Nortel Networks 2300 manual Index, Numerics

Page 633

633

Index

Numerics

802.11a

76, 256, 258

 

802.11b

76, 256, 258

 

802.11g

76, 256, 258

 

802.11i. See RSN

 

802.1Q tagging

91

 

802.1X

 

 

 

 

authentication 417

 

authentication port control 491

authorization

469

 

client reauthentication

496

clients

503

 

 

configuration display

504

information

502

 

key transmission 492

 

order of processing 467

protocol

415

 

quiet period

500

 

settings

 

489

 

 

statistics

505

 

timeout

 

501

 

 

A

AAA(authentication, authorization, and accounting)

administrative access, configuring 51, 54 configuration scenarios for administrators 66 configuration, displaying 464

network users 401 order of processing 467 servers, traffic ports for 605

AAAmethods 63, 412 access

administrative, configuring 54 to console 56

access control entries (ACEs) 353 access control lists. See security ACLs access controls, in a Mobility Domain 605 access levels, command line 50

Access Point (AP) fingerprint 261

Access Point (AP) signatures 549 Access Point. See AP (Access Point) access points

rogues 538

See also AP (Access Point) Access Points (APs)

Wi-Fi Multimedia (WMM) 305 accounting 410

order of processing 467 supported RADIUS attributes 599 users 460

accounting records 460 administrators 63 local users 462 roaming users 463 start-stop 460 stop-only 460 updating 460

Acct-Authentic attribute 602 Acct-Delay-Time attribute 601 Acct-Input-Gigawords attribute 603 Acct-Input-Octets attribute 602 Acct-Input-Packets attribute 602 Acct-Multi-Session-Id attribute 602 Acct-Output-Gigawords attribute 603 Acct-Output-Octets attribute 602 Acct-Output-Packets attribute 602 Acct-Session-Id attribute 602 Acct-Session-Time attribute 602 Acct-Status-Type attribute 601

