              The dial string for the USB modem. This parameter only needs to be specified if the default string is not correct.
USB Initialization String    The initialization string for the USB modem. This parameter only needs to be specified if the default string is not correct.
USB TTY device data path     The TTY device path for the USB modem. This parameter only needs to be specified if the default path is not correct.
USB TTY device control path  The TTY device control path for the USB modem. This parameter only needs to be specified if the default path is not correct.
Link Priority Ethernet       Set the priority of the wired uplink, from 0-255. Each uplink type has an associated priority; wired ports having the highest priority by default.
Link Priority Cellular       The priority of the cellular uplink, from 0-255. By default, the cellular uplink is a lower priority than the wired uplink; making the wired link the primary link and the cellular link the secondary or backup link.
Username of AP so that AP can authenticate to 802.1x using PEAP
                             If your AP uses PEAP authentication, this field displays the AP username.
Password of AP so that AP can authenticate to 802.1x using PEAP
                             If your AP uses PEAP authentication, this field displays the AP password.
Uplink VLAN                  If you configured an uplink VLAN on an AP connected to a port in trunk mode, the AP sends and receives frames tagged with this VLAN on its Ethernet uplink. By default, an AP has an uplink vlan of 0, which disables this feature.

Usage Guidelines
The AP provisioning profile allows you to define a set of provisioning parameters to an AP group. These settings can be saved or assigned to an AP group via the command ap-group <group> provisioning-profile <profile>.
Related Commands

Command       Description
provision-ap  Change provisioning parameters for an individual AP. This command does not save the provisioning parameters settings in a reusable profile.

Command History
Release    Modification
AOS-W 3.0  Command introduced
AOS-W 6.0  The uplink-vlan parameter was introduced.

Command Information
Platforms      Licensing              Command Mode
All platforms  Base operating system  Config mode on master switches


show ap radio-database
show ap radio-database [band a|g] [group <group>] [mode access-point|air-monitor|disabled|ht|ht-40mhz|legacy|sap-monitor] [sort-by ap-group|ap-ip|ap-name|ap-type|switch-ip] [sort-direction ascending|descending] [start <start>] [switch <switch-ipaddr>]
Description
Show radio information for Access Points visible to this switch.
Syntax

Parameter               Description
band                    Show only APs with a radio operating in the specified band.
  a                     Show only APs with a radio operating in the 802.11a band (5 GHz).
  g                     Show only APs with a radio operating in the 802.11g band (2.4 GHz).
group <group>           Show only APs associated with the specified AP group.
mode                    Show only APs with a radio operating in the specified mode.
  access-point          Show only APs operating as access points.
  air-monitor           Show only APs operating as air monitors.
  disabled              Show only disabled APs.
  ht                    Show only high-throughput APs.
  ht-40mhz              Show only 40 MHz high-throughput APs.
  legacy                Show only legacy (not high-throughput) APs.
  sap-monitor           Show only APs operating as SAP monitors.
sort-by                 Sort the output of this command by a specific data column.
  ap-group              Sort the output of this command by AP group name.
  ap-ip                 Sort the output of this command by AP IP address.
  ap-name               Sort the output of this command by AP name.
  ap-type               Sort the output of this command by AP model type.
  switch-ip             Sort the output of this command by switch IP address.
sort-direction          Select a sort direction for the output of this command.
  ascending             Sort the output in ascending order.
  descending            Sort the output in descending order.
start                   Start displaying the output of this command at a chosen index number by entering the index number of the AP at which command output should start.
switch <switch-ipaddr>  Display information for APs associated with a specific switch by entering the IP address of that switch.

Example
The output of the command shows that the AP is aware of five other access points, three of which are active.
(host) #show ap radio-database

AP Radio Database
-----------------
Name            Group    AP Type  IP Address   Status          Flags  Switch IP     11g Mode/Chan/EIRP/Cli  11a Mode/Chan/EIRP/Cli
----            -----    -------  ----------   ------          -----  ---------     ----------------------  ----------------------
mp3             default  125      10.3.129.96  Up 14h:45m:0s   M      10.3.129.232  AP(HT)/10/0/0           AP(HT)/100/4/0
sw-ad-ap124-11  default  124      10.3.129.99  Up 14h:43m:18s  M      10.3.129.232  AP(HT)/10/0/0           AP(HT)/100+/2/0
sw-ad-ap125-13  default  125      10.3.129.98  Up 14h:49m:36s  M      10.3.129.232  AP(HT)/10/2.5/0         AP(HT)/100/4/0
sw-ad-ap65-19   default  65       10.3.129.95  Down                   10.3.129.232

Flags: U = Unprovisioned; N = Duplicate name; G = No such group; L = Unlicensed
       R = Remote AP; I = Inactive; X = Maintenance Mode; P = PPPoE AP; B = Built-in AP
       S = RFprotect Sensor; d = Disconnected Sensor; H = Using 802.11n license
       M = Mesh node; Y = Mesh Recovery
The output of this command includes the following information:

Column                  Description
Name                    Name of the AP.
Group                   AP group to which the AP is associated.
AP Type                 AP model type.
IP address              IP address of the AP.
Status                  Current AP status. If the AP is currently up, this data column also shows the amount of time for which the AP has been active.
Flags                   This column displays a letter that corresponds to some type of additional information for the AP. The key to the list of possible flags appears at the bottom of the output of this command.
Switch IP               IP address of the AP's switch.
11g Mode/Chan/EIRP/Cli  802.11g radio type and mode/802.11g radio channel used by the AP/current Effective Isotropic Radiated Power (EIRP)/Number of Clients associated with the radio.
11a Mode/Chan/EIRP/Cli  802.11a radio type and mode/802.11a radio channel used by the AP/current Effective Isotropic Radiated Power (EIRP)/Number of Clients associated with the radio.

Command History
Introduced in AOS-W 3.0.
Command Information

Platforms      Licensing              Command Mode
All platforms  Base operating system  Enable or Config mode on master switches


show ap radio-summary
show ap radio-summary {ap-name <ap-name>|dot11a|dot11g|ip-addr <ip-addr>|ip6-addr <ip6-addr>}

Description
Show AP radios registered to this switch.
Syntax

Parameter             Description
ap-name <ap-name>     Allows you to filter radio information by AP name.
dot11a                Allows you to filter 802.11a radio information.
dot11g                Allows you to filter 802.11g radio information.
ip-addr <ip-addr>     Allows you to filter radio information by IP address.
ip6-addr <ip6-addr>   Allows you to filter radio information by IPv6 address.

Example

The output of the command in the example below displays statistics for the AP's radio, as well as statistics for transmitted and received frames.

In the actual command-line interface, it will appear in a single, long table.

(host) #show ap radio-summary

APs Radios information
----------------------
Name           Group       AP Type  IP Address   Band  Mode
----           -----       -------  ----------   ----  ----
172.17.153-7   172.17.153  104      55.55.57.44  2.4   AP:1
172.17.150-5   172.17.150  104      55.55.57.42  2.4   AP:6
172.17.153-13  172.17.153  104      55.55.57.35  2.4   AP:6
172.17.151-42  172.17.151  104      55.55.57.34  2.4   AP:11
172.17.151-34  172.17.151  104      55.55.57.33  2.4   AP:11
172.17.155-26  172.17.155  104      55.55.57.22  2.4   AP:1

EIRP/MaxEIRP  NF/U/I      TD           TM                 TC
------------  ------      --           --                 --
28/29.5       -96/ 67/ 5  0/0/0/0/0/0  33/33/33/32/32/32  0/0/0/0/0/0
29.5/29.5     -96/ 27/ 3  0/0/0/0/0/0  12/11/12/12/12/11  0/0/0/0/0/0
29.5/29.5     -96/ 31/ 3  0/0/0/0/0/0  13/13/14/14/12/14  0/0/0/0/0/0
25/29.5       -96/ 28/ 6  0/0/0/0/0/0  10/10/10/9/11/10   0/0/0/0/0/0
25/29.5       -96/ 32/ 7  0/0/0/0/0/0  10/11/11/10/11/11  0/0/0/0/0/0
28/29.5       -96/ 70/ 4  0/0/0/0/0/0  27

NF: Noise Floor(dBm); U: Utilization(%); I: Interference(%)
TD: Time used by data frames (%); TM: time used by mgnt frames(%); time used by ctrl frames (%)
Total Radios:6

The output of this command includes the following information:


Parameter      Description
Name           Name of the AP.
Group          Group to which AP radio is assigned.
AP Type        AP model.
IP Address     Radio IP address.
Band           Band on which the radio is operating (2.4 or 5 GHz).
Mode           Mode in which the radio is operating; AP: AP Mode; AM: Air Monitor Mode; Spectrum: Spectrum Monitor Mode. Optionally, you can also specify the channel number.
EIRP/Max EIRP  Current EIRP output and maximum EIRP allowed for this radio (dBm).
NF/U/I         Noise Floor (dBm)/Utilization (%)/Interference (%).
TD             Time used by data frames (%).
TM             Time used by mgmt frames (%).
TC             Time used by ctrl frames (%).

Command History
Introduced in AOS-W 6.2.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Enable or Config mode on master switches


show ap regulatory-domain-profile
show ap regulatory-domain-profile [<profile-name>]
Description
Show the list of regulatory domain profiles, or the settings in an individual regulatory domain profile.
Syntax

Parameter       Description
<profile-name>  Show data for a specific regulatory domain profile.

Usage Guidelines
Issue this command without the <profile-name> parameter to display the entire regulatory domain profile list, including profile status and the number of references to each profile. Include a profile name to display detailed configuration information for that profile.

Examples

The example below shows that the switch has three regulatory domain profiles. The References column lists the number of other profiles with references to the regulatory domain profile, and the Profile Status column indicates whether the profile is predefined. User-defined profiles will not have an entry in the Profile Status column.

(host) # show ap regulatory-domain-profile

Regulatory Domain profile List
------------------------------
Name                  References  Profile Status
----                  ----------  --------------
corp-channel-profile  8
default               10
channel-test          1.

This example displays the configuration settings for the profile corp-channel-profile. The output of this command shows the profile's country code and the valid channel and channel pairs for that profile.

(host) #show ap regulatory-domain-profile corp-channel-profile

Regulatory Domain profile "corp-channel-profile"
------------------------------------------------
Parameter                         Value
---------                         -----
Country Code                      US
Valid 802.11g channel             1
Valid 802.11g channel             6
Valid 802.11a channel             36
Valid 802.11a channel             40
Valid 802.11a channel             44
Valid 802.11a channel             48
Valid 802.11a channel             149
Valid 802.11a channel             153
Valid 802.11g 40MHz channel pair  N/A
Valid 802.11a 40MHz channel pair  36-40
Valid 802.11a 40MHz channel pair  44-48
Valid 802.11a 40MHz channel pair  149-153

The output of this command includes the following information:


Column                            Description
Country Code                      Code that represents the country in which the APs will operate. The country code determines the 802.11 wireless transmission spectrum.
Valid 802.11g channel             Selected 802.11b/g channel available for use by an AP using the specified regulatory domain profile. These channels are limited to those valid for the profile's country code.
Valid 802.11a channel             Selected 802.11a channel available for use by an AP using the specified regulatory domain profile. These channels are limited to those valid for the country code.
Valid 802.11g 40MHz channel pair  Selected 802.11b/g 40 MHz channel pair available for use by an AP using the specified domain profile. These channels are limited to those valid for the profile's country code.
Valid 802.11a 40MHz channel pair  Selected 802.11a 40 MHz channel pair available for use by an AP using the specified domain profile. These channels are limited to those valid for the profile's country code.

Command History
Introduced in AOS-W 3.0.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Enable or Config mode on master switches


show ap remote counters
show ap remote counters {ap-name <ap-name>}|{bssid <bssid>}|{ip-addr <ip-addr>}
Description
Show the numbers of message counters for Remote APs.
Syntax

Parameter          Description
ap-name <ap-name>  Show data for an AP with a specific name.
bssid <bssid>      Show data for a specific Basic Service Set Identifier (BSSID) on an AP. You must specify an AP's BSSID, which is usually the AP's MAC address.
ip-addr <ip-addr>  Show data for an AP with a specific IP address.

Examples
Use this command to determine the number of message counters recorded for each counter type seen by the remote AP. The output of the command in the example below shows counters for Remote AP State and VoIP CAC State Announcements.
(host) #show ap remote counters ap-name al22

Counters
--------
Name                         Value
----                         -----
Remote AP State              62851
VoIP CAC State Announcement  13605

The output of this command includes the following information:

Column  Description
Name    Name of the counter type.
Value   Number of counters recorded since the AP was last reset.

Command History
Introduced in AOS-W 3.0.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Enable or Config mode on master switches


show ap remote debug association
show ap remote debug association [ap-name <ap-name>|bssid <bssid>|ip-addr <ip-addr>]
Description
Show the association table of the AP to identify the clients associated to each AP.
Syntax

Parameter          Description
ap-name <ap-name>  Show client associations for a specific AP name.
bssid <bssid>      Show client associations for a specific AP Basic Service Set Identifier (BSSID). The BSSID is usually the AP's MAC address.
ip-addr <ip-addr>  Show client associations for an AP with a specific IP address. Enter the IP address in dotted-decimal format.

Usage Guidelines
Use this command to verify if a remote user is connected to an AP, and to validate the AP to which the user is connected.

Example
The output of this command displays information about the remote clients associated with an AP with the IP address 192.0.2.32.

(host) #show ap remote debug association ip-addr 192.0.2.32

Flags: W: WMM client, A: Active, R: RRM client
PHY Details: HT: High throughput; 20: 20MHz; 40: 40MHz <n>ss: <n> spatial streams

Association Table
-----------------
Name  bssid              mac                auth  assoc  aid  l-int  essid
----  -----              ---                ----  -----  ---  -----  -----
AP71  00:0a:23:c1:d4:11  00:16:6d:08:1s:f1  y     y      1    10     t-lab

vlan-id  tunnel-id  phy  assoc. time  num assoc  Flags
-------  ---------  ---  -----------  ---------  -----
111      0x108e     a    23s          1          A

Num Clients:1

The output of this command includes the following information:

Column       Description
Name         Name of an AP.
bssid        The AP Basic Service Set Identifier (BSSID).
mac          MAC address of the client.
auth         This column displays a y if the AP has been configured for 802.11 authorization frame types. Otherwise, it displays an n.
assoc        This column displays a y if the AP has been configured for 802.11 association frame types. Otherwise, it displays an n.
aid          802.11 association ID. A client receives a unique 802.11 association ID when it associates to an AP.
l-int        Number of beacons in the 802.11 listen interval. There are ten beacons sent per second, so a ten-beacon listen interval indicates a listen interval time of 1 second.
essid        Name that uniquely identifies the AP's Extended Service Set Identifier (ESSID).
vlan-id      Identification number of the AP's VLAN.
tunnel-id    Identification number of the AP's tunnel.
phy          The RF band in which the AP operates: a = 5 GHz; b, g = 2.4 GHz.
assoc. time  Amount of time the client has associated with the AP, in the format hours:minutes:seconds.
num assoc    Number of clients associated with the AP.
flags        This column displays any flags for this AP. The list of flag abbreviations is included in the output of the show ap association command.

Command History
Introduced in AOS-W 5.0.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Enable or Config mode on master switches


show ap remote debug association
show ap remote debug association [ap-name <ap-name>|bssid <bssid>|ip-addr <ip-addr>]
Description
Show the association table for an AP.
Syntax

Parameter          Description
ap-name <ap-name>  Show AP associations for a specific AP. You can also include the essid, phy or voip-only keywords to further filter the output of this command.
bssid <bssid>      Show the AP associations for a specific AP Basic Service Set Identifier (BSSID). The Basic Service Set Identifier (BSSID) is usually the AP's MAC address.
ip-addr <ip-addr>  Show AP associations for a specific AP by entering an IP address in dotted-decimal format. You can also include the essid, phy or voip-only keywords to further filter the output of this command.

Usage Guidelines
Use this command to check if a user is connected to an AP. This command validates whether the client is associated and indicates the last AP to which it was connected. If the flags column shows an 'A', the client is currently associated with that AP. Alternately, if the client is not currently associated, the AP with the smallest value of association time is the last AP used by the client.

Example
Use the show ap association bssid command to verify that a user has associated with an AP, or to determine the last AP to which the client was connected. The output of this command in the example below shows the association table for the client with the MAC address 00:13:fd:5c:7c:59. If the flags column in the output of this command shows an 'A', the client associated last to that AP. Alternately, the AP with the smallest value of association time is the last AP to which the client had associated.
In the example below, the output of this command has been broken into two separate tables to better fit this page. In the actual output of the command, this information is shown in a single, wide table.
(host) #show ap association bssid 00:13:fd:5c:7c:59

Flags: W: WMM client, A: Active, R: RRM client
PHY Details: HT: High throughput; 20: 20MHz; 40: 40MHz
ss: spatial streams

Association Table
-----------------
Name  bssid              mac                auth  assoc  aid  l-int  essid
----  -----              ---                ----  -----  ---  -----  -----
AL12  00:1a:1e:11:5f:11  00:21:5c:50:b1:ed  y     y      12   10     ethersphere-wpa2
AL5   00:1a:1e:88:88:31  00:19:7d:d6:74:93  y     y      6    10     ethersphere-wpa2

vlan-id  tunnel-id  phy             assoc. time  num assoc  Flags
-------  ---------  ---             -----------  ---------  -----
65       0x10c4     a-HT-40sgi-2ss  35m:41s      1          WA
65       0x1072     a               24m:29s      1          WA

The output of this command includes the following information:

Column       Description
Name         Name of an AP.
bssid        The AP Basic Service Set Identifier (BSSID).
mac          MAC address of the AP.
auth         This column displays a y if the AP has been configured for 802.11 authorization frame types. Otherwise, it displays an n.
assoc        This column displays a y if the AP has been configured for 802.11 association frame types. Otherwise, it displays an n.
aid          802.11 association ID. A client receives a unique 802.11 association ID when it associates to an AP.
l-int        Number of beacons in the 802.11 listen interval. There are ten beacons sent per second, so a ten-beacon listen interval indicates a listen interval time of 1 second.
essid        Name that uniquely identifies the AP's Extended Service Set Identifier (ESSID).
vlan-id      Identification number of the AP's VLAN.
tunnel-id    Identification number of the AP's tunnel.
assoc. time  Amount of time the client has associated with the AP, in the format hours:minutes:seconds.
num assoc    Number of clients associated with the AP.
flags        This column displays any flags for this AP. The list of flag abbreviations is included in the output of the show ap association command.
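
The rule from the Usage Guidelines above (an 'A' flag means the client is currently associated; otherwise the AP with the smallest association time was used last), applied to the single wide table the CLI prints. This is an added example, not code from this guide. It assumes columns are separated by at least two spaces and that hours appear with an "h" unit; the last two sample rows, the ESSID "guest lab" and AP AL7 are constructed.

```python
import re

SPLIT = re.compile(r"\s{2,}")         # assumption: columns are separated by 2+ spaces
UNIT = {"h": 3600, "m": 60, "s": 1}   # "h" is assumed from "hours:minutes:seconds"

# Constructed sample in the layout of the Association Table. The first two rows
# reuse values from the example above; the last two rows are made up.
SAMPLE = """
Association Table
-----------------
Name  bssid              mac                auth  assoc  aid  l-int  essid             vlan-id  tunnel-id  phy             assoc. time  num assoc  Flags
----  -----              ---                ----  -----  ---  -----  -----             -------  ---------  ---             -----------  ---------  -----
AL12  00:1a:1e:11:5f:11  00:21:5c:50:b1:ed  y     y      12   10     ethersphere-wpa2  65       0x10c4     a-HT-40sgi-2ss  35m:41s      1          WA
AL5   00:1a:1e:88:88:31  00:19:7d:d6:74:93  y     y      6    10     ethersphere-wpa2  65       0x1072     a               24m:29s      1          WA
AL12  00:1a:1e:11:5f:10  00:16:6d:08:11:f1  y     y      3    10     guest lab         63       0x10c5     g               1h:02m:10s   2          W
AL7   00:1a:1e:77:77:20  00:16:6d:08:11:f1  y     y      4    10     guest lab         63       0x1080     g               23s          1          W
Num Clients:4
"""


def parse_table(text):
    """Return the table rows as dicts keyed by lower-cased column header."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    for i in range(1, len(lines)):
        # The column rule is the first line made of several dash groups;
        # the title underline is a single group and is skipped.
        if re.fullmatch(r"-+(\s+-+)+", lines[i]):
            headers = [h.lower() for h in SPLIT.split(lines[i - 1])]
            rows = []
            for ln in lines[i + 1:]:
                cells = SPLIT.split(ln)
                if len(cells) < len(headers) - 1:
                    continue          # trailer such as "Num Clients:4"
                # Only the last column (Flags) may be empty in this layout.
                cells += [""] * (len(headers) - len(cells))
                rows.append(dict(zip(headers, cells)))
            return rows
    raise ValueError("no column rule found")


def assoc_seconds(value):
    """Convert an 'assoc. time' cell such as '35m:41s' or '23s' to seconds."""
    parts = re.findall(r"(\d+)([hms])", value)
    if not parts or "".join(n + u for n, u in parts) != value.replace(":", ""):
        raise ValueError("unrecognised association time: %r" % value)
    return sum(int(n) * UNIT[u] for n, u in parts)


def locate_client(rows, client_mac):
    """Apply the guideline: an 'A' flag wins, else the smallest assoc. time."""
    seen = [r for r in rows if r["mac"].lower() == client_mac.lower()]
    if not seen:
        return None
    active = [r for r in seen if "A" in r["flags"]]
    pool = active or seen
    row = min(pool, key=lambda r: assoc_seconds(r["assoc. time"]))
    return {"ap": row["name"], "bssid": row["bssid"], "active": bool(active)}


if __name__ == "__main__":
    table = parse_table(SAMPLE)
    for mac in ("00:19:7d:d6:74:93", "00:16:6d:08:11:f1"):
        print(mac, locate_client(table, mac))
```

Splitting on two or more spaces keeps an ESSID that contains a single space in one cell, which a plain whitespace split would break.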

Command History
Introduced in AOS-W 5.0.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Enable or Config mode on master switches


show ap remote debug bss-config
show ap remote debug bss-config [ap-name <ap-name>|bssid <bssid>|ip-addr <ip-addr>]
Description
Show the configuration for each BSSID of an AP. This information can be used to troubleshoot problems on an AP.
Syntax

Parameter          Description
ap-name <ap-name>  Filter the AP Config Table by AP name.
ip-addr <ip-addr>  Filter the AP Config Table by IP address by entering an IP address in dotted-decimal format.

Examples

The output of this command shows the AP configuration table for a specific BSSID.

(host) #show ap remote debug bss-config ap-name ap93-3

Alcatel-Lucent AP Config Table
---------------------
bss                ess    vlan  ip          phy   type  fw-mode  max-cl  rates  tx-rates  preamble  mtu  status  wmm
---                ---    ----  --          ---   ----  -------  ------  -----  --------  --------  ---  ------  ---
00:1a:1e:11:24:c2  cera2  66    10.6.1.203  g-HT  ap    tunnel   64                                      enable  enable
00:1a:1e:8d:5b:11  wpa2   65    10.6.1.198  a-HT  ap    tunnel   20      0x150  0xff0     -         0    enable  enable
00:0b:86:9b:e5:60  guest  63    10.6.14.79  g     ap    tunnel   20      0x2    0x3fe     enable    0    enable  enable
00:1a:1e:97:e5:41  voip   66    10.6.1.199  g-HT  ap    tunnel   20      0xc    0x14c     enable    0    enable  enable
00:1a:1e:11:74:a1  voip   66    10.6.1.197  g-HT  ap    tunnel   20      0xc    0x14c     enable    0    enable  enable
00:1a:1e:11:5f:11  wpa2   65    10.6.1.200  a-HT  ap    tunnel   20      0x150  0xff0     -         0    enable  enable

The output of this command includes the following information:

Column    Description
bss       Basic Service Set (BSS) identifier, which is usually the AP's MAC address.
ess       Extended Service Set (ESS) identifier; a user-defined name for a wireless network.
vlan      The BSSID's VLAN number.
IP        The AP's IP address.
phy       One of the following 802.11 types:
            a
            a-HT (high-throughput)
            g
            g-HT (high-throughput)
type      This column shows if the BSSID is for an access point (ap) or an air monitor (am).
fw-mode   The configured forward mode for the AP's virtual AP profile.
            bridge: Bridge locally
            split-tunnel: Tunnel to switch or NAT locally
            tunnel: Tunnel to switch
max-cl    The maximum number of clients allowed for this BSSID.
preamble  Shows if short preambles are enabled for 802.11b/g radios. Network performance may be higher when short preamble is enabled. In mixed radio environments, some 802.11b wireless client stations may experience difficulty associating with the AP using a short preamble.
MTU       Maximum Transmission Unit (MTU) size, in bytes. This value describes the greatest amount of data that can be transferred in one physical frame.
status    Shows if this BSSID is enabled or disabled.
wmm       Shows if the BSSID has enabled or disabled WMM, also known as IEEE 802.11e Enhanced Distribution Coordination Function (EDCF). WMM provides prioritization of specific traffic relative to other traffic in the network.

Command History
Introduced in AOS-W 5.0.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Enable or Config mode on master switches


show ap remote debug client-mgmt-counters
show ap remote debug client-mgmt-counters

Description
Show the numbers of each type of message from an AP's clients. This information can be used to troubleshoot problems on an AP.

Examples

The output of this command shows client management counters for the specified AP.

(host) #show ap remote debug client-mgmt-counters ap-name ap120-3

Counters
--------
Name                          Value
----                          -----
Validate Client               512
AP Stats Update Message       557750
3087                          6
Tunnel VLAN Membership        4493
Update STA Tunnel Request     229
Update STA Tunnel Response    229
ARM Update                    808921
ARM Propagate                 590567
ARM Neighbor Assigned         55396
STM SAP Down                  19
AP Message                    192
STA On Call Message           12164
STA Message                   19750
STA SIP authenticate Message  10919
STA Deauthenticate            707
Stat Update V3                441447
VoIP CAC State Announcement   37185
Remote AP State               371330
AP Message Response           164
assoc-req                     4358
assoc-resp                    4358
reassoc-req                   950
reassoc-resp                  950
disassoc                      452
deauth                        5117
sapcp                         351131

The output of this command includes the following information:

Parameter                     Description
Validate Client               Number of times a client was validated.
AP Stats Update Message       Number of times an AP updated its statistics with the switch.
3087                          (For internal use only)
Tunnel VLAN Membership        (For internal use only)
Update STA Tunnel Request     (For internal use only)
Update STA Tunnel Response    (For internal use only)
ARM Update                    Number of times an AP has changed its adaptive radio management (ARM) settings.
ARM Propagate                 (For internal use only)
ARM Neighbor Assigned         (For internal use only)
STM SAP Down                  (For internal use only)
AP Message                    (For internal use only)
STA On Call Message           Number of counters indicating that a station has an active phone call.
STA Message                   (For internal use only)
STA SIP authenticate Message  Number of messages indicating that a telephone has completed SIP registration and authentication.
STA Deauthenticate            Number of times a station sent a message to an AP to deauthenticate a client.
Stat Update V3                (For internal use only)
VoIP CAC State Announcement   Number of times a switch announces a call admission control (CAC) state change to the AP. Changes in CAC state could include the ability of call admission controls to accept more or fewer calls than previously configured.
Remote AP State               (For internal use only)
AP Message Response           (For internal use only)
assoc-req                     Number of 802.11 association request management frames from the switch.
assoc-resp                    Number of 802.11 association responses to the switch.
reassoc-req                   Number of 802.11 reassociation requests to the switch.
reassoc-resp                  Number of 802.11 reassociation responses from the switch.
disassoc                      Number of 802.11 disassociation messages to the switch.
deauth                        Number of 802.11 deauthorization messages from the switch.
sapcp                         (For internal use only)

Command History
Introduced in AOS-W 5.0.


Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Enable or Config mode on master switches


show ap remote debug flash-config
show ap remote debug flash-config {ap-name <ap-name>|bssid <bssid>|ip-addr <ip-addr>} acls|{vap <vap>}|vaps

Description
Show the remote AP configuration stored in flash memory.
Syntax

Parameter          Description
ap-name <ap-name>  Show debugging data for an AP with a specific name.
bssid <bssid>      Show data for a specific Basic Service Set Identifier (BSSID) on an AP. The Basic Service Set Identifier (BSSID) is usually the AP's MAC address.
ip-addr <ip-addr>  Show data for an AP with a specific IP address by entering its IP address in dotted-decimal format.
acls               Display ACLs of offline Virtual APs (VAPs).
vap <vap>          Display the configuration of a specific offline VAP by entering the name of a VAP.
vaps               Display the current number of offline VAPs.

Example

The output of this command can be used to debug problems with a remote AP. The command below shows statistics for an AP with the IP address 192.0.2.64.

(host) #show ap remote debug flash-config ip-addr 192.0.2.64 acls

Offline ACLs
------------
Item               Value
----               -----
Native VLAN        1
DHCP VLAN          N/A
DHCP ADDR
DHCP POOL NETMASK
DHCP POOL START    192.168.11.2
DHCP POOL END      192.168.11.254
DHCP DNS SERVER    0.0.0.0
DHCP ROUTER        192.168.11.1
DHCP DNS DOMAIN    mycompany
DHCP LEASE         0
Session ACL        N/A
Session ACL Name   N/A
Session ACL Count  N/A
Session Aces       N/A
ACL 1              1
ACL 1 Name         logon
ACL 1 Count        21
Aces 1             16 1 4294
...
192.168.11.1

The output of this command includes the following information:


Column             Description
Native VLAN        VLAN ID of the native VLAN.
DHCP VLAN          VLAN ID of Remote AP DHCP server used when the switch is unreachable.
DHCP ADDR          IP Address used as DHCP Server Identifier.
DHCP POOL NETMASK  Netmask of the DHCP server pool.
DHCP POOL START    IP Address used as the start of a range of addresses for a DHCP pool.
DHCP POOL END      IP Address used as the end of a range of addresses for a DHCP pool.
DHCP DNS SERVER    IP Address for the DHCP DNS server.
DHCP ROUTER        IP Address for the DHCP default router.
DHCP DNS DOMAIN    Domain name for the DHCP DNS server.
DHCP LEASE         Length of DHCP DNS leases in days. If this parameter displays a zero (0), the DHCP lease has no defined end.
Session ACL        Name of the ACL applied to the user session.
Session ACL name   Name of the ACL applied to the user session.
Session ACL count  Number of rules in the ACL applied to the user session.
Session Aces       A list of the individual rules in the session ACL.
ACL 1              This parameter shows the position of an individual ACL.
ACL1 Name          Name of the ACL in the first position.
ACL1 Count         Number of rules in the specified ACL.
ACL1 Aces          A list of the individual rules in the specified ACL.

Command History
Introduced in AOS-W 3.0.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Enable or Config mode on master switches


show ap remote debug mgmt-frames
show ap remote debug mgmt-frames {ap-name <ap-name>}|{bssid <bssid>}|{ip-addr <ip-addr>} [client-mac <client-mac>] [count <count>]
Description
Show traced 802.11 management frames for a remote AP.
Syntax

Parameter          Description
ap-name <ap-name>  Show debugging information for a specific AP.
bssid <bssid>      Show debugging information for a specific Basic Service Set Identifier (BSSID). The Basic Service Set Identifier (BSSID) is usually the AP's MAC address.
ip-addr            Show debugging information for an AP with a specific IP address by entering its IP address in dotted-decimal format.
client-mac         Show the AP associations for a specific MAC address by entering the MAC address of the client.
count <count>      Limit the amount of information displayed by specifying the number of frames to appear in the output of this command.

Examples
Use this command to debug 802.11 authentication on a remote AP. The example below shows that a client successfully associated with the remote AP, then was later deauthenticated.

(host) #show ap remote debug mgmt-frames ap-name AP32

Traced 802.11 Management Frames
-------------------------------
Timestamp        stype       SA                 DA                 BSS                signal  Misc
---------        -----       --                 --                 ---                ------  ----
Oct 30 11:20:19  deauth      00:23:6c:2f:9a:85  00:1a:1e:11:56:40                             STA has left and is deauthenticated
Oct 30 11:04:39  assoc-resp  00:1a:1e:11:56:40  00:23:6c:2f:9a:85  00:1a:1e:11:56:40  15      Success
Oct 30 11:04:39  assoc-req   00:23:6c:2f:9a:85  00:1a:1e:11:56:40  00:1a:1e:11:56:40  0       -

The output of this command includes the following information:

Column     Description
Timestamp  The time the management frame was sent.
stype      One of the following 802.11 frame types:
             auth: Authorization frame
             deauth: Deauthorization frame
             assoc-resp: Association response
             assoc-req: Association request
SA         Source MAC address.
DA         Destination MAC address.
BSS        Basic Service Set Identifier (BSSID) of the AP.
signal     Signal strength as a signal to noise ratio. For example, a value of 30 would indicate that the power of the received signal is 30 dBm above the signal noise threshold.
Misc       Additional information describing the client's action. In the case of deauthentication, a reason associated with the event will be displayed in this column.

Command History
Introduced in AOS-W 3.0.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Enable or Config mode on master switches


show ap remote debug r1_key
show ap remote debug r1_key [ap-name <ap-name> | bssid <bssid> | ip-addr <ip-addr>]
Description
This command displays all the r1 keys that are stored in an AP.
Syntax

Parameter          Description
ap-name <ap-name>  Show debugging information for a specific AP.
bssid <bssid>      Show debugging information for a specific Basic Service Set Identifier (BSSID). The Basic Service Set Identifier (BSSID) is usually the AP's MAC address.
ip-addr <ip-addr>  Show debugging information for an AP with a specific IP address by entering its IP address in dotted-decimal format.

Examples
Use this command to view all the r1 keys that are stored in an AP. You can filter the output based on the AP name, BSSID, or IP address.

(host) #show ap remote debug r1_key ap-name MAcage-105-GL

Stored R1 Keys
--------------
Station MAC        Mobility Domain ID  Validity Duration  R1 Key
-----------        ------------------  -----------------  ------
00:50:43:21:01:b8  1                   3568               (32): 94 ff 18 0a 5f 47 8b 3e 95 2b 93 31 bd 44 58 fe fe 6a ad aa 1d d7 29 94 fb 5b 7c 15 76 66 d2 1f

Command History
Introduced in AOS-W 6.2.

Command Information

Platforms All platforms

Licensing Base operating system

Command Mode Enable mode on master switches


show ap spectrum ap-list
show ap spectrum ap-list {ap-name <ap-name>}|{ip-addr <ip-addr>} ap-bssid <bssid> channel <channel> essid <essid> limit <number> or page <number> freq-band 2.4ghz|5ghz sort <sort> start <index>
Description
This command shows spectrum data seen by an access point that has been converted to a spectrum monitor.
Syntax

Parameter              Description
ap-name <ap-name>      Name of the spectrum monitor for which you want to view spectrum information.
ip-addr <ip-addr>      IP address of the spectrum monitor for which you want to view spectrum information.
channel <channel>      View spectrum information for a specific radio channel.
essid <essid>          View spectrum information for a specific ESSID.
limit <number>         Limit the displayed output to the specified number of entries.
or                     Use this parameter to display information that meets either of two criteria, such as a specified ESSID or channel.
page <number>          Enter a number from 10-100 (inclusive) to specify the number of entries that should appear in each page of the output for this command. For example, if the output of this command has 100 entries and you select a page value of 20, the output will appear in 5 pages each with 20 entries. If you selected a page value of 10, the output would appear in 10 pages with 10 entries.
freq-band 2.4ghz|5ghz  View information for a specific radio type, either 2.4 GHz or 5 GHz.
sort <sort>            Sort the output by the specified data column.
start <index>          Start displaying the output at a specific spectrum index value.

Usage Guidelines
The Spectrum Analysis feature provides visibility into RF coverage, allowing you to troubleshoot RF interference and identify 802.11 devices on the network. Issue this command to display and sort APs seen by a specific spectrum monitor.


Examples
The output of this example shows spectrum data seen by spectrum monitor ap123. The output in the example below has been divided into two tables to better fit this document. In the AOS-W CLI, the output appears as a single, long table.
(host)# show ap spectrum ap-list ap-name ap123

Spectrum AP Table
-----------------
bssid              essid          spectrum-id  chan  phy-type  signal(dBm)
-----              -----          -----------  ----  --------  -----------
00:0b:86:cd:22:d0  ECSD Wireless  2            161   80211a    62
00:0b:86:cb:cf:30  ECSD Wireless  3            157   80211a    68
00:0b:86:f6:f6:a0  osuwireless    3            1     80211b/g  48
00:0b:86:f6:f6:a1  osuvoice       4            1     80211b/g  47
00:0b:86:f6:f6:a2  osuguest       5            1     80211b/g  45

avg-rssi(dB)  curr-rssi(dB)  ibss  add-time             last-seen
------------  -------------  ----  --------             ---------
29            31             no    2010-05-16 17:41:36  2010-05-18 13:39:38
24            25             no    2010-05-16 17:41:36  2010-05-18 14:19:03
37            38             no    2010-05-16 17:41:36  2010-05-18 15:06:02
38            38             no    2010-05-16 17:41:36  2010-05-18 15:04:23
37            40             no    2010-05-16 17:41:36  2010-05-18 15:07:32

The output of this command includes the following information:

Column        Description
bssid         Basic Service Set Identifier for an AP. This is usually the AP's MAC address.
essid         Extended service set identifier that names a wireless network.
spectrum-id   Identifier assigned to the device by the spectrum monitor.
chan          Radio channel used by the BSSID.
freq-band     Radio phy type. Possible types include:
                2.4 GHz
                5 GHz
signal (dBm)  Strength of the signal received by the device, in dBm.
avg-rssi      The average signal-to-noise ratio seen by the AP.
curr-rssi     Most recent signal-to-noise ratio seen by the AP.
ibss          Shows if ad-hoc BSS is enabled or disabled. It will be enabled if the bssid has detected an ad-hoc BSS (an ibss bit in an 802.11 frame).
add-time      Time when the AP was first detected by the spectrum monitor.
last-seen     Time when the AP was last seen by the spectrum monitor.


Related Commands
Command      ap spectrum local-override
Description  Convert an AP or AM into a spectrum monitor by adding it to the spectrum local-override list.
Mode         Config mode on master or local switches

Command      rf dot11a-radio-profile mode spectrum-mode
Description  Set an 802.11a radio so the device operates as a spectrum monitor, and can send spectrum analysis data to a desktop or laptop client.
Mode         Config mode on master or local switches

Command      rf dot11g-radio-profile mode spectrum-mode
Description  Set an 802.11g radio so the device operates as a spectrum monitor, and can send spectrum analysis data to a desktop or laptop client.
Mode         Config mode on master or local switches

Command History
Introduced in AOS-W 6.0.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Enable or Config mode on master or local switches


show ap spectrum channel-metrics
show ap spectrum channel-metrics {ap-name <ap-name>}|{ip-addr <ip-addr>} freq-band 2.4ghz|5ghz
Description
This command shows channel quality, availability and utilization metrics as seen by a spectrum monitor.
Syntax

Parameter              Description
ap-name <ap-name>      Name of the spectrum monitor for which you want to view spectrum information.
ip-addr <ip-addr>      IP address of the spectrum monitor.
freq-band 2.4ghz|5ghz  View information for a specific radio type, either 2.4 GHz or 5 GHz.

Usage Guideline
This chart displays channel utilization data, showing the percentage of each channel that is currently being used by Wi-Fi devices, and the percentage of each channel being used by non-Wi-Fi devices and 802.11 adjacent channel interference (ACI).

ACI refers to the interference on a channel created by a transmitter operating in an adjacent channel. A transmitter on a nonadjacent or partially overlapping channel may also cause interference, depending on the transmit power of the interfering transmitter and/or the distance between the devices. In general, ACI may be caused by a Wi-Fi transmitter or a non-Wi-Fi interferer. However, whenever the term ACI appears in Spectrum Analysis graphs, it refers to the ACI caused by Wi-Fi transmitters. The channel utilization option in the Channel Metrics Chart shows the percentage of the channel utilization due to both ACI and non-Wi-Fi interfering devices. Unlike the ACI shown in the show ap spectrum interference-power output, the ACI shown in this graph indicates the percentage of channel time that is occupied by ACI or unavailable for Wi-Fi communication due to ACI.
The Channel Metrics table can also show channel availability, the percentage of each channel that is available for use, or display the current relative quality of selected channels in the 2.4 GHz or 5 GHz radio bands. In the spectrum analysis feature, channel quality is a relative measure that indicates the ability of the channel to support reliable WiFi communication. Channel quality, which is represented as a percentage in this chart, is a weighted metric derived from key parameters that can affect the communication quality of a wireless channel, including noise, non-Wi-Fi (interferer) utilization and duty-cycles, and certain types of retries. Note that channel quality is not directly related to Wi-Fi channel utilization, as a higher quality channel may or may not be highly utilized.
A hybrid AP on a 20 MHz channel will see 40 MHz Wi-Fi data as non-Wi-Fi data.

Examples
The output of this example shows part of the channel metrics table for channels seen by the spectrum monitor ap123.
(host)# show ap spectrum channel-metrics ap-name ap123 freq-band 2.4GHz

Channel Metrics Table
---------------------
Channel  Quality(%)  Availability(%)  Utilization(%)  WiFi Util(%)  Interference Util(%)
-------  ----------  ---------------  --------------  ------------  --------------------
1        97          57               43              40            3
2        80          58               42              22            20
3        63          58               42              5             37
4        71          57               43              16            27
5        88          54               46              36            10
6        98          51               49              47            2
7        88          54               46              35            11
8        69          56               44              14            30
9        60          57               43              3             40
10       30          29               71              1             70
11       0           0                100             0             100
12       25          50               50              0             50
13       50          99               1               0             1
14       99          99               1               0             1
1+/5-    63          54               46              36            10
2+/6-    63          51               49              47            2
3+/7-    63          51               49              47            2
4+/8-    69          51               49              47            2
5+/9-    60          51               49              47            2
6+/10-   30          29               71              1             70
7+/11-   0           0                100             0             100

The output of this command includes the following information:

Column                 Description
channel                An 802.11a or 802.11g radio channel.
Quality(%)             Current relative quality of selected channels in the 802.11a or 802.11g radio bands, as determined by the percentage of packet retries, the current noise floor, and the duty cycle for non-Wi-Fi devices on that channel.
Availability(%)        The percentage of the channel currently available for use.
Utilization(%)         The percentage of the channel being used.
WiFi Util(%)           The percentage of the channel currently being used by Wi-Fi devices.
Interference Util(%)   The percentage of the channel currently being used by non-Wi-Fi interference plus Wi-Fi ACI (adjacent channel interference).

Related Commands

Command: ap spectrum local-override
Description: Convert an AP or AM into a spectrum monitor by adding it to the spectrum local-override list.
Mode: Config mode on master or local switches

Command: rf dot11a-radio-profile mode spectrum-mode
Description: Set an 802.11a radio so the device operates as a spectrum monitor and can send spectrum analysis data to a desktop or laptop client.
Mode: Config mode on master or local switches

Command: rf dot11g-radio-profile mode spectrum-mode
Description: Set an 802.11g radio so the device operates as a spectrum monitor and can send spectrum analysis data to a desktop or laptop client.
Mode: Config mode on master or local switches

Command History
Introduced in AOS-W 6.0.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Enable or Config mode on master or local switches

show ap spectrum channel-summary
show ap spectrum channel-summary {ap-name <ap-name>}|{ip-addr <ip-addr>} freq-band 2.4ghz|5ghz
Description
This command displays a summary of the 802.11a or 802.11g channels seen by a spectrum monitor.
Syntax

Parameter               Description
ap-name <ap-name>       Name of the spectrum monitor for which you want to view spectrum information.
ip-addr <ip-addr>       IP address of the spectrum monitor for which you want to view spectrum information.
freq-band 2.4ghz|5ghz   View information for a specific radio type, either 2.4 GHz or 5 GHz.

Usage Guidelines
This table can display aggregate data for each channel seen by the spectrum monitor radio, including the maximum AP power, interference and the signal-to-noise-and-interference ratio (SNIR). SNIR is the ratio of signal strength to the combined levels of interference and noise on that channel. This value is calculated by determining the maximum noise-floor and interference-signal levels, and then calculating how strong the desired signal is above this maximum.
A hybrid AP on a 20 MHz channel will see 40 MHz Wi-Fi data as non-Wi-Fi data.

Examples
The output of the example below shows information for 802.11a radio channels seen by the spectrum monitor ap999.
(host)# show ap spectrum channel-summary ap-name ap999 freq-band 5ghz

Channel Summary Table
---------------------
Channel  KnownAPs  UnknownAPs  Util(%)  MaxAPSignal(dBm)  MaxInterference(dBm)  SNIR(dB)
-------  --------  ----------  -------  ----------------  --------------------  --------
149      69        0           5        -39               -69                   30
153      20        0           100      -42               -60                   18
157      56        0           6        -53               -59                   6
161      54        0           4        -43               -71                   28
165      32        0           3        -27               -70                   43
149+     69        0           100      -39               -60                   21
157+     20        0           6        -43               -59                   16

The output of this command includes the following information:

Column                   Description
Channel                  An 802.11a or 802.11g radio channel.
Known APs                Number of valid APs identified on the radio channel.
Unknown APs              Number of invalid or rogue APs identified on the radio channel.
Channel Util (%)         Percentage of the channel currently in use.
Max AP Signal (dBm)      Signal strength of the AP that has the maximum signal strength on a channel.
Max Interference (dBm)   Signal strength of the non-Wi-Fi device that has the highest signal strength.
SNIR (dB)                The ratio of signal strength to the combined levels of interference and noise on that channel. This value is calculated by determining the maximum noise-floor and interference-signal levels, and then calculating how strong the desired signal is above this maximum.
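
The following Python sketch is an added example, not part of the AOS-W guide. It parses the Channel Summary Table shown above, checks each row against the SNIR definition (in the sample, SNIR equals MaxAPSignal minus MaxInterference), and lists channels that report unknown APs, saturated utilization or low SNIR. The column spacing, thresholds and function names are assumptions made for illustration.

```python
"""Parse `show ap spectrum channel-summary` output and flag channels to inspect.

Added example: the column layout follows the sample on this page; thresholds
and helper names are assumptions chosen for illustration.
"""
import re
from dataclasses import dataclass

# Sample constructed from the example output on this page (whitespace assumed).
SAMPLE_OUTPUT = """\
Channel Summary Table
---------------------
Channel  KnownAPs  UnknownAPs  Util(%)  MaxAPSignal(dBm)  MaxInterference(dBm)  SNIR(dB)
-------  --------  ----------  -------  ----------------  --------------------  --------
149      69        0           5        -39               -69                   30
153      20        0           100      -42               -60                   18
157      56        0           6        -53               -59                   6
161      54        0           4        -43               -71                   28
165      32        0           3        -27               -70                   43
149+     69        0           100      -39               -60                   21
157+     20        0           6        -43               -59                   16
"""

# A data row: channel (optionally with a 40 MHz "+"/"-" suffix), then six integers.
ROW_RE = re.compile(
    r"^\s*(\d+[+-]?)\s+(\d+)\s+(\d+)\s+(\d+)\s+(-?\d+)\s+(-?\d+)\s+(-?\d+)\s*$"
)


@dataclass(frozen=True)
class ChannelSummary:
    channel: str
    known_aps: int
    unknown_aps: int
    util_pct: int
    max_ap_signal_dbm: int
    max_interference_dbm: int
    snir_db: int


def parse_channel_summary(text):
    """Return one ChannelSummary per data row; titles, headers and rules are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        rows.append(ChannelSummary(m.group(1), *(int(g) for g in m.groups()[1:])))
    return rows


def snir_mismatch(row, tolerance_db=1):
    """True when the reported SNIR differs from signal minus interference.

    The table does not show the noise floor, so this assumes interference is
    the larger of the two levels the guide says SNIR is measured against.
    """
    expected = row.max_ap_signal_dbm - row.max_interference_dbm
    return abs(expected - row.snir_db) > tolerance_db


def review(rows, min_snir_db=10, max_util_pct=90):
    """Return {channel: [reasons]} for channels an operator should look at."""
    findings = {}
    for row in rows:
        reasons = []
        if row.unknown_aps > 0:
            reasons.append(f"{row.unknown_aps} unknown (invalid or rogue) AP(s)")
        if row.util_pct >= max_util_pct:
            reasons.append(f"utilization {row.util_pct}%")
        if row.snir_db < min_snir_db:
            reasons.append(f"SNIR {row.snir_db} dB below {min_snir_db} dB")
        if snir_mismatch(row):
            reasons.append("SNIR inconsistent with signal and interference columns")
        if reasons:
            findings[row.channel] = reasons
    return findings


if __name__ == "__main__":
    for channel, reasons in review(parse_channel_summary(SAMPLE_OUTPUT)).items():
        print(f"channel {channel}: " + "; ".join(reasons))
```
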

Related Commands
Command: ap spectrum local-override
Description: Convert an AP or AM into a spectrum monitor by adding it to the spectrum local-override list.
Mode: Config mode on master or local switches

Command: rf dot11a-radio-profile mode spectrum-mode
Description: Set an 802.11a radio so the device operates as a spectrum monitor and can send spectrum analysis data to a desktop or laptop client.
Mode: Config mode on master or local switches

Command: rf dot11g-radio-profile mode spectrum-mode
Description: Set an 802.11g radio so the device operates as a spectrum monitor and can send spectrum analysis data to a desktop or laptop client.
Mode: Config mode on master or local switches

Command History
Introduced in AOS-W 6.0.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Enable or Config mode on master or local switches

show ap spectrum client-list
show ap spectrum client-list {ap-name <ap-name>}|{ip-addr <ip-addr>} ap-bssid <bssid> channel <channel> essid <essid> limit <limit> mac <mac-addr> or page <page> freq-band 2.4ghz|5ghz start <start>
Description
This command shows details for clients seen by a specified spectrum monitor.
Syntax

Parameter               Description
ap-name <ap-name>       Name of the spectrum monitor for which you want to view spectrum information.
ip-addr <ip-addr>       IP address of the spectrum monitor for which you want to view spectrum information.
ap-bssid <bssid>        View information for a client with a specific BSSID.
channel <channel>       View information for clients on a specific radio channel.
essid <essid>           View information for clients using a specific ESSID.
limit <limit>           Limit the output of this command to the specified number of clients.
mac <mac-addr>          View information for a client with a specific MAC address.
start <start>           Limit the output of this command to clients with the specified index number or lower.
limit <number>          Limit the displayed output to the specified number of entries.
or                      Use this parameter to display information that meets either of two criteria, such as a specified ESSID or channel.
page <number>           Enter a number from 10-100 (inclusive) to specify the number of entries that should appear in each page of the output for this command. For example, if the output of this command has 100 entries and you select a page value of 20, the output will appear in 5 pages each with 20 entries. If you selected a page value of 10, the output would appear in 10 pages with 10 entries.
freq-band 2.4ghz|5ghz   View information for a specific radio type, either 2.4 GHz or 5 GHz.

Usage Guidelines
Use this command to view channel and signal information for wireless clients seen by the spectrum monitor.

Examples
The example shows that the spectrum monitor ap999 sees eight different clients on channel 149. The output in the example below has been divided into two tables to better fit this document. In the AOS-W CLI, the output appears as a single, long table.
(host)# show ap spectrum client-list ap-name ap999 channel 149

Spectrum Client Table
---------------------
mac                bssid              essid             spectrum-id  channel  phy-type
---                -----              -----             -----------  -------  --------
00:14:a4:d1:34:63  00:24:6c:80:48:79  ethersphere-wpa2  14           149      80211a
00:19:7d:3a:96:d9  00:24:6c:80:7b:c9  ethersphere-wpa2  198          149      80211a
00:16:cf:af:3e:e1  00:24:6c:80:48:79  ethersphere-wpa2  80           149      80211a
00:1c:26:5b:a7:ac  00:24:6c:81:8b:19  ethersphere-wpa2  125          149      80211a
00:21:6b:c6:b2:12  00:24:6c:80:48:79  ethersphere-wpa2  118          149      80211a-HT-40
00:21:6a:9c:0e:36  00:24:6c:81:8b:19  ethersphere-wpa2  121          149      80211a
00:21:6a:51:e4:30  00:1a:1e:87:c1:91  ethersphere-wpa2  164          149      80211a-HT-40
00:24:d6:65:a9:e6  00:24:6c:80:48:7a  ethersphere-voip  222          149      80211a-HT-40

signal(dBm)  add-time             last-seen
-----------  --------             ---------
-71          2010-05-17 09:53:47  2010-05-17 12:36:54
-66          2010-05-17 12:01:01  2010-05-17 12:36:42
-74          2010-05-17 09:54:59  2010-05-17 12:35:55
-79          2010-05-17 10:23:29  2010-05-17 12:37:28
-66          2010-05-17 10:17:05  2010-05-17 12:31:58
-72          2010-05-17 10:20:05  2010-05-17 12:37:30
-63          2010-05-17 11:07:21  2010-05-17 12:29:01
-69          2010-05-17 12:37:25  2010-05-17 12:37:25

start:0 Length:8 Total:8

The output of this command includes the following information:

Column        Description
mac           MAC address of the client.
bssid         Basic Service Set Identifier for a client. This is usually the device's MAC address.
essid         Extended service set identifier that names a wireless network.
spectrum-id   Identifier assigned to the client by the spectrum monitor.
chan          Radio channel used by the BSSID.
phy-type      Radio phy type. Possible types include:
              • 802.11a
              • 802.11a-HT-40
              • 802.11b/g
              • 802.11b/g-HT-20
signal(dBm)   Client signal strength, in dBm.
add-time      Time when the client was first detected by the spectrum monitor.
last-seen     Time when the spectrum monitor last detected that the client was active.

Related Commands
Command: ap spectrum local-override
Description: Convert an AP or AM into a spectrum monitor by adding it to the spectrum local-override list.
Mode: Config mode on master or local switches

Command: rf dot11a-radio-profile mode spectrum-mode
Description: Set an 802.11a radio so the device operates as a spectrum monitor and can send spectrum analysis data to a desktop or laptop client.
Mode: Config mode on master or local switches

Command: rf dot11g-radio-profile mode spectrum-mode
Description: Set an 802.11g radio so the device operates as a spectrum monitor and can send spectrum analysis data to a desktop or laptop client.
Mode: Config mode on master or local switches

Command History
Introduced in AOS-W 6.0.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Enable or Config mode on master or local switches

show ap spectrum debug
show ap spectrum debug {channel-info|channel-quality|classify|classify-fft|device-details|device-info|devices-seen} {ap-name <ap-name>}|{ip-addr <ip-addr>} freq-band {2.4ghz|5ghz}
Description
This command saves spectrum analysis channel information to a file on the spectrum monitor.
Syntax

Parameter               Description
channel-info            Save channel information for later analysis.
channel-quality         Save channel quality information for later analysis.
classify                Save information on classification for later analysis.
classify-fft            Save information on classification and FFT data for later analysis.
device-details          Save device details for later analysis.
device-info             Save device information for later analysis.
devices-seen            Save information on devices seen by the spectrum monitor.
ap-name <ap-name>       Name of the spectrum monitor for which you want to view spectrum information.
ip-addr <ip-addr>       IP address of the spectrum monitor for which you want to view spectrum information.
freq-band 2.4ghz|5ghz   Save information for a specific radio type, either 2.4 GHz or 5 GHz.

Usage Guidelines
Use this command under the supervision of your Alcatel-Lucent technical support representative to troubleshoot spectrum analysis issues or errors.
Related Commands

Command: ap spectrum local-override
Description: Convert an AP or AM into a spectrum monitor by adding it to the spectrum local-override list.
Mode: Config mode on master or local switches

Command: rf dot11a-radio-profile mode spectrum-mode
Description: Set an 802.11a radio so the device operates as a spectrum monitor and can send spectrum analysis data to a desktop or laptop client.
Mode: Config mode on master or local switches

Command: rf dot11g-radio-profile mode spectrum-mode
Description: Set an 802.11g radio so the device operates as a spectrum monitor and can send spectrum analysis data to a desktop or laptop client.
Mode: Config mode on master or local switches

Command History
Introduced in AOS-W 6.0.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Enable or Config mode on master or local switches

show ap spectrum debug fft
show ap spectrum debug fft {ap-name <ap-name>}|{ip-addr <ip-addr>} freq-band {2.4ghz|5ghz} avg duty-cycle fft-to-controller max normalized raw raw-normalized
Description
Save FFT (Fast Fourier Transform) power data to a file on the spectrum monitor.
Syntax

Parameter               Description
ap-name <ap-name>       Name of the spectrum monitor for which you want to view spectrum information.
ip-addr <ip-addr>       IP address of the spectrum monitor.
freq-band 2.4ghz|5ghz   Save information for a specific radio type, either 2.4 GHz or 5 GHz.
avg                     Save FFT average information.
duty-cycle              Save FFT duty-cycle data.
fft-to-controller       Save the FFT max, average and duty-cycle data.
max                     Save the maximum FFT power measured for all samples taken over the last second.
normalized              Save normalized FFT information.
raw                     Save the raw FFT information received from driver.
raw-normalized          Save FFT information received from driver and its normalized FFT.

Usage Guidelines
Use this command under the guidance of an Alcatel-Lucent technical support representative to troubleshoot FFT power issues seen on AP models AP-104, AP-92, AP-93, AP-93H, AP-175 and the AP-130 Series.
Related Commands

Command: ap spectrum local-override
Description: Convert an AP or AM into a spectrum monitor by adding it to the spectrum local-override list.
Mode: Config mode on master or local switches

Command: rf dot11a-radio-profile mode spectrum-mode
Description: Set an 802.11a radio so the device operates as a spectrum monitor and can send spectrum analysis data to a desktop or laptop client.
Mode: Config mode on master or local switches

Command: rf dot11g-radio-profile mode spectrum-mode
Description: Set an 802.11g radio so the device operates as a spectrum monitor and can send spectrum analysis data to a desktop or laptop client.
Mode: Config mode on master or local switches

Command History
Introduced in AOS-W 6.0.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Enable or Config mode on master or local switches

show ap spectrum debug monitors
show ap spectrum debug monitors

Description
Show a detailed description of all spectrum monitors on the switch.

Syntax
No parameters

Examples

The output of this command shows a list of available spectrum monitor or hybrid AP devices, a list of spectrum devices currently subscribed to a spectrum client, message counters for subscribed spectrum devices and the subscription history.

(host)# show ap spectrum debug monitors

List of Available Sensors
-----------------------------------
AP name  Phy  Band
-------  ---  ----
ap999    G    2GHz
ap999    A    5GHz
Total: 2

List of Subscriptions
---------------------
AP name  Band  Client IP      Subscribe Time          HTTPD pid  Last Data Sent  Send Failed
-------  ----  ---------      --------------          ---------  --------------  -----------
ap123    2GHz  10.100.100.67  2010-05-18 03:49:44 PM  1711       1s              0
ap123    5GHz  10.100.100.67  2010-05-18 03:49:51 PM  1711       1s              0
Num Subscriptions: 2
Current Time: 2010-05-18 03:49:54 PM

Message Counters
----------------
AP name  Band  FFT Data  FFT Duty Cycle  Device Info  Device Details  Devices Seen  Channel Info
-------  ----  --------  --------------  -----------  --------------  ------------  ------------
ap123    2GHz  4         4               1            194             1             1
ap123    5GHz  0         0               0            0               0             0

Subscription History
--------------------
Message          AP/Radio/Band   Client IP      HTTPD pid  Timestamp               Result
-------          -------------   ---------      ---------  ---------               ------
Subscribe        "ap123"/1/2GHz  10.240.16.165  1701       2010-05-17 01:29:16 PM  Success
Re-subscribe     "ap123"/0/5GHz  10.240.16.165  1700       2010-05-17 01:29:16 PM  Success
Unsubscribe-All  "ap123"/-/-     10.240.16.165  1701       2010-05-17 02:44:18 PM  Client Not found
Subscribe        "ap123"/1/2GHz  10.100.100.67  1716       2010-05-18 03:44:28 PM  Success

Usage Guidelines
Use this command under the guidance of an Alcatel-Lucent technical support representative to troubleshoot spectrum analysis errors.
Related Commands

Command: ap spectrum local-override
Description: Convert an AP or AM into a spectrum monitor by adding it to the spectrum local-override list.
Mode: Config mode on master or local switches

Command: rf dot11a-radio-profile mode spectrum-mode
Description: Set an 802.11a radio so the device operates as a spectrum monitor and can send spectrum analysis data to a desktop or laptop client.
Mode: Config mode on master or local switches

Command: rf dot11g-radio-profile mode spectrum-mode
Description: Set an 802.11g radio so the device operates as a spectrum monitor and can send spectrum analysis data to a desktop or laptop client.
Mode: Config mode on master or local switches

Command History
Introduced in AOS-W 6.0.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Enable or Config mode on master or local switches

show ap spectrum debug status
show ap spectrum debug status {ap-name <ap-name>}|{ip-addr <ip-addr>} freq-band 2.4ghz|5ghz
Description
This command shows detailed status and statistics for a spectrum monitor or hybrid AP.
Syntax

Parameter               Description
ap-name <ap-name>       Name of the spectrum device for which you want to view status information.
ip-addr <ip-addr>       IP address of the spectrum device for which you want to view status information.
freq-band 2.4ghz|5ghz   View information for a specific radio type, either 2.4 GHz or 5 GHz.

Usage Guidelines
Use this command under the guidance of an Alcatel-Lucent technical support representative to troubleshoot spectrum analysis errors.
Related Commands

Command: ap spectrum local-override
Description: Convert an AP or AM into a spectrum monitor by adding it to the spectrum local-override list.
Mode: Config mode on master or local switches

Command: rf dot11a-radio-profile mode spectrum-mode
Description: Set an 802.11a radio so the device operates as a spectrum monitor and can send spectrum analysis data to a desktop or laptop client.
Mode: Config mode on master or local switches

Command: rf dot11g-radio-profile mode spectrum-mode
Description: Set an 802.11g radio so the device operates as a spectrum monitor and can send spectrum analysis data to a desktop or laptop client.
Mode: Config mode on master or local switches

Command History
Introduced in AOS-W 6.0.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Enable or Config mode on master or local switches

show ap spectrum device-duty-cycle
show ap spectrum device-duty-cycle {ap-name <ap-name>}|{ip-addr <ip-addr>} freq-band 2.4ghz|5ghz
Description
Shows the current duty cycle for devices on all channels being monitored by the spectrum monitor or hybrid AP radio.
Syntax

Parameter               Description
ap-name <ap-name>       Name of the spectrum device for which you want to view spectrum information.
ip-addr <ip-addr>       IP address of the spectrum device for which you want to view spectrum information.
freq-band 2.4ghz|5ghz   View information for a specific radio type, either 2.4 GHz or 5 GHz.

Usage Guidelines
The FFT Duty Cycle table in the output of this command shows the duty cycle for each radio channel. The duty cycle is the percentage of time each device type operates or transmits on that channel. For additional details about non-WiFi device types shown in this table, see Non-Wi-Fi Interferers on page 886.
This chart is not available for OAW-AP120 Series or OAW-AP68 or OAW-RAP5 access points. A hybrid AP on a 20 MHz channel will see 40 MHz Wi-Fi data as non-Wi-Fi data.

Examples

The output of this command shows that video devices sent a signal on channels 153 and 157 during 99% of the last sample interval.

Device Duty Cycle Table (in %)
------------------------------
Device Type          149  153  157  161  165  149+  157+
-----------          ---  ---  ---  ---  ---  ----  ----
Generic Interferer   0    0    0    0    0    0     0
WIFI                 5    0    5    12   8    0     12
Microwave            0    0    0    0    0    0     0
Bluetooth            0    0    0    0    0    0     0
Generic Fixed Freq   0    0    0    0    0    0     0
Cordless Phone FF    0    0    0    0    0    0     0
Video                0    99   99   0    0    0     0
Audio                0    0    0    0    0    0     0
Generic Freq Hopper  0    0    0    0    0    0     0
Cordless Network FH  0    0    0    0    0    0     0
Xbox                 0    0    0    0    0    0     0
Microwave Inverter   0    0    0    0    0    0     0
Cordless Base FH     5    5    5    5    5    0     0
Total:7

Related Commands
Command: ap spectrum local-override
Description: Convert an AP or AM into a spectrum monitor by adding it to the spectrum local-override list.
Mode: Config mode on master or local switches

Command: rf dot11a-radio-profile mode spectrum-mode
Description: Set an 802.11a radio so the device operates as a spectrum monitor and can send spectrum analysis data to a desktop or laptop client.
Mode: Config mode on master or local switches

Command: rf dot11g-radio-profile mode spectrum-mode
Description: Set an 802.11g radio so the device operates as a spectrum monitor and can send spectrum analysis data to a desktop or laptop client.
Mode: Config mode on master or local switches

Command History
Introduced in AOS-W 6.0.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Enable or Config mode on master or local switches

show ap spectrum device-history
show ap spectrum device-history {ap-name <ap-name>}|{ip-addr <ip-addr>} freq-band 2.4ghz|5ghz [type audio-ff|bluetooth|cordless-base-fh|cordless-network-fh|cordless-phone-ff|generic-ff|generic-fh|generic-interferer|microwave|microwave-inverter|video|xbox]
Description
This command shows the history of the last 256 non-Wi-Fi devices.
Syntax

Parameter               Description
ap-name <ap-name>       Name of the spectrum monitor or hybrid AP for which you want to view spectrum information.
ip-addr <ip-addr>       IP address of the spectrum monitor or hybrid AP for which you want to view spectrum information.
freq-band 2.4ghz|5ghz   View information for a specific radio type, either 2.4 GHz or 5 GHz.
type                    Show information for one type of device only by specifying a non-Wi-Fi device.
  audio-ff              View information for audio devices seen by the spectrum device.
  bluetooth             View information for bluetooth devices seen by the spectrum device. NOTE: This option is available only for 2.4 GHz spectrum devices.
  cordless-base-fh      View information for frequency-hopping cordless phone bases seen by the spectrum device.
  cordless-phone-ff     View information for frequency-hopping cordless phones seen by the spectrum device.
  cordless-network-fh   View information for frequency-hopping cordless network devices seen by the spectrum device.
  generic-ff            View information for generic fixed-frequency devices seen by the spectrum device.
  generic-fh            View information for generic frequency-hopping devices seen by the spectrum device.
  generic-interferer    Show only generic interfering devices.
  microwave             View information for microwave-emitting devices seen by the spectrum device. NOTE: This option is available only for 2.4 GHz spectrum devices.
  microwave-inverter    View information for inverter microwave devices seen by the spectrum device. NOTE: This option is available only for 2.4 GHz spectrum devices.
  video                 View information for video devices seen by the spectrum device.
  xbox                  View information for Xbox devices seen by the spectrum device. NOTE: This option is available only for 2.4 GHz spectrum devices.

Usage Guidelines
Use this command to view channel, signal and duty-cycle information and add/delete times for the last 256 devices seen by a spectrum monitor or hybrid AP.
Non-Wi-Fi Interferers
The following table describes each type of non-Wi-Fi interferer detected by a spectrum monitor or hybrid AP. Note also that a hybrid AP on a 20 MHz channel will see 40 MHz Wi-Fi data as non-Wi-Fi data.

Non-Wi-Fi Interferer Type             Description
Bluetooth                             Any device that uses the Bluetooth protocol to communicate in the 2.4 GHz band is classified as a Bluetooth device. Bluetooth uses a frequency hopping protocol.
Fixed Frequency (Audio)               Some audio devices such as wireless speakers and microphones also use fixed frequency to continuously transmit audio. These devices are classified as Fixed Frequency (Audio).
Fixed Frequency (Cordless Phones)     Some cordless phones use a fixed frequency to transmit data (much like the fixed frequency video devices). These devices are classified as Fixed Frequency (Cordless Phones).
Fixed Frequency (Video)               Video transmitters that continuously transmit video on a single frequency are classified as Fixed Frequency (Video). These devices typically have close to a 100% duty cycle. These types of devices may be used for video surveillance, TV or other video distribution, and similar applications.
Fixed Frequency (Other)               All other fixed frequency devices that do not fall into one of the above categories are classified as Fixed Frequency (Other). Note that the RF signatures of the fixed frequency audio, video and cordless phone devices are very similar and that some of these devices may be occasionally classified as Fixed Frequency (Other).
Frequency Hopper (Cordless Base)      Frequency hopping cordless phone base units transmit periodic beacon-like frames at all times. When the handsets are not transmitting (i.e., no active phone calls), the cordless base is classified as Frequency Hopper (Cordless Base).
Frequency Hopper (Cordless Network)   When there is an active phone call and one or more handsets are part of the phone conversation, the device is classified as Frequency Hopper (Cordless Network). Cordless phones may operate in 2.4 GHz or 5 GHz bands. Some phones use both 2.4 GHz and 5 GHz bands (for example, 5 GHz for Base-to-handset and 2.4 GHz for Handset-to-base). These phones may be classified as unique Frequency Hopper devices on both bands.
Frequency Hopper (Xbox)               The Microsoft Xbox device uses a frequency hopping protocol in the 2.4 GHz band. These devices are classified as Frequency Hopper (Xbox).
Frequency Hopper (Other)              When the classifier detects a frequency hopper that does not fall into one of the above categories, it is classified as Frequency Hopper (Other). Some examples include IEEE 802.11 FHSS devices, game consoles and cordless/hands-free devices that do not use one of the known cordless phone protocols.
Microwave                             Common residential microwave ovens with a single magnetron are classified as a Microwave. These types of microwave ovens may be used in cafeterias, break rooms, dormitories and similar environments. Some industrial, healthcare or manufacturing environments may also have other equipment that behave like a microwave and may also be classified as a Microwave device.
Microwave (Inverter)                  Some newer-model microwave ovens have the inverter technology to control the power output and these microwave ovens may have a duty cycle close to 100%. These microwave ovens are classified as Microwave (Inverter). Dual-magnetron industrial microwave ovens with higher duty cycle may also be classified as Microwave (Inverter). As in the Microwave category described above, there may be other equipment that behave like inverter microwaves in some industrial, healthcare or manufacturing environments. Those devices may also be classified as Microwave (Inverter).
Generic Interferer                    Any non-frequency hopping device that does not fall into one of the other categories described in this table is classified as a Generic Interferer. For example a Microwave-like device that does not operate in the known operating frequencies used by the Microwave ovens may be classified as a Generic Interferer. Similarly wide-band interfering devices may be classified as Generic Interferers.

Example
The output of this example shows details for fixed-frequency video devices seen by a spectrum monitor or hybrid AP radio.
(host)# show ap spectrum device-history ap-name ap123 freq-band 5ghz type video

Non-Wifi Device History Table
-----------------------------
Type   ID  Cfreq(Khz)  Bandwidth(KHz)  Channels-affected  Signal-strength  Duty-cycle  Add-time             Delete-time
----   --  ----------  --------------  -----------------  ---------------  ----------  --------             -----------
Video  1   5745312     6000            149                76               99          2010-05-16 20:07:08  -
Video  2   5745312     6000            149                75               99          2010-05-16 20:07:39  2010-05-17 16:50:24
Video  3   5745312     6000            149                74               99          2010-05-16 20:20:25  2010-05-16 20:20:36
Video  4   5745312     6000            149                76               99          2010-05-16 20:32:44  2010-05-16 20:33:07
Video  5   5742031     6000            149                79               99          2010-05-16 20:33:43  2010-05-16 20:33:53
Video  6   5745312     6000            149                75               99          2010-05-16 20:34:08  2010-05-16 20:34:20

The output of this command includes the following information:

Column              Description
Type                Device type. This parameter can be any of the following:
                    • audio FF (fixed frequency)
                    • bluetooth
                    • cordless base FH (frequency hopper)
                    • cordless phone FF (fixed frequency)
                    • cordless network FH (frequency hopper)
                    • generic FF (fixed frequency)
                    • generic FH (frequency hopper)
                    • generic interferer
                    • microwave
                    • microwave inverter
                    • video
                    • xbox
                    NOTE: For additional details about non-Wi-Fi device types shown in this table, see Non-Wi-Fi Interferers on page 886.
ID                  ID number assigned to the device by the spectrum monitor or hybrid AP radio. Spectrum monitors and hybrid APs assign a unique spectrum ID per device type.
Cfreq               Center frequency of the signal sent from the device.
Bandwidth           Channel bandwidth used by the device, in Kilohertz.
Channels-affected   Radio channels affected by the wireless device, in Kilohertz.
Signal-strength     Strength of the signal sent from the device, in dBm.
Duty-cycle          Device duty cycle. This value represents the percent of time the device broadcasts on the specified channel or frequency.
Add-time            Time at which the device was first detected.
Delete-time         Time at which the device was aged out.

Related Commands
Command                                     Description                                                                                                                             Mode
ap spectrum local-override                  Convert an AP or AM into a spectrum monitor by adding it to the spectrum local-override list.                                           Config mode on master or local switches
rf dot11a-radio-profile mode spectrum-mode  Set an 802.11a radio so the device operates as a spectrum monitor, and can send spectrum analysis data to a desktop or laptop client.  Config mode on master or local switches
rf dot11g-radio-profile mode spectrum-mode  Set an 802.11g radio so the device operates as a spectrum monitor, and can send spectrum analysis data to a desktop or laptop client.  Config mode on master or local switches

Command History
Introduced in AOS-W 6.0.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode Enable or Config mode on master or local switches


show ap spectrum device-list
show ap spectrum device-list {ap-name <ap-name>}|{ip-addr <ip-addr>} freq-band 2.4ghz|5ghz [type audio-ff|bluetooth|cordless-base-fh|cordless-network-fh|cordless-phone-ff|generic-ff|generic-fh|generic-interferer|microwave|microwave-inverter|video|xbox]
Description
Show a device summary table and channel information for non-Wi-Fi devices currently seen by a spectrum monitor or hybrid AP radio.
Syntax

Parameter              Description
ap-name <ap-name>      Name of the spectrum monitor or hybrid AP for which you want to view spectrum information.
ip-addr <ip-addr>      IP address of the spectrum monitor or hybrid AP for which you want to view spectrum information.
freq-band 2.4ghz|5ghz  View information for a specific radio type, either 2.4 GHz or 5 GHz.
type                   Show data for a specific device type only.
audio-ff               Show only audio fixed frequency devices.
bluetooth              Show only bluetooth devices. NOTE: This option is available only for 2.4 GHz spectrum devices.
cordless-base-fh       View information for frequency-hopping cordless phone bases seen by the spectrum device.
cordless-phone-ff      View information for frequency-hopping cordless phones seen by the spectrum device.
cordless-network-fh    View information for frequency-hopping cordless network devices seen by the spectrum device.
generic-ff             View information for generic fixed-frequency devices seen by the spectrum device.
generic-fh             View information for generic frequency-hopping devices seen by the spectrum device.
generic-interferer     Show only generic interfering devices.
microwave              Show only microwave devices. NOTE: This option is available only for 2.4 GHz spectrum devices.
microwave-inverter     Show only microwave inverter devices. NOTE: This option is available only for 2.4 GHz spectrum devices.
video                  Show only video fixed frequency devices.
xbox                   Show only xbox frequency hopper devices. NOTE: This option is available only for 2.4 GHz spectrum devices.

Usage Guidelines
Issue this command to view detailed information about currently active non-Wi-Fi devices on the network. Use the optional type parameter to display data for one specific device type only. For additional details about non-Wi-Fi device types shown in this table, see Non-Wi-Fi Interferers on page 886.
A hybrid AP on a 20 MHz channel will see 40 MHz Wi-Fi data as non-Wi-Fi data.

Examples
The output of this example shows that the spectrum monitor ap123 is able to see data for a single non-Wi-Fi device on its 802.11a radio. Note that the output below is divided into two sections to better fit on the page of this document. In the AOS-W CLI, this information is displayed in a single long table.

(host) #show ap spectrum device-list ap-name ap123 freq-band 5ghz

Non-Wifi Device List Table
--------------------------
Type               ID  Cfreq    Bandwidth  Channels-affected  Signal-strength
----               --  -----    ---------  -----------------  ---------------
Cordless Phone FH  3   5826093  80000      149 157 161 165    49

Duty-cycle  Add-time             Update-time
----------  --------             -----------
5           2010-05-17 10:04:53  2010-05-17 10:04:55

Total:1
Current Time:2010-05-17 10:04:56

The output of this command includes the following information:

Column             Description
Type               Device type. This parameter can be any of the following: audio FF (fixed frequency), bluetooth, cordless base FH (frequency hopper), cordless phone FF (fixed frequency), cordless network FH (frequency hopper), generic FF (fixed frequency), generic FH (frequency hopper), generic interferer, microwave, microwave inverter, video, xbox. NOTE: For additional details about non-Wi-Fi device types shown in this table, see Non-Wi-Fi Interferers on page 886.
ID                 ID number assigned to the device by the spectrum monitor or hybrid AP radio. Spectrum monitors and hybrid APs assign a unique spectrum ID per device type.
Cfreq              Center frequency of the signal sent from the device.
Bandwidth          Channel bandwidth used by the device.
Channels-affected  Radio channels affected by the wireless device.
Signal-strength    Strength of the signal sent from the device, in dBm.
Duty-cycle         Device duty cycle. This value represents the percent of time the device broadcasts a signal.
Add-time           Time at which the device was first detected.
Update-time        Time at which the device's status was updated.

Related Commands
Command                                     Description                                                                                                                             Mode
ap spectrum local-override                  Convert an AP or AM into a spectrum monitor by adding it to the spectrum local-override list.                                           Config mode on master or local switches
rf dot11a-radio-profile mode spectrum-mode  Set an 802.11a radio so the device operates as a spectrum monitor, and can send spectrum analysis data to a desktop or laptop client.  Config mode on master or local switches
rf dot11g-radio-profile mode spectrum-mode  Set an 802.11g radio so the device operates as a spectrum monitor, and can send spectrum analysis data to a desktop or laptop client.  Config mode on master or local switches

Command History
Introduced in AOS-W 6.0.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Enable or Config mode on master or local switches


show ap spectrum device-log
show ap spectrum device-log {ap-name <ap-name>}|{ip-addr <ip-addr>} freq-band 2.4ghz|5ghz [type audio-ff|bluetooth|cordless-phone-ff|cordless-phone-fh| generic-ff|generic-fh|generic-interferer|microwave|microwave-inverter|video|xbox]

Description
This command shows a time log of add and delete events for non-Wi-Fi devices.
Syntax

Parameter              Description
ap-name <ap-name>      Name of the spectrum monitor or hybrid AP for which you want to view spectrum information.
ip-addr <ip-addr>      IP address of the spectrum monitor or hybrid AP for which you want to view spectrum information.
freq-band 2.4ghz|5ghz  View information for a specific radio type, either 2.4 GHz or 5 GHz.
type                   Show data for a specific device type only.
audio-ff               Show only audio fixed frequency devices.
bluetooth              Show only bluetooth devices. NOTE: This option is available only for 2.4 GHz spectrum device radios.
cordless-base-fh       View information for frequency-hopping cordless phone bases seen by the spectrum device.
cordless-phone-ff      View information for frequency-hopping cordless phones seen by the spectrum device.
cordless-network-fh    View information for frequency-hopping cordless network devices seen by the spectrum device.
generic-ff             View information for generic fixed-frequency devices seen by the spectrum device.
generic-fh             View information for generic frequency-hopping devices seen by the spectrum device.
generic-interferer     Show only generic interfering devices.
microwave              Show only microwave devices. NOTE: This option is available only for 2.4 GHz spectrum device radios.
microwave-inverter     Show only microwave inverter devices. NOTE: This option is available only for 2.4 GHz spectrum device radios.
video                  Show only video fixed frequency devices.
xbox                   Show only xbox frequency hopper devices. NOTE: This option is available only for 2.4 GHz spectrum device radios.

Usage Guidelines
Use this table to show a time log of when non-Wi-Fi devices were added to and deleted from the Wi-fi Device log table. For additional details about non-Wi-Fi device types shown in this table, see Non-Wi-Fi Interferers on page 886.

A hybrid AP on a 20 MHz channel will see 40 MHz Wi-Fi data as non-Wi-Fi data.

Examples
The output of this example shows that the spectrum monitor ap123 logged data for four frequency-hopping cordless base devices seen by its 802.11g radio. Note that the output below is divided into two sections to better fit on the page of this document. In the AOS-W CLI, this information is displayed in a single long table.

(host) #show ap spectrum device-log ap-name ap123 freq-band 5ghz cordless-base-fh

Non-Wifi Device Log Table
-------------------------
Device Type       ID  Added/Deleted
-----------       --  -------------
Cordless Base FH  1   Added
Cordless Base FH  1   Deleted
Cordless Base FH  2   Added
Cordless Base FH  2   Deleted
Cordless Base FH  3   Added
Cordless Base FH  3   Deleted
Cordless Base FH  4   Added

Signal Strength
---------------
78 78 78 78 80 80 80

Duty Cycle
----------
5 5 5 5 5 5 5

Center Freq
-----------
5773281 5747343 5757656 5760469 5802813 5802813 5770781

Start Freq
----------
5733281 5707343 5717656 5720469 5762813 5762813 5730781

End Freq
--------
5813281 5787343 5797656 5800469 5842813 5842813 5810781

Channels Affected
-----------------
153 149 153 157 161 165 153 153 157 161 165 161 161 153

Bandwidth
---------
80000 80000 80000 80000 80000 80000 80000

Total:7
Current Time:2012-09-25 12:04:54

The output of this command includes the following information:

Column             Description
Device Type        Type of non-Wi-Fi device detected by the spectrum monitor or hybrid AP.
ID                 The spectrum ID number assigned to that device. Spectrum monitors and hybrid APs assign a unique spectrum ID per device type.
Added/Deleted      The non-Wi-Fi Device Log table can show signal data for a device when that device was added or removed from the log table.
Signal Strength    Strength of the signal sent by the device.
Duty Cycle         Device duty cycle. This value represents the percent of time a signal is broadcast on a specific channel or frequency.
Center Freq        Center frequency of the signal sent by the device.
Start Freq         Lowest signal frequency sent by the device.
End Freq           Highest signal frequency sent by the device.
Channels affected  Radio channels affected by the device signal.
Bandwidth          Amount of signal bandwidth used by the device, in kilohertz.

Related Commands
Command                                     Description                                                                                                                             Mode
ap spectrum local-override                  Convert an AP or AM into a spectrum monitor by adding it to the spectrum local-override list.                                           Config mode on master or local switches
rf dot11a-radio-profile mode spectrum-mode  Set an 802.11a radio so the device operates as a spectrum monitor, and can send spectrum analysis data to a desktop or laptop client.  Config mode on master or local switches
rf dot11g-radio-profile mode spectrum-mode  Set an 802.11g radio so the device operates as a spectrum monitor, and can send spectrum analysis data to a desktop or laptop client.  Config mode on master or local switches

Command History
Introduced in AOS-W 6.0.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Enable or Config mode on master or local switches


show ap spectrum device-summary
show ap spectrum device-summary {ap-name <ap-name>}|{ip-addr <ip-addr>} freq-band 2.4ghz|5ghz
Description
This command shows the numbers of Wi-Fi and non-Wi-Fi device types on each channel monitored by a spectrum monitor or hybrid AP.
Syntax

Parameter              Description
ap-name <ap-name>      Name of the spectrum monitor or hybrid AP for which you want to view spectrum information.
ip-addr <ip-addr>      IP address of the spectrum monitor or hybrid AP for which you want to view spectrum information.
freq-band 2.4ghz|5ghz  View information for a specific radio type, either 2.4 GHz or 5 GHz.

Usage Guidelines
Use this command to show the types of devices that the spectrum device can detect on each channel it monitors. For additional details about non-Wi-Fi device types shown in this table, see Non-Wi-Fi Interferers on page 886.

Examples
The output of this example shows that the spectrum monitor ap123 is able to detect 61 Wi-Fi devices on channel 149g.

(host) #show ap spectrum device-summary ap-name ap123 freq-band 5ghz

Device Summary Table
--------------------
Device               149  153  157  161  165
-------              ---  ---  ---  ---  ---
Unknown              0    0    0    0    0
WIFI                 61   6    14   29   9
Microwave            0    0    0    0    0
Bluetooth            0    0    0    0    0
Generic Fixed Freq   0    0    0    0    0
Cordless Phone FF    0    0    0    0    0
Video                0    0    0    0    0
Audio                0    0    0    0    0
Generic Freq Hopper  0    0    0    0    0
Cordless Phone FH    0    0    0    0    0
Xbox                 0    0    0    0    0
Microwave Inverter   0    0    0    0    0

Total:12

Related Commands
Command                                     Description                                                                                                                             Mode
ap spectrum local-override                  Convert an AP or AM into a spectrum monitor by adding it to the spectrum local-override list.                                           Config mode on master or local switches
rf dot11a-radio-profile mode spectrum-mode  Set an 802.11a radio so the device operates as a spectrum monitor, and can send spectrum analysis data to a desktop or laptop client.  Config mode on master or local switches
rf dot11g-radio-profile mode spectrum-mode  Set an 802.11g radio so the device operates as a spectrum monitor, and can send spectrum analysis data to a desktop or laptop client.  Config mode on master or local switches

Command History
Introduced in AOS-W 6.0.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Enable or Config mode on master or local switches


show ap spectrum interference-power
show ap spectrum interference-power {ap-name <ap-name>}|{ip-addr <ip-addr>} freq-band 2.4ghz|5ghz [<chan-width>]
Description
This command shows the interference power detected by an 802.11a or 802.11g radio on a spectrum monitor or hybrid AP.
Syntax

Parameter              Description
ap-name <ap-name>      Name of the spectrum monitor or hybrid AP for which you want to view spectrum information.
ip-addr <ip-addr>      IP address of the spectrum monitor or hybrid AP for which you want to view spectrum information.
freq-band 2.4ghz|5ghz  View information for a specific radio type, either 2.4 GHz or 5 GHz.
<chan-width>           Specify 20MHz or 40MHz to select the channel width for which you want to view information. If you do not specify a channel width, the output of this command will display the default 20MHz setting.

Usage Guidelines
This table displays information about AP power levels, channel noise and adjacent channel interference seen on each channel by a spectrum monitor or hybrid AP radio.
The output of this command displays the noise floor of each selected channel in dBm. The noise floor of a channel depends on the noise figure of the RF components used in the radio, temperature, presence of certain types of interferers or noise, and the width of the channel. For example, in a clean environment, the noise floor of a 20 MHz channel will be around -95 dBm and that of a 40 MHz channel will be around -92 dBm. Certain types of fixed frequency continuous transmitters such as video bridges, fixed frequency phones, and wireless cameras typically elevate the noise floor as seen by the Wi-Fi radio. Other interferers such as the frequency hopping phones, Bluetooth and Xbox devices may not affect the noise floor of the radio. A Wi-Fi radio can only reliably decode Wi-Fi signals that are a certain dB above the noise floor and therefore estimating and understanding the actual noise floor of the radio is critical to understanding the reliability of the RF environment.
The ACI column in the Interference Power Chart displays adjacent-channel interference (ACI) power levels based on the signal strength(s) of the Wi-Fi APs on adjacent channels. A higher ACI value in the Interference Power Chart does not necessarily mean higher interference, since the AP that contributes the maximum ACI may or may not be actively transmitting data to other clients at all times. The ACI power levels are derived from the signal strength of the beacons.

Examples
The output of this example shows interference power levels for each channel seen by the spectrum monitor ap123.

(host)# show ap spectrum interference-power ap-name ap123 freq-band 5ghz

Interference Power Table
------------------------
Channel  Noise Floor(dBm)  Max Interference(dBm)  Max AP Signal(dBm)  Max AP SSID        Max AP BSSID       ACI(dBm)
-------  ----------------  ---------------------  ------------------  -----------        ------------       --------
149      -91               -71                    -40                 ethersphere-wpa2   00:24:6c:80:7b:c9  -77
153      -63               -58                    -42                 guest              00:1a:1e:87:c1:90  -63
157      -92               -60                    -48                 alpha              00:1a:1e:50:01:30  -74
161      -94               -70                    -39                 00:24:6C:C0:15:EB  00:24:6c:81:57:c8  -61
165      -93               -69                    -26                 sw-jfb-attack      00:1a:1e:9b:1d:c8  -74
149+     -60               -58                    -40                 ethersphere-wpa2   00:24:6c:80:7b:c9  -0
157+     -89               -60                    -39                 00:24:6C:C0:15:EB  00:24:6c:81:57:c8  -0

The output of this command includes the following information:

Column                        Description
Channel                       An 802.11a or 802.11g radio channel.
Noise Floor (dBm)             Current noise floor recorded on the channel.
Max AP Signal (dBm)           Power level of the AP on the channel with the highest signal power.
Max AP SSID                   SSID of the AP on the channel with the highest signal power.
Max AP BSSID                  BSSID of the AP on the channel with the highest signal power.
ACI (dBm)                     Adjacent channel interference level detected by the spectrum device.
Max Interference Power (dBm)  Signal strength of the non-Wi-Fi device that has the highest signal strength.
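
The following Python sketch is an added example, not part of the guide or of AOS-W. It parses saved show ap spectrum interference-power output and flags channels whose noise floor sits well above the clean-environment figures quoted in the usage guidelines (-95 dBm at 20 MHz, -92 dBm at 40 MHz). The 10 dB margin, the reading of a trailing + or - as a 40 MHz channel, and the SSIDs and BSSIDs in the sample are assumptions of this example; the numeric readings follow the example output above.

```python
import re
from dataclasses import dataclass

# Clean-environment noise floors quoted in the usage guidelines (dBm).
CLEAN_FLOOR_DBM = {20: -95, 40: -92}
# Assumption of this example: a floor this many dB above the clean figure
# counts as elevated. The guide gives no threshold; tune it per site.
ELEVATION_MARGIN_DB = 10

CHANNEL_RE = re.compile(r"^\d+[+-]?$")
BSSID_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")

# Constructed sample in the documented column order. SSIDs and BSSIDs are
# made up, and one SSID contains a space on purpose.
SAMPLE_OUTPUT = """\
Interference Power Table
------------------------
Channel  Noise Floor(dBm)  Max Interference(dBm)  Max AP Signal(dBm)  Max AP SSID  Max AP BSSID       ACI(dBm)
-------  ----------------  ---------------------  ------------------  -----------  ------------       --------
149      -91               -71                    -40                 corp-wpa2    02:00:00:00:00:01  -77
153      -63               -58                    -42                 guest wifi   02:00:00:00:00:02  -63
157      -92               -60                    -48                 lab          02:00:00:00:00:03  -74
161      -94               -70                    -39                 corp-wpa2    02:00:00:00:00:04  -61
165      -93               -69                    -26                 lab          02:00:00:00:00:05  -74
149+     -60               -58                    -40                 corp-wpa2    02:00:00:00:00:01  -0
157+     -89               -60                    -39                 lab          02:00:00:00:00:04  -0
"""


@dataclass
class ChannelReading:
    channel: str
    width_mhz: int
    noise_floor: int
    max_interference: int
    max_ap_signal: int
    ssid: str
    bssid: str
    aci: int

    @property
    def elevation_db(self) -> int:
        """How far the floor sits above the clean figure for this width."""
        return self.noise_floor - CLEAN_FLOOR_DBM[self.width_mhz]

    @property
    def headroom_db(self) -> int:
        """Margin between the strongest AP signal and the noise floor."""
        return self.max_ap_signal - self.noise_floor


def parse_interference_power(text):
    """Return (readings, skipped). Rows that start with a channel number but
    do not fit the layout are reported in `skipped`, not silently dropped."""
    readings, skipped = [], []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or not CHANNEL_RE.match(tokens[0]):
            continue  # title, header and rule lines
        try:
            if len(tokens) < 6 or not BSSID_RE.match(tokens[-2]):
                raise ValueError("unexpected column layout")
            noise, interference, ap_signal = (int(t) for t in tokens[1:4])
            aci = int(tokens[-1])
        except ValueError:
            skipped.append(line)
            continue
        # The SSID is whatever sits between the fourth column and the BSSID,
        # so SSIDs that contain spaces survive the whitespace split.
        ssid = " ".join(tokens[4:-2])
        # Assumption: a trailing + or - marks a 40 MHz channel pair.
        width = 40 if tokens[0][-1] in "+-" else 20
        readings.append(ChannelReading(tokens[0], width, noise, interference,
                                       ap_signal, ssid, tokens[-2].lower(), aci))
    return readings, skipped


def elevated_channels(readings, margin_db=ELEVATION_MARGIN_DB):
    """Channels whose noise floor is at least margin_db above the clean floor."""
    return [r for r in readings if r.elevation_db >= margin_db]


if __name__ == "__main__":
    rows, bad = parse_interference_power(SAMPLE_OUTPUT)
    for r in elevated_channels(rows):
        print(f"channel {r.channel}: floor {r.noise_floor} dBm "
              f"(+{r.elevation_db} dB over clean), AP headroom {r.headroom_db} dB")
    for line in bad:
        print("could not parse:", line)
```

An elevated floor on its own does not identify the source; pairing the flagged channels with show ap spectrum device-list output for the same radio shows which fixed-frequency device types are present on them.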

Command History
Introduced in AOS-W 6.0.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Enable or Config mode on master or local switches


show ap spectrum-load-balancing
show ap spectrum-load-balancing [group <group>]
Description
Show spectrum load balancing information for an AP with this feature enabled.
Syntax

Parameter      Description
group <group>  Filter this information to show only data for the specified spectrum load balancing domain.

Examples
The output of the command below shows the APs currently using the spectrum load-balancing domain default-1.

(host) #show ap spectrum-load-balancing group default-1

Spectrum Load Balancing Group
-----------------------------
Name     IP Address       Domain     Assignment  Clients
----     ----------       ------     ----------  -------
ap121-1  192.168.151.253  default-1  149/21      3
ap124-1  192.168.151.254  default-1  48/15       3
ap125-1  192.168.151.251  default-1  44/15       2

The output of this command includes the following information:

Column      Description
Name        Name of an AP.
IP address  AP IP address.
Domain      Name of the spectrum load balancing domain assigned to the AP.
Assignment  Current channel and power assignment for the AP.
Clients     Number of clients currently using the AP.

Command History
Introduced in AOS-W 3.3.2.14.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Enable or Config mode on master switches


show ap spectrum local-override
show ap spectrum local-override

Description
This command shows a list of AP radios currently converted to spectrum monitors via the spectrum local-override list.

Syntax
No parameters

Examples

The output of this example shows that three APs each have two radios defined as spectrum monitors.

(host) #show ap spectrum local-override

Spectrum Local Override Profile
-------------------------------
Parameter       Value
---------       -----
Override Entry  AP ap125 band 2ghz
Override Entry  AP ap125 band 5ghz
Override Entry  AP ap105 band 2ghz
Override Entry  AP ap105 band 5ghz
Override Entry  AP apcorp1 band 2ghz
Override Entry  AP APcorp1 band 5ghz

The Value column in the output of this command includes the following information:

Parameter       Description
Override Entry  Indicates that an AP radio has been added to the local override list.
Value           Radio that has been added to the override list, and the band used by that radio.

Related Commands
Command                                     Description                                                                                                                             Mode
ap spectrum local-override                  Convert an AP or AM into a spectrum monitor by adding it to the spectrum local-override list.                                           Config mode on master or local switches
rf dot11a-radio-profile mode spectrum-mode  Set an 802.11a radio so the device operates as a spectrum monitor, and can send spectrum analysis data to a desktop or laptop client.  Config mode on master or local switches
rf dot11g-radio-profile mode spectrum-mode  Set an 802.11g radio so the device operates as a spectrum monitor, and can send spectrum analysis data to a desktop or laptop client.  Config mode on master or local switches

Command History
Introduced in AOS-W 6.0.


Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Enable or Config mode on master or local switches


show ap spectrum monitors
show ap spectrum monitors

Description
This command shows a list of APs terminating on the switch that are currently configured as spectrum monitors or hybrid APs.

Syntax
No parameters

Examples
The output of this example shows that the 802.11a radio on a spectrum monitor named ap123 is sending spectrum analysis data to a client with the IP address 10.240.16.177.

(host)#show ap spectrum monitors

List of Sensors

---------------

AP name

Group AP Type Phy Band

Subscribe Time

-------

----- ------- --- ----

--------------

00:24:6c:c0:0c:89 default 105

G 2GHz

10.240.16.177 2011-01-21 07:09:32 AM

00:24:6c:c0:0c:89 default 105

A 5GHz

2011-01-21 07:17:57 AM

00:24:6c:c7:d6:1c default 93

A 5GHz

2011-01-21

07:18:22 AM

The output of this command includes the following information:

Channel Mode

------- ----

-----

1

Access Point

44+

Access Point

10.240.16.177

-

Spectrum Monitor 10.240.16.177

Column          Description
AP name         Name of an AP configured as a spectrum monitor or hybrid AP.
Group           Name of the spectrum device's AP group.
AP Type         The AP model number.
Phy             The radio's PHY type. Possible values are A for 802.11a and G for 802.11b/g.
Band            Spectrum band that the spectrum monitor or hybrid AP radio is currently monitoring.
Mode            This column shows whether the device is an access point configured as a hybrid AP, or a spectrum monitor.
Client IP       IP address of the client to which the spectrum monitor or hybrid AP is sending data.
Subscribe time  Time at which the spectrum monitor or hybrid AP was connected to the client.

Command History
Introduced in AOS-W 6.0.


Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Enable or Config mode on master or local switches


show ap spectrum technical-support
show ap spectrum technical-support ap-name <ap-name> <filename>
Description
Save spectrum data for later analysis by technical support.
Syntax

Parameter   Description
<ap-name>   Save technical support information for a specific spectrum monitor.
<filename>  Name of the file to which this data should be saved. This file does not have to already exist on the switch; the show ap spectrum technical-support command will create this file.

Usage Guidelines
Use this command under the supervision of your Alcatel-Lucent technical support representative to troubleshoot spectrum analysis issues or errors.
Command History
Introduced in AOS-W 6.0.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Enable or Config mode on master switches


show ap system-profile
show ap system-profile <profile>
Description
Show an AP's system profile settings.
Syntax

Parameter  Description
<profile>  Name of a system profile.

Examples
The output of the command below shows the current configuration settings for the default system profile.

(host) #show ap system-profile default

AP system profile "default"
---------------------------
Parameter                          Value
---------                          -----
RF Band                            g
RF Band for AM mode scanning       all
Native VLAN ID                     1
Corporate DNS Domain               N/A
SNMP sysContact                    N/A
LED operating mode (11n APs only)  normal
SAP MTU                            N/A
LMS IP                             N/A
Backup LMS IP                      N/A
LMS IPv6                           N/A
Backup LMS IPv6                    N/A
LMS Preemption                     Disabled
LMS Hold-down Period               600 sec
Remote-AP DHCP Server VLAN         N/A
Remote-AP DHCP Server Id           192.168.11.1
Remote-AP DHCP Default Router      192.168.11.1
Remote-AP DHCP DNS Server          N/A
Remote-AP DHCP Pool Start          192.168.11.2
Remote-AP DHCP Pool End            192.168.11.254
Remote-AP DHCP Pool Netmask        255.255.255.0
Remote-AP DHCP Lease Time          0 days
Remote-AP uplink total bandwidth   0 kbps
Remote-AP bw reservation 1         N/A
Remote-AP bw reservation 2         N/A
Remote-AP bw reservation 3         N/A
Remote-AP Local Network Access     Disabled
Bootstrap threshold                8
Double Encrypt                     Disabled
Dump Server                        N/A
Heartbeat DSCP                     0
Maintenance Mode                   Disabled
Maximum Request Retries            10
Request Retry Interval             10 sec
Number of IPSEC retries            85
Root AP                            Disabled
AeroScout RTLS Server              N/A
RTLS Server configuration          N/A
Telnet                             Disabled

The output of this command includes the following information:

Column                              Description
RF Band                             For dual-band radios, this parameter displays the RF band in which the AP should operate: g = 2.4 GHz; a = 5 GHz.
RF Band for AM mode scanning        Scanning band for multiple RF radios: g = 2.4 GHz; a = 5 GHz; all = Radio scans both bands. This is the default setting.
Native VLAN ID                      Native VLAN for bridge mode virtual APs (frames on the native VLAN are not tagged with 802.1q tags).
Session ACL                         Shows the access control list (ACL) applied on the uplink of a remote AP.
Corporate DNS Domain                DNS name used by the corporate network.
SNMP sysContact                     SNMP system contact information.
LED operating mode                  Displays the LED operating mode for indoor 802.11n APs. LEDs display as usual in the default normal operating mode, but are all turned off in off mode.
SAP MTU                             Maximum Transmission Unit (MTU) size, in bytes. This value describes the greatest amount of data that can be transferred in one physical frame.
LMS IP                              The IP address of the local management switch (LMS)--the Alcatel-Lucent switch which is responsible for terminating user traffic from the APs, and processing and forwarding the traffic to the wired network. NOTE: If the LMS-IP is blank, the access point will remain on the switch that it finds using methods like DNS or DHCP. If an IP address is configured for the LMS IP parameter, the AP will be immediately redirected to the switch at that address.
Backup LMS IP                       For multi-switch networks, this parameter displays the IP address of a backup to the IP address specified with the lms-ip parameter.
LMS IPv6                            In multi-switch ipv6 networks, this parameter specifies the IPv6 address of the local management switch (LMS)--the Alcatel-Lucent switch--which is responsible for terminating user traffic from the APs, and processing and forwarding the traffic to the wired network. This can be the IP address of the local or master switch.
Backup LMS IPv6                     In multi-switch ipv6 networks, this parameter specifies the IPv6 address of a backup to the IPv6 address specified with the LMS IPv6 setting.
LMS Preemption                      When this parameter is enabled, the local management switch automatically reverts to the primary LMS IP address when it becomes available.
LMS Hold-down Period                Time, in seconds, that the primary LMS must be available before an AP returns to that LMS after failover.
Remote-AP DHCP Server VLAN          VLAN ID of the remote AP DHCP server used if the switch is unavailable. This VLAN enables the DHCP server on the AP (also known as the remote AP DHCP server VLAN). If you enter the native VLAN ID, the DHCP server is unavailable.
Remote-AP DHCP Server ID            IP address used as the DHCP server identifier.
Remote-AP DNS Server                IP address of the DNS server.
Remote-AP DHCP Default Router       IP address for the default DHCP router.
Remote-AP DHCP Pool Start           This parameter defines the starting IP address in the DHCP pool for remote APs.
Remote-AP DHCP Pool End             This parameter defines the last IP address in the DHCP pool for remote APs.
Remote-AP DHCP Pool Netmask         Configures a DHCP pool for remote APs. This is the netmask used for the DHCP pool.
Remote-AP uplink total bandwidth    This is the total reserved uplink bandwidth (in Kilobits per second).
Remote-AP bw reservation 1, 2, 3    Session ACLs with uplink bandwidth reservation in kilobits per second. You can specify up to three session ACLs to reserve uplink bandwidth. The sum of the three uplink bandwidths should not exceed the rap-bw-total value.
Remote-AP Local Network Access      Shows if Remote-AP Local Network Access is enabled or disabled. By enabling this option, the clients that are connected to a RAP can communicate. Note: By default, the Remote-AP Local Network Access will be disabled.
Bootstrap threshold                 Number of consecutive missed heartbeats on a GRE tunnel (heartbeats are sent once per second on each tunnel) before an AP rebootstraps. On the switch, the GRE tunnel timeout is 1.5 x bootstrap-threshold; the tunnel is torn down after this number of seconds of inactivity on the tunnel.
Double Encrypt                      This parameter applies only to remote APs. Double encryption is used for traffic to and from a wireless client that is connected to a tunneled SSID. When enabled, all traffic is reencrypted in the IPsec tunnel. When disabled, the wireless frame is only encapsulated inside the IPsec tunnel.
Dump Server                         (For debugging purposes.) Displays the server to receive the core dump generated if an AP process crashes.
Heartbeat DSCP                      DSCP value of AP heartbeats (0-63).
Maintenance Mode                    Shows if Maintenance mode is enabled or disabled. If enabled, APs stop flooding unnecessary traps and syslog messages to network management systems or network operations centers when deploying, maintaining, or upgrading the network. The switch still generates debug syslog messages if debug logging is enabled.
Maximum Request Retries             Maximum number of times to retry AP-generated requests, including keepalive messages. After the maximum number of retries, the AP either tries the IP address specified by the bkup-lms-ip (if configured) or reboots.
Request Retry Interval              Interval, in seconds, between the first and second retries of AP-generated requests. If the configured interval is less than 30 seconds, the interval for subsequent retries is increased up to 30 seconds.
Number of IPSEC retries             The number of times the AP will attempt to recreate an IPsec tunnel with the master switch before the AP will reboot. A value of 0 disables the reboot.
Root AP                             This parameter identifies the root AP in a hierarchy of Remote APs.
AeroScout RTLS Server               IP address of an AeroScout real-time asset location (RTLS) server.
RTLS Server configuration           This parameter contains the following information, separated by colons: the IP address of the RTLS server to which the AP sends RFID tag information; the number of the RTLS server port to which the AP sends RFID tag information; the shared secret key for the server; the frequency at which packets are sent to the server, in seconds.
Telnet                              Reports whether telnet access to the AP is enabled or disabled.

Command History
Release: Modification
AOS-W 3.0: Command introduced
AOS-W 3.2: Support for additional RTLS servers and remote AP enhancements was introduced.
AOS-W 3.3.2:
- Maintenance-mode parameter was introduced.
- Multiple remote AP DHCP server enhancements were introduced.
- Support for RFprotect server and backup server configuration was introduced.
- The mms-rtls-server parameter was deprecated in AOS-W 3.3.2.
AOS-W 5.0: The master-ip, rfprotect-server-ip and rfprotect-bkup-server parameters were deprecated.
AOS-W 6.0: Added support for the option to set the RF scanning band (am-scan-rf-band). The keepalive-interval parameter was deprecated.

Command Information

Platforms: All platforms
Licensing: Base operating system
Command Mode: Enable or Config mode on master switches

show ap tech-support
show ap tech-support ap-name <name> [<filename>]
Description
Display all information for an AP, or save that information to a file on the switch. This information can be used by Alcatel-Lucent technical support to diagnose a problem with an AP.
Syntax

Parameter: Description
<name>: Name of the AP for which you want to view tech support data.
<filename>: Save the output of this command into a file on the switch with the specified filename.

Usage Guidelines
This is an internal technical support command. Alcatel-Lucent technical support may request that you issue this command to help analyze and troubleshoot problems with an AP or your wireless network.
Command History
Introduced in AOS-W 3.0.
Command Information

Platforms: All platforms
Licensing: Base operating system
Command Mode: Enable or Config mode on master switches

show ap vlan-usage
show ap vlan-usage [{ap-name <ap-name>}|{bssid <bssid>}|{essid <essid>}|{ip-addr <ip-addr>}]
Description
Show the number of clients on each VLAN.
Syntax

Parameter: Description
ap-name <ap-name>: Show VLAN data for an AP with a specific name.
bssid <bssid>: Show VLAN data for a specific Basic Service Set Identifier (BSSID) on an AP. The Basic Service Set Identifier (BSSID) is usually the AP's MAC address.
essid <essid>: Show VLAN data for a specific Extended Service Set Identifier (ESSID). An Extended Service Set Identifier (ESSID) is an alphanumeric name that uniquely identifies a wireless network. If the name includes spaces, you must enclose the ESSID in quotation marks.
ip-addr <ip-addr>: Show VLAN data for an AP with a specific IP address by entering an IP address in dotted-decimal format.

Examples

The output of this command displays the VLAN Usage table.

(host) #show ap vlan-usage

VLAN Usage Table
----------------
VLAN ID  Clients
-------  -------
64       1
65       32
66       44

The output of this command includes the following information:

Column: Description
VLAN ID: ID number of the wireless VLAN.
Clients: Number of clients currently using the specified VLAN.

Command History
Introduced in AOS-W 3.0.
Command Information

Platforms: All platforms
Licensing: Base operating system
Command Mode: Enable or Config mode on master switches

show ap wired-ap-profile
show ap wired-ap-profile [<profile>]
Description
Show a list of all wired AP profiles, or display the configuration parameters in a specific wired AP profile.
Syntax

Parameter: Description
<profile>: Name of a wired AP profile.

Usage Guidelines
The command show ap wired-ap-profile displays a list of all wired AP profiles, including the number of references to each profile and the profile status. If you include the optional <profile> parameter, the command will display detailed information for that one profile.

Example
The output of this command shows the configuration parameters for the wired AP profile "default".

(host) #show ap wired-ap-profile default

Wired AP profile "default"
--------------------------
Parameter                 Value
---------                 -----
Wired AP enable           Disabled
Forward mode              tunnel
Switchport mode           access
Access mode VLAN          1
Trunk mode native VLAN    1
Trunk mode allowed VLANs  1-4094
Trusted                   Not Trusted
Broadcast                 Broadcast

The output of this command includes the following information:

Column: Description
Wired AP enable: Indicates whether the wired AP profile is enabled or disabled.
Forward mode: The configured forward mode for the profile.
- bridge: Bridge locally
- split-tunnel: Tunnel to switch or NAT locally
- tunnel: Tunnel to switch
Switchport mode: The profile's switching mode.
- access: Set access mode characteristics of the interface.
- mode: Set trunking mode of the interface.
- trunk: Set trunk mode characteristics of the interface.
Access mode VLAN: VLAN ID of the access mode VLAN.
Trunk mode native VLAN: VLAN ID of the native VLAN.
Trunk mode allowed VLANs: Range of allowed VLAN IDs for the native VLAN.
Trusted: Shows if the wired port on an AP using this profile is a trusted port. Possible values are Trusted or Not Trusted.
Broadcast: If set to broadcast, the wired AP port will forward broadcast traffic. If the parameter displays Do Not Broadcast, broadcast traffic will not be forwarded.

Command History
Introduced in AOS-W 3.0.
Command Information

Platforms: All platforms
Licensing: Base operating system
Command Mode: Enable or Config mode on master switches

show ap wired-port-profile
show ap wired-port-profile

Description
Shows all AP wired port profiles and their status.

Syntax
No parameters.

Example
The example below shows that the switch has three wired port profiles. The References column lists the number of other profiles with references to the wired port profile, and the Profile Status column indicates whether the profile is predefined. User-defined profiles will not have an entry in the Profile Status column.
(host) (config) #show ap wired-port-profile

AP wired port profile List
--------------------------
Name             References
----             ----------
default          3
NoAuthWiredPort  4
shutdown         3

Total:3

Profile Status
--------------
Predefined (editable)
Predefined

The following command displays information for an individual wired port profile:

(host)#show ap wired-port-profile default

AP wired port profile "default"
-------------------------------
Parameter                                   Value
---------                                   -----
Wired AP profile                            default
Ethernet interface link profile             default
AP LLDP profile                             default
Shut down?                                  No
Remote-AP Backup                            Enabled
AAA Profile                                 N/A
Time to wait for authentication to succeed  20 sec

The output of this command includes the following information:

Parameter: Description
Wired AP profile: Name of a wired AP profile to be used by devices connecting to the AP's wired port. The wired AP profile defines the forwarding mode and switchport values used by the port.
Ethernet interface link profile: An Ethernet Link profile to be used by devices connecting to the AP's wired port profile. This profile defines the duplex value and speed to be used by the port.
AP LLDP Profile: Name of an LLDP Profile associated with this wired port.
Shut Down?: Shows if the wired AP port is enabled (no) or disabled (yes).
Remote AP Backup: Use the rap-backup parameter to use the wired port on a Remote AP for local connectivity and troubleshooting when the AP cannot reach the switch. If the AP is not connected to the switch, no firewall policies will be applied when this option is enabled. (The AAA profile will be applied when the AP is connected to the switch.)
AAA Profile: Name of a AAA profile to be used by devices connecting to the AP's wired port.
Time to wait for authentication to succeed: Authentication timeout value, in seconds, for devices connecting to the AP's wired port. The supported range is 1-65535 seconds, and the default value is 20 seconds.

Command History
This command was introduced in AOS-W 5.0.
Command Information

Platforms: All platforms
Licensing: Base operating system
Command Mode: Enable or Config mode on master switches

show ap wired stats
show ap wired stats {ap-name <ap-name>} | {ip-addr <ip-addr>}|{client-ip <client-ip>} | {client-mac <client-mac>}
Description
Shows statistics for RAP wired clients.
Syntax

Parameter: Description
ap-name <ap-name>: Show wired RAP statistics for a specified AP name.
ip-addr <ip-addr>: Show wired RAP statistics for a specified AP by entering an IP address in dotted-decimal format.
client-ip <client-ip>: Show wired RAP statistics for a specified client IP address.
client-mac <client-mac>: Show wired RAP statistics for a specified client MAC address.

Example
(host) #show ap wired stats ap-name rap5wn client-mac 00:14:d1:19:3c:0b

RAP Wired User Statistics
-------------------------
Counter               Value
-------               -----
Slot                  0
Port                  1
VLAN                  1
TX Packets            78
TX Bytes              7894
RX Packets            37
RX Bytes              5352
TX Broadcast Packets  36
TX Broadcast Bytes    4410
TX Multicast Packets  22
TX Multicast Bytes    1990

The output of this command includes the following information:

Column: Description
Slot: Slot number
Port: Port number
VLAN: Associated VLAN number
TX Packets: Number of packets sent
TX Bytes: Number of bytes sent
RX Packets: Number of packets received
RX Bytes: Number of bytes received
TX Broadcast Packets: Number of broadcast packets sent
TX Broadcast Bytes: Number of broadcast bytes sent
TX Multicast Packets: Number of multicast packets sent
TX Multicast Bytes: Number of multicast bytes sent

Command History
Introduced in AOS-W 5.0.
Command Information

Platforms: All platforms
Licensing: Base operating system
Command Mode: Enable or Config mode on master switches

show ap wmm-flow
show ap wmm-flow [{ap-name <ap-name>}|{bssid <bssid>}|{essid <essid>}|{ip-addr <ip-addr>}] dot11a|dot11g
Description
Show the Wireless Multimedia (WMM) flow table.
Syntax

Parameter: Description
ap-name <ap-name>: View an AP with a specified name.
bssid <bssid>: View data for an AP with a specific BSSID (Basic Service Set Identifier). The Basic Service Set Identifier (BSSID) is usually the AP's MAC address.
essid <essid>: View data for a specific ESSID (Extended Service Set Identifier). An Extended Service Set Identifier (ESSID) is an alphanumeric name that uniquely identifies a wireless network. If the name includes spaces, you must enclose the ESSID in quotation marks.
ip-addr <ip-addr>: View an AP with a specified IP address by entering an IP address in dotted-decimal format.
dot11a: Show the WMM flow table for an 802.11a radio.
dot11g: Show the WMM flow table for an 802.11g radio.

Usage Guidelines
WMM, or Wireless Multimedia Extensions, are a subset of the 802.11e standard. WMM provides for four different types of traffic classification: voice, video, best effort, and background, with voice having the highest priority and background the lowest. Issue the show ap wmm-flow command to view WMM flow data for all APs. Include any of the optional parameters described in the table above to filter the table by a specific AP, radio channel (a or g), or both an AP and radio type.

Example
The example below shows WMM flow data for all APs.

(host) #show ap wmm-flow

WMM Flow Table
--------------
AP Name    ESSID  Client             Description
-------    -----  ------             -----------
AP125-srk  NOE    00:90:7a:06:1f:5b  tsid 6:prio 6:inactivity 2157352960 us:bidir:apsd:normalack:tclas prio 6 ip DIP-192.168.101.194 DP-32514 DSCP-48:one-match
AP125-srk  NOE    00:90:7a:06:1f:5b  tsid 0:prio 0:inactivity 100000000 us:bidir:apsd:normalack:no-match

Num Flows:0

The output of this command includes the following parameters:

Column: Description
AP name: Name of an AP with recorded WMM flows
ESSID: Extended Service Set Identifier (ESSID) of a wireless network.
Client: MAC address of the client.
Description: The description is a long string that includes the following information.
  TSID: Traffic Stream Identifier. The TSID should match the priority level for each flow.
  Priority: One of the following IEEE 802.1p priority values:
  - 0,3 = Best Effort
  - 1,2 = Background
  - 4-5 = Video
  - 6-7 = Voice
  Inactivity: Tspec inactivity threshold, in microseconds.
  <country code>: AP country code, e.g. US.
  bidir: flow is bidirectional.
  apsd: flow has enabled auto power save delivery.
  <ack>: Displays the ack policy negotiated for the flow. Possible values are:
  - normalack
  - noack
  - blockack
  - resack (reserved ack)
  Tclas: traffic classification element. Tclas information includes one of the following classification types, the 802.1p priority and IP version (ver-4 or ver-6)
  - type0 - Classification based on Ethernet parameters
  - type1 - Classification based on TCP/UDP or IP parameters (IPv4 or IPv6)
  - type2 - Classification based on IEEE802.1Q
  DIP: Destination IP address for the flow.
  DP: Destination IP Port specified in the TCLAS for flow negotiation.
  DSCP: The Differentiated Services Code Point (DSCP) priority value that matches the flow's 802.1p priority.

Command History
Introduced in AOS-W 3.0.
Command Information

Platforms: All platforms
Licensing: Base operating system
Command Mode: Enable or Config mode on master switches

show arp
show arp

Description
Show Address Resolution Protocol (ARP) entries for the switch.

Syntax
No parameters

Example

This example shows configured static ARP entries for the switch.

(host) #show arp

Protocol  Address       Hardware Address   Interface
Internet  10.3.129.98   00:1A:1E:C0:80:28  vlan1
Internet  10.3.129.253  00:0B:86:42:35:80  vlan1
Internet  10.3.129.250  00:1A:92:45:DB:00  vlan1
Internet  10.3.129.99   00:1A:1E:C0:1C:60  vlan65
Internet  10.3.129.96   00:1A:1E:C0:80:1E  vlan65
Internet  10.3.129.254  00:0B:86:02:EE:00  vlan1

The output of this command includes the following parameters:

Parameter: Description
Protocol: Protocol using ARP. Although the switch will most often use ARP to translate IP addresses to Ethernet MAC addresses, ARP may also be used for other protocols, such as Token Ring, FDDI, or IEEE 802.11, and for IP over ATM.
Address: IP address of the device.
Hardware Address: MAC address of the device.
Interface: Interface used to send ARP requests and replies.

Related Commands
Add a static Address Resolution Protocol (ARP) entry using the command show arp.
Command History
This command was available in AOS-W 3.0.
Command Information

Platforms: All platforms
Licensing: Base operating system
Command Mode: Enable and Config mode on master and local switches

show audit-trail
show audit-trail [<number>]
Description
Show the switch's audit trail log.
Syntax

Parameter: Description
<number>: Start displaying the log output from the specified number of lines from the end of the log.

Example
By default, the audit trail feature is enabled for all commands in configuration mode. The example below shows the most recent ten audit log entries for the switch.
(host) # show audit-trail 10
Feb 5 06:13:17 cli[1239]: USER: admin has logged in from 10.240.16.118.
Feb 5 06:20:13 cli[1239]: USER: admin connected from 10.240.16.118 has logged out.
Feb 5 06:24:37 cli[1239]: USER: admin has logged in from 10.240.16.118.
Feb 5 06:37:01 cli[1239]: USER:admin@10.3.129.250 COMMAND:<wlan virtual-ap "mp-only" no vap-enable > -- command executed successfully
Feb 5 06:37:14 cli[1239]: USER:admin@10.3.129.250 COMMAND:<wlan virtual-ap "mp-a-only" no vap-enable > -- command executed successfully
Feb 5 06:37:20 cli[1239]: USER:admin@10.3.129.250 COMMAND:<wlan virtual-ap "default" no vap-enable > -- command executed successfully
Feb 5 06:37:29 cli[1239]: USER:admin@10.3.129.250 COMMAND:<wlan virtual-ap "mpp-a-only" no vap-enable > -- command executed successfully
Feb 5 06:46:10 cli[1239]: USER:admin@10.3.129.250 COMMAND:<interface gigabitethernet "1/2" port monitor igigabitethernet "1/1" > -- command executed successfully
Feb 5 06:57:44 cli[1239]: USER:admin@10.3.129.250 COMMAND:<ap system-profile "default" heartbeat-dscp 12 > -- command executed successfully
Feb 5 07:05:48 cli[1239]: USER:admin@10.3.129.250 COMMAND:<wlan virtual-ap "mp-a-only" vap-enable > -- command executed successfully
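
Audit trail entries like the ones in this example can be triaged with a parser. The Python code below is an added example, not part of the AOS-W guide or the product: it handles the three entry shapes visible in the sample (login, logout, command), flags commands against a watchlist, and lists sources that ran commands without a login entry in the same window. The watchlist contents and all function names are assumptions made for illustration; the sample lines are the ones from this page.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Entries copied from the `show audit-trail 10` sample on this page; the hyphen
# that the page layout dropped from "vap-enable" at line wraps is restored.
SAMPLE = '''\
Feb 5 06:13:17 cli[1239]: USER: admin has logged in from 10.240.16.118.
Feb 5 06:20:13 cli[1239]: USER: admin connected from 10.240.16.118 has logged out.
Feb 5 06:24:37 cli[1239]: USER: admin has logged in from 10.240.16.118.
Feb 5 06:37:01 cli[1239]: USER:admin@10.3.129.250 COMMAND:<wlan virtual-ap "mp-only" no vap-enable > -- command executed successfully
Feb 5 06:37:14 cli[1239]: USER:admin@10.3.129.250 COMMAND:<wlan virtual-ap "mp-a-only" no vap-enable > -- command executed successfully
Feb 5 06:37:20 cli[1239]: USER:admin@10.3.129.250 COMMAND:<wlan virtual-ap "default" no vap-enable > -- command executed successfully
Feb 5 06:37:29 cli[1239]: USER:admin@10.3.129.250 COMMAND:<wlan virtual-ap "mpp-a-only" no vap-enable > -- command executed successfully
Feb 5 06:46:10 cli[1239]: USER:admin@10.3.129.250 COMMAND:<interface gigabitethernet "1/2" port monitor igigabitethernet "1/1" > -- command executed successfully
Feb 5 06:57:44 cli[1239]: USER:admin@10.3.129.250 COMMAND:<ap system-profile "default" heartbeat-dscp 12 > -- command executed successfully
Feb 5 07:05:48 cli[1239]: USER:admin@10.3.129.250 COMMAND:<wlan virtual-ap "mp-a-only" vap-enable > -- command executed successfully
'''

# Syslog-style prefix: "Feb 5 06:13:17 cli[1239]: <body>"
HEADER = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+\w+\[\d+\]:\s+(?P<body>.*)$")

# The three body shapes that appear in the sample output.
BODY_SHAPES = (
    ("login", re.compile(
        r"^USER:\s*(?P<user>\S+) has logged in from (?P<src>\S+?)\.?$")),
    ("logout", re.compile(
        r"^USER:\s*(?P<user>\S+) connected from (?P<src>\S+) has logged out\.?$")),
    ("command", re.compile(
        r"^USER:\s*(?P<user>[^@\s]+)@(?P<src>\S+)\s+COMMAND:<(?P<cmd>.*?)\s*>"
        r"\s+--\s+(?P<result>.*)$")),
)

# Assumed review policy (illustrative, not from the guide): command fragments
# that change traffic visibility, management access, logging or availability.
WATCHLIST = {
    "port-mirroring": re.compile(r"\bport monitor\b"),
    "telnet-management": re.compile(r"(?<!no )\btelnet (?:cli|soe)\b"),
    "audit-trail-change": re.compile(r"\baudit-trail\b"),
    "virtual-ap-disabled": re.compile(r"\bno vap-enable\b"),
}


@dataclass(frozen=True)
class Event:
    ts: str
    kind: str          # "login", "logout", "command" or "unparsed"
    user: str = ""
    src: str = ""
    cmd: str = ""      # command text, or the raw text of an unparsed line
    result: str = ""


def parse(text):
    """Turn audit-trail text into Event records; unknown lines are kept, not dropped."""
    events = []
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        head = HEADER.match(line)
        if not head:
            events.append(Event("", "unparsed", cmd=line))
            continue
        for kind, shape in BODY_SHAPES:
            m = shape.match(head["body"])
            if m:
                events.append(Event(head["ts"], kind, **m.groupdict()))
                break
        else:
            events.append(Event(head["ts"], "unparsed", cmd=head["body"]))
    return events


def flag_commands(events):
    """Return (timestamp, tag, user, src, command) for each watchlisted command."""
    return [(e.ts, tag, e.user, e.src, e.cmd)
            for e in events if e.kind == "command"
            for tag, rx in WATCHLIST.items() if rx.search(e.cmd)]


def command_sources_without_login(events):
    """Map (user, src) -> command count where no login from that pair is in the window."""
    logins = {(e.user, e.src) for e in events if e.kind == "login"}
    counts = Counter((e.user, e.src) for e in events if e.kind == "command")
    return {pair: n for pair, n in counts.items() if pair not in logins}


if __name__ == "__main__":
    evts = parse(SAMPLE)
    for ts, tag, user, src, cmd in flag_commands(evts):
        print(f"{ts}  {tag:<20} {user}@{src}  {cmd}")
    for (user, src), n in command_sources_without_login(evts).items():
        print(f"{n} command(s) from {user}@{src} with no login entry in this window")
```

A source listed by `command_sources_without_login` is a prompt to pull a longer window (`show audit-trail <number>`), since the login may simply predate the lines that were displayed.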

Related Commands
Enable or disable the audit trail feature using the command audit-trail.
Command History
This command was available in AOS-W 3.0.
Command Information

Platforms: All platforms
Licensing: Base operating system
Command Mode: Available in Enable and Config modes. Audit trails can only be enabled on master switches.

show auth-tracebuf
show auth-tracebuf [count <1-250>] [failures] [mac <address>]
Description
Show the trace buffer for authentication events.
Syntax

Parameter: Description
count <1-250>: Limit the output of the command to the specified number of packets.
failures: Filter the output of this command to display only authentication failures.
mac <address>: Filter the output of this command to display only information for a specified MAC address.

Usage Guidelines
Use the output of this command to troubleshoot 802.1X authentication errors. Include the <address> parameter to filter data by the MAC address of the client which is experiencing errors. This command can tell you, for example, when 802.1X authentication completed and when keys were plumbed correctly.

Example
The example below shows the most recent ten trace buffer entries for the switch. Each row includes the following information:

(host) # show auth-tracebuf count 10

Auth Trace Buffer
-----------------
Feb 5 08:08:29  wpa2-key2           ->  00:09:ef:05:1e:b2  00:1a:1e:97:e5:42  -   119  mic failure
Feb 5 08:08:30  wpa2-key1           <-  00:09:ef:05:1e:b2  00:1a:1e:97:e5:42  -   117
Feb 5 08:08:30  wpa2-key2           ->  00:09:ef:05:1e:b2  00:1a:1e:97:e5:42  -   119  mic failure
Feb 5 08:08:31  wpa2-key1           <-  00:09:ef:05:1e:b2  00:1a:1e:97:e5:42  -   117
Feb 5 08:08:31  station-down        *   00:09:ef:05:1e:b2  00:1a:1e:97:e5:42  -   -
Feb 5 08:08:31  station-up          *   00:09:ef:05:1e:b2  00:1a:1e:97:e5:42  -   -    wpa2 psk aes
Feb 5 08:08:31  station-data-ready  *   00:09:ef:05:1e:b2  00:00:00:00:00:00  66  -
Feb 5 08:08:31  wpa2-key1           <-  00:09:ef:05:1e:b2  00:1a:1e:97:e5:42  -   117
Feb 5 08:08:31  wpa2-key2           ->  00:09:ef:05:1e:b2  00:1a:1e:97:e5:42  -   119  mic failure
Feb 5 08:08:32  wpa2-key1           <-  00:09:ef:05:1e:b2  00:1a:1e:97:e5:42  -   117
Feb 5 08:08:32  wpa2-key2           ->  00:09:ef:05:1e:b2  00:1a:1e:97:e5:42  -   119  mic failure
Feb 5 08:08:33  wpa2-key1           <-  00:09:ef:05:1e:b2  00:1a:1e:97:e5:42  -   117
Feb 5 08:08:33  wpa2-key2           ->  00:09:ef:05:1e:b2  00:1a:1e:97:e5:42  -   119  mic failure
Feb 5 08:08:34  wpa2-key1           <-  00:09:ef:05:1e:b2  00:1a:1e:97:e5:42  -   117
Feb 5 08:08:34  wpa2-key2           ->  00:09:ef:05:1e:b2  00:1a:1e:97:e5:42  -   119  mic failure
Feb 5 08:08:35  wpa2-key1           <-  00:09:ef:05:1e:b2  00:1a:1e:97:e5:42  -   117
Feb 5 08:08:35  station-down        *   00:09:ef:05:1e:b2  00:1a:1e:97:e5:42  -   -
Feb 5 08:08:35  station-up          *   00:09:ef:05:1e:b2  00:1a:1e:97:e5:42  -   -    wpa2 psk aes
Feb 5 08:08:35  station-data-ready  *   00:09:ef:05:1e:b2  00:00:00:00:00:00  66  -

Each row in the output of this table may include some or all of the following information:
- A timestamp that indicates when the entry was created.
- The type of exchange that was made.
- The direction the packet was sent.
- The source MAC address.
- The destination MAC address.
- BSSID/Server Name.
- The packet number.
- The packet length.
- Additional information (if available), e.g. username, encryption and WPA type, or reason for failure.
Command History
This command was available in AOS-W 3.0.
Command Information

Platforms: All platforms
Licensing: Base operating system
Command Mode: Available in Enable or Config modes on master or local switches

show banner
show banner
Description
Show the current login banner
Syntax
No parameters
Usage Guidelines
Issue this command to review the banner message that appears when you first log in to the switch's command-line or browser interfaces.
Example
(host) # show banner
This testlab switch is scheduled for maintenance starting Saturday night at 11 p.m.
Related Commands
Configure a banner message using the command banner motd.
Command History
This command was available in AOS-W 3.0.
Command Information

Platforms: All platforms
Licensing: Base operating system
Command Mode: Config or Enable mode on master or local switches

show boot
show boot
Description
Display boot parameters, including the boot partition and the configuration file to use when booting the switch.
Syntax
No parameters.
Example
(host) # show boot
Config File: default.cfg
Boot Partition: PARTITION 1

Related Commands
Configure boot parameters using the command boot.
Command History
This command was available in AOS-W 1.0.
Command Information

Platforms: All platforms
Licensing: Base operating system
Command Mode: Config or Enable mode on master or local switches

show cellular profile
show cellular profile [<name>] | [factory]
Description
Display the cellular profiles and profile settings.
Syntax

Parameter: Description
<name>: Enter the name of an existing cellular profile.
factory: Display a list of factory supported cellular profiles.

Usage Guidelines
Issue this command without the <name> parameter to display configuration parameters for the entire list of available cellular profiles. Include a profile name to display configuration information for that one profile.
Example
The output of this command displays the Cellular Profile table. The example below shows eight preconfigured cellular profiles.

(host) #show cellular profile

Cellular Profile Table
----------------------
Name                  Vend  Prod  Serial  Dialer   Tty      Driver  Priority  Modeswitch
----                  ----  ----  ------  ------   ---      ------  --------  ----------
Novatel_U720          1410  2110          evdo_us  ttyUSB0  option  default
Novatel_U727          1410  4100          evdo_us  ttyUSB0  option  default
Kyocera_KPC680        0c88  180a          evdo_us  ttyUSB0  option  default
Sierra_Compass_597    1199  0023          evdo_us  ttyUSB0  sierra  default
Pantech_UM175         106c  3714          evdo_us  ttyUSB1  option  default
Sierra_USBConn_881    1199  6856          gsm_us   ttyUSB0  option  default
USBConn_Mercury_C885  1199  6880          gsm_us   ttyUSB3  option  default
Globetrotter_Icon322  0af0  d033          gsm_us   ttyHS3   hso     default

Default cellular priority: 100

The output of this command includes the following parameters:

Parameters: Description
Name: Name of a cellular profile.
Vend: Vendor ID in hexadecimal
Prod: USB product ID in hexadecimal
Serial: USB device serial number.
Dialer: Name of a dialer group profile.
TTY: Modem TTY port.
Driver: One of the following cellular modem drivers:
- acm: Linux ACM driver.
- hso: Option High Speed driver.
- option: Option USB data card driver (default).
- sierra: Sierra Wireless driver.
Priority: Displays the cellular profile priority; profiles with the default priority of 100 will display the word default in the Priority column. Range: 1 to 255. Default: 100
Modeswitch: One of two USB device modeswitch settings:
- eject: Eject the CDROM device.
- rezero: Send SCSI CDROM rezero command.

Command History
Introduced in AOS-W 3.4.
Command Information

Platforms: 600 Series
Licensing: Base operating system
Command Mode: Config or Enable mode on master or local switches

show clock
show clock [summer-time|timezone|append]
Description
Display the system clock.
Syntax

Parameter: Description
summer-time: Show summer (daylight savings) time settings.
timezone: Show the configured timezone for the switch.
append: If the timestamp feature is enabled, include a timestamp in show command output.

Usage Guidelines
Include the optional summer-time parameter to display configured daylight savings time settings. The timezone parameter shows the current timezone, with its time offset from Greenwich Mean Time.
Example
The output below shows the current time on the switch clock.

(host) # show clock
Thu Feb 5 16:52:28 PST 2009
Related Commands
Configure clock settings using the commands clock append, clock summer-time recurring, and clock timezone.
Command History
This command was available in AOS-W 1.0.
Command Information

Platforms: All platforms
Licensing: Base operating system
Command Mode: Config or Enable mode on master or local switches

show cluster-config
show cluster-config
Description
Show the multi-master cluster configuration for the control plane security feature.
Usage Guidelines
When you issue this command from the cluster root, the output of this command shows the cluster role of the switch, and the IP address of each member switch in the cluster. When you issue this command from a cluster member, the output of this command shows the cluster role of the switch, and the IP address of the cluster root.
Example
In the example below, the Cluster Role section in the output of this command shows that the switch on which the command was issued is the cluster root. The Cluster IPSEC Switches section of the output shows the IP address of each cluster member.

(host) (config) #show cluster-config

Cluster Role
------------
Root
----
Cluster IPSEC Switches
--------------------------
Switch IP address of Cluster-Members  Key
------------------------------------  ---
172.21.18.18                          ********
172.21.18.19                          ********

Related Commands

Command: control-plane-security
Description: Configure the control plane security profile.
Mode: Config mode

Command: cluster-member-ip
Description: This command sets the switch as a control plane security cluster root, and specifies the IPsec key for a cluster member.
Mode: Config mode on cluster root switches

Command: cluster-root-ip
Description: This command sets the switch as a control plane security cluster member, and defines the IPsec key for communication between the cluster member and the switch's cluster root.
Mode: Config mode on cluster member switches

Command History
This command was introduced in AOS-W 5.0.

Command Information

Platforms: All platforms
Licensing: Base operating system
Command Mode: Enable mode on cluster member or cluster root switches

show cluster-switches
show cluster-switches

Description
Issue this command on a master switch using control plane security in a multi-master environment to show the other switches to which it is connected.

Usage Guidelines
When you issue this command from the cluster root, the output of this command displays the IP address of the VLAN used by the cluster member to connect to the cluster root.
If you issue this command from a cluster member, the output of this command displays the IP address of the VLAN used by the cluster root to connect to the cluster member.

Example
In the example below, the show cluster-switches command was issued on a cluster member. The Switch-IP section of the output shows the IP address of a VLAN on cluster root, indicating that the cluster member can currently communicate with the cluster root. If the member switch cannot communicate with the cluster root, this table will be blank.
(host) (config) #show cluster-switches

SWITCH-IP     CLUSTER-ROLE
-----------------------------
172.21.18.18  ROOT

In this example, the show cluster-switches command was issued on a cluster root. The Switch-IP section of the output shows the IP address of a VLAN on each cluster member that can currently communicate with the cluster root.

(host) (config) #show cluster-switches

SWITCH-IP     CLUSTER-ROLE
-----------------------------
172.21.18.18  MEMBER
172.21.18.19  MEMBER

Related Commands

Parameter: control-plane-security
Description: Configure the control plane security profile.
Mode: Config mode

Parameter: cluster-member-ip
Description: This command sets the switch as a control plane security cluster root, and specifies the IPsec key for a cluster member.
Mode: Config mode on cluster root switches

Parameter: cluster-root-ip
Description: This command sets the switch as a control plane security cluster member, and defines the IPsec key for communication between the cluster member and the switch's cluster root.
Mode: Config mode on cluster member switches

Command History
This command was introduced in AOS-W 5.0.

Command Information

Platforms: All platforms
Licensing: Base operating system
Command Mode: Enable mode on cluster member or cluster root switches

show command-mapping
show command-mapping [reverse]
Description
Show the mapping of new commands to deprecated commands.
Syntax

Parameter: Description
reverse: Sort the command map by deprecated command syntax. This command is useful to find the current command syntax for a deprecated command.

Usage Guidelines
The syntax of many commands changed after the release of AOS-W 3.0. Use this command to display a list of current commands and their deprecated command equivalents. Include the reverse parameter to sort the output of this table by the deprecated command syntax.

Example

The example below shows part of the output for this command. Note that a single new command may have replaced several older commands.

(host) # show command-mapping

Command Map
-----------
New Command                        Old Command
-----------                        -----------
show ap active                     show wlan ap
show ap arm neighbors              show ap arm-neighbors
show ap arm rf-summary             show am rf-summary
show ap arm scan-times             show am scan-times
show ap arm state                  show wlan arm
show ap association                show stm association
                                   show wlan client
                                   show wlan remote-client
show ap blacklist-clients          show stm dos-sta
show ap bss-table                  show stm connectivity
show ap client status              show stm state
show ap coverage-holes             show rfsm coverage-holes
show ap database                   show ap global-list
                                   show sapm ap search
                                   show ap registered
show ap debug association-failure  show wlan association-failure
....

Command History
This command was available in AOS-W 3.0.

Command Information

Platforms: All platforms
Licensing: Base operating system
Command Mode: Config or Enable mode on master or local switches

show configuration
show configuration
Description
Show the saved configuration on the switch.
Syntax
No parameters.
Usage Guidelines
Issue this command to view the entire configuration saved on the switch, including all profiles, ACLs, and interface settings.
Example
The example below shows part of the output for this command.

(host) # show configuration
version 6.2
enable secret "01270adf012bf3faf1a26a5987a53d78041a4287c0b62cb36a"
telnet cli
telnet soe
hostname "TechPubs650"
clock timezone PST -8
location "Building1.floor1"
controller config 7
ip NAT pool dynamic-srcnat 0.0.0.0 0.0.0.0
ip access-list eth validuserethacl
  permit any
!
netservice svc-netbios-dgm udp 138
netservice svc-snmp-trap udp 162
Command History
This command was available in AOS-W 1.0.
Command Information

Platforms      All platforms
Licensing      Base operating system
Command Mode   Config or Enable mode on master or local switches

show controller-ip
show controller-ip
Description
Show switch's country and domain upgrade trail.
Syntax
No parameters.
Example
The output of this command shows the switch's IP address and VLAN interface ID.

(host) # show controller-ip
Switch IP Address: 10.168.254.221
Switch IP is configured to be Vlan Interface: 1
Command History
This command was available in AOS-W 3.4.
Command Information

Platforms      All platforms
Licensing      Base operating system
Command Mode   Config or Enable mode on master or local switches

show controller-ipv6
show controller-ipv6
Description
Show switch's IPv6 address and VLAN interface ID.
Syntax
No parameters.
Example

The output of this command shows the switch's IPv6 address and VLAN interface ID.

(host) # show controller-ipv6
Switch IPv6 Address: 2005:d81f:f9f0:1001::14
Switch IPv6 address is from Vlan Interface: 1
Command History
This command was introduced in AOS-W 6.1.
Command Information

Platforms      All platforms
Licensing      Base operating system
Command Mode   Config or Enable mode on master or local switches

show control-plane-security
show control-plane-security

Description
Show the current configuration of the control plane security profile.

Syntax
No parameters.

Usage Guidelines
The control plane security profile enables and disables the control plane security feature and identifies campus APs to receive security certificates. Issue this command to view current control plane security settings.

Example

The following command shows the control plane security and auto certificate provisioning features are enabled in the control plane security profile, and that the switch will send certificates to a range of IP addresses:

(host)(config) #show control-plane-security

Control Plane Security Profile
------------------------------
Parameter                    Value
---------                    -----
Control Plane Security       Enabled
Auto Cert Provisioning       Enabled
Auto Cert Allow All          Disabled
Auto Cert Allowed Addresses  10.1.1.16 - 10.1.42.55

Related Commands

Command       control-plane-security
Description   Configure the control plane security profile by identifying APs to receive security certificates.
Mode          Config mode

Command History
This command was introduced in AOS-W 5.0.
Command Information

Platforms      All platforms
Licensing      Base operating system
Command Mode   Enable mode on master or local switches

show country
show country [trail]
Description
Show switch's country and domain upgrade trail.
Syntax

Parameter   Description
trail       Display the record showing how the switch was reconfigured for its current country domain when the switch hardware was upgraded.

Usage Guidelines
A switch's country code sets the regulatory domain for the radio frequencies that the APs use. This value is typically set during the switch's initial setup procedure. Use this command to determine the country code specified during setup.
Example
The output of this command shows the switch's country, model and hardware types.

(host) # show country
Country:US
Model:Alcatel-LucentOAW-4306G-US
Hardware:Restricted US
Command History
This command was available in AOS-W 1.0.
Command Information

Platforms      All platforms
Licensing      Base operating system
Command Mode   Config or Enable mode on master or local switches

show cp-bwcontracts
show cp-bwcontract

Description
Display a list of Control Processor (CP) bandwidth contracts for whitelist ACLs.

Syntax
No parameters.

Example
The CP bw contracts table lists the contract names, the ID number assigned to each contract, and its defined traffic rate in bits per second.

(host) #show cp-bwcontracts

CP bw contracts
---------------
Contract     Id    Rate (bits/second)
--------     --    ------------------
limit        4098  2000000000
newcontract  4097  1000000000

Related Commands

Command       cp-bandwidth-contract
Description   This command configures a bandwidth contract traffic rate which can then be associated with a whitelist session ACL.
Mode          Enable or Config modes

Command       firewall cp
Description   This command creates a new whitelist ACL and can associate a bandwidth contract with that ACL.
Mode          Enable or Config modes

Command History
This command was introduced in AOS-W 3.4
Command Information

Platforms      All platforms
Licensing      This command requires the PEFNG license.
Command Mode   Config mode on master switches

show cpuload
show cpuload [current]
Description
Display the switch CPU load for application and system processes.
Syntax

Parameter   Description
current     Include this optional parameter at the request of Alcatel-Lucent technical support to display additional CPU troubleshooting statistics.

Example
This example shows that the majority of the switch's CPU resources are not being used by either application (user) or system processes.

(host) #show cpuload
user 6.9%, system 7.7%, idle 85.4%

The output of this command includes the following parameters:

Parameter   Description
user        Percentage of switch CPU resources used by application processes.
system      Percentage of switch CPU resources used by system processes.
idle        Percentage of unused switch CPU resources.

Command History
This command was available in AOS-W 1.0.
Command Information

Platforms      All platforms
Licensing      Base operating system
Command Mode   Enable or Config mode on master and local switches

show crypto-local ipsec-map
show crypto-local ipsec [tag <ipsec-map-name>]
Description
Displays the current IPsec map configuration on the switch.
Syntax

Parameter              Description
tag <ipsec-map-name>   Display a specific IPsec map.

Usage Guidelines
The command show crypto-local ipsec displays the current IPsec configuration on the switch.
Examples
The command show crypto-local ipsec-map shows the default map configuration along with any specific IPsec map configurations.

(host) #show crypto-local ipsec-map

Crypto Map Template"default-local-master-ipsecmap" 9999
     IKE Version: 1
     lifetime: [300 - 86400] seconds, no volume limit
     PFS (Y/N): N
     Transform sets={ default-ml-transform }
     Peer gateway: 0.0.0.0
     Interface: VLAN 0
     Source network: 0.0.0.0/0.0.0.0
     Destination network: 0.0.0.0/0.0.0.0
     Pre-Connect (Y/N): N
     Tunnel Trusted (Y/N): Y
     Forced NAT-T (Y/N): N

Crypto Map Template"testmap" 3
     IKE Version: 1
     lifetime: [300 - 86400] seconds, no volume limit
     PFS (Y/N): N
     Transform sets={ default-transform }
     Peer gateway: 0.0.0.0
     Interface: VLAN 0
     Source network: 0.0.0.0/0.0.0.0
     Destination network: 0.0.0.0/0.0.0.0
     Pre-Connect (Y/N): N
     Tunnel Trusted (Y/N): N
     Forced NAT-T (Y/N): N

Related Commands

Command       crypto-local ipsec-map
Description   Use this command to configure IPsec mapping for site-to-site VPN.
Mode          Config mode

Command History

Version     Modification
AOS-W 3.4   Command introduced.
AOS-W 6.1   The output of this command displays the configured IKE version.

Command Information

Platforms      All platforms
Licensing      Base operating system
Command Mode   Enable or Config mode on master or local switches

show crypto dp
show crypto dp [peer <source-ip>]
Descriptions
Displays crypto data packets.
Syntax

Parameter          Description
dp                 Shows crypto latest datapath packets. The output is sent to crypto logs.
peer <source-ip>   Clears crypto ISAKMP state for this IP.

Usage Guidelines
Use this command to send crypto data packet information to the switch log files, or to clear a crypto ISAKMP state associated with a specific IP address.
Examples
The command show crypto dp sends debug information to CRYPTO logs.

(host) # show crypto
Datapath debug output sent to CRYPTO logs.

Related Commands

Command       crypto isakmp
Description   Use this command to configure Internet Key Exchange (IKE) parameters for the Internet Security Association and Key Management Protocol (ISAKMP).
Mode          Enable and Config modes

Command History
This command was introduced in AOS-W 3.0.
Command Information

Platforms      All platforms
Licensing      Base operating system
Command Mode   Enable or Config mode on master or local switches

show crypto dynamic-map
show crypto dynamic-map [tag <dynamic-map-name>]
Descriptions
Displays IPsec dynamic map configurations.
Syntax

Parameter                Description
dynamic-map              IPsec dynamic maps configuration.
tag <dynamic-map-name>   A specific dynamic map.

Usage Guidelines
Dynamic maps enable IPsec SA negotiations from dynamically addressed IPsec peers. Once you have defined a dynamic map, you can associate that map with the default global map using the command crypto map global-map.
Examples
The command show crypto dynamic-map shows IPsec dynamic map configuration.

(host) #show crypto dynamic-map

Crypto Map Template"default-dynamicmap" 10000
     IKE Version: 1
     lifetime: [300 - 86400] seconds, no volume limit
     PFS (Y/N): N
     Transform sets={ default-transform }

Related Commands

Command       crypto dynamic-map
Description   Use this command to configure a dynamic map.
Mode          Config mode

Command History

Version     Modification
AOS-W 3.0   Command introduced.
AOS-W 6.1   The output of this command displays the configured IKE version.

Command Information

Platforms      All platforms
Licensing      Base operating system
Command Mode   Enable or Config mode on master or local switches

show crypto ipsec
show crypto ipsec {mtu|sa[peer <peer-ip>]|transform-set [tag <transform-set-name>]}
Descriptions
Displays the current IPsec configuration on the switch.
Syntax

Parameter                      Description
mtu                            IPsec maximum mtu.
sa                             Security associations.
  peer <peer-ip>               IPsec security associations for a peer.
transform-set                  IPsec transform sets.
  tag <transform-set-name>     A specific transform set.

Usage Guidelines
The command show crypto ipsec displays the Maximum Transmission Unit (MTU) size allowed for network transmissions using IPsec security. It also displays the transform sets that define a specific encryption and authentication type.
Examples
The command show crypto transform-set shows the settings for both preconfigured and manually configured transform sets.

(host) #show crypto ipsec transform-set

Transform set default-transform: { esp-3des esp-sha-hmac }
     will negotiate = { Transport, Tunnel }
Transform set default-ml-transform: { esp-3des esp-sha-hmac }
     will negotiate = { Transport, Tunnel }
Transform set default-boc-bm-transform: { esp-3des esp-sha-hmac }
     will negotiate = { Transport, Tunnel }
Transform set default-cluster-transform: { esp-aes256 esp-sha-hmac }
     will negotiate = { Transport, Tunnel }
Transform set default-1st-ikev2-transform: { esp-aes256 esp-sha-hmac }
     will negotiate = { Transport, Tunnel }
Transform set default-3rd-ikev2-transform: { esp-aes128 esp-sha-hmac }
     will negotiate = { Transport, Tunnel }
Transform set default-gcm256: { esp-aes256-gcm esp-null-hmac }
     will negotiate = { Transport, Tunnel }
Transform set default-gcm128: { esp-aes128-gcm esp-null-hmac }
     will negotiate = { Transport, Tunnel }
Transform set default-rap-transform: { esp-aes256 esp-sha-hmac }
     will negotiate = { Transport, Tunnel }
Transform set default-remote-node-bm-transform: { esp-3des esp-sha-hmac }
     will negotiate = { Transport, Tunnel }
Transform set default-aes: { esp-aes256 esp-sha-hmac }
     will negotiate = { Transport, Tunnel }
Transform set newset: { esp-3des esp-sha-hmac }
     will negotiate = { Transport, Tunnel }
Transform set name: { esp-aes256-gcm esp-sha-hmac }
     will negotiate = { Transport, Tunnel }

Related Commands

Command       crypto ipsec
Description   Use this command to configure IPsec parameters.
Mode          Config mode

Command History
This command was introduced in AOS-W 3.0.
Command Information

Platforms      All platforms
Licensing      Base operating system
Command Mode   Enable or Config mode on master or local switches

show crypto isakmp
show crypto isakmp
   eap-passthrough
   groupname
   key
   policy
   sa
   stats
   transports
   udpencap-behind-natdevice

Descriptions
This command displays Internet Key Exchange (IKE) parameters for the Internet Security Association and Key Management Protocol (ISAKMP).
Syntax

Parameter          Description
eap-passthrough    Display configured IKEv2 EAP Methods.
groupname          Show the IKE Aggressive group name.
key                Show the IKE pre-shared keys.
policy             Show the following information for predefined and manually configured IKE policies:
                   - IKE version
                   - encryption and hash algorithms
                   - authentication method
                   - PRF methods
                   - DH group
                   - lifetime settings
sa                 Show the security associations.
  peer <peer-ip>   Shows crypto isakmp security associations for this IP.
stats              Show detailed IKE statistics. This information can be very useful for troubleshooting problems with ISAKMP.

Usage Guidelines
Use the show crypto isakmp command to view ISAKMP settings, statistics and policies.
Examples
The command show crypto isakmp stats shows the IKE statistics.

(host) #show crypto isakmp stats

Default protection suite 10001
     Version 1
     encryption algorithm: 3DES - Triple Data Encryption Standard (168 bit keys)
     hash algorithm: Secure Hash Algorithm 160
     authentication method: Pre-Shared Key
     Diffie-Hellman Group: #2 (1024 bit)
     lifetime: [300 - 86400] seconds, no volume limit
Default RAP Certificate protection suite 10002
     Version 1
     encryption algorithm: AES - Advanced Encryption Standard (256 bit keys)
     hash algorithm: Secure Hash Algorithm 160
     authentication method: Rivest-Shamir-Adelman Signature
     Diffie-Hellman Group: #2 (1024 bit)
     lifetime: [300 - 86400] seconds, no volume limit
Default RAP PSK protection suite 10003
     Version 1
     encryption algorithm: AES - Advanced Encryption Standard (256 bit keys)
     hash algorithm: Secure Hash Algorithm 160
     authentication method: Pre-Shared Key
     Diffie-Hellman Group: #2 (1024 bit)
     lifetime: [300 - 86400] seconds, no volume limit
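
When reviewing a switch, the protection-suite listing above and the show crypto ipsec transform-set listing from the previous section can be checked mechanically for legacy algorithms. The following is an added example, not part of this guide or of AOS-W: it parses both listings and reports 3DES, SHA-1 and Diffie-Hellman groups under 2048 bits. The sample text is constructed from the outputs printed in this guide; the function names, the one-field-per-line layout and the 2048-bit floor are assumptions.

```python
import re

MIN_DH_BITS = 2048  # assumed site policy floor for IKE Diffie-Hellman groups

# Constructed samples, taken from the outputs printed in this guide and laid
# out with one field per line (an assumption about the CLI layout).
TRANSFORM_SETS = """\
Transform set default-transform: { esp-3des esp-sha-hmac }
     will negotiate = { Transport, Tunnel }
Transform set default-cluster-transform: { esp-aes256 esp-sha-hmac }
     will negotiate = { Transport, Tunnel }
Transform set default-gcm256: { esp-aes256-gcm esp-null-hmac }
     will negotiate = { Transport, Tunnel }
"""

IKE_POLICIES = """\
Default protection suite 10001
     Version 1
     encryption algorithm: 3DES - Triple Data Encryption Standard (168 bit keys)
     hash algorithm: Secure Hash Algorithm 160
     authentication method: Pre-Shared Key
     Diffie-Hellman Group: #2 (1024 bit)
     lifetime: [300 - 86400] seconds, no volume limit
Default RAP Certificate protection suite 10002
     Version 1
     encryption algorithm: AES - Advanced Encryption Standard (256 bit keys)
     hash algorithm: Secure Hash Algorithm 160
     authentication method: Rivest-Shamir-Adelman Signature
     Diffie-Hellman Group: #2 (1024 bit)
     lifetime: [300 - 86400] seconds, no volume limit
"""


def parse_transform_sets(text):
    """Map each transform-set name to its list of transforms."""
    found = re.findall(r"Transform set (\S+):\s*\{([^}]*)\}", text)
    return {name: body.split() for name, body in found}


def parse_ike_policies(text):
    """Map each protection-suite number to a {field: value} dict."""
    # re.split with a capture group yields [prefix, number, body, number, body, ...]
    chunks = re.split(r"protection suite (\d+)", text)
    policies = {}
    for number, body in zip(chunks[1::2], chunks[2::2]):
        fields = {}
        for line in body.splitlines():
            key, sep, value = line.partition(":")
            if sep:  # lines without a colon (e.g. "Version 1") are skipped
                fields[key.strip().lower()] = value.strip()
        policies[int(number)] = fields
    return policies


def audit_transform_sets(sets):
    """Return (set name, issue) pairs for IPsec (ESP) transform sets."""
    findings = []
    for name, transforms in sets.items():
        # AES-GCM is an AEAD mode and carries its own integrity check, so
        # esp-null-hmac is expected alongside a -gcm transform.
        aead = any(t.endswith("-gcm") for t in transforms)
        if "esp-3des" in transforms:
            findings.append((name, "3des"))
        if "esp-null-hmac" in transforms and not aead:
            findings.append((name, "no-integrity"))
    return findings


def audit_ike_policies(policies):
    """Return (suite number, issue) pairs for IKE protection suites."""
    findings = []
    for number, fields in sorted(policies.items()):
        if fields.get("encryption algorithm", "").startswith("3DES"):
            findings.append((number, "3des"))
        if fields.get("hash algorithm", "").endswith("Algorithm 160"):
            findings.append((number, "sha1"))
        dh = re.search(r"\((\d+) bit\)", fields.get("diffie-hellman group", ""))
        if dh and int(dh.group(1)) < MIN_DH_BITS:
            findings.append((number, "dh-%s" % dh.group(1)))
    return findings


if __name__ == "__main__":
    for name, issue in audit_transform_sets(parse_transform_sets(TRANSFORM_SETS)):
        print("transform set %s: %s" % (name, issue))
    for number, issue in audit_ike_policies(parse_ike_policies(IKE_POLICIES)):
        print("protection suite %d: %s" % (number, issue))
```
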

Related Commands

Command       crypto isakmp
Description   Use this command to configure Internet Key Exchange (IKE) parameters for the Internet Security Association and Key Management Protocol (ISAKMP).
Mode          Config mode

Command History

Version     Modification
AOS-W 3.0   Command introduced.
AOS-W 6.1   The eap-passthrough parameter was introduced. The output of the show crypto isakmp policy command displays the configured IKE version.

This command was introduced in AOS-W 3.0.
Command Information

Platforms      All platforms
Licensing      Base operating system
Command Mode   Enable or Config mode on master or local switches

show crypto-local isakmp
show crypto isakmp {ca-certificates}|{dpd}|{key}|{server-certificate}|{xauth}
Descriptions
This command displays Internet Key Exchange (IKE) parameters for the Internet Security Association and Key Management Protocol (ISAKMP).
Syntax

Parameter            Description
ca-certificate       Shows all the Certificate Authority (CA) certificates associated with VPN clients.
certificate-group    Shows the existing certificate groups by server certificate name and CA certificate.
dpd                  Shows the IKE Dead Peer Detection (DPD) configuration on the local switch.
key                  Shows the IKE preshared key on the local switch for site-to-site VPN. This includes keys configured by Fully Qualified Domain Name (FQDN) and local and global keys configured by address.
server-certificate   Shows all the IKE server certificates used to authenticate the switch for VPN clients.
xauth                Shows the IKE XAuth configuration for VPN clients.

Usage Guidelines
Use the show crypto-local isakmp command to view IKE parameters.

Examples
This example shows sample output for the show crypto-local ca-certificate, show crypto-local dpd, show crypto-local key, show crypto-local server-certificate and show crypto-local xauth commands:

(host) #show crypto-local isakmp ca-certificate

ISAKMP CA Certificates
-----------------------
CA certificate name        Client-VPN  # of Site-Site-Maps
-------------------        ----------  -------------------
Alcatel-Lucent-Factory-CA  Y           0

(host) #show crypto-local isakmp certificate-group

ISAKMP Certificate Groups
-------------------------
Server certificate name  CA certificate name
-----------------------  -------------------

(host) #show crypto-local isakmp dpd
DPD is Enabled: Idle-timeout = 22 seconds, Retry-timeout = 2 seconds, Retry-attempts = 3

(host) #show crypto-local isakmp key

ISAKMP Local Pre-Shared keys configured for ANY FQDN
-----------------------------------------------------
Key
---

ISAKMP Local Pre-Shared keys configured by FQDN
------------------------------------------------
FQDN of the host    Key
----------------    ---
servers.mycorp.com  ********

ISAKMP Local Pre-Shared keys configured by Address
---------------------------------------------------
IP address of the host  Subnet Mask Length  Key
----------------------  ------------------  ---
10.4.62.10              32                  ********

ISAKMP Global Pre-Shared keys configured by Address
----------------------------------------------------
IP address of the host  Subnet Mask Length  Key
----------------------  ------------------  ---
0.0.0.0                 0                   ********

(host) (config) #show crypto-local isakmp server-certificate

ISAKMP Server Certificates
---------------------------
Server certificate name                   Client-VPN  # of Site-Site-Maps
-----------------------                   ----------  -------------------
Alcatel-Lucent-Factory-Server-Cert-Chain  RAP-only    0

(host) #show crypto-local isakmp xauth
IKE XAuth Enabled.
Related Commands

Command       crypto-local isakmp ca-certificate
Description   Use this command to assign the Certificate Authority (CA) certificate used to authenticate VPN clients.
Mode          Config mode

Command       crypto-local isakmp ca-certificate
Description   Use this command to assign a certificate group so you can access multiple types of certificates on the same switch.
Mode          Config mode

Command       crypto-local isakmp dpd
Description   Use this command to configure IKE Dead Peer Detection (DPD) on the local switch.
Mode          Config mode

Command       crypto-local isakmp key
Description   Use this command to configure the IKE preshared key on the local switch for site-to-site VPN.
Mode          Config mode

Command       crypto-local isakmp server-certificate
Description   Use this command to assign the server certificate used to authenticate the switch for VPN clients.
Mode          Config mode

Command       crypto-local isakmp xauth
Description   Use this command to enable the IKE XAuth for VPN clients.
Mode          Config mode

Command History

Release     Modification
AOS-W 3.4   Command introduced.
AOS-W 6.1   The show crypto-local isakmp certificate-group command was introduced.

Command Information

Platforms      All platforms
Licensing      Base operating system
Command Mode   Enable or Config mode on master or local switches

show crypto-local pki
show crypto-local pki
   CRL [<name> ALL|crlnumber|fingerprint|hash|issuer|lastupdate|nextupdate]
   IntermediateCA [<name>ALL|alias|dates|fingerprint|hash|issuer|modulus|purpose|serial|subject]
   OCSPResponderCert [<name>ALL|alias|dates|fingerprint|hash|issuer|modulus|purpose|serial|subject]
   OCSPSignerCert [<name>ALL|alias|dates|fingerprint|hash|issuer|modulus|purpose|serial|subject]
   PublicCert [<name>ALL|alias|dates|fingerprint|hash|issuer|modulus|purpose|serial|subject]
   ServerCert [<name>ALL|alias|dates|fingerprint|hash|issuer|modulus|purpose|serial|subject]
   TrustedCA [<name>ALL|alias|dates|fingerprint|hash|issuer|modulus|purpose|serial|subject]
   crl-stats
   ocsp-client-stats
   rcp
   service-ocsp-responder [stats]
Descriptions
Issue this command to show local certificate, OCSP signer or responder certificate and CRL data and statistics.
Syntax

Parameter                        Description
CRL                              Shows the name, original filename, reference count and expiration status of all CRLs on this switch.
  <CRL name> ALL                 Shows the version, signature algorithm, issuer, last update, next update, and CRL extensions and all other attributes of this CRL.
  <CRL name> crlnumber           Shows the number of this CRL.
  <CRL name> fingerprint         Shows the fingerprint of this CRL.
  <CRL name> hash                Shows the hash number of this CRL.
  <CRL name> issuer              Shows the issuer of this CRL.
  <CRL name> lastupdate          Shows the last update (date and time) at which the returned status is known to be correct.
  <CRL name> nextupdate          Shows the next date and time (date and time) where the responder retrieves updated status information for this certificate. If this information is not present, then the responder always holds up to date status information.
IntermediateCA                   Shows the name, original filename, reference count and expiration status of this certificate. NOTE: IntermediateCA has the identical sub-parameters as those listed under the TrustedCA parameter in this table.
OCSPResponderCert                Shows the name, original filename, reference count and expiration status of all ocsprespondercert certificates on this switch. NOTE: OCSPResponderCert has the identical sub-parameters as those listed under the TrustedCA parameter in this table.
OCSPSignerCert                   Shows the OCSP Signer certificate. NOTE: OCSPSignerCert has the identical sub-parameters as those listed under the TrustedCA parameter in this table.
PublicCert                       Shows Public key information of a certificate. This certificate allows an application to identify an exact certificate. NOTE: PublicCert has the identical sub-parameters as those listed under the TrustedCA parameter in this table.
ServerCert                       Shows Server certificate information. This certificate must contain both a public and a private key (the public and private keys must match). You can import a server certificate in either PKCS12 or x509 PEM format; the certificate is stored in x509 PEM DES encrypted format on the switch. NOTE: ServerCert has the identical sub-parameters as those listed under the TrustedCA parameter in this table.
TrustedCA                        Shows trusted CA certificate information. This certificate can be either a root CA or intermediate CA. Alcatel-Lucent encourages (but does not require) an intermediate CA's signing CA to be the switch itself.
  <name> ALL                     Shows the version, signature algorithm, issuer, last update, next update, and CRL extensions and all other attributes of this certificate.
  <name> alias                   Shows this certificate's alias, if it exists.
  <name> dates                   Shows the dates for which this certificate is valid.
  <name> fingerprint             Shows the certificate's fingerprint.
  <name> hash                    Shows the hash number of this certificate.
  <name> issuer                  Shows the certificate issuer.
  <name> modulus                 Shows the modulus which is part of the public key of the certificate.
  <name> purpose                 Shows the certificate's purposes such as if this is an SSL server, SSL server CA and so on.
  <name> serial                  Shows the certificate's serial number.
  <name> subject                 Shows the certificate's subject identification number.
crl-stats                        Shows the CRL request statistics.
ocsp-client-stats                Shows the OCSP client statistics.
rcp                              Shows the revocation check point.
service-ocsp-responder [stats]   Shows if OCSP responder service is enabled and shows statistics.

Usage Guidelines
Use the show crypto-local pki command to view all CRL and certificate status, OCSP client and OCSP responder status and statistics.

Example
This example displays a list of all OCSP responder certificates on this switch.

(host) (config) #show crypto-local pki OCSPResponderCert

Certificates
------------
Name                       Original Filename         Reference Count  Expired
--------------             -----------------         ---------------  -------
ocspJan28                  ocspresp-jan28.cer        0                No
ocspresp-standalone-feb21  ocspresp-feb21.cer        0                No
ocsprespFeb02              ocspresp-feb2.cer         1                No
OCSPresponder1             ocspresponder-new1.cer    0                No
ocspresponder2             subsubCA-ocsp-res-2.cer   0                No
OCSPresponderlatest        ocspresponder-latest.cer  0                No

The output of this command includes the following parameters:

Parameter           Description
Name                Name of the OCSP responder certificate.
Original Filename   Name of the original certificate when it was added to the switch.
Reference Count     Number of RCPs that reference this OCSP responder certificate, signer certificate or CRL.
Expired             Shows whether the switch has enabled or disabled client remediation with Sygate-on-demand-agent.

This example shows the dates for which this OCSP responder certificate is valid.

(host) (config) #show crypto-local pki OCSPResponderCert ocspJan28 dates
notBefore=Jan 21 02:37:47 2011 GMT
notAfter=Jan 20 02:37:47 2013 GMT

This example displays the certificate's hash number.

(host) (config) #show crypto-local pki OCSPResponderCert ocspJan28 hash
91dcb1b3

This example shows the purpose and information about this certificate.

(host) (config) #show crypto-local pki OCSPResponderCert ocspJan28 purpose
Certificate purposes:For validation
SSL client : No
SSL client CA : No
SSL server : No
SSL server CA : No
Netscape SSL server : No
Netscape SSL server CA : No
S/MIME signing : No
S/MIME signing CA : No
S/MIME encryption : No
S/MIME encryption CA : No
CRL signing : No
CRL signing CA : No
Any Purpose : Yes
Any Purpose CA : Yes
OCSP helper : Yes
OCSP helper CA : No

This example displays the certificate's subject.

(host) (config) #show crypto-local pki OCSPResponderCert ocspJan28 subject
subject= /CN=WIN-T1BQQFMVDED.security1.qa.mycorp.com
Related Commands

Command       crypto-local pki
Description   This command is saved in the configuration file and verifies the presence of the certificate in the switch's internal directory structure.
Mode          Config mode

Command       crypto-local pki rcp <name>
Description   Specifies the certificates that are used to sign OCSP responses for this revocation check point.
Mode          Config mode

Command History

Version     Modification
AOS-W 3.2   Command introduced.
AOS-W 6.1   The following parameters were introduced:
            - CRL
            - Intermediate CA
            - OCSPResponderCert
            - OCSPSignerCert
            - global-ocsp-signer-cert
            - rcp
            - service-ocsp-responder

Command Information

Platforms      All platforms
Licensing      Base operating system
Command Mode   Enable mode

show crypto map
show crypto ipsec map
Descriptions
This command displays the IPsec map configurations.
Syntax

Parameter map

Description

Usage Guidelines
Use the show crypto map command to view configuration for global, dynamic and default map configurations.
Examples
The command show crypto map shows statistics for the global, dynamic and default maps.

(host) #show crypto map

Crypto Map "GLOBAL-MAP" 10000 ipsec-isakmp
Crypto Map Template"default-dynamicmap" 10000
     IKE Version: 1
     lifetime: [300 - 86400] seconds, no volume limit
     PFS (Y/N): N
     Transform sets={ default-transform, default-aes }
Crypto Map "GLOBAL-IKEV2-MAP" 10000 ipsec-isakmp
Crypto Map "default-local-master-ipsecmap" 9999 ipsec-isakmp
Crypto Map Template"default-local-master-ipsecmap" 9999
     IKE Version: 1
     lifetime: [300 - 86400] seconds, no volume limit
     PFS (Y/N): N
     Transform sets={ default-ml-transform }
     Peer gateway: 10.4.62.9
     Interface: VLAN 0
     Source network: 172.16.0.254/255.255.255.255
     Destination network: 10.4.62.9/255.255.255.255
     Pre-Connect (Y/N): Y
     Tunnel Trusted (Y/N): Y
     Forced NAT-T (Y/N): N

Related Commands

Command       crypto map global-map
Description   Use this command to configure the default global map.
Mode          Config mode

Command History

Version     Modification
AOS-W 3.0   Command introduced.
AOS-W 6.1   The output of this command displays the configured IKE version for the map.

Command Information

Platforms      All platforms
Licensing      Base operating system
Command Mode   Enable or Config mode on master or local switches

show crypto pki
show crypto pki csr
Descriptions
This command displays the certificate signing request (CSR) for the captive portal feature.
Syntax

Parameter csr

Description

Usage Guidelines
Use the show crypto pki command to view the CSR output.
Examples
The command show crypto pki shows output from the crypto pki csr command.
(host) #show crypto pki csr
Certificate Request: Data: Version: 0 (0x0) Subject: C=US, ST=CA, L=Sunnyvale, O=sales, OU=EMEA,
CN=www.mycompany.com/emailAddress=myname@mycompany.com Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (1024 bit) Modulus (1024 bit): 00:e6:b0:f2:95:37:d0:18:c4:ee:f7:bd:5d:96:85: 49:a3:56:63:76:ee:99:82:fe:4b:31:6c:80:25:c4: ed:c7:9e:8e:5e:3e:a2:1f:90:62:b7:91:69:75:27: e8:29:ba:d1:76:3c:0b:14:dd:83:3a:0c:62:f2:2f: 49:90:47:f5:2f:e6:4e:dc:c3:06:7e:d2:51:29:ec: 52:8c:40:26:de:ae:c6:a0:21:1b:ee:46:b1:7a:9b: dd:0b:67:44:48:66:19:ec:c7:f4:24:bd:28:98:a2: c7:6b:fb:b6:8e:43:aa:c7:22:3a:b8:ec:9a:0a:50: c0:29:b7:84:46:70:a5:3f:09 Exponent: 65537 (0x10001) Attributes: a0:00
Signature Algorithm: sha1WithRSAEncryption 25:ce:0f:29:91:73:e9:cd:28:85:ea:74:7c:44:ba:b7:d0:5d: 2d:53:64:dc:ad:07:fd:ed:09:af:b7:4a:7f:14:9a:5f:c3:0a: 8a:f8:ff:40:25:9c:f4:97:73:5b:53:cd:0e:9c:d2:63:b8:55: a5:bd:20:74:58:f8:70:be:b9:82:4a:d0:1e:fc:8d:71:a0:33: bb:9b:f9:a1:ee:d9:e8:62:e4:34:e4:f7:8b:7f:6d:3c:70:4c: 4c:18:e0:7f:fe:8b:f2:01:a2:0f:00:49:81:f7:de:42:b9:05: 59:7c:e4:89:ed:8f:e1:3b:50:5a:7e:91:3b:9c:09:8f:b7:6b: 98:80
Related Commands

Command       crypto pki
Description   Use this command to generate a certificate signing request (CSR) for the captive portal feature.
Mode          Enable mode

Command       crypto pki-import
Description   Use this command to import certificates for the captive portal feature.
Mode          Enable mode

Command History
This command was introduced in AOS-W 3.0.
Command Information

Platforms      All platforms
Licensing      Base operating system
Command Mode   Enable or Config mode on master or local switches

show database
show database synchronization
Description
Shows database synchronization status.
Syntax
No parameters.
Usage Guidelines
Issue this command to show the database synchronization status.
Example
This example shows a database synchronization status.

(host) #show database synchronize
Last synchronization time: Not synchronized since last reboot
Periodic synchronization is enabled and runs every 25 minutes
Synchronization includes RF plan data
Related Commands

Command

Description

database synchronize Show the output of the database synchronize command.

Mode Enable and Config modes

Command History
Release AOS-W 3.0

Modification Command introduced

Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Enable or config mode on master and local switches


show datapath
show
    acl id <id-name> {ap-name <ap-name>}|{ip-addr <ip-address>}
    application {ap-name <ap-name>|counters|ip-addr <ip-address>}
    bridge {ap-name <ap-name>|counters|ip-addr <ip-address>|table}
    bwm table
    cp-bwm
    crypto
    debug {dma counters|epa|opcode|performance|pkttrace-buffer|trace-buffer|trace-route}
    dhcp {vm-mac}
    error [counters]
    esi table
    exthdr
    firewall-agg-sess [counters]
    fqdn
    frame {ap-name <ap-name>|counters|ip-addr <ip-address>}
    hardware {counters|statistics}
    internal dir <dir>|file <file>
    ip-fragment-table {ipv4|ipv6}
    ip-mcast
    ip-reassembly {ap-name <ap-name>|counters|ip-addr <ip-address>|ipv4|ipv6}
    ipv6-mcast
    lag table
    maintenance counters
    message-queue counters
    nat {ap-name <ap-name>|counters|ip-addr <ip-address>}
    network ingress
    papi
    port
    rap-bw-resv
    rap-css
    rap-pkt-trace
    rap-stats
    route {ap-name <ap-name>|counters|ip-addr <ip-address>|ipv4|ipv6|table|verbose}
    route-cache {ap-name <ap-name>|counters|ip-addr <ip-address>|ipv4|ipv6|table|verbose}
    services
    session {ap-name <ap-name>|counters}|{ip-addr <ip-address>|ipv6|table}
    station [counters|mac <macaddr>|table]
    tcp {app <app>|counters|tunnel}
    tunnel [counters|ipv4|ipv6|station-list|table]
    user {ap-name <ap-name>|counters|ip-addr <ip-address>|ipv4|ipv6|table}
    utilization
    vlan {ap-name <ap-name>}|{ip-addr <ip-address>|table}
    vlan-mcast
    wifi-reassembly counters
    wmm counters
Description
Displays system statistics for your switch.


Syntax

Parameter                       Description
acl id <id-name>                Displays datapath statistics associated with a specified ACL. The ACL index is found in the show rights command.
ap-name <ap-name>               Name of the AP.
ip-addr <ip-address>            IP address of the AP.
application counters            Shows application counters and errors generated by applications running on a particular AP. These include stateful firewall application layer statistics.
ap-name <ap-name>               Name of the AP.
ip-addr <ip-address>            IP address of the AP.
bridge                          Shows bridge table entry statistics including MAC address, VLAN, assigned VLAN, destination and flag information for an AP.
ap-name <ap-name>               Name of the AP. Shows MAC address, VLAN, assigned VLANs, destination and flags information.
counters                        Shows datapath bridge table statistics such as current entries, high water mark, maximum entries, total entries, allocation failures and max link length.
ip-addr <ip-address>            IP address of the AP. Shows MAC address, VLAN, assigned VLANs, destination and flags information.
table <macaddr>                 Displays the current high, maximum, and total number of bridge table entries for the Alcatel-Lucent switch.
bwm table                       Shows bandwidth management table entry statistics such as CPU, contract, Bits/sec, policed, available bytes, queued bytes and packets.
cp-bwm                          Displays the data path CP bandwidth management table information.
crypto counters                 Displays crypto parameter statistics including crypto, IPsec, PPTP, WEP, TKIP, AESCCM encryption and decryptions, WEP CRC, crypto hardware, XSEC, DOT1X and L2TP information.
debug                           Displays datapath debug details. These are low-level datapath details.
dma counters                    DMA counters are displayed.
eap                             EAP termination statistics displayed.
opcode                          Displays datapath debugging information. Use this command only under the supervision of Alcatel-Lucent technical support.
performance                     Datapath performance counters. By default, combined statistics of all CPUs are shown.
pkttrace-buffer                 Packet trace buffer statistics.
trace-buffer                    Debug trace-buffer tables are displayed.
trace-route                     Route cache tracing statistics are displayed.
dhcp                            Datapath DHCP-related information.
vm-mac                          Datapath of the VM to host client mac
error                           Datapath error statistics.
counters                        Show datapath errors including SUM, CPU, Addr and description information.
esi table                       Displays the contents of the datapath ESI server table entries including server, IP, MAC, destination, VLAN, type, session and flag information.
exthdr                          Displays the datapath default IPv6 Extended Header Map.
firewall-agg-sess               Displays the datapath firewall aggregated sessions table.
counters                        Displays the datapath aggregate session statistics.
fqdn                            Displays datapath FQDN entries.
frame counters                  Displays frame statistics that are received and transmitted from the data path of the switch. Several output fields include the following descriptions:
                                • Descr failures: This is the number of times a packet descriptor was not available and the packet dropped.
                                • Dot1QDiscards: The number of packets received on a trunk port where the VLAN presented did not match any configured on the switch and the packet dropped.
                                • Dot1d Discards: Spanning tree is disabled and each BPDU frame is counted and dropped.
                                • Denied Frames: Frames that are denied by the ACL's data path of the switch.
ap-name <ap-name>               Name of the AP.
ip-addr <ip-address>            IP address of the AP.
hardware                        Displays datapath hardware counters and hardware packet statistics information.
internal                        Internal details are displayed.
dir <dir>                       Hardware directory
file <file>                     File in the directory.
ip-fragment-table               Displays ip-fragment statistics including CPU, current entries, high water mark, max, total, and aged entries.
ipv4                            Displays IPv4 fragment statistics.
ipv6                            Displays IPv6 fragment statistics.
counters                        Hardware counters.
statistics                      Hardware packet statistics.
ip-mcast destination group      Displays the data path IP multicast table statistics. These include source, group, VLAN and destination.
ip-reassembly                   Displays the contents of the IP Reassembly statistics tables.
ap-name <ap-name>               Name of the AP.
counters                        IP reassembly counters.
ip-addr <ip-address>            IP address of the AP.
ipv4                            Displays the IPv4 contents of the IP Reassembly statistics table.
ipv6                            Displays the IPv6 contents of the IP Reassembly statistics table.
ipv6-mcast destination group    Displays the data path IP multicast table statistics. These include source, group, VLAN and destination.
lag table                       Displays contents of the datapath link aggregation group (LAG) or port channel table.
message-queue counters          Displays statistics of messages received by a CPU from other datapath CPUs (only CPUs that receive messages and non-zero statistics are shown).
maintenance counters            Displays datapath maintenance statistics.
nat                             Displays the contents of the datapath NAT entries table. It displays NAT pools as configured in the datapath. Statistics include pool, SITP start, SIP end and DIP.
network ingress                 Displays ingress queue counters.
ap-name <ap-name>               Name of AP.
counters                        Nat counters.
ip-addr <ip-address>            IP address of the AP.
port                            Displays the datapath port table information. This includes the port number, PVID, Ingress ACL, Egress ACL, Session ACL, and the following flags:
                                • Q: trunk
                                • T: trusted
                                • B: blocked by the Spanning Tree protocol
                                • L: LSG
                                • M: tunneled node
                                • X: xSec
                                • Z: QinQ
link-event                      Displays port link up and link down event counters.
monitor                         Displays the monitor port configuration.
stats <slot/port>               Displays the physical port statistics.
status <slot/port>              Displays the physical port status.
trusted                         Displays the trusted ports.
tunneled-node                   Displays the tunneled node ports.
untrusted-vlan <slot/port>      Show if there are untrusted vlan entries for the indicated slot and port.
xsec                            Displays the xsec ports.
rap-bw-resv ap-name ip-addr     Displays the remote AP uplink BW reservation statistics of the RAP only.
rap-pkt-trace ap-name ip-addr   Displays the remote AP packet-trace statistics of the RAP only.
rap-stats ap-name ip-addr       Displays the remote AP statistics of the RAP only.
route                           Displays datapath route table statistics.
ap-name <ap-name>               Name of the AP.
counters                        Displays route table statistics such as current entries, high water mark, maximum entries, total entries, allocation failures and max link length.
ip-addr <ip-address>            IP address of the AP.
ipv4                            Displays datapath IPv4 routing table.
ipv6                            Displays datapath IPv6 routing table.
table                           Displays route table entries such as IP, mask, gateway, cost, VLAN and flags.
verbose                         Displays all detailed route table entries including IP, mask, gateway, cost, VLAN, flags, Internal VerNum Index.
route-cache                     Displays datapath route cache table statistics.
ap-name <ap-name>               Name of the AP.
counters                        Displays route cache table statistics such as current entries, high water mark, maximum entries, total entries, allocation failures and max link length.
ip-addr <ip-address>            IP address of the AP.
ipv4                            Displays datapath IPv4 route cache.
ipv6                            Displays datapath IPv6 route cache.
table                           Displays route cache table entries such as IP, mask, gateway, cost, VLAN and flags.
verbose                         Displays all detailed route cache table entries including IP, mask, gateway, cost, VLAN, flags, Internal VerNum Index.
services                        Displays the datapath services table statistics including protocol, port and service.
session                         Displays datapath session statistics.
ap-name <ap-name>               Name of AP.
counters                        Displays counters statistics including current entries, high water mark, maximum entries, total entries, allocation failures, duplicate entries, cross linked entries, number of reverse entries and maximum link length.
ip-addr <ip-address>            IP address of the AP.
ipv6                            Displays datapath IPv6 session entries and statistics including current entries, high water mark, maximum entries, total entries, allocation failures, duplicate entries, cross linked entries, number of reverse entries and maximum link length.
table                           Displays all the IP flows of a wireless device or Alcatel-Lucent AP. Statistics include table entries including source IP, destination IP, protocol, SPort, DPort, Cntr, priority, ToS, age, destination, TAge and flags.
station                         Displays datapath station association table statistics.
counters                        Displays the current and high water mark number of 802.11 associated wireless devices on an Alcatel-Lucent switch. Values output from this command represent the water marks since the last boot of the switch. This is the same value obtainable from the Num Associations output from the show stm connectivity command.
mac <macaddr>                   Hardware address, in hexadecimal format.
tcp                             Displays contents of the tcp tunnel table. This command displays all tcp tunnels that are terminated by the switch.
app <app>                       Name of the application.
counters                        Displays the tcp tunnel statistics.
tunnel                          Displays the tcp tunnel table.
table                           This command displays the Datapath Station Table Statistics detail. Displays all associated wireless devices on the Alcatel-Lucent switch with their corresponding AP BSSID and VLAN ID. Shows whether the wireless device is associated with the correct encryption type (if the device is associated to an AP BSSID that has encryption enabled) and verifies whether the Alcatel-Lucent switch is having a problem in decrypting the wireless device's frames.
tunnel                          Displays contents of the datapath tunnel table. This command displays all the tunnels that are terminated by the switch, including Alcatel-Lucent APs' GRE tunnels. For example, a GRE tunnel is created and terminated on the Alcatel-Lucent switch for every SSID/BSSID configured on the Alcatel-Lucent AP.
counters                        Tunnel counters.
ipv4                            Displays the tcp tunnel table filtered on IPv4 entries.
ipv6                            Displays the tcp tunnel table filtered on IPv6 entries.
station-list                    Displays the list of stations on the tunnel.
table                           Tunnel table statistics.
user                            Displays datapath user statistics such as current entries, pending deletes, high water mark, maximum entries, total entries, allocation failures, invalid users and maximum link length.
ap-name <ap-name>               Name of AP.
counters                        User counters.
ip-addr <ip-address>            IP address of the AP.
ipv4                            Displays datapath IPv4 user entries and statistics such as current entries, pending deletes, high water mark, maximum entries, total entries, allocation failures, invalid users, and maximum link length.
ipv6                            Displays datapath IPv6 user entries and statistics such as current entries, pending deletes, high water mark, maximum entries, total entries, allocation failures, invalid users, and maximum link length.
table                           User table statistics.
utilization                     Displays the current CPU utilization of all datapath CPUs.
vlan                            Displays VLAN table information such as VLAN memberships inside the datapath including L2 tunnels which tunnel L2 traffic.
ap-name <ap-name>               Name of the AP.
ip-addr <ip-address>            IP address of AP.
table                           Displays VLAN number, flag, port and datapath VLAN multicast entries.
vlan-mcast                      Displays the datapath VLAN multicast table.
ap-name <ap-name>               Name of the AP.
ip-addr <ip-address>            IP address of AP.
table                           Displays datapath VLAN Multicast table entries.
wifi-reassembly counters        Displays wifi reassembly counters including CPU, current entries, high water mark, maximum entries, total entries and allocation failures.
wmm counters                    Displays VOIP statistics including the number of uplink and downlink resets.


Usage Guidelines
Use the show datapath command to display various datapath statistics for debugging purposes.

Example
The following example displays a partial list of crypto parameter statistics.

(host) (config) #show datapath crypto counters

Datapath Crypto Statistics
--------------------------
Crypto Accelerator          Present
Crypto Cores In Use         1
Crypto Cores Total          4
Crypto Requests Total       16
Crypto Requests Queued      0
Crypto Requests Failed      0
Crypto Timeouts             0
Crypto NoCoreFree           0
Crypto BadNPlus             0
Crypto SendNPlusFailed      0
IPSec Encryption Failures   0
IPSec Decryption Failures   0
IPSec Decryption Loops      0
IPSec Decryption BufFail    0
IPSec Decr SPI(client) ERR  0
IPSec Decrypt SA Not Ready  0
IPSec Frag Failures         0
IPSec Bad Pad Length        0
IPSec Invalid TCP Index     0
IPSec Invalid Length        0
IPSec Invalid Head-Room     0
IPSec Invalid Protocol      0
PPTP Encryption Failures    0
PPTP Decryption Failures    0
WEP Encryption Failures     0
WEP Decryption Failures     0
WEP No Key (not serious)    0
TKIP Encryptions            0
TKIP Encryption Failures    0
TKIP Decryptions            0
TKIP Decryption Failures    0
TKIP MIC Failures           0
TKIP Decrypt Bad Counter    0
TKIP P1Key Not Ready        0
...

Command History

Version          Description
AOS-W 3.0        Command introduced.
AOS-W 5.0        The tcp parameter was introduced.
AOS-W 6.1        The crypto counters parameter now displays a number of TKIP/AESCCM/AESGCM decryptions per priority level along with any counter errors per priority. The ipv6 filter option is added to the following parameters in the command:
                 • session
                 • tunnel
                 • user
                 • route-cache
                 • route
                 • ip-reassembly
AOS-W 6.1.3.2    The debug opcode parameter was introduced. Issue this command only under the supervision of Alcatel-Lucent technical support.
AOS-W 6.2        The firewall-agg-sess parameter is introduced.

Command Information

Platforms        Licensing                Command Mode
All platforms    Base operating system    Enable or Config mode on master or local switches


show destination
show destination <string>
Description
Display the aliases for default and user-defined network destinations.
Syntax

Parameter    Description
string       Optional parameter to view details of a specific destination alias.

Example
This example displays the network destinations configured in the switch.

(host) #show destination

switch
----------
Position  Type     IP addr          Mask/Range
--------  ----     -------          ----------
1         host     10.16.15.1

user
----
Position  Type     IP addr          Mask/Range
--------  ----     -------          ----------
1         network  255.255.255.255  0.0.0.0

mswitch
-------
Position  Type     IP addr          Mask/Range
--------  ----     -------          ----------
1         host     10.16.15.1

any
---
Position  Type     IP addr          Mask/Range
--------  ----     -------          ----------
1         network  0.0.0.0          0.0.0.0

The output of this command includes the following parameters:

Parameter     Description
Position      Displays the priority position of the alias.
Type          The rule type of the destination alias.
IP addr       The IP address configured in the alias. This can be a network address, host address or a range.
Mask/Range    Network mask or the IP address range.


Command History
This command was available in AOS-W 1.0. Replaced with netdestination in 3.0.
Command Information

Platforms        Licensing                                                            Command Mode
All platforms    You must have a PEFNG license to configure or view a destination.    Enable or Config mode on master and local switches


show dialer group
crypto-local show dialer group
Description
Display dialer group information.

Syntax
No parameters.

Usage Guidelines
Displays the Dialer Group Table with the current dialing parameters.

Example

(host) #show dialer group

Dialer Group Table
------------------
Name     Init String                       Dial String
----     -----------                       -----------
evdo_us  ATQ0V1E0                          ATDT#777
gsm_us   AT+CGDCONT=1,"IP","ISP.CINGULAR"  ATD*99#

Command History
Introduced in AOS-W 3.4.
Command Information

Platforms                   Licensing                Command Mode
OAW-4306 Series switches    Base operating system    Config mode on master and local switches


show dir
crypto-local show dir usb: disk <disk-name><filesystem-path>
Description
Display the list of directories in the specified disk and the filesystem path.
Syntax

Parameter            Description
<disk-name>          Name of the USB device. If you do not know the name of the USB disk, issue the command show usb-storage to view a list of device names.
<filesystem-path>    The USB file system path.

Example
The command below displays the USB directory list for a device named SEGATE-HJ1235_p1.

(host) #show dir usb: SEGATE-HJ1235_p1/docs

USB directory list
------------------
Permission  Size  Time Stamp      Directory Name
----------  ----  --------------  --------------
drwxr-xr-x  0     May 13 09:39    samba

The output of this command includes the following parameters:

Parameter         Description
Permission        Read, write and execute permissions for the directory.
Size              Size of the directory.
Time Stamp        Date and time that the directory was last modified.
Directory Name    Name of the directory on the USB device.

Command History
This command was introduced in AOS-W 3.4.
Command Information

Platforms                   Licensing                Command Mode
OAW-4306 Series switches    Base operating system    Config mode on master and local switches


show dot1x ap-table
show dot1x ap-table

Description
Shows the 802.1X AP table.

Syntax
No parameters.

Example

Issue this command to display details from the AP table.

AP Table
--------
MAC                IP          Essid        Type  AP name            Vlan  Enc           Stations  Forwarding-Mode       Profile          Acl
---                --          -----        ----  -------            ----  ---           --------  ---------------       -------          ---
00:1a:1e:87:ff:c0  10.3.9.242               AP    00:1a:1e:c0:7f:fc  0     -             0         FORWARD_TUNNEL_80211  default/         1
00:1a:1e:87:ff:d0  10.3.9.242  sw-pn-nokia  AP    00:1a:1e:c0:7f:fc  0     WPA2-AES      0         FORWARD_TUNNEL_80211  default/default  1
00:1a:1e:82:ab:a0  10.3.9.220               AP    monitor-124        0     -             0         FORWARD_TUNNEL_80211  default/         1
00:1a:1e:82:ab:b0  10.3.9.220               AP    monitor-124        0     -             0         FORWARD_TUNNEL_80211  default/         1
00:1a:1e:87:ff:d1  10.3.9.242  sw-pn-t2     AP    00:1a:1e:c0:7f:fc  0     WPA2-PSK-AES  0         FORWARD_TUNNEL_80211  default/default  1

Num APs: 5

The output of this command includes the following parameters:

Parameter          Description
MAC                The MAC address of the AP
IP                 The IP address of the AP
Essid              The AP's ESSID
Type               Device type
AP name            Name of the AP
Vlan               Number of VLANs associated with the specified AP
Enc                AP's encryption method
Stations           Number of stations associated with the specified AP
Forwarding Mode    Forwarding mode used by the specified AP
Profile            AP profile
Acl                Number of ACLs this AP belongs to


Command History
This command was introduced in AOS-W 3.0.
Command Information

Platforms        Licensing                Command Mode
All platforms    Base operating system    Enable or config mode on master switches


show dot1x ap-table aes
show dot1x ap-table aes

Description
Shows the AES keys of all APs.

Syntax
No parameters.

Example

Issue this command to display AES keys of all APs.

AP Table Showing AES Keys
-------------------------
AP-MAC             GTK/Size/Slot
------             -------------
00:1a:1e:87:ff:d0  * * * * * * * */128-Bit/1
00:1a:1e:87:ff:d1  * * * * * * * */128-Bit/1

The output of this command includes the following parameters:

Parameter        Description
AP-MAC           AP MAC address
GTK/Size/Slot    GTK: The group temporal key
                 Size: Size of the AES key
                 Slot: Slot number

Command History
This command was introduced in AOS-W 3.0.
Command Information

Platforms        Licensing                Command Mode
All platforms    Base operating system    Enable or config mode on master switches


show dot1x ap-table dynamic-wep
show dot1x ap-table dynamic-wep
Description
Shows the dynamic WEP keys of all APs.
Syntax
No parameters.
Example
Issue this command to display dynamic keys of all APs.

Dynamic-WEP Key Information
---------------------------
AP-MAC  Key1/Size/Slot  Key2/Size/Slot
------  --------------  --------------
Num APs: 0

The output of this command includes the following parameters:

Parameter         Description
AP-MAC            AP MAC address
Key1/Size/Slot    Key1: The WEP key
                  Size: Size of the WEP key
                  Slot: Slot number
Key2/Size/Slot    Key2: The WEP key
                  Size: Size of the WEP key
                  Slot: Slot number

Command History
This command was introduced in AOS-W 3.0.
Command Information

Platforms        Licensing                Command Mode
All platforms    Base operating system    Enable or config mode on master switches


show dot1x ap-table static-wep
show dot1x ap-table static-wep

Description
Shows the static WEP keys of all APs.

Syntax
No parameters.

Example

Issue this command to display the static WEP keys of all APs.

Static-WEP Key Information
--------------------------
AP-MAC  Key1/Size  Key2/Size  Key3/Size  Key3/Size
------  ---------  ---------  ---------  ---------
Num APs: 0

The output of this command includes the following parameters:

Parameter    Description
AP-MAC       AP's MAC address
Key1/Size    WEP key 1 and its size
Key2/Size    WEP key 2 and its size
Key3/Size    WEP key 3 and its size
Key3/Size    WEP key 3 and its size

Command History
This command was introduced in AOS-W 3.0.
Command Information

Platforms        Licensing                Command Mode
All platforms    Base operating system    Enable or config mode on master switches


show dot1x ap-table tkip
show dot1x ap-table tkip

Description
Displays a table of TKIP keys on the switch.

Syntax
No parameters.

Example

Issue this command to display all TKIP keys.

AP Table Showing TKIP Keys
--------------------------
AP-MAC             GTK/Size/Slot
------             -------------
00:1a:1e:6f:e5:10  * * * * * * * */256-Bit/1

Num APs: 1

The output of this command includes the following parameters:

Parameter        Description
AP-MAC           AP MAC Address
GTK/Size/Slot    GTK: The group temporal key
                 Size: Size of the AES key
                 Slot: Slot number

Command History
This command was introduced in AOS-W 3.0.
Command Information

Platforms        Licensing                Command Mode
All platforms    Base operating system    Enable or config mode on master switches


show dot1x counters
show dot1x counters
Description
Displays a table of dot1x counters.
Example
Issue this command to display all 802.1X counter information.

802.1x Counters
AP
Sync Request...................4
Sync Response..................3
Up.............................4
Down...........................1
Resps..........................4
Acl............................53
Station
Sync Request...................9
Sync Response..................9
Up.............................2321
Down...........................2272
Unknown........................72
EAP
RX Pkts........................4811
Dropped Pkts...................4497
TX Pkts........................5253
WPA
Message-1......................2484
Message-2......................63
Message-3......................63
Message-4......................63
Group Message-1................63
Group Message-2................63
Rx Failed......................2418
IE Mismatches..................4836
Key Exchange Failures..........602
WPA2
Message-1......................2630
Message-2......................13
Message-3......................13
Message-4......................13
Rx Failed......................2079
IE Mismatches..................4158
Key Exchange Failures..........549
Radius Accept.........................1217
Station Deauths.................1151
The output of this command includes the following parameters:

Parameter                    Description
AP
  Sync Request               Number of sync requests sent
  Sync Response              Number of sync responses sent
  Up                         Number of times an AP has come up
  Down                       Number of times an AP has gone down
  Resps                      Number of response messages sent to the AP due to an AP up message
  Acl                        Number of access control lists
Station
  Sync Request               Number of sync requests sent to find all APs and stations that are connected
  Sync Response              Number of sync responses received
  Up                         Number of times a station (any station) connected to the AP
  Down                       Number of times a station (any station) disconnected from the AP
  Unknown                    Number of times a station attempted to start an EAP exchange before associating to an AP. In other words, the number of times the auth module saw the start of an EAP exchange before auth was notified that a station has associated to an AP
EAP
  RX Pkts                    Number of EAP packets received
  Dropped Pkts               Number of EAP packets dropped (ignored) for any reason, such as bad packet, length, EAP ID mismatch, etc.
  TX Pkts                    Number of EAP packets sent
WPA
  Message-1                  Number of WPA message-1s sent
  Message-2                  Number of WPA message-2s sent
  Message-3                  Number of WPA message-3s sent
  Message-4                  Number of WPA message-4s sent
  Group Message-1            Number of WPA group message-1s sent
  Group Message-2            Number of WPA group message-2s sent
  Rx Failed                  Number of WPA related EAP packets dropped for any reason
  IE Mismatches              Number of WPA related EAP packets dropped because the station and switch have a different perception of what the connection details are
  Key Exchange Failures      Number of key exchange failures
WPA2
  Message-1                  Number of WPA2 message-1s sent
  Message-2                  Number of WPA2 message-2s sent
  Message-3                  Number of WPA2 message-3s sent
  Message-4                  Number of WPA2 message-4s sent
  Rx Failed                  Number of WPA2 related EAP packets dropped for any reason
  IE Mismatches              Number of WPA2 related EAP packets dropped because the station and switch have a different perception of what the connection details are
  Key Exchange Failures      Number of key exchange failures
Radius Accept                Number of RADIUS accepts
Station Deauths              Number of station deauths
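
A parsing sketch for the counter listing above, added here as an example (it is not part of the reference guide or of AOS-W): it reads the dotted name/value lines into per-group counters and computes, for the WPA and WPA2 groups, how many started key exchanges (Message-1) never reached Message-4, together with the EAP drop ratio. The sample text is constructed from the values in the example and assumes one counter per line under its group name; the function names and the 0.5 alert threshold are assumptions.

```python
import re
from collections import OrderedDict

# Constructed sample: counter lines in the "Name....value" layout of the
# "show dot1x counters" example, one counter per line under its group name.
SAMPLE_OUTPUT = """\
802.1x Counters
EAP
RX Pkts........................4811
Dropped Pkts...................4497
TX Pkts........................5253
WPA
Message-1......................2484
Message-2......................63
Message-3......................63
Message-4......................63
Group Message-1................63
Group Message-2................63
Rx Failed......................2418
IE Mismatches..................4836
Key Exchange Failures..........602
WPA2
Message-1......................2630
Message-2......................13
Message-3......................13
Message-4......................13
Rx Failed......................2079
IE Mismatches..................4158
Key Exchange Failures..........549
"""

# A counter line is a name, a run of at least two dots, then an integer.
COUNTER_RE = re.compile(r"^(?P<name>.+?)\.{2,}\s*(?P<value>\d+)$")


def parse_dot1x_counters(text):
    """Return {group: {counter: int}} parsed from the counter listing."""
    groups = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.lower() == "802.1x counters":
            continue  # blank line or the table title
        match = COUNTER_RE.match(line)
        if match:
            if current is None:
                raise ValueError("counter before any group name: %r" % line)
            groups[current][match.group("name").strip()] = int(match.group("value"))
        else:
            current = line  # any non-counter line starts a new group
            groups.setdefault(current, OrderedDict())
    return groups


def handshake_health(groups, threshold=0.5):
    """Summarise key-exchange completion for the WPA and WPA2 groups.

    threshold is an assumed alerting cut-off, not a vendor recommendation.
    """
    report = {}
    for proto in ("WPA", "WPA2"):
        counters = groups.get(proto)
        if not counters or counters.get("Message-1", 0) == 0:
            continue  # group absent, or no exchanges were started
        started = counters["Message-1"]
        completed = counters.get("Message-4", 0)
        incomplete = 1.0 - completed / started
        report[proto] = {
            "started": started,
            "completed": completed,
            "incomplete_ratio": round(incomplete, 3),
            "key_exchange_failures": counters.get("Key Exchange Failures", 0),
            "alert": incomplete > threshold,
        }
    return report


def eap_drop_ratio(groups):
    """Fraction of received EAP packets that were dropped (None if no RX)."""
    eap = groups.get("EAP", {})
    received = eap.get("RX Pkts", 0)
    return round(eap.get("Dropped Pkts", 0) / received, 3) if received else None


if __name__ == "__main__":
    parsed = parse_dot1x_counters(SAMPLE_OUTPUT)
    for proto, row in handshake_health(parsed).items():
        print(proto, row)
    print("EAP drop ratio:", eap_drop_ratio(parsed))
```

The counters are cumulative, so comparing two snapshots taken some minutes apart says more about current behaviour than a single reading does.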

Command History
This command was introduced in AOS-W 3.0.


Command Information

Platforms        Licensing                Command Mode
All platforms    Base operating system    Enable or config mode on master switches


show dot1x supplicant-info
show dot1x supplicant-info <supplicant-mac> <ap-mac>

Description
Shows the details about a specific supplicant.

Example

Issue this command to display the details about a supplicant.

Name                               MYCORPNETWORKS\ccutler
MAC Address                        00:19:7e:a9:8e:b0
AP MAC Address                     00:1a:1e:11:5f:11
Status                             Authentication Success
Unicast Cipher                     WPA2-AES
Multicast Cipher                   WPA2-AES
EAP-Type                           EAP-PEAP
Packet Statistics:
EAPOL Starts                       0
EAP ID Requests                    0
EAP ID Responses                   0
EAPOL Logoffs from station         0
EAP pkts to the station            2
EAP pkts from station              2
Unknown EAP pkts from station      0
EAP Successes sent                 0
EAP Failures sent                  0
Station failed to respond          0
Station NAKs                       0
Radius pkts to the server          0
Radius pkts from the server        0
Server failed to respond           0
Server rejects                     0
WPA/WPA2-Key Message1              1
WPA/WPA2-Key Message2              1
WPA/WPA2-Key Message3              1
WPA/WPA2-Key Message4              1
WPA-GKey Message1                  0
WPA-GKey Message2                  0
ID of the last EAP request         0
Length of the last EAP request     151
ID of the last EAP response        0
Length of the last EAP response    0
ID of the last radius request      0
Length of the last radius request  0
ID of the last radius response     0

The output of this command includes the following parameters:

Parameter                             Description
Name                                  Supplicant name.
MAC Address                           Supplicant MAC address.
AP MAC Address                        AP MAC address.
Status                                Supplicant's status.
Unicast Cipher                        Supplicant's unicast cipher.
Multicast Cipher                      Supplicant's multicast cipher.
EAP-Type                              Supplicant's EAP-Type.
EAPOL Starts                          Number of EAPOL starts.
EAP ID Requests                       Number of EAP ID requests.
EAP ID Responses                      Number of EAP ID responses.
EAPOL Logoffs from station            Number of EAPOL logoffs from the station.
EAP pkts to the station               Number of EAP packets sent to the station.
EAP pkts from station                 Number of EAP packets sent from the station.
Unknown EAP pkts from station         Number of unknown EAP packets sent from the station.
EAP Successes sent                    Number of EAP successes sent.
EAP Failures sent                     Number of EAP failures sent.
Station failed to respond             Number of times the station failed to respond.
Station NAKs                          Number of station negative-acknowledgement characters.
Radius pkts to the server             Number of radius packets sent to the server.
Radius pkts from the server           Number of radius packets sent from the server.
Server failed to respond              Number of times the server failed to respond.
Server rejects                        Number of times a connection was rejected by the server.
WPA/WPA2-Key Message1                 Number of WPA message-1s sent.
WPA/WPA2-Key Message2                 Number of WPA message-2s sent.
WPA/WPA2-Key Message3                 Number of WPA message-3s sent.
WPA/WPA2-Key Message4                 Number of WPA message-4s sent.
WPA-GKey Message1                     Number of WPA group message-1s sent.
WPA-GKey Message2                     Number of WPA group message-2s sent.
ID of the last EAP request            The ID of the last EAP request.
Length of the last EAP request        The length of the last EAP request.
ID of the last EAP response           The ID of the last EAP response.
Length of the last EAP response       The length of the last EAP response.
ID of the last radius request         The ID of the last radius request.
Length of the last radius request     The length of the last radius request.
ID of the last radius response        The ID of the last radius response.
Length of the last radius response    The length of the last radius response.

Command History
This command was introduced in AOS-W 3.0.
Command Information

Platforms        Licensing                Command Mode
All platforms    Base operating system    Enable or config mode on master switches


show dot1x supplicant-info list-all
show dot1x supplicant-info list all

Description
Shows all 802.1X supplicants.

Syntax
No parameters.

Example

Issue this command to display all 802.1X supplicants as well as additional relevant information.

802.1x User Information
-----------------------
MAC                Name   Auth  AP-MAC             Enc-Key/Type              Auth-Mode      EAP-Type  Remote
---                ----   ----  ------             ------------              ---------      --------  ------
00:15:00:26:f8:f5  user1  Yes   00:0b:86:8b:68:68  * * * * * * * */WPA2-AES  Explicit Mode  EAP-PEAP  No

Station Entries: 1
The output of this command includes the following parameters:

Parameter MAC Name Auth AP-MAC Enc-Key/Type
Auth-Mode EAP-Type Remote

Description Supplicant MAC address Supplicant name Shows if the supplicant authenticated successfully AP MAC address Enc-Key: Supplicant's encryption key Type: Encryption type used by the supplicant Authentication mode EAP type Is the supplicant remote

Command History
This command was introduced in AOS-W 3.0.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode Enable or config mode on master switches

show dot1x supplicant-info pmkid
show dot1x supplicant-info pmkid <supplicant-mac>

Description
Shows the PMKIDs of the various stations on the switch.

Syntax
No parameters.

Example

Issue this command to display the PMKIDs of the various stations on the switch.

PMKID Table
-----------
Mac                Name      AP                 PMKID
---                ----      --                 -----
00:03:7f:bf:12:ac  zoobar22  00:0b:86:a0:57:60  c2:7d:12:1a:1c:5b:40:f8:89:46:22:a5:ec:9b:fb:a6
00:03:7f:bf:12:ac  zoobar22  00:0b:86:c0:04:88  bb:2d:e1:57:e1:b8:9b:a2:71:f5:98:ad:61:db:47:e7

The output of this command includes the following parameters:

Parameter  Description
MAC        Supplicant MAC address
Name       Supplicant name
AP         AP MAC address
PMKID      Station PMKID

Command History
This command was introduced in AOS-W 3.0.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode Enable or config mode on master switches

show dot1x supplicant-info statistics
show dot1x supplicant-info statistics

Description
Shows the 802.1X statistics of the users.

Syntax
No parameters.

Example

Issue this command to display the 802.1X statistics of the users.

802.1x Statistics
-----------------
Mac                Name   AP                 Auth-Succs  Auth-Fails  Auth-Tmout  Re-Auths  Supp-Naks  UKeyRotations  MKeyRotations
---                ----   --                 ----------  ----------  ----------  --------  ---------  -------------  -------------
00:15:00:26:f8:f5  user1  00:0b:86:8b:68:68  1           0           0           0         0          0              0
Total:                                       2           0           0           0         0          0              0

Station Entries: 1

The output of this command includes the following parameters:

Parameter      Description
MAC            Supplicant MAC address.
Name           Supplicant name.
AP             AP MAC address.
Auth-Succs     Number of successful authentications.
Auth-Fails     Number of authentication failures.
Auth-Tmout     Number of authentication timeouts.
Re-Auths       Number of reauthentications.
Supp-Naks      Number of negative-acknowledgement characters sent by the supplicant.
UKeyRotations  Number of unicast key rotations.
MKeyRotations  Number of multicast key rotations.

Command History
This command was introduced in AOS-W 3.0.

Command Information

Platforms All platforms

Licensing Base operating system

Command Mode Enable or config mode on master switches

show esi groups
show esi groups [{group-name <groupname>}|{ping-name <ping-name>}]
Description
Show ESI group information.
Syntax

Parameter               Description
group-name <groupname>  View the facility used when logging messages into the remote syslog server.
ping-name <ping-name>   Enter the name of a set of ping values to show the names of ESI groups using that set of ping attributes. Define a set of ESI ping values using the command esi ping.
server                  Show the IP address of a remote logging server.

Usage Guidelines
The ESI parser is a mechanism for interpreting syslog messages from third party appliances such as anti-virus gateways. Use this command to view configured ESI server groups.
Example
This example below displays the name of each configured ESI group, including its ping definitions and ESI server.

(host) #show esi groups

ESI Group Table
---------------
Name       Tunnel ID  Ping       Flags  Servers
----       ---------  ----       -----  -------
anything   0x1042     pingset_1  C      0
cupertino  0x1043     -          C      0

Flags:
C:Datapath Download complete

Related Commands

Command               Description                                                       Mode
esi parser domain     This command configures an ESI syslog parser domain.              Config mode on master or local switches.
esi parser rule       This command creates or changes an ESI syslog parser rule.        Config mode on master or local switches.
esi parser rule-test  This command allows you to test all of the enabled parser rules.  Config mode on master or local switches.

Command History
This command was introduced in AOS-W 2.5.

Command Information

Platforms All platforms

Licensing Base operating system

Command Mode Enable and Config mode on master or local switches.

show esi parser
show esi parser domains|rules|stats
Description
Show ESI parser information.
Syntax

Parameter  Description
domains    Show ESI parser domain information.
rules      Show ESI parser rule information.
stats      Show ESI parser rule stats.

Usage Guidelines
The ESI parser is a generic syslog parser on the switch that accepts syslog messages from external third-party appliances such as anti-virus gateways, content filters, and intrusion detection systems. It processes syslog messages according to user-defined rules and takes configurable actions on the corresponding system users.
ESI servers are configured into domains to which ESI syslog parser rules are applied.
Use the show esi parser domains command to show ESI parser domain information.

Example
The ESI Parser Domain table in the example below shows that the switch has two ESI domains and two ESI servers.

(host) #show esi parser domains

ESI Parser Domain Table
-----------------------
Domain         ESI Servers
------         -----------
corp_domain    172.21.5.50
remote_domain  192.84.66.30

Peer Switches
---------------
10.3.132.14

Total number of servers configured: 2

Related Commands

Command               Description                                                       Mode
esi parser domain     This command configures an ESI syslog parser domain.              Config mode on master or local switches.
esi parser rule       This command creates or changes an ESI syslog parser rule.        Config mode on master or local switches.
esi parser rule-test  This command allows you to test all of the enabled parser rules.  Config mode on master or local switches.

Command History
This command was introduced in AOS-W 3.1.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode Enable and Config mode on master or local switches.

show esi ping
show esi ping [ping-name <ping-name>]
Description
Show settings for ESI ping health check attributes.
Syntax

Parameter

Description

ping-name <ping-name> Include the optional ping-name <ping-name> parameters to display settings for one specified set of ping settings.

Example
The example below shows that the switch has three defined sets of ping attributes.

(host) #show esi ping

ESI Ping Table
--------------
Name       Frequency (sec)  Timeout (sec)  Retry Count  ID  Num Groups
----       ---------------  -------------  -----------  --  ----------
ping_att1  5                2              2            0   1
ESIping    5                2              2            1   0
ESIping2   50000            2              2            2   2

The output of this command includes the following information:

Column       Description
Name         Name of a group of ping settings.
frequency    Specifies the ping frequency in seconds.
timeout      Specifies the ping timeout in seconds.
retry-count  Specifies the ping retry count.
ID           ID number assigned to the ping attributes when that set of attributes was defined.
Num Groups   Number of ESI groups to which this set of ping attributes is assigned.

Related Commands

Command   Description                                                      Mode
esi ping  This command specifies the ESI ping health check configuration.  Config mode on master or local switches.

Command History
This command was introduced in AOS-W 2.5.

Command Information

Platforms All platforms

Licensing Base operating system

Command Mode Enable and Config mode on master or local switches.

show esi servers
show esi servers [{group-name <groupname>}|{server-name <server-name>}]
Description
Show configuration information for ESI servers.
Syntax

Parameter                  Description
group-name <groupname>     Include this optional parameter to display information for all ESI servers assigned to a specific ESI group.
server-name <server-name>  Specify an ESI server name to view configuration information for just that server.

Usage Guidelines
By default, this command displays configuration settings for all ESI servers. You can include the name of an ESI group to view servers assigned to just that group, or specify a server name to view information for that server only.
Example
This example below displays configuration details for the ESI server name forti_1.

(host) #show esi servers server-name forti_1

ESI Server Table
----------------
Name     Trusted IP    Untrusted IP  Trusted s/p  Untrusted s/p  Group    Mode   NAT Port  ID  Flags
----     ----------    ------------  -----------  -------------  -----    ----   --------  --  -----
forti_1  10.168.173.2  10.168.171.3  -/-          -/-            default  route  0         4   U

Flags:
C :Datapath Download complete
U :Server Up
D :Server Down
PT:Trusted Ping response outstanding
PU:Untrusted Ping response outstanding
HT:Health Check Trusted IP
HU:Health Check Untrusted IP
FT:Trusted Ping failed
FU:Untrusted Ping failed
The output of this command includes the following information:

Column         Description
Name           Name of the ESI server.
Trusted IP     Displays the server IP address on the trusted network. As an option, you can also enable a health check on the specified address.
Untrusted IP   Displays the server IP address on the untrusted network. As an option, you can also enable a health check on the specified address.
Trusted s/p    Shows the slot and port connected to the trusted side of the ESI server; slot/port format.
Untrusted s/p  Shows the slot and port connected to the untrusted side of the ESI server.
Group          Name of the ESI group to which this server is assigned. If the server has not yet been assigned to a group, this column will be blank.
Mode           Specifies the ESI server mode of operation: bridge, nat, or route.
Nat Port       Displays the NAT destination TCP/UDP port.
ID             ID number assigned to the server when it was first defined.
Flags          This data column displays any flags associated with this server. The flag key appears below the ESI Server Table.

Related Commands

Command     Description                             Mode
esi server  This command configures an ESI server.  Config mode on master or local switches.

Command History
This command was introduced in AOS-W 2.5.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode Enable and Config mode on master or local switches.

show fast-roaming-r1-efficiency
show fast-roaming-r1-efficiency <client-mac>
Description
This command displays the hit/miss rate of r1 keys cached on an AP before a Fast BSS Transition roaming.
Syntax

Parameter <client-mac>

Description MAC address of the client.

Usage Guidelines
Use this command to view the hit/miss rate of r1 keys cached on an AP before a Fast BSS Transition roaming. This counter helps to verify if enough r1 keys are pushed to the neighboring APs.
Example

(host) #show fast-roaming-r1-efficiency

Fast Roaming R1 Key Efficiency
------------------------------
Client MAC         Hit (%)  Miss (%)
----------         -------  --------
00:50:43:21:01:b8  0 (0%)   0 (0%)

Command History
This command was introduced in AOS-W 6.2.

Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Config or Enable mode on master or local switches

show faults
show faults [history]
Description
Display a list of faults, which are any problematic conditions of the AOS-W software or hardware.
Syntax

Parameter history

Description Include this parameter to display a history of faults cleared by the switch or the operator.

Usage Guidelines
A switch can maintain a list of up to 100 faults. Once 100 faults have been logged, any faults arising after that are dropped. The switch maintains a history of the last 100 faults that have cleared. Every time a new fault clears, the oldest fault in the fault history is purged from the list.

Example
The example below shows all active faults on the switch, including the time the fault occurred, the fault ID number, and a description of the problem.

(host) #show faults

Active Faults
-------------
Time                 Number  Description
----                 ------  -----------
2009-03-02 18:13:08  93      Authentication Server vortex is down.
2009-03-02 18:13:08  94      Authentication Server vortex is down.
2009-03-02 18:13:08  95      Authentication Server vortex is down.
2009-03-02 18:13:08  96      Authentication Server vortex is down.
2009-03-02 18:13:08  97      Authentication Server corp1-supersvr is down.
2009-03-02 18:13:08  98      All authentication servers in server group sg-auth2 are brought back in service.
2009-03-02 18:13:08  99      Authentication Server corp1-supersvr is down.
2009-03-02 18:13:08  100     All authentication servers in server group sg-auth2 are brought back in service.
2009-03-02 18:13:08  101     Authentication Server corp1-supersvr is down.
2009-03-02 18:13:08  102     All authentication servers in server group sg-auth2 are brought back in service.
2009-03-02 18:13:08  103     Authentication Server corp1-supersvr is down.
2009-03-02 18:13:08  104     All authentication servers in server group sg-auth2 are brought back in service.
2009-03-02 18:13:08  105     Authentication Server corp1-supersvr is down.
2009-03-02 18:13:08  106     All authentication servers in server group sg-auth2 are brought back in service.
2009-03-02 18:13:09  107     Authentication Server corp1-supersvr is down.
2009-03-02 18:13:09  108     All authentication servers in server group sg-auth2 are brought back in service.
2009-03-02 18:13:09  109     Authentication Server corp1-supersvr is down.
2009-03-02 18:13:09  110     All authentication servers in server group sg-auth2 are brought back in service.
2009-03-02 18:13:09  111     Authentication Server corp1-supersvr is down.
2009-03-02 18:13:09  112     All authentication servers in server group sg-auth2 are brought back in service.
2009-03-02 18:13:09  113     Authentication Server corp1-supersvr is down.
2009-03-02 18:13:09  114     All authentication servers in server group sg-auth2 are brought back in service.
2009-03-02 18:13:09  115     Authentication Server corp1-supersvr is down.

Total number of entries in the queue :23

Related Commands

Command               Description                                                                                                          Mode
clear fault <id>|all  Manually clear a single fault by specifying the fault ID number, or clear all faults by including the all parameter.  Config mode

Command History
This command was introduced in AOS-W 3.0.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode Enable and Config mode on master or local switches.

show firewall
show firewall

Description
Display a list of global firewall policies.

Syntax
No parameters

Example
The example below shows all firewall policies currently configured on the switch.

(host) (config) #show firewall

Global firewall policies
------------------------
Policy                                      Action    Rate      Slot/Port
------                                      ------    ----      ---------
Enforce TCP handshake before allowing data  Disabled
Prohibit RST replay attack                  Disabled
Deny all IP fragments                       Disabled
Prohibit IP Spoofing                        Enabled
Monitor ping attack                         Disabled
Monitor TCP SYN attack                      Disabled
Monitor IP sessions attack                  Disabled
Deny inter user bridging                    Disabled
Log all received ICMP errors                Disabled
Per-packet logging                          Disabled
Session mirror destination                  Disabled
Stateful SIP Processing                     Enabled
Allow tri-session with DNAT                 Disabled
Disable FTP server                          No
GRE call id processing                      Disabled
Session Idle Timeout                        Disabled
Broadcast-filter ARP                        Disabled
WMM content enforcement                     Disabled
Session VOIP Timeout                        Disabled
Stateful H.323 Processing                   Enabled
Stateful SCCP Processing                    Enabled
Only allow local subnets in user table      Disabled
Monitor/police CP attacks                   Disabled
Rate limit CP untrusted ucast traffic       Enabled   20 Mbps
Rate limit CP untrusted mcast traffic       Enabled   4 Mbps
Rate limit CP trusted ucast traffic         Enabled   160 Mbps
Rate limit CP trusted mcast traffic         Enabled   4 Mbps
Rate limit CP route traffic                 Enabled   2 Mbps
Rate limit CP session mirror traffic        Enabled   2 Mbps
Rate limit CP auth process traffic          Enabled   2 Mbps
Deny inter user traffic                     Disabled
Prohibit ARP Spoofing                       Disabled
Stateful VOCERA Processing                  Enabled
Stateful UA Processing                      Enabled
Enforce bw contracts for broadcast traffic  Disabled
Multicast automatic shaping                 Disabled
Enforce TCP Sequence numbers                Disabled
AMSDU                                       Enabled
Session-tunnel FIB                          Enabled
Prevent DHCP exhaustion                     Disabled
Session mirror IPSEC                        Disabled

The output of this command includes the following information:

Parameter

Description

Enforce TCP handshake before allowing data

If enabled, this feature prevents data from passing between two clients until the three-way TCP handshake has been performed. This option should be disabled when you have mobile clients on the network as enabling this option will cause mobility to fail. You can enable this option if there are no mobile clients on the network.

Prohibit RST replay attack

If enabled, this setting closes a TCP connection in both directions if a TCP RST is received from either direction.

Deny all IP Fragments

If enabled, all IP fragments are dropped.

Prohibit IP Spoofing

When this option is enabled, source and destination IP and MAC addresses are checked; possible IP spoofing attacks are logged and an SNMP trap is sent.

Monitor ping attack

If enabled, the switch monitors the number of ICMP pings per second. If this value exceeds the maximum configured rate, the switch will register a denial of service attack.

Monitor TCP SYN attack

If enabled, the switch monitors the number of TCP SYN messages per second. If this value exceeds the maximum configured rate, the switch will register a denial of service attack.

Monitor IP sessions attack

If enabled, the switch monitors the number of TCP session requests per second. If this value exceeds the maximum configured rate, the switch will register a denial of service attack.

Deny inter user bridging

If enabled, this setting prevents the forwarding of Layer-2 traffic between wired or wireless users. You can configure user role policies that prevent Layer-3 traffic between users or networks but this does not block Layer-2 traffic.

Log all received ICMP errors

Shows if the switch will log received ICMP errors.

Per-packet logging

If active, and logging is enabled for the corresponding session rule, this feature logs every packet.

Session mirror destination

Destination to which mirrored packets are sent.

Stateful SIP Processing

Shows if the switch has enabled or disabled monitoring of exchanges between a voice over IP or voice over WLAN device and a SIP server. This option should be enabled only when there is no VoIP or VoWLAN traffic on the network.

Allow tri-session with DNAT

Shows if the switch allows three-way session when performing destination NAT.

Disable FTP server

If active, this feature disables the FTP server on the switch.

GRE call id processing

If active, the switch creates a unique state for each PPTP tunnel.

Session Idle Timeout

Shows if a session idle timeout interval has been defined.

Broadcast-filter ARP

If enabled, this feature reduces the number of broadcast packets sent to VoIP clients, thereby improving the battery life of voice handsets.

WMM content enforcement

If traffic to or from the user is inconsistent with the associated QoS policy for voice, this feature reclassifies traffic to best effort and data path counters are incremented.

Session VOIP Timeout

If enabled, an idle session timeout is defined for sessions that are marked as voice sessions.

Stateful H.323 Processing

Shows if the switch has enabled or disabled stateful H.323 processing.

Stateful SCCP Processing

Shows if the switch has enabled or disabled stateful SCCP processing.

Only allow local subnets in user table

If enabled, the switch only adds IP addresses which belong to a local subnet to the user table.

Monitor/police CP attacks

If enabled, the switch monitors a misbehaving user's inbound traffic rate. If this rate is exceeded, the switch can register a denial of service attack.

Rate limit CP untrusted ucast traffic

Shows the inbound traffic rate

Rate limit CP untrusted mcast traffic

Displays the untrusted multicast traffic rate limit.

Rate limit CP trusted ucast traffic

Displays the trusted unicast traffic rate limit.

Rate limit CP trusted mcast traffic

Displays the trusted multicast traffic rate limit.

Rate limit CP route traffic

Displays the traffic rate limit for traffic that needs generated ARP requests.

Rate limit CP session mirror traffic

Displays the traffic rate limit for session mirrored traffic forwarded to the switch.

Rate limit CP auth process traffic

Displays the traffic rate limit for traffic forwarded to the authentication process.

Deny inter user traffic

If enabled, this setting disables traffic between all untrusted users. You can configure user role policies that prevent Layer-3 traffic between users or networks but this does not block Layer-2 traffic.

Prohibit ARP Spoofing

When this option is enabled, possible ARP spoofing attacks are logged and an SNMP trap is sent.

Stateful VOCERA Processing

VOCERA processing is disabled by default.

Stateful UA Processing

UA processing is disabled by default.

Enforce bw contracts for broadcast traffic

If enabled, bw contracts are applied to local subnet broadcast traffic.

Multicast automatic shaping

If enabled, enables multicast optimization and provides excellent streaming quality regardless of the amount of VLANs or IP IGMP groups that are used.

Clear Sessions on Role Update

If enabled, this setting clears all existing user role sessions after a user or client role is modified.

Enforce TCP Sequence numbers

If enabled, prevents data from passing between two clients until the three-way TCP handshake has been performed.

AMSDU

Aggregated Medium Access Control Service Data Units (AMSDU) packets are dropped if this option is enabled.

Session-tunnel FIB

Enables session tunnel based forwarding.

Prevent DHCP Exhaustion

If enabled, this option checks for DHCP client hardware address against the packet source MAC address. This command checks the frame's source-MAC against the DHCPv4 client hardware address and drops the packet if it does not match. This feature prevents a client from submitting multiple DHCP requests with different hardware addresses, thereby preventing DHCP pool depletion.

Session mirror IPsec

If enabled, frames are sent to IP address specified by the session-mirror-destination option.
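
The Prevent DHCP Exhaustion check described above compares a frame's source MAC with the DHCPv4 client hardware address (chaddr) and drops the packet on a mismatch. The following Python sketch is an added example, not AOS-W code: it applies the same comparison to raw Ethernet frames. The function names, the verdict strings and the sample frames are constructed for illustration.

```python
import struct
from collections import defaultdict

ETH_IPV4, ETH_VLAN, IPPROTO_UDP = 0x0800, 0x8100, 17
BOOTP_FIXED_LEN = 236   # fixed BOOTP header, before the options field
CHADDR_OFFSET = 28      # op, htype, hlen, hops, xid, secs, flags, 4 addresses


def fmt_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def inspect_frame(frame):
    """Return (verdict, source MAC, chaddr) for one Ethernet frame.

    verdict: "not-dhcp"  - not a DHCPv4 client request, the check does not apply
             "malformed" - client DHCP ports but truncated or non-Ethernet BOOTP
             "forward"   - chaddr equals the frame's source MAC
             "drop"      - chaddr differs from the frame's source MAC
    """
    if len(frame) < 14:
        return ("not-dhcp", None, None)
    src = frame[6:12]
    ethertype, off = struct.unpack("!H", frame[12:14])[0], 14
    if ethertype == ETH_VLAN and len(frame) >= 18:       # skip one 802.1Q tag
        ethertype, off = struct.unpack("!H", frame[16:18])[0], 18
    ip = frame[off:]
    if ethertype != ETH_IPV4 or len(ip) < 20 or ip[0] >> 4 != 4:
        return ("not-dhcp", fmt_mac(src), None)
    ihl = (ip[0] & 0x0F) * 4
    frag_offset = struct.unpack("!H", ip[6:8])[0] & 0x1FFF
    if ihl < 20 or ip[9] != IPPROTO_UDP or frag_offset or len(ip) < ihl + 8:
        return ("not-dhcp", fmt_mac(src), None)
    sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
    # Only client-originated requests (68 -> 67). A relayed request leaves the
    # relay from port 67 with the relay's own MAC, so the comparison would not
    # be meaningful there.
    if (sport, dport) != (68, 67):
        return ("not-dhcp", fmt_mac(src), None)
    bootp = ip[ihl + 8:]
    # op must be BOOTREQUEST (1), htype Ethernet (1), hlen 6
    if len(bootp) < BOOTP_FIXED_LEN or bootp[0:3] != b"\x01\x01\x06":
        return ("malformed", fmt_mac(src), None)
    chaddr = bootp[CHADDR_OFFSET:CHADDR_OFFSET + 6]
    verdict = "forward" if chaddr == src else "drop"
    return (verdict, fmt_mac(src), fmt_mac(chaddr))


def spoofed_chaddrs_by_source(frames):
    """Group the chaddr values of dropped frames by the MAC that sent them."""
    seen = defaultdict(set)
    for frame in frames:
        verdict, src, chaddr = inspect_frame(frame)
        if verdict == "drop":
            seen[src].add(chaddr)
    return {src: sorted(addrs) for src, addrs in seen.items()}


def build_discover(src_mac, chaddr):
    """Constructed sample: a broadcast DHCPDISCOVER (IP/UDP checksums left 0)."""
    bootp = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 1, 1, 6, 0, 0x12345678,
                        0, 0x8000, bytes(4), bytes(4), bytes(4), bytes(4),
                        chaddr, b"", b"")
    bootp += b"\x63\x82\x53\x63" + b"\x35\x01\x01" + b"\xff"  # cookie, type, end
    udp = struct.pack("!HHHH", 68, 67, 8 + len(bootp), 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp) + len(bootp),
                     0, 0, 64, IPPROTO_UDP, 0, bytes(4), b"\xff" * 4)
    return b"\xff" * 6 + src_mac + b"\x08\x00" + ip + udp + bootp


if __name__ == "__main__":
    station = bytes.fromhex("020000000001")          # constructed MAC
    frames = [build_discover(station, station)]
    frames += [build_discover(station, bytes([2, 0, 0, 0, 0xAA, i]))
               for i in range(3)]
    for f in frames:
        print(inspect_frame(f))
    print(spoofed_chaddrs_by_source(frames))
```

A single source MAC that appears in the report with several different chaddr values matches the pool-depletion pattern the parameter description refers to.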

Related Commands
Command                         Description                                                                                           Mode
firewall                        This command configures firewall options on the switch.                                               Config mode
firewall cp                     This command creates whitelist session ACLs.                                                          Config mode
firewall cp-bandwidth-contract  This command configures bandwidth contract traffic rate limits to prevent denial of service attacks.  Config mode

Command History
This command was introduced in AOS-W 3.4.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode Enable and Config mode on master or local switches

show firewall-cp
show firewall-cp [internal]
Description
Displays the captive-portal (CP) firewall policies on the switch.
Syntax
No Parameters
Example
The output of this command shows the CP firewall policies.

(host) #show firewall-cp

CP firewall policies

--------------------

IP Version Source IP

contract

---------- ---------

---

ipv4

any

ipv4

10.10.10.10

ipv4

2:2:2:2::2

Source Mask -----------
2.2.2.2

Protocol
--------
6 6 1

Start Port
----------
21 8 1

End Port
--------
21 9 2

Permit/Deny
-----------
Permit Permit Permit

hits
----
0 0 0

----test

Command History

Release    Modification
AOS-W 3.4  Command introduced.
AOS-W 6.2  The IP Version parameter was added.

Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Config or Enable mode on master or local switches

show firewall-visibility
show firewall-visibility {debug|status}
Description
Displays the policy enforcement firewall visibility process state and status information.
Syntax

Parameter  Description
debug      Displays process state information for debugging firewall visibility.
status     Displays the status of firewall visibility as enabled or disabled.

Example
The output of this command shows the status of firewall visibility.

(host) #show firewall-visibility status
enabled

Command History
This command was introduced in AOS-W 6.2.
Command Information

Platforms
OAW-4504XM, OAW-4604, OAW-4704, OAW-6000, and OAW-4x50 switches

Licensing
This command requires the PEFNG license

Command Mode
Config or Enable mode on master or local switch

show gap-debug
show gap-debug
Description
Displays the troubleshooting information for the global AP database.
Usage Guidelines
Use this command to identify any issues with the global AP database. This command displays the troubleshooting information for the global AP database.
Example
The following is a sample output of this command:

(host)# show gap-debug

GAP Master LMS Table
--------------------
IP             Master Cookie          Master Seq  LMS Cookie              LMS Seq  Activity  Status  Msg In Prog  Msg Len  Attempts
--             -------------          ----------  ----------              -------  --------  ------  -----------  -------  --------
172.20.1.109   0.0.0.0,50b790c0       0           172.20.1.109,50b79139   1640     46        up      no           -        -
172.20.1.202   0.0.0.0,50b79102       26          172.20.1.202,50b79188   1804     57        up      no           -        -
172.20.1.203   172.20.1.212,50b7ed3e  0           172.20.1.203,50b7ed42   1244     40        up      no           -        -
172.20.1.205   0.0.0.0,50b80053       31          172.20.1.205,50b800d2   1252     20        up      no           -        -
172.20.1.206   0.0.0.0,50b80054       31          172.20.1.206,50b800d4   1359     10        up      no           -        -
172.20.1.210   0.0.0.0,50b79631       0           172.20.1.210,50b796a9   1617     41        up      no           -        -
172.20.1.216   0.0.0.0,50b80055       0           0.0.0.0,00000000        0        --        up      no           -        -
192.169.1.207  0.0.0.0,50b791ef       0           192.169.1.207,50b7920c  1633     20        up      no           -        -
192.169.1.208  0.0.0.0,50b791e7       0           192.169.1.208,50b7920e  1632     46        up      no           -        -

The output of this command includes the following information:

Column         Description
IP             The IP address of the local management switch (LMS).
Master Cookie  The cookie information on the master switch that is used to communicate with the LMS.
Master Seq     The sequence number used by the master switch to sync up with the LMS. This tracks the number of times the master switch has communicated with the LMS.
LMS Cookies    The cookie information on the LMS that is used to communicate with the master switch.
LMS Seq        The sequence number used by the LMS to sync up with the master switch. This tracks the number of times the LMS has communicated with the master switch.
Activity       The time at which the last activity happened on the LMS.
Status         Indicates if the status of the LMS is up or down.
Msg in Prog    Indicates if an active communication is happening between the LMS and the master switch. It can be Yes or No. If it is yes, then the Msg Len and Attempt fields are set.
Msg Len        The length of the message that the master switch is syncing with the LMS.
Attempts       Number of times the master switch has attempted to sync with the LMS.

Command History
This command is introduced in AOS-W 6.2.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode Enable or Config mode on master switches.

show gateway health-check
show gateway health-check
Description
Display the current status of the gateway health-check feature.
Syntax
No parameters.
Usage Guidelines
The gateway health check feature can only be enabled by Alcatel-Lucent Technical Support.
Example
The example below shows that the gateway health-check feature has not been enabled on the switch.

(host) #show gateway health-check
Gateway health check not enabled
Related Commands

Command gateway health-check disable

Description Disable the gateway health check

Mode Config mode

Command History
This command was introduced in AOS-W 3.4.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode Enable and Config mode on master or local switches

show global-user-table count
show global-user-table
show global-user-table count [current-switch] <IP address> [authentication-method] {dot1x | mac | stateful-dot1x | vpn | web} [role] <role name> [bssid] <bssid MAC> [essid] <essid> [ap-name] <AP name> [phy-type] {a | b | g} [age] <starting time dd:hh:mm> <ending time dd:hh:mm>
Description
This command displays a count of global users based on the specified criteria.
Syntax

Parameter              Description
current-switch         Match IP address of the switch where the user is currently associated
authentication-method  Count users matching the specified authentication method
role                   Count users matching the specified role
bssid                  Count users matching the specified BSSID
essid                  Count users matching the specified ESSID. If the ESSID includes spaces, you must enclose it in quotation marks.
ap-name                Count users matching the specified AP name
phy-type               Count users matching the specified Phy type
age                    Count users matching the specified age

Example
Issue this command to display a global user count. The output shown below is a result of the command show global-user-table count current-switch <ip-address>.

Complete results.
The number of global users : 2

The output includes the following parameters:

Parameter                    Description
The number of global users:  Total number of global users meeting the specified criteria.

Command History
This command was introduced in AOS-W 3.4.

Command Information

Platforms
All platforms Master switch only

Licensing Base operating system

Command Mode Enable or config mode on master switches

show-global-user-table list
show global-user-table list [current-switch] <IP address> [authentication-method] {dot1x | mac | stateful-dot1x | vpn | web} role <role name> bssid <bssid MAC> devtype <device> essid <essid> ap-name <AP name> phy-type a|b|g age <starting time dd:hh:mm> <ending time dd:hh:mm> not or rows sort {sort_by_ap-name | sort_by_authtype | sort_by_bssid | sort_by_current-switch | sort_by_essid | sort_by_ip | sort_by_mac | sort_by_name | sort_by_phy-type | sort_by_role}{asc | desc} start
Description
This command displays a list of current users on a specified switch.
Syntax

Parameter              Description
current-switch         Match IP address of the switch where the user is currently associated
authentication-method  Count users matching the specified authentication method
role                   Count users matching the specified role
bssid                  Count users matching the specified BSSID
essid                  Count users matching the specified ESSID. If the ESSID includes spaces, you must enclose it in quotation marks.
ap-name                Count users matching the specified AP name
phy-type               Count users matching the specified Phy type
age                    Count users matching the specified age
not                    Show users that do not satisfy the given criteria
or                     Show users that satisfy any of the given criteria
rows                   Number of rows to show
sort                   Sort the list based on a specified criterion, in ascending or descending order
start                  Show user table starting from a specific row

Example

Issue this command to display a global user count. The output of this command is split into two tables in this document, however it appears in one table in the CLI.

(host) (config) show user role employee

Global Users

-----

IP

MAC

Name

name

----------

------------

------

---

192.168.160.1 00:23:6c:80:3d:bc madisonQ

10.100.105.100 00:05:4e:45:5e:c8 CorpNetwork2

wlanAP

10.100.105.102 00:14:a5:30:c2:7f fdedhia

10.100.105.97 00:1b:77:c4:a2:fa CorpNetwork2

10.100.105.109 00:21:5c:02:16:bb melindayao

Role

Age(d:h:m) Auth VPN link AP

----

---------- ---- -------- ----

employee 01:05:50 employee 00:02:22

802.1x 802.1x

AP63

employee 01:20:09 employee 00:02:18 employee 00:05:40

802.1x 802.1x 802.1x

AP98 AP98 AP09

users ----Roaming
------Associated Associated Associated Associated Associated

Essid             Bssid              Phy   Profile
-----             -----              ---   -------
wirelessint-wpa2  00:1a:1e:85:d3:b1  a-HT  default
wirelessint-wpa2  00:1a:1e:6f:e5:51  a     default
wirelessint-wpa2  00:1a:1e:87:ef:f1  a     default
wirelessint-wpa2  00:1a:1e:87:ef:f1  a     default
wirelessint-wpa2  00:1a:1e:85:c2:11  a-HT  default

The output of this command includes the following parameters:

Parameter       Description
IP              IP address of user.
MAC             MAC address of user.
Name            User name.
Current Switch  IP address of the switch where the user is currently associated.
Role            User role.
Age             User age, displayed as days:hours:minutes.
Auth            Authentication method used by user.
VPN Link        IP address of the client VPN gateway.
AP name         AP name.
Roaming         Roaming status.
Essid           User's extended service set identifier (ESSID).
Bssid           User's basic service set identifier (BSSID).
Phy             User Phy type (a, b or g).
Profile         Profile name
Forward mode    Forwarding mode assigned to the user (tunnel, split-tunnel, decrypt-tunnel or bridge).
Type            Type of client device, if identified.

Command History
Release    Modification
AOS-W 3.4  Command introduced
AOS-W 6.1  The devtype parameter was introduced, and the output of this command expanded to include the Type column.

Command Information

Platforms
All platforms Master switch only

Licensing Base operating system

Command Mode Enable or config mode on master switches


show guest-access-email
show guest-access-email
Description
This command shows a guest access email profile configuration. The guest access email process sends email to either the guest or the sponsor whenever a guest user account is created or when the Guest Provisioning user manually sends email from the Guest Provisioning page.
Syntax
No parameters.
Usage Guidelines
Issue this command to show the current guest access email profile parameters. The Parameter and Value columns show the configured SMTP server and SMTP ports that process guest email.

(host) #show guest-access-email

Guest-access Email Profile
--------------------------
Parameter    Value
---------    -----
SMTP Server  10.1.1.4
SMTP Port    25

Related Commands

Command                 Description                                                     Mode
guest-access-email      This command shows a guest access email profile configuration.  Enable or Config modes
local-userdb-guest add  This command creates a guest user in a local user database.     Enable or Config modes

Command History
This command was introduced in AOS-W 3.4.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Enable or Config mode on master or local switches


show hostname
show hostname
Description
Show the hostname of the switch.
Syntax
No parameters.
Example
The output of this command shows the hostname configured for the switch. A hostname can contain alphanumeric characters, spaces, punctuation, and symbol characters.

(host) # show hostname
hostname is SampleHost
Related Commands
Configure the switch's hostname using the command hostname.
Command History
This command was available in AOS-W 1.0.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode Available on master or local switches


show iap table
show iap table [branch-key <brkey>]
Description
Shows the details of the branches connected to the switch.
Syntax

Parameter           Description
branch-key <brkey>  Key for the branch, which is unique to each branch.

Example
This example shows the details of the branches connected to the switch:

(host) (config) #show iap table

Branch Key                                          Index  Status  Inner IP       MAC Address
----------                                          -----  ------  --------       -----------
d8f6095a01f89b7aea4340c080c3e3c8bd062758461c32c92d  8      DOWN    0.0.0.0        d8:c7:c8:c0:01:6c
4619fa8b014ff058d99e9fe63286c19851e61466627d054968  16     DOWN    0.0.0.0        00:1a:1e:08:21:e1
0e26e65a01732247f98b5d463f1fb56c0200d0944fab521e57  3      DOWN    0.0.0.0        d8:c7:c8:c0:01:6c
cc0b838d014df7db3eb453ef4f513204df4d74bb4063e46587  7      DOWN    0.0.0.0        d8:c7:c8:c0:b8:d0
6bccde5901997e534d14b10580371792ef4c13ca868c929150  15     DOWN    0.0.0.0        d8:c7:c8:c0:01:6c
764f6038018f2c2765292911e55fedc0c98f86cf79331d8905  6      UP      10.15.207.206  00:24:6c:c9:27:cf
c2b46b530119844dcbdb55ddb94ff308d1f08ec7cb4eda113c  0      DOWN    0.0.0.0        d8:c7:c8:c0:b8:d6
9deb828c0106f4562b50c8141cfa28ad5c1a3f89b3e171efcc  14     DOWN    0.0.0.0        00:1a:1e:08:23:f4
be5ffcf801eedd92a76b978ceee53f4e2284c8e8f3dbd84457  5      DOWN    0.0.0.0        00:24:6c:c9:27:cf
b5d279460166c39a5fb9462a65559eb91266b9ac9f8e2356a0  13     DOWN    0.0.0.0        d8:c7:c8:c0:01:6c
0f7057990174cde7901a0c8779baeb7393b26d974a45eb8602  10     DOWN    0.0.0.0        00:24:6c:c0:41:f2
a1e23c1201cfb76a50fb3328e58c9825e716a259dd71874c67  4      UP      10.15.207.207  00:24:6c:c9:18:64
47f930fc019317069d04fd1c2ffdf6a49a6e51c148c2164ed0  9      DOWN    0.0.0.0        d8:c7:c8:c0:01:6c
0c478ce101df81e3c0a46fe4f3ab6eca9bb012151dea99a82f  1      DOWN    0.0.0.0        d8:c7:c8:c0:01:6c
747c20ac0155736c3b11bd972c967ebdf7c9883e69ec2a01fb  2      DOWN    0.0.0.0        d8:c7:c8:c0:b8:d0
0e40138601b34eb33fb57d94208848b0f8e37bba0a6a0d43ca  12     DOWN    0.0.0.0        00:24:6c:c9:18:64
de293919019196d7c8ac8f04a50fbd5b96c2af3d3576aa1dc2  11     DOWN    0.0.0.0        d8:c7:c8:c0:b8:d8
208c416e01e1cfaf0fdc11190349ad43334879f39ba9e19188  17     DOWN    0.0.0.0        d8:c7:c8:c0:01:6c

The output of this command includes the following parameters:

Parameter    Description
Branch Key   Key for the branch, which is unique to each branch.
Index        Index assigned to the branch.
Status       Current status of the branch (UP/DOWN).
Inner IP     Internal VPN IP of the branch.
MAC Address  MAC address of the Virtual Switch of the branch.


Command History
Introduced in AOS-W 6.2


show ids ap-classification-rule
show ids ap-classification-rule <rule-name>
Description
Display the IDS AP classification rule profile.
Syntax

Parameter    Description
<rule-name>  Enter the AP classification rule profile name.

Usage Guidelines
Issue this command without the <rule-name> option to view the AP Classification Rule Profile list. Add the rule name option to display values for the rule.

Example

Below is the show command without the rule name option:

(host) (config) #show ids ap-classification-rule

IDS AP Classification Rule Profile List
---------------------------------------
Name               References  Profile Status
----               ----------  --------------
exclude-ssid-rule  1
rule1              1
rule2              1

Total:3

In the example above, the Reference column indicates the number of references to the rule named in the Name column. The Profile Status column is blank unless the rule is predefined. Optionally, you can enter a rule name to view the parameters for that rule. For example:

(host) (config) # show ids ap-classification-rule rule1

IDS AP Classification Rule Profile "rule1"
------------------------------------------
Parameter                     Value
---------                     -----
SSID                          Alcatel-Lucent-ap
Match SSIDs                   true
Min SNR value                 0
Max SNR value                 255
Discovered APs count          2
Check for Min Discovered APs  true
Classify To AP Type           suspected-rogue
Confidence level increase     5

Command History

Release AOS-W 6.0

Modification Command introduced


Command Information

Platforms Available on all platforms

Licensing Requires the RFprotect license

Command Mode Config mode on master switches


show ids ap-rule-matching

Description
Display the IDS active AP rules profile.

Example
(host) (config) #show ids ap-rule-matching

IDS Active AP Rules Profile
---------------------------
Parameter     Value
---------     -----
AP Rule name  snr0
AP Rule name  rule1
AP Rule name  rule2
AP Rule name  exclude-ssid-rule

In the above example, the rule names in the Value column have been activated by the ids ap-rule-matching command.

Command History

Release AOS-W 6.0

Modification Command introduced

Command Information

Platforms Available on all platforms

Licensing Requires the RFprotect license

Command Mode Config mode on master switches


show ids dos-profile
show ids dos-profile <profile-name>
Description
Show an IDS Denial Of Service (DoS) Profile.
Syntax

Parameter       Description
<profile-name>  Name of an IDS DoS profile.

Usage Guidelines
Issue this command without the <profile-name> parameter to display an IDS DoS profile.

Examples
The example below shows that the switch has four configured DoS profiles.

(host) (config) #show ids dos-profile

IDS Denial Of Service Profile List
----------------------------------
Name          References  Profile Status
----          ----------  --------------
default       4
test          0
test1         1
Wizard-test   1
Wizard-test2  1

Total:5

In the example above, the Reference column indicates the number of references to the profile named in the Name column. The Profile Status column is blank unless the rule is predefined. The example below displays a partial output for the profile "test1".

(host) (config) #show ids dos-profile test1

Parameter                                    Value
---------                                    -----
Detect Disconnect Station Attack             true
Disconnect STA Assoc Response Theshold       5
Disconnect STA Deauth and Disassoc Theshold  8
Disconnect STA Detection Quiet Time          900 sec
Spoofed Deauth Blacklist                     Disabled
Detect AP Flood Attack                       false
AP Flood Threshold                           50
AP Flood Increase Time                       3 sec
AP Flood Detection Quiet Time                900 sec
Detect Client Flood Attack                   false
Client Flood Threshold                       150
Client Flood Increase Time                   3 sec
Client Flood Detection Quiet Time            900 sec
Detect EAP Rate Anomaly                      false
EAP Rate Threshold                           60
EAP Rate Time Interval                       3 sec
EAP Rate Quiet Time                          900 sec
Detect CTS Rate Anomaly                      false
CTS Rate Threshold                           5000
CTS Rate Time Interval                       5 sec
CTS Rate Quiet Time                          900 sec
Detect RTS Rate Anomaly                      false
RTS Rate Threshold                           5000
RTS Rate Time Interval                       5 sec
RTS Rate Quiet Time                          900 sec
Detect Rate Anomalies                        false
Rate Thresholds for Assoc Frames             default
Rate Thresholds for Disassoc Frames          default
Rate Thresholds for Deauth Frames            default
...

For a detailed explanation of the output shown above, see the ids dos-profile command.
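The profile output above can be audited offline once it has been captured. The following is an added example, not part of the original guide or of AOS-W: it parses the Parameter/Value layout, lists the detections that are switched off and compares the profile against a baseline. The column spacing of the sample, the BASELINE policy and the value "Enabled" are assumptions made for illustration.

```python
import re

# Constructed sample: values of the guide's "test1" profile, laid out in two
# columns the way the CLI prints a profile (exact spacing is an assumption).
SAMPLE_OUTPUT = """\
(host) (config) #show ids dos-profile test1
Parameter                                    Value
---------                                    -----
Detect Disconnect Station Attack             true
Disconnect STA Assoc Response Theshold       5
Disconnect STA Deauth and Disassoc Theshold  8
Disconnect STA Detection Quiet Time          900 sec
Spoofed Deauth Blacklist                     Disabled
Detect AP Flood Attack                       false
AP Flood Threshold                           50
AP Flood Increase Time                       3 sec
AP Flood Detection Quiet Time                900 sec
Detect Client Flood Attack                   false
Client Flood Threshold                       150
Detect EAP Rate Anomaly                      false
EAP Rate Threshold                           60
Detect Rate Anomalies                        false
...
"""

# Hypothetical site policy (not from the guide): settings this site requires.
BASELINE = {
    "Detect Disconnect Station Attack": "true",
    "Detect AP Flood Attack": "true",
    "Detect Client Flood Attack": "true",
    "Spoofed Deauth Blacklist": "Enabled",
}

PROMPT = re.compile(r"^(\([^)]*\)\s*)+#")   # e.g. "(host) (config) #show ..."


def parse_profile(text):
    """Return {parameter: value} from 'Parameter / Value' show output."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        # Skip blank lines, the prompt, dashed rules and the "..." marker.
        if not line or PROMPT.match(line) or set(line) <= set("-. "):
            continue
        # Parameter names contain single spaces; columns are separated by 2+.
        parts = re.split(r"\s{2,}", line, maxsplit=1)
        if len(parts) != 2 or parts == ["Parameter", "Value"]:
            continue
        settings[parts[0]] = parts[1]
    return settings


def seconds(value):
    """Convert a value such as '900 sec' to an int, or None if it is not a time."""
    match = re.fullmatch(r"(\d+) sec", value)
    return int(match.group(1)) if match else None


def disabled_detections(settings):
    """Names of all 'Detect ...' parameters that are set to false."""
    return sorted(name for name, value in settings.items()
                  if name.startswith("Detect ") and value.lower() == "false")


def drift(settings, baseline):
    """Return {parameter: (expected, actual)} for every baseline mismatch."""
    return {name: (want, settings.get(name))
            for name, want in baseline.items() if settings.get(name) != want}


if __name__ == "__main__":
    profile = parse_profile(SAMPLE_OUTPUT)
    print("Disabled detections:", disabled_detections(profile))
    for name, (want, got) in drift(profile, BASELINE).items():
        print(f"DRIFT {name}: expected {want}, found {got}")
```

A threshold or quiet-time value only matters when its matching Detect parameter is true, so the disabled list is the first thing to review.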

Related Commands
Configure IDS DoS profiles using the command ids dos-profile.

Command History

Release AOS-W 6.0

Modification Command introduced

Command Information

Platforms Available on all platforms

Licensing Requires the RFprotect license

Command Mode Config mode on master switches


show ids general-profile
show ids general-profile <profile-name>
Description
Display an IDS General profile.
Syntax

Parameter       Description
<profile-name>  Name of an IDS General profile.

Usage Guidelines
Issue this command without the <profile-name> parameter to display the IDS General profile list. Include a profile name to display detailed configuration information for that profile.

Examples

The example below shows that the switch has four configured General profiles.

(host) (config) # show ids general-profile

IDS General Profile List
------------------------
Name          References  Profile Status
----          ----------  --------------
default       2
helen         0
wired-lb      1
Wizard-test2  1

Total:4

In the example above, the Reference column indicates the number of references to the profile named in the Name column. The Profile Status column is blank unless the rule is predefined.

The example below displays the settings for the profile Michael.

(host) (config) #show ids general-profile Michael

IDS General Profile "Michael"
--------------------------
Parameter                               Value
---------                               -----
Stats Update Interval                   60 sec
Monitored Device Stats Update Interval  0 sec
AP Inactivity Timeout                   20 sec
Adhoc (IBSS) AP Inactivity Timeout      5 sec
AP Max Unseen Timeout                   600 sec
Adhoc AP Max Unseen Timeout             180 sec
STA Inactivity Timeout                  60 sec
STA Max Unseen Timeout                  600 sec
Min Potential AP Beacon Rate            25 %
Min Potential AP Monitor Time           2 sec
Signature Quiet Time                    900 sec
Wireless Containment                    deauth-only
Debug Wireless Containment              false
Wired Containment                       false
Wired Containment of AP's Adj MACs      false
Mobility Manager RTLS                   false
IDS Event Generation on AP              none
Send Adhoc Info to Controller           true

The output of this command includes the following parameters:

Parameter                               Description
Stats Update Interval                   Interval, in seconds, for the AP to update the switch with statistics. This setting takes effect only if the Alcatel-Lucent Mobility Manager is configured. Otherwise, statistics update to the switch is disabled.
Monitored Device Stats Update Interval  Time interval, in seconds, for AP to update the switch with stats for monitored devices. Minimum is 60.
AP Inactivity Timeout                   Time, in seconds, after which an AP is aged out.
Adhoc (IBSS) AP Inactivity Timeout      Ad hoc (IBSS) AP inactivity timeout in number of scans.
AP Max Unseen Timeout                   Ageout time, in seconds, since AP was last seen.
STA Inactivity Timeout                  Time, in seconds, after which a station is aged out.
STA Max Unseen Timeout                  Time, in seconds, after which an AP is aged out.
Min Potential AP Beacon Rate            Minimum beacon rate acceptable from a potential AP, in percentage of the advertised beacon interval.
Min Potential AP Monitor Time           Minimum time, in seconds, a potential AP has to be up before it is classified as a real AP.
Signature Quiet Time                    After a signature match is detected, the time to wait, in seconds, to resume checking.
Wireless Containment                    Shows if the profile has enabled or disabled containment from the wireless side.
Debug Wireless Containment              Shows if the profile has enabled or disabled debugging of containment from the wireless side.
Wired Containment                       Shows if the profile has enabled or disabled containment from the wired side.
Wired Containment of AP's Adj MACs      Enable/disable wired containment of MACs offset by one from the AP's BSSID.
Mobility Manager RTLS                   Shows if RTLS communication with the configured mobility manager is enabled or disabled.
IDS Event Generation on AP              Enable or disable IDS event generation from the AP. Event generation from the AP can be enabled for syslogs, traps, or both. This does not affect generation of IDS correlated events on the switch.
Send Adhoc Info to Controller           Enable or disable sending Adhoc information to the switch from the AP.

Related Commands
Configure IDS General profiles using the command ids general-profile.


Command History
Version    Description
AOS-W 3.0  Command Introduced
AOS-W 5.0  Mobility Manager RTLS parameter introduced
AOS-W 6.0  Refreshed show output

Command Information

Platforms Available on all platforms

Licensing Requires the RFprotect license

Command Mode Config mode on master switches


show ids impersonation-profile
show ids impersonation-profile <profile-name>
Description
Display an IDS Impersonation Profile.
Syntax

Parameter       Description
<profile-name>  Name of an IDS Impersonation profile.

Usage Guidelines
Issue this command without the <profile-name> parameter to display the IDS Impersonation profile list. Include a profile name to display detailed configuration information for that profile.

Examples
The example below displays that the switch has five configured Impersonation profiles.

(host) (config) #show ids impersonation-profile

IDS Impersonation Profile List
------------------------------
Name          References  Profile Status
----          ----------  --------------
default       4
test          0
test1         1
Wizard-test   1
Wizard-test2  1

Total:5

In the example above, the Reference column indicates the number of references to the profile named in the Name column. The Profile Status column is blank unless the rule is predefined.

The example below displays the configuration settings for the profile test1.

(host) (config) #show ids impersonation-profile test1

IDS Impersonation Profile "test1"
---------------------------------
Parameter                                  Value
---------                                  -----
Detect AP Impersonation                    false
Protect from AP Impersonation              false
Beacon Diff Threshold                      50 %
Beacon Increase Wait Time                  3 sec
Detect AP Spoofing                         true
Detect Beacon Wrong Channel                false
Beacon Wrong Channel Detection Quiet Time  900 sec
Detect Hotspotter Attack                   true
Hotspotter Quiet Time                      900 sec

The output of this command includes the following parameters:

Parameter                                  Description
Detect AP Impersonation                    Shows if the profile has enabled or disabled detection of AP impersonation.
Protect from AP Impersonation              Shows if protection from AP impersonation is enabled or disabled for the profile. When AP impersonation is detected, both the legitimate and impersonating AP are disabled using a denial of service attack.
Beacon Diff Threshold                      Percentage increase in beacon rates that triggers an AP impersonation event.
Beacon Increase Wait Time                  Time, in seconds, after the beacon difference threshold is crossed before an AP impersonation event is generated.
Detect AP Spoofing                         AP Spoofing detection is enabled.
Detect Beacon Wrong Channel                Disable detection of beacons advertising the incorrect channel.
Beacon Wrong Channel Detection Quiet Time  Wait 90 seconds after detecting a beacon with the wrong channel after which the check can be resumed.
Detect Hotspotter Attack                   Enable detection of the Hotspotter attack to lure away valid clients.
Hotspotter Quiet Time                      Wait 90 seconds after detecting an attempt to use the Hotspotter tool against clients.

Related Commands
Configure IDS impersonation profiles using the command ids impersonation-profile.
Command History

Version    Description
AOS-W 3.0  Command Introduced
AOS-W 6.0  Refreshed show output

Command Information

Platforms Available on all platforms

Licensing Requires the RFprotect license

Command Mode Config mode on master switches


show ids management-profile

Description
Displays the management event correlation for IDS event traps and syslogs (logs).

Example
The following example displays the current management status.

(host) (config) #show ids management-profile

IDS Management Profile
----------------------
Parameter                     Value
---------                     -----
IDS Event Correlation         logs-and-traps
Event Correlation Quiet Time  900 sec

The display output of the above command includes:

Parameter                     Description
IDS Event Correlation         Management profile is set for logs-and-traps.
Event Correlation Quiet Time  The time to wait, 900 seconds, before the event can be raised again.

Command History
Version AOS-W 6.0

Description Command Introduced

Command Information

Platforms Available on all platforms

Licensing Requires the RFprotect license

Command Mode Config mode on master switches


show ids profile
show ids profile <profile-name>
Description
Display all IDS profiles or display a specific profile name.
Syntax

Parameter       Description
<profile-name>  Name of an IDS profile.

Usage Guidelines
Issue this command without the <profile-name> parameter to display the list of IDS profiles. Include a profile name to display detailed information for that profile.

Examples
The example below shows that the switch has seven configured IDS Profiles.

(host) (config) #show ids profile

IDS Profile List
----------------
Name           References  Profile Status
----           ----------  --------------
default        5
test           0
test-tarpit    1
test-wired-lb  0
test1          0
Wizard-test    0
Wizard-test2   0

Total:7

In the example above, the Reference column indicates the number of references to the profile named in the Name column. The Profile Status column is blank unless the rule is predefined. This example displays the configuration settings for the profile test1.

(host) (config) #show ids profile test1

IDS Profile "test1"
-------------------
Parameter                        Value
---------                        -----
IDS General profile              test1
IDS Signature Matching profile   test1
IDS DOS profile                  test1
IDS Impersonation profile        test1
IDS Unauthorized Device profile  test1

The output of this command includes the following parameters:

Parameter                        Description
IDS General profile              Name of an IDS General profile to be applied to an AP or AP group.
IDS Signature Matching profile   Name of an IDS Signature Matching profile to be applied to an AP or AP group.
IDS DOS profile                  Name of an IDS Denial of Service profile to be applied to an AP or AP group.
IDS Impersonation profile        Name of an IDS Impersonation profile to be applied to an AP or AP group.
IDS Unauthorized Device profile  Name of an IDS Unauthorized Device profile to be applied to an AP or AP group.

Related Commands
Configure the IDS profile using the command ids profile.
Command History

Version    Description
AOS-W 3.0  Command Introduced
AOS-W 6.0  Refreshed show output

Command Information

Platforms Available on all platforms

Licensing Requires the RFprotect license

Command Mode Config mode on master switches


show ids rate-thresholds-profile
show ids rate-thresholds-profile <profile-name>
Description
Show an IDS Rate Thresholds profile.
Syntax

Parameter       Description
<profile-name>  Name of an IDS Rate Threshold profile.

Usage Guidelines
Issue this command without the <profile-name> parameter to display the IDS Rate Threshold profile list. Include a profile name to display detailed configuration information for that profile.

Examples
The example below shows that the switch has three configured IDS Rate Threshold profiles.

(host) (config) #show ids rate-thresholds-profile

IDS Rate Thresholds Profile List
--------------------------------
Name                               References  Profile Status
----                               ----------  --------------
default                            20
probe-request-response-thresholds  10          Predefined
test                               0

Total:3

In the example above, the Reference column indicates the number of references to the profile named in the Name column. The Profile Status column is blank unless the rule is predefined.

This example displays the configuration settings for the profile test.

(host) (config) #show ids rate-thresholds-profile test

IDS Rate Thresholds Profile "test"
----------------------------------
Parameter              Value
---------              -----
Channel Increase Time  15 sec
Channel Quiet Time     900 sec
Channel Threshold      300
Node Time Interval     15 sec
Node Quiet Time        900 sec
Node Threshold         200

The output of this command includes the following parameters:

Parameter              Description
Channel Increase Time  Time, in seconds, in which the threshold must be exceeded in order to trigger an alarm.
Channel Quiet Time     The time that must elapse after a channel rate alarm before another identical alarm may be triggered. This option prevents excessive messages in the log file.
Channel Threshold      Number of a specific type of frame that must be exceeded within a specific interval in an entire channel to trigger an alarm.
Node Time Interval     Time, in seconds, in which the threshold must be exceeded in order to trigger an alarm.
Node Quiet Time        The time that must elapse after a node rate alarm before another identical alarm may be triggered. This option prevents excessive messages in the log file.
Node Threshold         Number of a specific type of frame that must be exceeded within a specific interval for a particular client MAC address to trigger an alarm.
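The interaction of threshold, interval and quiet time described above is easiest to see on a frame stream. The following is an added model using the values of the "test" profile, not AOS-W code and not part of the original guide. It assumes a sliding measurement window and a quiet time that starts at the alarm and is not extended by suppressed alarms; the frame streams and MAC addresses are constructed.

```python
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class RateProfile:
    """Values of the guide's "test" profile; all times are in seconds."""
    channel_threshold: int = 300
    channel_increase_time: int = 15
    channel_quiet_time: int = 900
    node_threshold: int = 200
    node_time_interval: int = 15
    node_quiet_time: int = 900


class WindowCounter:
    """Counts frames in a sliding window and applies a quiet time after an alarm."""

    def __init__(self, threshold, window, quiet):
        self.threshold, self.window, self.quiet = threshold, window, quiet
        self.seen = deque()        # timestamps still inside the window
        self.quiet_until = None    # identical alarms are suppressed until then

    def observe(self, ts):
        self.seen.append(ts)
        while self.seen[0] <= ts - self.window:    # expire frames outside the window
            self.seen.popleft()
        if len(self.seen) <= self.threshold:       # the threshold must be exceeded
            return False
        if self.quiet_until is not None and ts < self.quiet_until:
            return False                           # still inside the quiet time
        self.quiet_until = ts + self.quiet
        return True


class RateDetector:
    def __init__(self, profile=RateProfile()):
        self.profile = profile
        self.channels = {}   # channel number -> WindowCounter
        self.nodes = {}      # client MAC -> WindowCounter

    def frame(self, ts, channel, mac):
        """Feed one frame of the monitored type; return the alarms it raises."""
        p = self.profile
        ch = self.channels.setdefault(channel, WindowCounter(
            p.channel_threshold, p.channel_increase_time, p.channel_quiet_time))
        node = self.nodes.setdefault(mac, WindowCounter(
            p.node_threshold, p.node_time_interval, p.node_quiet_time))
        alarms = []
        if ch.observe(ts):
            alarms.append(("channel", channel, ts))
        if node.observe(ts):
            alarms.append(("node", mac, ts))
        return alarms


def run(frames):
    """Replay (ts, channel, mac) tuples in time order; return all alarms."""
    detector = RateDetector()
    alarms = []
    for ts, channel, mac in sorted(frames):
        alarms.extend(detector.frame(ts, channel, mac))
    return alarms


def burst(start, seconds, fps, channel, mac):
    """Constructed traffic: one station sending fps frames per second."""
    return [(start + i / fps, channel, mac) for i in range(seconds * fps)]


FLOODER = "00:00:5e:00:53:01"   # made-up MAC from the documentation range


def flood_scenario():
    """One station floods channel 36 at t=0, t=100 (quiet time) and t=1000."""
    return run(burst(0, 20, 25, 36, FLOODER)
               + burst(100, 20, 25, 36, FLOODER)
               + burst(1000, 20, 25, 36, FLOODER))


def aggregate_scenario():
    """Four stations, each below the node threshold, share channel 1."""
    frames = []
    for n in range(4):
        frames += burst(0, 15, 6, 1, "00:00:5e:00:53:1%d" % n)
    return run(frames)


if __name__ == "__main__":
    for alarm in flood_scenario() + aggregate_scenario():
        print(alarm)
```

The second burst of the flood scenario raises nothing because both counters are still inside their 900-second quiet time, which is the log-suppression behaviour the table describes; the aggregate scenario raises only a channel alarm because no single client exceeds the node threshold.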

Related Commands
Configure the IDS Rate Threshold profile using the command ids rate-thresholds-profile.
Command History

Version    Description
AOS-W 3.0  Command Introduced
AOS-W 6.0  Refreshed show output

Command Information

Platforms Available on all platforms

Licensing Requires the RFprotect license

Command Mode Config mode on master switches


show ids signature-matching-profile
show ids signature-matching-profile <profile-name>
Description
Show an IDS Signature Matching profile.
Syntax

Parameter       Description
<profile-name>  Name of an IDS Signature Matching profile.

Usage Guidelines
Issue this command without the <profile-name> parameter to display the entire IDS Signature Matching profile list. Include a profile name to display detailed configuration information for that profile.

Examples
The example below shows that the switch has four configured Signature Matching profiles.

(host) (config) #show ids signature-matching-profile

IDS Signature Matching Profile List
-----------------------------------
Name          References  Profile Status
----          ----------  --------------
default       4
test1         1
Wizard-test   1
Wizard-test2  1

Total:4

In the example above, the Reference column indicates the number of references to the profile named in the Name column. The Profile Status column is blank unless the rule is predefined. This example displays the configuration settings for the profile test1.

(host) (config) #show ids signature-matching-profile test1

IDS Signature Matching Profile "test1"
--------------------------------------
Parameter      Value
---------      -----
IDS Signature  Deauth-Broadcast
IDS Signature  Disassoc-Broadcast

The output of this command includes the following parameters:

Parameter      Value
IDS Signature  Broadcast is not authorized
IDS Signature  Disassociate broadcast


Related Commands
Configure the Signature Matching profile using the command ids signature-matching-profile.
Command History

Version    Description
AOS-W 3.0  Command Introduced
AOS-W 6.0  Refreshed show output

Command Information

Platforms Available on all platforms

Licensing Requires the RFprotect license

Command Mode Config mode on master switches


show ids signature-profile
show ids signature-profile <profile-name>
Description
Show an IDS signature profile.
Syntax

Parameter       Description
<profile-name>  Name of an IDS Signature profile.

Usage Guidelines
Issue this command without the <profile> parameter to display the entire IDS Signature profile list, including profile status and the number of references to each profile. Include a profile name to display detailed configuration information for that profile.

Examples
The example below shows that the switch has eight configured Signature profiles.

(host) # show ids signature-profile

IDS Signature Profile List
--------------------------
Name                        References  Profile Status
----                        ----------  --------------
AirJack                     1           Predefined
ASLEAP                      1           Predefined
Deauth-Broadcast            1           Predefined
default                     1
Netstumbler Generic         1           Predefined
Netstumbler Version 3.3.0x  1           Predefined
Null-Probe-Response         1           Predefined
sample                      0

Total:8

This example displays the configuration settings for the profile AirJack.

(host) # show ids signature-profile

IDS Signature Profile "AirJack" (predefined)
--------------------------------------------
Parameter   Value
---------   -----
Frame Type  beacon SSID = AirJack
The output of this command includes the following parameters:

Parameter        Description
Frame Type       Type of 802.11 frame. For each type of frame, further parameters may be included to filter and detect only the required frames.
                 - assoc: Association frame type.
                 - auth: Authentication frame type.
                 - beacon: Beacon frame type.
                 - control: All control frames.
                 - data: All data frames.
                 - deauth: Deauthentication frame type.
                 - disassoc: Disassociation frame type.
                 - mgmt: Management frame type.
                 - probe-request: Probe request frame type.
                 - probe-response: Probe response frame type.
                 - ssid: For beacon, probe-request, and probe-response frame types, the SSID as either a string or hex pattern.
                 - ssid-length: For beacon, probe-request, and probe-response frame types, the length, in bytes, of the SSID.
payload          Pattern at a fixed offset in the payload of an 802.11 frame.
sequence number  Sequence number of the frame.
src-mac          Source MAC address in the 802.11 frame header.
dst-mac          Source MAC address in the 802.11 frame header.
bssid            BSSID field in the 802.11 frame header.

Related Commands
Configure the Signature profile using the command ids signature-profile.
Command History
This command was available in AOS-W 3.0.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Available in Enable and Config mode on master or local switches


show ids unauthorized-device-profile
show ids unauthorized-device-profile <profile-name>
Description
Show an IDS Unauthorized Device Profile.
Syntax

Parameter       Description
<profile-name>  Name of an IDS Unauthorized Device profile.

Usage Guidelines
Issue this command without the <profile-name> parameter to display the IDS Unauthorized Device profile list. Include a profile name to display detailed configuration information for that profile.

Examples
The example below shows that the switch has five configured Unauthorized Device profiles.

(host) (config) #show ids unauthorized-device-profile

IDS Unauthorized Device Profile List
------------------------------------
Name          References  Profile Status
----          ----------  --------------
default       4
test          0
test1         1
Wizard-test   1
Wizard-test2  1

Total:5
In the example above, the Reference column indicates the number of references to the profile named in the Name column. The Profile Status column is blank unless the rule is predefined. This example displays the configuration settings for the profile test1.

(host) (config) #show ids unauthorized-device-profile test1

IDS Unauthorized Device Profile "test1"
---------------------------------------
Parameter                                           Value
---------                                           -----
Detect Adhoc Networks                               false
Protect from Adhoc Networks                         false
Detect Windows Bridge                               true
Protect Windows Bridge                              false
Detect Wireless Bridge                              false
Detect Devices with an Invalid MAC OUI              false
MAC OUI detection Quiet Time                        900 sec
Wireless Bridge detection Quiet Time                900 sec
Rogue AP Classification                             true
Overlay Rogue AP Classification                     true
OUI-based Rogue AP Classification                   true
Propagated Wired MAC based Rogue AP Classification  true
Valid Wired MACs                                    N/A
Allow Well Known MAC                                N/A
Rogue Containment                                   false
Suspected Rogue Containment                         false
Suspected Rogue Containment Confidence Level        60
Protect Valid Stations                              false
Detect Station Association To Rogue AP              true
Detect Bad WEP                                      false
Detect Misconfigured AP                             true
Protect Misconfigured AP                            false
Detect Valid SSID Misuse                            false
Protect SSID                                        false
Privacy                                             false
Require WPA                                         false
Detect Unencrypted Valid Clients                    true
Unencrypted Valid Client Detection Quiet Time       900 sec
Valid 802.11g channel for policy enforcement        N/A
Valid 802.11a channel for policy enforcement        N/A
Valid MAC OUIs                                      N/A
Valid and Protected SSIDs                           N/A
Protect 802.11n High Throughput Devices             false
Protect 40MHz 802.11n High Throughput Devices       false
Detect Active 802.11n Greenfield Mode               false
Detect Adhoc Network Using Valid SSID               true
Adhoc Network Using Valid SSID Quiet Time           900 sec
Detect Valid Client Misassociation                  true

The output of this command includes the following parameters:

Parameter                                      Description
Detect AdHoc Networks                          Shows if the profile has enabled or disabled detection of adhoc networks.
Protect from Adhoc Networks                    Shows if the profile has enabled or disabled protection from adhoc networks.
Detect Windows Bridge                          Shows if the profile has enabled or disabled detection of Windows station bridging.
Protect Windows Bridge                         Shows if the profile has enabled or disabled protection of Windows station bridging.
Detect Wireless Bridge                         Shows if the profile has enabled or disabled detection of wireless bridging.
Detect Devices with an Invalid MAC OUI         Shows if the profile has enabled or disabled checking of the first three bytes of a MAC address, known as the organizationally unique identifier (OUI), assigned by the IEEE to known manufacturers.
MAC OUI detection Quiet Time                   Time, in seconds, that must elapse after an invalid MAC OUI alarm has been triggered before another identical alarm may be triggered.
Wireless Bridge detection Quiet Time           Time, in seconds, that must elapse after a wireless bridge alarm has been triggered before another identical alarm may be triggered.
Rogue AP Classification                        Shows if the profile has enabled or disabled rogue AP classification.
Overlay Rogue AP Classification                Shows if the switch allows APs that are plugged into the wired side of the network to be classified as "suspected rogue" instead of "rogue".
Valid Wired MACs                               List of valid and protected SSIDs.
Allow Well Known MAC                           Shows if the profile allows devices with known MAC addresses to classify rogue APs.
Rogue Containment                              Shows if the switch will automatically shut down rogue APs.
Suspected Rogue Containment                    Shows if the switch will automatically treat suspected rogue APs as interfering APs.
Suspected Rogue Containment Confidence Level   Confidence level of suspected Rogue AP to trigger containment, expressed as a percentage.
Protect Valid Stations                         Shows if the switch will allow valid stations to connect to a non-valid AP.
Detect Bad WEP                                 Shows if the profile has enabled or disabled detection of WEP initialization vectors that are known to be weak and/or repeating.
Detect Misconfigured AP                        Shows if the profile has enabled or disabled detection of misconfigured APs.
Protect Misconfigured AP                       Shows if the profile has enabled or disabled protection of misconfigured APs.
Detect Valid SSID Misuse                       Shows if detection of valid SSID misuse is enabled (true) or disabled (false).
Protect SSID                                   Shows if the profile has enabled or disabled use of SSID by valid APs only.
Privacy                                        Shows if the profile has enabled or disabled encryption as a valid AP configuration.
Require WPA                                    Shows if the switch will flag any valid AP not using WPA as a misconfigured AP.
Valid 802.11g channel for policy enforcement   A list of valid 802.11b/g channels that third-party APs are allowed to use.
Valid 802.11a channel for policy enforcement   A list of valid 802.11a channels that third-party APs are allowed to use.
Valid MAC OUIs                                 A list of valid MAC Organizationally Unique Identifiers (OUIs).
Valid and Protected SSIDs                      A list of valid and protected SSIDs.
Protect 802.11n High Throughput Devices        Shows if the profile enables or disables protection of high-throughput (802.11n) devices.
Protect 40MHz 802.11n High Throughput Devices  Shows if the profile enables or disables protection of high-throughput (802.11n) devices operating in 40 MHz mode.
Detect Active 802.11n Greenfield Mode          Shows if the profile enables or disables detection of high-throughput devices advertising greenfield preamble capability.
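
An added example, not part of the reference guide or any vendor tooling: Python that parses the two-column output of show ids unauthorized-device-profile <profile> and reports settings that drift from a site baseline. The BASELINE values, the function names, and the assumption that the columns are separated by two or more spaces are illustrative; the sample text is constructed from a subset of the test1 output above.

```python
import re

# Constructed sample: a subset of the "test1" output shown above, in the
# two-column layout assumed here (columns separated by two or more spaces).
SAMPLE_OUTPUT = '''\
IDS Unauthorized Device Profile "test1"
---------------------------------------
Parameter                                     Value
---------                                     -----
Detect Adhoc Networks                         false
Protect from Adhoc Networks                   false
Detect Windows Bridge                         true
Detect Wireless Bridge                        false
MAC OUI detection Quiet Time                  900 sec
Rogue AP Classification                       true
Valid Wired MACs                              N/A
Rogue Containment                             false
Suspected Rogue Containment Confidence Level  60
Detect Misconfigured AP                       true
Require WPA                                   false
Detect Valid Client Misassociation            true
'''

# Hypothetical site baseline: an assumption for illustration, not a vendor
# recommendation. Quiet times are expressed in seconds.
BASELINE = {
    "Detect Adhoc Networks": True,
    "Detect Wireless Bridge": True,
    "Rogue AP Classification": True,
    "Detect Misconfigured AP": True,
    "Require WPA": True,
    "MAC OUI detection Quiet Time": 900,
}

ROW = re.compile(r"^(?P<name>\S.*?)\s{2,}(?P<value>\S.*)$")
TITLE = re.compile(r'^IDS Unauthorized Device Profile "(?P<profile>.+)"$')


def coerce(raw):
    """Convert a CLI value to bool, int (seconds or count), None (N/A) or str."""
    raw = raw.strip()
    low = raw.lower()
    if low in ("true", "false"):
        return low == "true"
    if low == "n/a":
        return None
    seconds = re.fullmatch(r"(\d+)\s*sec", low)
    if seconds:
        return int(seconds.group(1))
    if raw.isdigit():
        return int(raw)
    return raw


def parse_profile(text):
    """Return (profile_name, {parameter: value}) from the show output."""
    profile = None
    params = {}
    for line in text.splitlines():
        line = line.rstrip()
        title = TITLE.match(line)
        if title:
            profile = title.group("profile")
            continue
        if not line or set(line.replace(" ", "")) == {"-"}:
            continue  # blank line or dashed rule
        row = ROW.match(line)
        if not row or row.group("name") == "Parameter":
            continue  # column header or a line that is not a parameter row
        params[row.group("name")] = coerce(row.group("value"))
    return profile, params


def audit(params, baseline):
    """Return sorted (parameter, current, expected) tuples that differ from the baseline."""
    findings = []
    for key, want in baseline.items():
        if key not in params:
            findings.append((key, "missing", want))
        elif type(params[key]) is not type(want) or params[key] != want:
            findings.append((key, params[key], want))
    return sorted(findings, key=lambda f: f[0])


def disabled_detections(params):
    """List every 'Detect ...' parameter that the profile has switched off."""
    return sorted(k for k, v in params.items()
                  if k.startswith("Detect ") and v is False)


if __name__ == "__main__":
    profile, settings = parse_profile(SAMPLE_OUTPUT)
    for key, have, want in audit(settings, BASELINE):
        print(f"{profile}: {key}: have {have!r}, baseline {want!r}")
    print("disabled detections:", disabled_detections(settings))
```

Parameters whose value is N/A are returned as None, so an empty list such as Valid Wired MACs can be told apart from a setting that is explicitly false.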

Related Commands
Configure the Unauthorized Device profile using the command ids unauthorized-device-profile.
Command History

Version    Description
AOS-W 3.0  Command Introduced
AOS-W 6.0  Refreshed show output

Command Information

Platforms                   Licensing                       Command Mode
Available on all platforms  Requires the RFprotect license  Config mode on master switches

show ids wms-general-profile
show ids wms-general-profile

Description
Display general statistics for the wms configuration.

Syntax
No parameters.

Example
This example shows per-channel statistics for all monitored APs.

(host) #show ids wms-general-profile

IDS WMS General Profile
-----------------------
Parameter                                    Value
---------                                    -----
AP poll interval                             60000 msec
AP poll retries                              3
AP ageout interval                           0 minutes
Adhoc AP ageout interval                     31 minutes
Station ageout interval                      100 minutes
Statistics update                            true
Persistent Neighbor APs                      true
Persistent Valid STAs                        false
AP learning                                  false
Propagate Wired Macs                         true
Collect Stats for Monitored APs and Clients  false
Learn System Wired Macs                      false

The output of this command includes the following information:

Column                                       Description
AP poll interval                             Interval, in milliseconds, for communication between the switch and AMs. The switch contacts the AM at this interval to download AP to station associations, update policy configuration changes, and download AP and station statistics.
AP poll retries                              Maximum number of failed polling attempts before the polled AM is considered to be down.
AP ageout interval                           Time, in minutes, that an AP must remain unseen by any probes before it is deleted from the database.
Adhoc AP ageout interval                     Time, in minutes, that an adhoc (IBSS) AP remains unseen before it is deleted (ageout) from the database.
Station ageout interval                      Time, in minutes, that a client must remain unseen by any probes before it is deleted from the database.
Statistics update                            Shows the status of the statistics updates in the database.
Persistent Neighbor APs                      Shows the status of known AP neighbors.
Persistent Valid STAs                        Shows the status of known AP neighbors.
AP learning                                  Shows the status of "learning" of non-Alcatel-Lucent APs.
Propagate Wired Macs                         Shows if the switch has enabled or disabled the propagation of the gateway wired MACs.
Collect Stats for Monitored APs and Clients  Shows if the master switch will collect up to 25,000 statistic entries for monitored APs and clients.
Learn System Wired Macs                      Shows the status of "learning" of wired MACs at the switch.

Command History

Release    Modification
AOS-W 3.0  Command introduced
AOS-W 6.1  Added the following parameters adhoc-ap-ageout-interval debug persistent-neighbor event-correlation event-correlation-quiet-time Minutes Tick

Command Information

Platforms      Licensing              Command Mode
All platforms  Base operating system  Enable mode on master switches

show image version

Description
Display the current system image version on both partition 0 and 1.

Syntax
No parameters.

Example

The following example shows that the switch is running AOS-W 3.4 and booting off partition 0:0.

(host) #show image version
----------------------------------
Partition         : 0:0 (/dev/hda1) **Default boot**
Software Version  : AOS-W 3.3.2.0
Build number      : 18661
Label             : 18661
Built on          : 2008-06-12 04:24:34 PDT
----------------------------------
Partition         : 0:0 (/dev/hda1)
Software Version  : AOS-W 3.3.2.0
Build number      : 18661
Label             : 18661
Built on          : 2008-06-12 04:24:34 PDT

The output of this command includes the following parameters:

Parameter         Description
Partition         Partition number and name. The default boot partition will display a **Default boot** notice by the partition name.
Software Version  Version of AOS-W software running on the partition.
Build number      Build number for the software version.
Label             The label parameter can display additional information for the build. By default, this value is the software build number.
Built on          Date the software build was created.

Command History
This command was available in AOS-W 1.0.
Command Information

Platforms      Licensing              Command Mode
All platforms  Base operating system  Enable and Config mode on local and master switches

show interface cellular access-group
show interface cellular access-group
Description
List the Access groups configured on the cellular interface.
Example
(host) (config-cell)#show interface cellular access-group
Cell Interface: session access list 3 is configured
Command History

Release    Modification
AOS-W 5.0  Command introduced

Command Information

Platforms        Licensing              Command Mode
OAW-4306 Series  Base operating system  Configuration Mode (config-cell)

show interface counters
show interface counters

Description
Displays a table of L2 interfaces counters.

Syntax
No parameters

Example

The example below shows the output of show interface counters on an OAW-4306G switch.

Port   InOctets     InUcastPkts   InMcastPkts   InBcastPkts
GE1/0  250559459    1664878       0             16
GE1/1  1615683022   1230973       0             16
GE1/2  204909       1511          0             16
GE1/3  2964355      22155         0             17
GE1/4  1612815178   12509415      0             228
GE1/6  23571170611  15545404      0             4
GE1/7  23562566444  15530432      8236          146

Port   OutOctets    OutUcastPkts  OutMcastPkts  OutBcastPkts
GE1/0  2504472376   2645877       8243          16770
GE1/1  169128719    820198        8243          17083
GE1/2  1881584      25785         8243          16771
GE1/3  5247669      47718         8245          16813
GE1/4  26893373267  20838930      8243          16561
GE1/6  539935348    8160008       8139          461
GE1/7  23563612641  15531317      7             336

The output of this command includes the following parameters:

Parameter     Description
Port          Port number.
InOctets      Number of octets received through the port.
InUcastPkts   Number of unicast packets received through the port.
InMcastPkts   Number of multicast packets received through the port.
InBcastPkts   Number of broadcast packets received through the port.
OutOctets     Number of octets sent through the port.
OutUcastPkts  Number of unicast packets sent through the port.
OutMcastPkts  Number of multicast packets sent through the port.
OutBcastPkts  Number of broadcast packets sent through the port.

Command History
This command was introduced in AOS-W 3.0.

Command Information

Platforms      Licensing              Command Mode
All platforms  Base operating system  Enable or config mode on master switches

show interface fastethernet
show interface fastethernet <slot/port>
Description
Displays information about a specified fast Ethernet port.
Syntax

Parameter       Description
access-group    Displays access groups configured on this interface.
counters        Displays L2 interface counters for the specified interface.
switchport      Displays L2 interface information.
untrusted-vlan  Displays port member vlan untrusted status.
xsec            Displays xsec configuration.

Examples
The example below shows the output of show interface fastethernet 1/0.
FE 1/0 is up, line protocol is up
Hardware is FastEthernet, address is 00:0B:86:51:14:D1 (bia 00:0B:86:51:14:D1)
Description: fe1/0
Encapsulation ARPA, loopback not set
Configured: Duplex ( AUTO ), speed ( AUTO )
Negotiated: Duplex (Full), speed (100 Mbps)
MTU 1500 bytes, BW is 100 Mbit
Last clearing of "show interface" counters 15 day 21 hr 34 min 53 sec
link status last changed 15 day 21 hr 32 min 16 sec
    1122463 packets input, 196293018 bytes
    Received 661896 broadcasts, 0 runts, 0 giants, 0 throttles
    0 input error bytes, 0 CRC, 0 frame
    661881 multicast, 460567 unicast
    191428 packets output, 97063150 bytes
    0 output errors bytes, 0 deferred
    0 collisions, 0 late collisions, 0 throttles
This port is TRUSTED
POE Status of the port is OFF

The output of this command includes the following parameters:

Parameter                                   Description
FE 1/0 is...                                Displays the status of the specified port.
line protocol is...                         Displays the status of the line protocol on the specified port.
Hardware is....                             Describes the hardware interface type.
address is...                               Displays the MAC address of the hardware interface.
Description                                 The port type, name, and connector type.
Encapsulation                               Encapsulation method assigned to this port.
loopback...                                 Displays whether or not loopback is set.
Configured                                  Configured transfer operation and speed.
Negotiated                                  Negotiated transfer operation and speed.
MTU bytes                                   MTU size of the specified port in bytes.
BW is...                                    Bandwidth of the link.
Last clearing of "show interface counters"  Time since "show interface counters" was cleared. Below the time, all current counters related to the specified port are listed.
This port is...                             Whether or not this port is trusted.
POE status of the port is...                The POE status of the specified port.

#show interface fastethernet 1/0 access-group

FE 1/0:

Port-Vlan Session ACL
---------------------
SessionACL  Vlan  Status
----------  ----  ------

The output of this command includes the following parameters:

Parameter   Description
SessionACL  Session ACL name.
Vlan        VLAN number.
Status      ACL status.

#show interface fastethernet 1/0 counters

Port   InOctets   InUcastPkts   InMcastPkts   InBcastPkts
FE1/0  196310364  460655        661932        15

Port   OutOctets  OutUcastPkts  OutMcastPkts  OutBcastPkts
FE1/0  97074242   191401        3             72

The output of this command includes the following parameters:

Parameter     Description
Port          Port number.
InOctets      Number of octets received through the port.
InUcastPkts   Number of unicast packets received through the port.
InMcastPkts   Number of multicast packets received through the port.
InBcastPkts   Number of broadcast packets received through the port.
OutOctets     Number of octets sent through the port.
OutUcastPkts  Number of unicast packets sent through the port.
OutMcastPkts  Number of multicast packets sent through the port.
OutBcastPkts  Number of broadcast packets sent through the port.

#show interface fastethernet 1/0 switchport
Name: FE1/0
Switchport: Enabled
Administrative mode: trunk
Operational mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Access Mode VLAN: 0 ((Inactive))
Trunking Native Mode VLAN: 1 (Default)
Trunking Vlans Enabled: ALL
Trunking Vlans Active: 1-3

The output of this command includes the following parameters:

Parameter                              Description
Name                                   Port name.
Switchport                             Whether or not switchport is enabled.
Administrative mode                    Administrative mode.
Operational mode                       Operational mode.
Administrative Trunking Encapsulation  Encapsulation method used for administrative trunking.
Operational Trunking Encapsulation     Encapsulation method used for operational trunking.
Access Mode VLAN                       The access mode VLAN for the specified port.
Trunking Native Mode VLAN              The trunking native mode VLAN for the specified port.
Trunking Vlans Enabled                 Number of trunking VLANs currently enabled.
Trunking Vlans Active                  Number of trunking VLANs currently active.

#show interface fastethernet 1/0 untrusted-vlan
Name: FE1/0
Untrusted Vlan(s)

The output of this command includes the following parameters:

Parameter          Description
Name               Name of the specified port.
Untrusted Vlan(s)  List of untrusted VLANs.

#show interface fastethernet 1/1 xsec
xsec vlan 7 is ACTIVE

The output of this command includes the following parameters:

Parameter              Description
xsec vlan 7 is ACTIVE  This states that xsec is active on the specified port as well as the associated VLAN.

Command History
This command was introduced in AOS-W 3.0.
Command Information

Platforms      Licensing              Command Mode
All platforms  Base operating system  Enable or config mode on master switches

show interface gigabitethernet
show interface gigabitethernet <slot/port>
Description
Displays information about a specified Gigabit Ethernet port.
Syntax

Parameter       Description
counters        Displays L2 interface counters for the specified interface.
switchport      Displays L2 interface information.
untrusted-vlan  Displays port member vlan untrusted status.
xsec            Displays xsec configuration.

Examples
The example below shows the output of show interface gigabitethernet 1/0.
(host)# show interface gigabitethernet 1/0
GE 1/0 is up, line protocol is up
Hardware is Gigabit Ethernet, address is 00:0B:86:F0:33:E1 (bia 00:0B:86:F0:33:E1)
Description: GE1/0 (RJ45 Connector)
Encapsulation ARPA, loopback not set
Configured: Duplex ( AUTO ), speed ( AUTO )
Jumbo Support is enabled on this interface MTU 9216
Negotiated: Duplex (Full), speed (100 Mbps)
MTU 1500 bytes, BW is 100 Mbit
Last clearing of "show interface" counters 23 day 4 hr 27 min 54 sec
link status last changed 15 day 3 hr 15 min 21 sec
    2049219 packets input, 112651020 bytes
    Received 911909 broadcasts, 0 runts, 0 giants, 0 throttles
    26 input error bytes, 0 CRC, 0 frame
    906926 multicast, 1137310 unicast
    185897 packets output, 58327172 bytes
    0 output errors bytes, 0 deferred
    0 collisions, 0 late collisions, 0 throttles
This port is TRUSTED
POE Status of the port is ON
Jumbo frame support is enabled

The output of this command includes the following parameters:

Parameter                                   Description
GE 1/0 is...                                Displays the status of the specified port.
line protocol is...                         Displays the status of the line protocol on the specified port.
Hardware is....                             Describes the hardware interface type.
address is...                               Displays the MAC address of the hardware interface.
Description                                 The port type, name, and connector type.
Encapsulation                               Encapsulation method assigned to this port.
loopback...                                 Displays whether or not loopback is set.
Configured                                  Configured transfer operation and speed.
Jumbo support...                            Jumbo frame support is enabled.
Negotiated                                  Negotiated transfer operation and speed.
MTU bytes                                   MTU size of the specified port in bytes.
BW is...                                    Bandwidth of the link.
Last clearing of "show interface counters"  Time since "show interface counters" was cleared.
link status last changed...                 Time since "show interface counters" was cleared. Below the time, all current counters related to the specified port are listed.
This port is...                             Whether or not this port is trusted.
POE status of the port is...                The POE status of the specified port.

(host)#show interface gigabitethernet 1/0

Port   InOctets   InUcastPkts   InMcastPkts   InBcastPkts
GE1/0  112670646  1137507       907019        4983

Port   OutOctets  OutUcastPkts  OutMcastPkts  OutBcastPkts
GE1/0  58342401   170490        104           15373

The output of this command includes the following parameters:

Parameter     Description
Port          Port number.
InOctets      Number of octets received through the port.
InUcastPkts   Number of unicast packets received through the port.
InMcastPkts   Number of multicast packets received through the port.
InBcastPkts   Number of broadcast packets received through the port.
OutOctets     Number of octets sent through the port.
OutUcastPkts  Number of unicast packets sent through the port.
OutMcastPkts  Number of multicast packets sent through the port.
OutBcastPkts  Number of broadcast packets sent through the port.

#show interface gigabitethernet 1/0 switchport

Name: GE1/0
Switchport: Enabled
Administrative mode: static access
Operational mode: static access
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Access Mode VLAN: 62 (VLAN0062)
Trunking Native Mode VLAN: 1 (Default)
Trunking Vlans Enabled: NONE
Trunking Vlans Active: NONE

The output of this command includes the following parameters:

Parameter                              Description
Name                                   Port name.
Switchport                             Whether or not switchport is enabled.
Administrative mode                    Administrative mode.
Operational mode                       Operational mode.
Administrative Trunking Encapsulation  Encapsulation method used for administrative trunking.
Operational Trunking Encapsulation     Encapsulation method used for operational trunking.
Access Mode VLAN                       The access mode VLAN for the specified port.
Trunking Native Mode VLAN              The trunking native mode VLAN for the specified port.
Trunking Vlans Enabled                 Number of trunking VLANs currently enabled.
Trunking Vlans Active                  Number of trunking VLANs currently active.

(host) #show interface gigabitethernet 1/0 untrusted-vlan
Name: GE1/0
Untrusted Vlan(s)

The output of this command includes the following parameters:

Parameter          Description
Name               Name of the specified port.
Untrusted Vlan(s)  List of untrusted VLANs.

(host)# show interface gigabitethernet 1/1 xsec
xsec vlan 7 is ACTIVE

The output of this command includes the following parameters:

Parameter              Description
xsec vlan 7 is ACTIVE  This states that xsec is active on the specified port as well as the associated VLAN.

Command History
This command was introduced in AOS-W 3.0.

Command Information

Platforms      Licensing              Command Mode
All platforms  Base operating system  Enable or config mode on master switches

show interface loopback
show interface loopback
Description
Displays information about the loopback IP interface.
Syntax
No parameters
Example
The example below shows the output of show interface loopback on an OAW-4306G switch.

#show interface loopback
loopback interface is up line protocol is up
Hardware is Ethernet, address is 00:0B:86:51:14:D0
Internet address is 10.3.49.100 255.255.255.255

The output of this command includes the following parameters:

Parameter                 Description
loopback interface is...  Status of the loopback interface.
line protocol is...       Status of the line protocol on the specified port.
Hardware is...            Hardware interface type.
address is...             MAC address of the loopback interface.
Internet address is...    IP address and subnet mask of the loopback interface.

Command History
This command was introduced in AOS-W 3.0.
Command Information

Platforms      Licensing              Command Mode
All platforms  Base operating system  Enable or config mode on master switches

show interface mgmt
show interface mgmt
Description
Displays information about mgmt interfaces.
Syntax
No parameters
Example
The example below shows the output of show interface mgmt on a switch.

# show interface mgmt
mgmt is up line protocol is up
Hardware is Ethernet, address is 00:0B:86:61:00:5D
Internet address is 10.4.71.10 255.255.255.0

The output of this command includes the following parameters:

Parameter               Description
mgmt is...              Status of the mgmt interface.
line protocol is...     Status of the line protocol on the specified port.
Hardware is...          Describes the hardware interface type.
address is...           Interface's MAC address.
Internet address is...  Interface's IP address and subnet mask.

Command History
This command was introduced in AOS-W 3.0.
Command Information

Platforms                                       Licensing              Command Mode
Only available on an M3 with a management port  Base operating system  Enable or config mode on master switches

show interface port-channel
show interface port-channel
Description
Displays information about a specified port-channel interface.
Syntax

Parameter       Description
access-group    Displays access groups configured on this interface.
counters        Displays L2 interface counters for the specified interface.
untrusted-vlan  Displays port member vlan untrusted status.
xsec            Displays xsec configuration.

Example

The example below shows the output of show interface port-channel 0 on a switch.

Port-Channel 0 is administratively up
Hardware is Port-Channel, address is 00:00:00:00:00:00 (bia 00:0B:86:F0:36:B1)
Description: Link Aggregate (LACP)
Spanning Tree is disabled
VLAN membership:
1
Switchport priority: 0
Member port:
Last clearing of "show interface" counters 3 day 21 hr 23 min 6 sec
link status last changed 3 day 21 hr 23 min 6 sec
    0 packets input, 0 bytes
    Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
    0 input error bytes, 0 CRC, 0 frame
    0 multicast, 0 unicast
    0 packets output, 0 bytes
    0 output errors bytes, 0 deferred
    0 collisions, 0 late collisions, 0 throttles
Port-Channel 0 is NOT TRUSTED

The output of this command includes the following parameters:

Parameter                                   Description
Port-Channel 0 is...                        Status of the specified port.
line protocol is...                         Status of the line protocol on the specified port.
Hardware is....                             Hardware interface type.
address is...                               MAC address of the hardware interface.
Description                                 The port type, name, and connector type. If the LAG is created by LACP, it is indicated as shown in the display output above. If the LAG is created by LACP, you cannot statically add or delete any ports under that port channel. All other commands are allowed. If LACP is not shown, then the LAG is created by static configuration.
Spanning Tree is...                         Spanning tree status on the specified port-channel.
VLAN membership                             Number of VLANs the specified port-channel is associated with.
Switchport priority                         Switchport priority of the specified port-channel.
Last clearing of "show interface counters"  Time since "show interface counters" was cleared. Below the time, all current counters related to the specified port are listed.
Port-channel 0 is...                        Whether or not this port-channel is trusted.

#show interface port-channel 0 access-group

Port-Channel 0:

Port-Vlan Session ACL
---------------------
SessionACL  Vlan  Status
----------  ----  ------

The output of this command includes the following parameters:

Parameter   Description
SessionACL  Session ACL name.
Vlan        VLAN number.
Status      ACL status.

#show interface port-channel 0 counters

Port   InOctets   InUcastPkts   InMcastPkts   InBcastPkts
PC 0:  0          0             0             0

Port   OutOctets  OutUcastPkts  OutMcastPkts  OutBcastPkts
PC 0:  0          0             0             0

The output of this command includes the following parameters:

Parameter     Description
PC            Port number.
InOctets      Number of octets received through the port.
InUcastPkts   Number of unicast packets received through the port.
InMcastPkts   Number of multicast packets received through the port.
InBcastPkts   Number of broadcast packets received through the port.
OutOctets     Number of octets sent through the port.
OutUcastPkts  Number of unicast packets sent through the port.
OutMcastPkts  Number of multicast packets sent through the port.
OutBcastPkts  Number of broadcast packets sent through the port.

#show interface port-channel 0 untrusted-vlan
Name: FE1/0 Untrusted Vlan(s)

The output of this command includes the following parameters:

Parameter          Description
Name               Name of the specified port.
Untrusted Vlan(s)  List of untrusted VLANs.

#show interface port-channel 0 xsec
xsec vlan 7 is ACTIVE

The output of this command includes the following parameters:

Parameter              Description
xsec vlan 7 is ACTIVE  This states that xsec is active on the specified port as well as the associated VLAN.

Command History

Release      Modification
AOS-W 3.4.1  Modified to display LACP when applicable.
AOS-W 3.0    Command introduced.

Command Information

Platforms      Licensing              Command Mode
All platforms  Base operating system  Enable or config mode on master switches

show interface-profile voip-profile
show interface-profile voip-profile <profile-name>
Description
This command displays the specified VoIP profile configuration information.
Syntax

Parameter       Description
<profile-name>  Name of the VoIP profile.

Examples

The following example shows configuration details for the VoIP profile:

(host) #show interface-profile voip-profile profile1

VOIP profile "profile1"
-----------------------
Parameter  Value
---------  -----
VOIP VLAN  1
DSCP       0
802.1 UP   0
VOIP Mode  auto-discover

The output of this command includes the following information:

Parameter  Description
VOIP VLAN  The Voice VLAN ID.
DSCP       The DSCP value for the voice VLAN.
802.1 UP   The 802.11p priority level.
VOIP Mode  The mode of VoIP operation. It can be auto-discover or static.

Command History
Command introduced in AOS-W 6.2.
Command Information

Platforms      Licensing               Command Mode
All platforms  Base operating system.  Enable or Config mode on master or local switches

show interface tunnel
show interface tunnel
Description
Displays information about tunnel interfaces.
Syntax
No parameters
Example
The example below shows the output of show interface tunnel.

#show interface tunnel 2000
Tunnel 2000 is up line protocol is up
Description: Tunnel Interface
Internet address is 3.3.3.1 255.255.255.0
Source 192.168.203.1
Destination 192.168.202.1
Tunnel mtu is set to 1100
Tunnel is an IP GRE TUNNEL
Tunnel is Trusted
Inter Tunnel Flooding is enabled
Tunnel keepalive is disabled

The output of this command includes the following parameters:

Parameter                     Description
Tunnel 2000 is...             Status of the specified tunnel.
line protocol is...           Displays the status of the line protocol on the specified tunnel.
Description                   Description of the specified interface.
Internet address is...        IP address and subnet mask of the specified interface.
Source                        IP address of the tunnel's source.
Destination                   IP address of the tunnel's source.
Tunnel mtu is set to...       Size of the specified tunnel's MTU.
Tunnel is an...               Description of the specified tunnel.
Tunnel is...                  Whether or not the specified tunnel is trusted.
Inter tunnel flooding is...   Status of inter tunnel flooding on the specified tunnel.
Tunnel keepalive is...        Status of tunnel keepalive on the specified tunnel.

Command History
This command was introduced in AOS-W 3.0.

Command Information

Platforms      Licensing              Command Mode
All platforms  Base operating system  Enable or config mode on master switches

show interface vlan
show interface vlan
Description
Displays information about a specified VLAN interface.
Syntax
No parameters
Example
The example below shows the output of show interface vlan 1 on an OAW-4306G switch.

#show interface vlan 1
VLAN1 is up line protocol is down
Hardware is CPU Interface, Interface address is 00:0B:86:61:82:40 (bia 00:0B:86:61:82:40)
Description: 802.1Q VLAN
Internet address is 10.3.49.50 255.255.255.0
Routing interface is enable, Forwarding mode is enable
Directed broadcast is disabled, BCMC Optimization disabled ProxyARP disabled Suppress ARP disabled
Encapsulation 802, loopback not set
MTU 1500 bytes
Last clearing of "show interface" counters 4 day 0 hr 28 min 58 sec
link status last changed 4 day 0 hr 28 min 58 sec
Proxy Arp is disabled for the Interface
DHCP Option-82 mac and essid are configured on this Interface

The output of this command includes the following parameters:

Parameter                                   Description
VLAN1 is...                                 Status of the specified VLAN
line protocol is...                         Displays the status of the line protocol on the specified port
Hardware is...                              Describes the hardware interface type
Interface address is...                     Displays the MAC address of the hardware interface
Description                                 Description of the specified VLAN
Internet address is...                      IP address and subnet mask of the specified VLAN
Routing interface is...                     Status of the routing interface
Forwarding mode is...                       Status of the forwarding mode
Directed broadcast is...                    Displays whether or not directed broadcast is enabled
Encapsulation                               Encapsulation type
loopback...                                 Loopback status
MTU                                         MTU size of the specified port in bytes
Last clearing of "show interface counters"  Time since "show interface counters" was cleared
link status last changed                    Time since link status last changed
Proxy ARP is...                             Status of proxy ARP on the specified interface
DHCP Option-82 is...                        Status of DHCP Option 82. If the MAC address and ESSID are configured on this interface

Command History
This command was introduced in AOS-W 3.0.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode Enable or config mode on master switches


show inventory
show inventory

Description
Displays hardware inventory of the switch.

Syntax
No parameters.

Example

Issue this command to display the hardware component inventory of the switch. The output of this command will vary, depending upon switch type.

Supervisor Card slot          : 1
Mobility Processor            : FPGA Rev 0x30030920
Mobility Processor Assembly#  : 2010027B
Mobility Processor Serial#    : F00488202
SC Assembly#                  : 2010032B (Rev:02.00)
SC Serial#                    : FP0001470 (Date:07/01/24)
SC Model#                     : M3mk1
Mgmt Port HW MAC Addr         : 00:0B:86:F0:23:02
HW MAC Addr                   : 00:0B:86:01:C5:00 to 00:0B:86:01:C5:7
FXPLD Version                 : (Rev: 20)
PEER Supervisor Card          : Absent
Line Card 0                   : Absent
Line Card 1                   : Not accessible from this SC
Line Card 2                   : Present
Line Card 2 FPGA              : LCCI Rev 0x6
Line Card 2 Switch Chip       : Broadcom 56308 Rev 0x3
Line Card 2 Mez Card          : Present
Line Card 2 SPOE              : Present
Line Card 2 Sup Card 0        : Absent
Line Card 2 Sup Card 1        : Present ( Active )
Line Card 2 Assembly#         : 2000001C (Rev:03.00) (24FE+2GE)
Line Card 2 Serial#           : C00000277 (Date:02/22/05)
Line Card 2 SPOE Assembly#    : 2000020B (Rev:01.00) (SPOE-2)
Line Card 2 SPOE Serial#      : FP0000100
Line Card 2 MEZZ Assembly#    : 2000002A (Rev:01.00)
Line Card 2 MEZZ Serial#      : S00000540
Line Card 3                   : Present
Line Card 3 FPGA              : LCCI Rev 0x6
Line Card 3 Switch Chip       : Broadcom 56308 Rev 0x3
Line Card 3 Mez Card          : Present
Line Card 3 SPOE              : Present
Line Card 3 Sup Card 0        : Absent
Line Card 3 Sup Card 1        : Present ( Active )
Line Card 3 Assembly#         : 2000001C (Rev:03.00) (24FE+2GE)
Line Card 3 Serial#           : C00007293 (Date:09/27/05)
Line Card 3 SPOE Assembly#    : 2000003B (Rev:02.00) (SPOE-1)
Line Card 3 SPOE Serial#      : S00001750
Line Card 3 MEZZ Assembly#    : 2000002A (Rev:01.00)
Line Card 3 MEZZ Serial#      : C00007172
FAN 0                         : OK, Speed High
FAN 1                         : OK, Speed High
FAN 2                         : OK, Speed High
Fan Tray Assembly#            : 2000007C (Rev:01.00)
Fan Tray Serial#              : C00013879 (Date:12/18/04)
Back Plane Assembly#          : 2000006B (Rev:01.00)
Back Plane Serial#            : A00000250 (Date:12/18/04)
Power Supply type             : Power One (400W)
Power Supply 0                : OK (400W)
Power Supply 1                : FAILED
Power Supply 2                : Absent
M3mk1 Card Temperatures       : M3mk1 card                47 C
                              : CPU                       47 C
AMP Card Temperatures         : Processor Card            41 C
                              : Mobility Processor        56 C
M3mk1 Card Voltages           : M3mk1 5000mV              5010 mV
                              : M3mk1 3300mV              3340 mV
                              : M3mk1 2500mV              2432 mV
                              : M3mk1 1800mV              1790 mV
                              : M3mk1 1500mV              1490 mV
                              : M3mk1 1250mV              1260 mV
                              : M3mk1 1200mV              1200 mV
                              : M3mk1 IBC 12000mV         11815 mV
                              : M3mk1 CPU Fan Speed       6887 RPMs
                              : M3mk1 CPU CORE 1200mV 1080 mV
                              : M3mk1 XGMII VTT 750mV     750 mV
                              : M3mk1 VTT0(a&b) 900mV     900 mV
                              : M3mk1 VTT1(c&d) 900mV     900 mV
                              : AMP 3300mV                3320 mV
                              : AMP 2500mV                2480 mV
                              : AMP 1800mV                1800 mV
                              : AMP 1500mV                1500 mV
                              : AMP BCM 1200mV            1200 mV
                              : AMP FPGA 1200mV(1)        1200 mV
                              : AMP FPGA 1200mV(2)        1200 mV

The output includes the following parameters:

Parameter                               Description
Supervisor Card Slot                    Supervisor card slot number
Mobility Processor                      Revision of the image downloaded to the FPGA. This can change if a newer image is included in a newer release.
Mobility Processor Assembly#            Assembly number of the mobility processor. This only applies to OAW-S3 cards.
Mobility Processor Serial#              Serial number of the mobility processor. This only applies to OAW-S3 cards.
SC Assembly#                            Assembly number of the supervisor card.
SC Serial#                              Serial number of the supervisor card.
SC Model#                               Model number of the supervisor card.
Mgmt Port HW MAC Address                MAC address of the mgmt port
HW MAC Address                          MAC address
FXPLD Version                           Revision of programmable logic device on supervisor card.
PEER Supervisor Card                    States whether or not a PEER supervisor card is present.
Line Card <slot number>                 States whether or not a line card is present in the specified slot
Line Card <slot number> FPGA            Name/type of FPGA associated with the specified line card slot
Line Card <slot number> Switch Chip     Name/type of switch card associated with the specified line card slot
Line Card <slot number> Mez Card        States whether or not a mezzanine card is present in the specified slot
Line Card <slot number> SPOE            States whether or not a SPOE card is present in the specified slot
Line Card <slot number> Sup Card 0      States whether or not a supervisor card 0 is present in the specified slot
Line Card <slot number> Sup Card 1      States whether or not a supervisor card 1 is present in the specified slot
Line Card <slot number> Assembly#       Assembly number of the line card in the specified slot
Line Card <slot number> Serial#         Serial number of the line card in the specified slot
Line Card <slot number> SPOE Assembly#  Assembly number of SPOE line card in the specified slot
Line Card <slot number> SPOE Serial#    Serial number of SPOE line card in the specified slot
Line Card <slot number> MEZZ Assembly#  Assembly number of the mezzanine card in the specified slot
Line Card <slot number> MEZZ Serial#    Serial number of the mezzanine card in the specified slot
FAN <Fan number>                        Status of the specified fan
Fan Tray Assembly#                      Assembly number of the fan tray
Fan Tray Serial#                        Serial number of fan tray
Back Plane Assembly#                    Assembly number of the back plane
Back Plane Serial#                      Serial number of the back plane
Power Supply Type                       Power supply type
Power Supply <power supply number>      Power supply status
M3mk1 Card Temperatures
  - M3mk1 card                          The temperature from the sensor on the supervisor card
  - CPU                                 The temperature from the CPU die
AMP Card Temperatures
  - Processor Card                      The temperature from the sensor on the Mobility Processor card
  - Mobility Processor                  The temperature from the FPGA die
M3mk1 Card Voltages                     This parameter displays two columns of voltages for many components displayed previously by this command. The voltage displayed in the right column should match the corresponding value in the left column, generally within +/- 5%.
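The voltage rule in the last row can be checked automatically when show inventory output is collected for monitoring. The Python below is an added example, not part of the AOS-W guide: it parses a constructed excerpt that reuses readings from the example output above, and reports failed power supplies and rails that deviate more than 5% from the nominal value in their name. The function name and the treatment of Absent as a non-fault are assumptions.

```python
import re

# Constructed excerpt in the label/value layout of "show inventory"; the readings
# are the ones printed in the guide's example output.
SAMPLE = """\
Power Supply 0                : OK (400W)
Power Supply 1                : FAILED
Power Supply 2                : Absent
M3mk1 Card Voltages           : M3mk1 5000mV              5010 mV
                              : M3mk1 2500mV              2432 mV
                              : M3mk1 IBC 12000mV         11815 mV
                              : M3mk1 CPU Fan Speed       6887 RPMs
                              : M3mk1 CPU CORE 1200mV 1080 mV
                              : M3mk1 VTT0(a&b) 900mV     900 mV
                              : AMP FPGA 1200mV(1)        1200 mV
"""

# Left column: rail name that embeds the nominal value ("... 1200mV").
# Right column: measured value ("1080 mV").
VOLTAGE_RE = re.compile(
    r":\s*(?P<rail>.*?(?P<nominal>\d+)mV\S*)\s+(?P<measured>\d+) mV\s*$"
)
PSU_RE = re.compile(r"^(?P<name>Power Supply \d+)\s*:\s*(?P<status>.+?)\s*$")


def check_inventory(text, tolerance_pct=5.0):
    """Return findings for failed power supplies and out-of-tolerance rails."""
    findings = []
    for line in text.splitlines():
        psu = PSU_RE.match(line)
        if psu:
            status = psu.group("status")
            # Assumption: "Absent" is an empty bay, not a fault. Any other
            # status that does not start with "OK" is reported.
            if not status.startswith("OK") and status != "Absent":
                findings.append(("psu", psu.group("name"), status))
            continue
        volt = VOLTAGE_RE.search(line)
        if volt:
            nominal = int(volt.group("nominal"))
            measured = int(volt.group("measured"))
            deviation = 100.0 * abs(measured - nominal) / nominal
            if deviation > tolerance_pct:
                findings.append(
                    ("voltage", volt.group("rail"), nominal, measured,
                     round(deviation, 1))
                )
    return findings


if __name__ == "__main__":
    for finding in check_inventory(SAMPLE):
        print(finding)
```

On the guide's own sample values this reports Power Supply 1 and the CPU CORE rail, which reads 1080 mV against a 1200 mV nominal.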

Command History
This command was introduced in AOS-W 1.0.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode Enable or config mode on master switches


show iostat
show iostat
Description
Displays IO statistics information. This command reports Central Processing Unit (CPU) statistics and input/output statistics for devices and partitions.
Syntax
No parameters.
Example
Issue this command to display the IO statistics of the switch.

cpu 290556 0 4305598 107533173
cpu0 290556 0 4305598 107533173
page 46291 249539
swap 0 0
intr 17959116 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 17950877 0 8148 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 00000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000 0 0 0 0 0 0 0 0 30 61 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 00000000000000000000000000000000000000000000000 00000000000000000000 0000000000000
disk_io: (3,0):(679,460,7196,219,950)
ctxt 135640513
btime 1241728432
processes 357519

The output includes the following parameters:

Parameter   Description
cpu         The number of jiffies (1/100th of a second) that the system spent in user mode, user mode with low priority, system mode, and the idle task, respectively.
page        The number of pages the system paged in and the number that were paged out (from disk).
swap        The number of swap pages that have been brought in and out.
intr        The number of interrupts received since system boot.
disk_io     (x,y) is (major, minor):(xx, xx, xxxx, x, x) is (noinfo, read_io_ops, blks_read, write_io_ops, blks_written)
ctxt        The number of context switches that the system underwent.
btime       The boot time, in seconds.
processes   The number of forks since boot.

Command History
This command was introduced in AOS-W 1.0.


Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Enable or config mode on master switches


show ip access-group
show ip access-group

Description
Display access control lists (ACLs) configured for each port on the switch.

Syntax
No parameters.

Examples
The example below shows part of the output of this command. If a port does not have a defined session ACL, the Port-Vlan Session ACL table will be blank.
(host) # show ip access-group
FE 1/0: Rx access list 200 is applied
session access list User14 is applied

Port-Vlan Session ACL
---------------------
SessionACL  Vlan  Status
----------  ----  ------
coltrane    22    configured

The output of this command includes the following parameters:

Parameter    Description
Session ACL  Name of the ACL applied to the interface.
VLAN         If the ACL was applied to a VLAN associated with this port, this column will show the VLAN ID.
Status       Shows whether or not the session ACL is configured.

Related Commands
Command                                                   Description
interface fastethernet | gigabitethernet ip access-group  Configure an access group for an interface.

Command History
Release    Modification
AOS-W 3.0  Command introduced
AOS-W 3.4  The VLAN output parameter was introduced.


Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Available in Config or Enable mode on master or local switches


show ip access-list
show ip access-list {brief|<string>}
Description
Display a table of all configured access control lists (ACLs), or show details for a specific ACL.
Syntax

Parameter  Description
brief      Display a table of information for all ACLs.
<string>   Specify the name of a single ACL to display detailed information on that ACL.

Examples
The example below shows general information for all ACLs in the Access List table.
(Host) #show ip access-list brief

Access list table ----------------Name ---200 33 allowall ap-acl captiveportal captiveportal6 control test-logon logon cplogout default guest log-https srcnat stateful-dot1x stateful-kerberos validuser

Type ---eth standard session session session
session session
session session session session session session session session

Use Count ---------
2 2 4
2 7 1
2 1

Roles -----
trusted-ap default-vpn-role rap_role ap-role coltrane-logon wizardtest-logon test-logon logon
guest-logon logon ap-role coltrane-logon wizardtest-logon guest stateful guest
stateful-dot1x logon test-24325

The output of this command includes the following parameters:

Parameter  Description
Name       Name of an access-control list (ACL).
Type       Shows that the ACL is one of the following ACL policy types:
           - Ethertype
           - Standard
           - Session
           - MAC
           - Extended
Use Count  Number of rules defined in the ACL.
Roles      Names of user roles associated with the ACL.

Include the name of a specific ACL to show detailed configuration information for that ACL. The output in the example below has been divided into two sections to better fit in this document. The output in the command-line interface will appear in a single, long table.

(host)# show ip access-list captiveportal6

ip access-list session captiveportal6
captiveportal6
--------------
Priority  Source  Destination  Service          Action   TimeRange  Log  Expired  Queue
--------  ------  -----------  -------          ------   ---------  ---  -------  -----
1         user    controller6  svc-https        captive                           Low
2         user    any          svc-http         captive                           Low
3         user    any          svc-https        captive                           Low
4         user    any          svc-http-proxy1  captive                           Low
5         user    any          svc-http-proxy2  captive                           Low
6         user    any          svc-http-proxy3  captive                           Low

6

TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
---  -----  ---------  ------  -------  -------------  ------
                                                       6
                                                       6
                                                       6
                                                       6
                                                       6
                                                       6

The output of this command may include some or all of the following parameters:

Parameter    Description
Priority     Name of an access-control list (ACL).
Source       The traffic source, which can be one of the following:
             - alias: The network resource (use the netdestination command to configure aliases; use the show netdestination command to see configured aliases)
             - any: Matches any traffic.
             - host: A single host IP address.
             - network: The IP address and netmask.
             - user: The IP address of the user.
             - localip: The set of all local IP addresses on the system, on which the ACL is applied.
Destination  The traffic destination, which can be one of the following:
             - alias: The network resource (use the netdestination command to configure aliases; use the show netdestination command to see configured aliases)
             - any: Matches any traffic.
             - host: A single host IP address.
             - network: An IP address and netmask.
             - user: The IP address of the user.
             - localip: The set of all local IP addresses on the system, on which the ACL is applied.
Service      Network service, which can be one of the following:
             - An IP protocol number (0-255).
             - The name of a network service (use the show netservice command to see configured services).
             - any: Matches any traffic.
             - tcp: A TCP port number (0-65535).
             - udp: A UDP port number (0-65535).
Action       Action if rule is applied, which can be one of the following:
             deny: Reject packets.
             dst-nat: Perform destination NAT on packets.
             dual-nat: Perform both source and destination NAT on packets.
             permit: Forward packets.
             redirect: Specify the location to which packets are redirected, which can be one of the following:
             - Datapath destination ID (0-65535).
             - esi-group: Specify the ESI server group configured with the esi group command
             - opcode: Specify the datapath destination ID (0x33, 0x34, or 0x82). Do not use this parameter without proper guidance from Alcatel-Lucent.
             tunnel: Specify the ID of the tunnel configured with the interface tunnel command.
             src-nat: Perform source NAT on packets.
Timerange    Any defined time range for this rule.
Log          Shows if the rule was configured to generate a log message when the rule is applied.
Expired      Shows if the rule has expired.
Queue        Shows if the rule assigns a matching flow to a priority queue (high/low).
Tos
8021.p       802.1p priority level applied by the rule (0-7).
Blacklist    Shows if the rule should blacklist any matching user.
Mirror       Shows if the rule was configured to mirror all session packets to datapath or remote destination.
DisScan      Shows if the rule was configured to pause ARM scanning while traffic is present.
IPv4/6       Shows the IP version.
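When a session ACL is reviewed from saved CLI output, the ruler of dashes under the header row is what lets empty cells such as TimeRange or Log be recovered. The Python below is an added example, not code from the AOS-W guide: it parses the first half of the rule table and flags rules marked expired and rules that permit any destination and any service without logging. The sample ACL (guest-example), its rules, and the reading of a non-empty Log or Expired cell as "set" are assumptions constructed for illustration.

```python
import re

# Constructed output in the layout of "show ip access-list <name>" (first half
# of the table only). The ACL name, rules and "Yes" markers are made up.
SAMPLE = """\
ip access-list session guest-example
guest-example
-------------
Priority  Source  Destination  Service    Action   TimeRange  Log  Expired  Queue
--------  ------  -----------  -------    ------   ---------  ---  -------  -----
1         user    controller   svc-https  captive                           Low
2         user    any          svc-dns    permit              Yes           Low
3         user    any          svc-http   permit   weekdays        Yes      Low
4         user    any          any        permit                            Low
5         any     any          any        deny                Yes           Low
"""


def split_by_ruler(line, starts):
    """Assign each token to the column it overlaps most; empty cells stay ''."""
    ends = starts[1:] + [10**9]
    cells = [""] * len(starts)
    for tok in re.finditer(r"\S+", line):
        overlap = [min(tok.end(), b) - max(tok.start(), a)
                   for a, b in zip(starts, ends)]
        i = overlap.index(max(overlap))
        cells[i] = (cells[i] + " " + tok.group()).strip()
    return cells


def parse_acl_rules(text):
    """Return one dict per rule row, keyed by the column names in the header."""
    lines = text.splitlines()
    # The header row starts with "Priority"; the line under it is the ruler.
    hdr = next(i for i, l in enumerate(lines) if l.lstrip().startswith("Priority"))
    starts = [m.start() for m in re.finditer(r"-+", lines[hdr + 1])]
    names = split_by_ruler(lines[hdr], starts)
    rules = []
    for line in lines[hdr + 2:]:
        if not line.strip() or not line.lstrip()[0].isdigit():
            break  # end of the rule rows
        rules.append(dict(zip(names, split_by_ruler(line, starts))))
    return rules


def audit_rules(rules):
    """Flag expired rules and broad permit rules that do not log."""
    findings = []
    for r in rules:
        prio = int(r["Priority"])
        if r["Expired"]:
            findings.append((prio, "rule is marked expired"))
        broad = r["Destination"] == "any" and r["Service"] == "any"
        if broad and r["Action"] == "permit" and not r["Log"]:
            findings.append(
                (prio, "permits any destination and service without logging"))
    return findings


if __name__ == "__main__":
    for prio, message in audit_rules(parse_acl_rules(SAMPLE)):
        print(f"rule {prio}: {message}")
```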

Related Commands
Command                 Description
ip access-list session  Configure an access list for an interface.

Command History
Introduced in AOS-W 3.0.


Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Available in Config or Enable mode on master or local switches


show ip cp-redirect-address
show ip cp-redirect-address
Description
Show the captive portal automatic redirect IP address.
Syntax
No parameters.
Examples
The example below shows the IP address to which captive portal users are automatically directed.
(host) # show ip cp-redirect-address
Captive Portal redirect Address... 10.3.63.11
Related Commands

Command                 Description
ip cp-redirect-address  This command configures a redirect address for captive portal.

Command History
Introduced in AOS-W 3.0.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Available in Config or Enable mode on master or local switches


show ip dhcp
show ip dhcp {binding|database|statistics}
Description
Show DHCP Server Settings.
Syntax

Parameter   Description
binding     Show DHCP server bindings.
database    Show DHCP server settings.
statistics  Show DHCP pool statistics.

Examples
The example below shows DHCP statistics for two configured networks.
(host) # show ip dhcp statistics

Network Name      172.19.42.0/24
Free leases       137
Active leases     115
Expired leases    0
Abandoned leases  0

Network Name      10.14.86.0/24
Free leases       126
Active leases     126
Expired leases    0
Abandoned leases  0

The output of this command includes the following parameters:

Parameter         Description
Network Name      Range of addresses that the DHCP server may assign to clients.
Free leases       Number of available DHCP leases.
Expired leases    Number of leases that have expired because they have extended past their valid lease period.
Abandoned leases  Number of abandoned leases. Abandoned leases will not be reassigned unless there are no free leases available.

Related Commands
Command       Description
ip dhcp pool  This command configures a DHCP pool on the switch.


Command History
Introduced in AOS-W 3.0.


show ip domain-name
show ip domain-name

Description
Show the full domain name and server.

Syntax
No parameters.

Examples
The example below shows that the IP domain lookup feature is enabled, but that no DNS server has been configured on the switch.
(host) #show ip domain-name

IP domain lookup:     Enabled
IP Host.Domain name:  MyCompany2400.

No DNS server configured

Related Commands

Command           Description
ip domain lookup  This command enables Domain Name System (DNS) hostname to address translation.
ip domain-name    This command configures the default domain name.
ip dhcp pool      This command configures a DHCP pool on the switch.

Command History
Introduced in AOS-W 3.0.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Available in Config or Enable mode on master or local switches


show ip igmp
show ip igmp config|counters|{group maddr <maddr>}|{interface [vlan <vlan>]}|{proxy-group vlan <vlan>}|{proxy-mobility-group maddr <maddr>}|proxy-mobiity-stats|proxy-stats
Description
Display Internet Group Management Protocol (IGMP) timers and counters.
Syntax

Parameter                           Description
config                              Show the current IGMP configuration
counters                            Display a list of counters for the following IGMP queries:
                                    - received-total
                                    - received-queries
                                    - received-v1-reports
                                    - received-v2-reports
                                    - received-leaves
                                    - received-unknown-types
                                    - len-errors
                                    - checksum-errors
                                    - not-vlan-dr
                                    - transmitted-queries
                                    - forwarded
group maddr <maddr>                 Show IGMP group information
interface vlan <vlan>               Show IGMP interface information
proxy-group vlan <vlan>             Show IGMP proxy group information for a specific interface.
proxy-mobility-group maddr <maddr>  Display the IGMP proxy group information stored for mobile clients which are away from the switch.
proxy-mobiity-stats                 Display the most important messages exchanged between the mobility process and the IGMP proxy.
proxy-stats                         Display the number of messages transmitted and received by the IGMP proxy on the upstream interface

Examples

The example below displays the IGMP interface table for all VLANs on the switch.

(host) # show ip igmp interface vlan 2

IGMP Interface Table
--------------------
VLAN  Addr        Netmask        MAC Address        IGMP      Snooping  Querier     Destination  IGMP Proxy
----  ----        -------        -----------        ----      --------  -------     -----------  ----------
64    10.6.4.252  255.255.255.0  00:0b:86:01:99:00  disabled  disabled  10.6.4.252  CP           disabled
65    10.6.5.252  255.255.255.0  00:0b:86:01:99:00  disabled  disabled  10.6.5.252  CP           disabled
1     10.6.2.252  255.255.255.0  00:0b:86:01:99:00  disabled  disabled  10.6.2.252  CP           disabled
66    10.6.6.252  255.255.255.0  00:0b:86:01:99:00  disabled  disabled  10.6.6.252  CP           disabled
63    10.6.3.252  255.255.255.0  00:0b:86:01:99:00  disabled  disabled  10.6.3.252  CP           disabled

The output of this command includes the following parameters:

Parameter    Description
VLAN         A VLAN ID number.
Addr         IP address of a VLAN router.
Netmask      Subnet mask for the IP address.
MAC Address  MAC destination address.
IGMP         Indicates if IGMP is enabled (or disabled) on the interface.
Snooping     Indicates if IGMP snooping is enabled (or disabled).
Querier      IP address of an IGMP querier.
Destination  Traffic destination.
IGMP Proxy   Indicates if IGMP proxy is enabled (or disabled).

The following example displays the current IGMP configuration settings for the switch.
(host) #show ip igmp config

IGMP Config
-----------
Name                              Value
----                              -----
robustness-variable               2
query-interval                    125
query-response-interval           100
startup-query-interval            31
startup-query-count               2
last-member-query-interval        10
last-member-query-count           2
version-1-router-present-timeout  400

The output of this command includes the following parameters:

Parameter                         Description
robustness-variable               This variable is increased from its default level of 2 to allow for expected packet loss on a subnetwork.
query-interval                    Interval, in seconds, at which the switch sends host-query messages to the multicast group address 224.0.0.1 to solicit group membership information.
query-response-interval           Maximum time, in .1 second intervals, that can elapse between when the switch sends a host-query message and when it receives a response. This must be less than the query-interval.
startup-query-count               Number of queries that the switch sends out on startup, separated by startup-query-interval. The default setting is the value of the robustness-variable parameter.
startup-query-interval            Interval, in seconds, at which the switch sends general queries on startup. The default value of this parameter is 1/4 of the query-interval.
last-member-query-count           Number of group-specific queries that the switch sends before assuming that there are no local group members.
last-member-query-interval        Maximum time, in seconds, that can elapse between group-specific query messages.
version-1-router-present-timeout  Timeout, in seconds, if the switch detects a version 1 IGMP router.

Related Commands

Command  Description
ip igmp  This command configures Internet Group Management Protocol (IGMP) timers and counters.

Command History
Introduced in AOS-W 3.0.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode Available in Config or Enable mode on master switches.


show ip mobile
show ip mobile
   active-domains
   binding [<host-ip>|<host-macaddr>|brief]
   domain [<name>]
   global
   hat
   host [<host-ip>|<host-macaddr>|brief]
   packet-trace [<count>]
   remote <host-ip>|<host-macaddr>
   trace <ip-addr>|<mac-addr>|{force <ip-addr>|<mac-addr>}
   traffic dropped|foreign-agent|home-agent|proxy|proxy-dhcp
   trail <host-ip>|<host-macaddr>
   tunnel
   visitor [<host-ip>|<host-macaddr>|brief]

Description
Display statistics and configuration information for the mobile protocol.
Syntax

Parameter                         Description
active-domains                    IP mobility domains active on this switch
binding                           Display a list of Home Agent Bindings
  [<host-ip>]                     Filter the Home Agent Bindings list to display data for a specific host IP address.
  [<host-macaddr>]                Filter the Home Agent Bindings list to display data for a specific host MAC address.
  [brief]                         Limit the output of this command to show just two lines of data.
domain [<name>]                   Display subnet, VLAN and home agent information for all mobility domains, or specify a mobility domain name to view data for that domain only.
global                            View the current Mobility Agents global configuration
hat                               Display the Active Home Agent Table
host                              Display a list of Mobile IP hosts.
  [<host-ip>]                     Filter the Mobile Host List to display data for a specific host IP address.
  [<host-macaddr>]                Filter the Mobile Host List to display data for a specific host MAC address.
  [brief]                         Limit the output of this command to show just two lines of data.
packet-trace [<count>]            The output of this command shows when packets of different types were sent between a source IP or MAC address and a destination IP or MAC address.
remote <host-ip>|<host-macaddr>   This is a debug command which can be used to identify the switch associated with the specified client IP address or MAC address. The output of this command shows the home agent (HA) and foreign agent (FA) for a mobile client, as well as the client's roaming status.
trace                             Show if the Mobile IP feature will poll remote switches for mobility status of station
  <ip-addr>                       Host IP address
  <mac-addr>                      Host MAC address
  force <ip-addr>|<mac-addr>      Show if the Mobile IP feature will poll remote switches for mobility status of station.
traffic                           Display mobile IP protocol statistics for:
                                  - Proxy DHCP
                                  - Proxy Mobile IP
                                  - Home Agent Registrations
                                  - Foreign Agent Registrations
                                  - Registration Revocations
  dropped                         Show only counters for dropped mobility traffic.
  foreign-agent                   Show only mobile IP foreign agent statistics. A foreign agent is the switch which handles all mobile IP communication with a home agent on behalf of a roaming client.
  home-agent                      Show only mobile IP home agent statistics. A home agent for a mobile client is the switch where the client first appears when it joins the mobility domain.
  proxy                           Show only counters for mobile IP proxy traffic.
  proxy-dhcp                      Show only counters for mobile IP proxy DHCP traffic.
trail <host-ip>|<host-macaddr>    Show the mobile IP roaming trail by entering a host's IP or MAC address.
tunnel                            Show the Mobile Tunnel Table for IPIP Tunnels.
visitor                           Display a list of mobile nodes visiting a foreign agent.
  [<host-ip>]                     Filter the Foreign Agent Visitor list to display data for a specific host IP address.
  [<host-macaddr>]                Filter the Foreign Agent Visitor list to display data for a specific host MAC address.
  [brief]                         Limit the output of this command to show just two lines of data.

Examples
The example below lists mobility domains configured on the switch, and shows information for any subnets defined on these domains.
(host) #show ip mobile domain
Mobility Domains:, 2 domain(s)
------------------------------
Domain name default
Home Agent Table, 0 subnet(s)

Domain name newdomain
Home Agent Table, 2 subnet(s)
subnet          mask            VlanId Home Agent      Description
--------------- --------------- ------ --------------- -----------------------
10.2.124.76     255.255.255.255 1      10.4.62.2       Corporate mobility entry
172.21.5.50     255.255.255.255 1      10.4.62.2       Reserved entries

The output of this command includes the following parameters:

Parameter    Description
subnet       Subnet configured for the IP mobility service.
mask         Subnet mask
VLAN ID      VLAN ID of the VLAN used by the subnet.
Home Agent   IP address of the home agent or mobility agent.
Description  Description of the HAT entry.

Use the show ip mobile host command to track mobile users.
(host) #show ip mobile host
Mobile Host List, 1 host(s)
---------------------------
9c:b7:0d:3f:a4:8a 10.15.26.162 test
Roaming Status: Home Switch/Home VLAN, Service time 0 days 00:09:05
Home VLAN 3 on network 10.15.26.0/24
DHCP lease for Harsha-PC at Fri Apr 27 02:15:49 2012 for 240 secs from 10.15.24.11
The output of this command includes the following parameters:

Parameter              Description
<mac-addr> <ip-addr>   MAC and IP addresses of the host
Roaming Status         Displays how long the host has used its current switch and VLAN.
Home VLAN              VLAN ID, IP address and subnet of the home VLAN.
DHCP lease             Displays the amount of time the station has had its current DHCP lease.

Related Commands
Command                       Description
ip mobile active-domain       This command configures the mobility domain that is active on the switch.
ip mobile domain              This command configures the mobility domain on the switch.
ip mobile foreign-agent       This command configures the foreign agent for IP mobility.
ip mobile home-agent          This command configures the home agent for IP mobility.
ip mobile proxy               This command configures the proxy mobile IP module in a mobility-enabled switch.
ip mobile revocation          This command configures the frequency at which registration revocation messages are sent.
ip mobile trail (deprecated)  This command configures the capture of association trail for all devices.

Command History
Command introduced in AOS-W 3.0.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Available in Config or Enable mode on master or local switches


show ip nat pool
show ip nat pool

Description
Display pools of IP addresses for network address translation (NAT).

Syntax
No parameters

Examples

The example below shows the current NAT pool configuration on the switch.

(host) # show ip nat pools

NAT Pools
---------
Name  Start IP  End IP     DNAT IP
----  --------  ---------  -------
2net  2.1.1.1   2.1.1.125

The output of this command includes the following parameters:

Parameter  Description
Name       Name of the NAT pool.
Start IP   IP address that defines the beginning of the range of source NAT addresses in the pool.
End IP     IP address that defines the end of the range of source NAT addresses in the pool.
DNAT IP    Destination NAT IP address, if defined.

Related Commands

Command  Description
ip nat   This command configures a pool of IP addresses for network address translation (NAT).

Command History
This command was available in AOS-W 3.0.
Command Information

Platforms All platforms

Licensing
Though this command is available in the operating system, you must have a PEFNG license to configure a NAT pool.

Command Mode
Available in Config or Enable mode on master or local switches


show ip ospf
show ip ospf [database]|[debug route]|[interface tunnel|vlan <id>]|[neighbor]| [redistribute]| [subnet]
Description
Display statistics and configuration information for the Open Shortest Path First (OSPF) routing protocol.
Syntax

Parameter                   Description
database                    Show database information for the OSPF protocol.
debug route                 Show debugging information for OSPF routes.
interface tunnel|vlan <id>  Display the status of OSPF on an individual interface by specifying a tunnel or VLAN ID number.
neighbor                    Display data for OSPF neighboring routers.
redistribute                Display OSPF route distribution information.
subnet                      Display the subnets manually added to the Subnet Exclude List via the router ospf subnet exclude <addr> <mask> command.

Example
If you issue this command without any of the optional parameters described in the table above, the show ip ospf command will display general router and area settings for the OSPF.
(host) (config-subif)# show ip ospf
OSPF is currently running with Router ID 123.45.110.200
Number of areas in this router is 1
Area 10.1.1.0
  Number of interfaces in this area is 2
  Area is totally stub area
  SPF algorithm executed 0 times

The output of this command includes the following parameters.

Parameter        Description
OSPF Router ID   Verifies that OSPF is running and the router ID that OSPF is running on.
Number of areas  List the number of areas configured in the router.
Area             Displays the Area ID followed by:
                 - number of interfaces in the area
                 - indicates if the area is a totally stub area
                 - number of times the SPF algorithm has been executed

To display OSPF settings for an individual interface, you must specify a VLAN or tunnel ID number. The example below displays part of the output of the show ip ospf interface vlan command.
(host) # show ip ospf interface vlan 10
Vlan 3 is up, line protocol is up
Internet Address 3.3.3.1, Mask 255.255.255.0, Area 10.1.1.1
Router ID 10.4.131.227, Network Type BROADCAST, Cost: 1
Transmit Delay is 1 sec, State WAIT, Priority 1
Designated Router id 0.0.0.0, Interface Address 3.3.3.1
Backup designated Router id 0.0.0.0, Interface Address 3.3.3.1
Timer intervals configured, Hello 10, Dead 40, Retransmit 5
Neighbor Count is 0
Tx Stat: Hellos 1 DbDescr 0 LsReq 0 LsUpdate 0 LsAck 0 Pkts 1
Rx Stat: Hellos 0 DbDescr 0 LsReq 0 LsUpdate 0 LsAck 0 Pkts 0
         DisCd 0 BadVer 0 BadNet 0 BadArea 0 BadDstAdr 0 BadAuType 0 BadAuth 0 BadNeigh 0 BadPckType 0 BadVirtLink 0
...
The output may include some or all of the following parameters.

Parameter                      Description
Vlan <number>                  Identifies that the interface type and ID are up and functional.
Internet Address               Internet address, network mask, and area assigned to the interface.
Router ID                      Displays the router ID, that the network type is Broadcast, and the cost value.
Transmit Delay                 Details of the transmit delay, state, and priority.
Designated Router              Details of the designated router ID and interface address.
Backup Designated Router ID    Details of the backup router ID and interface address.
Timer intervals configured     Details of elapsed time intervals for Hello, Dead, Transmit (wait), and retransmit.
Neighbor Count                 Details the number of neighbors and adjacent neighbors.
Tx Stat                        Counters and statistics for transmitted data.
                               - Hellos: Number of transmitted hello packets. These packets are sent every hello interval.
                               - DbDescr: Number of transmitted database description packets.
                               - LsReq: Number of transmitted link state request packets.
                               - LsUpdate: Number of transmitted link state update packets.
                               - LsAck: Number of transmitted link state acknowledgment packets.
                               - Pkts: Total number of transmitted packets.
Rx Stat                        Counters and statistics for received data.
                               - Hellos: Number of received hello packets. These packets are sent every hello interval.
                               - DbDescr: Number of received database description packets.
                               - LsReq: Number of received link state request packets.
                               - LsUpdate: Number of received link state update packets.
                               - LsAck: Number of received link state acknowledgment packets.
                               - Pkts: Total number of received packets.
DisCd                          Number of received packets that are discarded.
BadVer                         Number of received packets that have a bad OSPF version number.
BadNet                         Number of received packets that belong to a different network than the local interface.
BadArea                        Number of received packets that belong to a different area than the local interface.
BadDstAdr                      Number of received packets that have the wrong destination address.
BadAuType                      Number of received packets that have a different authentication type than the local interface.
BadAuth                        Number of received packets where authentication failed.
BadNeigh                       Number of received packets which didn't have a valid neighbor.
BadPckType                     Number of received packets that have the wrong OSPF packet type.
BadVirtLink                    Number of received packets that didn't match a valid virtual link.
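
The following is an added example, not part of the AOS-W guide: a Python sketch that parses captured show ip ospf interface output and reports the receive error counters described in the table above, listing the authentication-related ones (BadAuType, BadAuth) first. The function names, the second capture, and the treatment of the counters as running totals that can be compared between two captures are assumptions made for this example.

```python
import re

# Packet counters shown on both the "Tx Stat:" and "Rx Stat:" lines.
PACKET_COUNTERS = ("Hellos", "DbDescr", "LsReq", "LsUpdate", "LsAck", "Pkts")

# Receive error counters, with the meaning given in the parameter table.
RX_ERROR_COUNTERS = {
    "DisCd": "received packets discarded",
    "BadVer": "bad OSPF version number",
    "BadNet": "different network than the local interface",
    "BadArea": "different area than the local interface",
    "BadDstAdr": "wrong destination address",
    "BadAuType": "different authentication type than the local interface",
    "BadAuth": "authentication failed",
    "BadNeigh": "no valid neighbor",
    "BadPckType": "wrong OSPF packet type",
    "BadVirtLink": "no matching virtual link",
}
AUTH_COUNTERS = ("BadAuType", "BadAuth")

_PAIR = re.compile(r"([A-Za-z]+)\s+(\d+)")


def parse_ospf_interface(text):
    """Parse the counters of ONE interface from 'show ip ospf interface'.

    The parser looks for the 'Tx Stat:' and 'Rx Stat:' markers instead of
    relying on line breaks, so it also accepts output that was flattened
    onto a single line. Tokens that are not known counters are ignored.
    """
    tx_part, marker, rx_part = text.partition("Rx Stat:")
    if not marker or "Tx Stat:" not in tx_part:
        raise ValueError("no Tx Stat / Rx Stat block found")
    tx_part = tx_part.split("Tx Stat:", 1)[1]
    tx = {n: int(v) for n, v in _PAIR.findall(tx_part) if n in PACKET_COUNTERS}
    rx_known = PACKET_COUNTERS + tuple(RX_ERROR_COUNTERS)
    rx = {n: int(v) for n, v in _PAIR.findall(rx_part) if n in rx_known}
    return {"tx": tx, "rx": rx}


def rx_error_findings(stats, baseline=None):
    """Return [(counter, increase, meaning)] for Rx error counters that are
    non-zero, or that grew since `baseline` when an earlier capture is given.
    Authentication-related counters are listed first.
    """
    findings = []
    for name, meaning in RX_ERROR_COUNTERS.items():
        now = stats["rx"].get(name, 0)
        before = baseline["rx"].get(name, 0) if baseline else 0
        if now > before:
            findings.append((name, now - before, meaning))
    findings.sort(key=lambda f: f[0] not in AUTH_COUNTERS)  # stable sort
    return findings


# Output copied from the example in this section (all error counters are 0).
PAGE_SAMPLE = """\
(host) # show ip ospf interface vlan 10
Vlan 3 is up, line protocol is up
Internet Address 3.3.3.1, Mask 255.255.255.0, Area 10.1.1.1
Router ID 10.4.131.227, Network Type BROADCAST, Cost: 1
Transmit Delay is 1 sec, State WAIT, Priority 1
Designated Router id 0.0.0.0, Interface Address 3.3.3.1
Backup designated Router id 0.0.0.0, Interface Address 3.3.3.1
Timer intervals configured, Hello 10, Dead 40, Retransmit 5
Neighbor Count is 0
Tx Stat: Hellos 1 DbDescr 0 LsReq 0 LsUpdate 0 LsAck 0 Pkts 1
Rx Stat: Hellos 0 DbDescr 0 LsReq 0 LsUpdate 0 LsAck 0 Pkts 0
         DisCd 0 BadVer 0 BadNet 0 BadArea 0 BadDstAdr 0 BadAuType 0 BadAuth 0 BadNeigh 0 BadPckType 0 BadVirtLink 0
"""

# Constructed later capture of the same interface (not real device output).
LATER_SAMPLE = (
    PAGE_SAMPLE.replace("Rx Stat: Hellos 0", "Rx Stat: Hellos 12")
    .replace("LsAck 0 Pkts 0", "LsAck 0 Pkts 21")
    .replace("DisCd 0", "DisCd 9")
    .replace("BadAuType 0", "BadAuType 2")
    .replace("BadAuth 0", "BadAuth 7")
)

if __name__ == "__main__":
    first = parse_ospf_interface(PAGE_SAMPLE)
    later = parse_ospf_interface(LATER_SAMPLE)
    for name, increase, meaning in rx_error_findings(later, first):
        tag = "AUTH" if name in AUTH_COUNTERS else "rx-error"
        print(f"[{tag}] {name} +{increase}: {meaning}")
```
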

Related Commands
Command        Description
ip ospf        Configure OSPF on the interface
router ospf    Configure OSPF on the router

Command History
Introduced in AOS-W 3.4.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Available in Config or Enable mode on master or local switches

show ip pppoe-info
show ip pppoe-info
Description
Display configuration settings for Point-to-Point Protocol over Ethernet (PPPoE).
Syntax
No parameters.
Examples
The example below shows the current PPPoE configuration.

(host) #show ip pppoe-info
PPPoE username: rudolph123
PPPoE password: <HIDDEN>
PPPoE service name: ppp2056
PPPoE VLAN: 22

The output of this command includes the following parameters:

Parameter             Description
PPPoE username        PAP username configured on the PPPoE access concentrator.
PPPoE password        If this parameter displays the word <HIDDEN>, a PAP password is configured on the PPPoE access concentrator. If this parameter is <NONE>, there is no PPPoE password configured.
PPPoE service name    PPPoE service name.
PPPoE VLAN            VLAN configured to use PPPoE to obtain an IP address via the command interface vlan <id> ip address pppoe.

Command History
Introduced in AOS-W 3.0.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Available in Config or Enable mode on master or local switches

show ip radius
show ip radius nas-ip|source-interface
Description
Display global parameters for configured RADIUS servers.
Syntax

Command             Description
nas-ip              Show the Network Access Server (NAS) IP address attribute sent in outgoing RADIUS requests
source-interface    Show the source address of outgoing RADIUS requests

Examples
The example below shows the RADIUS client NAS IP address.

(host) #show ip radius nas-ip
RADIUS client NAS IP address = 10.168.254.221

Related Commands
Command      Description
ip radius    This command configures global parameters for configured RADIUS servers.

Command History
Introduced in AOS-W 3.0.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Available in Config or Enable mode on master or local switches

show ip route
show ip route [static]
Description
View the Alcatel-Lucent switch routing table.
Syntax

Command    Description
static     Include this optional parameter to display only static routes.

Usage Guidelines
This command displays static routes configured on the switch via the ip route command. Use the ip default-gateway command to set the default gateway to the IP address of the interface on the upstream router or switch to which you connect the switch.
Examples
The example below shows the IP address of routers and the VLANs to which they are connected.

(host) #show ip route
Codes: C - connected, O - OSPF, R - RIP, S - static
       M - mgmt, U - route usable, * - candidate default
Gateway of last resort is 10.6.2.254 to network 0.0.0.0
S*   0.0.0.0/0 [1/0] via 10.6.2.254*
C    10.9.2.0 is directly connected, VLAN1
C    10.9.3.0 is directly connected, VLAN63
C    10.9.4.0 is directly connected, VLAN64
C    10.9.5.0 is directly connected, VLAN65
C    10.9.6.0 is directly connected, VLAN66
C    0.0.0.0 is directly connected, Tunnel 1
C    10.100.103.253 is an ipsec map default-local-master-ipsecmap
Related Commands

Command      Description
ip radius    This command configures global parameters for configured RADIUS servers.

Command History
Introduced in AOS-W 3.0.

Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Available in Config or Enable mode on master or local switches

show ipc statistics app-ap
show ipc statistics app-ap {am|sapd|sta} {ap-name <ap-name>}|{bssid <bssid>}|{ip-addr <ipaddr>}
Description
Display Inter Process Communication (IPC) statistics for a specific AP or BSSID.
Syntax

Parameter            Description
am                   Show IPC statistics for an air monitor.
sapd                 Show IPC statistics for the SAPD process.
stm                  Show IPC statistics for station management communications.
ap-name <ap-name>    Show IPC statistics for an AP with a specific name.
bssid <bssid>        Show IPC statistics for a specific Basic Service Set Identifier (BSSID). An AP's BSSID is usually the AP's MAC address.
ip-addr <ip-addr>    Show IPC statistics for an AP with a specific IP address. Enter the IP address in dotted-decimal format.

Usage Guidelines
Issue this command at the request of Alcatel-Lucent support to troubleshoot application errors.

Example

The following example shows IPC statistics for the SAPD process on an AP named mpp125.

(host) #show ipc statistics app-ap sapd ap-name mpp125

Local Statistics
To application     Tx Msg   Tx Blk  Tx Ret  Tx Fail  Rx Ack   Rx Msg   Rx Drop  Rx Err  Tx Ack
MESH               3        0       1       0        3        1        1        0       1
RF Client          1        0       0       0        1        1        0        0       1
STM                1        0       0       0        1        0        0        0       0
Nanny              1        0       0       0        1        0        0        0       0

Remote Statistics
To application     Tx Msg   Tx Blk  Tx Ret  Tx Fail  Rx Ack   Rx Msg   Rx Drop  Rx Err  Tx Ack
AMAPI CLI Client   0        0       0       0        0        1        0        0       1
STM                248      0       0       0        0        248      0        0       0

Allocated Buffers   0
Static Buffers      1
Static Buffer Size  1444

The output of this command includes the following data columns:

Parameter             Description
Tx Msg                Number of transmitted messages.
Tx Blk                Number of blocking messages transmitted.
Tx Ret                Number of transmitted messages that were returned.
Tx Fail               Number of failure messages that were transmitted.
Rx Ack                Number of received acknowledgements.
Rx Msg                Number of received messages.
Rx Drop               Number of received messages that were dropped.
Rx Err                Number of received messages with errors.
Tx Ack                Number of transmitted acknowledgements.
Allocated Buffers     Number of allocated buffers for IPC messages.
Static Buffers        Number of static buffers for IPC messages.
Static Buffer Size    Size of the static buffer.

Command History
This command was available in AOS-W 1.0.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Enable and Config mode on local and master switches

show ipc statistics app-id
show ipc statistics app-id <app-id>
Description
Display Inter Process Communication (IPC) statistics for a specific AP or BSSID.
Syntax

Parameter    Description
<app-id>     Application ID number. This number must be obtained from Alcatel-Lucent support.

Usage Guidelines
Issue this command at the request of Alcatel-Lucent support to troubleshoot application errors.
Command History
This command was available in AOS-W 1.0.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Enable and Config mode on local and master switches

show ipc statistics app-name
show ipc statistics app-name <name>
Description
Display Inter Process Communication (IPC) statistics for a specific application.
Syntax

Parameter    Description
<name>       One of the following application names:
             - aaa: Administrator Authentication
             - ads: Anomaly Detection
             - authmgr: User Authentication
             - certmgr: Certificate Manager
             - cfgm: Config Manager
             - cpsec: Control-Plane Security Manager
             - cts: Transport Service
             - dbsync: Database Synchronization
             - dhcp: DHCP Server
             - esi: Server Load Balancing
             - fpapps: Layer 2,3 control
             - httpd: HTTPD
             - ike: IKE Daemon
             - l2tp: L2TP
             - licensemgr: License Manager
             - mobileip: Mobile IP
             - ntp: NTP Daemon
             - ospf: OSPF
             - pim: Protocol Independent Multicast
             - pktfilter: Packet Filter
             - pptp: PPTP
             - profmgr: Profile Manager
             - publisher: Publish subscribe service
             - resolver: Resolver
             - sapm: SAPM
             - snmp: SNMP agent
             - stm: Station Management
             - stm-lopri: Station Management Low Priority
             - syslogd: Syslog Manager
             - userdb: User Database Server
             - wms: Wireless Management

Example
The following example shows IPC statistics for the STM process.

(host) #show ipc statistics app-name stm

Local Statistics
To application     Tx Msg   Tx Blk  Tx Ret  Tx Fail  Rx Ack   Rx Msg   Rx Drop  Rx Err  Tx Ack
AMAPI Web Client   0        0       0       0        0        34405    0        0       34405
Layer2/3           233098   1       0       0        233095   12       0        0       12
Authentication Se  1076236  0       0       0        1076236  0        0        0       0
Authentication     54494    7448    54      1        54050    468811   0        0       0
Publisher          4        0       0       0        4        2        52       0       2
AMAPI CLI Client   1        0       0       0        1        702      0        0       702
Profile Manager    1        1       0       0        1        0        0        0       0
Mobile IP          1120303  0       0       0        1076236  1        0        0       0
Syslog Manager     2        2       0       0        2        0        0        0       0
WMS                0        0       0       0        0        19       0        0       19
PIM                2        1       0       0        2        1        1        0       1
Configuration Man  2        1       0       0        2        13       0        0       12
License Manager    1        1       0       0        1        0        0        0       0
Datapath           3281237  66425   1       0        1907552  1382289  104      6       0
Nanny              1        0       0       0        0        0        0        0       0

Remote Statistics
To application     Tx Msg   Tx Blk  Tx Ret  Tx Fail  Rx Ack   Rx Msg   Rx Drop  Rx Err  Tx Ack
WMS                59       0       0       0        59       0        0        0       0
STM                54983    0       0       0        0        1527435  0        0       0

Allocated Buffers   0
Static Buffers      4
Static Buffer Size  1400

The output of this command includes the following data columns:

Parameter             Description
Tx Msg                Number of transmitted messages.
Tx Blk                Number of blocking messages transmitted.
Tx Ret                Number of transmitted messages that were returned.
Tx Fail               Number of failure messages that were transmitted.
Rx Ack                Number of received acknowledgements.
Rx Msg                Number of received messages.
Rx Drop               Number of received messages that were dropped.
Rx Err                Number of received messages with errors.
Tx Ack                Number of transmitted acknowledgements.
Allocated Buffers     Number of allocated buffers for IPC messages.
Static Buffers        Number of static buffers for IPC messages.
Static Buffer Size    Size of the static buffer.

Command History
This command was available in AOS-W 3.0.

Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Enable or Config mode on master or local switches

show ipv6 access-list (deprecated)
show ipv6 access-list [<string> | brief]
Description
Displays the IPv6 access lists configured on the switch.
Syntax

Parameter    Description
string       To view details of a specific ACL.
brief        To view a summary of all IPv6 ACLs.

Command History
Version      Modification
AOS-W 3.3    Command introduced
AOS-W 6.1    Command deprecated. This command has been replaced by the show ip access-list command.

show ipv6 datapath session counters (deprecated)
show ipv6 datapath session counters
Description
Displays datapath session table statistics.
Command History

Version      Modification
AOS-W 1.0    Command introduced
AOS-W 6.1    Command deprecated. This command has been replaced by the show datapath session ipv6 counters command.

show ipv6 datapath session table (deprecated)
show ipv6 datapath session table <IPv6 Address>
Description
Displays the current IPv6 sessions on the switch.
Syntax

Parameter            Description
<IPv6 IP Address>    Optional parameter. If specified, displays IPv6 datapath session table for that IP address. By default, displays session table for all IPv6 addresses.

Command History
Version      Modification
AOS-W 3.0    Command introduced
AOS-W 6.1    Command deprecated. This command has been replaced by the show datapath session ipv6 table command.

show ipv6 datapath user counters (deprecated)
show ipv6 datapath user counters
Description
Displays datapath user table statistics.
Command History

Version      Modification
AOS-W 3.0    Command introduced
AOS-W 6.1    Command deprecated. This command has been replaced by the show datapath user ipv6 command.

show ipv6 datapath user table (deprecated)
show ipv6 datapath user table
Description
Displays IPv6 datapath user table entries.
Command History

Version      Modification
AOS-W 3.0    Command introduced
AOS-W 6.1    Command deprecated. This command has been replaced by the show datapath user ipv6 command.

show ipv6 firewall
show ipv6 firewall
Example
This example displays the status of all firewall configurations.

(host) #show ipv6 firewall

Global IPv6 firewall policies
-----------------------------
Policy                                      Action    Rate  Slot/Port
------                                      ------    ----  ---------
Monitor ping attack                         Disabled
Monitor TCP SYN attack                      Disabled
Monitor IPv6 sessions attack                Disabled
Deny inter user bridging                    Disabled
Deny all IPv6 fragments                     Disabled
Per-packet logging                          Disabled
Enforce TCP handshake before allowing data  Disabled
Prohibit RST replay attack                  Disabled
Session Idle Timeout                        Disabled
Session mirror destination                  Disabled
Prohibit IPv6 Spoofing                      Disabled
Enable IPv6 Stateful Firewall               Disabled

The output of this command includes the following parameters:

Parameter                                     Description
Monitor ping attack                           If enabled, the switch monitors the number of ICMP pings per second. If this value exceeds the maximum configured rate, the switch will register a denial of service attack.
Monitor TCP SYN attack                        If enabled, the switch monitors the number of TCP SYN messages per second. If this value exceeds the maximum configured rate, the switch will register a denial of service attack.
Monitor IPv6 sessions attack                  If enabled, the switch monitors the number of TCP session requests per second. If this value exceeds the maximum configured rate, the switch will register a denial of service attack.
Deny inter user bridging                      If enabled, this setting prevents the forwarding of Layer-2 traffic between wired or wireless users. You can configure user role policies that prevent Layer-3 traffic between users or networks, but this does not block Layer-2 traffic.
Deny all IPv6 fragments                       If enabled, all IPv6 fragments are dropped.
Per-packet logging                            If active, and logging is enabled for the corresponding session rule, this feature logs every packet.
Enforce TCP handshake before allowing data    If enabled, this feature prevents data from passing between two clients until the three-way TCP handshake has been performed. Enabling this option causes mobility to fail, so disable this option if you have mobile clients on the network.
Prohibit RST replay attack                    If enabled, this setting closes a TCP connection in both directions if a TCP RST is received from either direction.
Session Idle Timeout                          Shows if a session idle timeout interval has been defined.
Session mirror destination                    Destination to which mirrored packets are sent.
Prohibit IPv6 Spoofing                        Status of IPv6 spoofing protection. When this option is enabled, IP and MAC addresses are checked; possible IP spoofing attacks are logged and an SNMP trap is sent.
Enable IPv6 Stateful Firewall                 Shows if IPv6 stateful firewall is enabled.
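
The following is an added example, not part of the AOS-W guide: a Python sketch that parses captured show ipv6 firewall output and compares it with a required baseline, including the caveat above that enforcing the TCP handshake breaks mobility. The baseline list, the function names, the two-or-more-space column separation and the constructed "Enabled" capture are assumptions made for this example.

```python
import re

HANDSHAKE = "Enforce TCP handshake before allowing data"

# Hypothetical site baseline: policies this example expects to be enabled.
REQUIRED_ENABLED = (
    "Monitor ping attack",
    "Monitor TCP SYN attack",
    "Monitor IPv6 sessions attack",
    "Prohibit RST replay attack",
    "Prohibit IPv6 Spoofing",
    "Enable IPv6 Stateful Firewall",
)


def parse_ipv6_firewall(text):
    """Map each policy name to the value of its Action column.

    Assumes columns are separated by two or more spaces (policy names
    themselves contain single spaces only).
    """
    policies = {}
    in_table = False
    for line in text.splitlines():
        row = line.strip()
        if not row or set(row) <= {"-", " "}:
            continue  # blank line or dashed rule
        if not in_table:
            in_table = row.split()[0] == "Policy"  # column header row
            continue
        cols = re.split(r"\s{2,}", row)
        if len(cols) >= 2:
            policies[cols[0]] = cols[1]
    return policies


def audit(policies, mobile_clients=False):
    """Return [(finding, policy)] for deviations from REQUIRED_ENABLED.

    With mobile_clients=True, an enabled TCP-handshake enforcement is also
    reported, because the guide states that it causes mobility to fail.
    """
    findings = []
    for name in REQUIRED_ENABLED:
        action = policies.get(name)
        if action is None:
            findings.append(("missing", name))
        elif action.lower() != "enabled":
            findings.append(("not-enabled", name))
    if mobile_clients and policies.get(HANDSHAKE, "").lower() == "enabled":
        findings.append(("breaks-mobility", HANDSHAKE))
    return findings


# Output from the example in this section (every policy is Disabled).
PAGE_SAMPLE = """\
(host) #show ipv6 firewall

Global IPv6 firewall policies
-----------------------------
Policy                                      Action    Rate  Slot/Port
------                                      ------    ----  ---------
Monitor ping attack                         Disabled
Monitor TCP SYN attack                      Disabled
Monitor IPv6 sessions attack                Disabled
Deny inter user bridging                    Disabled
Deny all IPv6 fragments                     Disabled
Per-packet logging                          Disabled
Enforce TCP handshake before allowing data  Disabled
Prohibit RST replay attack                  Disabled
Session Idle Timeout                        Disabled
Session mirror destination                  Disabled
Prohibit IPv6 Spoofing                      Disabled
Enable IPv6 Stateful Firewall               Disabled
"""

# Constructed capture (not real device output): the baseline policies and
# the TCP-handshake enforcement are shown as Enabled.
HARDENED_SAMPLE = "\n".join(
    line.replace("Disabled", "Enabled")
    if line.startswith(("Monitor", "Prohibit", "Enable", "Enforce"))
    else line
    for line in PAGE_SAMPLE.splitlines()
)

if __name__ == "__main__":
    for label, sample in (("page", PAGE_SAMPLE), ("hardened", HARDENED_SAMPLE)):
        for finding, policy in audit(parse_ipv6_firewall(sample), mobile_clients=True):
            print(f"{label}: {finding}: {policy}")
```
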

Command History
This command was available in AOS-W 3.0.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Enable or Config mode on master and local switches

show ipv6 interface
show ipv6 interface [brief]
Description
View IPv6-related information on all interfaces.
Syntax

Parameter    Description
brief        Optional parameter. If specified, displays the IPv6-related information on all the interfaces in a summary format.

Example
(host) #show ipv6 interface brief

Interface                          [Status/Protocol]
vlan 1                             [ up/up ]
    fe80::b:8600:161:1328/64
loopback                           [ up/up ]
    fe80::b:860f:ff61:1328/64
mgmt                               [down/down]
    unassigned
    IPv6 is disabled

The following table details the columns and content in the show command.

Column             Description
Interface          List the interface and interface identification with the IPv6 address and netmask for the interface, if configured.
Status/Protocol    States the administrative status and the IPv6 status on the interface.
                   - Enabled: up
                   - Disabled: down

Command History
Release      Modification
AOS-W 6.1    Command introduced

Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Available in Config or Enable mode on master switches.

show ipv6 mld config
show ipv6 mld config
Description
Displays Multicast Listener Discovery (MLD) configuration details.
Example
This example displays the current MLD configuration values.

(host) #show ipv6 mld config

MLD Config
----------
Name                     Value
----                     -----
robustness-variable      2
query-interval           125
query-response-interval  100

The output of this command includes the following parameters:

Parameter                  Description
robustness-variable        Denotes the value that is used to calculate the timeout value of an MLD client.
query-interval             Denotes the time interval at which the MLD query is sent.
query-response-interval    Denotes the time interval at which the MLD query response should be received.

Command History
This command was available in AOS-W 3.3.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Enable or Config mode on master and local switches

show ipv6 mld counters
show ipv6 mld counters
Description
Displays the statistics of MLD.
Example
This example displays the MLD statistics for the following values.

(host) #show ipv6 mld counters

MLD Statistics
--------------
Name                    Value
----                    -----
received-total          0
received-queries        0
received-v1-reports     0
received-leaves         0
received-unknown-types  0
len-errors              0
checksum-errors         0
not-vlan-dr             0
transmitted-queries     0
forwarded               0

The output of this command includes the following parameters:

Parameter                 Description
received-total            The total number of MLD messages.
received-queries          The total number of MLD queries.
received-v1-reports       The total number of MLD v1 reports received.
received-leaves           The total number of MLD v1 leave messages received.
received-unknown-types    The total number of unrecognized messages received.
len-errors                The total number of error messages where the length check has failed.
checksum-errors           The total number of error messages where the checksum has failed.
not-vlan-dr               The number of messages received for which the current switch is not the designated router.
transmitted-queries       The total number of transmitted MLD queries.
forwarded                 The total number of MLD messages forwarded.

Command History
This command was available in AOS-W 3.3.

Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Enable or Config mode on master and local switches

show ipv6 mld group
show ipv6 mld group

Example
This example displays MLD group details.

(host) #show ipv6 mld group

MLD Group Table
---------------
Group  Members
-----  -------

The output of this command includes the following parameters:

Parameter    Description
Group        Name of MLD groups.
Members      Number of members in an MLD group.

Command History
This command was available in AOS-W 3.3.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Enable or Config mode on master and local switches

show ipv6 mld interface
show ipv6 mld interface
Example
This example displays MLD status on VLANs. To view details for a specific VLAN, you can specify the VLAN ID.

(host) #show ipv6 mld interface

MLD Interface Table
-------------------
VLAN  Addr          Netmask        MAC Address        MLD       Snooping  Querier  Destination
----  ----          -------        -----------        ---       --------  -------  -----------
224   10.224.224.1  255.255.255.0  00:0b:86:f0:20:20  disabled  disabled  ::       CP
1     10.15.44.10   255.255.255.0  00:0b:86:f0:20:20  disabled  disabled  ::       CP
50    156.1.50.1    255.255.255.0  00:0b:86:f0:20:20  disabled  disabled  ::       CP
211   211.1.1.1     255.255.255.0  00:0b:86:f0:20:20  disabled  disabled  ::       CP
51    156.1.51.1    255.255.255.0  00:0b:86:f0:20:20  disabled  disabled  ::       CP
999   99.1.1.2      255.255.255.0  00:0b:86:f0:20:20  disabled  disabled  ::       CP
7     7.7.7.1       255.255.255.0  00:0b:86:f0:20:20  disabled  disabled  ::       CP
170   192.170.1.1   255.255.255.0  00:0b:86:f0:20:20  disabled  disabled  ::       CP

The output of this command includes the following parameters:

Parameter      Description
VLAN           Denotes the VLAN ID.
Addr           IP address of the VLAN interface.
Netmask        Network mask of the VLAN interface IP address.
MAC Address    MAC address of VLAN interface.
MLD            Status of MLD.
Snooping       Status of MLD snooping.
Querier        IPv6 address of the MLD querier for the VLAN.
Destination    Denotes the destination of the MLD messages.

Command History
This command was available in AOS-W 3.3.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Enable or Config mode on master and local switches

show ipv6 neighbors
show ipv6 neighbors
Description
Displays the IPv6 neighbors configured on a VLAN interface.
Usage Guidelines
This command displays the IPv6 neighbors configured on a VLAN interface via the ipv6 neighbor command.
Examples
The example below shows the IPv6 neighbors configured on VLAN 1.

(host) #show ipv6 neighbors vlan 1

IPv6 Neighbors
--------------
IPv6 Address          Age  Link-layer Addr    State      Interface
------------          ---  ---------------    -----      ---------
2cce:205:160:100::fe  -    00:0b:86:61:13:28  PERMANENT  vlan 1

Command History
Introduced in AOS-W 6.1.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Available in Config or Enable mode on master or local switches

show ipv6 ra status
show ipv6 ra status
Description
Displays the IPv6 RA status on the VLAN interfaces.
Usage Guidelines
This command displays the IPv6 RA status on the VLAN interfaces.
Examples
The example below shows the IPv6 RA status on the VLAN interfaces.

(host) #show ipv6 ra status

IPv6 RA Status
--------------
VlanId  State    Prefix(es)
------  -----    ----------
1       enabled  2001:abcd:1234:dead::/64
220     enabled  2200:eab:feed:12::/64
230     enabled  2300:eab:feed::/64
7       enabled  2001:470:faca:2::/64
                 2001:470:faca:3::/64
                 2001:470:faca:4::/64

Command History
Introduced in AOS-W 6.2.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Available in Config or Enable mode on master or local switches

show ipv6 route
show ipv6 route [static]
Description
Displays the Alcatel-Lucent switch IPv6 routing table.
Syntax

Command    Description
static     Include this optional parameter to display only static IPv6 routes.

Usage Guidelines
This command displays static IPv6 routes configured on the switch via the ipv6 route command. Use the ipv6 default-gateway command to set the default gateway to the IPv6 address of the interface on the upstream router or switch to which you connect the switch.
Examples
The examples below show the IPv6 address of routers and the VLANs to which they are connected.

(host) #show ipv6 route
Codes: C - connected, O - OSPF, R - RIP, S - static
       M - mgmt, U - route usable, * - candidate default
Gateway of last resort is 2001::3 to network ::/128 at cost 1
S*   ::/0 [1/0] via 2001::3*
C    2001::/64 is directly connected, VLAN1
C    2010:abcd:1234:dead::/64 is directly connected, VLAN10

(host) #show ipv6 route static
Gateway of last resort is 2001::3 to network ::/128 at cost 1
S*   ::/0 [1/0] via 2001::3*

Command History
Introduced in AOS-W 6.1.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Available in Config or Enable mode on master or local switches

show ipv6 user-table
show ipv6 user-table [authentication-method {dot1x | mac | stateful-dot1x | vpn | web} | bssid <bssid> | debug {rows | unique} | essid <essid-name> | internal {rows} | ip <IPv6-address> | location <ap-group-name> | mac <mac-address> | mobile {bindings | rows | unique | visitors} | name <user-name> | phy-type {a | b} | role <role-name> | rows | station | verbose ]
Description
Displays IPv6 user table entries. You can filter the output based on the parameters described in the table below.
Syntax

Parameter                Description
authentication-method    Displays entries in the IPv6 user-table that match the following authentication methods:
                         - dot1x
                         - mac
                         - stateful-mac
                         - vpn
                         - web
bssid                    Displays entries in the IPv6 user-table that are associated to the specified BSSID.
debug                    Displays entries in the IPv6 user-table that are in debug mode.
essid                    Displays entries in the IPv6 user-table that are associated to the specified ESSID. If the ESSID includes spaces, you must enclose it in quotation marks.
internal                 Displays internal IPv6 users.
ip                       Displays IPv6 users that match the specified IPv6 IP address.
location                 This value refers to the AP-group of the IPv6 client. Use the show aaa state ap-group to get the AP group and the location ID mapping.
mac                      Displays users with the specified MAC address.
mobile                   Displays list of mobile users in the IPv6 user table. The following filters are available for this parameter:
                         - bindings: list of users that have moved away from the current switch.
                         - rows: displays entries that match the specified row number.
                         - unique: displays unique entries in the IPv6 user-table.
                         - visitors: displays users that have associated with the current switch.
name                     Displays IPv6 user table entries that match the specified name.
phy-type                 Displays IPv6 user table entries that match a or b phy-type.
role                     Displays IPv6 user table entries that match the specified role.
rows                     Displays specific rows in the IPv6 user table. Enter the starting row number and the number of rows to be displayed.
station                  Displays the station table information for the IPv6 user table entries.
verbose                  Displays the complete IPv6 user table with all details.

Example
This example displays dot1x-authenticated users in the IPv6 user table.

(host) show ipv6 user-table authentication-method dot1x

Users
-----
IP                                       MAC                Name    Role   Age(d:h:m)  Auth    VPN link  AP name            Roaming   Essid/Bssid/Phy             Profile
----------                               ------------       ------  ----   ----------  ----    --------  -------            -------   ---------------             -------
fe80::216:ceff:fe2c:b485                 00:16:ce:2c:b4:85  Wing-A  logon  00:00:06    802.1x            00:0b:86:c1:0e:8c  Wireless  Wing-A/00:0b:86:90:e8:c0/g  default-dot1x
2003:d81f:f9f0:1001:617c:9151:6d25:f754  00:16:ce:2c:b4:85  Wing-A  logon  00:00:06    802.1x            00:0b:86:c1:0e:8c  Wireless  Wing-A/00:0b:86:90:e8:c0/g  default-dot1x

The output of this command includes the following parameters:

Parameter          Description
IP                 IP address of the client in that row that is authenticating using dot1x.
MAC                MAC address of the client.
Name               Name of the client.
Role               The role assigned to the client.
Age (d:h:m)        Total time that client is connected to switch.
Auth               Authentication type.
AP name            Name of the AP associated with the client.
Roaming            Current roaming status of the client.
Essid/Bssid/Phy    ESSID/BSSID/Phy to which the client is associated.
Profile            Displays the AAA profile.

Command History
This command was available in AOS-W 3.3.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Enable or Config mode on master and local switches

show keys
show keys [all]
Description
Show whether optional keys and features are enabled or disabled on the switch.
Syntax

Parameter    Description
all          Include this optional parameter to display the status of all optional keys and features. If this parameter is omitted, the output displays the status of the most commonly used features and keys.

Example
The following example displays the status of the most commonly used keys and features on the switch.

(host) #show keys

Licensed Features
-----------------
Feature                                             Status
-------                                             ------
Access Points                                       64
Remote Access Points                                64
Outdoor Mesh Access Points                          64
RF Protect                                          64
Voice Service Module                                Unlimited
VPN Server Module                                   512
xSec Module                                         96
Next Generation Policy Enforcement Firewall Module  64
Advanced Cryptography                               2024
Service provider AP                                 0
RF Protect                                          ENABLED
Policy Enforcement Firewall                         ENABLED
Remote APs                                          ENABLED
External Services Interface                         ENABLED
Client Integrity Module                             ENABLED
VPN Server                                          ENABLED
Wired 802.1X                                        ENABLED
xSec Module                                         ENABLED
MMC AP                                              DISABLED
Netgear AP                                          DISABLED
Voice Services Module                               ENABLED
Mesh Point APs                                      ENABLED
AP Developers Module                                DISABLED
Power Over Ethernet                                 ENABLED
Internal Test Functions                             DISABLED
Public Access                                       ENABLED
Policy Enforcement Firewall for VPN users           ENABLED
Advanced Cryptography                               ENABLED
Service Provider Access Point                       DISABLED
L2/L3 Switching                                     DISABLED
Maritime Regulatory Domain                          ENABLED


Related Commands
To view the license usage database (including the license key strings), use the command show license.
Command History
This command was available in AOS-W 1.0.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Enable and Config mode on local and master switches

AOS-W 6.2 | Reference Guide

show keys | 1127

show lacp
show lacp <group_number> {counters | internal | neighbor}
Description
View the LACP configuration status.
Syntax

Parameter       Description
<group_number>  Enter the Link aggregation group number. Range: 0-7
counters        Enter the keyword counters to view the LACP traffic.
internal        Enter the keyword internal to view the LACP internal information.
neighbor        Enter the keyword neighbor to view the LACP neighbor information.

Example
The port uses the group number +1 as its "actor admin key". By default, all the ports use the long timeout value (90 seconds).

(Host)#show lacp 0 neighbor
Flags: S - Device is requesting Slow LACPDUs
       F - Device is requesting fast LACPDUs
       A - Device is in active mode P - Device is in passive mode

Partner's information
---------------------
Port    Flags  Pri   OperKey  State  Num   Dev Id
----    -----  ----  -------  -----  ----  ----------------
FE 1/1  SA     1     0x10     0x45   0x5   00:0b:86:51:1e:70
FE 1/2  SA     1     0x10     0x45   0x6   00:0b:86:51:1e:70

When a port in a LAG is misconnected (that is, the partner device is different than the other ports, or the neighborship times out or cannot exchange LACPDUs with the partner), the port status is displayed as "DOWN" (see the following example).

(Host)#show lacp 0 internal
Flags: S - Device is requesting Slow LACPDUs
       F - Device is requesting fast LACPDUs
       A - Device is in active mode P - Device is in passive mode

Port    Flags  Pri   AdminKey  OperKey   State  Num   Status
----    -----  ----  --------  --------  -----  ----  -------
FE 1/1  SA     1     0x1       0x1       0x45   0x2   DOWN
FE 1/2  SA     1     0x1       0x1       0x45   0x3   UP

The "counters" option allows you to view LACP received (Rx) traffic, transmitting (Tx) traffic, data units (DU) received and transmitted by port.

(Host)#show lacp 0 counters
Port    LACPDUTx  LACPDURx  MarkrTx  MarkrRx   MrkrRspTx  MrkrRspRx
----    --------  --------  -------  --------  ---------  ---------
FE 1/1  10        10        0        0         0          0
FE 1/2  12        12        0        0         0          0

Related Command

Command                      Description
lacp group                   Enable LACP and configure on the interface
show interface port-channel  View information on a specified port-channel interface
show lacp sys-id             View the LACP system ID information

Command History
Release AOS-W 3.4.1

Modification Command introduced

Command Information

Platform All Platforms

Licensing Base operating system

Command Mode
Enable and Configuration modes for Master and Local switches


show lacp sys-id
show lacp sys-id
Description
View the LACP system MAC address and port priority.
Example
This command returns the port priority and the MAC address (comma separated). In the example below, the port priority is the default value 32768 followed by the MAC address 00:0B:86:40:37:C0.
(Host)#show lacp sys-id
32768,00:0B:86:40:37:C0

Related Commands

Command                      Description
lacp group                   Enable LACP and configure on the interface
lacp port-priority           Configure the LACP port priority
show lacp                    View the LACP configuration status
show interface port-channel  View information on a specified port channel interface

Command History
Release AOS-W 3.4.1

Modification Command introduced

Command Information

Platform All Platforms

Licensing Base operating system

Command Mode
Enable and Configuration modes (config) for Master and Local switch


show lcd-menu
show lcd-menu

Description
Displays the current LCD Menu configuration.

Syntax
None.

Example

An example output of the show lcd-menu command.

lcd-menu
--------
Parameter                                  Value
---------                                  -----
menu maintenance upgrade-image partition0  enabled
menu maintenance upgrade-image partition1  enabled
menu maintenance upgrade-image             enabled
menu maintenance upload-config             enabled
menu maintenance factory-default           enabled
menu maintenance media-eject               enabled
menu maintenance reload-system             enabled
menu maintenance halt-system               enabled
menu maintenance                           enabled
menu                                       enabled

Related Commands

Command History

Release AOS-W 6.2

Modification Command introduced.

Command Information

Platforms OAW-4x50

Licensing Base operating system

Command Mode
Config mode on local and master switches


show license
show license [limits]
Description
Displays the license table.
Syntax

Parameter  Description
limits     Enter the keyword limits to display the current license limits.

Example
An example output of the show license command.

(host) # show license

License Table ------------Key --x7kbiBm5-3jI5MiBY-HVTAH/ci-llxPiKBV-dY8QGBMg-240 1024
itY24Hca-HSQlvJhi-yZtW6RB7-HGuBXzIq-N6hd6TNV-nZk 128
oqdLOxZ6-+FS5DT2P-iNmtvc3o-NFyasYrO-ixGUrszE-4uo 128
GIleLrCX-d8lxt3z5-vQC50n60-f31amOxu-Rf0uEoTn-qXQ 128
ldsXG7ik-pj/HVm4t-Qt3541UC-3wzC+Efj-yn08g/HF-/Dg 128
sJvaPL88-gWDdlMpj-LZMZ2YKK-2fU8NV6l-XIH4wRk8-44I
QtemJpLj-Qm5D9WvK-8c9lbaL6-t2nU6/Pj-LSNd00FZ-tJo
WNx6RasB-Qn9YVZ+5-giraq0Uy-aoIqS3as-FXmFh5dY-cSs 1024
u/GdQHWa-m4bzUCMC-ydMsWTif-hDMDajyB-qAlIMwnN-pGM Enforcement Firewall for VPN users
F9dGNdjV-EmwLhqlI-oKMQQepZ-b9Jl3OB2-HQjwmc+r-vhI Policy Enforcement Firewall Module: 128
License Entries: 11

Installed --------2010-01-21
21:00:22 2010-01-21
21:01:03 2010-01-21
21:01:13 2010-01-21
21:01:22 2010-01-21
21:01:3 2010-05-05 08:51:57 2010-05-05 08:52:07 21:18:55 2010-01-21
21:20:56 2010-01-25
18:44:19 2010-01-25
18:44:19

Expires ------Never Never Never Never Never Never Never
Never Never Never

Flags -----
E E E E E E E E E

Service Type ------- ----Access Points: 120abg Upgrade: 121abg Upgrade: 124abg Upgrade: 125abg Upgrade: RF Protect: 512 RF Protect: 1024
xSec Module: Policy Next Generation

Flags: A - auto-generated; E - enabled; R - reboot required to activate

The output of this command includes the following data columns:


Parameter     Description
Key           The license key.
Installed     The license installation date and time.
Expires       The date that your evaluation license expires is listed in this column. Permanent licenses will always have a "Never" in this column. Expired evaluation licenses will also be indicated in this column.
Flags         This column displays some status about your license. The legend for this column appears at the bottom of the display output. They are:
              A: The license is auto-generated.
              E: The license is fully enabled.
              R: You must reboot your switch to fully enable this license.
Service Type  The license name (feature).

Related Commands
To view additional statistics for license key usage, use the command show keys.
Command History

Release    Modification
AOS-W 1.0  Command introduced.
AOS-W 3.4  Verbose parameter was deprecated. This command now displays the entire license key by default.

Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Config mode on local and master switches


show license-usage
show license-usage acr | ap | user | xsec
Description
Display license usage information.
Syntax

Parameter  Description
acr        Show ACR license usage.
ap         Show AP license usage information.
user       Show Policy Enforcement Firewall (PEF) user license usage.
xsec       Show Extreme Security (xSec) user and tunnel license usage.

Examples
The following example displays the user license usage.

(host) #show license-usage user

User License Usage
------------------
Name               Value
----               -----
License Limit      2048
License Usage      12
License Available  2036
License Exceeded   0

The AP license usage is displayed below:

(host) #show license-usage acr

AP Licenses
-----------
Type                      Number
----                      ------
AP Licenses               128
RF Protect Licenses       128
PEF Licenses              128
Overall AP License Limit  128

AP Usage
--------
Type             Count
----             -----
CAPs             0
RAPs             0
Remote-node APs  0
Tunneled nodes   0
Total APs        0

Remaining AP Capacity
---------------------
Type  Number
----  ------
CAPs  32
RAPs  128

Command History

Release    Modification
AOS-W 3.0  Command Introduced.
AOS-W 3.3  The following parameters were introduced in the output of show license-usage ap.
           - Total 802.11n-120abg Licenses
           - 802.11n-120abg Licenses Used
           - Total 802.11n-121abg Licenses
           - 802.11n-121abg Licenses Used
           - Total 802.11n-124abg Licenses
           - 802.11n-124abg Licenses Used
           - Total 802.11n-125abg Licenses
           - 802.11n-125abg Licenses Used
AOS-W 5.0  Deprecated the option "vpn"
AOS-W 6.1  Added option for ACR license
AOS-W 6.2  The output of the show license-usage ap and show license-usage user commands was reorganized to reflect the newest license scheme.

Command Information

Platforms All platforms

Licensing
Base operating system. The output of this command varies, according to the licenses currently installed on the switch.

Command Mode
Enable or Config mode on master switches


show local-userdb-ap
show local-userdb-ap mac-address <macaddr> start <offset>
Description
View detailed information for the obsolete RAP whitelist database used in AOS-W 6.1 and earlier.
Syntax

Parameter              Description
mac-address <macaddr>  MAC address of the remote AP to be removed from the Remote AP Whitelist table.
start <offset>         Start displaying the table at the specified record in the database.

Usage Guidelines
When you upgrade from AOS-W 5.0-6.1 to AOS-W 6.2 or later, the remote AP whitelist table will automatically move from the legacy Remote AP whitelist to the newer Remote AP whitelist. Issue the show local-userdb-ap command to view and troubleshoot any AP entries that did not properly move to the new table during the upgrade procedure. In the example below, the command output has been divided into two tables to fit on a single page of this document. In the command-line interface, this output would appear in a single, wide table.

(host) #show local-userdb-ap

AP-entry Details ----------------

Name ---00:0b:86:c3:58:38 00:0b:86:66:01:aa anymore 00:1a:1e:c0:1b:e0 00:0b:86:66:03:3f 00:0b:86:66:02:09

AP-Group -------local default
default default default

AP-Name ------chuck rap2
00:1a:1e:c0:1b:e0 rap 00:0b:86:66:02:09

Full-Name --------chuck moscato
moscato-rap

Authen-Username --------------naveen
naveen INDIAQA\naveen

Revoke-Text -----------
AP is not valid

AP_Authenticated ---------------Authenticated Provisioned Authenticated Authenticated Provisioned

Description -----------

Date-Added ---------Thu Mar 5 21:25:36 2009 Thu Mar 5 21:25:49 2009 Wed Mar 4 20:16:16 2009 Tue May 19 07:53:29 2009 Fri May 8 10:37:40 2009

Enabled ------Yes No Yes Yes Yes

AP Entries: 5

The output of this command includes the following information:


Parameter         Description
Name              MAC address of the AP.
AP-Group          Name of the AP group to which the AP has been assigned.
AP-name           Name of the AP. If no name has been specified, this column will display the AP's MAC address.
Full-name         Text string used to identify the AP. This field often describes the AP's user, and corresponds to the User Name field in the RAP whitelist in the WebUI.
Authen-Username   User name of the user who authenticated the remote AP. This is related to the zero touch authentication feature, as a user needs to authenticate an AP before it gets its complete configuration. Before the AP is authenticated, it is given a restricted configuration to allow users to perform captive portal authorization via the remote AP's ENET ports to authenticate the remote AP. The username used during captive portal authentication will be stored in this field. This cannot be added manually when creating a local-userdb-ap entry.
Revoke-Text       The command local-userdb-ap revoke includes an optional revoke-comment parameter that allows network administrators to explain why the AP was revoked. If an AP is revoked, and a revoke comment entered, this text appears in the revoke-text column in the show local-userdb-ap command. When a local DB entry is reenabled via the command local-userdb-ap modify mac-addr mode enable, this field is cleared.
AP_Authenticated  This column indicates the authorization status of the AP. An AP can either be Authenticated or Provisioned. Remote APs that do not support certificate-based provisioning will always display a Provisioned status. Remote APs that support certificate-based provisioning can display either an Authenticated or Provisioned status, depending on their configuration and authentication status.
                  - If the remote AP has a defined AP authorization profile, the remote AP will be in a "Provisioned" state with a limited configuration until it is authenticated. After the remote AP has been authenticated, it will be in an "Authenticated" state.
                  - If the remote AP does not have a defined AP authorization profile, the remote AP will be in a "Provisioned" state, but will still receive the full configuration assigned to that AP and its AP group.
Description       A text string used to further identify the remote AP.
Date-Added        Date and time that the AP was added to the local user database.
Enabled           This column shows if the entry in the database is enabled or disabled. Database entries can be enabled or disabled using the CLI commands:
                  local-userdb-ap {add|modify} mac-address <mac-addr> mode {enable|disable}
                  and
                  local-userdb-ap revoke mac-address <mac-addr>

Related Commands

Command local-userdb-ap del

Description
Delete Remote AP entries from the obsolete remote AP whitelist table.
Add, delete, modify or revoke remote AP entries in the current remote AP whitelist table.


Command History
Release    Modification
AOS-W 5.0  Command introduced.
AOS-W 6.2  Command replaced by show whitelist-db rap.


show local-userdb-guest
show local-userdb-guest
Description
Shows information about guest accounts in the local user database.
Syntax

Parameter           Description
maximum-expiration  How long the account is valid, in minutes, in the internal database.
<offset>            The user account record's location (by number) as it is listed in the database.
<page_size>         The number of user account records that display on one page.

Usage Guidelines
Issue this command without any parameters to display a general overview of guest accounts in the database. Use the maximum-expiration parameter to show how long the account is valid for in minutes. Use the start <offset> page <page_size> parameters to control which guest account records in the database display initially and the number of account records displayed on a page.
Example
This example shows the basic summary of user accounts in the database.

(host) #show local-userdb-guest maximum-expiration start 5 page 4

local-userdb-guest maximum-expiration 90

Guest UserSummary
-----------------
Name           Password  Role   E-Mail  Enabled  Expiry  Status  Sponsor-Name  Grantor-Name
----           --------  ----   ------  -------  ------  ------  ------------  ------------
guest-0657984  ********  guest          Yes              Active                admin
guest-8330301  ********  guest          Yes              Active                admin
guest-5433352  ********  guest          Yes              Active                admin
guest-3469360  ********  guest          Yes              Active                admin

User Entries: 11

The output of this command includes the following parameters:

Parameter     Description
Name          Name of the user.
Password      The user's password.
Role          Role for the user. This role takes effect when the internal database is specified in a server group profile with a server derivation rule. If there is no server derivation rule configured, then the user is assigned the default role for the authentication method.
E-mail        Shows the email address of the user account.
Enabled       Shows whether the account is enabled or disabled.
Expiry        Shows the expiration date for the user account. If this is not set, the account does not expire.
Status        Shows whether the profile has enabled or disabled the ability to use the HTTP protocol to redirect users to the captive portal page.
Sponsor-Name  Shows the sponsor's name.
Grantor-Name  Shows the grantor's name.
User Entries  Shows the number of user accounts in the database.

Related Commands

Command                 Description                                                                                 Mode
local-userdb add        Use this command to configure the parameters displayed in the output of this show command.  Enable and Config modes
local-userdb-guest add  Use this command to configure parameters for a guest user account.                          Enable and Config modes

Command History
Release    Modification
AOS-W 3.0  Command introduced
AOS-W 3.4  The Expiry, Status, Sponsor-name and Grantor-name were introduced.

Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Enable or config mode on master and local switches


show local-userdb-remote-node
show local-userdb-remote-node mac-address <mac-addr> start <offset>
Description
The output of this command lists the MAC address and assigned Remote Node profile for each Remote Node Controller associated with that Remote Node Controller master.
Syntax

Parameter              Description
mac-address <macaddr>  How long the account is valid, in minutes, in the internal database.
start                  The user account record's location (by number) as it is listed in the database.
<page_size>            The number of user account records that display on one page.

Usage Guidelines
If your network includes multiple Remote Node Controller-masters under a single master switch, the output of this command shows all Remote Node Controllers and Remote Node Controller-masters on the network. By default, this command displays all entries in the whitelist. To display only part of the Remote Node Controller whitelist, include the start <offset> parameters to start displaying the Remote Node Controller whitelist at the specified entry value. You can also include the optional mac-address <mac-addr> parameters to display values for a single Remote Node Controller entry.
Example
This example shows the basic summary of user accounts in the database.

(host) #show local-userdb-remote-node mac-address 00:16:CF:AF:3E:E1

Remote-Node-entry Details
-----------------
Name               Remote-Node-Profile
----               -----------
00:16:cf:af:3e:e1  Myremotenode

Remote-Node Entries: 1

The output of this command includes the following parameters:

Parameter                       Description
Name                            MAC address of the Remote Node Controller.
remote-node profile             Name of the Remote Node Controller profile.
Remote Node Controller Entries  Number of Remote Node Controller entries on this switch.


Related Commands
Command              Description                                                                       Mode
remote-node-profile  The remote-node-profile command lets you create a Remote Node Controller profile.  Config mode

Command History
Release AOS-W 6.0

Modification Command introduced

Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Enable mode on master and local switches


show local-userdb
show local-userdb {[maximum-expiration][start <offset> page <page_size>]}
Description
Shows information about user's accounts in the local user database.
Syntax

Parameter           Description
maximum-expiration  How long the account is valid, in minutes, in the internal database.
<offset>            The user account record's location (by number) as it is listed in the database.
<page_size>         The number of user account records that display on one page.

Usage Guidelines
Issue this command without any parameters to display a general overview of user's accounts in the database. Use the maximum-expiration parameter to show how long the account is valid for in minutes. Use the start <offset> page <page_size> parameters to control which user account records in the database display initially and the number of account records displayed on a page.
Example
This example shows the basic summary of user accounts in the database.

(host) #show local-userdb maximum-expiration start 5 page 4

local-userdb maximum-expiration 90

User Summary
------------
Name           Password  Role   E-Mail  Enabled  Expiry  Status  Sponsor-Name  Grantor-Name
----           --------  ----   ------  -------  ------  ------  ------------  ------------
guest-0657984  ********  guest          Yes              Active                admin
guest-8330301  ********  guest          Yes              Active                admin
guest-5433352  ********  guest          Yes              Active                admin
guest-3469360  ********  guest          Yes              Active                admin

User Entries: 11

The output of this command includes the following parameters:

Parameter     Description
Name          Name of the user.
Password      The user's password.
Role          Role for the user. This role takes effect when the internal database is specified in a server group profile with a server derivation rule. If there is no server derivation rule configured, then the user is assigned the default role for the authentication method.
E-mail        Shows the email address of the user account.
Enabled       Shows whether the account is enabled or disabled.
Expiry        Shows the expiration date for the user account. If this is not set, the account does not expire.
Status        Shows whether the profile has enabled or disabled the ability to use the HTTP protocol to redirect users to the captive portal page.
Sponsor-Name  Shows the sponsor's name.
Grantor-Name  Shows the grantor's name.
User Entries  Shows the number of user accounts in the database.

Related Commands
Command                 Description                                                                                 Mode
local-userdb add        Use this command to configure the parameters displayed in the output of this show command.  Enable and Config modes
local-userdb-guest add  Use this command to configure parameters for a guest user account.                          Enable and Config modes

Command History
Release    Modification
AOS-W 3.0  Command introduced
AOS-W 3.4  The Expiry, Status, Sponsor-name and Grantor-name were introduced.

Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Enable or config mode on master and local switches


show local-userdb username
show local-userdb username <name>
Description
Shows information about a specific user account in the internal switch database.
Usage Guidelines
Issue this command to display an overview of a particular user account in the database.
Example
This example shows the basic summary of a user account Paula in the database.

(host) #show local-userdb username Paula

User Summary
------------
Name   Password  Role   E-Mail  Enabled  Expiry  Status    Sponsor-Name  Grantor-Name
----   --------  ----   ------  -------  ------  ------    ------------  ------------
paula  ********  guest          Yes              Inactive                admin

User Entries: 1

Command History
Release AOS-W 3.0

Modification Command introduced

Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Enable or config mode on master and local switches


show localip
show localip

Description
Displays the IP address and VPN shared key between master and local.

Syntax
No parameters.

Example
The output of this command shows the switch's IP address and shared key between master and local switches.

(host) # show localip

Local Switches configured by Local Switch IP
---------------------------------------------
Switch IP address of the Local  Key
------------------------------  ---
0.0.0.0                         ********

Command History
This command was available in AOS-W 3.0

Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Config or Enable mode on master or local switches


show log all
show log all [<number>]
Description
Show the switch's full log.
Syntax

Parameter  Description
<number>   Start displaying the log output from the specified number of lines from the end of the log.

Example
This example shows the ten most recent log entries for the switch.

(host) #show log all 10

Mar 3 13:26:20 localdb[567]: <133006> <ERRS> |localdb| User admin Failed Authentication
Mar 3 13:26:20 localdb[567]: <133006> <ERRS> |localdb| User admin Failed Authentication
Mar 3 13:26:20 localdb[567]: <133019> <ERRS> |localdb| User admin was not found in the database
Mar 3 13:26:20 localdb[567]: <133019> <ERRS> |localdb| User admin was not found in the database
Mar 3 13:46:54 fpcli: USER: admin connected from 10.100.100.66 has logged out.
Mar 3 13:57:53 fpcli: USER: admin has logged in from 10.100.100.66.
Mar 3 13:57:53 localdb[567]: <133006> <ERRS> |localdb| User admin Failed Authentication
Mar 3 13:57:53 localdb[567]: <133006> <ERRS> |localdb| User admin Failed Authentication
Mar 3 13:57:53 localdb[567]: <133019> <ERRS> |localdb| User admin was not found in the database
Mar 3 13:57:53 localdb[567]: <133019> <ERRS> |localdb| User admin was not found in the database

Command History
This command was introduced in AOS-W 3.4.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode Available in Enable and Config modes.


show log ap-debug
show log ap-debug{[<number>][all]}
Description
Show the switch's AP debug logs.
Syntax

Parameter  Description
<number>   Start displaying the log output from the specified number of lines from the end of the log.
all        Shows all the AP debug logs for the switch.

Example
This example shows the ten most recent AP debug logs for the switch.
(host) #show log ap-debug 10

Nov 24 20:54:24 KERNEL(AP39@10.6.1.21): Copyright (c) 2005-2006 Atheros Communications, Inc. All Rights Reserved
Nov 24 20:54:24 KERNEL(AP39@10.6.1.21): wifi0: Base BSSID 00:1a:1e:25:97:d0, 16 available BSSID(s)
Nov 24 20:54:24 KERNEL(AP39@10.6.1.21): edev->dev_addr=00:1a:1e:ca:59:7c
Nov 24 20:54:24 KERNEL(AP39@10.6.1.21): wifi1: Base BSSID 00:1a:1e:25:97:c0, 16 available BSSID(s)
Nov 24 20:54:24 KERNEL(AP39@10.6.1.21): edev->dev_addr=00:1a:1e:ca:59:7c
Nov 24 20:54:24 KERNEL(AP39@10.6.1.21): ^H<6>Ethernet Channel Bonding Driver: v3.0.1 (January 9, 2006)
Nov 24 20:54:24 KERNEL(AP39@10.6.1.21): secure_jack_link_state_change: Error finding device eth0
Nov 24 20:54:25 KERNEL(AP39@10.6.1.21): Kernel watchdog refresh ended.

Command History
This command was available in AOS-W 3.0.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode Available in Enable and Config modes.


show log bssid-debug
show log bssid-debug{[<number>][all]}
Description
A Basic Service Set Identifier (BSSID) uniquely defines each wireless client and Wireless Broadband Router. This command shows the switch's BSSID debug logs.
Syntax

Parameter  Description
<number>   Start displaying the log output from the specified number of lines from the end of the log.
all        Shows all the BSSID debug logs for the switch.

Command History
This command was available in AOS-W 3.0.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode Available in Enable and Config modes


show log errorlog
show log errorlog{[<number>][all]}
Description
Show the switch's system errors and other critical information.
Syntax

Parameter  Description
<number>   Start displaying the log output from the specified number of lines from the end of the log.
all        Shows all the error logs for the switch.

Example
This example shows the ten most recent system log errors.
(host) #show log errorlog 10

Mar 5 10:30:34 <sapd 106007> <ERRS> |AP 1.1.1@10.3.49.253 sapd| AM 00:0b:86:a2:e7:40: Rogue AP detected with SSID cto-dnh-blah, BSSID 00:0b:86:b5:86:c0, Wired MAC 00:0b:86:02:ee:00, and IP 10.3.49.254
Mar 5 10:31:39 <sapd 404080> <ERRS> |AP 1.1.1@10.3.49.253 sapd| AM 00:0b:86:a2:e7:40: ADHOC network detected with Src 00:13:ce:45:91:a0, BSSID 02:13:ce:2d:37:50, ESSID adhoc_ap70 Channel 11 and RSSI 22
Mar 5 10:32:12 <sapd 106007> <ERRS> |AP 1.1.1@10.3.49.253 sapd| AM 00:0b:86:a2:e7:40: Rogue AP detected with SSID cto-dnh-blah, BSSID 00:0b:86:b5:86:c0, Wired MAC 00:0b:86:02:ee:00, and IP 10.3.49.254
Mar 5 10:32:46 <sapd 106007> <ERRS> |AP 1.1.1@10.3.49.253 sapd| AM 00:0b:86:a2:e7:40: Rogue AP detected with SSID cto-dnh-blah, BSSID 00:0b:86:b5:86:c0, Wired MAC 00:0b:86:02:ee:00, and IP 10.3.49.254
Mar 5 10:40:32 <localdb 133019> <ERRS> |localdb| User admin was not found in the database
Mar 5 10:40:32 <localdb 133006> <ERRS> |localdb| User admin Failed Authentication
Mar 5 10:41:10 <sapd 106007> <ERRS> |AP 1.1.1@10.3.49.253 sapd| AM 00:0b:86:a2:e7:40: Rogue AP detected with SSID sw-rlo-open, BSSID 00:0b:86:c9:9e:20, Wired MAC 00:00:00:00:00:00, and IP 0.0.0.0
Mar 5 10:41:31 <sapd 106007> <ERRS> |AP 1.1.1@10.3.49.253 sapd| AM 00:0b:86:a2:e7:40: Rogue AP detected with SSID QA_MARORA_VOCERA, BSSID 00:0b:86:c9:9e:21, Wired MAC 00:0b:86:02:ee:00, and IP 10.3.49.254
Mar 5 10:48:01 <sapd 404080> <ERRS> |AP 1.1.1@10.3.49.253 sapd| AM 00:0b:86:a2:e7:40: ADHOC network detected with Src 00:13:ce:45:d9:4d, BSSID 02:13:ce:28:40:48, ESSID adhoc_ap70 Channel 11 and RSSI 8
Mar 5 11:04:21 <sapd 404080> <ERRS> |AP 1.1.1@10.3.49.253 sapd| AM 00:0b:86:a2:e7:40: ADHOC network detected with Src 00:13:ce:45:d9:4d, BSSID 02:13:ce:2d:37:50, ESSID adhoc_ap70 Channel 11 and RSSI 9

Command History
This command was available in AOS-W 3.0.


Command Information

Platforms All platforms

Licensing Base operating system

Command Mode Available in Enable and Config modes.


show log essid-debug
show log essid-debug{[<number>][all]}
Description
Show the switch's ESSID debug logs. An Extended Service Set Identifier (ESSID) is used to identify the wireless clients and Wireless Broadband Routers in a WLAN. All wireless clients and Wireless Broadband Routers in the WLAN must use the same ESSID.
Syntax

Parameter  Description
<number>   Start displaying the log output from the specified number of lines from the end of the log.
all        Shows all the ESSID debug logs for the switch.

Command History
This command was available in AOS-W 3.0.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode Available in Enable and Config modes.


show log network
show log network{[<number>][all]}
Description
Show the switch's system network errors.
Syntax

Parameter  Description
<number>   Start displaying the log output from the specified number of lines from the end of the log.
all        Shows all the network logs for the switch.

Example
This example shows the switch's recent network log errors.
(host) #show log network all
Feb 17 14:47:14 :209801: <WARN> |fpapps| Physical link down: port 1/1
Feb 17 14:48:04 :209801: <WARN> |fpapps| Physical link down: port 1/1

Command History
This command was available in AOS-W 3.0.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode Available in Enable and Config modes.


show log security
show log security{[<number>][all]}
Description
Show the switch's security logs.
Syntax

Parameter  Description
<number>   Start displaying the log output from the specified number of lines from the end of the log.
all        Shows all the security logs for the switch.

Example
This example shows the switch's last seven security logs.
(host) #show log security 7
Mar 5 11:53:43 :124004: <DBUG> |authmgr| Local DB auth failed for user admin, error (User not found in UserDB)
Mar 5 11:53:43 :124003: <INFO> |authmgr| Authentication result=Authentication failed(1), method=Management, server=Internal, user=10.100.100.66
Mar 5 11:53:43 :124004: <DBUG> |authmgr| Auth server 'Internal' response=1
Mar 5 11:53:43 :125027: <DBUG> |aaa| mgmt-auth: admin, failure, , 0
Mar 5 11:53:43 :125024: <NOTI> |aaa| Authentication Succeeded for User admin, Logged in from 10.100.100.66 port 1778, Connecting to 10.3.49.100 port 22 connection type SSH
Mar 5 11:53:58 :103060: <DBUG> |ike| ipc.c:ipc_get_cfgm_role:2826 Sending REQUEST for CFGM Role
Mar 5 11:53:58 :103060: <DBUG> |ike| ipc.c:get_local_cfg_trigger_ike:2653 IKE got trigger from CFGM : state :3

Command History
This command was available in AOS-W 3.0.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode Available in Enable and Config modes.
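
The log layouts shown in the show log errorlog and show log security examples can be parsed for triage of failed management logins and rogue AP detections. The following Python code is an added example, not part of the AOS-W documentation or software: the names parse_line and summarize are hypothetical, the regular expressions are inferred only from the sample output on this page, and the sample lines are copied from those examples.

```python
import re
from collections import Counter

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"

# Two layouts appear in the examples on this page (inferred, not a vendor spec):
#   show log security/system/...: Mar 5 11:53:43 :124003: <INFO> |authmgr| text
#   show log errorlog:            Mar 5 10:40:32 <localdb 133006> <ERRS> |localdb| text
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?::(?P<id_a>\d+):|<\S+ (?P<id_b>\d+)>) "
    r"<(?P<sev>[A-Z]+)> "
    r"\|(?P<proc>[^|]+)\| ?"
    r"(?P<msg>.*)$"
)

# Message patterns taken from the sample output on this page.
LOCALDB_FAIL_RE = re.compile(r"^User (?P<user>\S+) Failed Authentication$")
AUTH_RESULT_RE = re.compile(
    r"^Authentication result=Authentication failed\(\d+\), .*\buser=(?P<user>\S+)$"
)
# The SSID is free text set by the detected AP, so the fixed trailing fields
# are anchored at the end of the message rather than at the first ", BSSID ".
ROGUE_RE = re.compile(
    r"Rogue AP detected with SSID (?P<ssid>.*), BSSID (?P<bssid>" + MAC + r"), "
    r"Wired MAC " + MAC + r", and IP [0-9.]+$"
)

# Sample lines copied from the errorlog and security examples on this page,
# plus a CLI prompt line that must be counted as unparsed, not as an event.
SAMPLE_LINES = [
    "(host) #show log security 7",
    "Mar 5 10:30:34 <sapd 106007> <ERRS> |AP 1.1.1@10.3.49.253 sapd| AM 00:0b:86:a2:e7:40: Rogue AP detected with SSID cto-dnh-blah, BSSID 00:0b:86:b5:86:c0, Wired MAC 00:0b:86:02:ee:00, and IP 10.3.49.254",
    "Mar 5 10:32:12 <sapd 106007> <ERRS> |AP 1.1.1@10.3.49.253 sapd| AM 00:0b:86:a2:e7:40: Rogue AP detected with SSID cto-dnh-blah, BSSID 00:0b:86:b5:86:c0, Wired MAC 00:0b:86:02:ee:00, and IP 10.3.49.254",
    "Mar 5 10:40:32 <localdb 133019> <ERRS> |localdb| User admin was not found in the database",
    "Mar 5 10:40:32 <localdb 133006> <ERRS> |localdb| User admin Failed Authentication",
    "Mar 5 10:41:10 <sapd 106007> <ERRS> |AP 1.1.1@10.3.49.253 sapd| AM 00:0b:86:a2:e7:40: Rogue AP detected with SSID sw-rlo-open, BSSID 00:0b:86:c9:9e:20, Wired MAC 00:00:00:00:00:00, and IP 0.0.0.0",
    "Mar 5 11:53:43 :124003: <INFO> |authmgr| Authentication result=Authentication failed(1), method=Management, server=Internal, user=10.100.100.66",
    "Mar 5 11:53:43 :125024: <NOTI> |aaa| Authentication Succeeded for User admin, Logged in from 10.100.100.66 port 1778, Connecting to 10.3.49.100 port 22 connection type SSH",
]


def parse_line(line):
    """Return the fields of one log entry, or None if the line is not an entry."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return {
        "timestamp": m.group("ts"),  # the log carries no year
        "msg_id": m.group("id_a") or m.group("id_b"),
        "severity": m.group("sev"),
        "process": m.group("proc").strip(),
        "message": m.group("msg").strip(),
    }


def summarize(lines):
    """Count severities, failed authentications per user field, and rogue APs."""
    summary = {
        "severity": Counter(),
        "auth_failures": Counter(),
        "rogue_aps": Counter(),
        "unparsed": 0,
    }
    for line in lines:
        if not line.strip():
            continue
        entry = parse_line(line)
        if entry is None:
            summary["unparsed"] += 1
            continue
        summary["severity"][entry["severity"]] += 1
        msg = entry["message"]
        failed = LOCALDB_FAIL_RE.match(msg) or AUTH_RESULT_RE.match(msg)
        if failed:
            summary["auth_failures"][failed.group("user")] += 1
        rogue = ROGUE_RE.search(msg)
        if rogue:
            summary["rogue_aps"][(rogue.group("ssid"), rogue.group("bssid"))] += 1
    return summary


if __name__ == "__main__":
    result = summarize(SAMPLE_LINES)
    for key, value in result.items():
        print(key, dict(value) if isinstance(value, Counter) else value)
```

In the sample security log the user= field of message 124003 holds the client IP address rather than a user name, so failures are keyed on whatever that field contains.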


show log system
show log system{[<number>][all]}
Description
Show the switch's system logs.
Syntax

Parameter  Description
<number>   Start displaying the log output from the specified number of lines from the end of the log.
all        Shows all the system logs for the switch.

Example
This example shows the switch's last ten system logs.
(host) #show log system 10
Mar 5 11:55:59 :316073: <DBUG> |wms| Received New AP Message: AP 00:0b:86:b5:87:c2 Status 1 Num-WM 0
Mar 5 11:55:59 :316083: <DBUG> |wms| mysql: UPDATE ap_table SET ssid='qa-abu-customerissue', current_channel='11', type='generic-ap', ibss='no', phy_type='80211g', rap_type='interfering', match_mac='00:00:00:00:00:00', power_level='255', status='up' WHERE id='71575' ;
Mar 5 11:55:59 :316029: <DBUG> |wms| Sending message to Probe: IP:10.3.49.253 MsgType:PROBE_RAP_TYPE AP 00:0b:86:b5:87:c2 Type:1
Mar 5 11:55:59 :316036: <DBUG> |wms| Received New STA Message: MAC 00:0b:86:b5:87:c2 Status 0
Mar 5 11:55:59 :316032: <DBUG> |wms| STA Probe: ADD Probe 00:0b:86:a2:e7:40 for STA 00:0b:86:b5:87:c2
Mar 5 11:56:00 :399814: <DBUG> |fpapps| PoE: RAN THRU ITERATION 2
Mar 5 11:56:00 :326001: <DBUG> |AP 1.1.1@10.3.49.253 sapd| AM: am_read_bss_data_stats: radio 0: pktsIn 0 pktsOut 0 bytesIn 0 bytesOut 0
Mar 5 11:56:00 :326001: <DBUG> |AP 1.1.1@10.3.49.253 sapd| AM: am_read_bss_data_stats: radio 0: pktsIn 0 pktsOut 52107 bytesIn 0 bytesOut 18143486
Mar 5 11:56:01 :326001: <DBUG> |AP 1.1.1@10.3.49.253 sapd| AM: MPPS 2722 CPPS 338 PKTS 452036609 BYTES 2062458092 INTR 334327351
Mar 5 11:56:02 :399814: <DBUG> |fpapps| PoE: Evaluating port 1/5 rv is 0 and crv is 1 state :3

Command History
This command was available in AOS-W 3.0.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode Available in Enable and Config modes.


show log user
show log user{[<number>][all]}
Description
Show the switch's user logs.
Syntax

Parameter  Description
<number>   Start displaying the log output from the specified number of lines from the end of the log.
all        Shows all the user logs for the switch.

Example
This example shows the switch's last ten user logs.
(host) #show log user 10
Mar 5 13:29:57 :501083: <WARN> |stm| Probe request: 00:0b:86:cd:1a:00: Invalid Station MAC address from AP 10.3.49.253-00:0b:86:a2:e7:40-1.1.1
Mar 5 13:32:08 :501083: <WARN> |stm| Probe request: 00:0b:86:cd:1a:00: Invalid Station MAC address from AP 10.3.49.253-00:0b:86:a2:e7:40-1.1.1
Mar 5 13:36:41 :501083: <WARN> |stm| Probe request: 00:0b:86:cd:1a:00: Invalid Station MAC address from AP 10.3.49.253-00:0b:86:a2:e7:40-1.1.1
Mar 5 13:38:42 :501083: <WARN> |stm| Probe request: 00:0b:86:cd:1a:00: Invalid Station MAC address from AP 10.3.49.253-00:0b:86:a2:e7:40-1.1.1
Mar 5 13:40:41 :501083: <WARN> |stm| Probe request: 00:0b:86:cd:1a:00: Invalid Station MAC address from AP 10.3.49.253-00:0b:86:a2:e7:40-1.1.1
Mar 5 13:42:51 :501083: <WARN> |stm| Probe request: 00:0b:86:cd:1a:00: Invalid Station MAC address from AP 10.3.49.253-00:0b:86:a2:e7:40-1.1.1
Mar 5 13:47:03 :501083: <WARN> |stm| Probe request: 00:0b:86:cd:1a:00: Invalid Station MAC address from AP 10.3.49.253-00:0b:86:a2:e7:40-1.1.1
Mar 5 13:49:07 :501083: <WARN> |stm| Probe request: 00:0b:86:cd:1a:00: Invalid Station MAC address from AP 10.3.49.253-00:0b:86:a2:e7:40-1.1.1
Mar 5 13:53:08 :501083: <WARN> |stm| Probe request: 00:0b:86:cd:1a:00: Invalid Station MAC address from AP 10.3.49.253-00:0b:86:a2:e7:40-1.1.1
Mar 5 13:55:14 :501083: <WARN> |stm| Probe request: 00:0b:86:cd:1a:00: Invalid Station MAC address from AP 10.3.49.253-00:0b:86:a2:e7:40-1.1.1

Command History
This command was available in AOS-W 3.0.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode Available in Enable and Config modes.


show log user-debug
show log user-debug{[<number>][all]}
Description
Show the switch's user debug logs.
Syntax

Parameter  Description
<number>   Start displaying the log output from the specified number of lines from the end of the log.
all        Shows all the user debug logs for the switch.

Example
This example shows the switch's last ten user debug logs.

(host) #show log user-debug 10

Mar 5 13:57:24 :501090: <DBUG> |stm| Probe response: 00:18:f8:ab:77:a4: AP 10.3.49.253-00:0b:86:a2:e7:40-1.1.1 SSID
Mar 5 13:57:24 :501090: <DBUG> |stm| Probe response: 00:18:f8:ab:77:a4: AP 10.3.49.253-00:0b:86:a2:e7:41-1.1.1 SSID
Mar 5 13:58:26 :501082: <DBUG> |stm| Probe request: 00:18:f8:ab:77:a4: AP 10.3.49.253-00:0b:86:a2:e7:40-1.1.1
Mar 5 13:58:26 :501085: <DBUG> |stm| Probe request: 00:18:f8:ab:77:a4: AP 10.3.49.253-00:0b:86:a2:e7:40-1.1.1 SSID
Mar 5 13:58:26 :501090: <DBUG> |stm| Probe response: 00:18:f8:ab:77:a4: AP 10.3.49.253-00:0b:86:a2:e7:40-1.1.1 SSID
Mar 5 13:58:26 :501090: <DBUG> |stm| Probe response: 00:18:f8:ab:77:a4: AP 10.3.49.253-00:0b:86:a2:e7:41-1.1.1 SSID
Mar 5 13:58:27 :501082: <DBUG> |stm| Probe request: 00:18:f8:ab:77:a4: AP 10.3.49.253-00:0b:86:a2:e7:40-1.1.1
Mar 5 13:58:27 :501085: <DBUG> |stm| Probe request: 00:18:f8:ab:77:a4: AP 10.3.49.253-00:0b:86:a2:e7:40-1.1.1 SSID
Mar 5 13:58:27 :501090: <DBUG> |stm| Probe response: 00:18:f8:ab:77:a4: AP 10.3.49.253-00:0b:86:a2:e7:40-1.1.1 SSID
Mar 5 13:58:27 :501090: <DBUG> |stm| Probe response: 00:18:f8:ab:77:a4: AP 10.3.49.253-00:0b:86:a2:e7:41-1.1.1 SSID

Command History
This command was available in AOS-W 3.0.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode Available in Enable and Config modes.


show log wireless
show log wireless{[<number>][all]}
Description
Show the switch's wireless logs.
Syntax

Parameter  Description
<number>   Start displaying the log output from the specified number of lines from the end of the log.
all        Shows all the wireless logs for the switch.

Example
This example shows the switch's last ten wireless logs.
(host) #show log wireless 10
Mar 5 13:59:31 :404003: <WARN> |AP 1.1.1@10.3.49.253 sapd| AM 00:0b:86:a2:e7:40: Interfering AP detected with SSID mak-cp-psk and BSSID 00:0b:86:8b:70:20
Mar 5 13:59:35 :404003: <WARN> |AP 1.1.1@10.3.49.253 sapd| AM 00:0b:86:a2:e7:40: Interfering AP detected with SSID and BSSID 00:0b:86:c0:06:83
Mar 5 13:59:38 :404003: <WARN> |AP 1.1.1@10.3.49.253 sapd| AM 00:0b:86:a2:e7:40: Interfering AP detected with SSID and BSSID 00:0b:86:c0:06:85
Mar 5 13:59:41 :404003: <WARN> |AP 1.1.1@10.3.49.253 sapd| AM 00:0b:86:a2:e7:40: Interfering AP detected with SSID and BSSID 00:0b:86:89:f9:42
Mar 5 13:59:41 :404003: <WARN> |AP 1.1.1@10.3.49.253 sapd| AM 00:0b:86:a2:e7:40: Interfering AP detected with SSID QA-SANJAY-OSUWIRELESS and BSSID 00:0b:86:89:f9:40
Mar 5 13:59:44 :404003: <WARN> |AP 1.1.1@10.3.49.253 sapd| AM 00:0b:86:a2:e7:40: Interfering AP detected with SSID QA-SANJAY-OSUVOICE and BSSID 00:0b:86:8c:fb:c0
Mar 5 13:59:44 :404003: <WARN> |AP 1.1.1@10.3.49.253 sapd| AM 00:0b:86:a2:e7:40: Interfering AP detected with SSID Google and BSSID 00:0b:86:4f:82:c0
Mar 5 13:59:47 :404003: <WARN> |AP 1.1.1@10.3.49.253 sapd| AM 00:0b:86:a2:e7:40: Interfering AP detected with SSID QA-SANJAY-OSUVOICE and BSSID 00:0b:86:89:f9:41
Mar 5 13:59:50 :404003: <WARN> |AP 1.1.1@10.3.49.253 sapd| AM 00:0b:86:a2:e7:40: Interfering AP detected with SSID and BSSID 00:0b:86:c0:06:86
Mar 5 13:59:50 :404003: <WARN> |AP 1.1.1@10.3.49.253 sapd| AM 00:0b:86:a2:e7:40: Interfering AP detected with SSID cto-dnh-blah and BSSID 00:0b:86:60:b8:80

Command History
This command was available in AOS-W 3.0.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode Available in Enable and Config modes.


show logging
show logging facility|server|{level [verbose]}
Description
Show the IP address of the remote logging server, as well as facility log types and their associated facility levels.
Syntax

Parameter        Description
facility         View the facility used when logging messages into the remote syslog server.
server           Show the IP address of a remote logging server.
level [verbose]  Show logging levels at which the messages are logged. Include the optional verbose parameter to display additional data for logging subcategories and processes.

Usage Guidelines
The AOS-W logging levels follow syslog convention:
- level 7: Emergency
- level 6: Alert
- level 5: Critical
- level 4: Errors
- level 3: Warning
- level 2: Notices
- level 1: Informational
- level 0: Debug
The default logging level is level 1. You can change this setting via the logging command.
Example
The example below displays the defined logging levels for each logging facility.

(host) #show logging level

LOGGING LEVELS
--------------
Facility  Level
--------  -----
network   warnings
security  warnings
system    warnings
user      warnings
wireless  warnings

The example below displays the IP address of a remote log server. If a remote log server has not yet been defined, this command will not display any output.

(host) #show logging server
Remote Server: 1.1.1.1

FACILITY MAPPING TABLE
----------------------
local-facility  severity   remote-facility
--------------  --------   ---------------
user            debugging  local1

Related Commands

Command  Description  Mode
logging  Use this command to specify the IP address of the remote logging server, as well as facility log types and their associated facility levels.  Config mode on master and local switches

Command History
This command was introduced in AOS-W 2.5.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode Enable and Config mode on master or local switches


show loginsessions
show loginsessions
Description
Displays the current administrator login sessions statistics.
Syntax
No parameters.
Example
Issue this command to display the admin login session statistics.

Session Table
-------------
ID  User Name  User Role  Connection From  Idle Time  Session Time
--  ---------  ---------  ---------------  ---------  ------------
1   admin      root       10.100.102.43    00:00:00   00:27:59

The output includes the following parameters:

Parameter        Description
ID               Sessions identification number
User Name        Administrator's user name
User Role        Administrator's role
Connection From  The IP address from which the administrator is connecting
Idle Time        Amount of time the user has been idle
Session Time     Total time the session has been open

Command History
This command was introduced in AOS-W 3.0.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode Enable or config mode on master switches


show mac-address-table
show mac-address-table
Description
Displays a MAC forwarding table.
Syntax
No parameters.
Example
Issue this command to display the MAC forwarding table.

Dynamic Address Count:                0
Static Address (User-defined) Count:  0
System Self Address Count:            0
Total MAC Addresses :                 6
Maximum MAC addresses :               6

MAC Address Table
------------------
Destination Address  Address Type  VLAN  Destination Port
-------------------  ------------  ----  ----------------
00:0b:86:00:00:00    Mgmt          1     vlan 1
00:0b:86:f0:05:60    Mgmt          1     vlan 1
00:0b:86:00:00:00    Mgmt          62    vlan 62
00:0b:86:f0:05:60    Mgmt          62    vlan 62
00:0b:86:00:00:00    Mgmt          4095  vlan 4095
00:0b:86:f0:05:60    Mgmt          4095  vlan 4095

The output includes the following parameters:

Parameter                            Description
Dynamic Address Count                Count of dynamic addresses currently associated with the switch
Static Address (User-defined) Count  Count of static, user-defined addresses associated with the switch
System Self Address Count            Number of self system addresses
Total MAC Addresses                  Total number of MAC addresses associated with the switch
Maximum MAC Addresses                Maximum number of MAC addresses
Destination Address                  Destination MAC address
Address Type                         Destination address type
VLAN                                 Associated VLAN
Destination Port                     Destination port

Command History
This command was introduced in AOS-W 1.0.


Command Information

Platforms All platforms

Licensing Base operating system

Command Mode Enable or config mode on master switches


show master-configpending
show master-configpending
Description
Displays the list of global commands which are not saved and are not sent to the local switch.
Syntax
No parameters.
Example
The example below displays the commands which are not saved and are not sent to the local switch.
(host) #show master-configpending
aaa profile "default-xml-api"
aaa xml-api server "10.17.93.2"
aaa xml-api server "10.17.93.2"
aaa xml-api server "10.17.93.2" key "12345678"
aaa profile "default-xml-api"
aaa profile "default-xml-api" xml-api-server "10.17.93.2"
user-role "logon"
user-role "logon" captive-portal "default"
user-role "logon"
user-role "logon" no captive-portal "default"
user-role "logon"
user-role "logon" captive-portal "default"
voice rtp-analysis-config
voice rtp-analysis-config rtp-analysis
voice rtp-analysis-config rtp-analysis
voice rtp-analysis-config no rtp-analysis
voice rtp-analysis-config rtp-analysis
Related Commands

Command            Description
master-redundancy  This command associates a VRRP instance with master switch redundancy.
master-local       This command displays the statistics between the local and the master switches.
switches           This command provides the details on the switches connected to the master switch, including the master switch itself.

Command History
This command was introduced in AOS-W 6.0.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode Enable and Config mode on master switches.


show master-local stats
show master-local stats [<ip-addr>] [<page>]
Description
Display statistics for communication between master and local switches.
Syntax

Parameter  Description
<ip-addr>  Include the IP address of a switch to display statistics for that switch only.
<page>     Start displaying the output of this command at the specified page number.

Usage Guidelines
By default, master and local switches exchange heartbeat messages every 10 seconds. These heartbeats include a configuration timestamp. If a master switch has a later timestamp than the local switch, the state of the local switch changes from 'Update Successful' to 'Update Required'.

Example
The example below shows statistics for all communications between the master and local switch.
(host) #show master-local stats

Missed -> HB Resp from Master
-----------------------------
IP Address  HB Req  HB Resp  Total Missed  Last Sent Missed  Peer Reset  Cfg Terminate  Last Synced
----------  ------  -------  ------------  ----------------  ----------  -------------  -----------
10.6.2.252  194721  194208   926           0                 105         1              Thu Feb 26 21:12:04 2009

The output of this command includes the following data columns:

Parameter         Description
IP Address        IP address of the local switch.
HB Req            Heartbeat requests sent from the local switch.
HB Resp           Heartbeat responses sent from the master switch.
Total Missed      Total number of heartbeats that were not received by the local switch.
Last Sent Missed  This counter will increment if the switch misses the last heartbeat from the peer switch. This counter will keep on incrementing until the heartbeat message is received from the peer.
Peer Reset        The number of times the connection to the peer has been reset. The connection could reset due to network connectivity problems or when the peer switch reboots.
Cfg Terminate     Number of times the switch has failed to upgrade to a new configuration.
Last Synced       Timestamp showing the last time the local switch synched its configuration from the master switch.

Command History
This command was introduced in AOS-W 3.0.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode Enable and Config mode on master or local switches.


show master-redundancy
show master-redundancy
Description
Display the master switch redundancy configuration.
Syntax
No parameters.
Example
The example below shows the current master redundancy configuration, including the ID number of the master VRRP virtual router and the IP address of the peer switch for master redundancy.
(host) #show master-redundancy
Master redundancy configuration:
VRRP Id 2 current state is MASTER
Peer's IP Address is 2.1.1.4
Related Commands

Command                        Description
master-redundancy master-vrrp  This command associates a VRRP instance with master switch redundancy.
vrrp                           This command configures the Virtual Router Redundancy Protocol (VRRP).

Command History
This command was introduced in AOS-W 3.0.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode Enable and Config mode on master switches.


show memory
show memory [ap {meshd|rfd|sapd} {ap-name <ap-name>}|{bssid <bssid>}|{ip-addr <ip-addr>}]| [auth | cfgm |debug [[verbose]]|dbsync |fpapps | fpcli| isakmpd | l2tpd | mobileip | ospf | pim | pptpd | profmgr | slb| snmpd | stm | udbserver |wms]

Description
Show the amounts of free and available memory on the switch, or include a process name to show memory information for a process on the AP or switch.
Syntax

Parameter          Description
ap                 Show memory information for a process running on a specific AP.
meshd              Display memory information for the meshd process on the specified AP.
rfd                Display memory information for the rfd process on the specified AP.
sapd               Display memory information for the rfd process on the specified AP.
ap-name <ap-name>  Display memory information for an AP with the specified AP name.
bssid <bssid>      Display memory information for an AP with the specified BSSID.
ip-addr <ip-addr>  Display memory information for an AP with the specified IP address.
auth               Display memory information for the auth process on the switch.
cfgm               Display memory information for the cfgm process on the switch.
debug [verbose]    Display detailed memory information to debug memory errors on the switch. This command should only be used under the supervision of Alcatel-Lucent Technical Support.
dbsync             Display memory information for the dbsync process on the switch.
fpapps             Display memory information for the fpapps process on the switch.
fpcli              Display memory information for the fpcli process on the switch.
isakmpd            Display memory information for the isakmpd process on the switch.
l2tpd              Display memory information for the l2tpd process on the switch.
mobileip           Display memory information for the mobileip process on the switch.
ospf               Display memory information for the ospf process on the switch.
pim                Display memory information for the pim process on the switch.
pptpd              Display memory information for the pptpd process on the switch.
profmgr            Display memory information for the profmgr process on the switch.
slb                Display memory information for the slb process on the switch.
apsnmpd            Display memory information for the apsnmpd process on the switch.
stm                Display memory information for the auth process on the switch.
udbserver          Display memory information for the udbserver process on the switch.
wms                Display memory information for the wms process on the switch.

Usage Guidelines
Include the name of a process to show memory information for that process. Use this command under the supervision of Alcatel-Lucent technical support to help debug process errors.
Example
The command show memory displays, in kilobytes, the total memory on the switch, the amount of memory currently being used, and the amount of free memory.
(host) # show memory
Memory (Kb): total: 256128, used: 162757, free: 93371

Include the name of a process to show memory statistics for that process. The example below shows memory statistics for mobileip.

(host) # show memory mobileip
Type     Num Allocs  Size Allocs  Total Allocs  Total Size
default  92                       145622

PC          Allocs  Size
0x1000be14  1       64
0x10016cb0  1       41000
0x10021604  1       80
0x10032e34  1       24
0x30019a24  1       2200
0x30019bd8  1       41000
0x30019bf0  1       41000
0x30019c28  1       11263
0x3001b134  2       1967
0x300326b8  9       72
0x30032738  4       64
0x3019dfdc  1       44
0x3019ee60  3       48
0x3019ef18  1       784
0x301b63bc  13      312
0x301b6470  10      200
0x301b648c  10      920
0x301b7614  3       36
0x301b7770  8       128
0x301bd460  3       60

The output of this command includes the following columns:

Column        Description
Type          The show memory command currently shows information for predefined processes only, so this column always displays the parameter default.
Num Allocs    Current number of memory allocations.
Size Allocs   Total size of all memory allocations, in bytes.
Total Allocs  Maximum number of allocations used throughout the life of the process.
Total Size    Maximum size of allocations used throughout the life of the process, in bytes.
PC            Program counter: the address of a memory allocation. (For internal use only.)
Allocs        Number of memory allocations at that program counter. (For internal use only.)
Size          Size of all memory allocations at that program counter. (For internal use only.)

Command History
This command was available in AOS-W 3.0.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Config or Enable mode on master or local switches


show mgmt-role
show mgmt-role
Description
This command allows the user to view a list of management role configurations.
Syntax
No parameters.
Example
Issue this command to display a list of management user roles.

Management User Roles
---------------------
ROLE                DESCRIPTION
----                -----------
root                Super user role
read-only           Read only commands
network-operations  network-operations
guest-provisioning  guest-provisioning
location-api-mgmt   location-api-mgmt
no-access           Default role, no commands are accessible for this role
location-api-mgmt   location-api-mgmt

The output includes the following parameters:

Parameter    Description
ROLE         Name of the management user role
DESCRIPTION  Description of the management user role

Command History
This command was introduced in AOS-W 1.0.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode Enable or config mode on master switches


show mgmt-users
show mgmt-users [ <username> | local-authentication-mode <username> | ssh-pubkey <username> | webui-cacert <username> ]
Description
Displays a list of management users on the switch and details of each management user.
Syntax

Parameter                  Description
username                   To view details of a specific management user.
local-authentication-mode  Status of local-authentication mode.
ssh-pubkey                 Number of management users using the ssh-pubkey.
webui-cacert               Number of management users using web CA certificates.

Example
The output of this command shows the client certificate name, username, user role, and revocation checkpoint for management users using the ssh-pubkey in the switch.
(host) #show mgmt-user ssh-pubkey
SSH Public Key Management User Table
------------------------------------
CLIENT-CERT  USER   ROLE  STATUS
-----------  ----   ----  ------  ---------------------
client1-rg   test1  root  ACTIVE
client2-rg   test2  root  ACTIVE
client3-rg   test3  root  ACTIVE
client1-rg   test4  root  ACTIVE
Command History

Release      Modification
AOS-W 3.3.2  Command introduced

Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Config or Enable mode on master or local switches


show tunneled-node config
show tunneled-node config
Description
Displays wired tunneled node configuration details.
Syntax
No parameters.
Example
The output of this command shows the tunneled node configuration details.
(host) # show tunneled-node config
Tunneled Node:Enabled
Tunneled Node Server:4.4.4.1
Tunnel Loop Prevention:Disabled
Tunnel Node MTU:5000
Command History

Release    Modification
AOS-W 3.0  Command introduced
AOS-W 6.1  The command name was changed to show tunneled-node config.

Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Config or Enable mode on master or local switches


show netdestination
show netdestination <netdestination name>

Description
Displays IPv4 and IPv6 network destination information.

Syntax
No parameters.

Example

Issue this command to display all netdestinations configured on this switch. The output below displays information for all configured IPv4 and IPv6 netdestinations. To display additional detailed information for an individual netdestination, include the name of the netdestination at the end of the command.

(host) >enable
Password:******
(host) #show netdestination

Name: white-list
Position  Type  IP addr  Mask-Len/Range
--------  ----  -------  --------------

Name: localnetwork
Position  Type     IP addr  Mask-Len/Range
--------  ----     -------  --------------
1         network  0.0.0.2  0.0.0.0

The output includes the following parameters:

Parameter   Description
Name        Network destination name
Position    Network destination position
Type        Network destination type
IP addr     IP address of the network destination
Mask/Range  Network destination subnet mask and range

Command History
This command was introduced in AOS-W 3.0.
Command Information

Platforms All platforms

Licensing You must have a PEFNG license to configure or view a netdestination.

Command Mode Enable or config mode on master switches


show netexthdr
show netexthdr <alias-name>
Description
This command displays the IPv6 extension header (EH) types that are denied.
Syntax

Parameter    Description                 Default
<aliasname>  Specify the EH alias name.  default

Usage Guidelines
Example
The following command displays the denied extended header types in the default EH:
(host) #show netexthdr default
Extended Header type(s) Denied
------------------------------
51,
Command History

Release    Modification
AOS-W 6.1  Command introduced

Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Enable or Config mode on the master switches


show netservice
show netservice [<string>]
Description
Show network services
Syntax

Parameter  Description
<string>   Name of a network service.

Usage guidelines
Issue this command without the optional <string> parameter to view a complete table of network services on the switch. Include the <string> parameter to display settings for a single network service only.

Example

The following example shows the protocol type, ports and application-level gateway (ALG) for the DHCP service.

(host) #show netservice svc-dhcp

Services
--------
Name      Protocol  Ports  ALG
----      --------  -----  ---
svc-dhcp  udp       67 68

Related Commands
To configure an alias for network protocols, use the command netservice.

Command History
This command was available in AOS-W 1.0.

Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Enable and Config mode on local and master switches


show netstat
show netstat [stats]
Description
Show current active network connections.
Syntax

Parameter  Description
<string>   Show network statistics, filtered by protocol type.

Usage guidelines
Issue this command without the optional stats parameter to view a complete table of active network connections. Include the stats parameter to display aggregate statistics for IP, ICMP, TCP and UDP protocols.
Example
The following example shows incoming and outgoing packet statistics for the switch.
(host) #show netstat stats
Ip:
    1084012095 total packets received
    2 with invalid headers
    3 forwarded
    426940 incoming packets discarded
    932097114 incoming packets delivered
    1004595164 requests sent out
    52847 fragments dropped after timeout
    201323411 reassemblies required
    50179757 packets reassembled ok
    53204 packet reassembles failed
    136827034 fragments created
Icmp:
    1969625 ICMP messages received
    5 input ICMP message failed.
    ICMP input histogram:
        destination unreachable: 1752058
        timeout in transit: 1684
        redirects: 70805
        echo requests: 145073
        echo replies: 5
    249806 ICMP messages sent
    0 ICMP messages failed
    ICMP output histogram:
        destination unreachable: 51944
        time exceeded: 52796
        redirect: 2
        echo replies: 145064
Tcp:
    3 active connections openings
    0 passive connection openings
    0 failed connection attempts
    0 connection resets received
    2 connections established
    1006383 segments received
    1147229 segments send out
    9603 segments retransmitted
    0 bad segments received.
    2568 resets sent
Udp:
    928478757 packets received
    40767 packets to unknown port received.
    426937 packet receive errors
    910267627 packets sent
Related Commands
To configure an alias for network protocols, use the command netservice.
Command History
This command was available in AOS-W 1.0.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Config mode on local and master switches


show network-printer
show network-printer [config | job <printer-name> | status]
Description
Displays configuration, job status details, and printer status of USB printers connected to a OAW-4306 Seriesswitch.
Syntax

Parameter  Description
config     Displays the configuration details of the printer service on the switch.
job        Displays the list of jobs in the queue for all printers connected to the switch.
status     Displays the status of all printers connected to the switch.

Example
The output of this command shows the status of all printers connected to the switch.
(host) #show network-printer status

Networked Printer Status
------------------------
Printer Name                                               Printer Alias  Status  Comment
------------                                               -------------  ------  -------
usblp_Hewlett-Packard_HP_Color_LaserJet_CP3505_CNBJ8B1003  HPLJ_P3005     idle    enabled
usblp_HP_Officejet_Pro_L7500_MY872231FX                    HPOJ_L7500     idle    enabled

Command History
This command was available in AOS-W 3.4

Command Information

Platforms: OAW-4306 Series switch
Licensing: Base operating system
Command Mode: Enable mode

show network-storage
show network-storage [ files opened | shares {<file-system-path> | disk | status | users {disk <disk-name>} ]
Description
Displays details about the USB storage device connected to an OAW-4306 Series switch.
Syntax

Parameter     Description
files opened  Displays the list of opened files in the USB storage device connected to the switch.
shares        Displays the list of shares that are created in the USB storage device. This option provides the following details:
              - name of the share
              - name of the disk by alias
              - the folder associated with the share
              - the access mode
status        Displays the status of the storage service on the switch.
users         Displays the list of users by IP address, connected share name and connection time.

Example
The output of this command shows the list of users connected to the storage shares on the switch.
(host) #show network-storage users

NAS Users
---------
Share Name  Machine      Connected at
----------  -------      ------------
Documents   192.168.1.4  Fri Apr 21 14:28:59 2009
Documents   192.168.1.5  Fri Apr 21 14:17:09 2009

Command History
This command was available in AOS-W 3.4

Command Information

Platforms: OAW-4306 Series switch
Licensing: Base operating system
Command Mode: Enable mode

show ntp peer
show ntp peer <a.b.c.d>
Description
Show NTP peer information.
Syntax

Parameter  Description
<a.b.c.d>  IP address of an NTP peer

Usage guidelines
The show ntp peer command is used for NTP server troubleshooting, and should only be used under the supervision of Alcatel-Lucent technical support. Issue the show ntp servers command to view basic settings for currently configured NTP servers.
Related Commands
To configure an NTP server, use the command ntp server.
Command History
This command was available in AOS-W 3.0.
Command Information

Platforms: All platforms
Licensing: Base operating system
Command Mode: Enable and Config mode on local and master switches

show ntp servers
show ntp servers [brief]
Description
Show information for Network Time Protocol (NTP) servers.
Syntax

Parameter  Description
brief      Display the IP address of the defined NTP servers, iburst and key settings.

Examples
The following example shows values for the primary and backup NTP servers. The primary server is marked with an asterisk (*) and the backup server is marked with an equals sign (=). Note that a backup server will not display delay, offset or dispersion data, as it is not currently in use.
(host) #show ntp servers

 remote        local        st  poll  reach  delay    offset     disp
=======================================================================
=10.4.0.21     10.6.2.253   16  1024  0      0.00000  0.000000   0.00000
*10.1.1.250    10.6.2.253   2   1024  377    0.00081  -0.010376  0.03040

The output of this command includes the following parameters:

Parameter  Description
remote     IP address of the remote NTP server defined using the CLI command ntp server.
local      IP address of the local clock.
st         NTP uses hierarchical levels of clock sources, or strata, and assigns each layer a number starting with zero at the root. The st column in the output of this command represents the number of servers between the configured NTP server and the root reference clock.
poll       Interval, in seconds, between the local NTP server's attempts to poll the remote NTP server.
reach      An index that measures whether or not the remote NTP server could be reached at the eight most recent polling intervals. If the NTP server has just been configured and hasn't yet been polled successfully, the value will be zero (0). A value of 377 indicates that the last eight poll queries were successful.
delay      Delay, in seconds, between the time that the local clock polls the NTP server and the NTP server returns a reply.
offset     The difference in time, in seconds, between the local clock and the NTP server.
disp       Dispersion represents the maximum error of the local clock relative to the reference clock, and is a measurement of the time server and network quality. Lower dispersion values are preferred over higher dispersion values.
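
The reach value is printed in octal: 377 is the 8-bit value 11111111, one bit per poll, with the most recent poll in the lowest bit. The following added example (not part of this guide or of AOS-W) parses the show ntp servers table and reports missed polls, loss of synchronization and excessive offset on the primary server; the function names, the constructed sample rows and the 0.128-second offset threshold are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample: the two data rows from the example output, one server per line.
SAMPLE = """\
 remote        local        st  poll  reach  delay    offset     disp
=======================================================================
=10.4.0.21     10.6.2.253   16  1024  0      0.00000  0.000000   0.00000
*10.1.1.250    10.6.2.253   2   1024  377    0.00081  -0.010376  0.03040
"""

ROW = re.compile(
    r"^\s*(?P<mark>[*=]?)(?P<remote>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<local>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<st>\d+)\s+(?P<poll>\d+)\s+"
    r"(?P<reach>[0-7]{1,3})\s+(?P<delay>-?[\d.]+)\s+(?P<offset>-?[\d.]+)\s+"
    r"(?P<disp>-?[\d.]+)\s*$"
)
ROLES = {"*": "primary", "=": "backup", "": "unmarked"}


@dataclass
class NtpServer:
    remote: str
    role: str
    stratum: int
    poll: int
    reach: int      # 8-bit shift register, parsed from its octal display form
    offset: float

    def poll_history(self):
        """Last eight polls, newest first; True means the server answered."""
        return [bool((self.reach >> bit) & 1) for bit in range(8)]


def parse_ntp_servers(text):
    servers = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header, separator or blank line
        servers.append(NtpServer(
            remote=m["remote"],
            role=ROLES[m["mark"]],
            stratum=int(m["st"]),
            poll=int(m["poll"]),
            reach=int(m["reach"], 8) & 0xFF,
            offset=float(m["offset"]),
        ))
    return servers


def assess(server, max_offset=0.128):
    """Return findings for one server. max_offset (seconds) is an assumed
    alerting threshold, not a value taken from the guide."""
    if server.role != "primary":
        return []  # a backup shows zeroed counters because it is not in use
    findings = []
    missed = server.poll_history().count(False)
    if server.reach == 0:
        findings.append("primary never answered in the last eight polls")
    elif missed:
        findings.append(f"primary missed {missed} of the last eight polls")
    if server.stratum >= 16:
        findings.append("primary reports stratum 16 (unsynchronized)")
    if abs(server.offset) > max_offset:
        findings.append(f"offset {server.offset:+.6f}s exceeds {max_offset}s")
    return findings


def audit(text):
    """Map each remote address to its findings; add a switch-level finding
    when no row carries the primary (*) marker."""
    servers = parse_ntp_servers(text)
    report = {s.remote: assess(s) for s in servers}
    if not any(s.role == "primary" for s in servers):
        report["(switch)"] = ["no server is marked as primary (*)"]
    return report


if __name__ == "__main__":
    for remote, findings in audit(SAMPLE).items():
        print(remote, findings or "ok")
```

A reach of 357 (binary 11101111) on the primary would be reported as one missed poll, the fifth most recent.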

The following example shows the NTP server configuration. The NTP server IP address, key ID and iburst status are shown when the ntp servers brief command is used.
(host) (config) #show ntp servers brief
server 1.1.1.1 key 1234
server 10.1.1.245 iburst key 12345
Related Commands
To configure an NTP server, use the command ntp server.
Command History

Release    Modification
AOS-W 3.0  Command introduced
AOS-W 6.1  The key-id parameter output displays when the ntp servers brief command is used.

Command Information

Platforms: All platforms
Licensing: Base operating system
Command Mode: Enable and Config mode on local and master switches

show ntp status
show ntp status

Description
Show information for an NTP server.

Syntax
No parameters.

Example
The following example shows values for the primary NTP server.
(host) #show ntp status

system uptime:          7594
time since reset:       7594
bad stratum in packet:  0
old version packets:    113
new version packets:    0
unknown version number: 0
bad packet format:      0
packets processed:      110
bad authentication:     0
packets rejected:       0
system peer:            10.1.1.250
system peer mode:       client
leap indicator:         00
stratum:                3
precision:              -18
root distance:          0.03236 s
root dispersion:        0.06728 s
reference ID:           [10.1.1.250]
reference time:         cd45b701.bcbc05d5 Tue, Feb 17 2009 14:21:53.737
system flags:           auth monitor ntp kernel stats
jitter:                 0.005020 s
stability:              0.866 ppm
broadcastdelay:         0.003998 s
authdelay:              0.000000 s

The output of this command includes the following parameters:

Parameter               Description
system uptime           The number of seconds the local NTP server has been associated with the switch.
time since reset        The number of seconds since the last time the local NTP server was restarted.
bad stratum in packet   The number of NTP packets with a corrupted stratum bit.
old version packets     Number of packets that match the previous NTP version. A version number is in every NTP packet.
new version packets     Number of packets that match the current NTP version.
unknown version number  Number of packets with an unknown NTP version.
bad packet format       Number of NTP packets dropped due to an invalid packet format.
packets processed       Number of NTP packets received and processed by the switch.
bad authentication      Number of NTP packets that failed to be authenticated.
packets rejected        Number of NTP packets rejected because they had an invalid format.
system peer             The IP address of the peer NTP server.
system peer mode        The peer mode of this remote association:
                        - Symmetric Active
                        - Symmetric Passive
                        - Client
                        - Server
                        - Broadcast
leap indicator          This parameter indicates whether or not a leap-second should be inserted or removed at the end of the last day of the current month.
                        - 00 no warning
                        - 01 +1 second (following minute has 61 seconds)
                        - 10 -1 second (following minute has 59 seconds)
stratum                 The stratum level of the peer.
precision               The advertised precision of the switch. This value can range from -4 to -20, inclusive.
root distance           Total round trip delay to the stratum 1 reference clock.
root dispersion         Total dispersion to the stratum 1 reference clock. This value is a cumulative measure of all errors associated with the network hops and servers between the NTP server and its stratum 1 server.
reference ID            IP address of the remote NTP server.
reference time          Time when the local system clock was last set or corrected, in NTP timestamp format.
system flags            This parameter displays any flags configured for this NTP entity.
jitter                  The average magnitude of jitter between several time queries.
stability               The average magnitude of offset between several time queries.
broadcastdelay          The broadcast delay of this NTP server association, in seconds.
authdelay               The authentication delay of this NTP server association, in seconds.
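
The reference time field is an NTP timestamp: 32 bits of seconds since 1 January 1900 UTC and a 32-bit binary fraction, both printed in hexadecimal. The following added example (not part of this guide or of AOS-W) decodes it and checks the leap indicator and bad authentication counter; the function names, the one-hour staleness threshold and the treatment of leap indicator 11 (the RFC 5905 alarm value, which the table above does not list) are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: selected fields from the example output, one per line.
SAMPLE = """\
bad authentication:     0
system peer:            10.1.1.250
leap indicator:         00
stratum:                3
reference time:         cd45b701.bcbc05d5 Tue, Feb 17 2009 14:21:53.737
"""

NTP_EPOCH = datetime(1900, 1, 1, tzinfo=timezone.utc)
LEAP = {"01": "+1 second", "10": "-1 second"}


def parse_status(text):
    """Split 'name: value' lines at the first colon only, so that the
    colons inside the reference time value are preserved."""
    fields = {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip():
            fields[name.strip()] = value.strip()
    return fields


def decode_ntp_timestamp(hex_ts):
    """Decode 'ssssssss.ffffffff' into an aware UTC datetime. Assumes NTP
    era 0, i.e. a timestamp from before the 32-bit seconds field wraps in 2036."""
    sec_hex, frac_hex = hex_ts.split(".")
    micros = round(int(frac_hex, 16) / 2**32 * 1_000_000)
    return NTP_EPOCH + timedelta(seconds=int(sec_hex, 16), microseconds=micros)


def review(fields, now, max_age=timedelta(hours=1)):
    """Return findings for one show ntp status snapshot. max_age is an
    assumed threshold for how old the last clock correction may be."""
    findings = []
    bad_auth = int(fields.get("bad authentication", "0"))
    if bad_auth:
        findings.append(f"{bad_auth} NTP packets failed authentication")
    li = fields.get("leap indicator", "")
    if li == "11":
        findings.append("leap indicator 11: clock not synchronized")
    elif li in LEAP:
        findings.append(f"leap second pending: {LEAP[li]}")
    ref_text = fields.get("reference time")
    if ref_text:
        # The first token is the hexadecimal timestamp; the rest is the
        # switch's local-time rendering of the same instant.
        age = now - decode_ntp_timestamp(ref_text.split()[0])
        if age > max_age:
            findings.append(f"clock last corrected {int(age.total_seconds())}s ago")
    return findings


if __name__ == "__main__":
    status = parse_status(SAMPLE)
    print(decode_ntp_timestamp(status["reference time"].split()[0]).isoformat())
    print(review(status, now=datetime.now(timezone.utc)))
```

The sample decodes to 22:21:53.737 UTC on 17 February 2009, which matches the 14:21:53.737 shown by the switch if its local time zone is UTC-8.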

Related Commands
To configure an NTP server, use the command ntp server.
Command History
This command was available in AOS-W 3.0.

Command Information

Platforms: All platforms
Licensing: Base operating system
Command Mode: Enable and Config mode on local and master switches

show packet-capture
show packet-capture
Description
Displays packet capture status on the switch.
Syntax
No parameters.
Example
The output of this command shows the packet capture configuration details.
(host) # show packet-capture

Current Active Packet Capture Actions(current switch)
=====================================================
Packet filtering TCP with 1 port(s) enabled:
    2
Packet filtering UDP with 1 port(s) enabled:
    5
Packet filtering for internal messaging opcodes disabled.
Packet filtering for all other packets enabled.

Packet Capture Defaults(across switches and reboots if saved)
============================================================
Packet filtering TCP with 1 port(s) enabled:
    2
Packet filtering UDP with 1 port(s) enabled:
    5
Packet filtering for internal messaging opcodes disabled.
Packet filtering for all other packets enabled.

Command History
This command was available in AOS-W 3.3.2
Command Information

Platforms: All platforms
Licensing: Base operating system
Command Mode: Config or Enable mode on master or local switches

show packet-capture-defaults
show packet-capture-defaults
Description
Displays the status of default packet capture options.
Syntax
No parameters.
Example
The output of this command shows packet capture status.
(host) # show packet-capture-defaults

Current Active Packet Capture Actions(current switch)
=====================================================
Packet filtering for TCP ports disabled.
Packet filtering for UDP ports disabled.
Packet filtering for internal messaging opcodes disabled.
Packet filtering for all other packets disabled.

Packet Capture Defaults(across switches and reboots if saved)
============================================================
Packet filtering for TCP ports disabled.
Packet filtering for UDP ports disabled.
Packet filtering for internal messaging opcodes disabled.
Packet filtering for all other packets disabled.
Command History
This command was available in AOS-W 3.3.2
Command Information

Platforms: All platforms
Licensing: Base operating system
Command Mode: Config or Enable mode on master or local switches

show papi-security (deprecated)
show papi-security
Description
This command shows a configured papi-security profile.
Syntax

Parameter: PAPI Key
Description: The key string. The key authenticates the messages between systems.
Range: 10-64 characters
Default: --

Parameter: Enhanced security mode
Description: Indicates if the enhanced security mode is enabled or disabled. This mode causes the system to reject messages when an incorrect key is used.
Range: --
Default: disabled

Usage Guidelines
Issue this command to show the selected papi-security profile configuration. The papi-security command is used to enforce advanced security options and provides an enhanced level of security.
The Parameter column displays the PAPI Key and Enhanced security mode parameters. The Value column displays a Papi key value (encrypted) and indicates whether the Enhanced security mode is enabled or disabled. If an AP cannot be authenticated because it has the wrong key, the show ap database command displays a "Bad key" status.
(host) #show papi-security

PAPI Security Profile
---------------------
Parameter               Value
---------               -----
PAPI Key                ********
Enhanced security mode  Enabled

Related Commands
Use the command papi-security (deprecated) to configure a papi-security profile.

Command History

Release    Modification
AOS-W 3.4  Command introduced.
AOS-W 6.2  Command deprecated

Command Information

Platforms: All platforms
Licensing: Base operating system
Command Mode: Enable or config mode on master or local switches

show phonehome
show phonehome global history report-status stats
Description
Use this command to view current configuration settings and debugging statistics for the phonehome automatic reporting feature.
Syntax

Parameter      Description
global         Show whether the phonehome service and auto-reporting is enabled or disabled, and display current SMTP settings for this feature.
history        Issue this command under the guidance of Alcatel-Lucent support to troubleshoot phonehome automatic reporting.
report-status  Issue this command under the guidance of Alcatel-Lucent support to troubleshoot phonehome automatic reporting.
status         Include this parameter to show the number of reports successfully sent to the SMTP server, the number of times the switch attempted to retry sending a report to the SMTP server and the number of reports that failed to reach the SMTP server after one or more retry attempts, and

Usage Guidelines
The automatic reporting feature, also known as PhoneHome, allows a switch to securely contact Alcatel-Lucent support servers over the Internet to report events such as hardware failures, software malfunctions, and other critical events. When the PhoneHome automatic reporting feature is enabled, the switch sends Alcatel-Lucent support weekly reports about the switch's configuration, licenses, software and hardware versions, and any software malfunctions via a secure email.
This feature requires that your network has a local SMTP server capable of relaying email. When the switch generates the report email with the phonehome data file attachment, it forwards the email to the SMTP server configured on your local network, which then delivers the message to Alcatel-Lucent. If your email server requires the sender to be authenticated before message delivery, the switch can connect to the SMTP by supplying the sender's user name and password.
Each PhoneHome report attachment is encrypted before it is transmitted to the SMTP server, and is decrypted by Alcatel-Lucent support when it is received. If the PhoneHome status report email is larger than the maximum email size supported by your SMTP server, the switch will divide the PhoneHome attachment into multiple smaller attachments and send the report to Alcatel-Lucent in multiple emails.
In the event that you need to contact Alcatel-Lucent support with a question about your switch, you can use the phonehome now command in enable mode to generate and immediately send a status report, so that Alcatel-Lucent support can diagnose the issue with the most current switch data.

Example

The following command shows whether the PhoneHome service and auto-reporting are enabled or disabled, and displays the current SMTP settings for this feature:

(host) #show phonehome global

PhoneHome information:
PhoneHome Service:      Disabled
PhoneHome Auto-Report:  Disabled
Local SMTP server:      172.21.18.170:25
SMTP From Email:        admin@mycorp.com
Max Attachment Size:    10 MB

Command History
This command was introduced in AOS-W 6.0.

Command Information

Platforms: All platforms
Licensing: Base operating system
Command Mode: Config or Enable mode on master or local switches.

show poe
show poe [slot/port]

Description
Displays the PoE status of all or a specific port on the switch.

Syntax
No parameters.

Example
The output of this command shows the PoE status of port 10 in slot 1.
(host) # show poe 1/10

PoE Status
----------
Port     Status  Voltage(mV)  Current(mA)  Power (mW)
----     ------  -----------  -----------  ----------
FE 1/10  Off     N/A          N/A          N/A

Command History
This command was available in AOS-W 3.0

Command Information

Platforms: All platforms
Licensing: Base operating system
Command Mode: Config or Enable mode on master or local switches

show policer-profile (deprecated)
show policer-profile <profile-name>
Description
Displays the policer profile configuration.
Command History
This command was deprecated in AOS-W 6.2.


show port link-event
show port link-event

Description
Displays the link status on each of the ports on the switch.

Syntax
No parameters.

Example
The output of this command shows the link status on all ports in the switch.
(host) # show port link-event

Slot/Port  UP     DOWN   Slot/Port  UP    DOWN
---------  --     ----   ---------  --    ----
2/ 0       0      0      2/ 1       0     0
2/ 2       0      0      2/ 3       1     1
2/ 4       0      0      2/ 5       0     0
2/ 6       0      0      2/ 7       1     1
2/ 8       0      0      2/ 9       0     0
2/10       10     9      2/11       2     1
2/12       1      0      2/13       0     0
2/14       1      0      2/15       6     5
2/16       5      4      2/17       9     8
2/18       1      0      2/19       5     4
2/20       0      0      2/21       4     4
2/22       2      2      2/23       9     9
2/24       0      0      2/25       0     0
3/ 0       24     23     3/ 1       0     0
3/ 2       0      0      3/ 3       0     0
3/ 4       1      0      3/ 5       1     0
3/ 6       0      0      3/ 7       0     0
3/ 8       94     94     3/ 9       0     0
3/10       0      0      3/11       5886  5886
3/12       49751  49750  3/13       50    49
3/14       2589   2588   3/15       228   227
3/16       2      1      3/17       2423  2423
3/18       8245   8244   3/19       5098  5098
3/20       74     73     3/21       2     2
3/22       1      0      3/23       0     0
3/24       0      0      3/25       0     0

Command History
This command was available in AOS-W 3.3.2

Command Information

Platforms: All platforms
Licensing: Base operating system
Command Mode: Config or Enable mode on master or local switches

show port monitor
show port monitor

Description
Displays the list of ports that are configured to be monitored.

Syntax
No parameters.

Example
The output of this command shows the list of ports that are configured to be monitored.
(host) # show port monitor

Monitor Port  Port being Monitored
------------  --------------------
FE 1/10       FE 1/20

Command History
This command was available in AOS-W 3.3.2

Command Information

Platforms: All platforms
Licensing: Base operating system
Command Mode: Config or Enable mode on master or local switches

show port stats
show port stats

Description
Displays the activity statistics on each of the ports on the switch.

Syntax
No parameters.

Example
The output of this command shows the activity statistics for ports on the switch.
(host) # show port stats

Port Statistics
---------------
Port    PacketsIn  PacketsOut  BytesIn    BytesOut   InputErrorBytes  OutputErrorBytes  CRCErrors
----    ---------  ----------  -------    --------   ---------------  ----------------  ---------
FE1/4   0          0           0          0          0                0                 0
FE1/5   0          0           0          0          0                0                 0
FE1/6   0          0           0          0          0                0                 0
FE1/7   0          0           0          0          0                0                 0
FE1/8   0          0           0          0          0                0                 0
FE1/9   0          0           0          0          0                0                 0
FE1/10  0          2041530     0          296644355  0                0                 0
FE1/11  0          0           0          0          0                0                 0
FE1/12  0          0           0          0          0                0                 0
FE1/13  0          0           0          0          0                0                 0
FE1/14  0          3           0          138        0                0                 0
FE1/15  0          0           0          0          0                0                 0
FE1/16  2937495    1861880     582814945  244607030  32               0                 2
FE1/17  0          0           0          0          0                0                 0
FE1/18  591066     1220117     67049881   143261677  0                0                 0
FE1/19  0          0           0          0          0                0                 0
FE1/20  1205264    836266      211330696  85313659   80               0                 5
FE1/21  0          0           0          0          0                0                 0
FE1/22  0          0           0          0          0                0                 0
...

Command History
This command was available in AOS-W 3.3.2

Command Information

Platforms: All platforms
Licensing: Base operating system
Command Mode: Config or Enable mode on master or local switches

show port status
show port status

Description
Displays the status of all ports on the switch.

Syntax
No parameters.

Example
The output of this command shows the status of all ports in the switch.
(host) # show port status

Port Status
-----------
Slot-Port  PortType  adminstate  operstate  poe      Trusted  SpanningTree  PortMode
---------  --------  ----------  ---------  ---      -------  ------------  --------
1/0        FE        Enabled     Up         Enabled  Yes      Forwarding    Access
1/1        FE        Enabled     Down       Enabled  Yes      Disabled      Access
1/2        FE        Enabled     Down       Enabled  Yes      Disabled      Access
1/3        FE        Enabled     Down       Enabled  Yes      Disabled      Access
1/4        FE        Enabled     Down       Enabled  Yes      Disabled      Access
1/5        FE        Enabled     Down       Enabled  Yes      Disabled      Access
1/6        FE        Enabled     Down       Enabled  Yes      Disabled      Access
1/7        FE        Enabled     Down       Enabled  Yes      Disabled      Access
1/8        FE        Enabled     Down       Enabled  Yes      Disabled      Access
1/9        FE        Enabled     Down       Enabled  Yes      Disabled      Access
1/10       FE        Enabled     Down       Enabled  Yes      Disabled      Access
1/11       FE        Enabled     Down       Enabled  Yes      Disabled      Access
1/12       FE        Enabled     Down       Enabled  Yes      Disabled      Access
1/13       FE        Enabled     Down       Enabled  Yes      Disabled      Access
1/14       FE        Enabled     Down       Enabled  Yes      Disabled      Access
1/15       FE        Enabled     Down       Enabled  Yes      Disabled      Access
1/16       FE        Enabled     Up         Enabled  Yes      Forwarding    Access
...

Command History
This command was available in AOS-W 3.3.2

Command Information

Platforms: All platforms
Licensing: Base operating system
Command Mode: Config or Enable mode on master or local switches

show port trusted
show port trusted

Description
Displays the list of ports configured with trusted profiles.
Syntax
No parameters.
Example
The output of this command shows the list of ports with trusted profile.
(host) # show port trusted
FE 1/0
FE 1/1
FE 1/2
FE 1/3
FE 1/4
FE 1/5
FE 1/6
FE 1/7
FE 1/8
FE 1/9
FE 1/10
FE 1/11
FE 1/12
FE 1/13
FE 1/14
FE 1/15
FE 1/16
FE 1/17
FE 1/18
FE 1/19
FE 1/20
FE 1/21
FE 1/22
FE 1/23
GE 1/24
GE 1/25
Command History
This command was available in AOS-W 3.3.2
Command Information

Platforms: All platforms
Licensing: Base operating system
Command Mode: Config or Enable mode on master or local switches

show port xsec
show port xsec

Description
Displays the list of xSec enabled ports.
Syntax
No parameters.
Example
The output of this command shows the list of xSec enabled ports.
(host) #show port xsec

Xsec Ports
----------
Interface  xsec vlan  state
---------  ---------  -----
Command History
This command was available in AOS-W 3.3.2
Command Information

Platforms: All platforms
Licensing: Base operating system
Command Mode: Config or Enable mode on master or local switches

show priority-map
show priority-map

Description
Displays the list of priority maps on an interface.

Syntax
No parameters.

Example
The output of this command shows the priority maps configured on all interfaces.
(host) # show priority-map

Priority Map
------------
ID  Name    DSCP-TOS  DOT1P-COS
--  ----    --------  ---------
1   my-map  4-20,60   4-7

Command History
This command was available in AOS-W 3.0

Command Information

Platforms: All platforms
Licensing: Base operating system
Command Mode: Config or Enable mode on master or local switches

show processes
show processes [sort-by {cpu | memory}]
Description
Displays the list of all processes running on the switch. You can sort the list by either CPU usage or memory usage.
Syntax

Parameter  Description
sort-by    Add a sort filter to the output
  cpu      This will sort output based on CPU usage.
  memory   This will sort output based on memory usage.

Example
The output of this command shows the list of processes sorted by CPU usage.
(host) # show processes sort-by cpu

%CPU S   PID  PPID   VSZ   RSS   F NI START     TIME      EIP CMD
 3.7 S   595   517 20908 12184 040  0 Apr24 03:39:04 303a4fa8 /mswitch/bin/fpapps
 0.2 S 12354   410  1028   296 000  0 02:13 00:00:00 30087fa8 sleep 10
 0.1 S   536   441 12012  7264 040  0 Apr24 00:09:08 100e4a74 /mswitch/mysql/libexec/mysqld --basedir=/mswitch/mysql --datadir=/var/
 0.0 S     2     1     0     0 040  0 Apr24 00:00:00 00000000 [keventd]
 0.0 S     4     0     0     0 040  0 Apr24 00:00:00 00000000 [kswapd]
 0.0 S     6     0     0     0 040  0 Apr24 00:00:00 00000000 [kupdated]
 0.0 S    57     1     0     0 040  0 Apr24 00:00:00 00000000 [kjournald]
 0.0 S    67     1  1036   424 000  0 Apr24 00:00:00 30087fa8 /bin/sh /mswitch/bin/syslogd_start
 0.0 S     1     0  1028   384 100  0 Apr24 00:00:12 30087fa8 init
 0.0 S   397     1  1732   804 100  0 Apr24 00:00:00 30152fa8 /mswitch/bin/nanny /mswitch/bin/nanny_list 0
 0.0 S   399   397 14140 10172 100  0 Apr24 00:00:16 303c8fa8 /mswitch/bin/arci-cli-helper
 0.0 S   402     1   768   268 040  0 Apr24 00:00:00 30060fa8 /sbin/tftpd -s -l -u nobody /mswitch/sap
 0.0 S    69    67  1404   752 100  0 Apr24 00:01:27 300d3fa8 /mswitch/bin/syslogd -x -r -n -m 0 -f /mswitch/conf/syslog.conf
 0.0 S   407   397  3100  1028 100  0 Apr24 00:00:00 302a0fa8 /mswitch/bin/packet_filter
 0.0 S   408   397  4296  1340 100  0 Apr24 00:00:00 30339fa8 /mswitch/bin/certmgr
 0.0 R     3     0     0     0 040 19 Apr24 00:00:01 00000000 [ksoftirqd_CPU0]
 0.0 S   453   397   700   284 000  0 Apr24 00:01:20 30087fa8 /mswitch/bin/msgHandler -g
 0.0 S   468   397  1236   492 100  0 Apr24 00:00:00 300f8fa8 /mswitch/bin/pubsub
 0.0 S   484   397 18456 14064 100  0 Apr24 00:00:19 303c8fa8 /mswitch/bin/cfgm

Command History
This command was available in AOS-W 3.0

Command Information

Platforms: All platforms
Licensing: Base operating system
Command Mode: Config or Enable mode on master or local switches

show profile-errors
show profile-errors

Description
Displays the list of invalid user-created profiles.

Syntax
No parameters.

Example

The output of this command shows the list of profiles that are invalid and also displays the error in those profiles. In this example, the VLAN 1000 that is mapped to a virtual-ap does not exist.
(host) #show profile-errors

Invalid Profiles
----------------
Profile                     Error
-------                     -----
wlan virtual-ap "test-vap"  VLAN 1000 does not exist

The following is a list of some profile errors:

Error:
  Named VLAN [named_VLAN] is removed
  Named VLAN [named_VLAN] is not mapped
  Named VLAN [named_VLAN] is invalid
  VLAN [x] does not exist
Description: These errors are displayed if a virtual AP profile is configured with a VLAN that does not exist.

Error:
  Server group is invalid
  User derivation rule is invalid
  User role is invalid
Description: This error is displayed if an AAA profile is configured with an invalid server group. This error is displayed if a user role in an AAA profile is invalid.

Error:
  Switch country code is undefined
  Country [country_name] does not match switch country [country_name]
Description: These errors are displayed if your switch is not set to the correct country code or if the country code specified in a WLAN profile does not match the switch's country code.

Error:
  Opmode requires WPA key
Description: This message is displayed if an SSID profile is configured without a WPA key.

Error:
  WARNING: if weptxkey = [x], wepkey[x] must be set in order to use static WEP
Description: This message is displayed if an SSID profile is configured to use a static WEP and the WEP is not configured.

Command History
This command was available in AOS-W 3.0

Command Information

Platforms: All platforms
Licensing: Base operating system
Command Mode: Config or Enable mode on master or local switches

show profile-hierarchy
show profile-hierarchy
Description
Displays the profile hierarchy template.
Syntax
No parameters.
Usage Guidelines
The output of this command shows how profiles relate to each other, and how some higher-level profiles reference other lower-level profiles. The output of this command will vary, depending upon switch configuration and licenses.
Command History
This command was available in AOS-W 3.0
Command Information

Platforms: All platforms
Licensing: Base operating system
Command Mode: Config or Enable mode on master or local switches

show profile-list aaa
show profile-list aaa [{authentication [captive-portal | dot1x | mac | stateful-ntlm | wispr]} |{authentication-server [ldap | radius | tacacs | windows]} | {profile} | {rfc-3576-server} | {server-group} | {xml-api}]
Description
Displays the list of AAA profiles.
Syntax

Parameter              Description
authentication         List of aaa authentication profiles.
  captive-portal       Captive portal authentication profiles.
  dot1x                802.1X authentication profiles.
  mac                  MAC authentication profiles.
  stateful-ntlm        Stateful-NTLM authentication profiles.
  wispr                WISPr authentication profiles.
authentication-server  List of aaa authentication servers
  ldap                 List of servers using LDAP for AAA authentication.
  radius               List of servers using RADIUS for AAA authentication.
  tacacs               List of servers using TACACS+ for AAA authentication.
  windows              List of Windows servers used for AAA authentication.
profile                Displays the AAA profile details.
rfc-3576-server        Displays IP address of RADIUS servers that use RFC 3576 specification to exchange authorization messages.
server-group           List of server group used for RADIUS accounting.
xml-api                List of servers configured in an external XML API server.

Example
The output of this command shows list of AAA profiles that use captive-portal authentication.
(host) # show profile-list aaa authentication captive-portal

Captive Portal Authentication Profile List
------------------------------------------
Name     References  Profile Status
----     ----------  --------------
default  1

Command History
This command was available in AOS-W 3.0
Command Information

Platforms: All platforms
Licensing: Base operating system
Command Mode: Config or Enable mode on master or local switches

show profile-list ap
show profile-list ap [ enet-link-profile | mesh-cluster-profile | mesh-ht-ssid-profile | mesh-radio-profile | regulatory-domain-profile | snmp-profile | snmp-user-profile | system-profile | wired-ap-profile ]
Description
Displays the list of AP profiles.
Syntax

Parameter                  Description
enet-link-profile          Display a list of AP Ethernet link profiles.
mesh-cluster-profile       Display a list of mesh cluster profiles used by mesh nodes.
mesh-ht-ssid-profile       Display a list of mesh high-throughput SSID profiles used by mesh nodes.
mesh-radio-profile         Display a list of mesh radio profiles used by mesh nodes.
regulatory-domain-profile  Display a list of AP regulatory profiles.
snmp-profile               Display a list of SNMP profiles.
snmp-user-profile          Display a list of SNMPv3 user profiles.
system-profile             Display a list of AP system profiles.
wired-ap-profile           Display a list of wired AP profiles.

Example
The output of this command shows list of profiles that are invalid and also displays the error in those profiles.
(host) # show profile-list aaa authentication captive-portal

Captive Portal Authentication Profile List
------------------------------------------
Name     References  Profile Status
----     ----------  --------------
default  1

Command History
This command was available in AOS-W 3.0

Command Information

Platforms: All platforms
Licensing: Base operating system
Command Mode: Config or Enable mode on master or local switches

show profile-list ap-group
show profile-list ap-group

Description
Displays the status of AP group profiles in the switch.

Syntax
No parameters.

Example
The output of this command shows the status of AP group profiles in the switch.

(host) # show profile-list ap-group

AP group List
-------------
Name     Profile Status
----     --------------
default

Total:1

Command History
This command was available in AOS-W 3.0

Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Config or Enable mode on master or local switches


show profile-list ap-name
show profile-list ap-name
Description
Displays the status of AP profiles in the switch.
Syntax
No parameters.
Example
The output of this command shows the status of AP profiles in the switch.

(host) # show profile-list ap-name

AP name List
------------
Name  Profile Status
----  --------------

Total:0
Command History
This command was available in AOS-W 3.0
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Config or Enable mode on master or local switches


show profile-list ids
show profile-list ids [dos-profile | general-profile | impersonation-profile | profile | rate-thresholds-profile | signature-matching-profile | signature-profile | unauthorized-device-profile ]
Description
Displays the status of all IDS profiles in the switch.
Syntax

Parameter                   Description
dos-profile                 Display a list of IDS DoS profiles.
general-profile             Display a list of IDS general profiles.
impersonation-profile       Display a list of IDS impersonation profiles.
profile                     Display a list of IDS profiles.
rate-thresholds-profile     Display a list of IDS rate threshold profiles.
signature-matching-profile  Display a list of IDS signature-matching profiles.
signature-profile           Display a list of IDS signature profiles.
unauthorized-device-profile Display a list of IDS unauthorized device profiles.

Example
The output of this command shows a list of all IDS DoS profiles.

(host) # show profile-list ids dos-profile

IDS Denial Of Service Profile List
----------------------------------
Name                    References  Profile Status
----                    ----------  --------------
default                 1
ids-dos-disabled        1           Predefined
ids-dos-high-setting    1           Predefined
ids-dos-low-setting     1           Predefined
ids-dos-medium-setting  1           Predefined

Total:5

Command History
This command was available in AOS-W 3.0

Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Config or Enable mode on master or local switches


show profile-list rf
show profile-list rf [ arm-profile | dot11a-radio-profile | dot11g-radio-profile | event-thresholds-profile | ht-radio-profile | optimization-profile ]

Description
Displays the status of all radio profiles.
Syntax

Parameter                 Description
arm-profile               Details of Adaptive Radio Management (ARM) Profile.
dot11a-radio-profile      Details of AP radio settings for the 5 GHz frequency band, including the ARM profile and the high-throughput (802.11n) radio profile.
dot11g-radio-profile      Details of AP radio settings for the 2.4 GHz frequency band, including the ARM profile and the high-throughput (802.11n) radio profile.
event-thresholds-profile  Details of events thresholds profile.
ht-radio-profile          Details of high-throughput AP radio settings.
optimization-profile      Details of the RF optimization profile.

Example
The output of this command shows the status of the ARM profile.

(host) # show profile-list rf arm-profile

Adaptive Radio Management (ARM) profile List
--------------------------------------------
Name     References  Profile Status
----     ----------  --------------
default  2

Total:1

Command History
This command was available in AOS-W 3.0

Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Config or Enable mode on master or local switches


show profile-list wlan
show profile-list wlan [ dot11k-profile | edca-parameters-profile | ht-ssid-profile | ssid-profile | traffic-management-profile | virtual-ap | voip-cac-profile | wmm-traffic-management-profile ]

Description
Displays the status of WLAN profiles on the switch.
Syntax

Parameter                       Description
dot11k-profile                  Show a list of all 802.11K profiles.
edca-parameters-profile         Show a list of all enhanced distributed channel access (EDCA) profiles for APs or for clients (stations).
ht-ssid-profile                 Show a list of all high-throughput SSID profiles.
traffic-management-profile      Show a list of all traffic management profiles.
virtual-ap                      Show a list of all the virtual AP profiles.
voip-cac-profile                Show a list of all voice over IP (VoIP) call admission control (CAC) profiles.
wmm-traffic-management-profile  Show a list of all WMM traffic management profiles.

Example
The output of this command shows that the switch has a single ARM profile, "default".

(host) # show profile-list rf arm-profile

Adaptive Radio Management (ARM) profile List
--------------------------------------------
Name     References  Profile Status
----     ----------  --------------
default  2

Total:1

Command History
This command was available in AOS-W 3.0

Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Config or Enable mode on master or local switches


show provisioning-ap-list
show provisioning-ap-list
Description
Displays the list of all APs that are in queue to be provisioned by the admin.
Syntax
No parameters.
Command History
This command was available in AOS-W 3.4
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Config or Enable mode on master or local switches


show provisioning-params
show provisioning-params

Description
Displays the list of parameters and the values used to provision the APs.

Syntax
No parameters.

Example

The output of this command shows the list of all provisioning parameters and their values.

(host) # show provisioning-params

AP provisioning
---------------
Parameter                       Value
---------                       -----
AP Name                         N/A
AP Group                        default
Location name                   N/A
SNMP sysLocation                N/A
Master                          N/A
Gateway                         N/A
Netmask                         N/A
IP Addr                         N/A
DNS IP                          N/A
Domain Name                     N/A
Server Name                     N/A
Server IP                       N/A
Antenna gain for 802.11a        N/A
Antenna gain for 802.11g        N/A
Use external antenna            No
Antenna for 802.11a             both
Antenna for 802.11g             both
IKE PSK                         N/A
PAP User Name                   N/A
PAP Password                    N/A
PPPOE User Name                 N/A
PPPOE Password                  N/A
PPPOE Service Name              N/A
PPPOE CHAP Secret               N/A
USB User Name                   N/A
USB Password                    N/A
USB Device Type                 any
USB Device Identifier           N/A
USB Dial String                 N/A
USB Initialization String       N/A
USB TTY device path             N/A
Mesh Role                       none
Installation                    default
Latitude                        N/A
Longitude                       N/A
Altitude                        N/A
Antenna bearing for 802.11a     N/A
Antenna bearing for 802.11g     N/A
Antenna tilt angle for 802.11a  N/A
Antenna tilt angle for 802.11g  N/A
Mesh SAE                        sae-default

Command History
This command was available in AOS-W 3.0

Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Config or Enable mode on master or local switches


show qos-profile (deprecated)
show qos-profile <profile-name>
Description
Displays the QoS profile configuration.
Command History
This command was deprecated in AOS-W 6.2.


show rap-wml
show rap-wml [cache <server-name> | servers | wired-mac <bssid-of-AP>]
Description
Displays the name and attributes of a MySQL database or a MySQL server.
Syntax

Parameter  Description
cache      Displays the cache of all lookups for a database server.
servers    Displays the database server state.
wired-mac  Displays the wired MAC discovered on traffic through the AP.

Example
The output of this command shows the status of all database servers.

(host) #show rap-wml servers

WML DB Servers
--------------
name  ip  type  user  password  db-name  cache  ageout(sec)  in-service
----  --  ----  ----  --------  -------  -----  -----------  ----------

WML DB Tables
-------------
server  db  table  column  timestamp-column  lookup-time(sec)  delimiter  query-count
------  --  -----  ------  ----------------  ----------------  ---------  -----------

Command History
This command was available in AOS-W 3.0

Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Config or Enable mode on master or local switches


show references aaa authentication
show references aaa authentication {captive-portal <profile-name>}|{dot1x <profile-name>}|{mac <profile-name>}|mgmt|stateful-dot1x|{stateful-ntlm <profile-name>}|vpn|wired|{wispr <profile-name>} [page <number>] [start <number>]
Description
Show AAA profile references.
Syntax

Parameter                      Description
captive-portal <profile-name>  Show the number of references to a captive-portal profile.
dot1x <profile-name>           Show the number of references to a 802.1X authentication profile.
mac <profile-name>             Show the number of references to a MAC authentication profile.
mgmt <profile-name>            Show the number of references to a management authentication profile.
stateful-dot1x                 Show the number of references to the stateful 802.1X authentication profile.
stateful-ntlm <profile-name>   Show the number of references to the specified stateful NTLM authentication profile.
vpn                            Show the number of references to VPN authentication.
wired                          Show the number of references to wired authentication.
wired                          Show the number of references to a wispr authentication.
wispr <profile-name>           Show the number of references to the specified WISPr authentication profile.
page <number>                  Include this optional parameter to limit output of this command to the specified number of items.
start <number>                 Include this optional parameter to start displaying the output of this command at the specified index number.

Example
Use this command to show where a specified AAA profile has been applied. The output of the example shown below indicates that the aaa profile default-dot1x contains a single reference to the 802.1X authentication profile default.

(host) #show references aaa authentication dot1x default

References to 802.1X Authentication Profile "default"
-----------------------------------------------------
Referrer                                          Count
--------                                          -----
aaa profile "default-dot1x" authentication-dot1x  1

Total References:1


Command History
Version      Modification
AOS-W 3.0    Command introduced
AOS-W 3.4.1  The stateful-ntlm and wispr parameters were introduced.

Command Information

Platforms Available on all platforms

Licensing Base operating system

Command Mode Config mode on master and local switches


show references aaa authentication-server
show references aaa authentication-server {ldap <ldap-server-name>}|{radius <radius-server-name>}|{tacacs <tacacs-server-name>} [page <number>] [start <number>]
Description
Display information about AAA authentication servers.
Syntax

Parameter                    Description
ldap <ldap-server-name>      Show the number of server groups that include references to the specified LDAP server.
radius <radius-server-name>  Show the number of server groups that include references to the specified RADIUS server.
tacacs <tacacs-server-name>  Show the number of server groups that include references to the specified TACACS server.
page <number>                Include this optional parameter to limit output of this command to the specified number of items.
start <number>               Include this optional parameter to start displaying the output of this command at the specified index number.

Example
Issue this command to show the AAA server groups that include references to the specified server. The example below shows that two server groups, default and rad, each include a single reference to the radius server rad01.

(host) #show references aaa authentication-server radius rad01

References to RADIUS Server "rad01"
-----------------------------------
Referrer                                 Count
--------                                 -----
aaa server-group "default" server_group  1
aaa server-group "rad" server_group      1

Total References:2

Command History
This command was introduced in AOS-W 3.0.

Command Information

Platforms Available on all platforms

Licensing Base operating system

Command Mode Config mode on master and local switches


show references aaa profile
show references aaa profile <profile-name>
Description
Show references to an AAA Profile.
Syntax

Parameter               Description
profile <profile-name>  Name of an AAA profile for which you want to view references.

Example

Issue this command to show the wlan virtual AP profiles that include references to the specified AAA profile. The example below shows that seven different virtual AP profiles include a single reference to the AAA profile default.

(host) #show references aaa profile default

References to AAA Profile "default"
-----------------------------------
Referrer                                              Count
--------                                              -----
wlan virtual-ap "1.0.0_corporateHQ-wpa2" aaa-profile  1
wlan virtual-ap "110.0.corporateHQ-wpa2" aaa-profile  1
wlan virtual-ap "default" aaa-profile                 1
wlan virtual-ap "corporateHQ-vocera" aaa-profile      1
wlan virtual-ap "corporateHQ-voip-wpa2" aaa-profile   1
wlan virtual-ap "Test123" aaa-profile                 1
wlan virtual-ap "branch12" aaa-profile                1

Total References:7

Command History
This command was introduced in AOS-W 3.0.

Command Information

Platforms Available on all platforms

Licensing Base operating system

Command Mode Config mode on master and local switches


show references aaa server-group
show references aaa server-group <sg-name> [page <number>] [start <number>]
Description
Show references to a server group.
Syntax

Parameter               Description
server-group <sg-name>  Name of the server group for which you want to show references.
page <number>           Include this optional parameter to limit output of this command to the specified number of items.
start <number>          Include this optional parameter to start displaying the output of this command at the specified index number.

Example

Issue this command to display a list of AAA profiles that include references to the specified server group.

(host) #show references aaa server-group default

References to Server Group "default"
------------------------------------
Referrer                                                Count
--------                                                -----
aaa profile "aircorp-office-ssid" mac-server-group      1
aaa profile "amigopod-guest" mac-server-group           1
aaa profile "default" mac-server-group                  1
aaa profile "default-airwave-office" mac-server-group   1
aaa profile "defaultcorporate" mac-server-group         1
aaa profile "defaultcorporate-no-okc" mac-server-group  1
aaa profile "defaultcorporate-okc" mac-server-group     1
aaa profile "default-dot1x" mac-server-group            1
aaa profile "default-India" mac-server-group            1
aaa profile "default-india-hotel" mac-server-group      1
aaa profile "default-India-split" mac-server-group      1
aaa profile "voip-psk" mac-server-group                 1
aaa profile "default-dot1x-psk" mac-server-group        1
aaa profile "default-mac-auth" mac-server-group         1
aaa profile "default-open" mac-server-group             1
aaa profile "default-xml-api" mac-server-group          1

Total References:16

Command History
This command was introduced in AOS-W 3.0.


Command Information

Platforms Available on all platforms

Licensing Base operating system

Command Mode Config mode on master and local switches


show references ap
show references ap
   enet-link-profile <profile-name>
   mesh-cluster-profile <profile-name>
   mesh-ht-ssid-profile <profile-name>
   mesh-radio-profile <profile-name>
   regulatory-domain-profile <profile-name>
   system-profile <profile-name>
   wired-ap-profile <profile-name>
   page <number>
   start <number>
Description
Show the number of references to a specific AP profile.
Syntax

Parameter                                 Description
enet-link-profile <profile-name>          Show AP groups that include references to this Ethernet link profile.
mesh-cluster-profile <profile-name>       Show AP groups that include references to this mesh cluster profile.
mesh-ht-ssid-profile <profile-name>       Show AP groups that include references to this mesh high-throughput SSID profile.
mesh-radio-profile <profile-name>         Show AP groups that include references to this mesh radio profile.
regulatory-domain-profile <profile-name>  Show AP groups that include references to this regulatory domain profile.
system-profile <profile-name>             Show AP groups that include references to this system profile.
wired-ap-profile <profile-name>           Show AP groups that include references to this wired AP profile.
page <number>                             Include this optional parameter to limit output of this command to the specified number of items.
start <number>                            Include this optional parameter to start displaying the output of this command at the specified index number.

Example
The example below shows that 10 different AP groups include links to the AP Ethernet link profile Default. These 10 AP groups reference the Default Ethernet link profile for both their Ethernet 0 and Ethernet 1 interfaces, for a total of 20 references altogether.

(host)#show references ap enet-link-profile default

References to AP Ethernet Link profile "default"
------------------------------------------------
Referrer                                  Count
--------                                  -----
ap-group "10.0.0" enet0-profile           1
ap-group "10.0.0" enet1-profile           1
ap-group "corp" enet0-profile             1
ap-group "corp" enet1-profile             1
ap-group "Corp_AM_Ch1" enet0-profile      1
ap-group "Corp_AM_Ch1" enet1-profile      1
ap-group "Corp_AM_Ch6" enet0-profile      1
ap-group "Corp_AM_Ch6" enet1-profile      1
ap-group "corpTest" enet0-profile         1
ap-group "corpTest" enet1-profile         1
ap-group "default" enet0-profile          1
ap-group "default" enet1-profile          1
ap-group "India_Local" enet0-profile      1
ap-group "India_Local" enet1-profile      1
ap-group "ops" enet0-profile              1
ap-group "ops" enet1-profile              1
ap-group "voip-test" enet0-profile        1
ap-group "voip-test" enet1-profile        1
ap-group "voip-test-nokia" enet0-profile  1
ap-group "voip-test-nokia" enet1-profile  1

Total References:20

Command History
This command was introduced in AOS-W 3.0.

Command Information

Platforms Available on all platforms

Licensing Base operating system

Command Mode Config mode on master and local switches


show references guest-access-email
show references guest-access-email [page <number>] [start <number>]
Description
Show references to the global guest access email profile.
Syntax

Parameter       Description
page <number>   Include this optional parameter to limit output of this command to the specified number of items.
start <number>  Include this optional parameter to start displaying the output of this command at the specified index number.

Example
(host) #show references guest-access-email

References to Guest-access Email Profile
----------------------------------------
Referrer  Count
--------  -----

Total References:0

Command History
This command was introduced in AOS-W 3.0.
Command Information

Platforms Available on all platforms

Licensing Base operating system

Command Mode Config mode on master and local switches


show references ids
show references ids
   dos-profile
   general-profile
   impersonation-profile
   profile
   rate-thresholds-profile
   signature-matching-profile
   signature-profile
   unauthorized-device-profile
Description
Displays IDS profile references.
Syntax

Parameter                    Description
dos-profile                  Show references to an IDS Denial Of Service Profile
general-profile              Show references to an IDS General Profile
impersonation-profile
profile
rate-thresholds-profile      Show references to an IDS Rate Thresholds Profile
signature-matching-profile   Show references to an IDS Signature Matching Profile
signature-profile            Show references to an IDS Signature Profile
unauthorized-device-profile  Show references to an IDS Signature Profile

Command History
This command was introduced in AOS-W 3.0.
Command Information

Platforms Available on all platforms

Licensing Base operating system

Command Mode Config mode on master and local switches


show references papi-security
show references papi-security [page <number>] [start <number>]
Description
Show references to a PAPI security profile.
Syntax

Parameter       Description
page <number>   Include this optional parameter to limit output of this command to the specified number of items.
start <number>  Include this optional parameter to start displaying the output of this command at the specified index number.

Example
(host) #show references papi-security

References to PAPI Security Profile
-----------------------------------
Referrer  Count
--------  -----

Total References:0

Command History
This command was introduced in AOS-W 3.4.
Command Information

Platforms Available on all platforms

Licensing Base operating system

Command Mode Config mode on master and local switches


show references rf
show references rf
   dot11a-radio-profile <profile-name>
   dot11g-radio-profile <profile-name>
   event-thresholds-prof <profile-name>
   ht-radio-profile <profile-name>
   optimization-profile <profile-name>
Description
Show RF profile references.
Syntax

Parameter              Description
dot11a-radio-profile   Show references to an 802.11a radio profile
dot11g-radio-profile   Show references to an 802.11g radio profile
event-thresholds-prof  Show references to an RF Event Thresholds Profile
ht-radio-profile       Show references to a High-throughput radio profile
optimization-profile   Show references to an RF Optimization Profile

Command History
This command was introduced in AOS-W 3.0.
Command Information

Platforms Available on all platforms

Licensing Base operating system

Command Mode Config mode on master and local switches


show references user-role
show references user-role <role_name>
Description
Show access rights for user role.
Syntax

Parameter    Description
<role_name>  The role name assigned to a user.

Example
(host) #show references user-role guest

References to User Role "guest"
-------------------------------
aaa profile "airwave-office-ssid" mac-default-role
aaa profile "amigopod-guest" mac-default-role
aaa profile "corp1344-voip" mac-default-role
aaa profile "default" mac-default-role
aaa profile "default-airwave-office" mac-default-role
aaa profile "default-corp1344" mac-default-role
aaa profile "default-corp1344-no-okc" mac-default-role
aaa profile "default-corp1344-okc" mac-default-role
aaa profile "default-dot1x" mac-default-role
aaa profile "default-dot1x-psk" mac-default-role
aaa profile "default-dot1x-psk" dot1x-default-role
aaa profile "default-India" mac-default-role
aaa profile "default-india-hotel" mac-default-role

Command History
This command was introduced in AOS-W 3.0.
Command Information

Platforms Available on all platforms

Licensing Base operating system

Command Mode Config mode on master and local switches


show references web-server
show references web-server [page <number>] [start <number>]
Description
Show the Web server configuration references.
Syntax

Parameter       Description
page <number>   Include this optional parameter to limit output of this command to the specified number of items.
start <number>  Include this optional parameter to start displaying the output of this command at the specified index number.

Example
(host) #show references web-server

References to Web Server Configuration
--------------------------------------
Referrer  Count
--------  -----

Total References:0

Command History
This command was introduced in AOS-W 3.0.
Command Information

Platforms Available on all platforms

Licensing Base operating system

Command Mode Config mode on master and local switches


show references wlan
show references wlan
   dot11k-profile <profile-name>
   edca-parameters-profile <profile-name>
   ht-ssid-profile <profile-name>
   ssid-profile <profile-name>
   traffic-management-pr <profile-name>
   virtual-ap <profile-name>
   voip-cac-profile <profile-name>
Description
Shows WLAN profile references.
Syntax

Parameter                               Description
dot11k-profile <profile-name>           Shows references to a 802.11K profile.
edca-parameters-profile <profile-name>  Shows references to an EDCA parameters profile.
ht-ssid-profile <profile-name>          Shows references to a high-throughput SSID profile.
ssid-profile <profile-name>             Shows references to an SSID management profile.
traffic-management-pr <profile-name>    Shows references to a traffic management profile.
virtual-ap <profile-name>               Shows references to a virtual AP profile.
voip-cac-profile <profile-name>         Shows references to a VOIP Call Admission Control profile.

Example
(host) #show references web-server

References to Web Server Configuration
--------------------------------------
Referrer  Count
--------  -----

Total References:0

Command History
This command was introduced in AOS-W 3.0.
Command Information

Platforms Available on all platforms

Licensing Base operating system

Command Mode Config mode on master and local switches


show rf am-scan-profile
show rf am-scan-profile [<profile-name>]
Description
Display the Air Monitor (AM) scanning profile list. Optionally display parameter and values of a specified Air Monitor profile.
Syntax

Parameter       Description
<profile-name>  Name of this instance of the profile.

Usage Guidelines
Enter the basic show command to view a list of profiles, the number of profiles and the profile status. For example:

(host) #show rf am-scan-profile

AM Scanning profile List
------------------------
Name     References  Profile Status
----     ----------  --------------
default  9
north    0

Total:2

Example
In the example above, there are two profile names: default and north. The References column indicates the number of references to this profile name. The Profile Status column is blank unless the profile is predefined. Optionally, you can enter a profile name to view the parameters for that profile. For example:

(host) #show rf am-scan-profile default

AM Scanning profile "default"
-----------------------------
Parameter                                   Value
---------                                   -----
Scan Mode                                   all-reg-domain
Dwell time: Active channels                 500
Dwell time: Regulatory Domain channels      250
Dwell time: non-Regulatory Domain channels  200
Dwell time: Rare channels                   100

The explanation of the display output is described in the table below.

Parameter                                   Description
Scan-mode                                   The scanning mode for the radio
all-reg-domain                              Scan channels in all regulatory domains
rare                                        Scan all channels (all regulatory domains and rare channels)
reg-domain                                  Scan channels in the AP's regulatory domain
Dwell time: Active channels                 Dwell time (in ms) for channels where there is wireless activity
Dwell time: Regulatory Domain channels      Dwell time (in ms) for AP's Regulatory domain channels
Dwell time: non-Regulatory Domain channels  Dwell time (in ms) for channels not in the AP's regulatory domain
Dwell time: Rare channels                   Dwell time (in ms) for rare channels

Command History
Release    Modification
AOS-W 6.0  Command introduced

Command Information

Platforms All Platforms

Licensing RFProtect

Command Mode Configuration Mode (config)
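
The profile-list layout described above (Name, References, Profile Status, with a blank status unless the profile is predefined) lends itself to a configuration audit that flags user-defined profiles nothing references, such as north. The Python below is an added example and not part of the AOS-W guide; the sample text is constructed, and the am-predefined row and all function names are assumptions. It slices cells at the dashed ruler so a blank Profile Status cell is handled.

```python
import re
from dataclasses import dataclass

# Constructed sample in the Name / References / Profile Status layout shown on
# this page. The "am-predefined" row is invented to exercise the third column.
SAMPLE = """\
AM Scanning profile List
------------------------
Name           References  Profile Status
----           ----------  --------------
default        9
north          0
am-predefined  0           Predefined

Total:3
"""

RULER_RE = re.compile(r"^-+(?: +-+)+$")  # multi-column ruler, not the title underline
TOTAL_RE = re.compile(r"^Total:\s*(\d+)")


@dataclass
class ProfileRow:
    name: str
    references: int
    status: str  # "" for user-defined profiles, otherwise e.g. "Predefined"


def parse_profile_list(text):
    """Return (title, rows, declared_total) for one profile-list table.

    Cells are sliced at the offsets where each dash run of the ruler starts,
    so an empty Profile Status cell does not shift the other columns.
    """
    lines = [ln.rstrip() for ln in text.splitlines()]
    title = next((ln for ln in lines if ln.strip()), "")
    ruler_idx = next((i for i, ln in enumerate(lines) if RULER_RE.match(ln)), None)
    if ruler_idx is None or ruler_idx == 0:
        raise ValueError("no column ruler found; output is not a profile list")

    starts = [m.start() for m in re.finditer(r"-+", lines[ruler_idx])]
    bounds = list(zip(starts, starts[1:] + [None]))
    header = [lines[ruler_idx - 1][a:b].strip() for a, b in bounds]
    if header[:2] != ["Name", "References"]:
        raise ValueError(f"unexpected columns: {header}")

    rows, declared_total = [], None
    for ln in lines[ruler_idx + 1:]:
        if not ln.strip():
            continue
        total = TOTAL_RE.match(ln)
        if total:
            declared_total = int(total.group(1))
            break
        cells = [ln[a:b].strip() for a, b in bounds]
        if not cells[1].isdigit():
            raise ValueError(f"non-numeric reference count in row: {ln!r}")
        status = cells[2] if len(cells) > 2 else ""
        rows.append(ProfileRow(cells[0], int(cells[1]), status))

    # A mismatch means the capture was cut short (paging, dropped session).
    if declared_total is not None and declared_total != len(rows):
        raise ValueError(f"Total:{declared_total} but parsed {len(rows)} rows")
    return title, rows, declared_total


def unreferenced_user_defined(rows):
    """Names of profiles that nothing references and that are not predefined."""
    return [r.name for r in rows if r.references == 0 and not r.status]


if __name__ == "__main__":
    title, rows, total = parse_profile_list(SAMPLE)
    print(title, "-", total, "profiles")
    for name in unreferenced_user_defined(rows):
        print("unreferenced user-defined profile:", name)
```
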


show rf arm-profile
show rf arm-profile [<profile>]
Description
Show an Adaptive Radio Management (ARM) profile.
Syntax

Parameter  Description
<profile>  Name of an ARM profile.

Usage Guidelines
Issue this command without the <profile> parameter to display the entire ARM profile list, including profile status and the number of references to each profile. Include a profile name to display detailed configuration information for that profile.

Examples

The example below shows that the switch has five configured ARM profiles. The References column lists the number of other profiles with references to the ARM profile, and the Profile Status column indicates whether the profile is predefined. User-defined profiles will not have an entry in the Profile Status column.

(host) # show rf arm-profile

Adaptive Radio Management (ARM) profile List
--------------------------------------------
Name                 References  Profile Status
----                 ----------  --------------
airwave              2
default              4
default-AP85         2
no-scanning          1
Wireless-rf-profile  1

Total:5

This example displays the configuration settings for the profile Wireless_rf_profile.

(host) #show rf arm-profile default

Adaptive Radio Management (ARM) profile "Wireless_rf_profile"
-------------------------------------------------
Parameter                         Value
---------                         -----
Assignment                        single-band
Allowed bands for 40MHz channels  a-only
Client Aware                      Enabled
Max Tx EIRP                       127 dBm
Min Tx EIRP                       9 dBm
Multi Band Scan                   Enabled
Rogue AP Aware                    Disabled
Scan Interval                     10 sec
Active Scan                       Disabled
Scanning                          Enabled
Scan Time                         110 msec
VoIP Aware Scan                   Disabled
Power Save Aware Scan             Disabled
Video Aware Scan                  Enabled
Ideal Coverage Index              10
Acceptable Coverage Index         4
Free Channel Index                25
Backoff Time                      240 sec
Error Rate Threshold              50 %
Error Rate Wait Time              30 sec
Noise Threshold                   75 -dBm
Noise Wait Time                   120 sec
Minimum Scan Time                 8
Load aware Scan Threshold         1250000 Bps
Mode Aware Arm                    Disabled
Scan Mode                         all-reg-domain

The output of this command includes the following parameters:

Parameter                         Description
Assignment                        Displays the current ARM channel/power assignment mode.
Allowed bands for 40MHz channels  Shows if 40 MHz mode of operation is allowed on the 5 GHz (802.11a) or 2.4 GHz (802.11b/g) frequency band only, on all frequency bands, or on neither frequency band.
Client Aware                      Shows if the client aware feature is enabled or disabled. When enabled, the AP does not change channels when there are active clients.
Max Tx Power                      The highest transmit power levels for the AP, from 0-30 dBm in 3 dBm increments. Higher power level settings may be constrained by local regulatory requirements and AP capabilities. In the event that an AP is configured for a Max Tx Power setting it cannot support, this value will be reduced to the highest supported power setting.
Min Tx Power                      The lowest transmit power levels for the AP, from 0-30 dBm, in 3 dBm increments. Note that power settings will not change if the Assignment option is set to disabled or maintain.
Multi Band Scan                   If enabled, single-radio APs will try to scan across bands for rogue AP detection.
Rogue AP Aware                    If enabled, Alcatel-Lucent APs may change channels to contain off-channel rogue APs with active clients. This security feature allows APs to change channels even if the Client Aware setting is disabled.
                                  This setting is disabled by default, and should only be enabled in high-security environments where security requirements are allowed to consume higher levels of network resources. You may prefer to receive Rogue AP alerts via SNMP traps or syslog events.
Scan Interval                     If Scanning is enabled, the Scan Interval defines how often the AP will leave its current channel to scan other channels in the band.
                                  Off-channel scanning can impact client performance. Typically, the shorter the scan interval, the higher the impact on performance. If you are deploying a large number of new APs on the network, you may want to lower the Scan Interval to help those APs find their optimal settings more quickly. Raise the Scan Interval back to its default setting after the APs are functioning as desired.


Active Scan

If enabled, the AP initiates active scanning via probe request. This option elicits more information from nearby APs, but also creates additional management traffic on the network. Active Scan is disabled by default, and should not be enabled except under the direct supervision of Alcatel-Lucent Support.

Scanning

Shows if the AP has enabled or disabled AP scanning of other channels.

Scan Time

The amount of time, in milliseconds, an AP will drift out of the current channel to scan another channel.

VoIP Aware Scan

Shows if Alcatel-Lucent's VoIP Call Admission Control (CAC) prevents any single AP from becoming congested with voice calls. If CAC is enabled, you should also enable VoIP Aware Scan in the ARM profile, so the AP will not attempt to scan a different channel if one of its clients has an active VoIP call.

Power Save Aware Scan

When enabled, the AP will not scan if Power Save is active.

Video Aware Scan

If Video Aware Scan is enabled in the ARM profile, the AP will not attempt to scan a different channel if one of its clients has an active video session.

Ideal Coverage Index

The coverage that the AP should try to achieve on its channel. The denser the AP deployment, the lower this value should be.

Acceptable Coverage Index

The minimal coverage that the AP should try to achieve on its channel. The denser the AP deployment, the lower this value should be.

Free Channel Index

The difference in the interference index between the new channel and current channel must exceed this value for the AP to move to a new channel. The higher this value, the lower the chance an AP will move to the new channel.

Backoff Time

Time, in seconds, an AP backs off after requesting a new channel or power level.

Error Rate Threshold

The percentage of errors in the channel that triggers a channel change.

Error Rate Wait Time

Time, in seconds, that the error rate has to maintain or surpass the error rate threshold before it triggers a channel change.

Noise Threshold

Maximum level of noise (in -dBm) in a channel that triggers a channel change.

Noise Wait Time

Time, in seconds, the noise has to be high to trigger a channel change.

Minimum Scan Time

Time, in seconds, that a channel must be scanned before it is considered for assignment.

Load aware Scan Threshold

The traffic throughput level an AP must reach before it stops scanning, in bytes/second. A value of 0 disables this feature.

Mode Aware Arm

If enabled, ARM will turn APs into Air Monitors (AMs) if it detects higher coverage levels than necessary. This helps avoid higher levels of interference on the WLAN. Although this setting is disabled by default, you may want to enable this feature if your APs are deployed in close proximity (e.g. less than 60 feet apart).

Scan Mode

This parameter defines the scan mode for the AP.
- all-reg-domain: The AP scans channels within all regulatory domains. This is the default setting.
- reg-domain: Limit the AP scans to just the regulatory domain for that AP.


Command History
This command was available in AOS-W 3.0.
Command Information

Platforms: All platforms
Licensing: Base operating system
Command Mode: Enable and Config mode on local and master switches


show rf dot11a-radio-profile
show rf dot11a-radio-profile [<profile>]
Description
Show an 802.11a Radio profile.
Syntax

Parameter

Description

<profile>

Name of an 802.11a profile.

Usage Guidelines
Issue this command without the <profile> parameter to display the entire 802.11a Radio profile list, including profile status and the number of references to each profile. Include a profile name to display detailed configuration information for that profile.

Examples

The example below shows that the switch has three configured 802.11a Radio profiles. The References column lists the number of other profiles with references to the 802.11a Radio profile, and the Profile Status column indicates whether the profile is predefined. User-defined profiles will not have an entry in the Profile Status column.

(host) # show rf dot11a-radio-profile

802.11a radio profile List
--------------------------
Name          References  Profile Status
----          ----------  --------------
default       18
default-AP85  1
test          1

Total:3.

This example displays the configuration settings for the profile default.

(host) # show rf dot11a-radio-profile default

802.11a radio profile "default"
-------------------------------
Parameter                                      Value
---------                                      -----
Radio enable                                   Enabled
Mode                                           ap-mode
High throughput enable (radio)                 Enabled
Channel                                        149+
Beacon Period                                  100 msec
Beacon Regulate                                Disabled
Transmit EIRP                                  15 dBm
Advertise 802.11d and 802.11h Capabilities     Disabled
TPC Power                                      15 dBm
Spectrum load balancing                        Disabled
Spectrum Load balancing mode                   channel
Spectrum load balancing update interval (sec)  30 seconds
Spectrum load balancing threshold (%)          20 percent
Advertised regulatory max EIRP                 0
Spectrum Load Balancing domain                 N/A
RX Sensitivity Tuning Based Channel Reuse      disable
RX Sensitivity Threshold                       0 -dBm
Non 802.11 Interference Immunity               Level-2
Enable CSA                                     Disabled
CSA Count                                      4
Management Frame Throttle interval             1 sec
Management Frame Throttle Limit                20
ARM/WIDS Override                              Disabled
Reduce Cell Size (Rx Sensitivity)              0 dB
Adaptive Radio Management (ARM) Profile        default
High-throughput Radio Profile                  default-a
Maximum Distance                               0 meters
Spectrum Monitoring                            Disabled
Spectrum Monitoring Profile                    default-a
AM Scanning Profile                            default

The output of this command includes the following parameters:

Parameter

Description

Radio enable

Shows if the AP has enabled or disabled transmissions on this radio band.

Mode

Access Point operating mode. Available options are:
- am-mode: Air Monitor mode
- ap-mode: Access Point mode
- apm-mode: Access Point Monitor mode
- sensor-mode: RFprotect sensor mode

High throughput enable (radio)

Name of a high-throughput profile referenced by this 802.11a radio profile. A high-throughput profile manages 40 MHz tolerance settings, and controls whether or not APs using this profile will advertise intolerance of 40 MHz operation. (This option is disabled by default, allowing 40 MHz operation.) A high-throughput profile also determines whether an AP radio using the profile will stop using the 40 MHz channels if surrounding APs or stations advertise 40 MHz intolerance. This option is enabled by default.

Channel

Channel number for the AP 802.11a/802.11n physical layer.

Beacon Period

Time, in milliseconds, between successive beacon transmissions. The beacon advertises the AP's presence, identity, and radio characteristics to wireless clients.

Beacon Regulate

If enabled, this option introduces randomness in the beacon generation so that multiple APs on the same channel do not send beacons at the same time, which causes collisions over the air. This option is disabled by default.

Transmit EIRP

Maximum transmit power (EIRP) in dBm from 0 to 51 in .5 dBm increments. Further limited by regulatory domain constraints and AP capabilities.

Advertise 802.11d and 802.11h Capabilities

If enabled, the radio advertises its 802.11d (Country Information) and 802.11h (Transmit Power Control) capabilities.

TPC Power

The transmit power advertised in the TPC IE of beacons and probe responses.

Spectrum load balancing

The Spectrum load balancing feature helps optimize network resources by balancing clients across channels, regardless of whether the AP or the switch is responding to the wireless clients' probe requests.
If enabled, the switch compares whether or not an AP has more clients than its neighboring APs on other channels. If an AP's client load is at or over a predetermined threshold as compared to its immediate neighbors, or if a neighboring Alcatel-Lucent AP on another channel does not have any clients, load balancing will be enabled on that AP. This feature is disabled by default.


Spectrum load balancing mode

SLB Mode allows control over how to balance clients. Channel-based load-balancing balances clients across channels. Radio-based load-balancing distributes clients across radios on the same band, independent of channels.

Spectrum load balancing mode update interval

This parameter specifies how often spectrum load balancing calculations are made (in seconds). The default value is 30 seconds.

Spectrum load balancing threshold

If the spectrum load balancing feature is enabled, this parameter controls the percentage difference between number of clients on a channel that triggers load balancing. The default value is 20%, meaning that spectrum load balancing is activated when there are 20% more clients on one channel than on another channel used by the AP radio.

Advertised Regulatory Max EIRP

Shows if the radio is configured to work around a known issue on Cisco 7921G telephones by capping a radio's maximum equivalent isotropic radiated power (EIRP). When you enable this parameter, even if the regulatory approved maximum for a given channel is higher than this EIRP cap, the AP radio using this profile will advertise only this capped maximum EIRP in its radio beacons.
The supported value is 1-31 dBm.

Spectrum load balancing domain

Define a spectrum load balancing domain to manually create RF neighborhoods.
Use this option to create RF neighborhood information for networks that have disabled Adaptive Radio Management (ARM) scanning and channel assignment.
- If spectrum load balancing is enabled in a 802.11a radio profile but the spectrum load balancing domain is not defined, AOS-W uses the ARM feature to calculate RF neighborhoods.
- If spectrum load balancing is enabled in a 802.11a radio profile and a spectrum load balancing domain is also defined, AP radios belonging to the same spectrum load balancing domain will be considered part of the same RF neighborhood for load balancing, and will not recognize RF neighborhoods defined by the ARM feature.

RX Sensitivity Tuning Based Channel Reuse

Shows the channel reuse feature's current operating mode: static, dynamic or disable.
- Static: This mode of operation is a coverage-based adaptation of the Clear Channel Assessment (CCA) thresholds. In the static mode of operation, the CCA is adjusted according to the configured transmission power level on the AP, so the AP transmit power decreases as the CCA threshold increases, and vice versa.
- Dynamic: In this mode, the Clear Channel Assessment (CCA) thresholds are based on channel loads, and take into account the location of the associated clients. When you set the Channel Reuse This feature is automatically enabled when the wireless medium around the AP is busy greater than half the time. When this mode is enabled, the CCA threshold adjusts to accommodate transmissions between the AP and its most distant associated client.
- Disable: This mode does not support the tuning of the CCA Detect Threshold.

RX Sensitivity Threshold

If the Rx Sensitivity Tuning Based Channel Reuse feature is set to static mode, this parameter manually sets the AP's Rx sensitivity threshold (-dBm). The AP will filter out and ignore weak signals that are below the channel threshold signal strength. For example, if the RX sensitivity threshold was set to -65 dBm, the AP would ignore signals with a strength from -1 dBm to -64 dBm. If the value is set to zero, the feature will automatically determine an appropriate threshold.


Enable CSA

Shows if Channel Switch Announcements (CSAs) are enabled or disabled. CSAs, as defined by IEEE 802.11h, enable an AP to announce that it is switching to a new channel before it begins transmitting on that channel. This allows clients that support CSA to transition to the new channel with minimal downtime.

CSA Count

Number of channel switch announcements that must be sent prior to switching to a new channel. The default CSA count is 4 announcements.

Management Frame Throttle Interval

Averaging interval for rate limiting mgmt frames from this radio, in seconds. A management frame throttle interval of 0 seconds disables rate limiting.

Management Frame Throttle Limit

Maximum number of management frames that can come in from this radio in each throttle interval.

ARM/WIDS Override

If enabled, this option disables Adaptive Radio Management (ARM) and Wireless IDS functions and slightly increases packet processing performance. If a radio is configured to operate in Air Monitor mode, then the ARM/WIDS override functions are always enabled, regardless of whether or not this check box is selected.

Reduce Cell Size (Rx Sensitivity)

The cell size reduction feature allows you to manage dense deployments and to increase overall system performance and capacity by shrinking an AP's receive coverage area, thereby minimizing co-channel interference and optimizing channel reuse. The possible range of values for this feature is 0-55 dB. The default 0 dB reduction allows the radio to retain its current default Rx sensitivity value.

Adaptive Radio Management (ARM) Profile

Name of an Adaptive Radio Management profile associated with this 802.11a profile.

High-throughput Radio Profile

Name of a High Throughput Radio profile associated with this 802.11a profile.

Maximum Distance

Maximum distance between a client and an AP or between a mesh point and a mesh portal, in meters. This value is used to derive ACK and CTS timeout times. A value of 0 specifies default settings for this parameter, where timeouts are only modified for outdoor mesh radios which use a distance of 16 km.

Spectrum Monitoring

If enabled, the AP operates as a hybrid AP that can simultaneously serve clients and monitor a single channel for spectrum analysis data.

Spectrum Monitoring Profile

The spectrum monitoring profile referenced by APs using this 802.11a radio profile. For details, see rf spectrum-profile on page 549.

AM Scanning Profile

The AM scanning profile referenced by APs using this 802.11a radio profile. For details, see rf am-scan-profile on page 516.

Command History
Release

Modification

AOS-W 3.0

Command introduced.

AOS-W 3.3.2

Introduced support for the high-throughput IEEE 802.11n standard.

AOS-W 3.4.0

Support for the following parameters:
- Spectrum load balancing
- RX Sensitivity Tuning Based Channel Reuse
- RX Sensitivity Threshold
- ARM/WIDS Override

AOS-W 3.4.2

Support for the Beacon Regulate parameter

AOS-W 6.0

Support for the following parameters:
- AM Scanning Profile
- Advertised regulatory max EIRP
- Spectrum Load balancing mode
- Spectrum load balancing update interval (sec)

AOS-W 6.1

Support for the following parameters:
- Spectrum Monitoring
- Spectrum load balancing threshold (%)

AOS-W 6.2.1.0

The Reduce Cell Size (Rx Sensitivity) parameter was introduced.

Command Information

Platforms: All platforms
Licensing: Base operating system
Command Mode: Enable and Config mode on local and master switches


show rf dot11g-radio-profile
show rf dot11g-radio-profile [<profile>]
Description
Show an 802.11g Radio profile.
Syntax

Parameter

Description

<profile>

Name of a 802.11g profile.

Usage Guidelines
Issue this command without the <profile> parameter to display the entire 802.11g profile list, including profile status and the number of references to each profile. Include a profile name to display detailed configuration information for that profile.

Examples

The example below shows that the switch has four configured 802.11g profiles. The References column lists the number of other profiles with references to the 802.11g profile, and the Profile Status column indicates whether the profile is predefined. User-defined profiles will not have an entry in the Profile Status column.

(host) # show rf arm-profile

Adaptive Radio Management (ARM) profile List
--------------------------------------------
Name              References  Profile Status
----              ----------  --------------
airwave           4
default           4
no-scanning       1
nokia-rf-profile  1

Total:4.

This example displays the configuration settings for the profile airwave.

(host) # show rf dot11g-radio-profile default

Parameter                                      Value
---------                                      -----
Radio enable                                   Enabled
Mode                                           ap-mode
High throughput enable (radio)                 Enabled
Channel                                        N/A
Beacon Period                                  100 msec
Beacon Regulate                                Disabled
Transmit EIRP                                  15 dBm
Advertise 802.11d and 802.11h Capabilities     Disabled
TPC Power                                      15 dBm
Spectrum load balancing                        Disabled
Spectrum Load balancing mode                   channel
Spectrum load balancing update interval (sec)  30 seconds
Advertised regulatory max EIRP                 0
Spectrum Load Balancing domain                 N/A
RX Sensitivity Tuning Based Channel Reuse      disable
RX Sensitivity Threshold                       0 -dBm
Non 802.11 Interference Immunity               Level-2
Enable CSA                                     Disabled
CSA Count                                      4
Management Frame Throttle interval             1 sec
Management Frame Throttle Limit                20
ARM/WIDS Override                              Disabled
Reduce Cell Size (Rx Sensitivity)              0 dB
Protection for 802.11b Clients                 Enabled
Adaptive Radio Management (ARM) Profile        default
High-throughput Radio Profile                  default-g
Maximum Distance                               0 meters
Spectrum Monitoring                            Disabled
Spectrum Monitoring Profile                    default-a
AM Scanning Profile                            default

The output of this command includes the following parameters:

Parameter

Description

Radio enable

Shows if the AP has enabled or disabled transmissions on this radio band.

Mode

Access Point operating mode. Available options are:
- am-mode: Air Monitor mode
- ap-mode: Access Point mode
- apm-mode: Access Point Monitor mode
- sensor-mode: RFprotect sensor mode

High throughput enable (radio)

Name of a high-throughput profile referenced by this 802.11a radio profile. A high-throughput profile manages 40 MHz tolerance settings, and controls whether or not APs using this profile will advertise intolerance of 40 MHz operation. (This option is disabled by default, allowing 40 MHz operation.) A high-throughput profile also determines whether an AP radio using the profile will stop using the 40 MHz channels if surrounding APs or stations advertise 40 MHz intolerance. This option is enabled by default.

Channel

Channel number for the AP 802.11a/802.11n physical layer.

Beacon Period

Time, in milliseconds, between successive beacon transmissions. The beacon advertises the AP's presence, identity, and radio characteristics to wireless clients.

Beacon Regulate

If enabled, this option introduces randomness in the beacon generation so that multiple APs on the same channel do not send beacons at the same time, which causes collisions over the air. This option is disabled by default.

Transmit EIRP

Maximum transmit power (EIRP) in dBm from 0 to 51 in .5 dBm increments. Further limited by regulatory domain constraints and AP capabilities.

Advertise 802.11d and 802.11h Capabilities

If enabled, the radio advertises its 802.11d (Country Information) and 802.11h (Transmit Power Control) capabilities.

TPC Power

The transmit power advertised in the TPC IE of beacons and probe responses.

Spectrum load balancing

The Spectrum load balancing feature helps optimize network resources by balancing clients across channels, regardless of whether the AP or the switch is responding to the wireless clients' probe requests.
If enabled, the switch compares whether or not an AP has more clients than its neighboring APs on other channels. If an AP's client load is at or over a predetermined threshold as compared to its immediate neighbors, or if a neighboring Alcatel-Lucent AP on another channel does not have any clients, load balancing will be enabled on that AP. This feature is disabled by default.


Spectrum load balancing mode

SLB Mode allows control over how to balance clients. Channel-based load-balancing balances clients across channels. Radio-based load-balancing distributes clients across radios on the same band, independent of channels.

Spectrum load balancing mode update interval

This parameter specifies how often spectrum load balancing calculations are made (in seconds). The default value is 30 seconds.

Spectrum load balancing threshold

If the spectrum load balancing feature is enabled, this parameter controls the percentage difference between number of clients on a channel that triggers load balancing. The default value is 20%, meaning that spectrum load balancing is activated when there are 20% more clients on one channel than on another channel used by the AP radio.

Advertised Regulatory Max EIRP

Shows if the radio is configured to work around a known issue on Cisco 7921G telephones by capping a radio's maximum equivalent isotropic radiated power (EIRP). When you enable this parameter, even if the regulatory approved maximum for a given channel is higher than this EIRP cap, the AP radio using this profile will advertise only this capped maximum EIRP in its radio beacons.
The supported value is 1-31 dBm.

Spectrum load balancing domain

Define a spectrum load balancing domain to manually create RF neighborhoods.
Use this option to create RF neighborhood information for networks that have disabled Adaptive Radio Management (ARM) scanning and channel assignment.
- If spectrum load balancing is enabled in a 802.11g radio profile but the spectrum load balancing domain is not defined, AOS-W uses the ARM feature to calculate RF neighborhoods.
- If spectrum load balancing is enabled in a 802.11g radio profile and a spectrum load balancing domain is also defined, AP radios belonging to the same spectrum load balancing domain will be considered part of the same RF neighborhood for load balancing, and will not recognize RF neighborhoods defined by the ARM feature.

RX Sensitivity Tuning Based Channel Reuse

Shows the channel reuse feature's current operating mode: static, dynamic or disable.
- Static: This mode of operation is a coverage-based adaptation of the Clear Channel Assessment (CCA) thresholds. In the static mode of operation, the CCA is adjusted according to the configured transmission power level on the AP, so the AP transmit power decreases as the CCA threshold increases, and vice versa.
- Dynamic: In this mode, the Clear Channel Assessment (CCA) thresholds are based on channel loads, and take into account the location of the associated clients. When you set the Channel Reuse This feature is automatically enabled when the wireless medium around the AP is busy greater than half the time. When this mode is enabled, the CCA threshold adjusts to accommodate transmissions between the AP and its most distant associated client.
- Disable: This mode does not support the tuning of the CCA Detect Threshold.

RX Sensitivity Threshold

If the Rx Sensitivity Tuning Based Channel Reuse feature is set to static mode, this parameter manually sets the AP's Rx sensitivity threshold (-dBm). The AP will filter out and ignore weak signals that are below the channel threshold signal strength. For example, if the RX sensitivity threshold was set to -65 dBm, the AP would ignore signals with a strength from -1 dBm to -64 dBm. If the value is set to zero, the feature will automatically determine an appropriate threshold.


Non 802.11 Interference Immunity

Shows the current value for 802.11 Interference Immunity on the 2.4 GHz band. The default setting for this parameter is level 2. When performance drops due to interference from non-802.11 interferers (such as DECT or Bluetooth devices), the level can be increased up to level 5 for improved performance. However, increasing the level makes the AP slightly "deaf" to its surroundings, causing the AP to lose a small amount of range. The levels for this parameter are:
- Level-0: no ANI adaptation.
- Level-1: noise immunity only.
- Level-2: noise and spur immunity.
- Level-3: level 2 and weak OFDM immunity.
- Level-4: level 3 and FIR immunity.
- Level-5: disable PHY reporting.

Enable CSA

Shows if Channel Switch Announcements (CSAs) are enabled or disabled. CSAs, as defined by IEEE 802.11h, enable an AP to announce that it is switching to a new channel before it begins transmitting on that channel. This allows clients that support CSA to transition to the new channel with minimal downtime.

CSA Count

Number of channel switch announcements that must be sent prior to switching to a new channel. The default CSA count is 4 announcements.

Management Frame Throttle Interval

Averaging interval for rate limiting mgmt frames from this radio, in seconds. A management frame throttle interval of 0 seconds disables rate limiting.

Management Frame Throttle Limit

Maximum number of management frames that can come in from this radio in each throttle interval.

ARM/WIDS Override

If enabled, this option disables Adaptive Radio Management (ARM) and Wireless IDS functions and slightly increases packet processing performance. If a radio is configured to operate in Air Monitor mode, then the ARM/WIDS override functions are always enabled, regardless of whether or not this check box is selected.

Reduce Cell Size (Rx Sensitivity)

The cell size reduction feature allows you to manage dense deployments and to increase overall system performance and capacity by shrinking an AP's receive coverage area, thereby minimizing co-channel interference and optimizing channel reuse. The possible range of values for this feature is 0-55 dB. The default 0 dB reduction allows the radio to retain its current default Rx sensitivity value.

Protection for 802.11b Clients

Shows if the profile has enabled or disabled protection for 802.11b clients.

Adaptive Radio Management (ARM) Profile

Name of an Adaptive Radio Management profile associated with this 802.11a profile.

High-throughput Radio Profile

Name of a High Throughput Radio profile associated with this 802.11a profile.

Maximum Distance

Maximum distance between a client and an AP or between a mesh point and a mesh portal, in meters. This value is used to derive ACK and CTS timeout times. A value of 0 specifies default settings for this parameter, where timeouts are only modified for outdoor mesh radios which use a distance of 16km.


Spectrum Monitoring

If enabled, the AP operates as a hybrid AP that can simultaneously serve clients and monitor a single channel for spectrum analysis data.

Spectrum Monitoring Profile

The spectrum monitoring profile referenced by APs using this 802.11g radio profile. For details, see rf spectrum-profile on page 549.

AM Scanning Profile

The AM scanning profile referenced by APs using this 802.11g radio profile. For details, see rf am-scan-profile on page 516.
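The following added example (not part of the original guide) parses captured output of show rf dot11g-radio-profile for one profile and reports the two settings that the parameter descriptions above say switch a protection off: ARM/WIDS Override enabled, and a Management Frame Throttle interval of 0. The fixed-width column layout, the helper names and the rendered sample text are assumptions; the sample values are the ones shown in this page's example output.

```python
import re

# Constructed sample rows: the values from this page's
# "show rf dot11g-radio-profile default" example output.
PAGE_ROWS = [
    ("Radio enable", "Enabled"),
    ("Mode", "ap-mode"),
    ("High throughput enable (radio)", "Enabled"),
    ("Channel", "N/A"),
    ("Beacon Period", "100 msec"),
    ("Beacon Regulate", "Disabled"),
    ("Transmit EIRP", "15 dBm"),
    ("Advertise 802.11d and 802.11h Capabilities", "Disabled"),
    ("TPC Power", "15 dBm"),
    ("Spectrum load balancing", "Disabled"),
    ("Spectrum Load balancing mode", "channel"),
    ("Spectrum load balancing update interval (sec)", "30 seconds"),
    ("Advertised regulatory max EIRP", "0"),
    ("Spectrum Load Balancing domain", "N/A"),
    ("RX Sensitivity Tuning Based Channel Reuse", "disable"),
    ("RX Sensitivity Threshold", "0 -dBm"),
    ("Non 802.11 Interference Immunity", "Level-2"),
    ("Enable CSA", "Disabled"),
    ("CSA Count", "4"),
    ("Management Frame Throttle interval", "1 sec"),
    ("Management Frame Throttle Limit", "20"),
    ("ARM/WIDS Override", "Disabled"),
    ("Reduce Cell Size (Rx Sensitivity)", "0 dB"),
    ("Protection for 802.11b Clients", "Enabled"),
    ("Adaptive Radio Management (ARM) Profile", "default"),
    ("High-throughput Radio Profile", "default-g"),
    ("Maximum Distance", "0 meters"),
    ("Spectrum Monitoring", "Disabled"),
    ("Spectrum Monitoring Profile", "default-a"),
    ("AM Scanning Profile", "default"),
]


def render(rows, width=46):
    """Lay rows out as fixed-width text (assumed layout). With width=46 the
    longest name is followed by a single space, so a parser that splits on
    runs of spaces would misread that row."""
    lines = ["(host) # show rf dot11g-radio-profile default", ""]
    lines.append(f"{'Parameter':<{width}}Value")
    lines.append(f"{'---------':<{width}}-----")
    lines += [f"{name:<{width}}{value}" for name, value in rows]
    return "\n".join(lines)


def with_values(rows, changes):
    """Return a copy of rows with some values replaced (constructed variants)."""
    return [(name, changes.get(name, value)) for name, value in rows]


def parse_profile(text):
    """Return {lower-cased parameter: value}, slicing each row at the column
    where "Value" starts in the header row."""
    col = None
    settings = {}
    for line in text.splitlines():
        if col is None:
            if re.match(r"Parameter\s+Value\s*$", line):
                col = line.index("Value")
            continue  # prompt, title and anything else before the header
        if not line.strip() or set(line.strip()) <= {"-", " "}:
            continue  # blank line or the dashed rule under the header
        name = line[:col].strip()
        if name:
            settings[name.lower()] = line[col:].strip()
    if col is None:
        raise ValueError("no 'Parameter ... Value' header row found")
    return settings


def audit(settings):
    """Return (parameter, message) findings; a missing row is reported
    instead of being treated as a pass."""
    findings = []
    override = settings.get("arm/wids override")
    if override is None:
        findings.append(("ARM/WIDS Override", "not in captured output"))
    elif override.lower() == "enabled":
        findings.append(("ARM/WIDS Override",
                         "enabled: ARM and Wireless IDS functions are disabled"))
    interval = re.match(r"(\d+)", settings.get("management frame throttle interval", ""))
    if interval is None:
        findings.append(("Management Frame Throttle interval",
                         "missing or unreadable in captured output"))
    elif int(interval.group(1)) == 0:
        findings.append(("Management Frame Throttle interval",
                         "0 seconds: management frame rate limiting is disabled"))
    return findings


if __name__ == "__main__":
    changed = with_values(PAGE_ROWS, {"ARM/WIDS Override": "Enabled",
                                      "Management Frame Throttle interval": "0 sec"})
    for label, rows in (("page default", PAGE_ROWS), ("constructed variant", changed)):
        print(label, audit(parse_profile(render(rows))))
```

Run against the page's default values, the audit returns no findings; the constructed variant returns both.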

Command History
Release

Modification

AOS-W 3.0

Command introduced

AOS-W 3.3.2

Introduced protection for 802.11b clients and support for the high-throughput IEEE 802.11n standard

AOS-W 3.4

Support for the following parameters:
- Spectrum load balancing
- RX Sensitivity Tuning Based Channel Reuse
- RX Sensitivity Threshold
- ARM/WIDS Override

AOS-W 3.4.2

Support for the Beacon Regulate parameter

AOS-W 6.0

Support for the following parameters:
- AM Scanning Profile
- Advertised regulatory max EIRP
- Spectrum Load balancing mode
- Spectrum load balancing update interval (sec)

AOS-W 6.1

Support for the following parameters:
- Spectrum Monitoring
- Spectrum load balancing threshold (%)

AOS-W 6.2.1.0

The Reduce Cell Size (Rx Sensitivity) parameter was introduced.

Command Information

Platforms: All platforms
Licensing: Base operating system
Command Mode: Enable and Config mode on local and master switches


show rf event-thresholds-profile
show rf event-thresholds-profile [<profile>]
Description
Show an Event Thresholds profile.
Syntax

Parameter

Description

<profile>

Name of an Event Thresholds profile.

Usage Guidelines
Issue this command without the <profile> parameter to display the entire Event Thresholds profile list, including profile status and the number of references to each profile. Include a profile name to display detailed configuration information for that profile.

Examples
The example below shows that the switch has two configured Event Thresholds profiles. The References column lists the number of other profiles with references to the Event Thresholds profile, and the Profile Status column indicates whether the profile is predefined. User-defined profiles will not have an entry in the Profile Status column.

(host) # show rf event-thresholds-profile

RF Event Thresholds Profile List
--------------------------------
Name     References  Profile Status
----     ----------  --------------
default  6
event1   2

Total: 2.

This example displays the configuration settings for the profile default.

(host) # show rf event-thresholds-profile default

RF Event Thresholds Profile "default"
-------------------------------------
Parameter                                Value
---------                                -----
Detect Frame Rate Anomalies              Disabled
Bandwidth Rate High Watermark            0%
Bandwidth Rate Low Watermark             0%
Frame Error Rate High Watermark          0%
Frame Error Rate Low Watermark           0%
Frame Fragmentation Rate High Watermark  16 %
Frame Fragmentation Rate Low Watermark   8 %
Frame Low Speed Rate High Watermark      16 %
Frame Low Speed Rate Low Watermark       8%
Frame Non Unicast Rate High Watermark    0 %
Frame Non Unicast Rate Low Watermark     0%
Frame Receive Error Rate High Watermark  16 %
Frame Receive Error Rate Low Watermark   8 %
Frame Retry Rate High Watermark          16 %
Frame Retry Rate Low Watermark           8%


The output of this command includes the following parameters:

Parameter

Description

Detect Frame Rate Anomalies

Shows if the profile enables or disables detection of frame rate anomalies.

Bandwidth Rate High Watermark

If bandwidth in an AP exceeds this value, it triggers a bandwidth exceeded condition. The value represents the percentage of maximum for a given radio. (For 802.11b, the maximum bandwidth is 7 Mbps. For 802.11a and g, the maximum is 30 Mbps.) The recommended value is 85%.

Bandwidth Rate Low Watermark

If an AP triggers a bandwidth exceeded condition, the condition persists until bandwidth drops below this value.

Frame Error Rate High Watermark

If the frame error rate (as a percentage of total frames in an AP) exceeds this value, it triggers a frame error rate exceeded condition.

Frame Error Rate Low Watermark

If an AP triggers a frame error rate exceeded condition, the condition persists until the frame error rate drops below this value.

Frame Fragmentation Rate High Watermark

If the frame fragmentation rate (as a percentage of total frames in an AP) exceeds this value, it triggers a frame fragmentation rate exceeded condition.

Frame Fragmentation Rate Low Watermark

If an AP triggers a frame fragmentation rate exceeded condition, the condition persists until the frame fragmentation rate drops below this value.

Frame Low Speed Rate High Watermark

If the rate of low-speed frames (as a percentage of total frames in an AP) exceeds this value, it triggers a low-speed rate exceeded condition.

Frame Low Speed Rate Low Watermark

After a low-speed rate exceeded condition exists, the condition persists until the percentage of low-speed frames drops below this value.

Frame Non Unicast Rate High Watermark

If the non-unicast rate (as a percentage of total frames in an AP) exceeds this value, it triggers a non-unicast rate exceeded condition. This value depends upon the applications used on the network.

Frame Non Unicast Rate Low Watermark

If an AP triggers a non-unicast rate exceeded condition, the condition persists until the non-unicast rate drops below this value.

Frame Receive Error Rate High Watermark

If the frame receive error rate (as a percentage of total frames in an AP) exceeds this value, it triggers a frame receive error rate exceeded condition.

Frame Receive Error Rate Low Watermark

If an AP triggers a frame receive error rate exceeded condition, the condition persists until the frame receive error rate drops below this value.

Frame Retry Rate High Watermark

If the frame retry rate (as a percentage of total frames in an AP) exceeds this value, it triggers a frame retry rate exceeded condition.

Frame Retry Rate Low Watermark

If an AP triggers a frame retry rate exceeded condition, the condition persists until the frame retry rate drops below this value.
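
The high and low watermark pairs described above form a two-threshold (hysteresis) alarm. The Python sketch below is an added illustration, not AOS-W code: it models only the behavior stated in the table, using the 16 % and 8 % frame retry rate watermarks from the sample output; the class and function names and the sample series are constructed for the example.

```python
from dataclasses import dataclass


@dataclass
class WatermarkMonitor:
    """Two-threshold alarm for one rate, with values in percent.

    The condition is raised when a sample exceeds the high watermark and
    persists until a sample drops below the low watermark.
    """
    name: str
    high: float
    low: float
    exceeded: bool = False

    def update(self, rate):
        """Feed one sample; return 'raised', 'cleared' or None."""
        if not self.exceeded and rate > self.high:
            self.exceeded = True
            return "raised"
        if self.exceeded and rate < self.low:
            self.exceeded = False
            return "cleared"
        return None


def replay(monitor, samples):
    """Run a series through a monitor; return (index, rate, event) tuples."""
    events = []
    for index, rate in enumerate(samples):
        event = monitor.update(rate)
        if event is not None:
            events.append((index, rate, event))
    return events


# Constructed series: frame retry rate (percent of total frames) per interval.
SAMPLES = [5, 17, 12, 18, 9, 17, 7, 10, 20]


def compare():
    """Return events with the 16/8 pair and with both watermarks set to 16."""
    with_gap = replay(WatermarkMonitor("frame-retry-rate", high=16, low=8), SAMPLES)
    no_gap = replay(WatermarkMonitor("frame-retry-rate", high=16, low=16), SAMPLES)
    return with_gap, no_gap


if __name__ == "__main__":
    with_gap, no_gap = compare()
    print("high=16 low=8 :", with_gap)
    print("high=16 low=16:", no_gap)
```

With the 16/8 pair the series produces one long condition and a second raise; with both watermarks at 16 the same series raises and clears on every swing around the threshold, which is the event flapping the low watermark is there to suppress.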

Command History
This command was available in AOS-W 3.0.

Command Information

Platforms: All platforms
Licensing: Base operating system
Command Mode: Enable and Config mode on local and master switches

show rf ht-radio-profile
show rf ht-radio-profile [<profile>]
Description
Show a High-throughput Radio profile.
Syntax

Parameter   Description
<profile>   Name of a High-throughput Radio profile.

Usage Guidelines
Issue this command without the <profile> parameter to display the entire High-throughput Radio profile list, including profile status and the number of references to each profile. Include a profile name to display detailed configuration information for that profile.

Examples

The example below shows that the switch has five configured High-throughput Radio profiles. The References column lists the number of other profiles with references to the High-throughput Radio profile, and the Profile Status column indicates whether the profile is predefined and editable, and if that predefined profile has been changed from its default settings. User-defined profiles will not have an entry in the Profile Status column.

(host) # show rf ht-radio-profile

High-throughput radio profile List
----------------------------------
Name           References  Profile Status
----           ----------  --------------
default        0
default-a      8           Predefined (editable)
default-g      3           Predefined (changed)
legacystation  1
test           1

Total:5

This example displays the configuration settings for the predefined profile default-a.

(host) #show rf ht-radio-profile default-a

High-throughput radio profile "default-a" (Predefined (editable))
-----------------------------------------------------------------
Parameter                       Value
---------                       -----
40 MHz intolerance              Disabled
Honor 40 MHz intolerance        Enabled
Diversity spreading workaround  Disabled
CSD Override                    Disabled

The output of this command includes the following parameters:

Parameter

Description

40 MHz intolerance

Shows whether or not APs using this radio profile will advertise intolerance of 40 MHz operation. By default, 40 MHz operation is allowed.

Honor 40 MHz intolerance

If this parameter is enabled, the radio will stop using the 40 MHz channels if the 40 MHz intolerance indication is received from another AP or station.

CSD Override Diversity Spreading Workaround

When this feature is enabled, all legacy transmissions will be sent using a single antenna. This enables interoperability for legacy or high-throughput stations that cannot decode 802.11n cyclic shift diversity (CSD) data. This feature is disabled by default and should be kept disabled unless necessary.

Command History
Release       Modification
AOS-W 3.0     Command introduced
AOS-W 3.3.2   Support for the dsss-cck-40mhz parameter was removed
AOS-W 3.4     Introduced the single-chain-legacy parameter.
AOS-W 6.2     The CSD Override parameter was renamed to diversity spreading workaround.

Command Information

Platforms: All platforms
Licensing: Base operating system
Command Mode: Enable and Config mode on local and master switches

show rf optimization-profile
show rf optimization-profile [<profile>]
Description
Show an Optimization profile.
Syntax

Parameter   Description
<profile>   Name of an ARM profile

Usage Guidelines
Issue this command without the <profile> parameter to display the entire Optimization profile list, including profile status and the number of references to each profile. Include a profile name to display detailed configuration information for that profile.

Examples

The example below shows that the switch has two configured Optimization profiles. The References column lists the number of other profiles with references to the Optimization profile, and the Profile Status column indicates whether the profile is predefined. User-defined profiles will not have an entry in the Profile Status column.

(host) # show rf optimization-profile

RF Optimization Profile List
----------------------------
Name      References  Profile Status
----      ----------  --------------
default   6
profile2  1

Total:2

This example displays the configuration settings for the profile profile2.

(host) #show rf optimization-profile profile2

RF Optimization Profile "profile2"
---------------------------------
Parameter                           Value
---------                           -----
Station Handoff Assist              Disabled
Detect Association Failure          Disabled
Coverage Hole Detection             Disabled
Hole Good RSSI Threshold            20
Hole Good Station Ageout            30 sec
Hole Detection Interval             180 sec
Hole Idle Station Ageout            90 sec
Hole Poor RSSI Threshold            10
Detect interference                 Disabled
Interference Threshold              90 %
Interference Threshold Exceed Time  25 sec
Interference Baseline Time          25 sec
RSSI Falloff Wait Time              0 sec
Low RSSI Threshold                  0
RSSI Check Frequency                0 sec

The output of this command includes the following parameters:

Parameter

Description

Station Handoff Assist

If enabled, this parameter allows the switch to force a client off an AP when the RSSI drops below a defined minimum threshold.

Detect Association Failure

Shows if the profile enables or disables STA association failure detection.

Coverage Hole Detection

Shows if the profile enables or disables coverage hole detection.

Hole Good RSSI Threshold

Time, in seconds, after a coverage hole is detected until a coverage hole event notification is generated. This parameter requires the RF Protect license.

Hole Good Station Ageout

Stations with signal strength above this value are considered to have good coverage. This parameter requires the RF Protect license.

Hole Detection Interval

Time, in seconds, after which a station with good coverage is aged out. This parameter requires the RF Protect license.

Hole Idle Station Ageout

Time, in seconds, after which a station in a poor coverage area is aged out. This parameter requires the RF Protect license.

Hole Poor RSSI Threshold

Stations with signal strength below this value will trigger detection of a coverage hole. This parameter requires the RF Protect license.

Detect interference

Enables or disables interference detection.

Interference Threshold

Percentage increase in the frame retry rate (FRR) or frame receive error rate (FRER) before interference monitoring begins on a given channel.

Interference Threshold Exceed Time

Time, in seconds, the FRR or FRER exceeds the threshold before interference is reported.

Interference Baseline Time

Time, in seconds, the air monitor should learn the state of the link between the AP and client to create frame retry rate (FRR) and frame receive error rate (FRER) baselines.

RSSI Falloff Wait Time

Time, in seconds, to wait with decreasing RSSI before a deauthorization message is sent to the client. The maximum value is 8 seconds.

Low RSSI Threshold

Minimum RSSI above which deauthorization messages should never be sent.

RSSI Check Frequency

Interval, in seconds, to sample RSSI.

Command History
Version     Modification
AOS-W 3.0   Base operating system
AOS-W 3.4   Output parameters displaying load balancing status were removed. You can now view the status of the load balancing feature via the commands show rf dot11a-radio-profile and show rf dot11g-radio-profile.

This command was available in AOS-W 3.0.

Command Information

Platforms: All platforms
Licensing: Base operating system
Command Mode: Enable and Config mode on local and master switches

show rf spectrum-profile
rf spectrum-profile <profile-name>
Description
Show a spectrum profile used by the spectrum analysis feature.
Syntax

Parameter   Description
<profile>   Name of a spectrum profile.

Usage Guidelines
Issue this command without the <profile> parameter to display the entire spectrum profile list, including profile status and the number of references to each profile. Include a profile name to display detailed configuration information for that profile.

Examples
The example below shows that the switch has three configured spectrum profiles. The References column lists the number of other profiles with references to the spectrum profile, and the Profile Status column indicates whether the profile is predefined. User-defined profiles will not have an entry in the Profile Status column.

(host) #show rf spectrum-profile

Spectrum profile List
---------------------
Name       References  Profile Status
----       ----------  --------------
spectrum1  1
default-a  2           Predefined (editable)
default-g  2           Predefined (editable)

This example displays the configuration settings for the profile spectrum1.

(host) #show rf spectrum-profile default

Spectrum profile "default"
--------------------------
Parameter                                   Value
---------                                   -----
Age Out: WIFI                               600 sec
Age Out: Generic Interferer                 30 sec
Age Out: Microwave                          15 sec
Age Out: Microwave (Inverter type)          15 sec
Age Out: Video Device                       60 sec
Age Out: Audio Device                       10 sec
Age Out: Cordless Phone Fixed Frequency     10 sec
Age Out: Generic Fixed Frequency            10 sec
Age Out: Bluetooth                          25 sec
Age Out: Xbox                               25 sec
Age Out: Cordless Network Frequency Hopper  60 sec
Age Out: Cordless Base Frequency Hopper     240 sec
Age Out: Generic Frequency Hopper           25 sec

The output of this command includes the following information:

Parameter

Description

Age Out: WIFI

The number of seconds for which a wifi device must stop sending a signal before the spectrum monitor considers that device no longer active on the network. The default value is 600 seconds.

Age Out: Generic Interferer

The number of seconds for which an unknown device must stop sending a signal before the spectrum monitor considers that device no longer active on the network. The default value is 30 seconds.

Age Out: Microwave

The number of seconds for which a microwave device must stop sending a signal before the spectrum monitor considers that device no longer active on the network. The default value is 15 seconds. Note that this parameter is applicable to 2.4GHz spectrum monitor radios only.

Age Out: Microwave (inverter type)

The number of seconds for which an inverter microwave must stop sending a signal before the spectrum monitor considers that device no longer active on the network. The default value is 15 seconds. Note that this parameter is applicable to 2.4GHz spectrum monitor radios only.

Age Out: Video Device

The number of seconds for which a video device must stop sending a signal before the spectrum monitor considers that device no longer active on the network. The default value is 60 seconds.

Age Out: Audio Device

The number of seconds for which an audio device must stop sending a signal before the spectrum monitor considers that device no longer active on the network. The default value is 10 seconds.

Age Out: Cordless Phone Fixed Frequency

The number of seconds for which a fixed frequency cordless phone must stop sending a signal before the spectrum monitor considers that device no longer active on the network. The default value is 10 seconds.

Age Out: Generic Fixed Frequency

The number of seconds for which a generic fixed frequency device must stop sending a signal before the spectrum monitor considers that device no longer active on the network. The default value is 10 seconds.

Age Out: Xbox

The number of seconds for which an Xbox device must stop sending a signal before the spectrum monitor considers that device no longer active on the network. The default value is 25 seconds. Note that this parameter is applicable to 2.4GHz spectrum monitor radios only.

Age Out: Bluetooth

The number of seconds for which a bluetooth device must stop sending a signal before the spectrum monitor considers that device no longer active on the network. The default value is 25 seconds. Note that this parameter is applicable to 2.4GHz spectrum monitor radios only.

Age Out: Cordless Network Frequency Hopper

The number of seconds for which a frequency-hopping cordless network device must stop sending a signal before the spectrum monitor considers that device no longer active on the network. The default value is 60 seconds.

Age Out: Cordless Base Frequency Hopper

The number of seconds for which a frequency-hopping cordless phone base must stop sending a signal before the spectrum monitor considers that device no longer active on the network. The default value is 240 seconds.

Age Out: Generic Frequency Hopper

The number of seconds for which a generic frequency-hopping device must stop sending a signal before the spectrum monitor considers that device no longer active on the network. The default value is 25 seconds.

Related Commands
rf spectrum-profile
Command History

Release     Modification
AOS-W 6.0   Command introduced
AOS-W 6.2   The spectrum-band parameter was deprecated. The following default ageout times were changed:
            - cordless-fh-base default timeout is 240 seconds (was 25 seconds in previous releases).
            - cordless-fh-network default timeout is 60 seconds (was 10 seconds in previous releases).
            - generic-interferer default timeout is 30 seconds (was 25 seconds in previous releases).
            - video default timeout is 60 seconds (was 10 seconds in previous releases).

Command Information

Platforms: All platforms
Licensing: Base operating system.
Command Mode: Config mode on master and local switches

show rft profile
show rft profile {all|antenna-connectivity|link-quality|raw}
Description
Show parameters for the predefined RF test profiles.
Syntax

Parameter              Description
all                    Show all predefined profiles.
antenna-connectivity   Show configured parameters for the predefined Antenna Connectivity test profile.
link-quality           Show configured parameters for the predefined Link Quality test profile.
raw                    Show configured parameters for the predefined RAW test profile.

Usage guidelines
The rft command is used for RF troubleshooting, and should only be used under the supervision of Alcatel-Lucent technical support. Issue the show rft profile command to view the profiles used for these RF tests.
Example
The following example shows the testing parameters for the predefined link-quality RF test profile.

(host) #show rft profile link-quality

Profile LinkQuality: Built-in profile
--------------------------------------
Parameter    Value
---------    -----
Antenna      1 and/or 2
Frame Type   Null Data
Num Packets  100 for each data-rate
Packet Size  1500
Num Retries  0
Data Rate    All rates are tried

Related Commands
To view the results of an RF test, use the command show rft result.

Command History
This command was available in AOS-W 3.0.

Command Information

Platforms: All platforms
Licensing: Base operating system
Command Mode: Enable and Config mode on local and master switches

show rft result
show rft result all|{trans-id <trans-id>}
Description
Show the results of an RF test.
Syntax

Parameter

Description

all

Show the most recent test result for each test type (antenna-connectivity, link-quality or raw).

trans-id <trans-id>

Each RF test is assigned a transaction ID. Include the trans-id <trans-id> parameters to show the test result for a specific transaction ID.

Usage guidelines
The rft command is used for RF troubleshooting, and should only be used under the supervision of Alcatel-Lucent technical support.
Related Commands
To view a list of the most recent transaction IDs for each test type, use the command show rft transactions.
Command History
This command was available in AOS-W 3.0.
Command Information

Platforms: All platforms
Licensing: Base operating system
Command Mode: Enable and Config mode on local and master switches

show rft transactions
show rft transactions

Description
Show transaction IDs of RF tests.

Syntax
No parameters.

Usage guidelines
The rft command is used for RF troubleshooting, and should only be used under the supervision of Alcatel-Lucent technical support. Issue the show rft transactions command to view the transaction IDs for the most recent test of each test type.

Example
The following example shows the transaction IDs for the latest RAW, link-quality and antenna-connectivity tests.

(host) #show rft transactions

RF troubleshooting transactions
-------------------------------
Profile              Transaction ID
-------              --------------
RAW                  2001
LinkQuality          2101
AntennaConnectivity  1801

Related Commands
Use transaction IDs with the command show rft result to view results for individual RF tests.

Command History
This command was available in AOS-W 3.0.

Command Information

Platforms: All platforms
Licensing: Base operating system
Command Mode: Enable and Config mode on local and master switches

show rights
show rights [<name-of-a-role>]
Description
Displays the list of user roles in the roles table with high-level details of role policies. To view the policies of a specific role, specify the role name.
Syntax

Parameter        Description
name-of-a-role   Enter the role name to view its policy details.

Example
The output of this command shows the list of roles in the role table.

(host) # show rights

RoleTable
---------
Name              ACL  Bandwidth                  ACL List                                Type
----              ---  ---------                  --------                                ----
ap-role           4    Up: No Limit,Dn: No Limit  control/,ap-acl/                        System
authenticated     39   Up: No Limit,Dn: No Limit  allowall/,v6-allowall/                  User
default-vpn-role  37   Up: No Limit,Dn: No Limit  allowall/,v6-allowall/                  User
guest             3    Up: No Limit,Dn: No Limit  http-acl/,https-acl/,dhcp-acl/          User
guest-logon       6    Up: No Limit,Dn: No Limit  logon-control/,captiveportal/           User
logon             1    Up: No Limit,Dn: No Limit  logon-control/,captiveportal/           User
stateful-dot1x    5    Up: No Limit,Dn: No Limit                                          System
voice             38   Up: No Limit,Dn: No Limit  sip-acl/,noe-acl/,svp-acl/,vocera-acl/  User

Command History
This command was available in AOS-W 3.0

Command Information

Platforms: All platforms
Licensing: Base operating system
Command Mode: Config or Enable mode on master or local switches

show roleinfo
show roleinfo
Description
Displays the role of the switch.
Syntax
No parameters.
Example
The output of this command shows the role of the switch.

(host) # show roleinfo
switchrole:master
Command History
This command was available in AOS-W 3.0
Command Information

Platforms: All platforms
Licensing: Base operating system
Command Mode: Config or Enable mode on master or local switches

show rrm dot11k admission-capacity
show rrm dot11k admission-capacity

Description
Displays the available admission capacity for voice traffic on an AP.

Syntax
No parameters.

Example
The output of this command shows the available admission capacity for voice traffic on all APs.

(host) # show rrm dot11k admission-capacity

802.11K Available Admission Capacity for Voice
----------------------------------------------
Flags: B: Bandwidth based CAC, C: Call-count based CAC
       D: CAC Disabled, E: CAC Enabled

AP Name    IP Address    Freq Band  Chan  Total  Available  Flags
-------    ----------    ---------  ----  -----  ---------  -----
r-wing-94  10.16.12.247  5 GHz      40    31250  0          EC
r-wing-94  10.16.12.247  2.4 GHz    11    31250  0          EC

Num APs:2

Command History
This command was available in AOS-W 3.4

Command Information

Platforms: All platforms
Licensing: Base operating system
Command Mode: Config or Enable mode on master or local switches

show rrm dot11k ap-channel-report
show rrm dot11k ap-channel-report [ap-name <name-of-an-ap> | bssid <bssid-of-an-ap> | ip-addr <ip-address-of-an-ap>]
Description
Displays the channel information gathered by the AP. You can either specify an ap-name, bssid or ip-address of an AP to see more details.
Syntax

Parameter   Description
ap-name     Enter the name of the AP.
bssid       Enter the BSSID address of the AP.
ip-addr     Enter the IP address of the AP.

Example
The output of this command shows the channel information for r-wing-94:94.

(host) # show rrm dot11k ap-channel-report ap-name r-wing-94

802.11K AP Channel Report Details
----------------------------------
Freq Band  Channel List
---------  ------------
2.4 GHz    11,
5 GHz      36, 40, 157, 161, 165,

Num Entries:2

Command History
This command was available in AOS-W 3.4

Command Information

Platforms: All platforms
Licensing: Base operating system
Command Mode: Config or Enable mode on master or local switches

show rrm dot11k beacon-report
show rrm dot11k beacon-report

Description
Displays the beacon report information sent by a client to its AP.

Syntax
No parameters.

Example
The output of this command shows the beacon report for the client 00:1f:6c:7a:d4:fd.

(host) # show rrm dot11k beacon-report station-mac 00:1f:6c:7a:d4:fd

802.11K Beacon Report Details
--------------------------------------------------
Channel  BSSID              Reg Class  Antenna ID  Meas. Mode
-------  -----              ---------  ----------  ----------
1        00:0b:86:6d:3e:40  0          1           Bcn Table

Num Elements:1

Command History
This command was available in AOS-W 3.4

Command Information

Platforms: All platforms
Licensing: Base operating system
Command Mode: Config or Enable mode on master or local switches

show rrm dot11k neighbor-report
show rrm dot11k neighbor-report [ap-name | bssid <bssid-of-an-ap> | ip-addr <ip-address-of-an-ap>]
Description
Displays the neighbor information for a particular AP. If the AP name or the AP's IP address is specified, the user should specify the ESSID to get the neighbor information. If the ESSID is not specified, the command will display the neighbor information for all the Virtual APs configured on the AP.
Syntax

Parameter          Description
ap-name            Identify the AP for which you want to view information.
<name-of-an-ap>    Name of an AP.
<essid>            ESSID of the AP. If the ESSID includes spaces, you must enclose it in quotation marks.
bssid              Enter the BSSID address of the AP.
ip-addr            Enter the IP address of the AP.

Example
The output of this command shows the neighbor information for r-wing-94.

(host) # show rrm dot11k neighbor-report ap-name r-wing-94

802.11K Neighbor Report Details
-------------------------------
Flags: S: Spectrum Management, Q: QoS, A: APSD, R: Radio Measurement

ESSID         BSSID              Channel  Reachability  Security  Authenticator  Preference  Flags
-----         -----              -------  ------------  --------  -------------  ----------  -----
r-wing-voice  00:0b:86:6d:3e:30  165      Reachable     Same      Same           1           SR
r-wing-voice  00:0b:86:6d:3e:20  1        Reachable     Same      Same           1           SR
r-wing-data   00:0b:86:6d:3e:40  6        Reachable     Same      Same           1           SR
r-wing-data   00:0b:86:6d:4e:41  153      Reachable     Same      Same           1           SR

Num Entries:4

Command History
This command was available in AOS-W 3.4

Command Information

Platforms: All platforms
Licensing: Base operating system
Command Mode: Config or Enable mode on master or local switches

show rrm dot11k transmit-stream-report station-mac
show rrm dot11k transmit-stream-report station-mac <mac-addr>
Description
This is a diagnostic option for quick verification of received transmit stream measurement reports. Displays the contents of the transmit stream measurement reports received from a client.
Syntax

Parameter   Description
mac-addr    MAC address of the client.

Command History
This command is introduced in AOS-W 5.0
Command Information

Platforms: All platforms
Licensing: Base operating system
Command Mode: Config or Enable mode on master or local switches

show running-config
show running-config
Description
Displays the current switch configuration, including all pending changes which are yet to be saved.
Syntax
No parameters.
Example
The output of this command shows the running configuration on the switch.

(host) # show running-config
version 5.0
enable secret "******"
telnet soe
loginsession timeout 0
hostname "vjoshi-2400"
clock timezone PST -8
location "Building1.floor1"
mms config 0
switch config 986
ip access-list eth validuserethacl
  permit any
!
netservice svc-netbios-dgm udp 138
netservice svc-snmp-trap udp 162
netservice svc-https tcp 443
netservice svc-dhcp udp 67 68 alg dhcp
netservice svc-smb-tcp tcp 445
netservice svc-ike udp 500
netservice svc-l2tp udp 1701
...
...
...
netservice svc-bootp udp 67 69
netservice svc-snmp udp 161
netservice svc-v6-dhcp udp 546 547
netservice svc-icmp 1
--More-- (q) quit (u) pageup (/) search (n) repeat
Command History
This command was available in AOS-W 3.0
Command Information

Platforms: All platforms
Licensing: Base operating system
Command Mode: Config or Enable mode on master or local switches

show session-acl-list
show session-acl-list
Description
Displays the list of configured session ACLs in the switch.
Syntax
No parameters.
Example
The output of this command shows the session ACLs in the switch.

(host) # show session-access-list
v6-icmp-acl
allow-diskservices
control
validuser
v6-https-acl
vocera-acl
icmp-acl
v6-dhcp-acl
captiveportal
v6-dns-acl
allowall
test
sip-acl
https-acl
...
...
...
v6-http-acl
dhcp-acl
http-acl
stateful-dot1x
ap-acl
svp-acl
noe-acl
stateful-kerberos
v6-logon-control
h323-acl
Command History
This command was available in AOS-W 3.4
Command Information

Platforms: All platforms
Licensing: Base operating system
Command Mode: Config or Enable mode on master or local switches

show slots
show slots

Description
Displays the list of slots in the switch, including the status and card type.

Syntax
No parameters.

Example
The output of this command shows slot details on the switch.

(host) # show slots

Slots
------
Slot  Status   Card Type
----  ------   ---------
1     Present  A2400

Command History
This command was available in AOS-W 3.4

Command Information

Platforms: All platforms
Licensing: Base operating system
Command Mode: Config or Enable mode on master or local switches

show snmp community
show snmp community
Description
Displays the SNMP community string details.
Syntax
No parameters.
Example
The output of this command shows slot details on the switch.

(host) # show snmp community

SNMP COMMUNITIES
----------------
COMMUNITY  ACCESS     VERSION
---------  ------     -------
public     READ_ONLY  V1, V2c

Command History
This command was available in AOS-W 3.0

Command Information

Platforms: All platforms
Licensing: Base operating system
Command Mode: Config or Enable mode on master or local switches

show snmp inform
show snmp inform

Description
Displays the length of SNMP inform queue.

Syntax
No parameters.

Example
The output of this command shows slot details on the switch.

(host) # show snmp inform stats

Inform queue size is 100

SNMP INFORM STATS
-----------------
HOST  PORT  INFORMS-INQUEUE  OVERFLOW  TOTAL INFORMS
----  ----  ---------------  --------  -------------

Command History
This command was available in AOS-W 3.0

Command Information

Platforms: All platforms
Licensing: Base operating system
Command Mode: Config or Enable mode on master or local switches

show snmp trap-host
show snmp trap-host

Description
Displays the configured SNMP trap hosts.

Syntax
No parameters.

Example
The output of this command shows details of a SNMP trap host.

(host) # show snmp trap-hosts

SNMP TRAP HOSTS
---------------
HOST        VERSION  SECURITY NAME  PORT  TYPE  TIMEOUT  RETRY
----        -------  -------------  ----  ----  -------  -----
10.16.14.1  SNMPv2c  public         162   Trap  N/A      N/A

Command History
This command was available in AOS-W 3.0

Command Information

Platforms: All platforms
Licensing: Base operating system
Command Mode: Config or Enable mode on master or local switches

show snmp trap-list
show snmp trap-list

Description
Displays the list of SNMP traps.

Syntax
No parameters.

Example
The output of this command shows the list of SNMP traps and the status.

(host) # show snmp trap-list

SNMP TRAP LIST
--------------
TRAP-NAME                         CONFIGURABLE  ENABLE-STATE
---------                         ------------  ------------
authenticationFailure             Yes           Enabled
coldStart                         Yes           Enabled
linkDown                          Yes           Enabled
linkUp                            Yes           Enabled
warmStart                         Yes           Enabled
wlsxAPBssidEntryChanged           Yes           Enabled
wlsxAPEntryChanged                Yes           Enabled
wlsxAPImpersonation               Yes           Enabled
wlsxAPInterferenceCleared         Yes           Enabled
wlsxAPInterferenceDetected        Yes           Enabled
wlsxAPRadioAttributesChanged      Yes           Enabled
wlsxAPRadioEntryChanged           Yes           Enabled
wlsxAccessPointIsDown             Yes           Enabled
wlsxAccessPointIsUp               Yes           Enabled
wlsxAdhocNetwork                  Yes           Enabled
wlsxAdhocNetworkBridgeDetected    Yes           Enabled
wlsxAdhocNetworkBridgeDetectedAP  Yes           Enabled
...                               ...
...                               ...
wlsxFanOK                         Yes           Enabled
wlsxFanTrayInserted               Yes           Enabled
--More-- (q) quit (u) pageup (/) search (n) repeat

Command History
This command was available in AOS-W 3.0

Command Information

Platforms: All platforms
Licensing: Base operating system
Command Mode: Config or Enable mode on master or local switches

show snmp trap-queue
show snmp trap-queue
Description
Displays the list of SNMP traps in queue.
Syntax
No parameters.
Example
The output of this command shows the list of SNMP traps sent to host.

(host) # show snmp trap-queue
2009-04-29 00:47:40 An AP/AM 00:0b:86:cd:cc:14, radio 2 at Location 00:0b:86:cd:cc:14 and channel 1, detected an interfering access point (BSSID 00:e0:fc:18:b5:35, SSID WA1003A). More information can be obtained from http://10.16.15.1/screens/wmsi/reports.html?mode=ap&bssid=00:e0:fc:18:b5:35.
2009-04-29 00:49:01 An AP/AM 00:0b:86:cd:cc:14, radio 2 at Location 00:0b:86:cd:cc:14 and channel 10, detected an interfering access point (BSSID 00:1a:1e:a8:2d:a0, SSID l-wing-94). More information can be obtained from http://10.16.15.1/screens/wmsi/reports.html?mode=ap&bssid=00:1a:1e:a8:2d:a0.
2009-04-29 00:49:19 An AP/AM 00:0b:86:cd:cc:14, radio 2 at Location 00:0b:86:cd:cc:14 and channel 1, detected an interfering access point (BSSID 00:e0:fc:18:b5:35, SSID WA1003A). More information can be obtained from http://10.16.15.1/screens/wmsi/reports.html?mode=ap&bssid=00:e0:fc:18:b5:35.
2009-04-29 00:49:20 An AP/AM 00:0b:86:cd:cc:14, radio 2 at Location 00:0b:86:cd:cc:14 and channel 1, detected an interfering access point (BSSID 00:0b:86:5c:d8:e0, SSID r-wing-94). More information can be obtained from http://10.16.15.1/screens/wmsi/reports.html?mode=ap&bssid=00:0b:86:5c:d8:e0.
2009-04-29 00:49:31 An AP/AM 00:0b:86:cd:cc:14, radio 1 at Location 00:0b:86:cd:cc:14 and channel 36, detected an interfering access point (BSSID 00:1a:1e:8d:dc:20, SSID ). More information can be obtained from http://10.16.15.1/screens/wmsi/reports.html?mode=ap&bssid=00:1a:1e:8d:dc:20.
2009-04-29 00:50:15 An AP/AM 00:0b:86:cd:cc:14, radio 2 at Location 00:0b:86:cd:cc:14 and channel 1, detected an interfering access point (BSSID 00:e0:fc:18:b5:35, SSID WA1003A). More information can be obtained from http://10.16.15.1/screens/wmsi/reports.html?mode=ap&bssid=00:e0:fc:18:b5:35.
--More-- (q) quit (u) pageup (/) search (n) repeat
Command History
This command was available in AOS-W 3.0
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Config or Enable mode on master or local switches
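
The following Python sketch is an added example, not part of the AOS-W guide: it parses the interfering-AP lines shown in the show snmp trap-queue example above and groups them by BSSID so that repeat interferers stand out. The function and field names are hypothetical, and the sample input is the example output above with the pager line included.

```python
import re
from collections import defaultdict
from datetime import datetime

# Sample input: the trap-queue lines from the example above, pager line included.
SAMPLE = """\
2009-04-29 00:47:40 An AP/AM 00:0b:86:cd:cc:14, radio 2 at Location 00:0b:86:cd:cc:14 and channel 1, detected an interfering access point (BSSID 00:e0:fc:18:b5:35, SSID WA1003A). More information can be obtained from http://10.16.15.1/screens/wmsi/reports.html?mode=ap&bssid=00:e0:fc:18:b5:35.
2009-04-29 00:49:01 An AP/AM 00:0b:86:cd:cc:14, radio 2 at Location 00:0b:86:cd:cc:14 and channel 10, detected an interfering access point (BSSID 00:1a:1e:a8:2d:a0, SSID l-wing-94). More information can be obtained from http://10.16.15.1/screens/wmsi/reports.html?mode=ap&bssid=00:1a:1e:a8:2d:a0.
2009-04-29 00:49:19 An AP/AM 00:0b:86:cd:cc:14, radio 2 at Location 00:0b:86:cd:cc:14 and channel 1, detected an interfering access point (BSSID 00:e0:fc:18:b5:35, SSID WA1003A). More information can be obtained from http://10.16.15.1/screens/wmsi/reports.html?mode=ap&bssid=00:e0:fc:18:b5:35.
2009-04-29 00:49:20 An AP/AM 00:0b:86:cd:cc:14, radio 2 at Location 00:0b:86:cd:cc:14 and channel 1, detected an interfering access point (BSSID 00:0b:86:5c:d8:e0, SSID r-wing-94). More information can be obtained from http://10.16.15.1/screens/wmsi/reports.html?mode=ap&bssid=00:0b:86:5c:d8:e0.
2009-04-29 00:49:31 An AP/AM 00:0b:86:cd:cc:14, radio 1 at Location 00:0b:86:cd:cc:14 and channel 36, detected an interfering access point (BSSID 00:1a:1e:8d:dc:20, SSID ). More information can be obtained from http://10.16.15.1/screens/wmsi/reports.html?mode=ap&bssid=00:1a:1e:8d:dc:20.
2009-04-29 00:50:15 An AP/AM 00:0b:86:cd:cc:14, radio 2 at Location 00:0b:86:cd:cc:14 and channel 1, detected an interfering access point (BSSID 00:e0:fc:18:b5:35, SSID WA1003A). More information can be obtained from http://10.16.15.1/screens/wmsi/reports.html?mode=ap&bssid=00:e0:fc:18:b5:35.
--More-- (q) quit (u) pageup (/) search (n) repeat
"""

MAC = r"[0-9a-fA-F]{2}(?::[0-9a-fA-F]{2}){5}"

# The SSID is chosen by the foreign device and may be empty or contain
# punctuation, so the pattern anchors on the fixed text that follows it
# instead of assuming anything about the SSID's characters.
TRAP_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) An AP/AM (?P<ap>" + MAC + r"), "
    r"radio (?P<radio>\d+) at Location (?P<location>.+?) and channel (?P<channel>\d+), "
    r"detected an interfering access point \(BSSID (?P<bssid>" + MAC + r"), "
    r"SSID (?P<ssid>.*?)\)\. More information"
)


def parse_trap_queue(text):
    """Return (events, skipped): parsed interference traps and unmatched lines."""
    events, skipped = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        match = TRAP_RE.match(line)
        if match is None:
            skipped.append(line)  # pager prompts, other trap types, truncated lines
            continue
        event = match.groupdict()
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%d %H:%M:%S")
        event["radio"] = int(event["radio"])
        event["channel"] = int(event["channel"])
        event["bssid"] = event["bssid"].lower()
        events.append(event)
    return events, skipped


def summarize_interferers(events):
    """Group events by interfering BSSID, most frequently reported first."""
    by_bssid = defaultdict(list)
    for event in events:
        by_bssid[event["bssid"]].append(event)
    rows = []
    for bssid, group in by_bssid.items():
        rows.append({
            "bssid": bssid,
            "ssids": sorted({e["ssid"] for e in group}),
            "channels": sorted({e["channel"] for e in group}),
            "reporting_aps": sorted({e["ap"] for e in group}),
            "count": len(group),
            "first_seen": min(e["ts"] for e in group),
            "last_seen": max(e["ts"] for e in group),
        })
    rows.sort(key=lambda r: (-r["count"], r["bssid"]))
    return rows


if __name__ == "__main__":
    parsed, unparsed = parse_trap_queue(SAMPLE)
    for row in summarize_interferers(parsed):
        names = ", ".join(s or "<empty SSID>" for s in row["ssids"])
        print(f'{row["bssid"]}  x{row["count"]}  ch {row["channels"]}  {names}')
    print(f"{len(unparsed)} line(s) not parsed")
```

Lines that do not match are returned instead of being dropped, so a change in trap wording or a new trap type shows up as unparsed input and not as a silent gap.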


show snmp user-table
show snmp user-table [user <username> auth-prot [sha | md5] <value> priv-prot [aes | des] <value>]
Description
Displays the list of SNMP user profiles for a specified username.
Syntax

Parameter   Description
auth-prot   Authentication protocol for the user, either HMAC-MD5-98 Digest Authentication Protocol (MD5) or HMAC-SHA-98 Digest Authentication Protocol (SHA), and the password for use with the designated protocol.
priv-prot   Privacy protocol for the user, either Advanced Encryption Standard (AES) or CBC-DES Symmetric Encryption Protocol (DES), and the password for use with the designated protocol.

Example
The output of this command shows the list of SNMP traps sent to host.
(host) # show snmp user-table

SNMP USER TABLE
---------------
USER  AUTHPROTOCOL  PRIVACYPROTOCOL  FLAGS
----  ------------  ---------------  -----
Sam   SHA           AES
fire  SHA           AES

Command History
This command was available in AOS-W 3.0

Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Config or Enable mode on master or local switches


show spanning-tree
show spanning-tree <interface [fastethernet slot/port | gigabitethernet slot/port | port-channel id] <vlan vlan-id>
Description
View the RSTP and PVST+ configuration.
Syntax

Parameter   Description
interface   Enter the keyword interface followed by the interface and slot/port or port-channel id:
            - For Fast Ethernet enter the keyword fastethernet followed by the slot/port
            - For Gigabit Ethernet enter the keyword gigabitethernet followed by the slot/port
            - For Port Channel enter the keyword port-channel followed by an id number
            Range: 0 to 7
vlan        Enter the keyword vlan followed by the VLAN ID. Range: 1 to 4094 Default: 1

Example--show spanning-tree
(host) # show spanning-tree
Spanning tree instance for vlan 10
Spanning Tree is executing the IEEE compatible Rapid Spanning Tree protocol
Bridge Identifier has priority 32768, address 00:0b:86:f0:20:00
Configured hello time 2, max age 20, forward delay 15
We are the root of the spanning tree
Topology change flag is not set, detected flag not set, changes 1
Times: hold 1, topology change 35
hello 2, max age 20, forward delay 15
Timers: hello 0, notification 0
Last topology change: 2 days, 0 hours, 31 mins, 21 secs

Spanning tree instance for vlan 20
Spanning Tree is executing the IEEE compatible Rapid Spanning Tree protocol
Bridge Identifier has priority 32768, address 00:0b:86:f0:20:00
Configured hello time 2, max age 20, forward delay 15
We are the root of the spanning tree
Topology change flag is not set, detected flag not set, changes 1
Times: hold 1, topology change 3
hello 2, max age 20, forward delay 15
Timers: hello 0, notification 0
Last topology change: 1 days, 0 hours, 3 mins, 2 secs

Example--show spanning-tree vlan
(host) # show spanning-tree vlan 2
Spanning Tree is executing the IEEE compatible Rapid Spanning Tree protocol
Bridge Identifier has priority 32768, address 00:0b:86:f0:20:00
Configured hello time 2, max age 20, forward delay 15
We are the root of the spanning tree
Topology change flag is not set, detected flag not set, changes 1
Times: hold 1, topology change 35
hello 2, max age 20, forward delay 15
Timers: hello 0, notification 0
Last topology change: 2 days, 0 hours, 31 mins, 21 secs

Command History
Command History

Release     Modification
AOS-W 6.0   PVST+ added
AOS-W 3.4   Upgraded STP to RSTP with full backward compatibility.

Command Information

Platform All platforms

Licensing Base operating system

Command Mode
Enable mode and Configuration mode (config) on master switches


show spantree
show spantree <blocking> | <enable> | <forwarding> | <off> | <vlan>
Description
View the global RSTP and PVST+ topology.
Syntax

Parameter    Description
blocking     View the spanning tree ports in the Blocking state.
enable       View the spanning tree ports in the Enable state.
forwarding   View the spanning tree ports in the Forwarding state.
off          View the ports with spanning tree disabled.
vlan         View the spanning tree instance for the VLAN.

Example

(host) # show spantree

Spanning tree instance vlan 10
Designated Root MAC       00:0b:86:f0:20:00
Designated Root Priority  32768
This bridge is the root
Root Max Age 20 sec  Hello Time 2 sec  Forward Delay 15 sec
Bridge MAC                00:0b:86:f0:20:00
Bridge Priority           32768
Configured Max Age 20 sec  Hello Time 2 sec  Forward Delay 15

Interface  Role        State       Cost  Prio.Nbr  Type
---------  ----        -----       ----  --------  ----
eth1/3     Root        Forwarding  2     128.131   P2p Peer
eth1/1     Designated  Forwarding  2     128.129   Edge P2p

Rapid Spanning Tree port configuration
--------------------------------------
Port    State       Cost  Prio  PortFast  P-to-P  Role
----    -----       ----  ----  --------  ------  ----
FE 1/3  Discarding  0     128   Disable   Enable  Disabled
FE 1/1  Forwarding  4     128   Disable   Enable  Designated

Spanning tree instance vlan 20
Designated Root MAC       00:0b:86:f0:20:20
Designated Root Priority  32768
Root Cost                 11
Root Max Age 20 sec  Hello Time 2 sec  Forward Delay 15 sec
Bridge MAC                00:0b:86:f0:20:30
Bridge Priority           32768
Configured Max Age 20 sec  Hello Time 2 sec  Forward Delay 15

Rapid Spanning Tree port configuration
--------------------------------------
Port    State       Cost  Prio  PortFast  P-to-P  Role
----    -----       ----  ----  --------  ------  ----
FE 1/3  Discarding  0     128   Disable   Enable  Disabled
FE 1/1  Forwarding  4     128   Disable   Enable  Designated

Command History

Release     Modification
AOS-W 6.0   PVST+ added
AOS-W 3.4   Upgraded STP to RSTP with full backward compatibility.

Command Information

Platform All platforms

Licensing Base operating system

Command Mode
Enable mode and Configuration mode (config) on master switches


show ssh
show ssh

Description
Displays the SSH configuration details.

Syntax
No parameters.

Example
The output of this command shows SSH configuration details.
(host) # show ssh

SSH Settings:
-------------
DSA                              Enabled
Mgmt User Authentication Method  username/password

Command History
This command was available in AOS-W 3.0

Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Config or Enable mode on master or local switches


show startup-config
show startup-config
Description
Displays the configuration which will be used the next time the switch is rebooted. It contains all the options last saved using the write memory command. Any unsaved changes are not included.
Syntax
No parameters.
Example
The output of this command shows slot details on the switch.

(host) # show startup-config
version 3.4
enable secret "608265290155fb924578f15b12670a75a37045cbdf62fb0d3a"
telnet cli
telnet soe
loginsession timeout 30
hostname "FirstFloor2400"
clock timezone PST -8
location "Building1.floor1"
mms config 0
switch config 22
ip access-list eth validuserethacl
  permit any
!
netservice svc-snmp-trap udp 162
netservice svc-dhcp udp 67 68
netservice svc-smb-tcp tcp 445
netservice svc-https tcp 443
netservice svc-ike udp 500
netservice svc-l2tp udp 1701
netservice svc-syslog udp 514
...
...
...
netservice svc-msrpc-udp udp 135 139
netservice svc-ssh tcp 22
netservice svc-http-proxy1 tcp 3128
--More-- (q) quit (u) pageup (/) search (n) repeat
Command History
This command was available in AOS-W 3.0
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Config or Enable mode on master or local switches


show station-table
show station-table [mac <mac_address>]

Description
Displays the internal station table entries and also details of a station table entry.

Syntax
No parameters.

Example
The output of this command shows details of an entry in the station table.
(host) # show station-table mac 00:1f:6c:7a:d4:fd

Association Table
-----------------
BSSID              IP            Essid  AP name  Phy  Age
-----              --            -----  -------  ---  ---
00:0b:86:6d:3e:30  10.15.20.252  sam    -        a    01:03:41

Command History
This command was available in AOS-W 3.0

Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Config or Enable mode on master or local switches


show storage
show storage

Description
Displays the storage information on the switch.

Syntax
No parameters.

Example

The output of this command shows the storage details on the switch.

(host) # show storage
Filesystem       Size    Used    Available  Use%  Mounted on
/dev/root        57.0M   54.6M   2.3M       96%   /
none             70.0M   2.0M    68.0M      3%    /tmp
/dev/hda3        149.7M  9.3M    132.6M     7%    /flash
/dev/usb/flash3  1.5G    168.6M  1.3G       12%   /flash
/dev/usbdisk/2   3.5G    71.4M   3.2G       2%    /mnt/usbdisk/2
/dev/usbdisk/1   3.9G    131.0M  3.8G       3%    /mnt/usbdisk/1

The number at the end of the USB device's name is the partition. Unlike the switch's flash, the USB device has more than two partitions; not just 0 and 1. When copying a file from a USB device, you must know which partition the target file is on.
Command History
This command was available in AOS-W 3.0
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Config or Enable mode on master or local switches


show switch ip
show switch ip
Description
Displays the IP address of the switch and VLAN ID.
Syntax
No parameters.
Example
The output of this command shows the IP address and VLAN ID of the switch.

(host) # show switch ip
Switch IP Address: 10.16.15.1
Switch IP is from Vlan Interface: 1
Command History
This command was available in AOS-W 3.0
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Config or Enable mode on master or local switches


show switch software
show switch software
Description
Displays the details of the software running in the switch.
Syntax
No parameters.
Example
The output of this command shows the details of software running in the switch.

(host) # show switch software
Alcatel-Lucent Operating System-Wireless.
AOS-W (MODEL: OAW-650-US), Version 3.4.0.0
Website: http://www.alcatel.com/enterprise
All Rights Reserved (c) 2005-2009, Alcatel-Lucent.
Compiled on 2009-05-31 at 21:59:21 PDT (build 21443) by p4build
ROM: System Bootstrap, Version CPBoot 1.0.0.0 (build 21083)
Built: 2009-04-06 20:51:16
Built by: p4build@re_client_21083
Switch uptime is 23 hours 15 minutes 4 seconds
Reboot Cause: User reboot.
Supervisor Card
Processor XLS 408 (revision A1) with 907M bytes of memory.
32K bytes of non-volatile configuration memory.
256M bytes of Supervisor Card System flash (model=NAND 256MB).
Command History
This command was available in AOS-W 3.0
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Config or Enable mode on master or local switches


show switches
show switches [all | state {complete | incomplete | inprogress | required} | summary ]
Description
Displays the details of switches connected to the master switch, including the master switch itself.
Syntax

Parameter   Description
all         List of all switches.
state       Configuration status of all switches.
summary     Status of all switches connected to the master.

Example
The output of this command shows that there is a single local switch connected to the master switch.
(host) # show switches all

All Switches
------------
IP Address  Name       Location          Type    Version        Status  Configuration State  Config Sync Time (sec)
----------  ----       --------          ----    -------        ------  -------------------  ----------------------
10.16.12.1  r-wing-94  Building1.floor1  master  6.0.0.0_13782  up      UPDATE SUCCESSFUL    0
192.0.2.12  CorpA2400  Building1.floor1  master  6.0.0.0_13782  up      UPDATE SUCCESSFUL    0

Command History

Version     Description
AOS-W 3.0   Command introduced.
AOS-W 6.0   The version column in the output of this command was expanded to include both the version and the build number for switches running AOS-W 6.0 and later releases.

Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Config or Enable mode on master or local switches


show switchinfo
show switchinfo
Description
Displays the latest and complete summary of switch details including role, last configuration change, hostname, reason for last reboot.
Syntax
No parameters.
Example
The output of this command lists all switches connected to the master switch including the master switch.
(host) # show switchinfo
Hostname is Techpubs
Console Baudrate: 115200
Location not configured
System Time:Tue Nov 27 16:22:14 PST 2012
Alcatel-Lucent Operating System-Wireless.
AOS-W (MODEL: OAW-7220), Version 6.2.0.0
Website: http://www.alcatel.com/enterprise
All Rights Reserved (c) 2005-2012, Alcatel-Lucent.
Compiled on 2012-11-26 at 17:06:31 PST (build 36290) by p4build
ROM: System Bootstrap, Version CPBoot 1.2.0.9 (build 35873)
Built: 2012-10-24 13:51:09
Built by: p4build@re_client_35873
Switch uptime is 9 hours 34 minutes 3 seconds
Reboot Cause: User reboot.
Built: 2012-10-24 13:51:0
Built by: p4build@re_client_35873
Internet address is 172.16.0.254 255.255.255.0
Routing interface is enable, Forwarding mode is enable
Directed broadcast is disabled
Encapsulation 802, loopback not set
MTU 1500 bytes
Last clearing of "show interface" counters 0 day 9 hr 34 min 3 sec
link status last changed 0 day 9 hr 34 min 3 sec
Proxy Arp is disabled for the Interface
switchrole:master
Configuration unchanged since last save
Crash information available.
Command History
This command was available in AOS-W 3.0
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Config or Enable mode on master or local switches


show syscontact
show syscontact
Description
Displays the contact information for support.
Syntax
No parameters.
Example
The output of this command shows the contact information for technical support.
(host) # show syscontact
admin@mycompany.com
Command History
This command was available in AOS-W 3.1
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Config or Enable mode on master or local switches


show syslocation
show syslocation
Description
Displays the location details of the switch.
Syntax
No parameters.
Example
The output of this command shows the location of the switch.
(host) # show syslocation
Building 1, Floor 1
Command History
This command was available in AOS-W 3.1
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Config or Enable mode on master or local switches


show tech-support
show tech-support
Description
Displays all information about the switch required for technical support purposes.
Syntax
No parameters.
Command History
This command was available in AOS-W 3.1
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Config or Enable mode on master or local switches


show telnet
show telnet
Description
Displays the status of telnet access using the command line interface (CLI) or Serial over Ethernet (SOE) to the switch.
Syntax
No parameters.
Example
The output of this command shows the status of CLI and SOE access to the switch.
(host) # show telnet
telnet cli is enabled
telnet soe is enabled
Command History
This command was available in AOS-W 3.0
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Config or Enable mode on master or local switches


show threshold
show threshold all|controlpath-cpu|controlpath-memory|datapath-cpu| no-of-aps|no-of-locals|total-tunnel-capacity|user-capacity|
Description
This command shows switch capacity thresholds which, when exceeded, will trigger alerts.
Syntax

Parameter               Description
all                     Display all alert thresholds.
controlpath-cpu         Display the alert threshold for controlpath CPU capacity. The output of this command shows the percentage of the total controlpath CPU capacity that must be exceeded before the alert is sent. The default threshold for this parameter is 80%.
controlpath-memory      Display the alert threshold for controlpath memory consumption. The output of this command shows the percentage of the total memory capacity that must be exceeded before the alert is sent. The default threshold for this parameter is 85%.
datapath-cpu            Display the alert threshold for datapath CPU capacity. The output of this command shows the percentage of the total datapath CPU capacity that must be exceeded before the alert is sent. The default threshold for this parameter is 30%.
no-of-APs               The maximum number of APs that can be connected to a switch is determined by that switch's model type and installed licenses. This threshold triggers an alert when the number of APs currently connected to the switch exceeds a specific percentage of its total AP capacity. The default threshold for this parameter is 80%.
no-of-locals            Display the alert threshold for the master switch's capacity to support remote nodes and local switches. A master switch can support a combined total of 256 remote nodes and local switches. The output of this command shows the percentage of the total master switch capacity that must be exceeded before the alert is sent. The default threshold for this parameter is 80%.
total-tunnel-capacity   Display the alert threshold for the switch's tunnel capacity. The output of this command shows the percentage of the switch's total tunnel capacity that must be exceeded before the alert is sent. The default threshold for this parameter is 80%.
user-capacity           Display the alert threshold for the switch's user capacity. The output of this command shows the percentage of the total resource capacity that must be exceeded before the alert is sent. The default threshold for this parameter is 80%.

Usage Guidelines
The switch will send a wlsxThresholdAbove SNMP trap and a syslog error message when the switch has exceeded a set percentage of the total capacity for that resource. A wlsxThresholdBelow SNMP trap and error message will be triggered if the resource usage drops below the threshold once again.

Example
The following command shows the current alert thresholds for controlpath memory resources:
(host) (config) #show threshold-limits controlpath-memory

Threshold Values For Controlpath Memory
----------------------------------------
Default(%)  Current(%)  Total Memory (MB)  Available Memory (MB)
----------  ----------  -----------------  ---------------------
85          77          679                225

Command History
The command was introduced in AOS-W 6.2.

Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Enable and Config mode on master and local switches


show threshold-limits
show threshold-limits controlpath-memory|fan-speed|no-of-aps|no-of-locals|total-tunnel-capacity|user-capacity
Description
This command shows current values of the different resources monitored by the switch.
Syntax

Parameter

Description

controlpath-memory

The output of this command displays the default memory threshold which, when exceeded, will trigger an alert, the current configured threshold, the total memory (in MB) and the currently available memory (in MB).

fan-speed

The output of this command displays the fan alert threshold. This parameter is only available for switches with fans, such as the OAW-6000 and 7200 series.

no-of-aps

The output of this command displays the following values:
- The default threshold for the number of APs, which, when exceeded, will trigger an alert.
- The current configured threshold.
- The maximum number of APs supported by the switch.
- The number of available licenses for campus and remote APs.
- The total number of APs, and the current number of campus, remote and virtual APs.

no-of-locals

The output of this command displays the default threshold for the number of local switches which, when exceeded, will trigger an alert, and the current configured threshold. The output also displays the maximum number of local switches that can be connected to this master switch, and the number of local switches currently connected.

total-tunnel-capacity

The output of this command displays the default tunnel capacity threshold which, when exceeded, will trigger an alert, as well as the current configured tunnel threshold. The output also includes the maximum number of tunnels supported by the switch, as well as the number of tunnels currently used by the switch.

user-capacity

The output of this command displays the default user capacity threshold which, when exceeded, will trigger an alert, as well as the current configured user threshold. The output also includes the maximum number of users supported by the switch, as well as the number of users currently associated with the switch.

Usage Guidelines
The switch will send a wlsxThresholdAbove SNMP trap and a syslog error message when the switch has exceeded a set percentage of the total capacity for that resource. A wlsxThresholdBelow SNMP trap and error message will be triggered if the resource usage drops below the threshold once again.
Example
The following command shows the current alert thresholds for all monitored switch resources:

(host) (config) #show threshold all

Controller Capacity Threshold Values
------------------------------------
RESOURCE               THRESHOLD(%)
--------               ------------
Datapath-Cpu           30 %
Controlpath-Cpu        80 %
Controlpath-Memory     85 %
Total-Tunnel-Capacity  80 %
Ap-Tunnel-Capacity     80 %
User-Capacity          80 %
No-of-APs              80 %
No-of-locals           80 %

Command History
The command was introduced in AOS-W 6.2.

Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Enable and Config mode on master and local switches


show tpm cert-info
show tpm cert-info
Description
Displays the TPM and Factory Certificate information on MIPS switches (OAW-S3, , OAW-4x04 Series, OAW-4306 Series, OAW-4x50).
Syntax
No parameters.
Usage Guidelines
Use this command to verify that TPM and factory certificates are installed as expected. This command should be executed before enabling CPSec on MIPS switches (OAW-S3, , OAW-4x04 Series, OAW-4306 Series, OAW-4x50).
Example
In the example below, the TPM and certificates are installed.
(host)#show tpm cert-info
subject= /CN=AF0000168::00:0b:86:f0:33:e0
issuer= /DC=com/DC=arubanetworks/DC=ca/CN=DEVICE-CA2
serial=1F023F05000000015087
notBefore=Jan 30 01:38:57 2009 GMT
notAfter=Jan 25 01:38:57 2029 GMT

In the example below, the switch is not able to verify the TPM or Factory Certificate information.
(host)#show tpm cert-info
Cannot get TPM and Factory Certificate Info
TPM and/or Factory Certificates might be missing.
Command History

Release     Modification
AOS-W 5.0   Command introduced

Command Information
Platforms MIPS switches (OAW-S3, , OAW-4x04 Series, OAW-4306 Series, OAW-4x50)

Licensing Base operating system

Command Mode Enable Mode
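
The following Python sketch is an added example, not part of the AOS-W guide: it turns the two show tpm cert-info outputs shown above into a pre-flight check that can be run on captured CLI output before CPSec is enabled. The function names and the two reference dates are hypothetical, and the sample inputs are the example outputs above.

```python
from datetime import datetime, timezone

# Sample inputs: the two example outputs shown above.
INSTALLED = """\
(host)#show tpm cert-info
subject= /CN=AF0000168::00:0b:86:f0:33:e0
issuer= /DC=com/DC=arubanetworks/DC=ca/CN=DEVICE-CA2
serial=1F023F05000000015087
notBefore=Jan 30 01:38:57 2009 GMT
notAfter=Jan 25 01:38:57 2029 GMT
"""
MISSING = """\
(host)#show tpm cert-info
Cannot get TPM and Factory Certificate Info
TPM and/or Factory Certificates might be missing.
"""

# Constructed reference times used to exercise the validity-window check.
SAMPLE_NOW = datetime(2013, 3, 1, tzinfo=timezone.utc)
AFTER_EXPIRY = datetime(2029, 2, 1, tzinfo=timezone.utc)

REQUIRED = ("subject", "issuer", "serial", "notBefore", "notAfter")
FAILURE_MARKER = "Cannot get TPM and Factory Certificate Info"


def parse_cert_info(output):
    """Collect the key=value fields of the certificate block; other lines are ignored."""
    fields = {}
    for line in output.splitlines():
        key, sep, value = line.partition("=")  # split on the first '=' only
        key = key.strip()
        if sep and key in REQUIRED:
            fields[key] = value.strip()
    return fields


def _parse_time(value):
    # Dates are printed as e.g. "Jan 30 01:38:57 2009 GMT".
    parsed = datetime.strptime(value, "%b %d %H:%M:%S %Y GMT")
    return parsed.replace(tzinfo=timezone.utc)


def cpsec_preflight(output, now=None):
    """Return a list of problems found in the output; an empty list means none."""
    now = now or datetime.now(timezone.utc)
    if FAILURE_MARKER in output:
        return ["switch reports TPM and/or factory certificates missing"]
    fields = parse_cert_info(output)
    absent = [name for name in REQUIRED if name not in fields]
    if absent:
        # Truncated capture or an output format this check does not know.
        return ["incomplete certificate output, no value for: " + ", ".join(absent)]
    try:
        not_before = _parse_time(fields["notBefore"])
        not_after = _parse_time(fields["notAfter"])
    except ValueError as exc:
        return [f"unparseable validity date: {exc}"]
    problems = []
    if now < not_before:
        problems.append(f"certificate not yet valid (notBefore {fields['notBefore']})")
    if now > not_after:
        problems.append(f"certificate expired (notAfter {fields['notAfter']})")
    return problems


if __name__ == "__main__":
    for label, text in (("installed", INSTALLED), ("missing", MISSING)):
        found = cpsec_preflight(text, SAMPLE_NOW)
        print(label, "->", found or "no problems found")
```

The check fails closed: output that is truncated or in an unrecognised format is reported as a problem instead of being treated as a pass.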


show trunk
show trunk

Description
Displays the list of trunk ports on the switch.

Syntax
No parameters.

Example
The output of this command shows details of a trunk port.
(host) # show trunk

Trunk Port Table
----------------
Port    Vlans Allowed                          Vlans Active                           Native Vlan
----    -------------                          ------------                           -----------
FE2/12  1,613,615-617,632-633,636-640,667-668  1,613,615-617,632-633,636-640,667-668  1

Command History
This command was available in AOS-W 3.0

Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Config or Enable mode on master or local switches


show tunneled-node
show tunneled-node [state|database]

Description
Displays the state of the tunneled node and lists all tunneled nodes connected to the switch.
Syntax
No parameters.
Example
The output of this command shows the tunneled node state.
(host) # show tunneled-node state

Tunneled Node State
-------------------
IP              MAC                s/p   state     vlan  tunnel  inactive-time
--              ---                ---   -----     ----  ------  -------------
192.168.123.14  00:0b:86:40:32:40  1/23  complete  10    9       1
192.168.123.14  00:0b:86:40:32:40  1/22  complete  10    10      1
192.168.123.14  00:0b:86:40:32:40  1/20  complete  10    11      1
Command History

Release     Modification
AOS-W 3.0   Command introduced.
AOS-W 6.1   The command name was changed to tunneled-node. The database parameter was added.

Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Config or Enable mode on master or local switches


show uplink
crypto-local show uplink [config|{connection <link_id>}|signal|{stats <link_id>}]
Description
Displays uplink configuration details on an OAW-4306 Series switch.
Syntax

Parameter    Description
config       Enter the keyword config to display the uplink manager, the default wired priority and default cellular priority.
connection   Enter the keyword connection followed by the uplink ID number to display the connection details.
signal       Enter the keyword signal to display the cellular uplink signal strength.
stats        Enter the keyword stats followed by the uplink ID number to display the statistical information on the designated uplink.

Example
The output of this command displays the switch uplink status.
(host) #show uplink
Uplink Manager: Enabled

Uplink Management Table
-----------------------
Id  Uplink Type  Properties    Priority  State         Status
--  -----------  ----------    --------  -----         ------
1   Wired        vlan 1        200       Initializing  Waiting for link
2   Cellular     Novatel_U727  100       Standby       Ready

Command History
Introduced in AOS-W 3.4.

Command Information

Platforms OAW-4306 Series switches

Licensing Base operating system

Command Mode Config mode on master and local switches


show usb
crypto-local show usb [cellular|ports|test|verbose]
Description
Display detailed USB device information.
Syntax

Parameter   Description
cellular    Enter the keyword cellular to display cellular devices.
ports       Enter the keyword ports to display detailed TTY port information such as signal strength.
test        Enter the keyword test to test the USB TTY ports. NOTE: Testing an invalid modem port may cause the switch to "hang". To resolve this, unplug and re-plug the modem.
verbose     Enter the keyword verbose to display detailed USB information including serial number and USB type.

Examples
The USB Device table, in the example below, displays the USB port is in the 'Device Ready' state, meaning that the port has passed the diagnostic test and is ready to send and receive data.

(host) (config-cellular new_modem)# show usb

USB Device Table
----------------
Address  Product                Vendor  ProdID  Serial           Type      Profile    State
-------  -------                ------  ------  ------           ----      -------    -----
18       Novatel Wireless CDMA  1410    4100    091087843891000  Cellular  new_modem  Device ready

Below is an example of the show usb verbose display output (partial).
(host) #show usb verbose
...
T: Bus=01 Lev=02 Prnt=02 Port=00 Cnt=01 Dev#= 3 Spd=12 MxCh= 0
D: Ver= 1.10 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1
P: Vendor=1410 ProdID=4100 Rev= 0.00
S: Manufacturer=Novatel Wireless Inc.
S: Product=Novatel Wireless CDMA
S: SerialNumber=091087843891000
C:* #Ifs= 5 Cfg#= 1 Atr=a0 MxPwr=500mA
...
Command History
Introduced in AOS-W 3.4.


Command Information

Platforms
OAW-4306 Series and OAW-4x50 switches

Licensing Base operating system

Command Mode Config mode on master and local switches


show user
show user
   ap-group <ap-group>
   ap-name <ap-name>
   authentication-method dot1x|mac|opensystem|psk|stateful-dot1x|via-vpn|vpn|web[rows <NUMBER> <NUMBER>]
   bssid <A:B:C:D:E:F> rows <NUMBER> <NUMBER>
   devtype <device>
   essid <STRING> rows <NUMBER> <NUMBER>
   internal rows <NUMBER> <NUMBER>
   ip <A.B.C.D> rows <NUMBER> <NUMBER>
   location b.f.l rows <NUMBER> <NUMBER>
   mac <A:B:C:D:E:F>
   mobile {[bindings][visitors]} [rows <NUMBER> <NUMBER>]
   name <STRING>
   phy-type {[a]|[b]}[rows <NUMBER> <NUMBER>]
   role <STRING> rows <NUMBER> <NUMBER>
   rows <NUMBER> <NUMBER>
Description
Displays detailed information about the switch's connection to a user device, in regards to mobility state and statistics, authentication statistics, VLAN assignment method, AP datapath tunnel info, radius accounting statistics, user name, user-role derivation method, datapath session flow entries, and 802.11 association state and statistics. The show user command allows you to filter specific information by parameter.
Syntax

Parameter               Description
ap-group <ap-group>     Filter the output of this command by showing users connected to APs that belong to the specified AP group.
ap-name <ap-name>       Filter the output of this command by the name of the AP to which the user is connected.
authentication-method   Filter the output of this command by the authentication method used for the device:
   dot1x                Show data for devices using 802.1X authentication.
   mac                  Show data for devices using MAC authentication.
   opensystem           Show data for devices using open (no) authentication.
   psk                  Show data for devices that do not use authentication but use a preshared key for encryption.
   stateful-dot1x       Show data for devices using stateful 802.1X authentication.
   via-vpn              Show data for devices that authenticate using Alcatel-Lucent VIA.
   vpn                  Show data for devices using VPN authentication.
   web                  Show data for devices using captive portal authentication.


Parameter

Description

rows <NUMBER> <NUMBER>

Displays the log output from the specified number of rows from the end of the log and the total number of rows to display.

bssid <A:B:C:D:E:F>

Show user data for a specific device BSSID.

devtype <device>

Show output for a specified device type, if identified. If the device name includes spaces, you must enclose it in quotation marks.

essid <STRING>

Show user data for a specific ESSID. If the ESSID includes spaces, you must enclose it in quotation marks.

internal rows <NUMBER> <NUMBER> Display internal user entries only. Include the rows options to filter the output of this command by specifying the number of rows from the end of the output and the total number of rows to display/

ip <A.B.C.D>

Show user data for a specific IP address .

mac <A:B:C:D:E:F>

MAC address .

mobile

Filter the output of this command to show data for Mobile users.

bindings

Show data for users that have moved away from their home network.

visitors

Show data for mobility users that are visiting the network.

name <STRING>

User's name.

phy-type

801.11 type

a

Matches PHY type a.

g

Matches PHY type b or g.

role <STRING>

User role such as employee, visitor and so on.

rows <NUMBER> <NUMBER>

Filter the output of the show user role command by specifying the number of rows from the end of the output and the total number of rows to display/

rows <NUMBER> <NUMBER>

Filter the output of the show user command by specifying the number of rows from the end of the output and the total number of rows to display/

Usage Guidelines
Use the show user command to show detailed user statistics, which include the entire output of the user-table, mobility state and statistics, authentication statistics, VLAN assignment method, AP datapath tunnel information, RADIUS accounting statistics, user-role derivation method, datapath session flow entries and 802.11 association state and statistics.

Examples

This example displays users currently in the employee role. The output of this command is split into two tables in this document; however, it appears in one table in the CLI.

(host) (config) show user role employee

Users
-----
IP              MAC                Name           Role      Age(d:h:m)  Auth    VPN link  AP name
--              ---                ----           ----      ----------  ----    --------  -------
192.168.160.1   00:23:6c:80:3d:bc  madisonl       employee  01:05:50    802.1x            1263
10.100.105.100  00:05:4e:45:5e:c8  CORP1NETWORKS  employee  00:02:22    802.1x            wlan-qa-cage
10.100.105.102  00:14:a5:30:c2:7f  pdedhia        employee  01:20:09    802.1x            2198
10.100.105.97   00:1b:77:c4:a2:fa  CORP1NETWORKS  employee  00:02:18    802.1x            2198
10.100.105.109  00:21:5c:02:16:bb  myao           employee  00:05:40    802.1x            1109

Users
-----
Roaming     Essid/Bssid/Phy                          Profile
-------     ---------------                          -------
Associated  ethersphere-wpa2/00:1a:1e:85:d3:b1/a-HT  default
Associated  ethersphere-wpa2/00:1a:1e:6f:e5:51/a     default
Associated  ethersphere-wpa2/00:1a:1e:87:ef:f1/a     default
Associated  ethersphere-wpa2/00:1a:1e:87:ef:f1/a     default
Associated  ethersphere-wpa2/00:1a:1e:85:c2:11/a-HT  default

The output of the show user mac <mac-addr> and show user ip <ip-addr> commands includes the following information.

(host) # show user-table ip 5.5.5.2
Name: 98:0c:82:45:d6:7b, IP: 5.5.5.2, MAC: 98:0c:82:45:d6:7b, Role: mac-role, ACL: 54/0/0, Age: 00:00:07
Authentication: Yes, status: started, method: MAC, protocol: PAP, server: Internal
Bandwidth = No Limit
Bandwidth = No Limit
Role Derivation: default for authentication type MAC
VLAN Derivation: unknown
Idle timeouts: 0, Valid ARP: 0
Mobility state: Wireless, HA: Yes, Proxy ARP: No, Roaming: No Tunnel ID: 0 L3 Mob: 0
Flags: internal=0, trusted_ap=0, l3auth=0, mba=1, vpnflags=0, u_stm_ageout=1
Flags: innerip=0, outerip=0, vpn_outer_ind:0, guest=0, download=1, wispr=0
Auth fails: 0, phy_type: g-HT, reauth: 0, BW Contract: up:0 down:0, user-how: 14
Vlan default: 3, Assigned: 5, Current: 5 vlan-how: 0 DP assigned vlan:0
Mobility Messages: L2=0, Move=0, Inter=0, Intra=0, Flags=0x0
Tunnel=0, SlotPort=0x2000, Port=0x1000d (tunnel 13)
Role assigment - L3 assigned role: n/a, VPN role: n/a, Dot1x cached role: n/a
Current Role name: mac-role, role-how: 1, L2-role: mac-role, L3-role: mac-role
Essid: 1_wlan_135, Bssid: d8:c7:c8:38:f4:a0 AP name/group: d8:c7:c8:cb:8f:4a-135/groupfor135 Phy-type: g-HT
RadAcct sessionID:n/a
RadAcct Traffic In 4/216 Out 2/420 (0:4/0:0:0:216,0:2/0:0:0:420)
Timers: reauth 0
Profiles AAA:1_wlan_135-aaa_prof, dot1x:dot1x_prof-rwv10, mac:pMac CP: def-role:'logon' siprole:'' via-auth-profile:''
ncfg flags udr 0, mac 1, dot1x 1, RADIUS interim accounting 0
IP Born: 1354560806 (Mon Dec 3 10:53:26 2012)
Core User Born: 1354560805 (Mon Dec 3 10:53:25 2012)
Upstream AP ID: 0, Downstream AP ID: 0
Device Type: Dalvik/1.4.0 (Linux; U; Android 2.3.6; SAMSUNG-SGH-I777 Build/GINGERBREAD)
Session Timeout from Radius: No, Session Timeout Value:0
Address is from DHCP: yes

The role-how and vlan-how parameters in the output of this command display a code that corresponds to the following values:

Role Derivation Code  Description
0                     Default logon role
1                     Default user role for authentication type
2                     Role derived from server rules
3                     Role derived from user rules
4                     Predefined Guest role
5                     Role inherited from station
6                     Forced role
7                     Role derived from Alcatel-Lucent vendor-specific attribute (VSA)
8                     RFC 3576 (Change of Authorization) role
9                     Role derived from external captive portal
10                    Default role from AAA profile
11                    Role assigned by an Extended Service Interface (ESI) server group

VLAN Derivation Code  Description
1                     VLAN derived from user rule
2                     VLAN derived from user role
3                     VLAN derived from server rule
4                     VLAN derived from Alcatel-Lucent vendor-specific attribute (VSA)
5                     VLAN derived from Microsoft Tunnel attributes (Tunnel-Type, Tunnel Medium Type, and Tunnel Private Group ID)
6                     VLAN assigned from derived role
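
When auditing how a client obtained its role and VLAN, the role-how and vlan-how codes can be decoded mechanically from captured show user-table output. The following Python is an added example, not part of the original guide or of AOS-W; the function names, the review policy in DEFAULT_ROLE_CODES, and the choice of four sample lines (copied from the example output above) are assumptions made for illustration.

```python
import re

# Code tables transcribed from the role-how / vlan-how tables in this guide.
ROLE_HOW = {
    0: "Default logon role",
    1: "Default user role for authentication type",
    2: "Role derived from server rules",
    3: "Role derived from user rules",
    4: "Predefined Guest role",
    5: "Role inherited from station",
    6: "Forced role",
    7: "Role derived from Alcatel-Lucent vendor-specific attribute (VSA)",
    8: "RFC 3576 (Change of Authorization) role",
    9: "Role derived from external captive portal",
    10: "Default role from AAA profile",
    11: "Role assigned by an Extended Service Interface (ESI) server group",
}
VLAN_HOW = {
    1: "VLAN derived from user rule",
    2: "VLAN derived from user role",
    3: "VLAN derived from server rule",
    4: "VLAN derived from Alcatel-Lucent vendor-specific attribute (VSA)",
    5: "VLAN derived from Microsoft Tunnel attributes",
    6: "VLAN assigned from derived role",
}

# Assumption (a local review policy, not from the guide): these role-how codes
# mean the role is a default rather than the result of a rule or attribute.
DEFAULT_ROLE_CODES = {0, 1, 10}

# Sample input: four lines copied from the `show user-table ip 5.5.5.2`
# example output in this guide.
SAMPLE = """\
Name: 98:0c:82:45:d6:7b, IP: 5.5.5.2, MAC: 98:0c:82:45:d6:7b, Role: mac-role, ACL: 54/0/0, Age: 00:00:07
Authentication: Yes, status: started, method: MAC, protocol: PAP, server: Internal
Vlan default: 3, Assigned: 5, Current: 5 vlan-how: 0 DP assigned vlan:0
Current Role name: mac-role, role-how: 1, L2-role: mac-role, L3-role: mac-role
"""

# (result key, pattern with one capture group, converter)
PATTERNS = [
    ("ip", r"\bIP:\s*([0-9.]+)", str),
    ("mac", r"\bMAC:\s*([0-9A-Fa-f:]{17})", str),
    ("role", r"\bCurrent Role name:\s*([^,\s]+)", str),
    ("auth_method", r"\bmethod:\s*([^,\s]+)", str),
    ("vlan_current", r"\bCurrent:\s*(\d+)", int),
    ("role_how", r"\brole-how:\s*(\d+)", int),
    ("vlan_how", r"\bvlan-how:\s*(\d+)", int),
]


def parse_user_entry(text):
    """Extract the fields of interest; a field missing from the text is None."""
    entry = {}
    for key, pattern, convert in PATTERNS:
        match = re.search(pattern, text)
        entry[key] = convert(match.group(1)) if match else None
    return entry


def describe(code, table):
    """Translate a derivation code, tolerating absent or unlisted codes."""
    if code is None:
        return "field not present in output"
    return table.get(code, "code %d is not listed in the guide's table" % code)


def review(entry):
    """Return findings worth a second look under the assumed policy."""
    findings = []
    if entry["role_how"] in DEFAULT_ROLE_CODES:
        findings.append("role %s is a default assignment (role-how %d: %s)" % (
            entry["role"], entry["role_how"],
            describe(entry["role_how"], ROLE_HOW)))
    if entry["vlan_how"] not in VLAN_HOW:
        findings.append("VLAN %s has no documented derivation (%s)" % (
            entry["vlan_current"], describe(entry["vlan_how"], VLAN_HOW)))
    return findings


if __name__ == "__main__":
    user = parse_user_entry(SAMPLE)
    print(user)
    for finding in review(user):
        print("REVIEW:", finding)
```

The sample entry reports vlan-how 0, which the VLAN derivation table does not list, so the decoder reports it as unlisted instead of guessing a meaning.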

Command History
Release    Modification
AOS-W 3.0  Command introduced.
AOS-W 6.1  The devtype parameter was introduced, and the output of this command expanded to include the Type column.
AOS-W 6.2  Output for an IP address shows if it is from DHCP.

This command was introduced in AOS-W 3.0.

Command Information

Platforms All platforms

Licensing Base operating system

Command Mode Available in Enable and Config modes.


show user_session_count (deprecated)
show user_session_count
Description
Show the number of users using an ESSID for different time intervals.
Syntax
No parameters
Command History

Version    Modification
AOS-W 3.0  Command introduced
AOS-W 6.0  Command deprecated


show util_proc
show util_proc guest-email counters
Description
Show counters for the guest email process.
Syntax
No parameters.
Usage Guidelines
As part of guest provisioning, the guest access email feature allows you to define the SMTP port and server that processes guest provisioning email. This server sends email to the guest or the sponsor when a guest user manually sends email from the Guest Provisioning page, or when a user creates a guest account.
Example
The output of this command shows the numbers of guest emails received, sent and dropped since the switch was last reset.

(host) #show util_proc guest-email counters

Guest Email Counters
--------------------
Name            Value
----            -----
Email Received  14
Email Sent      3
Email Dropped   0

Related Commands
To configure SMTP servers and server ports for guest email, use the command guest-access-email.

Command History
This command was available in AOS-W 1.0.

Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Enable and Config mode on local and master switches


show valid-network-oui-profile
show valid-network-oui-profile

Description
This command displays the Valid Equipment OUI Profile table.

Syntax
No parameters

Usage Guidelines
If you used the valid-network-oui-profile command to add a new OUI to the switch, issue the show valid-network-oui-profile command to see a list of current OUIs.

Example
(Host) (config) #show valid-network-oui-profile

Valid Equipment OUI profile
---------------------------
Parameter  Value
---------  -----
OUI        00:1A:1E

Command History

Release AOS-W 5.0

Modification Command introduced

Command Information

Platforms Available on all platforms

Licensing Base operating system

Command Mode Config mode on master switches


show version
show version
Description
Show the system software version.
Syntax
No parameters.
Example
(host) #show version
Alcatel-Lucent Operating System-Wireless.
AOS-W (MODEL: OAW-4504-US), Version 6.0.0.0
Website: http://www.alcatel.com/enterprise
All Rights Reserved (c) 2005-2010, Alcatel-Lucent.
Compiled on 2008-12-17 at 22:52:36 PST (build 20263) by p4build

ROM: System Bootstrap, Version CPBoot 1.2.11 (Sep 13 2005 - 17:39:11)

Switch uptime is 41 days 8 hours 57 minutes 18 seconds
Reboot Cause: User reboot.
Supervisor Card
Processor 16.20 (pvr 8081 1014) with 256M bytes of memory.
32K bytes of non-volatile configuration memory.
256M bytes of Supervisor Card System flash (model=CF 256MB).

The output of this command includes the following information:

Parameter        Description
Model            Switch model type.
Version          Version of AOS-W software.
ROM              System bootstrap version.
Switch Uptime    Switch uptime (time elapsed since the last switch reset).
Reboot Cause     Reason the switch was last rebooted.
Supervisor Card  Details for the switch's internal supervisor card.

Command History
This command was available in AOS-W 1.0.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Enable and Config mode on local and master switches


show via
show via version websessions
Description
Displays VIA version and web session details.
Syntax

Parameter    Description                                                                   Range  Default
version      Displays the version of VIA client available on the switch.                   --     --
websessions  Displays the list of users connected to the VIA switch using the VIA client.  --     --

Example
The following example displays the version of VIA client available on the switch.

(host) # show via version
(host) (VIA Client WLAN Profile "example") #show via version
Default VIA Installer:
---------------------
<aruba>
<via>
<platform>win32</platform>
<version>1.0.0.23373</version>
</via>
</aruba>

Command History
This command was available in AOS-W 5.0.

Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Config or Enable mode on master or local switches


show vlan-bwcontract-explist
show vlan-bwcontract-explist [internal]
Description
Show entries in the VLAN bandwidth contracts MAC exception lists.
Syntax

Parameter  Description
internal   Include the optional internal parameter to display the MAC addresses in the internal, preconfigured VLAN bandwidth contracts MAC exception list.

Example
The following command displays the MAC addresses in the internal MAC exception list.

(host) (config) #show vlan-bwcontract-explist internal

VLAN BW Contracts Internal MAC Exception List
---------------------------------------------
MAC address
-----------
01:80:C2:00:00:00
01:00:0C:CC:CC:CD
01:80:C2:00:00:02
01:00:5E:00:82:11

Command History
Command introduced in AOS-W 6.0.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Enable or Config mode on master or local switches


show vlan
show vlan <id>
Description
This command shows a configured VLAN interface number, description and associated ports.
Syntax

Parameter  Description                          Range   Default
<id>       Identification number for the VLAN.  1-4094  1

Usage Guidelines
Issue this command to show the selected VLAN configuration. The VLAN column lists the VLAN ID. The Description column provides the VLAN name or number and the Ports column shows the VLAN's associated ports. The AAA Profile column shows if a wired AAA profile has been assigned to a VLAN, enabling role-based access for wired clients connected to an untrusted VLAN or port on the switch.

(host) #show vlan

VLAN CONFIGURATION
------------------
VLAN  Description
----  -----------
1     Default
10    VLAN0010
20    RAP_VLAN
25    VLAN0025
30    VLAN0030
56    VLAN0056
57    VLAN0057
58    VLAN0058

Ports
-----
GE0/3-7 GE0/9 XG0/10-11 Pc0-7 GE0/8
GE0/0

AAA Profile
-----------
N/A N/A N/A mac-auth-aaa-prof N/A default default default

Related Commands
(host) (config) #vlan
(host) (config) #vlan-name

Command History

Release    Modification
AOS-W 3.0  Command available.
AOS-W 6.0  The output of this command was modified to include the AAA Profile column.

Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Enable or config mode on master or local switches


show vlan mapping
show vlan mapping
Description
This command shows a configured VLAN name, its pool status, assignment type and the VLAN IDs assigned to the pool.
Syntax

Parameter  Description                          Range   Default
<id>       Identification number for the VLAN.  1-4094  1

Usage Guidelines
Issue this command to show the selected VLAN configuration. The VLANName column displays the name of the VLAN pool. The Pool Status column indicates if the pool is enabled or disabled. The VLAN IDs column lists the VLANs that are part of the pool.

(host) #show vlan mapping

Vlan Mapping Table
------------------
VLAN Name     Pool Status  Assignment Type  VLAN IDs
---------     -----------  ---------------  --------
mygroup       Enabled      Hash             62,94
newpoolgroup  Enabled      Even             62,1511
vlannametest  Enabled      Even             62
yourvlan      Disabled     N/A

Related Commands
(host) (config) #vlan
(host) (config) #vlan-name

Command History

Release    Modification
AOS-W 3.0  Command introduced.
AOS-W 6.2  The Assignment Type parameter was introduced.

Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Enable or config mode on master or local switches


show vlan status
show vlan status <id>
Description
This command shows the current status of all VLANs on the switch.
Syntax
No parameters.
Usage Guidelines
Issue this command to show the status of VLANs on the switch. The VLANID column displays the VLAN ID name or number. The IP Address column provides the VLAN's IP address. The Adminstate column indicates if the VLAN is enabled or disabled. The Operstate column indicates if the VLAN is currently up and running. The PortCount column shows how many ports are associated with the VLAN. The Nat Inside column displays whether source NAT is enabled for the VLAN interface. If NAT is enabled, all the traffic passing through this VLAN interface is source NATed to the outgoing interface's IP address.

(host) #show vlan status

Vlan Status
-----------
VlanId  IPAddress                       Adminstate  Operstate  PortCount  Nat Inside
------  ---------                       ----------  ---------  ---------  ----------
1       10.168.254.221/255.255.255.252  Enabled     Up         5          Disabled
2       unassigned/unassigned           Enabled     Down       2          Disabled
4       unassigned/unassigned           Enabled     Down       1          Disabled
25      unassigned/unassigned           Enabled     Down       1          Disabled
212     10.168.212.2/255.255.255.0      Enabled     Down       2          Disabled
213     10.168.213.2/255.255.255.0      Enabled     Down       2          Disabled
1170    10.3.132.14/255.255.255.0       Enabled     Up         2          Disabled

Related Commands
(host) (config) #vlan
(host) (config) #vlan-name

Command History
This command was introduced in AOS-W 3.0.

Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Enable or config mode on master or local switches


show vlan summary
show vlan summary
Description
This command shows the number of existing VLANs.
Syntax

Parameter                 Description
Number of existing VLANs  The number of existing VLANs on the switch.

Usage Guidelines
Issue this command to show the number of existing VLANs on the switch.

(host) #show vlan summary

Number of existing VLANs :13

Related Commands
(host) (config) #vlan
(host) (config) #vlan-name

Command History
This command was introduced in AOS-W 3.0.

Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Enable or config mode on master or local switches


show voice call-cdrs
show voice call-cdrs [bssid <value> | cid <value> | count <number> | detail | essid <value> | extn <value> | ip <ip-address> | proto {sip | svp | noe | sccp | vocera | h323} | rtpa | sta <mac-address>]
Description
Displays detailed call records of voice client.
Syntax

Parameter  Description
bssid      Filter records based on BSSID of voice clients.
cid        View the detailed records filtered on the CDR Id.
count      Specify the number of records to be displayed by entering a number.
detail     Include this parameter to view the following additional information for each call record: Reason, Codec, Band, Setup Time (sec), Re-Assoc, Initial-BSSID, Initial-ESSID, Initial-AP Name.
essid      Filter records based on ESSID of voice clients.
extn       View detailed records for a particular extension number.
ip         View detailed records of voice client using its IP address.
proto      View detailed records filtered on protocol.
rtpa       Include this parameter to view the voice call quality reports based on the call quality analysis from the RTP media streams. NOTE: This parameter is applicable only if Real Time Call Quality Analysis is enabled on the voice calls.
sta        View the detailed records filtered on the MAC address of a voice client.

Example
The output of this command shows detailed call records filtered by SIP protocol and limited to 5 entries.

(host) #show voice call-cdrs proto sip count 5 detail

Voice Client(s) CDRs (Detail)
-----------------------------
CDR Id  Client IP  Client Name  ALG  Dir  Called/Calling Party  Status  Dur(sec)  Orig time  R-value  Reason  Codec  Band  Setup Time(sec)  Re-Assoc  Initial-BSSID  Initial-ESSID  Initial-AP Name
------  ---------  -----------  ---  ---  --------------------  ------  --------  ---------  -------  ------  -----  ----  ---------------  --------  -------------  -------------  ---------------
NA  10.15.20.74  6202  sip  IC  6203  CONNECTED  2773  Aug 19 13:39:09  82  G729  GREEN  0  0  00:1a:1e:a8:2d:80  legap  AP-65-2
NA  10.15.20.75  6203  sip  OG  6202  CONNECTED  2774  Aug 19 13:39:08  65  G729  YELLOW  3  0  NA  NA  NA
56  10.15.20.74  6202  sip  IC  6203  SUCC  390  Aug 19 13:20:03  60  Terminated  G729  YELLOW  0  0  00:1a:1e:a8:2d:80  legap  AP-65-2
55  10.15.20.75  6203  sip  OG  6202  SUCC  390  Aug 19 13:20:03  61  Terminated  G729  YELLOW  3  0  00:1a:1e:a8:2d:80  legap  AP-65-2
54  10.15.20.75  6203  sip  OG  6203  FAIL  0  Aug 19 13:19:57  NA  NA  NA  0  0  00:1a:1e:a8:2d:80  legap  AP-65-2

Num CDRS:5

Command History

Version      Description
AOS-W 3.3.1  Command introduced.
AOS-W 6.0    The cid and rtpa parameters were introduced.

Command Information

Platforms All platforms

Licensing
This command requires the PEFNG license

Command Mode
Config or Enable mode on master or local switches


show voice call-counters
show voice call-counters

Description
Displays outgoing, incoming and terminated call counter details. The total calls equals the sum of the calls originated and terminated. It also equals the sum of the active, success, failed, blocked, aborted, and forwarded calls.

Syntax
No parameters.

Example

The output of this command shows call counter statistics.

(host) # show voice call-counters

System Wide Voice Call Counters
-------------------------------
Total  Call Originated  Call Terminated  Active  Success  Failed  Blocked  Aborted  Forwarded
-----  ---------------  ---------------  ------  -------  ------  -------  -------  ---------
31     16               15               0       29       0       0        2        0

Command History

Version AOS-W 3.3.1

Description Command introduced.

Command Information

Platforms All platforms

Licensing
This command requires the PEFNG license

Command Mode
Config or Enable mode on master or local switches


show voice call-density
show voice call-density [bssid <value> | essid <value> | extn <value> | ip <ip-address> | proto <protocol>]
Description
Displays call density report for voice calls.
Syntax

Parameter         Description
bssid             Filter records based on BSSID of voice clients.
essid             Filter records based on ESSID of voice clients.
extn              Filter records based on the extension of a voice client.
ip <ip-address>   Filter records based on the IP address of an AP.
proto <protocol>  Filter records based on a VOIP protocol. Supported values are: SIP, SVP, NOE, SCCP, VOCERA, H323.

Example
The output of this command shows call density report for extension 3015.

(host) # show voice call-density extn 3015

VoIP Call Density Report for Client '3015'
------------------------------------------
Sample Time      Orig  Term  Active  Succ  Fail  Blocked  Aborted  Forwarded  R-Value
-----------      ----  ----  ------  ----  ----  -------  -------  ---------  -------
Jan 31 16:01:42  0     0     0       0     0     0        0        0          NA
Jan 31 16:00:00  0     0     0       0     0     0        0        0          NA
Jan 31 15:50:00  0     0     0       0     0     0        0        0          NA
Jan 31 15:40:00  0     0     0       0     0     0        0        0          NA
Jan 31 15:30:00  0     0     0       0     0     0        0        0          NA
Jan 31 15:20:00  0     1     1       1     0     0        0        0          73.000000
Jan 31 15:10:00  0     2     3       2     0     0        0        0          84.000000
Jan 31 15:00:00  0     1     1       0     0     0        1        0          80.000000
Jan 31 14:50:00  0     0     0       0     0     0        0        0          NA
Jan 31 14:40:00  0     0     0       0     0     0        0        0          NA
Jan 31 14:30:00  0     0     0       0     0     0        0        0          NA
Jan 31 14:20:00  0     0     0       0     0     0        0        0          NA
Jan 31 14:10:00  0     0     0       0     0     0        0        0          NA
...

Command History
Version AOS-W 3.0

Description Command introduced.

Command Information

Platforms All platforms

Licensing
This command requires the PEFNG license

Command Mode
Config or Enable mode on master or local switches


show voice call-perf
show voice call-perf [bssid <value> | essid <value> | extn <value> | ip <ip_address> | proto <value>]
Description
Displays the performance of voice calls of all clients connected to the switch. You can filter the report based on BSSID, ESSID, extension, IP address or the VOIP protocol type.
Syntax

Parameter         Description
bssid             Filter records based on BSSID of voice clients.
essid             Filter records based on ESSID of voice clients.
extn              Filter records based on the extension of a voice client.
ip <ip-address>   Filter records based on the IP address of an AP.
proto <protocol>  Filter records based on a VOIP protocol. Supported values are: SIP, NOE, SCCP, VOCERA, H323.

Example

The output of this command shows call performance report for extension 3015.

(host) # show voice call-perf extn 3015

VoIP Call Performance Report for Client '3015'
----------------------------------------------
Sample Time      Delay(ms)  AP-Switch Delay(ms)  Jitter  Packet Loss  R-Value  MOS   Band
-----------      ---------  -------------------  ------  -----------  -------  ---   ----
Jan 31 15:54:46  0.00       0.00                 0.000   0.00         0.00     NA    NA
Jan 31 15:50:00  0.00       0.00                 0.000   0.00         0.00     NA    NA
Jan 31 15:40:00  0.00       0.00                 0.000   0.00         0.00     NA    NA
Jan 31 15:30:00  0.00       0.00                 0.000   0.00         0.00     NA    NA
Jan 31 15:20:00  108.24     0.00                 7.793   8.81         73.00    3.60  YELLOW
Jan 31 15:10:00  106.67     0.00                 12.500  4.44         84.00    4.02  GREEN
Jan 31 15:00:00  0.00       0.00                 0.000   0.00         0.00     NA    NA
Jan 31 14:50:00  0.00       0.00                 0.000   0.00         0.00     NA    NA
Jan 31 14:40:00  0.00       0.00                 0.000   0.00         0.00     NA    NA
Jan 31 14:30:00  0.00       0.00                 0.000   0.00         0.00     NA    NA
...

Command History

Version AOS-W 3.3.1

Description Command introduced.


Command Information

Platforms All platforms

Licensing
This command requires the PEFNG license

Command Mode
Config or Enable mode on master or local switches


show voice call-quality
show voice call-quality [bssid <value> | essid <value> | extn <value> | ip <ip_address> | proto <value> | rtpa | sta <mac-address>]
Description
Displays voice call quality for each call over a period of time.
Syntax

Parameter         Description
bssid             Filter records based on BSSID of voice clients.
essid             Filter records based on ESSID of voice clients.
extn              Filter records based on the extension of a voice client.
ip <ip-address>   Filter records based on the IP address of a voice client.
proto <protocol>  Filter records based on a VOIP protocol. Supported values are: SIP, NOE, SCCP, VOCERA, H323.
rtpa              Include this parameter to view the voice call quality reports based on the call quality analysis from the RTP media streams. NOTE: This parameter is applicable only if Real Time Call Quality Analysis is enabled on the voice calls.
sta               Filter records based on the MAC address of a voice client.

Example
The output of this command shows call quality report for calls made by extension 3015.

(host) # show voice call-quality extn 3015

Voice Client(s) Call Quality Reports
------------------------------------
Client(IP)  Client(MAC)  Client(Name)  ALG  Orig Time  Direction  Called/Calling Party  Duration  Codec  Delay  Jitter  Pkt Loss  R-Value  Band  BSSID  ESSID  AP Name
----------  -----------  ------------  ---  ---------  ---------  --------------------  --------  -----  -----  ------  --------  -------  ----  -----  -----  -------
10.100.1.10  00:11:22:33:bc:bd  3015  sccp  Jan 31 15:10:44  IC  3042  141  108.241  7.793  8.809  73  YELLOW  00:0b:86:5c:d6:08  nkrtp  voice-a
10.100.1.10  00:11:22:33:bc:bd  3015  sccp  Jan 31 15:07:48  IC  3042  119  115.333  13.000  8.480  78  YELLOW  00:0b:86:5c:d6:08  nkrtp  voice-a
10.100.1.10  00:11:22:33:bc:bd  3015  sccp  Jan 31 15:01:22  IC  3042  35  98.000  12.000  0.391  90  GREEN  00:0b:86:5c:d6:08  nkrtp  voice-a
10.100.1.10  00:11:22:33:bc:bd  3015  sccp  Jan 31 14:58:58  IC  3042  100  G711  103.528  6.056  4.622  80  GREEN  00:0b:86:5c:d6:08  nkrtp  voice-a

Num Records:4

Command History

Version      Description
AOS-W 3.3.1  Command introduced.
AOS-W 6.0    The rtpa and sta parameters were introduced.

Command Information

Platforms All platforms

Licensing
This command requires the PEFNG license

Command Mode
Config or Enable mode on master or local switches


show voice call-stats
show voice call-stats [bssid <value> | cip <client-ip-address> | essid <value> | extn <value> | ip <ip_address> | proto <value> | sta <value>]
Description
Displays voice call statistics for each client.
Syntax

Parameter         Description
bssid             Filter records based on BSSID of a voice client.
cip               Filter records based on a client's IP address.
essid             Filter records based on ESSID of a voice client.
extn              Filter records based on the extension of a voice client.
ip <ip-address>   Filter records based on the IP address of an AP.
proto <protocol>  Filter records based on a VOIP protocol. Supported values are: SIP, NOE, SCCP, VOCERA, H323.
sta               Filter records based on the MAC address of a voice client.

Example
The output of this command shows call quality report for calls made by extension 6210.

(host) # show voice call-stats

Voice Client(s) Call Statistics
-------------------------------
Client IP     Client MAC         Client Name  ALG   Originated  Terminated  Active  Failed  Success  Blocked  Aborted  Duration             R-Value            Band
---------     ----------         -----------  ---   ----------  ----------  ------  ------  -------  -------  -------  --------             -------            ----
10.15.86.248  00:1f:6c:7a:d4:fd  6005         sccp  3           2           0       0       5        0        0        20489.0/2.0/4173.0   93.00/79.00/89.00  GREEN
10.15.86.247  00:1f:6c:7a:d5:f8  6002         sccp  2           3           0       0       4        0        1        57709.0/2.0/11616.8  93.00/71.00/87.00  GREEN

Num Clients:2

Command History

Version AOS-W 3.3.1

Description Command introduced.


Command Information

Platforms All platforms

Licensing
This command requires the PEFNG license

Command Mode
Config or Enable mode on master or local switches


show voice client-status
show voice client-status [active-only | bssid | essid <value> | extn <value> | ip <ip_address> | proto <value> | sta <value>]
Description
Displays list of voice clients and their status. You can also view details of a specific voice client.
Syntax

Parameter         Description
active-only       Filter records based on active voice clients.
bssid             Filter records based on BSSID of a voice client.
essid             Filter records based on ESSID of a voice client.
extn              Filter records based on the extension of a voice client.
ip <ip-address>   Filter records based on the IP address of a voice client.
proto <protocol>  Filter records based on a VOIP protocol. Supported values are: SIP, SVP, NOE, SCCP, VOCERA, H323.
sta               Filter records based on the MAC address of a voice client.

Example
The output of this command shows details about all the voice clients on a switch.

(host) #show voice client-status

Voice Client(s) Status
----------------------
Client(IP)   Client(MAC)        Client Name  ALG   Server(IP)   Registration State  Call Status  BSSID              ESSID         AP Name   Flags
----------   -----------        -----------  ---   ----------   ------------------  -----------  -----              -----         -------   -----
10.15.22.32  00:1f:6c:7a:d5:30  6001         sccp  10.15.32.20  REGISTERED          Idle         00:1a:1e:80:bb:10  keepwalking1  AP-L-125

Num Clients:1

Flags: V - Visitor, W - Wired, R - Remote

Command History

Version      Description
AOS-W 3.3.1  Command introduced.
AOS-W 6.0    The sta parameter was introduced.


Command Information

Platforms All platforms

Licensing
This command requires the PEFNG license

Command Mode
Config or Enable mode on master or local switches


show voice configurations
show voice configurations

Description
Displays the details of the voice related configurations on your switch.

Syntax
No parameters.

Example

The output of this command shows details about all voice configurations on a switch.

(host) #show voice configurations

Voice firewall policies
-----------------------
Policy                   Action
------                   ------
Stateful SIP Processing  Enabled
Broadcast-filter ARP     Disabled

SSID Profiles
-------------
Profile Name  WMM      WMM-UAPSD  TSPEC Min Inactivity(msec)  ...  EDCA STA prof  EDCA AP prof  Strict SVP
------------  ---      ---------  --------------------------  ...  -------------  ------------  ----------
default       Enabled  Enabled    100000                      ...  default        default       Disabled
qa-ma-vocera  Enabled  Enabled    0                                default        default       Disabled

AP Group Profiles
-----------------
Profile Name  VoIP CAC Profile
------------  ----------------
default       default
local         default

Virtual AP Group Profiles
-------------------------
Profile Name  802.11K Profile  HA Discovery on-assoc.  Drop Broadcast/Multicast  Broadcast ARP to Unicast
------------  ---------------  ----------------------  ------------------------  ------------------------
abcd          default          Disabled                Disabled                  Disabled

VoIP Call Admission Control Profiles
------------------------------------
Profile Name  VoIP CAC
------------  ---------
default       Disabled

802.11K Profiles
----------------
Profile Name  Advertise 802.11K Capability
------------  ----------------------------
default       Disabled

SIP settings
------------
Parameter         Value
---------         -----
Session Timer     Disabled
Session Expiry    300 sec
Dialplan Profile  N/A

Voice rtcp-inactivity:disable
Voice sip-midcall-req-timeout:disable

Command History

Version    Description
AOS-W 6.0  Command introduced.

Command Information

Platforms     All platforms
Licensing     This command requires the PEFNG license
Command Mode  Config or Enable mode on master or local switches

show voice dialplan-profile
show voice dialplan-profile <profile>

Description
Displays the list of SIP voice dialplan profiles. You can also specify a dialplan profile to view its configuration.

Syntax
No parameter.

Example

The output of this command shows the list of all dialplans and the configuration of the long distance dialplan.

(host) (config) #show voice dialplan-profile

Dialplan Profile List
---------------------
Name          References  Profile Status
----          ----------  --------------
default       1
extenstion    0
local         0
longDistance  0

Total:4

(host) (config) #show voice dialplan-profile longDistance

Dialplan Profile "longDistance"
-------------------------------
Parameter  Value
---------  -----
dialplan   102 +1XXXXXXXXXX 9%e

Command History

Version    Description
AOS-W 5.0  Command introduced.

Command Information

Platforms     All platforms
Licensing     This command requires the PEFNG license
Command Mode  Config or Enable mode on master or local switches

show voice logging
show voice logging

Description
Displays the MAC address of the voice client that has logging enabled.

Syntax
No parameters.

Example
The output of this command shows the MAC address of the voice client that has logging enabled.

(host) #show voice logging

VoIP Logging
------------
Parameter                         Value
---------                         -----
Client's MAC Address for Logging  11:22:33:44:55:67

Command History

Version    Description
AOS-W 6.0  Command introduced.

Command Information

Platforms     All platforms
Licensing     This command requires the PEFNG license
Command Mode  Config or Enable mode on master or local switches

show voice msg-stats
show voice msg-stats [sccp { bssid <value> | cip <client-ip-address> | essid <value> | ip <ip_address> | sta <client-MAC-address> } ] [sip { bssid <value> | cip <client-ip-address> | essid <value> | ip <ip_address> | sta <client-MAC-address> } ]
Description
Displays voice message counters for each call using either the SCCP or SIP protocol.
Syntax

Parameter  Description
bssid      Filter records based on BSSID of a voice client.
cip        Filter records based on a client's IP address.
essid      Filter records based on ESSID of a voice client.
ip         Filter records based on the IP address of an AP.
sta        Filter records based on the MAC address of a voice client.

Example
The output of the command in the example below shows voice message statistics for essid sam filtered on SCCP protocol. In this example, the output has been divided into multiple sections to better fit on the pages of this document. In the actual command-line interface, it will appear in a single, long table.
(host) # show voice msg-stats sccp essid sam

SCCP Voice Client(s) Msg Statistics

-----------------------------------

Client Name Client IP

AP Name

Unregister

----------- ---------

-------

----

6005

10.15.86.248 AP-68-862

2

6002

10.15.86.247 AP-68-862

2

BSSID ----00:0b:86:6d:3e:30 00:0b:86:6d:3e:30

ESSID Register

----- --------

sam 43

5

sam 39

6

Register Ack ------------
1 2

------

Unregister Ack Keepalive Keepalive Ack OpenRecvChannel OpenRecvChannel Ack StartMedia

CloseRecvChannel

-------------- --------- ------------- --------------- ------------------- ---------- --

--------------

5950

6185

7

4

6

7

6

5936

6048

4

4

4

7

6

StopMedia OffHook OnHook Ringing Connected Busy Hold Transfer Invalid

--------- ------- ------ ------- --------- ---- ---- -------- -------

5

17

2

8

0

0

0

0

4

18

3

4

0

0

0

0

Num Clients:2

Command History

Version      Description
AOS-W 3.3.1  Command introduced.

Command Information

Platforms     All platforms
Licensing     This command requires the PEFNG license
Command Mode  Config or Enable mode on master or local switches

show voice real-time-analysis
show voice real-time-analysis [sta <client MAC address>]
Description
Displays the call quality parameters based on the call quality analysis on the RTP media streams for voice calls.
Syntax

Parameter  Description
sta        View the detailed Real Time Call Quality analysis report for a voice client based on the MAC address. You can also view the average call quality values for all the clients without passing the MAC address.

Example
The output of this command shows the detailed call quality parameters based on the RTP media stream for a specific voice client.

#show voice real-time-analysis sta 00:1f:6c:7a:d5:30

Real-Time Analysis detail report
--------------------------------
Time              Jitter(U)(msec)  Pkt-loss(U)(%)  Delay(U)(usec)  rvalue(U)  Jitter(D)(msec)  Pkt-loss(D)(%)  Delay(D)(usec)  rvalue(D)
----------------  ---------------  --------------  --------------  ---------  ---------------  --------------  --------------  ---------
Aug 17 11:55:18   71.000           0.000           0.000           93.360     0.000            0.000           0.000           NA
Aug 17 11:55:13   76.000           0.000           0.000           93.360     0.000            0.000           0.000           NA
Aug 17 11:55:08   69.000           0.000           0.000           93.360     0.000            0.000           0.000           NA
Aug 17 11:55:03   71.000           0.000           0.000           93.360     0.000            0.000           0.000           NA
...

Command History

Version    Description
AOS-W 6.0  Command introduced.

Command Information

Platforms     All platforms
Licensing     This command requires the PEFNG license
Command Mode  Config or Enable mode on master or local switches

show voice real-time-analysis-config
show voice real-time-analysis-config

Description
Displays the status of Real Time Call Quality Analysis configuration.

Syntax
No parameters.

Example
The output of this command shows the status of Real Time Call Quality Analysis configuration on a switch.

(host) #show voice real-time-config

Configure Real-Time Analysis
----------------------------
Parameter                          Value
---------                          -----
Real-Time Analysis of voice calls  Enabled

Command History

Version    Description
AOS-W 6.0  Command introduced.

Command Information

Platforms     All platforms
Licensing     This command requires the PEFNG license
Command Mode  Config or Enable mode on master or local switches

show voice rtcp-inactivity
show voice rtcp-inactivity
Description
Displays the status of RTCP protocol.
Syntax
No parameters.
Example
The output of this command shows the status of RTCP protocol.

(host) #show voice rtcp-inactivity
Voice rtcp-inactivity:disable

Command History

Version      Description
AOS-W 3.3.1  Command introduced.

Command Information

Platforms     All platforms
Licensing     This command requires the PEFNG license
Command Mode  Config or Enable mode on master or local switches

show voice sip
show voice sip

Description
Displays the SIP settings on the switch.

Syntax
No parameters.

Example
The output of this command shows the SIP settings on a switch.

(host) #show voice sip

SIP settings
------------
Parameter         Value
---------         -----
Session Timer     Enabled
Session Expiry    300 sec
Dialplan Profile  N/A

Command History

Version    Description
AOS-W 6.0  Command introduced.

Command Information

Platforms     All platforms
Licensing     This command requires the PEFNG license
Command Mode  Config or Enable mode on master or local switches

show voice sip-midcall-req-timeout
show voice sip-midcall-req-timeout
Description
Displays the status of the SIP mid-call request timeout configuration on the switch.
Syntax
No parameters.
Example
The output of this command shows the status of the SIP mid-call request timeout configuration on a switch.

(host) #show voice sip-midcall-req-timeouts
Voice sip-midcall-req-timeout:disable

Command History

Version    Description
AOS-W 6.0  Command introduced.

Command Information

Platforms     All platforms
Licensing     This command requires the PEFNG license
Command Mode  Config or Enable mode on master or local switches

show voice statistics
show voice statistics [ cac | sip-dialplan-hits | tspec-enforcement ]
Description
Displays the CAC, UDP SIP dial plan hits, and TSPEC enforced voice statistics.
Syntax

Parameter          Description
cac                Displays the dropped SIP Invites and SIP Status Code for both server and the client side. Note: This filter supports only the SIP protocol and will work only if CAC is enabled for the parameters.
sip-dialplan-hits  Displays the statistics of SIP dialplan hits.
tspec-enforcement  Displays the statistics of the number of TSPEC requests accepted, rejected, or denied.

Example
The output of this command shows statistics for TSPEC enforced calls.

(host) # show voice statistics tspec-enforcement

TSPEC Enforcement statistics
----------------------------
Name                                         Value
----                                         -----
TSPEC ADDTS Request                          16
TSPEC accepted                               16
TSPEC denied due to CAC                      0
TSPEC enforcement timer events               2
Calls established within enforcement period  0
TSPEC deleted after enforcement period       1

Command History

Version      Description
AOS-W 3.3.1  Command introduced.

Command Information

Platforms     All platforms
Licensing     This command requires the PEFNG license
Command Mode  Config or Enable mode on master or local switches

show voice trace
show voice trace [ sccp {count <value> | ip <ip_address> | mac <mac_address>} ] [ sip {count <value> | ip <ip_address> | mac <mac_address>} ]
Description
Displays the signalling message trace details for all clients.
Syntax

Parameter  Description
count      View the specified number of the latest SIP or SCCP voice client messages. Specify an integer value.
ip         Specify the IP address of a client to display its SIP or SCCP voice client messages.
mac        Specify the IP address of a client to display its SIP or SCCP voice client messages.

Example
The output of this command shows signaling message trace.

(host) #show voice trace sip count 4

SIP Voice Client(s) Message Trace
---------------------------------
ALG  Client Name  Client(MAC)        Client(IP)   Event Time       Direction         Msg                  BSSID
---  -----------  -----------        ----------   ----------       ---------         ---                  -----
SIP  6201         00:24:7d:99:49:01  10.15.20.59  Aug 17 10:21:22  Server-To-Client  200_OK               00:1a:1e:a8:2d:80
SIP  6201         00:24:7d:99:49:01  10.15.20.59  Aug 17 10:21:22  Client-To-Server  REGISTER             00:1a:1e:a8:2d:80
SIP  6201         00:24:7d:99:49:01  10.15.20.59  Aug 17 10:21:22  Server-To-Client  4XX_REQUEST_FAILURE  00:1a:1e:a8:2d:80
SIP  6201         00:24:7d:99:49:01  10.15.20.59  Aug 17 10:21:22  Client-To-Server  REGISTER             00:1a:1e:a8:2d:80

Num of Rows:4

Command History

Version      Description
AOS-W 3.3.1  Command introduced.
AOS-W 6.0    The trace output included the BSSID parameter.

Command Information

Platforms     All platforms
Licensing     This command requires the PEFNG license
Command Mode  Config or Enable mode on master or local switches

show vpdn l2tp configuration
show vpdn l2tp configuration
Description
Displays the VPN L2TP tunnel configuration.
Syntax
No parameters.
Example
The output of this command shows the L2TP tunnel configuration.

(host) # show vpdn l2tp configuration
Enabled
Hello timeout: 30 seconds
DNS primary server: 10.16.15.1
DNS secondary server: 10.16.14.1
WINS primary server: 0.0.0.0
WINS secondary server: 0.0.0.0
PPP client authentication methods:
  PAP
IP LOCAL POOLS:
  vpnpool: 10.16.15.150 - 10.16.15.160

Command History
This command was available in AOS-W 3.0

Command Information

Platforms     All platforms
Licensing     Base operating system
Command Mode  Config or Enable mode on master or local switches

show vpdn pptp configuration
show vpdn pptp configuration
Description
Displays the PPTP configuration on the switch.
Syntax
No parameters.
Example
The output of this command shows the L2TP tunnel configuration.

(host) # show vpdn pptp configuration
Enabled
Hello timeout: 30 seconds
DNS primary server: 10.15.1.1
DNS secondary server: 10.15.1.200
WINS primary server: 0.0.0.0
WINS secondary server: 0.0.0.0
PPP client authentication methods:
  MSCHAP
  MSCHAPv2
MPPE Configuration
  128 bit encryption enabled
IP LOCAL POOLS

Command History
This command was available in AOS-W 3.0

Command Information

Platforms     All platforms
Licensing     Base operating system
Command Mode  Config or Enable mode on master or local switches

show vpdn pptp local pool
show vpdn pptp local pool <pool_name>
Description
Displays the IP address pool for VPN users using Point-to-Point Tunneling Protocol.
Syntax
No parameters.
Example
The output of this command shows all the IP address pools for VPN users.

(host) # show vpdn pptp local pool
IP addresses used in pool localgroup
  0 IPs used - 11 IPs free - 11 IPs configured

Command History
This command was available in AOS-W 3.0

Command Information

Platforms     All platforms
Licensing     Base operating system
Command Mode  Config or Enable mode on master or local switches

show vpn-dialer
show vpn-dialer <dialer_name>
Description
Displays the VPN dialer configuration for users using VPN dialers.
Syntax
No parameters.
Example
The output of this command shows the VPN dialer configuration for remote Users.

(host) # show vpn-dialer remoteUser

remoteUser
----------
Attribute           Value
---------           -----
PPTP                disabled
L2TP                enabled
DNETCLEAR           disabled
WIREDNOWIFI         disabled
PAP                 enabled
CHAP                enabled
MSCHAP              enabled
MSCHAPV2            enabled
CACHE-SECURID       disabled
IKESECS             4000
IKEENC              3DES
IKEGROUP            ONE
IKEHASH             MD5
IKEAUTH             PRE-SHARE
IKEPASSWD           ********
IPSECSECS           4000
IPSECGROUP          GROUP1
IPSECENC            ESP-3DES
IPSECAUTH           ESP-MD5-HMAC
SECURID_NEWPINMODE  disabled

Command History
This command was available in AOS-W 3.0

Command Information

Platforms     All platforms
Licensing     Base operating system
Command Mode  Config or Enable mode on master or local switches

show vrrp
show vrrp <vrid>
Description
Displays the list of all VRRP configurations on the switch. To view a specific VRRP configuration, specify the VRID number.
Syntax
No parameters.
Example
The output of this command shows the VRRP configuration enabled in one of the floors of the building.

(host) # show vrrp
Virtual Router 2:
    Description Floor-1 Settings
    Admin State DOWN, VR State INIT
    IP Address 10.15.1.10, MAC Address 00:00:5e:00:01:02, vlan 1
    Priority 2, Advertisement 10 sec, Preemption Enable Delay 10
    Auth type PASSWORD, Auth data: 123456
    tracking type is master-up-time, duration 500 minutes, value 3
    tracking type is vrrp-master-state, vrid 10, value 1
    tracking type is vlan, vlanid 1, subtract value 3
    tracking type is interface, fastethernet 1/1, subtract value 3
    tracked priority 2

Command History

Version      Modification
AOS-W 1.0    Command introduced
AOS-W 3.3    The tracking interface and tracking vlan parameters were introduced.
AOS-W 3.3.2  The add option was removed from the tracking interface and tracking vlan parameters.

Command Information

Platforms     All platforms
Licensing     Base operating system
Command Mode  Config or Enable mode on master or local switches

show web-server
show web-server
Description
Displays the configuration of the switch's web server.
Syntax
No parameters.
Example
The output of this command shows the web-server configuration.

(host) # show web-server

Web Server Configuration
------------------------
Parameter                                      Value
---------                                      -----
Cipher Suite Strength                          high
SSL/TLS Protocol Config                        sslv3 tlsv1
Switch Certificate                             default
Captive Portal Certificate                     default
Management user's WebUI access method          username/password
User session timeout <30-3600> (seconds)       900
Maximum supported concurrent clients <25-400>  25

Command History
This command was available in AOS-W 3.0

Command Information

Platforms     All platforms
Licensing     Base operating system
Command Mode  Config or Enable mode on master or local switches

show whitelist-db cpsec
show whitelist-db cpsec [mac-address <mac-address>]
Description
Display the campus AP whitelist for campus APs using the control plane security feature.
Syntax

Parameter                  Description
mac-address <mac-address>  MAC address of the campus AP you want to enter into the cpsec whitelist database.

Usage Guidelines
Use this command to display the contents of the control plane security whitelist. To view information for a single AP, use the command show whitelist-db cpsec mac-address <mac-address>. To view a list of all secure APs on your switch, use the command show whitelist-db cpsec. If your deployment includes both master and local switches, then the campus AP whitelist on every switch contains an entry for every secure AP on the network, regardless of the switch to which it is connected.

Example

The output of the following command shows the campus AP whitelist entry for an AP with the MAC address 00:16:CF:AF:3E:E1:

(host) #show whitelist-db cpsec mac-address 00:16:CF:AF:3E:E1

Control-Plane Security Whitelist-entry Details
----------------------------------------------
MAC-Address        Enable   State                      Cert-Type    Revoke Text  Secondary Key  Last Updated
-----------        ------   -----                      ---------    -----------  -------------  ------------
00:16:CF:AF:3E:E1  Enabled  certified-controller-cert  switch-cert                              Fri Oct 16 01:

Whitelist Entries: 1

The output of this command includes

Parameter      Description
MAC-Address    MAC address of the campus AP.
Enable         Shows whether the campus AP has been enabled or disabled.
State          Shows the current state of the campus AP.
               • unapproved-no-cert: AP has no certificate and is not approved.
               • unapproved-factory-cert: AP has a preinstalled certificate that was not approved.
               • approved-ready-for-cert: AP is valid, but is waiting to receive a certificate.
               • certified-factory-cert: AP has an approved factory-installed certificate.
               • certified-controller-cert: AP has an approved certificate from the switch.
               • certified-hold-factory-cert: An AP is put in this state when the switch thinks the AP has been certified with a factory certificate yet the AP requests to be certified again. Since this is not a normal condition, the AP will not be reapproved as a secure AP until a network administrator manually changes the status of the AP to verify that it is not compromised.
               • certified-hold-controller-cert: An AP is put in this state when the switch thinks the AP has been certified with a switch certificate yet the AP requests to be certified again. Since this is not a normal condition, the AP will not be reapproved as a secure AP until a network administrator manually changes the status of the AP to verify that it is not compromised.
Cert-Type      Type of certificate used by the AP.
               • switch-cert: AP received a certificate from the switch.
               • factory-cert: AP has a factory-installed certificate.
Description    If you included an optional description when you added the AP to the campus AP whitelist, that description will appear here.
Revoke Text    If you included an optional revoke description when you manually revoked the AP, that description will appear here.
Secondary Key  For internal use only.
Last Updated   Date and time that the AP record was last updated in the database.
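
The State values listed above can be triaged automatically from captured command output. The following Python sketch is an added example, not part of the AOS-W guide: it groups whitelist rows by state and lists the APs held in a certified-hold state, which are the ones an administrator has to verify by hand. The sample rows are constructed, and the function names, the four-field row shape and the mapping to the show whitelist-db cpsec-status labels are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample rows (MAC, Enable, State, Cert-Type), in the field order
# of the example entry above. The MAC addresses are made up for illustration.
SAMPLE_WHITELIST = """\
00:16:CF:AF:3E:E1  Enabled   certified-controller-cert       switch-cert
00:16:CF:AF:3E:E2  Enabled   certified-hold-factory-cert     factory-cert
00:16:CF:AF:3E:E3  Enabled   unapproved-factory-cert         factory-cert
00:16:CF:AF:3E:E4  Disabled  approved-ready-for-cert
00:16:CF:AF:3E:E5  Enabled   certified-hold-controller-cert  switch-cert
00:16:CF:AF:3E:E6  Enabled   unapproved-no-cert

Whitelist Entries: 6
"""

# One whitelist row: MAC, Enabled/Disabled, hyphenated state, optional cert type.
ENTRY = re.compile(
    r"^(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\s+"
    r"(?P<enable>Enabled|Disabled)\s+"
    r"(?P<state>[a-z]+(?:-[a-z]+)+)"
    r"(?:\s+(?P<cert>switch-cert|factory-cert))?"
)

# Order matters: every certified-hold-* state also starts with "certified-",
# so the hold prefix has to be tested first.
BUCKETS = (
    ("certified-hold-", "certified-hold"),
    ("certified-", "certified"),
    ("unapproved-", "unapproved"),
    ("approved-ready-for-cert", "approved"),
)

# Assumed mapping from this example's buckets to the labels printed by
# "show whitelist-db cpsec-status", based on that command's descriptions.
STATUS_LABELS = {
    "approved": "Approved entries",
    "unapproved": "Unapproved entries",
    "certified": "Certified entries",
    "certified-hold": "Certified hold entries",
}


def bucket_for(state):
    """Map a State value to its bucket, or 'unknown' for an unlisted state."""
    for prefix, name in BUCKETS:
        if state.startswith(prefix):
            return name
    return "unknown"


def triage(output):
    """Group whitelist rows by state bucket; lines that are not rows are skipped."""
    groups = defaultdict(list)
    for line in output.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # titles, rules, blank lines, "Whitelist Entries: N"
        groups[bucket_for(m["state"])].append({
            "mac": m["mac"].lower(),
            "enabled": m["enable"] == "Enabled",
            "state": m["state"],
            "cert_type": m["cert"],
        })
    return dict(groups)


def needs_manual_review(output):
    """MACs of APs that asked to be certified again and are held for an admin."""
    return [e["mac"] for e in triage(output).get("certified-hold", [])]


def status_counts(output):
    """Per-bucket totals, keyed by the matching cpsec-status label."""
    groups = triage(output)
    return {label: len(groups.get(b, [])) for b, label in STATUS_LABELS.items()}


if __name__ == "__main__":
    for mac in needs_manual_review(SAMPLE_WHITELIST):
        print("manual review required:", mac)
    print(status_counts(SAMPLE_WHITELIST))
```

The totals from status_counts can be compared with the output of show whitelist-db cpsec-status on the same switch; a mismatch means the capture was incomplete or the whitelist changed between the two commands.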

Related Commands

Command                                           Description                                                                Mode
whitelist-db cpsec add mac-address <mac-address>  Configure the campus AP whitelist for the control plane security feature.  Config mode

Command History
This command was introduced in AOS-W 5.0.

Command Information

Platforms     All platforms
Licensing     Base operating system.
Command Mode  Enable mode on master or local switches

show whitelist-db cpsec-local-switch-list
show whitelist-db cpsec-local-switch-list [mac-address <mac-address>]
Description
Display the list of local switches with APs using the control plane security feature.
Syntax

Parameter                  Description
mac-address <mac-address>  MAC address of the local switch whose data you want to view.

Usage Guidelines
When you use the control plane feature on a network with both master and local switches, the master switch maintains a whitelist of local switches with APs using control plane security. When you change a campus AP whitelist on any switch, that switch contacts the master switch to check the local switch whitelist, then contacts every other switch on the local switch whitelist to notify it of the change. This allows an AP to move between local switches and still stay connected to the secure network.
To view information for a single local switch, use the command show whitelist-db cpsec-local-list mac-address <mac-address>. To view a list of all local switches, use the command show whitelist-db cpsec-local-switch-list.

Example

The following command shows information for all local switches in the local switch whitelist:

(host) #show whitelist-db cpsec-local-switch-list

Registered Local Switch Details
-----------------------------------
MAC-Address        IP-Address  Sequence Number  Remote Sequence Number  NULL Update Count
-----------        ----------  ---------------  ----------------------  -----------------
00:0b:86:51:a5:4c  10.3.53.2   3                1                       0
00:A0:C9:14:C8:29  10.3.53.4   3                0                       0

Whitelist Entries: 2

The output of this command includes

Parameter               Description
MAC-Address             MAC address of the local switch.
IP-Address              IP address of the local switch.
Sequence Number         The number of times the local switch in the whitelist received and acknowledged a campus AP whitelist change from the master switch. In the example above, both local switches received and acknowledged three campus AP whitelist changes sent from the master switch.
Remote Sequence Number  The number of times that the master switch has received and acknowledged a campus AP whitelist change from the local switch in the whitelist. In the example above, the master switch received and acknowledged a single campus AP whitelist change from the local switch with the MAC address 00:0b:86:51:a5:4c.
Null Update Count       The number of times the switch has checked its control plane security whitelist and found nothing to synchronize with the remote switch. By default, the switch compares its control plane security whitelist against whitelists on other switches every minute. If the null update count reaches 5, the switch will send an "empty sync" heartbeat to the remote switch to ensure the sequence numbers on both switches are the same, then reset the null update count to zero.

Related Commands

Command                               Description                                                                   Mode
whitelist-db cpsec-local-switch-list  Configure the local switch whitelist for the control plane security feature.  Config mode

Command History

Version    Modification
AOS-W 5.0  Command introduced
AOS-W 6.0  The cpsec-local-ctrlr-list parameter was modified to cpsec-local-switch-list

Command Information

Platforms     All platforms
Licensing     Base operating system
Command Mode  Config mode on master switches

show whitelist-db cpsec-master-switch-list
show cpsec-master-ctlr-list-db cpsec show whitelist-db cpsec-master-switch-list [mac-address <mac-address>]
Description
Display the master switch list whitelist on local switches with APs using the control plane security feature.
Syntax

Parameter                  Description
mac-address <mac-address>  MAC address of the master switch.

Usage Guidelines
When you use the control plane feature on a network with both master and local switches, each local switch has a master switch whitelist which contains the IP and MAC addresses of its master switch. If your network has a redundant master switch, then this whitelist will contain more than one entry.
To view information for a single master switch, use the command show whitelist-db cpsec-master-switch-list mac-address <mac-address>. To view a list of all master switches, use the command show whitelist-db cpsec-master-switch-list.

Example

The following command shows that the local switches have a single master switch with the IP address 10.3.53.3:

(host) #show whitelist-db cpsec-master-list

Registered Master Switch Details
------------------------------------
MAC-Address        IP-Address  Sequence Number  Remote Sequence Number  NULL Update Count
-----------        ----------  ---------------  ----------------------  -----------------
00:0b:86:61:21:c8  10.3.53.3   1                3

Whitelist Entries: 1

The output of this command includes

Parameter               Description
MAC-Address             MAC address of the master switch.
IP-Address              IP address of the master switch.
Sequence Number         The number of times the master switch in the whitelist received and acknowledged a campus AP whitelist change from the local switch. In the example above, the master switch received and acknowledged one campus AP whitelist change from the local switch.
Remote Sequence Number  The number of times that the local switch has received and acknowledged a campus AP whitelist change from the master switch in the whitelist. In the example above, the local switch received and acknowledged three campus AP whitelist updates from the master switch.
Null Update Count       The number of times the switch has checked its control plane security whitelist and found nothing to synchronize with the master switch. By default, the switch compares its control plane security whitelist against whitelists on other switches every minute. If the null update count reaches 5, the switch will send an "empty sync" heartbeat to the remote switch to ensure the sequence numbers on both switches are the same, then reset the null update count to zero.

Related Commands

Command                                Description                                                                    Mode
whitelist-db cpsec-master-switch-list  Configure the master switch whitelist for the control plane security feature.  Config mode

Command History

Version    Modification
AOS-W 5.0  Command introduced
AOS-W 6.0  The cpsec-master-ctrlr-list parameter was modified to cpsec-master-switch-list

Command Information

Platforms     All platforms
Licensing     Base operating system.
Command Mode  Config mode on local switches

show whitelist-db cpsec-seq
show whitelist-db cpsec-seq

Description
Display the current sequence number for the master or local switch whitelists.

Syntax
No Parameters

Usage Guidelines
The current sequence number in the Sequence Number Details table shows the number of changes to the campus AP whitelist made on this switch.
Each switch compares its campus AP whitelist against whitelists on other switches every two minutes. If a switch detects a difference, it will send its changes to the other switches on the network. If all other switches on the network have successfully received and acknowledged all whitelist changes made on this switch, every entry in the sequence number column in the switch whitelist will have the same value as the number displayed in the Sequence Number Details table. If a switch in the master or local switch whitelist has a lower sequence number, that switch may still be waiting to complete its update, or its update acknowledgement may not have yet been received.

Example

The output of the first command below shows that the campus AP whitelist has been updated 3 times on the master switch. The second command shows the local switch list on the master switch, and verifies that both local switches have received and acknowledged all three of these changes.

(host) #show whitelist-db cpsec-seq

Sequence Number Details
-----------------------
Table Name       Current Seq Number
----------       ------------------
cpsec_whitelist  3

Whitelist Entries: 97

(host) # show whitelist-db cpsec-local-list

Registered Local Controller Details
-----------------------------------
MAC-Address        IP-Address  Sequence Number  Remote Sequence Number  NULL Update Count
-----------        ----------  ---------------  ----------------------  -----------------
00:0b:86:51:a5:4c  10.3.53.2   3                1                       0
00:A0:C9:14:C8:29  10.3.53.4   3                0                       0

Whitelist Entries: 2
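
The comparison described in the Usage Guidelines above can be run over captured output. The following Python sketch is an added example, not part of the AOS-W guide: it reads the current sequence number from show whitelist-db cpsec-seq output and reports every switch in the local switch list whose Sequence Number is lower. The sample output is constructed (one switch is made to lag by one change), and the function names and the fixed-width table layout are assumptions of this example.

```python
import re

# Constructed sample output, laid out like the tables in the example above.
SEQ_OUTPUT = """\
Sequence Number Details
-----------------------
Table Name       Current Seq Number
----------       ------------------
cpsec_whitelist  3

Whitelist Entries: 97
"""

# Constructed: the second switch has acknowledged only 2 of the 3 changes.
LOCAL_LIST_OUTPUT = """\
Registered Local Switch Details
-------------------------------
MAC-Address        IP-Address  Sequence Number  Remote Sequence Number  NULL Update Count
-----------        ----------  ---------------  ----------------------  -----------------
00:0b:86:51:a5:4c  10.3.53.2   3                1                       0
00:A0:C9:14:C8:29  10.3.53.4   2                0                       4

Whitelist Entries: 2
"""


def parse_table(output, title_prefix):
    """Parse one dash-ruled table: title, rule, header row, column rule, rows.

    Column boundaries come from the dash runs under the header, so header
    names containing spaces and empty trailing cells are handled.
    """
    lines = output.splitlines()
    start = next((i for i, line in enumerate(lines)
                  if line.strip().startswith(title_prefix)), None)
    if start is None or start + 3 >= len(lines):
        raise ValueError(f"table {title_prefix!r} not found")
    header, rule = lines[start + 2], lines[start + 3]
    starts = [m.start() for m in re.finditer(r"-+", rule)]
    ends = starts[1:] + [None]
    names = [header[a:b].strip() for a, b in zip(starts, ends)]
    rows = []
    for line in lines[start + 4:]:
        if not line.strip():
            break  # a blank line ends the table body
        rows.append({n: line[a:b].strip()
                     for n, a, b in zip(names, starts, ends)})
    return rows


def sync_report(seq_output, list_output):
    """Return (current_seq, lagging).

    lagging holds (mac, ip, missing) for each switch whose acknowledged
    Sequence Number is below the current number; missing is None when the
    cell could not be read, which is reported rather than assumed in sync.
    """
    seq_rows = parse_table(seq_output, "Sequence Number Details")
    value = next((r["Current Seq Number"] for r in seq_rows
                  if r["Table Name"] == "cpsec_whitelist"), None)
    if value is None or not value.isdigit():
        raise ValueError("no current sequence number for cpsec_whitelist")
    current = int(value)

    lagging = []
    # "Registered Local" matches both the Switch and the Controller title.
    for row in parse_table(list_output, "Registered Local"):
        acked = row["Sequence Number"]
        if not acked.isdigit():
            lagging.append((row["MAC-Address"], row["IP-Address"], None))
        elif int(acked) < current:
            lagging.append((row["MAC-Address"], row["IP-Address"],
                            current - int(acked)))
    return current, lagging


if __name__ == "__main__":
    current, lagging = sync_report(SEQ_OUTPUT, LOCAL_LIST_OUTPUT)
    print("current sequence number:", current)
    for mac, ip, missing in lagging:
        print(f"{mac} ({ip}) has not acknowledged {missing} change(s)")
```

A switch that stays in the lagging list across several comparison intervals is the case the guidelines describe as still waiting to complete its update or to have its acknowledgement received.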

Related Commands

Command                                           Description                                                                Mode
whitelist-db cpsec add mac-address <mac-address>  Configure the campus AP whitelist for the control plane security feature.  Config mode

Command History
This command was introduced in AOS-W 5.0.

Command Information

Platforms     All platforms
Licensing     Base operating system
Command Mode  Enable mode on master or local switches

show whitelist-db cpsec-status
show whitelist-db cpsec-status

Description
Display aggregate status information for APs in the campus AP whitelist.

Syntax
No parameters.

Example
The output of the following command shows current status information for all APs in the campus AP whitelist:

(host) #show whitelist-db cpsec cpsec-status

Entries in Whitelist database
Total entries:                41
Approved entries:             0
Unapproved entries:           0
Certified entries:            40
Certified hold entries:       0
Revoked entries:              1
Marked for deletion entries:  0

(Host) #

The output of this command includes

Parameter                    Description
Total entries                Total number of entries in the campus AP whitelist.
Approved entries             Number of APs that are valid, but are waiting to receive a certificate.
Unapproved entries           Number of APs that have a certificate that was not approved.
Certified entries            Number of APs that have an approved certificate.
Certified hold entries       Number of APs in the certified hold state. An AP is put in this state when the switch thinks the AP has a certified certificate yet the AP requests to be certified again. Since this is not a normal condition, the AP will not be reapproved as a secure AP until a network administrator manually changes the status of the AP to verify that it is not compromised.
Revoked entries              Number of APs whose entries have been revoked.
Marked for deletion entries  Number of APs whose entries have been marked for deletion. An entry will not be permanently deleted until all other switches on the network acknowledge the deletion.

Related Commands

Command                  Description                                                                               Mode
show whitelist-db cpsec  Display the campus AP whitelist for campus APs using the control plane security feature.  Config mode

Command History
This command was introduced in AOS-W 5.0.

Command Information

Platforms     All platforms
Licensing     Base operating system.
Command Mode  Enable mode on master or local switches

The example below shows that the switch has two configured 3GPP profiles. The References column lists the number of other profiles with references to the advertisement profile, and the Profile Status column indicates whether the profile is predefined. User-defined profiles will not have an entry in the Profile Status column

1372 | show whitelist-db cpsec-status

AOS-W 6.2 | Reference Guide

The example below shows that the switch has two configuredDomain Name profiles. The References column lists the number of other profiles with references to the Domain Name profile, and the Profile Status column indicates whether the profile is predefined. User-defined profiles will not have an entry in the Profile Status column


The example below shows that the switch has three configured IP Address Availability profiles. The References column lists the number of other profiles with references to the IP Address Availability profile, and the Profile Status column indicates whether the profile is predefined. User-defined profiles will not have an entry in the Profile Status column


The example below shows that the switch has three configured NAI Realm profiles. The References column lists the number of other profiles with references to the NAI Realm profile, and the Profile Status column indicates whether the profile is predefined. User-defined profiles will not have an entry in the Profile Status column.

(host) # show wlan anqp-nai-realm-profile

ANQP NAI Realm Profile List
---------------------------
Name     References  Profile Status
----     ----------  --------------
default  0
Realm1   2
Realm2   2

Total:3


The example below shows that the switch has two configured Network Authentication profiles. The References column lists the number of other profiles with references to the Network Authentication profile, and the Profile Status column indicates whether the profile is predefined. User-defined profiles will not have an entry in the Profile Status column.

(host) # show wlan anqp-nwk-auth-profile

ANQP Network Authentication Profile List
----------------------------------------
Name     References  Profile Status
----     ----------  --------------
auth1    0
default  0

Total:2

(host) #show wlan anqp-nwk-auth-profile default

ANQP Network Authentication Profile "default"
------------------------------------------------
Parameter                       Value
---------                       -----
Type of Network Authentication  acceptance
Redirect URL                    N/A


The example below shows that the switch has two configured Roaming Consortium profiles. The References column lists the number of other profiles with references to the Roaming Consortium profile, and the Profile Status column indicates whether the profile is predefined. User-defined profiles will not have an entry in the Profile Status column.


The example below shows that the switch has two configured Venue Name profiles. The References column lists the number of other profiles with references to the Venue Name profile, and the Profile Status column indicates whether the profile is predefined. User-defined profiles will not have an entry in the Profile Status column.


show wlan bcn-rpt-req-profile
show wlan bcn-rpt-req-profile <profile-name>
Description
Shows configuration and other information about the parameters for the Beacon Report Request frames.
Syntax

Parameter <profile>

Description Name of a WLAN advertisement profile.

Usage Guidelines
Issue this command without the <profile> parameter to display the entire Beacon Report Request profile list, including profile status and the number of references to each profile. Include a profile name to display detailed configuration information for that profile.
For this profile to take effect, the 802.11K feature needs to be enabled.

Examples

(host) #show wlan bcn-rpt-req-profile

Beacon Report Request Profile List
----------------------------------
Name     References  Profile Status
----     ----------  --------------
default  1
test     0

Total:2

(host) #

(host) #show wlan bcn-rpt-req-profile default

Beacon Report Request Profile "default"
---------------------------------------
Parameter                            Value
---------                            -----
Interface                            1
Regulatory Class                     12
Channel                              9
Randomization Interval               100
Measurement Duration                 100
Measurement Mode for Beacon Reports  active-all-ch
Reporting Condition                  2
ESSID Name                           aruba-ap
Reporting Detail                     Disabled
Measurement Duration Mandatory       Disabled
Request Information values           0/21/22

The output of this command includes the following parameters:


Parameter

Description

Interface

Specifies the Radio interface for transmitting the Beacon Report Request frame. It can have a value of either 0 or 1.

Regulatory Class

Specifies the Regulatory Class field in the Beacon Report Request frame.

Channel

Specifies the Channel field in the Beacon Report Request frame.

Randomization Interval

Specifies the Randomization Interval field in the Beacon Report Request frame. The Randomization Interval is used to specify the desired maximum random delay in the measurement start time. It is expressed in units of TUs (Time Units).

Measurement Duration

Specifies the Measurement Duration field in the Beacon Report Request frame. The Measurement Duration is set to the duration of the requested measurement. It is expressed in units of TUs.

Measurement Mode for Beacon Reports

Specifies the mode used for the measurement. The valid measurement modes are:
- active-all-ch
- active-ch-rpt
- beacon-table
- passive

Reporting Condition

Specifies the value for the "Reporting Condition" field in the Beacon Reporting Information sub-element present in the Beacon Report Request frame.

ESSID Name

Specifies the value for the "SSID" field in the Beacon Report Request frame.

Reporting Detail

Indicates the value for the "Detail" field in the Reporting Detail subelement present in the Beacon Report Request frame.

Measurement Duration Mandatory

Specifies the "Duration Mandatory" bit of the Measurement Request Mode field of the Beacon Report Request frame.

Request Information values

Indicates the contents of the Request Information IE that could be present in the Beacon Report Request frame. The Request Information IE is present for all Measurement Modes except the 'Beacon Table' mode. It consists of a list of Element IDs that should be included by the client in the response frame.

Command History
This command was introduced in AOS-W 6.2.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode Enable mode on master or local switches


show wlan dot11k-profile
show wlan dot11k-profile [<profile>]
Description
Show a list of all 802.11k profiles, or display detailed configuration information for a specific 802.11k profile.
Syntax

Parameter <profile>

Description Name of an 802.11k profile.

Usage Guidelines
Issue this command without the <profile> parameter to display the 802.11k profile list, including profile status and the number of references to each profile. Include a profile name to display detailed configuration information for that profile.

Examples
The example below shows that the switch has two configured 802.11k profiles. The References column lists the number of other profiles with references to the 802.11k profile, and the Profile Status column indicates whether the profile is predefined. (User-defined profiles will not have an entry in the Profile Status column.)

(host) #show wlan dot11k-profile

802.11K Profile List
--------------------
Name         References  Profile Status
----         ----------  --------------
default      8
11kprofile2  1

Total: 2

The following example shows configuration settings defined for the profile default.

(host) #show wlan dot11k-profile default

802.11K Profile "default"
-------------------------
Parameter                                                               Value
---------                                                               -----
Advertise 802.11K Capability                                            Disabled
Forcefully disassociate on-hook voice clients                           Disabled
Measurement Mode for Beacon Reports                                     beacon-table
Configure specific channel for Beacon Requests                          Disabled
Channel requested for Beacon Reports in 'A' band                        36
Channel requested for Beacon Reports in 'BG' band                       1
Time duration between consecutive Beacon Requests                       60 sec
Time duration between consecutive Link Measurement Requests             60 sec
Time duration between consecutive Transmit Stream Measurement Requests  90 sec

The output of this command includes the following data columns:


Parameter

Description

Advertise 802.11K Capability

Shows if the profile has enabled or disabled the 802.11K feature.

Forcefully disassociate on-hook voice clients

If enabled, the AP may forcefully disassociate clients that reach the maximum CAC peak capacity or call handoff reservation.

Measurement Mode for Beacon Reports

Shows the profile's beacon measurement mode:
- active: In this mode, the client sends a probe request to the broadcast destination address on all supported channels, sets a measurement duration timer, and, at the end of the measurement duration, compiles all received beacons or probe responses with the requested SSID and BSSID into a measurement report.
- beacon-table: In this mode, the client measures beacons and returns a report with stored beacon information for any supported channel with the requested SSID and BSSID. The client does not perform any additional measurements. This is the default beacon measurement mode.
- passive: In this mode, the client sets a measurement duration timer, and, at the end of the measurement duration, compiles all received beacons or probe responses with the requested SSID and BSSID into a measurement report.

Command History
This command was introduced in AOS-W 3.0.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode Enable and Config mode on master or local switches.


show wlan edca-parameters-profile
show wlan edca-parameters-profile ap|station [<profile>]
Description
Display an Enhanced Distributed Channel Access (EDCA) profile for APs or for clients (stations). EDCA profiles are specific either to APs or clients.
Syntax

Parameter <profile>

Description Name of an EDCA Parameters profile.

Usage Guidelines
Issue this command without the <profile> parameter to display an EDCA Parameters profile list, including profile status and the number of references to each profile. Include a profile name to display detailed configuration information for that profile.

Examples

The example below shows that the switch has three EDCA Parameters profiles configured for stations. The References column lists the number of other profiles with references to the EDCA Parameters profile, and the Profile Status column indicates whether the profile is predefined. (User-defined profiles will not have an entry in the Profile Status column.)

(host) #show wlan edca-parameters-profile station

EDCA Parameters profile (Station) List
---------------------------------
Name           References  Profile Status
----           ----------  --------------
station-corp1  3
station-corp2  1
testprofile    0

Total:3

The following example shows configuration settings defined for the profile station-corp1.

(host) #show wlan edca-parameters-profile ap station-corp1

EDCA Parameters
---------------
AC           ECWmin  ECWmax  AIFSN  TXOP  ACM
--           ------  ------  -----  ----  ---
Best-effort  4       6       3      0     0
Background   4       10      7      0     0
Video        3       4       1      94    0
Voice        2       3       1      47    0

The output of this command includes the following data columns:

Parameter
Description

AC
Name of an Access channel queue (Best-effort, Background, Video or Voice).

ECWmin
The exponential (n) value of the minimum contention window size, as expressed by 2^n-1. A value of 4 computes to 2^4-1 = 15.

ECWmax
The exponential (n) value of the maximum contention window size, as expressed by 2^n-1. A value of 4 computes to 2^4-1 = 15.

AIFSN
Arbitrary inter-frame space number.

TXOP
Transmission opportunity, in units of 32 microseconds.

ACM
If this column displays a 1, the profile has enabled mandatory admission control. If this column displays a 0, the profile has disabled this feature.

Command History
This command was introduced in AOS-W 3.1.
Command Information

Platforms All platforms

Licensing
This show command is available in the base operating system, but the switch must have the PEFNG license in order to configure EDCA Parameter Profiles.

Command Mode
Enable and Config mode on master or local switches


show wlan handover-trigger-profile
show wlan handover-trigger-profile [<profile-name>]

Description
Displays the current configuration settings for a handover trigger profile.

Usage Guidelines
Issue this command without the <profile> parameter to display a handover trigger profile list, including profile status and the number of references to each profile. Include a profile name to display detailed configuration information for that profile.
For this profile to take effect, the 802.11K feature needs to be enabled.

Example

(host) #show wlan handover-trigger-profile default

Handover Trigger Profile "default"
----------------------------------
Parameter                                                                               Value
---------                                                                               -----
Enable Handover Trigger feature                                                         Enabled
Threshold signal strength value at which Handover Trigger should be sent to the client  25 -dBm

The output of this command includes the following information:

Parameter
Description

Enable Handover Trigger feature
Shows if the handoff trigger feature is enabled or disabled. If enabled, the switch will initiate the handover of a voice client (for example: dual mode handsets) roaming at the edge of Wi-Fi coverage to an alternate carrier or connection. The handover trigger is initiated if the Wi-Fi signal strength reported by the voice client (received from all APs) is equal to or less than the threshold value.

Threshold signal strength value at which Handover Trigger should be sent to the client
Shows the threshold RSSI value below which a handover trigger message will be sent to an associated client by the AP.

Command History
This command was introduced in AOS-W 6.2.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode Enable mode on master or local switches


show wlan ht-ssid-profile
show wlan ht-ssid-profile [<profile>]
Description
Show a list of all High-throughput SSID profiles, or display detailed configuration information for a specific High-throughput SSID profile.
Syntax

Parameter <profile>

Description Name of a High-throughput SSID profile.

Usage Guidelines
Issue this command without the <profile> parameter to display the entire High-throughput SSID profile list, including profile status and the number of references to each profile. Include a profile name to display detailed configuration information for that profile.

Examples

The example below shows that the switch has two configured High-throughput SSID profiles. The References column lists the number of other profiles with references to the High-throughput SSID profile, and the Profile Status column indicates whether the profile is predefined. (User-defined profiles will not have an entry in the Profile Status column.)

(host) #show wlan ht-ssid-profile

High-throughput SSID profile List

---------------------------------

Name

----

HT-profile1

16default2

References Profile Status ---------- --------------
1

Total:2

The following example shows configuration settings defined for the profile default2.

(host) #show wlan ht-ssid-profile default

High-throughput SSID profile "default2"
---------------------------------------
Parameter                                                       Value
---------                                                       -----
40 MHz channel usage                                            Enabled
BA AMSDU Enable                                                 Enabled
High throughput enable (SSID)                                   Enabled
Legacy stations                                                 Allowed
Low-density Parity Check                                        Enabled
Maximum number of spatial streams usable for STBC reception     1
Maximum number of spatial streams usable for STBC transmission  1
MPDU Aggregation                                                Enabled
Max received A-MPDU size                                        65535 bytes
Max transmitted A-MPDU size                                     65535 bytes
Min MPDU start spacing                                          8 usec
Short guard interval in 20 MHz mode                             Enabled
Short guard interval in 40 MHz mode                             Enabled
Supported MCS set                                               0-23


The output of this command includes the following data columns:

Parameter
Description

40 MHz channel usage
Shows if the profile enables or disables the use of 40 MHz channels.

BA AMSDU Enable
Shows if the AP has enabled or disabled the ability to receive AMSDU in BA negotiation.

High throughput enable (SSID)
Shows if the profile enables or disables high-throughput (802.11n) features.

Legacy stations
Allow or disallow associations from legacy (non-HT) stations. By default, this parameter is enabled (legacy stations are allowed).

Low-density Parity Check
If enabled, the AP will advertise Low-density Parity Check (LDPC) support. LDPC improves data transmission over radio channels with high levels of background noise.

Maximum number of spatial streams usable for STBC reception
Shows the maximum number of spatial streams usable for STBC reception. 0 disables STBC reception, 1 uses STBC for MCS 0-7. Higher MCS values are not supported. (Supported on the OAW-AP90 series, OAW-AP130 Series, OAW-AP68, OAW-AP175 and OAW-AP105 only. The configured value will be adjusted based on AP capabilities.)

Maximum number of spatial streams usable for STBC transmission
Shows the maximum number of spatial streams usable for STBC transmission. 0 disables STBC transmission, 1 uses STBC for MCS 0-7. Higher MCS values are not supported. (Supported on OAW-AP90 series, OAW-AP175, OAW-AP130 Series and OAW-AP105 only. The configured value will be adjusted based on AP capabilities.)

MPDU Aggregation
Shows if the profile enables or disables MAC protocol data unit (MPDU) aggregation.

Max received A-MPDU size
Configured maximum size of a received aggregate MPDU, in bytes.

Max transmitted A-MPDU size
Configured maximum size of a transmitted aggregate MPDU, in bytes.

Min MPDU start spacing
Configured minimum time between the start of adjacent MPDUs within an aggregate MPDU, in microseconds.

Supported MCS set
Displays a list of Modulation Coding Scheme (MCS) values or ranges of values to be supported on this SSID. The MCS you choose determines the channel width (20MHz vs. 40MHz) and the number of spatial streams used by the mesh node.

Short guard interval in 20 MHz mode
Shows if the profile enables or disables use of short (400ns) guard interval in 20 MHz mode.

Short guard interval in 20 MHz mode
Shows if the profile enables or disables use of short (400ns) guard interval in 40 MHz mode.

Command History
Version
Description

AOS-W 3.3
Command introduced

AOS-W 3.3.1
The Legacy Stations parameter was introduced

AOS-W 3.3.2
De-aggregation of MAC Service Data Units (A-MSDUs) was introduced

AOS-W 6.1
The following parameters were introduced:
- Short guard interval in 20 MHz mode
- Low-density Parity Check
- Maximum number of spatial streams usable for STBC reception
- Maximum number of spatial streams usable for STBC transmission
The allow weak encryption parameter was deprecated.

Command Information

Platforms
All platforms but operates with IEEE 802.11n compliant devices only

Licensing

Command Mode Config mode on master switches


show wlan ssid-profile
show wlan ssid-profile [<profile>]
Description
Show a list of all SSID profiles, or display detailed configuration information for a specific SSID profile.
Syntax

Parameter <profile>

Description Name of an SSID profile.

Usage Guidelines
Issue this command without the <profile> parameter to display the entire SSID profile list, including profile status and the number of references to each profile. Include a profile name to display detailed configuration information for that profile.

Examples

The example below shows that the switch has six configured SSID profiles. The References column lists the number of other profiles with references to the SSID profile, and the Profile Status column indicates whether the profile is predefined. (User-defined profiles will not have an entry in the Profile Status column.)

(host) #show wlan ssid-profile

SSID Profile List
-----------------
Name
----
coltrane-ssid-profile
corp1-ssid-profile
Remote
Secure-Profile2
test-ssid-profile
wizardtest-ssid-profile

References ---------1
1 0 1 1

Profile Status --------------
3

Total:6

The following example shows configuration settings defined for the SSID Profile Remote.

(host) #show wlan ssid-profile remote

SSID Profile "Remote"
---------------------
Parameter                                         Value
---------                                         -----
SSID enable                                       Enabled
ESSID                                             aruba-ap
Encryption                                        opensystem
Enable Management Frame Protection                Disabled
Require Management Frame Protection               Disabled
DTIM Interval                                     1 beacon periods
802.11a Basic Rates                               6 12 24
802.11a Transmit Rates                            6 9 12 18 24 36 48 54
802.11g Basic Rates                               12
802.11g Transmit Rates                            1 2 5 6 9 11 12 18 24 36 48 54
Station Ageout Time                               1000 sec
Max Transmit Attempts                             8
RTS Threshold                                     2333 bytes
Short Preamble                                    Enabled
Max Associations                                  64
Wireless Multimedia (WMM)                         Disabled
Wireless Multimedia U-APSD (WMM-UAPSD) Powersave  Enabled
WMM TSPEC Min Inactivity Interval                 0 msec
Override DSCP mappings for WMM clients            Disabled
DSCP mapping for WMM voice AC                     N/A
DSCP mapping for WMM video AC                     N/A
DSCP mapping for WMM best-effort AC               N/A
DSCP mapping for WMM background AC                N/A
Multiple Tx Replay Counters                       Disabled
Hide SSID                                         Disabled
Deny_Broadcast Probes                             Disabled
Local Probe Request Threshold (dB)                0
Disable Probe Retry                               Enabled
Battery Boost                                     Disabled
WEP Key 1                                         N/A
WEP Key 2                                         N/A
WEP Key 3                                         N/A
WEP Key 4                                         N/A
WEP Transmit Key Index                            1
WPA Hexkey                                        N/A
WPA Passphrase                                    N/A
Maximum Transmit Failures                         0
EDCA Parameters Station profile                   N/A
EDCA Parameters AP profile                        N/A
BC/MC Rate Optimization                           Disabled
Rate Optimization for delivering EAPOL frames     Disabled
Strict Spectralink Voice Protocol (SVP)           Disabled
High-throughput SSID Profile                      default
802.11g Beacon Rate                               default
802.11a Beacon Rate                               default
Advertise QBSS Load IE                            Disabled
Advertise Location Info                           Enabled
Advertise AP Name                                 Disabled
802.11R Profile                                   N/A
Enforce user vlan for open stations               Enabled

The output of this command includes the following data columns:

Parameter
Description

SSID
Shows if the profile has enabled or disabled this SSID.

ESSID
Name that uniquely identifies a wireless network. If the ESSID includes spaces, you must enclose it in quotation marks.

Encryption
The layer-2 authentication and encryption type used on this ESSID.

DTIM Interval
The interval, in milliseconds, between the sending of Delivery Traffic Indication Messages (DTIMs) in the beacon.

802.11a Basic Rates
List of supported 802.11a rates, in Mbps, that are advertised in beacon frames and probe responses.

802.11a Transmit Rates
Set of 802.11a rates at which the AP is allowed to send data.

802.11g Basic Rates
List of supported 802.11b/g rates, in Mbps, that are advertised in beacon frames and probe responses.

802.11g Transmit Rates
Set of 802.11b/g rates at which the AP is allowed to send data.

Station Ageout Time
Time, in seconds, that a client is allowed to remain idle before being aged out.

Max Transmit Attempts
Maximum transmission failures allowed before the client gives up.

RTS Threshold
Wireless clients transmitting frames larger than this defined threshold must issue Request to Send (RTS) and wait for the AP to respond with Clear to Send (CTS).

Short Preamble
Shows if the profile enables or disables short preamble for 802.11b/g radios.

Max Associations
Maximum number of wireless clients for the AP.

Wireless Multimedia (WMM)
Shows if the profile enables or disables WMM, also known as IEEE 802.11e Enhanced Distribution Coordination Function (EDCF).

Wireless Multimedia U-APSD (WMM-UAPSD) Powersave
Shows if the profile enables or disables Wireless Multimedia (WMM) UAPSD powersave.

WMM TSPEC Min Inactivity Interval
Specifies the minimum inactivity time-out threshold of WMM traffic.

DSCP mapping for WMM voice AC
DSCP value used to map WMM voice traffic.

DSCP mapping for WMM video AC
DSCP value used to map WMM video traffic.

DSCP mapping for WMM best-effort AC
DSCP value used to map WMM best-effort traffic.

DSCP mapping for WMM background AC
DSCP value used to map WMM background traffic.

902il Compatibility Mode
(For clients using NTT DoCoMo 902iL phones only) When enabled, the switch does not drop packets from the client if a small or old initialization vector value is received.

Hide SSID
Shows if the profile enables or disables hiding of the SSID name in beacon frames.

Deny_Broadcast Probes
When a client sends a broadcast probe request frame to search for all available SSIDs, this option controls whether or not the system responds for this SSID. When enabled, no response is sent and clients have to know the SSID in order to associate to the SSID. When disabled, a probe response frame is sent for this SSID.

Local Probe Response
Shows if the profile enables or disables local probe response on the AP. If this option is enabled, the AP is responsible for sending 802.11 probe responses to wireless clients' probe requests. If this option is disabled, then the switch sends the 802.11 probe responses.

Disable Probe Retry
Shows if the profile enables or disables battery MAC level retries for probe response frames.

Battery Boost
If enabled, this feature converts multicast traffic to unicast before delivery to the client, thus allowing you to set a longer DTIM interval.

WEP Key 1
Displays the Static WEP key associated with this key index.

WEP Key 2
Displays the Static WEP key associated with this key index.

WEP Key 3
Displays the Static WEP key associated with this key index.

WEP Key 4
Displays the Static WEP key associated with this key index.

WEP Transmit Key Index
Shows the key index that specifies which static WEP key is to be used.

WPA Hexkey
WPA pre-shared key (PSK).

WPA Passphrase
WPA passphrase used to generate a pre-shared key (PSK).

Maximum Transmit Failures
Maximum transmission failures allowed before the client gives up.

EDCA Parameters Station profile
Name of the enhanced distributed channel access (EDCA) Station profile that applies to this SSID.

EDCA Parameters AP profile
Name of the enhanced distributed channel access (EDCA) AP profile that applies to this SSID.

BC/MC Rate Optimization
Shows if the profile enables or disables scanning of all active stations currently associated to an AP to select the lowest transmission rate for broadcast and multicast frames. This option only applies to broadcast and multicast data frames; 802.11 management frames are transmitted at the lowest configured rate.

Strict Spectralink Voice Protocol (SVP)
Shows if the profile enables or disables strict Spectralink Voice Protocol (SVP).

High-throughput SSID Profile
Name of the high-throughput SSID profile associated with this SSID profile.

Advertise Location Info
APs that are part of this VAP will broadcast their GPS coordinates in the beacons and probe response frames as part of a vendor-specific Information Element.

Enforce user vlan for open stations
Shows the strict enforcement of data traffic only in user's assigned vlan (Open stations only).

Command History
This command was introduced in AOS-W 3.0.


Command Information

Platforms All platforms

Licensing Base operating system

Command Mode Enable and Config mode on master or local switches.
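
The following is an added example, not part of the AOS-W guide: a Python sketch that parses the two-column Parameter/Value output of show wlan ssid-profile <profile> and flags the security-relevant parameters described above (Encryption, Management Frame Protection, static WEP keys, user VLAN enforcement for open stations). The sample output is constructed from the values shown in this section; the column alignment, the function names parse_profile and audit, and the severity labels are assumptions of this example.

```python
import re

VALUE_COL = 37  # assumed column offset, used only to build the constructed sample

# Constructed sample: parameter names and values are the ones shown in this section.
_ROWS = [
    ("SSID enable", "Enabled"),
    ("ESSID", "aruba-ap"),
    ("Encryption", "opensystem"),
    ("Enable Management Frame Protection", "Disabled"),
    ("Require Management Frame Protection", "Disabled"),
    ("802.11a Basic Rates", "6 12 24"),
    ("WEP Key 1", "N/A"),
    ("WEP Key 2", "N/A"),
    ("WEP Transmit Key Index", "1"),
    ("WPA Passphrase", "N/A"),
    ("Enforce user vlan for open stations", "Enabled"),
]
SAMPLE_OUTPUT = (
    "(host) #show wlan ssid-profile remote\n\n"
    'SSID Profile "Remote"\n'
    "---------------------\n"
    + "Parameter".ljust(VALUE_COL) + "Value\n"
    + "---------".ljust(VALUE_COL) + "-----\n"
    + "".join(k.ljust(VALUE_COL) + v + "\n" for k, v in _ROWS)
)


def parse_profile(text):
    """Return (profile_name, {parameter: value}) from the command output.

    The Value column offset is read from the dashed rule under the
    'Parameter  Value' header, so names and values that contain single
    spaces (rate lists, '1000 sec') are split correctly.
    """
    name, value_col, params = None, None, {}
    for raw in text.splitlines():
        line = raw.rstrip()
        title = re.match(r'\s*SSID Profile "(.+)"$', line)
        if title:
            name = title.group(1)
            continue
        if value_col is None:
            # Two dash runs separated by spaces: the second starts the Value column.
            rule = re.match(r"(-+)(\s+)-+$", line)
            if rule:
                value_col = len(rule.group(1)) + len(rule.group(2))
            continue
        if not line.strip() or line.lstrip().startswith("(host)"):
            continue
        if len(line) > value_col and line[value_col - 1] != " ":
            # Name overflowed the column: fall back to the first 2+ space gap.
            parts = re.split(r"\s{2,}", line.strip(), maxsplit=1)
            key, val = parts[0], parts[1] if len(parts) > 1 else ""
        else:
            key, val = line[:value_col].strip(), line[value_col:].strip()
        params[key] = val
    return name, params


def audit(params):
    """Return [(severity, parameter, message)] for settings worth reviewing."""
    findings = []
    if params.get("Encryption", "").lower() == "opensystem":
        findings.append(("high", "Encryption",
                         "opensystem: no layer-2 encryption on this ESSID"))
        if params.get("Enforce user vlan for open stations") != "Enabled":
            findings.append(("medium", "Enforce user vlan for open stations",
                             "open stations are not held to their assigned VLAN"))
    for key in sorted(k for k in params if re.fullmatch(r"WEP Key [1-4]", k)):
        if params[key] not in ("", "N/A"):
            findings.append(("high", key, "static WEP key is configured"))
    mfp = params.get("Enable Management Frame Protection")
    if mfp == "Disabled":
        findings.append(("info", "Enable Management Frame Protection",
                         "management frame protection is not offered"))
    elif mfp == "Enabled" and params.get("Require Management Frame Protection") == "Disabled":
        findings.append(("low", "Require Management Frame Protection",
                         "protection is offered but clients may skip it"))
    return findings


if __name__ == "__main__":
    profile, settings = parse_profile(SAMPLE_OUTPUT)
    for severity, parameter, message in audit(settings):
        print(f"{profile}: [{severity}] {parameter}: {message}")
```
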


show wlan traffic-management-profile
show wlan traffic-management-profile [<profile>]
Description
Show a list of all traffic management profiles, or display detailed configuration information for a specific traffic management profile.
Syntax

Parameter <profile>

Description Name of a Traffic Management profile.

Usage Guidelines
Issue this command without the <profile> parameter to display the entire Traffic Management profile list, including profile status and the number of references to each profile. Include a profile name to display detailed configuration information for that profile.

Examples

The example below shows that the switch has three configured Traffic Management profiles. The References column lists the number of other profiles with references to the Traffic Management profile, and the Profile Status column indicates whether the profile is predefined. (User-defined profiles will not have an entry in the Profile Status column.)

(host) #show wlan traffic-management-profile

Traffic management profile List
-------------------------------
Name   References  Profile Status
----   ----------  --------------
mgmt1  3
mgmt2  2

Total:2

The following example shows configuration settings defined for the profile mgmt1.

(host) #show wlan traffic-management-profile mgmt1

Traffic management profile "default"
------------------------------------
Parameter                   Value
---------                   -----
Proportional BW Allocation  N/A
Report interval             5 min
Station Shaping Policy      default-access

The output of this command includes the following data columns:

Parameter
Description

Proportional BW Allocation
Minimum bandwidth, as a percentage of available bandwidth, allocated to an SSID when there is congestion on the wireless network. An SSID can use all available bandwidth if no other SSIDs are active.

Report interval
Number of minutes between bandwidth usage reports.

Station Shaping Policy
Shows which of three possible Station Shaping policies is configured on the profile.
- default-access: Traffic shaping is disabled, and client performance is dependent on MAC contention resolution. This is the default traffic shaping setting.
- fair-access: Each client gets the same airtime, regardless of client capability and capacity. This option is useful in environments like a training facility or exam hall, where a mix of 802.11a/g, 802.11g and 802.11n clients need equal access to network resources, regardless of their capabilities. The bw-alloc parameter of a traffic management profile allows you to set a minimum bandwidth to be allocated to a virtual AP profile when there is congestion on the wireless network. You must set traffic shaping to fair-access to use this bandwidth allocation value for an individual virtual AP.
- preferred-access: High-throughput (802.11n) clients do not get penalized because of slower 802.11a/g or 802.11b transmissions that take more air time due to lower rates. Similarly, faster 802.11a/g clients get more access than 802.11b clients.

Command History
This command was introduced in AOS-W 3.0.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode Enable and Config mode on master or local switches.


show wlan tsm-req-profile
show wlan tsm-req-profile

Description
Shows configuration and other information about the parameters for the Transmit Stream/Category Measurement Request frames.

Syntax

Parameter <profile-name>

Description Name of this instance of the profile. The name must be 1-63 characters.

Usage Guidelines
Issue this command without the <profile> parameter to display the entire TSM Request profile list, including profile status and the number of references to each profile. Include a profile name to display detailed configuration information for that profile.
For this profile to take effect, the 802.11K feature needs to be enabled.

Examples

(host) #show wlan tsm-req-profile default

TSM Report Request Profile "default"
------------------------------------
Parameter                            Value
---------                            -----
Request Mode for TSM Report Request  normal
Number of repetitions                65535
Duration Mandatory                   Enabled
Randomization Interval               0
Measurement Duration                 25
Traffic ID                           96
Bin 0 Range                          200

The output of this command includes the following information:

Parameter                            Description
Request mode for TSM Report Request  Shows the request mode for the Transmit Stream/Category Measurement Request frame.
Number of repetitions                Shows the "Number of Repetitions" field in the Transmit Stream/Category Measurement Request frame.
Duration Mandatory                   Shows the "Duration Mandatory" bit of the Measurement Request Mode field of the Transmit Stream/Category Measurement Request frame.
Randomization Interval               Shows the Randomization Interval field in the Transmit Stream/Category Measurement Request frame.
Measurement Duration                 Shows the Measurement Duration field in the Transmit Stream/Category Measurement Request frame.
Traffic ID                           Shows the Traffic Identifier field in the Transmit Stream/Category Measurement Request frame.
Bin 0 Range                          Shows the 'Bin 0 Range' field in the Transmit Stream/Category Measurement Request frame.

Command History
This command was introduced in AOS-W 6.2.
Command Information

Platforms      Licensing              Command Mode
All platforms  Base operating system  Enable mode on master or local switches


show wlan virtual-ap
show wlan virtual-ap [<profile>]
Description
Show a list of all Virtual AP profiles, or display detailed configuration information for a specific Virtual AP profile.
Syntax

Parameter  Description
<profile>  Name of a Virtual AP profile

Usage Guidelines
Issue this command without the <profile> parameter to display the entire Virtual AP profile list, including profile status and the number of references to each profile. Include a profile name to display detailed configuration information for that profile.

Examples
The example below shows that the switch has six configured Virtual AP profiles. The References column lists the number of other profiles with references to the Virtual AP profile, and the Profile Status column indicates whether the profile is predefined. (User-defined profiles will not have an entry in the Profile Status column.)
(host) #show wlan virtual-ap

Virtual AP profile List
-----------------------
Name
----
coltrane-vap-profile
default
MegTest
Remote
test-vap-profile
wizardtest-vap-profile
Total: 6

References  Profile Status
----------  --------------
1
1 1 1

The following example shows configuration settings defined for the profile wizardtest-vap-profile.

(host) #show wlan virtual-ap test-vap-profile

Virtual AP profile "wizardtest-vap-profile"
-------------------------------------------
Parameter                                       Value
---------                                       -----
AAA Profile                                     default
802.11K Profile                                 default
SSID Profile                                    default
Virtual AP enable                               Enabled
VLAN                                            N/A
Forward mode                                    tunnel
Allowed band                                    all
Band Steering                                   Disabled
Steering Mode                                   prefer-5ghz
Dynamic Multicast Optimization (DMO)            Disabled
Dynamic Multicast Optimization (DMO) Threshold  6
Drop Broadcast and Multicast                    Disabled
Convert Broadcast ARP requests to unicast       Enabled
Authentication Failure Blacklist Time           3600 sec
Blacklist Time                                  3600 sec
Deny inter user traffic                         Disabled
Deny time range                                 N/A
DoS Prevention                                  Disabled
HA Discovery on-association                     Disabled
Mobile IP                                       Enabled
Preserve Client VLAN                            Disabled
Remote-AP Operation                             standard
Station Blacklisting                            Enabled
Strict Compliance                               Disabled
VLAN Mobility                                   Disabled
FDB Update on Assoc                             Disabled
WMM Traffic Management Profile                  N/A

The output of this command includes the following data columns:

Parameter                                       Description
AAA Profile                                     Name of the AAA profile associated with this virtual AP.
802.11K Profile                                 Name of an 802.11k profile associated with this virtual AP.
SSID Profile                                    Name of an SSID profile associated with this virtual AP.
Virtual AP enable                               Shows if the profile enables or disables the virtual AP.
VLAN                                            The VLAN(s) into which users are placed in order to obtain an IP address.
Forward mode                                    Forwarding mode defined on the profile:
                                                - tunnel mode
                                                - bridge mode
                                                - split-tunnel mode
                                                - decrypt-tunnel mode
                                                The forwarding mode controls whether data is tunneled to the switch using generic routing encapsulation (GRE), bridged into the local Ethernet LAN (for remote APs), or a combination thereof depending on the destination (corporate traffic goes to the switch, and Internet access remains local). When an AP is configured to use the decrypt-tunnel forwarding mode, that AP decrypts and decapsulates all 802.11 frames from a client and sends the 802.3 frames through the GRE tunnel to the switch, which then applies firewall policies to the user traffic. When the switch sends traffic to a client, the switch sends 802.3 traffic through the GRE tunnel to the AP, which then converts it to encrypted 802.11 and forwards it to the client.
Allowed band                                    The band(s) on which to use the virtual AP:
                                                - a: 802.11a band only (5 GHz)
                                                - g: 802.11b/g band only (2.4 GHz)
                                                - all: both 802.11a and 802.11b/g bands (5 GHz and 2.4 GHz)
Band Steering                                   If enabled, ARM's band steering feature encourages dual-band capable clients to stay on the 5 GHz band on dual-band APs. This frees up resources on the 2.4 GHz band for single-band clients like VoIP phones.


Steering Mode                                   Band steering supports three different band steering modes.
                                                - Force-5GHz: When the AP is configured in force-5GHz band steering mode, the AP will try to force 5 GHz-capable APs to use that radio band.
                                                - Prefer-5GHz (Default): If you configure the AP to use prefer-5GHz band steering mode, the AP will try to steer the client to the 5G band (if the client is 5G capable) but will let the client connect on the 2.4G band if the client persists in 2.4G association attempts.
                                                - Balance-bands: In this band steering mode, the AP tries to balance the clients across the two radios in order to best utilize the available 2.4G bandwidth. This feature takes into account the fact that the 5 GHz band has more channels than the 2.4 GHz band, and that the 5 GHz channels operate in 40 MHz while the 2.4 GHz band operates in 20 MHz.
                                                NOTE: Steering modes do not take effect until the band steering feature has been enabled. The band steering feature in AOS-W versions 3.3.2-5.0 does not support multiple band-steering modes. The band-steering feature in these versions of AOS-W functions the same way as the default prefer-5GHz steering mode available in AOS-W 6.0 and later.
Dynamic Multicast Optimization (DMO)            If enabled, DMO techniques will be used to reliably transmit video data.
Dynamic Multicast Optimization (DMO) Threshold  Maximum number of high-throughput stations in a multicast group beyond which dynamic multicast optimization stops.
Drop Broadcast and Multicast                    If enabled, the virtual AP will filter out broadcast and multicast traffic in the air.
Convert Broadcast ARP requests to unicast       If enabled, all broadcast ARP requests are converted to unicast and sent directly to the client.
Authentication Failure Blacklist Time           Time, in seconds, a client is blocked if it fails repeated authentication. An authentication failure blacklist time of 0 blocks failed users indefinitely.
Blacklist Time                                  Number of seconds that a client is quarantined from the network after being blacklisted.
Deny Inter User Traffic                         This option, when enabled, denies traffic between the clients using this virtual AP profile. The firewall command includes an option to deny all inter-user traffic, regardless of the Virtual AP profile used by those clients. If the global setting to deny inter-user traffic is enabled, all inter-user traffic between clients will be denied, regardless of the settings configured in the virtual AP profiles. If the setting to deny inter-user traffic is disabled globally but enabled on an individual virtual AP, only the traffic between untrusted users and the clients on that particular virtual AP will be blocked.
Deny time range                                 Time range for which the AP will deny access.


DoS Prevention                                  If enabled, APs ignore deauthentication frames from clients. This prevents a successful deauth attack from being carried out against the AP. This does not affect third-party APs.
HA Discovery on-association                     If enabled, home agent discovery is triggered on client association instead of home agent discovery based on traffic from the client. Mobility on association can speed up roaming and improve connectivity for clients that do not send many uplink packets to trigger mobility (VoIP clients). The best practice is to leave this parameter disabled, as it increases IP mobility control traffic between switches in the same mobility domain. Enable this parameter only when voice issues are observed in VoIP clients.
                                                NOTE: The ha-disc-onassoc parameter works only when IP mobility is enabled and configured on the switch.
Mobile IP                                       Shows if the profile has enabled or disabled IP mobility.
Preserve Client VLAN                            This parameter allows clients to retain their previous VLAN assignment if the client disassociates from an AP and then immediately re-associates with either the same AP or another AP on the same switch.
Remote-AP Operation                             Shows how the virtual AP operates on a remote AP:
                                                - always: Permanently enables the virtual AP.
                                                - backup: Enables the virtual AP if the remote AP cannot connect to the switch.
                                                - persistent: Permanently enables the virtual AP after the remote AP initially connects to the switch.
                                                - standard: Enables the virtual AP when the remote AP connects to the switch.
Station Blacklisting                            Shows if the profile has enabled or disabled detection of denial of service (DoS) attacks, such as ping or SYN floods, that are not spoofed deauth attacks.
Strict Compliance                               If enabled, the AP denies client association requests if the AP and client station have no common rates defined. Some legacy client stations which are not fully 802.11-compliant may not include their configured rates in their association requests. Such non-compliant stations may have difficulty associating with APs unless strict compliance is disabled.
Multi Association                               If enabled, this feature allows a station to be associated to multiple APs. If this feature is disabled, when a station moves to a new AP it will be deauthorized by the AP to which it was previously connected, deleting station context and flushing key caching information.
Fast Roaming                                    Shows if the AP has enabled or disabled fast roaming.
VLAN Mobility                                   Shows if the AP has enabled or disabled VLAN (Layer-2) mobility.
WMM Traffic Management Profile                  WMM Traffic Management Profile associated with this Virtual AP Profile
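
The parameters described above can be checked mechanically. The following Python is an added example, not part of the AOS-W guide: it parses the two-column output of show wlan virtual-ap <profile> and reports the settings this page ties to deauthentication handling, client isolation and blacklisting. The sample text is an excerpt of the example output with assumed column padding, and parse_profile, review and CHECKS are hypothetical names.

```python
import re

# Constructed sample: an excerpt of the wizardtest-vap-profile example on this
# page, typed as two padded columns (the exact padding is an assumption).
SAMPLE = """\
Virtual AP profile "wizardtest-vap-profile"
-------------------------------------------
Parameter                                       Value
---------                                       -----
Virtual AP enable                               Enabled
Forward mode                                    tunnel
Dynamic Multicast Optimization (DMO)            Disabled
Dynamic Multicast Optimization (DMO) Threshold  6
Drop Broadcast and Multicast                    Disabled
Authentication Failure Blacklist Time           3600 sec
Blacklist Time                                  3600 sec
Deny inter user traffic                         Disabled
DoS Prevention                                  Disabled
Station Blacklisting                            Enabled
Strict Compliance                               Disabled
"""

COLUMN_GAP = re.compile(r"\s{2,}")  # assumption: columns are 2+ spaces apart


def parse_profile(text):
    """Return {parameter: value} from a 'show wlan virtual-ap <profile>' capture."""
    lines = [line.rstrip() for line in text.splitlines()]
    for idx in range(1, len(lines)):
        header_above = lines[idx - 1].split() == ["Parameter", "Value"]
        if header_above and re.fullmatch(r"-+\s{2,}-+", lines[idx]):
            break
    else:
        raise ValueError("Parameter/Value header not found")
    settings = {}
    for row in lines[idx + 1:]:
        if not row.strip():
            continue
        # Parameter names and values such as "3600 sec" contain single spaces,
        # so split only at the first run of two or more.
        parts = COLUMN_GAP.split(row.strip(), maxsplit=1)
        settings[parts[0]] = parts[1] if len(parts) > 1 else ""
    return settings


def is_disabled(value):
    return value.casefold() == "disabled"


# (parameter, predicate on its value, note paraphrasing this page's description)
CHECKS = [
    ("DoS Prevention", is_disabled,
     "APs do not ignore deauthentication frames from clients"),
    ("Deny inter user traffic", is_disabled,
     "traffic between clients of this virtual AP is denied only if the "
     "global firewall setting is enabled"),
    ("Station Blacklisting", is_disabled,
     "detection of DoS attacks such as ping or SYN floods is off"),
    ("Authentication Failure Blacklist Time", lambda v: v.split()[:1] == ["0"],
     "0 blocks clients that fail authentication indefinitely"),
]


def review(settings):
    """Return (parameter, value, note) for each check that fires."""
    # The CLI output and the description table capitalise names differently.
    by_name = {name.casefold(): value for name, value in settings.items()}
    findings = []
    for name, fires, note in CHECKS:
        value = by_name.get(name.casefold())
        if value is None:
            findings.append((name, "missing", "parameter not in the capture"))
        elif fires(value):
            findings.append((name, value, note))
    return findings


if __name__ == "__main__":
    for name, value, note in review(parse_profile(SAMPLE)):
        print(f"{name}: {value} ({note})")
```
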

Command History
This command was introduced in AOS-W 3.0.


Command Information

Platforms      Licensing              Command Mode
All platforms  Base operating system  Enable and Config mode on master or local switches.


show wlan voip-cac-profile
show wlan voip-cac-profile [<profile>]
Description
Show a list of all VoIP Call Admission Control profiles, or display detailed configuration information for a specific VoIP Call Admission Control profile.
Syntax

Parameter  Description
<profile>  Name of a VoIP Call Admission Control profile

Usage Guidelines
Issue this command without the <profile> parameter to display the entire VoIP Call Admission Control profile list, including profile status and the number of references to each profile. Include a profile name to display detailed configuration information for that profile.

Examples

The example below shows that the switch has three configured VoIP Call Admission Control profiles. The References column lists the number of other profiles with references to the VoIP Call Admission Control profile, and the Profile Status column indicates whether the profile is predefined. (User-defined profiles will not have an entry in the Profile Status column.)

(host) #show wlan voip-cac-profile

VoIP Call Admission Control profile List
----------------------------------------
Name        References  Profile Status
----        ----------  --------------
corp-voip   6
kgtest      0
QAlab-voip  1

Total:3

The following example shows configuration settings defined for the profile QAlab-voip.

(host) #show wlan voip-cac-profile

VoIP Call Admission Control profile "QAlab-voip"
------------------------------------------------
Parameter                                           Value
---------                                           -----
VoIP Call Admission Control                         Disabled
VoIP Bandwidth based CAC                            Disabled
VoIP Call Capacity                                  10
VoIP Bandwidth Capacity (kbps)                      2000
VoIP Call Handoff Reservation                       20 %
VoIP Send SIP 100 Trying                            Enabled
VoIP Disconnect Extra Call                          Disabled
VOIP TSPEC Enforcement                              Disabled
VOIP TSPEC Enforcement Period                       1 sec
VoIP Drop SIP Invite and send status code (client)  486
VoIP Drop SIP Invite and send status code (server)  486

The output of this command includes the following data columns:


Parameter                                           Description
VoIP Call Admission Control                         Shows if the profile enables or disables WiFi VoIP Call Admission Control features.
VoIP Bandwidth based CAC                            Shows the desired call admission control (CAC) mechanism:
                                                    - Disable: CAC is based on call counts.
                                                    - Enable: CAC should be based on bandwidth.
VoIP Call Capacity                                  Number of simultaneous calls that can be handled by one radio.
VoIP Bandwidth Capacity (kbps)                      The maximum bandwidth that can be handled by one radio, in kbps.
VoIP Call Handoff Reservation                       Percentage of call capacity reserved for mobile VoIP clients on call.
VoIP Send SIP 100 Trying                            Shows if the profile enables or disables sending of SIP 100 - trying messages to a call originator to indicate that the call is proceeding.
VoIP Disconnect Extra Call                          If enabled, the switch disconnects calls that exceed the high capacity threshold by sending a deauthentication frame.
VOIP TSPEC Enforcement                              Shows if the profile enables or disables validation of TSPEC requests for CAC.
VOIP TSPEC Enforcement Period                       Maximum time for the station to start the call after the TSPEC request.
VoIP Drop SIP Invite and send status code (client)  Displays the status code sent back to the client if the profile is configured to drop a SIP Invite:
                                                    - 480: Temporary Unavailable
                                                    - 486: Busy Here
                                                    - 503: Service Unavailable
                                                    - none: Don't send SIP status code
VoIP Drop SIP Invite and send status code (server)  Displays the status code sent back to the server if the profile is configured to drop a SIP Invite:
                                                    - 480: Temporary Unavailable
                                                    - 486: Busy Here
                                                    - 503: Service Unavailable
                                                    - none: Don't send SIP status code

Command History
This command was introduced in AOS-W 3.0.
Command Information

Platforms      Licensing              Command Mode
All platforms  Base operating system  Enable and Config mode on master or local switches.


show wms ap
show wms ap {<bssid>}|list|{stats [mon-mac <mon-mac> bssid <bssid>]}
Description
Display information for APs currently monitored by the AOS-W Wireless Management System (WMS).
Syntax

Parameter          Description
<bssid>            Enter the AP's BSSID number in hexadecimal format (XX:XX:XX:XX:XX:XX).
list               Show the AP Tree table for all APs.
stats              Show the AP Statistics table for all APs.
mon-mac <mon-mac>  Show the AP Tree table for an AP with the specified MAC address.
bssid <bssid>      Show the AP Tree table for an AP with the specified BSSID.

Usage Guidelines
The WMS feature periodically sends statistics that it has collected for APs and Probes to the WMS process. When WMS receives an event message from an AM, it will save the event information along with the BSSID of the AP that generated the event in the WMS database. When WMS receives statistics from the AM, it updates its state, and the database.

Examples
The command show wms ap <bssid> displays a list of AP MAC addresses and the BSSIDs seen by each AP.

(host)# show wms ap 00:1a:1e:88:01:e0

AP Info
-------
BSSID              SSID   Channel  Type     RAP_Type  Status  Match MAC          Ageout  HT-Type  HT-Sec-Chan
-----              ----   -------  ----     --------  ------  ---------          ------  -------  -----------
00:1a:1e:88:01:e0  sw-ad  11       soft-ap  valid     up      00:00:00:00:00:00  -1

Probe Info
----------
MAC                IP           Name         Type     Status  AP Type
---                --           ----         ----     ------  -------
00:1a:1e:88:02:80  10.3.129.94  ad-ap125-13  soft-ap  up      125
00:1a:1e:88:01:e0  10.3.129.96  mp3          soft-ap  up      125
00:1a:1e:81:c6:00  10.3.129.99  ad-ap124-11  soft-ap  down    124
00:0b:86:8a:15:20  10.3.129.93  sap61-1-6    soft-ap  down    65

The output of this command includes the following information:


Column       Description
BSSID        Basic Service Set Identifier for the AP. This is usually the AP's MAC address.
SSID         The Service Set Identifier that identifies a wireless network.
Channel      Channel used by the AP's radio.
Type         A WMS AP type can be one of the following:
             - soft-ap: An Alcatel-Lucent Access Point (AP).
             - air-monitor: An Alcatel-Lucent Air Monitor (AM).
RAP_Type     Indicates one of the following Rogue AP types:
             - Valid (not a rogue AP)
             - Interfering
             - Rogue
             - Suspected Rogue
             - Disabled Rogue
             - Unclassified
             - Known Interfering
Status       If up, the AP is active. If down (or no information is shown) the AP is inactive.
Match MAC    MAC address of a wired device that helped identify the AP as a rogue. If the AP has not been identified as a rogue, this column will display the MAC address 00:00:00:00:00:00.
Ageout       An ageout time is the time, in minutes, that the client must remain unseen by any probes before it is eliminated from the database. If this column displays a -1, the client has not yet aged out. Any other number indicates the number of minutes since the client has passed its ageout interval.
HT-type      The type of high-throughput traffic sent by the AP:
             - HT-20mhz: The AP radio uses a single 20 MHz channel.
             - HT-40mhz: The AP radio uses a 40 MHz channel pair comprised of two adjacent 20 MHz channels.
HT-Sec-Chan  Secondary channel used for 40 MHz high-throughput transmissions.
MAC          MAC address of a probe that can see the specified AP.
IP           IP address of a probe that can see the specified AP.
Name         Name of the probe.
Type         Displays the probe type. A WMS probe can be one of the following:
             - soft-ap: An Alcatel-Lucent Access Point (AP).
             - air-monitor: An Alcatel-Lucent Air Monitor (AM).
Status       If up, the AP is active. If down (or no information is shown) the AP is inactive.
AP Type      AP model type.

The example below shows received and transmitted data statistics for each BSSID seen by a monitoring AP.

(host)# show wms ap stats

AP Stats Table
--------------
Monitor-MAC        BSSID              RSSI  TxPkt    RxPkt   TxByte     RxByte    HTRates-Rx
-----------        -----              ----  -----    -----   ------     ------    ----------
00:0b:86:c1:af:20  00:0b:86:9a:f2:00  12    1575675  65      173239998  9340      0
00:0b:86:c1:af:20  00:0b:86:9a:f2:08  12    1560559  0       162297938  0         0
00:0b:86:c1:be:56  00:0b:86:9b:e5:60  12    1683013  4188    184400159  257583    0
00:0b:86:c1:be:56  00:0b:86:9b:e5:68  12    1580152  105     164216336  1470      0
00:0b:86:c2:0a:98  00:0b:86:a0:a9:80  48    1608023  40596   166962148  568386    0
00:0b:86:c2:1c:08  00:0b:86:a1:c0:80  42    1587097  26236   164904668  453196    0
00:0b:86:c2:1c:38  00:0b:86:a1:c3:80  42    1573040  20511   174536514  654024    0
00:0b:86:c2:3e:a9  00:0b:86:a3:ea:90  48    1588204  34179   165017293  897431    0
00:0b:86:c4:0f:3c  00:0b:86:c0:f3:d0  48    1571202  14258   174338376  351148    0
00:0b:86:c4:4d:06  00:0b:86:c4:d0:70  48    1598423  56198   182267018  3805826   0
00:1a:1e:c0:88:82  00:1a:1e:88:88:30  18    1717310  247532  394461405  14998234  8
00:1a:1e:c0:88:82  00:1a:1e:88:88:20  18    1092023  114722  242006054  2442917   10
00:1a:1e:c0:88:88  00:1a:1e:88:88:90  36    1783226  485620  460219125  27781583  16

The output of this command includes the following information:

Column       Description
Monitor-MAC  MAC address of an AP.
BSSID        Basic Service Set Identifier of a station.
RSSI         Received Signal Strength Indicator for the station, as seen by the AP.
TxPkt        Number of transmitted packets.
RxPkt        Number of received packets.
TxByte       Number of transmitted bytes.
RxByte       Number of received bytes.
HTRates-Rx   Number of bytes received at high-throughput rates.

Command History
Release    Modification
AOS-W 3.0  Command introduced
AOS-W 6.1  The mon-mac <mon-mac> and bssid <bssid> parameters for the list option were deprecated.

Command Information

Platforms      Licensing              Command Mode
All platforms  Base operating system  Enable mode on master switches


show wms channel
show wms channel stats
Description
Display per-channel statistics for monitored APs.
Syntax
No parameters.
Example
This example shows per-channel statistics for monitored APs.

(host) #show wms channel stats

Channel Stats Table
-------------------
Monitor-MAC        Channel  NumAP  NumSta  TotalPkt  TotalByte   Noise
-----------        -------  -----  ------  --------  ---------   -----
00:0b:86:c1:af:20  1        1      0       5228276   613640650   97
00:0b:86:c1:af:20  6        1      0       1355      168764      0
00:0b:86:c1:af:20  11       8      0       5880      1040338     0
00:0b:86:c1:af:20  36       0      0       2         28          0
00:0b:86:c1:af:20  40       0      0       2         112         0
00:0b:86:c1:af:20  44       0      0       50        903         0
00:0b:86:c1:af:20  48       0      0       23        544         0
00:0b:86:c1:af:20  149      1      0       27094     557579      0
00:0b:86:c1:af:20  153      3      0       4648662   544817261   99
00:0b:86:c1:af:20  165      1      0       1655      200349      0
00:0b:86:c1:be:56  1        43     4       14446324  1959058619  0
00:0b:86:c1:be:56  6        8      1       14168505  1955474600  96
00:0b:86:c1:be:56  11       72     1       180553    23987119    0
00:0b:86:c1:be:56  36       53     0       14716     1022825     0
00:0b:86:c1:be:56  40       8      0       3033      501568      0
00:0b:86:c1:be:56  44       3      0       1453      217596      0
00:0b:86:c1:be:56  48       4      0       5330      1067660     0
00:0b:86:c1:be:56  149      0      0       609279    72205247    105
00:0b:86:c1:be:56  153      1      0       7615369   779579648   0
00:0b:86:c1:be:56  165      1      0       4238      486121      0
00:0b:86:c2:0a:98  40       4      0       4247      434512      0
00:0b:86:c2:0a:98  48       5      0       4052      420436      0
00:0b:86:c2:0a:98  149      4      0       6548323   732910481   104
00:0b:86:c2:1c:08  40       3      0       4613      478188      0
00:0b:86:c2:1c:08  48       4      0       6235436   658263321   103
00:0b:86:c2:1c:08  149      5      0       18904     803078      0

The output of this command includes the following information:

Column       Description
Monitor-MAC  MAC address of an AP.
Channel      802.11 radio channel.
NumAP        Number of other APs seen on the specified channel.
NumSta       Number of stations seen on the specified channel.
TotalPkt     Number of received packets.
TotalByte    Number of received bytes.
Noise        Current noise level.

Command History
This command was introduced in AOS-W 3.0.
Command Information

Platforms      Licensing              Command Mode
All platforms  Base operating system  Enable mode on master switches


show wms client
show wms client <mac>|{list}|{probe <mac>}|{stats [mon-mac <mon-mac> mac <mac>]}
Description
Display a list of client information for the clients that can be seen by monitoring APs.
Syntax

Parameter                    Description
<mac>                        Show statistics for a client with the specified MAC address, including the BSSID of the AP to which that client is currently associated, and the MAC addresses of other monitoring APs that can see that client.
list                         Show statistics for all monitored clients.
probe <mac>                  Specify a client's MAC address to show the BSSIDs of all probes that can see that client.
stats                        Show the STA stats table, which displays data for all clients seen by each monitoring AP.
mon-mac <mon-mac> mac <mac>  Enter a monitoring AP's MAC address (<mon-mac>) and the MAC address of a client (<mac>) to show data for traffic received from and sent to a specific client as seen by a specific AP.

Example
The AP Info table in the example below shows that the client is associated to an AP with the BSSID 00:0b:86:cd:86:a0. The Probe info table shows the MAC addresses of three other APs that can see the client.

(host) #show wms client 00:0e:35:29:9b:28

STA Info
--------
MAC                Type   Status  Ageout
---                ----   ------  ------
00:0e:35:29:9b:28  valid  up      -1

AP Info
-------
BSSID              SSID    Channel  Type     RAP_Type  Status  Match MAC          Ageout
-----              ----    -------  ----     --------  ------  ---------          ------
00:0b:86:cd:86:a0  MySSiD  11       soft-ap  valid     up      00:00:00:00:00:00  -1

Probe Info
----------
MAC                IP            Name  Type     Status  Name    AP Type
---                --            ----  ----     ------  ----    -------
00:0b:86:a2:2b:50  192.168.2.10  0     soft-ap  up      LeftAP  61
00:0b:86:ad:94:40  192.168.2.5   0     soft-ap  up      1.1.1   61
00:0b:86:cd:86:a0  192.168.2.4   0     soft-ap  up      CEO     70


The output of this command includes the following information:

Column     Description
MAC        MAC address of the client.
Type       Station type (valid, interfering, or disabled rogue client).
Status     If up, the client is active. If down (or no information is shown) the client is inactive.
ageout     An ageout time is the time, in minutes, that the client must remain unseen by any probes before it is eliminated from the database. If this column displays a -1, the client has not yet aged out. Any other number indicates the number of minutes since the client has passed its ageout interval.
BSSID      BSSID of the AP to which the client is associated.
SSID       Extended service set identifier (ESSID) of the BSSID.
RAP_Type   Indicates one of the following Rogue AP types:
           - Valid (not a rogue AP)
           - Interfering
           - Rogue
           - Disabled Rogue
           - Suspected Rogue
           - Unclassified
           - Known Interfering
Status     If up, the AP is active. If down (or no information is shown) the AP is inactive.
Match MAC  MAC address of a wired device that helped identify the AP as a rogue. If the AP has not been identified as a rogue, this column will display the MAC address 00:00:00:00:00:00.
Ageout     An ageout time is the time, in minutes, that the client must remain unseen by any probes before it is eliminated from the database. If this column displays a -1, the client has not yet aged out. Any other number indicates the number of minutes since the client has passed its ageout interval.
MAC        MAC address of a WMS probe.
IP         IP address of a WMS probe.
Type       A WMS AP type can be one of the following:
           - soft-ap: An Alcatel-Lucent Access Point (AP).
           - air-monitor: An Alcatel-Lucent Air Monitor (AM).
Status     If up, the probe is active. If down (or no information is shown) the probe is inactive.
Name       Name of the probe. If a name has not been defined for the probe, this column may display a zero (0).
AP type    Model type of the probe.

Command History
This command was introduced in AOS-W 3.0.


Command Information

Platforms      Licensing              Command Mode
All platforms  Base operating system  Enable mode on master switches


show wms counters
show wms counters [debug|event]
Description
Show WMS event and debug counters. If you omit the optional debug and events parameters, the show wms counters command will display wms debug and events counters in a single table.
Syntax

Parameter  Description
debug      Show debug counters only.
events     Show events counters only. If you omit the debug and events parameters, the show wms counters command will display debug and events counters in a single table.

Usage Guidelines
This command displays counters for database entries, messages and data structures. The counters displayed will vary for each switch; if the switch does not have an entry for a particular counter type, it will not appear in the output of this command.

Example
This example shows part of the output of the command show wms counters.

(host) #show wms counters

Counters
--------
Name                       Value
----                       -----
DB Reads                   288268
DB Writes                  350870
Probe Table DB Reads       2477
Probe Table DB Writes      952
AP Table DB Reads          143992
AP Table DB Writes         138867
STA Table DB Reads         40404
STA Table DB Writes        99687
Probe STA Table DB Reads   101352
Probe STA Table DB Writes  117566
Probe Register             2476
Probe State Update         37077
Set RAP Type               42552
Set RAP Type Conf Level    152
...

Command History
This command was introduced in AOS-W 3.0.


Command Information

Platforms      Licensing              Command Mode
All platforms  Base operating system  Enable mode on master switches


show wms monitor-summary
show wms monitor-summary
Description
Display the numbers of different AP and client types monitored over the last 5 minutes, 1 hour, and since the switch was last reset.
Syntax
No parameters.
Usage Guidelines
The WLAN management system (WMS) on the switch monitors wireless traffic to detect any new AP or wireless client station that tries to connect to the network. When an AP or wireless client is detected, it is classified and its classification is used to determine the security policies which should be enforced on the AP or client. Use the show wms monitor-summary command to view a quick summary of each classified AP and client type currently on the network. If AP learning is enabled (with the wms general command), non-Alcatel-Lucent APs connected on the same wired network as Alcatel-Lucent APs are classified as valid APs. If AP learning is disabled, a non-Alcatel-Lucent AP is classified as an unsecure or suspect-unsecure AP.
Example
This example shows that the switch currently has 144 valid APs and 32 active valid clients, and verifies that the switch is currently aware of a single disabled rogue AP.

(host) #show wms monitor-summary

WMS Monitor Summary
-------------------
                            Last 5 Min  Last Hour  All
-                           ----------  ---------  ---
Valid APs                   1           1          1
Interfering APs             57          57         60
Rogue APs                   3           3          3
Manually Contained APs      0           0          0
Unclassified APs            0           0          0
Neighbor APs                0           0          0
Suspected Rogue APs         138         138        139
Valid Clients               0           0          0
Interfering Clients         1           1          1
Manually Contained Clients  0           0          0
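
One way to use these counters for monitoring, as an added example that is not part of the AOS-W guide: the Python below parses two captures of show wms monitor-summary and reports rogue, suspected-rogue and unclassified AP counts that grew between them. The second capture, the watched-class list, the reset heuristic and all function names are assumptions made for the illustration.

```python
import re

# BEFORE is the monitor-summary example from this page. AFTER holds the rows of
# a constructed later capture; its values are made up for the demonstration.
BEFORE = """\
WMS Monitor Summary
-------------------
                            Last 5 Min  Last Hour  All
-                           ----------  ---------  ---
Valid APs                   1           1          1
Interfering APs             57          57         60
Rogue APs                   3           3          3
Manually Contained APs      0           0          0
Unclassified APs            0           0          0
Neighbor APs                0           0          0
Suspected Rogue APs         138         138        139
Valid Clients               0           0          0
Interfering Clients         1           1          1
Manually Contained Clients  0           0          0
"""
AFTER = """\
Valid APs                   1           1          1
Interfering APs             55          57         60
Rogue APs                   4           4          4
Unclassified APs            2           2          2
Suspected Rogue APs         136         138        139
"""

WINDOWS = ("Last 5 Min", "Last Hour", "All")
WATCHED = ("Rogue APs", "Suspected Rogue APs", "Unclassified APs")
# A data row is a label (which may contain spaces) followed by three counters;
# the title, header and ruler lines do not match.
ROW = re.compile(r"^(\S.*?)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")


def parse_summary(text):
    """Return {class label: {window: count}} for every data row in a capture."""
    counts = {}
    for line in text.splitlines():
        match = ROW.match(line)
        if match:
            label, *values = match.groups()
            counts[label] = dict(zip(WINDOWS, map(int, values)))
    return counts


def switch_was_reset(before, after):
    """The All column counts since the last switch reset, so a falling value is
    read here as a reset between the captures (an assumption of this example)."""
    return any(after[label]["All"] < row["All"]
               for label, row in before.items() if label in after)


def rising_classes(before, after, watched=WATCHED):
    """Return (label, window, old, new) where a watched class count increased."""
    # After a reset the All column restarts, so only the rolling windows compare.
    windows = WINDOWS[:2] if switch_was_reset(before, after) else WINDOWS
    alerts = []
    for label in watched:
        if label not in after:
            continue  # entry not printed in this capture
        old = before.get(label, dict.fromkeys(WINDOWS, 0))
        for window in windows:
            if after[label][window] > old[window]:
                alerts.append((label, window, old[window], after[label][window]))
    return alerts


if __name__ == "__main__":
    for alert in rising_classes(parse_summary(BEFORE), parse_summary(AFTER)):
        print("%s, %s: %d -> %d" % alert)
```
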

Command History

Release    Modification
AOS-W 3.0  Command introduced
AOS-W 6.1  The Disabled Rogue AP, Known Interfering APs and Interfering Clients entries were removed from the show command output, and the suspected-rogue, Manually Contained APs and Manually Contained Clients output entries were introduced.


Command Information

Platforms      Licensing              Command Mode
All platforms  Base operating system  Enable mode on master switches


show wms probe
show wms probe
Description
Display detailed information for a list of WMS probes.
Syntax
No parameters.
Example
This example shows the Probe List table for WMS probes. The output below has been split into two tables to better fit in this document. In the actual command-line interface, this information appears in a single, long table.

(host) #show wms monitor-summary

WMS Monitor Summary
-------------------
                            Last 5 Min  Last Hour  All
-                           ----------  ---------  ---
Valid APs                   1           1          1
Interfering APs             57          57         60
Rogue APs                   3           3          3
Manually Contained APs      0           0          0
Unclassified APs            0           0          0
Neighbor APs                0           0          0
Suspected Rogue APs         138         138        139
Valid Clients               0           0          0
Interfering Clients         1           1          1
Manually Contained Clients  0           0          0

The output of this command includes the following information:

Column           Description
Monitor Eth MAC  Ethernet MAC address of a probe.
BSSID            Probe Radio BSSID.
PHY Type         Radio PHY type:
                 - 802.11A
                 - 802.11AHT-40Mbps
                 - 802.11AHT-20Mbps
                 - 802.11G
                 - 802.11GHT-20Mbps
IP               IP address of the AP.
LMS IP           IP address of the AP's local switch.
Scan Status      Shows if the Air Monitor is performing scanning. If the scan column displays a status of Up, the AP or AM is active.
Updates          Number of updates the AP or AM sent to the WMS database since the switch was last reset.
Reqs/Fails       Number of database update requests that have not yet been added into the database, and the number of failed database requests.
Stats            Total number of statistics updates sent to the database.
Type             A WMS AP type can be one of the following:
                 - soft-ap: An Alcatel-Lucent Access Point (AP).
                 - air-monitor: An Alcatel-Lucent Air Monitor (AM).

Command History

Release     Modification
AOS-W 3.0   Command introduced
AOS-W 6.1   The output of this command was modified to show the number of failed database requests.

Command Information

Platforms All platforms

Licensing Base operating system

Command Mode Enable mode on master switches


show wms rogue-ap
show wms rogue-ap <mac>
Description
Display statistics for APs classified as rogue APs.
Syntax

Parameter <mac>

Description MAC address of a rogue AP.

Example
The output of this command shows statistics for a suspected Rogue AP, including how it was classified as a suspected rogue.

(host) #show wms rogue-ap 00:0b:86:d4:ca:12

Suspect Rogue AP Info
---------------------
Key               Value
---               -----
BSSID             00:0b:86:89:c6:20
SSID              aruba-ap
Channel           1
Type              generic-ap
RAP Type          suspected-rogue
Confidence Level  30%
Status            up
Match Type        AP-Rule
Match MAC         00:0b:86:61:8a:d0
Match IP          0.0.0.0
Match Rule Name   rule2
Match Method      Exact-Match
Match Time        Sun Sep 19 19:11:40 2010

Confidence Level Info
---------------------
Match Type     Match Method  Conf Level
----------     ------------  ----------
Eth-Wired-Mac  OUI-Match     20%
AP-Rule        rule1         5%
AP-Rule        rule2         5%

The output of this command includes the following information:

Column               Description
BSSID                BSSID of the suspected rogue AP.
SSID                 The rogue AP's Extended service set identifier.
Channel              Channel used by a radio on the rogue AP.
Type                 Indicates if the AP is an Alcatel-Lucent AP, a Cisco AP, or an AP from any other manufacturer (generic AP).
RAP Type             Type of rogue AP:
                     - Suspect-unsecure: AP has not been confirmed as a rogue AP.
                     - unsecure: AP has been confirmed as a rogue AP.
Status               Shows if the AP is active (up) or inactive (down).
Match Type           Describes how the AP was classified as a rogue.
                     - Eth-Wired-MAC: An Alcatel-Lucent AP or AM detected that a single MAC address was in both the Ethernet Wired-Mac table and a non-valid AP wired-Mac table.
                     - AP-Wired-MAC: An interfering AP is marked as rogue when the Alcatel-Lucent AP finds a MAC address in one of its valid AP wired-mac tables and in an interfering AP wired-mac table. You can enable or disable the AP-Wired-MAC matching method using the CLI command ids unauthorized-device-profile overlay-classification.
                     - Config-Wired-MAC: This type of classification occurs when an Alcatel-Lucent AP or AM detects a match between a wired MAC table and a pre-defined MAC address that has been manually defined via the command ids unauthorized-device-profile valid-wired-mac.
                     - External-Wired-MAC: This type of classification occurs when an Alcatel-Lucent AP or AM detects a match between a wired MAC table entry and a pre-defined MAC address manually defined in the rap-wml table.
                     - Base-BSSID-Override: If an Alcatel-Lucent AP is detected as rogue, then all virtual APs on the particular rogue are marked as rogue using the Base-BSSID-Override match type.
                     - Manual: An AP is manually defined as a rogue via the command wms ap <bssid> mode rogue.
                     - EMS: An AP is manually defined as a rogue via the Element Management System.
Match MAC            MAC address of a wired device that helped identify the AP as a rogue. If the AP has not been identified as a rogue, this column will display the MAC address 00:00:00:00:00:00.
Match IP             IP address of a wired device that helped identify the AP as a rogue.
Match AM             Alcatel-Lucent Air Monitor that reported seeing the rogue AP.
Match Method         This variable indicates the type of match.
Suspect Match Types  Describes how an AP was classified as a suspected rogue AP.
Helper Ap BSSID      BSSID of the AP or AM that helped classify a rogue AP.
AP name              Names of APs that are able to see the specified MAC address.
Match Time           Time the AP was identified as a rogue AP.
Confidence Level     Shows the level of confidence that the AP was classified correctly for each match type. The suspected-rogue classification mechanisms are:
                     - Each mechanism that causes a suspected-rogue classification is assigned a confidence level increment of 20%.
                     - AP classification rules have a configured confidence level.
                     - When a mechanism matches a previously unmatched mechanism, the confidence level increment associated with that mechanism is added to the current confidence level (the confidence level starts at zero).
                     - The confidence level is capped at 100%. If your switch reboots, your suspected-rogue APs are not checked against any new rules that were configured after the reboot. Without this restriction, all the mechanisms that classified your APs as suspected-rogue may trigger again, causing the confidence level to surpass the cap of 100%. You can explicitly mark an AP as "interfering" to trigger all new rules to match against it.
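
The confidence-level rules above can be checked against the command output. The following Python is an added example, not part of the reference guide: it parses show wms rogue-ap output and recomputes the confidence level from the Confidence Level Info table (each distinct mechanism counted once, total capped at 100%). The sample text is the guide's example re-typed with assumed column spacing (two or more spaces between columns), and the function names are this example's own.

```python
import re

# The guide's example output, re-typed with assumed column spacing.
SAMPLE_OUTPUT = """\
Suspect Rogue AP Info
---------------------
Key               Value
---               -----
BSSID             00:0b:86:89:c6:20
SSID              aruba-ap
Channel           1
Type              generic-ap
RAP Type          suspected-rogue
Confidence Level  30%
Status            up
Match Type        AP-Rule
Match MAC         00:0b:86:61:8a:d0
Match IP          0.0.0.0
Match Rule Name   rule2
Match Method      Exact-Match
Match Time        Sun Sep 19 19:11:40 2010

Confidence Level Info
---------------------
Match Type     Match Method  Conf Level
----------     ------------  ----------
Eth-Wired-Mac  OUI-Match     20%
AP-Rule        rule1         5%
AP-Rule        rule2         5%
"""

SECTIONS = ("Suspect Rogue AP Info", "Confidence Level Info")


def parse_rogue_ap(text):
    """Return (info dict, [(match type, match method, increment %)])."""
    info, mechanisms, section = {}, [], None
    for line in text.splitlines():
        line = line.strip()
        if not line or set(line) <= {"-", " "}:
            continue                      # blank lines and dashed rulers
        if line in SECTIONS:
            section = line
            continue
        cols = re.split(r"\s{2,}", line)
        if section == SECTIONS[0] and len(cols) == 2 and cols != ["Key", "Value"]:
            info[cols[0]] = cols[1]
        elif section == SECTIONS[1] and len(cols) == 3 and cols[2].endswith("%"):
            mechanisms.append((cols[0], cols[1], int(cols[2].rstrip("%"))))
    return info, mechanisms


def expected_confidence(mechanisms):
    """Sum each distinct mechanism's increment once, capped at 100%."""
    seen, total = set(), 0
    for match_type, method, increment in mechanisms:
        if (match_type, method) in seen:
            continue                      # only a previously unmatched mechanism adds
        seen.add((match_type, method))
        total += increment
    return min(total, 100)


def check_rogue_ap(text):
    """Compare the reported confidence level with the recomputed one."""
    info, mechanisms = parse_rogue_ap(text)
    reported = int(info["Confidence Level"].rstrip("%"))
    computed = expected_confidence(mechanisms)
    return {
        "bssid": info["BSSID"],
        "rap_type": info["RAP Type"],
        "reported": reported,
        "computed": computed,
        "consistent": reported == computed,
        # True when one of the *-Wired-MAC match types contributed.
        "wired_evidence": any("wired" in m[0].lower() for m in mechanisms),
    }


if __name__ == "__main__":
    print(check_rogue_ap(SAMPLE_OUTPUT))
```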

Command History
Release     Modification
AOS-W 3.0   Command introduced
AOS-W 6.1   Confidence level information was added to the output of this command.

Command Information

Platforms All platforms

Licensing Base operating system

Command Mode Enable mode on master switches


show wms routers
show wms routers <mac>
Description
Show Learned Router Mac Information for WMS APs.
Syntax

Parameter <mac>

Description MAC address of a probe that can see the router.

Usage Guidelines
This command displays the MAC addresses of devices that have been determined to be routers by the listed APs. The output of this command will be blank if there is no broadcast/multicast activity in an AP's subnet.
Example
In the example below, a single WMS AP has learned MAC information for four different routers.
(host) #show wms routers

Router Mac 00:08:00:00:11:12 is Seen by APs
------------------------------------------
AP-Name
------
AP32

Router Mac 00:08:00:00:11:29 is Seen by APs
------------------------------------------
AP-Name
------
AP32

Router Mac 00:08:00:00:11:57 is Seen by APs
------------------------------------------
AP-Name
------
AP32

Router Mac 00:08:00:00:11:6e is Seen by APs
------------------------------------------
AP-Name
------
AP32

Command History
This command was introduced in AOS-W 3.0
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode Config mode on master switches


show wms rules
show wms rules config state summary
Description
Display the internal state and matching information of rules created using the ids ap-classification-rule change command.
Syntax

Parameter  Description
config     Display the following information for each AP classification rule:
           - name
           - ids
           - match-ssid
           - min-snr
           - max-snr
           - min-prcnt
           - max-prcnt
           - ssids
           - enabled
           - classify
           - conf-incr
           - flags
           - match-cnt
state      Display the following information for each AP classification rule:
           - SSID Match Table
           - SSID Exclude Table
           - SNR Table
           - Probe Count Table
summary    Display an AP classification rules summary.

Usage Guidelines
Issue this command to view existing AP classification rules. AP classification rule configuration is performed only on a master switch. If AMP is enabled via the mobility-manager command, then processing of the AP classification rules is disabled on the master switch. A rule is identified by its ASCII character string name (32 characters maximum). The AP classification rules have one of the following specifications:
- SSID of the AP
- SNR of the AP
- Discovered-AP-Count or the number of APs that can see the AP
Example
The output in the example below shows that although two rules have been defined, neither has been enabled using the ids ap-rule-matching rule-name <name> command.

(host) (config) #show wms rules summary

AP Classification Rules Summary
-------------------------------
Parameter               Value
---------               -----
Num Rules               2
Num Active-Rules        0
Num SSID-to-match       0
Num SSID-to-exclude     0
Num SNR-bounds          0
Num Probe-Count-bounds  0

Command History
This command was introduced in AOS-W 6.1

Command Information

Platforms All platforms

Licensing Base operating system

Command Mode Enable mode on master switches


show wms system
show wms system
Description
Show the WMS system configuration and system state.
Syntax
No parameters.
Example
This example shows the WMS System Configuration and System State tables.

(host) #show wms system

System Configuration
--------------------
Key                        Value
---                        -----
max-threshold              0
max-rbtree-entries         0
max-system-wm              1000
system-wm-update-interval  8

System State
------------
Key                Value
---                -----
Max Threshold      25000
Current Threshold  230
Total AP Count     228
Total STA Count    5
MAX RB-tree Count  50000
Total Tree Count   195
Poll Count(Max)    1(2)

Learned OUIs for Deployed APs
-----------------------------
OUI
---
00:1a:1e:00:00:00

The output of this command includes the following information:

Column             Description
Max Threshold      The maximum number of table entries allowed. If this table displays a zero (0), there is no configured limit.
                   NOTE: If a configured maximum limit has been reached, the switch will not create new WMS entries for monitored APs and monitored stations. If new APs are deployed after this limit is reached, those APs will not be marked as 'valid', which will impair the effectiveness of the Adaptive Radio Management feature. If there are new Rogue APs in the network, they will not be classified as a rogue.
Current Threshold  Current number of table entries.
Total AP Count     Total number of statistics entries for monitored APs in the AP table.
Total STA Count    Total number of statistics entries for monitored stations in the Station table.
MAX RB-tree Count  Maximum number of entries allowed in the statistics.
Total Tree Count   Total number of entries currently in the statistics tree. If this limit has been reached, the switch will not add entries with the RSSI information for APs, monitored APs and monitored clients that are seen by them. This can negatively affect the RF Plan application.
Poll Count (Max)   Current and maximum poll counts.

Command History
This command was introduced in AOS-W 3.0
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode Config mode on master switches


show wms wired-mac
show wms wired-mac gw-mac [<mac>] monitored-ap-wm <mac> prop-eth-mac reg-ap-oui summary system-gw-mac system-wired-mac wireless-device
Description
Display a summary table of Wireless Management System (wms) wired MAC information. This command can display a list of APs aware of a specific gateway MAC address, or list the wired MAC addresses known to a single AP.
Syntax

Parameter              Description
gw-mac <mac>           Show Gateway Wired Mac Information Collected from the APs. If you include the optional <mac> MAC address parameter, the output of this command will show information for that single MAC address only.
monitored-ap-wm <mac>  Show Monitored AP Wired Mac Information Collected from the APs. If you include the optional <mac> MAC address parameter, the output of this command will show information for that single MAC address only.
prop-eth-mac <mac>     Show Wired Mac Information Collected from the APs. If you include the optional <mac> MAC address parameter, the output of this command will show information for that single MAC address only.
reg-ap-oui <mac>       Show Registered AP OUI Information Collected from the APs, including each registered OUI, and the time that OUI was last seen. If you include the optional <mac> MAC address parameter, the output of this command will show information for that single MAC address only.
summary                Display a wired MAC summary that includes the number of each of the following MAC types:
                       - Registered AP OUIs
                       - Propagated Ethernet MACs
                       - Potential Wireless Device MACs
                       - Monitored AP Wired MACs
                       - System Wired MACs
                       - System Gateway MACs
system-gw-mac          Show system gateway MAC information learned at the switch, including the age of each MAC address. If you include the optional <mac> MAC address parameter, the output of this command will show information for that single MAC address only.
system-wired-mac       Show system wired MAC information learned at the switch. If you include the optional <mac> MAC address parameter, the output of this command will show information for that single MAC address only.
wireless-device        Show Routers or potential wireless devices information, including the MAC address of the device, and the MAC address of the AP or switch that saw the device.

Example
This example shows the wired MAC summary.

(host) #show wms system

System Configuration
--------------------
Key                        Value
---                        -----
max-threshold              0
max-rbtree-entries         0
max-system-wm              1000
system-wm-update-interval  8

System State
------------
Key                Value
---                -----
Max Threshold      25000
Current Threshold  230
Total AP Count     228
Total STA Count    5
MAX RB-tree Count  50000
Total Tree Count   195
Poll Count(Max)    1(2)

Learned OUIs for Deployed APs
-----------------------------
OUI
---
00:1a:1e:00:00:00

Command History
Version     Modification
AOS-W 3.0   Command Introduced
AOS-W 6.1   The ap-name <ap-name> parameter was deprecated, and the following parameters were introduced:
            - gw-mac
            - monitored-ap-wm
            - prop-eth-mac
            - reg-ap-oui
            - summary
            - system-gw-mac
            - system-wired-mac
            - wireless-device


Command Information

Platforms All platforms

Licensing Base operating system

Command Mode Config mode on master switches


show ip interface brief
show ip interface brief

Description
View IP-related information on all interfaces in summary format.

Syntax
No parameters.

Example
(host) #show ip interface brief

Interface  IP Address / IP Netmask        Admin  Protocol
vlan 1     172.16.0.254 / 255.255.255.0   up     up
vlan 2     10.4.62.9 / 255.255.255.0      up     up
loopback   unassigned / unassigned        up     up
mgmt       unassigned / unassigned        down   down

The following table details the columns and content in the show command.

Column                   Description
Interface                List the interface and interface identification, where applicable.
IP Address / IP Netmask  List the IP address and netmask for the interface, if configured.
Admin                    States the administrative status of the interface.
                         Enabled--up
                         Disabled--down
Protocol                 Status of the IP on the interface.
                         Enabled--up
                         Disabled--down

Command History
Release AOS-W 3.4

Modification Command introduced

Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Available in Config or Enable mode on master switches.


shutdown
shutdown all
Description
This command disables all interfaces on the switch.
Usage Guidelines
This command stops all traffic through the physical ports on the switch. The console port remains active. Use this command only when you have physical access to the switch, so that you can continue to manage using the console port. To shut down an individual interface, tunnel, or VLAN, use the shutdown option within the interface command. To restore the ports, use the no shutdown command.
Example
The following example shuts down all physical interfaces on the switch.
(host) (config)#shutdown all
Command History
This command was introduced in AOS-W 1.0.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode Config mode on master or local switches


snmp-server
snmp-server community <string> enable trap engine-id host <ipaddr> version {1 <name> udp-port <port>}|2c|{3 <name>} [inform] [interval <seconds>] [retrycount <number>] [udp-port <port>]} inform queue-length <size> source stats trap enable|disable|{source <ipaddr>} user <name> [auth-prot {md5|sha} <password>] [priv-prot {AES|DES} <password>]
Description
This command configures SNMP parameters.
Syntax

Parameter: community
Description: Sets the read-only community string.
Range: --
Default: --

Parameter: enable trap
Description: Enables sending of SNMP traps to the configured host.
Range: --
Default: disabled

Parameter: engine-id
Description: Sets the SNMP server engine ID as a hexadecimal number.
Range: 24 characters maximum
Default: --

Parameter: host
Description: Configures the IP address of the host to which SNMP traps are sent. This host needs to be running a trap receiver to receive and interpret the traps sent by the switch.
Range: --
Default: --

Parameter: version
Description: Configures the SNMP version and security string for notification messages.
Range: --
Default: --

Parameter: inform
Description: Sends SNMP inform messages to the configured host.
Range: --
Default: disabled

Parameter: inform queue-length
Description: Specifies the length for the SNMP inform queue.
Range: 100-350
Default: 250

Parameter: stats
Description: Allows file-based statistics collection for OV-MM-SW. The switch generates a file that contains statistics data used by OV-MM-SW to display information in chart and graph formats. File-based statistics collection is transparent to the user and increases the efficiency of transferring information between the switch and OV-MM-SW.
Default: enabled

Parameter: trap
Description: Source IP address of SNMP traps.
Range: --
Default: disabled

Parameter: disable
Description: Disables an SNMP trap. You can get a list of valid trap names using the show snmp trap-list command.
Range: --
Default: --

Parameter: enable
Description: Enables an SNMP trap.
Range: --
Default: --

Parameter: source
Description: Enter the source IP address for sending traps.
Range: --
Default: --

Parameter: udp-port
Description: The port number to which notification messages are sent.
Range: --
Default: 162

Parameter: user
Description: Configures an SNMPv3 user profile for the specified username.
Range: --
Default: --

Parameter: auth-prot
Description: Authentication protocol for the user, either HMAC-MD5-98 Digest Authentication Protocol (MD5) or HMAC-SHA-98 Digest Authentication Protocol (SHA), and the password for use with the designated protocol.
Range: MD5/SHA
Default: SHA

Parameter: priv-prot
Description: Privacy protocol for the user, either Advanced Encryption Standard (AES) or CBC-DES Symmetric Encryption Protocol (DES), and the password for use with the designated protocol.
Range: AES/DES
Default: DES
Usage Guidelines
This command configures SNMP on the switch only. You configure SNMP-related information for APs in an SNMP profile which you apply to an AP group or to a specific AP. To configure SNMP hostname, contact, and location information for the switch, use the hostname, syscontact, and syslocation commands.
Example
The following command configures an SNMP trap receiver:
(host) (config) #snmp-server host 191.168.1.1 version 2c 12345678
Command History

Release      Modification
AOS-W 3.0    Command introduced
AOS-W 3.3.1  The stats parameter was introduced

Command Information

Platforms All platforms

Licensing Base operating system

Command Mode Config mode on master switches
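
The parameter table above lists MD5 and DES as accepted values and DES as the default privacy protocol, and the example trap receiver uses version 2c. The following Python is an added example, not part of the reference guide: it reads snmp-server lines written in the syntax shown in this section and reports settings worth tightening. The sample configuration is constructed, the function names are this example's own, and reading the <name> after version 3 as an snmp-server user entry is an assumption.

```python
import shlex

# Constructed sample, written in the snmp-server syntax from this section.
SAMPLE_CONFIG = """\
snmp-server community public
snmp-server enable trap
snmp-server host 191.168.1.1 version 2c 12345678
snmp-server host 10.4.62.20 version 3 nms-admin inform
snmp-server user nms-admin auth-prot sha authpass1 priv-prot AES privpass1
snmp-server user legacy auth-prot md5 oldpass1 priv-prot DES oldpass2
snmp-server user monitor auth-prot sha monpass1
"""

WELL_KNOWN_COMMUNITIES = {"public", "private"}


def _value_after(args, keyword):
    """Return the token that follows `keyword` (case-insensitive), or None."""
    lowered = [a.lower() for a in args]
    if keyword in lowered:
        i = lowered.index(keyword)
        if i + 1 < len(args):
            return args[i + 1]
    return None


def audit_snmp(config_text):
    """Return sorted (line_number, severity, message) findings.

    Messages never echo community strings or passwords.
    """
    findings, users, v3_hosts = [], set(), []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        try:
            tok = shlex.split(raw)
        except ValueError:      # unbalanced quotes: skip rather than guess
            continue
        if len(tok) < 3 or tok[0] != "snmp-server":
            continue
        kind, args = tok[1], tok[2:]
        if kind == "community":
            sev = "high" if args[0].lower() in WELL_KNOWN_COMMUNITIES else "medium"
            findings.append((lineno, sev,
                             "v1/v2c community string configured; it is sent in cleartext"))
        elif kind == "host":
            host = args[0]
            i = args.index("version") if "version" in args else -1
            version = args[i + 1] if 0 <= i < len(args) - 1 else None
            if version in ("1", "2c"):
                findings.append((lineno, "medium",
                                 f"trap host {host}: SNMPv{version} notification, "
                                 "security string is sent in cleartext"))
            elif version == "3":
                name = args[i + 2] if i + 2 < len(args) else None
                v3_hosts.append((lineno, host, name))
        elif kind == "user":
            name, opts = args[0], args[1:]
            users.add(name)
            # Defaults per the parameter table: auth-prot SHA, priv-prot DES.
            auth = (_value_after(opts, "auth-prot") or "sha").lower()
            priv = _value_after(opts, "priv-prot")
            if auth == "md5":
                findings.append((lineno, "medium", f"user {name}: auth-prot md5, prefer sha"))
            if priv is None:
                findings.append((lineno, "medium",
                                 f"user {name}: no priv-prot given; listed default is DES"))
            elif priv.upper() == "DES":
                findings.append((lineno, "medium", f"user {name}: priv-prot DES, prefer AES"))
    # Assumption: the <name> after "version 3" refers to an snmp-server user entry.
    for lineno, host, name in v3_hosts:
        if name not in users:
            findings.append((lineno, "low",
                             f"trap host {host}: no snmp-server user line for {name!r}"))
    return sorted(findings)


if __name__ == "__main__":
    for lineno, severity, message in audit_snmp(SAMPLE_CONFIG):
        print(f"line {lineno}: [{severity}] {message}")
```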


spanning-tree (Global Configuration)
spanning-tree [forward-time <value> | hello-time <value> | max-age <value> | priority <value> | vlan range <WORD>]

RSTP is backward compatible with STP and is enabled by default. For ease of use, this command uses the spanning tree keyword.

Description
This command is the global configuration for the Rapid Spanning Tree Protocol (RSTP) and Per VLAN Spanning Tree (PVST+). See spanning-tree (Configuration Interface) for details on the RSTP (config-if) command.
Syntax

Parameter: forward-time
Description: Specifies the time, in seconds, the port spends in the listening and learning state. During this time, the port waits to forward data packets.
Range: 4-30
Default: 15 seconds

Parameter: hello-time
Description: Specifies the time, in seconds, between each bridge protocol data unit (BPDU) transmitted by the root bridge.
Range: 1-10
Default: 2 seconds

Parameter: max-age
Description: Specifies the time, in seconds, the root bridge waits to receive a hello packet before changing the STP topology.
Range: 6-40
Default: 20 seconds

Parameter: priority
Description: Set the priority of a bridge to make it more or less likely to become the root bridge. The bridge with the lowest value has the highest priority. When configuring the priority, remember the following: The highest priority bridge is the root bridge. The highest priority value is 0 (zero).
Range: 0-65535
Default: 32768

Parameter: vlan range <WORD>
Description: Enter the keywords vlan range followed by the range of VLAN IDs. Separate the VLAN IDs with a hyphen, comma or both to indicate the range. For example: 2-3 or 2,4,6 or 2-6,11
Range: --
Default: --

Usage Guidelines
This command configures the global RSTP settings on the switch and is backward compatible with past versions of AOS-W using STP. By default, all interfaces and ports on the switch run RSTP as specified in 802.1w and 802.1D. The default RSTP values can be used for most implementations. Use the no spanning-tree command to disable RSTP.
Examples
The following command sets the time a port spends in the listening and learning state to 3 seconds:
spanning-tree forward-time 3
The following command sets the time the root bridge waits to transmit BPDUs to 4 seconds:
spanning-tree hello-time 4
The following command sets the time the root bridge waits to receive a hello packet to 30 seconds:
spanning-tree max-age 30
The following command sets the bridge priority to 10, making it more likely to become the root bridge:
spanning-tree priority 10
The following command sets a spanning-tree VLAN range:
spanning-tree vlan range 2-8,11
Command History

Release     Modification
AOS-W 6.0   Added support for PVST+ and VLAN and VLAN Range
AOS-W 3.4   Upgraded STP to RSTP with full backward compatibility
AOS-W 1.0   Introduced the Spanning Tree Protocol (STP)

Command Information

Platforms All platforms

Licensing Base operating system

Command Mode Configuration (config)


spanning-tree mode
spanning-tree mode <rapid> | <rapid-pvst>
Description
Set the spanning tree mode to either Rapid Spanning Tree (802.1w) or PVST+ (Per VLAN Spanning Tree).
Syntax

Parameter   Description
rapid       Set the spanning tree mode to RSTP (Rapid Spanning Tree Protocol).
rapid-pvst  Set the spanning tree mode to PVST+ (Per VLAN Spanning Tree protocol).

Usage Guidelines
Once the spanning tree mode is set, you can configure RSTP or PVST+.
Command History

Release     Modification
AOS-W 6.0   PVST+ added
AOS-W 3.4   Upgraded STP to RSTP with full backward compatibility.

Command Information

Platform All platforms

Licensing Base operating system

Command Mode
Configuration mode (config) on master switches


spanning-tree (Configuration Interface)
spanning-tree cost <value> point-to-point port-priority <value> portfast vlan <vlan-id> cost <value> port-priority <value> vlan range <WORD>
RSTP is backward compatible with STP and is enabled by default. For clarity, this RSTP command uses the spanning tree keyword.

Description
Alcatel-Lucent's RSTP implementation interoperates with both PVST (Per VLAN Spanning Tree 802.1D) and RapidPVST (802.1w) implementations on industry-standard router/switches.
Syntax

Parameter: cost <value>
Description: Enter the spanning tree path cost. Use the cost values to determine the most favorable path to a particular destination: the lower the cost, the better the path.
Range: 1 - 65535
Default: Based on Interface type:
- Fast Ethernet 10Mbs--100
- Fast Ethernet 100Mbs--19
- 1 Gigabit Ethernet--4
- 10 Gigabit Ethernet--2

Parameter: point-to-point
Description: Set the interface to a point-to-point
Range: n/a
Default: Enabled

Parameter: port-priority <value>
Description: Change the spanning tree priority.
Range: 0 - 255
Default: 128

Parameter: portfast
Description: Change from blocking to forwarding
Range: n/a
Default: Disabled

Parameter: vlan <vlan-id>
Description: Enter the keyword vlan followed by the VLAN-ID
Range: n/a
Default: --

Parameter: cost <value> (under vlan <vlan-id>)
Description: Enter the keyword cost followed by the cost value to change the interface's spanning tree path cost.
Range: 1 - 65535

Parameter: port-priority <value> (under vlan <vlan-id>)
Description: Change the spanning tree priority.
Range: 0 - 255
Default: 128

Parameter: vlan range <WORD>
Description: Enter the keywords vlan range followed by the range of VLAN IDs. Separate the VLAN IDs with a hyphen, comma or both to indicate the range. For example: 2-3 or 2,4,6 or 2-6,11
Range: --
Default: --

Usage Guidelines
Alcatel-Lucent supports global instances of RSTP and PVST+. Therefore, the ports on industry-standard routers/switches must be on the default or untagged VLAN for interoperability with switches.
AOS-W supports RSTP on the following interfaces:

- FastEthernet IEEE 802.3--fastethernet
- Gigabitethernet IEEE 802.3--gigabitethernet
- Port Channel ID--port-channel
In addition to port state changes, RSTP introduces port roles for all the interfaces.

RSTP (802.1w) Port Role  Description
Root                     The port that receives the best BPDU on a bridge.
Designated               The port can send the best BPDU on the segment to which it is connected.
Alternate                The port offers an alternate path, in the direction of root bridge, to that provided by bridge's root port.
Backup                   The port acts as a backup for the path provided by a designated port in the direction of the spanning tree.

Example
The RSTP default values are adequate for most implementations. Use caution when making changes to the spanning tree values.
(host) (config-if) #spanning-tree cost 345
(host) (config-if) #spanning-tree point-to-point ?
(host) (config-if) #spanning-tree portfast ?
(host) (config-if) #spanning-tree vlan range 2-8,11
Related Commands
spanning-tree (Global Configuration)
Command History

Release     Modification
AOS-W 6.0   Added support for PVST+ and VLAN and VLAN Range
AOS-W 3.4   Upgraded STP to RSTP with full backward compatibility.
AOS-W 1.0   Introduced the Spanning Tree Protocol (STP).

Command Information

Platforms All platforms

Licensing Base operating system

Command Mode Configuration Interface (config-if)


spanning-tree vlan range (PVST+)
spanning-tree vlan range <WORD> [forward-time <value> | hello-time <value> | max-age <value> | priority <value>]
Description
Configure PVST+ on a range of VLANs.
Syntax

Parameter: <WORD>
Description: Enter a string representing the VLAN range
Range: -
Default: -

Parameter: forward-time
Description: Specifies the time, in seconds, the VLANs spend in the listening and learning state before transition to the forward state.
Range: 4-30
Default: 15 seconds

Parameter: hello-time
Description: Set the time interval, in seconds, between transmission of BPDUs.
Range: 1-10
Default: 2 seconds

Parameter: max-age
Description: Set the time interval for the PVST+ bridge to maintain configuration information before refreshing that information.
Range: 6-40
Default: 20 seconds

Parameter: priority
Description: Set the priority of a bridge to make it more or less likely to become the root bridge. The bridge with the lowest value has the highest priority. When configuring the priority, remember the following: The highest priority bridge is the root bridge. The highest priority value is 0 (zero).
Range: 0-65535
Default: 32768

Example
The following command sets the time the VLAN range 2-3 spends in the listening and learning state to 3 seconds:
spanning-tree vlan range 2-3 forward-time 3
The following command sets the time the VLAN range 2-3 waits to transmit BPDUs to 4 seconds:
spanning-tree vlan range 2-3 hello-time 4
The following command sets the time the VLAN range 2-3 waits to receive a hello packet to 30 seconds:
spanning-tree vlan range 2-3 max-age 30
The following command sets the VLAN range 2-3 priority to 10, making it more likely to become the root bridge:
spanning-tree vlan range 2-3 priority 10
Command History

Release AOS-W 6.0

Modification Command introduced


Command Information

Platforms All Platforms

Licensing Base operating system

Command Mode Configuration Mode (config)


ssh
ssh disable_dsa | mgmt-auth {public-key [username/password] | username/password [public-key]}
Description
This command configures SSH access to the switch.
Syntax

Parameter: disable_dsa
Description: Disables DSA authentication for SSH. Only RSA authentication is used.
Default: --

Parameter: mgmt-auth
Description: Configures authentication method for the management user. You can specify username/password only, public key only, or both username/password and public key.
Default: username/password

Usage Guidelines
Public key authentication is supported using an X.509 certificate issued to the management client. If you specify public-key authentication, you need to load the client X.509 certificate into the switch and configure certificate authentication for the management user with the mgmt-user ssh-pubkey command.
Example
The following commands configure SSH access using public key authentication only:
(host) (config) #ssh mgmt-auth public-key
mgmt-user ssh-pubkey client-cert ssh-pubkey cli-admin root
Command History

Version     Modification
AOS-W 3.0   Command introduced
AOS-W 3.1   The mgmt-auth parameter was introduced

Command Information

Platforms All platforms

Licensing Base operating system

Command Mode Config mode on master switches


stm
add-blacklist-client <macaddr> kick-off-sta <macaddr> <bssid> purge-blacklist-clients remove-blacklist-client <macaddr>
Description
This command is used to manually disconnect a client from an AP or control the blacklisting of clients.
Syntax

Parameter                          Description
add-blacklist-client               MAC address of the client to be added to the denial of service list.
kick-off-sta                       When you use the kick-off-sta feature and specify a client's MAC address and BSSID, the AP sends deauthorization frames to the station to disconnect it.
<macaddr>                          MAC address of client to be disconnected.
<bssid>                            The associated BSSID of the client to be disconnected.
purge-blacklist-client             Clear the entire client blacklist.
remove-blacklist-client <macaddr>  Specify the MAC address of a client to remove it from the denial of service list.

Usage Guidelines
When you blacklist a client, the client is not allowed to associate with any AP in the network. If the client is connected to the network when you blacklist it, a deauthentication message is sent to force the client to disconnect. The blacklisted client is blacklisted for the duration specified in the virtual AP profile. The client blacklist supports up to 4,000 individual client entries. The switch retains the client blacklist in the user database, so the information is not lost if the switch reboots. When you import or export the switch's user database, the client blacklist will be exported or imported as well.
Example
The following command blacklists a client:
(host) #stm add-blacklist-client 00:01:6C:CC:8A:6D
Command History

Version     Modification
AOS-W 1.0   Command introduced.
AOS-W 6.0   The purge-client-blacklist parameter was introduced. The start-trace and stop-trace parameters are no longer functional.


Command Information

Platforms All platforms

Licensing Base operating system

Command Mode Enable mode on master or local switches


support
support
Description
This command, which should be used only in conjunction with Alcatel-Lucent customer support, is for switch debugging purposes only.
Syntax
No parameters.
Usage Guidelines
This command is used by Alcatel-Lucent customer support for debugging the switch. Do not use this command without the guidance of Alcatel-Lucent customer support.
Example
The following command allows Alcatel-Lucent customer support to debug the switch:
(host) #support
Command History

Version     Modification
AOS-W 2.4   Command introduced as the secret command
AOS-W 3.1   Command renamed to support

Command Information

Platforms All platforms

Licensing Base operating system

Command Mode Enable mode on master switches


syscontact
syscontact <syscontact>
Description
This command configures the name of the system contact for the switch.
Syntax

Parameter syscontact

Description An alphanumeric string that specifies the name of the system contact.

Usage Guidelines
Use this command to enter the name of the person who acts as the system contact or administrator for the switch. You can use a combination of numbers, letters, characters, and spaces to create the name. To include a space in the name, use quotation marks to enclose the alphanumeric string. For example, to create the system contact name Lab Technician 1, enter "Lab Technician 1" at the prompt. To change the existing name, enter the command with a different string. The new name takes effect immediately. To unconfigure the name, enter "" at the prompt.
Example
The following command defines LabTechnician as the system contact name:
(host) (config) #syscontact LabTechnician
Command History
This command was introduced in AOS-W 3.1.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode Config mode on master switches


syslocation
syslocation <syslocation>
Description
This command configures the name of the system location for the switch.
Syntax

Parameter syslocation

Description An alphanumeric string that specifies the name of the system location.

Usage Guidelines
Use this command to indicate the location of the switch. You can use a combination of numbers, letters, characters, and spaces to create the name. To include a space in the name, use quotation marks to enclose the text string. To change the existing name, enter the command with a different string. To unconfigure the location, enter "" at the prompt.
Example
The following command defines SalesLab as the location for the switch:
(host) # syslocation "Building 10, second floor, room 21E" syscontact LabTechnician
Command History
This command was introduced in AOS-W 3.1.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode Config mode on master switches


tar
tar clean {crash|flash|logs}| crash | flash | logs [tech-support]
Description
This command archives a directory.
Syntax

Parameter: clean
Description: Removes a tar file.
  Parameter: crash
  Description: Removes crash.tar
  Parameter: flash
  Description: Removes flash.tar.gz
  Parameter: logs
  Description: Removes logs.tar

Parameter: crash
Description: Archives the crash directory to crash.tar. A crash directory must exist.

Parameter: flash
Description: Archives and compresses the /flash directory to flash.tar.gz.

Parameter: logs
Description: Archives the logs directory to log.tar. Optionally, technical support information can be included.

Usage Guidelines
This command creates archive files in Unix tar file format.
Example
The following command creates the log.tar file with technical support information:
tar logs tech-support
Command History
The command was introduced in AOS-W 3.0.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode Enable mode on master switches


telnet
telnet {cli|soe}
Description
Enable telnet to the switch or to an AP through the switch.
Syntax

Parameter: cli
Description: Enable telnet using the CLI.
Default: Disabled

Parameter: soe
Description: Enable telnet using Serial over Ethernet (SoE).
Default: Disabled

Usage Guidelines
Use the cli option to enable telnet to the switch. Use the soe option to enable telnet using the SoE protocol. This allows you to remotely manage an AP directly connected to the switch.
Example
The following example enables telnet to the switch using the CLI.
(host) (config) #telnet cli
Command History
The command was introduced in AOS-W 1.0.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode Config mode on master switches


threshold
threshold
   controlpath-cpu <percentage>
   controlpath-memory <percentage>
   datapath-cpu <percentage>
   no-of-APs <percentage>
   no-of-locals <percentage>
   total-tunnel-capacity <percentage>
   user-capacity <percentage>
   no ...
Description
This command configures switch capacity thresholds which, when exceeded, will trigger alerts.
Syntax

Parameter: controlpath-cpu <percentage>
Description: Set an alert threshold for controlpath CPU capacity. The <percentage> parameter is the percentage of the total controlpath CPU capacity that must be exceeded before the alert is sent. The default threshold for this parameter is 80%.

Parameter: controlpath-memory <percentage>
Description: Set an alert threshold for controlpath memory consumption. The <percentage> parameter is the percentage of the total memory capacity that must be exceeded before the alert is sent. The default threshold for this parameter is 85%.

Parameter: datapath-cpu <percentage>
Description: Set an alert threshold for datapath CPU capacity. The <percentage> parameter is the percentage of the total datapath CPU capacity that must be exceeded before the alert is sent. The default threshold for this parameter is 30%.

Parameter: no-of-APs <percentage>
Description: The maximum number of APs that can be connected to a switch is determined by that switch's model type and installed licenses. Use this command to trigger an alert when the number of APs currently connected to the switch exceeds a specific percentage of its total AP capacity. The default threshold for this parameter is 80%.

Parameter: no-of-locals <percentage>
Description: Set an alert threshold for the master switch's capacity to support remote nodes and local switches. A master switch can support a combined total of 256 remote nodes and local switches. The <percentage> parameter is the percentage of the total master switch capacity that must be exceeded before the alert is sent. The default threshold for this parameter is 80%.

Parameter: total-tunnel-capacity <percentage>
Description: Set an alert threshold for the switch's tunnel capacity. The <percentage> parameter is the percentage of the switch's total tunnel capacity that must be exceeded before the alert is sent. The default threshold for this parameter is 80%.


Parameter: user-capacity <percentage>
Description: Set an alert threshold for the switch's user capacity. The <percentage> parameter is the percentage of the total resource capacity that must be exceeded before the alert is sent. The default threshold for this parameter is 80%.

Usage Guidelines
The switch will send a wlsxThresholdExceeded SNMP trap and a syslog error message when the switch has exceeded a set percentage of the total capacity for that resource. A wlsxThresholdCleared SNMP trap and error message will be triggered if the resource usage drops below the threshold once again.

Example

The following command configures a new alert threshold for controlpath memory consumption:

(host) (config) #threshold controlpath-memory 90

If usage exceeds this threshold and subsequently drops below the 90% threshold, the switch sends the following two syslog error messages.

Mar 10 13:13:58 nanny[1393]: <399816> <ERRS> |nanny| Resource 'Control-Path Memory' has gone above 90% threshold, value : 93
Mar 10 13:16:58 nanny[1393]: <399816> <ERRS> |nanny| Resource 'Control-Path Memory' has come below 90% threshold, value : 87
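A log collector can pair these two messages to report how long a resource stayed over its threshold and which thresholds are still exceeded. The following Python sketch is an added example, not part of the guide or of AOS-W; the message layout is taken from the two sample lines above, while the 'Datapath CPU' resource name, the unrelated line, and the year (syslog timestamps carry none) are constructed assumptions.

```python
import re
from datetime import datetime

# Constructed sample input. The first two lines follow the guide's example;
# the 'Datapath CPU' line and the unrelated line are made up for illustration.
SAMPLE_LOG = """\
Mar 10 13:13:58 nanny[1393]: <399816> <ERRS> |nanny| Resource 'Control-Path Memory' has gone above 90% threshold, value : 93
Mar 10 13:16:58 nanny[1393]: <399816> <ERRS> |nanny| Resource 'Control-Path Memory' has come below 90% threshold, value : 87
Mar 10 13:20:05 nanny[1393]: <399816> <ERRS> |nanny| Resource 'Datapath CPU' has gone above 30% threshold, value : 41
Mar 10 13:21:00 example[1]: unrelated message that must be ignored
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+nanny\[\d+\]:\s+"
    r"<\d+>\s+<\w+>\s+\|nanny\|\s+Resource '(?P<resource>[^']+)' has "
    r"(?:gone|come) (?P<direction>above|below) (?P<limit>\d+)% threshold, "
    r"value\s*:\s*(?P<value>\d+)\s*$"
)


def parse_events(text, year=2013):
    """Return one dict per threshold message; other lines are skipped.

    The year is an assumption supplied by the caller because the
    syslog timestamp format shown in the guide does not include one.
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({
            "time": when,
            "resource": m["resource"],
            "direction": m["direction"],
            "limit": int(m["limit"]),
            "value": int(m["value"]),
        })
    return events


def pair_alerts(events):
    """Pair each 'above' message with the next 'below' for the same resource.

    Returns (closed, still_open): closed is a list of
    (resource, limit, value_at_trigger, seconds_over_threshold) tuples,
    still_open maps resource name to the unmatched 'above' event.
    """
    still_open = {}
    closed = []
    for ev in sorted(events, key=lambda e: e["time"]):
        name = ev["resource"]
        if ev["direction"] == "above":
            # Keep the first crossing if the message repeats before clearing.
            still_open.setdefault(name, ev)
        elif name in still_open:
            start = still_open.pop(name)
            seconds = (ev["time"] - start["time"]).total_seconds()
            closed.append((name, start["limit"], start["value"], seconds))
    return closed, still_open


if __name__ == "__main__":
    done, pending = pair_alerts(parse_events(SAMPLE_LOG))
    for name, limit, value, seconds in done:
        print(f"{name}: over {limit}% (value {value}) for {seconds:.0f} s")
    for name, ev in pending.items():
        print(f"{name}: still above {ev['limit']}% since {ev['time']}")
```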

Command History
The command was introduced in AOS-W 6.2.

Command Information

Platforms All platforms

Licensing Base operating system

Command Mode Config mode on master switches


time-range
time-range <name> absolute [end <mm/dd/yyyy> <hh:mm>]|[start <mm/dd/yyyy> <hh:mm>]
time-range <name> periodic
   Daily <hh:mm> to <hh:mm>
   Friday <hh:mm> to <hh:mm>
   Monday <hh:mm> to <hh:mm>
   Saturday <hh:mm> to <hh:mm>
   Sunday <hh:mm> to <hh:mm>
   Thursday <hh:mm> to <hh:mm>
   Tuesday <hh:mm> to <hh:mm>
   Wednesday <hh:mm> to <hh:mm>
   Weekday <hh:mm> to <hh:mm>
   Weekend <hh:mm> to <hh:mm>
   no ...
Description
This command configures time ranges.
Syntax

Parameter: <name>
Description: Name of this time range. You can reference this name in other commands.

Parameter: absolute
Description: Specifies an absolute time range, with a specific start and/or end time and date.

Parameter: periodic
Description: Specifies a recurring time range. Specify the start and end time and Daily, Weekday, Weekend, or the day of the week.

Parameter: no
Description: Negates any configured parameter.

Usage Guidelines
You can use time ranges when configuring session ACLs. Once you configure a time range, you can use it in multiple session ACLs.
Example
The following command configures a time range for daytime working hours:
(host) (config) #time-range working-hours periodic
   weekday 7:30 to 18:00
Command History
The command was introduced in AOS-W 3.0.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode Config mode on master switches


tracepath
tracepath <global-address>
Description
Traces the path of an IPv6 host.
Syntax

Parameter

Description

<global-address> The IPv6 global address of the host.

Usage Guidelines
Use this command to identify points of failure in your IPv6 network.
Example
The following command traces the path of the specified IPv6 host.
(host) #tracepath 2005:d81f:f9f0:1001::14
Command History
The command was introduced in AOS-W 6.1.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
User, Enable, and Config modes on local or master switches


traceroute
traceroute <ipaddr>
Description
Trace the route to the specified IP address.
Syntax

Parameter <ipaddr>

Description The destination IP address.

Usage Guidelines
Use this command to identify points of failure in your network.
Example
The following command traces the route to the device identified by the IP address 10.1.2.3.
(host) (config) #traceroute 10.1.2.3
Command History
The command was introduced in AOS-W 2.0.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
User, Enable, and Config modes on local or master switches


trusted
trusted all
Description
This command makes all physical interfaces on the switch trusted ports.
Syntax

Parameter all

Description Makes all ports on the switch trusted.

Usage Guidelines
Trusted ports are typically connected to internal controlled networks. Untrusted ports connect to third-party APs, public areas, or any other network to which the switch should provide access control. When APs are attached directly to the switch, set the connecting port to be trusted. By default, all ports on the switch are treated as trusted. You can use the interface fastethernet or interface gigabitethernet commands to make individual ports trusted.
Example
The following command makes all ports trusted:
(host) (config) #trusted all
Command History
The command was introduced in AOS-W 2.0.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode Config mode on master switches


tunnel-loop-prevention
tunnel-loop-prevention
Description
This command prevents forwarding loops between tunneled nodes on the switch. The tunneled node loop prevention function appears on the WebUI as the "Enable Wired Access Concentrator Loop Prevention" option. It is located on the Configuration > Advanced Services > Wired Access > Wired Access Concentration Configuration pane.

Syntax
No parameters.
Usage Guidelines
Use this command to prevent broadcast traffic from being flooded on the tunneled nodes. You need to enable broadcast-filter-arp if you want to allow a machine connected to a tunneled node to communicate with another switch-connected client on the same subnet.
Example
The following command prevents tunneled node forwarding:
(host) (config) #tunnel-loop-prevention
Command History

Release      Modification
AOS-W 3.0    Command introduced
AOS-W 6.1    The command name changed from mux-loop-prevention to tunnel-loop-prevention.

Related Commands
(host) (config) #show tunneled-node config
(host) (config) #show tunneled-node state
Command Information

Platforms All platforms

Licensing Requires the PEFNG license.

Command Mode Config mode on master switches


tunnel-node-mtu
tunnel-node-mtu <mtu>
Description
This command configures the MTU of a tunneled node.
Syntax

Parameter: tnode-mtu
Description: Value of the MTU for the tunneled nodes.
Range: 1024 to 9216

Usage Guidelines
An Alcatel-Lucent switch can operate as a Wi-Fi switch, terminating GRE tunnels from tunneled node switches. As a Wi-Fi switch, the switch does not perform full Wi-Fi switching functions. Instead, it accepts traffic from ports designated as tunneled node ports, packages this traffic inside a GRE tunnel, and forwards the traffic back to a central switch for processing.
Example
The following command configures the MTU of a switch for tunneled nodes:
(host) (config) #tunnel-node-mtu 1030
Command History
The command was introduced in AOS-W 6.2.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode Config mode on master switches


tunneled-node-address
tunneled-node-address <ipaddr>
Description
This command configures the IP address of a tunneled node server.
Syntax

Parameter: tunneled-node-address
Description: IP address of the switch. This is the loopback or IP address of the switch acting as a tunneled node switch.

Usage Guidelines
An Alcatel-Lucent switch can operate as a Wi-Fi switch, terminating GRE tunnels from tunneled node switches. As a Wi-Fi switch, the switch does not perform full Wi-Fi switching functions. Instead, it accepts traffic from ports designated as tunneled node ports, packages this traffic inside a GRE tunnel, and forwards the traffic back to a central switch for processing.
Example
The following command configures the address of a switch for tunneled nodes:
(host) (config) #tunneled-node-address 192.168.1.245
Command History

Release      Modification
AOS-W 3.0    Command introduced
AOS-W 6.1    The command name changed to tunneled-node-port.

Command Information

Platforms All platforms

Licensing Base operating system

Command Mode Config mode on master switches


uplink
crypto-local uplink {cellular priority <prior>}|disable|enable|{wired priority <prior>}|{wired vlan <id>}
Description
Manage and configure the uplink network connection on the OAW-4306 Series switches.
Syntax

Parameter: cellular priority <prior>
Description: Set the priority of the cellular uplink. By default, the cellular uplink is a lower priority than the wired uplink, making the wired link the primary link and the cellular link the secondary or backup link. Configuring the cellular link with a higher priority than your wired link priority will set your cellular link as the primary switch link.
Range: 1-255

Parameter: enable
Description: Enable the uplink manager.
Range: --

Parameter: disable
Description: Disable the uplink manager.
Range: --

Parameter: wired priority <prior>
Description: Set the priority of the wired uplink. Each uplink type has an associated priority; wired ports have the highest priority by default.
Range: 1-255

Parameter: wired vlan <id>
Description: Define the VLAN identification (ID) of the uplink VLAN. A maximum of four wired VLANs can be defined.
Range: 1-4094

Usage Guidelines
The OAW-4306 Series switches support multiple 3G cellular uplinks in addition to their standard wired ports, providing redundancy in the event of a connection failure. If an OAW-4306 Series switch's wired link cannot access the internet, the switch can fail over to a secondary cellular link and continue routing traffic.
Command History

Release      Modification
AOS-W 3.4    Command introduced
AOS-W 6.0    The wired priority parameter was introduced.

Command Information

Platforms OAW-4306 Series switches

Licensing Base operating system

Command Mode Config mode on master and local switches


usb-printer
usb-printer [printer <printer-name> alias <alias-name>]
Description
This command allows you to provide an alias to USB printers connected to OAW-4306G series switches.
Syntax

Parameter: printer
Description: Enter the default printer name. To get the default printer name use the show network-printer status command.

Parameter: alias
Description: Enter a new alias name for the printer.

Example
The following command creates an alias for a printer:
(host) usb-printer printer usblp_HP_Officejet_Pro_L7500_MY872231FX alias HPOJ_L7500
(host) #show network-printer status

Networked Printer Status
-----------------------
Printer Name                                                 Printer Alias  Status  Comment
-----------                                                  ------------   -----   ------
usblp_Hewlett-Packard_HP_Color_LaserJet_CP3505_CNBJ8B1003    HPLJ_P3005     idle    enabled
usblp_HP_Officejet_Pro_L7500_MY872231FX                      HPOJ_L7500     idle    enabled

Command History
This command was introduced in AOS-W 3.4.
Command Information

Platforms OAW-4306 Series switches

Licensing Base operating system

Command Mode Enable mode.


usb reclassify
crypto-local usb reclassify <address>
Description
Disconnect and reclassify a USB device.
Syntax

Parameter <address>

Description USB device address from the show usb command.

Usage Guidelines
There's no way to power off a USB port on the OAW-4306 Series switch, but you can re-initialize the device using the usb reclassify command. This command removes the modem from the USB device list, then detects it via the USB table.
Command History
Introduced in AOS-W 3.4.
Command Information

Platforms OAW-4306 Series switches

Licensing Base operating system

Command Mode Config mode on master and local switches


user-role
user-role <name>
   access-list {eth|mac|session} <acl> [ap-group <group>] [position <number>]
   bw-contract <name> [per-user] {downstream|upstream}
   captive-portal <profile>
   dialer <name>
   max-sessions <number>
   no ...
   pool {l2tp|pptp} <name>
   reauthentication-interval <minutes>
   session-acl <string> [ap-group <group>] [position <number>]
   stateful-ntlm <ntlm_profile_name>
   vlan {VLAN ID|VLAN name}
   wispr <wispr_profile_name>
Description
This command configures a user role.
Syntax

Parameter: <name>
Description: Name of the user role.
Range: --
Default: --

Parameter: access-list
Description: Type of access control list (ACL) to be applied:
  eth: Ethertype ACL, configured with the ip access-list eth command.
  mac: MAC ACL, configured with the ip access-list mac command.
  session: Session ACL, configured with the ip access-list session command.
Range: --
Default: --

Parameter: <acl>
Description: Name of the configured ACL.

Parameter: ap-group
Description: (Optional) AP group to which this ACL applies.
Range: --
Default: --

Parameter: position
Description: (Optional) Position of this ACL relative to other ACLs that you can configure for the user role. 1 is the top.
Range: --
Default: (last)

Parameter: bandwidth-contract
Description: Name of a bandwidth contract or rate limiting policy configured with the aaa bandwidth-contract command. The bandwidth contract must be applied to either downstream or upstream traffic.
Range: --
Default: --

Parameter: downstream
Description: Applies the bandwidth contract to traffic from the switch to the client.
Range: --
Default: --

Parameter: per-user
Description: Specifies that bandwidth contract is assigned on a per-user basis instead of a per-role basis. For example, if two users are active on the network and both are part of the same role with a 500 Kbps bandwidth contract, then each user is able to use up to 500 Kbps.
Range: --
Default: (per role)

Parameter: upstream
Description: Applies the bandwidth contract to traffic from the client to the switch.
Range: --
Default: --


Parameter: captive-portal
Description: Name of the captive portal profile configured with the aaa authentication captive-portal command.
Range: --
Default: --

Parameter: dialer
Description: If VPN is used as an access method, name of the VPN dialer configured with the vpn-dialer command. The user can login using captive portal and download the dialer. The dialer is a Windows application that configures the VPN client.
Range: --
Default: --

Parameter: max-sessions
Description: Maximum number of datapath sessions per user in this role.
Range: 0-65535
Default: 65535

Parameter: no
Description: Negates any configured parameter.
Range: --
Default: --

Parameter: pool
Description: If VPN is used as an access method, specifies the IP address pool from which the user's IP address is assigned:
  l2tp: When a user negotiates a Layer-2 Tunneling Protocol (L2TP)/IPsec session, specifies an address pool configured with the ip local pool command.
  pptp: When a user negotiates a Point-to-Point Tunneling Protocol (PPTP) session, specifies an address pool configured with the pptp ip local pool command.
Range: --
Default: --

Parameter: <name>
Description: Name of the L2TP or PPTP pool to be applied.
Range: --
Default: --

Parameter: reauthentication-interval
Description: Interval, in minutes, after which the client is required to reauthenticate.
Range: 0-4096, 0 to disable
Default: 0 (disabled)

Parameter: session-acl <string>
Description: Session ACL configured with the ip access-list session command. You can specify both IPv4 and IPv6 ACLs.
Range: --
Default: --

Parameter: ap-group
Description: (Optional) AP group to which this ACL applies.
Range: --
Default: --

Parameter: position
Description: (Optional) Position of this ACL relative to other ACLs that you can configure for the user role. 1 is the top.
Range: --
Default: (last)

Parameter: stateful-ntlm
Description: Apply stateful NTLM authentication to the specified user role.

Parameter: vlan
Description: Identifies the VLAN ID or VLAN name to which the user role is mapped. This parameter works only when using Layer-2 authentication such as 802.1X or MAC address, ESSID, or encryption type role mapping because these authentications occur before an IP address is assigned. If a user authenticates using a Layer-3 mechanism such as VPN or captive portal this parameter has no effect.
NOTE: VLAN IDs and VLAN names cannot be listed together.
Range: --
Default: --

Parameter: wispr
Description: Apply WISPr authentication to the specified user role.

Usage Guidelines
Every client in a user-centric network is associated with a user role. All wireless clients start in an initial role. From the initial role, clients can be placed into other user roles as they pass authentication.
Example
The following command configures a user role:
(host) (config) #user-role new-user
   dialer default-dialer
   pool pptp-pool-1
Command History

Version        Modification
AOS-W 3.0      Command introduced
AOS-W 3.4.1    The stateful-ntlm and wispr parameters were introduced.
AOS-W 6.1      The ipv6 session-acl parameter was removed. The session-acl parameter is common for both IPv4 and IPv6 ACLs.

Command Information

Platforms All platforms

Licensing
This command requires the PEFNG license.

Command Mode Config mode on master switches


valid-network-oui-profile
valid-network-oui-profile no oui <oui>
Description
This command allows you to add a new OUI to the switch.
Syntax

Parameter: no
Description: Negates any configured parameter.
Range: --
Default: --

Parameter: oui <oui>
Description: The new OUI to be added. Use the aa:bb:cc format to input the new OUI.
Range: --
Default: --

Usage Guidelines
This command adds a new OUI to the switch. The new OUI must be entered in an aa:bb:cc format.

Example

The following command adds a new OUI to the switch.

(host) (config) #valid-network-oui-profile
(host) (Valid Equipment OUI profile) #
(host) (Valid Equipment OUI profile) #oui 00:11:22
This should only be used when adding equipment with a new OUI. Are you sure you want to proceed? [y/n]: y

Command History

Release AOS-W 5.0

Modification Command introduced

Command Information

Platforms Available on all platforms

Licensing Base operating system

Command Mode Config mode on master switches


vlan-bwcontract-explist
vlan-bwcontract-explist mac <mac>
Description
Use this command to add entries to or remove entries from the MAC exception list for bandwidth contracts on broadcast/multicast traffic.
Syntax

Parameter <mac>

Description
MAC address of a protocol that should be added to or removed from the exception list for bandwidth contracts.

Usage Guidelines
Bandwidth contracts on a VLAN can limit broadcast and multicast traffic. AOS-W version 6.0 and later includes an internal exception list to allow broadcast and multicast traffic using the VRRP, LACP, OSPF, PVST and STP protocols. To remove per-vlan bandwidth contract limits on an additional broadcast or multicast protocol, add the MAC address for that broadcast/multicast protocol to the Vlan Bandwidth Contracts MAC Exception List.
Example
The following command adds the MAC address for CDP (Cisco Discovery Protocol) and VTP (Virtual Trunking Protocol) to the list of protocols that are not limited by VLAN bandwidth contracts.
(host) (config) #vlan-bwcontract-explist mac 01:00:0C:CC:CC:CC
Command History
Command introduced in AOS-W 6.0.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode Config mode on master or local switches


vlan-name
vlan-name <name> [pool|assignment {even|hash}]
Description
This command creates a named VLAN on the switch. It can be added to a pool and given an assignment type.
Syntax

Parameter: <name>
Range: 1-32 characters

Parameter: [pool]
Description: Sets the named VLAN to be a pool.
Range: --

Parameter: assignment
Description: Sets the assignment type. This determines how a VLAN assignment is handled by the switch.
Range: --

Parameter: even
Description: Sets the assignment type as even. The Even assignment type is based on an even distribution of VLAN pool assignments.
Range: --

Parameter: hash
Description: Sets the assignment type as hash. The hash type means that the VLAN assignment is based on the station MAC address.
Range: --

Usage Guidelines
Create a named VLAN so you can set up a VLAN pool. A VLAN pool consists of a set of VLAN IDs which are grouped together to efficiently manage multi-switch networks from a single location.

VLAN pooling should not be used with static IP addresses.
The Even VLAN Pool assignment type maintains a dynamic latest usage level of each VLAN ID in the pool. Therefore, as users age out, the number of available addresses increases. This leads to a more even distribution of addresses. The Even type is only supported in tunnel and dtunnel modes. It is not supported in split or bridge modes and it is not allowed for VLAN pools that are configured directly under a virtual AP. It can only be used under named VLANs. If a VLAN pool is given an Even assignment in bridge mode, a message displays indicating that the Hash assignment is automatically used instead to retrieve the VLAN ID. L2 Mobility is not compatible with the existing implementation of the Even VLAN pool assignment type.
Example
The following command creates a VLAN pool named mygroup with the assignment type "even" on the switch:
(host) (config) #vlan-name mygroup pool assignment even
Related Commands
(host) (config) #show vlan


Command History
Version      Modification
AOS-W 3.0    Command introduced.
AOS-W 3.4    The pool parameter was introduced.
AOS-W 6.2    The assignment type parameter was introduced along with the even and hash options.

Command Information

Platforms All platforms

Licensing Base operating system

Command Mode Config mode on master switches


vlan
vlan <id> [<description>] |[<name> <vlan-ids>]|[range <range>]|[wired aaa-profile <profile>]
Description
This command creates a VLAN ID or a range of VLAN IDs on the switch.
Syntax

Parameter: <id>
Description: Identification number for the VLAN.
Range: 2-4094
Default: 1

Parameter: <description>
Description: Description of a VLAN ID.
Range: 1-32 characters; cannot begin with a numeric character
Default: VLAN000x, where x is the ID number.

Parameter: <name>
Description: (Optional) Identification name of the VLAN. The VLAN name was created using the vlan-name command.
Range: 1-32 characters; a name cannot begin with a numeric character
Default: VLAN<id>

Parameter: <vlan-ids>
Description: (Optional) List of VLAN IDs that are associated with this VLAN. If two or more IDs are listed, the VLAN needs to be specified first as a VLAN pool using the vlan-name command.
Range: Existing VLAN IDs
Default: 1

Parameter: range <range>
Description: Create a range of multiple VLAN IDs by specifying the beginning and ending VLAN ID separated by a hyphen. For example, 55-58
Range: 2-4094
Default: --

Parameter: wired aaa-profile <profile>
Description: Assign an AAA profile to a VLAN to enable role-based access for wired clients connected to an untrusted VLAN or port on the switch. This parameter applies to wired clients only. Note that this profile will only take effect if the VLAN and/or the port on the switch is untrusted. If both the port and the VLAN are trusted, no AAA profile is assigned.
Range: --
Default: --

Usage Guidelines
Use the interface vlan command to configure the VLAN interface, including an IP address. Use the vlan-name command to create a named VLAN to set up a VLAN pool. A VLAN pool consists of a set of VLAN IDs which are grouped together to efficiently manage multi-switch networks from a single location.
To enable role-based access for wired clients connected to an untrusted VLAN and/or port on the switch, you must use the wired aaa-profile parameter to specify the wired AAA profile you would like to apply to that VLAN. If you do not specify a per-VLAN wired AAA profile, traffic from clients connected to an untrusted wired port or VLAN will use the global wired AAA profile, if configured.


Example
The following command creates VLAN ID 27 with the description myvlan on the switch.
(host) (config) #vlan 27 myvlan
The following command associates the VLAN IDs 5, 12 and 100 with VLAN guestvlan on the switch.
vlan guestvlan 5,12,100
The following command creates VLAN IDs 200-300, 302, 303-400.
(host) (config) #vlan range 200-300,302, 303-400
Related Commands

Command: show vlan
Description: This command shows a configured VLAN interface number, description and associated ports.

Command: aaa authentication wired
Description: This command configures authentication for a client device that is directly connected to a port on the switch.

Command History
Release        Modification
AOS-W 3.0      Command available.
AOS-W 3.4      vlan-ids parameter introduced.
AOS-W 3.4.1    vlan range parameter introduced.
AOS-W 6.0      wired aaa-profile parameter introduced.

Command Information

Platforms All platforms

Licensing Base operating system

Command Mode Config mode on master switches


voice dialplan-profile
voice dialplan-profile <profile> clone <source> dialplan {<sequence> <pattern> <action>} no...
Description
This command allows you to create a dial plan profile and configure dial plans to the profile.
Syntax

Parameter: <profile>
Description: Name of this instance of the dial plan profile.

Parameter: clone
Description: Name of the existing dial plan profile from which parameter values are copied.

Parameter: dialplan
Description: Configures a dialplan with the sequence, pattern, and action specified for the profile. You can configure up to 20 dialplans for a profile.

Parameter: <sequence>
Description: A number that positions the dial plan in the list of dial plans configured in the switch. The range is 100 - 65535.

Parameter: <pattern>
Description: A digit pattern or the number of digits that will be dialed by the user. You can specify the digit pattern using 'X', 'Z', 'N', '[ ]' and '.'.
  X is a wild card that represents any character from 0 to 9.
  Z is a wild card that represents any character from 1 to 9.
  N is a wild card that represents any character from 2 to 9.
  [ ] is a wild card that represents the number or the range specified in the brackets.
  . (period) is a wild card that represents any-length digit strings.

Parameter: <action>
Description: A prefix code that is automatically prefixed to the dialed number. This is specified as <prefix-code>%e. Examples of dial plans are:
  9%e: The number 9 is prefixed to the dialed number.
  91%e: The number 91 is prefixed to the dialed number.

Usage Guidelines
You can configure dial plans on the switch that are required by the local EPABX system to provide outgoing PSTN call facility from a SIP device.

Dial plan can be configured only for SIP over UDP.
Example
The following command creates a dial plan for the dial plan profile, local:
(host) (config) #voice dialplan-profile local
(host) (Dialplan Profile "local") #dialplan 300 Z. 91%e
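To check a dial plan before committing it, the pattern wildcards and the <prefix-code>%e action described above can be modelled offline. The following Python sketch is an added example, not AOS-W code; it assumes that plans are tried in ascending sequence order with the first match winning, that '.' matches zero or more digits, that literal digits may appear in a pattern, and that a number matching no plan is left unchanged.

```python
import re

# Limits stated in the parameter descriptions above.
SEQ_MIN, SEQ_MAX, MAX_PLANS = 100, 65535, 20


def pattern_to_regex(pattern):
    """Translate a dial plan digit pattern into a compiled regular expression."""
    parts = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "X":
            parts.append("[0-9]")
        elif ch == "Z":
            parts.append("[1-9]")
        elif ch == "N":
            parts.append("[2-9]")
        elif ch == ".":
            parts.append("[0-9]*")  # assumption: zero or more digits
        elif ch == "[":
            end = pattern.find("]", i)
            if end == -1:
                raise ValueError(f"unterminated '[' in pattern {pattern!r}")
            body = pattern[i + 1:end]
            # Accept only digits and digit ranges such as 2-5 inside brackets.
            if not re.fullmatch(r"(?:\d(?:-\d)?)+", body):
                raise ValueError(f"bad bracket expression [{body}]")
            parts.append(f"[{body}]")
            i = end
        elif ch.isdigit():
            parts.append(ch)  # assumption: literal digits are allowed
        else:
            raise ValueError(f"unsupported character {ch!r} in pattern")
        i += 1
    return re.compile("".join(parts))


def build_profile(plans):
    """Validate (sequence, pattern, action) tuples and sort them by sequence."""
    plans = list(plans)
    if len(plans) > MAX_PLANS:
        raise ValueError(f"a profile holds at most {MAX_PLANS} dial plans")
    compiled = []
    for sequence, pattern, action in plans:
        if not SEQ_MIN <= sequence <= SEQ_MAX:
            raise ValueError(f"sequence {sequence} outside {SEQ_MIN}-{SEQ_MAX}")
        m = re.fullmatch(r"(\d+)%e", action)
        if not m:
            raise ValueError(f"action {action!r} is not <prefix-code>%e")
        compiled.append((sequence, pattern_to_regex(pattern), m.group(1)))
    return sorted(compiled, key=lambda plan: plan[0])


def rewrite(profile, dialed):
    """Return the number sent onward after the first matching plan is applied."""
    if not dialed.isdigit():
        raise ValueError("dialed number must contain digits only")
    for _sequence, regex, prefix in profile:
        if regex.fullmatch(dialed):
            return prefix + dialed
    return dialed  # assumption: unmatched numbers pass through unchanged


if __name__ == "__main__":
    # The first plan is the guide's example; the second is constructed.
    profile = build_profile([(300, "Z.", "91%e"), (200, "N[2-5]XX", "9%e")])
    for number in ("4085551234", "2345", "0123"):
        print(number, "->", rewrite(profile, number))
```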


Command History
Version AOS-W 6.0

Description Command introduced.

Command Information

Platforms All platforms

Licensing
This command requires the PEFNG license

Command Mode Config mode on master switch


voice logging
voice logging
   client mac <client mac>
   no ...
Description
This command allows you to enable logging for a voice client.
Syntax

Parameter client mac

Description MAC address of the voice client to be enabled for voice logging.

Usage Guidelines
You can enable voice logging for a specific voice client based on the MAC address of the client to troubleshoot any voice issues.
Example
The following command enables voice logging on the client with the MAC address 11:22:33:44:55:67:
(host) (config) #voice logging
(host)(VoIP Logging) #client-mac 11:22:33:44:55:67
Command History

Version AOS-W 6.0

Description Command introduced.

Command Information

Platforms All platforms

Licensing
This command requires the PEFNG license

Command Mode Config mode on master switch


voice real-time-config
voice real-time-config
   config-enable
   no...
Description
This command enables the switch to analyze the call quality of the voice calls based on the RTP media streams.
Syntax

config-enable: Enables the switch to analyze the call quality of the voice calls based on the RTP media streams. Default: disabled.

Usage Guidelines
You can enable the switch to compute and display the call quality parameters such as Jitter, delay, packet loss, and R-value directly from the RTP media stream of the voice calls. config-enable enables the switch to analyze the call quality of the voice calls based on the RTP media streams.
Example
The following command enables the switch to analyze the RTP media streams for call quality reports:
(host) (config) #voice real-time-config
(host) (Configure Real-Time Analysis) #config-enable
Command History

Version AOS-W 6.0

Description Command introduced.

Command Information

Platforms All platforms

Licensing
This command requires the PEFNG license

Command Mode Config mode on master switch


voice rtcp-inactivity
voice rtcp-inactivity {enable | disable}
Description
This command enables or disables the RTCP inactivity timer.
Syntax

enable: Enables the RTCP inactivity timer.
disable: Disables the RTCP inactivity timer.

Usage Guidelines
You can enable the RTCP inactivity timer to clear a VoIP session if an on-hold client moves out of the coverage area.
Example
The following command enables the RTCP inactivity timer:
(host) (config) #voice rtcp-inactivity enable
Command History

AOS-W 5.0: The rtcp-inactivity parameter was introduced to the voip command.
AOS-W 6.0: This was part of the voip command in the earlier version. The voip command is now deprecated.

Command Information

Platforms All platforms

Licensing
This command requires the PEFNG license

Command Mode Config mode on master switch


voice sip
voice sip
   dialplan-profile <dial-plan profile>
   no...
   session-expiry <session-expiry>
   session-timer
Description
This command allows you to enable SIP session timer and associate a dial plan profile to the SIP ALG.
Syntax

dial-plan profile: Name of the existing Dial plan profile to be associated to the SIP ALG.
session-expiry: Timeout value in seconds for the session timer. The range is 240 - 1200 seconds. Default: 300 sec.
session-timer: If enabled, the SIP session is terminated when no session refresh request is received within the timeout value. Default: disabled.

Usage Guidelines
You can configure the SIP settings such as enabling the session timer and associating a dial plan profile to the SIP ALG. session-timer acts as a keep alive mechanism for the SIP sessions using the periodic session refresh requests from the user agents. The interval for the session refresh requests is determined through a negotiation mechanism. If a session refresh request is not received within the negotiated interval, the session is terminated. session-expiry is the timeout interval of the session timer configured on the SIP ALG.
Example
The following command enables session timer on the SIP ALG:
(host) (config) #voice sip
(host)(SIP settings) #session-timer
The following command sets the timeout value of the session timer to 400 seconds on the SIP ALG:
(host)(SIP settings) #session-expiry 400
The following command associates the dial plan profile, default to the SIP ALG:
(host)(SIP settings) #dialplan-profile default
Command History

Version AOS-W 6.0

Description Command introduced.


Command Information

Platforms All platforms

Licensing
This command requires the PEFNG license

Command Mode Config mode on master switch


voice sip-midcall-req-timeout
voice sip-midcall-req-timeout {enable | disable}
Description
This command enables or disables the SIP mid-call request timer.
Syntax

enable: Enables the SIP mid-call request timer.
disable: Disables the timer.

Usage Guidelines
You can enable the SIP mid-call request timer on the switch to clear the VoIP session if there is no response to a SIP mid-call request.
Example
The following command enables the SIP mid-call request timer:
(host) (config) #voice sip-midcall-req-timeout enable
Command History

AOS-W 5.0: The sip-midcall-req-timeout parameter was introduced to the voip command.
AOS-W 6.0: This was part of the voip command in the earlier version. The voip command is now deprecated.

Command Information

Platforms All platforms

Licensing
This command requires the PEFNG license

Command Mode Config mode on master switch


voice test
voice test force_send_delts sta <sta-mac> tid <tid_number>
Description
This command allows a user to manually send Delete Traffic Stream (DELTS) management frames.
Syntax

<sta-mac>: The MAC address of the client station to which the DELTS are sent.
<tid_number>: The traffic stream id. The valid range for this parameter is 0 to 7. If the traffic stream ID is not specified and there are multiple live traffic streams, multiple DELTS will be sent out to the station.

Usage Guidelines
Issue this command to send DELTS for a live traffic stream, even if the client is not a voice client.
Example
The following command sends DELTS to a station with the MAC address 08:00:69:02:01:FA:
(host) (config) #voice test force_send_delts sta 08:00:69:02:01:FA tid 6
Command History
This command was introduced in AOS-W 6.1.
Command Information

Platforms All platforms

Licensing
This command requires the PEFNG license

Command Mode Config mode on a master or local switch


vpdn group l2tp
vpdn group l2tp
   client configuration {dns|wins} <ipaddr1> [<ipaddr2>]
   disable|enable
   l2tp tunnel hello <seconds>
   no ...
   ppp authentication {CACHE-SECURID|CHAP|EAP|MSCHAP|MSCHAPv2|PAP}
   ppp securid cache <minutes>
Description
This command configures an L2TP/IPsec VPN connection.
Syntax

client configuration: Configures parameters for the remote clients.
   dns: Configures a primary and optional secondary DNS server.
   wins: Configures a primary and optional secondary WINS server.
disable|enable: Disables or enables termination of L2TP clients. Default: enabled.
l2tp tunnel hello: Configures L2TP tunneling hello timeout, in seconds. Range: 10-1440. Default: 60 seconds.
no: Negates any configured parameter.
ppp authentication: Enables the protocols for PPP authentication. This list should match the L2TP configuration configured with the vpn-dialer command on the switch.
   CACHE-SECURID: The switch caches SecurID tokens so that the user does not need to reauthenticate each time a network connection is lost.
   CHAP: Use CHAP with PPP authentication.
   EAP: Use EAP-TLS with PPP authentication. Specify this protocol for Windows IPsec VPN clients that use Common Access Card (CAC) Smart Cards that contain user information and digital certificates.
   MSCHAP: Use MSCHAP with PPP authentication.
   MSCHAPv2: Use MSCHAPv2 with PPP authentication. This is the default for L2TP.
   PAP: Use PAP with PPP authentication.
ppp securid: If CACHE-SECURID is configured for PPP authentication, this specifies the time, in minutes, that the token is cached. Range: 15-10080. Default: 1440 minutes.


Usage Guidelines
L2TP/IPsec relies on the PPP connection process to perform user authentication and protocol configuration. You specify the protocol used for PPP authentication and whether SecurID tokens are cached on the switch. Client addresses are assigned from a pool configured with the ip local pool command.
Example
The following command configures virtual private dial-in networking:
(host) (config) #vpdn group l2tp
   ppp authentication PAP
   client configuration dns 10.1.1.2
   client configuration wins 10.1.1.2
Command History
The command was introduced in AOS-W 3.0.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode Config mode on master switches


vpdn group pptp
vpdn group pptp
   client configuration {dns|wins} <ipaddr1> [<ipaddr2>]
   disable|enable
   no ...
   ppp authentication {MSCHAP|MSCHAPv2}
   pptp echo <seconds>
Description
This command configures a PPTP VPN connection.
Syntax

client configuration: Configures parameters for the remote clients.
   dns: Configures a primary and optional secondary DNS server.
   wins: Configures a primary and optional secondary WINS server.
disable|enable: Disables or enables termination of PPTP clients. Default: enabled.
no: Negates any configured parameter.
ppp authentication: Enables the protocols for PPP authentication. This list should match the PPTP configuration configured with the vpn-dialer command on the switch.
   MSCHAP: Use MSCHAP with PPP authentication.
   MSCHAPv2: Use MSCHAPv2 with PPP authentication. This is the default for L2TP.
pptp echo: Time, in seconds, that the switch waits for a PPTP echo response from the client before considering the client to be down. The client is disconnected if it does not respond within this interval. Range: 10-300. Default: 60 seconds.

Usage Guidelines
PPTP connections require user-level authentication through a PPP authentication protocol (MSCHAPv2 is the currently-supported method). Client addresses are assigned from a pool configured with the pptp command.
Example
The following command configures virtual private dial-in networking:
vpdn group pptp
   ppp authentication MSCHAPv2
   client configuration dns 10.1.1.2
   client configuration wins 10.1.1.2


Command History
The command was introduced in AOS-W 3.0.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode Config mode on master switches


vpn-dialer
vpn-dialer <name>
   enable dnetclear|l2tp|pptp|securid_newpinmode|wirednowifi
   ike {authentication {pre-share <key>|rsa-sig}|encryption {3des|des}|group {1|2}|hash {md5|sha}|lifetime [<seconds>]}
   ipsec {encryption {esp-3des|esp-des}|hash {esp-md5-hmac|esp-sha-hmac}|lifetime [<seconds>]|pfs {group1|group2}}
   no {enable...|ipsec...|ppp...}
   ppp authentication {cache-securid|chap|mschap|mschapv2|pap}
Description
This command configures the VPN dialer.
Syntax

<name>: Name that identifies this VPN dialer configuration.
enable: Enables dialer operations:
   dnetclear: Enables "split tunneling" functionality so that traffic destined for the internal network is tunneled while traffic for the Internet is not. This option is not recommended for security reasons. Default: disabled.
   l2tp: Allows the dialer to negotiate a Layer-2 Tunneling Protocol (L2TP)/IPsec tunnel with the switch. Default: enabled.
   pptp: Allows the dialer to negotiate a Point-to-Point Tunneling Protocol (PPTP) with the switch. Default: disabled.
   securid_newpinmode: Supports SecurID new and next pin mode. Default: disabled.
   wirednowifi: Allows the dialer to detect when a wired network connection is in use, and shuts down the wireless interface. Default: disabled.
ike: Configures internet key exchange (IKE) protocol. This configuration must match the IKE policy configured with the crypto isakmp policy command on the switch.
   authentication: Specifies whether preshared keys or RSA signatures are used for IKE authentication. Range: pre-share | rsa-sig. Default: pre-share.
   encryption: Specifies the IKE encryption protocol, either DES or 3DES. Range: 3des | des. Default: 3des.
   group: Specifies the Diffie-Hellman group, either 1 or 2. Range: 1 | 2. Default: 2.
   hash: Specifies the HASH algorithm, either SHA or MD5. Range: md5 | sha. Default: sha.


   lifetime: Specifies how long an IKE security association lasts, in seconds. Range: 300-86400. Default: 28800 seconds.
ipsec: Configures IPsec. This configuration must match the IPsec parameters configured with the crypto dynamic-map and crypto ipsec commands on the switch.
   encryption: Specifies the encryption type for IPsec, either DES or 3DES. Range: esp-3des | esp-des. Default: esp-3des.
   hash: Specifies the hash algorithm used by IPsec, either MD5 or SHA. Range: esp-md5-hmac | esp-sha-hmac. Default: esp-sha-hmac.
   lifetime: Specifies how long an IPsec security association lasts, in seconds. Range: 300-86400. Default: 7200 seconds.
   pfs: Specifies the IPsec Perfect Forward Secrecy (PFS) mode, either group 1 or group 2. Range: group1 | group2. Default: group2.
no: Negates any configured parameter.
ppp authentication: Enables the protocols for PPP authentication. This list should match the L2TP or PPTP configuration configured with the vpdn command on the switch.
   cache-securid: The switch caches SecurID tokens so that the user does not need to reauthenticate each time a network connection is lost. Default: disabled.
   chap: Use CHAP with PPP authentication. Default: enabled.
   mschap: Use MSCHAP with PPP authentication. Default: enabled.
   mschapv2: Use MSCHAPv2 with PPP authentication. Default: enabled.
   pap: Use PAP with PPP authentication. Default: enabled.

Usage Guidelines
A VPN dialer is a Windows application that configures a Windows client for use with the VPN services in the switch. When VPN is used as an access method, a user can login using captive portal and download a VPN dialer. You can customize a VPN dialer for a user role configured with the user-role command. After the user authenticates via captive portal, a link appears to allow download of the VPN dialer if a dialer is configured for the user role.
Example
The following command configures a VPN dialer:
(host) (config) #vpn-dialer default-dialer
   ike authentication pre-share f00xYz123BcA
Command History
The command was introduced in AOS-W 3.0.


Command Information

Platforms All platforms

Licensing Base operating system

Command Mode Config mode on master switches


vrrp
vrrp <id>
   advertise <interval>
   authentication <password>
   description <text>
   ip address <ipaddr>
   no...
   preempt
   priority <level>
   shutdown
   tracking interface {fastethernet <slot>/<port>|gigabitethernet <slot>/<port>} {sub <value>}
   tracking master-up-time <duration> add <value>
   tracking vlan <vlanid> {sub <value>}
   tracking vrrp-master-state <vrid> add <value>
   vlan <vlanid>
Description
This command configures the Virtual Router Redundancy Protocol (VRRP).
Syntax

id: Number that uniquely identifies the VRRP instance, also known as the VRID. This number should match the VRID on the other member of the redundant pair. For ease in administration, you should configure this with the same value as the VLAN ID. After you configure the VRID, the command platform enters VRRP mode. From here, you can access the remaining VRRP commands. Range: 1-255.
advertise: Specifies the time, in seconds, between successive VRRP advertisements sent by the current master. Best practices are to use the default value. Range: 1-60 seconds. Default: 1 second (1s=1000ms).
authentication: Configure an optional password of up to eight characters to be used to authenticate VRRP peers in their advertisements. The password must be the same on both members of the redundant pair. The password is sent in plain-text and therefore should not be treated as a security measure. Rather, the purpose of the password is to guard against misconfigurations in the event that other VRRP devices exist on the same network. Range: 8 characters.
description: Configure an optional text string to describe the VRRP instance. Range: 1-80 characters.


ip address: Configure the virtual IP address that will be owned by the elected VRRP master. Use the same IP address on each member of the redundant pair. This IP address will be redundant - it will be active on the VRRP master, and will become active on the VRRP backup in the event that the VRRP master fails. The IP address must be unique; the IP address cannot be the loopback address of the switch. Only IPv4 address formats are supported.
no: Negates all configured VRRP parameters.
preempt: Preempt mode allows a switch to take over the role of master if it detects a lower priority switch currently acting as master. Best practices are to use the default value to avoid excessive interruption to users or "flapping" if a problematic switch is cycling up and down. Default: disabled.
   delay: Delay value in seconds. Specifying a value enables the delay timer. The timer is triggered when the VRRP state moves out of backup or init state to become a master. This is applicable only if router pre-emption is enabled. When the timer is triggered, it delays the router for a specified period of time before taking over the master router. In the meantime, if there is an advertisement from another VRRP master (existing master), the router stops the timer and does not transition to master. Range: 0-60 seconds. Default: 0.
priority: Defines the priority level of the VRRP instance for the switch. This value is used in the election mechanism for the master. A higher number specifies a higher priority. The default priority setting is adequate for most networks. Range: 1-255. Default: 100.
shutdown: Administratively shutdown VRRP. When down, VRRP is not active, although the switch maintains the configuration information. To start the VRRP instance, use no shutdown. Default: enabled (VRRP is down).
tracking interface: Configures VRRP tracking based on Layer-2 interface state transitions. You can configure this on Fast Ethernet or Gigabit Ethernet interfaces. You can track a combined maximum of 16 VLAN and Layer-2 interfaces.


   <slot>: <slot> is always 1 except for the OAW-6000 switch, where the slots can be 0, 1, 2, or 3.
   <port>: Number assigned to the network interface embedded in the switch or in the line card installed in the OAW-6000 switch. Port numbers start at 0 from the left-most position.
   sub: Decreases the priority of the VRRP instance by the specified amount. When the interface comes up again, the value is restored to the previous priority level. The combined priority and tracking values cannot exceed 255. If the priority value exceeds 255, the switch displays an error message. Range: 0-255.
tracking master-up-time duration: Monitors how long the switch has been master for the VRRP instance. Range: 0-1440 minutes.
tracking master-up-time add: Instructs the switch to add the specified value to the existing priority level. The combined priority and tracking values cannot exceed 255. If the priority value exceeds 255, the switch displays an error message similar to the following:
   Error: Vrrp 30 priority + tracking value exceeds 255
   Range: 0-255.
tracking vlan: Configures VRRP tracking based on VLAN state transitions. You can track a combined maximum of 16 VLAN and Layer-2 interfaces.
   sub: Decreases the priority of the VRRP instance by the specified amount. When the VLAN comes up again, the value is restored to the previous priority level. The combined priority and tracking values cannot exceed 255. If the priority value exceeds 255, the switch displays an error message. Range: 0-255.
vrrp-master-state: Specifies the VRID to use for tracking the state of the VRRP master switch. Range: 1-255.
vrrp-master-state add: Instructs the switch to add the specified value to the existing priority level. The combined priority and tracking values cannot exceed 255. If the priority value exceeds 255, the switch displays an error message similar to the following:
   Error: Vrrp 30 priority + tracking value exceeds 255
   Range: 0-255.
vlan: Specifies the VLAN ID of the VLAN on which VRRP will run. Range: 1-4094.


Usage Guidelines
Use this command to set parameters for VRRP on the switch. The default VRRP parameters can be left for most implementations.
You can use a combination of numbers, letters, and characters to create the authentication password and the VRRP description. To include a space in the password or description, enter quotation marks around the string. For example, to create the password Floor 1, enter "Floor 1" at the prompt.
To change the existing password or description, enter the command with a different string. The new password or description takes effect immediately.
To unconfigure the existing password or description, enter "" at the prompt. If you update the password on one switch, you must update the password on the redundant member pair.
Interface Tracking
You can track multiple VRRP instances to prevent asymmetric routing and dynamically change the VRRP master to adapt to changes in the network. VRRP interface tracking can alter the priority of the VRRP instance based on the state of a particular VLAN or Layer-2 interface. The priority of the VRRP instance can increase or decrease based on the operational state of the specified interface. For example, interface transitions (up/down events) can trigger a recomputation of the VRRP priority, which can change the VRRP master depending on the resulting priority. You can track a combined maximum of 16 interfaces.
You must enable preempt mode to allow a switch to take over the role of master if it detects a lower priority switch currently acting as master.
Example
The following command configures a priority of 105 for VRRP ID (VRID) 30:
(host) (config) #vrrp 30
   priority 105
The following commands configure VLAN interface tracking and assume the following:
- You have two switches, a primary and a backup.
- The configuration highlights the parameters for interface tracking. You may have other parameters configured for VRRP.

Primary Configuration
vrrp 10
   vlan 10
   ip address 10.200.22.254
   priority 105
   preempt
   tracking vlan 20 sub 10
vrrp 20
   vlan 20
   ip address 10.200.22.254
   preempt
   priority 105
   tracking vlan 10 sub 10
vrrp 30
   vlan 30
   ip address 10.200.22.254
   preempt
   priority 105
   tracking vlan 20 sub 10

Backup Configuration
vrrp 10
   vlan 10
   ip address 10.200.22.254
   priority 100
   preempt
   tracking vlan 20 sub 10
vrrp 20
   vlan 20
   ip address 10.200.22.254
   preempt
   priority 100
   tracking vlan 10 sub 10
vrrp 30
   vlan 30
   ip address 10.200.22.254
   preempt
   priority 100
   tracking vlan 20 sub 10

If VLAN 20 goes down, VRRP 20 automatically fails over, and VRRP 10 and VRRP 30 drop their priority to 95, causing a failover to the backup switch. Once VLAN 20 comes back up, the primary switch restores the VRRP priority to 105 for all VRRP IDs and resumes the master VRRP role.
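The failover described above can be reproduced with a small model of the primary and backup configurations. This Python sketch is an added example, not AOS-W code: it assumes that an instance whose own VLAN is down cannot be master, that the priority + tracking limit of 255 is checked per tracking value, and that the effective priority never drops below 1. Only tracking vlan ... sub is modelled.

```python
from dataclasses import dataclass, field


@dataclass
class VrrpInstance:
    vrid: int
    vlan: int
    priority: int = 100                  # documented default
    preempt: bool = False                # documented default: disabled
    track_vlan_sub: dict = field(default_factory=dict)   # {tracked VLAN: sub value}

    def __post_init__(self):
        if not (1 <= self.vrid <= 255 and 1 <= self.vlan <= 4094
                and 1 <= self.priority <= 255):
            raise ValueError(f"Vrrp {self.vrid}: id, vlan or priority out of range")
        if len(self.track_vlan_sub) > 16:
            raise ValueError(f"Vrrp {self.vrid}: more than 16 tracked interfaces")
        for value in self.track_vlan_sub.values():
            # Assumption: the documented limit applies to each tracking value.
            if not 0 <= value <= 255 or self.priority + value > 255:
                raise ValueError(
                    f"Vrrp {self.vrid} priority + tracking value exceeds 255")

    def effective_priority(self, vlans_up):
        """Configured priority minus `sub` for every tracked VLAN that is down."""
        down = [v for v in self.track_vlan_sub if v not in vlans_up]
        lowered = self.priority - sum(self.track_vlan_sub[v] for v in down)
        return max(1, lowered)           # assumption: floor of 1


def elect_master(current, peers):
    """peers: {switch name: (VrrpInstance, set of VLANs up on that switch)}."""
    eligible = {name: inst.effective_priority(up)
                for name, (inst, up) in peers.items() if inst.vlan in up}
    if not eligible:
        return None
    best = max(eligible, key=eligible.get)
    if current in eligible and best != current:
        challenger = peers[best][0]
        # Without preempt, a higher-priority switch does not displace the master.
        if not challenger.preempt or eligible[best] <= eligible[current]:
            return current
    return best


def switch(priority):
    """The three instances from the guide's example at the given base priority."""
    return {
        10: VrrpInstance(10, 10, priority, True, {20: 10}),
        20: VrrpInstance(20, 20, priority, True, {10: 10}),
        30: VrrpInstance(30, 30, priority, True, {20: 10}),
    }


PRIMARY, BACKUP = switch(105), switch(100)


def masters(primary_up, backup_up, current):
    """Master per VRID, given the set of VLANs that are up on each switch."""
    result = {}
    for vrid in PRIMARY:
        peers = {"primary": (PRIMARY[vrid], primary_up),
                 "backup": (BACKUP[vrid], backup_up)}
        result[vrid] = elect_master(current.get(vrid), peers)
    return result


if __name__ == "__main__":
    all_up = {10, 20, 30}
    state = masters(all_up, all_up, {})
    print("steady state :", state)
    state = masters({10, 30}, all_up, state)      # VLAN 20 down on the primary
    print("VLAN 20 down :", state)
    print("VLAN 20 back :", masters(all_up, all_up, state))
```

Setting preempt to False on the primary's instances shows the case the Usage Guidelines warn about: the backup keeps the master role after VLAN 20 recovers.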
Command History

AOS-W 1.0: Command introduced.
AOS-W 3.3: The tracking interface and tracking vlan parameters were introduced.
AOS-W 3.3.2: The add option was removed from the tracking interface and tracking vlan parameters.
AOS-W 6.1: The delay option is added to the preempt parameter.

Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Config mode on master and local switches


web-server
web-server
   captive-portal-cert <name>
   ciphers {high|low|medium}
   mgmt-auth [certificate] [username/password]
   no ...
   ssl-protocol [sslv2] [sslv3] [tlsv1]
   session-timeout <session-timeout>
   switch-cert <name>
   web-max-clients <web-max-clients>
Description
This command configures the switch's web server.
Syntax

captive-portal-cert: Name of the server certificate associated with captive portal. Use the show crypto-local pki ServerCert command to see the server certificates installed in the switch. Default: default.
ciphers: Configures the strength of the cipher suite:
   - high: encryption keys larger than 128 bits
   - low: 56 or 64 bit encryption keys
   - medium: 128 bit encryption keys
   Range: high, low, medium. Default: high.
mgmt-auth: Authentication method for the management user; you can choose to use either username/password or certificates, or both username/password and certificates. Range: username/password, certificate. Default: username/password.
no: Negates any configured parameter.
session-timeout <session-timeout>: Specifies the amount of time after which the WebUI session times out and requires login for continued access. Range: 30-3600 seconds. Default: 900 seconds.
ssl-protocol: Secure Sockets Layer (SSL) or Transport Layer Security (TLS) protocol version used for securing communication with the web server:
   - SSLv3
   - TLSv1
   Range: sslv3, tlsv1. Default: sslv3, tlsv1.
switch-cert: Name of the server certificate associated with WebUI access. Use the show crypto-local pki ServerCert command to see the server certificates installed in the switch. Default: default.
web-max-clients <web-max-clients>: Configures the web server's maximum number of supported concurrent clients. Range: 25-400.


Usage Guidelines
There is a default server certificate installed in the switch; however, this certificate does not guarantee security in production networks. Best practices are to replace the default certificate with a custom certificate issued for your site by a trusted Certificate Authority (CA). See the AOS-W User Guide for more information about how to generate a Certificate Signing Request (CSR) to submit to a CA and how to import the signed certificate received from the CA into the switch. After importing the signed certificate into the switch, use the web-server command to specify the certificate for captive portal or WebUI access. If you need to specify a different certificate for captive portal or WebUI access, use the no command to revert to the default certificate before you specify the new certificate (see the Example section).
You can use client certificates to authenticate management users. If you specify certificate authentication, you need to configure certificate authentication for the management user with the mgmt-user webui-cacert command.
Example
The following commands configure WebUI access with client certificates only, and specify the server certificate for the switch:
(host) (config) #web-server mgmt-auth certificate
   switch-cert ServerCert1
   mgmt-user webui-cacert serial 1111111 web-admin root
To specify a different server certificate, use the no command to revert back to the default certificate before you specify the new certificate:
(host) (config) #web-server mgmt-auth certificate
   switch-cert ServerCert1
   no switch-cert
   switch-cert ServerCert2
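Several options in the vpn-dialer, vrrp and web-server commands weaken a deployment when set a particular way, and a saved configuration can be checked for them offline. The following Python sketch is an added example, not an AOS-W tool: the indented configuration layout and both sample configurations are constructed, findings marked "guide" restate this reference, and the remaining findings rest on public facts about DES and SSLv2/SSLv3.

```python
import re

# (command, sub-command pattern, finding)
RULES = [
    ("vpn-dialer", r"enable\s+dnetclear\b",
     "split tunneling on (guide: not recommended for security reasons)"),
    ("vpn-dialer", r"ike\s+encryption\s+des\b", "IKE uses single DES (56-bit key)"),
    ("vpn-dialer", r"ipsec\s+encryption\s+esp-des\b",
     "IPsec uses single DES (56-bit key)"),
    ("vrrp", r"authentication\s+\S+",
     "VRRP password travels in plain text (guide: not a security measure)"),
    ("web-server", r"ciphers\s+(low|medium)\b",
     "cipher strength below high (guide: low is 56 or 64 bit keys)"),
    ("web-server", r"ssl-protocol\b.*\bsslv[23]\b",
     "SSLv2/SSLv3 enabled (deprecated by RFC 6176 and RFC 7568)"),
]
# Sub-commands whose absence leaves a documented default in place.
REQUIRED = [
    ("web-server", r"switch-cert\s+\S+",
     "WebUI uses the default server certificate (guide: replace it in production)"),
]


def parse_blocks(text):
    """Return {command line: [sub-commands]}; indented lines belong to the last
    unindented line. This layout is an assumption about the saved config."""
    blocks, context = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if raw[0].isspace() and context is not None:
            blocks[context].append(line)
        else:
            context = line
            blocks.setdefault(context, [])
    return blocks


def audit(text):
    """Return a list of (command line, finding) tuples."""
    findings = []
    for context, subs in parse_blocks(text).items():
        command = context.split()[0]
        for cmd, pattern, message in RULES:
            if cmd == command:
                findings += [(context, message) for s in subs if re.match(pattern, s)]
        for cmd, pattern, message in REQUIRED:
            if cmd == command and not any(re.match(pattern, s) for s in subs):
                findings.append((context, message))
    return findings


# Constructed sample: every weak setting the rules know about except esp-des.
WEAK = """
vpn-dialer default-dialer
  enable dnetclear
  ike encryption des
  ike hash sha
vrrp 30
  vlan 30
  authentication Floor1
  priority 105
web-server
  ciphers low
  ssl-protocol sslv3 tlsv1
"""

# Constructed sample: the same commands with the stronger documented options.
HARDENED = """
vpn-dialer default-dialer
  ike encryption 3des
vrrp 30
  vlan 30
  priority 105
web-server
  ciphers high
  ssl-protocol tlsv1
  switch-cert ServerCert1
"""

if __name__ == "__main__":
    for context, message in audit(WEAK):
        print(f"{context}: {message}")
    print("hardened findings:", audit(HARDENED))
```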
Command History

AOS-W 3.0: Command introduced.
AOS-W 3.1: The mgmt-auth parameter was introduced.
AOS-W 3.2: The captive-portal-cert parameter was introduced.

Command Information

Platforms All platforms

Licensing
The web-server ciphers and web-server ssl-protocol commands require the PEFNG license

Command Mode Config mode on master switches


whitelist-db cpsec add
whitelist-db cpsec add mac-address <mac-address> state {approved-ready-for-cert|certified-factory-cert} cert-type {switch-cert|factory-cert} [description <description>]
Description
Add an AP entry to the campus AP whitelist.
Syntax

mac-address <mac-address>: MAC address of the AP you want to enter into the cpsec whitelist database.
state: Select one of the following AP states:
   - approved-ready-for-cert: The AP has been approved as a valid AP and is ready to receive a certificate.
   - certified-factory-cert: The AP already has a factory certificate. APs in this state will not be re-issued a new certificate if control plane security is reenabled.
cert-type: Identify the type of certificate to be used by the AP.
   - switch-cert: AP is using a certificate signed by the switch.
   - factory-cert: AP is using a factory-installed certificate. This option should only be used for AP model types OAW-AP105 and OAW-AP120 Series.
description: (Optional) Enter a brief description of the AP. If the description includes spaces, you must enclose the description in quotation marks.

Usage Guidelines
You can manually add entries to the campus AP whitelist to grant valid APs secure access to the network.
Example
The following command creates a new campus AP whitelist entry for an AP with the MAC address 00:16:CF:AF:3E:E1:
(host) (config) #whitelist-db cpsec add mac-address 00:16:CF:AF:3E:E1 state certified-factory-cert cert-type factory-cert description "A legacy AP model, apname AP-corp22"
Related Commands

show whitelist-db cpsec: Show the campus AP whitelist for the control plane feature. Mode: Enable mode.


Command History
AOS-W 5.0: Command introduced.
AOS-W 6.0: The controller-cert parameter was modified to switch-cert.

Command Information

Platforms All platforms

Licensing Base operating system.

Command Mode Config mode on master or local switches


whitelist-db cpsec delete
whitelist-db cpsec delete mac-address <mac-address>
Description
Remove an individual AP entry from the campus AP whitelist.
Syntax

Parameter mac-address <mac-address>

Description MAC address of the AP you want to remove from the campus AP whitelist.

Usage Guidelines
Use this command to remove an individual whitelist entry for an AP that has been either removed from the network, or is no longer a candidate for automatic certificate provisioning. If the AP whose entry you deleted is still connected to the network and the control plane security feature is configured to send certificates to all APs (or a range of addresses that include that AP), then the switch will send the AP another certificate, and the AP will reappear in the campus whitelist. To permanently revoke a certificate from an invalid or suspected rogue AP, use the command whitelist-db cpsec revoke.
Example
The following command removes an AP with the MAC address 10:14:CA:AF:3E:E1 from the campus AP whitelist:
(host) (config) #whitelist-db cpsec delete mac-address 10:14:CA:AF:3E:E1
Related Commands

show whitelist-db cpsec: Show the campus AP whitelist for the control plane feature. Mode: Enable mode.

Command History
This command was introduced in AOS-W 5.0.
Command Information

Platforms All platforms

Licensing Base operating system.

Command Mode Config mode on master or local switches


whitelist-db cpsec-local-switch-list
whitelist-db cpsec-local-switch-list
   del mac-address <mac-address>
   purge
Description
Delete a local switch from the local switch whitelist.
Syntax

Parameter: del mac-address <mac-address>
Description: Remove a single switch from the local switch whitelist.

Parameter: purge
Description: Clear all entries from the local switch whitelist.

Usage Guidelines
If your deployment includes both master and local switches, then the campus AP whitelist on each switch contains an entry for every AP on the network, regardless of the switch to which it is connected. The master switch also maintains a whitelist of local switches with APs using control plane security. When you change a campus AP whitelist on any switch, that switch contacts the master switch to check the local switch whitelist, then contacts every other switch on the local switch whitelist to notify it of the change.
If you ever remove a local switch from the network, you must also remove the local switch from the local switch whitelist. If the local switch whitelist contains entries for local switches no longer on the network, then a campus AP whitelist entry can be marked for deletion but will not be physically deleted, as the switch will be waiting for an acknowledgement from another switch no longer on the network. Any unused local switch entries in the local switch whitelist can significantly increase network traffic and reduce switch memory resources.
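The stalled deletion described above can be reproduced with a small model. This is an added example, not AOS-W code: a simplified Python simulation in which a campus AP whitelist deletion completes only after every switch on the local switch whitelist acknowledges it. The class and method names, the "approved" state label and the MAC addresses are assumptions made for illustration.

```python
"""Simplified model (an assumption, not AOS-W code) of campus AP whitelist
deletion when the local switch whitelist holds a stale entry."""


class Deployment:
    def __init__(self, local_switch_whitelist, online_switches, ap_whitelist):
        # Master's list of local switches that use control plane security.
        self.local_switch_whitelist = set(local_switch_whitelist)
        # Switches that are actually on the network and able to acknowledge.
        self.online = set(online_switches)
        # Campus AP whitelist: AP MAC -> state (state label is hypothetical).
        self.ap_state = {mac: "approved" for mac in ap_whitelist}
        # AP MAC -> switches whose acknowledgement is still outstanding.
        self.awaiting_ack = {}

    def delete_ap(self, ap_mac, origin_switch):
        """Mark an AP entry for deletion and notify every other listed switch."""
        self.ap_state[ap_mac] = "marked-for-deletion"
        self.awaiting_ack[ap_mac] = self.local_switch_whitelist - {origin_switch}
        self._collect_acks()

    def remove_local_switch(self, switch_mac):
        """Model of 'whitelist-db cpsec-local-switch-list del mac-address'."""
        self.local_switch_whitelist.discard(switch_mac)
        for waiting in self.awaiting_ack.values():
            waiting.discard(switch_mac)
        self._collect_acks()

    def _collect_acks(self):
        # Only switches that are online can acknowledge a change.
        for ap_mac in list(self.awaiting_ack):
            self.awaiting_ack[ap_mac] -= self.online
            if not self.awaiting_ack[ap_mac]:
                # All acknowledgements received: physically delete the entry.
                del self.awaiting_ack[ap_mac]
                del self.ap_state[ap_mac]

    def stuck_deletions(self):
        """Return {AP MAC: sorted switch MACs blocking the deletion}."""
        return {ap: sorted(sw) for ap, sw in self.awaiting_ack.items()}


def demo():
    # Constructed sample data: local_2 was decommissioned but never removed
    # from the local switch whitelist.
    local_1, local_2 = "00:00:5E:00:53:01", "00:00:5E:00:53:02"
    removed_ap = "00:00:5E:00:53:A1"
    net = Deployment(
        local_switch_whitelist=[local_1, local_2],
        online_switches=[local_1],
        ap_whitelist=[removed_ap, "00:00:5E:00:53:A2"],
    )
    net.delete_ap(removed_ap, origin_switch=local_1)
    before = (net.ap_state.get(removed_ap), net.stuck_deletions())
    net.remove_local_switch(local_2)
    after = (net.ap_state.get(removed_ap), net.stuck_deletions())
    return before, after


if __name__ == "__main__":
    labels = ("stale entry present", "stale entry removed")
    for label, result in zip(labels, demo()):
        print(label, "->", result)
```

The `stuck_deletions()` result names the switch entries that keep an AP in the marked-for-deletion state, which are the entries to remove from the local switch whitelist.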
Example
The following command removes a local switch from the local switch whitelist:
(host) (config) #whitelist-db cpsec-local-switch-list del mac-address 00:1E:33:CA:D2:51
Related Commands

Command: show whitelist-db cpsec-local-switch-list
Description: Show the local switch whitelist for the control plane feature.
Mode: Enable mode

Command History
Version: AOS-W 5.0
Modification: Command introduced

Version: AOS-W 6.0
Modification: The cpsec-local-ctlr-list parameter was modified to cpsec-local-switch-list


Command Information

Platforms All platforms

Licensing Base operating system

Command Mode Config mode on master switches


whitelist-db cpsec-master-switch-list
whitelist-db cpsec-master-switch-list
   del mac-address <mac-address>
   purge
Description
Delete a master switch from the master switch whitelist.
Syntax

Parameter: del mac-address <mac-address>
Description: Remove a single master switch from the master switch whitelist.

Parameter: purge
Description: Clear all entries from the master switch whitelist.

Usage Guidelines
Each local switch using the control plane security feature has a master switch whitelist which contains the IP and MAC addresses of its master switch. If your network has a redundant master switch, then this whitelist will contain more than one entry. The master switch whitelist rarely needs to be purged. Although you can delete an entry from the master switch whitelist, you should do so only if you have removed a master switch from the network. Deleting a valid master switch from the master switch whitelist can cause errors in your network.
Example
The following command removes a master switch from the master switch whitelist:
(host) (config) #whitelist-db cpsec-master-switch-list del mac-address 00:1E:33:CA:D2:51
Related Commands

Command: show whitelist-db cpsec-master-switch-list
Description: Show the master switch whitelist for the control plane feature.
Mode: Enable mode

Command History
Version: AOS-W 5.0
Modification: Command introduced

Version: AOS-W 6.0
Modification: The cpsec-master-ctrlr-list parameter was modified to cpsec-master-switch-list


Command Information

Platforms All platforms

Licensing Base operating system.

Command Mode Config mode on local switches


whitelist-db cpsec modify
whitelist-db cpsec modify mac-address <mac-address>
   cert-type switch-cert|factory-cert
   description <description>
   mode disable|enable
   revoke-text <revoke-text>
   state approved-ready-for-cert|certified-factory-cert
Description
Modify an existing entry in the campus AP whitelist.
Syntax

Parameter: mac-address <mac-address>
Description: MAC address of the AP you want to enter into the cpsec whitelist database.

Parameter: cert-type
Description: Identify the type of certificate to be used by the AP.
- switch-cert: AP is using a certificate signed by the switch.
- factory-cert: AP is using a factory-installed certificate. This option should only be used for AP model types OAW-AP105 and OAW-AP120 Series.

Parameter: description
Description: (Optional) Enter a brief description of the AP. If the description includes spaces, you must enclose the description in quotation marks.

Parameter: mode
Description: Select disable to disable an AP's entry in the campus AP whitelist. A disabled AP will not be able to contact the switch via a secure channel. Select enable to reenable a disabled AP.

Parameter: revoke-text
Description: If you disable an AP entry, the revoke-text parameter allows you to enter a brief text string describing why the AP was revoked.

Parameter: state
Description: Select one of the following AP states:
- approved-ready-for-cert: AP has been approved and is ready to receive a certificate.
- certified-factory-cert: AP is certified and has a factory-installed certificate.

Example
The following command changes the certificate type, AP state and description of the AP with the MAC address 00:1E:37:CB:D4:52:
(host) (config) #whitelist-db cpsec modify mac-address 00:1E:37:CB:D4:52 cert-type switch-cert state certified-factory-cert description "An legacy AP model, apname AP-corp16"
Related Commands

Command: show whitelist-db cpsec
Description: Show the campus AP whitelist for the control plane feature.
Mode: Enable mode


Command History
Version: AOS-W 5.0
Modification: Command introduced

Version: AOS-W 6.0
Modification: The controller-cert parameter was modified to switch-cert.

Command Information

Platforms All platforms

Licensing Base operating system.

Command Mode Config mode on master or local switches


whitelist-db cpsec purge
whitelist-db cpsec purge
Description
Clear the campus AP whitelist.
Syntax
No parameters.
Usage Guidelines
Use this command to clear all entries in the entire campus AP whitelist. If your network includes both master and local switches, then each campus AP whitelist is synchronized across all switches. If you purge the entire campus AP whitelist on one switch, that action will clear the campus AP whitelist on every switch in the network. To delete an individual entry in the campus AP whitelist, use the command whitelist-db cpsec delete.
Example
The following command removes all APs from the campus AP whitelist:
(host) (config) #whitelist-db cpsec purge
Related Commands

Command: show whitelist-db cpsec
Description: Show the campus AP whitelist for the control plane feature.
Mode: Enable mode

Command History
This command was introduced in AOS-W 5.0.
Command Information

Platforms All platforms

Licensing Base operating system.

Command Mode Config mode on master or local switches


whitelist-db cpsec revoke
whitelist-db cpsec revoke mac-address <mac-address> revoke-text <revoke-text>
Description
Revoke a certificate from an AP in the campus AP whitelist.
Syntax

Parameter: mac-address <mac-address>
Description: MAC address of the AP you want to remove from the cpsec whitelist database.

Parameter: revoke-text <revoke-text>
Description: A brief description of why the AP's certificate was revoked, up to 64 alphanumeric characters. If this comment includes spaces, you must enclose the comment in quotation marks.

Usage Guidelines
Use this command to revoke a certificate from an invalid or suspected rogue AP.
Example
The following command revokes a certificate from an AP. This command does not delete a whitelist entry for a revoked AP, but marks its entry with the revoked state.
(host) (config) #whitelist-db cpsec revoke mac-address 00:1E:37:CA:D4:51 revoke-text "revoking cert from a rogue AP."
Related Commands

Command: show whitelist-db cpsec
Description: Show the campus AP whitelist for the control plane feature.
Mode: Enable mode

Command History
This command was introduced in AOS-W 5.0.
Command Information

Platforms All platforms

Licensing Base operating system.

Command Mode Config mode on master or local switches


(host) (config) #whitelist-db rap modify mac-address 00:16:CF:AF:3E:E1


whoami
whoami
Description
This command displays information about the current user logged into the switch.
Syntax
No parameters.
Usage Guidelines
Example
The following command displays information about the user logged into the switch:
(host) #whoami
Command History
This command was available in AOS-W 1.0.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Enable and Config modes on master and local switches


wlan bcn-rpt-req-profile
wlan bcn-rpt-req-profile <profile-name>
   channel <channel>
   clone <source>
   interface <interface>
   measure-dur-mandatory
   measure-duration <measure-duration>
   measure-mode
   no
   random-interval <random-interval>
   reg-class {1|12}
   request-info <request-info>
   rpt-condition <rpt-condition>
   rpt-detail
   ssid <ssid>

Description
Configures a Beacon Report Request Profile to provide the parameters for the Beacon Report Request frames.

Syntax
Parameter: <profile-name>
Description: Name of this instance of the profile. The name must be 1-63 characters.
Range: --
Default: "default"

Parameter: channel <channel>
Description: This option is used to set the Channel field in the Beacon Report Request frame. The Channel value can be set to one of the following:
- The channel of the AP (when Measurement Mode is set to either 'Passive' or 'Active-All channels')
- 0 (when Measurement Mode is set to 'Beacon Table')
- 255 (when Measurement Mode is set to 'Active-Channel Report')
Range: For 802.11b/g band: 1 to 14. For 802.11a band: 36 to 165.
Default: 255

Parameter: clone <source>
Description: Creates a copy of the Beacon Report Request Profile specified as the <source>. <source> is the name of an existing Beacon Report Request Profile from which parameter values are copied.
Range: --
Default: --

Parameter: interface <interface>
Description: This field is used to specify the radio interface for transmitting the Beacon Report Request frame.
Range: 0-1
Default: 1

Parameter: measure-dur-mandatory
Description: This value is used to set the "Duration Mandatory" bit of the Measurement Request Mode field of the Beacon Report Request frame.
Range: --
Default: Disabled


Parameter: measure-duration <measure-duration>
Description: This value is used to set the Measurement Duration field in the Beacon Report Request frame. The Measurement Duration is set to the duration of the requested measurement. It is expressed in units of TUs.
Range: 0 - 65535
Default: 0

Parameter: measure-mode
Description: Indicates the mode used for the measurement. The valid measurement modes are:
- active-all-ch
- active-ch-rpt
- beacon-table
- passive
Range: --
Default: beacon-table

Parameter: no
Description: Negates any configured parameter.
Range: --
Default: --

Parameter: random-interval <random-interval>
Description: This value is used to set the Randomization Interval field in the Beacon Report Request frame. The Randomization Interval is used to specify the desired maximum random delay in the measurement start time. It is expressed in units of TUs (Time Units). A Randomization Interval of 0 in a measurement request indicates that no random delay is to be used.
Range: 0 - 65535
Default: 0

Parameter: reg-class {1|12}
Description: This option is used to specify the Regulatory Class field in the Beacon Report Request frame.
Range: For 802.11b/g bands, 12. For 802.11a, use 1.
Default: --

Parameter: request-info <request-info>
Description: This option is used to indicate the contents of the Request Information IE that could be present in the Beacon Report Request frame. The Request Information IE is present for all Measurement Modes except the 'Beacon Table' mode. It consists of a list of Element IDs that should be included by the client in the response frame.
Range: Any valid element ID in the x/y/z format. For example, 0/21/22.
Default: --

Parameter: rpt-condition <rpt-condition>
Description: This option is used to indicate the value for the "Reporting Condition" field in the Beacon Reporting Information sub-element present in the Beacon Report Request frame.
Range: 0 - 255
Default: 0

Parameter: rpt-detail
Description: This option is used to indicate the value for the "Detail" field in the Reporting Detail subelement present in the Beacon Report Request frame.
Range: --
Default: Disabled

Parameter: ssid <ssid>
Description: A unique character string (sometimes referred to as a network name), consisting of no more than 32 characters. The SSID is case-sensitive (for example, WLAN-01).
Range: --
Default: --


Usage Guidelines
The Beacon Report Request profile is configured under the 802.11K profile.
Example
The following commands configure the parameters under the bcn-rpt-req-profile.
(host) (config) #wlan bcn-rpt-req-profile default
(host) (Beacon Report Request Profile "default") #channel 9
(host) (Beacon Report Request Profile "default") #interface 1
(host) (Beacon Report Request Profile "default") #no measure-dur-mandatory
(host) (Beacon Report Request Profile "default") #measure-duration 100
(host) (Beacon Report Request Profile "default") #measure-mode active-all-ch
(host) (Beacon Report Request Profile "default") #random-interval 100
(host) (Beacon Report Request Profile "default") #reg-class 12
(host) (Beacon Report Request Profile "default") #rpt-condition 2
(host) (Beacon Report Request Profile "default") #no rpt-detail
(host) (Beacon Report Request Profile "default") #request-info 0/21/22
(host) (Beacon Report Request Profile "default") #ssid aruba-ap

Command History
This command was introduced in AOS-W 6.2.
Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Configuration mode on master and local switches


wlan client-wlan-profile
wlan client-wlan-profile <profile-name>
   auth-as-computer
   auth-as-guest
   clone
   eap-cert
   eap-cert-connect-only-to
   eap-peap
   eap-peap-connect-only-to
   eap-type
   enable-8021x
   ieap-cert-connect-only
   inner-eap
   inner-eap-type
   no
   non-broadcasting-connection
   range-connect
   ssid-profile
Description
You can push WLAN profiles to users' computers that use the Microsoft Windows Wireless Zero Config (WZC) service to configure and maintain their wireless networks. After the WLAN profiles are pushed to user computers, they are automatically displayed as an ordered list in the preferred networks.
Syntax

Parameter: auth-as-computer
Description: Authenticate with domain credentials.

Parameter: auth-as-guest
Description: Authenticate as a guest user.

Parameter: clone
Description: Copy settings from another WLAN client profile.

Parameter: eap-cert
Description: If you select EAP type as certificate, you can use one of the following options:
- mschapv2-use-windows-credentials
- use-smartcard
- simple-certificate-selection
- use-different-name
- validate-server-certificate

Parameter: eap-cert-connect-only-to
Description: Comma separated list of servers.

Parameter: eap-peap
Description: Configure EAP-PEAP settings.

Parameter: eap-peap-connect-only-to
Description: Comma separated list of servers.

Parameter: eap-type
Description: Enter an EAP type used by the client to connect to the wireless network.
Default: EAP-PEAP

Parameter: enable-8021x
Description: Select this option to enable 802.1x authentication for this network.
Default: Enabled

Parameter: ieap-cert-connect-only
Description: Comma separated list of servers.

Parameter: inner-eap
Description: Enter the inner EAP type.
Default: EAP-MSCHAPv2

Parameter: inner-eap-type
Description: Specify one of the following:
- mschapv2-use-windows-credentials: Automatically use the Windows logon name and password (and domain if any)
- use-smartcard: Use a smart card
- simple-certificate-selection: Use a certificate on the user's computer or use a simple certificate selection method (recommended)
- validate-server-certificate: Validate the server certificate
- use-different-name: Use a different user name for the connection (and not the CN on the certificate)

Parameter: no
Description: Negate and reset all configuration settings.

Parameter: non-broadcasting-connection
Description: Connect even if WLAN is not broadcasting.
Default: Disabled

Parameter: range-connect
Description: Automatically connect to this WLAN if in range.

Parameter: ssid-profile
Description: Enter the name of the SSID profile.

Command History
This command was introduced in AOS-W 5.0.
Command Information

Platforms All platforms

Licensing
Base operating system on master switches

Command Mode Config mode on master switches


wlan dot11k-profile
wlan dot11k-profile <profile-name>
   ap-chan-rpt-11a
   ap-chan-rpt-11bg
   bcn-measurement-mode {active|beacon-table|passive}
   bcn-req-chan-11a
   bcn-req-chan-11bg
   bcn-req-time
   clone <profile-name>
   dot11k-enable
   force-disassoc
   handover-trigger-profile
   lm-req-time
   no ...
   rrm-ie-profile
   tsm-req-profile
   tsm-req-time
Description
Configure an 802.11k radio profile.
Syntax

Parameter: <profile-name>
Description: Name of this instance of the profile. The name must be 1-63 characters.
Default: "default"

Parameter: ap-chan-rpt-11a
Description: This value is sent in the 'Channel' field of the AP channel reports on the 'A' radio. You can specify values in the range 34 to 165.
Default: 36

Parameter: ap-chan-rpt-11bg
Description: This value is sent in the 'Channel' field of the AP channel reports on the 'BG' radio. You can specify values in the range 1 to 14.
Default: 1

Parameter: bcn-measurement-mode
Description: Configures an active, beacon-table or passive beacon measurement mode for the profile.
Default: beacon-table

   Parameter: active
   Description: Enables active beacon measurement mode. In this mode, the client sends a probe request to the broadcast destination address on all supported channels, sets a measurement duration timer, and, at the end of the measurement duration, compiles all received beacons or probe response with the requested SSID and BSSID into a measurement report.
   NOTE: If the station doesn't support active measurement mode, it returns a Beacon Measurement Report with the Incapable bit set in the Measurement Report Mode field.
   Default: --

   Parameter: beacon-table
   Description: Enables beacon-table beacon measurement mode. In this mode, the client measures beacons and returns a report with stored beacon information for any supported channel with the requested SSID and BSSID. The client does not perform any additional measurements. This is the default beacon measurement mode.
   NOTE: If a station doesn't support beacon-table measurement mode, it returns a Beacon Measurement Report with the Incapable bit set in the Measurement Report Mode field.
   Default: --

   Parameter: passive
   Description: Enables passive beacon measurement mode. In this mode, the client sets a measurement duration timer, and, at the end of the measurement duration, compiles all received beacons or probe response with the requested SSID and BSSID into a measurement report.
   NOTE: If a station doesn't support passive measurement mode, it returns a Beacon Measurement Report with the Incapable bit set in the Measurement Report Mode field.
   Default: --

Parameter: clone <profile-name>
Description: Copy settings from another specified 802.11k profile.
Default: --

Parameter: bcn-req-chan-11a
Description: This value is sent in the 'Channel' field of the beacon requests on the 'A' radio. You can specify values in the range 34 to 165.
Default: 36

Parameter: bcn-req-chan-11bg
Description: This value is sent in the 'Channel' field of the Beacon Requests on the 'BG' radio. You can specify values in the range 1 to 14.
Default: 1

Parameter: bcn-req-time
Description: This option configures the time duration between two consecutive beacon requests sent to a dot11K client. By default, the beacon requests are sent to a dot11K client every 60 seconds. However, if a different value is required, the bcn-req-time option can be used. This permits values in the range from 10 seconds to 200 seconds.
Default: 60 seconds

Parameter: dot11k-enable
Description: Enables the 802.11K feature. This feature is disabled by default.
Default: Disabled

Parameter: force-dissasoc
Description: This feature allows the AP to forcefully disassociate "on-hook" voice clients (clients that are not on a call) after a period of inactivity. Without the forced disassociation feature, if an AP has reached its call admission control limits and an on-hook voice client wants to start a new call, that client may be denied. If forced disassociation is enabled, those clients can associate to a neighboring AP that can fulfil their QoS requirements. This feature is disabled by default.
Default: Disabled

Parameter: handover-trigger-profile
Description: Name of the handover trigger profile associated with this 802.11k profile. If the handover trigger feature is enabled in the handover trigger profile, the switch will initiate the handover of a voice client (for example: dual mode handsets) roaming at the edge of Wi-Fi coverage to an alternate carrier or connection. The handover trigger is initiated if the Wi-Fi signal strength reported by the voice client (received from all APs) is equal to or less than the threshold value.
You must enable dot11k before using this command.

Parameter: lm-req-time
Description: This option configures the time duration between two consecutive link measurement requests sent to a dot11K client. By default, link measurement requests are sent to a dot11K client every 61 seconds. However, you can use the lm-req-time option to specify a different time interval. This permits values in the range from 10 seconds to 200 seconds.
Default: 61 seconds

Parameter: no
Description: Negates or removes any configured parameter

Parameter: rrm-ie-profile
Description: RRM IE Settings Profile

Parameter: tsm-req-profile
Description: TSM Report Request Settings Profile

Parameter: tsm-req-time
Description: This option configures the time duration between two consecutive transmit stream measurement requests sent to a dot11K client. By default, the transmit stream measurement requests are sent to a dot11K client every 90 seconds. However, you can use the tsm-req-time option to specify a different time interval. This permits values in the range from 10 seconds to 200 seconds.
Default: 90 seconds

Usage Guidelines
In an 802.11k network, if the AP with the strongest signal reaches its maximum capacity, clients may connect to an underutilized AP with a weaker signal. An 802.11k profile can be assigned to each virtual AP.
Example
The following command enables the 802.11k feature on the 802.11k profile and configures the beacon measurement mode and specifies the time interval for beacon, link, and transmit stream measurement requests.
(host) (config) #wlan dot11k-profile default
(host) (802.11K Profile "default") #dot11k-enable
(host) (802.11K Profile "default") #bcn-measurement-mode beacon-table
(host) (802.11K Profile "default") #bcn-req-time 60
(host) (802.11K Profile "default") #lm-req-time 60
(host) (802.11K Profile "default") #tsm-req-time 90
Related Commands

Command: wlan handover-trigger-profile
Description: Configure a handover trigger profile to ensure QoS for voice calls.

Command: wlan rrm-ie-profile
Description: Configure a radio resource management (RRM) IE profile to define the information elements advertised by an AP with 802.11k support enabled.

Command History
Version: AOS-W 3.4
Description: Command introduced

Version: AOS-W 6.2
Description: The following parameters were introduced:
- bcn-req-chan-11a
- bcn-req-chan-11bg
- ap-chan-rpt-11a
- ap-chan-rpt-11bg
- handover-trigger-profile
- rrm-ie-profile
- bcn-rpt-req-profile
- tsm-req-profile
The handover trigger threshold parameter was deprecated, as the handover trigger settings are now configured using the handover trigger profile.

Command Information

Platforms All platforms

Licensing Base operating system

Command Mode Config mode on master switches


wlan edca-parameters-profile
wlan edca-parameters-profile {ap|station} <profile-name> {background | best-effort | video | voice} [acm] [aifsn <number>] [ecw-max <exponent>] [ecw-min <exponent>] [txop <number>] [clone <profile-name>]
Description
This command configures an enhanced distributed channel access (EDCA) profile for APs or for clients (stations).
Syntax

Parameter: <profile-name>
Description: Name of this instance of the profile. The name must be 1-63 characters.
Range: --
Default: "default"

Parameter: background
Description: Configures the background queue.
Range: --
Default: --

Parameter: best-effort
Description: Configures the best-effort queue.
Range: --
Default: --

Parameter: video
Description: Configures the video queue.
Range: --
Default: --

Parameter: voice
Description: Configures the voice queue.
Range: --
Default: --

Parameter: acm
Description: Specifies mandatory admission control. The client reserves the access category through traffic specification (TSPEC) signaling. Enter 1 to enable, 0 to disable.
Range: 0, 1
Default: 0 (disabled)

Parameter: aifsn
Description: Arbitrary inter-frame space number.
Range: 1-15
Default: 0

Parameter: ecw-max
Description: The exponential (n) value of the maximum contention window size, as expressed by 2^n-1. A value of 4 computes to 2^4-1 = 15.
Range: 1-15
Default: 0

Parameter: ecw-min
Description: The exponential (n) value of the minimum contention window size, as expressed by 2^n-1. A value of 4 computes to 2^4-1 = 15.
Range: 0-15
Default: 0

Parameter: txop
Description: Transmission opportunity, in units of 32 microseconds. Divide the desired transmission duration by 32 to determine the value to configure. For example, for a transmission duration of 3008 microseconds, enter 94 (3008/32).
Range: 0-2047
Default: 0

Parameter: clone
Description: Name of an existing EDCA profile from which parameter values are copied.
Range: --
Default: --

Usage Guidelines
EDCA profiles are specific either to APs or clients. You apply an EDCA profile to a specific SSID profile. Use this command only under the guidance of your Alcatel-Lucent technical support representative.
The following are the default values configured for APs:

Access Category   ecw-min   ecw-max   aifsn   txop   acm
best-effort       4         6         3       0      No
background        4         10        7       0      No
video             3         4         1       94     No
voice             2         3         1       47     No

The following are the default values configured for clients:

Access Category   ecw-min   ecw-max   aifsn   txop   acm
best-effort       4         10        3       0      No
background        4         10        7       0      No
video             3         4         2       94     No
voice             2         3         2       47     No

Example
The following command configures an EDCA profile for APs:
(host) (config) #wlan edca-parameters-profile ap edca1 best-effort ecw-min 15 ecw-max 15 aifsn 15 txop 100 acm 1
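As an added example (not part of this guide and not Alcatel-Lucent code), the following Python linter parses an edca-parameters-profile command line, checks each value against the ranges in the Syntax table, and converts the ecw exponents and txop units into contention-window sizes and microseconds. The function names and the check that ecw-min does not exceed ecw-max are assumptions.

```python
"""Lint a 'wlan edca-parameters-profile' command line against the ranges in
the parameter table and derive the values the exponents and units encode."""

# Inclusive ranges as listed in the Syntax table.
RANGES = {
    "acm": (0, 1),
    "aifsn": (1, 15),
    "ecw-max": (1, 15),
    "ecw-min": (0, 15),
    "txop": (0, 2047),
}
QUEUES = {"background", "best-effort", "video", "voice"}
TXOP_UNIT_US = 32  # txop is configured in units of 32 microseconds


def parse_edca(command):
    """Split '... edca-parameters-profile {ap|station} <name> <queue> k v ...'."""
    tokens = command.split()
    start = tokens.index("edca-parameters-profile")
    role, name, queue = tokens[start + 1:start + 4]
    if role not in ("ap", "station"):
        raise ValueError(f"profile type must be ap or station, got {role!r}")
    if not 1 <= len(name) <= 63:
        raise ValueError("profile name must be 1-63 characters")
    if queue not in QUEUES:
        raise ValueError(f"unknown access category {queue!r}")
    rest = tokens[start + 4:]
    if len(rest) % 2:
        raise ValueError("every parameter needs a value")
    params = {}
    for key, value in zip(rest[0::2], rest[1::2]):
        if key not in RANGES:
            raise ValueError(f"unknown parameter {key!r}")
        params[key] = int(value)
    return {"role": role, "name": name, "queue": queue, "params": params}


def lint_edca(command):
    """Return (derived values, list of findings) for one command line."""
    params = parse_edca(command)["params"]
    findings = []
    for key, value in params.items():
        low, high = RANGES[key]
        if not low <= value <= high:
            findings.append(f"{key} {value} outside documented range {low}-{high}")
    # Assumption (not stated in the guide): a minimum window larger than the
    # maximum window is treated as a configuration mistake.
    if "ecw-min" in params and "ecw-max" in params:
        if params["ecw-min"] > params["ecw-max"]:
            findings.append("ecw-min exceeds ecw-max")
    derived = {}
    for key in ("ecw-min", "ecw-max"):
        if key in params:
            # Contention window size is 2^n - 1 for exponent n.
            derived[key.replace("ecw", "cw")] = 2 ** params[key] - 1
    if "txop" in params:
        derived["txop_us"] = params["txop"] * TXOP_UNIT_US
    return derived, findings


if __name__ == "__main__":
    # First line is the guide's example; the second is constructed to fail.
    samples = [
        "(host) (config) #wlan edca-parameters-profile ap edca1 "
        "best-effort ecw-min 15 ecw-max 15 aifsn 15 txop 100 acm 1",
        "wlan edca-parameters-profile station sta1 voice "
        "ecw-min 5 ecw-max 3 txop 4000",
    ]
    for line in samples:
        print(lint_edca(line))
```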
Command History

Version: AOS-W 3.1
Description: Command introduced.

Version: AOS-W 3.4.1
Description: License requirements changed in AOS-W 3.4.1, so the command requires the PEF license instead of the Voice Services Module license required in earlier versions.

This command was introduced in AOS-W 3.1.
Command Information

Platforms All platforms

Licensing PEFNG license

Command Mode Config mode on master switches


wlan handover-trigger-profile <profile-name>
   clone <source>
   handover-threshold <handover-threshold>
   handover-trigger
   no
Description
Configure a handover trigger profile to ensure QoS for voice calls.
Syntax

Parameter: <profile-name>
Description: Name of this instance of the profile. The name must be 1-63 characters.
Range: --
Default: "default"

Parameter: clone <source>
Description: Creates a copy of the Handover Trigger Profile specified as the <source>. <source> is the name of an existing Handover Trigger Profile from which parameter values are copied.
Range: --
Default: --

Parameter: handover-threshold <handover-threshold>
Description: If the best signal strength (-dbm) of a WiFi signal received by a voice client from all the APs is equal to or less than this threshold value, the handover trigger feature initiates the handover process. Threshold values can be specified in the range 20 to 70.
Range: 20 - 70 -dBM
Default: 50 -dBM

Parameter: handover-trigger
Description: Issue this command to enable the handover trigger feature. If enabled, the switch will initiate the handover of a voice client (for example: dual mode handsets) roaming at the edge of Wi-Fi coverage to an alternate carrier or connection. The handover trigger is initiated if the Wi-Fi signal strength reported by the voice client (received from all APs) is equal to or less than the threshold value.
You must enable dot11k before using this command.
Range: --
Default: Enabled

Parameter: no
Description: Negates any configured parameter.
Range: --
Default: --

Usage Guidelines
The handover-trigger profile is a part of the 802.11K profile. It is used to configure the parameters for the "Wi-Fi Edge Detection and Handover of Voice Clients" feature. It is mandatory to enable the 802.11K feature before enabling the "Wi-Fi Edge Detection and Handover of Voice Clients" feature.
Example
The following command enables the handover trigger feature and sets the handover threshold at -20dbm.
(host) (config) #wlan handover-trigger-profile default
(host) (Handover Trigger Profile "default") #handover-trigger
(host) (Handover Trigger Profile "default") #handover-threshold 20
Command History
This command was introduced in AOS-W 6.2.


Command Information

Platforms All platforms

Licensing Base operating system

Command Mode
Configuration mode on master or local switches


wlan ht-ssid-profile
wlan ht-ssid-profile <profile-name>
   40MHz-enable
   ba-amsdu-enable
   clone <profile-name>
   high-throughput-enable
   ldpc
   legacy-stations
   max-rx-a-mpdu-size {8191|16383|32767|65535}
   max-tx-a-mpdu-size <bytes>
   min-mpdu-start-spacing {0|.25|.5|1|2|4|8|16}
   mpdu-agg
   no...
   short-guard-intvl-20MHz
   short-guard-intvl-40MHz
   STBC-rx-streams
   STBC-tx-streams
   supported-mcs-set <mcs-list>
   txbf-comp-steering
   txbf-delayed-feedback
   txbf-explicit-enable
   txbf-immediate-feedback
   txbf-noncomp-steering
   txbf-sounding-interval
Description
This command configures a high-throughput SSID profile.
Syntax

Parameter: <profile-name>
Description: Name of this instance of the profile. The name must be 1-63 characters.
Range: --
Default: "default"

Parameter: 40MHz-enable
Description: Enables or disables the use of this high-throughput SSID in 40 MHz mode.
Range: --
Default: enabled

Parameter: ba-amsdu-enable
Description: Enable/Disable Receive AMSDU in BA negotiation.
Range: --
Default: disabled

Parameter: clone
Description: Name of an existing high-throughput SSID profile from which parameter values are copied.
Range: --
Default: --

Parameter: high-throughput-enable
Description: Determines if this high-throughput SSID allows high-throughput (802.11n) stations to associate. Enabling high-throughput in an ht-ssid-profile enables Wi-Fi Multimedia (WMM) base features for the associated SSID.
Range: --
Default: enabled

Parameter: ldpc
Description: If enabled, the AP will advertise Low-density Parity Check (LDPC) support. LDPC improves data transmission over radio channels with high levels of background noise.
Range: --
Default: enabled


Parameter: legacy-stations
Description: Controls whether or not legacy (non-HT) stations are allowed to associate with this SSID. By default, legacy stations are allowed to associate. This setting has no effect on a BSS in which HT support is not available.
Range: --
Default: enabled

Parameter: max-rx-a-mpdu-size
Description: Controls the maximum size, in bytes, of an Aggregated-MAC Packet Data Unit (A-MPDU) that can be received on this high-throughput SSID.
Range: 8191/16383/32767/65535
Default: 65535

   Parameter: 8191
   Description: Maximum size of 8191 bytes.

   Parameter: 16383
   Description: Maximum size of 16383 bytes.

   Parameter: 32767
   Description: Maximum size of 32767 bytes.

   Parameter: 65535
   Description: Maximum size of 65535 bytes.

Parameter: max-tx-a-mpdu-size
Description: Controls the maximum size, in bytes, of an A-MPDU that can be sent on this high-throughput SSID.
Range: 1576-65535
Default: 65535

Parameter: min-mpdu-start-spacing
Description: Minimum time between the start of adjacent MPDUs within an aggregate MPDU in microseconds.
Range: 0/.25/.5/1/2/4/8/16
Default: 0

   Parameter: 0
   Description: No restriction on MPDU start spacing.

   Parameter: .25
   Description: Minimum time of .25 µsec.

   Parameter: .5
   Description: Minimum time of .5 µsec.

   Parameter: 1
   Description: Minimum time of 1 µsec.

   Parameter: 2
   Description: Minimum time of 2 µsec.

   Parameter: 4
   Description: Minimum time of 4 µsec.

   Parameter: 8
   Description: Minimum time of 8 µsec.

   Parameter: 16
   Description: Minimum time of 16 µsec.

Parameter: mpdu-agg
Description: Enables or disables MAC protocol data unit (MPDU) aggregation. High-throughput APs are able to send aggregated MAC protocol data units (MPDUs), which allow an AP to receive a single block acknowledgment instead of multiple ACK signals. This option, which is enabled by default, reduces network traffic overhead by effectively eliminating the need to initiate a new transfer for every MPDU.
Range: --
Default: enabled

Parameter: no
Description: Negates any configured parameter.
Range: --
Default: --

Parameter: short-guard-intvl-20MHz
Description: Enables or disables use of short guard interval in 20 MHz mode of operation.
Default: enabled

Parameter: short-guard-intvl-40MHz
Description: Enables or disables use of short guard interval in 40 MHz mode of operation.
Default: enabled


Parameter: stbc-rx-streams
Description: Controls the maximum number of spatial streams usable for STBC reception. 0 disables STBC reception, 1 uses STBC for MCS 0-7. Higher MCS values are not supported. (Supported on the OAW-AP90 series, OAW-AP130 Series, OAW-AP68, OAW-AP175 and OAW-AP105 only. The configured value will be adjusted based on AP capabilities.)
NOTE: If transmit beamforming is enabled, STBC will be disabled for beamformed frames.
Range: 0-1
Default: 1

Parameter: stbc-tx-streams
Description: Controls the maximum number of spatial streams usable for STBC transmission. 0 disables STBC transmission, 1 uses STBC for MCS 0-7. Higher MCS values are not supported. (Supported on OAW-AP90 series, OAW-AP175, OAW-AP130 Series and OAW-AP105 only. The configured value will be adjusted based on AP capabilities.)
NOTE: If transmit beamforming is enabled, STBC will be disabled for beamformed frames.
Range: 0-1
Default: 1

Parameter: supported-mcs-set
Description: Comma-separated list of Modulation Coding Scheme (MCS) values or ranges of values to be supported on this high-throughput SSID.
Range: 0-23
Default: 0-23

Usage Guidelines
AP configuration settings related to the IEEE 802.11n standard are configurable for OAW-AP120 Series access points, which are IEEE 802.11n standard compliant devices.
The ht-ssid profile configures the high-throughput SSID. Stations are not allowed to use HT with TKIP standalone encryption, although TKIP can be provided in mixed-mode BSSIDs that support HT. HT is disabled on a BSSID if the encryption mode is standalone TKIP or WEP.
You can also use this profile to configure explicit transmit beamforming for OAW-AP130 Series access points. When this feature is enabled, the AP coordinates the signals sent from each antenna so the signals focus on the receiver, improving radio range and performance. The OAW-AP130 Series AP can advertise transmit beamforming capabilities in beacon, probe response and association responses in the HT capabilities IE, then use the compressed or noncompressed beamforming report from clients to form a steering matrix. The AP ensures that the steering matrix stays current by updating and recalibrating the steering matrix at regular intervals.
By default, OAW-AP130 Series access points support both compressed and non-compressed steering information from clients. If you have many clients that can send only non-compressed steering reports, best practices are to retain the default settings, allowing the AP to support both types of steering reports. If all (or nearly all) of the AP's clients are capable of sending compressed steering reports, best practices are to disable non-compressed steering in the AP's HT SSID profile.
De-aggregation of MAC Service Data Units (A-MSDUs) is supported on the OAW-4504, OAW-4604, OAW-4704, OAW-S3, and OAW-4x50 Alcatel-Lucent switches with a maximum frame transmission size of 4k bytes; however, this feature is always enabled and is not configurable. Aggregation is not currently supported.


Example
The following command configures the maximum size of a received aggregate MPDU to be 8191 bytes for the high-throughput SSID named "htcorpnet":
(host) (config) #wlan ht-ssid-profile htcorpnet
   max-rx-a-mpdu-size 8191
Command History

Version: AOS-W 3.3
Description: Command introduced.

Version: AOS-W 3.3.1
Description: The legacy-stations parameter was introduced.

Version: AOS-W 3.3.2
Description: De-aggregation of MAC Service Data Units (A-MSDUs) was introduced.

Version: AOS-W 6.1
Description: The short-guard-intvl-20Mhz, ldpc, stbc-rx-streams and stbc-tx-streams parameters were introduced. The allow-weak-encryption parameter was deprecated.

Command Information

Platforms

Licensing

All platforms, but operates with IEEE 802.11n-compliant devices only

Command Mode Config mode on master switches


wlan rrm-ie-profile
wlan rrm-ie-profile <profile-name>
   bss-aac-ie
   clone
   country-ie
   enabled-capabilities-ie
   no
   pwr-constraint-ie
   qbss-load-ie
   quiet-ie
   tpc-report-ie
Description
Configure a radio resource management (RRM) IE profile to define the information elements advertised by an AP with 802.11k support enabled.
Syntax

Parameter: bss-aac-ie
Description: The AP will advertise in beacon and probe responses the BSS Available Admission Capacity (AAC) IE, which contains information about the admission capabilities for each User Priority / Access Category.

Parameter: clone
Description: Copy the settings of an existing RRM IE profile.

Parameter: country-ie
Description: The AP will advertise in beacon and probe responses the device's regulatory domain.

Parameter: enabled-capabilities-ie
Description: The AP will advertise in beacon and probe responses support for radio measurements in a device.

Parameter: no ...
Description: Disables the transmission of an IE in this profile.

Parameter: pwr-constraint-ie
Description: The AP will advertise in beacon and probe responses the regulatory maximum transmit power for the current channel.

Parameter: qbss-load-ie
Description: The AP will advertise in beacon and probe responses the QoS Basic Service Set (QBSS) Load IE, which contains information on the current station count, channel utilization and available admission capacity levels in the QBSS.

Parameter: quiet-ie
Description: The AP will advertise in beacon and probe responses the Quiet IE, which is used to silence the channel for measurement purposes. When an AP uses a quiet IE to schedule a quiet interval, stations may not transmit on that channel during the quiet interval.

Parameter: tpc-report-ie
Description: The AP will advertise in beacon and probe responses information about its transmit power controls.

Usage Guidelines
AOS-W supports RRM Information Elements (IEs) for APs with 802.11k support enabled. All IEs are sent by default.
Example
The following command prevents the AP from advertising the country IE.


(host) (config) #wlan rrm-ie-profile default
(host) (Handover Trigger Profile) #no country-ie
Related commands
wlan dot11k-profile <profile> dot11k-enable
Command History

Version: AOS-W 6.2
Description: Command introduced

Command Information

Platforms: All platforms
Licensing: Base operating system
Command Mode: Config mode on master switches


wlan ssid-profile
wlan ssid-profile <profile-name>
   902il-compatibility-mode
   a-basic-rates <mbps>
   a-beacon-rate
   a-tx-rates <mbps>
   advertise-ap-name
   advertise-location
   ageout <seconds>
   battery-boost
   clone <profile-name>
   deny-bcast
   disable-probe-retry
   dtim-period <milliseconds>
   eapol-rate-opt
   edca-parameters-profile {ap|station} <profile-name>
   enforce-user-vlan
   essid <name>
   g-basic-rates <mbps>
   g-beacon-rate
   g-tx-rates <mbps>
   hide-ssid
   ht-ssid-profile <profile-name>
   local-probe-req-thresh
   max-clients <number>
   max-retries <number>
   max-tx-fail <number>
   mcast-rate-opt
   no ...
   opmode {bSec-128|dynamic-wep|opensystem|static-wep|wpa-aes|wpa2-aes-gcm-128|wpa2-aes-gcm-256|wpa-psk-aes|wpa-psk-tkip|wpa-tkip|wpa2-aes|wpa2-psk-aes|wpa2-psk-tkip|wpa2-tkip|xSec}
   qbss-load-enable
   rts-threshold <number>
   short-preamble
   ssid-enable
   strict-svp
   wepkey1 <key>
   wepkey2 <key>
   wepkey3 <key>
   wepkey4 <key>
   weptxkey <index>
   wmm
   wmm-be-dscp <best-effort>
   wmm-bk-dscp <background>
   wmm-override-dscp-mapping
   wmm-ts-min-inact-int <milliseconds>
   wmm-uapsd
   wmm-vi-dscp <video>
   wmm-vo-dscp <voice>
   wpa-hexkey <psk>
   wpa-passphrase <string>
Description
This command configures an SSID profile.


Syntax
Parameter: <profile-name>
Description: Name of this instance of the profile. The name must be 1-63 characters.
Range: --
Default: "default"

Parameter: 902il-compatibility-mode
Description: (For clients using NTT DoCoMo 902iL phones only) When enabled, the switch does not drop packets from the client if a small or old initialization vector value is received. (When TKIP or AES is used for encryption and TSPEC is enabled, the phone resets the value of the initialization vector after add/delete TSPEC.)
NOTE: This parameter requires the PEFNG license.
Range: --
Default: disabled

Parameter: a-basic-rates
Description: List of supported 802.11a rates, in Mbps, that are advertised in beacon frames and probe responses.
Range: 6, 9, 12, 18, 24, 36, 48, 54 Mbps
Default: 6, 12, 24 Mbps

Parameter: a-beacon-rate
Description: Sets the beacon rate for 802.11a (use for Distributed Antenna System (DAS) only). Using this parameter in normal operation may cause connectivity problems.
Range: default, 6, 9, 12, 18, 24, 36, 48, 54 Mbps
Default: minimum valid rate

Parameter: a-tx-rates
Description: Set of 802.11a rates at which the AP is allowed to send data. The actual transmit rate depends on what the client is able to handle, based on information sent at the time of association and on the current error/loss rate of the client.
Range: 6, 9, 12, 18, 24, 36, 48, 54 Mbps
Default: 6, 9, 12, 18, 24, 36, 48, 54 Mbps

Parameter: advertise-ap-name
Description: If enabled, APs that are part of this VAP will broadcast the AP Name information in the beacon frames.
Range: --
Default: --

Parameter: advertise-location
Description: If enabled, APs that are part of this VAP will broadcast their GPS coordinates in the beacon and probe response frames as part of a vendor-specific Information Element.
Range: --
Default: disabled

Parameter: ageout
Description: Time, in seconds, that a client is allowed to remain idle before being aged out.
Default: 1000 seconds

Parameter: battery-boost
Description: Converts multicast traffic to unicast before delivery to the client, thus allowing you to set a longer DTIM interval. The longer interval keeps associated wireless clients from activating their radios for multicast indication and delivery, leaving them in power-save mode longer and thus lengthening battery life.
NOTE: This parameter requires the PEFNG license. This parameter should not be enabled if you plan on using the Push-To-Talk feature for Polycom SpectraLink devices.
Range: --
Default: disabled


Parameter: clone
Description: Name of an existing SSID profile from which parameter values are copied.
Range: --
Default: --

Parameter: deny-bcast
Description: When a client sends a broadcast probe request frame to search for all available SSIDs, this option controls whether or not the system responds for this SSID. When enabled, no response is sent and clients have to know the SSID in order to associate to the SSID. When disabled, a probe response frame is sent for this SSID.
Range: --
Default: disabled

Parameter: disable-probe-retry
Description: Enable or disable battery MAC level retries for probe response frames. By default this parameter is enabled, which means that MAC level retries for probe response frames are disabled.
Default: Enabled

Parameter: dtim-period
Description: Specifies the interval, in milliseconds, between the sending of Delivery Traffic Indication Messages (DTIMs) in the beacon. This is the maximum number of beacon cycles before unacknowledged network broadcasts are flushed. When using wireless clients that employ power management features to sleep, the client must revive at least once during the DTIM period to receive broadcasts.
Default: 1

Parameter: eapol-rate-opt
Description: Enable rate optimization for delivering EAPOL frames.
Range: --
Default: disabled

Parameter: edca-parameters-profile
Description: Name of the enhanced distributed channel access (EDCA) profile that applies to this SSID.
NOTE: This parameter requires the PEFNG license. Configure this parameter only under the guidance of your Alcatel-Lucent representative.
Range: --
Default: --

Parameter: ap|sta
Description: Assigns the specified EDCA profile to AP or station (client).
Range: --
Default: --

Parameter: enforce-user-vlan
Description: Strict enforcement of data traffic only in the user's assigned VLAN (Open stations only).
Range: --
Default: --

Parameter: essid
Description: Name that uniquely identifies a wireless network. The ESSID can be up to 31 characters. If the ESSID includes spaces, you must enclose it in quotation marks.
Range: --
Default: alcatel-ap

Parameter: g-basic-rates
Description: List of supported 802.11b/g rates that are advertised in beacon frames and probe responses.
Range: 1, 2, 5, 6, 9, 11, 12, 18, 24, 36, 48, 54 Mbps
Default: 1, 2 Mbps

Parameter: g-beacon-rate
Description: Sets the beacon rate for 802.11g (use for Distributed Antenna System (DAS) only). Using this parameter in normal operation may cause connectivity problems.
Range: default, 1, 2, 5, 6, 9, 11, 12, 18, 24, 36, 48, 54 Mbps
Default: minimum valid rate


Parameter: g-tx-rates
Description: Set of 802.11b/g rates at which the AP is allowed to send data. The actual transmit rate depends on what the client is able to handle, based on information sent at the time of association and on the current error/loss rate of the client.
Range: 1, 2, 5, 6, 9, 11, 12, 18, 24, 36, 48, 54 Mbps
Default: 1, 2, 5, 6, 9, 11, 12, 18, 24, 36, 48, 54 Mbps

Parameter: hide-ssid
Description: Enables or disables hiding of the SSID name in beacon frames. Note that hiding the SSID does very little to increase security.
Range: --
Default: disabled

Parameter: ht-ssid-profile
Description: Name of high-throughput SSID profile to use for configuring high-throughput support. See wlan ht-ssid-profile.
Range: --
Default: "default"

Parameter: local-probe-req-thresh
Description: APs will not respond to client probe requests if the SNR value in the probe request is less than the specified threshold value.
Range: 0-100
Default: 0

Parameter: max-clients
Description: Maximum number of wireless clients for the AP.
Range: 0-256
Default: 64

Parameter: max-retries
Description: Maximum number of retries allowed for the AP to send a frame.
Range: 0-15
Default: 4

Parameter: max-tx-fail
Description: The AP assumes the client has left and should be deauthorized when the AP detects that this number of consecutive frames were not delivered because the max-retries threshold was exceeded.
Range: 0-2,147,483,647
Default: 0

Parameter: mcast-rate-opt
Description: Enables or disables scanning of all active stations currently associated to an AP to select the lowest transmission rate for broadcast and multicast frames. This option only applies to broadcast and multicast data frames; 802.11 management frames are transmitted at the lowest configured rate.
NOTE: Do not enable this parameter unless instructed to do so by your Alcatel-Lucent technical support representative.
Range: --
Default: disabled

Parameter: no
Description: Negates any configured parameter.
Range: --
Default: --

Parameter: opmode
Description: The layer-2 authentication and encryption to be used on this ESSID to protect access and ensure the privacy of the data transmitted to and from the network.
   bSec-128: WPA2 with AES GCM-128 encryption and dynamic keys using 802.1X.
   dynamic-wep: WEP with dynamic keys.
   opensystem: No authentication and encryption.
   static-wep: WEP with static keys.
   wpa-aes: WPA with AES encryption and dynamic keys using 802.1x.
   wpa2-aes-gcm-128: WPA2 with AES GCM-128 (Suite-b) encryption and dynamic keys using 802.1X. This parameter requires the ACR license.
   wpa2-aes-gcm-256: WPA2 with AES GCM-256 (Suite-b) encryption and dynamic keys using 802.1X. This parameter requires the ACR license.
   wpa-psk-aes: WPA with AES encryption using a preshared key.
   wpa-psk-tkip: WPA with TKIP encryption using a preshared key.
   wpa-tkip: WPA with TKIP encryption and dynamic keys using 802.1x.
   wpa2-aes: WPA2 with AES encryption and dynamic keys using 802.1x.
   wpa2-psk-aes: WPA2 with AES encryption using a preshared key.
   wpa2-psk-tkip: WPA2 with TKIP encryption using a preshared key.
   wpa2-tkip: WPA2 with TKIP encryption and dynamic keys using 802.1x.
   xSec: Encryption and tunneling of Layer-2 traffic between the switch and wired or wireless clients, or between switches. To use xSec encryption, you must use a RADIUS authentication server. For clients, you must install the Funk Odyssey client software. Requires installation of the xSec license. For xSec between switches, you must install an xSec license in each switch.
Range: --
Default: opensystem

Parameter: qbss-load-enable
Description: Enables the AP to advertise the QBSS load element. The element includes the following parameters that provide information on the traffic situation:
   - Station count: The total number of stations associated to the QBSS.
   - Channel utilization: The percentage of time (normalized to 255) the channel is sensed to be busy. The access point uses either the physical or the virtual carrier sense mechanism to sense a busy channel.
   - Available admission capacity: The remaining amount of medium time (measured as number of 32us/s) available for a station via explicit admission control.
The QAP uses these parameters to decide whether to accept an admission control request. A wireless station uses these parameters to choose the appropriate access points.
NOTE: Ensure that wmm is enabled for legacy APs to advertise the QBSS load element. For 802.11n APs, ensure that either wmm or high throughput is enabled.
Range: --
Default: disabled

Parameter: rts-threshold
Description: Wireless clients transmitting frames larger than this threshold must issue Request to Send (RTS) and wait for the AP to respond with Clear to Send (CTS). This helps prevent mid-air collisions for wireless clients that are not within wireless peer range and cannot detect when other wireless clients are transmitting.
Default: 2333 bytes

Parameter: short-preamble
Description: Enables or disables short preamble for 802.11b/g radios. Network performance may be higher when short preamble is enabled. In mixed radio environments, some 802.11b wireless client stations may experience difficulty associating with the AP using short preamble. To use only long preamble, disable short preamble. Legacy client devices that use only long preamble generally can be updated to support short preamble.
Range: --
Default: enabled

Parameter: ssid-enable
Description: Enables/disables this SSID.
Range: --
Default: enabled

Parameter: strict-svp
Description: Enable Strict Spectralink Voice Protocol (SVP).
Range: --
Default: disabled

Parameter: wepkey1 - wepkey4
Description: Static WEP key associated with the key index. Can be 10 or 26 hex characters in length.
Range: --
Default: --

Parameter: weptxkey
Description: Key index that specifies which static WEP key is to be used. Can be 1, 2, 3, or 4.
Range: 1, 2, 3, 4
Default: 1

Parameter: wmm
Description: Enables or disables WMM, also known as IEEE 802.11e Enhanced Distribution Coordination Function (EDCF). WMM provides prioritization of specific traffic relative to other traffic in the network.
Range: --
Default: disabled

Parameter: wmm-be-dscp
Description: DSCP value used to map WMM best-effort traffic.
Range: 0-63
Default: --

Parameter: wmm-bk-dscp
Description: DSCP used to map WMM background traffic.
Range: 0-63
Default: --

Parameter: wmm-override-dscp-mapping
Description: Overrides the default DSCP mappings in the SSID profile with the ToS value. This setting is useful when you want to set a non-default ToS value for specific traffic.
Range: --
Default: disabled


Parameter: wmm-ts-min-inact-int
Description: Specifies the minimum inactivity time-out threshold of WMM traffic. This setting is useful in environments where low inactivity interval timeouts are advertised, which may cause unwanted timeouts.
Range: 0-3,600,000
Default: 0 milliseconds

Parameter: wmm-uapsd
Description: Enable Wireless Multimedia (WMM) UAPSD powersave.
Range: --
Default: enabled

Parameter: wmm-vi-dscp
Description: DSCP used to map WMM video traffic.
Range: 0-63
Default: --

Parameter: wmm-vo-dscp
Description: DSCP used to map WMM voice traffic.
Range: 0-63
Default: --

Parameter: wpa-hexkey
Description: WPA pre-shared key (PSK).
Range: --
Default: --

Parameter: wpa-passphrase
Description: WPA passphrase with which to generate a pre-shared key (PSK).
Range: --
Default: --
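The wpa-passphrase and wpa-hexkey parameters carry the same secret in two forms. The sketch below is an added example, not code from this guide or from AOS-W: it applies the standard IEEE 802.11i passphrase-to-PSK mapping (PBKDF2-HMAC-SHA1, ESSID as salt, 4096 iterations, 32 bytes), which shows that a hex key is only valid for the ESSID it was derived with. The function names are hypothetical, the passphrases are constructed sample values, and it assumes wpa-hexkey takes the PSK as 64 hex characters.

```python
import hashlib
import hmac
import re

ESSID_MAX = 31  # ESSID length limit stated in the essid parameter description


def wpa_psk(passphrase, essid):
    """Derive the 256-bit WPA/WPA2 PSK and return it as 64 hex characters.

    Standard IEEE 802.11i mapping: PBKDF2-HMAC-SHA1 over the passphrase,
    salted with the ESSID, 4096 iterations, 32-byte output.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8-63 characters")
    if any(not 32 <= ord(ch) <= 126 for ch in passphrase):
        raise ValueError("passphrase must be printable ASCII")
    salt = essid.encode("utf-8")
    if not 1 <= len(salt) <= ESSID_MAX:
        raise ValueError("ESSID must be 1-%d bytes" % ESSID_MAX)
    key = hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), salt, 4096, 32)
    return key.hex()


def hexkey_matches(hexkey, passphrase, essid):
    """True if a 64-hex-character key is the PSK for this passphrase and ESSID."""
    if not re.fullmatch(r"[0-9A-Fa-f]{64}", hexkey):
        return False
    return hmac.compare_digest(hexkey.lower(), wpa_psk(passphrase, essid))


if __name__ == "__main__":
    # Constructed sample passphrase; "Corpnet" is the ESSID used in the
    # Example section of this command.
    sample = "constructed sample passphrase"
    for essid in ("Corpnet", "Corpnet-Guest"):
        print(essid, wpa_psk(sample, essid))
```

Because the ESSID is the salt, renaming an ESSID invalidates a previously computed hex key even when the passphrase is unchanged.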

Usage Guidelines
The SSID profile configures the SSID.
AP configuration settings related to the IEEE 802.11n standard are configurable for OAW-AP120 Series access points, which are IEEE 802.11n standard compliant devices.

Default WMM mappings exist for all SSIDs. After you customize a WMM mapping and apply it to the SSID, the switch overwrites the default mapping values and uses the user-configured values.
Suite-B cryptography
The opmode parameters for Suite-B encryption, wpa2-aes-gcm-128, require the ACR license. Note, however, that not all switches support Suite-B encryption. The table below describes the switch support for Suite-B encryption in AOS-W.

Switch: OAW-4x50, OAW-4550, OAW-4650, OAW-4750
Serial Number Prefix: All serial numbers supported
ACR License Support: Yes

Switch: OAW-4306 Series
Serial Number Prefix: All serial numbers supported
ACR License Support: Yes

Switch: OAW-S3 card
Serial Number Prefix: AK
ACR License Support: Yes

Switch: OAW-S3 card
Serial Number Prefix: A
ACR License Support: No

To determine the serial number prefix for your switch, issue the CLI command show inventory and note the prefix before the system serial number. The serial number prefix in the example below appears in bold.

(host) #show inventory
Supervisor Card slot   : 0
System Serial#         : AK0093676
SC Assembly#           : 2010052B (Rev:02.01)
SC Serial#             : F01629529 (Date:03/29/10)
SC Model#              : OAW-4704-US


Multicast Rate Optimization
The Multicast Rate Optimization feature dynamically selects the rate for sending broadcast/multicast frames on any BSS. This feature determines the optimal rate for sending broadcast and multicast frames based on the lowest of the unicast rates across all associated clients.
When the Multicast Rate Optimization option (mcast-rate-opt) is enabled, the switch scans the list of all associated stations in that BSS and finds the lowest transmission rate as indicated by the rate adaptation state for each station. If there are no associated stations in the BSS, it selects the lowest configured rate as the transmission rate for broadcast and multicast frames.
This feature is disabled by default. Multicast Rate Optimization applies to broadcast and multicast frames only. 802.11 management frames are not affected by this feature and will be transmitted at the lowest configured rate.
The Multicast Rate Optimization feature should only be enabled on a BSS where all associated stations are sending or receiving unicast data. If there is no unicast data to or from a particular station, then the rate adaptation state may not accurately reflect the current sustainable transmission rate for that station. This could result in a higher packet error rate for broadcast/multicast packets at that station.

Example
The following command configures an SSID for WPA2 AES authentication:
(host) (config) #wlan ssid-profile corpnet
   essid Corpnet
   opmode wpa2-aes
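The opmode default (opensystem), the note on hide-ssid, the wepkey length rule and the statement that HT is disabled on standalone TKIP or WEP BSSIDs can all be checked mechanically before a profile is deployed. The following auditor is an added example, not part of this guide or of AOS-W; the sample configuration is constructed, the block layout (indented settings closed by "!") and the use of several opmode values on one line for mixed mode are assumptions, and the finding codes are hypothetical names.

```python
import re

# Constructed sample, not taken from the guide. Assumed layout: settings are
# indented under each "wlan ssid-profile" line and "!" closes the block.
SAMPLE_CONFIG = """\
wlan ssid-profile "corpnet"
   essid "Corpnet"
   opmode wpa2-aes
!
wlan ssid-profile "scanners"
   essid "Scanners"
   opmode static-wep
   wepkey1 0123456789
   hide-ssid
!
wlan ssid-profile "guest"
   essid "Guest"
!
wlan ssid-profile "mixed"
   essid "Mixed"
   opmode wpa-tkip wpa2-aes
!
wlan ssid-profile "oldphones"
   essid "Phones"
   opmode wpa-psk-tkip
!
"""

WEP_MODES = {"static-wep", "dynamic-wep"}
TKIP_MODES = {"wpa-tkip", "wpa-psk-tkip", "wpa2-tkip", "wpa2-psk-tkip"}

# Finding codes (hypothetical names) and the statement in the guide behind each.
EXPLANATIONS = {
    "OPEN": "opmode opensystem (the default): no authentication and encryption",
    "WEP": "WEP opmode; HT is also disabled on a WEP BSSID",
    "TKIP-ONLY": "standalone TKIP; HT is disabled on this BSSID",
    "TKIP-MIXED": "TKIP offered together with another opmode (mixed mode)",
    "HIDDEN-SSID": "hide-ssid set; it does very little to increase security",
    "BAD-WEPKEY": "static WEP key is not 10 or 26 hex characters",
}

PROFILE_RE = re.compile(r'^wlan ssid-profile\s+"?([^"]+?)"?\s*$')
WEPKEY_RE = re.compile(r"(?:[0-9A-Fa-f]{10}|[0-9A-Fa-f]{26})")


def parse_ssid_profiles(text):
    """Return {profile name: {keyword: [arguments]}} for every ssid-profile block."""
    profiles, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw[0].isspace():            # top-level line: a new block or "!"
            match = PROFILE_RE.match(line)
            current = profiles.setdefault(match.group(1), {}) if match else None
        elif current is not None:
            keyword, *args = line.split()
            if keyword == "no" and args:    # "no hide-ssid" negates a setting
                current.pop(args[0], None)
            else:
                current[keyword] = args
    return profiles


def audit_profile(settings):
    """Return the finding codes that apply to one parsed profile."""
    findings = []
    # A profile without an opmode line falls back to the documented default.
    modes = set(settings.get("opmode") or ["opensystem"])
    if "opensystem" in modes:
        findings.append("OPEN")
    if modes & WEP_MODES:
        findings.append("WEP")
    if modes <= TKIP_MODES:                 # every configured mode is TKIP
        findings.append("TKIP-ONLY")
    elif modes & TKIP_MODES:
        findings.append("TKIP-MIXED")
    if "hide-ssid" in settings:
        findings.append("HIDDEN-SSID")
    for index in "1234":
        name = "wepkey" + index
        if name in settings and not WEPKEY_RE.fullmatch("".join(settings[name])):
            findings.append("BAD-WEPKEY")
            break
    return findings


def audit_config(text):
    """Map each profile name to its finding codes; a clean profile maps to []."""
    return {name: audit_profile(s) for name, s in parse_ssid_profiles(text).items()}


if __name__ == "__main__":
    for name, codes in audit_config(SAMPLE_CONFIG).items():
        print(name + ":", "clean" if not codes else "")
        for code in codes:
            print("   " + code + ": " + EXPLANATIONS[code])
```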
Command History

Release: AOS-W 3.0
Modification: Command introduced.

Release: AOS-W 3.2
Modification: The wmm-ts-min-inact-int parameter was introduced. The wpa2-preauth parameter was removed.

Release: AOS-W 3.3
Modification: Support for the high-throughput IEEE 802.11n standard was introduced including the ht-ssid-profile parameter and various rate changes.

Release: AOS-W 3.3.1
Modification: Support for configurable WMM AC mapping was introduced including the wmm-be-dscp, wmm-bk-dscp, wmm-vi-dscp, and wmm-vo-dscp parameters.

Release: AOS-W 3.4
Modification: The deny-bcast and disable-probe-retry parameters were introduced. The drop-mcast parameter was deprecated.

Release: AOS-W 3.4.1
Modification: License requirements changed in AOS-W 3.4.1, so the command required the PEF license instead of the Voice Services Module license required in earlier versions.

Release: AOS-W 6.1
Modification: The opmode options wpa2-aes-gcm-128 and wpa2-aes-gcm-256 were introduced. These parameters require the ACR license. The qbss-load-enable option is included.

Release: AOS-W 6.1.4.1
Modification: The advertise-ap-name parameter was added.

Release: AOS-W 6.2
Modification: The advertise-location and enforce-user-vlan parameters were added.


Command Information

Platforms: All platforms, except for the noted opmode parameters.
Licensing: Base operating system, except for the noted parameters
Command Mode: Config mode on master switches


wlan traffic-management-profile
wlan traffic-management-profile <profile-name>
   bw-alloc virtual-ap <virtual-ap> share <percent>
   clone <profile-name>
   no ...
   report-interval <minutes>
   shaping-policy default-access|fair-access|preferred-access
Description
This command configures a traffic management profile.
Syntax

Parameter: <profile-name>
Description: Name of this instance of the profile. The name must be 1-63 characters.
Range: --
Default: "default"

Parameter: bw-alloc
Description: Minimum bandwidth, as a percentage of available bandwidth, allocated to a virtual AP when there is congestion on the wireless network. A virtual AP can use all available bandwidth if no other virtual APs are active.

Parameter: virtual-ap <virtual-ap>
Description: Name of the virtual AP to which you will allocate a share of bandwidth.
Range: --
Default: --

Parameter: share <percent>
Description: Percentage of available bandwidth allocated to this virtual AP.
Range: 0-100
Default: --

Parameter: clone <profile-name>
Description: Name of an existing traffic management profile from which parameter values are copied.
Range: --
Default: --

Parameter: no
Description: Negates any configured parameter.
Range: --
Default: --

Parameter: report-interval <minutes>
Description: Number of minutes between bandwidth usage reports.
Range: 1 - 999999 minutes
Default: 5 minutes

Parameter: shaping-policy
Description: Defines the station shaping policy. This feature has the following three options:
   - default-access: Traffic shaping is disabled, and client performance is dependent on MAC contention resolution. This is the default traffic shaping setting.
   - fair-access: Each client gets the same airtime, regardless of client capability and capacity. This option is useful in environments like a training facility or exam hall, where a mix of 802.11a/g, 802.11g and 802.11n clients need equal access to network resources, regardless of their capabilities. The bw-alloc parameter of a traffic management profile allows you to set a minimum bandwidth to be allocated to a virtual AP profile when there is congestion on the wireless network. You must set traffic shaping to fair-access to use this bandwidth allocation value for an individual virtual AP.
   - preferred-access: High-throughput (802.11n) clients do not get penalized because of slower 802.11a/g or 802.11b transmissions that take more air time due to lower rates. Similarly, faster 802.11a/g clients get more access than 802.11b clients.
Range: default-access, fair-access, preferred-access
Default: default-access

Usage Guidelines
The traffic management profile allows you to allocate bandwidth to SSIDs. When you enable the band-steering feature, an AP keeps track of all BSSIDs active on a radio, all clients connected to the BSSID, and 802.11a/g, 802.11b, or 802.11n capabilities of each client. Every sampling period, airtime is allocated to each client, giving it opportunity to get and receive traffic. The specific amount of airtime given to an individual client is determined by:
- Client capabilities (802.11a/g, 802.11b or 802.11n)
- Amount of time the client spent receiving data during the last sampling period
- Number of active clients in the last sampling period
- Activity of the current client in the last sampling period
The bw-alloc parameter of a traffic management profile allows you to set a minimum bandwidth to be allocated to a virtual AP profile when there is congestion on the wireless network. You must set traffic shaping to fair-access to use this bandwidth allocation value for an individual virtual AP.
Example
The following command configures a traffic management profile that allocates bandwidth to the corpnet virtual AP:
(host) (config) #wlan traffic-management-profile best
   bw-alloc virtual-ap corpnet share 75
Command History
This command was introduced in AOS-W 3.0. The mode parameters were introduced in AOS-W 3.2.
Command Information

Platforms: All platforms
Licensing: Base operating system on master switches
Command Mode: Config mode on master switches


wlan tsm-req-profile
wlan tsm-req-profile <profile-name>
   bin0-range <bin0-range>
   clone
   dur-mandatory
   measure-duration <measure-duration>
   no
   num-repeats <num-repeats>
   random-interval <random-interval>
   request-mode {normal | triggered}
   traffic-id <traffic-id>
Description
This command configures a TSM Report Request Profile.
Syntax

Parameter: <profile-name>
Description: Name of this instance of the profile. The name must be 1-63 characters.
Range: --
Default: "default"

Parameter: bin0-range <bin0-range>
Description: This value is used to set the 'Bin 0 Range' field in the Transmit Stream/Category Measurement Request frame. Bin 0 Range indicates the delay range of the first bin (Bin 0) of the Transmit Delay Histogram, expressed in units of TUs.
Range: 0-255
Default: 6

Parameter: clone <source>
Description: Creates a copy of the Transmit Stream Measurement Request Report Request Profile. <source> is the name of an existing TSM Profile from which parameter values are copied.
Range: --
Default: --

Parameter: dur-mandatory
Description: This parameter is used to set the "Duration Mandatory" bit of the Measurement Request Mode field of the Transmit Stream/Category Measurement Request frame.
Range: --
Default: Enabled

Parameter: measure-duration <measure-duration>
Description: This parameter is used to set the Measurement Duration field in the Transmit Stream/Category Measurement Request frame. The Measurement Duration is set to the duration of the requested measurement. It is expressed in units of TUs. When the request mode for the Transmit Stream/Category Measurement Request frame is set to "triggered", the Measurement Duration field should be set to 0.
Range: 0-65535
Default: 9776

Parameter: no
Description: Negates any configured parameter.
Range: --
Default: --


Parameter: num-repeats <num-repeats>
Description: This parameter is used to set the "Number of Repetitions" field in the Transmit Stream/Category Measurement Request frame. The Number of Repetitions field contains the requested number of repetitions for all the Measurement Request elements in this frame. A value of zero in the Number of Repetitions field indicates Measurement Request elements are executed once without repetition. A value of 65535 in the Number of Repetitions field indicates Measurement Request elements are repeated until the measurement is cancelled or superseded.
Range: 0-65535
Default: 65535

Parameter: random-interval <random-interval>
Description: This parameter is used to set the Randomization Interval field in the Transmit Stream/Category Measurement Request frame. The Randomization Interval is used to specify the desired maximum random delay in the measurement start time. It is expressed in units of TUs (Time Units). When the request mode for the Transmit Stream/Category Measurement Request frame is set to "triggered", the Randomization Interval is not used and is set to 0. A Randomization Interval of 0 in a measurement request indicates that no random delay is to be used.
Range: 0-65535
Default: 0

Parameter: request-mode {normal | triggered}
Description: This parameter is used to determine the request mode for the Transmit Stream/Category Measurement Request frame. There are two options for this field:
   - normal
   - triggered
Range: --
Default: normal

Parameter: traffic-id <traffic-id>
Description: This parameter is used to set the Traffic Identifier field in the Transmit Stream/Category Measurement Request frame. The Traffic Identifier field contains the TID subfield. The TID subfield indicates the TC or TS for which traffic is to be measured.
Range: 0-255
Default: 96

Usage Guidelines
The tsm-req-profile is a part of the 802.11K profile. It is used to configure the parameters for the Transmit Stream/Category Measurement frames. It takes effect only when the 802.11K feature is enabled.
Example
(host) (config) # wlan tsm-req-profile default
(host) (TSM Report Request Profile "default") #bin0-range 1
(host) (TSM Report Request Profile "default") #dur-mandatory
(host) (TSM Report Request Profile "default") #measure-duration 25
(host) (TSM Report Request Profile "default") #num-repeats 0
(host) (TSM Report Request Profile "default") #random-interval 0
(host) (TSM Report Request Profile "default") #request-mode normal
(host) (TSM Report Request Profile "default") #traffic-id 96
Command History
This command is introduced in AOS-W 6.2.

Command Information

Platforms: All platforms
Licensing: Base operating system
Command Mode: Configuration mode on master and local switches

wlan virtual-ap
wlan virtual-ap <profile-name>
   aaa-profile <profile-name>
   allowed-band <band>...
   auth-failure-blacklist-time <seconds>
   band-steering
   blacklist
   blacklist-time <seconds>
   broadcast-filter all|arp
   clone <profile-name>
   deny-inter-user-traffic
   deny-time-range <range>
   dos-prevention
   dot11k-profile
   dynamic-mcast-optimization
   dynamic-mcast-optimization-threshold
   fdb-update-on-assoc
   forward-mode {tunnel|bridge|split-tunnel|decrypt-tunnel}
   ha-disc-onassoc
   mobile-ip
   no ...
   outer-vlan
   preserve-vlan
   rap-operation {always|backup|persistent|standard}
   ssid-profile <profile-name>
   steering-mode band-balancing|force-5ghz|prefer-5ghz
   strict-compliance
   vap-enable
   vlan <vlan>...
   vlan-mobility
   wmm-traffic-management-profile
Description
This command configures a virtual AP profile.
Syntax

<profile-name>
Name of this instance of the profile. The name must be 1-63 characters.
Range: --
Default: "default"

aaa-profile
Name of the AAA profile that applies to this virtual AP.
Range: --
Default: "default"

allowed-band
The band(s) on which to use the virtual AP:
a--802.11a band only (5 GHz)
g--802.11b/g band only (2.4 GHz)
all--both 802.11a and 802.11b/g bands (5 GHz and 2.4 GHz)
Range: a/g/all
Default: all

auth-failure-blacklist-time
Time, in seconds, a client is blocked if it fails repeated authentication. A value of 0 blocks a client indefinitely.
Range: 0-2,147,483,647 seconds
Default: 0

band-steering
ARM's band steering feature can encourage or require dual-band capable clients to stay on the 5GHz band on dual-band APs. This frees up resources on the 2.4GHz band for single band clients like VoIP phones.
Band steering reduces co-channel interference and increases available bandwidth for dual-band clients, because there are more channels on the 5GHz band than on the 2.4GHz band. Dual-band 802.11n-capable clients may see even greater bandwidth improvements, because the band steering feature will automatically select between 40MHz or 20MHz channels in 802.11n networks. This feature is disabled by default, and must be enabled in a Virtual AP profile.
The band steering feature supports three steering modes, which can be configured via the steering-mode parameter:
Band steering can be configured on both campus APs and remote APs that have a virtual AP profile set to tunnel, decrypt-tunnel, split-tunnel or bridge forwarding mode. Note, however, that if a campus or remote AP has virtual AP profiles configured in bridge or split-tunnel forwarding mode but no virtual AP in tunnel mode, those APs will gather information about 5G-capable clients independently and will not exchange this information with other APs that also have bridge or split-tunnel virtual APs only.
Range: --
Default: disabled

blacklist
Enables detection of denial of service (DoS) attacks, such as ping or SYN floods, that are not spoofed deauth attacks.
Range: --
Default: enabled

blacklist-time
Number of seconds that a client is quarantined from the network after being blacklisted.
Range: 0-2,147,483,647 seconds
Default: 3600 seconds (1 hour)

broadcast-filter
Filter out broadcast and multicast traffic in the air.
Range: --
Default: disabled

broadcast-filter all
Filter out broadcast and multicast traffic in the air.
NOTE: Do not enable this option for virtual APs configured in bridge forwarding mode. This configuration parameter is only intended for use for virtual APs in tunnel mode. In tunnel mode, all packets travel to the switch, so the switch is able to drop all broadcast traffic. When a virtual AP is configured to use bridge forwarding mode, most data traffic stays local to the AP, and the switch is not able to filter out that broadcast traffic.
IMPORTANT: If you enable this option, you must also enable the Broadcast-Filter ARP parameter in the stateful firewall configuration to prevent ARP requests from being dropped. Note also that although a virtual AP profile can be replicated from a master switch to local switches, stateful firewall settings do not. If you select the broadcast-filter all option for a Virtual AP Profile on a master switch, you must enable the broadcast-filter arp setting on each individual local switch.
Range: --
Default: enabled

broadcast-filter arp
If enabled, all broadcast ARP requests are converted to unicast and sent directly to the client. You can check the status of this option using the show ap active and the show datapath tunnel command. If enabled, the output will display the letter a in the flags column.
Do not enable this option for virtual APs configured in bridge forwarding mode. This configuration parameter is only intended for use for virtual APs in tunnel mode. In tunnel mode, all packets travel to the switch, so the switch is able to convert ARP requests directed to the broadcast address into unicast. When a virtual AP is configured to use bridge forwarding mode, most data traffic stays local to the AP, and the switch is not able to convert that broadcast traffic.
Range: --
Default: disabled

clone
Name of an existing traffic management profile from which parameter values are copied.
Range: --
Default: --

deny-inter-user-traffic
Select this checkbox to deny traffic between the clients using this virtual AP profile.
The firewall command includes an option to deny all inter-user traffic, regardless of the Virtual AP profile used by those clients.
If the global setting to deny inter-user traffic is enabled, all inter-user traffic between clients will be denied, regardless of the settings configured in the virtual AP profiles. If the setting to deny inter-user traffic is disabled globally but enabled on an individual virtual AP, only the traffic between un-trusted users and the clients on that particular virtual AP will be blocked.
Range: --
Default: disabled

deny-time-range
Specify the name of the time range for which the AP will deny access. Time ranges can be defined using the CLI command time-range.
Range: --
Default: --

dos-prevention
If enabled, APs ignore deauthentication frames from clients. This prevents a successful deauth attack from being carried out against the AP. This does not affect third-party APs.
Range: --
Default: disabled

dot11k-profile
Name of an 802.11k profile to be associated with this VAP.
Range: --
Default: default

dynamic-mcast-optimization
Enable/Disable dynamic multicast optimization. This parameter can only be enabled on a switch with a PEFNG license.
Range: --
Default: disabled

dynamic-mcast-optimization-threshold
Maximum number of high-throughput stations in a multicast group beyond which dynamic multicast optimization stops.
Range: 2-255 stations
Default: 6 stations

fdb-update-on-assoc
This parameter enables seamless failover for silent clients, allowing them to re-associate. If you select this option, the switch will generate a Layer 2 update on behalf of client to update forwarding tables in bridge devices.
Range: --
Default: disabled

forward-mode
Controls whether 802.11 frames are tunneled to the switch using generic routing encapsulation (GRE), bridged into the local Ethernet LAN (for remote APs), or a combination thereof depending on the destination (corporate traffic goes to the switch, and Internet access remains local).
Select one of the following forward modes:
- Tunnel: When an AP is in tunnel forwarding mode, the AP handles all 802.11 association requests and responses. The AP sends all 802.11 data packets, action frames and EAPOL frames over a GRE tunnel to the switch for processing. The switch removes or adds the GRE headers, decrypts or encrypts 802.11 frames and applies firewall rules to the user traffic as usual.
- Bridge: When an AP is in bridge mode, data is bridged onto the local Ethernet LAN. When in bridge mode, the AP handles all 802.11 association requests and responses, encryption/decryption processes, and firewall enforcement. 802.11e and 802.11k action frames are also processed by the AP, which then sends out responses as needed. An AP in bridge mode supports only the 802.1x authentication type.
- Split-Tunnel: Data frames are either tunneled or bridged, depending on the destination (corporate traffic goes to the switch, and Internet access remains local). The AP handles all 802.11 association requests and responses, encryption/decryption, and firewall enforcement. 802.11e and 802.11k action frames are also processed by the AP, which then sends out responses as needed. An AP in split-tunnel mode supports only the 802.1x authentication type.
- Decrypt-Tunnel: An AP in decrypt-tunnel forwarding mode decrypts and decapsulates all 802.11 frames from a station and sends the 802.3 frames through the GRE tunnel to the switch, which then applies firewall policies to the user traffic. This mode allows a network to utilize the encryption/decryption capacity of the AP while reducing the demand for processing resources on the switch. APs in decrypt-tunnel forwarding mode also manage all 802.11 association requests and responses, and process all 802.11e and 802.11k action frames.
NOTE: Virtual APs in bridge or split-tunnel mode using static WEP should use key slots 2-4 on the switch. Key slot 1 should only be used with Virtual APs in tunnel mode.
Range: tunnel, bridge, split-tunnel, decrypt-tunnel
Default: tunnel

ha-disc-onassoc
If enabled, home agent discovery is triggered on client association instead of home agent discovery based on traffic from client. Mobility on association can speed up roaming and improve connectivity for clients that do not send many uplink packets to trigger mobility (VoIP clients). Best practice is to leave this parameter disabled, as it increases IP mobility control traffic between switches in the same mobility domain. Enable this parameter only when voice issues are observed in VoIP clients.
NOTE: The ha-disc-onassoc parameter works only when IP mobility is enabled and configured on the switch.
Range: --
Default: disabled

mobile-ip
Enables or disables IP mobility for this virtual AP.
Range: --
Default: enabled

multi-association
Enables or disables multi-association for this virtual AP. When enabled, this feature allows a station to be associated to multiple APs. If this feature is disabled, when a station moves to a new AP it will be de-authorized by the AP to which it was previously connected, deleting station context and flushing key caching information.
Range: --
Default: disabled

no
Negates any configured parameter.
Range: --
Default: --

preserve-vlan
This parameter allows clients to retain their previous VLAN assignment if the client disassociates from an AP and then immediately re-associates either with the same AP or another AP on the same switch.

rap-operation
Configures when the virtual AP operates on a remote AP:
always--Permanently enables the virtual AP.
backup--Enables the virtual AP if the remote AP cannot connect to the switch.
persistent--Permanently enables the virtual AP after the remote AP initially connects to the switch.
standard--Enables the virtual AP when the remote AP connects to the switch.
Use always and backup for bridge SSIDs. Use persistent and standard for 802.1x, tunneled, and split-tunneled SSIDs.
Range: always/backup/persistent/standard
Default: standard

ssid-profile
Name of the SSID profile that applies to this virtual AP.
Range: --
Default: "default"

steering-mode
Band steering supports three different band steering modes.
- Force-5GHz: When the AP is configured in force-5GHz band steering mode, the AP will try to force 5Ghz-capable APs to use that radio band.
- Prefer-5GHz (Default): If you configure the AP to use prefer-5GHz band steering mode, the AP will try to steer the client to 5G band (if the client is 5G capable) but will let the client connect on the 2.4G band if the client persists in 2.4G association attempts.
- Balance-bands: In this band steering mode, the AP tries to balance the clients across the two radios in order to best utilize the available 2.4G bandwidth. This feature takes into account the fact that the 5Ghz band has more channels than the 2.4 Ghz band, and that the 5Ghz channels operate in 40MHz while the 2.5Ghz band operates in 20MHz.
NOTE: Steering modes do not take effect until the band steering feature has been enabled. The band steering feature in AOS-W versions 3.3.2-5.0 does not support multiple band-steering modes. The band-steering feature in these versions of AOS-W functions the same way as the default prefer-5GHz steering mode available in AOS-W 6.0 and later.
Range: Force-5GHz, prefer-5ghz, balance-bands
Default: prefer-5ghz

strict-compliance
If enabled, the AP denies client association requests if the AP and client station have no common rates defined. Some legacy client stations which are not fully 802.11-compliant may not include their configured rates in their association requests. Such non-compliant stations may have difficulty associating with APs unless strict compliance is disabled.
Range: --
Default: disabled

vap-enable
Enable or disable the virtual AP.
Range: --
Default: enabled

vlan
The VLAN(s) into which users are placed in order to obtain an IP address. Enter VLANs as a comma-separated list of existing VLAN IDs or VLAN names. A mixture of names and numeric IDs is not allowed.
Default: 1

vlan-mobility
Enable or disable VLAN (Layer-2) mobility.
Range: --
Default: disabled

wmm-traffic-management-profile
Specify the WMM Traffic Management Profile to be associated with this Virtual AP Profile.
Range: --
Default: --

Usage Guidelines
Wireless LAN profiles configure WLANs in the form of virtual AP profiles. A virtual AP profile contains an SSID profile which defines the WLAN and an AAA profile which defines the authentication for the WLAN. You can configure and apply multiple instances of virtual AP profiles to an AP group or to an individual AP.
A named VLAN can be deleted even though it is configured in a virtual AP profile. If this occurs, the virtual AP profile becomes invalid. If the named VLAN is added back later, the virtual AP becomes valid again.
Beginning with AOS-W 6.1.3.2, the broadcast-filter arp parameter is enabled by default. Behaviors associated with these settings are enabled upon upgrade to AOS-W 6.1.3.2. If your switch supports clients behind a wireless bridge or virtual clients on VMware devices, you must disable the broadcast-filter arp setting to allow those clients to obtain an IP address. In previous releases of AOS-W, the virtual AP profile included two unique broadcast filter parameters: the broadcast-filter all parameter, which filtered out all broadcast and multicast traffic in the air except DHCP response frames (these were converted to unicast frames and sent to the corresponding client), and the broadcast-filter arp parameter, which converted broadcast ARP requests to unicast messages sent directly to the client.
Starting with AOS-W 6.1.3.2, the broadcast-filter arp setting includes the additional functionality of the broadcast-filter all parameter, where DHCP response frames are sent as unicast to the corresponding client. This can impact DHCP discover/request packets for clients behind a wireless bridge and virtual clients on VMware devices. Disable the broadcast-filter arp setting using the wlan virtual-ap <profile> no broadcast-filter arp command to resolve this issue and allow clients behind a wireless bridge or VMware devices to receive an IP address.

Example
The following command configures a virtual AP:
wlan virtual-ap corpnet
   vlan 1
   aaa-profile corpnet
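Several constraints in the parameter table (no broadcast-filter on bridge-mode virtual APs, the rap-operation guidance per forwarding mode, no mixing of VLAN names and IDs, the numeric ranges) can be checked mechanically against a saved configuration. The following audit script is an added example, not part of the AOS-W guide; the stanza layout it parses (indented parameter lines under a wlan virtual-ap header, closed by "!") and the sample configuration are assumptions constructed for illustration, and only explicitly configured lines are checked.

```python
import re

# Numeric ranges copied from the wlan virtual-ap parameter table.
RANGES = {
    "auth-failure-blacklist-time": (0, 2147483647),
    "blacklist-time": (0, 2147483647),
    "dynamic-mcast-optimization-threshold": (2, 255),
}
DEFAULT_FORWARD_MODE = "tunnel"  # documented default for forward-mode

# Constructed sample; the stanza layout is an assumption, not switch output.
SAMPLE_CONFIG = """\
wlan virtual-ap "corpnet"
   aaa-profile "corpnet"
   vlan 1
!
wlan virtual-ap "branch-bridge"
   forward-mode bridge
   broadcast-filter all
   broadcast-filter arp
   rap-operation standard
   vlan 10,guest
   blacklist-time 3600
!
wlan virtual-ap "voice"
   forward-mode split-tunnel
   rap-operation backup
   no broadcast-filter arp
   dynamic-mcast-optimization-threshold 1
!
"""


def parse_virtual_aps(config_text):
    """Return {profile: [(keyword, args, negated), ...]} per virtual-ap stanza."""
    profiles, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = re.match(r'^wlan virtual-ap\s+"?([^"]+?)"?$', line)
        if header:
            current = profiles.setdefault(header.group(1), [])
        elif line == "!" or not raw[0].isspace():
            current = None  # end of stanza or an unrelated top-level command
        elif current is not None:
            words = line.split()
            negated = words[0] == "no"
            if negated:
                words = words[1:]
            if words:
                current.append((words[0], words[1:], negated))
    return profiles


def effective(settings):
    """Collapse a stanza to {keyword: args}; later lines win, 'no' removes."""
    cfg = {}
    for key, args, negated in settings:
        if key == "broadcast-filter":  # 'all' and 'arp' are set on separate lines
            filters = cfg.setdefault(key, set())
            (filters.difference_update if negated else filters.update)(args)
        elif negated:
            cfg.pop(key, None)
        else:
            cfg[key] = args
    return cfg


def audit(config_text):
    """Return sorted (profile, finding) pairs for explicitly configured lines."""
    findings = []
    for name, settings in parse_virtual_aps(config_text).items():
        cfg = effective(settings)
        mode = (cfg.get("forward-mode") or [DEFAULT_FORWARD_MODE])[0]
        rap = (cfg.get("rap-operation") or [None])[0]
        if not 1 <= len(name) <= 63:
            findings.append((name, "profile name must be 1-63 characters"))
        if mode == "bridge":
            for flt in sorted(cfg.get("broadcast-filter", ())):
                findings.append((name, f"broadcast-filter {flt} enabled in bridge forwarding mode"))
            if rap in ("persistent", "standard"):
                findings.append((name, f"rap-operation {rap} on a bridge SSID; guide says always or backup"))
        elif mode in ("tunnel", "split-tunnel") and rap in ("always", "backup"):
            findings.append((name, f"rap-operation {rap} on a {mode} SSID; guide says persistent or standard"))
        vlans = [v for arg in cfg.get("vlan", []) for v in arg.split(",") if v]
        if any(v.isdigit() for v in vlans) and not all(v.isdigit() for v in vlans):
            findings.append((name, "vlan list mixes names and numeric IDs"))
        for key, (low, high) in RANGES.items():
            value = (cfg.get(key) or [None])[0]
            if value is not None and (not value.isdigit() or not low <= int(value) <= high):
                findings.append((name, f"{key} {value} is outside {low}-{high}"))
    return sorted(findings)


if __name__ == "__main__":
    for profile, finding in audit(SAMPLE_CONFIG):
        print(f"{profile}: {finding}")
```

Because broadcast-filter arp is described as enabled by default from AOS-W 6.1.3.2, a bridge-mode profile with no explicit line may still need a manual check.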
Command History

AOS-W 3.0
Command introduced

AOS-W 3.2
Support for the split tunneling option and the rap-operation parameter was introduced.

AOS-W 3.3
In support of the IEEE 802.11n standard, a change to the allowed-band parameter was introduced.

AOS-W 3.3.2
- Support for the ha-disc-onassoc parameter was introduced.
- The band-steering parameter was introduced but is not a released feature in AOS-W 3.3.2. Do not use band-steering without proper guidance from Alcatel-Lucent technical support.
- Support for the voip-proxy-arp parameter was introduced.

AOS-W 3.4
The voip-proxy-arp parameter was renamed to broadcast-filter-arp and it does not require a Voice license. The fast-roaming parameter was renamed to multi-association.

AOS-W 5.0
The decrypt-tunnel forwarding mode was introduced.

AOS-W 6.0
The steering-mode balance-bands|force-5ghz|prefer-5ghz parameters were introduced.

AOS-W 6.1
- The deny inter user traffic and Disable conversion multicast RA packets to unicast parameters were introduced.
- The multi-association parameter was deprecated.
- The Multicast Optimization for Video and Multicast Optimization Threshold parameters were renamed to Dynamic Multicast Optimization (DMO) and Dynamic Multicast Optimization (DMO) Threshold.

AOS-W 6.2
The outer-vlan and fdb-update-on-assoc parameters were introduced.

Command Information

Platforms: All platforms
Licensing: Base operating system
Command Mode: Config mode on master switches

wlan voip-cac-profile
wlan voip-cac-profile <profile-name>
   bandwidth-cac
   bandwidth-capacity <bandwidth-capacity>
   call-admission-control
   call-capacity
   call-handoff-reservation <percent>
   clone <profile-name>
   disconnect-extra-call
   no ...
   send-sip-100-trying
   send-sip-status-code client|server <code>
   wmm_tspec_enforcement
   wmm_tspec_enforcement_period <seconds>
Description
This command configures a Voice over IP (VoIP) call admission control (CAC) profile.
Syntax

<profile-name>
Name of this instance of the profile. The name must be 1-63 characters.
Range: --
Default: "default"

bandwidth-cac
Select the desired call admission control (CAC) mechanism:
- Disable - CAC is based on Call Counts
- Enable - CAC should be based on Bandwidth.
Range: --
Default: disabled

bandwidth-capacity
Define the maximum bandwidth that can be handled by one radio, in kbps. The default value is 2000 kbps (2 Mbps)
Range: --
Default: --

<bandwidth-capacity>
Maximum bandwidth that can be handled by one radio, in kbps. The default value is 2000 kbps (2 Mbps)
Range: 1-600000
Default: 2000

call-admission-control
Enables or disables WiFi VoIP Call Admission Control features.
Range: --
Default: disabled

call-capacity
Number of simultaneous calls that can be handled by one radio.
Range: 2-8000
Default: 10

call-handoff-reservation
Percentage of call capacity reserved for mobile VoIP clients on call.
Range: 0-100
Default: 20%

clone
Name of an existing VoIP CAC profile from which parameter values are copied.
Range: --
Default: --

disconnect-extra-call
Disconnects calls that exceed the high capacity threshold by sending a deauthentication frame.
Range: --
Default: disabled

no
Negates any configured parameter.
Range: --
Default: --

send-sip-100-trying
Enables sending of SIP 100 - trying messages to a call originator to indicate that the call is proceeding. This is useful when the SIP invite may be redirected through a number of servers before reaching the switch.
Range: --
Default: enabled

send-sip-status-code client|server <code>
Use this parameter with the client or server options to drop a SIP Invite and send status code back to the client or server. You must also include one of the following codes:
- 480: Temporary Unavailable
- 486: Busy Here
- 503: Service Unavailable
- none: Don't send SIP status code
Range: --
Default: 486

wmm_tspec_enforcement
Enables validation of TSPEC requests for CAC.
Range: --
Default: disabled

wmm_tspec_enforcement_period
Maximum time for the station to start the call after the TSPEC request.
Range: 1-100
Default: 1 second

Usage Guidelines
The VoIP CAC profile prevents any single AP from becoming congested with voice calls.
Example
The following command enables VoIP CAC:
(host) (config) #wlan voip-cac-profile cac1
   call-admission-control
   disconnect-extra-call
Command History

AOS-W 3.0
Command introduced

AOS-W 3.4
The following parameters were deprecated:
- active-load-balancing
- high-threshold-capacity
- noe-call-capacity
- sccp-call-capacity
- svp-call-capacity
- vocera-call-capacity
The following parameters were introduced:
- bandwidth-cac
- bandwidth-capacity
- call-capacity

AOS-W 3.4.1
License requirements changed in AOS-W 3.4.1, so the command required the PEF license instead of the Voice Services Module license required in earlier versions.

AOS-W 5.0
The supported range for the call-capacity parameter changed from 0-8000 to 2-8000.

Command Information

Platforms: All platforms
Licensing: PEFNG license
Command Mode: Config mode on master switches

wms-local system
wms-local system [max-rbtree-entries <number> | max-system-wm <number> | max-threshold <number> | system-wm-update-interval <number>]
Description
This command sets the local configuration parameters to control the size of the Wired MAC table and APs and Stations.
Syntax

Parameter

Description

max-rbtree-entries

Set the max threshold for the total number of AP and Station RBTree entries.

max-system-wm

Set the max number of system wired MAC table entries learned at the switch. Range: 1-2000 Default: 1000

max-threshold

Set the max threshold for the total number of APs and Stations.

system-wm-update-interval

Set the interval, in minutes, for repopulating the system wired MAC table at the switch. Range: 1 to 30 minutes Default: 8 minutes

Usage Guidelines
The wms-local system command is used for configuring commands that are local, not global. This means in a master-local system, the configuration parameter is modifiable at each individual switch, and the setting on one switch does not affect the setting on other switches. Increasing the max threshold limit will cause an increase in usage in the memory by WMS. In general, each entry will consume about 500 bytes of memory. If the setting is bumped up by 2000, then it will cause an increase in WMS memory usage by 1MB.
Example
The following commands first set the interval time for repopulating the MAC table to 10 minutes and then set the maximum number of APs and stations to 500.
(host) (config) #wms-local system system-wm-update-interval 10
(host) (config)# wms-local system max-threshold 500
Command History

AOS-W 3.
Introduced

AOS-W 6.1
Local configuration parameters to control the size of the Wired MAC table: max-system-wm and system-wm-update-interval

Command Information

Platforms: All platforms
Licensing: Base operating system
Command Mode: Config mode on master switches

wms ap
wms ap <bssid> mode {interfering|manually-contained|neighbor|rogue|suspected-rogue|valid}
Description
This command allows you to classify an AP into one of several categories.
Syntax

<bssid>
BSSID of the AP.

mode
Classify the AP into one of the following categories.

interfering
An AP that is seen in the RF environment but is not connected to the wired network.

manually-contained
Manually enable denial of service from this AP.

neighbor
A neighboring AP whose BSSID is known.

suspected-rogue
A suspected rogue AP that is plugged into the wired side of the network but may not be an unauthorized device. Automatic shutdown of rogue APs does not apply to these devices.

rogue
A rogue AP that is unauthorized and is plugged into the wired side of the network. You can configure automatic shutdown of rogue APs in the IDS unauthorized device detection profile.

valid
An AP that is part of the enterprise providing WLAN service.

Usage Guidelines
If AP learning is enabled (with the wms general learn-ap enable command), non-Alcatel-Lucent APs connected on the same wired network as Alcatel-Lucent APs are classified as valid APs. If AP learning is disabled, a non-Alcatel-Lucent AP is classified as an unsecure or suspect-unsecure AP.
Example
The following command classifies an interfering AP as a known-interfering AP:
(host) #wms ap 01:00:00:00:00:00 mode known-interfering
Command History

AOS-W 3.0
Introduced

AOS-W 6.0
Renamed the modes and deprecated the DoS mode.

AOS-W 6.1
The suspected-rogue parameter was introduced.

Command Information

Platforms: All platforms
Licensing: Base operating system
Command Mode: Enable mode on master switches

wms clean-db
wms clean-db
Description
This command deletes the WMS database.
Syntax

clean-db
Cleans the WMS database.

Usage Guidelines
This command deletes all entries from the WMS database. Do not use this command unless instructed to do so by an Alcatel-Lucent representative.
Example
The following command cleans the WMS database:
(host) #wms clean-db
WMS Database will be deleted. Do you want to proceed with this action [y/n]:
Command History
This command was introduced in AOS-W 3.0.
Command Information

Platforms: All platforms
Licensing: Base operating system
Command Mode: Enable mode on master switches

wms client
wms client <macaddr> mode {manually-contain|interfering|valid}
Description
This command allows you to classify a wireless client into one of several categories.
Syntax

client
MAC address of the client.

mode
Classify the client into one of the following categories:

manually-contain
Manually enable denial of service to this client.

interfering
Setting the client mode to interfering makes it part of clients outside the enterprise.

valid
A client that is part of the enterprise.

Usage Guidelines
AOS-W can automatically determine client classification based on client behavior, but this command allows you to explicitly classify a client. The classification of a client is used in certain policy enforcement features. For example, if protect-valid-sta is enabled in the IDS Unauthorized Device Profile, then clients that are classified as valid cannot connect to non-valid APs.
Example
The following command classifies a client as valid:
(host) #wms client 00:00:A4:34:C9:B3 mode valid
Command History

AOS-W 3.0
Command introduced

AOS-W 6.1
The following parameters were deprecated:
- dos
- neighbor
The following parameters were introduced:
- manually-contain
- interfering

Command Information

Platforms: All platforms
Licensing: Base operating system
Command Mode: Enable mode on master switches

wms export-class
wms export-class <filename>
Description
This command exports classification information into a file.
Syntax

<filename>
Name of the file into which you want to export classification information.

Usage Guidelines
This command writes classification data into comma separated values (CSV) files--one for APs and one for clients. You can import these files into the Alcatel-Lucent Mobility Manager system.
Example
The following command exports classification data into an AP and a client file:
(host) #wms export-class class
Exported data to class_ap.csv and class_sta.csv
Command History
This command was introduced in AOS-W 3.0.
Command Information

Platforms: All platforms
Licensing: Base operating system
Command Mode: Enable mode on master switches

wms export-db
wms export-db <filename>
Description
This command exports the WMS database to a specified file.
Syntax

<filename>
Name of the file into which you want to export the database. The filename plus any extensions must be no longer than 32 characters and may contain only keyboard characters.

Usage Guidelines
The file is exported as an ASCII text file. If you have configured the switch for operation with Alcatel-Lucent OV-MM-SW, this command will fail and an error will be returned.
Example
The following command exports the WMS database to a file:
(host) #wms export-db database
Exported WMS DB to database
Command History
This command was introduced in AOS-W 3.0.
Command Information

Platforms: All platforms
Licensing: Base operating system
Command Mode: Enable mode on master switches

wms import-db
wms import-db <filename>
Description
This command imports the specified file into the WMS database.
Syntax

<filename>
Name of the file that you want to import into the database. The filename plus any extensions must be no longer than 32 characters and may contain only keyboard characters.

Usage Guidelines
The imported file replaces the WMS database. The imported file must be a valid WMS database file that you previously exported using the wms export-db command.
Example
The following command imports the WMS database from a file:
(host) #wms import-db database
Command History
This command was introduced in AOS-W 3.0.
Command Information

Platforms: All platforms
Licensing: Base operating system
Command Mode: Enable mode on master switches

wms reinit-db
wms reinit-db
Description
This command reinitializes the WMS database to its factory defaults.
Syntax
No parameters.
Usage Guidelines
When you use this command, there is no automatic backup of the current database. If an OV-MM-SW server is configured on the switch (See mobility-manager on page 451), this command will fail and return an error.
Example
The following command reinitializes the WMS database:
(host) #wms reinit-db
WMS Database will be re-initialized. Do you want to proceed with this action [y/n ]:
Command History
This command was introduced in AOS-W 3.0.
Command Information

Platforms: All platforms
Licensing: Base operating system
Command Mode: Enable mode on master switches

write
write {erase [all] | memory | terminal}
Description
This command saves the running configuration to memory or displays the running configuration on the screen. This command can also be used to erase the running configuration and return the switch to factory defaults.
Syntax

erase
Erases the running system configuration file. Rebooting the switch resets it to the factory default configuration. If you specify all, the configuration and all data in the switch databases (including the license, WMS, and internal databases) are erased.

memory
Saves the current system configuration to memory. Any configuration changes made during this session will be made permanent.

terminal
Displays the current system configuration.

Usage Guidelines
Configuration changes made using the CLI affect only the current session. You must save your changes for them to be retained across system reboots. Changes are lost if the system reboots before saving the changes. To save your configuration changes, use the write memory command.
If you use the write erase command, the license key management database on the switch is not affected. If you use the write erase all command, all databases on the switch are deleted, including the license key management database. If you reset the switch to the factory default configuration, perform the Initial Setup as described in the AOS-W 6.2 Quick Start Guide.
If you use the write terminal command, all of the commands used to configure the switch appear on the terminal. If paging is enabled, there is a pause mechanism that stops the output from printing continuously to the terminal. To navigate through the output, use any of the commands displayed at the bottom of the output, as described in the table below. If paging is disabled, the output prints continuously to the terminal. For more information about the paging command, see paging on page 473.

Key         Description
Q           Exit the display.
U           Page up through the output.
spacebar    Page down through the output.
/           Enter a text string to search for.
N           Repeat the text string to search for.

Example
The following command saves your changes so they are retained after a reboot:
(host) #write memory
The following command deletes the running configuration and databases and returns the switch to the factory default settings:
(host) #write erase
Command History
This command was introduced in AOS-W 1.0.
Command Information

Platforms        Licensing                Command Mode
All platforms    Base operating system    Enable and Config modes


Appendix A: Command Modes

The AOS-W command-line interface offers different levels of user access by differentiating between different command modes. When you first log in to the CLI, you start your session in User mode, which provides only limited access for basic operational testing. You must enter an additional password to access Enable mode, which allows you to issue show commands and run certain management functions. Configuration commands can only be issued in Config mode. You can access Config mode by entering configure terminal at the command prompt. You can exit your current command mode and return to a lower-level command mode at any time by entering exit at the command prompt. The following sections describe how to access each command mode, the command prompt for each mode, and links to its available commands.
User mode
You always begin a CLI session in user mode, the command mode with the lowest level of user access. The command prompt for a user mode session is a greater-than (>) symbol:
(host) >
The following commands are available in user mode.
- enable
- exit
- help
- logout
- ping
- traceroute

Enable Mode

To move from user mode to enable mode, you must enter the command enable, press Enter, then enter the config mode password that was defined during the switch's initial setup process. (The default password is enable.) Users in enable mode may return to user mode at any time by entering the command exit.

The command prompt for a CLI session in enable mode is a pound (#) symbol:
(host) #

To view a list of commands available in enable mode, access the CLI in enable mode and enter a question mark (?):
(host) #?

Some top-level commands have different sets of subcommands available in Enable or Config mode. To view a list of available subcommands in Enable mode, access the CLI in Enable mode, enter the top-level command, then enter a question mark (?). For example, the following output shows which aaa commands are available in Enable mode:

(host) #aaa ?
authentication    Authentication
inservice         Bring authentication server into service
ipv6              Internet Protocol Version 6
query-user        Query User
test-server       Test authentication server
user              User commands

Config Mode

To move from enable mode to config mode, enter the command config terminal. Users in config mode may return to enable mode at any time by entering the command exit.

When you are in config mode, (config) appears before the # prompt:

(host) (config) #

Some top-level commands have different sets of subcommands available in Enable or Config mode. To view a list of available subcommands in Config mode, access the CLI in Config mode, enter the top-level command, then enter a question mark (?). For example, the following output shows which aaa commands are available in Config mode:

(host) (config) #aaa ?
alias-group              Configure an Alias Group
authentication           Authentication
authentication-server    Authentication Servers
bandwidth-contract       Configure bandwidth contract (256 Kbps - 2 Gbps)
derivation-rules         Configure rules to derive user role or vlan
dns-query-interval       Set DNS query interval
password-policy          Password policy for locally configured management users
profile                  Configure an AAA Profile
radius-attributes        Configure RADIUS attribute
server-group             Configure a Server Group
tacacs-accounting        Configure accounting
timers                   Configure authentication timers
user                     User commands

Configuration Sub-modes
Some Config mode commands place you in a sub-mode with a limited number of available commands specific to that mode. When you are in a configuration sub-mode, the (config) that appears before the command prompt changes to indicate your current mode, e.g., (config-if) for config-interface mode and (config-tunnel) for config-tunnel mode.
You can exit a sub-command mode and return to the basic configuration mode at any time by entering the exit command.
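The prompt formats described in this appendix, together with the erase commands documented in the write and wms reinit-db entries, are enough to audit a captured CLI session for privilege level, destructive commands, and changes never saved with write memory. The following Python sketch is an added example, not part of this guide or of AOS-W; the function names are hypothetical, the session transcript is constructed, and interface tunnel 1 and description are assumed commands used only as sample input.

```python
import re

# Prompt shapes from this guide: "(host) >", "(host) #", "(host) (config) #", "(host) (config-if) #".
PROMPT = re.compile(r"^\([^)]+\) (?:\((config(?:-[\w-]+)?)\) )?([>#])\s*(.*)$")

# Commands this guide documents as erasing configuration or databases.
DESTRUCTIVE = ("write erase all", "write erase", "wms reinit-db")

def classify(line):
    """Return (mode, command) for a prompt line, None for device output."""
    m = PROMPT.match(line)
    if m is None:
        return None
    ctx, sym, cmd = m.groups()
    if sym == ">":
        mode = "user" if ctx is None else None   # ">" never follows (config)
    elif ctx in (None, "config"):
        mode = ctx or "enable"
    else:
        mode = "sub-mode:" + ctx[len("config-"):]
    return (mode, " ".join(cmd.lower().split())) if mode else None

def audit(transcript):
    """Report modes reached, destructive commands, and unsaved changes."""
    modes, destructive, unsaved = {}, [], False
    for n, line in enumerate(transcript.splitlines(), 1):
        parsed = classify(line)
        if parsed is None or not parsed[1]:
            continue
        mode, cmd = parsed
        modes.setdefault(mode, n)                # remember first line per mode
        if cmd in DESTRUCTIVE:
            destructive.append((n, mode, cmd))
        elif cmd == "write memory":
            unsaved = False
        elif mode not in ("user", "enable") and cmd != "exit" \
                and not cmd.startswith("write ") and not cmd.endswith("?"):
            unsaved = True   # heuristic: other config-mode commands are changes
    return {"modes": list(modes), "destructive": destructive, "unsaved": unsaved}

# Constructed session; "interface tunnel 1" and "description" are assumed inputs.
SAMPLE = """(host) >enable
Password:******
(host) #configure terminal
(host) (config) #interface tunnel 1
(host) (config-tunnel) #description constructed-example
(host) (config-tunnel) #exit
(host) (config) #exit
(host) #write erase all"""
```

Calling audit(SAMPLE) reports the four modes the session passed through, the write erase all on line 8, and that the tunnel change was never saved.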
