Manuals / 3Com / Computer Equipment / Switch

3Com 3CRWX440095A, 3CRWX120695A manual WX4400# set location policy deny if user eq *.theirfirm.com

Models: 3CRWX120695A 3CRWX440095A

1 536

Download 536 pages 47.14 Kb

Page 206

206CHAPTER 7: AAA COMMANDS

The order of rules in the location policy is important to ensure users are properly granted or denied access. To position rules within the location policy, use before rule-numberand modify rule-numberin the set location policy command, and the clear location policy rule-numbercommand.

When applying security ACLs:

Use inacl inacl-nameto filter traffic that enters the switch from users via an MAP access port or wired authentication port, or from the network via a network port.

Use outacl outacl-nameto filter traffic sent from the switch to users via an MAP access port or wired authentication port, or from the network via a network port.

You can optionally add the suffixes .in and .out to inacl-nameand outacl-nameso that they match the names of security ACLs stored in the local WX database.

Examples — The following command denies network access to all users at *.theirfirm.com, causing them to fail authorization:

WX4400# set location policy deny if user eq *.theirfirm.com

The following command authorizes access to the guest_1 VLAN for all users who are not at *.wodefirm.com:

WX4400# set location policy permit vlan guest_1 if user neq *.wodefirm.com

The following command authorizes users at *.ny.ourfirm.com to access the bld4.tac VLAN instead, and applies the security ACL tac_24 to the traffic they receive:

WX4400# set location policy permit vlan bld4.tac outacl tac_24 if user eq *.ny.ourfirm.com

The following command authorizes access to users on VLANs with names matching bld4.* and applies security ACLs svcs_2 to the traffic they send and svcs_3 to the traffic they receive:

WX4400# set location policy permit inacl svcs_2 outacl svcs_3 if vlan eq bldg4.*

Image 206

3Com 3CRWX440095A, 3CRWX120695A manual WX4400# set location policy deny if user eq *.theirfirm.com