Nortel WLAN Security Switch 2300 Series Configuration Guide

Page 632 Page 634
Image 633
Page 632 Page 634
Contents Nortel Wlan Security Switch 2300 Series Configuration Guide Trademarks Copyright Nortel Networks Limited 2005. All rights reservedRestricted rights legend Statement of conditionsNortel Inc. software license agreement USA requirements onlyLegal Information Limited Product WarrantyLimited Warranty Software License Agreement Nortel Wlan Security Switch 2300 Series Configuration Guide SSH Source Code Statement OpenSSL Project License Statements Class a Statement RF Radiation Hazard Warning Deployment Statement 320657-A Contents Configuring and Managing Ports and VLANs Configuring and Managing IP Interfaces and Services Configuring Snmp Configuring and Managing Mobility Domain Roaming Configuring AP access points Wi-Fi Multimedia Configuring and Managing Igmp Snooping Managing Keys and Certificates Configuring AAA for Network Users Configuring Communication with Radius Managing 802.1X on the WSS Switch Managing System Files Troubleshooting a WS Switch Supported Radius Attributes Contents 320657-A How to get Help Getting Help over the phone from a Nortel Solutions CenterGetting Help from the Nortel Web site Getting Help through a Nortel distributor or reseller Nortel Wlan 2300 System Introducing the Nortel Wlan 2300 SystemDocumentation Planning, Configuration, and DeploymentSafety and Advisory Notices Menu Name Command Text and Syntax ConventionsBold text CLI Conventions Using the Command-Line InterfaceNT-mm-nnnnnn Command PromptsSyntax Notation Set port enable disable port-listClear interface vlan-idip Clear fdb dynamic port port-list vlan vlan-idText Entry Conventions and Allowed Characters MAC Address NotationIP Address and Mask Notation User Wildcards User Wildcards, MAC Address Wildcards, and Vlan WildcardsMAC Address Wildcards 0001Vlan Wildcards Matching Order for Wildcards000102 00010203 0001020304 23x0# reset port 23x0# set port enablePort Lists 23x0# show port poe 1,2,4,13Virtual LAN Identification Command-Line Editing Keyboard Shortcuts Function Keyboard ShortcutsHistory Buffer Tabs Single-Asterisk * Wildcard Character Double-Asterisk ** Wildcard Characters Using CLI Help 23x0# help Commands23x0# show i? Server Status Port Enabled Understanding Command Descriptions23x0# show ip telnet Set ap dap nameOverview of AAA for Administrative and Local Access Configuring AAA for Administrative and Local AccessConfiguring AAA for Administrative and Local Access Typical Nortel Wlan 2300 System Before You StartAbout Administrative Access Access Modes Types of Administrative Access First-Time Configuration using the ConsolePassword Enabling an Administrator23x0 enable UsernameSetting the WSS Enable Password for the First Time Setting the WSS Switch Enable PasswordWMS Enable Password 23x0# set enablepassConfiguring AAA for Administrative and Local Access 23x0# set authentication console * local Authenticating at the ConsoleCustomizing AAA with Wildcards and Groups Setting User Passwords Adding and Clearing Local Users for Administrative Access Configuring Accounting for Administrative UsersSet user username password password Success User Jose created23x0# show accounting statistics Saving the Configuration Displaying the AAA Configuration23x0# save config configday 23x0# show aaaAdministrative AAA Configuration Scenarios Local Authentication 23x0# set server group sg1 members r1 Success change acceptedLocal Override and Backup Local Authentication Authentication When Radius Servers Do Not Respond Configuring and Managing Ports Configuring and Managing Ports and VLANsVlan Setting the Port TypeShow version WSS 2380 40 AP Software License UpgradeSetting a Port for a Directly Connected AP access port 23x0# set port type ap 4-6 model 2330 poe enable Setting a Port for a Wired Authentication User Configuring for a Distributed AP23x0# set port type wired-auth Clearing a PortClear port type port-list Clearing a Distributed AP 23x0# clear port typeClear dap dap-num Configuring a Port Name Setting a Port NameRemoving a Port Name Clear port preference port-list Set port preference port-listrj45Show port preference port-list RJ45Configuring Port Operating Parameters 10/100 Ports-Autonegotiation and Port SpeedGigabit Ports-Autonegotiation and Flow Control Disabling or Reenabling a Port Disabling or Reenabling Power over EthernetResetting a Port Set port poe port-listenable disableReset port port-list Displaying Port Information Displaying Port Configuration and StatusDisplaying PoE State Show port status port-listDisplaying Port Statistics Clearing Statistics CountersMonitoring Port Statistics 23x0# monitor port counters Configuring a Port Group Configuring Load-Sharing Port GroupsLoad Sharing Link RedundancyRemoving a Port Group Configuring and Managing VLANsDisplaying Port Group Information Interoperating with Cisco Systems EtherChannelUnderstanding VLANs in Nortel WSS Software VLANs, IP Subnets, and IP AddressingUsers and VLANs Vlan Names Roaming and VLANsTraffic Forwarding Tunnel Affinity 802.1Q TaggingCreating a Vlan Configuring a VlanAdding Ports to a Vlan Set vlan vlan-numname name23x0# set vlan red port 9-11,21 Removing an Entire Vlan or a Vlan Port23x0# clear vlan red port 23x0# clear vlan marigold port 13 tag23x0# clear vlan ecru Set vlan vlan-idtunnel-affinity num Changing Tunneling Affinity23x0# show vlan config burgundy Show vlan config vlan-idManaging the Layer 2 Forwarding Database Displaying Vlan InformationTypes of Forwarding Database Entries How Entries Enter the Forwarding Database Displaying the Size of the Forwarding Database Displaying Forwarding Database InformationDisplaying Forwarding Database Entries Show fdb count perm static dynamic vlan vlan-id23x0# set fdb static 002b3c4d5e6f port 1 vlan default Adding an Entry to the Forwarding Database23x0# set fdb perm 00bbccddeeff port 3,5 vlan blue Removing Entries from the Forwarding Database 23x0# clear fdb dynamic23x0# clear fdb port 3,5 Configuring the Aging Timeout Period Port and Vlan Configuration ScenarioDisplaying the Aging Timeout Period Changing the Aging Timeout Period23x0# set port 7 name confroom2 23x0# set port 6 name confroom123x0# set port 8-13 name manufacturing 23x0# set system countrycode USMAC 23x0# set port type ap 2-16 model 2330 poe enablePort group backbonelink is up Ports 22 23x0# set port type wired-auth 17,18Save the configuration. Type the following command MTU Support Configuring and Managing IP Interfaces and ServicesConfiguring and Managing IP Interfaces Statically Configuring an IP Interface Adding an IP InterfaceEnabling the Dhcp Client Set interface vlan-idip dhcp-client enable disable 23x0# set interface