Manuals / HP / Computer Equipment / Software

HP Manager Software manual WX4400# set security acl ip acl123 deny 192.168.2.11

Models: Manager Software

1 616

Download 616 pages 38.63 Kb

Page 444

444CHAPTER 12: SECURITY ACL COMMANDS

The following command adds an ACE to acl_123 that denies packets from IP address 192.168.2.11:

WX4400# set security acl ip acl_123 deny 192.168.2.11 0.0.0.0

The following command creates acl_125 by defining an ACE that denies TCP packets from source IP address 192.168.0.1 to destination IP address 192.168.0.2 for established sessions only, and counts the hits:

WX4400# set security acl ip acl_125 deny tcp 192.168.0.1 0.0.0.0 192.168.0.2 0.0.0.0 established hits

The following command adds an ACE to acl_125 that denies TCP packets from source IP address 192.168.1.1 to destination IP address 192.168.1.2, on destination port 80 only, and counts the hits:

WX4400# set security acl ip acl_125 deny tcp 192.168.1.1 0.0.0.0 192.168.1.2 0.0.0.0 eq 80 hits

Finally, the following command commits the security ACLs in the edit buffer to the configuration:

WX4400# commit security acl all configuration accepted

See Also

clear security acl on page 424

commit security acl on page 427

display security acl on page 429

set security acl map Assigns a committed security ACL to a VLAN, physical port or ports, virtual port, or Distributed MAP on the WX switch.

To assign a security ACL to a user or group in the local WX database, use the command set user attr, set mac-user attr, set usergroup attr, or set mac-usergroup attr with the Filter-Id attribute. To assign a security ACL to a user or group with Filter-Id on a RADIUS server, see the documentation for your RADIUS server.

