Manuals / 3Com / Computer Equipment / Switch

3Com WX1200 3CRWX120695A, WXR100 3CRWXR10095A, WX4400 3CRWX440095A manual Setting Security ACLs

Models: WX1200 3CRWX120695A WX4400 3CRWX440095A WXR100 3CRWXR10095A WX2200 3CRWX220095A

1 728

Download 728 pages 48.88 Kb

Page 378

378CHAPTER 19: CONFIGURING AND MANAGING SECURITY ACLS

Figure 29 Setting Security ACLs

ACLs in edit buffer

Commited ACLs

null

null

ACLs mapped	ACLs mapped to ports,
to users	VLANs, and virtual ports

Security ACL Filters A security ACL filters packets to restrict or permit network traffic. These filters can then be mapped by name to authenticated users, ports, VLANs, virtual ports, or Distributed MAPs. You can also assign a class-of-service (CoS) level that marks the packets matching the filter for priority handling.

A security ACL contains an ordered list of rules called access control entries (ACEs), which specify how to handle packets. An ACE contains an action that can deny the traffic, permit the traffic, or permit the traffic and apply to it a specific CoS level of packet handling. The filter can include source and destination IP address information along with other Layer 3 and Layer 4 parameters. Action is taken only if the packet matches the filter.

Image 378

3Com WX1200 3CRWX120695A, WXR100 3CRWXR10095A, WX4400 3CRWX440095A, WX2200 3CRWX220095A manual Setting Security ACLs