corpvlan ip dhcp-client enable23x0# show interface 23x0# show dhcp-client Interface Corpvlan4 Configuration Status Enabled Dhcp StateSet interface vlan-idstatus up down Disabling or Reenabling an IP InterfaceRemoving an IP Interface Configuring the System IP Address Displaying IP Interface InformationShow interface vlan-id Set system ip-address ip-addr Designating the System IP AddressShow system Displaying the System IP AddressConfiguring and Managing IP Routes Clearing the System IP AddressClear system ip-address Configuring and Managing IP Interfaces and Services 320657-A Displaying IP Routes Show ip route destination23x0# show ip route 224.0.0.0/ 4 IP Local 23x0# set ip route default 10.5.4.1 Adding a Static Route23x0# set ip route 192.168.4.0 255.255.255.0 10.5.4.2 23x0# clear ip route default Managing the Management ServicesRemoving a Static Route 23x0# clear ip route 192.168.4.69/24Session Timeouts Login TimeoutsManaging SSH Enabling SSHAdding an SSH User Changing the SSH Service Port NumberShow crypto key ssh 23x0# show crypto key ssh ec6f567fd1fdc02893aea4f97cf51304Show sessions admin Clear sessions admin ssh session-id Changing SSH Timeouts23x0# show sessions admin 23x0# clear sessions admin sshManaging Telnet Telnet Login TimersEnabling Telnet Adding a Telnet UserChanging the Telnet Service Port Number Resetting the Telnet Service Port Number to Its DefaultManaging Telnet Server Sessions Managing Https Configuring and Managing DNSEnabling Https Displaying Https InformationConfiguring and Managing IP Interfaces and Services Enabling or Disabling the DNS Client Set ip dns enable disableAdding a DNS Server Configuring DNS ServersRemoving a DNS Server Set ip dns server ip-addrprimary secondaryAdding the Default Domain Name Configuring a Default Domain NameRemoving the Default Domain Name Set ip dns domain nameDisplaying DNS Server Information Configuring and Managing AliasesShow ip dns 23x0# show ip dnsAdding an Alias Set ip alias name ip-addr23x0# set ip alias HR1 Clear ip alias name Removing an AliasDisplaying Aliases Configuring and Managing Time ParametersShow ip alias name 23x0# show ip aliasSetting the Time Zone Displaying the Time ZoneClearing the Time Zone Configuring the Summertime Period Displaying the Summertime PeriodClearing the Summertime Period Set timedate date mmm dd yyyy time hhmmss Statically Configuring the System Time and Date23x0# set timedate date feb 29 2004 time Time now is Sun Feb 29 2004, 235802 PSTShow timedate 23x0# show timedate Displaying the Time and DateConfiguring and Managing NTP Adding an NTP Server Set ntp server ip-addr23x0# set ntp server Clear ntp server ip-addrall Removing an NTP ServerChanging the NTP Update Interval Set ntp update-interval seconds23x0# set ntp update-interval Clear ntp update-interval Resetting the Update Interval to the DefaultEnabling the NTP Client Set ntp enable disableManaging the ARP Table Displaying NTP InformationShow ntp Displaying ARP Table Entries Show arp ip-addr23x0# show arp Set arp permanent static dynamic ip-addrmac-addr Adding an ARP Entry23x0# set arp static 10.10.10.1 00bbccddeeff Success added arp 10.10.10.1 at 00bbccddeeff on VlanPinging Another Device Changing the Aging TimeoutSet arp agingtime seconds 23x0# set arp agingtime23x0# telnet Logging In to a Remote Device23x0# show sessions telnet client 23x0# clear sessions telnet clientIP Interfaces and Services Configuration Scenario Tracing a Route23x0# traceroute server1 23x0# set ip route default 10.20.10.1 23x0# set system ip-address23x0# set ip dns server 10.10.10.69 Primary Summertime is enabled, and set to PDT 23x0# set ip dns enable23x0# set ip dns server 10.20.10.69 Secondary 23x0 # show ip dnsConfiguring Snmp Configuring SnmpOverview 23x0# set system contact sysadmin1 Setting the System Location and Contact StringsSet system location string set system contact string 23x0# set system location 3rdfloorclosetSet snmp protocol v1 v2c usm all enable disable 23x023x0# set snmp protocol all enableEnabling Snmp Versions Clear snmp community name comm-string Configuring Community Strings SNMPv1 and SNMPv2c OnlyClear snmp usm usm-username Creating a USM User for SNMPv323x0# set snmp usm snmpmgr1 snmp-engine-id local Command Examples23x0# set snmp security encrypted Setting Snmp SecurityClear snmp profile profile-name Configuring a Notification Profile23x0# set snmp notify profile default send all Configuring Snmp Configuring a Notification Target Security unsecured authenticated encryptedClear snmp notify target target-num 23x0# set snmp notify target 2 10.10.40.10 v1 trap Set ip snmp server enable disable Enabling the Snmp Service23x0# set ip snmp server enable Displaying Snmp InformationDisplaying Snmp Version and Status Information Displaying the Configured Snmp Community Strings Displaying USM Settings Displaying Notification Profiles 23x0# show snmp notify profile insert updated exampleDisplaying Notification Targets 23x0# show snmp notify target insert updated exampleDisplaying Snmp Statistics Counters Configuring Snmp 320657-A About the Mobility Domain Feature Configuring and Managing Mobility Domain RoamingConfiguring a Mobility Domain Configuring the Seed Set mobility-domain mode seed domain-name mob-domain-name23x0# set mobility-domain mode seed domain-name Pleasanton Set mobility-domain member ip-addr Configuring Member WSSs on the SeedConfiguring a Member Set mobility-domain mode member seed-ip ip-addr23x0# set mobility-domain mode member seed-ip 2370# show mobility-domain status Displaying Mobility Domain Status192.168.14.6 192.168.15.5Displaying the Mobility Domain Configuration 2370# show mobility-domain configThis WSS is a member, with seed 2370# clear mobility-domain Clearing a Mobility Domain from a WSSClear mobility-domain member ip-addr Clearing a Mobility Domain Member from a Seed23x0# show roaming station Displaying Roaming StationsDisplaying Roaming VLANs and Their Affinities 23x0 # show roaming vlanAffinity Displaying Tunnel Information Understanding the Sessions of Roaming Users23x0 # show tunnel State PortActive Requirements for Roaming to SucceedEffects of Timers on Roaming Monitoring Roaming Sessions Mobility Domain ScenarioWSS-20show sessions network verbose 23x0# set mobility-domain member seed-ip23x0# show mobility-domain config 23x0# show roaming vlan23x0# show tunnel Configuring User Encryption Wireless Encryption Defaults Default Encryption Configuring WPA WPA Cipher Suites WPA Encryption with Tkip Only WPA Encryption with Tkip and WEP Tkip Countermeasures WPA Authentication Methods WPA Information Element Client Support Supported Encryption Support for WPA and Non-WPA ClientsCreating a Service Profile for WPA Configuring