Manuals / Nortel Networks / Computer Equipment / Switch

Nortel Networks 2300 manual Placing One ACE before Another

Models: 2300

1 658

Download 658 pages 6.46 Kb

Page 371

Configuring and Managing Security ACLs 371

Placing One ACE before Another

You can use the before editbuffer-indexportion of the set security acl command to place a new ACE before an existing ACE. For example, suppose you want to deny some traffic from IP address 192.168.254.12 in acl-111. Follow these steps:

1To display all committed security ACLs, type the following command:

23x0# show security acl info all

ACL information for all

set security acl ip acl-111 (hits #4 0)

----------------------------------------------------

1.permit IP source IP 192.168.253.11 0.0.0.0 destination IP

any

set security acl ip acl-2 (hits #1 0)

----------------------------------------------------

1.permit L4 Protocol 115 source IP 192.168.1.11 0.0.0.0 destination IP 192.168.1.15 0.0.0.0 precedence 0 tos 0 enable-hits

2To add the deny ACE to acl-111and place it first, type the following commands:

23x0# set security acl ip acl-111 deny 192.168.254.12 0.0.0.255 before 1

23x0# commit security acl acl-111 success: change accepted.

3To view the results, type the following command:

23x0# show security acl info all

ACL information for all

set security acl ip acl-111 (hits #4 0)

----------------------------------------------------

1.deny IP source IP 192.168.254.12 0.0.0.255 destination IP

any

2.permit IP source IP 192.168.253.11 0.0.0.0 destination IP

any

set security acl ip acl-2 (hits #1 0)

----------------------------------------------------

1.permit L4 Protocol 115 source IP 192.168.1.11 0.0.0.0 destination IP 192.168.1.15 0.0.0.0 precedence 0 tos 0 enable-hits

