Manuals / 3Com / Computer Equipment / Switch

3Com 3CRWX440095A, 3CRWX120695A manual Security ACL Commands

Models: 3CRWX120695A 3CRWX440095A

1 536

Download 536 pages 47.14 Kb

Page 388

388CHAPTER 12: SECURITY ACL COMMANDS

before editbuffer-index— Inserts the new ACE in front of another ACE in the security ACL. Specify the number of the existing ACE in the edit buffer. Index numbers start at 1. (To display the edit buffer, use display security acl editbuffer.)

modify editbuffer-index— Replaces an ACE in the security ACL with the new ACE. Specify the number of the existing ACE in the edit buffer. Index numbers start at 1. (To display the edit buffer, use display security acl editbuffer.)

hits — Tracks the number of packets that are filtered based on a security ACL, for all mappings.

Defaults — Permitted packets are assigned to class-of-service (CoS) class 0 by default.

Access — Enabled.

History — Introduced in MSS Version 3.0.

Usage — The WX switch does not apply security ACLs until you activate them with the commit security acl command and map them to a VLAN, port, or virtual port, or to a user. If the WX switch is reset or restarted, any ACLs in the edit buffer are lost.

You cannot perform ACL functions that include permitting, denying, or marking with a Class of Service (CoS) level on packets with a multicast or broadcast destination address.

The order of security ACEs in a security ACL is important. Once an ACL is active, its ACEs are checked according to their order in the ACL. If an ACE criterion is met, its action takes place and any ACEs that follow are ignored.

ACEs are listed in the order in which you create them, unless you move them. To position security ACEs within a security ACL, use before editbuffer-indexand modify editbuffer-index.

Examples — The following command adds an ACE to security acl_123 that permits packets from IP address 192.168.1.11/24 and counts the hits:

WX4400# set security acl ip acl_123 permit 192.168.1.11 0.0.0.255 hits

Image 388

3Com 3CRWX440095A, 3CRWX120695A manual Security ACL Commands

Contents

Wireless LAN Mobility System 3CRWX120695A, 3CRWX440095A3Com Corporation 350 Campus Drive Marlborough, MA USA Contents Clear banner motd Clear history Clear prompt Set system locationVlan Commands 131 Ping 132 Set arp 133 Set arp agingtime 134 142 Set ip ssh 143144 147 Set ntp 148183 169Display location policy 185 Display mobility-profile MAP Access Point Commands by Usage 228234 241254 Display dap unconfigured 256 Display radio-profile 257 261 Reset ap dap 264311 319326 327335 Set spantree337 345Commands by Usage 393 369Clear security acl 370 Clear security acl map 371 373444 435446 465 Set rf detect countermeasures 466Set rfdetect ignore 467 Set rfdetect log 468 480Commands by Usage 491 Clear log trace Clear trace 492 Fver 519 Help 520 Next 521 Reset 522 Test 523496 Set trace sm 497 517Version Register Your Product 527Conventions List conventions that are used throughout this guide„ Wireless LAN Switch and Controller Release Notes „ Wireless LAN Switch Manager 3WXM Release NotesDocumentation Comments Pddtechpubscomments@3com.com„ Document title „ Document part number and revision on the titleAbout this Guide Overview Clear interface vlan-idip Set enablepassClear fdb dynamic port port-list vlan vlan-id Text Entry ConventionsMAC Address NotationMasks Subnet MasksWildcard Masks User GlobsMAC Address Globs Gives examples of user globsUser Globs WX1200# set port enable Vlan GlobsMatching Order for Globs „ a single port number. For exampleCommand-Line WX1200# reset portEditing Operating systemsWX1200# display i Tab At your access level, type the help command. For example Using CLI HelpWX1200# display i? Understanding Command Descriptions Set ap dap name command has the following complete syntaxWX1200# display ip ? WX1200# display ip telnetUnderstanding Command Descriptions Using the COMMAND-LINE Interface Commands by DisableTo located commands in this chapter based on their use Syntax disable Defaults NoneEnable QuitSet enablepass Access Commands System Service Commands To located commands in this chapter based on their useBanner with an empty banner by typing the following command Clear banner motdClear history „ display banner motd onClear prompt Clear systemDisplay banner MotdBase-information DisplayDisplay license Defaults None Access All Display system„ set license on Shows system informationDescribes the fields of display system output Display system outputNvram size /SDRAM size percent of total Help WX switchSyntax help Syntax history HistorySee Also „ clear history on Set confirm See Also „ clear banner motd on „ display banner motd onThat might have a large impact on the network Syntax set confirm on offSet length Examples To turn off these confirmation messages, typeWX4400# clear vlan red WX4400# set confirm offSet license Installs an upgrade license, for managing more MAPsSee Also „ display license on Set prompt Syntax set prompt stringSet system contact Stores a contact name for the WX switch Set systemCountrycode Syntax set system contact stringCountry Code Defaults The factory default country code is None Using any set ap commands to configure a MAPIp-address Mobility DomainSee Also „ clear system on „ display system on Syntax set system location string„ set system contact on „ set system name on Syntax set system name stringSystem Service Commands Port Commands Locate commands in this chapter based on their useThat are using the MAP Clear dapRemoves a Distributed MAP „ set dap onClear port-group „ name name Name of the port groupSee Also „ set port-groupon „ display port-groupon Clear port name Removes the name assigned to a portClear port PreferenceSee Also „ display port status on „ set port name on Interface for the active linkNetwork port defaults Clear port typeNetwork port PortDisplay port CountersDescribes the fields in the display port-group output Display port-groupShows port group informationOutput for display port-group See Also „ clear port-groupon „ set port-groupon Describes the fields in this displayOutput for display port poe Syntax display port poe port-listUsage This command applies only to the WX4400 All four ports of a WX4400 switch„ set port poe on Specified portsOutput for display port preference Syntax display port status port-listOutput for display port status WX1200# display port statusMonitor port See Also „ clear port type on„ set port negotiation on „ set port speed onKey Controls for Monitor Port Counters Display Output for monitor port counters WX4400# monitor port countersCorrect length but contained an invalid See Also „ display port counters on Reset port Set dapPort Commands Set dap Examples The following command disables port Fol1owing command reenables the portAdministratively disables or reenables a port Set portSingle logical link Configured together as a single logical linkWith no spaces Name or number in other CLI commands Set port nameSee Also „ clear port-groupon „ display port-groupon See Also „ clear port name on „ display port status onSet port poe Set port negotiationResult