Contents

Wireless LAN Mobility System 3CRWX120695A, 3CRWX440095A3Com Corporation 350 Campus Drive Marlborough, MA USA Contents Clear banner motd Clear history Clear prompt Set system locationVlan Commands 144 131 Ping 132 Set arp 133 Set arp agingtime 134142 Set ip ssh 143 147 Set ntp 148Display location policy 185 Display mobility-profile 169183 234 MAP Access Point Commands by Usage228 241254 Display dap unconfigured 256 Display radio-profile 257 261 Reset ap dap 264326 311319 327337 335Set spantree 345Clear security acl 370 Clear security acl map 371 Commands by Usage 393369 373446 435444 Set rfdetect ignore 467 Set rfdetect log 468 465 Set rf detect countermeasures466 480496 Set trace sm 497 Commands by Usage 491 Clear log trace Clear trace 492Fver 519 Help 520 Next 521 Reset 522 Test 523 517Version Register Your Product 527Conventions List conventions that are used throughout this guideDocumentation „ Wireless LAN Switch Manager 3WXM Release Notes„ Wireless LAN Switch and Controller Release Notes „ Document title CommentsPddtechpubscomments@3com.com „ Document part number and revision on the titleAbout this Guide Overview Clear fdb dynamic port port-list vlan vlan-id Set enablepassClear interface vlan-idip MAC Address Text EntryConventions NotationWildcard Masks MasksSubnet Masks User GlobsUser Globs Gives examples of user globsMAC Address Globs Matching Order for Globs WX1200# set port enableVlan Globs „ a single port number. For exampleEditing Command-LineWX1200# reset port Operating systemsWX1200# display i Tab WX1200# display i? Using CLI HelpAt your access level, type the help command. For example WX1200# display ip ? Understanding Command DescriptionsSet ap dap name command has the following complete syntax WX1200# display ip telnetUnderstanding Command Descriptions Using the COMMAND-LINE Interface To located commands in this chapter based on their use Commands byDisable Syntax disable Defaults NoneEnable QuitSet enablepass Access Commands System Service Commands To located commands in this chapter based on their useClear history Banner with an empty banner by typing the following commandClear banner motd „ display banner motd onClear prompt Clear systemDisplay banner MotdDisplay license DisplayBase-information „ set license on Defaults None Access AllDisplay system Shows system informationDescribes the fields of display system output Display system outputNvram size /SDRAM size percent of total Syntax help WX switchHelp See Also „ clear history on HistorySyntax history That might have a large impact on the network Set confirmSee Also „ clear banner motd on „ display banner motd on Syntax set confirm on offWX4400# clear vlan red Set lengthExamples To turn off these confirmation messages, type WX4400# set confirm offSee Also „ display license on Installs an upgrade license, for managing more MAPsSet license Set prompt Syntax set prompt stringCountrycode Set system contact Stores a contact name for the WX switchSet system Syntax set system contact stringCountry Code Ip-address Defaults The factory default country code is NoneUsing any set ap commands to configure a MAP Mobility DomainSee Also „ clear system on „ display system on Syntax set system location string„ set system contact on „ set system name on Syntax set system name stringSystem Service Commands Port Commands Locate commands in this chapter based on their useRemoves a Distributed MAP That are using the MAPClear dap „ set dap onSee Also „ set port-groupon „ display port-groupon Clear port-group„ name name Name of the port group Clear port name Removes the name assigned to a portSee Also „ display port status on „ set port name on Clear portPreference Interface for the active linkNetwork port Network port defaultsClear port type PortDisplay port CountersOutput for display port-group Display port-groupShows port group informationDescribes the fields in the display port-group output Output for display port poe See Also „ clear port-groupon „ set port-grouponDescribes the fields in this display Syntax display port poe port-list„ set port poe on Usage This command applies only to the WX4400All four ports of a WX4400 switch Specified portsOutput for display port preference Syntax display port status port-listOutput for display port status WX1200# display port status„ set port negotiation on Monitor portSee Also „ clear port type on „ set port speed onKey Controls for Monitor Port Counters Display Output for monitor port counters WX4400# monitor port countersCorrect length but contained an invalid See Also „ display port counters on Reset port Set dapPort Commands Set dap Administratively disables or reenables a port Examples The following command disables portFol1owing command reenables the port Set portWith no spaces Configured together as a single logical linkSingle logical link See Also „ clear port-groupon „ display port-groupon Name or number in other CLI commandsSet port name See Also „ clear port name on „ display port status onResult Set port negotiationSet port poe WX1200# set port poe 4,5 disable Following command enables PoE on ports 4See Also „ set port type ap on „ set port type