Manuals / 3Com / Computer Equipment / Switch

3Com WX1200 3CRWX120695A manual To display the attack list, use the following command

Models: WX1200 3CRWX120695A WX4400 3CRWX440095A WXR100 3CRWXR10095A WX2200 3CRWX220095A

1 728

Download 728 pages 48.88 Kb

Page 578

578CHAPTER 26: ROGUE DETECTION AND COUNTERMEASURES

Configuring an The attack list specifies the MAC addresses of devices that MSS should Attack List issue countermeasures against whenever the devices are detected on the

network. The attack list can contain the MAC addresses of APs and clients.

By default, the attack list is empty. The attack list applies only to the WX switch on which the list is configured. WX switches do not share attack lists.

When on-demand countermeasures are enabled, only those devices configured in the attack list are subject to countermeasures. In this case, devices found to be rogues by other means, such as policy violations or by determining that the device is providing connectivity to the wired network, are not attacked.

If you are using on-demand countermeasures in a Mobility Domain, you should synchronize the attack lists on all the WX switches in the Mobility Domain. See “Using On-Demand Countermeasures in a Mobility Domain” on page 581.

To add an entry to the attack list, use the following command:

set rfdetect attack-list mac-addr

The following command adds MAC address aa:bb:cc:44:55:66 to the attack list:

WX4400# set rfdetect attack-list 11:22:33:44:55:66 success: MAC 11:22:33:44:55:66 is now in attacklist.

To display the attack list, use the following command:

display rfdetect attack-list

The following example shows the attack list on a switch:

WX4400# display	rfdetect	attack-list
Total number of	entries:	1	RSSI	SSID
Attacklist MAC	Port/Radio/Chan		RSSI	SSID
-----------------	-----------------		------	------------
11:22:33:44:55:66 dap 2/1/11			-53	rogue-ssid

To remove a MAC address from the attack list, use the following command:

clear rfdetect attack-list mac-addr

Image 578

3Com WX1200 3CRWX120695A manual To display the attack list, use the following command, Set rfdetect attack-list mac-addr