Nortel WLAN Security Switch 2300 Series Configuration Guide

Image 371

Nortel Networks 2300 manual Placing One ACE before Another

Contents

Nortel Wlan Security Switch 2300 Series Configuration Guide Statement of conditions Copyright Nortel Networks Limited 2005. All rights reservedTrademarks Restricted rights legendNortel Inc. software license agreement USA requirements onlyLegal Information Limited Product WarrantyLimited Warranty Software License Agreement Nortel Wlan Security Switch 2300 Series Configuration Guide SSH Source Code Statement OpenSSL Project License Statements Class a Statement RF Radiation Hazard Warning Deployment Statement 320657-A Contents Configuring and Managing Ports and VLANs Configuring and Managing IP Interfaces and Services Configuring Snmp Configuring and Managing Mobility Domain Roaming Configuring AP access points Wi-Fi Multimedia Configuring and Managing Igmp Snooping Managing Keys and Certificates Configuring AAA for Network Users Configuring Communication with Radius Managing 802.1X on the WSS Switch Managing System Files Troubleshooting a WS Switch Supported Radius Attributes Contents 320657-A Getting Help from the Nortel Web site How to get HelpGetting Help over the phone from a Nortel Solutions Center Getting Help through a Nortel distributor or reseller Nortel Wlan 2300 System Introducing the Nortel Wlan 2300 SystemDocumentation Planning, Configuration, and DeploymentSafety and Advisory Notices Bold text Menu Name CommandText and Syntax Conventions CLI Conventions Using the Command-Line InterfaceNT-mm-nnnnnn Command PromptsClear fdb dynamic port port-list vlan vlan-id Set port enable disable port-listSyntax Notation Clear interface vlan-idipIP Address and Mask Notation Text Entry Conventions and Allowed CharactersMAC Address Notation 0001 User Wildcards, MAC Address Wildcards, and Vlan WildcardsUser Wildcards MAC Address Wildcards000102 00010203 0001020304 Vlan WildcardsMatching Order for Wildcards 23x0# show port poe 1,2,4,13 23x0# set port enable23x0# reset port Port ListsVirtual LAN Identification Command-Line Editing Keyboard Shortcuts Function Keyboard ShortcutsHistory Buffer Tabs Single-Asterisk * Wildcard Character Double-Asterisk ** Wildcard Characters 23x0# show i? Using CLI Help23x0# help Commands Set ap dap name Understanding Command DescriptionsServer Status Port Enabled 23x0# show ip telnetOverview of AAA for Administrative and Local Access Configuring AAA for Administrative and Local AccessConfiguring AAA for Administrative and Local Access Typical Nortel Wlan 2300 System Before You StartAbout Administrative Access Access Modes Types of Administrative Access First-Time Configuration using the ConsoleUsername Enabling an AdministratorPassword 23x0 enable23x0# set enablepass Setting the WSS Switch Enable PasswordSetting the WSS Enable Password for the First Time WMS Enable PasswordConfiguring AAA for Administrative and Local Access 23x0# set authentication console * local Authenticating at the ConsoleCustomizing AAA with Wildcards and Groups Setting User Passwords Success User Jose created Configuring Accounting for Administrative UsersAdding and Clearing Local Users for Administrative Access Set user username password password23x0# show accounting statistics 23x0# show aaa Displaying the AAA ConfigurationSaving the Configuration 23x0# save config configdayAdministrative AAA Configuration Scenarios Local Authentication 23x0# set server group sg1 members r1 Success change acceptedLocal Override and Backup Local Authentication Authentication When Radius Servers Do Not Respond Configuring and Managing Ports Configuring and Managing Ports and VLANsVlan Setting the Port TypeShow version WSS 2380 40 AP Software License UpgradeSetting a Port for a Directly Connected AP access port 23x0# set port type ap 4-6 model 2330 poe enable Setting a Port for a Wired Authentication User Configuring for a Distributed APClear port type port-list 23x0# set port type wired-authClearing a Port Clear dap dap-num Clearing a Distributed AP23x0# clear port type Removing a Port Name Configuring a Port NameSetting a Port Name RJ45 Set port preference port-listrj45Clear port preference port-list Show port preference port-listGigabit Ports-Autonegotiation and Flow Control Configuring Port Operating Parameters10/100 Ports-Autonegotiation and Port Speed Disabling or Reenabling a Port Disabling or Reenabling Power over EthernetReset port port-list Resetting a PortSet port poe port-listenable disable Show port status port-list Displaying Port Configuration and StatusDisplaying Port Information Displaying PoE StateMonitoring Port Statistics Displaying Port StatisticsClearing Statistics Counters 23x0# monitor port counters Link Redundancy Configuring Load-Sharing Port GroupsConfiguring a Port Group Load SharingInteroperating with Cisco Systems EtherChannel Configuring and Managing VLANsRemoving a Port Group Displaying Port Group InformationUsers and VLANs Understanding VLANs in Nortel WSS SoftwareVLANs, IP Subnets, and IP Addressing Traffic Forwarding Vlan NamesRoaming and VLANs Tunnel Affinity 802.1Q TaggingSet vlan vlan-numname name Configuring a VlanCreating a Vlan Adding Ports to a Vlan23x0# clear vlan marigold port 13 tag Removing an Entire Vlan or a Vlan Port23x0# set vlan red port 9-11,21 23x0# clear vlan red port23x0# clear vlan ecru Set vlan vlan-idtunnel-affinity num Changing Tunneling AffinityDisplaying Vlan Information Show vlan config vlan-id23x0# show vlan config burgundy Managing the Layer 2 Forwarding DatabaseTypes of Forwarding Database Entries How Entries Enter the Forwarding Database Show fdb count perm static dynamic vlan vlan-id Displaying Forwarding Database InformationDisplaying the Size of the Forwarding Database Displaying Forwarding Database Entries23x0# set fdb perm 00bbccddeeff port 3,5 vlan blue 23x0# set fdb static 002b3c4d5e6f port 1 vlan defaultAdding an Entry to the Forwarding Database 23x0# clear fdb port 3,5 Removing Entries from the Forwarding Database23x0# clear fdb dynamic Changing the Aging Timeout Period Port and Vlan Configuration ScenarioConfiguring the Aging Timeout Period Displaying the Aging Timeout Period23x0# set system countrycode US 23x0# set port 6 name confroom123x0# set port 7 name confroom2 23x0# set port 8-13 name manufacturingMAC 23x0# set port type ap 2-16 model 2330 poe enablePort group backbonelink is up Ports 22 23x0# set port type wired-auth 17,18Save the configuration. Type the following command MTU Support Configuring and Managing IP Interfaces and ServicesConfiguring and Managing IP Interfaces Enabling the Dhcp Client Statically Configuring an IP InterfaceAdding an IP Interface 23x0# show interface Set interface