wired-authon WX1200# set port poe 4,5 enableWX4400# set port preference 2 rj45 Set port speedChanges the speed of a port Syntax set port speed port-list10 100 1000 autoSet snmp trap command Set port trapSet port type ap Defaults All WX ports are network ports by default Antenna model, use the following command„ poe enable disable Power over Ethernet PoE state „ 11a 802.11a „ 11b 802.11b „ 11g 802.11gMAP Access Port Defaults STPWired-auth Set port typeWired Authentication Port Details WX1200# set port type wired-auth 2 success change acceptedSee Also „ clear port type on „ set port type ap on Vlan Commands Syntax clear fdb perm static dynamic Clear fdbDeletes an entry from the forwarding database FDB WX4400# clear fdb static vlan blue success change acceptedPort from the VLAN, make sure you specify the port number Clear vlan„ display fdb on Display fdb Following command completely removes Vlan marigoldSee Also „ set vlan port on „ display vlan config on Displays entries in the forwarding databaseWX4400# display fdb all See Also „ clear fdb on AgingtimeDescribes the fields in the display fdb output Output for display fdbSyntax display fdb count perm static dynamic See Also „ set fdb agingtime onWX1200# display fdb agingtime Display roaming StationOutput for display roaming station Describes the fields in the displaySee Also „ display roaming vlan on WX4400# display roaming vlan Output for display roaming vlanSyntax display roaming vlan Output for display tunnel See Also „ display vlan config onDisplay tunnel Syntax display tunnelSyntax display vlan config vlan-id Display vlan configOutput for display vlan config WX1200# display vlan config burgundySyntax set fdb perm static Set fdbAdds a permanent or static entry to the forwarding database See Also „ clear fdb on „ display fdb on Vlan 4094 is reserved for WebAAA Set vlan nameSee Also „ display fdb agingtime on Creates a Vlan and assigns a number and name to itSet vlan port Set vlan Tunnel-affinitySee Also „ display roaming vlan on „ display vlan config on IP Services Commands To locate commands in this chapter based on their useIP Services Commands by Usage DNSSyntax clear interface vlan-idip Clear interfaceRemoves an IP interface See Also „ display ip alias on Access EnabledHistory Introduced in MSS Version WX1200# clear ip dns domain„ set ip dns domain on Clear ip dns serverClear ip route „ set ip dns server on„ set ip route on Clear ip telnet„ display ip route on Clear ntp Update-intervalClear ntp server Receiver „ set ntp server on „ set ntp update-intervalonClear snmp trap See Also „ clear ntp server on „ display ntp onClear summertime Clear timezone CommandFollowing command Examples To clear the system IP address, type the followingDisplay timezone on Display arpDisplay timedate on Shows the ARP tableSyntax display interface vlan-id „ set arp on„ set arp agingtime on See Also „ set interface on „ set interface status on Shows the IP aliases configured on the wireless LAN switchDisplay ip alias Output for display interface„ clear ip alias on Examples The following command displays the DNS informationDisplay ip dns „ set ip alias onOutput for display ip dns Display ip httpsShows information about the Https management port Syntax display ip httpsOutput for display ip https WX4400# display ip httpsSyntax display ip route destination Display ip routeShows the IP route table WX4400# display ip routeOutput of display ip route FieldDescriptionWX4400 display ip telnet Output for display ip telnetSyntax display ip telnet Shows NTP client information Examples To display NTP information for a WX switch, typeDisplay ntp Output for display ntp„ set ntp server on „ set summertime on „ set timezone on Examples To display Snmp settings on a WX switch, type ConfigurationShows Snmp settings on a wireless LAN switch Display snmpOutput of display snmp configuration Syntax display summertime Defaults There is no summertime offset by defaultSummertime WX1200# display summertimeWX4400# display timezone WX1200# display timedateSyntax display timezone Defaults „ count „ set timedate on „ set timezone onSet arp „ traceroute onSyntax set arp agingtime seconds Following command disables ARP agingSee Also „ set arp agingtime on WX1200# set arp agingtimeSet interface WX1200# set interface mauve ip 10.10.20.10 Syntax set interface vlan-idstatus up downSet ip dns Aliases as shortcuts in CLI commandsSet ip alias See Also „ clear ip alias on „ display ip alias onSyntax set ip dns domain name WX1200# set ip dns domain example.comSyntax set ip dns server ip-addrprimary secondary Adds a static route to the IP route table WX switch is also disabledSet ip route Set ip route Syntax set ip snmp server enable disable „ clear snmp trap receiver on See Also „ set ip ssh absolute-timeoutonSet ip ssh Secure Shell SSH management trafficSyntax set ip ssh absolute-timeout minutes Absolute-timeout„ set ip ssh idle-timeouton „ set ip ssh server on Or idleSet ip ssh server Idle-timeoutAlso disabled Set ip telnet Syntax set ip telnet server enable disable WX4400# set ip telnet server enable success change acceptedConfigures a wireless LAN switch to use an NTP server