Image 444

HP Manager Software manual WX4400# set security acl ip acl123 deny 192.168.2.11

Contents

Wireless LAN Mobility System 3CRWXR10095A, 3CRWX120695A, 3CRWX440095A3Com Corporation 350 Campus Drive Marlborough, MA USA Contents Clear banner motd Clear history Clear prompt Set system location102 104126 Display ip alias 127 174 Set summertime 177 Set system ip-address 179 180 Set timezone 181 Display dhcp-client 182183 Display snmp community 186 187245 MAP Access Point Commands by Usage 272 Clear radio-profile 274 Clear service-profile 275 276Set user group 258 Set usergroup 259 Set web-aaa 260 267318 STP Commands Security ACL Commands by Usage 423 clear security acl 395Set spantree portvlanpri 396 Set spantree priority 397 414Commands by Usage 447 Display security acl hits 430 Display security acl info 431432 448 Crypto certificate 449500 503525 525 Display rfdetect visible 526528 530Dir Display boot 547 Display config 548 549561 Clear log trace 562 Clear traceSystem LOG Commands Register Your Product 607Page Conventions List conventions that are used throughout this guide„ Wireless LAN Switch Manager 3WXM Release Notes „ Wireless LAN Switch and Controller Release NotesDocumentation Comments Pddtechpubscomments@3com.com„ Document title „ Document part number and revision on the titleExample Overview Set enablepass Clear interface vlan-idipClear fdb dynamic port port-list vlan vlan-id Text Entry ConventionsMAC Address NotationMasks Subnet MasksWildcard Masks User GlobsGives examples of user globs MAC Address GlobsUser Globs WX1200# set port enable Vlan GlobsMatching Order for Globs „ a single port number. For exampleCommand-Line WX1200# reset portEditing Operating systemsWX1200# display i Tab Using CLI Help At your access level, type the help command. For exampleWX1200# display i? Understanding Command Descriptions Set ap dap name command has the following complete syntaxWX1200# display ip ? WX1200# display ip telnetCommands by DisableSyntax disable Defaults None UsageEnable QuitSet enablepass Access Commands System Service Commands To located commands in this chapter based on their useBanner with an empty banner by typing the following command Clear banner motdClear history „ display banner motd onClear prompt Clear systemDisplay banner MotdDisplay Base-information„ clear banner motd on Defaults None Access All Display licenseDisplay system See Also „ set license onDescribes the fields of display system output Display system outputNvram size /SDRAM size percent of total WX switch „ Using CLI Help onHelp Syntax helpSet auto-config HistorySyntax history „ clear history onSet auto-config Enable the Dhcp client on Vlan Enable the auto-config optionWX-1200#crypto generate key admin 1024 key pair generated Common Name remoteswitch1@example.comSave the configuration changes „ Delimiting character that begins and ends the messageSyntax set banner motd text Set confirm See Also „ clear banner motd on „ display banner motd onThat might have a large impact on the network Syntax set confirm on offSet length Examples To turn off these confirmation messages, typeWX4400# clear vlan red WX4400# set confirm offInstalls an upgrade license, for managing more MAPs Set licenseSee Also „ display license on Set prompt Syntax set prompt stringSet system contact Stores a contact name for the WX switch Set systemCountrycode Country CodesCountry Code Country Codes Ip-address Mobility Domain„ ip-addr- IP address, in dotted decimal notation WX1200# set system country code CASyntax set system location string Syntax set system name stringSet system name System Service Commands Port Commands Locate commands in this chapter based on their useThat are using the MAP Clear dapRemoves a Distributed MAP „ set dap onClear port-group „ name name Name of the port groupSee Also „ set port-groupon „ display port-groupon Syntax clear port-group name nameClear port PreferenceClear port name Removes the name assigned to a port See Also „ display port status on „ set port name onClear port type „ display port preference on„ set port preference on PortDisplay port CountersDisplay port-groupShows port group information WX1200 display port counters octets portSyntax display port-group all name group-name Describes the fields in the display port-group output See Also „ clear port-groupon „ set port-grouponDescribes the fields in this display Output for display port-groupDisplay port Output for display port preference WX4400# display port preference Port PreferenceSyntax display port status port-list Output for display port status WX1200# display port statusMonitor port See Also „ clear port type on„ set port negotiation on „ set port speed onKey Controls for Monitor Port Counters Display Output for monitor port counters WX4400# monitor port countersCorrect length but contained an invalid See Also „ display port counters on Reset port Set dapPort Commands Set dap Following command removes Distributed MAP Administratively disables or reenables a portSyntax set port enable disable port-list Set portSee Also „ reset port on Configured together as a single logical linkSingle logical link With no spacesName or number in other CLI commands Set port nameSee Also „ clear port-groupon „ display port-groupon Syntax set port port name nameFollowing command enables autonegotiation on port Syntax set port negotiation port-listenable disableWX1200# set port negotiation 3,5 disable WX1200# set port negotiation 2 enableAccess points Following command enables PoE on ports 4See Also „ set port type ap on „ set port type wired-authon Set port poeSet port speed Changes the speed of a portSyntax set port preference port-listrj45 WX4400# set port preference 2 rj45Set snmp profile command Set port trapMp-352mp-372- MAP access point model WX1200# set port trap 3-4 enable„ poe enable disable Power over Ethernet PoE state „ 11a 802.11a „ 11b 802.11b „ 11g 802.11g„ radiotype 11a 11b 11g Radio type Defaults All WX ports are network ports by default MAP Access Port Defaults WX1200# set port type