Contents

Wireless LAN Mobility System 3Com Corporation 350 Campus Drive Marlborough, MA USA United States Government LegendContents Configuring AAA for Administrative and Local Access Managing User PasswordsConfiguring and Managing Ports and Vlans Configuring and Managing IP Interfaces and ServicesDisplaying Password Information 108 Configuring Snmp Configuring and Managing Mobility Domain RoamingConfiguring Network Domains Configuring MAP Access PointsMAP Overview Country of Operation 179 Configuring RF Load Balancing for Maps RF Load Balancing Overview 267268 Configuring Wlan Mesh Services Configuring User EncryptionConfiguring RF AUTO-TUNING Configuring Maps to be Aeroscout ListenersConfiguring Quality of Service Configuring and Managing Spanning Tree Protocol Configuring and Managing Igmp Snooping Configuring and Managing Security Acls380 414 Why Use Keys and Certificates? 413Managing Keys and Certificates 416460 Configuring AAA for Network Users475 Using an ACL Other Than portalacl 479503 494 Clearing a Security ACL from a User or Group 495496 514Configuring Communication with Radius Managing 802.1X on the WX SwitchConfiguring Soda Endpoint Security for a WX Switch Managing SessionsRogue Detection and Countermeasures Troubleshooting a WX Switch 631 Using the Trace CommandManaging System Files Enabling and Logging Into WEB View Traffic Ports Used by MSS Glossary Index Command IndexSupported Radius Attributes Obtaining Support for Your 3COM ProductsConventions List conventions that are used throughout this guideIcon Description Documentation Including new features and bug fixes3WXM for advanced configuration and management This manual uses the following text and syntax conventionsComments Pddtechpubscomments@3com.comAbout this Guide Overview To configure and manage the switch and its attached MAPsOverwrite a parameter with another set command. Use display Network operationsCase-insensitive Text EntryConventions Alphanumeric characters, except for tabs and spaces, and isMAC Address Notation IP Address and Mask NotationUser Globs User GlobsUser Glob Users Designated MAC Address Globs Vlan GlobsMatching Order for Globs WX1200# set port enableWX1200# reset port WX1200# display port poe 1,2,4,6Operating systems Command-LineEditing CLI Keyboard ShortcutsAt your access level, type the following command Using CLI HelpCommands that begin with those characters. For example Wildcard CharactersWX1200# display i? WX1200# display ip ?WX1200# display ip telnet Set ap Understanding Command DescriptionsSet ap name command has the following complete syntax Set ap apnumber auto securityMethods Switches„ CLI quickstart command „ Web Quick Start WXR100, WX1200, and WX2200WX Setup Methods How a WX Switch Gets its ConfigurationWX2200 Only Accessing the Web To access the Web Quick Start Quick StartWX Setup Methods Web Quick Start WXR100, WX1200 and WX2200 Only CLI quickstart Set enablepass command WX Setup Methods Single-Switch Deployment Verify the configuration changes Remote WX Start 3WXM by doing one of the following Select File Switch Network PlanTo open the network plan „ On Linux systems, change directories to3Com Mobility System Software MSS supports authentication Here is an overview of configuration topicsOperation Configuring AAA for Administrative and Local Access Building Before You Start AdministrativeAccess AboutFirst-Time Configuration viaAdministrator ConsoleWX1200# set enablepass PasswordSetting the WX Enable Password for the First Time WX1200# save config3WXM Enable Password WX1200# set authentication console * localWX1200# set authentication console * none Configuring AAA for Administrative and Local Access Configuring Configuring AAA for Administrative and Local Access Displaying the AAA Configday. To do this, type the following commandConfiguration, all changes are lost SavingAdministrative AAA ScenariosRadius Administrative AAA Configuration Scenarios Success configuration saved Passwords, and how to display password information Restrictions apply to user passwordsWX# set user Jose password spRin9 Configuring PasswordsSet user username password encrypted password Clear user usernameWX# set authentication password-restrict enable Setting the Maximum Number of Login AttemptsSet authentication password-restrict enable disable Set authentication max-attempts numberPassword Length Configuring Password Expiration Time Clear user username lockout WX# clear user Nin lockoutWX# display aaa Configuring Managing PortsPort Type Parameter MAP Access Wired Authentication Network VlanSetting a Port for a Directly Connected MAP Maximum MAPs Supported Per SwitchConfiguring a MAP Connection WX1200# set port type wired-auth 7 success change accepted Setting a Port for a Wired Authentication UserSwitch Model Valid Range Valid dap-num ValuesClearing a Port Name Setting a Port Name Clearing a Distributed MAPRemoving a Port Name Set port media-type port-listrj45 Clear port media-type port-listDisplay port media-type port-list Parameters 10/100 Ports-Autonegotiation and Port SpeedSet port speed port-list10 100 auto Disabling or Reenabling Power over Ethernet Gigabit Ports Autonegotiation and Flow ControlDisabling or Reenabling a Port Resetting a Port To reset a port, use the following commandDisplaying Port Configuration and Status To display port statistics, use the following command Displaying PoE StateDisplaying Port Statistics Monitoring Port Statistics Clearing Statistics CountersCounters begin incrementing again, starting from Clear port countersKey Effect on monitor display Use the keys listed in to control the monitor displayKey Controls for Monitor Port Counters Display WX1200# monitor port countersGroups can participate in a port group Configuring a Port GroupTo configure a port group, use the following command Load SharingRemoving a Port Group To remove a port group, use the following commandWX1200# display vlan config Clear port-group name nameDisplay port-group name group-name Displaying Port Group InformationInteroperating with Cisco Systems EtherChannel WX1200# display port-group name server2VLANs, IP Subnets, and IP Addressing Users and VLANsVlan Names Roaming and VLANsTraffic Forwarding 802.1Q TaggingTunnel Affinity To create a VLAN, use the following command Creating a VlanSet vlan vlan-numname name You can specify a tag value from 1 through To add a port to a VLAN, use the following commandAdding Ports to a Vlan WX1200# set vlan 2 name redSpecify a value from 1 through 10. The default is To completely remove Vlan ecru, type the following commandTo change the tunneling affinity, use the following command Removing an Entire Vlan or a Vlan PortDisplay security l2-restrict vlan vlan-idall Security l2-restrict Display vlan config vlan-idWX1200# display vlan config burgundy Clear security l2-restrict counters vlan vlan-idallForwarding DatabasePort associated with the MAC address Displaying Information Displaying the Size of the Forwarding DatabaseDisplaying Forwarding Database Entries WX1200# display fdb Adding an Entry to the Forwarding DatabaseRemoving Entries from the Forwarding Database WX1200# clear fdb dynamic success change acceptedDisplaying the Aging Timeout Period Changing the Aging Timeout PeriodConfiguration change. Type the following commands