Examples The following command enables the NTP clientEnables or disables the NTP client on a wireless LAN switch Set ntpNTP server RFC 1305, Network Time Protocol Version 3 SpecificationImplementation and Analysis From 16 through 1,024 secondsPublic and private Set snmpCommunity „ all Enables or disables all traps „ enable Enables trap information to be sent„ disable Disables the sending of trap information Sends an Snmp trap message to any network management systemDefaults All traps are disabled by default Access Enabled Snmp Trap NamesSet snmp trap See Also „ clear snmp trap receiver onIP Services Commands Date is within the summertime period To PDT Pacific Daylight Time, type the following commandValues Following„ date mmm dd yyyy System date Sets the time of day and date on the wireless LAN switchSet timedate „ time hhmmss System time, in hours, minutes, and secondsTime now is Sun Feb 29 2004, 235802 PST Set timezoneWX4400# set timedate date feb 29 2004 time WX1200# set timezone PST TelnetOpens a Telnet client session with a remote device See Also „ clear sessions on „ display sessions on WX4400# telnetTraceroute Defaults„ dnf Disabled „ no-dns- Disabled „ port „ queries „ size „ ttlError messages for traceroute WX4400# traceroute server1„ ping on AAA Commands by Usage Locate commands in this chapter based on their useThis chapter presents AAA commands alphabetically. Use to Display accounting statistics on Syntax clear accounting admin dot1x user-glob WX4400# clear accounting dot1x NinClear authentication AdminConsoleConsole Syntax clear authentication console user-globWX4400# clear authentication console Regina Syntax clear authentication dot1x ssid ssid-namewired WX4400# clear authentication last-resort wired Clear authentication Removes a MAC authentication rule. macSyntax clear authentication last-resort ssid ssid-namewired Syntax clear authentication mac ssid ssid-namewiredSyntax clear authentication web ssid ssid-namewired Clear authentication Removes a WebAAA rule. webWX4400# clear authentication mac ssid thatcorp aabbcc Syntax clear location policy rule-number „ set location policy on Clear mac-user„ display location policy on See Also „ display aaa on „ set mac-usergroup attr on„ set mac-user attr on Clear mac-user attrGroup Clear Mac-usergroup„ clear mac-usergroup attr on Mac-user group commandMac-usergroup attr Mobility-profile Clear userClear user attr See Also „ display aaa onClear user group Clear usergroupWX4400# clear usergroup cardiology success change accepted „ group-name- Name of an existing user groupSyntax clear usergroup group-name Time-Of-Day attribute from the group Displays all current AAA settingsDisplay aaa Describes the fields that can appear in display aaa output Display aaa OutputUser’s password, and no global password is set Statistics Stored in the local database on the WX switchDisplay accounting Statistics outputAaattyattr „ clear location policy on Display locationPolicy Are sent Admin consoleSet accounting Authenticated by Server when the user roamsAccesses the switch using Telnet or Web Manager Authenticated by MAC authenticationAAA Commands Set authentication AAA Commands Globs on Through the switch’s consoleCompleting logon Following methods in priority order. MSS applies multipleFor more information, see Usage Syntax set authentication dot1x ssid ssid-namewired AAA Commands Set authentication dot1x Success change accepted Syntax set authentication last-resort AAA Commands Syntax set authentication mac AAA Commands Syntax set authentication web ssid ssid-namewired AAA Commands Set location policy AAA Commands Set location policy WX4400# set location policy deny if user eq *.theirfirm.com Set mac-user Tempvendora into Vlan kiosk1See Also „ clear mac-useron „ display aaa on Authentication Attributes for Local Users Authentication Attributes for Local Users Filter-id outboundacl.outYY/MM/DD-HHMM Time-of-day WX4400# set mac-user 010203040506 attr filter-id acl-03.in See Also „ clear mac-user attr on „ display aaa on Syntax set mac-usergroupSee Also „ clear mac-usergroup attr on „ display aaa on Syntax set mobility-profile name name port none allAAA Commands Syntax set mobility-profile mode enable disable „ set user attr on „ set usergroup onSee Also „ clear user on „ display aaa on Set user29Jan04 See Also „ clear user attr on „ display aaa on Set user attrOrange „ clear user group on Set user groupSet usergroup Set web-aaa To add a user to a group, user the command set user groupSyntax set web-aaa enable disable Examples To disable WebAAA, type the following command WX4400# set web-aaa disable success change acceptedTo locate commands in this chapter based on their use Mobility Domain Commands by UsageMobility-domain MemberStatus Display mobility-domain configDisplays the configuration of the Mobility Domain See Also „ set mobility-domain member onDisplay mobility-domain Output WX4400# display mobility-domain statusSet Mode member„ display mobility-domain config on Seed-ipSet mobility-domain mode seed domain-name Syntax set mobility-domain mode seed domain-nameDomain name is Pleasanton Mobility Domain Commands Commands