Following command enables PoE on ports 4 See Also „ set port type ap on „ set port type wired-authonWX1200# set port poe 4,5 disable WX1200# set port poe 4,5 enableSet port speed Changes the speed of a portWX4400# set port preference 2 rj45 Syntax set port speed port-list10 100 1000 autoSet snmp trap command Set port trapSet port type ap Antenna model, use the following command „ poe enable disable Power over Ethernet PoE stateDefaults All WX ports are network ports by default „ 11a 802.11a „ 11b 802.11b „ 11g 802.11gMAP Access Port Defaults STPWired-auth Set port typeWired Authentication Port Details WX1200# set port type wired-auth 2 success change acceptedSee Also „ clear port type on „ set port type ap on Vlan Commands Clear fdb Deletes an entry from the forwarding database FDBSyntax clear fdb perm static dynamic WX4400# clear fdb static vlan blue success change accepted„ display fdb on Clear vlanPort from the VLAN, make sure you specify the port number Following command completely removes Vlan marigold See Also „ set vlan port on „ display vlan config onDisplay fdb Displays entries in the forwarding databaseWX4400# display fdb all Agingtime Describes the fields in the display fdb outputSee Also „ clear fdb on Output for display fdbWX1200# display fdb agingtime See Also „ set fdb agingtime onSyntax display fdb count perm static dynamic Display roaming StationSee Also „ display roaming vlan on Describes the fields in the displayOutput for display roaming station Syntax display roaming vlan Output for display roaming vlanWX4400# display roaming vlan See Also „ display vlan config on Display tunnelOutput for display tunnel Syntax display tunnelDisplay vlan config Output for display vlan configSyntax display vlan config vlan-id WX1200# display vlan config burgundyAdds a permanent or static entry to the forwarding database Set fdbSyntax set fdb perm static See Also „ clear fdb on „ display fdb on Set vlan name See Also „ display fdb agingtime onVlan 4094 is reserved for WebAAA Creates a Vlan and assigns a number and name to itSet vlan port Set vlan Tunnel-affinitySee Also „ display roaming vlan on „ display vlan config on IP Services Commands To locate commands in this chapter based on their useIP Services Commands by Usage DNSRemoves an IP interface Clear interfaceSyntax clear interface vlan-idip Access Enabled History Introduced in MSS VersionSee Also „ display ip alias on WX1200# clear ip dns domainClear ip dns server Clear ip route„ set ip dns domain on „ set ip dns server on„ display ip route on Clear ip telnet„ set ip route on Clear ntp server Update-intervalClear ntp „ set ntp server on „ set ntp update-intervalon Clear snmp trapReceiver See Also „ clear ntp server on „ display ntp onClear summertime Command Following commandClear timezone Examples To clear the system IP address, type the followingDisplay arp Display timedate onDisplay timezone on Shows the ARP table„ set arp agingtime on „ set arp onSyntax display interface vlan-id Shows the IP aliases configured on the wireless LAN switch Display ip aliasSee Also „ set interface on „ set interface status on Output for display interfaceExamples The following command displays the DNS information Display ip dns„ clear ip alias on „ set ip alias onDisplay ip https Shows information about the Https management portOutput for display ip dns Syntax display ip httpsOutput for display ip https WX4400# display ip httpsDisplay ip route Shows the IP route tableSyntax display ip route destination WX4400# display ip routeOutput of display ip route FieldDescriptionSyntax display ip telnet Output for display ip telnetWX4400 display ip telnet Examples To display NTP information for a WX switch, type Display ntpShows NTP client information Output for display ntp„ set ntp server on „ set summertime on „ set timezone on Configuration Shows Snmp settings on a wireless LAN switchExamples To display Snmp settings on a WX switch, type Display snmpOutput of display snmp configuration Defaults There is no summertime offset by default SummertimeSyntax display summertime WX1200# display summertimeSyntax display timezone WX1200# display timedateWX4400# display timezone Defaults „ count „ set timedate on „ set timezone onSet arp „ traceroute onFollowing command disables ARP aging See Also „ set arp agingtime onSyntax set arp agingtime seconds WX1200# set arp agingtimeSet interface WX1200# set interface mauve ip 10.10.20.10 Syntax set interface vlan-idstatus up downAliases as shortcuts in CLI commands Set ip aliasSet ip dns See Also „ clear ip alias on „ display ip alias onSyntax set ip dns domain name WX1200# set ip dns domain example.comSyntax set ip dns server ip-addrprimary secondary Set ip route WX switch is also disabledAdds a static route to the IP route table Set ip route Syntax set ip snmp server enable disable See Also „ set ip ssh absolute-timeouton Set ip ssh„ clear snmp trap receiver on Secure Shell SSH management trafficAbsolute-timeout „ set ip ssh idle-timeouton „ set ip ssh server onSyntax set ip ssh absolute-timeout minutes Or idleAlso disabled Idle-timeoutSet ip ssh server Set ip telnet Syntax set ip telnet server enable disable WX4400# set