WPAEnabling WPA Specifying the WPA Cipher SuitesEnabling PSK Authentication Changing the Tkip Countermeasures Timer Value23x0# set service-profile wpa auth-psk enable Set service-profile name auth-psk enable disableSet service-profile name psk-phrase passphrase Set service-profile name psk-raw hexShow service-profile name ? Displaying WPA Settings23x0# show service-profile wpa Set radio-profile name service-profile nameCreating a Service Profile for RSN Configuring RSNEnabling RSN Specifying the RSN Cipher Suites23x0# set service-profile rsn cipher-ccmp enable Displaying RSN Settings23x0# set radio-profile blgd2 service-profile rsn Configuring WEPEncryption for Dynamic and Static WEP Set service-profile name wep key-index num key value Setting Static WEP Key ValuesEncryption Configuration Scenarios 23x0# set service-profile wepsrvc4 wep active-unicast-indexAssigning Static WEP Keys Enabling WPA with Tkip 23x0# set service-profile wpa success change accepted23x0# show ap config 23x0# show service-profile wpa-wep 23x0# set service-profile wpa-wep success change accepted23x0# set ap 5,11 radio 1 radio-profile rp2 mode enable Enabling Dynamic WEP in a WPA NetworkSuccess change accepted 23x0# set service-profile wpa-wep-for-mac Configuring Encryption for MAC Clients23x0# show service-profile wpa-wep-for-mac 23x0# show ap config Configuring User Encryption 320657-A AP Overview Configuring AP access pointsExample Nortel Network Country of Operation Distributed AP Network Requirements Directly Connected APs and Distributed APsDistributed APs and Dhcp Option Distributed APs and STPAP Parameters NameBias High Disable Upgrade-firmware EnableResiliency and Dual-Homing Options for APs GroupDual-Homed Direct Connections to a Single WSS Dual-Homed Direct and Distributed Connections to WSSs Dual-Homed Distributed Connections to WSSs on Both AP Ports Dual-Homed Distributed Connections to WSSs on One AP Port AP Boot ProcessConfiguring AP access points Configuring AP access points Configuring AP access points Example AP Boot over Layer 2 Network Example AP Boot over Layer 3 Network Example Boot of Dual-Homed AP Dual-Homed AP Booting Session Load Balancing Service Profiles Public and Private SSIDs Encryption Dap status commandConfiguring AP access points Radio Profiles Default Radio Profile RF Auto-TuningRadio-Specific Parameters Tx-powerChannel Antennatype Internal Nortel external antenna modelConfiguring AP access points Set system countrycode code Specifying the Country of OperationWSS 23x0# show system How an Unconfigured AP Finds an WSS Switch To Configure It Configuring a Template for Automatic AP ConfigurationConfiguring a Template Configured APs Have Precedence Over Unconfigured APs23x0# show dap config auto Radio 2 type 802.11a, mode enabled, channel dynamicChanging AP Parameter Values 23x0# set dap auto mode enable 23x0# set dap auto radio 1 radio-profile autodap123x0# show dap status auto Set dap auto persistent dap-numall Setting the Port Type for a Directly Connected AP Configuring AP Port ParametersPort parameter Setting 23x0# set port type ap 11-14,16 model 2330 poe enable Configuring an Indirectly Connected APChanging AP Names Clearing an AP from the ConfigurationDisabling or Reenabling Automatic Firmware Upgrades Configuring a Load-Balancing GroupEnabling LED Blink Mode Changing BiasEncryption Key Fingerprint Configuring AP-WSS SecurityEncryption Options RSA aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaa23x0# show dap status Confirming an AP’s Fingerprint on an WSS SwitchSet dap num fingerprint hex Setting the AP Security Requirement on an WSS SwitchSet dap security require optional 23x0# set dap security requireFingerprint Log Message Changing the Fallthru Authentication Type Configuring a Service ProfileDisabling or Reenabling Encryption for an Ssid Disabling or Reenabling Beaconing of an SsidConfiguring AP access points Set radio-profile name mode enable disable Configuring a Radio ProfileCreating a New Profile Changing Radio Parameters23x0# set radio-profile rp1 beacon-interval Set radio-profile name beacon-interval intervalSet radio-profile name dtim-interval interval 23x0# set radio-profile rp1 dtim-interval23x0# set radio-profile rp1 rts-threshold Set radio-profile name rts-threshold thresholdSet radio-profile name frag-threshold threshold 23x0# set radio-profile rp1 frag-threshold23x0# set radio-profile rp1 max-rx-lifetime Set radio-profile name max-rx-lifetime timeSet radio-profile name max-tx-lifetime time 23x0# set radio-profile rp1 max-tx-lifetime23x0# set radio-profile rp1 11g-only enable Set radio-profile name 11g-only enable disableSet radio-profile name preamble-length long short 23x0# set radio-profile rplong preamble-length longRemoving a Radio Profile Resetting a Radio Profile Parameter to its Default ValueClear radio-profile name parameter Clear radio-profile nameConfiguring the Channel and Transmit Power Configuring Radio-Specific ParametersConfiguring the External Antenna Model 23x0# set ap 11 radio 1 channel 1 tx-power23x0# set ap 5 radio 2 channel 36 tx-power 23x0# set dap 1 radio 1 antennatype ANT1060 23x0# set radio-profile rp2 service-profile wpaclients Mapping the Radio Profile to Service Profiles23x0# set ap 6 radio 1 radio-profile rp1 mode disable 23x0# set ap 11-14,16 radio 2 radio-profile rp1 mode enableDisabling or Reenabling Radios Assigning a Radio Profile and Enabling RadiosSet ap port-listdap dap-numradio 1 2 mode enable disable 23x0# set ap 3,7 radio 2 mode disableEnabling or Disabling Individual Radios Disabling or Reenabling All Radios Using a Profile 23x0# set radio-profile rp1 mode enable23x0# set radio-profile rp1 mode disable Resetting a Radio to its Factory Default Settings Clear ap port-listdap dap-numradio 1 2 all23x0# clear ap 3 radio Restarting an AP Displaying AP Information23x0# show dap config Displaying AP Configuration InformationDisplaying a List of Distributed APs Show dap global dap-numserial-id serial-ID23x0 # show dap global 23x0 # show dap unconfigured Show dap unconfiguredShow dap connection dap-numserial-id serial-ID Displaying Connection Information for Distributed APs23x0 # show service-profile wpaclients Displaying Service Profile Information23x0 # show radio-profile default Displaying Radio Profile InformationShow radio-profile name ? Displaying AP Status Information 23x0 # show ap counters Displaying AP Statistics Counters116665 7694 11643396 629107 112115 3368239 142900 TotlRF Auto-Tuning Overview Configuring RF Auto-TuningInitial Channel and Power Assignment Channel and Power Tuning Power TuningChannel Tuning Tuning the Transmit Data Rate RF Auto-Tuning Parameters Min-client-rate For 802.11b For 802.11a Changing RF Auto-Tuning