Managed Access Point Commands Map Access Point Commands by Usage Clear ap dap RadioWX1200# clear ap 3 radio Syntax clear radio-profile name parameter„ name Service profile name Syntax clear service-profile nameSee Also „ clear radio-profileon „ set radio-profile mode on WX4400# display dap config Output for display ap configWX1200# display ap config Does not belong to any load balancing groups An associated client Display ap dap Displays MAP access point and radio statistics countersMAP access point on port Radio 1 Shows statistics counters for radioOutput for display ap counters Tkip Pkt ReplaysWX4400# display dap etherstats See Also „ display sessions network onSyntax display ap dap etherstats port-listdap-num Output of display ap etherstats TxMaxColl„ name Name of an MAP group or Distributed MAP group Syntax Syntax display ap status port-listall radio 1WX4400# display dap status WX1200# display ap statusOutput for display ap status Decide whether to change channel or power settings Output for display ap statusWX1200# display auto-tune attributes ap 2 radio See Also „ display auto-tune neighbors onOutput for display auto-tune attributes Display auto-tune NeighborsOutput for display auto-tune neighbors Display auto-tune Neighbors ap 2 radioDisplay dap ConnectionOutput of display dap connection „ display ap dap config on„ display dap global on „ display dap unconfigured on Dap connection serial-id M9DE48B6EAD00Output for display dap global WX4400# display dap globalBut that are not configured on any WX switches Unconfigured„ display ap dap config on Longer appears in the command’s outputDescribes the fields in this display Displays radio profile informationWX4400# display radio-profile default Output for display radio-profileSetting and tuning channels Ssid „ name Displays information about the named service profile Service-profileDisplays service profile information „ ? Displays a list of service profilesUsername „ Tkip countermeasures time Indicates the amount Syntax set ap port-listdap dap-numbias high low Reset ap dapWX1200# reset ap See Also „ display ap dap config on WX4400# set dap 1 bias low success change acceptedSyntax set ap port-listdap dap-numblink enable disable WX1200# set ap 3-4 blink enable success change accepted WX1200# set ap 4 group none success change accepted Set ap dap name Changes an MAP name„ display ap dap group on WX1200# set ap 1 name techpubs success change accepted„ antennatype ANT5060 ANT5120 ANT5180 internal Set ap dap radio antennatype„ antennatype ANT1060 ANT1120 ANT1180 internal Set ap dap radio auto-tune max-power Set ap dap radio auto-tune max- retransmissions Managed Access Point Commands Syntax set ap port-listdap dap-numradio 1 Set ap dap radio channelSets an MAP radio’s channel Set ap dap radio min-client-rate WX1200# set ap 5 radio 1 channel 36 success change acceptedSet ap dap radio min-client-rate Following command enables radio 2 on ports 1 through Set ap dap radio modeEnables or disables a radio on an MAP access point Set ap dap radio radio-profile Set ap dap radio tx-power Sets an MAP radio’s transmit powerUpgrade-firmware Set ap dapSet radio-profile 11g-onlySet radio-profile auto-tune channel-config Set radio-profile auto-tune channel-holddown Syntax set radio-profile name auto-tune channel-holddownSet radio-profile auto-tune channel-interval Syntax set radio-profile name auto-tune channel-intervalWX4400# set radio-profile rp2 auto-tune power-backoff-timer Set radio-profile auto-tune power-backoff- timerSyntax set radio-profile name auto-tune power-backoff-timer Set radio-profile auto-tune power-config Set radio-profile auto-tune power-interval Specify from 25 ms to 8191 ms Service set identifier SsidBeacon-interval Radio profile rp1 to 200 msSyntax set radio-profile name frag-threshold threshold Syntax set radio-profile name long-retry threshold Syntax set radio-profile name max-rx-lifetime time Max-tx-lifetime ModeDefaults for Radio Profile Parameters Parameter Default ValueWX4400# set radio-profile rp1 mode enable WX4400# set radio-profile rp1 success change acceptedSyntax set radio-profile name Syntax set radio-profile name rts-threshold threshold Defaults for Service Profile Parameters Syntax set radio-profile name service-profile name297 Defaults for Service Profile Parameters Syntax set radio-profile name short-retry threshold Syntax set service-profile Name auth-dot1x enable disable WPA IESet service-profile auth-fallthru Syntax set service-profile name auth-psk enable disable Syntax set service-profile name beaconed enable disable Set service-profile Cipher-ccmpCipher-tkip Cipher-wep104 Use the set service-profile wep commandsSee Also „ set service-profilecipher-ccmpon Defaults 40-bit WEP encryption is disabled by default „ enable Enables 40-bit WEP encryption for WPA clients„ disable Disables 40-bit WEP encryption for WPA clients Cipher-wep104 commandSyntax set service-profile name psk-phrase passphrase Syntax set service-profile name psk-raw hex Syntax set service-profile name rsn-ie enable disable Set service-profile auth-psk command Syntax set service-profile name ssid-name ssid-nameSee Also „ set