ap 1-3,5 model ap3750 poe enableWX1200# set port type ap 1-3,5 model ap8250 poe enable Wired-auth Before changing the port type from ap to wired-author fromCommand Set port typeWired Authentication Port Details Vlan membershipSee Also „ clear port type on „ set port type ap on Port Commands Vlan Commands Clear fdb Deletes an entry from the forwarding database FDBSyntax clear fdb perm static dynamic Clear vlan „ display fdb onPort from the VLAN, make sure you specify the port number Following command completely removes Vlan marigold See Also „ set vlan port on „ display vlan config onDisplay fdb Displays entries in the forwarding databaseWX4400# display fdb all Describes the fields in the display fdb output See Also „ clear fdb onOutput for display fdb WX4400# display fdbAgingtime See Also „ set fdb agingtime onDisplay roaming StationDescribes the fields in the display See Also „ display roaming vlan onOutput for display roaming station Output for display roaming vlan Syntax display roaming vlanWX4400# display roaming vlan See Also „ display vlan config on Display tunnelOutput for display tunnel Syntax display tunnelDisplay vlan config Output for display vlan configSyntax display vlan config vlan-id WX1200# display vlan config burgundySet fdb Adds a permanent or static entry to the forwarding databaseSyntax set fdb perm static See Also „ clear fdb on „ display fdb on Syntax set fdb agingtime vlan-idage secondsSet vlan name See Also „ display fdb agingtime onCreates a Vlan and assigns a number and name to it Syntax set vlan vlan-numname nameSet vlan port Tag value to be the same but some other switches do Set vlanTunnel-affinity Adds ports 1 through 3 to the VlanSee Also „ display roaming vlan on „ display vlan config on IP Services Commands To locate commands in this chapter based on their useIP Services Commands by Usage DNSAccess Enabled History Introduced in MSS Version Clear interfaceRemoves an IP interface Syntax clear interface vlan-idipClear ip alias See Also „ display ip alias onSyntax clear ip alias name Clear ip dns domain Removes the default DNS domain name „ ip-addr- IP address of a DNS serverSyntax clear ip dns domain WX1200# clear ip dns domainDefault is an alias for IP address 0.0.0.0/0 Clear ip route„ clear ip dns domain on See Also „ display ip route on „ set ip route onDefaults The default Telnet port number is Telnet management traffic to its defaultRemoves an NTP server from a WX switch configuration Clear ip telnetUpdate-interval Clear ntpClear snmp CommunitySyntax clear snmp community name comm-string „ display snmp community onClear snmp profile Clear snmp trapReceiver Clear snmp usmSee Also „ set snmp usm on „ display snmp usm on Syntax clear summertimeClear timezone Use the addressDisplay arp Usage AllShows the ARP table Syntax display arp ip-addr„ set arp on „ set arp agingtime onOutput for display arp Shows the IP aliases configured on the wireless LAN switch Display ip aliasSee Also „ set interface on „ set interface status on Output for display interfaceExamples The following command displays the DNS information Display ip dns„ clear ip alias on „ set ip alias onDisplay ip https Shows information about the Https management portOutput for display ip dns Syntax display ip httpsOutput for display ip https WX4400# display ip httpsDisplay ip route Shows the IP route tableSyntax display ip route destination WX4400# display ip routeOutput of display ip route FieldDescriptionOutput for display ip telnet Syntax display ip telnetWX4400 display ip telnet Examples To display NTP information for a WX switch, type Display ntpShows NTP client information Output for display ntp„ set ntp server on „ set summertime on „ set timezone on Configuration Shows Snmp settings on a wireless LAN switchExamples To display Snmp settings on a WX switch, type Display snmpOutput of display snmp configuration Defaults There is no summertime offset by default SummertimeSyntax display summertime WX1200# display summertimeWX1200# display timedate Syntax display timezoneWX4400# display timezone Defaults „ count „ set timedate on „ set timezone onSet arp „ traceroute onFollowing command disables ARP aging See Also „ set arp agingtime onSyntax set arp agingtime seconds WX1200# set arp agingtimeSet interface Syntax set interface vlan-idip dhcp-client enable disable Dhcp-client„ clear interface on Configures the MSS Dhcp server „ enable Enables the Dhcp server„ disable Disables the Dhcp server Defaults The Dhcp server is enabled by default on a newSee Also „ display dhcp-serveron Syntax set interface vlan-idstatus up downAliases as shortcuts in CLI commands Set ip aliasSet ip dns See Also „ clear ip alias on „ display ip alias onSyntax set ip dns domain name WX1200# set ip dns domain example.comSyntax set ip dns server ip-addrprimary secondary WX switch is disabled Syntax set ip https server enable disableSyntax set ip route default ip-addr mask Set ip routeSet ip route Syntax set ip snmp server enable disable WX4400# set ip snmp server enable Set ip ssh„ clear snmp notify target on Secure Shell SSH management trafficAbsolute-timeout „ set ip ssh absolute-timeouton„ set ip ssh idle-timeouton „ set ip ssh server onIdle-timeout Also disabledSet ip ssh server Maximum number of SSH sessions supported on a WX switch is Set ip telnetHistory -Introduced in MSS Version Telnet management trafficSyntax set ip telnet server enable disable Enables or disables the NTP client on a wireless LAN switch Configures a wireless LAN switch to use an NTP serverSet ntp Set ntp serverRFC 1305, Network Time Protocol Version 3 Specification Defaults The default NTP update interval is 64 secondsImplementation and Analysis NTP serverSet snmp User. SNMPv3 does not use community stringsSet snmp community Set snmp notify TargetSNMPv3 with Informs SNMPv3 with Traps Usm trap user usernameSNMPv2c with Informs SNMPv2c with Traps SNMPv1 with TrapsSuccess change accepted „ notification-type- Any of the items in Table Snmp notification typesPoint Snmp notification types