SettingsDisabling or Reenabling Channel Tuning Changing Channel Tuning SettingsChanging the Channel Tuning Interval Changing the Channel Holddown IntervalEnabling Power Tuning Changing Power Tuning SettingsChanging the Power Tuning Interval Changing the Power Backoff Interval23x0# set ap 7 radio 1 auto-tune max-power Changing the Client Retransmission Threshold23x0# set ap 7 radio 1 auto-tune max-retransmissions Changing the Minimum Transmit Data Rate Displaying RF Auto-Tuning InformationDisplaying RF Auto-Tuning Settings 23x0# show radio-profile default23x0# show ap config 2 radio 23x0# show auto-tune neighbors ap 2 radio Displaying RF Neighbors23x0# show auto-tune attributes ap 2 radio Displaying RF AttributesConfiguring RF Auto-Tuning 320657-A How WMM Works in WSS Software Wi-Fi MultimediaQoS on the WSS Switch WMM in a Nortel Network QoS on an APSet radio-profile name wmm enable disable Disabling or Reenabling WMMWMM Priority Mappings 23x0# show radio-profile radprof1 Displaying WMM InformationShow dap qos-stats dap-numshow dap qos-stats port-list 23x0# show dap qos-statsWi-Fi Multimedia Configuring and Managing Spanning Tree Protocol Set spantree enable disable 23x0# set spantree enableEnabling the Spanning Tree Protocol Changing Standard Spanning Tree Parameters Snmp Port Path Cost DefaultsPort Priority Changing the Bridge Priority Set spantree priority value all vlan vlan-id23x0# set spantree priority 69 vlan pink Resetting the STP Port Cost to the Default Value Changing STP Port ParametersChanging the STP Port Cost Changing the STP Port Priority Resetting the STP Port Priority to the Default Value23x0# set spantree portpri 3-4 priority 23x0# set spantree portvlanpri 3-4 priority 48 vlan mauveChanging the STP Forwarding Delay Changing Spanning Tree TimersChanging the STP Hello Interval Changing the STP Maximum Age23x0# set spantree maxage 15 all Configuring and Managing STP Fast Convergence FeaturesUplink Fast Convergence Configuring Port Fast Convergence Set spantree portfast port port-listenable disable23x0# set spantree portfast port 9,11,13 enable Displaying Port Fast Convergence Information Port Vlan Portfast Disable EnableShow spantree portfast port-list 23x0# show spantree portfastConfiguring Backbone Fast Convergence Set spantree backbonefast enable disable23x0# set spantree backbonefast enable Displaying the Backbone Fast Convergence State Backbonefast is enabledShow spantree backbonefast 23x0# show spantree backbonefastSet spantree uplinkfast enable disable Configuring Uplink Fast ConvergenceDisplaying Uplink Fast Convergence Information Displaying Spanning Tree InformationShow spantree uplinkfast vlan vlan-id 23x0# show spantree uplinkfastDisplaying STP Bridge and Port Information Show spantree port-listvlan vlan-id active23x0# show spantree vlan mauve Show spantree portvlancost port-list Displaying the STP Port Cost on a Vlan Basis23x0# show spantree portvlancost Port 1 Vlan 1 have path cost23x0# show spantree blockedports vlan default Displaying Blocked STP PortsShow spantree blockedports vlan vlan-id Displaying Spanning Tree Statistics Show spantree statistics port-listvlan vlan-id23x0# show spantree statistics 1 Bpdu related parameters Topology change Timer value Hold timer Topology change TimerHold timer value Delay root port Timer Delay root port Timer value Timer restarted is23x0# set port disable Spanning Tree Configuration ScenarioClearing STP Statistics Clear spantree statistics port-listvlan vlan-idSpanning tree mode Default None Backbone DownDisabled 128 23x0# set port enableDown Auto Network 10/100BaseTx 1000/full Set igmp enable disable vlan vlan-id Disabling or Reenabling Igmp SnoopingDisabling or Reenabling Proxy Reporting Set igmp proxy-report enable disable vlan vlan-id Changing Igmp TimersSet igmp querier enable disable vlan vlan-id Enabling the Pseudo-QuerierSet igmp qi seconds vlan vlan-id Changing the Query IntervalSet igmp oqi seconds vlan vlan-id Changing the Other-Querier-Present IntervalSet igmp qri tenth-seconds vlan vlan-id Changing the Query Response IntervalSet igmp lmqi tenth-seconds vlan vlan-id Changing the Last Member Query IntervalEnabling Router Solicitation Set igmp mrsol enable disable vlan vlan-idChanging Robustness Set igmp rv num vlan vlan-idConfiguring Static Multicast Ports Changing the Router Solicitation IntervalSet igmp mrsol mrsi seconds vlan vlan-id Adding or Removing a Static Multicast Router Port Set igmp mrouter port port-listenable disableSet igmp receiver port port-listenable disable Displaying Multicast InformationAdding or Removing a Static Multicast Receiver Port Show igmp vlan vlan-id 23x0# show igmp vlan orange192.28.7.5 Dvmrp Group Port Receiver-IP Receiver-MAC Clearing Multicast Statistics Displaying Multicast Statistics OnlyShow igmp statistics vlan vlan-id Clear igmp statistics vlan vlan-idShow igmp querier vlan vlan-id Displaying Multicast QueriersShow igmp querier vlan orange Querier for vlan orange Port Querier-IP Querier-MACShow igmp mrouter vlan vlan-id Displaying Multicast RoutersShow igmp mrouter vlan orange 192.28.7.5 000102030405 DvmrpDisplaying Multicast Receivers 23x0# show igmp receiver-table group 237.255.255.0/24Vlan red Session Port Receiver-IP Receiver-MAC Configuring and Managing Igmp Snooping 320657-A About Security Access Control Lists Configuring and Managing Security ACLsSetting Security ACLs Overview of Security ACL CommandsSecurity ACL Filters Creating and Committing a Security ACLSetting a Source IP ACL Common IP Protocol Numbers23x0# set security acl ip acl-1 permit 192.168.1.4 Class of Service Class-of-Service CoS Packet HandlingWildcard Masks Configuring and Managing Security ACLs Common Icmp Message Types and Codes Setting an Icmp ACLCommon Icmp Message Types and Codes Setting TCP and UDP ACLs Setting a TCP ACLSetting a UDP ACL Configuring and Managing Security ACLs Determining the ACE Order Committing a Security ACL 23x0# commit security acl acl-9923x0# commit security acl all Viewing the Edit Buffer Viewing Security ACL InformationViewing Committed Security ACLs Viewing Security ACL Details23x0# show security acl hits ACL hit-counters Displaying Security ACL HitsMapping Security ACLs Clearing Security ACLs23x0# clear security acl acl-99 Mapping User-Based Security ACLs 23x0# commit security acl acl-222 success change accepted23x0# set user Natasha attr filter-id acl-222.in Configuring and Managing Security ACLs Clearing a Security ACL Map Displaying ACL Maps to Ports, VLANs, and Virtual Ports23x0# set security acl map acl-222 port 2 tag 1-3,5 23x0# show security acl map acl-99923x0# show security acl map acljoe Modifying a Security ACLACL acljoe is mapped to 23x0# clear security acl