Contents

Wireless LAN Mobility System 3Com Corporation 350 Campus Drive Marlborough, MA USA United States Government LegendContents Configuring AAA for Administrative and Local Access Managing User PasswordsDisplaying Password Information Configuring and Managing Ports and VlansConfiguring and Managing IP Interfaces and Services 108 Configuring Snmp Configuring and Managing Mobility Domain RoamingMAP Overview Country of Operation 179 Configuring Network DomainsConfiguring MAP Access Points 268 Configuring RF Load Balancing for MapsRF Load Balancing Overview 267 Configuring Wlan Mesh Services Configuring User EncryptionConfiguring Quality of Service Configuring RF AUTO-TUNINGConfiguring Maps to be Aeroscout Listeners Configuring and Managing Spanning Tree Protocol 380 Configuring and Managing Igmp SnoopingConfiguring and Managing Security Acls 414 Why Use Keys and Certificates? 413Managing Keys and Certificates 416460 Configuring AAA for Network Users475 Using an ACL Other Than portalacl 479503 494 Clearing a Security ACL from a User or Group 495496 514Configuring Communication with Radius Managing 802.1X on the WX SwitchConfiguring Soda Endpoint Security for a WX Switch Managing SessionsRogue Detection and Countermeasures Managing System Files Troubleshooting a WX Switch631 Using the Trace Command Enabling and Logging Into WEB View Traffic Ports Used by MSS Glossary Index Command IndexSupported Radius Attributes Obtaining Support for Your 3COM ProductsIcon Description ConventionsList conventions that are used throughout this guide Documentation Including new features and bug fixes3WXM for advanced configuration and management This manual uses the following text and syntax conventionsComments Pddtechpubscomments@3com.comAbout this Guide Overview To configure and manage the switch and its attached MAPsOverwrite a parameter with another set command. Use display Network operationsCase-insensitive Text EntryConventions Alphanumeric characters, except for tabs and spaces, and isMAC Address Notation IP Address and Mask NotationUser Glob Users Designated User GlobsUser Globs MAC Address Globs Vlan GlobsMatching Order for Globs WX1200# set port enableWX1200# reset port WX1200# display port poe 1,2,4,6Operating systems Command-LineEditing CLI Keyboard ShortcutsAt your access level, type the following command Using CLI HelpCommands that begin with those characters. For example Wildcard CharactersWX1200# display ip telnet WX1200# display i?WX1200# display ip ? Set ap Understanding Command DescriptionsSet ap name command has the following complete syntax Set ap apnumber auto securityMethods Switches„ CLI quickstart command „ Web Quick Start WXR100, WX1200, and WX2200WX Setup Methods How a WX Switch Gets its ConfigurationWX2200 Only Accessing the Web To access the Web Quick Start Quick StartWX Setup Methods Web Quick Start WXR100, WX1200 and WX2200 Only CLI quickstart Set enablepass command WX Setup Methods Single-Switch Deployment Verify the configuration changes Remote WX Start 3WXM by doing one of the following Select File Switch Network PlanTo open the network plan „ On Linux systems, change directories toOperation 3Com Mobility System Software MSS supports authenticationHere is an overview of configuration topics Configuring AAA for Administrative and Local Access Building Before You Start AdministrativeAccess AboutFirst-Time Configuration viaAdministrator ConsoleWX1200# set enablepass PasswordSetting the WX Enable Password for the First Time WX1200# save configWX1200# set authentication console * none 3WXM Enable PasswordWX1200# set authentication console * local Configuring AAA for Administrative and Local Access Configuring Configuring AAA for Administrative and Local Access Displaying the AAA Configday. To do this, type the following commandConfiguration, all changes are lost SavingRadius Administrative AAAScenarios Administrative AAA Configuration Scenarios Success configuration saved Passwords, and how to display password information Restrictions apply to user passwordsWX# set user Jose password spRin9 Configuring PasswordsSet user username password encrypted password Clear user usernameWX# set authentication password-restrict enable Setting the Maximum Number of Login AttemptsSet authentication password-restrict enable disable Set authentication max-attempts numberPassword Length Configuring Password Expiration Time WX# display aaa Clear user username lockoutWX# clear user Nin lockout Configuring Managing PortsPort Type Parameter MAP Access Wired Authentication Network VlanSetting a Port for a Directly Connected MAP Maximum MAPs Supported Per SwitchConfiguring a MAP Connection WX1200# set port type wired-auth 7 success change accepted Setting a Port for a Wired Authentication UserSwitch Model Valid Range Valid dap-num ValuesClearing a Port Removing a Port Name Name Setting a Port NameClearing a Distributed MAP Display port media-type port-list Set port media-type port-listrj45Clear port media-type port-list Set port speed port-list10 100 auto Parameters10/100 Ports-Autonegotiation and Port Speed Disabling or Reenabling a Port Disabling or Reenabling Power over EthernetGigabit Ports Autonegotiation and Flow Control Displaying Port Configuration and Status Resetting a PortTo reset a port, use the following command Displaying Port Statistics To display port statistics, use the following commandDisplaying PoE State Monitoring Port Statistics Clearing Statistics CountersCounters begin incrementing again, starting from Clear port countersKey Effect on monitor display Use the keys listed in to control the monitor displayKey Controls for Monitor Port Counters Display WX1200# monitor port countersGroups can participate in a port group Configuring a Port GroupTo configure a port group, use the following command Load SharingRemoving a Port Group To remove a port group, use the following commandWX1200# display vlan config Clear port-group name nameDisplay port-group name group-name Displaying Port Group InformationInteroperating with Cisco Systems EtherChannel WX1200# display port-group name server2VLANs, IP Subnets, and IP Addressing Users and VLANsVlan Names Roaming and VLANsTunnel Affinity Traffic Forwarding802.1Q Tagging Set vlan vlan-numname name To create a VLAN, use the following commandCreating a Vlan You can specify a tag value from 1 through To add a port to a VLAN, use the following commandAdding Ports to a Vlan WX1200# set vlan 2 name redSpecify a value from 1 through 10. The default is To completely remove Vlan ecru, type the following commandTo change the tunneling affinity, use the following command Removing an Entire Vlan or a Vlan PortDisplay security l2-restrict vlan vlan-idall Security l2-restrict Display vlan config vlan-idWX1200# display vlan config burgundy Clear security l2-restrict counters vlan vlan-idallPort associated with the MAC address ForwardingDatabase Displaying Forwarding Database Entries DisplayingInformation Displaying the Size of the Forwarding Database WX1200# display fdb Adding an Entry to the Forwarding DatabaseRemoving Entries from the Forwarding Database WX1200# clear fdb dynamic success change acceptedDisplaying the Aging Timeout Period Changing the Aging Timeout PeriodScenario Configuration change. Type the following