WX-1200#set snmp notify profile snmpprofrfdetect send RFDetectRogueDisappearTraps success change accepted Syntax set snmp protocol v1 v2c usm all enable disable WX-1200# set snmp security encrypted success change accepted Versions, use the set snmp community command to configure Set snmp trapSet snmp usm Community strings„ auth-type none md5 sha auth-pass-phrase string IP Services Commands WX-1200# set snmp usm securesnmpmgr1 snmp-engine-id Auth-type sha auth-pass-phrase myauthpwordEncrypt-type 3des encrypt-pass-phrase mycryptpword WX1200# set summertime PDT success change accepted Following WX4400# set interface taupe ip 10.10.20.20/24Sets the time of day and date on the wireless LAN switch Set timedateSyntax set timedate date mmm dd yyyy time hhmmss WX4400# set timedate date feb 29 2004 time 235800It is enabled Set timezoneWX1200# set timezone PST Output for display dhcp-client Syntax display dhcp-clientWX-1200# display dhcp-client See Also „ set interface dhcp-clienton Display dhcp-serverDisplays MSS Dhcp server informationSyntax display dhcp-server interface vlan-id verbose WX-1200#display dhcp-serverDescribe the fields in these displays Output for display dhcp-serverDisplay dhcp-server See Also „ set interface dhcp-serveron Output for display dhcp-client verboseDisplays the configured Snmp community strings Outpot for display snmp communitySyntax display snmp community WX-1200#display snmp communityDisplays Snmp statistics counters Syntax display snmp countersWX-1200#display snmp counters Syntax display snmp notify profile WX-1200#display snmp notify profileSee Also „ clear snmp profile on „ set snmp profile on Syntax display snmp notify targetWX-1200#display snmp notification target Output for display snmp notification target User Name of the Snmp user EngineIDOutput for display Snmp status WX-1200#display snmp statusSwitch has booted „ display snmp notify target on „ display snmp usm on Output for display snmp usmWX-1200#display snmp usm USM users See Also „ clear snmp usm on „ display snmp usm on Telnet Opens a Telnet client session with a remote deviceWX4400# telnet Defaults „ dnf DisabledTraceroute See Also „ clear sessions on „ display sessions on„ no-dns- Disabled „ port „ queries „ size „ ttl„ wait Ctrl+CError messages for traceroute „ ping onLocate commands in this chapter based on their use This chapter presents AAA commands alphabetically. Use toAAA Commands by Usage Display accounting statistics on Syntax clear accounting admin dot1x user-glob WX4400# clear accounting dot1x NinClear authentication AdminSyntax clear authentication console user-glob WX4400# clear authentication console ReginaConsoleConsole Syntax clear authentication dot1x ssid ssid-namewired Clear authentication Removes a MAC authentication rule. mac Syntax clear authentication last-resort ssid ssid-namewiredWX4400# clear authentication last-resort wired Syntax clear authentication mac ssid ssid-namewiredAccess Enabled History -Introduced in MSS WX4400# clear authentication mac ssid thatcorp aabbccSyntax clear authentication proxy ssid ssid-nameuser-glob See Also „ set authentication proxy on „ on Clear authentication Removes a WebAAA rule. webWX-1200#clear authentication proxy ssid mycorp Syntax clear location policy rule-number User who is authenticated by a MAC address Clear mac-userRadius server Syntax clear mac-user mac-addrWX switch, for a user who is authenticated by a MAC address GroupACL from the profile of a user at MAC address For your Radius serverClear Mac-usergroupMac-usergroup attr „ set mobility-profile mode on Mobility-profileClear user „ set mobility-profileonDatabase on the WX switch, for a user with a password Clear user attrNin „ set user onClear user group Clear usergroupUsergroup „ clear usergroup onSyntax clear usergroup group-name attr attribute-name Displays all current AAA settings Secion added to indicate the state of the WebAAA featureDisplay aaa Time-Of-Day attribute from the groupDescribes the fields that can appear in display aaa output Display aaa OutputDisplay aaa Output Stored in the local database on the WX switch Display accountingStatistics Statistics outputDisplay accounting statistics On an WX switch Display locationPolicy „ clear location policy onAdmin console Set accountingAre sent Server when the user roams Accesses the switch using Telnet or Web ManagerAuthenticated by Authenticated by MAC authenticationSet accounting dot1x mac web Set authentication Set authentication admin Through the switch’s console Completing logonGlobs on Following methods in priority order. MSS applies multipleFor more information, see Usage Syntax set authentication dot1x ssid ssid-namewired Set authentication dot1x AAA Commands Success change accepted Syntax set authentication last-resort 235 Syntax set authentication mac Set authentication mac Proxy WX-1200#set authentication proxy ssid mycorp ** srvrgrp1 Syntax set authentication web ssid ssid-namewiredAAA Commands Set location policy For details, see Vlan Globs on Set location policy WX4400# set location policy deny if user eq *.theirfirm.com Set mac-user Tempvendora into Vlan kiosk1See Also „ clear mac-useron „ display aaa on Authentication Attributes for Local Users Authentication Attributes for Local Users Filter-id outboundacl.outYY/MM/DD-HHMM Time-of-day WX4400# set mac-user 010203040506 attr filter-id acl-03.in See Also „ clear mac-user attr on „ display aaa on Syntax set mac-usergroupSee Also „ clear mac-usergroup attr on „ display aaa on Syntax set mobility-profile name name port none allAAA Commands Syntax set mobility-profile mode enable disable „ set user attr on „ set usergroup onSet user Set user attr 29Jan04„ clear user on OrangeThat exists in the local database on the WX switch Set user group„ clear user attr on ServerAssigns authorization attributes for the group To add a user to a group, user the command set user groupSet usergroup Examples To disable WebAAA, type the following command Syntax set web-aaa enable disableSet web-aaa To locate commands