service-profilessid-typeon See Also „ set service-profilessid-nameonSyntax set service-profile name tkip-mc-time wait-time Web-aaa-form Ssid managed by the service profileSyntax set service-profile name web-aaa-form url „ mkdir on Set service-profile wep active-multicast- index„ copy on „ dir on Set service-profile wep active-unicast- index Syntax set service-profile name wep active-unicast-index numWep key-index Syntax set service-profile name wpa-ie enable disable STP Commands by Usage STP Commands byTable to locate commands in this chapter based on their use Portcost STP root bridge in all VLANs on a WX switchClear spantree Syntax clear spantree portcost port-list„ clear spantree portvlanpri on PortpriPortvlancost „ set spantree portpri onPortvlanpri „ clear spantree portcost on„ clear spantree portpri on See Also „ display spantree statistics onSpantree vlan default Syntax display spantreeOutput for display spantree RootBackbonefast Or disabledDisplay spantree „ display spantree blockedports on„ set spantree backbonefast on WX switch with backbone fast convergence enabledBlockedports One or all of its VLANsSee Also „ set spantree portfast on PortfastFor one or more network ports Output for display spantree portfastSyntax display spantree portvlancost port-list Port’s VLANs„ port-list- List of ports Syntax display spantree statisticsWX4400# display spantree statistics Topology change Timer value Hold timer Output for display spantree statistics Vlan Vlan IDConfigpending Switch is the root or is attempting to become the root See Also „ clear spantree statistics on Syntax display spantree uplinkfast vlan vlan-idSet spantree „ set spantree uplinkfast onFollowing command disables STP on Vlan burgundy Examples The following command enables STP on all VLANsConfigured on a WX switch An indirect linkFwddelay „ display spantree backbonefast onVLANs to 4 seconds Issues a topology change messageMaxage „ all Changes the maximum age on all VLANsPath to the STP root bridge Type. lists the defaults for STP port path costSnmp Port Path Cost Defaults 65,535. STP selects lower-cost paths over higher-cost pathsPortvlancost command See Also „ display spantree portfast on Syntax set spantree portpri port-listpriority valueType. See on Bridge for a specific Vlan on a wireless LAN switch„ all Changes the cost on all VLANs To 20 in Vlan mauvePriority Pink to Uplinkfast32,768 Primary link failsSee Also „ display spantree uplinkfast on Igmp Snooping Commands Igmp Commands by UsageSee Also display igmp statistics on Clear igmp statisticsDisplay igmp TTL Output for display igmp TTL WX1200# display igmp Mrouter vlan orange MrouterSyntax display igmp mrouter vlan vlan-id Syntax display igmp querier vlan vlan-id Defaults None Access EnabledOnly one querier WX1200# display igmp querier vlan orange WX1200# display igmp querier vlan defaultOutput for display igmp mrouter WX1200# display igmp querier vlan redReceiver-table „ set igmp querier onVLAN, MSS displays Igmp statistics for all VLANs See Also „ set igmp receiver onShows Igmp statistics WX1200# display igmp receiver-table group 237.255.255.0/24WX1200# display igmp statistics vlan orange Output of display igmp statistics From the multicast routers in the subnetWireless LAN switch See Also „ set igmp rv onSet igmp lmqi VLANs on a wireless LAN switchVLAN, the timer change applies to all VLANs From 1 through 65,535Set igmp mrsol Enables or disables multicast router solicitation by a WXSyntax set igmp mrsol enable disable vlan vlan-id See Also „ display igmp statistics onSyntax set igmp mrsol mrsi seconds vlan vlan-id See Also „ set igmp mrsol mrsi onSee Also „ set igmp mrsol on WX1200# set igmp mrsol mrsi 60 success change acceptedSyntax set igmp oqi seconds vlan vlan-id Set igmp oqiAll VLANs on a WX Set igmp qi Set igmpProxy-report Group. You can specify a value from 1 through 65,535 Set igmp qriVLANs on a WX WX1200# set igmp qi 100 vlan orange success change acceptedSyntax set igmp querier enable disable vlan vlan-id WX1200# set igmp qri 50 vlan orange success change acceptedSyntax set igmp receiver port port-listenable disable See Also „ display igmp querier onOccurs on the network Defaults The default robustness value for all VLANs isSet igmp rv VLAN, MSS changes the robustness value for all VLANsSecurity ACL Commands Security ACLSyntax clear security acl acl-name all editbuffer-index Clear security acl map Syntax clear security acl map acl-nameall vlan vlan-id WX4400# clear security acl map all success change accepted Syntax commit security acl acl-nameallSyntax display security acl editbuffer WX4400# commit security acl allWX4400# display security acl WX4400# display security acl editbuffer Syntax display security acl hitsSyntax display security acl info acl-nameall editbuffer See Also „ hit-sample-rateon „ set security acl onWX4400# display security acl hits Security ACL is assigned Display security aclMap Syntax display security acl map acl-nameSupport for your Product on Resource-usageACL acl111 is mapped WX4400# display security acl map acl111WX4400# display security acl resource-usage Output of display security acl resource-usage Output