ip telnet server enable success change acceptedExamples The following command enables the NTP client Enables or disables the NTP client on a wireless LAN switchConfigures a wireless LAN switch to use an NTP server Set ntpRFC 1305, Network Time Protocol Version 3 Specification Implementation and AnalysisNTP server From 16 through 1,024 secondsCommunity Set snmpPublic and private „ enable Enables trap information to be sent „ disable Disables the sending of trap information„ all Enables or disables all traps Sends an Snmp trap message to any network management systemDefaults All traps are disabled by default Access Enabled Snmp Trap NamesSet snmp trap See Also „ clear snmp trap receiver onIP Services Commands To PDT Pacific Daylight Time, type the following command ValuesDate is within the summertime period FollowingSets the time of day and date on the wireless LAN switch Set timedate„ date mmm dd yyyy System date „ time hhmmss System time, in hours, minutes, and secondsWX4400# set timedate date feb 29 2004 time Set timezoneTime now is Sun Feb 29 2004, 235802 PST Opens a Telnet client session with a remote device TelnetWX1200# set timezone PST See Also „ clear sessions on „ display sessions on WX4400# telnetDefaults „ dnf Disabled „ no-dns- Disabled „ portTraceroute „ queries „ size „ ttlError messages for traceroute WX4400# traceroute server1„ ping on This chapter presents AAA commands alphabetically. Use to Locate commands in this chapter based on their useAAA Commands by Usage Display accounting statistics on Syntax clear accounting admin dot1x user-glob WX4400# clear accounting dot1x NinClear authentication AdminWX4400# clear authentication console Regina Syntax clear authentication console user-globConsoleConsole Syntax clear authentication dot1x ssid ssid-namewired Clear authentication Removes a MAC authentication rule. mac Syntax clear authentication last-resort ssid ssid-namewiredWX4400# clear authentication last-resort wired Syntax clear authentication mac ssid ssid-namewiredWX4400# clear authentication mac ssid thatcorp aabbcc Clear authentication Removes a WebAAA rule. webSyntax clear authentication web ssid ssid-namewired Syntax clear location policy rule-number Clear mac-user „ display location policy on„ set location policy on See Also „ display aaa on „ set mac-usergroup attr onGroup Clear mac-user attr„ set mac-user attr on Clear Mac-usergroupMac-usergroup attr Mac-user group command„ clear mac-usergroup attr on Mobility-profile Clear userClear user attr See Also „ display aaa onClear user group Clear usergroupSyntax clear usergroup group-name „ group-name- Name of an existing user groupWX4400# clear usergroup cardiology success change accepted Display aaa Displays all current AAA settingsTime-Of-Day attribute from the group Describes the fields that can appear in display aaa output Display aaa OutputUser’s password, and no global password is set Stored in the local database on the WX switch Display accountingStatistics Statistics outputAaattyattr Policy Display location„ clear location policy on Set accounting Admin consoleAre sent Server when the user roams Accesses the switch using Telnet or Web ManagerAuthenticated by Authenticated by MAC authenticationAAA Commands Set authentication AAA Commands Through the switch’s console Completing logonGlobs on Following methods in priority order. MSS applies multipleFor more information, see Usage Syntax set authentication dot1x ssid ssid-namewired AAA Commands Set authentication dot1x Success change accepted Syntax set authentication last-resort AAA Commands Syntax set authentication mac AAA Commands Syntax set authentication web ssid ssid-namewired AAA Commands Set location policy AAA Commands Set location policy WX4400# set location policy deny if user eq *.theirfirm.com Set mac-user Tempvendora into Vlan kiosk1See Also „ clear mac-useron „ display aaa on Authentication Attributes for Local Users Authentication Attributes for Local Users Filter-id outboundacl.outYY/MM/DD-HHMM Time-of-day WX4400# set mac-user 010203040506 attr filter-id acl-03.in See Also „ clear mac-user attr on „ display aaa on Syntax set mac-usergroupSee Also „ clear mac-usergroup attr on „ display aaa on Syntax set mobility-profile name name port none allAAA Commands Syntax set mobility-profile mode enable disable „ set user attr on „ set usergroup on29Jan04 Set userSee Also „ clear user on „ display aaa on Orange Set user attrSee Also „ clear user attr on „ display aaa on Set usergroup Set user group„ clear user group on Syntax set web-aaa enable disable To add a user to a group, user the command set user groupSet web-aaa Examples To disable WebAAA, type the following command WX4400# set web-aaa disable success change acceptedTo locate commands in this chapter based on their use Mobility Domain Commands by UsageMobility-domain MemberDisplay mobility-domain config Displays the configuration of the Mobility DomainStatus See Also „ set mobility-domain member onDisplay mobility-domain Output WX4400# display mobility-domain statusMode member „ display mobility-domain config onSet Seed-ipSet mobility-domain mode seed domain-name Syntax set mobility-domain