Port and VlanScenario WX1200# set port type ap 2-4 model ap2750 poe enable Port statusWX1200# display port poe WX1200# set vlan default port Save the configuration. Type the following commandSet port type wired-auth 5,6 Display Port statusMTU Support To add an IP interface to a VLAN, use the following command Configuring Managing IP InterfacesStatically Configuring an IP Interface Adding an IP InterfaceConfiguring and Managing IP Interfaces Set interface vlan-idip dhcp-client enable disable WX1200# set interface corpvlan ip dhcp-client enableWX1200# display interface To remove an IP interface, use the following command Disabling or Reenabling an IP InterfaceDisplaying IP Configuring the System IP Address To display the system IP address, use the following commandTo clear the system IP address, use the following command Configuring and Managing IP Routes Display ip route destination WX1200# display ip routeWX1200# display ip route To remove a static route, use the following command Set ip ssh server enable disable Managing Management ServicesLogin Timeouts Managing SSHYou can verify the key using the following command For exampleAdding an SSH User These commands display and clear SSH server sessions Changing the SSH Service Port NumberUse the following commands to manage SSH server sessions Managing SSH Server SessionsEnabling Telnet Telnet Login TimersSet ip telnet server enable disable Adding a Telnet UserUse the following commands to manage Telnet server sessions Changing the Telnet Service Port NumberResetting the Telnet Service Port Number to Its Default Displaying Telnet StatusManaging Https Enabling Https Displaying Https InformationSet system idle-timeout seconds Clear system idle-timeoutSessions To specify a Motd banner, use the following command Following command sets the Motd banner on the WXPrompting the User to Acknowledge the Motd Banner Adding a DNS Server To add a DNS server, use the following commandTo remove a DNS server, use the following command Removing a DNS ServerRemoving the Default Domain Name Adding the Default Domain NameTo add the default domain name, use the following command Specify a domain name of up to 64 alphanumeric charactersClear ip alias name Here is an exampleSet ip alias name ip-addr Display ip alias nameManaging Time ParametersDaylight savings time or similar summertime period Displaying the Time Zone To display the time zone, use the following commandTo clear the time zone, use the following command Clearing the Time ZoneDisplaying the Summertime Period To display the summertime period, use the following commandTo clear the summertime period, use the following command Clearing the Summertime PeriodWX1200# set timedate date feb 29 2004 time 235800 Statically Configuring System Time DateSet timedate date mmm dd yyyy time hhmmss Display timedateNTP client is disabled by default To remove an NTP server, use the following commandResetting the Update Interval to Default To display NTP information, use the following commandDisplaying NTP Information Permanent entries to the ARP table Managing the ARPIP address to the ARP table EntriesSet arp permanent static dynamic ip-addrmac-addr Set arp agingtime secondsWX1200# set arp agingtime Logging In to a Pinging AnotherDevice Remote DeviceTracing a Route WX1200# traceroute server1 IP Interfaces Time and date parametersWX1200# set ip dns enable WX1200# Set ip Dns ServerIp dns Sun Feb 29 2004, 235902 PST Configuring and Managing IP Interfaces and Services Authentication options, and encryption options „ SNMPv3-SNMPv3 adds authentication and encryption optionsUSM users, with individually configurable access levels All Snmp versions are disabled by defaultSet snmp protocol v1 v2c usm all enable disable To enable an Snmp protocol, use the following commandConfiguring Community Strings SNMPv1 SNMPv2c Only Set system location string set system contact stringClear snmp community name comm-string To create a USM user for SNMPv3, use the following commandTo clear a USM user, use the following command Clear snmp usm usm-usernameConfiguring Snmp Command Examples To clear a notification profile, use the following command WX1200# set snmp security encrypted success change acceptedClear snmp notify profile profile-name ClientRoamingTraps-Generated when a client roams Configuring Snmp Command Examples Configuring Snmp To clear a notification target, use the following command Security unsecured authenticated encryptedClear snmp notify target target-num Command Examples To display USM settings, use the following command To enable the MSS Snmp service, use the following commandFollowing command enables the Snmp service InformationDisplay snmp notify target To display notification profiles, use the following commandDisplay snmp notify profile Display snmp countersMobility Domain Roaming Set mobility-domain mode seed domain-name mob-domain-name Configuring aConfiguring the System IP Address on Mobility DomainSet mobility-domain mode member seed-ip ip-addr Set mobility-domain member ip-addrOn the other member switches in the Mobility Domain On the primary seedOn the secondary seed Domain Status display mobility-domain command. For example Displaying Mobility Domain ConfigurationSwitch WX-WX Security A Mobility MonitoringVLANs and Tunnels DomainWX1200# display roaming vlan WX1200# display tunnelUnderstanding Sessions Roaming Users WX1200 display sessions network verbose VlanWX1200# set mobility-domain member seed-ip Mobility-domainVlan-wep 192.168.12.7 192.168.15.5 Domains Network Domain How a user connects to a remote Vlan in a Network Domain Configuring a WX Switch’s affinity for a Network Domain seed Set network-domain mode seed domain-name net-domain-name Network DomainSet network-domain mode member seed-ip ip-addraffinity num Set network-domain peer ip-addrSet network-domain mode member seed-ip ip-addraffinity num WX4400# display network-domain Clear network-domain WX Switch following commandClear network-domain mode seed member Clear network-domain seed-ip ip-addrConfiguring Network Domains WX1200# display network-domain Upseed Upmember 30.30.30.1 MAP Overview Through radio signals„ Two direct connections to a single WX or two WX switches Combinations of multiple connectionsExample 3Com Network MAP Overview Distributed MAP Network Requirements Distributed MAPs and STP No configuration is required on the WX Distributed MAPs and Dhcp OptionMAP Parameters Resiliency and Dual-Homing Options for MAPs Dual-Homed Configuration Examples Dual-Homed Direct Connections to a Single WXDual-Homed Direct and Distributed Connections to WX Switches Network Backbone WX switch Establishing Connectivity on the Network How a Distributed MAP Obtains an IP Address through DhcpStatic IP Address Configuration for Distributed MAPs DNS server replies with the system IP address of a WX switch Configuring MAP Access Points MAP Overview Configuring MAP Access Points MAP Boot Examples MAP Booting over Layer 2 Network MAP Overview MAP Booting over Layer 3 Network MAP sends Dhcp Discover message from the MAP’s portMAP sends a unicast Find WX message to WX1 Dual-Homed MAP Booting MAP Booting with a Static IP Address MAP sends a Dhcp Discover message from the MAP’s portDefaults for Service Profile Parameters Auth-dot1x