in this chapter based on their use Mobility Domain Commands by UsageMobility-domain MemberDisplay mobility-domain config Displays the configuration of the Mobility DomainStatus See Also „ set mobility-domain member onDisplay mobility-domain Output WX4400# display mobility-domain statusCommand is rejected SetSyntax set mobility-domain member ip-addr Mode member Seed, this command overwrites that configurationSeed-ip 192.168.1.8Set mobility-domain mode seed domain-name Syntax set mobility-domain mode seed domain-nameMobility Domain Commands Commands Type Command Set ap dap radio auto-tune max-power on Set ap dap radio auto-tunemin-client-rateon Clear ap dap RadioSyntax clear ap port-listdap dap-num radio 1 2 all Radio-Specific Parameters WX1200# clear ap 3 radioSyntax clear radio-profile name parameter „ name Service profile name Syntax clear service-profile nameSee Also „ clear radio-profileon „ set radio-profile mode on WX1200# display ap config WX4400# display dap configOutput for display ap config DAP„ set port type ap on „ set ap dap bias on WX1200# display ap counters Output for display ap counters Tkip Pkt ReplaysSee Also „ display sessions network on Ccmp Pkt ReplaysOutput for display ap dap qos-stats WX-1200#display dap qos-statsOutput of display ap etherstats Syntax display ap dap etherstats port-listdap-numWX4400# display dap etherstats Access point groups „ name Name of an MAP group or Distributed MAP groupSyntax display ap dap group name „ set ap dap group on Output for display ap groupWX1200# display ap group loadbalance1 MAP WX4400# display dap statusOutput for display ap status WX1200# display ap statusOutput for display ap status Decide whether to change channel or power settings Display auto-tuneAttributes Syntax display auto-tune attributesSee Also „ display auto-tune neighbors on Output for display auto-tune attributesWX1200# display auto-tune attributes ap 2 radio Neighbors 3Com radio can hearSyntax display auto-tune neighbors Ap map-numradio 1 2allOutput for display auto-tune neighbors Display auto-tune Neighbors ap 2 radioDisplay dap global command Display dapConnection Output of display dap connection Dap connection serial-id M9DE48B6EAD00Syntax display dap global dap-numserial-id serial-ID Output for display dap global WX4400# display dap globalUnconfigured But that are not configured on any WX switchesLonger appears in the command’s output Network port is a member of a VlanOutput for display dap unconfigured Radio-profileDisplays radio profile information Syntax display radio-profile name ?WX4400# display radio-profile default Output for display radio-profileTune Channel Ssid Service-profile Displays service profile information„ name Displays information about the named service profile „ ? Displays a list of service profilesDisplay service-profile Other WPA parameters Reset ap dap Dap auto mode enable command Usage lists the configurable template parameters and theirListed in . The commands are listed in the See Also section Configurable Template Parameters for Distributed MAPsWX1200# set dap auto success change accepted Syntax set dap auto mode enable disable Radiotype Template„ Radio type „ 11a-802.11a „ 11b-802.11b „ 11g-802.11g See Also „ set dap auto onSyntax set ap port-listdap dap-numauto bias high low See Also „ display ap dap config on Blink enable disable Syntax set dap num fingerprint hex„ ap port-list- List of MAP access ports to add to the group WX1200# set ap 4 group none success change accepted Set ap dap name Changes an MAP name „ antennatype ANT1060 ANT1120 ANT1180 internal „ antennatype ANT5060 ANT5120 ANT5180 internalSet ap dap radio auto-tune max-power Radio 1 2 auto-tune max-power power-levelSet ap dap radio auto-tune max- retransmissions Radio 1 2 auto-tune max-retransmissions retransmissionsSet ap dap radio auto-tune max- retransmissions Set ap dap radio channel Sets an MAP radio’s channelSyntax set ap port-listdap dap-numradio 1 „ display ap dap config on Set ap dap radio auto-tune min-client-rateRadio 1 2 auto-tune min-client-rate rate Examples Set ap 6 radio 1 min-client-rateSet ap dap radio mode Enables or disables a radio on an MAP access pointFollowing command enables radio 2 on ports 1 through Radio 1 2 mode enable disableDefaults None Set ap dap radio tx-power Sets an MAP radio’s transmit powerSyntax set dap security require none optional WX-1200#set dap security require Upgrade-firmware Set ap dapSet radio-profile 11g-onlySet radio-profile auto-tune channel-config Syntax set radio-profile name active-scan enable disableSet radio-profile auto-tune channel-holddown Syntax set radio-profile name auto-tune channel-holddownSet radio-profile auto-tune channel-interval Syntax set radio-profile name auto-tune channel-intervalSet radio-profile auto-tune power-backoff- timer Syntax set radio-profile name auto-tune power-backoff-timerSet radio-profile auto-tune power-config WX4400# set radio-profile rp2 auto-tune power-backoff-timerSet radio-profile auto-tune power-interval Beacon-interval Clients from being able to use rogue access points „ rogue Configures radios to attack rogues onlyDefaults Countermeasures are disabled by default Following command disables countermeasures in radio profileSyntax set radio-profile name dtim-interval interval Syntax set radio-profile name frag-threshold threshold Syntax set radio-profile name long-retry thresholdSyntax set radio-profile name max-rx-lifetime time Syntax set radio-profile name max-tx-lifetime time Mode Set radio-profile mode WX4400# set radio-profile rp1 mode enable Syntax set radio-profile name Syntax set radio-profile name service-profile name Syntax set radio-profile name rts-threshold thresholdDefaults for Service Profile Parameters Parameter Default Value To Default ValueSet radio-profile auth-psk command 349 Short-retry WmmSyntax set service-profile Name auth-dot1x enable disable WPA IE Set service-profile auth-fallthru Syntax set service-profile name auth-psk enable disable Syntax set service-profile name beaconed