mode seed domain-nameDomain name is Pleasanton Mobility Domain Commands Commands Managed Access Point Commands Map Access Point Commands by Usage Clear ap dap RadioWX1200# clear ap 3 radio Syntax clear radio-profile name parameter„ name Service profile name Syntax clear service-profile nameSee Also „ clear radio-profileon „ set radio-profile mode on WX1200# display ap config Output for display ap configWX4400# display dap config Does not belong to any load balancing groups An associated client Displays MAP access point and radio statistics counters MAP access point on portDisplay ap dap Radio 1 Shows statistics counters for radioOutput for display ap counters Tkip Pkt ReplaysSyntax display ap dap etherstats port-listdap-num See Also „ display sessions network onWX4400# display dap etherstats Output of display ap etherstats TxMaxColl„ name Name of an MAP group or Distributed MAP group Syntax Syntax display ap status port-listall radio 1WX4400# display dap status WX1200# display ap statusOutput for display ap status Decide whether to change channel or power settings Output for display ap statusOutput for display auto-tune attributes See Also „ display auto-tune neighbors onWX1200# display auto-tune attributes ap 2 radio Display auto-tune NeighborsOutput for display auto-tune neighbors Display auto-tune Neighbors ap 2 radioDisplay dap Connection„ display ap dap config on „ display dap global on „ display dap unconfigured onOutput of display dap connection Dap connection serial-id M9DE48B6EAD00Output for display dap global WX4400# display dap globalUnconfigured „ display ap dap config onBut that are not configured on any WX switches Longer appears in the command’s outputDescribes the fields in this display Displays radio profile informationWX4400# display radio-profile default Output for display radio-profileSetting and tuning channels Ssid Service-profile Displays service profile information„ name Displays information about the named service profile „ ? Displays a list of service profilesUsername „ Tkip countermeasures time Indicates the amount WX1200# reset ap Reset ap dapSyntax set ap port-listdap dap-numbias high low See Also „ display ap dap config on WX4400# set dap 1 bias low success change acceptedSyntax set ap port-listdap dap-numblink enable disable WX1200# set ap 3-4 blink enable success change accepted Set ap dap name Changes an MAP name „ display ap dap group onWX1200# set ap 4 group none success change accepted WX1200# set ap 1 name techpubs success change accepted„ antennatype ANT1060 ANT1120 ANT1180 internal Set ap dap radio antennatype„ antennatype ANT5060 ANT5120 ANT5180 internal Set ap dap radio auto-tune max-power Set ap dap radio auto-tune max- retransmissions Managed Access Point Commands Sets an MAP radio’s channel Set ap dap radio channelSyntax set ap port-listdap dap-numradio 1 Set ap dap radio min-client-rate WX1200# set ap 5 radio 1 channel 36 success change acceptedSet ap dap radio min-client-rate Enables or disables a radio on an MAP access point Set ap dap radio modeFollowing command enables radio 2 on ports 1 through Set ap dap radio radio-profile Set ap dap radio tx-power Sets an MAP radio’s transmit powerUpgrade-firmware Set ap dapSet radio-profile 11g-onlySet radio-profile auto-tune channel-config Set radio-profile auto-tune channel-holddown Syntax set radio-profile name auto-tune channel-holddownSet radio-profile auto-tune channel-interval Syntax set radio-profile name auto-tune channel-intervalSyntax set radio-profile name auto-tune power-backoff-timer Set radio-profile auto-tune power-backoff- timerWX4400# set radio-profile rp2 auto-tune power-backoff-timer Set radio-profile auto-tune power-config Set radio-profile auto-tune power-interval Service set identifier Ssid Beacon-intervalSpecify from 25 ms to 8191 ms Radio profile rp1 to 200 msSyntax set radio-profile name frag-threshold threshold Syntax set radio-profile name long-retry threshold Syntax set radio-profile name max-rx-lifetime time Max-tx-lifetime ModeDefaults for Radio Profile Parameters Parameter Default ValueWX4400# set radio-profile rp1 mode enable WX4400# set radio-profile rp1 success change acceptedSyntax set radio-profile name Syntax set radio-profile name rts-threshold threshold Defaults for Service Profile Parameters Syntax set radio-profile name service-profile name297 Defaults for Service Profile Parameters Syntax set radio-profile name short-retry threshold Syntax set service-profile Name auth-dot1x enable disable WPA IESet service-profile auth-fallthru Syntax set service-profile name auth-psk enable disable Syntax set service-profile name beaconed enable disable Set service-profile Cipher-ccmpCipher-tkip See Also „ set service-profilecipher-ccmpon Use the set service-profile wep commandsCipher-wep104 „ enable Enables 40-bit WEP encryption for WPA clients „ disable Disables 40-bit WEP encryption for WPA clientsDefaults 40-bit WEP encryption is disabled by default Cipher-wep104 commandSyntax set service-profile name psk-phrase passphrase Syntax set service-profile name psk-raw hex Syntax set service-profile name rsn-ie enable disable Set service-profile auth-psk command Syntax set