EnableCipher-ccmp Disable Auth-psk DisableBeacon Enable Cipher-tkip EnableSet radio-profile auth-psk command No-broadcast DisableProxy-arp Disable Soda DisableUser-idle-timeout 180 12.0,24.0Web-portal-form TimeoutWeb-portal Web-portal-sessionMAC Address Allocations on MAPs Public and Private SSIDsEach radio can support the following types of SSIDs Model Address AllocationAP7250 Radios AP2750SSIDs AP8250Encryption Defaults for Radio Profile ParametersNot configured Beacon-interval 100Service-profile Parameter Default Value Frag-threshold 2346Rfid-mode Disable Max-rx-lifetime 2000Lists the defaults for these parameters RF Auto-TuningDefault Radio Profile Radio-Specific ParametersMode Disable Parameter Default Value Description AntennatypeMax-power ANT-5360-OUTTo specify the country, use the following command You specify the country of operationSet system countrycode code Country Codes Country Codes Country Codes CountryCode WX switch can have one Auto-AP profile How an Unconfigured MAP Finds a WX To Configure ItConfigured MAPs Have Precedence Over Unconfigured MAPs Example WX1200 MAP Capacities and LoadsWX1200 a WX1200 B Configuring an Auto-AP Profile WX1200# set ap auto success change acceptedConfigurable Profile Parameters for Distributed MAPs WX# set ap auto mode enable success change accepted MAP ParametersRadio Parameters WX# display ap status auto Set ap auto persistent apnumber allConfiguring a MAP Auto-AP profile is not used to configure the MAP. Instead,MAP configuration persistent across switch restarts Configure the MAP using the following commandConfiguring Static IP Addresses on Distributed MAPs Success change accepted Changing MAP Names Clearing a MAP from the ConfigurationTo clear a MAP, use the following command Changing BiasForcing a MAP To Download its Operational Image from the WX Disabling or Reenabling Automatic Firmware UpgradesSet ap apnumber upgrade-firmware enable disable WX# set ap 1 bias low success change acceptedEnabling LED Blink Mode Set ap apnumber blink enable disableEncryption Key Fingerprint Encryption OptionsVerifying a MAP Fingerprint on a WX Switch MAP Can EstablishWX# display ap status Setting the MAP Security Requirement on a WX Set ap security require optional noneWX# set ap security require Fingerprint Log Message Creating a Service ProfileSet service-profile name ssid-name ssid-name An Ssid can be up to 32 alphanumeric characters longDisabling or Reenabling Encryption for an Ssid Removing a Service ProfileChanging a Service Profile Setting Disabling or Reenabling Beaconing of an SsidTo change the fallthru method, use the following command SSIDs are beaconed by defaultChanging the Fallthru Authentication Type Lists the rate settings and their defaults11g-1.0,2.0,5.5,11.0 Transmit Rates11b-1.0,2.0 Beacon-rateEnforcing the Data Rates Transmit RatesWX# set radio-profile rp1 rate-enforcement mode enable WX# set radio-profile rp1 service-profile sp1Disabling Idle-Client Probing Changing the User Idle Timeout Threshold can be a value from 1 through 15. The default isChanging the Short Retry Threshold Set service-profile name long-retry threshold Changing the Long Retry ThresholdTo create a radio profile, use the following command Creating a New ProfileChanging Radio Parameters To change the Dtim interval, use the following command Set radio-profile name dtim-interval intervalSet radio-profile name frag-threshold threshold To change the RTS threshold, use the following commandSet radio-profile name rts-threshold threshold Set radio-profile name max-rx-lifetime timeSet radio-profile name max-tx-lifetime time Resetting a Radio Profile Parameter to its Default Value To remove a radio profile, use the following commandRemoving a Radio Profile Configuring the Channel and Transmit Power Configuring the External Antenna Model and Location Model Type Gain dBi DescriptionMP-620 External Antenna Models Specifying the External Antenna ModelMP-341, MP-352, MP-262 External Antenna Models Beamwidth Model Type Horizontal VerticalProfiles Set radio-profile name service-profile nameSpecifying the External Antenna Location Assigning a Radio Profile and Enabling RadiosDisabling or Reenabling RadiosClear ap apnumber radio 1 2 all To restart a MAP, use the following commandReset ap apnumber WX1200# clear ap 3 radioConfiguring MAP Access Points Configuring a Vlan Profile Enabling Local Switching on a MAPSet ap apnumber local-switching mode enable disable Applying a Vlan Profile to a MAP Set ap apnumber local-switching vlan-profile profile-nameClear ap ap-numberlocal-switching vlan-profile Clearing the Vlan Profile from a MAPClear vlan-profile profile-namevlan vlan-name Removing a Vlan Profile from the WX SwitchTo remove Vlan profile locals, type the following command WX# clear vlan-profile locals vlan redWX1200# display ap config Displaying MAP Configuration InformationDisplay ap config apnumber radio 1 Displaying MAP InformationDisplaying Connection Information for Distributed MAPs Display ap global apnumber serial-id serial-IDWX4400# display ap global Displaying a List Distributed MAPs That Are Not Configured ConnectionInformation for Display service-profile name ? WX# display service-profile sp1Display radio-profile name ? WX# display radio-profile defaultDisplaying MAP Display ap status terse apnumber all radio 1Following command displays the status of a Distributed MAP Displaying Static IPDisplay ap counters apnumber radio 1 WX# display ap countersFollowing command displays ARP entries for AP Displaying Vlan Profile InformationDisplaying the ARP Table for a MAP Following command displays FDB entries for AP Displaying Forwarding Database For a MAPDisplay ap acl hits ap-number WX# display ap acl hitsDisplay ap acl map ap-number WX# display ap acl map Configuring RF Load Configuring RF Load Balancing Set load-balancing mode enable disableDisabling or Re-Enabling RF Load Balancing Clear ap apnumber radio radio-numload-balancing group Set band-preference none 11bg 11aSet load-balancing strictness low med high max Radios in the same load-balancing group as ap2/radio1 Displaying RF Load Balancing InformationExempting an Ssid From RF Load Balancing WX# display load-balancing group ap 2 radioConfiguring RF Load Balancing for Maps Services Configuring Wlan Mesh ServicesUse the following command to specify the pre-shared key Set ap num boot-configuration mesh mode enable disableSet ap num boot-configuration mesh ssid mesh-ssid Mesh Services following commands Set ap num radio num link-calibration mode enable disable Wireless Bridging Following illustrationWX# display ap status terse Total number of entries Rfid Reports Inactive Antenna Link Calibration EnabledDisplaying Wlan AP, m = mesh AP = mesh portalBssid1 000b0efdfdcd, ssid mesh-ssid mesh „ WPA2 Robust Security Network Encryption settings are configured in the service profileThen authorized to join a Vlan 802.11i standardWireless Encryption Defaults Configuration RequiredEncryption Type Client Support Default State MSS Default Encryption Configuring User Encryption WPA Encryption with Tkip Only WPA Encryption with Tkip and WEP Configuring WPA Configuring User Encryption Configuring WPA Lists the encryption support for WPA and non-WPA clients Encryption Support for WPA and Non-WPA