commandsPort and Vlan WX1200# display port poe WX1200# set port type ap 2-4 model ap2750 poe enablePort status WX1200# set vlan default port Save the configuration. Type the following commandSet port type wired-auth 5,6 Display Port statusMTU Support To add an IP interface to a VLAN, use the following command Configuring Managing IP InterfacesStatically Configuring an IP Interface Adding an IP InterfaceConfiguring and Managing IP Interfaces WX1200# display interface Set interface vlan-idip dhcp-client enable disableWX1200# set interface corpvlan ip dhcp-client enable Displaying IP To remove an IP interface, use the following commandDisabling or Reenabling an IP Interface To clear the system IP address, use the following command Configuring the System IP AddressTo display the system IP address, use the following command Configuring and Managing IP Routes Display ip route destination WX1200# display ip routeWX1200# display ip route To remove a static route, use the following command Set ip ssh server enable disable Managing Management ServicesLogin Timeouts Managing SSHAdding an SSH User You can verify the key using the following commandFor example These commands display and clear SSH server sessions Changing the SSH Service Port NumberUse the following commands to manage SSH server sessions Managing SSH Server SessionsEnabling Telnet Telnet Login TimersSet ip telnet server enable disable Adding a Telnet UserUse the following commands to manage Telnet server sessions Changing the Telnet Service Port NumberResetting the Telnet Service Port Number to Its Default Displaying Telnet StatusManaging Https Enabling Https Displaying Https InformationSessions Set system idle-timeout secondsClear system idle-timeout Prompting the User to Acknowledge the Motd Banner To specify a Motd banner, use the following commandFollowing command sets the Motd banner on the WX Adding a DNS Server To add a DNS server, use the following commandTo remove a DNS server, use the following command Removing a DNS ServerRemoving the Default Domain Name Adding the Default Domain NameTo add the default domain name, use the following command Specify a domain name of up to 64 alphanumeric charactersClear ip alias name Here is an exampleSet ip alias name ip-addr Display ip alias nameDaylight savings time or similar summertime period Managing TimeParameters Displaying the Time Zone To display the time zone, use the following commandTo clear the time zone, use the following command Clearing the Time ZoneDisplaying the Summertime Period To display the summertime period, use the following commandTo clear the summertime period, use the following command Clearing the Summertime PeriodWX1200# set timedate date feb 29 2004 time 235800 Statically Configuring System Time DateSet timedate date mmm dd yyyy time hhmmss Display timedateNTP client is disabled by default To remove an NTP server, use the following commandDisplaying NTP Information Resetting the Update Interval to DefaultTo display NTP information, use the following command Permanent entries to the ARP table Managing the ARPIP address to the ARP table EntriesWX1200# set arp agingtime Set arp permanent static dynamic ip-addrmac-addrSet arp agingtime seconds Logging In to a Pinging AnotherDevice Remote DeviceTracing a Route WX1200# traceroute server1 IP Interfaces Time and date parametersIp dns WX1200# set ip dns enableWX1200# Set ip Dns Server Sun Feb 29 2004, 235902 PST Configuring and Managing IP Interfaces and Services Authentication options, and encryption options „ SNMPv3-SNMPv3 adds authentication and encryption optionsUSM users, with individually configurable access levels All Snmp versions are disabled by defaultSet snmp protocol v1 v2c usm all enable disable To enable an Snmp protocol, use the following commandConfiguring Community Strings SNMPv1 SNMPv2c Only Set system location string set system contact stringClear snmp community name comm-string To create a USM user for SNMPv3, use the following commandTo clear a USM user, use the following command Clear snmp usm usm-usernameConfiguring Snmp Command Examples Clear snmp notify profile profile-name To clear a notification profile, use the following commandWX1200# set snmp security encrypted success change accepted ClientRoamingTraps-Generated when a client roams Configuring Snmp Command Examples Configuring Snmp Clear snmp notify target target-num To clear a notification target, use the following commandSecurity unsecured authenticated encrypted Command Examples To display USM settings, use the following command To enable the MSS Snmp service, use the following commandFollowing command enables the Snmp service InformationDisplay snmp notify target To display notification profiles, use the following commandDisplay snmp notify profile Display snmp countersMobility Domain Roaming Set mobility-domain mode seed domain-name mob-domain-name Configuring aConfiguring the System IP Address on Mobility DomainSet mobility-domain mode member seed-ip ip-addr Set mobility-domain member ip-addrOn the secondary seed On the other member switches in the Mobility DomainOn the primary seed Switch Domain Status display mobility-domain command. For exampleDisplaying Mobility Domain Configuration WX-WX Security A Mobility MonitoringVLANs and Tunnels DomainWX1200# display roaming vlan WX1200# display tunnelUnderstanding Sessions Roaming Users WX1200 display sessions network verbose VlanWX1200# set mobility-domain member seed-ip Mobility-domainVlan-wep 192.168.12.7 192.168.15.5 Domains Network Domain How a user connects to a remote Vlan in a Network Domain Configuring a WX Switch’s affinity for a Network Domain seed Set network-domain mode seed domain-name net-domain-name Network DomainSet network-domain mode member seed-ip ip-addraffinity num Set network-domain peer ip-addrSet network-domain mode member seed-ip ip-addraffinity num WX4400# display network-domain Clear network-domain WX Switch following commandClear network-domain mode seed member Clear network-domain seed-ip ip-addrConfiguring Network Domains WX1200# display network-domain Upseed Upmember 30.30.30.1 MAP Overview Through radio signals„ Two direct connections to a single WX or two WX switches Combinations of multiple connectionsExample 3Com Network MAP Overview Distributed MAP Network Requirements Distributed MAPs and STP No configuration is required on the WX Distributed MAPs and Dhcp OptionMAP Parameters Resiliency and Dual-Homing Options for MAPs Dual-Homed Configuration Examples Dual-Homed Direct Connections to a Single WXDual-Homed Direct and Distributed Connections to WX Switches Network Backbone WX switch Establishing Connectivity on the Network How a Distributed MAP Obtains an IP Address through DhcpStatic IP Address Configuration for Distributed MAPs DNS server replies with the system IP address of a WX switch Configuring MAP Access Points MAP Overview Configuring MAP Access Points MAP Boot Examples MAP Booting over Layer 2 Network MAP Overview MAP Booting over Layer 3 Network MAP sends Dhcp Discover message from the MAP’s portMAP sends a unicast Find WX message to WX1 Dual-Homed MAP Booting MAP Booting with a Static IP Address MAP sends a Dhcp Discover message from the MAP’s portDefaults for Service Profile Parameters Auth-dot1x