of display security acl resource-usage Syntax hit-sample-rate seconds Hit-sample-ratePackets filtered by the security ACL or hits Syntax rollback security acl acl-nameall Set security acl Protocol, or IP, ICMP, TCP, or UDP packet informationBy UDP packets By Icmp packetsBy TCP packets „ ip „ tcp „ udp „ icmp Set security acl Security ACL Commands WX4400# commit security acl all configuration accepted WX4400# set security acl ip acl123 deny 192.168.2.11Defaults None Set security acl map Security ACL Commands To locate commands in this chapter based on their use Cryptography Commands by UsageSyntax crypto ca-certificate admin eap webaaa Syntax crypto certificate admin eap webaaa See Also „ display crypto ca-certificateonExamples The following command installs a certificate See Also display crypto key ssh on Syntax crypto generate key admin eap ssh webaaa 512 1024WX4400# crypto generate key admin 1024 key pair generated Syntax crypto generate request admin eap webaaa WX4400# crypto generate request admin Email Address admin@example.comSyntax crypto generate self-signed admin eap webaaa See Also „ crypto certificate on „ crypto generate key onWX4400# crypto generate self-signed admin Crypto otp Crypto pkcs12 „ crypto pkcs12 onSee Also „ crypto otp on Pkcs #7 certificate Display cryptoCa-certificate Display crypto ca-certificate OutputCertificate On the WX switchSyntax display crypto certificate admin eap webaaa Describes the fields of the displaySee Also crypto generate key on Syntax display crypto key sshCryptography Commands Locate commands in this chapter based on their uses Radius Commands by UsageClear radius Syntax clear radius client system-ip WX4400# clear radius timeout success change acceptedSee Also „ display aaa on „ set radius client system-ipon WX4400# clear radius server rs42 success change accepted See Also „ display aaa on „ set radius server onSyntax clear radius server server-name Syntax clear server group group-nameload-balanceSet radius „ set server group on„ clear radius server on Set radius clientSystem-ip WX4400# set radius client system-ip success change accepted Radius and Server Group Commands Syntax set server group group-namemembers server-name1 Load-balance group „ group-name- Server group name of up to 32 charactersSet server group load-balance Radius and Server Group Commands 802.1X Commands by Usage On the switchCommands on PerformanceClear dot1x Which disables the featureExamples To reset the Bonded period to its default, type Bonded-period„ set dot1x max-reqon Port-controlSee Also „ display dot1x on „ set dot1x bonded-periodon See Also „ display dot1x on „ set dot1x quiet-periodon Quiet-period„ set dot1x port-controlon „ set dot1x reauth-maxon Reauth-maxReauth-period See Also „ display dot1x on „ set dot1x reauth-periodonAuth-server Defaults The default is 30 secondsAuthentication server, type the following command Before the WX times out a request to a Radius serverDisplay dot1x „ set dot1x timeout supplicant onTx-period „ set dot1x tx-periodonWX1200# display dot1x config WX4400# display dot1x clientsWX4400# display dot1x stats Type the following command to display 802.1X statisticsExplains the counters in the display dot1x stats output Authcontrol Port-control commandSet dot1x Authentication ports, type the following command Authentication is enabledExamples To enable per-port 802.1X authentication on wired Machine to start reauthentication for the userSee Also „ display dot1x on „ clear dot1x bonded-periodon Syntax set dot1x key-tx enable disableWX4400# set dot1x key-tx enable WX4400# set dot1x bonded-period 60 success change acceptedSet dot1x max-req „ clear dot1x max-reqonSyntax set dot1x quiet-period seconds To a supplicant after a failed authenticationSee Also „ display port status on „ display dot1x on Syntax set dot1x reauth enable disable See Also „ display dot1x on „ clear dot1x reauth-maxon Attempts reauthenticationBefore the supplicant client becomes unauthorized Syntax set dot1x reauth-max number-of-attemptsOut an authentication session with a supplicant client Set dot1x timeoutOut a request to a Radius authentication server SupplicantSee Also „ display dot1x on „ clear dot1x tx-periodon Syntax set dot1x tx-period secondsWep-rekey Wep-rekey-periodSee Also „ display dot1x on „ set dot1x wep-rekeyon Clear sessions Telnet sessionsUsers NetworkVLANs, or session ID WX1200# clear sessions network session-id To clear session 9, type the following commandWX4400# clear sessions network mac-addr WX1200# clear sessions network user NatashaDisplay sessions WX4400 display sessions telnet WX4400 display sessions adminWX4400 display sessions console See Also „ clear sessions on Display sessions telnet client OutputSyntax display sessions network WX1200# display sessions network „ Summary display See on „ Verbose display See on„ display sessions network session-id display See on WX1200# display sessions network mac-addr 00055d7e981aWX1200# display sessions network verbose WX1200# display sessions network session-idDisplay sessions network summary Output Additional display sessions network verbose OutputTime 802.1X protocol on a wired