ClientsCreating a Service Profile for WPA Enabling WPASpecifying the WPA Cipher Suites Set service-profile name tkip-mc-time wait-time Changing the Tkip Countermeasures Timer ValueEnabling PSK Authentication Set service-profile name auth-psk enable disableSet service-profile name psk-raw hex Set service-profile name auth-dot1x enable disableDisplaying WPA Settings WPA settings appear at the bottom of the outputWX1200# display service-profile sp1 Set radio-profile name service-profile name WX1200# set service-profile rsn success change accepted Set service-profile name rsn-ie enable disableCcmp Assigning the Service Profile to Radios Enabling the Radios RSN settings appear at the bottom of the outputConfiguring WEP Encryption for Dynamic and Static WEP To set the value of a WEP key, use the following command Traffic, use the following commandsSet service-profile name wep key-index num key value Encryption Configuration Scenarios TkipEncryption Configuration Scenarios WX1200# set service-profile wpa-wep success change accepted 305 Clients WX1200# display aaa Default Values WX1200# display service-profile sp1 Save the configuration. Type the following command Configuring User Encryption Disabled for power configuration RF Auto-Tuning can perform the following tasksPower setting if needed RF Auto-TuningHow Channels Are Selected Power Tuning Channel TuningTuning the Transmit Data Rate Defaults for RF Auto-Tuning ParametersDefaults for RF Auto-Tuning Parameters RF Auto-Tuning SettingsChanging Changing the Channel Holddown Interval Changing the Channel Tuning IntervalEnabling Power Tuning Set radio-profile name auto-tune channel-interval secondsChanging the Maximum Default Power Allowed On a Radio Tuned SettingsChanging the Power Tuning Interval Channel or set ap dap radio tx-power command for each radioRadios in radio profile rp2 Displaying RF Auto-Tuning SettingsDisplaying Values of RF attributesWX# display ap config 2 radio WX# display ap configCommands Display auto-tune Neighbors ap 2 radioWX1200# display auto-tune attributes ap 2 radio Configuring RF AUTO-TUNING Aeroscout Listeners Configuring MAP Radios to Listen for AeroScout Rfid Tags Using an AeroScout Engine StatusSelect Locate AeroScout Tag About QoS MSS and how to configure and manage themOptimized forwarding of wireless traffic for time-sensitive QoS ParametersSet service-profile cac-mode QoS Parameters Keepalives and timeouts for clients set service-profile QoS Feature Description Configuration CommandSet service-profile proxy-arp Set service-profile idle-client-probingOn page 332 shows how WX switches classify ingress traffic QoS on WX Switches-Classification of Ingress Packets QoS on WX Switches-Marking of Egress Packets Configuring Quality of Service WMM QoS Mode WMM Priority Mappings WMM QoS on the WX SwitchService Forwarding Type IP ToSDefault CoS-to-MAP-Forwarding-Queue Mappings CoS MAP Forwarding QueueWMM QoS in a 3Com Network MAP B receives the packet and does the following SVP QoS Mode To configure CAC, see Configuring Call Admission Control onWMM QoS Mode Changing QoS Settings Set radio-profile name wmm-powersave enable disableSet radio-profile name qos-mode svp wmm Enabling CAC Set service-profile name cac-mode none sessionSet service-profile name cac-session max-sessions Changing the Maximum Number of Active SessionsSet service-profile name use-client-dscp enable disable To change CoS mappings, use the following commandsUsing the Client’s Dscp Value to Classify QoS Level Changing CoS MappingsProfile’s QoS Settings following command Displaying QoS InformationWX1200# display radio-profile rp1 This example, the QoS mode is WMM Displaying a ServiceQoS Mode Wmm WX# display service-profile sp1 cac session Displaying the Default CoS MappingsDisplay service-profile name cac session WX1200# display qos defaultDisplay qos dscp-to-cos-map dscp-value Displaying a DSCP-to-CoS MappingDisplaying a CoS-to-DSCP Mapping Display qos cos-to-dscp-map cos-valueDisplay ap qos-stats apnumber clear Displaying MAP Forwarding Queue StatisticsWX1200# display qos dscp-table WX# display ap qos-statsConfiguring Quality of Service All network ports as untagged members of the same Vlan Loop in the topology and blocks one or more redundant pathsTree protocol PVST+ Separate instance of PVST+ on each tagged VlanEnabling Spanning TreeProtocol Port Priority Snmp Port Path Cost DefaultsPort Speed Link Type Default Port Path Cost Set spantree priority value all vlan vlan-idResetting the STP Port Cost to the Default Value Changing the STP Port CostChanging the STP Port Priority WX1200# clear spantree portcost 3-4 success change acceptedResetting the STP Port Priority to the Default Value To change the forwarding delay, use the following command To change the hello interval, use the following commandChanging the STP Forwarding Delay Changing the STP Hello IntervalConvergence FeaturesManaging STP Fast Changing the STP Maximum AgeSet spantree portfast port port-listenable disable Displaying Port Fast Convergence Information Configuring Backbone Fast ConvergenceThis example, backbone fast convergence is enabled Displaying Backbone Fast Convergence StateDisplaying Spanning Tree Information Fast ConvergenceDisplaying Uplink Fast Convergence Information WX1200# display spantree vlan mauve Active optionDisplaying the STP Port Cost on a Vlan Basis Display spantree portvlancost port-listDisplay spantree statistics port-listvlan vlan-id WX1200# display spantree blockedports Vlan defaultDisplay spantree blockedports vlan vlan-id WX1200# display spantree statisticsInactive Counters again Enables STP on the Vlan to prevent loopsClearing STP Statistics Clear spantree statistics port-listvlan vlan-idWX1200# set vlan 10 name backbone port Set port enable Configuring and Managing Spanning Tree Protocol Disabling or Reenabling Igmp Snooping Traffic. Igmp snooping is enabled by defaultFeature on an individual Vlan basis IP address, the group addressReporting Changing Igmp TimersReenabling Proxy Pseudo-QuerierYou can specify a value from 2 through 255. The default is Changing Other-Querier Present IntervalChanging the Last Member Query Interval Set igmp mrsol enable disable vlan vlan-id Set igmp mrsol mrsi seconds vlan vlan-idDisplaying Multicast Configuration Information Statistics Displaying Multicast InformationDisplay igmp statistics vlan vlan-id Displaying Multicast Statistics OnlyClearing Multicast Statistics Clear igmp statistics vlan vlan-idDisplay igmp mrouter vlan vlan-id Display igmp querier vlan vlan-idDisplay igmp querier vlan orange WX1200# display igmp Mrouter vlan orangeIgmp receiver-table group 237.255.255.0/24 About Security Access Control ListsACL Commands Overview of SecuritySetting Security ACLs „ Vlan Traffic DirectionSecurity ACL CreatingCommitting a ACLWX1200# set security acl ip acl-1 permit 192.168.1.4 Set security acl ip acl-namepermit cos cos denyCommon IP Protocol Numbers Class of ServiceWildcard Masks Number ProtocolClass-of-Service CoS Packet Handling Common Icmp Message Types and Codes Icmp Message Type Number Icmp Message Code NumberSetting a TCP ACL Following command filters TCP packetsSetting a UDP ACL Following command filters UDP packetsCommit acl-99, type the following command WX1200# commit security