Zebra WS5000 Reference Guide

WS5000 Series Switch
System Reference Guide
Copyright
Copyright © 2006 by Symbol Technologies, Inc. All rights reserved.
No part of this publication can be modified or adapted in any way, for any purposes without permission in writing from
Symbol. The material in this manual is subject to change without notice.
Symbol reserves the right to make changes to any product to improve reliability, function, or design.
No license is granted, either expressly or by implication, estoppel, or otherwise under any Symbol Technologies, Inc.,
intellectual property rights. An implied license only exists for equipment, circuits, and subsystems contained in Symbol
products.
Symbol and the Symbol logo are registered trademarks of Symbol Technologies, Inc.
IBM is a registered trademark of International Business Machines Corporation. Microsoft, Windows, and Windows NT are
registered trademarks of Microsoft Corporation. Novell and LAN Workplace are registered trademarks of Novell Inc. Toshiba
is a trademark of Toshiba Corporation. All other product names referred to in this guide might be trademarks or registered
trademarks of their respective companies and are hereby acknowledged.
Patents
This product is covered by one or more of the patents listed on the website: http://www.symbol.com/patents.
Contents
Chapter 1. WS5000 Series Switch Overview
1.1 Key Features
1.1.1 Installation Features
1.1.2 Management Features
1.1.3 Security Features
1.1.4 Networking Features
1.1.5 Access Port Support
1.2 Hardware Overview
1.2.1 Physical Specifications
1.2.1.1 Power Cord Specifications
1.2.1.2 Power Protection
1.2.1.3 Cabling Requirements
1.2.2 System Status LED Codes
1.2.3 10/100/1000 Port Status LED Codes
1.3 Software Overview
1.3.1 Accessing and Configuring the Switch Software
1.3.2 Switch Policies
1.3.3 Access Port Adoption Process
1.3.4 Quality of Service
1.3.4.1 Different Dimensions of QoS
1.3.4.2 Packet Filtering
1.3.4.3 Weighted Fair Queuing (WFQ)
1.3.4.4 QoS via Wi-Fi Multimedia Extension (WME)
1.3.5 Multi-BSSID and ESSID Access Ports
1.3.6 Standby Management
1.3.7 WLAN to VLAN Mapping
1.4 New Features
1.4.1 WME
1.4.2 RF Statistics
1.4.3 GRE Tunnel
1.4.4 Dual DHCP Server
1.4.5 SNMP Trap on Config Change
1.4.6 AP to AP Beacons
1.4.7 DTIM per BSS
1.4.8 WIPS Support
1.4.9 CPU Temperature Monitoring in WS5000
1.4.10 Active Primary Revert
1.4.11 Access Port Ping
1.4.12 Upgrade/Downgrade Process
1.5 Other Features
1.5.1 AP-4131 Port Conversion
1.5.2 Automatic Channel Select
1.5.3 Event Manager
1.5.4 Hot Standby
1.5.5 Integrated Radius/AAA Server
1.5.6 On-Board DHCP
1.5.6.1 Configuring DHCP Server using CLI
1.5.6.2 Viewing DHCP Configurations
1.5.6.3 Importing a dhcpd.conf File
1.5.6.4 DHCP Option 60
1.5.7 On-Board KDC
1.5.8 Rogue AP Detection
1.5.9 Simple Network Management Protocol (SNMP)
1.5.10 WTLS VPN
Chapter 2. Installing the System Image
2.1 Before Installing the Image
2.2 Upgrading the Switch Software to 2.1
2.2.1 Upgrading Using the CLI
2.2.1.1 Upgrading the Switch from 2.0 to 2.1
2.2.1.2 Upgrading the Switch from 1.4.0/1.4.1.0/1.4.1.1/1.4.2/1.4.3 to 2.1
2.3 Recovering from Upgrade Errors
2.4 Downgrading from 2.1 to 2.0
2.5 Downgrading from 2.1 to 1.4.3/1.4.2/1.4.1/1.4.0
2.5.1 Running the PreDowngrade Script
2.5.1.1 Executing the Predowngrade Script
2.5.2 Running the Downgrade.exe Script
2.5.3 Downgrading the Image Version
2.5.3.1 Executing the Downgrade Script
Chapter 3. Configuring the WS5000 Series Switch Automatically
3.1 DHCP Auto-install
3.2 Command File
3.3 Command File Description
3.3.1 Event Logging
3.3.2 TFTP Server Settings
3.3.3 General Network Configuration and Standby Management
3.3.4 Kerberos Configuration
3.3.5 SNMP Configuration
3.3.6 Syslog Configuration
3.3.7 CLI Commands
3.3.7.1 Command File Example
3.4 Upgrading Using AutoInstall
3.4.1 Using AutoInstall to Upgrade from 2.0 to 2.1
3.4.2 Using AutoInstall to Upgrade from 1.4.X.X/1.4.1.0/1.4.1.1/1.4.2/1.4.3 to 2.1
3.4.3 Using AutoInstall to Upgrade From WS5000 Series Switch Build 49
3.4.3.1 Installing the Patch File Automatically
3.5 Manual Auto-install
Chapter 4. Using the WS5000 Series Switch GUI
4.1 Logging In
4.2 Key Distribution Center
4.2.1 Configuring Master KDC Information
4.2.2 Configuring Slave KDC Information
4.2.2.1 Configuring the KDC Slave
4.2.2.2 Configuring the Master KDC to Recognize the Slave
4.2.3 Creating Kerberos User Accounts
4.2.4 Setting Kerberos Time Synchronization
Chapter 5. Configuring User and Management Authentication
5.1 WS5000 as a RADIUS Client
5.2 Configuring an On-board RADIUS Server
5.2.1 Configuring the Radius Server
5.2.2 Managing Certificates
5.2.2.1 Importing and Installing CA Certificates
5.2.2.2 Uploading Certificates
5.2.2.3 Configuring LDAP Authentication
5.2.2.4 Configuring Clients
5.2.2.5 Configuring the Radius Accounting Server
5.2.3 Configuring Radius Users
5.2.3.1 Adding Groups
5.2.3.2 Deleting Groups
5.2.3.3 Adding Users
5.2.4 Configuring Radius Proxy
5.3 Configuring Management User Authentication
5.3.1 Using External RADIUS Server
5.3.2 Using On-board RADIUS Server
5.3.3 Physical Network Configuration
5.3.4 Configuring WS5000
5.4 LDAP and Certificate Configuration
5.4.1 OpenLdap in Linux
5.4.2 User/Group Configuration with LdapBrowser
5.4.3 ActiveDirectory in Windows server
5.4.3.1 LDAP configuration for accessing Openldap/ActiveDirectory
5.4.4 LDAP Configuration in switch for Active Directory
5.4.5 Certificate Management with Win-2003 server
5.4.5.1 Configuration in MU (client)
5.4.5.2 Signing certificate request from WS5000
5.4.5.3 Installing CA & Server Certificate in WS5k:
5.5 Configuring Windows Server 2000
5.5.1 Installing Active Directory
5.5.2 Configuring Active Directory Users
5.5.3 Installing Internet Authentication Service
5.5.4 Configuring Internet Authentication Service
5.5.5 Testing the Configuration
Chapter 6. Configuring Policies
6.1 Configuring Network Policies
6.1.1 Classifiers
6.1.1.1 Creating a Classifier
6.1.2 Classification Groups
6.1.2.1 Creating a Classification Group
6.1.2.2 Modifying a Classification Group
6.1.3 Creating a Network Input Policy
6.1.4 Creating a Network Output Policy
6.1.5 Creating a Network Policy
6.1.5.1 Configuring the Switch from the Default Configuration (Example)
6.1.5.2 GUI Configuration to set up a switch (EXAMPLE)
6.1.6 Modifying a Network Policy
6.2 Switch Policies
6.2.1 Security Policies
6.2.1.1 Creating a Security Policy
6.2.2 Access Control Lists
6.2.2.1 Creating an Access Control List
6.2.2.2 Modifying an Access Control List
6.2.3 WLANs
6.2.3.1 Creating a WLAN
6.2.3.2 Modifying a WLAN
6.2.4 Ethernet Port Policies
6.2.4.1 Creating an Ethernet Port Policy
6.2.4.2 Modifying an Ethernet Port Policy
6.2.4.3 Configuring VLANs
6.2.5 Access Port Policies
6.2.5.1 Creating an Access Port Policy
6.2.5.2 Modifying an Access Port Policy
6.2.6 Setting the Country
6.2.7 Creating a Switch Policy
6.2.8 Defining/Activating an Emergency Switch Policy
Chapter 7. Configuring Rogue AP Detection
7.1 Configuring Rogue AP Detection
7.1.1 Defining the Detection Method
7.1.2 Specifying Detector APs
7.1.3 Configuring Rule Management
7.1.4 Examining Approved and Rogue Access Ports
7.1.5 Viewing Details of the Rogue AP
7.1.6 SNMP Traps for Rogue AP Events
7.1.7 Rogue AP Syslog Messages
Chapter 8. CLI Command Reference
8.1 CLI Overview
8.1.1 About Contexts
8.1.2 CLI Indexing
8.1.3 About Instances
8.1.4 Basic Conventions
8.2 Common Commands
8.2.1 .. or end
8.2.2 exit
8.2.3 ? or help
8.2.4 logout or bye
8.2.5 clear
8.2.6 emergencymode
8.2.7 history
8.2.8 ping
8.3 System Context
8.3.1 ? or help
8.3.2 logout or bye
8.3.3 clear
8.3.4 configure
8.3.5 copy
8.3.6 delete
8.3.7 description
8.3.8 directory
8.3.9 emergencymode
8.3.10 export
8.3.11 history
8.3.12 install
8.3.13 logdir
8.3.14 name
8.3.15 ping
8.3.16 remove
8.3.17 restore
8.3.18 rfping
8.3.19 save
8.3.20 service
8.4 show commands
8.4.1 show aaa-server
8.4.2 show accessports
8.4.3 show acl
8.4.4 show allconfig
8.4.5 show appolicy
8.4.6 show arp
8.4.7 show autoinstalllog
8.4.8 show ce
8.4.9 show cfghistory
8.4.10 show cg
8.4.11 show channelinfo
8.4.12 show chassis
8.4.13 show configaccess
8.4.14 show ethernet
8.4.15 show etherpolicy
8.4.16 show events
8.4.17 show ftp
8.4.18 show history
8.4.19 show host
8.4.20 show https
8.4.21 show interfaces
8.4.22 show kdc
8.4.23 show knownap
8.4.24 show lan
8.4.25 show mu
8.4.26 show musummary
8.4.27 show np
8.4.28 show po
8.4.29 show radius-server
8.4.30 show rfstats
8.4.31 show rfthreshold
8.4.32 show rogueap
8.4.33 show routes
8.4.34 show securitypolicy
8.4.35 show sensor
8.4.36 show snmpclients
8.4.37 show snmpstatus
8.4.38 show ssh
8.4.39 show standby
8.4.40 show switchpolicy
8.4.41 show sysalerts
8.4.42 show syslog
8.4.43 show system
8.4.44 show telnet
8.4.45 show time
8.4.46 show traphosts
8.4.47 show tunnel
8.4.48 show users
8.4.49 show version
8.4.50 show vlan
8.4.51 show vpnsupportstatus
8.4.52 show wlan
8.4.53 show wme
8.4.54 show WSrfstats
8.4.55 show wtls
8.4.56 show wvpn
8.5 Configuration (Cfg) Context
8.5.1 .. or end
8.5.2 exit
8.5.3 ? or help
8.5.4 logout or bye
8.5.5 aaa
8.5.6 accessport
8.5.7 acl
8.5.8 appolicy
8.5.9 banner
8.5.10 ce
8.5.11 cg. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-51
8.5.12 chassis. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-51
8.5.13 clear. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-52
8.5.14 copy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-52
8.5.15 date . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-53
8.5.16 delete . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-54
8.5.17 description. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-55
8.5.18 directory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-55
8.5.19 emergencymode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-56
8.5.20 encrypt. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-56
8.5.21 ethernet. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-56
8.5.22 etherpolicy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-57
8.5.23 events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-57
8.5.24 export . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-59
8.5.25 ftp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-59
8.5.26 fw . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-60
8.5.27 host . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-60
8.5.28 install. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-61
8.5.29 kdc . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-61
8.5.30 logdir . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-62
8.5.31 name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-62
8.5.32 np. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-63
8.5.33 ping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-63
8.5.34 po. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-65
8.5.35 purge. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-65
8.5.36 radius . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-66
8.5.37 remove . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-66
8.5.38 reset . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-67
8.5.39 restore . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-67
8.5.40 rougeap. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-68
8.5.41 route . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-68
8.5.42 runacs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-69
8.5.43 save . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-69
8.5.44 securitypolicy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-69
8.5.45 sensor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-70
8.5.46 set. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-70
8.5.47 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-81
8.5.48 shutdown . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-81
8.5.49 snmp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-82
8.5.50 ssh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-82
8.5.51 ssl . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-83
8.5.52 standby . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-83
8.5.53 switchpolicy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-84
8.5.54 telnet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-84
8.5.55 tunnel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-85
8.5.56 user. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-85
8.5.57 wlan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-85
8.5.58 wme . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-86
8.5.59 wvpn . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-86
8.6 AAA Context. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-88
8.6.1 acct . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-88
8.6.2 client. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-89
8.6.3 disable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-89
8.6.4 eap . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-90
8.6.5 enable. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-90
8.6.6 ldap. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-90
8.6.7 policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-91
8.6.8 proxy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-91
8.6.9 save . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-92
8.6.10 set. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-92
8.6.11 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-93
8.6.12 userdb. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-93
8.7 AAA Client Context . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-94
8.7.1 add . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-94
8.7.2 remove . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-95
8.7.3 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-95
8.8 AAA EAP Context . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-96
8.8.1 import . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-96
8.8.2 peap. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-97
8.8.3 set . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-97
8.8.4 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-98
8.8.5 ttls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-98
8.9 AAA LDAP Context . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-100
8.9.1 set . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-100
8.9.2 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-101
8.10 AAA Policy Context. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-103
8.10.1 add. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-103
8.10.2 remove. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-103
8.10.3 set . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-104
8.10.4 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-105
8.11 AAA Proxy Context . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-106
8.11.1 add. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-106
8.11.2 remove. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-107
8.11.3 set . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-107
8.11.4 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-108
8.12 AAA User Database Context . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-109
8.12.1 group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-109
8.12.2 user . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-110
8.13 AAA User Database - Group Context . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-111
8.13.1 add. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-111
8.13.2 adduser . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-112
8.13.3 group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-112
8.13.4 remove. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-113
8.13.5 remuser . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-113
8.14 AAA User Database - User Context . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-114
8.14.1 add. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-114
8.14.2 adduser . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-115
8.14.3 remove. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-115
8.14.4 remuser . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-115
8.14.5 set . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-116
8.14.6 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-116
8.15 Access Port (APort) Context . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-118
8.15.1 add. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-118
8.15.2 port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-119
8.15.3 remove. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-120
8.15.4 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-121
8.16 Access Port Instance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-123
8.16.1 description. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-123
8.16.2 name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-123
8.16.3 reset . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-124
8.16.4 set. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-124
8.16.5 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-127
8.17 Access Control List (ACL) Context . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-129
8.17.1 acl . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-129
8.17.2 add . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-130
8.17.3 remove . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-130
8.17.4 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-131
8.18 ACL Instance Context . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-132
8.18.1 name. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-132
8.18.2 set. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-132
8.18.2.1 set name. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-133
8.18.2.2 set addItem . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-133
8.18.2.3 set remItem . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-134
8.18.2.4 set editItem . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-134
8.18.2.5 set defaultAction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-134
8.18.3 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-135
8.19 Access Port Policy (APPolicy) Context . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-136
8.19.1 add . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-136
8.19.2 policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-137
8.19.3 remove . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-138
8.19.4 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-138
8.20 Access Port Policy Instance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-139
8.20.1 add . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-139
8.20.2 description . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-140
8.20.3 map. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-141
8.20.4 name. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-141
8.20.5 remove . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-142
8.20.6 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-142
8.20.7 set. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-143
8.20.7.1 set basicRates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-144
8.20.7.2 set beacon . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-145
8.20.7.3 set dTim . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-145
8.20.7.4 set nonSpectrumMgmt . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-146
8.20.7.5 set np . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-147
8.20.7.6 set preamble . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-147
8.20.7.7 set rtsThreshold . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-147
8.20.7.8 set supportedRates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-148
8.20.7.9 set wmm. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-149
8.21 Access Port Map Context. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-150
8.21.1 select . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-151
8.21.2 set bss . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-152
8.21.3 set bw. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-152
8.21.4 set primaryWLAN. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-153
8.21.5 unselect . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-153
8.21.6 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-154
8.22 Classifier Context (CE) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-155
8.22.1 add. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-155
8.22.2 ce. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-156
8.22.3 remove. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-156
8.22.4 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-157
8.23 Classifier Instance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-158
8.23.1 addMC. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-158
8.23.2 name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-160
8.23.3 description. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-160
8.23.4 removeMC. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-161
8.23.5 setMC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-161
8.23.6 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-162
8.24 Classification Group (CG) Context . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-163
8.24.1 add. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-163
8.24.2 cg. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-164
8.24.3 remove. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-164
8.24.4 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-165
8.25 Classification Group Instance. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-166
8.25.1 description. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-166
8.25.2 name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-167
8.25.3 set . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-167
8.25.4 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-168
8.26 Chassis Context . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-170
8.26.1 set notify . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-170
8.26.2 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-171
8.27 Ethernet Port Context . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-172
8.27.1 port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-172
8.27.2 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-173
8.28 Ethernet Port Instance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-174
8.28.1 ipAddress . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-174
8.28.2 set . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-175
8.28.3 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-177
8.29 Ethernet Policy (EtherPolicy) Context . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-178
8.29.1 add. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-178
8.29.2 policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-179
8.29.3 remove. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-179
8.29.4 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-179
8.30 Ethernet Policy Instance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-181
8.30.1 add. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-181
8.30.2 add tunnel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-182
8.30.3 remove. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-182
8.30.4 remove tunnel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-183
8.30.5 set. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-183
8.30.6 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-184
8.30.7 tunnel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-185
8.30.8 vlan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-185
8.31 Event Context . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-186
8.31.1 set. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-186
8.31.2 syslog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-187
8.31.3 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-187
8.32 Syslog Context . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-189
8.32.1 add . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-189
8.32.2 local . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-190
8.32.3 logdir. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-190
8.32.4 logsubsys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-191
8.32.5 ping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-192
8.32.6 purgelocal. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-192
8.32.7 remlocal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-193
8.32.8 remove . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-193
8.32.9 save local . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-194
8.32.10 set. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-194
8.32.11 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-196
8.32.12 start . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-196
8.32.13 stop. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-197
8.33 FTP Context. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-198
8.33.1 enable. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-198
8.33.2 disable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-198
8.33.3 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-199
8.34 FW (Firewall) Context. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-200
8.34.1 add . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-200
8.34.2 addnat. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-201
8.34.3 addnp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-202
8.34.4 addpf. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-203
8.34.5 lan. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-204
8.34.6 remove . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-204
8.34.7 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-205
8.35 FW Instance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-207
8.35.1 set. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-207
8.35.2 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-208
8.36 Host Context. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-209
8.36.1 add . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-209
8.36.2 host. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-210
8.36.3 remove . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-210
8.36.4 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-210
8.37 Host Instance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-212
8.37.1 set . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-212
8.37.2 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-213
8.38 KDC Context . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-214
8.38.1 add. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-214
8.38.2 authenticate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-215
8.38.3 dump . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-216
8.38.4 remove. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-216
8.38.5 set . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-217
8.38.6 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-219
8.38.7 synchronize . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-221
8.39 Network Policy (NP) Context . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-222
8.39.1 add. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-222
8.39.2 np. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-223
8.39.3 remove. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-223
8.39.4 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-224
8.40 Network Policy Instance. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-225
8.40.1 set . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-225
8.40.2 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-226
8.41 Policy Object (PO) Context . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-228
8.41.1 add. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-228
8.41.2 po. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-229
8.41.3 remove. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-230
8.41.4 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-230
8.42 Policy Object Instance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-232
8.42.1 set . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-232
8.42.2 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-234
8.43 Radius Context . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-235
8.43.1 set . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-235
8.43.1.1 set authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-235
8.43.1.2 set primary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-236
8.43.1.3 set secondary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-236
8.43.2 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-237
8.44 Rogueap Context . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-239
8.44.1 approvedlist. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-239
8.44.2 detectorap . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-240
8.44.3 roguelist . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-240
8.44.4 rulelist . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-240
8.44.5 set . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-241
8.44.6 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-242
8.45 Security Policy Context. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-243
8.45.1 add. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-243
8.45.2 policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-244
8.45.3 remove. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-244
8.45.4 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-245
8.46 Security Policy Instance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-246
8.46.1 set. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-247
8.46.2 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-251
8.47 Sensor Context . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-252
8.47.1 convert . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-252
8.47.2 disable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-253
8.47.3 enable. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-253
8.47.4 revert . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-253
8.47.5 sensor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-254
8.47.6 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-254
8.48 Sensor Instance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-256
8.48.1 description . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-256
8.48.2 set. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-256
8.48.3 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-257
8.49 SNMP Context . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-258
8.49.1 enable. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-258
8.49.2 disable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-259
8.49.3 remove . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-259
8.49.4 set. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-260
8.49.4.1 set kdcconfig . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-260
8.49.4.2 set snmptrap . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-260
8.49.4.3 set traphost . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-261
8.49.5 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-262
8.49.6 v2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-263
8.49.7 v3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-263
8.50 v2 Context. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-264
8.50.1 remove . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-264
8.50.2 set. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-265
8.50.2.1 set client. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-265
8.50.3 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-265
8.51 v3 Context. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-267
8.51.1 set. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-267
8.51.1.1 set profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-267
8.51.2 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-268
8.52 SSH (Secure Shell) Context . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-269
8.52.1 set. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-269
8.52.2 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-270
8.53 SSL (Secure Socket Layer) Context . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-271
8.53.1 enable. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-271
8.53.2 disable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-271
8.53.3 revert certificate. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-272
8.53.4 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-272
8.54 Standby Context . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-273
8.54.1 enable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-274
8.54.2 disable. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-274
8.54.3 set autorevert . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-274
8.54.4 set arDelay . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-275
8.54.5 set heartbeat. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-275
8.54.6 set mac . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-275
8.54.7 set mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-276
8.54.8 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-276
8.55 Switch Policy (SPolicy) Context . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-278
8.55.1 add. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-278
8.55.2 policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-279
8.55.3 remove. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-280
8.55.4 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-280
8.56 Switch Policy Instance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-283
8.56.1 description. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-283
8.56.2 edit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-284
8.56.3 name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-284
8.56.4 restrictedchannel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-285
8.56.5 set adoptionList. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-285
8.56.6 set . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-286
8.56.7 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-287
8.57 Restricted Channel Instance. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-289
8.57.1 add. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-289
8.57.2 remove. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-290
8.57.3 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-290
8.58 Telnet Context . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-291
8.58.1 enable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-291
8.58.2 disable. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-292
8.58.3 set . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-292
8.58.4 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-293
8.59 Tunnel Context . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-294
8.59.1 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-294
8.59.2 tunnel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-295
8.60 Tunnel Instance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-296
8.60.1 set . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-296
8.60.2 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-297
8.61 User Context . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-298
8.61.2 remove. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-299
8.61.3 user . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-300
8.61.4 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-300
8.62 User Instance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-302
8.62.2 deny. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-303
8.62.3 password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-303
8.62.4 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-304
8.63 WLAN Context . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-305
8.63.2 remove . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-306
8.63.3 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-307
8.63.4 wlan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-307
8.64 WLAN Instance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-309
8.64.1 description . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-309
8.64.2 name. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-310
8.64.3 set. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-310
8.64.4 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-311
8.65 WME Context . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-312
8.65.2 remove . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-314
8.65.3 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-314
8.65.4 wme . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-314
8.66 WME Instance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-316
8.66.1 description . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-316
8.66.2 name. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-317
8.66.3 set. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-317
8.66.4 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-318
8.67 WVPN Context . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-319
8.67.1 auth. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-319
8.67.2 cert . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-320
8.67.3 ddns . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-321
8.67.4 directory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-321
8.67.5 disable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-322
8.67.6 enable. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-322
8.67.7 ip_pools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-323
8.67.8 rt . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-323
8.67.9 set. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-324
8.67.10 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-324
8.67.11 wtls. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-326
8.68 cert Instance. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-327
8.68.1 directory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-327
8.68.2 dump cert . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-328
8.68.3 import . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-328
8.68.4 purge. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-329
8.68.5 remove . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-329
8.68.6 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-330
8.68.7 tftpImport . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-330
8.69 ddns Instance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-332
8.69.1 add . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-332
8.69.2 clearClientDns . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-333
8.69.3 disable. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-334
8.69.4 enable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-334
8.69.5 remove. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-335
8.69.6 set . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-336
8.69.7 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-336
8.69.8 updateClientDns . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-337
8.70 ip pools Instance. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-338
8.70.1 add. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-338
8.70.2 disable. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-339
8.70.3 enable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-339
8.70.4 ip_pools. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-340
8.70.5 remove. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-341
8.70.6 set . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-342
8.70.7 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-342
8.71 rt Instance. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-344
8.71.1 Kill . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-344
8.71.2 Show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-345
8.72 wtls Instance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-347
8.72.1 set . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-347
8.72.2 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-348
Chapter 9. Service Mode CLI
9.1 CLI Service Mode Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-1
9.1.1 Logging into the Service Mode. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-2
9.1.2 Basic Conventions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-2
9.2 SM-WS5000> Command Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-2
9.2.1 ? or help. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-4
9.2.2 logout or bye . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-5
9.2.3 exit. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-5
9.2.4 capture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-5
9.2.5 cleanapdbglog. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-6
9.2.6 clear. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-6
9.2.7 configure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-6
9.2.8 copy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-8
9.2.9 debug. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-9
9.2.10 delete . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-10
9.2.11 description. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-11
9.2.12 diag . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-12
9.2.13 directory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-12
9.2.14 emergencymode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-13
9.2.15 enablecclog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-13
9.2.16 execute . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-13
9.2.17 export . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-14
9.2.18 ftpPasswd. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
9.2.19 getcclogfile. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
9.2.20 install . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
9.2.21 launch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
9.2.22 ledcolor. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
9.2.23 logdir. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
9.2.24 name
9.2.25 password
9.2.26 ping
9.2.27 remove
9.2.28 restore
9.2.29 rfping
9.2.30 save
9.2.31 setThresholds
9.2.32 shell
9.2.33 show
9.2.34 showAPFirmware
9.2.35 showBuildInfo
9.2.36 showDiskUsage
9.2.37 showHardwareInfo
9.2.38 showMemUsage
9.2.39 showThresholds
9.2.40 watchdogtimer
9.2.41 wvpnctl
9.3 Diagnosing problems in WS5000/WS5100 Switch
9.3.1 Diagnose User
9.3.2 Finding whether a particular process is running or not
9.3.3 Encrypt, Launch and Execute commands of Service mode CLI
9.3.3.1 encrypt Command
9.3.3.2 launch Command
9.3.4 execute Command
Chapter 10. Antennas and Power
Chapter 11. Converting AP-4131 Access Points to RF Ports
11.1 AP-4131 Features in the WS5000 Series Switch
11.1.1 AP-4131 Port Adoption
11.1.2 AP-4131 Radio Configuration
11.1.3 Multiple BSS and ESS Support
11.1.4 Rate Scaling
11.1.5 AP-4131 Features Unavailable after Conversion
11.2 Converting AP-4131 to Access Ports
11.2.1 Updating the Access Point Firmware Using the TFTP Program
11.2.2 Updating the Access Point Firmware Using the XMODEM
11.2.3 Adding an Access Port
11.2.4 Mapping BSS and ESS IDs
11.3 Reverting to Access Point Functionality
11.4 WS5000 Switch Applet Behavior
Chapter 12. Configuring the WS5100 WTLS VPN
12.1 Onboard DHCP
12.2 On Board VPN server
12.2.1 DHCP Relay and VPN
12.2.2 Dynamic DNS
12.2.3 Certificates
12.2.3.1 PKI and PKCS12 Certificates
12.2.4 WVPN Authentication
12.2.4.1 Simple Authentication
12.2.4.2 RADIUS Authentication
12.2.4.3 IP Pool configuration
12.2.4.4 Certificate configuration
12.2.4.5 VPN Session License
12.2.5 AES versus 3DES
12.2.6 Wireless Transport Layer Security (WTLS)
12.2.6.1 WTLS versus IPSec
12.2.6.2 WTLS configuration
12.3 VPN Session Setup
12.3.1 Switch Setup
12.3.2 WVPN Setup
12.3.3 Starting VPN Service
12.3.4 Client Setup
12.3.4.1 Installing Certificates
12.3.5 Testing VPN Session Setup
12.3.6 TroubleShooting
12.4 Firewall
12.5 Network Address Translation (NAT)
12.5.1 Twice NAT Commands
Chapter 13. Neighboring APs
13.1 ccPortalBeaconRptTable
13.2 ccMuProbeRptTable
13.3 Management Interface
Chapter 14. Enhanced RF Statistics
14.1 ccApTable
14.2 ccPortal
14.2.1 ccPortalTable
14.2.2 ccPortalLast Mac
14.2.3 ccPortalLastReason
14.2.4 ccPortalSystemStatsTable
14.2.5 ccPortalStatsTable
14.2.6 ccPortalRxPktsTable
14.2.7 ccPortalTxPktsTable
14.2.8 ccPortalRxOctetsTable
14.2.9 ccPortalTxOctetsTable
14.2.10 ccPortalTxRetriesPktsTable
14.2.11 ccPortalTxRetriesOctetsTable
14.2.12 ccPortalSigStatsTable
14.2.13 ccPortalSumStatsShortTable
14.2.14 ccPortalSumStatsLongTable
14.3 ccMus
14.3.1 ccMuInfoTable
14.3.2 ccMuStatsTable
14.3.3 ccMuRxPktsTable
14.3.4 ccMuTxPktsTable
14.3.5 ccMuRxOctetsTable
14.3.6 ccMuTxOctetsTable
14.3.7 ccMuTxRetriesTable
14.4 ccMuRfSum
14.4.1 ccMuTxRetriesOctetsTable
14.4.2 ccMuSigStatsTable
14.4.3 ccMuSumStatsShortTable
14.4.4 ccMuSumStatsLongTable
14.5 RF-Traps
14.6 Explanation of Enhanced RF Statistics
14.6.1 A Sample Usage Example
14.6.1.1 Watching min, max, or average is not enough
14.6.1.2 Who calculates Standard Deviation?
14.6.1.3 How is Standard Deviation calculated from running sums?
Chapter 15. AP-300 Sensor Conversion
15.1 Overview
15.1.1 Sensor Implementation
15.2 Functionality
15.2.1 Sensor Discovery
15.2.2 Sensor Configuration
15.2.3 Sensor Revert
15.3 GUI and CLI Interface
15.3.1 Converting an AP300 into a Sensor
15.3.2 Converting a Sensor into AP300
Chapter 16. Syslog and Traps
16.1 List of Traps and Syslog Messages
Chapter 17. DDNS
17.1 Update Mechanism
Appendix A. DOM Firmware Upgrade
Appendix B. DTIM Interval per BSS
Appendix C. AP300 LED Codes
Appendix D. Customer Support
About this Guide
This preface introduces the WS5000 Series Switch System Reference Guide and contains the following
sections:
• Who Should Use this Guide
• How to Use this Guide
• Conventions Used in this Guide
• Service Information
Who Should Use this Guide
The WS5000 Series Switch System Reference Guide is intended for system administrators responsible for
implementing, configuring, and maintaining the WS5000 Series Switch within the wireless local area network.
It also serves as a reference for configuring and modifying most common system settings. The administrator
should be familiar with wireless technologies, network concepts, ethernet concepts, as well as IP addressing
and SNMP concepts.
How to Use this Guide
This guide will help you implement, configure, and administer the WS5000 Series Switch and associated
network elements. This guide is organized into the following sections:
Table 1 Quick Reference on How This Guide Is Organized

| Chapter | Jump to this section if you want to... |
|---|---|
| Chapter 1, “WS5000 Series Switch Overview” | Review the overall feature set of the WS5000 Series Switch, as well as the many configuration options available. |
| Chapter 2, “Installing the System Image” | Install the System Image. This includes uploading the system image to a TFTP server, deleting prior configuration or system files, saving a backup version of the existing configuration, uploading the system image file, and restoring the site configuration file. |
| Chapter 3, “Configuring the WS5000 Series Switch Automatically” | Review details about the Command File, its syntax, options, specific settings, and an example. |
| Chapter 4, “Using the WS5000 Series Switch GUI” | Learn about working within the WS5000 Series Switch GUI to perform most daily administration tasks for the switch and its associated devices. |
| Chapter 5, “Configuring User and Management Authentication” | Configure the Radius server (for both User and Management authentication). |
| Chapter 6, “Configuring Policies” | Configure network policies and switch policies. |
| Chapter 7, “Configuring Rogue AP Detection” | Configure rogue access port (an access port in the network that is not valid and might be unsafe) detection. |
| Chapter 8, “CLI Command Reference” | Review the CLI command reference for all configuration command details, for when the administrator will use the CLI interface instead of the GUI interface. |
| Chapter 9, “Service Mode CLI” | Review the CLI command reference for all the service mode command details for use in debugging and problem resolution while troubleshooting the WS5000 Series Switch configuration. |
| Chapter 10, “Antennas and Power” | Review antenna and power settings for numerous field installation demographics. |
| Chapter 11, “Converting AP-4131 Access Points to RF Ports” | Convert the AP-4131 access point to WS5000 RF ports. |
| Chapter 12, “Configuring the WS5100 WTLS VPN” | Configure WS5100 WTLS VPN. |
| Chapter 13, “Neighboring APs” | Configure AP to AP beacon using SNMP. |
| Chapter 14, “Enhanced RF Statistics” | Learn about RF Stats configuration. |
| Chapter 15, “AP-300 Sensor Conversion” | Learn about the concepts and functionality of AP300 Sensor conversion. |
| Chapter 16, “Syslog and Traps” | See all the syslog and traps generated by WS5000 2.1. |
| Chapter 17, “DDNS” | Learn about the DDNS updateall mechanism. |
| Appendix A, “DOM Firmware Upgrade” | Learn about the new DOM firmware upgrade implemented in this release. |
| Appendix B, “DTIM Interval per BSS” | Learn about the new DTIM interval per BSS implemented in this release. |
| Appendix C, “AP300 LED Codes” | Learn about the AP300’s LED color code functionality. |
| Appendix D, “Customer Support” | Contact the customer support department for any queries. |
Conventions Used in this Guide
This section describes the following topics:
• Annotated Symbols
• Notational Conventions
Annotated Symbols
Note: This symbol signals recommended behavior or reference information that
might be important to consider. It may include tips or special requirements.
IMPORTANT! THIS SYMBOL SIGNALS INFORMATION ABOUT A PROCESS OR CONDITION
THAT COULD CAUSE DAMAGE TO EQUIPMENT, INTERRUPTION OF SERVICE, OR LOSS OF
DATA.
Warning! This symbol indicates information about conditions that could
cause bodily injury. Before working on any equipment, be aware of
physical and electrical hazards and follow practices for preventing
accidents.
Notational Conventions
The following notational conventions are used in this document:
• Italics are used to highlight specific items in the general text, and to identify chapters and sections in this and related documents.
• Bullets (•) indicate:
  • action items
  • lists of alternatives
  • lists of required steps that are not necessarily sequential
• Sequential lists (those describing step-by-step procedures) appear as numbered lists.
Service Information
If a problem is encountered with the WS5000 Series Switch, contact Symbol Customer Support. See
Symbol’s Web site (http://www.symbol.com/services/online_support/online_support.html) for Symbol
Customer Support contact information and policies.
Note: Before calling Symbol Customer Support, have the model number and serial
number for the WS5000 Series Switch on hand.
If the problem cannot be solved over the phone, you may need to return your equipment for servicing. If that is
necessary, you will be given specific directions.
Symbol Technologies is not responsible for any damages incurred during shipment if the approved shipping
container is not used. Shipping the units improperly can possibly void the warranty. If the original shipping
container was not kept, contact Symbol to have another sent to you.
WS5000 Series Switch Overview
The WS5000 Series Switch provides a centralized management solution for wireless networking components
across the wired network infrastructure. Unlike traditional wireless network infrastructures that reside at the
edge of a network, the switch uses centralized, policy-based management for all devices on the wireless
network.
The switch connects to the network through the Ethernet and a Layer 2 switch or hub. The access ports are
connected to a POE-enabled hub which is connected to a Layer 2 switch or hub on the network.
The switch functions as the center of the wireless network. The access ports function as radio antennas for
data traffic management and routing. All of the system configuration and intelligence for the wireless network
resides in the switch.
The switch uses access ports to bridge data from the associated wireless devices to the wireless switch. The
wireless switch applies policies to the data packets before routing them to their destinations. Data packets
destined for devices on the wired network are processed by the switch where appropriate policies are applied
before they are encapsulated and sent to their destination.
Access port configuration is managed by the switch through the Graphical User Interface (GUI) or the Command
Line Interface (CLI). A WS5000 Series Switch streamlines management of a large wireless system and allows
for network management features such as Quality of Service (QoS), virtual WLANs and packet forwarding.
1.1 Key Features
WS5000 Series Switch includes a robust set of features. These features are briefly listed and described in the
following sections:
• Installation Features
• Management Features
• Security Features
• Networking Features
• Access Port Support
1.1.1 Installation Features
A WS5000 Series Switch includes the following installation features:
• Single file upgrade
• Automatic installation and configuration of local or remote wireless switches using a command file.
• Automatic discovery and adoption of access ports
• Upgrade/downgrade using auto-install script.
1.1.2 Management Features
A WS5000 Series Switch includes the following management features:
• Policy-based centralized management
• Secure browser-based management console
• Command Line Interface (CLI) is accessible via a Telnet session, through the serial port, or through a secure shell (SSH) application
• CLI service mode enables the capture of system status information that can be sent to Symbol personnel for use in problem resolution
• “Emergency override” enables the definition of an Emergency Switch Policy that can be activated when required without system interruption
• Kerberos principal file can update the wireless switch’s internal KDC
• Support for Simple Network Management Protocol (SNMP) version 3 as well as SNMP version 2 (including SNMP version 1 support).
• TFTP upload and download of access port firmware and configuration files
• Each access port can support multiple WLANs (with the exception being FH APs)
• System redundancy with auto-revert
• CPU temperature and fan monitoring
• IP-Redirect VoIP
• Multicast support
• DFS/TPC jumbo packet
• Support for Proxy ARP statistics applet operation with Sun JRE
• Service mode features
• The WS5000 Series Switch GUI applet only supports Sun Java Runtime Environment (JRE) including the Sun Java Virtual Machine (JVM). Support for the Microsoft Virtual Machine is discontinued with the 1.4 release and WS5000 Series Switch. This is an extension of the JRE support changes implemented in 1.4. The Sun JRE version support on Windows platforms is JRE 1.4.2_06 or greater. JRE 5.0 Update 2 is recommended.
1.1.3 Security Features
A WS5000 Series Switch includes the following security features:
• On-board Radius server
• Rogue AP detection
• VPN functionality with an integrated DHCP server, firewall, Twice NAT, and integrated VPN server
• Remote administrator login authentication via external Radius server
• MAC address-based access control list
• WEP 40/128
• KeyGuard Mobile Computing Mode (MCM) support (Symbol’s TKIP encryption implementation based on the 802.11i standard)
• Wi-Fi Protected Access (WPA) support with Temporal Key Integrity Protocol (TKIP)
• Optional broadcast key rotation support, which improves broadcast traffic security
• On-board Kerberos Key Distribution Center (KDC) v5 on WNMP
• EAP/TLS on 802.1x
• VLAN segregation
• No serial interface on the access ports to prevent tampering
• Multiple ESSID/BSSID for AP 100, AP-4121 and AP-4131 access point conversions
• Secure beacon
• Mobile unit to mobile unit disallow or drop
• PSP support for mobile units
• Proxy ARP
• AES WPAII
• Short preamble support
• Load balancing
• International roaming
• Power over Ethernet capability
• 802.1Q functionality and interoperability
• Report to cell controller tuning
• Mobile unit roaming between RF ports
• RF port adoption
• 802.1p support
1.1.4 Networking Features
A WS5000 Series Switch includes the following networking features:
• Quality of service (QoS) support, including:
• 802.1p support
• DiffServ (advanced TOS)
• Multiple Tx power settings
• Bandwidth allocation
• Congestion management
• Customizable classifiers and classification groups (packet filters)
• Support for VLANs and virtual WLANs
• IP redirection
• Ethernet load balancing
• DHCP option 60 support
• Layer 2 filtering
• Layer 3 filtering
• Multiple WLAN
1.1.5 Access Port Support
Access ports work on any VLAN with connectivity to the wireless switch. The WS5000 Series Switch supports
the following access ports:
• AP 100 (supports 802.11b)
• AP 300 (supports 802.11a/b/g)
• Access points converted to access ports, including:
  • AP 4131
  • AP 4121
  • AP-3020, AP-3021
1.2 Hardware Overview
A WS5000 Series Switch contains two types of hardware: a wireless switch and a set of access ports.
The wireless switch is a rack-mountable device that manages all inbound and outbound traffic on the wireless
network. It provides security, network services, and system management applications.
Unlike traditional wireless infrastructure devices that reside at the edge of a network, the WS5000 Series
Switch uses centralized, policy-based management to apply sets of rules or actions to all devices on the
wireless network. It collects management “intelligence” from individual access points and moves the collected
information into the centralized wireless switch. Then, it replaces the access points with “dumb” radio
antennas called access ports.
Access ports (APs) are 48V power-over-Ethernet devices that are connected to the WS5000 Series Switch by
an Ethernet cable. An access port receives 802.11x data from mobile units and forwards this data to the switch,
which applies the appropriate policies and routes the packets to their destinations. Depending on the model,
an AP can support as many as 16 WLANs.
Access ports do not have software or firmware upon initial receipt from the factory. When the access port is
first powered on and cleared for the network, the wireless switch initializes the access port and installs a small
firmware file automatically. Therefore, installation and upgrades of firmware are automatic and transparent.
1.2.1 Physical Specifications
The physical dimensions and operating parameters for the WS5000 Series Switch are:
| Parameter | Value |
|---|---|
| Width | 48.1 cm / 18.93 in. (with mounting brackets); 42.9 cm / 16.89 in. (without mounting brackets) |
| Height | 4.39 cm / 1.73 in. |
| Depth | 40.46 cm / 15.93 in. |
| Weight | 6.25 kg / 13.75 lbs. |
| Max Power Consumption | 100 VAC, 50/60 Hz, 3A; 240 VAC, 50/60 Hz, 1.5A |
| Operating Temperature | 10°C - 35°C / 50°F - 95°F |
| Operating Humidity | 5% - 85% without condensation |
1.2.1.1 Power Cord Specifications
A power cord is not supplied with the device. Use only a correctly rated power cord certified for the country of
operation.
1.2.1.2 Power Protection
To best protect the WS5000 series switch from unexpected power surges or other power-related problems,
ensure the system installation meets the following power protection guidelines:
• If possible, use a circuit that is dedicated to data processing equipment. Commercial electrical contractors are familiar with wiring for data processing equipment and can help with the load balancing of these circuits.
• Install surge protection. Use a surge protection device between the electricity source and the WS5000 Series Switch.
• Install an Uninterruptible Power Supply (UPS). A UPS provides continuous power during a power outage. Some UPS devices have integral surge protection. UPS equipment requires periodic maintenance to ensure reliability. A UPS of the proper capacity for the data processing equipment must be purchased.
1.2.1.3 Cabling Requirements
Two Category 6 Ethernet cables (not supplied) are required to connect the switch to the LAN and the WLAN.
The cables are used with the two Ethernet ports on the front panel of the device.
The console cable shipped with the switch is used to connect the switch to a computer running a serial
terminal emulator program to access the switch’s Command Line Interface (CLI) for initial configuration. Initial
configuration steps are described in the WS5000 Series Switch Installation Guide.
1.2.2 System Status LED Codes
A WS5000 Series Switch has two LEDs on the front panel, adjacent to the RJ45 ports. The System Status LEDs
display three colors (blue, amber, or red) and three “lit” states (solid, blinking, or off). Table 1.1 decodes
the combinations of LED colors and states.

Table 1.1 System Status LED Codes

| Event | Top LED | Bottom LED |
|---|---|---|
| System Start Up LED Codes | | |
| Power off | Off | Off |
| Power On Self Test (POST) running | All colors in rotation | All colors in rotation |
| POST succeeded | Blue solid | Blue solid |
| Software initializing | Blue solid | Off |
| Software initialized | Blue blinking | Off |
| Configured as a Primary Switch | | |
| Active | Blue blinking | Blue solid |
| Monitoring | Blue blinking | Amber solid |
| Standby missing or not enabled | Blue blinking | Off |
| Inactive | Amber blinking | Blue blinking |
| Configured as a Standby Switch | | |
| Active (acting as primary) | Blue blinking | Blue blinking |
| Monitoring | Blue blinking | Amber solid |
| Standby not enabled | Blue blinking | Off |
| Inactive | Amber blinking | Amber blinking |
| Error Codes | | |
| POST failed (critical error) | Red blinking | Red blinking |
| Software initialization failed | Amber solid | Off |
| Country code not configured (a) | Amber solid | Amber blinking |
| No access ports have been adopted | Blue blinking | Amber blinking |
| Primary inactive or failed | Amber blinking | Blue blinking |

a. During first time setup, the LEDs will remain in this state until the country code is configured.
1.2.3 10/100/1000 Port Status LED Codes
A WS5000 Series Switch includes two indicators for the RJ-45 ports:
• Upper left (amber/green) for link rate
• Upper right (green) for link activity
Table 1.2 provides additional information about the status of the 10/100/1000 Port Status LED codes.
Table 1.2 10/100/1000 Port Status LED Codes

| LED | State | Meaning |
|---|---|---|
| Upper left | Off | 10 Mbps link rate |
| Upper left | Green steady | 100 Mbps link rate |
| Upper left | Amber steady | 1 Gigabit link rate |
| Upper right | Off | The port isn’t linked |
| Upper right | Green steady | The port is linked |
| Upper right | Green blinking | The port is linked and active |
1.3 Software Overview
This section provides an overview of the WS5000 Series Switch software and features. It contains:
• 1.3.1 Accessing and Configuring the Switch Software
• 1.3.2 Switch Policies
• 1.3.3 Access Port Adoption Process
• 1.3.4 Quality of Service
• 1.3.5 Multi-BSSID and ESSID Access Ports
• 1.3.6 Standby Management
• 1.3.7 WLAN to VLAN Mapping
1.3.1 Accessing and Configuring the Switch Software
To access and configure the WS5000 Series Switch administration controls and options, the administrator can
access a CLI through a Telnet session, or log into a Web-based graphical user interface.
The CLI is accessible via Telnet, through the console port on the front of the wireless switch, or through an SSH
application (which enables protected access to the switch over the CLI). All configuration and management
functions can be performed through the CLI.
The Web-based graphical user interface (GUI) can be accessed securely from any Web browser on the
network. The GUI provides tools to configure and maintain the wireless system. It also provides real-time
graphs for displaying system load and traffic on the wireless network.
1.3.2 Switch Policies
A WS5000 Series Switch uses a set of rules, or “policies,” to configure the wireless LAN (WLAN), the access
ports that it adopts, and to integrate the wired LANs and VLANs. The policy-based management architecture
lets a network administrator create a class of service (CoS) by defining network access, type of WLAN security,
and quality of service (QoS) for a group of users.
Figure 1.1 displays the WS5000 Series Switch principal policies. The following section describes these
policies:
• Switch Policy – Acts as a container for all the other policies. It also contains an adoption list, which controls the types of access ports (APs) that can be adopted.
• Ethernet Port Policy – Configures the switch’s Ethernet ports, and associates multiple WLANs with multiple LANs or VLANs. There are two Ethernet ports on WS5000 Series Switches. By convention, port 1 (the left port) connects to the wireless LAN, and port 2 (the right port) connects to the wired LAN.
• Access Port Policy – Defines access port configuration details such as an AP’s beacon interval, RTS threshold, and its set of supported data rates. The AP policy is also responsible for adding WLANs to the AP and for attaching a security policy, access control list, and network policy (or packet filter) to each AP.
• WLAN Policy – Defines attributes (such as ESS ID, beacon rate, DTIM interval) applied to mobile units on a portion of the wireless LAN.
• Security Policy – Defines the authentication and encryption methods used to secure communication between the WS5000 Series Switch and the mobile units through the APs. Each WLAN can have a different security policy associated with it.
• Network Policy – Filters and prioritizes packets as they are sent across the wireless network. It can reject packets completely. Use the network policy to implement QoS and types of service (ToS) protocols.
Figure 1.1 Principal Policies of a WS5000 Series Switch
1.3.3 Access Port Adoption Process
The process in which the WS5000 Series Switch takes on an 802.11 access port and configures it is called
adoption. It includes configuring adoption lists, loading the firmware image on the access port, and configuring
the access port radios according to the switch policy.
The adoption process works as follows:
1. The access port sends a packet to the wireless switch to provide a way for the switch to declare its
intention to adopt.
2. If the switch can adopt the access port, it replies with a message indicating its intention to adopt.
3. After the access port receives the message, it requests a firmware image download.
4. After the firmware image downloads, the access port sends a configuration request packet from the
MAC address of each of its radios. The configuration request informs the switch of the radio
capabilities, including the radio MAC address, radio type, radio serial number, and whether the radio is
equipped with an internal or external antenna.
5. The switch checks the adoption list for policies and configures the radios accordingly. The power,
channel (or if Automatic Channel Selection is enabled—a set of legal channels), BSS IDs, ESSIDs, and
data rates are configured.
1.3.4 Quality of Service
QoS is used to give a user or an application relative precedence or priority over another. QoS applies in the
case of congestion that may occur from excessive traffic or different data rates and link speeds—10 Mbps
Ethernet, 100 Mbps Ethernet, 11 Mbps Wireless, and so on—that exist in the same network.
If there is enough bandwidth for all users and applications (unlikely because excessive bandwidth comes at a
very high cost), then applying QoS has very little value. When total bandwidth is shared by different users and
applications, QoS is required to provide policy enforcement for mission-critical applications and/or users that
have critical bandwidth requirements.
1.3.4.1 Different Dimensions of QoS
Different methods of QoS are applied for distinction between users and applications. The two main categories
are:
• QoS via Queuing – A network shared by different users, such as in a revenue-based, shared office building or a public hotspot, is implemented with Service Level Agreements (SLA) based on how much each group of users pays for bandwidth. In this case, one or all points of aggregation, such as the switch and some high-end routers or policy managers, can allocate different percentages of the total bandwidth to different groups of users through the use of queues. Bandwidth allocation can also be further divided and applied to different applications, again using queues.
• Application QoS via Packet Marking – A network or a portion of the allocated bandwidth can be shared by different applications. Voice communication (for example) can be more latency-sensitive or more mission-critical than others. In this case, a priority is assigned to the traffic by adding the appropriate QoS marking or tags to network traffic to provide higher precedence while the data is passed through points of aggregation—routers, switch(es), and gateways—and the medium of transfer. Packet marking provides configurable upstream devices and helps QoS end-to-end.
1.3.4.2 Packet Filtering
Packet filtering allows or discards packets matching certain criteria defined by Classification Groups (CG) on
an output packet port. Classification groups on an output port are defined with allow decisions, discard
decisions or a combination of both. A CG defined with an allow condition is associated with a priority number
in the range of 0 – 7, seven being the highest priority. Table 1.3 shows the types of packet filtering that the
WS5000 Series Switch supports.
Table 1.3 Packet Filters Supported

| Packet filter | Filters |
|---|---|
| MACsource | Source MAC addresses. |
| MACdestination | Destination MAC addresses. |
| ethertype | Ethernet specifier: Speed. |
| vlanid | Virtual LAN IDs |
| userpriority | User Priority |
| protocol | Protocol Type |
| tos | Type of Service |
| IPsource | Source IP |
| IPdestination | Destination IP |
| sourceport | Source Port |
| destinationport | Destination Port. |
| MCMask | Destination multicast group MAC address. |
1.3.4.3 Weighted Fair Queuing (WFQ)
Weighted Fair Queuing (WFQ) enables a mechanism on the switch that uses up to eight queues to store data—
network packets—and prioritize RF transmission to and from MUs depending on the data type. After the
switch classifies the data (as voice or data), WFQ stores the packets (assuming the network traffic demands
that the data be queued by data type) and then transmits the packets at a rate specified by the WFQ allocation
percentage setting.
You can assign WFQs to classification groups. There is a WFQ for inbound traffic. WFQ for a classification
group must have a nonzero value to enable the classification group.
Note You can use WFQ to prioritize only UDP traffic along with the filters.
WFQ uses one queue for each classification group, up to eight queues total, and one queue for all other data.
For example, if the network has only one classification group for VoIP and no other groups, then WFQ
automatically uses two queues: one for VoIP and the other for all other data (data not defined in the
classification group). Each additional classification group uses another queue and keeps one queue open for
other data.
The allocation setting determines the percentage of available network bandwidth for data from a classification
group. For example, if the WFQ allocation for VoIP data is set to 80%, then the switch sends four packets of
VoIP data for every one packet of other data during periods of network congestion.
WFQ is implemented for the different types of traffic on the same ESSID and Access Port (AP) as well as
between different ESSIDs on the same AP. This implementation shares voice and non-voice traffic across
different network paths, thereby balancing the traffic load. A large volume of non-voice traffic on one ESSID
does not deplete the voice traffic on another ESSID on the same AP.
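The 80% allocation described above, worked through as an added example (not code from the switch or from this guide): one queue per classification group plus a queue for all other data, drained by a smooth weighted round-robin. The `ClassificationGroup` fields reuse filter names from Table 1.3; the class names, the port range and the scheduling algorithm itself are assumptions made for illustration.

```python
from collections import deque
from dataclasses import dataclass

MAX_GROUPS = 8  # per the guide: one queue per classification group, up to eight


@dataclass
class ClassificationGroup:
    """Hypothetical CG model; field names follow the Table 1.3 filter names."""
    name: str
    wfq_percent: int                   # zero leaves the group disabled
    protocol: str = "udp"              # the guide: WFQ prioritizes UDP traffic only
    destinationport: range = range(0)  # assumed match criterion

    def matches(self, pkt):
        return (pkt.get("protocol") == self.protocol
                and pkt.get("destinationport") in self.destinationport)


class WfqScheduler:
    """Smooth weighted round-robin; an assumed stand-in for the switch's WFQ."""

    def __init__(self, groups):
        self.groups = [g for g in groups if g.wfq_percent > 0]
        if len(self.groups) > MAX_GROUPS:
            raise ValueError("at most eight classification-group queues")
        allocated = sum(g.wfq_percent for g in self.groups)
        if allocated > 100:
            raise ValueError("WFQ allocations exceed 100%")
        self.weights = {g.name: g.wfq_percent for g in self.groups}
        self.weights["other"] = 100 - allocated   # queue for all other data
        self.queues = {name: deque() for name in self.weights}
        self.credit = dict.fromkeys(self.weights, 0)

    def enqueue(self, pkt):
        """Place the packet in the first matching CG queue, else in 'other'."""
        for g in self.groups:
            if g.matches(pkt):
                self.queues[g.name].append(pkt)
                return g.name
        self.queues["other"].append(pkt)
        return "other"

    def dequeue(self):
        """Return (queue_name, packet) for the next transmission, or None."""
        busy = [n for n, q in self.queues.items() if q]
        if not busy:
            return None
        for n in self.credit:
            # idle queues forfeit credit so they cannot burst later
            self.credit[n] = self.credit[n] + self.weights[n] if n in busy else 0
        winner = max(busy, key=lambda n: self.credit[n])
        self.credit[winner] -= sum(self.weights[n] for n in busy)
        return winner, self.queues[winner].popleft()


def congestion_demo():
    """Constructed traffic: 100 bulk packets queued ahead of 100 VoIP packets."""
    voip = ClassificationGroup("voip", 80, destinationport=range(16384, 16484))
    sched = WfqScheduler([voip])
    for seq in range(100):
        sched.enqueue({"protocol": "udp", "destinationport": 9000, "seq": seq})
    for seq in range(100):
        sched.enqueue({"protocol": "udp", "destinationport": 16384, "seq": seq})
    return [sched.dequeue()[0] for _ in range(50)]
```

While both queues are backlogged the transmit order repeats voip, voip, other, voip, voip, so the bulk traffic that arrived first cannot crowd out the voice queue.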
1.3.4.4 QoS via Wi-Fi Multimedia Extension (WME)
Quality of Service (QoS) is required to support multimedia applications and advanced traffic management.
WME (Wi-Fi Multimedia Extension) adds prioritized QoS capabilities to Wi-Fi networks and optimizes their
performance when multiple concurrent applications, each with different latency and throughput requirements,
compete for network resources.
By using WME, end-user satisfaction is maintained in a wider variety of environments and traffic conditions.
WMM provides prioritized media access and is based on the Enhanced Distributed Channel Access (EDCA)
method.
It defines four priority classes to manage traffic from different applications:
• Voice
• Video
• Best effort
• Background
Typically, networks operate on a best-effort delivery basis. All traffic has equal priority and an equal chance of
being delivered in a timely manner. When congestion occurs, all traffic has an equal chance of being dropped.
Applications such as voice, video and music streaming, and interactive gaming generate data streams that
have strict latency and throughput requirements. To ensure a good user experience, traffic from different
applications has to be managed and prioritized using QoS.
When QoS is configured on the switch, users can select specific network traffic, prioritize it, and use
congestion management and congestion avoidance techniques to provide preferential treatment.
Implementing QoS on wireless LANs makes network performance more predictable and bandwidth utilization
more effective. The benefits of QoS become more obvious as the load on the wireless LAN increases, keeping
the latency, jitter, and loss for selected traffic types within an acceptable range.
WMM introduces traffic prioritization capabilities based on the four “Access Categories” (AC). In the default
configuration, the higher the access category, the higher the probability to transmit.
The ACs were designed to correspond to 802.1d priorities to facilitate interoperability with QoS policy
management mechanisms, such as UPnP.
Table 1.4

| Access Category | Description | 802.1d Tags |
|---|---|---|
| WMM Voice (AC 3) | Highest priority. Allows multiple concurrent VoIP calls, with low latency and toll voice quality. | 7,6 |
| WMM Video (AC 2) | Prioritize video traffic above other data traffic. One 802.11g or 802.11a channel supports 3-4 SD TV streams or 1 HDTV stream. | 5,4 |
| WMM Best Effort (AC 1) | Traffic from legacy devices, traffic from applications or devices that lack QoS capabilities. Traffic less sensitive to latency, but affected by long delays, such as internet browsing. | 0,3 |
| WMM Background (AC 0) | Low priority traffic (file downloads, print jobs) that does not have strict latency and throughput requirements. | 2,1 |
The Access Category of a packet is part of the 802.11 header.
Packets from the wired side to WLAN do not contain any AC information. This traffic is classified into one of
the four WMM ACs:
• If it contains VLAN tags/DSCP priority, use this information to obtain the AC.
• In addition, existing classifiers (CE/CG) can be used to match traffic of a particular type, which can then be assigned to an AC as an action.
Traffic from a WMM enabled WLAN, when sent to RON (rest of network) retains the priority information in the
VLAN tag (if present) as well as the IP header (if an IP packet). Mapping from AC to 802.1d tags is according
to WMM standards.
Packets not assigned to a specific AC are categorized by default as having best effort priority.
WME can be enabled on a per AP policy basis as well as on a per WLAN basis. A WLAN will use WME only
if both the WLAN and the AP Policy it is under have WME enabled. By default, WME is disabled in
WLANs as well as AP Policies.
WME is only supported on AP300s. WMM-enabled switches/APs coexist with legacy devices (devices that
are not WMM-enabled).
The default WME AC parameters (which determine the prioritization of traffic under each AC) are as specified
by the WME standard. The configuration of each AC can be modified. Four parameters can be configured per
AC: CWmin, CWmax, AIFSN and TXOP. The parameters are explained below.
AC Parameters
Packets are then added to one of four independent transmit queues (one per AC; i.e., voice, video, best effort,
or background) in the AP. The AP has an internal collision resolution mechanism to address collision among
different queues, which selects the frames with the highest priority to transmit. The same mechanism deals
with external collision, to determine which client should be granted the “Opportunity to Transmit” (TXOP).
The collision resolution algorithm that is responsible for traffic prioritization is probabilistic and depends on
two timing parameters that vary for each AC.
• The minimum interframe space, or Arbitration Inter-Frame Space Number (AIFSN)
• The Contention Window (CW), sometimes referred to as the Random Backoff Wait.
Both values are smaller for high-priority traffic.
For each AC, a backoff value is calculated as the sum of the AIFSN and a random value from zero to the CW.
• The value of the CW varies through time.
• Initially the CW is set to a value that depends on the AC (CWmin).
• After each collision, the CW is doubled until a maximum value (CWmax), also dependent on the AC, is reached.
• After successful transmission, the CW is reset to its initial, AC-dependent value.
The AC with the lowest backoff value gets the TXOP.
• As frames with the highest AC tend to have the lowest backoff values, they are more likely to get a TXOP.
Once a client gains a TXOP, it is allowed to transmit for a given time depending on the AC and the PHY rate.
• TXOP limit ranges from 0.2 ms (background priority) to 3 ms (video priority) in an 802.11a/g network, and from 1.2 ms to 6 ms in an 802.11b network.
• This bursting capability greatly enhances the efficiency for high data rate traffic, such as AV streaming.
• Also, the devices operating at higher PHY rates are not penalized when devices that support only lower PHY rates (e.g. because of distance) contend for medium access.
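The classification and contention rules above, combined in an added example (not code from the switch or from this guide): wired-side frames are mapped to an AC using the 802.1d tags of Table 1.4, then the four queues contend with the simplified backoff rule this section describes. The CWmin, CWmax and AIFSN values are assumed WME station defaults, since the guide does not list them, and all function and class names are hypothetical.

```python
import random

# Table 1.4: 802.1d tag -> WMM access category (AC 3 is the highest)
TAG_TO_AC = {7: 3, 6: 3, 5: 2, 4: 2, 0: 1, 3: 1, 2: 0, 1: 0}
AC_NAME = {3: "voice", 2: "video", 1: "best_effort", 0: "background"}
BEST_EFFORT = 1

# Assumed per-AC (CWmin, CWmax, AIFSN); the guide only says the defaults
# follow the WME standard and does not print the numbers.
DEFAULT_PARAMS = {3: (3, 7, 2), 2: (7, 15, 2), 1: (15, 1023, 3), 0: (15, 1023, 7)}


def classify(dot1d_tag=None):
    """Map a wired-side frame to an AC; untagged traffic is best effort."""
    return TAG_TO_AC.get(dot1d_tag, BEST_EFFORT)


class AccessCategoryQueue:
    def __init__(self, ac, cwmin, cwmax, aifsn):
        self.ac, self.cwmin, self.cwmax, self.aifsn = ac, cwmin, cwmax, aifsn
        self.cw = cwmin      # CW starts at the AC's CWmin
        self.pending = 0     # frames waiting in this queue

    def backoff(self, rng):
        # backoff = AIFSN + a random value from zero to the current CW
        return self.aifsn + rng.randint(0, self.cw)

    def on_collision(self):
        # doubling keeps the 2^n - 1 form (3, 7, 15, ...), capped at CWmax
        self.cw = min(2 * self.cw + 1, self.cwmax)

    def on_success(self):
        self.cw = self.cwmin


def simulate(tags, rounds, seed=1, params=DEFAULT_PARAMS):
    """Queue one frame per tag, run contention rounds, return TXOPs per AC."""
    rng = random.Random(seed)
    queues = {ac: AccessCategoryQueue(ac, *p) for ac, p in params.items()}
    for tag in tags:
        queues[classify(tag)].pending += 1
    wins = {name: 0 for name in AC_NAME.values()}
    for _ in range(rounds):
        contenders = [q for q in queues.values() if q.pending]
        if not contenders:
            break
        draws = {q.ac: q.backoff(rng) for q in contenders}
        lowest = min(draws.values())
        tied = [q for q in contenders if draws[q.ac] == lowest]
        # internal collision: the highest-priority queue transmits,
        # the queues it collided with widen their contention window
        winner = max(tied, key=lambda q: q.ac)
        for q in tied:
            if q is not winner:
                q.on_collision()
        winner.on_success()
        winner.pending -= 1
        wins[AC_NAME[winner.ac]] += 1
    return wins


def saturated_demo(rounds=1000):
    """Constructed load: 2000 frames per AC, so every AC stays backlogged."""
    tags = [tag for tag in TAG_TO_AC for _ in range(1000)]
    return simulate(tags, rounds)
```

With these assumed parameters a backlogged voice queue always draws a lower backoff than background, so background wins no TXOP until voice drains: the tag-to-AC mapping effectively decides which traffic gets airtime.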
1.3.5 Multi-BSSID and ESSID Access Ports
In a networked wireless environment, multiple access ports are connected to a WS5000 Series Switch to
provide RF connectivity to MUs. Each access port radio sends and receives RF signals over a range of space,
the Basic Service Set (BSS). The BSS coverage area is identified by a Basic Service Set Identifier (BSSID).
The access port beacon contains its BSSID, which enables the MU to recognize the access port and associate
with it. Extended Service Sets (ESS) are a logical group of BSSs. ESSs virtualize or increase the number of BSS
radio signals.
The beacon contains information about the access port and the network, which enables the MU to rank access
ports based on the received signal strength. The beacon can optionally include the Extended Service Set
Identifier (ESSID). MUs associate with the most preferable access port in the coverage area.
After association, the MU continues to scan for other beacons to ensure that it is receiving the best, continuous
signal strength, in case the signal from the currently associated access port becomes too weak to maintain
communications as the MU moves through the area.
Most access ports support multiple BSSs (see Access Port Support on page 1-4). MUs sense each unique BSS
as a separate radio signal. Access ports with multiple BSSs solve performance and security issues by isolating
broadcast traffic on a specific BSS rather than sending broadcasts to all BSSs. This enables MUs to save
battery power by sensing only for their specific BSS rather than all traffic. An access port with multiple BSSs
provides the same functionality as four single-BSS Access Points and requires less time for installation and
configuration.
Network administrators add WLANs to BSSs. The BSSIDs are mapped to ESSIDs by default. However, the
network administrator can optionally change default settings. The network administrator can map each BSSID
to multiple ESSIDs, so the radios on the access ports support multiple WLANs.
As RF traffic changes over time or the MU roams, the MU searches for access ports that have a matching
ESSID. The MU associates with an access port with the same ESSID to synchronize communication. As the
MU roams from coverage area to coverage area, it switches between access ports.
The MU switches between access ports when the MU analyzes the reception quality at a location and decides
to communicate with another access port based on the best signal strength and lowest MU load distribution.
The AP 100, AP 200, AP 300, AP 4121 and AP 4131 access ports support multiple ESSIDs.
1.3.6 Standby Management
“Failover” or Standby Management enables the network administrator to significantly reduce the chance of a
disruption in service to the switch and associated MUs by placing one or more additional WS5000 Series
Switches as backup to a Primary wireless switch if it fails.
After configuring a Primary and Standby switch, the Primary switch issues a Discovery packet on each
configured interface. Assuming there is a properly configured Standby switch, the Standby receives the
Discovery packet and starts sending heartbeats to the Primary. This establishes connectivity between the
Primary and the Standby. The Primary switch executes various internal monitors, in addition to any necessary
to communicate with the Standby switch.
If heartbeats fail after being properly established, the Standby wireless switch incurs a failover event
and assumes the duties of the Primary switch, including adopting all access ports. The Standby switch
sends an administrative alert—SNMP trap, etc.—to the administrator that a failover event has taken place.
Warning! You cannot configure a WS5000 model switch as a standby for a
WS5100 model switch.
1.3.7 WLAN to VLAN Mapping
Virtual LANs (VLANs) segment large subnets of a network, which enables network administrators to control
broadcasts and heighten network security. The WS5000 Series switch connects to the wired network through
one of two Ethernet ports (typically through NIC 2). Each access port associated with the switch can be
connected to either a trunked or non-trunked Ethernet port of the switch. Administrators configure an Ethernet
policy so it maps each WLAN to a non-trunked Ethernet port or to one of the VLANs visible to the trunked
Ethernet port. Further, administrators enable WLANs to communicate with a VLAN by configuring each WLAN
so that the rest of the network connects through a common router or Layer 2 switch.
Access ports in a VLAN are able to broadcast and multicast only within that VLAN. Using VLANs, wireless
switch administrators limit the general traffic in the wireless network, including broadcast packets because
large numbers of broadcast packets can affect network performance. By segmenting a network into VLANs,
wireless switch administrators limit the spread of broadcast packets.
Using VLANs:
• Limits broadcast and multicast traffic
• Increases security by limiting communication between groups
• Allocates network resources, such as servers, to specific groups
Map WLANs on a one-to-one basis, configuring switch policies such as:
• Ethernet Policy mapping one WLAN to a VLAN
• Access Port Policy mapping one or more WLANs to a BSSID
• Security Policy mapping one security policy to a WLAN policy.
1.4 New Features
This section describes the key enhancements in the WS5000 Series Switch:
• WME
• RF Statistics
• GRE Tunnel
• Dual DHCP Server
• SNMP Trap on Config Change
• AP to AP Beacons
• DTIM per BSS
• WIPS Support
• CPU Temperature Monitoring in WS5000
• Active Primary Revert
• Access Port Ping
• Upgrade/Downgrade Process
1.4.1 WME
WME is a quality of service implementation based on a subset of the IEEE 802.11e draft specification. WME
support will enable the wireless infrastructure network based on WS5000 to handle multimedia traffic
with Quality of Service (QoS). WS5000 will be able to provide the enhanced service for WME-capable stations
associated with an access port that has the WME capability.
To learn more about WME refer to QoS via Wi-Fi Multimedia Extension (WME) on page 1-11.
1.4.2 RF Statistics
The switch shall support approximately 24 new MIB tables, giving various details of the RF statistics. The
purpose of these new (enhanced) statistics is to provide better RF monitoring and troubleshooting capabilities
to network administrators.
The salient features of enhanced RF stats are:
• It supports 350 RF stats, on a per APPortal and per MU basis.
• Provides Long and Short statistics, Traps and Thresholds.
• It is accessible using SNMP.
To learn more about enhanced RF Stats, refer to Chapter 14, Enhanced RF Statistics.
1.4.3 GRE Tunnel
GRE Tunneling capability provides the ability to create a GRE tunnel from a switch to a switch/router at the
remote end through an IP backbone. The primary functionality is to provide IP services (from the remote end /
core of the network) to the MUs on particular WLANs that are mapped to the GRE tunnels. The data arriving
from a MU associated with a particular WLAN would be sent across to that GRE endpoint.
This functionality in WS5000 v2.1 is based on v1.4.3, when GRE tunneling capability was first introduced. V2.1
will also provide the capability to enable up to 4 GRE tunnels and provide the necessary WLAN mapping and
other required configuration parameters (including Remote IP Address, Time To Live and Keep Alive).
Common tunneling protocols include:
• Generic Routing Encapsulation (GRE)
• Layer2 Tunneling (L2TP)
• IPSec VPN
• Multi Protocol Label Switching (MPLS) VPN
• IP over IP
For the entire GRE tunnel CLI configuration, refer to tunnel on page 8-85.
1.4.4 Dual DHCP Server
Currently the DHCP server is used along with the VPN server to serve public addresses to the wireless clients.
It can be enabled only on one NIC at one time. It is required that the DHCP server should be able to serve IP
addresses on both the interfaces, and should be able to serve IP addresses from different pools of addresses
on both interfaces.
Since the DHCP server may be used directly with WPA/WPA2 (without VPN), the requirement is that the DHCP
configuration should be available, even when VPN is not enabled.
Also, there is a requirement to restrict serving of the IP-addresses only to the primary (native) VLAN. So, a new
configuration is provided to meet this requirement.
To learn more about Dual DHCP server, refer to Chapter 12, Configuring the WS5100 WTLS VPN.
1.4.5 SNMP Trap on Config Change
For improved system administration, WS5000 v2.1 supports the following:
1. Send out an SNMP trap whenever configuration in the switch changes. The change could be initiated by
CLI, GUI or SNMP.
2. The trap contains the time when the config was changed. The trap will not contain any details of the
config change itself.
3. The Switch stores the time when the config was last modified. This will not be persistent across switch
reboots.
4. Switch will maintain a count of total configuration changes. This will not be persistent across switch
reboots.
Chapter 16, Syslog and Traps lists all the traps and syslog messages.
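Because the trap carries only the time of the change, and the change counter and last-modified time are lost at reboot, a collector has to reconcile the two sources itself. The following added example (not code from the switch or from this guide) does that over constructed samples; the dictionary keys, the use of an uptime reading to detect a reboot, and the approved-window model are assumptions.

```python
from datetime import datetime, timedelta


def audit_config_changes(polls, trap_times, windows):
    """Reconcile config-change traps against the switch's change counter.

    polls      -- dicts with hypothetical keys: time, uptime_s, change_count,
                  last_change (values read from the switch at each poll)
    trap_times -- change times carried in the received traps
    windows    -- (start, end) pairs of approved change windows
    Returns a time-sorted list of (when, finding) tuples.
    """
    def approved(t):
        return any(start <= t <= end for start, end in windows)

    # The trap holds no detail of the change, so timing is all we can judge.
    findings = [(t, "change outside approved window")
                for t in trap_times if not approved(t)]

    polls = sorted(polls, key=lambda p: p["time"])
    for prev, cur in zip(polls, polls[1:]):
        if cur["uptime_s"] < prev["uptime_s"]:
            # Counter and last-change time do not survive a reboot: restart
            # the baseline at boot instead of reading a negative delta.
            since = cur["time"] - timedelta(seconds=cur["uptime_s"])
            counted = cur["change_count"]
            findings.append(
                (since, "reboot: change counter reset, earlier gap unverifiable"))
        else:
            since = prev["time"]
            counted = cur["change_count"] - prev["change_count"]
        trapped = sum(1 for t in trap_times if since < t <= cur["time"])
        if counted > trapped:
            # Traps can be lost in transit; the counter still shows the change.
            findings.append((cur["last_change"],
                             f"{counted - trapped} change(s) counted without a trap"))
    return sorted(findings)


def demo():
    """Constructed samples; switch and collector clocks assumed in sync."""
    day = datetime(2006, 1, 10)

    def at(hour, minute=0):
        return day + timedelta(hours=hour, minutes=minute)

    windows = [(at(10), at(11))]                      # approved: 10:00-11:00
    traps = [at(10, 5), at(10, 20), at(13, 10)]
    polls = [
        {"time": at(9), "uptime_s": 86400, "change_count": 3,
         "last_change": at(8, 15)},
        {"time": at(10, 30), "uptime_s": 91800, "change_count": 5,
         "last_change": at(10, 20)},
        {"time": at(12), "uptime_s": 97200, "change_count": 6,
         "last_change": at(11, 40)},                  # counted, but no trap seen
        {"time": at(13, 30), "uptime_s": 1800, "change_count": 1,
         "last_change": at(13, 10)},                  # switch rebooted at 13:00
    ]
    return audit_config_changes(polls, traps, windows)


if __name__ == "__main__":
    for when, finding in demo():
        print(when.isoformat(sep=" "), finding)
```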
1.4.6 AP to AP Beacons
The purpose of this functionality is to measure and report the signal strength of beacons heard by each Portal
(radio) connected to the switch, periodically. Normally, any given Portal would hear beacons from at most all
the other Portals on its assigned channel. It may also hear beacons from 'nearby' Portals on adjacent channels.
This information will be reported by the switch as a new doubly-indexed table. The primary index is the
PortalIndex of the Portal that heard the beacons. The second index is the PortalIndex of the Portal from which
the beacons were heard. For each such combination, 7 pieces of data are tracked in a cumulative fashion,
(since switch reboot).
To learn more about AP to AP beacon, refer to Chapter 13, Neighboring APs.
1.4.7 DTIM per BSS
This would allow for the setting of the DTIM on a per BSS basis. Each Access Port can run one WLAN for data
devices with DTIM 10 and another WLAN with DTIM 2 for VoIP phones. With this feature, not all the WLANs
need to have a lower DTIM value because that would drastically impact the battery performance of data
devices.
This would involve sending new information elements, while doing a configuration of the Access Port.
The AP policy context will be enhanced to enable the user to set 4 separate DTIM interval values for 4 different
BSSIDs. DTIM value 1 will be used for BSS1, DTIM value 2 for BSS2, and so on. The first DTIM interval value
will also be the default, to be used when the AP does not support setting of DTIM per BSS. This will help the
user to know what DTIM values are actually used, depending on the BSS-ESS mapping, and will be indicated
as such through the user interfaces.
To learn more about DTIM per BSS, refer to Appendix B, DTIM Interval per BSS
1.4.8 WIPS Support
The Wireless Intrusion Prevention System (WIPS) was introduced in 2005 as an overlay system (to the wireless
infrastructure) to provide intrusion detection and prevention services. The system comprises a WIPS server
(typically located at the NOC / Data Center) and the AP300 Access Ports that act as "sensors" and forward all
the necessary traffic to the WIPS server that analyzes the network for any sort of unwanted traffic and protects
against various types of Denial of Service attacks.
The idea of using AP300 is to provide an easy to deploy system for intrusion detection / prevention re-using
existing hardware (typical WIPS systems require a dedicated, expensive sensor). The AP300 needs to be
converted to a "sensor" (with a special Firmware downloaded to it).
WS5000 v2.1 addresses the requirement to integrate the capability of converting a standard AP300 to a sensor
(and back as required) from the switch itself (and not have the administrators use a standalone tool to do
the same).
To learn more about WIPS support, refer to Converting an AP300 into a Sensor on page 15-3.
1.4.9 CPU Temperature Monitoring in WS5000
Some CPU fan failures have been observed in the field; these failures are typically fatal for the processor of
the switch unless rapid servicing of the switch can take place. To assist in the detection of failure-prone
switches, WS5000 Series 2.1 will expose the following information through the different interfaces:
• The CPU temperature
• The CPU fan speed
• The chassis fans
• The Chassis temperature
This information is available via the CLI, SNMP, Applet, and XML interface for the WS5100 platform. This
functionality will also be available for the WS5000 (SME) platform in WS5000 v2.1.
Additionally, to help identify switches that are about to fail, the switch will poll the hardware every 30 seconds.
An event will be generated when threshold values are passed. As for other events, this may result in a syslog
message and/or an SNMP trap depending on the event manager configuration. On the WS5100 platform, this
will also result in an "alert" visual indication on the LEDs.
Refer to Chassis Context on page 8-170 to configure the CPU temperature in WS5000.
1.4.10 Active Primary Revert
Support issuing 'set mode rev', from the "cfg> standby" context with an "Active" Primary. This is needed
for troubleshooting a suspected issue with the Primary "Active" box.
Refer to Standby Context on page 8-273 to configure the Auto Revert feature.
1.4.11 Access Port Ping
This will allow the Admin to ping an Access Port - at Layer 2 (the access port does not support IP). This uses
Symbol's WNMP protocol's Ping Request and Ping Response to check the connectivity between the switch and
the access port.
Refer to rfping in Chapter 9, Service Mode CLI to learn more about rfping.
1.4.12 Upgrade/Downgrade Process
The WS5000 Series Switch provides an autoinstall script that enables you to upgrade to version 2.1
automatically. See Chapter 2, Installing the System Image.
1.5 Other Features
• 1.5.1 AP-4131 Port Conversion on page 19
• 1.5.2 Automatic Channel Select on page 19
• 1.5.3 Event Manager on page 19
• 1.5.4 Hot Standby on page 20
• 1.5.5 Integrated Radius/AAA Server on page 20
• 1.5.6 On-Board DHCP on page 20
• 1.5.7 On-Board KDC on page 22
• 1.5.8 Rogue AP Detection on page 22
• 1.5.9 Simple Network Management Protocol (SNMP) on page 23
• 1.5.10 WTLS VPN on page 23
1.5.1 AP-4131 Port Conversion
You can convert the Symbol AP-4131 model access points to RF Ports for use with the WS5000. The port
conversion enables existing customers to utilize an existing Symbol wireless infrastructure with the WS5000
Series Switch. See Chapter 11, Converting AP-4131 Access Points to RF Ports.
1.5.2 Automatic Channel Select
The Automatic Channel Selection (ACS) feature enables the switch to determine the best radio frequency or
channel for an access port. The switch determines the best channel for each access port through a set of
algorithms that analyze the channels permitted by country regulations and the relative signal strength of each
access port in the wireless coverage area.
Using ACS optimizes channel selection, which is helpful in areas where coverage is dynamic because either
the site itself changes or coverage needs change. As conditions change, ACS is used to adapt and obtain the
best coverage.
1.5.3 Event Manager
An event notification system monitors an administrator-configured set of events in network performance. The
switch uses the Event Notification manager to log and collect application and system events on remote or local
system log (Syslog) collectors or servers.
Events are conditions about which the network administrator should be notified. The network administrator
can configure the switch to send event notifications using SNMP to an SNMP trap server, to the switch local
log, or to a Syslog server. The administrator can select the events to be notified about and the appropriate
severity level.
1.5.4 Hot Standby
You can use the WS5000 Series Switch in the hot standby mode, but when the switch is in this mode it will
not adopt primary access ports. The hot standby system only adopts APs after it detects that the primary
system it monitors failed. The system administrator should export the primary system’s configuration into the
backup switch. After importing, the administrator should place the switch in the backup mode. The backup
switch can monitor only one primary machine at a time.
The hot standby switch adopts the APs defined by the switch policy rules. The primary switch license
determines the number of APs. The primary switch sends the current number of licenses during its regular
communication with the standby switch. The primary switch does not communicate policy configuration
information; the system administrator must manually export or import it. The communication between the
switches is an ongoing process, so if you change the number of active licenses on the primary switch while it
runs, the standby adopts the appropriate number of access ports during a fail-over. For maximum robustness,
it is recommended both primary and standby switches run the same version of the switch.
1.5.5 Integrated Radius/AAA Server
The WS5000 Wireless Switch provides an integrated Radius server as well as the ability to work with external
Radius and LDAP servers to provide user database information and user authentication. Radius configuration
supports:
• Configuring appropriate authentication types
• Configuring Clients
• Configuring External Proxy Servers
• Configuring LDAP Servers
1.5.6 On-Board DHCP
Dynamic Host Configuration Protocol (DHCP) automatically assigns IP addresses to computers using TCP/IP. A
DHCP server assigns addresses to computers configured as DHCP clients.
The DHCP configuration can be done on both ethernet interfaces independently.
1.5.6.1 Configuring DHCP Server using CLI
You must run all DHCP CLI commands in the Configuration.Ethernet.[N] context. Table 1.5 lists
and describes the DHCP commands:
Table 1.5 DHCP CLI Commands

Command
    Description

set dhcpsrv <enable | disable>
    Enables or disables the WS5000 Series Switch’s internal DHCP server (for this NIC).

set dhcp_IP_Range startIP [ endIP ]
    Sets the DHCP server’s IP pool range. If endIP isn’t supplied, the pool consists of the single startIP address.

set dhcp_Static_IP <static_IP_Address> <MAC> <hostname>
    Assigns the static_IP_Address to the device with the given MAC address. The device is also assigned a hostname.

    Enables the DHCP server to recognize DHCP option number code_num. The option takes on the given name and value. Currently, the only types that are recognized are ip-address and text.

set dhcp_DefLease <seconds>
    Sets the DHCP server’s default lease time, in seconds, to seconds.

Note The default lease time is always less than or equal to the maximum lease time. If you set
the default lease time to be greater than the maximum lease time, the maximum lease time is
automatically reset to match the default. Conversely, if you set the maximum lease time to be
less than the default lease time, the default is reset to the (new) maximum.

set dhcp_MaxLease <seconds>
    Sets the DHCP server’s maximum lease time, in seconds, to seconds.

set dhcp_DomainName <domain.suffix>
    Sets the DHCP server’s domain name; for example, “symbol.com”. To clear the domain name, pass a NULL argument.

set dhcp_PriDNS_IP <IP_address>
    Sets the IP address that the DHCP server will use as its primary Domain Name System server. To clear the primary DNS IP, pass a NULL argument.

set dhcp_SecDNS_IP <IP_address>
    Sets the IP address that the DHCP server will use as its secondary Domain Name System server. To clear the secondary DNS IP, pass a NULL argument.

set dhcp_Router_IP <IP_address>
    Sets the IP address that the DHCP server will use as its router. To clear the router IP, pass a NULL argument.

set dhcp_PriVLAN_only <IP_address>
    Serves DHCP requests only on the primary VLAN for the interface.
1.5.6.2 Viewing DHCP Configurations
To view the current DHCP server settings for an Ethernet port, use the show command. The DHCP server
settings are grouped and indented at the end of the output:
WS5100_VPN.(Cfg).Ethernet.[1]> show
DHCP Server details
Configured State : Disable
Status : Disable
Subnet IP : 192.000.000.0
Netmask IP : 255.255.255.0
etc...
1.5.6.3 Importing a dhcpd.conf File
You can use a DHCP configuration file to configure the DHCP servers on the WS5000 Series Switch. The
configuration file must be named dhcpd.conf. To install the file on the switch, use the copy tftp
system command from the Configuration context:
WS5100_VPN.(Cfg)> copy tftp system
Enter the file name to be copied from TFTP server : dhcpd.conf
IP address of the TFTP server : 192.168.xxx.xxx
Copying 'dhcpd.conf' from tftp://192.168.90.158 to Switch...
File: dhcpd.conf copied successfully from 192.168.90.158
Verifying conf file...
Valid conf file format.
The format of the dhcpd.conf file follows the convention declared in RFC 2131 (http://rfc.net/rfc2131.html).
Note When you copy a dhcpd.conf file to the WS5000 Series Switch, the previous
version of the file (on the switch) is overwritten.
1.5.6.4 DHCP Option 60
A feature of DHCP (Option 60) enables a DHCP server to recognize a DHCP client’s equipment identifier, and
assign the device an IP drawn from an equipment-specific set of addresses (an IP pool). DHCP servers that
respond to Option 60 should only use DHCP Option 43 to return vendor-specific information to the DHCP client.
1.5.7 On-Board KDC
The WLAN Switch has an on-board Key Distribution Center (KDC) or Kerberos authentication server. The
WS5000 Series Switch provides a secure means for authenticating users/clients associated to a WLAN or ESS
with the Kerberos security policy applied.
The on-board KDC can be configured to use up to three Network Time Protocol servers (NTPs). A separate
switch with an on-board KDC can be configured as a Slave KDC to support the Master KDC in case of a Master
KDC failure.
1.5.8 Rogue AP Detection
Rogue Access Ports (APs) are an area of concern with respect to LAN security. The term Rogue AP denotes an
unauthorized access port connected to the production network or operating in a stand-alone mode (perhaps in
a parking lot or in a neighbor’s building). Rogue APs are not under the management of network administrators
and do not conform to any network security policies.
Although 802.1x security settings should completely protect the LAN, organizations are not always fully
compliant with the newest wireless-security best practices. In addition, organizations want the ability to
detect and disarm rogue APs. The WS5000 Wireless Switch provides a mechanism for detecting and reporting
rogue APs. See Chapter 7, Configuring Rogue AP Detection.
1.5.9 Simple Network Management Protocol (SNMP)
SNMP defines the method for obtaining information about network operating characteristics as well as router
and gateway behaviors. This application-layer protocol initiates the exchange of configuration and
management information between network devices. The SNMP architecture allows a variety of relationships
among network entities.
The WS5000 Series Switch v2.0 supports SNMP v3.0 as well as SNMP v2.0 and v1.0. To configure SNMP on
the WS5000 Series Switch, see SNMP Context on page 8-258.
The switch GUI and CLI help you enable or disable certain SNMP features. Disabling these features
(“hardening” of the switch) helps manage security. Hardening of the KDC only is also permitted.
SNMP is also managed by the SNMP manager through a third-party SNMP client, software permitting the
manipulation and configuration of SNMP components. There are three elements in this process:
• Management Stations – Software managing SNMP protocol parameters and communicating with SNMP Agents. The SNMP manager is responsible for this element.
• SNMP Agent – Local to the Wireless Switch, this SNMP server provides the network device information. It processes information requests from the SNMP manager via the management station using SNMP.
• Management Information Base (MIB) – The storage area for network-management information. It consists of collections of managed objects, such as SNMP parameters and events. These objects describe the state of a particular network device.
1.5.10 WTLS VPN
Wireless Transport Layer Security (WTLS) is a security level protocol specifically designed to provide
authentication and data integrity for wireless traffic where access devices can change dynamically, such as
when the access port changes because of environmental changes or roaming.
A Virtual Private Network (VPN) is a protected network connection that tunnels through an unprotected
connection. The WS5000 Series Switch uses a VPN connection to protect wireless transmissions on the
untrusted side of the switch.
The WS5000 Series Switch provides WTLS VPN functionality, which includes:
• On Board DHCP server
• On Board VPN server
• Firewall
• NAT
• Twice NAT
For details, see Chapter 12, Configuring the WS5100 WTLS VPN.
Installing the System Image
This chapter describes how to install a new system image with the latest software on the WS5000 Series
Switch. It also guides you through the CLI commands for restoring the site configuration file for the switch.
This chapter contains:
• Before Installing the Image
• Upgrading the Switch Software to 2.1
2.1 Before Installing the Image
Before upgrading the software on the WS5000 Series Switch, verify the current software version and update
path as described in the following section.
Symbol recommends you save the configuration of the system to be upgraded onto the network using the save
configuration command.
Note The WS5000 Series Switch Graphical User Interface does not support this
process.
After you log into the WS5000 series switch, it displays the software version. For example:
user name: cli
Symbol Wireless Switch WS 5000 Series.
Please enter your username and password to access the Command Line
Interface.
userid: admin
password: ******
Retrieving user and system information...
Setting user permissions flags..
Checking KDC access permissions...
Welcome...
Creating the Event list...
System information...
System Name : WS5000
Description : WS5000 Wireless Network Switch
Location :
Software Ver. : 2.1.0.0-xxxR
Licensed to : Symbol Technologies
Copyright : Copyright (c) 2000-2006. All rights reserved.
Serial Number : 00A0F8545254
Number of Licenses : 48
Max Access Ports : 48
Max Mobile Clients : 4096
MU Idle Timeout value : 1800 seconds
Active Switch Policy : symbol2006
Emergency Switch Policy : Not defined
Switch Uptime : 00d:00h:35m
Global RF stats : Disabled
# of Unassigned Access Ports : 0
CLI AutoInstall Status : Enabled
WS5000>
Table 2.1 lists the procedures to upgrade the WS5000 Series Switch to the latest software version (xxx):
Table 2.1 Procedure to Upgrade to 2.1-xxx

| If Your Switch Version is | To Update to 2.1-xxx |
|---|---|
| 2.1.0.0-xxx | Do nothing. The wireless switch software is up to date. |
| 2.0.0.0-xxx | Follow the procedures in Upgrading the Switch from 2.0 to 2.1 on page 2-4. |
| 1.4.3.0-xxx | Follow the procedures in Upgrading the Switch Software to 2.1 on page 2-3. |
| 1.4.2.0-xxx | Follow the procedures in Upgrading the Switch Software to 2.1 on page 2-3. |
| 1.4.1.0.xxx | Follow the procedures in Upgrading the Switch Software to 2.1 on page 2-3. |
| 1.4.0.xxx | Follow the procedures in Upgrading the Switch Software to 2.1 on page 2-3. |
| WS5100 1.1v49 | Follow the procedures in Upgrading the Switch Software to 2.1 on page 2-3. |
| Any other version | Contact your Symbol Support representative. |
2.2 Upgrading the Switch Software to 2.1
The WS5000 Series Switch release 2.1 enables you to upgrade to the 2.1 baseline from the following platforms:
• WS5000 or 5100 running the 2.0/1.4.0/1.4.1.0/1.4.1.1/1.4.2/1.4.3/2.0 baseline.
You can upgrade the switch using the following methods:
• Upgrading Using the CLI on page 2-3
If you encounter an error during the upgrade process, refer to Recovering from Upgrade Errors on page 2-12.
Note There are certain key combinations that might stop the WS5000 Boot Loader
(in 1.4.x.x baseline) so that it accepts user inputs. To avoid this, do not press any key
and do not enable the scroll lock on the serial console window when the upgrade or
downgrade is in progress.
2.2.1 Upgrading Using the CLI
Use either ssh, telnet or a serial access cable to log into the CLI.
The WS5000 Series Switch software package contains:
• vdate — This binary is used to get the firmware version from the DOM. This binary fails to operate over a Simpletech DOM and is used only with a Kouwell DOM.
• dominfo — This binary is used to get the DOM manufacturer information, either Simpletech DOM or Kouwell DOM. This binary is helpful when a Simpletech DOM using the latest firmware is used and vdate fails over it.
• PreUpgradeScript - This script uses dominfo to get the DOM manufacturer's information. Only if the script detects that the DOM is a Kouwell DOM does it call vdate to get the firmware version. The Simpletech DOM, by default, always has the latest firmware.
• WS5000_v2.1.0.0-xxxx.sys.kdi — The image needed for the upgrade.
To upgrade to 2.1 using the CLI, use the following steps:
1. Upgrading the Switch from 2.0 to 2.1.
2. Upgrading the Switch from 1.4.0/1.4.1.0/1.4.1.1/1.4.2/1.4.3 to 2.1
a. Copy the vdate to the switch
b. Copy the dominfo to the switch
c. Copy the PreUpgradeScript to the switch.
Note You must run the PreUpgradeScript before you upgrade the switch. This is valid
only when you upgrade the switch from 1.4.x to 2.1
2.2.1.1 Upgrading the Switch from 2.0 to 2.1
To upgrade from WS5000 2.0 to the WS5000 2.1 baseline:
1. Copy the WS5000_v2.1.0.0-xxxx.sys.img image (using ftp) to the system to be upgraded.
Use the following command under the cfg mode of the CLI:
WS5000.(Cfg)> copy ftp system -u ftpuser -m bin
Enter the file name to be copied from FTP server : WS5000_v2.1.0.0-xxxR.sys.img
IP address of the FTP server : 111.111.111.111
Enter the user password : *******
Copying 'WS5000_v2.1.0.0-xxxR.sys.img' from ftp://111.111.111.111 to Switch...
Data connection mode : BINARY (Connecting as 'ftpuser')
Status : Transfer completed successfully
17091650 bytes received in 10.3 seconds (1666803 bytes/s)
Verifying imagefile...
Valid imagefile. Completing verification.
WS5000.(Cfg)>
2. Run the following command:
WS5000.(Cfg)> restore system WS5000_v2.1.0.0-xxxR.sys.img
This command will reset the system and boot up with the new
restored image.
Do you want to continue (yes/no) : yes
Restoring system image and configuration from WS5000_v2.1.0.0-xxxR.sys.img
It might take a few minutes.......
2.2.1.2 Upgrading the Switch from 1.4.0/1.4.1.0/1.4.1.1/1.4.2/1.4.3 to 2.1
To determine whether your WS5000 Series Switch has the memory required for upgrading to xxx, run the
PreUpgradeScript. If the switch has the memory, the script tells you how to upgrade. If the switch does not have
enough memory, the script enables you to free the memory to upgrade.
To upgrade from WS5000 1.4.0/1.4.1.0/1.4.1.1/1.4.2/1.4.3 to the WS5000 2.1 baseline:
Copy the vdate to the switch
WS5000.(Cfg)> copy ftp system -u ftpuser -m bin
Enter the file name to be copied from FTP server : vdate
IP address of the FTP server : 111.111.111.111
Enter the user password : *******
Copying 'vdate' from ftp://111.111.111.111 to Switch...
Data connection mode : BINARY (Connecting as 'ftpuser')
Status : Transfer completed successfully
202311 bytes received in 0.036 seconds (5.5e+03 Kbytes/s)
WS5000.(Cfg)>
Copy the dominfo to the switch
WS5000.(Cfg)> copy ftp system -u ftpuser -m bin
Enter the file name to be copied from FTP server : dominfo
IP address of the FTP server : 111.111.111.111
Enter the user password : *******
Copying 'dominfo' from ftp://111.111.111.111 to Switch...
Data connection mode : BINARY (Connecting as 'ftpuser')
Status : Transfer completed successfully
48346 bytes received in 0.018 seconds (2.6e+03 Kbytes/s)
WS5000.(Cfg)>
Copy the PreUpgradeScript to the switch.
1. Copy the PreUpgradeScript script using tftp/ftp to the system to be upgraded using the
following command under the cfg mode of the CLI. This example uses ftp.
WS5000.(Cfg)> copy ftp system -u ftpuser -m bin
Enter the file name to be copied from FTP server : PreUpgradeScript
IP address of the FTP server : 111.111.111.111
Enter the user password : *******
Copying 'PreUpgradeScript' from ftp://111.111.111.111 to Switch...
Data connection mode : BINARY (Connecting as 'ftpuser')
Status : Transfer completed successfully
12514 bytes received in 0.021 seconds (5.8e+02 Kbytes/s)
/bin/dedos: line 69: syntax error near unexpected token `dir'
/bin/dedos: line 69: `dedos -R <dir> # recursive from dir'
WS5000.(Cfg)>
Note When ftping the PreUpgradeScript, the switch displays the error messages:
/bin/dedos: line 69: syntax error near unexpected token 'dir'
/bin/dedos: line 69: syntax error near unexpected token 'dir'
Ignore these messages because they do not indicate a problem in ftp'ing the script.
Just verify that the size of the transferred script matches the size of the original file.
2. Enter the CLI service mode:
WS5000.(Cfg)> ..
WS5000> service
Enter CLI Service Mode password: ********
Enabling CLI Service Mode commands...... done.
SM-WS5000>
3. Change the script’s access permissions to make it executable (x):
SM-WS5000> launch -c chmod +x /image/PreUpgradeScript
4. Run the script.
SM-WS5000> launch -c /image/PreUpgradeScript freemem
The script looks for free space on the disk. If it finds the space, it displays the following:
SM-WS5000> launch -c /image/PreUpgradeScript freemem
Verifying dominfo Checksum
dominfo Checksum Verification Passed
checking type of DOM
Showing details of DOM
Model Number______________________: Kouwell DOM
Serial Number_____________________: HyFlash 00003768
Controller Revision Number________: 14/05/02
Able to do Double Word Transfer___: No
Controller buffer size (bytes)____: 512
Transfer Speed____________________: > 10 Mbit/sec
Drive Type________________________: Removable
IORDY Supported___________________: No
Can IORDY be disabled by device___: No
LBA Mode supported________________: Yes
DMA Supported_____________________: No
Number of ECC bytes transferred___: 4
Number of sectors per interrupt___: 1
Number of Cylinders_______________: 980
Number of Heads___________________: 16
Number of Sectors per Track_______: 32
This is a Kouwell DOM which needs to check for the version of
DOM firmware
checking DOM firmware
Verifying vdate Checksum
vdate Checksum Verification Passed
Current Firmware Version
Version Date: 040928b9
Dom Firmware up to date - Done
Finding out the Free Space Needed ... !!
Total Free Space on the System: 150 (in MB)
OK. Required space to do the upgrade exists .. !!
SM-WS5000>
Note While running the PreUpgradeScript, you may encounter two problems.
Scenario 1: The switch may not have enough space to upgrade.
Scenario 2: The switch may ask you to upgrade the DOM firmware before upgrading.
Scenario 1
If there is not enough space for the upgrade procedure, the script displays:
SM-WS5000> launch -c /image/PreUpgradeScript freemem
Verifying dominfo Checksum
dominfo Checksum Verification Passed
checking type of DOM
Showing details of DOM
Model Number______________________: HYPERSTONE FLASH DISK
Serial Number_____________________: HyFlash 00002973
Controller Revision Number________: 14/05/02
Able to do Double Word Transfer___: No
Controller buffer size (bytes)____: 512
Transfer Speed____________________:
Drive Type________________________:
IORDY Supported___________________: No
Can IORDY be disabled by device___: No
LBA Mode supported________________: Yes
DMA Supported_____________________: No
Number of ECC bytes transferred___: 4
Number of sectors per interrupt___: 1
Number of Cylinders_______________: 1004
Number of Heads___________________: 8
Number of Sectors per Track_______: 32
This is a Kouwell DOM which needs to check for the version of
DOM firmware
Checking DOM firmware
Verifying vdate Checksum
vdate Checksum Verification Passed
Current Firmware Version
Version Date: 040928b9
Dom Firmware up to date - Done
Finding out the Free Space Needed ... !!
Total Free Space on the System: 33 (in MB)
Not enough space to continue with upgrade ... !!
NOTE: Freeing up the space makes you committed for upgrade .. !!
Please continue with upgrade after this, as freeing might
make the current system unusable .. !!
Do you want to free some space (y/n):
If the script does not find the required space, it displays:
Do you want to free some space (y/n): y
Trying to find out how much space can be freed .. !!
/image/*.img: File or directory doesn't exist
/image/*.txt: File or directory doesn't exist
/WS5x00Switch/CC/*txt*: File or directory doesn't exist
Image Space 0
Txt Space 0
PG Space 3
Apache Space 7
SNMP Space 2
Log Space 0
Total Space that can be freed : 12
Saving the Configuration before Freeing the space .. !!
Saving wireless network management configuration...
Configuration saved successfully.
Found the space to be freed .. Freeing .. !!
SM-WS5000>
Scenario 2
At times you may also need to update the DOM firmware when the switch fails to run the preupgrade script.
In such a case the script displays:
Note If you do not wish to upgrade the firmware, then you can use the following
CLI command:
launch -c /image/PreUpgradeScript freemem nofwcheck
SM-WS5000> launch -c /image/PreUpgradeScript freemem
Verifying dominfo Checksum
dominfo Checksum Verification Passed
checking type of DOM
Showing details of DOM
Model Number______________________: Kouwell DOM
Serial Number_____________________: HyFlash 00002798
Controller Revision Number________: 01/10/09
Able to do Double Word Transfer___: No
Controller buffer size (bytes)____: 512
Transfer Speed____________________: > 10 Mbit/sec
Drive Type________________________: Removable
IORDY Supported___________________: No
Can IORDY be disabled by device___: No
LBA Mode supported________________: Yes
DMA Supported_____________________: No
Number of ECC bytes transferred___: 4
Number of sectors per interrupt___: 1
Number of Cylinders_______________: 1004
Number of Heads___________________: 8
Number of Sectors per Track_______: 32
This is a Kouwell DOM which needs to check for the version of
DOM firmware
checking DOM firmware
Verifying vdate Checksum
vdate Checksum Verification Passed
Current Firmware Version
Version Date: 011012b9
Need Dom Firmware Upgrade..Aborting upgrade
Please upgrade the DOM Firmware before upgrading
SM-WS5000>
Execute the following steps to upgrade the DOM firmware:
• Copy the WS5k_domfix.cfg file to the switch
SM-WS5000> copy ftp system -u ftpuser -m bin
Enter the file name to be copied from FTP server : WS5k_domfix04.cfg
IP address of the FTP server : 111.111.111.111
Enter the user password : *******
Copying 'WS5k_domfix04.cfg' from ftp://111.111.111.111 to Switch...
Data connection mode : BINARY (Connecting as 'ftpuser')
Status : Transfer completed successfully
12514 bytes received in 0.021 seconds (5.8e+02 Kbytes/s)
/bin/dedos: line 69: syntax error near unexpected token `dir'
/bin/dedos: line 69: `dedos -R <dir> # recursive from dir'
SM-WS5000>
• Enter the CLI service mode and execute the WS5k_domfix.cfg file.
SM-WS5000> exec
Executing CLI Service Mode command file ....
Enter the command file name: WS5k_domfix.cfg
Current firmware version
Version Date: 011012b9
Version Date: 011012b9
Need firmware upgrade
Shutting down Cell controller..
Shutting down snmpd agent.....done.
Shutting down apache server...done.
Shutting down cell controller......done.
Cell controller successfully shut down.
Shutting down database main thread...done.
Resetting the System..
SKDB kernel debugger installed.
SKDB kernel debugger installed.
Configuring ethernet ports ...
Waiting for network elements to get initialized....done.
Flushing stale dns entries......done.
Checking database integrity...done.
Launching auto-configuration procedure...
Waiting for DHCP lease file to be created...
DHCP lease file found.
Begin parsing DHCP lease file...
Results:
--------------------------
TFTP Server :
Command File:
--------------------------
TFTP server option not found.
Exiting auto-configuration...
Starting cell controller....done.
Waiting for the corba file to be created.......done.
Starting apache server in SSL mode...done.
Starting snmpd daemon...done.
SM-WS5000>
5. Copy the WS5000_v2.1.0.0-xxxx.sys.kdi image (using ftp) to the system to be upgraded.
Use the following command under the cfg mode of the CLI:
Note You cannot use tftp to acquire this image because the file size exceeds 32 MB.
SM-WS5000> copy ftp system -u ftpuser -m bin
Enter the file name to be copied from FTP server : WS5000_v2.1.0.0-xxxR.sys.kdi
IP address of the FTP server : 111.111.111.111
Enter the user password : *******
Copying 'WS5000_v2.1.0.0-xxxR.sys.kdi' from ftp://111.111.111.111 to Switch...
Data connection mode : BINARY (Connecting as 'ftpuser')
Status : Transfer completed successfully
39661568 bytes received in 25 seconds (1.5e+03 Kbytes/s)
SM-WS5000>
Note If you do not wish to upgrade the firmware, use the following CLI command:
launch -c /image/PreUpgradeScript upgrade nofwcheck
6. Run the following command:
SM-WS5000> launch -c /image/PreUpgradeScript upgrade
The following details are displayed on your monitor. When the procedure prompts you to “Enter the image
name”, enter WS5000_v2.1.0.0-xxxx.sys.kdi as the image name.
SM-WS5000> launch -c /image/PreUpgradeScript upgrade
Verifying dominfo Checksum
dominfo Checksum Verification Passed
checking type of DOM
Showing details of DOM
Model Number______________________: Kouwell DOM
Serial Number_____________________: HyFlash 00003768
Controller Revision Number________: 14/05/02
Able to do Double Word Transfer___: No
Controller buffer size (bytes)____: 512
Transfer Speed____________________: > 10 Mbit/sec
Drive Type________________________: Removable
IORDY Supported___________________: No
Can IORDY be disabled by device___: No
LBA Mode supported________________: Yes
DMA Supported_____________________: No
Number of ECC bytes transferred___: 4
Number of sectors per interrupt___: 1
Number of Cylinders_______________: 980
Number of Heads___________________: 16
Number of Sectors per Track_______: 32
This is a Kouwell DOM which needs to be checked for the version of
DOM firmware
Checking DOM firmware
Verifying vdate Checksum
vdate Checksum Verification Passed
Current Firmware Version
Version Date: 040928b9
Dom Firmware up to date - Done
Enter the Image Name: WS5000_v2.1.0.0-xxxR.sys.kdi
Verifying Image Checksum
Image Checksum Verification Passed
Saving the Configuration before upgrading
Saving wireless network management configuration...
Configuration saved successfully.
Creating the configuration tar
tar: Removing leading / from absolute path names in the archive.
image/upgrade.cfg
Copying the image
Rebooting the system
Shutting down snmpd agent.....done.
Shutting down apache server...done.
Shutting down cell controller......done.
Shutting down database main thread...done.
Rebooting the switch...
Note You can also provide the image name as a command-line argument to the
PreUpgradeScript. If you do this, the script does not prompt for the image name.
Example:
launch -c /image/PreUpgradeScript upgrade <filename>
The switch reboots three times in approximately five minutes, and then displays the 2.1 image. The image has
the same configuration it had before the upgrade. The serial console displays the system logs.
The logs display the switch passing through each reboot state before it finally displays the 2.1 image. The
telnet or ssh window displays the logs until the switch reboots the first time.
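The note in step 1 asks you to confirm that the size of the transferred script matches the original, and the PreUpgradeScript output reports checksum, DOM firmware and free-space results. As an added example (not Symbol's code), the Python script below, run on the administrator's workstation, audits a captured console session for those conditions; the function names, the sample sessions and the LOCAL_SIZES table are assumptions constructed for illustration.

```python
import re
from typing import Dict, List, NamedTuple, Optional

# Constructed session captures, modelled on the output shown in this section.
GOOD_SESSION = """\
WS5000.(Cfg)> copy ftp system -u ftpuser -m bin
Enter the file name to be copied from FTP server : vdate
Copying 'vdate' from ftp://111.111.111.111 to Switch...
Data connection mode : BINARY (Connecting as 'ftpuser')
Status : Transfer completed successfully
202311 bytes received in 0.036 seconds (5.5e+03 Kbytes/s)
WS5000.(Cfg)> copy ftp system -u ftpuser -m bin
Enter the file name to be copied from FTP server : PreUpgradeScript
Copying 'PreUpgradeScript' from ftp://111.111.111.111 to Switch...
Status : Transfer completed successfully
12514 bytes received in 0.021 seconds (5.8e+02 Kbytes/s)
/bin/dedos: line 69: syntax error near unexpected token `dir'
SM-WS5000> launch -c /image/PreUpgradeScript freemem
Verifying dominfo Checksum
dominfo Checksum Verification Passed
Verifying vdate Checksum
vdate Checksum Verification Passed
Total Free Space on the System: 150 (in MB)
OK. Required space to do the upgrade exists .. !!
"""

# Constructed failure case: short transfer, vdate check never passes, no space.
BAD_SESSION = """\
Copying 'PreUpgradeScript' from ftp://111.111.111.111 to Switch...
Status : Transfer completed successfully
12000 bytes received in 0.021 seconds (5.8e+02 Kbytes/s)
SM-WS5000> launch -c /image/PreUpgradeScript freemem
Verifying dominfo Checksum
dominfo Checksum Verification Passed
Verifying vdate Checksum
Total Free Space on the System: 33 (in MB)
Not enough space to continue with upgrade ... !!
"""

# Sizes of the files on the workstation; in practice use os.path.getsize(path).
LOCAL_SIZES = {"vdate": 202311, "dominfo": 48346, "PreUpgradeScript": 12514}

# Messages this section shows when the script refuses to continue.
BLOCKERS = ("Not enough space to continue with upgrade",
            "Need Dom Firmware Upgrade")

COPY_RE = re.compile(r"^Copying '([^']+)' from ")
BYTES_RE = re.compile(r"^(\d+) bytes received in ")
VERIFY_RE = re.compile(r"^Verifying (\S+) Checksum$")
PASS_RE = re.compile(r"^(\S+) Checksum Verification Passed$")


class Transfer(NamedTuple):
    name: str
    received: Optional[int]  # None when no byte count followed the copy
    completed: bool          # True when the success status line was seen


def parse_transfers(transcript: str) -> List[Transfer]:
    """Pair each "Copying '<file>'" line with its status and byte count."""
    transfers, name, completed = [], None, False
    for line in (raw.strip() for raw in transcript.splitlines()):
        started = COPY_RE.match(line)
        if started:
            if name is not None:  # previous copy ended without a byte count
                transfers.append(Transfer(name, None, completed))
            name, completed = started.group(1), False
        elif name is not None:
            if line == "Status : Transfer completed successfully":
                completed = True
            elif BYTES_RE.match(line):
                size = int(BYTES_RE.match(line).group(1))
                transfers.append(Transfer(name, size, completed))
                name = None
    if name is not None:
        transfers.append(Transfer(name, None, completed))
    return transfers


def unverified_checksums(transcript: str) -> List[str]:
    """Names with a 'Verifying <name> Checksum' line but no matching pass."""
    pending, failed = None, []
    for line in (raw.strip() for raw in transcript.splitlines()):
        check = VERIFY_RE.match(line)
        passed = PASS_RE.match(line)
        if check:
            if pending:
                failed.append(pending)
            pending = check.group(1)
        elif passed and passed.group(1) == pending:
            pending = None
    if pending:
        failed.append(pending)
    return failed


def audit(transcript: str, local_sizes: Dict[str, int]) -> List[str]:
    """Return findings; an empty list means nothing needs attention.
    The /bin/dedos messages are not flagged, as the note above instructs."""
    findings = []
    for t in parse_transfers(transcript):
        want = local_sizes.get(t.name)
        if not t.completed:
            findings.append(f"{t.name}: no successful transfer status")
        if want is None:
            findings.append(f"{t.name}: no local size to compare against")
        elif t.received != want:
            findings.append(
                f"{t.name}: switch received {t.received} bytes, local file is {want}")
    for name in unverified_checksums(transcript):
        findings.append(f"{name}: checksum verification did not pass")
    findings += [f"blocker reported: {m}" for m in BLOCKERS if m in transcript]
    return findings


if __name__ == "__main__":
    for label, session in (("good", GOOD_SESSION), ("bad", BAD_SESSION)):
        print(label, audit(session, LOCAL_SIZES) or "no findings")
```

A size match only shows that the transfer was not truncated; the checksum lines printed by the PreUpgradeScript are the integrity check this procedure provides.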
2.3 Recovering from Upgrade Errors
In the unlikely event that a power failure occurs during the file-writing portion of the upgrade process, the system
may no longer boot. The most likely symptoms would be the system continuously restarting or never showing
any activity on the serial console. Any system with these symptoms will need to be returned to the local
Symbol Service Center for repair. See the Symbol Service Web site
http://www.symbol.com/services/msc/msc.html for RMA procedures.
If a serial console is attached to the system during the software upgrade process and the escape key is pressed
during a specific stage of the process, automatic loading is stopped. If the following message is
displayed for more than 20 seconds, then a key was pressed. This problem can be rectified by pressing the
ENTER key to boot the image.
Note Power cycling the system when any of these screens appears will cause an
unrecoverable error just like a power failure.
GNU GRUB version 0.95 (639K lower / 130048K upper memory)
WS5000-2.x
Use the ^ and v keys to select which entry is highlighted.
Press enter to boot the selected OS, 'e' to edit
the commands before booting, or 'c' for a command-line.
If either of the two messages below is displayed, press the escape key (ESC) to return to the boot selection
screen:
Minimal BASH-like line editing is supported. For the first word,
TAB lists possible command completions. Anywhere else TAB lists
the possible completions of a device/filename. ESC at any time
exits.
grub>
or
kernel (hd0,0)/boot/vmlinuz-2.4.20_mvl31
console=ttyS0,19200 quiet
initrd (hd0,0)/boot/ramdisk.img
2.4 Downgrading from 2.1 to 2.0
1. To downgrade the WS5000 switch from version 2.1 to 2.0, you need to download the
Downgrade2.0.0.0-034R.sys.img image. Follow the steps below to download the image:
WS5000.(Cfg)> copy ftp system -u ftpuser -m bin
Enter the file name to be copied from FTP server : /home/WS5x00Switch/builds/bf-2.1.0.0/R_BF_2.1.0.0-xxxR/downgrade/Downgrade2.0.0.0-034R.sys.img
IP address of the FTP server : 111.111.111.111
Enter the user password : *******
Copying 'Downgrade2.0.0.0-034R.sys.img' from ftp://111.111.111.111 to Switch...
Data connection mode : BINARY (Connecting as 'ftpuser')
Status : Transfer completed successfully
15872271 bytes received in 1.9 seconds (8364374 bytes/s)
Verifying imagefile...
Valid imagefile. Completing verification.
2. Run the following command:
WS5000.(Cfg)> restore system Downgrade2.0.0.0-034R.sys.img
This command will reset the system and boot up with the new
restored image.
Do you want to continue (yes/no) : yes
Restoring system image and configuration from Downgrade2.0.0.0-034R.sys.img
It might take a few minutes.......
2.5 Downgrading from 2.1 to 1.4.3/1.4.2/1.4.1/1.4.0
You can downgrade a switch running the WS5000 Series Switch 2.1 image to one of the
following versions:
• WS5000 Series Switch 1.4.0.0 (026R)
• WS5000 Series Switch 1.4.1.0 (014R)
• WS5000 Series Switch 1.4.1.1 (009R)
• WS5000 Series Switch 1.4.2.0 (005R)
• WS5000 Series Switch 1.4.3.0 (012R)
Note Save the current system configuration and image files on the network before
downgrading because after you downgrade the switch, it uses the default
configuration settings and the downgraded image files.
After you downgrade from 2.1 to 1.4.3/1.4.2/1.4.1/1.4.1/1.4.0 WS5000 Series Switch, the switch obtains the
following files:
• Running the PreDowngrade Script
• Running the Downgrade.exe Script
• Downgrading the Image Version.
2.5.1 Running the PreDowngrade Script
To check that the system has sufficient memory for the downgrade, run the PreDowngrade script.
1. Copy the PreDowngrade script to the switch using copy ftp/tftp command:
copy ftp system -u <user_name> -m bin
2. Enter the PreDowngrade script filename, IP Address, and password at the system prompt.
The switch downloads the PreDowngrade script.
3. Log into the service mode CLI using service command from the cfg context (under system context).
4. Run the following service mode CLI command:
exec <CR>
Executing CLI Service Mode command file ....
Enter the command file name: PreDowngrade.exe
This script determines whether the switch has the memory required for the downgrade. If the memory
is not sufficient, the script provides an option to free the memory needed. If it does not find the required
memory to be freed, it stops and displays an error message.
Note If you use the PreDowngrade.exe script to release memory, you must
proceed with the downgrade.
Example
WS5000.(Cfg)> copy ftp system -u ftpuser -m bin
Enter the file name to be copied from FTP server : /home/WS5x00Switch/builds/bf-2.1.0.0/R_BF_2.1.0.0-xxxR/downgrade/PreDowngrade.exe
IP address of the FTP server : 111.111.111.111
Enter the user password : *******
Copying 'PreDowngrade.exe' from ftp://111.111.111.111 to Switch...
Data connection mode : BINARY (Connecting as 'ftpuser')
Status : Transfer completed successfully
1059 bytes received in 0.0232 seconds (45617 bytes/s)
WS5000.(Cfg)>
2.5.1.1 Executing the Predowngrade Script
You have to execute the predowngrade script from the service mode. The example below shows how to
execute the predowngrade script.
WS5000> service
Enter CLI Service Mode password: ********
Enabling CLI Service Mode commands...... done.
SM-WS5000> exec
Executing CLI Service Mode command file ....
Enter the command file name: PreDowngrade.exe
Finding out the Free Space Needed ... !!
Total Free Space on the System: 101 (in MB)
OK. Required space to do the downgrade exists .. !!
SM-WS5000>
2.5.2 Running the Downgrade.exe Script
After you verify the switch has enough memory for the downgrade, run the Downgrade.exe script as follows:
1. Copy the Downgrade.exe and Downgrade<x.x.x.x-xxxR>.image files to the switch using the copy ftp system
command:
copy ftp system -u <user_name> -m bin
2. Enter the Downgrade.exe filename, IP Address, and password at the system prompt.
3. Log into the service mode CLI using service command from the cfg context (under system context).
4. Run the following service mode CLI command:
exec <CR>
Executing CLI Service Mode command file ....
Enter the command file name: Downgrade.exe
5. Enter Downgrade<x.x.x.x-xxxR>.image as the image filename (<x.x.x.x-xxxR> corresponds to the
version to which you downgrade the switch from 2.0).
The switch is downgraded to the corresponding version.
Example
SM-WS5000> copy ftp system -u ftpuser -m bin
Enter the file name to be copied from FTP server : /home/WS5x00Switch/builds/bf-2.1.0.0/R_BF_2.1.0.0-xxxR/downgrade/Downgrade.exe
IP address of the FTP server : 111.111.111.111
Enter the user password : *******
Copying 'Downgrade.exe' from ftp://111.111.111.111 to Switch...
Data connection mode : BINARY (Connecting as 'ftpuser')
Status : Transfer completed successfully
3500535 bytes received in 0.447 seconds (7823770 bytes/s)
SM-WS5000>
2.5.3 Downgrading the Image Version
1. Copy the Downgrade<version>.image file to the switch using the copy ftp system command:
copy ftp system -u <user_name> -m bin
2. Enter the Downgrade<version>.image filename, IP Address, and password at the system prompt.
3. Log into the service mode CLI using the service command from the cfg context (under system context).
4. Enter Downgrade<x.x.x.x-xxxR>.image as the image filename (x.x.x.x-xxxR corresponds to the
version to which you downgrade the switch from 2.1).
5. Run the following service mode CLI command:
exec Downgrade<x.x.x.x-xxxR>.image
The switch is downgraded to the corresponding version.
Example
SM-WS5000> copy ftp system -u ftpuser -m bin
Enter the file name to be copied from FTP server : /home/WS5x00Switch/builds/bf-2.1.0.0/R_BF_2.1.0.0-xxxR/downgrade/Downgrade1.4.0.0-026R.image
IP address of the FTP server : 111.111.111.111
Enter the user password : *******
Copying 'Downgrade1.4.0.0-026R.image' from ftp://111.111.111.111 to Switch...
Data connection mode : BINARY (Connecting as 'ftpuser')
Status : Transfer completed successfully
25608008 bytes received in 8.56 seconds (2990804 bytes/s)
SM-WS5000>
2.5.3.1 Executing the Downgrade Script
You have to execute Downgrade.exe from the service mode. The example below shows how to
execute the Downgrade script.
SM-WS5000> exec
Executing CLI Service Mode command file ....
Enter the command file name: Downgrade.exe
Enter the Image Name: Downgrade1.4.0.0-xxxR.image
Verifying Image Checksum
Image Checksum: 60504983eac60093823e2c890ef0143b
Image Checksum Saved: 60504983eac60093823e2c890ef0143b
Image Checksum Verification Passed
Moving the Boot Loader !!!
Moving the Kernel !!!
Moving the Initrd !!!
Moving the Scripts !!!
GNU GRUB version 0.95 (640K lower / 3072K upper memory)
[ Minimal BASH-like line editing is supported. For the first
word, TAB
lists possible command completions. Anywhere else TAB lists the
possible
completions of a device/filename. ]
grub> root (hd0,0)
Filesystem type is ext2fs, partition type 0x83
grub> setup --stage2=/boot/grub/stage2 --prefix=/boot/grub (hd0)
Checking if "/boot/grub/stage1" exists... yes
Checking if "/boot/grub/stage2" exists... yes
Checking if "/boot/grub/e2fs_stage1_5" exists... yes
Running "embed /boot/grub/e2fs_stage1_5 (hd0)"... failed (this is
not fatal)
Running "embed /boot/grub/e2fs_stage1_5 (hd0,0)"... failed (this
is not fatal)
Running "install --stage2=/boot/grub/stage2 /boot/grub/stage1 hd0)
/boot/grub/stage2 p /boot/grub/menu.lst "... succeeded
Done.
grub> reboot
Creating License Tar File !!!
Rebooting
Rebooting the switch...
Shutting down dhcp daemon.. done
Shutting down apache server in the SSL mode...done.
Shutting down cell controller........ done
Shutting down snmpd agent...done.
Shutting down Postgres....done.
Configuring the WS5000 Series Switch Automatically
There are two types of auto-install to configure the WS5000 Series Switch automatically:
1. DHCP Auto-install, performed as a part of WS5000 boot process
2. Manual Auto-install, performed by executing a CLI command. This requires a reboot.
3.1 DHCP Auto-install
To configure the WS5000 Series Switch automatically, you need:
• An external TFTP server – The switch obtains the IP address of this server through DHCP and stores it in
the returned DHCP lease file.
• A command file – This is an ASCII text file that contains site-specific settings for the WS5000 Series
Switch (the filename must end with a .sym suffix). The switch obtains this filename through DHCP and
stores it in the returned DHCP lease file.
After the configuration file name is extracted from the DHCP lease file, the switch downloads the file,
parses it, and configures itself.
3.2 Command File
The command file option specifies a valid filename for an ASCII text format file that exists on the TFTP server.
It contains site-specific settings for the wireless switch. The command file (see Command File Example on
page 3-8) directs the switch to perform the following remote configuration functions:
• Load a new wireless switch configuration file
• Reconfigure the Ethernet IP, DNS, gateway, and DHCP settings on the switch
• Reconfigure the master and slave Kerberos settings.
• Manually or automatically update Kerberos user database entries, with automatic propagation to the
slave KDC, if present
• Enable or disable “hot standby” mode on the switch
• Optionally provide status and error logging of the automatic configuration operations
• Reconfiguration of the Primary and Standby settings
• Reconfiguration of Master and Slave Kerberos settings.
Several site-specific settings are available in the command file. The settings available in the command file
include:
• Automatic installation command event logging
• Automatic installation command file TFTP server
• Automatic installation command file network
3.3 Command File Description
The command file is an ASCII text file that contains case sensitive letters, digits, and the underscore ( _ )
character. The command file name uses the .sym extension. The command file contains all options necessary
to perform a limited switch configuration or reconfiguration.
When the system parses this file, it ignores any option that it does not understand. The switch keeps the
current configuration for that specific option unchanged. The following lines are considered equivalent.
#<option> <value>
<option> #<value>
<option> #some comment
All values of the command file are case insensitive except for SNMP community strings, domain names,
realms, and filenames. The system converts the hostname value into lowercase even when specified using a
combination of lower/upper case. The command file option items do not have to be in any sequential order.
A template of the command file, called cmd_template.sym, is available and located on the WS5000
Wireless Switch system CD. Copy this file to a local host computer, then edit, save and rename it to serve as
a command file (the .sym extension is required for the command file to be recognized by the wireless switch).
Save the file to the system used to configure the wireless switch. Use the CLI copy tftp system command (see
the copy command in Chapter 8, CLI Command Reference) to copy the command file from the host computer
to the switch.
The command file example shows the configuration of most options (see Command File Example on page 3-8).
Note The command file is not invoked automatically using this method. The correct
method is to use the DHCP option to send the file to the switch.
3.3.1 Event Logging
The service option is a setting to turn on or off the logging feature, which pushes auto-installation event
messages to a log file named CmdProcErrors.txt. This error log file is automatically generated in the same
directory as the system image/configuration/command files if logging is turned on.
These log messages are generated when events such as firmware/configuration upgrades/downgrades occur,
and/or the command file contains errors such as improper syntax, files that are not present on specified TFTP
server, etc.
Table 3.1 Event Logging (Service) Section
Option <Value>
    Notes
AutoConfig Log <on|off>
    This selection allows the user to enable or disable the use of the logging facility. The default is on.
3.3.2 TFTP Server Settings
This section specifies the location of the TFTP server used for downloads and the names of the system image,
configuration and Kerberos files that need to be downloaded. These settings are used when upgrading/
downgrading firmware, changing configuration files or updating the user database of the Wireless Switch’s
built-in Kerberos KDC.
Table 3.2 TFTP Server (Files to Download) Section
Option <Value>
    Notes
TFTP Server <xxx.xxx.xx.xx>
    This is the TFTP server from where the configuration file, the image file, and the Kerberos file are
    downloaded. If the TFTP server is not specified, it is assumed that the user downloaded these files
    manually via CLI copy command or the auto install will look for them in the Wireless Switch.
ImageRestore <image file(.sys.img)>
    If the revision levels are different, then the image file will be downloaded from the TFTP server.
    After this step has completed successfully, the switch will perform a reset and continue to reboot
    with the most recent (and valid) system image available. If any error occurred during the file
    processing, the firmware will not be upgraded and an error message will be logged.
ConfigFile <config_name (.cfg)>
    This is the name of a WS5000 Series Switch configuration. This file is downloaded automatically from
    a specified TFTP server or through the CLI copy command.
    If the file is not found, or if there were errors during the TFTP download, the installation software
    will abort the configuration immediately and exit. This is considered a fatal error and any locally
    specific configurations should not be applied as well since they can be interrelated to the general
    configuration settings. The IP address of the WS will also remain unchanged. The file name is case
    sensitive.
KerberosFile <kerberos_name (.krb)>
    This is the name of a Kerberos username/password (Kerberos MIT DB file format) file and it is used to
    configure the primary Kerberos database of the on board KDC server. The database is completely
    flushed before the new principals are added.
    If an error occurs during the file downloading or processing, the installation software logs an error
    message and skips the Kerberos configuration. The installation software tries to find the file in the
    Wireless Switch.
    If it is not there, it logs an error message and continues. Once a Kerberos DB .krb file is provided
    for download and installation, this new file replaces the current database file. There is no
    automatic attempt to save the previous copy of this file on the master KDC. The file name is case
    sensitive.
3.3.3 General Network Configuration and Standby Management
Configure the network settings in this section, such as enabling/disabling DHCP, setting subnet masks, DNS
servers and gateway settings. When the switch’s Standby Management capability is used, configure the
settings for enabling/disabling Standby Management, and assigning hostnames and IP addresses to the
Ethernet interfaces of the Primary and Standby wireless switches.
Utilizing the Standby Management feature requires a pair of switches. Settings for both types (Primary and
Standby) are in the command file so that a single file can be used at a site to install both the Primary and
Standby switch. When a switch begins Standby configuration, it pings the Primary switch’s IP address, as
specified in the command file. If it does not receive a response, it assumes the role of Primary as long as it
does not have a zero-port license key. The second switch will subsequently configure itself as the Standby
switch.
Warning! A WS5000 model switch cannot be configured as a standby for a
WS5100 model switch.
Table 3.3 General Network Configuration and Standby Management
Option <Value>
    Notes
Eth1DNSServer1 <ip_address>
Eth1DNSServer2 <ip_address>
Eth2DNSServer1 <ip_address>
Eth2DNSServer2 <ip_address>
    DNS server configuration for each interface. Users can configure up to two DNS servers per interface.
    If it is not supplied, the DHCP configuration will be kept.
Eth1SubnetMask <ip_subnet_mask>
    Subnet mask for Ethernet port 1.
Eth2SubnetMask <ip_subnet_mask>
    Subnet mask for Ethernet port 2.
    If an Ethernet port's IP address is specified without an associated subnet mask, an error is logged
    and the network configuration is not completed.
Eth1Domain
    Domain name for Ethernet port 1.
Eth2Domain
    Domain name for Ethernet port 2.
Eth1DHCP
    Indicates whether DHCP is on/off for Ethernet port 1.
Eth2DHCP
    Indicates whether DHCP is on/off for Ethernet port 2.
    If DHCP is on for an interface, all IP settings provided in the command file will be ignored and the
    interface will be configured as a DHCP client.
    Note DHCP can only be enabled on a single interface at a time.
Gateway
    Default gateway. There should only be one value since the switch currently does not allow gateway
    settings per interface. If this configuration is not specified, the DHCP settings apply.
HostnamePrimary
    Hostname of Primary switch.
HostnameStandby
    Hostname of Standby switch.
Eth1PrimaryIP
    IP address of Primary switch.
Eth2PrimaryIP
    IP address of Primary switch.
Eth1StandbyIP
    IP address of Standby switch.
Eth2StandbyIP
    IP address of Standby switch.
    If these IP addresses are not specified in the command file, the DHCP settings are kept. When an
    image upgrade is performed, it will not change the existing Ethernet configuration.
StandbyMgt
    Indicates whether Standby Management is on/off (enabled/disabled).
    If enabled, the installation software queries the database for the number of licenses. If the switch
    is able to acquire a license, it may become a Primary switch. If no license is available, it can only
    be considered as a Standby switch.
3.3.4 Kerberos Configuration
The Wireless Switch features a built-in Kerberos KDC for authentication services; a site may require settings
for configuring Kerberos functionality. The settings in the command file for configuring the KDC include primary
or slave status, hostname, IP address, realm and domain. When applicable, up to three NTP (Network Time
Protocol) servers can be specified. A list of all available Kerberos actions is included in the command file.
Table 3.4 Kerberos Configuration Section
Option <Value>
    Notes
NTPServer1 <NTP xxx.xxx.xx.xx>
    NTP server IP address (for the on-board KDC server). The primary and standby switches need to be
    defined with the same NTP service host to ensure that the time source is consistent.
NTPServer2 <NTP xxx.xxx.xx.xx>
    Second alternate NTP server IP address.
NTPServer3 <NTP xxx.xxx.xx.xx>
    Third alternate NTP server IP address or name.
KDCRealm <KDC realm name>
    Kerberos realm name
KDCInterface <KDC interface name>
    The interface on which the KDC is configured (1 or 2).
KDCBackupHostname <xxx.xxx.xx.xx>
    Hostname of the backup slave.
KDCBackupIP <xxx.xxx.xx.xx>
    IP address for the backup slave. If this IP address belongs to any of the ethernet ports and the
    hostnames match, the switch is configured as a slave KDC.
KDCBackupDomain <server name>
    Kerberos Master Hostname where the KDC resides.
Note All Security Policies which are configured for Kerberos Authentication will automatically
be populated with the Master/Slave/Remote server’s IP addresses if present in this file.
3.3.5 SNMP Configuration
The SNMP section of the command file contains settings for community attributes and trap actions, used by
SNMP-based network management tools to get/set MIB variables to configure the Wireless Switch along with
gathering and monitoring device status.
Table 3.5 SNMP Configuration
Option <Value>
    Notes
SNMPCommunity[1-4] <string>
    This is the SNMP community for the designated group selection of [1..4]
SNMPCommunity[1-4]IP <ip_address>
    SNMP community IP address.
SNMPCommunity[1-4]Perm <RO | RW permissions>
3.3.6 Syslog Configuration
The syslog section of the command file contains settings for adding syslog hosts to which log messages will
be sent. It also allows specifying the severity level for the log messages.
Table 3.6 Syslog Configuration
Option <Value>
    Notes
SyslogHostname[1-2] <host_name>
    Host name of the syslog collector
SyslogIP[1-2] <ip_address>
    IP address of the syslog collector
SyslogSev[1-2] <severity numbers from 1 to 8>
    Severity level for syslog logging
3.3.7 CLI Commands
In this section you can place any CLI command. There is no limit on the number of commands that you can place
here. Each CLI command should be placed in the file at the CLI# prompt, as mentioned in the CLI Section of
the attached cmd_template.sym file. For example, after execution of the command
CLI#cfg ce add testce
the current context will be
WS5000.(Cfg).CE.[testce]>
To execute some other command, make sure you go to the context of that command. This can be done using the
same CLI commands. For example, to go to the cfg context after executing the above command, use
the following lines in the .sym file:
CLI#..
CLI#..
This will take you to the WS5000.(Cfg)> context.
This way you can execute any number of CLI commands by placing each command on a separate line at the
CLI# command prompt. Before placing any CLI command, ensure that you are at the correct context level for the
command that you are executing. This context is determined by the execution of the previous command.
The context of the very first command that you execute in the CLI section is the System context:
WS5000>
This is an optional section in the .sym file and can be omitted.
3.3.7.1 Command File Example
The following command file example shows the configuration of several options in the WS5000 Series
Switch’s command file.
You can use the same command file to configure both a primary wireless switch and an associated standby
wireless switch.
Figure 3.1 Example
#############################################################################
#
# Copyright (c) 2005, Symbol Technologies, Inc.
# All rights reserved.
#
# cmd_template.sym file
#
# This is a template file to illustrate the format of auto configuration command files.
# The command file must end with the .sym extension and contain options to
# perform switch configuration. The format of the file is as follows:
#
#     <option> <value> #comment
#
# Each line is composed of an option name and its value. All options are
# case sensitive.
#
# When this file is parsed, any option that is not found or has no value is ignored,
# which means that the switch will keep the current configuration for this option
# unchanged. The following lines are considered equivalent.
#
#     #<option> <value>
#     <option> #<value>
#     <option> #some comment
#
#############################################################################
#############################################################################
# SECTION: Special Options
#
#############################################################################
AutoConfigLog           #on/off: Log errors and events to CmdProcErrors.txt
                        #Default is 'on'.
#############################################################################
# SECTION: Files to download
#
#############################################################################
TFTPServer              #tftp server where files are located
ImageRestore            #image file (.sys.img)
ConfigFile              #configuration file (.cfg)
KerberosFile            #kerberos username/passwd (.krb)
#############################################################################
# SECTION: General Network Configuration and Standby Management
#
#############################################################################
#
# DNS configuration
#
Eth1DNSServer1          #dns server
Eth1DNSServer2          #dns server
Eth2DNSServer1          #dns server
Eth2DNSServer2          #dns server
#
# Switch configuration
#
Eth1SubnetMask          #subnet mask
Eth2SubnetMask          #subnet mask
Eth1Domain              #domain name
Eth2Domain              #domain name
Eth1DHCP                #on/off
Eth2DHCP                #on/off
Gateway                 #default gateway
#
# Primary IP configuration
#
HostnamePrimary         #Hostname of primary CC
Eth1PrimaryIP           #ip address of primary CC
Eth2PrimaryIP           #ip address of primary CC
#
# Standby IP configuration
#
HostnameStandby         #Hostname of standby CC
Eth1StandbyIP           #ip address of standby CC
Eth2StandbyIP           #ip address of standby CC
#
# Enable or disable the standby management
#
StandbyMgt              #on/off
#############################################################################
# SECTION: Kerberos Configuration
#
#############################################################################
#
# NTP server configuration
#
NTPServer1              #NTP server 1
NTPServer2              #NTP server 2
NTPServer3              #NTP server 3
#
# Kerberos Master and Slave configuration
#
KDCRealm                #kerberos realm
KDCInterface            #Interface on which KDC is configured (1 or 2)
#
# Add a remote backup master
# (excluding the main Master/Primary & Slave/Standby from above)
#
KDCBackupHostname       #Hostname of the backup slave
KDCBackupIP             #IP address of backup slave
KDCBackupDomain         #Domain of the backup slave
#
# NOTE: All Security Policies which are configured for Kerberos Authentication
#       will automatically be populated with the Master/Slave/Remote servers IP
#       addresses if present in this file.
#
#############################################################################
# SECTION: SNMP Configuration
#
#############################################################################
#
# SNMP community attributes
#
SNMPCommunity1          #SNMP community name
SNMPCommunity1IP        #IP address for the community
SNMPCommunity1Perm      #RO/RW: Access permissions
SNMPCommunity2          #SNMP community name
SNMPCommunity2IP        #IP address for the community
SNMPCommunity2Perm      #RO/RW: Access permissions
SNMPCommunity3          #SNMP community name
SNMPCommunity3IP        #IP address for the community
SNMPCommunity3Perm      #RO/RW: Access permissions
SNMPCommunity4          #SNMP community name
SNMPCommunity4IP        #IP address for the community
SNMPCommunity4Perm      #RO/RW: Access permissions
#
# SNMP Traps
#
SNMPCommunity1Trap      #SNMP community trap
SNMPCommunity1TrapIP    #SNMP community trap IP
SNMPCommunity2Trap      #SNMP community trap
SNMPCommunity2TrapIP    #SNMP community trap IP
SNMPCommunity3Trap      #SNMP community trap
SNMPCommunity3TrapIP    #SNMP community trap IP
SNMPCommunity4Trap      #SNMP community trap
SNMPCommunity4TrapIP    #SNMP community trap IP
#############################################################################
# SECTION: SYSLOG Configuration
#
#############################################################################
#
# Syslog severities
#
# Name         Number
#----------    -------
# Emergency    1
# Alert        2
# Critical     3
# Error        4
# Warning      5
# Notice       6
# Info         7
# Debug        8
#
# Syslog host 1
#
SysLogHostname1         #Hostname of syslog collector
SysLogIP1               #IP address of syslog collector
SysLogSev1              #Enter a list of severity numbers
                        #separated by white spaces EX: 2 3 6 8
#
# Syslog host 2
#
SysLogHostname2         #Hostname of syslog collector
SysLogIP2               #IP address of syslog collector
SysLogSev2              #Enter a list of severity numbers
                        #separated by white spaces EX: 2 3 6 8
#
# CLI Commands Section
#
#Example CLI Commands
CLI#
CLI#
CLI#
CLI#
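The parsing rules of section 3.3 and the constraints stated in Tables 3.3, 3.5 and 3.6, as an added example (not Symbol's code and not part of the original guide): a Python pre-flight check to run on a .sym file before it is placed on the TFTP server. The sample file and every value in it are constructed; the cleartext-secret and CLI-command findings are added review checks, not behaviour of the switch.

```python
import re

# Option names from the cmd_template.sym listing and the upgrade name-value
# pairs on this page. Option names are case sensitive.
KNOWN = {"AutoConfigLog", "TFTPServer", "ImageRestore", "ConfigFile",
         "KerberosFile", "Gateway", "HostnamePrimary", "HostnameStandby",
         "StandbyMgt", "KDCRealm", "KDCInterface", "KDCBackupHostname",
         "KDCBackupIP", "KDCBackupDomain", "FTPServer", "FTPUser",
         "FTPPassword", "UpgradeFile"}
KNOWN |= {f"Eth{i}{s}" for i in (1, 2) for s in (
    "DNSServer1", "DNSServer2", "SubnetMask", "Domain", "DHCP", "PrimaryIP", "StandbyIP")}
KNOWN |= {f"NTPServer{i}" for i in (1, 2, 3)}
KNOWN |= {f"SNMPCommunity{i}{s}" for i in range(1, 5)
          for s in ("", "IP", "Perm", "Trap", "TrapIP")}
KNOWN |= {f"SysLog{s}{i}" for i in (1, 2) for s in ("Hostname", "IP", "Sev")}
SUFFIX = {"ImageRestore": ".sys.img", "ConfigFile": ".cfg", "KerberosFile": ".krb"}


def parse_sym(text):
    """Return (options, cli_commands, ignored_option_names)."""
    options, cli, ignored = {}, [], []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("CLI#"):            # CLI section: rest is the command
            if line[4:].strip():
                cli.append(line[4:].strip())
            continue
        parts = line.split("#", 1)[0].split(None, 1)   # '#' starts a comment
        if len(parts) < 2:                     # blank, comment, or option with no value
            continue
        name, value = parts[0], parts[1].strip()
        if name in KNOWN:
            options[name] = value
        else:
            ignored.append(name)               # the switch skips unknown options
    return options, cli, ignored


def audit(options, cli):
    """Return (severity, message) findings for a parsed command file."""
    out = []
    on = lambda key: options.get(key, "").lower() == "on"
    if on("Eth1DHCP") and on("Eth2DHCP"):
        out.append(("error", "DHCP is on for both ports; only one may use it"))
    for i in (1, 2):
        static = any(f"Eth{i}{role}IP" in options for role in ("Primary", "Standby"))
        if static and on(f"Eth{i}DHCP"):
            out.append(("warn", f"Eth{i}DHCP is on, so Eth{i} IP settings are ignored"))
        elif static and f"Eth{i}SubnetMask" not in options:
            out.append(("error", f"Eth{i} IP address given without Eth{i}SubnetMask"))
    for name, suffix in SUFFIX.items():
        if name in options and not options[name].endswith(suffix):
            out.append(("warn", f"{name} does not end with {suffix}"))
    for i in range(1, 5):
        perm = options.get(f"SNMPCommunity{i}Perm", "").upper()
        if perm and perm not in ("RO", "RW"):
            out.append(("error", f"SNMPCommunity{i}Perm must be RO or RW"))
        elif perm == "RW":
            out.append(("review", f"SNMPCommunity{i} grants read-write access"))
    for i in (1, 2):
        sev = options.get(f"SysLogSev{i}", "").split()
        if any(not re.fullmatch("[1-8]", s) for s in sev):
            out.append(("error", f"SysLogSev{i} has a value outside 1-8"))
    # Added checks, not behaviour of the switch: the file travels over TFTP,
    # which has no authentication or encryption, so list what it exposes.
    secrets = sorted(k for k in options
                     if k == "FTPPassword" or re.fullmatch(r"SNMPCommunity\d", k))
    if secrets:
        out.append(("review", "cleartext secrets in file: " + ", ".join(secrets)))
    if cli:
        out.append(("review", f"{len(cli)} CLI command(s) will run on the switch"))
    return out


SAMPLE = """\
# Constructed sample for this example, not a file from the guide
AutoConfigLog   on            #log to CmdProcErrors.txt
TFTPServer      192.0.2.10
ConfigFile      site42.cfg
ImageRestore    #ws.sys.img   value commented out, option ignored
#KerberosFile   users.krb     whole line commented out
Eth1DHCP        on
Eth2PrimaryIP   198.51.100.5  #no Eth2SubnetMask supplied
SNMPCommunity1  netops
SNMPCommunity1Perm RW
SysLogSev1      2 3 9
FTPPassword     example-only
BogusOption     1
CLI#cfg ce add testce
CLI#..
CLI#..
"""

if __name__ == "__main__":
    opts, cmds, skipped = parse_sym(SAMPLE)
    for severity, message in audit(opts, cmds):
        print(f"{severity:6} {message}")
```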
3.4 Upgrading Using AutoInstall
This section describes how to upgrade to 2.1 using the autoinstall procedure.
3.4.1 Using AutoInstall to Upgrade from 2.0 to 2.1
1. Copy the new image (WS5000_v2.1.0.0-xxx.sys.img) to the TFTP Server.
2. Change the parameters in the cmd_template as mentioned below:
TFTPServer <IP address of the TFTP Server>
ImageRestore <System image filename *.sys.img>
3. Reboot the Switch. As part of the boot up process, the auto-install will begin and the TFTP Server should
supply the new sys.img file.
If all the above parameters are correct, the upgrade will be performed successfully. It is advised the template
file be edited and checked before starting the auto-install process.
Note The following files must be available on the TFTP server before beginning the upgrade process
using Auto Install:
WS5000_v2.0.0.0-034R.sys.img (should be in the TFTP server)
Cmd_template.sym (Should be in the TFTP Server)
3.4.2 Using AutoInstall to Upgrade from 1.4.X.X / 1.4.1.0 / 1.4.1.1 / 1.4.2 / 1.4.3 to 2.1
To upgrade the switch from 1.4/1.4.1.0/1.4.1.1/1.4.2/1.4.3/Mantis to 2.1 using the automatic installation:
1. Copy the patch supplied to the switch:
copy ftp system -u <user_name>
2. Enter the patch filename, IP Address, and password at the system prompt.
The switch downloads the patch file specified.
3. Log into the service mode CLI using the service command from the system context.
4. Run the following service mode CLI command:
exec
5. Enter the patch filename when the system prompts. The switch installs the patch file.
6. Before the reboot, ensure that the FTP root directory contains the following:
• PreUpgradeScript
• vdate
• dominfo
• WS5000_v2.1.0.0-xxx.sys.kdi
7. Reboot the switch.
As part of the boot up process, the auto-install begins.
The DHCP server provides the TFTP server IP and command filename. The command file is present on the TFTP
server and it should contain the following name-value pairs for the upgrade.
FTPServer <ftp_server_ip_address>
FTPUser <ftp_user_name>
FTPPassword <ftp_user_password>
UpgradeFile <upgrade_file_name_present_on_the_ftp_server>
The upgrade file is the .sys.kdi file in the ftp user home directory on the ftp server.
If you enter all of these parameters, the switch upgrades successfully.
3.4.3 Using AutoInstall to Upgrade From WS5000 Series Switch Build 49
To upgrade from WS5000 Series Switch to 2.1 as part of Auto-install:
1. Copy the patch supplied to the switch running WS5000 Series Switch (build 49):
copy ftp system -u <user_name>
2. Enter the patch filename, IP Address, and password at the system prompt.
The switch downloads the patch file specified.
3. Log into the service mode CLI using the service command from the cfg context (under system context).
4. Run the following service mode CLI command:
patch <patch_file>
5. Enter the patch filename when the system prompts. The switch installs the patch file.
6. Before the reboot, ensure that the FTP root directory contains the following:
• PreUpgradeScript
• vdate
• dominfo
• WS5000_v2.1.0.0-xxx.sys.kdi
7. Reboot the switch.
As part of the boot up process, the auto-install begins.
The DHCP server provides the TFTP server IP and command filename. The command file is present on the TFTP
server and it should contain the following name-value pairs for the upgrade.
FTPServer <ftp_server_ip_address>
FTPUser <ftp_user_name>
FTPPassword <ftp_user_password>
UpgradeFile <upgrade_file_name_present_on_the_ftp_server>
The upgrade file is the .sys.kdi file in the ftp user home directory on the ftp server.
If you enter all of these parameters, the switch upgrades successfully.
3.4.3.1 Installing the Patch File Automatically
You can install the patch files used during the upgrade procedure either manually or automatically using the
Expect program as described below:
Before you run the automatic patch file installation, check that you have:
• A Linux machine with the Expect program installed.
• Telnet or SSH enabled on the WS5000 Series Switch.
There is no need to have a patch update for WS5000 from version 2.0 to 2.1.
Installing the Patch File in 2.1 Switches
To install the patch file for 2.1 switches:
1. Download the files bfly_caller.sh and bfly.exp to the Linux machine with the Expect program installed.
Download both bfly_caller.sh and bfly.exp to the same directory.
2. Enter the following command from the directory where you download the files:
./bfly_caller.sh <telnet/ssh> ftp <service_password>
<file_containing_ip_of_WS5000 Series Switch_switches> <patch_filename>
<ftp_ip> <ftp_user> <ftp_password>
If you are using tftp, enter the command:
./bfly_caller.sh <telnet/ssh> tftp <service_password>
<file_containing_ip_of_WS5000 Series Switch_switches> <patch_filename>
<tftp_ip>
where:
• <telnet/ssh>: Program (telnet or ssh) enabled on the list of WS5000 Series Switches specified by the
<file_containing_ip_of_WS5000 Series Switch_switches>.
• ftp or tftp: Method used to download the patch file.
• service_password: Service mode CLI password.
• file_containing_ip_of_WS5000 Series Switch_switches: Filename containing the list of
IP Addresses of WS5000 Series Switch Switches (one IP Address per line).
• patch_filename: Name of the patch file downloaded; bfly_patch.tar by default. If you use ftp,
the patch file is in the home directory of the ftp user on the ftp server specified by <ftp_ip>. If you use
TFTP, the patch file is in the tftp server public directory.
• ftp_ip: IP Address of the FTP Server.
• tftp_ip: IP Address of the TFTP Server.
• ftp_user: Name of the ftp user
• ftp_password: ftp user’s password.
Automatically Installing the Patch File in WS5000 Series Switches
1. Download the files mantis_caller.sh and mantis.exp in the same directory of a Linux machine
with the Expect program installed.
2. Run the following command from the directory where you downloaded the files:
If you use ftp to download the file:
./mantis_caller.sh ftp <file_containing_ip_of_WS5000 Series Switch_switches> <patch_filename> <ftp_ip> <ftp_user> <ftp_password>
If you use tftp to download the file:
./mantis_caller.sh tftp <file_containing_ip_of_WS5000 Series Switch_switches> <patch_filename> <tftp_ip>
where:
• <telnet/ssh>: Program (telnet or ssh) enabled on the list of WS5000 Series Switches specified by the
<file_containing_ip_of_WS5000 Series Switch_switches>.
• ftp: Method used to download the patch file.
• tftp: Method used to download the patch file.
• service_password: Service mode CLI password.
• file_containing_ip_of_WS5000 Series Switch_switches: Filename with the list of IP
Addresses of WS5000 Series Switches (one IP Address per line).
• patch_filename: Name of the patch file downloaded; mantis_patch.tar by default. If you
use ftp, the patch file is in the home directory of the ftp user on the ftp server specified by <ftp_ip>. If
you use TFTP, the patch file is in the tftp server public directory.
• ftp_ip: IP Address of the FTP Server.
• tftp_ip: IP Address of the TFTP Server.
• ftp_user: Name of the FTP user
• ftp_password: FTP user’s password.
There is no need to have a patch update for WS5000 from version 2.0 to 2.1.
3.5 Manual Auto-install
There are two types of file you can use for manual auto-install:
1. The Command File Example shown above. This file has the .sym extension.
2. The .cli file, which contains just the CLI section of the command file (.sym file). See the CLI Commands
section for more details about this file.
A sample CLI file used for RADIUS configuration is shown below:
#############################################################################
#
# Copyright (c) 2005, Symbol Technologies, Inc.
# All rights reserved.
#
# radius_template.sym file
#
# This is a template file to configure WS5000 for MU authentication by onboard RADIUS Server.
# Requires Server Certificate (cert-srv.pem) and CA Certificate (cacert.pem) to be present on the TFTP Server
# Username to be used at MU = aaauser0
# Password to be used at MU = aaaaaa
# SSID to be associated to = aaawlan
#
#############################################################################
#Example CLI Commands
# Go to Config context
CLI#cfg
#############################################################################
#TFTP Server Certificate to be installed for RADIUS server
#############################################################################
CLI#copy tftp system
CLI#cacert.pem
CLI#157.235.208.179
#TFTP CA Certificate to be installed for RADIUS server
CLI#copy tftp system
CLI#cert-srv.pem
CLI#157.235.208.179
#############################################################################
#Install Server Certificate to be installed for RADIUS server
#WS5000 is the password used while generating this certificate
#############################################################################
CLI#aaa
CLI#eap
CLI#import servcert cert-srv.pem
CLI#WS5000
CLI#import cacert cacert.pem
CLI#..
CLI#..
#############################################################################
#create a security policy.
#this example uses WEP and 802.1x authentication using Onboard RADIUS server
#shared secret to be used is WS5000
#############################################################################
CLI#securitypolicy
CLI#add aaasecuritypolicy
CLI#set encryption wep40 enable
CLI#2
CLI#157.235.208.234
CLI#1812
CLI#WS5000
CLI#set radius server 1 127.0.0.1
CLI#..
CLI#..
#############################################################################
#create a WLAN. Use the security policy that was created above
#############################################################################
CLI#wlan
CLI#add aaawlan aaawlan
CLI#set security aaasecuritypolicy
CLI#..
CLI#..
#############################################################################
#Create an APPolicy. Add this WLAN
#############################################################################
CLI#appolicy
CLI#add aaaappolicy
CLI#add aaawlan
CLI#..
CLI#..
#############################################################################
#Create a Switch Policy. Use APPolicy and EtherPolicy created above.
#Set Country to US
#Activate this Switch Policy
#############################################################################
CLI#switchpolicy
CLI#add aaaswitchpolicy
CLI#set appolicy aaaappolicy
CLI#set etherpolicy aaaetherpolicy
CLI#set adoptionlist a default allow aaaappolicy
CLI#set adoptionlist b default allow aaaappolicy
CLI#set adoptionlist g default allow aaaappolicy
CLI#set adoptionlist fh default allow aaaappolicy
CLI#set country us
CLI#yes
CLI#..
CLI#..
CLI#set switchpolicy aaaswitchpolicy
#############################################################################
# AAA Configuration
# Add AAA users
# aaauser0, aaauser1, aaauser2 .....
# passwords for all are aaaaaa
# CLI prompts for the passwords twice.
#############################################################################
CLI#aaa
CLI#userdb
CLI#user
CLI#add aaauser0
CLI#aaaaaa
CLI#aaaaaa
CLI#add aaauser1
CLI#aaaaaa
CLI#aaaaaa
CLI#add aaauser2
CLI#aaaaaa
CLI#aaaaaa
CLI#add aaauser3
CLI#aaaaaa
CLI#aaaaaa
CLI#add aaauser4
CLI#aaaaaa
CLI#aaaaaa
CLI#..
#############################################################################
#Add a RADIUS Group
#############################################################################
CLI#group
CLI#add aaagroup
CLI#..
#############################################################################
# Add aaauser0 to this created group
#############################################################################
CLI#adduser aaauser0 aaagroup
CLI#..
CLI#..
#############################################################################
# Set this access policy for this Group to allow the WLAN
#############################################################################
CLI#policy
CLI#add wlan aaagroup aaawlan
CLI#..
#############################################################################
#Issue Save command to save these configurations
# Start the RADIUS server using "enable"
#############################################################################
CLI#save
CLI#enable
CLI#..
CLI#bye
To execute a .sym file, use the following commands:
• install primary <.sym file name> on a primary switch
• install standby <.sym file name> on a standby switch
To execute the .cli file, use the following command:
• install runcli <.cli file name>
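The following Python audit is an added example, not part of the Symbol guide: it reviews an auto-install .cli file before the file is staged for `install runcli`, flagging the settings visible in the sample above that deserve a second look (WEP encryption, certificates fetched over TFTP, one password shared by several AAA users). It assumes, from the sample, that every line is either a `#` comment or a `CLI#` command; the function names, finding codes and the embedded excerpt are constructed for illustration.

```python
from collections import defaultdict

# Constructed excerpt modelled on the sample file above (not a complete file).
SAMPLE_CLI = """\
# This is a template file to configure WS5000 for MU authentication by onboard
RADIUS Server.
CLI#cfg
CLI#copy tftp system
CLI#cacert.pem
CLI#157.235.208.179
CLI#securitypolicy
CLI#add aaasecuritypolicy
CLI#set encryption wep40 enable
CLI#..
CLI#..
CLI#aaa
CLI#userdb
CLI#user
CLI#add aaauser0
CLI#aaaaaa
CLI#aaaaaa
CLI#add aaauser1
CLI#aaaaaa
CLI#aaaaaa
CLI#..
CLI#save
"""


def parse_cli(text):
    """Split a .cli file into commands and stray lines.

    Returns (commands, stray): commands is a list of (line number, text after
    the 'CLI#' prefix); stray lists line numbers that are neither blank,
    a '#' comment, nor a 'CLI#' command.
    """
    commands, stray = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("CLI#"):
            commands.append((lineno, line[4:].strip()))
        elif line and not line.startswith("#"):
            stray.append(lineno)
    return commands, stray


def audit(text):
    """Return sorted (line number, code, message) findings for a .cli file."""
    commands, stray = parse_cli(text)
    findings = [
        (n, "STRAY_LINE", "neither a '#' comment nor a 'CLI#' command (wrapped comment?)")
        for n in stray
    ]
    users_by_password = defaultdict(list)
    for i, (lineno, cmd) in enumerate(commands):
        words = cmd.lower().split()
        # The next two lines are the answers to any prompts the command raises.
        answers = [c for _, c in commands[i + 1:i + 3]]
        if words[:2] == ["set", "encryption"] and len(words) > 2 and words[2].startswith("wep"):
            findings.append((lineno, "WEP", "security policy enables WEP encryption"))
        elif words == ["copy", "tftp", "system"] and answers and answers[0].lower().endswith(".pem"):
            findings.append((lineno, "TFTP_CERT",
                             f"{answers[0]} is fetched over TFTP (no authentication or encryption)"))
        elif (len(words) == 2 and words[0] == "add" and len(answers) == 2
              and answers[0] == answers[1] and answers[0] != ".."):
            # 'add <user>' followed by the password typed twice.
            users_by_password[answers[0]].append((lineno, cmd.split()[1]))
    for entries in users_by_password.values():
        if len(entries) > 1:
            names = ", ".join(name for _, name in entries)
            findings.append((entries[0][0], "SHARED_PASSWORD",
                             f"{len(entries)} users share one plaintext password: {names}"))
    return sorted(findings)


if __name__ == "__main__":
    for lineno, code, message in audit(SAMPLE_CLI):
        print(f"line {lineno}: {code}: {message}")
```

The password values themselves are never echoed in the findings, so the report can be attached to a change ticket.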
Using the WS5000 Series Switch GUI
You can configure the WS5000 switch and access ports using one of the following methods:
• The GUI through a web browser
• SNMP commands
• CLI from a Telnet connection through the wireless switch console port or a secure shell (SSH)
application.
However, not all areas of the system can be configured solely by the GUI, CLI, or SNMP.
If you need to use a specific interface for a system configuration, this is specified at the beginning of the
configuration process. For information on using the CLI, see Chapter 8, CLI Command Reference.
4.1 Logging In
To log into the WS5000 Series Switch graphical user interface:
1. Open a compatible browser.
2. Connect to the WS5000 Series Switch by typing https:// and the switch’s IP address. The WS5000
GUI Login Page is displayed.
Note You must have Java Runtime version 1.4.2-06 (j2re-1_4_2_06-windows-i586p.exe) or greater running on the console machine, to access the WS5000 Series
Switch GUI. This file is included on the CD that ships with the product.
Figure 4.1 WS5000 Series Switch GUI Console Login
3. Type a User ID and Password and click the Login button. The default is “admin” and “symbol”,
respectively.
4.2 Key Distribution Center
The WS5000 Series wireless switch has an on-board Key Distribution Center (KDC), or Kerberos authentication
server. Properly configured, the KDC provides a secure means for authenticating users/clients associated to a
WLAN or ESS with the Kerberos security policy applied. A separate switch with an on-board KDC can be
configured as a slave KDC to support the master KDC in case of a master KDC failure.
The KDC can use the system time or up to three Network Time Protocol servers (NTPs) when available.
Configuration of an NTP server in the KDC is optional, except in a master/slave configuration. When an NTP
server is configured for use, the KDC contacts the NTP server every 30 minutes to synchronize the system time.
When a slave KDC is present, use of an NTP server is recommended so the master and slave KDC times are
synchronized. Not using an NTP server in a master/slave configuration requires periodic, manual time
synchronization to propagate the master database to the slave KDC. This time synchronization step is not
necessary if the master and slave KDC times are within 5 minutes of each other.
Use the WS5000 Series Switch GUI (graphical user interface), the command line interface, or SNMP to
configure the onboard KDC. To configure the KDC using the GUI, perform the steps in the following sections:
1. Configuring Master KDC Information on page 4-3
2. Setting Kerberos Time Synchronization on page 4-6 (optional)
3. Creating Kerberos User Accounts on page 4-5
4. Configuring Slave KDC Information on page 4-4 (optional)
4.2.1 Configuring Master KDC Information
This procedure configures the switch to act as the master KDC authentication server for all Kerberos enabled
WLANs.
Note If using a master and slave switch configuration, ensure that each switch is
named appropriately (using the CLI) in order to avoid two devices with the same
name on the network.
To configure master KDC information:
1. From the WS5000 Series Switch GUI main window, click System Settings > Kerberos >
Configuration > KDC. The Kerberos Security Manager dialog box appears.
Figure 4.2 Kerberos Security Manager—Configuring the Master KDC
2. Select Master from the Configure As list.
3. Enter the Kerberos Realm where the KDC resides.
IMPORTANT! A DOMAIN NAME MUST BE ASSIGNED TO THE ETHERNET PORT
PRIOR TO ASSIGNING A REALM NAME TO THE KDC.
4. By default, “ethernet1” is selected as the wireless switch’s interface that connects to the wireless
traffic. You can also select “ethernet2” if required.
5. Click Save to complete the Master KDC setup.
4.2.2 Configuring Slave KDC Information
To use the wireless switch’s on-board KDC in a master/slave KDC configuration, the network requires at least
two wireless switches: one for the master KDC and the other for the Slave KDC.
Setting slave KDC information is a two-step process as described in the following sections:
• Configuring the KDC Slave
• Configuring the Master KDC to Recognize the Slave
4.2.2.1 Configuring the KDC Slave
IMPORTANT! BEFORE ADDING A SLAVE KDC, A MASTER KDC MUST ALREADY BE
CONFIGURED.
To configure a KDC as a slave KDC:
1. Click System Settings > Kerberos > Configuration > KDC from the WS5000 Series Switch GUI main
window. The Kerberos Security Manager dialog box appears.
Figure 4.3 Kerberos Security Manager—Configuring a Slave KDC
2. Enter the Hostname, IP Address, and Domain for Kerberos authentication.
3. Select New Slave in the left panel, and configure the slave KDC server details, such as Hostname, IP
address, and Domain.
4. Click Add to set the slave KDC information.
5. Continue with the steps described in Configuring the Master KDC to Recognize the Slave.
4.2.2.2 Configuring the Master KDC to Recognize the Slave
To configure the master KDC to recognize the slave KDC, follow these steps:
1. Complete the steps described in Configuring the KDC Slave.
2. Click System Settings > Kerberos > Configuration > Slave from the WS5000 Series Switch GUI
main window.
3. Select the slave KDC from the list in the left pane. Enter the hostname, IP address, and domain of
the master KDC server.
Figure 4.4 KDC Add Slave
4. Click Add to complete adding the slave to the master KDC. The KDC Add Slave dialog box appears.
Note Click the Synchronize Database button to force the Master KDC to push its
database to the selected slave (even though the database is automatically
synchronized whenever you make a change such as adding a KDC user).
4.2.3 Creating Kerberos User Accounts
A Kerberos user account is required for authentication on the WLAN. However, before a user account can be
added, the master KDC must be configured. See Configuring Master KDC Information on page 4-3 for more
details.
To create a Kerberos user account:
1. From the WS5000 Series Switch GUI main window, select System Settings > Kerberos >
Administration > Users. The Kerberos User Administration dialog box appears.
Figure 4.5 Kerberos User Administration
2. Select New User in the left panel, and configure the user account details as described in Table 4.1.
Table 4.1 Kerberos User Administration Field Descriptions
Field | Description
Name | A unique (1-20 characters) value that corresponds to the name of the user being added to or removed from the Key Distribution Center (KDC).
Ticket Life (min) | The minimum lifetime of a ticket (value ranges from 1-600 minutes).
Password | The Kerberos password for the specific user.
Confirm | Enter the password a second time to confirm.
3. When done, click Save to save the new Kerberos user account information.
4.2.4 Setting Kerberos Time Synchronization
This procedure synchronizes the NTP server with the switch’s on board KDC. The KDC can use the system time
or an NTP server (when available). When an NTP server is configured for use, the KDC contacts the NTP server
every 30 minutes to synchronize the system time and propagate the master KDC database to the slave KDC.
Except in a master/slave configuration, KDC NTP time configuration is optional.
To synchronize the NTP server with the switch’s on board KDC, follow these steps:
1. From the WS5000 Series Switch GUI main window, click System Settings > Kerberos >
Configuration > NTP.
The KDC Time Configuration dialog box appears.
Figure 4.6 KDC Time Configuration
2. Enter the IP addresses for the Preferred Time Server, the First Alternate Time Server, and the
Second Alternate Time Server. The alternate servers are optional, but recommended.
3. Click Save to apply settings.
Configuring User and Management Authentication
The WS5000 Series Switch provides an integrated Radius server as well as the ability to work with External
Radius and LDAP servers to provide user database information and user authentication. Management users
may also be authenticated using an external or integrated RADIUS server. The External Radius server cannot be
completely configured through the tools provided by the wireless switch; refer to EAP Authentication Settings on
page 6-44 to configure an External Radius server. This association remains unused unless the Radius server
also adds the external switch as a client. The WS5000 Series Switch provides:
• Configuring an On-board RADIUS Server (Internal Radius server)
• Configuring Management User Authentication
• Configuring Remote RADIUS Server (External Radius server); refer to EAP Authentication Settings on page
6-44.
• Configuring Windows Server 2000, which provides information about how to configure Windows 2000
Server.
5.1 WS5000 as a RADIUS Client
The format of the Calling Station ID and the Called Station ID has changed to conform to RFC 3580 (IEEE
802.1X RADIUS Usage Guidelines), as follows:
• The 6-byte MAC address is now separated by hyphens (-) instead of the colons (:) used earlier.
An example Calling Station ID is 00-10-A4-23-19-C0.
• The Called Station ID now has the SSID name suffixed to it using a colon (:). For example, the Called
Station ID for the MAC address 00-10-A4-23-19-C0 with an SSID of API would now be “00-10-A4-23-19-C0:API”.
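For RADIUS servers, accounting parsers or log rules that match on these attributes, the following added Python example (not code from the guide) builds and parses station IDs in the format described above and reports whether a received value uses the RFC 3580 MAC form or the earlier colon-separated one. The function names and sample values are constructed for illustration; the parser splits at a fixed offset because an SSID may itself contain a colon.

```python
import re

# A 17-character MAC with one consistent separator (hyphen or colon), any case.
MAC_17 = re.compile(r"^[0-9A-Fa-f]{2}([-:])(?:[0-9A-Fa-f]{2}\1){4}[0-9A-Fa-f]{2}$")
# RFC 3580 form: upper-case hex octets separated by hyphens.
RFC3580_MAC = re.compile(r"^(?:[0-9A-F]{2}-){5}[0-9A-F]{2}$")


def normalize_mac(mac):
    """Return a MAC address as upper-case, hyphen-separated octets."""
    if not MAC_17.match(mac):
        raise ValueError(f"not a 6-byte MAC address: {mac!r}")
    return mac.upper().replace(":", "-")


def called_station_id(ap_mac, ssid):
    """Build a Called Station ID: normalized MAC, a colon, then the SSID."""
    return f"{normalize_mac(ap_mac)}:{ssid}"


def parse_station_id(value):
    """Parse a Calling or Called Station ID.

    Returns (mac, ssid, rfc3580) where mac is normalized, ssid is None when no
    ':SSID' suffix is present, and rfc3580 is True only if the MAC part arrived
    as upper-case hex separated by hyphens.
    """
    head, rest = value[:17], value[17:]
    mac = normalize_mac(head)  # raises ValueError on malformed input
    if rest and not rest.startswith(":"):
        raise ValueError(f"unexpected text after MAC address: {value!r}")
    ssid = rest[1:] if rest else None
    return mac, ssid, bool(RFC3580_MAC.match(head))


def legacy_format_values(values):
    """Return the station IDs whose MAC part is not in RFC 3580 form."""
    return [v for v in values if not parse_station_id(v)[2]]


if __name__ == "__main__":
    # Constructed attribute values, as they might appear in a RADIUS log.
    seen = ["00-10-A4-23-19-C0:API", "00:10:A4:23:19:C0", "00-10-A4-23-19-C0"]
    for value in seen:
        print(value, "->", parse_station_id(value))
    print("legacy format:", legacy_format_values(seen))
```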
5.2 Configuring an On-board RADIUS Server
The WS5000 Series Switch provides an integrated Radius server as well as the ability to work with external
Radius and LDAP servers to provide user database information and user authentication.
5.2.1 Configuring the Radius Server
The Radius Server screen allows the admin to set up data sources, as well as specify authentication
information for the built-in Radius server.
To configure the Radius server, select System Settings -> Radius -> Configuration.
Figure 5.1 System Settings
The following Radius Configuration screen appears:
Figure 5.2 Radius Configuration
1. Use the Data Source drop-down menu to select the data source for the local Radius server.
• If you select Local, the internal User Database serves as the data source. Refer to the Users screen
to enter the user data. For more information, see Configuring Radius Users on page 5-12.
• If you select LDAP, the switch uses the data in an LDAP server. Configure the LDAP server settings
on the LDAP screen under Radius Server on the menu tree. For more information, see Configuring
LDAP Authentication on page 5-7.
2. Use the Default EAP Type drop-down menu in the TTLS/PEAP Configuration field to specify the
EAP type for the Radius server. The options are PEAP and TTLS.
• Protected EAP (PEAP) uses a TLS layer on top of EAP as a carrier for other EAP modules. PEAP is an
ideal choice for networks using legacy EAP authentication methods.
• Tunneled TLS EAP (EAP-TTLS) is similar to EAP-TLS, but the client authentication portion of the
protocol is not performed until after a secure transport tunnel has been established. This allows
EAP-TTLS to protect legacy authentication methods used by some Radius servers.
3. Specify an EAP Authentication Type from the drop-down menu in the TTLS/PEAP Configuration
field. The authentication types for PEAP are GTC and MSCHAP-V2. The authentication types for TTLS
are PAP, MD5 and MS-CHAP-V2.
• EAP Generic Token Card (GTC) is a challenge handshake authentication protocol that uses a
hardware token card to provide the response string.
• Microsoft CHAP (MSCHAP-V2) is an encrypted authentication method based on Microsoft's
challenge/response authentication protocol.
• PAP provides a simple method for a remote node to establish its identity using a two-way
handshake. After the PPP link establishment phase is complete, a username and password pair is
repeatedly sent by the remote node across the link (in clear text) until authentication is
acknowledged, or until the connection is terminated.
• MD5 provides a simple method for a remote node to establish its identity using a two-way
handshake. After the PPP link establishment phase is complete, a username and password pair is
repeatedly sent by the remote node across the link (in clear text) until authentication is
acknowledged, or until the connection is terminated.
4. Click one of the following buttons in the screen:
Apply | Saves your changes.
Undo | Closes the screen without saving your changes. This reverts the screen back to the last saved configuration.
Cancel | Exits the applet and terminates this session.
Help | Displays the online help.
5.2.2 Managing Certificates
To generate a certificate request from the WS5000 Series Switch:
1. Select System Settings > Radius > Certificate Management > Self Certificate.
2. Click the Add button.
3. Enter the certificate signing request (CSR) information and click the Generate button.
4. Copy the generated CSR to a file (with a .req extension) in a Windows 2003 server PC that contains
the CA.
5. Run the certreq command from the command prompt on the Windows 2003 server PC.
The command prompts you for the CSR file.
Enter the name of the CSR file generated from the switch.
The command prompts for the destination to place the server certificate.
6. Copy the ROOT certificate of the CA on the Windows 2003 server PC used to sign the server certificate
into the same location as the server certificate. You must upload this certificate on the switch. See
5.2.2.2 Uploading Certificates on page 6.
5.2.2.1 Importing and Installing CA Certificates
To import and install the CA and server certificates on the WS5000 Series Switch:
1. Ensure the time in the switch is synchronized with the Windows 2003 server PC.
2. Select System Settings > Radius > Certificate Management > Self Certificate to load the CA certificate.
Figure 5.3 Generating Certificate
3. Click the Upload CA Certificate button.
4. Browse to the CA certificates file and click the Send button.
5. Click on the View/Install certificate button to install the CA certificate and Server certificates. The
Install Certificates screen shown in Figure 5.4 appears.
Figure 5.4 Installing Certificates
6. Select the corresponding request ID for the server certificate and the CA certificate ID.
7. Click Apply.
5.2.2.2 Uploading Certificates
If you have a server certificate from a CA and wish to use it on the Radius server:
1. Select Radius > Upload Certificate.
The certificate upload screen (shown in Figure 5.5) appears.
Figure 5.5 Uploading Server Certificate
2. Enter the Radius certificate filename, or click the Browse button.
The menu displays the certificates imported to the switch. You can also choose an imported CA
Certificate to use on the Radius server. If you use a server certificate signed by a CA, you must import
that CA's root certificate using the CA certificates screen from the Certificate Management menu.
Figure 5.6 Uploading CA Certificate
3. Click one of the following buttons in the screen:
Next | Starts uploading the certificate.
Reset | Clears the filename so that you can enter a new name.
Cancel | Exits the applet and terminates this session.
Help | Displays the online help.
5.2.2.3 Configuring LDAP Authentication
If the Radius Data Source is using an external LDAP server (see Configuring the Radius Server on page 5-2), the
LDAP screen is used to provide data on the external LDAP server. Select System Settings > Radius
Configuration and click LDAP from the Radius configuration screen.
There should be a group configured in the AAA server local database with the same group name as in the LDAP
server. The policy in the AAA server for this group must have the same EAP enabled WLAN. Only then is the
mobile unit authenticated by the Radius server.
Figure 5.7 LDAP Configuration
1. Configure the LDAP Configuration field to enable the switch to work with the LDAP server. Consult
with the LDAP server administrator for details on how to set the values if necessary.
Server name | Enter the name of the external LDAP server acting as the data source for the Radius server.
LDAP Server IP | Enter the IP address of the external LDAP server. The server must be accessible from the WAN port or from an active subnet on the switch.
Port Number | Enter the TCP/IP port number for the LDAP server acting as a data source. The default port is 389.
Bind DN | Specify the Bind Distinguished Name (the distinguished name to bind with the LDAP server).
Base DN | Specify a distinguished name that establishes the base object for the search. The base object is the point in the LDAP tree at which to start searching.
Pass Attribute | Enter the password attribute used by the LDAP server for authentication.
Login Attribute | Enter the login attribute used by the LDAP server for authentication. In most cases, the default value in this field should work.
Filter | Specify the filters used by the LDAP server.
Password | Enter a valid password for the LDAP server.
Group Name | Specify the name of the group sent to the LDAP server.
Membership Attribute | Specify the Group Member Attribute to be sent to the LDAP server when authenticating users.
2. Click one of the following buttons:
Apply | Saves your changes.
Undo | Closes the screen without saving your changes. This reverts the screen back to the last saved configuration.
Cancel | Exits the applet and terminates this session.
Help | Displays the online help.
5.2.2.4 Configuring Clients
To configure the WS5000 Radius client so that it can be accessed by external Radius servers:
1. Click the Clients Configuration tab in the Radius Configuration screen.
The Radius client configuration screen appears:
Figure 5.8 Client Configuration
2. Enter the following information in the Clients Configuration table:
In the Field | Enter
Subnet/Host | Name of the subnet or host to authenticate.
Netmask | The subnet mask number of the host to authenticate.
Shared Secret | A shared secret used for each host or subnet authenticating with the Radius server. The shared secret can be up to seven characters long.
3. Use the Add button to add more entries into the Clients Configuration table. Use the Delete button
to remove entries.
4. Click one of the following buttons in the screen:
Apply | Saves your changes.
Undo | Closes the screen without saving your changes. This reverts the screen back to the last saved configuration.
Cancel | Exits the applet and terminates this session.
Help | Displays the online help.
5.2.2.5 Configuring the Radius Accounting Server
The Radius accounting server enables a Network Access Server (NAS) to deliver accounting packets to the
Radius accounting server, which stores this information.
To configure the WS5000 Radius accounting server:
1. Click the Radius Accounting tab in the Radius Configuration screen.
The Radius accounting server screen (shown in Figure 5.9) appears.
Figure 5.9 Radius Accounting Server Configuration
2. Select Enabled or Disabled in the Accounting pulldown menu.
Note Accounting files cannot be viewed from the switch. They have to be
downloaded to a TFTP server for viewing. Downloading the accounting file is
currently supported only through CLI.
3. Enter the following information in the Radius Accounting table:
In the Field | Enter
IP Address | Enter the IP address of the Radius accounting server.
Shared Secret | Enter the shared secret code used to communicate with the Radius accounting server.
TimeOut (Secs) | Enter a value between five and ten to indicate the number of seconds that will cause the switch to time out on a request to a Radius accounting server.
Port | Enter the TCP/IP port number for the Radius accounting server. The default value is 1813.
Max Retry | Enter a value between one and ten to indicate the number of times the switch attempts to reach the Radius accounting server before it stops trying.
4. Click one of the following buttons in the screen:
Apply | Saves your changes.
Undo | Closes the screen without saving your changes. This reverts the screen back to the last saved configuration.
Cancel | Exits the applet and terminates this session.
Help | Displays the online help.
5.2.3 Configuring Radius Users
Use the Users screen to create users and groups for the local Radius server. The users database is used when
Local is selected as the Data Source from the Radius Server screen (for more information, see
Configuring the Radius Server on page 5-2). The information in the database is ignored if an LDAP server is
used for user authentication. Select System Settings -> Radius -> Users to maintain the user entries.
Figure 5.10 Radius Users Configuration
Each user created is assigned a unique password and is associated with one or more groups. Each group can
be configured for its own access policy within the Access Policy configuration screen under the Radius Server
menu.
5.2.3.1 Adding Groups
The Groups table displays a list of all groups in the local Radius server database. The groups are listed in the
order they were added. Although groups can be added and deleted, there is no capability to edit the name of
a group.
1. To add a new group, click the Add button and enter the name of the group in the blank field in the
table.
2. Click one of the following buttons in the screen:
Apply | Saves your changes.
Undo All | Closes the screen without saving your changes. This reverts the screen back to the last saved configuration.
Close | Exits the applet and terminates this session.
Help | Displays the online help.
5.2.3.2 Deleting Groups
To remove a group, select the group from the table and click the Del (Delete) button. A warning message
displays when applying the change if there are users still assigned to the group. You can remove the group
from each user or add the group back to the group list.
5.2.3.3 Adding Users
The Users table displays the entire list of users. Up to 100 users can be entered. Users are listed in the order
they are added. Although users can be added and deleted, there is no capability to edit the name of a group.
1. To add a new user, click the Add button at the bottom of the Users area.
2. In the new line, type a User ID (username).
3. Click the Password table header. A small window displays. Enter a password for the user and click
OK to return to the Users screen.
4. Click the List of Groups table header. A new screen displays enabling you to associate groups with
a user. A user is required to belong to at least one group in order for the user to have access to the
switch.
• To add the user to a group, select the group from the list of groups (on the right) and click the Add
button.
• To remove the user from a group, select the group in the Assigned list (on the left) and click the
Del (Delete) button.
5. Click OK when you are done.
6. Click one of the following buttons in the screen:
Apply | Saves your changes.
Undo | Closes the screen without saving your changes. This reverts the screen back to the last saved configuration.
Cancel | Exits the applet and terminates this session.
Help | Displays the online help.
5.2.4 Configuring Radius Proxy
The Radius server can proxy the authentication requests to a remote radius based on the suffix of the user id.
Figure 5.11 shows the Radius proxy configuration screen.
Figure 5.11 Radius Proxy Configuration
For each proxy server, the WS5000 enables the administrator to configure the following:
• Radius authentication server IP address
• Radius authentication server port
• Secret key
• Suffix of the user ID such as isp2.com or company.com
The WS5000 supports five proxy servers.
5.3 Configuring Management User Authentication
Management users (telnet, cli users etc.) can also be authenticated using external/integrated RADIUS Server.
5.3.1 Using External RADIUS Server
This section will take you step-by-step through the configuration of the wireless switch user authentication
via remote RADIUS server feature using the Symbol WS5000 wireless switch version 1.2 on Microsoft
Windows Server 2000 with Internet Authentication Service and Active Directory.
You need the following:
1. Symbol WS5000 Wireless Switch version 1.2.0.39 or newer
2. Ethernet switch
3. Microsoft Windows Server 2000 (or Advanced Server) with SP4 (or newer)
4. Experience with Microsoft Windows operating systems and the WS5000
Note It is possible to use the Wireless Switch User Authentication via Remote RADIUS
Server feature with different configurations than what’s provided in this guide.
However, to complete all of the steps in this installation guide the exact configuration
above must be used.
5.3.2 Using On-board RADIUS Server
Management users, authenticated using the onboard RADIUS Server, will be given Read-Only attributes. To
configure the management onboard RADIUS server, follow the steps provided in 5.2 Configuring an On-board
RADIUS Server on page 2. Add the user with a password. This user must NOT be attached to any group.
Setup on the WS5000 is the same as mentioned in Configuring an On-board RADIUS Server. Specify the IP
address of the switch in the Remote Administration dialog.
5.3.3 Physical Network Configuration
This guide uses the following network configuration:
Figure 5.12 Physical Network Configuration
For this installation, Windows Server 2000 must be accessible by the WS5000. The simplest way to achieve
this is to configure the WS5000 and Windows Server 2000 so they are on the same physical and IP subnet. If
they are on different IP subnets, the WS5000 must be able to route to the Windows Server 2000.
5.3.4 Configuring WS5000
1. From the System Settings menu, select Remote Admin …
2. Select the RADIUS Authentication tab. Check the Network Users (Web, Telnet, etc.) check box.
Enter the IP address of the Windows Server 2000 for the Primary Name / IP Address. Enter a Shared
Secret for the Primary. You will need to remember the Shared Secret when configuring the Windows
Server 2000. Click Close.
5.4 LDAP and Certificate Configuration
LDAP Server is used as the database with WS5000 RADIUS server. The configuration details for WS5000 and
LDAP server (Linux OpenLDAP and Windows Active Directory Server) are as follows:
5.4.1 OpenLdap in Linux
• Edit the LDAP configuration file (/etc/openldap/slapd.conf) with the base DN, Manager
username and password.
    suffix   "o=symbol,c=INDIA"
    rootdn   "cn=Manager,o=symbol,c=INDIA"
    rootpw   secret
• Start the LDAP server (/usr/sbin/slapd -d 4)
Note User addition/deletion/searching can be done either through CLI or through
LdapBrowser
• OpenLdap cli command for adding/searching users
    ldapadd -x -D "cn=Manager,o=SYMBOL,c=INDIA" -W -f base1.ldif
    ldapadd -x -D "cn=Manager,o=SYMBOL,c=INDIA" -W -f group6.ldif
    ldapadd -x -D "cn=Manager,o=SYMBOL,c=INDIA" -W -f member6.ldif
    ldapsearch -x -b 'o=SYMBOL,c=INDIA' '(&(cn=group2)(objectclass=groupofNames))'
ldif file format (base1.ldif, group6.ldif, member6.ldif, wvpn.ldif)
dn: o=SYMBOL,c=INDIA
objectclass: organization
o: SYMBOL

dn: cn=group6,o=SYMBOL,c=INDIA
objectclass: groupOfNames
member: cn=srijith,o=SYMBOL,c=INDIA
member: cn=apar,o=SYMBOL,c=INDIA
cn: group6
o: SYMBOL

dn: cn=srijith,o=SYMBOL,c=INDIA
objectclass: person
objectclass: uidObject
cn: srijith
sn: srijith
uid: srijith
userPassword: test

dn: cn=wvpnuser,o=SYMBOL,c=INDIA
objectclass: person
objectclass: uidObject
cn: wvpnuser
sn: wvpnuser
uid: wvpnuser
userPassword: test
5.4.2 User/Group Configuration with LdapBrowser
LdapBrowser (free download) can be used for configuring users instead of the CLI. Follow the steps below
to install and start using the LDAP browser:
1. Install LDAP browser and run the binary for configuration GUI (lbe.sh).
2. Connect to an active LDAP server.
3. Import the LDIF files mentioned above, using LDIF->import menu option
(Import base1.ldif,group6.ldif,member6.ldif,wvpn.ldif).
4. Choose Update/Add option when importing the configuration.
5. Verify the users/groups that are loaded are properly displayed in left panel.
5.4.3 ActiveDirectory in Windows server
Active Directory can also be used as the LDAP server with the WS5000 switch. Users and groups need to be configured
in Active Directory for authentication.
5.4.3.1 LDAP configuration for accessing Openldap/ActiveDirectory
1. Use the following LDAP configuration in the switch for OpenLDAP. This is valid only for NON-VPN CLIENTS.
LDAP Server IP : 192.192.4.42
LDAP Server Port : 389
LDAP Bind DN : cn=Manager,o=symbol,c=India
LDAP Base DN : o=symbol,c=India
LDAP Login Attribute : (uid=%{Stripped-User-Name:-%{User-Name}})
LDAP Password Attribute : userPassword
LDAP Group Name Attribute : cn
LDAP Group Membership Filter : (|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn})))
LDAP Group Membership Attribute : radiusGroupName
Note There should be a group configured in the AAA server local database with the
same group name as in LDAP server. The policy in AAA server for this group should
contain the EAP enabled WLAN.
2. Use the following LDAP configuration in the switch for OpenLDAP. This is valid only for VPN
CLIENTS.
LDAP Server IP : 192.192.4.42
LDAP Server Port : 389
LDAP Bind DN : cn=Manager,o=symbol,c=India
LDAP Base DN : o=symbol,c=India
LDAP Login : (uid=%{Stripped-User-Name:-%{User-Name}})
LDAP Password : userPassword
LDAP Group Name Attribute : cn
LDAP Group Membership Filter : (cn=wwvpnuser)
LDAP Group Membership Attribute :
LDAP Passwd : secret
Note This authentication works only if the username is not present in any of the groups available on the
LDAP server.
5.4.4 LDAP Configuration in switch for Active Directory
The following LDAP configuration is used in the switch for Active Directory:
LDAP Server IP : 192.192.4.42
LDAP Server Port : 389
LDAP Bind DN : cn=blradmin,ou=WID,dc=TVLAB01,dc=com
LDAP Base DN : ou=WID,dc=TVLAB01,dc=com
LDAP Login Attribute : (sAMAccountName=%{Stripped-User-Name:-%{User-Name}})
LDAP Password Attribute : UserPassword
LDAP Group Name Attribute : cn
LDAP Group Membership Filter : (|(&(objectClass=group)(member=%{Ldap-UserDn})))
LDAP Group Membership Attribute : radiusGroupName
Note Only the default PAP encryption type is supported when a user is created in
Active Directory on the Windows server. To select the other encryption types, go to User
Properties > Account Information and select the Store User Password in Reversible
Encryption checkbox.
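The Login Attribute and Group Membership Filter values in 5.4.3.1 and 5.4.4 are templates that are filled in for each authentication request. The following Python sketch is an added example, not code from the switch or from this guide: it assumes FreeRADIUS-style expansion (%{A:-B} means "use A, otherwise B") and escapes every substituted value per RFC 4515 so that a user-supplied name cannot change the structure of the search filter. The function names and the sample request values are hypothetical.

```python
import re

# Templates copied from the switch configuration shown in this section.
LOGIN_OPENLDAP = "(uid=%{Stripped-User-Name:-%{User-Name}})"
LOGIN_AD = "(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})"
GROUP_OPENLDAP = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn})))"

# RFC 4515 section 3: characters that must be written as \XX inside a filter value.
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}

# Matches %{Name} and %{Name:-default}; default is a literal or one nested %{Name}.
_VAR = re.compile(r"%\{([A-Za-z0-9-]+)(?::-(%\{[A-Za-z0-9-]+\}|[^{}]*))?\}")


def escape_filter_value(value):
    """Escape a value before it is placed inside an LDAP search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def expand(template, attrs):
    """Fill a filter template from request attributes (assumed expansion rules)."""
    def resolve(match):
        name, default = match.group(1), match.group(2)
        value = attrs.get(name)
        if value:                        # attribute present and non-empty
            return escape_filter_value(value)
        if default is None:
            raise KeyError(f"attribute {name} is missing and has no default")
        if default.startswith("%{"):     # the default is itself an attribute reference
            return expand(default, attrs)
        return escape_filter_value(default)
    return _VAR.sub(resolve, template)


if __name__ == "__main__":
    # Constructed request attributes, for illustration only.
    requests = [
        {"User-Name": "srijith"},
        {"User-Name": "apar@symbol", "Stripped-User-Name": "apar"},
        {"User-Name": "*)(cn=*"},        # filter metacharacters end up escaped
    ]
    for attrs in requests:
        print(expand(LOGIN_OPENLDAP, attrs))
    print(expand(GROUP_OPENLDAP, {"Ldap-UserDn": "cn=srijith,o=SYMBOL,c=INDIA"}))
```

After expansion the number of unescaped parentheses and asterisks equals that of the template, which is the property to check when reviewing any custom login or group filter.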
5.4.5 Certificate Management with Win-2003 server
Windows 2003 server has Certificate Authority (CA) functionality which can be used for signing requests. This
section details the configuration for PEAP/TTLS authentication with the WS5000 RADIUS server.
1. Install the Certificate Authority which comes with Win-2003 server.
2. Create a CA in standalone mode at the end of installation.
5.4.5.1 Configuration in MU (client)
1. Copy the CA certificate from the 2003 server to client (MU) in base64 encoded format.
2. Install the certificate in the client
3. Select Validate server certificate option in MU connection profile configuration.
5.4.5.2 Signing certificate request from WS5000
1. Generate the CSR from WS5000 using the self-certificate management window from the Applet.
(System Setting > Radius > Certificate Management > Self Certificate)
2. Provide the information required for CSR and click on the Generate button. Then copy the generated
CSR to a Win2003 server PC.
3. Execute certreq <CSR-file> <Cert-file> command from command prompt on the Win2003
server PC. [Cert-file : destination certificate filename]
5.4.5.3 Installing CA & Server Certificate in WS5k:
1. Make sure the time in the switch is in sync with the 2003 server.
2. Load the CA certificate in the WS5k by clicking the Import CA Certificate button on the self-certificate
window of the applet (System Setting > Radius > Certificate Management > Self Certificate).
3. Load the server certificate in the WS5000. Select the request ID and then click the Import Server certificate
button on the self-certificate window of the applet (System Setting > Radius > Certificate Management > Self
Certificate).
Once imported, installation of the CA and server certificates can be done in the radius configuration
window (System Setting > Radius > Configuration > Install Certificates Tab). Select the corresponding request
id and the CA certificate id and click the Apply Certificate button.
5.5 Configuring Windows Server 2000
The Windows Server 2000 must have the following components installed:
• Active Directory
• Internet Authentication Service
If any one or all of these components are not installed, the installation instructions are included prior to the
configuration of the component.
5.5.1 Installing Active Directory
If Active Directory is already installed, go to 5.5.2 Configuring Active Directory Users on page 32.
1. To install Active Directory, go to the Start Menu, select Programs > Administrative Tools >
Configure Your Server
2. This will open Windows 2000 Configure Your Server. Select Active Directory from the left side menu.
3. Click on Start the Active Directory wizard.
4. This will open the Welcome to the Active Directory Installation Wizard. Click Next >.
5. Select Domain controller for a new domain. Click Next >.
6. Select Create a new domain tree. Click Next >.
7. Select Create a new forest of domain trees. Click Next >
8. Enter a Full DNS name for new domain. Click Next >.
9. The Domain NetBIOS name will be entered by the Wizard. Click Next >.
10. Keep the default locations for the Database and Log. Click Next >.
11. Keep the default location for the Folder. Click Next >.
12. You may get this alert. Click OK.
13. If you get the alert, you may be asked to configure a DNS server. Select No. Click Next >.
14. Use the default permission selected by the Wizard. Click Next >.
15. Enter the Administrator password. Click Next >.
16. Click Next >.
17. Wait while the Wizard configures Active Directory.
18. Click Finish.
19. Click Restart Now.
5.5.2 Configuring Active Directory Users
If you have not installed Active Directory, go to 5.5.1 Installing Active Directory on page 22
1. To configure Active Directory users, go to the Start Menu, select Programs > Administrative Tools
> Active Directory Users and Computers.
2. This will open the Active Directory Users and Computers. Select a domain from the tree menu on the
left side. Right click on the Users object and select New > User.
3. Enter a First name, Last name and User logon name. You will need to remember this User logon name
when you log into the wireless switch. Click Next >.
4. Enter a Password and Confirm password. You will need to remember this password when you log into
the switch. Click Next >.
5. Click Finish.
6. Right click on the Active Directory User you’ve just created and select Properties.
7. Click the Dial-in tab. Select Allow access. Click OK.
5.5.3 Installing Internet Authentication Service
If Internet Authentication Service is already installed, go ahead to 5.5.4 Configuring Internet Authentication
Service on page 40.
1. To install Internet Authentication Service, go to the Start Menu, select Settings > Control Panel.
2. Select Add/Remove Programs.
3. Click Add/Remove Windows Components.
4. Select Networking Services. Click Details….
5. Select Internet Authentication Service. Click OK.
6. Click Next >.
7. Wait while Windows configures components.
8. Click Finish. Manually restart Windows.
5.5.4 Configuring Internet Authentication Service
1. To configure Internet Authentication Service, go to the Start Menu, select Programs >
Administrative Tools > Internet Authentication Service.
2. This will open Internet Authentication Service. From the Tree, right-click Clients and select New
Client.
3. Enter a Friendly name. We suggest using the name of the wireless switch that you configured in
Step 3. Keep Protocol as RADIUS. Click Next >.
4. Enter the IP address of the switch configured in Step 3. Enter a Shared Secret and confirm. Click
Finish.
5. From Internet Authentication Service, right-click on Remote Access Policies and select New
Remote Access Policy.
6. Enter a Policy friendly name. Click Next >.
7. Click Add.
8. Select an Attribute type. If you are not sure which Attribute type to select, go to Windows-Groups.
Click Add…
9. If you selected Windows-Group, click Add… .
10. Select Domain Users. Click Add.
11. This will add Domain Users to the selected groups list. Click OK.
12. Click OK.
13. Click Next >.
14. Select Grant remote access permission. Click Next >.
15. Click Edit Profile …
16. Click on the Authentication tab. Select Unencrypted Authentication (PAP, SPAP). Unselect all
other authentication methods. Click OK.
17. Select the Advanced tab. Click Add… .
18. Select Vendor-Specific. Click Add.
19. Click Add.
20. Select No. It does not conform. Click Configure Attribute… .
21. Enter 3135 for Hexadecimal attribute value:. This value grants full administrative permissions to an
authorized user. Click OK.
22. Click OK.
23. Click OK.
24. Click Close.
25. Click OK.
26. If this warning displays, click No.
27. Click Finish. This completes the configuration of Internet Authentication Service.
5.5.5 Testing the Configuration
1. To test the configuration, enter the user logon name and password from the new user created in the
Windows Server 2000 Active Directory in 5.5.2 Configuring Active Directory Users on page 32.
2. After successfully logging into the WS5000, check the local logfile for authentication details.
Note To see this message, event 39 (Mgt user auth success [radius]) must be enabled
for the local logfile.
3. Check the Event Viewer on the Windows Server 2000. From the System Log, open the properties for the
IAS source, information event.
4. This will show the details of the IAS event.
Configuring Policies
A network policy is a “packet filter.” It prioritizes packets as they are sent across the wireless network, and
can ultimately reject packets completely. Network policies define what packets should be filtered inbound (input)
and outbound (output) based on Input and Output Network Policies.
Network policies should be created to implement QoS and types of service (ToS) protocols. See Quality of
Service on page 1-9 for more details on QoS and types of service protocols supported by the WS5000 Series
wireless switch.
Data from an Access Port directed towards an MU is governed by the outbound Policy Object, and data from an
MU directed to an Access Port is governed by the inbound Policy Object.
6.1 Configuring Network Policies
To view the configuration hierarchy while creating a Network Policy, click Where Am I? at any point. A Where
Am I? Dialog Box, such as Figure 6.1, displays.
Figure 6.1 Network Policy Where Am I? Dialog Box
Access Port policies use network policies (see Creating a Network Policy on page 6-13), but prior to creating a
network policy, other network related components and policies must be configured within the switch. These
are:
• Classifiers
• Classification Groups
See the following sections for more details on working with Network Policies:
• Classifiers on page 6-2
• Classification Groups on page 6-5
• Creating a Network Input Policy on page 6-9
• Creating a Network Output Policy on page 6-11
• Creating a Network Policy on page 6-13
• Modifying a Network Policy on page 6-38
6.1.1 Classifiers
A Classifier is a declaration that tests various aspects of a network packet and the path it travels along;
aspects such as source and destination IP, transport protocol, and so on.
A packet will either “pass” or “fail” the predicate. The action taken when a packet passes or fails a Classifier
is not included in the Classifier definition; the action is defined by a Classification Group (see Classification
Groups on page 6-5).
To see the configuration hierarchy while creating a Classifier, click Where Am I? at any point.
A Where Am I? Dialog Box, such as Figure 6.2, is displayed.
Figure 6.2 Classifier Where Am I? Dialog Box
6.1.1.1 Creating a Classifier
To create a classifier:
1. From the WS5000 Series Switch GUI main window, select Create > Network > Classifier. The system
launches the Classifier Wizard.
Figure 6.3 Creating a Classifier—Naming the Classifier (and Optionally, Choosing a Template)
2. Enter a name and description for the new WLAN, then if desired, select Use an existing Classifier as
a template.
3. Click Next. A panel for defining match criteria for the classifier is displayed.
Figure 6.4 Creating a Classifier—Defining Match Criteria
Each row of the Match Criteria table is a simple declaration. For each Criteria type to be defined, a value
must also be defined. Unless otherwise noted, the Classifier uses a case-insensitive comparison when
evaluating network packet values.
Create a classifier(s) by referring to Table 6.1, which describes the meanings and acceptable value
ranges for the criteria types.
Table 6.1 Classifier Types and Acceptable Value Ranges
Criteria Type | Description
Source Mac Address | When evaluating the packet, the Classifier looks at the MAC address of the device that sent the packet. The value is an arbitrary MAC address in the usual form. Duplet-separating colons are inserted as you type.
Dest[ination] Mac Address | MAC address of the device to which the packet is being sent. Arbitrary MAC address in the usual form. Duplet-separating colons are inserted as you type.
Ethertype | Ethernet type values, as defined by RFC 1700. Select pre-defined values 0x800 (IPv4) or 0x400 (nixdorf), or select and enter a hex number (with prefix “0x”) in the text field to the right.
VLAN ID | ID of the VLAN to/from which the packet is being sent/has been received. The value is a number (only).
Priority | Relative priority value. The value is a number (only).
Protocol | Ethernet protocol. Choose from one of the pre-defined protocol constants, or type in the number (only!) of the desired protocol.
ToS | “Type of Service” identifier. The value is a number (only).
Source IP Address | The IP address and subnet mask of the device where the packet emerged. The values are expressed as two dot-separated IP addresses separated by a single forward-slash (/). For example: IPaddress/SubnetMaskAddress
Dest[ination] IP Address | IP address and subnet mask of the device to which the packet is being sent. The value is expressed in the same manner as Source IP Address.
Source Port | The Ethernet port number, on the originating device, through which the packet was sent.
Dest[ination] Port | The Ethernet port number, on the recipient device, to which the packet is being sent.
Multicast Mask | MAC address that's used to mask the range of recipients of a broadcast packet. This is particularly useful for restricting the broadcast of voice and video data.
4. If the predicate for the classifier has more than one clause, the Action conjunction is used to string
predicates together. For example,
• If the consecutive criteria are dissimilar, the predicates are conjoined with “AND”.
• If the consecutive criteria are similar, the predicates are conjoined with “OR”.
Predicates are evaluated and conjoined consecutively. In other words, there is no control over the
grouping of predicates other than logical ordering upon creating them.
Note Keep Classifier predicates as simple as possible, and build more complicated
tests by combining Classifiers in a Classification Group.
Use the Add or Remove buttons to add a new predicate or remove an existing predicate from a
Classifier.
5. When done, click Next. A Classifier Created Successfully! message panel is displayed.
6. Click Finish to save the new classifier and exit the wizard.
6.1.2 Classification Groups
A Classification Group (CG) is a collection of classifiers, or complex predicates that evaluate network packets
as they are sent to or arrive from wireless devices. In addition to collecting classifiers, the CG declares the
action that is to be taken after a packet is evaluated by a classifier. Specifically, the CG declares whether a
packet that passes the classifier evaluation is accepted (allowed to proceed across the network) or denied
(thrown away).
To see the configuration hierarchy while creating a Network Policy, click Where Am I? at any point. A Where
Am I? Dialog Box, such as Figure 6.5, is displayed.
Figure 6.5 Classification Group Where Am I? Dialog Box
See the following sections for more details on working with Classification Groups:
• Creating a Classification Group on page 6-6
• Modifying a Classification Group on page 6-7
6.1.2.1 Creating a Classification Group
To create a classification group:
1. From the WS5000 Series Switch GUI main window, click Create > Network > Classification Group.
The system launches the Classification Group Wizard.
Figure 6.6 Creating a Classification Group—Naming the Group (and Optionally, Choosing a Template)
2. Enter a name and description for the new classification group, then if desired, select Use an existing
Classification Group as a template.
3. Click Next. A panel for adding classifiers to the group is displayed.
Figure 6.7 Creating a Classification Group—Adding Classifiers
4. Select from among the Available Classifiers and then click the >> button to move to the Selected
pane.
5. Select an action for each Classifier added to the Selected pane.
• allow – For classifiers with an allow action, packets that pass through the Classifier are allowed
to continue and they are marked as being part of the Classification Group (this is important, since
Input and Output Policies filter packets based on Classification Groups).
Packets that do not pass the evaluation are not immediately thrown away. They are allowed or
denied according to the default action defined in the Input or Output Policy that uses this
Classification Group.
• deny – Packets that have this action associated with the Classifier are thrown away. Packets that
do not pass are allowed to continue (with no Classification Group marking).
6. When done, click Next. A Classification Group Created Successfully! message panel is displayed.
7. Click Finish to save the new Classification Group and exit the wizard.
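The conjunction rules for Classifier rows (6.1.1.1, step 4) and the allow/deny actions of a Classification Group, modelled in Python as an added example that is not the switch's own code. It assumes rows are folded strictly left to right, that a criteria value matches by equality, that the first matching Classifier in a group decides, and that groups are checked in order; all names are hypothetical and the packets are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Predicate:
    criteria: str   # a Criteria Type from Table 6.1, e.g. "Protocol"
    value: object   # the value the packet field must equal (simplified match)


def _hit(pred, packet):
    return packet.get(pred.criteria) == pred.value


def classifier_passes(rows, packet):
    """Fold rows left to right: same criteria as the previous row -> OR, else AND."""
    if not rows:
        return False
    result = _hit(rows[0], packet)
    for prev, cur in zip(rows, rows[1:]):
        hit = _hit(cur, packet)
        result = (result or hit) if cur.criteria == prev.criteria else (result and hit)
    return result


def describe(rows):
    """Render the effective expression with the grouping the fold produces."""
    expr = f"{rows[0].criteria}={rows[0].value}"
    for prev, cur in zip(rows, rows[1:]):
        op = "OR" if cur.criteria == prev.criteria else "AND"
        expr = f"({expr} {op} {cur.criteria}={cur.value})"
    return expr


def group_outcome(classifiers, packet):
    """classifiers: list of (rows, action). Returns 'marked', 'dropped' or 'unmarked'."""
    for rows, action in classifiers:
        if classifier_passes(rows, packet):
            # allow + pass -> marked as part of the group; deny + pass -> thrown away
            return "marked" if action == "allow" else "dropped"
    return "unmarked"   # failed every classifier: left to the policy default


def policy_verdict(groups, default_action, packet):
    """groups: ordered list of (name, classifiers). Returns (verdict, deciding group)."""
    for name, classifiers in groups:
        outcome = group_outcome(classifiers, packet)
        if outcome == "dropped":
            return ("deny", name)
        if outcome == "marked":
            return ("allow", name)
    return (default_action, None)   # neither rejected by nor marked by any group


P = Predicate
# Same three rows in two orders; protocol 6 = TCP, 17 = UDP (constructed samples).
WEB_LOOSE = [P("Protocol", 6), P("Dest Port", 80), P("Dest Port", 443)]
WEB_TIGHT = [P("Dest Port", 80), P("Dest Port", 443), P("Protocol", 6)]
TELNET = [P("Protocol", 6), P("Dest Port", 23)]
POLICY = [("web", [(WEB_TIGHT, "allow")]), ("no_telnet", [(TELNET, "deny")])]

if __name__ == "__main__":
    udp_443 = {"Protocol": 17, "Dest Port": 443}
    for rows in (WEB_LOOSE, WEB_TIGHT):
        print(describe(rows), "-> UDP/443 passes:", classifier_passes(rows, udp_443))
    print(policy_verdict(POLICY, "deny", udp_443))
```

With the rows ordered as in WEB_LOOSE the trailing OR admits any packet to port 443 regardless of protocol, which is why row order matters when a Classifier mixes criteria types.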
6.1.2.2 Modifying a Classification Group
To modify an existing Classification Group:
1. From the WS5000 Series Switch GUI main window, click Modify > Network > Classification Group.
The system launches the Classification Group Manager.
Figure 6.8 Classification Group Manager
2. This panel lists all available Classification Groups configured on the system. Table 6.2 describes the
fields and options within this panel. To edit a classification group, select its name in the left pane
first.
Table 6.2 Classification Group Manager Fields and Controls
Field or Control | Description
Name | Name of the selected classification group.
Description | Description of the selected classification group, if available.
Tree View | This expandable tree lists the classification group selected as well as the classifiers that make up that group.
Properties | Displays a list of classifiers within the classification group. Clicking Properties with a classifier selected launches a new panel displaying the rules for the selected classifier.
Create | Launches the Classification Group Wizard to create a new classification group. See Creating a Classification Group on page 6-6 for more details.
Delete | Removes the selected classification group from the system. A dialog appears to confirm this action.
Edit | Opens a variation of the Classification Group Wizard, for editing it in the same fashion that it was created. See Creating a Classification Group on page 6-6 for more details.
Close | Closes the Classification Group Manager without saving any changes.
3. When done, click Next. A Classification Group Updated Successfully! message panel is displayed.
4. Click Finish to save the updated Classification Group and exit the wizard.
5. Click Close in the Classification Group Manager panel.
6.1.3 Creating a Network Input Policy
Network Input Policies define incoming packet filters used with Network Policies. To create a Network Input
Policy:
1. From the WS5000 Series Switch GUI main window, select Create > Network > Input Policy. The
system launches New Input Policy Wizard.
Figure 6.9 Creating a Network Input Policy—Naming the Policy (and Optionally, Choosing a Template)
2. Enter a name and description for the new Input Policy, then if desired, select Use an existing Input
Policy as a template.
3. Click Next. A panel for adding Classification Groups to the Input Policy is displayed.
Figure 6.10 Creating a Network Input Policy—Adding Classification Groups
4. Select from among the Available Classifier Groups and then click the >> button to move a group(s) to
the Selected pane, and to apply it to the Input Policy.
To create a new Classification Group, click Create. See Creating a Classification Group on page 6-6 for
more details.
5. Click Next. A panel for applying prioritization actions to each chosen classification group is displayed.
Figure 6.11 Creating a Network Input Policy—Applying Prioritization to Chosen Classification Group
Table 6.3 describes the Input Policy classification group prioritization and IP redirection options.
IMPORTANT! IP REDIRECTION ONLY APPLIES TO PACKETS THAT HAVE AN
ETHERTYPE=2048, PROTOCOL=TCP, AND A DESTINATION PORT=[21, 23, 80].
REDIRECTION TO A WEB PAGE ONLY WORKS FOR DESTINATION PORT=80.
Table 6.3 Input Policy Classification Group Prioritization and IP Redirection Options
Parameter or Control | Description
Classification Group Tree | The tree on the left shows the Classification Groups (CG) added to the Input Policy. Select a group before modifying the actions and packet prioritization associated with a group.
Default Action Is... | Sets the action performed on all packets that are neither rejected by nor marked as being part of a CG. Packets can either be allowed to continue along the network, or be denied (and thus, thrown away).
Packet Marking Tab | Set the ToS (Type of Service) bits and set the Tx Priority packet as Data or Voice (voice gets higher priority than data). To enable these markings, check the Enable box.
IP Redirection Tab | The IP Redirection feature allows packets to be redirected to a hard-coded destination, such as an IP address (Enter the New IP Address...) or as the path to a Web page (Enter the New Path...). To enable IP Redirection, check the Enable box (until the box is checked, the input fields are disabled).
6. When done, click Next. An Input Policy Created Successfully! message panel is displayed.
7. Click Finish to save the new Input Policy and exit the wizard.
6.1.4 Creating a Network Output Policy
To create a network output policy:
1. From the WS5000 Series Switch GUI main window, select Create > Network > Output Policy. The
system launches Create a New Output Policy Wizard.
Figure 6.12 Creating a Network Output Policy—Naming the Policy (and Optionally, Choosing a Template)
2. Enter a name and description for the new Output Policy, then if desired, select Use an existing Output
Policy as a template.
3. Click Next. A panel for adding Classification Groups to the Output Policy is displayed.
Figure 6.13 Creating a Network Output Policy—Adding Classification Groups
4. Select from among the Available Classifier Groups and then click the >> button to move a group(s) to
the Selected pane, and to apply it to the Output Policy.
To create a new Classification Group, click Create. See Creating a Classification Group on page 6-6 for
more details.
5. Click Next. A panel for applying prioritization actions to each chosen classification group is displayed.
Figure 6.14 Creating a Network Output Policy—Applying Prioritization Actions to Chosen Classification
Group
Table 6.4 describes the Output Policy classification group prioritization and weighted fair queuing
options that can be set.
Table 6.4 Output Policy Classification Group Prioritization and WFQ Options
Parameter or Control | Description
Classification Group Tree | The tree on the left shows the Classification Groups (CG) added to the Input Policy. Select a group before modifying the actions and packet prioritization associated with a group.
Default Action Is... | Sets the action performed on all packets that are neither rejected by nor marked as being part of a CG. Packets can either be allowed to continue along the network, or be denied (and thus, thrown away).
Packet Marking Tab | Set the ToS (Type of Service) bits and set the Tx Priority packet as Data or Voice (voice gets higher priority than data). To enable these markings, check the Enable box.
WFQ | Weighted Fair Queuing. Assign a percentage of available bandwidth to the classification group’s packets. To enable WFQ, check the Enable box.
This is where you implement QoS (Quality of Service). For more details, refer to 1.3.4.3 Weighted Fair
Queuing (WFQ) on page 11.
6. When done, click Next. An Output Policy Created Successfully! message panel is displayed.
7. Click Finish to save the new Output Policy and exit the wizard.
6.1.5 Creating a Network Policy
To create a network policy:
1. From the WS5000 Series Switch GUI main window, select Create > Network > New Policy. The
system launches Create a New Network Policy Wizard
Figure 6.15 Creating a Network Policy—Naming the Policy (and Optionally, Choosing a Template)
2. Enter a name and description for the new Network Policy, then if desired, select Use an existing
Network Policy as a template.
Note Currently, the interface type is always “Access Port”. That said, the Input
Policy evaluation is performed by the switch before it sends a packet (received from
a wireless device).
3. Click Next. A panel for selecting an Input Policy is displayed.
Input Policies define how to filter incoming packets. Select an Input Policy, or to create a new Input
Policy, click Create... See Creating a Network Input Policy on page 6-9 for more details.
Figure 6.16 Creating a Network Policy—Selecting an Input Policy
4. When done, click Next. A panel for selecting an Output Policy is displayed.
Output Policies define how to filter outgoing packets. Select an Output Policy, or to create a new Output
Policy, click Create... See Creating a Network Output Policy on page 6-11 for more details.
Figure 6.17 Creating a Network Policy—Selecting an Output Policy
5. When done, click Next. A Network Policy Created Successfully! message panel is displayed.
6. Click Finish to save the new Network Policy and exit the wizard.
6.1.5.1 Configuring the Switch from the Default Configuration (Example)
All of the steps below assume that the user is logged in to the WS5100/WS5000 series switch via the console
interface. The GUI may also be used (instructions are included later in this document).
1. Create a Spectralink Phone classifier (from the prompt WS5000.(Cfg)>)
a. WS5000.(Cfg)> ce
Configuring Policies
If “Spectra_Link_Phone” is not present it needs to be created.
b. WS5000.(Cfg).CE> add Spectralink_Phone
c.
WS5000.(Cfg).CE> addmc protocol 119
2. Create a Classification Group (from the prompt WS5000.(Cfg)>)
a. WS5000.(Cfg)> cg
If “Spectralink_Group” is not present it needs to be created.
b. WS5000.(Cfg).CG> add SpectralinkGroup
c.
WS5000.(Cfg).CG.[SpectralinkGroup]> set addce Spectralink_Phone
3. Create an Output Policy (from the prompt WS5000.(Cfg)>)
a. WS5000.(Cfg)> po
If “Spectralink Output Policy” is not present it needs to be created.
b. WS5000.(Cfg).PO> add SpectraLinkOutput 1
c.
WS5000.(Cfg).PO.[SpectraLinkOutput]> set addcg SpectralinkGroup
d. WS5000.(Cfg).PO.[SpectraLinkOutput]> set cgtxprofile voice SpectralinkGroup
e. WS5000.(Cfg).PO.[SpectraLinkOutput]> set cgpktmod tos enable Spectralink_Group
f.
WS5000.(Cfg).PO.[SpectraLinkOutput]> set cgwfq 70 Spectralink_Group
4. Create a Network Policy (from the prompt WS5000.(Cfg)>)
a. WS5000.(Cfg)> np
b. WS5000.(Cfg).NP> add SpectralinkNetwork
c.
WS5000.(Cfg).NP.[SpectralinkNetwork]> set outboundpolicy SpectralinkOutput
5. Create a Security Policy (from the prompt WS5000.(Cfg)>)
a. WS5000.(Cfg)> security
b. WS5000.(Cfg).SecurityPolicy> add WPA2
c.
WS5000.(Cfg).SecurityPolicy.[WPA2]> set encryption ccmp enable
Note This command is followed by prompts to enter the type of authentication (EAP
vs. Pre-Shared Key) and information about the key. NetLink Wireless Telephones only
support Pre-Shared Key (PSK) for WPA and WPA2 security.
6. Create a WLAN Policy (from the prompt WS5000.(Cfg)>)
a. WS5000.(Cfg)> wlan
b. WS5000.(Cfg).WLAN> add SpectralinkWLAN <essid>
c.
WS5000.(Cfg).WLAN.[SpectralinkWLAN]> set security WPA2
7. Create an AP Policy (from the prompt WS5000.(Cfg)>)
a. WS5000.(Cfg)> appolicy
b. WS5000.(Cfg).APPolicy> add SpectralinkAP
c.
WS5000.(Cfg).APPolicy.[SpectralinkAP]> set supportedrates B none
d. WS5000.(Cfg).APPolicy.[SpectralinkAP]> set basicrates B 1,2,5.5,11
6-15
6-16
WS5000 Series Switch System Reference Guide
e. WS5000.(Cfg).APPolicy.[SpectralinkAP]> set dtim 3
f.
WS5000.(Cfg).APPolicy.[SpectralinkAP]> add SpectralinkWLAN
g. WS5000.(Cfg).APPolicy.[SpectralinkAP]> set np SpectralinkNetwork SpectralinkWLAN
8. Create an Ethernet Policy
a. WS5000.(Cfg)> etherpolicy
b. WS5000.(Cfg).EtherPolicy> add SpectralinkEthernet
9. Create a Switch Policy
a. WS5000.(Cfg)> switch
b. WS5000.(Cfg).SPolicy> add SpectralinkSwitch
c.
WS5000.(Cfg).SPolicy.[SpectralinkSwitch]> set channel 36 a
d. WS5000.(Cfg).SPolicy.[SpectralinkSwitch]> set channel 1 B
e. WS5000.(Cfg).SPolicy.[SpectralinkSwitch]> set channel 1 G
f.
WS5000.(Cfg).SPolicy.[SpectralinkSwitch]> set etherpolicy SpectralinkEthernet
g. WS5000.(Cfg).SPolicy.[SpectralinkSwitch]> set appolicy SpectralinkAP
h. WS5000.(Cfg).SPolicy.[SpectralinkSwitch]> set countrycode US
i.
WS5000.(Cfg).SPolicy.[SpectralinkSwitch]> end
j.
WS5000.(Cfg).SPolicy> end
k.
WS5000.(Cfg)> set switchpolicy SpectralinkSwitch
10. Configure the Ethernet Ports
a. WS5000.(Cfg)> ethernet
b. WS5000.(Cfg).Ethernet> 1
c. WS5000.(Cfg).Ethernet.[1]> ipaddress 1.1.1.1 255.255.255.0
d. WS5000.(Cfg).Ethernet.[1]> end
e. WS5000.(Cfg).Ethernet> 2
f. WS5000.(Cfg).Ethernet.[2]> ipaddress dhcp disable
g. WS5000.(Cfg).Ethernet.[2]> ipaddress 10.3.0.47 255.0.0.0
11. Configure an Access Port
a. WS5000.(Cfg)> accessport
Access Ports          Radio MAC
--------------------- ---------
00:A0:F8:CD:EE:54 [G] 00:A0:F8:C0:38:8C
00:A0:F8:CD:EE:54 [A] 00:A0:F8:C0:44:BC
00:A0:F8:CD:EE:4D [G] 00:A0:F8:C0:38:60
00:A0:F8:CD:EE:4D [A] 00:A0:F8:CD:DA:BC
No. of Active Access Ports/Radios: 0/0
Device MAC        Type Status
-------------- -------
00:A0:F8:CD:EE:54 G    Unavailable
00:A0:F8:CD:EE:54 A    Unavailable
00:A0:F8:CD:EE:4D G    Unavailable
00:A0:F8:CD:EE:4D A    Unavailable
b. WS5000.(Cfg).APort> port "00:A0:F8:CD:EE:54 [G]"
c. WS5000.(Cfg).APort.[00:A0:F8:CD:EE:54 [G]]> set policy SpectralinkAP
d. WS5000.(Cfg).APort.[00:A0:F8:CD:EE:54 [G]]> set name Channel3_388c
e. WS5000.(Cfg).APort.[Channel3_388c]> set channel 3
12. Save the Configuration
a. WS5000.(Cfg)> end
b. WS5000> save config example.cfg
6.1.5.2 GUI Configuration to set up a switch (EXAMPLE)
1. Log onto the switch with the proper User ID and Password.
Figure 6.18 Configuring Ethernet 2 as a trunk port
2. Highlight Ethernet 2, check the 802.1q Trunk, select the Primary VLAN then click Apply.
Note: The Primary VLAN is dictated by the connecting wired switch's port settings.
In this example the connected port's native VLAN is 4. The Primary VLAN will vary
based on your installation.
3. Click OK in the Ethernet Port settings change confirmation dialog box.
Figure 6.19 Ethernet port configured as a trunk before log off
4. Log out of the switch to reflect the trunk port settings.
5. Click OK to log out.
6. Completely close your browser.
7. Log back into the switch.
Figure 6.20 Ethernet 2 configuration screen
8. Click on the VLAN Discovery button.
Figure 6.21 VLAN Discovery prior to Discovery
9. Click the Discover button.
10. Click Close.
Figure 6.22 WS5000 ready to create the Wireless Switch policy
Figure 6.23 Creating the Wireless Switch policy
11. Click Create, Wireless Switch, New Policy.
Figure 6.24 Naming the Wireless Switch Policy
12. Name the Wireless Switch Policy.
Figure 6.25 Create the Ethernet Port Policy
13. Click Create.
Figure 6.26 Name the Ethernet Port Policy
14. Name the Ethernet Port Policy and click Next.
Figure 6.27 Establishing VLAN to WLAN mappings
15. Click VLAN Discovery.
Figure 6.28 VLAN Discovery applet
16. Click Discover.
17. Click Continue.
Figure 6.29 Ethernet Port policy, continued
18. Click Next.
Figure 6.30 Ethernet Port Policy Wizard Creating the WLAN
19. Click Create WLAN.
Figure 6.31 WLAN Manager
20. Click Create.
Figure 6.32 WLAN Wizard
21. Name the WLAN and click Next.
Figure 6.33 Adding an ESSID to a WLAN
22. Give the WLAN an ESSID and click Next.
Figure 6.34 WLAN Wizard initiating the creation of the Security policy to be used
23. Click on Create.
Figure 6.35 Naming the Security Policy
24. Name the Security Policy; choose the encryption method that meets your organization's security
requirements and click Next.
Figure 6.36 Encryption manager selecting PSK
25. Check the appropriate Key Management and click Next.
Figure 6.37 Adding the Pre-Shared Key
26. Add the appropriate Hexadecimal value.
27. Click Finish.
Figure 6.38 Selecting the newly created Security Policy
28. Click the down arrow next to the Security Policy; select the newly created Security Policy and click
Next.
29. Click Finish.
Figure 6.39 Finished Creating the WLAN
30. Click Close.
Figure 6.40 Mapping the newly created WLAN to the wired VLAN
31. Click the down arrow for NIC 2; select the newly created WLAN and click Next.
32. Click Finish.
33. Click OK in Ethernet Policy completion information dialog box.
Figure 6.41 Adding the newly created Ethernet Port Policy to the Wireless Switch Policy
34. Click on the down-arrow next to the Ethernet Port Policy; select and click the newly created Ethernet
Port Policy; click Next.
Figure 6.42 Creating the Access Port Policy
35. Click Create.
Figure 6.43 Naming the Access Port Policy
36. Name the Access Port Policy; click Next.
Figure 6.44 Adding the newly created WLAN to the Access Port Policy
37. Select the newly created WLAN; click >>.
38. Click Next.
Figure 6.45 Mapping ESSIDs to WLANS
39. Assign the newly created WLAN its own ESSID; click Next.
Figure 6.46 Adding a Network Policy to the SpectralinkWLAN
40. Click the down-arrow next to the Spectralink WLAN; highlight and click the Spectralink Network
Policy; click Next.
Figure 6.47 Assigning bandwidth to the SpectralinkWLAN
41. Click the AP300a,300g,200b,4121,4131 tab; allocate 70 percent bandwidth to the SpectralinkWLAN;
click Next.
Figure 6.48 AP 300 settings
42. Click the 802.11g tab, change the DTIM to 3; leave the 1, 2, 5.5, 11 rates at Basic and others at
Supported; Beacon and RTS should be left at the defaults of 100 and 2347 respectively; click Next.
43. Click Finish.
Figure 6.49 Adding the newly created Access Port Policy to the Wireless Switch Policy
44. Highlight the newly created Access Port Policy; click >>.
Figure 6.50 Finishing adding the Access Port Policy to the Wireless Switch Policy
45. Click Next.
Figure 6.51 Wireless Switch adoption list allow
46. Click Next.
Figure 6.52 Wireless Switch adoption list disallow
47. Click Next.
Figure 6.53 Default Access Port Policy that will be adopted by unknown access ports
48. Click Next.
Figure 6.54 Wireless Switch Policy
49. Click Finish.
Figure 6.55 Activating the newly created Wireless Switch Policy
50. Click the down-arrow next to Policy Name; highlight and click the newly created Wireless Switch
Policy; click Apply.
51. Click OK in the Wireless Switch Policy activation warning.
52. Click OK in the Wireless Switch Policy activation confirmation dialog box.
Figure 6.56 Finished
At this point the access ports connected should now adopt.
6.1.6 Modifying a Network Policy
To modify an existing network policy:
1. From the WS5000 Series Switch GUI main window, select Modify > Network > Existing Policy. The
system launches the Network Policy Manager.
Figure 6.57 Modifying an Existing Network Policy—Network Policy Manager
2. This panel lists all available Network Policies configured on the system. Table 6.5 describes the fields
and options within this panel. To edit a policy, select the policy name in the left pane first.
Table 6.5 Network Policy Manager Fields and Controls
| Field or Control | Description |
|---|---|
| Name | Name of the selected Network Policy. |
| Description | Description of the selected Network Policy, if available. |
| Input Policy | Tree view of the Classification Groups and Classifiers in the Input policy for the selected Network Policy. |
| Output Policy | Tree view of the Classification Groups and Classifiers in the Output policy for the selected Network Policy. |
| Properties | Displays information about the selected Input Policy, Output Policy, Classification Group or Classifier, depending on what is selected/highlighted in the tree. |
| Create | Launches the Network Policy Wizard to create a new Network Policy. See Creating a Network Policy on page 6-13 for more details. |
| Delete | Removes the selected policy from the system. A dialogue appears to confirm this action. |
| Edit | Opens a variation of the Network Policy Wizard, for editing it in the same fashion that it was created. See Creating a Network Policy on page 6-13 for more details. |
| Close | Closes the Network Policy Manager without saving any changes. |

3. When done, click Next. A Network Policy Updated Successfully! message panel is displayed.
4. Click Finish to save the updated Network Policy and exit the wizard.
5. Click Close in the Network Policy Manager panel.
6.2 Switch Policies
A Switch Policy acts as a container for many other policies, and contains an “adoption list” that controls the
types of access ports (APs) that can be adopted. Therefore, to be logical, the other policies and related
components—Security Policy, ACL List(s), WLANs, Ethernet Policy, and Access Port Policy—should be created
prior to creating the Switch Policy. (However, this is not mandatory. The Switch Policy Wizard allows the
administrator to create the “other” policies along the way, as well, if desired.)
To see the configuration hierarchy while creating a Wireless Switch Policy, click Where Am I? at any point.
A Where Am I? Dialog Box, such as Figure 6.58, is displayed.
Figure 6.58 Wireless Switch Policy Where Am I? Dialog Box
See the following sections for more details on working with Switch Policies and related components that
comprise a Switch Policy:
• Security Policies on page 6-39
• Access Control Lists on page 6-47
• WLANs on page 6-50
• Ethernet Port Policies on page 6-55
• Setting the Country on page 6-66
• Creating a Switch Policy on page 6-66
• Defining/Activating an Emergency Switch Policy on page 6-71
6.2.1 Security Policies
A Security Policy defines the authentication and encryption methods used to secure communication between
the WS5000 Series switch, through its APs, and on to the mobile units. Each WLAN can have a different
security policy associated with it.
You can enable VPN authentication in the security policy only by using the CLI.
To see the configuration hierarchy while creating a Security Policy, click Where Am I? at any point. A Where
Am I? Dialog Box, such as Figure 6.59, is displayed.
Figure 6.59 Security Policy Where Am I? Dialog Box
6.2.1.1 Creating a Security Policy
To create a security policy:
1. From the WS5000 Series Switch GUI main window, select Create > Access Port > Security Policy.
The Security Policy Wizard appears.
Figure 6.60 Creating a Security Policy—Naming the Policy and Specifying an Encryption Type
2. Enter a name and description for the new Security Policy.
3. Select one or more encryption methods for the Security Policy. The following are encryption options:
• None – No encryption. Any mobile unit that is set to “open” authentication is allowed to associate
with the system unless the adoption list specifically excludes it.
• WEP – 802.11 Wired Equivalent Privacy encryption. If using PSK, WEP must be configured by
choosing 40- or 128-bit encryption and supplying four keys.
• Keyguard MCM – KeyGuard encryption for TKIP (Temporal Key Integrity Protocol). This mode is only
supported by Symbol mobile devices. KeyGuard requires a 128-bit WEP key.
• TKIP – WPA1/WPA2 dynamic encryption. Wi-Fi Protected Access with Temporal Key Integrity
Protocol. If using PSK, an ASCII or hexadecimal value is required to configure TKIP.
• AES CCMP – WPA2 dynamic encryption. If using PSK, an ASCII or hexadecimal value is required to
complete configuration.
4. Click Next. A panel for specifying authentication/key management methods is displayed.
Figure 6.61 Creating a Security Policy—Authentication/Key Management Methods
5. Select one or more authentication/key management methods to apply to the Security Policy, as described
in Table 6.6.
Table 6.6 Authentication/Key Management Method Settings
| Setting | Description |
|---|---|
| Manually Pre-Shared Key | If you use Pre-shared Key (PSK) authentication, the same key is used for authentication and encryption. The format and configuration of the key is set in the Configure panel of the selected encryption method. |
| Kerberos | Uses a Kerberos server for mobile unit authentication. You can specify an external server or the switch's on-board server. To use the on-board server, you must first configure the switch to be a Kerberos Master by visiting System Settings > Kerberos > Configuration > KDC. Kerberos only supports KeyGuard and WEP encryption. To configure the Kerberos settings used by this policy, click the Configure button. |
| 802.1x EAP | Specifies 802.1x EAP authentication using an external Remote Authentication Dial-In User Service (Radius) server. The Radius server must be accessible to the switch. To configure the EAP settings used by this policy, click the Configure button. |
| Broadcast Key Rotation | EAP authentication provides dynamic unicast WEP keys for client devices but uses static broadcast, or multicast, keys. When broadcast WEP key rotation is enabled, the access point provides a dynamic broadcast WEP key and changes it at the specified interval. The default interval is 600 seconds. |
6. When done, click Next. The subsequent panels change depending on the Encryption and Authentication
settings specified. These panels, and how to configure their settings and controls, are described in:
• Kerberos Authentication Settings on page 6-42
• WEP Encryption Settings on page 6-43
• EAP Authentication Settings on page 6-44
Figure 6.62 Kerberos Authentication Settings
The Kerberos Authentication Settings panel is where Kerberos KDC (Key Distribution Center) servers
and realm are specified for the Security Policy, as described in Table 6.7.
Table 6.7 Kerberos Authentication Settings
| Setting | Description |
|---|---|
| Primary/Backup/Remote KDC Address and Port | The three KDC text fields require fully-qualified domain names or IP addresses of the Primary KDC, and optionally, the Backup KDC, and Remote KDC servers. The three servers should actually be thought of as "primary," "first backup," and "second backup." If the Primary KDC fails, the system looks for the Backup KDC. If the backup fails, it looks for the (nominal) Remote KDC. Thus, for example, the Primary KDC can be a remote server, the Backup KDC can be the on-board KDC of the Primary Switch ("Primary" in the failover mode sense), and the Remote KDC can be the Standby Switch (again, in the failover sense). If using the switch's on-board Kerberos server, specify the actual IP address of NIC1 or NIC2, depending on which one you want to use. Note: A properly-formed, fully-qualified domain name or IP address is required. The panel does not perform validation checking. |
| KDC Ports | Typically, 88 (default value). |
| Realm Name | In addition to a Primary KDC server, a Kerberos Realm Name is required. The Realm Name value should be all upper-case (since it is usually also the DNS domain). Note: A properly formed, fully-qualified realm name is required. The panel does not perform validation checking. |
| Saving the Settings | To save settings, click the Save button. The button is disabled until a Primary KDC server and a Realm Name value are entered. |

Warning! A WS5000 model switch cannot be configured as a standby for a WS5100 model switch.
Figure 6.63 WEP Encryption Settings
Note NIC must have DNS name configured.
The WEP Encryption Settings panel is where four pre-shared, manually fixed WEP keys are defined for
the Security Policy, as described in Table 6.8.
Table 6.8 WEP Encryption Setting Descriptions
| Setting | Description |
|---|---|
| Key Size | To set the key size, choose the 40 bit Key or 128 bit Key radio button in the Key Size box. If you're using KeyGuard, the key size is automatically set to 128 bits. |
| Key Values | There are three ways to define your WEP key values: (1) Generate a key from a plain text password (or "pass key"). Enter the pass key in the Pass Key field, select the key you want to generate by clicking a radio button next to one of the Key #N fields, and then click the Generate button. A valid pass key value is 1 to 20 ASCII characters in length. (2) Define the keys by typing ASCII values into each of the Key #N slots. For 40-bit keys use 5-character ASCII values; for 128-bit keys use 10-character values. (3) Type hexadecimal values into the Key #N slots. Use 12 hex characters for 40-bit keys and 26 hex characters for 128-bit keys. |
| Reset Keys | This button resets the four keys to their factory-default values. |
| Key Use | To indicate the key to be used, click the radio button to the left of its Key #N slot. |
The EAP (Radius) Authentication Settings panel lets you identify the Radius server and set the switch-side
parameters used during Radius authentication. The Radius server can be of two types:
• Remote Radius server
• On-board Radius server
Figure 6.64 EAP Authentication Settings
If the Radius server is remote, it cannot be completely configured through the tools provided by the
wireless switch. This association remains unused unless the Radius server also adds the switch as a
client.
If an on-board Radius server is used, the switch should be added as a client. The IP address and
shared secret should be set as configurable. Refer to Configuring Clients for more details.
Table 6.9 describes the EAP authentication settings and Radius identification settings to be configured.
Table 6.9 EAP Authentication Settings and Radius Identification Settings
| Setting | Description |
|---|---|
| Authentication Settings | |
| Pre-authentication | When enabled, pre-authentication (or “fast-associate in advance”) lets an access port send a mobile unit's authentication credentials (from a previous Radius authentication attempt) to the “next” access port. This feature enhances fast roaming between APs. |
| Opportunistic PMK Caching | When enabled, Pairwise Master Key (PMK) Caching tells the access ports to cache the mobile unit's credentials as they (the MUs) are authenticated. If the MU roams away from that AP and then back again, the MU doesn't have to re-authenticate. |
| Reauthentication Period | Specifies the time interval, in seconds, after which mobile units are forced to reauthenticate with the Radius server. Valid values are in the range [30, 65535] seconds; the default is 3600 seconds (1 hour). To edit the Reauthentication value, click the corresponding checkbox. |
| Max Retries | Specifies the number of times a mobile unit can try to authenticate during the reauthentication phase. Valid values are in the range [1, 99]; the default is 5 attempts. A value of 1 means if the first reauthentication attempt fails, the mobile unit will not be allowed to (re)associate with the switch. |
| Radius Server Identification | |
| Radius Server Name/IP | Specify the IP addresses or fully-qualified domain names of the servers. |
| Radius Port | Radius UDP authentication port. This is the port number, in the range [1, 65535], that the wireless switch uses to send requests to the Radius server. The default is 1812. |
| Radius Shared Secret | Specify the key used to encrypt communication between the wireless switch and the Radius server(s). The secret that you supply here must match the secret that was specified when the wireless switch was added as a client of the Radius server. You have to add the switch to the Radius server using tools that are provided by the Radius server itself. In other words, the switch can't “push” itself onto the server, the server must “pull” the switch into its client corral. |
| Advanced Settings | (In general, default settings are acceptable. Only experienced Radius users should modify these values.) |
| Quiet Period | Specifies how long the switch waits, in seconds, between (failed) attempts to authenticate an MU. |
| Supplicant Timeout | Specifies how long the switch waits, in seconds, for an authenticated-but-recently-dissociated MU to respond to a re-associate request. When the supplicant timeout expires, the MU will need to re-authenticate before re-associating. |
| Tx Period | Specifies how long the switch waits, in seconds, for an MU to respond to a "request identity" message. After the Tx period expires, the switch sends another "request identity" to the MU. When the MU responds to the message, the authentication process begins. |
| Max Retries | If the reauthentication period is enabled, this value specifies the number of times the switch will try to re-authenticate an MU that doesn't respond to the “request identity” message. |
| Saving the Settings | |
| Save | To save your settings, click the Save button. The button is disabled until you provide Radius Server Name/IP, Radius Port, and Radius Shared Secret values. |
7. When done, click Next. A Security Policy Created Successfully! message panel is displayed.
8. Click Finish to save the new Security Policy and exit the wizard.
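Because the Kerberos Authentication Settings panel (Table 6.7) does not validate what is typed into it, the values can be checked before they are entered. The following Python sketch is an added example, not part of the guide or of the switch software; the function names are hypothetical, the sample host names and realm are constructed, and accepting IPv4 only and flagging a KDC repeated in two slots are assumptions.

```python
import ipaddress
import re

# One DNS label: 1-63 letters, digits or hyphens, no leading/trailing hyphen.
LABEL_RE = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def is_ipv4(value):
    """True if value is a dotted-quad IPv4 address (assumption: no IPv6)."""
    try:
        ipaddress.IPv4Address(value)
        return True
    except ValueError:
        return False


def is_fqdn(value):
    """True if value is a well-formed name with at least two labels."""
    name = value[:-1] if value.endswith(".") else value
    if not name or len(name) > 253:
        return False
    labels = name.split(".")
    if len(labels) < 2:
        return False
    # An all-numeric last label means a mistyped IP address, not a name.
    if labels[-1].isdigit():
        return False
    return all(LABEL_RE.fullmatch(label) for label in labels)


def validate_kerberos(primary, realm, backup=None, remote=None, port=88):
    """Check the Table 6.7 fields.

    Returns (failover_order, problems): the usable KDCs in the order the
    switch tries them (Primary, Backup, Remote) and a list of findings.
    """
    problems = []
    if not primary:
        problems.append("Primary KDC is required (Save stays disabled)")
    if not realm:
        problems.append("Realm Name is required (Save stays disabled)")

    order, seen = [], {}
    slots = (("Primary KDC", primary), ("Backup KDC", backup),
             ("Remote KDC", remote))
    for label, value in slots:
        if not value:
            continue
        if not (is_ipv4(value) or is_fqdn(value)):
            problems.append(f"{label}: {value!r} is neither an IPv4 address "
                            "nor a fully-qualified domain name")
            continue
        key = value.lower().rstrip(".")
        if key in seen:
            # Extra check (assumption): a repeated server adds no failover.
            problems.append(f"{label} repeats {seen[key]}")
            continue
        seen[key] = label
        order.append(value)

    if not isinstance(port, int) or not 1 <= port <= 65535:
        problems.append(f"KDC port {port!r} is outside 1-65535")

    if realm:
        if realm != realm.upper():
            problems.append("Realm Name should be all upper-case")
        if not is_fqdn(realm):
            problems.append(f"Realm Name {realm!r} is not fully qualified")
    return order, problems


if __name__ == "__main__":
    # Constructed sample values.
    print(validate_kerberos("kdc1.example.com", "EXAMPLE.COM",
                            backup="10.3.0.47", remote="10.3.0.48"))
    print(validate_kerberos("10.1.1.300", "example.com", backup="kdc1"))
```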
6.2.2 Access Control Lists
Use the switch Access Control List (ACL) to specify which mobile units can or cannot gain access to the WLAN.
The ACL employs an adoption rule for allowing or denying specific mobile units by way of exception. By default,
all mobile units can gain access.
The ACL contains MAC addresses for MUs allowed to associate with the switch. This provides security by
preventing unauthorized access. Additionally, the switch uses a disallowed address list of MAC addresses to
prevent the switch from communicating with specified destinations.
To see the configuration hierarchy while creating an Access Control List, click Where Am I? at any point. A
Where Am I? Dialog Box (such as Figure 6.65) displays.
Figure 6.65 ACL Where Am I? Dialog Box
See the following sections for more details on working with switch ACLs:
• Creating an Access Control List on page 6-48
• Modifying an Access Control List on page 6-49
6.2.2.1 Creating an Access Control List
To create an access control list:
1. From the main window, select Create > Access Port > Access Control List. The system launches the
Access Control List Wizard.
Figure 6.66 Creating an Access Control List—Naming the ACL (and Optionally, Choosing a Template)
2. Enter a name and default action (allow or deny) for the new ACL, then if desired, select Use an existing
Access Control List as a template.
3. Click Next. A panel for configuring the ACL rules is displayed. An ACL rule consists of a MAC address
range, and an action (either allow or deny). When an MU is discovered, its MAC address is compared to
the defined ACL rules, as follows:
• If the MU is in an “allow” rule, the MU is allowed to associate.
• If the MU is in a “deny” rule, it's not allowed to associate.
• If the MU is in neither rule, the default action applies.
Figure 6.67 Creating an ACL—Defining ACL Rules
Configure the ACL rules per the control options described in Table 6.10.
Table 6.10 Creating an ACL—Control Options within Rule Configuration Panel
| Control | Description |
|---|---|
| Add... | To add a new rule, click the Add... button. In the panel that appears, fill in the start MAC, end MAC, and action (type). |
| Delete and Edit... | The Delete and Edit... buttons work on the currently selected rule to remove or edit a rule, respectively. |
| Upload... | ACL rules can be defined in a text file, and then uploaded to the switch using the Upload button. The ACL file format contains one rule per line. The rule must follow this format: action StartMac EndMac. action is either add (allow) or delete (deny). StartMac and EndMac are normal six-duplet, colon-separated MAC addresses. To specify a specific MU, exclude the end MAC. |
| Search... | To look for a specific MAC address among the rules defined, click Search... and enter the address in the panel that appears (and click Find in the new panel). If the MAC is affected by a rule, that rule is selected in the rule list. |
4. When done, click Next. An Access Control List Rule Created Successfully! message panel is
displayed.
5. Click Finish to save the new Access Control List and exit the wizard.
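An ACL rule file can be checked before it is uploaded. The following Python sketch is an added example, not part of the guide or of the switch software: it parses the one-rule-per-line format described in Table 6.10 (action, StartMac, optional EndMac), reports malformed lines and allow/deny ranges that overlap, and evaluates a MAC address against the rules with the default action as fallback, as in step 3. The function names and the sample file are constructed; skipping blank lines and reporting a MAC matched by both an allow and a deny rule as "ambiguous" are assumptions, since the guide defines neither.

```python
import re
from typing import NamedTuple

# Keywords from Table 6.10: "add" means allow, "delete" means deny.
ACTIONS = {"add": "allow", "delete": "deny"}
MAC_RE = re.compile(r"[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5}")


class Rule(NamedTuple):
    line_no: int
    action: str  # "allow" or "deny"
    start: int   # first MAC of the range, as an integer
    end: int     # last MAC of the range (equals start for a single MU)


def mac_to_int(mac):
    """Convert a colon-separated MAC address to an integer."""
    if not MAC_RE.fullmatch(mac):
        raise ValueError(f"malformed MAC address {mac!r}")
    return int(mac.replace(":", ""), 16)


def parse_acl(text):
    """Return (rules, errors); errors are (line_no, message) tuples."""
    rules, errors = [], []
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split()
        if not fields:
            continue  # assumption: blank lines are ignored
        if len(fields) not in (2, 3):
            errors.append((line_no, "expected: action StartMac [EndMac]"))
            continue
        action = ACTIONS.get(fields[0])
        if action is None:
            errors.append((line_no, f"unknown action {fields[0]!r}"))
            continue
        try:
            start = mac_to_int(fields[1])
            # A rule without EndMac covers exactly one mobile unit.
            end = mac_to_int(fields[2]) if len(fields) == 3 else start
        except ValueError as exc:
            errors.append((line_no, str(exc)))
            continue
        if end < start:
            errors.append((line_no, "EndMac is lower than StartMac"))
            continue
        rules.append(Rule(line_no, action, start, end))
    return rules, errors


def find_conflicts(rules):
    """Line-number pairs whose ranges overlap but whose actions differ."""
    conflicts = []
    for i, a in enumerate(rules):
        for b in rules[i + 1:]:
            overlap = a.start <= b.end and b.start <= a.end
            if overlap and a.action != b.action:
                conflicts.append((a.line_no, b.line_no))
    return conflicts


def decide(rules, mac, default_action):
    """Apply step 3: allow rule, deny rule, otherwise the default action."""
    addr = mac_to_int(mac)
    actions = {r.action for r in rules if r.start <= addr <= r.end}
    if not actions:
        return default_action
    if len(actions) == 1:
        return actions.pop()
    return "ambiguous"  # matched by both an allow and a deny rule


# Constructed sample file: lines 4-6 are deliberately broken.
SAMPLE_ACL = """\
add 00:A0:F8:00:00:00 00:A0:F8:FF:FF:FF
delete 00:A0:F8:CD:EE:00 00:A0:F8:CD:EE:FF
add 00:11:22:33:44:55
permit 00:11:22:33:44:66
add 00:11:22:33:44:GG
add 00:11:22:33:44:99 00:11:22:33:44:10
"""

if __name__ == "__main__":
    parsed, problems = parse_acl(SAMPLE_ACL)
    for line_no, message in problems:
        print(f"line {line_no}: {message}")
    print("conflicting rule lines:", find_conflicts(parsed))
    print(decide(parsed, "00:A0:F8:CD:EE:54", "allow"))
```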
6.2.2.2 Modifying an Access Control List
To modify an existing Access Control List:
1. From the WS5000 Series Switch GUI main window, select Modify > Access Port > Access Control
List. The system launches the Access Control List Manager.
Figure 6.68 Modifying an Access Control List—Access Control List Manager
2. This panel lists all available Access Control Lists configured on the system. See Table 6.10 for more
details on the controls within this panel to modify the ACL.
3. When done, click Next. An Access Control List Updated Successfully! message panel is displayed.
4. Click Finish to save the updated Access Control List and exit the wizard.
5. Click Close in the Access Control List Manager panel.
6.2.3 WLANs
A WLAN defines attributes applied to mobile units on a portion of the wireless LAN. To see the configuration
hierarchy while creating a WLAN, click Where Am I? at any point. A Where Am I? Dialog Box, such as Figure
6.69, is displayed.
Figure 6.69 WLAN Where Am I? Dialog Box
See the following sections for more details on working with WLANs:
• Creating a WLAN on page 6-51
• Modifying a WLAN on page 6-53
6.2.3.1 Creating a WLAN
To define a WLAN:
1. From the WS5000 Series Switch GUI main window, select Create > Access Port > WLAN. The system
launches the WLAN Wizard.
Figure 6.70 Creating a WLAN—Naming the WLAN (and Optionally, Choosing a Template)
2. Enter a name and description for the new WLAN, then if desired, select Use an existing WLAN as a
template.
3. Click Next. A panel for configuring ESS ID, MU associations, and WLAN network addresses is
displayed.
4. Configure the ESS ID, mobile unit association and WLAN network address controls, as displayed in
Figure 6.71 and described in Table 6.11, for the WLAN being created. (If a template was selected in step
2, some components may already be defined.)
Figure 6.71 Creating a WLAN—Configuring ESS ID, MU Association and WLAN Network Address Controls
Table 6.11 Creating a WLAN—Configuring ESS ID, MU Associations, and WLAN Network Address Controls
| Configuration Components | Description |
|---|---|
| ESS ID Controls | |
| ESSID | Use this text field (1 to 32 characters) to assign an Extended Service Set Identifier (ESSID) to the WLAN. |
| Accept Any ESSID checkbox | When unchecked, an MU trying to associate with the access port on the WLAN must have the same ESS ID. When checked, the Access Port will allow any MU to associate. (However, an ESSID value still must be supplied). |
| Secured Beacon checkbox | When Use Secured Beacon (in the lower right corner) is checked, the WLAN's ESSID is not broadcast in the AP's beacon message; otherwise (unchecked) it is. |
| MU Access Controls | |
| Max MUs field | Maximum number of MUs that can associate through this WLAN at a time, in the range [1, 4095]. |
| MU to MU Disallow checkbox | When checked, MUs are disabled from being able to communicate directly with each other. Instead, all MU to MU packets are routed through the network. |
| MU to MU Drop checkbox | When checked, packets sent from one MU to another are dropped within the switch. |
| ACL field, Create... button | To apply an Access Control List to the WLAN's gateway, choose an ACL from the drop-down list. To create a new ACL, click Create... See Creating an Access Control List on page 6-48 for more details. |
| Enable ACL checkbox | When checked, the selected ACL is enabled. |
| Network Addresses | |
| Default Route, Netmask | Set the IP address (default route) and subnet mask (netmask) of the WLAN's gateway. |
5. When done, click Next. A new wizard panel is displayed, as shown in Figure 6.72, to apply a security
policy.
6. Select a security policy or click the Create button to create a new security policy (see Creating a
Security Policy on page 6-40 for more details). If the selected security policy includes Kerberos
Authentication, a Kerberos Password field is enabled, and must also be entered.
Figure 6.72 Creating a WLAN—Applying a Security Policy to the WLAN
7. When done, click Next. A WLAN Created Successfully! message panel is displayed.
8. Click Finish to save the new WLAN and exit the wizard.
6.2.3.2 Modifying a WLAN
To modify an existing WLAN’s definition:
1. From the WS5000 Series Switch GUI main window, select Modify > Access Port > WLAN. The
system launches the WLAN Manager.
Figure 6.73 Modifying an Existing WLAN Definition—WLAN Manager
2. This panel lists all available WLANs configured on the system, as well as their settings. Table 6.12
describes the fields and options within this panel.
Table 6.12 WLAN Manager Fields and Controls
| Field or Control | Description |
|---|---|
| Name | Name of the selected WLAN. |
| Description | Description of the selected WLAN, if available. |
| ESSID | Displays the ESSID for the selected WLAN. |
| Max MUs | Maximum number of Mobile Units allowed on the selected WLAN. |
| Security Policy | Active security policy for the selected WLAN. |
| MU Traffic | Policy for mobile unit communication. |
| ACL Rule | Active Access Control List policy for the selected WLAN. |
| ACL | Whether ACLs are being used or not. |
| Secured Beacon | Controls the behavior of the Access Port signal for this WLAN. One of two values: Enable stops broadcasting the beacon; Disable allows broadcasting. |
| Accept Any ESSID | Whether ESSIDs are accepted or not. One of two values: if true, the ESSID field is ignored in mobile unit configurations and all mobile users are allowed to connect to the switch; if false, connections are limited to mobile users that are configured with the switch’s ESSID. |
| Create | Launches the WLAN Wizard to create a new WLAN. See Creating a WLAN on page 6-51 for more details. |
| Delete | Removes the selected WLAN from the system. A dialog appears to confirm this action. |
| Edit | Opens a variation of the WLAN Wizard, for editing it in the same fashion that it was created. See Creating a WLAN on page 6-51 for more details. |
| Close | Closes the WLAN Manager without saving any changes. |
3. When done, click Next. A WLAN Updated Successfully! message panel is displayed.
4. Click Finish to save the updated WLAN and exit the wizard.
5. Click Close in the WLAN Manager panel.
6.2.4 Ethernet Port Policies
The Ethernet Port Policy configures the switch’s Ethernet ports, and associates multiple WLANs with multiple
LANs or VLANs. There are two Ethernet ports on WS5000 Series switches. By convention, port 1 (the left port)
connects to the wireless LAN, and port 2 (the right port) connects to the wired LAN.
Note: Before configuring an Ethernet policy, the administrator must determine whether
either of the ports is to be configured as a “trunk port”. If so, it must be
configured on the switch first. Otherwise, the Ethernet policy configuration will not
allow VLAN discovery or mapping of WLANs to VLANs.
To see the configuration hierarchy while creating an Ethernet Port Policy, click Where Am I? at any point. A
Where Am I? Dialog Box, such as Figure 6.74, is displayed.
Figure 6.74 Ethernet Port Policy Where Am I? Dialog Box
See the following sections for more details on working with Ethernet Port Policies:
• Creating an Ethernet Port Policy on page 6-55
• Modifying an Ethernet Port Policy on page 6-58
• Configuring VLANs on page 6-59
6.2.4.1 Creating an Ethernet Port Policy
The default recommended Ethernet port configuration in the wireless switch has Ethernet ports (1) and (2) on
different subnets. Ethernet port (1) supports the WLAN infrastructure (access ports and associated MUs) and
Ethernet port (2) provides connectivity to the wired LAN infrastructure (the primary VLAN ID should always be
mapped to Ethernet port (2) in this configuration).
To create an Ethernet Port Policy:
1. From the WS5000 Series Switch GUI main window, click Create > Ethernet > New Policy. The system
launches the Ethernet Port Policy Wizard.
Figure 6.75 Creating an Ethernet Port Policy—Naming the Policy (and Optionally, Choosing a Template)
2. Enter a name and description for the new Ethernet Port Policy, then if desired, select Use an existing
Ethernet Policy as a template.
3. Click Next. A panel for specifying VLAN support is displayed (Figure 6.76).
VLANs are virtual LANs that can support the wireless side of the network. The VLANs for the two
Ethernet ports are specified in separate tabs (ethernet1 tab, ethernet2 tab); otherwise, the contents of
the two tabs are the same. Specify a VLAN, based on the following available options:
• To force a discovery of any existing VLANs, click VLAN Discovery... If any appear, they can then be selected from the discovery list and added to the Ethernet Port Policy.
• To manually add a new VLAN to the Ethernet policy, click Add and fill in the VLAN ID, Priority, and Subnet fields.
The Priority setting is relative to other priorities. The greater the priority value, the greater service
that VLAN gets. If this is the Primary VLAN for the port, click the Primary radio button.
Note: Before configuring an Ethernet policy, the administrator must determine whether either of the ports is to be configured as a “trunk port”. If so, the trunk ports must be configured on the switch first. Otherwise, the Ethernet policy configuration will not allow VLAN discovery or mapping of WLANs to VLANs.
Figure 6.76 Creating an Ethernet Port Policy—Specifying VLAN Support
4. When done specifying the VLAN(s), click Next. A panel for associating WLANs with NICs (or VLANs) is displayed (for trunk ports only).
Figure 6.77 Creating an Ethernet Port Policy—Associating WLAN to NICs (or VLANs)
Select a VLAN row in the mapping table and select the WLAN you want to map it to. Other options
include:
• To add a new arbitrary mapping click Insert, select the NIC that the VLAN will be on, specify the VLAN ID or IP address, and select the WLAN.
• If you need to create a new WLAN, click the Create WLAN... button. See Creating a WLAN on page 6-51 for more details.
• To remove a mapping, select the VLAN row and click the Remove button.
5. When done, click Next. An Ethernet Policy Created Successfully! message panel is displayed.
6. Click Finish to save the new Ethernet Policy and exit the wizard.
6.2.4.2 Modifying an Ethernet Port Policy
To modify an existing Ethernet Port Policy:
1. From the WS5000 Series Switch GUI main window, select Modify > Ethernet > Existing Policy. The
system launches the Ethernet Policy Manager.
Figure 6.78 Modifying an Existing Ethernet Policy—Ethernet Policy Manager
2. This panel lists all available Ethernet policies configured on the system. Table 6.13 describes the fields
and options within this panel. To edit a policy, select the policy name in the left pane.
Table 6.13 Ethernet Policy Manager Fields and Controls
| Field or Control | Description |
|---|---|
| Name | Name of the selected Ethernet Policy. |
| Description | Description of the selected Ethernet Policy, if available. |
| VLANs | Interface configurations in the policy tree. |
| Properties | Displays the LANs or VLANs associated with the selected Ethernet policy. |
| Create | Launches the Ethernet Policy Wizard to create a new Ethernet Policy. See Creating an Ethernet Port Policy on page 6-55 for more details. |
| Delete | Removes the selected policy from the system. A dialog appears to confirm this action. |
| Edit | Opens a variation of the Ethernet Policy Wizard, for editing it in the same fashion that it was created. See Creating an Ethernet Port Policy on page 6-55 for more details. |
| Close | Closes the Ethernet Policy Manager without saving any changes. |
3. When done, click Next. An Ethernet Policy Updated Successfully! message panel is displayed.
4. Click Finish to save the updated Ethernet Policy and exit the wizard.
5. Click Close in the Ethernet Policy Manager panel.
6.2.4.3 Configuring VLANs
A WLAN to VLAN association is created in an Ethernet port policy. The Ethernet ports on the wireless switch
are configured to support one or more available VLANs for WLAN to VLAN association. See Creating an
Ethernet Port Policy on page 6-55 for more details.
Note The recommended Ethernet port configuration in the wireless switch has
Ethernet ports (1) and (2) on different subnets with Ethernet port (1) supporting the
WLAN infrastructure (access ports and associated MUs). Always map the primary
VLAN ID to Ethernet port (2) in this configuration.
6.2.5 Access Port Policies
An Access Port Policy defines access port configuration details such as an AP’s beacon interval, RTS threshold,
its set of supported data rates, and so on. The AP policy is also responsible for adding WLANs to the AP and
for attaching a security policy, access control list, and network policy (or packet filter) to each AP.
To see the configuration hierarchy while creating an Access Port Policy, click Where Am I? at any point. A
Where Am I? Dialog Box, such as Figure 6.79, is displayed.
Figure 6.79 Access Port Policy Where Am I? Dialog Box
See the following for more details on working with Access Port Policies:
• Creating an Access Port Policy on page 6-59
• Modifying an Access Port Policy on page 6-64
6.2.5.1 Creating an Access Port Policy
To create a new Access Port Policy:
1. From the WS5000 Series Switch GUI main window, select Create > Access Port > New Policy. The
system launches the New Access Port Policy Wizard.
Figure 6.80 Creating an Access Port Policy—Naming the Policy (and Optionally, Choosing a Template)
2. Enter a name and description for the new Access port policy, then if desired, select Use an existing
Access Port Policy as a template.
3. Click Next. A panel for applying a WLAN(s) to the Access Port Policy is displayed.
Figure 6.81 Creating an Access Port Policy—Assigning an Available WLAN(s)
4. Select from among the Available WLANs and click the >> button to move a WLAN(s) (from 1 to 16
WLANs) to the Selected pane, and apply it to the Access Port Policy.
To create a new WLAN, click Create. See Creating a WLAN on page 6-51 for more details.
5. Click Next. A panel for specifying WLAN policy definitions for specific AP hardware types is displayed
(for example, Figure 6.82). Depending on the selected tab, the contents of this panel change slightly.
Figure 6.82 Creating an Access Port Policy—Specifying Policy Definition for Specific AP Hardware Types
There are seven AP hardware types: AP 100, AP 200a, AP 200b, AP 300a, AP 300g, and converted access
points AP 302x (frequency-hopping) and AP 4131. These hardware types are grouped by the number and
mapping of BSSIDs and ESSIDs. Therefore, each such group is presented in separate tabs. On each tab,
a WLAN(s) can be selected that will support that hardware group. Table 6.14 describes the WLAN
parameters that can be specified, per hardware type.
Table 6.14 WLAN Parameters, Per Hardware Type, within Access Port Policy Definition
| Parameter | Description |
|---|---|
| AP 100; 4BSS - 4ESS | |
| WLAN Name | Select as many as four WLANs that will support AP 100 Access Ports. These APs provide a 1-1 mapping of four BSSIDs to four ESSIDs. The BSSID values are created automatically. The WLANs will also be included in the beacon. |
| AP 200a; 1BSS - 16ESS | |
| WLAN Name, State | All WLANs are automatically added to the AP 200a group, and are given a single, auto-generated BSSID that maps to 16 ESSIDs. Use the State flag to declare which of the listed WLANs should be considered the "Primary" WLAN. |
| AP 300a/g, AP 200b, 4121; 4BSS - 16ESS | |
| WLAN Name | All WLANs get included in this policy with the selected settings. |
| BSSID | This group provides four 1-BSS-to-4-ESS mappings. Set the BSSID as a value from 1 to 4. |
| Primary | Set a Primary WLAN for each BSSID by clicking the checkbox. An Access Port Policy must have at least one primary if one WLAN, or at least 4, if 4 or more WLANs. |
| FHAP302x; 1BSS - 1ESS | |
| WLAN Name | This group provides a single BSS/ESS mapping, by default, for Frequency Hopping 302x (converted) Access Points. Use the radio buttons to select the WLAN that will support these devices. |
6. When done configuring the hardware type, click Next. A panel for assigning a network policy is
displayed. For each WLAN listed in the left column, select a Network Policy to be applied for the WLAN.
Figure 6.83 Creating an Access Port Policy—Assigning a Network Policy for Each WLAN in the Access Policy
To create a new Network Policy, click Create... See Creating a Network Policy on page 6-13 for more
details.
7. When done, click Next. A panel for assigning RF bandwidth settings is displayed. Bandwidth is set, per
hardware type, so four tabs are shown.
Figure 6.84 Creating an Access Port Policy—Assigning a Network Policy for WLANs in the Access Policy
A WLAN's bandwidth is the guaranteed minimum amount of available network bandwidth reserved to
be used by a specific WLAN.
Edit the bandwidth field, in each hardware type tab, to divide the network RF bandwidth across all
WLANs assigned per hardware type grouping. The total bandwidth in each tab must be equal to 100%.
8. When done, click Next. A panel to specify radio characteristics for the Access Port Policy is displayed.
Figure 6.85 Creating an Access Port Policy—Specifying Radio Characteristics
Configure the Access Port Policy radio settings per the descriptions in Table 6.15. Radio settings should
be configured for all supported radio types in the four different tabs.
Table 6.15 Access Port Policy Radio Settings
| Setting | Description |
|---|---|
| DTIM Interval | Sets the Delivery Traffic Indication Method (DTIM) Interval as a multiple of the beacon interval. Valid settings are in the range [1, 20]. Broadcasts are stored by the Access Port. When the Access Port receives a polling signal at the DTIM interval, it releases the broadcast message to the MU. |
| Beacon Interval | Sets the AP's beacon interval, in milliseconds. Valid intervals are in the range [20 – 1000]. |
| RTS Threshold | Sets the Request to Send (RTS) threshold. This is the maximum size of packets that use the 4-way handshake. The threshold is set by default to 2347 (the largest packet size), and turns off the 4-way handshake. The 4-way handshake allows nearby Access Ports to sense the wireless conversation and improve throughput. |
| Preamble | Use the radio buttons to set the type of network message preamble (short or long) that is added to messages that are sent through this Access Port Policy. |
| 802.11x Tabs | Declare the data rates supported as one of the following: Basic, Supported, Not Used. |
9. When done, click Next. An Access Port Policy Created Successfully! message panel is displayed.
10. Click Finish to save the new Access Port Policy and exit the wizard.
6.2.5.2 Modifying an Access Port Policy
To modify an existing Access Port Policy:
1. From the WS5000 Series Switch GUI main window, select Modify > Access Port > Existing Policy.
The system launches the Access Port Policy Manager.
Figure 6.86 Modifying an Existing Access Port Policy—Access Port Policy Manager
2. This panel lists all available Access Port Policies configured on the system. Table 6.16 describes the
fields and options within this panel. To edit a policy, select the policy name in the left pane first.
Table 6.16 Access Port Policy Manager Fields and Controls
| Field or Control | Description |
|---|---|
| Name | Name of the selected Access Port Policy. |
| Description | Description of the selected Access Port Policy, if available. |
| Policy Tree | Access Port configurations in the policy tree. |
| Properties | Displays a list of access ports (when highlighted in the tree) that can be adopted by the policy. The list itself is defined by the Wireless Switch Policy. See Switch Policies on page 6-39 for more details. |
| Create | Launches the Access Port Policy Wizard to create a new Access Port Policy. See Creating an Access Port Policy on page 6-59 for more details. |
| Delete | Removes the selected policy from the system. A dialog appears to confirm this action. Note: Default Access Port Policy cannot be deleted. |
| Edit | Opens a variation of the Access Port Policy Wizard, for editing it in the same fashion it was created. See Creating an Access Port Policy on page 6-59 for more details. |
| Close | Closes the Access Port Policy Manager without saving any changes. |
3. When done, click Next. An Access Port Policy Updated Successfully! message panel is displayed.
4. Click Finish to save the updated Access Port Policy and exit the wizard.
5. Click Close in the Access Port Policy Manager panel.
6.2.6 Setting the Country
The WS5000 Series wireless switch is preconfigured from the factory with the “Default Wireless Switch
Policy” enabled. However, the Country selection for that policy is set to None, thus preventing the switch from
being enabled with a default country setting (United States, for example) that conflicts with the actual location
of the switch.
Note As long as the Country selection remains set to None, the wireless switch
cannot adopt any access port(s).
To set the country, modify the “Default Wireless Switch Policy”, or create a new Wireless Switch Policy with
the appropriate country for the wireless location. See Creating a Switch Policy on page 6-66 for more details.
6.2.7 Creating a Switch Policy
To create a wireless switch policy:
1. From the WS5000 Series Switch GUI main window, click Create > Wireless Switch > New Policy.
The system launches the Wireless Switch Policy Wizard.
Figure 6.87 Creating a Wireless Switch Policy—Naming a Policy (and Optionally, Choosing a Template)
2. Enter a name and description for the new Wireless Switch Policy, then if desired, select Use an
existing Wireless Switch Policy as a template.
3. Click Next. A panel for configuring the settings of the Wireless Switch Policy is displayed.
Figure 6.88 Creating a Wireless Switch Policy—Configuring Settings
Configure the Wireless Switch Policy settings per the descriptions in Table 6.17.
Table 6.17 Wireless Switch Policy Settings
| Setting | Description |
|---|---|
| Switch Settings | |
| Country | Select the appropriate country for the location of the wireless switch. The switch will not adopt Access Ports until the country is set. Once a country is specified, the None option is no longer available. Note: It is the responsibility of the switch owner to correctly set the country. An incorrect country setting can cause the switch to use illegal broadcast settings. |
| Emergency | Check this box to designate the Wireless Switch Policy as the "Emergency" Switch Policy (ESP). There can only be one ESP at a time (a Switch Policy that was previously assigned as the ESP will no longer act as such). After designating an Emergency Switch Policy, the ‘E’ icon in the lower left corner of the main window will turn red. You can turn the ESP on and off by clicking the icon. When you turn the ESP off, the previously active Switch Policy will be reactivated. |
| Ethernet Port Policy | Each Switch Policy incorporates a (single) Ethernet Port Policy. To make this assignment, you can select from among the existing Ethernet Port Policies, or you can click Create... To create a new policy, see Creating an Ethernet Port Policy on page 6-55. |
| AP Channel and Power Settings | |
| Channel | Select a value from the Channel.11x field. The set of discrete channels available depends on the country of operation, and is further limited by the restricted channels declared in the Automatic Channel Settings panel. Special values include: Auto (once): the AP uses Automatic Channel Selection (ACS) the first time that it is adopted by the switch, and then sticks to the channel thereafter; Auto: the AP uses ACS every time that it is adopted; Random: the AP chooses a random channel every time it's adopted. |
| Power | Select a mW value from the Power.11a field. The set of values depends on the country. |
| Allow DS Coexistence | Only on the 802.11 FH tab. When this box is checked, the Access Port divides the frequency spectrum so Frequency-Hopping (FH) devices use one portion, and Direct-Sequence (DS) devices use the other. Note: FH/DS co-existence isn't legal in all countries. If you have a switch set to a country in which co-existence is not allowed, the Allow DS Coexistence option is disabled. |
| ACS Settings | Click this button to add/modify Restricted Channel Settings, which defines a set of channels the Automatic Channel Selection (ACS) mechanism is not allowed to choose. Separate sets of restricted channels can be specified for 802.11a and 802.11b/g devices. To add a restricted channel, click Add and choose a channel. If desired, add descriptive text to explain why the channel is restricted. To remove a channel from the list, select a channel in the list and click Delete. |
4. When done, click Next. A panel to associate Access Port Policies to the Wireless Switch Policy is
displayed.
Figure 6.89 Creating a Wireless Switch Policy—Associating Access Port Policies
5. Select from among the Available Access Port Policies and click the >> button to move a Policy(s) to the
Selected pane, and to apply it to the Wireless Switch Policy.
6. When done, click Next. A panel to create a set(s) of access ports (and converted access points) the
switch is allowed to adopt is displayed.
Figure 6.90 Creating a Wireless Switch Policy—Allowed Adoption Lists
7. If desired, create an Access Port List that includes “allowed” MAC address ranges. Only those APs that
fall within the specified address range(s) are allowed to be adopted.
If you do not specify a disallowed AP list, all APs are candidates for adoption.
8. When done, click Next. A panel to create a set(s) of access ports (and converted access points) that the
switch disallows to be adopted is displayed.
Figure 6.91 Creating a Wireless Switch Policy—Disallowed Adoption Lists
9. If desired, create an Access Port List that includes “disallowed” MAC address ranges. Only those APs
that fall within the specified address range(s) are disallowed to be adopted.
If you do not specify an allowed AP list, all APs are candidates for adoption.
10. When done, click Next. A panel to assign an action to be taken when the Wireless Switch detects an
“unknown” AP—or, in other words, an AP that is not in an “allowed” list or “disallowed” list—is
displayed.
Figure 6.92 Creating a Wireless Switch Policy—Assigning an Action for Unknown APs
11. Set the action within this panel.
• To deny adoption, select Deny Adoption. If the Send SNMP Trap box is checked, an SNMP trap is captured when such an AP is denied.
• To allow adoption, select Adopt, and select the Access Port Policy applied to the adopted AP, for each of the radio types.
12. When done, click Next. A Wireless Switch Policy Created Successfully! message panel is
displayed.
13. Click Finish to save the new Wireless Switch Policy and exit the wizard.
6.2.8 Defining/Activating an Emergency Switch Policy
When creating or modifying a Wireless Switch Policy, the policy can be designated as the Emergency Switch
Policy (ESP). There can only be one ESP at a time; a Switch Policy previously assigned as the ESP is replaced
when a new ESP is designated.
After designating an Emergency Switch Policy, the ‘E’ icon in the lower left corner of the main window turns red.
You can turn the ESP on and off by clicking the icon. When the ESP is turned off, a previously active Switch
Policy is re-activated as the ESP.
For more details, see Creating a Switch Policy on page 6-66.
Configuring Rogue AP Detection
Rogue Access Ports (APs) are an area of concern with respect to LAN security. The term Rogue AP denotes an
unauthorized access port connected to the production network or operating in a stand-alone mode (perhaps in
a parking lot or in a neighbor’s building). Rogue APs are not under the management of network administrators
and do not conform to any network security policies.
Although 802.1x security settings should completely protect the LAN, organizations are not always fully
compliant with the newest wireless-security best practices. In addition, organizations want the ability to
detect and disarm rogue APs. The WS5000 Wireless Switch provides a mechanism for detecting and reporting
rogue APs.
7.1 Configuring Rogue AP Detection
To configure Rogue AP detection, select System Settings > Rogue AP Detection.
The Rogue AP Detection screen appears.
Figure 7.1 Rogue AP Detection Screen
From the Rogue AP Detection field, select Enable to allow the switch to scan for rogue APs over the
network. If you set Rogue AP Detection to Disable, all UI components in this screen are disabled. Disabling
Rogue AP Detection leaves the switch vulnerable to data theft from rogue devices on the switch managed
network.
7.1.1 Defining the Detection Method
The switch provides three methods for detecting rogue Access Ports (APs). Use the Detection Method field
to set the method(s) the switch uses to detect rogue APs. The detection process involves defining a set of
options and detection intervals the switch uses for scanning for devices, then validating located devices as
either legitimate devices operating within the switch managed network, or categorizing the devices as rogue
APs that can be trapped by the administrator and prevented from interoperating with legitimate devices.
1. Check the RF Scan by MU box if you want the switch to work with mobile units (MUs) to detect a rogue
AP.
Each MU reports whether it supports rogue AP detection mechanisms. If it does, the switch sends
WNMP requests, at regular intervals, to the MU to get a list of APs. The MU scans all the channels for
APs in the vicinity. It prepares a list of APs (BSSIDs) and sends it back to the switch using the WNMP
response message. The switch, in turn, processes this information.
2. Check the RF Scan by AP box if you want the switch to work with the APs to detect a rogue AP. By
default, this method is selected.
The switch sends a WISP configuration message to each adopted AP indicating rogue AP detection is
required. Each AP listens for beacons on its present channel and passes the beacons to the switch
without modification. The switch then processes the beacons to determine whether any of them are
rogues. This method is less disruptive than the RF Scan by MU mode.
3. Check the RF Scan by Detector AP box if you want the switch to work with the detector AP on the
LAN (which you set up) to detect rogue APs.
Note Only some devices have the capability of being a Detector AP, including
Symbol AP100, AP200, and AP300 Access Ports.
4. Enter a time interval (in minutes) in the Scan Interval field for each enabled detection method. By
default, the scans are set at one hour intervals.
7.1.2 Specifying Detector APs
To specify an access port as a detector access port, click the Detector AP button in the Rogue AP Detection
screen. The Detector AP screen appears.
Figure 7.2 Detector AP Screen
The Detector AP screen displays the available AP list on the left and the detector AP list on the right.
To set an AP as a detector AP, click the AP from the available AP list and click the >> button to move it to the
detector AP list.
To move it back to the available AP list, click the << button. Click Apply.
7.1.3 Configuring Rule Management
The Rule Management field within the Rogue AP Detection screen contains a Rule List button for
determining whether a detected AP can be approved or not. Each entry in the table works as an AP evaluation
rule. Specify a particular MAC address or ESSID, or optionally indicate any MAC address or ESSID will work.
Figure 7.3 Rule Management Section
1. Check the Authorize Any AP Having a Symbol Defined MAC Address box to indicate any Symbol
AP (which has a known Symbol MAC address) is an approved AP. This is helpful for rendering all Symbol
devices as approved without having to filter through the list of located addresses.
2. Define the following Rule Management options:
MAC Address: Enter a valid MAC address used during the detection process or use a wild card (FF:FF:FF:FF:FF:FF) to represent any MAC address.
ESSID: Enter an approved ESSID used during the detection process or use a wild card (*) to represent ANY ESSID.
3. Select a rule and click the Del button to delete it from the table.
4. Click the Delete All button to clear the entire rule list.
5. Click Apply from the Rogue AP screen to save your changes to the Rule List and Rogue AP screens.
6. Click Cancel from the Rogue AP screen to cancel all updates to the Rogue AP and Rule List screens.
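The rule list described above, modelled as an added example (not code from this guide or from the switch): it assumes a rule approves an AP only when both its MAC Address and ESSID fields match, with FF:FF:FF:FF:FF:FF and * as the wildcards, and all MAC addresses and ESSIDs in it are constructed. The audit function lists the wildcard rules that would keep an unauthorized AP off the rogue list.

```python
import re
from dataclasses import dataclass

MAC_WILDCARD = "FF:FF:FF:FF:FF:FF"   # "any MAC address" value from the guide
ESSID_WILDCARD = "*"                 # "any ESSID" value from the guide

_MAC_RE = re.compile(r"^[0-9A-F]{2}(:[0-9A-F]{2}){5}$")


def normalize_mac(mac):
    """Return the MAC as upper-case, colon-separated octets; raise on bad input."""
    canon = mac.strip().upper().replace("-", ":")
    if not _MAC_RE.match(canon):
        raise ValueError(f"not a MAC address: {mac!r}")
    return canon


@dataclass(frozen=True)
class Rule:
    """One row of the Approved APs' rule list: a MAC address and an ESSID."""
    mac: str
    essid: str

    def __post_init__(self):
        # Store the MAC in canonical form so comparisons are exact.
        object.__setattr__(self, "mac", normalize_mac(self.mac))

    def matches(self, mac, essid):
        # Assumption: both fields must match; a wildcard field matches anything.
        mac_ok = self.mac == MAC_WILDCARD or self.mac == normalize_mac(mac)
        essid_ok = self.essid == ESSID_WILDCARD or self.essid == essid
        return mac_ok and essid_ok


def classify(rules, mac, essid):
    """Return 'approved' if any rule matches the detected AP, else 'rogue'."""
    return "approved" if any(r.matches(mac, essid) for r in rules) else "rogue"


def audit(rules):
    """Return (rule number, code, description) for each rule weakened by a wildcard."""
    findings = []
    for number, rule in enumerate(rules, start=1):
        any_mac = rule.mac == MAC_WILDCARD
        any_essid = rule.essid == ESSID_WILDCARD
        if any_mac and any_essid:
            findings.append((number, "any-ap",
                             "approves every AP, so nothing is reported as rogue"))
        elif any_mac:
            findings.append((number, "any-mac",
                             f"approves any AP that advertises ESSID {rule.essid!r}"))
        elif any_essid:
            findings.append((number, "any-essid",
                             f"approves {rule.mac} under any ESSID"))
    return findings


# Constructed sample rule list (locally administered MAC addresses, made-up ESSIDs).
SAMPLE_RULES = [
    Rule("02:00:5E:10:00:01", "corp"),    # exact MAC and ESSID
    Rule("FF:FF:FF:FF:FF:FF", "guest"),   # any MAC, fixed ESSID
    Rule("02:00:5E:10:00:02", "*"),       # fixed MAC, any ESSID
]

if __name__ == "__main__":
    for mac, essid in [("02-00-5e-10-00-01", "corp"),
                       ("02:00:5E:99:99:99", "guest"),
                       ("02:00:5E:99:99:99", "corp")]:
        print(mac, essid, classify(SAMPLE_RULES, mac, essid))
    for finding in audit(SAMPLE_RULES):
        print("rule %d [%s]: %s" % finding)
```

A rule list that passes this audit with no findings approves only exact MAC and ESSID pairs, which is the strictest configuration the Rule Management fields allow.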
7.1.4 Examining Approved and Rogue Access Ports
Use the AP List screen to display information about each AP (rogue or valid) known to the switch. All approved
APs are listed in the upper table. All rogue APs are listed in the lower table. The AP List screen also allows the
administrator to create detection rules from the information collected about approved or rogue APs.
To display the AP List, select System Settings > Rogue AP Detection and click the AP List tab in the Rogue
AP Detection screen.
Figure 7.4 Access Port List Section
Each row of the AP List represents all unapproved and approved APs that the switch has located. The MAC
and the ESSID for each AP are listed. Use this portion of the screen to change the age out time or to add a rule
to the rule list for a particular AP:
1. Enter a value in the Approved AP's Entry Age Out Timer field to indicate the number of elapsed
minutes before an AP will be removed from the approved list and reevaluated. A zero (0) for this value
indicates an AP can remain on the list permanently.
2. Click the Add to Rule List button to add a rule to the Approved APs' Rule Management table on the
Rogue AP Detection screen. The generated rule uses the MAC address and ESSID of the selected AP.
The Rogue AP List
Each row of the Rogue AP List represents a rogue AP the switch has found. It lists the MAC address and the
ESSID for each rogue AP.
1. Enter a Rogue Entries Age out time to indicate the number of elapsed minutes before an AP is
removed from the rogue list and reevaluated. Entering a zero indicates an AP can stay on the list
permanently.
2. Click the Add AP to Rule List button to add the AP to the Approved APs' Rule Management table of
the Rogue AP Detection screen. The generated rule uses the MAC address and ESSID of the selected AP.
7.1.5 Viewing Details of the Rogue AP
To view detailed rogue AP information:
1. Select a rogue AP from the Rogue AP List.
2. Click the View Details button to open a new window to view detailed information about the rogue AP
and its detector.
The top of the Rogue AP Details screen lists information about the AP.
MAC Address: The MAC address of the rogue AP.
ESSID: The ESSID for the rogue AP.
Last Heard At: Indicates the number of elapsed hours since the rogue AP was last noticed on the network in hours:minutes:seconds.
Discovering AP MAC: Displays the MAC address of the AP that detected the rogue APs.
Signal Strength: Displays the Receiver Signal Strength Indicator (RSSI) for the rogue. This value is between 1 and 255. The larger the value, the better the signal strength and the closer the AP.
Note: The WS5000 Wireless Switch only reports rogue APs; it does not remove them from the network. It is up to the administrator to change security settings or disrupt the rogue AP's connection.
7.1.6 SNMP Traps for Rogue AP Events
The WS5000 Series Switch supports two SNMP traps for capturing rogue AP data.
CcRapNewApprovedAp
The CcRapNewApprovedAp generates a trap whenever the switch finds and authorizes a new
AP. It generates a trap at the first instance when the AP is approved. It provides the ESSID and MAC
address of the approved AP.
• CcRapResultsApprovedPortalPtr: Bitmap data that hints where this AP is located.
• CcRapResultsApprovedHowFound: Traps information on how the rogue was detected (over the air, AP scanning, wire scanning or MU scanning).
• CcRapResultsApprovedHowAuth: Traps information on how the AP was approved.
CcRapNewRogueAp
The CcRapNewRogueAp generates a trap when the switch determines that an AP is a rogue AP.
The trap provides ESSID and MAC address of the rogue AP.
• CcRapResultsRoguePortalPtr: Provides information on where the reporting AP is located.
• CcRapResultsRogueHowFound: Traps information on how the rogue AP was detected (over the air, AP scanning, wire scanning or MU scanning).
7.1.7 Rogue AP Syslog Messages
The WS5000 Series Switch logs a number of syslog events as rogue devices are encountered within the switch
managed network. The messages and event scenarios include:
| Scenario | Syslog Message |
|---|---|
| Rogue AP detection feature is enabled/disabled | Rogue AP detection is enabled/disabled. |
| MU scan detection is enabled/disabled | MU scan rogue AP detection is enabled/disabled. |
| AP scan detection is enabled/disabled | AP scan detection is enabled/disabled. |
| Detector AP scan is enabled/disabled | Detector AP scan is enabled/disabled. |
| AP is newly approved | AP=<mac>, EssId=<essid> is detected and added to “approved list.” |
| AP is newly determined as Rogue | AP=<mac>, EssId=<essid> detected and added to “rogue list.” |
| Age out occurs for rogue AP list | Rogue AP list entries aged out and deleted from the rogue list. |
| Age out occurs for Approved list | Approved AP list entries aged out and deleted from the approved list. |
For more information on configuring the WS5000 Series Switch to support the Syslog events described in this
section, see Syslog Context on page 8-189.
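A collector-side parser for the rogue AP syslog messages listed above, as an added example (not code from this guide or from the switch): it turns the message bodies into events and raises alerts for new rogue APs and for any detection method being disabled. It assumes the switch prints either "enabled" or "disabled" where the table shows "enabled/disabled"; the timestamp and host prefix in the sample lines are constructed.

```python
import re

_Q = "[\"\u201c\u201d]"   # straight or curly double quote around the list name
_AP = r"AP=(?P<mac>[0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5}),\s*EssId="
_END = r" list\.?" + _Q + r"\.?\s*$"

# The ESSID is set by whoever operates the detected AP, so it is matched greedily
# and the pattern is anchored at the end of the line: only the list name the switch
# wrote last decides the event type, never text carried inside the ESSID.
_ROGUE = re.compile(_AP + r"(?P<essid>.*) detected and added to " + _Q + "rogue" + _END)
_APPROVED = re.compile(
    _AP + r"(?P<essid>.*) is detected and added to " + _Q + "approved" + _END)
_STATE = re.compile(
    r"(?P<feature>MU scan rogue AP detection|Detector AP scan|AP scan detection|"
    r"Rogue AP detection) is (?P<state>enabled|disabled)", re.IGNORECASE)
_AGED = re.compile(r"(?P<which>Rogue|Approved) AP list entries aged out", re.IGNORECASE)


def _ap_event(kind, match):
    mac = match.group("mac").upper().replace("-", ":")
    return {"event": kind, "mac": mac, "essid": match.group("essid")}


def parse_line(line):
    """Return an event dict for a rogue AP syslog line, or None if it is unrelated."""
    line = line.rstrip("\r\n")
    m = _ROGUE.search(line)
    if m:
        return _ap_event("rogue_ap", m)
    m = _APPROVED.search(line)
    if m:
        return _ap_event("approved_ap", m)
    m = _STATE.search(line)
    if m:
        return {"event": "detection_state", "feature": m.group("feature"),
                "state": m.group("state").lower()}
    m = _AGED.search(line)
    if m:
        return {"event": "age_out", "list": m.group("which").lower()}
    return None


def alerts(lines):
    """Return alert tuples for new rogue APs and for disabled detection methods."""
    out = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["event"] == "rogue_ap":
            out.append(("ROGUE_AP", ev["mac"], ev["essid"]))
        elif ev["event"] == "detection_state" and ev["state"] == "disabled":
            out.append(("DETECTION_DISABLED", ev["feature"]))
    return out


# Constructed sample lines: message bodies follow the table, prefixes are made up.
SAMPLE_LINES = [
    "Jan 12 09:00:01 switch1 AP=02:00:5e:10:00:07, EssId=corp detected and added to "
    "\u201crogue list.\u201d",
    "Jan 12 09:05:10 switch1 AP=02:00:5E:10:00:01, EssId=corp is detected and added to "
    "\"approved list.\"",
    "Jan 12 09:10:00 switch1 MU scan rogue AP detection is disabled.",
    "Jan 12 09:10:05 switch1 Detector AP scan is enabled.",
    "Jan 12 10:00:00 switch1 Rogue AP list entries aged out and deleted from the rogue list.",
    # ESSID that imitates an "approved" message; still parsed as a rogue AP event.
    "Jan 12 10:02:00 switch1 AP=02:00:5E:10:00:09, EssId=x is detected and added to "
    "\"approved list.\" detected and added to \u201crogue list.\u201d",
    "Jan 12 10:05:00 switch1 unrelated message",
]

if __name__ == "__main__":
    for alert in alerts(SAMPLE_LINES):
        print(alert)
```

Because the switch only reports rogue APs, a "disabled" state change is worth alerting on as well: after it, no further rogue events will arrive from that detection method.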
CLI Command Reference
This chapter describes the commands that are defined by the WS5000 Series Command Line Interface (CLI).
Access the CLI by running a terminal emulation program on a computer that is connected to the serial port at
the front of the switch, or by using Telnet via secure shell (SSH) to access the switch over the network.
The default CLI user is “cli”. The default username and password are admin and symbol, respectively.
8.1 CLI Overview
Before you begin working with the WS5000 Series Switch CLI, review the following sections to gain a
basic understanding of the CLI:
• About Contexts
• About Instances
• Basic Conventions
8.1.1 About Contexts
For a WS5000 Series Switch, CLI commands are invoked within “contexts.” Contexts are hierarchical, in the
same way that directories are hierarchical in a traditional file system; in other words, contexts may contain
other contexts.
When you log into the switch, by default you are in the System context—this is the top of the context
hierarchy. To enter a subcontext, type its name. The only subcontext of the System context is the Configure
context.
To get to the Configure Context from the System Context, type “configure” at the CLI prompt (as a
convenience, you can also type “cfg” to access the Configure Context). When invoked, the CLI prompt changes
to indicate the current context. For example:
WS5000> cfg
WS5000.(Cfg)>
Table 8.1 summarizes the context hierarchy found in the CLI for a WS5000 Series Switch. Named subcontexts
are called Instances (or Instance Contexts). Instances are described further in About Instances on page 8-5.
Table 8.1 CLI Context Hierarchy for a WS5000 Series Switch
Main Context > Subcontext > Subcontext > Instance Context > Subcontext (nesting is shown by indentation)
System Context
    Configuration (cfg)
        AAA
        Access Port (APort)
            [APort_Name]
        Access Control List (ACL)
            [ACL_Name]
        Access Port Policy (APPolicy)
            [APPolicy_Name]
        banner
        Classification Element (CE)
            [CE_Name]
        Classification Group (CG)
            [CG_Name]
        Chassis
        Ethernet Port (Ethernet)
            [Ethernet_Name]
        Ethernet Policy (EtherPolicy)
            [EtherPolicy_Name]
        Events
            Syslog
        FTP
        Firewall (FW)
        Host
            [Host_Name]
        Key Distribution Center
        Network Policy
            [NP_Name]
        Policy Object
            [PO_Name]
        Radius
        Rogue AP
        Route
        Security Policy
            [SecurityPolicy_Name]
        Sensor
            [Sensor_MAC]
        SNMP
        Secure Shell
        Secure Sockets Layer
        Standby
        Switch Policy
            [SPolicy_Name]
                Restricted Channel
        Telnet
        Tunnel
            [GRE_Tunnel_Name]
        User
            [User_Name]
        WLAN
            [WLAN_Name]
        WME
            [WME_Name]
        WVPN
Most of the switch configuration is performed in subcontexts of the Configuration context. For example, to drop
into the WLAN subcontext you type “wlan” from the Configuration context:
WS5000.(Cfg)> wlan
WS5000.(Cfg).wlan>
To bump up a context level, type “..”:
WS5000.(Cfg).wlan> ..
ws5000.(Cfg)>
To jump to the system context use exit:
WS5000.(Cfg).wlan> exit
ws5000>
Note You can’t go “up and over” when navigating the CLI—constructions such as
“.. context” or “../context” do not work.
8.1.2 CLI Indexing
You can use CLI indexing and navigate to a subcontext by typing the index number instead of the context name.
The following CLI contexts have the indexing functionality:
• AAA
• Access Port
• Access Control List
• Access Port Policy
• Classifier Element
• Classification Group
• Ethernet
• Ethernet Policy
• Events
• Firewall
• Host
• Network Policy
• Policy Object
• Security Policy
• Sensor
• Switch Policy
• Tunnel
• User
• WLAN
• WME
The following example shows you how to use the index number 1 to access the Default Access Port Policy
subcontext.
WS5000.(Cfg).APPolicy>
WS5000.(Cfg).APPolicy> show
Available Access Port Policies:
1. Default Access Port Policy.
2. NewAP.
WS5000.(Cfg).APPolicy> 1
Access Port Policy details for "Default Access Port Policy":
Policy Name                 : Default Access Port Policy
Description                 : Default Access Port Policy, only ESSID 101
                              and no security, and default network policy
Basic Rate for 11a          : 6,12,24
Supported Rate for 11a      : 9,18,36,48,54
Basic Rate for 11b          : 1,2
Supported Rate for 11b      : 5.5,11
Basic Rate for 11g          : 1,2,5.5,11
Supported Rate for 11g      : 6,9,12,18,24,36,48,54
Basic Rate for FH           : 1
Supported Rate for FH       : 2
RF Preamble                 : short
RTS Threshold               : 2347 Bytes
DTIM Period                 : 10
DTIM Period BSS 2           : 10
DTIM Period BSS 3           : 10
DTIM Period BSS 4           : 10
Beacon Interval             : 100
Allow MUs w/o Spectrum Mgmt : false
WLAN details for the Access Port policy 'Default Access Port Policy'
WLAN Name           Network Policy
------------------------------------------
Symbol Default      Default Network Policy
WS5000.(Cfg).APPolicy.[Default Access Port Policy]>
8.1.3 About Instances
Most contexts contain “instances” of themselves. An instance is like a named context; it is a set of
configuration values that is identified by a name. Some contexts have pre-defined instances, but, in general,
instances must be created.
To create an instance, the add command is used with a <name> parameter. The following example creates a
Switch Policy instance:
WS5000.(Cfg)> switchpol
Active Switch Policy name: Default Wireless Switch Policy
Available Switch Policies:
1. Default Wireless Switch Policy.
WS5000.(Cfg).SPolicy> add TestPolicy
Adding Switch Policy...
Status: Success.
Active Switch Policy name: Default Wireless Switch Policy
Available Switch Policies:
1. Default Wireless Switch Policy.
2. TestPolicy.
Switch Policy details
---------------------
Policy Name                      : TestPolicy
Description                      :
Country                          : AU
Channel for .11a                 : Auto (once)
Channel for .11b                 : Auto (once)
Channel for .11g                 : Auto (once)
Power Level for .11a             : 20 dBm
Power Level for .11b             : 20 dBm
Power Level for .11g             : 20 dBm
Active EtherPolicy Name          : Default Ethernet Policy
# of APPolicies attached         : 0
Include Adoption List details    : List is Empty.
Exclude Adoption List details    : List is Empty.
Default Adoption action for .11a : Deny.
Default Adoption action for .11b : Deny.
Default Adoption action for FH   : Deny.
Default Adoption action for .11g : Deny.
Send SNMP trap on adoption deny  : Disabled
DS Coexistence                   : Disabled
WS5000.(Cfg).SPolicy.[TestPolicy]>
When you create an instance, the command prompt changes to that instance’s context; the name of the
instance context is shown in brackets. Like contexts, the available commands are based on the type of instance
created, and are used to configure the instance specifically.
8.1.4 Basic Conventions
Following are a few conventions to keep in mind while working within the command line interface:
• Pre-defined CLI commands and keywords are case-insensitive: cfg = Cfg = CFG. However, mostly
for clarity, CLI commands and keywords are displayed in this guide using mixed case. For example,
apPolicy, trapHosts, channelInfo.
• The names of all context instances, whether system defined or created by you, are case-sensitive.
• CLI commands can be concatenated when invoking them at the command line. For example, to jump
from the System context to the myWLAN instance, you can enter a command as follows:
WS5000> cfg wlan myWLAN
WS5000.(Cfg).wlan.[myWLAN]>
Concatenating commands is quicker than entering three separate commands (one to jump
to the Cfg context, one to jump to the wlan context, and one to jump to the myWLAN instance).
• If an instance name (or other parameter) contains whitespace, the name must be enclosed in quotes:
WS5000.(Cfg)> spol "Default Switch Policy"
WS5000.(Cfg).SPolicy.[Default Switch Policy]>
• To abort an unresponsive command, type <Ctrl>-c. That is, hold down the Control key and type c.
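The prompt format and navigation rules above can be applied to a captured session log. The following is an added example, not code from the Symbol guide: it ties each command to the context path shown in its prompt and checks that "..", "end" and "exit" moved the prompt as documented. The sample session is constructed from the prompts shown in this section, and all function and type names are hypothetical.

```python
import re
import shlex
from typing import List, NamedTuple, Optional, Tuple

# One prompt segment after the host name: "(Cfg)", "[Instance Name]" or a bare
# context label such as "wlan" or "SPolicy".
_SEG = r"\.(?:\((?P<cfg>[^)]+)\)|\[(?P<inst>[^\]]+)\]|(?P<ctx>[A-Za-z0-9_-]+))"
_SEG_RE = re.compile(_SEG)
_PROMPT_RE = re.compile(
    r"^(?P<host>[A-Za-z0-9_-]+)(?P<path>(?:" + _SEG + r")*)\s?>\s?(?P<cmd>.*)$"
)


class Entry(NamedTuple):
    host: str
    path: Tuple[str, ...]   # e.g. ("cfg", "spolicy", "[Default Switch Policy]")
    argv: Tuple[str, ...]   # words typed at that prompt (empty for a bare prompt)


def parse_prompt_line(line: str) -> Optional[Entry]:
    """Return the prompt and command on a transcript line, or None for output."""
    m = _PROMPT_RE.match(line.strip())
    if m is None:
        return None
    path = []
    for seg in _SEG_RE.finditer(m.group("path")):
        if seg.group("inst") is not None:
            path.append("[" + seg.group("inst") + "]")   # instance names: case-sensitive
        else:
            # context keywords are case-insensitive, so normalise them
            path.append((seg.group("cfg") or seg.group("ctx")).lower())
    try:
        argv = shlex.split(m.group("cmd"))   # keeps "quoted instance names" whole
    except ValueError:                        # unbalanced quote in the capture
        argv = m.group("cmd").split()
    return Entry(m.group("host"), tuple(path), tuple(argv))


def attribute(transcript: str) -> List[Entry]:
    """Every command in the transcript, with the context it was typed in."""
    parsed = (parse_prompt_line(line) for line in transcript.splitlines())
    return [e for e in parsed if e is not None and e.argv]


def predicted_path(entry: Entry) -> Optional[Tuple[str, ...]]:
    """Context expected at the next prompt, where this section defines it."""
    if not entry.argv:
        return entry.path                 # bare prompt: context unchanged
    word = entry.argv[0].lower()
    if word in ("..", "end"):
        return entry.path[:-1]            # up one level
    if word == "exit":
        return ()                         # back to the System context
    return None                           # depends on the switch's context names


def navigation_mismatches(transcript: str) -> list:
    """(command, expected path, path seen) wherever the next prompt disagrees."""
    prompts = [e for e in map(parse_prompt_line, transcript.splitlines())
               if e is not None]
    problems = []
    for current, following in zip(prompts, prompts[1:]):
        expected = predicted_path(current)
        if expected is not None and expected != following.path:
            problems.append((current.argv[0] if current.argv else "",
                             expected, following.path))
    return problems


# Constructed sample session, assembled from the prompts shown in this section.
SAMPLE_SESSION = """\
WS5000> cfg
WS5000.(Cfg)> spol "Default Switch Policy"
WS5000.(Cfg).SPolicy.[Default Switch Policy]> show
Status: Success.
WS5000.(Cfg).SPolicy.[Default Switch Policy]> ..
WS5000.(Cfg).SPolicy> exit
WS5000> cfg wlan myWLAN
WS5000.(Cfg).wlan.[myWLAN]>
"""

if __name__ == "__main__":
    for e in attribute(SAMPLE_SESSION):
        print("/".join(e.path) or "(system)", "->", " ".join(e.argv))
    print("mismatches:", navigation_mismatches(SAMPLE_SESSION))
```

A non-empty result from navigation_mismatches means the log has missing or reordered lines around that command, so the context recorded for the commands that follow it cannot be trusted.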
8.2 Common Commands
Table 8.2 summarizes the commands common amongst many contexts and instance contexts within the
WS5000 Series command line interface.
Table 8.2 Common Commands Among Most Contexts
Command           Description                                                                 Ref.
.. or end         Terminates the current session and moves up one context in the hierarchy.   page 8-7
exit              Terminates the current session and returns to the “root” prompt.            page 8-7
? or help         Get the command information.                                                page 8-7
logout or bye     Close this session.                                                         page 8-8
clear             Clear the screen.                                                           page 8-8
emergencymode     Enable or disable Emergency mode.                                           page 8-8
history           Display command history within a context or instance                        page 8-9
ping              Ping a network host/IP address                                              page 8-9
show commands     Display context specific attributes                                         page 8-23
8.2.1 .. or end
Common to all contexts and instances, except System Context
Terminates the context or instance session and moves the command prompt up one level in the context hierarchy.
Syntax
..
or
end
or
exit
Parameters
None.
Example
WS5000.(Cfg).NP> ..
WS5000.(Cfg)> end
WS5000>
8.2.2 exit
Common to all contexts and instances, except System Context
Terminates the context session, and returns the prompt to the root (for example, WS5000>).
For example, if you use the exit command in the ACL context, the prompt reverts to the System context prompt.
Syntax
exit
Parameters
None.
Example
WS5000.(Cfg).ACL> exit
WS5000>
8.2.3 ? or help
Common to all contexts and instances
Retrieves a list of the commands supported in the current context or instance.
Syntax
?
or
help
Parameters
None.
Example
WS5000> ?
or
WS5000> help
8.2.4 logout or bye
Common to all contexts and instances
Closes or logs out of the current session.
Syntax
logout
or
bye
Parameters
None.
Example
WS5000> logout
or
WS5000> bye
8.2.5 clear
Common to all contexts and instances
Clear the screen.
Syntax
clear
Parameters
None.
Example
WS5000> clear
8.2.6 emergencymode
Common to all contexts and instances
Enables or disables the “Emergency” Switch Policy (ESP), a switch policy that can be activated (enabled) at any
time in case of an emergency. When ESP is deactivated (disabled), the previous switch policy is reactivated.
To set the emergency policy, use the emergencymode command.
Syntax
> emergencyMode <enable_flag>
Parameters
enable_flag
Indicates whether to enable or disable the ESP. Possible values are:
• enable
• disable
Example
WS5000.<context_path> > emergencymode enable
8.2.7 history
Common to all contexts and instances
Display the history of commands invoked at the command prompt for any given context. Alternatively, using
the keyboard “up arrow” key is a short-cut to retrieve (and reuse) commands that were used previously in a
context session.
Syntax
history
Parameters
None.
Example
WS5000.<context_path> > history
8.2.8 ping
System Context, Configuration (Cfg) Context, Host Context
Sends ICMP ECHO_REQUEST packets to a network host.
Syntax
ping [-Rdfnqrv] [-c count] [-i wait] [-l preload] [-p pattern]
[-s packetsize] <host/IP_address>
Parameters
-Rdfnqrv
These optional flags can be broken down as follows:
• -R: Record route. Includes the RECORD_ROUTE option in the ECHO_REQUEST packet
and displays the route buffer on returned packets. Note that the IP header is only
large enough for nine such routes. Many hosts ignore or discard this option.
• -d: Set the SO_DEBUG option on the socket being used. Essentially, this socket
option is not used by Linux kernel.
• -f: Flood ping. For every ECHO_REQUEST sent a period “.” is printed, while for every
ECHO_REPLY received a backspace is printed. This provides a rapid display of how
many packets are being dropped. If interval is not given, it sets interval to zero and
outputs packets as fast as they come back or one hundred times per second,
whichever is more. Only the super-user may use this option with zero interval.
• -n: Numeric output only. No attempt will be made to lookup symbolic names for host
addresses.
• -q: Quiet output. Nothing is displayed except the summary lines at startup time and
when finished.
• -r: Bypass the normal routing tables and send directly to a host on an attached
interface. If the host is not on a directly-attached network, an error is returned. This
option can be used to ping a local host through an interface that has no route through
it provided the option -I is also used.
• -v: Verbose output.
-c count
Stop after sending count ECHO_REQUEST packets. With deadline option, ping waits for
count ECHO_REPLY packets, until the timeout expires.
-i wait
Wait the given interval, in seconds, between sending each packet. The default is to wait for one
second between each packet normally, or not to wait in flood mode. Only the super-user may
set the interval to values less than 0.2 seconds.
-l preload
If preload is specified, ping sends that many packets not waiting for reply. Only the
super-user may select preload more than 3.
-p pattern
You may specify up to 16 “pad” bytes to fill out the packet you send. This is useful for
diagnosing data-dependent problems in a network. For example,
-p ff will cause the sent packet to be filled with all ones.
-s packetsize
Specifies the number of data bytes to be sent. The default is 56, which translates into
64 ICMP data bytes when combined with the 8 bytes of ICMP header data.
host/IP_address
The name or IP address of the host to which the request packets are sent.
Example
WS5000> ping WS5000
PING WS5000 (10.1.1.101): 56 data bytes
64 bytes from 10.1.1.101: icmp_seq=0 ttl=255 time=0.037 ms
64 bytes from 10.1.1.101: icmp_seq=1 ttl=255 time=0.042 ms
64 bytes from 10.1.1.101: icmp_seq=2 ttl=255 time=0.05 ms
64 bytes from 10.1.1.101: icmp_seq=3 ttl=255 time=0.052 ms
--- WS5000 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 0.037/0.045/0.052 ms
WS5000>
8.3 System Context
Table 8.3 summarizes the commands within this context.
Table 8.3 System Context Command Summary
Command           Description                                                           Ref.
? or help         Get the command information                                           page 8-11
logout or bye     Close this session                                                    page 8-12
clear             Clear the screen                                                      page 8-12
configure         Change to the Configuration Context to configure system attributes    page 8-12
copy              Copy files between the Switch and TFTP/FTP server                     page 8-13
delete            Delete an image/config file from the system                           page 8-14
description       Set description text                                                  page 8-15
directory         Display the available image/config files in the system                page 8-15
emergencymode     Enable or disable Emergency mode                                      page 8-15
export            Export log files from the switch to the TFTP server                   page 8-16
history           Display command history within a context or instance                  page 8-16
install           Install primary/standby or Kerberos config                            page 8-17
logdir            Display the user saved log files                                      page 8-18
name              Set or change the name                                                page 8-19
ping              Ping a network host/IP address                                        page 8-19
remove            Remove a log file shown by ‘logdir’ command                           page 8-20
restore           Restore a system image or configuration                               page 8-21
rfping            Send a WNMP Ping to an Access Port                                    page 8-21
save              Save the current system configuration to a file                       page 8-22
service           Switches to the Service mode                                          page 8-22
show commands     Display system context specific attributes                            page 8-23
8.3.1 ? or help
System Context
Retrieves a list of the commands supported in the current context or instance.
Syntax
?
or
help
Parameters
None.
Example
WS5000> ?
or
WS5000> help
8.3.2 logout or bye
System Context
Closes or logs out of the current session.
Syntax
logout
or
bye
Parameters
None.
Example
WS5000> logout
or
WS5000> bye
8.3.3 clear
System Context
Clear the screen.
Syntax
clear
Parameters
None.
Example
WS5000 > clear
8.3.4 configure
System Context
Puts the user in the Configuration (Cfg) Context to configure system attributes. See Configuration (Cfg) Context
on page 8-45 for more details.
Syntax
configure
Parameters
None.
Example
WS5000 > configure
WS5000.(Cfg)>
Note As a shortcut, “cfg” can be used instead of “configure”.
8.3.5 copy
System Context
Copies a file from the WS5000 to a (T)FTP server, or vice versa. TFTP can be used to transfer *.sys.img,
*.cfg, and *.sym files. FTP can be used to transfer .krb, .sys.img, .cfg, and .sym files.
The default protocol is TFTP.
The default user for FTP: anonymous
The default mode for FTP: binary
If using FTP and the user is not anonymous (set with the -u option), the CLI prompts the user to enter a password.
IMPORTANT! DO NOT USE THIS COMMAND FOR FILES LARGER THAN 32MB.
Syntax
copy <source> <destination> [-u user] [-m mode]
For TFTP:
copy <source> <destination>
For FTP:
copy <source> <destination> [ -u <ftp_user> ] [ -m <ftp_mode> ]
Parameters
source
The source of the file. Possible values are:
• [protocol:]//<host_name or IP>/[file_name]. For example,
ftp://<ipAddress>/path/[file_name]. If a filename is not supplied, the system will
prompt for one, in addition to a password.
• tftp
• ftp
• system
• .
• <filename, including path>
destination
The destination of the file. Possible values are:
• tftp
• ftp
• system
• .
• /
• [protocol:]//<hostname or IP address>
ftp_user
FTP username. Default is ftpuser.
mode
FTP transfer mode, either ascii or binary. Default is binary.
protocol
Either ‘ftp’ or ‘tftp’
Example
WS5000.(Cfg)> copy tftp system
Enter the file name to be copied from TFTP server : backup.sys.img
IP address of the TFTP server : 10.1.1.1
Copying 'backup.sys.img' from tftp://10.1.1.1 to Switch...
or
WS5000.(Cfg)> copy ftp://100.10.10.1/ftpimages/DefaultConfig.cfg system
Copying 'DefaultConfig.cfg' from ftp://100.10.10.1/ftpimages/ to Switch...
8.3.6 delete
System Context
Deletes the specified image or config file from the WS5000. Use the directory command to list the files that
can be deleted.
Note As a shortcut, “del” can be used instead of “delete”.
Syntax
delete <filename>
Parameters
filename
Name of file to be deleted.
Example
WS5000> directory
Date & Time      Bytes       File Name
Jan 25 15:11     15155       WS5000Defaults_v2.1.0.0-008D.cfg
Jan 25 15:35     18819400    WS5000_v2.1.0.0-008D.sys.img
Jan 25 14:05     6517        cmd_template.sym
WS5000> delete WS5000Defaults_v2.1.0.0-008D.cfg
8.3.7 description
System Context
Sets a description of the switch, which is displayed with the system information.
Syntax
description <description_text>
Parameters
description_text
Enter a brief description of the Wireless Switch.
Example
WS5000> description “Fifth Floor Switch”
8.3.8 directory
System Context
Lists the image and configuration files that are stored on the WS5000.
Note As a shortcut, “dir” can be used instead of “directory”.
Syntax
directory
Parameters
None.
Example
WS5000> directory
Date & Time      Bytes       File Name
Jan 25 15:11     15155       WS5000Defaults_v2.1.0.0-008D.cfg
Jan 25 15:35     18819400    WS5000_v2.1.0.0-008D.sys.img
Jan 25 14:05     6517        cmd_template.sym
8.3.9 emergencymode
System Context
Enables or disables the “Emergency” Switch Policy (ESP), a switch policy that can be activated (enabled) at any
time in case of an emergency. When ESP is deactivated (disabled), the previous switch policy is reactivated.
To set the emergency policy, use the emergencymode command.
Syntax
emergencyMode <enable_flag>
Parameters
enable_flag
Indicates whether to enable or disable the ESP. Possible values are:
• enable
• disable
Example
WS5000.<context_path> > emergencymode enable
8.3.10 export
System Context
Copies log files from the switch to a remote TFTP server. Use logdir to view the list of user log files that can be
exported.
Syntax
WS5000 > export
Parameters
This command is interactive and prompts for the following:
destination
Remote TFTP host
filename
Log file name to be exported to the remote TFTP server
username
The user name given when the log file was created with the diag command. The default
user name is admin.
Example
WS5000> export
Creating the Event list...
Enter the log file name :
8.3.11 history
System Context
Displays the history of the last 300 commands used.
Syntax
WS5000 > history
Parameters
None
Example
Command history...
1. copy ftp://157.235.188.237/home/pavank/dom/dominfo -u pavank -m bin
2. copy ftp://157.235.188.237/home/pavank/dom/dominfo system -u pavank -m bin
3. WS5000> copy ftp://157.235.188.237/home/pavank/dom/dominfo system -u pavank -m
bin
4. Enter the user password : ***********
5. Copying 'dominfo' from ftp://157.235.188.237 to Switch...
6. Data connection mode : BINARY (Connecting as 'pavank')
7. Status : 550 Failed to change directory.
8. clear
9. export
10. clear
11. export
12. export
13. clear
14. history
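The history output above records file transfers together with their protocol, remote host and FTP account. The following added example (not part of the Symbol guide) parses history output against the copy syntax in 8.3.5 and lists each transfer with what it exposes on the network. The sample history is constructed and uses documentation addresses; all function and type names are hypothetical.

```python
import re
import shlex
from typing import List, NamedTuple, Optional, Tuple

_NUMBERED = re.compile(r"^\s*(?P<idx>\d+)\.\s+(?P<text>.*)$")
# History sometimes echoes the prompt in front of the command; strip it.
_ECHOED_PROMPT = re.compile(
    r"^[A-Za-z0-9_-]+(?:\.(?:\([^)]+\)|\[[^\]]+\]|[A-Za-z0-9_-]+))*\s?>\s?"
)
_REMOTE_URL = re.compile(
    r"^(?:(?P<proto>ftp|tftp):)?//(?P<host>[^/]+)(?P<path>/.*)?$", re.I
)


class Transfer(NamedTuple):
    index: int                   # history entry number
    protocol: str                # "ftp" or "tftp"
    direction: str               # "download" (to the switch) or "upload" (from it)
    remote_host: Optional[str]   # None when the CLI asked for it interactively
    remote_path: Optional[str]
    user: Optional[str]          # value of -u, if given
    mode: Optional[str]          # value of -m, if given


def history_entries(text: str) -> List[Tuple[int, str]]:
    """Split history output into (number, command), rejoining wrapped lines."""
    entries = []
    for raw in text.splitlines():
        m = _NUMBERED.match(raw)
        if m:
            entries.append([int(m.group("idx")), m.group("text").strip()])
        elif entries and raw.strip():
            entries[-1][1] += " " + raw.strip()   # continuation of a wrapped entry
    return [(n, _ECHOED_PROMPT.sub("", t, count=1)) for n, t in entries]


def _remote(token: Optional[str]):
    """(protocol, host, path) if the token names a remote end, else None."""
    if token is None:
        return None
    if token.lower() in ("ftp", "tftp"):          # bare keyword: host is prompted for
        return token.lower(), None, None
    m = _REMOTE_URL.match(token)
    if m:                                         # protocol defaults to TFTP (8.3.5)
        return (m.group("proto") or "tftp").lower(), m.group("host"), m.group("path")
    return None


def parse_copy(index: int, command: str) -> Optional[Transfer]:
    """Interpret one history entry as 'copy <source> <destination> [-u] [-m]'."""
    try:
        argv = shlex.split(command)
    except ValueError:
        argv = command.split()
    if not argv or argv[0].lower() != "copy":
        return None
    opts, positional, i = {}, [], 1
    while i < len(argv):
        if argv[i] in ("-u", "-m") and i + 1 < len(argv):
            opts[argv[i]] = argv[i + 1]
            i += 2
        else:
            positional.append(argv[i])
            i += 1
    source = positional[0] if positional else None
    dest = positional[1] if len(positional) > 1 else None
    remote, direction = _remote(source), "download"
    if remote is None:
        remote, direction = _remote(dest), "upload"
    if remote is None:
        return None                               # no network endpoint involved
    proto, host, path = remote
    return Transfer(index, proto, direction, host, path,
                    opts.get("-u"), opts.get("-m"))


def audit_history(text: str) -> List[Transfer]:
    found = (parse_copy(n, cmd) for n, cmd in history_entries(text))
    return [t for t in found if t is not None]


def findings(t: Transfer) -> List[str]:
    """What this transfer exposes; neither FTP nor TFTP encrypts its traffic."""
    notes = [t.protocol.upper() + " carries the file contents unencrypted"]
    if t.protocol == "ftp" and t.user and t.user.lower() != "anonymous":
        notes.append("password for FTP account '%s' is sent unencrypted" % t.user)
    return notes


# Constructed sample in the layout of the history output shown above.
SAMPLE_HISTORY = """\
Command history...
1. cfg
2. copy tftp system
3. copy ftp://192.0.2.10/images/site.cfg system -u netops -m
bin
4. WS5000> copy system ftp://192.0.2.10/backup/ -u netops
5. Enter the user password : ***********
6. show system
7. copy //192.0.2.20/WS5000.sys.img system
"""

if __name__ == "__main__":
    for t in audit_history(SAMPLE_HISTORY):
        print(t.index, t.protocol, t.direction, t.remote_host, "; ".join(findings(t)))
```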
8.3.12 install
System Context
Configures the switch’s failover role as Primary or Standby, and applies all settings specified in the command
file (.sym). Alternatively, this command is used to update Kerberos principals from a specified Kerberos file
(.krb), without reset.
Syntax
install <install_option> [filename]
Parameters
install_option
One of:
• primary – Configures the switch to act as Primary, and applies all settings specified
in the file <filename>. If the command file is not specified, install instead uses the
default “command.sym” file, if present. If “command.sym” is also not present,
install will not change anything.
• standby – Configures the switch to act as Standby, and applies all settings as
described for the primary parameter value.
• kerberos – Updates the Kerberos principals from the settings in the
<filename> file (.krb), without reset.
• runcli – Configures the switch with the commands in the CLI commands
filename
Command (*.sym) or Kerberos (*.krb) file to use, which contains configuration settings.
The default .sym file is command.sym
Example
WS5000.(Cfg)> install primary cmd_template.sym
Begin command file processing...
Begin parsing command file for download and logging parameters...
Command file was parsed successfully.
Current Image Version is 2.1.0. FS patch will not be installed.
Begin processing image file...
Nothing to do. Skipping...
Begin processing config file...
Nothing to do. Skipping...
Validating IP parameters...
ERROR: Hostname or IP has not been provided!
Cannot set switch to Primary.
ERROR: IP parameter validation failed.
Rebooting the switch...
WS5000.(Cfg)> install standby cmd_template.sym
Begin command file processing...
Begin parsing command file for download and logging parameters...
Command file was parsed successfully.
Current Image Version is 2.1.0. FS patch will not be installed.
Begin processing image file...
Nothing to do. Skipping...
Begin processing config file...
Nothing to do. Skipping...
Validating IP parameters...
ERROR: Hostname or IP has not been provided!
Cannot set switch to Primary.
ERROR: IP parameter validation failed.
Rebooting the switch...
8.3.13 logdir
System Context
Lists all the user-saved log files (history, syslog). For example, a packet capture taken on Ethernet 1 and
saved to a file is listed by the logdir command. It does not list image or config files; use the directory
command to list image/config files.
Syntax
WS5000 > logdir
or
WS5000 > logdir user <username>
Parameter
username
The name of the user, whose logs are to be displayed
Example
WS5000.(Cfg)> ..
WS5000> service
Enter CLI Service Mode password: ********
Enabling CLI Service Mode commands...... done.
SM-WS5000> capture packet ifname eth1 enable
Start Packet Capture....
sending ioctl to capture packet
SM-WS5000> cfg
SM-WS5000.(Cfg)> save packet examplepacketcapture
Saving captured packets....done
SM-WS5000.(Cfg)> logdir
File Name                      Bytes    Date & time
========================================================
examplepacketcapture.pktbin    25835    Sun Feb 12 17:26:39 2006
8.3.14 name
System Context
Use the name command to change the system name.
Syntax
name <system_name>
Parameters
system_name
The new name of the switch.
Example
WS5000> name MiamiWS5000
Configuring name...
Status : Success.
MiamiWS5000>
8.3.15 ping
System Context
Sends ICMP ECHO_REQUEST packets to a network host.
Syntax
ping <host/ip_address>
OPTIONS:
ping [-Rdfnqrv] [-c count] [-i wait] [-l preload] [-p pattern][-s packetsize]
<host>
Parameters
-Rdfnqrv
These optional flags can be broken down as follows:
• -R: Record route. Includes the RECORD_ROUTE option in the ECHO_REQUEST packet
and displays the route buffer on returned packets. Note that the IP header is only
large enough for nine such routes. Many hosts ignore or discard this option.
• -d: Set the SO_DEBUG option on the socket being used. Essentially, this socket
option is not used by Linux kernel.
• -f: Flood ping. For every ECHO_REQUEST sent a period “.” is printed, while for every
ECHO_REPLY received a backspace is printed. This provides a rapid display of how
many packets are being dropped. If interval is not given, it sets interval to zero and
outputs packets as fast as they come back or one hundred times per second,
whichever is more. Only the super-user may use this option with zero interval.
• -n: Numeric output only. No attempt will be made to lookup symbolic names for host
addresses.
• -q: Quiet output. Nothing is displayed except the summary lines at startup time and
when finished.
• -r: Bypass the normal routing tables and send directly to a host on an attached
interface. If the host is not on a directly-attached network, an error is returned. This
option can be used to ping a local host through an interface that has no route through
it provided the option -I is also used.
• -v: Verbose output.
-c count
Stop after sending count ECHO_REQUEST packets. With deadline option, ping waits for
count ECHO_REPLY packets, until the timeout expires.
-i wait
Wait the given interval, in seconds, between sending each packet. The default is to wait for one
second between each packet normally, or not to wait in flood mode. Only the super-user may
set the interval to values less than 0.2 seconds.
-l preload
If preload is specified, ping sends that many packets not waiting for reply. Only the
super-user may select preload more than 3.
-p pattern
You may specify up to 16 “pad” bytes to fill out the packet you send. This is useful for
diagnosing data-dependent problems in a network. For example,
-p ff will cause the sent packet to be filled with all ones.
-s packetsize
Specifies the number of data bytes to be sent. The default is 56, which translates into
64 ICMP data bytes when combined with the 8 bytes of ICMP header data.
host
The name of the host to which the request packets are sent.
Example
WS5000> ping WS5000
PING WS5000 (10.1.1.101): 56 data bytes
64 bytes from 10.1.1.101: icmp_seq=0 ttl=255 time=0.037 ms
64 bytes from 10.1.1.101: icmp_seq=1 ttl=255 time=0.042 ms
64 bytes from 10.1.1.101: icmp_seq=2 ttl=255 time=0.05 ms
64 bytes from 10.1.1.101: icmp_seq=3 ttl=255 time=0.052 ms
--- WS5000 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 0.037/0.045/0.052 ms
WS5000>
8.3.16 remove
System Context
Removes specified log file.
Syntax
remove <filename> [username - optional]
Parameters
filename
The name of the file that needs to be deleted
username
The name of the user, from whose storage area, the log file is to be deleted
Example
WS5000.cfg>logdir
File Name       Bytes    Date & time
========================================================
Log1.history    7833     Thu Jan 19 04:36:16 2006
WS5000.(Cfg)> remove Log1.history
Removing file 'Log1.history'.... done.
8.3.17 restore
System Context
Restores the specified system image and/or configuration, and then resets (reboots) the system with the newly
restored image and/or configuration.
Syntax
restore <restore_option> <filename>
Parameters
restore_option
The type of restore to be invoked. One of:
• system – Restores the system image and configuration from the specified file
• configuration – Restores the configuration from the specified file
• standby – Restores the standby configuration from the specified file
filename
The system image or configuration file to be restored
Example
WS5000>restore config siteconfig.cfg
This command will reset the system and boot up with the new configuration.
Do you want to continue (yes/no) : y
Restoring configuration from siteconfig.cfg
Restoring Wireless Network Management Configuration ...
This may take a few mins ...
Restoring configuration from siteconfig.cfg
Software Ver.
: 1.4.1.0-003D
Starting the Wireless Switch 5000 ...
Licensed to
: Symbol
Configuring ethernet ports ...
Done.
Done.
No TFTP server is present.
Max Mobile Clients
Exiting auto install script...
Active Switch
Starting system database ...Wireless Switch Policy
Done.
Starting switch processes ...
8.3.18 rfping
System Context
This performs a ping to the specified access port, using WNMP, for a specified number of times.
Note This CLI is supported only for AP200 and AP300.
Syntax
rfping <mac address> [<count>]
Parameters
mac address
The device MAC address of the Access Port
Example
WS5000> rfping 00:A0:F8:00:00:26 10
Sending (10) WNMP Ping to 00:A0:F8:00:00:26
WnmpPing reply 1 received successfully
WnmpPing reply 2 received successfully
WnmpPing reply 3 received successfully
WnmpPing reply 4 received successfully
WnmpPing reply 5 received successfully
WnmpPing reply 6 received successfully
WnmpPing reply 7 received successfully
WnmpPing reply 8 received successfully
WnmpPing reply 9 received successfully
WnmpPing reply 10 received successfully
WS5000>
8.3.19 save
System Context
Saves the running system configuration to the specified file. Use directory to list the saved configuration files.
Syntax
save configuration <filename>
Parameters
filename
The filename into which you want to save the running configuration. The .cfg extension
is automatically appended.
Example
WS5000> save configuration qwerty-config-14-dec
Saving running configuration in: qwerty-config-14-dec.cfg
Saving wireless network management configuration...
Configuration saved successfully.
WS5000> directory
Date & Time      Bytes    File Name
Dec 11 02:36     60432    WS5000Defaults_v2.1.0.0-010B.cfg
Dec 4  03:04     6453     cmd_template.sym
Dec 14 14:34     61525    qwerty-config-14-dec.cfg
Dec 14 14:34     72256    qwerty-config-14-dec.cfg.txt
8.3.20 service
System Context
Places the user in a Service Mode (for which a password is required). This is a command line mode used mostly
by Symbol technicians.
For more details on working within Service Mode, refer to the WS5000 Series Switch Troubleshooting Guide.
8.4 show commands
System Context
Configuration (Cfg) Context
Show the settings for the specified system component. There are a number of ways to invoke the show
command:
• Invoked without any arguments, show displays information about the current context. If the current
context contains instances, then the show command (usually) displays a list of these instances.
In the case of the System/Configuration context, show displays all the possible show command
variations. Use the show system command to show system information.
• Invoked with the display_parameter, it displays information about that component.
Syntax
show [ display_parameter ]
Example
WS5000.(Cfg)> show wlan
WS5000 > show system
Parameters
Table 8.4 lists and describes the display_parameters in the show command.
Table 8.4 show command’s display_parameter Summary
Display_parameter
Description
Context
Example
show aaa-server
Displays AAA information
system / cfg
page 8-25
show accessports
Displays details of all access ports or available
access ports
system / cfg
page 8-25
show acl
Display ACL Information
system / cfg
page 8-26
show allconfig
Displays all configurations on the switch
system
page 8-26
show appolicy
Displays Access Port Policy
system / cfg
page 8-26
show arp
Display arp cache
cfg
page 8-26
show autoinstalllog
Displays autoinstall log
system / cfg
page 8-26
show ce
Displays Classifiers
system / cfg
page 8-27
show cfghistory
Displays configuration change history
system / cfg
page 8-27
show cg
Displays Classification Group
system / cfg
page 8-28
show channelinfo
Displays channel no and country code details
system / cfg
page 8-28
show chassis
Displays Chassis details
system / cfg
page 8-31
show configaccess
Displays configured system access restrictions
system / cfg
page 8-32
show ethernet
Displays Ethernet Port details
system / cfg
page 8-32
show etherpolicy
Displays EtherPolicy details
system / cfg
page 8-32
8-24
WS 5000 Series System Reference
Table 8.4 show command’s display_parameter Summary
Display_parameter
Description
Context
Example
show events             Show Syslog event details                           system / cfg  page 8-32
show ftp                Displays FTP status                                 system / cfg  page 8-34
show history            Display previously executed CLI commands            cfg           page 8-34
show host               Displays the Hosts defined in the system            system / cfg  page 8-34
show https              Displays the Applet access type (http/https).       system / cfg  page 8-34
show interfaces         Displays interface details                          system / cfg  page 8-34
show kdc                Displays KDC details                                system / cfg  page 8-35
show knownap            Displays known APs in the neighborhood.             system / cfg  page 8-35
show lan                Displays LAN details                                system / cfg  page 8-35
show mu                 Displays MU details (list)                          system / cfg  page 8-35
show musummary          Display MU summary                                  cfg           page 8-36
show np                 Displays Network Policy information                 system / cfg  page 8-36
show po                 Displays Policy Object information                  system / cfg  page 8-36
show radius-server      Displays Radius information for authenticating      system / cfg  page 8-36
                        management users logins (to manage the WS5000
                        switch)
show rfstats            Display RF statistics for specific AP               cfg           page 8-37
show rfthreshold        Display RF Stats Threshold Values for SNMP traps    cfg           page 8-37
show rougeap            Display Rogue AP configuration                      cfg           page 8-38
show routes             Displays configured routes                          system / cfg  page 8-38
show securitypolicy     Displays security policy details                    system / cfg  page 8-38
show sensor             Display Sensor Details                              system / cfg  page 8-38
show snmpclients        Displays the SNMP Client/community details          system / cfg  page 8-39
show snmpstatus         Displays SNMP status                                system / cfg  page 8-39
show ssh                Displays SSH configuration                          system / cfg  page 8-39
show standby            Displays Standby configuration                      system / cfg  page 8-39
show switchpolicy       Displays Switch Policy                              system / cfg  page 8-40
show sysalerts          Displays system alert logs (events)                 system / cfg  page 8-40
show syslog             Displays Syslog details                             system / cfg  page 8-40
show system             Displays system information                         system / cfg  page 8-40
show telnet             Displays Telnet status                              system / cfg  page 8-41
show time               Displays date and time information                  system / cfg  page 8-41
show traphosts          Displays the SNMP trap-host details                 system / cfg  page 8-41
show tunnels            Displays the configured GRE on the system           system / cfg  page 8-41
show users              Displays user information                           system / cfg  page 8-42
show version            Displays the system version details                 system / cfg  page 8-42
show vlan               Displays VLAN details                               system / cfg  page 8-42
show vpnsupportstatus   Displays vpn support status                         system / cfg  page 8-42
show wlan               Displays WLAN details                               system / cfg  page 8-42
show wme                Displays WME Profile details                        system / cfg  page 8-43
show WSrfstats          Display RF statistics for Wireless Switch (WS)      cfg           page 8-43
show wtls               Display WTLS general settings                       cfg           page 8-43
show wvpn               Display WVPN general settings                       cfg           page 8-43
8.4.1 show aaa-server
WS5000.(Cfg)> show aaa-server
AAA database update status:
----------------------------
AAA Server Status    Active
Database Type        local
8.4.2 show accessports
WS5000> show accessports
     Access Ports            Radio MAC           Device MAC          Type  Status
     ------------            ---------           ----------          ----  ------
1    00:A0:F8:A2:26:66 [B]   00:A0:F8:A2:26:66   00:A0:F8:A2:26:66   B     Active
2    00:A0:F8:BC:E8:37 [A]   00:A0:F8:BC:D3:F0   00:A0:F8:BC:E8:37   A     Reset
3    00:A0:F8:BC:E8:37 [G]   00:A0:F8:BF:95:B4   00:A0:F8:BC:E8:37   G     Reset
4    00:A0:F8:BC:E3:48 [G]   00:A0:F8:BC:B4:0C   00:A0:F8:BC:E3:48   G     Unavailable
5    00:A0:F8:BC:E3:48 [A]   00:A0:F8:BC:A6:10   00:A0:F8:BC:E3:48   A     Unavailable
6    00:A0:F8:00:00:26 [G]   00:A0:F8:BF:EF:30   00:A0:F8:00:00:26   G     Active
7    00:A0:F8:00:00:26 [A]   00:A0:F8:BF:EE:54   00:A0:F8:00:00:26   A     Active
8    00:A0:F8:BC:E3:47 [G]   00:A0:F8:BC:B4:40   00:A0:F8:BC:E3:47   G     Unavailable
9    00:A0:F8:BC:E3:47 [A]   00:A0:F8:BC:A5:F8   00:A0:F8:BC:E3:47   A     Unavailable
10   00:A0:F8:60:C6:64 [B]   00:A0:F8:60:C9:80   00:A0:F8:60:C6:64   B     Unavailable
11   00:A0:F8:60:C6:64 [A]   00:A0:F8:60:BE:E6   00:A0:F8:60:C6:64   A     Unavailable
WS5000> show accessports available
     Access Ports            Radio MAC           Device MAC          Type  Status
     ------------            ---------           ----------          ----  ------
1    00:A0:F8:A2:26:66 [B]   00:A0:F8:A2:26:66   00:A0:F8:A2:26:66   B     Active
2    00:A0:F8:BC:E8:37 [A]   00:A0:F8:BC:D3:F0   00:A0:F8:BC:E8:37   A     Reset
3    00:A0:F8:BC:E8:37 [G]   00:A0:F8:BF:95:B4   00:A0:F8:BC:E8:37   G     Reset
4    00:A0:F8:00:00:26 [G]   00:A0:F8:BF:EF:30   00:A0:F8:00:00:26   G     Active
5    00:A0:F8:00:00:26 [A]   00:A0:F8:BF:EE:54   00:A0:F8:00:00:26   A     Active
8.4.3 show acl
WS5000> show acl
Available ACLs:
1. New ACL.
8.4.4 show allconfig
WS5000> show allconfig
<displays all the configurations here>
8.4.5 show appolicy
WS5000> show appolicy
Available Access Port Policies:
1. Default Access Port Policy.
8.4.6 show arp
WS5000.(Cfg)> show arp
ARP Information:
(10.15.10.246) at 00:00:0C:07:AC:01 [ether] on psdT
wswksinba00100r.corp.internal.symbol.com (111.222.200.007) at 00:11:25:89:19:34 [ether] on psdT
8.4.7 show autoinstalllog
WS5000.(Cfg)> show autoinstalllog
Autoinstall log
Symbol Wireless Switch WS 5000 Series.
Please enter your username and password to access the Command Line Interface.
userid:
password:
Retrieving user and system information...
Setting user permissions flags..
Checking KDC access permissions...
Welcome...
Creating the Event list...
System information...
System Name                   : primarynew
Description                   : WS5000 Wireless Network
Switch Location               :
Software Ver.                 : 2.1.0.0-012B
Licensed to                   : Symbol Technologies
Copyright                     : Copyright (c) 2000-2005. All rights reserved.
Serial Number                 : 00A0F865B4E4
Number of Licenses            : 30
Max Access Ports              : 30
Max Mobile Clients            : 4096
MU Idle Timeout value         : 1800 seconds
Active Switch Policy          : WSP
Emergency Switch Policy       : Not defined
Switch Uptime                 : 00d:13h:33m
Global RF stats               : Disabled
# of Unassigned Access Ports  : 0
CLI AutoInstall Status        : Enabled
8.4.8 show ce
WS5000> show ce
Classifier information...
Available Classifiers (CE):
1. Ex HTTP Traffic.
2. Ex Telnet Traffic.
3. RTP_Data.
4. Spectra_Link_Phone.
5. VoIP_Call_Setup_In.
6. VoIP_Call_Setup_Out.
7. VoIP_Ext_Services_Out.
8. VoIP_Ext_Services_In.
9. VoIP_RAS_In.
10. VoIP_RAS_Out.
11. New HTTP Traffic Classifier.
8.4.9 show cfghistory
WS5000.(Cfg)> show cfghistory
Last Configuration Change
-------------------------
wlans.[Private Access].essid changed to 7072697661746531, at Fri Sep 16 11:33:45 2005.
Note: To view the config change history, enable snmptrap for “Switch configuration changed” under Events context.
WS5000.(Cfg)> show cfghistory all
Last Configuration Change
-------------------------
1. cc.configchange changed to true, at Thu Sep 15 14:55:31 2005.
2. cc.snmpip changed to add rw 1.4.1.16 refe 161, at Thu Sep 15 14:56:41 2005.
3. cc.snmpip changed to add rw 138.200.200.11 symbol 161, at Fri Sep 16 11:32:32 2005.
4. wlans.[Private Access].essid changed to 7072697661746531, at Fri Sep 16 11:33:45 2005.
Note: To view the config change history, you have to enable snmptrap for “Switch configuration changed” under Events context.
Note: show cfghistory all displays recent configuration changes, up to a maximum of 20 changes.
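The following added example (not part of the Symbol guide) parses captured show cfghistory output into records for change auditing, rejoining entries that the terminal wrapped across two lines. The sample text is constructed from the output above; the cc.snmpip value layout and the treatment of an all-hex essid value as hex-encoded ASCII are assumptions drawn from that sample.

```python
import re
from datetime import datetime

# Constructed sample: the "show cfghistory all" output from this section,
# including the terminal wraps that split entries 3 and 4 across two lines.
SAMPLE = """\
Last Configuration Change
-------------------------
1. cc.configchange changed to true, at Thu Sep 15 14:55:31 2005.
2. cc.snmpip changed to add rw 1.4.1.16 refe 161, at Thu Sep 15 14:56:41 2005.
3. cc.snmpip changed to add rw 138.200.200.11 symbol 161, at Fri Sep 16 11:32:32
2005.
4. wlans.[Private Access].essid changed to 7072697661746531, at Fri Sep 16
11:33:45 2005.
"""

# "<n>. <key> changed to <value>, at <ctime-style timestamp>."
# The leading number is optional because plain "show cfghistory" omits it.
ENTRY = re.compile(
    r"^(?:(?P<num>\d+)\.\s+)?(?P<key>\S.*?) changed to (?P<value>.*), "
    r"at (?P<when>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4})\.$"
)
HEX_RUN = re.compile(r"^(?:[0-9A-Fa-f]{2})+$")


def decode_if_hex(value):
    """Return printable ASCII text if value is an even-length hex string, else None."""
    if not HEX_RUN.match(value):
        return None
    raw = bytes.fromhex(value)
    return raw.decode("ascii") if all(0x20 <= b < 0x7F for b in raw) else None


def parse_cfghistory(text):
    """Turn captured CLI output into a list of change records, in the order shown."""
    records, buf = [], ""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Last Configuration") or set(line) == {"-"}:
            continue  # blank line, title, or rule
        buf = f"{buf} {line}".strip()
        m = ENTRY.match(buf)
        if m is None:
            continue  # entry was wrapped by the terminal; keep accumulating
        records.append({
            "num": int(m["num"]) if m["num"] else None,
            "key": m["key"],
            "value": m["value"],
            "when": datetime.strptime(" ".join(m["when"].split()),
                                      "%a %b %d %H:%M:%S %Y"),
        })
        buf = ""
    return records


def review(records):
    """Return (timestamp, message) pairs for changes worth a second look."""
    findings = []
    for rec in records:
        parts = rec["value"].split()
        # Assumed layout, taken from the sample: add <access> <ip> <community> <port>
        if rec["key"] == "cc.snmpip" and parts[:2] == ["add", "rw"] and len(parts) >= 4:
            findings.append((rec["when"],
                             f"SNMP read/write client {parts[2]} added "
                             f"(community '{parts[3]}')"))
        elif rec["key"].endswith(".essid"):
            # Assumption: an all-hex ESSID value is the hex encoding of the name.
            name = decode_if_hex(rec["value"]) or rec["value"]
            findings.append((rec["when"], f"{rec['key']} set to '{name}'"))
    return findings


if __name__ == "__main__":
    for when, message in review(parse_cfghistory(SAMPLE)):
        print(when.isoformat(sep=" "), message)
```

Because show cfghistory all keeps at most 20 changes, records parsed this way need to be collected and stored off the switch to form a complete audit trail.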
8.4.10 show cg
WS5000> show cg
Classification Group information...
Available Classification Groups:
1. NetVision_VoIP_In.
2. NetVision_VoIP_Out.
3. New Classification Group.
8.4.11 show channelinfo
WS5000.(Cfg)> show channelinfo
Country Name        Code  RF Channels (A, B, G and FH)
------------        ----  ----------------------------
Argentina           AR    B Ch: 1-11 G Ch: 1-11 FH Ch: 2-80
                          A Ch: 149,153,157,161,165
Australia           AU    B Ch: 1-13 G Ch: 1-13 FH Ch: 2-80
                          A Ch: 36,40,44,48,52,56,60,64,149,153,157,161,165
Austria             AT    B Ch: 1-13 G Ch: 1-13 FH Ch: 2-80
                          A Ch: 36,40,44,48,52,56,60,64,100,104,108,112,116,120,124,128,132,136,140
Bahrain             BH    B Ch: 1-13 G Ch: 1-13 FH Ch: 2-80
                          A Ch:
Belarus             BL    B Ch: 1-13 G Ch: 1-13 FH Ch: 2-80
                          A Ch:
Belgium             BE    B Ch: 1-13 G Ch: 1-13 FH Ch: 2-80
                          A Ch: 36,40,44,48,52,56,60,64
Brazil              BR    B Ch: 1-11 G Ch: 1-11 FH Ch: 2-80
                          A Ch: 149,153,157,161,165
Bulgaria            BG    B Ch: 1-13 G Ch: 1-13 FH Ch: 2-80
                          A Ch:
Canada              CA    B Ch: 1-13 G Ch: 1-13 FH Ch: 2-80
                          A Ch: 36,40,44,48,52,56,60,64,149,153,157,161,165
Chile               CL    B Ch: 1-11 G Ch: 1-11 FH Ch: 2-80
                          A Ch: 149,153,157,161,165
China               CN    B Ch: 1-13 G Ch: 1-13 FH Ch: 2-80
                          A Ch: 149,153,157,161,165
Columbia            CO    B Ch: 1-11 G Ch: 1-11 FH Ch: 2-80
                          A Ch: 149,153,157,161,165
Costa Rica          CR    B Ch: 1-11 G Ch: 1-11 FH Ch: 2-80
                          A Ch:
Croatia             HR    B Ch: 1-13 G Ch: 1-13 FH Ch: 2-80
                          A Ch:
Cyprus              CY    B Ch: 1-13 G Ch: 1-13 FH Ch: 2-80
                          A Ch: 36,40,44,48,52,56,60,64,100,104,108,112,116,120,124,128,132,136,140
Czech Republic      CZ    B Ch: 1-13 G Ch: 1-13 FH Ch: 2-80
                          A Ch: 36,40,44,48,52,56,60,64
Denmark             DK    B Ch: 1-13 G Ch: 1-13 FH Ch: 2-80
                          A Ch: 36,40,44,48,52,56,60,64,100,104,108,112,116,120,124,128,132,136,140
Ecuador             EC    B Ch: 1-11 G Ch: 1-11 FH Ch: 2-80
                          A Ch: 149,153,157,161,165
Egypt               EG    B Ch: 1-13 G Ch: 1-13 FH Ch: 2-80
                          A Ch:
Estonia             EE    B Ch: 1-13 G Ch: 1-13 FH Ch: 2-80
                          A Ch: 36,40,44,48,52,56,60,64,100,104,108,112,116,120,124,128,132,136,140
Finland             FI    B Ch: 1-13 G Ch: 1-13 FH Ch: 2-80
                          A Ch: 36,40,44,48,52,56,60,64,100,104,108,112,116,120,124,128,132,136,140
France              FR    B Ch: 1-13 G Ch: 1-13 FH Ch: 48-82
                          A Ch: 36,40,44,48,52,56,60,64
Germany             DE    B Ch: 1-13 G Ch: 1-13 FH Ch: 2-80
                          A Ch: 36,40,44,48,52,56,60,64,100,104,108,112,116,120,124,128,132,136,140
Greece              GR    B Ch: 1-13 G Ch: 1-13 FH Ch: 2-80
                          A Ch: 36,40,44,48,52,56,60,64
Guatemala           GT    B Ch: 1-11 G Ch: 1-11 FH Ch: 2-80
                          A Ch:
Hong Kong           HK    B Ch: 1-13 G Ch: 1-13 FH Ch: 2-80
                          A Ch: 36,40,44,48,52,56,60,64,149,153,157,161,165
Hungary             HU    B Ch: 1-13 G Ch: 1-13 FH Ch: 2-80
                          A Ch: 36,40,44,48,52,56,60,64
Iceland             IS    B Ch: 1-13 G Ch: 1-13 FH Ch: 2-80
                          A Ch: 36,40,44,48,52,56,60,64,100,104,108,112,116,120,124,128,132,136,140
India               IN    B Ch: 1-13 G Ch: 1-13 FH Ch: 2-80
                          A Ch:
Indonesia           ID    B Ch: 1-13 G Ch: 1-13 FH Ch: 2-80
                          A Ch:
Ireland             IE    B Ch: 1-13 G Ch: 1-13 FH Ch: 2-80
                          A Ch: 36,40,44,48,52,56,60,64,100,104,108,112,116,120,124,128,132,136,140
Israel              IL    B Ch: 5-8 G Ch: 5-8 FH Ch: 20-54
                          A Ch:
Italy               IT    B Ch: 1-13 G Ch: 1-13 FH Ch: 2-80
                          A Ch: 36,40,44,48,52,56,60,64
Japan               JP    B Ch: 1-14 G Ch: 1-14 FH Ch: 73-95
                          A Ch: 34,38,42,46
Jordan              JO    B Ch: 1-13 G Ch: 1-13 FH Ch: 2-80
                          A Ch:
Kazakhstan          KZ    B Ch: 1-13 G Ch: 1-13 FH Ch: 2-80
                          A Ch:
Kuwait              KW    B Ch: 1-13 G Ch: 1-13 FH Ch: 2-80
                          A Ch:
Latvia              LV    B Ch: 1-13 G Ch: 1-13 FH Ch: 2-80
                          A Ch: 36,40,44,48,52,56,60,64,100,104,108,112,116,120,124,128,132,136,140
Liechtenstein       LI    B Ch: 1-13 G Ch: 1-13 FH Ch: 2-80
                          A Ch: 36,40,44,48,52,56,60,64
Lithuania           LT    B Ch: 1-13 G Ch: 1-13 FH Ch: 2-80
                          A Ch: 36,40,44,48,52,56,60,64,100,104,108,112,116,120,124,128,132,136,140
Luxembourgh         LU    B Ch: 1-13 G Ch: 1-13 FH Ch: 2-80
                          A Ch:
Malaysia            MY    B Ch: 1-13 G Ch: 1-13 FH Ch: 2-80
                          A Ch: 52,56,60,64,149,153,157,161,165
Malta               MT    B Ch: 1-13 G Ch: 1-13 FH Ch: 2-80
                          A Ch: 36,40,44,48,52,56,60,64,100,104,108,112,116,120,124,128,132,136,140
Mexico              MX    B Ch: 11-13 G Ch: 11-13 FH Ch: 52-80
                          A Ch: 149,153,157,161,165
Morocco             MA    B Ch: 1-13 G Ch: 1-13 FH Ch: 2-80
                          A Ch: 36,40,44,48
Netherlands         NL    B Ch: 1-13 G Ch: 1-13 FH Ch: 2-80
                          A Ch: 36,40,44,48,52,56,60,64,100,104,108,112,116,120,124,128,132,136,140
New Zealand         NZ    B Ch: 1-13 G Ch: 1-13 FH Ch: 2-80
                          A Ch: 36,40,44,48,52,56,60,64,100,104,108,112,116,120,124,128,132,136,140
Norway              NO    B Ch: 1-13 G Ch: 1-13 FH Ch: 2-80
                          A Ch: 36,40,44,48,52,56,60,64,100,104,108,112,116,120,124,128,132,136,140
Oman                OM    B Ch: 1-13 G Ch: 1-13 FH Ch: 2-80
                          A Ch:
Panama              PA    B Ch: 1-11 G Ch: 1-11 FH Ch: 2-80
                          A Ch:
Peru                PE    B Ch: 1-13 G Ch: 1-13 FH Ch: 0-0
                          A Ch: 149,153,157,161,165
Philippines         PH    B Ch: 1-13 G Ch: 1-13 FH Ch: 2-80
                          A Ch:
Poland              PL    B Ch: 1-13 G Ch: 1-13 FH Ch: 2-80
                          A Ch: 36,40,44,48,52,56,60,64,100,104,108,112,116,120,124,128,132,136,140
Portugal            PT    B Ch: 1-13 G Ch: 1-13 FH Ch: 2-80
                          A Ch: 36,40,44,48,52,56,60,64,100,104,108,112,116,120,124,128,132,136,140
Qatar               QA    B Ch: 1-13 G Ch: 1-13 FH Ch: 2-80
                          A Ch:
Romania             RO    B Ch: 1-13 G Ch: 1-13 FH Ch: 2-80
                          A Ch:
Russian Federation  RU    B Ch: 1-13 G Ch: 1-13 FH Ch: 2-80
                          A Ch: 36,40,44,48,52,56,60,64
Saudi Arabia        SA    B Ch: 1-13 G Ch: 1-13 FH Ch: 2-80
                          A Ch: 36,40,44,48,52,56,60,64,149,153,157,161
Singapore           SG    B Ch: 1-13 G Ch: 1-13 FH Ch: 2-80
                          A Ch: 36,40,44,48,52,56,60,64,149,153,157,161
Slovak Republic     SK    B Ch: 1-13 G Ch: 1-13 FH Ch: 2-80
                          A Ch: 36,40,44,48,52,56,60,64
Slovenia            SI    B Ch: 1-13 G Ch: 1-13 FH Ch: 2-80
                          A Ch: 36,40,44,48,52,56,60,64
South Africa        ZA    B Ch: 1-13 G Ch: 1-13 FH Ch: 2-80
                          A Ch: 36,40,44,48,52,56,60,64,100,104,108,112,116,120,124,128,132,136,140
South Korea         KR    B Ch: 1-13 G Ch: 1-13 FH Ch: 54-76
                          A Ch:
Spain               ES    B Ch: 1-13 G Ch: 1-13 FH Ch: 47-73
                          A Ch: 36,40,44,48,52,56,60,64
Sri Lanka           LK    B Ch: 1-2 G Ch: 1-2 FH Ch: 2-80
                          A Ch:
Sweden              SE    B Ch: 1-13 G Ch: 1-13 FH Ch: 2-80
                          A Ch: 36,40,44,48,52,56,60,64,100,104,108,112,116,120,124,128,132,136,140
Switzerland         CH    B Ch: 1-13 G Ch: 1-13 FH Ch: 2-80
                          A Ch: 36,40,44,48,52,56,60,64
Taiwan              TW    B Ch: 1-13 G Ch: 1-13 FH Ch: 2-80
                          A Ch: 52,56,60,64,100,104,108,112,116,120,124,128,132,136,140,149,153,157,161
Thailand            TH    B Ch: 1-13 G Ch: 1-13 FH Ch: 2-80
                          A Ch:
Turkey              TR    B Ch: 1-13 G Ch: 1-13 FH Ch: 2-80
                          A Ch: 36,40,44,48,52,56,60,64
UAE                 AE    B Ch: 1-13 G Ch: 1-13 FH Ch: 2-80
                          A Ch:
Ukraine             UA    B Ch: 1-13 G Ch: 1-13 FH Ch: 2-80
                          A Ch:
United Kingdom      GB    B Ch: 1-13 G Ch: 1-13 FH Ch: 2-80
                          A Ch: 36,40,44,48,52,56,60,64,100,104,108,112,116,120,124,128,132,136,140
United States       US    B Ch: 1-11 G Ch: 1-11 FH Ch: 2-80
                          A Ch: 36,40,44,48,52,56,60,64,149,153,157,161,165
Uruguay             UY    B Ch: 1-13 G Ch: 1-13 FH Ch: 2-80
                          A Ch:
Venezuela           VE    B Ch: 1-11 G Ch: 1-11 FH Ch: 2-80
                          A Ch: 149,153,157,161,165
Vietnam             VN    B Ch: 1-12 G Ch: 1-12 FH Ch: 2-80
                          A Ch:
WS5000.(Cfg)>
8.4.12 show chassis
WS5000.(Cfg)> show chassis
Description
-----------
CPU Temperature
System Temperature
System Fan (rpm)
CPU Fan (rpm)
System Fan 2 (rpm)
System Fan 3 (rpm)
System Fan 4 (rpm)
Curr Value
----------
24 C
29 C
OFF
16071
OFF
OFF
OFF
Max Value
---------
32 C
30 C
16463
-
Min Value
---------
24 C
29 C
16071
-
Notify Value
------------
0 C
0 C
None
None
None
None
None
8.4.13 show configaccess
WS5000> show configaccess
Configuration Access restriction details:
Telnet access (CLI)                     : Disable.
System access via SNMP                  : Enable.
KDC configuration over remote console   : Enable.
KDC configuration through SNMP          : Enable.
8.4.14 show ethernet
WS5000> show ethernet
Available EtherPorts are:
Ethernet 1
Ethernet 2
8.4.15 show etherpolicy
WS5000> show etherpolicy
Available EtherPolicies are:
1. Default Ethernet Policy.
2. New Ethernet Port Policy.
3. eth1.
8.4.16 show events
WS5000.(Cfg)> events
Num  Events                                  Local Log  SNMP Trap  Syslog Severity
---  ------                                  ---------  ---------  ---------------
1    License number change                   Enabled    Disabled   Disabled
2    Clock change                            Enabled    Disabled   Disabled
3    Packet discard [wrong NIC]              Enabled    Disabled   Disabled
4    Packet discard [wrong VLAN]             Enabled    Disabled   Disabled
5    AP adopt failure [general]              Enabled    Enabled    Disabled
6    AP adopt failure [policy disallow]      Enabled    Enabled    Disabled
7    AP adopt failure [acl disallow]         Enabled    Enabled    Disabled
8    AP adopt failure [limit exceeded]       Enabled    Enabled    Disabled
9    AP adopt failure [license disallow]     Enabled    Enabled    Disabled
10   AP adopt failure [no image]             Enabled    Enabled    Disabled
11   AP status [offline]                     Enabled    Enabled    Disabled
12   AP status [alert]                       Enabled    Enabled    Disabled
13   AP status [adopted]                     Enabled    Enabled    Disabled
14   AP status [reset]                       Enabled    Enabled    Disabled
15   AP config failed [no ESS]               Enabled    Enabled    Disabled
16   AP max MU count reached                 Enabled    Enabled    Disabled
17   AP detected                             Enabled    Disabled   Disabled
18   Device msg dropped [info]               Enabled    Enabled    Disabled
19   Device msg dropped [loadme]             Enabled    Enabled    Disabled
20   Ether port connected                    Enabled    Enabled    Disabled
21   Ether port disconnected                 Enabled    Enabled    Disabled
22   MU assoc failed [ACL violation]         Enabled    Enabled    Disabled
23   MU assoc failed                         Enabled    Enabled    Disabled
24   MU status [associated]                  Enabled    Enabled    Disabled
25   MU status [roamed]                      Enabled    Enabled    Disabled
26   MU status [disassociated]               Enabled    Enabled    Disabled
27   MU EAP auth failed                      Enabled    Enabled    Disabled
28   MU EAP auth success                     Enabled    Enabled    Disabled
29   MU Kerberos auth failed                 Enabled    Enabled    Disabled
30   MU Kerberos auth success                Enabled    Enabled    Disabled
31   MU TKIP [decrypt failure]               Enabled    Enabled    Disabled
32   MU TKIP [replay failure]                Enabled    Enabled    Disabled
33   MU TKIP [MIC error]                     Enabled    Enabled    Disabled
34   WLAN auth success                       Enabled    Disabled   Disabled
35   WLAN auth failed                        Enabled    Enabled    Disabled
36   WLAN max MU count reached               Enabled    Enabled    Disabled
37   Mgt user auth failed [radius]           Disabled   Disabled   Disabled
38   Mgt user auth rejected                  Disabled   Disabled   Disabled
39   Mgt user auth success [radius]          Enabled    Disabled   Disabled
40   Radius server timeout                   Enabled    Enabled    Disabled
41   KDC user [added]                        Enabled    Disabled   Disabled
42   KDC user [changed]                      Enabled    Disabled   Disabled
43   KDC user [deleted]                      Enabled    Disabled   Disabled
44   KDC DB replaced                         Enabled    Enabled    Disabled
45   KDC propagation failure                 Enabled    Enabled    Disabled
46   WPA counter-measures [active]           Enabled    Enabled    Disabled
47   Primary lost heartbeat                  Enabled    Disabled   Disabled
48   Standby active                          Enabled    Enabled    Disabled
49   Primary internal failure [reset]        Enabled    Disabled   Disabled
50   Standby internal failure [reset]        Enabled    Disabled   Disabled
51   Standby auto-revert                     Enabled    Enabled    Disabled
52   Primary auto-revert                     Enabled    Enabled    Disabled
53   Auto channel select error               Enabled    Enabled    Disabled
54   Emergency Policy [active]               Enabled    Enabled    Disabled
55   Emergency Policy [deactivated]          Enabled    Enabled    Disabled
56   Low flash space on switch               Enabled    Enabled    Disabled
57   Miscellaneous debug events              Disabled   Disabled   Disabled
58   HSB Starts Up                           Enabled    Disabled   Disabled
59   HSB Peer Connect                        Enabled    Disabled   Disabled
60   CPU/SYS Temp Notification               Enabled    Enabled    Disabled
61   Access Changed Notification             Enabled    Disabled   Disabled
62   Radio power is reduced [TPC]            Enabled    Disabled   Disabled
63   Radar is detected [DFS]                 Enabled    Disabled   Disabled
64   Channel selected to avoid radar [DFS]   Enabled    Disabled   Disabled
65   Switch to new channel [DFS]             Enabled    Disabled   Disabled
66   Revert back to original channel [DFS]   Enabled    Disabled   Disabled
67   Radio is suspended                      Enabled    Disabled   Disabled
68   Radio is resumed                        Enabled    Disabled   Disabled
69   Radio is moved to random channel        Enabled    Disabled   Disabled
70   A new rogue AP is detected              Enabled    Disabled   Disabled
71   A new approved AP is detected           Enabled    Disabled   Disabled
72   WVPN certificate anomalies              Enabled    Disabled   Disabled
73   WVPN Config/connection changes          Enabled    Disabled   Disabled
74   RADIUS Accounting Log                   Disabled   Disabled   Disabled
75   RADIUS Server Status                    Enabled    Disabled   Disabled
76   Switch configuration changed            Disabled   Disabled   Disabled
77   Tunnel Status change                    Enabled    Disabled   Disabled
78   NON IP packet received on Tunnel        Enabled    Disabled   Disabled
79   RF Stats threshold crossed by a AP      Enabled    Disabled   Disabled
80   RF Stats threshold crossed by a MU      Enabled    Disabled   Disabled
81   RF Stats threshold crossed by a WLAN    Enabled    Disabled   Disabled
82   RF Stats threshold crossed by Switch    Enabled    Disabled   Disabled
83   AP is converted to sensor               Enabled    Disabled   Disabled
84   Sensor is reverted back to AP           Enabled    Disabled   Disabled
85   Failed to communicate to a sensor       Enabled    Disabled   Disabled
86   Sensor is no longer responding to ping  Enabled    Disabled   Disabled
WS5000.(Cfg).Event>
8.4.17 show ftp
WS5000> show ftp
FTP Status: Active.
8.4.18 show history
WS5000.(Cfg)> show history
Displaying last <300> executed commands...
Command Name        Command Context     Date & Time
================================================================
show history        (Cfg)               Wed Dec 14 02:25:12 2005
show sensor         (Cfg)               Wed Dec 14 02:14:58 2005
show arp            (Cfg)               Wed Dec 14 02:12:23 2005
show history        (Cfg)               Wed Dec 14 02:11:04 2005
clear               (Cfg)               Wed Dec 14 02:11:00 2005
cfg                 WS5000              Wed Dec 14 02:10:58 2005
8.4.19 show host
You must first add a syslog host in the WS5000.(Cfg).Event.Syslog context. show host displays the syslog host added in the Events context, as mentioned above.
WS5000> show host
   Host Name     IP Address      Domain
   ---------     ----------      ------
1  syslogHost    192.192.4.111   symbol.com
WS5000>
8.4.20 show https
WS5000> show https
Web based configuration (Applet) access by : https
8.4.21 show interfaces
WS5000> show interfaces
Interface information
Access Ports            Radio MAC           Device MAC          Type  Status
------------            ---------           ----------          ----  ------
00:A0:F8:A2:91:7C [B]   00:A0:F8:A2:91:7C   00:A0:F8:A2:91:7C   B     Active
00:A0:F8:5D:B9:0C [A]   00:A0:F8:60:BC:3D   00:A0:F8:5D:B9:0C   A     Active
00:A0:F8:6E:4A:7A [G]   00:A0:F8:6E:55:30   00:A0:F8:6E:4A:7A   G     Unavailable
00:A0:F8:6E:4A:7A [A]   00:A0:F8:6E:4C:60   00:A0:F8:6E:4A:7A   A     Unavailable
00:A0:F8:BB:B3:6D [G]   00:A0:F8:BB:F6:E8   00:A0:F8:BB:B3:6D   G     Unavailable
00:A0:F8:BB:B3:6D [A]   00:A0:F8:BB:C7:6C   00:A0:F8:BB:B3:6D   A     Unavailable
Available EtherPorts are:
Ethernet 1
Ethernet 2
8.4.22 show kdc
WS5000> show kdc
The system is configured as MASTER KDC.
Kerberos Realm                  : realm1
Interface                       : ethernet1
User count (Active + deleted)   : 0
Active users (MUs and WLANs)    : 0
Slave KDCs   IP Address   Domain
--------------------------------
No entry available.
List of all active KDC users (MUs & WLANs): No active Users available.
8.4.23 show knownap
WS5000> show knownap
Number of Access Points known to the Switch : 5
8.4.24 show lan
WS5000.(Cfg)> show lan LAN1
LAN information:
LAN details...
Name
Description
ep
np
allow
deny
NAT list:
:
:
:
:
:
:
LAN1
Public LAN
1
https http telnet ftp
8.4.25 show mu
WS5000.(Cfg)> show mu
# of MUs: 1
MU : MU_0                ESSID: kris
Type   MAC Address         IP Address       WLAN
----   -----------         ----------       ----
Data   00:0F:3D:E9:A6:6A   157.235.208.93   Symbol Default
RF Status   Auth.Status     Auth.Method   Enc.Method   Broadcast Enc.Method
---------   -----------     -----------   ----------   --------------------
Associated  Authenticated   Open          Open         Open
Access Port             Interface   VLAN   RSSI   Cur.Rate   Supported Rates
-----------             ---------   ----   ----   --------   ---------------
00:A0:F8:5A:B3:1B [B]   RF          NA     28     11 Mbps    1,2,5.5,11 Mbps
Power Mode   Uptime     Time left   Last Activity   Session Username
----------   ------     ---------   -------------   ----------------
CAM Mode     2267 sec   0 sec       21 sec          NA
Statistics   Transmitted   Received
----------   -----------   --------
Packets :    34            2545
Bytes   :    4578          600
WS5000.(Cfg)>
8.4.26 show musummary
WS5000.(Cfg)> show musummary
# of MUs: 1
#  MU-MAC-Address      MU-IP            AP-NAME                 ESSID
1  00:0F:3D:E9:A6:6A   157.235.208.93   00:A0:F8:5A:B3:1B [B]   kris
Associated(2327 sec.), Last Activity=21 sec., SNR=0 dB, #Roams=33
8.4.27 show np
WS5000> show np
Network Policy information
Available Network Policies:
1. Default Network Policy.
2. NetVision_VoIP_Priority.
3. New Network Policy.
8.4.28 show po
WS5000> show po
Policy Object information......
Available Policies (PO):
1. NetVision Priority for RF.
2. NetVision Packet Marking for Ethernet.
3. New Input Policy.
4. New Output Policy.
8.4.29 show radius-server
WS5000.(Cfg)> show radius-server
RADIUS authentication status:
-----------------------------
Network users (Web, Telnet, etc.)                      : Disable
Local users (via serial port)                          : Disable
Authenticate locally if RADIUS server refuses access   : Disable
Server      Host Name/IP   Port   Retry   Timeout
------      ------------   ----   -----   -------
Primary     Not defined    1812   3       5
Secondary   Not defined    1812   3       5
8.4.30 show rfstats
WS5000.(Cfg)> show rfstats
Must provide AP index or AP name
Syntax: show rfstats <radioname|radioindex> {<radioname>|<radioindex>}
where:
<radioname|radioindex> {<radioname>|<radioindex>} : adopted Radioname or Radioindex.
Example:
show rfstats radioindex 1
8.4.31 show rfthreshold
WS5000.(Cfg)> show rfthreshold
Enter the Type.
Displays Threshold Values for RF Stats Traps
Syntax: show rfthreshold < ap|mu|switch > [CR]
WS5000.(Cfg)> show rfthreshold ap
Ap Threshold details :
Status                        : disabled
Min Packets for RF Traps      : Not Set
Packets Per Second            : Not Set
Throughput in Mbps            : Not Set
Average Bit Speed in Mbps     : Not Set
Percent of NUCast Packets     : Not Set
Average Signal in Dbm         : Not Set
Average Retries               : Not Set
Percent of Dropped Packets    : Not Set
Percent of Undecryp Packets   : Not Set
Number of Associated MUs      : Not Set
WS5000.(Cfg)> show rfthreshold mu
Mu Threshold details :
Status                        : disabled
Min Packets for RF Traps      : Not Set
Packets Per Second            : Not Set
Throughput in Mbps            : Not Set
Average Bit Speed in Mbps     : Not Set
Percent of NUCast Packets     : Not Set
Average Signal in Dbm         : Not Set
Average Retries               : Not Set
Percent of Dropped Packets    : Not Set
Percent of Undecryp Packets   : Not Set
WS5000.(Cfg)> show rfthreshold switch
Switch Threshold details :
Status                        : disabled
Min Packets for RF Traps      : Not Set
Packets Per Second            : Not Set
Throughput in Mbps            : Not Set
Associated MUs                : Not Set
8.4.32 show rogueap
WS5000.(Cfg)> show rogueap
RogueAP configuration details:
------------------------------
RogueAP Status                 : disable
MU Scan Status                 : disable
AP Scan Status                 : disable
Detector Scan Status           : disable
MU Scan Interval(min.)         : 0
AP Scan Interval(min.)         : 0
Detector Scan Interval(min.)   : 0
8.4.33 show routes
WS5000.(Cfg)> show routes
Route Management:
Kernel IP routing table
Destination      Gateway           Genmask
157.235.208.0    0.0.0.0           255.255.255.0
10.1.1.0         0.0.0.0           255.255.255.0
0.0.0.0          157.235.208.246   0.0.0.0
8.4.34 show securitypolicy
WS5000> show securitypolicy
Available Security Policies:
1. Kerberos Default.
2. Default.
3. WEP40 Default.
4. WEP128 Default.
5. New WEP Security Policy.
8.4.35 show sensor
WS5000.(Cfg)> show sensor
Sensor functionality:Enabled
AP300’s
-------
00:A0:F8:00:00:26
00:A0:F8:BF:8A:9F
Flags
U
U
UG
Sensor AP’s
-----------
WS5000.(Cfg).sensor>
8.4.36 show snmpclients
WS5000.(Cfg)> show snmpclients
   State        Port   IP Address       Community Name
   -----        ----   ----------       --------------
1. Read/Write   161    157.236.208.70   symbol
WS5000.(Cfg)>
8.4.37 show snmpstatus
WS5000> show snmpstatus
SNMP details:
-------------
SNMP (deamon) Status   : Enabled
SNMP Traps             : Disabled
8.4.38 show ssh
WS5000> show ssh
SSH configurations details:
---------------------------
SSH Status                   : Enabled
Version                      : V2
Port                         : 22
Session inactivity timeout   : 0 (Disabled)
8.4.39 show standby
WS5000> show standby
Standby Management:
StandBy mode                  : Primary
Standby Status                : Disable
State                         : Startup
Failover Reason               :
Standby Connectivity status   : Not Connected
Standby AutoRevert Mode       : Disable
Standby AutoRevert Delay      : 15 Minutes
Interface (Ethernet) 1
----------------------
StandBy Heart-Beat MAC        : Auto Discovery Enabled
Heart-Beat status             : Enable
Received Heart-Beat           : No
Interface (Ethernet) 2
----------------------
StandBy Heart-Beat MAC        : Auto Discovery Enabled
Heart-Beat status             : Disable
Received Heart-Beat           : No
8.4.40 show switchpolicy
WS5000> show switchpolicy
Active Switch Policy name: Default Wireless Switch Policy
Available Switch Policies:
1. Default Wireless Switch Policy.
8.4.41 show sysalerts
WS5000.(Cfg)> show sysalerts
Generating the log file....
Reading the log file.....
[01/11/2006][12:23:00] Access Port (00:A0:F8:CD:C9:4A [B]) with MAC address "00.
[01/11/2006][12:22:57] Access Port (00:A0:F8:CD:C9:4A [A]) with MAC address "00.
[01/11/2006][12:21:18] Mobile Unit (00:0F:3D:E9:A6:6A) was associated to Access.
[01/11/2006][12:21:04] Access Port (00:A0:F8:00:00:26 [A]) with MAC address "00.
[01/11/2006][12:21:04] Access Port (00:A0:F8:00:00:26 [G]) with MAC address "00.
[01/11/2006][12:20:33] ACS success. Setting Radio 00:A0:F8:B5:7C:A4 to channel .
[01/11/2006][12:20:31] ACS success. Setting Radio 00:A0:F8:B5:3B:39 to channel .
[01/11/2006][12:20:25] Adopted an Access Port "00:A0:F8:CD:C9:4A".
8.4.42 show syslog
WS5000.(Cfg)> show syslog
Remote Syslog Status:
Disable (Syslog Deamon is not running).
Local Syslog Status:
(Local Syslog Disabled).
Host  emerg  alert  crit  err  warning  notice  info  debug
----  -----  -----  ----  ---  -------  ------  ----  -----
sys   x      x      x     x    x        x       x     x
8.4.43 show system
WS5000.(Cfg)> show system
System information...
System Name                   : WS5000
Description                   : WS5000 Wireless Network
Switch Location               :
Software Ver.                 : 2.1.0.0-012B
Licensed to                   : Symbol Technologies
Copyright                     : Copyright (c) 2000-2006. All rights reserved.
Serial Number                 : 00A0F853C13D
Number of Licenses            : 10
Max Access Ports              : 10
Max Mobile Clients            : 4096
MU Idle Timeout value         : 1800 seconds
Active Switch Policy          : Default Wireless Switch Policy
Emergency Switch Policy       : Not defined
Switch Uptime                 : 00d:21h:45m
Global RF stats               : Disabled
# of Unassigned Access Ports  : 1
Unassigned Access Ports       :
1. 00:A0:F8:00:00:26 [G].
CLI AutoInstall Status        : Enabled
WS5000.(Cfg)>
8.4.44 show telnet
WS5000> show telnet
Telnet Status                : Disabled.
Session inactivity timeout   : 0 (Disabled)
8.4.45 show time
WS5000> show time
System clock:
Date        : 05:29:46 AM Wed Feb 9 2005
Time Zone   : (GMT -08:00) Pacific Time (US & Canada); Tijuana
8.4.46 show traphosts
WS5000.(Cfg)> show traphosts
   CommunityName   Port   Version   IP Address
   -------------   ----   -------   ----------
1. symbol          162    v1        157.235.208.70
8.4.47 show tunnel
WS5000.(Cfg)> show tunnel
Tunnel details...
    Tunnel Name   Remote IP Address
    -----------   -----------------
1.  tunnel1       11.1.11.11
2.  tunnel2       none
3.  tunnel3       none
4.  tunnel4       none
8.4.48 show users
WS5000> show users
Available Users:
1. admin.
8.4.49 show version
WS5000.(Cfg)> show version
Version details:
----------------
Hardware Version   : CC-5000
Firmware Version   : 2.2(date 07/09/02)
Software Version   : 2.1.0.0-012B
Release date       : Fri Jan 6 16:39:44 IST 2006
CLI Version        : 08a
MIB Version        : v24b07
XML Version        : 08a
WS5000.(Cfg)>
8.4.50 show vlan
WS5000> show vlan
ID      Interface    Priority   # of WLANs   Ethernet Policy
--      ---------    --------   ----------   ---------------
LAN 1   Ethernet 1   0          1            eth1
LAN 2   Ethernet 2   0          0            eth1
8.4.51 show vpnsupportstatus
WS5000.(Cfg)> show vpnsupportstatus
VPN Support details:
-------------
VPN Support Status   : Disabled
VPN Server Serial Number Status Query
Serial number        : 151-34-13-254-68
8.4.52 show wlan
WS5000> show wlan
WLAN Name        ESSID     Security Policy
---------        -----     ---------------
Symbol Default   101       Default
Secure Access    secure    Kerberos Default
Private Access   private   WEP128 Default
Public Access    public    Default
8.4.53 show wme
WS5000.(Cfg)> show wme
WME Profile Name
----------------
1. Default MU WME Profile
2. Default AP WME Profile
3. new
8.4.54 show WSrfstats
WS5000.(Cfg)> show wsrfstats
Displaying RF Statistics for Wireless Switch
AP                  Status   Gather    AP       MUs   Tx    Rx    Tx      Avg    Avg
MAC                          Stats     Uptime         PPS   PPS   Retry   RSSI   SNR
-------------------------------------------------------------------------------------
00:A0:F8:5A:B3:1B   Active   Disable
=====================================================================================
Total for WS:                                   0     0     0     0       0      0
WS5000.(Cfg)>
8.4.55 show wtls
WS5000.(Cfg)> show wtls
WTLS Settings:
Server number:                 : 1
Security mode:                 : defaultSecurity
Wanted FIPS mode:              : Unavailable
Cipher:                        : AES128
MAC:                           : SHA_160
Minimum client RSA key size:   : 1024 bits
Maximum client RSA key size:   : 4096 bits
Minimum RSA key size:          : 1024 bits
Maximum RSA key size:          : 4096 bits
Handshake timeout:             : 0h 1m( 90 secs)
Require client certificates:   : false
Key refresh:                   : 256 packets
8.4.56 show wvpn
WS5000.(Cfg)> show wvpn
WVPN Management:
WVPN available                       : true
WVPN Status                          : Stopped
WVPN Server Address                  : 10.1.1.101 / 157.235.208.167
WVPN Server Port                     : 9102
WVPN Unused session timeout          : 48h 0m (172800 secs)
WVPN Debug level                     : Debug Info Disabled
WVPN DOS Support                     : no
WVPN DOS Port                        : 9103
WVPN Client keep alive               : 10 seconds
WVPN Maximum VPN Licenses            : 50
WVPN Currently In-Use VPN Licenses   : 0
WVPN License Type                    : Evaluation version,Total eval days 30,Eval days left 30
8.5 Configuration (Cfg) Context
The Configuration context is where detailed configurations for the switch and network are viewed and changed. To reach any uniquely defined policy for the switch, you must first enter the Configuration context.
Within the command prompt, the Configuration context is indicated by “Cfg”. For example:
WS5000.(Cfg)>
Table 8.5 summarizes the commands within this context. Commands common to multiple contexts are described in further detail in the Common Commands section.
Table 8.5 Configuration Context Commands
Command         Description                                                         Ref.
.. or end       Go back to the previous context                                     page 8-47
exit            Go back to root context.                                            page 8-47
? or help       Get the command information.                                        page 8-48
logout or bye   Close this session.                                                 page 8-48
aaa             Configure AAA setting.                                              page 8-48
accessport      Configure an Access Port.                                           page 8-49
acl             Configure ACL for the system.                                       page 8-49
appolicy        Configure an Access Port policy.                                    page 8-50
banner          Configure banner for the system.                                    page 8-50
ce              Configure a Classifier.                                             page 8-50
cg              Configure a Classification Group.                                   page 8-51
chassis         Configure Chassis settings.                                         page 8-51
clear           Clear the screen.                                                   page 8-52
copy            Copy files between the Switch and TFTP/FTP server.                  page 8-52
date            Set or display system time and/or date.                             page 8-53
delete          Delete an image file from the memory.                               page 8-54
description     Set description text.                                               page 8-55
directory       Display the available image files in memory.                        page 8-55
emergencymode   Enable or disable Emergency mode.                                   page 8-56
encrypt         Encrypt the password to be used in auto-install.                    page 8-56
ethernet        Configure Ethernet Port.                                            page 8-56
etherpolicy     Configure an EtherPolicy.                                           page 8-57
events          Configure Event properties.                                         page 8-57
export          Exports log files from the Switch to TFTP server.                   page 8-59
8-46
WS 5000 Series System Reference
Table 8.5 Configuration Context Commands (Continued)
Command
Description
Ref.
ftp
Configure system FTP settings.
page 8-59
fw
Configure Firewall for the system.
page 8-60
host
Configure Host properties.
page 8-60
install
Install primary/standby or Kerberos config.
page 8-61
kdc
Configure KDC server.
page 8-61
logdir
Display the user saved log files.
page 8-62
name
Set or change the name.
page 8-62
np
Configure a Network Policy.
page 8-63
ping
Ping a network host/IP address.
page 8-63
po
Configure a Policy Object.
page 8-65
purge
It clears the specified contents from memory only. It does not delete
any files. Use logdir to view user log files and remove to delete user
log files.
page 8-65
radius
Display the Radius authentication status on the switch.
page 8-66
remove
Remove a log file shown by ‘logdir’ command.
page 8-66
reset
Reset Switch.
page 8-67
restore
Restore system image or configuration.
page 8-67
rougeap
Configure RogueAP Detection feature for the system.
page 8-68
route
Configure system Route settings.
page 8-68
runacs
Run Automatic Channel Scan (ACS) on all adopted Access Ports.
page 8-69
save
Save the running system configuration to a file.
page 8-69
securitypolicy
Configure Security Policy for the system.
page 8-69
sensor
Configure the Sensors setting, including default sensor settings.
page 8-70
set
Displays the config specific set commands/parameters.
page 8-70
show
Display context specific attributes.
page 8-81
shutdown
Shutdown the switch.
page 8-81
snmp
Configure SNMP parameters.
page 8-82
ssh
Configure SSH settings.
page 8-82
ssl
Configure SSL settings.
page 8-83
standby
Configure system standby (failover) settings.
page 8-83
switchpolicy
Configure switch policy.
page 8-84
CLI Command Reference
8-47
Table 8.5 Configuration Context Commands (Continued)
Command
Description
Ref.
telnet
Configure system telnet settings.
page 8-84
tunnel
Configuring and mapping GRE to WLAN.
page 8-85
user
Configure user information.
page 8-85
wlan
Configure WLAN for the system.
page 8-85
wme
Configure WME setting.
page 8-86
wvpn
Configure system WVPN settings.
page 8-86
8.5.1 .. or end
Configuration (Cfg) Context
Terminates the context or instance session, and changes the command prompt to move up by one context.
Syntax
..
or
end
or
exit
Parameters
None.
Example
WS5000.(Cfg).NP> ..
WS5000.(Cfg)> end
WS5000>
8.5.2 exit
Configuration (Cfg) Context
Terminates the context session, and returns the prompt to the root.
For example, if you use the exit command in the ACL context, the prompt reverts to the System context prompt.
Syntax
exit
Parameters
None.
Example
WS5000.(Cfg).ACL> exit
WS5000>
8.5.3 ? or help
Configuration (Cfg) Context
Retrieves a list of commands supported in a given context or instance.
Syntax
?
or
help
Parameters
None.
Example
WS5000> ?
or
WS5000> help
8.5.4 logout or bye
Configuration (Cfg) Context
Closes or logs out of the current session.
Syntax
logout
or
bye
Parameters
None.
Example
WS5000> logout
or
WS5000> bye
8.5.5 aaa
Configuration (Cfg) Context
Display the current aaa settings managed by the switch.
Syntax
aaa
Parameters
None
Example
WS5000.(Cfg)> aaa
AAA database update status:
-----------------------------
AAA Server Status    Disabled
Database Type        local
WS5000.(Cfg).AAA>
8.5.6 accessport
Configuration (Cfg) Context
Display the current access ports being managed by the switch. Also, the context is changed to the Access Port
(APort) Context. See page 8-118 for more details.
Note As a shortcut, “aport” can be used instead of “accessport”.
Syntax
accessport
Parameters
None.
Example
WS5000.(Cfg)> accessport
Access Ports            Radio MAC           Device MAC          Type   Status
------------            ---------           ----------          ----   ------
00:A0:F8:A2:91:7C [B]   00:A0:F8:A2:91:7C   00:A0:F8:A2:91:7C   B      Active
00:A0:F8:5D:B9:0C [A]   00:A0:F8:60:BC:3D   00:A0:F8:5D:B9:0C   A      Active
00:A0:F8:6E:4A:7A [G]   00:A0:F8:6E:55:30   00:A0:F8:6E:4A:7A   G      Unavailable
00:A0:F8:6E:4A:7A [A]   00:A0:F8:6E:4C:60   00:A0:F8:6E:4A:7A   A      Unavailable
00:A0:F8:BB:B3:6D [G]   00:A0:F8:BB:F6:E8   00:A0:F8:BB:B3:6D   G      Unavailable
00:A0:F8:BB:B3:6D [A]   00:A0:F8:BB:C7:6C   00:A0:F8:BB:B3:6D   A      Unavailable
WS5000.(Cfg).APort>
8.5.7 acl
Configuration (Cfg) Context
Display the currently available access control lists (ACLs) for the switch. Also, the context is changed to the
Access Control List (ACL) Context. See page 8-129 for more details.
Syntax
acl
Parameters
None.
Example
WS5000.(Cfg)> acl
Available ACLs:
1. New ACL.
WS5000.(Cfg).ACL>
8.5.8 appolicy
Configuration (Cfg) Context
Display the currently available access port policies for the switch. Also, the context is changed to the Access
Port Policy (APPolicy) Context. See page 8-136 for more details.
Syntax
appolicy
Parameters
None.
Example
WS5000.(Cfg)> appolicy
Available Access Port Policies:
1. Default Access Port Policy.
WS5000.(Cfg).APPolicy>
8.5.9 banner
Configuration (Cfg) Context
Use this to configure a Banner for the system
Syntax
banner
Parameters
None
Example
WS5000.(Cfg)> banner
WS5000.(Cfg).Banner> add testbanner
Adding Banner to the System...
WS5000 Banner Interactive Terminal
Type: \q to exit the banner prompt
banner> First Example Banner \q
WS5000.(Cfg).Banner>
8.5.10 ce
Configuration (Cfg) Context
Display list of classifiers available for configuration. Also, the context is changed to the Classifier Context (CE).
See page 8-155 for more details.
Syntax
ce <ce_name>
Parameters
ce_name
Name of the configurable classifier.
Example
WS5000.(Cfg)> ce
Classifier information...
Available Classifiers (CE):
1. Ex HTTP Traffic.
2. Ex Telnet Traffic.
3. RTP_Data.
4. Spectra_Link_Phone.
5. VoIP_Call_Setup_In.
6. VoIP_Call_Setup_Out.
7. VoIP_Ext_Services_Out.
8. VoIP_Ext_Services_In.
9. VoIP_RAS_In.
10. VoIP_RAS_Out.
11. New HTTP Traffic Classifier.
WS5000.(Cfg).CE>
8.5.11 cg
Configuration (Cfg) Context
Display the list of currently available classification groups for the switch. Also, the context is changed to the
Classification Group (CG) Context. See page 8-163 for more details.
Syntax
cg
or
cg_name
Parameters
None.
Example
WS5000.(Cfg)> cg
Classification Group information...
Available Classification Groups:
1. NetVision_VoIP_In.
2. NetVision_VoIP_Out.
3. New Classification Group.
WS5000.(Cfg).CG>
8.5.12 chassis
Configuration (Cfg) Context
Display the currently available chassis environmental details for the switch. Also, the context is changed to
the Chassis Context. See page 8-170 for more details.
Syntax
chassis
Parameters
None.
Example
WS5000.(Cfg)> chassis
Description          Curr Value   Max Value   Min Value   Notify Value
-----------          ----------   ---------   ---------   ------------
CPU Temperature      42 C         48 C        40 C        0 C
System Temperature   37 C         40 C        36 C        0 C
System Fan (rpm)     8544         8653        8437        None
CPU Fan (rpm)        21093        24500       5000        None
System Fan 2         OFF                                  None
System Fan 3         OFF                                  None
System Fan 4         15340        15340       15000       None
WS5000.(Cfg).Chassis>
8.5.13 clear
Configuration (Cfg) Context
Clear the screen of all running command input and output entries.
Syntax
clear
Parameters
None.
Example
WS5000> clear
8.5.14 copy
Configuration (Cfg) Context
Copies a file from the switch to a (T)FTP server, or vice versa. The following types of files can be transferred
via TFTP or FTP:
• *.sys.img
• *.cfg
• *.sym
• *.krb (FTP only)
IMPORTANT! DO NOT USE THIS COMMAND FOR FILES LARGER THAN 32MB.
Syntax
For TFTP:
copy <source> <destination>
For FTP:
copy <source> <destination> [ -u <ftp_user> ] [ -m <ftp_mode> ]
Parameters
source
The source of the file. Possible values are:
• [protocol:]//<hostname or IP address>/[filename]. For example,
ftp://<ipAddress>/path/[file_name].
• tftp
• ftp
• system
• .
• <filename, including path>
destination
The destination of the file. Possible values are:
• tftp
• ftp
• system
• .
• /
• [protocol:]//<hostname or IP address>
ftp_user
FTP username. Default is anonymous.
mode
FTP transfer mode, either ascii or binary. Default is binary.
Example
WS5000.(Cfg)> copy tftp system
Enter the file name to be copied from TFTP server : backup.sys.img
IP address of the TFTP server : 10.1.1.1
Copying 'backup.sys.img' from tftp://10.1.1.1 to Switch...
or
WS5000.(Cfg)> copy ftp://100.10.10.1/ftpimages/DefaultConfig.cfg system
Copying 'DefaultConfig.cfg' from ftp://100.10.10.1/ftpimages/ to Switch...
8.5.15 date
Configuration (Cfg) Context
Displays or sets the system time and date. When invoked with no parameters, this command displays the
time/date currently set. Otherwise, it modifies the time/date based on the specified parameters.
Syntax
date [time_format] [time_zone]
Parameters
time_format
The time to be set, in one of the following formats:
• yyyymmddhhmm[.ss]
• yymmddhhmm[.ss]
• mmddhhmm[.ss]
• ddhhmm[.ss]
• hhmm[.ss]
time_zone
Valid range is -12:00 to +13:00 [+/-](HH:MM), where 0.00 is Greenwich Mean Time. Note
that the ‘+’ must be included for positive timezone values.
Note In WS5000 2.1, Daylight Saving is enabled by default.
Example
WS5000.(Cfg)> date 200502110245.11 -08:00 1
Setting system time/date...
Status: Success.
Fri Feb 11 02:45:11 PST 2005
Time Zone : (GMT -08:00) Pacific Time (US & Canada); Tijuana
WS5000.(Cfg)> date
Fri Feb 11 02:45:15 PST 2005
Time Zone : (GMT -08:00) Pacific Time (US & Canada); Tijuana
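A pre-flight check for the two date arguments described above, useful when a script sets the clock on several switches and their log timestamps have to line up. This is an added example, not code from the guide: the function names are hypothetical, and filling omitted fields from the current date, the two-digit-year pivot and rejecting unsigned offsets are assumptions.

```python
import re
from datetime import datetime

# yyyymmddhhmm, yymmddhhmm, mmddhhmm, ddhhmm or hhmm, each with optional .ss
TIME_RE = re.compile(r"^(\d{12}|\d{10}|\d{8}|\d{6}|\d{4})(?:\.(\d{2}))?$")
# [+/-]HH:MM; the sign is mandatory here (assumption for a zero offset,
# stated by the guide for positive ones).
ZONE_RE = re.compile(r"^([+-])(\d{2}):(\d{2})$")


def parse_time_format(arg, now):
    """Return the datetime that a time_format argument denotes.

    Fields that the shorter layouts omit are taken from `now`
    (assumption: the switch keeps its current values for them).
    """
    m = TIME_RE.match(arg)
    if not m:
        raise ValueError(f"unrecognised time_format: {arg!r}")
    digits, seconds = m.groups()
    # Every layout ends in hhmm; longer ones prepend dd, mm, then the year.
    minute = int(digits[-2:])
    hour = int(digits[-4:-2])
    day = int(digits[-6:-4]) if len(digits) >= 6 else now.day
    month = int(digits[-8:-6]) if len(digits) >= 8 else now.month
    if len(digits) == 12:
        year = int(digits[:4])
    elif len(digits) == 10:
        # Assumption: two-digit years use the POSIX pivot that strptime applies.
        year = datetime.strptime(digits[:2], "%y").year
    else:
        year = now.year
    # datetime() rejects impossible values such as month 13 or 30 February.
    return datetime(year, month, day, hour, minute, int(seconds or 0))


def parse_time_zone(arg):
    """Return the offset from GMT in minutes, enforcing -12:00 to +13:00."""
    m = ZONE_RE.match(arg)
    if not m:
        raise ValueError(f"time_zone must be [+/-]HH:MM with a sign: {arg!r}")
    sign, hours, minutes = m.group(1), int(m.group(2)), int(m.group(3))
    if minutes > 59:
        raise ValueError(f"minutes out of range in time_zone: {arg!r}")
    offset = hours * 60 + minutes
    if sign == "-":
        offset = -offset
    if not -12 * 60 <= offset <= 13 * 60:
        raise ValueError(f"time_zone outside -12:00 to +13:00: {arg!r}")
    return offset


def validate_date_args(time_format, time_zone=None, now=None):
    """Validate both arguments; return (datetime, offset_minutes or None)."""
    now = now or datetime.now()
    when = parse_time_format(time_format, now)
    offset = parse_time_zone(time_zone) if time_zone is not None else None
    return when, offset


if __name__ == "__main__":
    print(validate_date_args("200502110245.11", "-08:00"))
```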
8.5.16 delete
Configuration (Cfg) Context
Deletes the specified image or config file from the switch. Use the directory command to list the files that can
be deleted.
Note As a shortcut, “del” can be used instead of “delete”.
Syntax
delete <filename>
Parameters
filename
Name of file to be deleted.
Example
WS5000.(Cfg)> directory
Date & Time    Bytes   File Name
Jan 11 2006    86588   WS5000Defaults_v2.1.0.0-012B.cfg
Jan 11 2006    86137   WS5k_Auto_v2.0.0.0-034R_20060111.cfg
Jan 6 2006     6453    cmd_template.sym
Jan 4 2006     15484   upgrade.cfg
WS5000.(Cfg)> delete WS5000Defaults_v2.1.0.0-012B.cfg
8.5.17 description
Configuration (Cfg) Context.
Sets a description to the policy of the item in the selection.
Syntax
description <description_text>
Parameters
description_text
Enter brief text to describe a configuration item.
Example
WS5000.(Cfg)> description "Created 7-14-05"
8.5.18 directory
Configuration (Cfg) Context
Lists the image and configuration files that are stored on the WS5000.
Note As a shortcut, “dir” can be used instead of “directory”.
Syntax
directory
Parameters
None.
Example
WS5000.(Cfg)> directory
Date & Time    Bytes   File Name
Jan 11 2006    86588   WS5000Defaults_v2.1.0.0-012B.cfg
Jan 11 2006    86137   WS5k_Auto_v2.0.0.0-034R_20060111.cfg
Jan 6 2006     6453    cmd_template.sym
Jan 4 2006     15484   upgrade.cfg
WS5000.(Cfg)>
8.5.19 emergencymode
Configuration (Cfg) Context
Enables or disables the “Emergency” Switch Policy (ESP), a switch policy that can be activated (enabled) at any
time in case of an emergency. When ESP is deactivated (disabled), the previous switch policy is reactivated.
To set the emergency policy, use the emergencymode command.
Syntax
emergencyMode <enable/disable>
Parameters
enable / disable
Indicates whether to enable or disable the ESP.
Example
WS5000.(cfg)> emergencymode enable
8.5.20 encrypt
Configuration (Cfg) Context
Use this command to get the encrypted form of a password. It encrypts CLI user passwords, Kerberos user
passwords, the service mode password, the VPN simple auth password, the RADIUS secret, and WEP keys. The
encrypted password is used in the autoinstall command file.
Syntax
encrypt <password>
Parameters
password
The password to be encrypted.
Example
WS5000.(Cfg)> encrypt <symbol>
Encrypting password '<symbol>'....
Actual Password <symbol>
Encrypted Password 4527w5630f51f
WS5000.(Cfg)>
8.5.21 ethernet
Configuration (Cfg) Context
Display the currently available ethernet ports for the switch. Also, the context is changed to the Ethernet Port
Context. See page 8-172 for more details.
Syntax
ethernet
Parameters
None.
Example
WS5000.(Cfg)> ethernet
Available EtherPorts are:
Ethernet 1
Ethernet 2
WS5000.(Cfg).Ethernet>
8.5.22 etherpolicy
Configuration (Cfg) Context
Display the currently available ethernet policies applied to the switch. Also, the context is changed to the
Ethernet Policy (EtherPolicy) Context. See page 8-178 for more details.
Syntax
etherpolicy
Parameters
None.
Example
WS5000.(Cfg)> etherpolicy
Available EtherPolicies are:
1. Default Ethernet Policy.
2. New Ethernet Port Policy.
3. eth1.
WS5000.(Cfg).EtherPolicy>
8.5.23 events
Configuration (Cfg) Context
Display the event settings currently applied to the switch. Also, the context is changed to the Event Context.
See page 8-186 for more details.
Syntax
events
Parameters
None.
Example
WS5000.(Cfg)> events
Num Events                                  Local Log  SNMP Trap  Syslog Severity
--- ------                                  ---------  ---------  ---------------
1   RF Stats threshold crossed by a AP      Enabled    Disabled   Disabled
2   RF Stats threshold crossed by a MU      Enabled    Disabled   Disabled
3   RF Stats threshold crossed by a WLAN    Enabled    Disabled   Disabled
4   RF Stats threshold crossed by Switch    Enabled    Disabled   Disabled
5   AP is converted to sensor               Enabled    Disabled   Disabled
6   Sensor is reverted back to AP           Enabled    Disabled   Disabled
7   Failed to communicate to a sensor       Enabled    Disabled   Disabled
8   Sensor is no longer responding to ping  Enabled    Disabled   Disabled
9   Switch configuration changed            Disabled   Disabled   Disabled
10  Miscellaneous debug events              Disabled   Disabled   Disabled
11  Tunnel Status change                    Enabled    Disabled   crit
12  NON IP packet received on Tunnel        Enabled    Disabled   alert
13  License number change                   Enabled    Disabled   crit
14  Clock change                            Enabled    Disabled   info
15  Packet discard [wrong NIC]              Enabled    Disabled   err
16  Packet discard [wrong VLAN]             Enabled    Disabled   err
17  AP adopt failure [general]              Enabled    Enabled    crit
18  AP adopt failure [policy disallow]      Enabled    Enabled    crit
19  AP adopt failure [acl disallow]         Enabled    Enabled    alert
20  AP adopt failure [limit exceeded]       Enabled    Enabled    crit
21  AP adopt failure [license disallow]     Enabled    Enabled    crit
22  AP adopt failure [no image]             Enabled    Enabled    crit
23  AP status [offline]                     Enabled    Enabled    alert
24  AP status [alert]                       Enabled    Enabled    alert
25  AP status [adopted]                     Enabled    Enabled    debug
26  AP status [reset]                       Enabled    Enabled    info
27  AP config failed [no ESS]               Enabled    Enabled    crit
28  AP max MU count reached                 Enabled    Enabled    warning
29  AP detected                             Enabled    Disabled   info
30  Device msg dropped [info]               Enabled    Enabled    debug
31  Device msg dropped [loadme]             Enabled    Enabled    debug
32  Ether port connected                    Enabled    Enabled    info
33  Ether port disconnected                 Enabled    Enabled    alert
34  MU assoc failed [ACL violation]         Enabled    Enabled    info
35  MU assoc failed                         Enabled    Enabled    info
36  MU status [associated]                  Enabled    Enabled    info
37  MU status [roamed]                      Enabled    Enabled    info
38  MU status [disassociated]               Enabled    Enabled    info
39  MU EAP auth failed                      Enabled    Enabled    err
40  MU EAP auth success                     Enabled    Enabled    info
41  MU Kerberos auth failed                 Enabled    Enabled    err
42  MU Kerberos auth success                Enabled    Enabled    info
43  MU TKIP [decrypt failure]               Enabled    Enabled    debug
44  MU TKIP [replay failure]                Enabled    Enabled    debug
45  MU TKIP [MIC error]                     Enabled    Enabled    debug
46  WLAN auth success                       Enabled    Disabled   info
47  WLAN auth failed                        Enabled    Enabled    debug
48  WLAN max MU count reached               Enabled    Enabled    debug
49  Mgt user auth failed [radius]           Disabled   Disabled   warning
50  Mgt user auth rejected                  Disabled   Disabled   warning
51  Mgt user auth success [radius]          Enabled    Disabled   info
52  Radius server timeout                   Enabled    Enabled    notice
53  KDC user [added]                        Enabled    Disabled   notice
54  KDC user [changed]                      Enabled    Disabled   notice
55  KDC user [deleted]                      Enabled    Disabled   notice
56  KDC DB replaced                         Enabled    Enabled    notice
57  KDC propagation failure                 Enabled    Enabled    alert
58  WPA counter-measures [active]           Enabled    Enabled    debug
59  Primary lost heartbeat                  Enabled    Disabled   alert
60  Standby active                          Enabled    Enabled    alert
61  Primary internal failure [reset]        Enabled    Disabled   alert
62  Standby internal failure [reset]        Enabled    Disabled   alert
63  Standby auto-revert                     Enabled    Enabled    alert
64  Primary auto-revert                     Enabled    Enabled    alert
65  Auto channel select error               Enabled    Enabled    err
66  Emergency Policy [active]               Enabled    Enabled    info
67  Emergency Policy [deactivated]          Enabled    Enabled    warning
68  Low flash space on switch               Enabled    Enabled    alert
69  HSB Starts Up                           Enabled    Disabled   alert
70  HSB Peer Connect                        Enabled    Disabled   alert
71  CPU/SYS Temp Notification               Enabled    Enabled    crit
72  Access Changed Notification             Enabled    Disabled   info
73  Radio power is reduced [TPC]            Enabled    Disabled   alert
74  Radar is detected [DFS]                 Enabled    Disabled   alert
75  Channel selected to avoid radar [DFS]   Enabled    Disabled   alert
76  Switch to new channel [DFS]             Enabled    Disabled   alert
77  Revert back to original channel [DFS]   Enabled    Disabled   alert
78  Radio is suspended                      Enabled    Disabled   alert
79  Radio is resumed                        Enabled    Disabled   alert
80  Radio is moved to random channel        Enabled    Disabled   alert
81  A new rogue AP is detected              Enabled    Disabled   alert
82  A new approved AP is detected           Enabled    Disabled   alert
83  WVPN certificate anomalies              Enabled    Disabled   alert
84  WVPN Config/connection changes          Enabled    Disabled   alert
85  RADIUS Accounting Log                   Disabled   Disabled   info
86  RADIUS Server Status                    Enabled    Disabled   alert
WS5000.(Cfg).Event>
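One way to audit a captured events listing for security-relevant events that are recorded nowhere, only on the switch, or at a syslog severity a collector would filter out. This is an added example, not part of the guide: the keyword list, the sample rows (laid out as Num, Events, Local Log, SNMP Trap, Syslog Severity) and the "warning" forwarding threshold are assumptions.

```python
import re

# One row: number, event name, Local Log, SNMP Trap, Syslog Severity.
ROW = re.compile(
    r"^\s*(\d+)\s+(.+?)\s{2,}(Enabled|Disabled)\s+(Enabled|Disabled)\s+(\S+)\s*$"
)

# Standard syslog severities, most severe first.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Assumption: substrings that mark an event as security-relevant for this audit.
SECURITY_MARKERS = (
    "auth failed", "auth rejected", "acl violation", "tkip", "rogue ap",
    "counter-measures", "configuration changed", "certificate anomalies",
)

# Constructed sample in the column layout of the events listing.
SAMPLE = """\
Num Events                              Local Log  SNMP Trap  Syslog Severity
--- ------                              ---------  ---------  ---------------
9   Switch configuration changed        Disabled   Disabled   Disabled
25  AP status [adopted]                 Enabled    Enabled    debug
34  MU assoc failed [ACL violation]     Enabled    Enabled    info
39  MU EAP auth failed                  Enabled    Enabled    err
45  MU TKIP [MIC error]                 Enabled    Enabled    debug
49  Mgt user auth failed [radius]       Disabled   Disabled   warning
50  Mgt user auth rejected              Disabled   Disabled   warning
81  A new rogue AP is detected          Enabled    Disabled   alert
WS5000.(Cfg).Event>
"""


def parse_events(text):
    """Turn listing rows into dicts; headers, rulers and prompts are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        num, name, local, trap, syslog = m.groups()
        rows.append({
            "num": int(num),
            "name": name,
            "local": local == "Enabled",
            "trap": trap == "Enabled",
            "syslog": syslog,  # "Disabled" or a severity name
        })
    return rows


def audit(rows, min_forwarded="warning"):
    """Map event number -> list of logging gaps for security-relevant events.

    min_forwarded is the least severe level the syslog collector is assumed
    to keep; anything less severe is reported as likely to be dropped.
    """
    floor = SEVERITIES.index(min_forwarded)
    findings = {}
    for row in rows:
        name = row["name"].lower()
        if not any(marker in name for marker in SECURITY_MARKERS):
            continue
        issues = []
        syslog_on = row["syslog"] != "Disabled"
        if not (row["local"] or row["trap"] or syslog_on):
            issues.append("not recorded anywhere")
        else:
            if not row["local"]:
                issues.append("local log disabled")
            if not row["trap"] and not syslog_on:
                issues.append("never leaves the switch")
            if syslog_on and row["syslog"] not in SEVERITIES:
                issues.append("unknown syslog severity")
            elif syslog_on and SEVERITIES.index(row["syslog"]) > floor:
                issues.append("syslog severity below " + min_forwarded)
        if issues:
            findings[row["num"]] = issues
    return findings


if __name__ == "__main__":
    for num, issues in sorted(audit(parse_events(SAMPLE)).items()):
        print(num, "; ".join(issues))
```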
8.5.24 export
Configuration (Cfg) Context
This CLI is used to copy the log files from the switch to a remote TFTP server. Use logdir to view the list of
user log files that can be exported.
This is an interactive command and asks for:
a. destination: Remote TFTP host.
b. filename: Log file name to be exported to the remote TFTP server.
c. username: The user name that you specified when the log file was created using the diag command.
The default user name is admin.
Syntax
export
Parameters
None.
Example
WS5000.(Cfg)> export
VPN is NOT supported ...
Creating the Event list...
Enter the log file name : WS5000
Enter the user name : admin
WS5000.(Cfg)>
8.5.25 ftp
Configuration (Cfg) Context
Display the FTP settings currently applied to the switch. Also, the context is changed to the FTP Context. See
page 8-198 for more details.
Syntax
ftp
Parameters
None.
Example
WS5000.(Cfg)> ftp
FTP Status:
Active.
WS5000.(Cfg).FTP>
8.5.26 fw
Configuration (Cfg) Context
This CLI is used to configure Firewall and port filter rules.
Syntax
fw
Parameters
None
Example
WS5000.(Cfg)> fw
LAN information:
Available LANs:
1. LAN1
2. LAN2
3. LAN_VPN
WS5000.(Cfg)> fw
8.5.27 host
Configuration (Cfg) Context
Display the host settings currently applied to the switch. Also, the context is changed to the Host Context. See
page 8-209 for more details.
Syntax
host
Parameters
None.
Example
WS5000.(Cfg)> host
   Host Name   IP Address        Domain
   ---------   ----------        ------
1  SFHost      157.235.208.117   symbol.com
8.5.28 install
Configuration (Cfg) Context
Configures the switch’s failover role as Primary or Standby, and applies all settings specified in the command
file (.sym). Alternatively, this command is used to update Kerberos principal from a specified Kerberos file
(.krb), without reset.
Syntax
install <install_option> [filename]
Parameters
install_option
One of:
• primary – Configures the switch to act as Primary, and applies all settings specified
in the <filename> command file (.sym).
By default, install uses the command.sym file, if present. If “command.sym” is not
present, install will not change anything.
• standby – Configures the switch to act as Standby, and applies all settings as
described for the primary parameter value.
• kerberos – Updates the Kerberos principal from the settings in the filename file (.krb),
without reset.
• runcli – Configure the switch with the commands in CLI command file.
filename
Command (*.sym) or Kerberos (*.krb) file to execute, which contains configuration
settings. By default, this is command.sym.
Example
WS5000.(Cfg)> install primary
Begin command file processing...
8.5.29 kdc
Configuration (Cfg) Context
Display the Kerberos Key Distribution Center (KDC) status/settings currently applied to the switch. Also, the
context is changed to the KDC Context. See page 8-214 for more details.
The KDC context provides configuration options to configure the switch-resident KDC as a Master or Slave.
Syntax
kdc
Parameters
None.
Example
WS5000.(Cfg)> kdc
The system is configured as MASTER KDC.
Kerberos Realm                 : realm1
Interface                      : ethernet1
User count (Active + deleted)  : 0
Active users (MUs and WLANs)   : 0
Slave KDCs    IP Address    Domain
--------------------------
No entry available.
List of all active KDC users (MUs & WLANs): No active Users available.
WS5000.(Cfg).KDC>
8.5.30 logdir
Configuration (Cfg) Context
This CLI is used to list available user log (history, syslog) files. It does not list image/config files.
Use dir command to list image/config files.
Syntax
logdir
or
logdir user <username>
Parameters
username
It is the storage directory for the logs
Example
WS5000.(Cfg)> ..
WS5000> service
Enter CLI Service Mode password: ********
Enabling CLI Service Mode commands...... done.
SM-WS5000> capture packet ifname eth1 enable
Start Packet Capture....
sending ioctl to capture packet
SM-WS5000> cfg
SM-WS5000.(Cfg)> save packet examplepacketcapture
Saving captured packets....done
SM-WS5000.(Cfg)> logdir
File Name                      Bytes   Date & time
========================================================
examplepacketcapture.pktbin    25835   Sun Feb 12 17:26:39 2006
8.5.31 name
Configuration (Cfg) Context
Use the name command to change the system name.
Syntax
name <system_name>
Parameters
system_name
The new name of the switch.
Example
WS5000.(Cfg)> name MiamiWS5000
Configuring name...
Status : Success.
MiamiWS5000.(Cfg)>
8.5.32 np
Configuration (Cfg) Context
Display the currently available network policies on the switch. Also, the context is changed to the Network
Policy (NP) Context. See page 8-222 for more details.
Syntax
np
Parameters
None.
Example
WS5000.(Cfg)> np
Network Policy information
Available Network Policies:
1. Default Network Policy.
2. NetVision_VoIP_Priority.
3. New Network Policy.
WS5000.(Cfg).NP>
8.5.33 ping
System Context, Configuration (Cfg) Context, Host Context
Sends ICMP ECHO_REQUEST packets to a network host.
Syntax
ping <host/ip_address>
options: ping [-Rdfnqrv] [-c count] [-i wait] [-l preload] [-p pattern] [-s packetsize] <host/IP_address>
Parameters
-Rdfnqrv
These optional flags can be broken down as follows:
• -R: Record route. Includes the RECORD_ROUTE option in the ECHO_REQUEST packet
and displays the route buffer on returned packets. Note that the IP header is only
large enough for nine such routes. Many hosts ignore or discard this option.
• -d: Set the SO_DEBUG option on the socket being used. Essentially, this socket
option is not used by Linux kernel.
• -f: Flood ping. For every ECHO_REQUEST sent a period "." is printed, while for every
ECHO_REPLY received a backspace is printed. This provides a rapid display of how
many packets are being dropped. If interval is not given, it sets interval to zero and
outputs packets as fast as they come back or one hundred times per second,
whichever is more. Only the super-user may use this option with zero interval.
• -n: Numeric output only. No attempt will be made to lookup symbolic names for host
addresses.
• -q: Quiet output. Nothing is displayed except the summary lines at startup time and
when finished.
• -r: Bypass the normal routing tables and send directly to a host on an attached
interface. If the host is not on a directly-attached network, an error is returned. This
option can be used to ping a local host through an interface that has no route through
it provided the option -I is also used.
• -v: Verbose output.
-c count
Stop after sending count ECHO_REQUEST packets. With deadline option, ping waits for
count ECHO_REPLY packets, until the timeout expires.
-i wait
Wait interval seconds between sending each packet. The default is to wait for one
second between each packet normally, or not to wait in flood mode. Only the super-user may
set interval to values less than 0.2 seconds.
-l preload
If preload is specified, ping sends that many packets not waiting for reply. Only the
super-user may select preload more than 3.
-p pattern
You may specify up to 16 “pad” bytes to fill out the packet you send. This is useful for
diagnosing data-dependent problems in a network. For example,
-p ff will cause the sent packet to be filled with all ones.
-s packetsize
Specifies the number of data bytes to be sent. The default is 56, which translates into
64 ICMP data bytes when combined with the 8 bytes of ICMP header data.
host/IP_address
The name or IP address of the host to which the request packets are sent.
Example
WS5000.(Cfg)> ping WS5000
PING WS5000 (10.1.1.101) from 10.1.1.101 : 56(84) bytes of data.
64 bytes from WS5000 (10.1.1.101): icmp_seq=1 ttl=64 time=0.068 ms
64 bytes from WS5000 (10.1.1.101): icmp_seq=2 ttl=64 time=0.028 ms
64 bytes from WS5000 (10.1.1.101): icmp_seq=3 ttl=64 time=0.031 ms
64 bytes from WS5000 (10.1.1.101): icmp_seq=4 ttl=64 time=0.029 ms
--- WS5000 ping statistics ---
4 packets transmitted, 4 received, 0% loss, time 2997ms
rtt min/avg/max/mdev = 0.028/0.039/0.068/0.016 ms
WS5000.(Cfg)>
8.5.34 po
Configuration (Cfg) Context
Display the currently available policy object information on the switch. Also, the context is changed to the
Policy Object (PO) Context. See page 8-228 for more details.
Syntax
po
Parameters
None.
Example
WS5000.(Cfg)> po
Policy Object information......
Available Policies (PO):
1. NetVision Priority for RF.
2. NetVision Packet Marking for Ethernet.
3. New Input Policy.
4. New Output Policy.
WS5000.(Cfg).PO>
8.5.35 purge
Configuration (Cfg) Context
This CLI is used to clear the specified contents from memory only. It does not delete any files. Use logdir to
view user log files and remove to delete user log files.
Syntax
purge <purge_option> [radioname|radioindex <radioname>|<radioindex>]
Parameters
purge_option
Use one of:
• history : Clears global command history.
• rfstats : Clears RF stats for all or specified AP(s).
• rfstats ap <ap_mac> : To clear RF statistics for specified AP.
radioname
Adopted Radioname
radioindex
Adopted RadioIndex
Example
1. To clear global history contents from memory, use
WS5000.(Cfg)> purge history
2. To clear RF statistics for all APs, use
WS5000.(Cfg)> purge rfstats
3. To clear RF statistics for specified AP, use
WS5000.(Cfg)> purge rfstats ap 1
WS5000.(Cfg)> purge rfstats ap <ap_mac>
8.5.36 radius
Configuration (Cfg) Context
Display the Radius authentication status on the switch. Also, the context is changed to the Radius Context.
See page 8-235 for more details.
Syntax
radius
Parameters
None.
Example
WS5000.(Cfg)> radius
Radius authentication status:
-----------------------------
Network users (Web, Telnet, etc.)                     : Disable
Local users (via serial port)                         : Disable
Authenticate locally if Radius server refuses access  : Disable
Server      Host Name/IP   Port   Retry   Timeout
------      ------------   ----   -----   -------
Primary     Not defined    1812   3       5
Secondary   Not defined    1812   3       5
WS5000.(Cfg).Radius>
8.5.37 remove
Removes the user log files (the ones listed by the logdir CLI command). If a log file was saved using a username,
then the username option is used to remove it. It does not remove image/config or local syslog files.
Syntax
remove <file_name> [username-optional]
where username is optional and is the storage directory for the logs
Parameters
filename
the file that is to be removed
username
Used to remove a log file in case the log file is saved using a user name.
Example
WS5000.cfg>logdir
File Name       Bytes   Date & time
========================================================
Log1.history    7833    Thu Jan 19 04:36:16 2006
WS5000.(Cfg)> remove Log1.history
Removing file 'Log1.history'.... done.
8.5.38 reset
Configuration (Cfg) Context
WS5000.(Cfg)> reset
Resets the switch. Resetting the switch includes a graceful shutdown, and reboot.
Syntax
reset
Parameters
None.
Example
WS5000.(Cfg)> reset
This command will reset the system.
Are you sure (yes/no) : yes
System shutdown may take a few mins....
Rebooting the switch...
Shutting down dhcp daemon.. done
Shutting down apache server in the SSL mode...done.
Shutting down cell controller....... done
Shutting down snmpd agent...done.
Shutting down Postgres....done.
Restarting system
8.5.39 restore
Configuration (Cfg) Context
Restores the specified system image and/or configuration, and then resets (reboots) the system (based on the
restore_option) with the newly restored image and/or configuration.
Syntax
restore <restore_option> <filename>
Parameters
restore_option
The type of restore to be invoked, that is, the image or configuration that you want to restore. One
of:
• system – Restores the system image and configuration from the specified file.
• configuration – Restores the configuration from the specified file.
• standby – Restores the standby configuration from the specified file.
filename
The new system image or configuration file to be restored.
Example
WS5000.(Cfg)> restore config WS5000Defaults_v2.1.0.0-014B.cfg
This command will reset the system and boot up with the new configuration.
Do you want to continue (yes/no) : y
Restoring configuration from WS5000Defaults_v2.1.0.0-014B.cfg
Rebooting the switch...
Shutting down dhcp daemon.. done
Shutting down apache server in the SSL mode...done.
Shutting down cell controller......... done
Shutting down snmpd agent...done.
Shutting down Postgres....done.
Restarting system
8.5.40 rogueap
Configuration (Cfg) Context
This CLI displays context specific attributes, rogue AP configuration, authorised AP rulelist and list of detector
APs. See Rogue AP Detection on page 1-22 for more details.
Syntax
rogueap
Parameters
None.
Example
WS5000.(Cfg)> rogueap
RogueAP configuration details:
------------------------------
RogueAP Status                : disable
MU Scan Status                : disable
AP Scan Status                : disable
Detector Scan Status          : disable
MU Scan Interval(min.)        : 0
AP Scan Interval(min.)        : 0
Detector Scan Interval(min.)  : 0
WS5000.(Cfg).rogueap>
8.5.41 route
Configuration (Cfg) Context
This CLI is used to configure system route settings.
Syntax
route
Parameters
None.
Example
WS5000.(Cfg)> route
Route Management:
Kernel IP routing table
Destination     Gateway           Genmask         Flags  Ref  Use  Iface
157.235.206.0   0.0.0.0           255.255.255.0   U      0    0    psdT
10.1.1.0        0.0.0.0           255.255.255.0   U      0    0    psdU
0.0.0.0         157.235.206.246   0.0.0.0         UG     0    0    psdT
WS5000.(Cfg).route>
8.5.42 runacs
Configuration (Cfg) Context
Runs Automatic Channel Selection on all adopted access ports. See Automatic Channel Select on page 1-19
for more details.
Syntax
runacs
Parameters
None.
Example
WS5000.(Cfg)> runacs
Executing Automatic Channel Selection on all the adopted Access Ports...
Success.
WS5000.(Cfg)>
8.5.43 save
Configuration (Cfg) Context
Saves the running system configuration to the specified file. Use directory to list the saved configuration files.
Syntax
save configuration <filename>
Parameters
filename
The filename into which you want to save the running configuration. The .cfg extension
is automatically appended.
Example
WS5000.(Cfg)> save conf sample
Saving running configuration in: sample.cfg
Saving wireless network management configuration...
Configuration saved successfully.
8.5.44 securitypolicy
Configuration (Cfg) Context
Display the security policy options available to the switch. Also, the context is changed to the Security Policy
Context. See page 8-243 for more details.
Syntax
securitypolicy
Parameters
None.
Example
WS5000.(Cfg)> securitypolicy
Available Security Policies:
1. Kerberos Default.
2. Default.
3. WEP40 Default.
4. WEP128 Default.
WS5000.(Cfg).SecurityPolicy>
8.5.45 sensor
Configuration (Cfg) Context
Displays details of all Sensors and the active AP300s. You can also configure the default sensor configuration
in this context. See 8.47 Sensor Context on page 252 for more details.
Syntax
sensor
Parameters
None.
Example
WS5000.(Cfg)> sensor
AP300's
------
Sensor AP's
-----------
1. 00:A0:F8:AA:BB:CC
WS5000.(Cfg).sensor>
8.5.46 set
Configuration (Cfg) Context
Displays the set commands for the different system components. There are a number of ways to invoke the set
command:
• When invoked within any system component context, set is used to configure the attributes for the
current context.
• When invoked within the system configuration context, it is used to set the information about various
system parameters.
Syntax
set <system_parameter>
Parameters
Table 8.6 lists and describes the display_parameters in the set command:
Table 8.6 set command’s display_parameter Summary
Display Parameter     Description                                    Example
set arpcache          Configure Arp Cache                            page 8-71
set emergencypolicy   Set the Emergency Switch Policy                page 8-72
set autoinstall       Enable/Disable auto-install                    page 8-73
set rfstats           Enables/Disables RF Stats gathering            page 8-73
set licensekey        Update the port license                        page 8-74
set location          Set the switch location string                 page 8-75
set muidletimeout     Set the MU Idle Timeout value (for all MU's)   page 8-75
set rfthreshold       Set RF Stats threshold values for SNMP traps   page 8-76
set logout            Set CLI auto session logout time               page 8-77
set snmptrap          Enable/disable SNMP traps (global flag)        page 8-77
set vpnsupport        Enable VPN support                             page 8-78
set switchpolicy      Activate a Switch Policy                       page 8-78
set time              Set system time and/or date                    page 8-79
set zone              Set the time zone                              page 8-80
set clearstat         Clears Packet Stats                            page 8-81
set arpcache
Configuration (Cfg) Context
Sets the address resolution display and control. The arp program displays and modifies the Internet-to-Ethernet
address translation tables. With no flags, the program displays the current ARP entry for hostname. The host may be specified
by name or by number, using Internet dot notation.
Syntax
set arpcache <command> <parameters>
Parameters
hostname
-a
The program displays all of the current ARP entries.
-d hostname
A super-user may delete an entry for the host called hostname with the -d flag.
-s hostname ether_addr [temp] [pub] [trail]
Create an ARP entry for the host called hostname with the Ethernet address ether_addr.
The Ethernet address is given as six hex bytes separated by colons. The entry will be
permanent unless the word temp is given in the command. If the word pub is given, the
entry will be 'published'; i.e., this system will act as an ARP server, responding to
requests for hostname even though the host address is not its own. The word trail
indicates that trailer encapsulations may be sent to this host.
-f filename
Causes the file filename to be read and multiple entries to be set in the ARP tables.
Entries in the file should be of the form hostname ether_addr [temp] [pub] [trail] with
argument meanings as given above.
Example
WS5000.(Cfg)> set arpcache -a
Arp cache operation....
Status : Success.
ARP Information:
? (157.235.208.246) at 00:00:0C:07:AC:01 [ether] on psdT
WS5000.(Cfg)>
set emergencypolicy
Configuration (Cfg) Context
Sets a defined switch policy to be designated as the emergency switch policy (ESP). The ESP is provided as a
means to quickly return to a known, safe configuration.
Use the emergencymode command to enable or disable the ESP.
Note If the switch policy name includes “blank” spaces in the name, use quotation
marks within the command.
Syntax
set emergencypolicy <emergencypolicyname>
Parameters
emergencypolicyname
Name of the switch policy to be designated as the emergency switch policy. To see
available switch policies, use the switchpolicy command.
Example
WS5000.(Cfg)> set emergencypolicy TestPolicy
Setting 'TestPolicy' as Emergency Policy....
Status: Success.
System information...
System Name                  : ABS01_DEPOT_081804
Description                  : WS5000 Wireless Network
Switch Location              :
Software Ver.                : 2.1.0.0-011B
Licensed to                  : Symbol Technologies
Copyright                    : Copyright (c) 2000-2005. All rights reserved.
Serial Number                : 00A0F853C13D
Number of Licenses           : 0
Max Access Ports             : 0
Max Mobile Clients           : 4096
MU Idle Timeout value        : 1800 seconds
Active Switch Policy         : wm_stores
Emergency Switch Policy      : TestPolicy
Switch Uptime                : 00d:00h:00m
Global RF stats              : Enabled
# of Unassigned Access Ports : 2
Unassigned Access Ports      :
1. 00:A0:F8:CD:ED:C1 [G].
2. 00:A0:F8:CD:ED:C1 [A].
CLI AutoInstall Status       : Disabled
WS5000.(Cfg)>
set autoinstall
Configuration (Cfg) Context
Used to enable / disable the autoinstall feature.
Syntax
set autoinstall {enable|disable}
Parameters
enable
Enables the auto install feature
disable
Disables the auto install feature
Example
WS5000.(Cfg)> set autoinstall enable
Enabling autoinstall.... done
WS5000.(Cfg)>
set rfstats
Configuration (Cfg) Context
Enables/Disables RF statistics gathering for all or specific AP(s). It can take only one
radioname|radioindex at a time.
To enable RF statistics gathering for all active Radios, use
set rfstats enable
To enable RF statistics gathering for Radio at index 1, use
set rfstats radioindex 1 enable
Syntax
set rfstats <radioname|radioindex> {<radioname|radioindex>}
Parameters
radioname
Adopted Radioname.
radioindex
Adopted Radioindex.
enable
To enable RF statistics gathering for all active Radios.
{enable|disable}
disable
To disable RF statistics gathering for Radio at an index.
Example
WS5000.(Cfg)> set rfstats radioindex 1 enable
Success.
Invalid input '[A]'
Use quotes for name containing white space, e.g. "string1 string2"
Access Port details...
Name                  : 00:A0:F8:BF:8A:78 [A]
Device type           : AP300
Radio MAC Address     : 00:A0:F8:BF:EE:68
Device MAC Address    : 00:A0:F8:BF:8A:78
Port Type             : A
Description           :
Status                : Unavailable
Tx Channel            : 52
Current Tx Channel    : 0
Policy Attached       : Default Access Port Policy
Tx Power              : 20 dBm
Current Tx Power      : 0 dBm
Location              :
NIC Connected         : Ethernet 1
VLAN id               : None
VLAN Tags seen        : None
CCA Mode              : 1
CCA Threshold         : 1
Diversity             : Full
Maximum MUs allowed   : 256
No. of MUs associated : 0
Up Time               : 0d:0h:0m
Statistics gathering  : Enable
Tx Packets/second     : 0
Antenna               : external
Indoor/Outdoor        : in
DFS                   : Off
TPC                   : Off
Antenna Correction    : 0
MU Power Adjustment   : 0
All Channels          : 36, 40, 44, 48, 52, 56, 60, 64, 149, 153, 157, 161, 165
Radar Channels        :
Valid Power Range     : 4-20
DetectorAP            : disable
On Channel Scan       : enable
WS5000.(Cfg)>
set licensekey
Configuration (Cfg) Context
Sets the license key for the switch. The license key, issued by Symbol, is used to determine the number of APs
and MUs that the switch is able to support.
Syntax
set licensekey <licensekey>
Parameters
licensekey
The license key, issued by Symbol. The switch must be configured as “Primary” if
updating the license key.
Use the set mode command to set the switch mode, if not already set as Primary.
Example
WS5000.(Cfg)> set licensekey <licensekey>
set location
Configuration (Cfg) Context
Sets an informational location string for where the switch is located.
Syntax
set location <string>
Parameters
location
Enter a string for where the switch is located, such as the NOC city, or campus building
#, for example. This information is displayed using the show system command.
Example
WS5000.(Cfg)> set location US
Setting the location string....
Status: Success.
System information...
System Name                  : WS5000
Description                  : WS5000 Wireless Network
Switch Location              : US
Software Ver.                : 2.1.0.0-014B
Licensed to                  : Symbol Technologies
Copyright                    : Copyright (c) 2000-2006. All rights reserved.
Serial Number                : 00A0F865A8E0
Number of Licenses           : 8
Max Access Ports             : 8
Max Mobile Clients           : 4096
MU Idle Timeout value        : 1800 seconds
Active Switch Policy         : Default Wireless Switch Policy
Emergency Switch Policy      : Not defined
Switch Uptime                : 01d:07h:29m
Global RF stats              : Disabled
# of Unassigned Access Ports : 0
CLI AutoInstall Status       : Enabled
WS5000.(Cfg)>
set muidletimeout
Configuration (Cfg) Context
Use set muidletimeout to set the MU Idle Timeout value (for all MUs).
The MU idle timeout is the time for which the details of each associated MU are retained in the switch
database. This keeps MUs in PSP mode from being removed from the database until the timeout value expires.
The default value is 30 minutes.
Syntax
set muidletimeout <muIdleTimeout value>
Parameters
muIdleTimeout
The time duration for which the MU should be idle
Example
WS5000.(Cfg)> set muidletimeout 88
Setting the MU Idle Timeout value....
Status: Success.
System information...
System Name                  : WS5000
Description                  : WS5000 Wireless Network
Switch Location              : US
Software Ver.                : 2.1.0.0-014B
Licensed to                  : Symbol Technologies
Copyright                    : Copyright (c) 2000-2006. All rights reserved.
Serial Number                : 00A0F865A8E0
Number of Licenses           : 8
Max Access Ports             : 8
Max Mobile Clients           : 4096
MU Idle Timeout value        : 88 seconds
Active Switch Policy         : Default Wireless Switch Policy
Emergency Switch Policy      : Not defined
Switch Uptime                : 01d:07h:30m
Global RF stats              : Disabled
# of Unassigned Access Ports : 0
CLI AutoInstall Status       : Enabled
WS5000.(Cfg)>
set rfthreshold
Configuration (Cfg) Context
Syntax
set rfthreshold <Type> <Thresholdname> <Thresholdvalue / reset>
Parameters
Type
Placeholder for the type of RF threshold. It can be either AP, MU or Switch.
Thresholdname
Placeholder for the threshold associated with each of the threshold type mentioned
above.
Thresholdvalue
Placeholder for the value that can be associated with each threshold name.
Example
WS5000.(Cfg)> set rfthreshold mu pps 100
Success.
Mu Threshold details :
Status                      : disabled
Min Packets for RF Traps    : Not Set
Packets Per Second          : 100
Throughput in Mbps          : Not Set
Average Bit Speed in Mbps   : Not Set
Percent of NUCast Packets   : Not Set
Average Signal in Dbm       : Not Set
Average Retries             : Not Set
Percent of Dropped Packets  : Not Set
Percent of Undecryp Packets : Not Set
Note The threshold value for all the threshold names, except for average signal, can
be between zero and (no maximum limit).
Note The value for Average signal, measured in Dbm, must always be below zero
(negative value).
set logout
Configuration (Cfg) Context
Sets the CLI’s auto-logout time, in minutes.
Syntax
set logout <#minutes>
Parameters
#minutes
CLI’s auto-logout time, in minutes. Valid values are 0 through 1440 (24 hours). Use 0 to
disable auto-logout.
Example
WS5000.(Cfg)> set logout 10
Setting auto-logout time (10 min) for CLI.... done.
WS5000.(Cfg)> set logout 0
Disabling auto log-off.... done.
WS5000.(Cfg)>
set snmptrap
Configuration (Cfg) Context
Enables or disables SNMP traps, globally.
Syntax
set snmptrap <snmptrap_flag>
Parameters
snmptrap_flag
Indicates whether to enable or disable SNMP traps on the switch. Possible values are:
• enable
• disable
Example
WS5000.(Cfg)> set snmptrap enable
Setting SNMP Trap status....
Status: Success.
SNMP details:
------------
SNMP (deamon) Status  : Enabled
SNMP Traps            : Enabled
WS5000.(Cfg)> set snmptrap disable
Setting SNMP Trap status....
Status: Success.
SNMP details:
------------
SNMP (deamon) Status  : Enabled
SNMP Traps            : Disabled
WS5000.(Cfg)>
set vpnsupport
Configuration (Cfg) Context
Used to enable or disable the VPN support.
Syntax
set vpnsupport enable|disable <license file>
Parameters
enable
Enables VPN support.
disable
Disables VPN support.
license_file
Use this to enter the location for the VPN license file.
Example
WS5000.(Cfg)> set vpnsupport enable
This command will reset the system.
Are you sure (yes/no) : y
Setting VPN Support status....
Status: Need minimum 256MB ram to enable vpn support !
WS5000.(Cfg)>
set switchpolicy
Configuration (Cfg) Context
Sets a defined switch policy to be designated as the active switch policy.
Note If the switch policy name includes “blank” spaces in the name, use quotation
marks within the command.
Syntax
set switchpolicy <spolicy_name>
Parameters
spolicy_name
Name of the switch policy to be designated as the active switch policy. To see available
switch policies, use the switchpolicy command.
Example
WS5000.(Cfg)> set switchpolicy "Default Wireless Switch Policy"
Setting active Switch Policy to 'Default Wireless Switch Policy'....
Status: Success.
System information...
System Name                  : WS5000
Description                  : WS5000 Wireless Network
Switch Location              : San Francisco
Software Ver.                : 2.1.0.0-008D
Licensed to                  : Symbol Technologies
Copyright                    : Copyright (c) 2000-2005. All rights reserved.
Serial Number                : 00A0F8658C10
Number of Licenses           : 48
Max Access Ports             : 48
Max Mobile Clients           : 4096
Active Switch Policy         : Default Wireless Switch Policy
Emergency Switch Policy      : EmerPolicy2-10
Switch Uptime                : 09d:22h:02m
# of Unassigned Access Ports : 2
Unassigned Access Ports      :
1. 00:A0:F8:6E:4A:7A [G].
2. 00:A0:F8:BB:B3:6D [G].
WS5000.(Cfg)>
set time
Configuration (Cfg) Context
Sets the system time and date based on the specified parameters.
Syntax
set time [time_format] [time_zone]
Parameters
time_format
The time to be set, in one of the following formats:
• yyyymmddhhmm[.ss]
• yymmddhhmm[.ss]
• mmddhhmm[.ss]
• ddhhmm[.ss]
• hhmm[.ss]
time_zone
Valid range is -12:00 to +13:00 [+/-](HH:MM), where 0.00 is Greenwich Mean Time. Note
that the ‘+’ must be included for positive timezone values.
Note In WS5000 2.1, Daylight Saving is enabled by default.
Example
WS5000.(Cfg)> set time 200502110145.11 -08:00
Setting system time/date...
Status: Success.
System clock:
Date       : 01:45:11 AM
             Fri Feb 11 2005
Time Zone  : (GMT -08:00) Pacific Time (US & Canada); Tijuana
WS5000.(Cfg)>
set zone
Configuration (Cfg) Context
Sets the time zone, without changing the time and date.
Syntax
set zone <time_zone>
Parameters
time_zone
Valid range is -12:00 to +13:00 [+/-](HH:MM), where 0.00 is Greenwich Mean Time. Note
that the ‘+’ must be included for positive timezone values.
Note In WS5000 2.1, Daylight Saving is enabled by default.
Example
WS5000.(Cfg)> date
System clock:
Date       : 01:52:52 AM
             Fri Feb 11 2005
Time Zone  : (GMT -08:00) Pacific Time (US & Canada); Tijuana
WS5000.(Cfg)>
WS5000.(Cfg)> set zone -12:00
Setting the time zone...
Status: Success.
System clock:
Date       : 01:53:09 AM
             Fri Feb 11 2005
Time Zone  : (GMT -12:00) Eniwetok, Kwajalein
WS5000.(Cfg)>
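A pre-flight check for scripted use of set time and set zone, as an added example that is not from this guide or from Symbol: it parses the five time_format layouts and enforces the time_zone range and sign rule given above. Taking omitted fields from the current date and reading a two-digit year as 20yy are assumptions, and the function names are hypothetical.

```python
import re
from datetime import datetime


def parse_time_format(arg, now):
    """Parse a "set time" time_format argument into a datetime.

    Accepted layouts (from the guide): yyyymmddhhmm, yymmddhhmm, mmddhhmm,
    ddhhmm and hhmm, each with an optional ".ss" suffix.
    Assumptions: omitted leading fields are taken from `now`, and a
    two-digit year means 20yy. The guide states neither rule.
    """
    m = re.fullmatch(r"(\d{4}|\d{6}|\d{8}|\d{10}|\d{12})(?:\.(\d{2}))?", arg)
    if not m:
        raise ValueError(f"not a valid time_format: {arg!r}")
    digits, seconds = m.group(1), int(m.group(2) or 0)
    minute, hour = int(digits[-2:]), int(digits[-4:-2])
    rest = digits[:-4]  # whatever precedes hhmm
    day = int(rest[-2:]) if len(rest) >= 2 else now.day
    month = int(rest[-4:-2]) if len(rest) >= 4 else now.month
    if len(rest) == 8:
        year = int(rest[:4])
    elif len(rest) == 6:
        year = 2000 + int(rest[:2])  # assumption: yy means 20yy
    else:
        year = now.year
    # datetime() rejects out-of-range fields (month 13, 30 February, hour 24).
    return datetime(year, month, day, hour, minute, seconds)


def parse_time_zone(arg):
    """Return a time_zone argument as minutes relative to GMT.

    Enforces the documented range (-12:00 to +13:00) and the rule that
    positive offsets must carry an explicit '+'.
    """
    m = re.fullmatch(r"([+-]?)(\d{2}):(\d{2})", arg)
    if not m or int(m.group(3)) > 59:
        raise ValueError(f"time_zone must look like [+/-]HH:MM: {arg!r}")
    sign = m.group(1)
    magnitude = int(m.group(2)) * 60 + int(m.group(3))
    if magnitude and not sign:
        raise ValueError(f"non-zero time_zone needs an explicit sign: {arg!r}")
    offset = -magnitude if sign == "-" else magnitude
    if not -12 * 60 <= offset <= 13 * 60:
        raise ValueError(f"time_zone outside -12:00..+13:00: {arg!r}")
    return offset


def build_set_time(time_arg, zone_arg, now=None):
    """Validate both arguments and return the CLI line to send."""
    parse_time_format(time_arg, now or datetime.now())
    parse_time_zone(zone_arg)
    return f"set time {time_arg} {zone_arg}"


def build_set_zone(zone_arg):
    """Validate the zone and return the CLI line to send."""
    parse_time_zone(zone_arg)
    return f"set zone {zone_arg}"


if __name__ == "__main__":
    # Arguments taken from the guide's own examples.
    print(build_set_time("200502110145.11", "-08:00"))
    print(build_set_zone("-12:00"))
```

Rejecting a malformed argument before it reaches the switch keeps a scripted change from leaving the clock, and with it log timestamps and certificate validity checks, in an unintended state.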
set clearstat
Configuration (Cfg) Context
Clears the packet statistics
Syntax
set clearstat
Parameters
none
Example
WS5000.(Cfg)> set clearstats
WS5000.(Cfg)>
8.5.47 show
Configuration (Cfg) Context
Display all the available commands within the Configuration context. Also, any of the show commands, with
an associated <display_parameter> will show a summary specific to the parameter.
Syntax
show
or
show [<display_parameter> [instance_name]]
Parameters
display parameter
Categories of information related to the switch or the network components associated
with the switch. Possible values are listed in Table 8.4 on page 8-23.
Example
For a complete list of display parameters, refer to show commands on page 8-23.
8.5.48 shutdown
Configuration (Cfg) Context
Gracefully shuts down the switch. Before turning off the switch (power down), wait 10 seconds or more.
After the switch has been shut down, bring it back up with a full power cycle (power down and then power
back up).
Syntax
shutdown
Parameters
None.
Example
WS5000.(Cfg)> shutdown
This command will halt the system.
A manual power cycle will be required to re-start the switch.
Do you want to proceed (yes/no) : y
System shut down might take a few mins....
Shutting down snmpd agent...done.
Shutting down apache server...done.
Shutting down cell controller......done.
Shutting down database main thread...done.
Shutting down the switch...
Please wait 10 secs before turning off power.
8.5.49 snmp
Configuration (Cfg) Context
Display the SNMP settings currently applied to the switch. Also, the context is changed to the SNMP Context.
See page 8-258 for more details.
Syntax
snmp
Parameters
None.
Example
WS5000.(Cfg)> snmp
SNMP details:
------------
SNMP (deamon) Status  : Enabled
SNMP Traps            : Disabled
WS5000.(Cfg).SNMP>
8.5.50 ssh
Configuration (Cfg) Context
Display the Secure Shell settings currently applied to the switch. Also, the context is changed to the SSH
(Secure Shell) Context. See page 8-269 for more details.
Syntax
ssh
Parameters
None.
Example
WS5000.(Cfg)> ssh
SSH configurations details:
--------------------------
SSH Status                  : Enabled
Version                     : V2
Port                        : 22
Session inactivity timeout  : 0 (Disabled)
WS5000.(Cfg).SSH>
8.5.51 ssl
Configuration (Cfg) Context
Display the Secure Socket Layer settings currently applied to the switch. Also, the context is changed to the
SSL (Secure Socket Layer) Context. See page 8-271 for more details.
Syntax
ssl
Parameters
None.
Example
WS5000.(Cfg)> ssl
Web based configuration (Applet) access by : https
WS5000.(Cfg).SSL>
8.5.52 standby
Configuration (Cfg) Context
Display the standby (failover) management settings currently applied to the switch. Also, the context is
changed to the Standby Context. See page 8-273 for more details.
Syntax
standby
Parameters
None.
Example
WS5000.(Cfg)> standby
Standby Management:
StandBy mode                 : Primary
Standby Status               : Disable
State                        : Startup
Failover Reason              :
Standby Connectivity status  : Not Connected
Standby AutoRevert Mode      : Disable
Standby AutoRevert Delay     : 15 Minutes
Interface (Ethernet) 1
---------------------
StandBy Heart-Beat MAC       : Auto Discovery Enabled
Heart-Beat status            : Enable
Received Heart-Beat          : No
Interface (Ethernet) 2
---------------------
StandBy Heart-Beat MAC       : Auto Discovery Enabled
Heart-Beat status            : Disable
Received Heart-Beat          : No
WS5000.(Cfg).StandBy>
8.5.53 switchpolicy
Configuration (Cfg) Context
Display the active and available switch policy currently defined on the switch. Also, the context is changed to
the Switch Policy (SPolicy) Context. See page 8-278 for more details.
Syntax
switchpolicy
Parameters
None.
Example
WS5000.(Cfg)> switchpolicy
Active Switch Policy name: Default Wireless Switch Policy
Available Switch Policies:
1. Default Wireless Switch Policy.
2. EmerPolicy2-10.
WS5000.(Cfg).SPolicy>
8.5.54 telnet
Configuration (Cfg) Context
Display the telnet accessibility settings currently defined on the switch. Also, the context is changed to the
Telnet Context. See page 8-291 for more details.
Syntax
telnet
Parameters
None.
Example
WS5000.(Cfg)> telnet
Telnet Status               : Active.
Session inactivity timeout  : 0 (Disabled)
WS5000.(Cfg).Telnet>
8.5.55 tunnel
Configuration (Cfg) Context
Displays the GRE tunnels and the remote tunnel IP address that is used to map each tunnel to the WLAN. Only 4 GRE
tunnels can be configured on the WS5000 switch. Also, the context changes to the Tunnel Context. See page 8-294 for
more details.
Syntax
tunnel
Parameters
None.
Example
WS5000.(Cfg)> tunnel
Tunnel details...
Tunnel Name    Remote IP Address
-----------    -----------------
tunnel1        none
tunnel2        none
tunnel3        none
tunnel4        none
8.5.56 user
Configuration (Cfg) Context
Display the user accounts currently defined on the switch. Also, the context is changed to the User Context.
See page 8-298 for more details.
Syntax
user
Parameters
None.
Example
WS5000.(Cfg)> user
User information
Available Users:
1. admin.
2. techsupport.
WS5000.(Cfg).User>
8.5.57 wlan
Configuration (Cfg) Context
Display the WLAN settings currently defined on the switch. Also, the context is changed to the WLAN Context.
See page 8-305 for more details.
Syntax
wlan
Parameters
None.
Example
WS5000.(Cfg)> wlan
WLAN Name        ESSID     Security Policy
---------        -----     ---------------
Symbol Default   101       Default
Secure Access    secure    Kerberos Default
Private Access   private   WEP128 Default
Public Access    public    Default
WS5000.(Cfg).WLAN>
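A way to review captured output of the ssh, telnet and wlan commands (sections 8.5.50, 8.5.54 and 8.5.57) for weak management and WLAN settings, as an added example that is not part of this guide or of Symbol's software. The captures are constructed from the guide's own example output; the function names and the three checks (Telnet active, an inactivity timeout of 0, a WEP policy on a WLAN) are this example's assumptions.

```python
import re

# Constructed captures, modelled on the example output in sections
# 8.5.50 (ssh), 8.5.54 (telnet) and 8.5.57 (wlan) of this guide.
SSH_CAPTURE = """\
WS5000.(Cfg)> ssh
SSH configurations details:
--------------------------
SSH Status                  : Enabled
Version                     : V2
Port                        : 22
Session inactivity timeout  : 0 (Disabled)
WS5000.(Cfg).SSH>
"""

TELNET_CAPTURE = """\
WS5000.(Cfg)> telnet
Telnet Status               : Active.
Session inactivity timeout  : 0 (Disabled)
WS5000.(Cfg).Telnet>
"""

WLAN_CAPTURE = """\
WS5000.(Cfg)> wlan
WLAN Name        ESSID     Security Policy
---------        -----     ---------------
Symbol Default   101       Default
Secure Access    secure    Kerberos Default
Private Access   private   WEP128 Default
Public Access    public    Default
WS5000.(Cfg).WLAN>
"""

# Matches the CLI prompt in any context, e.g. "WS5000.(Cfg).SSH>".
PROMPT = re.compile(r"^WS5000\.\(.*?>")


def parse_fields(capture):
    """Return {label: value} for every 'label : value' line in a capture."""
    fields = {}
    for line in capture.splitlines():
        if PROMPT.match(line) or " : " not in line:
            continue
        label, value = line.split(" : ", 1)
        fields[label.strip()] = value.strip()
    return fields


def parse_table(capture):
    """Return table rows as dicts; columns are separated by 2+ spaces."""
    rows, header = [], None
    for line in capture.splitlines():
        if not line.strip() or PROMPT.match(line):
            continue
        cells = re.split(r"\s{2,}", line.strip())
        if all(set(cell) == {"-"} for cell in cells):
            continue  # dashed ruler under the header row
        if header is None:
            header = cells
        else:
            rows.append(dict(zip(header, cells)))
    return rows


def audit(ssh, telnet, wlan):
    """Return a list of findings for the three captures."""
    findings = []
    status = parse_fields(telnet).get("Telnet Status", "")
    if status.rstrip(".").lower() == "active":
        findings.append("telnet: cleartext management access is active")
    for name, capture in (("ssh", ssh), ("telnet", telnet)):
        timeout = parse_fields(capture).get("Session inactivity timeout", "")
        if timeout.split()[:1] == ["0"]:  # the CLI prints "0 (Disabled)"
            findings.append(f"{name}: session inactivity timeout is disabled")
    for row in parse_table(wlan):
        policy = row.get("Security Policy", "")
        if policy.upper().startswith("WEP"):
            findings.append(
                f"wlan '{row['WLAN Name']}' (ESSID {row['ESSID']}): "
                f"WEP policy '{policy}'"
            )
    return findings


if __name__ == "__main__":
    for finding in audit(SSH_CAPTURE, TELNET_CAPTURE, WLAN_CAPTURE):
        print(finding)
```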
8.5.58 wme
Configuration (Cfg) Context
This CLI is used to display and configure the various WME profiles.
Syntax
wme
Parameters
None.
Example
WS5000.(Cfg)> wme
WME Profile Name
----------------
1. Default MU WME Profile
2. Default AP WME Profile
WS5000.(Cfg).WME>
8.5.59 wvpn
Configuration (Cfg) Context
This CLI is used to display and configure system WVPN settings.
Syntax
wvpn
Parameters
None.
Example
WS5000.(Cfg)> wvpn
WVPN Management:
WVPN available                      : true
WVPN Status                         : Stopped
WVPN Server Address                 : 10.1.1.101 / 157.235.208.77
WVPN Server Port                    : 9102
WVPN Unused session timeout         : 48h 0m (172800 secs)
WVPN Debug level                    : Debug Info Disabled
WVPN DOS Support                    : no
WVPN DOS Port                       : 9103
WVPN Client keep alive              : 10 seconds
WVPN Maximum VPN Licenses           : 250
WVPN Currently In-Use VPN Licenses  : 0
WVPN License Type                   : Evaluation version,Total eval days 30,Eval days left 30
WS5000.(Cfg)> wvpn
8.6 AAA Context
The AAA context enables you to configure the onboard Radius server and user database.
Table 8.7 summarizes the commands within this context. Common commands between multiple contexts are
described in further detail in the Common Commands section.
Table 8.7 AAA Context Commands
Command          Description
.. or end        Go back to the previous context.
exit             Go back to root context.
? or help        To get the command information
logout or bye    Close this session
acct             Configure the RADIUS Accounting Server.
clear            Clears the screen
client           Configure Radius Clients setting.
disable          Disable the AAA Server.
eap              Configure EAP setting.
emergencymode    Enable or disable Emergency Mode
enable           Start the AAA Server.
ldap             Configure LDAP setting.
policy           Configure Access Policy.
proxy            Configure Radius Proxy setting.
save             Restart the AAA Server.
set              Configure the AAA Server.
show             Display context specific attributes
userdb           Configure user database setting.
8.6.1 acct
AAA Context
Used to set the IP, Port Number, Timeout Value, and the Max Retry values for the Radius accounting server.
Syntax
acct <name/IP> <portNum> <timeoutVal> <retryVal>
acct host <IPAddr>
acct port <portNum>
acct timeout <timeoutVal>
acct retry <retryVal>
acct show
acct secret
acct dir [ipAddr] | [ipAddr/fileName]
acct tftp <destIpAddr> <srcDir>/<filename>
acct purge [force]
acct enable
acct disable
Parameters
ip
IP address of the Radius accounting server.
portNum
Port number of the accounting server.
timeoutVal
The timeout value set for the switch, after which it stops attempting to connect to
the Radius accounting server.
retryVal
The number of times the switch attempts to contact the Radius server.
Example
WS5000.(Cfg).AAA> acct 156.5.0.0 10 3 4
8.6.2 client
AAA Context
Configures client parameters.
Syntax
client
Parameters
None
Example
WS5000.(Cfg).AAA> client
Client information
Available Client Servers:
1. myclient.
WS5000.(Cfg).AAA.Client>
8.6.3 disable
AAA Context
Disables the AAA server settings.
Syntax
disable
Parameters
None
Example
WS5000.(Cfg).AAA> disable
Configuring AAA server...
AAA database update status:
-----------------------------
AAA Server Status   Disabled
Database Type       local
8.6.4 eap
AAA Context
To configure EAP parameters, use the eap command.
Syntax
eap
Parameters
None
Example
WS5000.(Cfg).AAA> eap
EAP Configurations :
----------------------------
EAP Type               peap
Private key password   wwwww
8.6.5 enable
AAA Context
To start the AAA Server settings, use the enable command.
Syntax
enable
Parameters
None
Example
WS5000.(Cfg).AAA> enable
Configuring AAA server...
AAA database update status:
-----------------------------
AAA Server Status   Active
Database Type       local
8.6.6 ldap
AAA Context
To configure LDAP parameters, use the ldap command.
Syntax
ldap
Parameters
None
Example
WS5000.(Cfg).AAA> ldap
LDAP information
LDAP Server IP                    157.235.205.4
LDAP Server Port                  389
LDAP Bind DN                      cn=Manager,o=symbol,c=India
LDAP Base DN                      o=symbol,c=India
LDAP Password Attribute           userPassword
LDAP Login Attribute              (uid=%{Stripped-User-Name:-%{User-Name}})
LDAP Group Membership Filter      (|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))
LDAP Password                     secret
LDAP Group Name Attribute         cn
LDAP Group Membership Attribute   radiusGroupName
8.6.7 policy
AAA Context
To configure the access policy for a group, use the policy command.
Syntax
policy
Parameters
None
Example
WS5000.(Cfg).AAA> policy
WS5000.(Cfg).AAA.Policy>
8.6.8 proxy
AAA Context
To configure proxies and proxy parameters, use the proxy command.
Syntax
proxy
Parameters
None
Example
WS5000.(Cfg).AAA> proxy
Proxy information
Available Proxy Servers:
1.symbol.
WS5000.(Cfg).AAA.Proxy>
8.6.9 save
AAA Context
To restart the AAA Server with the new configuration settings, use the save command.
Syntax
save [CR]
Parameters
None
Example
WS5000.(Cfg).AAA> save
Configuring AAA server...
Status : Success.
AAA database update status:
-----------------------------
AAA Server Status   Disabled
Database Type       local
8.6.10 set
AAA Context
To configure the AAA Server database type, use the set command.
Syntax
set dbtype <value>
Parameters
value
the value can be either ldap or local
Example
WS5000.(Cfg).AAA> set dbtype ldap
Configuring AAA server...
Status : Success.
AAA database update status:
-----------------------------
AAA Server Status   Disabled
Database Type       ldap
Warning: Please commit these changes using Save command in AAA context.
8.6.11 show
AAA Context
Table 8.8 lists the show commands.
Table 8.8 Show Commands
Command            Description
show               Display context specific attributes
show eap-config    Display EAP information
show ldap          Display LDAP information
show certs         Display Certificate information
show clients       Display Clients or details of a specific Client
show radius-acct   Display RADIUS Accounting Server information
show proxy         Display Proxy or details of a specific Proxy
show aaa-server    Display AAA information
8.6.12 userdb
AAA Context
To configure a user database for the AAA server, use the userdb command. This command changes the context to the
userdb context. Refer to AAA User Database Context for more information on userdb.
Syntax
userdb
Parameters
None
Example
Refer to AAA User Database Context for more information on userdb.
8.7 AAA Client Context
Table 8.9 shows the AAA client context commands.
Table 8.9 AAA Client Context Commands
Commands         Description
.. or end        Go back to the previous context.
exit             Go back to root context.
? or help        To get the command information.
logout or bye    Close this session.
add              Add a new Radius Client.
clear            Clears the screen.
emergencymode    Enable or disable Emergency Mode.
remove           Remove the Radius client server.
show             Display the current list of clients.
8.7.1 add
AAA Client Context
To add a new client, use the add command.
Syntax
add <client_name> <ip_address> <netmask> <secret>
Parameters
client_name
Name of the new client added.
ip_address
IP address of the new client
netmask
Subnet mask of the new client’s IP address.
secret
Used to encrypt packets between the RADIUS server (switch) and the RADIUS client.
Example
WS5000.(Cfg).AAA.Client> add new 1.1.1.1 255.0.0.0 secret
Adding Client...
Status: Success.
Client information
Available Client Servers:
1. myclient.
2. new.
Warning: Please commit these changes using Save command in AAA context.
8.7.2 remove
AAA Client Context
To remove a RADIUS client from the WS5000 Series Switch, use the remove command.
Syntax
remove <client_name> [CR]
Parameters
Client_name
Name of AAA client
Example
WS5000.(Cfg).AAA.Client> remove new
Removing Client...
Status: Success.
Client information
Available Client Servers:
1. myclient
Warning: Please commit these changes using Save command in AAA context.
8.7.3 show
AAA Client Context
To display list of clients or attributes of a specific client, use the show command.
Syntax
show — Display context specific attributes
show clients
Parameters
clients
Display Clients or details of a specific Client
Example
WS5000.(Cfg).AAA.Client> show client
Client information
Available Client Servers:
1.switch.
WS5000.(Cfg).AAA.Client> show client switch
Client information
Client IP        157.235.208.186
Client Secret    WS5000
Client Netmask   255.255.255.0
8.8 AAA EAP Context
Table 8.10 shows the AAA EAP context commands.
Table 8.10 AAA EAP Context Commands
Commands         Description
.. or end        Go back to the previous context.
exit             Go back to root context.
? or help        To get the command information
logout or bye    Close this session
clear            Clears the screen
emergencymode    Enable or disable Emergency Mode
import           Import Server and CA Certificates for EAP Server.
peap             Configure PEAP setting.
set              Configure the EAP Server.
show             Display current EAP settings.
ttls             Configure TTLS setting.
8.8.1 import
AAA EAP Context
To set server and CA Certificate paths, use the import command.
Syntax
import <servcert/cacert> <path>
Parameters
servcert
Use servcert if a server certificate is being imported.
cacert
Use cacert if a CA certificate is being imported.
Example
WS5000.(Cfg)> aaa
AAA database update status:
-----------------------------
AAA Server Status   Active
Database Type       local
WS5000.(Cfg).AAA> eap
EAP Configurations :
----------------------------
EAP Type               peap
Private key password   WS5000
WS5000.(Cfg).AAA.EAP> import cacert root.pem
Configuring AAA EAP server...
Status : Success.
Warning: Please commit these changes using Save command in AAA context.
WS5000.(Cfg).AAA.EAP> show cert
CA Certficate
------------
Issuer          /C=IN/ST=Karnataka/L=Bangalore/O=Symbol Technologies India Pvt Ltd/OU=Testing and Validation/CN=ROOT/[email protected]
Serial Number   AB111ABF223AA1A1
Valid From      Jan 3 08:20:34 2006 GMT
Valid Till      Feb 2 08:20:34 2006 GMT
WS5000.(Cfg).AAA.EAP>
8.8.2 peap
AAA EAP Context
To configure PEAP parameters, use the peap command.
Syntax
peap
Parameters
None
Example
WS5000.(Cfg).AAA.EAP> peap
PEAP Configurations :
----------------------------
PEAP Type   mschapv2
WS5000.(Cfg).AAA.EAP.PEAP>
8.8.3 set
AAA EAP Context
To set the EAP type and private key password, use the set command.
Syntax
set eaptype <peap/ttls>
set keypassword <password>
Parameters
eaptype
Sets the EAP authentication type to peap or ttls.
keypassword
Sets the password used to protect the certificate being imported.
Example
WS5000.(Cfg).AAA.EAP> set eaptype peap
Configuring AAA EAP server...
Status : Success.
Warning: Please commit these changes using Save command in AAA context.
WS5000.(Cfg).AAA.EAP>
WS5000.(Cfg).AAA.EAP> set eaptype ttls
Configuring AAA EAP server...
Status : Success.
Warning: Please commit these changes using Save command in AAA context.
WS5000.(Cfg).AAA.EAP>
WS5000.(Cfg).AAA.EAP> set keypassword 123
Configuring AAA EAP server...
Status : Success.
Warning: Please commit these changes using Save command in AAA context.
WS5000.(Cfg).AAA.EAP>
8.8.4 show
Use the show command to display context specific attributes.
Syntax
show [display_parameter]
Parameters
eap-config
Display EAP information.
certs
Display Certificate information.
peap-config
Display PEAP information.
ttls-config
Display TTLS information.
Example
WS5000.(Cfg).AAA.EAP> show eap-config
EAP Configurations :
----------------------------
EAP Type               ttls
Private key password   123
WS5000.(Cfg).AAA.EAP>
8.8.5 ttls
AAA Context
Use ttls context to configure TTLS parameters.
Syntax
ttls
Parameters
None
Example
WS5000.(Cfg).AAA.EAP> ttls
TTLS Configurations :
----------------------------
TTLS Type mschapv2
WS5000.(Cfg).AAA.EAP.TTLS>
8.9 AAA LDAP Context
Table 8.11 shows the AAA LDAP context commands.
Table 8.11 AAA LDAP Context Commands
Commands        Description
.. or end       Go back to the previous context.
exit            Go back to root context.
? or help       To get the command information
logout or bye   Close this session
clear           Clears the screen
emergencymode   Enable or disable Emergency Mode
set             Configure LDAP server
show            Display current LDAP settings.
8.9.1 set
AAA LDAP Context
To configure LDAP server components, use the set command.
Syntax
set <config_parameter> <parameter_value>
Parameters
config_parameter
LDAP server parameter to be configured.
parameter_value
Value for the LDAP server parameter
Table 8.12 shows the configurable attributes/parameters.
Table 8.12 Configurable Attributes Using the set Command
Config Parameter   Description                          Usage
ip                 Assign Server IP.                    set ip <param_value>
port               Assign Server Port Number            set port <param_value>
passwd             Assign Password.                     set passwd <param_value>
login              Assign Login Attribute.              set login <param_value>
passattr           Assign Password Attribute.           set passattr <param_value>
filter             Assign Group Membership Filter.      set filter <param_value>
groupname          Assign Group Name Filter.            set groupname <param_value>
membership         Assign Group Membership Attribute.   set membership <param_value>
basedn             Assign Base DN.                      set basedn <param_value>
binddn             Assign Bind DN.                      set binddn <param_value>
Example
WS5000.(Cfg).AAA.LDAP> set ip 1.1.1.1
Configuring LDAP Server...Success.
LDAP information
LDAP Server IP                    1.1.1.1
LDAP Server Port                  389
LDAP Bind DN                      cn=Manager,o=symbol,c=India
LDAP Base DN                      o=symbol,c=India
LDAP Password Attribute           userPassword
LDAP Login Attribute              (uid=%{Stripped-User-Name:-%{User-Name}})
LDAP Group Membership Filter      (|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))
LDAP Password                     secret
LDAP Group Name Attribute         cn
LDAP Group Membership Attribute   radiusGroupName
Warning: Please commit these changes using Save command in AAA context.
8.9.2 show
AAA LDAP Context
To display LDAP information, use the show ldap command.
Syntax
show
or
show ldap
Parameters
ldap
Displays LDAP information.
Example
WS5000.(Cfg).AAA.LDAP> show ldap
LDAP information
LDAP Server IP                    157.235.205.4
LDAP Server Port                  389
LDAP Bind DN                      cn=Manager,o=symbol,c=India
LDAP Base DN                      o=symbol,c=India
LDAP Password Attribute           userPassword
LDAP Login Attribute              (uid=%{Stripped-User-Name:-%{User-Name}})
LDAP Group Membership Filter      (|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))
LDAP Password                     secret
LDAP Group Name Attribute         cn
LDAP Group Membership Attribute   radiusGroupName
8.10 AAA Policy Context
Table 8.13 shows the AAA policy context commands.
Table 8.13 AAA Policy Context Commands
Commands        Description
.. or end       Go back to the previous context.
exit            Go back to root context.
? or help       To get the command information
logout or bye   Close this session
add             Add a new WLAN to a group
clear           Clears the screen
emergencymode   Enable or disable Emergency Mode
remove          Remove a Policy for a group.
set             set time of access policy to a Group
show            Display current information on all policies information
8.10.1 add
AAA Policy Context
To add a new WLAN to a group, use the add command.
Syntax
add wlan <group> <wlan-name>
Parameters
group
Name of the group to which you add the WLAN
wlan-name
Name of the WLAN for the group
Example
WS5000.(Cfg).AAA.Policy> add wlan ws5k xyz
Adding Access Policy...
Status: Success.
Warning: Please commit these changes using Save command in AAA context.
WS5000.(Cfg).AAA.Policy>
8.10.2 remove
AAA Policy Context
To remove a policy from a group, use the remove command.
Syntax
remove <group> <wlan>
Parameters
group
Name of the group from which the WLAN is removed
wlan
Name of the WLAN for the group
Example
WS5000.(Cfg).AAA.Policy> remove ws5k NewWlan
Configuring Policies..
Status : Success.
Warning: Please commit these changes using Save command in AAA context.
WS5000.(Cfg).AAA.Policy> show policies ws5k
Policy information
Available Policies for this group:
WLAN Policies:
1. xyz.
Days Policy:        Sa-Su-Mo
StartTime Policy:   1000
EndTime Policy:     2200
8.10.3 set
AAA Policy Context
To set new time restrictions to a group, use the set command.
Syntax
set days <group> <attribute>
set time <group> <starttime> <endtime>
Parameters
group
Name of the group.
attribute
Day attribute for the group.
starttime
Start time for the group.
endtime
End time for the group.
Choose days restrictions as follows:
For All Days, specify all
For weekdays, specify weekdays
For specific days, type the days separated by space
eg : For Mo, Tu, Fr -- Type Mo<space>Tu<space>Fr
Use the following Codes
Mo   Monday
Tu   Tuesday
We   Wednesday
Th   Thursday
Fr   Friday
Sa   Saturday
Su   Sunday
Use the following time format : hhmm
Example
WS5000.(Cfg).AAA.Policy> set days ws5k Sa Su Mo
Adding Access Policy...
Status: Success.
Warning: Please commit these changes using Save command in AAA context.
WS5000.(Cfg).AAA.Policy> set time ws5k 1000 2200
Adding Access Policy...
Status: Success.
Warning: Please commit these changes using Save command in AAA context.
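The day codes and hhmm format above can be checked before a policy is entered, and a configured policy can be audited against a timestamp. The following is an added example, not part of the original guide: the function names are hypothetical, the end time is assumed to be inclusive, and a start time later than the end time is rejected because the guide does not describe overnight windows.

```python
from datetime import datetime

# Day codes from the guide, ordered so the index equals datetime.weekday() (Monday == 0).
DAY_CODES = ["Mo", "Tu", "We", "Th", "Fr", "Sa", "Su"]


def parse_days(attribute):
    """Return the set of weekday numbers for a days value.

    Accepts what 'set days' takes ('all', 'weekdays', 'Sa Su Mo') and what
    'show policies' prints ('Any', 'Sa-Su-Mo').
    """
    text = attribute.strip()
    if text.lower() in ("all", "any"):
        return set(range(7))
    if text.lower() == "weekdays":
        return set(range(5))
    days = set()
    for code in text.replace("-", " ").split():
        code = code.capitalize()
        if code not in DAY_CODES:
            raise ValueError(f"unknown day code: {code!r}")
        days.add(DAY_CODES.index(code))
    if not days:
        raise ValueError("no days given")
    return days


def parse_hhmm(value):
    """Convert an hhmm string such as '1000' to minutes after midnight."""
    if len(value) != 4 or not (value.isascii() and value.isdigit()):
        raise ValueError(f"time must be four digits (hhmm): {value!r}")
    hours, minutes = int(value[:2]), int(value[2:])
    if hours > 23 or minutes > 59:
        raise ValueError(f"not a valid time of day: {value!r}")
    return hours * 60 + minutes


def access_allowed(days, start, end, when):
    """True if 'when' falls on an allowed day between start and end (inclusive).

    Assumption: the window lies within one day; a start later than the end is
    rejected here because the guide does not describe overnight windows.
    """
    allowed_days = parse_days(days)
    start_min, end_min = parse_hhmm(start), parse_hhmm(end)
    if start_min > end_min:
        raise ValueError("start time is later than end time")
    minute_of_day = when.hour * 60 + when.minute
    return when.weekday() in allowed_days and start_min <= minute_of_day <= end_min


if __name__ == "__main__":
    # Policy from the example above: days Sa Su Mo, 1000 to 2200.
    # The timestamps are constructed sample values.
    for stamp in ("2006-01-07 10:00", "2006-01-07 22:01", "2006-01-03 12:00"):
        when = datetime.strptime(stamp, "%Y-%m-%d %H:%M")
        print(stamp, access_allowed("Sa-Su-Mo", "1000", "2200", when))
```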
8.10.4 show
AAA Policy Context
To view access policies attached to a group, use the show command.
Syntax
show policies [groupname]
Parameters
groupname
Name of the group whose policies are displayed
Example
WS5000.(Cfg).AAA.Policy> show policies ws5k
Policy information
Available Policies for this group:
WLAN Policies:
1. NewWlan.
2. xyz.
Days Policy:        Sa-Su-Mo
StartTime Policy:   1000
EndTime Policy:     2200
8.11 AAA Proxy Context
Table 8.14 shows the AAA proxy context commands.
Table 8.14 AAA Proxy Context Commands
Commands        Description
.. or end       Go back to the previous context.
exit            Go back to root context.
? or help       To get the command information
logout or bye   Close this session
add             Add a new Radius Proxy
clear           Clears the screen
emergencymode   Enable or disable Emergency Mode
remove          Remove a Proxy Server
set             Configure the Proxy Server.
show            Display current Proxy settings.
8.11.1 add
AAA Proxy Context
Use add to add a new Proxy.
Syntax
add <proxy_name> <suffix> <ip_address> <port> <secret>
Parameters
proxy_name
The name of the new proxy being added.
suffix
Proxy suffix.
ip_address
IP address of the authentication server.
port
Port of the authentication server.
secret
Secret code to access the proxy.
Example
WS5000.(Cfg).AAA.Proxy> add NewProxy symbol.com 1.1.1.1 1812 secret
Adding Proxy...
Status: Success.
Proxy information
Available Proxy Servers:
1. NewProxy.
Warning: Please commit these changes using Save command in AAA context.
WS5000.(Cfg).AAA.Proxy>
8.11.2 remove
AAA Proxy Context
Use remove to remove a Proxy from the system.
Syntax
remove <proxyname> [CR]
Parameters
proxyname
The name of the proxy being removed.
Example
WS5000.(Cfg).AAA.Proxy> remove NewProxy
Removing Proxy...
Status: Success.
Warning: Please commit these changes using Save command in AAA context.
WS5000.(Cfg).AAA.Proxy>
8.11.3 set
AAA Proxy Context
Use set to set Proxy configurations.
Syntax
set retry-delay <retry delay:5-10>
set retry-count <retry count:3-6>
Parameters
retry-delay
The delay period before the proxy attempts a retry (5-10).
retry-count
The number of retries attempted (3-6).
Example
WS5000.(Cfg).AAA.Proxy> set retry-delay 6
Configuring AAA Proxy server...
Status : Success.
Warning: Please commit these changes using Save command in AAA context.
WS5000.(Cfg).AAA.Proxy> set retry-count 3
Configuring AAA Proxy server...
Status : Success.
Warning: Please commit these changes using Save command in AAA context.
WS5000.(Cfg).AAA.Proxy>
8.11.4 show
AAA Proxy Context
Use show to display the current Proxy settings.
Syntax
show
show proxy
show config-proxy
Parameters
proxy
Display Proxy or details of a specific Proxy
config-proxy
Display details of Proxy
Example
WS5000.(Cfg).AAA.Proxy> show config-proxy
Proxy information
----------------
Retry Count    3
Retry Delay    6 (seconds)
WS5000.(Cfg).AAA.Proxy> show proxy NewProxy
Proxy information
Proxy Suffix            symbol.com
Proxy Auth Server IP    1.1.1.1
Proxy Secret            secret
Proxy Port              1812
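The show examples in 8.8.4, 8.9.2 and 8.11.4 print the private key password, the LDAP password and the proxy secret in clear text, and set keypassword, the LDAP set passwd and the proxy add command take them as arguments, so a captured CLI session carries those values. The following is an added example, not part of the original guide, that masks them before a transcript is stored or shared; the function names are hypothetical, and the sample transcript and its column spacing are constructed from the examples above.

```python
import re

MASK = "<redacted>"

# Prompt format used in the guide's examples: WS5000.(Cfg).<context>> <command>
PROMPT = re.compile(r"^(?P<prompt>WS5000\.\(Cfg\)\.(?P<ctx>[^>]*)>)\s*(?P<cmd>.*)$")

# (context suffix, leading keywords, index of the argument that is a secret)
SECRET_ARGS = [
    ("aaa.eap", ("set", "keypassword"), 2),   # set keypassword <password>
    ("aaa.ldap", ("set", "passwd"), 2),       # set passwd <param_value>
    ("aaa.proxy", ("add",), 5),               # add <name> <suffix> <ip> <port> <secret>
]

# Labels whose value is a secret in show output. "LDAP Password Attribute"
# holds an attribute name (userPassword), so it is excluded.
SECRET_LABEL = re.compile(
    r"^(?P<label>\s*(?:Private key password|LDAP Password(?!\s+Attribute)|(?:Proxy\s+)?Secret))"
    r"(?P<sep>\s*:\s*|[ \t]{2,})(?P<value>\S.*)$"
)


def redact_line(line):
    """Return (line with any secret masked, kind of finding or None)."""
    m = PROMPT.match(line)
    if m:
        ctx = m.group("ctx").lower()
        tokens = m.group("cmd").split()
        lowered = [t.lower() for t in tokens]
        for suffix, keywords, idx in SECRET_ARGS:
            if (ctx.endswith(suffix)
                    and tuple(lowered[:len(keywords)]) == keywords
                    and len(tokens) > idx):
                tokens[idx] = MASK
                return f"{m.group('prompt')} {' '.join(tokens)}", "command argument"
        return line, None
    m = SECRET_LABEL.match(line)
    if m:
        return f"{m.group('label')}{m.group('sep')}{MASK}", "show output"
    return line, None


def redact_transcript(text):
    """Mask secrets in a captured session; return (clean text, [(line number, kind)])."""
    out, findings = [], []
    for number, line in enumerate(text.splitlines(), start=1):
        new_line, kind = redact_line(line)
        if kind:
            findings.append((number, kind))
        out.append(new_line)
    return "\n".join(out), findings


# Constructed sample transcript, modelled on the examples in this chapter.
SAMPLE = """\
WS5000.(Cfg).AAA.EAP> set keypassword 123
WS5000.(Cfg).AAA.EAP> show eap-config
EAP Type                 ttls
Private key password     123
WS5000.(Cfg).AAA.LDAP> show ldap
LDAP Password Attribute  userPassword
LDAP Password            secret
WS5000.(Cfg).AAA.Proxy> add NewProxy symbol.com 1.1.1.1 1812 secret
WS5000.(Cfg).AAA.Proxy> show proxy NewProxy
Proxy Secret             secret
WS5000.(Cfg).AAA.userdb.User> set passwd abc
Enter New Password : ******
"""

if __name__ == "__main__":
    clean, findings = redact_transcript(SAMPLE)
    print(clean)
    for number, kind in findings:
        print(f"line {number}: masked secret in {kind}")
```

In the userdb User context, set passwd takes a user name and the password is prompted for and masked by the switch, so that line is left unchanged.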
8.12 AAA User Database Context
Table 8.15 shows the AAA user database context commands.
Table 8.15 AAA User Database Context Commands
Commands        Description
.. or end       Go back to the previous context.
exit            Go back to root context.
? or help       To get the command information
logout or bye   Close this session
clear           Clears the screen
emergencymode   Enable or disable Emergency Mode
group           Configure Groups.
user            Configure Users.
8.12.1 group
AAA User Database - Group Context
This is a sub-context of userdb context. Use group to configure Group parameters. You can add and remove
Groups, using the group command.
Use AAA.userdb.Group context to
• add a new group to the system
• add a user to group
• remove a RADIUS group from the system
• remove a user from group
Syntax
group [CR]
Parameters
None
Example
WS5000.(Cfg).AAA.userdb.Group> add newGroup1
Adding RADIUS Group...
Warning: Please commit these changes using Save command in AAA context.
Status: Success.
Group information
Available Groups:
1. newGroup1.
Group information
Available Policies for this group:
WLAN Policies:
StartTime Policy   : 0000
EndTime Policy     : 2359
Days Policy        : Any
WS5000.(Cfg).AAA.userdb.Group.[newGroup1]>
Note You need to enter into the Group sub-context level to add/remove a User/Group.
8.12.2 user
AAA User Database - User Context
This is a sub-context of userdb context. To add and remove users, use the user command. Use
AAA.userdb.Group context to
• Add a new user to the system
• Add a User to Group.
• Remove a RADIUS User from the system
• Remove a User from Group
• Configure the Userdb
Syntax
user [CR]
Parameters
None
Example
WS5000.(Cfg).AAA.userdb.User> add newUser1
Enter User Password : ******
Re-Enter User Password : ******
Adding RADIUS User...
Status: Success.
Warning: Please commit these changes using Save command in AAA context.
WS5000.(Cfg).AAA.userdb.User>
Note You need to enter into the Group sub-context level to add/remove a User/Group.
8.13 AAA User Database - Group Context
The AAA user database group context contains commands to add, remove, and configure Radius user groups.
This section describes the commands in the AAA user database group context.
Table 8.16 AAA User Database - Group Context Commands
Commands        Description
.. or end       Go back to the previous context.
exit            Go back to root context.
? or help       To get the command information
logout or bye   Close this session
add             Add a new group to the system
adduser         Add a User to Group.
clear           Clears the screen
emergencymode   Enable or disable Emergency Mode
group           Select a Group to configure.
remove          Remove a RADIUS Group from the system
remuser         Remove a User from Group
show            Display current User Database settings.
8.13.1 add
AAA User Database - Group Context
Use add to add a new group to the system.
Syntax
add <group_name>
Parameters
group_name
Name of the Group.
Example
WS5000.(Cfg).AAA.userdb.Group> add newgroup
Adding RADIUS Group...
Warning: Please commit these changes using Save command in AAA context.
Status: Success.
Group information
Available Groups:
1. ws5k.
2. newgroup.
Group information
Available Policies for this group:
WLAN Policies:
StartTime Policy   : 0000
EndTime Policy     : 2359
Days Policy        : Any
WS5000.(Cfg).AAA.userdb.Group.[newgroup]>
8.13.2 adduser
AAA User Database - Group Context
Use adduser to add a user to a group.
Syntax
adduser <user> <group>
Parameters
user
Name of the user to add to the group.
group
The group name to which you want to add the new User.
Example
WS5000.(Cfg).AAA.userdb.User> adduser new ws5k
Configuring Userdb...
Status : Success.
Warning: Please commit these changes using Save command in AAA context.
8.13.3 group
AAA User Database - Group Context
Use group to select a group to configure.
Syntax
group <group_name>
Parameters
group_name
The name of the group that you want to configure.
Example
WS5000.(Cfg).AAA.userdb.Group> group ws5k
Group information
Available Policies for this group:
WLAN Policies:
1. xyz.
StartTime Policy   : 1000
EndTime Policy     : 2200
Days Policy        : Sa-Su-Mo
WS5000.(Cfg).AAA.userdb.Group.[ws5k]>
8.13.4 remove
AAA User Database - Group Context
Use remove to remove a RADIUS group from the system.
Syntax
remove <group_name> [CR]
Parameters
group_name
The RADIUS group that you want to remove from the system.
Example
WS5000.(Cfg).AAA.userdb.Group> remove newgroup
Removing Group...
Status: Success.
Group information
Available Groups:
1. ws5k.
Warning: Please commit these changes using Save command in AAA context.
8.13.5 remuser
Use remuser to remove a user from a group.
Syntax
remuser <user> <group>
Parameters
user
User name that you want to remove from the group.
group
Group name to which the user is associated.
Example
WS5000.(Cfg).AAA.userdb.User> remuser abc ws5k
Configuring Userdb...
Status : Success.
Warning: Please commit these changes using Save command in AAA context.
8.14 AAA User Database - User Context
The AAA user database user context contains commands to add or remove a new user, add or remove a new
group and to configure the user database. Table 8.17 shows the AAA user database
Table 8.17 AAA User Database User Context Commands
Commands        Description
.. or end       Go back to the previous context.
exit            Go back to root context.
? or help       To get the command information
logout or bye   Close this session
add             Add a new user to the system
adduser         Add a user to group.
clear           Clear the screen
emergencymode   Enable or disable emergency mode
remove          Remove a Radius user from the system
remuser         Remove a user from group
set             Configure the user database
show            Display the user database
8.14.1 add
AAA User Database - User Context
Use add to add a new User to the system.
Syntax
add <user_name>
Parameters
user_name
Name of the User.
Example
WS5000.(Cfg).AAA.userdb.User> add new
Enter User Password : ******
Re-Enter User Password : ******
Adding RADIUS User...
Status: Success.
Warning: Please commit these changes using Save command in AAA context.
8.14.2 adduser
AAA User Database - User Context
Use adduser to add a user to a group.
Syntax
adduser <user> <group>
Parameters
user
Name of the user to add to the group.
group
The group name to which you want to add the new User.
Example
WS5000.(Cfg).AAA.userdb.User> adduser new ws5k
Configuring Userdb...
Status : Success.
Warning: Please commit these changes using Save command in AAA context.
8.14.3 remove
AAA User Database - User Context
Use remove to remove a RADIUS User from the system.
Syntax
remove <user_name> [CR]
Parameters
user_name
Name of the RADIUS user to remove from the system.
Example
WS5000.(Cfg).AAA.userdb.User> remove new
Removing User...
Status: Success.
Warning: Please commit these changes using Save command in AAA context.
8.14.4 remuser
AAA User Database - User Context
Use remuser to remove a user from a group.
Syntax
remuser <user> <group>
Parameters
user
Name of the user to remove from the group.
group
The group name from which you want to remove the user.
Example
WS5000.(Cfg).AAA.userdb.User> remuser abc ws5k
Configuring Userdb...
Status : Success.
Warning: Please commit these changes using Save command in AAA context.
8.14.5 set
AAA User Database - User Context
Use set to set the password for an existing user.
Syntax
set passwd <username> [CR]
Parameters
username
The user for which you intend to add a password.
Example
WS5000.(Cfg).AAA.userdb.User> set passwd abc
Enter New Password : ******
Re-Enter New Password : ******
Configuring Userdb...
Status : Success.
Warning: Please commit these changes using Save command in AAA context.
8.14.6 show
AAA User Database - User Context
Use show to display user database information.
Syntax
show users
show groups <userid>
Parameters
users
Display user database information.
userid
Displays the group to which the user is associated.
Example
WS5000.(Cfg).AAA.userdb.User> show users
Available Users:
1.abc.
WS5000.(Cfg).AAA.userdb.User> show groups abc
Available Groups for the User:
1.ws5k.
8.15 Access Port (APort) Context
The Access Port context lets you name the RF devices (the radios in the Access Ports and converted Access
Points) that exist on your WLAN. You can create Access Port instances by hand through the add command, or
enable them to be created as Access Ports are discovered and adopted by the switch.
Note For brevity, converted Access Points are referred to as “Access Ports”
throughout this documentation.
Table 8.18 summarizes the commands within this context. Common commands between multiple contexts are
described in further detail in the Common Commands section.
Table 8.18 Access Port (APort) Context Command Summary
Command         Description                                                           Ref.
.. or end       Terminate a current session and moves up a context, hierarchically.   page 8-7
exit            Terminate a current session and returns to the “root” prompt.         page 8-7
? or help       Get the command information.                                          page 8-7
logout or bye   Close this session.                                                   page 8-8
clear           Clear the screen.                                                     page 8-8
emergencymode   Enable or disable Emergency mode.                                     page 8-8
history         Display command history within a context or instance                  page 8-9
add             Creates a new Access Port instance, AP type specific.                 page 8-118
port            Changes the context to the named Access Port instance, while          page 8-119
                displaying the Access Port’s details.
remove          Removes the named Access Port.                                        page 8-120
show            Shows the Access Port configuration values.                           page 8-121
8.15.1 add
Access Port (APort) Context
Creates a new Access Port instance (or two, for dual-radio APs). The first argument is the AP type. The rest of
the arguments depend on the AP type.
Syntax
add AP100 <MAC> <name> [location]
add AP200 <MAC> <a_name> <a_MAC> [b_name] [b_MAC] [location]
add AP300 <MAC> <g_name> <g_MAC> [a_name] [a_MAC] [location]
add AP3020-3021 <MAC> <name> [location]
add AP4121 <MAC> <name> [location]
Parameters
MAC
The Access Port’s (unique) MAC address.
a_MAC, b_MAC, g_MAC
For dual-radio APs, you must supply the MAC of (at least) the AP’s “first” radio. The MAC
of the second radio is optional. The a_name, b_name, and g_name arguments refer to
the 802.11x radio types.
name, a_name, b_name, g_name
Unique names that you give to the Access Port and/or its radios. The a_name, b_name,
and g_name arguments refer to the 802.11x radio types. For single-radio APs, you only
need to supply one name. For dual-radio APs, the name for the second radio is optional.
location
Optional, arbitrary string that identifies the Access Port’s location.
Example
WS5000.(Cfg).APort> add AP100 00:10:5b:63:36:81 a_name BC
Adding a new Access Port device...
Status: Success.
Access Ports    Radio MAC            Device MAC           Type   Status
------------    ---------            ----------           ----   ------
a_name          00:10:5B:63:36:81    00:10:5B:63:36:81    B      Unavailable
Access Port details...
Name                    : a_name
Device type             : AP100
Radio MAC Address       : 00:10:5B:63:36:81
Device MAC Address      : 00:10:5B:63:36:81
Port Type               : B
Description             :
Status                  : Unavailable
Tx Channel              : Auto (once)
Current Tx Channel      : 0
Policy Attached         : Default Access Port Policy
Tx Power                : 20 dBm
Current Tx Power        : 0 dBm
Location                : BC
NIC Connected           : None
VLAN id                 : None
VLAN Tags seen          : None
CCA Mode                : 1
CCA Threshold           : 1
Diversity               : Full
No. of MUs associated   : 0
Up Time                 : 0d:0h:0m
Statistics gathering    : Enable
Tx Packets/second       : 0
Antenna                 : unknown
Indoor/Outdoor          : in
Antenna Correction      : 0
MU Power Adjustment     : 0
All Channels            :
Valid Power Range       : 4-20
WS5000.(Cfg).APort.[a_name]>
8.15.2 port
Access Port (APort) Context
Changes the context to the named Access Port instance, while displaying the Access Port’s details.
Note The system never needs to automatically assign a name to an 802.11g or a
frequency-hopping (FH) radio since you’re compelled to supply names for these
radios when you add their Access Port instances.
Syntax
port <APort_name>
Parameters
APort_name
Selects the Access Port instance by name. Until you give an Access Port a name, it’s
known by the space-separated concatenation of its device MAC address and its 802.11
type (A or B), all enclosed in quotes: "xx:xx:xx:xx:xx:xx [A | B]"
For example: "00:A0:B0:C0:D0:E0 [A]"
Example
WS5000.(Cfg).APort> port a_name
Access Port details...
Name                    : a_name
Device type             : AP100
Radio MAC Address       : 00:09:5B:63:33:81
Device MAC Address      : 00:09:5B:63:33:81
Port Type               : B
Description             :
Status                  : Unavailable
Tx Channel              : Auto (once)
Current Tx Channel      : 0
Policy Attached         : Default Access Port Policy
Tx Power                : 20 dBm
Current Tx Power        : 0 dBm
Location                : BC
NIC Connected           : None
VLAN id                 : None
VLAN Tags seen          : None
CCA Mode                : 1
CCA Threshold           : 1
Diversity               : Full
No. of MUs associated   : 0
Up Time                 : 0d:0h:0m
Statistics gathering    : Enable
Tx Packets/second       : 0
Antenna                 : unknown
Indoor/Outdoor          : in
Antenna Correction      : 0
MU Power Adjustment     : 0
All Channels            :
Valid Power Range       : 4-20
WS5000.(Cfg).APort.[a_name]>
8.15.3 remove
Access Port (APort) Context
Removes the named Access Port. For a list of Access Port names, invoke the show command.
Syntax
remove <port_name>
Parameters
port_name
Name of the Access Port to remove.
Example
WS5000.(Cfg).APort> remove "00:a0:f8:11:12:14 [B]"
Removing the dsp device of the radio 00:a0:f8:11:12:14 [B]....
Status: Success.
8.15.4 show
Access Port (APort) Context
Shows the Access Port configuration values.
Syntax
show
show interfaces
show channelInfo
Parameters
(none)
Display a list of Access Port instances.
interfaces
Display a list of Access Port instances and lists the available Ethernet ports.
channelInfo
Display a list of country codes and the channels each country supports.
Example
WS5000.(Cfg).APort> show
   Access Ports             Radio MAC            Device MAC           Type   Status
   ------------             ---------            ----------           ----   ------
1  00:A0:F8:CD:C9:5A [B]    00:A0:F8:B5:7A:D0    00:A0:F8:CD:C9:5A    B      Unavailable
2  00:A0:F8:CD:C9:5A [A]    00:A0:F8:CD:D0:DE    00:A0:F8:CD:C9:5A    A      Unavailable
3  00:A0:F8:CF:20:1B [G]    00:A0:F8:CE:80:10    00:A0:F8:CF:20:1B    G      Unavailable
4  00:A0:F8:CF:20:1B [A]    00:A0:F8:CE:D8:48    00:A0:F8:CF:20:1B    A      Unavailable
No. of Active Access Ports/Radios: 0/0
WS5000.(Cfg).APort.[00:A0:F8:CF:20:1B [G]]> show
Access Port details...
Name                    : 00:A0:F8:CF:20:1B [G]
Device type             : AP300
Radio MAC Address       : 00:A0:F8:CE:80:10
Device MAC Address      : 00:A0:F8:CF:20:1B
Port Type               : G
Description             :
Status                  : Unavailable
Tx Channel              : Auto (once)
Current Tx Channel      : 0
Policy Attached         : Default Access Port Policy
Tx Power                : 20 dBm
Current Tx Power        : 0 dBm
Location                :
NIC Connected           : Ethernet 2
VLAN id                 : None
VLAN Tags seen          : None
CCA Mode                : 1
CCA Threshold           : 1
Diversity               : Full
Maximum MUs allowed     : 256
No. of MUs associated   : 0
Up Time                 : 0d:0h:0m
Statistics gathering    : Disable
Tx Packets/second       : 0
ERP Protection          : off
Short Slot              : on
Antenna                 : external
DTIM per BSS            : Enabled
WS5000.(Cfg).APort.[00:A0:F8:CF:20:1B [G]]> ..
WS5000.(Cfg).APort>
WS5000.(Cfg).APort> show interfaces
Interface information
Access Ports             Radio MAC            Device MAC           Type   Status
------------             ---------            ----------           ----   ------
00:A0:F8:A2:91:7C [B]    00:A0:F8:A2:91:7C    00:A0:F8:A2:91:7C    B      Active
00:A0:F8:5D:B9:0C [A]    00:A0:F8:60:BC:3D    00:A0:F8:5D:B9:0C    A      Active
00:A0:F8:6E:4A:7A [G]    00:A0:F8:6E:55:30    00:A0:F8:6E:4A:7A    G      Unavailable
00:A0:F8:6E:4A:7A [A]    00:A0:F8:6E:4C:60    00:A0:F8:6E:4A:7A    A      Unavailable
00:A0:F8:BB:B3:6D [G]    00:A0:F8:BB:F6:E8    00:A0:F8:BB:B3:6D    G      Unavailable
00:A0:F8:BB:B3:6D [A]    00:A0:F8:BB:C7:6C    00:A0:F8:BB:B3:6D    A      Unavailable
Available EtherPorts are:
Ethernet 1
Ethernet 2
WS5000.(Cfg).APort>
WS5000.(Cfg).APort> show channelinfo
Country Name   Code   RF Channels (A, B, G and FH)
------------   ----   ----------------------------
Argentina      AR     B Ch: 1-11 G Ch: 1-11 FH Ch: 2-80
                      A Ch: 149,153,157,161
Australia      AU     B Ch: 1-13 G Ch: 1-13 FH Ch: 2-80
                      A Ch: 36,40,44,48,52,56,60,64,149,153,11
Austria        AT     B Ch: 1-13 G Ch: 1-13 FH Ch: 2-80
                      A Ch: 36,40,44,48,52,56,60,64,100,104,10
Bahrain        BH     B Ch: 1-13 G Ch: 1-13 FH Ch: 2-80
                      A Ch:
Belarus        BL     B Ch: 1-13 G Ch: 1-13 FH Ch: 2-80
                      A Ch:
Belgium        BE     B Ch: 1-13 G Ch: 1-13 FH Ch: 2-80
                      A Ch: 36,40,44,48,52,56,60,64
Brazil         BR     B Ch: 1-11 G Ch: 1-11 FH Ch: 2-80
                      A Ch: 149,153,157,161
Bulgaria       BG     B Ch: 1-13 G Ch: 1-13 FH Ch: 2-80
                      A Ch:
Canada         CA     B Ch: 1-13 G Ch: 1-13 FH Ch: 2-80
                      A Ch: 36,40,44,48,52,56,60,64,149,153,11
...
8.16 Access Port Instance
To drop into an Access Port instance, use the port <name> command from within the APort context.
Table 8.19 summarizes the commands within this context. Common commands between multiple contexts are
described in further detail in the Common Commands section.
Table 8.19 Access Port Instance Context Command Summary
Command         Description                                                           Ref.
.. or end       Terminate a current session and moves up a context, hierarchically.   page 8-7
exit            Terminate a current session and returns to the “root” prompt.         page 8-7
? or help       Get the command information.                                          page 8-7
logout or bye   Close this session.                                                   page 8-8
clear           Clear the screen.                                                     page 8-8
emergencymode   Enable or disable Emergency mode.                                     page 8-8
history         Display command history within a context or instance.                 page 8-9
description     Create a description for the Access Port instance.                    page 8-123
name            Set the Access Port name.                                             page 8-123
reset           Resets the Access Port or its radio.                                  page 8-124
set             Configures settings for a particular Access Port.                     page 8-124
show            Display context specific attributes                                   page 8-127
8.16.1 description
Access Port Instance
Create a description for the Access Port instance.
Syntax
description <description_text>
Parameters
description_text
Brief text to describe the Access Port instance.
Example
WS5000.(Cfg).APort.[ap_name]> description "This is a generic AP"
8.16.2 name
Access Port Instance
Set the Access Port name.
Syntax
name <AP_name>
Parameters
AP_name
Name defined for the Access Port.
Example
WS5000.(Cfg).APort.[ap_name]> name New_AP_name
WS5000.(Cfg).APort.[New_AP_name]>
8.16.3 reset
Access Port Instance
Resets the Access Port or its radio, depending on the parameter value.
Syntax
reset <reset_flag>
Parameters
reset_flag
Indicates whether to reset the access port or radio. Valid options are:
• ap – Resets the Access Port that contains the radio that’s represented by this instance.
• radio – Resets the radio that’s represented by this instance.
Example
WS5000.(Cfg).APort.[ap_name]> reset radio
WS5000.(Cfg).APort.[ap_name]> reset ap
8.16.4 set
Access Port Instance
The set command includes a group of different configuration commands to “set” or change Access Port device
parameters. The set of parameters that can be set or changed depends on the AP model, as shown in Table 8.20.
Table 8.20 Access Port Instance “Set” Command Summary
Set Command: name
Description: Set the Access Port name.
AP Models: All
Syntax: set name <ap_name>

Set Command: description
Description: Access Port description string.
AP Models: All
Syntax: set description <desc_text>

Set Command: policy
Description: Access Port policy that’s applied to this Access Port. See Access Port Policy (APPolicy) Context on page 8-136.
AP Models: All
Syntax: set policy <policy_name>

Set Command: channel
Description: Access Port transmit channel. Possible values are:
• <channel#> – Specific channel number
• auto-once – The AP uses Automatic Channel Selection (ACS) the first time it’s adopted by the switch, and then sticks to that channel thereafter.
• auto-always – The AP uses ACS every time it’s adopted.
• random – The AP chooses a random channel every time it's adopted.
AP Models: All except AP 3020, AP 3021
Syntax: set channel <value>

Set Command: power
Description: Access Port transmission power. Possible values are 4-20 dBm
AP Models: All except AP 3020, AP 3021
Syntax: set power <power_value>

Set Command: muPower
Description: The amount by which associated mobile units are told to adjust (increase) their power. Although this is a drain on MU batteries, it can help improve signal fidelity. The possible adjustment values are in positive, integral dB.
AP Models: All except AP 3020, AP 3021
Syntax: set muPower <mupwr_value>

Set Command: location
Description: Access Port location description.
AP Models: All
Syntax: set location <location_text>

Set Command: ccaMode
Description: Sets the Access Port’s CCA mode. Possible values are:
• 0 –
• 1 – Energy above threshold
• 2 – Carrier sense only
• 3 – Carrier sense with energy above threshold
AP Models: All
Syntax: set ccaMode <CCA_mode#>

Set Command: ccaThreshold
Description: Sets the Clear Channel Assessment threshold, which is the maximum level of traffic that the AP will accept and still consider the channel to be clear. 0 means no traffic; 31 means jam-packed.
AP Models: All
Syntax: set ccaThreshold <value>

Set Command: diversity
Description: Access port diversity antenna setting. Possible values are:
• full – The AP dynamically chooses the antenna with the strongest signal.
• primary – Use this AP as a Primary antenna.
• secondary – Use this AP as a Secondary antenna.
AP Models: All
Syntax: set diversity <setting>

Set Command: vLanId
Description: VLAN ID that the Access Port is to be part of.
AP Models: All
Syntax: set vLanId <vLAN_ID>

Set Command: clearVLanTags
Description: Clears the VLAN tag register.
AP Models: All
Syntax: set clearVLanTags

Set Command: statistics
Description: Enable/disable Access Port information gathering. When enabled, the Access Port reports throughput in packets-per-second, as well as the amount of time that it has been adopted by the switch. Use the show command with no argument to display.
AP Models: All
Syntax: set statistics <enable_flag>

Set Command: dwellTime
Description: Frequency-hopping maximum dwell time.
AP Models: AP 3020, AP 3021, AP 100
Syntax: set dwellTime <maxdwelltime>

Set Command: hopSeq
Description: Frequency-hopping hop sequence. maxChannels is the maximum number of channels (allowed by the country setting) divided by three.
AP Models: AP 3020, AP 3021, AP 100
Syntax: set hopseq <maxchannels>

Set Command: hopSet
Description: Frequency-hopping hop set.
AP Models: AP 3020, AP 3021, AP 100
Syntax: set hopSet <value>

Set Command: antCorrection
Description: The power correction (increase) due to the AP’s (isotropic) antenna; in dB (dBi).
AP Models: AP 300
Syntax: set antCorrection <value>

Set Command: indoor
Description: Indicates whether the AP is being used indoors (true) or outdoors (false).
AP Models: AP 300
Syntax: set indoors <true_or_false>

Set Command: simulateRadar
Description: Tells the Access Port to pretend that radar has been discovered.
AP Models: AP 300
Syntax: set simmulateRadar

Set Command: user-802.1x
Description: Declares a username for the AP, for information only.
AP Models: AP 300
Syntax: set user-802.1x <username>

Set Command: detectorap
Description: Scans for rogue APs in all the channels
AP Models: AP 3020, AP 3021, AP 100
Syntax: set detectorap

Set Command: onchannelscan
Description: Scans for rogue APs in its operating channel.
AP Models: AP 3020, AP 3021, AP 100
Syntax: set onchannelscan
Syntax
set <attribute> <value>
Parameters
See the applicable set command in Table 8.20 for more details.
Example
When access port device attributes are set, all access port settings for the access port instance are displayed,
with the change in place. For example, in the following, the CCA Threshold value was changed from 0 to 10.
See the Syntax examples in Table 8.20 for details on each set command.
WS5000.(Cfg).APort.[00:A0:F8:A2:91:7C [B]]> set ccathreshold 10
Configuring Access Port device...
Status: Success.
Access Port details...
Name                    : 00:A0:F8:A2:91:7C [B]
Device type             : AP100
Radio MAC Address       : 00:A0:F8:A2:91:7C
Device MAC Address      : 00:A0:F8:A2:91:7C
Port Type               : B
Description             :
Status                  : Active
Tx Channel              : 6
Current Tx Channel      : 6
Policy Attached         : appol1
Tx Power                : 20 dBm1
Current Tx Power        : 20 dBm
Location                :
NIC Connected           : Ethernet 1
VLAN id                 : None
VLAN Tags seen          : None
CCA Mode                : 1
CCA Threshold           : 10
Diversity               : Full
No. of MUs associated   : 1
Up Time                 : 6d:20h:36m
Statistics gathering    : Disable
Tx Packets/second       : 0
Antenna                 : unknown
Indoor/Outdoor          : in
Antenna Correction      : 0
MU Power Adjustment     : 0
All Channels            : 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11,
Valid Power Range       : 4-20
DetectorAP              : disable
On Channel Scan         : enable
WS5000.(Cfg).APort.[00:A0:F8:A2:91:7C [B]]>
8.16.5 show
Access Port Instance
Display the configured details for the specified Access Port instance.
Syntax
show
Parameters
None.
Example
WS5000.(Cfg).APort.[00:A0:F8:A2:91:7C [B]]> show
Access Port details...
Name                  : 00:A0:F8:A2:91:7C [B]
Device type           : AP100
Radio MAC Address     : 00:A0:F8:A2:91:7C
Device MAC Address    : 00:A0:F8:A2:91:7C
Port Type             : B
Description           :
Status                : Active
Tx Channel            : 6
Current Tx Channel    : 6
Policy Attached       : appol1
Tx Power              : 20 dBm1
Current Tx Power      : 20 dBm
Location              :
NIC Connected         : Ethernet 1
VLAN id               : None
VLAN Tags seen        : None
CCA Mode              : 1
CCA Threshold         : 10
Diversity             : Full
No. of MUs associated : 1
Up Time               : 6d:20h:36m
Statistics gathering  : Disable
Tx Packets/second     : 0
Antenna               : unknown
Indoor/Outdoor        : in
Antenna Correction    : 0
MU Power Adjustment   : 0
All Channels          : 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11,
Valid Power Range     : 4-20
DetectorAP            : disable
On Channel Scan       : enable
WS5000.(Cfg).APort.[00:A0:F8:A2:91:7C [B]]
8.17 Access Control List (ACL) Context
An Access Control List is a set of rules that governs the adoption of mobile units. Each rule contains a MAC
address or MAC address range, and an allow or deny declaration deeming whether the device can have
associations with access ports or not. When a device attempts to associate with an access port, the switch
searches for the device (by MAC address) in the port’s ACL.
An ACL’s rules must be non-overlapping with regard to MAC addresses. If you try to create a rule that includes
an address that already appears in the ACL—whether it appears as an individual address or as part of an
address range—the creation attempt is denied.
You apply an ACL to a WLAN through the WLAN context’s set command.
Table 8.21 summarizes the commands within this context. Common commands between multiple contexts are
described in further detail in the Common Commands section.
Table 8.21 ACL Context Command Summary
Command          Description                                                            Ref.
.. or end        Terminate a current session and moves up a context, hierarchically.    page 8-7
exit             Terminate a current session and returns to the “root” prompt.          page 8-7
? or help        Get the command information.                                           page 8-7
logout or bye    Close this session.                                                    page 8-8
clear            Clear the screen.                                                      page 8-8
emergencymode    Enable or disable Emergency mode.                                      page 8-8
history          Display command history within a context or instance                   page 8-9
acl              Display the ACL and related details.                                   page 8-129
add              Adds a new ACL (and changes to that instance context).                 page 8-130
remove           Removes an ACL.                                                        page 8-130
show             Display all defined ACLs within the switch.                            page 8-131
8.17.1 acl
Access Control List (ACL) Context
Display the ACL, including device MAC addresses, associated allow or deny rule, as well as the default ACL
action for the ACL if no rule is assigned to a particular device.
Syntax
acl <ACLname>
Parameters
name
Name assigned to the ACL to be added.
Example
WS5000.(Cfg).ACL> acl "New ACL"
ACL Name                    : New ACL
Default action on ACL items : allow
MAC address (range)    Rule
-------------------    ----
00:A0:F8:6E:4A:7A      allow
WS5000.(Cfg).ACL.[New ACL]>
8.17.2 add
Access Control List (ACL) Context
Adds a new ACL and then changes the context to the named ACL instance context.
Syntax
add <ACLname>
Parameters
ACLname
Name of the ACL to be added.
Example
WS5000.(Cfg).ACL> add 2-10ACL
Adding ACL...
Status: Success.
Available ACLs:
1. newacl.
2. 2-10ACL.
ACL Name                    : 2-10ACL
Default action on ACL items : allow
MAC address (range)    Rule
-------------------    ----
WS5000.(Cfg).ACL.[2-10ACL]>
8.17.3 remove
Access Control List (ACL) Context
Removes the named ACL.
Syntax
remove <ACLname>
Parameters
ACLname
The name of the ACL to be removed.
Example
WS5000.(Cfg).ACL> remove newacl
Removing ACL...
Status: Success.
Available ACLs:
1. 2-10ACL.
WS5000.(Cfg).ACL>
8.17.4 show
Access Control List (ACL) Context
Display all defined ACLs within the switch.
Syntax
show
Parameters
None.
Example
WS5000.(Cfg).ACL> show
Available ACLs:
1. 2-10ACL.
WS5000.(Cfg).ACL>
8.18 ACL Instance Context
Table 8.22 summarizes the commands within this context. Common commands between multiple contexts are
described in further detail in the Common Commands section.
Table 8.22 ACL Instance Context Command Summary
Command          Description                                                            Ref.
.. or end        Terminate a current session and moves up a context, hierarchically.    page 8-7
exit             Terminate a current session and returns to the “root” prompt.          page 8-7
? or help        Get the command information.                                           page 8-7
logout or bye    Close this session.                                                    page 8-8
clear            Clear the screen.                                                      page 8-8
emergencymode    Enable or disable Emergency mode.                                      page 8-8
history          Display command history within a context or instance                   page 8-9
name             Renames an ACL.                                                        page 8-132
set              Configures settings for a particular ACL. Includes set name, set addItem, set remItem, set editItem, and set defaultAction.    page 8-132
show             Display the ACL device lists and default settings.                     page 8-135
8.18.1 name
ACL Instance Context
Rename an ACL. Similar command to the set name command.
Syntax
name <new_name>
Parameters
new_name
New name of the ACL.
Example
WS5000.(Cfg).ACL.[2-10ACL]> name archive_ACL
Configuring name...
Status : Success.
WS5000.(Cfg).ACL.[archive_ACL]>
8.18.2 set
ACL Instance Context
Configures settings for a particular ACL.
See set name, set addItem, set remItem, set editItem, and set defaultAction for more details.
Syntax
set <set_operation> [applicable_parameters]
Parameters
set_operation
The configurable parameters of the ACL.
8.18.2.1 set name
ACL Instance Context
Renames an ACL, while displaying the MAC addresses included with the ACL. Similar to the name command.
Syntax
set name <new_name>
Parameters
new_name
New name of the ACL.
Example
WS5000.(Cfg).ACL.[archive_ACL]> set name oldACL
Configuring Access Control List...
Status: Success.
ACL Name                    : oldACL
Default action on ACL items : allow
MAC address (range)    Rule
-------------------    ----
WS5000.(Cfg).ACL.[oldACL]>
8.18.2.2 set addItem
ACL Instance Context
Adds an MU to the ACL list.
Syntax
set addItem <MAC address>
Parameters
startMAC
Adds a device to the adoption list.
<MAC_address>
Example
WS5000.(Cfg).ACL.[testacl]> set addItem 00:a0:f8:01:02:03 allow
Configuring Access Control List...
Status: Success.
ACL Name                    : testacl
Default action on ACL items : allow
MAC address (range)    Rule
-------------------    ----
00:A0:F8:01:02:03      allow
8.18.2.3 set remItem
ACL Instance Context
Removes a device(s) from the ACL.
Syntax
set remItem <MAC_Address>
Parameters
MAC_Address
The MAC address of the device(s) to be removed. If the MAC address identifies the
beginning of a device range, the entire range is removed from the ACL.
Example
WS5000.(Cfg).ACL.[testacl]> set remItem 00:a0:f8:01:02:03
Configuring Access Control List...
Status: Success.
ACL Name                    : testacl
Default action on ACL items : allow
MAC address (range)    Rule
-------------------    ----
8.18.2.4 set editItem
ACL Instance Context
Edits an MU in the ACL list.
Syntax
set editItem <oldStartMac> <newStartMac> <allow | deny> | newEndMAC>
Parameters
oldStartMac newStartMac <allow | deny> | newEndMAC>
Redefines an existing ACL entry. You can switch between allow and deny, or reset the address range. You can’t do both at the same time.
Example
WS5000.(Cfg).ACL.[testacl]> set edititem 00:a0:f8:01:02:03 00:a0:f8:00:01:00 allow
Configuring Access Control List...
Status: Success.
ACL Name                    : testacl
Default action on ACL items : allow
MAC address (range)    Rule
-------------------    ----
00:A0:F8:00:01:00      allow
8.18.2.5 set defaultAction
ACL Instance Context
Sets the default adoption action for this ACL.
Syntax
set defaultAction <allow | deny>
Parameters
allow | deny
Indicates a default adoption action for devices that are not associated with any ACL. If
allow is set, the device is associated with this ACL. If not, the device remains
unassociated.
Example
WS5000.(Cfg).ACL.[oldACL]> set defaultAction allow
Configuring Access Control List...
Status: Success.
ACL Name                    : oldACL
Default action on ACL items : allow
MAC address (range)    Rule
-------------------    ----
WS5000.(Cfg).ACL.[oldACL]>
8.18.3 show
ACL Instance Context
Display the ACL device lists and default settings.
Syntax
show
Parameters
None.
Example
WS5000.(Cfg).ACL.[oldACL]> show
ACL Name                    : oldACL
Default action on ACL items : allow
MAC address (range)    Rule
-------------------    ----
WS5000.(Cfg).ACL.[oldACL]>
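The ACL behaviour described in sections 8.17 and 8.18 (non-overlapping MAC rules, removal of a whole range by its start address, and a default action for devices with no rule) can be modelled as follows. This is an added Python example, not Symbol's code; the names MacAcl, add_item, rem_item, decide and audit, and the address range used in the demo, are assumptions made for illustration. Its audit method flags an ACL such as the testacl shown in 8.18.2.2, where the default action and the only rule are both allow.

```python
import re
from dataclasses import dataclass, field

_MAC_RE = re.compile(r"(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}")


def mac_to_int(mac: str) -> int:
    """Parse 'aa:bb:cc:dd:ee:ff' into a 48-bit integer."""
    if not _MAC_RE.fullmatch(mac):
        raise ValueError(f"malformed MAC address: {mac!r}")
    return int(mac.replace(":", ""), 16)


def int_to_mac(value: int) -> str:
    """Format a 48-bit integer as an upper-case, colon-separated MAC."""
    raw = f"{value:012X}"
    return ":".join(raw[i:i + 2] for i in range(0, 12, 2))


@dataclass(frozen=True)
class Rule:
    start: int   # first address covered by the rule
    end: int     # last address covered (== start for a single device)
    action: str  # "allow" or "deny"


@dataclass
class MacAcl:
    """Hypothetical model of one ACL instance (not the switch's implementation)."""
    name: str
    default_action: str = "allow"
    rules: list = field(default_factory=list)

    def add_item(self, start_mac, action, end_mac=None):
        """Add a device or range; refuse any overlap with an existing rule."""
        if action not in ("allow", "deny"):
            raise ValueError("action must be 'allow' or 'deny'")
        start = mac_to_int(start_mac)
        end = mac_to_int(end_mac) if end_mac else start
        if end < start:
            raise ValueError("range end is below range start")
        for rule in self.rules:
            if start <= rule.end and rule.start <= end:
                raise ValueError(
                    f"overlaps existing rule {int_to_mac(rule.start)}"
                    f"-{int_to_mac(rule.end)}")
        self.rules.append(Rule(start, end, action))

    def rem_item(self, start_mac):
        """Remove the rule that begins at start_mac (the entire range goes)."""
        start = mac_to_int(start_mac)
        kept = [r for r in self.rules if r.start != start]
        removed = len(kept) != len(self.rules)
        self.rules = kept
        return removed

    def decide(self, mac):
        """Return the action for a device: its rule, else the default action."""
        value = mac_to_int(mac)
        for rule in self.rules:
            if rule.start <= value <= rule.end:
                return rule.action
        return self.default_action

    def audit(self):
        """Report configurations in which the ACL cannot filter as intended."""
        findings = []
        actions = {r.action for r in self.rules}
        if self.default_action == "allow" and "deny" not in actions:
            findings.append("default action is allow and there is no deny "
                            "rule: the ACL blocks nothing")
        if self.default_action == "deny" and "allow" not in actions:
            findings.append("default action is deny and there is no allow "
                            "rule: no mobile unit can associate")
        for rule in self.rules:
            if rule.action == self.default_action:
                findings.append(f"rule at {int_to_mac(rule.start)} repeats "
                                "the default action and has no effect")
        return findings


if __name__ == "__main__":
    # Same settings as the testacl example: default allow, one allow rule.
    weak = MacAcl("testacl", default_action="allow")
    weak.add_item("00:a0:f8:01:02:03", "allow")
    print(weak.audit())

    # Constructed allow-list: unknown devices are denied by default.
    strict = MacAcl("allowlist", default_action="deny")
    strict.add_item("00:a0:f8:00:01:00", "allow", "00:a0:f8:00:01:ff")
    print(strict.decide("00:A0:F8:00:01:7C"), strict.decide("00:11:22:33:44:55"))
```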
8.19 Access Port Policy (APPolicy) Context
An Access Port Policy configures a physical Access Port by defining attributes such as beacon interval, RTS
threshold, the set of supported data rates, and so on.
The APPolicy is also responsible for adding WLANs to the Access Port, and for attaching a Security Policy,
Access Control List, and Network Policy (or packet filter) to each AP.
Table 8.23 summarizes the commands within this context. Common commands between multiple contexts are
described in further detail in the Common Commands section.
Table 8.23 Access Port Policy Context Command Summary
Command          Description                                                            Ref.
.. or end        Terminate a current session and moves up a context, hierarchically.    page 8-7
exit             Terminate a current session and returns to the “root” prompt.          page 8-7
? or help        Get the command information.                                           page 8-7
logout or bye    Close this session.                                                    page 8-8
clear            Clear the screen.                                                      page 8-8
emergencymode    Enable or disable Emergency mode.                                      page 8-8
history          Display command history within the context.                            page 8-9
add              Creates and names a new Access Port policy instance.                   page 8-136
policy           Changes the context to a specific Access Port policy instance.         page 8-137
remove           Removes an Access Port policy.                                         page 8-138
show             Shows details about the Access Port policy.                            page 8-138
8.19.1 add
Access Port Policy (APPolicy) Context
Creates and names a new Access Port policy instance.
Syntax
add <name>
Parameters
name
The name that’s given to the new policy.
Example
WS5000.(Cfg).APPolicy> add newpolicy
Adding Access Port policy...
Status: Success.
Available Access Port Policies:
1. Default Access Port Policy.
2. newpolicy.
Access Port Policy details for "newpolicy":
Policy Name                 : newpolicy
Description                 :
Basic Rate for 11a          : 6,12,24
Supported Rate for 11a      : 9,18,36,48,54
Basic Rate for 11b          : 1,2
Supported Rate for 11b      : 5.5,11
Basic Rate for 11g          : 1,2,5.5,11
Supported Rate for 11g      : 6,9,12,18,24,36,48,54
Basic Rate for FH           : 1
Supported Rate for FH       : 2
RF Preamble                 : long
RTS Threshold               : 2347 Bytes
DTIM Period                 : 10
DTIM Period BSS 2           : 10
DTIM Period BSS 3           : 10
DTIM Period BSS 4           : 10
Beacon Interval             : 100
Allow MUs w/o Spectrum Mgmt : false
WME Enaled                  : Disabled
WME Profile Name            : Default AP WME Profile
WLAN details for the Access Port policy 'newpolicy'
WLAN Name            Network Policy
---------            --------------
WS5000.(Cfg).APPolicy.[newpolicy]>
8.19.2 policy
Access Port Policy (APPolicy) Context
Changes the command prompt into the named Access Port policy instance.
Syntax
policy <name>
Parameters
name
The name of the Access Port policy instance.
Example
WS5000.(Cfg).APPolicy> policy appol1
Access Port Policy details for "appol1":
Policy Name                 : appol1
Description                 :
Basic Rate for 11a          : 6,12,24
Supported Rate for 11a      : 9,18,36,48,54
Basic Rate for 11b          : 1,2
Supported Rate for 11b      : 5.5,11
Basic Rate for 11g          : 1,2,5.5,11
Supported Rate for 11g      : 6,9,12,18,24,36,48,54
Basic Rate for FH           : 1
Supported Rate for FH       : 2
RF Preamble                 : long
RTS Threshold               : 2347 Bytes
DTIM Period                 : 10
DTIM Period BSS 2           : 10
DTIM Period BSS 3           : 10
DTIM Period BSS 4           : 10
Beacon Interval             : 100
Allow MUs w/o Spectrum Mgmt : false
WME Enaled                  : Disabled
WME Profile Name            : Default AP WME Profile
WLAN details for the Access Port policy 'appol1'
WLAN Name            Network Policy
---------            --------------
WLAN_NE
WS5000.(Cfg).APPolicy.[appol1]>
8.19.3 remove
Access Port Policy (APPolicy) Context
Removes the named Access Port policy.
Syntax
remove <name>
Parameters
name
The name of the Access Port policy that’s to be removed.
Example
WS5000.(Cfg).APPolicy> remove newpolicy
Removing Access Port Policy...
Status: Success.
Available Access Port Policies:
1. Default Access Port Policy.
WS5000.(Cfg).APPolicy>
8.19.4 show
Shows details about the Access Port policy.
Syntax
show
Parameters
None.
Example
WS5000.(Cfg).APPolicy> show
Available Access Port Policies:
1. Default Access Port Policy.
2. New Access Port Policy.
3. appol1.
4. NY_APpolicy.
8.20 Access Port Policy Instance
Table 8.24 summarizes the commands within this context. Common commands between multiple contexts are
described in further detail in the Common Commands section.
Table 8.24 Access Port Policy Instance Context Command Summary
Command          Description                                                            Ref.
.. or end        Terminate a current session and moves up a context, hierarchically.    page 8-7
exit             Terminate a current session and returns to the “root” prompt.          page 8-7
? or help        Get the command information.                                           page 8-7
logout or bye    Close this session.                                                    page 8-8
add              Add an access port policy instance                                     page 8-139
clear            Clear the screen.                                                      page 8-8
emergencymode    Enable or disable Emergency mode.                                      page 8-8
history          Display command history within a context or instance                   page 8-9
add              Adds a WLAN to the Access Port Policy instance.                        page 8-139
description      Add a unique identifier or description to the policy instance.         page 8-140
map              The map command, depending on the specified AP hardware type, moves you into a WLAN-to-BSS/ESS mapping subcontext.    page 8-141
name             Rename an access port policy instance.                                 page 8-141
remove           Remove an access port policy instance.                                 page 8-142
show             Show details for the Access Port Policy instance.                      page 8-142
set              Set various configurations for the access port policy instance. This includes: set basicRates, set beacon, set dTim, set nonSpectrumMgmt, set np, set preamble, set rtsThreshold, and set supportedRates.    page 8-143
8.20.1 add
Access Port Policy Instance
Adds an Access Port Policy instance.
Syntax
add <policy_name>
Parameters
policy_name
The name of the Access Port Policy being added.
Example
WS5000.(Cfg).APPolicy.[NY_APpolicy]> add WLAN_NE
Adding WLAN...
Status: Success.
WLAN details for the Access Port policy 'NY_APpolicy'
WLAN Name            Network Policy
---------            --------------
WLAN_NE
WS5000.(Cfg).APPolicy.[NY_APpolicy]>
8.20.2 description
Access Port Policy Instance
Configures a brief description for the Access Port Policy instance.
Syntax
description <description_text>
Parameters
description_text
Brief description of the Access Port Policy instance.
Example
WS5000.(Cfg).APPolicy.[myAPPolicy]> description 2-11-05
Adding description...
Status : Success.
Access Port Policy details for "myAPPolicy":
Policy Name                 : myAPPolicy
Description                 : 2-11-05
Basic Rate for 11a          : 6,12,24
Supported Rate for 11a      : 9,18,36,48,54
Basic Rate for 11b          : 1,2
Supported Rate for 11b      : 5.5,11
Basic Rate for 11g          : 1,2,5.5,11
Supported Rate for 11g      : 6,9,12,18,24,36,48,54
Basic Rate for FH           : 1
Supported Rate for FH       : 2
RF Preamble                 : long
RTS Threshold               : 2347 Bytes
DTIM Period                 : 10
DTIM Period BSS 2           : 10
DTIM Period BSS 3           : 10
DTIM Period BSS 4           : 10
Beacon Interval             : 100
Allow MUs w/o Spectrum Mgmt : false
WME Enaled                  : Disabled
WME Profile Name            : Default AP WME Profile
WLAN details for the Access Port policy 'myAPPolicy'
WLAN Name            Network Policy
---------            --------------
WS5000.(Cfg).APPolicy.[myAPPolicy]>
8.20.3 map
Access Port Policy Instance
The map command, depending on the specified AP hardware type, moves you into a WLAN-to-BSS/ESS
mapping subcontext.
Some explanation is necessary, as follows. There are six Access Port device/radio types: AP 100, AP 200a, AP
200b, AP 300(a/g), AP 302x, AP 4121, and AP 4131. These hardware types are grouped by the number of BSSs
and ESSs that they support. Each BSS/ESS combination is represented by a pre-defined Map subcontext (there
are four Maps). Upon invoking the map command and specifying the “AP hardware type” parameter, the
command prompt is automatically changed to the correct Map subcontext.
From within the Map subcontext, you can assign (or map) the WLAN(s) that will support the BSS/ESS
combination. See the Access Port Map Context section for more details.
Syntax
map <apType>
Parameters
apType
Type of AP, which thus indicates the BSS/ESS Mapping. Possible values are:
• AP100 – 4 BSS to 4 ESS
• AP200a – 1 BSS to 16 ESS
• AP200b, AP300a, or AP4121 – 4 BSS to 16 ESS
• FH – 1 BSS to 1 ESS
a. The AP 300 802.11a radio uses the same mapping as the AP 300 802.11g.
Example
WS5000.(Cfg).APPolicy.[NY_APpolicy]> map ap4121
4BSS-16BSS mapping (used for AP200 11b radio, AP300 and AP4121):
WLAN Name    BSS    Primary    BW(%)
---------    ---    -------    -----
WLAN_NE      1      *          5.00%
Total BandWidth:               5.00%
WS5000.(Cfg).APPolicy.[NY_APpolicy].Map.[4BSS-16ESS]>
WS5000.(Cfg).APPolicy.[SF_APpolicy]> map ap100
4BSS-4ESS mapping (used for AP100):
WLAN Name    Selected    BW(%)
---------    --------    -----
WLAN_NE      *           5.00%
Total BandWidth:         5.00%
WS5000.(Cfg).APPolicy.[SF_APpolicy].Map.[4BSS-4ESS]>
8.20.4 name
Access Port Policy Instance
Rename an access port policy instance.
Syntax
name <appolicy_name>
Parameters
appolicy_name
AP policy name of the access port policy.
Example
WS5000.(Cfg).APPolicy.[NY_appolicy]> name NY_APPolicy
Configuring name...
Status : Success.
WS5000.(Cfg).APPolicy.[NY_APPolicy]>
8.20.5 remove
Access Port Policy Instance
Remove an AP Policy instance.
Syntax
remove <APPolicy_name>
Parameters
APPolicy_name
Name of the AP Policy to be removed.
Example
WS5000.(Cfg).APPolicy> remove "New Access Port Policy"
Removing Access Port Policy...
Status: Success.
Available Access Port Policies:
1. Default Access Port Policy.
2. appol1.
3. NY_APPolicy.
WS5000.(Cfg).APPolicy>
8.20.6 show
Access Port Policy Instance
Syntax
show
Parameters
None.
Example
WS5000.(Cfg).APPolicy.[NY_APpolicy]> show
Access Port Policy details for "NY_APpolicy":
Policy Name                 : NY_APpolicy
Description                 :
Basic Rate for 11a          : 6,12,24
Supported Rate for 11a      : 9,18,36,48,54
Basic Rate for 11b          : 1,2
Supported Rate for 11b      : 5.5,11
Basic Rate for 11g          : 1,2,5.5,11
Supported Rate for 11g      : 6,9,12,18,24,36,48,54
Basic Rate for FH           : 1
Supported Rate for FH       : 2
RF Preamble                 : short
RTS Threshold               : 2347 Bytes
DTIM Period                 : 10
DTIM Period BSS 2           : 10
DTIM Period BSS 3           : 10
DTIM Period BSS 4           : 10
Beacon Interval             : 100
Allow MUs w/o Spectrum Mgmt : false
WME Enaled                  : Disabled
WME Profile Name            : Default AP WME Profile
WLAN details for the Access Port policy 'NY_APpolicy'
WLAN Name            Network Policy
---------            --------------
WLAN_NE
WS5000.(Cfg).APPolicy.[NY_APpolicy]>
8.20.7 set
Access Port Policy Instance
Used to configure the Access Port Policy instance related parameters.
Syntax
set <config_parameter>
Parameters
set <config_parameter>    Description
set np                    Assigns the Network Policy that’s associated with the combination of this Access Port Policy and WLAN.
set preamble              Sets the length of the preamble (either short or long) that’s added to the packets that are sent by Access Ports that adopt this policy.
set rtsThreshold          Sets the Request to Send (RTS) threshold.
set dTim                  Sets the Access Port’s DTIM interval as a multiple of the beacon interval. Valid DTIM values are in the range [1, 20].
set beacon                Sets the Access Port’s radio beacon interval, in milliseconds. Valid intervals are in the range [20, 1000].
set basicRates            Sets the basic frequency rates for a given 802.11 radio type.
set supportedRates        Sets the radio frequencies that are supported by the device.
set nonSpectrumMgmt       Tells the Access Port to allow (true) or deny (false) association for mobile devices that don’t have spectrum management capabilities.
set wmm                   Sets the WMM for the switch.
Access Port Policy details
for "NY_APPolicy":
Example
WS5000.(Cfg).APPolicy.[NY_APPolicy]> set
Syntax: set <config_parameter>
config_parameter is a required parameter.
Valid commands:
set name
set np
set preamble
set rtsthreshold
set dtim
set beacon
set basicrates
set supportedrates
set nonspectrummgmt
set wmm
set wmeprofile
Incomplete command... use '?' for help.... exiting...
WS5000.(Cfg).APPolicy.[NY_APPolicy]>
8.20.7.1 set basicRates
Access Port Policy Instance
Sets the basic frequency rates for a given 802.11 radio type.
Syntax
set basicRates <radioType> <rates ...>
Parameters
radioType
One of A, B, G, or FH (frequency hopping). Radio values are:
• A – Frequencies 6, 9, 12, 18, 24, 36, 48, 54
• B – Frequencies 1, 2, 5.5, 11
• G – Frequencies 1, 2, 5.5, 6, 9, 11, 12, 18, 24, 36, 48, 54
• FH – Frequencies 1, 2
rates
A list of frequency values, in Mbps. The list of candidate frequencies depends on the
radio type. You can set multiple basic rates by passing a list of frequencies, e.g.: > set
B basicrates 1 2 11
Example
WS5000.(Cfg).APPolicy.[QIAPPolicy01]> set basicrates b 1,2,5.5,11
Configuring a Access Port Policy...
Status: Success.
Access Port Policy details for "QIAPPolicy01":
Policy Name                 : QIAPPolicy01
Description                 :
Basic Rate for 11a          : 6,12,24
Supported Rate for 11a      : 9,18,36,48,54
Basic Rate for 11b          : 1,2,5.5,11
Supported Rate for 11b      :
Basic Rate for 11g          : 1,2,5.5,11
Supported Rate for 11g      : 6,9,12,18,24,36,48,54
Basic Rate for FH           : 1
Supported Rate for FH       : 2
RF Preamble                 : long
RTS Threshold               : 2347 Bytes
DTIM Period                 : 10
DTIM Period BSS 2           : 10
DTIM Period BSS 3           : 10
DTIM Period BSS 4           : 10
Beacon Interval             : 100
Allow MUs w/o Spectrum Mgmt : false
WS5000.(Cfg).APPolicy.[QIAPPolicy01]>
8.20.7.2 set beacon
Access Port Policy Instance
Sets the Access Port’s radio beacon interval, in milliseconds. Valid intervals are in the range [20, 1000].
Syntax
set beacon <20 - 1000>
Parameters
beacon_interval
Placeholder to assign a beacon interval period for the access port.
Example
WS5000.(Cfg).APPolicy.[QIAPPolicy01]> set beacon 150
Configuring a Access Port Policy...
Status: Success.
Access Port Policy details for "QIAPPolicy01":
Policy Name                 : QIAPPolicy01
Description                 :
Basic Rate for 11a          : 6,12,24
Supported Rate for 11a      : 9,18,36,48,54
Basic Rate for 11b          : 1,2
Supported Rate for 11b      : 5.5,11
Basic Rate for 11g          : 1,2,5.5,11
Supported Rate for 11g      : 6,9,12,18,24,36,48,54
Basic Rate for FH           : 1
Supported Rate for FH       : 2
RF Preamble                 : long
RTS Threshold               : 2347 Bytes
DTIM Period                 : 10
DTIM Period BSS 2           : 10
DTIM Period BSS 3           : 10
DTIM Period BSS 4           : 10
Beacon Interval             : 150
Allow MUs w/o Spectrum Mgmt : false
WS5000.(Cfg).APPolicy.[QIAPPolicy01]>
8.20.7.3 set dTim
Access Port Policy Instance
Sets the Access Port’s DTIM interval as a multiple of the beacon interval. Valid DTIM values are in the range
[1, 20].
Syntax
set dtim <dtim_period : 1 - 20>
set dtim <bss1 | bss2 | bss3 | bss4> <dtim_period : 1 - 20>
Parameters
dtim period
Sets the DTIM interval period.
bss
Placeholder for selecting one of the four BSSs. An AP that has only one BSS uses the value for bss1.
Example
WS5000.(Cfg).APPolicy.[DtimTest5]> set dTim bss3 8
Configuring a Access Port Policy...
Status: Success.
Access Port Policy details for "DtimTest5":
Policy Name                 : DtimTest5
Description                 :
Basic Rate for 11a          : 6,12,24
Supported Rate for 11a      : 9,18,36,48,54
Basic Rate for 11b          : 1,2
Supported Rate for 11b      : 5.5,11
Basic Rate for 11g          : 1,2,5.5,11
Supported Rate for 11g      : 6,9,12,18,24,36,48,54
Basic Rate for FH           : 1
Supported Rate for FH       : 2
RF Preamble                 : long
RTS Threshold               : 2347 Bytes
DTIM Period                 : 10
DTIM Period BSS 2           : 10
DTIM Period BSS 3           : 8
DTIM Period BSS 4           : 10
Beacon Interval             : 100
Allow MUs w/o Spectrum Mgmt : false
WME Enabled                 : Disabled
WME Profile Name            : Default AP WME Profile
8.20.7.4 set nonSpectrumMgmt
Access Port Policy Instance
Tells the Access Port to allow (true) or deny (false) association for mobile devices that don’t have spectrum
management capabilities. This is only significant when the AP has DFS or TPC enabled.
Syntax
set nonSpectrumMgmt <flag>
Parameters
flag
Indicates whether the AP will allow (true) or deny (false) association of mobile devices
that are not Spectrum-capable.
Example
WS5000.(Cfg).APPolicy.[NY_APPolicy]> set nonSpectrumMgmt true
8.20.7.5 set np
Access Port Policy Instance
Assigns the Network Policy that’s associated with the combination of this Access Port Policy and WLAN.
Syntax
set np <np_name> <wlan_name>
Parameters
name
The name of the Network Policy.
wlan_name
The name of the WLAN.
Example
WS5000.(Cfg).APPolicy.[testappolicy]> set np "Default Network Policy" WLAN10
Configuring a Access Port Policy...
Status: Success.
WLAN details for the Access Port policy 'testappolicy'
WLAN Name            Network Policy
---------            --------------
WLAN10               Default Network Policy
8.20.7.6 set preamble
Access Port Policy Instance
Sets the length of the preamble (either short or long) that’s added to the packets that are sent by Access
Ports that adopt this policy.
Syntax
set preamble <short | long>
8.20.7.7 set rtsThreshold
Access Port Policy Instance
Sets the Request to Send (RTS) threshold.
Syntax
set rtsThreshold <threshold_value>
Parameters
threshold_value
This is the maximum size of packets (in bytes) that use the four-way handshake, a
technique that allows nearby Access Ports to sense the wireless conversation and
improve throughput. The RTS threshold is set, by default, to 2347 (the largest packet
size). This effectively turns off the four-way handshake.
Possible values are 0 - 2347.
Example
WS5000.(Cfg).APPolicy.[NY_APPolicy]> set rtsthreshold 200
Configuring a Access Port Policy...
Status: Success.
Access Port Policy details for "NY_APPolicy":
Policy Name                 : NY_APPolicy
Description                 :
Basic Rate for 11a          : 6,12,24
Supported Rate for 11a      : 9,18,36,48,54
Basic Rate for 11b          : 1,2
Supported Rate for 11b      : 5.5,11
Basic Rate for 11g          : 1,2,5.5,11
Supported Rate for 11g      : 6,9,12,18,24,36,48,54
Basic Rate for FH           : 1
Supported Rate for FH       : 2
RF Preamble                 : short
RTS Threshold               : 200 Bytes
DTIM Period                 : 10
DTIM Period BSS 2           : 10
DTIM Period BSS 3           : 10
DTIM Period BSS 4           : 10
Beacon Interval             : 100
Allow MUs w/o Spectrum Mgmt : false
WME Enaled                  : Disabled
WME Profile Name            : Default AP WME Profile
WS5000.(Cfg).APPolicy.[NY_APPolicy]>
8.20.7.8 set supportedRates
Access Port Policy Instance
Sets the radio frequencies that are supported by the device.
Note Same as set basicRates (set on page 8-143).
Syntax
set supportedRates <radioType> <rates ...>
Parameters
radioType
Sets one of the valid radio types. The valid radio types are: A, B, G, or FH.
rates
Placeholder for the supported rates of the selected radio. The supported rates for the different radio types are:
A: 6, 9, 12, 18, 24, 36, 48, 54, and none
B: 1, 2, 5.5, 11, and none
G: 1, 2, 5.5, 6, 9, 11, 12, 18, 24, 36, 48, 54, and none
FH: 1, 2, and none
Example
WS5000.(Cfg).APPolicy.[testappolicy]> set supportedrates a 36 54
Configuring a Access Port Policy...
Status: Success.
Access Port Policy details for "testappolicy":
Policy Name                 : testappolicy
Description                 :
Basic Rate for 11a          : 6,12,24
Supported Rate for 11a      : 36,54
Basic Rate for 11b          : 1,2
Supported Rate for 11b      : 5.5,11
Basic Rate for 11g          : 1,2,5.5,11
Supported Rate for 11g      : 6,9,12,18,24,36,48,54
Basic Rate for FH           : 1
Supported Rate for FH       : 2
RF Preamble                 : long
RTS Threshold               : 2347 Bytes
DTIM Period                 : 10
DTIM Period BSS 2           : 10
DTIM Period BSS 3           : 10
DTIM Period BSS 4           : 10
Beacon Interval             : 100
Allow MUs w/o Spectrum Mgmt : false
8.20.7.9 set wmm
Access Port Policy Instance
Sets the WMM for the switch.
Syntax
set wmm <enable/disable>
Parameters
enable/disable
Enables/Disables Wireless MultiMedia (wmm) capability support
Example
WS5000.(Cfg).APPolicy.[Default Access Port Policy]> set wmm enable
Status: Success.
Access Port Policy details for "NY_APPolicy":
Policy Name                 : Default Access Port Policy
Description                 : Default Access Port Policy, only ESSID 101 and no security, and default network policy
Basic Rate for 11a          : 6,12,24
Supported Rate for 11a      : 9,18,36,48,54
Basic Rate for 11b          : 1,2
Supported Rate for 11b      : 5.5,11
Basic Rate for 11g          : 1,2,5.5,11
Supported Rate for 11g      : 6,9,12,18,24,36,48,54
Basic Rate for FH           : 1
Supported Rate for FH       : 2
RF Preamble                 : short
RTS Threshold               : 2347 Bytes
DTIM Period                 : 10
DTIM Period BSS 2           : 10
DTIM Period BSS 3           : 10
DTIM Period BSS 4           : 10
Beacon Interval             : 100
Allow MUs w/o Spectrum Mgmt : false
WME                         : Enabled (At Next Reboot)
WME Profile Name            : Default AP WME Profile
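The set commands in section 8.20.7 document fixed ranges (beacon interval 20 to 1000, DTIM period 1 to 20, RTS threshold 0 to 2347) and a fixed rate set per radio type. The following added Python example, which is not part of the switch software, parses "Access Port Policy details" text in the "Label : value" layout and reports any value outside those documented limits; the function names and the sample output (policy lab_policy, with three deliberately invalid values) are constructed for illustration.

```python
import re

# Rate sets per radio type, as listed under set basicRates / set supportedRates.
VALID_RATES = {
    "11a": {6, 9, 12, 18, 24, 36, 48, 54},
    "11b": {1, 2, 5.5, 11},
    "11g": {1, 2, 5.5, 6, 9, 11, 12, 18, 24, 36, 48, 54},
    "FH": {1, 2},
}
# Label prefix -> inclusive range, from set rtsThreshold, set dTim, set beacon.
RANGES = {
    "RTS Threshold": (0, 2347),
    "DTIM Period": (1, 20),      # also matches "DTIM Period BSS 2" .. "BSS 4"
    "Beacon Interval": (20, 1000),
}
_FIELD_RE = re.compile(r"([A-Za-z0-9 ./]+?)\s*:\s*(.*)")
_RATE_LABEL_RE = re.compile(r"(?:Basic|Supported) Rate for (11a|11b|11g|FH)")

# Constructed sample, modelled on the outputs in this section.
SAMPLE = """\
Access Port Policy details for "lab_policy":
Policy Name                 : lab_policy
Description                 :
Basic Rate for 11a          : 6,12,24
Supported Rate for 11a      : 9,18,36,48,54
Basic Rate for 11b          : 1,2
Supported Rate for 11b      : 5.5,11,54
RF Preamble                 : long
RTS Threshold               : 2347 Bytes
DTIM Period                 : 10
DTIM Period BSS 2           : 25
Beacon Interval             : 10
"""


def parse_policy_details(text):
    """Return {label: value} for every 'Label : value' line; others are skipped."""
    fields = {}
    for line in text.splitlines():
        match = _FIELD_RE.fullmatch(line.strip())
        if match:
            fields[match.group(1)] = match.group(2).strip()
    return fields


def audit_policy(fields):
    """List every field whose value falls outside the documented limits."""
    findings = []
    for label, value in fields.items():
        for prefix, (low, high) in RANGES.items():
            if label.startswith(prefix):
                number = re.match(r"\d+", value)
                if not number or not low <= int(number.group()) <= high:
                    findings.append(f"{label}: {value!r} is outside [{low}, {high}]")
        rate_label = _RATE_LABEL_RE.fullmatch(label)
        if rate_label and value and value.lower() != "none":
            try:
                rates = {float(item) for item in value.split(",")}
            except ValueError:
                findings.append(f"{label}: {value!r} is not a rate list")
                continue
            invalid = sorted(rates - VALID_RATES[rate_label.group(1)])
            if invalid:
                shown = ", ".join(f"{rate:g}" for rate in invalid)
                findings.append(f"{label}: rate(s) {shown} not valid for "
                                f"radio type {rate_label.group(1)}")
    return findings


if __name__ == "__main__":
    for finding in audit_policy(parse_policy_details(SAMPLE)):
        print(finding)
```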
8.21 Access Port Map Context
See the map command for an introduction to the Map context, a context where mapping of WLANs to different
radio types is configured. The four Map contexts and the radios that use each mapping are shown in Table
8.25.
Depending on the pre-defined Map context, the following configurations can be set:
• Set the BSS index ID for each WLAN.
• Set the primary WLAN for the Map.
• Set the percentage of bandwidth that’s reserved for each WLAN.
Not all Map contexts support all of these settings. For example, it does not make sense to set the primary
WLAN for an AP radio that only supports one WLAN (such as is the case with frequency-hopping radios). Upon
changing into a particular map context instance, the command prompt changes to reflect the mapping.
Table 8.25 Map Context and Associated Radios
Map                Radio                                Prompt Example
4 BSS to 4 ESS     AP100                                WS5000.(Cfg).APPolicy.[AP0].Map.[4BSS-4ESS]>
1 BSS to 16 ESS    AP200a                               WS5000.(Cfg).APPolicy.[AP0].Map.[1BSS-16ESS]>
4 BSS to 16 ESS    AP200b, AP300(a/g), AP4121           WS5000.(Cfg).APPolicy.[AP0].Map.[4BSS-16ESS]>
1 BSS to 1 ESS     AP302x (frequency hopping radio)     WS5000.(Cfg).APPolicy.[AP0].Map.[1BSS-1ESS]>
Table 8.26 summarizes the commands within this context. Common commands between multiple contexts are
described in further detail in the Common Commands section.
Table 8.26 Access Port Map Context Command Summary
Command            Description                                                            BSS Map (AP Type)                                                  Ref.
.. or end          Terminate a current session and moves up a context, hierarchically.    All                                                                page 8-7
exit               Terminate a current session and returns to the “root” prompt.          All                                                                page 8-7
? or help          Get the command information.                                           All                                                                page 8-7
logout or bye      Close this session.                                                    All                                                                page 8-8
clear              Clear the screen.                                                      All                                                                page 8-8
emergencymode      Enable or disable Emergency mode.                                      All                                                                page 8-8
select             Assign a WLAN to the map.                                              4 BSS to 4 ESS (AP100), 1BSS-to-1ESS (AP302x)                      page 8-151
set bss            Assign a BSS index ID to a WLAN.                                       4BSS-to-16ESS (AP200b, AP300, AP4121)                              page 8-152
set bw             Set the guaranteed bandwidth that is assigned to a WLAN.               1BSS-to-16ESS (AP200a), 4BSS-to-16ESS (AP200b, AP300, AP4121)      page 8-152
set primaryWLAN    Set the primary WLAN for this map.                                     1BSS-to-16ESS (AP200a), 4BSS-to-16ESS (AP200b, AP300, AP4121)      page 8-153
unselect           Unassign a WLAN from the map.                                          4BSS-to-4ESS (AP100), 1BSS-to-1ESS (AP302x)                        page 8-153
show commands      Display context specific attributes.                                   All                                                                page 8-154
8.21.1 select
Access Port Map Context
Assigns a WLAN to the map.
Note This command applies only to: 4BSS-to-4ESS (AP100), 1BSS-to-1ESS
(AP302x).
Syntax
select <wlan_name>
Parameters
wlan_name
The name of the WLAN to take on the BSS ID assignment.
Example
WS5000.(Cfg).APPolicy.[NY_APpolicy].Map.[4BSS-4ESS]> select WLAN_NE
Success.
4BSS-4ESS mapping (used for AP100):
WLAN Name         Selected   BW(%)
---------         --------   -----
WLAN_NE           *          5.00%
Total BandWidth:             5.00%
WS5000.(Cfg).APPolicy.[NY_APpolicy].Map.[4BSS-4ESS]>
8.21.2 set bss
Access Port Map Context
Assigns a BSS index ID to a WLAN. The WLAN must already be part of the Access Port Policy that owns this
Map.
Note This command applies only to: 4BSS-to-16ESS (AP200b, AP300, AP4121)
Syntax
set bss <bss_index> <wlan_name>
Parameters
bssid
The BSS index ID that is being assigned to the WLAN. Possible values are: 1 - 4.
wlan_name
The name of the WLAN to take on the BSS index assignment.
Example
WS5000.(Cfg).APPolicy.[NY_APpolicy].Map.[4BSS-16ESS]> set bss 1 WLAN_NE
Configuring a Access Port Policy...
Status: Success.
4BSS-16BSS mapping (used for AP200 11b radio, AP300 and AP4121):
WLAN Name         BSS   Primary   BW(%)
---------         ---   -------   -----
WLAN_NE           1     *         5.00%
Total BandWidth:                  5.00%
WS5000.(Cfg).APPolicy.[NY_APpolicy].Map.[4BSS-16ESS]>
8.21.3 set bw
Access Port Map Context
Sets the guaranteed bandwidth that’s assigned to a WLAN. The total bandwidth for all WLANs within a Map
must equal 100. This command applies only to: 1BSS-to-16ESS (AP200a), 4BSS-to-16ESS (AP200b, AP300,
AP4121)
Syntax
set bw <bandwidth> <wlan_name>
Parameters
bandwidth
The percentage of bandwidth assigned to the WLAN. Valid percentages are in the range
from 5 to 100.
wlan_name
The name of the WLAN.
Example
WS5000.(Cfg).APPolicy.[NY_APpolicy].Map.[4BSS-16ESS]> set bw 20 WLAN_NE
Configuring a Access Port Policy...
Status: Success.
4BSS-16BSS mapping (used for AP200 11b radio, AP300 and AP4121):
WLAN Name         BSS   Primary   BW(%)
---------         ---   -------   -----
WLAN_NE           1     *         20.00%
Total BandWidth:                  20.00%
WS5000.(Cfg).APPolicy.[NY_APpolicy].Map.[4BSS-16ESS]>
8.21.4 set primaryWLAN
Access Port Map Context
Sets the Primary WLAN for this map.
Note: This command applies only to: 1BSS-to-16ESS (AP200a), 4BSS-to-16ESS (AP200b, AP300, AP4121).
Syntax
set primaryWLAN <wlan_name>
Parameters
wlan_name
The name of the WLAN.
Example
WS5000.(Cfg).APPolicy.[QIAPPolicy01].Map.[4BSS-16ESS]> set primarywlan QIWLAN01
Configuring a Access Port Policy...
Status: Success.
4BSS-16BSS mapping (used for AP200 11b radio, AP300, AP4121 and AP4131):
WLAN Name         BSS   Primary   BW(%)
---------         ---   -------   -----
QIWLAN01          1     *         100.00%
Total BandWidth:                  100.00%
WS5000.(Cfg).APPolicy.[QIAPPolicy01].Map.[4BSS-16ESS]>
8.21.5 unselect
Access Port Map Context
Unassigns a WLAN from the map.
Note This command applies only to: 4BSS-to-4ESS (AP100), 1BSS-to-1ESS (AP302x)
Syntax
unselect <wlan_name>
Parameters
wlan_name
The name of the WLAN to be unassigned from the BSSID assignment.
Example
WS5000.(Cfg).APPolicy.[NY_APpolicy].Map.[4BSS-4ESS]> unselect WLAN_NE
Success.
4BSS-4ESS mapping (used for AP100):
WLAN Name         Selected   BW(%)
---------         --------   -----
WLAN_NE                      %
Total BandWidth:             0.00%
WS5000.(Cfg).APPolicy.[NY_APpolicy].Map.[4BSS-4ESS]>
8.21.6 show
Access Port Map Context
Syntax
show
Parameters
None.
Example
WS5000.(Cfg).APPolicy.[NY_APPolicy].Map.[4BSS-4ESS]> show
4BSS-4ESS mapping (used for AP100):
WLAN Name         Selected   BW(%)
---------         --------   -----
WLAN_NE           *          5.00%
Total BandWidth:             5.00%
WS5000.(Cfg).APPolicy.[NY_APPolicy].Map.[4BSS-4ESS]>
8.22 Classifier Context (CE)
A Classifier is a predicate that tests various aspects of a network packet: Source and destination IP, transport
protocol, and so on. A packet will either “pass” or “fail” the predicate. The action that is taken when a packet
passes or fails a Classifier isn’t included in the Classifier definition—that is the job (primarily) of a
Classification Group.
See the Network Policy (NP) Context for an overview of the objects that are involved in the packet filtering
mechanism. This mechanism also involves the Classification Group (CG) Context.
Table 8.27 summarizes the commands within this context. Common commands between multiple contexts are
described in further detail in the Common Commands section.
Table 8.27 Classifier Context Command Summary
Command          Description                                                             Ref.
.. or end        Terminates the current session and moves up a context, hierarchically.  page 8-7
exit             Terminates the current session and returns to the “root” prompt.        page 8-7
? or help        Get the command information.                                            page 8-7
logout or bye    Close this session.                                                     page 8-8
clear            Clear the screen.                                                       page 8-8
emergencymode    Enable or disable Emergency mode.                                       page 8-8
add              Add a new Classifier.                                                   page 8-155
ce               Select a Classifier to configure.                                       page 8-156
remove           Remove a Classifier.                                                    page 8-156
show             Display available classification groups.                                page 8-157
8.22.1 add
Classifier Context (CE)
Creates and names a Classifier instance, and changes the prompt to the instance’s context.
Syntax
add <ce_name>
Parameters
ce_name
Name given to the new Classifier.
Example
WS5000.(Cfg).CE> add TestClassifier
Adding Classifier...
Status: Success.
Classifier information...
Available Classifiers (CE):
1. Ex HTTP Traffic.
2. Ex Telnet Traffic.
3. RTP_Data.
4. Spectra_Link_Phone.
5. VoIP_Call_Setup_In.
6. VoIP_Call_Setup_Out.
7. VoIP_Ext_Services_Out.
8. VoIP_Ext_Services_In.
9. VoIP_RAS_In.
10. VoIP_RAS_Out.
11. Spectralink_Multicast.
12. TestClassifier.
Classifier information...
Classifier Name                  : TestClassifier
CE Description                   :
# of Matching Criteria assigned  : 0
WS5000.(Cfg).CE.[TestClassifier]> ..
8.22.2 ce
Classifier Context (CE)
Changes the prompt to the context for the named Classifier instance.
Syntax
ce <ce_name>
Parameters
ce_name
Selects the Classifier by name.
Example
WS5000.(Cfg).CE> ce 1
Classifier information...
Classifier Name                  : Ex HTTP Traffic
CE Description                   :
# of Matching Criteria assigned  : 3
Matching Criteria details for 'Destination Port' : (MC Offset: 10)
1. 80.
Matching Criteria details for 'EtherType' : (MC Offset: 2)
1. 800.
Matching Criteria details for 'Protocol' : (MC Offset: 5)
1. 6 : TCP Transmission Control [RFC793].
WS5000.(Cfg).CE.[Ex HTTP Traffic]>
8.22.3 remove
Classifier Context (CE)
Use remove to remove a classifier.
Syntax
remove <name>
Parameters
name
The name of the Classifier that is to be removed.
Example
WS5000.(Cfg).CE> remove TestClassifier
Removing Classifier...
Status: Success.
Classifier information...
Available Classifiers (CE):
1. Ex HTTP Traffic.
2. Ex Telnet Traffic.
3. RTP_Data.
4. Spectra_Link_Phone.
5. VoIP_Call_Setup_In.
6. VoIP_Call_Setup_Out.
7. VoIP_Ext_Services_Out.
8. VoIP_Ext_Services_In.
9. VoIP_RAS_In.
10. VoIP_RAS_Out.
11. Spectralink_Multicast.
WS5000.(Cfg).CE>
8.22.4 show
Classifier Context (CE)
Shows Classifier details.
Syntax
show
Parameters
None.
Example
WS5000.(Cfg).CE> show
Classifier information...
Available Classifiers (CE):
1. Ex HTTP Traffic.
2. Ex Telnet Traffic.
3. RTP_Data.
4. Spectra_Link_Phone.
5. VoIP_Call_Setup_In.
6. VoIP_Call_Setup_Out.
7. VoIP_Ext_Services_Out.
8. VoIP_Ext_Services_In.
9. VoIP_RAS_In.
10. VoIP_RAS_Out.
11. Spectralink_Multicast.
WS5000.(Cfg).CE>
8.23 Classifier Instance
A Classifier instance contains a collection of “matching criteria” (MC). Each MC consists of a network packet
attribute and the value to which the attribute is compared. As packets arrive from or are sent to the wireless
network, they’re evaluated by the Classifier. If the packet attribute matches the value, then the packet
“passes” the MC; if the attribute doesn’t match, the packet “fails.” The action that’s taken when a packet
passes or fails a Classifier isn’t defined by the Classifier itself—it’s defined by the higher-level Classification
Group object.
A Classifier’s collection of MCs are evaluated and conjoined consecutively, in the order they were added. If
successive criteria identify the same packet attribute, the criteria are OR’d, otherwise they’re AND’d. You don't
have any control over the grouping of the criteria other than savvy ordering. In general, you should stick to
simple Classifier MCs and build more complicated tests by combining Classifiers in a Classification Group.
IMPORTANT! THE MATCHING CRITERIA ARE EVALUATED USING A CASE-SENSITIVE STRING COMPARISON.
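The combining rule described above, as an added Python sketch (not code from this manual or from the switch). It assumes the rule is a strict left-to-right fold with no operator precedence, which the manual does not spell out; mc_matches, classifier_passes and the two sample packets are constructed for illustration, and the criteria are the ones shown for HTTP_ce in this chapter's examples.

```python
import ipaddress

# Constructed model of a Classifier: an ordered list of (attribute, value)
# matching criteria, with attributes named after the addMC parameters.


def mc_matches(mc, pkt):
    """Return True if one matching criterion matches the packet dict."""
    attr, value = mc
    field = pkt.get(attr)
    if field is None:                      # packet does not carry the attribute
        return False
    if attr in ("IPsource", "IPdestination"):
        addr, mask = value                 # dotted address and dotted mask
        net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        return ipaddress.ip_address(field) in net
    if attr in ("sourceport", "destinationport"):
        lo, hi = value if isinstance(value, tuple) else (value, value)
        return lo <= field <= hi
    return field == value                  # ethertype, protocol, vlanid, ...


def classifier_passes(mcs, pkt):
    """Fold the criteria in the order they were added.

    Assumption: a criterion is OR'd into the running result when it names
    the same attribute as the criterion before it, and AND'd otherwise.
    """
    if not mcs:
        return False                       # assumption: an empty CE matches nothing
    result = mc_matches(mcs[0], pkt)
    for prev, cur in zip(mcs, mcs[1:]):
        hit = mc_matches(cur, pkt)
        result = (result or hit) if cur[0] == prev[0] else (result and hit)
    return result


# The three criteria listed for HTTP_ce, in two different insertion orders.
PORTS_THEN_IP = [
    ("sourceport", 7001),
    ("sourceport", (7001, 7010)),
    ("IPsource", ("172.39.80.2", "255.255.255.0")),
]
IP_THEN_PORTS = [PORTS_THEN_IP[2], PORTS_THEN_IP[0], PORTS_THEN_IP[1]]

# Constructed packets: same source port, inside and outside the subnet.
INSIDE = {"IPsource": "172.39.80.77", "sourceport": 7005}
OUTSIDE = {"IPsource": "10.0.0.5", "sourceport": 7005}


def compare_orderings():
    """Return (inside_passes, outside_passes) for each insertion order."""
    return {
        "ports_then_ip": (classifier_passes(PORTS_THEN_IP, INSIDE),
                          classifier_passes(PORTS_THEN_IP, OUTSIDE)),
        "ip_then_ports": (classifier_passes(IP_THEN_PORTS, INSIDE),
                          classifier_passes(IP_THEN_PORTS, OUTSIDE)),
    }


if __name__ == "__main__":
    for order, (inside, outside) in compare_orderings().items():
        print(f"{order}: inside={inside} outside={outside}")
```

Under this reading, the same three criteria admit the out-of-subnet packet when the port range is added last, which is why the order shown by the Classifier's show command is worth reviewing after every addMC.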
Table 8.31 summarizes the commands within this context. Common commands between multiple contexts are
described in further detail in the Common Commands section.
Table 8.28 Classifier Instance Context Command Summary
Command          Description                                                             Ref.
.. or end        Terminates the current session and moves up a context, hierarchically.  page 8-7
exit             Terminates the current session and returns to the “root” prompt.        page 8-7
? or help        Get the command information.                                            page 8-7
logout or bye    Close this session.                                                     page 8-8
clear            Clear the screen.                                                       page 8-8
emergencymode    Enable or disable Emergency mode.                                       page 8-8
addMC            Add a new matching criteria.                                            page 8-158
name             Change the name of the Classifier.                                      page 8-160
description      Configure a brief description for the Classifier.                       page 8-160
removeMC         Remove a matching criteria.                                             page 8-161
setMC            Configure matching criteria variables.                                  page 8-161
show             Show details about the Classifier.                                      page 8-162
8.23.1 addMC
Classifier Instance
Adds a new matching criterion to the Classifier.
Syntax
addMC <parameters>
Parameters
MACsource <MAC_address>
The MAC address of the device that sent the packet. The value is a MAC
address in the usual form.
MACdestination <dest_MAC_address>
The MAC address of the device to which the packet is being sent. The
value is a MAC address in the usual form.
ethertype <RFC1700 Ethernet type values>
Ethernet type values, as defined by RFC 1700. Values are hex numbers in
the range [0 - FFFF].
vlanid <IDnumber>
The ID of the VLAN to/from which the packet is being sent/has been
received. The value is a number.
userpriority <priority_value>
Relative priority value. The value is a number in the range [0 - 7].
protocol <protocol_value>
Ethernet protocol. The value is a (decimal) number in the range [0 - 254].
tos <tos_value>
Type of Service identifier. The value is a number in the range [0 - 63].
IPsource <IPaddress> <subnet_mask>
The IP address and subnet mask of the device from which the packet
emerged. The subnet mask is passed as a second argument
(subnet_mask). Both arguments are dot-separated IP addresses.
IPdestination <IPaddress> <subnet_mask>
The IP address and subnet mask of the device to which the packet is
being sent. The subnet mask is passed as a second argument
(subnet_mask). Both arguments are dot-separated IP addresses.
sourceport <port#> [end_port#]
The Ethernet port number, on the originating device, through which the
packet was sent. Optionally, a specific port can be declared (as a decimal
number), or a range of ports by supplying a second port number as the
end_port argument. Valid port numbers are in the range [0, 65535].
destinationport <port#> [end_port#]
The Ethernet port number, on the recipient device, to which the packet is
being sent. Optionally, a specific port can be declared (as a decimal
number), or a range of ports by supplying a second port number as the
end_port argument. Valid port numbers are in the range [0, 65535].
MCMask <MAC_address>
Multicast mask. The value is a MAC address that’s used to mask the
range of recipients of a broadcast packet.
Example
WS5000.(Cfg).CE.[HTTP_ce]> addmc IPsource 172.39.80.2 255.255.255.0
Adding Matching Criteria for the CE...
Status: Success.
Classifier information...
Classifier Name                  : HTTP_ce
CE Description                   :
# of Matching Criteria assigned  : 3
Matching Criteria details for 'Destination IP' : (MC Offset: 8)
Matching Criteria details for 'Source Port' : (MC Offset: 9)
1. 7001.
2. 7001-7010.
Matching Criteria details for 'Source IP' : (MC Offset: 7)
1. 172.39.80.2
IP Mask: 255.255.255.0
WS5000.(Cfg).CE.[HTTP_ce]>
8.23.2 name
Classifier Instance
This CLI is used to change the name of the classifier.
Syntax
name <name>
Parameters
name
The new name for the Classifier.
Example
WS5000.(Cfg).CE.[NewTraffic]> name "Ex HTTP Traffic"
Configuring name...
Status : Success.
WS5000.(Cfg).CE.[Ex HTTP Traffic]>
8.23.3 description
This CLI is used to set the description for the policy or item selected in the context.
Syntax
description <description_text>
Parameters
description_text
The text of the description.
Example
WS5000.(Cfg).CE.[Ex Telnet Traffic]> description "This classifier is related to Telnet Traffic"
Adding description...
Status : Success.
Classifier information...
Classifier Name                  : Ex Telnet Traffic
CE Description                   : This classifier is related to Telnet Traffic
# of Matching Criteria assigned  : 3
Matching Criteria details for 'Destination Port' : (MC Offset: 10)
1. 23.
Matching Criteria details for 'EtherType' : (MC Offset: 2)
1. 800.
Matching Criteria details for 'Protocol' : (MC Offset: 5)
1. 6 : TCP Transmission Control [RFC793].
WS5000.(Cfg).CE.[Ex Telnet Traffic]>
8.23.4 removeMC
Classifier Instance
Removes the matching criterion for the named criteria.
Syntax
removeMC <parameters>
Parameters
See parameters described in addMC command on page 8-158.
Example
WS5000.(Cfg).CE.[HTTP_ce]> removemc IPsource
Removing Matching Criteria...
Status: Success.
Classifier information...
Classifier Name                  : HTTP_ce
CE Description                   :
# of Matching Criteria assigned  : 2
Matching Criteria details for 'Destination IP' : (MC Offset: 8)
Matching Criteria details for 'Source Port' : (MC Offset: 9)
1. 7001.
2. 7001-7010.
WS5000.(Cfg).CE.[HTTP_ce]>
8.23.5 setMC
Classifier Instance
Sets the value of an existing matching criterion.
Syntax
setMC <parameters>
Parameters
See parameters described in addMC command on page 8-158.
Example
WS5000.(Cfg).CE.[HTTP_ce]> setmc sourceport 7001 7010
Configuring CE Matching Criteria...
Status: Success.
Classifier information...
Classifier Name                  : HTTP_ce
CE Description                   :
# of Matching Criteria assigned  : 3
Matching Criteria details for 'Source IP' : (MC Offset: 7)
Matching Criteria details for 'Destination IP' : (MC Offset: 8)
Matching Criteria details for 'Source Port' : (MC Offset: 9)
1. 7001.
2. 7001-7010.
WS5000.(Cfg).CE.[HTTP_ce]>
8.23.6 show
Classifier Instance
Shows details for this Classifier instance.
Syntax
show
show mc
Parameters
None.
Example
WS5000.(Cfg).CE.[Name]> show
Classifier information...
Classifier Name                  : HTTP_ce
CE Description                   :
# of Matching Criteria assigned  : 3
Matching Criteria details for 'Destination IP' : (MC Offset: 8)
Matching Criteria details for 'Source Port' : (MC Offset: 9)
1. 7001.
2. 7001-7010.
Matching Criteria details for 'Source IP' : (MC Offset: 7)
1. 172.39.80.2
IP Mask: 255.255.255.0
WS5000.(Cfg).CE.[HTTP_ce]>
8.24 Classification Group (CG) Context
A Classification Group (CG) is a collection of classifiers that evaluate network packets as they are sent to or
received from wireless devices (in Layer 2/Layer 3 filters) and wired devices (in firewall filters). The CG collects
classifiers and specifies what happens after each classifier evaluates a packet.
It declares whether a packet that passes the classifier evaluation is accepted (allowed to proceed along the
network) or denied (thrown away). See the Network Policy (NP) Context for an overview of the objects that are
involved in the packet filtering mechanism. Also, see Classifier Context (CE) and Policy Object (PO) Context
for more details.
Table 8.29 summarizes the commands within this context. Common commands between multiple contexts are
described in further detail in the Common Commands section.
Table 8.29 Classification Group Context Command Summary
Command          Description                                                                      Ref.
.. or end        Terminates the current session and moves up a context, hierarchically.           page 8-7
exit             Terminates the current session and returns to the “root” prompt.                 page 8-7
? or help        Get the command information.                                                     page 8-7
logout or bye    Close this session.                                                              page 8-8
clear            Clear the screen.                                                                page 8-8
emergencymode    Enable or disable Emergency mode.                                                page 8-8
add              Creates and names a new Classification Group instance.                           page 8-163
cg               Changes the prompt to the context of a specified Classification Group instance.  page 8-164
remove           Removes a Classification Group instance.                                         page 8-164
show commands    Display available classification groups.                                         page 8-165
8.24.1 add
Classification Group (CG) Context
Creates and names a new Classification Group instance, and changes the prompt to the instance’s context.
Syntax
add <cg_name>
Parameters
cg_name
The name to be given to the new Classification Group.
Example
WS5000.(Cfg).CG> add voip_in_cg
Adding Classification Groups...
Status: Success.
Classification Group information...
Available Classification Groups:
1. NetVision_VoIP_In.
2. NetVision_VoIP_Out.
3. New Classification Group.
4. voip_in_cg.
Classification Group information...
Classification Group Name      : voip_in_cg
CG Description                 :
No of classifiers for this CG  : 0
WS5000.(Cfg).CG.[voip_in_cg]>
8.24.2 cg
Classification Group (CG) Context
Changes the prompt to the context for a Classification Group instance.
Syntax
cg <cg_name>
Parameters
cg_name
The selected Classification Group.
Example
WS5000.(Cfg).CG> cg voip_in_cg
Classification Group information...
Classification Group Name      : voip_in_cg
CG Description                 :
No of classifiers for this CG  : 1
Classifiers & Action details:
1. RTP_Data --> Allow
WS5000.(Cfg).CG.[voip_in_cg]>
8.24.3 remove
Classification Group (CG) Context
Removes a Classification Group instance.
Syntax
remove <cg_name>
Parameters
cg_name
The name of the Classification Group to be removed.
Example
WS5000.(Cfg).CG> remove "New Classification Group"
Removing Classification Group...
Status: Success.
Classification Group information...
Available Classification Groups:
1. NetVision_VoIP_In.
2. NetVision_VoIP_Out.
3. voip_in_cg.
WS5000.(Cfg).CG>
8.24.4 show
Classification Group (CG) Context
Display information about a system component or named context instance.
Syntax
show
show ce
Parameters
None.
Example
WS5000.(Cfg).CG> show
Classification Group information...
Available Classification Groups:
1. NetVision_VoIP_In.
2. NetVision_VoIP_Out.
3. new_CG.
WS5000.(Cfg).CG>
8.25 Classification Group Instance
When you drop into a Classification Group instance, the CG’s set of Classifiers and associated actions are
displayed.
Table 8.30 summarizes the commands within this context. Common commands between multiple contexts are
described in further detail in the Common Commands section.
Table 8.30 Classification Group Instance Context Command Summary
Command          Description                                                             Ref.
.. or end        Terminates the current session and moves up a context, hierarchically.  page 8-7
exit             Terminates the current session and returns to the “root” prompt.        page 8-7
? or help        Get the command information.                                            page 8-7
logout or bye    Close this session.                                                     page 8-8
clear            Clear the screen.                                                       page 8-8
description      Add a text string to describe the Classification Group in more detail.  page 8-166
emergencymode    Enable or disable Emergency mode.                                       page 8-8
name             Rename a Classification Group Instance.                                 page 8-167
set              Set configuration parameters regarding the specific Classification Group Instance. Parameters such as name, adding and removing classifiers, and setting actions.  page 8-167
show             Display available classification groups.                                page 8-168
8.25.1 description
Classification Group Instance
Configures a brief description for the Classification Group instance.
Syntax
description <description_text>
Parameters
description_text
Brief description of the Classification Group instance.
Example
WS5000.(Cfg).CG.[anotherName]> description "This is a VOIP Group"
Adding description...
Status : Success.
Classification Group information...
Classification Group Name      : anotherName
CG Description                 : This is a VOIP Group
No of classifiers for this CG  : 0
WS5000.(Cfg).CG.[anotherName]>
8.25.2 name
Classification Group Instance
Rename a Classification Group Instance.
Syntax
name <new_name>
Parameters
new_name
The new name for the current Classification Group.
Example
WS5000.(Cfg).CG.[new_CG]> name anotherName
Configuring name...
Status : Success.
WS5000.(Cfg).CG.[anotherName]>
8.25.3 set
Classification Group Instance
Performs an operation on the Classification Group instance.
Syntax
set <attribute> <value>
Parameters
attribute
Description
name <cg_name>
Sets the name of the Classification Group. Same as name command.
addCE <ce_name>
Adds the named Classifier instance to the CG.
removeCE <ce_name>
Removes the named Classifier instance from the CG.
action
Associates an action with a Classifier (ce_name) that has been added to the CG.
Possible values are:
• allow <ce_name> – If this is set, packets that pass the Classifier are allowed to
continue and they’re marked as being part of this Classification Group instance (this
will be important when we bump up a level to Input and Output Policies). Packets that
don’t pass the evaluation are not immediately thrown away—they’re allowed or
denied according to the default action defined in the Input or Output Policy that uses
this CG.
• deny <ce_name> – Packets that pass the Classifier are thrown away. Packets that
don’t pass are allowed to continue (again, with no CG marking).
Example
WS5000.(Cfg).CG.[voip_in_cg]> set name VoIP_in_CG
WS5000.(Cfg).CG.[VoIP_in_CG]>
WS5000.(Cfg).CG.[voip_in_cg]> show ce
Classifier information...
Available Classifiers (CE):
1. Ex HTTP Traffic.
2. Ex Telnet Traffic.
3. RTP_Data.
4. Spectra_Link_Phone.
5. VoIP_Call_Setup_In.
6. VoIP_Call_Setup_Out.
7. VoIP_Ext_Services_Out.
8. VoIP_Ext_Services_In.
9. VoIP_RAS_In.
10. VoIP_RAS_Out.
11. New HTTP Traffic Classifier.
WS5000.(Cfg).CG.[voip_in_cg]> set addce Spectra_Link_Phone
Configuring Classification Group... done.
Classification Group information...
Classification Group Name      : voip_in_cg
CG Description                 :
No of classifiers for this CG  : 2
Classifiers & Action details:
1. RTP_Data --> Allow
2. Spectra_Link_Phone --> Allow
WS5000.(Cfg).CG.[voip_in_cg]>
WS5000.(Cfg).CG.[voip_in_cg]> set removece Spectra_Link_Phone
Configuring Classification Group... done.
Classification Group information...
Classification Group Name      : voip_in_cg
CG Description                 :
No of classifiers for this CG  : 1
Classifiers & Action details:
1. RTP_Data --> Allow
WS5000.(Cfg).CG.[voip_in_cg]>
WS5000.(Cfg).CG.[voip_in_cg]> set action deny Spectra_Link_Phone
Configuring Classification Group... done.
Classification Group information...
Classification Group Name      : voip_in_cg
CG Description                 :
No of classifiers for this CG  : 2
Classifiers & Action details:
1. RTP_Data --> Allow
2. Spectra_Link_Phone --> Deny
WS5000.(Cfg).CG.[voip_in_cg]>
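The allow and deny actions described under set, as an added Python model (not code from this manual or from the switch). It assumes the classifiers in a CG are tried in the listed order and that a packet no classifier decides falls through to the default action of the Input or Output Policy; the two predicates and the sample packets are constructed stand-ins, because the page names RTP_Data and Spectra_Link_Phone without showing their criteria.

```python
from typing import NamedTuple, Optional


class Verdict(NamedTuple):
    forwarded: bool            # True if the packet continues along the network
    marked_cg: Optional[str]   # CG name the packet is marked with, if any
    decided_by: str            # classifier name, or "policy default"


def evaluate_cg(cg_name, entries, default_action, pkt):
    """Apply a Classification Group to one packet.

    entries: ordered (ce_name, predicate, action) tuples; action is
             "allow" or "deny", as set with 'set action'.
    default_action: default of the Input/Output Policy using this CG.
    Assumption: entries are tried in listed order and the first classifier
    the packet passes decides; the manual does not state the order.
    """
    for ce_name, passes, action in entries:
        if action not in ("allow", "deny"):
            raise ValueError(f"unknown action {action!r} for {ce_name}")
        if not passes(pkt):
            continue                                   # a failed classifier never drops
        if action == "allow":
            return Verdict(True, cg_name, ce_name)     # allowed and marked
        return Verdict(False, None, ce_name)           # deny: thrown away
    # Nothing passed: the policy default decides, with no CG marking.
    return Verdict(default_action == "allow", None, "policy default")


# Hypothetical criteria standing in for the named classifiers.
def rtp_data(pkt):
    return pkt.get("protocol") == 17 and pkt.get("destinationport") == 5004


def spectra_link_phone(pkt):
    return pkt.get("protocol") == 119


# The CG as displayed in the last example above.
VOIP_IN_CG = [
    ("RTP_Data", rtp_data, "allow"),
    ("Spectra_Link_Phone", spectra_link_phone, "deny"),
]

# Constructed sample packets.
PACKETS = {
    "rtp": {"protocol": 17, "destinationport": 5004},
    "srp": {"protocol": 119},
    "telnet": {"protocol": 6, "destinationport": 23},
}


def audit(default_action):
    """Verdict for every sample packet under the given policy default."""
    return {name: evaluate_cg("voip_in_cg", VOIP_IN_CG, default_action, pkt)
            for name, pkt in PACKETS.items()}


if __name__ == "__main__":
    for default in ("deny", "allow"):
        for name, verdict in audit(default).items():
            print(default, name, verdict)
```

The Telnet packet is never touched by either classifier, so whether it is forwarded depends entirely on the policy default; a CG with only deny entries filters nothing else unless that default is deny.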
8.25.4 show
Classification Group Instance
Display information about this Classification Group instance.
Syntax
show
Parameters
None.
Example
WS5000.(Cfg).CG.[CG_name]> show
Classification Group information...
Classification Group Name      : anotherName
CG Description                 : This is a VOIP Group
No of classifiers for this CG  : 0
WS5000.(Cfg).CG.[CG_name]>
8.26 Chassis Context
Display and manage CPU and system temperature.
Table 8.31 summarizes the commands within this context. Common commands between multiple contexts are
described in further detail in the Common Commands section.
Table 8.31 Chassis Context Command Summary
Command          Description                                                             Ref.
.. or end        Terminates the current session and moves up a context, hierarchically.  page 8-7
exit             Terminates the current session and returns to the “root” prompt.        page 8-7
? or help        Get the command information.                                            page 8-7
logout or bye    Close this session.                                                     page 8-8
clear            Clear the screen.                                                       page 8-8
emergencymode    Enable or disable Emergency mode.                                       page 8-8
set notify       Tells the switch to send a notification if the temperature of the CPU or of the system, in general, rises above a given threshold.  page 8-170
show             Display context specific attributes.                                    page 8-171
8.26.1 set notify
Chassis Context
Tells the switch to send a notification if the temperature of the CPU or of the system rises above a given
threshold. Notifications are sent to the local system log, the Syslog, and cause an SNMP trap to be thrown.
IMPORTANT! THE SYSTEM AUTOMATICALLY SHUTS DOWN IF THE CPU OR SYSTEM TEMPERATURE RISES ABOVE 105 DEGREES.
Syntax
set notify <cpu-temperature | system-temperature> <threshold>
Parameters
threshold
The temperature threshold is expressed in degrees centigrade and must fall in the range
[0, 105]. The notification is only sent when the temperature rises from below to above
the threshold temperature—it isn’t sent when the temperature drops from above to
below the threshold.
Example
WS5000.(Cfg).Chassis> set notify system-temperature 30
Configuring notify temperature...
Status: Success.
Description         Curr Value  Max Value   Min Value   Notify Value
-----------         ----------  ---------   ---------   ------------
CPU Temperature     42 C        48 C        40 C        0 C
System Temperature  38 C        40 C        36 C        30 C
System Fan (rpm)    8437        8653        8437        None
CPU Fan (rpm)       23275       675000      5000        None
System Fan 2        OFF                                 None
System Fan 3        OFF                                 None
System Fan 4        15340       15340       15000       None
WS5000.(Cfg).Chassis> set notify cpu-temperature 40
Configuring notify temperature...
Status: Success.
Description         Curr Value  Max Value   Min Value   Notify Value
-----------         ----------  ---------   ---------   ------------
CPU Temperature     45 C        48 C        40 C        40 C
System Temperature  37 C        40 C        36 C        30 C
System Fan (rpm)    8544        8653        8437        None
CPU Fan (rpm)       24107       675000      5000        None
System Fan 2        OFF                                 None
System Fan 3        OFF                                 None
System Fan 4        15340       15340       15000       None
WS5000.(Cfg).Chassis>
8.26.2 show
Chassis Context
Display a table of temperature and fan speed statistics.
Under normal circumstances, both the system and the CPU should hover around 36 degrees. The Max Value
and Min Value readings are the maximum and minimum temperatures since the switch was last booted.
Currently, you cannot install a notification for fan speed.
Syntax
show
Parameters
None.
Example
WS5000.(Cfg).Chassis> show
Description         Curr Value  Max Value   Min Value   Notify Value
-----------         ----------  ---------   ---------   ------------
CPU Temperature     34 C        36 C        33 C        45 C
System Temperature  36 C        38 C        32 C        45 C
System Fan (rpm)    OFF                                 None
CPU Fan (rpm)       21093       675000      9782        None
System Fan 2        OFF                                 None
System Fan 3        OFF                                 None
System Fan 4        15340       15340       15000       None
8.27 Ethernet Port Context
There are two Ethernet ports on WS5000 Series switches.
• Port 1 connects (by convention) to the wired LAN.
• Port 2 connects to the wireless LAN.
Table 8.32 summarizes the commands within this context. Common commands between multiple contexts are
described in further detail in the Common Commands section.
Table 8.32 Ethernet Port Context Command Summary
Command          Description                                                             Ref.
.. or end        Terminates the current session and moves up a context, hierarchically.  page 8-7
exit             Terminates the current session and returns to the “root” prompt.        page 8-7
? or help        Get the command information.                                            page 8-7
logout or bye    Close this session.                                                     page 8-8
clear            Clear the screen.                                                       page 8-8
emergencymode    Enable or disable Emergency mode.                                       page 8-8
history          Display command history within a context or instance.                   page 8-9
ping             Ping a network host/IP address.                                         page 8-9
port             Changes the context to an Ethernet port instance.                       page 8-172
show             Display context specific attributes.                                    page 8-173
8.27.1 port
Ethernet Port Context
Changes the context to an Ethernet port instance.
Syntax
port <port_number>
Parameters
port_number
The index of the Ethernet port. Either 1 or 2.
Example
WS5000.(Cfg).Ethernet> port 1
Name                         : Ethernet 1
Network Interface Card #     : 1
Description                  : Ethernet Adapter
MAC Address                  : 00:A0:F8:65:94:B8
Status                       : Enable
Online                       : Yes
Configured Mode              : auto
Negotiated Mode - Duplex     : Full
Negotiated Mode - Speed      : 100
DHCP status                  : Disable
IP Address                   : 10.1.1.101
Network Mask                 : 255.255.255.0
Domain Name                  : domain1
Port type (trunk/non-trunk)  : Non-Trunk
VLAN Tags seen               : None
Up-Time                      : 12d:03h:54m
Transmit packets             : 4260726
Received packets             : 4959514
Gateway                      : 111.222.111.254
DNS servers                  :
1. 111.222.111.100.
WS5000.(Cfg).Ethernet.[1]>
8.27.2 show
Ethernet Port Context
Display Ethernet port details.
Syntax
show
show interfaces
Parameters
(none)
Display a list of Ethernet port instances.
interfaces
Shows adopted Access Port info and lists the switch’s Ethernet ports
Example
WS5000.(Cfg).Ethernet> show
Available EtherPorts are:
Ethernet 1
Ethernet 2
WS5000.(Cfg).Ethernet>
8.28 Ethernet Port Instance
There are two Ethernet Port instances, one for each of the WS5000’s NICs. The instances are identified by
number: 1 or 2. By convention, the WLAN is connected to the switch through NIC 1, and NIC 2 connects the
switch to the wired network.
Table 8.33 summarizes the commands within this context. Common commands between multiple contexts are
described in further detail in the Common Commands section.
Table 8.33 Ethernet Port Instance Context Command Summary
Command          Description                                                             Ref.
.. or end        Terminates the current session and moves up a context, hierarchically.  page 8-7
exit             Terminates the current session and returns to the “root” prompt.        page 8-7
? or help        Get the command information.                                            page 8-7
logout or bye    Close this session.                                                     page 8-8
clear            Clear the screen.                                                       page 8-8
emergencymode    Enable or disable Emergency mode.                                       page 8-8
ping             Sends ICMP ECHO_REQUEST packets to a network host.                      page 8-9
description      Set description text about the Ethernet port instance.                  page 8-15
ipAddress        Configure an IP address for the Ethernet port.                          page 8-174
set              Configure the Ethernet port.                                            page 8-175
show             Display details about the Ethernet Port instance.                       page 8-177
8.28.1 ipAddress
Ethernet Port Instance
Assigns an IP address to this Ethernet port instance.
Syntax
ipAddress <IP_address> <net_mask>
ipaddress dhcp <enable_flag>
Parameters
IP_address
The IP address assigned to the Ethernet port if DHCP is disabled. Otherwise, use the
“ipaddress dhcp” command.
net_mask
The network mask assigned to the Ethernet port if DHCP is disabled. Otherwise, use the
“ipaddress dhcp” command.
enable_flag
When the ipaddress dhcp command is used, this flag indicates that the Ethernet port’s IP
address should be assigned by DHCP. Possible value is “enable” only, because
otherwise DHCP is disabled by default.
Example
WS5000.(Cfg).Ethernet.[1]> ipaddress 111.222.111.33 255.255.255.0
Configuring IP address of Ethernet 1...
Status: Success.
Name                         : Ethernet 1
Network Interface Card #     : 1
Description                  : Ethernet Adapter
MAC Address                  : 00:A0:F8:65:94:B8
Status                       : Enable
Online                       : Yes
Configured Mode              : auto
Negotiated Mode - Duplex     : Full
Negotiated Mode - Speed      : 100
DHCP status                  : Disable
IP Address                   : 10.1.1.101
Network Mask                 : 255.255.255.0
Domain Name                  : domain1
Port type (trunk/non-trunk)  : Non-Trunk
VLAN Tags seen               : None
Up-Time                      : 12d:03h:58m
Transmit packets             : 4261430
Received packets             : 4960275
Gateway                      : 111.222.111.254
DNS servers                  :
1. 111.222.111.100.
WS5000.(Cfg).Ethernet.[1]>
WS5000.(Cfg).Ethernet.[1]> ipaddress dhcp enable
Configuring IP address of Ethernet 1...
Status: Failed.
ERROR: Cannot set parameter. DHCP can only be enabled on single interface at a
time.
WS5000.(Cfg).Ethernet.[1]>
8.28.2 set
Ethernet Port Instance
Sets an attribute of this Ethernet port instance.
Syntax
set <attribute> [<value>]
Parameters
attribute
Description
cfgMode
Sets the Ethernet port mode. Possible values are:
• Auto
• 10_Half
• 10_Full
• 100_Half
• 100_Full
dhcp
Enables/disables the DHCP client for this port. Possible values are:
• enable
• disable
gateway
Sets the IP address of the gateway. Enter the IP address as a value.
nonTrunk
Sets the port to be non-trunked.
trunk <primary_vLanID>
Sets the port to be trunked.
vLanId
Sets the primary VLAN ID. The port automatically becomes trunked.
clearVlanTags
Clears the VLAN tag register.
Example
WS5000.(Cfg).Ethernet.[1]> set
port_parameter is a required parameter.
Syntax: set <port_parameter> <value>
Valid commands:
set dhcp
set domain
set vlanid
set gateway
set dns
set trunk
set nontrunk
set clearvlantags
set cfgmode
Incomplete command... use '?' for help.... exiting...
WS5000.(Cfg).Ethernet.[1]>
WS5000.(Cfg).Ethernet.[1]> set vlanid 5
Configuring Ethernet port...
Status: Success.
Name                          : Ethernet 1
Network Interface Card #      : 1
Description                   : Ethernet Adapter
MAC Address                   : 00:A0:F8:65:94:B8
Status                        : Enable
Online                        : Yes
Configured Mode               : auto
Negotiated Mode - Duplex      : Full
Negotiated Mode - Speed       : 100
DHCP status                   : Disable
IP Address                    : 10.1.1.101
Network Mask                  : 255.255.255.0
Domain Name                   : domain1
Port type (trunk/non-trunk)   : Trunk Port
Primary VLAN id               : 5
VLAN Tags seen                : None
Up-Time                       : 12d:04h:05m
Transmit packets              : 4262798
Received packets              : 4961764
Gateway                       : 111.222.111.254
DNS servers                   :
1. 111.222.111.100.
WS5000.(Cfg).Ethernet.[1]>
8.28.3 show
Ethernet Port Instance
Display Ethernet Port instance information.
Syntax
show
show interfaces
Parameters
(none)
Display a list of Ethernet port instances.
interfaces
Shows adopted Access Port info and lists the switch’s Ethernet ports.
Example
WS5000.(Cfg).Ethernet.[1]> show
Name                          : Ethernet 1
Network Interface Card #      : 1
Description                   : Ethernet Adapter
MAC Address                   : 00:A0:F8:65:94:B8
Status                        : Enable
Online                        : Yes
Configured Mode               : auto
Negotiated Mode - Duplex      : Full
Negotiated Mode - Speed       : 100
DHCP status                   : Disable
IP Address                    : 10.1.1.101
Network Mask                  : 255.255.255.0
Domain Name                   : domain1
Port type (trunk/non-trunk)   : Trunk Port
Primary VLAN id               : 5
VLAN Tags seen                : None
Up-Time                       : 12d:04h:07m
Transmit packets              : 4263145
Received packets              : 4962140
Gateway                       : 111.222.111.254
DNS servers                   :
1. 111.222.111.100.
WS5000.(Cfg).Ethernet.[1]> show interfaces
Interface information
Access Ports            Radio MAC          Device MAC         Type  Status
------------            ---------          ----------         ----  ------
00:A0:F8:A2:91:7C [B]   00:A0:F8:A2:91:7C  00:A0:F8:A2:91:7C  B     Active
00:A0:F8:5D:B9:0C [A]   00:A0:F8:60:BC:3D  00:A0:F8:5D:B9:0C  A     Active
00:A0:F8:6E:4A:7A [G]   00:A0:F8:6E:55:30  00:A0:F8:6E:4A:7A  G     Unavailable
00:A0:F8:6E:4A:7A [A]   00:A0:F8:6E:4C:60  00:A0:F8:6E:4A:7A  A     Unavailable
00:A0:F8:BB:B3:6D [G]   00:A0:F8:BB:F6:E8  00:A0:F8:BB:B3:6D  G     Unavailable
00:A0:F8:BB:B3:6D [A]   00:A0:F8:BB:C7:6C  00:A0:F8:BB:B3:6D  A     Unavailable
Available EtherPorts are:
Ethernet 1
Ethernet 2
WS5000.(Cfg).Ethernet.[1]>
8.29 Ethernet Policy (EtherPolicy) Context
Ethernet policies are used by the WS5000 Series switch to configure a VLAN ID to an Ethernet port.
Table 8.34 summarizes the commands within this context. Common commands between multiple contexts are
described in further detail in the Common Commands section.
Table 8.34 Ethernet Policy Context Command Summary
Command         Description                                                              Ref.
.. or end       Terminate a current session and move up a context, hierarchically.       page 8-7
exit            Terminate a current session and return to the “root” prompt.             page 8-7
? or help       Get the command information.                                             page 8-7
logout or bye   Close this session.                                                      page 8-8
clear           Clear the screen.                                                        page 8-8
emergencymode   Enable or disable Emergency mode.                                        page 8-8
add             Add a new Ether Policy to the system.                                    page 8-178
policy          Select an Ethernet policy to configure.                                  page 8-179
remove          Remove an Ethernet policy.                                               page 8-179
show            Display available classifier instance details.                           page 8-179
8.29.1 add
Ethernet Policy (EtherPolicy) Context
Creates and names an Ethernet Policy instance, and changes the prompt to the new instance’s context.
Syntax
add <name>
Parameters
name
The name that’s given to the new Ethernet policy.
Example
WS5000.(Cfg).EtherPolicy> add LabEtherPolicy
Adding Ether Policy...
Status : Success.
Available EtherPolicies are:
1. Default Ethernet Policy.
2. eth1.
3. LabEtherPolicy.
Ether Policy Name    : LabEtherPolicy
Description          :
Rest of Network on   : Ethernet 2
VLANs mapped are:
LAN2                 --> Ethernet: 2
WS5000.(Cfg).EtherPolicy.[LabEtherPolicy]>
8.29.2 policy
Ethernet Policy (EtherPolicy) Context
Changes the prompt to the context of the named Ethernet policy instance.
Syntax
policy <name>
Parameters
name
Selects the Ethernet policy.
Example
WS5000.(Cfg).EtherPolicy> policy LabEtherPolicy
Ether Policy Name    : LabEtherPolicy
Description          :
Rest of Network on   : Ethernet 2
VLANs mapped are:
LAN2                 --> Ethernet: 2
WS5000.(Cfg).EtherPolicy.[LabEtherPolicy]>
8.29.3 remove
Ethernet Policy (EtherPolicy) Context
Removes an Ethernet Policy instance.
Syntax
remove <name>
Parameters
name
The name of the Ethernet Policy that’s to be removed.
Example
WS5000.(Cfg).EtherPolicy> remove "New Ethernet Port Policy"
Removing EtherPolicy...
Status : Success.
Available EtherPolicies are:
1. Default Ethernet Policy.
2. eth1.
WS5000.(Cfg).EtherPolicy>
8.29.4 show
Ethernet Policy (EtherPolicy) Context
Display Ethernet Policy information.
Syntax
show
Parameters
None.
Example
WS5000.(Cfg).EtherPolicy> show
Available EtherPolicies are:
1. Default Ethernet Policy.
2. New Ethernet Port Policy.
3. eth1.
WS5000.(Cfg).EtherPolicy>
8.30 Ethernet Policy Instance
An Ethernet policy instance configures the two Ethernet ports to support the LAN and the WLAN, and creates
and maps VLANs to the two ports.
Table 8.35 summarizes the commands within this context. Common commands between multiple contexts are
described in further detail in the Common Commands section.
Table 8.35 Ethernet Policy Instance Context Command Summary
Command         Description                                                              Ref.
.. or end       Terminate a current session and move up a context, hierarchically.       page 8-7
exit            Terminate a current session and return to the “root” prompt.             page 8-7
? or help       Get the command information.                                             page 8-7
logout or bye   Close this session.                                                      page 8-8
add             Create and add a VLAN to this ethernet policy instance.                  page 8-181
add tunnel      Create and add an existing GRE Tunnel to this ethernet policy instance.  page 8-182
clear           Clear the screen.                                                        page 8-8
description     Set the description text.                                                page 8-15
emergencymode   Enable or disable emergency mode.                                        page 8-8
remove          Remove a VLAN from this ethernet policy instance.                        page 8-182
remove tunnel   Remove the GRE tunnel from this ethernet policy instance.                page 8-183
set             Configure attributes of the ethernet policy instance.                    page 8-183
show            Display details about the ethernet policy instance.                      page 8-184
tunnel          Select a tunnel to configure.                                            page 8-185
vlan            Select a VLAN to configure.                                              page 8-185
8.30.1 add
Ethernet Policy Instance
Creates and adds a VLAN to this Ethernet Policy instance.
Syntax
add <vlan_ID> <NIC>
Parameters
vlan_ID
The number that’s assigned to this VLAN. Valid VLAN ID numbers are in the range [1-4095].
NIC
The NIC that will support this VLAN.
Example
WS5000.(Cfg).EtherPolicy.[LabEtherPolicy]> add 200 1
Adding VLAN...
Status : Success.
Ether Policy Name    : LabEtherPolicy
Description          :
Rest of Network on   : Ethernet 2
VLANs mapped are:
LAN2                 --> Ethernet: 2
VLAN 200             --> Ethernet: 1
ID        Interface   Priority  # of WLANs  Ethernet Policy
--        ---------   --------  ----------  ---------------
VLAN 200  Ethernet 1  0         0           LabEtherPolicy
WS5000.(Cfg).EtherPolicy.[LabEtherPolicy].Vlan.[200]>
8.30.2 add tunnel
Ethernet Policy Instance
Creates/adds a GRE tunnel to this Ethernet policy instance.
Syntax
addtunnel <tunnel_name>
Parameters
tunnel_name
Placeholder for the name of one of the existing GRE tunnels.
Example
WS5000.(Cfg).EtherPolicy.[tunnelEP]> addtunnel tunnel4
Adding Tunnel...
Status : Success.
Ether Policy Name    : tunnelEP
Description          :
Rest of Network on   : Ethernet 2
VLANs mapped are:
LAN1                 --> Ethernet: 1
LAN2                 --> Ethernet: 2
TUNNEL 1             --> Ethernet: 2
TUNNEL 3             --> Ethernet: 2
TUNNEL 4             --> Ethernet: 2
Tunnel   Interface   Priority  # of WLANs  Ethernet Policy
------   ---------   --------  ----------  ---------------
tunnel4  Ethernet 2  0         0           tunnelEP
WS5000.(Cfg).EtherPolicy.[tunnelEP].Tunnel.[tunnel4]>
8.30.3 remove
Ethernet Policy Instance
Removes a VLAN from this Ethernet Policy instance.
Syntax
remove <vlan_id>
Parameters
vlan_id
The ID number of the VLAN that’s to be removed. For a list of VLAN IDs, invoke
show vlan.
Example
WS5000.(Cfg).EtherPolicy.[LabEtherPolicy]> remove LAN2
Ether Policy Name    : LabEtherPolicy
Description          :
Rest of Network on   : Ethernet 2
VLANs mapped are:
WS5000.(Cfg).EtherPolicy.[LabEtherPolicy]>
8.30.4 remove tunnel
Removes the Tunnel from the EtherPolicy.
Syntax
removetunnel <tunnel_name>
Parameters
tunnel_name
Placeholder for the name of the existing GRE tunnel that you want to remove from the Ethernet policy.
Example
WS5000.(Cfg).EtherPolicy.[tunnelEP]> removetunnel tunnel4
Removing Tunnel...
Status : Success.
Ether Policy Name    : tunnelEP
Description          :
Rest of Network on   : Ethernet 2
VLANs mapped are:
LAN1                 --> Ethernet: 1
LAN2                 --> Ethernet: 2
TUNNEL 1             --> Ethernet: 2
TUNNEL 3             --> Ethernet: 2
WS5000.(Cfg).EtherPolicy.[tunnelEP]>
8.30.5 set
Ethernet Policy Instance
Configure attributes of the Ethernet Policy instance.
Syntax
set <attribute> <value>
Parameters
attribute
Description
ronnic <Ethernet_Port#>
Sets the “rest of the network” NIC. This is the NIC that connects the switch to the wired
network. Possible values are:
• 1 – Ethernet port 1
• 2 – Ethernet port 2
description <text_string>
Adds a description string to the Ethernet Policy instance.
Example
WS5000.(Cfg).EtherPolicy.[LabEtherPolicy]> show
Ether Policy Name    : LabEtherPolicy
Description          :
Rest of Network on   : Ethernet 2
VLANs mapped are:
LAN2                 --> Ethernet: 2
WS5000.(Cfg).EtherPolicy.[LabEtherPolicy]> set ronnic 1
Ether Policy Name    : LabEtherPolicy
Description          :
Rest of Network on   : Ethernet 1
VLANs mapped are:
LAN2                 --> Ethernet: 2
WS5000.(Cfg).EtherPolicy.[LabEtherPolicy]> description "Created 3-8-05"
Ether Policy Name    : LabEtherPolicy
Description          : Created 3-8-05
Rest of Network on   : Ethernet 1
VLANs mapped are:
LAN2                 --> Ethernet: 2
WS5000.(Cfg).EtherPolicy.[LabEtherPolicy]>
8.30.6 show
Ethernet Policy Instance
Display Ethernet Policy details.
Syntax
show
Parameters
None.
Example
WS5000.(Cfg).EtherPolicy.[LabEtherPolicy]> show
Ether Policy Name    : LabEtherPolicy
Description          :
Rest of Network on   : Ethernet 2
VLANs mapped are:
LAN2                 --> Ethernet: 2
WS5000.(Cfg).EtherPolicy.[LabEtherPolicy]>
8.30.7 tunnel
Use this to configure a tunnel.
Syntax
tunnel <tunnel_name>
Parameters
tunnel_name
Placeholder for the name of the existing GRE tunnel that you want to configure.
Example
WS5000.(Cfg).EtherPolicy.[tunnelEP]> tunnel tunnel3
Tunnel   Interface   Priority  # of WLANs  Ethernet Policy
------   ---------   --------  ----------  ---------------
tunnel3  Ethernet 2  0         0           tunnelEP
WS5000.(Cfg).EtherPolicy.[tunnelEP].Tunnel.[tunnel3]>
8.30.8 vlan
Ethernet Policy Instance
Changes the prompt to the context of the VLAN identified by VLAN ID.
Syntax
vlan <vlan_ID>
Parameters
vlan_ID
The ID of the VLAN. For a list of VLAN IDs, invoke show vlan.
Example
WS5000.(Cfg).EtherPolicy.[LabEtherPolicy]> vlan 200
Adding VLAN...
Status : Success.
Ether Policy Name    : LabEtherPolicy
Description          :
Rest of Network on   : Ethernet 2
VLANs mapped are:
LAN2                 --> Ethernet: 2
VLAN 200             --> Ethernet: 1
ID        Interface   Priority  # of WLANs  Ethernet Policy
--        ---------   --------  ----------  ---------------
VLAN 200  Ethernet 1  0         0           LabEtherPolicy
WS5000.(Cfg).EtherPolicy.[LabEtherPolicy].Vlan.[200]>
8.31 Event Context
The Event context provides a place to configure notifications and severities of system events.
Table 8.36 summarizes the commands within this context. Common commands between multiple contexts are
described in further detail in the Common Commands section.
Table 8.36 Event Context Command Summary
Command         Description                                                              Ref.
.. or end       Terminate a current session and move up a context, hierarchically.       page 8-7
exit            Terminate a current session and return to the “root” prompt.             page 8-7
? or help       Get the command information.                                             page 8-7
logout or bye   Close this session.                                                      page 8-8
clear           Clear the screen.                                                        page 8-8
emergencymode   Enable or disable Emergency mode.                                        page 8-8
ping            Sends ICMP ECHO_REQUEST packets to a network host.                       page 8-9
set             Configuration option to configure notifications and severities for       page 8-186
                events sent to the Syslog.
syslog          Changes the prompt to the Syslog context.                                page 8-187
show            Display available system events, and notification settings for various   page 8-187
                system logs.
8.31.1 set
Event Context
Provides event notification and event severity configurations for events sent to the Syslog.
Syntax
set <event> <target> <<enable | severity> | disable>
set all <localLog | snmpTrap | syslog> <<enable | severity> | disable>
set all default
Parameters
event
Describes the event that you’re interested in. Either all or a number in the range [1,
69]. Use the show command for a list of available events.
target
The recipient of the events. One of localLog, snmpTrap, syslog, or all.
enable, disable
Enables and disables recording of the event. If your target is syslog, then you can
pass a severity value rather than simply enabling the event.
severity
Events that are sent to the Syslog are tagged with a severity, one of emerg(ency),
alert, crit(ical), err(or), info, notice, and warning. If you enable an event
without a severity, it assumes a default severity setting.
all <localLog | snmpTrap | syslog>
The first set all form of the command lets you send or repress all events to/from the
specified target.
all default
This form of the command resets all events to their factory defaults.
8.31.2 syslog
Event Context
Changes the prompt to the Syslog Context. See page 8-189 for more details.
8.31.3 show
Event Context
Display available system events, and notification settings in terms of the following logging:
• Local log – Events are recorded in a local log file. You can dump the log file to the screen through show
sysAlerts in the System or Configuration context.
• SNMP Traps – You can ask to have an SNMP trap thrown when a specific event occurs.
• Syslog – The Syslog is a remote event-recording server. You have to set up the server yourself and
identify the server’s host.
Syntax
show
Parameters
None.
Example
WS5000.(Cfg)> show
Num  Events                                  Local Log SNMP Trap Syslog Severity
---  ------                                  --------- --------- ---------------
1    License number change                   Enabled   Disabled  Disabled
2    Clock change                            Enabled   Disabled  Disabled
3    Packet discard [wrong NIC]              Enabled   Disabled  Disabled
4    Packet discard [wrong VLAN]             Enabled   Disabled  Disabled
5    AP adopt failure [general]              Enabled   Enabled   Disabled
6    AP adopt failure [policy disallow]      Enabled   Enabled   Disabled
7    AP adopt failure [acl disallow]         Enabled   Enabled   Disabled
8    AP adopt failure [limit exceeded]       Enabled   Enabled   Disabled
9    AP adopt failure [license disallow]     Enabled   Enabled   Disabled
10   AP adopt failure [no image]             Enabled   Enabled   Disabled
11   AP status [offline]                     Enabled   Enabled   Disabled
12   AP status [alert]                       Enabled   Enabled   Disabled
13   AP status [adopted]                     Enabled   Enabled   Disabled
14   AP status [reset]                       Enabled   Enabled   Disabled
15   AP config failed [no ESS]               Enabled   Enabled   Disabled
16   AP max MU count reached                 Enabled   Enabled   Disabled
17   AP detected                             Enabled   Disabled  Disabled
18   Device msg dropped [info]               Enabled   Enabled   Disabled
19   Device msg dropped [loadme]             Enabled   Enabled   Disabled
20   Ether port connected                    Enabled   Enabled   Disabled
21   Ether port disconnected                 Enabled   Enabled   Disabled
22   MU assoc failed [ACL violation]         Enabled   Enabled   Disabled
23   MU assoc failed                         Enabled   Enabled   Disabled
24   MU status [associated]                  Enabled   Enabled   Disabled
25   MU status [roamed]                      Enabled   Enabled   Disabled
26   MU status [disassociated]               Enabled   Enabled   Disabled
27   MU EAP auth failed                      Enabled   Enabled   Disabled
28   MU EAP auth success                     Enabled   Enabled   Disabled
29   MU Kerberos auth failed                 Enabled   Enabled   Disabled
30   MU Kerberos auth success                Enabled   Enabled   Disabled
31   MU TKIP [decrypt failure]               Enabled   Enabled   Disabled
32   MU TKIP [replay failure]                Enabled   Enabled   Disabled
33   MU TKIP [MIC error]                     Enabled   Enabled   Disabled
34   WLAN auth success                       Enabled   Disabled  Disabled
35   WLAN auth failed                        Enabled   Enabled   Disabled
36   WLAN max MU count reached               Enabled   Enabled   Disabled
37   Mgt user auth failed [radius]           Disabled  Disabled  Disabled
38   Mgt user auth rejected                  Disabled  Disabled  Disabled
39   Mgt user auth success [radius]          Enabled   Disabled  Disabled
40   Radius server timeout                   Enabled   Enabled   Disabled
41   KDC user [added]                        Enabled   Disabled  Disabled
42   KDC user [changed]                      Enabled   Disabled  Disabled
43   KDC user [deleted]                      Enabled   Disabled  Disabled
44   KDC DB replaced                         Enabled   Enabled   Disabled
45   KDC propagation failure                 Enabled   Enabled   Disabled
46   WPA counter-measures [active]           Enabled   Enabled   Disabled
47   Primary lost heartbeat                  Enabled   Disabled  Disabled
48   Standby active                          Enabled   Enabled   Disabled
49   Primary internal failure [reset]        Enabled   Disabled  Disabled
50   Standby internal failure [reset]        Enabled   Disabled  Disabled
51   Standby auto-revert                     Enabled   Enabled   Disabled
52   Primary auto-revert                     Enabled   Enabled   Disabled
53   Auto channel select error               Enabled   Enabled   Disabled
54   Emergency Policy [active]               Enabled   Enabled   Disabled
55   Emergency Policy [deactivated]          Enabled   Enabled   Disabled
56   Low flash space on switch               Enabled   Enabled   Disabled
57   Miscellaneous debug events              Disabled  Disabled  Disabled
58   HSB Starts Up                           Enabled   Disabled  Disabled
59   HSB Peer Connect                        Enabled   Disabled  Disabled
60   CPU/SYS Temp Notification               Enabled   Enabled   Disabled
61   Access Changed Notification             Enabled   Disabled  Disabled
62   Radio power is reduced [TPC]            Enabled   Disabled  Disabled
63   Radar is detected [DFS]                 Enabled   Disabled  Disabled
64   Channel selected to avoid radar [DFS]   Enabled   Disabled  Disabled
65   Switch to new channel [DFS]             Enabled   Disabled  Disabled
66   Revert back to original channel [DFS]   Enabled   Disabled  Disabled
67   Radio is suspended                      Enabled   Disabled  Disabled
68   Radio is resumed                        Enabled   Disabled  Disabled
69   Radio is moved to random channel        Enabled   Disabled  Disabled
70   A new rogue AP is detected              Enabled   Disabled  Disabled
71   A new approved AP is detected           Enabled   Disabled  Disabled
72   WVPN certificate anomalies              Enabled   Disabled  Disabled
73   WVPN Config/connection changes          Enabled   Disabled  Disabled
74   RADIUS Accounting Log                   Disabled  Disabled  Disabled
75   RADIUS Server Status                    Enabled   Disabled  Disabled
76   Switch configuration changed            Disabled  Disabled  Disabled
77   Tunnel Status change                    Enabled   Disabled  Disabled
78   NON IP packet received on Tunnel        Enabled   Disabled  Disabled
79   RF Stats threshold crossed by a Portal  Enabled   Disabled  Disabled
80   RF Stats threshold crossed by a MU      Enabled   Disabled  Disabled
81   RF Stats threshold crossed by a WLAN    Enabled   Disabled  Disabled
82   RF Stats threshold crossed by Switch    Enabled   Disabled  Disabled
83   AP is converted to sensor               Enabled   Disabled  Disabled
84   Sensor is reverted back to AP           Enabled   Disabled  Disabled
85   Failed to communicate to a sensor       Enabled   Disabled  Disabled
86   Sensor is no longer responding to ping  Enabled   Disabled  Disabled
WS5000.(Cfg).Event>
8.32 Syslog Context
The Syslog context is a subcontext of Event. The commands in the Syslog context let you configure and control
the remote and local event logging system. The remote service sends system logging information to a remote
host, which must have a message logging daemon running. The remote host is set through the add command.
To tailor the types of messages that are sent to the syslog, use the set command. The local file is saved under
/WS5000 Switch/Userlogs/admin (if admin is the user).
All syslog messages are in RFC 3164 message format.
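Added example (not part of the Symbol manual): because the switch emits RFC 3164 messages, a collector can decode each message's PRI field back into the severity keywords used by the set command and flag packets that do not follow the format. The sample lines, the ws5000 host name and the local0 facility are constructed assumptions; the message texts reuse event names from the Event context list.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Standard syslog severity numbers 0-7, using the keywords that the
# Syslog context "set" command lists for its severity_level argument.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# PRI is "<" + 1-3 digits + ">"; a leading zero is only legal for "<0>".
PRI_RE = re.compile(r"^<(0|[1-9]\d{0,2})>")
# HEADER is "Mmm dd hh:mm:ss HOSTNAME "; single-digit days are space padded.
HEADER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<msg>.*)$"
)


@dataclass
class SyslogRecord:
    facility: int
    severity: str
    timestamp: Optional[str]
    host: Optional[str]
    message: str
    well_formed: bool


def parse_rfc3164(line: str) -> SyslogRecord:
    """Decode one RFC 3164 datagram payload into its parts."""
    pri_match = PRI_RE.match(line)
    if pri_match is None or int(pri_match.group(1)) > 191:
        # No usable PRI: RFC 3164 section 4.3.3 has a relay assume
        # priority 13 (facility 1, severity notice) and keep the whole
        # packet as the message.
        return SyslogRecord(1, "notice", None, None, line, False)

    pri = int(pri_match.group(1))
    facility, severity = pri >> 3, SEVERITIES[pri & 7]
    rest = line[pri_match.end():]
    header = HEADER_RE.match(rest)
    if header is None:
        # Valid PRI but no TIMESTAMP/HOSTNAME: keep the priority and
        # flag the record so the collector can stamp it itself.
        return SyslogRecord(facility, severity, None, None, rest, False)
    return SyslogRecord(facility, severity, header.group("ts"),
                        header.group("host"), header.group("msg"), True)


def triage(lines: List[str],
           threshold: str = "warning") -> Tuple[List[SyslogRecord], List[SyslogRecord]]:
    """Return (records at or above `threshold`, records that were malformed)."""
    limit = SEVERITIES.index(threshold)
    records = [parse_rfc3164(line) for line in lines]
    urgent = [r for r in records if SEVERITIES.index(r.severity) <= limit]
    malformed = [r for r in records if not r.well_formed]
    return urgent, malformed


# Constructed sample input: host name, facility (local0 = 16) and message
# bodies are invented for illustration, not captured from a switch.
SAMPLE = [
    "<129>Feb 23 03:14:13 ws5000 MU EAP auth failed",      # local0.alert
    "<134>Feb 23 03:14:15 ws5000 Ether port connected",    # local0.info
    "<131>Feb  3 03:15:02 ws5000 Radius server timeout",   # local0.err
    "<00>no header here",                                  # unidentifiable PRI
    "<132>Switch configuration changed",                   # PRI only, no header
    "plain text without PRI",                              # no PRI at all
]

if __name__ == "__main__":
    urgent, malformed = triage(SAMPLE)
    for rec in urgent:
        print(f"{rec.severity:8} {rec.host or '-':8} {rec.message}")
    print(f"{len(malformed)} malformed message(s) need review")
```

Malformed records are returned separately so that a collector can alert on them instead of silently dropping input that does not match the expected format.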
Table 8.37 summarizes the commands within this context. Common commands between multiple contexts are
described in further detail in the Common Commands section.
Table 8.37 Syslog Context Command Summary
Command         Description                                                              Ref.
.. or end       Terminate a current session and move up a context, hierarchically.       page 8-7
exit            Terminate a current session and return to the “root” prompt.             page 8-7
? or help       Get the command information.                                             page 8-7
logout or bye   Close this session.                                                      page 8-8
add             Add a new host to the system.                                            page 8-189
clear           Clear the screen.                                                        page 8-8
emergencymode   Enable or disable Emergency mode.                                        page 8-8
local           Enables you to debug logs stored locally.                                page 8-190
logdir          Display the user saved log files.                                        page 8-190
logsubsys       Selects the subsystem to be sent to the remote syslog server.            page 8-191
ping            Sends ICMP ECHO_REQUEST packets to a network host.                       page 8-9
purgelocal      Purge the local syslog contents from memory.                             page 8-192
remlocal        Deletes the specified local syslog file.                                 page 8-193
remove          Remove the syslog host.                                                  page 8-193
save local      Save local syslog in a file.                                             page 8-194
set             Set syslog host severity level.                                          page 8-194
show            Display available classifier instance details.                           page 8-196
start           Start syslog service.                                                    page 8-196
stop            Stop syslog service.                                                     page 8-197
8.32.1 add
Syslog Context
Add a new host to the system.
Syntax
add <host_name> <IP_address> [domain]
Parameters
host_name
Gives a (local) name to the host.
IP_address
IP address of the remote host.
domain
Optional domain name of the remote host.
Example
WS5000.(Cfg).Event.Syslog> add SFhost 111.222.111.32 domain1
Adding Host...
Status: Success.
Host Name   IP Address       Domain
---------   ----------       ------
SFhost      111.222.111.32   domain1
WS5000.(Cfg).Event.Syslog>
8.32.2 local
Syslog Context
Stores the debug logs locally and maintains a ring buffer of debug logs.
To save the logs to a file use the command:
save local <filename>
To view the logs use the command:
view local <filename>
To delete a saved log file use the command:
remlocal <filename>
Syntax
local <enable | disable>
Parameters
enable/disable
Enable/disable the local syslog.
Example
WS5000.(Cfg).Event.Syslog> local enable
Local Syslog enabled
WS5000.(Cfg).Event.Syslog>
8.32.3 logdir
Syslog Context
This command displays the contents of all directories (one directory for each user) under /WS5000
Switch/Userlogs/, where the local log files are saved with a .syslog extension.
Syntax
logdir
logdir <username>
Parameters
username
A user of the switch as configured in cfg>user context.
Example
WS5000.(Cfg).Event.Syslog> logdir
File Name             Bytes   Date & time
========================================================
SymbolLocal.syslog    34      Thu Feb 23 03:14:13 2006
WS5000.(Cfg).Event.Syslog>
8.32.4 logsubsys
Syslog Context
Selects the subsystem logs (used for debugging) to be sent to the remote syslog server. These logs are different
from Event logs.
Syntax
logsubsys [<subsys>] enable | disable
The following subsys are available for logsubsys:
logsubsys general
logsubsys threads
logsubsys packets
logsubsys corba
logsubsys sharedmem
logsubsys rfimage
logsubsys rfport
logsubsys mu
logsubsys ess
logsubsys xmlcfg
logsubsys policy
logsubsys vlan
logsubsys ether
logsubsys QoS
logsubsys stats
logsubsys database
logsubsys snmp
logsubsys security
logsubsys DebugEvents
logsubsys driver
Parameters
subsys
Use any of the above mentioned subsys.
enable/disable
Enable or disable the selected subsys.
Example
WS5000.(Cfg).Event.Syslog> logsubsys driver enable
Success!! Subsystems Enabled:
Subsystems saved: driver
driver
enable
WS5000.(Cfg).Event.Syslog>
8.32.5 ping
Syslog Context
Ping is used to send ICMP ECHO_REQUEST packets to network hosts.
Syntax
ping <host/ip_address>
Options:
ping [-Rdfnqrv] [-c count] [-i wait] [-l preload]
[-p pattern] [-s packetsize] host
Parameters
host
Name of the host you want to ping.
ip_address
IP address of the host you want to ping.
Example
WS5000.(Cfg)> ping 157.235.208.70
PING 157.235.208.70 (157.235.208.70) from 157.235.208.137 : 56(84) bytes of data.
64 bytes from 157.235.208.70: icmp_seq=1 ttl=128 time=0.637 ms
64 bytes from 157.235.208.70: icmp_seq=2 ttl=128 time=0.318 ms
64 bytes from 157.235.208.70: icmp_seq=3 ttl=128 time=0.303 ms
64 bytes from 157.235.208.70: icmp_seq=4 ttl=128 time=0.296 ms
--- 157.235.208.70 ping statistics ---
4 packets transmitted, 4 received, 0% loss, time 2997ms
rtt min/avg/max/mdev = 0.296/0.388/0.637/0.145 ms
WS5000.(Cfg)> ping
8.32.6 purgelocal
Syslog Context
This command clears the local syslog memory.
Syntax
purgelocal
Parameters
None
Example
WS5000.(Cfg).Event.Syslog> purgelocal
Clearing local syslog memory...done.
WS5000.(Cfg).Event.Syslog>
8.32.7 remlocal
Syslog Context
This command deletes the specified local syslog file. Use 'logdir' to view the list of previously saved local
syslog files.
Syntax
remlocal <file_name>
Parameters
file_name
The log file that you want to delete.
Example
WS5000.(Cfg).Event.Syslog> remlocal SymbolLocal
Removing local syslog file SymbolLocal.... done.
WS5000.(Cfg).Event.Syslog>
8.32.8 remove
Syslog Context
Remove a syslog host.
Syntax
remove <name>
Parameters
name
The name of the syslog host, as assigned in the add command.
Example
WS5000.(Cfg).Host> show
Host Name   IP Address       Domain
---------   ----------       ------
SFhost      111.222.111.32   domain1
WS5000.(Cfg).Host>
8.32.9 save local
Syslog Context
Saves the local syslog in the specified file.
Syntax
save local <file_name>
Parameters
file_name
The name of the local log file without the .syslog extension.
Example
WS5000.(Cfg).Event.Syslog> save local SymbolLocal
Saving local syslog...done
WS5000.(Cfg).Event.Syslog>
8.32.10 set
Syslog Context
Set the types of messages that are sent to the syslog.
Syntax
set <host> <severity> <send_flag>
Parameters
host
The name of the syslog host.
severity
Specifies a type of message tracked to be sent to the syslog. Possible values are:
• emerg – emergency messages
• alert
• crit – critical messages
• err – error messages
• info – information only messages
• notice
• warning
• all – all messages of all types
send_flag
Indicates whether messages are sent to the syslog or not. Possible values are:
• enable – messages of the specified type are sent to the syslog
• disable – messages are not sent to the syslog
Example
WS5000.(Cfg).Event.Syslog> set
Enter the host_name
set:
Set syslog host severity level values.
Syntax: set <host_name> <severity_level> <enable/disable> [CR]
severity_level:
emerg     Enable or disable   Severity level Emergency.
alert     Enable or disable   Severity level Alert.
crit      Enable or disable   Severity level Critical.
err       Enable or disable   Severity level Error.
warning   Enable or disable   Severity level Warning.
notice    Enable or disable   Severity level Notice.
info      Enable or disable   Severity level Info.
debug     Enable or disable   Severity level Debug.
all       Enable or disable   all the Severity levels.
Incomplete command... use '?' for help.... exiting...
WS5000.(Cfg).Event.Syslog>
WS5000.(Cfg).Event.Syslog> set SFhost alert enable
Changing severity level...
Status: Success.
Syslog Status: Enable (Syslog Deamon is Running).
Host     emerg  alert  crit  err  warning  notice  info  debug
----     -----  -----  ----  ---  -------  ------  ----  -----
SFhost          x
WS5000.(Cfg).Event.Syslog> set SFhost warning enable
Changing severity level...
Status: Success.
Syslog Status: Enable (Syslog Deamon is Running).
Host     emerg  alert  crit  err  warning  notice  info  debug
----     -----  -----  ----  ---  -------  ------  ----  -----
SFhost          x                 x
WS5000.(Cfg).Event.Syslog> set SFhost crit enable
Changing severity level...
Status: Success.
Syslog Status: Enable (Syslog Deamon is Running).
Host     emerg  alert  crit  err  warning  notice  info  debug
----     -----  -----  ----  ---  -------  ------  ----  -----
SFhost          x      x          x
WS5000.(Cfg).Event.Syslog> set SFhost err enable
Changing severity level...
Status: Success.
Syslog Status: Enable (Syslog Deamon is Running).
Host     emerg  alert  crit  err  warning  notice  info  debug
----     -----  -----  ----  ---  -------  ------  ----  -----
SFhost          x      x     x    x
WS5000.(Cfg).Event.Syslog>
8.32.11 show
Syslog Context
Display information about the syslog service.
Syntax
show
Parameters
None.
Example
WS5000.(Cfg).Event.Syslog> show
Syslog Status: Enable (Syslog Deamon is Running).
Host     emerg  alert  crit  err  warning  notice  info  debug
----     -----  -----  ----  ---  -------  ------  ----  -----
SFhost          x      x     x    x
WS5000.(Cfg).Event.Syslog>
WS5000.(Cfg).Event.Syslog> set SFhost all disable
Success.
Syslog Status: Enable (Syslog Deamon is Running).
Host     emerg  alert  crit  err  warning  notice  info  debug
----     -----  -----  ----  ---  -------  ------  ----  -----
No Syslog hosts are defined in the switch.
WS5000.(Cfg).Event.Syslog> show
Syslog Status: Enable (Syslog Deamon is Running).
Host     emerg  alert  crit  err  warning  notice  info  debug
----     -----  -----  ----  ---  -------  ------  ----  -----
No Syslog hosts are defined in the switch.
WS5000.(Cfg).Event.Syslog>
8.32.12 start
Syslog Context
Starts the syslog service.
Syntax
syslog
Parameters
None.
Example
WS5000.(Cfg).Event.Syslog> start
Status: Success.
Syslog Status: Enable (Syslog Deamon is Running).
Host     emerg  alert  crit  err  warning  notice  info  debug
----     -----  -----  ----  ---  -------  ------  ----  -----
SFhost   x      x      x     x    x        x       x     x
WS5000.(Cfg).Event.Syslog>
8.32.13 stop
Syslog Context
Stops the syslog service.
Syntax
stop
Parameters
None.
Example
WS5000.(Cfg).Event.Syslog> stop
Status: Success.
Syslog Status: Disable (Syslog Deamon is not running).
Host     emerg  alert  crit  err  warning  notice  info  debug
----     -----  -----  ----  ---  -------  ------  ----  -----
SFhost   x      x      x     x    x        x       x     x
WS5000.(Cfg).Event.Syslog>
8.33 FTP Context
Table 8.38 summarizes the commands within this context. Common commands between multiple contexts are
described in further detail in the Common Commands section.
Table 8.38 FTP Context Command Summary
Command         Description                                                              Ref.
.. or end       Terminate a current session and move up a context, hierarchically.       page 8-7
exit            Terminate a current session and return to the “root” prompt.             page 8-7
? or help       Get the command information.                                             page 8-7
logout or bye   Close this session.                                                      page 8-8
clear           Clear the screen.                                                        page 8-8
emergencymode   Enable or disable Emergency mode.                                        page 8-8
enable          Enable FTP.                                                              page 8-198
disable         Disable FTP.                                                             page 8-198
show            Display available classifier instance details.                           page 8-199
8.33.1 enable
FTP Context
Enables the FTP server.
Syntax
enable
Parameters
None.
Example
WS5000.(Cfg).FTP> enable
Enabling...
Status : Success.
FTP Status: Active.
WS5000.(Cfg).FTP>
8.33.2 disable
FTP Context
Disables the FTP server.
Syntax
disable
Parameters
None.
Example
WS5000.(Cfg).FTP> disable
Disabling...
Status : Success.
FTP Status: Disabled.
WS5000.(Cfg).FTP>
8.33.3 show
FTP Context
Display the state of the FTP server.
Syntax
show
Parameters
None.
Example
WS5000.(Cfg).FTP> show
FTP Status: Active.
WS5000.(Cfg).FTP>
8.34 FW (Firewall) Context
Firewall is used to configure a LAN for traffic filtering. You need to first enable the VPN support to enter the
firewall context. You need to first create an NP and then add it to an existing LAN in the firewall context.
Table 8.39 summarizes the commands within this context. Common commands between multiple contexts are
described in further detail in the Common Commands section.
Table 8.39 Firewall Context Command Summary
Command         Description                                                              Ref.
.. or end       Terminate a current session and move up a context, hierarchically.       page 8-7
exit            Terminate a current session and return to the “root” prompt.             page 8-7
? or help       Get the command information.                                             page 8-7
logout or bye   Close this session.                                                      page 8-8
add             Add a new LAN to the system.                                             page 8-200
addnat          Add a new NAT entry to a LAN.                                            page 8-201
addnp           Add a new NP entry to a LAN.                                             page 8-202
addpf           Add a new Pf to a LAN.                                                   page 8-203
clear           Clear the screen.                                                        page 8-8
lan             Select a LAN to configure.                                               page 8-204
remove          Remove a LAN from the system.                                            page 8-204
show            Display context specific attributes.                                     page 8-205
8.34.1 add
FW (Firewall) Context
This command is used to add a new LAN to the system.
Syntax
add <lan_name>
Parameters
lan_name
Name of the LAN that you wish to add to the system.
Example
WS5000.(Cfg).Fw> add testLAN
Adding LAN...
Status: Success.
LAN information:
Available LANs:
1. LAN1
2. LAN2
3. LAN_VPN
4. testLAN
LAN information:
LAN details...
Name        : testLAN
Description :
ep          :
np          :
allow       : https http telnet ftp
deny        :
NAT list:
WS5000.(Cfg).Fw.[testLAN]>
8.34.2 addnat
FW (Firewall) Context
This command is used to add a NAT (Network Address Translation) entry to a specific LAN or LAN + VLAN
combination.
Syntax
addnat <"remoteRealIp,localNatIp"> <lan_name> [vlanid]
Parameters
remoteRealIp
This is the real IP address of the remote end.
localNatIp
This is the IP address of the remote device as seen by the device across the WS5000 switch.
lan_name
The LAN to which this NAT entry should be added. Can be one of LAN 1, LAN 2 or LAN_VPN.
vlanid
An optional VLAN ID.
Example
WS5000.(Cfg).Fw> addnat "1.2.3.4,10.2.3.4" LAN1
Addng a NAT entry to a LAN...
Status: Success.
LAN information:
Available LANs:
1. LAN1
2. LAN2
3. LAN_VPN
WS5000.(Cfg).Fw> 1
LAN information:
LAN details...
Name        : LAN1
Description : Public LAN
ep          : 1
np          :
allow       : https http telnet ftp
deny        :
NAT list:
1: 1.2.3.4,10.2.3.4
WS5000.(Cfg).Fw.[LAN1]>
8.34.3 addnp
FW (Firewall) Context
This command is used to add a new NP (network policy) to the system.
Syntax
addnp <lan_name> <NP>
Enter remove to delete the existing NP.
Parameters
lan_name
The LAN to which this network policy should be added. Can be one of LAN 1, LAN 2 or LAN_VPN.
NP
The network policy name.
Example
WS5000.(Cfg)> np
Network Policy information
Available Network Policies:
1. Default Network Policy.
2. NetVision_VoIP_Priority.
3. Spectralink Network Policy.
WS5000.(Cfg).NP> add TestNP
Adding Network Policy...
Status: Success.
Network Policy information
Available Network Policies:
1. Default Network Policy.
2. NetVision_VoIP_Priority.
3. Spectralink Network Policy.
4. TestNP.
Network Policy information
Network Policy Name         : TestNP
Policy Description          :
Outbound Policy Object name :
Inbound Policy Object name  :
WS5000.(Cfg).NP.[TestNP]>
WS5000.(Cfg)> fw
LAN information:
Available LANs:
1. LAN1
2. LAN2
3. LAN_VPN
WS5000.(Cfg).Fw> addnp LAN2 TestNP
Addng a NP (network policy) entry to a LAN...
Status: Success.
LAN information:
Available LANs:
1. LAN1
2. LAN2
3. LAN_VPN
WS5000.(Cfg).Fw> lan 2
LAN information:
LAN details...
Name        : LAN2
Description : Private LAN
ep          : 2
np          : TestNP
allow       : https http telnet ftp
deny        :
NAT list:
WS5000.(Cfg).Fw.[LAN2]>
8.34.4 addpf
FW (Firewall) Context
This command is used to add a PF (port filter) to the system.
Syntax
addpf <lan_name> <allow/deny> <web/telnet/ftp>
Parameters
lan_name
The LAN to which this port filter should be added. Can be one of LAN 1, LAN 2 or LAN_VPN.
allow/deny
Allows or denies traffic to the specified port to the system.
web/telnet/ftp
Port to be allowed or denied.
Example
WS5000.(Cfg).Fw> addpf LAN1 allow telnet
Addng a PF (Port Filter) to a LAN...
Status: Success.
LAN information:
Available LANs:
1. LAN1
2. LAN2
3. LAN_VPN
WS5000.(Cfg).Fw>
8.34.5 lan
FW (Firewall) Context
Use this command to select a LAN to configure.
Syntax
lan <lan_name>
Parameters
lan_name
LAN which is to be configured. Could be one of LAN 1 or LAN 2 or LAN_VPN.
Example
WS5000.(Cfg).Fw> lan LAN1
LAN information:
LAN details...
Name        : LAN1
Description : Public LAN
ep          : 1
np          :
allow       : https http telnet ftp
deny        :
NAT list:
1: 1.2.3.4,10.2.3.4
WS5000.(Cfg).Fw.[LAN1]>
8.34.6 remove
FW (Firewall) Context
This command is used to remove a LAN from the system.
Syntax
remove <lan_name>
Parameters
lan_name
LAN which is to be removed.
Example
WS5000.(Cfg).Fw> remove testLAN
Removing LAN...
Status: Success.
LAN information:
Available LANs:
1. LAN1
2. LAN2
3. LAN_VPN
4. lan
WS5000.(Cfg).Fw>
8.34.7 show
FW (Firewall) Context
This command is used to display the ACL information, security policy details, LAN details and other context
specific attributes.
Syntax
show acl
show securitypolicy
show
show lan
Parameters
acl
Display ACL information
securitypolicy
Display security policy details
lan
Display LAN details
Example
WS5000.(Cfg).Fw> show acl
Available ACLs:
1. testACL.
WS5000.(Cfg).Fw>
WS5000.(Cfg).Fw> show securitypolicy
Available Security Policies:
1. Kerberos Default.
2. Default.
3. WEP40 Default.
4. WEP128 Default.
WS5000.(Cfg).Fw>
WS5000.(Cfg).Fw> show lan
LAN information:
Available LANs:
1. LAN1
2. LAN2
3. LAN_VPN
4. lan
WS5000.(Cfg).Fw>
8.35 FW Instance
Table 8.40 Firewall Instance Command Summary
Command        Description                                                          Ref.
.. or end      Terminate a current session and moves up a context, hierarchically.  page 8-7
exit           Terminate a current session and returns to the “root” prompt.        page 8-7
? or help      Get the command information.                                         page 8-7
logout or bye  Close this session.                                                  page 8-8
clear          Clear the screen.                                                    page 8-8
description    Set description text.                                                page 8-15
set            Configure the LAN.                                                   page 8-207
show           Display context specific attributes.                                 page 8-208
8.35.1 set
FW Instance
This command is used to configure LAN parameters.
Syntax
set <config_parameter> <parameter_value>
Parameters
description
Set the LAN description text.
ep
Set the ethernet port.
np
Set the network policy.
addnat
Add a NAT entry "remoteRealIp,localNatIp"
addrange
Add range of NAT entries "remoteRealIp,localNatIp,num"
delnat
Delete a NAT entry "remoteRealIp,localNatIp"
delrange
Delete range of NAT entries "remoteRealIp,localNatIp,num"
allow
Allow management traffic "http|https|telnet|ftp"
deny
Deny management traffic "http|https|telnet|ftp"
Example
WS5000.(Cfg).Fw.[LAN1]> set np "Default Network Policy"
Configuring a LAN...
Status: Success.
LAN information:
LAN details...
Name        : LAN1
Description : Public LAN
ep          : 1
np          : Default Network Policy
allow       : https http telnet ftp
deny        :
NAT list:
1: 1.2.3.4,10.2.3.4
WS5000.(Cfg).Fw.[LAN1]>
8.35.2 show
FW Instance
This command is used to display the firewall's LAN information.
Syntax
show
Parameters
None
Example
WS5000.(Cfg).Fw.[LAN1]> show
LAN information:
LAN details...
Name        : LAN1
Description : Public LAN
ep          :
np          : Default Network Policy
allow       : https http telnet ftp
deny        :
NAT list:
1: 1.2.3.4,10.2.3.4
WS5000.(Cfg).Fw.[LAN1]>
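The allow and deny fields in the LAN details output decide which management protocols the switch accepts on a LAN, and every example in this section shows https http telnet ftp allowed with nothing denied. The following Python example is added here and is not part of the Symbol guide: it parses captured LAN details output and lists the LANs where cleartext management protocols are still allowed. It assumes the "Field : value" layout, that a protocol listed under allow and not under deny is reachable, and a constructed sample capture (the LAN2 values are invented).

```python
import re

# Management protocols that carry logins and configuration unencrypted.
CLEARTEXT = ("telnet", "ftp", "http")
FIELDS = {"Name", "Description", "ep", "np", "allow", "deny"}
# NAT list rows look like "1: 1.2.3.4,10.2.3.4" (index: remoteRealIp,localNatIp).
NAT_ENTRY = re.compile(r"^\d+\s*:\s*([\d.]+)\s*,\s*([\d.]+)$")

# Constructed sample capture; LAN2 shows a hardened configuration.
SAMPLE = """\
WS5000.(Cfg).Fw> lan LAN1
LAN information:
LAN details...
Name        : LAN1
Description : Public LAN
ep          : 1
np          : Default Network Policy
allow       : https http telnet ftp
deny        :
NAT list:
1: 1.2.3.4,10.2.3.4
WS5000.(Cfg).Fw.[LAN1]> ..
WS5000.(Cfg).Fw> lan LAN2
LAN information:
LAN details...
Name        : LAN2
Description : Private LAN
ep          : 2
np          : TestNP
allow       : https
deny        : http telnet ftp
NAT list:
WS5000.(Cfg).Fw.[LAN2]>
"""


def parse_lan_details(text):
    """Return one dict per 'LAN details...' block in captured CLI output."""
    lans, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("LAN details"):
            current = {"allow": [], "deny": [], "nat": []}
            lans.append(current)
            continue
        if current is None or not line:
            continue
        nat = NAT_ENTRY.match(line)
        if nat:
            current["nat"].append((nat.group(1), nat.group(2)))
            continue
        key, sep, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if not sep or key not in FIELDS:
            continue  # prompts, "NAT list:", status lines
        if key in ("allow", "deny"):
            current[key] = value.lower().split()
        else:
            current[key] = value
    return lans


def audit(lans):
    """List, per LAN, the cleartext management protocols that remain allowed."""
    findings = []
    for lan in lans:
        exposed = [p for p in CLEARTEXT
                   if p in lan["allow"] and p not in lan["deny"]]
        if not exposed:
            continue
        findings.append({
            "lan": lan.get("Name", "?"),
            "exposed": exposed,
            # Denying http only keeps web management usable if https stays allowed.
            "https_allowed": "https" in lan["allow"] and "https" not in lan["deny"],
            # Built from the deny parameter of set in section 8.35.1; run inside
            # that LAN's FW instance context and confirm the result with show.
            "fix": [f"set deny {p}" for p in exposed],
        })
    return findings


if __name__ == "__main__":
    for finding in audit(parse_lan_details(SAMPLE)):
        print(finding["lan"], "allows", ", ".join(finding["exposed"]))
        for command in finding["fix"]:
            print("   ", command)
```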
8.36 Host Context
The Host context collects the various hosts that are declared in other contexts.
Table 8.41 summarizes the commands within this context. Common commands between multiple contexts are
described in further detail in the Common Commands section.
Table 8.41 Host Context Command Summary
Command        Description                                                          Ref.
.. or end      Terminate a current session and moves up a context, hierarchically.  page 8-7
exit           Terminate a current session and returns to the “root” prompt.        page 8-7
? or help      Get the command information.                                         page 8-7
logout or bye  Close this session.                                                  page 8-8
clear          Clear the screen.                                                    page 8-8
add            Add a host to the system.                                            page 8-209
emergencymode  Enable or disable Emergency mode.                                    page 8-8
host           Configure attributes for a particular host.                          page 8-210
remove         Remove a defined host on the system.                                 page 8-210
show           Display available host details.                                      page 8-210
8.36.1 add
Host Context
Adds a new host to the system.
Syntax
add host <name> <IP_address> [domain]
Parameters
name
Name given to the host.
IP_address
IP address of the host.
domain
Optional domain of the host.
Example
WS5000.(Cfg).Host> add NYhost 111.222.111.30 NYdomain
Adding Host...
Status: Success.
Host Name   IP Address       Domain
---------   ----------       ------
NYhost      111.222.111.30   NYdomain
WS5000.(Cfg).Host.[NYhost]>
8.36.2 host
Host Context
Changes the prompt to the context of a specified Host instance.
Syntax
edit <host>
Parameters
host
The name of the host that you want to edit.
Example
WS5000.(Cfg).Host> host NYhost
Host Name   IP Address       Domain
---------   ----------       ------
NYhost      111.222.111.30   NYdomain
WS5000.(Cfg).Host.[NYhost]>
8.36.3 remove
Host Context
Removes a host from the host list.
Syntax
remove <host_name>
Parameters
host_name
The name of the host to be removed.
Example
WS5000.(Cfg).Host> remove NYhost
Host Name   IP Address       Domain
---------   ----------       ------
WS5000.(Cfg).Host>
8.36.4 show
Host Context
Display host information.
Syntax
show
show host
show syslog
show system
Parameters
host
The name of the host defined in the system.
syslog
Displays the syslog details.
system
Displays the system information.
Example
WS5000.(Cfg).Host> show host NYhost 111.222.111.30 NYdomain
Host Name   IP Address       Domain
---------   ----------       ------
WS5000.(Cfg).Host>
8.37 Host Instance
The Host instance context lets you modify an entry in the host list.
Table 8.42 summarizes the commands within this context. Common commands between multiple contexts are
described in further detail in the Common Commands section.
Table 8.42 Host Instance Context Command Summary
Command        Description                                                          Ref.
.. or end      Terminate a current session and moves up a context, hierarchically.  page 8-7
exit           Terminate a current session and returns to the “root” prompt.        page 8-7
? or help      Get the command information.                                         page 8-7
logout or bye  Close this session.                                                  page 8-8
clear          Clear the screen.                                                    page 8-8
set            Configure attributes of a particular host.                           page 8-212
emergencymode  Enable or disable Emergency mode.                                    page 8-8
show           Display available classifier instance details.                       page 8-213
8.37.1 set
Host Instance
Configures a host.
Syntax
set <attribute> <value>
Parameters
domain
The host’s domain name. The value of the domain should follow.
ip
The host’s IP address. The IP address value should follow.
Example
WS5000.(Cfg).Host.[NYhost]> show
Host Name   IP Address       Domain
---------   ----------       ------
NYhost      111.222.111.31   NYdomain
WS5000.(Cfg).Host.[NYhost]>
WS5000.(Cfg).Host.[NYhost]> set ip 111.222.111.30
Changing Host property...
Status: Success.
Host Name   IP Address       Domain
---------   ----------       ------
NYhost      111.222.111.30   NYdomain
WS5000.(Cfg).Host.[NYhost]>
WS5000.(Cfg).Host.[NYhost]> set domain NYdomain1
Changing Host property...
Status: Success.
Host Name   IP Address       Domain
---------   ----------       ------
NYhost      111.222.111.30   NYdomain1
WS5000.(Cfg).Host.[NYhost]>
8.37.2 show
Host Instance
Shows host configuration details.
Syntax
show
show system
Parameters
None.
Example
WS5000.(Cfg).Host.[NYhost]> show host
Host Name   IP Address       Domain
---------   ----------       ------
SFhost      111.222.111.32   domain1
NYhost      111.222.111.30   NYdomain1
WS5000.(Cfg).Host.[NYhost]>
WS5000.(Cfg).Host.[NYhost]> show system
System information...
System Name                  : WS5000
Description                  : WS5000 Wireless Network
Switch Location              :
Software Ver.                : 1.4.1.0-003D
Licensed to                  : Symbol Technologies
Copyright                    : Copyright (c) 2000-2005. All rights reserved.
Serial Number                : 00A0F86594B8
Number of Licenses           : 48
Max Access Ports             : 48
Max Mobile Clients           : 4096
Active Switch Policy         : sw1
Emergency Switch Policy      : Not defined
Switch Uptime                : 12d:05h:01m
# of Unassigned Access Ports : 2
Unassigned Access Ports      :
1. 00:A0:F8:6E:4A:7A [G].
2. 00:A0:F8:BB:B3:6D [G].
WS5000.(Cfg).Host.[NYhost]>
8.38 KDC Context
The KDC context provides configuration options to configure the switch-resident Kerberos Key Distribution
Center (KDC) as a Master or Slave.
Table 8.43 summarizes the commands within this context. Common commands between multiple contexts are
described in further detail in the Common Commands section.
Table 8.43 KDC Context Command Summary
Command        Description                                                          Ref.
.. or end      Terminate a current session and moves up a context, hierarchically.  page 8-7
exit           Terminate a current session and returns to the “root” prompt.        page 8-7
? or help      Get the command information.                                         page 8-7
logout or bye  Close this session.                                                  page 8-8
add            Add a new KDC Slave or User.                                         page 8-214
authenticate   Authenticates a Slave KDC with a Master KDC.                         page 8-215
clear          Clear the screen.                                                    page 8-8
dump           Dumps the principals to the specified file (The file can be moved    page 8-216
               to another machine and the database is thus transferred)
emergencymode  Enable or disable Emergency mode.                                    page 8-8
remove         Remove a Slave KDC, User or NTP addresses.                           page 8-216
set            Configure/create the KDC.                                            page 8-217
show           Display context specific attribute                                   page 8-219
synchronize    Synchronize a Slave KDC DB with a Master KDC DB.                     page 8-221
8.38.1 add
KDC Context
Adds a Slave KDC to/from the Master KDC. This command can only be invoked if the switch is configured to
be the Master KDC.
Syntax
add mu <name> <ticket_life>
or
add slavekdc <name> <ip_address> <domain>
Parameters
mu
Adds a KDC user of type MU.
slavekdc
Adds a slave KDC.
name
Name given to the user or slave KDC.
IP_address
IP address of the Slave KDC
domain
Domain of the Slave KDC.
Example
WS5000.(Cfg).KDC> add mu symbol 10
Enter password for the mu "symbol"   : ******
Confirm password for mu "symbol" : ******
Adding mu 'symbol' to the KDC.
Status: Success.
List of active MUs (KDC user):
Type   Name     Ticket Life
----   ----     -----------
MU     symbol   10 min.
WS5000.(Cfg).KDC>
8.38.2 authenticate
KDC Context
Authenticates a slave KDC with its master. This is used when a KDC master has been deleted and re-created
afterwards. In this case, the slave has no way of knowing if a new master has been configured, therefore it
needs to be manually authenticated again.
Note When you try to execute this command on a switch that has been configured
as a Master KDC, the following message is displayed:
WS5000.(Cfg).KDC> authenticate
This command is available only for a SLAVE KDC.
The present KDC is configured as MASTER.
WS5000.(Cfg).KDC>
Syntax
authenticate
Parameters
None
Example
WS5000.(Cfg).KDC> authenticate
Authenticating slave KDC with Master....
Status: Success.
WS5000.(Cfg).KDC>
8.38.3 dump
KDC Context
Writes the KDC database to a file.
Syntax
dump <filename>
Parameters
filename
Name of the file to which the database is written. The “.krb” extension is automatically appended.
Example
WS5000.(Cfg).KDC> dump kdcTracks
Saving KDC principals in: kdcTracks.krb
Status: Success.
WS5000.(Cfg).KDC> ..
WS5000.(Cfg)> dir
Date & Time     Bytes      File Name
May 5   21:33   1068       KerberosErrorLog.txt
Jan 25  15:11   15155      WS5000Defaults_v1.4.0.0-026R.cfg
Apr 23  16:18   18821897   WS5000_v1.4.1.0-003D.sys.img
Feb 10  17:31   6517       cmd_template.sym
May 5   21:33   2105       kdcTracks.krb
WS5000.(Cfg)>
8.38.4 remove
KDC Context
This command is used to delete a Slave KDC or MU from the Master KDC, or to delete NTP servers.
Syntax
remove mu <name>
remove slavekdc <name> <ip_address> <domain>
remove ntpserver <ntp_index>
Parameters
mu
KDC user of type MU to be removed.
slavekdc
Slave KDC to be removed.
name
Name of the User (MU) or slave KDC.
ip_address
IP address of the slave KDC.
domain
Domain of the slave KDC.
ntp_server
NTP server index: 1 - 3 or all.
Example
WS5000.(Cfg).KDC> remove mu symbol
Deleting mu 'symbol' from the KDC.
Status: Success.
List of active MUs (KDC user):No active Users available.
WS5000.(Cfg).KDC>
WS5000.(Cfg).KDC> remove slavekdc standby 1.1.1.1 symbol.com
Deleting slave KDC....
Status: Success.
The system is configured as MASTER KDC.
Kerberos Realm                : SYMBOL.LOCAL
Interface                     : ethernet1
User count (Active + deleted) : 1
Active users (MUs and WLANs)  : 0
Slave KDCs    IP Address       Domain
----------    ----------       ------
No entry available.
List of all active KDC users (MUs & WLANs): No active Users available.
WS5000.(Cfg).KDC>
WS5000.(Cfg).KDC> remove ntpserver 1
Deleting NTP Server....
Status: Success.
No NTP IP Entry exist, Time synchronization is Disabled
Time Server (NTP) details:
Primary NTP Server          :
First alternate NTP Server  :
Second alternate NTP Server :
WS5000.(Cfg).KDC>
8.38.5 set
KDC Context
Use set to configure or create the KDC in the system or configure KDC access type.
Syntax
set master <realm> <if_num>
set slave <realm> <masters_name> <masters_ip> <if_num>
set clear
set ntpserver <server_no> <server_ip>
set access <cli/snmp> <enable/disable>
Parameters
master
Configure the switch as master KDC.
slave
Configure the switch as slave KDC.
clear
Clear all KDC configuration on the switch.
realm
Kerberos realm name.
masters_name
Name assigned to the Master KDC. Required if kdc_type is slave.
masters_ip
Domain over which the KDC has dominion. Required if kdc_type is slave.
if_num
Interface number, 1 or 2.
server_no
Sets one of the three NTP servers for this switch. NTP server number, 1 to 3.
server_ip
NTP server IP address.
access
Permits or denies configuration of the on-board KDC through Telnet (CLI) or SNMP.
Example
WS5000.(Cfg).KDC> set access cli disable
Configuring KDC access restriction for cli....
Status : Success.
Configuration Access restriction details:
Telnet access (CLI)                   : Disable.
System access via SNMP                : Enable.
KDC configuration over remote console : Disable.
KDC configuration through SNMP        : Enable.
WS5000.(Cfg).KDC>
WS5000.(Cfg).KDC> set access snmp
Enter enable/disable.
Syntax: set access snmp <enable/disable> [CR]
Incomplete command... use '?' for help.... exiting...
WS5000.(Cfg).KDC> set access snmp enable
Configuring KDC access restriction for snmp....
Status : Success.
Configuration Access restriction details:
Telnet access (CLI)                   : Disable.
System access via SNMP                : Enable.
KDC configuration over remote console : Enable.
KDC configuration through SNMP        : Enable.
WS5000.(Cfg).KDC>
WS5000.(Cfg).KDC> set clear
Deleting all KDC configurations.....
Status : Success.
KDC is not configured in this machine.
WS5000.(Cfg).KDC>
WS5000.(Cfg).KDC> set ntpserver 1 192.192.4.111
Configuring time server (NTP) ....
Status : Success.
Time Server (NTP) details:
Primary NTP Server          : 192.192.4.111
First alternate NTP Server  :
Second alternate NTP Server :
WS5000.(Cfg).KDC>
WS5000.(Cfg).KDC> set slave test1 test2 1.1.1.1 2
Configuring KDC as slave.
Status : Success.
The system is configured as SLAVE KDC.
Kerberos Realm                : test1
Interface                     : ethernet2
User count (Active + deleted) : 0
Active users (MUs and WLANs)  : 0
Master KDC                    :
Name       : test2
IP address : 1.1.1.1
List of all active KDC users (MUs & WLANs): No active Users available.
WS5000.(Cfg).KDC>
8.38.6 show
KDC Context
Shows KDC details.
Syntax
show
show configaccess
show kdc
show ntpservers
show users
Parameters
configaccess
Display configured system access restrictions
kdc
Display KDC details
ntpservers
Display NTP Server information
users
Display the list of active KDC users
Example
WS5000.(Cfg).KDC> show
The system is configured as MASTER KDC.
Kerberos Realm                : realm1
Interface                     : ethernet1
User count (Active + deleted) : 1
Active users (MUs and WLANs)  : 1
Slave KDCs    IP Address       Domain
----------    ----------       ------
slaveKDC_NY   111.222.111.30   NYdomain1
List of all active KDC users (MUs & WLANs):
Type   Name          Ticket Life   ESSID
----   ----          -----------   -----
MU     489-45-5672   3 min.        Not Available
WS5000.(Cfg).KDC> show users
List of all active KDC users (MUs & WLANs):
Type   Name          Ticket Life   ESSID
----   ----          -----------   -----
MU     489-45-5672   3 min.        Not Available
WS5000.(Cfg).KDC>
WS5000.(Cfg).KDC> show configaccess
Configuration Access restriction details:
Telnet access (CLI)                   : Disable.
System access via SNMP                : Enable.
KDC configuration over remote console : Enable.
KDC configuration through SNMP        : Enable.
WS5000.(Cfg).KDC>
WS5000.(Cfg).KDC> show kdc
The system is configured as MASTER KDC.
Kerberos Realm                : a
Interface                     : ethernet1
User count (Active + deleted) : 1
Active users (MUs and WLANs)  : 0
Slave KDCs    IP Address       Domain
----------    ----------       ------
No entry available.
List of all active KDC users (MUs & WLANs): No active Users available.
WS5000.(Cfg).KDC>
WS5000.(Cfg).KDC> show ntpservers
Time Server (NTP) details:
Primary NTP Server          : 192.192.4.111
First alternate NTP Server  :
Second alternate NTP Server :
WS5000.(Cfg).KDC>
WS5000.(Cfg).KDC> show users
List of all active KDC users (MUs & WLANs):
Type   Name      Ticket Life   ESSID
----   ----      -----------   -----
MU     symbol1   7 min.        Not Available
WS5000.(Cfg).KDC>
8.38.7 synchronize
KDC Context
Propagates the krb database from the master to the slave so that the slave gets all the user information. It copies the
Master KDC database to the Slave KDC.
Syntax
synchronize <slave_name> <slave_ip> <slave_domain>
Parameters
slave_name
Name of the KDC slave.
slave_ip
IP address of the KDC slave.
slave_domain
Domain of the KDC slave.
Example
WS5000.(Cfg).KDC> synchronize standby 111.222.111.30 Symbol.com
Synchronizing slave KDC (standby) DB with master....
8.39 Network Policy (NP) Context
A Network Policy is a collection of packet filters that you can use to implement various Quality of Service
requirements. Each Network Policy contains an inbound Policy Object and an outbound Policy Object. The
inbound policy filters packets that are sent from wireless devices to the WS5000. The outbound policy filters
packets that are sent from the switch to the wireless devices.
A Policy Object contains some number of Classification Groups, which contain Classifiers. It is at the Classifier
and Classification Group levels that the filtering rules are defined.
Table 8.44 summarizes the commands within this context. Common commands between multiple contexts are
described in further detail in the Common Commands section.
Table 8.44 Network Policy Context Command Summary
Command        Description                                                          Ref.
.. or end      Terminate a current session and moves up a context, hierarchically.  page 8-7
exit           Terminate a current session and returns to the “root” prompt.        page 8-7
? or help      Get the command information.                                         page 8-7
logout or bye  Close this session.                                                  page 8-8
clear          Clear the screen.                                                    page 8-8
emergencymode  Enable or disable Emergency mode.                                    page 8-8
np             Select a Network Policy to configure                                 page 8-223
remove         Remove a Network Policy                                              page 8-223
show           Display available classifier instance details.                       page 8-224
8.39.1 add
Network Policy (NP) Context
Creates and adds a Network Policy instance.
Syntax
add <name>
Parameters
name
The name that’s given to the new Network Policy.
Example
WS5000.(Cfg).NP> add NY_ntwk_SwitchPolicy
Adding Network Policy...
Status: Success.
Network Policy information
Available Network Policies:
1. Default Network Policy.
2. NetVision_VoIP_Priority.
3. New Network Policy.
4. NY_ntwk_SwitchPolicy.
Network Policy information
Network Policy Name         : NY_ntwk_SwitchPolicy
Policy Description          :
Outbound Policy Object name :
Inbound Policy Object name  :
WS5000.(Cfg).NP.[NY_ntwk_SwitchPolicy]>
8.39.2 np
Network Policy (NP) Context
Changes the prompt to the context of a specific Network Policy instance.
Syntax
np <name>
Parameters
name
Selects the Network Policy by name.
Example
WS5000.(Cfg).NP> np NY_ntwk_SwitchPolicy
Network Policy information
Network Policy Name         : NY_ntwk_SwitchPolicy
Policy Description          :
Outbound Policy Object name :
Inbound Policy Object name  :
WS5000.(Cfg).NP.[NY_ntwk_SwitchPolicy]>
8.39.3 remove
Network Policy (NP) Context
Removes a Network Policy instance.
Syntax
remove <name>
Parameters
name
The name of the Network Policy that’s to be removed.
Example
WS5000.(Cfg).NP> show
Network Policy information
Available Network Policies:
1. Default Network Policy.
2. NetVision_VoIP_Priority.
3. New Network Policy.
4. NY_ntwk_SwitchPolicy.
WS5000.(Cfg).NP> remove "New Network Policy"
Removing Network Policy...
Status: Success.
Network Policy information
Available Network Policies:
1. Default Network Policy.
2. NetVision_VoIP_Priority.
3. NY_ntwk_SwitchPolicy.
WS5000.(Cfg).NP>
8.39.4 show
Network Policy (NP) Context
Shows Network Policy details.
Syntax
show       Display context specific attributes
show ce    Display Classifiers
show cg    Display Classification Group
show np    Display Network Policy information
show po    Display Policy Object information
Parameters
None.
Example
WS5000.(Cfg).NP> show
Network Policy information
Available Network Policies:
1. Default Network Policy.
2. NetVision_VoIP_Priority.
3. New Network Policy.
4. NY_ntwk_SwitchPolicy.
WS5000.(Cfg).NP>
8.40 Network Policy Instance
Table 8.45 summarizes the commands within this context. Common commands between multiple contexts are
described in further detail in the Common Commands section.
Table 8.45 Network Policy Instance Context Command Summary
Command        Description                                                          Ref.
.. or end      Terminate a current session and moves up a context, hierarchically.  page 8-7
exit           Terminate a current session and returns to the “root” prompt.        page 8-7
? or help      Get the command information.                                         page 8-7
logout or bye  Close this session.                                                  page 8-8
clear          Clear the screen.                                                    page 8-8
emergencymode  Enable or disable Emergency mode.                                    page 8-8
show           Display available classifier instance details.
8.40.1 set
Network Policy Instance
Sets an attribute of this Network Policy instance.
Syntax
set <attribute> <value>
Parameters
attribute        value           Description
name             name            Sets the name of the Network Policy. Enter the name after the “name” attribute.
inboundPolicy    name | remove   Adds the named Policy Object as the inbound policy. If the value is remove, the
                                 policy is removed.
outboundPolicy   name | remove   Adds the named Policy Object as the outbound policy. If the value is remove, the
                                 policy is removed.
Example
WS5000.(Cfg).NP.[NY_NetworkPolicy]> set
config_parameter is a required parameter.
set:
Use set to configure a Network Policy components.
Syntax: set <config_parameter>, <parameter_value>
where:
config_parameter   Network Policy parameter to be cofigured.
parameter_value    Value for the NP parameter.
                   Type 'remove' to remove a Policy Object
config_parameter:
name               Change name of the Network Policy.
inboundpolicy      Assign Input Policy Object.
outboundpolicy     Assign Output Policy Object.
ERROR: Command 'set' cancelled due to invalid or unrecognized parameter.
WS5000.(Cfg).NP.[NY_NetworkPolicy]>
WS5000.(Cfg).NP.[NY_NetworkPolicy]> show po
Policy Object information......
Available Policies (PO):
1. NetVision Priority for RF.
2. NetVision Packet Marking for Ethernet.
3. New Input Policy.
4. New Output Policy.
WS5000.(Cfg).NP.[NY_NetworkPolicy]> set inboundpolicy "New Input Policy"
Configuring Network Policy... done.
Network Policy information
Network Policy Name         : NY_NetworkPolicy
Policy Description          :
Outbound Policy Object name :
Inbound Policy Object name  : New Input Policy
WS5000.(Cfg).NP.[NY_NetworkPolicy]> set outboundpolicy "New Output Policy"
Configuring Network Policy... done.
Network Policy information
Network Policy Name         : NY_NetworkPolicy
Policy Description          :
Outbound Policy Object name : New Output Policy
Inbound Policy Object name  : New Input Policy
8.40.2 show
Network Policy Instance
Syntax
show
show ce
show cg
show np
show po
Parameters
ce
Display Classifiers
cg
Display Classification Group
np
Display Network Policy information
po
Display context specific attributes
Example
WS5000.(Cfg).NP.[NY_NetworkPolicy]> show
Network Policy information
Network Policy Name         : NY_NetworkPolicy
Policy Description          : For NY switching
Outbound Policy Object name : New Output Policy
Inbound Policy Object name  : New Input Policy
WS5000.(Cfg).NP.[NY_NetworkPolicy]>
8.41 Policy Object (PO) Context
Table 8.46 summarizes the commands within this context. Common commands between multiple contexts are
described in further detail in the Common Commands section.
Table 8.46 Policy Object Context Command Summary
Command        Description                                                          Ref.
.. or end      Terminate a current session and moves up a context, hierarchically.  page 8-7
exit           Terminate a current session and returns to the “root” prompt.        page 8-7
? or help      Get the command information.                                         page 8-7
logout or bye  Close this session.                                                  page 8-8
add            Adds a new Policy Object                                             page 8-228
clear          Clear the screen.                                                    page 8-8
emergencymode  Enable or disable Emergency mode.                                    page 8-8
po             Select a Policy Object to configure                                  page 8-229
remove         Removes a Policy Object                                              page 8-230
show           Displays context specific attributes                                 page 8-230
8.41.1 add
Policy Object (PO) Context
Creates and adds a Policy Object instance.
Syntax
add <name> <type>
Parameters
name
The name that’s given to the new Policy Object.
type
The “direction” of the policy: Possible values are: 1 = outbound; 2 = inbound.
Example
WS5000.(Cfg).PO> add
po_name is a required parameter.
Syntax: add <po_name> <po_type> [CR]
Where: <po_types> can be,
1. Outbound Access Port
2. Inbound Access Port
3. Outbound Ethernet **
4. Inbound Ethernet **
5. Outbound Bluetooth **
6. Inbound Bluetooth **
** These types will be implemented in future release.
Incomplete command... use '?' for help.... exiting...
WS5000.(Cfg).PO> add Inbound 2
Adding Policy Object...
Status: Success.
Policy Object information......
Available Policies (PO):
1. NetVision Priority for RF.
2. NetVision Packet Marking for Ethernet.
3. New Input Policy.
4. New Output Policy.
5. Inbound.
Policy Object information......
Network Policy Name : Inbound
Description         :
Type                : Inbound Access Port
Default action      : Allow
No of CG Associated with the Policy Object: 0
WS5000.(Cfg).PO.[Inbound]>
8.41.2 po
Policy Object (PO) Context
Changes the prompt to the context of a specified Policy Object instance.
Syntax
po <name>
Parameters
name
Selects the Policy Object by name.
Example
WS5000.(Cfg).PO> 1
Policy Object information......
Network Policy Name : NetVision Priority for RF
Description         :
Type                : Outbound Access Port
Default action      : Allow
No of CG Associated with the Policy Object: 1
The list of CG associated:
1. NetVision_VoIP_Out.
CG                   TOS      WFQ   Tx-Profile   Pkt Modifier(s)   WME-AC
--                   ---      ---   ----------   ---------------   ------
NetVision_VoIP_Out   000000   66%   Voice        Priority & TOS    1
8.41.3 remove
Policy Object (PO) Context
Removes a Policy Object instance.
Syntax
remove <name>
Parameters
name
The name of the Policy Object to be removed.
Example
WS5000.(Cfg).PO> remove Inbound
Removing Policy Object...
Status: Success.
Policy Object information......
Available Policies (PO):
1. NetVision Priority for RF.
2. NetVision Packet Marking for Ethernet.
3. New Input Policy.
4. New Output Policy.
WS5000.(Cfg).PO>
8.41.4 show
Policy Object (PO) Context
Shows Policy Object details.
Syntax
show
show ce
show cg
show np
show po
Parameters
ce
Display Classifiers
cg
Display Classification Group
np
Display Network Policy information
po
Display Policy Object information
Example
WS5000.(Cfg).PO> show
Policy Object information......
Available Policies (PO):
1. NetVision Priority for RF.
2. NetVision Packet Marking for Ethernet.
3. New Input Policy.
4. New Output Policy.
5. Inbound.
WS5000.(Cfg).PO>
8.42 Policy Object Instance
Table 8.47 summarizes the commands within this context. Common commands between multiple contexts are
described in further detail in the Common Commands section.
Table 8.47 Policy Object Instance Context Command Summary
Command        Description                                                          Ref.
.. or end      Terminate a current session and moves up a context, hierarchically.  page 8-7
exit           Terminate a current session and returns to the “root” prompt.        page 8-7
? or help      Get the command information.                                         page 8-7
logout or bye  Close this session.                                                  page 8-8
clear          Clear the screen.                                                    page 8-8
emergencymode  Enable or disable Emergency mode.                                    page 8-8
set            Configure Policy Object                                              page 8-232
show           Display context specific attributes                                  page 8-234
8.42.1 set
Policy Object Instance
Sets an attribute of this Policy Object instance.
Syntax
set <attribute> <value>
Parameters
addCG
  Adds the named Classification Group to the Policy Object.
  Syntax: set addCG <cg_name>
defaultAction
  Sets the default action for this Policy Object.
  Syntax: set defaultAction <allow_deny_flag>
name
  Sets the name of this Policy Object instance.
  Syntax: set name <policy_object_name>
removeCG
  Removes the named Classification Group from the Policy Object.
  Syntax: set removeCG <cg_name>
cgPktmod
  Packet modification variables include:
  • disable – Disables packet prioritization for all packets that are marked with the named
    Classification Group. To re-enable packet prioritization, remove and then re-add the
    Classification Group.
  • Enables (enable) or disables (disable) Type of Service modification for all packets that are
    marked with the named Classifier Group.
  Syntax: set cgPktMod disable <cg_name>
          set cgPktMod tos <enable_flag> <cg_name>
IPredirect
priority
tos
  Sets the ToS packet marking bits for packets marked with the named Classification Group. The
  bits value is the packet marking/ToS given as a 6-bit bit-field. For example: 101101.
  Syntax: set tos <bits> <cg_name>
Example
WS5000.(Cfg).PO.[Inbound]> set
config_parameter is a required parameter.
Syntax: set <config_parameter>
Valid commands:
set name
set addcg
set removecg
set cgpktmod
set defaultaction
set ipredirect
set priority
set tos
Incomplete command... use '?' for help.... exiting...
WS5000.(Cfg).PO.[Inbound]> show cg
Classification Group information...
Available Classification Groups:
1. NetVision_VoIP_In.
2. NetVision_VoIP_Out.
3. voip_in_cg.
WS5000.(Cfg).PO.[Inbound]> set addcg voip_in_cg
Configuring Policy Object...
Status: Success.
Policy Object information......
Network Policy Name                        : Inbound
Description                                :
Type                                       : Inbound Access Port
Default action                             : Allow
No of CG Associated with the Policy Object : 1
The list of CG associated:
1. voip_in_cg.
CG          VlanPriority  TOS     IP-Redirect  Pkt Modifier(s)
--          ------------  ---     -----------  ---------------
voip_in_cg  0             000000  0.0.0.0      Disabled
WS5000.(Cfg)> po
Policy Object information......
Available Policies (PO):
1. NetVision Priority for RF.
2. NetVision Packet Marking for Ethernet
WS5000.(Cfg).PO> 1
Policy Object information......
Network Policy Name                        : NetVision Priority for RF
Description                                :
Type                                       : Outbound Access Port
Default action                             : Allow
No of CG Associated with the Policy Object : 1
The list of CG associated:
1. NetVision_VoIP_Out.
CG                  TOS     WFQ  Tx-Profile  Pkt Modifier(s)  WME-AC
--                  ---     ---  ----------  ---------------  ------
NetVision_VoIP_Out  000000  66%  Voice       Priority & TOS   1
8.42.2 show
Policy Object Instance
Show details about the Policy Object or related components.
Syntax
show
show ce
show cg
show np
show po
Parameters
ce
Display Classifiers
cg
Display Classification Group
np
Display Network Policy information
po
Display Policy Object information
Example
WS5000.(Cfg)> po
Policy Object information......
Available Policies (PO):
1. NetVision Priority for RF.
2. NetVision Packet Marking for Ethernet
8.43 Radius Context
The Radius context enables you to specify an external Radius server for authenticating network users (Web,
Telnet, and SSH) and local users connecting through the serial port.
Table 8.48 summarizes the commands within this context. Common commands between multiple contexts are
described in further detail in the Common Commands section.
Table 8.48 Radius Context Command Summary
Command        Description                                                               Ref.
.. or end      Terminates the current session and moves up one context, hierarchically.  page 8-7
exit           Terminates the current session and returns to the “root” prompt.          page 8-7
? or help      Get the command information.                                              page 8-7
logout or bye  Close this session.                                                       page 8-8
clear          Clear the screen.                                                         page 8-8
emergencymode  Enable or disable Emergency mode.                                         page 8-8
set            Configure the RADIUS Server                                               page 8-235
show           Display context specific attributes                                       page 8-237
8.43.1 set
8.43.1.1 set authentication
Radius Context
Sets the type of connection for which logins must be authenticated by the Radius server.
Syntax
set authentication <connection>
Parameters
connection
The type of connection. Possible values are:
• serial
• network
• localDB
Example
WS5000.(Cfg).RADIUS> set authentication serial enable
Configuring RADIUS server...
Status : Success.
RADIUS authentication status:
-----------------------------
Network users (Web, Telnet, etc.)                    : Disable
Local users (via serial port)                        : Enable
Authenticate locally if RADIUS server refuses access : Disable
Server     Host Name/IP    Port  Retry  Timeout
------     ------------    ----  -----  -------
Primary    157.235.207.46  1812  3      5
Secondary  Not defined     1812  3      5
WS5000.(Cfg).RADIUS>
8.43.1.2 set primary
Radius Context
Sets the identity or parameter value of the primary Radius server.
Syntax
set primary <radius_parameter> <value>
set primary host <host_name/IP> [port] [timeout] [retry]
set primary port <port: 1-65535>
set primary timeout <time: 5-20>
set primary retry <retry: 1-10>
Parameters
attribute  value                               Description
host       name | IP [port] [timeout] [retry]  Identifies the Radius server by name or IP address. The other three attributes can be set here, as well
port       0 - 65535                           Sets the port number of the Radius server.
retry      1 - 10                              Specifies the number of times a Mobile Unit can try to authenticate itself during the reauthentication phase. The default is 5 attempts.
timeout    30, 65535                           Specifies the time interval, in seconds, after which Mobile Units are forced to reauthenticate with the Radius server. Valid values are in the range seconds; the default is 3600 seconds (1 hour).
Example
WS5000.(Cfg).RADIUS> set primary port 20
Configuring RADIUS server...
Status : Success.
RADIUS authentication status:
-----------------------------
Network users (Web, Telnet, etc.)                    : Disable
Local users (via serial port)                        : Enable
Authenticate locally if RADIUS server refuses access : Disable
Server     Host Name/IP    Port  Retry  Timeout
------     ------------    ----  -----  -------
Primary    157.235.207.46  20    3      5
Secondary  Not defined     1812  3      5
8.43.1.3 set secondary
Radius Context
Sets the identity or parameter value of the secondary Radius server.
Syntax
set secondary <radius_parameter> <value>
set secondary host <host_name/IP> [port] [timeout] [retry]
set secondary port <port: 1-65535>
set secondary timeout <time: 5-20>
set secondary retry <retry: 1-10>
Parameters
attribute  value                               Description
host       name | IP [port] [timeout] [retry]  Identifies the Radius server by name or IP address. The other three attributes can be set here, as well
port       0 - 65535                           Sets the port number of the Radius server.
retry      1 - 10                              Specifies the number of times a Mobile Unit can try to authenticate itself during the reauthentication phase. The default is 5 attempts.
timeout    30, 65535                           Specifies the time interval, in seconds, after which Mobile Units are forced to reauthenticate with the Radius server. Valid values are in the range seconds; the default is 3600 seconds (1 hour).
Example
WS5000.(Cfg).RADIUS> set secondary retry 5
Configuring RADIUS server...
Status : Success.
RADIUS authentication status:
-----------------------------
Network users (Web, Telnet, etc.)                    : Disable
Local users (via serial port)                        : Enable
Authenticate locally if RADIUS server refuses access : Disable
Server     Host Name/IP    Port  Retry  Timeout
------     ------------    ----  -----  -------
Primary    157.235.207.46  20    3      5
Secondary  Not defined     1812  5      5
WS5000.(Cfg).RADIUS>
8.43.2 show
Radius Context
Display the WS5000’s Radius settings.
Syntax
show                Display context specific attributes
show radius-server  Display Radius information
Parameters
None.
Example
WS5000.(Cfg).Radius> show
Radius authentication status:
-----------------------------
Network users (Web, Telnet, etc.)                    : Enable
Local users (via serial port)                        : Enable
Authenticate locally if Radius server refuses access : Enable
Server     Host Name/IP  Port  Retry  Timeout
------     ------------  ----  -----  -------
Primary    SFhost        1812  3      5
Secondary  NYhost        1812  3      5
WS5000.(Cfg).Radius>
WS5000.(Cfg).Radius> show radius-server
Radius authentication status:
-----------------------------
Network users (Web, Telnet, etc.)                    : Enable
Local users (via serial port)                        : Enable
Authenticate locally if Radius server refuses access : Enable
Server     Host Name/IP  Port  Retry  Timeout
------     ------------  ----  -----  -------
Primary    SFhost        1812  3      5
Secondary  NYhost        1812  3      5
WS5000.(Cfg).Radius>
8.44 Rogueap Context
The RogueAP context lets you configure RogueAP detection for the system.
Table 8.49 RogueAP Context Command Summary
Command        Description                                                               Ref.
.. or end      Terminates the current session and moves up one context, hierarchically.  page 8-7
exit           Terminates the current session and returns to the “root” prompt.          page 8-7
? or help      Get the command information.                                              page 8-7
logout or bye  Close this session.                                                       page 8-8
clear          Clears the screen.                                                        page 8-8
approvedlist   View or configure the Approved AP List.                                   page 8-239
detectorap     View or configure the DetectorAP List.                                    page 8-240
roguelist      View or configure the Detected RogueAP List.                              page 8-240
rulelist       Configure Authorized AP Rule List.                                        page 8-240
set            Set or reset any or all of the detection mechanisms.                      page 8-241
show           Display context specific attributes                                       page 8-242
8.44.1 approvedlist
Rogueap Context
Use approvedlist to view or configure Approved AP List for RogueAP detection.
Syntax
approvedlist
Parameters
None
Example
WS5000.(Cfg).rogueap> approvedlist
List Entry AgeOut Interval (min.) : 0
Index  MAC                ESSID
-----  ---                -----
1      11:22:22:22:22:22  test
2      00:A0:F8:C5:F6:F8  GRE
WS5000.(Cfg).rogueap.approvedlist>
8.44.2 detectorap
Rogueap Context
Use detectorap to view or configure DetectorAP List for DetectorAP scan.
Syntax
detectorap
Parameters
None
Example
WS5000.(Cfg).rogueap.detectorap> add "00:A0:F8:BF:8A:6B [A]"
Adding DetectorAP...
Status: Success.
Available DetectorAPs:
----------------------
1  00:A0:F8:BF:8A:6B [A]
WS5000.(Cfg).rogueap.detectorap>
8.44.3 roguelist
Rogueap Context
Use roguelist to view or configure Approved AP List for RogueAP detection.
Syntax
roguelist
Parameters
None
Example
WS5000.(Cfg).rogueap> roguelist
List Entry AgeOut Interval (min.) : 0
Index  MAC                ESSID
-----  ---                -----
1      11:33:22:22:22:33  ESSID1
2      00:B0:F8:C5:F6:F8  ESSID2
WS5000.(Cfg).rogueap.roguelist>
8.44.4 rulelist
Rogueap Context
Use rulelist to configure Authorised AP List for RogueAP detection.
Syntax
rulelist
Parameters
None
Example
WS5000.(Cfg).rogueap.rulelist> add 11:22:22:22:22:22 test
Adding AuthAP...
Status: Success.
Authorise Symbol AP : disable
Index  MAC                ESSID
-----  ---                -----
0      11:22:22:22:22:22  test
WS5000.(Cfg).rogueap.rulelist>
8.44.5 set
Rogueap Context
Use set to set or reset any or all of the detection mechanisms.
Note: Detectorscan requires detector APs to be configured on the system. Use the
detectorap context to configure them.
Syntax
set <feature_name> <enable/disable> [<interval>]
Parameters
feature_name
It can be either the rogueap OR muscan/apscan/detectorscan.
interval
Integer value between 5 and 65535. Applicable only when muscan/apscan/
detectorscan is enabled.
Example
WS5000.(Cfg).rogueap> set rogueap enable
Configuring RogueAP...
Status: Success.
RogueAP configuration details:
------------------------------
RogueAP Status               : enable
MU Scan Status               : disable
AP Scan Status               : disable
Detector Scan Status         : disable
MU Scan Interval(min.)       : 0
AP Scan Interval(min.)       : 0
Detector Scan Interval(min.) : 0
WS5000.(Cfg).rogueap>
or
WS5000.(Cfg).rogueap> set apscan enable 8
Configuring APScan...
Status: Success.
RogueAP configuration details:
------------------------------
RogueAP Status               : enable
MU Scan Status               : disable
AP Scan Status               : enable
Detector Scan Status         : disable
MU Scan Interval(min.)       : 0
AP Scan Interval(min.)       : 8
Detector Scan Interval(min.) : 0
WS5000.(Cfg).rogueap>
8.44.6 show
Rogueap Context
Lists the available RogueAP instances.
Syntax
show [display_parameter]
Parameters
rogueap
Display Rogue AP configuration
rulelist
Display Authorised AP rulelist
approvedlist
View Approved AP list
roguelist
View Rogue AP list
detectorap
Display list of DetectorAPs
Example
WS5000.(Cfg).rogueap> show rogueap
RogueAP configuration details:
------------------------------
RogueAP Status               : enable
MU Scan Status               : disable
AP Scan Status               : enable
Detector Scan Status         : disable
MU Scan Interval(min.)       : 0
AP Scan Interval(min.)       : 8
Detector Scan Interval(min.) : 0
WS5000.(Cfg).rogueap>
8.45 Security Policy Context
Table 8.50 summarizes the commands within this context. Common commands between multiple contexts are
described in further detail in the Common Commands section.
Table 8.50 Security Policy Context Command Summary
Command        Description                                                               Ref.
.. or end      Terminates the current session and moves up one context, hierarchically.  page 8-7
exit           Terminates the current session and returns to the “root” prompt.          page 8-7
? or help      Get the command information.                                              page 8-7
logout or bye  Close this session.                                                       page 8-8
clear          Clear the screen.                                                         page 8-8
emergencymode  Enable or disable Emergency mode.                                         page 8-8
add            Creates and adds a new Security Policy Instance.                          page 8-243
policy         Changes the prompt to the context of the named Security Policy instance.  page 8-244
remove         Removes the named Security Policy instance.                               page 8-244
show           Lists the available Security Policy instances.                            page 8-245
8.45.1 add
Security Policy Context
Creates and adds a new Security Policy Instance.
Syntax
add <name>
Parameters
name
The name of the new Security Policy.
Example
WS5000.(Cfg).SecurityPolicy> add NewKerberosPolicy
Adding Security Policy...
Status: Success.
Available Security Policies:
1. Kerberos Default.
2. Default.
3. WEP40 Default.
4. WEP128 Default.
5. New WEP Security Policy.
6. NewKerberosPolicy.
Security Policy details...
Policy name               : NewKerberosPolicy
Description               :
Beacon ESSID              : Enabled
EAP PreAuthentication     : Enabled
Opportunistic PMK Caching : Enabled
Encryption  Open    WEP      KeyGuard-MCM  TKIP     AES CCMP
----------  ----    ---      ------------  ----     --------
Status:     Enable  Disable  Disable       Disable  Disable
Authentication  Pre-Shared  Kerberos  802.1x,EAP with Radius
--------------  ----------  --------  ----------------------
Status:         Disable     Disable   Disable
WS5000.(Cfg).SecurityPolicy>
8.45.2 policy
Security Policy Context
Changes the prompt to the context of the named Security Policy instance.
Syntax
policy <name>
Parameters
name
The name of the new Security Policy.
Example
WS5000.(Cfg).SecurityPolicy> policy Default
Security Policy details...
Policy name               : Default
Description               : Default Security Policy
Beacon ESSID              : Enabled
EAP PreAuthentication     : Disabled
Opportunistic PMK Caching : Disabled
Encryption  Open    WEP      KeyGuard-MCM  TKIP     AES CCMP
----------  ----    ---      ------------  ----     --------
Status:     Enable  Disable  Disable       Disable  Disable
Authentication  Pre-Shared  Kerberos  802.1x,EAP with Radius
--------------  ----------  --------  ----------------------
Status:         Disable     Disable   Disable
WS5000.(Cfg).SecurityPolicy.[Default]>
8.45.3 remove
Security Policy Context
Removes the named Security Policy instance.
Syntax
remove <name>
Parameters
name
The name of the new Security Policy.
Example
WS5000.(Cfg).SecurityPolicy> remove NewKerberosPolicy
Removing Security Policy...
Status: Success.
Available Security Policies:
1. Kerberos Default.
2. Default.
3. WEP40 Default.
4. WEP128 Default.
5. New WEP Security Policy.
WS5000.(Cfg).SecurityPolicy>
8.45.4 show
Security Policy Context
Lists the available Security Policy instances.
Syntax
show                 Display context specific attributes
show securitypolicy  Display security policy details
Parameters
None.
Example
WS5000.(Cfg).SecurityPolicy> show securitypolicy
Available Security Policies:
1. Kerberos Default.
2. Default.
3. WEP40 Default.
4. WEP128 Default.
5. New WEP Security Policy.
WS5000.(Cfg).SecurityPolicy>
8.46 Security Policy Instance
A Security Policy instance declares the types of encryption and authentication that can be used to create
secure login and data communication on the WLAN.
The types of encryption that can be set are as follows:
• Open – No encryption; any unsecured Mobile Unit is allowed to associate with the system unless the
  adoption list specifically excludes it.
• KeyGuard encryption for TKIP (Temporal Key Integrity Protocol) – This mode is only supported by Symbol
  mobile devices. KeyGuard requires a 128-bit WEP key.
• Wired Equivalent Privacy (WEP) – WEP comes in a choice of 40- or 128-bit encryption, and lets you
  define and choose from four different keys.
• WPA/TKIP – Wi-Fi Protected Access with Temporal Key Integrity Protocol
• WPA2 AES
In addition, the types of authentication that can be used are as follows:
• None – If encryption is set to open, then there’s no authentication.
• Pre-Shared Key (PSK) – In PSK, the same key is used for authentication and encryption.
• Kerberos – Uses a Kerberos server for mobile unit authentication. You can specify an external server or
  use the switch’s on-board server. To use the on-board server, you must first configure the switch to be a
  Kerberos Master (see set on page 8-217). Kerberos only supports KeyGuard and WEP encryption.
• 802.1x EAP – Authentication is performed by an external Remote Authentication Dial-In User Service
  (Radius) server. The Radius server must be accessible to the switch.
A single Security Policy can accept more than one method (of each), thus providing wider support for MUs that
expect different security methods. However, the Security Policy is only as strong as its weakest method.
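The rules in this section can be checked before a policy is pushed to the switch. The following Python auditor is an added example, not part of the Symbol manual or the switch software. It applies the Kerberos restriction above together with the pre-shared key length rule and the wep40/kerberos note given under set in 8.46.1; the function names, finding codes and the weakest-to-strongest ordering of encryption types are assumptions made for this example.

```python
"""Audit a WS5000 Security Policy against the rules stated in this chapter."""
import string

# Encryption types accepted by `set encryption`, ordered weakest to strongest.
# ASSUMPTION: the ordering follows general 802.11 practice; the manual gives no ranking.
ENCRYPTION_RANK = ["open", "wep40", "wep128", "keyguard", "tkip", "ccmp"]
AUTH_TYPES = {"preshared", "kerberos", "eap"}
# Manual: "Kerberos only supports KeyGuard and WEP encryption."
KERBEROS_ENCRYPTION = {"wep40", "wep128", "keyguard"}


def check_psk(key, fmt="ascii"):
    """Return None if the key meets the documented length rule, else an error string."""
    if fmt == "hex":
        if len(key) != 64 or any(c not in string.hexdigits for c in key):
            return "hex pre-shared key must be exactly 64 hex characters"
        return None
    if fmt == "ascii":
        if not key.isascii() or not 8 <= len(key) <= 63:
            return "ASCII pre-shared key must be 8 to 63 characters"
        return None
    raise ValueError(f"unknown key format: {fmt!r}")


def audit_policy(encryption, authentication, psk=None, psk_format="ascii"):
    """Return the weakest enabled encryption type and a list of (code, message) findings."""
    enc = {e.lower() for e in encryption}
    auth = {a.lower() for a in authentication}
    unknown = (enc - set(ENCRYPTION_RANK)) | (auth - AUTH_TYPES)
    if unknown:
        raise ValueError(f"not a documented type: {sorted(unknown)}")
    if not enc:
        raise ValueError("no encryption type enabled")

    ordered = sorted(enc, key=ENCRYPTION_RANK.index)
    weakest = ordered[0]
    findings = []

    if "open" in enc:
        findings.append(("OPEN_ENABLED",
                         "unencrypted MUs can associate unless the adoption list excludes them"))
    if len(ordered) > 1:
        # A policy that accepts several methods is only as strong as the weakest one.
        findings.append(("MIXED_STRENGTH",
                         f"policy accepts {', '.join(ordered)}; effective strength is {weakest}"))
    if "kerberos" in auth:
        if not enc & KERBEROS_ENCRYPTION:
            findings.append(("KERBEROS_ENCRYPTION",
                             "kerberos is enabled without KeyGuard or WEP encryption"))
        if "wep40" in enc:
            findings.append(("KERBEROS_WEP40",
                             "the switch does not work with wep40 plus kerberos"))
    if "preshared" in auth and psk is not None:
        error = check_psk(psk, psk_format)
        if error:
            findings.append(("PSK_INVALID", error))
    return {"weakest": weakest, "findings": findings}


if __name__ == "__main__":
    # Constructed sample policies, not taken from a real switch.
    samples = {
        "ccmp + eap": dict(encryption=["ccmp"], authentication=["eap"]),
        "open + ccmp, psk": dict(encryption=["open", "ccmp"], authentication=["preshared"],
                                 psk="a" * 64, psk_format="hex"),
        "wep40 + tkip, kerberos + psk": dict(encryption=["wep40", "tkip"],
                                             authentication=["kerberos", "preshared"],
                                             psk="short"),
    }
    for name, kwargs in samples.items():
        result = audit_policy(**kwargs)
        print(f"{name}: weakest={result['weakest']}")
        for code, message in result["findings"]:
            print(f"  {code}: {message}")
```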
Table 8.51 summarizes the commands within this context. Common commands between multiple contexts are
described in further detail in the Common Commands section.
Table 8.51 Security Policy Instance Context Command Summary
Command        Description                                                               Ref.
.. or end      Terminates the current session and moves up one context, hierarchically.  page 8-7
exit           Terminates the current session and returns to the “root” prompt.          page 8-7
? or help      Get the command information.                                              page 8-7
logout or bye  Close this session.                                                       page 8-8
clear          Clear the screen.                                                         page 8-8
emergencymode  Enable or disable Emergency mode.                                         page 8-8
set            Sets an attribute of the Security policy instance.                        page 8-247
show           Display the attributes of this Security policy instance.                  page 8-251
8.46.1 set
Security Policy Instance
Sets an attribute of the Security policy instance. The tables, below, divide the settings into topical groups.
Syntax
set <attribute> <value(s)>
Parameters
General Settings
description
  Adds a description string to the Security policy instance.
  Syntax: set description <text_string>
name
  Sets the name of the Security policy instance.
  Syntax: set name <name_string>
Encryption and Authentication Settings
encryption
  Enables or disables a data encryption type. Possible values:
  • open
  • wep40
  • wep128
  • keyguard
  • tkip
  • ccmp
  Syntax: set encryption <type> <enable>
authentication
  Enables or disables an authentication type. Possible values are:
  • preshared
  • kerberos
  • eap
  You can enter multiple authentication values in the CLI with a space between each value.
  Syntax: set authentication <type> <enable>
  Note: The WS5000 Series Switch does not work with the combination of wep40 encryption
  and kerberos authentication.
Pre-Shared Key (PSK) Settings
presharedKey
  Sets the PSK key in either ASCII or Hexadecimal format. An ASCII key must be between 8 and 63
  characters long. A hex key must be 64 characters.
  Syntax: set presharedKey <ascii_or_hex_key>
WEP Settings
activeWepKey
  Sets the active WEP key string, identified by key index. Valid key_index values are [0, 3].
  Syntax: set activeWepKey <key_index>
wepKey
  Sets the WEP key string for the given key index. Valid key_index values are [1, 4]. The
  key_string argument must be enclosed in quotation marks.
  Syntax: set wepKey <key_index> <key string>
Kerberos Settings
kerberos
  Sets the active WEP key string, identified by key index. Valid key_index values are [0, 3].
  Syntax: set kerberos <key_index>
wepKey
  Sets the WEP key string for the given key index. Valid key_index values are [1, 4]. The
  key_string argument must be enclosed in quotation marks.
  Syntax: set wepKey <key_index> <key_string>
Example
WS5000.(Cfg).SecurityPolicy.[New WEP Security Policy]> set
config_parameter is a required parameter.
Syntax: set <config_parameter>
Valid commands:
set name
set description
set encryption
set authentication
set wepkey
set activewepkey
set kerberos
set eap
set radius
set groupkeyupdate
set presharedkey
set preauthentication
set opppmkcaching
Incomplete command... use '?' for help.... exiting...
WS5000.(Cfg).SecurityPolicy.[New WEP Security Policy]> set encryption
Enter encryption_type.
Syntax: set encryption <encryption_type> <enable/disable> [CR]
Valid commands:
set encryption open
set encryption wep40
set encryption wep128
set encryption keyguard
set encryption tkip
set encryption ccmp
Incomplete command... use '?' for help.... exiting...
WS5000.(Cfg).SecurityPolicy.[New WEP Security Policy]> set authentication
Enter authentication_type.
Syntax: set authentication <authentication_type> <enable/disable> [CR]
Valid commands:
set authentication preshared
set authentication kerberos
set authentication eap
Incomplete command... use '?' for help.... exiting...
WS5000.(Cfg).SecurityPolicy.[New WEP Security Policy]> set webkey
Invalid config_parameter.
Syntax: set <config_parameter>
Valid commands:
set name
set description
set encryption
set authentication
set wepkey
set activewepkey
set kerberos
set eap
set radius
set groupkeyupdate
set presharedkey
set preauthentication
set opppmkcaching
ERROR: Command 'set' cancelled due to invalid or unrecognized parameter.
WS5000.(Cfg).SecurityPolicy.[New WEP Security Policy]> set wepkey
Enter the WEP Key number or keyword 'string' to generate the Keys.
Enter 'default' to set the WEP Keys to default values.
Syntax: set wepkey <wep_key_no:1-4> <wepkey> [CR]
set wepkey string <genkey_string> [CR]
set wepkey default [CR]
Incomplete command... use '?' for help.... exiting...
WS5000.(Cfg).SecurityPolicy.[New WEP Security Policy]>
===
WS5000.(Cfg).SecurityPolicy.[New WEP Security Policy]> set activewepkey
Enter the WEP Key number.
Syntax: set activewepkey <wep_key_no:1-4> [CR]
Incomplete command... use '?' for help.... exiting...
WS5000.(Cfg).SecurityPolicy.[New WEP Security Policy]> set kerberos
Enter the Kerberos option
Syntax: set kerberos <option> [1-3]/[realm] [value]
Valid commands:
set kerberos enable
set kerberos disable
set kerberos realm
set kerberos port
set kerberos server
Incomplete command... use '?' for help.... exiting...
WS5000.(Cfg).SecurityPolicy.[New WEP Security Policy]> set kerberos realm
Enter the realm.
Syntax: set kerberos realm <realm> [CR]
Incomplete command... use '?' for help.... exiting...
WS5000.(Cfg).SecurityPolicy.[New WEP Security Policy]> set kerberos port
Enter the index.
Syntax: set kerberos port <1-3> <value> [CR]
Incomplete command... use '?' for help.... exiting...
WS5000.(Cfg).SecurityPolicy.[New WEP Security Policy]> set kerberos server
Enter the index.
Syntax: set kerberos server <1-3> <value> [CR]
Incomplete command... use '?' for help.... exiting...
WS5000.(Cfg).SecurityPolicy.[New WEP Security Policy]>
WS5000.(Cfg).SecurityPolicy.[New WEP Security Policy]> set eap
Enter the EAP option.
Syntax: set eap <option> [enable/disable]/[time]/[count]
Valid commands:
set eap enable
set eap disable
set eap quietperiod
set eap txperiod
set eap reauthentication
set eap suplicanttimeout
set eap maxrequestretries
Incomplete command... use '?' for help.... exiting...
WS5000.(Cfg).SecurityPolicy.[New WEP Security Policy]> set eap quietperiod
Enter the value for EAP quietperiod.
Syntax: set eap quietperiod <period: 1-99> [CR]
Incomplete command... use '?' for help.... exiting...
WS5000.(Cfg).SecurityPolicy.[New WEP Security Policy]> set eap txperiod
Enter the value for EAP txperiod.
Syntax: set eap txperiod <period: 1-99> [CR]
Incomplete command... use '?' for help.... exiting...
WS5000.(Cfg).SecurityPolicy.[New WEP Security Policy]> set eap reauthentication
Enter EAP Re-authentication option
Syntax: set eap reauthentication <option> [time/count]
Valid commands:
set eap reauthentication enable
set eap reauthentication disable
set eap reauthentication period
set eap reauthentication maxretries
Incomplete command... use '?' for help.... exiting...
WS5000.(Cfg).SecurityPolicy.[New WEP Security Policy]> set eap reauthentication period
Enter the value for EAP Re-authentication period
Syntax: set eap reauthentication period <time: 30-65535> [CR]
Incomplete command... use '?' for help.... exiting...
WS5000.(Cfg).SecurityPolicy.[New WEP Security Policy]> set eap reauthentication maxretries
Enter the value for EAP Re-authentication maxretries
Syntax: set eap reauthentication maxretries <count: 1-99> [CR]
Incomplete command... use '?' for help.... exiting...
WS5000.(Cfg).SecurityPolicy.[New WEP Security Policy]>
WS5000.(Cfg).SecurityPolicy.[New WEP Security Policy]> set eap suplicanttimeout
Enter the value for EAP suplicanttimeout.
Syntax: set eap suplicanttimeout <time: 1-99> [CR]
Incomplete command... use '?' for help.... exiting...
WS5000.(Cfg).SecurityPolicy.[New WEP Security Policy]> set eap maxrequestretries
Enter the value for EAP maxrequestretries.
Syntax: set eap maxrequestretries <count: 1-10> [CR]
Incomplete command... use '?' for help.... exiting...
WS5000.(Cfg).SecurityPolicy.[New WEP Security Policy]>
WS5000.(Cfg).SecurityPolicy.[New WEP Security Policy]> set radius
Enter the Radius option.
Syntax: set radius <option> <host_name>/<1-2> <value> [CR]
Valid commands:
set radius hostname
set radius port
set radius server
set radius secret
Incomplete command... use '?' for help.... exiting...
WS5000.(Cfg).SecurityPolicy.[New WEP Security Policy]>
WS5000.(Cfg).SecurityPolicy.[New WEP Security Policy]> set groupkeyupdate
Enter the group key update time
Syntax: set groupkeyupdate <time:30-65535> [CR]
Incomplete command... use '?' for help.... exiting...
WS5000.(Cfg).SecurityPolicy.[New WEP Security Policy]> set presharedkey
Enter the pre-shared key date entry option
Syntax: set presharedkey <ascii/hex> [CR]
Incomplete command... use '?' for help.... exiting...
WS5000.(Cfg).SecurityPolicy.[New WEP Security Policy]> set preauthentication
Enter 'enable' or disable'
Syntax: set preauthentication <enable/disable> [CR]
Incomplete command... use '?' for help.... exiting...
WS5000.(Cfg).SecurityPolicy.[New WEP Security Policy]> set opppmkcaching
Enter 'enable' or disable'
Syntax: set opppmkcaching <enable/disable> [CR]
Incomplete command... use '?' for help.... exiting...
WS5000.(Cfg).SecurityPolicy.[New WEP Security Policy]>
8.46.2 show
Security Policy Instance
Display the attributes of this Security policy instance.
Syntax
show                 Display context specific attributes
show securitypolicy  Display security policy details
Parameters
None.
Example
WS5000.(Cfg).SecurityPolicy.[WEP40 Default]> show
Security Policy details...
Policy name               : WEP40 Default
Description               : 40-bit WEP with default WEP Keys
EAP PreAuthentication     : Disabled
Opportunistic PMK Caching : Disabled
Encryption  Open     WEP            KeyGuard-MCM  TKIP     AES CCMP
----------  ----     ---            ------------  ----     --------
Status:     Disable  Enable(WEP40)  Disable       Disable  Disable
Authentication  Pre-Shared  Kerberos  802.1x,EAP with Radius
--------------  ----------  --------  ----------------------
Status:         Enable      Disable   Disable
Wep Key to use     : 1
Wep Key 1          : **********
Wep Key 2          : **********
Wep Key 3          : **********
Wep Key 4          : **********
VPN Authentication : Disabled
WS5000.(Cfg).SecurityPolicy.[WEP40 Default]>
8.47 Sensor Context
Table 8.52 summarizes the commands within this context. Common commands between multiple contexts are
described in further detail in the Common Commands section.
Table 8.52 Sensor Context Command Summary
Command        Description                                                               Ref.
.. or end      Terminates the current session and moves up one context, hierarchically.  page 8-7
exit           Terminates the current session and returns to the “root” prompt.          page 8-7
? or help      Get the command information.                                              page 8-7
logout or bye  Close this session.                                                       page 8-8
clear          Clear the screen.                                                         page 8-8
convert        Used to convert the AP 300 to a sensor                                    page 8-252
disable        Disables the sensor functionality.                                        page 8-253
emergencymode  Enable or disable Emergency mode.                                         page 8-8
enable         Enable sensor functionality                                               page 8-253
revert         Revert from a sensor to an AP 300                                         page 8-253
sensor         Select a sensor to Configure                                              page 8-254
show           Display context specific attributes                                       page 8-254
8.47.1 convert
Sensor Context
This is used to convert the AP 300 to a sensor.
Syntax
convert <ap300 mac>
Parameters
ap300 mac
MAC address of AP that is to be converted to a sensor.
Example
WS5000.(Cfg).sensor> convert 00:A0:F8:BF:8A:6B
Converting to a sensor ...
Status : Success.
WS5000.(Cfg).sensor>
8.47.2 disable
Sensor Context
Disables the sensor functionality.
Syntax
disable
Parameters
None
Example
WS5000.(Cfg).sensor> disable
Disable Sensor Functionality ...
Status : Success.
WS5000.(Cfg).sensor>
8.47.3 enable
Sensor Context
Enables the sensor functionality
Syntax
enable
Parameters
None
Example
WS5000.(Cfg).sensor> enable
Enabling Sensor Functionality ...
Status : Success.
WS5000.(Cfg).sensor>
8.47.4 revert
Sensor Context
This is used to revert the sensor back to AP.
Syntax
revert <sensor mac>
Parameters
sensor mac
MAC address of sensor that needs to be reverted back as AP.
Example
WS5000.(Cfg).sensor> revert 00:A0:F8:BF:8A:6B
Reverting to a Sensor ...
Status : Success.
WS5000.(Cfg).sensor>
8.47.5 sensor
Sensor Context
This is used to configure a sensor.
Syntax
sensor <sensor/ap300 mac address>
Parameters
sensor
The mac address of the sensor to be configured
ap300 mac address
The mac address of the AP to be configured
Example
WS5000.(Cfg).sensor> sensor 1
Sensor Details
--------------
DHCP               : disable
IP Address         : 0.0.0.0
Netmask            : 0.0.0.0
Gateway IP Address : 0.0.0.0
Primary WIPS IP    : 0.0.0.0
Secondary WIPS IP  : 0.0.0.0
WS5000.(Cfg).sensor.[00:A0:F8:AA:BB:CC]>
8.47.6 show
Sensor Context
This displays the sensor context specific attributes.
Syntax
show [display_parameter]
show         Display context specific attributes
show sensor  Display Sensor's and AP 300's / Sensor details
Parameters
sensor
Display Sensor's details
ap300
Display AP 300's details
Example
WS5000.(Cfg).sensor> show
AP300's
-------
Sensor AP's
-----------
1. 00:A0:F8:AA:BB:CC
WS5000.(Cfg).sensor>
8.48 Sensor Instance
Table 8.53 summarizes the commands within this context. Common commands between multiple contexts are
described in further detail in the Common Commands section.
Table 8.53 Sensor Instance Command Summary
Command        Description                                                               Ref.
.. or end      Terminates the current session and moves up one context, hierarchically.  page 8-7
exit           Terminates the current session and returns to the “root” prompt.          page 8-7
? or help      Get the command information.                                              page 8-7
logout or bye  Close this session.                                                       page 8-8
clear          Clear the screen.                                                         page 8-8
description    Set description text                                                      page 8-256
emergencymode  Enable or disable Emergency mode.                                         page 8-8
set            Configure the Sensor Profile                                              page 8-256
show           Display context specific attributes                                       page 8-257
8.48.1 description
Sensor Instance
This is used to enter a description text for the sensor.
Syntax
description <description_text>
Parameters
description_text
Brief description of the switch policy instance.
8.48.2 set
Sensor Instance
Used to configure sensor parameters.
Syntax
set <config_parameter> <parameter_value>
Parameters
config_parameter  parameter_value
dhcp              Enable or disable DHCP
ip                Set the IP address
mask              Set the subnet mask
gateway           Set the gateway address
primary           Set primary WIPS server's IP address
secondary         Set secondary WIPS server's IP address
Example
WS5000.(Cfg).sensor.[00:A0:F8:AA:BB:CC]> set dhcp enable
Configuring Sensor Parameters...
Status: Success.
Sensor Details
-------------
DHCP              : enable
Primary WIPS IP   : 0.0.0.0
Secondary WIPS IP : 0.0.0.0
WS5000.(Cfg).sensor.[00:A0:F8:AA:BB:CC]>
8.48.3 show
Sensor Instance
This command displays the sensor context attributes.
Syntax
show [display_parameter]
show sensor    Display Sensor Profile details
show           Display context specific attributes
Parameters
sensor
Display Sensor Profile details
ap300
Display AP300’s details
Example
WS5000.(Cfg).sensor.[00:A0:F8:AA:BB:CC]> show
Sensor Details
-------------
DHCP              : enable
Primary WIPS IP   : 0.0.0.0
Secondary WIPS IP : 0.0.0.0
WS5000.(Cfg).sensor.[00:A0:F8:AA:BB:CC]>
8.49 SNMP Context
The Wireless 5000 Series Switch supports Simple Network Management Protocol (SNMP) version 1, SNMP
v2 and SNMP v3. The switch supports SNMPv1 and SNMPv2 traps.
Use the SNMP CLI context to configure the SNMP trap destinations, the SNMP clients and the SNMP
agent status. SNMP access is configured in two sub-contexts:
• SNMP v2 (v2 context)
• SNMP v3 (v3 context)
Note: No special configuration is required for V1 access; it can be done with v2
communities.
The SNMP context provides commands that configure the SNMP system and control the activity of the
SNMP daemon.
Table 8.54 summarizes the commands within this context. Common commands between multiple contexts are
described in further detail in the Common Commands section.
Table 8.54 SNMP Context Command Summary
Command            Description                                                           Ref.
.. or end          Terminates a current session and moves up a context, hierarchically.  page 8-7
exit               Terminates a current session and returns to the “root” prompt.        page 8-7
? or help          Get the command information.                                          page 8-7
logout or bye      Close this session.                                                   page 8-8
clear              Clear the screen.                                                     page 8-8
emergencymode      Enable or disable Emergency mode.                                     page 8-8
enable             Starts the SNMP daemon.                                               page 8-258
disable            Stops the SNMP daemon.                                                page 8-259
remove             Remove an SNMP trap destination.                                      page 8-259
set                Enable/Disable KDC config through SNMP, and Enable/Disable SNMP traps, Configure SNMP trap destinations.  page 8-260
show               Shows details pertaining to the SNMP sub-system.                      page 8-262
v2                 Configure SNMP v2 access parameters                                   page 8-263
v3                 Configure SNMP v3 access parameters                                   page 8-263
8.49.1 enable
SNMP Context
Starts the SNMP daemon.
Syntax
enable
Parameters
None.
Example
WS5000.(Cfg).SNMP> enable
Enabling...
Status : Success.
SNMP details:
-------------
SNMP (deamon) Status : Enabled
SNMP Traps           : Disabled
8.49.2 disable
SNMP Context
Stops the SNMP daemon.
Syntax
disable
Parameters
None.
Example
WS5000.(Cfg).SNMP> disable
Disabling...
Status : Success.
SNMP details:
-------------
SNMP (deamon) Status : Disabled
SNMP Traps           : Disabled
8.49.3 remove
SNMP Context
Removes an SNMP trap destination.
Syntax
remove traphost <client_ip> <community_name>
Parameters
traphost
Remove an SNMP trap-host.
client_ip
IP address of the SNMP trap destination.
community_name
Name of the SNMP community
Example
WS5000.(Cfg).SNMP> remove traphost 123.121.112.112 testing
Removing SNMP trap-host...
Status : Success.
8.49.4 set
SNMP Context
Syntax
set <kdcconfig | snmptrap | traphost>
Parameters
set kdcconfig
Enable/disable KDC configuration through SNMP
set snmptrap
Enable/disable SNMP traps (global flag)
set traphost
Configure SNMP trap destination
8.49.4.1 set kdcconfig
SNMP Context
Allows or disallows the configuration of the on-board Kerberos KDC through SNMP.
Syntax
set kdcconfig <enable_flag>
Parameters
enable_flag
Enable or disable Kerberos KDC configuration, as appropriate. Possible values are:
• enable — can configure KDC through SNMP
• disable — cannot configure KDC through SNMP
Example
WS5000.(Cfg).SNMP> set kdcconfig enable
Setting KDC configuration rights...
Status : Success.
Configuration Access restriction details:
Telnet access (CLI)                   : Disable.
System access via SNMP                : Enable.
KDC configuration over remote console : Enable.
KDC configuration through SNMP        : Enable.
8.49.4.2 set snmptrap
SNMP Context
Enables or disables SNMP traps.
Syntax
set snmptrap <enable/disable>
Parameters
enable_flag
Enable or disable SNMP traps, as appropriate. Possible values are:
• enable — Enables sending of the SNMP traps
• disable — Disables sending of the SNMP traps
Example
WS5000.(Cfg).SNMP> set snmptrap enable
Setting SNMP Trap status....
Status: Success.
SNMP details:
-------------
SNMP (deamon) Status : Enabled
SNMP Traps           : Enabled
WS5000.(Cfg).SNMP> set snmptrap disable
Setting SNMP Trap status....
Status: Success.
SNMP details:
-------------
SNMP (deamon) Status : Enabled
SNMP Traps           : Disabled
8.49.4.3 set traphost
SNMP Context
Configures a destination IP to which the switch will send the SNMP traps.
Syntax
set traphost <ip_address> <community_name> [<port> <version>]
set traphost <ip_address> <community_name> [port]
Parameters
ip_address
SNMP manager host IP address
community_name
SNMP community name for the trap host
port
Port number to which the traps would be sent
version
SNMP trap version (v1 or v2)
Example
To configure the SNMP v1 trap host at 192.168.204.4, with community name as Symbol, and use port 162,
enter:
WS5100.(Cfg).SNMP> set traphost 192.168.204.4 Symbol 162 v1
Note: The WS5000 formats SNMP v1/v2 trap messages so that the variable bindings
in the SNMP TRAP PDU contain a minimum of two bindings:
name = snmpTrapOID, value = OID of the trap being raised
name = OID of ccTargetTrapString, value = Display String
For v2 traps, the variable bindings in the SNMP TRAP PDU also include:
name = OID of sysUpTime, value = current time
8.49.5 show
SNMP Context
Displays the various details of the SNMP in the switch.
Syntax
show configaccess
show snmpclients
show snmpstatus
show traphosts
show v3users
Parameters
configaccess
Displays configured system access restrictions
snmpclients
Displays the configured SNMP clients
snmpstatus
Displays the current SNMP status
traphosts
Displays the configured trap destinations
v3users
Displays the configured SNMP v3 user profile details
Example
WS5000.(Cfg).SNMP> show configaccess
Configuration Access restriction details:
Telnet access (CLI)                   : Disable.
System access via SNMP                : Enable.
KDC configuration over remote console : Enable.
KDC configuration through SNMP        : Enable.
WS5000.(Cfg).SNMP> show snmpclients
   State       Port  IP Address       Community Name
   -----       ----  ----------       --------------
1. Read/Write  161   123.123.123.123  testing
WS5000.(Cfg).SNMP> show snmpstatus
SNMP details:
-------------
SNMP (deamon) Status : Enabled
SNMP Traps           : Enabled
WS5000.(Cfg).SNMP> show traphosts
   CommunityName     Port  Version  IP Address
   ----------------  ----  -------  ----------
1. domain1           162   v1       172.34.35.68
WS5000.(Cfg).SNMP> show v3users
SNMPv3 users information:
   SNMP v3 User   Auth.  Priv.
   -------------------------------
1. snmpv3AllRW    MD5    DES
2. snmpv3AllRO    MD5    DES
8.49.6 v2
SNMP Context
Use v2 to configure SNMP v2 access parameters. You need to enter the v2 Context to set the SNMP v2
parameters.
Syntax
v2
Parameters
None
Example
WS5000.(Cfg).SNMP> v2
   State       Port  IP Address      Community Name
   -----       ----  ----------      --------------
1. Read/Write  161   157.235.208.44  symbol
8.49.7 v3
SNMP Context
Use v3 to configure SNMP v3 access parameters. You need to enter the v3 Context to configure the SNMP v3 parameters.
Syntax
v3
Parameters
None
Example
WS5000.(Cfg).SNMP> v3
SNMPv3 users information:
   SNMP v3 User   Auth.  Priv.
   -------------------------------
1. snmpv3AllRW    MD5    DES
2. snmpv3AllRO    MD5    DES
8.50 v2 Context
SNMP Context
The v2 context provides commands that configure the SNMP v2 access parameters.
Table 8.55 summarizes the commands within this context. Common commands between multiple contexts are
described in further detail in the Common Commands section.
Table 8.55 SNMP v2 Context Command Summary
Command            Description                                                           Ref.
.. or end          Terminates a current session and moves up a context, hierarchically.  page 8-7
exit               Terminates a current session and returns to the “root” prompt.        page 8-7
? or help          Get the command information.                                          page 8-7
logout or bye      Close this session.                                                   page 8-8
clear              Clear the screen.                                                     page 8-8
remove             Remove an SNMP client/community or SNMP trap.                         page 8-264
set                Set SNMP attributes.                                                  page 8-265
show               Display context specific attributes.                                  page 8-265
8.50.1 remove
v2 Context
Use remove to remove an SNMP v2 client.
Syntax
remove <access-perm> <client_ip> <community_name> [port_no]
Parameters
access-perm
The access permission of the SNMP client. Can be one of:
• ro — readonly
• rw — readwrite
client_ip
IP address of the SNMP client.
community_name
Name of the community the client is a member of.
port_no
Optional port number. The default is 161.
Example
WS5000.(Cfg).SNMP.v2> remove rw 172.34.35.68 symbol
Removing SNMP Client...
Status : Success.
8.50.2 set
v2 Context
Sets SNMP attributes
8.50.2.1 set client
v2 Context
Use the set client command to add SNMP clients to which the switch will respond. If no SNMP client is
configured on the switch, the switch responds to get requests from clients whose community is ‘public’,
and to get/set requests from clients whose community is ‘private’.
Syntax
set client <rw/ro> <client_ip> <community_name> [port_no]
Parameters
rw
Client will have read-write access permissions.
ro
Client will have read-only access permissions.
client_ip
IP address of the SNMP client.
community_name
Name of the SNMP community.
port_no
SNMP port (0 - 65535), default is 161
Example
WS5000.(Cfg).SNMP.v2> set client rw 172.34.35.68 symbol
Configuring SNMP client...
Status : Success.
   State       Port  IP Address    Community Name
   -----       ----  ----------    --------------
1. Read/Write  161   172.34.35.68  symbol
8.50.3 show
v2 Context
Shows SNMP details
Syntax
show
show snmpclients
Parameters
snmpclients
Display the SNMP Client/community details
Example
WS5000.(Cfg).SNMP.v2> show
   State       Port  IP Address    Community Name
   -----       ----  ----------    --------------
1. Read/Write  161   172.34.35.68  symbol
WS5000.(Cfg).SNMP.v2> show snmpclients
   State       Port  IP Address    Community Name
   -----       ----  ----------    --------------
1. Read/Write  161   172.34.35.68  symbol
8.51 v3 Context
SNMP Context
The v3 context provides commands that configure the SNMP v3 access parameters.
Table 8.56 summarizes the commands within this context. Common commands between multiple contexts are
described in further detail in the Common Commands section.
Table 8.56 SNMP v3 Context Command Summary
Command            Description                                                           Ref.
.. or end          Terminates a current session and moves up a context, hierarchically.  page 8-7
exit               Terminates a current session and returns to the “root” prompt.        page 8-7
? or help          Get the command information.                                          page 8-7
logout or bye      Close this session.                                                   page 8-8
clear              Clear the screen.                                                     page 8-8
set                Set SNMP attributes                                                   page 8-269
show               Shows SNMP details.                                                   page 8-265
8.51.1 set
v3 Context
Set SNMP attributes
8.51.1.1 set profile
v3 Context
Use set profile to configure an SNMP v3 user profile.
Syntax
set profile <user> <algorithm> <auth_pass> [ priv_pass ]
Parameters
user
User profile name; can be one of: snmpv3AllRW, snmpv3AllRO
algorithm
Algorithm to be used; can be one of: MD5, SHA
auth_pass
Authentication pass-phrase
priv_pass
Privacy pass-phrase, default is same as <auth_pass>
Example
To set the profile of snmpv3AllRO with algorithm as SHA and with pass phrase as test1234, enter:
WS5100.(Cfg).SNMP.v3> set profile snmpv3AllRO SHA test1234
Configuring SNMP client...
Status : Success.
SNMPv3 users information:
   SNMP v3 User   Auth.  Priv.
   -------------------------------
1. snmpv3AllRW    MD5    DES
2. snmpv3AllRO    SHA    DES
8.51.2 show
v3 Context
Displays the SNMP v3 details configured in the switch.
Syntax
show
show v3users
Parameters
v3users
Display the SNMP v3 user profile details
Example
WS5000.(Cfg).SNMP.v3> show
SNMPv3 users information:
   SNMP v3 User   Auth.  Priv.
   -------------------------------
1. snmpv3AllRW    MD5    DES
2. snmpv3AllRO    SHA    DES
WS5000.(Cfg).SNMP.v3> show v3users
SNMPv3 users information:
   SNMP v3 User   Auth.  Priv.
   -------------------------------
1. snmpv3AllRW    MD5    DES
2. snmpv3AllRO    SHA    DES
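The settings described in the SNMP, v2 and v3 contexts above (the ‘public’/‘private’ fallback when no client is configured, read-write v2 clients, KDC configuration through SNMP, and MD5 versus SHA for v3 profiles) can be checked from captured show output. The following Python audit is an added example, not part of this guide or the switch software; the one-field-per-line capture layout, the function names and the finding labels are assumptions.

```python
import re

# Constructed capture of four `show` commands from the SNMP context. The
# one-field-per-line layout is an assumption; adapt the patterns to yours.
SAMPLE = {
    "snmpstatus": (
        "SNMP details:\n"
        "-------------\n"
        "SNMP (deamon) Status : Enabled\n"
        "SNMP Traps           : Enabled\n"
    ),
    "configaccess": (
        "Configuration Access restriction details:\n"
        "Telnet access (CLI)                   : Disable.\n"
        "System access via SNMP                : Enable.\n"
        "KDC configuration over remote console : Enable.\n"
        "KDC configuration through SNMP        : Enable.\n"
    ),
    "snmpclients": (
        "   State       Port  IP Address    Community Name\n"
        "   -----       ----  ----------    --------------\n"
        "1. Read/Write  161   172.34.35.68  symbol\n"
    ),
    "v3users": (
        "SNMPv3 users information:\n"
        "   SNMP v3 User  Auth.  Priv.\n"
        "   ---------------------------\n"
        "1. snmpv3AllRW   MD5    DES\n"
        "2. snmpv3AllRO   SHA    DES\n"
    ),
}

# "<n>. <state> <port> <ipv4> <community>" rows of `show snmpclients`.
CLIENT_ROW = re.compile(
    r"\s*\d+\.\s+(.+?)\s+(\d+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)\s*$")
# "<n>. <user> <auth> <priv>" rows of `show v3users`.
V3USER_ROW = re.compile(r"\s*\d+\.\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def parse_kv(text):
    """Return {label: value} for 'Label : value' lines, lower-cased."""
    fields = {}
    for line in text.splitlines():
        label, sep, value = line.partition(":")
        if sep and value.strip():
            fields[label.strip().lower()] = value.strip().rstrip(".").lower()
    return fields


def parse_rows(text, pattern, names):
    """Return one dict per numbered table row that matches `pattern`."""
    matches = (pattern.match(line) for line in text.splitlines())
    return [dict(zip(names, m.groups())) for m in matches if m]


def parse_clients(text):
    return parse_rows(text, CLIENT_ROW, ("state", "port", "ip", "community"))


def parse_v3users(text):
    return parse_rows(text, V3USER_ROW, ("user", "auth", "priv"))


def audit(snapshot):
    """Return (finding_id, detail) tuples for risky SNMP settings."""
    status = parse_kv(snapshot.get("snmpstatus", ""))
    access = parse_kv(snapshot.get("configaccess", ""))
    clients = parse_clients(snapshot.get("snmpclients", ""))
    users = parse_v3users(snapshot.get("v3users", ""))
    findings = []

    daemon_on = any(k.startswith("snmp (") and k.endswith("status")
                    and v == "enabled" for k, v in status.items())
    # Guide: with no client configured the switch answers get requests for
    # community 'public' and get/set requests for community 'private'.
    if daemon_on and not clients:
        findings.append(("default-communities",
                         "no v2 client set; 'public' (get) and 'private' "
                         "(get/set) are accepted"))
    for c in clients:
        if c["community"].lower() in ("public", "private"):
            findings.append(("well-known-community",
                             f"{c['ip']} uses '{c['community']}'"))
        if c["state"].lower() == "read/write":
            # SNMP v1/v2c carry the community string unencrypted.
            findings.append(("v2-read-write",
                             f"{c['ip']} can set values with a cleartext community"))

    has_rw = any(c["state"].lower() == "read/write" for c in clients)
    if has_rw and access.get("kdc configuration through snmp") == "enable":
        findings.append(("kdc-snmp-with-v2-rw",
                         "KDC configuration through SNMP is enabled and a "
                         "read/write v2 client exists"))
    if access.get("telnet access (cli)") == "enable":
        findings.append(("telnet-enabled", "CLI is reachable over Telnet"))
    for u in users:
        if u["auth"].upper() == "MD5":
            findings.append(("v3-md5-auth",
                             f"{u['user']} uses MD5; set profile also accepts SHA"))
    return findings


if __name__ == "__main__":
    for finding_id, detail in audit(SAMPLE):
        print(f"{finding_id:22} {detail}")
```
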
8.52 SSH (Secure Shell) Context
The SSH context lets you configure the WS5000’s Secure Shell daemon.
Note: Do not change the SSH port number, because this can create conflicts with
other applications running in the WS5000 Series Switch.
Table 8.57 summarizes the commands within this context. Common commands between multiple contexts are
described in further detail in the Common Commands section.
Table 8.57 SSH Context Command Summary
Command            Description                                                           Ref.
.. or end          Terminates a current session and moves up a context, hierarchically.  page 8-7
exit               Terminates a current session and returns to the “root” prompt.        page 8-7
? or help          Get the command information.                                          page 8-7
logout or bye      Close this session.                                                   page 8-8
clear              Clear the screen.                                                     page 8-8
emergencymode      Enable or disable Emergency mode.                                     page 8-8
set                Configures the SSH daemon.                                            page 8-269
show               Display connection configuration and session information.             page 8-270
8.52.1 set
SSH (Secure Shell) Context
Configures the SSH daemon.
Syntax
set <attribute> <value>
Parameters
attribute  value              Description
ssh        enable | disable   Enables or disables the SSH daemon.
version    V1/V2 | V2         Configures the daemon to accept SSH V1 and SSH V2 client connections (V1/V2), or to only accept SSH V2 (V2). SSH V2 is more secure than SSH V1.
port       22 | 1025 - 65535  Sets the port through which SSH connections are accepted. By default, the SSH port is set to 22.
8.52.2 show
SSH (Secure Shell) Context
Display connection configuration and session information.
Syntax
show <attribute> <value>
Parameters
(none)
Display SSH configuration and session information.
telnet
Display telnet configuration and session information. See 8.58 Telnet Context on page 291.
ssh
Display SSH configuration and session information.
Example
WS5000.(Cfg).SSH> show
WS5000.(Cfg).SSH> show telnet
WS5000.(Cfg).SSH> show ssh
8.53 SSL (Secure Socket Layer) Context
The SSL context defines the protocol (http or https) that a client needs to access the WS5000 Series Switch
applet, or graphical user interface. With SSL enabled, the applet can only be accessed through the (secure)
https protocol; if it’s disabled, the applet can only be accessed through (non-secure) http.
Table 8.58 summarizes the commands within this context. Common commands between multiple contexts are
described in further detail in the Common Commands section.
Table 8.58 SSL Context Command Summary
Command            Description                                                           Ref.
.. or end          Terminates a current session and moves up a context, hierarchically.  page 8-7
exit               Terminates a current session and returns to the “root” prompt.        page 8-7
? or help          Get the command information.                                          page 8-7
logout or bye      Close this session.                                                   page 8-8
clear              Clear the screen.                                                     page 8-8
emergencymode      Enable or disable Emergency mode.                                     page 8-8
enable             Enables SSL client authentication.                                    page 8-271
disable            Disables SSL client authentication.                                   page 8-271
revert certificate Tells the Web server to use the currently installed authentication certificate.  page 8-272
show               Display the Web server’s accessibility setting.                       page 8-272
8.53.1 enable
SSL (Secure Socket Layer) Context
Turns on SSL client authentication. To access the applet, a client must use https. For example:
https://192.0.0.1
Syntax
enable
Parameters
None.
Example
WS5000.(Cfg).SSL> enable
8.53.2 disable
SSL (Secure Socket Layer) Context
Turns off SSL client authentication. To access the applet, a client must use https. For example:
https://192.0.0.1
Syntax
disable
Parameters
None.
Example
WS5000.(Cfg).SSL> disable
8.53.3 revert certificate
SSL (Secure Socket Layer) Context
Tells the Web server to use the currently installed authentication certificate. You use this command after
uploading a new certificate. Until the certificate is reverted, clients will not be able to establish new
connections to the applet. Reverting the certificate causes the Web server to restart.
Syntax
revert certificate
Parameters
None.
Example
WS5000.(Cfg).SSL> revert certificate
8.53.4 show
SSL (Secure Socket Layer) Context
Display the Web server’s accessibility setting.
Syntax
show
show https
Parameters
None.
Example
WS5000.(Cfg).SSL> show
Web based configuration (Applet) access by : https.
8.54 Standby Context
The Standby context lets you configure the failover system (aka “Standby” or “warm Standby”). You need two
switches to implement the failover system: The “Primary” switch handles all network traffic; the Standby
switch takes over if the Primary switch goes down. After the Primary comes back up, it can automatically take
over active duty, or you can configure the switch so that it waits to be re-activated manually.
Except for the declarations of their roles in the failover system, the configurations of the two WS5000s must
be exactly the same. If you modify one of them, you must modify the other in the same way.
The failover system must be disabled (disable) before you can call most of the commands defined in the
Standby context. Moreover, it’s a good idea to disable the failover system before making any significant
changes to the WS5000. Re-configuring the Primary switch while the Standby system is enabled could cause
the switch to fail.
Warning! A WS5000 model switch cannot be configured as a
standby for a WS5100 model switch.
Table 8.59 summarizes the commands within this context. Common commands between multiple contexts are
described in further detail in the Common Commands section.
Table 8.59 Standby Context Command Summary
Command            Description                                                           Ref.
.. or end          Terminates a current session and moves up a context, hierarchically.  page 8-7
exit               Terminates a current session and returns to the “root” prompt.        page 8-7
? or help          Get the command information.                                          page 8-7
logout or bye      Close this session.                                                   page 8-8
clear              Clear the screen.                                                     page 8-8
emergencymode      Enable or disable Emergency mode.                                     page 8-8
enable             Adds the switch to the Standby system.                                page 8-274
disable            Removes the switch from the Standby system.                           page 8-274
set autorevert     Enables or disables the automatic reversion feature.                  page 8-274
set arDelay        Enables or disables the (sending of the) heartbeat on a particular NIC.  page 8-275
set heartbeat      Sets the heartbeat for the Standby switch.                            page 8-275
set mac            Sets the Ethernet port on the other WS5000 to which this WS5000 sends its heartbeat (per NIC).  page 8-275
set mode           Set the mode that the switch should be running in (that is primary, standby, etc.).  page 8-276
show               Display available Standby context details.                            page 8-276
8.54.1 enable
Standby Context
Adds the switch to the Standby system.
Syntax
enable
Parameters
None.
Example
WS5000.(Cfg).standby> enable
8.54.2 disable
Standby Context
Removes the switch from the Standby system.
Syntax
disable
Parameters
None.
Example
WS5000.(Cfg).standby> disable
8.54.3 set autorevert
Standby Context
Enables or disables the automatic reversion feature. When auto-revert is enabled, a Standby switch that has
become active due to a failover automatically reverts to its monitoring role after the Primary switch comes back
up. If you disable auto-revert, you can manually revert the Standby switch through the revert option of the set
mode command.
Note: Be sure to call the disable command before calling this command.
“Auto-revert delay.” If auto-revert is enabled, this is the amount of time to wait, in minutes, before the Primary
switch becomes active after it has come back up.
Syntax
set autorevert <enable_flag>
Parameters
enable_flag
Enable or disable auto-revert, as applicable.
Example
WS5000.(Cfg).standby> set autorevert enable
8.54.4 set arDelay
Standby Context
Enables or disables the (sending of the) heartbeat on a particular NIC by setting an auto-revert delay, in
minutes.
Note: You must call disable before calling this command.
Syntax
set arDelay <delay>
Parameters
delay
The delay time, in minutes. An integer in the range [0, 9999].
Example
WS5000.(Cfg).StandBy> set ardelay 10
8.54.5 set heartbeat
Standby Context
Sets the heartbeat for the Standby switch.
Syntax
set heartbeat <enable_flag> <NIC>
Parameters
enable_flag
Valid values are enable (to enable the heartbeat) or disable (to disable the heartbeat).
NIC
The NIC through which the heartbeat is sent.
Example
WS5000.(Cfg).standby> set heartbeat enable
8.54.6 set mac
Standby Context
Sets the Ethernet port on the other WS5000 to which this WS5000 sends its heartbeat (per NIC). You can set
the port by its MAC address, or you can ask the switch to discover the port automatically.
Note: You must call disable before calling this command.
Syntax
set mac <port> <NIC>
Parameters
port
Either the MAC address of the port, or auto for automatic discovery.
NIC
The local NIC through which the heartbeat is sent. Either 1 or 2.
Example
WS5000.(Cfg).standby> set mac auto 1
8.54.7 set mode
Standby Context
Set the mode that the switch should be running in (that is primary, standby, etc.). The mode command is used
for three things:
• It can set the switch to be the Primary or the Standby.
• It can manually revert the switch to its original role after a failover.
• It can enable and disable the switch’s participation in the standby system.
IMPORTANT! YOU MUST CALL DISABLE BEFORE SETTING THE SWITCH’S
FAILOVER ROLE.
Syntax
set mode <option>
Parameters
option
Description
primary
Sets the switch to be the Primary.
standby
Sets the switch to be secondary.
revert
Standby mode: Reverts the switch to its original role.
Primary (active) mode: Switches back to standby mode.
enable
Adds the switch to the standby system. Same as the enable command.
disable
Removes the switch from the standby system. Same as the disable command.
8.54.8 show
Standby Context
Display Standby details for the switch.
Syntax
show
Parameters
None.
Example
WS5000.(Cfg).StandBy> show
Standby Management:
StandBy mode                : Primary
Standby Status              : Disable
State                       : Startup
Failover Reason             :
Standby Connectivity status : Not Connected
Standby AutoRevert Mode     : Disable
Standby AutoRevert Delay    : 15 Minutes
Interface (Ethernet) 1
----------------------
StandBy Heart-Beat MAC : Auto Discovery Enabled
Heart-Beat status      : Enable
Received Heart-Beat    : No
Interface (Ethernet) 2
----------------------
StandBy Heart-Beat MAC : Auto Discovery Enabled
Heart-Beat status      : Disable
Received Heart-Beat    : No
WS5000.(Cfg).StandBy>
8.55 Switch Policy (SPolicy) Context
A Switch Policy acts as a container for all the other policies. Although you can define any number of Switch
Policies, only one of them can be active at a time.
The WS5000 lets you designate an “Emergency Switch Policy” (ESP). The ESP, which you can quickly activate
from any of the WS5000 access venues (CLI, SNMP, and GUI), is meant to serve as a known, safe, and
conservative policy that you use in the case of an emergency, such as a security breach. To designate the ESP,
see set emergencypolicy. To activate the ESP, use the enable option with the emergencymode command within
any context.
In addition to containing all the other policies, the Switch Policy defines an adoption list that defines the types
of Access Ports that can be adopted.
Table 8.60 summarizes the commands within this context. Common commands between multiple contexts are
described in further detail in the Common Commands section.
Table 8.60 Switch Policy Context Command Summary
Command            Description                                                           Ref.
.. or end          Terminates a current session and moves up a context, hierarchically.  page 8-7
exit               Terminates a current session and returns to the “root” prompt.        page 8-7
? or help          Get the command information.                                          page 8-7
logout or bye      Close this session.                                                   page 8-8
clear              Clear the screen.                                                     page 8-8
emergencymode      Enable or disable Emergency mode.                                     page 8-8
add                Add a new Switch Policy to the system.                                page 8-278
policy             Select a Switch Policy to configure.                                  page 8-279
remove             Remove a Switch Policy from the system.                               page 8-280
show               Display available Switch Policy details.                              page 8-280
8.55.1 add
Switch Policy (SPolicy) Context
Creates and adds a new Switch Policy instance.
Syntax
add <name>
Parameters
name
The name of the new Switch policy.
Example
WS5000.(Cfg).SPolicy> add new_policy
Adding Switch Policy...
Status: Success.
Active Switch Policy name: Default Wireless Switch Policy
Available Switch Policies:
1. Default Wireless Switch Policy.
2. EmerPolicy2-10.
3. new_policy.
Switch Policy details
---------------------
Policy Name              : new_policy
Description              :
Country                  : US
Channel for .11a         : Auto (once)
Channel for .11b         : Auto (once)
Channel for .11g         : Auto (once)
Power Level for .11a     : 20 dBm
Power Level for .11b     : 20 dBm
Power Level for .11g     : 20 dBm
Active EtherPolicy Name  : Default Ethernet Policy
# of APPolicies attached : 0
Include Adoption List details : List is Empty.
Exclude Adoption List details : List is Empty.
Default Adoption action for .11a : Deny.
Default Adoption action for .11b : Deny.
Default Adoption action for FH   : Deny.
Default Adoption action for .11g : Deny.
Send SNMP trap on adoption deny  : Disabled
Press any key to continue...or (q)uit
8.55.2 policy
Switch Policy (SPolicy) Context
Changes the prompt to the context of the named Switch Policy instance.
Syntax
policy <name>
Parameters
name
The name of the Switch Policy.
Example
WS5000.(Cfg).SPolicy> policy sw1
Active Switch Policy details
----------------------------
Policy Name              : sw1
Description              :
Country                  : US
Channel for .11a         : Auto (once)
Channel for .11b         : Auto (once)
Channel for .11g         : Auto (once)
Power Level for .11a     : 20 dBm
Power Level for .11b     : 20 dBm
Power Level for .11g     : 20 dBm
Active EtherPolicy Name  : eth1
# of APPolicies attached : 1
List of APPolicies attached :
1. appol1.
Include Adoption List details : List is Empty.
Exclude Adoption List details : List is Empty.
Default Adoption action for .11a : Adopt .11a with APPolicy appol1
Default Adoption action for .11b : Adopt .11b with APPolicy appol1
Default Adoption action for FH   : Deny.
Default Adoption action for .11g : Deny.
Send SNMP trap on adoption deny  : Disabled
DS Coexistence                   : Not Applicable for current country setting.
WS5000.(Cfg).SPolicy.[sw1]>
8.55.3 remove
Switch Policy (SPolicy) Context
Removes the named Switch Policy instance.
Syntax
remove <name>
Parameters
name
The name of the Switch Policy to be removed.
Example
WS5000.(Cfg).SPolicy> remove new_policy
Removing Switch Policy...
Status: Success.
Active Switch Policy name: Default Wireless Switch Policy
Available Switch Policies:
1. Default Wireless Switch Policy.
2. EmerPolicy2-10.
WS5000.(Cfg).SPolicy>
8.55.4 show
Switch Policy (SPolicy) Context
Display switch policy details, or details about other entities if specified in the command.
Syntax
show                  Display context specific attributes
show accessports      Display access port details
show acl              Display ACL information
show appolicy         Display Access Port Policy
show channelinfo      Display channel no and country code details
show ethernet         Display Ethernet Port details
show etherpolicy      Display EtherPolicy details
show interfaces       Display interface details
show securitypolicy   Display security policy details
show switchpolicy     Display Switch Policy
show system           Display system information
Parameters
component
Description
none
Display information about this Switch Policy instance.
channelInfo
Display a list of country codes and the channels each country supports.
interfaces
Display a list of Access Port instances and lists the available Ethernet ports.
Example
WS5000.(Cfg).SPolicy> show
Active Switch Policy details
----------------------------
Policy Name              : Default Wireless Switch Policy
Description              : Switch Policy with Default Settings
Country                  : None
Channel for .11a         : Auto (once)
Channel for .11b         : Auto (once)
Channel for .11g         : Auto (once)
Power Level for .11a     : 20 dBm
Power Level for .11b     : 20 dBm
Power Level for .11g     : 20 dBm
Active EtherPolicy Name  : Default Ethernet Policy
# of APPolicies attached : 1
List of APPolicies attached :
1. Default Access Port Policy.
Include Adoption List details : List is Empty.
Exclude Adoption List details : List is Empty.
Default Adoption action for .11a : Adopt .11a with APPolicy Default Access Porty
Default Adoption action for .11b : Adopt .11b with APPolicy Default Access Porty
Default Adoption action for FH   : Adopt FH with APPolicy Default Access Port Py
Default Adoption action for .11g : Adopt .11g with APPolicy Default Access Porty
DS Coexistence                   : Disabled
WS5000.(Cfg).SPolicy>
WS5000.(Cfg).SPolicy> show interfaces
Interface information
Access Ports  Radio MAC          Device MAC         Type  Status
------------  ---------          ----------         ----  ------
a_name        00:09:5B:63:33:81  00:09:5B:63:33:81  B     Unavailable
g_name        00:04:E2:5E:B5:3A  00:04:E2:5E:B5:3A  FH    Unavailable
Available EtherPorts are:
Ethernet 1
Ethernet 2
WS5000.(Cfg).SPolicy>
WS5000.(Cfg).SPolicy> show channelinfo
Generating country/channel tables. Please wait for few seconds...
Country Name  Code  RF Channels (A, B, G and FH)
------------------------------------------
Argentina     AR    B Ch: 1-11 G Ch: 1-11 FH Ch: 2-80
                    A Ch: 149,153,157,161
Australia     AU    B Ch: 1-13 G Ch: 1-13 FH Ch: 2-80
Austria
AT
Bahrain
BH
Belarus
BL
Belgium
BE
Brazil
BR
Bulgaria
BG
Canada
CA
Press any key to continue...or (q)uit
A
B
A
B
A
B
A
B
A
B
A
B
A
B
A
Ch:
Ch:
Ch:
Ch:
Ch:
Ch:
Ch:
Ch:
Ch:
Ch:
Ch:
Ch:
Ch:
Ch:
Ch:
36,40,44,48,52,56,60,64,149,153,11
1-13 G Ch: 1-13 FH Ch: 2-80
36,40,44,48,52,56,60,64,100,104,10
1-13 G Ch: 1-13 FH Ch: 2-80
1-13
G Ch: 1-13
FH Ch: 2-80
1-13 G Ch: 1-13 FH Ch: 2-80
36,40,44,48,52,56,60,64
1-11 G Ch: 1-11 FH Ch: 2-80
149,153,157,161
1-13 G Ch: 1-13 FH Ch: 2-80
1-13 G Ch: 1-13 FH Ch: 2-80
36,40,44,48,52,56,60,64,149,153,11
8.56 Switch Policy Instance
Table 8.61 summarizes the commands within this context. Common commands between multiple contexts are
described in further detail in the Common Commands section.
Table 8.61 Switch Policy Instance Context Command Summary
Command            Description                                                           Ref.
.. or end          Terminates a current session and moves up a context, hierarchically.  page 8-7
exit               Terminates a current session and returns to the “root” prompt.        page 8-7
? or help          Get the command information.                                          page 8-7
logout or bye      Close this session.                                                   page 8-8
clear              Clear the screen.                                                     page 8-8
emergencymode      Enable or disable Emergency mode.                                     page 8-8
description        Set description text.                                                 page 8-283
edit               Edit adoption list entry.                                             page 8-284
name               Set or change the name of the switch policy.                          page 8-284
restrictedchannel  Select a radio type to configure restricted channels.                 page 8-285
set adoptionList   Adds/removes an entry to/from the access port adoption-inclusion and adoption-exclusion lists.  page 8-285
set                Configure various parameters for the switch policy (name, description, country code, channel, power, AP policy, Ethernet policy, DS co-existence).  page 8-286
show               Display available switch policy instance details.                     page 8-287
8.56.1 description
Switch Policy Instance
Set description text.
Syntax
description <description_text>
Parameters
description_text
Brief description of the switch policy instance.
Example
WS5000.(Cfg).SPolicy.[Default Wireless Switch Policy]> description Sample descrn
Adding description...
Status : Success.
Active Switch Policy details
----------------------------
Policy Name              : Default Wireless Switch Policy
Description              : Sample description
Country                  : None
Channel for .11a         : Auto (once)
Channel for .11b         : Auto (once)
Channel for .11g         : Auto (once)
Power Level for .11a     : 20 dBm
Power Level for .11b     : 20 dBm
Power Level for .11g     : 20 dBm
Active EtherPolicy Name  : Default Ethernet Policy
# of APPolicies attached : 1
List of APPolicies attached :
1. Default Access Port Policy.
Include Adoption List details : List is Empty.
Exclude Adoption List details : List is Empty.
Default Adoption action for .11a : Adopt .11a with APPolicy Default Access Porty
Default Adoption action for .11b : Adopt .11b with APPolicy Default Access Porty
Press any key to continue...or (q)uit
8.56.2 edit
Switch Policy Instance
Edit adoption list entry to include or exclude a radio type. Same as “include” and “exclude” options within the
set adoptionList command.
Syntax
edit include <old_radio_type> <start_MAC> [<end_MAC>] <app_name | remove>
edit exclude <old_radio_type> <start_MAC> [<end_MAC>] [remove]
Parameters
old_radio_type
The radio type that this list applies to. Valid values are: A, B, G, or FH (case-insensitive).
For exclude, ALL is also a valid value.
start_MAC, end_MAC
Identifies the access ports that are part of this list entry. If end_MAC is excluded, the
entry consists of the AP identified by start_MAC; otherwise, the entry contains all APs
between start_MAC and end_MAC.
app_name
The access port policy used when an AP is adopted.
remove
Removes the entry from the list. To remove an address range, you need only supply the
starting address.
Example
8.56.3 name
Switch Policy Instance
Set or change the name of the switch policy. Same as when “name” parameter is used with the set command.
Syntax
name <new_name>
Parameters
new_name
New name to set or change the switch policy name to.
Example
WS5000.(Cfg).SPolicy.[Default Wireless Switch Policy]> name newname
Configuring name...
Status : Success.
WS5000.(Cfg).SPolicy.[newname]>
8.56.4 restrictedchannel
Switch Policy Instance
Changes the prompt to the Restricted Channel context, where channels that cannot be chosen by Automatic
Channel Selection for a particular radio type can be specified.
See Restricted Channel Instance on page 8-289 for more details.
Syntax
restrictedchannel <radio_type>
Parameters
radio_type
Type of radio to configure restricted channels for. Valid values are a, b, g, for 802.11a,
802.11b, or 802.11g, respectively.
Example
WS5000.(Cfg).SPolicy.[Default Wireless Switch Policy]> restrictedchannel A
Radio    Restricted Ch.    Description
-----    --------------    -----------
A        153
A        46
WS5000.(Cfg).SPolicy.[Default Wireless Switch Policy].Restricted.[A]>
8.56.5 set adoptionList
Switch Policy Instance
Adds/removes an entry to/from the access port adoption-inclusion and adoption-exclusion lists. APs that are
in the inclusion list are adopted through a specified access port policy. APs in the exclusion list are never
adopted.
This command is also used to set the default action (adopt or not) for APs that are in neither list.
APs are identified by MAC address. Each entry in either list is a single MAC address or a range of MAC
addresses.
The adoption lists are based on radio type. There is a different list for each radio type: 802.11a, 802.11b,
802.11g, and frequency hopping radios. In addition, the switch policy contains a master adoption list that is
applied to all radios.
Syntax
set adoptionList <radio> include <start_MAC> [<end_MAC>] <app_name | remove>
set adoptionList <radio> exclude <start_MAC> [<end_MAC>] [remove]
set adoptionList <radio> default allow <app_name>
set adoptionList <radio> default deny [traps <enable | disable>]
Parameters
radio
The radio type that this list applies to. Valid values are: A, B, G, or FH (case-insensitive).
For exclude, ALL is also a valid value.
start_MAC, end_MAC
Identifies the access ports that are part of this list entry. If end_MAC is excluded, the
entry consists of the AP identified by start_MAC; otherwise, the entry contains all APs
between start_MAC and end_MAC.
app_name
The access port policy used when an AP is adopted.
remove
Removes the entry from the list. To remove an address range, you need only supply the
starting address.
traps <enable | disable>
If the default action is deny, you can ask to have the apAdoptFail SNMP trap sent when
an unknown AP asks to be adopted. Pass enable to ask for the trap, and disable to ask
that the trap not be sent. By default the trap is sent.
Example
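The following model is an added illustration, not output or code from the switch or from this manual. It evaluates the adoption rules described above for one AP at a time and lists the radio types whose default action still adopts unknown APs. It assumes that the exclusion list is checked before the inclusion list, that MAC ranges are inclusive, and that each radio starts with the "allow" default seen in the show output; the MAC addresses and the policy name "Warehouse APP" are constructed.

```python
import re
from dataclasses import dataclass, field
from typing import NamedTuple, Optional

RADIOS = ("A", "B", "G", "FH")
_MAC_RE = re.compile(r"(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}")


def mac_to_int(mac: str) -> int:
    """Convert aa:bb:cc:dd:ee:ff to an integer so ranges can be compared."""
    mac = mac.strip()
    if not _MAC_RE.fullmatch(mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    return int(mac.replace(":", ""), 16)


class Entry(NamedTuple):
    radio: str                 # A, B, G, FH, or ALL (exclude list only)
    start: int
    end: int
    app_name: Optional[str]    # access port policy; None for exclude entries


class Decision(NamedTuple):
    adopted: bool
    app_name: Optional[str]
    reason: str                # exclude | include | default-allow | default-deny
    trap: Optional[bool]       # apAdoptFail; described only for the default-deny case


@dataclass
class SwitchPolicyModel:
    include: list = field(default_factory=list)
    exclude: list = field(default_factory=list)
    # Mirrors the "Default Adoption action" lines of the show output.
    defaults: dict = field(default_factory=lambda: {
        r: ("allow", "Default Access Port Policy") for r in RADIOS})

    def _entry(self, radio, start_mac, end_mac, app_name, allow_all):
        radio = radio.upper()                       # radio type is case-insensitive
        if radio not in RADIOS and not (allow_all and radio == "ALL"):
            raise ValueError(f"invalid radio type: {radio}")
        start = mac_to_int(start_mac)
        end = mac_to_int(end_mac) if end_mac else start
        if end < start:
            raise ValueError("end_MAC is below start_MAC")
        return Entry(radio, start, end, app_name)

    def add_include(self, radio, start_mac, app_name, end_mac=None):
        self.include.append(self._entry(radio, start_mac, end_mac, app_name, False))

    def add_exclude(self, radio, start_mac, end_mac=None):
        self.exclude.append(self._entry(radio, start_mac, end_mac, None, True))

    def set_default(self, radio, action, app_name=None, traps=True):
        radio = radio.upper()
        if radio not in RADIOS or action not in ("allow", "deny"):
            raise ValueError("invalid default action")
        # For deny, the second slot holds the traps flag (sent by default).
        self.defaults[radio] = (action, app_name if action == "allow" else traps)

    def decide(self, radio, mac):
        radio, addr = radio.upper(), mac_to_int(mac)
        if radio not in RADIOS:
            raise ValueError(f"invalid radio type: {radio}")
        for e in self.exclude:                      # assumption: exclusion wins
            if e.radio in (radio, "ALL") and e.start <= addr <= e.end:
                return Decision(False, None, "exclude", None)
        for e in self.include:
            if e.radio == radio and e.start <= addr <= e.end:
                return Decision(True, e.app_name, "include", None)
        action, arg = self.defaults[radio]
        if action == "allow":
            return Decision(True, arg, "default-allow", None)
        return Decision(False, None, "default-deny", bool(arg))

    def open_defaults(self):
        """Radio types where an AP in neither list is still adopted."""
        return [r for r in RADIOS if self.defaults[r][0] == "allow"]


def build_sample():
    # Constructed entries: one include range, one master exclusion, one deny default.
    p = SwitchPolicyModel()
    p.add_include("g", "00:11:22:33:44:00", "Warehouse APP", "00:11:22:33:44:FF")
    p.add_exclude("ALL", "00:11:22:33:44:80")
    p.set_default("G", "deny", traps=True)
    return p


if __name__ == "__main__":
    policy = build_sample()
    for radio, mac in [("G", "00:11:22:33:44:10"), ("G", "00:11:22:33:44:80"),
                       ("G", "00:AA:BB:CC:DD:EE"), ("A", "00:AA:BB:CC:DD:EE")]:
        print(radio, mac, policy.decide(radio, mac))
    print("radios still adopting unknown APs:", policy.open_defaults())
```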
8.56.6 set
Switch Policy Instance
Configures the switch policy. Adds or removes an access port policy to or from the switch policy.
Syntax
set <attribute> <value> [remove]
Parameters
attribute and value                 Description
adoptionList                        See set adoptionList on page 8-285.
apPolicy name [remove]              Adds or removes the named Access Port Policy to/from the Switch Policy’s list
                                    of AP Policies.
channel <integer>                   Sets the default channel. The set of candidate channel numbers depends on
                                    the country code setting.
countryCode <ISO_3166_code>         Sets the country code. The switch won’t adopt Access Ports until the country
                                    is set.
                                    IMPORTANT! IT IS THE RESPONSIBILITY OF THE SWITCH
                                    OWNER TO CORRECTLY SET THE COUNTRY CODE. AN
                                    INCORRECT COUNTRY SETTING CAN CAUSE THE SWITCH TO
                                    USE ILLEGAL BROADCAST SETTINGS.
dsCoexistence <enable_flag>         Frequency hopping/direct sequence (FH/DS) coexistence. With coexistence
                                    enabled, the access port divides the frequency spectrum such that FH devices
                                    use one portion, and DS devices use the other. Possible values are: enable or
                                    disable.
                                    Note: FH/DS co-existence isn't legal in all countries.
                                    The dsCoexistence attribute is always turned off in
                                    these countries.
description <description_text>      Brief descriptive text to identify the switch policy.
etherPolicy <etherpolicy_name>      Sets the switch policy’s active ethernet policy.
name <SwitchPolicyName>             Sets the switch policy’s name.
power <power_setting> <radio_type>  Sets the power, in milliWatts, for the specified 802.11x radio type. Valid
                                    power settings are in the range 4 through 20.
                                    Valid radio types are a, b, g, for 802.11a, 802.11b, or 802.11g respectively.
8.56.7 show
Switch Policy Instance
Display details about the switch policy instance, or other entities if specified in the command.
Syntax
show                       Display context specific attributes
show accessports           Display access port details
show acl                   Display ACL information
show appolicy              Display Access Port Policy
show channelinfo           Display channel no and country code details
show ethernet              Display Ethernet Port details
show etherpolicy           Display EtherPolicy details
show interfaces            Display interface details
show restrictedchannels    Display the restricted channels
show securitypolicy        Display security policy details
show switchpolicy          Display Switch Policy
show system                Display system information
Parameters
None.
Example
WS5000.(Cfg).SPolicy.[Default Wireless Switch Policy]> show
Active Switch Policy details
---------------------------
Policy Name                      : Default Wireless Switch Policy
Description                      : Switch Policy with Default Settings
Country                          : None
Channel for .11a                 : Auto (once)
Channel for .11b                 : Auto (once)
Channel for .11g                 : Auto (once)
Power Level for .11a             : 20 dBm
Power Level for .11b             : 20 dBm
Power Level for .11g             : 20 dBm
Active EtherPolicy Name          : Default Ethernet Policy
# of APPolicies attached         : 1
List of APPolicies attached      :
1. Default Access Port Policy.
Include Adoption List details    : List is Empty.
Exclude Adoption List details    : List is Empty.
Default Adoption action for .11a : Adopt .11a with APPolicy Default Access Porty
Default Adoption action for .11b : Adopt .11b with APPolicy Default Access Porty
Default Adoption action for FH   : Adopt FH with APPolicy Default Access Port Py
Default Adoption action for .11g : Adopt .11g with APPolicy Default Access Porty
DS Coexistence                   : Disabled
WS5000.(Cfg).SPolicy.[Default Wireless Switch Policy]>
WS5000.(Cfg).SPolicy.[Default Wireless Switch Policy]> show interfaces
Interface information
Access Ports    Radio MAC            Device MAC           Type    Status
------------    ---------            ----------           ----    ------
a_name          00:09:5B:63:33:81    00:09:5B:63:33:81    B       Unavailable
g_name          00:04:E2:5E:B5:3A    00:04:E2:5E:B5:3A    FH      Unavailable
Available EtherPorts are:
Ethernet 1
Ethernet 2
WS5000.(Cfg).SPolicy.[Default Wireless Switch Policy]>
WS5000.(Cfg).SPolicy.[Default Wireless Switch Policy]> show channelinfo
Generating country/channel tables. Please wait for few seconds...
Country Name    Code    RF Channels (A, B, G and FH)
------------------------------------------
Argentina       AR      B Ch: 1-11 G Ch: 1-11 FH Ch: 2-80
                        A Ch: 149,153,157,161
Australia       AU      B Ch: 1-13 G Ch: 1-13 FH Ch: 2-80
                        A Ch: 36,40,44,48,52,56,60,64,149,153,11
Austria         AT      B Ch: 1-13 G Ch: 1-13 FH Ch: 2-80
                        A Ch: 36,40,44,48,52,56,60,64,100,104,10
Bahrain         BH      B Ch: 1-13 G Ch: 1-13 FH Ch: 2-80
                        A Ch:
Belarus         BL      B Ch: 1-13 G Ch: 1-13 FH Ch: 2-80
                        A Ch:
Belgium         BE      B Ch: 1-13 G Ch: 1-13 FH Ch: 2-80
                        A Ch: 36,40,44,48,52,56,60,64
Brazil          BR      B Ch: 1-11 G Ch: 1-11 FH Ch: 2-80
                        A Ch: 149,153,157,161
Bulgaria        BG      B Ch: 1-13 G Ch: 1-13 FH Ch: 2-80
                        A Ch:
Canada          CA      B Ch: 1-13 G Ch: 1-13 FH Ch: 2-80
                        A Ch: 36,40,44,48,52,56,60,64,149,153,11
Press any key to continue...or (q)uit
8.57 Restricted Channel Instance
Restricted Channel is a subcontext of a Switch Policy instance.
There are three Restricted Channel instances, one for each of the three 802.11x radio types. You drop into an
instance by invoking the restrictedchannel command from a Switch Policy instance.
Restricted channels are removed from the set of channels that can be chosen during Automatic Channel
Selection (ACS).
Table 8.62 summarizes the commands within this context. Common commands between multiple contexts are
described in further detail in the Common Commands section.
Table 8.62 Classifier Instance Context Command Summary
Command            Description                                                           Ref.
.. or end          Terminate the current session and move up a context, hierarchically.  page 8-7
exit               Terminate the current session and return to the “root” prompt.        page 8-7
? or help          Get the command information.                                          page 8-7
logout or bye      Close this session.                                                   page 8-8
clear              Clear the screen.                                                     page 8-8
emergencymode      Enable or disable Emergency mode.                                     page 8-8
add                Add a channel to the restricted list.                                 page 8-289
remove             Remove a channel from the restricted list.                            page 8-290
show               Display available restricted channel instance details.                page 8-290
8.57.1 add
Restricted Channel Instance
Add a channel to the list of restricted channels. Use show channelinfo to see a list of channels for the radio
type of the instance you are in.
Syntax
add channel [optional_description]
Parameters
channel_num
The channel that you want to restrict. The set of valid channel numbers depends on the
country setting and radio type.
description
Optional description that explains why the channel is restricted.
Example
WS5000.(Cfg).SPolicy.[Name].Restricted.[Radio]> add channel 153
Adding 153 to the restricted list...
Status: Success.
WS5000.(Cfg).SPolicy.[Name].Restricted.[Radio]>
8.57.2 remove
Restricted Channel Instance
Remove a channel from the list of restricted channels, thus making it available for use during Automatic
Channel Selection.
Syntax
remove <channel_num>
Parameters
channel_num
The channel that you want to “unrestrict”. The set of valid channel numbers depends on
the country setting and radio type.
Example
WS5000.(Cfg).SPolicy.[Default Wireless Switch Policy].Restricted.[A]> remove 153
Removing 153 from the restricted list...
Status : Success.
8.57.3 show
Display restricted channel details.
Syntax
show
or
show <attribute>
Parameters
attribute      Description
channelInfo    Display a list of country codes and the channels each country supports. If channelInfo is
               not used, a list of restricted channels is displayed.
Example
WS5000.(Cfg).SPolicy.[Default Wireless Switch Policy].Restricted.[A]> show
Radio    Restricted Ch.    Description
-----    --------------    -----------
A        153
A        46
WS5000.(Cfg).SPolicy.[Default Wireless Switch Policy].Restricted.[A]>
8.58 Telnet Context
You can use telnet to access the CLI and/or to configure the on-board KDC. The Telnet context provides
commands to configure (enable or disable) telnet access.
Table 8.63 summarizes the commands within this context. Common commands between multiple contexts are
described in further detail in the Common Commands section.
Table 8.63 Telnet Context Command Summary
Command            Description                                                           Ref.
.. or end          Terminate the current session and move up a context, hierarchically.  page 8-7
exit               Terminate the current session and return to the “root” prompt.        page 8-7
? or help          Get the command information.                                          page 8-7
logout or bye      Close this session.                                                   page 8-8
clear              Clear the screen.                                                     page 8-8
emergencymode      Enable or disable Emergency mode.                                     page 8-8
enable             Enable the port/telnet service.                                       page 8-291
disable            Disable the port/telnet service.                                      page 8-292
set                Configure telnet services, such as enabling/disabling for             page 8-292
                   configuration to be done via the KDC.
show               Display available classifier instance details.                        page 8-293
8.58.1 enable
Telnet Context
Enable the port/service on the switch to enable Telnet configuration through the CLI.
Syntax
enable
Parameters
None.
Example
WS5000.(Cfg).Telnet> enable
Enabling...
Status : Success.
Telnet Status                 : Active.
Session inactivity timeout    : 0 (Disabled)
WS5000.(Cfg).Telnet>
8.58.2 disable
Telnet Context
Disable the port/service on the switch used for Telnet configuration via the CLI.
Syntax
disable
Parameters
None.
Example
WS5000.(Cfg).Telnet> disable
WARNING: This will disable all remote (CLI) access to the switch.
Do you want to continue (yes/no)? : n
WS5000.(Cfg).Telnet>
8.58.3 set
Telnet Context
WS5000.(Cfg).Telnet> set kdcConfig
Enables or disables on-board KDC configuration through telnet.
Syntax
set <attribute>
Parameters
attribute                  Description
kdcConfig <enable_flag>    Enable or disable whether KDC configuration can be performed via Telnet connections.
                           Possible values are: enable, disable.
Example
WS5000.(Cfg).Telnet> set kdcconfig enable
Setting KDC configuration rights...
Status : Success.
Configuration Access restriction details:
Telnet access (CLI)                      : Enable.
System access via SNMP                   : Enable.
KDC configuration over remote console    : Enable.
KDC configuration through SNMP           : Enable.
WS5000.(Cfg).Telnet> set kdcconfig disable
Setting KDC configuration rights...
Status : Success.
Configuration Access restriction details:
Telnet access (CLI)                      : Enable.
System access via SNMP                   : Enable.
KDC configuration over remote console    : Disable.
KDC configuration through SNMP           : Enable.
WS5000.(Cfg).Telnet>
8.58.4 show
Telnet Context
Display Telnet-related details based on the attribute used with the command.
Syntax
show
or
show <attribute>
Parameters
attribute
Description
(none)
Display statistics about the current telnet session.
configAccess
Display the permissibility of configuring the system and the KDC through telnet and
SNMP.
ssh
Display information about the ssh configuration. See SSH (Secure Shell) Context for
more details.
Example
WS5000.(Cfg).Telnet> show
Telnet Status                 : Active.
Session inactivity timeout    : 0 (Disabled)
WS5000.(Cfg).Telnet> show configaccess
Configuration Access restriction details:
Telnet access (CLI)                      : Enable.
System access via SNMP                   : Enable.
KDC configuration over remote console    : Enable.
KDC configuration through SNMP           : Enable.
WS5000.(Cfg).Telnet> show ssh
SSH configurations details:
--------------------------
SSH Status                    : Disabled
Version                       : V2
Port                          : 22
Session inactivity timeout    : 0 (Disabled)
WS5000.(Cfg).Telnet>
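The script below is an added example, not part of the manual or the switch software. It parses a saved transcript of the show, show configaccess and show ssh output from this context and reports the remote-management settings a reviewer would want to see changed. The finding names are hypothetical labels chosen for this example, and the embedded transcript reproduces the example output of this section.

```python
import re

# A prompt line such as "WS5000.(Cfg).Telnet> show ssh" starts a new section.
PROMPT_RE = re.compile(r"^WS5000\.\S*>\s*(?P<cmd>.*)$")
# A "label : value" line; headings that end in ":" carry no value and are skipped.
FIELD_RE = re.compile(r"^\s*(?P<key>[^:]+?)\s*:\s*(?P<val>\S.*?)\s*$")

# Transcript reproducing the example output printed in this section.
SAMPLE = """\
WS5000.(Cfg).Telnet> show
Telnet Status                 : Active.
Session inactivity timeout    : 0 (Disabled)
WS5000.(Cfg).Telnet> show configaccess
Configuration Access restriction details:
Telnet access (CLI)                      : Enable.
System access via SNMP                   : Enable.
KDC configuration over remote console    : Enable.
KDC configuration through SNMP           : Enable.
WS5000.(Cfg).Telnet> show ssh
SSH configurations details:
--------------------------
SSH Status                    : Disabled
Version                       : V2
Port                          : 22
Session inactivity timeout    : 0 (Disabled)
WS5000.(Cfg).Telnet>
"""


def split_by_command(transcript):
    """Return {command: {label: value}} with labels and values lower-cased."""
    sections, current = {}, None
    for line in transcript.splitlines():
        prompt = PROMPT_RE.match(line.strip())
        if prompt:
            cmd = " ".join(prompt["cmd"].lower().split())
            # An empty prompt ends the current section.
            current = sections.setdefault(cmd, {}) if cmd else None
            continue
        fld = FIELD_RE.match(line)
        if fld and current is not None:
            current[fld["key"].lower()] = fld["val"].rstrip(".").lower()
    return sections


def audit(transcript):
    """List findings for cleartext or unattended remote management."""
    s = split_by_command(transcript)
    telnet = s.get("show", {})
    access = s.get("show configaccess", {})
    ssh = s.get("show ssh", {})
    findings = []
    if access.get("telnet access (cli)") == "enable":
        findings.append("telnet-cli-enabled")        # CLI reachable over Telnet
    if access.get("kdc configuration over remote console") == "enable":
        findings.append("kdc-config-over-telnet")    # set kdcConfig enable
    if ssh.get("ssh status") == "disabled":
        findings.append("ssh-disabled")              # no encrypted alternative
    if (telnet.get("telnet status") == "active"
            and telnet.get("session inactivity timeout", "").startswith("0")):
        findings.append("telnet-no-idle-timeout")    # sessions never expire
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```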
8.59 Tunnel Context
Table 8.64 summarizes the commands within this context. Common commands between multiple contexts are
described in further detail in the Common Commands section.
Table 8.64 Tunnel Context Command Summary
Commands           Brief Description                                                     Ref.
.. or end          Terminate the current session and move up a context, hierarchically.  page 8-7
exit               Terminate the current session and return to the “root” prompt.        page 8-7
? or help          Get the command information.                                          page 8-7
logout or bye      Close this session.                                                   page 8-8
clear              Clear the screen.                                                     page 8-8
emergencymode      Enable or disable Emergency mode.                                     page 8-8
show               Display context specific attributes                                   page 8-294
tunnel             Select a Tunnel to configure                                          page 8-295
8.59.1 show
Tunnel Context
Display Tunnel-related details based on the attribute used with the command.
Syntax
show
or
show tunnels
Parameters
attribute    Description
tunnel       Displays the tunnel details
Example
WS5000.(Cfg).Tunnel> show
Tunnel Details...
Tunnel Name    Remote IP Address
-----------    -----------------
1. tunnel1     1.1.1.1
2. tunnel2     2.2.2.2
3. tunnel3     3.3.3.3
WS5000.(cfg).Tunnel>
8.59.2 tunnel
Tunnel Context
Display Tunnel-related details based on the attribute used with the command.
Syntax
tunnel
or
tunnel <attribute>
Parameters
attribute
Description
Name
Name of the GRE tunnel
Description
Description provided for the GRE tunnel
Mode
GRE
State
Active or inactive
Remote IP Address
IP Address of the Tunnel EndPoint
Time To Live
Time To Live.(1-255)
Keepalive
Keepalive timer of the Tunnel.(0-5)
Example
WS5000.(Cfg).Tunnel> tunnel
Tunnel details...
Name                 : tunnel1
Description          : tunnel one
Mode                 : GRE
State                : active
Remote IP Address    : none
Time To Live         : 255
Keepalive            : 0
WS5000.(Cfg).Tunnel>
8.60 Tunnel Instance
Table 8.65 summarizes the commands within this context. Common commands between multiple contexts are
described in further detail in the Common Commands section.
Table 8.65 Tunnel Instance Command Summary
Commands           Brief Description                                                     Ref.
.. or end          Terminate the current session and move up a context, hierarchically.  page 8-7
exit               Terminate the current session and return to the “root” prompt.        page 8-7
? or help          Get the command information.                                          page 8-7
logout or bye      Close this session.                                                   page 8-8
clear              Clear the screen.                                                     page 8-8
emergencymode      Enable or disable Emergency mode.                                     page 8-8
set                Configure the tunnel setting                                          page 8-296
show               Display context specific attributes                                   page 8-297
8.60.1 set
Tunnel Instance
Sets the value of an attribute of this tunnel instance.
Syntax
set <config_parameter>, <parameter_value>
set remote_ip <new_remote_ip/none>
where
config_parameter    Tunnel parameter to be configured.
parameter_value     Value for the Tunnel parameter.
Parameters
remote_ip
Change IP address of the Tunnel EndPoint
ttl
Change Time To Live. Value ranges from 1-255
keepalive
Change Keepalive timer of the tunnel. Value ranges from 0-5
Example
WS5000.(Cfg).Tunnel.[tunnel1]> set remote_ip 1.1.1.1
Configuring Tunnel Settings...
Status: Success.
Tunnel details...
Name                 : tunnel1
Description          : tunnel one
Mode                 : GRE
State                : active
Remote IP Address    : 1.1.1.1
Time To Live         : 255
Keepalive            : 0
Clear IP DF          : disable
WS5000.(Cfg).Tunnel.[tunnel1]>
8.60.2 show
Tunnel Instance
Display Tunnel-related details based on the attribute used with the command.
Syntax
show
or
show <attribute>
Parameters
tunnel
displays the tunnel details.
Example
WS5000.(Cfg).Tunnel.[tunnel1]> show
Tunnel details...
Name                 : tunnel1
Description          : tunnel one
Mode                 : GRE
State                : active
Remote IP Address    : 1.1.1.1
Time To Live         : 255
Keepalive            : 0
Clear IP DF          : disable
WS5000.(Cfg).Tunnel.[tunnel1]>
8.61 User Context
The user context is where user privileges are specified for particular users of the system. Users are added,
removed, and configured via the User Context. Privileges that a specific user can have are categorized as
follows:
• Policy Administration
• SNMP Administration
• Security Administration
• System Administration
After a user is added, administration privileges are configured via that specific user’s instance command
options, namely the allow command.
Table 8.66 summarizes the commands within this context. Common commands between multiple contexts are
described in further detail in the Common Commands section.
Table 8.66 User Context Command Summary
Command            Description                                                           Ref.
.. or end          Terminate the current session and move up a context, hierarchically.  page 8-7
exit               Terminate the current session and return to the “root” prompt.        page 8-7
? or help          Get the command information.                                          page 8-7
logout or bye      Close this session.                                                   page 8-8
clear              Clear the screen.                                                     page 8-8
emergencymode      Enable or disable Emergency mode.                                     page 8-8
add                Add a new user to the switch.                                         page 8-299
remove             Remove a user from the switch.                                        page 8-299
user               Select a user to configure (and drop into specified user instance).   page 8-300
show               Display available classifier instance details.                        page 8-300
8.61.1 add
User Context
Adds a new user to the switch. You are prompted to provide and then confirm the new user’s password.
Syntax
add <user_name>
Parameters
user_name
The name (login) of the new user. The name can be 6 to 20 characters long.
Example
WS5000.(Cfg).User> add mktgmgr
Enter User Password (6 - 20 characters) : ******
Re-Enter User Password (6 - 20 characters) : ******
Adding user...
Status: Success.
User information
Available Users:
1. admin.
2. efeaheny.
3. mktgmgr.
User information
User Name                  : mktgmgr
Policy Administration      : false
SNMP Administration        : false
Security Administration    : false
System Administration      : false
WS5000.(Cfg).User.[mktgmgr]>
8.61.2 remove
User Context
Removes an existing user from the switch.
Syntax
remove <user_name>
Parameters
user_name
The name of the user to be removed.
Example
WS5000.(Cfg).User> remove mktgmgr
Removing user...
Status: Success.
User information
Available Users:
1. admin.
2. techsupport.
WS5000.(Cfg).User>
8.61.3 user
User Context
Select a user to configure and drop into specified user instance context.
Syntax
user <user_name>
Parameters
user_name
The user name of the user to be configured.
Example
WS5000.(Cfg).User> user admin
User information
User Name                  : admin
Policy Administration      : true
SNMP Administration        : true
Security Administration    : true
System Administration      : true
WS5000.(Cfg).User.[admin]>
8.61.4 show
User Context
Display a summary of all available users within the system, or details about a specific user, if specified.
Syntax
show
or
show <user_name>
Parameters
user_name
User name for which details will be displayed. If no user name is given, a summary of
all available users in the system is displayed.
Example
WS5000.(Cfg).User> show
User information
Available Users:
1. admin.
2. techsupport.
WS5000.(Cfg).User> show admin
User information
User Name                  : admin
Policy Administration      : true
SNMP Administration        : true
Security Administration    : true
System Administration      : true
WS5000.(Cfg).User>
8.62 User Instance
Table 8.67 summarizes the commands within this context. Common commands between multiple contexts are
described in further detail in the Common Commands section.
Table 8.67 User Instance Context Command Summary
Command            Description                                                           Ref.
.. or end          Terminate the current session and move up a context, hierarchically.  page 8-7
exit               Terminate the current session and return to the “root” prompt.        page 8-7
? or help          Get the command information.                                          page 8-7
logout or bye      Close this session.                                                   page 8-8
clear              Clear the screen.                                                     page 8-8
emergencymode      Enable or disable Emergency mode.                                     page 8-8
allow              Grant specific user permissions.                                      page 8-303
deny               Deny specific user permissions.                                       page 8-303
password           Change the user password.                                             page 8-303
show               Display details regarding the user instance.                          page 8-304
8.62.1 allow
User Instance
Sets the list of subsystems that you can configure.
Syntax
allow <subsystem1> [<subsystem2>] [...]
Parameters
subsystemN
The subsystem that you can configure with one or more of the following possible values:
• all
• default
• system
• policy
• security
• SNMP
Example
WS5000.(Cfg).User.[Name]> allow system policy security
8.62.2 deny
User Instance
WS5000.(Cfg).User.[Name]> deny
Sets the list of subsystems that you cannot configure.
Syntax
deny <subsystem1> [<subsystem2>] [...]
Parameters
subsystemN
The subsystem that you cannot configure with one or more of the following possible
values:
• all
• default
• system
• policy
• security
• SNMP
Example
WS5000.(Cfg).User.[Name]> deny SNMP policy security
8.62.3 password
User Instance
Set the user password. You are prompted to provide a new password and then confirm the new password.
Syntax
password
Parameters
None.
Example
WS5000.(Cfg).User.[admin]> password
Creating the Event list...
Enter new password      : ******
Confirm new password    : ******
Changing user password... done.
WS5000.(Cfg).User.[admin]>
8.62.4 show
User Instance
Show the details of the user instance.
Syntax
show
Parameters
None.
Example
WS5000.(Cfg).User.[admin]> show
User information
User Name                  : admin
Policy Administration      : true
SNMP Administration        : true
Security Administration    : true
System Administration      : true
WS5000.(Cfg).User.[admin]>
8.63 WLAN Context
Table 8.68 summarizes the commands within this context. Common commands between multiple contexts are
described in further detail in the Common Commands section.
Table 8.68 WLAN Context Command Summary
Command            Description                                                           Ref.
.. or end          Terminate the current session and move up a context, hierarchically.  page 8-7
exit               Terminate the current session and return to the “root” prompt.        page 8-7
? or help          Get the command information.                                          page 8-7
logout or bye      Close this session.                                                   page 8-8
clear              Clear the screen.                                                     page 8-8
emergencymode      Enable or disable Emergency mode.                                     page 8-8
add                Add a new WLAN to the system.                                         page 8-306
remove             Remove a WLAN from the system.                                        page 8-306
show               Display available WLAN details.                                       page 8-307
wlan               Select a WLAN to configure.                                           page 8-307
8.63.1 add
WLAN Context
Creates and adds a new WLAN instance.
Syntax
add <WLAN_name>
Parameters
WLAN_name
The name to be given to the WLAN (instance).
Example
WS5000.(Cfg).WLAN> add EastCoastWLAN 124
Adding WLAN...
Status: Success.
WLAN Name         ESSID      Security Policy
---------         -----      ---------------
Symbol Default    101        Default
Symbol Default    101        Default
Private Access    private    WEP128 Default
Public Access     public     Default
WLAN_NE           111        Default
EastCoastWLAN     124        Default
WLAN details...
Name                : Symbol Default
ESSID #             : 101
Description         : Default WLAN
Security Policy     : Default
WLAN Auth. Status   : Authenticated
Kerberos auth. name : 101
ACL Attached        : None
Accept any ESSID    : Disable
Secured Beacon      : Disable
Mu Traffic          : MU to MU Allow
Maximum MUs allowed : 4096
Current MUs         : 0
Default Route       : 0.0.0.0
Network Mask        : 0.0.0.0
WME Enabled         : Disabled
WME Profile         : Default MU WME Profile
WS5000.(Cfg).WLAN.[EastCoastWLAN]>
8.63.2 remove
WLAN Context
Removes a WLAN from the system.
Syntax
remove <name>
Parameters
name
The name of the WLAN instance that is to be removed.
Example
WS5000.(Cfg).WLAN> remove <WLAN_name>
8.63.3 show
WLAN Context
Display summary details about all available WLAN instances, or specific details about a WLAN instance if the
instance is called out as a parameter.
Syntax
show
or
show [WLAN_name]
Parameters
WLAN_name
When a WLAN_name is indicated, details about that WLAN instance are shown.
Otherwise, with no parameter, a summary list of all WLAN instances is shown.
Example
WS5000.(Cfg).WLAN> show
WLAN Name         ESSID      Security Policy
---------         -----      ---------------
Symbol Default    101        Default
Secure Access     secure     Kerberos Default
Private Access    private    WEP128 Default
Public Access     public     Default
WS5000.(Cfg).WLAN>
or
WS5000.(Cfg).WLAN> show "Secure Access"
WLAN details...
Name                 : Secure Access
ESSID #              : secure
Description          : Default WLAN
Security Policy      : Kerberos Default
WLAN Auth. Status    : Not-Authenticated
ACL Status           : Disabled
ACL Attached         : None
Accept any ESSID     : Enable
Secured Beacon       : Disable
Broadcast Encryption : Wep128(11a), Wep128(11b/11g), Wep128(FH)
Mu Traffic           : MU to MU Allow
Maximum MUs allowed  : 4096
Current MUs          : 0
Default Route        : 0.0.0.0
Network Mask         : 0.0.0.0
WS5000.(Cfg).WLAN>
8.63.4 wlan
WLAN Context
Syntax
wlan <name>
Parameters
name
The name of the WLAN instance.
Example
WS5000.(Cfg).WLAN> wlan "Secure Access"
WLAN details...
Name                 : Secure Access
ESSID #              : secure
Description          : Default WLAN
Security Policy      : Kerberos Default
WLAN Auth. Status    : Not-Authenticated
ACL Status           : Disabled
ACL Attached         : None
Accept any ESSID     : Enable
Secured Beacon       : Disable
Broadcast Encryption : Wep128(11a), Wep128(11b/11g), Wep128(FH)
Mu Traffic           : MU to MU Allow
Maximum MUs allowed  : 4096
Current MUs          : 0
Default Route        : 0.0.0.0
Network Mask         : 0.0.0.0
WS5000.(Cfg).WLAN.[Secure Access]>
8.64 WLAN Instance
Table 8.69 summarizes the commands within this context. Common commands between multiple contexts are
described in further detail in the Common Commands section.
Table 8.69 WLAN Instance Context Command Summary
Command            Description                                                           Ref.
.. or end          Terminate the current session and move up a context, hierarchically.  page 8-7
exit               Terminate the current session and return to the “root” prompt.        page 8-7
? or help          Get the command information.                                          page 8-7
logout or bye      Close this session.                                                   page 8-8
clear              Clear the screen.                                                     page 8-8
emergencymode      Enable or disable Emergency mode.                                     page 8-8
description        Set description text.                                                 page 8-309
name               Set or change the name of the WLAN instance.                          page 8-310
set                Configure the WLAN instance. Configurable parameters include name,    page 8-310
                   ESSID, description, security, Kerberos name, MU acl, acl, broadcast
                   ESS, secured beacon, MU traffic, maximum MUs, default route.
show               Display details for the WLAN instance.                                page 8-311
8.64.1 description
WLAN Instance
Set description text.
Syntax
description <description_text>
Parameters
description_text
String of text that briefly describes the WLAN instance.
Example
WS5000.(Cfg).WLAN.[Symbol Default]> description “Sample description text”
Adding description...
Status : Success.
WLAN details...
Name                 : Symbol Default
ESSID #              : 101
Description          : Sample description text
Security Policy      : Default
WLAN Auth. Status    : Authenticated
Kerberos auth. name  : 101
ACL Status           : Disabled
ACL Attached         : None
Accept any ESSID     : Disable
Secured Beacon       : Disable
Broadcast Encryption : Open(11a), Open(11b/11g), Open(FH)
Mu Traffic           : MU to MU Allow
Maximum MUs allowed  : 4096
Current MUs          : 0
Default Route        : 0.0.0.0
Network Mask         : 0.0.0.0
WS5000.(Cfg).WLAN.[Symbol Default]>
8.64.2 name
WLAN Instance
Changes the name of the WLAN instance.
Syntax
name <new_name>
Parameters
new_name
The new name of the WLAN instance.
Example
WS5000.(Cfg).WLAN.[Name]> name new_name
8.64.3 set
WLAN Instance
Sets the value of an attribute of this WLAN instance.
Syntax
set <attribute> <value>
Parameters
attribute <value>                    Description
acl <acl_name/none>                  Sets the WLAN’s Access Control List. See Access Control List (ACL) Context
                                     for more details.
securedbeacon <enable_flag>          Enable or disable the secured beacon. Possible values are: enable, disable.
defaultroute <IP_address>            Sets the IP address of the WLAN’s default route.
description <description_text>       Sets the WLAN instance’s informational description.
essID <ESSID>                        Sets the ESSID.
kerberosname <kerberos_auth_name>    Sets the Kerberos authentication name.
maxmus <1 - 4096>                    Sets the maximum number of Mobile Units that may be associated through
                                     this WLAN.
muacl <enable_flag>                  Enable or disable the WLAN’s Access Control List. Possible values are:
                                     enable, disable.
mutraffic <allow_flag>               Specifies what to do with mobile unit traffic passed through the switch.
                                     Possible values are: allow, disallow, drop.
name <new_name>                      Sets the name of the WLAN instance.
security <security_policy_name>      Sets the Security policy that’s applied to this WLAN.
broadcastess <enable_flag>           Enable or disable broadcast ESS. Possible values are: enable, disable.
Example
8.64.4 show
WLAN Instance
Show details about the WLAN instance.
Syntax
show                  Display context specific attributes
show acl              Display ACL information
show securitypolicy   Display security policy details
show wlan             Display WLAN details
Parameters
None.
Example
WS5000.(Cfg).WLAN.[Symbol Default]> show
WLAN details...
Name                  : Symbol Default
ESSID #               : 101
Description           : Sample description text
Security Policy       : Default
WLAN Auth. Status     : Authenticated
Kerberos auth. name   : 101
ACL Status            : Disabled
ACL Attached          : None
Accept any ESSID      : Disable
Secured Beacon        : Disable
Broadcast Encryption  : Open(11a), Open(11b/11g), Open(FH)
Mu Traffic            : MU to MU Allow
Maximum MUs allowed   : 4096
Current MUs           : 0
Default Route         : 0.0.0.0
Network Mask          : 0.0.0.0
WS5000.(Cfg).WLAN.[Symbol Default]>
8.65 WME Context
Table 8.70 summarizes the commands within this context. Common commands between multiple contexts are
described in further detail in the Common Commands section.
Table 8.70 WME Context Command Summary
Command
Description
Ref.
.. or end
Terminate a current session and moves up a context, hierarchically.
page 8-7
exit
Terminate a current session and returns to the “root” prompt.
page 8-7
? or help
Get the command information.
page 8-7
logout or bye
Close this session.
page 8-8
clear
Clear the screen.
page 8-8
emergencymode
Enable or disable Emergency mode.
page 8-8
add
Add a new WME Profile to the system.
page 8-313
remove
Remove a WME from the system.
page 8-314
show
Display available WME details.
page 8-314
wme
Select a WME Profile to configure.
page 8-314
8.65.1 add
WME Context
Creates and adds a new WME Profile to the instance.
Syntax
add <WME_ProfileName>
Parameters
WME_ProfileName
The name to be given to the WME Profile
Example
WS5000.(Cfg).WME> add symbol3
# of params = 1
param #0 = symbol3
Adding WME...
Status: Success.
WME Profile Name
----------------
1. Default MU WME Profile
2. Default AP WME Profile
3. symbol1
4. symbol2
5. symbol3
WME Profile Details
-------------------
Name               : symbol3
Description        :
eCWMin   [VO/AC1]  : 2
eCWMax   [VO/AC1]  : 3
Txop Lim [VO/AC1]  : 102/[b]   47/[a/g]
AIFSN    [VO/AC1]  : 2
eCWMin   [VI/AC2]  : 3
eCWMax   [VI/AC2]  : 4
Txop Lim [VI/AC2]  : 188/[b]   94/[a/g]
AIFSN    [VI/AC2]  : 2
eCWMin   [BE/AC3]  : 4
eCWMax   [BE/AC3]  : 10
Txop Lim [BE/AC3]  : 0/[b]     0/[a/g]
AIFSN    [BE/AC3]  : 3
eCWMin   [BK/AC4]  : 4
eCWMax   [BK/AC4]  : 10
Txop Lim [BK/AC4]  : 0/[b]     0/[a/g]
AIFSN    [BK/AC4]  : 7
QoS Param Info     : 19
WS5000.(Cfg).WME.[symbol3]>
8.65.2 remove
WME Context
Removes a WME from the system
Syntax
remove <wmeProfileName>
Parameters
wmeProfileName
The name of the WME instance that is to be removed.
Example
WS5000.(Cfg).WME> remove symbol2
Removing WME Profile...
Status: Success.
WS5000.(Cfg).WME>
8.65.3 show
WME Context
Display summary details about all available WME profiles.
Syntax
show
or
show wme
Parameters
None.
Example
WS5000.(Cfg).WME> show
WME Profile Name
----------------
1. Default MU WME Profile
2. Default AP WME Profile
3. symbol1
4. symbol3
WS5000.(Cfg).WME>
8.65.4 wme
WME Context
Syntax
wme <wme_profile_name>
Parameters
wme_profile_name
The name of the WME Profile.
Example
WS5000.(Cfg).WME> wme symbol1
WME Profile Details
-------------------
Name               : symbol1
Description        :
eCWMin   [VO/AC1]  : 2
eCWMax   [VO/AC1]  : 3
Txop Lim [VO/AC1]  : 102/[b]   47/[a/g]
AIFSN    [VO/AC1]  : 2
eCWMin   [VI/AC2]  : 3
eCWMax   [VI/AC2]  : 4
Txop Lim [VI/AC2]  : 188/[b]   94/[a/g]
AIFSN    [VI/AC2]  : 2
eCWMin   [BE/AC3]  : 4
eCWMax   [BE/AC3]  : 10
Txop Lim [BE/AC3]  : 0/[b]     0/[a/g]
AIFSN    [BE/AC3]  : 3
eCWMin   [BK/AC4]  : 4
eCWMax   [BK/AC4]  : 10
Txop Lim [BK/AC4]  : 0/[b]     0/[a/g]
AIFSN    [BK/AC4]  : 7
QoS Param Info     : 19
WS5000.(Cfg).WME.[symbol1]>
8.66 WME Instance
Table 8.71 summarizes the commands within this context. Common commands between multiple contexts are
described in further detail in the Common Commands section.
Table 8.71 WME Instance Context Command Summary
Command
Description
.. or end
Terminate a current session and moves up a context, hierarchically.
exit
Terminate a current session and returns to the “root” prompt.
? or help
Get the command information.
logout or bye
Close this session.
clear
Clear the screen.
emergencymode
Enable or disable Emergency mode.
description
Set description text.
name
Set or change the name of the WME Profile.
set
Configure the WME Profile.
Configurable parameters include name, ESSID, description, security, Kerberos
name, MU acl, acl, broadcast ESS, secured beacon, MU traffic, maximum MUs,
default route.
show
Display details for the WME Profile.
8.66.1 description
WME Instance
Set description text to the policy or item in the selected context.
Syntax
description <description_text>
Parameters
description_text
String of text that briefly describes the WME Profile.
Example
WS5000.(Cfg).WME.[symbol1]> description <Sample Text for Symbol1>
Adding description...
Status : Success.
WME Profile Details
-------------------
Name               : symbol1
Description        : <Sample Text for Symbol1>
eCWMin   [VO/AC1]  : 2
eCWMax   [VO/AC1]  : 3
Txop Lim [VO/AC1]  : 102/[b]   47/[a/g]
AIFSN    [VO/AC1]  : 2
eCWMin   [VI/AC2]  : 3
eCWMax   [VI/AC2]  : 4
Txop Lim [VI/AC2]  : 188/[b]   94/[a/g]
AIFSN    [VI/AC2]  : 2
eCWMin   [BE/AC3]  : 4
eCWMax   [BE/AC3]  : 10
Txop Lim [BE/AC3]  : 0/[b]     0/[a/g]
AIFSN    [BE/AC3]  : 3
eCWMin   [BK/AC4]  : 4
eCWMax   [BK/AC4]  : 10
Txop Lim [BK/AC4]  : 0/[b]     0/[a/g]
AIFSN    [BK/AC4]  : 7
QoS Param Info     : 19
WS5000.(Cfg).WME.[symbol1]>
8.66.2 name
WME Instance
Changes the name of the WME Profile.
Syntax
name <name>
Parameters
name
The new name of the WME Profile.
Example
WS5000.(Cfg).WME.[symbol3]> name <symbol3>
Configuring name...
Status : Success.
WS5000.(Cfg).WME.[<symbol3>]>
8.66.3 set
WME Instance
Sets the value of an attribute of this WME Profile.
Syntax
set <ac> <configParam> <value>
Parameters
attribute <value>
Description
ac
Sets the AC to be configured. It can be either of the following:
• ac1 | vo
• ac2 | vi
• ac3 | be
• ac4 | bk
configParam
Sets the WME parameter to be configured.
value
Sets the value for the WME parameter.
8.66.4 show
WME Instance
Show details about the WME Profile.
Syntax
show [display_parameter]
Parameters
display_parameter
Display WME Profile details.
Example
WS5000.(Cfg).WME.[symbol1]> show
WME Profile Details
-------------------
Name               : symbol1
Description        : <Sample Text for Symbol1>
eCWMin   [VO/AC1]  : 2
eCWMax   [VO/AC1]  : 3
Txop Lim [VO/AC1]  : 102/[b]   47/[a/g]
AIFSN    [VO/AC1]  : 2
eCWMin   [VI/AC2]  : 3
eCWMax   [VI/AC2]  : 4
Txop Lim [VI/AC2]  : 188/[b]   94/[a/g]
AIFSN    [VI/AC2]  : 2
eCWMin   [BE/AC3]  : 4
eCWMax   [BE/AC3]  : 10
Txop Lim [BE/AC3]  : 0/[b]     0/[a/g]
AIFSN    [BE/AC3]  : 3
eCWMin   [BK/AC4]  : 4
eCWMax   [BK/AC4]  : 10
Txop Lim [BK/AC4]  : 0/[b]     0/[a/g]
AIFSN    [BK/AC4]  : 7
QoS Param Info     : 19
WS5000.(Cfg).WME.[symbol1]>
8.67 WVPN Context
The commands mentioned under this context are used to configure system WVPN settings. Table 8.72
summarizes the commands within this context. Common commands between multiple contexts are described
in further detail in the Common Commands section.
Table 8.72 WVPN Context Command Summary
Command
Description
Ref.
.. or end
Terminate a current session and moves up a context, hierarchically.
page 8-7
exit
Terminate a current session and returns to the “root” prompt.
page 8-7
? or help
Get the command information.
page 8-7
logout or bye
Close this session.
page 8-8
auth
Configure authentication settings.
page 8-319
cert
Configure certificate settings.
page 8-320
clear
Clear the screen.
page 8-8
ddns
Configure DDNS settings.
page 8-321
directory
Display the uploaded WVPN files from local repository.
page 8-321
disable
Disable the WVPN service.
page 8-322
enable
Enable the WVPN service.
page 8-322
ip_pools
Configure ip pool settings.
page 8-323
rt
See VPN runtime session info.
page 8-323
set
Configure WVPN general attributes.
page 8-324
show
Display context specific attributes.
page 8-324
wtls
Configure system WTLS settings.
page 8-326
8.67.1 auth
WVPN Context
This command is used to configure authentication settings.
Syntax
auth
Parameters
None
Example
WS5000.(Cfg).wvpn> auth
Authentication Management:
Simple authentication:          : Enabled
Simple user name:               :
Simple password:                : ******
Simple domain:                  :
RADIUS authentication:          : Disabled
Primary Host:                   : Unset
Primary Port:                   : 1645
Primary Retry:                  : 2
Primary Timeout:                : 5 ms
Primary User Password:          : Unset
Primary Secret:                 : Unset
Secondary Host:                 : Unset
Secondary Port:                 : 1645
Secondary Retry:                : 2
Secondary Timeout:              : 5 ms
Secondary User Password:        : Unset
Secondary Secret:               : Unset
LDAP authentication:            : Unavailable
Local database authentication:  : Unavailable
WS5000.(Cfg).wvpn.auth>
Authentication is of 2 types: Simple and Radius.
Example: Simple Authentication
WS5000.(Cfg).wvpn.auth> simple
Simple Authentication Settings  : Disable
Simple user name:               :
Simple password:                : ******
Simple domain:                  :
Example: Radius Authentication
WS5000.(Cfg).wvpn.auth> radius
RADIUS authentication status  : Enable
Server     Host Name/IP  Port  Retry  Timeout  Secret  User Password
------     ------------  ----  -----  -------  ------  -------------
Primary    192.168.1.2   1812  3      5 ms     ******  ******
Secondary  Unset         1645  2      5 ms     ******  ******
8.67.2 cert
WVPN Context
This command is used to configure certificate settings. This command changes the context to cert. For details
of the cert context, see cert Instance on page 8-327.
Syntax
cert
Parameters
None
Example
WS5000.(Cfg).wvpn> cert
Certificate Management:
Index Serial Number Issuer          Keylen Valid
------------------------------------------------------------------
1     1434020001    OU=CA ; O=Symbo 1024   5Apr2005 to 6Apr2010
Index Serial Number Issuer          Keylen Valid
------------------------------------------------------------------
1     ServerCert    OU=CA ; O=Symbo 1024   5Apr2005 to 6Apr2010
WS5000.(Cfg).wvpn.cert>
8.67.3 ddns
WVPN Context
This command is used to configure DDNS settings. This command changes the context to ddns. For details of
the ddns context, see ddns Instance on page 8-332.
Syntax
ddns
Parameters
None
Example
WS5000.(Cfg).wvpn> ddns
DDNS Settings:
DNS Enable          : true
Time to Live (ttl)  : 50%
Cleanup Timeout     : 5
Forward Zone        : forward.update.net
Reverse Zones       :
  1. 1.168.192.in-addr.arpa.
DNS Servers         :
  1. 192.168.1.1
WS5000.(Cfg).wvpn.ddns>
8.67.4 directory
WVPN Context
This command is used to display the uploaded WVPN files from the local repository.
Syntax
dir
Parameters
None
Example
WS5000.(Cfg).wvpn> dir
total 1
-rw-r--r--    1 nobody   root          429 Jan 18 13:55 CA_WVPN.cer
WS5000.(Cfg).wvpn>
8.67.5 disable
WVPN Context
This command is used to disable the interface/service in CC.
Syntax
disable
Parameters
None
Example
WS5000.(Cfg).wvpn> disable
Disabling...
Status : Success.
WVPN Management:
WVPN available                      : true
WVPN Status                         : Stopped
WVPN Server Address                 : 10.1.1.101 / 192.192.4.156
WVPN Server Port                    : 9102
WVPN Unused session timeout         : 48h 0m (172800 secs)
WVPN Debug level                    : Debug Info Disabled
WVPN DOS Support                    : no
WVPN DOS Port                       : 9103
WVPN Client keep alive              : 10 seconds
WVPN Maximum VPN Licenses           : 250
WVPN Currently In-Use VPN Licenses  : 0
WVPN License Type                   : Evaluation version,Total eval days 30,Eval days left 30
WS5000.(Cfg).wvpn>
8.67.6 enable
WVPN Context
This command is used to enable the interface/service.
Syntax
enable
Parameters
None
Example
WS5000.(Cfg).wvpn> enable
Enabling...
Status : Success.
WVPN Management:
WVPN available                      : true
WVPN Status                         : Started
WVPN Server Address                 : 10.1.1.101 / 192.192.4.156
WVPN Server Port                    : 9102
WVPN Unused session timeout         : 48h 0m (172800 secs)
WVPN Debug level                    : Debug Info Disabled
WVPN DOS Support                    : no
WVPN DOS Port                       : 9103
WVPN Client keep alive              : 10 seconds
WVPN Maximum VPN Licenses           : 250
WVPN Currently In-Use VPN Licenses  : 0
WVPN License Type                   : Evaluation version,Total eval days 30,Eval days left 30
WS5000.(Cfg).wvpn>
8.67.7 ip_pools
WVPN Context
This command is used to configure IP pools. This command changes the context to ip_pools. For details of the
ip_pools context, see 8.70 ip pools Instance on page 338.
Syntax
ip_pools [pool_name]
Parameters
pool_name
The ip pool that you wish to configure for the WVPN.
Example
WS5000.(Cfg).wvpn> ip
WVPN IP Pools:
DHCP Enabled      : no
Use DHCP Gateway  : no
Available Pools:
1. Default.
WS5000.(Cfg).wvpn.ip_pools>
8.67.8 rt
WVPN Context
This command is used to see VPN runtime session info. This command changes the context to rt. For details
of the rt context, see 8.71 rt Instance on page 344.
Syntax
rt
Parameters
None
Example
WS5000.(Cfg).wvpn> rt
1 VPN sessions
'*' indicates inactive VPN tunnel.
Session  VPN IP           Real IP          MAC Addr           User Class
-------  ---------------  ---------------  -----------------  ---------------
1        192.168.1.100    10.1.1.60        00:a0:f8:65:f5:81
WS5000.(Cfg).wvpn.rt>
8.67.9 set
WVPN Context
This command is used to configure WVPN Management attributes.
Syntax
set <parameter> <value>
Parameters
restart
Restart WVPN.
licensefile
Installs/upgrades WVPN session license file.
debug
Enable WVPN debug support.
sport
Sets IP port number to listen on for client VPN requests.
session_timeout
Unused session timeout (seconds).
dosSupport
Enable DOS support - enables use of Reliable UDP.
dosPort
Reliable UDP port.
clientKeepAlive
Reliable UDP keep alive time (seconds).
Example
WS5000.(Cfg).wvpn> set session_timeout 150
Configuring WVPN ....
Status : Success.
WVPN Management:
WVPN available                      : true
WVPN Status                         : Started
WVPN Server Address                 : 10.1.1.101 / 192.192.4.156
WVPN Server Port                    : 9102
WVPN Unused session timeout         : 0h 2m (150 secs)
WVPN Debug level                    : Debug Info Disabled
WVPN DOS Support                    : no
WVPN DOS Port                       : 9103
WVPN Client keep alive              : 10 seconds
WVPN Maximum VPN Licenses           : 250
WVPN Currently In-Use VPN Licenses  : 0
WVPN License Type                   : Evaluation version,Total eval days 30,Eval days left 30
WS5000.(Cfg).wvpn>
8.67.10 show
WVPN Context
This command displays the details about the WVPN specific attributes like — Auth general settings, installed
certificates, DDNS settings, pool information, VPN session details, VPN runtime summary, WTLS general
settings and WVPN general settings.
Syntax
show
show auth
show certs
show ddns
show ip_pools
show session
show sessions
show wtls
show wvpn
Parameters
auth
Display Auth general settings.
certs
Display installed certificates.
ddns
Display DDNS settings.
ip_pools
Display pool information.
session
Display VPN session details.
sessions
Display VPN runtime summary.
wtls
Display WTLS general settings.
wvpn
Display WVPN general settings.
Example
WS5000.(Cfg).wvpn> show auth
Authentication Management:
Simple authentication:          : Enabled
Simple user name:               :
Simple password:                : ******
Simple domain:                  :
RADIUS authentication:          : Disabled
Primary Host:                   : Unset
Primary Port:                   : 1645
Primary Retry:                  : 2
Primary Timeout:                : 5 ms
Primary User Password:          : Unset
Primary Secret:                 : Unset
Secondary Host:                 : Unset
Secondary Port:                 : 1645
Secondary Retry:                : 2
Secondary Timeout:              : 5 ms
Secondary User Password:        : Unset
Secondary Secret:               : Unset
LDAP authentication:            : Unavailable
Local database authentication:  : Unavailable
WS5000.(Cfg).wvpn>
8.67.11 wtls
WVPN Context
This command is used to configure system WTLS settings. This command changes the context to wtls. For
details of the wtls context, see 8.72 wtls Instance on page 347.
Syntax
wtls
Parameters
None
Example
WS5000.(Cfg).wvpn> wtls
WTLS Settings:
Server number:                : 1
Security mode:                : defaultSecurity
Wanted FIPS mode:             : Unavailable
Cipher:                       : AES128
MAC:                          : SHA_160
Minimum client RSA key size:  : 1024 bits
Maximum client RSA key size:  : 4096 bits
Minimum RSA key size:         : 1024 bits
Maximum RSA key size:         : 4096 bits
Handshake timeout:            : 0h 1m( 90 secs)
Require client certificates:  : false
Key refresh:                  : 256 packets
WS5000.(Cfg).wvpn.wtls>
8.68 cert Instance
WVPN Context
This context is an instance of WVPN context. Table 8.73 summarizes the commands within this context.
Common commands between multiple contexts are described in further detail in the Common Commands
section.
Table 8.73 cert Instance Command Summary
Command
Description
Ref.
.. or end
Terminate a current session and moves up a context, hierarchically.
page 8-7
exit
Terminate a current session and returns to the “root” prompt.
page 8-7
? or help
Get the command information.
page 8-7
logout or bye
Close this session.
page 8-8
clear
Clear the screen.
page 8-8
directory
Display the uploaded WVPN files from local repository.
page 8-327
dump cert
Dump contents of specified certificate file.
page 8-328
import
Import Certificates from local repository.
page 8-328
purge
Deletes a certificate file from the local repository.
page 8-329
remove
Remove installed Certificates.
page 8-329
show
Display installed certificate attributes.
page 8-330
tftpImport
Download & Import Certificates from remote location.
page 8-330
8.68.1 directory
cert Instance
Display the uploaded WVPN files from local repository.
Syntax
directory
Parameters
None
Example
WS5000.(Cfg).wvpn.cert> dir
total 1
-rw-r--r--    1 nobody   root          429 Jan 18 13:55 CA_WVPN.cer
WS5000.(Cfg).wvpn.cert>
8.68.2 dump cert
cert Instance
This is used to view the contents of the certificate.
Syntax
dump cert <value>
Parameters
value
The certificate filename that you want to view.
Example
WS5000.(Cfg).wvpn.cert> dump cert CA_WVPN.cer
Certificate Information:
Serial number: 1434020001
Issuer: OU=CA ; O=Symbol India - WID; C=IN; CN=WS5000; [email protected]; SN
=1434020001
Subject: OU=CA ; O=Symbol India - WID; C=IN; CN=WS5000; [email protected]; S
N=1434020001
Valid From: 20050405183000Z
Valid To: 20100406182959Z
Key length: 1024
WS5000.(Cfg).wvpn.cert>
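An added example (not part of the Symbol manual): a Python check that parses text in the dump cert layout shown above, re-joins the wrapped Issuer/Subject lines, and flags a short key, a validity window that does not cover a given time, and a self-issued certificate. The sample text is constructed from the fields in the example with the e-mail attribute omitted; the function names, the 2048-bit floor and the assumption that the key is RSA are choices of this example.

```python
"""Audit text in the `dump cert` layout shown above (added example)."""
from datetime import datetime, timezone

# Constructed sample modelled on the manual's example; the e-mail attribute is
# omitted, and the Issuer/Subject values wrap across two lines as they do there.
SAMPLE_DUMP = """\
Certificate Information:
Serial number: 1434020001
Issuer: OU=CA ; O=Symbol India - WID; C=IN; CN=WS5000; SN
=1434020001
Subject: OU=CA ; O=Symbol India - WID; C=IN; CN=WS5000; S
N=1434020001
Valid From: 20050405183000Z
Valid To: 20100406182959Z
Key length: 1024
WS5000.(Cfg).wvpn.cert>
"""

FIELDS = ("Serial number", "Issuer", "Subject", "Valid From", "Valid To", "Key length")
WRAPPABLE = ("Issuer", "Subject")   # long DN values that the terminal may wrap
MIN_RSA_BITS = 2048                 # assumption: audit floor chosen for this example


def parse_dump(text):
    """Return {field: value}, re-joining wrapped Issuer/Subject lines."""
    info, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        label, sep, value = line.partition(":")
        if sep and label.strip() in FIELDS:
            current = label.strip()
            info[current] = value.strip()
        elif current in WRAPPABLE and line:
            info[current] += line      # continuation of a wrapped DN
        else:
            current = None             # banner, prompt or blank line
    return info


def parse_time(stamp):
    """Parse the YYYYMMDDHHMMSSZ (UTC) timestamps used in the dump."""
    return datetime.strptime(stamp, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def audit(info, now):
    """Return finding codes for one parsed certificate.

    `now` is a timestamp string in the same format as Valid From / Valid To.
    """
    findings = []
    when = parse_time(now)
    if int(info["Key length"]) < MIN_RSA_BITS:
        findings.append("weak-key")
    if when < parse_time(info["Valid From"]):
        findings.append("not-yet-valid")
    elif when > parse_time(info["Valid To"]):
        findings.append("expired")
    if info["Issuer"] == info["Subject"]:
        # Expected for a root CA certificate, worth noting on a server certificate.
        findings.append("self-issued")
    return findings


if __name__ == "__main__":
    cert = parse_dump(SAMPLE_DUMP)
    current_time = datetime.now(timezone.utc).strftime("%Y%m%d%H%M%SZ")
    print(cert["Serial number"], audit(cert, current_time))
```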
8.68.3 import
cert Instance
This command is used to install certificates.
Syntax
import caCert <caCertFile>
import serverCert <serverPkcs12KeyFile> <passwd> [<serverCertFile>]
Parameters
caCert
Used to install a CA certificate file.
caCertFile
The CA certificate file that you want to import and install.
serverCert
Used to install a server certificate file.
serverPkcs12KeyFile
Pkcs12 format of server certificate file.
passwd
Password to decrypt the Pkcs12 format server certificate file (*.p12 file).
serverCertFile
The server certificate file (*.cer file) that you want to import.
Example
WS5000.(Cfg).wvpn.cert> import ca /image/CA_WVPN.cer
Importing Certificate ....
Status : Success.
Certificate Management:
Index Serial Number Issuer          Keylen Valid
------------------------------------------------------------------
1     1434020001    OU=CA ; O=Symbo 1024   5Apr2005 to 6Apr2010
Index Serial Number Issuer          Keylen Valid
------------------------------------------------------------------
1     ServerCert    OU=CA ; O=Symbo 1024   5Apr2005 to 6Apr2010
WS5000.(Cfg).wvpn.cert>
8.68.4 purge
cert Instance
This command is used to delete a certificate file from the local repository.
Syntax
purge <file_name>
Parameters
file_name
The name of the certificate file that you want to purge or delete.
Example
WS5000.(Cfg).wvpn.cert> purge CA_WVPN.cer
Purging CA_WVPN.cer... done.
WS5000.(Cfg).wvpn.cert>
8.68.5 remove
cert Instance
This command is used to remove installed certificates.
Syntax
remove <cert_type> [<index>]
remove caCert <index>    removes CA Certificate (index required)
remove serverCert        removes Server Certificate (no index used)
Parameters
cert_type
This can be either of the below two:
• caCert— Removes CA certificate. You need to pass index as value.
• serverCert— Removes server certificate. You do not need to pass a value.
index
Pass an index value if the cert_type is caCert.
Example
WS5000.(Cfg).wvpn.cert> remove ca 1
Removing Certificate 1...
Status : Success.
Certificate Management:
Index Serial Number Issuer          Keylen Valid
------------------------------------------------------------------
1     ServerCert    OU=CA ; O=Symbo 1024   5Apr2005 to 6Apr2010
WS5000.(Cfg).wvpn.cert>
8.68.6 show
cert Instance
This command is used to view all the installed certificates information.
Syntax
show certs     to see all installed certificates.
show [index]   to see an installed CA certificate.
show server    to see the installed server certificate.
Parameters
index
Optional, this is used to see an installed CA certificate.
server
This is used to see the installed server certificate.
Example
WS5000.(Cfg).wvpn.cert> show
Certificate Management:
Index Serial Number Issuer          Keylen Valid
------------------------------------------------------------------
1     1434020001    OU=CA ; O=Symbo 1024   5Apr2005 to 6Apr2010
Index Serial Number Issuer          Keylen Valid
------------------------------------------------------------------
1     ServerCert    OU=CA ; O=Symbo 1024   5Apr2005 to 6Apr2010
WS5000.(Cfg).wvpn.cert>
8.68.7 tftpImport
cert Instance
This command is used to download and import certificates from remote location.
Syntax
tftpImport caCert <ipAddr> <caCertFile>
tftpImport serverCert <ipAddr> <serverPkcs12KeyFile> <passwd> [<serverCertFile>]
Parameters
caCert
Used to install a CA certificate file.
ipAddr
IP address of the TFTP server from where the CA certificate needs to be downloaded.
caCertFile
The CA certificate file that you want to import/download.
serverCert
Used to install a server certificate file.
ipAddr
IP address of the TFTP server from where the CA certificate needs to be downloaded.
serverPkcs12KeyFile
Pkcs12 format of server certificate file.
passwd
Password to decrypt the Pkcs12 format server certificate file (*.p12 file).
serverCertFile
The server certificate file that you want to download/import.
Example
WS5000.(Cfg).wvpn.cert> tftpI CA 192.168.1.1 CA_WVPN.cer
Downloading and Importing Certificate CA_WVPN.cer...
Status : Success.
Certificate Management:
Index Serial Number Issuer          Keylen Valid
------------------------------------------------------------------
1     1434020001    OU=CA ; O=Symbo 1024   5Apr2005 to 6Apr2010
Index Serial Number Issuer          Keylen Valid
------------------------------------------------------------------
1     ServerCert    OU=CA ; O=Symbo 1024   5Apr2005 to 6Apr2010
WS5000.(Cfg).wvpn.cert>
8.69 ddns Instance
WVPN Context
This context is an instance of WVPN context and is used to configure the DDNS settings. Table 8.73
summarizes the commands within this context. Common commands between multiple contexts are described
in further detail in the Common Commands
Table 8.74 ddns Instance Command Summary
Command
Description
Ref.
.. or end
Terminate a current session and moves up a context, hierarchically.
page 8-7
exit
Terminate a current session and returns to the “root” prompt.
page 8-7
? or help
Get the command information.
page 8-7
logout or bye
Close this session.
page 8-8
clear
Clear the screen.
page 8-8
add
Add DNS Server attributes.
page 8-332
clearClientDns
Clear client DNS table.
page 8-333
disable
Disable DDNS.
page 8-334
enable
Enable DDNS.
page 8-334
remove
Delete DNS Server attributes.
page 8-335
set
Configure DDNS attributes
page 8-336
show
Display context specific attributes
page 8-336
updateClientDns
Update client DNS table.
page 8-337
8.69.1 add
ddns Instance
This command is used to add DNS Server attributes.
Syntax
add <add_parameter> <value>
Parameters
add_parameter
This can be either of the two:
• dnsServerAddr— This command adds a DNS server IP address to the existing list of
addresses.
• dnsReverseZone— This command adds a DNS reverse zone.
value
Takes IP address of DNS server to be added as the value.
Example
WS5000.(Cfg).wvpn.ddns> add dnsServerAddr 192.168.1.3
Adding dynamicDnsSettings.addDnsAddr....
Status : Success.
DDNS Settings:
DNS Enable          : true
Time to Live (ttl)  : 50%
Cleanup Timeout     : 5
Forward Zone        : forward.update.net
Reverse Zones       :
  1. 1.168.192.in-addr.arpa.
DNS Servers         :
  1. 192.168.1.1
  2. 192.168.1.3
WS5000.(Cfg).wvpn.ddns> add dnsReverseZone 2.168.192.in-addr.arpa
Adding dynamicDnsSettings.addReverseZone....
Status : Success.
DDNS Settings:
DNS Enable          : true
Time to Live (ttl)  : 50%
Cleanup Timeout     : 5
Forward Zone        : forward.update.net
Reverse Zones       :
  1. 1.168.192.in-addr.arpa.
  2. 2.168.192.in-addr.arpa.
DNS Servers         :
  1. 192.168.1.1
  2. 192.168.1.3
WS5000.(Cfg).wvpn.ddns>
8.69.2 clearClientDns
ddns Instance
Use clearClientDns to clear client DNS table at DNS server.
Syntax
clearClientDns
Parameters
None
Example
WS5000.(Cfg).wvpn.ddns> clearClientDns
Sending clear command to DNS serversdynamicDnsSettings.clearClientDns....
Status : Success.
DDNS Settings:
DNS Enable          : true
Time to Live (ttl)  : 50%
Cleanup Timeout     : 5
Forward Zone        : forward.update.net
Reverse Zones       :
  1. 1.168.192.in-addr.arpa.
  2. 2.168.192.in-addr.arpa.
DNS Servers         :
  1. 192.168.1.1
  2. 192.168.1.3
WS5000.(Cfg).wvpn.ddns>
8.69.3 disable
ddns Instance
This command disables the DDNS.
Syntax
disable
Parameters
None
Example
WS5000.(Cfg).wvpn.ddns> disable
Disabling DDNS dynamicDnsSettings.update....
Status : Success.
DDNS Settings:
DNS Enable          : false
Time to Live (ttl)  : 50%
Cleanup Timeout     : 5
Forward Zone        : forward.update.net
Reverse Zones       :
  1. 1.168.192.in-addr.arpa.
  2. 2.168.192.in-addr.arpa.
DNS Servers         :
  1. 192.168.1.1
  2. 192.168.1.3
WS5000.(Cfg).wvpn.ddns>
8.69.4 enable
ddns Instance
Enable DDNS.
Syntax
enable
Parameters
none
Example
WS5000.(Cfg).wvpn.ddns> enable
Disabling DDNS dynamicDnsSettings.update....
Status : Success.
DDNS Settings:
DNS Enable          : true
Time to Live (ttl)  : 50%
Cleanup Timeout     : 5
Forward Zone        : forward.update.net
Reverse Zones       :
  1. 1.168.192.in-addr.arpa.
  2. 2.168.192.in-addr.arpa.
DNS Servers         :
  1. 192.168.1.1
  2. 192.168.1.3
WS5000.(Cfg).wvpn.ddns>
8.69.5 remove
ddns Instance
Use remove to remove DNS specific attributes.
Syntax
remove <rem_parameter> <value>
rem_parameter:
dnsServerAddr    This command removes a DNS Server IP Address from existing list of addresses. Takes IP Address of DNS Server to be removed as the value.
dnsReverseZone   This command removes a DNS reverse zone.
Parameters
rem_parameter
This can be either of the two:
• dnsServerAddr: This command removes the DNS server IP address from the existing
list of addresses.
• dnsReverseZone: This command removes the DNS reverse zone.
value
Takes IP address of DNS server to be removed as the value.
Example
WS5000.(Cfg).wvpn.ddns> remove dnsServerAddr 192.168.1.3
Removing dynamicDnsSettings.deleteDnsAddr....
Status : Success.
DDNS Settings:
DNS Enable          : false
Time to Live (ttl)  : 50%
Cleanup Timeout     : 5
Forward Zone        : forward.update.net
Reverse Zones       :
  1. 1.168.192.in-addr.arpa.
  2. 2.168.192.in-addr.arpa.
DNS Servers         :
  1. 192.168.1.1
WS5000.(Cfg).wvpn.ddns>
8.69.6 set
ddns Instance
This command is used to configure DDNS management attributes.
Syntax
set <cfg_parameter> <value>
Parameters
ttl
Time-To-Live. A long value indicating ttl as a percentage of unused session
timeout (0-100).
forwardZone
Text string containing the forward zone to be updated.
cleanupTimeout
Duration of cleanup timeout (currently locked at 5).
value
A long value indicating ttl as a percentage of unused session timeout (0-100).
Example
WS5000.(Cfg).wvpn.ddns> set ttl 39
Configuring DDNS dynamicDnsSettings.ttl....
Status : Success.
DDNS Settings:
DNS Enable          : false
Time to Live (ttl)  : 39%
Cleanup Timeout     : 5
Forward Zone        : forward.update.net
Reverse Zones       :
  1. 1.168.192.in-addr.arpa.
  2. 2.168.192.in-addr.arpa.
DNS Servers         :
  1. 192.168.1.1
WS5000.(Cfg).wvpn.ddns>
8.69.7 show
ddns Instance
This command is used to view the DDNS setting.
Syntax
show
show ddns
Parameters
ddns
This is used to display the DDNS settings.
Example
WS5000.(Cfg).wvpn.ddns> show ddns
DDNS Settings:
DNS Enable          : true
Time to Live (ttl)  : 39%
Cleanup Timeout     : 5
Forward Zone        : forward.update.net
Reverse Zones       :
  1. 1.168.192.in-addr.arpa.
  2. 2.168.192.in-addr.arpa.
DNS Servers         :
  1. 192.168.1.1
WS5000.(Cfg).wvpn.ddns>
8.69.8 updateClientDns
ddns Instance
This command is used to update client DNS table.
Syntax
updateClientDns
Parameters
None
Example
WS5000.(Cfg).wvpn.ddns> updateClientDns
Sending update command to DNS serversdynamicDnsSettings.updateClientDns....
Status : Success.
DDNS Settings:
DNS Enable          : true
Time to Live (ttl)  : 39%
Cleanup Timeout     : 5
Forward Zone        : forward.update.net
Reverse Zones       :
  1. 1.168.192.in-addr.arpa.
  2. 2.168.192.in-addr.arpa.
DNS Servers         :
  1. 192.168.1.1
WS5000.(Cfg).wvpn.ddns>
8.70 ip pools Instance
WVPN Context
This context is an instance of WVPN context and is used to configure the DDNS settings. Table 8.75
summarizes the commands within this context. Common commands between multiple contexts are described
in further detail in the Common Commands
Table 8.75 ip_pools Instance Command Summary
Command
Description
Ref.
.. or end
Terminate a current session and moves up a context, hierarchically.
page 8-7
exit
Terminate a current session and returns to the “root” prompt.
page 8-7
? or help
Get the command information.
page 8-7
logout or bye
Close this session.
page 8-8
clear
Clear the screen.
page 8-8
add
Add IP Address pools.
page 8-338
disable
Disable DHCP WVPN Service.
page 8-339
enable
Enable DHCP WVPN Service.
page 8-339
ip_pools
Select a Pool to configure.
page 8-340
remove
Remove IP Address pool.
page 8-341
set
Configure WVPN DHCP.
page 8-342
show
Display context specific attributes.
page 8-342
8.70.1 add
ip pools Instance
This command is used to add IP Address pools.
Syntax
add pool <pool_name> <begin IP> <end IP>
Parameters
pool_name
The name of the IP pool that you want to add.
begin IP
The starting/first IP address of the IP pool.
end IP
The last/closing IP address of the IP pool.
Example
WS5000.(Cfg).wvpn.ip_pools> add pool TestPool 192.168.1.10 192.168.1.20
Adding ....
Status : Success.
WVPN IP Pools:
DHCP Enabled      : no
Use DHCP Gateway  : no
Available Pools:
1. Default.
2. TestPool.
WS5000.(Cfg).wvpn.ip_pools>
8.70.2 disable
ip pools Instance
This command disables the DHCP WVPN service.
Syntax
disable
Parameters
None
Example
WS5000.(Cfg).wvpn.ip_pools> disable
Disabling...
Status : Success.
WVPN IP Pools:
DHCP Enabled      : no
Use DHCP Gateway  : no
Available Pools:
1. Default.
2. TestPool.
WS5000.(Cfg).wvpn.ip_pools>
8.70.3 enable
ip pools Instance
This command enables the DHCP WVPN service.
Syntax
enable
Parameters
None
Example
WS5000.(Cfg).wvpn.ip_pools> enable
Enabling...
Status : Success.
WVPN IP Pools:
DHCP Enabled      : yes
Use DHCP Gateway  : yes
Available Pools:
1. Default.
2. TestPool.
WS5000.(Cfg).wvpn.ip_pools>
8.70.4 ip_pools
ip pools Instance
This command is used to select a pool to configure.
Syntax
ip_pools <pool_name_or_number> [CR]
Parameters
pool_name
The name of the IP pool that you want to configure.
Example
WS5000.(Cfg).wvpn.ip_pools> ip_pools TestPool
WVPN IP Pools:
Name                 : TestPool
Netmask              : 255.255.255.0
DHCP Server Address  : 0.0.0.0
Default Gateway      : 0.0.0.0
DNS Address          : 0.0.0.0
WINS Address         : 0.0.0.0
Domain name          :
NETBIOS Node type    : H-node
Reuse Address Time   : 0 seconds
Number of ranges     : 1
IP Ranges:
0) 192.168.1.10-192.168.1.20
WS5000.(Cfg).wvpn.ip_pools.[TestPool]>
To set the DHCP Server Address, Default Gateway, DNS Address, WINS Address and Domain name shown in
the example above, you have to enter the sub-context level of ip_pools. You can enter this sub-context
level by entering either the ip_pool name or the index of the ip_pools. The following are the contents
of the sub-context of ip_pools:
1. To enter the sub-context of ip_pools
WS5000.(Cfg).wvpn.ip_pools> ip_pools 1
WVPN IP Pools:
Name
: TestPool
Netmask
: 255.255.255.0
DHCP Server Address : 0.0.0.0
Default Gateway
: 0.0.0.0
DNS Address
: 0.0.0.0
WINS Address
: 0.0.0.0
Domain name
:
NETBIOS Node type
: H-node
Reuse Address Time : 0 seconds
Number of ranges
: 1
IP Ranges:
0) 198.162.1.10-198.162.1.20
WS5000.(Cfg).wvpn.ip_pools.[1]>
CLI Command Reference
8-341
2. Configure the DHCP Server Addres,Default Gateway,DNS Address,WINS Address and
Domain name mentioned in the above example using the set command
Syntax
set <cfg_parameter> <value>
Parameters
netmask
The IP address of the network mask.
dhcpServer
The IP address of the DHCP server.
dns
The IP address of the DNS server.
defaultGateway
The IP address of the default gateway.
wins
The IP address of the WINS server.
domainName
Domain name for the IP pool.
nodeType
NETBIOS node type.
reuseTime
Idle timeout to reuse addresses when addresses are exhausted.
Example
WS5000.(Cfg).wvpn.ip_pools.[1]> set dhcpServer 192.168.1.2
Configuring pool[1] information....
Status : Success.
WVPN IP Pools:
Name                : TestPool
Netmask             : 255.255.255.0
DHCP Server Address : 192.168.1.2
Default Gateway     : 0.0.0.0
DNS Address         : 0.0.0.0
WINS Address        : 0.0.0.0
Domain name         :
NETBIOS Node type   : H-node
Reuse Address Time  : 0 seconds
Number of ranges    : 1
IP Ranges:
0) 198.162.1.10-198.162.1.20
WS5000.(Cfg).wvpn.ip_pools.[1]>
8.70.5 remove
ip pools Instance
This command is used to delete IP pools.
Syntax
remove pool <pool_name>
Parameters
pool_name
The name of the IP pool that you want to remove.
Example
WS5000.(Cfg).wvpn.ip_pools> remove pool TestPool
Removing pool TestPool....
Status : Success.
WVPN IP Pools:
DHCP Enabled     : no
Use DHCP Gateway : no
Available Pools:
1. Default.
WS5000.(Cfg).wvpn.ip_pools>
8.70.6 set
ip pools Instance
This command is used to configure WVPN DHCP.
Syntax
set useDhcpGateway <yes/no> [CR]
Enable/disable the DHCP Gateway (Relay) function.
Also use "enable/disable" command to enable/disable
DHCP Gateway (Relay) functionality.
Parameters
None
Example
WS5000.(Cfg).wvpn.ip_pools> set useDhcpGateway yes
Configuring WVPN DHCP ....
Status : Success.
WVPN IP Pools:
DHCP Enabled     : yes
Use DHCP Gateway : yes
Available Pools:
1. Default.
WS5000.(Cfg).wvpn.ip_pools>
8.70.7 show
ip pools Instance
This command is used to display the pool information.
Syntax
show ip_pools
Display pool information
Parameters
ip_pools
Displays the pool information.
Example
WS5000.(Cfg).wvpn.ip_pools> show ip_pools
WVPN IP Pools:
DHCP Enabled     : yes
Use DHCP Gateway : yes
Available Pools:
1. Default.
WS5000.(Cfg).wvpn.ip_pools>
8.71 rt Instance
WVPN Context
This context is an instance of WVPN context and is used to view the VPN runtime session information. Table
8.76 summarizes the commands within this context. Common commands between multiple contexts are
described in further detail in the Common Commands
Table 8.76 rt Instance Command Summary
Command         Description                                                           Ref.
.. or end       Terminate a current session and moves up a context, hierarchically.  page 8-7
exit            Terminate a current session and returns to the “root” prompt.        page 8-7
? or help       Get the command information.                                          page 8-7
logout or bye   Close this session.                                                   page 8-8
clear           Clear the screen.                                                     page 8-8
Kill            Kill VPN sessions                                                     page 8-344
Show            Display context specific attributes                                   page 8-345
8.71.1 Kill
rt Instance
This command is used to kill VPN sessions.
Syntax
kill <session_id>
Parameters
Session_id
It can be either one of the below three:
• nn— The VPN session number.
• ipaddr— The VPN session IP address (trusted/untrusted).
• macaddr— The VPN session MAC address.
Example
WS5000.(Cfg).wvpn.rt> kill 1
Session 1:
VPN Assigned IP:   192.168.1.15
Real Client IP:    10.1.1.50
MAC Address:       00:40:96:a8:4e:38
User Class:
Logged in at:      Mon Mar 6 20:09:51 2006
Last roamed at:    Mon Mar 6 20:09:51 2006
Last activity at:  Mon Mar 6 20:22:22 2006
Session ID:        0x21000005
Really KILL this VPN session ? (Yes/No) yes
Killing session 1...
Succeeded - Session 1 was killed
WS5000.(Cfg).wvpn.rt>
8.71.2 Show
rt Instance
This command is used to view the VPN session and VPN runtime details.
Syntax
show [display_parameter]
show            Display context specific attributes
show session    Display VPN session details.
show sessions   Display VPN runtime summary.
Parameters
session
Displays VPN session details. Provide one of the three values while using this parameter:
• n— The session number. (show session n)
• ipaddr— The IP address of the session. (show session ipaddr)
• macaddr— The MAC address of the session. (show session mac)
sessions
Displays VPN runtime summary.
Example
WS5000.(Cfg).wvpn.rt> show
1 VPN sessions
'*' indicates inactive VPN tunnel.
Session  VPN IP           Real IP          MAC Addr           User Class
-------  ---------------  ---------------  -----------------  ---------------
1        192.168.1.15     10.1.1.50        00:40:96:a8:4e:38
WS5000.(Cfg).wvpn.rt>
WS5000.(Cfg).wvpn.rt> show session 1
Session 1:
VPN Assigned IP  : 192.168.1.15
Real Client IP   : 10.1.1.50
MAC Address      : 00:40:96:a8:4e:38
User Class       :
Current Time     : Mon Mar 6 20:24:11 2006
Logged in at     : Mon Mar 6 20:09:51 2006
Last roamed at   : Mon Mar 6 20:09:51 2006
Last activity at : Mon Mar 6 20:22:22 2006
Session ID       : 0x21000005
Tunnel Status    : Active
WS5000.(Cfg).wvpn.rt>
WS5000.(Cfg).wvpn.rt> show sessions
1 VPN sessions
'*' indicates inactive VPN tunnel.
Session  VPN IP           Real IP          MAC Addr           User Class
-------  ---------------  ---------------  -----------------  ---------------
1        192.168.1.15     10.1.1.50        00:40:96:a8:4e:38
WS5000.(Cfg).wvpn.rt>
8.72 wtls Instance
WVPN Context
This context is an instance of WVPN context and is used to configure the DDNS settings. Table 8.75
summarizes the commands within this context. Common commands between multiple contexts are described
in further detail in the Common Commands
Table 8.77 ip_pools Instance Command Summary
Command         Description                                                           Ref.
.. or end       Terminate a current session and moves up a context, hierarchically.  page 8-7
exit            Terminate a current session and returns to the “root” prompt.        page 8-7
? or help       Get the command information.                                          page 8-7
logout or bye   Close this session.                                                   page 8-8
clear           Clear the screen.                                                     page 8-8
set             Configure WTLS attributes                                             page 8-347
show            Display context specific attributes.                                  page 8-348
8.72.1 set
wtls Instance
This command is used to configure the security attributes.
Syntax
set <cfg_parameter> <value>
Parameters
customCipher
Set a custom cipher.
customMac
Set a custom MAC.
handshakeTimeout
Handshake timeout in seconds.
maxClientKey
Maximum length RSA key for client.
minClientKey
Minimum length RSA key for client.
maxRsaKey
Maximum RSA key.
minRsaKey
Minimum RSA key.
requireClientCert
Set whether client certificates are required.
keyRefresh
Key refresh- specified as 2 to the power of N packets.
securityMode
Set security mode.
serverNumber
Set server number.
Example
WS5000.(Cfg).wvpn.wtls> set customCipher AES256
Configuring WTLS....
Status : Success.
WTLS Settings:
Server number:               : 1
Security mode:               : customSecurity
Wanted FIPS mode:            : Unavailable
Cipher:                      : AES256
MAC:                         : SHA_160
Minimum client RSA key size: : 1024 bits
Maximum client RSA key size: : 4096 bits
Minimum RSA key size:        : 1024 bits
Maximum RSA key size:        : 3072 bits
Handshake timeout:           : 0h 1m( 90 secs)
Require client certificates: : false
Key refresh:                 : 256 packets
WS5000.(Cfg).wvpn.wtls>
WS5000.(Cfg).wvpn.wtls> set customMAC MD5_128
Configuring WTLS....
Status : Success.
WTLS Settings:
Server number:               : 1
Security mode:               : customSecurity
Wanted FIPS mode:            : Unavailable
Cipher:                      : AES256
MAC:                         : MD5_128
Minimum client RSA key size: : 1024 bits
Maximum client RSA key size: : 4096 bits
Minimum RSA key size:        : 1024 bits
Maximum RSA key size:        : 3072 bits
Handshake timeout:           : 0h 1m( 90 secs)
Require client certificates: : false
Key refresh:                 : 256 packets
WS5000.(Cfg).wvpn.wtls>
8.72.2 show
wtls Instance
This command is used to view the WTLS general settings.
Syntax
show
show wtls
Parameters
wtls
Displays WTLS general setting.
Example
WS5000.(Cfg).wvpn.wtls> show wtls
WTLS Settings:
Server number:               : 1
Security mode:               : defaultSecurity
Wanted FIPS mode:            : Unavailable
Cipher:                      : AES128
MAC:                         : SHA_160
Minimum client RSA key size: : 1024 bits
Maximum client RSA key size: : 4096 bits
Minimum RSA key size:        : 1024 bits
Maximum RSA key size:        : 3072 bits
Handshake timeout:           : 0h 1m( 90 secs)
Require client certificates: : false
Key refresh:                 : 256 packets
WS5000.(Cfg).wvpn.wtls>
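The following check is an added example, not part of the Symbol manual: it parses show wtls output in the layout documented in this section and reports settings that fall short of a baseline. The baseline values (2048-bit RSA floor, MD5_128 rejected, client certificates required), the function names, and the 'true' string for an enabled certificate requirement are assumptions.

```python
import re

# Constructed sample: `show wtls` output in the layout documented above,
# carrying the values shown after `set customMAC MD5_128`.
SAMPLE_SHOW_WTLS = """\
WS5000.(Cfg).wvpn.wtls> show wtls
WTLS Settings:
Server number:               : 1
Security mode:               : customSecurity
Wanted FIPS mode:            : Unavailable
Cipher:                      : AES256
MAC:                         : MD5_128
Minimum client RSA key size: : 1024 bits
Maximum client RSA key size: : 4096 bits
Minimum RSA key size:        : 1024 bits
Maximum RSA key size:        : 3072 bits
Handshake timeout:           : 0h 1m( 90 secs)
Require client certificates: : false
Key refresh:                 : 256 packets
WS5000.(Cfg).wvpn.wtls>
"""

# Assumed site baseline; these thresholds are not taken from the manual.
BASELINE = {
    "min_rsa_bits": 2048,         # floor applied to both RSA minimums
    "weak_macs": {"MD5_128"},     # MAC names to reject
    "require_client_cert": True,  # expect client certificates to be required
}

RSA_MINIMUMS = ("minimum client rsa key size", "minimum rsa key size")


def parse_show_wtls(text):
    """Return {lower-cased label: value} for each 'Label: : value' line."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        label, sep, rest = line.partition(":")
        # Skip blanks, the banner, prompt/echo lines (they contain '>'
        # before any colon) and anything without a colon.
        if not sep or line == "WTLS Settings:" or ">" in label:
            continue
        settings[label.strip().lower()] = rest.lstrip(": \t").strip()
    return settings


def audit_wtls(settings, baseline=BASELINE):
    """Return (setting, message) findings; an empty list means the baseline is met."""
    findings = []

    def need(key):
        # Fail closed: a setting missing from the output is itself a finding.
        if key not in settings:
            findings.append((key, "setting not present in output"))
            return None
        return settings[key]

    mac = need("mac")
    if mac is not None and mac in baseline["weak_macs"]:
        findings.append(("mac", f"{mac} is on the weak-MAC list"))

    for key in RSA_MINIMUMS:
        value = need(key)
        if value is None:
            continue
        match = re.fullmatch(r"(\d+)\s*bits", value)
        if match is None:
            findings.append((key, f"unparseable key size {value!r}"))
        elif int(match.group(1)) < baseline["min_rsa_bits"]:
            findings.append((key, f"{value} is below {baseline['min_rsa_bits']} bits"))

    cert = need("require client certificates")
    # Assumption: the switch prints 'true' when the requirement is enabled
    # (the manual only shows 'false').
    if cert is not None and baseline["require_client_cert"] and cert.lower() != "true":
        findings.append(("require client certificates", f"value is {cert!r}"))
    return findings


if __name__ == "__main__":
    for setting, message in audit_wtls(parse_show_wtls(SAMPLE_SHOW_WTLS)):
        print(f"[FAIL] {setting}: {message}")
```

Run it against output captured from the switch after every WTLS change; a non-empty result lists the settings to correct with the set command described in 8.72.1.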
Service Mode CLI
9.1 CLI Service Mode Overview
The CLI Service Mode allows retrieval of system data that includes tables, log files, configuration, status, and
operation, for use in debugging and problem resolution while troubleshooting the WS5000 Series Switch
configuration.
Only Symbol Technologies trained and customer-authorized personnel should use the advanced commands
within the CLI Service Mode. Occasionally, the customer may be asked to retrieve system data and provide it
to a Symbol Support Engineer who uses this data to examine the system status.
To enter Service Mode Configuration context, invoke the service command within the System or Configuration
context (WS5000> or WS5000.(Cfg)> prompts, for example). The CLI user can either output the data to the
standard display, or capture the data in a file stored in the default system directory. The user can immediately
access the file, or transport it to another host.
The Service mode includes almost all of the commands that are provided in “normal” CLI mode. The same
commands from the “normal” CLI mode execute identically in the Service Mode CLI System context and
Configuration context.
9.1.1 Logging into the Service Mode
Initially, to log into the Service mode, follow these steps:
1. Enter service at the WS5000> System Context prompt.
2. Enter the CLI Service Mode password. The default password is password.
WS5000> service
Enter CLI Service Mode password:********
Enabling CLI Service Mode commands...... done.
SM-WS5000>
The customer can allow or deny access to the CLI Service Mode by maintaining the CLI Service Mode
password. The service mode password command is used to update/change the Service Mode password.
9.1.2 Basic Conventions
When working within Service Mode, consider the following basic conventions:
• Service Mode is clearly marked by its differentiated prompt. You know you are in “service mode” when
the prompt is:
SM-WS5000>
• All CLI commands are case insensitive, but all user data is case sensitive.
• Any time a name is assigned that contains two or more words separated by a space, use double quotes
around the words that make up the name. For example:
SM-WS5000> name "Wireless Switch"
• The Service Mode is password-protected and should only be used by customer-authorized personnel
such as Symbol support personnel.
9.2 SM-WS5000> Command Review
This section provides detailed command and syntax descriptions, as well as examples of the Service Mode
commands.
Table 9.1 Service Mode Command Summary
Command            Description                                                Ref.
? or help          To get the command information                             page 9-4
logout or bye      Close this session                                         page 9-5
exit               Exit from the Service CLI mode.                            page 9-5
capture            Capture the current system status to a file                page 9-5
cleanapdbglog      Cleanup AP300 debug log files                              page 9-6
clear              Clears the screen                                          page 9-6
configure          Configure system attributes                                page 9-6
copy               Copy files between the Switch and TFTP/FTP server          page 9-8
debug              Enable/disable debug information to the log file           page 9-9
delete             Delete an image files from the memory                      page 9-10
description        Set description text                                       page 9-11
diag               Diagnostic utility                                         page 9-12
directory          Display the available image files in memory                page 9-12
emergencymode      Enable or disable Emergency Mode                           page 9-13
enablecclog        Enable Switch log information to the log file              page 9-13
execute            CLI Service Mode command file execution                    page 9-13
export             Exports log files from the Switch to TFTP server.          page 9-14
ftpPasswd          Changes password for FTP operations                        page 9-14
getcclogfile       Upload Switch log file to TFTP Server                      page 9-15
install            Install primary/standby/Kerberos config or CLI commands.   page 9-15
launch             Launches the specified program                             page 9-16
ledcolor           Get or set the color of the LEDs                           page 9-17
logdir             Display the user saved log files                           page 9-17
name               Set or change the name                                     page 9-18
password           Change the CLI Service Mode password                       page 9-18
ping               Ping a network host/IP address                             page 9-18
remove             Remove a log file shown by 'logdir' command.               page 9-20
restore            Restore system image or configuration                      page 9-20
rfping             Send a WNMP ping to a Access Port                          page 9-21
save               Save the running system configuration to a file            page 9-21
setThresholds      Enable/Disable/Set thresholds for periodic monitoring      page 9-22
shell              Enter into the embedded O.S. command prompt                page 9-22
show               Display context specific attributes                        page 9-23
showAPFirmware     Displays AP Firmware images available                      page 9-25
showBuildInfo      Displays build version Information                         page 9-25
showDiskUsage      Displays current disk usage                                page 9-26
showHardwareInfo   Displays current hardware Information                      page 9-26
showMemUsage       Displays current memory usage                              page 9-27
showThresholds     Display current settings for various thresholds            page 9-27
watchdogtimer      Enable/disable watch dog timer                             page 9-28
wvpnctl            Enable/disable wvpn logging                                page 9-28
9.2.1 ? or help
Displays a list of available commands. Identical to "help" command.
Syntax
?
Parameters
None
Example
SM-WS5000> ?
System Context.
----------------------------------------------
Commands           Brief Description
----------------------------------------------
? or help          To get the command information
logout or bye      Close this session
exit               Exit from the Service CLI mode.
capture            Capture the current system status to a file
cleanapdbglog      Cleanup AP300 debug log files
clear              Clears the screen
configure          Configure system attributes
copy               Copy files between the Switch and TFTP/FTP server.
debug              Enable/disable debug information to the log file
delete             Delete an image files from the memory
description        Set description text.
diag               Diagnostic utility.
directory          Display the available image files in memory
emergencymode      Enable or disable Emergency Mode
enablecclog        Enable Switch log information to the log file
execute            CLI Service Mode command file execution
export             Exports log files from the Switch to TFTP server.
ftpPasswd          Changes password for FTP operations.
getcclogfile       Upload Switch log file to TFTP Server
install            Install primary/standby/Kerberos config or CLI
                   commands.
launch             Launches the specified program
ledcolor           Get or set the color of the LEDs
logdir             Display the user saved log files
name               Set or change the name.
password           Change the CLI Service Mode password
ping               Ping a network host/IP address
remove             Remove a log file shown by 'logdir' command.
restore            Restore system image or configuration.
rfping             Send a WNMP ping to a Access Port
save               Save the running system configuration to a file.
setThresholds      Enable/Disable/Set thresholds for periodic monitoring.
shell              Enter into the embedded O.S. command prompt
show               Display context specific attributes
showAPFirmware     Displays AP Firmware images available.
showBuildInfo      Displays build version Information.
showDiskUsage      Displays current disk usage.
showHardwareInfo   Displays current hardware Information.
showMemUsage       Displays current memory usage.
showThresholds     Display current settings for various thresholds.
watchdogtimer      Enable/disable watch dog timer
wvpnctl            Enable/disable wvpn logging
SM-WS5000>
9.2.2 logout or bye
Exits service mode and logs the user out of the switch. Identical to the command "bye".
Syntax
bye
Parameters
None
Example
SM-WS5000> bye
Logging out...
user name:
9.2.3 exit
Exits the CLI Service Mode and returns to the switch command prompt (normal CLI).
Syntax
exit
Parameters
None
Example
SM-WS5000> exit
Disabling CLI Service Mode commands...... done.
WS5000>
9.2.4 capture
This command saves the current system status (and packets) of various tables, files and processes of the
switch to a file, for use by Symbol engineers during problem resolution. The file name, ssm_report, appears in
the WS5000/scripts/service/ directory. Any previous ssm_report file gets renamed to ssm_report.prev.
After capturing the system status, it can be displayed by using the show sysstat command. Use 'logdir' to list
the captured file names. Similarly, use 'remove' to delete the saved files and the 'export' command to copy files
to a remote TFTP server.
Syntax
capture <option>
Parameters
option
It can be either of the below two:
• sysstat— Saves the system status to a file.
• packet— Captures packets in real time.
Example
SM-WS5000> capture sysstat
Capturing current system status....
Starting the SSM capture ...
Finished the SSM capture ...
SM-WS5000>
9.2.5 cleanapdbglog
This command is used to clean up AP300 debug log files.
Syntax
cleanapdbglog
Parameters
None
Example
This command does not generate any output.
9.2.6 clear
Clears the screen contents and returns to the service mode prompt.
Syntax
clear
Parameters
None
Example
SM-WS5000> clear
SM-WS5000>
9.2.7 configure
The command changes the Service Mode CLI to the Service Mode “Configuration” context, allowing the
administrator to configure system attributes within the Service Mode. The sub-contexts and related commands
available in the normal System Context (WS5000> prompt) are the same.
Syntax
configure
Parameters
None
Example
SM-WS5000> configure
SM-WS5000.(Cfg)> ?
Config Context.
----------------------------------------------
Commands            Brief Description
----------------------------------------------
.. or end           Go back to the previous context.
exit                Go back to root context.
? or help           To get the command information
logout or bye       Close this session
aaa                 Configure AAA setting.
accessport          Configure an Access Port.
acl                 Configure ACL for the system.
appolicy            Configure an Access Port policy.
banner              Configure Banner for the system.
ce                  Configure a Classifier.
cg                  Configure a Classification Group.
chassis             Configure Chassis settings.
clear               Clears the screen
copy                Copy files between the Switch and TFTP/FTP server.
date                Set or display system time and/or date
delete              Delete an image files from the memory
description         Set description text.
diag                Diagnostic utility.
directory           Display the available image files in memory
emergencymode       Enable or disable Emergency Mode
encrypt             Encrypt the passwd to be used in auto-install
ethernet            Configure Ethernet Port.
etherpolicy         Configure an EtherPolicy.
events              Configure Event properties.
export              Exports log files from the Switch to TFTP server.
ftp                 Configure system FTP settings.
ftpPasswd           Changes password for FTP operations.
fw                  Configure LAN for the system.
host                Configure Host properties.
install             Install primary/standby/Kerberos config or CLI
                    commands.
kdc                 Configure KDC server.
launch              Launches the specified program
ledcolor            Get or set the color of the LEDs
logdir              Display the user saved log files
name                Set or change the name.
np                  Configure a Network Policy.
ping                Ping a network host/IP address
po                  Configure a Policy Object.
purge               Purge the specified contents.
radius              Configure RADIUS setting.
remove              Remove a log file shown by 'logdir' command.
reset               Reset Switch
restore             Restore system image or configuration.
rogueap             Configure RogueAP Detection feature for the system.
route               Configure system Route settings.
runacs              Run ACS on all adopted Access Ports
save                Save the running system configuration to a file.
securitypolicy      Configure Security Policy for the system.
sensor              Configure Sensor setting.
set                 Set Switch attributes
setThresholds       Enable/Disable/Set thresholds for periodic monitoring.
show                Display context specific attributes
showAPFirmware      Displays AP Firmware images available.
showBcmcStats       Displays BCMC statistics for PSD.
showBuildInfo       Displays build version Information.
showDiskUsage       Displays current disk usage.
showDriverStats     Displays driver statistics for ethernet ports.
showEthernetStats   Displays ethernet port statistics
showHardwareInfo    Displays current hardware Information.
showMemUsage        Displays current memory usage.
showStartupLog      Displays system startup log.
showThresholds      Display current settings for various thresholds.
showUpgradeLog      Displays system restore log.
shutdown            Shutdown the Switch
snmp                Configure SNMP parameters.
ssh                 Configure SSH settings.
ssl                 Configure SSL settings.
standby             Configure system Standby settings.
switchpolicy        Configure Switch Policy.
telnet              Configure system Telnet settings.
tunnel              Configure tunnel information.
user                Configure user information.
watchdogtimer       Enable/disable watch dog timer
wlan                Configure WLAN for the system.
wvpn                Configure system WVPN settings.
wvpnctl             Enable/disable wvpn logging
SM-WS5000.(Cfg)>
9.2.8 copy
Copies a file (system image (*.img) or configuration file (*.cfg)) from the WS5000 to a (T)FTP server, or vice
versa. TFTP can be used to transfer *.sys.img, *.cfg, and *.sym files. FTP can be used to transfer .krb,
.sys.img, .cfg, and .sym files.
The following are the default modes:
• Default protocol is TFTP
• Default user for FTP: anonymous
• Default mode for FTP: binary.
If using FTP, and the user is not anonymous (using -u option), CLI prompts the user to enter password.
IMPORTANT! DO NOT USE THIS COMMAND FOR FILES LARGER THAN 32MB.
Syntax
copy <source> <destination> [-u user] [-m mode]
Parameters
source
The source of the file. Possible values are:
• [protocol:]//<host_name or IP>/[file_name]. For example,
ftp://<ipAddress/path/[file_name]. If a filename is not supplied, the system
will prompt for one, in addition to a password.
• tftp
• ftp
• system
• .
• [/]<file_name>
destination
The destination of the file. Possible values are:
• tftp
• ftp
• system
• .
• /
user
FTP username. Default is anonymous.
mode
FTP transfer mode, either ascii or binary. Default is binary.
Example
SM-WS5000> copy tftp system
Enter the file name to be copied from TFTP server : backup.sys.img
IP address of the TFTP server : 157.235.208.208
Copying 'backup.sys.img' from tftp://157.235.208.208 to Switch...
9.2.9 debug
Allows enabling or disabling logging of debug messages in the debug log file. User must execute the debug
command to see the log of the operating function. Entering a specific option displays the debug option that is
enabled.
Syntax
debug [<option> <enable/disable>]
Parameters
Option       Parameters       Descriptions.
errors       enable/disable   Error messages.
general      enable/disable   General messages.
threads      enable/disable   Process thread information.
sharedmem    enable/disable   Shared memory data.
accessport   enable/disable   Access Port information.
ess          enable/disable   ESS handling.
policy       enable/disable   policy handling.
ethernet     enable/disable   Ethernet data.
stats        enable/disable   Statistical data.
snmp         enable/disable   SNMP data.
driver       enable/disable   Driver messages.
standby      enable/disable   Standby information.
frames       enable/disable   Frame information.
events       enable/disable   Events information.
corba        enable/disable   Corba handling.
packets      enable/disable   Packets data.
apfirmware   enable/disable   AP firmware information.
mu           enable/disable   Mobile unit data.
xml          enable/disable   XML information.
qos          enable/disable   QOS handling.
vlan         enable/disable   VLAN handling.
database     enable/disable   Database information.
security     enable/disable   Security handling.
memory       enable/disable   Memory use information.
kdc          enable/disable   Kerberos messages.
acs          enable/disable   ACS information.
all          enable/disable   Select all the above options.
Example
SM-WS5000> debug sharedmem enable
Enabling SHARED MEMEORY data logging ...
Status: Success.
Debug flag value (Hex): 0000000000000100
Enabled options are:
-------------------
sharedmem - SHARED MEMEORY data
SM-WS5000>
9.2.10 delete
Deletes the specified image or config file from the WS5000. As a shortcut, “del” can be used instead of
“delete”. Use the directory command to list the files that can be deleted.
Syntax
delete <file_name>
Parameters
filename
Name of the file to be deleted.
Example
SM-WS5000> directory
Date & Time     Bytes    File Name
Mar 9  23:25    115219   WS5000Defaults_v2.1.0.0-017B.cfg
Mar 9  20:42    92004    WS5k_Auto_v2.1.0.0-015B_20060309.cfg
Mar 9  22:57    91824    WS5k_Auto_v2.1.0.0-016B_20060309.cfg
Mar 9  23:23    91818    WS5k_Auto_v2.1.0.0-017B_20060309.cfg
Mar 10 00:01    7531     cmd_template.sym
Mar 9  23:05    17020    kp.cfg
Mar 9  23:31    17023    pavan.cfg
Mar 10 00:01    17023    test1.cfg
Mar 9  20:50    34603    walmart_new.cfg
SM-WS5000> delete WS5000Defaults_v2.1.0.0-017B.cfg
Removing test1.cfg.... done.
SM-WS5000>
9.2.11 description
Sets the description to the policy or item in the selected context.
Syntax
description <description_text>
Parameters
description_text
Enter a brief description of the switch.
Example
SM-WS5000> description WS5000 Wireless Network
Adding description...
Status : Success.
System information...
System Name                  : WS5000
Description                  : WS5000 Wireless Network
Switch Location              :
Software Ver.                : 2.1.0.0-017B
Licensed to                  : Symbol Technologies
Copyright                    : Copyright (c) 2000-2005. All rights reserved.
Serial Number                : 00A0F853D9A9
Number of Licenses           : 30
Max Access Ports             : 30
Max Mobile Clients           : 4096
MU Idle Timeout value        : 1800 seconds
Active Switch Policy         : wm_stores
Emergency Switch Policy      : Not defined
Switch Uptime                : 00d:23h:08m
Global RF stats              : Disabled
Use JumboSupport             : enable
AP300 debugging              : disable
# of Unassigned Access Ports : 2
Unassigned Access Ports      :
1. 00:A0:F8:B8:10:96.
2. 00:A0:F8:B8:10:5A.
CLI AutoInstall Status       : Enabled
SM-WS5000>
9.2.12 diag
Use diag to create a text file for memory dump of different data structures. It dumps all the information related
to the object in /logfile, which can be viewed using the root permission. This command is to be used by an admin
with a root permission (access to the shell).
The output file is saved in the logs directory, which can be viewed using the 'logdir' command.
Syntax
diag <obj_name> <file_name> <user_name>
Parameters
obj_name
<obj_name>={inQ|outQ|muo|bfio|ALT|cgo|ceo|mco|po}
Name of object whose memory dump is required. It can be either of the following:
• inQ=Input Q.
• outQ=Output Q.
• muo=MU Object.
• bfio=Interface Object (both NIC and AP).
• ALT=Address Lookup Table.
• cgo=CG Object.
• ceo=CE Object.
• mco=MC Object.
• po=Policy Object.
file_name
Name of file where the output needs to be saved.
user_name
Name of user executing the command.
Example
SM-WS5000> diag ALT TestFile admin
SM-WS5000> logdir
File Name              Bytes    Date & time
========================================================
TestFile.ALT.diag      454      Sat Mar 11 18:20:26 2006
SM-WS5000>
9.2.13 directory
Lists the image and configuration files that are stored on a WS5000. As a shortcut, “dir” can be used instead
of “directory”.
Syntax
directory
Parameters
None
Example
SM-WS5000> directory
Date & Time     Bytes    File Name
Mar 9  23:25    115219   WS5000Defaults_v2.1.0.0-017B.cfg
Mar 9  20:42    92004    WS5k_Auto_v2.1.0.0-015B_20060309.cfg
Mar 9  22:57    91824    WS5k_Auto_v2.1.0.0-016B_20060309.cfg
Mar 9  23:23    91818    WS5k_Auto_v2.1.0.0-017B_20060309.cfg
Mar 10 00:01    7531     cmd_template.sym
Mar 9  23:05    17020    kp.cfg
Mar 9  23:31    17023    pavan.cfg
Mar 9  20:50    34603    walmart_new.cfg
SM-WS5000>
9.2.14 emergencymode
Enables or disables the “Emergency” Switch Policy (ESP). This is a switch policy that can be activated (enabled)
at any time in case of an emergency. When ESP is deactivated (disabled), the previous switch policy is
reactivated.
Define an Emergency switch Policy prior to enabling the Emergency Wireless Switch Policy. Create two or
more switch policies. An error message displays if less than two Switch Policies are available.
Syntax
emergencymode <enable/disable>
Parameters
enable/disable
Indicates whether to enable or disable the ESP.
Example
SM-WS5000> emergencyMode enable
9.2.15 enablecclog
This command is used to enable the CC log with dd.conf input file.
Syntax
enablecclog
Parameters
None
Example
9.2.16 execute
Executes the specified file. The command is used with specified optimization (patch file) files provided from
Symbol Technologies when a service upgrade is needed on the WS5000 Series Switch.
Syntax
execute
Parameters
None
Example
SM-WS5000> execute
Executing CLI Service Mode command file....
Enter the command file name:
9.2.17 export
This command is used to copy the log files from the switch to the remote TFTP server. Use ‘logdir’ to view the
list of user log files that can be exported.
Syntax
export
Parameters
This is an interactive command and you will be asked for the following:
• destination — This is the remote TFTP host.
• filename — The name of the log file that has to be exported to the remote TFTP server.
• username — Enter the user name which you mentioned at the time of log file creation when using the
‘diag’ command. The default user name is admin.
Example
SM-WS5000> logdir
File Name              Bytes    Date & time
========================================================
TestFile.ALT.diag      454      Sat Mar 11 18:20:26 2006
TestBfio.bfio.diag     41560    Sat Mar 11 18:35:33 2006
SM-WS5000> export
Creating the Event list...
Enter the log file name : TestBfio.bfio.diag
Enter the user name : admin
IP address of the remote TFTP server : 192.168.168.10
Optional storage path in the TFTP server (press ENTER if none) :
Copying log file TestBfio.bfio.diag to remote TFTP Server 192.168.168.10 ...
File: TestBfio.bfio.diag copied successfully to 192.168.168.10
SM-WS5000>
9.2.18 ftpPasswd
This command is used to reset the FTP password for the switch.
This command is used to change the password of the standard user for FTP operations. The default user name
is — ftpuser. You have to use the default user name to FTP to the switch along with the password that you
provide using ftpPasswd.
Syntax
ftpPasswd
Parameters
None
Example
SM-WS5000> ftpPasswd
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Password for FTP operations updated
SM-WS5000>
9.2.19 getcclogfile
This command is used to upload the CC log file to the TFTP server.
Syntax
getcclogfile
Parameters
None
Example
SM-WS5000> getcclogfile
Enter IP Address of TFTP Server where log file to be copied:192.168.168.10
File: CCErrors.txt copied successfully to 192.168.168.10
Do you want to disable Switch debug logging (yes/no) : y
Disabled Switch Debug Logging successfully.
SM-WS5000>
9.2.20 install
Configures the switch as primary or standby, installs Kerberos settings, or runs a CLI command file, depending
on the value of the first parameter.
Syntax
install <install_option> [file_name]
Parameters
install_option
Specify Primary or Standby to configure the switch as the primary or standby
Switch. Specify which command (.sym) file to install. Omitting a specific
command file forces the system to install the default command *.sym file. If no
default command file exists, omitting the file name results in no changes to the
current configuration.
file_name
The optional command file name extensions are (.sym) or Kerberos file (.krb) to
install. Specifying a valid command file (*.sym) causes the switch to shutdown
and reset. Specifying a valid Kerberos file to update (*.krb) does not require the
Kerberos enabled switches to reset.
Example
SM-WS5000> install primary test.sym
Begin command file processing...
Begin parsing command file for download and logging parameters...
/WS5000/scripts/cmd_process: tr: command not found
/WS5000/scripts/cmd_process: tr: command not found...
Command file was parsed successfully.
Shutting down running processes. This may take a while...
Shutting down running processes...
Resetting the Switch...
SM-WS5000>
9.2.21 launch
Use launch to specify the program or shell command to be executed. Observe the following constraints:
• For executing a Linux program, its path must be available in the environment variable $PATH.
• When executing a command, the command must be available in the /WS5000/scripts/engg directory
with executable permission.
Syntax
launch -p <key> <option> <program_name>
Parameters
<key>
Secret key for password to access launch command.
Note Use the encrypt command along with the root
password to generate the key for executing the launch
command.
<option>
One of the following:
• -c for command
• -f for file
<program_name>
One of the following:
• for the -c option, a command name
• for the -f option, the name of a file to be executed
Example
SM-WS5000> cfg encrypt B20!FlyIn
Encrypting password 'B20!FlyIn'....
Actual Password B20!FlyIn
Encrypted Password 14c8bf727be6e37b3fbd25489b00b3b1
SM-WS5000.(Cfg)> launch -p 14c8bf727be6e37b3fbd25489b00b3b1 -c ps
PID TTY TIME CMD
20808 pts/0 00:00:00 CLI
25402 pts/0 00:00:00 ps
SM-WS5000.(Cfg)>
9.2.22 ledcolor
This command is not supported in WS5000 hardware platform.
Syntax
None
Parameters
None
Example
None
9.2.23 logdir
This command is used to list available user log (history, syslog, pktlog, diag log, system status log) files. It
does not list image/config files. Use the dir command to list image/config files.
Syntax
logdir
OR
logdir user <username>
Parameters
username
This is the storage directory for the logs.
Example
WS5000.(Cfg)> ..
WS5000> service
Enter CLI Service Mode password: ********
Enabling CLI Service Mode commands...... done.
SM-WS5000> capture packet ifname eth1 enable
Start Packet Capture....
sending ioctl to capture packet
SM-WS5000> cfg
SM-WS5000.(Cfg)> save packet examplepacketcapture
Saving captured packets....done
SM-WS5000.(Cfg)> logdir
File Name                      Bytes    Date & time
========================================================
examplepacketcapture.pktbin    25835    Sun Feb 12 17:26:39 2006
9.2.24 name
This command is used to change the system's name.
Syntax
name <name>
Parameters
name
The name which you want to assign to the switch.
Example
SM-WS5000> name Bangalore_WS5000
WARNING: Changing the switch name will require
the KDC configuration to be recreated
Are you sure? (yes/no)
: yes
Configuring name...
Status : Success.
9.2.25 password
This command is used to change the CLI Service Mode password.
Syntax
password
Parameters
None
Example
SM-WS5000> password
Changing CLI Service Mode password....
Enter the new password : *********
Re-Enter the new password : *********
SUCCESS: CLI Service Mode password update successful.
SM-WS5000>
9.2.26 ping
Sends ICMP ECHO_REQUEST packets to a network host.
Syntax
ping <host/ip_address>
Options:
ping [-Rdfnqrv] [-c count] [-i wait] [-l preload] [-p pattern]
[-s packetsize] host
Parameters
-Rdfnqrv
These optional flags can be broken down as follows:
• -R — Record route. Includes the RECORD_ROUTE option in the ECHO_REQUEST
packet and displays the route buffer on returned packets. Note that the IP header is
only large enough for nine such routes. Many hosts ignore or discard this option.
• -d — Set the SO_DEBUG option on the socket being used. Essentially, this socket
option is not used by the Linux kernel.
• -f — Flood ping. For every ECHO_REQUEST sent a period ``.'' is printed, while for every
ECHO_REPLY received a backspace is printed. This provides a rapid display of how
many packets are being dropped. If interval is not given, it sets interval to zero and
outputs packets as fast as they come back or one hundred times per second,
whichever is more. Only the super-user may use this option with zero interval.
• -n — Numeric output only. No attempt will be made to lookup symbolic names for host
addresses.
• -q — Quiet output. Nothing is displayed except the summary lines at startup time and
when finished.
• -r — Bypass the normal routing tables and send directly to a host on an attached
interface. If the host is not on a directly-attached network, an error is returned. This
option can be used to ping a local host through an interface that has no route through
it provided the option -I is also used.
• -v — Verbose output.
-c count
Stop after sending count ECHO_REQUEST packets. With deadline option, ping
waits for count ECHO_REPLY packets, until the timeout expires.
-i wait
Wait interval of seconds between sending each packet. The default is to wait for
one second between each packet normally, or not to wait in flood mode. Only
super-user may set interval to values less than 0.2 seconds.
-l preload
If preload is specified, ping sends that many packets not waiting for reply. Only
the super-user may select preload more than 3.
-p pattern
You may specify up to 16 “pad” bytes to fill out the packet you send. This is useful
for diagnosing data-dependent problems in a network. For example, -p ff will
cause the sent packet to be filled with all ones.
-s packetsize
Specifies the number of data bytes to be sent. The default is 56, which translates
into 64 ICMP data bytes when combined with the 8 bytes of ICMP header data.
host/ip_address
The name or IP address of the host to which the request packets are sent.
Example
SM-WS5000> ping WS5000
PING WS5000 (10.1.1.101) from 10.1.1.101 : 56(84) bytes of data.
64 bytes from WS5000 (10.1.1.101): icmp_seq=1 ttl=64 time=0.074 ms
64 bytes from WS5000 (10.1.1.101): icmp_seq=2 ttl=64 time=0.027 ms
64 bytes from WS5000 (10.1.1.101): icmp_seq=3 ttl=64 time=0.031 ms
64 bytes from WS5000 (10.1.1.101): icmp_seq=4 ttl=64 time=0.032 ms
--- WS5000 ping statistics ---
4 packets transmitted, 4 received, 0% loss, time 2997ms
rtt min/avg/max/mdev = 0.027/0.041/0.074/0.019 ms
SM-WS5000>
9.2.27 remove
This command is used to remove the specified log (history, packet, diag log, sysstatus) file. It does not remove
image/config or local syslog files. To remove image/config files, use 'delete'. To remove local syslog files, use
‘remlocal’.
Syntax
remove <file_name> [username-optional]
Parameters
file_name
The log file that you want to remove.
username
This field is optional and is the storage directory for the logs.
Example
WS5000.cfg>logdir
File Name       Bytes    Date & time
========================================================
Log1.history    7833     Thu Jan 19 04:36:16 2006
SM-WS5000> remove Log1.history
Removing file 'Log1.history'.... done.
9.2.28 restore
This command is used to restore system images and configuration. This command will reset the system and
boot up with the new restored image/config.
Syntax
restore <restore_option> <file_name>
Parameters
restore_option
It can be one of the following three:
• system — Restore the system image and configurations from file_name.
• configuration — Restore the configuration from the specified file name.
• standby — Restore the configuration from the specified file name.
file_name
The system image file name to be restored.
Example
SM-WS5000> restore configuration kp.cfg
This command will reset the system and boot up with the new configuration.
Do you want to continue (yes/no)
: yes
Restoring configuration from kp.cfg
Rebooting the switch...
9.2.29 rfping
This command is used to ping to the Access Port. You need to enter the Access Port MAC address to ping.
Syntax
rfping <mac address> [<count>]
Parameters
mac_address
The MAC address of the Access Port to which you want to ping.
count
The number of ping attempts to be made
Example
SM-WS5000> rfping 00:A0:F8:B5:59:1E 4
Sending (4) WNMP Ping to 00:A0:F8:B5:59:1E
WnmpPing reply 1 received successfully
WnmpPing reply 2 received successfully
WnmpPing reply 3 received successfully
WnmpPing reply 4 received successfully
SM-WS5000>
9.2.30 save
This command is used to save the running system configuration to a file.
Syntax
save <save_option> [nocertificate] <file_name>
Parameters
save_option
It can be one of the following three:
• configuration — Save the present configuration in file_name.
• history — Save global command history in <file_name>.
• packets — Save captured packets in <file_name> (last packet first).
nocertificate
Use nocertificate option to save configuration without RADIUS certificates.
file_name
The name you assign to the file.
Example
SM-WS5000> save config TestConfig
Saving running configuration in: TestConfig.cfg
Saving wireless network management configuration...
Configuration saved successfully.
SM-WS5000>
9.2.31 setThresholds
This command is used to set/clear thresholds for monitoring. Whenever any of the cpu/mem/disk usage goes
above the specified threshold percent value, an alert is sent. As long as the usage remains above this
threshold, no more alerts are sent. When the usage goes down and this threshold is subsequently crossed again, an
alert is sent again, and so on.
Enable monitoring using the 'set monitor' command before using this command.
Specify a zero value to disable the corresponding threshold monitoring.
Syntax
setThresholds [-c <nn>] [-m <nn>] [-d <nn>]
Parameters
-c <nn>
Add syslog when cpu usage percent goes above <nn>.
-d <nn>
Add syslog when disk usage percent goes above <nn>.
-m <nn>
Add syslog when memory usage percent goes above <nn>.
Example
SM-WS5000> setThresholds -c 95
Various thresholds are now:
CPU Usage : 95%
Memory Usage : Monitoring disabled
Disk Usage : Monitoring disabled
Alert Sent: No
SM-WS5000>
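The alert rule described for setThresholds, modelled as an added example (not code from the switch or from Symbol): it parses the example output above and replays constructed usage readings to show which ones would raise a syslog alert. The function names and the readings are assumptions made for illustration, as is reading "goes above" as strictly greater than.

```python
import re

# Output of `setThresholds -c 95`, taken from the example above.
SAMPLE_OUTPUT = """\
Various thresholds are now:
CPU Usage : 95%
Memory Usage : Monitoring disabled
Disk Usage : Monitoring disabled
Alert Sent: No
"""

# Maps the labels printed by the CLI to the -c / -m / -d resources.
LABELS = {"CPU Usage": "cpu", "Memory Usage": "mem", "Disk Usage": "disk"}

# Constructed (resource, usage percent) readings in time order; not real switch data.
SAMPLES = [
    ("cpu", 90), ("cpu", 96), ("mem", 99), ("cpu", 99),
    ("cpu", 97), ("cpu", 94), ("cpu", 96), ("disk", 100),
]


def parse_thresholds(text):
    """Return {'cpu': n, 'mem': n, 'disk': n}; 0 means monitoring is disabled."""
    limits = {}
    for line in text.splitlines():
        label, sep, value = line.partition(":")
        key = LABELS.get(label.strip())
        if not sep or key is None:
            continue  # banner line, "Alert Sent", prompt, ...
        value = value.strip()
        if value == "Monitoring disabled":
            limits[key] = 0
        elif re.fullmatch(r"\d{1,3}%", value):
            limits[key] = int(value[:-1])
        else:
            raise ValueError(f"unrecognised threshold value: {value!r}")
    return limits


def replay(limits, samples):
    """Apply the documented rule to the samples in order.

    Returns (alerts, silent): `alerts` lists the sample indexes that would
    raise an alert; `silent` lists the indexes that are above the threshold
    but raise nothing, because the alert for that excursion was already sent.
    """
    latched = dict.fromkeys(limits, False)
    alerts, silent = [], []
    for index, (resource, percent) in enumerate(samples):
        limit = limits.get(resource, 0)
        if limit == 0:                  # zero disables this threshold
            continue
        if percent > limit:             # assumption: strictly greater than
            if latched[resource]:
                silent.append(index)    # still above: no further alert
            else:
                latched[resource] = True
                alerts.append(index)    # first crossing: one alert
        else:
            latched[resource] = False   # usage fell back: re-arm the alert
    return alerts, silent


if __name__ == "__main__":
    limits = parse_thresholds(SAMPLE_OUTPUT)
    alerts, silent = replay(limits, SAMPLES)
    print("thresholds:", limits)
    print("alerting samples:", alerts)
    print("above threshold but silent:", silent)
```

A sustained overload produces a single alert, so the absence of later alerts does not by itself show that usage has recovered.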
9.2.32 shell
This command is used to enter into the embedded OS Command prompt and environment.
Syntax
shell
Parameters
None
Example
SM-WS5000> shell
Entering into O.S.Command shell....
password:
WS5000#
WS5000# exit
SM-WS5000>
9.2.33 show
Displays a list of details about the WS5000 system related to the chosen display_parameter.
Syntax
show <display_parameter>
Parameters
show aaa-server
Display AAA information
show accessports
Display details of all access ports or all available access ports
show acl
Display ACL information
show allconfig
Display all config details
show appolicy
Display Access Port Policy
show autoinstalllog
Display autoinstall log
show ce
Display Classifiers
show cfghistory
Display configuration change history
show cg
Display Classification Group
show channelinfo
Display channel no and country code details
show chassis
Display Chassis details
show configaccess
Display configured system access restrictions
show cpuUsage
Displays CPU Usage
show ddnsupdatealllog
Display the current system restore log
show debuglog
Display the current dynamic debug log
show ethernet
Display Ethernet Port details
show etherpolicy
Display EtherPolicy details
show events
Show Syslog event details
show ftp
Display FTP status
show host
Display the Hosts defined in the system
show https
Display the Applet access type (http/https).
show interfaces
Display interface details
show kdc
Display KDC details
show knownap
Display known APs in the neighborhood.
show lan
Display LAN details
show logfolder
Display the current Log folder contents
show mu
Display MU details (list)
show musummary
Display MU summary
show np
Display Network Policy information
show po
Display Policy Object information
show radius-server
Display RADIUS information
show restorelog
Display the current system restore log
show routes
Display configured routes
show securitypolicy
Display security policy details
show sensor
Display Sensor's and AP 300's / Sensor details
show snmpclients
Display the SNMP Client/community details
show snmpstatus
Display SNMP status
show ssh
Display SSH configuration
show standby
Display Standby configuration
show switchpolicy
Display Switch Policy
show sysalerts
Display system alert logs (events)
show syslog
Display Syslog details
show sysstat
Display the current system status
show system
Display system information
show telnet
Display Telnet status
show time
Display date and time information
show traphosts
Display the SNMP trap-host details
show tunnels
Display Tunnel details
show users
Display user information
show version
Display the system version details
show vlan
Display VLAN details
show vpnsupportstatus
Display vpn support status
show watchdog
Display the watch dog status
show wlan
Display WLAN details
Example
SM-WS5000> show accessports
   Access Ports            Radio MAC          Device MAC         Type  Status
   -----------             ---------          ----------         ----  -----
1  00:A0:F8:BC:E8:F2 [G]   00:A0:F8:BC:97:48  00:A0:F8:BC:E8:F2  G     Unavailable
2  00:A0:F8:BC:E8:F2 [A]   00:A0:F8:BF:99:00  00:A0:F8:BC:E8:F2  A     Unavailable
3  00:A0:F8:BF:8A:9F [G]   00:A0:F8:BF:E0:EC  00:A0:F8:BF:8A:9F  G     Active
4  00:A0:F8:BF:8A:9F [A]   00:A0:F8:BF:ED:00  00:A0:F8:BF:8A:9F  A     Active
No. of Active Access Ports/Radios: 1/2
SM-WS5000>
9.2.34 showAPFirmware
This command is used to show Access Port image information.
Syntax
showAPFirmware
Parameters
None
Example
SM-WS5000> showAPFirmware
AP Firmware is loaded with following image
-----------------------------------------
ap-302x-revert.bin.img root 329596 Mar 9
ap-302x.bin.img root 169664 Mar 9
ap-413x-revert.bin.img root 665704 Mar 9
ap-413x.bin.img root 191440 Mar 9
ap-41xx-revert.bin.img root 391688 Mar 9
ap-41xx.bin.img root 158924 Mar 9
ccrf-5020.bin.img root 31034 Mar 9
wsap-5030.bin.img root 257860 Mar 9
wsap-51x0-sensor.bin.img root 295196 Mar 9
wsap-51x0.bin.img root 293320 Mar 9
-----------------------------------------
SM-WS5000>
9.2.35 showBuildInfo
This command is used to show current build information.
Syntax
showBuildInfo
Parameters
None
Example
SM-WS5000> showBuildInfo
WVPND ver= 126
RFIMG ver= ap-302x-revert.bin.img root 329596 Mar 9
RFIMG ver= ap-302x.bin.img root 169664 Mar 9
RFIMG ver= ap-413x-revert.bin.img root 665704 Mar 9
RFIMG ver= ap-413x.bin.img root 191440 Mar 9
RFIMG ver= ap-41xx-revert.bin.img root 391688 Mar 9
RFIMG ver= ap-41xx.bin.img root 158924 Mar 9
RFIMG ver= ccrf-5020.bin.img root 31034 Mar 9
RFIMG ver= wsap-5030.bin.img root 257860 Mar 9
RFIMG ver= wsap-51x0-sensor.bin.img root 295196 Mar 9
RFIMG ver= wsap-51x0.bin.img root 293320 Mar 9
CC root 5384312 Mar 9
CLI root 2974924 Mar 9
SNMPD root 2708330 Mar 13
DHCP SERVER root 559164 Mar 9
SYSLOG DAEMON root 27808 Jan 24
Patches Installed: None.
SM-WS5000>
9.2.36 showDiskUsage
This command is used to show current disk usage.
Syntax
showDiskUsage
Parameters
None
Example
SM-WS5000> showDiskUsage
Disk Space: In Use: 95%
Free: 5%
SM-WS5000>
9.2.37 showHardwareInfo
This command is used to view the hardware information of the switch.
Syntax
showHardwareInfo
Parameters
None
Example
SM-WS5000> showHardwareInfo
Hardware Type      : 5000
Ethernet Port Type : 10/100
DOM Size           : 121M
RAM Size           : 376 M
SM-WS5000>
9.2.38 showMemUsage
This command is used to view the current memory usage.
Syntax
showMemUsage
Parameters
None
Example
SM-WS5000> showMemUsage
        total:     used:     free:   shared:  buffers:   cached:
Mem:  395223040 135512064 259710976         0   8073216  55934976
Swap:         0         0         0
MemTotal:       385960 kB
MemFree:        253624 kB
MemShared:           0 kB
Buffers:          7884 kB
Cached:          54624 kB
SwapCached:          0 kB
Active:          27048 kB
Inactive:        48424 kB
HighTotal:           0 kB
HighFree:            0 kB
LowTotal:       385960 kB
LowFree:        253624 kB
SwapTotal:           0 kB
SwapFree:            0 kB
Committed_AS:    63244 kB
VmallocTotal:   647148 kB
VmallocUsed:     44596 kB
VmallocChunk:   602552 kB
SM-WS5000>
9.2.39 showThresholds
This command is used to view current values of various thresholds for monitoring.
Syntax
showThresholds
Parameters
None
Example
SM-WS5000> showThresholds
Various thresholds are now:
CPU Usage : Monitoring disabled
Memory Usage : Monitoring disabled
Disk Usage : Monitoring disabled
SM-WS5000>
9.2.40 watchdogtimer
This command is used to either enable or disable the watch dog timer.
Syntax
watchdogtimer <enable/disable>
Parameters
enable/disable
Either enable or disable the watch dog timer.
Example
SM-WS5000> watchdogtimer enable
Watch Dog Timer status: Enabled
SM-WS5000>
9.2.41 wvpnctl
This command is used to configure wvpn server logging.
Syntax
wvpnctl enable [flags=<flags>] [size=<size>] [filename=<name>]
or
wvpnctl disable
Parameters
enable
Enable wvpn logging.
disable
Disable wvpn logging.
flags
WVPN logging filter flags.
size
Maximum file size of WVPN log.
filename
WVPN log file name (complete path).
Example
SM-WS5000> wvpnctl enable size=1024 filename=/image/Testwvpn
WVPN debugging is now enabled with filename="/image/Testwvpn" size="1024"
flags="All"
SM-WS5000>
9.3 Diagnosing problems in WS5000/WS5100 Switch
The WS5000/WS5100 generates logs for various features in the /log folder, which cannot be viewed using the CLI,
Applet or SNMP.
9.3.1 Diagnose User
1. To view the log files in the /log folder, use the new diagnose login created in the switch with the
following details:
Diagnose Username : diagnose
Diagnose Password : bf20jbin
2. Once logged in, the diagnose user can go to the logs folder using the following command:
cd /log
3. To view the list of log files, use the following command:
ls -l
4. You can view the contents of any specific log file using the cat command as follows:
cat <filename>
5. If the file is longer than one screen of display, you can see the contents of the file one screen at a time
using the following command:
cat <filename> | more
For example, to find out when the switch was last started or rebooted, you can view the file
shutdownhistory.log using the following command:
cat shutdownhistory.log
Use the cat command as mentioned above to view:
• The CC logs (if enabled in the file /CC/dd.conf) in the file /CC/CCErrors.txt.
• The logs of the CC during the previous boot, in the file /CC/CCErrors.txt.save.
If the switch has crashed for some reason, a file called Fault.dmp is generated in the /CC folder. This
contains the trace of the stack at the time the switch crashed.
The switch administrator can send the logs/Fault.dmp to the engineering team using the standard ftp/tftp
command.
9.3.2 Finding whether a particular process is running or not
1. Log in to the switch as the diagnose user and execute any of the following commands:
ps -amx | grep <process_name>
2. If the process is running then this displays the process name together with its process id, else
3. Use the following command to view the process ID of the process, if it is running
pidof <process_name>
9.3.3 Encrypt, Launch and Execute commands of Service mode CLI
The launch command was modified in WS5000 2.1 to take an additional argument, the encrypted
version of the root password, for security reasons. The launch command requires this
encrypted version of the root password as an argument.
9.3.3.1 encrypt Command
The encrypt command is available under config context of service mode CLI. This command takes a string as
an argument and returns its equivalent encrypted version.
This is used primarily to create the encrypted version of the root password which is then passed as the
argument to launch command.
The encrypted version of the root password is "14c8bf727be6e37b3fbd25489b00b3b1".
9.3.3.2 launch Command
The launch command is available under both "system" and "config" context of Service mode CLI. This
command can be used to execute any linux command or any script (or any executable program) placed in
/scripts/engg folder. Its syntax is
Syntax
launch -p <key> <option> <program_name>
Parameters
key
Is the secret key for password to access launch command.
option
It can be one of the following:
• {-c|-f}: -c for command and -f for file.
program_name
• For -c option it is command name.
• For -f option it is a file name to be executed.
9.3.4 execute Command
This command is available under "system" context of Service mode CLI. This command is used to install
patches provided by the engineering team. Its syntax is
SM-WS5000> Execute
This command will prompt for the patch file name which should be present in the /image folder of the switch.
Antennas and Power
Use this table to determine the correct power settings for International use when using external antennas with
the AP 100 802.11b Access Port, Model CCRF-5020-10-WW.
Note For US (FCC), all Symbol Technologies, certified antennas can be used on the
maximum power level setting.
Table 10.1 International Antenna and Power Settings for AP 100 802.11b Access Port
Antenna Model      Max Power Setting  Antenna Type                                               Comments
ML-2499-APA2-01    1                  Dipole
ML-2499-HPA3-01    2                  Indoor/Outdoor Omni Directional
ML-2499-PNAHD-01   3                  Heavy-duty Indoor/Outdoor 65° H-Plane Directional Panel
ML-2499-7PNA2-01   4                  Indoor/Outdoor 65° H-Plane Diversity Directional Panel
ML-2499-BMMA1-01   3                  Heavy Duty, High Gain Outdoor Mast Mount
ML-2499-SD3-01     1                  Low Profile Ceiling Mount Omni Directional
ML-2499-SDD1-01    1                  Low Profile Dual Integrated Diversity Omni Directional
ML-2499-12PNA2-01  3                  High gain Indoor/Outdoor 60° H-Plane Directional Panel
ML-2499-11PNA2-01  3                  High gain Indoor/Outdoor 120° H-Plane Directional Panel
ML-2499-BYGA2-01   4                  Heavy-duty Outdoor 35° High-gain Directional Yagi          Also valid at Power setting: 3 with 50 ft cable ML-1499-50JK-01; 2 with 100 ft cable ML-1499-100JK-01
ML-2499-BPNA3-01   4                  Heavy-duty Indoor/Outdoor 35° High-gain Directional Panel  Also valid at Power setting: 3 with 50 ft cable, 2 with 100 ft cable
ML-2499-BPDA1-01   5                  Heavy Duty 10° Directional High Gain Parabolic Dish        Use with 100ft cable ML-1499-100JK-01. Also valid at Power setting: 2 with 25ft cable ML-1499-25JK-01; 1 with 100ft cable ML-1499-100JK-01
Use this table to determine the correct European Union power settings for the AP 200 802.11a/b Access Port,
Model CCRF-5030-100-WW (external antenna 802.11a radio only), CCRF-5030-200-WW (external antenna
802.11a/b radio), CCRF-5030-210-WW.
Use this table to determine the correct Japanese power settings for the AP 200 802.11a/b Access Port, Model
Table 10.2 European Union and Japanese Antenna and Power Settings for The AP 200 802.11a/b Access Port
Max Authorized Power Settings, by Additional Cable Length in Feet
Antenna Model      Antenna Type/Pattern                         0           6           10          25          50          100
2.4 GHz
ML-2499-APA2-01    Flexible Rubber Dipole Omni-Directional      Any         Any         Any         Any         Any         Any
ML-2499-HPA3-01    Hi-gain Dipole Omni-directional              Any         Any         Any         Any         Any         Any
ML-2499-PNAHD-01   Hi-gain in/outdoor Panel Directional         Any         Any         Any         Any         Any         Any
ML-2499-7PNA2-01   Panel Directional                            Any         Any         Any         Any         Any         Any
ML-2499-BMMA1-01   Hi-gain in/outdoor Dipole Omni-Directional   Any         Any         Any         Any         Any         Any
ML-2499-SD3-01     Patch Omni-Directional                       Any         Any         Any         Any         Any         Any
ML-2499-SDD1-01    Patch w/diversity Omni-Directional           Any         Any         Any         Any         Any         Any
ML-2499-12PNA2-01  Panel Directional                            2, 3, 4, 5  Any         2, 3, 4, 5  Any         Any         Any
ML-2499-11PNA2-01  Panel Directional                            2, 3, 4, 5  Any         Any         Any         Any         Any
ML-2499-BYGA2-01   In/Outdoor Yagi Directional                  3, 4, 5     2, 3, 4, 5  3, 4, 5     3, 4, 5     Any         Any
ML-2499-BPNA3-01   In/Outdoor Panel Directional                 2, 3, 4, 5  Any         2, 3, 4, 5  2, 3, 4, 5  Any         Any
ML-2499-BPDA1-01   Outdoor Parabolic Dish Directional           5           5           5           5           4, 5        4, 5
Internal Antenna   Omni Directional                             Any         Any         Any         Any         Any         Any
5 GHz
ML-5299-APA1-01    Omni-directional                             Any         N/A         Any         Any         Any         Any
ML-5299-HPA1-01    Hi-gain Dipole                               2, 3, 4, 5  N/A         Any         Any         Any         Any
ML-5299-WPNA1-01   Panel Omni-directional                       Any         N/A         Any         Any         Any         Any
Internal           Omni-Directional                             Any         N/A         N/A         N/A         N/A         N/A
Table 10.3 CCRF-5030-100-WW (external antenna 802.11a radio only), CCRF-5030-200-WW (external antenna
802.11a/b radio), CCRF-5030-210-WW
Max Authorized Power Settings, by Additional Cable Length in Feet
Antenna Model      Antenna Type/Pattern                         0           6           10          25          50          100
2.4 GHz
ML-2499-APA2-01    Flexible Rubber Dipole Omni-Directional      Any         Any         Any         Any         Any         Any
ML-2499-HPA3-01    Hi-gain Dipole Omni-directional              Any         Any         Any         Any         Any         Any
ML-2499-PNAHD-01   Hi-gain in/outdoor Panel Directional         Any         Any         Any         Any         Any         Any
ML-2499-7PNA2-01   Panel Directional                            Any         Any         Any         Any         Any         Any
ML-2499-BMMA1-01   Hi-gain in/outdoor Dipole Omni-Directional   None        None        3, 4        2, 3, 4     Any         Any
ML-2499-SD3-01     Patch Omni-Directional                       2, 3, 4     Any         Any         Any         Any         Any
ML-2499-SDD1-01    Patch w/diversity Omni-Directional           Any         Any         Any         Any         Any         Any
ML-2499-12PNA2-01  Panel Directional                            Any         Any         Any         Any         Any         Any
ML-2499-11PNA2-01  Panel Directional                            Any         Any         Any         Any         Any         Any
ML-2499-BYGA2-01   In/Outdoor Yagi Directional                  2, 3, 4     2, 3, 4     Any         Any         Any         Any
ML-2499-BPNA3-01   In/Outdoor Panel Directional                 2, 3, 4     2, 3, 4     Any         Any         Any         Any
ML-2499-BPDA1-01   Outdoor Parabolic Dish Directional           None        None        4           4           3, 4        2, 3, 4
Internal Antenna   Omni Directional                             Any         N/A         N/A         N/A         N/A         N/A
5 GHz
ML-5299-APA1-01    Omni-directional                             Any         N/A         Any         Any         Any         Any
ML-5299-HPA1-01    Hi-gain Dipole                               Any         N/A         Any         Any         Any         Any
ML-5299-WPNA1-01   Panel Omni-directional                       None        N/A         None        None        None        1
Internal           Omni-Directional                             Any         N/A         N/A         N/A         N/A         N/A
Use this table to determine the correct United States power settings for the AP 200 802.11a/b Access Port,
Model CCRF-5030-100-WW (external antenna 802.11a radio only), CCRF-5030-200-WW (external antenna
802.11a/b radio), CCRF-5030-210-WW.
Note All Symbol Technologies certified antennas can be used on the maximum power
level setting.
Table 10.4 United States Antenna and Power Settings for the AP 200 802.11a/b Access Port
Max Authorized Power Settings, by Additional Cable Length in Feet
Antenna Model      Antenna Type/Pattern                         0           6           10          25          50          100
2.4 GHz
ML-2499-APA2-01    Flexible Rubber Dipole Omni-Directional      2, 3, 4, 5  2, 3, 4, 5  2, 3, 4, 5  2, 3, 4, 5  Any         Any
ML-2499-HPA3-01    Hi-gain Dipole Omni-directional              3, 4, 5     3, 4, 5     3, 4, 5     3, 4, 5     3, 4, 5     2, 3, 4, 5
ML-2499-PNAHD-01   Hi-gain in/outdoor Panel Directional         3, 4, 5     3, 4, 5     3, 4, 5     3, 4, 5     3, 4, 5     2, 3, 4, 5
ML-2499-7PNA2-01   Panel Directional                            3, 4, 5     3, 4, 5     3, 4, 5     3, 4, 5     3, 4, 5     2, 3, 4, 5
ML-2499-BMMA1-01   Hi-gain in/outdoor Dipole Omni-Directional   2, 3, 4, 5  Any         Any         Any         Any         Any
ML-2499-SD3-01     Patch Omni-Directional                       Any         Any         Any         Any         Any         Any
ML-2499-SDD1-01    Patch w/diversity Omni-Directional           2, 3, 4, 5  2, 3, 4, 5  2, 3, 4, 5  2, 3, 4, 5  Any         Any
ML-2499-12PNA2-01  Panel Directional                            4, 5        4, 5        4, 5        4, 5        3, 4, 5     3, 4, 5
ML-2499-11PNA2-01  Panel Directional                            4, 5        4, 5        4, 5        4, 5        3, 4, 5     3, 4, 5
ML-2499-BYGA2-01   In/Outdoor Yagi Directional                  None        None        None        None        None        5
ML-2499-BPNA3-01   In/Outdoor Panel Directional                 None        None        None        None        None        5
ML-2499-BPDA1-01   Outdoor Parabolic Dish Directional           None        None        None        None        None        None
Internal Antenna   Omni Directional                             Any         N/A         N/A         N/A         N/A         N/A
5 GHz
ML-5299-APA1-01    Omni-directional                             Any         N/A         Any         Any         Any         Any
ML-5299-HPA1-01    Hi-gain Dipole                               Any         N/A         Any         Any         Any         Any
ML-5299-WPNA1-01   Panel Omni-directional                       N/A         N/A         N/A         N/A         N/A         N/A
Internal           Omni-Directional                             Any         N/A         N/A         N/A         N/A         N/A
Converting AP-4131 Access Points to RF Ports
You can convert the Symbol AP-4131 model access point to RF Ports for use with the WS5000. The port
conversion enables existing customers to utilize an existing Symbol wireless infrastructure with the WS5000
Series Switch.
A converted AP-4131 is one of the many different types of AP's that can be adopted, configured and monitored
by WS5000. After the conversion, the AP-4131 becomes a thin AP responsible for receiving and transmitting
wireless data. All other functionality (such as 802.11 management, security, and packet switching) is
performed by the switch.
The WS5000 CDROM contains an installation package with new firmware image files for AP-4131:
• ap-4131.bin.img
• ap-4131-revert.bin.img
The WS5000 CDROM also includes the following file used for the initial AP-4131 port conversion:
• ap-4131.bin
11.1 AP-4131 Features in the WS5000 Series Switch
This section describes some of the AP-4131 features in the WS5000 Series Switch.
11.1.1 AP-4131 Port Adoption
A WS5000 Series Switch can adopt different types of Symbol RF ports. The switch supports
AP-100, AP-200, AP-300 and AP-3121 ports. It reuses the existing AP-4131’s implementation and supports
AP-4131 as well. The switch recognizes the AP-4131 model number and uploads the appropriate firmware to the
port.
Note SNMP traps or Syslog messages are not defined for AP-4131 port conversion
support.
11.1.2 AP-4131 Radio Configuration
An AP-4131 contains one 802.11b radio. The AP-4131 radio supports the same set of configuration parameters
as other 802.11b radios supported by the switch (such as power, channel, rates, secure beacon, CCA, and
diversity).
An AP-4131 does not support antenna type detection (external vs. internal). It always displays the antenna type
as Unknown. You must enter a valid Antenna Correction Factor to prevent the radio from transmitting at
power levels illegal for the configured regulatory domain.
11.1.3 Multiple BSS and ESS Support
A converted AP-4131 supports 4 BSSIDs and 16 ESSIDs. It uses the same mapping as other APs with similar
features such as the AP3000 and the AP-200B.
11.1.4 Rate Scaling
The rate scaling algorithm is not impacted by the AP-4131 conversion. Rate information is stored and
communicated to AP-4131 as a bit mask with the rates sorted by their numeric value irrespective of the
AP-4131 modulation (1, 2, 5.5 and 11Mbps).
11.1.5 AP-4131 Features Unavailable after Conversion
When the AP-4131 operates as an access point, it supports Bluetooth Coexistence. Bluetooth Coexistence
allows the AP-4131 and MUs to share network resources with Bluetooth RF terminals during a user-specified
interval. Bluetooth Coexistence is not available after the AP-4131 is converted and adopted by a WS5000
Series Switch.
11.2 Converting AP-4131 to Access Ports
To convert AP-4131 to access ports:
1. Connect the AP4131 to a PC with a serial cable.
2. Open HyperTerminal, select the COM port to which the serial cable is connected, and set the following
parameters:
Baud Rate : 19200
Data: 8 bit
Parity : None
Stop : 1 bit
Flow Control : hardware
The Access Point Configuration Main Menu appears.
3. Enter the Admin mode. The default password is Symbol (it is case-sensitive).
4. Select the Special Functions --> Firmware Update menu.
5. Press the F3 button.
6. Update the access point firmware using the TFTP or XMODEM.
11.2.1 Updating the Access Point Firmware Using the TFTP Program
To update the access point using the TFTP program:
1. Change the firmware filename to ap-413X.bin in the Alter Filename(s)/HELP URL/TFTP Server
section.
2. Change the TFTP server IP address to point to your TFTP server.
3. Select Firmware from the Use TFTP to update Access Points: section and press the enter key.
You can also update the firmware using the TFTP program by configuring the AP4131 applet. The default login
and password (both case-sensitive) for the AP4131 applet are:
Username: admin
Password: Symbol
11.2.2 Updating the Access Point Firmware Using the XMODEM
To update the access point using the XMODEM:
1. Select Firmware from the Use XMODEM to update Access Points: section and press the enter key.
2. Select Transfer menu --> Send from the HyperTerminal. Select the file ap-4131.bin as the file to be
transferred and select the XMODEM protocol. Click Send.
This updates the access point firmware.
After the system updates the firmware, it displays the message: Downloading firmware using
WISP on the HyperTerminal. Now, the AP4131 is ready to get adopted by the switch.
11.2.3 Adding an Access Port
To add an AP-4131 to the WS5000, use the add AP4131 command:
Common to all contexts and instances
Description
Adds new AP-4131 access port to the WS5000 Series Switch
Syntax
WS5000.(Cfg).APPort> add AP4131 <AP MAC> <Radio 1> <Radio 1 MAC> [location] [CR]
Parameters
Name of radio 1 and MAC of radio 1 (B radio) are mandatory; location is optional.
Example
WS5000.(Cfg).APPort> add AP4131 <00A0F8A0A89D> <Radio 1> <00A0F8A1A66E> [location] [CR]
11.2.4 Mapping BSS and ESS IDs
To map up to four ESS IDs to four primary BSS IDs to a converted AP-4131, use the map ap4131 command.
Common to all contexts and instances
Description
Enters four ESS IDs and four primary BSS IDs that are mapped and used for the AP-4131
Syntax
WS5000.(Cfg).APPolicy.[pol_name]> map ap4131 [CR]
Parameters
None
11.3 Reverting to Access Point Functionality
The WS5000 Series Switch can revert a converted AP-4131 to a traditional access point.
To revert an AP-4131 to a traditional access point, the switch must keep multiple versions of the firmware for
the same type of RF port. During adoption, the switch uses the version of the firmware with the highest version
number by default. You can specify a different version of the firmware for the RF port.
To revert an AP-4131 back to access point functionality, the switch includes an additional firmware file (ap4131-revert.bin.img). The firmware version is set to 0.0.0.0 to ensure the file can never be used as a default
adoption file. The file is created using the latest released version of AP-4131 firmware.
To revert the AP-4131:
Select the ap-4131-revert.bin.img file for each AP-4131 requiring conversion.
The switch sends the file to a converted AP-4131 using an existing WISP firmware download.
After the download completes, the AP-4131 becomes an independent access point again. You can apply any
custom releases or patches after the revert procedure completes.
11.4 WS5000 Switch Applet Behavior
The WS5000 Series Switch applet displays three new icons for an adopted AP-4131:
• normal
• alert
• offline
The applet adds ap4131 to 4BSS-16ESS tabs in the WLAN-BSS Mapping screen and the Bandwidth screen.
The applet also adds AP-4131 to the list of device types. AP-4131 has an 802.11b radio with the MAC address
the same as the device MAC address.
Configuring the WS5100 WTLS VPN
A Virtual Private Network or VPN is a protected network connection that tunnels through an unprotected
connection. The WS5100-VPN uses a VPN connection to protect wireless transmissions on the untrusted side
of the switch.
The VPN functionality includes the following:
• On Board VPN server
• Firewall
• Network Address Translation (NAT)
This chapter also includes:
• VPN Session Setup
12.1 Onboard DHCP
Dynamic Host Configuration Protocol (DHCP) automatically assigns IP addresses to computers using TCP/IP. A
DHCP server assigns addresses to computers configured as DHCP clients.
The WS5100 VPN includes two DHCP servers:
1. Onboard DHCP server: This server is on the box and provides a public IP address to the VPN client.
2. VPN DHCP server: This server resides inside the VPN server and provides a private IP address to the VPN
client. The VPN server can relay DHCP requests to an external DHCP server or use its own DHCP server.
Note You can configure the internal DHCP server on the box to provide public IP
addresses to VPN clients. The server uses relay to transfer virtual IP addresses to VPN
clients.
A device on the untrusted side of the network receives a public IP address from the onboard DHCP server. After
the server authenticates the device, it retrieves a virtual IP address using DHCP relay from the external DHCP
server or from the VPN DHCP server. When the device sends and receives packets, the virtual IP address is
“wrapped around” the public address to enforce secure transmission. See Configuring DHCP Server using CLI
in Chapter 1, WS5000 Series Switch Overview.
12.2 On Board VPN server
The VPN functionality introduces the concept of trusted and untrusted networks. A trusted network is a
collection of devices authenticated and authorized to access network resources using a secure network
connection. To ensure that the network is completely secure, the connection should be fixed (wired) and the
network perimeter should be defined (in a secure building, for example).
An untrusted network is any network connection that is not secured (such as wireless, wired internet and
dial-in) and on which the identity of a connected device cannot be directly verified. Each device on the
untrusted LAN segment connects to the trusted network through a VPN tunnel.
Figure 12.1 shows a network with trusted and untrusted segments.
Figure 12.1 Network with Trusted and Untrusted Elements
[Figure labels: WS5100-VPN (Eth1, Eth2), Layer 2 Switch A, Layer 2 Switch B, POE, AP 100, Internet, Wireless Clients, Computer, LAN, WLAN, Trusted Network, Untrusted Network]
12.2.1 DHCP Relay and VPN
DHCP relay is a mechanism that enables an external DHCP server to assign virtual IP addresses. The VPN server
relays DHCP requests to an external DHCP server on the private side.
To configure DHCP relay so that requests for private IP addresses are relayed to the external
DHCP server:
1. Enable DHCP relay and configure the IP address, netmask, and other settings of the external DHCP server as
follows:
WS5000.(Cfg).wvpn.ip_pools> enable
Enabling...Status : Success.
WVPN IP Pools:
DHCP Enabled : yes
Use DHCP Gateway : yes
Available Pools:
1. default.
2. Set the DHCP server IP address to the IP address of the external DHCP server (the server to which you want to relay the DHCP requests):
WS5000.(Cfg).wvpn.ip_pools.[default]> set dhcpServer 1.1.1.1
12.2.2 Dynamic DNS
Each time a VPN client connects to the VPN server, an IP address is allocated for the client. The server then
sends a DNS Update to a pre-configured DNS server. Both the forward and reverse zones are updated. The
master DNS server for the zone is obtained through a DNS SOA query.
The following CLI commands are used to configure the Dynamic DNS settings:
1. Show dynamic DNS settings:
WS5000.(Cfg).WVPN.DDNS>show
The output of this CLI command will look like the following:
DNS Enable : boolean
Time to Live (ttl) : long
Forward Zone : string
Reverse Zone : string
Total DNS addresses : xx
1 : IP address
…
XX : IP address
2. Configure DNS Update Commands
WS5000>configure WVPN DDNS
WS5000.(Cfg).WVPN.DDNS>set updateClientDns
This CLI command sends an updateClientDns request to the AirBeam Safe VPN Server to send new updates to
the DNS server for all clients that are currently established to the AirBeam Safe Server.
WS5000>configure WVPN DDNS
WS5000.(Cfg).WVPN.DDNS>set clearClientDns
This CLI command sends a clearClientDns request to the AirBeam Safe Server to send a delete operation
for all clients that are currently established to the AirBeam Safe Server.
3. Add/Remove DNS Server address
• Add a DNS Server IP address
WS5000>Configure WVPN DDNS
WS5000.(Cfg).WVPN.DDNS>add DnsServerAddr <ip>
This CLI command adds a DNS Server address to the existing list of DNS Server addresses.
• Remove a DNS Server IP address
WS5000>Configure WVPN DDNS
WS5000.(Cfg).WVPN.DDNS>remove DnsServerAddr <ip>
This CLI command removes an existing DNS Server address from the current list of DNS Server
addresses.
4. Configure DNS Properties
• update
WS5000>Configure WVPN DDNS
WS5000.(Cfg).WVPN.DDNS> set enable <Boolean value>
• ttl
WS5000>Configure WVPN DDNS
WS5000.(Cfg).WVPN.DDNS> set ttl <Long value>
• entry (clientName)
WS5000>Configure WVPN DDNS
WS5000.(Cfg).WVPN.DDNS>add entry <String value>
• forwardZone
WS5000>Configure WVPN DDNS
WS5000.(Cfg).WVPN.DDNS> set forwardZone <String value>
• reverseZone
WS5000>Configure WVPN DDNS
WS5000.(Cfg).WVPN.DDNS> set reverseZone <String value>
12.2.3 Certificates
Certificates are security credentials that allow network users to prove their identity. A certificate includes the
owner's public key, the expiration date of the certificate, the owner's name and other information about the
public key owner. The verification of these items is done through a Certificate Authority (CA). A CA is a
company that’s set up to generate individual certificates to requestors upon verification of proof of identity.
The WS5100-VPN requires the following types of certificates:
• A CA certificate that’s used to authenticate the certificate issuer.
• A PKCS12 server certificate, issued by a Certificate Authority.
Both certificates must be made available to the WS5100-VPN by copying them to a switch-accessible TFTP
server.
In addition, the Symbol AirBEAM VPN Client must be loaded on all Mobile Units requesting VPN services. The
AirBEAM Client is used to download the certificate to the device.
12.2.3.1 PKI and PKCS12 Certificates
Public Key Infrastructure is a protocol that creates encrypted public keys using digital certificates from
Certificate Authorities. PKI ensures that each online party is who they claim to be.
PKCS12 is the Personal Information Exchange Syntax Standard and specifies a portable format for storing or
transporting a user's private keys, certificates and miscellaneous secrets. PKCS12 is for client certificates only,
and is used during SSL client authentication. For the WS5100-VPN, even low-end legacy devices (like DOS-based terminals) can use PKCS12 certificates.
For more information on PKCS12, see:
http://www.rsasecurity.com/rsalabs/pkcs/pkcs-12/index.htm
12.2.4 WVPN Authentication
A request for authentication made by a VPN client on the untrusted network can be forwarded to a VPN server
which proxies to the RADIUS server (internal or external). The trusted RADIUS server authenticates the client
and allows VPN client access from the untrusted network to the trusted network.
Note VPN server supports both, internal and external, RADIUS server authentication.
The RADIUS server database can be either Local or LDAP.
12.2.4.1 Simple Authentication
To configure simple authentication (non-RADIUS), set the simple username, password and domain by using the
following CLI command:
WS5100_VPN>conf wvpn auth simple
WS5000.(Cfg).wvpn.auth.simpleAuth>set simpleUser userName
WS5000.(Cfg).wvpn.auth.simpleAuth>set simplePassword ******
WS5000.(Cfg).wvpn.auth.simpleAuth>set simpleDomain domainName
Table 12.1 lists and describes the CLI commands used to configure simple authentication server settings:
Table 12.1 Simple Authentication Settings

To: Show Authentication Server settings. (This command will show all the Authentication Server related configurable parameters)
Use the CLI Command: WS5000>show WVPN AUTH

To: Configure simpleAuthUserName
Use the CLI Command: WS5000.(Cfg).wvpn.auth.simpleAuth>set simpleUser userName

To: Configure simpleAuthPassword
Use the CLI Command: WS5000.(Cfg).wvpn.auth.simpleAuth>set simplePassword ******

To: Configure simpleAuthDomain
Use the CLI Command: WS5000.(Cfg).wvpn.auth.simpleAuth>set simpleDomain domainName

12.2.4.2 RADIUS Authentication
A request for authentication made by a VPN client on the untrusted network can be forwarded to a VPN server
which proxies to the RADIUS server. The RADIUS server authenticates the client and allows VPN client access
from the untrusted network to the trusted network. RADIUS Proxy can be enabled by typing enable at the CLI
command prompt as shown below.
WS5000.(Cfg).wvpn.auth.wvpnradius> enable
Enabling...
Status : Success.
RADIUS authentication status :Enable
The primary and secondary RADIUS servers can be set using either of the following commands in CLI.
WS5000.(CFG).wvpn.auth.wvpnradius>set ?
set <primary/secondary> host <name/IP> [port] [timeout] [retry] [userpwd]
or
set <primary/secondary> <radius_parameter> <value>
Table 12.2 describes how to configure the server by setting the parameters for each RADIUS server. The VPN
server supports any number of servers:
Table 12.2 RADIUS Authentication Setting

To: set the RADIUS host name or IP address.
Parameter used: host
CLI command used:
WS5000.(Cfg).wvpn.auth.wvpnradius>set ?
set <primary/secondary> host <name/IP>
Note To use the on-board RADIUS server to authenticate the VPN clients, set any of the
switch interface IP addresses as the RADIUS IP address (in the configuration above).

To: set the RADIUS port. Default is 1812
Parameter used: port
CLI command used:
WS5000.(Cfg).wvpn.auth.wvpnradius>set ?
set <primary/secondary> port <value>

To: set RADIUS timeout. Value range is 5-20 millisecs
Parameter used: timeout
CLI command used:
WS5000.(Cfg).wvpn.auth.wvpnradius>set ?
set <primary/secondary> timeout <value>

To: set RADIUS retry. Valid range 1-10.
Parameter used: retry
CLI command used:
WS5000.(Cfg).wvpn.auth.wvpnradius>set ?
set <primary/secondary> retry <value>

To: set RADIUS user password. (Dummy password).
Parameter used: userpwd
CLI command used:
WS5000.(Cfg).wvpn.auth.wvpnradius>set ?
set <primary/secondary> userpwd <value>
Note Some servers require the password attribute to be a non-empty string. If this value
is set, this string will be used as the password. This password is usually left blank to ensure
that different RADIUS users are authenticated.

12.2.4.3 IP Pool configuration
Table 12.3 lists and describes the CLI commands used to configure the WVPN IP Pool settings:
Table 12.3 IP Pool Configuration

To: enter WVPN Pool configuration
CLI command used:
Configure wvpn pool [enter]
WS5000.(Cfg).wvpn.pool>

To: add an IP Pool
CLI command used: WS5000.(Cfg).wvpn.pool >add pool <pool name> <begin IP> <end IP>

To: remove an IP Pool
CLI command used: WS5000.(Cfg).wvpn.pool >remove pool <pool name>

To: get the index number
CLI command used: WS5000.(Cfg).wvpn.pool >show pool <pool name>
Output of this command (Index is in bold)
Number of ranges : 1
IP Ranges:
0) 111.111.111.150-111.111.111.160

To: enable/disable use of DHCP Gateway
CLI command used: WS5000.(Cfg).wvpn.pool >enable/disable

To: set ip pool netmask
CLI command used: WS5000.(Cfg).wvpn.pool[pool name] >set netmask <netmask>

To: set IP Pool DHCP Server IP address
CLI command used: WS5000.(Cfg).wvpn.pool[pool name] >set dhcpServer <ip address>

To: set IP Pool default gateway
CLI command used: WS5000.(Cfg).wvpn.pool[pool name] >set defaultGateway <ip address>

To: set IP Pool DNS Address
CLI command used: WS5000.(Cfg).wvpn.pool[pool name] >set dns <ip address>

To: set IP Pool WINS Address
CLI command used: WS5000.(Cfg).wvpn.pool[pool name] >set wins <ip address>

To: set IP Pool domain name
CLI command used: WS5000.(Cfg).wvpn.pool[pool name] >set domain <domain name>

To: set IP Pool NETBIOS Node Type
CLI command used: WS5000.(Cfg).wvpn.pool[pool name] >set nodeType <node type>
Node type can be: H-node, B-node, P-node, & M-node. H-node is the default

To: set IP Pool DHCP Lease Time
CLI command used: WS5000.(Cfg).wvpn.pool[pool name] >set dhcpLeaseTime <duration in seconds>

To: add a range to an existing pool
CLI command used: WS5000.(Cfg).wvpn.pool[pool name] >add range <begin IP> <end IP>

To: remove a range from an existing pool
CLI command used:
WS5000.(Cfg).wvpn.pool[pool name] >remove range <begin IP> <end IP>
OR
WS5000.(Cfg).wvpn.pool[pool name] >remove rangeIndex <index number>

To: set IP Pool Reuse timer
CLI command used: WS5000.(Cfg).wvpn.pool[pool name] >set reuseTime <duration in seconds>
This IP address reuse time is used only when all pool ranges are exhausted.
Once the pool is depleted and a new request is made for an address, the current
list of active IP addresses is checked to see how long each has been idle. IP
addresses that have been idle longer than this reuse time are reallocated and
handed out to the new client.

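The reuse-timer behaviour described for set reuseTime, modelled as an added Python example (not the switch's own code). The class and method names, the 300-second timer and the choice to reclaim the longest-idle address first are assumptions; the model returns the displaced client on every reallocation, since that is the event to log when sessions are later attributed by virtual IP address.

```python
import ipaddress


class VpnIpPool:
    """Toy model of a WVPN IP pool with a reuse timer (illustrative only)."""

    def __init__(self, ranges, reuse_time):
        # ranges: list of (begin_ip, end_ip) strings, both ends inclusive,
        # mirroring "add range <begin IP> <end IP>".
        self.reuse_time = reuse_time
        self.free = []
        for begin, end in ranges:
            lo = int(ipaddress.IPv4Address(begin))
            hi = int(ipaddress.IPv4Address(end))
            if lo > hi:
                raise ValueError(f"range {begin}-{end} is reversed")
            self.free.extend(ipaddress.IPv4Address(n) for n in range(lo, hi + 1))
        # ip -> (client, time of last activity)
        self.active = {}

    def touch(self, ip, now):
        """Record traffic from the client holding ip, resetting its idle clock."""
        ip = ipaddress.IPv4Address(ip)
        client, _ = self.active[ip]
        self.active[ip] = (client, now)

    def release(self, ip):
        """Return an address to the pool when its session ends."""
        ip = ipaddress.IPv4Address(ip)
        del self.active[ip]
        self.free.append(ip)

    def allocate(self, client, now):
        """Return (ip, displaced_client); ip is None if nothing can be handed out."""
        if self.free:
            ip = self.free.pop(0)
            self.active[ip] = (client, now)
            return ip, None
        # Pool depleted: the reuse timer applies only from this point on.
        stale = [
            (now - last_seen, ip)
            for ip, (_, last_seen) in self.active.items()
            if now - last_seen > self.reuse_time
        ]
        if not stale:
            return None, None
        _, ip = max(stale)  # assumption: reclaim the longest-idle address first
        displaced, _ = self.active[ip]
        self.active[ip] = (client, now)
        return ip, displaced


def demo():
    # Constructed sample: a two-address range and a 300-second reuse timer.
    pool = VpnIpPool([("111.111.111.150", "111.111.111.151")], reuse_time=300)
    events = []
    events.append(pool.allocate("mu-a", now=0))
    events.append(pool.allocate("mu-b", now=10))
    events.append(pool.allocate("mu-c", now=200))  # depleted, nobody idle > 300 s
    pool.touch("111.111.111.151", now=400)         # mu-b is still active
    events.append(pool.allocate("mu-c", now=500))  # mu-a idle 500 s: reclaimed
    return [(str(ip) if ip is not None else None, who) for ip, who in events]


if __name__ == "__main__":
    for ip, displaced in demo():
        print(ip, "displaced:", displaced)
```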
12.2.4.4 Certificate configuration
Table 12.4 lists and describes the CLI commands used to configure the WVPN certificate loading, generation
and configuration on the switch:
Table 12.4 Certificate Configuration

To: enter certificate configuration
CLI command used: Configure wvpn cert

To: show the server certificates
CLI command used: WS5000>show cert
Expected output
Certificate end user names:
---------------------------
server
CA Certificate Serial Numbers:
-------------------------------
781077985

To: show the properties of a server certificate
CLI command used: WS5000.(Cfg).wvpn.cert >decode cert <Certificate number>
Expected output
Certificate Information:
Serial number: 1
Issuer: C=ZA; S=Western Cape; localityName=Cape Town; O=Thawte Consulting cc; OU=Certification Services Division; CN=Thawte Server CA; [email protected]
Subject: C=ZA; S=Western Cape; localityName=Cape Town; O=Thawte Consulting cc; OU=Certification Services Division; CN=Thawte Server CA; [email protected]
Valid from 838854000 to 1609459199

To: import a CA certificate
CLI command used: WS5000.(Cfg).wvpn.cert >import caCert <filename>

To: import Server certificate
CLI command used: WS5000.(Cfg).wvpn.cert >import serverCert <PKCS file> <password> [<CA Cert filename>]

To: TFTP a remote file and import a CA certificate
CLI command used: WS5000.(Cfg).wvpn.cert >tftpImport caCert <IP address> <path/filename>

To: TFTP a remote server certificate and import
CLI command used: WS5000.(Cfg).wvpn.cert >import serverCert <TFTP Server IP Address> <PKCS file> <password> [<CA Cert filename>]

To: remove a CA certificate
CLI command used: WS5000.(Cfg).wvpn.cert > remove caCert <Certificate number>

To: show list of uploaded certificates
CLI command used: WS5000.(Cfg).wvpn.cert > directory certs
Expected output
File Name           Bytes   Date & time
anotherca.cer       582     Mar 16 07:39
ca-x509.cer         791     Mar 16 07:39
ca.cer              815     Mar 16 07:39
jiar.cer            578     Mar 16 07:39
jiar.p12            834     Mar 16 07:39
server-x509.cer     873     Mar 16 07:39
test(wtls).cer      390     Mar 16 07:39
test(wtls).p12      3642    Mar 16 07:39
testCA(wtls).cer    405     Mar 16 07:39

12.2.4.5 VPN Session License
A licensing mechanism ensures that the user provides a valid license key to access the VPN. The number of
simultaneous license sessions served by the VPN server is controlled by the license file, /etc/wvpn/license.lk.
This file is unique for every switch and is generated on the basis of the MAC based serial
number of the switch.
The switch, by default, does not support VPN. To enable the VPN you need to supply a valid license file. Table
12.5 lists and describes the CLI commands used to configure the VPN session license:
Table 12.5 Configuring VPN Session License

To: supply a valid license file to enable the VPN session
CLI command used: cfg> set vpnsupport enable <license file>

To: pick the license file from /image
CLI command used: cfg> copy tftp system
Note This CLI picks up the license file and places it at /etc/wvpn/license.lk, which is then
accepted by the VPN server. This CLI also reboots the switch and on restart the WVPN server is
allocated the number of sessions as indicated by the license file.

To: disable the VPN support
CLI command used: cfg> set vpnsupport disable
Note This CLI reboots the switch and disables the VPN on restart.

To: enable the VPN support
CLI command used: cfg> set vpnsupport enable
Note You don’t need to provide the name of the license file as the switch will use the license.lk file
that was either disabled earlier or use the preloaded file.

To: show the status of vpnsupport, whether it's enabled or disabled.
CLI command used: cfg> show vpnsupport

To: show the MAC based serial number that is used to generate a license file
CLI command used: cfg> show vpnsupport

To: increase the number of sessions allowed in license file
CLI command used: cfg> wvpn> set licensefile <license file>
Note This CLI picks up the license file and places it at /etc/wvpn, which is then accepted by the VPN
server. This CLI does not reboot the switch.

The license key is decrypted to yield two items: a MAC address, which must match the switch being configured,
and the number of VPN sessions to allow.
Note A site license will have a customer-specific code embedded into the MAC
address field; in this case the MAC address value will not be a valid address for any
Ethernet device anywhere. This license entitlement will be meant for use by any and all
switches owned by the customer.
Note Both wired and non-wired VPN clients are supported.
12.2.5 AES versus 3DES
The Advanced Encryption Standard (AES) protocol is a block cipher that supports 128, 192 and 256-bit keys and
encryption blocks and is being implemented as a replacement for 3DES (Triple Data Encryption Standard).
The critical advantage of AES over 3DES is that 3DES has been defeated while AES has proven to be much
more difficult to defeat. A further advantage of AES is that it is faster than 3DES.
In addition to being stronger and faster, AES can also protect WS5100-VPN DOS-based clients.
12.2.6 Wireless Transport Layer Security (WTLS)
WTLS is a security level protocol specifically designed to provide authentication and data
integrity for wireless traffic where access devices can change dynamically (such as access port
change due to environmental changes or roaming).
12.2.6.1 WTLS versus IPSec
The WS5100-VPN supports WTLS and not IP security (IPSec) for the following reasons:
• IPSec is a wired security protocol and WTLS provides for wireless communication in a
roaming environment.
• IPSec does not support IP fragmentation which forces packet sizes to be smaller and more
numerous. This increases overhead (by approximately 50%).
• IPSec does not support DOS devices.
• IPSec does not support standard NAT.
• IPSec requires a full session handshake when a connection is lost then restored.
12.2.6.2 WTLS configuration
Table 12.6 lists and describes the CLI commands that are used to configure the WVPN WTLS (Wireless
Transport Layer Security):
Table 12.6 WTLS Configuration

To: enter WTLS submenu
CLI command used:
WS5000> Configure WVPN
WS5000.(Cfg).wvpn> wtls
WS5000.(Cfg).wvpn.wtls>

To: configure the ClientRsaKeySize maximum values
CLI command used: WS5000.(Cfg).wvpn.wtls> set maxClientKey <Integer value>
Key sizes available: 512, 768, 1024, 1536, 2048, 3072, 4096, 7680, 15360

To: configure the ClientRsaKeySize minimum value
CLI command used: WS5000.(Cfg).wvpn.wtls > set minClientKey <Integer value>
Key sizes available: 512, 768, 1024, 1536, 2048, 3072, 4096, 7680, 15360

To: configure the RsaKeySize maximum value
CLI command used: WS5000.(Cfg).wvpn.wtls > set maxRsaKey <Integer value>
Key sizes available: 512, 768, 1024, 1536, 2048, 3072, 4096, 7680, 15360

To: configure the RsaKeySize maximum and minimum values
CLI command used: WS5000.(Cfg).wvpn.wtls > set minRsaKey <Integer value>
Key sizes available: 512, 768, 1024, 1536, 2048, 3072, 4096, 7680, 15360

To: configure the customCipher value
CLI command used: WS5000.(Cfg).wvpn.wtls > set customCipher <Integer value>
Ciphers available: AES256, AES192, AES128, 3DES, DES56, DES40

To: configure the customMac value
CLI command used: WS5000.(Cfg).wvpn.wtls > set customMac <Integer value>
MACs available: MD5_128, MD5_80, MD5_40, SHA_512, SHA_384, SHA_256, SHA_160, SHA_80, SHA_40

To: configure requireClientCertificate
CLI command used: WS5000.(Cfg).wvpn.wtls > set requireClientCertificate <Boolean value>

To: configure keyRefresh
CLI command used: WS5000.(Cfg).wvpn.wtls > set keyRefresh <Integer value>

To: configure securityMode
CLI command used: WS5000.(Cfg).wvpn.wtls > set securityMode <string>
The modes are: customSecurity, defaultSecurity

To: configure serverNumber
CLI command used: WS5000.(Cfg).wvpn.wtls > set serverNumber <Integer value>

To: show WTLS settings (This command will show all the WTLS related configurable parameters)
CLI command used: WS5000>show WVPN WTLS

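An added example (not from the guide or the switch software): a Python check of a planned WTLS parameter set against the value lists in Table 12.6. The 2048-bit RSA floor, the rejection of DES/3DES and of MD5 or truncated MACs, and the dictionary layout are assumptions chosen as a policy baseline; the cipher and MAC are given by name because the page does not show how the CLI's <Integer value> maps to them.

```python
# Values the guide lists as selectable for the WTLS settings.
KEY_SIZES = (512, 768, 1024, 1536, 2048, 3072, 4096, 7680, 15360)
CIPHERS = ("AES256", "AES192", "AES128", "3DES", "DES56", "DES40")
MACS = ("MD5_128", "MD5_80", "MD5_40", "SHA_512", "SHA_384",
        "SHA_256", "SHA_160", "SHA_80", "SHA_40")
MODES = ("customSecurity", "defaultSecurity")

# Assumed policy baseline (not from the guide): tune to your own standard.
MIN_RSA_BITS = 2048
WEAK_CIPHERS = {"3DES", "DES56", "DES40"}
MIN_MAC_BITS = 160  # rejects truncated MACs; MD5 is rejected by name


def audit_wtls(settings):
    """Return a sorted list of (severity, setting, message) findings."""
    findings = []

    def add(severity, key, message):
        findings.append((severity, key, message))

    for key in ("minClientKey", "maxClientKey", "minRsaKey", "maxRsaKey"):
        bits = settings.get(key)
        if bits not in KEY_SIZES:
            add("error", key, f"{bits!r} is not a listed key size")
        elif key.startswith("min") and bits < MIN_RSA_BITS:
            add("high", key, f"accepts {bits}-bit RSA keys; baseline is {MIN_RSA_BITS}")

    for lo, hi in (("minClientKey", "maxClientKey"), ("minRsaKey", "maxRsaKey")):
        a, b = settings.get(lo), settings.get(hi)
        if a in KEY_SIZES and b in KEY_SIZES and a > b:
            add("error", lo, f"{lo} ({a}) exceeds {hi} ({b})")

    cipher = settings.get("customCipher")
    if cipher not in CIPHERS:
        add("error", "customCipher", f"{cipher!r} is not a listed cipher")
    elif cipher in WEAK_CIPHERS:
        add("high", "customCipher", f"{cipher} selected; use an AES option")

    mac = settings.get("customMac")
    if mac not in MACS:
        add("error", "customMac", f"{mac!r} is not a listed MAC")
    else:
        algo, bits = mac.split("_")
        if algo == "MD5" or int(bits) < MIN_MAC_BITS:
            add("high", "customMac", f"{mac} selected; baseline is SHA with >= {MIN_MAC_BITS} bits")

    if settings.get("securityMode") not in MODES:
        add("error", "securityMode", "mode must be customSecurity or defaultSecurity")

    if settings.get("requireClientCertificate") is not True:
        add("medium", "requireClientCertificate",
            "clients are not required to present a certificate")

    return sorted(findings)


# Constructed sample inputs: a permissive parameter set and a tightened one.
WEAK_SAMPLE = {
    "minClientKey": 512, "maxClientKey": 4096,
    "minRsaKey": 1024, "maxRsaKey": 2048,
    "customCipher": "DES56", "customMac": "MD5_80",
    "requireClientCertificate": False, "securityMode": "customSecurity",
}
HARDENED_SAMPLE = {
    "minClientKey": 2048, "maxClientKey": 4096,
    "minRsaKey": 2048, "maxRsaKey": 4096,
    "customCipher": "AES256", "customMac": "SHA_256",
    "requireClientCertificate": True, "securityMode": "customSecurity",
}

if __name__ == "__main__":
    for name, sample in (("weak", WEAK_SAMPLE), ("hardened", HARDENED_SAMPLE)):
        print(name)
        for finding in audit_wtls(sample):
            print("  ", *finding)
```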
12.3 VPN Session Setup
Figure 12.2 VPN Network Setup
12.3.1 Switch Setup
Table 12.7 lists and describes the CLI commands used to configure the various switch parameters.
Table 12.7 Switch Setup

To: set VPN support status
Use:
set vpnsupport enable <license file> [CR]
set vpnsupport disable [CR]
WS5000.(Cfg)> set vpnsupport enable
This command will reset the system.
Are you sure (yes/no) : yes

To: set up a new WLAN
Use:
WS5000.(Cfg)>wlan add SampleWlan SampleEssid
Where SampleEssid is the ESSID

To: set up Access Port Policy
Use:
WS5000.(Cfg)>appolicy
WS5000.(Cfg).APPolicy> add SampleAPPolicy
WS5000.(Cfg).APPolicy.[SampleAPPolicy]> add SampleWlan

To: set up Security Policy
Use:
Create a new security policy SampleSecurity and assign it to SampleWlan.
WS5000.(Cfg)>securitypol
WS5000.(Cfg).SecurityPolicy> add SampleSecurity
Go to Wlan context
WS5000.(Cfg).WLAN.[SampleWlan]> set security SampleSecurity
In the SampleSecurity Policy context enable VPN authentication:
WS5000.(Cfg)>securitypol
WS5000.(Cfg).SecurityPolicy>SampleSecurity
WS5000.(Cfg).SecurityPolicy.[SampleSecurity]>set vpn enable

To: set up Ether Policy
Use:
WS5000.(Cfg)> etherpolicy
WS5000.(Cfg).EtherPolicy> add SampleEtherPolicy
WS5000.(Cfg).EtherPolicy.[SampleEtherPolicy]>vlan LAN1
WS5000.(Cfg).EtherPolicy.[SampleEtherPolicy].Vlan.[LAN1]>set wlan SampleWlan
WS5000.(Cfg).EtherPolicy.[SampleEtherPolicy].Vlan.[LAN1]> ..

To: set up Switch Policy
Use:
WS5000.(Cfg)> spolicy
WS5000.(Cfg).SPolicy> add SampleSwitchPolicy
WS5000.(Cfg).SPolicy.[SampleSwitchPolicy]> set countrycode US
WS5000.(Cfg).SPolicy.[SampleSwitchPolicy]> set etherpolicy SampleEtherPolicy
WS5000.(Cfg).SPolicy.[SampleSwitchPolicy]> set appolicy SampleAPPolicy
WS5000.(Cfg).SPolicy.[SampleSwitchPolicy]> set adoptionlist default allow SampleAPPolicy

To: activate the Switch Policy
Use: WS5000.(Cfg)> set switchpolicy SampleSwitchPolicy

To: set up DHCP Server
Use:
Ethernet interface 1 is configured by default to 10.1.1.101
WS5000.(Cfg)> Ethernet 1
WS5000.(Cfg).Ethernet.[1]> set dhcp_IP_Range 10.1.1.102 10.1.1.110
WS5000.(Cfg).Ethernet.[1]> set dhcpsrv enable

12.3.2 WVPN Setup
Download the CA certificate, server certificate, and server certificate keys on the switch using FTP or TFTP. The
server certificate keys should be in pfx/p12 format. Ensure the date and time on the switch are correct by using
WS5000.(Cfg)> date
Wed Aug 24 09:09:37 PDT 2005
Use the following CLI commands to download the CA certificate, server certificate, and server certificate keys
on the switch:
WS5000.(Cfg)> wvpn
WS5000.(Cfg).wvpn> cert
WS5000.(Cfg).wvpn.cert> import caCert /image/cacert.cer
WS5000.(Cfg).wvpn.cert> import serverCert ?
import serverCert <server_pkcs12_key_file> <password> [<server_cert_file>]
Note File names must always be accompanied by directory path. For example: /certs/ca.cer
WS5000.(Cfg).wvpn.cert> import serverCert /image/server.p12 password server.cer
Certificates can also be placed on the tftp server. The tftp server import can be done by issuing the following
CLI commands:
WS5000.(Cfg).wvpn.cert> tftpimport caCert 192.168.4.3 cacert.cer
WS5000.(Cfg).wvpn.cert> tftpimport serverCert 192.168.4.3 server.p12 <keypassword> server.cer
Where 192.168.4.3 is the address of the tftp server.
Table 12.8 lists and describes the CLI commands used to configure the various WVPN parameters.
Table 12.8 WVPN Setup

To: set up the Authentication
Use:
WS5000.(Cfg)> wvpn auth
WS5000.(Cfg).wvpn.auth> simple
WS5000.(Cfg).wvpn.auth.simpleAuth> set simpleUser test
WS5000.(Cfg).wvpn.auth.simpleAuth> set simplePassword test
WS5000.(Cfg).wvpn.auth.simpleAuth> set simpleDomain test

To: Configuring IP Pools and the DHCP server for WVPN.
Use:
WS5000.(Cfg)> wvpn ip_pools
WS5000.(Cfg).wvpn.ip_pools> add pool default 192.168.4.70 192.168.4.90
WS5000.(Cfg).wvpn.ip_pools> default
WS5000.(Cfg).wvpn.ip_pools.[default]> set dhcpServer 10.1.1.101
WS5000.(Cfg).wvpn.ip_pools.[default]> set defaultGateway 10.1.1.101
WS5000.(Cfg).wvpn.ip_pools.[default]> set dns 1.1.1.1
Make sure you have at least one ip_pool with name default.

Note The above setup (Configuring IP Pools and the DHCP server for WVPN) is based
on an onboard VPN DHCP server. The configuration for using an external/corporate
DHCP server is the same except you need to provide the IP, defaultGateway and DNS of the
external DHCP server.
12.3.3 Starting VPN Service
VPN service can be started once you download the CA certificate, server certificate, and server certificate
keys on the switch. To start the VPN service use
WS5000.(Cfg).wvpn> enable
The expected output of this command is
Enabling...
Status : Success.
WVPN Management:
WVPN available : true
WVPN Status : Started
WVPN Server Address : 10.1.1.101 / 10.0.1.73
WVPN Server Port : 9102
WVPN Unused session timeout : 48h 0m (172800 secs)
WVPN Debug level : Debug Info Disabled
WVPN DOS Support : no
WVPN DOS Port : 9103
WVPN Client keep alive : 10 seconds
WVPN Maximum VPN Licenses : 250
WVPN Currently In-Use VPN Licenses : 0
WVPN License Type : Evaluation version,Total eval days 30,Eval days left 30
12.3.4 Client Setup
Open Mobile Companion on the client and create a new profile and enter a valid ESSID in the ESSID field.
Set the IP Config tab to DHCP and encryption to Open System to enable WEP encryption on the server side. Set
the Operating mode to infrastructure and the country code to USA.
12.3.4.1 Installing Certificates
Transfer the CA Certificate using ActiveSync (or any other program) to a hand-held and import these
certificates in the VPN client. You can import the certificates by clicking on the
AirBeam->Certificates->CA Certificates menu.
Click Import and browse for the folder where the certificates were transferred during ActiveSync transfer.
Click on the Certificate to install the certificates on the hand-held. Repeat the process for all the certificates
that need to be imported.
12.3.5 Testing VPN Session Setup
Open the Mobile Companion and connect it to a switch (via the access port). This establishes a basic IP
connectivity via the WLAN and the client can obtain the outer IP address via DHCP (The range is between
10.1.1.102 to 10.1.1.110). You can now ping the public interface (In this case it is 10.1.1.101) of the switch from
the Mobile Companion in the hand-held.
To establish the VPN connection, open Air Beam and go to AirBeam->Profiles->Settings and set the VPN
server address in the Air Beam to point to the VPN Server. Change the Host to 10.1.1.101 and Port to
9102. Then establish the VPN connection using AirBeam->Connect option.
A successful authentication will create a virtual interface which will give access to the trusted network. This
provides access to the private interface/network of the switch.
Once the sessions are established use the config show sessions command to examine the established VPN
sessions. You should be able to see all VPN sessions established in the switch using following CLI command:
WS5000.(Cfg)> show sessions
12.3.6 Troubleshooting
Problem 1: The Access Ports are not adopted.
Possible Reasons:
1. You don't have a valid license key.
2. The country code in the switchpolicy is not set.
3. The MAC address corresponding to the Access Port is in the access port deny list of the switchpolicy.
4. The default action for the switchpolicy is deny.
Problem 2: The show mu command does not show the hand-held in the list of mobile units although the
hand-held shows it is connected.
Possible Reasons:
1. The hand-held is not associated with the essid of the switch. It is associated with some other essid. In this
case, make sure you associate with the essid of the switch.
Problem 3: The show mu command shows the hand-held in the list of mobile units but the IP address of the
hand-held is 0.0.0.0 or 169.x.x.x.
Possible Reasons:
1. The DHCP server is not running on Ethernet interface 1 of the switch. Enable the DHCP server on the
switch.
2. The IP Pool Range is not set for the DHCP server on Ethernet interface 1.
3. The etherpolicy is not configured properly on the switch. Make sure you have followed all the steps for
creating a new etherpolicy and associating it with the active switch policy.
4. The hand-held is not configured properly. If encryption is used on the switch, make sure the hand-held
has the proper encryption settings. This can be done by editing the profile for the current essid in Mobile
Companion and setting the correct encryption key.
Problem 4: The hand-held gets an IP address but Airbeam safe fails to connect to the VPN server.
Possible Reasons:
1. The VPN server address is not set properly in Airbeam safe. This can be done by setting the Host value
in Airbeam safe to the IP address of Ethernet 1.
2. The default ip pool is not present in the switch. Make sure you create a "default" ip pool and set the DNS
and DefaultGetway entries for this pool.
3. The ip_pool has the dhcp server enabled.
4. Certificates are not properly installed on the switch. Install both client and server certificates on the
client.
5. CA certificates are not installed on the hand-held. Install the proper certificates on the hand-held.
6. The date settings of the hand-held are not current. Change the date setting of the hand-held to the
current date.
Problem 5: The hand-held loses its IP address after some time. It shows 0.0.0.0 as the IP address on renewing
the IP address.
Possible Reasons:
1. This may be caused by a problem in the hand-held. Try warm-booting the hand-held.
12.4 Firewall
With the introduction of VPN services, the WS5000 acts as a device at the boundary between a public and a
private network. As such, it must act not only as an encryption/decryption point but also as a gateway and a
firewall between the two networks. Firewall and Port Filter functionality is therefore required to filter
traffic based on a configured list of hosts. It also provides selective enable/disable of web (http or https), telnet
and ftp on the management interface.
The WS5000 acts as a gateway and a firewall between a public and a private network as follows:
• Public: Un-Trusted LAN
• Private: Trusted LAN
The WS5000 provides limited stateless firewall functionality for a configurable list of peers on the private and public
networks. Firewall filtering is based on the existing packet classification engine. Part of the existing packet
classification functionality allows traffic that matches classifiers to be allowed or denied. The same
functionality is used to implement firewall filtering.
The following policies are applied to packets from the different types of hosts:
1. LAN 1 - This LAN object refers to all the clients configured on Ethernet 1 (ep = 1 by default).
2. LAN 2 - This LAN object refers to all the wired clients (non-VPN) configured on Ethernet 2 (ep = 2 by
default).
3. LAN_VPN - This LAN object refers to wired VPN clients (ep = 3, which refers to the virtual interface for VPN
clients). The IN policy is applied before the packets from the private LAN are forwarded from the Packet
Switch to the VPN server. The OUT policy is applied to the packets as the VPN server sends them to the
private LAN.
The filters can be applied in any of the LAN contexts by attaching a network policy to the LAN object.
Filters for MUs with or without VPN are applied by attaching a Network Policy to the WLAN object in the appolicy
context.
4. Wired hosts without VPN - Filtering uses IN and OUT policies that are associated with a LAN
configuration object.
Note: You can create any number of LAN objects, but at any given instance only one LAN
object can be associated with a particular Ethernet port.
Table 12.9 lists and describes the CLI commands used to manage the firewall in the WS5000:
Table 12.9 Managing Firewall
| To | CLI command |
| --- | --- |
| enter firewall context | WS5000.(Cfg)> fw |
| add a new LAN - lan3 | WS5000.(Cfg).Fw> add lan3 |
| add a network policy to the lan3 | WS5000.(Cfg).Fw.[lan3]> set np testnppolicy |
| add port filter configuration to lan3 | WS5000.(Cfg).Fw> addpf lan3 |
| show lan3 configuration | WS5000.(Cfg).Fw> lan3 |
| remove lan3 | WS5000.(Cfg).Fw> remove lan3 |
| show details of all LAN | WS5000.(Cfg).Fw> show |
| set Ethernet port to lan3 | WS5000.(Cfg).Fw.[lan3]> set ep 1 |
| set network policy for lan3 | WS5000.(Cfg).Fw.[lan3]> set np testnppolicy |
| disable ftp on lan3 | WS5000.(Cfg).Fw> addpf lan3 deny ftp |
| enable ftp on lan3 | WS5000.(Cfg).Fw> addpf lan3 allow web |
| set description for lan3 | WS5000.(Cfg).Fw.[lan3]> set desc "Lan 3" |
allow web
12.5 Network Address Translation (NAT)
Twice NAT is used for non-VPN clients to establish communication with the trusted side network. When the
NAT feature is enabled, the switch can alter the source and destination IP addresses of packets so that hosts
on different subnets can communicate with each other.
For instance, when VPN is used, the real IP addresses of MUs are allocated from a different subnet from
trusted wired hosts. A host cannot communicate with another host on a different subnet without an
intermediate router. This does not pose a problem for MUs that run the VPN client. They communicate with
trusted hosts, since the VPN server performs the IP address translation. However, MUs not running a VPN
session will be unable to do so. To get around this problem, the switch can translate the source and destination
IP addresses between the MU and the wired host so that the MU can address the latter with an IP address on its
own subnet and vice versa.
Figure 12.2.1 displays the issues that need to be addressed to have an external device at address a.b.c.1
communicate with a device behind the firewall at address x.y.z.1:
Figure 12.3 Configuring NAT
12.5.1 Twice NAT Commands
To add the NAT entry pairs associating the local NAT address and the real IP address, go to the
conf.fw.eth2 context and use the set addnat command:
WS5100_VPN> config fw eth2
WS5100_VPN.(Cfg).Fw.[eth2]> set addnat ?
Syntax: set addnat <"remoteRealIp,localNatIp">
In this command, a NAT entry was added in the eth2 LAN.
To delete a NAT entry, use set delnat and specify the addresses to be deleted.
To add a range of NAT addresses, use set addrange:
WS5100_VPN.(Cfg).Fw.[eth2]> set addrange ?
Syntax: set addrange <"remoteRealIp,localNatIp,numEntries">
In this command, a range of NAT addresses was added in the eth2 LAN.
To delete a range of NAT addresses, use set delrange and specify the range to be deleted.
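The following is an added example, not part of the original guide or the switch software: it parses the argument strings that set addnat and set addrange take, expands a range into its individual pairs, and checks a planned set of entries for conflicts before they are typed into the switch. The function names and all addresses are constructed, and the pairing of consecutive addresses within a range is an assumption about how numEntries is applied.

```python
import ipaddress


def parse_addnat(arg):
    """Parse the "remoteRealIp,localNatIp" argument of `set addnat`."""
    real, nat = (ipaddress.IPv4Address(part.strip()) for part in arg.split(","))
    return [(real, nat)]


def parse_addrange(arg):
    """Expand the "remoteRealIp,localNatIp,numEntries" argument of `set addrange`."""
    real_s, nat_s, count_s = (part.strip() for part in arg.split(","))
    real = ipaddress.IPv4Address(real_s)
    nat = ipaddress.IPv4Address(nat_s)
    count = int(count_s)
    if count < 1:
        raise ValueError("numEntries must be at least 1")
    # Assumption: entry i of a range pairs (real + i) with (nat + i).
    # Adding past 255.255.255.255 raises ValueError, so a range cannot wrap.
    return [(real + i, nat + i) for i in range(count)]


def audit(pairs):
    """Return a list of problems found in a planned set of (real, nat) pairs."""
    problems = []
    nat_of = {}   # real address -> NAT address first seen for it
    real_of = {}  # NAT address -> real address first seen for it
    for real, nat in pairs:
        if real == nat:
            problems.append(f"{real} is mapped to itself")
        if nat_of.setdefault(real, nat) != nat:
            problems.append(
                f"real {real} has two NAT addresses: {nat_of[real]} and {nat}")
        if real_of.setdefault(nat, real) != real:
            problems.append(
                f"NAT {nat} is claimed by both {real_of[nat]} and {real}")
    return problems


def planned_example():
    """Constructed plan: one single entry, one range, one conflicting entry."""
    pairs = parse_addnat("192.168.10.50,10.1.1.50")
    pairs += parse_addrange("192.168.10.60,10.1.1.60,4")
    pairs += parse_addnat("192.168.10.62,10.1.1.99")  # collides with the range
    return pairs


if __name__ == "__main__":
    plan = planned_example()
    for real, nat in plan:
        print(f"{real} <-> {nat}")
    for problem in audit(plan):
        print("PROBLEM:", problem)
```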
Neighboring APs
Access ports send out beacons at periodic intervals. By default, an access port sends out one beacon frame every
100 milliseconds. If more than one Access Port is connected to the WS5000 switch and all such Access Ports
are adopted, each Access Port receives beacons from its neighboring access ports. These beacon frames
are passed to the WS5000 Switch.
The switch maintains a table, on an adopted AP - found AP basis, along with other information such as the signal
strengths. The switch also maintains a similar table for the APs detected by an associated Mobile Unit
(only Symbol Mobile Units support this).
The following are the details of the two tables, accessible through SNMP:
13.1 ccPortalBeaconRptTable
This table describes the identification information and the signal values (in dBm) of beacons heard from
other Portals.
This table is indexed on:
a. ccRapResultsRogueIndex
b. ccPortalBeaconRptPortalIndex
Table 13.1 ccPortalBeaconRptTable
| Field | Type | Description |
| --- | --- | --- |
| ccRapResultsRogueIndex | Integer | The index of the neighbor AP that has been heard. |
| ccPortalBeaconRptPortalIndex | Integer | The index of the portal (adopted by the switch) that has detected the neighboring AP. |
| ccPortalBeaconRptNumBeaconsHeard | Counter32 | Number of beacons reported in this entry. |
| ccPortalBeaconRptBest | Integer32 | The strongest beacon signal strength heard. |
| ccPortalBeaconRptWorst | Integer32 | The weakest beacon signal strength heard. |
| ccPortalBeaconRptSum | Integer32 | The sum of all signal values heard. |
| ccPortalBeaconRptSumSquares | Counter64 | The sum of each signal value heard, squared before summing. |
| ccPortalBeaconRptMostRecent | Integer32 | The most-recent value of signal heard for a beacon. |
| ccPortalBeaconRptLastHeard | DisplayString | The time at which the Finder AP last heard from the Found AP. |
| ccPortalBeaconRpFinderMac | DisplayString | The MAC address of the finder AP. |
| ccPortalBeaconRpFoundMac | DisplayString | The MAC address of the found AP. |
13.2 ccMuProbeRptTable
This table reports the APs detected by a Mobile Unit. It has information on the signal strength and when
the Mobile Unit last heard from the AP. It is indexed on:
a. ccMuMac
b. ccPortalIndex
Table 13.2 ccMuProbeRptTable
| Field | Type | Description |
| --- | --- | --- |
| ccMuProbeRptSignalMostRecent | Integer32 | The signal strength (in dBm) of the most-recently heard beacon from the AP, as reported by the MU. |
| ccMuProbeRptLastHeard | DisplayString | Snapshot of sysUpTime at the time the prior item(s) in this entry were last updated. |
| ccMuProbeRptFinderMac | DisplayString | The MAC address of the MU that detected beacons from the Found AP. |
| ccMuProbeRptFoundMac | DisplayString | The MAC address of the AP that was detected by the MU. |
13.3 Management Interface
The above tables are populated when the RogueAP/DetectorAP scan is enabled or the MU scan is enabled
in the RogueAP CLI context. You can also enable these using the RogueAP feature within the GUI.
Enhanced RF Statistics
Enhanced RF Stats is a feature for monitoring the RF environment of the wireless switch system. RF stats include
an extensive set of RF parameters, which are maintained by the wireless switch and sourced from the
data packets and the WISP packets that are transmitted to and from the switch. All the statistics are gathered
at runtime and none of these parameters are persistent, so on a reboot all these parameters are reset. The
system provides only an SNMP interface to query the parameters. All the parameters are read-only. The
parameters include AP, Radio and MU statistics. Radio and MU statistics each in turn have Static, Raw and Derived
parameters, which are grouped based on type. For the AP, only the static parameters are supported. The
SNMP tables and their contents are described below.
This chapter also describes how Enhanced RF Statistics can be used to detect common wireless networking
problems, in Explanation of Enhanced RF Statistics on page 14-32.
14.1 ccApTable
DESCRIPTION: This table contains general information related to an AP. It holds details regarding the APs
connected to the switch and all their packet information. It identifies all access ports and their radios (called
“Portals”) associated with the wireless switch.
INDEXED ON: ccApIndex
| Field | Type | Description |
| --- | --- | --- |
| ccApIndex | Integer32 | Small, arbitrary integer index. |
| ccApNicMac | PhysAddress | MAC Address of Access Port. |
| ccApModelNumber | DisplayString | Model number of Access Port. |
| ccApSerialNumber | DisplayString | Serial number of this Access Port. |
| ccApPcbRevision | DisplayString | Revision of the printed circuit board for this Access Port. |
| ccApBootLoaderRev | DisplayString | Revision of the boot loader code in this Access Port. |
| ccApWispVersion | DisplayString | Version of the WISP (AP / Switch) protocol implemented by this Access Port. |
| ccApRuntimeFwVersion | DisplayString | Version of run-time code on this Access Port. |
| ccApNumPortals | Unsigned32 | The number of portals implemented on this Access Port. |
| ccApPointersToPortals | MultiPointer255 | If bit <n> of this value is set, this ApTable entry 'points' to entry <n> in the portal Table. Such a reference conveys that the portal entry pointed-to represents a portal contained in the Access Port represented by this entry. Note: Since one Access Port can implement 1, 2, (and in the future possibly more) portals, this 'pointer' field is a bit-mask. |
14.2 ccPortal
14.2.1 ccPortalTable
DESCRIPTION: It contains all the general information related to each portal. It identifies all access ports and
their radios (called “Portals”) associated with the wireless switch.
The ccPortalTable lists all radios (“Portals”) currently adopted by the wireless switch.
INDEXED ON: ccPortalIndex
| Field | Type | Description |
| --- | --- | --- |
| ccPortalIndex | INTEGER | Small, arbitrary integer index. |
| ccPortalPointerToAp | SinglePointer | This value is the index in the ApTable for the entry representing the Access Port that contains this portal. Since each portal has one and only one Access Port as 'Parent', this value is a simple integer, not a bit-mask. |
| ccPortalPointersToWlans | MultiPointer63 | Reserved for future implementation. |
| ccPortalName | DisplayString | Name of this portal, as assigned by the web UI or CLI. |
| ccPortalLocation | DisplayString | Location string for this portal, as assigned by the Web UI or CLI. |
| ccPortalOptions | BITS | This value describes the presence/absence of internal and/or external primary and/or secondary antennas. It also indicates if the portal supports DTIM per BSS and/or WME. |
| ccPortalMac | PhysAddress | MAC address of the portal. |
| ccPortalNumberofEss | Integer32 | The number of ESSs implemented by this portal. |
| ccPortalNumberOfBss | Integer32 | The number of BSSs implemented by this portal. |
| ccPortalAssociatedMus | Integer32 | The number of MUs currently associated to this portal. |
| ccPortalRadioType | RadioType | Radio type of the portal. |
| ccPortalChannel | INTEGER | The value describes the channel the portal is currently operating on. |
| ccPortalTxPowerLevel | Integer32 | Output power level for the portal. |
| ccPortalLastAdoption | TimeTicks | The number of time-ticks elapsed since this portal got adopted. |
| ccPortalState | INTEGER | This indicates the current state of the portal. It can be one of: offline, active, alert, reset. |
| ccPortalBackgroundNoiseNumSamples | Counter32 | The number of samples used to compute the background noise statistics. |
| ccPortalBackgroundNoiseBest | Integer32 | The least value of the background noise heard till now, expressed in dBm. |
| ccPortalBackgroundNoiseWorst | Integer32 | The maximum value of the background noise heard till now, expressed in dBm. |
| ccPortalBackgroundNoiseSum | Integer32 | Sum of the noise values (in dBm). Note: This value is normally a negative value ranging from 10dBm to -80dBm. It is possible for this value to be positive, but that would be rare, and would signal an exceptionally strong signal. |
| ccPortalBackgroundNoiseSumSquares | Counter64 | Sum of the squares of the noise values (in dBm). (This value can be used to calculate the standard deviation for noise values.) |
14.2.2 ccPortalLastMac
| Field | Type | Description |
| --- | --- | --- |
| ccPortalLastMac | PhysAddress | This scalar records the MAC address of the most recent portal to be Adopted, UnAdopted, or Denied. |
14.2.3 ccPortalLastReason
| Field | Type | Description |
| --- | --- | --- |
| ccPortalLastReason | Integer | This value indicates the reason for the most-recent portal UnAdoption or Denial. |
14.2.4 ccPortalSystemStatsTable
DESCRIPTION: The table contains statistics related to the management packets sent/received by each portal.
INDEXED ON: ccPortalIndex
| Field | Type | Description |
| --- | --- | --- |
| ccPortalSystemStatsBeaconTx | Integer32 | The number of beacons sent. |
| ccPortalSystemStatsBeaconsTxOctets | Unsigned32 | The number of octets sent in beacons. |
| ccPortalSystemStatsProbeReqRx | Unsigned32 | The number of probe request packets received. |
| ccPortalSystemStatsProbeReqRxOctets | Unsigned32 | The number of octets received in probe request packets. |
| ccPortalSystemStatsProbeRespRetriesNone | Unsigned32 | The number of probe response packets sent with no retries. |
| ccPortalSystemStatsProbeRespRetries1 | Unsigned32 | The number of probe response packets sent with 1 retry. |
| ccPortalSystemStatsProbeRespRetries2 | Unsigned32 | The number of probe response packets sent with 2 retries. |
| ccPortalSystemStatsProbeRespRetries3OrMore | Unsigned32 | The number of probe response packets sent with 3 or more retries. |
| ccPortalSystemStatsProbeRespRetriesFailed | Unsigned32 | The number of probe response packets that were never successfully transmitted because the max retry count was reached. |
| ccPortalSystemStatsProbeRespTxOctets | Unsigned32 | The number of octets successfully transmitted in probe response packets. (For example, the octets in a probe response that is transmitted twice - i.e. one retry - only counts once in this sum.) |
14.2.5 ccPortalStatsTable
DESCRIPTION: This table describes general statistics about data packets sent/received through each portal on
the switch.
INDEXED ON: ccPortalIndex
| Field | Type | Description |
| --- | --- | --- |
| ccPortalTxPktsUcast | Counter32 | Count of unicast packets sent through the portal. |
| ccPortalRxPktsUcast | Counter32 | Count of unicast packets received through the portal. |
| ccPortalRxPktsNUcast | Counter32 | Count of non-unicast (broadcast & multicast) packets received through the portal. |
| ccPortalTxOctetsUcast | Counter32 | Count of unicast octets transmitted through the portal. |
| ccPortalRxOctetsUcast | Counter32 | Count of unicast octets received through the portal. |
| ccPortalRxOctetsNUcast | Counter32 | Count of non-unicast (broadcast & multicast) octets received through the portal. |
| ccPortalRxUndecryptablePkts | Counter32 | Count of packets received through the portal that could not be decrypted. |
| ccPortalLastActivity | TimeTicks | The number of time ticks elapsed since portal’s last activity. |
14.2.6 ccPortalRxPktsTable
DESCRIPTION: This table gives the statistics of the packets received by a portal at various rates.
INDEXED ON: ccPortalIndex
| Field | Type | Description |
| --- | --- | --- |
| ccPortalRxPktsAt1Mb | Counter32 | Number of packets received through this portal at 1 Mbps. |
| ccPortalRxPktsAt2Mb | Counter32 | Number of packets received through this portal at 2 Mbps. |
| ccPortalRxPktsAt5pt5Mb | Counter32 | Number of packets received through this portal at 5.5 Mbps. |
| ccPortalRxPktsAt6Mb | Counter32 | Number of packets received through this portal at 6 Mbps. |
| ccPortalRxPktsAt9Mb | Counter32 | Number of packets received through this portal at 9 Mbps. |
| ccPortalRxPktsAt11Mb | Counter32 | Number of packets received through this portal at 11 Mbps. |
| ccPortalRxPktsAt12Mb | Counter32 | Number of packets received through this portal at 12 Mbps. |
| ccPortalRxPktsAt18Mb | Counter32 | Number of packets received through this portal at 18 Mbps. |
| ccPortalRxPktsAt22Mb | Counter32 | Number of packets received through this portal at 22 Mbps. |
| ccPortalRxPktsAt24Mb | Counter32 | Number of packets received through this portal at 24 Mbps. |
| ccPortalRxPktsAt36Mb | Counter32 | Number of packets received through this portal at 36 Mbps. |
| ccPortalRxPktsAt48Mb | Counter32 | Number of packets received through this portal at 48 Mbps. |
| ccPortalRxPktsAt54Mb | Counter32 | Number of packets received through this portal at 54 Mbps. |
14.2.7 ccPortalTxPktsTable
DESCRIPTION: This table gives the statistics of the packets transmitted by a portal at various rates.
INDEXED ON: ccPortalIndex
| Field | Type | Description |
| --- | --- | --- |
| ccPortalTxPktsAt1Mb | Counter32 | Number of packets transmitted through this portal at 1 Mbps. |
| ccPortalTxPktsAt2Mb | Counter32 | Number of packets transmitted through this portal at 2 Mbps. |
| ccPortalTxPktsAt5pt5Mb | Counter32 | Number of packets transmitted through this portal at 5.5 Mbps. |
| ccPortalTxPktsAt6Mb | Counter32 | Number of packets transmitted through this portal at 6 Mbps. |
| ccPortalTxPktsAt9Mb | Counter32 | Number of packets transmitted through this portal at 9 Mbps. |
| ccPortalTxPktsAt11Mb | Counter32 | Number of packets transmitted through this portal at 11 Mbps. |
| ccPortalTxPktsAt12Mb | Counter32 | Number of packets transmitted through this portal at 12 Mbps. |
| ccPortalTxPktsAt18Mb | Counter32 | Number of packets transmitted through this portal at 18 Mbps. |
| ccPortalTxPktsAt22Mb | Counter32 | Number of packets transmitted through this portal at 22 Mbps. |
| ccPortalTxPktsAt24Mb | Counter32 | Number of packets transmitted through this portal at 24 Mbps. |
| ccPortalTxPktsAt36Mb | Counter32 | Number of packets transmitted through this portal at 36 Mbps. |
| ccPortalTxPktsAt48Mb | Counter32 | Number of packets transmitted through this portal at 48 Mbps. |
| ccPortalTxPktsAt54Mb | Counter32 | Number of packets transmitted through this portal at 54 Mbps. |
14.2.8 ccPortalRxOctetsTable
DESCRIPTION: This table gives the statistics of the number of octets received by a portal at various rates.
INDEXED ON: ccPortalIndex
| Field | Type | Description |
| --- | --- | --- |
| ccPortalRxOctetsAt1Mb | Counter32 | Number of octets received through this portal at 1 Mbps. |
| ccPortalRxOctetsAt2Mb | Counter32 | Number of octets received through this portal at 2 Mbps. |
| ccPortalRxOctetsAt5pt5Mb | Counter32 | Number of octets received through this portal at 5.5 Mbps. |
| ccPortalRxOctetsAt6Mb | Counter32 | Number of octets received through this portal at 6 Mbps. |
| ccPortalRxOctetsAt9Mb | Counter32 | Number of octets received through this portal at 9 Mbps. |
| ccPortalRxOctetsAt11Mb | Counter32 | Number of octets received through this portal at 11 Mbps. |
| ccPortalRxOctetsAt12Mb | Counter32 | Number of octets received through this portal at 12 Mbps. |
| ccPortalRxOctetsAt18Mb | Counter32 | Number of octets received through this portal at 18 Mbps. |
| ccPortalRxOctetsAt22Mb | Counter32 | Number of octets received through this portal at 22 Mbps. |
| ccPortalRxOctetsAt24Mb | Counter32 | Number of octets received through this portal at 24 Mbps. |
| ccPortalRxOctetsAt36Mb | Counter32 | Number of octets received through this portal at 36 Mbps. |
| ccPortalRxOctetsAt48Mb | Counter32 | Number of octets received through this portal at 48 Mbps. |
| ccPortalRxOctetsAt54Mb | Counter32 | Number of octets received through this portal at 54 Mbps. |
14.2.9 ccPortalTxOctetsTable
DESCRIPTION: This table gives the statistics of the number of octets transmitted by a portal at various rates.
INDEXED ON: ccPortalIndex
| Field | Type | Description |
| --- | --- | --- |
| ccPortalTxOctetsAt1Mb | Counter32 | Number of octets transmitted through this portal at 1 Mbps. |
| ccPortalTxOctetsAt2Mb | Counter32 | Number of octets transmitted through this portal at 2 Mbps. |
| ccPortalTxOctetsAt5pt5Mb | Counter32 | Number of octets transmitted through this portal at 5.5 Mbps. |
| ccPortalTxOctetsAt6Mb | Counter32 | Number of octets transmitted through this portal at 6 Mbps. |
| ccPortalTxOctetsAt9Mb | Counter32 | Number of octets transmitted through this portal at 9 Mbps. |
| ccPortalTxOctetsAt11Mb | Counter32 | Number of octets transmitted through this portal at 11 Mbps. |
| ccPortalTxOctetsAt12Mb | Counter32 | Number of octets transmitted through this portal at 12 Mbps. |
| ccPortalTxOctetsAt18Mb | Counter32 | Number of octets transmitted through this portal at 18 Mbps. |
| ccPortalTxOctetsAt22Mb | Counter32 | Number of octets transmitted through this portal at 22 Mbps. |
| ccPortalTxOctetsAt24Mb | Counter32 | Number of octets transmitted through this portal at 24 Mbps. |
| ccPortalTxOctetsAt36Mb | Counter32 | Number of octets transmitted through this portal at 36 Mbps. |
| ccPortalTxOctetsAt48Mb | Counter32 | Number of octets transmitted through this portal at 48 Mbps. |
| ccPortalTxOctetsAt54Mb | Counter32 | Number of octets transmitted through this portal at 54 Mbps. |
14.2.10 ccPortalTxRetriesPktsTable
DESCRIPTION: This table gives the statistics of the number of retries for the packets transmitted by a portal.
INDEXED ON: ccPortalIndex
| Field | Type | Description |
| --- | --- | --- |
| ccPortalTxRetriesPktsNone | Counter32 | Number of packets successfully transmitted through this portal with no retries. |
| ccPortalTxRetriesPkts01 | Counter32 | Number of packets successfully transmitted through this portal with 1 retry. |
| ccPortalTxRetriesPkts02 | Counter32 | Number of packets successfully transmitted through this portal with 2 retries. |
| ccPortalTxRetriesPkts03 | Counter32 | Number of packets successfully transmitted through this portal with 3 retries. |
| ccPortalTxRetriesPkts04 | Counter32 | Number of packets successfully transmitted through this portal with 4 retries. |
| ccPortalTxRetriesPkts05 | Counter32 | Number of packets successfully transmitted through this portal with 5 retries. |
| ccPortalTxRetriesPkts06 | Counter32 | Number of packets successfully transmitted through this portal with 6 retries. |
| ccPortalTxRetriesPkts07 | Counter32 | Number of packets successfully transmitted through this portal with 7 retries. |
| ccPortalTxRetriesPkts08 | Counter32 | Number of packets successfully transmitted through this portal with 8 retries. |
| ccPortalTxRetriesPkts09 | Counter32 | Number of packets successfully transmitted through this portal with 9 retries. |
| ccPortalTxRetriesPkts10 | Counter32 | Number of packets successfully transmitted through this portal with 10 retries. |
| ccPortalTxRetriesPkts11 | Counter32 | Number of packets successfully transmitted through this portal with 11 retries. |
| ccPortalTxRetriesPkts12 | Counter32 | Number of packets successfully transmitted through this portal with 12 retries. |
| ccPortalTxRetriesPkts13 | Counter32 | Number of packets successfully transmitted through this portal with 13 retries. |
| ccPortalTxRetriesPkts14 | Counter32 | Number of packets successfully transmitted through this portal with 14 retries. |
| ccPortalTxRetriesPkts15 | Counter32 | Number of packets successfully transmitted through this portal with 15 retries. This counter is deprecated. |
| ccPortalTxRetriesPktsFailed | Counter32 | Number of packets that never were successfully transmitted through this portal because the maximum retry count was exceeded. |
14.2.11 ccPortalTxRetriesOctetsTable
DESCRIPTION: This table gives the statistics of the number of retries with respect to the octets transmitted by the portal.
INDEXED ON: ccPortalIndex
| Field | Type | Description |
| --- | --- | --- |
| ccPortalTxRetriesOctetsNone | Counter32 | Number of octets successfully transmitted through this portal with no retries. |
| ccPortalTxRetriesOctets01 | Counter32 | Number of octets successfully transmitted through this portal with 1 retry. |
| ccPortalTxRetriesOctets02 | Counter32 | Number of octets successfully transmitted through this portal with 2 retries. |
| ccPortalTxRetriesOctets03 | Counter32 | Number of octets successfully transmitted through this portal with 3 retries. |
| ccPortalTxRetriesOctets04 | Counter32 | Number of octets successfully transmitted through this portal with 4 retries. |
| ccPortalTxRetriesOctets05 | Counter32 | Number of octets successfully transmitted through this portal with 5 retries. |
| ccPortalTxRetriesOctets06 | Counter32 | Number of octets successfully transmitted through this portal with 6 retries. |
| ccPortalTxRetriesOctets07 | Counter32 | Number of octets successfully transmitted through this portal with 7 retries. |
| ccPortalTxRetriesOctets08 | Counter32 | Number of octets successfully transmitted through this portal with 8 retries. |
| ccPortalTxRetriesOctets09 | Counter32 | Number of octets successfully transmitted through this portal with 9 retries. |
| ccPortalTxRetriesOctets10 | Counter32 | Number of octets successfully transmitted through this portal with 10 retries. |
| ccPortalTxRetriesOctets11 | Counter32 | Number of octets successfully transmitted through this portal with 11 retries. |
| ccPortalTxRetriesOctets12 | Counter32 | Number of octets successfully transmitted through this portal with 12 retries. |
| ccPortalTxRetriesOctets13 | Counter32 | Number of octets successfully transmitted through this portal with 13 retries. |
| ccPortalTxRetriesOctets14 | Counter32 | Number of octets successfully transmitted through this portal with 14 retries. |
| ccPortalTxRetriesOctets15 | Counter32 | Number of octets successfully transmitted through this portal with 15 retries. This counter is deprecated. |
| ccPortalTxRetriesOctetsFailed | Counter32 | Number of octets that never were successfully transmitted through this portal because the maximum retry count was exceeded. |
14.2.12 ccPortalSigStatsTable
DESCRIPTION: This table gives statistics about RSSI, Signal, Noise, and SNR for packets received by a portal.
INDEXED ON: ccPortalIndex
| Field | Type | Description |
| --- | --- | --- |
| ccPortalSigStatsNumPkts | Counter32 | Total packets received by the portal. |
| ccPortalSigStatsSignalBest | Integer32 | The best signal value seen by the portal so far. (-20dBm is better than -60dBm). |
| ccPortalSigStatsSignalWorst | Integer32 | The worst signal value seen by the portal so far. (-80dBm is worse than -60dBm). |
| ccPortalSigStatsSignalSum | Integer32 | Sum of all signal values (in dBm) received by the portal. Note: This normally is a negative value ranging from 10dBm to -80dBm. It is possible for this value to be positive, but that would be rare, and would signal an exceptionally strong signal. |
| ccPortalSigStatsSignalSumSquares | Counter64 | Sum of the squares of each signal value (in dBm), calculated for the packets received by this portal. Unlike SignalSum, this value is never negative, since the square of a negative number is a positive. |
| ccPortalSigStatsSignalMostRecent | Integer32 | The signal value (in dBm) of the most recent packet received by the portal. (-20dBm signal is better than -60dBm). This value is invalid if ccPortalSigStatsNumPkts equals 0. |
| ccPortalSigStatsNoiseBest | Integer32 | The best noise value seen by the portal so far. (-80dBm noise is better than -70dBm). |
| ccPortalSigStatsNoiseWorst | Integer32 | The worst noise value seen by the portal so far. (-50dBm noise is worse than -60dBm). |
| ccPortalSigStatsNoiseSum | Integer32 | The sum of the noise values (in dBm) received by the portal. Like SignalSum, this value is normally a negative value. |
| ccPortalSigStatsNoiseSumSquares | Counter64 | A sum of the squares of each noise value calculated for packets received through this portal. As with SignalSumSquares, this value is never negative. |
| ccPortalSigStatsNoiseMostRecent | Integer32 | The most recent noise value seen by the portal so far. (-80dBm noise is better than -70dBm). This value is invalid when ccPortalSigStatsNumPkts equals 0. |
| ccPortalSigStatsSnrBest | Integer32 | The best SNR value seen by the portal so far. (+30dBm SNR is better than +20dBm). |
| ccPortalSigStatsSnrWorst | Integer32 | The worst SNR value seen by the portal so far. (+10dBm SNR is worse than +20dBm). |
| ccPortalSigStatsSnrSum | Integer32 | The sum of all the SNR values (in dBm) calculated for this portal. Unlike signal and noise, this value is never negative. |
| ccPortalSigStatsSnrSumSquares | Counter64 | Sum of the squares of each SNR value (in dBm) calculated for packets received through this portal. This value is never negative. |
| ccPortalSigStatsSnrMostRecent | Integer32 | The most recent SNR value seen by the portal so far. (+30dBm SNR is better than +20dBm). This value is invalid if ccPortalSigStatsNumPkts equals 0. |
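The Sum and SumSquares columns above (and the matching ccPortalBackgroundNoise and ccPortalBeaconRpt columns) are enough to recover a mean and standard deviation on the monitoring side. The following is an added example, not code from the guide or the switch: it derives those values from polled counters, isolates the interval between two polls, and flags a most-recent reading that sits far from the mean. The SigPoll type, the k and floor_db thresholds and all sample numbers are constructed assumptions.

```python
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class SigPoll:
    """One SNMP poll of a portal's cumulative signal columns."""
    num_pkts: int     # ccPortalSigStatsNumPkts
    sig_sum: int      # ccPortalSigStatsSignalSum (dBm, normally negative)
    sig_sum_sq: int   # ccPortalSigStatsSignalSumSquares (never negative)
    most_recent: int  # ccPortalSigStatsSignalMostRecent (invalid if num_pkts is 0)


def mean_stddev(num, total, total_sq):
    """Mean and population standard deviation from count, sum and sum of squares."""
    if num <= 0:
        return None  # no samples: the table marks the values as invalid
    mean = total / num
    # Var = E[x^2] - (E[x])^2; clamp tiny negative results caused by rounding.
    variance = max(total_sq / num - mean * mean, 0.0)
    return mean, math.sqrt(variance)


def interval(prev, curr):
    """Count, sum and sum of squares for the packets seen between two polls."""
    if curr.num_pkts < prev.num_pkts:
        # The statistics are not persistent; a reboot restarts them from zero,
        # so the current poll already describes only the new interval.
        return curr.num_pkts, curr.sig_sum, curr.sig_sum_sq
    return (curr.num_pkts - prev.num_pkts,
            curr.sig_sum - prev.sig_sum,
            curr.sig_sum_sq - prev.sig_sum_sq)


def deviates(poll, k=3.0, floor_db=1.0):
    """True if the most recent reading is more than k deviations from the mean."""
    stats = mean_stddev(poll.num_pkts, poll.sig_sum, poll.sig_sum_sq)
    if stats is None:
        return False
    mean, stddev = stats
    # floor_db keeps a perfectly steady history from flagging 1 dB of jitter.
    return abs(poll.most_recent - mean) > k * max(stddev, floor_db)


# Constructed polls: four packets at -50, -60, -60, -70 dBm, then four at -40 dBm.
FIRST = SigPoll(num_pkts=4, sig_sum=-240, sig_sum_sq=14600, most_recent=-70)
SECOND = SigPoll(num_pkts=8, sig_sum=-400, sig_sum_sq=21000, most_recent=-40)

if __name__ == "__main__":
    print("since boot :", mean_stddev(FIRST.num_pkts, FIRST.sig_sum, FIRST.sig_sum_sq))
    print("last window:", mean_stddev(*interval(FIRST, SECOND)))
    print("outlier?   :", deviates(SigPoll(4, -240, 14600, most_recent=-20)))
```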
14.2.13 ccPortalSumStatsShortTable
DESCRIPTION: This table contains the derived statistics calculated over 30 seconds window for each portal.
14-14
WS5000 Series Switch System Reference Guide
INDEXED ON: ccPortalIndex
Field
Type
Description
ccPortalSumStatsShortTimestamp
TimeTicks
The number of time ticks
elapsed since the beginning of
this window
ccPortalSumStatsShortNumPkts
Unsigned32
The number of packets used to
calculate the statistics in this
window.
ccPortalSumStatsShortPktsPerSec100
ScaleBy100
Packets per second as
averaged over the 'window'.
Since SNMP does not convey
decimal values, the result is
multiplied by 100.
ccPortalSumStatsShortPktsPerSecTx100
ScaleBy100
Number of packets transmitted
per second as averaged over
the 'window'.
Since SNMP does not convey
decimal values, the result is
multiplied by 100.
ccPortalSumStatsShortPktsPerSecRx100
ScaleBy100
Number of packets received per
second as averaged over the
'window'.Since SNMP does not
convey decimal values, the
result is multiplied by 100.
ccPortalSumStatsShortThroughput
Unsigned32
Actual number of bits sent and
received over the window,
divided by the number of
seconds in the window.
ccPortalSumStatsShortThroughputTx
Unsigned32
Actual number of bits
transmitted over the window,
divided by the number of
seconds in the window.
ccPortalSumStatsShortThroughputRx
Unsigned32
Actual number of bits received
over the window, divided by the
number of seconds in the
window.
ccPortalSumStatsShortAvgBitSpeed
Unsigned32
An average of the speeds of all
bits sent/received by the portal.
(For each possible speed,
multiply the number of octets
sent received by that speed;
divide the sum by the total
number of octets; multiply by
8).
ccPortalSumStatsShortAvgMuSignal
Integer32
The average of all signal values
received over the window.
Enhanced RF Statistics
Field
Type
14-15
Description
ccPortalSumStatsShortAvgMuNoise
Integer32
The average of all noise values
over the window. (in dBm)
ccPortalSumStatsShortAvgMuSnr
Integer32
The average of all SNR values
over the window. (in dBm)
ccPortalSumStatsShortPp10kNUcastPkts
PartsPer10k
Ratio of packets that were not
unicast to the total number of
packets sent/received by the
portal. Expressed as parts-per-10000.
ccPortalSumStatsShortPp10kTxWithRetries
PartsPer10k
Ratio of transmitted packets
that experienced one or more
retries to the total number of
transmission retries by this
portal.
Expressed as parts-per-10000.
ccPortalSumStatsShortPp10kTxMaxRetries
PartsPer10k
Ratio of transmitted packets
that were dropped due to
excessive retries to the total
number of packets transmitted
by this portal.
Expressed as parts-per-10000.
ccPortalSumStatsShortTxAvgRetries100
ScaleBy100
For all transmitted packets
(including those that
experienced some retries,
those that were successfully
transmitted in first attempt of
transmission, and those that
attempted maximum times and
gave-up), the average number
of re-transmission attempts.
Since SNMP does not convey
decimal values, the result is
multiplied by 100.
If there were no retransmissions, this value would
be 0. If every single packet
required exactly two
transmissions, this value would
be 100, (representing 1.00).
ccPortalSumStatsShortPp10kRxUndecrypt
PartsPer10k
Ratio of received packets that
were undecryptable to the total
number of received packets.
Expressed as parts-per-10000.
ccPortalSumStatsShortTotalMus
Unsigned32
The total number of Mobile
Units associated with the
portal.
ccPortalSumStatsShortPp10kRfUtil
PartsPer10k
The approximate utilization of
the portal's RF port. Calculated
as Throughput divided by
AvgBitSpeed. Expressed as
parts-per-10000.
ccPortalSumStatsShortPp10kDropped
PartsPer10k
The total number of packets
dropped divided by total
number of packets sent.
Dropped here means dropped
intentionally due to the
appropriate QoS queue being
full. Expressed as parts-per-10000.
14.2.14 ccPortalSumStatsLongTable
DESCRIPTION: The derived statistics calculated over a 1-hour window for each portal.
INDEXED ON: ccPortalIndex
Field
Type
Description
ccPortalSumStatsLongTimestamp
TimeTicks
The number of time ticks
elapsed since the beginning of
this window
ccPortalSumStatsLongNumPkts
Unsigned32
The number of packets used to
calculate the statistics in this
window.
ccPortalSumStatsLongPktsPerSec100
ScaleBy100
Packets (both rx, tx) per second
as averaged over the 'window'.
Since SNMP does not convey
decimal values, the result is
multiplied by 100.
ccPortalSumStatsLongPktsPerSecTx100
ScaleBy100
Number of packets transmitted
per second as averaged over the
'window'.
Since SNMP does not convey
decimal values, the result is
multiplied by 100.
ccPortalSumStatsLongPktsPerSecRx100
ScaleBy100
Number of packets received per
second as averaged over the
'window'. Since SNMP does not
convey decimal values, the
result is multiplied by 100.
ccPortalSumStatsLongThroughput
Unsigned32
Actual number of bits sent and
received over the window,
divided by the number of
seconds in the window.
ccPortalSumStatsLongThroughputTx
Unsigned32
Actual number of bits
transmitted over the window,
divided by the number of
seconds in the window.
ccPortalSumStatsLongThroughputRx
Unsigned32
Actual number of bits received
over the window, divided by the
number of seconds in the
window.
ccPortalSumStatsLongAvgBitSpeed
Unsigned32
An average of the speeds of all
bits sent/received by the portal.
(For each possible speed,
multiply the number of octets
sent/received by that speed;
divide the sum by the total
number of octets; multiply by 8).
ccPortalSumStatsLongAvgMuSignal
Integer32
The average of all signal values
received over the window.
ccPortalSumStatsLongAvgMuNoise
Integer32
The average of all noise values
over the window. (in dBm)
ccPortalSumStatsLongAvgMuSnr
Integer32
The average of all SNR values
over the window. (in dBm)
ccPortalSumStatsLongPp10kNUcastPkts
PartsPer10k
Ratio of packets that were not
unicast to the total number of
packets sent/received by the
portal. Expressed as parts-per-10000.
ccPortalSumStatsLongPp10kTxWithRetries
PartsPer10k
Ratio of transmitted packets
that experienced one or more
retries to the total number of
transmission retries by this
portal.
Expressed as parts-per-10000.
ccPortalSumStatsLongPp10kTxMaxRetries
PartsPer10k
Ratio of transmitted packets
that were dropped due to
excessive retries to the total
number of packets transmitted
by this portal.
Expressed as parts-per-10000.
ccPortalSumStatsLongTxAvgRetries100
ScaleBy100
For all transmitted packets
(including those that
experienced some retries, those
that were successfully
transmitted in first attempt of
transmission, and those that
attempted maximum times and
gave-up), the average number of
re-transmission attempts. Since
SNMP does not convey decimal
values, the result above is
multiplied by 100.
If there were no retransmissions, this value would
be 0. If every single packet
required exactly two
transmissions, this value would
be 100, (representing 1.00).
ccPortalSumStatsLongPp10kRxUndecrypt
PartsPer10k
Ratio of received packets that
were undecryptable to the total
number of received packets.
Expressed as parts-per-10000.
ccPortalSumStatsLongTotalMus
Unsigned32
The total number of Mobile
Units associated with given
portal.
ccPortalSumStatsLongPp10kRfUtil
PartsPer10k
The approximate utilization of
the portal's RF port. Calculated
as Throughput divided by
AvgBitSpeed. Expressed as
parts-per-10000.
ccPortalSumStatsLongPp10kDropped
PartsPer10k
The total number of packets
dropped divided by total number
of packets sent. Dropped here
means dropped intentionally
due to the appropriate QoS
queue being full. Expressed as
parts-per-10000.
14.3 ccMus
14.3.1 ccMuInfoTable
DESCRIPTION: This table describes general information about each MU associated to the switch/AP.
INDEXED ON: ccMuMac
Field
Type
Description
ccMuMac
PhysAddress
MAC address of the MU.
ccMuWlanIndex
Integer32
Reserved for future implementation.
ccMuWlanName
DisplayString
The name of the WLAN this MU is associated
to.
ccMuIsDataReady
TruthValue
This value is true if the WS5000 is ready to
forward/switch packets to/from this MU.
Otherwise this value is false.
ccMuPortalIndex
Integer32
The index of the entry in the portal table to
which this MU is associated.
ccMuPortalMac
PhysAddress
The MAC address of the portal to which this
MU is associated.
ccMuSymbolRogueApEna
TruthValue
If true, this MU supports Symbol's Rogue AP
detection assist algorithm.
ccMuIpAddr
IpAddress
IP address of the MU.
ccMuType
INTEGER
Type of the MU.
ccMuRadioType
RadioType
Radio type of the MU.
ccMuSupportedRates
BITS
A bit-mask of rates supported by this MU.
ccMuPowerMode
INTEGER
Power-mode implemented by the MU.
ccMuAuthenticationMethod
INTEGER
Authentication method used by the MU.
ccMuEncryptionMethod
INTEGER
Encryption method used by the MU.
ccMuVlanId
Unsigned32
The VLAN that this MU is assigned to.
14.3.2 ccMuStatsTable
DESCRIPTION: It contains the number of data packets received from/transmitted to an MU, which includes
unicast, non-unicast and undecryptable packets.
INDEXED ON: ccMuMac
Field
Type
Description
ccMuTxPktsUcast
Counter32
The number of unicast packets transmitted to
the MU.
ccMuRxPktsUcast
Counter32
The number of unicast packets received from
the MU.
ccMuRxPktsNUcast
Counter32
The number of non-unicast packets received
from a MU.
ccMuTxOctetsUcast
Counter32
The number of unicast bytes transmitted to
the MU.
ccMuRxOctetsUcast
Counter32
The number of unicast bytes received from an
MU.
ccMuRxOctetsNUcast
Counter32
The number of non-unicast bytes received
from an MU.
ccMuRxUndecryptablePkts
Counter32
The number of undecryptable packets
received from an MU.
ccMuRxRssiNumPkts
Counter32
The number of packets received from a MU.
ccMuRxRssiSum
Counter32
The sum of signal strength values of all the
packets received from this MU.
ccMuRxRssiSumSquares
Counter32
The sum of the squares of signal strength
values of all the packets received from this
MU.
ccMuRxRssiMostRecent
INTEGER
The most recent value of the signal strength
received from this MU.
ccMuLastActivity
TimeTicks
The number of time ticks elapsed since MU’s
last activity.
14.3.3 ccMuRxPktsTable
DESCRIPTION: The number of packets received at various rates from the MU.
INDEXED ON: ccMuMac
Field
Type
Description
ccMuRxPktsAt1Mb
Counter32
The number of packets received from the MU at
1 Mbps.
ccMuRxPktsAt2Mb
Counter32
The number of packets received from the MU at
2 Mbps.
ccMuRxPktsAt5pt5Mb
Counter32
The number of packets received from the MU at
5.5 Mbps.
ccMuRxPktsAt6Mb
Counter32
The number of packets received from the MU
at 6 Mbps.
ccMuRxPktsAt9Mb
Counter32
The number of packets received from the MU at
9 Mbps.
ccMuRxPktsAt11Mb
Counter32
The number of packets received from the MU at
11 Mbps.
ccMuRxPktsAt12Mb
Counter32
The number of packets received from the MU at
12 Mbps.
ccMuRxPktsAt18Mb
Counter32
The number of packets received from the MU at
18 Mbps.
ccMuRxPktsAt22Mb
Counter32
The number of packets received from the MU at
22 Mbps.
ccMuRxPktsAt24Mb
Counter32
The number of packets received from the MU at
24 Mbps.
ccMuRxPktsAt36Mb
Counter32
The number of packets received from the MU at
36 Mbps.
ccMuRxPktsAt48Mb
Counter32
The number of packets received from the MU at
48 Mbps.
ccMuRxPktsAt54Mb
Counter32
The number of packets received from the MU at
54 Mbps.
14.3.4 ccMuTxPktsTable
DESCRIPTION: The number of packets transmitted to the MU at various rates
INDEXED ON: ccMuMac
Field
Type
Description
ccMuTxPktsAt1Mb
Counter32
The number of packets transmitted to the MU
at 1 Mbps.
ccMuTxPktsAt2Mb
Counter32
The number of packets transmitted to the MU
at 2 Mbps.
ccMuTxPktsAt5pt5Mb
Counter32
The number of packets transmitted to the MU
at 5.5 Mbps.
ccMuTxPktsAt6Mb
Counter32
The number of packets transmitted to the MU
at 6 Mbps.
ccMuTxPktsAt9Mb
Counter32
The number of packets transmitted to the MU
at 9 Mbps.
ccMuTxPktsAt11Mb
Counter32
The number of packets transmitted to the MU
at 11 Mbps.
ccMuTxPktsAt12Mb
Counter32
The number of packets transmitted to the MU
at 12 Mbps.
ccMuTxPktsAt18Mb
Counter32
The number of packets transmitted to the MU
at 18 Mbps.
ccMuTxPktsAt22Mb
Counter32
The number of packets transmitted to the MU
at 22 Mbps.
ccMuTxPktsAt24Mb
Counter32
The number of packets transmitted to the MU
at 24 Mbps.
ccMuTxPktsAt36Mb
Counter32
The number of packets transmitted to the MU
at 36 Mbps.
ccMuTxPktsAt48Mb
Counter32
The number of packets transmitted to the MU
at 48 Mbps.
ccMuTxPktsAt54Mb
Counter32
The number of packets transmitted to the MU
at 54 Mbps.
14.3.5 ccMuRxOctetsTable
DESCRIPTION: The number of bytes received from the MU at various rates.
INDEXED ON: ccMuMac
Field
Type
Description
ccMuRxOctetsAt1Mb
Counter32
The number of bytes received from the MU at 1 Mbps.
ccMuRxOctetsAt2Mb
Counter32
The number of bytes received from the MU at 2 Mbps.
ccMuRxOctetsAt5pt5Mb
Counter32
The number of bytes received from the MU at 5.5 Mbps.
ccMuRxOctetsAt6Mb
Counter32
The number of bytes received from the MU at 6 Mbps.
ccMuRxOctetsAt9Mb
Counter32
The number of bytes received from the MU at 9 Mbps.
ccMuRxOctetsAt11Mb
Counter32
The number of bytes received from the MU at 11 Mbps.
ccMuRxOctetsAt12Mb
Counter32
The number of bytes received from the MU at 12 Mbps.
ccMuRxOctetsAt18Mb
Counter32
The number of bytes received from the MU at 18 Mbps.
ccMuRxOctetsAt22Mb
Counter32
The number of bytes received from the MU at 22 Mbps.
ccMuRxOctetsAt24Mb
Counter32
The number of bytes received from the MU at 24 Mbps.
ccMuRxOctetsAt36Mb
Counter32
The number of bytes received from the MU at 36 Mbps.
ccMuRxOctetsAt48Mb
Counter32
The number of bytes received from the MU at 48 Mbps.
ccMuRxOctetsAt54Mb
Counter32
The number of bytes received from the MU at 54 Mbps.
14.3.6 ccMuTxOctetsTable
DESCRIPTION: The number of bytes transmitted to the MU at various rates.
INDEXED ON: ccMuMac
Field
Type
Description
ccMuTxOctetsAt1Mb
Counter32
The number of bytes transmitted to the MU at 1 Mbps.
ccMuTxOctetsAt2Mb
Counter32
The number of bytes transmitted to the MU at 2 Mbps.
ccMuTxOctetsAt5pt5Mb
Counter32
The number of bytes transmitted to the MU at 5.5 Mbps.
ccMuTxOctetsAt6Mb
Counter32
The number of bytes transmitted to the MU at 6 Mbps.
ccMuTxOctetsAt9Mb
Counter32
The number of bytes transmitted to the MU at 9 Mbps.
ccMuTxOctetsAt11Mb
Counter32
The number of bytes transmitted to the MU at 11 Mbps.
ccMuTxOctetsAt12Mb
Counter32
The number of bytes transmitted to the MU at 12 Mbps.
ccMuTxOctetsAt18Mb
Counter32
The number of bytes transmitted to the MU at 18 Mbps.
ccMuTxOctetsAt22Mb
Counter32
The number of bytes transmitted to the MU at 22 Mbps.
ccMuTxOctetsAt24Mb
Counter32
The number of bytes transmitted to the MU at 24 Mbps.
ccMuTxOctetsAt36Mb
Counter32
The number of bytes transmitted to the MU at 36 Mbps.
ccMuTxOctetsAt48Mb
Counter32
The number of bytes transmitted to the MU at 48 Mbps.
ccMuTxOctetsAt54Mb
Counter32
The number of bytes transmitted to the MU at 54 Mbps.
14.3.7 ccMuTxRetriesTable
DESCRIPTION: The number of packets transmitted to the MU at various retries
INDEXED ON: ccMuMac
Field
Type
Description
ccMuTxRetriesNone
Counter32
The number of packets transmitted to the MU
with 0 retries.
ccMuTxRetries01
Counter32
The number of packets transmitted to the MU
with 1 retry.
ccMuTxRetries02
Counter32
The number of packets transmitted to the MU
with 2 retries.
ccMuTxRetries03
Counter32
The number of packets transmitted to the MU
with 3 retries.
ccMuTxRetries04
Counter32
The number of packets transmitted to the MU
with 4 retries.
ccMuTxRetries05
Counter32
The number of packets transmitted to the MU
with 5 retries.
ccMuTxRetries06
Counter32
The number of packets transmitted to the MU
with 6 retries.
ccMuTxRetries07
Counter32
The number of packets transmitted to the MU
with 7 retries.
ccMuTxRetries08
Counter32
The number of packets transmitted to the MU
with 8 retries.
ccMuTxRetries09
Counter32
The number of packets transmitted to the MU
with 9 retries.
ccMuTxRetries10
Counter32
The number of packets transmitted to the MU
with 10 retries.
ccMuTxRetries11
Counter32
The number of packets transmitted to the MU
with 11 retries.
ccMuTxRetries12
Counter32
The number of packets transmitted to the MU
with 12 retries.
ccMuTxRetries13
Counter32
The number of packets transmitted to the MU
with 13 retries.
ccMuTxRetries14
Counter32
The number of packets transmitted to the MU
with 14 retries.
ccMuTxRetries15
Counter32
The number of packets transmitted to the MU
with 15 retries.
ccMuTxRetriesFailed
Counter32
The number of failed packet transmissions to
the MU.
ccMuTxRetriesTotal
Counter32
A total sum of all retries across all packets
sent to this MU.
For example, if 4 packets have been sent, with
the following number of retries: 2, 0, 5, gave-up, this value would be 2+0+5+16 = 23.
ccMuTxRetriesMostRecent
Counter32
The number of retries of the packet most
recently transmitted to the MU.
14.4 ccMuRfSum
14.4.1 ccMuTxRetriesOctetsTable
DESCRIPTION: The number of retries experienced with respect to the bytes transmitted to the MU.
INDEXED ON: ccMuMac
Field
Type
Description
ccMuTxRetriesOctetsNone
Counter32
The number of octets transmitted to the MU
with 0 retries.
ccMuTxRetriesOctets01
Counter32
The number of octets transmitted to the MU
with 1 retry.
ccMuTxRetriesOctets02
Counter32
The number of octets transmitted to the MU
with 2 retries.
ccMuTxRetriesOctets03
Counter32
The number of octets transmitted to the MU
with 3 retries.
ccMuTxRetriesOctets04
Counter32
The number of octets transmitted to the MU
with 4 retries.
ccMuTxRetriesOctets05
Counter32
The number of octets transmitted to the MU
with 5 retries.
ccMuTxRetriesOctets06
Counter32
The number of octets transmitted to the MU
with 6 retries.
ccMuTxRetriesOctets07
Counter32
The number of octets transmitted to the MU
with 7 retries.
ccMuTxRetriesOctets08
Counter32
The number of octets transmitted to the MU
with 8 retries.
ccMuTxRetriesOctets09
Counter32
The number of octets transmitted to the MU
with 9 retries.
ccMuTxRetriesOctets10
Counter32
The number of octets transmitted to the MU
with 10 retries.
ccMuTxRetriesOctets11
Counter32
The number of octets transmitted to the MU
with 11 retries.
ccMuTxRetriesOctets12
Counter32
The number of octets transmitted to the MU
with 12 retries.
ccMuTxRetriesOctets13
Counter32
The number of octets transmitted to the MU
with 13 retries.
ccMuTxRetriesOctets14
Counter32
The number of octets transmitted to the MU
with 14 retries.
ccMuTxRetriesOctets15
Counter32
The number of octets transmitted to the MU
with 15 retries.
ccMuTxRetriesOctetsFailed
Counter32
The number of octets in failed packet
transmissions.
14.4.2 ccMuSigStatsTable
DESCRIPTION: The various signal strength information for this MU
INDEXED ON: ccMuMac
Field
Type
Description
ccMuSigStatsNumPkts
Counter32
The number of packets received from the MU.
ccMuSigStatsSignalBest
Integer32
The best value of the signal strength in dBm.
ccMuSigStatsSignalWorst
Integer32
The worst value of signal strength in dBm.
ccMuSigStatsSignalSum
Integer32
The sum of signal strength of all the packets
received from the MU in dBm.
ccMuSigStatsSignalSumSquares
Counter64
The sum of the square of the signal strength
of all the packets received from the MU in
dBm.
ccMuSigStatsSignalMostRecent
Integer32
The most recent signal strength value
received from the MU in dBm.
ccMuSigStatsNoiseBest
Integer32
The best noise value in dBm heard by the
Radio to which this MU is associated.
Here, the best value of noise implies the least
noise value.
ccMuSigStatsNoiseWorst
Integer32
The worst value of the noise strength in dBm
as received by the radio to which the MU is
associated.
ccMuSigStatsNoiseSum
Integer32
The sum of all noise samples in dBm received
from the Radio to which the MU is
associated.
ccMuSigStatsNoiseSumSquares
Counter64
The sum of the square of all the noise samples
in dBm received from the radio to which this
MU is associated.
ccMuSigStatsNoiseMostRecent
Integer32
The strength of the most recent noise value
heard from the radio to which this MU is
associated.
ccMuSigStatsSnrBest
Integer32
The best value of SNR in dBm calculated for
this MU.
ccMuSigStatsSnrWorst
Integer32
The worst value of SNR in dBm calculated for
this MU.
ccMuSigStatsSnrSum
Integer32
The sum of all the SNR values in dBm
calculated for this MU.
ccMuSigStatsSnrSumSquares
Counter64
The sum of the square of all the SNR values in
dBm calculated for this MU.
ccMuSigStatsSnrMostRecent
Integer32
The most recent value of the SNR calculated
for this MU.
14.4.3 ccMuSumStatsShortTable
DESCRIPTION: The table contains derived statistics calculated over a window of 30 seconds.
INDEXED ON: ccMuMac
Field
Type
Description
ccMuSumStatsShortTimestamp
TimeTicks
The number of time ticks
elapsed since the beginning of
this window.
ccMuSumStatsShortNumPkts
Unsigned32
The number of packets used to
calculate the statistics in this
window.
ccMuSumStatsShortPktsPerSec100
ScaleBy100
Packets per second as averaged
over the 'window'. Since SNMP
does not convey decimal
values, the result is multiplied
by 100.
ccMuSumStatsShortPktsPerSecTx100
ScaleBy100
The number of transmitted
packets per second as
averaged over the 'window'.
Since SNMP does not convey
decimal values, the result is
multiplied by 100.
ccMuSumStatsShortPktsPerSecRx100
ScaleBy100
Number of received packets per
second as averaged over the
'window'.
Since SNMP does not convey
decimal values, the result is
multiplied by 100.
ccMuSumStatsShortThroughput
Unsigned32
Actual number of bits sent and
received over the window,
divided by the number of
seconds in the window.
ccMuSumStatsShortThroughputTx
Unsigned32
Actual number of bits
transmitted over the window,
divided by the total number of
seconds in the window.
ccMuSumStatsShortThroughputRx
Unsigned32
Actual number of bits received
over the window, divided by the
number of seconds in the
window.
ccMuSumStatsShortAvgBitSpeed
Unsigned32
The average of the speeds of all
packets sent/received. (For
each possible speed, multiply
the number of octets sent/
received by that speed; divide
the sum by the total number of
octets; multiply by 8).
i.e. the average bit-speed at
which packets were sent/
received.
ccMuSumStatsShortAvgMuSignal
Integer32
The average of all signal values
over the window.
ccMuSumStatsShortAvgMuNoise
Integer32
The average of all noise values
over the window.
ccMuSumStatsShortAvgMuSnr
Integer32
The average of all SNR values
over the window.
ccMuSumStatsShortPp10kNUcastPkts
PartsPer10k
Ratio of packets that were not
unicast to the total number of
packets sent/received.
Expressed as parts-per-10000.
ccMuSumStatsShortPp10kTxWithRetries
PartsPer10k
Ratio of transmitted packets
that experienced one or more
retries to the total number of
packets sent or received.
Expressed as parts-per-10000.
ccMuSumStatsShortPp10kDropped
PartsPer10k
Ratio of transmitted packets
that were dropped due to
excessive retries to the total
number of transmitted packets.
Expressed as parts-per-10000.
ccMuSumStatsShortTxAvgRetries100
ScaleBy100
For all transmitted packets
(including those that
experienced some retries,
those that were successfully
transmitted in first attempt of
transmission, and those that
attempted maximum times and
gave-up), the average number
of re-transmission attempts.
Since SNMP does not convey
decimal values, the result
above is multiplied by 100.
If there were no retransmissions, this value would
be 0. If every single packet
required exactly two
transmissions, this value would
be 100, (representing 1.00).
ccMuSumStatsShortPp10kRxUndecrypt
PartsPer10k
Ratio of received packets that
were undecryptable to the total
number of packets received.
Expressed in parts per 10000.
14.4.4 ccMuSumStatsLongTable
DESCRIPTION: The table contains derived statistics calculated over a window of 1 hour.
INDEXED ON: ccMuMac
Field
Type
Description
ccMuSumStatsLongTimestamp
TimeTicks
The number of time ticks
elapsed since the beginning of
this window.
ccMuSumStatsLongNumPkts
Unsigned32
The number of packets used to
calculate the statistics in this
window.
ccMuSumStatsLongPktsPerSec100
ScaleBy100
Packets per second as averaged
over the 'window'. Since SNMP
does not convey decimal
values, the result is multiplied
by 100.
ccMuSumStatsLongPktsPerSecTx100
ScaleBy100
The number of transmitted
packets per second as
averaged over the 'window'.
Since SNMP does not convey
decimal values, the result is
multiplied by 100.
ccMuSumStatsLongPktsPerSecRx100
ScaleBy100
Number of received packets per
second as averaged over the
'window'.
Since SNMP does not convey
decimal values, the result is
multiplied by 100.
ccMuSumStatsLongThroughput
Unsigned32
Actual number of bits sent and
received over the window,
divided by the number of
seconds in the window.
ccMuSumStatsLongThroughputTx
Unsigned32
Actual number of bits
transmitted over the window,
divided by the number of
seconds in the window.
ccMuSumStatsLongThroughputRx
Unsigned32
Actual number of bits received
over the window, divided by the
number of seconds in the
window.
ccMuSumStatsLongAvgBitSpeed
Unsigned32
The average of the speeds of all
packets sent/received. (For
each possible speed, multiply
the number of octets sent/
received by that speed; divide
the sum by the total number of
octets; multiply by 8).
i.e. the average bit-speed at
which packets were sent/
received.
ccMuSumStatsLongAvgMuSignal
Integer32
The average of all signal values
over the window.
ccMuSumStatsLongAvgMuNoise
Integer32
The average of all noise values
over the window.
ccMuSumStatsLongAvgMuSnr
Integer32
The average of all SNR values
over the window.
ccMuSumStatsLongPp10kNUcastPkts
PartsPer10k
Ratio of packets that were not
unicast to the total number of
packets sent/received.
Expressed as parts-per-10000.
ccMuSumStatsLongPp10kTxWithRetries
PartsPer10k
Ratio of transmitted packets
that experienced one or more
retries to the total number of
packets sent or received.
Expressed as parts-per-10000.
ccMuSumStatsLongPp10kDropped
PartsPer10k
Ratio of transmitted packets
that were dropped due to
excessive retries to the total
number of transmitted packets.
Expressed as parts-per-10000.
ccMuSumStatsLongTxAvgRetries100
ScaleBy100
For all transmitted packets
(including those that
experienced some retries,
those that were successfully
transmitted in first attempt of
transmission, and those that
attempted maximum times and
gave-up), the average number
of re-transmission attempts.
Since SNMP does not convey
decimal values, the result
above is multiplied by 100.
If there were no retransmissions, this value would
be 0. If every single packet
required exactly two
transmissions, this value would
be 100, (representing 1.00).
ccMuSumStatsLongPp10kRxUndecrypt
PartsPer10k
Ratio of received packets that
were undecryptable to the total
number of packets received.
Expressed in parts per 10000.
14.5 RF-Traps
RF Traps are used to generate SNMP traps when some of the RF statistical values exceed a particular
threshold. The threshold values can be configured from the CLI. You can configure only the maximum value of
the threshold. The threshold values will always be compared with the most recent short window of the
corresponding RF statistical value.
A short window is the time period over which the threshold values (of the derived statistics)
are computed; it has a value of 30 seconds.
To enable the RF Traps, set the snmp_trap for the corresponding event in the events context. WS5000
v2.1 supports traps for AP, Switch and MU. Currently, traps for WLAN are not supported.
The following are the traps generated for AP, Switch and MU:
Table 14.1 RF Traps for APs
Trap Name
Description
rfthreshold ap pps
Packets per second as averaged over the 'window'. For transmitted packets,
each packet successfully sent counts as 1.
rfthreshold ap thrput
Actual number of bits sent and received over the window, divided by the
number of seconds in the window.
rfthreshold ap avgbitspeed
An octet-weighted average of the speeds of all packets sent/received. (For
each possible speed, multiply the number of octets sent/received by that
speed; divide the sum by the total number of octets; multiply
by 8).
rfthreshold ap nonucast
Ratio of packets that were non-unicast to the total number of packets sent/
received.
rfthreshold ap avgsig
The average of all signal values over the window.
rfthreshold ap avgretries
For all transmitted packets, the average number of re-transmission attempts.
rfthreshold ap percentdrop
Packets dropped divided by packets sent. Dropped here means dropped
intentionally due to the appropriate QoS queue being full.
rfthreshold ap undecryptable
Ratio of packets that were undecryptable to the total number of received
packets.
rfthreshold ap associatedmus
The total number of MUs associated to the given AP.
rfthreshold ap minpkts
Read the note below.
Note minpkts - It is the minimum number of packets required for the SNMP trap to
be fired. This should not be treated as a trap.
Table 14.2 RF Traps for MUs
Trap Name
Description
rfthreshold mu pps
Packets per second as averaged over the 'window'.
rfthreshold mu thrput
Actual number of bits sent and received over the window, divided by the
number of seconds in the window.
rfthreshold mu avgbitspeed
An octet-weighted average of the speeds of all packets sent/received. (For each
possible speed, multiply the number of octets sent/received by that speed;
divide the sum by the total number of octets; multiply
by 8).
rfthreshold mu nonucast
Ratio of packets that were non-unicast to the total number of packets sent/
received.
rfthreshold mu avgsig
The average of all signal values over the window.
rfthreshold mu avgretires
For all transmitted packets, the average number of re-transmission attempts.
rfthreshold mu percentdrop
Packets dropped divided by packets sent. Dropped here means dropped
intentionally due to the appropriate QoS queue being full.
rfthreshold mu undecryptable
Ratio of packets that were undecryptable.
rfthreshold mu minpkts
Read the note below.
Note minpkts - It is the minimum number of packets required for the SNMP trap to
be fired. This should not be treated as a trap.
Table 14.3 RF Traps for Switch
Trap Name
Description
rfthreshold switch pps
Packets per second as averaged over the 'window'.
rfthreshold switch thrput
Actual number of bits sent and received over the window, divided by the
number of seconds in the window.
rfthreshold switch associatedmus
The total number of MUs associated to the given Switch.
rfthreshold switch minpkts
Read the note below.
Note minpkts - It is the minimum number of packets required for the SNMP trap to
be fired. This should not be treated as a trap.
14.6 Explanation of Enhanced RF Statistics
Symbol’s family of wireless products all share a rich set of monitoring variables, called enhanced RF
Statistics. This section describes those statistics, and how they can be used to detect common wireless
networking problems.
The information shown here is available both via SNMP and via the embedded Web UI. In most cases, the
SNMP tables are shown for the sake of brevity. The statistics described here form a pyramid of information. The
specific details will be described from the bottom of this pyramid, working upwards.
Figure 14.1 “Pyramid” of network infrastructure monitoring statistics.
Information is available to identify all Access Ports and their embedded radios, (called “Portals”), associated
with the wireless switch. Figure 14.2 and Figure 14.3 show the tables that give this general information.
Figure 14.2 The ccApTable lists all the Access Ports currently adopted by the wireless switch.
Figure 14.3 The ccPortalTable lists all radios (“Portals”) currently adopted by the wireless switch.
In a similar fashion (see Figure 14.4), every MU currently associated with the device is shown in a table,
along with general information.
Figure 14.4 The ccMuInfoTable lists general information about every mobile unit currently associated.
Additional “raw” statistics are maintained for:
• Every MU currently associated to the device
• Every Portal currently adopted by the device
• The device in its entirety
For the remainder of this description, only the MU tables are shown, but there are nearly identical tables for
the Portals (the entire switch is represented by entry #1001 in the WLAN tables).
These stats are labeled “raw” as they count total occurrences since reboot. They are not time-based. To
determine the number of occurrences that have taken place over an interval of time, the counter is read at the
start of the interval and at the end of the interval, and the difference is calculated. These “raw” stats will form
the foundation of the “time-based” stats described below.
These stats are also “raw” in the sense that, (where possible), no resolution is lost. In most cases, every single
counter is offered in the form of an array that represents a histogram; (those histograms are summarized by
the “time-based” stats, described below).
Figure 14.5 shows tables that count the number of packets and octets that have been affected by each
possible number of retry attempts on transmission.
Figure 14.5 These tables show how many packets/octets have been affected by the given number of retries.
Figure 14.6 shows the tables that count the number of packets or octets, (bytes), that have been either
transmitted or received at every possible data rate.
Figure 14.6 These tables show counts of all packets/octets transmitted/received to/from the MU
Note In all cases, variables are named from the perspective of the network
infrastructure device. For example, a packet sent from an MU is, (for the MU), a
transmitted packet, but for the wireless switch, a received packet. Using this rule,
it would be counted as a received packet.
Figure 14.7 shows sums of signal, noise, and SNR readings for all packets received, in addition to the total
number of readings that have been taken, (“NumPkts”). Specifically, for each attribute, (signal, noise, SNR),
each of the following is maintained:
• sum — this can be used to calculate the average.
• sum of each value squared — this can be used to calculate the standard deviation.
• best, worst ever seen.
• most recent value observed — this is useful for determining the trend of the most recent values.
(It would have been prohibitive to provide a histogram of all signal/noise/SNR values observed).
Figure 14.7 The ccMuSigStatsTable shows statistics for signal, noise, and SNR.
All of the above “raw” statistics have no time interval – they count the number of occurrences
since the device booted-up. Those “raw” stats are summarized over selected time-intervals: the
“short” and “long” window.
The short window represents a summary of all the packets seen in the past 30 seconds. This 30 second
backwards view is recalculated every 30 seconds. The long window represents a summary of all the packets
seen in the past 1 hour, and is updated every 1 hour.
Note The intervals mentioned above are not configurable, and could possibly
change in the future. Their actual values can be determined from read-only SNMP
variables provided in each device.
Since the “raw” stats count all occurrences since reboot, these time-based stats avoid the need to read the
values, wait, read them again, and calculate the deltas.
When the network condition changes significantly, the values in the short window will vary significantly from
those in the long window, (see the detailed example below).
Figure 14.8 shows the short and long tables – they are identical, except for the time-interval represented.
Figure 14.8 The ccMuSumStats tables show the key history for the past 30 seconds and past 1hr.
The device can be programmed with thresholds for most of these time-based stats. Separate thresholds can be
set for the entire switch, for the WLANs, for the APs, and for the MUs. When a threshold is
crossed, an SNMP trap is generated. In order to avoid false alarms, a trap is only generated if a sufficient
number of packets have been processed to be statistically significant.
14.6.1 A Sample Usage Example
The section below explains how enhanced RF stats can be used to monitor the
wireless switch system’s RF environment. Figure 14.9 shows a sample comparison of short stats and
long stats, which are calculated over a period of 30 seconds and 1 hour respectively. As shown in the figure,
the short stats reflect sudden changes to the RF environment whereas the long stats reflect a long-term
average of the RF environment.
Figure 14.9 Just minutes after the antenna was removed, the long-term (1hr) average bit speed continues to hover near 7Mb/s while short-term (30sec) value sinks quickly to less than 2Mb.
Figure 14.10 Only one minute after the antenna was removed, the short-term statistics reflect the new
[poor] wireless conditions, while the long-term stats show the (mostly good) prior hour.
The RF environment is also affected by the presence or absence of antennas in the APs. Figure 14.11 and
Figure 14.12 below show that the receive and transmit speeds are severely degraded without the antenna
installed. Figure 14.13 shows that retries also increase significantly without the antennas.
Figure 14.11 Without the antenna, most packets were received (by the AP300) at 1Mb/s.
Figure 14.12 Without the antenna, most packets were transmitted (by the AP300) at 1 or 2 Mb/s.
Figure 14.13 Without the antenna, many packets had 1 to 4 retries.
The “raw” stats also accumulate the number of packets received, the sum of all signal values on those packets,
and the sum of each signal value squared. Taking the delta of each of those values over both the interval
with the antenna present and the interval with it absent results in average signal readings with corresponding
standard deviations.
With the antenna absent, the average signal was –88.5 dB with a stddev of 3.4, (meaning that 67% of packets
had signal values of –91.9 to –85.1 dB).
Note The greater variance while the antenna is present can be explained by the
fact that the AP radio has a certain floor of receive sensitivity, probably around –91 dB.
This fact compresses the range of possible values.
With the antenna present, the average signal was –63.6 with a stddev of 10.2 dB. Assuming the signal
readings fit a normal distribution, those curves would look approximately as shown in Figure 14.14. Note that
these values closely match the values, (–89 and –67 dB), shown in Figure 14.10.
Figure 14.14 Distributions of received signal strength, as predicted by the average and standard deviation calculated
across the collection of packets received.
14.6.1.1 Watching min, max, or average is not enough
Suppose your SLA (Service Level Agreement) requires you to provide a wireless signal strength of –63dB (or better)
to your customers/partners/colleagues. What variables would you need to monitor to assure all involved that
the agreed service level was being achieved?
SLA 1 — End stations will experience –63dB or better
Monitoring min/max would not suffice. In most wireless infrastructures, this would tell you nothing as at least
one end station would have experienced –20dB (or some such excellent signal), and at least one end station
would have experienced –90dB (or some such signal at the very threshold of being detected).
Monitoring the mean would also not suffice. Figure 14.15 shows three possible scenarios. In the red case, all
end stations are experiencing a very similar level of signal ranging from –53dB to –63dB. In the blue case,
some are experiencing very strong signal while an equal number are experiencing very weak signal. Note that
in all cases the mean is identical.
Process control theory has addressed many such problems for decades using standard deviation. For any
normal distribution, 68% of the population resides in the range of mean +/– one standard deviation. 95% of
the population resides in the range of mean +/– two standard deviations, and 99.7% within three standard
deviations.
Note Six standard deviations include all but two billionths of the sample. Due to
the quality control methodology called ‘Six Sigma’, the term has acquired a
commonplace meaning as containing 99.99966% of the sample. Many
corporations have adopted the Six Sigma methodology for Quality Control and try
to achieve a defect rate of 3.4 per million. The rate of 3.4 per million, however, actually
corresponds to 4.5 standard deviations, because the Six Sigma founders assumed a natural
offset of 1.5 sigma to account for drift in production quality over time.
Figure 14.15 Graph displaying the 3 possible scenarios while monitoring the signal strength
This begs the question: what percentage of end stations must be experiencing –63dB or better at any given
time? Depending on the situation, the requirement might be that 80% must have –63dB or better, (which the
red and green distributions achieve). Or, the requirement might be that 98% have better than –63dB, (which
only the red distribution achieves).
SLA 2 — 80% of end stations will experience –63dB or better
In any case, both the mean and the standard deviation must be monitored. If success was defined as having
80% of the end stations at –63dB or better, that would suggest that the mean of the measured signal strengths
needs to be at least one standard deviation better than –63dB; (since +/– one standard deviation accounts for
68% of a normally distributed population, that means one ‘tail’ would leave 32% / 2 = 16%, which is just
slightly better than the 20% we permit to be worse than –63dB).
So, to ensure that our threshold is met, we routinely fetch the mean and standard deviation from the wireless
infrastructure and check that mean + [one] standard deviation is less than or equal to –63dB.
14.6.1.2 Who calculates Standard Deviation?
There are two possibilities: the network infrastructure devices themselves, or an external, server-based
network management application.
When an SLA is negotiated, it must specify not just the threshold, (–63dB in our example), and the percentage
of the population in compliance, (80% in our example), but also the monitoring interval. An environment that
has 80% of the end stations at –63dB or better as averaged over a 24 hour period may not have met that
standard each and every hour of that day.
SLA 3 — Within each 30 second interval, 80% of end stations will experience –63dB or better
Whatever interval the SLA specifies is the minimum interval at which monitoring must take place. Since those
intervals are often relatively short, it would clearly be more efficient for the network infrastructure device to
perform this monitoring, rather than an external server. For the infrastructure to do this well, it would allow
the threshold (-63dB in our case) to be specified, as well as the number of standard deviations, (1 in our case),
which the current mean should be from the threshold. If standard deviation is relatively constant, solely the
mean could be monitored, (but for many installations that might be a big assumption).
Additionally, it’s important that the infrastructure device ignore any calculations that are performed on too few
packets to be statistically significant. A time-period that only represents 5 packets is meaningless, regardless
of the mean and/or standard deviation.
14.6.1.3 How is Standard Deviation calculated from running sums?
In order to calculate the mean, for efficiency reasons the network infrastructure device would typically
maintain a total sum of received signal strengths, and ‘n’, the number of readings/packets. Such running sums
are much more efficient to maintain than re-calculating the mean after each new reading/packet.
Note Re-calculating average and stddev after each new sample would require
several multiplication, division, and square-root calculations for each packet.
Keeping a running sum and sum-of-squares requires only two additions per
packet, and a lookup (in place of the squaring function).
Additionally, using sum and sum-of-squares allows the average and standard deviation to be calculated over
any arbitrary interval of time.
Note This would not be possible if the device were maintaining a
‘running’ average and ‘running’ standard deviation. The delta calculation
end-average – start-average does not yield the average over a given interval of time.
Likewise for standard deviation.
Mean (average) can be easily calculated at any time by dividing the sum of readings by ‘n’.
Standard deviation can be calculated from ‘n’, the sum of all readings, and the sum of each reading squared.
Or, in terms more suited to a programmer, rather than a math major:
// at start of the time interval
GET start_n, start_sum_of_values, start_sum_of_squares
:
// wait for the time interval to expire
:
// at end of the time interval
GET end_n, end_sum_of_values, end_sum_of_squares
// calculate the delta of readings over the interval
n = end_n - start_n
sum_of_values = end_sum_of_values - start_sum_of_values
sum_of_squares = end_sum_of_squares - start_sum_of_squares
// calculate average & stddev (requires n > 1)
mean = sum_of_values / n
std_dev = SQRT( (sum_of_squares - (n * mean * mean)) / (n - 1) )
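The delta calculation above, combined with the too-few-packets rule from 14.6.1.2 and the SLA check from 14.6.1.1, as an added Python example (not code from this guide or from the switch). The counter field names, the 30-packet minimum and the sample readings are assumptions constructed for illustration. Readings are treated as signed dB values, so "one standard deviation better than –63dB" is tested as mean - k * stddev >= -63.

```python
import math
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class RawCounters:
    """One read of the cumulative since-reboot signal counters for one MU.

    Field names are hypothetical stand-ins for the NumPkts, sum and
    sum-of-squares values the guide describes.
    """
    num_pkts: int
    sum_signal: int      # sum of signed signal readings, in dB
    sum_signal_sq: int   # sum of each reading squared


@dataclass(frozen=True)
class IntervalStats:
    n: int
    mean: float
    stddev: float


def accumulate(prev: RawCounters, readings: Iterable[int]) -> RawCounters:
    """Simulate the device side: running sums only, no per-packet averaging."""
    n, s, sq = prev.num_pkts, prev.sum_signal, prev.sum_signal_sq
    for r in readings:
        n, s, sq = n + 1, s + r, sq + r * r
    return RawCounters(n, s, sq)


def interval_stats(start: RawCounters, end: RawCounters,
                   min_pkts: int = 30) -> Optional[IntervalStats]:
    """Mean and sample standard deviation of the readings between two reads.

    Returns None when the interval holds too few packets to be meaningful
    (min_pkts is an assumed cut-off; the guide gives no figure).
    Raises ValueError when a counter moved backwards, a best-effort sign
    that the device rebooted between the reads and the delta is invalid.
    """
    n = end.num_pkts - start.num_pkts
    if n < 0 or end.sum_signal_sq < start.sum_signal_sq:
        raise ValueError("counters reset between reads (device reboot?)")
    if n < max(min_pkts, 2):
        return None
    total = end.sum_signal - start.sum_signal
    total_sq = end.sum_signal_sq - start.sum_signal_sq
    mean = total / n
    # Clamp at zero: float rounding can leave a tiny negative variance.
    variance = max((total_sq - n * mean * mean) / (n - 1), 0.0)
    return IntervalStats(n, mean, math.sqrt(variance))


def meets_sla(stats: IntervalStats, threshold_db: float = -63.0,
              num_stddevs: float = 1.0) -> bool:
    """True when the mean is at least num_stddevs better than the threshold.

    With signed readings, "better" means numerically greater.
    """
    return stats.mean - num_stddevs * stats.stddev >= threshold_db


# Constructed sample readings (dB), not captured from a real switch.
WITH_ANTENNA = [-52, -56, -60] * 12
WITHOUT_ANTENNA = [-85, -88, -91] * 12

T0 = RawCounters(0, 0, 0)               # read at the start of interval 1
T1 = accumulate(T0, WITH_ANTENNA)       # read at the end of interval 1
T2 = accumulate(T1, WITHOUT_ANTENNA)    # read at the end of interval 2

if __name__ == "__main__":
    for label, a, b in (("antenna on", T0, T1), ("antenna off", T1, T2)):
        st = interval_stats(a, b)
        print(f"{label}: n={st.n} mean={st.mean:.1f} "
              f"stddev={st.stddev:.2f} SLA met={meets_sla(st)}")
    # The since-boot mean blends both intervals and hides the change.
    print("since-boot mean at T2:", T2.sum_signal / T2.num_pkts)
```

The since-boot mean at the last read sits between the two interval means, which is why the counters are differenced rather than averaged directly.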
AP-300 Sensor Conversion
15.1 Overview
The WS5000 switch is capable of adopting different types of Access Ports. It is capable of using custom firmware
instead of default firmware images for specified APs. This functionality is used to perform the conversion from
an AP to a W-IPS sensor.
A new conversion firmware image is added to the WS5000 distribution. This image is similar to all other
firmware images that are used by the switch to adopt the variety of APs. This image contains a standard WS5000
image header that identifies the image as AP300 firmware. The image version in the header is set to 0.0.0.0.
This prevents it from being used as a default image during AP300 adoption. The firmware is provided by
AirDefense and contains the code necessary for the AP300 to operate in the W-IPS sensor mode.
15.1.1 Sensor Implementation
The switch can convert an AP300 to a W-IPS sensor and vice-versa. The conversion of an AP300 to a sensor is
possible only on the currently active APs.
15.2 Functionality
In addition to the basic AP to sensor conversion it is also desirable that the switch provide some minimal
management capabilities for the sensors. You should be able to view the list of sensors, read and send sensors'
configuration and revert selected sensors back to AP.
AirDefense defines a Layer 2 communication protocol that can be used to discover sensors connected to the
switch and to send commands to the sensors. A broadcast ping packet is used for sensor discovery, which
implies that the sensors must stay in the same broadcast domain as the switch after the conversion. This is
not an unreasonable expectation because AP adoption and subsequent conversion to a sensor would not be
possible without it.
This extended sensor management functionality has minimal potential impact on the core WS5000
functionality. The switch maintains the list of known sensors in a separate list that does not interfere with the
existing list of APs.
15.2.1 Sensor Discovery
The switch discovers sensors by sending PINGREQUEST packets on all VLANs connected to the switch. The
switch dynamically obtains the list of all known VLANs from the switch Ethernet configuration. All sensors
that are reachable by the switch respond with a PINGRESPONSE packet. The switch then sends a
REQ_CONFIG command to all discovered sensors. The switch maintains the list of all sensors and their
configuration. The list is refreshed on a regular basis. The content of the list is returned to UI/CLI via an XML
command.
15.2.2 Sensor Configuration
Sensor configuration consists of:
• DHCP or Static IP address
• IP/mask/gateway for Static IP
• Primary and secondary IP address of AirDefense server
The configuration is sent to a sensor after the initial conversion and at any other time based on user's request.
The switch persistently stores a single default configuration that is sent to every sensor immediately after the
conversion. The switch does not store per-sensor configuration. You can also interactively request for
configuration of an individual sensor, modify it and send it back to the sensor.
After the conversion, the switch continuously pings the newly converted sensor by sending unicast
PINGREQUEST packets to the MAC address on the VLAN in which the AP300 has been created. After the
switch receives PINGRESPONSE from the sensor, it sends a CONFIG_UPDATE command to the sensor and
waits for an acknowledgement. That completes the initial configuration after the conversion. If the switch fails
to receive PINGRESPONSE after 10 seconds of conversion or if the switch fails to receive an acknowledgement
after the switch logs an error.
You can select one of the sensors to change its configuration. The switch issues a REQ_CONFIG command and
waits for a response. The response contains the sensor's current configuration, which you can then change.
After the changes are made, the switch sends a CONFIG_UPDATE command to the sensor and waits for an
acknowledgement. If the switch fails to receive an acknowledgement, it logs an error.
15.2.3 Sensor Revert
You can revert sensors back to APs by selecting sensors from the list and issuing a revert command. The
switch sends a DOWNGRADE command to all selected sensors and waits for an acknowledgement from
every one of them. The DOWNGRADE command forces the sensor to reactivate the WISP bootloader, at which point
the AP300 can be adopted as an access port. If the switch fails to receive an ACK, it logs an error.
Note At any given time, you cannot send more than one configuration command to
a sensor. The sensor resets after receiving the first command and is unavailable for
45 seconds.
15.3 GUI and CLI Interface
The actions related to sensor configuration and revert are performed asynchronously and outside the normal
interaction between the switch and UI/CLI. Because of this, the switch returns success for any command
that has valid syntax and parameters, i.e. valid MAC address of the sensor, valid IP/network mask/gateway,
etc. The command itself is executed after the initial result is returned to UI/CLI. For the complete CLI reference,
see 8.47 Sensor Context on page 252.
The convert and revert commands take some time to complete. When you issue a convert command using the
CLI, you get a success. This means the command has been accepted and the syntax and MAC address are valid.
It will take anywhere between 45 seconds and a minute to complete the conversion. Hence the newly
converted AP will be displayed in the sensor list only after about a minute.
A syslog/SNMP trap is generated whenever the sensor is disconnected at any time between the moment it was
discovered and the moment you attempt to issue a command to the sensor.
Note All the sensor conversion and management related functionality is disabled
by default. The user is required to enable it through a UI/CLI command before using any of
the described functionality. Configuration through SNMP is also supported.
15.3.1 Converting an AP300 into a Sensor
To convert an AP300 to a sensor, select AP300/Sensor from the left hand side tree menu of the main window.
This will open AP300/Sensor configuration window. By default the window displays the AP300 tab details.
Follow the steps mentioned below to convert an AP300 to a sensor:
1. The sensor conversion and management functionality is disabled by default. Select Enable from the
Enable Sensor drop-down box, this will enable you to convert the AP300 to a sensor.
Figure 15.1 AP300/Sensor window
2. Select an AP300 by clicking on the checkbox associated with each AP300. Click on the Default Config
button to view the default configuration of the sensor. This opens the WIPS Default Configuration
window. All the fields in this window are configurable and you can change the default configuration if
required and commit it by clicking on the Save button.
Figure 15.2 The WIPS Default configuration window
Note If you enable the DHCP, then you cannot edit Sensor IP, Subnet Mask and
Gateway fields.
3. Click on the Convert to Sensor button to convert the selected AP300 into a sensor. This opens the WIPS
Configuration window. Click on the Save button to commit the changes made.
Figure 15.3 The WIPS Configuration window
4. The switch opens a dialog box prompting you to confirm the changes made. Click OK to confirm the
changes made (if any) and save the configuration to start the conversion from an AP to W-IPS.
Note If you enable the DHCP server type in the WIPS Configuration window, the
Sensor IP, Subnet Mask, Gateway will be disabled. These values will now be
provided by the DHCP server.
5. To view the new sensor, click on the AP300/Sensor from the tree menu on the left hand side. Select the
Sensor tab and then click on the Refresh button in the main AP300/Sensor window. It generally takes
about a minute to convert the AP into a sensor.
Figure 15.4 Viewing the newly created sensor in the Sensor tab
15.3.2 Converting a Sensor into an AP300
To convert a sensor to an AP300, select AP300/Sensor from the left hand side tree menu of the main window.
This will open the AP300/Sensor configuration window. Click on the Sensor tab to view the list of sensors
available. Follow the steps mentioned below to convert a sensor to an AP300:
1. Select Enable from the Enable Sensor drop-down box; this will enable you to convert the sensor to an
AP300.
Figure 15.5 Sensor tab displaying the available sensor(s)
2. Select a sensor by clicking on the checkbox associated with the sensor that you want to convert to an
AP300. Click on the Modify button to view the current/default configuration of the sensor. This opens
the WIPS Configuration window.
Disable the DHCP, by clicking on the checkbox, to modify the values of Sensor IP and Subnet Mask. If
the DHCP server is enabled then these values (Sensor IP and Subnet Mask) are provided by DHCP and
you cannot modify them. Click the Save button to commit the changes made, if any.
Figure 15.6 The default WIPS Configuration window displaying the default sensor configuration
3. The switch opens a dialog box prompting you to save the configuration. Click OK to confirm the changes
made (if any) and save the configuration.
Figure 15.7 Converting a Sensor to an AP300
4. To view the new AP300, click on the AP300/Sensor from the tree menu on the left hand side. Select the
AP300 tab and then click on the Refresh button in the main AP300/Sensor window. It generally takes
about a minute to convert the sensor into an AP300.
Syslog and Traps
The WS5000 switch supports raising SNMP Traps and/or logging Syslog messages on certain events.
The events are listed in the table below.
The user can configure, for each event, whether an SNMP Trap is to be sent, a syslog message is to be logged, or both.
16.1 List of Traps and Syslog Messages.
Table 16.1 Default Syslog and Traps Configuration

| S.No | Event | Description | Default Local Log | Default SNMP Trap | Default Syslog Severity |
|---|---|---|---|---|---|
| 1 | License number change | Whenever the number of access port licenses supported by the switch has changed. | Enabled | Disabled | Disabled |
| 2 | Clock change | Whenever the time changes. | Enabled | Disabled | Disabled |
| 3 | Packet discard [wrong NIC] | Whenever the switch has received a packet from the access port via a NIC that is different from the one through which the access port is/was adopted. | Enabled | Disabled | Disabled |
| 4 | Packet discard [wrong VLAN] | Whenever the switch has received a packet from the access port via a VLAN that is different from the one through which the access port is/was adopted. | Enabled | Disabled | Disabled |
| 5 | AP adopt failure [general] | Whenever the switch fails to adopt an access port. | Enabled | Enabled | Disabled |
| 6 | AP adopt failure [policy disallow] | Whenever the switch fails to adopt an access port because the access port policy disallowed it. | Enabled | Enabled | Disabled |
| 7 | AP adopt failure [acl disallow] | Whenever the switch fails to adopt an access port because the access port is in the exclude list. | Enabled | Enabled | Disabled |
| 8 | AP adopt failure [limit exceeded] | Whenever the switch fails to adopt an access port because the # of licenses for access port has reached its maximum. | Enabled | Enabled | Disabled |
| 9 | AP adopt failure [license disallow] | Whenever the switch fails to adopt an access port because the license would not allow it to do so. | Enabled | Enabled | Disabled |
| 10 | AP adopt failure [no image] | Whenever the switch fails to adopt an access port because the switch did not find an AP image corresponding to the information sent by the AP. | Enabled | Enabled | Disabled |
| 11 | AP status [offline] | Whenever the communication with the AP is lost. | Enabled | Enabled | Disabled |
| 12 | AP status [alert] | Whenever the communication with the AP is active but the AP is not adopted (for various reasons). | Enabled | Enabled | Disabled |
| 13 | AP status [adopted] | Whenever the AP is adopted. | Enabled | Enabled | Disabled |
| 14 | AP status [reset] | Whenever a reset has been issued to an AP. | Enabled | Enabled | Disabled |
| 15 | AP config failed [no ESS] | Whenever the access policy used to adopt an AP does not have any ESS. | Enabled | Enabled | Disabled |
| 16 | AP max MU count reached | Whenever the maximum number of MUs that can be associated with an AP is reached. | Enabled | Enabled | Disabled |
| 17 | AP detected | Whenever an AP is detected by the switch. | Enabled | Disabled | Disabled |
| 18 | Device msg dropped [info] | Whenever the device info message from the AP is dropped (for various reasons). | Enabled | Enabled | Disabled |
| 19 | Device msg dropped [loadme] | Whenever the load me info message from the AP is dropped (for various reasons). | Enabled | Enabled | Disabled |
| 20 | Ether port connected | Whenever the ethernet port is connected. | Enabled | Enabled | Disabled |
| 21 | Ether port disconnected | Whenever the ethernet port is disconnected. | Enabled | Enabled | Disabled |
| 22 | MU assoc failed [ACL violation] | Whenever an MU association with an AP/switch fails because the ACL (Access Control List) does not allow this MU to be associated. | Enabled | Enabled | Disabled |
| 23 | MU assoc failed | Whenever an MU association with an AP/switch fails (for various reasons). | Enabled | Enabled | Disabled |
| 24 | MU status [associated] | Whenever an MU is successfully associated with an AP/Switch. | Enabled | Enabled | Disabled |
| 25 | MU status [roamed] | Whenever the MU has roamed from one AP to another AP. | Enabled | Enabled | Disabled |
| 26 | MU status [disassociated] | Whenever an MU is disassociated (for various reasons). | Enabled | Enabled | Disabled |
| 27 | MU EAP auth failed | Whenever an MU EAP authentication has failed (for various reasons). | Enabled | Enabled | Disabled |
| 28 | MU EAP auth success | Whenever the MU's EAP auth is completed successfully. | Enabled | Enabled | Disabled |
| 29 | MU Kerberos auth failed | Whenever the MU's Kerberos auth has failed. | Enabled | Enabled | Disabled |
| 30 | MU Kerberos auth success | Whenever the MU's Kerberos auth has completed successfully. | Enabled | Enabled | Disabled |
| 31 | MU TKIP [decrypt failure] | Whenever an MU using the TKIP encryption mechanism has encountered a decryption failure. | Enabled | Enabled | Disabled |
| 32 | MU TKIP [replay failure] | Whenever an MU using the TKIP encryption mechanism has encountered a replay counter failure. | Enabled | Enabled | Disabled |
| 33 | MU TKIP [MIC error] | Whenever an MU using the TKIP encryption mechanism has encountered a Michael integrity check failure. | Enabled | Enabled | Disabled |
| 34 | WLAN auth success | Whenever the MU (associating to an ESSID) is authenticated successfully through the Kerberos KDC. | Enabled | Disabled | Disabled |
| 35 | WLAN auth failed | Whenever the MU (associating to an ESSID) is not authenticated successfully to a Kerberos KDC. | Enabled | Enabled | Disabled |
| 36 | WLAN max MU count reached | Whenever the number of MUs associated with this WLAN/ESSID has exceeded the permissible limit. | Enabled | Enabled | Disabled |
| 37 | Mgt user auth failed [radius] | Whenever the given management user’s authentication request has been rejected by the RADIUS server. | Disabled | Disabled | Disabled |
| 38 | Mgt user auth rejected | Whenever the given management user’s authentication request has been rejected locally. | Disabled | Disabled | Disabled |
| 39 | Mgt user auth success [radius] | Whenever the given management user’s authentication request has been successfully accepted by the RADIUS server (OR) locally. | Enabled | Disabled | Disabled |
| 40 | Radius server timeout | Whenever the given management user’s authentication request to the RADIUS server has timed out, at the RADIUS server end. | Enabled | Enabled | Disabled |
| 41 | KDC user [added] | Whenever a KDC user is added. | Enabled | Disabled | Disabled |
| 42 | KDC user [changed] | Whenever a KDC user is changed. | Enabled | Disabled | Disabled |
| 43 | KDC user [deleted] | Whenever a KDC user is deleted. | Enabled | Disabled | Disabled |
| 44 | KDC DB replaced | Whenever a KDC user is replaced. | Enabled | Enabled | Disabled |
| 45 | KDC propagation failure | Whenever KDC propagation failed on the specified host. | Enabled | Enabled | Disabled |
| 46 | WPA counter-measures [active] | Whenever the WPA counter measures have been started for the specified WLAN. | Enabled | Enabled | Disabled |
| 47 | Primary lost heartbeat | Whenever no heart beat is received from standby. | Enabled | Disabled | Disabled |
| 48 | Standby active | Whenever standby is taken over from primary. | Enabled | Enabled | Disabled |
| 49 | Primary internal failure [reset] | Whenever primary interface is stopped. | Enabled | Disabled | Disabled |
| 50 | Standby internal failure [reset] | Whenever standby interface is stopped. | Enabled | Disabled | Disabled |
| 51 | Standby auto-revert | Whenever the standby, which is currently active, enters the non-active state because primary switch has come up. | Enabled | Enabled | Disabled |
| 52 | Primary auto-revert | Whenever the primary, which is currently active, enters the non-active state because standby switch has come up. | Enabled | Enabled | Disabled |
| 53 | Auto channel select success/error | Whenever the switch has successfully/unsuccessfully performed the ACS for an Access Port. | Enabled | Enabled | Disabled |
| 54 | Emergency Policy [active] | Whenever the emergency switch policy is activated. | Enabled | Enabled | Disabled |
| 55 | Emergency Policy [deactivated] | Whenever the emergency switch policy is deactivated. | Enabled | Enabled | Disabled |
| 56 | Low flash space on switch | Whenever the free space on the flash drive (DOM) has gone below a user configurable threshold. | Enabled | Enabled | Disabled |
| 57 | Miscellaneous debug events | For various miscellaneous events: license key on a WS-Lite cannot be upgraded; invalid license key for WS-Lite; watchdog timer could not be updated; Ethernet port configuration issues; DFS radio channel scan results overdue; no valid country for 2.11 radio; end of WPA counter measures. | Disabled | Disabled | Disabled |
| 58 | HSB Starts Up | Whenever the HSB feature is enabled. | Enabled | Disabled | Disabled |
| 59 | HSB Peer Connect | Whenever the primary/standby switch gets connected. | Enabled | Disabled | Disabled |
| 60 | CPU/SYS Temp Notification | Whenever the CPU/system temperature exceeds the user specified threshold. | Enabled | Enabled | Disabled |
| 61 | Access Changed Notification | Whenever the access mechanisms to the system (telnet, ssh) are changed. | Enabled | Disabled | Disabled |
| 62 | Radio power is reduced [TPC] | Whenever the radio power is reduced. | Enabled | Disabled | Disabled |
| 63 | Radar is detected [DFS] | Whenever a radar is detected by a radio (in an adopted AP) in the current operation channel. | Enabled | Disabled | Disabled |
| 64 | Channel selected to avoid radar [DFS] | Whenever the radio in an adopted AP moves the channel because a radar was detected in the current operating channel. | Enabled | Disabled | Disabled |
| 65 | Switch to new channel [DFS] | The radio in an AP switches to a new channel. | Enabled | Disabled | Disabled |
| 66 | Revert back to original channel [DFS] | Whenever the radio in the AP moves back to the original channel (for various reasons). | Enabled | Disabled | Disabled |
| 67 | Radio is suspended | Whenever the radio is suspended. | Enabled | Disabled | Disabled |
| 68 | Radio is resumed | Whenever the radio restarts/resumes. | Enabled | Disabled | Disabled |
| 69 | Radio is moved to random channel | Whenever the radio (in an adopted AP) moves from a user selected channel to a random channel (for various reasons). | Enabled | Disabled | Disabled |
| 70 | A new rogue AP is detected | Whenever a new rogue AP is detected. | Enabled | Disabled | Disabled |
| 71 | A new approved AP is detected | Whenever a new approved AP is detected, as determined by the rule list or explicitly specified by the operator. | Enabled | Disabled | Disabled |
| 72 | WVPN certificate anomalies | Whenever the certificates associated with the VPN are not valid. | Enabled | Disabled | Disabled |
| 73 | WVPN Config/connection changes | | Enabled | Disabled | Disabled |
| 74 | RADIUS Accounting Log | Whenever an MU is associated or disassociated with an AP/Switch, a corresponding start or stop log is generated. | Disabled | Disabled | Disabled |
| 75 | RADIUS Server Status | Whenever the status (enable/disable) of the on board RADIUS server is changed. | Enabled | Disabled | Disabled |
| 76 | Switch configuration changed | Whenever there is a change to the switch configuration. | Disabled | Disabled | Disabled |
| 77 | Tunnel Status change | Whenever the status of the tunnel has changed. | Enabled | Disabled | Disabled |
| 78 | NON IP packet received on Tunnel | Whenever a non IP (internet protocol) packet is received in the tunnel. | Enabled | Disabled | Disabled |
79
Statistics has crossed the prescribed threshold by a AP
Whenever the AP has exceeded the threshold for a one or more monitored
parameters.
Enabled
Disabled
Disabled
80
Statistics has crossed the prescribed threshold by a MU
Whenever the MU has exceeded the threshold for a one or more monitored
parameters.
Enabled
Disabled
Disabled
81
Statistics has crossed the prescribed threshold by a WLAN
Whenever the WLAN has exceeded the threshold for a one or more monitored
parameters.
Enabled
Disabled
Disabled
82
Statistics has crossed the prescribed threshold by switch
Whenever the Switch has exceeded the threshold for one or more monitored
parameters.
Enabled
Disabled
Disabled
83
AP is converted to sensor
Whenever an AP300 is converted to an Sensor.
Enabled
Disabled
Disabled
84
Sensor is reverted back to AP
Whenever a Sensor is re converted to an AP300.
Enabled
Disabled
Disabled
85
Failed to communicate to a sensor
Whenever the communication with the sensor is lost.
Enabled
Disabled
Disabled
86
Sensor is no longer responding to ping
Whenever connectivity with the sensor is lost.
Enabled
Disabled
Disabled
DDNS
DDNS is based on the current ISC DHCP server on the WS5000. It implements the update all feature by parsing
the existing DHCP server lease database and sending an update for every valid lease. The user class option sent
by the DHCP client must conform to RFC 3004. For this, the user must specify whether or not the user class
option is to be interpreted as a multiple user option field.
17.1 Update Mechanism
The update mechanism followed by DDNS to parse the existing DHCP server lease is as follows:
1. On receipt of a DHCPREQUEST, the server sends a DDNS update to add a DNS entry.
2. The DDNS update is sent to the master server for the zone.
3. When a new lease is allocated, the DNS server creates a hash as specified in draft-ietf-dnsext-dhcidrr-06.
4. A DNS update adds an A record with the name and a TXT record with the hash, the prerequisite being
that the A record with the same name must not exist.
5. If this fails because the A entry already exists, an update is sent for the A record with the name, the
prerequisite being that the TXT record must have the same hash.
6. It next sends a PTR update.
When the lease expires or when the client sends a DHCPRELEASE, the A and PTR entries are deleted.
When an update all command is issued to a DHCP server, all leases issued by the DHCP server will be updated
on the DNS server. As this command may take considerable time to complete, it runs asynchronously. You may
view the status of the last update all command at any time.
If the update of a DDNS entry fails, it is recorded and the update all process continues with the next entry. The
status displayed will be as follows:
• If no update command has been issued since system bootup: No manual update initiated
• If an update is in progress: Update being performed: [x total, y completed, z failures]
• If an update completed with no failures: Completed x updates successfully
• If an update had failures: Update failed: [x total, y failed]
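The update sequence in 17.1 and the update all status reporting above, modelled as an added Python example (not code from the WS5000 or from ISC DHCP). The Zone class is a constructed in-memory stand-in for the zone's master server, and client_hash is an assumed SHA-256 placeholder, not the hash encoding defined by the draft; the point shown is that the TXT prerequisite keeps a second client from taking over a name that another client already holds.

```python
import hashlib

class Zone:
    """Constructed in-memory stand-in for the zone's master DNS server."""
    def __init__(self):
        self.a, self.txt, self.ptr = {}, {}, {}

    def add_if_absent(self, name, ip, digest):
        # Step 4: add A and TXT; prerequisite: no A record with this name.
        if name in self.a:
            return False
        self.a[name], self.txt[name] = ip, digest
        return True

    def replace_if_owner(self, name, ip, digest):
        # Step 5: update A; prerequisite: TXT record carries the same hash.
        if self.txt.get(name) != digest:
            return False
        self.a[name] = ip
        return True

def client_hash(client_id):
    # Assumed placeholder digest, not the encoding defined by the draft.
    return hashlib.sha256(client_id.encode()).hexdigest()

def ddns_update(zone, name, ip, client_id):
    digest = client_hash(client_id)
    old_ip = zone.a.get(name)
    if not (zone.add_if_absent(name, ip, digest)
            or zone.replace_if_owner(name, ip, digest)):
        return False                 # name belongs to a different client
    zone.ptr.pop(old_ip, None)       # model detail: drop a stale PTR
    zone.ptr[ip] = name              # Step 6: PTR update
    return True

def ddns_release(zone, name):
    # Lease expiry or DHCPRELEASE: the A and PTR entries are deleted.
    ip = zone.a.pop(name, None)
    zone.ptr.pop(ip, None)

def update_all(zone, leases):
    # A failed entry is recorded and the run continues with the next lease.
    failed = sum(not ddns_update(zone, *lease) for lease in leases)
    if failed:
        return f"Update failed: [{len(leases)} total, {failed} failed]"
    return f"Completed {len(leases)} updates successfully"
```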
DOM Firmware Upgrade
Images Needed
1. For upgrade on Mantis DOMs:
domfix.patch.sys.img
2. For upgrade on 1.4 DOMs:
WS5k_domfix.cfg
Procedure to Upgrade On the Mantis DOM
1. Transfer domfix.patch.sys.img to the switch by FTP or TFTP using the copy tftp/ftp command.
2. In the Cfg mode, run the patch command to install the Firmware Upgrade Patch,
i.e.: Cfg> patch domfix.patch.sys.img
3. The patch checks whether the DOM firmware is up to date. If it is, the patch just exits; otherwise it reboots
the switch and upgrades the DOM firmware.
Procedure to Upgrade On the WS5x00 Series Wireless Switch DOM
1. Transfer WS5k_domfix.cfg to the switch by FTP or TFTP using the copy tftp/ftp command.
2. In the service mode CLI, run the exec command to install the Firmware Upgrade Patch,
i.e.: SM-WS5000> exec
Enter the command file: WS5k_domfix.cfg
3. The command file checks whether the DOM firmware is up to date. If it is, it just exits; otherwise it reboots
the switch and upgrades the DOM firmware.
This is only supported for the Kouwell DOM.
DTIM Interval per BSS
The WS5000 switch allows the user to modify the DTIM interval. This value, also called the DTIM period, is set
on a per AP Policy basis.
The choice of DTIM period depends on which is more important: power consumption or WLAN
performance.
• A longer DTIM interval results in reduced power consumption for devices in PSP mode.
• A shorter DTIM period would be desirable for voice traffic to improve voice quality.
This creates a conflict when the customer has both WLAN phones and battery-operated mobile devices that
transfer data on the same infrastructure. These two sets of devices may be on different WLANs but share
access ports, so the DTIM interval is forced to be the same for both. To solve this conflict, the user can now
set the DTIM on a per BSS basis.
Overview
The AP policy CLI context is enhanced to enable the user to set four DTIM interval values, numbered 1-4. DTIM
value 1 is used for BSS1, DTIM value 2 for BSS2, and so on. The first DTIM interval value is also the default, and is
used when the AP does not support setting of DTIM per BSS; this is indicated as such through the user
interface.
The AP indicates its ability to set the DTIM interval on a per BSS basis through the DeviceInfo message. If the
AP supports this feature, the switch will include an item with DTIM interval for each BSS the AP supports in
the configuration packet sent at adoption of the AP. If not, the switch will send the older configuration item
setting a per radio DTIM interval with the value indicated as the default DTIM interval in the AP Policy map.
If you modify the value of DTIM period for an AP Policy currently applied to any adopted APs, the switch will
send a configuration packet with the updated DTIM interval value to any such APs.
The AP sends a DTIM_POLL / QOS_DTIM_POLL for each BSS before DTIM time. The switch sends stored
broadcasts to the AP for that BSS on receipt of the message.
Currently only AP100 and AP300 support this feature.
AP300 LED Codes
The AP300 LED operates under the following circumstances:
• Quiet state.
• RF Transmit activity state.
• RF Receive activity state.
The maximum flash rate for each LED in the AP300 is ten times per second.
Table C.1 AP300 LED code

| Current AP300 State | LED Code |
|---|---|
| Quiet State (AP300 is powered on with normal operation and no RF traffic) | Both LEDs flash together (on/off) every five seconds |
| RF Transmit activity state (non-beacons) | Every non-beacon radio packet transmitted causes the corresponding LED to flash (followed by off): Amber for the 802.11a radio, Green for the 802.11b/g radio |
| RF Receive activity state | Each data packet received causes the corresponding LED to flash. |
Customer Support
Symbol Technologies provides its customers with prompt and accurate customer support. Use
the Symbol Support Center as the primary contact for any technical problem, question or support
issue involving Symbol products.
If the Symbol Customer Support specialists cannot solve a problem, access to all technical
disciplines within Symbol becomes available for further assistance and support. Symbol
Customer Support responds to calls by email, telephone or fax within the time limits set forth in
individual contractual agreements.
When contacting Symbol Customer Support, please provide the following information:
• serial number of unit
• model number or product name
• software type and version number.
North American Contacts
Inside North America:
Symbol Technologies, Inc.
One Symbol Plaza Holtsville, New York 11742-1300
Telephone: 1-631-738-2400/1-800-SCAN 234
Fax: 1-631-738-5990
Symbol Support Center (for warranty and service information):
telephone: 1-800-653-5350
fax: (631) 738-5410
Email: [email protected]
International Contacts
Outside North America:
Symbol Technologies
Symbol Place
Winnersh Triangle, Berkshire, RG41 5TP
United Kingdom
0800-328-2424 (Inside UK)
+44 118 945 7529 (Outside UK)
Web Support Sites
MySymbolCare
http://www.symbol.com/services/msc
Symbol Services Homepage
http://symbol.com/services
Symbol Software Updates
http://symbol.com/services/downloads
Symbol Developer Program
http://software.symbol.com/devzone
Additional Information
Obtain additional information by contacting Symbol at:
1-800-722-6234, inside North America
+1-516-738-5200, in/outside North America
http://www.symbol.com/
Symbol Technologies, Inc.
One Symbol Plaza
Holtsville, New York 11742-1300
http://www.symbol.com
72E-81435-01
Document Revision A March 2006