enable disable Set service-profile Cipher-ccmpCipher-tkip Use the set service-profile wep commands Cipher-wep104Cipher-wep40 Syntax set service-profile name psk-phrase passphrase Syntax set service-profile name psk-raw hex See Also „ set service-profilecipher-ccmpon Syntax set service-profile name rsn-ie enable disableSet service-profile auth-psk command Syntax set service-profile name ssid-name ssid-nameSee Also „ set service-profilessid-typeon SyntaxSee Also „ set service-profilessid-nameon Syntax set service-profile name tkip-mc-time wait-timeSsid managed by the service profile Syntax set service-profile name web-aaa-form urlWeb-aaa-form WX4400# mkdir corpa-ssid success change acceptedSet service-profile wep active-multicast- index „ copy on „ dir on„ mkdir on Set service-profile wep active-unicast- index Syntax set service-profile name wep active-unicast-index numWep key-index Syntax set service-profile name wpa-ie enable disable STP Commands by Table to locate commands in this chapter based on their useSTP Commands by Usage STP root bridge in all VLANs on a WX switch Clear spantreePortcost Syntax clear spantree portcost port-listPortpri Portvlancost„ clear spantree portvlanpri on „ set spantree portpri onPortvlanpri „ clear spantree portcost on„ clear spantree portpri on See Also „ display spantree statistics onSpantree vlan default Syntax display spantreeOutput for display spantree RootOr disabled Display spantreeBackbonefast „ display spantree blockedports onBlockedports „ set spantree backbonefast onSee Also „ display spantree on Portfast For one or more network portsSee Also „ set spantree portfast on Output for display spantree portfastPort’s VLANs „ port-list- List of portsSyntax display spantree portvlancost port-list Syntax display spantree statisticsWX4400# display spantree statistics Topology change Timer value Hold timer Output for display spantree statistics Vlan Vlan IDConfigpending Switch is the root or is attempting to become the root See Also „ clear spantree statistics on Syntax display spantree uplinkfast vlan vlan-idSet spantree „ set spantree uplinkfast onExamples The following command enables STP on all VLANs Configured on a WX switchFollowing command disables STP on Vlan burgundy An indirect linkFwddelay „ display spantree backbonefast onIssues a topology change message MaxageVLANs to 4 seconds „ all Changes the maximum age on all VLANsType. lists the defaults for STP port path cost STP Port Path Cost DefaultsPath to the STP root bridge 65,535. STP selects lower-cost paths over higher-cost pathsPortvlancost command See Also „ display spantree portfast on Syntax set spantree portpri port-listpriority valueBridge for a specific Vlan on a wireless LAN switch „ all Changes the cost on all VLANsType. See on To 20 in Vlan mauvePath to the STP root bridge, on one Vlan or all VLANs PortsHighest priority through 255 lowest priority „ all Changes the priority on all VLANsPriority UplinkfastSee Also „ display spantree uplinkfast on Igmp Snooping Commands Igmp Commands by UsageClear igmp statistics Display igmpSee Also display igmp statistics on TTL Output for display igmp TTL Mrouter Syntax display igmp mrouter vlan vlan-idWX1200# display igmp Mrouter vlan orange Defaults None Access Enabled Only one querierSyntax display igmp querier vlan vlan-id WX1200# display igmp querier vlan default Output for display igmp mrouterWX1200# display igmp querier vlan orange WX1200# display igmp querier vlan redReceiver-table „ set igmp querier onSee Also „ set igmp receiver on Output for display igmp receiver-tableIgmp Receiver-table group 237.255.255.0/24 Shows Igmp statistics „ vlan vlan-id Vlan name or number. If you do not specify aSyntax display igmp statistics vlan vlan-id WX1200# display igmp statistics vlan orangeOutput of display igmp statistics From the multicast routers in the subnetWireless LAN switch See Also „ set igmp rv onVLANs on a wireless LAN switch VLAN, the timer change applies to all VLANsSet igmp lmqi From 1 through 65,535Syntax set igmp mrouter port port-listenable disable See Also „ display igmp statistics onEnables or disables multicast router solicitation by a WX Syntax set igmp mrsol enable disable vlan vlan-idSet igmp mrsol See Also „ set igmp mrsol mrsi onSet igmp oqi See Also „ set igmp mrsol onAll VLANs on a WX Syntax set igmp oqi seconds vlan vlan-idSet igmp Proxy-report„ set igmp lmqi on „ set igmp qri onSet igmp qi Syntax set igmp qi seconds vlan vlan-idSet igmp qri VLANs on a WXGroup. You can specify a value from 1 through 65,535 Syntax set igmp querier enable disable vlan vlan-id Syntax set igmp receiver port port-listenable disableSee Also „ display igmp querier on Set igmp rv Set igmp rv Igmp Snooping Commands Security ACL Commands Security ACLSyntax clear security acl acl-name all editbuffer-index WX4400# commit security acl acl133 configuration accepted Syntax clear security acl map acl-nameall vlan vlan-id Syntax commit security acl acl-nameall WX4400# commit security acl all WX4400# display security aclSyntax display security acl dscp Examples The following command displays the table See Also „ set security acl onWX-1200#display security acl dscp Syntax display security acl editbufferWX4400# display security acl editbuffer Syntax display security acl hitsSee Also „ hit-sample-rateon „ set security acl on WX4400# display security acl hitsSyntax display security acl info acl-nameall editbuffer Display security acl MapSecurity ACL is assigned Syntax display security acl map acl-nameResource-usage ACL acl111 is mappedSupport for your Product on WX4400# display security acl map acl111WX4400# display security acl resource-usage Output of display security acl resource-usage Output of display security acl resource-usage Hit-sample-rate Packets filtered by the security ACL or hitsSyntax hit-sample-rate seconds Syntax rollback security acl acl-nameall Set security acl Protocol, or IP, ICMP, TCP, or UDP packet informationBy Icmp packets By TCP packetsBy UDP packets „ ip „ tcp „ udp „ icmp