service-profile name ssid-name ssid-nameSee Also „ set service-profilessid-typeon See Also „ set service-profilessid-nameonSyntax set service-profile name tkip-mc-time wait-time Syntax set service-profile name web-aaa-form url Ssid managed by the service profileWeb-aaa-form „ copy on „ dir on Set service-profile wep active-multicast- index„ mkdir on Set service-profile wep active-unicast- index Syntax set service-profile name wep active-unicast-index numWep key-index Syntax set service-profile name wpa-ie enable disable Table to locate commands in this chapter based on their use STP Commands bySTP Commands by Usage STP root bridge in all VLANs on a WX switch Clear spantreePortcost Syntax clear spantree portcost port-listPortpri Portvlancost„ clear spantree portvlanpri on „ set spantree portpri onPortvlanpri „ clear spantree portcost on„ clear spantree portpri on See Also „ display spantree statistics onSpantree vlan default Syntax display spantreeOutput for display spantree RootOr disabled Display spantreeBackbonefast „ display spantree blockedports onWX switch with backbone fast convergence enabled Blockedports„ set spantree backbonefast on One or all of its VLANsPortfast For one or more network portsSee Also „ set spantree portfast on Output for display spantree portfastPort’s VLANs „ port-list- List of portsSyntax display spantree portvlancost port-list Syntax display spantree statisticsWX4400# display spantree statistics Topology change Timer value Hold timer Output for display spantree statistics Vlan Vlan IDConfigpending Switch is the root or is attempting to become the root See Also „ clear spantree statistics on Syntax display spantree uplinkfast vlan vlan-idSet spantree „ set spantree uplinkfast onExamples The following command enables STP on all VLANs Configured on a WX switchFollowing command disables STP on Vlan burgundy An indirect linkFwddelay „ display spantree backbonefast onIssues a topology change message MaxageVLANs to 4 seconds „ all Changes the maximum age on all VLANsType. lists the defaults for STP port path cost Snmp Port Path Cost DefaultsPath to the STP root bridge 65,535. STP selects lower-cost paths over higher-cost pathsPortvlancost command See Also „ display spantree portfast on Syntax set spantree portpri port-listpriority valueBridge for a specific Vlan on a wireless LAN switch „ all Changes the cost on all VLANsType. See on To 20 in Vlan mauvePriority Uplinkfast 32,768Pink to Primary link failsSee Also „ display spantree uplinkfast on Igmp Snooping Commands Igmp Commands by UsageDisplay igmp Clear igmp statisticsSee Also display igmp statistics on TTL Output for display igmp TTL Syntax display igmp mrouter vlan vlan-id MrouterWX1200# display igmp Mrouter vlan orange Only one querier Defaults None Access EnabledSyntax display igmp querier vlan vlan-id WX1200# display igmp querier vlan default Output for display igmp mrouterWX1200# display igmp querier vlan orange WX1200# display igmp querier vlan redReceiver-table „ set igmp querier onSee Also „ set igmp receiver on Shows Igmp statisticsVLAN, MSS displays Igmp statistics for all VLANs WX1200# display igmp receiver-table group 237.255.255.0/24WX1200# display igmp statistics vlan orange Output of display igmp statistics From the multicast routers in the subnetWireless LAN switch See Also „ set igmp rv onVLANs on a wireless LAN switch VLAN, the timer change applies to all VLANsSet igmp lmqi From 1 through 65,535Enables or disables multicast router solicitation by a WX Syntax set igmp mrsol enable disable vlan vlan-idSet igmp mrsol See Also „ display igmp statistics onSee Also „ set igmp mrsol mrsi on See Also „ set igmp mrsol onSyntax set igmp mrsol mrsi seconds vlan vlan-id WX1200# set igmp mrsol mrsi 60 success change acceptedAll VLANs on a WX Set igmp oqiSyntax set igmp oqi seconds vlan vlan-id Proxy-report Set igmpSet igmp qi Set igmp qri VLANs on a WXGroup. You can specify a value from 1 through 65,535 WX1200# set igmp qi 100 vlan orange success change acceptedSyntax set igmp querier enable disable vlan vlan-id WX1200# set igmp qri 50 vlan orange success change acceptedSyntax set igmp receiver port port-listenable disable See Also „ display igmp querier onDefaults The default robustness value for all VLANs is Set igmp rvOccurs on the network VLAN, MSS changes the robustness value for all VLANsSecurity ACL Commands Security ACLSyntax clear security acl acl-name all editbuffer-index Clear security acl map Syntax clear security acl map acl-nameall vlan vlan-id WX4400# clear security acl map all success change accepted Syntax commit security acl acl-nameallWX4400# display security acl WX4400# commit security acl allSyntax display security acl editbuffer WX4400# display security acl editbuffer Syntax display security acl hitsWX4400# display security acl hits See Also „ hit-sample-rateon „ set security acl onSyntax display security acl info acl-nameall editbuffer Display security acl MapSecurity ACL is assigned Syntax display security acl map acl-nameResource-usage ACL acl111 is mappedSupport for your Product on WX4400# display security acl map acl111WX4400# display security acl resource-usage Output of