vlan-idip dhcp-client enable disable23x0# set interface corpvlan ip dhcp-client enable 23x0# show dhcp-client Interface Corpvlan4 Configuration Status Enabled Dhcp StateSet interface vlan-idstatus up down Disabling or Reenabling an IP InterfaceRemoving an IP Interface Show interface vlan-id Configuring the System IP AddressDisplaying IP Interface Information Set system ip-address ip-addr Designating the System IP AddressShow system Displaying the System IP AddressClear system ip-address Configuring and Managing IP RoutesClearing the System IP Address Configuring and Managing IP Interfaces and Services 320657-A 23x0# show ip route Displaying IP RoutesShow ip route destination 224.0.0.0/ 4 IP Local 23x0# set ip route 192.168.4.0 255.255.255.0 10.5.4.2 23x0# set ip route default 10.5.4.1Adding a Static Route 23x0# clear ip route 192.168.4.69/24 Managing the Management Services23x0# clear ip route default Removing a Static RouteEnabling SSH Login TimeoutsSession Timeouts Managing SSH23x0# show crypto key ssh ec6f567fd1fdc02893aea4f97cf51304 Changing the SSH Service Port NumberAdding an SSH User Show crypto key ssh23x0# clear sessions admin ssh Changing SSH TimeoutsShow sessions admin Clear sessions admin ssh session-id 23x0# show sessions adminAdding a Telnet User Telnet Login TimersManaging Telnet Enabling TelnetManaging Telnet Server Sessions Changing the Telnet Service Port NumberResetting the Telnet Service Port Number to Its Default Displaying Https Information Configuring and Managing DNSManaging Https Enabling HttpsConfiguring and Managing IP Interfaces and Services Enabling or Disabling the DNS Client Set ip dns enable disableSet ip dns server ip-addrprimary secondary Configuring DNS ServersAdding a DNS Server Removing a DNS ServerSet ip dns domain name Configuring a Default Domain NameAdding the Default Domain Name Removing the Default Domain Name23x0# show ip dns Configuring and Managing AliasesDisplaying DNS Server Information Show ip dns23x0# set ip alias HR1 Adding an AliasSet ip alias name ip-addr Clear ip alias name Removing an Alias23x0# show ip alias Configuring and Managing Time ParametersDisplaying Aliases Show ip alias nameClearing the Time Zone Setting the Time ZoneDisplaying the Time Zone Clearing the Summertime Period Configuring the Summertime PeriodDisplaying the Summertime Period Time now is Sun Feb 29 2004, 235802 PST Statically Configuring the System Time and DateSet timedate date mmm dd yyyy time hhmmss 23x0# set timedate date feb 29 2004 timeShow timedate 23x0# show timedate Displaying the Time and DateConfiguring and Managing NTP 23x0# set ntp server Adding an NTP ServerSet ntp server ip-addr Clear ntp server ip-addrall Removing an NTP Server23x0# set ntp update-interval Changing the NTP Update IntervalSet ntp update-interval seconds Clear ntp update-interval Resetting the Update Interval to the DefaultEnabling the NTP Client Set ntp enable disableShow ntp Managing the ARP TableDisplaying NTP Information 23x0# show arp Displaying ARP Table EntriesShow arp ip-addr Success added arp 10.10.10.1 at 00bbccddeeff on Vlan Adding an ARP EntrySet arp permanent static dynamic ip-addrmac-addr 23x0# set arp static 10.10.10.1 00bbccddeeff23x0# set arp agingtime Changing the Aging TimeoutPinging Another Device Set arp agingtime seconds23x0# clear sessions telnet client Logging In to a Remote Device23x0# telnet 23x0# show sessions telnet client23x0# traceroute server1 IP Interfaces and Services Configuration ScenarioTracing a Route 23x0# set ip dns server 10.10.10.69 Primary 23x0# set ip route default 10.20.10.123x0# set system ip-address 23x0 # show ip dns 23x0# set ip dns enableSummertime is enabled, and set to PDT 23x0# set ip dns server 10.20.10.69 SecondaryOverview Configuring SnmpConfiguring Snmp 23x0# set system location 3rdfloorcloset Setting the System Location and Contact Strings23x0# set system contact sysadmin1 Set system location string set system contact stringEnabling Snmp Versions Set snmp protocol v1 v2c usm all enable disable23x023x0# set snmp protocol all enable Clear snmp community name comm-string Configuring Community Strings SNMPv1 and SNMPv2c OnlyClear snmp usm usm-username Creating a USM User for SNMPv323x0# set snmp usm snmpmgr1 snmp-engine-id local Command Examples23x0# set snmp security encrypted Setting Snmp SecurityClear snmp profile profile-name Configuring a Notification Profile23x0# set snmp notify profile default send all Configuring Snmp Clear snmp notify target target-num Configuring a Notification TargetSecurity unsecured authenticated encrypted 23x0# set snmp notify target 2 10.10.40.10 v1 trap Displaying Snmp Information Enabling the Snmp ServiceSet ip snmp server enable disable 23x0# set ip snmp server enableDisplaying Snmp Version and Status Information Displaying the Configured Snmp Community Strings Displaying USM Settings Displaying Notification Profiles 23x0# show snmp notify profile insert updated exampleDisplaying Notification Targets 23x0# show snmp notify target insert updated exampleDisplaying Snmp Statistics Counters Configuring Snmp 320657-A About the Mobility Domain Feature Configuring and Managing Mobility Domain RoamingConfiguring a Mobility Domain 23x0# set mobility-domain mode seed domain-name Pleasanton Configuring the SeedSet mobility-domain mode seed domain-name mob-domain-name Set mobility-domain member ip-addr Configuring Member WSSs on the Seed23x0# set mobility-domain mode member seed-ip Configuring a MemberSet mobility-domain mode member seed-ip ip-addr 192.168.15.5 Displaying Mobility Domain Status2370# show mobility-domain status 192.168.14.6This WSS is a member, with seed Displaying the Mobility Domain Configuration2370# show mobility-domain config 2370# clear mobility-domain Clearing a Mobility Domain from a WSSClear mobility-domain member ip-addr Clearing a Mobility Domain Member from a Seed23x0# show roaming station Displaying Roaming StationsAffinity Displaying Roaming VLANs and Their Affinities23x0 # show roaming vlan State Port Understanding the Sessions of Roaming UsersDisplaying Tunnel Information 23x0 # show tunnelActive Requirements for Roaming to SucceedEffects of Timers on Roaming 23x0# set mobility-domain member seed-ip Mobility Domain ScenarioMonitoring Roaming Sessions WSS-20show sessions network verbose23x0# show tunnel 23x0# show mobility-domain config23x0# show roaming vlan Configuring User Encryption Wireless Encryption Defaults Default Encryption Configuring WPA WPA Cipher Suites WPA Encryption with Tkip Only WPA Encryption with Tkip and WEP Tkip Countermeasures WPA Authentication Methods WPA Information Element Client Support Supported Encryption Support for WPA and Non-WPA ClientsSpecifying the WPA Cipher Suites Configuring WPACreating a Service Profile for WPA Enabling WPAEnabling PSK Authentication Changing the Tkip Countermeasures Timer ValueSet service-profile name psk-raw hex Set service-profile name auth-psk enable disable23x0# set service-profile wpa auth-psk enable Set service-profile name psk-phrase passphraseSet radio-profile name service-profile name Displaying WPA SettingsShow service-profile name ? 