map acljoe port 423x0# show security acl info all Adding Another ACE to a Security ACLPlacing One ACE before Another Modifying an Existing Security ACL 23x0# show security acl editbuffer Clearing Security ACLs from the Edit BufferACL edit-buffer table Type Status Acl-a Not Committed Acl-111Using ACLs to Change CoS 23x0# rollback security acl acl-111ACL edit-buffer information for all Filtering Based on Dscp Values 23x0# set security acl ip voip permit 0.0.0.0 Enabling Prioritization for Legacy Voice over IP23x0# commit security acl voip 23x0# set security acl map voip vlan corpvlan outEnabling SVP Optimization for SpectraLink Phones Security ACL Configuration Scenario23x0# save config Managing Keys Certificates Why Use Keys and Certificates?Wireless Security through TLS PEAP-MS-CHAP-V2 Security About Keys and CertificatesPublic Key Infrastructures Public and Private Keys Digital Certificates Creating Keys and Certificates Crypto generate key commandPkcs #7, Pkcs #10, and Pkcs #12 Object Files Pkcs Object Files Supported by NortelManaging Keys and Certificates Procedures for Creating and Validating Certificates 23x0# crypto generate key admin Crypto generate key admin eap ssh webaaa 512 1024Admin key pair generated Creating Public-Private Key PairsCrypto generate self-signed admin eap webaaa 23x0# crypto generate self-signed admin Country Name USGenerating Self-Signed Certificates Crypto pkcs12 admin eap webaaa filename Crypto otp admin eap webaaa one-time-password23x0# crypto generate request admin Begin Certificate Installing a CA’s Own CertificateKey and Certificate Configuration Scenarios 23x0# show crypto certificate admin CertificateDisplaying Certificate and Key Information Self-signed cert for admin is 23x0# crypto generate self-signed adminCreating Self-Signed Certificates ENDCERTIFICATE-----23x0#crypto generate self-signed eap23x0# show crypto certificate admin 20# crypto generate self-signed webaaa Country Name US23x0# show crypto certificate eap 23x0# show crypto certificate webaaa Certificate 23x0# crypto pkcs12 admin 2048admn.p12 23x0# crypto otp admin SeC%#6@o%c23x0# copy tftp//192.168.253.1/2048admn.p12 2048admn.p12 23x0# copy tftp//192.168.253.1/20481x.p12 20481x.p12Keypair Device certificate CA certificate Unstructured Name wiring closet 12 CSR for admin is Email Address admin@example.com23x0# crypto ca-certificate admin 23x0# crypto certificate admin23x0# show crypto ca-certificate admin Enter PEM-encoded certificateAbout AAA for Network Users Configuring AAA for Network UsersAuthentication Types AuthenticationAuthentication Algorithm Authentication Flowchart for Network Users To 802.1X? Yes Ssid Name Any Last-Resort ProcessingUser Credential Requirements Configuring AAA for Network Users CLI AuthorizationAccounting AAA Tools for Network Users Summary of AAA FeaturesWildcard Any for Ssid Matching Wildcards and Groups for Network User ClassificationAAA Methods for Ieee 802.1X and Web Network Access AAA Rollover ProcessLocal Override Exception Remote Authentication with Local Backup Remote Pass-Through or Local Authentication EAP-MD5 Ieee 802.1X Extensible Authentication Protocol TypesWays an WSS Switch Can Use EAP Effects of Authentication Type on Encryption Method Configuring 802.1X AuthenticationConfiguring 802.1X Acceleration Using Pass-Through Authenticating through a Local Database Binding User Authentication to Machine Authentication Authentication Rule Requirements Bonded Authentication Configuration Example Bonded Authentication PeriodSet dot1x bonded-period seconds Clear dot1x bonded-periodDisplaying Bonded Authentication Configuration Information Show dot1x config 23x0# show dot1x config23x0# set dot1x bonded-period Configuring Authentication and Authorization by MAC Address Adding and Clearing MAC Users and User Groups Locally Adding MAC Users and GroupsClearing MAC Users and Groups 23x0# set authentication mac ssid voice 010102030405 local Configuring MAC Authentication and Authorization23x0# set authentication mac ssid voice 010102* local 23x0# set mac-user 000102030405 attr vlan-name redChanging the MAC Authorization Password for Radius Configuring Web-based AAASet radius server server-nameauthor-password password 23x0# set radius server bigbird author-password h00perHow Portal Web-based AAA Works WSS Requirements Web-based AAA Requirements and RecommendationsConfiguring AAA for Network Users Client NIC Requirements WSS RecommendationsClient Web Browser Requirements Client Web Browser RecommendationsConfiguring Portal Web-based AAA Portal Web-based AAA Configuration Example23x0# set user web-portal-mycorp attr vlan-name corpvlan 23x0# show sessions network ssid mycorp 23x0# show config23x0# show sessions network ssid mycorp Using a Custom Login Copying and Modifying the Nortel Login Custom Login Page ScenarioTitleMy Corp webAAA/title BWARNING/b My corp’s warning text H3Welcome to Mycorp’s Wireless LAN/h323x0# mkdir mycorp-webaaa success change accepted 23x0# dir mycorp-webaaaVariables for Redirect URLs Description Using Dynamic Fields in Web-based AAA Redirect URLsConfiguring Last-Resort Access WSS Switch Serving as Radius Proxy Configuring AAA for Users of Third-Party APsAuthentication Process for 802.1X Users of a Third-Party AP WSS Switch Requirements RequirementsThird-Party AP Requirements 23x0# set port type wired-auth 3-4 tag Set authentication mac wired mac-addr-wildcard method123x0# set authentication mac wired aabbcc010101 srvrgrp1 Set radius proxy port port-listtag tag-valuessid ssid-name23x0# set radius proxy client address 10.20.20.9 key radkey1 23x0# set authentication proxy ssid mycorp ** srvrgrp1End-date Assigning Authorization AttributesService-type Idle-timeoutSession-timeout Filter-idSsid Start-dateTime-of-day Vlan-name UrlAssigning Attributes to Users and Groups Assigning a Security ACL Locally Assigning a Security ACL to a User or a Group23x0# set user Jose attr filter-id acl-101.in 23x0# set usergroup eastcoasters attr filter-id acl-101.inAssigning a Security ACL on a Radius Server Clear mac-usergroup groupname attr filter-id Clearing a Security ACL from a User or GroupAssigning Encryption Types to Wireless Users Assigning and Clearing Encryption Types Locally23x0# set mac-usergroup mac-fans attr encryption-type Assigning and Clearing Encryption Types on a Radius Server About the Location Policy How the Location Policy Differs from a Security ACL Setting the Location Policy Applying Security ACLs in a Location Policy Rule23x0# set location policy deny if user eq *.theirfirm.com WSS-20show location policy Displaying and Positioning Location Policy RulesConfiguring Accounting for Wireless Network Users Set accounting admin console dot1x mac webClear