acl acl-99 success change acceptedWX1200# commit security acl all success change accepted Viewing the Edit Buffer Viewing Committed Security ACLsViewing Security ACL Details Displaying Security ACL Hits WX1200# display security acl hitsMapping Security ACLsTo map a security ACL to a user session, follow these steps WX1200# commit security acl acl-222 success change acceptedDisplaying ACL Maps to Ports, VLANs, and Virtual Ports WX1200# display security acl map Acl-999Clearing a Security ACL Map WX1200# display security acl map acljoeModifying a Security ACL Modifying a Security ACL To view the results, type the following command WX1200# display security acl infoSet security acl ip acl-111 hits #4 ACL edit-buffer table WX1200# rollback security acl acl-111 Filtering Based on Using ACLs toChange CoS Dscp ValuesUsing the dscp Option Using the precedence and tos OptionsLegacy Voice over Following commands perform the same CoS reassignment asPrioritization for Are forwarded to any 10.10.90.x address on Distributed MAPConfiguring and Managing Security Acls Service VoIPWX4400# set security acl ip voip permit any Commit the ACL to the configuration Known LimitationsWX4400# commit security acl voip Configuring a Service Profile for RSN WPA2 Configuring a Service Profile for WPAConfiguring a Radio Profile Configuring a Vlan for Voice Clients Configuring an ACL to Prioritize Voice TrafficConfiguring and Managing Security Acls Forwarding Among RestrictingClient-To-Client IP-Only ClientsWX1200# commit security acl c2c Address, and how to map the ACL to a port and a userWX1200# set security acl ip c2c permit 0.0.0.0 WX1200# set security acl map c2c vlan vlan-1 OutTo save your configuration, type the following command Configuring and Managing Security Acls Certificates Managing Keys and Certificates About Keys and Certificates Managing Keys and Certificates Pkcs Object Files Supported by 3Com Generate key commandGenerate request command. Copy File Type Standard PurposeCertificates AutomaticallyGenerated by MSS Creating Keys and Certificates File Type Steps Required Instructions Self-signed Procedures for Creating and Validating CertificatesFor Your Network more complex to use CertificateCrypto generate key admin domain eap ssh web 128 512 1024 # crypto generate key admin 1024 admin key pair generatedCrypto generate self-signed admin eap web # crypto generate self-signed admin Country Name USCrypto otp admin eap web one-time-password To enter the one-time password, use the following commandFilename is the location of the file on the WX switch Crypto pkcs12 admin eap web filenameCrypto generate request admin eap web # crypto generate request admin Country Name USCrypto certificate admin eap web PEM-formatted # crypto ca-certificate admin Enter PEM-encoded certificate END Certificate# display crypto certificate admin Certificate Displaying Certificate and Key InformationObject files For SSH configuration information, see Managing SSH onKey and Certificate Generate self-signed certificatesWX1200# crypto generate self-signed web WX1200# display crypto certificate adminDisplay certificate information for verification WX1200# display crypto certificate eapWX1200# display crypto certificate web WX1200# crypto otp eap SeC%#6@o%d WX1200# crypto otp admin SeC%#6@o%cPkcs12 admin 2048admn.p12 WX1200# crypto otp web SeC%#6@o%eWX1200# crypto generate request admin CSR and a Pkcs #7 Object FileWX1200# crypto certificate admin WX1200# crypto ca-certificate adminWX1200# display crypto ca-certificate admin Authentication About AAA for Network UsersAuthentication Types MSS provides the following types of authenticationAuthentication Algorithm „ Web „ Last-resort „ NoneAuthentication Flowchart for Network Users Ssid Name Any Last-Resort ProcessingUser Credential Requirements Configuring AAA for Network Users About AAA for Network Users Configuring AAA for Network Users AAA Tools for Network UsersWildcard Any for Ssid Matching AAA Rollover Process Local Override ExceptionRemote Authentication with Local Backup Shows the results of this combination of methods EAP Authentication Protocols for Local Processing EAP Type Description UseThree Basic WX Approaches to EAP Authentication Approach DescriptionAuthentication Last-Resort WebAAA Effects Authentication Type On Encryption MethodEncryption Available to Various Authentication Methods EapConfiguring 802.1X Authentication Success change accepted Configuring 802.1X Authentication Authentication Rule Requirements Set dot1x bonded-period seconds To set the Bonded Auth period, use the following commandBonded Auth Period Clear dot1x bonded-periodDisplay dot1x config Bonded Auth Configuration ExampleDisplaying Bonded Auth Configuration Information WX1200# set dot1x bonded-period 60 success change acceptedWX1200# display dot1x config Authentication Authorization byMAC Address Clear mac-user mac-address Clearing MAC Users and GroupsClear mac-user mac-addrgroup WX1200# clear mac-user 010f03040506 success change acceptedFor a complete list of authorization attributes, see on For example, to add the MAC user 000102030405 to Vlan redSet radius server server-nameauthor-password password How WebAAA Portal Works Display of the Login WX Switch Requirements WebAAAConfiguring Web Portal WebAAA Configuring AAA for Network Users Portal ACL and User ACLs Network Requirements WX Switch Recommendations„ Configure the NIC to use Dhcp to obtain its IP address Client NIC RequirementsConfiguring Web To configure Web Portal WebAAA Web Portal WebAAA Configuration ExamplePortal WebAAA Display the service profile to verify the changes Configure individual WebAAA usersDisplay the configuration WX1200# display configDisplaying Session Information for Web Portal WebAAA Users Display sessions network user user-globWX4400# display sessions network ssid mycorp Configuring Web Portal WebAAA „ If the switch nonvolatile storage has a page in web named Copying and Modifying the Web LoginSave the modified Custom Login Page ScenarioMap a radio to the temporary radio profile and enable it Change the logoChange the greeting Change the warning statement if desiredURLs variables you can include in a redirect URL Variables for Redirect URLsValues for Literal Characters Add the last rule contained in portalacl Display security acl info acl-nameall editbufferSet service-profile name web-portal-acl aclname PeriodCommit security acl Set service-profile name web-portal-session-timeout seconds Last-Resort Access WX1200# display service-profile last-resort-srvcprof 481 Configuring AAA for Users of Third-Party APs Process for Users of a Third-Party APRequirements Third-Party AP Requirements Radius Server Requirements Set authentication mac wired mac-addr-glob method1 Set authentication proxy ssid ssid-nameuser-globSet radius proxy port port-listtag tag-valuessid WX4400# set authentication mac wired aabbcc010101 srvrgrp1 WX4400# set authentication proxy ssid mycorp ** srvrgrp1Authorization AssigningAttributes Authentication Attributes for Local Users Start-date,end-date, or both Idle-timeoutAttribute Description Valid Values End-date Filter-idAttribute Description Valid Values Service-type Session-timeoutSsid Attribute Description Valid Values Start-date Time-of-dayOr group in the local WX