EnableCipher-ccmp Disable Auth-psk DisableBeacon Enable Cipher-tkip EnableSet radio-profile auth-psk command No-broadcast DisableProxy-arp Disable Soda DisableUser-idle-timeout 180 12.0,24.0Web-portal-form TimeoutWeb-portal Web-portal-sessionMAC Address Allocations on MAPs Public and Private SSIDsEach radio can support the following types of SSIDs Model Address AllocationAP7250 Radios AP2750SSIDs AP8250Encryption Defaults for Radio Profile ParametersNot configured Beacon-interval 100Service-profile Parameter Default Value Frag-threshold 2346Rfid-mode Disable Max-rx-lifetime 2000Lists the defaults for these parameters RF Auto-TuningDefault Radio Profile Radio-Specific ParametersMode Disable Parameter Default Value Description AntennatypeMax-power ANT-5360-OUTSet system countrycode code To specify the country, use the following commandYou specify the country of operation Country Codes Country Codes Country Codes CountryCode WX switch can have one Auto-AP profile How an Unconfigured MAP Finds a WX To Configure ItWX1200 a WX1200 B Configured MAPs Have Precedence Over Unconfigured MAPsExample WX1200 MAP Capacities and Loads Configuring an Auto-AP Profile WX1200# set ap auto success change acceptedConfigurable Profile Parameters for Distributed MAPs Radio Parameters WX# set ap auto mode enable success change acceptedMAP Parameters WX# display ap status auto Set ap auto persistent apnumber allConfiguring a MAP Auto-AP profile is not used to configure the MAP. Instead,MAP configuration persistent across switch restarts Configure the MAP using the following commandConfiguring Static IP Addresses on Distributed MAPs Success change accepted Changing MAP Names Clearing a MAP from the ConfigurationTo clear a MAP, use the following command Changing BiasForcing a MAP To Download its Operational Image from the WX Disabling or Reenabling Automatic Firmware UpgradesSet ap apnumber upgrade-firmware enable disable WX# set ap 1 bias low success change acceptedEnabling LED Blink Mode Set ap apnumber blink enable disableEncryption Key Fingerprint Encryption OptionsWX# display ap status Verifying a MAP Fingerprint on a WX SwitchMAP Can Establish WX# set ap security require Setting the MAP Security Requirement on a WXSet ap security require optional none Fingerprint Log Message Creating a Service ProfileSet service-profile name ssid-name ssid-name An Ssid can be up to 32 alphanumeric characters longDisabling or Reenabling Encryption for an Ssid Removing a Service ProfileChanging a Service Profile Setting Disabling or Reenabling Beaconing of an SsidTo change the fallthru method, use the following command SSIDs are beaconed by defaultChanging the Fallthru Authentication Type Lists the rate settings and their defaults11g-1.0,2.0,5.5,11.0 Transmit Rates11b-1.0,2.0 Beacon-rateEnforcing the Data Rates Transmit RatesDisabling Idle-Client Probing WX# set radio-profile rp1 rate-enforcement mode enableWX# set radio-profile rp1 service-profile sp1 Changing the Short Retry Threshold Changing the User Idle TimeoutThreshold can be a value from 1 through 15. The default is Set service-profile name long-retry threshold Changing the Long Retry ThresholdChanging Radio Parameters To create a radio profile, use the following commandCreating a New Profile To change the Dtim interval, use the following command Set radio-profile name dtim-interval intervalSet radio-profile name frag-threshold threshold To change the RTS threshold, use the following commandSet radio-profile name rts-threshold threshold Set radio-profile name max-rx-lifetime timeSet radio-profile name max-tx-lifetime time Removing a Radio Profile Resetting a Radio Profile Parameter to its Default ValueTo remove a radio profile, use the following command Configuring the Channel and Transmit Power Configuring the External Antenna Model and Location Model Type Gain dBi DescriptionMP-620 External Antenna Models Specifying the External Antenna ModelMP-341, MP-352, MP-262 External Antenna Models Beamwidth Model Type Horizontal VerticalProfiles Set radio-profile name service-profile nameSpecifying the External Antenna Location Assigning a Radio Profile and Enabling RadiosDisabling or Reenabling RadiosClear ap apnumber radio 1 2 all To restart a MAP, use the following commandReset ap apnumber WX1200# clear ap 3 radioConfiguring MAP Access Points Set ap apnumber local-switching mode enable disable Configuring a Vlan ProfileEnabling Local Switching on a MAP Applying a Vlan Profile to a MAP Set ap apnumber local-switching vlan-profile profile-nameClear ap ap-numberlocal-switching vlan-profile Clearing the Vlan Profile from a MAPClear vlan-profile profile-namevlan vlan-name Removing a Vlan Profile from the WX SwitchTo remove Vlan profile locals, type the following command WX# clear vlan-profile locals vlan redWX1200# display ap config Displaying MAP Configuration InformationDisplay ap config apnumber radio 1 Displaying MAP InformationWX4400# display ap global Displaying Connection Information for Distributed MAPsDisplay ap global apnumber serial-id serial-ID Information for Displaying a List Distributed MAPs That Are Not ConfiguredConnection Display service-profile name ? WX# display service-profile sp1Display radio-profile name ? WX# display radio-profile defaultDisplaying MAP Display ap status terse apnumber all radio 1Following command displays the status of a Distributed MAP Displaying Static IPDisplay ap counters apnumber radio 1 WX# display ap countersDisplaying the ARP Table for a MAP Following command displays ARP entries for APDisplaying Vlan Profile Information Following command displays FDB entries for AP Displaying Forwarding Database For a MAPDisplay ap acl map ap-number Display ap acl hits ap-numberWX# display ap acl hits WX# display ap acl map Configuring RF Load Disabling or Re-Enabling RF Load Balancing Configuring RF Load BalancingSet load-balancing mode enable disable Clear ap apnumber radio radio-numload-balancing group Set band-preference none 11bg 11aSet load-balancing strictness low med high max Radios in the same load-balancing group as ap2/radio1 Displaying RF Load Balancing InformationExempting an Ssid From RF Load Balancing WX# display load-balancing group ap 2 radioConfiguring RF Load Balancing for Maps Services Configuring Wlan Mesh ServicesSet ap num boot-configuration mesh ssid mesh-ssid Use the following command to specify the pre-shared keySet ap num boot-configuration mesh mode enable disable Mesh Services following commands Set ap num radio num link-calibration mode enable disable Wireless Bridging Following illustrationWX# display ap status terse Total number of entries Rfid Reports Inactive Antenna Link Calibration EnabledDisplaying Wlan AP, m = mesh AP = mesh portalBssid1 000b0efdfdcd, ssid mesh-ssid mesh „ WPA2 Robust Security Network Encryption settings are configured in the service profileThen authorized to join a Vlan 802.11i standardEncryption Type Client Support Default State MSS Wireless Encryption DefaultsConfiguration Required Default Encryption Configuring User Encryption WPA Encryption with Tkip Only WPA Encryption with Tkip and WEP Configuring WPA Configuring User Encryption Configuring WPA Lists the encryption support for WPA and non-WPA clients Encryption Support for WPA and Non-WPA