23x0# show service-profile wpaSpecifying the RSN Cipher Suites Configuring RSNCreating a Service Profile for RSN Enabling RSN23x0# set service-profile rsn cipher-ccmp enable Displaying RSN Settings23x0# set radio-profile blgd2 service-profile rsn Configuring WEPEncryption for Dynamic and Static WEP Set service-profile name wep key-index num key value Setting Static WEP Key ValuesAssigning Static WEP Keys Encryption Configuration Scenarios23x0# set service-profile wepsrvc4 wep active-unicast-index Enabling WPA with Tkip 23x0# set service-profile wpa success change accepted23x0# show ap config Enabling Dynamic WEP in a WPA Network 23x0# set service-profile wpa-wep success change accepted23x0# show service-profile wpa-wep 23x0# set ap 5,11 radio 1 radio-profile rp2 mode enableSuccess change accepted 23x0# set service-profile wpa-wep-for-mac Configuring Encryption for MAC Clients23x0# show service-profile wpa-wep-for-mac 23x0# show ap config Configuring User Encryption 320657-A AP Overview Configuring AP access pointsExample Nortel Network Country of Operation Distributed AP Network Requirements Directly Connected APs and Distributed APsDistributed APs and Dhcp Option Distributed APs and STPBias High AP ParametersName Group Upgrade-firmware EnableDisable Resiliency and Dual-Homing Options for APsDual-Homed Direct Connections to a Single WSS Dual-Homed Direct and Distributed Connections to WSSs Dual-Homed Distributed Connections to WSSs on Both AP Ports Dual-Homed Distributed Connections to WSSs on One AP Port AP Boot ProcessConfiguring AP access points Configuring AP access points Configuring AP access points Example AP Boot over Layer 2 Network Example AP Boot over Layer 3 Network Example Boot of Dual-Homed AP Dual-Homed AP Booting Session Load Balancing Service Profiles Public and Private SSIDs Encryption Dap status commandConfiguring AP access points Radio Profiles Default Radio Profile RF Auto-TuningAntennatype Internal Nortel external antenna model Tx-powerRadio-Specific Parameters ChannelConfiguring AP access points Set system countrycode code Specifying the Country of OperationWSS 23x0# show system How an Unconfigured AP Finds an WSS Switch To Configure It Configuring a Template for Automatic AP ConfigurationRadio 2 type 802.11a, mode enabled, channel dynamic Configured APs Have Precedence Over Unconfigured APsConfiguring a Template 23x0# show dap config autoChanging AP Parameter Values 23x0# show dap status auto 23x0# set dap auto mode enable23x0# set dap auto radio 1 radio-profile autodap1 Set dap auto persistent dap-numall Setting the Port Type for a Directly Connected AP Configuring AP Port ParametersPort parameter Setting 23x0# set port type ap 11-14,16 model 2330 poe enable Configuring an Indirectly Connected APChanging AP Names Clearing an AP from the ConfigurationChanging Bias Configuring a Load-Balancing GroupDisabling or Reenabling Automatic Firmware Upgrades Enabling LED Blink ModeRSA aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaa Configuring AP-WSS SecurityEncryption Key Fingerprint Encryption Options23x0# show dap status Confirming an AP’s Fingerprint on an WSS Switch23x0# set dap security require Setting the AP Security Requirement on an WSS SwitchSet dap num fingerprint hex Set dap security require optionalFingerprint Log Message Disabling or Reenabling Beaconing of an Ssid Configuring a Service ProfileChanging the Fallthru Authentication Type Disabling or Reenabling Encryption for an SsidConfiguring AP access points Changing Radio Parameters Configuring a Radio ProfileSet radio-profile name mode enable disable Creating a New Profile23x0# set radio-profile rp1 dtim-interval Set radio-profile name beacon-interval interval23x0# set radio-profile rp1 beacon-interval Set radio-profile name dtim-interval interval23x0# set radio-profile rp1 frag-threshold Set radio-profile name rts-threshold threshold23x0# set radio-profile rp1 rts-threshold Set radio-profile name frag-threshold threshold23x0# set radio-profile rp1 max-tx-lifetime Set radio-profile name max-rx-lifetime time23x0# set radio-profile rp1 max-rx-lifetime Set radio-profile name max-tx-lifetime time23x0# set radio-profile rplong preamble-length long Set radio-profile name 11g-only enable disable23x0# set radio-profile rp1 11g-only enable Set radio-profile name preamble-length long shortClear radio-profile name Resetting a Radio Profile Parameter to its Default ValueRemoving a Radio Profile Clear radio-profile name parameterConfiguring the Channel and Transmit Power Configuring Radio-Specific Parameters23x0# set ap 5 radio 2 channel 36 tx-power Configuring the External Antenna Model23x0# set ap 11 radio 1 channel 1 tx-power 23x0# set dap 1 radio 1 antennatype ANT1060 23x0# set radio-profile rp2 service-profile wpaclients Mapping the Radio Profile to Service ProfilesAssigning a Radio Profile and Enabling Radios 23x0# set ap 11-14,16 radio 2 radio-profile rp1 mode enable23x0# set ap 6 radio 1 radio-profile rp1 mode disable Disabling or Reenabling RadiosEnabling or Disabling Individual Radios Set ap port-listdap dap-numradio 1 2 mode enable disable23x0# set ap 3,7 radio 2 mode disable 23x0# set radio-profile rp1 mode disable Disabling or Reenabling All Radios Using a Profile23x0# set radio-profile rp1 mode enable 23x0# clear ap 3 radio Resetting a Radio to its Factory Default SettingsClear ap port-listdap dap-numradio 1 2 all Restarting an AP Displaying AP Information23x0# show dap config Displaying AP Configuration Information23x0 # show dap global Displaying a List of Distributed APsShow dap global dap-numserial-id serial-ID 23x0 # show dap unconfigured Show dap unconfiguredShow dap connection dap-numserial-id serial-ID Displaying Connection Information for Distributed APs23x0 # show service-profile wpaclients Displaying Service Profile InformationShow radio-profile name ? 