database and specify its value Attribute Description Valid Values UrlVlan-name Set service-profile name attr attribute-name value Commands for Assigning a Security ACL Locally Assigning a Security ACL LocallyAssigning a Security ACL on a Radius Server Assigning and Clearing Encryption Types Locally Encryption-Type Encryption Algorithm Value AssignedAssigning and Clearing Encryption Types on a Radius Server Encryption Type Values and Associated AlgorithmsLocation Policy After RoamingVlan Assignment After Roaming from One WX to Another Vlan Assigned ByOverriding or Configuring AAA for Network Users Set location policy deny if Set location policy permitWX1200# set location policy deny if user eq *.theirfirm.com Applying Security ACLs in a Location Policy Rule Displaying and Positioning Location Policy RulesWX1200 display location policy To delete a location policy rule, use the following commandClearing Location Policy Rules Disabling Clear location policy rule-numberUsers Wireless NetworkAccounting for Network resource usageWX1200# display accounting statistics User started on WX1200-0013User roamed to WX1200-0017 WX1200-0013#display accounting statisticsUser terminated the session on WX1200-0017 WX1200# display aaa WX switch and how to avoid them ProblemsConfiguration Order Avoiding AAAConfiguration Producing an Incorrect Processing Order Configuration for a Correct Processing OrderMobility Profile Name and identifying the accessible port or portsAccessing any MAP access ports, Distributed MAPs, or wired All of the ports or Distributed MAPsTo remove a Mobility Profile, type the following command WX1200# display mobility-profile Mobility ProfilesClear mobility-profile name Network User NamePorts ========================= Tulip WX1200# set radius server r1 address 10.1.1.1 key sunny Save the configurationWX1200# set user Natasha password moon WX1200# set server group sg1 members r1WX1200# set user Natasha attr vlan-name red WX1200# set user Natasha attr session-timeoutWX1200 save config WX1200# set radius server r1 address 10.1.1.1 key starrySave the configuration Redirect bldga-prof-VLAN users to the Vlan bldgb-eng WX1200# display location policyConfiguring AAA for Network Users With Radius Wireless Client, MAP, WX Switch, and Radius Servers Radius Servers „ Timeout WX wait for a server response 5 secondsBefore You Begin „ Transmission attemptsWX switch uses to authenticate itself to the Radius server Clear radius deadtime key retransmit timeoutWX1200# set radius client system-ip success change accepted Configuring Individual Radius ServersWX1200# clear radius deadtime success change accepted Set radius server server-nameaddress ip-address key stringRadius Server Radius servers, type the following command Ordering Server GroupsSet server group group-namemembers server-name1 Enable load balancing by typing the following command Configuring Load BalancingTo configure load balancing, use the following command Set server group group-nameload-balance enableSet server group group-namemembers To remove a server group, type the following commandAdding Members to a Server Group Clear server group group-nameConfigure Radius servers. Type the following commands Radius and ServerGroup Display the configuration. Type the following command Configuring Communication with Radius Ports On WiredManaging EnablingSet dot1x port-control Forceauth forceunauth auto port-list WX1200# clear dot1x port-control success change acceptedSet dot1x key-tx enable disable AuthenticationConfiguring Key Transmission Time Intervals Set dot1x tx-period secondsWX1200# clear dot1x tx-period success change accepted Setting EAP RetransmissionAttempts Set dot1x reauth enable disable Enabling Disabling ReauthenticationSetting the Maximum Number Reauthentication Attempts Set dot1x reauth-max number-of-attemptsSet dot1x reauth-period seconds Setting Reauthentication PeriodWX1200# clear dot1x reauth-max success change accepted WX1200# set dot1x reauth-periodClear dot1x max-req Set dot1x quiet-period secondsSet dot1x timeout auth-server seconds Setting Timeout for an Authorization ServerType the following command to reset the timeout period Set dot1x timeout supplicant secondsConfiguration Display dot1x clients stats configWX1200# display dot1x clients WX1200# display dot1x stats Managing 802.1X on the WX Switch About Soda Endpoint SecuritySoda Endpoint Security Support on WX Switches About Soda Endpoint Security Functionality tasks Configuring Soda Functionality Https//hostname/soda/ssid/xxx.html Install soda agent agent-fileagent-directory directory WX1200# install soda agent soda.ZIP agent-directory sp1WX1200# copy tftp//172.21.12.247/soda.ZIP soda.ZIP Enabling Soda Functionality for the Service Profile Set service-profile name soda mode enable disableSet service-profile name enforce-checks enable disable Set service-profile name soda success-page Clear service-profile name soda success-pageSet service-profile name soda failure-page Clear service-profile name soda failure-page Set service-profile name soda remediation-acl acl-nameClear service-profile name soda remediation-acl Set service-profile name soda logout-page Clear service-profile name soda logout-pageSet ip https server enable Clear service-profile name soda agent-directory Uninstalling the Soda Agent Files from the WX SwitchSet service-profile name soda agent-directory directory Uninstall soda agent agent-directory directoryWX1200# uninstall soda agent agent-directory sp1 Configuring Soda Endpoint Security for a WX Switch Displaying Clearing Administrative Sessions Display sessions admin console telnet clientClear sessions admin console telnet client session-id WX1200 display sessions admin Displaying Clearing All Administrative SessionsDisplaying Clearing an Administrative Console Session WX1200# clear sessions adminDisplaying Clearing Administrative Telnet Sessions Displaying Clearing Client Telnet SessionsWX1200 display sessions telnet Displaying Clearing Network Sessions Display sessions networkWX1200# display sessions network Network Session to get more in-depth information Clear sessions network user user-glob Displaying Clearing Network Sessions by UsernameWX1200# display sessions network user E WX1200# clear sessions network user BobAddress set of MAC addresses, type the following command For example, to clear all sessions for MAC addressClear sessions network vlan vlan-glob WX1200# clear sessions network vlan redWX1200 display session network session-id Session Timers Session-id commandChanging Network Changing or Disabling the User Idle Timeout To disable the user idle timeout, use the following commandAbout Rogues RF DetectionRogue Classification Rogue Detection Lists Rogue Detection Algorithm Dynamic Frequency Selection DFS Rogue Detection and Countermeasures Detection Features Summary of Rogue lists the rogue detection features in MSSRogue Detection Features Countermeasures Set rfdetect vendor-list client ap mac-addr Clear rfdetect vendor-list client ap mac-addrallSet rfdetect ssid-list ssid-name WX1200# display rfdetect ssid-list Total number of entriesClear rfdetect ssid-list ssid-name Set rfdetect black-list mac-addr To display the client black list, use the following commandFollowing example shows the client black