Security ACL Commands Set security acl WX4400# set security acl ip acl123 deny 192.168.2.11 Set security acl map Security ACL Commands To locate commands in this chapter based on their use Cryptography Commands by UsageSyntax crypto ca-certificate admin eap webaaa Syntax crypto certificate admin eap webaaa See Also „ display crypto ca-certificateonAccess Enabled History -Introduced in MSS Version Syntax crypto generate key admin eap ssh webaaa 512 1024 See Also display crypto key ssh onSyntax crypto generate request admin eap webaaa WX4400# crypto generate request admin Email Address admin@example.comSyntax crypto generate self-signed admin eap webaaa See Also „ crypto certificate on „ crypto generate key onWX4400# crypto generate self-signed admin Crypto otp Crypto pkcs12 „ crypto pkcs12 onSee Also „ crypto otp on WX4400# crypto otp eap hap9iN#ssDisplay crypto Ca-certificatePkcs #7 certificate Display crypto ca-certificate OutputOn the WX switch Syntax display crypto certificate admin eap webaaaCertificate Describes the fields of the displaySee Also crypto generate key on Syntax display crypto key sshCryptography Commands Locate commands in this chapter based on their uses Radius Commands by UsageClear radius See Also „ display aaa on „ set radius client system-ipon Syntax clear radius client system-ipSee Also „ set radius proxy client on See Also „ set radius proxy port onSyntax clear radius proxy client all Syntax clear radius proxy port allSee Also „ display aaa on „ set radius server on Syntax clear radius server server-nameSyntax clear server group group-nameload-balance Set radius „ set server group onSet radius client System-ip„ clear radius server on WX4400# set radius client system-ipsuccess change accepted Set radius proxy Port„ clear radius proxy client on To 32 characters long, with no spaces or tabs Set radius server WX1200# set server group shorebirds members heron egret Load-balance group „ group-name- Server group name of up to 32 charactersSandpiper Radius and Server Group Commands On the switch Commands on802.1X Commands by Usage PerformanceResets the Bonded Auth period to its default value Clear dot1xBonded-period See Also „ display dot1x on „ set dot1x bonded-periodonPort-control „ set dot1x max-reqonQuiet-period Reauth-max Reauth-period„ set dot1x reauth-maxon See Also „ display dot1x on „ set dot1x reauth-periodon„ set dot1x timeout auth-serveron „ set dot1x timeout supplicant onAuth-server SupplicantTx-period Display dot1x„ set dot1x tx-periodon WX1200# display dot1x config WX4400# display dot1x clientsType the following command to display 802.1X statistics Explains the counters in the display dot1x stats outputWX4400# display dot1x stats Port-control command Set dot1xAuthcontrol Authentication is enabled Examples To enable per-port 802.1X authentication on wiredAuthentication ports, type the following command Machine to start reauthentication for the userSyntax set dot1x key-tx enable disable See Also „ display dot1x on „ clear dot1x bonded-periodonSee Also „ display dot1x on See Also „ clear dot1x max-reqon „ display dot1x onAuthentication dot1X command See Also „ display port status on „ display dot1x onTo a supplicant after a failed authentication Syntax set dot1x reauth enable disableSyntax set dot1x quiet-period seconds Before the supplicant client becomes unauthorized See Also „ display dot1x on „ clear dot1x reauth-maxonSyntax set dot1x reauth-max number-of-attempts Set dot1x timeout Attempts reauthenticationOut a request to a Radius authentication server See Also „ display dot1x on „ clear dot1x reauth-periodonOut an authentication session with a supplicant client Syntax set dot1x timeout supplicant secondsSyntax set dot1x tx-period seconds Syntax set dot1X wep-rekey enable disable Wep-rekeySee Also „ display dot1x on „ clear dot1x tx-periodon Broadcast and multicast encryption keysDefaults The default is 1800 seconds 30 minutes Wep-rekey-period„ seconds Specify a value between 30 and 1,641,600 19 days To 300 secondsClear sessions Telnet sessionsNetwork VLANs, or session IDTo clear session 9, type the following command WX4400# clear sessions network mac-addrWX1200# clear sessions network session-id Display sessions WX4400 display sessions admin WX4400 display sessions consoleWX4400 display sessions telnet See Also „ clear sessions on Display sessions telnet client OutputSyntax display sessions network „ Summary display See on „ Verbose display See on „ display sessions network session-id display See onWX1200# display sessions network WX1200# display sessions network mac-addr 00055d7e981aWX1200# display sessions network verbose WX1200# display sessions network session-idDisplay sessions network summary Output Additional display sessions network verbose OutputTime 802.1X protocol on a wired authentication port Display sessions network session-id OutputSee Also „ clear sessions network on Session Management Commands To locate the commands in this chapter based on their use RF Detection Commands by UsageExamples The following command clears MAC address Clear rfdetectAttack-list Removes a MAC address from the attack listBlack-list Countermeasures Mac Clear rfdetectIgnore Ssid-list „ display rfdetect ignore on„ set rfdetect ignore on „ set rfdetect ssid-listonVendor-list Display rfdetect„ set rfdetect vendor-liston „ display rfdetect vendor-listonRF Detection Commands Countermeasures Mobility DomainDomain Display rfdetect countermeasures OutputDisplays information about the APs detected by a WX switch DataSyntax display rfdetect data Display rfdetect data Output WX1200# display rfdetect dataIgnore list Syntax display rfdetect ignoreWX4400# display rfdetect ignore Total number of entries Bssid mac-addr Displays rogues that are using the specified During RF detection scansSyntax display rfdetect mobility-domain WS1200# display rfdetect mobility-domainSsid 3Com-webaaa WS1200# display rfdetect mobility-domain ssid 3Com-webaaaFollowing command displays detailed information for a Bssid Display rfdetect