23x0 # show radio-profile defaultDisplaying Radio Profile Information Displaying AP Status Information 23x0 # show ap counters Displaying AP Statistics Counters116665 7694 11643396 629107 112115 3368239 142900 TotlRF Auto-Tuning Overview Configuring RF Auto-TuningInitial Channel and Power Assignment Channel Tuning Channel and Power TuningPower Tuning Tuning the Transmit Data Rate RF Auto-Tuning Parameters Min-client-rate For 802.11b For 802.11a Changing RF Auto-Tuning SettingsChanging the Channel Holddown Interval Changing Channel Tuning SettingsDisabling or Reenabling Channel Tuning Changing the Channel Tuning IntervalChanging the Power Backoff Interval Changing Power Tuning SettingsEnabling Power Tuning Changing the Power Tuning Interval23x0# set ap 7 radio 1 auto-tune max-retransmissions 23x0# set ap 7 radio 1 auto-tune max-powerChanging the Client Retransmission Threshold Changing the Minimum Transmit Data Rate Displaying RF Auto-Tuning Information23x0# show ap config 2 radio Displaying RF Auto-Tuning Settings23x0# show radio-profile default 23x0# show auto-tune neighbors ap 2 radio Displaying RF Neighbors23x0# show auto-tune attributes ap 2 radio Displaying RF AttributesConfiguring RF Auto-Tuning 320657-A How WMM Works in WSS Software Wi-Fi MultimediaQoS on the WSS Switch WMM in a Nortel Network QoS on an APWMM Priority Mappings Set radio-profile name wmm enable disableDisabling or Reenabling WMM 23x0# show dap qos-stats Displaying WMM Information23x0# show radio-profile radprof1 Show dap qos-stats dap-numshow dap qos-stats port-listWi-Fi Multimedia Configuring and Managing Spanning Tree Protocol Enabling the Spanning Tree Protocol Set spantree enable disable23x0# set spantree enable Changing Standard Spanning Tree Parameters Snmp Port Path Cost DefaultsPort Priority 23x0# set spantree priority 69 vlan pink Changing the Bridge PrioritySet spantree priority value all vlan vlan-id Changing the STP Port Cost Resetting the STP Port Cost to the Default ValueChanging STP Port Parameters 23x0# set spantree portvlanpri 3-4 priority 48 vlan mauve Resetting the STP Port Priority to the Default ValueChanging the STP Port Priority 23x0# set spantree portpri 3-4 priorityChanging the STP Maximum Age Changing Spanning Tree TimersChanging the STP Forwarding Delay Changing the STP Hello Interval23x0# set spantree maxage 15 all Configuring and Managing STP Fast Convergence FeaturesUplink Fast Convergence 23x0# set spantree portfast port 9,11,13 enable Configuring Port Fast ConvergenceSet spantree portfast port port-listenable disable 23x0# show spantree portfast Port Vlan Portfast Disable EnableDisplaying Port Fast Convergence Information Show spantree portfast port-list23x0# set spantree backbonefast enable Configuring Backbone Fast ConvergenceSet spantree backbonefast enable disable 23x0# show spantree backbonefast Backbonefast is enabledDisplaying the Backbone Fast Convergence State Show spantree backbonefastSet spantree uplinkfast enable disable Configuring Uplink Fast Convergence23x0# show spantree uplinkfast Displaying Spanning Tree InformationDisplaying Uplink Fast Convergence Information Show spantree uplinkfast vlan vlan-id23x0# show spantree vlan mauve Displaying STP Bridge and Port InformationShow spantree port-listvlan vlan-id active Port 1 Vlan 1 have path cost Displaying the STP Port Cost on a Vlan BasisShow spantree portvlancost port-list 23x0# show spantree portvlancostShow spantree blockedports vlan vlan-id 23x0# show spantree blockedports vlan defaultDisplaying Blocked STP Ports 23x0# show spantree statistics 1 Bpdu related parameters Displaying Spanning Tree StatisticsShow spantree statistics port-listvlan vlan-id Delay root port Timer value Timer restarted is Topology change TimerTopology change Timer value Hold timer Hold timer value Delay root port TimerClear spantree statistics port-listvlan vlan-id Spanning Tree Configuration Scenario23x0# set port disable Clearing STP Statistics23x0# set port enable Default None Backbone DownSpanning tree mode Disabled 128Down Auto Network 10/100BaseTx 1000/full Disabling or Reenabling Proxy Reporting Set igmp enable disable vlan vlan-idDisabling or Reenabling Igmp Snooping Enabling the Pseudo-Querier Changing Igmp TimersSet igmp proxy-report enable disable vlan vlan-id Set igmp querier enable disable vlan vlan-idSet igmp qi seconds vlan vlan-id Changing the Query IntervalSet igmp oqi seconds vlan vlan-id Changing the Other-Querier-Present IntervalSet igmp qri tenth-seconds vlan vlan-id Changing the Query Response IntervalSet igmp lmqi tenth-seconds vlan vlan-id Changing the Last Member Query IntervalSet igmp rv num vlan vlan-id Set igmp mrsol enable disable vlan vlan-idEnabling Router Solicitation Changing RobustnessSet igmp mrsol mrsi seconds vlan vlan-id Configuring Static Multicast PortsChanging the Router Solicitation Interval Adding or Removing a Static Multicast Router Port Set igmp mrouter port port-listenable disableAdding or Removing a Static Multicast Receiver Port Set igmp receiver port port-listenable disableDisplaying Multicast Information 192.28.7.5 Dvmrp Group Port Receiver-IP Receiver-MAC Show igmp vlan vlan-id23x0# show igmp vlan orange Clear igmp statistics vlan vlan-id Displaying Multicast Statistics OnlyClearing Multicast Statistics Show igmp statistics vlan vlan-idQuerier for vlan orange Port Querier-IP Querier-MAC Displaying Multicast QueriersShow igmp querier vlan vlan-id Show igmp querier vlan orange192.28.7.5 000102030405 Dvmrp Displaying Multicast RoutersShow igmp mrouter vlan vlan-id Show igmp mrouter vlan orangeVlan red Session Port Receiver-IP Receiver-MAC Displaying Multicast Receivers23x0# show igmp receiver-table group 237.255.255.0/24 Configuring and Managing Igmp Snooping 320657-A About Security Access Control Lists Configuring and Managing Security ACLsSetting Security ACLs Overview of Security ACL CommandsSecurity ACL Filters Creating and Committing a Security ACL23x0# set security acl ip acl-1 permit 192.168.1.4 Setting a Source IP ACLCommon IP Protocol Numbers Wildcard Masks Class of ServiceClass-of-Service CoS Packet Handling Configuring and Managing Security ACLs Common Icmp Message Types and Codes Setting an Icmp ACLCommon Icmp Message Types and Codes Setting a UDP ACL Setting TCP and UDP ACLsSetting a TCP ACL Configuring and Managing Security ACLs Determining the ACE Order 23x0# commit security acl all Committing a Security ACL23x0# commit security acl acl-99 Viewing Security ACL Details Viewing Security ACL InformationViewing the Edit Buffer Viewing Committed Security ACLs23x0# show security acl hits ACL hit-counters Displaying Security ACL Hits23x0# clear security acl acl-99 Mapping Security ACLsClearing Security ACLs 23x0# set user Natasha attr filter-id acl-222.in Mapping User-Based Security ACLs23x0# commit security acl acl-222 success change accepted Configuring and Managing Security ACLs 23x0# show security acl map acl-999 Displaying ACL Maps to Ports, VLANs, and Virtual PortsClearing a Security ACL Map 23x0# set security acl map acl-222 port 2 tag 1-3,523x0# clear security acl map acljoe port 4 Modifying a Security