list on WX switch Rfdetect Black-listSet rfdetect attack-list mac-addr To display the attack list, use the following commandFollowing example shows the attack list on a switch Rfdetect Attack-listSet rfdetect ignore mac-addr To display the ignore list, use the following commandMac-addris the Bssid of the device you want to ignore Clear rfdetect ignore mac-addrCountermeasures Enabling Countermeasures Enabling MAP Reenabling ActiveScan SignaturesWXR100desk# set rfdetect ? Creating an Encrypted RF Fingerprint Key as MAP SignatureSet rfdetect signature key encrypted keyvalue WXR100desk# set rfdetect signature ?Enabling Rogue Reenabling LoggingRogues NotificationsIDS and DoS Alerts Rogue Detection and Countermeasures Examples IDS and DoS Log MessagesMessage Type Example Log Message Client aabbccddeeff is sending rsvd mgmt frame D IDS and DoS Log Messages Displaying RF You can use the CLI commands listed in to display rogueRogue Detection Display Commands DetectionRogue Detection Display Commands Display rfdetect clients mac mac-addr WX# display rfdetect clientsDetection Counters command Display rfdetect countersWX1200# display rfdetect counters Displaying Ssid or Bssid Information for a Mobility Domain Display rfdetect mobility-domain ssid ssid-namebssidWX1200# display rfdetect mobility-domain Displaying RF Detection Information WX1200# display rfdetect data Displaying the APs Detected by MAP RadioDisplay rfdetect data WX1200# display rfdetect visible ap RadioDisplaying Countermeasures Information Display rfdetect countermeasuresWX# display rfdetect countermeasures Rogue Detection and Countermeasures About System Files Displaying SoftwareVersion Information To also display MAP information, type the following command WX# display versionWX# display version details To display boot information, type the following command BootWorking with Files Following command displays the files in the old subdirectory WX1200# dir fileWX1200# dir boot0 URL can be one of the followingWX1200# dir core „ boot0/filename „ boot1/filename WX1200# copy floor2wx tftp//10.1.1.1/floor2wxWX1200# copy tftp//10.1.1.107/wxb04102.rel boot1wxb04102.rel Md5 boot0 boot1filenameTo delete a file, use the following command WX1200# md5 boot0wxb04102.relDelete url To remove subdirectory corp2, type the following example WX1200# mkdir corp2 success change accepted. WX1200# dirWX1200# rmdir corp2 success change accepted Configuration Files RunningWX1200# display config area vlan Save config filenameLoad config url WX1200# save config newconfigSet boot configuration-file filename WX1200# load config newconfigBackup boot configuration Backup.cfg Set boot backup-configuration filenameWX1200# clear boot backup-config Clear boot configSystem Managing System Files WX1200# backup system tftp/10.10.20.9/sysabak critical Upgrading Switch forUpgrade System ImageUpgrading an Individual Switch Using the CLI Reset system forceWX1200# copy tftp//172.16.0.10/WX040101.20 boot1WX040100.20 Upgrade ScenarioWX1200# backup system tftp//172.16.0.10/sysabak WX1200# reset systemTroubleshooting a WX Setup Problems and Remedies WX Setup Problems and Remedies Type the save configSystem When RecoveringEnable Password Is LostComponents System LogLog Message LevelsSystem Log Destinations and Defaults Event Severity LevelsDisplay log buffer trace Clear log buffer traceClear log server ip-addr WX1200# display log buffer severity error Logging to the Log BufferSet log buffer severity severity-level To clear the buffer, type the following command To disable console logging, type the following commandLogging to the Console Logging Messages to a Syslog Server Setting Telnet Session DefaultsSet log sessions severity severity-levelenable For information on severity levels, see onTo disable trace logging, use the following command To disable session logging, use the following commandChanging the Current Telnet Session Defaults Logging to the Trace BufferDisplaying the Log Configuration Saving Trace Messages in a FileTracing Authentication Activity Using the TraceCommand Tracing Session Manager ActivityWX1200# display trace Tracing Authorization ActivityTracing 802.1X Sessions Clear trace all trace areaWX1200# display log trace severity error WX1200# display log trace facility WX1200# set trace ?For more information about Vlan interfaces, see Configuring Using displayCommands InterfacesDatabase FDB information, type the following command Requirements Configuring PortPort Mirroring MirroringRemotely Monitoring TrafficRemote Traffic MonitoringWX1200# set snoop snoop1 observer 10.10.30.2 snap-length Editing a Snoop Filter Displaying Configured Snoop FiltersTo delete a snoop filter, use the following command Deleting a Snoop FilterDisplaying the Snoop Filter Mappings for All Radios Following command shows the mapping for snoop filter snoop1Displaying the Snoop Filters Mapped to a Radio Removing Snoop Filter MappingsFollowing command shows statistics for snoop filter snoop1 Filter operates until you manually disable itFollowing command enables snoop filter snoop1 Preparing an Observer Capturing TrafficSet snoop filter-nameall mode enable disable Capturing System Sending it toTechnical Support Corenetsys.core.217.tar Corenetsys.core.217.tar Support WEB View System RequirementsLogging Into Web View Attributes VSAs, listed in on 3Com Mobility System Software MSS supports the standardOn page 652. Also supported are 3Com vendor-specific StatedRcv Sent Access Acct Attribute Type Resp? Reqst? Description Supported Standard Extended AttributesSupported Standard and Extended Attributes Filter-id inboundacl.in Filter-id outboundacl.outDisplayed, they must NAS Radius Acct-Output Yes 3Com Vendor-SpecificUsers, on 3Com VSAs YY/MM/DD-HHMMTraffic Ports Used by MSS Protocol Port FunctionIP/ICMP Dhcp Server Chapter E Dhcp Server Set interface dhcp-server command’s primary-dns Set ip dns server commandDhcp Server Displaying Dhcp Server InformationDisplayed instead Register Your Service BenefitsSolve Problems Online Product to GainPurchase Extended WarrantyAccess Software ProfessionalCountry Telephone Number Latin America Telephone Technical Support and Repair US and Canada Telephone Technical Support and RepairGlossary GHz and data rates of up to 54 Mbps Radio that can receive and transmit signals at Ieee 802.11b802.11a 802.11bSee ACE See security ACLAES BSS CCI BssidCBC-MAC CcmpChap CPCCRC CSR DES DhcpDynamic Host See Dhcp Configuration Protocol EAP EAP-TLSESS EtsiFCC FDB FhssGbic GMK GTKHmac IAS HpovHttps ICVInformation element Igmp snoopingIndustry Canada InfrastructureLawn ISLISO LdapMAC MAP MD5MIC MpduMS-CHAP-V2 MTU MsduMSS NATPIM PeapPEM PkcsPMK PRF PrngPSK PTK PVST+RC4 RSA RSNRssi SSH SHASIP SsidSSL STPTLS TLVTtls NII VlanWatch list Vlan globVSA Web ViewWEP WPA WispWlan WPA IEGlossary Glossary Index NumbersSessions, clearing 557 sessions, displaying Cipher suites, RSN enabling ARP Index Index See also MAC addresses MAC addresses Names Https Radius Repair support, Europe, Middle East, and Africa Configuring 717Seed, Mobility Domain configuring 154 defined STP Index Usernames Invalid certificate Case-sensitive Index Command Index Clear summertime Load config 61 Md5 606 mkdir Monitor port counters Command Index Set radius proxy port 729Command Index