mobility-domain OutputWX1200# display rfdetect mobility-domain bssid 000b0e0004d1 Display rfdetect mobility-domain ssid or bssid Output WX switch „ display rfdetect data onDisplays the entries in the permitted Ssid list „ clear rfdetect ssid-listonDisplay ap dap status command VisibleDisplay rfdetect visible Output WX1200# display rfdetect visible RadioSet rfdetect Active-scanAddresses of APs and clients Configured. WX switches do not share attack lists Examples The following command adds MAC addressDefaults The client black list is empty by default Configured. WX switches do not share client black listsSet rf detect Countermeasures Mac Set rfdetect ignoreSee Also „ display log buffer on WX switches in a Mobility Domain SignatureExamples The following command adds Ssid mycorp to the list Only for the SSIDs that are on the listPermitted SSIDs Device’s OUI is in the permitted vendor listTrailing 000000 value is required Syntax display rfdetect attack-listWX1200# display rfdetect attack-list Displays the wireless clients detected by an WX switch ClientsSyntax display rfdetect black-list WX1200# display rfdetect black-listDisplay rfdetect clients Output WX1200# display rfdetect ClientsDisplay rfdetect clients mac Output From the wired side of the network addressed to File Management Commands Dir command output Locally on the switchTape archive tar format „ tftp/ip-addr/filename- Name of the archive file to createSyntax clear boot config „ reset system on CopyPerforms the following copy operations „ Copies a file from a Tftp server to nonvolatile storageWX4400# copy test-config new-config WX4400# copy floorwx tftp//10.1.1.1/floorwxFile or the running configuration DeleteImmediately deletes the specified file Syntax delete urlDir Describes the fields in the dir output „ copy on „ delete onOutput for dir Display boot Reboot and configured for use after the next rebootAccess Access Describes the fields in the display boot outputDisplay config Displays the configuration running on the WX switchSyntax display config area area all See Also „ load config on „ save config on And, optionally, for any attached MAP access pointsWX4400# display config area vlan Display versionWX1200# display version WX1200# display version detailsLoad config Running configuration with the commands in the loaded fileDescribes the fields in the display version output Output for display versionFollowing command loads configuration file testconfig1 Syntax load config urlWX4400# load config WX4400# load config testconfig1Mkdir Creates a new subdirectory in nonvolatile storageReset system Restarts an WX switch and reboots the software„ dir on „ rmdir on Restore Generate new key pairs and certificates on the switch„ backup on WX1200# restore system tftp/10.10.20.9/sysabakRmdir Removes a subdirectory from nonvolatile storageSave config Saves the running configuration to a configuration fileSyntax save config filename „ dir on „ mkdir onSet boot Configuration-fileConfiguration Testconfig1Syntax set boot partition boot0 boot1 File Management Commands Trace Commands Deletes running trace commands and ends trace processes Clear log traceClear trace Deletes the log messages stored in the trace bufferWX switch, or all possible trace options Display traceSyntax display trace all WX4400# display traceAuthentication Save traceSet trace Authorization See Also „ clear trace on „ display trace onSet trace dot1x Set trace sm Syntax set trace sm mac-addr mac-address port port-numTrace Commands Snoop Commands Clear snoop Clear snoop map„ display snoop info on Set snoop „ set snoop map on„ display snoop on „ display snoop map onChapter Snoop Commands WX1200# set snoop snoop1 observer 10.10.30.2 snap-length Set snoop map FilterRadio 1 of the MAP Radio 2 of the MAP. This option does not apply toSet snoop mode To an MAP radio and enable the filterEnable stop-afternum-pkts- Enables the snoop filter All snoop filtersDisplay snoop map command For all snoop filters configured on a WX switchDisplay snoop Displays the MAP radio mapping for all snoop filtersDisplay snoop info Shows the configured snoop filters See Also „ clear snoop onSyntax display snoop filter-name WX1200# display snoop info snoop1Snoop map snoop1 Examples display snoop stats filter-namedap-numradioSnoop1 Display snoop stats OutputSnoop stats snoop1 Chapter Snoop Commands Clear log Syntax clear log buffer server ip-addrSee Also „ clear log trace on You can view event messages archived in the buffer Log buffer facility ?WX4400# display log buffer facility AAA „ display log config on Log config„ clear log on „ set log on „ clear log onSyntax display log trace +-/number-of-messages Set log Storage„ console Sets log parameters for console sessions Address in dotted decimal notation„ trace Sets log parameters for trace files See Also See Also „ display log config on Set log traceMbytes System LOG Commands Boot Prompt Commands Boot PromptAutoboot Boot „ BT=type Boot type„ DEV=device Location of the system image file „ FN=filename System image filename„ change on „ display on Change Syntax changeCreate Syntax createUsage When you type the delete command, the next-lower Examples To remove the currently active boot profile, typeProfiles, see display on Syntax deleteDiag Syntax diagSyntax display Defaults None Output of display command „ change on „ create on „ delete on „ next onFver For an individual command „ command-name- Boot prompt commandDisplays a list of the boot prompt commands „ ls onNext Syntax nextReset Resets a WX switch’s hardwareSyntax reset Command at the boot prompt„ on Enables the poweron test flag „ OFF Disables the poweron test flagDefaults The poweron test flag is disabled by default TestDir or fver command Type the following command at the boot promptVersion Syntax versionServices Register YourProduct PurchaseAccess Software TroubleshootOnline DownloadsContact Us Country Telephone Number Latsupportanc@3com.comIndex Delete 544, 597 diag Dir 545, 598 disable 33 display Index Index Index Traceroute Version