ACL23x0# show security acl map acljoe ACL acljoe is mapped to23x0# show security acl info all Adding Another ACE to a Security ACLPlacing One ACE before Another Modifying an Existing Security ACL Type Status Acl-a Not Committed Acl-111 Clearing Security ACLs from the Edit Buffer23x0# show security acl editbuffer ACL edit-buffer tableACL edit-buffer information for all Using ACLs to Change CoS23x0# rollback security acl acl-111 Filtering Based on Dscp Values 23x0# set security acl map voip vlan corpvlan out Enabling Prioritization for Legacy Voice over IP23x0# set security acl ip voip permit 0.0.0.0 23x0# commit security acl voipEnabling SVP Optimization for SpectraLink Phones Security ACL Configuration Scenario23x0# save config Managing Keys Certificates Why Use Keys and Certificates?Wireless Security through TLS PEAP-MS-CHAP-V2 Security About Keys and CertificatesPublic Key Infrastructures Public and Private Keys Digital Certificates Pkcs Object Files Supported by Nortel Crypto generate key commandCreating Keys and Certificates Pkcs #7, Pkcs #10, and Pkcs #12 Object FilesManaging Keys and Certificates Procedures for Creating and Validating Certificates Creating Public-Private Key Pairs Crypto generate key admin eap ssh webaaa 512 102423x0# crypto generate key admin Admin key pair generatedGenerating Self-Signed Certificates Crypto generate self-signed admin eap webaaa23x0# crypto generate self-signed admin Country Name US Crypto pkcs12 admin eap webaaa filename Crypto otp admin eap webaaa one-time-password23x0# crypto generate request admin Begin Certificate Installing a CA’s Own CertificateDisplaying Certificate and Key Information Key and Certificate Configuration Scenarios23x0# show crypto certificate admin Certificate ENDCERTIFICATE-----23x0#crypto generate self-signed eap 23x0# crypto generate self-signed adminSelf-signed cert for admin is Creating Self-Signed Certificates23x0# show crypto certificate eap 23x0# show crypto certificate admin20# crypto generate self-signed webaaa Country Name US 23x0# show crypto certificate webaaa Certificate 23x0# copy tftp//192.168.253.1/20481x.p12 20481x.p12 23x0# crypto otp admin SeC%#6@o%c23x0# crypto pkcs12 admin 2048admn.p12 23x0# copy tftp//192.168.253.1/2048admn.p12 2048admn.p12Keypair Device certificate CA certificate Unstructured Name wiring closet 12 CSR for admin is Email Address admin@example.comEnter PEM-encoded certificate 23x0# crypto certificate admin23x0# crypto ca-certificate admin 23x0# show crypto ca-certificate adminAbout AAA for Network Users Configuring AAA for Network UsersAuthentication Types AuthenticationAuthentication Algorithm Authentication Flowchart for Network Users To 802.1X? Yes User Credential Requirements Ssid Name AnyLast-Resort Processing Configuring AAA for Network Users CLI AuthorizationAccounting AAA Tools for Network Users Summary of AAA FeaturesWildcard Any for Ssid Matching Wildcards and Groups for Network User ClassificationLocal Override Exception AAA Methods for Ieee 802.1X and Web Network AccessAAA Rollover Process Remote Authentication with Local Backup Remote Pass-Through or Local Authentication EAP-MD5 Ieee 802.1X Extensible Authentication Protocol TypesWays an WSS Switch Can Use EAP Effects of Authentication Type on Encryption Method Configuring 802.1X AuthenticationConfiguring 802.1X Acceleration Using Pass-Through Authenticating through a Local Database Binding User Authentication to Machine Authentication Authentication Rule Requirements Clear dot1x bonded-period Bonded Authentication PeriodBonded Authentication Configuration Example Set dot1x bonded-period seconds23x0# set dot1x bonded-period Displaying Bonded Authentication Configuration InformationShow dot1x config 23x0# show dot1x config Configuring Authentication and Authorization by MAC Address Clearing MAC Users and Groups Adding and Clearing MAC Users and User Groups LocallyAdding MAC Users and Groups 23x0# set mac-user 000102030405 attr vlan-name red Configuring MAC Authentication and Authorization23x0# set authentication mac ssid voice 010102030405 local 23x0# set authentication mac ssid voice 010102* local23x0# set radius server bigbird author-password h00per Configuring Web-based AAAChanging the MAC Authorization Password for Radius Set radius server server-nameauthor-password passwordHow Portal Web-based AAA Works WSS Requirements Web-based AAA Requirements and RecommendationsConfiguring AAA for Network Users Client Web Browser Recommendations WSS RecommendationsClient NIC Requirements Client Web Browser Requirements23x0# set user web-portal-mycorp attr vlan-name corpvlan Configuring Portal Web-based AAAPortal Web-based AAA Configuration Example 23x0# show sessions network ssid mycorp 23x0# show config23x0# show sessions network ssid mycorp Using a Custom Login TitleMy Corp webAAA/title Copying and Modifying the Nortel LoginCustom Login Page Scenario 23x0# dir mycorp-webaaa H3Welcome to Mycorp’s Wireless LAN/h3BWARNING/b My corp’s warning text 23x0# mkdir mycorp-webaaa success change acceptedVariables for Redirect URLs Description Using Dynamic Fields in Web-based AAA Redirect URLsConfiguring Last-Resort Access WSS Switch Serving as Radius Proxy Configuring AAA for Users of Third-Party APsAuthentication Process for 802.1X Users of a Third-Party AP Third-Party AP Requirements WSS Switch RequirementsRequirements Set radius proxy port port-listtag tag-valuessid ssid-name Set authentication mac wired mac-addr-wildcard method123x0# set port type wired-auth 3-4 tag 23x0# set authentication mac wired aabbcc010101 srvrgrp123x0# set radius proxy client address 10.20.20.9 key radkey1 23x0# set authentication proxy ssid mycorp ** srvrgrp1End-date Assigning Authorization AttributesFilter-id Idle-timeoutService-type Session-timeoutTime-of-day SsidStart-date Vlan-name UrlAssigning Attributes to Users and Groups 23x0# set usergroup eastcoasters attr filter-id acl-101.in Assigning a Security ACL to a User or a GroupAssigning a Security ACL Locally 23x0# set user Jose attr filter-id acl-101.inAssigning a Security ACL on a Radius Server Clear mac-usergroup groupname attr filter-id Clearing a Security ACL from a User or Group23x0# set mac-usergroup mac-fans attr encryption-type Assigning Encryption Types to Wireless UsersAssigning and Clearing Encryption Types Locally Assigning and Clearing Encryption Types on a Radius Server About the Location Policy How the Location Policy Differs from a Security ACL 23x0# set location policy deny if user eq *.theirfirm.com Setting the Location PolicyApplying Security ACLs in a Location Policy Rule WSS-20show location policy Displaying and Positioning Location Policy RulesClear location policy rule-number Configuring