display security acl resource-usage Output of display security acl resource-usage Packets filtered by the security ACL or hits Hit-sample-rateSyntax hit-sample-rate seconds Syntax rollback security acl acl-nameall Set security acl Protocol, or IP, ICMP, TCP, or UDP packet informationBy TCP packets By Icmp packetsBy UDP packets „ ip „ tcp „ udp „ icmp Set security acl Security ACL Commands WX4400# commit security acl all configuration accepted WX4400# set security acl ip acl123 deny 192.168.2.11Defaults None Set security acl map Security ACL Commands To locate commands in this chapter based on their use Cryptography Commands by UsageSyntax crypto ca-certificate admin eap webaaa Syntax crypto certificate admin eap webaaa See Also „ display crypto ca-certificateonExamples The following command installs a certificate WX4400# crypto generate key admin 1024 key pair generated Syntax crypto generate key admin eap ssh webaaa 512 1024See Also display crypto key ssh on Syntax crypto generate request admin eap webaaa WX4400# crypto generate request admin Email Address admin@example.comSyntax crypto generate self-signed admin eap webaaa See Also „ crypto certificate on „ crypto generate key onWX4400# crypto generate self-signed admin Crypto otp Crypto pkcs12 „ crypto pkcs12 onSee Also „ crypto otp on Display crypto Ca-certificatePkcs #7 certificate Display crypto ca-certificate OutputOn the WX switch Syntax display crypto certificate admin eap webaaaCertificate Describes the fields of the displaySee Also crypto generate key on Syntax display crypto key sshCryptography Commands Locate commands in this chapter based on their uses Radius Commands by UsageClear radius See Also „ display aaa on „ set radius client system-ipon WX4400# clear radius timeout success change acceptedSyntax clear radius client system-ip See Also „ display aaa on „ set radius server on Syntax clear radius server server-nameWX4400# clear radius server rs42 success change accepted Syntax clear server group group-nameload-balanceSet radius „ set server group onSystem-ip Set radius client„ clear radius server on WX4400# set radius client system-ip success change accepted Radius and Server Group Commands Syntax set server group group-namemembers server-name1 Load-balance group „ group-name- Server group name of up to 32 charactersSet server group load-balance Radius and Server Group Commands On the switch Commands on802.1X Commands by Usage PerformanceWhich disables the feature Examples To reset the Bonded period to its default, typeClear dot1x Bonded-periodSee Also „ display dot1x on „ set dot1x bonded-periodon Port-control„ set dot1x max-reqon „ set dot1x port-controlon Quiet-periodSee Also „ display dot1x on „ set dot1x quiet-periodon Reauth-max Reauth-period„ set dot1x reauth-maxon See Also „ display dot1x on „ set dot1x reauth-periodonDefaults The default is 30 seconds Authentication server, type the following commandAuth-server Before the WX times out a request to a Radius server„ set dot1x timeout supplicant on Tx-periodDisplay dot1x „ set dot1x tx-periodonWX1200# display dot1x config WX4400# display dot1x clientsExplains the counters in the display dot1x stats output Type the following command to display 802.1X statisticsWX4400# display dot1x stats Set dot1x Port-control commandAuthcontrol Authentication is enabled Examples To enable per-port 802.1X authentication on wiredAuthentication ports, type the following command Machine to start reauthentication for the userSyntax set dot1x key-tx enable disable WX4400# set dot1x key-tx enableSee Also „ display dot1x on „ clear dot1x bonded-periodon WX4400# set dot1x bonded-period 60 success change acceptedSet dot1x max-req „ clear dot1x max-reqonSee Also „ display port status on „ display dot1x on To a supplicant after a failed authenticationSyntax set dot1x quiet-period seconds Syntax set dot1x reauth enable disable Attempts reauthentication Before the supplicant client becomes unauthorizedSee Also „ display dot1x on „ clear dot1x reauth-maxon Syntax set dot1x reauth-max number-of-attemptsSet dot1x timeout Out a request to a Radius authentication serverOut an authentication session with a supplicant client SupplicantSee Also „ display dot1x on „ clear dot1x tx-periodon Syntax set dot1x tx-period secondsWep-rekey Wep-rekey-periodSee Also „ display dot1x on „ set dot1x wep-rekeyon Clear sessions Telnet sessionsVLANs, or session ID NetworkUsers To clear session 9, type the following command WX4400# clear sessions network mac-addrWX1200# clear sessions network session-id WX1200# clear sessions network user NatashaDisplay sessions WX4400 display sessions console WX4400 display sessions adminWX4400 display sessions telnet See Also „ clear sessions on Display sessions telnet client OutputSyntax display sessions network „ Summary display See on „ Verbose display See on „ display sessions network session-id display See onWX1200# display sessions network WX1200# display sessions network mac-addr 00055d7e981aWX1200# display sessions network verbose WX1200# display sessions network session-idDisplay sessions network summary Output Additional display sessions network verbose OutputTime 802.1X