location policy rule-number Configuring AAA for Network Users Viewing Local Accounting Records WSS-20-0013#show accounting statistics Viewing Roaming Accounting RecordsWSS-20-0017#show accounting statistics May 21 Acct-Status-Type=STOP Acct-Authentic=2Server Addr Ports Set authentication admin Jose sg3Rs-3 Rs-4Set authentication web ssid any ** sg1 Avoiding AAA Problems in Configuration OrderSet authentication web ssid corpa ** corpasrvr Vlan-Name = k2Configuring AAA for Network Users Configuration Producing an Incorrect Processing Order Using Authentication and Accounting Rules TogetherConfiguration for a Correct Processing Order 23x0# set accounting dot1x ssid mycorp * start-stop group123x0# set mobility-profile name roses-profile port 2-4,7,9 Configuring a Mobility Profile23x0# set mobility-profile mode enable Network User Configuration Scenarios23x0# show mobility-profile Mobility Profiles NamePorts ========================= Roses-profile23x0# set user EXAMPLE\username attr filter-id acl-101.in General Use of Network User Commands23x0# show security acl info acl-101 Mobility Profiles NamePorts ========================= TulipWSS-20save config 23x0# set radius server r1 address 10.1.1.1 key sunny Enabling Radius Pass-Through Authentication23x0# set user Natasha password moon Enabling PEAP-MS-CHAP-V2 Authentication23x0# set user Natasha attr session-timeout Unstructured Name wiring closet23x0# set radius server r1 address 10.1.1.1 key starry Enabling PEAP-MS-CHAP-V2 Offload23x0# set radius server r1 address 10.1.1.1 key starry Overriding AAA-Assigned VLANs Radius Overview Configuring Communication with RadiusConfiguring Communication with Radius Before You Begin Configuring Radius ServersClear radius deadtime key retransmit timeout Configuring Global Radius Defaults23x0# set radius deadtime 23x0# set radius key r8gneySetting the System IP Address as the Source Address 23x0# set radius client system-ip23x0# clear radius client system-ip Set radius server server-nameaddress ip-address key string Configuring Individual Radius ServersConfiguring Radius Server Groups Deleting Radius ServersClear radius server server-name Configuring Load Balancing Creating Server GroupsOrdering Server Groups Adding Members to a Server Group Set server group group-nameload-balance enableClear server group group-nameload-balance 23x0 # show aaaConfiguring Communication with Radius Deleting a Server Group Radius and Server Group Configuration Scenario23x0# set server group shorebirds load-balance enable Managing 802.1X on Wired Authentication Ports Managing 802.1X on WSS Switch23x0# set dot1x authcontrol enable Set dot1x authcontrol enable disableSuccess dot1x authcontrol enabled Enabling and Disabling 802.1X GloballyManaging 802.1X Encryption Keys Setting 802.1X Port Control23x0# set dot1x key-tx enable Set dot1x key-tx enable disableSuccess dot1x key transmission enabled Enabling 802.1X Key TransmissionSet dot1x tx-period seconds Configuring 802.1X Key Transmission Time Intervals23x0# set dot1x tx-period Success dot1x tx-period set toConfiguring 802.1X WEP Rekeying Configuring the Interval for WEP RekeyingManaging WEP Keys Managing 802.1X Client Reauthentication Setting EAP Retransmission Attempts23x0# set dot1x max-req Success dot1x max request set toSet dot1x reauth enable disable Enabling and Disabling 802.1X Reauthentication23x0# set dot1x reauth enable Success dot1x reauthentication enabled23x0# set dot1x reauth-max Set dot1x reauth-max number-of-attemptsSuccess dot1x max reauth set to 23x0# clear dot1x reauth-maxSuccess dot1x auth-server timeout set to Setting the 802.1X Reauthentication PeriodSet dot1x reauth-period seconds 23x0# set dot1x reauth-periodManaging Other Timers Setting the Bonded Authentication PeriodClear dot1x max-req Set dot1x quiet-period seconds Setting the 802.1X Quiet Period23x0# set dot1x quiet-period Success dot1x quiet period set toSet dot1x timeout auth-server seconds Setting the 802.1X Timeout for an Authorization Server23x0# set dot1x timeout auth-server 23x0# clear dot1x timeout auth-serverDisplaying 802.1X Information Setting the 802.1X Timeout for a Client23x0# show dot1x clients Viewing 802.1X ClientsViewing the 802.1X Configuration 23x0# show dot1x stats Viewing 802.1X StatisticsManaging 802.1X on the WSS Switch 320657-A Show sessions admin console telnet client Displaying and Clearing Administrative SessionsClear sessions admin console telnet client session-id Managing SessionsDisplaying and Clearing All Administrative Sessions WSS-20 show sessions admin23x0# clear sessions admin WSS-20 show sessions console Displaying and Clearing an Administrative Console SessionTty Username Time Type Tty0 5310 Console Console session 23x0# clear sessions consoleTty Username Time Type Tty3 Sshadmin 2099 Displaying and Clearing Administrative Telnet SessionsWSS-20 show sessions telnet Telnet sessionDisplaying and Clearing Client Telnet Sessions Displaying and Clearing Network Sessions23x0 # show sessions network User Sess IP or MACJose@example.com 5125 Vlan-eng Displaying Verbose Network Session Information003065168d69 4385 Vlan-wep 761 000bbe154656 noneShow sessions network user user-wildcard Displaying and Clearing Network Sessions by Username23x0# show sessions network user E Clear sessions network user user-wildcardShow sessions network mac-addr mac-addr-wildcard Displaying and Clearing Network Sessions by MAC AddressShow sessions net mac-addr 01055d7e981a Clear sessions network mac-addr mac-addr-wildcardShow sessions network vlan vlan-wildcard Displaying and Clearing Network Sessions by Vlan NameShow sessions network vlan west Clear sessions network vlan vlan-wildcardDisplaying and Clearing Network Sessions by Session ID Clear sessions network session-id session-id2370# clear sessions network session-id About System Files Managing System FilesShow version details Displaying Software Version Information23x0# show version 23x0# show version detailsW2 N/A Displaying Boot Information 23x0# show bootWorking with Files 23x0# dir old Displaying a List of FilesCopying a File 23x0# copy floor2WSS tftp//10.1.1.1/floor2WSS-backup23x0# copy floor2WSS tftp//10.1.1.1/floor2WSS Success sent 365 bytes in 0.401 seconds 910 bytes/sec23x0# copy tftp//10.1.1.1/newconfig newconfig 23x0# copy tftp//10.1.1.1/newconfig WSSconfigSuccessreceived9163214bytesin105.939seconds Bytes/sec 23x0# delete testconfig 23x0# copy testconfig tftp//10.1.1.1/testconfigDeleting a File Delete url23x0# mkdir corp2 Creating a SubdirectoryManaging Configuration Files Removing a Subdirectory23x0# rmdir corp2 Displaying the Running Configuration Show config area area all23x0# show config area vlan Managing System Files Save config