ClientsSpecifying the WPA Cipher Suites Creating a Service Profile for WPAEnabling WPA Set service-profile name tkip-mc-time wait-time Changing the Tkip Countermeasures Timer ValueEnabling PSK Authentication Set service-profile name auth-psk enable disableSet service-profile name psk-raw hex Set service-profile name auth-dot1x enable disableWX1200# display service-profile sp1 Displaying WPA SettingsWPA settings appear at the bottom of the output Set radio-profile name service-profile name WX1200# set service-profile rsn success change accepted Set service-profile name rsn-ie enable disableCcmp Assigning the Service Profile to Radios Enabling the Radios RSN settings appear at the bottom of the outputConfiguring WEP Encryption for Dynamic and Static WEP Set service-profile name wep key-index num key value To set the value of a WEP key, use the following commandTraffic, use the following commands Encryption Configuration Scenarios TkipEncryption Configuration Scenarios WX1200# set service-profile wpa-wep success change accepted 305 Clients WX1200# display aaa Default Values WX1200# display service-profile sp1 Save the configuration. Type the following command Configuring User Encryption Disabled for power configuration RF Auto-Tuning can perform the following tasksPower setting if needed RF Auto-TuningHow Channels Are Selected Power Tuning Channel TuningTuning the Transmit Data Rate Defaults for RF Auto-Tuning ParametersDefaults for RF Auto-Tuning Parameters Changing RF Auto-TuningSettings Changing the Channel Holddown Interval Changing the Channel Tuning IntervalEnabling Power Tuning Set radio-profile name auto-tune channel-interval secondsChanging the Maximum Default Power Allowed On a Radio Tuned SettingsChanging the Power Tuning Interval Channel or set ap dap radio tx-power command for each radioRadios in radio profile rp2 Displaying RF Auto-Tuning SettingsDisplaying Values of RF attributesWX# display ap config 2 radio WX# display ap configWX1200# display auto-tune attributes ap 2 radio CommandsDisplay auto-tune Neighbors ap 2 radio Configuring RF AUTO-TUNING Aeroscout Listeners Configuring MAP Radios to Listen for AeroScout Rfid Tags Using an AeroScout Engine StatusSelect Locate AeroScout Tag About QoS MSS and how to configure and manage themOptimized forwarding of wireless traffic for time-sensitive QoS ParametersSet service-profile cac-mode QoS Parameters Keepalives and timeouts for clients set service-profile QoS Feature Description Configuration CommandSet service-profile proxy-arp Set service-profile idle-client-probingOn page 332 shows how WX switches classify ingress traffic QoS on WX Switches-Classification of Ingress Packets QoS on WX Switches-Marking of Egress Packets Configuring Quality of Service WMM QoS Mode WMM Priority Mappings WMM QoS on the WX SwitchService Forwarding Type IP ToSDefault CoS-to-MAP-Forwarding-Queue Mappings CoS MAP Forwarding QueueWMM QoS in a 3Com Network MAP B receives the packet and does the following SVP QoS Mode To configure CAC, see Configuring Call Admission Control onWMM QoS Mode Set radio-profile name qos-mode svp wmm Changing QoS SettingsSet radio-profile name wmm-powersave enable disable Enabling CAC Set service-profile name cac-mode none sessionSet service-profile name cac-session max-sessions Changing the Maximum Number of Active SessionsSet service-profile name use-client-dscp enable disable To change CoS mappings, use the following commandsUsing the Client’s Dscp Value to Classify QoS Level Changing CoS MappingsWX1200# display radio-profile rp1 Profile’s QoS Settings following commandDisplaying QoS Information QoS Mode Wmm This example, the QoS mode is WMMDisplaying a Service WX# display service-profile sp1 cac session Displaying the Default CoS MappingsDisplay service-profile name cac session WX1200# display qos defaultDisplay qos dscp-to-cos-map dscp-value Displaying a DSCP-to-CoS MappingDisplaying a CoS-to-DSCP Mapping Display qos cos-to-dscp-map cos-valueDisplay ap qos-stats apnumber clear Displaying MAP Forwarding Queue StatisticsWX1200# display qos dscp-table WX# display ap qos-statsConfiguring Quality of Service All network ports as untagged members of the same Vlan Loop in the topology and blocks one or more redundant pathsTree protocol PVST+ Separate instance of PVST+ on each tagged VlanProtocol EnablingSpanning Tree Port Priority Snmp Port Path Cost DefaultsPort Speed Link Type Default Port Path Cost Set spantree priority value all vlan vlan-idResetting the STP Port Cost to the Default Value Changing the STP Port CostChanging the STP Port Priority WX1200# clear spantree portcost 3-4 success change acceptedResetting the STP Port Priority to the Default Value To change the forwarding delay, use the following command To change the hello interval, use the following commandChanging the STP Forwarding Delay Changing the STP Hello IntervalConvergence FeaturesManaging STP Fast Changing the STP Maximum AgeSet spantree portfast port port-listenable disable Displaying Port Fast Convergence Information Configuring Backbone Fast ConvergenceThis example, backbone fast convergence is enabled Displaying Backbone Fast Convergence StateDisplaying Uplink Fast Convergence Information Displaying Spanning Tree InformationFast Convergence WX1200# display spantree vlan mauve Active optionDisplaying the STP Port Cost on a Vlan Basis Display spantree portvlancost port-listDisplay spantree statistics port-listvlan vlan-id WX1200# display spantree blockedports Vlan defaultDisplay spantree blockedports vlan vlan-id WX1200# display spantree statisticsInactive Counters again Enables STP on the Vlan to prevent loopsClearing STP Statistics Clear spantree statistics port-listvlan vlan-idWX1200# set vlan 10 name backbone port Set port enable Configuring and Managing Spanning Tree Protocol Disabling or Reenabling Igmp Snooping Traffic. Igmp snooping is enabled by defaultFeature on an individual Vlan basis IP address, the group addressReporting Changing Igmp TimersReenabling Proxy Pseudo-QuerierChanging the Last Member Query Interval You can specify a value from 2 through 255. The default isChanging Other-Querier Present Interval Set igmp mrsol enable disable vlan vlan-id Set igmp mrsol mrsi seconds vlan vlan-idDisplaying Multicast Configuration Information Statistics Displaying Multicast InformationDisplay igmp statistics vlan vlan-id Displaying Multicast Statistics OnlyClearing Multicast Statistics Clear igmp statistics vlan vlan-idDisplay igmp mrouter vlan vlan-id Display igmp querier vlan vlan-idDisplay igmp querier vlan orange WX1200# display igmp Mrouter vlan orangeIgmp receiver-table group 237.255.255.0/24 About Security Access Control ListsACL Commands Overview of SecuritySetting Security ACLs „ Vlan Traffic DirectionSecurity ACL CreatingCommitting a ACLWX1200# set security acl ip acl-1 permit 192.168.1.4 Set security acl ip acl-namepermit cos cos denyCommon IP Protocol Numbers Class of ServiceWildcard Masks Number ProtocolClass-of-Service CoS Packet Handling Common Icmp Message Types and Codes Icmp Message Type Number Icmp Message Code NumberSetting a TCP ACL Following command filters TCP packetsSetting a UDP ACL Following command filters UDP packetsWX1200# commit security acl all success change accepted Commit