Accounting for Wireless Network UsersSet accounting admin console dot1x mac web Configuring AAA for Network Users Viewing Local Accounting Records May 21 Acct-Status-Type=STOP Acct-Authentic=2 Viewing Roaming Accounting RecordsWSS-20-0013#show accounting statistics WSS-20-0017#show accounting statisticsRs-4 Set authentication admin Jose sg3Server Addr Ports Rs-3Vlan-Name = k2 Avoiding AAA Problems in Configuration OrderSet authentication web ssid any ** sg1 Set authentication web ssid corpa ** corpasrvrConfiguring AAA for Network Users 23x0# set accounting dot1x ssid mycorp * start-stop group1 Using Authentication and Accounting Rules TogetherConfiguration Producing an Incorrect Processing Order Configuration for a Correct Processing Order23x0# set mobility-profile name roses-profile port 2-4,7,9 Configuring a Mobility ProfileNamePorts ========================= Roses-profile Network User Configuration Scenarios23x0# set mobility-profile mode enable 23x0# show mobility-profile Mobility ProfilesMobility Profiles NamePorts ========================= Tulip General Use of Network User Commands23x0# set user EXAMPLE\username attr filter-id acl-101.in 23x0# show security acl info acl-101WSS-20save config 23x0# set radius server r1 address 10.1.1.1 key sunny Enabling Radius Pass-Through AuthenticationUnstructured Name wiring closet Enabling PEAP-MS-CHAP-V2 Authentication23x0# set user Natasha password moon 23x0# set user Natasha attr session-timeout23x0# set radius server r1 address 10.1.1.1 key starry Enabling PEAP-MS-CHAP-V2 Offload23x0# set radius server r1 address 10.1.1.1 key starry Overriding AAA-Assigned VLANs Radius Overview Configuring Communication with RadiusConfiguring Communication with Radius Before You Begin Configuring Radius Servers23x0# set radius key r8gney Configuring Global Radius DefaultsClear radius deadtime key retransmit timeout 23x0# set radius deadtime23x0# clear radius client system-ip Setting the System IP Address as the Source Address23x0# set radius client system-ip Set radius server server-nameaddress ip-address key string Configuring Individual Radius ServersClear radius server server-name Configuring Radius Server GroupsDeleting Radius Servers Ordering Server Groups Configuring Load BalancingCreating Server Groups 23x0 # show aaa Set server group group-nameload-balance enableAdding Members to a Server Group Clear server group group-nameload-balanceConfiguring Communication with Radius Deleting a Server Group Radius and Server Group Configuration Scenario23x0# set server group shorebirds load-balance enable Managing 802.1X on Wired Authentication Ports Managing 802.1X on WSS SwitchEnabling and Disabling 802.1X Globally Set dot1x authcontrol enable disable23x0# set dot1x authcontrol enable Success dot1x authcontrol enabledManaging 802.1X Encryption Keys Setting 802.1X Port ControlEnabling 802.1X Key Transmission Set dot1x key-tx enable disable23x0# set dot1x key-tx enable Success dot1x key transmission enabledSuccess dot1x tx-period set to Configuring 802.1X Key Transmission Time IntervalsSet dot1x tx-period seconds 23x0# set dot1x tx-periodManaging WEP Keys Configuring 802.1X WEP RekeyingConfiguring the Interval for WEP Rekeying Success dot1x max request set to Setting EAP Retransmission AttemptsManaging 802.1X Client Reauthentication 23x0# set dot1x max-reqSuccess dot1x reauthentication enabled Enabling and Disabling 802.1X ReauthenticationSet dot1x reauth enable disable 23x0# set dot1x reauth enable23x0# clear dot1x reauth-max Set dot1x reauth-max number-of-attempts23x0# set dot1x reauth-max Success dot1x max reauth set to23x0# set dot1x reauth-period Setting the 802.1X Reauthentication PeriodSuccess dot1x auth-server timeout set to Set dot1x reauth-period secondsClear dot1x max-req Managing Other TimersSetting the Bonded Authentication Period Success dot1x quiet period set to Setting the 802.1X Quiet PeriodSet dot1x quiet-period seconds 23x0# set dot1x quiet-period23x0# clear dot1x timeout auth-server Setting the 802.1X Timeout for an Authorization ServerSet dot1x timeout auth-server seconds 23x0# set dot1x timeout auth-serverDisplaying 802.1X Information Setting the 802.1X Timeout for a Client23x0# show dot1x clients Viewing 802.1X ClientsViewing the 802.1X Configuration 23x0# show dot1x stats Viewing 802.1X StatisticsManaging 802.1X on the WSS Switch 320657-A Managing Sessions Displaying and Clearing Administrative SessionsShow sessions admin console telnet client Clear sessions admin console telnet client session-id23x0# clear sessions admin Displaying and Clearing All Administrative SessionsWSS-20 show sessions admin 23x0# clear sessions console Displaying and Clearing an Administrative Console SessionWSS-20 show sessions console Tty Username Time Type Tty0 5310 Console Console sessionTelnet session Displaying and Clearing Administrative Telnet SessionsTty Username Time Type Tty3 Sshadmin 2099 WSS-20 show sessions telnetUser Sess IP or MAC Displaying and Clearing Network SessionsDisplaying and Clearing Client Telnet Sessions 23x0 # show sessions network761 000bbe154656 none Displaying Verbose Network Session InformationJose@example.com 5125 Vlan-eng 003065168d69 4385 Vlan-wepClear sessions network user user-wildcard Displaying and Clearing Network Sessions by UsernameShow sessions network user user-wildcard 23x0# show sessions network user EClear sessions network mac-addr mac-addr-wildcard Displaying and Clearing Network Sessions by MAC AddressShow sessions network mac-addr mac-addr-wildcard Show sessions net mac-addr 01055d7e981aClear sessions network vlan vlan-wildcard Displaying and Clearing Network Sessions by Vlan NameShow sessions network vlan vlan-wildcard Show sessions network vlan west2370# clear sessions network session-id Displaying and Clearing Network Sessions by Session IDClear sessions network session-id session-id About System Files Managing System Files23x0# show version details Displaying Software Version InformationShow version details 23x0# show versionW2 N/A Working with Files Displaying Boot Information23x0# show boot 23x0# dir old Displaying a List of FilesSuccess sent 365 bytes in 0.401 seconds 910 bytes/sec 23x0# copy floor2WSS tftp//10.1.1.1/floor2WSS-backupCopying a File 23x0# copy floor2WSS tftp//10.1.1.1/floor2WSSSuccessreceived9163214bytesin105.939seconds Bytes/sec 23x0# copy tftp//10.1.1.1/newconfig newconfig23x0# copy tftp//10.1.1.1/newconfig WSSconfig Delete url 23x0# copy testconfig tftp//10.1.1.1/testconfig23x0# delete testconfig Deleting a File23x0# mkdir corp2 Creating a Subdirectory23x0# rmdir corp2 Managing Configuration FilesRemoving a Subdirectory 23x0# show config area vlan Displaying the Running ConfigurationShow