filename Saving Configuration Changes23x0# save config newconfig Success configuration saved to newconfigSet boot configuration-file filename 23x0# set boot configuration-file floor2WSSSuccess boot config set Loading a Configuration File Load config url23x0# load config newconfig Backing Up and Restoring the System Resetting to the Factory Default ConfigurationManaging System Files Managing Configuration Changes 23x0# backup system tftp/10.10.20.9/sysabak critical Backup and Restore Examples23x0# restore system tftp/10.10.20.9/sysabak Upgrading the System ImageManaging System Files 320657-A About Rogues and RF Detection Rogue Detection CountermeasuresRogue access points and Clients Rogue ClassificationRogue Detection Lists Rogue Detection and Countermeasures Rogue Detection Algorithm Dynamic Frequency Selection DFS RF Detection ScansCountermeasures Summary of Rogue Detection FeaturesConfiguring Rogue Detection Lists Set rfdetect vendor-list client ap mac-addr Configuring a Permitted Vendor ListShow rfdetect vendor-list 23x0# show rfdetect vendor-list Total number of entriesSet rfdetect ssid-list ssid-name Configuring a Permitted Ssid ListShow rfdetect ssid-list 23x0# show rfdetect ssid-list Total number of entriesSet rfdetect black-list mac-addr Configuring a Client Black ListShow rfdetect black-list 23x0# show rfdetect black-listSet rfdetect attack-list mac-addr Configuring an Attack ListShow rfdetect attack-list 23x0# show rfdetect attack-listEnabling Countermeasures Configuring an Ignore ListEnabling AP Signatures Disabling or Reenabling Active ScanDisabling or Reenabling Logging of Rogues Set rfdetect log enable disableEnabling Rogue and Countermeasures Notifications IDS and DoS AlertsFlood Attacks DoS Attacks Netstumbler and Wellenreiter Applications Wireless Bridge Ad-Hoc Network Weak WEP Key Used by Client Disallowed Devices or SSIDs Displaying Statistics Counters IDS and DoS Log Messages IDS Log Message ExamplesMessage Type Displaying RF Detection Information Show rfdetect ignore Show rfdetect attack-listShow rfdetect clients mac mac-addr Displaying Rogue Clients23x0# show rfdetect clients mac 000c4163fd6d 23x0# show rfdetect clientsDisplaying Rogue Detection Counters Show rfdetect counters23x0# show rfdetect counters Show rfdetect mobility-domain ssid ssid-namebssid mac-addr Displaying Ssid or Bssid Information for a Mobility Domain23x0# show rfdetect mobility-domain 23x0# show rfdetect mobility-domain ssid nrtl-webaaa23x0# show rfdetect mobility-domain bssid 000b0e0004d1 Displaying RF Detect Data Show rfdetect data23x0 # show rfdetect data 23x0# show rfdetect visible ap 3 radio Displaying the APs Detected by an AP RadioDisplaying Countermeasures Information Show rfdetect countermeasures23x0# show rfdetect countermeasures Rogue Detection and Countermeasures 320657-A Appendix a Troubleshooting a WS Switch WSS Setup Problems and Remedies Fixing Common WSS Setup ProblemsSymptom Diagnosis Boot boot OPT+=default Recovering the System PasswordWSS-2350 WSS-2370, WSS-2380, or WSS-2360Log Message Components Configuring and Managing the System LogLogging Destinations and Levels Debug InfoLogging to the Log Buffer Using Log CommandsLogging Messages to a Syslog Server Logging to the ConsoleChanging the Current Telnet Session Defaults Setting Telnet Session DefaultsDisplaying the Log Configuration Logging to the Trace BufferSaving Trace Messages in a File Tracing Authentication Activity Using the Trace CommandRunning Traces Tracing Session Manager ActivityDisplaying a Trace Tracing Authorization ActivityStopping a Trace Tracing 802.1X Sessions23x0# show log trace severity error About Trace ResultsDisplaying Trace Results Copying Trace Results to a Server Clearing the Trace LogList of Trace Areas Viewing Vlan Interfaces Using Show CommandsViewing AAA Session Statistics WSS-2370# show interfaceViewing ARP Information Viewing FDB InformationVlan-name = vlan-wep 23x0# show fdbRemotely Monitoring Traffic Using Snoop Filters on Radios That Use Active ScanHow Remote Traffic Monitoring Works Best Practices for Remote Traffic MonitoringAppendix a Troubleshooting a WS Switch 23x0# set snoop snoop1 observer 10.10.30.2 snap-length Configuring a Snoop FilterMapping a Snoop Filter to a Radio Displaying Configured Snoop FiltersEditing a Snoop Filter Deleting a Snoop FilterDisplaying the Snoop Filters Mapped to a Radio Enabling or Disabling a Snoop FilterDisplaying the Snoop Filter Mappings for All Radios Removing Snoop Filter MappingsSuccess filter snoop1 enabled 23x0# set snoop snoop1 mode enable stop-afterDisplaying Remote Traffic Monitoring Statistics Preparing an Observer and Capturing TrafficShow snoop stats filter-namedap-numradio 1 Capturing System Information for Technical Support Displaying Technical Support Information 23x0# show tech-support file fortechsupport Sending Information to NetsSuccess results saved to fortechsupport.gz 23x0# copy fortechsupport.gz tftp//tftpserver/filename.gzAppendix a Troubleshooting a WS Switch 320657-A Supported Standard and Extended Attributes Appendix B Supported Radius Attributes801.1X Attributes 801.1X Attributes Radius Nortel Vendor-Specific Attributes Nortel VSAs Protocol Port Function Appendix C Mobility Domain Traffic PortsAppendix C Mobility Domain Traffic Ports 320657-A Appendix D Dhcp Server How the WSS Software Dhcp Server Works Configuring the Dhcp ServerDisplaying Dhcp Server Information Show dhcp-server interface vlan-id verbose23x0# show dhcp-server Appendix D Dhcp Server Glossary Advanced Encryption Standard See AES Authentication, authorization, and accounting See AAA CBC-MAC See Ccmp Cyclic redundancy check See CRC Glossary EAP with Transport Layer Security See EAP-TLS Group master key See GMK Group transient key See GTK Industry Canada See IC Information element See WPA IE Media access control address See MAC address Microsoft Challenge Handshake Authentication Per-VLAN Spanning Tree protocol See PVST+ Port address translation See PAT Power over Ethernet See PoE Quality of service See QoS Remote Authentication Dial-In User Service See Radius Spanning Tree Protocol See STP Temporal Key Integrity Protocol See Tkip Type, length, and value See TLV Wisp WPA information element See WPA IE Glossary 320657-A Numerics IndexIndex Index DNS Enable password Description Subnet masks for, notation conventions System IP address 366 To ports, VLANs, or virtual ports 368 Index Radius Https Index Configuring 341 rogue access points detecting TCP Snmp STP Uplink fast convergence Index WMS Index 320657-A Command Index Command Index Set dap auto radiotype Command Index Command Index 324 Show spantree blockedports 329
Related manuals
Manual 4 pages 4.45 Kb
Top Page Image Contents