acl-99, type the following commandWX1200# commit security acl acl-99 success change accepted Viewing Security ACL Details Viewing the Edit BufferViewing Committed Security ACLs Displaying Security ACL Hits WX1200# display security acl hitsMapping Security ACLsTo map a security ACL to a user session, follow these steps WX1200# commit security acl acl-222 success change acceptedDisplaying ACL Maps to Ports, VLANs, and Virtual Ports WX1200# display security acl map Acl-999Clearing a Security ACL Map WX1200# display security acl map acljoeModifying a Security ACL Modifying a Security ACL Set security acl ip acl-111 hits #4 To view the results, type the following commandWX1200# display security acl info ACL edit-buffer table WX1200# rollback security acl acl-111 Filtering Based on Using ACLs toChange CoS Dscp ValuesUsing the dscp Option Using the precedence and tos OptionsLegacy Voice over Following commands perform the same CoS reassignment asPrioritization for Are forwarded to any 10.10.90.x address on Distributed MAPConfiguring and Managing Security Acls WX4400# set security acl ip voip permit any ServiceVoIP WX4400# commit security acl voip Commit the ACL to the configurationKnown Limitations Configuring a Service Profile for RSN WPA2 Configuring a Service Profile for WPAConfiguring a Radio Profile Configuring a Vlan for Voice Clients Configuring an ACL to Prioritize Voice TrafficConfiguring and Managing Security Acls Forwarding Among RestrictingClient-To-Client IP-Only ClientsWX1200# commit security acl c2c Address, and how to map the ACL to a port and a userWX1200# set security acl ip c2c permit 0.0.0.0 WX1200# set security acl map c2c vlan vlan-1 OutTo save your configuration, type the following command Configuring and Managing Security Acls Certificates Managing Keys and Certificates About Keys and Certificates Managing Keys and Certificates Pkcs Object Files Supported by 3Com Generate key commandGenerate request command. Copy File Type Standard PurposeGenerated by MSS CertificatesAutomatically Creating Keys and Certificates File Type Steps Required Instructions Self-signed Procedures for Creating and Validating CertificatesFor Your Network more complex to use CertificateCrypto generate key admin domain eap ssh web 128 512 1024 # crypto generate key admin 1024 admin key pair generatedCrypto generate self-signed admin eap web # crypto generate self-signed admin Country Name USCrypto otp admin eap web one-time-password To enter the one-time password, use the following commandFilename is the location of the file on the WX switch Crypto pkcs12 admin eap web filenameCrypto certificate admin eap web PEM-formatted Crypto generate request admin eap web# crypto generate request admin Country Name US # crypto ca-certificate admin Enter PEM-encoded certificate END Certificate# display crypto certificate admin Certificate Displaying Certificate and Key InformationObject files For SSH configuration information, see Managing SSH onKey and Certificate Generate self-signed certificatesWX1200# crypto generate self-signed web WX1200# display crypto certificate adminDisplay certificate information for verification WX1200# display crypto certificate eapWX1200# display crypto certificate web WX1200# crypto otp eap SeC%#6@o%d WX1200# crypto otp admin SeC%#6@o%cPkcs12 admin 2048admn.p12 WX1200# crypto otp web SeC%#6@o%eWX1200# crypto generate request admin CSR and a Pkcs #7 Object FileWX1200# display crypto ca-certificate admin WX1200# crypto certificate adminWX1200# crypto ca-certificate admin Authentication About AAA for Network UsersAuthentication Types MSS provides the following types of authenticationAuthentication Algorithm „ Web „ Last-resort „ NoneAuthentication Flowchart for Network Users User Credential Requirements Ssid Name AnyLast-Resort Processing Configuring AAA for Network Users About AAA for Network Users Configuring AAA for Network Users AAA Tools for Network UsersWildcard Any for Ssid Matching AAA Rollover Process Local Override ExceptionRemote Authentication with Local Backup Shows the results of this combination of methods EAP Authentication Protocols for Local Processing EAP Type Description UseThree Basic WX Approaches to EAP Authentication Approach DescriptionAuthentication Last-Resort WebAAA Effects Authentication Type On Encryption MethodEncryption Available to Various Authentication Methods EapConfiguring 802.1X Authentication Success change accepted Configuring 802.1X Authentication Authentication Rule Requirements Set dot1x bonded-period seconds To set the Bonded Auth period, use the following commandBonded Auth Period Clear dot1x bonded-periodDisplay dot1x config Bonded Auth Configuration ExampleDisplaying Bonded Auth Configuration Information WX1200# set dot1x bonded-period 60 success change acceptedWX1200# display dot1x config MAC Address AuthenticationAuthorization by Clear mac-user mac-address Clearing MAC Users and GroupsClear mac-user mac-addrgroup WX1200# clear mac-user 010f03040506 success change acceptedFor a complete list of authorization attributes, see on For example, to add the MAC user 000102030405 to Vlan redSet radius server server-nameauthor-password password How WebAAA Portal Works Display of the Login WX Switch Requirements WebAAAConfiguring Web Portal WebAAA Configuring AAA for Network Users Portal ACL and User ACLs Network Requirements WX Switch Recommendations„ Configure the NIC to use Dhcp to obtain its IP address Client NIC RequirementsPortal WebAAA Configuring Web To configure Web Portal WebAAAWeb Portal WebAAA Configuration Example Display the service profile to verify the changes Configure individual WebAAA usersDisplay the configuration WX1200# display configWX4400# display sessions network ssid mycorp Displaying Session Information for Web Portal WebAAA UsersDisplay sessions network user user-glob Configuring Web Portal WebAAA „ If the switch nonvolatile storage has a page in web named Copying and Modifying the Web LoginSave the modified Custom Login Page ScenarioMap a radio to the temporary radio profile and enable it Change the logoChange the greeting Change the warning statement if desiredValues for Literal Characters URLs variables you can include in a redirect URLVariables for Redirect URLs Add the last rule contained in portalacl Display security acl info acl-nameall editbufferCommit security acl Set service-profile name web-portal-acl aclnamePeriod Set service-profile name web-portal-session-timeout seconds Last-Resort Access WX1200# display service-profile last-resort-srvcprof 481 Configuring AAA for Users of Third-Party APs Process for Users of a Third-Party APRequirements Third-Party AP Requirements Radius Server Requirements Set radius proxy port port-listtag tag-valuessid Set authentication mac wired mac-addr-glob method1Set authentication proxy ssid ssid-nameuser-glob WX4400# set authentication mac wired aabbcc010101 srvrgrp1 WX4400# set authentication proxy ssid mycorp ** srvrgrp1Attributes AuthorizationAssigning Authentication Attributes for Local Users Start-date,end-date, or both Idle-timeoutAttribute Description Valid Values End-date Filter-idSsid Attribute Description Valid Values Service-typeSession-timeout Attribute Description Valid Values Start-date Time-of-dayVlan-name Or group in the