authentication port Display sessions network session-id OutputSee Also „ clear sessions network on Session Management Commands RF Detection Commands Clear rfdetect Countermeasures mac commandRfdetect countermeasures mac commands CountermeasuresIgnore Syntax clear rfdetect ignore mac-addrDomain Display rfdetectMobility Domain Syntax display rfdetect countermeasuresRadios as well as by third-party access points Syntax display rfdetect dataDisplay rfdetect data Output WX1200# display rfdetect dataIgnore list Display rfdetect data command on that switchRadios, use the display rfdetect data command „ clear rfdetect ignore onDisplay rfdetect mobility-domain Output WX1200# display rfdetect mobility-domainTo display the base MAC address of a 3Com radio, use Third-party access points„ mac-addr- Base MAC address of the 3Com radio Display neighboring BSSIDsWX1200# display rfdetect Visible ap Radio Display rfdetect visible OutputWX1200# display rfdetect visible 000b0e000a6a Set rf detect Set rfdetectActive-scan Syntax set rfdetect countermeasures mac mac-addr Set rfdetect countermeasures macStarts countermeasures against a specific rogue Syntax set rfdetect ignore mac-addr Set rfdetect log Detected or when they disappearSyntax set rfdetect log enable disable See Also „ display log buffer onFile Management Commands Tape archive tar format BackupDefaults All HistoryDescribes the fields in the dir output Output for backupSyntax clear boot config „ reset system on CopyWX4400# copy floorwx tftp//10.1.1.1/floorwx Immediately deletes the specified file File or the running configurationDelete Syntax delete urlDir WX4400# delete dang/dangdoc success file deletedFollowing command displays the files in the old subdirectory „ copy on Display bootBoot Output for dirDisplays the configuration running on the WX switch Display configDescribes the fields in the display boot output „ area area Configuration area. You can specify oneSee Also „ load config on WX4400# display config area vlanDisplay version „ save config onAnd, optionally, for any attached MAP access points Describes the fields in the display version output Output for display versionSyntax load config url Load configRunning configuration with the commands in the loaded file Creates a new subdirectory in nonvolatile storage Following command loads configuration file testconfig1Mkdir „ dir on „ rmdir on Syntax reset system force Reset systemRestarts an WX switch and reboots the software WX4400# reset systemOr restoring an archive RestoreKey pairs and certificates on the switch Rmdir Save config„ backup on „ dir on „ mkdir onConfiguration Set bootConfiguration-file Testconfig1Syntax set boot partition boot0 boot1 File Management Commands Syntax clear log trace Clear log traceDeletes the log messages stored in the trace buffer „ set log on Deletes running trace commands and ends trace processesClear trace Syntax display trace all WX switch, or all possible trace optionsDisplay trace WX4400# display traceSet trace AuthenticationSave trace Traces authorization information AuthorizationAbout user jose’s authentication Authorization for MAC addressSet trace dot1x See Also „ clear trace on „ display trace onSet trace sm Syntax set trace sm mac-addr mac-address port port-numTrace Commands Clear log Syntax clear log buffer server ip-addrSee Also „ clear log trace on WX4400# clear log buffer success change acceptedWX4400# display log buffer facility AAA You can view event messages archived in the bufferLog buffer facility ? „ clear log on „ display log config onLog config „ set log on „ clear log onSyntax display log trace +-/number-of-messages Set log „ trace Sets log parameters for trace files „ Logging state enabled or disabled„ enable Enables messages to the specified target Set log trace MbytesSee Also „ display log config on WX4400# set log trace mbytes 4 success change acceptedSystem LOG Commands Boot Prompt Commands Boot PromptAutoboot „ DEV=device Location of the system image file Boot„ BT=type Boot type „ FN=filename System image filename„ change on „ display on Change Syntax changeCreate Syntax createProfiles, see display on Usage When you type the delete command, the next-lowerExamples To remove the currently active boot profile, type Syntax deleteDiag Syntax diagSyntax display Defaults None „ fver on „ version onOutput of display command „ change on „ create on „ delete on „ next onFver Displays a list of the boot prompt commands For an individual command„ command-name- Boot prompt command „ ls onSyntax next Defaults None NextSyntax reset ResetResets a WX switch’s hardware Command at the boot promptDefaults The poweron test flag is disabled by default „ on Enables the poweron test flag„ OFF Disables the poweron test flag TestType the following command at the boot prompt Syntax version Defaults NoneDir or fver command Boot version„ dir on „ fver on Boot Prompt Commands Product ServicesRegister Your PurchaseOnline Access SoftwareTroubleshoot DownloadsNeed to apply for a user name and password Contact UsCountry Telephone Number Latsupportanc@3com.comIndex Delete 474, 515 diag Dir 475, 516 disable 33 display Index Index Index Index