protocol on a wired authentication port Display sessions network session-id OutputSee Also „ clear sessions network on Session Management Commands RF Detection Commands Countermeasures mac command Rfdetect countermeasures mac commandsClear rfdetect CountermeasuresIgnore Syntax clear rfdetect ignore mac-addrDisplay rfdetect Mobility DomainDomain Syntax display rfdetect countermeasuresRadios as well as by third-party access points Syntax display rfdetect dataDisplay rfdetect data Output WX1200# display rfdetect dataDisplay rfdetect data command on that switch Radios, use the display rfdetect data commandIgnore list „ clear rfdetect ignore onDisplay rfdetect mobility-domain Output WX1200# display rfdetect mobility-domainThird-party access points „ mac-addr- Base MAC address of the 3Com radioTo display the base MAC address of a 3Com radio, use Display neighboring BSSIDsWX1200# display rfdetect visible 000b0e000a6a Display rfdetect visible OutputWX1200# display rfdetect Visible ap Radio Active-scan Set rfdetectSet rf detect Starts countermeasures against a specific rogue Set rfdetect countermeasures macSyntax set rfdetect countermeasures mac mac-addr Syntax set rfdetect ignore mac-addr Detected or when they disappear Syntax set rfdetect log enable disableSet rfdetect log See Also „ display log buffer onFile Management Commands Backup Defaults AllTape archive tar format HistorySyntax clear boot config Output for backupDescribes the fields in the dir output „ reset system on CopyWX4400# copy floorwx tftp//10.1.1.1/floorwx File or the running configuration DeleteImmediately deletes the specified file Syntax delete urlDir WX4400# delete dang/dangdoc success file deletedFollowing command displays the files in the old subdirectory Display boot Boot„ copy on Output for dirDisplay config Describes the fields in the display boot outputDisplays the configuration running on the WX switch „ area area Configuration area. You can specify oneSee Also „ load config on WX4400# display config area vlanAnd, optionally, for any attached MAP access points „ save config onDisplay version Describes the fields in the display version output Output for display versionRunning configuration with the commands in the loaded file Load configSyntax load config url Mkdir Following command loads configuration file testconfig1Creates a new subdirectory in nonvolatile storage „ dir on „ rmdir on Reset system Restarts an WX switch and reboots the softwareSyntax reset system force WX4400# reset systemKey pairs and certificates on the switch RestoreOr restoring an archive Save config „ backup onRmdir „ dir on „ mkdir onSet boot Configuration-fileConfiguration Testconfig1Syntax set boot partition boot0 boot1 File Management Commands Deletes the log messages stored in the trace buffer Clear log traceSyntax clear log trace Clear trace Deletes running trace commands and ends trace processes„ set log on WX switch, or all possible trace options Display traceSyntax display trace all WX4400# display traceSave trace AuthenticationSet trace Authorization About user jose’s authenticationTraces authorization information Authorization for MAC addressSet trace dot1x See Also „ clear trace on „ display trace onSet trace sm Syntax set trace sm mac-addr mac-address port port-numTrace Commands Clear log Syntax clear log buffer server ip-addrSee Also „ clear log trace on WX4400# clear log buffer success change acceptedLog buffer facility ? You can view event messages archived in the bufferWX4400# display log buffer facility AAA „ display log config on Log config„ clear log on „ set log on „ clear log onSyntax display log trace +-/number-of-messages Set log „ enable Enables messages to the specified target „ Logging state enabled or disabled„ trace Sets log parameters for trace files Set log trace MbytesSee Also „ display log config on WX4400# set log trace mbytes 4 success change acceptedSystem LOG Commands Boot Prompt Commands Boot PromptAutoboot Boot „ BT=type Boot type„ DEV=device Location of the system image file „ FN=filename System image filename„ change on „ display on Change Syntax changeCreate Syntax createUsage When you type the delete command, the next-lower Examples To remove the currently active boot profile, typeProfiles, see display on Syntax deleteDiag Syntax diagSyntax display Defaults None „ fver on „ version onOutput of display command „ change on „ create on „ delete on „ next onFver For an individual command „ command-name- Boot prompt commandDisplays a list of the boot prompt commands „ ls onSyntax next Defaults None NextReset Resets a WX switch’s hardwareSyntax reset Command at the boot prompt„ on Enables the poweron test flag „ OFF Disables the poweron test flagDefaults The poweron test flag is disabled by default TestSyntax version Defaults None Dir or fver commandType the following command at the boot prompt Boot version„ dir on „ fver on Boot Prompt Commands Services Register YourProduct PurchaseAccess Software TroubleshootOnline DownloadsNeed to apply for a user name and password Contact UsCountry Telephone Number Latsupportanc@3com.comIndex Delete 474, 515 diag Dir 475, 516 disable 33 display Index Index Index Index