local WX database and specify its valueAttribute Description Valid Values Url Set service-profile name attr attribute-name value Commands for Assigning a Security ACL Locally Assigning a Security ACL LocallyAssigning a Security ACL on a Radius Server Assigning and Clearing Encryption Types Locally Encryption-Type Encryption Algorithm Value AssignedAssigning and Clearing Encryption Types on a Radius Server Encryption Type Values and Associated AlgorithmsLocation Policy After RoamingVlan Assignment After Roaming from One WX to Another Vlan Assigned ByOverriding or Configuring AAA for Network Users WX1200# set location policy deny if user eq *.theirfirm.com Set location policy deny ifSet location policy permit Applying Security ACLs in a Location Policy Rule Displaying and Positioning Location Policy RulesWX1200 display location policy To delete a location policy rule, use the following commandClearing Location Policy Rules Disabling Clear location policy rule-numberUsers Wireless NetworkAccounting for Network resource usageWX1200# display accounting statistics User started on WX1200-0013User roamed to WX1200-0017 WX1200-0013#display accounting statisticsUser terminated the session on WX1200-0017 WX1200# display aaa WX switch and how to avoid them ProblemsConfiguration Order Avoiding AAAConfiguration Producing an Incorrect Processing Order Configuration for a Correct Processing OrderMobility Profile Name and identifying the accessible port or portsAccessing any MAP access ports, Distributed MAPs, or wired All of the ports or Distributed MAPsClear mobility-profile name To remove a Mobility Profile, type the following commandWX1200# display mobility-profile Mobility Profiles Network User NamePorts ========================= Tulip WX1200# set radius server r1 address 10.1.1.1 key sunny Save the configurationWX1200# set user Natasha password moon WX1200# set server group sg1 members r1WX1200# set user Natasha attr vlan-name red WX1200# set user Natasha attr session-timeoutWX1200 save config WX1200# set radius server r1 address 10.1.1.1 key starrySave the configuration Redirect bldga-prof-VLAN users to the Vlan bldgb-eng WX1200# display location policyConfiguring AAA for Network Users With Radius Wireless Client, MAP, WX Switch, and Radius Servers Radius Servers „ Timeout WX wait for a server response 5 secondsBefore You Begin „ Transmission attemptsWX switch uses to authenticate itself to the Radius server Clear radius deadtime key retransmit timeoutWX1200# set radius client system-ip success change accepted Configuring Individual Radius ServersWX1200# clear radius deadtime success change accepted Set radius server server-nameaddress ip-address key stringRadius Server Set server group group-namemembers server-name1 Radius servers, type the following commandOrdering Server Groups Enable load balancing by typing the following command Configuring Load BalancingTo configure load balancing, use the following command Set server group group-nameload-balance enableSet server group group-namemembers To remove a server group, type the following commandAdding Members to a Server Group Clear server group group-nameGroup Configure Radius servers. Type the following commandsRadius and Server Display the configuration. Type the following command Configuring Communication with Radius Ports On WiredManaging EnablingSet dot1x port-control Forceauth forceunauth auto port-list WX1200# clear dot1x port-control success change acceptedSet dot1x key-tx enable disable AuthenticationConfiguring Key Transmission Time Intervals Set dot1x tx-period secondsWX1200# clear dot1x tx-period success change accepted Attempts Setting EAPRetransmission Set dot1x reauth enable disable Enabling Disabling ReauthenticationSetting the Maximum Number Reauthentication Attempts Set dot1x reauth-max number-of-attemptsSet dot1x reauth-period seconds Setting Reauthentication PeriodWX1200# clear dot1x reauth-max success change accepted WX1200# set dot1x reauth-periodClear dot1x max-req Set dot1x quiet-period secondsSet dot1x timeout auth-server seconds Setting Timeout for an Authorization ServerType the following command to reset the timeout period Set dot1x timeout supplicant secondsWX1200# display dot1x clients ConfigurationDisplay dot1x clients stats config WX1200# display dot1x stats Managing 802.1X on the WX Switch About Soda Endpoint SecuritySoda Endpoint Security Support on WX Switches About Soda Endpoint Security Functionality tasks Configuring Soda Functionality Https//hostname/soda/ssid/xxx.html WX1200# copy tftp//172.21.12.247/soda.ZIP soda.ZIP Install soda agent agent-fileagent-directory directoryWX1200# install soda agent soda.ZIP agent-directory sp1 Set service-profile name enforce-checks enable disable Enabling Soda Functionality for the Service ProfileSet service-profile name soda mode enable disable Set service-profile name soda failure-page Set service-profile name soda success-pageClear service-profile name soda success-page Clear service-profile name soda remediation-acl Clear service-profile name soda failure-pageSet service-profile name soda remediation-acl acl-name Set ip https server enable Set service-profile name soda logout-pageClear service-profile name soda logout-page Clear service-profile name soda agent-directory Uninstalling the Soda Agent Files from the WX SwitchSet service-profile name soda agent-directory directory Uninstall soda agent agent-directory directoryWX1200# uninstall soda agent agent-directory sp1 Configuring Soda Endpoint Security for a WX Switch Clear sessions admin console telnet client session-id Displaying Clearing Administrative SessionsDisplay sessions admin console telnet client WX1200 display sessions admin Displaying Clearing All Administrative SessionsDisplaying Clearing an Administrative Console Session WX1200# clear sessions adminWX1200 display sessions telnet Displaying Clearing Administrative Telnet SessionsDisplaying Clearing Client Telnet Sessions WX1200# display sessions network Displaying Clearing Network SessionsDisplay sessions network Network Session to get more in-depth information Clear sessions network user user-glob Displaying Clearing Network Sessions by UsernameWX1200# display sessions network user E WX1200# clear sessions network user BobAddress set of MAC addresses, type the following command For example, to clear all sessions for MAC addressWX1200 display session network session-id Clear sessions network vlan vlan-globWX1200# clear sessions network vlan red Changing Network Session TimersSession-id command Changing or Disabling the User Idle Timeout To disable the user idle timeout, use the following commandAbout Rogues RF DetectionRogue Classification Rogue Detection Lists Rogue Detection Algorithm Dynamic Frequency Selection DFS Rogue Detection and Countermeasures Rogue Detection Features Detection FeaturesSummary of Rogue lists the rogue detection features in MSS Countermeasures Set rfdetect vendor-list client ap mac-addr Clear rfdetect vendor-list client ap mac-addrallClear rfdetect ssid-list ssid-name Set rfdetect ssid-list ssid-nameWX1200# display rfdetect ssid-list Total number of entries Set rfdetect black-list mac-addr To display the client black list, use the following commandFollowing example shows the client black