config area area all Managing System Files Success configuration saved to newconfig Saving Configuration ChangesSave config filename 23x0# save config newconfigSuccess boot config set Set boot configuration-file filename23x0# set boot configuration-file floor2WSS 23x0# load config newconfig Loading a Configuration FileLoad config url Backing Up and Restoring the System Resetting to the Factory Default ConfigurationManaging System Files Managing Configuration Changes Upgrading the System Image Backup and Restore Examples23x0# backup system tftp/10.10.20.9/sysabak critical 23x0# restore system tftp/10.10.20.9/sysabakManaging System Files 320657-A About Rogues and RF Detection Rogue Detection CountermeasuresRogue Detection Lists Rogue access points and ClientsRogue Classification Rogue Detection and Countermeasures Rogue Detection Algorithm Dynamic Frequency Selection DFS RF Detection ScansCountermeasures Summary of Rogue Detection FeaturesConfiguring Rogue Detection Lists 23x0# show rfdetect vendor-list Total number of entries Configuring a Permitted Vendor ListSet rfdetect vendor-list client ap mac-addr Show rfdetect vendor-list23x0# show rfdetect ssid-list Total number of entries Configuring a Permitted Ssid ListSet rfdetect ssid-list ssid-name Show rfdetect ssid-list23x0# show rfdetect black-list Configuring a Client Black ListSet rfdetect black-list mac-addr Show rfdetect black-list23x0# show rfdetect attack-list Configuring an Attack ListSet rfdetect attack-list mac-addr Show rfdetect attack-listEnabling Countermeasures Configuring an Ignore ListEnabling AP Signatures Disabling or Reenabling Active ScanIDS and DoS Alerts Set rfdetect log enable disableDisabling or Reenabling Logging of Rogues Enabling Rogue and Countermeasures NotificationsFlood Attacks DoS Attacks Netstumbler and Wellenreiter Applications Wireless Bridge Ad-Hoc Network Weak WEP Key Used by Client Disallowed Devices or SSIDs Displaying Statistics Counters IDS and DoS Log Messages IDS Log Message ExamplesMessage Type Displaying RF Detection Information Show rfdetect ignore Show rfdetect attack-list23x0# show rfdetect clients Displaying Rogue ClientsShow rfdetect clients mac mac-addr 23x0# show rfdetect clients mac 000c4163fd6d23x0# show rfdetect counters Displaying Rogue Detection CountersShow rfdetect counters 23x0# show rfdetect mobility-domain ssid nrtl-webaaa Displaying Ssid or Bssid Information for a Mobility DomainShow rfdetect mobility-domain ssid ssid-namebssid mac-addr 23x0# show rfdetect mobility-domain23x0# show rfdetect mobility-domain bssid 000b0e0004d1 23x0 # show rfdetect data Displaying RF Detect DataShow rfdetect data 23x0# show rfdetect visible ap 3 radio Displaying the APs Detected by an AP Radio23x0# show rfdetect countermeasures Displaying Countermeasures InformationShow rfdetect countermeasures Rogue Detection and Countermeasures 320657-A Appendix a Troubleshooting a WS Switch WSS Setup Problems and Remedies Fixing Common WSS Setup ProblemsSymptom Diagnosis WSS-2370, WSS-2380, or WSS-2360 Recovering the System PasswordBoot boot OPT+=default WSS-2350Log Message Components Configuring and Managing the System LogLogging Destinations and Levels Debug InfoLogging to the Log Buffer Using Log CommandsLogging Messages to a Syslog Server Logging to the ConsoleChanging the Current Telnet Session Defaults Setting Telnet Session DefaultsSaving Trace Messages in a File Displaying the Log ConfigurationLogging to the Trace Buffer Tracing Session Manager Activity Using the Trace CommandTracing Authentication Activity Running TracesTracing 802.1X Sessions Tracing Authorization ActivityDisplaying a Trace Stopping a TraceDisplaying Trace Results 23x0# show log trace severity errorAbout Trace Results List of Trace Areas Copying Trace Results to a ServerClearing the Trace Log WSS-2370# show interface Using Show CommandsViewing Vlan Interfaces Viewing AAA Session Statistics23x0# show fdb Viewing FDB InformationViewing ARP Information Vlan-name = vlan-wepBest Practices for Remote Traffic Monitoring Using Snoop Filters on Radios That Use Active ScanRemotely Monitoring Traffic How Remote Traffic Monitoring WorksAppendix a Troubleshooting a WS Switch 23x0# set snoop snoop1 observer 10.10.30.2 snap-length Configuring a Snoop FilterDeleting a Snoop Filter Displaying Configured Snoop FiltersMapping a Snoop Filter to a Radio Editing a Snoop FilterRemoving Snoop Filter Mappings Enabling or Disabling a Snoop FilterDisplaying the Snoop Filters Mapped to a Radio Displaying the Snoop Filter Mappings for All RadiosSuccess filter snoop1 enabled 23x0# set snoop snoop1 mode enable stop-afterShow snoop stats filter-namedap-numradio 1 Displaying Remote Traffic Monitoring StatisticsPreparing an Observer and Capturing Traffic Capturing System Information for Technical Support Displaying Technical Support Information 23x0# copy fortechsupport.gz tftp//tftpserver/filename.gz Sending Information to Nets23x0# show tech-support file fortechsupport Success results saved to fortechsupport.gzAppendix a Troubleshooting a WS Switch 320657-A Supported Standard and Extended Attributes Appendix B Supported Radius Attributes801.1X Attributes 801.1X Attributes Radius Nortel Vendor-Specific Attributes Nortel VSAs Protocol Port Function Appendix C Mobility Domain Traffic PortsAppendix C Mobility Domain Traffic Ports 320657-A Appendix D Dhcp Server How the WSS Software Dhcp Server Works Configuring the Dhcp Server23x0# show dhcp-server Displaying Dhcp Server InformationShow dhcp-server interface vlan-id verbose Appendix D Dhcp Server Glossary Advanced Encryption Standard See AES Authentication, authorization, and accounting See AAA CBC-MAC See Ccmp Cyclic redundancy check See CRC Glossary EAP with Transport Layer Security See EAP-TLS Group master key See GMK Group transient key See GTK Industry Canada See IC Information element See WPA IE Media access control address See MAC address Microsoft Challenge Handshake Authentication Per-VLAN Spanning Tree protocol See PVST+ Port address translation See PAT Power over Ethernet See PoE Quality of service See QoS Remote Authentication Dial-In User Service See Radius Spanning Tree Protocol See STP Temporal Key Integrity Protocol See Tkip Type, length, and value See TLV Wisp WPA information element See WPA IE Glossary 320657-A Numerics IndexIndex Index DNS Enable password Description Subnet masks for, notation conventions System IP address 366 To ports, VLANs, or virtual ports 368 Index Radius Https Index Configuring 341 rogue access points detecting TCP Snmp STP Uplink fast convergence Index WMS Index 320657-A Command Index Command Index Set dap auto radiotype Command Index Command Index 324 Show spantree blockedports 329