list on WX switch Rfdetect Black-listSet rfdetect attack-list mac-addr To display the attack list, use the following commandFollowing example shows the attack list on a switch Rfdetect Attack-listSet rfdetect ignore mac-addr To display the ignore list, use the following commandMac-addris the Bssid of the device you want to ignore Clear rfdetect ignore mac-addrCountermeasures Enabling Countermeasures Enabling MAP Reenabling ActiveScan SignaturesWXR100desk# set rfdetect ? Creating an Encrypted RF Fingerprint Key as MAP SignatureSet rfdetect signature key encrypted keyvalue WXR100desk# set rfdetect signature ?Enabling Rogue Reenabling LoggingRogues NotificationsIDS and DoS Alerts Rogue Detection and Countermeasures Message Type Example Log Message ExamplesIDS and DoS Log Messages Client aabbccddeeff is sending rsvd mgmt frame D IDS and DoS Log Messages Displaying RF You can use the CLI commands listed in to display rogueRogue Detection Display Commands DetectionRogue Detection Display Commands Display rfdetect clients mac mac-addr WX# display rfdetect clientsWX1200# display rfdetect counters Detection Counters commandDisplay rfdetect counters WX1200# display rfdetect mobility-domain Displaying Ssid or Bssid Information for a Mobility DomainDisplay rfdetect mobility-domain ssid ssid-namebssid Displaying RF Detection Information WX1200# display rfdetect data Displaying the APs Detected by MAP RadioDisplay rfdetect data WX1200# display rfdetect visible ap RadioWX# display rfdetect countermeasures Displaying Countermeasures InformationDisplay rfdetect countermeasures Rogue Detection and Countermeasures Version Information About System FilesDisplaying Software WX# display version details To also display MAP information, type the following commandWX# display version To display boot information, type the following command BootWorking with Files Following command displays the files in the old subdirectory WX1200# dir fileWX1200# dir core WX1200# dir boot0URL can be one of the following „ boot0/filename „ boot1/filename WX1200# copy floor2wx tftp//10.1.1.1/floor2wxWX1200# copy tftp//10.1.1.107/wxb04102.rel boot1wxb04102.rel Md5 boot0 boot1filenameDelete url To delete a file, use the following commandWX1200# md5 boot0wxb04102.rel WX1200# rmdir corp2 success change accepted To remove subdirectory corp2, type the following exampleWX1200# mkdir corp2 success change accepted. WX1200# dir Configuration Files RunningWX1200# display config area vlan Save config filenameLoad config url WX1200# save config newconfigSet boot configuration-file filename WX1200# load config newconfigBackup boot configuration Backup.cfg Set boot backup-configuration filenameWX1200# clear boot backup-config Clear boot configSystem Managing System Files WX1200# backup system tftp/10.10.20.9/sysabak critical Upgrading Switch forUpgrade System ImageUpgrading an Individual Switch Using the CLI Reset system forceWX1200# copy tftp//172.16.0.10/WX040101.20 boot1WX040100.20 Upgrade ScenarioWX1200# backup system tftp//172.16.0.10/sysabak WX1200# reset systemTroubleshooting a WX Setup Problems and Remedies WX Setup Problems and Remedies Type the save configSystem When RecoveringEnable Password Is LostComponents System LogLog Message LevelsSystem Log Destinations and Defaults Event Severity LevelsClear log server ip-addr Display log buffer traceClear log buffer trace Set log buffer severity severity-level WX1200# display log buffer severity errorLogging to the Log Buffer Logging to the Console To clear the buffer, type the following commandTo disable console logging, type the following command Logging Messages to a Syslog Server Setting Telnet Session DefaultsSet log sessions severity severity-levelenable For information on severity levels, see onTo disable trace logging, use the following command To disable session logging, use the following commandChanging the Current Telnet Session Defaults Logging to the Trace BufferDisplaying the Log Configuration Saving Trace Messages in a FileTracing Authentication Activity Using the TraceCommand Tracing Session Manager ActivityWX1200# display trace Tracing Authorization ActivityTracing 802.1X Sessions Clear trace all trace areaWX1200# display log trace severity error WX1200# display log trace facility WX1200# set trace ?For more information about Vlan interfaces, see Configuring Using displayCommands InterfacesDatabase FDB information, type the following command Requirements Configuring PortPort Mirroring MirroringRemotely Monitoring TrafficRemote Traffic MonitoringWX1200# set snoop snoop1 observer 10.10.30.2 snap-length Editing a Snoop Filter Displaying Configured Snoop FiltersTo delete a snoop filter, use the following command Deleting a Snoop FilterDisplaying the Snoop Filter Mappings for All Radios Following command shows the mapping for snoop filter snoop1Displaying the Snoop Filters Mapped to a Radio Removing Snoop Filter MappingsFollowing command shows statistics for snoop filter snoop1 Filter operates until you manually disable itFollowing command enables snoop filter snoop1 Preparing an Observer Capturing TrafficSet snoop filter-nameall mode enable disable Technical Support Capturing SystemSending it to Corenetsys.core.217.tar Corenetsys.core.217.tar Support WEB View System RequirementsLogging Into Web View Attributes VSAs, listed in on 3Com Mobility System Software MSS supports the standardOn page 652. Also supported are 3Com vendor-specific StatedRcv Sent Access Acct Attribute Type Resp? Reqst? Description Supported Standard Extended AttributesSupported Standard and Extended Attributes Filter-id inboundacl.in Filter-id outboundacl.outDisplayed, they must NAS Radius Acct-Output Yes Users, on 3ComVendor-Specific 3Com VSAs YY/MM/DD-HHMMTraffic Ports Used by MSS Protocol Port FunctionIP/ICMP Dhcp Server Chapter E Dhcp Server Dhcp Server Set interface dhcp-server command’s primary-dnsSet ip dns server command Displayed instead Displaying DhcpServer Information Register Your Service BenefitsSolve Problems Online Product to GainPurchase Extended WarrantyAccess Software ProfessionalCountry Telephone Number Latin America Telephone Technical Support and Repair US and Canada Telephone Technical Support and RepairGlossary GHz and data rates of up to 54 Mbps Radio that can receive and transmit signals at Ieee 802.11b802.11a 802.11bSee ACE See security ACLAES BSS CCI BssidCBC-MAC CcmpCRC ChapCPC CSR DES DhcpDynamic Host See Dhcp Configuration Protocol EAP EAP-TLSFCC ESSEtsi Gbic FDBFhss Hmac GMKGTK IAS HpovHttps ICVInformation element Igmp snoopingIndustry Canada InfrastructureLawn ISLISO LdapMAC MAP MD5MS-CHAP-V2 MICMpdu MTU MsduMSS NATPIM PeapPEM PkcsPMK PSK PRFPrng PTK PVST+RC4 Rssi RSARSN SSH SHASIP SsidSSL STPTtls TLSTLV NII VlanWatch list Vlan globVSA Web ViewWEP WPA WispWlan WPA IEGlossary Glossary Index NumbersSessions, clearing 557 sessions, displaying Cipher suites, RSN enabling ARP Index Index See also MAC addresses MAC addresses Names Https Radius Repair support, Europe, Middle East, and Africa Configuring 717Seed, Mobility Domain configuring 154 defined STP Index Usernames Invalid certificate Case-sensitive Index Command Index Clear summertime Load config 61 Md5 606 mkdir Monitor port counters Command Index Set radius proxy port 729Command Index