Cisco Wireless Controller Command Reference, Release 8.4

First Published: 2017-05-18

Americas Headquarters

Cisco Systems, Inc.

170 West Tasman Drive

San Jose, CA 95134-1706

USA http://www.cisco.com

Tel: 408 526-4000

800 553-NETS (6387)

Fax: 408 527-0883

THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB's public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.

NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED "AS IS" WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.

IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: http://www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)

© 2017 Cisco Systems, Inc. All rights reserved.

Contents

Preface
Audience
Document Conventions
Related Documentation
Obtaining Documentation and Submitting a Service Request

PART I: Using the Command-Line Interface

CHAPTER 1: Using the Command-Line Interface
CLI Command Keyboard Shortcuts
Using the Interactive Help Feature
Using the help Command
Using the ? command
Using the partial? command
Using the partial command<tab>
Using the command ?
command keyword ?

PART II: Clear Commands

CHAPTER 2: Clear Commands: a to l
clear advanced
clear acl counters
clear ap config
clear ap eventlog
clear ap join stats
clear arp
clear ap tsm
clear atf
clear avc statistics
clear client tsm
clear config
clear ext-webauth-url
clear location rfid
clear location statistics rfid
clear locp statistics
clear login-banner
clear lwapp private-config

CHAPTER 3: Clear Commands: m to z
clear mdns service-database
clear nmsp statistics
clear radius acct statistics
clear tacacs auth statistics
clear redirect-url
clear stats ap wlan
clear stats local-auth
clear stats mobility
clear stats port
clear stats radius
clear stats smart-lic
clear stats switch
clear stats tacacs
clear transfer
clear traplog
clear webimage
clear webmessage
clear webtitle

PART III: Config Commands

CHAPTER 4: Config Commands: 802.11
config 802.11-abgn
config 802.11a 11acsupport
config 802.11-a antenna extAntGain
config 802.11-a channel ap
config 802.11-a txpower ap
config 802.11 antenna diversity
config 802.11 antenna extAntGain
config 802.11 antenna mode
config 802.11 antenna selection
config 802.11b 11gSupport
config 802.11b preamble
config 802.11h channelswitch
config 802.11h powerconstraint
config 802.11h setchannel
config 802.11 11nsupport
config 802.11 11nsupport a-mpdu tx priority
config 802.11 11nsupport a-mpdu tx scheduler
config 802.11 11nsupport antenna
config 802.11 11nsupport guard-interval
config 802.11 11nsupport mcs tx
config 802.11 11nsupport rifs
config 802.11 antenna diversity
config 802.11 antenna extAntGain
config 802.11 antenna mode
config 802.11 antenna selection
config 802.11 channel
config 802.11 channel ap
config 802.11 chan_width
config 802.11 rx-sop threshold
config 802.11 txPower
config 802.11 beamforming
config 802.11h channelswitch
config 802.11h powerconstraint
config 802.11h setchannel
config 802.11h smart dfs
config 802.11 11nsupport
config 802.11 11nsupport a-mpdu tx priority
config 802.11 11nsupport a-mpdu tx scheduler
config 802.11 11nsupport antenna
config 802.11 11nsupport guard-interval
config 802.11 11nsupport mcs tx
config 802.11 11nsupport rifs
config 802.11 beacon period
config 802.11 cac defaults
config 802.11 cac video acm
config 802.11 cac video cac-method
config 802.11 cac video load-based
config 802.11 cac video max-bandwidth
config 802.11 cac media-stream
config 802.11 cac multimedia
config 802.11 cac video roam-bandwidth
config 802.11 cac video sip
config 802.11 cac video tspec-inactivity-timeout
config 802.11 cac voice acm
config 802.11 cac voice max-bandwidth
config 802.11 cac voice roam-bandwidth
config 802.11 cac voice tspec-inactivity-timeout
config 802.11 cac voice load-based
config 802.11 cac voice max-calls
config 802.11 cac voice sip bandwidth
config 802.11 cac voice sip codec
config 802.11 cac voice stream-size
config 802.11 cleanair
config 802.11 cleanair device
config 802.11 cleanair alarm
config 802.11 disable
config 802.11 dtpc
config 802.11 enable
config 802.11 exp-bwreq
config 802.11 fragmentation
config 802.11 l2roam rf-params
config 802.11 max-clients
config 802.11 media-stream multicast-direct
config 802.11 media-stream video-redirect
config 802.11 multicast data-rate
config 802.11 rate
config 802.11 rssi-check
config 802.11 rssi-threshold
config 802.11 tsm
config 802.11b preamble

CHAPTER 5: Config Commands: a to i
config aaa auth
config aaa auth mgmt
config acl apply
config acl counter
config acl create
config acl cpu
config acl delete
config acl layer2
config acl rule
config acl url-acl
config acl url-acl external-server-ip
config acl url-acl list-type
config acl url-domain
config advanced eap
config advanced hotspot
config advanced timers auth-timeout
config advanced timers eap-timeout
config advanced timers eap-identity-request-delay
config advanced 802.11 7920VSIEConfig
config advanced 802.11 edca-parameters
config advanced timers
config advanced fastpath fastcache
config advanced fastpath pkt-capture
config advanced sip-preferred-call-no
config advanced sip-snooping-ports
config advanced 802.11 packet
config advanced 802.11 profile clients
config advanced 802.11 profile customize
config advanced 802.11 profile foreign
config advanced 802.11 profile noise
config advanced 802.11 profile throughput
config advanced 802.11 profile utilization
config advanced backup-controller primary
config advanced backup-controller secondary
config advanced client-handoff
config advanced dot11-padding
config advanced assoc-limit
config advanced max-1x-sessions
config advanced rate
config advanced probe filter
config advanced probe limit
config advanced timers
config advanced 802.11 7920VSIEConfig
config advanced 802.11 channel add
config advanced 802.11 channel cleanair-event
config advanced 802.11 channel dca anchor-time
config advanced 802.11 channel dca chan-width-11n
config advanced 802.11 channel dca interval
config advanced 802.11 channel dca min-metric
config advanced 802.11 channel dca sensitivity
config advanced 802.11 channel foreign
config advanced 802.11 channel load
config advanced 802.11 channel noise
config advanced 802.11 channel outdoor-ap-dca
config advanced 802.11 channel pda-prop
config advanced 802.11 channel update
config advanced 802.11 coverage
config advanced 802.11 coverage exception global
config advanced 802.11 coverage fail-rate
config advanced 802.11 coverage level global
config advanced 802.11 coverage packet-count
config advanced 802.11 coverage rssi-threshold
config advanced 802.11 edca-parameters
config advanced 802.11 factory
config advanced 802.11 group-member
config advanced 802.11 group-mode
config advanced 802.11 logging channel
config advanced 802.11 logging coverage
config advanced 802.11 logging foreign
config advanced 802.11 logging load
config advanced 802.11 logging noise
config advanced 802.11 logging performance
config advanced 802.11 logging txpower
config advanced 802.11 monitor channel-list
config advanced 802.11 monitor coverage
config advanced 802.11 monitor load
config advanced 802.11 monitor mode
config advanced 802.11 monitor ndp-type
config advanced 802.11 monitor noise
config advanced 802.11 monitor signal
config advanced 802.11 monitor timeout-factor
config advanced 802.11 optimized roaming
config advanced 802.11 profile foreign
config advanced 802.11 profile noise
config advanced 802.11 profile throughput
config advanced 802.11 profile utilization
config advanced 802.11 receiver
config advanced 802.11 tpc-version
config advanced 802.11 tpcv1-thresh
config advanced 802.11 tpcv2-intense
config advanced 802.11 tpcv2-per-chan
config advanced 802.11 tpcv2-thresh
config advanced 802.11 txpower-update
config ap 802.1Xuser
config ap 802.1Xuser delete
config ap 802.1Xuser disable
config advanced dot11-padding
config ap
config ap atf 802.11
config ap atf 802.11 client-access airtime-allocation
config ap atf 802.11 policy
config ap autoconvert
config ap bhrate
config ap bridgegroupname
config ap bridging
config ap cdp
config ap core-dump
config ap crash-file clear-all
config ap crash-file delete
config ap crash-file get-crash-file
config ap crash-file get-radio-core-dump
config ap dhcp release-override
config ap dtls-cipher-suite
config ap dtls-version
config ap ethernet duplex
config ap ethernet tag
config ap autoconvert
config ap flexconnect central-dhcp
config ap flexconnect local-split
config ap flexconnect module-vlan
config ap flexconnect policy
config ap flexconnect radius auth set
config ap flexconnect vlan
config ap flexconnect vlan add
config ap flexconnect vlan native
config ap flexconnect vlan wlan
config ap flexconnect web-auth
config ap flexconnect web-policy acl
config ap flexconnect wlan
config ap group-name
config ap hotspot
config ap image predownload
config ap image swap
config ap led-state
config ap link-encryption
config ap link-latency
config ap location
config ap logging syslog level
config ap logging syslog facility
config ap max-count
config ap mgmtuser add
config ap mgmtuser delete
config ap mode
config ap module3g
config ap monitor-mode
config ap name
config ap packet-dump
config ap port
config ap power injector
config ap power pre-standard
config ap preferred-mode
config ap primary-base
config ap priority
config ap reporting-period
config ap reset
config ap retransmit interval
config ap retransmit count
config ap role
config ap rst-button
config ap secondary-base
config ap sniff
config ap ssh
config ap static-ip
config ap stats-timer
config ap syslog host global
config ap syslog host specific
config ap tcp-mss-adjust
config ap telnet
config ap tertiary-base
config ap tftp-downgrade
config ap username
config ap venue
config ap wlan
config atf 802.11
config atf policy
config auth-list add
config auth-list ap-policy
config auth-list delete
config avc profile create
config avc profile delete
config avc profile rule
config band-select cycle-count
config band-select cycle-threshold
config band-select expire
config band-select client-rssi
config boot
config call-home contact email address
config call-home events
config call-home http-proxy ipaddr
config call-home http-proxy ipaddr 0.0.0.0
config call-home profile
config call-home profile delete
config call-home profile status
config call-home reporting
config call-home tac-profile
config cdp
config certificate
config certificate lsc
config certificate ssc
config certificate use-device-certificate webadmin
config client ccx clear-reports
config client ccx clear-results
config client ccx default-gw-ping
config client ccx dhcp-test
config client ccx dns-ping
config client ccx dns-resolve
config client ccx get-client-capability
config client ccx get-manufacturer-info
config client ccx get-operating-parameters
config client ccx get-profiles
config client ccx log-request
config client ccx send-message
config client ccx stats-request
config client ccx test-abort
config client ccx test-association
config client ccx test-dot1x
config client ccx test-profile
config client deauthenticate
config client location-calibration
config client profiling delete
config cloud-services cmx
config cloud-services server url
config cloud-services server id-token
config coredump
config coredump ftp
config coredump username
config country
config cts
config cts ap
config cts inline-tag
config cts ap override
config cts device-id
config cts refresh
config cts sxp ap connection delete
config cts sxp ap connection peer
config cts sxp ap default password
config cts sxp ap listener
config cts sxp ap reconciliation period
config cts sxp ap retry period
config cts sxp ap speaker
config cts sxp
config cts sxp connection
config cts sxp default password
config cts sxp retry period
config cts sxp version
config cts sxp
config custom-web ext-webauth-mode
config custom-web ext-webauth-url
config custom-web ext-webserver
config custom-web logout-popup
config custom-web qrscan-bypass-opt
config custom-web radiusauth
config custom-web redirectUrl
config custom-web sleep-client
config custom-web webauth-type
config custom-web weblogo
config custom-web webmessage
config custom-web webtitle
config database size
config dhcp
config dhcp opt-82 format
config dhcp opt-82 remote-id
config dhcp proxy
config dhcp timeout
config exclusionlist
config flexconnect acl
config flexconnect acl rule
config flexconnect arp-caching
config flexconnect avc profile
config flexconnect fallback-radio-shut
config flexconnect group
config flexconnect group vlan
config flexconnect group group-name dhcp overridden-interface
config flexconnect group web-auth
config flexconnect group web-policy
config flexconnect join min-latency
config flexconnect office-extend
config flow
config guest-lan
config guest-lan custom-web ext-webauth-url
config guest-lan custom-web global disable
config guest-lan custom-web login_page
config guest-lan custom-web webauth-type
config guest-lan ingress-interface
config guest-lan interface
config guest-lan mobility anchor
config guest-lan nac
config guest-lan security
config interface 3g-vlan
config interface acl
config interface address
config interface address redundancy-management
config interface ap-manager
config interface create
config interface delete
config interface dhcp management
config interface dhcp
config interface dhcp dynamic-interface
config interface dhcp management option-6-opendns
config interface address
config interface guest-lan
config interface hostname
config interface nasid
config interface nat-address
config interface port
config interface quarantine vlan
config interface url-acl
config interface vlan
config interface group mdns-profile
config interface mdns-profile
config icons delete
config icons file-info
config ipv6 disable
config ipv6 enable
config ipv6 acl
config ipv6 capwap
config ipv6 interface
config ipv6 multicast
config ipv6 neighbor-binding
config ipv6 ns-mcast-fwd
config ipv6 ra-guard
config ipv6 route

CHAPTER 6: Config Commands: j to q
config known ap
config lag
config ldap
config local-auth active-timeout
config local-auth eap-profile
config local-auth method fast
config local-auth user-credentials
config lync-sdn
config licensing
config license boot
config load-balancing
config location
config location info rogue
config logging buffered
config logging console
config logging debug
config logging fileinfo
config logging procinfo
config logging traceinfo
config logging syslog host
config logging syslog facility
config logging syslog facility client
config logging syslog facility ap
config logging syslog level
config loginsession close
config macfilter
config macfilter description
config macfilter interface
config macfilter ip-address
config macfilter mac-delimiter
config macfilter radius-compat
config macfilter wlan-id
config mdns ap
config mdns profile
config mdns query interval
config mdns service
config mdns snooping
config mdns policy enable
config mdns policy service-group
config mdns policy service-group parameters
config mdns policy service-group user-name
config mdns policy service-group user-role
config media-stream multicast-direct
config media-stream message
config media-stream add
config media-stream admit
config media-stream deny
config media-stream delete
config memory monitor errors
config memory monitor leaks
config mesh alarm
config mesh astools
config mesh backhaul rate-adapt
config mesh backhaul slot
config mesh battery-state
config mesh client-access
config mesh ethernet-bridging allow-bpdu
config mesh ethernet-bridging vlan-transparent
config mesh full-sector-dfs
config mesh linkdata
config mesh linktest
config mesh lsc
config mesh lsc advanced
config mesh lsc advanced ap-provision
config mesh multicast
config mesh parent preferred
config mesh public-safety
config mesh radius-server
config mesh range
config mesh secondary-backhaul
config mesh security
config mesh slot-bias
config mgmtuser add
config mgmtuser delete
config mgmtuser description
config mgmtuser password
config mgmtuser telnet
config mgmtuser termination-interval
config mobility dscp
config mobility group anchor
config mobility group domain
config mobility group keepalive count
config mobility group keepalive interval
config mobility group member
config mobility group multicast-address
config mobility multicast-mode
config mobility new-architecture
config mobility oracle
config mobility secure-mode
config mobility statistics reset
config netuser add
config netuser delete
config netuser description
config network dns serverip
config netuser guest-lan-id
config netuser guest-role apply
config netuser guest-role create
config netuser guest-role delete
config netuser guest-role qos data-rate average-data-rate
config netuser guest-role qos data-rate average-realtime-rate
config netuser guest-role qos data-rate burst-data-rate
config netuser guest-role qos data-rate burst-realtime-rate
config netuser lifetime
config netuser maxUserLogin
config netuser password
config netuser wlan-id
config network client-ip-conflict-detection
config network http-proxy ip-address
config network bridging-shared-secret
config network web-auth captive-bypass
config network web-auth port
config network web-auth proxy-redirect
config network web-auth secureweb
config network webmode
config network web-auth
config network 802.3-bridging
config network allow-old-bridge-aps
config network ap-discovery
config network ap-easyadmin
config network ap-fallback
config network ap-priority
config network apple-talk
config network arptimeout
config assisted-roaming
config network bridging-shared-secret
config network broadcast
config network fast-ssid-change
config network ip-mac-binding
config network link local bridging
config network master-base
config network mgmt-via-wireless
config network multicast global
config network multicast igmp query interval
config network multicast igmp snooping
config network multicast igmp timeout
config network multicast l2mcast
config network multicast mld
config network multicast mode multicast
config network multicast mode unicast
config network oeap-600 dual-rlan-ports
config network oeap-600 local-network
config network otap-mode
config network profiling
config opendns
config opendns api-token
config opendns forced
config opendns profile
config pmipv6 domain
config pmipv6 add profile
config pmipv6 delete
config pmipv6 mag apn
config pmipv6 mag binding init-retx-time
config pmipv6 mag binding lifetime
config pmipv6 mag binding max-retx-time
config pmipv6 mag binding maximum
config pmipv6 mag binding refresh-time
config pmipv6 mag bri delay
config pmipv6 mag bri retries
config pmipv6 mag lma
config pmipv6 mag replay-protection
config port power
config policy action opendns-profile-name
config network rf-network-name
config network secureweb
config network secureweb cipher-option
config network ssh
config network telnet
config network usertimeout
config network web-auth captive-bypass
config network web-auth cmcc-support
config network web-auth port
config network web-auth proxy-redirect
config network web-auth secureweb
config network web-auth https-redirect
config network webmode
config network web-auth
config network zero-config
config network allow-old-bridge-aps
config network ap-discovery
config network ap-fallback
config network ap-priority
config network apple-talk
config network bridging-shared-secret
config network master-base
config network oeap-600 dual-rlan-ports
config network oeap-600 local-network
config network otap-mode
config network zero-config
config nmsp notify-interval measurement
config paging
config passwd-cleartext
config policy
config port adminmode
config port autoneg
config port linktrap
config port multicast appliance
config prompt
config qos average-data-rate
config qos average-realtime-rate
config qos burst-data-rate
config qos burst-realtime-rate
config qos description
config qos fastlane
config qos fastlane disable global
config qos max-rf-usage
config qos dot1p-tag
config qos priority
config qos protocol-type
config qos queue_length
config qos qosmap
config qos qosmap up-to-dscp-map
config qos qosmap dscp-to-up-exception
config qos qosmap delete-dscp-exception
config qos qosmap clear-all
config qos qosmap trust dscp upstream

CHAPTER 7: Config Commands: r to z
config radius acct
config radius acct ipsec authentication
config radius acct ipsec disable
config radius acct ipsec enable
config radius acct ipsec encryption
config radius acct ipsec ike
config radius acct mac-delimiter
config radius acct network
config radius acct realm
config radius acct retransmit-timeout
config radius auth
config radius auth callStationIdType
config radius auth framed-mtu
config radius auth IPsec authentication
config radius auth ipsec disable
config radius auth ipsec encryption
config radius auth ipsec ike
config radius auth keywrap
config radius auth mac-delimiter
config radius auth management
config radius auth mgmt-retransmit-timeout
config radius auth network
config radius auth realm
config radius auth retransmit-timeout
config radius auth rfc3576
config radius auth retransmit-timeout
config radius aggressive-failover disabled
config radius backward compatibility
config radius callStationIdCase
config radius callStationIdType
config radius dns
config radius fallback-test
config radius ext-source-ports
config radius acct retransmit-timeout
config radius auth mgmt-retransmit-timeout
config radius auth retransmit-timeout
config radius auth retransmit-timeout
config redundancy interface address peer-service-port
config redundancy mobilitymac
config redundancy mode
config redundancy peer-route
config redundancy timer keep-alive-timer
config redundancy timer peer-search-timer
config redundancy unit
config remote-lan
config remote-lan aaa-override
config remote-lan acl
config remote-lan apgroup
config remote-lan create
config remote-lan custom-web
config remote-lan delete
config remote-lan dhcp_server
config remote-lan exclusionlist
config remote-lan host-mode
config remote-lan interface
config remote-lan ldap
config remote-lan mac-filtering
config remote-lan mab
config remote-lan max-associated-clients
config remote-lan pre-auth
config remote-lan radius_server
config remote-lan security
config remote-lan session-timeout
config remote-lan violation-mode
config remote-lan webauth-exclude
config rf-profile band-select
config rf-profile client-trap-threshold
config rf-profile create
config rf-profile fra client-aware
config rf-profile data-rates
config rf-profile delete
config rf-profile description
config rf-profile load-balancing
config rf-profile max-clients
config rf-profile multicast data-rate
config rf-profile out-of-box
config rf-profile rx-sop threshold
Contents

config rf-profile tx-power-control-thresh-v1
config rf-profile tx-power-control-thresh-v2
config rf-profile tx-power-max
config rf-profile tx-power-min
config rogue ap timeout
config rogue adhoc
config rogue ap classify
config rogue ap friendly
config rogue ap rldp
config rogue ap ssid
config rogue ap timeout
config rogue auto-contain level
config rogue ap valid-client
config rogue client
config rogue containment
config rogue detection
config rogue detection client-threshold
config rogue detection min-rssi
config rogue detection monitor-ap
config rogue detection report-interval
config rogue detection security-level
config rogue detection transient-rogue-interval
config rogue rule
config rogue rule condition ap
config remote-lan session-timeout
config rfid auto-timeout
config rfid status
config rfid timeout
config rogue ap timeout
config route add
config route delete
config serial baudrate
config serial timeout
config service timestamps
config sessions maxsessions

config sessions timeout
config slot
config switchconfig boot-break
config switchconfig fips-prerequisite
config switchconfig ucapl
config switchconfig wlancc
config switchconfig strong-pwd
config switchconfig flowcontrol
config switchconfig mode
config switchconfig secret-obfuscation
config sysname
config snmp community accessmode
config snmp community create
config snmp community delete
config snmp community ipaddr
config snmp community mode
config snmp engineID
config snmp syscontact
config snmp syslocation
config snmp trapreceiver create
config snmp trapreceiver delete
config snmp trapreceiver mode
config snmp v3user create
config snmp v3user delete
config snmp version
config tacacs acct
config tacacs athr
config tacacs athr mgmt-server-timeout
config tacacs auth
config tacacs auth mgmt-server-timeout
config tacacs dns
config tacacs fallback-test interval
config time manual
config time ntp
config time timezone

config time timezone location
config trapflags 802.11-Security
config trapflags aaa
config trapflags adjchannel-rogueap
config trapflags ap
config trapflags authentication
config trapflags client
config trapflags client max-warning-threshold
config trapflags configsave
config trapflags IPsec
config trapflags linkmode
config trapflags mesh
config trapflags multiusers
config trapflags rfid
config trapflags rogueap
config trapflags rrm-params
config trapflags rrm-profile
config trapflags stpmode
config trapflags strong-pwdcheck
config trapflags wps
config tunnel eogre heart-beat
config tunnel eogre gateway
config tunnel eogre domain
config tunnel profile
config tunnel profile_rule
config tunnel profile_rule-delete
config tunnel profile eogre-DHCP82
config tunnel profile eogre-gateway-radius-proxy
config tunnel profile eogre-gateway-radius-proxy-accounting
config tunnel profile eogre-DHCP82
config tunnel profile eogre-DHCP82-circuit-id
config tunnel profile eogre-DHCP82-delimiter
config tunnel profile eogre-DHCP82-format
config tunnel profile eogre-DHCP82-remote-id
config watchlist add

config watchlist delete
config watchlist disable
config watchlist enable
config wgb vlan
config wlan
config wlan 7920-support
config wlan 802.11e
config wlan aaa-override
config wlan acl
config wlan apgroup
config wlan apgroup atf 802.11
config wlan apgroup atf 802.11 policy
config wlan apgroup opendns-profile
config wlan apgroup qinq
config wlan assisted-roaming
config wlan atf
config wlan avc
config wlan band-select allow
config wlan broadcast-ssid
config wlan call-snoop
config wlan chd
config wlan ccx aironet-ie
config wlan channel-scan defer-priority
config wlan channel-scan defer-time
config wlan custom-web
config wlan dhcp_server
config wlan diag-channel
config wlan dtim
config wlan exclusionlist
config wlan fabric
config wlan flexconnect ap-auth
config wlan flexconnect central-assoc
config wlan flexconnect learn-ipaddr
config wlan flexconnect local-switching
config wlan flexconnect vlan-central-switching

config wlan flow
config wlan hotspot
config wlan hotspot dot11u
config wlan hotspot dot11u 3gpp-info
config wlan hotspot dot11u auth-type
config wlan hotspot dot11u disable
config wlan hotspot dot11u domain
config wlan hotspot dot11u enable
config wlan hotspot dot11u hessid
config wlan hotspot dot11u ipaddr-type
config wlan hotspot dot11u nai-realm
config wlan hotspot dot11u network-type
config wlan hotspot dot11u roam-oi
config wlan hotspot hs2
config wlan hotspot hs2 domain-id
config wlan hotspot hs2 osu legacy-ssid
config wlan hotspot hs2 osu sp create
config wlan hotspot hs2 osu sp delete
config wlan hotspot hs2 osu sp icon-file add
config wlan hotspot hs2 osu sp icon-file delete
config wlan hotspot hs2 osu sp method add
config wlan hotspot hs2 osu sp method delete
config wlan hotspot hs2 osu sp nai add
config wlan hotspot hs2 osu sp nai delete
config wlan hotspot hs2 osu sp uri add
config wlan hotspot hs2 osu sp uri delete
config wlan hotspot hs2 wan-metrics downlink
config wlan hotspot hs2 wan-metrics link-status
config wlan hotspot hs2 wan-metrics lmd
config wlan hotspot hs2 wan-metrics uplink
config wlan hotspot msap
config wlan interface
config wlan ipv6 acl
config wlan kts-cac
config wlan layer2 acl

config wlan ldap
config wlan learn-ipaddr-cswlan
config wlan load-balance
config wlan lobby-admin-access
config wlan mac-filtering
config wlan max-associated-clients
config wlan max-radio-clients
config wlan mdns
config wlan media-stream
config wlan mfp
config wlan mobility anchor
config wlan mobility foreign-map
config wlan multicast buffer
config wlan multicast interface
config wlan mu-mimo
config wlan nac
config wlan override-rate-limit
config wlan opendns-mode
config wlan opendns-profile
config wlan passive-client
config wlan peer-blocking
config wlan pmipv6 default-realm
config wlan pmipv6 mobility-type
config wlan pmipv6 profile_name
config wlan policy
config wlan profiling
config wlan qos
config wlan radio
config wlan radius_server acct
config wlan radius_server acct interim-update
config wlan radius_server auth
config wlan radius_server acct interim-update
config wlan radius_server overwrite-interface
config wlan radius_server realm
config wlan roamed-voice-client re-anchor

config wlan security 802.1X
config wlan security ckip
config wlan security cond-web-redir
config wlan security eap-params
config wlan security eap-passthru
config wlan security ft
config wlan security ft over-the-ds
config wlan security IPsec disable
config wlan security IPsec enable
config wlan security IPsec authentication
config wlan security IPsec encryption
config wlan security IPsec config
config wlan security IPsec ike authentication
config wlan security IPsec ike dh-group
config wlan security IPsec ike lifetime
config wlan security IPsec ike phase1
config wlan security IPsec ike contivity
config wlan security wpa akm ft
config wlan security ft
config wlan security passthru
config wlan security pmf
config wlan security sgt
config wlan security splash-page-web-redir
config wlan security static-wep-key authentication
config wlan security static-wep-key disable
config wlan security static-wep-key enable
config wlan security static-wep-key encryption
config wlan security tkip
config wlan usertimeout
config wlan security web-auth
config wlan security web-auth captive-bypass
config wlan security web-auth qrscan-des-key
config wlan security web-passthrough acl
config wlan security web-passthrough disable
config wlan security web-passthrough email-input

config wlan security web-passthrough enable
config wlan security web-passthrough qr-scan
config wlan security wpa akm 802.1x
config wlan security wpa akm cckm
config wlan security wpa akm ft
config wlan security wpa akm pmf
config wlan security wpa akm psk
config wlan security wpa disable
config wlan security wpa enable
config wlan security wpa ciphers
config wlan security wpa gtk-random
config wlan security wpa osen disable
config wlan security wpa osen enable
config wlan security wpa wpa1 disable
config wlan security wpa wpa1 enable
config wlan security wpa wpa2 disable
config wlan security wpa wpa2 enable
config wlan security wpa wpa2 cache
config wlan security wpa wpa2 cache sticky
config wlan security wpa wpa2 ciphers
config wlan session-timeout
config wlan sip-cac disassoc-client
config wlan sip-cac send-486busy
config wlan static-ip tunneling
config wlan uapsd compliant client enable
config wlan uapsd compliant-client disable
config wlan url-acl
config wlan user-idle-threshold
config wlan usertimeout
config wlan webauth-exclude
config wlan wifidirect
config wlan wmm
config wps ap-authentication
config wps auto-immune
config wps cids-sensor

config wps client-exclusion
config wps mfp
config wps shun-list re-sync
config wps signature
config wps signature frequency
config wps signature interval
config wps signature mac-frequency
config wps signature quiet-time
config wps signature reset

PART IV Debug Commands

CHAPTER 8 Debug Commands: 802.11
debug 11k
debug 11w-pmf
debug 11v all
debug 11v detail
debug 11v error
debug 11w-pmf

CHAPTER 9 Debug Commands: a to i
debug aaa
debug aaa events
debug aaa local-auth
debug airewave-director
debug ap
debug ap enable
debug ap packet-dump
debug ap show stats
debug ap show stats video
debug arp
debug avc
debug bcast
debug call-control
debug capwap

debug capwap reap
debug ccxdiag
debug ccxrm
debug ccxs69
debug cckm
debug client
debug cts aaa
debug cts authz
debug cts capwap
debug cts env-data
debug cts ha
debug cts key-store
debug cts provisioning
debug cts sgt
debug cts sxp
debug cac
debug cdp
debug crypto
debug dhcp
debug dhcp service-port
debug disable-all
debug dns
debug dot11
debug dot11
debug dot11 mgmt interface
debug dot11 mgmt msg
debug dot11 mgmt ssid
debug dot11 mgmt state-machine
debug dot11 mgmt station
debug dot1x
debug dtls
debug fastpath
debug flexconnect avc
debug flexconnect aaa
debug flexconnect acl

debug flexconnect cckm
debug group
debug fmchs
debug flexconnect client ap
debug flexconnect client ap syslog
debug flexconnect client group
debug flexconnect client group syslog
debug flexconnect group
debug ft
debug hotspot
debug ipv6

CHAPTER 10 Debug Commands: j to q
debug l2age
debug mac
debug mdns all
debug mdns detail
debug mdns error
debug mdns message
debug mdns ha
debug memory
debug mesh security
debug mobility
debug nac
debug nmsp
debug ntp
debug packet error
debug packet logging
debug pem
debug pm
debug poe
debug policy
debug profiling

CHAPTER 11 Debug Commands: r to z

debug rbcp
debug rfid
debug snmp
debug transfer
debug voice-diag
debug wcp
debug web-auth
debug wips
debug wps sig
debug wps mfp

PART V IMM Commands

CHAPTER 12 IMM Commands
imm address
imm dhcp
imm mode
imm restart
imm summary
imm username

PART VI License Commands

CHAPTER 13 License Commands
license activate ap-count eval
license activate feature
license add ap-count
license add feature
license clear
license comment
license deactivate ap-count eval
license deactivate feature
license delete ap-count
license delete feature
license install

license modify priority
license revoke
license save
license smart

PART VII Show Commands

CHAPTER 14 Show Commands: 802.11
show 802.11
show 802.11
show 802.11 cleanair
show 802.11 cleanair air-quality summary
show 802.11 cleanair air-quality worst
show 802.11 cleanair device ap
show 802.11 cleanair device type
show 802.11 cu-metrics
show 802.11 extended
show 802.11 media-stream

CHAPTER 15 Show Commands: a to i
show aaa auth
show acl
show acl detailed
show acl url-acl detailed
show acl summary
show acl url-acl summary
show advanced 802.11 channel
show advanced 802.11 coverage
show advanced 802.11 group
show advanced 802.11 l2roam
show advanced 802.11 logging
show advanced 802.11 monitor
show advanced 802.11 optimized roaming
show advanced 802.11 profile
show advanced 802.11 receiver

show advanced 802.11 summary
show advanced 802.11 txpower
show advanced backup-controller
show advanced dot11-padding
show advanced hotspot
show advanced max-1x-sessions
show advanced probe
show advanced rate
show advanced timers
show advanced client-handoff
show advanced eap
show advanced send-disassoc-on-handoff
show advanced sip-preferred-call-no
show advanced sip-snooping-ports
show arp kernel
show arp switch
show ap auto-rf
show ap ccx rm
show ap cdp
show ap channel
show ap config
show ap config general
show ap config global
show ap core-dump
show ap crash-file
show ap data-plane
show ap dtls-cipher-suite
show ap ethernet tag
show ap eventlog
show ap flexconnect
show ap image
show ap inventory
show ap join stats detailed
show ap join stats summary
show ap join stats summary all

show ap led-state
show ap led-flash
show ap link-encryption
show ap max-count summary
show ap monitor-mode summary
show ap module summary
show ap packet-dump status
show ap prefer-mode stats
show ap retransmit
show ap stats
show ap summary
show ap tcp-mss-adjust
show ap wlan
show assisted-roaming
show atf config
show atf statistics ap
show auth-list
show avc applications
show avc profile
show avc statistics application
show avc statistics client
show avc statistics guest-lan
show avc statistics remote-lan
show avc statistics top-apps
show avc statistics wlan
show boot
show band-select
show buffers
show cac voice stats
show cac voice summary
show cac video stats
show cac video summary
show call-control ap
show call-control client
show call-home summary

show capwap reap association
show capwap reap status
show cdp
show certificate compatibility
show certificate lsc
show certificate ssc
show certificate summary
show client ap
show client calls
show client ccx client-capability
show client ccx frame-data
show client ccx last-response-status
show client ccx last-test-status
show client ccx log-response
show client ccx manufacturer-info
show client ccx operating-parameters
show client ccx profiles
show client ccx results
show client ccx rm
show client ccx stats-report
show client detail
show client location-calibration summary
show client roam-history
show client summary
show client summary guest-lan
show client tsm
show client username
show client voice-diag
show client detail
show client location-calibration summary
show client probing
show client roam-history
show client summary
show client wlan
show cloud-services cmx summary

show cloud-services cmx statistics
show cts ap
show cts environment-data
show cts pacs
show cts policy
show cts sgacl
show cts summary
show cts sxp
show coredump summary
show country
show country channels
show country supported
show cpu
show custom-web
show database summary
show dhcp
show dhcp proxy
show dhcp timeout
show dtls connections
show exclusionlist
show flexconnect acl detailed
show flexconnect acl summary
show flexconnect group detail
show flexconnect group summary
show flexconnect office-extend
show flow exporter
show flow monitor summary
show guest-lan
show icons summary
show ike
show interface summary
show interface detailed
show interface group
show invalid-config
show inventory

show IPsec
show ipv6 acl
show ipv6 summary
show guest-lan
show icons file-info
show ipv6 acl
show ipv6 acl cpu
show ipv6 acl detailed
show ipv6 neighbor-binding
show ipv6 ra-guard
show ipv6 route summary
show ipv6 summary
show known ap

CHAPTER 16 Show Commands: j to q
show l2tp
show lag eth-port-hash
show lag ip-port-hash
show lag summary
show ldap
show ldap statistics
show ldap summary
show license all
show license capacity
show license detail
show license expiring
show license evaluation
show license feature
show license file
show license handle
show license image-level
show license in-use
show license permanent
show license status
show license statistics

show license summary
show license udi
show license usage
show load-balancing
show local-auth config
show local-auth statistics
show local-auth certificates
show logging
show logging last-reset
show logging flags
show loginsession
show macfilter
show mdns ap summary
show mdns domain-name-ip summary
show mdns profile
show mdns service
show media-stream client
show media-stream group detail
show media-stream group summary
show mesh ap
show mesh astools stats
show mesh backhaul
show mesh bgscan
show mesh cac
show mesh client-access
show mesh config
show mesh env
show mesh neigh
show mesh path
show mesh per-stats
show mesh public-safety
show mesh queue-stats
show mesh security-stats
show mesh stats
show mgmtuser

show mobility anchor
show mobility ap-list
show mobility foreign-map
show mobility group member
show mobility oracle
show mobility statistics
show mobility summary
show msglog
show nac statistics
show nac summary
show network
show network summary
show netuser
show netuser guest-roles
show network multicast mgid detail
show network multicast mgid summary
show network summary
show nmsp notify-interval summary
show nmsp status
show nmsp statistics
show nmsp subscription
show nmsp subscription summary
show ntp-keys
show ntp-keys
show opendns summary
show policy
show port
show profiling policy summary
show qos
show qos qosmap
show queue-info
show pmk-cache
show pmipv6 domain
show pmipv6 mag bindings
show pmipv6 mag globals

show pmipv6 mag stats
show pmipv6 profile summary

CHAPTER 17 Show Commands: r to z
show radius acct detailed
show radius acct statistics
show radius auth detailed
show radius auth statistics
show radius avp-list
show radius summary
show redundancy interfaces
show redundancy latency
show redundancy mobilitymac
show redundancy peer-route summary
show redundancy statistics
show redundancy summary
show redundancy timers
show remote-lan
show reset
show rfid client
show rfid config
show rfid detail
show rfid summary
show rf-profile summary
show rf-profile details
show rogue adhoc custom summary
show rogue adhoc detailed
show rogue adhoc friendly summary
show rogue adhoc malicious summary
show rogue adhoc unclassified summary
show rogue adhoc summary
show rogue ap clients
show rogue ap custom summary
show rogue ap detailed
show rogue ap friendly summary

show rogue ap malicious summary
show rogue ap summary
show rogue ap unclassified summary
show rogue auto-contain
show rogue client detailed
show rogue client summary
show rogue ignore-list
show rogue rule detailed
show rogue rule summary
show route kernel
show route summary
show rules
show run-config
show run-config startup-commands
show serial
show sessions
show snmpcommunity
show snmpengineID
show snmptrap
show snmpv3user
show snmpversion
show spanningtree port
show spanningtree switch
show stats port
show stats switch
show switchconfig
show sysinfo
show tacacs acct statistics
show tacacs athr statistics
show tacacs auth statistics
show tacacs summary
show tech-support
show time
show trapflags
show traplog

show tunnel profile-summary
show tunnel profile-detail
show tunnel eogre-summary
show tunnel eogre-statistics
show tunnel eogre-domain-summary
show tunnel eogre gateway
show watchlist
show wlan
show wps ap-authentication summary
show wps cids-sensor
show wps mfp
show wps shun-list
show wps signature detail
show wps signature events
show wps signature summary
show wps summary
show wps wips statistics
show wps wips summary
show wps ap-authentication summary

PART VIII Miscellaneous Commands

CHAPTER 18 Miscellaneous Commands: 1
cping
eping
mping
ping

CHAPTER 19 Miscellaneous Commands: 2
capwap ap controller ip address
config ap dhcp release-override
capwap ap dot1x
capwap ap hostname
capwap ap ip address
capwap ap ip default-gateway

capwap ap log-server
capwap ap primary-base
capwap ap primed-timer
capwap ap secondary-base
capwap ap tertiary-base
lwapp ap controller ip address
reset system at
reset system in
reset system cancel
reset system notify-time
reset peer-system
save config
transfer download certpasswor
transfer download datatype
transfer download datatype icon
transfer download filename
transfer download mode
transfer download password
transfer download path
transfer download port
transfer download serverip
transfer download start
transfer download tftpPktTimeout
transfer download tftpMaxRetries
transfer download username
transfer encrypt
transfer upload datatype
transfer upload filename
transfer upload mode
transfer upload pac
transfer upload password
transfer upload path
transfer upload peer-start
transfer upload port
transfer upload serverip

transfer upload start
transfer upload username

Preface

This preface describes the audience, organization, and conventions of the Cisco Wireless LAN Controller Command Reference Guide. It also provides information on how to obtain other documentation. This chapter includes the following sections:

Audience

Document Conventions

Related Documentation

Obtaining Documentation and Submitting a Service Request

Audience

This publication is for experienced network administrators who configure and maintain Cisco wireless controllers (Cisco WLCs) and Cisco lightweight access points (Cisco APs).

Note

Usage of test commands may cause system disruption such as unexpected reboot of the Cisco WLC. Therefore, we recommend that you use the test commands on Cisco WLCs for debugging purposes with the help of Cisco Technical Assistance Center (TAC) personnel.

Document Conventions

This document uses the following conventions:

Convention: Indication

bold font: Commands and keywords and user-entered text appear in bold font.

italic font: Document titles, new or emphasized terms, and arguments for which you supply values are in italic font.

[ ]: Elements in square brackets are optional.

{x | y | z }: Required alternative keywords are grouped in braces and separated by vertical bars.

[ x | y | z ]: Optional alternative keywords are grouped in brackets and separated by vertical bars.

string: A nonquoted set of characters. Do not use quotation marks around the string or the string will include the quotation marks.

courier font: Terminal sessions and information the system displays appear in courier font.

<>: Nonprinting characters such as passwords are in angle brackets.

[]: Default responses to system prompts are in square brackets.

!, #: An exclamation point (!) or a pound sign (#) at the beginning of a line of code indicates a comment line.

Note

Means reader take note. Notes contain helpful suggestions or references to material not covered in the manual.

Tip

Means the following information will help you solve a problem.

Caution

Means reader be careful. In this situation, you might perform an action that could result in equipment damage or loss of data.

Warning

This warning symbol means danger. You are in a situation that could cause bodily injury. Before you work on any equipment, be aware of the hazards involved with electrical circuitry and be familiar with standard practices for preventing accidents. (To see translations of the warnings that appear in this publication, refer to the appendix "Translated Safety Warnings.")

Warning Title

Waarschuwing

Description

Dit waarschuwingssymbool betekent gevaar. U verkeert in een situatie die lichamelijk letsel kan veroorzaken. Voordat u aan enige apparatuur gaat werken, dient u zich bewust te zijn van de bij elektrische schakelingen betrokken risico's en dient u op de hoogte te zijn van standaard maatregelen om ongelukken te voorkomen. (Voor vertalingen van de waarschuwingen die in deze publicatie verschijnen, kunt u het aanhangsel "Translated Safety Warnings" (Vertalingen van veiligheidsvoorschriften) raadplegen.)

lii

Cisco Wireless Controller Command Reference, Release 8.4

Preface

Document Conventions

| Warning Title | Description |
| --- | --- |
| Varoitus | This warning symbol means danger. You are in a situation that could lead to bodily injury. Before you work on any equipment, find out about the hazards involved with electrical circuitry and the customary ways of preventing accidents. (You can find translations of the warnings that appear in this publication in the appendix "Translated Safety Warnings.") |
| Attention | This warning symbol indicates danger. You are in a situation that could result in injury. Before accessing this equipment, be aware of the dangers posed by electrical circuits and familiarize yourself with standard accident-prevention procedures. For translations of the warnings in this publication, see the appendix titled "Translated Safety Warnings." |
| Warnung | This warning symbol means danger. You are in a situation that could lead to bodily injury. Before you begin working on any equipment, be aware of the hazards associated with electrical circuits and of the standard practices for preventing accidents. (Translations of the warnings contained in this publication can be found in the appendix titled "Translated Safety Warnings.") |
| Avvertenza | This warning symbol indicates a danger. You are in a situation that can cause injury. Before working on any equipment, you need to know the hazards of electrical circuits and be familiar with standard practices for preventing accidents. The translation of the warnings in this publication is found in the appendix "Translated Safety Warnings." |
| Advarsel | This warning symbol means danger. You are in a situation that can lead to personal injury. Before you perform work on equipment, you must be aware of the hazards that electrical circuits involve and be familiar with common practice for avoiding accidents. (To see translations of the warnings found in this publication, see the appendix "Translated Safety Warnings.") |
| Aviso | This warning symbol indicates danger. You are in a situation that could cause you physical harm. Before you start working with any equipment, familiarize yourself with the hazards related to electrical circuits and with any common practices that can prevent possible accidents. (To see the translations of the warnings in this publication, refer to the appendix "Translated Safety Warnings.") |
| ¡Advertencia! | This warning symbol means danger. There is a risk to your physical safety. Before handling any equipment, consider the risks posed by electrical current and become familiar with standard accident-prevention procedures. (To see translations of the warnings that appear in this publication, refer to the appendix titled "Translated Safety Warnings.") |


| Warning Title | Description |
| --- | --- |
| Varning | This warning symbol signals danger. You are in a situation that could lead to personal injury. Before you perform work on any equipment, you must be aware of the hazards of electrical circuits and know the usual procedures for preventing injuries. (See explanations of the warnings that appear in this publication in the appendix "Translated Safety Warnings.") |

Related Documentation

These documents provide complete information about the Cisco Unified Wireless Network solution:

Cisco Wireless LAN Controller Configuration Guide

Cisco Wireless LAN Controller System Message Guide

Release Notes for Cisco Wireless LAN Controllers and Lightweight Access Points

Obtaining Documentation and Submitting a Service Request

For information about obtaining documentation, submitting a service request, and gathering additional information, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at: http://www.cisco.com/c/en/us/td/docs/general/whatsnew/whatsnew.html

Subscribe to the What's New in Cisco Product Documentation as an RSS feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service. Cisco currently supports RSS Version 2.0.

PART I

Using the Command-Line Interface

Using the Command-Line Interface

This chapter contains the following topics:

CLI Command Keyboard Shortcuts

Using the Interactive Help Feature

CLI Command Keyboard Shortcuts

The table below lists the CLI keyboard shortcuts to help you enter and edit command lines on the controller.

Table 1: CLI Command Keyboard Shortcuts

| Action | Description | Keyboard Shortcut |
| --- | --- | --- |
| Change | The word at the cursor to lowercase. | Esc I |
| | The word at the cursor to uppercase. | Esc u |
| Delete | A character to the left of the cursor. | Ctrl-h, Delete, or Backspace |
| | All characters from the cursor to the beginning of the line. | Ctrl-u |
| | All characters from the cursor to the end of the line. | Ctrl-k |
| | All characters from the cursor to the end of the word. | Esc d |
| | The word to the left of the cursor. | Ctrl-w or Esc Backspace |
| Display MORE output | Exit from MORE output. | q, Q, or Ctrl-C |
| | Next additional screen. The default is one screen. To display more than one screen, enter a number before pressing the Spacebar key. | Spacebar |
| | Next line. The default is one line. To display more than one line, enter the number before pressing the Enter key. | Enter |
| Enter or Return key character. | | Ctrl-m |
| Expand the command or abbreviation. | | Ctrl-t or Tab |
| Move the cursor | One character to the left (back). | Ctrl-b or Left Arrow |
| | One character to the right (forward). | Ctrl-f or Right Arrow |
| | One word to the left (back), to the beginning of the current or previous word. | Esc b |
| | One word to the right (forward), to the end of the current or next word. | Esc f |
| | To the beginning of the line. | Ctrl-a |
| | To the end of the line. | Ctrl-e |
| Redraw the screen at the prompt. | | Ctrl-l or Ctrl-r |
| Return to the EXEC mode from any configuration mode | | Ctrl-z |
| Return to the previous mode or exit from the CLI from Exec mode. | | exit command |
| Transpose a character at the cursor with a character to the left of the cursor. | | Ctrl-t |

Using the Interactive Help Feature

The question mark (?) character lets you get the following types of help about a command at the command line. The table below lists the interactive help features.

Table 2: Interactive Help Feature List

| Command | Description |
| --- | --- |
| help | Provides a brief description of the Help feature in any command mode. |
| ? at the command prompt | Lists all commands available for a particular command mode. |
| partial command? | Provides a list of commands that begin with the character string. |
| partial command<Tab> | Completes a partial command name. |
| command ? | Lists the keywords, arguments, or both associated with a command. |
| command keyword ? | Lists the arguments that are associated with the keyword. |

Using the help Command

Before You Begin

To look up keyboard commands, use the help command at the root level.

help

Help may be requested at any point in a command by entering a question mark ‘?’. If nothing matches, the help list will be empty and you must back up until entering a ‘?’ shows the available options. Two types of help are available:

1. Full help is available when you are ready to enter a command argument (for example show ?) and describes each possible argument.

2. Partial help is provided when an abbreviated argument is entered and you want to know what arguments match the input (for example show pr?).

Example:

> help
HELP:
Special keys:
DEL, BS... delete previous character
Ctrl-A .... go to beginning of line
Ctrl-E .... go to end of line
Ctrl-F .... go forward one character
Ctrl-B .... go backward one character
Ctrl-D .... delete current character
Ctrl-U, X. delete to beginning of line
Ctrl-K .... delete to end of line
Ctrl-W .... delete previous word
Ctrl-T .... transpose previous character
Ctrl-P .... go to previous line in history buffer
Ctrl-N .... go to next line in history buffer
Ctrl-Z .... return to root command prompt
Tab, <SPACE> command-line completion
Exit .... go to next lower command prompt
? .... list choices

Using the ? command

Before You Begin

To display all of the commands in your current level of the command tree, or to display more information about a particular command, use the ? command.

command name ?

When you enter a command information request, put a space between the command name and ?.

Examples

This command shows you all the commands and levels available from the root level.

> ?
clear      Clear selected configuration elements.
config     Configure switch options and settings.
debug      Manages system debug options.
help       Help
linktest   Perform a link test to a specified MAC address.
logout     Exit this session. Any unsaved changes are lost.
ping       Send ICMP echo packets to a specified IP address.
reset      Reset options.
save       Save switch configurations.
show       Display switch options and settings.
transfer   Transfer a file to or from the switch.

Using the partial? command

Before You Begin

To list the commands that begin with a given character string, use the partial command?.

partial command?

There should be no space between the command and the question mark.

This example shows how to list the commands that begin with the character string “ad”:

> controller> config>ad?

The command that matches the string “ad” is as follows:

advanced

Using the partial command<tab>

Before You Begin

To complete a partial command name, use the partial command<tab> command.

partial command<tab>

There should be no space between the command and <tab>.

This example shows how to complete a partial command name that begins with the character string “cert”:

Controller >config>cert<tab>
certificate


Using the command ?

Examples

To list the keywords, arguments, or both associated with the command, use the command ?.

command-name ?

There should be a space between the command and the question mark.

This example shows how to list the arguments and keywords for the command acl:

Controller >config acl ?

Information similar to the following appears:

apply     Applies the ACL to the data path.
counter   Start/Stop the ACL Counters.
create    Create a new ACL.
delete    Delete an ACL.
rule      Configure rules in the ACL.
cpu       Configure the CPU ACL Information

command keyword ?

To list the arguments that are associated with the keyword, use the command keyword ?:

command keyword ?

There should be a space between the keyword and the question mark.

This example shows how to display the arguments associated with the keyword cpu:

Controller >config acl cpu ?

Information similar to the following appears:

none      None - Disable the CPU ACL
<name>    <name> - Name of the CPU ACL

PART II

Clear Commands

Clear Commands: a to l
Clear Commands: m to z

Clear Commands: a to l

clear advanced
clear acl counters
clear ap config
clear ap eventlog
clear ap join stats
clear arp
clear ap tsm
clear atf
clear avc statistics
clear client tsm
clear config
clear ext-webauth-url
clear location rfid
clear location statistics rfid
clear locp statistics
clear login-banner
clear lwapp private-config

clear advanced

To reset edca-parameters, packet parameters, or optimized roaming statistics to their default values, use the clear advanced command.

clear advanced {802.11a | 802.11b} {optimized-roaming stats | packet | edca-parameter}

Syntax Description

802.11a                   Specifies the 802.11a network.
802.11b                   Specifies the 802.11b network.
optimized-roaming stats   Clear the 802.11a optimized roaming statistics.
packet                    Clear the 802.11a packet parameters configuration.
edca-parameter            Clear the 802.11a edca-parameter configuration.

Command Default

None

Examples

The following example shows how to reset edca-parameter values to default:

(Cisco Controller) > clear advanced 802.11a optimized-roaming stats
(Cisco Controller) > clear advanced 802.11a packet
(Cisco Controller) > clear advanced 802.11a edca-parameter

clear acl counters

To clear the current counters for an Access Control List (ACL), use the clear acl counters command.

clear acl counters acl_name

Syntax Description

acl_name   ACL name.

Command Default

None

Command History

| Release | Modification |
| --- | --- |
| 7.6 | This command was introduced in a release earlier than Release 7.6. |

Usage Guidelines

ACL counters are available only on the following controllers: Cisco 4400 Series Controller, Cisco WiSM, and Catalyst 3750G Integrated Wireless LAN Controller Switch.

Examples

The following example shows how to clear the current counters for acl1:

(Cisco Controller) > clear acl counters acl1

Related Commands

config acl counter
show acl

clear ap config

To clear (reset to the default values) a lightweight access point’s configuration settings, use the clear ap config command.

clear ap config ap_name

Syntax Description

ap_name   Access point name.

Command Default

None

Command History

| Release | Modification |
| --- | --- |
| 7.6 | This command was introduced in a release earlier than Release 7.6. |

Usage Guidelines

Entering this command does not clear the static IP address of the access point.

Examples

The following example shows how to clear the access point’s configuration settings for the access point named ap1240_322115:

(Cisco Controller) > clear ap config ap1240_322115
Clear ap-config will clear ap config and reboot the AP. Are you sure you want continue? (y/n)

clear ap eventlog

To delete the existing event log and create an empty event log file for a specific access point or for all access points joined to the controller, use the clear ap eventlog command.

clear ap eventlog {specific ap_name | all}

Syntax Description

specific   Specifies a specific access point log file.
ap_name    Name of the access point for which the event log file is emptied.
all        Deletes the event log for all access points joined to the controller.

Command Default

None

Command History

| Release | Modification |
| --- | --- |
| 7.6 | This command was introduced in a release earlier than Release 7.6. |

Examples

The following example shows how to delete the event log for all access points:

(Cisco Controller) > clear ap eventlog all
This will clear event log contents for all APs. Do you want continue? (y/n) :y
All AP event log contents have been successfully cleared.

clear ap join stats

To clear the join statistics for all access points or for a specific access point, use the clear ap join stats command.

clear ap join stats {all | ap_mac}

Syntax Description

all      Specifies all access points.
ap_mac   Access point MAC address.

Command Default

None

Command History

| Release | Modification |
| --- | --- |
| 7.6 | This command was introduced in a release earlier than Release 7.6. |

Examples

The following example shows how to clear the join statistics of all the access points:

(Cisco Controller) > clear ap join stats all

clear arp

To clear the Address Resolution Protocol (ARP) table, use the clear arp command.

clear arp

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

| Release | Modification |
| --- | --- |
| 7.6 | This command was introduced in a release earlier than Release 7.6. |

Examples

The following example shows how to clear the ARP table:

(Cisco Controller) > clear arp
Are you sure you want to clear the ARP cache? (y/n)

Related Commands

clear transfer
clear download datatype
clear download filename
clear download mode
clear download serverip
clear download start
clear upload datatype
clear upload filename
clear upload mode
clear upload path
clear upload serverip
clear upload start
clear stats port

clear ap tsm

To clear the Traffic Stream Metrics (TSM) statistics of clients associated to an access point, use the clear ap tsm command.

clear ap tsm {802.11a | 802.11b} cisco_ap all

Syntax Description

802.11a    Clears 802.11a TSM statistics of clients associated to an access point.
802.11b    Clears 802.11b TSM statistics of clients associated to an access point.
cisco_ap   Cisco lightweight access point.
all        Clears TSM statistics of clients associated to the access point.

Command Default

None

Command History

| Release | Modification |
| --- | --- |
| 7.6 | This command was introduced in a release earlier than Release 7.6. |

Examples

The following example shows how to clear 802.11a TSM statistics for all clients of an access point:

(Cisco Controller) > clear ap tsm 802.11a AP3600_1 all

clear atf

To clear Cisco Airtime Fairness configuration or statistics, use the clear atf command.

clear atf {config | statistics}

Syntax Description

config       Clears Cisco ATF configuration
statistics   Clears Cisco ATF statistics

Command History

| Release | Modification |
| --- | --- |
| 8.1 | This command was introduced |

Examples

The following is a sample output of the clear atf config command:

(Cisco Controller) > clear atf config

clear avc statistics

To clear Application Visibility and Control (AVC) statistics of a client, guest LAN, remote LAN, or a WLAN use the clear avc statistics command.

clear avc statistics {client {all | client-mac} | guest-lan {all | guest-lan-id} | remote-lan {all | remote-lan-id} | wlan {all | wlan-id}}

Syntax Description

client          Clears AVC statistics of a client.
all             Clears AVC statistics of all clients.
client-mac      MAC address of a client.
guest-lan       Clears AVC statistics of a guest LAN.
all             Clears AVC statistics of all guest LANs.
guest-lan-id    Guest LAN Identifier between 1 and 5.
remote-lan      Clears AVC statistics of a remote LAN.
all             Clears AVC statistics of all remote LANs.
remote-lan-id   Remote LAN Identifier between 1 and 512.
wlan            Clears AVC statistics of a WLAN.
all             Clears AVC statistics of all WLANs.
wlan-id         WLAN Identifier between 1 and 512.

Command Default

None

Command History

| Release | Modification |
| --- | --- |
| 7.6 | This command was introduced in a release earlier than Release 7.6. |

Examples

The following example shows how to clear the AVC statistics of a client:

(Cisco Controller) > clear avc statistics client 00:21:1b:ea:36:60

Related Commands

config avc profile create
config avc profile delete
config avc profile rule
config wlan avc
show avc profile
show avc applications
show avc statistics
debug avc error
debug avc events

clear client tsm

To clear the Traffic Stream Metrics (TSM) statistics for a particular access point or all the access points to which this client is associated, use the clear client tsm command.

clear client tsm {802.11a | 802.11b} client_mac {ap_mac | all}

Syntax Description

802.11a      Specifies the 802.11a network.
802.11b      Specifies the 802.11b network.
client_mac   MAC address of the client.
ap_mac       MAC address of a Cisco lightweight access point.
all          Specifies all access points.

Command Default

None

Command History

| Release | Modification |
| --- | --- |
| 7.6 | This command was introduced in a release earlier than Release 7.6. |

Examples

The following example shows how to clear the TSM for the MAC address 00:40:96:a8:f7:98:

(Cisco Controller) > clear client tsm 802.11a 00:40:96:a8:f7:98 all

Related Commands

clear upload start

clear config

To reset configuration data to factory defaults, use the clear config command.

clear config

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

| Release | Modification |
| --- | --- |
| 7.6 | This command was introduced in a release earlier than Release 7.6. |

Examples

The following example shows how to reset the configuration data to factory defaults:

(Cisco Controller) > clear config
Are you sure you want to clear the configuration? (y/n) n
Configuration not cleared!

Related Commands

clear transfer
clear download datatype
clear download filename
clear download mode
clear download serverip
clear download start
clear upload datatype
clear upload filename
clear upload mode
clear upload path
clear upload serverip
clear upload start
clear stats port
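Several clear commands in this part delete logs, reset configuration, or zero counters, and some ask for a (y/n) confirmation first. The following added example (not part of the Cisco reference) reviews a captured CLI session for those commands and records whether each was confirmed or declined. The prompt format, command syntax and confirmation lines follow the examples on this page; the category labels, status names, function names and the sample transcript are assumptions constructed for illustration, and only full command spellings are matched.

```python
import re

# Prompt as printed in this reference: "(Cisco Controller) >" followed by the command.
PROMPT = re.compile(r"^\(Cisco Controller\)\s*>\s*(?P<cmd>.*?)\s*$")
# Confirmation lines end in "(y/n)", optionally followed by ":" and the operator's answer.
CONFIRM = re.compile(r"\(y/n\)\s*:?\s*(?P<ans>[yYnN])?\s*$")

# Command syntax taken from this page; category labels are hypothetical.
RULES = [
    (re.compile(r"^clear ap eventlog (all|specific \S+)$"), "log-deletion"),
    (re.compile(r"^clear config$"), "factory-reset"),
    (re.compile(r"^clear ap config \S+$"), "ap-reset"),
    (re.compile(r"^clear login-banner$"), "banner-removal"),
    (re.compile(r"^clear acl counters \S+$"), "counter-reset"),
    (re.compile(r"^clear stats radius (auth|acct) (\d+|all)$"), "counter-reset"),
]


def classify(command):
    """Return the category of a full-spelling clear command, or None."""
    normalized = " ".join(command.split())
    for pattern, category in RULES:
        if pattern.match(normalized):
            return category
    return None


def review_session(lines):
    """Scan transcript lines and return one finding per matched command.

    status is "issued" (no confirmation prompt seen), "confirmed" (answered y),
    "declined" (answered n) or "unanswered" (prompt shown, no answer captured).
    """
    findings = []
    current = None
    for number, raw in enumerate(lines, start=1):
        line = raw.rstrip("\r\n")
        prompt = PROMPT.match(line)
        if prompt:
            current = None  # a new prompt ends the previous command's output
            category = classify(prompt.group("cmd"))
            if category:
                current = {
                    "line": number,
                    "command": " ".join(prompt.group("cmd").split()),
                    "category": category,
                    "status": "issued",
                }
                findings.append(current)
            continue
        confirm = CONFIRM.search(line)
        if current and confirm:
            answer = confirm.group("ans")
            if answer is None:
                current["status"] = "unanswered"
            elif answer.lower() == "y":
                current["status"] = "confirmed"
            else:
                current["status"] = "declined"
    return findings


# Constructed sample transcript, assembled from the example outputs on this page.
SAMPLE_SESSION = """\
(Cisco Controller) >clear stats port 9
(Cisco Controller) >clear config
Are you sure you want to clear the configuration? (y/n) n
Configuration not cleared!
(Cisco Controller) >clear ap eventlog all
This will clear event log contents for all APs. Do you want continue? (y/n) :y
All AP event log contents have been successfully cleared.
(Cisco Controller) >clear acl counters acl1
(Cisco Controller) >clear ap config ap1240_322115
Clear ap-config will clear ap config and reboot the AP. Are you sure you want continue? (y/n)
"""

if __name__ == "__main__":
    for finding in review_session(SAMPLE_SESSION.splitlines()):
        print(finding["line"], finding["category"], finding["status"], finding["command"])
```

A declined clear config leaves the configuration in place, so the status field separates an attempted reset from one that took effect.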

clear ext-webauth-url

To clear the external web authentication URL, use the clear ext-webauth-url command.

clear ext-webauth-url

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

| Release | Modification |
| --- | --- |
| 7.6 | This command was introduced in a release earlier than Release 7.6. |

Examples

The following example shows how to clear the external web authentication URL:

(Cisco Controller) > clear ext-webauth-url
URL cleared.

Related Commands

clear transfer
clear download datatype
clear download filename
clear download mode
clear download serverip
clear download start
clear upload datatype
clear upload filename
clear upload mode
clear upload path
clear upload serverip
clear upload start
clear stats port

clear location rfid

To clear a specific Radio Frequency Identification (RFID) tag or all of the RFID tags in the entire database, use the clear location rfid command.

clear location rfid {mac_address | all}

Syntax Description

mac_address   MAC address of a specific RFID tag.
all           Specifies all the RFID tags in the database.

Command Default

None

Command History

| Release | Modification |
| --- | --- |
| 7.6 | This command was introduced in a release earlier than Release 7.6. |

Examples

The following example shows how to clear all the RFID tags in the database:

(Cisco Controller) > clear location rfid all

Related Commands

clear location statistics rfid
config location
show location
show location statistics rfid

clear location statistics rfid

To clear Radio Frequency Identification (RFID) statistics, use the clear location statistics rfid command.

clear location statistics rfid

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

| Release | Modification |
| --- | --- |
| 7.6 | This command was introduced in a release earlier than Release 7.6. |

Examples

The following example shows how to clear RFID statistics:

(Cisco Controller) > clear location statistics rfid

Related Commands

config location
show location
show location statistics rfid

clear locp statistics

To clear the Location Protocol (LOCP) statistics, use the clear locp statistics command.

clear locp statistics

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

| Release | Modification |
| --- | --- |
| 7.6 | This command was introduced in a release earlier than Release 7.6. |

Examples

The following example shows how to clear the statistics related to LOCP:

(Cisco Controller) > clear locp statistics

Related Commands

clear nmsp statistics
config nmsp notify-interval measurement
show nmsp notify-interval summary
show nmsp statistics
show nmsp status

clear login-banner

To remove the login banner file from the controller, use the clear login-banner command.

clear login-banner

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

| Release | Modification |
| --- | --- |
| 7.6 | This command was introduced in a release earlier than Release 7.6. |

Examples

The following example shows how to clear the login banner file:

(Cisco Controller) > clear login-banner

Related Commands

transfer download datatype

clear lwapp private-config

To clear (reset to default values) an access point’s current Lightweight Access Point Protocol (LWAPP) private configuration, which contains static IP addressing and controller IP address configurations, use the clear lwapp private-config command.

clear lwapp private-config

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

| Release | Modification |
| --- | --- |
| 7.6 | This command was introduced in a release earlier than Release 7.6. |

Usage Guidelines

Enter the command on the access point console port.

Prior to changing the FlexConnect configuration on an access point using the access point’s console port, the access point must be in standalone mode (not connected to a Cisco WLC) and you must remove the current LWAPP private configuration by using the clear lwapp private-config command.

Note

The access point must be running Cisco Access Point IOS Release 12.3(11)JX1 or later releases.

Examples

The following example shows how to clear an access point’s current LWAPP private configuration:

ap_console > clear lwapp private-config
removing the reap config file flash:/lwapp_reap.cfg

Clear Commands: m to z

clear mdns service-database
clear nmsp statistics
clear radius acct statistics
clear tacacs auth statistics
clear redirect-url
clear stats ap wlan
clear stats local-auth
clear stats mobility
clear stats port
clear stats radius
clear stats smart-lic
clear stats switch
clear stats tacacs
clear transfer
clear traplog
clear webimage
clear webmessage
clear webtitle

clear mdns service-database

To clear the multicast DNS service database, use the clear mdns service-database command.

clear mdns service-database {all | service-name}

Syntax Description

all            Clears the mDNS service database.
service-name   Name of the mDNS service. The Cisco WLC clears the details of the mDNS service.

Command Default

None

Command History

| Release | Modification |
| --- | --- |
| 7.6 | This command was introduced in a release earlier than Release 7.6. |

Usage Guidelines

The Cisco WLC snoops and learns about the mDNS service advertisements only if the service is available in the Master Services database.

Examples

The following example shows how to clear the mDNS service database:

(Cisco Controller) > clear mdns service-database all

Related Commands

config mdns query interval
config mdns service
config mdns snooping
config interface mdns-profile
config interface group mdns-profile
config wlan mdns
show mdns profile
show mdns service
config mdns profile
debug mdns all
debug mdns error
debug mdns detail
debug mdns message

clear nmsp statistics

To clear the Network Mobility Services Protocol (NMSP) statistics, use the clear nmsp statistics command.

clear nmsp statistics

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

| Release | Modification |
| --- | --- |
| 7.6 | This command was introduced in a release earlier than Release 7.6. |

Examples

The following example shows how to delete the NMSP statistics log file:

(Cisco Controller) > clear nmsp statistics

Related Commands

clear locp statistics
config nmsp notify-interval measurement
show nmsp notify-interval summary
show nmsp status

clear radius acct statistics

To clear the RADIUS accounting statistics on the controller, use the clear radius acct statistics command.

clear radius acct statistics [index | all]

Syntax Description

index   (Optional) Specifies the index of the RADIUS accounting server.
all     (Optional) Specifies all RADIUS accounting servers.

Command Default

None

Command History

| Release | Modification |
| --- | --- |
| 7.6 | This command was introduced in a release earlier than Release 7.6. |

Examples

The following example shows how to clear the RADIUS accounting statistics:

(Cisco Controller) > clear radius acc statistics

Related Commands

show radius acct statistics

clear tacacs auth statistics

To clear the RADIUS authentication server statistics in the controller, use the clear tacacs auth statistics command.

clear tacacs auth statistics [index | all]

Syntax Description

index   (Optional) Specifies the index of the RADIUS authentication server.
all     (Optional) Specifies all RADIUS authentication servers.

Command Default

None

Command History

| Release | Modification |
| --- | --- |
| 7.6 | This command was introduced in a release earlier than Release 7.6. |

Examples

The following example shows how to clear the RADIUS authentication server statistics:

(Cisco Controller) > clear tacacs auth statistics

Related Commands

show tacacs auth statistics
show tacacs summary
config tacacs auth

clear redirect-url

To clear the custom web authentication redirect URL on the Cisco Wireless LAN Controller, use the clear redirect-url command.

clear redirect-url

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

| Release | Modification |
| --- | --- |
| 7.6 | This command was introduced in a release earlier than Release 7.6. |

Examples

The following example shows how to clear the custom web authentication redirect URL:

(Cisco Controller) > clear redirect-url
URL cleared.

Related Commands

clear transfer
clear download datatype
clear download filename
clear download mode
clear download path
clear download start
clear upload datatype
clear upload filename
clear upload mode
clear upload path
clear upload serverip
clear upload start

clear stats ap wlan

To clear the WLAN statistics, use the clear stats ap wlan command.

clear stats ap wlan cisco_ap

Syntax Description

cisco_ap   Selected configuration elements.

Command Default

None

Command History

| Release | Modification |
| --- | --- |
| 7.6 | This command was introduced in a release earlier than Release 7.6. |

Examples

The following example shows how to clear the WLAN configuration elements of the access point cisco_ap:

(Cisco Controller) > clear stats ap wlan cisco_ap
WLAN statistics cleared.

clear stats local-auth

To clear the local Extensible Authentication Protocol (EAP) statistics, use the clear stats local-auth command.

clear stats local-auth

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

| Release | Modification |
| --- | --- |
| 7.6 | This command was introduced in a release earlier than Release 7.6. |

Examples

The following example shows how to clear the local EAP statistics:

(Cisco Controller) > clear stats local-auth
Local EAP Authentication Stats Cleared.

Related Commands

config local-auth active-timeout
config local-auth eap-profile
config local-auth method fast
config local-auth user-credentials
debug aaa local-auth
show local-auth certificates
show local-auth config
show local-auth statistics

clear stats mobility

To clear mobility manager statistics, use the clear stats mobility command.

clear stats mobility

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

| Release | Modification |
| --- | --- |
| 7.6 | This command was introduced in a release earlier than Release 7.6. |

Examples

The following example shows how to clear mobility manager statistics:

(Cisco Controller) > clear stats mobility
Mobility stats cleared.


clear stats port

To clear statistics counters for a specific port, use the clear stats port command.

clear stats port port

Syntax Description

port    Physical interface port number.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to clear the statistics counters for port 9:

(Cisco Controller) > clear stats port 9

Related Commands

clear transfer
clear download datatype
clear download filename
clear download mode
clear download serverip
clear download start
clear upload datatype
clear upload filename
clear upload mode
clear upload path
clear upload serverip
clear upload start
clear stats port


clear stats radius

To clear the statistics for one or more RADIUS servers, use the clear stats radius command.

clear stats radius {auth | acct} {index | all}

Syntax Description

auth     Clears statistics regarding authentication.
acct     Clears statistics regarding accounting.
index    Specifies the index number of the RADIUS server to be cleared.
all      Clears statistics for all RADIUS servers.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to clear the statistics for all RADIUS authentication servers:

(Cisco Controller) > clear stats radius auth all

Related Commands

clear transfer
clear download datatype
clear download filename
clear download mode
clear download serverip
clear download start
clear upload datatype
clear upload filename
clear upload mode
clear upload path
clear upload serverip


clear upload start
clear stats port
clear stats radius


clear stats smart-lic

To clear all the Cisco Smart Software statistics, use the clear stats smart-lic command.

clear stats smart-lic

Command History

Release    Modification
8.2        This command was introduced.

Examples

The following example shows how to clear smart licensing statistics:

(Cisco Controller) > clear stats smart-lic
Initiated Smart Licensing statistics clear


clear stats switch

To clear all switch statistics counters on a Cisco wireless LAN controller, use the clear stats switch command.

clear stats switch

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to clear all switch statistics counters:

(Cisco Controller) > clear stats switch

Related Commands

clear transfer
clear download datatype
clear download filename
clear download mode
clear download path
clear download start
clear upload datatype
clear upload filename
clear upload mode
clear upload path
clear upload serverip
clear upload start


clear stats tacacs

To clear the TACACS+ server statistics on the controller, use the clear stats tacacs command.

clear stats tacacs [auth | athr | acct] [index | all]

Syntax Description

auth     (Optional) Clears the TACACS+ authentication server statistics.
athr     (Optional) Clears the TACACS+ authorization server statistics.
acct     (Optional) Clears the TACACS+ accounting server statistics.
index    (Optional) Specifies index of the TACACS+ server.
all      (Optional) Specifies all TACACS+ servers.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to clear the TACACS+ accounting server statistics for index 1:

(Cisco Controller) > clear stats tacacs acct 1

Related Commands

show tacacs summary


clear transfer

To clear the transfer information, use the clear transfer command.

clear transfer

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to clear the transfer information:

(Cisco Controller) > clear transfer
Are you sure you want to clear the transfer information? (y/n) y
Transfer Information Cleared.

Related Commands

transfer upload datatype
transfer upload pac
transfer upload password
transfer upload port
transfer upload path
transfer upload username
transfer upload serverip
transfer upload start


clear traplog

To clear the trap log, use the clear traplog command.

clear traplog

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to clear the trap log:

(Cisco Controller) > clear traplog
Are you sure you want to clear the trap log? (y/n) y
Trap Log Cleared.

Related Commands

clear transfer
clear download datatype
clear download filename
clear download mode
clear download path
clear download serverip
clear download start
clear upload filename
clear upload mode
clear upload path
clear upload serverip
clear upload start


clear webimage

To clear the custom web authentication image, use the clear webimage command.

clear webimage

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to clear the custom web authentication image:

(Cisco Controller) > clear webimage

Related Commands

clear transfer
clear download datatype
clear download filename
clear download mode
clear download path
clear download serverip
clear download start
clear upload filename
clear upload mode
clear upload path
clear upload serverip
clear upload start


clear webmessage

To clear the custom web authentication message, use the clear webmessage command.

clear webmessage

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to clear the custom web authentication message:

(Cisco Controller) > clear webmessage
Message cleared.

Related Commands

clear transfer
clear download datatype
clear download filename
clear download mode
clear download path
clear download serverip
clear download start
clear upload filename
clear upload mode
clear upload path
clear upload serverip
clear upload start


clear webtitle

To clear the custom web authentication title, use the clear webtitle command.

clear webtitle

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to clear the custom web authentication title:

(Cisco Controller) > clear webtitle
Title cleared.

Related Commands

clear transfer
clear download datatype
clear download filename
clear download mode
clear download path
clear download serverip
clear download start
clear upload filename
clear upload mode
clear upload path
clear upload serverip
clear upload start


PART III

Config Commands

Config Commands: 802.11
Config Commands: a to i
Config Commands: j to q
Config Commands: r to z

Config Commands: 802.11

config 802.11-abgn
config 802.11a 11acsupport
config 802.11-a antenna extAntGain
config 802.11-a channel ap
config 802.11-a txpower ap
config 802.11 antenna diversity
config 802.11 antenna extAntGain
config 802.11 antenna mode
config 802.11 antenna selection
config 802.11b 11gSupport
config 802.11b preamble
config 802.11h channelswitch
config 802.11h powerconstraint
config 802.11h setchannel
config 802.11 11nsupport
config 802.11 11nsupport a-mpdu tx priority
config 802.11 11nsupport a-mpdu tx scheduler
config 802.11 11nsupport antenna
config 802.11 11nsupport guard-interval
config 802.11 11nsupport mcs tx
config 802.11 11nsupport rifs
config 802.11 antenna diversity
config 802.11 antenna extAntGain
config 802.11 antenna mode


config 802.11 antenna selection
config 802.11 channel
config 802.11 channel ap
config 802.11 chan_width
config 802.11 rx-sop threshold
config 802.11 txPower
config 802.11 beamforming
config 802.11h channelswitch
config 802.11h powerconstraint
config 802.11h setchannel
config 802.11h smart dfs
config 802.11 11nsupport
config 802.11 11nsupport a-mpdu tx priority
config 802.11 11nsupport a-mpdu tx scheduler
config 802.11 11nsupport antenna
config 802.11 11nsupport guard-interval
config 802.11 11nsupport mcs tx
config 802.11 11nsupport rifs
config 802.11 beacon period
config 802.11 cac defaults
config 802.11 cac video acm
config 802.11 cac video cac-method
config 802.11 cac video load-based
config 802.11 cac video max-bandwidth
config 802.11 cac media-stream
config 802.11 cac multimedia
config 802.11 cac video roam-bandwidth
config 802.11 cac video sip
config 802.11 cac video tspec-inactivity-timeout
config 802.11 cac voice acm
config 802.11 cac voice max-bandwidth
config 802.11 cac voice roam-bandwidth
config 802.11 cac voice tspec-inactivity-timeout


config 802.11 cac voice load-based
config 802.11 cac voice max-calls
config 802.11 cac voice sip bandwidth
config 802.11 cac voice sip codec
config 802.11 cac voice stream-size
config 802.11 cleanair
config 802.11 cleanair device
config 802.11 cleanair alarm
config 802.11 disable
config 802.11 dtpc
config 802.11 enable
config 802.11 exp-bwreq
config 802.11 fragmentation
config 802.11 l2roam rf-params
config 802.11 max-clients
config 802.11 media-stream multicast-direct
config 802.11 media-stream video-redirect
config 802.11 multicast data-rate
config 802.11 rate
config 802.11 rssi-check
config 802.11 rssi-threshold
config 802.11 tsm
config 802.11b preamble


config 802.11-abgn

To configure dual-band radio parameters on an access point, use the config 802.11-abgn command.

config 802.11-abgn {cleanair {enable | disable} {cisco_ap band band} | {enable | disable} {cisco_ap}}

Syntax Description

cleanair    Configures CleanAir on the dual-band radio.
enable      Enables CleanAir for both 2.4-GHz and 5-GHz radios.
disable     Disables CleanAir for both 2.4-GHz and 5-GHz radios.
cisco_ap    Name of the access point to which the command applies.
band        Configures the radio band.
band        Radio band that can be 2.4-GHz or 5-GHz.
enable      Enables the dual-band radio on an access point.
disable     Disables the dual-band radio on an access point.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

Only Cisco CleanAir-enabled access point radios can be configured for Cisco CleanAir.

Examples

The following example shows how to enable Cisco CleanAir on an access point:

(Cisco Controller) > config 802.11-abgn cleanair enable AP3600 band 5


config 802.11a 11acsupport

To configure 802.11ac 5-GHz parameters, use the config 802.11a 11acsupport command.

config 802.11a 11acsupport {enable | disable | mcs tx mcs_index ss spatial_stream {enable | disable}}

Syntax Description

enable            Enables 802.11ac 5-GHz mode.
disable           Disables 802.11ac 5-GHz mode.
mcs tx            Configures 802.11ac 5-GHz Modulation and Coding Scheme (MCS) rates at which data can be transmitted between the access point and the client.
tx                Configures 802.11ac 5-GHz MCS transmit rates.
mcs_index         MCS index value of 8 or 9. MCS data rates with index 8 or 9 are specific to 802.11ac. When you enable an MCS data rate with index 9, the data rate with MCS index 8 is automatically enabled.
ss                Configures the 802.11ac 5-GHz MCS spatial stream (SS).
spatial_stream    Spatial stream within which you can enable or disable an MCS data rate. Signals transmitted by the various antennae are multiplexed by using different spaces within the same spectral channel. These spaces are known as spatial streams. Three spatial streams are available within which you can enable or disable an MCS rate. The range is from 1 to 3.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

Disabling the 802.11n/ac mode applies only to access radios. Backhaul radios always have 802.11n/ac mode enabled if they are 802.11n capable.

Examples

The following example shows how to configure the MCS index for spatial stream 3:

(Cisco Controller) > config 802.11a 11acsupport mcs tx 9 ss 3


config 802.11-a antenna extAntGain

To configure the external antenna gain for the 4.9-GHz and 5.8-GHz public safety channels on an access point, use the config 802.11-a antenna extAntGain commands.

config {802.11-a49 | 802.11-a58} antenna extAntGain ant_gain cisco_ap {global | channel_no}

Syntax Description

802.11-a49    Specifies the 4.9-GHz public safety channel.
802.11-a58    Specifies the 5.8-GHz public safety channel.
ant_gain      Value in .5-dBi units (for instance, 2.5 dBi = 5).
cisco_ap      Name of the access point to which the command applies.
global        Specifies the antenna gain value to all channels.
channel_no    Antenna gain value for a specific channel.

Command Default

Channel properties are disabled.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

Before you enter the config 802.11-a antenna extAntGain command, disable the 802.11 Cisco radio with the config 802.11-a disable command.

After you configure the external antenna gain, use the config 802.11-a enable command to reenable the 802.11 Cisco radio.

Examples

The following example shows how to configure an 802.11-a49 external antenna gain of 10 dBi for AP1:

(Cisco Controller) > config 802.11-a antenna extAntGain 10 AP1


config 802.11-a channel ap

To configure the channel properties for the 4.9-GHz and 5.8-GHz public safety channels on an access point, use the config 802.11-a channel ap command.

config {802.11-a49 | 802.11-a58} channel ap cisco_ap {global | channel_no}

Syntax Description

802.11-a49    Specifies the 4.9-GHz public safety channel.
802.11-a58    Specifies the 5.8-GHz public safety channel.
cisco_ap      Name of the access point to which the command applies.
global        Enables the Dynamic Channel Assignment (DCA) on all 4.9-GHz and 5.8-GHz subband radios.
channel_no    Custom channel for a specific mesh access point. The range is 1 through 26, inclusive, for a 4.9-GHz band and 149 through 165, inclusive, for a 5.8-GHz band.

Command Default

Channel properties are disabled.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to set the channel properties:

(Cisco Controller) > config 802.11-a channel ap


config 802.11-a txpower ap

To configure the transmission power properties for the 4.9-GHz and 5.8-GHz public safety channels on an access point, use the config 802.11-a txpower ap command.

config {802.11-a49 | 802.11-a58} txpower ap cisco_ap {global | power_level}

Syntax Description

802.11-a49     Specifies the 4.9-GHz public safety channel.
802.11-a58     Specifies the 5.8-GHz public safety channel.
txpower        Configures transmission power properties.
ap             Configures access point channel settings.
cisco_ap       Name of the access point to which the command applies.
global         Applies the transmission power value to all channels.
power_level    Transmission power value to the designated mesh access point. The range is from 1 to 5.

Command Default

The default transmission power properties for the 4.9-GHz and 5.8-GHz public safety channels on an access point are disabled.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure an 802.11-a49 transmission power level of 4 for AP1:

(Cisco Controller) > config 802.11-a txpower ap 4 AP1


config 802.11 antenna diversity

To configure the diversity option for 802.11 antennas, use the config 802.11 antenna diversity command.

config 802.11{a | b} antenna diversity {enable | sideA | sideB} cisco_ap

Syntax Description

a           Specifies the 802.11a network.
b           Specifies the 802.11b/g network.
enable      Enables the diversity.
sideA       Specifies the diversity between the internal antennas and an external antenna connected to the Cisco lightweight access point left port.
sideB       Specifies the diversity between the internal antennas and an external antenna connected to the Cisco lightweight access point right port.
cisco_ap    Cisco lightweight access point name.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable antenna diversity for AP01 on an 802.11b network:

(Cisco Controller) > config 802.11a antenna diversity enable AP01

The following example shows how to enable diversity for AP01 on an 802.11a network, using an external antenna connected to the Cisco lightweight access point left port (sideA):

(Cisco Controller) > config 802.11a antenna diversity sideA AP01


config 802.11 antenna extAntGain

To configure external antenna gain for an 802.11 network, use the config 802.11 antenna extAntGain command.

config 802.11{a | b} antenna extAntGain antenna_gain cisco_ap

Syntax Description

a               Specifies the 802.11a network.
b               Specifies the 802.11b/g network.
antenna_gain    Antenna gain in 0.5 dBm units (for example, 2.5 dBm = 5).
cisco_ap        Cisco lightweight access point name.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

Before you enter the config 802.11 antenna extAntGain command, disable the 802.11 Cisco radio with the config 802.11 disable command.

After you configure the external antenna gain, use the config 802.11 enable command to enable the 802.11 Cisco radio.

Examples

The following example shows how to configure an 802.11a external antenna gain of 0.5 dBm for AP1:

(Cisco Controller) > config 802.11 antenna extAntGain 1 AP1


config 802.11 antenna mode

To configure the Cisco lightweight access point to use one internal antenna for an 802.11 sectorized 180-degree coverage pattern or both internal antennas for an 802.11 360-degree omnidirectional pattern, use the config 802.11 antenna mode command.

config 802.11{a | b} antenna mode {omni | sectorA | sectorB} cisco_ap

Syntax Description

a           Specifies the 802.11a network.
b           Specifies the 802.11b/g network.
omni        Specifies to use both internal antennas.
sectorA     Specifies to use only the side A internal antenna.
sectorB     Specifies to use only the side B internal antenna.
cisco_ap    Cisco lightweight access point name.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure access point AP01 antennas for a 360-degree omnidirectional pattern on an 802.11b network:

(Cisco Controller) > config 802.11 antenna mode omni AP01


config 802.11 antenna selection

To select the internal or external antenna for a Cisco lightweight access point on an 802.11 network, use the config 802.11 antenna selection command.

config 802.11{a | b} antenna selection {internal | external} cisco_ap

Syntax Description

a           Specifies the 802.11a network.
b           Specifies the 802.11b/g network.
internal    Specifies the internal antenna.
external    Specifies the external antenna.
cisco_ap    Cisco lightweight access point name.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure access point AP02 on an 802.11b network to use the internal antenna:

(Cisco Controller) > config 802.11a antenna selection internal AP02


config 802.11b 11gSupport

To enable or disable the Cisco wireless LAN solution 802.11g network, use the config 802.11b 11gSupport command.

config 802.11b 11gSupport {enable | disable}

Syntax Description

enable     Enables the 802.11g network.
disable    Disables the 802.11g network.

Command Default

The default network for Cisco wireless LAN solution 802.11g is enabled.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

Before you enter the config 802.11b 11gSupport {enable | disable} command, disable the 802.11 Cisco radio with the config 802.11 disable command.

After you configure the support for the 802.11g network, use the config 802.11 enable command to enable the 802.11 radio.

Note

To disable an 802.11a, 802.11b and/or 802.11g network for an individual wireless LAN, use the config wlan radio command.

Examples

The following example shows how to enable the 802.11g network:

(Cisco Controller) > config 802.11b 11gSupport enable
Changing the 11gSupport will cause all the APs to reboot when you enable 802.11b network.
Are you sure you want to continue? (y/n) n
11gSupport not changed!


config 802.11b preamble

To change the 802.11b preamble as defined in subclause 18.2.2.2 to long (slower, but more reliable) or short (faster, but less reliable), use the config 802.11b preamble command.

config 802.11b preamble {long | short}

Syntax Description

long     Specifies the long 802.11b preamble.
short    Specifies the short 802.11b preamble.

Command Default

The default 802.11b preamble value is short.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

Note

You must reboot the Cisco Wireless LAN Controller (reset system) with save to implement this command.

This parameter must be set to long to optimize this Cisco wireless LAN controller for some clients, including SpectraLink NetLink telephones.

This command can be used any time that the CLI interface is active.

Examples

The following example shows how to change the 802.11b preamble to short:

(Cisco Controller) > config 802.11b preamble short
(Cisco Controller) >(reset system with save)


config 802.11h channelswitch

To configure an 802.11h channel switch announcement, use the config 802.11h channelswitch command.

config 802.11h channelswitch {enable {loud | quiet} | disable}

Syntax Description

enable     Enables the 802.11h channel switch announcement.
disable    Disables the 802.11h channel switch announcement.

Command Default

None

Command History

Release    Modification
7.6        • This command was introduced in a release earlier than Release 7.6.
           • The loud and quiet parameters were introduced.

Examples

The following example shows how to disable an 802.11h switch announcement:

(Cisco Controller) > config 802.11h channelswitch disable


config 802.11h powerconstraint

To configure the 802.11h power constraint value, use the config 802.11h powerconstraint command.

config 802.11h powerconstraint value

Syntax Description

value    802.11h power constraint value.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the 802.11h power constraint to 5:

(Cisco Controller) > config 802.11h powerconstraint 5


config 802.11h setchannel

To configure a new channel using 802.11h channel announcement, use the config 802.11h setchannel command.

config 802.11h setchannel cisco_ap

Syntax Description

cisco_ap    Cisco lightweight access point name.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure a new channel using the 802.11h channel:

(Cisco Controller) > config 802.11h setchannel ap02


config 802.11 11nsupport

To enable 802.11n support on the network, use the config 802.11 11nsupport command.

config 802.11{a | b} 11nsupport {enable | disable}

Syntax Description

a          Specifies the 802.11a network settings.
b          Specifies the 802.11b/g network settings.
enable     Enables the 802.11n support.
disable    Disables the 802.11n support.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable the 802.11n support on an 802.11a network:

(Cisco Controller) > config 802.11a 11nsupport enable


config 802.11 11nsupport a-mpdu tx priority

To specify the aggregation method used for 802.11n packets, use the config 802.11 11nsupport a-mpdu tx priority command.

config 802.11{a | b} 11nsupport a-mpdu tx priority {0-7 | all} {enable | disable}

Syntax Description

a          Specifies the 802.11a network.
b          Specifies the 802.11b/g network.
0-7        Specifies the aggregated MAC protocol data unit priority level between 0 through 7.
all        Configures all of the priority levels at once.
enable     Specifies that the traffic associated with the priority level uses A-MPDU transmission.
disable    Specifies that the traffic associated with the priority level uses A-MSDU transmission.

Command Default

Priority 0 is enabled.

Usage Guidelines

Aggregation is the process of grouping packet data frames together rather than transmitting them separately.

Two aggregation methods are available: Aggregated MAC Protocol Data Unit (A-MPDU) and Aggregated MAC Service Data Unit (A-MSDU). A-MPDU is performed in the software whereas A-MSDU is performed in the hardware.

Aggregated MAC Protocol Data Unit priority levels assigned per traffic type are as follows:

• 1—Background
• 2—Spare
• 0—Best effort
• 3—Excellent effort
• 4—Controlled load
• 5—Video, less than 100-ms latency and jitter
• 6—Voice, less than 10-ms latency and jitter
• 7—Network control
• all—Configure all of the priority levels at once.


Note

Configure the priority levels to match the aggregation method used by the clients.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure all the priority levels at once so that the traffic associated with the priority level uses A-MSDU transmission:

(Cisco Controller) > config 802.11a 11nsupport a-mpdu tx priority all enable


config 802.11 11nsupport a-mpdu tx scheduler

To configure the 802.11n-5 GHz A-MPDU transmit aggregation scheduler, use the config 802.11 11nsupport a-mpdu tx scheduler command.

config 802.11{a | b} 11nsupport a-mpdu tx scheduler {enable | disable | timeout rt timeout-value}

Syntax Description

enable           Enables the 802.11n-5 GHz A-MPDU transmit aggregation scheduler.
disable          Disables the 802.11n-5 GHz A-MPDU transmit aggregation scheduler.
timeout rt       Configures the A-MPDU transmit aggregation scheduler realtime traffic timeout.
timeout-value    Timeout value in milliseconds. The valid range is from 1 millisecond to 1000 milliseconds.

Command Default

None

Usage Guidelines

Ensure that the 802.11 network is disabled before you enter this command.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the A-MPDU transmit aggregation scheduler realtime traffic timeout of 100 milliseconds:

(Cisco Controller) > config 802.11 11nsupport a-mpdu tx scheduler timeout rt 100


config 802.11 11nsupport antenna config 802.11 11nsupport antenna

To configure an access point to use a specific antenna, use the config 802.11 11nsupport antenna command.

config 802.11{a | b} 11nsupport antenna cisco_ap {A | B | C | D} {enable | disable}

Syntax Description a b

cisco_ap

A/B/C/D enable disable

Specifies the 802.11a/n network.

Specifies the 802.11b/g/n network.

Access point.

Specifies an antenna port.

Enables the configuration.

Disables the configuration.

Command Default

None

Command History

Release  Modification
7.6      This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure transmission to a single antenna for legacy orthogonal frequency-division multiplexing:

(Cisco Controller) > config 802.11 11nsupport antenna AP1 C enable


config 802.11 11nsupport guard-interval

To configure the guard interval, use the config 802.11 11nsupport guard-interval command.

config 802.11{a | b} 11nsupport guard-interval {any | long}

Syntax Description

any   Enables either a short or a long guard interval.
long  Enables only a long guard interval.

Command Default

None

Command History

Release  Modification
7.6      This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure a long guard interval:

(Cisco Controller) > config 802.11 11nsupport guard-interval long


config 802.11 11nsupport mcs tx

To specify the modulation and coding scheme (MCS) rates at which data can be transmitted between the access point and the client, use the config 802.11 11nsupport mcs tx command.

config 802.11{a | b} 11nsupport mcs tx {0-15} {enable | disable}

Syntax Description

a           Specifies the 802.11a network.
b           Specifies the 802.11b/g network.
11nsupport  Specifies support for 802.11n devices.
mcs tx      Specifies the modulation and coding scheme data rates as follows:
            • 0 (7 Mbps)
            • 1 (14 Mbps)
            • 2 (21 Mbps)
            • 3 (29 Mbps)
            • 4 (43 Mbps)
            • 5 (58 Mbps)
            • 6 (65 Mbps)
            • 7 (72 Mbps)
            • 8 (14 Mbps)
            • 9 (29 Mbps)
            • 10 (43 Mbps)
            • 11 (58 Mbps)
            • 12 (87 Mbps)
            • 13 (116 Mbps)
            • 14 (130 Mbps)
            • 15 (144 Mbps)
enable      Enables this configuration.
disable     Disables this configuration.

Command Default

None


Command History

Release  Modification
7.6      This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to specify MCS rates:

(Cisco Controller) > config 802.11a 11nsupport mcs tx 5 enable


config 802.11 11nsupport rifs

To configure the Reduced Interframe Space (RIFS) between data frames and their acknowledgment, use the config 802.11 11nsupport rifs command.

config 802.11{a | b} 11nsupport rifs {enable | disable}

Syntax Description

enable   Enables RIFS for the 802.11 network.
disable  Disables RIFS for the 802.11 network.

Command Default

None

Command History

Release  Modification
7.6      This command was introduced in a release earlier than Release 7.6.

Examples

This example shows how to enable RIFS:

(Cisco Controller) > config 802.11a 11nsupport rifs enable


config 802.11 antenna diversity

To configure the diversity option for 802.11 antennas, use the config 802.11 antenna diversity command.

config 802.11{a | b} antenna diversity {enable | sideA | sideB} cisco_ap

Syntax Description

a         Specifies the 802.11a network.
b         Specifies the 802.11b/g network.
enable    Enables the diversity.
sideA     Specifies the diversity between the internal antennas and an external antenna connected to the Cisco lightweight access point left port.
sideB     Specifies the diversity between the internal antennas and an external antenna connected to the Cisco lightweight access point right port.
cisco_ap  Cisco lightweight access point name.

Command Default

None

Command History

Release  Modification
7.6      This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable antenna diversity for AP01 on an 802.11b network:

(Cisco Controller) > config 802.11a antenna diversity enable AP01

The following example shows how to enable diversity for AP01 on an 802.11a network, using an external antenna connected to the Cisco lightweight access point left port (sideA):

(Cisco Controller) > config 802.11a antenna diversity sideA AP01


config 802.11 antenna extAntGain

To configure external antenna gain for an 802.11 network, use the config 802.11 antenna extAntGain command.

config 802.11{a | b} antenna extAntGain antenna_gain cisco_ap

Syntax Description

a             Specifies the 802.11a network.
b             Specifies the 802.11b/g network.
antenna_gain  Antenna gain in 0.5 dBm units (for example, 2.5 dBm = 5).
cisco_ap      Cisco lightweight access point name.

Command Default

None

Command History

Release  Modification
7.6      This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

Before you enter the config 802.11 antenna extAntGain command, disable the 802.11 Cisco radio with the config 802.11 disable command.

After you configure the external antenna gain, use the config 802.11 enable command to enable the 802.11 Cisco radio.

Examples

The following example shows how to configure an 802.11a external antenna gain of 0.5 dBm for AP1:

(Cisco Controller) > config 802.11a antenna extAntGain 1 AP1


config 802.11 antenna mode

To configure the Cisco lightweight access point to use one internal antenna for an 802.11 sectorized 180-degree coverage pattern or both internal antennas for an 802.11 360-degree omnidirectional pattern, use the config 802.11 antenna mode command.

config 802.11{a | b} antenna mode {omni | sectorA | sectorB} cisco_ap

Syntax Description

a         Specifies the 802.11a network.
b         Specifies the 802.11b/g network.
omni      Specifies to use both internal antennas.
sectorA   Specifies to use only the side A internal antenna.
sectorB   Specifies to use only the side B internal antenna.
cisco_ap  Cisco lightweight access point name.

Command Default

None

Command History

Release  Modification
7.6      This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure access point AP01 antennas for a 360-degree omnidirectional pattern on an 802.11b network:

(Cisco Controller) > config 802.11b antenna mode omni AP01


config 802.11 antenna selection

To select the internal or external antenna for a Cisco lightweight access point on an 802.11 network, use the config 802.11 antenna selection command.

config 802.11{a | b} antenna selection {internal | external} cisco_ap

Syntax Description

a         Specifies the 802.11a network.
b         Specifies the 802.11b/g network.
internal  Specifies the internal antenna.
external  Specifies the external antenna.
cisco_ap  Cisco lightweight access point name.

Command Default

None

Command History

Release  Modification
7.6      This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure access point AP02 on an 802.11b network to use the internal antenna:

(Cisco Controller) > config 802.11a antenna selection internal AP02


config 802.11 channel

To configure an 802.11 network or a single access point for automatic or manual channel selection, use the config 802.11 channel command.

config 802.11{a | b} channel {global [auto | once | off | restart]} | ap {ap_name [global | channel]}

Syntax Description

a        Specifies the 802.11a network.
b        Specifies the 802.11b/g network.
global   Specifies the 802.11a operating channel that is automatically set by RRM and overrides the existing configuration setting.
auto     (Optional) Specifies that the channel is automatically set by Radio Resource Management (RRM) for the 802.11a radio.
once     (Optional) Specifies that the channel is automatically set once by RRM.
off      (Optional) Specifies that the automatic channel selection by RRM is disabled.
restart  (Optional) Restarts the aggressive DCA cycle.
ap_name  Access point name.
channel  Manual channel number to be used by the access point. The supported channels depend on the specific access point used and the regulatory region.

Command Default

None

Command History

Release  Modification
7.6      This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

When configuring 802.11 channels for a single lightweight access point, enter the config 802.11 disable command to disable the 802.11 network. Enter the config 802.11 channel command to set automatic channel selection by Radio Resource Management (RRM) or manually set the channel for the 802.11 radio, and enter the config 802.11 enable command to enable the 802.11 network.


Note

See the Channels and Maximum Power Settings for Cisco Aironet Lightweight Access Points document for the channels supported by your access point. The power levels and available channels are defined by the country code setting and are regulated on a country-by-country basis.

Examples

The following example shows how to have RRM automatically configure the 802.11a channels based on availability and interference:

(Cisco Controller) > config 802.11a channel global auto

The following example shows how to configure the 802.11b channels one time based on availability and interference:

(Cisco Controller) > config 802.11b channel global once

The following example shows how to turn 802.11a automatic channel configuration off:

(Cisco Controller) > config 802.11a channel global off

The following example shows how to configure the 802.11b channels in access point AP01 for automatic channel configuration:

(Cisco Controller) > config 802.11b channel ap AP01 global

The following example shows how to configure the 802.11a channel 36 in access point AP01 as the default channel:

(Cisco Controller) > config 802.11a channel ap AP01 36


config 802.11 channel ap

To set the operating radio channel for an access point, use the config 802.11 channel ap command.

config 802.11{a | b} channel ap cisco_ap {global | channel_no}

Syntax Description

a           Specifies the 802.11a network.
b           Specifies the 802.11b/g network.
cisco_ap    Name of the Cisco access point.
global      Enables auto-RF on the designated access point.
channel_no  Default channel from 1 to 26, inclusive.

Command Default

None

Command History

Release  Modification
7.6      This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable auto-RF for access point AP01 on an 802.11b network:

(Cisco Controller) > config 802.11b channel ap AP01 global


config 802.11 chan_width

To configure the channel width for a particular access point, use the config 802.11 chan_width command.

config 802.11{a | b} chan_width cisco_ap {20 | 40 | 80 | 160 | best}

Syntax Description

a         Configures the 802.11a radio on slot 1 and 802.11ac radio on slot 2.
b         Specifies the 802.11b/g radio.
cisco_ap  Access point.
20        Allows the radio to communicate using only 20-MHz channels. Choose this option for legacy 802.11a radios, 20-MHz 802.11n radios, or 40-MHz 802.11n radios that you want to operate using only 20-MHz channels.
40        Allows 40-MHz 802.11n radios to communicate using two adjacent 20-MHz channels bonded together.
80        Allows 80-MHz 802.11ac radios to communicate using two adjacent 40-MHz channels bonded together.
160       Allows 160-MHz 802.11ac radios to communicate.
best      In this mode, the device selects the optimum bandwidth channel.

Command Default

The default channel width is 20.

Command History

Release  Modification
7.6      This command was introduced in a release earlier than Release 7.6.
8.3      This command was enhanced in this release with the inclusion of 160 MHz and best channel bandwidth modes.

Usage Guidelines

This parameter can be configured only if the primary channel is statically assigned.


Caution

We recommend that you do not configure 40-MHz channels in the 2.4-GHz radio band because severe co-channel interference can occur.

Statically configuring an access point’s radio for 20-MHz or 40-MHz mode overrides the globally configured DCA channel width setting (configured by using the config advanced 802.11 channel dca chan-width command). If you change the static configuration back to global on the access point radio, the global DCA configuration overrides the channel width configuration that the access point was previously using.

Examples

The following example shows how to configure the channel width for access point AP01 on an 802.11 network using 40-MHz channels:

(Cisco Controller) > config 802.11a chan_width AP01 40


config 802.11 rx-sop threshold

To configure the high, medium or low Receiver Start of Packet Detection Threshold (Rx SOP) threshold value for each 802.11 band, use the config 802.11 rx-sop threshold command.

config {802.11a | 802.11b} rx-sop threshold {high | medium | low | auto} {ap ap_name | default}

Syntax Description

802.11a     Configures an Rx SOP threshold value for the 802.11a network.
802.11b     Configures an Rx SOP threshold value for the 802.11b network.
high        Configures the high Rx SOP threshold value for 802.11a/b networks.
medium      Configures the medium Rx SOP threshold value for 802.11a/b networks.
low         Configures the low Rx SOP threshold value for 802.11a/b networks.
auto        Configures an auto Rx SOP threshold value for 802.11a/b networks. When you choose auto, the access point determines the best Rx SOP threshold value.
ap ap_name  Configures the Rx SOP threshold value on an access point of an 802.11 network.
default     Configures the Rx SOP threshold value on all access points of an 802.11 network.

Command Default

The default Rx SOP threshold option is auto.

Command History

Release  Modification
8.0      This command was introduced.

Usage Guidelines

Rx SOP determines the Wi-Fi signal level in dBm at which an access point's radio demodulates and decodes a packet. The higher the level, the less sensitive the radio is and the smaller the receiver cell size. The table below shows the Rx SOP threshold values for high, medium and low levels for each 802.11 band.

Table 3: Rx SOP Thresholds

802.11 Band  High Threshold  Medium Threshold  Low Threshold
5 GHz        -76 dBm         -78 dBm           -80 dBm
2.4 GHz      -79 dBm         -82 dBm           -85 dBm


Examples

The following example shows how to configure a high Rx SOP threshold value for all access points in the 802.11a band:

(Cisco Controller) > config 802.11a rx-sop threshold high default


config 802.11 txPower

To configure the transmit power level for all access points or a single access point in an 802.11 network, use the config 802.11 txPower command.

config 802.11{a | b} txPower {global {power_level | auto | max | min | once } | ap cisco_ap}

Syntax Description

a            Specifies the 802.11a network.
b            Specifies the 802.11b/g network.
global       Configures the 802.11 transmit power level for all lightweight access points.
auto         (Optional) Specifies the power level is automatically set by Radio Resource Management (RRM) for the 802.11 Cisco radio.
once         (Optional) Specifies the power level is automatically set once by RRM.
power_level  (Optional) Manual Transmit power level number for the access point.
ap           Configures the 802.11 transmit power level for a specified lightweight access point.
ap_name      Access point name.

Command Default

The command default (global, auto) is for automatic configuration by RRM.

Command History

Release  Modification
7.6      This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

The supported power levels depend on the specific access point used and the regulatory region. For example, the 1240 series access point supports eight levels and the 1200 series access point supports six levels. See the Channels and Maximum Power Settings for Cisco Aironet Lightweight Access Points document for the maximum transmit power limits for your access point. The power levels and available channels are defined by the country code setting and are regulated on a country-by-country basis.


Examples

The following example shows how to automatically set the 802.11a radio transmit power level in all lightweight access points:

(Cisco Controller) > config 802.11a txPower global auto

The following example shows how to manually set the 802.11b radio transmit power to level 5 for all lightweight access points:

(Cisco Controller) > config 802.11b txPower global 5

The following example shows how to automatically set the 802.11b radio transmit power for access point AP1:

(Cisco Controller) > config 802.11b txPower ap AP1 global

The following example shows how to manually set the 802.11a radio transmit power to power level 2 for access point AP1:

(Cisco Controller) > config 802.11b txPower ap AP1 2

Related Commands

show ap config 802.11a
config 802.11b txPower


config 802.11 beamforming

To enable or disable Beamforming (ClientLink) on the network or on individual radios, enter the config 802.11 beamforming command.

config 802.11{a | b} beamforming {global | ap ap_name} {enable | disable}

Syntax Description

a           Specifies the 802.11a network.
b           Specifies the 802.11b/g network.
global      Specifies all lightweight access points.
ap ap_name  Specifies the Cisco access point name.
enable      Enables beamforming.
disable     Disables beamforming.

Command Default

None

Command History

Release  Modification
7.6      This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

When you enable Beamforming on the network, it is automatically enabled for all the radios applicable to that network type.

Follow these guidelines for using Beamforming:

• Beamforming is supported only for legacy orthogonal frequency-division multiplexing (OFDM) data rates (6, 9, 12, 18, 24, 36, 48, and 54 Mbps).

Note

Beamforming is not supported for complementary-code keying (CCK) data rates (1, 2, 5.5, and 11 Mbps).

• Beamforming is supported only on access points that support 802.11n (AP1250 and AP1140).

• Two or more antennas must be enabled for transmission.

• All three antennas must be enabled for reception.

• OFDM rates must be enabled.


If the antenna configuration restricts operation to a single transmit antenna, or if OFDM rates are disabled, Beamforming is not used.

Examples

The following example shows how to enable Beamforming on the 802.11a network:

(Cisco Controller) > config 802.11a beamforming global enable


config 802.11h channelswitch

To configure an 802.11h channel switch announcement, use the config 802.11h channelswitch command.

config 802.11h channelswitch {enable {loud | quiet} | disable}

Syntax Description

enable   Enables the 802.11h channel switch announcement.
disable  Disables the 802.11h channel switch announcement.

Command Default

None

Command History

Release  Modification
7.6      • This command was introduced in a release earlier than Release 7.6.
         • The loud and quiet parameters were introduced.

Examples

The following example shows how to disable an 802.11h switch announcement:

(Cisco Controller) > config 802.11h channelswitch disable


config 802.11h powerconstraint

To configure the 802.11h power constraint value, use the config 802.11h powerconstraint command.

config 802.11h powerconstraint value

Syntax Description

value  802.11h power constraint value.

Command Default

None

Command History

Release  Modification
7.6      This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the 802.11h power constraint to 5:

(Cisco Controller) > config 802.11h powerconstraint 5


config 802.11h setchannel

To configure a new channel using 802.11h channel announcement, use the config 802.11h setchannel command.

config 802.11h setchannel cisco_ap

Syntax Description

cisco_ap  Cisco lightweight access point name.

Command Default

None

Command History

Release  Modification
7.6      This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure a new channel using the 802.11h channel:

(Cisco Controller) > config 802.11h setchannel ap02


config 802.11h smart dfs

To enable or disable the 802.11h smart-dfs feature, use the config 802.11h smart-dfs command.

config 802.11h smart-dfs {enable | disable}

Syntax Description

enable   Enables non-occupancy time doubling for a radar interference channel.
disable  Disables non-occupancy time doubling and uses the legacy time (30 minutes) for a radar interference channel. Use disable to match legacy DFS behavior.

Command Default

Enabled

Command History

Release    Modification
8.2.141.0  This command was introduced.

Examples

The following example shows how to enable 802.11h smart-dfs:

(Cisco Controller) > config 802.11h smart-dfs enable


config 802.11 11nsupport

To enable 802.11n support on the network, use the config 802.11 11nsupport command.

config 802.11{a | b} 11nsupport {enable | disable}

Syntax Description

a        Specifies the 802.11a network settings.
b        Specifies the 802.11b/g network settings.
enable   Enables the 802.11n support.
disable  Disables the 802.11n support.

Command Default

None

Command History

Release  Modification
7.6      This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable the 802.11n support on an 802.11a network:

(Cisco Controller) > config 802.11a 11nsupport enable


config 802.11 11nsupport a-mpdu tx priority

To specify the aggregation method used for 802.11n packets, use the config 802.11 11nsupport a-mpdu tx priority command.

config 802.11{a | b} 11nsupport a-mpdu tx priority {0-7 | all} {enable | disable}

Syntax Description

a        Specifies the 802.11a network.
b        Specifies the 802.11b/g network.
0-7      Specifies the aggregated MAC protocol data unit priority level from 0 through 7.
all      Configures all of the priority levels at once.
enable   Specifies the traffic associated with the priority level uses A-MPDU transmission.
disable  Specifies the traffic associated with the priority level uses A-MSDU transmission.

Command Default

Priority 0 is enabled.

Usage Guidelines

Aggregation is the process of grouping packet data frames together rather than transmitting them separately. Two aggregation methods are available: Aggregated MAC Protocol Data Unit (A-MPDU) and Aggregated MAC Service Data Unit (A-MSDU). A-MPDU is performed in the software whereas A-MSDU is performed in the hardware.

Aggregated MAC Protocol Data Unit priority levels assigned per traffic type are as follows:

• 1—Background

• 2—Spare

• 0—Best effort

• 3—Excellent effort

• 4—Controlled load

• 5—Video, less than 100-ms latency and jitter

• 6—Voice, less than 10-ms latency and jitter

• 7—Network control

• all—Configure all of the priority levels at once.


Note

Configure the priority levels to match the aggregation method used by the clients.

Command History

Release  Modification
7.6      This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure all the priority levels at once so that the traffic associated with the priority level uses A-MSDU transmission:

(Cisco Controller) > config 802.11a 11nsupport a-mpdu tx priority all enable


config 802.11 beacon period

To change the beacon period globally for an 802.11a, 802.11b, or other supported 802.11 network, use the config 802.11 beacon period command.

config 802.11{a | b} beacon period time_units

Note

Disable the 802.11 network before using this command. See the “Usage Guidelines” section.

Syntax Description

a           Specifies the 802.11a network.
b           Specifies the 802.11b/g network.
time_units  Beacon interval in time units (TU). One TU is 1024 microseconds.

Command Default

None

Usage Guidelines

In Cisco wireless LAN solution 802.11 networks, all Cisco lightweight access point wireless LANs broadcast a beacon at regular intervals. This beacon notifies clients that the 802.11a service is available and allows the clients to synchronize with the lightweight access point.

Before you change the beacon period, make sure that you have disabled the 802.11 network by using the config 802.11 disable command. After changing the beacon period, enable the 802.11 network by using the config 802.11 enable command.

Command History

Release  Modification
7.6      This command was introduced in a release earlier than Release 7.6.

Examples

This example shows how to configure an 802.11a network for a beacon period of 120 time units:

(Cisco Controller) > config 802.11a beacon period 120

Related Commands

show 802.11a
config 802.11b beaconperiod
config 802.11a disable
config 802.11a enable
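The usage guidelines in this part of the reference repeat one procedure (disable the 802.11 network or radio, change the setting, re-enable it) and give value ranges for several keywords. The following added example is not part of the Cisco reference: it lints a saved command script against those rules before the script is applied. The function name lint and the sample script are constructed for illustration, and both networks are assumed to start enabled.

```python
import re

PROMPT = re.compile(r"^\(Cisco Controller\) >\s*")
CMD = re.compile(r"^config 802\.11([ab]) (.+)$")
# Commands this reference says to enter only while the network or radio is disabled.
NEEDS_DISABLED = ("11nsupport a-mpdu tx scheduler", "antenna extAntGain", "beacon period")
WIDTHS = {"20", "40", "80", "160", "best"}


def lint(script):
    """Return (line_number, message) findings for a WLC command script."""
    findings = []
    disabled = {}  # (band, "network" or AP name) -> line where it was disabled
    for no, raw in enumerate(script.splitlines(), 1):
        m = CMD.match(PROMPT.sub("", raw.strip()))
        if not m:
            continue  # blank line, or a command outside this example's scope
        band, rest = m.groups()
        w = rest.split()

        # Track "disable network" / "enable network" and the per-AP forms.
        if w[0] in ("disable", "enable") and len(w) == 2:
            if w[0] == "disable":
                disabled[(band, w[1])] = no
            else:
                disabled.pop((band, w[1]), None)
            continue

        if rest.startswith(NEEDS_DISABLED):
            # extAntGain is per access point: antenna extAntGain <gain> <cisco_ap>
            ap = w[3] if w[:2] == ["antenna", "extAntGain"] and len(w) == 4 else None
            if (band, "network") not in disabled and (band, ap) not in disabled:
                findings.append((no, "802.11%s is not disabled before: %s" % (band, rest)))

        if w[:5] == ["11nsupport", "a-mpdu", "tx", "scheduler", "timeout"]:
            # ... scheduler timeout rt <timeout-value>, valid range 1 to 1000 ms
            ok = len(w) == 7 and w[5] == "rt" and w[6].isdigit() and 1 <= int(w[6]) <= 1000
            if not ok:
                findings.append((no, "scheduler timeout must be 'rt' plus 1-1000 ms"))
        elif w[:3] == ["11nsupport", "mcs", "tx"]:
            if len(w) != 5 or not w[3].isdigit() or int(w[3]) > 15:
                findings.append((no, "MCS index must be 0-15"))
        elif w[0] == "chan_width":
            if len(w) != 3 or w[2] not in WIDTHS:
                findings.append((no, "chan_width must be 20, 40, 80, 160 or best"))
            elif band == "b" and w[2] == "40":
                findings.append((no, "40-MHz channel configured in the 2.4-GHz band"))

    # The guidelines end with re-enabling whatever was disabled.
    for (band, target), no in sorted(disabled.items(), key=lambda kv: kv[1]):
        findings.append((no, "802.11%s %s disabled here and never re-enabled" % (band, target)))
    return findings


# Constructed sample script (not from the reference).
SAMPLE = """\
(Cisco Controller) > config 802.11a disable network
(Cisco Controller) > config 802.11a beacon period 120
(Cisco Controller) > config 802.11a 11nsupport a-mpdu tx scheduler timeout rt 100
(Cisco Controller) > config 802.11a enable network
(Cisco Controller) > config 802.11b 11nsupport a-mpdu tx scheduler timeout rt 5000
(Cisco Controller) > config 802.11b chan_width AP01 40
(Cisco Controller) > config 802.11a 11nsupport mcs tx 16 enable
(Cisco Controller) > config 802.11b disable AP1
(Cisco Controller) > config 802.11b antenna extAntGain 5 AP1
"""

if __name__ == "__main__":
    for no, msg in lint(SAMPLE):
        print("line %d: %s" % (no, msg))
```

Lines 1 to 4 of the sample follow the documented procedure and produce no findings; line 5 is reported twice, once for the enabled network and once for the out-of-range timeout.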


config 802.11 cac defaults

To configure the default Call Admission Control (CAC) parameters for the 802.11a and 802.11b/g network, use the config 802.11 cac defaults command.

config 802.11{a | b} cac defaults

Syntax Description

a  Specifies the 802.11a network.
b  Specifies the 802.11b/g network.

Usage Guidelines

CAC commands for video applications on the 802.11a or 802.11b/g network require that the WLAN you are planning to modify is configured for the Wi-Fi Multimedia (WMM) protocol and the quality of service (QoS) level be set to Gold.

Before you can configure CAC parameters on a network, you must complete the following prerequisites:

• Disable all WLANs with WMM enabled by entering the config wlan disable wlan_id command.

• Disable the radio network you want to configure by entering the config 802.11{a | b} disable network command.

• Save the new configuration by entering the save config command.

• Enable voice or video CAC for the network you want to configure by entering the config 802.11{a | b} cac voice acm enable or config 802.11{a | b} cac video acm enable command.

For complete instructions, see the “Configuring Voice and Video Parameters” section in the “Configuring Controller Settings” chapter of the Cisco Wireless LAN Controller Configuration Guide for your release.

Command History

Release  Modification
7.6      This command was introduced in a release earlier than Release 7.6.

Examples

This example shows how to configure the default CAC parameters for the 802.11a network:

(Cisco Controller) > config 802.11a cac defaults

Related Commands

show cac voice stats
show cac voice summary
show cac video stats
show cac video summary
config 802.11 cac video tspec-inactivity-timeout
config 802.11 cac video max-bandwidth
config 802.11 cac video acm
config 802.11 cac video sip
config 802.11 cac video roam-bandwidth
config 802.11 cac load-based
config 802.11 cac media-stream
config 802.11 cac multimedia
config 802.11 cac video cac-method
debug cac

config 802.11 cac video acm

To enable or disable video Call Admission Control (CAC) for the 802.11a or 802.11b/g network, use the config 802.11 cac video acm command.

config 802.11{a | b} cac video acm {enable | disable}

Syntax Description

a        Specifies the 802.11a network.
b        Specifies the 802.11b/g network.
enable   Enables video CAC settings.
disable  Disables video CAC settings.

Command Default

The default video CAC setting for the 802.11a or 802.11b/g network is disabled.

Usage Guidelines

CAC commands require that the WLAN you are planning to modify is configured for the Wi-Fi Multimedia (WMM) protocol and the quality of service (QoS) level be set to Platinum.

Before you can configure CAC parameters on a network, you must complete the following prerequisites:

• Disable all WLANs with WMM enabled by entering the config wlan disable wlan_id command.

• Disable the radio network you want to configure by entering the config 802.11{a | b} disable network command.

• Save the new configuration by entering the save config command.

• Enable voice or video CAC for the network you want to configure by entering the config 802.11{a | b} cac voice acm enable or config 802.11{a | b} cac video acm enable command.

For complete instructions, see the “Configuring Voice and Video Parameters” section in the “Configuring Controller Settings” chapter of the Cisco Wireless LAN Controller Configuration Guide for your release.

Command History

Release  Modification
7.6      This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable the video CAC for the 802.11a network:

(Cisco Controller) > config 802.11a cac video acm enable

The following example shows how to disable the video CAC for the 802.11b network:

(Cisco Controller) > config 802.11b cac video acm disable

Related Commands

config 802.11 cac video max-bandwidth
config 802.11 cac video roam-bandwidth
config 802.11 cac video tspec-inactivity-timeout


config 802.11 cac video cac-method

To configure the Call Admission Control (CAC) method for video applications on the 802.11a or 802.11b/g network, use the config 802.11 cac video cac-method command.

config 802.11 {a | b} cac video cac-method {static | load-based}

Syntax Description

a           Specifies the 802.11a network.
b           Specifies the 802.11b/g network.
static      Enables the static CAC method for video applications on the 802.11a or 802.11b/g network.
            Static or bandwidth-based CAC enables the client to specify how much bandwidth or shared medium time is required to accept a new video request and in turn enables the access point to determine whether it is capable of accommodating the request.
load-based  Enables the load-based CAC method for video applications on the 802.11a or 802.11b/g network.
            Load-based or dynamic CAC incorporates a measurement scheme that takes into account the bandwidth consumed by all traffic types from itself, from co-channel access points, and by collocated channel interference. Load-based CAC also covers the additional bandwidth consumption that results from PHY and channel impairment. The access point admits a new call only if the channel has enough unused bandwidth to support that call.
            Load-based CAC is not supported if SIP-CAC is enabled.

Command Default

Static.

Usage Guidelines

CAC commands for video applications on the 802.11a or 802.11b/g network require that the WLAN you are planning to modify is configured for the Wi-Fi Multimedia (WMM) protocol and the quality of service (QoS) level be set to Gold.

Before you can configure CAC parameters on a network, you must complete the following prerequisites:

• Disable all WLANs with WMM enabled by entering the config wlan disable wlan_id command.

• Disable the radio network you want to configure by entering the config 802.11{a | b} disable network command.

• Save the new configuration by entering the save config command.

• Enable voice or video CAC for the network you want to configure by entering the config 802.11{a | b} cac voice acm enable or config 802.11{a | b} cac video acm enable command.

For complete instructions, see the “Configuring Voice and Video Parameters” section in the “Configuring Controller Settings” chapter of the Cisco Wireless LAN Controller Configuration Guide for your release.

Video CAC consists of two parts: Unicast Video-CAC and MC2UC CAC. If you need only Unicast Video-CAC, you must configure only static mode. If you need only MC2UC CAC, you must configure Static or Load-based CAC. Load-based CAC is not supported if SIP-CAC is enabled.

Command History

Release  Modification
7.6      This command was introduced in a release earlier than Release 7.6.

Examples

This example shows how to enable the static CAC method for video applications on the 802.11a network:

(Cisco Controller) > config 802.11a cac video cac-method static

Related Commands

show cac voice stats
show cac voice summary
show cac video stats
show cac video summary
config 802.11 cac video tspec-inactivity-timeout
config 802.11 cac video max-bandwidth
config 802.11 cac video acm
config 802.11 cac video sip
config 802.11 cac video roam-bandwidth
config 802.11 cac load-based
config 802.11 cac defaults
config 802.11 cac media-stream
config 802.11 cac multimedia
debug cac


config 802.11 cac video load-based

To enable or disable load-based Call Admission Control (CAC) for video applications on the 802.11a or 802.11b/g network, use the config 802.11 cac video load-based command.

config 802.11 {a | b} cac video load-based {enable | disable}

Syntax Description

a        Specifies the 802.11a network.
b        Specifies the 802.11b/g network.
enable   Enables load-based CAC for video applications on the 802.11a or 802.11b/g network.
         Load-based or dynamic CAC incorporates a measurement scheme that takes into account the bandwidth consumed by all traffic types from itself, from co-channel access points, and by collocated channel interference. Load-based CAC also covers the additional bandwidth consumption that results from PHY and channel impairment. The access point admits a new call only if the channel has enough unused bandwidth to support that call.
disable  Disables load-based CAC method for video applications on the 802.11a or 802.11b/g network.

Command Default

Disabled.

Usage Guidelines

CAC commands for video applications on the 802.11a or 802.11b/g network require that the WLAN you are planning to modify is configured for the Wi-Fi Multimedia (WMM) protocol and the quality of service (QoS) level be set to Gold.

Before you can configure CAC parameters on a network, you must complete the following prerequisites:

• Disable all WLANs with WMM enabled by entering the config wlan disable wlan_id command.

• Disable the radio network you want to configure by entering the config 802.11{a | b} disable network command.

• Save the new configuration by entering the save config command.

• Enable voice or video CAC for the network you want to configure by entering the config 802.11{a | b} cac voice acm enable or config 802.11{a | b} cac video acm enable command.

For complete instructions, see the “Configuring Voice and Video Parameters” section in the “Configuring Controller Settings” chapter of the Cisco Wireless LAN Controller Configuration Guide for your release.

Video CAC consists of two parts: Unicast Video-CAC and MC2UC CAC. If you need only Unicast Video-CAC, you must configure only static mode. If you need only MC2UC CAC, you must configure Static or Load-based CAC.

Note

Load-based CAC is not supported if SIP-CAC is enabled.

Command History

Release  Modification
7.6      This command was introduced in a release earlier than Release 7.6.

Examples

This example shows how to enable load-based CAC method for video applications on the 802.11a network:

(Cisco Controller) > config 802.11a cac video load-based enable

Related Commands

show cac voice stats
show cac voice summary
show cac video stats
show cac video summary
config 802.11 cac video tspec-inactivity-timeout
config 802.11 cac video max-bandwidth
config 802.11 cac video acm
config 802.11 cac video sip
config 802.11 cac video roam-bandwidth
config 802.11 cac load-based
config 802.11 cac defaults
config 802.11 cac media-stream
config 802.11 cac multimedia
config 802.11 cac video cac-method
debug cac


config 802.11 cac video max-bandwidth

To set the percentage of the maximum bandwidth allocated to clients for video applications on the 802.11a or 802.11b/g network, use the config 802.11 cac video max-bandwidth command.

config 802.11{a | b} cac video max-bandwidth bandwidth

Syntax Description

a          Specifies the 802.11a network.
b          Specifies the 802.11b/g network.
bandwidth  Bandwidth percentage value from 5 to 85%.

Command Default

The default maximum bandwidth allocated to clients for video applications on the 802.11a or 802.11b/g network is 0%.

Usage Guidelines

The maximum radio frequency (RF) bandwidth cannot exceed 85% for voice and video. Once the client reaches the value specified, the access point rejects new calls on this network.

Note

If this parameter is set to zero (0), the controller assumes that you do not want to allocate any bandwidth and allows all bandwidth requests.

Call Admission Control (CAC) commands require that the WLAN you are planning to modify is configured for the Wi-Fi Multimedia (WMM) protocol and the quality of service (QoS) level be set to Platinum.

Before you can configure CAC parameters on a network, you must complete the following prerequisites:

• Disable all WLANs with WMM enabled by entering the config wlan disable wlan_id command.

• Disable the radio network you want to configure by entering the config 802.11{a | b} disable network command.

• Save the new configuration by entering the save config command.

• Enable voice or video CAC for the network you want to configure by entering the config 802.11{a | b} cac voice acm enable or config 802.11{a | b} cac video acm enable command.

For complete instructions, see the “Configuring Voice and Video Parameters” section in the “Configuring Controller Settings” chapter of the Cisco Wireless LAN Controller Configuration Guide for your release.

Command History

Release  Modification
7.6      This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to specify the percentage of the maximum allocated bandwidth for video applications on the selected radio band:

(Cisco Controller) > config 802.11 cac video max-bandwidth 50

Related Commands

config 802.11 cac video acm
config 802.11 cac video roam-bandwidth
config 802.11 cac voice stream-size
config 802.11 cac voice roam-bandwidth


config 802.11 cac media-stream

To configure media stream Call Admission Control (CAC) voice and video quality parameters for 802.11a and 802.11b networks, use the config 802.11 cac media-stream command.

config 802.11 {a | b} cac media-stream multicast-direct {max-retry-percent retry-percentage | min-client-rate dot11-rate}

Syntax Description

a                  Specifies the 802.11a network.
b                  Specifies the 802.11b/g network.
multicast-direct   Configures CAC parameters for multicast-direct media streams.
max-retry-percent  Configures the percentage of maximum retries that are allowed for multicast-direct media streams.
retry-percentage   Percentage of maximum retries that are allowed for multicast-direct media streams.
min-client-rate    Configures the minimum transmission data rate to the client for multicast-direct media streams.
dot11-rate         Minimum transmission data rate to the client for multicast-direct media streams. Rate in kbps at which the client can operate.
                   If the transmission data rate is below this rate, either the video will not start or the client may be classified as a bad client. The bad client video can be demoted for better effort QoS or subject to denial. The available data rates are 6000, 9000, 12000, 18000, 24000, 36000, 48000, 54000, and 11n rates.

Command Default

The default value for the maximum retry percent is 80. If it exceeds 80, either the video will not start or the client might be classified as a bad client. The bad client video will be demoted for better effort QoS or is subject to denial.

Usage Guidelines

CAC commands for video applications on the 802.11a or 802.11b/g network require that the WLAN you are planning to modify is configured for Wi-Fi Multimedia (WMM) protocol and the quality of service (QoS) level be set to Gold.

Before you can configure CAC parameters on a network, you must complete the following prerequisites:

• Disable all WLANs with WMM enabled by entering the config wlan disable wlan_id command.

• Disable the radio network you want to configure by entering the config 802.11{a | b} disable network command.

• Save the new configuration by entering the save config command.

• Enable voice or video CAC for the network you want to configure by entering the config 802.11{a | b} cac voice acm enable or config 802.11{a | b} cac video acm enable command.

For complete instructions, see the “Configuring Voice and Video Parameters” section in the “Configuring Controller Settings” chapter of the Cisco Wireless LAN Controller Configuration Guide for your release.

Command History

Release  Modification
7.6      This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the maximum retry percent for multicast-direct media streams as 90 on a 802.11a network:

(Cisco Controller) > config 802.11a cac media-stream multicast-direct max-retry-percent 90

Related Commands

show cac voice stats
show cac voice summary
show cac video stats
show cac video summary
config 802.11 cac video tspec-inactivity-timeout
config 802.11 cac video max-bandwidth
config 802.11 cac video acm
config 802.11 cac video sip
config 802.11 cac video roam-bandwidth
config 802.11 cac load-based
config 802.11 cac defaults
config 802.11 cac multimedia
debug cac


config 802.11 cac multimedia

To configure the CAC media voice and video quality parameters for 802.11a and 802.11b networks, use the config 802.11 cac multimedia command.

config 802.11 {a | b} cac multimedia max-bandwidth bandwidth

Syntax Description

a              Specifies the 802.11a network.
b              Specifies the 802.11b/g network.
max-bandwidth  Configures the percentage of maximum bandwidth allocated to Wi-Fi Multimedia (WMM) clients for voice and video applications on the 802.11a or 802.11b/g network.
bandwidth      Percentage of the maximum bandwidth allocated to WMM clients for voice and video applications on the 802.11a or 802.11b/g network. Once the client reaches the specified value, the access point rejects new calls on this radio band. The range is from 5 to 85%.

Command Default

The default maximum bandwidth allocated to Wi-Fi Multimedia (WMM) clients for voice and video applications on the 802.11a or 802.11b/g network is 85%.

Usage Guidelines

Call Admission Control (CAC) commands for video applications on the 802.11a or 802.11b/g network require that the WLAN you are planning to modify is configured for Wi-Fi Multimedia (WMM) protocol and the quality of service (QoS) level be set to Gold.

Before you can configure CAC parameters on a network, you must complete the following prerequisites:

• Disable all WLANs with WMM enabled by entering the config wlan disable wlan_id command.

• Disable the radio network you want to configure by entering the config 802.11{a | b} disable network command.

• Save the new configuration by entering the save config command.

• Enable voice or video CAC for the network you want to configure by entering the config 802.11{a | b} cac voice acm enable or config 802.11{a | b} cac video acm enable command.

For complete instructions, see the “Configuring Voice and Video Parameters” section in the “Configuring Controller Settings” chapter of the Cisco Wireless LAN Controller Configuration Guide for your release.

Command History

Release  Modification
7.6      This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the percentage of the maximum bandwidth allocated to WMM clients for voice and video applications on the 802.11a network:

(Cisco Controller) > config 802.11a cac multimedia max-bandwidth 80

Related Commands

show cac voice stats
show cac voice summary
show cac video stats
show cac video summary
config 802.11 cac video tspec-inactivity-timeout
config 802.11 cac video max-bandwidth
config 802.11 cac video acm
config 802.11 cac video sip
config 802.11 cac video roam-bandwidth
config 802.11 cac load-based
config 802.11 cac defaults
debug cac


config 802.11 cac video roam-bandwidth

To configure the percentage of the maximum allocated bandwidth reserved for roaming video clients on the 802.11a or 802.11b/g network, use the config 802.11 cac video roam-bandwidth command.

config 802.11{a | b} cac video roam-bandwidth bandwidth

Syntax Description

a          Specifies the 802.11a network.
b          Specifies the 802.11b/g network.
bandwidth  Bandwidth percentage value from 5 to 85%.

Command Default

The maximum allocated bandwidth reserved for roaming video clients on the 802.11a or 802.11b/g network is 0%.

Command History

Release  Modification
7.6      This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

The controller reserves the specified bandwidth from the maximum allocated bandwidth for roaming video clients.

Note

If this parameter is set to zero (0), the controller assumes that you do not want to do any bandwidth allocation and, therefore, allows all bandwidth requests.

CAC commands require that the WLAN you are planning to modify is configured for the Wi-Fi Multimedia (WMM) protocol and the quality of service (QoS) level be set to Platinum.

Before you can configure CAC parameters on a network, you must complete the following prerequisites:

• Disable all WLANs with WMM enabled by entering the config wlan disable wlan_id command.

• Disable the radio network you want to configure by entering the config 802.11 {a | b} disable network command.

• Save the new configuration by entering the save config command.

• Enable voice or video CAC for the network you want to configure by entering the config 802.11 {a | b} cac voice acm enable or config 802.11 {a | b} cac video acm enable command.

For complete instructions, see the “Configuring Voice and Video Parameters” section in the “Configuring Controller Settings” chapter of the Cisco Wireless LAN Controller Configuration Guide for your release.

Examples

The following example shows how to specify the percentage of the maximum allocated bandwidth reserved for roaming video clients on the selected radio band:

(Cisco Controller) > config 802.11 cac video roam-bandwidth 10

Related Commands

config 802.11 cac video tspec-inactivity-timeout
config 802.11 cac video max-bandwidth
config 802.11 cac video acm
config 802.11 cac video cac-method
config 802.11 cac video sip
config 802.11 cac video load-based


config 802.11 cac video sip

To enable or disable video Call Admission Control (CAC) for non-traffic specifications (non-TSPEC) SIP clients using video applications on the 802.11a or 802.11b/g network, use the config 802.11 cac video sip command.

config 802.11 {a | b} cac video sip {enable | disable}

Syntax Description

a        Specifies the 802.11a network.
b        Specifies the 802.11b/g network.
enable   Enables video CAC for non-TSPEC SIP clients using video applications on the 802.11a or 802.11b/g network.
         When you enable video CAC for non-TSPEC SIP clients, you can use applications like Facetime and CIUS video calls.
disable  Disables video CAC for non-TSPEC SIP clients using video applications on the 802.11a or 802.11b/g network.

Command Default

None

Usage Guidelines

CAC commands for video applications on the 802.11a or 802.11b/g network require that the WLAN you are planning to modify is configured for the Wi-Fi Multimedia (WMM) protocol and the quality of service (QoS) level be set to Gold.

Before you can configure CAC parameters on a network, you must complete the following prerequisites:

• Disable all WLANs with WMM enabled by entering the config wlan disable wlan_id command.

• Disable the radio network you want to configure by entering the config 802.11 {a | b} disable network command.

• Save the new configuration by entering the save config command.

• Enable voice or video CAC for the network you want to configure by entering the config 802.11{a | b} cac voice acm enable or config 802.11{a | b} cac video acm enable command.

For complete instructions, see the “Configuring Voice and Video Parameters” section in the “Configuring Controller Settings” chapter of the Cisco Wireless LAN Controller Configuration Guide for your release.

• Enable call snooping on the WLAN on which the SIP client is present by entering the config wlan call-snoop enable wlan_id command.

Examples

The following example shows how to enable video CAC for non-TSPEC SIP clients using video applications on the 802.11a network:

(Cisco Controller) > config 802.11a cac video sip enable

Related Commands

config 802.11 cac video tspec-inactivity-timeout
config 802.11 cac video max-bandwidth
config 802.11 cac video acm
config 802.11 cac video cac-method
config 802.11 cac video load-based
config 802.11 cac video roam-bandwidth

config 802.11 cac video tspec-inactivity-timeout

To process or ignore the Call Admission Control (CAC) Wi-Fi Multimedia (WMM) traffic specifications (TSPEC) inactivity timeout received from an access point, use the config 802.11 cac video tspec-inactivity-timeout command.

config 802.11{a | b} cac video tspec-inactivity-timeout {enable | ignore}

Syntax Description

a       Specifies the 802.11a network.
b       Specifies the 802.11b/g network.
enable  Processes the TSPEC inactivity timeout messages.
ignore  Ignores the TSPEC inactivity timeout messages.

Command Default

The default CAC WMM TSPEC inactivity timeout received from an access point is disabled (ignore).

Usage Guidelines

CAC commands require that the WLAN you are planning to modify is configured for the Wi-Fi Multimedia (WMM) protocol and the quality of service (QoS) level be set to Platinum.

Before you can configure CAC parameters on a network, you must complete the following prerequisites:

• Disable all WLANs with WMM enabled by entering the config wlan disable wlan_id command.

• Disable the radio network you want to configure by entering the config 802.11{a | b} disable network command.

• Save the new configuration by entering the save config command.

• Enable voice or video CAC for the network you want to configure by entering the config 802.11{a | b} cac voice acm enable or config 802.11{a | b} cac video acm enable command.

For complete instructions, see the “Configuring Voice and Video Parameters” section in the “Configuring Controller Settings” chapter of the Cisco Wireless LAN Controller Configuration Guide for your release.

Examples

This example shows how to process the response to TSPEC inactivity timeout messages received from an access point:

(Cisco Controller) > config 802.11a cac video tspec-inactivity-timeout enable

This example shows how to ignore the response to TSPEC inactivity timeout messages received from an access point:

(Cisco Controller) > config 802.11a cac video tspec-inactivity-timeout ignore

Related Commands

config 802.11 cac video acm
config 802.11 cac video max-bandwidth
config 802.11 cac video roam-bandwidth

config 802.11 cac voice acm

To enable or disable bandwidth-based voice Call Admission Control (CAC) for the 802.11a or 802.11b/g network, use the config 802.11 cac voice acm command.

config 802.11{a | b} cac voice acm {enable | disable}

Syntax Description

a        Specifies the 802.11a network.
b        Specifies the 802.11b/g network.
enable   Enables the bandwidth-based CAC.
disable  Disables the bandwidth-based CAC.

Command Default

The default bandwidth-based voice CAC for the 802.11a or 802.11b/g network is disabled.

Usage Guidelines

CAC commands require that the WLAN you are planning to modify is configured for the Wi-Fi Multimedia (WMM) protocol and the quality of service (QoS) level be set to Platinum.

Before you can configure CAC parameters on a network, you must complete the following prerequisites:

• Disable all WLANs with WMM enabled by entering the config wlan disable wlan_id command.

• Disable the radio network you want to configure by entering the config 802.11{a | b} disable network command.

• Save the new configuration by entering the save config command.

• Enable voice or video CAC for the network you want to configure by entering the config 802.11{a | b} cac voice acm enable or config 802.11{a | b} cac video acm enable command.

For complete instructions, see the “Configuring Voice and Video Parameters” section in the “Configuring Controller Settings” chapter of the Cisco Wireless LAN Controller Configuration Guide for your release.

Examples

This example shows how to enable the bandwidth-based CAC:

(Cisco Controller) > config 802.11a cac voice acm enable

This example shows how to disable the bandwidth-based CAC:

(Cisco Controller) > config 802.11b cac voice acm disable

Related Commands

config 802.11 cac video acm


config 802.11 cac voice max-bandwidth

To set the percentage of the maximum bandwidth allocated to clients for voice applications on the 802.11a or 802.11b/g network, use the config 802.11 cac voice max-bandwidth command.

config 802.11{a | b} cac voice max-bandwidth bandwidth

Syntax Description

a          Specifies the 802.11a network.
b          Specifies the 802.11b/g network.
bandwidth  Bandwidth percentage value from 5 to 85%.

Command Default

The default maximum bandwidth allocated to clients for voice applications on the 802.11a or 802.11b/g network is 0%.

Usage Guidelines

The maximum radio frequency (RF) bandwidth cannot exceed 85% for voice and video. Once the client reaches the value specified, the access point rejects new calls on this network.

CAC commands require that the WLAN you are planning to modify is configured for the Wi-Fi Multimedia (WMM) protocol and the quality of service (QoS) level be set to Platinum.

Before you can configure CAC parameters on a network, you must complete the following prerequisites:

• Disable all WLANs with WMM enabled by entering the config wlan disable wlan_id command.

• Disable the radio network you want to configure by entering the config 802.11{a | b} disable network command.

• Save the new configuration by entering the save config command.

• Enable voice or video CAC for the network you want to configure by entering the config 802.11{a | b} cac voice acm enable or config 802.11{a | b} cac video acm enable command.

For complete instructions, see the “Configuring Voice and Video Parameters” section in the “Configuring Controller Settings” chapter of the Cisco Wireless LAN Controller Configuration Guide for your release.

Command History

Release  Modification
7.6      This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to specify the percentage of the maximum allocated bandwidth for voice applications on the selected radio band:

(Cisco Controller) > config 802.11a cac voice max-bandwidth 50

Related Commands

config 802.11 cac voice roam-bandwidth
config 802.11 cac voice stream-size
config 802.11 exp-bwreq
config 802.11 tsm
config wlan save
show wlan
show wlan summary
config 802.11 cac voice tspec-inactivity-timeout
config 802.11 cac voice load-based
config 802.11 cac video acm

config 802.11 cac voice roam-bandwidth

To configure the percentage of the Call Admission Control (CAC) maximum allocated bandwidth reserved for roaming voice clients on the 802.11a or 802.11b/g network, use the config 802.11 cac voice roam-bandwidth command.

config 802.11{a | b} cac voice roam-bandwidth bandwidth

Syntax Description

a          Specifies the 802.11a network.
b          Specifies the 802.11b/g network.
bandwidth  Bandwidth percentage value from 0 to 85%.

Command Default

The default CAC maximum allocated bandwidth reserved for roaming voice clients on the 802.11a or 802.11b/g network is 85%.

Usage Guidelines

The maximum radio frequency (RF) bandwidth cannot exceed 85% for voice and video. The controller reserves the specified bandwidth from the maximum allocated bandwidth for roaming voice clients.

Note

If this parameter is set to zero (0), the controller assumes you do not want to allocate any bandwidth and therefore allows all bandwidth requests.

CAC commands require that the WLAN you are planning to modify is configured for the Wi-Fi Multimedia (WMM) protocol and the quality of service (QoS) level be set to Platinum.

Before you can configure CAC parameters on a network, you must complete the following prerequisites:

• Disable all WLANs with WMM enabled by entering the config wlan disable wlan_id command.

• Disable the radio network you want to configure by entering the config 802.11{a | b} disable network command.

• Save the new configuration by entering the save config command.

• Enable voice or video CAC for the network you want to configure by entering the config 802.11{a | b} cac voice acm enable or config 802.11{a | b} cac video acm enable commands.

For complete instructions, see the “Configuring Voice and Video Parameters” section in the “Configuring Controller Settings” chapter of the Cisco Wireless LAN Controller Configuration Guide for your release.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the percentage of the maximum allocated bandwidth reserved for roaming voice clients on the selected radio band:

(Cisco Controller) > config 802.11 cac voice roam-bandwidth 10

Related Commands

• config 802.11 cac voice acm
• config 802.11 cac voice max-bandwidth
• config 802.11 cac voice stream-size

config 802.11 cac voice tspec-inactivity-timeout

To process or ignore the Wi-Fi Multimedia (WMM) traffic specifications (TSPEC) inactivity timeout received from an access point, use the config 802.11 cac voice tspec-inactivity-timeout command.

config 802.11{a | b} cac voice tspec-inactivity-timeout {enable | ignore}

Syntax Description

a: Specifies the 802.11a network.
b: Specifies the 802.11b/g network.
enable: Processes the TSPEC inactivity timeout messages.
ignore: Ignores the TSPEC inactivity timeout messages.

Command Default

The default WMM TSPEC inactivity timeout received from an access point is disabled (ignore).

Usage Guidelines

Call Admission Control (CAC) commands require that the WLAN you are planning to modify is configured for Wi-Fi Multimedia (WMM) protocol and the quality of service (QoS) level be set to Platinum.

Before you can configure CAC parameters on a network, you must complete the following prerequisites:

• Disable all WLANs with WMM enabled by entering the config wlan disable wlan_id command.

• Disable the radio network you want to configure by entering the config 802.11{a | b} disable network command.

• Save the new configuration by entering the save config command.

• Enable voice or video CAC for the network you want to configure by entering the config 802.11{a | b} cac voice acm enable or config 802.11{a | b} cac video acm enable commands.

For complete instructions, see the “Configuring Voice and Video Parameters” section in the “Configuring Controller Settings” chapter of the Cisco Wireless LAN Controller Configuration Guide for your release.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable the voice TSPEC inactivity timeout messages received from an access point:

(Cisco Controller) > config 802.11 cac voice tspec-inactivity-timeout enable

Related Commands

• config 802.11 cac voice load-based
• config 802.11 cac voice roam-bandwidth
• config 802.11 cac voice acm
• config 802.11 cac voice max-bandwidth
• config 802.11 cac voice stream-size

config 802.11 cac voice load-based

To enable or disable load-based Call Admission Control (CAC) for the 802.11a or 802.11b/g network, use the config 802.11 cac voice load-based command.

config 802.11{a | b} cac voice load-based {enable | disable}

Syntax Description

a: Specifies the 802.11a network.
b: Specifies the 802.11b/g network.
enable: Enables load-based CAC.
disable: Disables load-based CAC.

Command Default

The default load-based CAC for the 802.11a or 802.11b/g network is disabled.

Usage Guidelines

CAC commands require that the WLAN you are planning to modify is configured for the Wi-Fi Multimedia (WMM) protocol and the quality of service (QoS) level be set to Platinum.

Before you can configure CAC parameters on a network, you must complete the following prerequisites:

• Disable all WLANs with WMM enabled by entering the config wlan disable wlan_id command.

• Disable the radio network you want to configure by entering the config 802.11{a | b} disable network command.

• Save the new configuration by entering the save config command.

• Enable voice or video CAC for the network you want to configure by entering the config 802.11{a | b} cac voice acm enable or config 802.11{a | b} cac video acm enable commands.

For complete instructions, see the “Configuring Voice and Video Parameters” section in the “Configuring Controller Settings” chapter of the Cisco Wireless LAN Controller Configuration Guide for your release.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable the voice load-based CAC parameters:

(Cisco Controller) > config 802.11a cac voice load-based enable

The following example shows how to disable the voice load-based CAC parameters:

(Cisco Controller) > config 802.11a cac voice load-based disable

Related Commands

• config 802.11 cac voice tspec-inactivity-timeout
• config 802.11 cac video max-bandwidth
• config 802.11 cac video acm
• config 802.11 cac voice stream-size

config 802.11 cac voice max-calls

Note

Do not use the config 802.11 cac voice max-calls command if the SIP call snooping feature is disabled and if the SIP based Call Admission Control (CAC) requirements are not met.

To configure the maximum number of voice calls supported by the radio, use the config 802.11 cac voice max-calls command.

config 802.11{a | b} cac voice max-calls number

Syntax Description

a: Specifies the 802.11a network.
b: Specifies the 802.11b/g network.
number: Number of calls to be allowed per radio.

Command Default

The default maximum number of voice calls supported by the radio is 0, which means that there is no maximum limit check for the number of calls.

Usage Guidelines

CAC commands require that the WLAN you are planning to modify is configured for the Wi-Fi Multimedia (WMM) protocol and the quality of service (QoS) level be set to Platinum.

Before you can configure CAC parameters on a network, you must complete the following prerequisites:

• Disable all WLANs with WMM enabled by entering the config wlan disable wlan_id command.

• Disable the radio network you want to configure by entering the config 802.11{a | b} disable network command.

• Save the new configuration by entering the save config command.

• Enable voice or video CAC for the network you want to configure by entering the config 802.11{a | b} cac voice acm enable or config 802.11{a | b} cac video acm enable commands.

For complete instructions, see the “Configuring Voice and Video Parameters” section in the “Configuring Controller Settings” chapter of the Cisco Wireless LAN Controller Configuration Guide for your release.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the maximum number of voice calls supported by radio:

(Cisco Controller) > config 802.11 cac voice max-calls 10

Related Commands

• config 802.11 cac voice roam-bandwidth
• config 802.11 cac voice stream-size
• config 802.11 exp-bwreq
• config 802.11 cac voice tspec-inactivity-timeout
• config 802.11 cac voice load-based
• config 802.11 cac video acm

config 802.11 cac voice sip bandwidth

Note

SIP bandwidth and sample intervals are used to compute per call bandwidth for the SIP-based Call Admission Control (CAC).

To configure the bandwidth that is required per call for the 802.11a or 802.11b/g network, use the config 802.11 cac voice sip bandwidth command.

config 802.11{a | b} cac voice sip bandwidth bw_kbps sample-interval number_msecs

Syntax Description

a: Specifies the 802.11a network.
b: Specifies the 802.11b/g network.
bw_kbps: Bandwidth in kbps.
sample-interval: Specifies the packetization interval for SIP codec.
number_msecs: Packetization sample interval in msecs. The sample interval for SIP codec is 20 seconds.

Command Default

None

Usage Guidelines

CAC commands require that the WLAN you are planning to modify is configured for the Wi-Fi Multimedia (WMM) protocol and the quality of service (QoS) level be set to Platinum.

Before you can configure CAC parameters on a network, you must complete the following prerequisites:

• Disable all WLANs with WMM enabled by entering the config wlan disable wlan_id command.

• Disable the radio network you want to configure by entering the config 802.11{a | b} disable network command.

• Save the new configuration by entering the save config command.

• Enable voice or video CAC for the network you want to configure by entering the config 802.11{a | b} cac voice acm enable or config 802.11{a | b} cac video acm enable commands.

For complete instructions, see the “Configuring Voice and Video Parameters” section in the “Configuring Controller Settings” chapter of the Cisco Wireless LAN Controller Configuration Guide for your release.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the bandwidth and voice packetization interval for a SIP codec:

(Cisco Controller) > config 802.11 cac voice sip bandwidth 10 sample-interval 40

Related Commands

• config 802.11 cac voice acm
• config 802.11 cac voice load-based
• config 802.11 cac voice max-bandwidth
• config 802.11 cac voice roam-bandwidth
• config 802.11 cac voice tspec-inactivity-timeout
• config 802.11 exp-bwreq

config 802.11 cac voice sip codec

To configure the Call Admission Control (CAC) codec name and sample interval as parameters and to calculate the required bandwidth per call for the 802.11a or 802.11b/g network, use the config 802.11 cac voice sip codec command.

config 802.11{a | b} cac voice sip codec {g711 | g729} sample-interval number_msecs

Syntax Description

a: Specifies the 802.11a network.
b: Specifies the 802.11b/g network.
g711: Specifies CAC parameters for the SIP G711 codec.
g729: Specifies CAC parameters for the SIP G729 codec.
sample-interval: Specifies the packetization interval for SIP codec.
number_msecs: Packetization interval in msecs. The sample interval for SIP codec value is 20 seconds.

Command Default

The default CAC codec parameter is g711.

Usage Guidelines

CAC commands require that the WLAN you are planning to modify is configured for the Wi-Fi Multimedia (WMM) protocol and the quality of service (QoS) level be set to Platinum.

Before you can configure CAC parameters on a network, you must complete the following prerequisites:

• Disable all WLANs with WMM enabled by entering the config wlan disable wlan_id command.

• Disable the radio network you want to configure by entering the config 802.11{a | b} disable network command.

• Save the new configuration by entering the save config command.

• Enable voice or video CAC for the network you want to configure by entering the config 802.11{a | b} cac voice acm enable or config 802.11{a | b} cac video acm enable commands.

For complete instructions, see the “Configuring Voice and Video Parameters” section in the “Configuring Controller Settings” chapter of the Cisco Wireless LAN Controller Configuration Guide for your release.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the codec name and sample interval as parameters for SIP G711 codec:

(Cisco Controller) > config 802.11a cac voice sip codec g711 sample-interval 40

This example shows how to configure the codec name and sample interval as parameters for SIP G729 codec:

(Cisco Controller) > config 802.11a cac voice sip codec g729 sample-interval 40

Related Commands

• config 802.11 cac voice acm
• config 802.11 cac voice load-based
• config 802.11 cac voice max-bandwidth
• config 802.11 cac voice roam-bandwidth
• config 802.11 cac voice tspec-inactivity-timeout
• config 802.11 exp-bwreq

config 802.11 cac voice stream-size

To configure the number of aggregated voice Wi-Fi Multimedia (WMM) traffic specification (TSPEC) streams at a specified data rate for the 802.11a or 802.11b/g network, use the config 802.11 cac voice stream-size command.

config 802.11{a | b} cac voice stream-size stream_size number mean_datarate max-streams mean_datarate

Syntax Description

a: Specifies the 802.11a network.
b: Specifies the 802.11b/g network.
stream-size: Configures the maximum data rate for the stream.
stream_size: Range of stream size is between 84000 and 92100.
number: Number (1 to 5) of voice streams.
mean_datarate: Configures the mean data rate.
max-streams: Configures the mean data rate of a voice stream.
mean_datarate: Mean data rate (84 to 91.2 kbps) of a voice stream.

Command Default

The default number of streams is 2 and the mean data rate of a stream is 84 kbps.

Usage Guidelines

Call Admission Control (CAC) commands require that the WLAN you are planning to modify is configured for the Wi-Fi Multimedia (WMM) protocol and the quality of service (QoS) level be set to Platinum.

Before you can configure CAC parameters on a network, you must complete the following prerequisites:

• Disable all WLANs with WMM enabled by entering the config wlan disable wlan_id command.

• Disable the radio network you want to configure by entering the config 802.11{a | b} disable network command.

• Save the new configuration by entering the save config command.

• Enable voice or video CAC for the network you want to configure by entering the config 802.11{a | b} cac voice acm enable or config 802.11{a | b} cac video acm enable commands.

For complete instructions, see the “Configuring Voice and Video Parameters” section in the “Configuring Controller Settings” chapter of the Cisco Wireless LAN Controller Configuration Guide for your release.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the number of aggregated voice traffic specifications stream with the stream size 5 and the mean data rate of 85000 kbps:

(Cisco Controller) > config 802.11 cac voice stream-size 5 max-streams size 85

Related Commands

• config 802.11 cac voice acm
• config 802.11 cac voice load-based
• config 802.11 cac voice max-bandwidth
• config 802.11 cac voice roam-bandwidth
• config 802.11 cac voice tspec-inactivity-timeout
• config 802.11 exp-bwreq

config 802.11 cleanair

To enable or disable CleanAir for the 802.11a or 802.11b/g network, use the config 802.11 cleanair command.

config 802.11{a | b} cleanair {alarm {air-quality {disable | enable | threshold alarm_threshold } | device {disable device_type | enable device_type | reporting {disable | enable} | unclassified {disable | enable | threshold alarm_threshold }} | device {disable device_type | enable device_type | reporting {disable | enable} | disable {network | cisco_ap} | enable {network | cisco_ap}}

Syntax Description

a: Specifies the 802.11a network.
b: Specifies the 802.11b/g network.
alarm: Configures the 5-GHz CleanAir alarms.
air-quality: Configures the 5-GHz air quality alarm.
enable: Enables the CleanAir settings.
disable: Disables the CleanAir settings.
threshold: Configures the 5-GHz air quality alarm threshold.
alarm_threshold: Air quality alarm threshold (1 is bad air quality, and 100 is good air quality).
device: Configures the 5-GHz CleanAir interference devices alarm.
device_type: Device types. The device types are as follows:
• 802.11-nonstd: Devices using nonstandard Wi-Fi channels.
• 802.11-inv: Devices using spectrally inverted Wi-Fi signals.
• superag: 802.11 SuperAG devices.
• all: All interference device types.
• cont-tx: Continuous Transmitter.
• dect-like: Digital Enhanced Cordless Communication (DECT) like phone.
• tdd-tx: TDD Transmitter.
• jammer: Jammer.
• canopy: Canopy devices.
• video: Video cameras.
• wimax-mobile: WiMax Mobile.
• wimax-fixed: WiMax Fixed.
reporting: Configures the 5-GHz CleanAir interference devices alarm reporting.
unclassified: Configures the 5-GHz air quality alarm on exceeding unclassified category severity.
network: 5-GHz Cisco APs.
cisco_ap: Name of the access point to which the command applies.

Command Default

The default CleanAir setting for the 802.11a or 802.11b/g network is disabled.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable the CleanAir settings on access point ap_24:

(Cisco Controller) > config 802.11a cleanair enable ap_24

config 802.11 cleanair device

To configure CleanAir interference device types, use the config 802.11 cleanair device command.

config 802.11{a | b} cleanair device {enable | disable | reporting {enable | disable}} device_type

Syntax Description

a: Specifies the 802.11a network.
b: Specifies the 802.11b/g network.
enable: Enables the CleanAir reporting for the interference device type.
disable: Disables the CleanAir reporting for the interference device type.
reporting: Configures CleanAir interference device reporting.
enable: Enables the 5-GHz CleanAir interference devices reporting.
disable: Disables the 5-GHz CleanAir interference devices reporting.
device_type: Interference device type. The device types are as follows:
• 802.11-nonstd: Devices using nonstandard Wi-Fi channels.
• 802.11-inv: Devices using spectrally inverted Wi-Fi signals.
• superag: 802.11 SuperAG devices.
• all: All interference device types.
• cont-tx: Continuous Transmitter.
• dect-like: Digital Enhanced Cordless Communication (DECT) like phone.
• tdd-tx: TDD Transmitter.
• jammer: Jammer.
• canopy: Canopy devices.
• video: Video cameras.
• wimax-mobile: WiMax Mobile.
• wimax-fixed: WiMax Fixed.

Command Default

The default setting for CleanAir reporting for the interference device type is disabled.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable the CleanAir reporting for the device type jammer:

(Cisco Controller) > config 802.11a cleanair device enable jammer

The following example shows how to disable the CleanAir reporting for the device type video:

(Cisco Controller) > config 802.11a cleanair device disable video

The following example shows how to enable the CleanAir interference device reporting:

(Cisco Controller) > config 802.11a cleanair device reporting enable

config 802.11 cleanair alarm

To configure the triggering of the air quality alarms, use the config 802.11 cleanair alarm command.

config 802.11{a | b} cleanair alarm {air-quality {disable | enable | threshold alarm_threshold } | device {disable device_type | enable device_type | reporting {disable | enable } | unclassified {disable | enable | threshold alarm_threshold }}

Syntax Description

a: Specifies the 802.11a network.
b: Specifies the 802.11b/g network.
air-quality: Configures the 5-GHz air quality alarm.
disable: Disables the 5-GHz air quality alarm.
enable: Enables the 5-GHz air quality alarm.
threshold: Configures the 5-GHz air quality alarm threshold.
alarm_threshold: Air quality alarm threshold (1 is bad air quality, and 100 is good air quality).
device: Configures the 5-GHz cleanair interference devices alarm.
all: Configures all the device types at once.
reporting: Configures the 5-GHz CleanAir interference devices alarm reporting.
unclassified: Configures the 5-GHz air quality alarm on exceeding unclassified category severity.
device_type: Device types. The device types are as follows:
• 802.11-nonstd: Devices using nonstandard Wi-Fi channels.
• 802.11-inv: Devices using spectrally inverted Wi-Fi signals.
• superag: 802.11 SuperAG devices.
• all: All interference device types.
• cont-tx: Continuous Transmitter.
• dect-like: Digital Enhanced Cordless Communication (DECT) like phone.
• tdd-tx: TDD Transmitter.
• jammer: Jammer.
• canopy: Canopy devices.
• video: Video cameras.
• wimax-mobile: WiMax Mobile.
• wimax-fixed: WiMax Fixed.

Command Default

The default setting for 5-GHz air quality alarm is enabled.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable the CleanAir alarm to monitor the air quality:

(Cisco Controller) > config 802.11a cleanair alarm air-quality enable

The following example shows how to enable the CleanAir alarm for the device type video:

(Cisco Controller) > config 802.11a cleanair alarm device enable video

The following example shows how to enable alarm reporting for the CleanAir interference devices:

(Cisco Controller) > config 802.11a cleanair alarm device reporting enable

config 802.11 disable

To disable radio transmission for an entire 802.11 network or for an individual Cisco radio, use the config 802.11 disable command.

config 802.11{a | b} disable {network | cisco_ap}

Syntax Description

a: Configures the 802.11a radio on slot 1 and 802.11ac radio on slot 2.
b: Specifies the 802.11b/g network.
network: Disables transmission for the entire 802.11a network.
cisco_ap: Individual Cisco lightweight access point radio.

Command Default

The transmission is enabled for the entire network by default.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

• You must use this command to disable the network before using many config 802.11 commands.
• This command can be used any time that the CLI interface is active.

Examples

The following example shows how to disable the entire 802.11a network:

(Cisco Controller) > config 802.11a disable network

The following example shows how to disable access point AP01 802.11b transmissions:

(Cisco Controller) > config 802.11b disable AP01

config 802.11 dtpc

To enable or disable the Dynamic Transmit Power Control (DTPC) setting for an 802.11 network, use the config 802.11 dtpc command.

config 802.11{a | b} dtpc {enable | disable}

Syntax Description

a: Specifies the 802.11a network.
b: Specifies the 802.11b/g network.
enable: Enables the support for this command.
disable: Disables the support for this command.

Command Default

The default DTPC setting for an 802.11 network is enabled.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to disable DTPC for an 802.11a network:

(Cisco Controller) > config 802.11a dtpc disable

config 802.11 enable

To enable radio transmission for an entire 802.11 network or for an individual Cisco radio, use the config 802.11 enable command.

config 802.11{a | b} enable {network | cisco_ap}

Syntax Description

a: Configures the 802.11a radio on slot 1 and 802.11ac on slot 2.
b: Specifies the 802.11b/g network.
network: Disables transmission for the entire 802.11a network.
cisco_ap: Individual Cisco lightweight access point radio.

Command Default

The transmission is enabled for the entire network by default.

Usage Guidelines

Use this command with the config 802.11 disable command when configuring 802.11 settings.

This command can be used any time that the CLI interface is active.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable radio transmission for the entire 802.11a network:

(Cisco Controller) > config 802.11a enable network

The following example shows how to enable radio transmission for AP1 on an 802.11b network:

(Cisco Controller) > config 802.11b enable AP1

Related Commands

• show sysinfo
• show 802.11a
• config wlan radio
• config 802.11a disable
• config 802.11b disable
• config 802.11b enable
• config 802.11b 11gSupport enable
• config 802.11b 11gSupport disable

config 802.11 exp-bwreq

To enable or disable the Cisco Client eXtension (CCX) version 5 expedited bandwidth request feature for an 802.11 radio, use the config 802.11 exp-bwreq command.

config 802.11{a | b} exp-bwreq {enable | disable}

Syntax Description

a: Specifies the 802.11a network.
b: Specifies the 802.11b/g network.
enable: Enables the expedited bandwidth request feature.
disable: Disables the expedited bandwidth request feature.

Command Default

The expedited bandwidth request feature is disabled by default.

Usage Guidelines

When this command is enabled, the controller configures all joining access points for this feature.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable the CCX expedited bandwidth settings:

(Cisco Controller) > config 802.11a exp-bwreq enable

Cannot change Exp Bw Req mode while 802.11a network is operational.

The following example shows how to disable the CCX expedited bandwidth settings:

(Cisco Controller) > config 802.11a exp-bwreq disable

Related Commands

• show 802.11a
• show ap stats 802.11a

config 802.11 fragmentation

To configure the fragmentation threshold on an 802.11 network, use the config 802.11 fragmentation command.

config 802.11{a | b} fragmentation threshold

Note

This command can only be used when the network is disabled using the config 802.11 disable command.

Syntax Description

a: Specifies the 802.11a network.
b: Specifies the 802.11b/g network.
threshold: Number between 256 and 2346 bytes (inclusive).

Command Default

None.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

This example shows how to configure the fragmentation threshold on an 802.11a network with the threshold number of 6500 bytes:

(Cisco Controller) > config 802.11a fragmentation 6500

Related Commands

• config 802.11b fragmentation
• show 802.11b
• show ap auto-rtf

config 802.11 l2roam rf-params

To configure 802.11a or 802.11b/g Layer 2 client roaming parameters, use the config 802.11 l2roam rf-params command.

config 802.11{a | b} l2roam rf-params {default | custom min_rssi roam_hyst scan_thresh trans_time}

Syntax Description

a: Specifies the 802.11a network.
b: Specifies the 802.11b/g network.
default: Restores Layer 2 client roaming RF parameters to default values.
custom: Configures custom Layer 2 client roaming RF parameters.
min_rssi: Minimum received signal strength indicator (RSSI) that is required for the client to associate to the access point. If the client’s average received signal power dips below this threshold, reliable communication is usually impossible. Clients must already have found and roamed to another access point with a stronger signal before the minimum RSSI value is reached. The valid range is –80 to –90 dBm, and the default value is –85 dBm.
roam_hyst: How much greater the signal strength of a neighboring access point must be in order for the client to roam to it. This parameter is intended to reduce the amount of roaming between access points if the client is physically located on or near the border between the two access points. The valid range is 2 to 4 dB, and the default value is 2 dB.
scan_thresh: Minimum RSSI that is allowed before the client should roam to a better access point. When the RSSI drops below the specified value, the client must be able to roam to a better access point within the specified transition time. This parameter also provides a power-save method to minimize the time that the client spends in active or passive scanning. For example, the client can scan slowly when the RSSI is above the threshold and scan more rapidly when the RSSI is below the threshold. The valid range is –70 to –77 dBm, and the default value is –72 dBm.
trans_time: Maximum time allowed for the client to detect a suitable neighboring access point to roam to and to complete the roam, whenever the RSSI from the client’s associated access point is below the scan threshold. The valid range is 1 to 10 seconds, and the default value is 5 seconds.

Note

For high-speed client roaming applications in outdoor mesh environments, we recommend that you set the transition time to 1 second.


Command Default

The default minimum RSSI is -85 dBm. The default signal strength of a neighboring access point is 2 dB.

The default scan threshold value is -72 dBm. The default time allowed for the client to detect a suitable neighboring access point to roam to and to complete the roam is 5 seconds.

Usage Guidelines

For high-speed client roaming applications in outdoor mesh environments, we recommend that you set the trans_time to 1 second.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure custom Layer 2 client roaming parameters on an 802.11a

network:

(Cisco Controller) >

config 802.11 l2roam rf-params custom

80 2 70 7

Related Commands show advanced 802.11 l2roam show l2tp


config 802.11 max-clients

To configure the maximum number of clients per access point, use the config 802.11 max-clients command.

config 802.11{a | b} max-clients max-clients

Syntax Description

a              Specifies the 802.11a network.
b              Specifies the 802.11b/g network.
max-clients    Configures the maximum number of client connections per access point.
max-clients    Maximum number of client connections per access point. The range is from 1 to 200.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to set the maximum number of clients to 22:

(Cisco Controller) > config 802.11 max-clients 22

Related Commands

show ap config 802.11a
config 802.11b rate


config 802.11 media-stream multicast-direct

To configure the media stream multicast-direct parameters for the 802.11 networks, use the config 802.11 media-stream multicast-direct command.

config 802.11{a | b} media-stream multicast-direct {admission-besteffort {enable | disable} | {client-maximum | radio-maximum} {value | no-limit} | enable | disable}

Syntax Description

802.11a                 Specifies the 802.11a network.
802.11b                 Specifies the 802.11b/g network.
admission-besteffort    Admits media stream to best-effort queue.
enable                  Enables multicast-direct on a 2.4-GHz or a 5-GHz band.
disable                 Disables multicast-direct on a 2.4-GHz or a 5-GHz band.
client-maximum          Specifies the maximum number of streams allowed on a client.
radio-maximum           Specifies the maximum number of streams allowed on a 2.4-GHz or a 5-GHz band.
value                   Number of streams allowed on a client or on a 2.4-GHz or a 5-GHz band, from 1 to 20.
no-limit                Specifies that an unlimited number of streams is allowed on a client or on a 2.4-GHz or a 5-GHz band.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

Before you configure the media stream multicast-direct parameters on an 802.11 network, ensure that the network is nonoperational.

Examples

This example shows how to enable the media stream multicast-direct settings on an 802.11a network:

> config 802.11a media-stream multicast-direct enable


This example shows how to admit the media stream to the best-effort queue:

> config 802.11a media-stream multicast-direct admission-besteffort enable

This example shows how to set the maximum number of streams allowed on a client:

> config 802.11a media-stream multicast-direct client-maximum 10

Related Commands

config 802.11 media-stream video-redirect
show 802.11a media-stream name
show media-stream group summary
show media-stream group detail


config 802.11 media-stream video-redirect

To configure the media stream video-redirect for the 802.11 networks, use the config 802.11 media-stream video-redirect command.

config 802.11{a | b} media-stream video-redirect {enable | disable}

Syntax Description

802.11a    Specifies the 802.11a network.
802.11b    Specifies the 802.11b/g network.
enable     Enables traffic redirection.
disable    Disables traffic redirection.

Command Default

None.

Usage Guidelines

Before you configure the media stream video-redirect on an 802.11 network, ensure that the network is nonoperational.

Examples

This example shows how to enable media stream traffic redirection on an 802.11a network:

> config 802.11a media-stream video-redirect enable

Related Commands

config 802.11 media-stream multicast-redirect
show 802.11a media-stream name
show media-stream group summary
show media-stream group detail


config 802.11 multicast data-rate

To configure the minimum multicast data rate, use the config 802.11 multicast data-rate command.

config 802.11{a | b} multicast data-rate data_rate [ap ap_name | default]

Syntax Description

data_rate    Minimum multicast data rates. The options are 6, 9, 12, 18, 24, 36, 48, 54. Enter 0 to specify that APs will dynamically adjust the number of buffers allocated for multicast.
ap_name      Specific AP radio to configure at this data rate.
default      Configures all AP radios at this data rate.

Command Default

The default is 0, where the configuration is disabled and the multicast rate is the lowest mandatory data rate and unicast client data rate.

Usage Guidelines

When you configure the data rate without the AP name or default keyword, you globally reset all the APs to the new value and update the controller global default with this new data rate value. If you configure the data rate with the default keyword, you only update the controller global default value and do not reset the value of the APs that are already joined to the controller. The APs that join the controller after the new data rate value is set receive the new data rate value.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure minimum multicast data rate settings:

(Cisco Controller) > config 802.11 multicast data-rate 12


config 802.11 rate

To set mandatory and supported operational data rates for an 802.11 network, use the config 802.11 rate command.

config 802.11{a | b} rate {disabled | mandatory | supported} rate

Syntax Description

a            Specifies the 802.11a network.
b            Specifies the 802.11b/g network.
disabled     Disables a specific data rate.
mandatory    Specifies that a client must support the data rate in order to use the network.
supported    Allows any associated client that supports the data rate to use the network.
rate         Rate value of 6, 9, 12, 18, 24, 36, 48, or 54 Mbps.

Command Default

None

Usage Guidelines

The data rates set with this command are negotiated between the client and the Cisco wireless LAN controller.

If the data rate is set to mandatory, the client must support it in order to use the network. If a data rate is set as supported by the Cisco wireless LAN controller, any associated client that also supports that rate may communicate with the Cisco lightweight access point using that rate. It is not required that a client is able to use all the rates marked supported in order to associate.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to set the 802.11b transmission to a mandatory rate of 12 Mbps:

(Cisco Controller) > config 802.11b rate mandatory 12

Related Commands

show ap config 802.11a
config 802.11b rate


config 802.11 rssi-check

To configure the 802.11 RSSI Low Check feature, use the config 802.11 rssi-check command.

config 802.11{a | b} rssi-check {enable | disable}

Syntax Description

rssi-check    Configures the RSSI Low Check feature.
enable        Enables the RSSI Low Check feature.
disable       Disables the RSSI Low Check feature.

Command Default

None

Command History

Release    Modification
7.5        This command was introduced.

Usage Guidelines

Service providers can use the RSSI Low Check feature to prevent clients from connecting to their Wi-Fi network unless the client has a viable connection. In many scenarios, even though clients can hear beacons and connect to Wi-Fi, the signal might not be strong enough to support a stable connection. Use this feature to determine how strongly a client must be heard for it to associate with the Wi-Fi network.

If you enable the RSSI Low Check feature, when a client sends an association request to the AP, the controller gets the RSSI value from the association message and compares it with the RSSI threshold that is configured.

If the RSSI value from the association message is less than the RSSI threshold value, the controller rejects the association request. Note that this is only for association frames, and not for other messages.

The default RSSI Low Check value is –80 dBm, which means an association request from a client can be rejected if the AP hears a client with a signal that is weaker than –80 dBm. If you lower the value to –90 dBm, clients are allowed to connect at a further distance, but there is also a higher probability of the connection quality being poor. We recommend that you do not go higher than –80 dBm, for example –70 dBm, because this makes the cell size significantly smaller.


config 802.11 rssi-threshold

To configure the 802.11 RSSI Low Check threshold, use the config 802.11 rssi-threshold command.

config 802.11{a | b} rssi-threshold value-in-dBm

Syntax Description

rssi-threshold    Configures the RSSI Low Check threshold value.
value-in-dBm      RSSI threshold value in dBm. The default value is –80 dBm.

Command Default

The default value of the RSSI Low Check threshold is –80 dBm.

Command History

Release    Modification
7.5        This command was introduced.

Usage Guidelines

Service providers can use the RSSI Low Check feature to prevent clients from connecting to their Wi-Fi network unless the client has a viable connection. In many scenarios, even though clients can hear beacons and connect to Wi-Fi, the signal might not be strong enough to support a stable connection. Use this feature to determine how strongly a client must be heard for it to associate with the Wi-Fi network.

If you enable the RSSI Low Check feature, when a client sends an association request to the AP, the controller gets the RSSI value from the association message and compares it with the RSSI threshold that is configured.

If the RSSI value from the association message is less than the RSSI threshold value, the controller rejects the association request. Note that this is only for association frames, and not for other messages.

The default RSSI Low Check value is –80 dBm, which means an association request from a client can be rejected if the AP hears a client with a signal that is weaker than –80 dBm. If you lower the value to –90 dBm, clients are allowed to connect at a further distance, but there is also a higher probability of the connection quality being poor. We recommend that you do not go higher than –80 dBm, for example –70 dBm, because this makes the cell size significantly smaller.

Examples

The following example shows how to configure the RSSI threshold value to –70 dBm for an 802.11a network:

(Cisco Controller) > config 802.11a rssi-threshold -70


config 802.11 tsm

To enable or disable the video Traffic Stream Metric (TSM) option for the 802.11a or 802.11b/g network, use the config 802.11 tsm command.

config 802.11{a | b} tsm {enable | disable}

Syntax Description

a          Specifies the 802.11a network.
b          Specifies the 802.11b/g network.
enable     Enables the video TSM settings.
disable    Disables the video TSM settings.

Command Default

By default, the TSM for the 802.11a or 802.11b/g network is disabled.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable the video TSM option for the 802.11b/g network:

(Cisco Controller) > config 802.11b tsm enable

The following example shows how to disable the video TSM option for the 802.11b/g network:

(Cisco Controller) > config 802.11b tsm disable

Related Commands

show ap stats
show client tsm


config 802.11b preamble

To change the 802.11b preamble as defined in subclause 18.2.2.2 to long (slower, but more reliable) or short (faster, but less reliable), use the config 802.11b preamble command.

config 802.11b preamble {long | short}

Syntax Description

long     Specifies the long 802.11b preamble.
short    Specifies the short 802.11b preamble.

Command Default

The default 802.11b preamble value is short.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

Note

You must reboot the Cisco Wireless LAN Controller (reset system) with save to implement this command.

This parameter must be set to long to optimize this Cisco wireless LAN controller for some clients, including SpectraLink NetLink telephones.

This command can be used any time that the CLI interface is active.

Examples

The following example shows how to change the 802.11b preamble to short:

(Cisco Controller) > config 802.11b preamble short
(Cisco Controller) > (reset system with save)


Config Commands: a to i

config aaa auth
config aaa auth mgmt
config acl apply
config acl counter
config acl create
config acl cpu
config acl delete
config acl layer2
config acl rule
config acl url-acl
config acl url-acl external-server-ip
config acl url-acl list-type
config acl url-domain
config advanced eap
config advanced hotspot
config advanced timers auth-timeout
config advanced timers eap-timeout
config advanced timers eap-identity-request-delay
config advanced 802.11 7920VSIEConfig
config advanced 802.11 edca-parameters
config advanced timers
config advanced fastpath fastcache
config advanced fastpath pkt-capture
config advanced sip-preferred-call-no


config advanced sip-snooping-ports
config advanced 802.11 packet
config advanced 802.11 profile clients
config advanced 802.11 profile customize
config advanced 802.11 profile foreign
config advanced 802.11 profile noise
config advanced 802.11 profile throughput
config advanced 802.11 profile utilization
config advanced backup-controller primary
config advanced backup-controller secondary
config advanced client-handoff
config advanced dot11-padding
config advanced assoc-limit
config advanced max-1x-sessions
config advanced rate
config advanced probe filter
config advanced probe limit
config advanced timers
config advanced 802.11 7920VSIEConfig
config advanced 802.11 channel add
config advanced 802.11 channel cleanair-event
config advanced 802.11 channel dca anchor-time
config advanced 802.11 channel dca chan-width-11n
config advanced 802.11 channel dca interval
config advanced 802.11 channel dca min-metric
config advanced 802.11 channel dca sensitivity
config advanced 802.11 channel foreign
config advanced 802.11 channel load
config advanced 802.11 channel noise
config advanced 802.11 channel outdoor-ap-dca
config advanced 802.11 channel pda-prop
config advanced 802.11 channel update
config advanced 802.11 coverage


config advanced 802.11 coverage exception global
config advanced 802.11 coverage fail-rate
config advanced 802.11 coverage level global
config advanced 802.11 coverage packet-count
config advanced 802.11 coverage rssi-threshold
config advanced 802.11 edca-parameters
config advanced 802.11 factory
config advanced 802.11 group-member
config advanced 802.11 group-mode
config advanced 802.11 logging channel
config advanced 802.11 logging coverage
config advanced 802.11 logging foreign
config advanced 802.11 logging load
config advanced 802.11 logging noise
config advanced 802.11 logging performance
config advanced 802.11 logging txpower
config advanced 802.11 monitor channel-list
config advanced 802.11 monitor coverage
config advanced 802.11 monitor load
config advanced 802.11 monitor mode
config advanced 802.11 monitor ndp-type
config advanced 802.11 monitor noise
config advanced 802.11 monitor signal
config advanced 802.11 monitor timeout-factor
config advanced 802.11 optimized roaming
config advanced 802.11 profile foreign
config advanced 802.11 profile noise
config advanced 802.11 profile throughput
config advanced 802.11 profile utilization
config advanced 802.11 receiver
config advanced 802.11 tpc-version
config advanced 802.11 tpcv1-thresh
config advanced 802.11 tpcv2-intense


config advanced 802.11 tpcv2-per-chan
config advanced 802.11 tpcv2-thresh
config advanced 802.11 txpower-update
config ap 802.1Xuser
config ap 802.1Xuser delete
config ap 802.1Xuser disable
config advanced dot11-padding
config ap
config ap atf 802.11
config ap atf 802.11 client-access airtime-allocation
config ap atf 802.11 policy
config ap autoconvert
config ap bhrate
config ap bridgegroupname
config ap bridging
config ap cdp
config ap core-dump
config ap crash-file clear-all
config ap crash-file delete
config ap crash-file get-crash-file
config ap crash-file get-radio-core-dump
config ap dhcp release-override
config ap dtls-cipher-suite
config ap dtls-version
config ap ethernet duplex
config ap ethernet tag
config ap autoconvert
config ap flexconnect central-dhcp
config ap flexconnect local-split
config ap flexconnect module-vlan
config ap flexconnect policy
config ap flexconnect radius auth set
config ap flexconnect vlan


config ap flexconnect vlan add
config ap flexconnect vlan native
config ap flexconnect vlan wlan
config ap flexconnect web-auth
config ap flexconnect web-policy acl
config ap flexconnect wlan
config ap group-name
config ap hotspot
config ap image predownload
config ap image swap
config ap led-state
config ap link-encryption
config ap link-latency
config ap location
config ap logging syslog level
config ap logging syslog facility
config ap max-count
config ap mgmtuser add
config ap mgmtuser delete
config ap mode
config ap module3g
config ap monitor-mode
config ap name
config ap packet-dump
config ap port
config ap power injector
config ap power pre-standard
config ap preferred-mode
config ap primary-base
config ap priority
config ap reporting-period
config ap reset
config ap retransmit interval


config ap retransmit count
config ap role
config ap rst-button
config ap secondary-base
config ap sniff
config ap ssh
config ap static-ip
config ap stats-timer
config ap syslog host global
config ap syslog host specific
config ap tcp-mss-adjust
config ap telnet
config ap tertiary-base
config ap tftp-downgrade
config ap username
config ap venue
config ap wlan
config atf 802.11
config atf policy
config auth-list add
config auth-list ap-policy
config auth-list delete
config avc profile create
config avc profile delete
config avc profile rule
config band-select cycle-count
config band-select cycle-threshold
config band-select expire
config band-select client-rssi
config boot
config call-home contact email address
config call-home events
config call-home http-proxy ipaddr


config call-home http-proxy ipaddr 0.0.0.0
config call-home profile
config call-home profile delete
config call-home profile status
config call-home reporting
config call-home tac-profile
config cdp
config certificate
config certificate lsc
config certificate ssc
config certificate use-device-certificate webadmin
config client ccx clear-reports
config client ccx clear-results
config client ccx default-gw-ping
config client ccx dhcp-test
config client ccx dns-ping
config client ccx dns-resolve
config client ccx get-client-capability
config client ccx get-manufacturer-info
config client ccx get-operating-parameters
config client ccx get-profiles
config client ccx log-request
config client ccx send-message
config client ccx stats-request
config client ccx test-abort
config client ccx test-association
config client ccx test-dot1x
config client ccx test-profile
config client deauthenticate
config client location-calibration
config client profiling delete
config cloud-services cmx
config cloud-services server url


config cloud-services server id-token
config coredump
config coredump ftp
config coredump username
config country
config cts
config cts ap
config cts inline-tag
config cts ap override
config cts device-id
config cts refresh
config cts sxp ap connection delete
config cts sxp ap connection peer
config cts sxp ap default password
config cts sxp ap listener
config cts sxp ap reconciliation period
config cts sxp ap retry period
config cts sxp ap speaker
config cts sxp
config cts sxp connection
config cts sxp default password
config cts sxp retry period
config cts sxp version
config cts sxp
config custom-web ext-webauth-mode
config custom-web ext-webauth-url
config custom-web ext-webserver
config custom-web logout-popup
config custom-web qrscan-bypass-opt
config custom-web radiusauth
config custom-web redirectUrl
config custom-web sleep-client
config custom-web webauth-type


config custom-web weblogo
config custom-web webmessage
config custom-web webtitle
config database size
config dhcp
config dhcp opt-82 format
config dhcp opt-82 remote-id
config dhcp proxy
config dhcp timeout
config exclusionlist
config flexconnect acl
config flexconnect acl rule
config flexconnect arp-caching
config flexconnect avc profile
config flexconnect fallback-radio-shut
config flexconnect group
config flexconnect group vlan
config flexconnect group group-name dhcp overridden-interface
config flexconnect group web-auth
config flexconnect group web-policy
config flexconnect join min-latency
config flexconnect office-extend
config flow
config guest-lan
config guest-lan custom-web ext-webauth-url
config guest-lan custom-web global disable
config guest-lan custom-web login_page
config guest-lan custom-web webauth-type
config guest-lan ingress-interface
config guest-lan interface
config guest-lan mobility anchor
config guest-lan nac
config guest-lan security


config interface 3g-vlan
config interface acl
config interface address
config interface address redundancy-management
config interface ap-manager
config interface create
config interface delete
config interface dhcp management
config interface dhcp
config interface dhcp dynamic-interface
config interface dhcp management option-6-opendns
config interface address
config interface guest-lan
config interface hostname
config interface nasid
config interface nat-address
config interface port
config interface quarantine vlan
config interface url-acl
config interface vlan
config interface group mdns-profile
config interface mdns-profile
config icons delete
config icons file-info
config ipv6 disable
config ipv6 enable
config ipv6 acl
config ipv6 capwap
config ipv6 interface
config ipv6 multicast
config ipv6 neighbor-binding
config ipv6 ns-mcast-fwd
config ipv6 ra-guard


config ipv6 route


config aaa auth

To configure the AAA authentication search order for management users, use the config aaa auth command.

config aaa auth mgmt [aaa_server_type1 | aaa_server_type2]

Syntax Description

mgmt               Configures the AAA authentication search order for controller management users by specifying up to three AAA authentication server types. The order in which the server types are entered specifies the AAA authentication search order.
aaa_server_type    (Optional) AAA authentication server type (local, radius, or tacacs). The local setting specifies the local database, the radius setting specifies the RADIUS server, and the tacacs setting specifies the TACACS+ server.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

You can enter two AAA server types as long as one of the server types is local. You cannot enter radius and tacacs together.

Examples

The following example shows how to configure the AAA authentication search order for controller management users by the authentication server type local:

(Cisco Controller) > config aaa auth radius local

Related Commands

show aaa auth
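The value ranges given for the config 802.11 commands earlier in this reference, and the server-type rule in the Usage Guidelines above, can be checked offline before a change script is pasted into the controller. The following Python linter is an added example, not Cisco code: its function names, the constructed sample script, the l2roam argument order and the treatment of a non-negative rssi-threshold as a lost minus sign are assumptions made here.

```python
import re

# Added example: limits are copied from this reference; all names are this example's own.
RATES = {6, 9, 12, 18, 24, 36, 48, 54}            # values listed for "rate"
AAA_TYPES = {"local", "radius", "tacacs"}
PROMPT = re.compile(r"^\(Cisco Controller\)\s*>\s*")
# Assumption: l2roam custom arguments come in the order their descriptions appear.
L2ROAM = [("minimum RSSI", -90, -80), ("roam hysteresis", 2, 4),
          ("scan threshold", -77, -70), ("trans_time", 1, 10)]


def _num(tok):
    """Parse an integer, accepting the en dash that PDFs print for a minus sign."""
    try:
        return int(tok.replace("\u2013", "-"))
    except ValueError:
        return None


def _range(name, tok, lo, hi):
    n = _num(tok)
    if n is None or not lo <= n <= hi:
        return [f"{name}: {tok!r} is outside {lo}..{hi}"]
    return []


def _aaa(types):
    out = [f"aaa auth: unknown server type {t!r}" for t in types if t not in AAA_TYPES]
    if len(set(types)) != len(types):
        out.append("aaa auth: server type repeated")
    if {"radius", "tacacs"} <= set(types):
        out.append("aaa auth: radius and tacacs cannot be entered together")
    return out


def _dot11(a):
    if a[0] == "max-clients" and len(a) == 2:
        return _range("max-clients", a[1], 1, 200)
    if a[0] == "rate" and len(a) == 3:
        out = []
        if a[1] not in {"disabled", "mandatory", "supported"}:
            out.append(f"rate: unknown keyword {a[1]!r}")
        if _num(a[2]) not in RATES:
            out.append(f"rate: {a[2]!r} is not one of {sorted(RATES)}")
        return out
    if a[:2] == ["multicast", "data-rate"] and len(a) >= 3:
        if _num(a[2]) not in RATES | {0}:
            return [f"multicast data-rate: {a[2]!r} is not 0 or one of {sorted(RATES)}"]
        return []
    if (a[:2] == ["media-stream", "multicast-direct"] and len(a) == 4
            and a[2] in {"client-maximum", "radio-maximum"}):
        return [] if a[3] == "no-limit" else _range(a[2], a[3], 1, 20)
    if a[0] == "rssi-threshold" and len(a) == 2:
        n = _num(a[1])
        if n is None or n >= 0:      # assumption: a bare "70" lost its minus sign
            return [f"rssi-threshold: {a[1]!r} is not a negative dBm value"]
        if n > -80:                  # the reference advises against going above -80 dBm
            return [f"rssi-threshold: {n} dBm is higher than the recommended -80 dBm"]
        return []
    if a[:3] == ["l2roam", "rf-params", "custom"] and len(a) == 7:
        out = []
        for (name, lo, hi), tok in zip(L2ROAM, a[3:]):
            out += _range(name, tok, lo, hi)
        return out
    return []                        # command or form not covered by this check


def lint_line(line):
    """Return the findings for one CLI line; an empty list means nothing to report."""
    toks = PROMPT.sub("", line.strip()).split()
    if toks[:3] == ["config", "aaa", "auth"]:
        rest = toks[3:]
        return _aaa(rest[1:] if rest[:1] == ["mgmt"] else rest)
    if len(toks) > 2 and toks[0] == "config" and toks[1] in {"802.11", "802.11a", "802.11b"}:
        return _dot11(toks[2:])
    return []


def lint_script(text):
    """Return {line number: findings} for every line that has findings."""
    report = {}
    for no, line in enumerate(text.splitlines(), 1):
        found = lint_line(line)
        if found:
            report[no] = found
    return report


# Constructed sample change script (not taken from a real controller).
SAMPLE = """\
config 802.11a max-clients 250
config 802.11b rate mandatory 12
config 802.11a rssi-threshold 70
config 802.11a rssi-threshold -70
config 802.11a rssi-threshold -85
config 802.11a media-stream multicast-direct client-maximum no-limit
config 802.11a l2roam rf-params custom -80 2 -70 7
config aaa auth mgmt radius tacacs
config aaa auth mgmt radius local
"""

if __name__ == "__main__":
    for no, findings in lint_script(SAMPLE).items():
        print(no, findings)
```

Lines that the linter does not recognise are passed through without findings, so a clean report only covers the command forms handled above.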


config aaa auth mgmt

To configure the order of authentication when multiple databases are configured, use the config aaa auth mgmt command.

config aaa auth mgmt [radius | tacacs]

Syntax Description

radius    (Optional) Configures the order of authentication for RADIUS servers.
tacacs    (Optional) Configures the order of authentication for TACACS servers.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the order of authentication for the RADIUS server:

(Cisco Controller) > config aaa auth mgmt radius

The following example shows how to configure the order of authentication for the TACACS server:

(Cisco Controller) > config aaa auth mgmt tacacs

Related Commands

show aaa auth order


config acl apply

To apply an access control list (ACL) to the data path, use the config acl apply command.

config acl apply rule_name

Syntax Description

rule_name    ACL name that contains up to 32 alphanumeric characters.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

For a Cisco 2100 Series Wireless LAN Controller, you must configure a preauthentication ACL on the wireless LAN for the external web server. This ACL should then be set as a wireless LAN preauthentication ACL under Web Policy. However, you do not need to configure any preauthentication ACL for Cisco 4400 Series Wireless LAN Controllers.

Examples

The following example shows how to apply an ACL to the data path:

(Cisco Controller) > config acl apply acl01

Related Commands

show acl


config acl counter

To see if packets are hitting any of the access control lists (ACLs) configured on your controller, use the config acl counter command.

config acl counter {start | stop}

Syntax Description

start    Enables ACL counters on your controller.
stop     Disables ACL counters on your controller.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

ACL counters are available only on the following controllers: 4400 series, Cisco WiSM, and Catalyst 3750G Integrated Wireless LAN Controller Switch.

Examples

The following example shows how to enable ACL counters on your controller:

(Cisco Controller) > config acl counter start

Related Commands

clear acl counters
show acl detailed


config acl create

To create a new access control list (ACL), use the config acl create command.

config acl create rule_name

Syntax Description

rule_name    ACL name that contains up to 32 alphanumeric characters.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

For a Cisco 2100 Series Wireless LAN Controller, you must configure a preauthentication ACL on the wireless LAN for the external web server. This ACL should then be set as a wireless LAN preauthentication ACL under Web Policy. However, you do not need to configure any preauthentication ACL for Cisco 4400 Series Wireless LAN Controllers.

Examples

The following example shows how to create a new ACL:

(Cisco Controller) > config acl create acl01

Related Commands

show acl

config acl cpu

To create a new access control list (ACL) rule that restricts the traffic reaching the CPU, use the config acl cpu command.

config acl cpu rule_name {wired | wireless | both}

Syntax Description

rule_name    Specifies the ACL name.
wired        Specifies an ACL on wired traffic.
wireless     Specifies an ACL on wireless traffic.
both         Specifies an ACL on both wired and wireless traffic.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

This command allows you to control the type of packets reaching the CPU.

Examples

The following example shows how to create an ACL named acl101 on the CPU and apply it to wired traffic:

(Cisco Controller) > config acl cpu acl01 wired

Related Commands

show acl cpu

config acl delete

To delete an access control list (ACL), use the config acl delete command.

config acl delete rule_name

Syntax Description

rule_name    ACL name that contains up to 32 alphanumeric characters.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

For a Cisco 2100 Series Wireless LAN Controller, you must configure a preauthentication ACL on the wireless LAN for the external web server. This ACL should then be set as a wireless LAN preauthentication ACL under Web Policy. However, you do not need to configure any preauthentication ACL for Cisco 4400 Series Wireless LAN Controllers.

Examples

The following example shows how to delete an ACL named acl101 on the CPU:

(Cisco Controller) > config acl delete acl01

Related Commands

show acl

config acl layer2

To configure a Layer 2 access control list (ACL), use the config acl layer2 command.

config acl layer2 {apply acl_name | create acl_name | delete acl_name | rule {action acl_name index {permit | deny} | add acl_name index | change index acl_name old_index new_index | delete acl_name index | etherType acl_name index etherType etherTypeMask | swap index acl_name index1 index2}}

Syntax Description

apply            Applies a Layer 2 ACL to the data path.
acl_name         Layer 2 ACL name. The name can be up to 32 alphanumeric characters.
create           Creates a Layer 2 ACL.
delete           Deletes a Layer 2 ACL.
rule             Configures a Layer 2 ACL rule.
action           Configures the action for the Layer 2 ACL rule.
index            Index of the Layer 2 ACL rule.
permit           Permits rule action.
deny             Denies rule action.
add              Creates a Layer 2 ACL rule.
change index     Changes the index of the Layer 2 ACL rule.
old_index        Old index of the Layer 2 ACL rule.
new_index        New index of the Layer 2 ACL rule.
delete           Deletes a Layer 2 ACL rule.
etherType        Configures the EtherType of a Layer 2 ACL rule.
etherType        EtherType of a Layer 2 ACL rule. EtherType is used to indicate the protocol that is encapsulated in the payload of an Ethernet frame. The range is a hexadecimal value from 0x0 to 0xffff.
etherTypeMask    Netmask of the EtherType. The range is a hexadecimal value from 0x0 to 0xffff.
swap index       Swaps the index values of two rules.
index1 index2    Index values of two Layer 2 ACL rules.

Command Default

The Cisco WLC does not have any Layer 2 ACLs.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Command History

Release    Modification
7.5        This command was introduced.

Usage Guidelines

You can create a maximum of 16 rules for a Layer 2 ACL.

You can create a maximum of 64 Layer 2 ACLs on a Cisco WLC.

A maximum of 16 Layer 2 ACLs are supported per access point because an access point supports a maximum of 16 WLANs.

Ensure that the Layer 2 ACL names do not conflict with the FlexConnect ACL names because an access point does not support the same Layer 2 and Layer 3 ACL names.

Examples

The following example shows how to apply a Layer 2 ACL:

(Cisco Controller) > config acl layer2 apply acl_l2_1

config acl rule

To configure ACL rules, use the config acl rule command.

config acl rule {action rule_name rule_index {permit | deny} | add rule_name rule_index | change index rule_name old_index new_index | delete rule_name rule_index | destination address rule_name rule_index ip_address netmask | destination port range rule_name rule_index start_port end_port | direction rule_name rule_index {in | out | any} | dscp rule_name rule_index dscp | protocol rule_name rule_index protocol | source address rule_name rule_index ip_address netmask | source port range rule_name rule_index start_port end_port | swap index rule_name index_1 index_2}

Syntax Description

action                    Configures whether to permit or deny access.
rule_name                 ACL name that contains up to 32 alphanumeric characters.
rule_index                Rule index between 1 and 32.
permit                    Permits the rule action.
deny                      Denies the rule action.
add                       Adds a new rule.
change                    Changes a rule’s index.
index                     Specifies a rule index.
delete                    Deletes a rule.
destination address       Configures a rule’s destination IP address and netmask.
destination port range    Configures a rule’s destination port range.
ip_address                IP address of the rule.
netmask                   Netmask of the rule.
start_port                Start port number (between 0 and 65535).
end_port                  End port number (between 0 and 65535).
direction                 Configures a rule’s direction to in, out, or any.
in                        Configures a rule’s direction to in.
out                       Configures a rule’s direction to out.
any                       Configures a rule’s direction to any.
dscp                      Configures a rule’s DSCP.
dscp                      Number between 0 and 63, or any.
protocol                  Configures a rule’s protocol.
protocol                  Number between 0 and 255, or any.
source address            Configures a rule’s source IP address and netmask.
source port range         Configures a rule’s source port range.
swap                      Swaps two rules’ indices.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

For a Cisco 2100 Series Wireless LAN Controller, you must configure a preauthentication ACL on the wireless LAN for the external web server. This ACL should then be set as a wireless LAN preauthentication ACL under Web Policy. However, you do not need to configure any preauthentication ACL for Cisco 4400 Series Wireless LAN Controllers.

Examples

The following example shows how to configure an ACL to permit access:

(Cisco Controller) > config acl rule action lab1 4 permit

Related Commands

show acl
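The value ranges in the config acl rule Syntax Description can be checked offline against a saved list of commands before they are entered on a controller. The following Python script is an added example, not part of the Cisco reference: it replays config acl create, apply, delete and rule lines, validates each value against the ranges stated on this page, and reports ACLs that are never applied with config acl apply and rules that have no explicit action. The sample command list is constructed; change index and swap index are not modelled and are reported as unsupported, and the start_port <= end_port check is an added sanity check rather than a documented rule.

```python
import ipaddress
import re

NAME_RE = re.compile(r"[A-Za-z0-9]{1,32}")   # page: up to 32 alphanumeric characters
# Sub-command -> number of values expected after "<rule_name> <rule_index>".
ARGC = {"add": 0, "delete": 0, "action": 1, "direction": 1, "dscp": 1,
        "protocol": 1, "source address": 2, "destination address": 2,
        "source port range": 2, "destination port range": 2}


def _int_in(tok, lo, hi, allow_any=False):
    """True if tok is a decimal integer in [lo, hi], or 'any' when allowed."""
    if allow_any and tok == "any":
        return True
    return tok.isdecimal() and lo <= int(tok) <= hi


def _valid(key, vals):
    """Check one rule field against the ranges in the Syntax Description."""
    if key == "action":
        return vals[0] in ("permit", "deny")
    if key == "direction":
        return vals[0] in ("in", "out", "any")
    if key == "dscp":
        return _int_in(vals[0], 0, 63, allow_any=True)
    if key == "protocol":
        return _int_in(vals[0], 0, 255, allow_any=True)
    if key.endswith("address"):
        try:  # address and netmask must form a valid network
            ipaddress.ip_network("/".join(vals), strict=False)
            return True
        except ValueError:
            return False
    # Port range: both ends 0-65535; start <= end is an added sanity check.
    return all(_int_in(v, 0, 65535) for v in vals) and int(vals[0]) <= int(vals[1])


def audit(config_text):
    """Return [(line_no, message)] for the `config acl` lines in config_text.

    line_no is 0 for findings about the final state rather than one line.
    """
    acls, findings = {}, []   # acls: name -> {"applied": bool, "rules": {idx: {}}}
    for no, raw in enumerate(config_text.splitlines(), 1):
        t = raw.split()
        if t[:2] != ["config", "acl"] or len(t) < 4:
            continue
        verb, name = t[2], t[3]
        if verb == "create":
            if not NAME_RE.fullmatch(name):
                findings.append((no, f"invalid ACL name {name!r}"))
            else:
                acls[name] = {"applied": False, "rules": {}}
        elif verb in ("apply", "delete"):
            if name not in acls:
                findings.append((no, f"{verb} of unknown ACL {name!r}"))
            elif verb == "apply":
                acls[name]["applied"] = True
            else:
                del acls[name]
        elif verb == "rule":
            rest = t[3:]
            # Sub-commands are one to three words long; try the longest first.
            n = next((n for n in (3, 2, 1) if " ".join(rest[:n]) in ARGC), 0)
            key, args = " ".join(rest[:n]), rest[n:]
            if n == 0 or len(args) != 2 + ARGC[key]:
                findings.append((no, "unsupported or malformed rule command"))
                continue
            name, idx, vals = args[0], args[1], args[2:]
            if name not in acls:
                findings.append((no, f"rule for unknown ACL {name!r}"))
            elif not _int_in(idx, 1, 32):
                findings.append((no, f"rule index {idx} outside 1-32"))
            elif key == "add":
                acls[name]["rules"][int(idx)] = {}
            elif int(idx) not in acls[name]["rules"]:
                findings.append((no, f"rule {idx} of {name!r} was never added"))
            elif key == "delete":
                del acls[name]["rules"][int(idx)]
            elif not _valid(key, vals):
                findings.append((no, f"bad value for {key}: {' '.join(vals)}"))
            else:
                acls[name]["rules"][int(idx)][key] = vals
    for name, acl in acls.items():
        if not acl["applied"]:
            findings.append((0, f"ACL {name!r} is never applied"))
        for idx, fields in sorted(acl["rules"].items()):
            if "action" not in fields:
                findings.append((0, f"{name!r} rule {idx} has no explicit action"))
    return findings


# Constructed sample command list (not taken from a real controller).
SAMPLE = """\
config acl create lab1
config acl rule add lab1 1
config acl rule protocol lab1 1 6
config acl rule destination address lab1 1 192.0.2.10 255.255.255.255
config acl rule destination port range lab1 1 443 443
config acl rule action lab1 1 permit
config acl rule add lab1 2
config acl rule dscp lab1 2 64
config acl rule add lab1 33
config acl rule source port range lab1 1 2000 1000
config acl create guest
config acl rule action guest 1 deny
config acl apply lab1
"""

if __name__ == "__main__":
    for line_no, message in audit(SAMPLE):
        print(f"line {line_no or '-'}: {message}")
```

An ACL reported as never applied may still be attached by commands outside this section, so treat that finding as a prompt to check rather than as an error.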

config acl url-acl

To configure URL Access Control Lists, use the config acl url-acl command.

config acl url-acl [apply | create | delete | disable | enable | rule]

config acl url-acl apply acl-name

config acl url-acl create acl-name

config acl url-acl delete acl-name

config acl url-acl disable

config acl url-acl enable

config acl url-acl rule [action | add | delete | url]

config acl url-acl rule action acl-name index {permit | deny}

config acl url-acl rule add acl-name index

config acl url-acl rule delete acl-name index

config acl url-acl rule url acl-name index url-name

Syntax Description

apply acl-name                      Enter URL ACL name up to 32 alphanumeric characters.
create                              Create a new URL ACL.
delete                              Delete URL ACL.
disable                             Disable URL ACL feature.
enable                              Enable URL ACL feature.
rule (action) (acl-name) (index)    Configures a rule's action in the URL ACL to either permit or deny access. URL ACL name can contain up to 32 alphanumeric characters and URL ACL rule index can be between 1 and 100.
{permit | deny}                     Permit or deny the URL rule.
add acl-name index                  Adds a new rule and rule index.
delete acl-name index               Deletes a rule and rule index.
url acl-name index url-name         Configures a rule’s URL address. Enter a URL address and set an index between 1 and 100.

Command Default

None

Command History

Release    Modification
8.3        This command was introduced.

Examples

This example shows how to create a new URL ACL:

(Cisco Controller) > config acl url-acl create test

config acl url-acl external-server-ip

To configure the IP address of the external server whose page is served to users when the requested URL is blocked, use the config acl url-acl external-server-ip command.

config acl url-acl external-server-ip ip-address

Syntax Description

external-server-ip    Specifies the ACL name.
ip-address            Enter IP address of the external server.

Command Default

None

Command History

Release    Modification
8.4        This command was introduced.

Examples

The following example shows how to configure the external server IP address to redirect and show a page when the URL is blocked:

(Cisco Controller) > config acl url-acl external-server-ip 192.0.2.1

config acl url-acl list-type

To permit or deny traffic for rules in a given ACL, use the config acl url-acl list-type command.

config acl url-acl list-type acl_name {blacklist | whitelist}

Syntax Description

list-type    Configure list-type for a URL ACL.
blacklist    All the rules will have action as deny.
whitelist    All the rules will have action as permit.

Command Default

None

Command History

Release    Modification
8.4        This command was introduced.

Examples

The following example shows how to permit traffic for an ACL:

(Cisco Controller) > config acl url-acl list-type testacl whitelist

config acl url-domain

To add or delete a URL domain for the access control list, use the config acl url-domain command.

config acl url-domain {add | delete} domain_name acl_name

Syntax Description

domain_name    URL domain name for the access control list.
acl_name       Name of the access control list.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced.

Examples

The following example shows how to add a new URL domain for the access control list:

(Cisco Controller) > config acl url-domain add cisco.com android

The following example shows how to delete an existing URL domain from the access control list:

(Cisco Controller) > config acl url-domain delete play.google.com android

config advanced eap

To configure advanced extensible authentication protocol (EAP) settings, use the config advanced eap command.

config advanced eap {bcast-key-interval seconds | eapol-key-timeout timeout | eapol-key-retries retries | identity-request-timeout timeout | identity-request-retries retries | key-index index | max-login-ignore-identity-response {enable | disable} request-timeout timeout | request-retries retries}

Syntax Description

bcast-key-interval seconds            Specifies the EAP-broadcast key renew interval time in seconds. The range is from 120 to 86400 seconds.
eapol-key-timeout timeout             Specifies the amount of time (200 to 5000 milliseconds) that the controller waits before retransmitting an EAPOL (WPA) key message to a wireless client using EAP or WPA/WPA-2 PSK. The default value is 1000 milliseconds.
eapol-key-retries retries             Specifies the maximum number of times (0 to 4 retries) that the controller retransmits an EAPOL (WPA) key message to a wireless client. The default value is 2.
identity-request-timeout timeout      Specifies the amount of time (1 to 120 seconds) that the controller waits before retransmitting an EAP Identity Request message to a wireless client. The default value is 30 seconds.
identity-request-retries              Specifies the maximum number of times (0 to 4 retries) that the controller retransmits an EAPOL (WPA) key message to a wireless client. The default value is 2.
key-index index                       Specifies the key index (0 or 3) used for dynamic wired equivalent privacy (WEP).
max-login-ignore-identity-response    When enabled, this command ignores the limit set for the number of devices that can be connected to the controller with the same username using 802.1x authentication. When disabled, this command limits the number of devices that can be connected to the controller with the same username. This option is not applicable for Web auth user. Use the command config netuser maxUserLogin to set the limit of maximum number of devices per same username.
enable                                Ignores the same username reaching the maximum EAP identity response.
disable                               Checks the same username reaching the maximum EAP identity response.
request-timeout                       For EAP messages other than Identity Requests or EAPOL (WPA) key messages, specifies the amount of time (1 to 120 seconds) that the controller waits before retransmitting the message to a wireless client. The default value is 30 seconds.
request-retries                       (Optional) For EAP messages other than Identity Requests or EAPOL (WPA) key messages, specifies the maximum number of times (0 to 20 retries) that the controller retransmits the message to a wireless client. The default value is 2.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the key index used for dynamic wired equivalent privacy (WEP):

(Cisco Controller) > config advanced eap key-index 0

Related Commands

show advanced eap

config advanced hotspot

To configure advanced hotspot configurations, use the config advanced hotspot command.

config advanced hotspot {anqp-4way {disable | enable | threshold value} | cmbk-delay value | garp {disable | enable} | gas-limit {disable | enable}}

Syntax Description

anqp-4way     Enables, disables, or configures the Access Network Query Protocol (ANQP) four way fragment threshold.
disable       Disables the ANQP four way message.
enable        Enables the ANQP four way message.
threshold     Configures the ANQP four way fragment threshold.
value         ANQP four way fragment threshold value in bytes. The range is from 10 to 1500. The default value is 1500.
cmbk-delay    Configures the ANQP comeback delay in Time Units (TUs).
value         ANQP comeback delay in Time Units (TUs). 1 TU is defined by 802.11 as 1024 usec. The range is from 1 millisecond to 30 seconds.
garp          Disables or enables the Gratuitous ARP (GARP) forwarding to wireless network.
disable       Disables the Gratuitous ARP (GARP) forwarding to wireless network.
enable        Enables the Gratuitous ARP (GARP) forwarding to wireless network.
gas-limit     Limits the number of Generic Advertisement Service (GAS) request action frames sent to the switch by an access point in a given interval.
disable       Disables the GAS request action frame limit on access points.
enable        Enables the GAS request action frame limit on access points.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the ANQP four way fragment threshold value:

(Cisco Controller) > config advanced hotspot anqp-4way threshold 200

config advanced timers auth-timeout

To configure the authentication timeout, use the config advanced timers auth-timeout command.

config advanced timers auth-timeout seconds

Syntax Description

seconds    Authentication response timeout value in seconds between 10 and 600.

Command Default

The default authentication timeout value is 10 seconds.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the authentication timeout to 20 seconds:

(Cisco Controller) > config advanced timers auth-timeout 20

config advanced timers eap-timeout

To configure the Extensible Authentication Protocol (EAP) expiration timeout, use the config advanced timers eap-timeout command.

config advanced timers eap-timeout seconds

Syntax Description

seconds    EAP timeout value in seconds between 8 and 120.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the EAP expiration timeout to 10 seconds:

(Cisco Controller) > config advanced timers eap-timeout 10

config advanced timers eap-identity-request-delay

To configure the advanced Extensible Authentication Protocol (EAP) identity request delay in seconds, use the config advanced timers eap-identity-request-delay command.

config advanced timers eap-identity-request-delay seconds

Syntax Description

seconds    Advanced EAP identity request delay in number of seconds between 0 and 10.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the advanced EAP identity request delay to 8 seconds:

(Cisco Controller) > config advanced timers eap-identity-request-delay 8

config advanced 802.11 7920VSIEConfig

To configure the Cisco unified wireless IP phone 7920 VSIE parameters, use the config advanced 802.11 7920VSIEConfig command.

config advanced 802.11{a | b} 7920VSIEConfig {call-admission-limit limit | G711-CU-Quantum quantum}

Syntax Description

a                       Specifies the 802.11a network.
b                       Specifies the 802.11b/g network.
call-admission-limit    Configures the call admission limit for the 7920s.
G711-CU-Quantum         Configures the value supplied by the infrastructure indicating the current number of channel utilization units that would be used by a single G.711-20ms call.
limit                   Call admission limit (from 0 to 255). The default value is 105.
quantum                 G711 quantum value. The default value is 15.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

This example shows how to configure the call admission limit for 7920 VSIE parameters:

(Cisco Controller) > config advanced 802.11 7920VSIEConfig call-admission-limit 4

config advanced 802.11 edca-parameters

To enable a specific Enhanced Distributed Channel Access (EDCA) profile on an 802.11a network, use the config advanced 802.11 edca-parameters command.

config advanced 802.11{a | b} edca-parameters {wmm-default | svp-voice | optimized-voice | optimized-video-voice | custom-voice | fastlane | custom-set { QoS Profile Name } { aifs AP-value (0-16) Client value (0-16) | ecwmax AP-Value (0-10) Client value (0-10) | ecwmin AP-Value (0-10) Client value (0-10) | txop AP-Value (0-255) Client value (0-255) } }

Syntax Description

a                        Specifies the 802.11a network.
b                        Specifies the 802.11b/g network.
wmm-default              Enables the Wi-Fi Multimedia (WMM) default parameters. Choose this option if voice or video services are not deployed on your network.
svp-voice                Enables Spectralink voice-priority parameters. Choose this option if Spectralink phones are deployed on your network to improve the quality of calls.
optimized-voice          Enables EDCA voice-optimized profile parameters. Choose this option if voice services other than Spectralink are deployed on your network.
optimized-video-voice    Enables EDCA voice-optimized and video-optimized profile parameters. Choose this option when both voice and video services are deployed on your network.
                         Note: If you deploy video services, admission control must be disabled.
custom-voice             Enables custom voice EDCA parameters for 802.11a. The EDCA parameters under this option also match the 6.0 WMM EDCA parameters when this profile is applied.
fastlane                 Enables fastlane on compatible devices.
custom-set               Enables customization of EDCA parameters:
                         • aifs: Configures the Arbitration Inter-Frame Space. AP Value (0-16) Client value (0-16)
                         • ecwmax: Configures the maximum Contention Window. AP Value (0-10) Client Value (0-10)
                         • ecwmin: Configures the minimum Contention Window. AP Value (0-10) Client Value (0-10)
                         • txop: Configures the Arbitration Transmission Opportunity Limit. AP Value (0-255) Client Value (0-255)
                         QoS Profile Name - Enter the QoS profile name:
                         • bronze
                         • silver
                         • gold
                         • platinum

Command Default

The default EDCA parameter is wmm-default.

Command History

Release      Modification
7.6          This command was introduced in a release earlier than Release 7.6.
8.2.110.0    In this release, custom-set keyword was added to edca-parameters command.
8.3          This command was modified and the fastlane keyword was added.

Examples

The following example shows how to enable Spectralink voice-priority parameters:

(Cisco Controller) > config advanced 802.11 edca-parameters svp-voice

Related Commands

config advanced 802.11b edca-parameters    Enables a specific Enhanced Distributed Channel Access (EDCA) profile on the 802.11a network.
show 802.11a                               Displays basic 802.11a network settings.

config advanced timers

To configure an advanced system timer, use the config advanced timers command.

config advanced timers {ap-discovery-timeout discovery-timeout | ap-fast-heartbeat {local | flexconnect | all} {enable | disable} fast_heartbeat_seconds | ap-heartbeat-timeout heartbeat_seconds | ap-primary-discovery-timeout primary_discovery_timeout | ap-primed-join-timeout primed_join_timeout | auth-timeout auth_timeout | pkt-fwd-watchdog {enable | disable} {watchdog_timer | default} | eap-identity-request-delay eap_identity_request_delay | eap-timeout eap_timeout}

Syntax Description

ap-discovery-timeout            Configures the Cisco lightweight access point discovery timeout value.
discovery-timeout               Cisco lightweight access point discovery timeout value, in seconds. The range is from 1 to 10.
ap-fast-heartbeat               Configures the fast heartbeat timer, which reduces the amount of time it takes to detect a controller failure in access points.
local                           Configures the fast heartbeat interval for access points in local mode.
flexconnect                     Configures the fast heartbeat interval for access points in FlexConnect mode.
all                             Configures the fast heartbeat interval for all the access points.
enable                          Enables the fast heartbeat interval.
disable                         Disables the fast heartbeat interval.
fast_heartbeat_seconds          Small heartbeat interval, which reduces the amount of time it takes to detect a controller failure, in seconds. The range is from 1 to 10.
ap-heartbeat-timeout            Configures Cisco lightweight access point heartbeat timeout value.
heartbeat_seconds               Cisco lightweight access point heartbeat timeout value, in seconds. The range is from 1 to 30. This value should be at least three times larger than the fast heartbeat timer.
ap-primary-discovery-timeout    Configures the access point primary discovery request timer.
primary_discovery_timeout       Access point primary discovery request time, in seconds. The range is from 30 to 3600.
ap-primed-join-timeout          Configures the access point primed discovery timeout value.
primed_join_timeout             Access point primed discovery timeout value, in seconds. The range is from 120 to 43200.
auth-timeout                    Configures the authentication timeout.
auth_timeout                    Authentication response timeout value, in seconds. The range is from 10 to 600.
pkt-fwd-watchdog                Configures the packet forwarding watchdog timer to protect from fastpath deadlock.
watchdog_timer                  Packet forwarding watchdog timer, in seconds. The range is from 60 to 300.
default                         Configures the watchdog timer to the default value of 240 seconds.
eap-identity-request-delay      Configures the advanced Extensible Authentication Protocol (EAP) identity request delay, in seconds.
eap_identity_request_delay      Advanced EAP identity request delay, in seconds. The range is from 0 to 10.
eap-timeout                     Configures the EAP expiration timeout.
eap_timeout                     EAP timeout value, in seconds. The range is from 8 to 120.

Command Default

• The default access point discovery timeout is 10 seconds.

• The default access point heartbeat timeout is 30 seconds.

• The default access point primary discovery request timer is 120 seconds.

• The default authentication timeout is 10 seconds.

• The default packet forwarding watchdog timer is 240 seconds.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

The Cisco lightweight access point discovery timeout indicates how often a Cisco WLC attempts to discover unconnected Cisco lightweight access points.

The Cisco lightweight access point heartbeat timeout controls how often the Cisco lightweight access point sends a heartbeat keepalive signal to the Cisco Wireless LAN Controller.

Examples

The following example shows how to configure an access point discovery timeout with a timeout value of 20:

(Cisco Controller) > config advanced timers ap-discovery-timeout 20

The following example shows how to enable the fast heartbeat interval for an access point in FlexConnect mode:

(Cisco Controller) > config advanced timers ap-fast-heartbeat flexconnect enable 8

The following example shows how to configure the authentication timeout to 20 seconds:

(Cisco Controller) > config advanced timers auth-timeout 20

config advanced fastpath fastcache

To configure the fastpath fast cache control, use the config advanced fastpath fastcache command.

config advanced fastpath fastcache {enable | disable}

Syntax Description

enable     Enables the fastpath fast cache control.
disable    Disables the fastpath fast cache control.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable the fastpath fast cache control:

(Cisco Controller) > config advanced fastpath fastcache enable

Related Commands

config advanced fastpath pkt-capture

config advanced fastpath pkt-capture

To configure the fastpath packet capture, use the config advanced fastpath pkt-capture command.

config advanced fastpath pkt-capture {enable | disable}

Syntax Description

enable     Enables the fastpath packet capture.
disable    Disables the fastpath packet capture.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable the fastpath packet capture:

(Cisco Controller) > config advanced fastpath pkt-capture enable

Related Commands

config advanced fastpath fastcache

config advanced sip-preferred-call-no

To configure voice prioritization, use the config advanced sip-preferred-call-no command.

config advanced sip-preferred-call-no call_index {call_number | none}

Syntax Description

call_index     Call index with valid values between 1 and 6.
call_number    Preferred call number that can contain up to 27 characters.
none           Deletes the preferred call set for the specified index.

Command Default

None

Usage Guidelines

Before you configure voice prioritization, you must complete the following prerequisites:

• Set the voice to the platinum QoS level by entering the config wlan qos wlan-id platinum command.

• Enable the admission control (ACM) to this radio by entering the config 802.11 {a | b} cac {voice | video} acm enable command.

• Enable the call-snooping feature for a particular WLAN by entering the config wlan call-snoop enable wlan-id command.

To view statistics about preferred calls, enter the show ap stats {802.11{a | b} | wlan} cisco_ap command.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to add a new preferred call for index 2:

(Cisco Controller) > config advanced sip-preferred-call-no 2 0123456789

Related Commands

config wlan qos
config 802.11 cac video acm
config 802.11 cac voice acm
config wlan call-snoop
show ap stats

config advanced sip-snooping-ports

To configure call snooping ports, use the config advanced sip-snooping-ports command.

config advanced sip-snooping-ports start_port end_port

Syntax Description

start_port    Starting port for call snooping. The range is from 0 to 65535.
end_port      Ending port for call snooping. The range is from 0 to 65535.

Usage Guidelines

If you need only a single port for call snooping, configure the start and end port with the same number.

The port used by the CIUS tablet is 5060 and the port range used by Facetime is from 16384 to 16402.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the call snooping ports:

(Cisco Controller) > config advanced sip-snooping-ports 4000 4500

Related Commands

show cac voice stats
show cac voice summary
show cac video stats
show cac video summary
config 802.11 cac video sip
config 802.11 cac voice sip
show advanced sip-preferred-call-no
show advanced sip-snooping-ports
debug cac

config advanced 802.11 packet

To configure the maximum packet retries, consecutive packet failure thresholds, and the default timeout value, use the config advanced 802.11 packet command.

config advanced 802.11{a | b} < QoS Profile Name > { max-client-count <threshold value (0-1000)> | max-packet-count <threshold value (0-1000)> | max-retry <maximum retry count> | timeout <time(in milliseconds)> }

Syntax Description

a                   Specifies the 802.11a network.
b                   Specifies the 802.11b/g network.
QoS Profile Name    • bronze
                    • silver
                    • gold
                    • platinum
max-client-count    Configures the consecutive packet failure threshold before disassociating a client.
                    threshold value - Enter the client count threshold value in the range 0 to 1000.
max-packet-count    Configures the consecutive packet failure threshold before not retrying failure packet.
                    threshold value - Enter the packet failure threshold value in the range 0 to 1000.
max-retry           Configures the packet retry time for failure packet.
                    maximum retry count - Enter the maximum number of retries allowed.
timeout             Configures the packet aging or discard timeout threshold.
                    time - Enter the maximum time before the packet times out.

Command Default

The default values for parameters in config advanced 802.11 packet command are:

Keyword             Default Value
max-client-count    500
max-packet-count    100
max-retry           3
timeout             35 milliseconds

Command History

Release    Modification
8.2        packet command was introduced in this release.

Examples

(Cisco Controller) > config advanced 802.11a packet platinum max-packet-count 200

Related Commands

show 802.11a    Displays basic 802.11a network settings.


config advanced 802.11 profile clients

To set the Cisco lightweight access point clients threshold between 1 and 75 clients, use the config advanced 802.11 profile clients command.

config advanced 802.11{a | b} profile clients {global | cisco_ap} clients

Syntax Description

a         Specifies the 802.11a network.
b         Specifies the 802.11b/g network.
global    Configures all 802.11a Cisco lightweight access points.
cisco_ap  Cisco lightweight access point name.
clients   802.11a Cisco lightweight access point client threshold between 1 and 75 clients.

Command Default

The default Cisco lightweight access point clients threshold is 12 clients.

Command History

Release  Modification
7.6      This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to set all Cisco lightweight access point clients thresholds to 25 clients:

(Cisco Controller) > config advanced 802.11 profile clients global 25

Global client count profile set.

The following example shows how to set the AP1 clients threshold to 75 clients:

(Cisco Controller) > config advanced 802.11 profile clients AP1 75

Global client count profile set.


config advanced 802.11 profile customize

To turn customizing on or off for an 802.11a Cisco lightweight access point performance profile, use the config advanced 802.11 profile customize command.

config advanced 802.11{a | b} profile customize cisco_ap {on | off}

Syntax Description

a         Specifies the 802.11a/n network.
b         Specifies the 802.11b/g/n network.
cisco_ap  Cisco lightweight access point.
on        Customizes performance profiles for this Cisco lightweight access point.
off       Uses global default performance profiles for this Cisco lightweight access point.

Command Default

The default state of performance profile customization is Off.

Command History

Release  Modification
7.6      This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to turn performance profile customization on for 802.11a Cisco lightweight access point AP1:

(Cisco Controller) > config advanced 802.11a profile customize AP1 on


config advanced 802.11 profile foreign

To set the foreign 802.11a transmitter interference threshold between 0 and 100 percent, use the config advanced 802.11 profile foreign command.

config advanced 802.11{a | b} profile foreign {global | cisco_ap} percent

Syntax Description

a         Specifies the 802.11a network.
b         Specifies the 802.11b/g network.
global    Configures all 802.11a Cisco lightweight access points.
cisco_ap  Cisco lightweight access point name.
percent   Foreign 802.11a interference threshold between 0 and 100 percent.

Command Default

The default foreign 802.11a transmitter interference threshold value is 10.

Command History

Release  Modification
7.6      This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to set the foreign 802.11a transmitter interference threshold for all Cisco lightweight access points to 50 percent:

(Cisco Controller) > config advanced 802.11a profile foreign global 50

The following example shows how to set the foreign 802.11a transmitter interference threshold for AP1 to 0 percent:

(Cisco Controller) > config advanced 802.11a profile foreign AP1 0


config advanced 802.11 profile noise

To set the 802.11a foreign noise threshold between –127 and 0 dBm, use the config advanced 802.11 profile noise command.

config advanced 802.11{a | b} profile noise {global | cisco_ap} dBm

Syntax Description

a         Specifies the 802.11a/n network.
b         Specifies the 802.11b/g/n network.
global    Configures all 802.11a Cisco lightweight access point specific profiles.
cisco_ap  Cisco lightweight access point name.
dBm       802.11a foreign noise threshold between –127 and 0 dBm.

Command Default

The default foreign noise threshold value is –70 dBm.

Command History

Release  Modification
7.6      This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to set the 802.11a foreign noise threshold for all Cisco lightweight access points to –127 dBm:

(Cisco Controller) > config advanced 802.11a profile noise global -127

The following example shows how to set the 802.11a foreign noise threshold for AP1 to 0 dBm:

(Cisco Controller) > config advanced 802.11a profile noise AP1 0


config advanced 802.11 profile throughput

To set the Cisco lightweight access point data-rate throughput threshold between 1000 and 10000000 bytes per second, use the config advanced 802.11 profile throughput command.

config advanced 802.11{a | b} profile throughput {global | cisco_ap} value

Syntax Description

a         Specifies the 802.11a network.
b         Specifies the 802.11b/g network.
global    Configures all 802.11a Cisco lightweight access point specific profiles.
cisco_ap  Cisco lightweight access point name.
value     802.11a Cisco lightweight access point throughput threshold between 1000 and 10000000 bytes per second.

Command Default

The default Cisco lightweight access point data-rate throughput threshold value is 1,000,000 bytes per second.

Command History

Release  Modification
7.6      This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to set all Cisco lightweight access point data-rate thresholds to 1000 bytes per second:

(Cisco Controller) > config advanced 802.11 profile throughput global 1000

The following example shows how to set the AP1 data-rate threshold to 10000000 bytes per second:

(Cisco Controller) > config advanced 802.11 profile throughput AP1 10000000


config advanced 802.11 profile utilization

To set the RF utilization threshold between 0 and 100 percent, use the config advanced 802.11 profile utilization command. The operating system generates a trap when this threshold is exceeded.

config advanced 802.11{a | b} profile utilization {global | cisco_ap} percent

Syntax Description

a         Specifies the 802.11a network.
b         Specifies the 802.11b/g network.
global    Configures a global Cisco lightweight access point specific profile.
cisco_ap  Cisco lightweight access point name.
percent   802.11a RF utilization threshold between 0 and 100 percent.

Command Default

The default RF utilization threshold value is 80 percent.

Command History

Release  Modification
7.6      This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to set the RF utilization threshold for all Cisco lightweight access points to 0 percent:

(Cisco Controller) > config advanced 802.11 profile utilization global 0

The following example shows how to set the RF utilization threshold for AP1 to 100 percent:

(Cisco Controller) > config advanced 802.11 profile utilization AP1 100


config advanced backup-controller primary

To configure a primary backup controller, use the config advanced backup-controller primary command.

config advanced backup-controller primary system name IP addr

Syntax Description

system name  Configures primary|secondary backup controller.
IP addr      IP address of the backup controller.

Command Default

None

Command History

Release  Modification
7.6      This command was introduced in a release earlier than Release 7.6.
8.0      This command supports both IPv4 and IPv6 address formats.

Usage Guidelines

To delete a primary backup controller entry (IPv6 or IPv4), enter 0.0.0.0 for the controller IP address.

Examples

The following example shows how to configure the IPv4 primary backup controller:

(Cisco Controller) > config advanced backup-controller primary Controller_1 10.10.10.10

The following example shows how to configure the IPv6 primary backup controller:

(Cisco Controller) > config advanced backup-controller primary systemname 2001:9:6:40::623

The following example shows how to remove the IPv4 primary backup controller:

(Cisco Controller) > config advanced backup-controller primary Controller_1 0.0.0.0

The following example shows how to remove the IPv6 primary backup controller:

(Cisco Controller) > config advanced backup-controller primary Controller_1 0.0.0.0

Related Commands

show advanced backup-controller


config advanced backup-controller secondary

To configure a secondary backup controller, use the config advanced backup-controller secondary command.

config advanced backup-controller secondary system name IP addr

Syntax Description

system name  Configures primary|secondary backup controller.
IP addr      IP address of the backup controller.

Command Default

None

Command History

Release  Modification
7.6      This command was introduced in a release earlier than Release 7.6.
8.0      This command supports both IPv4 and IPv6 address formats.

Usage Guidelines

To delete a secondary backup controller entry (IPv4 or IPv6), enter 0.0.0.0 for the controller IP address.

Examples

The following example shows how to configure an IPv4 secondary backup controller:

(Cisco Controller) > config advanced backup-controller secondary Controller_2 10.10.10.10

The following example shows how to configure an IPv6 secondary backup controller:

(Cisco Controller) > config advanced backup-controller secondary Controller_2 2001:9:6:40::623

The following example shows how to remove an IPv4 secondary backup controller:

(Cisco Controller) > config advanced backup-controller secondary Controller_2 0.0.0.0

The following example shows how to remove an IPv6 secondary backup controller:

(Cisco Controller) > config advanced backup-controller secondary Controller_2 0.0.0.0

Related Commands

show advanced backup-controller


config advanced client-handoff

To set the client handoff to occur after a selected number of 802.11 data packet excessive retries, use the config advanced client-handoff command.

config advanced client-handoff num_of_retries

Syntax Description

num_of_retries  Number of excessive retries before client handoff (from 0 to 255).

Command Default

The default value for the number of 802.11 data packet excessive retries is 0.

Command History

Release  Modification
7.6      This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

This command is supported only for the 1000/1510 series access points.

Examples

This example shows how to set the client handoff to 100 excessive retries:

(Cisco Controller) > config advanced client-handoff 100


config advanced dot11-padding

To enable or disable over-the-air frame padding, use the config advanced dot11-padding command.

config advanced dot11-padding {enable | disable}

Syntax Description

enable   Enables the over-the-air frame padding.
disable  Disables the over-the-air frame padding.

Command Default

Over-the-air frame padding is disabled by default.

Command History

Release  Modification
7.6      This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable over-the-air frame padding:

(Cisco Controller) > config advanced dot11-padding enable

Related Commands

debug dot11
debug dot11 mgmt interface
debug dot11 mgmt msg
debug dot11 mgmt ssid
debug dot11 mgmt state-machine
debug dot11 mgmt station
show advanced dot11-padding


config advanced assoc-limit

To configure the rate at which access point radios send association and authentication requests to the controller, use the config advanced assoc-limit command.

config advanced assoc-limit {enable [number of associations per interval | interval ] | disable}

Syntax Description

enable                               Enables the configuration of the association requests per access point.
disable                              Disables the configuration of the association requests per access point.
number of associations per interval  (Optional) Number of association requests per access point slot in a given interval. The range is from 1 to 100.
interval                             (Optional) Association request limit interval. The range is from 100 to 10000 milliseconds.

Command Default

The command is disabled by default.

Command History

Release  Modification
7.6      This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

When 200 or more wireless clients try to associate to a controller at the same time, using the config advanced assoc-limit command to limit association requests from access points keeps the clients from becoming stuck in the DHCP_REQD state.

Examples

The following example shows how to configure 20 association requests per access point slot in a given interval, with an association request limit interval of 250:

(Cisco Controller) > config advanced assoc-limit enable 20 250


config advanced max-1x-sessions

To configure the maximum number of simultaneous 802.1X sessions allowed per access point, use the config advanced max-1x-sessions command.

config advanced max-1x-sessions no_of_sessions

Syntax Description

no_of_sessions  Number of maximum 802.1x session initiation per AP at a time. The range is from 0 to 255, where 0 indicates unlimited.

Command Default

None

Command History

Release  Modification
7.6      This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the maximum number of simultaneous 802.1X sessions:

(Cisco Controller) > config advanced max-1x-sessions 200


config advanced rate

To configure switch control path rate limiting, use the config advanced rate command.

config advanced rate {enable | disable}

Syntax Description

enable   Enables the switch control path rate limiting feature.
disable  Disables the switch control path rate limiting feature.

Command Default

None

Command History

Release  Modification
7.6      This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable switch control path rate limiting:

(Cisco Controller) > config advanced rate enable


config advanced probe filter

To configure the filtering of probe requests forwarded from an access point to the controller, use the config advanced probe filter command.

config advanced probe filter {enable | disable}

Syntax Description

enable   Enables the filtering of probe requests.
disable  Disables the filtering of probe requests.

Command Default

None

Command History

Release  Modification
7.6      This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable the filtering of probe requests forwarded from an access point to the controller:

(Cisco Controller) > config advanced probe filter enable


config advanced probe limit

To limit the number of probes sent to the WLAN controller per access point per client in a given interval, use the config advanced probe limit command.

config advanced probe limit num_probes interval

Syntax Description

num_probes  Number of probe requests (from 1 to 100) forwarded to the controller per client per access point radio in a given interval.
interval    Probe limit interval (from 100 to 10000 milliseconds).

Command Default

The default number of probe requests is 2. The default interval is 500 milliseconds.

Command History

Release  Modification
7.6      This command was introduced in a release earlier than Release 7.6.

Examples

This example shows how to set the number of probes per access point per client to 5 and the probe interval to 800 milliseconds:

(Cisco Controller) > config advanced probe limit 5 800


config advanced timers

To configure an advanced system timer, use the config advanced timers command.

config advanced timers {ap-discovery-timeout discovery-timeout | ap-fast-heartbeat {local | flexconnect | all} {enable | disable} fast_heartbeat_seconds | ap-heartbeat-timeout heartbeat_seconds | ap-primary-discovery-timeout primary_discovery_timeout | ap-primed-join-timeout primed_join_timeout | auth-timeout auth_timeout | pkt-fwd-watchdog {enable | disable} {watchdog_timer | default} | eap-identity-request-delay eap_identity_request_delay | eap-timeout eap_timeout}

Syntax Description

ap-discovery-timeout          Configures the Cisco lightweight access point discovery timeout value.
discovery-timeout             Cisco lightweight access point discovery timeout value, in seconds. The range is from 1 to 10.
ap-fast-heartbeat             Configures the fast heartbeat timer, which reduces the amount of time it takes to detect a controller failure in access points.
local                         Configures the fast heartbeat interval for access points in local mode.
flexconnect                   Configures the fast heartbeat interval for access points in FlexConnect mode.
all                           Configures the fast heartbeat interval for all the access points.
enable                        Enables the fast heartbeat interval.
disable                       Disables the fast heartbeat interval.
fast_heartbeat_seconds        Small heartbeat interval, which reduces the amount of time it takes to detect a controller failure, in seconds. The range is from 1 to 10.
ap-heartbeat-timeout          Configures Cisco lightweight access point heartbeat timeout value.
heartbeat_seconds             Cisco lightweight access point heartbeat timeout value, in seconds. The range is from 1 to 30. This value should be at least three times larger than the fast heartbeat timer.
ap-primary-discovery-timeout  Configures the access point primary discovery request timer.
primary_discovery_timeout     Access point primary discovery request time, in seconds. The range is from 30 to 3600.
ap-primed-join-timeout        Configures the access point primed discovery timeout value.
primed_join_timeout           Access point primed discovery timeout value, in seconds. The range is from 120 to 43200.
auth-timeout                  Configures the authentication timeout.
auth_timeout                  Authentication response timeout value, in seconds. The range is from 10 to 600.
pkt-fwd-watchdog              Configures the packet forwarding watchdog timer to protect from fastpath deadlock.
watchdog_timer                Packet forwarding watchdog timer, in seconds. The range is from 60 to 300.
default                       Configures the watchdog timer to the default value of 240 seconds.
eap-identity-request-delay    Configures the advanced Extensible Authentication Protocol (EAP) identity request delay, in seconds.
eap_identity_request_delay    Advanced EAP identity request delay, in seconds. The range is from 0 to 10.
eap-timeout                   Configures the EAP expiration timeout.
eap_timeout                   EAP timeout value, in seconds. The range is from 8 to 120.

Command Default

• The default access point discovery timeout is 10 seconds.

• The default access point heartbeat timeout is 30 seconds.

• The default access point primary discovery request timer is 120 seconds.

• The default authentication timeout is 10 seconds.

• The default packet forwarding watchdog timer is 240 seconds.

Command History

Release  Modification
7.6      This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

The Cisco lightweight access point discovery timeout indicates how often a Cisco WLC attempts to discover unconnected Cisco lightweight access points.

The Cisco lightweight access point heartbeat timeout controls how often the Cisco lightweight access point sends a heartbeat keepalive signal to the Cisco Wireless LAN Controller.

Examples

The following example shows how to configure an access point discovery timeout with a timeout value of 20:

(Cisco Controller) > config advanced timers ap-discovery-timeout 20

The following example shows how to enable the fast heartbeat interval for an access point in FlexConnect mode:

(Cisco Controller) > config advanced timers ap-fast-heartbeat flexconnect enable 8

The following example shows how to configure the authentication timeout to 20 seconds:

(Cisco Controller) > config advanced timers auth-timeout 20
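The documented ranges for config advanced assoc-limit, max-1x-sessions, probe limit and timers, and the rule that the heartbeat timeout be at least three times the fast heartbeat timer, can be checked before a change is pushed to a controller. The following Python linter is an added example, not part of the Cisco command reference; the function names and the SAMPLE lines marked "constructed" are assumptions made for illustration.

```python
"""Lint WLC 'config advanced' lines against the ranges documented in this section."""

# Single-value timers: keyword -> (low, high) in seconds, from the syntax description.
TIMER_RANGES = {
    "ap-discovery-timeout": (1, 10),
    "ap-heartbeat-timeout": (1, 30),
    "ap-primary-discovery-timeout": (30, 3600),
    "ap-primed-join-timeout": (120, 43200),
    "auth-timeout": (10, 600),
    "eap-identity-request-delay": (0, 10),
    "eap-timeout": (8, 120),
}
FAST_HEARTBEAT_RANGE = (1, 10)
WATCHDOG_RANGE = (60, 300)
COUNT_RANGE = (1, 100)            # probes or associations per interval
INTERVAL_RANGE = (100, 10000)     # milliseconds
DEFAULT_HEARTBEAT_TIMEOUT = 30    # documented default, used when the config sets none


def parse_int_in_range(name, text, low, high):
    """Return (value, None) if text is an integer in [low, high], else (None, message)."""
    try:
        value = int(text)
    except ValueError:
        return None, f"error: {name} expects an integer, got {text!r}"
    if not low <= value <= high:
        return None, f"error: {name}={value} is outside the documented range {low}-{high}"
    return value, None


def lint_config(lines):
    """Return sorted (line_number, message) findings for a list of CLI lines."""
    findings = []
    heartbeat = DEFAULT_HEARTBEAT_TIMEOUT
    fast = {}  # AP mode -> (line_number, fast_heartbeat_seconds) while enabled

    def check(no, name, text, bounds):
        value, err = parse_int_in_range(name, text, *bounds)
        if err:
            findings.append((no, err))
        return value

    for no, raw in enumerate(lines, start=1):
        tok = raw.split()
        if tok[:2] != ["config", "advanced"]:
            continue
        args = tok[2:]
        if args[:1] == ["timers"] and len(args) >= 3:
            key, rest = args[1], args[2:]
            if key in TIMER_RANGES:
                value = check(no, key, rest[0], TIMER_RANGES[key])
                if key == "ap-heartbeat-timeout" and value is not None:
                    heartbeat = value
            elif key == "ap-fast-heartbeat" and rest[1:2] == ["disable"]:
                fast.pop(rest[0], None)
            elif key == "ap-fast-heartbeat" and rest[1:2] == ["enable"] and len(rest) == 3:
                value = check(no, "fast_heartbeat_seconds", rest[2], FAST_HEARTBEAT_RANGE)
                if value is not None:
                    fast[rest[0]] = (no, value)
            elif key == "pkt-fwd-watchdog" and rest[0] == "enable" \
                    and len(rest) == 2 and rest[1] != "default":
                check(no, "watchdog_timer", rest[1], WATCHDOG_RANGE)
        elif args[:2] == ["probe", "limit"] and len(args) == 4:
            check(no, "num_probes", args[2], COUNT_RANGE)
            check(no, "interval", args[3], INTERVAL_RANGE)
        elif args[:2] == ["assoc-limit", "disable"]:
            findings.append((no, "note: association request limiting is disabled"))
        elif args[:2] == ["assoc-limit", "enable"] and len(args) == 4:
            check(no, "associations per interval", args[2], COUNT_RANGE)
            check(no, "interval", args[3], INTERVAL_RANGE)
        elif args[:1] == ["max-1x-sessions"] and len(args) == 2:
            if check(no, "no_of_sessions", args[1], (0, 255)) == 0:
                findings.append((no, "note: 0 means unlimited 802.1X session initiations per AP"))

    # Cross-line rule: heartbeat timeout should be at least 3x the fast heartbeat timer.
    for mode, (no, secs) in fast.items():
        if heartbeat < 3 * secs:
            findings.append((no, f"error: ap-heartbeat-timeout {heartbeat} is less than "
                                 f"3 x fast heartbeat {secs} ({mode})"))
    return sorted(findings)


SAMPLE = [
    "config advanced probe limit 5 800",                              # from the page
    "config advanced assoc-limit enable 20 250",                      # from the page
    "config advanced timers ap-fast-heartbeat flexconnect enable 8",  # from the page
    "config advanced timers ap-heartbeat-timeout 20",                 # constructed
    "config advanced timers auth-timeout 5",                          # constructed
    "config advanced max-1x-sessions 0",                              # constructed
]

if __name__ == "__main__":
    for line_no, message in lint_config(SAMPLE):
        print(f"line {line_no}: {message}")
```

Run against the page's own ap-discovery-timeout 20 example, the linter reports an error, because the syntax description gives that timer a range of 1 to 10.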


config advanced 802.11 7920VSIEConfig

To configure the Cisco Unified Wireless IP Phone 7920 VSIE parameters, use the config advanced 802.11 7920VSIEConfig command.

config advanced 802.11{a | b} 7920VSIEConfig {call-admission-limit limit | G711-CU-Quantum quantum}

Syntax Description

a                     Specifies the 802.11a network.
b                     Specifies the 802.11b/g network.
call-admission-limit  Configures the call admission limit for the 7920s.
G711-CU-Quantum       Configures the value supplied by the infrastructure indicating the current number of channel utilization units that would be used by a single G.711-20ms call.
limit                 Call admission limit (from 0 to 255). The default value is 105.
quantum               G711 quantum value. The default value is 15.

Command Default

None

Command History

Release  Modification
7.6      This command was introduced in a release earlier than Release 7.6.

Examples

This example shows how to configure the call admission limit for 7920 VSIE parameters:

(Cisco Controller) > config advanced 802.11 7920VSIEConfig call-admission-limit 4


config advanced 802.11 channel add

To add a channel to the 802.11 network's auto RF channel list, use the config advanced 802.11 channel add command.

config advanced 802.11{a | b} channel add channel_number

Syntax Description

a               Specifies the 802.11a network.
b               Specifies the 802.11b/g network.
add             Adds a channel to the 802.11 network auto RF channel list.
channel_number  Channel number to add to the 802.11 network auto RF channel list.

Command Default

None

Command History

Release  Modification
7.6      This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to add a channel to the 802.11a network auto RF channel list:

(Cisco Controller) > config advanced 802.11a channel add 132


config advanced 802.11 channel cleanair-event

To configure CleanAir event driven Radio Resource Management (RRM) parameters for all 802.11 Cisco lightweight access points, use the config advanced 802.11 channel cleanair-event command.

config advanced 802.11{a | b} channel cleanair-event {enable | disable | sensitivity [low | medium | high] | custom threshold threshold_value}

Syntax Description

a                Specifies the 802.11a network.
b                Specifies the 802.11b/g network.
enable           Enables the CleanAir event-driven RRM parameters.
disable          Disables the CleanAir event-driven RRM parameters.
sensitivity      Sets the sensitivity for CleanAir event-driven RRM.
low              (Optional) Specifies low sensitivity.
medium           (Optional) Specifies medium sensitivity.
high             (Optional) Specifies high sensitivity.
custom           Specifies custom sensitivity.
threshold        Specifies the EDRRM AQ threshold value.
threshold_value  Number of custom threshold.

Command Default

None

Command History

Release  Modification
7.6      This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable the CleanAir event-driven RRM parameters:

(Cisco Controller) > config advanced 802.11 channel cleanair-event enable

The following example shows how to configure high sensitivity for CleanAir event-driven RRM:

(Cisco Controller) > config advanced 802.11 channel cleanair-event sensitivity high


config advanced 802.11 channel dca anchor-time

To specify the time of day when the Dynamic Channel Assignment (DCA) algorithm is to start, use the config advanced 802.11 channel dca anchor-time command.

config advanced 802.11{a | b} channel dca anchor-time value

Syntax Description

a      Specifies the 802.11a network.
b      Specifies the 802.11b/g network.
value  Hour of the time between 0 and 23. These values represent the hour from 12:00 a.m. to 11:00 p.m.

Command Default

None

Command History

Release  Modification
7.6      This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the time of day when the DCA algorithm starts:

(Cisco Controller) > config advanced 802.11 channel dca anchor-time 17

Related Commands

config advanced 802.11 channel dca interval
config advanced 802.11 channel dca sensitivity
config advanced 802.11 channel


config advanced 802.11 channel dca chan-width-11n

To configure the Dynamic Channel Assignment (DCA) channel width for all 802.11n radios in the 5-GHz band, use the config advanced 802.11 channel dca chan-width-11n command.

config advanced 802.11{a | b} channel dca chan-width-11n {20 | 40 | 80}

Syntax Description

a   Specifies the 802.11a network.
b   Specifies the 802.11b/g network.
20  Sets the channel width for 802.11n radios to 20 MHz.
40  Sets the channel width for 802.11n radios to 40 MHz.
80  Sets the channel width for 802.11ac radios to 80 MHz.

Command Default

The default channel width is 20.

Command History

Release  Modification
7.6      This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

If you choose 40, be sure to set at least two adjacent channels in the config advanced 802.11 channel {add | delete} channel_number command (for example, a primary channel of 36 and an extension channel of 40). If you set only one channel, that channel is not used for the 40-MHz channel width.

To override the globally configured DCA channel width setting, you can statically configure an access point’s radio for 20- or 40-MHz mode using the config 802.11 chan_width command. If you then change the static configuration to global on the access point radio, the global DCA configuration overrides the channel width configuration that the access point was previously using.

Examples

The following example shows how to set the DCA channel width for 802.11n radios on the 802.11a network to 40 MHz:

(Cisco Controller) > config advanced 802.11a channel dca chan-width-11n 40

The following example shows how to set the channel width for the 802.11ac radio to 80 MHz:

(Cisco Controller) > config advanced 802.11a channel dca chan-width-11n 80


config advanced 802.11 channel dca interval

To specify how often the Dynamic Channel Assignment (DCA) is allowed to run, use the config advanced 802.11 channel dca interval command.

config advanced 802.11{a | b} channel dca interval value

Syntax Description

a      Specifies the 802.11a network.
b      Specifies the 802.11b/g network.
value  Valid values are 0, 1, 2, 3, 4, 6, 8, 12, or 24 hours. 0 is 10 minutes (600 seconds).

Command Default

The default DCA channel interval is 10 (10 minutes).

Command History

Release  Modification
7.6      This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

If your controller supports only OfficeExtend access points, we recommend that you set the DCA interval to 6 hours for optimal performance. For deployments with a combination of OfficeExtend access points and local access points, the range of 10 minutes to 24 hours can be used.

Examples

The following example shows how to configure how often the DCA algorithm is allowed to run:

(Cisco Controller) > config advanced 802.11 channel dca interval 8

Related Commands

config advanced 802.11 dca anchor-time
config advanced 802.11 dca sensitivity
show advanced 802.11 channel


config advanced 802.11 channel dca min-metric

To configure the 5-GHz minimum RSSI energy metric for DCA, use the config advanced 802.11 channel dca min-metric command.

config advanced 802.11{a | b} channel dca min-metric RSSI_value

Syntax Description

a           Specifies the 802.11a network.
b           Specifies the 802.11b/g network.
RSSI_value  Minimum received signal strength indicator (RSSI) that is required for the DCA to trigger a channel change. The range is from –100 to –60 dBm.

Command Default

The default minimum RSSI energy metric for DCA is –95 dBm.

Command History

Release  Modification
7.6      This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the minimum 5-GHz RSSI energy metric for DCA:

(Cisco Controller) > config advanced 802.11a channel dca min-metric -80

In the above example, the RRM must detect an interference energy of at least -80 dBm in RSSI for the DCA to trigger a channel change.

Related Commands

config advanced 802.11 dca interval
config advanced 802.11 dca anchor-time
show advanced 802.11 channel


config advanced 802.11 channel dca sensitivity

To specify how sensitive the Dynamic Channel Assignment (DCA) algorithm is to environmental changes (for example, signal, load, noise, and interference) when determining whether or not to change channels, use the config advanced 802.11 channel dca sensitivity command.

config advanced 802.11{a | b} channel dca sensitivity {low | medium | high}

Syntax Description

a       Specifies the 802.11a network.
b       Specifies the 802.11b/g network.
low     Specifies the DCA algorithm is not particularly sensitive to environmental changes. See the “Usage Guidelines” section for more information.
medium  Specifies the DCA algorithm is moderately sensitive to environmental changes. See the “Usage Guidelines” section for more information.
high    Specifies the DCA algorithm is highly sensitive to environmental changes. See the “Usage Guidelines” section for more information.

Command Default

None

Command History

Release  Modification
7.6      This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

The DCA sensitivity thresholds vary by radio band as shown in the table below.

To aid in troubleshooting, the output of this command shows an error code for any failed calls. This table explains the possible error codes for failed calls.

Table 4: DCA Sensitivity Thresholds

Sensitivity  2.4-GHz DCA Sensitivity Threshold  5-GHz DCA Sensitivity Threshold
High         5 dB                               5 dB
Medium       15 dB                              20 dB
Low          30 dB                              35 dB

Examples

The following example shows how to configure the value of DCA algorithm’s sensitivity to low:

(Cisco Controller) > config advanced 802.11 channel dca sensitivity low

Related Commands

config advanced 802.11 dca interval
config advanced 802.11 dca anchor-time
show advanced 802.11 channel


config advanced 802.11 channel foreign

To have Radio Resource Management (RRM) consider or ignore foreign 802.11a interference avoidance in making channel selection updates for all 802.11a Cisco lightweight access points, use the config advanced 802.11 channel foreign command.

config advanced 802.11{a | b} channel foreign {enable | disable}

Syntax Description

a          Specifies the 802.11a network.
b          Specifies the 802.11b/g network.
enable     Enables the foreign access point 802.11a interference avoidance in the channel assignment.
disable    Disables the foreign access point 802.11a interference avoidance in the channel assignment.

Command Default

The default value for the foreign access point 802.11a interference avoidance in the channel assignment is enabled.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to have RRM consider foreign 802.11a interference when making channel selection updates for all 802.11a Cisco lightweight access points:

(Cisco Controller) > config advanced 802.11a channel foreign enable

Related Commands

show advanced 802.11a channel
config advanced 802.11b channel foreign


config advanced 802.11 channel load

To have Radio Resource Management (RRM) consider or ignore the traffic load in making channel selection updates for all 802.11a Cisco lightweight access points, use the config advanced 802.11 channel load command.

config advanced 802.11{a | b} channel load {enable | disable}

Syntax Description

a          Specifies the 802.11a network.
b          Specifies the 802.11b/g network.
enable     Enables the Cisco lightweight access point 802.11a load avoidance in the channel assignment.
disable    Disables the Cisco lightweight access point 802.11a load avoidance in the channel assignment.

Command Default

The default value for Cisco lightweight access point 802.11a load avoidance in the channel assignment is disabled.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to have RRM consider the traffic load when making channel selection updates for all 802.11a Cisco lightweight access points:

(Cisco Controller) > config advanced 802.11a channel load enable

Related Commands

show advanced 802.11a channel
config advanced 802.11b channel load


config advanced 802.11 channel noise

To have Radio Resource Management (RRM) consider or ignore non-802.11a noise in making channel selection updates for all 802.11a Cisco lightweight access points, use the config advanced 802.11 channel noise command.

config advanced 802.11{a | b} channel noise {enable | disable}

Syntax Description

a          Specifies the 802.11a network.
b          Specifies the 802.11b/g network.
enable     Enables non-802.11a noise avoidance in the channel assignment.
disable    Disables the non-802.11a noise avoidance in the channel assignment.

Command Default

The default value for non-802.11a noise avoidance in the channel assignment is disabled.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to have RRM consider non-802.11a noise when making channel selection updates for all 802.11a Cisco lightweight access points:

(Cisco Controller) > config advanced 802.11a channel noise enable

Related Commands

show advanced 802.11a channel
config advanced 802.11b channel noise


config advanced 802.11 channel outdoor-ap-dca

To enable or disable the controller to avoid checking the non-Dynamic Frequency Selection (DFS) channels, use the config advanced 802.11 channel outdoor-ap-dca command.

config advanced 802.11{a | b} channel outdoor-ap-dca {enable | disable}

Syntax Description

a          Specifies the 802.11a network.
b          Specifies the 802.11b/g network.
enable     Enables 802.11 network DCA list option for outdoor access point.
disable    Disables 802.11 network DCA list option for outdoor access point.

Command Default

The default value for 802.11 network DCA list option for outdoor access point is disabled.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

The config advanced 802.11{a | b} channel outdoor-ap-dca {enable | disable} command is applicable only for deployments having outdoor access points such as 1522 and 1524.

Examples

The following example shows how to enable the 802.11a DCA list option for outdoor access point:

(Cisco Controller) > config advanced 802.11a channel outdoor-ap-dca enable

Related Commands

show advanced 802.11a channel
config advanced 802.11b channel noise


config advanced 802.11 channel pda-prop

To enable or disable propagation of persistent devices, use the config advanced 802.11 channel pda-prop command.

config advanced 802.11{a | b} channel pda-prop {enable | disable}

Syntax Description

a          Specifies the 802.11a network.
b          Specifies the 802.11b/g network.
enable     Enables the 802.11 network DCA list option for the outdoor access point.
disable    Disables the 802.11 network DCA list option for the outdoor access point.

Command Default

The default 802.11 network DCA list option for the outdoor access point is disabled.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable or disable propagation of persistent devices:

(Cisco Controller) > config advanced 802.11 channel pda-prop enable


config advanced 802.11 channel update

To have Radio Resource Management (RRM) initiate a channel selection update for all 802.11a Cisco lightweight access points, use the config advanced 802.11 channel update command.

config advanced 802.11{a | b} channel update

Syntax Description

a    Specifies the 802.11a network.
b    Specifies the 802.11b/g network.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to initiate a channel selection update for all 802.11a network access points:

(Cisco Controller) > config advanced 802.11a channel update


config advanced 802.11 coverage

To enable or disable coverage hole detection, use the config advanced 802.11 coverage command.

config advanced 802.11{a | b} coverage {enable | disable}

Syntax Description

a          Specifies the 802.11a network.
b          Specifies the 802.11b/g network.
enable     Enables the coverage hole detection.
disable    Disables the coverage hole detection.

Command Default

The default coverage hole detection value is enabled.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

If you enable coverage hole detection, the Cisco WLC automatically determines, based on data that is received from the access points, whether any access points have clients that are potentially located in areas with poor coverage.

If both the number and percentage of failed packets exceed the values that you entered in the config advanced 802.11 coverage packet-count and config advanced 802.11 coverage fail-rate commands for a 5-second period, the client is considered to be in a pre-alarm condition. The controller uses this information to distinguish between real and false coverage holes and excludes clients with poor roaming logic. A coverage hole is detected if both the number and percentage of failed clients meet or exceed the values entered in the config advanced 802.11 coverage level global and config advanced 802.11 coverage exception global commands over a 90-second period. The Cisco WLC determines whether the coverage hole can be corrected and, if appropriate, mitigates the coverage hole by increasing the transmit power level for that specific access point.

Examples

The following example shows how to enable coverage hole detection on an 802.11a network:

(Cisco Controller) > config advanced 802.11a coverage enable

Related Commands

config advanced 802.11 coverage exception global
config advanced 802.11 coverage fail-rate
config advanced 802.11 coverage level global
config advanced 802.11 coverage packet-count
config advanced 802.11 coverage rssi-threshold


config advanced 802.11 coverage exception global

To specify the percentage of clients on an access point that are experiencing a low signal level but cannot roam to another access point, use the config advanced 802.11 coverage exception global command.

config advanced 802.11{a | b} coverage exception global percent

Syntax Description

a          Specifies the 802.11a network.
b          Specifies the 802.11b/g network.
percent    Percentage of clients. Valid values are from 0 to 100%.

Command Default

The default percentage value for clients on an access point is 25%.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

If both the number and percentage of failed packets exceed the values that you entered in the config advanced 802.11 coverage packet-count and config advanced 802.11 coverage fail-rate commands for a 5-second period, the client is considered to be in a pre-alarm condition. The controller uses this information to distinguish between real and false coverage holes and excludes clients with poor roaming logic. A coverage hole is detected if both the number and percentage of failed clients meet or exceed the values entered in the config advanced 802.11 coverage level global and config advanced 802.11 coverage exception global commands over a 90-second period. The controller determines whether the coverage hole can be corrected and, if appropriate, mitigates the coverage hole by increasing the transmit power level for that specific access point.

Examples

The following example shows how to specify the percentage of clients for all 802.11a access points that are experiencing a low signal level:

(Cisco Controller) > config advanced 802.11a coverage exception global 50

Related Commands

config advanced 802.11 coverage exception global
config advanced 802.11 coverage fail-rate
config advanced 802.11 coverage level global
config advanced 802.11 coverage packet-count
config advanced 802.11 coverage rssi-threshold
config advanced 802.11 coverage


config advanced 802.11 coverage fail-rate

To specify the failure rate threshold for uplink data or voice packets, use the config advanced 802.11 coverage fail-rate command.

config advanced 802.11{a | b} coverage {data | voice} fail-rate percent

Syntax Description

a          Specifies the 802.11a network.
b          Specifies the 802.11b/g network.
data       Specifies the threshold for data packets.
voice      Specifies the threshold for voice packets.
percent    Failure rate as a percentage. Valid values are from 1 to 100 percent.

Command Default

The default failure rate threshold uplink coverage fail-rate value is 20%.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

If both the number and percentage of failed packets exceed the values that you entered in the config advanced 802.11 coverage packet-count and config advanced 802.11 coverage fail-rate commands for a 5-second period, the client is considered to be in a pre-alarm condition. The controller uses this information to distinguish between real and false coverage holes and excludes clients with poor roaming logic. A coverage hole is detected if both the number and percentage of failed clients meet or exceed the values entered in the config advanced 802.11 coverage level global and config advanced 802.11 coverage exception global commands over a 90-second period. The controller determines whether the coverage hole can be corrected and, if appropriate, mitigates the coverage hole by increasing the transmit power level for that specific access point.

Examples

The following example shows how to configure the threshold count for minimum uplink failures for data packets:

(Cisco Controller) > config advanced 802.11 coverage data fail-rate 80

Related Commands

config advanced 802.11 coverage exception global
config advanced 802.11 coverage level global
config advanced 802.11 coverage packet-count
config advanced 802.11 coverage rssi-threshold
config advanced 802.11 coverage


config advanced 802.11 coverage level global

To specify the minimum number of clients on an access point with a received signal strength indication (RSSI) value at or below the data or voice RSSI threshold, use the config advanced 802.11 coverage level global command.

config advanced 802.11{a | b} coverage level global clients

Syntax Description

a          Specifies the 802.11a network.
b          Specifies the 802.11b/g network.
clients    Minimum number of clients. Valid values are from 1 to 75.

Command Default

The default minimum number of clients on an access point is 3.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

If both the number and percentage of failed packets exceed the values that you entered in the config advanced 802.11 coverage packet-count and config advanced 802.11 coverage fail-rate commands for a 5-second period, the client is considered to be in a pre-alarm condition. The controller uses this information to distinguish between real and false coverage holes and excludes clients with poor roaming logic. A coverage hole is detected if both the number and percentage of failed clients meet or exceed the values entered in the config advanced 802.11 coverage level global and config advanced 802.11 coverage exception global commands over a 90-second period. The controller determines whether the coverage hole can be corrected and, if appropriate, mitigates the coverage hole by increasing the transmit power level for that specific access point.

Examples

The following example shows how to specify the minimum number of clients on all 802.11a access points with an RSSI value at or below the RSSI threshold:

(Cisco Controller) > config advanced 802.11a coverage level global 60

Related Commands

config advanced 802.11 coverage exception global
config advanced 802.11 coverage fail-rate
config advanced 802.11 coverage packet-count
config advanced 802.11 coverage rssi-threshold
config advanced 802.11 coverage


config advanced 802.11 coverage packet-count

To specify the minimum failure count threshold for uplink data or voice packets, use the config advanced 802.11 coverage packet-count command.

config advanced 802.11{a | b} coverage {data | voice} packet-count packets

Syntax Description

a          Specifies the 802.11a network.
b          Specifies the 802.11b/g network.
data       Specifies the threshold for data packets.
voice      Specifies the threshold for voice packets.
packets    Minimum number of packets. Valid values are from 1 to 255 packets.

Command Default

The default failure count threshold for uplink data or voice packets is 10.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

If both the number and percentage of failed packets exceed the values that you entered in the config advanced 802.11 coverage packet-count and config advanced 802.11 coverage fail-rate commands for a 5-second period, the client is considered to be in a pre-alarm condition. The controller uses this information to distinguish between real and false coverage holes and excludes clients with poor roaming logic. A coverage hole is detected if both the number and percentage of failed clients meet or exceed the values entered in the config advanced 802.11 coverage level global and config advanced 802.11 coverage exception global commands over a 90-second period. The controller determines whether the coverage hole can be corrected and, if appropriate, mitigates the coverage hole by increasing the transmit power level for that specific access point.

Examples

The following example shows how to configure the failure count threshold for uplink data packets:

(Cisco Controller) > config advanced 802.11 coverage data packet-count 100

Related Commands

config advanced 802.11 coverage exception global
config advanced 802.11 coverage fail-rate
config advanced 802.11 coverage level global
config advanced 802.11 coverage rssi-threshold
config advanced 802.11 coverage


config advanced 802.11 coverage rssi-threshold

To specify the minimum receive signal strength indication (RSSI) value for packets that are received by an access point, use the config advanced 802.11 coverage rssi-threshold command.

config advanced 802.11{a | b} coverage {data | voice} rssi-threshold rssi

Syntax Description

a        Specifies the 802.11a network.
b        Specifies the 802.11b/g network.
data     Specifies the threshold for data packets.
voice    Specifies the threshold for voice packets.
rssi     Valid values are from –60 to –90 dBm.

Command Default

• The default RSSI value for data packets is –80 dBm.

• The default RSSI value for voice packets is –75 dBm.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

The rssi value that you enter is used to identify coverage holes (or areas of poor coverage) within your network.

If the access point receives a packet in the data or voice queue with an RSSI value that is below the value that you enter, a potential coverage hole has been detected.

The access point takes RSSI measurements every 5 seconds and reports them to the controller in 90-second intervals.

If both the number and percentage of failed packets exceed the values that you entered in the config advanced 802.11 coverage packet-count and config advanced 802.11 coverage fail-rate commands for a 5-second period, the client is considered to be in a pre-alarm condition. The controller uses this information to distinguish between real and false coverage holes and excludes clients with poor roaming logic. A coverage hole is detected if both the number and percentage of failed clients meet or exceed the values entered in the config advanced 802.11 coverage level global and config advanced 802.11 coverage exception global commands over a 90-second period. The controller determines whether the coverage hole can be corrected and, if appropriate, mitigates the coverage hole by increasing the transmit power level for that specific access point.
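The following Python model is an added example, not part of the Cisco reference and not Cisco code. It walks the two-stage decision in the usage guidelines above using the documented defaults and ranges; the per-window RSSI lists, the function names, and the rule that a single pre-alarm window marks a client as failed are assumptions.

```python
"""Model of the coverage hole decision described in the usage guidelines.

Added illustration only. Input layout and helper names are assumptions.
"""
from dataclasses import dataclass

WINDOW_SECONDS = 5     # AP measurement period (from the page)
REPORT_SECONDS = 90    # AP-to-controller reporting period (from the page)


@dataclass(frozen=True)
class CoverageConfig:
    rssi_threshold: int = -80    # dBm, data default; valid -90..-60
    packet_count: int = 10       # failed packets; valid 1..255
    fail_rate: int = 20          # percent of packets; valid 1..100
    level_global: int = 3        # minimum failed clients; valid 1..75
    exception_global: int = 25   # percent of clients; valid 0..100

    def __post_init__(self):
        limits = {
            "rssi_threshold": (-90, -60),
            "packet_count": (1, 255),
            "fail_rate": (1, 100),
            "level_global": (1, 75),
            "exception_global": (0, 100),
        }
        for name, (low, high) in limits.items():
            value = getattr(self, name)
            if not low <= value <= high:
                raise ValueError(f"{name}={value} outside {low}..{high}")


def window_pre_alarm(rssi_samples, cfg):
    """True if one 5-second window puts the client in pre-alarm.

    rssi_samples holds the RSSI (dBm) of each uplink packet in the window.
    A packet fails when its RSSI is below the threshold; both the failed
    count and the failed percentage must exceed their configured values.
    """
    if not rssi_samples:
        return False
    failed = sum(1 for rssi in rssi_samples if rssi < cfg.rssi_threshold)
    percent = 100.0 * failed / len(rssi_samples)
    return failed > cfg.packet_count and percent > cfg.fail_rate


def coverage_hole(report, cfg):
    """Evaluate one 90-second report for one access point.

    report maps a client id to its list of 5-second windows.
    Returns (hole_detected, sorted list of failed clients).
    """
    max_windows = REPORT_SECONDS // WINDOW_SECONDS
    failed_clients = []
    for client, windows in report.items():
        if len(windows) > max_windows:
            raise ValueError(f"{client}: more than {max_windows} windows")
        # Assumption: one pre-alarm window marks the client as failed.
        if any(window_pre_alarm(w, cfg) for w in windows):
            failed_clients.append(client)
    if not report:
        return False, []
    percent = 100.0 * len(failed_clients) / len(report)
    hole = (len(failed_clients) >= cfg.level_global
            and percent >= cfg.exception_global)
    return hole, sorted(failed_clients)


def constructed_report(weak_clients, strong_clients, weak_packets=15):
    """Constructed sample data: weak clients send one window at -85 dBm."""
    report = {}
    for i in range(weak_clients):
        report[f"weak-{i}"] = [[-85] * weak_packets, [-70] * 20]
    for i in range(strong_clients):
        report[f"strong-{i}"] = [[-62] * 20, [-65] * 20]
    return report


if __name__ == "__main__":
    cfg = CoverageConfig()
    for weak, strong in ((3, 5), (2, 6), (3, 17)):
        hole, failed = coverage_hole(constructed_report(weak, strong), cfg)
        print(f"{weak} weak of {weak + strong}: hole={hole} failed={failed}")
```

With the defaults, three weak clients out of eight trigger a coverage hole, while two out of eight (below the client count) or three out of twenty (below the client percentage) do not.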

Examples

The following example shows how to configure the minimum receive signal strength indication threshold value for data packets that are received by an 802.11a access point:

(Cisco Controller) > config advanced 802.11a coverage data rssi-threshold -60

Related Commands

config advanced 802.11 coverage exception global
config advanced 802.11 coverage fail-rate
config advanced 802.11 coverage level global
config advanced 802.11 coverage packet-count
config advanced 802.11 coverage


config advanced 802.11 edca-parameters

To enable a specific Enhanced Distributed Channel Access (EDCA) profile on an 802.11a network, use the config advanced 802.11 edca-parameters command.

config advanced 802.11{a | b} edca-parameters {wmm-default | svp-voice | optimized-voice | optimized-video-voice | custom-voice | fastlane | custom-set { QoS Profile Name } { aifs AP-value (0-16 ) Client value (0-16) | ecwmax AP-Value (0-10) Client value (0-10) | ecwmin AP-Value (0-10) Client value (0-10) | txop AP-Value (0-255) Client value (0-255) } }

Syntax Description

a                        Specifies the 802.11a network.
b                        Specifies the 802.11b/g network.
wmm-default              Enables the Wi-Fi Multimedia (WMM) default parameters. Choose this option if voice or video services are not deployed on your network.
svp-voice                Enables Spectralink voice-priority parameters. Choose this option if Spectralink phones are deployed on your network to improve the quality of calls.
optimized-voice          Enables EDCA voice-optimized profile parameters. Choose this option if voice services other than Spectralink are deployed on your network.
optimized-video-voice    Enables EDCA voice-optimized and video-optimized profile parameters. Choose this option when both voice and video services are deployed on your network.
                         Note: If you deploy video services, admission control must be disabled.
custom-voice             Enables custom voice EDCA parameters for 802.11a. The EDCA parameters under this option also match the 6.0 WMM EDCA parameters when this profile is applied.
fastlane                 Enables fastlane on compatible devices.
custom-set               Enables customization of EDCA parameters:
                         • aifs: Configures the Arbitration Inter-Frame Space. AP Value (0-16) Client value (0-16)
                         • ecwmax: Configures the maximum Contention Window. AP Value (0-10) Client Value (0-10)
                         • ecwmin: Configures the minimum Contention Window. AP Value (0-10) Client Value (0-10)
                         • txop: Configures the Arbitration Transmission Opportunity Limit. AP Value (0-255) Client Value (0-255)
                         QoS Profile Name: Enter the QoS profile name:
                         • bronze
                         • silver
                         • gold
                         • platinum

Command Default

The default EDCA parameter is wmm-default.

Command History

Release      Modification
7.6          This command was introduced in a release earlier than Release 7.6.
8.2.110.0    In this release, custom-set keyword was added to edca-parameters command.
8.3          This command was modified and the fastlane keyword was added.

Examples

The following example shows how to enable Spectralink voice-priority parameters:

(Cisco Controller) > config advanced 802.11 edca-parameters svp-voice

Related Commands

config advanced 802.11b edca-parameters    Enables a specific Enhanced Distributed Channel Access (EDCA) profile on the 802.11a network.
show 802.11a                               Displays basic 802.11a network settings.

config advanced 802.11 factory

To reset 802.11a advanced settings back to the factory defaults, use the config advanced 802.11 factory command.

config advanced 802.11{a | b} factory

Syntax Description

a    Specifies the 802.11a network.
b    Specifies the 802.11b/g network.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to return all the 802.11a advanced settings to their factory defaults:

(Cisco Controller) > config advanced 802.11a factory

Related Commands

show advanced 802.11a channel


config advanced 802.11 group-member

To configure members in 802.11 static RF group, use the config advanced 802.11 group-member command.

config advanced 802.11{a | b} group-member {add | remove} controller controller-ip-address

Syntax Description

a                        Specifies the 802.11a network.
b                        Specifies the 802.11b/g network.
add                      Adds a controller to the static RF group.
remove                   Removes a controller from the static RF group.
controller               Name of the controller to be added.
controller-ip-address    IP address of the controller to be added.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to add a controller in the 802.11a automatic RF group:

(Cisco Controller) > config advanced 802.11a group-member add cisco-controller 209.165.200.225

Related Commands

show advanced 802.11a group
config advanced 802.11 group-mode


config advanced 802.11 group-mode

To set the 802.11a automatic RF group selection mode on or off, use the config advanced 802.11 group-mode command.

config advanced 802.11{a | b} group-mode {auto | leader | off | restart}

Syntax Description

a          Specifies the 802.11a network.
b          Specifies the 802.11b/g network.
auto       Sets the 802.11a RF group selection to automatic update mode.
leader     Sets the 802.11a RF group selection to static mode, and sets this controller as the group leader.
off        Sets the 802.11a RF group selection to off.
restart    Restarts the 802.11a RF group selection.

Command Default

The default 802.11a automatic RF group selection mode is auto.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the 802.11a automatic RF group selection mode on:

(Cisco Controller) > config advanced 802.11a group-mode auto

The following example shows how to configure the 802.11a automatic RF group selection mode off:

(Cisco Controller) > config advanced 802.11a group-mode off

Related Commands

show advanced 802.11a group
config advanced 802.11 group-member


config advanced 802.11 logging channel

To turn the channel change logging mode on or off, use the config advanced 802.11 logging channel command.

config advanced 802.11{a | b} logging channel {on | off}

Syntax Description

a                  Specifies the 802.11a network.
b                  Specifies the 802.11b/g network.
logging channel    Logs channel changes.
on                 Enables the 802.11 channel logging.
off                Disables 802.11 channel logging.

Command Default

The default channel change logging mode is Off (disabled).

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to turn the 802.11a logging channel selection mode on:

(Cisco Controller) > config advanced 802.11a logging channel on

Related Commands

show advanced 802.11a logging
config advanced 802.11b logging channel


config advanced 802.11 logging coverage

To turn the coverage profile logging mode on or off, use the config advanced 802.11 logging coverage command.

config advanced 802.11{a | b} logging coverage {on | off}

Syntax Description

a      Specifies the 802.11a network.
b      Specifies the 802.11b/g network.
on     Enables the 802.11 coverage profile violation logging.
off    Disables the 802.11 coverage profile violation logging.

Command Default

The default coverage profile logging mode is Off (disabled).

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to turn the 802.11a coverage profile violation logging selection mode on:

(Cisco Controller) > config advanced 802.11a logging coverage on

Related Commands

show advanced 802.11a logging
config advanced 802.11b logging coverage


config advanced 802.11 logging foreign

To turn the foreign interference profile logging mode on or off, use the config advanced 802.11 logging foreign command.

config advanced 802.11{a | b} logging foreign {on | off}

Syntax Description

a      Specifies the 802.11a network.
b      Specifies the 802.11b/g network.
on     Enables the 802.11 foreign interference profile violation logging.
off    Disables the 802.11 foreign interference profile violation logging.

Command Default

The default foreign interference profile logging mode is Off (disabled).

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to turn the 802.11a foreign interference profile violation logging selection mode on:

(Cisco Controller) > config advanced 802.11a logging foreign on

Related Commands

show advanced 802.11a logging
config advanced 802.11b logging foreign


config advanced 802.11 logging load

To turn the 802.11a load profile logging mode on or off, use the config advanced 802.11 logging load command.

config advanced 802.11{a | b} logging load {on | off}

Syntax Description

a      Specifies the 802.11a network.
b      Specifies the 802.11b/g network.
on     Enables the 802.11 load profile violation logging.
off    Disables the 802.11 load profile violation logging.

Command Default

The default 802.11a load profile logging mode is Off (disabled).

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to turn the 802.11a load profile logging mode on:

(Cisco Controller) > config advanced 802.11a logging load on

Related Commands

show advanced 802.11a logging
config advanced 802.11b logging load

config advanced 802.11 logging noise

To turn the 802.11a noise profile logging mode on or off, use the config advanced 802.11 logging noise command.

config advanced 802.11{a | b} logging noise {on | off}

Syntax Description

a      Specifies the 802.11a network.
b      Specifies the 802.11b/g network.
on     Enables the 802.11 noise profile violation logging.
off    Disables the 802.11 noise profile violation logging.

Command Default

The default 802.11a noise profile logging mode is off (disabled).

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to turn the 802.11a noise profile logging mode on:

(Cisco Controller) > config advanced 802.11a logging noise on

Related Commands

show advanced 802.11a logging
config advanced 802.11b logging noise

config advanced 802.11 logging performance

To turn the 802.11a performance profile logging mode on or off, use the config advanced 802.11 logging performance command.

config advanced 802.11{a | b} logging performance {on | off}

Syntax Description

a      Specifies the 802.11a network.
b      Specifies the 802.11b/g network.
on     Enables the 802.11 performance profile violation logging.
off    Disables the 802.11 performance profile violation logging.

Command Default

The default 802.11a performance profile logging mode is off (disabled).

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to turn the 802.11a performance profile logging mode on:

(Cisco Controller) > config advanced 802.11a logging performance on

Related Commands

show advanced 802.11a logging
config advanced 802.11b logging performance

config advanced 802.11 logging txpower

To turn the 802.11a transmit power change logging mode on or off, use the config advanced 802.11 logging txpower command.

config advanced 802.11{a | b} logging txpower {on | off}

Syntax Description

a      Specifies the 802.11a network.
b      Specifies the 802.11b/g network.
on     Enables the 802.11 transmit power change logging.
off    Disables the 802.11 transmit power change logging.

Command Default

The default 802.11a transmit power change logging mode is off (disabled).

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to turn the 802.11a transmit power change mode on:

(Cisco Controller) > config advanced 802.11a logging txpower on

Related Commands

show advanced 802.11 logging
config advanced 802.11b logging power

config advanced 802.11 monitor channel-list

To set the 802.11a noise, interference, and rogue monitoring channel list, use the config advanced 802.11 monitor channel-list command.

config advanced 802.11{a | b} monitor channel-list {all | country | dca}

Syntax Description

a          Specifies the 802.11a network.
b          Specifies the 802.11b/g network.
all        Monitors all channels.
country    Monitors the channels used in the configured country code.
dca        Monitors the channels used by the automatic channel assignment.

Command Default

The default 802.11a noise, interference, and rogue monitoring channel list is country.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to monitor the channels used in the configured country:

(Cisco Controller) > config advanced 802.11a monitor channel-list country

Related Commands

show advanced 802.11a monitor coverage

config advanced 802.11 monitor coverage

To set the coverage measurement interval between 60 and 3600 seconds, use the config advanced 802.11 monitor coverage command.

config advanced 802.11{a | b} monitor coverage seconds

Syntax Description

a          Specifies the 802.11a network.
b          Specifies the 802.11b/g network.
seconds    Coverage measurement interval between 60 and 3600 seconds.

Command Default

The default coverage measurement interval is 180 seconds.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to set the coverage measurement interval to 60 seconds:

(Cisco Controller) > config advanced 802.11a monitor coverage 60

Related Commands

show advanced 802.11a monitor
config advanced 802.11b monitor coverage

config advanced 802.11 monitor load

To set the load measurement interval between 60 and 3600 seconds, use the config advanced 802.11 monitor load command.

config advanced 802.11{a | b} monitor load seconds

Syntax Description

a          Specifies the 802.11a network.
b          Specifies the 802.11b/g network.
seconds    Load measurement interval between 60 and 3600 seconds.

Command Default

The default load measurement interval is 60 seconds.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to set the load measurement interval to 60 seconds:

(Cisco Controller) > config advanced 802.11a monitor load 60

Related Commands

show advanced 802.11a monitor
config advanced 802.11b monitor load

config advanced 802.11 monitor mode

To enable or disable 802.11a access point monitoring, use the config advanced 802.11 monitor mode command.

config advanced 802.11{a | b} monitor mode {enable | disable}

Syntax Description

a          Specifies the 802.11a network.
b          Specifies the 802.11b/g network.
enable     Enables the 802.11 access point monitoring.
disable    Disables the 802.11 access point monitoring.

Command Default

The default 802.11a access point monitoring is enabled.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable the 802.11a access point monitoring:

(Cisco Controller) > config advanced 802.11a monitor mode enable

Related Commands

show advanced 802.11a monitor
config advanced 802.11b monitor mode

config advanced 802.11 monitor ndp-type

To configure the 802.11 access point radio resource management (RRM) Neighbor Discovery Protocol (NDP) type, use the config advanced 802.11 monitor ndp-type command:

config advanced 802.11{a | b} monitor ndp-type {protected | transparent}

Syntax Description

a              Specifies the 802.11a network.
b              Specifies the 802.11b/g network.
protected      Specifies the Tx RRM protected NDP.
transparent    Specifies the Tx RRM transparent NDP.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

Before you configure the 802.11 access point RRM NDP type, ensure that you have disabled the network by entering the config 802.11 disable network command.

Examples

The following example shows how to enable the 802.11a access point RRM NDP type as protected:

(Cisco Controller) > config advanced 802.11a monitor ndp-type protected

Related Commands

config advanced 802.11 monitor
config advanced 802.11 monitor mode
config advanced 802.11 disable

config advanced 802.11 monitor noise

To set the 802.11a noise measurement interval between 60 and 3600 seconds, use the config advanced 802.11 monitor noise command.

config advanced 802.11{a | b} monitor noise seconds

Syntax Description

a          Specifies the 802.11a network.
b          Specifies the 802.11b/g network.
seconds    Noise measurement interval between 60 and 3600 seconds.

Command Default

The default 802.11a noise measurement interval is 80 seconds.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to set the noise measurement interval to 120 seconds:

(Cisco Controller) > config advanced 802.11a monitor noise 120

Related Commands

show advanced 802.11a monitor
config advanced 802.11b monitor noise

config advanced 802.11 monitor signal

To set the signal measurement interval between 60 and 3600 seconds, use the config advanced 802.11 monitor signal command.

config advanced 802.11{a | b} monitor signal seconds

Syntax Description

a          Specifies the 802.11a network.
b          Specifies the 802.11b/g network.
seconds    Signal measurement interval between 60 and 3600 seconds.

Command Default

The default signal measurement interval is 60 seconds.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to set the signal measurement interval to 120 seconds:

(Cisco Controller) > config advanced 802.11a monitor signal 120

Related Commands

show advanced 802.11a monitor
config advanced 802.11b monitor signal

config advanced 802.11 monitor timeout-factor

To configure the 802.11 neighbor timeout factor, use the config advanced 802.11 monitor timeout-factor command:

config advanced 802.11{a | b} monitor timeout-factor factor-value-in-minutes

Syntax Description

factor-value-in-minutes    Neighbor timeout factor value that you must enter. The valid range is from 5 to 60 minutes. We recommend that you set the timeout factor to 60 minutes.

Command Default

None

Command History

Release    Modification
8.1        This command was introduced.

Usage Guidelines

If you are using Release 8.1 or a later release, we recommend that you set the timeout factor to 60 minutes.

If the access point radio does not receive a neighbor packet from an existing neighbor within 60 minutes, the Cisco WLC deletes the neighbor from the neighbor list.

Note

The Neighbor Timeout Factor was hardcoded to 60 minutes in Release 7.6, but was changed to 5 minutes in Release 8.0.100.0.

config advanced 802.11 optimized roaming

To configure the optimized roaming parameters for each 802.11 band, use the config advanced 802.11 optimized roaming command.

config advanced {802.11a | 802.11b} optimized-roaming {enable | disable | interval seconds | datarate mbps}

Syntax Description

802.11a     Configures optimized roaming parameters for 802.11a network.
802.11b     Configures optimized roaming parameters for 802.11b network.
enable      Enables optimized roaming.
disable     Disables optimized roaming.
interval    Configures the client coverage reporting interval for 802.11a/b networks.
seconds     Client coverage reporting interval in seconds. The range is from 5 to 90 seconds.
datarate    Configures the threshold data rate for 802.11a/b networks.
mbps        Threshold data rate in Mbps for 802.11a/b networks.
            For 802.11a, the configurable data rates are 6, 9, 12, 18, 24, 36, 48, and 54.
            For 802.11b, the configurable data rates are 1, 2, 5.5, 11, 6, 9, 12, 18, 24, 36, 48, and 54.
            You can configure 0 to disable the data rate for disassociating clients.

Command Default

By default, optimized roaming is disabled. The default value for client coverage reporting interval is 90 seconds and threshold data rate is 0 (disabled state).

Command History

Release    Modification
8.0        This command was introduced.

Usage Guidelines

You must disable the 802.11a/b network before you configure the optimized roaming reporting interval. If you configure a low value for the reporting interval, the network can get overloaded with coverage report messages.

Examples

The following example shows how to enable optimized roaming for the 802.11a network:

(Cisco Controller) > config advanced 802.11a optimized-roaming enable

The following example shows how to configure the threshold data rate for the 802.11a network:

(Cisco Controller) > config advanced 802.11a optimized-roaming datarate 9

config advanced 802.11 profile foreign

To set the foreign 802.11a transmitter interference threshold between 0 and 100 percent, use the config advanced 802.11 profile foreign command.

config advanced 802.11{a | b} profile foreign {global | cisco_ap} percent

Syntax Description

a           Specifies the 802.11a network.
b           Specifies the 802.11b/g network.
global      Configures all 802.11a Cisco lightweight access points.
cisco_ap    Cisco lightweight access point name.
percent     Foreign 802.11a interference threshold between 0 and 100 percent.

Command Default

The default foreign 802.11a transmitter interference threshold value is 10.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to set the foreign 802.11a transmitter interference threshold for all Cisco lightweight access points to 50 percent:

(Cisco Controller) > config advanced 802.11a profile foreign global 50

The following example shows how to set the foreign 802.11a transmitter interference threshold for AP1 to 0 percent:

(Cisco Controller) > config advanced 802.11a profile foreign AP1 0

config advanced 802.11 profile noise

To set the 802.11a foreign noise threshold between –127 and 0 dBm, use the config advanced 802.11 profile noise command.

config advanced 802.11{a | b} profile noise {global | cisco_ap} dBm

Syntax Description

a           Specifies the 802.11a/n network.
b           Specifies the 802.11b/g/n network.
global      Configures all 802.11a Cisco lightweight access point specific profiles.
cisco_ap    Cisco lightweight access point name.
dBm         802.11a foreign noise threshold between –127 and 0 dBm.

Command Default

The default foreign noise threshold value is –70 dBm.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to set the 802.11a foreign noise threshold for all Cisco lightweight access points to –127 dBm:

(Cisco Controller) > config advanced 802.11a profile noise global -127

The following example shows how to set the 802.11a foreign noise threshold for AP1 to 0 dBm:

(Cisco Controller) > config advanced 802.11a profile noise AP1 0

config advanced 802.11 profile throughput

To set the Cisco lightweight access point data-rate throughput threshold between 1000 and 10000000 bytes per second, use the config advanced 802.11 profile throughput command.

config advanced 802.11{a | b} profile throughput {global | cisco_ap} value

Syntax Description

a           Specifies the 802.11a network.
b           Specifies the 802.11b/g network.
global      Configures all 802.11a Cisco lightweight access point specific profiles.
cisco_ap    Cisco lightweight access point name.
value       802.11a Cisco lightweight access point throughput threshold between 1000 and 10000000 bytes per second.

Command Default

The default Cisco lightweight access point data-rate throughput threshold value is 1,000,000 bytes per second.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to set all Cisco lightweight access point data-rate thresholds to 1000 bytes per second:

(Cisco Controller) > config advanced 802.11a profile throughput global 1000

The following example shows how to set the AP1 data-rate threshold to 10000000 bytes per second:

(Cisco Controller) > config advanced 802.11a profile throughput AP1 10000000

config advanced 802.11 profile utilization

To set the RF utilization threshold between 0 and 100 percent, use the config advanced 802.11 profile utilization command. The operating system generates a trap when this threshold is exceeded.

config advanced 802.11{a | b} profile utilization {global | cisco_ap} percent

Syntax Description

a           Specifies the 802.11a network.
b           Specifies the 802.11b/g network.
global      Configures a global Cisco lightweight access point specific profile.
cisco_ap    Cisco lightweight access point name.
percent     802.11a RF utilization threshold between 0 and 100 percent.

Command Default

The default RF utilization threshold value is 80 percent.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to set the RF utilization threshold for all Cisco lightweight access points to 0 percent:

(Cisco Controller) > config advanced 802.11a profile utilization global 0

The following example shows how to set the RF utilization threshold for AP1 to 100 percent:

(Cisco Controller) > config advanced 802.11a profile utilization AP1 100

config advanced 802.11 receiver

To set the advanced receiver configuration settings, use the config advanced 802.11 receiver command.

config advanced 802.11{a | b} receiver {default | rxstart jumpThreshold value}

Syntax Description

a                       Specifies the 802.11a network.
b                       Specifies the 802.11b/g network.
receiver                Specifies the receiver configuration.
default                 Specifies the default advanced receiver configuration.
rxstartjumpThreshold    Specifies the receiver start signal.
value                   Jump threshold configuration value between 0 and 127.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to prevent changes to receiver parameters while the network is enabled:

(Cisco Controller) > config advanced 802.11a receiver default

Related Commands

config advanced 802.11b receiver

config advanced 802.11 tpc-version

To configure the Transmit Power Control (TPC) version for a radio, use the config advanced 802.11 tpc-version command.

config advanced 802.11{a | b} tpc-version {1 | 2}

Syntax Description

1    Specifies TPC version 1, which offers strong signal coverage and stability.
2    Specifies TPC version 2, which is for scenarios where voice calls are extensively used. The Tx power is dynamically adjusted with the goal of minimum interference. It is suitable for dense networks. In this mode, there could be higher roaming delays and coverage hole incidents.

Command Default

The default TPC version for a radio is 1.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the TPC version as 1 for the 802.11a radio:

(Cisco Controller) > config advanced 802.11a tpc-version 1

Related Commands

config advanced 802.11 tpcv1-thresh

config advanced 802.11 tpcv1-thresh

To configure the threshold for Transmit Power Control (TPC) version 1 of a radio, use the config advanced 802.11 tpcv1-thresh command.

config advanced 802.11{a | b} tpcv1-thresh threshold

Syntax Description

a            Specifies the 802.11a network.
b            Specifies the 802.11b/g/n network.
threshold    Threshold value between –50 dBm and –80 dBm.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the threshold as –60 dBm for TPC version 1 of the 802.11a radio:

(Cisco Controller) > config advanced 802.11a tpcv1-thresh -60

Related Commands

config advanced 802.11 tpc-thresh
config advanced 802.11 tpcv2-thresh

config advanced 802.11 tpcv2-intense

To configure the computational intensity for Transmit Power Control (TPC) version 2 of a radio, use the config advanced 802.11 tpcv2-intense command.

config advanced 802.11{a | b} tpcv2-intense intensity

Syntax Description

a            Specifies the 802.11a network.
b            Specifies the 802.11b/g/n network.
intensity    Computational intensity value between 1 and 100.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the computational intensity as 50 for TPC version 2 of the 802.11a radio:

(Cisco Controller) > config advanced 802.11a tpcv2-intense 50

Related Commands

config advanced 802.11 tpc-thresh
config advanced 802.11 tpcv2-thresh
config advanced 802.11 tpcv2-per-chan

config advanced 802.11 tpcv2-per-chan

To configure the Transmit Power Control Version 2 on a per-channel basis, use the config advanced 802.11 tpcv2-per-chan command.

config advanced 802.11{a | b} tpcv2-per-chan {enable | disable}

Syntax Description

enable     Enables the configuration of TPC version 2 on a per-channel basis.
disable    Disables the configuration of TPC version 2 on a per-channel basis.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable TPC version 2 on a per-channel basis for the 802.11a radio:

(Cisco Controller) > config advanced 802.11a tpcv2-per-chan enable

Related Commands

config advanced 802.11 tpc-thresh
config advanced 802.11 tpcv2-thresh
config advanced 802.11 tpcv2-intense

config advanced 802.11 tpcv2-thresh

To configure the threshold for Transmit Power Control (TPC) version 2 of a radio, use the config advanced 802.11 tpcv2-thresh command.

config advanced 802.11{a | b} tpcv2-thresh threshold

Syntax Description

a            Specifies the 802.11a network.
b            Specifies the 802.11b/g network.
threshold    Threshold value between –50 dBm and –80 dBm.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the threshold as –60 dBm for TPC version 2 of the 802.11a radio:

(Cisco Controller) > config advanced 802.11a tpcv2-thresh -60

Related Commands

config advanced 802.11 tpc-thresh
config advanced 802.11 tpcv1-thresh
config advanced 802.11 tpcv2-per-chan

config advanced 802.11 txpower-update

To initiate updates of the 802.11a transmit power for every Cisco lightweight access point, use the config advanced 802.11 txpower-update command.

config advanced 802.11{a | b} txpower-update

Syntax Description

a    Specifies the 802.11a network.
b    Specifies the 802.11b/g network.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to initiate updates of 802.11a transmit power for an 802.11a access point:

(Cisco Controller) > config advanced 802.11a txpower-update

Related Commands

config advanced 802.11b txpower-update
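The bands, keyword sets and numeric ranges documented for the config advanced 802.11{a | b} commands above can be checked before a change script reaches a controller. The following Python pre-flight check is an added example, not Cisco code: the function names, the sample script and the "review" finding for monitor mode disable are assumptions of this example, and keywords it does not model (receiver, txpower-update) are reported as not covered.

```python
import re

HEAD = re.compile(r"^config advanced 802\.11(\S*)\s+(.+)$")
# (min, max, unit) for numeric arguments, as documented on this page.
INT_RANGES = {("monitor", k): (60, 3600, "seconds") for k in ("coverage", "load", "noise", "signal")}
INT_RANGES.update({
    ("monitor", "timeout-factor"): (5, 60, "minutes"),
    ("profile", "foreign"): (0, 100, "percent"),
    ("profile", "noise"): (-127, 0, "dBm"),
    ("profile", "throughput"): (1000, 10000000, "bytes per second"),
    ("profile", "utilization"): (0, 100, "percent"),
    ("tpcv1-thresh",): (-80, -50, "dBm"),
    ("tpcv2-thresh",): (-80, -50, "dBm"),
    ("tpcv2-intense",): (1, 100, "intensity"),
})
ENUMS = {
    ("monitor", "channel-list"): {"all", "country", "dca"},
    ("monitor", "mode"): {"enable", "disable"},
    ("monitor", "ndp-type"): {"protected", "transparent"},
    ("tpc-version",): {"1", "2"},
    ("tpcv2-per-chan",): {"enable", "disable"},
}
LOGGING = {"coverage", "foreign", "load", "noise", "performance", "txpower"}
# Optimized-roaming threshold data rates per band; 0 disables the threshold.
_OFDM = {"0", "6", "9", "12", "18", "24", "36", "48", "54"}
DATARATES = {"a": _OFDM, "b": _OFDM | {"1", "2", "5.5", "11"}}

def _check_int(text, lo, hi, unit):
    try:
        value = int(text)  # an en dash pasted from the PDF fails here
    except ValueError:
        return ["'%s' is not an integer" % text]
    if not lo <= value <= hi:
        return ["%d is outside %d..%d %s" % (value, lo, hi, unit)]
    return []

def _roaming(band, args):
    if args in (["enable"], ["disable"]):
        return []
    if len(args) == 2 and args[0] == "interval":
        return _check_int(args[1], 5, 90, "seconds")
    if len(args) == 2 and args[0] == "datarate":
        ok = args[1] in DATARATES[band]
        return [] if ok else ["data rate %s is not configurable on 802.11%s" % (args[1], band)]
    return ["expected {enable | disable | interval seconds | datarate mbps}"]

def lint(command):
    """Return a list of findings for one command; an empty list means it passed."""
    m = HEAD.match(command.strip())
    if not m:
        return ["not a 'config advanced 802.11' command"]
    band, rest = m.group(1), m.group(2).split()
    if band not in DATARATES:
        return ["band must be 802.11a or 802.11b, got '802.11%s'" % band]
    if rest[0] == "logging":
        if len(rest) == 3 and rest[1] in LOGGING and rest[2] in ("on", "off"):
            return []
        return ["expected logging {%s} {on | off}" % " | ".join(sorted(LOGGING))]
    if rest[0] == "optimized-roaming":
        return _roaming(band, rest[1:])
    for n in (2, 1):  # two-word keywords first, then one-word keywords
        key, args = tuple(rest[:n]), rest[n:]
        if key in ENUMS:
            if len(args) != 1 or args[0] not in ENUMS[key]:
                return ["expected one of: %s" % ", ".join(sorted(ENUMS[key]))]
            if key == ("monitor", "mode") and args[0] == "disable":
                return ["review: this turns off access point monitoring"]
            return []
        if key in INT_RANGES:
            wanted = 2 if key[0] == "profile" else 1  # profile: {global | cisco_ap} value
            if len(args) != wanted:
                return ["expected %d argument(s) after '%s'" % (wanted, " ".join(key))]
            return _check_int(args[-1], *INT_RANGES[key])
    return ["keyword '%s' is not covered by this check" % rest[0]]

def lint_script(text):
    """Return (line_no, command, findings) for every command with findings."""
    rows = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        command = line.replace("(Cisco Controller) >", "", 1).strip()
        findings = lint(command) if command else []
        if findings:
            rows.append((line_no, command, findings))
    return rows

# Constructed change script (not taken from a real controller).
SAMPLE = """\
config advanced 802.11a monitor coverage 60
(Cisco Controller) > config advanced 802.11 monitor noise 120
config advanced 802.11b monitor signal 30
config advanced 802.11a profile utilization AP1 101
config advanced 802.11a optimized-roaming datarate 5.5
config advanced 802.11b optimized-roaming datarate 5.5
config advanced 802.11b monitor mode disable
"""

if __name__ == "__main__":
    for line_no, command, findings in lint_script(SAMPLE):
        print("line %d: %s -> %s" % (line_no, command, "; ".join(findings)))
```

A command written with a bare 802.11 and no band letter is rejected, and 5.5 Mbps is accepted as an optimized-roaming data rate only on 802.11b, as the syntax descriptions above state.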

config ap 802.1Xuser

To configure the global authentication username and password for all access points currently associated with the controller as well as any access points that associate with the controller in the future, use the config ap 802.1Xuser command.

config ap 802.1Xuser add username ap-username password ap-password {all | cisco_ap}

Syntax Description

add username    Specifies to add a username.
ap-username     Username on the Cisco AP.
password        Specifies to add a password.
ap-password     Password.
cisco_ap        Specific access point.
all             Specifies all access points.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

You must enter a strong password. Strong passwords have the following characteristics:

• They are at least eight characters long.

• They contain a combination of uppercase and lowercase letters, numbers, and symbols.

• They are not a word in any language.

You can set the values for a specific access point.

Examples

This example shows how to configure the global authentication username and password for all access points:

(Cisco Controller) > config ap 802.1Xuser add username cisco123 password cisco2020 all
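The strong-password characteristics listed under Usage Guidelines can be checked before a credential is pushed to access points. The following Python is an added example, not Cisco code: it parses the config ap 802.1Xuser add syntax shown above, reports which characteristics a password misses, and produces a redacted copy of the command for change logs. The function names, the small wordlist and the stricter dictionary test are assumptions of this example.

```python
import re

ADD_CMD = re.compile(
    r"^config ap 802\.1Xuser add username (\S+) password (\S+) (\S+)$")

# Tiny constructed wordlist standing in for a real dictionary (assumption).
WORDS = {"cisco", "controller", "network", "password", "wireless"}

CLASSES = [
    ("uppercase letter", r"[A-Z]"),
    ("lowercase letter", r"[a-z]"),
    ("number", r"[0-9]"),
    ("symbol", r"[^A-Za-z0-9]"),
]


def password_findings(password, words=WORDS):
    """Check one password against the strong-password characteristics."""
    findings = []
    if len(password) < 8:
        findings.append("shorter than eight characters")
    for name, pattern in CLASSES:
        if not re.search(pattern, password):
            findings.append("no " + name)
    # Stricter than the page's wording: also flags a dictionary word that only
    # has digits or symbols attached (for example "wireless1!").
    letters = re.sub(r"[^A-Za-z]", "", password).lower()
    if letters in words:
        findings.append("built on a dictionary word")
    return findings


def audit(command):
    """Return scope and findings for an 'add' command, or None for other input."""
    m = ADD_CMD.match(command.strip())
    if not m:
        return None
    username, password, target = m.groups()
    return {
        "username": username,
        "scope": "all access points" if target == "all" else "access point " + target,
        "findings": password_findings(password),  # the password is never echoed
    }


def redact(command):
    """Copy of the command that is safe to store in change logs or tickets."""
    m = ADD_CMD.match(command.strip())
    if not m:
        return command
    return "config ap 802.1Xuser add username %s password <redacted> %s" % (
        m.group(1), m.group(3))


# Sample inputs: the first is the command from the Examples section above,
# the second is constructed for this example.
SAMPLES = [
    "config ap 802.1Xuser add username cisco123 password cisco2020 all",
    "config ap 802.1Xuser add username apuser password Tr7#kq9!Lm AP01",
]

if __name__ == "__main__":
    for cmd in SAMPLES:
        print(redact(cmd), "->", audit(cmd)["findings"] or "ok")
```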

config ap 802.1Xuser delete

To force a specific access point to use the controller’s global authentication settings, use the config ap 802.1Xuser delete command.

config ap 802.1Xuser delete cisco_ap

Syntax Description

cisco_ap    Access point.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to force access point AP01 to use the controller’s global authentication settings:

(Cisco Controller) > config ap 802.1Xuser delete AP01

config ap 802.1Xuser disable

To disable authentication for all access points or for a specific access point, use the config ap 802.1Xuser disable command.

config ap 802.1Xuser disable {all | cisco_ap}

Syntax Description

disable     Disables authentication.
all         Specifies all access points.
cisco_ap    Access point.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

You can disable 802.1X authentication for a specific access point only if global 802.1X authentication is not enabled. If global 802.1X authentication is enabled, you can disable 802.1X for all access points only.

Examples

The following example shows how to disable the authentication for access point cisco_ap1:

(Cisco Controller) > config ap 802.1Xuser disable cisco_ap1

config advanced dot11-padding

To enable or disable over-the-air frame padding, use the config advanced dot11-padding command.

config advanced dot11-padding {enable | disable}

Syntax Description

enable     Enables the over-the-air frame padding.
disable    Disables the over-the-air frame padding.

Command Default

The default over-the-air frame padding is disabled.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable over-the-air frame padding:

(Cisco Controller) > config advanced dot11-padding enable

Related Commands

debug dot11
debug dot11 mgmt interface
debug dot11 mgmt msg
debug dot11 mgmt ssid
debug dot11 mgmt state-machine
debug dot11 mgmt station
show advanced dot11-padding

config ap

To configure a Cisco lightweight access point or to add or delete a third-party (foreign) access point, use the config ap command.

config ap {{enable | disable} cisco_ap | {add | delete} MAC port {enable | disable} IP_address}

Syntax Description

enable        Enables the Cisco lightweight access point.
disable       Disables the Cisco lightweight access point.
cisco_ap      Name of the Cisco lightweight access point.
add           Adds foreign access points.
delete        Deletes foreign access points.
MAC           MAC address of a foreign access point.
port          Port number through which the foreign access point can be reached.
IP_address    IP address of the foreign access point.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.
8.0        This command supports both IPv4 and IPv6.

Examples

The following example shows how to disable lightweight access point AP1:

(Cisco Controller) > config ap disable AP1

The following example shows how to add a foreign access point with MAC address 12:12:12:12:12:12 and IP address 192.12.12.1 from port 2033:

(Cisco Controller) > config ap add 12:12:12:12:12:12 2033 enable 192.12.12.1

config ap atf 802.11

Configure Cisco Airtime Fairness at an AP level by using the config ap atf 802.11 command.

config ap atf 802.11{a | b} {mode {disable | monitor | enforce-policy} ap-name} | {optimization {enable | disable}}

Syntax Description

a                 Specifies the 802.11a network settings
b                 Specifies the 802.11b/g network settings
mode              Configures the granularity of Cisco ATF enforcement
disable           Disables Cisco ATF
monitor           Configures Cisco ATF in monitor mode
enforce-policy    Configures Cisco ATF in enforcement mode
ap-name           AP name that you must specify
optimization      Configures airtime optimization
enable            Enables airtime optimization
disable           Disables airtime optimization

Command History

Release    Modification
8.1        This command was introduced

Examples

To enable airtime optimization on an 802.11a network for a Cisco AP, my-ap, enter the following command:

(Cisco Controller) > config ap atf 802.11a optimization enable my-ap

config ap atf 802.11 client-access airtime-allocation

To configure override of ATF airtime allocation on mesh AP, use the config ap atf 802.11 client-access airtime-allocation override {enable | disable} command.

config ap atf 802.11{a | b} client-access airtime-allocation %-of-airtime-allocation-bw-5-to-90 mesh-ap-name override {enable | disable}

Syntax Description

a                                     Specifies the 802.11a network settings
b                                     Specifies the 802.11b/g network settings
%-of-airtime-allocation-bw-5-to-90    Percentage of airtime allocation for client access. Valid range is between 5 and 90. This percentage of airtime allocation impacts both the client and the uplink backhaul percentage.
mesh-ap-name                          Name of the mesh AP
override                              Allows override of ATF airtime allocation on the mesh AP
enable                                Enables airtime allocation override
disable                               Disables airtime allocation override

Command History

Release    Modification
8.4        This command was introduced

Examples

On an 802.11a network, to configure override of ATF airtime allocation on a mesh AP, map1, enter the following command:

(Cisco Controller) > config ap atf 802.11a client-access airtime-allocation 10 override map1 enable

config ap atf 802.11 policy

To configure AP-level override for Cisco ATF policy on a WLAN, enter this command:

config ap atf 802.11{a | b} policy wlan-id policy-name ap-name override {enable | disable}

Syntax Description

a              Specifies the 802.11a network settings
b              Specifies the 802.11b network settings
policy         Specifies the Cisco ATF policy
wlan-id        WLAN ID or Remote LAN ID that you must specify
policy-name    Cisco ATF policy name that you must specify
ap-name        Name of the AP that you must specify
override       Configures ATF policy override for a WLAN in the AP group
enable         Enables ATF policy override for a WLAN in the AP group
disable        Disables ATF policy override for a WLAN in the AP group

Command History

Release    Modification
8.1        This command was introduced

config ap autoconvert

To automatically convert all access points to FlexConnect mode or Monitor mode upon associating with the Cisco WLC, use the config ap autoconvert command.

config ap autoconvert {flexconnect | monitor | disable}

Syntax Description

flexconnect    Configures all the access points automatically to FlexConnect mode.
monitor        Configures all the access points automatically to monitor mode.
disable        Disables the autoconvert option on the access points.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

When access points in local mode connect to a Cisco 7500 Series Wireless Controller, they do not serve clients. The access point details are available in the controller. To enable access points to serve clients or perform monitoring related tasks when connected to the Cisco 7500 Series Wireless Controller, the access points must be in FlexConnect mode or Monitor mode.

The command can also be used for conversion of AP modes in Cisco 5520, 8540, and 8510 Series Wireless Controller platforms.

Examples

The following example shows how to automatically convert all access points to the FlexConnect mode:

(Cisco Controller) > config ap autoconvert flexconnect

The following example shows how to disable the autoconvert option on the APs:

(Cisco Controller) > config ap autoconvert disable

config ap bhrate

To configure the Cisco bridge backhaul Tx rate, use the config ap bhrate command.

config ap bhrate {rate | auto} cisco_ap

Syntax Description

rate        Cisco bridge backhaul Tx rate in kbps. The valid values are 6000, 12000, 18000, 24000, 36000, 48000, and 54000.
auto        Configures the auto data rate.
cisco_ap    Name of a Cisco lightweight access point.

Command Default

The default status of the command is set to Auto.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

In previous software releases, the default value for the bridge data rate was 24000 (24 Mbps). In controller software release 6.0, the default value for the bridge data rate is auto. If you configured the default bridge data rate value (24000) in a previous controller software release, the bridge data rate is configured with the new default value (auto) when you upgrade to controller software release 6.0. However, if you configured a non-default value (for example, 18000) in a previous controller software release, that configuration setting is preserved when you upgrade to Cisco WLC Release 6.0.

When the bridge data rate is set to auto, the mesh backhaul chooses the highest rate where the next higher rate cannot be used due to unsuitable conditions for that specific rate (and not because of conditions that affect all rates).

Examples

The following example shows how to configure the Cisco bridge backhaul Tx rate to 54000 kbps:

(Cisco Controller) > config ap bhrate 54000 AP01

config ap bridgegroupname

To set or delete a bridge group name on a Cisco lightweight access point, use the config ap bridgegroupname command.

config ap bridgegroupname {set groupname | delete | {strict-matching {enable | disable}}} cisco_ap

Syntax Description

set                Sets a Cisco lightweight access point’s bridge group name.
groupname          Bridge group name.
delete             Deletes a Cisco lightweight access point’s bridge group name.
cisco_ap           Name of a Cisco lightweight access point.
strict-matching    Restricts the possible parent list, if the MAP has a non-default BGN, and the potential parent has a different BGN.
enable             Enables a Cisco lightweight access point's group name.
disable            Disables a Cisco lightweight access point's group name.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.
8.0        The strict-matching parameter was added.

Usage Guidelines

Only access points with the same bridge group name can connect to each other. Changing the AP bridgegroupname may strand the bridge AP.

Examples

The following example shows how to delete the bridge group name on Cisco access point AP02:

(Cisco Controller) > config ap bridgegroupname delete AP02
Changing the AP's bridgegroupname may strand the bridge AP. Please continue with caution.
Changing the AP's bridgegroupname will also cause the AP to reboot.
Are you sure you want to continue? (y/n)

config ap bridging

To configure Ethernet-to-Ethernet bridging on a Cisco lightweight access point, use the config ap bridging command.

config ap bridging {enable | disable} cisco_ap

Syntax Description

enable      Enables the Ethernet-to-Ethernet bridging on a Cisco lightweight access point.
disable     Disables Ethernet-to-Ethernet bridging.
cisco_ap    Name of a Cisco lightweight access point.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable bridging on an access point:

(Cisco Controller) > config ap bridging enable nyc04-44-1240

The following example shows how to disable bridging on an access point:

(Cisco Controller) > config ap bridging disable nyc04-44-1240

config ap cdp

To configure the Cisco Discovery Protocol (CDP) on a Cisco lightweight access point, use the config ap cdp command.

config ap cdp {enable | disable | interface {ethernet interface_number | slot slot_id}} {cisco_ap | all}

Syntax Description

enable              Enables CDP on an access point.
disable             Disables CDP on an access point.
interface           Configures CDP in a specific interface.
ethernet            Configures CDP for an ethernet interface.
interface_number    Ethernet interface number between 0 and 3.
slot                Configures CDP for a radio interface.
slot_id             Slot number between 0 and 3.
cisco_ap            Name of a Cisco lightweight access point.
all                 Specifies all access points.

Note

If an AP is itself named all, the all access points case takes precedence over the AP that is named all.

Command Default

Enabled on radio interfaces of mesh APs and disabled on radio interfaces of non-mesh APs. Enabled on Ethernet interfaces of all APs.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

The config ap cdp disable all command disables CDP on all access points that are joined to the controller and all access points that join in the future. CDP remains disabled on both current and future access points even after the controller or access point reboots. To enable CDP, enter the config ap cdp enable all command.

Note

CDP over Ethernet/radio interfaces is available only when CDP is enabled. After you enable CDP on all access points joined to the controller, you may disable and then reenable CDP on individual access points using the config ap cdp {enable | disable} cisco_ap command. After you disable CDP on all access points joined to the controller, you may not enable and then disable CDP on individual access points.

Examples

The following example shows how to enable CDP on all access points:

(Cisco Controller) > config ap cdp enable all

The following example shows how to disable CDP on ap02 access point:

(Cisco Controller) > config ap cdp disable ap02

The following example shows how to enable CDP for Ethernet interface number 2 on all access points:

(Cisco Controller) > config ap cdp ethernet 2 enable all

config ap core-dump

To configure a Cisco lightweight access point’s memory core dump, use the config ap core-dump command.

config ap core-dump {disable | enable tftp_server_ipaddress filename {compress | uncompress} {cisco_ap | all}

Syntax Description

enable                   Enables the Cisco lightweight access point’s memory core dump setting.
disable                  Disables the Cisco lightweight access point’s memory core dump setting.
tftp_server_ipaddress    IP address of the TFTP server to which the access point sends core dump files.
filename                 Name that the access point uses to label the core file.
compress                 Compresses the core dump file.
uncompress               Uncompresses the core dump file.
cisco_ap                 Name of a Cisco lightweight access point.
all                      Specifies all access points.

Note

If an AP itself is configured with the name ‘all’, then the ‘all access points’ case takes precedence over the AP that is named ‘all’.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.
8.0        This command supports both IPv4 and IPv6.

Usage Guidelines

The access point must be able to reach the TFTP server. This command is applicable for both IPv4 and IPv6 addresses.

Examples

The following example shows how to configure and compress the core dump file:

(Cisco Controller) > config ap core-dump enable 209.165.200.225 log compress AP02

config ap crash-file clear-all

To delete all crash and radio core dump files, use the config ap crash-file clear-all command.

config ap crash-file clear-all

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to delete all crash files:

(Cisco Controller) > config ap crash-file clear-all

config ap crash-file delete

To delete a single crash or radio core dump file, use the config ap crash-file delete command.

config ap crash-file delete filename

Syntax Description

filename    Name of the file to delete.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to delete crash file 1:

(Cisco Controller) > config ap crash-file delete crash_file_1

config ap crash-file get-crash-file

To collect the latest crash data for a Cisco lightweight access point, use the config ap crash-file get-crash-file command.

config ap crash-file get-crash-file cisco_ap

Syntax Description

cisco_ap    Name of the Cisco lightweight access point.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

Use the transfer upload datatype command to transfer the collected data to the Cisco wireless LAN controller.

Examples

The following example shows how to collect the latest crash data for access point AP3:

(Cisco Controller) > config ap crash-file get-crash-file AP3

config ap crash-file get-radio-core-dump

To get a Cisco lightweight access point’s radio core dump, use the config ap crash-file get-radio-core-dump command.

config ap crash-file get-radio-core-dump slot_id cisco_ap

Syntax Description

slot_id     Slot ID (either 0 or 1).
cisco_ap    Name of a Cisco lightweight access point.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to collect the radio core dump for access point AP02 and slot 0:

(Cisco Controller) > config ap crash-file get-radio-core-dump 0 AP02

config ap dhcp release-override

To configure DHCP release override on Cisco APs, use the config ap dhcp release-override command.

config ap dhcp release-override {enable | disable} {cisco-ap-name | all}

Syntax Description

enable           Enables DHCP release override and sets the number of DHCP releases sent by the AP to 1. To be used as a workaround for a few DHCP servers that mark the AP's IP address as bad. We recommend that you use this configuration only in highly reliable networks.
disable          Disables DHCP release override and sets the number of DHCP releases sent by the AP to 3, which is the default value. This ensures that the DHCP server receives the release message even if one of the packets is lost.
cisco-ap-name    Configuration is applied to the Cisco AP that you enter
all              Configuration is applied to all Cisco APs

Command Default

Disabled

Command History

Release    Modification
8.2        This command was introduced.

Usage Guidelines

Use this command when you are using Cisco lightweight APs with Windows Server 2008 R2 or 2012 as the DHCP server.

config ap dtls-cipher-suite

To enable new cipher suites for DTLS connection between AP and controller, use the config ap dtls-cipher-suite command.

config ap dtls-cipher-suite {RSA-AES256-SHA256 | RSA-AES256-SHA | RSA-AES128-SHA}

Syntax Description

RSA-AES256-SHA256    Cipher suite using either RSA key exchange or authentication, using 256 bit AES and SHA 256.
RSA-AES256-SHA       Cipher suite using either RSA key exchange or authentication, using 256 bit AES and SHA.
RSA-AES128-SHA       Cipher suite using either RSA key exchange or authentication, using 128 bit AES and SHA.

Command Default

None

Command History

Release    Modification
8.0        This command was introduced.

Examples

The following example shows how to enable RSA cipher suites using 256 bit AES and SHA 256 for DTLS connection between AP and controller:

(Cisco Controller) > config ap dtls-cipher-suite RSA-AES256-SHA256

config ap dtls-version

To configure the cipher DTLS version, use the config ap dtls-version command.

config ap dtls-version {dtls1.0 | dtls1.2 | dtls_all}

Syntax Description

dtls1.0     Select DTLS 1.0 version
dtls1.2     Select DTLS 1.2 version
dtls_all    Select all DTLS versions for backward compatibility

Command Default

None

Command History

Release      Modification
8.3.111.0    This command was introduced.

Examples

The following example shows how to configure cipher DTLS version 1.2:

(Cisco Controller) > config ap dtls-version dtls1.2
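The value constraints documented for config ap bhrate, config ap atf 802.11 client-access airtime-allocation, config ap core-dump, config ap dtls-cipher-suite and config ap dtls-version can be checked before a batch of commands is sent to a controller. The Python linter below is an added example, not Cisco code: the function names, the lint interface and the sample batch are assumptions, and the two warnings (TFTP is unauthenticated cleartext; RFC 8996 deprecates DTLS 1.0) come from those protocols' specifications rather than from this reference.

```python
import ipaddress

# Constraints copied from the syntax descriptions in this reference.
BHRATE_KBPS = {"6000", "12000", "18000", "24000", "36000", "48000", "54000"}
DTLS_SUITES = {"RSA-AES256-SHA256", "RSA-AES256-SHA", "RSA-AES128-SHA"}
DTLS_VERSIONS = {"dtls1.0", "dtls1.2", "dtls_all"}
PROMPT = "(Cisco Controller) >"


def check_bhrate(args):
    """config ap bhrate {rate | auto} cisco_ap"""
    if len(args) != 2:
        return [("error", "expected: {rate | auto} cisco_ap")]
    if args[0] != "auto" and args[0] not in BHRATE_KBPS:
        return [("error", f"{args[0]!r} is not a documented backhaul rate")]
    return []


def check_atf(args):
    """Only the client-access airtime-allocation form carries a numeric range."""
    if args[1:3] != ["client-access", "airtime-allocation"]:
        return []  # mode / optimization / policy forms: nothing to range-check
    pct = args[3] if len(args) > 3 else ""
    if not (pct.isascii() and pct.isdigit()) or not 5 <= int(pct) <= 90:
        return [("error", f"airtime allocation {pct!r} is outside 5-90")]
    return []


def check_core_dump(args):
    """config ap core-dump: validates the enable form's arguments."""
    if not args or args[0] not in ("enable", "disable"):
        return [("error", "expected enable or disable")]
    if args[0] == "disable":
        return []
    if len(args) != 5:
        return [("error", "enable needs: ip filename {compress | uncompress} {cisco_ap | all}")]
    findings = []
    try:
        ipaddress.ip_address(args[1])  # accepts IPv4 and IPv6, as the command does
    except ValueError:
        findings.append(("error", f"{args[1]!r} is not an IPv4 or IPv6 address"))
    if args[3] not in ("compress", "uncompress"):
        findings.append(("error", f"{args[3]!r} must be compress or uncompress"))
    if not findings:
        # Added note, not from the reference: TFTP has no authentication or encryption.
        findings.append(("warn", "core dump leaves the AP over TFTP (unauthenticated cleartext)"))
    return findings


def check_dtls_suite(args):
    if len(args) != 1 or args[0] not in DTLS_SUITES:
        return [("error", "expected one of: " + ", ".join(sorted(DTLS_SUITES)))]
    return []


def check_dtls_version(args):
    if len(args) != 1 or args[0] not in DTLS_VERSIONS:
        return [("error", "expected dtls1.0, dtls1.2 or dtls_all")]
    if args[0] != "dtls1.2":
        # Added note, not from the reference: RFC 8996 deprecates DTLS 1.0.
        return [("warn", f"{args[0]} permits DTLS 1.0")]
    return []


RULES = {
    "bhrate": check_bhrate,
    "atf": check_atf,
    "core-dump": check_core_dump,
    "dtls-cipher-suite": check_dtls_suite,
    "dtls-version": check_dtls_version,
}


def lint(lines):
    """Return (line_number, severity, message) for each finding, in input order."""
    findings = []
    for number, raw in enumerate(lines, 1):
        line = raw.strip()
        if line.startswith(PROMPT):
            line = line[len(PROMPT):].strip()
        tokens = line.split()
        if len(tokens) < 3 or tokens[:2] != ["config", "ap"]:
            continue  # not a config ap command
        check = RULES.get(tokens[2])
        if check:
            findings += [(number, sev, msg) for sev, msg in check(tokens[3:])]
    return findings


# Constructed sample batch; lines 1, 4 and 6 reuse examples printed in this reference.
SAMPLE = [
    "(Cisco Controller) > config ap bhrate 54000 AP01",
    "config ap bhrate 30000 AP01",
    "config ap atf 802.11a client-access airtime-allocation 95 override map1 enable",
    "config ap core-dump enable 209.165.200.225 log compress AP02",
    "config ap core-dump enable 2001:db8::10 log zipped all",
    "config ap dtls-cipher-suite RSA-AES256-SHA256",
    "config ap dtls-version dtls_all",
    "config ap dtls-version dtls1.2",
]

if __name__ == "__main__":
    for number, severity, message in lint(SAMPLE):
        print(f"line {number}: {severity}: {message}")
```

Commands that the rule table does not cover pass through without findings, so an empty result means only that the five covered commands are within their documented values.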

config ap ethernet duplex

To configure the Ethernet port duplex and speed settings of the lightweight access points, use the config ap ethernet duplex command.

config ap ethernet duplex [auto | half | full] speed [auto | 10 | 100 | 1000] {all | cisco_ap}

Syntax Description

auto        (Optional) Specifies the Ethernet port duplex auto settings.
half        (Optional) Specifies the Ethernet port duplex half settings.
full        (Optional) Specifies the Ethernet port duplex full settings.
speed       Specifies the Ethernet port speed settings.
auto        (Optional) Specifies the Ethernet port speed to auto.
10          (Optional) Specifies the Ethernet port speed to 10 Mbps.
100         (Optional) Specifies the Ethernet port speed to 100 Mbps.
1000        (Optional) Specifies the Ethernet port speed to 1000 Mbps.
all         Specifies the Ethernet port setting for all connected access points.
cisco_ap    Cisco access point.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the Ethernet port duplex half settings as 10 Mbps for all access points:

(Cisco Controller) > config ap ethernet duplex half speed 10 all

config ap ethernet tag

To configure VLAN tagging of the Control and Provisioning of Wireless Access Points protocol (CAPWAP) packets, use the config ap ethernet tag command.

config ap ethernet tag {id vlan_id | disable} {cisco_ap | all}

Syntax Description

id          Specifies the VLAN id.
vlan_id     ID of the trunk VLAN.
disable     Disables the VLAN tag feature. When you disable VLAN tagging, the access point untags the CAPWAP packets.
cisco_ap    Name of the Cisco AP.
all         Configures VLAN tagging on all the Cisco access points.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

After you configure VLAN tagging, the configuration comes into effect only after the access point reboots.

You cannot configure VLAN tagging on mesh access points.

If the access point is unable to route traffic or reach the controller using the specified trunk VLAN, it falls back to the untagged configuration. If the access point joins the controller using this fallback configuration, the controller sends a trap to a trap server such as the Cisco Prime Infrastructure, which indicates the failure of the trunk VLAN. In this scenario, the "Failover to untagged" message appears in show command output.

Examples

The following example shows how to configure VLAN tagging on a trunk VLAN:

(Cisco Controller) > config ap ethernet tag 6 AP1


config ap flexconnect central-dhcp

To enable central-DHCP on a FlexConnect access point in a WLAN, use the config ap flexconnect central-dhcp command.

config ap flexconnect central-dhcp wlan_id cisco_ap [add | delete] {enable | disable} override dns {enable | disable} nat-pat {enable | disable}

Syntax Description

wlan_id         Wireless LAN identifier from 1 to 512.
cisco_ap        Name of the Cisco lightweight access point.
add             (Optional) Adds a new WLAN DHCP mapping.
delete          (Optional) Deletes a WLAN DHCP mapping.
enable          Enables central-DHCP on a FlexConnect access point. When you enable this feature, the DHCP packets received from the access point are centrally switched to the controller and then forwarded to the corresponding VLAN based on the AP and the SSID.
disable         Disables central-DHCP on a FlexConnect access point.
override dns    Overrides the DNS server address on the interface assigned by the controller. When you override DNS in centrally switched WLANs, the clients get their DNS server IP address from the AP and not from the controller.
enable          Enables the Override DNS feature on a FlexConnect access point.
disable         Disables the Override DNS feature on a FlexConnect access point.
nat-pat         Network Address Translation (NAT) and Port Address Translation (PAT) that you can enable or disable.
enable          Enables NAT-PAT on a FlexConnect access point.
disable         Deletes NAT-PAT on a FlexConnect access point.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable central-DHCP, Override DNS, and NAT-PAT on a FlexConnect access point:

(Cisco Controller) > config ap flexconnect central-dhcp 1 ap1250 enable override dns enable nat-pat enable

config ap flexconnect local-split

To configure a local-split tunnel on a FlexConnect access point, use the config ap flexconnect local-split command.

config ap flexconnect local-split wlan_id cisco_ap {enable | disable} acl acl_name

Syntax Description

wlan_id     Wireless LAN identifier between 1 and 512.
cisco_ap    Name of the FlexConnect access point.
enable      Enables local-split tunnel on a FlexConnect access point.
disable     Disables local-split tunnel feature on a FlexConnect access point.
acl         Configures a FlexConnect local-split access control list.
acl_name    Name of the FlexConnect access control list.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

This command allows you to configure a local-split tunnel in a centrally switched WLAN using a FlexConnect ACL. A local-split tunnel supports only unicast Layer 4 IP traffic because NAT/PAT does not support multicast IP traffic.

Examples

The following example shows how to configure a local-split tunnel using a FlexConnect ACL:

(Cisco Controller) > config ap flexconnect local-split 6 AP2 enable acl flex6

config ap flexconnect module-vlan

To configure VLAN tagging for Cisco USC 8x18 Dual Mode Module in FlexConnect Local Switching, use the config ap flexconnect module-vlan command.

config ap flexconnect module-vlan {{enable ap-name [vlan vlan-id]} | {{disable | remove} ap-name}}

Syntax Description

enable ap-name                 Enables FlexConnect local switching for the external module of the specified Cisco AP with native VLAN
enable ap-name vlan vlan-id    Enables FlexConnect local switching with non-native VLAN for the external module of the specified Cisco AP
disable ap-name                Disables FlexConnect local switching for the external module of the specified Cisco AP
remove ap-name                 Removes the AP-specific external module VLAN configuration

Command Default

None

Command History

Release    Modification
8.1        This command was introduced.

Examples

This example shows how to enable FlexConnect local switching with non-native VLAN for the external module of a Cisco AP:

(Cisco Controller) > config ap flexconnect module-vlan enable 3600i-ap vlan4

config ap flexconnect policy

To configure a policy ACL on a FlexConnect access point, use the config ap flexconnect policy command.

config ap flexconnect policy {add | delete} acl_name

Syntax Description

add         Adds a policy ACL on a FlexConnect access point.
delete      Deletes a policy ACL on a FlexConnect access point.
acl_name    Name of the ACL.

Command Default

None

Command History

Release    Modification
7.5        This command was introduced.

Examples

The following example shows how to add a policy ACL on a FlexConnect access point:

(Cisco Controller) > config ap flexconnect policy add acl1

config ap flexconnect radius auth set

To configure a primary or secondary RADIUS server for a specific FlexConnect access point, use the config ap flexconnect radius auth set command.

config ap flexconnect radius auth set {primary | secondary} ip_address auth_port secret

Syntax Description

primary       Specifies the primary RADIUS server for a specific FlexConnect access point
secondary     Specifies the secondary RADIUS server for a specific FlexConnect AP
ip_address    IP address of the RADIUS server
auth_port     Name of the port
secret        RADIUS server secret

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure a primary RADIUS server for a specific access point:

(Cisco Controller) > config ap flexconnect radius auth set primary 192.12.12.1

config ap flexconnect vlan

To enable or disable VLAN tagging for a FlexConnect access point, use the config ap flexconnect vlan command.

config ap flexconnect vlan {enable | disable} cisco_ap

Syntax Description

enable      Enables the access point’s VLAN tagging.
disable     Disables the access point’s VLAN tagging.
cisco_ap    Name of the Cisco lightweight access point.

Command Default

Disabled. Once enabled, WLANs enabled for local switching inherit the VLAN assigned at the Cisco WLC.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

This example shows how to enable the access point’s VLAN tagging for a FlexConnect access point:

(Cisco Controller) > config ap flexconnect vlan enable AP02

config ap flexconnect vlan add

To add a VLAN to a FlexConnect access point, use the config ap flexconnect vlan add command.

config ap flexconnect vlan add vlan-id acl in-acl out-acl cisco_ap

Syntax Description

vlan-id     VLAN identifier.
acl         ACL name that contains up to 32 alphanumeric characters.
in-acl      Inbound ACL name that contains up to 32 alphanumeric characters.
out-acl     Outbound ACL name that contains up to 32 alphanumeric characters.
cisco_ap    Name of the Cisco lightweight access point.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the FlexConnect access point:

(Cisco Controller) > config ap flexconnect vlan add 21 acl inacl1 outacl1 ap1

config ap flexconnect vlan native

To configure a native VLAN for a FlexConnect access point, use the config ap flexconnect vlan native command.

config ap flexconnect vlan native vlan-id cisco_ap

Syntax Description

vlan-id     VLAN identifier.
cisco_ap    Name of the Cisco lightweight access point.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure a native VLAN for an access point in FlexConnect mode:

(Cisco Controller) > config ap flexconnect vlan native 6 AP02

config ap flexconnect vlan wlan

To assign a VLAN ID to a FlexConnect access point, use the config ap flexconnect vlan wlan command.

config ap flexconnect vlan wlan wlan-id vlan-id cisco_ap

Syntax Description

wlan-id     WLAN identifier
vlan-id     VLAN identifier (1 - 4094).
cisco_ap    Name of the Cisco lightweight access point.

Command Default

VLAN ID associated to the WLAN.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to assign a VLAN ID to a FlexConnect access point:

(Cisco Controller) > config ap flexconnect vlan wlan 192.12.12.1 6 AP02

config ap flexconnect web-auth

To configure a FlexConnect ACL for external web authentication in locally switched WLANs, use the config ap flexconnect web-auth command.

config ap flexconnect web-auth wlan wlan_id cisco_ap acl_name {enable | disable}

Syntax Description

wlan        Specifies the wireless LAN to be configured with a FlexConnect ACL.
wlan_id     Wireless LAN identifier between 1 and 512 (inclusive).
cisco_ap    Name of the FlexConnect access point.
acl_name    Name of the FlexConnect ACL.
enable      Enables the FlexConnect ACL on the locally switched wireless LAN.
disable     Disables the FlexConnect ACL on the locally switched wireless LAN.

Command Default

FlexConnect ACL for external web authentication in locally switched WLANs is disabled.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

The FlexConnect ACLs that are specific to an AP have the highest priority. The FlexConnect ACLs that are specific to WLANs have the lowest priority.

Examples

The following example shows how to enable FlexConnect ACL for external web authentication on WLAN 6:

(Cisco Controller) > config ap flexconnect web-auth wlan 6 AP2 flexacl2 enable

config ap flexconnect web-policy acl

To configure a Web Policy FlexConnect ACL on an access point, use the config ap flexconnect web-policy acl command.

config ap flexconnect web-policy acl {add | delete} acl_name

Syntax Description

add         Adds a Web Policy FlexConnect ACL on an access point.
delete      Deletes Web Policy FlexConnect ACL on an access point.
acl_name    Name of the Web Policy FlexConnect ACL.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to add a Web Policy FlexConnect ACL on an access point:

(Cisco Controller) > config ap flexconnect web-policy acl add flexacl2

config ap flexconnect wlan

To configure a FlexConnect access point in a locally switched WLAN, use the config ap flexconnect wlan command.

config ap flexconnect wlan l2acl {add wlan_id cisco_ap acl_name | delete wlan_id cisco_ap}

Syntax Description

add: Adds a Layer 2 ACL to the FlexConnect access point.

wlan_id: Wireless LAN identifier from 1 to 512.

cisco_ap: Name of the Cisco lightweight access point.

acl_name: Layer 2 ACL name. The name can be up to 32 alphanumeric characters.

delete: Deletes a Layer 2 ACL from the FlexConnect access point.

Command Default

None

Command History

Release 7.5: This command was introduced.

Usage Guidelines

• You can create a maximum of 16 rules for a Layer 2 ACL.

• You can create a maximum of 64 Layer 2 ACLs on a Cisco WLC.

• A maximum of 16 Layer 2 ACLs are supported per AP because an AP supports a maximum of 16 WLANs.

• Ensure that the Layer 2 ACL names do not conflict with the FlexConnect ACL names because an AP does not support the same Layer 2 and Layer 3 ACL names.

Examples

The following example shows how to configure a Layer 2 ACL on a FlexConnect AP:

(Cisco Controller) > config ap flexconnect wlan l2acl add 1 AP1600_1 acl_l2_1

config ap group-name

To specify a descriptive group name for a Cisco lightweight access point, use the config ap group-name command.

config ap group-name groupname cisco_ap

Syntax Description

groupname: Descriptive name for the access point group.

cisco_ap: Name of the Cisco lightweight access point.

Command Default

None

Command History

Release 7.6: This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

The Cisco lightweight access point must be disabled before changing this parameter.

Examples

The following example shows how to configure a descriptive name for access point AP01:

(Cisco Controller) > config ap group-name superusers AP01

config ap hotspot

To configure hotspot parameters on an access point, use the config ap hotspot command.

config ap hotspot venue {type group_code type_code | name {add language_code venue_name | delete}} cisco_ap

Syntax Description

venue: Configures venue information for given AP group.

type: Configures the type of venue for given AP group.

group_code: Venue group information for given AP group. The following options are available:

• 0—UNSPECIFIED

• 1—ASSEMBLY

• 2—BUSINESS

• 3—EDUCATIONAL

• 4—FACTORY-INDUSTRIAL

• 5—INSTITUTIONAL

• 6—MERCANTILE

• 7—RESIDENTIAL

• 8—STORAGE

• 9—UTILITY-MISC

• 10—VEHICULAR

• 11—OUTDOOR

type_code: Venue type information for the AP group.

For venue group 1 (ASSEMBLY), the following options are available:

• 0—UNSPECIFIED ASSEMBLY

• 1—ARENA

• 2—STADIUM

• 3—PASSENGER TERMINAL

• 4—AMPHITHEATER

• 5—AMUSEMENT PARK

• 6—PLACE OF WORSHIP

• 7—CONVENTION CENTER

• 8—LIBRARY

• 9—MUSEUM

• 10—RESTAURANT

• 11—THEATER

• 12—BAR

• 13—COFFEE SHOP

• 14—ZOO OR AQUARIUM

• 15—EMERGENCY COORDINATION CENTER

For venue group 2 (BUSINESS), the following options are available:

• 0—UNSPECIFIED BUSINESS

• 1—DOCTOR OR DENTIST OFFICE

• 2—BANK

• 3—FIRE STATION

• 4—POLICE STATION

• 6—POST OFFICE

• 7—PROFESSIONAL OFFICE

• 8—RESEARCH AND DEVELOPMENT FACILITY

• 9—ATTORNEY OFFICE

For venue group 3 (EDUCATIONAL), the following options are available:

• 0—UNSPECIFIED EDUCATIONAL

• 1—PRIMARY SCHOOL

• 2—SECONDARY SCHOOL


• 3—UNIVERSITY OR COLLEGE

For venue group 4 (FACTORY-INDUSTRIAL), the following options are available:

• 0—UNSPECIFIED FACTORY AND INDUSTRIAL

• 1—FACTORY

For venue group 5 (INSTITUTIONAL), the following options are available:

• 0—UNSPECIFIED INSTITUTIONAL

• 1—HOSPITAL

• 2—LONG-TERM CARE FACILITY

• 3—ALCOHOL AND DRUG RE-HABILITATION CENTER

• 4—GROUP HOME

• 5—PRISON OR JAIL

For venue group 6 (MERCANTILE), the following options are available:

• 0—UNSPECIFIED MERCANTILE

• 1—RETAIL STORE

• 2—GROCERY MARKET

• 3—AUTOMOTIVE SERVICE STATION

• 4—SHOPPING MALL

• 5—GAS STATION

For venue group 7 (RESIDENTIAL), the following options are available:

• 0—UNSPECIFIED RESIDENTIAL

• 1—PRIVATE RESIDENCE

• 2—HOTEL OR MOTEL

• 3—DORMITORY

• 4—BOARDING HOUSE

For venue group 8 (STORAGE), the option is:

• 0—UNSPECIFIED STORAGE

For venue group 9 (UTILITY-MISC), the option is:

• 0—UNSPECIFIED UTILITY AND MISCELLANEOUS

For venue group 10 (VEHICULAR), the following options are available:

• 0—UNSPECIFIED VEHICULAR

• 1—AUTOMOBILE OR TRUCK

• 2—AIRPLANE

• 3—BUS

• 4—FERRY

• 5—SHIP OR BOAT

• 6—TRAIN

• 7—MOTOR BIKE

For venue group 11 (OUTDOOR), the following options are available:

• 0—UNSPECIFIED OUTDOOR

• 1—MINI-MESH NETWORK

• 2—CITY PARK

• 3—REST AREA


• 4—TRAFFIC CONTROL

• 5—BUS STOP

• 6—KIOSK

name: Configures the name of venue for this access point.

language_code: ISO-639 encoded string defining the language used at the venue. This string is a three-character language code. For example, you can enter ENG for English.

venue_name: Venue name for this access point. This name is associated with the basic service set (BSS) and is used in cases where the SSID does not provide enough information about the venue. The venue name is case sensitive and can be up to 252 alphanumeric characters.

add: Adds the HotSpot venue name for this access point.

delete: Deletes the HotSpot venue name for this access point.

cisco_ap: Name of the Cisco access point.

Command Default

None

Command History

Release 7.6: This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the venue group as educational and venue type as university:

(Cisco Controller) > config ap hotspot venue type 3 3

config ap image predownload

To configure an image on a specified access point, use the config ap image predownload command.

config ap image predownload {abort | primary | backup} {cisco_ap | all}

Syntax Description

abort: Aborts the predownload image process.

primary: Predownloads an image to a Cisco access point from the controller's primary image.

cisco_ap: Name of a Cisco lightweight access point.

all: Specifies all access points to predownload an image.

Note: If an AP itself is configured with the keyword all, the all access points case takes precedence over that AP.

Command Default

None

Command History

Release 7.6: This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to predownload an image to an access point from the primary image:

(Cisco Controller) > config ap image predownload primary all

config ap image swap

To swap an access point’s primary and backup images, use the config ap image swap command.

config ap image swap {cisco_ap | all}

Syntax Description

cisco_ap: Name of a Cisco lightweight access point.

all: Specifies all access points to interchange the boot images.

Note: If an AP itself is configured with the keyword all, the all access points case takes precedence over that AP.

Command Default

None

Command History

Release 7.6: This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to swap an access point’s primary and secondary images:

(Cisco Controller) > config ap image swap all

config ap led-state

To configure the LED state of an access point or to configure the flashing of LEDs, use the config ap led-state command.

config ap led-state {enable | disable} {cisco_ap | all}

config ap led-state flash {seconds | indefinite | disable} {cisco_ap | dual-band}

Syntax Description

enable: Enables the LED state of an access point.

disable: Disables the LED state of an access point.

cisco_ap: Name of a Cisco lightweight access point.

flash: Configures the flashing of LEDs for an access point.

seconds: Duration that the LEDs have to flash. The range is from 1 to 3600 seconds.

indefinite: Configures indefinite flashing of the access point’s LED.

dual-band: Configures the LED state for all dual-band access points.

Usage Guidelines

Note: If an AP itself is configured with the keyword all, the all access points case takes precedence over that AP.

LEDs on access points with dual-band radio module will flash green and blue when you execute the led state flash command.

Command Default

None

Command History

Release 7.6: This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable the LED state for an access point:

(Cisco Controller) > config ap led-state enable AP02

The following example shows how to enable the flashing of LEDs for dual-band access points:

(Cisco Controller) > config ap led-state flash 20 dual-band

config ap link-encryption

To configure the Datagram Transport Layer Security (DTLS) data encryption for access points on the 5500 series controller, use the config ap link-encryption command.

Note: If an AP itself is configured with the keyword all, the all access points case takes precedence over that AP.

config ap link-encryption {enable | disable} {cisco_ap | all}

Syntax Description

enable: Enables the DTLS data encryption for access points.

disable: Disables the DTLS data encryption for access points.

cisco_ap: Name of a Cisco lightweight access point.

all: Specifies all access points.

Command Default

DTLS data encryption is enabled automatically for OfficeExtend access points but disabled by default for all other access points.

Command History

Release 7.6: This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

Only Cisco 5500 Series Controllers support DTLS data encryption. This feature is not available on other controller platforms. If an access point with data encryption enabled tries to join any other controller, the access point joins the controller, but data packets are sent unencrypted.

Only Cisco 1130, 1140, 1240, and 1250 series access points support DTLS data encryption, and data-encrypted access points can join a Cisco 5500 Series Controller only if the wplus license is installed on the controller. If the wplus license is not installed, the access points cannot join the controller.

Examples

The following example shows how to enable the data encryption for an access point:

(Cisco Controller) > config ap link-encryption enable AP02

config ap link-latency

To configure link latency for a specific access point or for all access points currently associated to the controller, use the config ap link-latency command.

Note: If an AP itself is configured with the keyword all, the all access points case takes precedence over that AP.

config ap link-latency {enable | disable | reset} {cisco_ap | all}

Syntax Description

enable: Enables the link latency for an access point.

disable: Disables the link latency for an access point.

reset: Resets all link latency for all access points.

cisco_ap: Name of the Cisco lightweight access point.

all: Specifies all access points.

Command Default

By default, link latency is in disabled state.

Command History

Release 7.6: This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

This command enables or disables link latency only for access points that are currently joined to the controller. It does not apply to access points that join in the future.

Examples

The following example shows how to enable the link latency for all access points:

(Cisco Controller) > config ap link-latency enable all

config ap location

To modify the descriptive location of a Cisco lightweight access point, use the config ap location command.

config ap location location cisco_ap

Syntax Description

location: Location name of the access point (enclosed by double quotation marks).

cisco_ap: Name of the Cisco lightweight access point.

Command Default

None

Command History

Release 7.6: This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

The Cisco lightweight access point must be disabled before changing this parameter.

Examples

The following example shows how to configure the descriptive location for access point AP1:

(Cisco Controller) > config ap location "Building 1" AP1

config ap logging syslog level

To set the severity level for filtering syslog messages for a particular access point or for all access points, use the config ap logging syslog level command.

config ap logging syslog level severity_level {cisco_ap | all}

Syntax Description

severity_level: Severity levels are as follows:

• emergencies—Severity level 0

• alerts—Severity level 1

• critical—Severity level 2

• errors—Severity level 3

• warnings—Severity level 4

• notifications—Severity level 5

• informational—Severity level 6

• debugging—Severity level 7

cisco_ap: Cisco access point.

all: Specifies all access points.

Note: If an AP itself is configured with the keyword all, the all access points case takes precedence over that AP.

Command Default

None

Command History

Release 7.6: This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

If you set a syslog level, only those messages whose severity is equal to or less than that level are sent to the access point. For example, if you set the syslog level to Warnings (severity level 4), only those messages whose severity is between 0 and 4 are sent to the access point.

Examples

This example shows how to set the severity for filtering syslog messages to 3:

(Cisco Controller) > config ap logging syslog level 3

config ap logging syslog facility

To set the facility level for filtering syslog messages for a particular access point or for all access points, use the config ap logging syslog facility command.

config ap logging syslog facility facility-level {cisco_ap | all}

Syntax Description

facility-level: Facility level is one of the following:

• auth = Authorization system.

• cron = Cron/at facility.

• daemon = System daemons.

• kern = Kernel.

• local0 = Local use.

• local1 = Local use.

• local2 = Local use.

• local3 = Local use.

• local4 = Local use.

• local5 = Local use.


• local6 = Local use.

• local7 = Local use.

• lpr = Line printer system.

• mail = Mail system.

• news = USENET news.

• sys10 = System use.

• sys11 = System use.

• sys12 = System use.

• sys13 = System use.

• sys14 = System use.

• sys9 = System use.

• syslog = Syslog itself.

• user = User process.

• uucp = Unix-to-Unix copy system.

cisco_ap: Configures for a specific access point.

all: Configures for all access points.

Command Default

None

Command History

Release 7.6: This command was introduced in a release earlier than Release 7.6.

Examples

This example shows how to set the facility level for filtering syslog messages to auth for all access points:

(Cisco Controller) > config ap logging syslog facility auth all

config ap max-count

To configure the maximum number of access points supported by the Cisco Wireless LAN Controller (WLC), use the config ap max-count command.

config ap max-count number

Syntax Description

number: Number of access points supported by the Cisco WLC.

Command Default

None

Command History

Release 7.6: This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

The access point count of the Cisco WLC license overrides this count if the configured value is greater than the access point count of the license. A value of 0 indicates that there is no restriction on the maximum number of access points. If high availability is configured, you must reboot both the active and the standby Cisco WLCs after you configure the maximum number of access points supported by the Cisco WLC.

Examples

The following example shows how to configure the number of access points supported by the Cisco WLC:

(Cisco Controller) > config ap max-count 100

config ap mgmtuser add

To configure username, password, and secret password for AP management, use the config ap mgmtuser add command.

config ap mgmtuser add username AP_username password AP_password secret secret {all | cisco_ap}

Syntax Description

username: Configures the username for AP management.

AP_username: Management username.

password: Configures the password for AP management.

AP_password: AP management password.

secret (keyword): Configures the secret password for privileged AP management.

secret (value): AP management secret password.

all: Applies configuration to every AP that does not have a specific username.

cisco_ap: Cisco access point.

Command Default

None

Command History

Release 7.6: This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

The following requirements are enforced on the password:

• The password should contain characters from at least three of the following classes: lowercase letters, uppercase letters, digits, and special characters.

• No character in the password can be repeated more than three times consecutively.

• The password should not contain the management username or the reverse of the username.

• The password should not contain words like Cisco, oscic, admin, nimda, or any variant obtained by changing the capitalization of letters, by substituting 1, |, or !, by substituting 0 for o, or by substituting $ for s.

The following requirement is enforced on the secret password:

• The secret password should contain characters from at least three of the following classes: lowercase letters, uppercase letters, digits, or special characters.

Examples

The following example shows how to add a username, password, and secret password for AP management:

(Cisco Controller) > config ap mgmtuser add username acd password Arc_1234 secret Mid_45 all
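The password and secret rules listed under Usage Guidelines can be checked offline before credentials are pushed with config ap mgmtuser add. The following Python pre-check is an added example, not Cisco code; it assumes that 1, |, and ! stand in for the letter i and that username matching is case-insensitive, and the controller's own enforcement remains authoritative.

```python
import re

# Words the page lists as forbidden in the AP management password.
FORBIDDEN_WORDS = ("cisco", "oscic", "admin", "nimda")

# Look-alike substitutions named on the page. The page does not say which
# letter 1, | and ! replace; mapping them to "i" is an assumption.
LOOKALIKES = str.maketrans({"1": "i", "|": "i", "!": "i", "0": "o", "$": "s"})


def character_classes(text):
    """Return the set of character classes (lower/upper/digit/special) used."""
    classes = set()
    for ch in text:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("special")
    return classes


def normalize(text):
    """Fold case and undo look-alike substitutions before word matching."""
    return text.lower().translate(LOOKALIKES)


def check_password(username, password):
    """Return the list of violated password rules (empty list = passes)."""
    problems = []
    if len(character_classes(password)) < 3:
        problems.append("fewer than three character classes")
    # Four or more identical characters in a row is "more than three times".
    if re.search(r"(.)\1{3,}", password):
        problems.append("character repeated more than three times consecutively")
    # Case-insensitive username matching is an assumption (stricter than stated).
    user = username.lower()
    lowered = password.lower()
    if user and (user in lowered or user[::-1] in lowered):
        problems.append("contains the username or its reverse")
    folded = normalize(password)
    if any(word in folded for word in FORBIDDEN_WORDS):
        problems.append("contains a forbidden word or variant")
    return problems


def check_secret(secret):
    """The page states a single rule for the secret: three character classes."""
    if len(character_classes(secret)) < 3:
        return ["fewer than three character classes"]
    return []


if __name__ == "__main__":
    # First row is the example from the page; the rest are constructed samples.
    samples = [
        ("acd", "Arc_1234"),
        ("acd", "C1sc0_Wlc9"),
        ("acd", "Zaaaa_77Q"),
        ("acd", "Xdca_9921"),
    ]
    for user, pw in samples:
        result = check_password(user, pw)
        print(f"{pw!r}: {'OK' if not result else '; '.join(result)}")
    print("secret 'Mid_45':", check_secret("Mid_45") or "OK")
```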

config ap mgmtuser delete

To force a specific access point to use the controller’s global credentials, use the config ap mgmtuser delete command.

config ap mgmtuser delete cisco_ap

Syntax Description

cisco_ap: Access point.

Command Default

None

Command History

Release 7.6: This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to delete the credentials of an access point:

(Cisco Controller) > config ap mgmtuser delete cisco_ap1

config ap mode

To change a Cisco WLC communication option for an individual Cisco lightweight access point, use the config ap mode command.

config ap mode {bridge | flexconnect sensor submode {none | wips} | local submode {none | wips} | reap | rogue | sniffer | se-connect | monitor submode {none | wips} |} cisco_ap

Syntax Description

bridge: Converts from a lightweight access point to a mesh access point (bridge mode).

flexconnect: Enables FlexConnect mode on an access point.

local: Converts from an indoor mesh access point (MAP or RAP) to a nonmesh lightweight access point (local mode).

reap: Enables remote edge access point mode on an access point.

rogue: Enables wired rogue detector mode on an access point.

sniffer: Enables wireless sniffer mode on an access point.

se-connect: Enables spectrum expert mode on an access point.

flex+bridge: Enables flex+bridge mode on an access point.

submode: (Optional) Configures wIPS submode on an access point.

none: Disables the wIPS on an access point.

wips: Enables the wIPS submode on an access point.

sensor: Enables sensor mode for the Cisco AP.

cisco_ap: Name of the Cisco lightweight access point.

Command Default

Local

Command History

Release 7.6: This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

The sniffer mode captures and forwards all the packets from the clients on that channel to a remote machine that runs AiroPeek or other supported packet analyzer software. It includes information on the timestamp, signal strength, packet size and so on.

Examples

The following example shows how to set the controller to communicate with access point AP91 in bridge mode:

(Cisco Controller) > config ap mode bridge AP91

The following example shows how to set the controller to communicate with access point AP01 in local mode:

(Cisco Controller) > config ap mode local AP01

The following example shows how to set the controller to communicate with access point AP91 in remote office (REAP) mode:

(Cisco Controller) > config ap mode flexconnect AP91

The following example shows how to set the controller to communicate with access point AP91 in a wired rogue access point detector mode:

(Cisco Controller) > config ap mode rogue AP91

The following example shows how to set the controller to communicate with access point AP02 in wireless sniffer mode:

(Cisco Controller) > config ap mode sniffer AP02

config ap module3g

To configure the Cisco Universal Small Cell (USC) 8x18 Dual Mode Module, use the config ap module3g command.

config ap module3g {enable | disable} ap-name

Syntax Description

enable: Enables the Cisco USC 8x18 Dual Mode Module on the specified Cisco AP.

disable: Disables the Cisco USC 8x18 Dual Mode Module on the specified Cisco AP.

ap-name: Name of the Cisco AP.

Note: In Release 8.1, only Cisco Aironet 3600I and 3700I APs are supported.

Command Default

Enabled

Command History

Release 8.1: This command was introduced.

Usage Guidelines

You might be prompted with a co-existence warning when Wi-Fi in 2.4-GHz and 3G/4G module are enabled.

Examples

This example shows how to enable Cisco USC 8x18 Dual Mode Module on a Cisco AP named my-ap:

(Cisco Controller) > config ap module3g enable my-ap

config ap monitor-mode

To configure Cisco lightweight access point channel optimization, use the config ap monitor-mode command.

config ap monitor-mode {802.11b fast-channel | no-optimization | tracking-opt | wips-optimized} cisco_ap

Syntax Description

802.11b fast-channel: Configures 802.11b scanning channels for a monitor-mode access point.

no-optimization: Specifies no channel scanning optimization for the access point.

tracking-opt: Enables tracking optimized channel scanning for the access point.

wips-optimized: Enables wIPS optimized channel scanning for the access point.

cisco_ap: Name of the Cisco lightweight access point.

Command Default

None

Command History

Release 7.6: This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure a Cisco wireless intrusion prevention system (wIPS) monitor mode on access point AP01:

(Cisco Controller) > config ap monitor-mode wips-optimized AP01

config ap name

To modify the name of a Cisco lightweight access point, use the config ap name command.

config ap name new_name old_name

Syntax Description

new_name: Desired Cisco lightweight access point name.

old_name: Current Cisco lightweight access point name.

Command Default

None

Command History

Release 7.6: This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to modify the name of access point AP1 to AP2:

(Cisco Controller) > config ap name AP2 AP1

config ap packet-dump

To configure the Packet Capture parameters on access points, use the config ap packet-dump command.

config ap packet-dump {buffer-size Size_in_KB | capture-time Time_in_Min | ftp serverip IP_addr path path username username password password | start MAC_address Cisco_AP | stop | truncate Length_in_Bytes}

config ap packet-dump classifier {{arp | broadcast | control | data | dot1x | iapp | ip | management | multicast} {enable | disable} | tcp {enable | disable | port TCP_Port {enable | disable}} | udp {enable | disable | port UDP_Port {enable | disable}}}

Syntax Description

buffer-size: Configures the buffer size for Packet Capture in the access point.

Size_in_KB: Size of the buffer. The range is from 1024 to 4096 KB.

capture-time: Configures the timer value for Packet Capture.

Time_in_Min: Timer value for Packet Capture. The range is from 1 to 60 minutes.

ftp: Configures FTP parameters for Packet Capture.

serverip: Configures the FTP server.

IP_addr: IP address of the FTP server.

path path: Configures FTP server path.

username user_ID: Configures the username for the FTP server.

password password: Configures the password for the FTP server.

start: Starts Packet Capture from the access point.

MAC_address: Client MAC Address for Packet Capture.

Cisco_AP: Name of the Cisco access point.

stop: Stops Packet Capture from the access point.

truncate: Truncates the packet to the specified length during Packet Capture.

Length_in_Bytes: Length of the packet after truncation. The range is from 20 to 1500.

classifier: Configures the classifier information for Packet Capture. You can specify the type of packets that needs to be captured.

arp: Captures ARP packets.

enable: Enables capture of ARP, broadcast, 802.11 control, 802.11 data, dot1x, Inter Access Point Protocol (IAPP), IP, 802.11 management, or multicast packets.

disable: Disables capture of ARP, broadcast, 802.11 control, 802.11 data, dot1x, IAPP, IP, 802.11 management, or multicast packets.

broadcast: Captures broadcast packets.

control: Captures 802.11 control packets.

data: Captures 802.11 data packets.

dot1x: Captures dot1x packets.

iapp: Captures IAPP packets.

ip: Captures IP packets.

management: Captures 802.11 management packets.

multicast: Captures multicast packets.

tcp: Captures TCP packets.

TCP_Port: TCP port number. The range is from 1 to 65535.

udp: Captures UDP packets.

UDP_Port: UDP port number. The range is from 1 to 65535.

server_ip: FTP server IP address.

Command Default

The default buffer size is 2 MB. The default capture time is 10 minutes.

Command History

Release 7.6: This command was introduced in a release earlier than Release 7.6.

Release 8.0: This command supports both IPv4 and IPv6 address formats.

Usage Guidelines

Packet Capture does not work during intercontroller roaming.

The controller does not capture packets created in the radio firmware and sent out of the access point, such as a beacon or probe response. Only packets that flow through the Radio driver in the Tx path will be captured.

Use the command config ap packet-dump start to start the Packet Capture from the access point. When you start Packet Capture, the controller sends a Control and Provisioning of Wireless Access Points protocol (CAPWAP) message to the access point to which the client is associated and captures packets. You must configure the FTP server and ensure that the client is associated to the access point before you start Packet Capture. If the client is not associated to the access point, you must specify the name of the access point.

This command supports both IPv4 and IPv6 address formats.

Examples

The following example shows how to start Packet Capture from an access point:

(Cisco Controller) > config ap packet-dump start 00:0d:28:f4:c0:45 AP1

The following example shows how to capture 802.11 control packets from an access point:

(Cisco Controller) > config ap packet-dump classifier control enable

config ap port

To configure the port for a foreign access point, use the config ap port command.

config ap port MAC port

Syntax Description

MAC: Foreign access point MAC address.

port: Port number for accessing the foreign access point.

Command Default

None

Command History

Release 7.6: This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the port for a foreign access point MAC address:

(Cisco Controller) > config ap port 12:12:12:12:12:12 20

config ap power injector

To configure the power injector state for an access point, use the config ap power injector command.

config ap power injector {enable | disable} {cisco_ap | all} {installed | override | switch_MAC}

Syntax Description

enable: Enables the power injector state for an access point.

disable: Disables the power injector state for an access point.

cisco_ap: Name of the Cisco lightweight access point.

all: Specifies all Cisco lightweight access points connected to the controller.

installed: Detects the MAC address of the current switch port that has a power injector.

override: Overrides the safety checks and assumes a power injector is always installed.

switch_MAC: MAC address of the switch port with an installed power injector.

Note: If an AP itself is configured with the keyword all, the all access points case takes precedence over that AP.

Command Default

None

Command History

Release 7.6: This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable the power injector state for all access points:

(Cisco Controller) > config ap power injector enable all 12:12:12:12:12:12

config ap power pre-standard

To enable or disable the inline power Cisco pre-standard switch state for an access point, use the config ap power pre-standard command.

config ap power pre-standard {enable | disable} cisco_ap

Syntax Description

enable      Enables the inline power Cisco pre-standard switch state for an access point.
disable     Disables the inline power Cisco pre-standard switch state for an access point.
cisco_ap    Name of the Cisco lightweight access point.

Command Default

Disabled.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable the inline power Cisco pre-standard switch state for access point AP02:

(Cisco Controller) > config ap power pre-standard enable AP02

config ap preferred-mode

To configure the preferred mode, use the config ap preferred-mode command.

config ap preferred-mode {ipv4 | ipv6 | any} {AP_name | Ap-group_name | all}

Syntax Description

ipv4             Configures IPv4 as the preferred mode.
ipv6             Configures IPv6 as the preferred mode.
any              Configures any as the preferred mode.
AP_name          Configures the preferred mode to the AP.
Ap-group_name    Configures the preferred mode to the AP group members.
all              Configures the preferred mode to all the APs.

Command Default

None

Command History

Release    Modification
8.0        This command was introduced. It supports both IPv4 and IPv6.

Examples

The following example shows how to configure IPv6 as the preferred mode to lightweight access point AP1:

(Cisco Controller) > config ap preferred-mode ipv6 AP1

config ap primary-base

To set the Cisco lightweight access point primary Cisco WLC, use the config ap primary-base command.

config ap primary-base controller_name Cisco_AP [controller_ip_address]

Syntax Description

controller_name          Name of the Cisco WLC.
Cisco_AP                 Cisco lightweight access point name.
controller_ip_address    (Optional) If the backup controller is outside the mobility group to which the access point is connected, then you need to provide the IP address of the primary, secondary, or tertiary controller.

Note

For OfficeExtend access points, you must enter both the name and IP address of the controller. Otherwise, the access point cannot join this controller.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.
8.0        This command supports both IPv4 and IPv6 address formats.

Usage Guidelines

The Cisco lightweight access point associates with this Cisco WLC for all network operations and in the event of a hardware reset.

OfficeExtend access points do not use the generic broadcast or over-the-air (OTAP) discovery process to find a controller. You must configure one or more controllers because OfficeExtend access points try to connect only to their configured controllers.

This command supports both IPv4 and IPv6 address formats.

Examples

The following example shows how to set an access point primary Cisco WLC IPv4 address for a Cisco AP:

(Cisco Controller) > config ap primary-base SW_1 AP2 10.0.0.0

The following example shows how to set an access point primary Cisco WLC IPv6 address for a Cisco AP:

(Cisco Controller) > config ap primary-base SW_1 AP2 2001:DB8:0:1::1

Related Commands

show ap config general

config ap priority

To assign a priority designation to an access point that allows it to reauthenticate after a controller failure by priority rather than on a first-come-until-full basis, use the config ap priority command.

config ap priority {1 | 2 | 3 | 4} cisco_ap

Syntax Description

1           Specifies low priority.
2           Specifies medium priority.
3           Specifies high priority.
4           Specifies the highest (critical) priority.
cisco_ap    Cisco lightweight access point name.

Command Default

1 - Low priority.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

In a failover situation, if the backup controller does not have enough ports to allow all the access points in the affected area to reauthenticate, it gives priority to higher-priority access points over lower-priority ones, even if it means replacing lower-priority access points.

Examples

The following example shows how to assign a priority designation to access point AP02 that allows it to reauthenticate after a controller failure by assigning a reauthentication priority 3:

(Cisco Controller) > config ap priority 3 AP02

config ap reporting-period

To reset a Cisco lightweight access point reporting period, use the config ap reporting-period command.

config ap reporting-period period

Syntax Description

period    Time period in seconds between 10 and 120.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to reset an access point reporting period to 120 seconds:

> config ap reporting-period 120

config ap reset

To reset a Cisco lightweight access point, use the config ap reset command.

config ap reset cisco_ap

Syntax Description

cisco_ap    Cisco lightweight access point name.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to reset an access point:

(Cisco Controller) > config ap reset AP2

config ap retransmit interval

To configure the access point control packet retransmission interval, use the config ap retransmit interval command.

config ap retransmit interval seconds {all | cisco_ap}

Syntax Description

seconds     AP control packet retransmission timeout between 2 and 5 seconds.
all         Specifies all access points.
cisco_ap    Cisco lightweight access point name.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the retransmission interval for all access points globally:

(Cisco Controller) > config ap retransmit interval 4 all

config ap retransmit count

To configure the access point control packet retransmission count, use the config ap retransmit count command.

config ap retransmit count count {all | cisco_ap}

Syntax Description

count       Number of times control packet will be retransmitted. The range is from 3 to 8.
all         Specifies all access points.
cisco_ap    Cisco lightweight access point name.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the retransmission retry count for a specific access point:

(Cisco Controller) > config ap retransmit count 6 cisco_ap

config ap role

To specify the role of an access point in a mesh network, use the config ap role command.

config ap role {rootAP | meshAP} cisco_ap

Syntax Description

rootAP      Designates the mesh access point as a root access point (RAP).
meshAP      Designates the mesh access point as a mesh access point (MAP).
cisco_ap    Name of the Cisco lightweight access point.

Command Default

meshAP.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

Use the meshAP keyword if the access point has a wireless connection to the controller, or use the rootAP keyword if the access point has a wired connection to the controller. If you change the role of the AP, the AP will be rebooted.

Examples

The following example shows how to designate mesh access point AP02 as a root access point:

(Cisco Controller) > config ap role rootAP AP02
Changing the AP's role will cause the AP to reboot.
Are you sure you want to continue? (y/n)

config ap rst-button

To configure the Reset button for an access point, use the config ap rst-button command.

config ap rst-button {enable | disable} cisco_ap

Syntax Description

enable      Enables the Reset button for an access point.
disable     Disables the Reset button for an access point.
cisco_ap    Name of the Cisco lightweight access point.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the Reset button for access point AP03:

(Cisco Controller) > config ap rst-button enable AP03

config ap secondary-base

To set the Cisco lightweight access point secondary Cisco WLC, use the config ap secondary-base command.

config ap secondary-base Controller_name Cisco_AP [Controller_IP_address]

Syntax Description

controller_name          Name of the Cisco WLC.
Cisco_AP                 Cisco lightweight access point name.
Controller_IP_address    (Optional) If the backup Cisco WLC is outside the mobility group to which the access point is connected, then you need to provide the IP address of the primary, secondary, or tertiary Cisco WLC.

Note

For OfficeExtend access points, you must enter both the name and IP address of the Cisco WLC. Otherwise, the access point cannot join this Cisco WLC.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.
8.0        This command supports both IPv4 and IPv6 address formats.

Usage Guidelines

The Cisco lightweight access point associates with this Cisco WLC for all network operations and in the event of a hardware reset.

OfficeExtend access points do not use the generic broadcast or over-the-air (OTAP) discovery process to find a Cisco WLC. You must configure one or more Cisco WLCs because OfficeExtend access points try to connect only to their configured Cisco WLCs.

This command supports both IPv4 and IPv6 address formats.

Examples

The following example shows how to set an access point secondary Cisco WLC:

(Cisco Controller) > config ap secondary-base SW_1 AP2 10.0.0.0

The following example shows how to set an access point secondary Cisco WLC IPv6 address for a Cisco AP:

(Cisco Controller) > config ap secondary-base SW_1 AP2 2001:DB8:0:1::1

Related Commands

show ap config general

config ap sniff

To enable or disable sniffing on an access point, use the config ap sniff command.

config ap sniff {802.11a | 802.11b} {enable channel server_ip | disable} cisco_ap

Syntax Description

802.11a      Specifies the 802.11a network.
802.11b      Specifies the 802.11b network.
enable       Enables sniffing on an access point.
channel      Channel to be sniffed.
server_ip    IP address of the remote machine running Omnipeek, Airopeek, AirMagnet, or Wireshark software.
disable      Disables sniffing on an access point.
cisco_ap     Access point configured as the sniffer.

Command Default

Channel 36.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

When the sniffer feature is enabled on an access point, it starts sniffing the signal on the given channel. It captures and forwards all the packets to the remote computer that runs Omnipeek, Airopeek, AirMagnet, or Wireshark software. It includes information on the timestamp, signal strength, packet size and so on.

Before an access point can act as a sniffer, a remote computer that runs one of the listed packet analyzers must be set up so that it can receive packets sent by the access point. After the Airopeek installation, copy the following .dll files to the location where Airopeek is installed:

• socket.dll file to the Plug-ins folder (for example, C:\Program Files\WildPackets\AiroPeek\Plugins)

• socketres.dll file to the PluginRes folder (for example, C:\Program Files\WildPackets\AiroPeek\1033\PluginRes)

Examples

The following example shows how to enable sniffing on an 802.11a access point from the primary Cisco WLC:

(Cisco Controller) > config ap sniff 802.11a enable 23 11.22.44.55 AP01

config ap ssh

To enable Secure Shell (SSH) connectivity on an access point, use the config ap ssh command.

config ap ssh {enable | disable | default} {cisco_ap | all}

Syntax Description

enable      Enables the SSH connectivity on an access point.
disable     Disables the SSH connectivity on an access point.
default     Replaces the specific SSH configuration of an access point with the global SSH configuration.
cisco_ap    Cisco access point name.
all         All access points.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

The Cisco lightweight access point associates with this Cisco wireless LAN controller for all network operation and in the event of a hardware reset.

Examples

The following example shows how to enable SSH connectivity on access point Cisco_ap2:

> config ap ssh enable cisco_ap2

config ap static-ip

To configure static IP address settings on a Cisco lightweight access point, use the config ap static-ip command.

config ap static-ip {enable Cisco_AP AP_IP_addr IP_netmask/prefix_length gateway | disable Cisco_AP | add {domain {Cisco_AP | all} domain_name | nameserver {Cisco_AP | all} nameserver-ip} | delete {domain | nameserver} {Cisco_AP | all}}

Syntax Description

enable                      Enables the Cisco lightweight access point static IP address.
disable                     Disables the Cisco lightweight access point static IP address. The access point uses DHCP to get the IP address.
Cisco_AP                    Cisco lightweight access point name.
AP_IP_addr                  Cisco lightweight access point IP address.
IP_netmask/prefix_length    Cisco lightweight access point network mask.
gateway                     IP address of the Cisco lightweight access point gateway.
add                         Adds a domain or DNS server.
domain                      Specifies the domain to which a specific access point or all access points belong.
all                         Specifies all access points.
domain_name                 Specifies a domain name.
nameserver                  Specifies a DNS server so that a specific access point or all access points can discover the controller using DNS resolution.
nameserver-ip               DNS server IP address.
delete                      Deletes a domain or DNS server.

Note

If an access point is itself configured with the name all, the keyword all (all access points) takes precedence over the access point named all.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.
8.0        This command supports both IPv4 and IPv6 address formats.

Usage Guidelines

An access point cannot discover the controller using Domain Name System (DNS) resolution if a static IP address is configured for the access point, unless you specify a DNS server and the domain to which the access point belongs.

After you enter the IPv6 address, prefix length, and IPv6 gateway address, the CAPWAP tunnel restarts for the access point. Changing the AP's IP address will cause the AP to disjoin. After the access point rejoins the controller, you can enter the domain and IPv6 DNS server information.

This command supports both IPv4 and IPv6 address formats.

Examples

The following example shows how to configure static IP address on an access point:

(Cisco Controller) > config ap static-ip enable AP2 1.1.1.1 255.255.255.0 209.165.200.254

The following example shows how to configure static IPv6 address on an access point:

(Cisco Controller) > config ap static-ip enable AP2 2001:DB8:0:1::1

Related Commands

show ap config general

config ap stats-timer

To set the time in seconds that the Cisco lightweight access point sends its DOT11 statistics to the Cisco wireless LAN controller, use the config ap stats-timer command.

config ap stats-timer period cisco_ap

Syntax Description

period      Time in seconds from 0 to 65535. A zero value disables the timer.
cisco_ap    Cisco lightweight access point name.

Command Default

The default value is 0 (disabled state).

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

A value of 0 (zero) means that the Cisco lightweight access point does not send any DOT11 statistics. The acceptable range for the timer is from 0 to 65535 seconds, and the Cisco lightweight access point must be disabled to set this value.

Examples

The following example shows how to set the stats timer to 600 seconds for access point AP2:

(Cisco Controller) > config ap stats-timer 600 AP2

config ap syslog host global

To configure a global syslog server for all access points that join the controller, use the config ap syslog host global command.

config ap syslog host global ip_address

Syntax Description

ip_address    IPv4/IPv6 address of the syslog server.

Command Default

The default value of the IPv4 address of the syslog server is 255.255.255.255.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.
8.0        This command supports both IPv4 and IPv6 address formats.

Usage Guidelines

By default, the global syslog server IP address for all access points is 255.255.255.255. Make sure that the access points can reach the subnet on which the syslog server resides before configuring the syslog server on the controller. If the access points cannot reach this subnet, the access points are unable to send out syslog messages.

This command supports both IPv4 and IPv6 address formats.

Examples

The following example shows how to configure a global syslog server, using IPv4 address, for all access points:

(Cisco Controller) > config ap syslog host global 255.255.255.255

The following example shows how to configure a global syslog server, using IPv6 address, for all access points:

(Cisco Controller) > config ap syslog host global 2001:9:10:56::100

config ap syslog host specific

To configure a syslog server for a specific access point, use the config ap syslog host specific command.

config ap syslog host specific ap_name ip_address

Syntax Description

ap_name       Cisco lightweight access point.
ip_address    IPv4/IPv6 address of the syslog server.

Command Default

The default value of the syslog server IP address is 0.0.0.0.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.
8.0        This command supports both IPv4 and IPv6 address formats.

Usage Guidelines

By default, the syslog server IP address for each access point is 0.0.0.0, indicating that it is not yet set. When the default value is used, the global access point syslog server IP address is pushed to the access point.

This command supports both IPv4 and IPv6 address formats.

Examples

The following example shows how to configure a syslog server:

(Cisco Controller) > config ap syslog host specific 0.0.0.0

The following example shows how to configure a syslog server for a specific AP, using IPv6 address:

(Cisco Controller) > config ap syslog host specific AP3600 2001:9:10:56::100

config ap tcp-mss-adjust

To enable or disable the TCP maximum segment size (MSS) on a particular access point or on all access points, use the config ap tcp-mss-adjust command.

config ap tcp-mss-adjust {enable | disable} {cisco_ap | all} size

Syntax Description

enable      Enables the TCP maximum segment size on an access point.
disable     Disables the TCP maximum segment size on an access point.
cisco_ap    Cisco access point name.
all         Specifies all access points.
size        Maximum segment size.
            • IPv4—Specify a value between 536 and 1363.
            • IPv6—Specify a value between 1220 and 1331.

Note

Any TCP MSS value that is below 1220 or above 1331 will not be effective for a CAPWAP v6 AP.

Note

If an access point is itself configured with the name all, the keyword all (all access points) takes precedence over the access point named all.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.
8.0        This command supports only IPv6.

Usage Guidelines

When you enable this feature, the access point checks for TCP packets to and from wireless clients in its data path. If the MSS of these packets is greater than the value that you configured or greater than the default value for the CAPWAP tunnel, the access point changes the MSS to the new configured value.

Examples

This example shows how to enable the TCP MSS on access point cisco_ap1 with a segment size of 1200 bytes:

(Cisco Controller) > config ap tcp-mss-adjust enable cisco_ap1 1200
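The clamping described in the Usage Guidelines, as an added Python sketch (not Cisco's implementation and not part of the original reference): it walks the TCP options of a SYN, lowers the MSS option to the configured size, and patches the checksum per RFC 1624. The function names and the sample headers are constructed for illustration; the size ranges come from the Syntax Description above.

```python
import struct

# Ranges from the Syntax Description of config ap tcp-mss-adjust.
SIZE_RANGE = {"ipv4": (536, 1363), "ipv6": (1220, 1331)}

# Constructed sample SYN headers (ports 49152 -> 443, arbitrary checksum 0x1234).
# First: MSS option 1460 directly after the fixed header (word aligned).
SAMPLE_SYN = struct.pack("!HHIIBBHHH", 49152, 443, 0, 0, 0x60, 0x02,
                         0xFFFF, 0x1234, 0) + bytes([2, 4, 0x05, 0xB4])
# Second: a leading NOP pushes the MSS value onto an odd byte offset.
SAMPLE_SYN_ODD = struct.pack("!HHIIBBHHH", 49152, 443, 0, 0, 0x70, 0x02,
                             0xFFFF, 0x1234, 0) + bytes([1, 2, 4, 0x05, 0xB4, 1, 1, 0])


def size_in_range(size, family):
    """True if size is inside the documented range for 'ipv4' or 'ipv6'."""
    low, high = SIZE_RANGE[family]
    return low <= size <= high


def _fold(value):
    """Fold carries back in (16-bit ones-complement addition)."""
    while value >> 16:
        value = (value & 0xFFFF) + (value >> 16)
    return value


def ones_sum(data):
    """16-bit ones-complement sum of a byte string (odd length is zero padded)."""
    if len(data) % 2:
        data += b"\x00"
    return _fold(sum(struct.unpack("!%dH" % (len(data) // 2), data)))


def clamp_mss(tcp_header, limit):
    """Lower the MSS option of a SYN to limit if it is larger.

    Returns (header, original_mss); original_mss is None when nothing changed.
    """
    hdr = bytearray(tcp_header)
    if len(hdr) < 20:
        return bytes(hdr), None
    end = (hdr[12] >> 4) * 4                 # data offset = header length in bytes
    if end < 20 or end > len(hdr) or not hdr[13] & 0x02:
        return bytes(hdr), None              # truncated header or not a SYN
    i = 20
    while i < end:
        kind = hdr[i]
        if kind == 0:                        # End of Option List
            break
        if kind == 1:                        # NOP is a single byte
            i += 1
            continue
        if i + 1 >= end or hdr[i + 1] < 2 or i + hdr[i + 1] > end:
            break                            # malformed option: leave the packet alone
        if kind == 2 and hdr[i + 1] == 4:    # MSS option
            mss = struct.unpack_from("!H", hdr, i + 2)[0]
            if mss <= limit:
                break
            before = ones_sum(bytes(hdr[20:end]))
            struct.pack_into("!H", hdr, i + 2, limit)
            after = ones_sum(bytes(hdr[20:end]))
            old_ck = struct.unpack_from("!H", hdr, 16)[0]
            # RFC 1624 incremental update: HC' = ~(~HC + ~m + m')
            new_ck = ~_fold((~old_ck & 0xFFFF) + (~before & 0xFFFF) + after) & 0xFFFF
            struct.pack_into("!H", hdr, 16, new_ck)
            return bytes(hdr), mss
        i += hdr[i + 1]
    return bytes(hdr), None
```

With the size of 1200 used in the example above, size_in_range reports a value that is valid for IPv4 but below the 1220 minimum that the note gives for CAPWAP v6 access points.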

config ap telnet

To enable Telnet connectivity on an access point, use the config ap telnet command.

config ap telnet {enable | disable | default} {cisco_ap | all}

Syntax Description

enable      Enables the Telnet connectivity on an access point.
disable     Disables the Telnet connectivity on an access point.
default     Replaces the specific Telnet configuration of an access point with the global Telnet configuration.
cisco_ap    Cisco access point name.
all         All access points.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

• The Cisco lightweight access point associates with this Cisco WLC for all network operation and in the event of a hardware reset.

• Telnet is not supported on Cisco Aironet 1810 OEAP, 1810W, 1830, 1850, 2800, and 3800 Series APs.

Examples

The following example shows how to enable Telnet connectivity on access point cisco_ap1:

(Cisco Controller) > config ap telnet enable cisco_ap1

The following example shows how to disable Telnet connectivity on access point cisco_ap1:

(Cisco Controller) > config ap telnet disable cisco_ap1

config ap tertiary-base

To set the Cisco lightweight access point tertiary Cisco WLC, use the config ap tertiary-base command.

config ap tertiary-base controller_name Cisco_AP [controller_ip_address]

Syntax Description

controller_name          Name of the Cisco WLC.
Cisco_AP                 Cisco lightweight access point name.
controller_ip_address    (Optional) If the backup controller is outside the mobility group to which the access point is connected, then you need to provide the IP address of the primary, secondary, or tertiary Cisco WLC.

Note

For OfficeExtend access points, you must enter both the name and IP address of the Cisco WLC. Otherwise, the access point cannot join this Cisco WLC.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.
8.0        This command supports both IPv4 and IPv6 address formats.

Usage Guidelines

OfficeExtend access points do not use the generic broadcast or over-the-air (OTAP) discovery process to find a Cisco WLC. You must configure one or more controllers because OfficeExtend access points try to connect only to their configured Cisco WLCs.

The Cisco lightweight access point associates with this Cisco WLC for all network operations and in the event of a hardware reset.

This command supports both IPv4 and IPv6 address formats.

Examples

This example shows how to set the access point tertiary Cisco WLC:

(Cisco Controller) > config ap tertiary-base SW_1 AP02 10.0.0.0

The following example shows how to set an access point tertiary Cisco WLC IPv6 address for a Cisco AP:

(Cisco Controller) > config ap tertiary-base SW_1 AP2 2001:DB8:0:1::1

Related Commands

show ap config general

config ap tftp-downgrade

To configure the settings used for downgrading a lightweight access point to an autonomous access point, use the config ap tftp-downgrade command.

config ap tftp-downgrade tftp_ip_address filename Cisco_AP

Syntax Description

tftp_ip_address    IP address of the TFTP server.
filename           Filename of the access point image file on the TFTP server.
Cisco_AP           Access point name.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.
8.0        This command supports both IPv4 and IPv6 address formats.

Examples

The following example shows how to configure the settings for downgrading access point ap1240_102301:

(Cisco Controller) > config ap tftp-downgrade 209.165.200.224 1238.tar ap1240_102301
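Several commands in this part of the reference point an access point at another host (config ap sniff, config ap syslog host, config ap primary-base and its secondary and tertiary forms, config ap static-ip add nameserver, config ap tftp-downgrade), and config ap telnet enables a cleartext management service. The following Python sketch is an added example, not Cisco code: it reviews a constructed list of controller commands and reports every destination outside an allowlist, plus any Telnet enable. The allowlist, the function names and the sample lines are assumptions.

```python
import ipaddress

# Hypothetical allowlist: networks where analyzers, syslog collectors, DNS and
# TFTP servers, and controllers are expected to live.
ALLOWED_NETS = [ipaddress.ip_network("198.51.100.0/24"),
                ipaddress.ip_network("2001:db8:0:1::/64")]

# Constructed sample input (documentation address ranges), written with the
# command syntax given in this reference. Not captured from a real controller.
SAMPLE_COMMANDS = [
    "config ap sniff 802.11a enable 36 198.51.100.20 AP01",
    "config ap sniff 802.11b enable 6 203.0.113.77 AP04",
    "config ap syslog host global 255.255.255.255",
    "config ap syslog host specific AP3600 2001:db8:0:1::100",
    "config ap tftp-downgrade 192.0.2.9 image.tar AP05",
    "config ap primary-base SW_1 AP2 198.51.100.1",
    "config ap secondary-base SW_2 AP2",
    "config ap telnet enable AP07",
    "config ap telnet disable AP08",
    "config ap static-ip add nameserver all 198.51.100.53",
]


def destinations(line):
    """Return (purpose, address_token) pairs for hosts a command points an AP at."""
    tokens = line.split()
    if tokens[:2] != ["config", "ap"]:
        return []
    a = tokens[2:]
    if a[:1] == ["sniff"] and len(a) >= 5 and a[2] == "enable":
        return [("sniffer capture target", a[4])]
    if a[:3] == ["syslog", "host", "global"] and len(a) >= 4:
        return [("global syslog server", a[3])]
    if a[:3] == ["syslog", "host", "specific"] and len(a) >= 5:
        return [("AP syslog server", a[4])]
    if a[:1] == ["tftp-downgrade"] and len(a) >= 2:
        return [("TFTP image server", a[1])]
    if a and a[0] in ("primary-base", "secondary-base", "tertiary-base") and len(a) >= 4:
        return [(a[0] + " controller", a[3])]      # optional controller IP given
    if a[:3] == ["static-ip", "add", "nameserver"] and len(a) >= 5:
        return [("DNS server", a[4])]
    return []


def audit(lines, allowed=ALLOWED_NETS):
    """Return (line_number, finding, detail) tuples for a list of commands."""
    findings = []
    for number, line in enumerate(lines, 1):
        tokens = line.split()
        if tokens[:4] == ["config", "ap", "telnet", "enable"]:
            # Telnet carries credentials and session data unencrypted.
            findings.append((number, "telnet-enabled", " ".join(tokens[4:])))
        for purpose, token in destinations(line):
            try:
                ip = ipaddress.ip_address(token)
            except ValueError:
                findings.append((number, "bad-address", token))
                continue
            if not any(ip.version == net.version and ip in net for net in allowed):
                findings.append((number, "unlisted-destination", f"{purpose}: {ip}"))
    return findings


if __name__ == "__main__":
    for number, finding, detail in audit(SAMPLE_COMMANDS):
        print(f"line {number}: {finding}: {detail}")
```

The default global syslog address 255.255.255.255 documented above is reported as an unlisted destination, which is a useful prompt to set an explicit collector.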

config ap username

To assign a username and password to access either a specific access point or all access points, use the config ap username command.

config ap username user_id password passwd [all | ap_name]

Syntax Description

user_id    Administrator username.
passwd     Administrator password.
all        (Optional) Specifies all access points.
ap_name    Name of a specific access point.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to assign a username and password to a specific access point:

(Cisco Controller) > config ap username jack password blue la204

The following example shows how to assign the same username and password to all access points:

(Cisco Controller) > config ap username jack password blue all

config ap venue

To configure the venue information for 802.11u network on an access point, use the config ap venue command.

config ap venue {add venue_name venue-group venue-type lang-code cisco-ap | delete}

Syntax Description

add            Adds venue information.
venue_name     Venue name.
venue_group    Venue group category. See the table below for details on venue group mappings.
venue_type     Venue type. This value depends on the venue-group specified. See the table below for venue group mappings.
lang_code      Language used. An ISO-14962-1997 encoded string that defines the language. This string is a three character language code. Enter the first three letters of the language in English (for example, eng for English).
cisco_ap       Name of the access point.
delete         Deletes venue information.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to set the venue details for an access point named cisco-ap1:

(Cisco Controller) > config ap venue add test 11 34 eng cisco-ap1

This table lists the different venue types for each venue group.

Table 5: Venue Group Mapping

Venue Group Name      Value   Venue Type for Group

UNSPECIFIED           0

ASSEMBLY              1       • 0—UNSPECIFIED ASSEMBLY
                              • 1—ARENA
                              • 2—STADIUM
                              • 3—PASSENGER TERMINAL (E.G., AIRPORT, BUS, FERRY, TRAIN STATION)
                              • 4—AMPHITHEATER
                              • 5—AMUSEMENT PARK
                              • 6—PLACE OF WORSHIP
                              • 7—CONVENTION CENTER
                              • 8—LIBRARY
                              • 9—MUSEUM
                              • 10—RESTAURANT
                              • 11—THEATER
                              • 12—BAR
                              • 13—COFFEE SHOP
                              • 14—ZOO OR AQUARIUM
                              • 15—EMERGENCY COORDINATION CENTER

BUSINESS              2       • 0—UNSPECIFIED BUSINESS
                              • 1—DOCTOR OR DENTIST OFFICE
                              • 2—BANK
                              • 3—FIRE STATION
                              • 4—POLICE STATION
                              • 6—POST OFFICE
                              • 7—PROFESSIONAL OFFICE
                              • 8—RESEARCH AND DEVELOPMENT FACILITY
                              • 9—ATTORNEY OFFICE

EDUCATIONAL           3       • 0—UNSPECIFIED EDUCATIONAL
                              • 1—SCHOOL, PRIMARY
                              • 2—SCHOOL, SECONDARY
                              • 3—UNIVERSITY OR COLLEGE

FACTORY-INDUSTRIAL    4       • 0—UNSPECIFIED FACTORY AND INDUSTRIAL
                              • 1—FACTORY

INSTITUTIONAL         5       • 0—UNSPECIFIED INSTITUTIONAL
                              • 1—HOSPITAL
                              • 2—LONG-TERM CARE FACILITY (E.G., NURSING HOME, HOSPICE, ETC.)
                              • 3—ALCOHOL AND DRUG RE-HABILITATION CENTER
                              • 4—GROUP HOME
                              • 5—PRISON OR JAIL

MERCANTILE            6       • 0—UNSPECIFIED MERCANTILE
                              • 1—RETAIL STORE
                              • 2—GROCERY MARKET
                              • 3—AUTOMOTIVE SERVICE STATION
                              • 4—SHOPPING MALL
                              • 5—GAS STATION

RESIDENTIAL           7       • 0—UNSPECIFIED RESIDENTIAL
                              • 1—PRIVATE RESIDENCE
                              • 2—HOTEL OR MOTEL
                              • 3—DORMITORY
                              • 4—BOARDING HOUSE

STORAGE               8       UNSPECIFIED STORAGE

UTILITY-MISC          9       0—UNSPECIFIED UTILITY AND MISCELLANEOUS

VEHICULAR             10      • 0—UNSPECIFIED VEHICULAR
                              • 1—AUTOMOBILE OR TRUCK
                              • 2—AIRPLANE
                              • 3—BUS
                              • 4—FERRY
                              • 5—SHIP OR BOAT
                              • 6—TRAIN
                              • 7—MOTOR BIKE

OUTDOOR               11      • 0—UNSPECIFIED OUTDOOR
                              • 1—MUNI-MESH NETWORK
                              • 2—CITY PARK
                              • 3—REST AREA
                              • 4—TRAFFIC CONTROL
                              • 5—BUS STOP
                              • 6—KIOSK

config ap wlan

To enable or disable wireless LAN override for a Cisco lightweight access point radio, use the config ap wlan command.

config ap wlan {enable | disable} {802.11a | 802.11b} wlan_id cisco_ap

Syntax Description

enable      Enables the wireless LAN override on an access point.
disable     Disables the wireless LAN override on an access point.
802.11a     Specifies the 802.11a network.
802.11b     Specifies the 802.11b network.
wlan_id     Cisco wireless LAN controller ID assigned to a wireless LAN.
cisco_ap    Cisco lightweight access point name.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable wireless LAN override on the AP03 802.11a radio:

(Cisco Controller) > config ap wlan 802.11a AP03


config atf 802.11

To configure Cisco Air Time Fairness (ATF) at the network level, at an AP group level, or at an AP radio level, use the config atf 802.11 command.

config atf 802.11{a | b} {mode {disable | monitor | enforce-policy} {[ap-group-name] | [ap-name]}} | {optimization {enable | disable}}

Syntax Description

a: Specifies the 802.11a network settings.
b: Specifies the 802.11b/g network settings.
mode: Configures the granularity of Cisco ATF enforcement.
disable: Disables Cisco ATF.
monitor: Configures Cisco ATF in monitor mode.
enforce-policy: Configures Cisco ATF in enforcement mode.
optimization: Configures airtime optimization.
enable: Enables airtime optimization.
disable: Disables airtime optimization.

Command History

Release 8.1: This command was introduced.

Examples

• To configure Cisco ATF in monitor mode on an 802.11a network, enter this command:

(Cisco Controller) > config atf 802.11a mode monitor

• To enable airtime optimization on an 802.11a network, enter this command:

(Cisco Controller) > config atf 802.11a optimization enable


config atf policy

To configure Cisco Air Time Fairness (ATF) policies, use the config atf policy command.

config atf policy {{create policy-id policy-name policy-weight} | {modify {weight policy-weight policy-name} | {client-sharing {enable | disable} policy-name}} | {delete policy-name}}

Syntax Description

create: Creates an air time policy.
modify: Modifies an air time policy.
delete: Deletes an air time policy.
client-sharing {enable | disable} policy-name: Enables or disables client fair sharing for the specified policy name.
policy-id: Policy ID between 1 and 511.
policy-name: Name of the Cisco ATF policy.
policy-weight: Policy weight between 5 and 100.

Command History

Release 8.1.122.0: This command was introduced.
Release 8.2: The client-sharing {enable | disable} option was added.

Examples

This example shows how to create a Cisco ATF policy:

(Cisco Controller) > config atf policy create 2 test-policy 70


config auth-list add

To create an authorized access point entry, use the config auth-list add command.

config auth-list add {mic | ssc} AP_MAC [AP_key]

Syntax Description

mic: Specifies that the access point has a manufacturer-installed certificate.
ssc: Specifies that the access point has a self-signed certificate.
AP_MAC: MAC address of a Cisco lightweight access point.
AP_key: (Optional) Key hash value that is equal to 20 bytes or 40 digits.

Command Default

None

Command History

Release 7.6: This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to create an authorized access point entry with a manufacturer-installed certificate on MAC address 00:0b:85:02:0d:20:

(Cisco Controller) > config auth-list add mic 00:0b:85:02:0d:20

Related Commands

config auth-list delete
config auth-list ap-policy


config auth-list ap-policy

To configure an access point authorization policy, use the config auth-list ap-policy command.

config auth-list ap-policy {authorize-ap {enable | disable} | ssc {enable | disable}}

Syntax Description

authorize-ap enable: Enables the authorization policy.
authorize-ap disable: Disables the AP authorization policy.
ssc enable: Allows the APs with self-signed certificates to connect.
ssc disable: Disallows the APs with self-signed certificates to connect.

Command Default

None

Command History

Release 7.6: This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable an access point authorization policy:

(Cisco Controller) > config auth-list ap-policy authorize-ap enable

The following example shows how to enable an access point with a self-signed certificate to connect:

(Cisco Controller) > config auth-list ap-policy ssc enable

Related Commands

config auth-list delete
config auth-list add


config auth-list delete

To delete an access point entry, use the config auth-list delete command.

config auth-list delete AP_MAC

Syntax Description

AP_MAC: MAC address of a Cisco lightweight access point.

Command Default

None

Command History

Release 7.6: This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to delete an access point entry for MAC address 00:1f:ca:cf:b6:60:

(Cisco Controller) > config auth-list delete 00:1f:ca:cf:b6:60

Related Commands

config auth-list delete
config auth-list add
config auth-list ap-policy


config avc profile create

To create a new Application Visibility and Control (AVC) profile, use the config avc profile create command.

config avc profile profile_name create

Syntax Description

profile_name: Name of the AVC profile. The profile name can be up to 32 case-sensitive, alphanumeric characters.
create: Creates a new AVC profile.

Command Default

None

Command History

Release 7.4: This command was introduced.

Usage Guidelines

You can configure up to 16 AVC profiles on a controller and associate an AVC profile with multiple WLANs.

You can configure only one AVC profile per WLAN and each AVC profile can have up to 32 rules. Each rule states a Mark or Drop action for an application, which allows you to configure up to 32 application actions per WLAN.

Examples

The following example shows how to create a new AVC profile:

(Cisco Controller) > config avc profile avcprofile1 create

Related Commands

config avc profile delete
config avc profile rule
config wlan avc
show avc profile
show avc applications
show avc statistics
debug avc error
debug avc events


config avc profile delete

To delete an Application Visibility and Control (AVC) profile, use the config avc profile delete command.

config avc profile profile_name delete

Syntax Description

profile_name: Name of the AVC profile.
delete: Deletes an AVC profile.

Command Default

The AVC profile is not deleted.

Command History

Release 7.4: This command was introduced.

Examples

The following example shows how to delete an AVC profile:

(Cisco Controller) > config avc profile avcprofile1 delete

Related Commands

config avc profile create
config avc profile rule
config wlan avc
show avc profile summary
show avc profile detailed
debug avc error
debug avc events


config avc profile rule

To configure a rule for an Application Visibility and Control (AVC) profile, use the config avc profile rule command.

config avc profile profile_name rule {add | remove} application application_name {drop | mark dscp}

Syntax Description

profile_name: Name of the AVC profile.
rule: Configures a rule for the AVC profile.
add: Creates a rule for the AVC profile.
remove: Deletes a rule for the AVC profile.
application: Specifies the application that has to be dropped or marked.
application_name: Name of the application. The application name can be up to 32 case-sensitive, alphanumeric characters.
drop: Drops the upstream and downstream packets that correspond to the chosen application.
mark: Marks the upstream and downstream packets that correspond to the chosen application with the Differentiated Services Code Point (DSCP) value that you specify in the drop-down list. The DSCP value helps you provide differentiated services based on the QoS levels.
dscp: Packet header code that is used to define the QoS across the Internet. The range is from 0 to 63.

Command Default

None

Command History

Release 7.4: This command was introduced.

Examples

The following example shows how to configure a rule for an AVC profile:

(Cisco Controller) > config avc profile avcprofile1 rule add application gmail mark 10

Related Commands

config avc profile delete
config avc profile create
config wlan avc
show avc profile
show avc applications
show avc statistics
debug avc error
debug avc events


config band-select cycle-count

To set the band select probe cycle count, use the config band-select cycle-count command.

config band-select cycle-count count

Syntax Description

count: Value for the cycle count between 1 and 10.

Command Default

None

Command History

Release 7.6: This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to set the probe cycle count for band select to 8:

(Cisco Controller) > config band-select cycle-count 8

Related Commands

config band-select cycle-threshold
config band-select expire
config band-select client-rssi


config band-select cycle-threshold

To set the time threshold for a new scanning cycle, use the config band-select cycle-threshold command.

config band-select cycle-threshold threshold

Syntax Description

threshold: Value for the cycle threshold between 1 and 1000 milliseconds.

Command Default

None

Command History

Release 7.6: This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to set the time threshold for a new scanning cycle with a threshold value of 700 milliseconds:

(Cisco Controller) > config band-select cycle-threshold 700

Related Commands

config band-select cycle-count
config band-select expire
config band-select client-rssi


config band-select expire

To set the entry expire for band select, use the config band-select expire command.

config band-select expire {suppression | dual-band} seconds

Syntax Description

suppression: Sets the suppression expire to the band select.
dual-band: Sets the dual band expire to the band select.
seconds:
• Value for suppression between 10 and 200 seconds.
• Value for dual-band between 10 and 300 seconds.

Command Default

None

Command History

Release 7.6: This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to set the suppression expire to 70 seconds:

(Cisco Controller) > config band-select expire suppression 70

Related Commands

config band-select cycle-threshold
config band-select client-rssi
config band-select cycle-count


config band-select client-rssi

To set the client received signal strength indicator (RSSI) threshold for band select, use the config band-select client-rssi command.

config band-select client-rssi rssi

Syntax Description

rssi: Minimum dBm of a client RSSI to respond to a probe, between 20 and 90.

Command Default

None

Command History

Release 7.6: This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to set the RSSI threshold for band select to 70:

(Cisco Controller) > config band-select client-rssi 70

Related Commands

config band-select cycle-threshold
config band-select expire
config band-select cycle-count


config boot

To change a Cisco wireless LAN controller boot option, use the config boot command.

config boot {primary | backup}

Syntax Description

primary: Sets the primary image as active.
backup: Sets the backup image as active.

Command Default

The default boot option is primary.

Command History

Release 7.6: This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

Each Cisco wireless LAN controller can boot off the primary, last-loaded operating system (OS) image or boot off the backup, earlier-loaded OS image.

Examples

The following example shows how to set the primary image as active so that the LAN controller can boot off the primary, last-loaded image:

(Cisco Controller) > config boot primary

The following example shows how to set the backup image as active so that the LAN controller can boot off the backup, earlier-loaded OS image:

(Cisco Controller) > config boot backup

Related Commands

show boot


config call-home contact email address

To configure the call-home contact email address, use the config call-home contact-email-addr command.

config call-home contact-email-addr email-address

Syntax Description

email-address: Call-home contact email address.

Command History

Release 8.2: This command was introduced.

Examples

The following example shows how to add a call-home contact email address:

(Cisco Controller) > config call-home contact-email-addr [email protected]


config call-home events

To enable or disable the call-home event reporting, use the config call-home events command.

config call-home events {enable | disable}

Syntax Description

enable: Enables the call-home event reporting.
disable: Disables the call-home event reporting.

Command Default

Enable

Command History

Release 8.2: This command was introduced.

Examples

The following example shows how to disable call-home event reporting:

(Cisco Controller) > config call-home events disable


config call-home http-proxy ipaddr

To configure the HTTP proxy address for reporting, use the config call-home http-proxy ipaddr command.

config call-home http-proxy ipaddr ip-address port port

Syntax Description

ip-address: The http-proxy IP address.
port: The http-proxy port number.

Command History

Release 8.2: This command was introduced.

Examples

The following example shows how to configure call home with the http-proxy IP address:

(Cisco Controller) > config call-home http-proxy ipaddr 209.165.200.224 port 773


config call-home http-proxy ipaddr 0.0.0.0

To reset the HTTP proxy settings for reporting, use the config call-home http-proxy ipaddr 0.0.0.0 command.

config call-home http-proxy ipaddr 0.0.0.0

Syntax Description

0.0.0.0: Resets the http-proxy settings.

Command History

Release 8.2: This command was introduced.

Examples

The following example shows how to reset call home http-proxy settings:

(Cisco Controller) > config call-home http-proxy ipaddr 0.0.0.0


config call-home profile

To create or update a call-home profile, use the config call-home profile command.

config call-home profile {create | update} profile-name {sm-license-data | all | call-home-data} {short-text | long-text | xml} url

Syntax Description

create: Creates a Call-Home profile.
update: Updates a Call-Home profile.
sm-license-data: Configures Smart license reporting profile.
all: Configures reporting profile for all modules.
call-home-data: Configures call home data reporting profile.
short-text: Configures data reporting in short-text format.
long-text: Configures data reporting in long-text format.
xml: Configures data reporting in XML format.
url: URL name.

Command History

Release 8.2: This command was introduced.

Examples

The following example shows how to create an XML format reporting Call-Home profile:

(Cisco Controller) > config call-home profile create example-profile sm-license-data xml internal.example.com


config call-home profile delete

To delete the call-home profile, use the config call-home profile delete command.

config call-home profile delete profile-name

Syntax Description

profile-name: Call-Home profile to be deleted.

Command History

Release 8.2: This command was introduced.

Examples

The following example shows how to delete a Call-Home profile:

(Cisco Controller) > config call-home profile delete example-profile


config call-home profile status

To enable or disable the user profile, use the config call-home profile status command.

config call-home profile status {enable | disable}

Syntax Description

enable: Enables the status of call-home profile.
disable: Disables the status of call-home profile.

Command History

Release 8.2: This command was introduced.

Examples

The following example shows how to disable a Call-Home profile:

(Cisco Controller) > config call-home profile status disable


config call-home reporting

To set the privacy level for data reporting, use the config call-home reporting data-privacy-level command.

config call-home reporting data-privacy-level {normal | high} hostname host name

Syntax Description

normal: Scrubs all normal-level commands.
high: Scrubs all normal-level commands, the IP domain name and IP address commands.
hostname: Scrubs all high-level commands plus the hostname command.

Command History

Release 8.2: This command was introduced.

Examples

The following example shows how to configure normal privacy level:

(Cisco Controller) > config call-home reporting data-privacy-level normal hostname internal.example.com


config call-home tac-profile

To enable or disable the tac-profile, use the config call-home tac-profile status command.

config call-home tac-profile status {enable | disable}

Syntax Description

enable: Enables call-home TAC profile.
disable: Disables call-home TAC profile.

Command Default

Enable

Command History

Release 8.2: This command was introduced.

Examples

The following example shows how to disable call home tac-profile:

(Cisco Controller) > config call-home tac-profile status disable


config cdp

To configure the Cisco Discovery Protocol (CDP) on the controller, use the config cdp command.

config cdp {enable | disable | advertise-v2 {enable | disable} | timer seconds | holdtime holdtime_interval}

Syntax Description

enable: Enables CDP on the controller.
disable: Disables CDP on the controller.
advertise-v2: Configures CDP version 2 advertisements.
timer: Configures the interval at which CDP messages are to be generated.
seconds: Time interval at which CDP messages are to be generated. The range is from 5 to 254 seconds.
holdtime: Configures the amount of time to be advertised as the time-to-live value in generated CDP packets.
holdtime_interval: Maximum hold timer value. The range is from 10 to 255 seconds.

Command Default

The default value for CDP timer is 60 seconds.

The default value for CDP holdtime is 180 seconds.

Command History

Release 7.6: This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the CDP maximum hold timer to 150 seconds:

(Cisco Controller) > config cdp holdtime 150

Related Commands

config ap cdp
show cdp
show ap cdp


config certificate

To configure Secure Sockets Layer (SSL) certificates, use the config certificate command.

config certificate {generate {csr-webadmin | csr-webauth | webadmin | webauth}}

Syntax Description

generate: Specifies authentication certificate generation settings.
csr-webadmin: Generates a new web administration certificate signing request.
csr-webauth: Generates a new web authentication signing request.
webadmin: Generates a new web administration certificate.
webauth: Generates a new web authentication certificate.

Command Default

None

Command History

Release 7.6: This command was introduced in a release earlier than Release 7.6.
Release 8.3: This command was enhanced with new keywords in Release 8.3.

Examples

The following example shows how to generate a new web administration SSL certificate:

(Cisco Controller) > config certificate generate webadmin
Creating a certificate may take some time. Do you wish to continue? (y/n)


config certificate lsc

To configure Locally Significant Certificates (LSC), use the config certificate lsc command.

config certificate lsc {enable | disable | ca-server http://url:port/path | ca-cert {add | delete} | subject-params country state city orgn dept email | other-params keysize} | ap-provision {auth-list {add | delete} ap_mac | revert-cert retries}

Syntax Description

enable: Enables LSC certificates on the controller.
disable: Disables LSC certificates on the controller.
ca-server: Specifies the Certificate Authority (CA) server settings.
http://url:port/path: Domain name or IP address of the CA server.
ca-cert: Specifies CA certificate database settings.
add: Obtains a CA certificate from the CA server and adds it to the controller’s certificate database.
delete: Deletes a CA certificate from the controller’s certificate database.
subject-params: Specifies the device certificate settings.
country state city orgn dept email: Country, state, city, organization, department, and email of the certificate authority.
Note: The common name (CN) is generated automatically on the access point using the current MIC/SSC format Cxxxx-MacAddr, where xxxx is the product number.
other-params: Specifies the device certificate key size settings.
keysize: Value from 384 to 2048 (in bits); the default value is 2048.
ap-provision: Specifies the access point provision list settings.
auth-list: Specifies the provision list authorization settings.
ap_mac: MAC address of access point to be added or deleted from the provision list.
revert-cert: Specifies the number of times the access point attempts to join the controller using an LSC before reverting to the default certificate.
retries: Value from 0 to 255; the default value is 3.
Note: If you set the number of retries to 0 and the access point fails to join the controller using an LSC, the access point does not attempt to join the controller using the default certificate. If you are configuring LSC for the first time, we recommend that you configure a nonzero value.

Command Default

The default value of keysize is 2048 bits. The default value of retries is 3.

Command History

Release 7.6: This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

You can configure only one CA server. To configure a different CA server, delete the configured CA server by using the config certificate lsc ca-server delete command, and then configure a different CA server.

If you configure an access point provision list, only the access points in the provision list are provisioned when you enable AP provisioning (in Step 8). If you do not configure an access point provision list, all access points with an MIC or SSC certificate that join the controller are LSC provisioned.

Examples

The following example shows how to enable the LSC settings:

(Cisco Controller) > config certificate lsc enable

The following example shows how to configure the Certificate Authority (CA) server settings:

(Cisco Controller) > config certificate lsc ca-server http://10.0.0.1:8080/caserver

The following example shows how to obtain a CA certificate from the CA server and add it to the controller’s certificate database:

(Cisco Controller) > config certificate lsc ca-cert add

The following example shows how to configure an LSC certificate with the keysize of 2048 bits:

(Cisco Controller) > config certificate lsc other-params 2048


config certificate ssc

To configure Self-Signed Certificates (SSC), use the config certificate ssc command.

config certificate ssc hash validation {enable | disable}

Syntax Description

hash: Configures the SSC hash key.
validation: Configures hash validation of the SSC certificate.
enable: Enables hash validation of the SSC certificate.
disable: Disables hash validation of the SSC certificate.

Command Default

The SSC certificate is enabled by default.

Command History

Release 7.6: This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

When you enable the SSC hash validation, an AP validates the SSC certificate of the virtual controller. When an AP validates the SSC certificate, it checks if the hash key of the virtual controller matches the hash key stored in its flash. If a match is found, the validation passes and the AP moves to the Run state. If a match is not found, the validation fails and the AP disconnects from the controller and restarts the discovery process.

By default, hash validation is enabled. Hence, an AP must have the virtual controller hash key in its flash before associating with the virtual controller. If you disable hash validation of the SSC certificate, the AP bypasses the hash validation and directly moves to the Run state.

APs can associate with a physical controller, download the hash keys and then associate with a virtual controller.

If the AP is associated to a physical controller and if hash validation is disabled, it joins any virtual controller without hash validation.

Examples

The following example shows how to enable hash validation of the SSC certificate:

(Cisco Controller) > config certificate ssc hash validation enable

Related Commands

show certificate ssc
show mobility group member
config mobility group member hash
config certificate
show certificate compatibility
show certificate lsc
show certificate summary
show local-auth certificates
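The following Python script is an added example, not part of the Cisco reference. It checks a list of controller commands against the argument constraints and trust-related notes documented above for config auth-list, config certificate lsc, and config certificate ssc. It assumes the commands are available as plain text, one per line, and that the 40-digit AP_key is hexadecimal; the sample input is constructed.

```python
import re

MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$", re.I)
# Assumption: "20 bytes or 40 digits" means 40 hexadecimal digits.
KEY_HASH_RE = re.compile(r"^[0-9a-f]{40}$", re.I)
PROMPT_RE = re.compile(r"^\(Cisco Controller\)\s*>\s*")


def _in_range(token, low, high):
    """Return int(token) if it is a decimal number in [low, high], else None."""
    if token.isdigit() and low <= int(token) <= high:
        return int(token)
    return None


def audit(config_text):
    """Return (line_number, severity, message) findings for AP trust settings."""
    findings = []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        # Accept lines pasted with the controller prompt in front.
        tok = PROMPT_RE.sub("", raw.strip()).split()
        if tok[:1] != ["config"]:
            continue
        args = tok[1:]

        def report(severity, message):
            findings.append((lineno, severity, message))

        if args[:2] == ["auth-list", "ap-policy"] and len(args) == 4:
            if args[2:] == ["authorize-ap", "disable"]:
                report("warn", "AP authorization policy is disabled")
            elif args[2:] == ["ssc", "enable"]:
                report("warn", "APs with self-signed certificates may connect")
        elif args[:2] == ["auth-list", "add"]:
            rest = args[2:]
            if not rest or rest[0] not in ("mic", "ssc"):
                report("error", "certificate type keyword (mic | ssc) is missing")
            elif len(rest) < 2 or not MAC_RE.match(rest[1]):
                report("error", "AP_MAC is missing or not a valid MAC address")
            elif len(rest) >= 3 and not KEY_HASH_RE.match(rest[2]):
                report("error", "AP_key must be 40 hex digits (20 bytes)")
        elif args[:4] == ["certificate", "ssc", "hash", "validation"]:
            if args[4:] == ["disable"]:
                report("warn", "SSC hash validation disabled: the AP moves "
                               "to the Run state without checking the hash key")
        elif args[:3] == ["certificate", "lsc", "other-params"] and len(args) == 4:
            keysize = _in_range(args[3], 384, 2048)
            if keysize is None:
                report("error", "keysize must be from 384 to 2048 bits")
            elif keysize < 2048:
                report("warn", f"LSC keysize {keysize} is below the 2048-bit default")
        elif (args[:4] == ["certificate", "lsc", "ap-provision", "revert-cert"]
              and len(args) == 5):
            retries = _in_range(args[4], 0, 255)
            if retries is None:
                report("error", "retries must be from 0 to 255")
            elif retries == 0:
                report("warn", "retries 0: the AP does not fall back to the "
                               "default certificate if the LSC join fails")
    return findings


# Constructed sample input (not taken from a real controller).
SAMPLE = """\
config auth-list ap-policy authorize-ap enable
config auth-list ap-policy ssc enable
config auth-list add mic 00:0b:85:02:0d:20
config auth-list add 00:0b:85:02:0d:20
config auth-list add ssc 00:1f:ca:cf:b6:60 0123456789abcdef
config certificate ssc hash validation disable
config certificate lsc other-params 1024
config certificate lsc ap-provision revert-cert 0
"""

if __name__ == "__main__":
    for lineno, severity, message in audit(SAMPLE):
        print(f"line {lineno}: {severity}: {message}")
```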


config certificate use-device-certificate webadmin

To use a device certificate for web administration, use the config certificate use-device-certificate webadmin command.

config certificate use-device-certificate webadmin

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release 7.6: This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to use a device certificate for web administration:

(Cisco Controller) > config certificate use-device-certificate webadmin
Use device certificate for web administration. Do you wish to continue? (y/n) y
Using device certificate for web administration.
Save configuration and restart controller to use new certificate.

Related Commands

config certificate
show certificate compatibility
show certificate lsc
show certificate ssc
show certificate summary
show local-auth certificates


config client ccx clear-reports

To clear the client reporting information, use the config client ccx clear-reports command.

config client ccx clear-reports client_mac_address

Syntax Description

client_mac_address: MAC address of the client.

Command Default

None

Command History

Release 7.6: This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to clear the reporting information of the client MAC address 00:1f:ca:cf:b6:60:

(Cisco Controller) > config client ccx clear-reports 00:1f:ca:cf:b6:60


config client ccx clear-results

To clear the test results on the controller, use the config client ccx clear-results command.

config client ccx clear-results client_mac_address

Syntax Description

client_mac_address: MAC address of the client.

Command Default

None

Command History

Release 7.6: This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to clear the test results of the client MAC address 00:1f:ca:cf:b6:60:

(Cisco Controller) > config client ccx clear-results 00:1f:ca:cf:b6:60


config client ccx default-gw-ping

To send a request to the client to perform the default gateway ping test, use the config client ccx default-gw-ping command.

config client ccx default-gw-ping client_mac_address

Syntax Description

client_mac_address: MAC address of the client.

Command Default

None

Command History

Release 7.6: This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

This test does not require the client to use the diagnostic channel.

Examples

The following example shows how to send a request to the client 00:0b:85:02:0d:20 to perform the default gateway ping test:

(Cisco Controller) > config client ccx default-gw-ping 00:0b:85:02:0d:20


config client ccx dhcp-test

To send a request to the client to perform the DHCP test, use the config client ccx dhcp-test command.

config client ccx dhcp-test client_mac_address

Syntax Description

client_mac_address: MAC address of the client.

Command Default

None

Command History

Release 7.6: This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

This test does not require the client to use the diagnostic channel.

Examples

The following example shows how to send a request to the client 00:E0:77:31:A3:55 to perform the DHCP test:

(Cisco Controller) > config client ccx dhcp-test 00:E0:77:31:A3:55


config client ccx dns-ping

To send a request to the client to perform the Domain Name System (DNS) server IP address ping test, use the config client ccx dns-ping command.

config client ccx dns-ping client_mac_address

Syntax Description

client_mac_address: MAC address of the client.

Command Default

None

Command History

Release 7.6: This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

This test does not require the client to use the diagnostic channel.

Examples

The following example shows how to send a request to a client to perform the DNS server IP address ping test:

(Cisco Controller) > config client ccx dns-ping 00:E0:77:31:A3:55


config client ccx dns-resolve config client ccx dns-resolve

To send a request to the client to perform the Domain Name System (DNS) resolution test to the specified hostname, use the config client ccx dns-resolve command.

config client ccx dns-resolve client_mac_address host_name

Syntax Description

client_mac_address

MAC address of the client.

host_name

Hostname of the client.

Command Default

None

Command History

Release

7.6

Modification

This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

This test does not require the client to use the diagnostic channel.

Examples

The following example shows how to send a request to the client 00:E0:77:31:A3:55 to perform the DNS name resolution test to the specified hostname:

(Cisco Controller) > config client ccx dns-resolve 00:E0:77:31:A3:55 host_name

config client ccx get-client-capability

To send a request to the client to send its capability information, use the config client ccx get-client-capability command.

config client ccx get-client-capability client_mac_address

Syntax Description

client_mac_address

MAC address of the client.

Command Default

None

Command History

Release

7.6

Modification

This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to send a request to the client 172.19.28.40 to send its capability information:

(Cisco Controller) > config client ccx get-client-capability 172.19.28.40

config client ccx get-manufacturer-info

To send a request to the client to send the manufacturer’s information, use the config client ccx get-manufacturer-info command.

config client ccx get-manufacturer-info client_mac_address

Syntax Description

client_mac_address

MAC address of the client.

Command Default

None

Command History

Release

7.6

Modification

This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to send a request to the client 172.19.28.40 to send the manufacturer’s information:

(Cisco Controller) > config client ccx get-manufacturer-info 172.19.28.40

config client ccx get-operating-parameters

To send a request to the client to send its current operating parameters, use the config client ccx get-operating-parameters command.

config client ccx get-operating-parameters client_mac_address

Syntax Description

client_mac_address

MAC address of the client.

Command Default

None

Command History

Release

7.6

Modification

This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to send a request to the client 172.19.28.40 to send its current operating parameters:

(Cisco Controller) > config client ccx get-operating-parameters 172.19.28.40

config client ccx get-profiles

To send a request to the client to send its profiles, use the config client ccx get-profiles command.

config client ccx get-profiles client_mac_address

Syntax Description

client_mac_address

MAC address of the client.

Command Default

None

Command History

Release

7.6

Modification

This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to send a request to the client 172.19.28.40 to send its profile details:

(Cisco Controller) > config client ccx get-profiles 172.19.28.40

config client ccx log-request

To configure a Cisco client eXtension (CCX) log request for a specified client device, use the config client ccx log-request command.

config client ccx log-request {roam | rsna | syslog} client_mac_address

Syntax Description

roam

(Optional) Requests the client CCX roaming log.

rsna

(Optional) Requests the client CCX RSNA log.

syslog

(Optional) Requests the client CCX system log.

client_mac_address

MAC address of the client.

Command Default

None

Command History

Release

7.6

Modification

This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to request the client CCX system log:

(Cisco Controller) > config client ccx log-request syslog 00:40:96:a8:f7:98

Tue Oct 05 13:05:21 2006

SysLog Response LogID=1: Status=Successful

Event Timestamp=121212121212

Client SysLog = 'This is a test syslog 2'

Event Timestamp=121212121212

Client SysLog = 'This is a test syslog 1'

Tue Oct 05 13:04:04 2006

SysLog Request LogID=1

The following example shows how to specify the client CCX roaming log:

(Cisco Controller) > config client ccx log-request roam 00:40:96:a8:f7:98

Thu Jun 22 11:55:14 2006

Roaming Response LogID=20: Status=Successful

Event Timestamp=121212121212

Source BSSID=00:40:96:a8:f7:98, Target BSSID=00:0b:85:23:26:70,

Transition Time=100(ms)

Transition Reason: Unspecified Transition Result: Success

Thu Jun 22 11:55:04 2006

Roaming Request LogID=20

Thu Jun 22 11:54:54 2006

Roaming Response LogID=19: Status=Successful

Event Timestamp=121212121212

Source BSSID=00:40:96:a8:f7:98, Target BSSID=00:0b:85:23:26:70,

Transition Time=100(ms)

Transition Reason: Unspecified Transition Result: Success

Thu Jun 22 11:54:33 2006

Roaming Request LogID=19

The following example shows how to specify the client CCX RSNA log:

(Cisco Controller) > config client ccx log-request rsna 00:40:96:a8:f7:98

Tue Oct 05 11:06:48 2006

RSNA Response LogID=2: Status=Successful

Event Timestamp=242424242424

Target BSSID=00:0b:85:23:26:70

RSNA Version=1

Group Cipher Suite=00-x0f-ac-01

Pairwise Cipher Suite Count = 2

Pairwise Cipher Suite 0 = 00-0f-ac-02

Pairwise Cipher Suite 1 = 00-0f-ac-04

AKM Suite Count = 2

KM Suite 0 = 00-0f-ac-01

KM Suite 1 = 00-0f-ac-02

SN Capability = 0x1

PMKID Count = 2

PMKID 0 = 01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16

PMKID 1 = 0a 0b 0c 0d 0e 0f 17 18 19 20 1a 1b 1c 1d 1e 1f

802.11i Auth Type: EAP_FAST

RSNA Result: Success
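The RSNA log output above lists cipher and AKM suites as raw suite selectors. The following Python is an added example, not part of the Cisco reference: it parses that output format, names the selectors using the IEEE 802.11 suite-type values, and flags WEP and TKIP. The function names and the second log entry are constructed; the first entry repeats the values printed above, whose group cipher value 00-x0f-ac-01 is not a well-formed selector and is reported as unrecognised rather than guessed.

```python
import re

# Suite selectors under the IEEE 802.11 OUI 00-0F-AC, in the controller's notation.
CIPHER_SUITES = {
    "00-0f-ac-01": "WEP-40",
    "00-0f-ac-02": "TKIP",
    "00-0f-ac-04": "CCMP-128",
    "00-0f-ac-05": "WEP-104",
}
AKM_SUITES = {"00-0f-ac-01": "802.1X", "00-0f-ac-02": "PSK"}
DEPRECATED = {"WEP-40", "WEP-104", "TKIP"}

ENTRY_START = re.compile(r"RSNA Response LogID=(\d+):\s*Status=(\w+)")
FIELD = re.compile(r"^\s*([^=:]+?)\s*[=:]\s*(.*\S)\s*$")

# Constructed sample: entry 2 copies this page's output, entry 3 is invented.
SAMPLE = """\
Tue Oct 05 11:06:48 2006
RSNA Response LogID=2: Status=Successful
Event Timestamp=242424242424
Target BSSID=00:0b:85:23:26:70
RSNA Version=1
Group Cipher Suite=00-x0f-ac-01
Pairwise Cipher Suite Count = 2
Pairwise Cipher Suite 0 = 00-0f-ac-02
Pairwise Cipher Suite 1 = 00-0f-ac-04
AKM Suite Count = 2
KM Suite 0 = 00-0f-ac-01
KM Suite 1 = 00-0f-ac-02
802.11i Auth Type: EAP_FAST
RSNA Result: Success
Tue Oct 05 11:09:10 2006
RSNA Response LogID=3: Status=Successful
Event Timestamp=242424242525
Target BSSID=00:0B:85:23:26:71
RSNA Version=1
Group Cipher Suite=00-0f-ac-04
Pairwise Cipher Suite Count = 1
Pairwise Cipher Suite 0 = 00-0f-ac-04
AKM Suite Count = 1
AKM Suite 0 = 00-0f-ac-01
802.11i Auth Type: EAP_FAST
RSNA Result: Success
"""


def _decode(selector, table):
    """Map a selector to its name; keep unknown values visible instead of guessing."""
    sel = selector.strip().lower()
    return table.get(sel, "unknown:" + sel)


def parse_rsna_log(text):
    """Return one dict per 'RSNA Response' entry found in the controller output."""
    entries, cur = [], None
    for line in text.splitlines():
        start = ENTRY_START.search(line)
        if start:
            cur = {"log_id": int(start.group(1)), "status": start.group(2),
                   "pairwise": [], "akm": []}
            entries.append(cur)
            continue
        field = FIELD.match(line)
        if cur is None or not field:
            continue
        key, value = field.group(1).lower(), field.group(2)
        if key == "target bssid":
            cur["bssid"] = value.lower()
        elif key == "group cipher suite":
            cur["group"] = _decode(value, CIPHER_SUITES)
        elif re.fullmatch(r"pairwise cipher suite \d+", key):
            cur["pairwise"].append(_decode(value, CIPHER_SUITES))
        elif re.fullmatch(r"a?km suite \d+", key):  # the page prints "KM Suite"
            cur["akm"].append(_decode(value, AKM_SUITES))
        elif key == "802.11i auth type":
            cur["auth_type"] = value
        elif key == "rsna result":
            cur["result"] = value
    return entries


def weak_findings(entry):
    """List deprecated ciphers and unrecognised selectors in one parsed entry."""
    findings = []
    group = entry.get("group")
    if group in DEPRECATED:
        findings.append(f"group cipher {group}")
    for cipher in entry["pairwise"]:
        if cipher in DEPRECATED:
            findings.append(f"pairwise cipher {cipher}")
    for name in [group, *entry["pairwise"], *entry["akm"]]:
        if name and name.startswith("unknown:"):
            findings.append("unrecognised selector " + name.split(":", 1)[1])
    return findings


if __name__ == "__main__":
    for e in parse_rsna_log(SAMPLE):
        print(e["log_id"], e.get("bssid"), weak_findings(e) or "no findings")
```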

config client ccx send-message

To send a message to the client, use the config client ccx send-message command.

config client ccx send-message client_mac_address message_id

Syntax Description

client_mac_address

MAC address of the client.

message_id

Message type that involves one of the following:

• 1—The SSID is invalid.

• 2—The network settings are invalid.

• 3—There is a WLAN credibility mismatch.

• 4—The user credentials are incorrect.

• 5—Please call support.

• 6—The problem is resolved.

• 7—The problem has not been resolved.

• 8—Please try again later.

• 9—Please correct the indicated problem.

• 10—Troubleshooting is refused by the network.

• 11—Retrieving client reports.

• 12—Retrieving client logs.

• 13—Retrieval complete.

• 14—Beginning association test.

• 15—Beginning DHCP test.

• 16—Beginning network connectivity test.

• 17—Beginning DNS ping test.

• 18—Beginning name resolution test.

• 19—Beginning 802.1X authentication test.

• 20—Redirecting client to a specific profile.

• 21—Test complete.

• 22—Test passed.

• 23—Test failed.

• 24—Cancel diagnostic channel operation or select a WLAN profile to resume normal operation.

• 25—Log retrieval refused by the client.

• 26—Client report retrieval refused by the client.

• 27—Test request refused by the client.

• 28—Invalid network (IP) setting.

• 29—There is a known outage or problem with the network.

• 30—Scheduled maintenance period.

• 31—The WLAN security method is not correct.

• 32—The WLAN encryption method is not correct.

• 33—The WLAN authentication method is not correct.

Command Default

None

Command History

Release

7.6

Modification

This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to send a message to the client MAC address 172.19.28.40 with the message user-action-required:

(Cisco Controller) > config client ccx send-message 172.19.28.40 user-action-required

config client ccx stats-request

To send a request for statistics, use the config client ccx stats-request command.

config client ccx stats-request measurement_duration {dot11 | security} client_mac_address

Syntax Description

measurement_duration

Measurement duration in seconds.

dot11

(Optional) Specifies dot11 counters.

security

(Optional) Specifies security counters.

client_mac_address

MAC address of the client.

Command Default

None

Command History

Release

7.6

Modification

This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to specify dot11 counter settings:

(Cisco Controller) > config client ccx stats-request 1 dot11 00:40:96:a8:f7:98

Measurement duration = 1

dot11TransmittedFragmentCount = 1

dot11MulticastTransmittedFrameCount = 2

dot11FailedCount = 3

dot11RetryCount = 4

dot11MultipleRetryCount = 5

dot11FrameDuplicateCount = 6

dot11RTSSuccessCount = 7

dot11RTSFailureCount = 8

dot11ACKFailureCount = 9

dot11ReceivedFragmentCount = 10

dot11MulticastReceivedFrameCount = 11

dot11FCSErrorCount = 12

dot11TransmittedFrameCount = 13

config client ccx test-abort

To send a request to the client to abort the current test, use the config client ccx test-abort command.

config client ccx test-abort client_mac_address

Syntax Description

client_mac_address

MAC address of the client.

Command Default

None

Command History

Release

7.6

Modification

This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

Only one test can be pending at a time.

Examples

The following example shows how to send a request to a client to abort the current test:

(Cisco Controller) > config client ccx test-abort 11:11:11:11:11:11

config client ccx test-association

To send a request to the client to perform the association test, use the config client ccx test-association command.

config client ccx test-association client_mac_address ssid bssid 802.11{a | b | g} channel

Syntax Description

client_mac_address

MAC address of the client.

ssid

Network name.

bssid

Basic SSID.

802.11a

Specifies the 802.11a network.

802.11b

Specifies the 802.11b network.

802.11g

Specifies the 802.11g network.

channel

Channel number.

Command Default

None

Command History

Release

7.6

Modification

This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to send a request to the client MAC address 00:0E:77:31:A3:55 to perform the basic SSID association test:

(Cisco Controller) > config client ccx test-association 00:E0:77:31:A3:55 ssid bssid 802.11a

config client ccx test-dot1x

To send a request to the client to perform the 802.1x test, use the config client ccx test-dot1x command.

config client ccx test-dot1x client_mac_address profile_id bssid 802.11{a | b | g} channel

Syntax Description

client_mac_address

MAC address of the client.

profile_id

Test profile name.

bssid

Basic SSID.

802.11a

Specifies the 802.11a network.

802.11b

Specifies the 802.11b network.

802.11g

Specifies the 802.11g network.

channel

Channel number.

Command Default

None

Command History

Release

7.6

Modification

This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to send a request to the client to perform the 802.11b test with the profile name profile_01:

(Cisco Controller) > config client ccx test-dot1x 172.19.28.40 profile_01 bssid 802.11b

config client ccx test-profile

To send a request to the client to perform the profile redirect test, use the config client ccx test-profile command.

config client ccx test-profile client_mac_address profile_id

Syntax Description

client_mac_address

MAC address of the client.

profile_id

Test profile name.

Note

The profile_id should be from one of the client profiles for which client reporting is enabled.

Command Default

None

Command History

Release

7.6

Modification

This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to send a request to the client to perform the profile redirect test with the profile name profile_01:

(Cisco Controller) > config client ccx test-profile 11:11:11:11:11:11 profile_01

config client deauthenticate

To disconnect a client, use the config client deauthenticate command.

config client deauthenticate {MAC | IPv4/v6_address | user_name}

Syntax Description

MAC

Client MAC address.

IPv4/v6_address

IPv4 or IPv6 address.

user_name

Client user name.

Command Default

None

Command History

Release

7.6

Modification

This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to deauthenticate a client using its MAC address:

(Cisco Controller) > config client deauthenticate 11:11:11:11:11

config client location-calibration

To configure link aggregation, use the config client location-calibration command.

config client location-calibration {enable mac_address interval | disable mac_address}

Syntax Description

enable

(Optional) Specifies that client location calibration is enabled.

mac_address

MAC address of the client.

interval

Measurement interval in seconds.

disable

(Optional) Specifies that client location calibration is disabled.

Command Default

None

Command History

Release

7.6

Modification

This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable the client location calibration for the client 37:15:85:2a with a measurement interval of 45 seconds:

(Cisco Controller) > config client location-calibration enable 37:15:86:2a:Bc:cf 45

config client profiling delete

To delete a client profile, use the config client profiling delete command.

config client profiling delete {mac_address}

Syntax Description

mac_address

MAC address of the client.

Command History

Release

8.2

Modification

This command was introduced in this release.

Examples

The following example shows how to delete a client profile:

(Cisco Controller) > config client profiling delete 37:15:86:2a:Bc:cf

Note

Executing the above command changes the Device Type to "Unknown". The client is not deleted; only its profiling information is removed, and the client remains associated. The CLI displays no confirmation message because of an architectural limitation of the Cisco WLC.

config cloud-services cmx

To enable or disable CMX Cloud Services, use the config cloud-services cmx command.

config cloud-services cmx {enable | disable}

Syntax Description

enable

Enables the CMX Cloud Services

disable

Disables the CMX Cloud Services

Command Default

None

Command History

Release

8.3

Modification

This command was introduced.

Examples

This example shows how to enable the CMX Cloud Services:

(Cisco Controller) > config cloud-services cmx enable

config cloud-services server url

To configure the Cloud Server URL, use the config cloud-services server url command.

config cloud-services server url url

Syntax Description

url

Enter the Cloud Server URL.

Command Default

None

Command History

Release

8.3

Modification

This command was introduced.

Examples

This example shows how to configure the Cloud Server URL:

(Cisco Controller) > config cloud-services server url www.example.com

config cloud-services server id-token

To configure the Cloud Server Id-Token, use the config cloud-services server id-token command.

config cloud-services server id-token id-token

Syntax Description

id-token

Enter the cloud server id-token.

Command Default

None

Command History

Release

8.3

Modification

This command was introduced.

Examples

This example shows how to configure the Cloud Server Id-Token:

(Cisco Controller) > config cloud-services server id-token dzypisQ2#bo$iAQM

config coredump

To enable or disable the controller to generate a core dump file following a crash, use the config coredump command.

config coredump {enable | disable}

Syntax Description

enable

Enables the controller to generate a core dump file.

disable

Prevents the controller from generating a core dump file.

Command Default

None

Command History

Release

7.6

Modification

This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable the controller to generate a core dump file following a crash:

(Cisco Controller) > config coredump enable

Related Commands

config coredump ftp

config coredump username

show coredump summary

config coredump ftp

To automatically upload a controller core dump file to an FTP server after experiencing a crash, use the config coredump ftp command.

config coredump ftp server_ip_address filename

Syntax Description

server_ip_address

IP address of the FTP server to which the controller sends its core dump file.

filename

Name given to the controller core dump file.

Command Default

None

Command History

Release

7.6

Modification

This command was introduced in a release earlier than Release 7.6.

Release

8.0

Modification

This command supports only IPv4 address format.

Usage Guidelines

The controller must be able to reach the FTP server to use this command.

Examples

The following example shows how to configure the controller to upload a core dump file named core_dump_controller to an FTP server at network address 192.168.0.13:

(Cisco Controller) > config coredump ftp 192.168.0.13 core_dump_controller

Related Commands

config coredump

config coredump username

show coredump summary

config coredump username

To specify the FTP server username and password when uploading a controller core dump file after experiencing a crash, use the config coredump username command.

config coredump username ftp_username password ftp_password

Syntax Description

ftp_username

FTP server login username.

ftp_password

FTP server login password.

Command Default

None

Command History

Release

7.6

Modification

This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

The controller must be able to reach the FTP server to use this command.

Examples

The following example shows how to specify an FTP server username of admin and password adminpassword for the core dump file upload:

(Cisco Controller) > config coredump username admin password adminpassword

Related Commands

config coredump ftp

config coredump

show coredump summary

config country

To configure the controller’s country code, use the config country command.

config country country_code

Syntax Description

country_code

Two-letter or three-letter country code.

Command Default

us (country code of the United States of America).

Command History

Release

7.6

Modification

This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

Cisco WLCs must be installed by a network administrator or qualified IT professional and the installer must select the proper country code. Following installation, access to the unit should be password protected by the installer to maintain compliance with regulatory requirements and to ensure proper unit functionality. See the related product guide for the most recent country codes and regulatory domains.

You can use the show country command to display a list of supported countries.

Examples

The following example shows how to configure the controller’s country code to DE:

(Cisco Controller) > config country DE

config cts

To enable or disable Cisco TrustSec on Cisco WLC, use the config cts command.

config cts {enable | disable}

Syntax Description

enable

Enables Cisco TrustSec on the Cisco WLC

disable

Disables Cisco TrustSec on the Cisco WLC

Command Default

By default, Cisco TrustSec is in disabled state.

Command History

Release

8.4

Modification

This command was introduced.

config cts ap

To configure inline tagging and security group access control list (SGACL) enforcement on APs, use the config cts ap command.

config cts ap {inline-tagging | sgacl-enforcement} {enable | disable} {ap-name | all}

Syntax Description

inline-tagging

Configures inline tagging on all the APs or a specific AP

sgacl-enforcement

Configures SGACL enforcement on all the APs or a specific AP

enable

Enables the specified feature

disable

Disables the specified feature

ap-name

Name of the AP for which the specified feature has to be configured

all

Configures the specified feature for all APs associated with the Cisco WLC.

Command Default

By default, both inline tagging and SGACL enforcement are in disabled state.

Command History

Release

8.4

Modification

This command was introduced.

Usage Guidelines

• Inline tagging is supported only on the APs in FlexConnect mode.

• Inline tagging is not supported on Flex+Bridge 802.11ac lightweight APs.

• Inline tagging and SGACL download or enforcement are not supported on these Cisco WLCs: 5508, WiSM2, 8510, 7510, and vWLC.

• If you enable SGACL enforcement for all the APs, the configuration is applied on all the APs except for the APs for which Cisco TrustSec override is enabled.

Examples

The following example shows how to enable inline tagging on an AP named cisco-flex-ap:

(Cisco Controller) > config cts ap inline-tagging enable cisco-flex-ap

The following example shows how to enable SGACL enforcement on an AP named cisco-flex-ap:

(Cisco Controller) > config cts ap sgacl-enforcement enable cisco-flex-ap

config cts inline-tag

To configure Cisco TrustSec inline tagging for a Cisco WLC, use the config cts inline-tag command.

config cts inline-tag {enable | disable}

Syntax Description

inline-tag

Configures inline tagging for the Cisco WLC

enable

Enables inline tagging

disable

Disables inline tagging

Command Default

By default, inline tagging is in disabled state.

Command History

Release

8.4

Modification

This command was introduced.

Usage Guidelines

Inline tagging is not supported on these Cisco WLCs: 5508, WiSM2, 8510, 7510, and vWLC.

config cts ap override

To configure Cisco TrustSec override for an AP, use the config cts ap override command.

config cts ap override {enable | disable} {ap-name}

Syntax Description

enable

Enables CTS override for the corresponding AP

disable

Disables CTS override for the corresponding AP

ap-name

Name of the AP for which the CTS override has to be configured

Command Default

By default, CTS override for an AP is in disabled state.

Command History

Release

8.4

Modification

This command was introduced.

Usage Guidelines

If you enable SGACL enforcement for all the APs, the configuration is applied on all the APs except the APs for which CTS override is enabled.

Examples

The following example shows how to enable CTS override on an AP named my-cisco-ap:

(Cisco Controller) > config cts ap override enable my-cisco-ap

config cts device-id

To configure a Cisco TrustSec device ID, use the config cts device-id command.

config cts device-id device-id password password

Syntax Description

device-id

CTS device ID

password

CTS device ID password

Command Default

None

Command History

Release

8.4

Modification

This command was introduced.

Examples

The following example shows how to configure a CTS device ID:

(Cisco Controller) > config cts device-id wlc-8540 password Cisco123

config cts refresh

To refresh Cisco TrustSec environment data or security group tag (SGT) policy, use the config cts refresh command.

config cts refresh {environment-data} | {policy sgt {all | sgt-tag}}

Syntax Description

environment-data

Refreshes CTS environment data

policy sgt

Refreshes SGT policy

all

Refreshes all SGT policies

sgt-tag

Enter the CTS SGT tag (an integer) to be refreshed

Command Default

None

Command History

Release

8.4

Modification

This command was introduced.

Examples

This example shows how to refresh the SGT policy, Default-65535:

(Cisco Controller) > config cts refresh policy sgt 65535

config cts sxp ap connection delete

To delete an SXPv4 connection peer for all the APs or a specific AP, use the config cts sxp ap connection delete command.

config cts sxp ap connection delete ip-addr {cisco-ap | all}

Syntax Description

ip-addr

SXPv4 IP address of a peer

cisco-ap

Name of the AP.

all

Applies the configuration to all the APs.

Command Default

None

Command History

Release

8.4

Modification

This command was introduced.

config cts sxp ap connection peer

To configure an SXPv4 peer connection for all the APs or a specific AP, use the config cts sxp ap connection peer command.

config cts sxp ap connection peer ip-addr password {default | none} mode {both | listener | speaker} {cisco-ap | all}

Syntax Description

ip-addr

SXPv4 IP address of the peer

password

Configures password for the SXPv4 peer connection

default

Uses default password for MD5 encryption

none

Configures SXPv4 without password encryption

time-in-seconds

Time after which an SXPv4 connection should be tried again after a failure to connect.

mode

Configures mode of the SXPv4 connection

both

Configures device as both SXP speaker and listener

listener

Configures device as SXP listener

speaker

Configures device as SXP speaker

cisco-ap

Name of the AP

all

Applies the configuration to all the APs associated with the corresponding Cisco WLC

Command Default

None

Command History

Release

8.4

Modification

This command was introduced.

Examples

This example shows how to configure an SXPv4 peer connection with a default password and operate in both listener and speaker mode for all the APs associated with the Cisco WLC:

(Cisco Controller) > config cts sxp ap connection peer 10.165.200.224 password default mode both all

config cts sxp ap default password

To configure the default password for an SXPv4 connection for all the APs or a specific AP, use the config cts sxp ap default password command.

config cts sxp ap default password password {cisco-ap | all}

Syntax Description

password

Default password for SXPv4 connection

cisco-ap

Name of the AP

all

Applies the configuration to all the APs associated with the corresponding Cisco WLC

Command Default

None

Command History

Release

8.4

Modification

This command was introduced.

config cts sxp ap listener

To configure SXPv4 listener mode parameters, use the config cts sxp ap listener command.

config cts sxp ap listener hold-time min-hold-time max-hold-time {cisco-ap | all}

Syntax Description

min-hold-time

Minimum SXPv4 connection hold time

max-hold-time

Maximum SXPv4 connection hold time

cisco-ap

Name of the AP for which SXPv4 has to be configured

all

Configures SXPv4 for all APs associated with the Cisco WLC

Command Default

None

Command History

Release

8.4

Modification

This command was introduced.

config cts sxp ap reconciliation period

To configure SXPv4 connection reconciliation time period, use the config cts sxp ap reconciliation period command.

config cts sxp ap reconciliation period time-in-seconds {cisco-ap | all}

Syntax Description

time-in-seconds

Time interval until when the SXPv4 connection reconciles. Valid range is between 0 and 64000 seconds.

cisco-ap

Name of the AP

all

Applies the configuration to all the APs associated with the Cisco WLC

Command Default

None

Command History

Release

8.4

Modification

This command was introduced.

config cts sxp ap retry period

To configure the interval between SXPv4 connection reattempts, use the config cts sxp ap retry period command.

config cts sxp ap retry period time-in-seconds {cisco-ap | all}

Syntax Description

time-in-seconds

Time after which an SXPv4 connection should be attempted again after a failure to connect. Valid range is between 0 and 64000 seconds.

cisco-ap

Name of the AP

all

Applies the configuration to all the APs associated with the corresponding Cisco WLC

Command Default

None

Command History

Release

8.4

Modification

This command was introduced.

config cts sxp ap speaker

To configure SXPv4 speaker mode parameters, use the config cts sxp ap speaker command.

config cts sxp ap speaker hold-time time-in-seconds {cisco-ap | all}

Syntax Description

time-in-seconds

Hold time interval, in seconds. Valid range is between 1 and 65534 seconds.

cisco-ap

Name of the AP for which SXPv4 has to be configured

all

Configures SXPv4 for all APs associated with the corresponding Cisco WLC

Command Default

None

Command History

Release

8.4

Modification

This command was introduced.

config cts sxp

To enable or disable Cisco TrustSec SXP on a Cisco WLC, use the config cts sxp command.

config cts sxp {enable | disable}

Syntax Description

enable

Enables Cisco TrustSec SXP on the Cisco WLC

disable

Disables Cisco TrustSec SXP on the Cisco WLC

Command Default

None

Command History

Release

7.6

Modification

This command was introduced in a release earlier than

Release 7.6.


config cts sxp connection

To configure the CTS SXP connection on the Cisco WLC, use the config cts sxp connection command.

config cts sxp connection {delete | peer} ipv4-addr

Syntax Description

delete    Deletes the SXP connection

peer    Configures the next hop switch with which the Cisco WLC is connected

ipv4-addr    IPv4 address of the SXP connection

Command Default

None

Command History

Release    Modification

7.6    This command was introduced in a release earlier than Release 7.6.


config cts sxp default password

To configure the default password for CTS SXP, use the config cts sxp default password command.

config cts sxp default password password

Syntax Description

password    Default password for MD5 Authentication of SXP messages. The password should contain a minimum of six characters.

Command Default

None

Command History

Release    Modification

7.6    This command was introduced in a release earlier than Release 7.6.


config cts sxp retry period

To configure the interval between CTS SXP connection reattempts, use the config cts sxp retry period command.

config cts sxp retry period time-in-seconds

Syntax Description

time-in-seconds    Time after which a CTS SXP connection is attempted again after a failure to connect. Valid range is between 0 and 64000 seconds.

Command Default

None

Command History

Release    Modification

7.6    This command was introduced in a release earlier than Release 7.6.


config cts sxp version

To configure the CTS SXP connection version, use the config cts sxp version command.

config cts sxp version version-1-or-2

Syntax Description

version-1-or-2    Enter the SXP version. Valid values are 1 and 2.

Command Default

None

Command History

Release    Modification

8.4    This command was introduced.


config cts sxp

To configure Cisco TrustSec SXP (CTS) connections on the controller, use the config cts sxp command.

config cts sxp {enable | disable | connection {delete | peer} | default password password | retry period time-in-seconds}

Syntax Description

enable    Enables CTS connections on the controller.

disable    Disables CTS connections on the controller.

connection    Configures CTS connection on the controller.

delete    Deletes the CTS connection on the controller.

peer    Configures the next hop switch with which the controller is connected.

ip-address    Only IPv4 address of the peer.

default password    Configures the default password for MD5 authentication of SXP messages.

password    Default password for MD5 Authentication of SXP messages. The password should contain a minimum of six characters.

retry period    Configures the SXP retry period.

time-in-seconds    Time after which a CTS connection is tried again after a failure to connect.

Command Default

None

Command History

Release    Modification

7.6    This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

For release 8.0, only IPv4 is supported for TrustSec SXP configuration.

Examples

The following example shows how to enable CTS on the controller:

(Cisco Controller) > config cts sxp enable

The following example shows how to configure a peer for a CTS connection:

> config cts sxp connection peer 209.165.200.224

Related Commands

debug cts sxp


config custom-web ext-webauth-mode

To configure external URL web-based client authorization for the custom-web authentication page, use the config custom-web ext-webauth-mode command.

config custom-web ext-webauth-mode {enable | disable}

Syntax Description

enable    Enables the external URL web-based client authorization.

disable    Disables the external URL web-based client authentication.

Command Default

None

Command History

Release    Modification

7.6    This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable the external URL web-based client authorization:

(Cisco Controller) > config custom-web ext-webauth-mode enable

Related Commands

config custom-web redirectUrl

config custom-web weblogo

config custom-web webmessage

config custom-web webtitle

config custom-web ext-webauth-url

show custom-web


config custom-web ext-webauth-url

To configure the complete external web authentication URL for the custom-web authentication page, use the config custom-web ext-webauth-url command.

config custom-web ext-webauth-url URL

Syntax Description

URL    URL used for web-based client authorization.

Command Default

None

Command History

Release    Modification

7.6    This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the complete external web authentication URL http://www.AuthorizationURL.com/ for the web-based client authorization:

(Cisco Controller) > config custom-web ext-webauth-url http://www.AuthorizationURL.com/

Related Commands

config custom-web redirectUrl

config custom-web weblogo

config custom-web webmessage

config custom-web webtitle

config custom-web ext-webauth-mode

show custom-web


config custom-web ext-webserver

To configure an external web server, use the config custom-web ext-webserver command.

config custom-web ext-webserver {add index IP_address | delete index}

Syntax Description

add    Adds an external web server.

index    Index of the external web server in the list of external web servers. The index must be a number between 1 and 20.

IP_address    IP address of the external web server.

delete    Deletes an external web server.

Command Default

None

Command History

Release    Modification

7.6    This command was introduced in a release earlier than Release 7.6.

8.0    This command supports only IPv4 address format.

Examples

The following example shows how to add an external web server with the index 2 and the IP address 192.23.32.19:

(Cisco Controller) > config custom-web ext-webserver add 2 192.23.32.19

Related Commands

config custom-web redirectUrl

config custom-web weblogo

config custom-web webmessage

config custom-web webtitle

config custom-web ext-webauth-mode

config custom-web ext-webauth-url

show custom-web


config custom-web logout-popup

To enable or disable the custom web authentication logout popup, use the config custom-web logout-popup command.

config custom-web logout-popup {enable | disable}

Syntax Description

enable    Enables the custom web authentication logout popup. This page appears after a successful login or a redirect of the custom web authentication page.

disable    Disables the custom web authentication logout popup.

Command Default

None

Command History

Release    Modification

7.6    This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to disable the custom web authentication logout popup:

(Cisco Controller) > config custom-web logout-popup disable

Related Commands

config custom-web redirectUrl

config custom-web weblogo

config custom-web webmessage

config custom-web webtitle

config custom-web ext-webauth-url

show custom-web


config custom-web qrscan-bypass-opt

To configure the qrscan bypass authentication options, use the config custom-web qrscan-bypass-opt command.

config custom-web qrscan-bypass-opt timer count

Syntax Description

timer    Set the duration to bypass the traffic temporarily. The range is between 5 and 60.

count    Set the number of times the traffic can be bypassed before client rejoins. The range is between 1 and 9.

Command Default

None

Command History

Release    Modification

8.4    This command was introduced.

Examples

The following example shows how to set the custom qrscan bypass timer to 60 and number of times to 3 before the client rejoins:

(Cisco Controller) > config custom-web qrscan-bypass-opt 60 3


config custom-web radiusauth

To configure the RADIUS web authentication method, use the config custom-web radiusauth command.

config custom-web radiusauth {chap | md5chap | pap}

Syntax Description

chap    Configures the RADIUS web authentication method as Challenge Handshake Authentication Protocol (CHAP).

md5chap    Configures the RADIUS web authentication method as Message Digest 5 CHAP (MD5-CHAP).

pap    Configures the RADIUS web authentication method as Password Authentication Protocol (PAP).

Command Default

None

Command History

Release    Modification

7.6    This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the RADIUS web authentication method as MD5-CHAP:

(Cisco Controller) > config custom-web radiusauth md5chap

Related Commands

config custom-web redirectUrl

config custom-web webmessage

config custom-web webtitle

config custom-web ext-webauth-mode

config custom-web ext-webauth-url

show custom-web


config custom-web redirectUrl

To configure the redirect URL for the custom-web authentication page, use the config custom-web redirectUrl command.

config custom-web redirectUrl URL

Syntax Description

URL    URL that is redirected to the specified address.

Command Default

None

Command History

Release    Modification

7.6    This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the URL that is redirected to abc.com:

(Cisco Controller) > config custom-web redirectUrl abc.com

Related Commands

config custom-web weblogo

config custom-web webmessage

config custom-web webtitle

config custom-web ext-webauth-mode

config custom-web ext-webauth-url

show custom-web


config custom-web sleep-client

To delete a web-authenticated sleeping client, use the config custom-web sleep-client command.

config custom-web sleep-client delete mac_address

Syntax Description

delete    Deletes a web-authenticated sleeping client with the help of the client MAC address.

mac_address    MAC address of the sleeping client.

Command Default

The web-authenticated sleeping client is not deleted.

Command History

Release    Modification

7.5    This command was introduced.

Examples

The following example shows how to delete a web-authenticated sleeping client:

(Cisco Controller) > config custom-web sleep-client delete 0:18:74:c7:c0:90


config custom-web webauth-type

To configure the type of web authentication, use the config custom-web webauth-type command.

config custom-web webauth-type {internal | customized | external}

Syntax Description

internal    Configures the web authentication type to internal.

customized    Configures the web authentication type to customized.

external    Configures the web authentication type to external.

Command Default

The default web authentication type is internal.

Command History

Release    Modification

7.6    This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the web authentication type to internal:

(Cisco Controller) > config custom-web webauth-type internal

Related Commands

config custom-web redirectUrl

config custom-web webmessage

config custom-web webtitle

config custom-web ext-webauth-mode

config custom-web ext-webauth-url

show custom-web


config custom-web weblogo

To configure the web authentication logo for the custom-web authentication page, use the config custom-web weblogo command.

config custom-web weblogo {enable | disable}

Syntax Description

enable    Enables the web authentication logo settings.

disable    Disables the web authentication logo settings.

Command Default

None

Command History

Release    Modification

7.6    This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable the web authentication logo:

(Cisco Controller) > config custom-web weblogo enable

Related Commands

config custom-web redirectUrl

config custom-web webmessage

config custom-web webtitle

config custom-web ext-webauth-mode

config custom-web ext-webauth-url

show custom-web


config custom-web webmessage

To configure the custom web authentication message text for the custom-web authentication page, use the config custom-web webmessage command.

config custom-web webmessage message

Syntax Description

message    Message text for web authentication.

Command Default

None

Command History

Release    Modification

7.6    This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the message text Thisistheplace for web authentication:

(Cisco Controller) > config custom-web webmessage Thisistheplace

Related Commands

config custom-web redirectUrl

config custom-web weblogo

config custom-web webtitle

config custom-web ext-webauth-mode

config custom-web ext-webauth-url

show custom-web


config custom-web webtitle

To configure the web authentication title text for the custom-web authentication page, use the config custom-web webtitle command.

config custom-web webtitle title

Syntax Description

title    Custom title text for web authentication.

Command Default

None

Command History

Release    Modification

7.6    This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to set the custom title text Helpdesk for web authentication:

(Cisco Controller) > config custom-web webtitle Helpdesk

Related Commands

config custom-web redirectUrl

config custom-web weblogo

config custom-web webmessage

config custom-web ext-webauth-mode

config custom-web ext-webauth-url

show custom-web


config database size

To configure the local database, use the config database size command.

config database size count

Syntax Description

count    Database size value between 512 and 2040

Command Default

None

Command History

Release    Modification

7.6    This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

Use the show database command to display local database configuration.

Examples

The following example shows how to configure the size of the local database:

(Cisco Controller) > config database size 1024

Related Commands

show database


config dhcp

To configure the internal DHCP, use the config dhcp command.

config dhcp {address-pool scope start end | create-scope scope | default-router scope router_1 [router_2] [router_3] | delete-scope scope | disable scope | dns-servers scope dns1 [dns2] [dns3] | domain scope domain | enable scope | lease scope lease_duration | netbios-name-server scope wins1 [wins2] [wins3] | network scope network netmask}

config dhcp opt-82 remote-id {ap_mac | ap_mac:ssid | ap-ethmac | apname:ssid | ap-group-name | flex-group-name | ap-location | apmac-vlan_id | apname-vlan_id | ap-ethmac-ssid}

Syntax Description

address-pool scope start end    Configures an address range to allocate. You must specify the scope name and the first and last addresses of the address range.

create-scope name    Creates a new DHCP scope. You must specify the scope name.

default-router scope router_1 [router_2] [router_3]    Configures the default routers for the specified scope; specify the IP address of a router. Optionally, you can specify the IP addresses of secondary and tertiary routers.

delete-scope scope    Deletes the specified DHCP scope.

disable scope    Disables the specified DHCP scope.

dns-servers scope dns1 [dns2] [dns3]    Configures the name servers for the given scope. You must also specify at least one name server. Optionally, you can specify secondary and tertiary name servers.

domain scope domain    Configures the DNS domain name. You must specify the scope and domain names.

enable scope    Enables the specified DHCP scope.

lease scope lease_duration    Configures the lease duration (in seconds) for the specified scope.

netbios-name-server scope wins1 [wins2] [wins3]    Configures the netbios name servers. You must specify the scope name and the IP address of a name server. Optionally, you can specify the IP addresses of secondary and tertiary name servers.

network scope network netmask    Configures the network and netmask. You must specify the scope name, the network address, and the network mask.

opt-82 remote-id    Configures the DHCP option 82 remote ID field format. DHCP option 82 provides additional security when DHCP is used to allocate network addresses. The controller acts as a DHCP relay agent to prevent DHCP client requests from untrusted sources. The controller adds option 82 information to DHCP requests from clients before forwarding the requests to the DHCP server.

ap_mac    MAC address of the access point to the DHCP option 82 payload.

ap_mac:ssid    MAC address and SSID of the access point to the DHCP option 82 payload.

ap-ethmac    Remote ID format as AP Ethernet MAC address.

apname:ssid    Remote ID format as AP name:SSID.

ap-group-name    Remote ID format as AP group name.

flex-group-name    Remote ID format as FlexConnect group name.

ap-location    Remote ID format as AP location.

apmac-vlan_id    Remote ID format as AP radio MAC address:VLAN_ID.

apname-vlan_id    Remote ID format as AP Name:VLAN_ID.

ap-ethmac-ssid    Remote ID format as AP Ethernet MAC:SSID address.

Command Default

The default value for ap-group-name is default-group, and for ap-location, the default value is default location.

If ap-group-name and flex-group-name are null, the system MAC is sent as the remote ID field.

Command History

Release    Modification

7.6    This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

Use the show dhcp command to display the internal DHCP configuration.

Examples

The following example shows how to configure the DHCP lease for the scope 003:

(Cisco Controller) > config dhcp lease 003


config dhcp opt-82 format

To configure the DHCP option 82 format, use the config dhcp opt-82 format command.

config dhcp opt-82 format {binary | ascii}

Syntax Description

binary    Specifies the DHCP option 82 format as binary.

ascii    Specifies the DHCP option 82 format as ASCII.

Command Default

None

Command History

Release    Modification

7.6    This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the format of DHCP option 82 payload:

(Cisco Controller) > config dhcp opt-82 format binary


config dhcp opt-82 remote-id

To configure the format of the DHCP option 82 payload, use the config dhcp opt-82 remote-id command.

config dhcp opt-82 remote-id {ap_mac | ap_mac:ssid | ap-ethmac | apname:ssid | ap-group-name | flex-group-name | ap-location | apmac-vlan-id | apname-vlan-id | ap-ethmac-ssid}

Syntax Description

ap_mac    Specifies the radio MAC address of the access point to the DHCP option 82 payload.

ap_mac:ssid    Specifies the radio MAC address and SSID of the access point to the DHCP option 82 payload.

ap-ethmac    Specifies the Ethernet MAC address of the access point to the DHCP option 82 payload.

apname:ssid    Specifies the AP name and SSID of the access point to the DHCP option 82 payload.

ap-group-name    Specifies the AP group name to the DHCP option 82 payload.

flex-group-name    Specifies the FlexConnect group name to the DHCP option 82 payload.

ap-location    Specifies the AP location to the DHCP option 82 payload.

apmac-vlan-id    Specifies the radio MAC address of the access point and the VLAN ID to the DHCP option 82 payload.

apname-vlan-id    Specifies the AP name and its VLAN ID to the DHCP option 82 payload.

ap-ethmac-ssid    Specifies the Ethernet MAC address of the access point and the SSID to the DHCP option 82 payload.

Command Default

None

Command History

Release    Modification

7.6    This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the remote ID of DHCP option 82 payload:

(Cisco Controller) > config dhcp opt-82 remote-id apgroup1
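
A DHCP server or log pipeline behind the controller can use the option 82 remote ID configured by the opt-82 commands above to tell relayed requests from others. The following is an added example, not Cisco code: it parses option 82 (RFC 3046) from a DHCP options field and checks the remote ID against an allowlist. The sample packets are constructed, and the byte layout assumed for the two formats (text mac:ssid for ascii, a raw 6-byte MAC for binary) is an assumption, because the page does not specify it.

```python
"""Parse DHCP option 82 (Relay Agent Information, RFC 3046) and vet its remote ID."""
import string

OPT_PAD, OPT_END, OPT_RELAY_AGENT_INFO = 0, 255, 82
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 1, 2
# Printable ASCII without control whitespace; used to guess ascii vs binary.
_PRINTABLE = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")


class MalformedOption(ValueError):
    """Raised when a code/length/value field runs past the end of the buffer."""


def iter_tlv(buf, what):
    """Yield (code, value) pairs; pad/end codes are only special for options."""
    i = 0
    while i < len(buf):
        code = buf[i]
        if what == "option" and code == OPT_PAD:
            i += 1
            continue
        if what == "option" and code == OPT_END:
            return
        if i + 1 >= len(buf):
            raise MalformedOption(f"{what} {code}: missing length byte")
        length = buf[i + 1]
        value = buf[i + 2 : i + 2 + length]
        if len(value) != length:
            raise MalformedOption(f"{what} {code}: truncated value")
        yield code, value
        i += 2 + length


def relay_agent_info(options):
    """Return {sub-option code: bytes} for option 82, or None if it is absent."""
    chunks = [v for c, v in iter_tlv(options, "option") if c == OPT_RELAY_AGENT_INFO]
    if not chunks:
        return None
    # RFC 3396: several instances of one option are concatenated before parsing.
    return dict(iter_tlv(b"".join(chunks), "sub-option"))


def describe_remote_id(raw):
    """Render a remote ID for logs: text if printable ASCII, else colon-separated hex.

    A binary value that happens to be all printable bytes is reported as ascii.
    """
    if raw and all(b in _PRINTABLE for b in raw):
        return ("ascii", raw.decode("ascii"))
    return ("binary", raw.hex(":"))


def check_request(options, allowed_remote_ids):
    """Accept only requests whose option 82 remote ID is on the allowlist."""
    try:
        info = relay_agent_info(options)
    except MalformedOption as exc:
        return ("reject", f"malformed: {exc}")
    if info is None:
        return ("reject", "no option 82 present")
    rid = info.get(SUB_REMOTE_ID)
    if rid is None:
        return ("reject", "option 82 without a remote ID sub-option")
    kind, text = describe_remote_id(rid)
    if text not in allowed_remote_ids:
        return ("reject", f"unknown remote ID ({kind}): {text}")
    return ("accept", f"remote ID ({kind}): {text}")


def tlv(code, value):
    """Build one code/length/value field (helper for the constructed samples)."""
    return bytes([code, len(value)]) + value


# Constructed samples (not captured traffic). 00:00:5e:00:53:01 is a documentation MAC.
AP_MAC = bytes.fromhex("00005e005301")
SAMPLE_ASCII = tlv(53, b"\x03") + tlv(82, tlv(SUB_REMOTE_ID, b"00:00:5e:00:53:01:guest")) + b"\xff"
SAMPLE_BINARY = (b"\x00" + tlv(53, b"\x01")
                 + tlv(82, tlv(SUB_CIRCUIT_ID, b"\x00\x04") + tlv(SUB_REMOTE_ID, AP_MAC)) + b"\xff")
SAMPLE_NO_82 = tlv(53, b"\x01") + b"\xff"
SAMPLE_TRUNCATED = tlv(53, b"\x01") + bytes([82, 10, 2, 6, 0, 0])  # claims 10 bytes, has 4

ALLOWED = {"00:00:5e:00:53:01:guest", "00:00:5e:00:53:01"}

if __name__ == "__main__":
    for name, pkt in [("ascii", SAMPLE_ASCII), ("binary", SAMPLE_BINARY),
                      ("no-82", SAMPLE_NO_82), ("truncated", SAMPLE_TRUNCATED)]:
        print(name, check_request(pkt, ALLOWED))
```

The allowlist has to be written in the same form the controller is configured to send, so changing the remote-id keyword or the binary/ascii format on the controller means updating it as well.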


config dhcp proxy

To specify the level at which DHCP packets are modified, use the config dhcp proxy command.

config dhcp proxy {enable | disable {bootp-broadcast [enable | disable]}}

Syntax Description

enable    Allows the controller to modify the DHCP packets without a limit.

disable    Reduces the DHCP packet modification to the level of a relay.

bootp-broadcast    Configures DHCP BootP broadcast option.

Command Default

DHCP is enabled.

Command History

Release    Modification

7.6    This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

Use the show dhcp proxy command to display the status of DHCP proxy handling.

To enable third-party WGB support, you must enable the passive-client feature on the wireless LAN by entering the config wlan passive-client enable command.

Examples

The following example shows how to disable the DHCP packet modification:

(Cisco Controller) > config dhcp proxy disable

The following example shows how to enable the DHCP BootP broadcast option:

(Cisco Controller) > config dhcp proxy disable bootp-broadcast enable


config dhcp timeout

To configure a DHCP timeout value, use the config dhcp timeout command. If you have configured a WLAN to be in DHCP required state, this timer controls how long the WLC will wait for a client to get a DHCP lease through DHCP.

config dhcp timeout timeout-value

Syntax Description

timeout-value    Timeout value in the range of 5 to 120 seconds.

Command Default

The default timeout value is 120 seconds.

Command History

Release    Modification

7.6    This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to set the DHCP timeout to 10 seconds:

(Cisco Controller) > config dhcp timeout 10


config exclusionlist

To create or delete an exclusion list entry, use the config exclusionlist command.

config exclusionlist {add MAC [description] | delete MAC | description MAC [description]}

Syntax Description

config exclusionlist    Configures the exclusion list.

add    Creates a local exclusion-list entry.

delete    Deletes a local exclusion-list entry.

description    Specifies the description for an exclusion-list entry.

MAC    MAC address of the local Excluded entry.

description    (Optional) Description, up to 32 characters, for an excluded entry.

Command Default

None

Command History

Release    Modification

7.6    This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to create a local exclusion list entry for the MAC address xx:xx:xx:xx:xx:xx:

(Cisco Controller) > config exclusionlist add xx:xx:xx:xx:xx:xx lab

The following example shows how to delete a local exclusion list entry for the MAC address xx:xx:xx:xx:xx:xx:

(Cisco Controller) > config exclusionlist delete xx:xx:xx:xx:xx:xx lab

Related Commands

show exclusionlist


config flexconnect acl

To apply access control lists that are configured on a FlexConnect access point, use the config flexconnect acl command.

config flexconnect acl {apply | create | delete} acl_name

Syntax Description

apply    Applies an ACL to the data path.

create    Creates an ACL.

delete    Deletes an ACL.

acl_name    ACL name that contains up to 32 alphanumeric characters.

Command History

Release    Modification

7.6    This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to apply the ACL configured on a FlexConnect access point:

(Cisco Controller) > config flexconnect acl apply acl1


config flexconnect acl rule

To configure access control list (ACL) rules on a FlexConnect access point, use the config flexconnect acl rule command.

config flexconnect acl rule {action rule_name rule_index {permit | deny} | add rule_name rule_index | change index rule_name old_index new_index | delete rule_name rule_index | destination address rule_name rule_index ip_address netmask | destination port range rule_name rule_index start_port end_port | direction rule_name rule_index {in | out | any} | dscp rule_name rule_index dscp | protocol rule_name rule_index protocol | source address rule_name rule_index ip_address netmask | source port range rule_name rule_index start_port end_port | swap index rule_name index_1 index_2}

Syntax Description

action    Configures whether to permit or deny access.

rule_name    ACL name that contains up to 32 alphanumeric characters.

rule_index    Rule index between 1 and 32.

permit    Permits the rule action.

deny    Denies the rule action.

add    Adds a new rule.

change    Changes a rule’s index.

index    Specifies a rule index.

delete    Deletes a rule.

destination address    Configures a rule’s destination IP address and netmask.

ip_address    IP address of the rule.

netmask    Netmask of the rule.

start_port    Start port number (between 0 and 65535).

end_port    End port number (between 0 and 65535).

direction    Configures a rule’s direction to in, out, or any.

in    Configures a rule’s direction to in.

out    Configures a rule’s direction to out.

any    Configures a rule’s direction to any.

dscp    Configures a rule’s DSCP.

dscp    Number between 0 and 63, or any.

protocol    Configures a rule’s DSCP.

protocol    Number between 0 and 255, or any.

source address    Configures a rule’s source IP address and netmask.

source port range    Configures a rule’s source port range.

swap    Swaps two rules’ indices.

index_1    The first rule index to swap.

index_2    The rule index to swap the first index with.

Command Default

None

Command History

Release    Modification

7.6    This command was introduced in a release earlier than Release 7.6.

Examples

This example shows how to configure an ACL to permit access:

(Cisco Controller) > config flexconnect acl rule action lab1 4 permit


config flexconnect arp-caching

To save an ARP entry for a client in the cache with locally switched WLAN on FlexConnect APs, use the config flexconnect arp-caching command.

config flexconnect arp-caching {enable | disable}

Syntax Description

arp-caching enable    Instructs the access point to save the ARP entry for a client in the cache and reply on behalf of the client for locally switched WLAN.

arp-caching disable    Disables ARP caching.

Command Default

None

Command History

Release    Modification

8.0    This command was introduced.

Examples

The following example shows how to apply the proxy ARP with locally switched WLAN on FlexConnect APs.

(Cisco Controller) > config flexconnect arp-caching enable


config flexconnect avc profile

To configure a FlexConnect Application Visibility and Control (AVC) profile, use the config flexconnect avc profile command.

config flexconnect avc profile profilename {create | delete} | apply | rule {add application app-name {drop | {mark dscp-value}}} | {remove application app-name}

Syntax Description

profile-name    Name of the AVC profile. The range is from 0 to 32 alphanumeric characters.

create    Creates an AVC profile.

delete    Deletes an AVC profile.

apply    Applies an AVC profile.

rule    Configures a rule for an AVC profile.

add application    Adds a rule for an AVC profile.

app-name    Name of the application. The range is from 0 to 32 alphanumeric characters.

drop    Adds a rule to drop packets.

mark    Adds a rule to mark packets with specific differentiated services code point (DSCP).

dscp-value    DSCP value for marking packets. The range is from 0 to 63.

remove application    Removes a rule for an AVC profile.

Command Default

None

Command History

Release    Modification

8.1    This command was introduced.

Examples

The following example shows how to create a FlexConnect profile:

(Cisco Controller) > config flexconnect avc profile profile1 create


config flexconnect fallback-radio-shut

To configure the radio interface of an access point when the Ethernet link is not operational, use the config flexconnect fallback-radio-shut command.

config flexconnect fallback-radio-shut {disable | enable delay delay-in-sec}

Syntax Description

disable    Disables the radio interface shutdown.

enable    Enables the radio interface shutdown.

delay    Specifies the delay for the interface after which the radio interface has to be shut down.

delay-in-sec    Delay duration, in seconds.

Command Default

The radio interface shutdown is disabled.

Command History

Release    Modification

7.6    This command was introduced.

Usage Guidelines

You can specify the delay duration only if you enable the radio interface shutdown.

Examples

The following example shows how to enable the radio interface shutdown after a delay duration of 5 seconds:

(Cisco Controller) > config flexconnect fallback-radio-shut enable delay 5


config flexconnect group

To add, delete, or configure a FlexConnect group, use the config flexconnect group command.

config flexconnect group group_name {add | delete | ap {add | delete} ap-mac | radius {ap {authority {id hex_id | info auth_info} | disable | eap-fast {enable | disable} | enable | leap {enable | disable} | pac-timeout timeout | server-key {auto | key} | user {add {username password} | delete username}}} | server auth {add | delete} {primary | secondary} IP_address auth_port secret} | predownload {disable | enable} | master ap_name | slave {retry-count max_count | ap-name cisco_ap} | start {primary backup abort} | local-split {wlan wlan_id acl acl_name {enable | disable}} | multicast overridden-interface {enable | disable} | vlan {add vlan_id acl in-aclname out-aclname | delete vlan_id} | web-auth wlan wlan_id acl acl_name {enable | disable} | web-policy acl {add | delete} acl_name}

config flexconnect group group_name radius ap {eap-cert download | eap-tls {enable | disable} | peap {enable | disable}}

config flexconnect group group_name policy acl {add | delete} acl_name

config flexconnect group group_name {add | delete} http-proxy ipaddress ip-address port port-no

Syntax Description

group_name                      Group name.
add                             Adds a FlexConnect group.
delete                          Deletes a FlexConnect group.
ap                              Adds or deletes an access point to a FlexConnect group.
add                             Adds an access point to a FlexConnect group.
delete                          Deletes an access point from a FlexConnect group.
ap_mac                          MAC address of the access point.
radius                          Configures the RADIUS server for client authentication for a FlexConnect group.
ap                              Configures an access point based RADIUS server for client authentication for a FlexConnect group.
authority                       Configures the Extensible Authentication Protocol-Flexible Authentication via Secure Tunneling (EAP-FAST) authority parameters.
id                              Configures the authority identifier of the local EAP-FAST server.
hex_id                          Authority identifier of the local EAP-FAST server in hexadecimal characters. You can enter up to 32 hexadecimal characters; the number of characters must be even.
info                            Configures the authority identifier of the local EAP-FAST server in text format.
auth_info                       Authority identifier of the local EAP-FAST server in text format.
disable                         Disables an AP based RADIUS server.
eap-fast                        Enables or disables Extensible Authentication Protocol-Flexible Authentication via Secure Tunneling (EAP-FAST) authentication.
enable                          Enables EAP-FAST authentication.
disable                         Disables EAP-FAST authentication.
enable                          Enables AP based RADIUS Server.
leap                            Enables or disables Lightweight Extensible Authentication Protocol (LEAP) authentication.
disable                         Disables LEAP authentication.
enable                          Enables LEAP authentication.
pac-timeout                     Configures the EAP-FAST Protected Access Credential (PAC) timeout parameters.
timeout                         PAC timeout in days. The range is from 2 to 4095. A value of 0 indicates that it is disabled.
server-key                      Configures the EAP-FAST server key. The server key is used to encrypt and decrypt PACs.
auto                            Automatically generates a random server key.
key                             Key that disables efficient upgrade for a FlexConnect group.
user                            Manages the user list at the AP-based RADIUS server.
add                             Adds a user. You can configure a maximum of 100 users.
username                        Username that is case-sensitive and alphanumeric and can be up to 24 characters.
password                        Password of the user.
delete                          Deletes a user.
server                          Configures an external RADIUS server.
add                             Adds an external RADIUS server.
delete                          Deletes an external RADIUS server.
primary                         Configures an external primary RADIUS server.
secondary                       Configures an external secondary RADIUS server.
IP_address                      IP address of the RADIUS server.
auth_port                       Port address of the RADIUS server.
secret                          Index of the RADIUS server.
predownload                     Configures an efficient AP upgrade for the FlexConnect group. You can download an upgrade image to the access point from the controller without resetting the access point or losing network connectivity.
disable                         Disables an efficient upgrade for a FlexConnect group.
enable                          Enables an efficient upgrade for a FlexConnect group.
master                          Manually designates an access point in the FlexConnect group as the master AP.
ap_name                         Access point name.
slave                           Manually designates an access point in the FlexConnect group as the slave AP.
retry-count                     Configures the number of times the slave access point tries to predownload an image from the master.
max_count                       Maximum number of times the slave access point tries to predownload an image from the master.
ap_name                         Override the manually configured master.
cisco_ap                        Name of the master access point.
start                           Starts the predownload image upgrade for the FlexConnect group.
primary                         Starts the predownload primary image upgrade for the FlexConnect group.
backup                          Starts the predownload backup image upgrade for the FlexConnect group.
abort                           Aborts the predownload image upgrade for the FlexConnect group.
local-split                     Configures a local-split ACL on a FlexConnect AP group per WLAN.
wlan                            Configures a WLAN for a local split ACL on a FlexConnect AP group.
wlan_id                         Wireless LAN identifier between 1 and 512 (inclusive).
acl                             Configures a local split ACL on a FlexConnect AP group per WLAN.
acl_name                        Name of the ACL.
multicast overridden-interface  Configures multicast across the Layer 2 broadcast domain on the overridden interface for locally switched clients.
vlan                            Configures a VLAN to the FlexConnect group.
add                             Adds a VLAN to the FlexConnect group.
vlan_id                         VLAN identifier.
in-acl                          Inbound ACL name that contains up to 32 alphanumeric characters.
out-acl                         Outbound ACL name that contains up to 32 alphanumeric characters.
delete                          Deletes a VLAN from the FlexConnect group.
web-auth                        Configures a FlexConnect ACL for external web authentication.
wlan                            Specifies the wireless LAN to be configured with a FlexConnect ACL.
wlan_id                         Wireless LAN identifier between 1 and 512 (inclusive).
cisco_ap                        Name of the FlexConnect access point.
acl                             Configures FlexConnect ACLs.
web-policy                      Configures a web policy FlexConnect ACL.
add                             Adds a web policy FlexConnect ACL to the FlexConnect group.
delete                          Deletes a web policy FlexConnect ACL from the FlexConnect group.
eap-cert download               Downloads the EAP root and device certificate.
eap-tls                         Enables or disables EAP-Transport Layer Security (EAP-TLS) authentication.
peap                            Enables or disables Protected Extensible Authentication Protocol (PEAP) authentication.
policy acl                      Configures policy ACL on the FlexConnect group.
http-proxy ipaddress            Configures http-proxy server.
ip-address                      IP address for flexgroup http-proxy.
port-no                         Port number for flexgroup http-proxy.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.
8.3        This command was modified.

Usage Guidelines

You can add up to 100 clients.

Beginning in Release 7.4 and later releases, the supported maximum number of RADIUS servers is 100.

Examples

The following example shows how to add a FlexConnect group for MAC address 192.12.1.2:

(Cisco Controller) > config flexconnect group 192.12.1.2 add

The following example shows how to add a RADIUS server as a primary server for a FlexConnect group with the server index number 1:

(Cisco Controller) > config flexconnect group 192.12.1.2 radius server add primary 1

The following example shows how to enable a local split ACL on a FlexConnect AP group for a WLAN:

(Cisco Controller) > config flexconnect group flexgroup1 local-split wlan 1 acl flexacl1 enable

config flexconnect group vlan

To configure VLAN for a FlexConnect group, use the config flexconnect group vlan command.

config flexconnect group group_name vlan {add vlan-id acl in-aclname out-aclname | delete vlan-id}

Syntax Description

group_name     FlexConnect group name.
add            Adds a VLAN for the FlexConnect group.
vlan-id        VLAN ID.
acl            Specifies an access control list.
in-aclname     In-bound ACL name.
out-aclname    Out-bound ACL name.
delete         Deletes a VLAN from the FlexConnect group.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to add VLAN ID 1 for the FlexConnect group myflexacl where the in-bound ACL name is in-acl and the out-bound ACL is out-acl:

(Cisco Controller) > config flexconnect group myflexacl vlan add 1 acl in-acl out-acl

config flexconnect group group-name dhcp overridden-interface

To enable or disable the DHCP overridden interface for a FlexConnect group, use the config flexconnect group group-name dhcp overridden-interface command.

config flexconnect group group-name dhcp overridden-interface {enable | disable}

Syntax Description

overridden-interface    The DHCP overridden interface for FlexConnect group.
group-name              Name of the FlexConnect group.
enable                  Instructs the access point to enable DHCP broadcast for locally switched clients.
disable                 Disables the feature.

Command Default

None

Command History

Release    Modification
8.0        This command was introduced.

Examples

The following example shows how to enable DHCP broadcast for locally switched clients:

(Cisco Controller) > config flexconnect group flexgroup dhcp overridden-interface enable

config flexconnect group web-auth

To configure Web-Auth ACL for a FlexConnect group, use the config flexconnect group web-auth command.

config flexconnect group group_name web-auth wlan wlan-id acl acl-name {enable | disable}

Syntax Description

group_name    FlexConnect group name.
wlan-id       WLAN ID.
acl-name      ACL name.
enable        Enables the Web-Auth ACL for a FlexConnect group.
disable       Disables the Web-Auth ACL for a FlexConnect group.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable Web-Auth ACL webauthacl for the FlexConnect group myflexacl on WLAN ID 1:

(Cisco Controller) > config flexconnect group myflexacl web-auth wlan 1 acl webauthacl enable

config flexconnect group web-policy

To configure Web Policy ACL for a FlexConnect group, use the config flexconnect group web-policy command.

config flexconnect group group_name web-policy acl {add | delete} acl-name

Syntax Description

group_name    FlexConnect group name.
add           Adds the Web Policy ACL.
delete        Deletes the Web Policy ACL.
acl-name      Name of the Web Policy ACL.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to add the Web Policy ACL mywebpolicyacl to the FlexConnect group myflexacl:

(Cisco Controller) > config flexconnect group myflexacl web-policy acl add mywebpolicyacl

config flexconnect join min-latency

To enable or disable the access point to choose the controller with the least latency when joining, use the config flexconnect join min-latency command.

config flexconnect join min-latency {enable | disable} cisco_ap

Syntax Description

enable      Enables the access point to choose the controller with the least latency when joining.
disable     Disables the access point to choose the controller with the least latency when joining.
cisco_ap    Cisco lightweight access point.

Command Default

The access point cannot choose the controller with the least latency when joining.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

When you enable this feature, the access point calculates the time between the discovery request and discovery response and joins the controller that responds first. This command is supported only on the following controller releases:

• Cisco 2500 Series Controller

• Cisco 5500 Series Controller

• Cisco Flex 7500 Series Controllers

• Cisco 8500 Series Controllers

• Cisco Wireless Services Module 2

This configuration overrides the HA setting on the controller, and is applicable only for OEAP access points.

Examples

The following example shows how to enable the access point to choose the controller with the least latency when joining:

(Cisco Controller) > config flexconnect join min-latency enable CISCO_AP

config flexconnect office-extend

To configure FlexConnect mode for an OfficeExtend access point, use the config flexconnect office-extend command.

config flexconnect office-extend {{enable | disable} cisco_ap | clear-personalssid-config cisco_ap}

Syntax Description

enable                       Enables the OfficeExtend mode for an access point.
disable                      Disables the OfficeExtend mode for an access point.
clear-personalssid-config    Clears only the access point’s personal SSID.
cisco_ap                     Cisco lightweight access point.

Command Default

OfficeExtend mode is enabled automatically when you enable FlexConnect mode on the access point.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

Currently, only Cisco Aironet 1130 series and 1140 series access points that are joined to a Cisco 5500 Series Controller with a WPlus license can be configured to operate as OfficeExtend access points.

Rogue detection is disabled automatically when you enable the OfficeExtend mode for an access point. OfficeExtend access points, which are deployed in a home environment, are likely to detect a large number of rogue devices. You can enable or disable rogue detection for a specific access point or for all access points by using the config rogue detection command.

DTLS data encryption is enabled automatically when you enable the OfficeExtend mode for an access point. However, you can enable or disable DTLS data encryption for a specific access point or for all access points by using the config ap link-encryption command.

Telnet and SSH access are disabled automatically when you enable the OfficeExtend mode for an access point. However, you can enable or disable Telnet or SSH access for a specific access point by using the config ap telnet or config ap ssh command.

Link latency is enabled automatically when you enable the OfficeExtend mode for an access point. However, you can enable or disable link latency for a specific access point or for all access points currently associated to the controller by using the config ap link-latency command.

Examples

The following example shows how to enable the office-extend mode for the access point Cisco_ap:

(Cisco Controller) > config flexconnect office-extend enable Cisco_ap

The following example shows how to clear only the access point’s personal SSID for the access point Cisco_ap:

(Cisco Controller) > config flexconnect office-extend clear-personalssid-config Cisco_ap

config flow

To configure a NetFlow Monitor and Exporter, use the config flow command.

config flow {add | delete} monitor monitor_name {exporter exporter_name | record {ipv4_client_app_flow_record | ipv4_client_src_dst_flow_record}}

Syntax Description

add                                Associates either a NetFlow monitor with an exporter, or a NetFlow record with a NetFlow monitor.
delete                             Dissociates either a NetFlow monitor from an exporter, or a NetFlow record from a NetFlow monitor.
monitor                            Configures a NetFlow monitor.
monitor_name                       Name of the NetFlow monitor. The monitor name can be up to 32 case-sensitive, alphanumeric characters. You cannot include spaces in a monitor name.
exporter                           Configures a NetFlow exporter.
exporter_name                      Name of the NetFlow exporter. The exporter name can be up to 32 case-sensitive, alphanumeric characters. You cannot include spaces in an exporter name.
record                             Associates a NetFlow record to the NetFlow monitor.
ipv4_client_app_flow_record        Existing record template for better performance.
ipv4_client_src_dst_flow_record    Enhanced record template for better coverage.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

An exporter is a network entity that exports the template with IP traffic information. The Cisco WLC acts as an exporter. A NetFlow record in the Cisco WLC contains the information about the traffic in a given flow, such as client MAC address, client source IP address, WLAN ID, incoming and outgoing bytes of data, incoming and outgoing packets, and incoming and outgoing Differentiated Services Code Point (DSCP).

Examples

The following example shows how to configure a NetFlow monitor and exporter:

(Cisco Controller) > config flow add monitor monitor1 exporter exporter1

config guest-lan

To create, delete, enable or disable a wireless LAN, use the config guest-lan command.

config guest-lan {create | delete} guest_lan_id interface_name | {enable | disable} guest_lan_id

Syntax Description

create            Creates wired LAN settings.
delete            Deletes wired LAN settings.
guest_lan_id      LAN identifier between 1 and 5 (inclusive).
interface_name    Interface name up to 32 alphanumeric characters.
enable            Enables a wireless LAN.
disable           Disables a wireless LAN.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable a wireless LAN with the LAN ID 16:

(Cisco Controller) > config guest-lan enable 16

Related Commands

show wlan

config guest-lan custom-web ext-webauth-url

To redirect guest users to an external server before accessing the web login page, use the config guest-lan custom-web ext-webauth-url command.

config guest-lan custom-web ext-webauth-url ext_web_url guest_lan_id

Syntax Description

ext_web_url     URL for the external server.
guest_lan_id    Guest LAN identifier between 1 and 5 (inclusive).

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable a wireless LAN with the LAN ID 16:

(Cisco Controller) > config guest-lan custom-web ext-webauth-url http://www.AuthorizationURL.com/ 1

Related Commands

config guest-lan
config guest-lan create
config guest-lan custom-web login_page

config guest-lan custom-web global disable

To use a guest-LAN specific custom web configuration rather than a global custom web configuration, use the config guest-lan custom-web global disable command.

config guest-lan custom-web global disable guest_lan_id

Syntax Description

guest_lan_id    Guest LAN identifier between 1 and 5 (inclusive).

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

If you enter the config guest-lan custom-web global enable guest_lan_id command, the custom web authentication configuration at the global level is used.

Examples

The following example shows how to disable the global web configuration for guest LAN ID 1:

(Cisco Controller) > config guest-lan custom-web global disable 1

Related Commands

config guest-lan
config guest-lan create
config guest-lan custom-web ext-webauth-url
config guest-lan custom-web login_page
config guest-lan custom-web webauth-type

config guest-lan custom-web login_page

To enable wired guest users to log into a customized web login page, use the config guest-lan custom-web login_page command.

config guest-lan custom-web login_page page_name guest_lan_id

Syntax Description

page_name       Name of the customized web login page.
guest_lan_id    Guest LAN identifier between 1 and 5 (inclusive).

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to customize a web login page custompage1 for guest LAN ID 1:

(Cisco Controller) > config guest-lan custom-web login_page custompage1 1

Related Commands

config guest-lan
config guest-lan create
config guest-lan custom-web ext-webauth-url

config guest-lan custom-web webauth-type

To define the web login page for wired guest users, use the config guest-lan custom-web webauth-type command.

config guest-lan custom-web webauth-type {internal | customized | external} guest_lan_id

Syntax Description

internal        Displays the default web login page for the controller. This is the default value.
customized      Displays the custom web login page that was previously configured.
external        Redirects users to the URL that was previously configured.
guest_lan_id    Guest LAN identifier between 1 and 5 (inclusive).

Command Default

The default web login page for the controller is internal.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the guest LAN with the webauth-type as internal for guest LAN ID 1:

(Cisco Controller) > config guest-lan custom-web webauth-type internal 1

Related Commands

config guest-lan
config guest-lan create
config guest-lan custom-web ext-webauth-url

config guest-lan ingress-interface

To configure the wired guest VLAN’s ingress interface that provides a path between the wired guest client and the controller through the Layer 2 access switch, use the config guest-lan ingress-interface command.

config guest-lan ingress-interface guest_lan_id interface_name

Syntax Description

guest_lan_id      Guest LAN identifier from 1 to 5 (inclusive).
interface_name    Interface name.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to provide a path between the wired guest client and the controller with guest LAN ID 1 and the interface name guest01:

(Cisco Controller) > config guest-lan ingress-interface 1 guest01

Related Commands

config interface guest-lan
config guest-lan create

config guest-lan interface

To configure an egress interface to transmit wired guest traffic out of the controller, use the config guest-lan interface command.

config guest-lan interface guest_lan_id interface_name

Syntax Description

guest_lan_id      Guest LAN identifier between 1 and 5 (inclusive).
interface_name    Interface name.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure an egress interface to transmit guest traffic out of the controller for guest LAN ID 1 and interface name guest01:

(Cisco Controller) > config guest-lan interface 1 guest01

Related Commands

config ingress-interface guest-lan
config guest-lan create

config guest-lan mobility anchor

To add or delete mobility anchor, use the config guest-lan mobility anchor command.

config guest-lan mobility anchor {add | delete} Guest LAN Id IP addr

Syntax Description

add             Adds a mobility anchor to a WLAN.
delete          Deletes a mobility anchor from a WLAN.
Guest LAN Id    Guest LAN identifier between 1 and 5.
IP addr         Member switch IPv4 or IPv6 address to anchor WLAN.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.
8.0        This command supports both IPv4 and IPv6 address formats.

Examples

The following example shows how to delete a mobility anchor for WAN ID 4 and the anchor IP 192.168.0.14:

(Cisco Controller) > config guest-lan mobility anchor delete 4 192.168.0.14

config guest-lan nac

To enable or disable Network Admission Control (NAC) out-of-band support for a guest LAN, use the config guest-lan nac command:

config guest-lan nac {enable | disable} guest_lan_id

Syntax Description

enable          Enables the NAC out-of-band support.
disable         Disables the NAC out-of-band support.
guest_lan_id    Guest LAN identifier between 1 and 5 (inclusive).

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable the NAC out-of-band support for guest LAN ID 3:

(Cisco Controller) > config guest-lan nac enable 3

Related Commands

show nac statistics
show nac summary
config wlan nac
debug nac

config guest-lan security

To configure the security policy for the wired guest LAN, use the config guest-lan security command.

config guest-lan security {web-auth {enable | disable | acl | server-precedence} guest_lan_id | web-passthrough {acl | email-input | disable | enable} guest_lan_id}

Syntax Description

web-auth             Specifies web authentication.
enable               Enables the web authentication settings.
disable              Disables the web authentication settings.
acl                  Configures an access control list.
server-precedence    Configures the authentication server precedence order for web authentication users.
guest_lan_id         LAN identifier between 1 and 5 (inclusive).
web-passthrough      Specifies the web captive portal with no authentication required.
email-input          Configures the web captive portal using an e-mail address.

Command Default

The default security policy for the wired guest LAN is web authentication.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the security web authentication policy for guest LAN ID 1:

(Cisco Controller) > config guest-lan security web-auth enable 1

Related Commands

config ingress-interface guest-lan
config guest-lan create
config interface guest-lan
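
A pre-change check that applies the argument limits documented for the config guest-lan commands above (guest_lan_id 1 to 5, interface names of up to 32 alphanumeric characters, the three webauth-type values) to candidate CLI lines. This is an added example, not part of the Cisco reference; lint and its helpers are hypothetical names, and the plain-HTTP warning is this example's own policy rather than a controller rule.

```python
import ipaddress
import re
from urllib.parse import urlparse

PROMPT = "(Cisco Controller) >"
GUEST_LAN_IDS = {"1", "2", "3", "4", "5"}      # "between 1 and 5 (inclusive)"
NAME_RE = re.compile(r"[A-Za-z0-9]{1,32}")     # "up to 32 alphanumeric characters"
ON_OFF = {"enable", "disable"}
WEBAUTH_TYPES = {"internal", "customized", "external"}
SECURITY_OPTS = {
    "web-auth": {"enable", "disable", "acl", "server-precedence"},
    "web-passthrough": {"acl", "email-input", "disable", "enable"},
}


def _id(tok, out):
    if tok not in GUEST_LAN_IDS:
        out.append(f"guest_lan_id {tok!r} is outside the documented range 1-5")


def _choice(tok, allowed, what, out):
    if tok not in allowed:
        out.append(f"{what} {tok!r} is not one of {sorted(allowed)}")


def _url(tok, out):
    url = urlparse(tok)
    if url.scheme not in ("http", "https") or not url.netloc:
        out.append(f"ext_web_url {tok!r} is not an http(s) URL")
    elif url.scheme == "http":
        # Policy of this example (assumption), not a controller rule.
        out.append("ext_web_url uses plain HTTP; the redirect target is served without TLS")


def _ip(tok, out):
    try:
        ipaddress.ip_address(tok)              # anchors may be IPv4 or IPv6
    except ValueError:
        out.append(f"anchor address {tok!r} is not a valid IPv4 or IPv6 address")


def lint(line):
    """Return findings for one CLI line; an empty list means nothing to flag."""
    text = line.strip()
    if text.startswith(PROMPT):
        text = text[len(PROMPT):].strip()
    tok = text.split()
    if tok[:2] != ["config", "guest-lan"]:
        return []                              # other commands are out of scope
    a, out = tok[2:], []
    verb = a[0] if a else ""
    try:
        if verb in ("create", "delete", "enable", "disable"):
            _id(a[1], out)
            if verb == "create" and not NAME_RE.fullmatch(a[2]):
                out.append(f"interface_name {a[2]!r} is not 1-32 alphanumeric characters")
        elif verb in ("ingress-interface", "interface"):
            _id(a[1], out)
            if len(a) < 3:
                out.append("missing interface_name")
        elif verb == "nac":
            _choice(a[1], ON_OFF, "nac option", out)
            _id(a[2], out)
        elif verb == "custom-web":
            sub, value = a[1], a[2]
            _id(a[3], out)
            if sub == "ext-webauth-url":
                _url(value, out)
            elif sub == "webauth-type":
                _choice(value, WEBAUTH_TYPES, "webauth-type", out)
            elif sub == "global":
                _choice(value, ON_OFF, "global option", out)
            elif sub != "login_page":
                out.append(f"unknown custom-web keyword {sub!r}")
        elif verb == "mobility" and a[1] == "anchor":
            _choice(a[2], {"add", "delete"}, "anchor action", out)
            _id(a[3], out)
            _ip(a[4], out)
        elif verb == "security" and a[1] in SECURITY_OPTS:
            _choice(a[2], SECURITY_OPTS[a[1]], a[1] + " option", out)
            _id(a[3], out)
        else:
            out.append(f"unknown or incomplete guest-lan command: {' '.join(a)!r}")
    except IndexError:
        out.append("missing argument")
    return out


if __name__ == "__main__":
    # The first four lines are examples from the sections above; the last two
    # are constructed for this example.
    for cmd in [
        "(Cisco Controller) > config guest-lan enable 16",
        "config guest-lan custom-web ext-webauth-url http://www.AuthorizationURL.com/ 1",
        "config guest-lan security web-auth enable 1",
        "config guest-lan mobility anchor delete 4 192.168.0.14",
        "config guest-lan custom-web webauth-type extrnal 1",
        "config guest-lan create 2 guest_vlan-01",
    ]:
        print(cmd, "->", lint(cmd) or "ok")
```

Run over the examples printed in this reference, the check flags `config guest-lan enable 16` because 16 is outside the documented 1 to 5 range.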


config interface 3g-vlan

To configure 3G/4G-VLAN interface, use the config interface 3g-vlan command.

config interface 3g-vlan interface-name {enable | disable}

Syntax Description

interface-name enable     Enables the specified 3G/4G-VLAN interface.
interface-name disable    Disables the specified 3G/4G-VLAN interface.

Command Default

None

Command History

Release    Modification
8.1        This command was introduced.

Examples

The following example shows how to configure 3G/4G-VLAN interface:

(Cisco Controller) > config interface 3g-vlan vlan-int enable

config interface acl

To configure access control list of an interface, use the config interface acl command.

config interface acl {ap-manager | management | interface_name} {ACL | none}

Syntax Description

ap-manager        Configures the access point manager interface.
management        Configures the management interface.
interface_name    Interface name.
ACL               ACL name up to 32 alphanumeric characters.
none              Specifies none.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

For a Cisco 2100 Series Wireless LAN Controller, you must configure a preauthentication ACL on the wireless LAN for the external web server. This ACL should then be set as a wireless LAN preauthentication ACL under Web Policy. However, you do not need to configure any preauthentication ACL for Cisco 4400 Series Wireless LAN Controllers.

Examples

The following example shows how to configure an access control list with a value None:

(Cisco Controller) > config interface acl management none

config interface address

To configure address information for an interface, use the config interface address command.

config interface address {ap-manager IP_address netmask gateway | management IP_address netmask gateway | service-port IP_address netmask | virtual IP_address | dynamic-interface IP_address dynamic_interface netmask gateway | redundancy-management IP_address peer-redundancy-management IP_address}

Syntax Description

ap-manager                    Specifies the access point manager interface.
IP_address                    IP address (IPv4 only).
netmask                       Network mask.
gateway                       IP address of the gateway.
management                    Specifies the management interface.
service-port                  Specifies the out-of-band service port interface.
virtual                       Specifies the virtual gateway interface.
interface-name                Specifies the interface identified by the interface-name parameter.
interface-name                Interface name.
redundancy-management         Configures redundancy management interface IP address.
peer-redundancy-management    Configures the peer redundancy management interface IP address.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

For Cisco 5500 Series Controllers, you are not required to configure an AP-manager interface. The management interface acts like an AP-manager interface by default.

This command is applicable for IPv4 addresses only.

Ensure that the management interfaces of both controllers are in the same subnet. Ensure that the Redundant Management IP address for both controllers is the same. Likewise, ensure that the Peer Redundant Management IP address for both the controllers is the same.

Examples

The following example shows how to configure an access point manager interface with IP address 209.165.201.31, network mask 255.255.0.0, and gateway address 209.165.201.30:

(Cisco Controller) > config interface address ap-manager 209.165.201.31 255.255.0.0 209.165.201.30

The following example shows how to configure a redundancy management interface on the controller:

(Cisco Controller) > config interface address redundancy-management 209.4.120.5 peer-redundancy-management 209.4.120.6

The following example shows how to configure a virtual interface:

(Cisco Controller) > config interface address virtual 1.1.1.1

Related Commands

show interface

config interface address redundancy-management config interface address redundancy-management

To configure the management interface IP address, subnet and gateway of the controller, use the config interface address redundancy-management command.

config interface address redundancy-management IP_address netmask gateway

Syntax Description

IP_address   Management interface IP address of the active controller.
netmask      Network mask.
gateway      IP address of the gateway.

Command Default

None

Command History

Release   Modification
7.6       This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

You can use this command to check the Active-Standby reachability when the keep-alive fails.

Examples

The following example shows how to configure the management IP addresses of the controller:

(Cisco Controller) > config interface address redundancy-management 209.165.201.31 255.255.0.0 209.165.201.30

Related Commands

config redundancy mobilitymac
config redundancy interface address peer-service-port
config redundancy peer-route
config redundancy unit
config redundancy timer
show redundancy timers
show redundancy summary
debug rmgr
debug rsyncmgr

config interface ap-manager

To enable or disable access point manager features on the management or dynamic interface, use the config interface ap-manager command.

config interface ap-manager {management | interface_name} {enable | disable}

Syntax Description

management       Specifies the management interface.
interface_name   Dynamic interface name.
enable           Enables access point manager features on a dynamic interface.
disable          Disables access point manager features on a dynamic interface.

Command Default

None

Command History

Release   Modification
7.6       This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

Use the management option to enable or disable dynamic AP management for the management interface.

For Cisco 5500 Series Controllers, the management interface acts like an AP-manager interface by default.

If desired, you can disable the management interface as an AP-manager interface and create another dynamic interface as an AP manager.

When you enable this feature for a dynamic interface, the dynamic interface is configured as an AP-manager interface (only one AP-manager interface is allowed per physical port). A dynamic interface that is marked as an AP-manager interface cannot be used as a WLAN interface.

Examples

The following example shows how to disable an access point manager myinterface:

(Cisco Controller) > config interface ap-manager myinterface disable

config interface create

To create a dynamic interface (VLAN) for wired guest user access, use the config interface create command.

config interface create interface_name vlan-id

Syntax Description

interface_name   Interface name.
vlan-id          VLAN identifier.

Command Default

None

Command History

Release   Modification
7.6       This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to create a dynamic interface with the interface named lab2 and VLAN ID 6:

(Cisco Controller) > config interface create lab2 6

config interface delete

To delete a dynamic interface, use the config interface delete command.

config interface delete interface-name

Syntax Description

interface-name   Interface name.

Command Default

None

Command History

Release   Modification
7.6       This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to delete a dynamic interface named VLAN501:

(Cisco Controller) > config interface delete VLAN501

config interface dhcp management

To configure DHCP options on a management interface, use the config interface dhcp management command.

config interface dhcp management {option-82 {bridge-mode-insertion {enable | disable} | enable | disable | linksel {enable | disable | relaysrc interface-name} | vpnsel {enable | disable | vpnid vpn-id | vrfname vrf-name}} | primary primary-dhcp_server [ secondary secondary-dhcp_server ] | proxy-mode {enable | disable | global} }

Syntax Description

option-82               Configures DHCP Option 82 on the interface.
bridge-mode-insertion   Configures DHCP option 82 insertion in bridge mode.
disable                 Disables the feature.
enable                  Enables the feature.
linksel                 Configures link select suboption 5 on a dynamic or management interface.
relaysrc                Configures Link select suboption 5 on relay source.
interface-name          Name of an existing WLC interface reachable from the DHCP server.
vpnid                   Configures VPN select suboption 151 VPN Id.
vpn-id                  VPN Id in oui:vpn-index format xxxxxx:xxxxxxxx.
vrfname                 Configures VPN select suboption 151 VRF name.
vrf-name                VRF name as string of length 7.
primary                 Specifies the primary DHCP server.
primary-dhcp-server     IP address of the server.
secondary               (Optional) Specifies the secondary DHCP server.
secondary-dhcp-server   IP address of the server.
proxy-mode              Configures the DHCP proxy mode on the interface.
global                  Uses the global DHCP proxy mode on the interface.
disable                 (Optional) Disables the DHCP proxy mode on the interface.
global                  (Optional) Uses the global DHCP proxy mode on the interface.

Command Default

None

Command History

Release   Modification
7.6       This command was introduced in a release earlier than Release 7.6.
8.0       The new keywords linksel and vpnsel are added. This command supports IPv6 from this release.

Usage Guidelines

DHCP proxy is not supported for IPv6 and it works in disabled mode.

Examples

The following example shows how to configure option 82 on a management interface.

(Cisco Controller) > config interface dhcp management option-82 enable

Related Commands

config dhcp
config dhcp proxy
config interface dhcp
config wlan dhcp_server
debug dhcp
debug dhcp service-port
debug disable-all
show dhcp
show dhcp proxy
show interface
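What the linksel and vpnsel keywords put on the wire can be verified on the DHCP-server side by decoding the Relay Agent Information option. The following is an added example, not part of the Cisco documentation: it parses an Option 82 payload and decodes link-selection suboption 5 (RFC 3527) and VPN-select suboption 151 (RFC 6607). The function names, the sample bytes, and the assumption that a vrfname is carried as an ASCII (type 0) identifier are illustrative.

```python
"""Decode DHCP Option 82 (Relay Agent Information) suboptions 5 and 151."""
import ipaddress

LINK_SELECTION = 5      # RFC 3527: 4-byte IPv4 subnet address
VSS = 151               # RFC 6607: 1-byte VSS type followed by VSS information
VSS_TYPE_NVT_NAME = 0   # ASCII VPN/VRF name (assumed encoding for vrfname)
VSS_TYPE_VPN_ID = 1     # RFC 2685 VPN-ID: 3-byte OUI + 4-byte VPN index
VSS_TYPE_GLOBAL = 255   # global (default) VPN, carries no VSS information


class Option82Error(ValueError):
    """The option payload is truncated or a suboption is malformed."""


def split_suboptions(payload):
    """Return [(code, value), ...] for the TLV suboptions in an Option 82 payload."""
    found, pos = [], 0
    while pos < len(payload):
        if pos + 2 > len(payload):
            raise Option82Error(f"dangling suboption header at offset {pos}")
        code, length = payload[pos], payload[pos + 1]
        value = payload[pos + 2:pos + 2 + length]
        if len(value) != length:
            raise Option82Error(
                f"suboption {code} claims {length} bytes, {len(value)} present")
        found.append((code, value))
        pos += 2 + length
    return found


def decode_vss(value):
    """Decode suboption 151 into {'type': ..., 'value': ...}."""
    if not value:
        raise Option82Error("empty VSS suboption")
    vss_type, info = value[0], value[1:]
    if vss_type == VSS_TYPE_VPN_ID:
        if len(info) != 7:
            raise Option82Error(f"VPN-ID needs 7 bytes, got {len(info)}")
        # Same oui:vpn-index rendering the CLI takes (xxxxxx:xxxxxxxx).
        return {"type": "vpn-id", "value": f"{info[:3].hex()}:{info[3:].hex()}"}
    if vss_type == VSS_TYPE_NVT_NAME:
        try:
            return {"type": "vrf-name", "value": info.decode("ascii")}
        except UnicodeDecodeError as exc:
            raise Option82Error("VRF name is not ASCII") from exc
    if vss_type == VSS_TYPE_GLOBAL:
        return {"type": "global", "value": None}
    raise Option82Error(f"unassigned VSS type {vss_type}")


def parse_option82(payload):
    """Decode link selection and VPN select; keep other suboptions raw."""
    result = {"link_selection": None, "vss": None, "other": []}
    for code, value in split_suboptions(payload):
        if code == LINK_SELECTION:
            if len(value) != 4:
                raise Option82Error("link selection must be a 4-byte IPv4 address")
            result["link_selection"] = str(ipaddress.IPv4Address(value))
        elif code == VSS:
            result["vss"] = decode_vss(value)
        else:
            result["other"].append((code, value))
    return result


# Constructed sample payloads (not captured traffic).
SAMPLE_VPNID = (
    bytes([1, 4]) + b"ap01"                                   # suboption 1, circuit ID
    + bytes([5, 4, 10, 10, 20, 0])                            # suboption 5, 10.10.20.0
    + bytes([151, 8, 1, 0x00, 0x00, 0x0C, 0, 0, 0, 0x2A])     # suboption 151, VPN-ID
)
SAMPLE_VRF = bytes([151, 8, 0]) + b"guestvr"                  # 7-character VRF name

if __name__ == "__main__":
    print(parse_option82(SAMPLE_VPNID))
    print(parse_option82(SAMPLE_VRF))
```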

config interface dhcp

Configure DHCP Option 82 insertion in Bridge mode on either management interface or dynamic interface by entering the config interface dhcp command:

config interface dhcp {management | dynamic-interface dynamic-interface-name} option-82 bridge-mode-insertion {enable | disable}

Syntax Description

management               Management interface
dynamic-interface        Dynamic interface
dynamic-interface-name   Dynamic interface name
option-82                DHCP Option 82 on the interface
bridge-mode-insertion    To configure Bridge mode insertion

Command Default

DHCP option 82 insertion in Bridge mode is disabled.

Command History

Release   Modification
8.0       The Bridge mode insertion parameter was introduced in this release.

config interface dhcp dynamic-interface

To configure the DHCP option 6 override on the interface to use OpenDNS server IPs or not, use the config interface dhcp dynamic-interface command.

config interface dhcp dynamic-interface intf-name option-6-opendns {enable | disable}

Syntax Description

intf-name   Interface name.
enable      Enables the DHCP option 6 override on the interface with OpenDNS IP address as default.
disable     Disables the DHCP option 6 override on the interface; the DHCP-provided DNS IPs will be used.

Command Default

None

Command Modes

Controller Config >

Command History

Release   Modification
8.4       This command was introduced.

Usage Guidelines

None

Examples

The following example shows how to configure the DHCP option 6 override on the interface to use OpenDNS server IPs:

(Cisco Controller) > config interface dhcp management option-6-opendns enable

config interface dhcp management option-6-opendns

To configure the DHCP Option 6 override on the interface in order to use OpenDNS server IPs, use the config interface dhcp management option-6-opendns command.

config interface dhcp management option-6-opendns {enable | disable}

Syntax Description

enable    Enables the DHCP Option 6 override on the interface, with the OpenDNS IP address as the default.
disable   Disables the DHCP Option 6 override on the interface, and uses the DHCP-provided DNS IPs.

Command Default

DHCP Option 6 override is not enabled.

Command Modes

(Controller Configuration) >

Command History

Release   Modification
8.4       This command was introduced.

Examples

The following example shows how to configure the DHCP Option 6 override on the interface in order to use OpenDNS server IPs:

(Cisco Controller) > config interface dhcp management option-6-opendns enable

config interface address

To configure interface addresses, use the config interface address command.

config interface address {dynamic-interface dynamic_interface netmask gateway | management | redundancy-management IP_address peer-redundancy-management | service-port netmask | virtual} IP_address

Syntax Description

dynamic-interface            Configures the dynamic interface of the controller.
dynamic_interface            Dynamic interface of the controller.
IP_address                   IP address of the interface.
netmask                      Netmask of the interface.
gateway                      Gateway of the interface.
management                   Configures the management interface IP address.
redundancy-management        Configures redundancy management interface IP address.
peer-redundancy-management   Configures the peer redundancy management interface IP address.
service-port                 Configures the out-of-band service port.
virtual                      Configures the virtual gateway interface.

Command Default

None

Command History

Release   Modification
7.6       This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

Ensure that the management interfaces of both controllers are in the same subnet. Ensure that the redundant management IP address for both controllers is the same and that the peer redundant management IP address for both the controllers is the same.


Examples

The following example shows how to configure a redundancy management interface on the controller:

(Cisco Controller) > config interface address redundancy-management 209.4.120.5 peer-redundancy-management 209.4.120.6

The following example shows how to configure a virtual interface:

(Cisco Controller) > config interface address virtual 1.1.1.1

Related Commands

show interface group summary
show interface summary

config interface guest-lan

To enable or disable the guest LAN VLAN, use the config interface guest-lan command.

config interface guest-lan interface_name {enable | disable}

Syntax Description

interface_name   Interface name.
enable           Enables the guest LAN.
disable          Disables the guest LAN.

Command Default

None

Command History

Release   Modification
7.6       This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable the guest LAN feature on the interface named myinterface:

(Cisco Controller) > config interface guest-lan myinterface enable

Related Commands

config guest-lan create

config interface hostname

To configure the Domain Name System (DNS) hostname of the virtual gateway interface, use the config interface hostname command.

config interface hostname virtual DNS_host

Syntax Description

virtual    Specifies the virtual gateway interface to use the specified virtual address of the fully qualified DNS name. The virtual gateway IP address is any fictitious, unassigned IP address, such as 1.1.1.1, to be used by Layer 3 security and mobility managers.
DNS_host   DNS hostname.

Command Default

None

Command History

Release   Modification
7.6       This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the virtual gateway interface to use the specified virtual address of the fully qualified DNS hostname DNS_Host:

(Cisco Controller) > config interface hostname virtual DNS_Host

config interface nasid

To configure the Network Access Server identifier (NAS-ID) for the interface, use the config interface nasid command.

config interface nasid {NAS-ID | none} interface_name

Syntax Description

NAS-ID           Network Access Server identifier (NAS-ID) for the interface. The NAS-ID is sent to the RADIUS server by the controller (as a RADIUS client) using the authentication request, which is used to classify users to different groups. You can enter up to 32 alphanumeric characters. Beginning in Release 7.4 and later releases, you can configure the NAS-ID on the interface, WLAN, or an access point group. The order of priority is AP group NAS-ID > WLAN NAS-ID > Interface NAS-ID.
none             Configures the controller system name as the NAS-ID.
interface_name   Interface name up to 32 alphanumeric characters.

Command Default

None

Command History

Release   Modification
7.6       This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

The NAS-ID configured on the controller for AP group or WLAN or interface is used for authentication. The NAS-ID is not propagated across controllers.

Examples

The following example shows how to configure the NAS-ID for the interface:

(Cisco Controller) > config interface nasid

Related Commands

config wlan nasid
config wlan apgroup

config interface nat-address

To deploy your Cisco 5500 Series Controller behind a router or other gateway device that is using one-to-one mapping network address translation (NAT), use the config interface nat-address command.

config interface nat-address {management | dynamic-interface interface_name} {{enable | disable} | {set public_IP_address}}

Syntax Description

management                         Specifies the management interface.
dynamic-interface interface_name   Specifies the dynamic interface name.
enable                             Enables one-to-one mapping NAT on the interface.
disable                            Disables one-to-one mapping NAT on the interface.
public_IP_address                  External NAT IP address.

Command Default

None

Command History

Release   Modification
7.6       This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

These NAT commands can be used only on Cisco 5500 Series Controllers and only if the management interface is configured for dynamic AP management.

These commands are supported for use only with one-to-one-mapping NAT, where each private client has a direct and fixed mapping to a global address. They do not support one-to-many NAT, which uses source port mapping to enable a group of clients to be represented by a single IP address.

Examples

The following example shows how to enable one-to-one mapping NAT on the management interface:

(Cisco Controller) > config interface nat-address management enable

The following example shows how to set the external NAT IP address 10.10.10.10 on the management interface:

(Cisco Controller) > config interface nat-address management set 10.10.10.10

config interface port

To map a physical port to the interface (if a link aggregation trunk is not configured), use the config interface port command.

config interface port {management | interface_name | redundancy-management} primary_port [secondary_port]

Syntax Description

management              Specifies the management interface.
interface_name          Interface name.
redundancy-management   Specifies the redundancy management interface.
primary_port            Primary physical port number.
secondary_port          (Optional) Secondary physical port number.

Command Default

None

Command History

Release   Modification
7.6       This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

You can use the management option for all controllers except the Cisco 5500 Series Controllers.

Examples

The following example shows how to configure the primary port number of the lab02 interface to 3:

(Cisco Controller) > config interface port lab02 3

config interface quarantine vlan

To configure a quarantine VLAN on any dynamic interface, use the config interface quarantine vlan command.

config interface quarantine vlan interface-name vlan_id

Syntax Description

interface-name   Interface’s name.
vlan_id          VLAN identifier.
                 Note: Enter 0 to disable quarantine processing.

Command Default

None

Command History

Release   Modification
7.6       This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure a quarantine VLAN on the quarantine interface with the VLAN ID 10:

(Cisco Controller) > config interface quarantine vlan quarantine 10

config interface url-acl

To configure an interface's URL Access Control List, use the config interface url-acl command.

config interface url-acl {management | interface_name} {acl-name | none}

Syntax Description

management       Configures the management interface.
interface_name   Interface name.
acl-name         ACL name up to 32 alphanumeric characters.
none             Disables the ACL configured on the interface.

Command Default

None

Command History

Release   Modification
8.3       This command was introduced.

Examples

This example shows how to configure an interface's URL ACL:

(Cisco Controller) > config interface url-acl management test

config interface vlan

To configure an interface VLAN identifier, use the config interface vlan command.

config interface vlan {ap-manager | management | interface-name | redundancy-management} vlan

Syntax Description

ap-manager              Configures the access point manager interface.
management              Configures the management interface.
interface_name          Interface name.
vlan                    VLAN identifier.
redundancy-management   Specifies the redundancy management interface.

Command Default

None

Command History

Release   Modification
7.6       This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

You cannot change the redundancy management VLAN when the system redundancy management interface is mapped to the redundancy port. You must configure the redundancy management port first.

Examples

The following example shows how to configure VLAN ID 10 on the management interface:

(Cisco Controller) > config interface vlan management 10

config interface group mdns-profile

To configure an mDNS (multicast DNS) profile for an interface group, use the config interface group mdns-profile command.

config interface group mdns-profile {all | interface-group-name} {profile-name | none}

Syntax Description

all                    Configures an mDNS profile for all interface groups.
interface-group-name   Name of the interface group to which the mDNS profile has to be associated. The interface group name can be up to 32 case-sensitive, alphanumeric characters.
profile-name           Name of the mDNS profile.
none                   Removes all existing mDNS profiles from the interface group. You cannot configure mDNS profiles on the interface group.

Command Default

None

Command History

Release   Modification
7.6       This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

If the mDNS profile is associated to a WLAN, an error appears.

Examples

The following example shows how to configure an mDNS profile for an interface group floor1:

(Cisco Controller) > config interface group mdns-profile floor1 profile1

Related Commands

config mdns query interval
config mdns service
config mdns snooping
config interface mdns-profile
config mdns profile
config wlan mdns
show mdns profile
show mdns service
clear mdns service-database
debug mdns all
debug mdns error
debug mdns detail
debug mdns message

config interface mdns-profile

To configure an mDNS (multicast DNS) profile for an interface, use the config interface mdns-profile command.

config interface mdns-profile {management | all | interface-name} {profile-name | none}

Syntax Description

management       Configures an mDNS profile for the management interface.
all              Configures an mDNS profile for all interfaces.
interface-name   Name of the interface on which the mDNS profile has to be configured. The interface name can be up to 32 case-sensitive, alphanumeric characters.
profile-name     Name of the mDNS profile.
none             Removes all existing mDNS profiles from the interface. You cannot configure mDNS profiles on the interface.

Command Default

None

Command History

Release   Modification
7.6       This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

If the mDNS profile is associated to a WLAN, an error appears.

Examples

The following example shows how to configure an mDNS profile for an interface lab1:

(Cisco Controller) > config interface mdns-profile lab1 profile1

Related Commands

config mdns query interval
config mdns service
config mdns snooping
config mdns profile
config interface group mdns-profile
config wlan mdns
show mdns profile
show mdns service
clear mdns service-database
debug mdns all
debug mdns error
debug mdns detail
debug mdns message

config icons delete

To delete an icon or icons from flash, use the config icons delete command in the WLAN configuration mode.

config icons delete {filename | all}

Syntax Description

filename   Name of the icon to be deleted.
all        Deletes all the icon files from the system.

Command Default

None

Command Modes

WLAN configuration

Command History

Release       Modification
Release 8.2   This command was introduced.

Examples

The following example shows how to delete an icon from flash:

Cisco Controller > config icons delete image-1

config icons file-info

To configure an icon parameter, use the config icons file-info command in WLAN configuration mode.

config icons file-info filename file-type lang-code width height

Syntax Description

filename    Icon filename. It can be up to 32 characters long.
file-type   Icon filename type or extension. It can be up to 32 characters long.
lang-code   Language code of the icon. Enter 2 or 3 letters from ISO-639, for example: eng for English.
width       Icon width. The range is from 1 to 65535.
height      Icon height. The range is from 1 to 65535.

Command Default

None

Command Modes

WLAN configuration

Command History

Release       Modification
Release 8.2   This command was introduced.

Examples

This example shows how to configure icon parameters:

Cisco Controller > config icons file-info ima png eng 300 200

config ipv6 disable

To disable IPv6 globally on the Cisco WLC, use the config ipv6 disable command.

config ipv6 disable

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release   Modification
7.6       This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

When you use this command, the controller drops all IPv6 packets and the clients will not receive any IPv6 address.

Examples

The following example shows how to disable IPv6 on the controller:

(Cisco Controller) > config ipv6 disable

config ipv6 enable

To enable IPv6 globally on the Cisco WLC, use the config ipv6 enable command.

config ipv6 enable

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release   Modification
7.6       This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable IPv6 on the Cisco WLC:

(Cisco Controller) > config ipv6 enable

config ipv6 acl

To create or delete an IPv6 ACL on the Cisco wireless LAN controller, apply ACL to data path, and configure rules in the IPv6 ACL, use the config ipv6 acl command.

config ipv6 acl [apply | cpu | create | delete | rule]

config ipv6 acl apply name

config ipv6 acl cpu {name | none}

config ipv6 acl create name

config ipv6 acl delete name

config ipv6 acl rule [action | add | change | delete | destination | direction | dscp | protocol | source | swap]

config ipv6 acl rule action name index {permit | deny}

config ipv6 acl rule add name index

config ipv6 acl rule change index name old_index new_index

config ipv6 acl rule delete name index

config ipv6 acl rule destination {address name index ip_address prefix-len | port range name index }

config ipv6 acl rule direction name index {in | out | any}

config ipv6 acl rule dscp name dscp

config ipv6 acl rule protocol name index protocol

config ipv6 acl rule source {address name index ip_address prefix-len | port range name index start_port end_port}

config ipv6 acl rule swap index name index_1 index_2

Syntax Description

apply name                                          Applies an IPv6 ACL. An IPv6 ACL can contain up to 32 alphanumeric characters.
cpu name                                            Applies the IPv6 ACL to the CPU.
cpu none                                            Configure none if you do not want to have an IPv6 ACL.
create                                              Creates an IPv6 ACL.
delete                                              Deletes an IPv6 ACL.
rule (action) (name) (index)                        Configures rules in the IPv6 ACL to either permit or deny access. The IPv6 ACL name can contain up to 32 alphanumeric characters and the IPv6 ACL rule index can be between 1 and 32.
{permit|deny}                                       Permit or deny the IPv6 rule action.
add name index                                      Adds a new rule and rule index.
change name old_index new_index                     Changes a rule’s index.
delete name index                                   Deletes a rule and rule index.
destination address name index ip_addr prefix-len   Configures a rule’s destination IP address and prefix length (between 0 and 128).
destination port name index                         Configures a rule's destination port range. Enter the IPv6 ACL name and set a rule index for it.
direction name index {in|out|any}                   Configures a rule’s direction to in, out, or any.
dscp name index dscp                                Configures a rule’s DSCP. For rule index of DSCP, select a number between 0 and 63, or any.
protocol name index protocol                        Configures a rule’s protocol. Enter a name and set an index between 0 and 255 or any.
source address name index ip_address prefix-len     Configures a rule’s source IP address and netmask.
source port range name index start_port end_port    Configures a rule’s source port range.
swap index name index_1 index_2                     Swaps two rules’ indices.

Command Default

After adding an ACL, the config ipv6 acl cpu is by default configured as enabled.

Command History

Release   Modification
7.6       This command was introduced in a release earlier than Release 7.6.
8.0       This command was updated by adding cpu and none keywords and the ipv6_acl_name variable.

Usage Guidelines

For a Cisco 2100 Series Wireless LAN Controller, you must configure a preauthentication ACL on the wireless LAN for the external web server. This ACL should then be set as a wireless LAN preauthentication ACL under Web Policy. However, you do not need to configure any preauthentication ACL for Cisco 4400 Series Wireless LAN Controllers.

Examples

The following example shows how to configure an IPv6 ACL to permit access:

(Cisco Controller) > config ipv6 acl rule action lab1 4 permit


Examples

The following example shows how to configure an interface ACL:

(Cisco Controller) > config ipv6 interface acl management IPv6-Acl

Related Commands

show ipv6 acl detailed
show ipv6 acl cpu

config ipv6 capwap

To enable or disable an IPv6 CAPWAP UDPLite for CAPWAP AP on the Cisco Wireless LAN Controller, use the config ipv6 capwap command.

config ipv6 capwap udplite {enable|disable} [all|<Cisco AP>]

Syntax Description

udplite      Configure IPv6 for CAPWAP UDP Lite.
enable       Enables IPv6 CAPWAP UDP Lite.
disable      Disables IPv6 CAPWAP UDP Lite.
all          Enables or disables IPv6 CAPWAP UDP Lite on all Cisco APs.
<Cisco AP>   Enables or disables IPv6 CAPWAP UDP Lite on the user defined Cisco AP.

Command Default

The config ipv6 capwap udplite command is by default configured as enabled.

Command History

Release   Modification
8.0       This command was introduced in Release 8.0.

Usage Guidelines

• IPv6 CAPWAP UDP Lite configuration applies only to APs that are connected to the controller using an IPv6 tunnel.

• For APs connected to the WLC using an IPv4 tunnel, the IPv6 CAPWAP UDP Lite command does not apply, either in the global configuration or per AP.

• IPv6 mandates a complete payload checksum for UDP, which has performance implications. To minimize the impact, UDP Lite (which mandates only a header checksum) is used for data traffic and UDP for control traffic.

• Using UDP Lite has an impact on firewalls. Any intermediate firewall must be configured to allow UDP Lite protocol (protocol ID of 136) packets.

• Turning off UDP Lite will cause performance issues on packet handling.

• Changing from UDP to UDP Lite or vice versa forces the AP to disjoin and rejoin.
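The difference between the full UDP checksum and the header-only UDP Lite checksum described in the guidelines above can be seen by computing both over the IPv6 pseudo-header. The following is an added example, not part of the Cisco documentation: it builds one datagram per protocol, flips a payload bit, and reports which receiver-side check notices. The addresses, payload, function names and the use of port 5247 (the CAPWAP data port in RFC 5415) are assumptions for illustration; the checksum rules follow RFC 8200 and RFC 3828.

```python
"""UDP vs UDP-Lite checksum coverage over IPv6 (constructed data)."""
import ipaddress
import struct

PROTO_UDP = 17
PROTO_UDPLITE = 136   # the protocol ID an intermediate firewall has to permit


def ones_complement_sum(data):
    """16-bit one's-complement sum of data, zero-padded to an even length."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def pseudo_header(src, dst, upper_len, next_header):
    """IPv6 pseudo-header: both addresses, upper-layer length, next header."""
    return (ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
            + struct.pack("!I3xB", upper_len, next_header))


def build_datagram(src, dst, sport, dport, payload, proto, coverage=8):
    """Return header + payload with the checksum filled in.

    UDP: third header field is the length; the checksum covers everything.
    UDP-Lite: third field is the checksum coverage (8 = header only, 0 = all).
    """
    total_len = 8 + len(payload)
    if proto == PROTO_UDP:
        third, covered = total_len, total_len
    else:
        if coverage != 0 and not 8 <= coverage <= total_len:
            raise ValueError("UDP-Lite coverage must be 0 or 8..datagram length")
        third, covered = coverage, (coverage or total_len)
    unsummed = struct.pack("!HHHH", sport, dport, third, 0) + payload
    csum = 0xFFFF ^ ones_complement_sum(
        pseudo_header(src, dst, total_len, proto) + unsummed[:covered])
    csum = csum or 0xFFFF   # an all-zero checksum is never transmitted over IPv6
    return unsummed[:6] + struct.pack("!H", csum) + payload


def verify(src, dst, datagram, proto):
    """Receiver-side check: True if the covered bytes still sum to 0xFFFF."""
    third = struct.unpack("!H", datagram[4:6])[0]
    if proto == PROTO_UDP:
        covered = len(datagram)
        if third != covered:
            return False
    else:
        covered = third or len(datagram)
        if covered < 8 or covered > len(datagram):
            return False
    return ones_complement_sum(
        pseudo_header(src, dst, len(datagram), proto) + datagram[:covered]) == 0xFFFF


def corruption_demo():
    """Flip one payload bit in transit; return (intact_ok, damaged_ok) per protocol."""
    src, dst = "2001:db8::10", "2001:db8::20"      # documentation prefix, constructed
    payload = b"constructed CAPWAP data payload"
    results = {}
    for name, proto in (("udp", PROTO_UDP), ("udplite", PROTO_UDPLITE)):
        sent = build_datagram(src, dst, 5247, 5247, payload, proto)
        damaged = bytearray(sent)
        damaged[-1] ^= 0x01                         # bit error outside the 8-byte header
        results[name] = (verify(src, dst, sent, proto),
                         verify(src, dst, bytes(damaged), proto))
    return results


if __name__ == "__main__":
    for name, (intact_ok, damaged_ok) in corruption_demo().items():
        print(f"{name:8s} intact accepted={intact_ok} damaged accepted={damaged_ok}")
```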


Examples

The following example shows how to configure an IPv6 CAPWAP UDP Lite on All Cisco APs or on a particular Cisco AP:

(Cisco Controller) > config ipv6 capwap udplite enable all

Changing AP's IPv6 Capwap UDP Lite mode will cause the AP to rejoin.

Are you sure you want to continue? (y/n)

config ipv6 interface

To configure IPv6 system interfaces, use the config ipv6 interfacecommand.

config ipv6 interface {acl|address|slaac}

config ipv6 interface acl management acl_name

config ipv6 interface address {management primary ipv6_address prefix_length ipv6_gateway_address

|service-port ipv6_address prefix-length}

config ipv6 interface slacc service-port [enable|disable]

Syntax Description acl management

acl_name

address management primary

ipv6_address prefix_length ipv6_gateway_address

service-port

ipv6_address prefix_length

slacc service-port enable disable

Configures IPv6 on an interface's Access Control List.

Configures the management interface.

Enter IPv6 ACL name for the management ACL. It supports up to 32 alphanumeric characters.

Configures IPv6 on an interface's address information.

Configures the management interface.

Configures the primary IPv6 Address for an interface

Configures an interface with IPv6 address information.

Configures IPv6 Prefix length. The range for prefix length is

1 to 127.

Configures the Link Layer IPv6 gateway Address.

Configures IPv6 on the out-of-band service Port.

Configures an interface with IPv6 address information.

Configures IPv6 Prefix length. The range for prefix length is

1 to 127.

Configures SLAAC options on an interface.

Configures IPv6 on the out-of-band service Port.

Enables SLAAC Option

Disables SLAAC Option


Command Default

None.

Command History

Release    Modification
8.0        This command was introduced in Release 8.0.

Examples

The following example shows how to configure an IPv6 ACL on the management interface:

(Cisco Controller) > config ipv6 interface acl management Test_ACL

The following example shows how to configure a primary IPv6 address on the management interface:

(Cisco Controller) > config ipv6 interface address management primary 2001:9:10:56::44 64 fe80::aea0:16ff:fe4f:2244

Related Commands

show interface detailed management
show ipv6 interface summary


config ipv6 multicast

To configure IPv6 multicast, use the config ipv6 multicast command.

config ipv6 multicast mode {unicast | multicast ipv6_address}

Syntax Description

mode            Configures the controller-to-AP multicast or broadcast IPv6 traffic forwarding mode.
unicast         Multicast and broadcast IPv6 packets are encapsulated in a unicast CAPWAP tunnel to the AP.
multicast       Multicast and broadcast IPv6 packets are encapsulated in a multicast CAPWAP tunnel to the AP.
ipv6_address    Configures the IPv6 multicast address.

Command Default

• By default, multicast is enabled on Cisco WLC 8500 and Cisco WLC 2500.

• By default, unicast is enabled on Cisco WLC 5500.

Command History

Release    Modification
8.0        This command was introduced in Release 8.0.

Usage Guidelines

None.

Examples

The following example shows how to configure IPv6 multicast on the Cisco WLC, to permit access:

(Cisco Controller) > config ipv6 multicast mode multicast 2001:DB8:0000:0000:0000:0000:0000:0001

The following example shows how to configure IPv6 unicast on the Cisco WLC, to permit access:

(Cisco Controller) > config ipv6 multicast mode unicast

Related Commands

show network summary


config ipv6 neighbor-binding

To configure the Neighbor Binding table on the Cisco wireless LAN controller, use the config ipv6 neighbor-binding command.

config ipv6 neighbor-binding {timers {down-lifetime down_time | reachable-lifetime reachable_time | stale-lifetime stale_time} | {ra-throttle {allow at-least at_least_value} | enable | disable | interval-option {ignore | passthrough | throttle} | max-through {no_mcast_RA | no-limit} | throttle-period throttle_period}}

Syntax Description

timers                Configures the neighbor binding table timeout timers.
down-lifetime         Configures the down lifetime.
down_time             Down lifetime in seconds. The range is from 0 to 86400. The default is 30 seconds.
reachable-lifetime    Configures the reachable lifetime.
reachable_time        Reachable lifetime in seconds. The range is from 0 to 86400. The default is 300 seconds.
stale-lifetime        Configures the stale lifetime.
stale_time            Stale lifetime in seconds. The range is from 0 to 86400. The default is 86400 seconds.
ra-throttle           Configures IPv6 RA throttling options.
allow                 Specifies the number of multicast RAs per router per throttle period.
at_least_value        Number of multicast RAs from router before throttling. The range is from 0 to 32. The default is 1.
enable                Enables IPv6 RA throttling.
disable               Disables IPv6 RA throttling.
interval-option       Adjusts the behavior on RA with RFC3775 interval option.
ignore                Indicates interval option has no influence on throttling.
passthrough           Indicates all RAs with RFC3775 interval option will be forwarded (default).
throttle              Indicates all RAs with RFC3775 interval option will be throttled.
max-through           Specifies unthrottled multicast RAs per VLAN per throttle period.
no_mcast_RA           Number of multicast RAs on VLAN by which throttling is enforced. The default multicast RAs on VLAN is 10.
no-limit              Configures no upper bound at the VLAN level.
throttle-period       Configures the throttle period.
throttle_period       Duration of the throttle period in seconds. The range is from 10 to 86400 seconds. The default is 600 seconds.

Command Default

This command is disabled by default.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the Neighbor Binding table:

(Cisco Controller) > config ipv6 neighbor-binding ra-throttle enable

Related Commands

show ipv6 neighbor-binding


config ipv6 ns-mcast-fwd

To configure the nonstop multicast cache miss forwarding, use the config ipv6 ns-mcast-fwd command.

config ipv6 ns-mcast-fwd {enable | disable}

Syntax Description

enable     Enables nonstop multicast forwarding on a cache miss.
disable    Disables nonstop multicast forwarding on a cache miss.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable nonstop multicast forwarding:

(Cisco Controller) > config ipv6 ns-mcast-fwd enable


config ipv6 ra-guard

To configure the filter for Router Advertisement (RA) packets that originate from a client on an AP, use the config ipv6 ra-guard command.

config ipv6 ra-guard ap {enable | disable}

Syntax Description

enable     Enables RA guard on an AP.
disable    Disables RA guard on an AP.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable IPv6 RA guard:

(Cisco Controller) > config ipv6 ra-guard ap enable

Related Commands

show ipv6 ra-guard


config ipv6 route

To add or delete an IPv6 network route, use the config ipv6 route command.

config ipv6 route {add network_ipv6_addr prefix-len ipv6_gw_addr | delete network_ipv6_addr}

Syntax Description

add                  Adds an IPv6 network route.
network_ipv6_addr    Enter the network's IPv6 address.
prefix-len           Enter the prefix length for the network.
ipv6_gw_addr         Configures the system interfaces.
delete               Deletes an IPv6 network route.
network_ipv6_addr    Enter the network's IPv6 address.

Command Default

None

Command History

Release    Modification
8.0        This command was introduced in Release 8.0.

Usage Guidelines

• Use this command to add or delete an IPv6 network route to access the service interface over IPv6 from a different network.

• When adding an IPv6 route, the IPv6 gateway address must be of link-local scope (FE80::/64).

Examples

The following example shows how to add an IPv6 route:

(Cisco Controller) > config ipv6 route add 3010:1111:2222:abcd:abcd:abcd:abcd:1111 64 fe80::6616:8dff:fed3:c0cf

The following example shows how to delete an IPv6 route:

(Cisco Controller) > config ipv6 route delete 2001:9:5:90::115

Related Commands

show ipv6 route summary
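The two constraints stated above (a link-local gateway for config ipv6 route add, and a prefix length of 1 to 127 for config ipv6 interface address) can be checked before a command is pasted into the controller. The following Python pre-flight check is an added example, not part of the Cisco reference; the function name and the 0 to 128 bound used for route prefixes are assumptions made here.

```python
import ipaddress

# Link-local scope exactly as the usage guideline states it (FE80::/64).
LINK_LOCAL = ipaddress.IPv6Network("fe80::/64")
# Prefix-length range the page gives for "config ipv6 interface address".
INTERFACE_PREFIX_RANGE = range(1, 128)
# Assumption: the page states no range for the route prefix-len, so only
# IPv6 validity (0 to 128) is enforced for "config ipv6 route add".
ROUTE_PREFIX_RANGE = range(0, 129)

ROUTE_ADD = ["config", "ipv6", "route", "add"]
MGMT_PRIMARY = ["config", "ipv6", "interface", "address", "management", "primary"]


def _parse_ipv6(text):
    """Return an IPv6Address, or None when the text is not a valid address."""
    try:
        return ipaddress.IPv6Address(text)
    except ValueError:
        return None


def check_ipv6_command(line):
    """Return a list of problems found in one command line (empty if none).

    Hypothetical helper for this example. Handles 'config ipv6 route add' and
    'config ipv6 interface address management primary'.
    """
    tokens = line.split()
    if tokens[:4] == ROUTE_ADD:
        is_route, args = True, tokens[4:]
    elif tokens[:6] == MGMT_PRIMARY:
        is_route, args = False, tokens[6:]
    else:
        return ["unsupported command"]
    if len(args) != 3:
        return ["expected: <ipv6 address> <prefix length> <gateway address>"]

    address, prefix, gateway = args
    problems = []

    if _parse_ipv6(address) is None:
        problems.append(f"invalid IPv6 address: {address}")

    allowed = ROUTE_PREFIX_RANGE if is_route else INTERFACE_PREFIX_RANGE
    prefix_ok = prefix.isascii() and prefix.isdigit() and int(prefix) in allowed
    if not prefix_ok:
        problems.append(
            f"prefix length {prefix} outside {allowed.start} to {allowed.stop - 1}"
        )

    gateway_address = _parse_ipv6(gateway)
    if gateway_address is None:
        problems.append(f"invalid gateway address: {gateway}")
    elif is_route and gateway_address not in LINK_LOCAL:
        # fe80:1::1 is inside fe80::/10 but outside the /64 the page names.
        problems.append(f"gateway {gateway} is not link-local (FE80::/64)")
    return problems


if __name__ == "__main__":
    samples = [
        # The route example from this page.
        "config ipv6 route add 3010:1111:2222:abcd:abcd:abcd:abcd:1111 64 "
        "fe80::6616:8dff:fed3:c0cf",
        # Constructed: a global-scope gateway, which the guideline rules out.
        "config ipv6 route add 2001:db8:1:: 64 2001:db8::1",
    ]
    for sample in samples:
        print(sample, "->", check_ipv6_command(sample) or "ok")
```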


Config Commands: j to q

config known ap
config lag
config ldap
config local-auth active-timeout
config local-auth eap-profile
config local-auth method fast
config local-auth user-credentials
config lync-sdn
config licensing
config license boot
config load-balancing
config location
config location info rogue
config logging buffered
config logging console
config logging debug
config logging fileinfo
config logging procinfo
config logging traceinfo
config logging syslog host
config logging syslog facility
config logging syslog facility client
config logging syslog facility ap
config logging syslog level
config loginsession close
config macfilter
config macfilter description
config macfilter interface
config macfilter ip-address
config macfilter mac-delimiter
config macfilter radius-compat
config macfilter wlan-id
config mdns ap
config mdns profile
config mdns query interval
config mdns service
config mdns snooping
config mdns policy enable
config mdns policy service-group
config mdns policy service-group parameters
config mdns policy service-group user-name
config mdns policy service-group user-role
config media-stream multicast-direct
config media-stream message
config media-stream add
config media-stream admit
config media-stream deny
config media-stream delete
config memory monitor errors
config memory monitor leaks
config mesh alarm
config mesh astools
config mesh backhaul rate-adapt
config mesh backhaul slot
config mesh battery-state
config mesh client-access
config mesh ethernet-bridging allow-bpdu
config mesh ethernet-bridging vlan-transparent
config mesh full-sector-dfs
config mesh linkdata
config mesh linktest
config mesh lsc
config mesh lsc advanced
config mesh lsc advanced ap-provision
config mesh multicast
config mesh parent preferred
config mesh public-safety
config mesh radius-server
config mesh range
config mesh secondary-backhaul
config mesh security
config mesh slot-bias
config mgmtuser add
config mgmtuser delete
config mgmtuser description
config mgmtuser password
config mgmtuser telnet
config mgmtuser termination-interval
config mobility dscp
config mobility group anchor
config mobility group domain
config mobility group keepalive count
config mobility group keepalive interval
config mobility group member
config mobility group multicast-address
config mobility multicast-mode
config mobility new-architecture
config mobility oracle
config mobility secure-mode
config mobility statistics reset
config netuser add
config netuser delete
config netuser description
config network dns serverip
config netuser guest-lan-id
config netuser guest-role apply
config netuser guest-role create
config netuser guest-role delete
config netuser guest-role qos data-rate average-data-rate
config netuser guest-role qos data-rate average-realtime-rate
config netuser guest-role qos data-rate burst-data-rate
config netuser guest-role qos data-rate burst-realtime-rate
config netuser lifetime
config netuser maxUserLogin
config netuser password
config netuser wlan-id
config network client-ip-conflict-detection
config network http-proxy ip-address
config network bridging-shared-secret
config network web-auth captive-bypass
config network web-auth port
config network web-auth proxy-redirect
config network web-auth secureweb
config network webmode
config network web-auth
config network 802.3-bridging
config network allow-old-bridge-aps
config network ap-discovery
config network ap-easyadmin
config network ap-fallback
config network ap-priority
config network apple-talk
config network arptimeout
config assisted-roaming
config network bridging-shared-secret
config network broadcast
config network fast-ssid-change
config network ip-mac-binding
config network link local bridging
config network master-base
config network mgmt-via-wireless
config network multicast global
config network multicast igmp query interval
config network multicast igmp snooping
config network multicast igmp timeout
config network multicast l2mcast
config network multicast mld
config network multicast mode multicast
config network multicast mode unicast
config network oeap-600 dual-rlan-ports
config network oeap-600 local-network
config network otap-mode
config network profiling
config opendns
config opendns api-token
config opendns forced
config opendns profile
config pmipv6 domain
config pmipv6 add profile
config pmipv6 delete
config pmipv6 mag apn
config pmipv6 mag binding init-retx-time
config pmipv6 mag binding lifetime
config pmipv6 mag binding max-retx-time
config pmipv6 mag binding maximum
config pmipv6 mag binding refresh-time
config pmipv6 mag bri delay
config pmipv6 mag bri retries
config pmipv6 mag lma
config pmipv6 mag replay-protection
config port power
config policy action opendns-profile-name
config network rf-network-name
config network secureweb
config network secureweb cipher-option
config network ssh
config network telnet
config network usertimeout
config network web-auth captive-bypass
config network web-auth cmcc-support
config network web-auth port
config network web-auth proxy-redirect
config network web-auth secureweb
config network web-auth https-redirect
config network webmode
config network web-auth
config network zero-config
config network allow-old-bridge-aps
config network ap-discovery
config network ap-fallback
config network ap-priority
config network apple-talk
config network bridging-shared-secret
config network master-base
config network oeap-600 dual-rlan-ports
config network oeap-600 local-network
config network otap-mode
config network zero-config
config nmsp notify-interval measurement
config paging
config passwd-cleartext
config policy
config port adminmode
config port autoneg
config port linktrap
config port multicast appliance
config prompt
config qos average-data-rate
config qos average-realtime-rate
config qos burst-data-rate
config qos burst-realtime-rate
config qos description
config qos fastlane
config qos fastlane disable global
config qos max-rf-usage
config qos dot1p-tag
config qos priority
config qos protocol-type
config qos queue_length
config qos qosmap
config qos qosmap up-to-dscp-map
config qos qosmap dscp-to-up-exception
config qos qosmap delete-dscp-exception
config qos qosmap clear-all
config qos qosmap trust dscp upstream

config known ap

To configure a known Cisco lightweight access point, use the config known ap command.

config known ap {add | alert | delete} MAC

Syntax Description

add       Adds a new known access point entry.
alert     Generates a trap upon detection of the access point.
delete    Deletes an existing known access point entry.
MAC       MAC address of the known Cisco lightweight access point.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to add a new access point entry ac:10:02:72:2f:bf on a known access point:

(Cisco Controller) > config known ap add ac:10:02:72:2f:bf 12


config lag

To enable or disable link aggregation (LAG), use the config lag command.

config lag {enable | disable}

Syntax Description

enable     Enables the link aggregation (LAG) settings.
disable    Disables the link aggregation (LAG) settings.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable LAG settings:

(Cisco Controller) > config lag enable
Enabling LAG will map your current interfaces setting to LAG interface,
All dynamic AP Manager interfaces and Untagged interfaces will be deleted
All WLANs will be disabled and mapped to Mgmt interface
Are you sure you want to continue? (y/n)
You must now reboot for the settings to take effect.

The following example shows how to disable LAG settings:

(Cisco Controller) > config lag disable
Disabling LAG will map all existing interfaces to port 1.
Are you sure you want to continue? (y/n)
You must now reboot for the settings to take effect.


config ldap

To configure the Lightweight Directory Access Protocol (LDAP) server settings, use the config ldap command.

config ldap {add | delete | enable | disable | retransmit-timeout | retry | user | security-mode | simple-bind} index

config ldap add index server_ip_address port user_base user_attr user_type [secure]

config ldap retransmit-timeout index retransmit-timeout

config ldap retry attempts

config ldap user {attr index user-attr | base index user-base | type index user-type}

config ldap security-mode {enable | disable} index

config ldap simple-bind {anonymous index | authenticated index username password}

Syntax Description

add                   Specifies that an LDAP server is being added.
delete                Specifies that an LDAP server is being deleted.
enable                Specifies that an LDAP server is enabled.
disable               Specifies that an LDAP server is disabled.
retransmit-timeout    Changes the default retransmit timeout for an LDAP server.
retry                 Configures the retry attempts for an LDAP server.
user                  Configures the user search parameters.
security-mode         Configures the security mode.
simple-bind           Configures the local authentication bind method.
anonymous             Allows anonymous access to the LDAP server.
authenticated         Specifies that a username and password be entered to secure access to the LDAP server.
index                 LDAP server index. The range is from 1 to 17.
server_ip_address     IP address of the LDAP server.
port                  Port number.
user_base             Distinguished name for the subtree that contains all of the users.
user_attr             Attribute that contains the username.
user_type             ObjectType that identifies the user.
secure                (Optional) Specifies that Transport Layer Security (TLS) is used.
retransmit-timeout    Retransmit timeout for an LDAP server. The range is from 2 to 30.
attempts              Number of attempts that each LDAP server is retried.
attr                  Configures the attribute that contains the username.
base                  Configures the distinguished name of the subtree that contains all the users.
type                  Configures the user type.
username              Username for the authenticated bind method.
password              Password for the authenticated bind method.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.
7.6        The secure keyword was added to support secure LDAP.

Usage Guidelines

When you enable secure LDAP, the controller does not validate the server certificate.

Examples

The following example shows how to enable LDAP server index 10:

(Cisco Controller) > config ldap enable 10


Related Commands

config ldap add
config ldap simple-bind
show ldap summary


config local-auth active-timeout

To specify the amount of time in which the controller attempts to authenticate wireless clients using local Extensible Authentication Protocol (EAP) after any pair of configured RADIUS servers fails, use the config local-auth active-timeout command.

config local-auth active-timeout timeout

Syntax Description

timeout    Timeout measured in seconds. The range is from 1 to 3600.

Command Default

The default timeout value is 100 seconds.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to specify the active timeout to authenticate wireless clients using EAP to 500 seconds:

(Cisco Controller) > config local-auth active-timeout 500

Related Commands

clear stats local-auth
config local-auth eap-profile
config local-auth method fast
config local-auth user-credentials
debug aaa local-auth
show local-auth certificates
show local-auth config
show local-auth statistics


config local-auth eap-profile

To configure local Extensible Authentication Protocol (EAP) authentication profiles, use the config local-auth eap-profile command.

config local-auth eap-profile {[add | delete] profile_name | cert-issuer {cisco | vendor} | method method local-cert {enable | disable} profile_name | method method client-cert {enable | disable} profile_name | method method peer-verify ca-issuer {enable | disable} | method method peer-verify cn-verify {enable | disable} | method method peer-verify date-valid {enable | disable}}

Syntax Description

add             (Optional) Specifies that an EAP profile or method is being added.
delete          (Optional) Specifies that an EAP profile or method is being deleted.
profile_name    EAP profile name (up to 63 alphanumeric characters). Do not include spaces within a profile name.
cert-issuer     (For use with EAP-TLS, PEAP, or EAP-FAST with certificates) Specifies the issuer of the certificates that will be sent to the client. The supported certificate issuers are Cisco or a third-party vendor.
cisco           Specifies the Cisco certificate issuer.
vendor          Specifies the third-party vendor.
method          Configures an EAP profile method.
method          EAP profile method name. The supported methods are leap, fast, tls, and peap.
local-cert      (For use with EAP-FAST) Specifies whether the device certificate on the controller is required for authentication.
enable          Specifies that the parameter is enabled.
disable         Specifies that the parameter is disabled.
client-cert     (For use with EAP-FAST) Specifies whether wireless clients are required to send their device certificates to the controller in order to authenticate.
peer-verify     Configures the peer certificate verification options.
ca-issuer       (For use with EAP-TLS or EAP-FAST with certificates) Specifies whether the incoming certificate from the client is to be validated against the Certificate Authority (CA) certificates on the controller.
cn-verify       (For use with EAP-TLS or EAP-FAST with certificates) Specifies whether the common name (CN) in the incoming certificate is to be validated against the CA certificates' CN on the controller.
date-valid      (For use with EAP-TLS or EAP-FAST with certificates) Specifies whether the controller is to verify that the incoming device certificate is still valid and has not expired.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to create a local EAP profile named FAST01:

(Cisco Controller) > config local-auth eap-profile add FAST01

The following example shows how to add the EAP-FAST method to a local EAP profile:

(Cisco Controller) > config local-auth eap-profile method add fast FAST01

The following example shows how to specify Cisco as the issuer of the certificates that will be sent to the client for an EAP-FAST profile:

(Cisco Controller) > config local-auth eap-profile method fast cert-issuer cisco

The following example shows how to specify that the incoming certificate from the client be validated against the CA certificates on the controller:

(Cisco Controller) > config local-auth eap-profile method fast peer-verify ca-issuer enable

Related Commands

config local-auth active-timeout
config local-auth method fast
config local-auth user-credentials
debug aaa local-auth
show local-auth certificates
show local-auth config
show local-auth statistics


config local-auth method fast

To configure an EAP-FAST profile, use the config local-auth method fast command.

config local-auth method fast {anon-prov [enable | disable] | authority-id auth_id pac-ttl days | server-key key_value}

Syntax Description

anon-prov       Configures the controller to allow anonymous provisioning, which allows PACs to be sent automatically to clients that do not have one during Protected Access Credentials (PAC) provisioning.
enable          (Optional) Specifies that the parameter is enabled.
disable         (Optional) Specifies that the parameter is disabled.
authority-id    Configures the authority identifier of the local EAP-FAST server.
auth_id         Authority identifier of the local EAP-FAST server (2 to 32 hexadecimal digits).
pac-ttl         Configures the number of days for the Protected Access Credentials (PAC) to remain viable (also known as the time-to-live [TTL] value).
days            Time-to-live (TTL) value (1 to 1000 days).
server-key      Configures the server key to encrypt or decrypt PACs.
key_value       Encryption key value (2 to 32 hexadecimal digits).

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to disable anonymous provisioning on the controller:

(Cisco Controller) > config local-auth method fast anon-prov disable


The following example shows how to configure the authority identifier 0125631177 of the local EAP-FAST server:

(Cisco Controller) > config local-auth method fast authority-id 0125631177

The following example shows how to configure the number of days to 10 for the PAC to remain viable:

(Cisco Controller) > config local-auth method fast pac-ttl 10

Related Commands

clear stats local-auth
config local-auth eap-profile
config local-auth active-timeout
config local-auth user-credentials
debug aaa local-auth
show local-auth certificates
show local-auth config
show local-auth statistics


config local-auth user-credentials

To configure the local Extensible Authentication Protocol (EAP) authentication database search order for user credentials, use the config local-auth user-credentials command.

config local-auth user-credentials {local [ldap] | ldap [local]}

Syntax Description

local    Specifies that the local database is searched for the user credentials.
ldap     (Optional) Specifies that the Lightweight Directory Access Protocol (LDAP) database is searched for the user credentials.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

The order of the specified database parameters indicates the database search order.

Examples

The following example shows how to specify the order in which the local EAP authentication database is searched:

(Cisco Controller) > config local-auth user-credentials local ldap

In the above example, the local database is searched first and then the LDAP database.

Related Commands

clear stats local-auth
config local-auth eap-profile
config local-auth method fast
config local-auth active-timeout
debug aaa local-auth
show local-auth certificates
show local-auth config
show local-auth statistics
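Several settings documented above weaken authentication or first-hop protection when set a particular way: config ldap add without secure, config ldap simple-bind anonymous, config local-auth method fast anon-prov enable, a peer-verify option set to disable, and config ipv6 ra-guard ap disable. The following Python audit is an added example, not part of the Cisco reference; it scans a text list of controller commands for those forms. The rule identifiers, the choice of which settings to flag, and the sample input are assumptions made for this example.

```python
PROMPT = "(Cisco Controller) >"
PEER_VERIFY_OPTIONS = {"ca-issuer", "cn-verify", "date-valid"}

# Constructed sample input (not from a real controller): one command per line,
# with or without the CLI prompt in front.
SAMPLE_COMMANDS = """\
config ldap add 1 192.0.2.10 389 ou=people,dc=example,dc=com uid Person
config ldap add 2 192.0.2.11 636 ou=people,dc=example,dc=com uid Person secure
config ldap simple-bind anonymous 1
config ldap simple-bind authenticated 2 svc-wlc EXAMPLE-PASSWORD
config local-auth method fast anon-prov enable
config local-auth eap-profile method fast peer-verify ca-issuer disable
config local-auth eap-profile method fast peer-verify date-valid enable
(Cisco Controller) > config ipv6 ra-guard ap disable
"""


def check_command(tokens):
    """Return (rule_id, message) when a tokenised command matches a rule, else None.

    Assumption: the rules reflect a hardening policy chosen for this example.
    """
    # config ldap add index server_ip_address port user_base user_attr user_type [secure]
    if tokens[:3] == ["config", "ldap", "add"] and len(tokens) in (9, 10):
        index = tokens[3]
        if len(tokens) == 10 and tokens[9] == "secure":
            # Per the usage guideline: TLS is used, but the certificate is not validated.
            return ("ldap-tls-unvalidated",
                    f"LDAP server {index}: TLS enabled, server certificate is not validated")
        return ("ldap-no-tls", f"LDAP server {index}: added without the secure keyword")

    # config ldap simple-bind anonymous index
    if tokens[:4] == ["config", "ldap", "simple-bind", "anonymous"] and len(tokens) == 5:
        return ("ldap-anonymous-bind", f"LDAP server {tokens[4]}: anonymous bind")

    # config local-auth method fast anon-prov enable
    if tokens == ["config", "local-auth", "method", "fast", "anon-prov", "enable"]:
        return ("eap-fast-anon-prov", "EAP-FAST anonymous PAC provisioning is enabled")

    # config local-auth eap-profile method <method> peer-verify <option> disable
    if (len(tokens) == 8
            and tokens[:4] == ["config", "local-auth", "eap-profile", "method"]
            and tokens[5] == "peer-verify"
            and tokens[6] in PEER_VERIFY_OPTIONS
            and tokens[7] == "disable"):
        return ("peer-verify-disabled",
                f"EAP method {tokens[4]}: peer-verify {tokens[6]} is disabled")

    # config ipv6 ra-guard ap disable
    if tokens == ["config", "ipv6", "ra-guard", "ap", "disable"]:
        return ("ra-guard-disabled", "IPv6 RA guard is disabled on the AP")

    return None


def audit(text):
    """Return a list of (line_number, rule_id, message) for every flagged command."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        line = line.strip()
        if line.startswith(PROMPT):
            line = line[len(PROMPT):]
        result = check_command(line.split())
        if result is not None:
            findings.append((number, *result))
    return findings


if __name__ == "__main__":
    for number, rule_id, message in audit(SAMPLE_COMMANDS):
        print(f"line {number}: [{rule_id}] {message}")
```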


config lync-sdn

To configure the Lync service, use the config lync-sdn command.

config lync-sdn {port port-number} | {enable | disable}

Syntax Description

port           Configures the Lync server port number.
port-number    Port number of the server.
enable         Enables Lync service globally.
disable        Disables Lync service globally.

Command Default

None

Command History

Release    Modification
8.1        This command was introduced.

Examples

The following example shows how to enable Lync service globally:

(Cisco Controller) > config lync-sdn enable


config licensing

To switch between Cisco Smart Software Licensing and RTU licensing platform, use the config licensing command.

config licensing {rtu | smart-license} dns-server ip address

Syntax Description

rtu              Right To Use license platform.
smart-license    Cisco Smart Software License platform.
dns-server       Configures smart software licensing DNS server parameters.

Command History

Release    Modification
8.2        This command was introduced.

Command Default

The Right To Use (RTU) is the default license mechanism in the device.

Examples

The following example shows how to activate Cisco Smart Software License on the controller:

(Cisco Controller) > config licensing smart-license dns-server 209.165.200.224

Note: The controller needs to be rebooted to activate the change in the license platform.


config license boot

To specify the license level to be used on the next reboot of the Cisco 5500 Series Controller, use the config license boot command.

config license boot {base | wplus | auto}

Syntax Description

base     Specifies the base boot level.
wplus    Specifies the wplus boot level.
auto     Specifies the auto boot level.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

If you enter auto, the licensing software automatically chooses the license level to use on the next reboot. It generally chooses permanent licenses over evaluation licenses and wplus licenses over base licenses.

Note: If you are considering upgrading from a base license to a wplus license, you can try an evaluation wplus license before upgrading to a permanent wplus license. To activate the evaluation license, you need to set the image level to wplus in order for the controller to use the wplus evaluation license instead of the base permanent license.

Note: To prevent disruptions in operation, the controller does not switch licenses when an evaluation license expires. You must reboot the controller in order to return to a permanent license. Following a reboot, the controller defaults to the same feature set level as the expired evaluation license. If no permanent license at the same feature set level is installed, the controller uses a permanent license at another level or an unexpired evaluation license.

Examples

The following example shows how to set the license boot settings to wplus:

(Cisco Controller) > config license boot wplus

600

Cisco Wireless Controller Command Reference, Release 8.4

Related Commands license install show license in-use license modify priority config license boot


config load-balancing

To globally configure aggressive load balancing on the controller, use the config load-balancing command.

config load-balancing {window client_count | status {enable | disable} | denial denial_count}

config load-balancing uplink-threshold traffic_threshold

Syntax Description

window               Specifies the aggressive load balancing client window.
client_count         Aggressive load balancing client window with the number of clients from 1 to 20.
status               Sets the load balancing status.
enable               Enables the load balancing feature.
disable              Disables the load balancing feature.
denial               Specifies the number of association denials during load balancing.
denial_count         Maximum number of association denials during load balancing, from 0 to 10.
uplink-threshold     Specifies the threshold traffic for an access point to deny new associations.
traffic_threshold    Threshold traffic for an access point to deny new associations. This value is a percentage of the WAN utilization measured over a 90-second interval. For example, the default threshold value of 50 triggers the load balancing upon detecting a utilization of 50% or more on an access point WAN interface.

Command Default

By default, the aggressive load balancing is disabled.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

Load-balancing-enabled WLANs do not support time-sensitive applications like voice and video because of roaming delays.

When you use Cisco 7921 and 7920 Wireless IP Phones with controllers, make sure that aggressive load balancing is disabled on the voice WLANs for each controller. Otherwise, the initial roam attempt by the phone might fail, causing a disruption in the audio path.

Clients can only be load balanced across access points joined to the same controller. The WAN utilization is calculated as a percentage using the following formula:

(Transmitted Data Rate (per second) + Received Data Rate (per second)) / (1000 Mbps TX + 1000 Mbps RX) * 100

Examples

The following example shows how to enable the aggressive load-balancing settings:

(Cisco Controller) > config load-balancing aggressive enable

Related Commands

show load-balancing
config wlan load-balance


config location

To configure a location-based system, use the config location command.

config location {algorithm {simple | rssi-average} | {rssi-half-life | expiry} [client | calibrating-client | tags | rogue-aps] seconds | notify-threshold [client | tags | rogue-aps] threshold | interface-mapping {add | delete} location wlan_id interface_name | plm {client {enable | disable} burst_interval | calibrating {enable | disable} {uniband | multiband}}}

Syntax Description

algorithm             Configures the algorithm used to average RSSI and SNR values.
                      Note: We recommend that you do not use or modify the config location algorithm command. It is set to optimal default values.
simple                Specifies a faster algorithm that requires low CPU overhead but provides less accuracy.
rssi-average          Specifies a more accurate algorithm but requires more CPU overhead.
rssi-half-life        Configures the half-life when averaging two RSSI readings.
                      Note: We recommend that you do not use or modify the config location rssi-half-life command. It is set to optimal default values.
expiry                Configures the timeout for RSSI values.
                      Note: We recommend that you do not use or modify the config location expiry command. It is set to optimal default values.
client                (Optional) Specifies the parameter applies to client devices.
calibrating-client    (Optional) Specifies the parameter is used for calibrating client devices.
tags                  (Optional) Specifies the parameter applies to radio frequency identification (RFID) tags.
rogue-aps             (Optional) Specifies the parameter applies to rogue access points.
seconds               Time value (0, 1, 2, 5, 10, 20, 30, 60, 90, 120, 180, 300 seconds).
notify-threshold      Specifies the NMSP notification threshold for RSSI measurements.
                      Note: We recommend that you do not use or modify the config location notify-threshold command. It is set to optimal default values.
threshold             Threshold parameter. The range is 0 to 10 dB, and the default value is 0 dB.
interface-mapping     Adds or deletes a new location, wireless LAN, or interface mapping element.
wlan_id               WLAN identification name.
interface_name        Name of interface to which mapping element applies.
plm                   Specifies the path loss measurement (S60) request for normal clients or calibrating clients.
client                Specifies normal, noncalibrating clients.
burst_interval        Burst interval. The range is from 1 to 3600 seconds, and the default value is 60 seconds.
calibrating           Specifies calibrating clients.
uniband               Specifies the associated 802.11a or 802.11b/g radio (uniband).
multiband             Specifies the associated 802.11a/b/g radio (multiband).

Command Default

See the “Syntax Description” section for default values of individual arguments and keywords.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to specify the simple algorithm for averaging RSSI and SNR values on a location-based controller:

(Cisco Controller) > config location algorithm simple

Related Commands

config location info rogue
clear location rfid
clear location statistics rfid
show location
show location statistics rfid


config location info rogue

To configure info-notification for rogue service, use the config location info rogue command.

config location info rogue {basic | extended}

Syntax Description

basic       Configures basic rogue parameters such as mode, class, containmentlevel, numclients, firsttime, lasttime, ssid, and so on, for rogue info-notification service.
            Note: Configure the basic parameters if the version of Cisco MSE is older than the version of the Cisco WLC.
extended    Configures extended rogue parameters, which are the basic parameters plus security type, detecting LRAD type, and so on, for rogue info-notification service.

Command History

Release    Modification
8.0        This command was introduced.


config logging buffered

To set the severity level for logging messages to the controller buffer, use the config logging buffered command.

config logging buffered security_level

Syntax Description

security_level    Security level. Choose one of the following:
                  • emergencies—Severity level 0
                  • alerts—Severity level 1
                  • critical—Severity level 2
                  • errors—Severity level 3
                  • warnings—Severity level 4
                  • notifications—Severity level 5
                  • informational—Severity level 6
                  • debugging—Severity level 7

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to set the controller buffer severity level for logging messages to 4:

(Cisco Controller) > config logging buffered 4

Related Commands

config logging syslog facility
config logging syslog level
show logging


config logging console

To set the severity level for logging messages to the controller console, use the config logging console command.

config logging console security_level

Syntax Description

security_level    Severity level. Choose one of the following:
                  • emergencies—Severity level 0
                  • alerts—Severity level 1
                  • critical—Severity level 2
                  • errors—Severity level 3
                  • warnings—Severity level 4
                  • notifications—Severity level 5
                  • informational—Severity level 6
                  • debugging—Severity level 7

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to set the controller console severity level for logging messages to 3:

(Cisco Controller) > config logging console 3

Related Commands

config logging syslog facility
config logging syslog level
show logging


config logging debug

To save debug messages to the controller buffer, the controller console, or a syslog server, use the config logging debug command.

config logging debug {buffered | console | syslog} {enable | disable}

Syntax Description

buffered    Saves debug messages to the controller buffer.
console     Saves debug messages to the controller console.
syslog      Saves debug messages to the syslog server.
enable      Enables logging of debug messages.
disable     Disables logging of debug messages.

Command Default

The console command is enabled and the buffered and syslog commands are disabled by default.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to save the debug messages to the controller console:

(Cisco Controller) > config logging debug console enable

Related Commands

show logging


config logging fileinfo

To cause the controller to include information about the source file in the message logs or to prevent the controller from displaying this information, use the config logging fileinfo command.

config logging fileinfo {enable | disable}

Syntax Description

enable     Includes information about the source file in the message logs.
disable    Prevents the controller from displaying information about the source file in the message logs.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable the controller to include information about the source file in the message logs:

(Cisco Controller) > config logging fileinfo enable

Related Commands

show logging


config logging procinfo

To cause the controller to include process information in the message logs or to prevent the controller from displaying this information, use the config logging procinfo command.

config logging procinfo {enable | disable}

Syntax Description

enable     Includes process information in the message logs.
disable    Prevents the controller from displaying process information in the message logs.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable the controller to include the process information in the message logs:

(Cisco Controller) > config logging procinfo enable

Related Commands

show logging


config logging traceinfo

To cause the controller to include traceback information in the message logs or to prevent the controller from displaying this information, use the config logging traceinfo command.

config logging traceinfo {enable | disable}

Syntax Description

enable     Includes traceback information in the message logs.
disable    Prevents the controller from displaying traceback information in the message logs.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to prevent the controller from including the traceback information in the message logs:

(Cisco Controller) > config logging traceinfo disable

Related Commands

show logging


config logging syslog host

To configure a remote host for sending syslog messages, use the config logging syslog host command.

config logging syslog host ip_addr

Syntax Description

ip_addr    IP address for the remote host.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.
8.0        This command supports both IPv4 and IPv6 address formats.

Usage Guidelines

• To configure a remote host for sending syslog messages, use the config logging syslog host ip_addr command.
• To remove a remote host that was configured for sending syslog messages, use the config logging syslog host ip_addr delete command.
• To display the configured syslog servers on the controller, use the show logging command.

Examples

The following example shows how to configure two remote hosts 10.92.125.52 and 2001:9:6:40::623 for sending the syslog messages and display the configured syslog servers on the controller:

(Cisco Controller) > config logging syslog host 10.92.125.52
System logs will be sent to 10.92.125.52 from now on
(Cisco Controller) > config logging syslog host 2001:9:6:40::623
System logs will be sent to 2001:9:6:40::623 from now on
(Cisco Controller) > show logging
Logging to buffer :
- Logging of system messages to buffer :
- Logging filter level.......................... errors
- Number of system messages logged.............. 1316
- Number of system messages dropped............. 6892
- Logging of debug messages to buffer ........... Disabled
- Number of debug messages logged............... 0
- Number of debug messages dropped.............. 0
- Cache of logging ............................. Disabled
- Cache of logging time(mins) ................... 10080
- Number of over cache time log dropped ........ 0
Logging to console :
- Logging of system messages to console :
- Logging filter level.......................... disabled
- Number of system messages logged.............. 0
- Number of system messages dropped............. 8243
- Logging of debug messages to console .......... Enabled
- Number of debug messages logged............... 0
- Number of debug messages dropped.............. 0
Logging to syslog :
- Syslog facility................................ local0
- Logging of system messages to console :
- Logging filter level.......................... disabled
- Number of system messages logged.............. 0
- Number of system messages dropped............. 8208
- Logging of debug messages to console .......... Enabled
- Number of debug messages logged............... 0
- Number of debug messages dropped.............. 0
- Logging of system messages to syslog :
- Logging filter level.......................... errors
- Number of system messages logged.............. 1316
- Number of system messages dropped............. 6892
- Logging of debug messages to syslog ........... Disabled
- Number of debug messages logged............... 0
- Number of debug messages dropped.............. 0
- Number of remote syslog hosts.................. 2
- syslog over tls................................ Disabled
- Host 0....................................... 10.92.125.52
- Host 1....................................... 2001:9:6:40::623
- Host 2.......................................
Logging of RFC 5424.............................. Disabled
Logging of Debug messages to file :
- Logging of Debug messages to file.............. Disabled
- Number of debug messages logged................ 0
- Number of debug messages dropped............... 0
Logging of traceback............................. Enabled

The following example shows how to remove two remote hosts 10.92.125.52 and 2001:9:6:40::623 that were configured for sending syslog messages and display that the configured syslog servers were removed from the controller:

(Cisco Controller) > config logging syslog host 10.92.125.52 delete
System logs will not be sent to 10.92.125.52 anymore
(Cisco Controller) > config logging syslog host 2001:9:6:40::623 delete
System logs will not be sent to 2001:9:6:40::623 anymore
(Cisco Controller) > show logging
Logging to buffer :
- Logging of system messages to buffer :
- Logging filter level.......................... errors
- Number of system messages logged.............. 1316
- Number of system messages dropped............. 6895
- Logging of debug messages to buffer ........... Disabled
- Number of debug messages logged............... 0
- Number of debug messages dropped.............. 0
- Cache of logging ............................. Disabled
- Cache of logging time(mins) ................... 10080
- Number of over cache time log dropped ........ 0
Logging to console :
- Logging of system messages to console :
- Logging filter level.......................... disabled
- Number of system messages logged.............. 0
- Number of system messages dropped............. 8211
- Logging of debug messages to console .......... Enabled
- Number of debug messages logged............... 0
- Number of debug messages dropped.............. 0
Logging to syslog :
- Syslog facility................................ local0
- Logging of system messages to syslog :
- Logging filter level.......................... errors
- Number of system messages logged.............. 1316
- Number of system messages dropped............. 6895
- Logging of debug messages to syslog ........... Disabled
- Number of debug messages logged............... 0
- Number of debug messages dropped.............. 0
- Number of remote syslog hosts.................. 0
- syslog over tls................................ Disabled
- Host 0.......................................
- Host 1.......................................
- Host 2.......................................
Logging of RFC 5424.............................. Disabled
Logging of Debug messages to file :
- Logging of Debug messages to file.............. Disabled
- Number of debug messages logged................ 0
- Number of debug messages dropped............... 0
Logging of traceback............................. Enabled
- Traceback logging level........................ errors
Logging of source file informational............. Enabled
Timestamping of messages.........................
- Timestamping of system messages................ Enabled
- Timestamp format.............................. Date and Time
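The two show logging captures differ in exactly the fields a log-pipeline review looks at: the remote host list, the syslog over tls setting, and the dropped-message counters. The Python below is an added example, not part of the Cisco reference; it parses that output per section and reports findings. The sample text is abridged from the captures above, and the finding rules and function names are assumptions of this example.

```python
import re

# A dotted "key.... value" line, with or without the leading "- ".
KV = re.compile(r"^(?P<dash>-\s*)?(?P<key>.+?)\s*\.{3,}\s*(?P<val>.*)$")
# A heading such as "Logging to syslog :" (a leading "- " marks a sub-heading).
HEADING = re.compile(r"^(?P<dash>-\s*)?(?P<name>[^.]+?)\s*:$")

# Constructed samples: abridged copies of the two captures in this section.
WITH_HOSTS = """
Logging to console :
- Logging of system messages to console :
- Logging filter level.......................... disabled
- Number of system messages dropped............. 8243
Logging to syslog :
- Syslog facility................................ local0
- Logging of system messages to syslog :
- Logging filter level.......................... errors
- Number of system messages logged.............. 1316
- Number of system messages dropped............. 6892
- Number of remote syslog hosts.................. 2
- syslog over tls................................ Disabled
- Host 0....................................... 10.92.125.52
- Host 1....................................... 2001:9:6:40::623
- Host 2.......................................
Logging of RFC 5424.............................. Disabled
"""

AFTER_DELETE = """
Logging to syslog :
- Syslog facility................................ local0
- Logging of system messages to syslog :
- Logging filter level.......................... errors
- Number of system messages dropped............. 6895
- Number of remote syslog hosts.................. 0
- syslog over tls................................ Disabled
- Host 0.......................................
- Host 1.......................................
- Host 2.......................................
Logging of RFC 5424.............................. Disabled
"""


def parse_show_logging(text):
    """Return {section: {key: value}}; top-level settings go under ""."""
    sections = {"": {}}
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        kv = KV.match(line)
        if kv:
            if not kv["dash"]:  # an undashed setting is back at top level
                current = ""
            sections[current][kv["key"]] = kv["val"].strip()
            continue
        heading = HEADING.match(line)
        if heading and not heading["dash"]:
            current = heading["name"]
            sections.setdefault(current, {})
    return sections


def remote_hosts(sections):
    """Addresses listed on the non-empty "Host N" lines of the syslog section."""
    syslog = sections.get("Logging to syslog", {})
    return [v for k, v in syslog.items() if re.fullmatch(r"Host \d+", k) and v]


def audit(text):
    """Return a list of findings (rules are this example's assumptions)."""
    sections = parse_show_logging(text)
    syslog = sections.get("Logging to syslog", {})
    hosts = remote_hosts(sections)
    findings = []
    if not hosts:
        findings.append("no remote syslog host configured")
    elif syslog.get("syslog over tls", "").lower() != "enabled":
        findings.append("syslog over tls is not enabled for " + ", ".join(hosts))
    dropped = int(syslog.get("Number of system messages dropped") or 0)
    if dropped:
        findings.append("%d system messages dropped on the syslog path" % dropped)
    return findings


if __name__ == "__main__":
    for name, capture in (("with hosts", WITH_HOSTS), ("after delete", AFTER_DELETE)):
        print(name, audit(capture))
```

Counters are kept per section because the same key, such as Number of system messages dropped, appears under buffer, console, and syslog with different values.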


config logging syslog facility

To set the facility for outgoing syslog messages to the remote host, use the config logging syslog facility command.

config logging syslog facility facility_code

Syntax Description

facility_code    Facility code. Choose one of the following:
                 • authorization—Authorization system. Facility level—4.
                 • auth-private—Authorization system (private). Facility level—10.
                 • cron—Cron/at facility. Facility level—9.
                 • daemon—System daemons. Facility level—3.
                 • ftp—FTP daemon. Facility level—11.
                 • kern—Kernel. Facility level—0.
                 • local0—Local use. Facility level—16.
                 • local1—Local use. Facility level—17.
                 • local2—Local use. Facility level—18.
                 • local3—Local use. Facility level—19.
                 • local4—Local use. Facility level—20.
                 • local5—Local use. Facility level—21.
                 • local6—Local use. Facility level—22.
                 • local7—Local use. Facility level—23.
                 • lpr—Line printer system. Facility level—6.
                 • mail—Mail system. Facility level—2.
                 • news—USENET news. Facility level—7.
                 • sys12—System use. Facility level—12.
                 • sys13—System use. Facility level—13.
                 • sys14—System use. Facility level—14.
                 • sys15—System use. Facility level—15.
                 • syslog—The syslog itself. Facility level—5.
                 • user—User process. Facility level—1.
                 • uucp—UNIX-to-UNIX copy system. Facility level—8.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to set the facility for outgoing syslog messages to authorization:

(Cisco Controller) > config logging syslog facility authorization

Related Commands

config logging syslog host
config logging syslog level
show logging


config logging syslog facility client

To configure the syslog facility to AP, use the config logging syslog facility client {assocfail Dot11 | associate Dot11 | authentication | authfail Dot11 | deauthenticate Dot11 | disassociate Dot11 | exclude} {enable | disable} command.

config logging syslog facility Client

Syntax Description

Client    Facility Client. Has the following functions:
          • assocfail Dot11—Association fail syslog for clients
          • associate Dot11—Association syslog for clients
          • authentication—Authentication success syslog for clients
          • authfail Dot11—Authentication fail syslog for clients
          • deauthenticate Dot11—Deauthentication syslog for clients
          • disassociate Dot11—Disassociation syslog for clients
          • excluded—Excluded syslog for clients

Command Default

None

Command History

Release    Modification
7.5        This command was introduced in a release earlier than Release 7.5.

Examples

The following example shows how to set the syslog facility for client:

cisco controller config logging syslog facility client

Related Commands

show logging flags client


config logging syslog facility ap

To configure the syslog facility to AP, use the config logging syslog facility ap {associate | disassociate} {enable | disable} command.

config logging syslog facility AP

Syntax Description

AP    Facility AP. Has the following functions:
      • associate—Association syslog for AP
      • disassociate—Disassociation syslog for AP

Command Default

None

Command History

Release    Modification
7.5        This command was introduced in a release earlier than Release 7.5.

Examples

The following example shows how to configure syslog facility for AP:

cisco controller config logging syslog facility ap

Related Commands

show logging flags ap


config logging syslog level

To set the severity level for filtering syslog messages to the remote host, use the config logging syslog level command.

config logging syslog level severity_level

Syntax Description

severity_level    Severity level. Choose one of the following:
                  • emergencies—Severity level 0
                  • alerts—Severity level 1
                  • critical—Severity level 2
                  • errors—Severity level 3
                  • warnings—Severity level 4
                  • notifications—Severity level 5
                  • informational—Severity level 6
                  • debugging—Severity level 7

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to set the severity level for syslog messages to 3:

(Cisco Controller) > config logging syslog level 3

Related Commands

config logging syslog host
config logging syslog facility
show logging
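On the receiving host, the facility chosen with config logging syslog facility and the severity of each message arrive combined in the syslog PRI prefix (facility × 8 + severity). The Python below is an added example, not part of the Cisco reference; it uses the facility and severity keywords listed above to decode that prefix and flag messages that do not fit the configured facility and level. The sample lines are constructed, and the rule that only severities numerically at or below the configured level are forwarded is an assumption of this example.

```python
import re

# Facility keywords and levels as listed under config logging syslog facility.
FACILITY = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "authorization": 4,
    "syslog": 5, "lpr": 6, "news": 7, "uucp": 8, "cron": 9,
    "auth-private": 10, "ftp": 11, "sys12": 12, "sys13": 13, "sys14": 14,
    "sys15": 15, "local0": 16, "local1": 17, "local2": 18, "local3": 19,
    "local4": 20, "local5": 21, "local6": 22, "local7": 23,
}
FACILITY_NAME = {code: name for name, code in FACILITY.items()}

# Severity keywords in level order 0..7, as listed under config logging syslog level.
SEVERITY = ["emergencies", "alerts", "critical", "errors",
            "warnings", "notifications", "informational", "debugging"]

PRI_RE = re.compile(r"^<(\d{1,3})>")


def pri(facility, severity):
    """PRI value a message with this facility and severity keyword carries."""
    return FACILITY[facility] * 8 + SEVERITY.index(severity)


def decode_pri(line):
    """Return (facility keyword, severity keyword) from a "<PRI>..." line."""
    match = PRI_RE.match(line)
    if not match:
        raise ValueError("no <PRI> prefix")
    value = int(match.group(1))
    facility, severity = divmod(value, 8)
    if facility not in FACILITY_NAME:
        raise ValueError("PRI %d out of range" % value)
    return FACILITY_NAME[facility], SEVERITY[severity]


def triage(lines, facility, level):
    """Flag lines that do not fit the configured facility and level.

    Assumption of this example: the controller forwards only messages whose
    severity number is at or below the configured level.
    """
    limit = SEVERITY.index(level)
    findings = []
    for number, line in enumerate(lines, start=1):
        try:
            fac, sev = decode_pri(line)
        except ValueError as exc:
            findings.append((number, str(exc)))
            continue
        if fac != facility:
            findings.append((number, "facility %s, expected %s" % (fac, facility)))
        elif SEVERITY.index(sev) > limit:
            findings.append((number, "%s is less severe than level %s" % (sev, level)))
    return findings


# Constructed sample lines; only the <PRI> prefix matters here.
SAMPLE = [
    "<131>constructed message: local0 at errors",
    "<134>constructed message: local0 at informational",
    "<35>constructed message: authorization at errors",
    "constructed message with no priority prefix",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE, "local0", "errors"):
        print(finding)
```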


config loginsession close

To close all active Telnet sessions, use the config loginsession close command.

config loginsession close {session_id | all}

Syntax Description

session_id    ID of the session to close.
all           Closes all Telnet sessions.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to close all active Telnet sessions:

(Cisco Controller) > config loginsession close all

Related Commands

show loginsession


config macfilter

To create or delete a MAC filter entry on the Cisco wireless LAN controller, use the config macfilter {add | delete} command.

config macfilter {add client_MAC wlan_id [interface_name] [description] [macfilter_IP] | delete client_MAC}

Syntax Description

add               Adds a MAC filter entry on the controller.
delete            Deletes a MAC filter entry on the controller.
MAC_addr          Client MAC address.
wlan_id           Wireless LAN identifier with which the MAC filter entry should associate. A zero value associates the entry with any wireless LAN.
interface_name    (Optional) Name of the interface. Enter 0 to specify no interface.
description       (Optional) Short description of the interface (up to 32 characters) in double quotes.
                  Note: A description is mandatory if macfilterIP is specified.
IP Address        (Optional) IPv4 address of the local MAC filter database.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

Use the config macfilter add command to add a client locally to a wireless LAN on the Cisco wireless LAN controller. This filter bypasses the RADIUS authentication process.

As of Release 7.6, the optional macfilter_IP supports only IPv4 addresses.

Examples

The following example shows how to add a MAC filter entry 00:E0:77:31:A3:55 with the wireless LAN ID 1, interface name labconnect, and MAC filter IP 10.92.125.51 on the controller:

(Cisco Controller) > config macfilter add 00:E0:77:31:A3:55 1 lab02 "labconnect" 10.92.125.51

Related Commands

show macfilter
config macfilter ip-address


config macfilter description

To add a description to a MAC filter, use the config macfilter description command.

config macfilter description MAC addr description

Syntax Description

MAC addr       Client MAC address.
description    (Optional) Description within double quotes (up to 32 characters).

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the description MAC filter 01 to MAC address 11:11:11:11:11:11:

(Cisco Controller) > config macfilter description 11:11:11:11:11:11 "MAC Filter 01"

Related Commands

show macfilter


config macfilter interface

To create a MAC filter client interface, use the config macfilter interface command.

config macfilter interface MAC_addr interface

Syntax Description

MAC addr     Client MAC address.
interface    Interface name. A value of zero is equivalent to no name.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure a MAC filter interface Lab01 on client 11:11:11:11:11:11:

(Cisco Controller) > config macfilter interface 11:11:11:11:11:11 Lab01

Related Commands

show macfilter


config macfilter ip-address

To enter a passive client IP address, use the config macfilter ip-address command.

config macfilter ip-address MAC_addr IP Address

Syntax Description

MAC_addr      MAC address of the client.
IP Address    Adds an IP address for passive clients.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.
8.0        This command supports only IPv4.

Examples

The following example shows how to add an IP address for a passive client:

(Cisco Controller) > config macfilter ip-address aa-bb-cc-dd-ee-ff 10.92.125.51

Related Commands

show macfilter


config macfilter mac-delimiter

To set the MAC delimiter (colon, hyphen, none, and single-hyphen) for MAC addresses sent to RADIUS servers, use the config macfilter mac-delimiter command.

config macfilter mac-delimiter {none | colon | hyphen | single-hyphen}

Syntax Description

none             Disables the delimiters (for example, xxxxxxxxxx).
colon            Sets the delimiter to a colon (for example, xx:xx:xx:xx:xx:xx).
hyphen           Sets the delimiter to a hyphen (for example, xx-xx-xx-xx-xx-xx).
single-hyphen    Sets the delimiter to a single hyphen (for example, xxxxxx-xxxxxx).

Command Default

The default delimiter is hyphen.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to have the operating system send MAC addresses to the RADIUS server in the form aa:bb:cc:dd:ee:ff:

(Cisco Controller) > config macfilter mac-delimiter colon

The following example shows how to have the operating system send MAC addresses to the RADIUS server in the form aa-bb-cc-dd-ee-ff:

(Cisco Controller) > config macfilter mac-delimiter hyphen

The following example shows how to have the operating system send MAC addresses to the RADIUS server in the form aabbccddeeff:

(Cisco Controller) > config macfilter mac-delimiter none

Related Commands

show macfilter
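Because the delimiter decides the exact string the RADIUS server receives, entries stored in another style will not match. The Python below is an added example, not part of the Cisco reference; it recognizes the four styles, converts between them, and lists stored entries that differ from what the controller would send. Lower-case output and exact string comparison on the RADIUS side are assumptions of this example, as are the function names and the sample entries.

```python
import re

# The four styles accepted by config macfilter mac-delimiter.
STYLES = {
    "none": re.compile(r"[0-9a-f]{12}"),
    "colon": re.compile(r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"),
    "hyphen": re.compile(r"(?:[0-9a-f]{2}-){5}[0-9a-f]{2}"),
    "single-hyphen": re.compile(r"[0-9a-f]{6}-[0-9a-f]{6}"),
}


def detect_delimiter(mac):
    """Return the style name a string is written in, or None if it fits none."""
    text = mac.strip().lower()
    for style, pattern in STYLES.items():
        if pattern.fullmatch(text):
            return style
    return None


def format_mac(mac, style):
    """Rewrite a MAC address given in any of the four styles into `style`."""
    if style not in STYLES:
        raise ValueError("unknown delimiter style: %r" % style)
    if detect_delimiter(mac) is None:  # rejects mixed delimiters and bad lengths
        raise ValueError("not a MAC address in a known style: %r" % mac)
    digits = re.sub(r"[:-]", "", mac.strip().lower())
    if style == "none":
        return digits
    if style == "single-hyphen":
        return digits[:6] + "-" + digits[6:]
    separator = ":" if style == "colon" else "-"
    return separator.join(digits[i:i + 2] for i in range(0, 12, 2))


def mismatched(entries, style):
    """Return (entry, problem) pairs for stored names that will not match
    the string sent under the configured style (assumes exact comparison)."""
    problems = []
    for entry in entries:
        if detect_delimiter(entry) is None:
            problems.append((entry, "not a MAC address"))
            continue
        expected = format_mac(entry, style)
        if entry != expected:
            problems.append((entry, "controller sends %s" % expected))
    return problems


# Constructed sample of user names stored on a RADIUS server.
STORED = ["aa-bb-cc-dd-ee-ff", "11:11:11:11:11:11", "00E07731A355", "lab-printer"]

if __name__ == "__main__":
    for entry, problem in mismatched(STORED, "hyphen"):
        print(entry, "->", problem)
```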


config macfilter radius-compat

To configure the Cisco wireless LAN controller for compatibility with selected RADIUS servers, use the config macfilter radius-compat command.

config macfilter radius-compat {cisco | free | other}

Syntax Description

cisco    Configures the Cisco ACS compatibility mode (password is the MAC address of the server).
free     Configures the Free RADIUS server compatibility mode (password is secret).
other    Configures for other server behaviors (no password is necessary).

Command Default

Other

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.
8.0        This command supports only IPv4.

Examples

The following example shows how to configure the Cisco ACS compatibility mode to “other”:

(Cisco Controller) > config macfilter radius-compat other

Related Commands

show macfilter


config macfilter wlan-id

To modify a wireless LAN ID for a MAC filter, use the config macfilter wlan-id command.

config macfilter wlan-id MAC_addr WLAN_id

Syntax Description

MAC addr    Client MAC address.
WLAN_id     Wireless LAN identifier to associate with. A value of zero is not allowed.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to modify client wireless LAN ID 2 for a MAC filter 11:11:11:11:11:11:

(Cisco Controller) > config macfilter wlan-id 11:11:11:11:11:11 2

Related Commands

show macfilter
show wlan

config mdns ap

To configure multicast Domain Name System (mDNS) snooping on an access point, use the config mdns ap command.

config mdns ap {enable {ap_name | all} [vlan vlan_id] | disable {ap_name | all} | vlan {add | delete} vlan ap_name}

Syntax Description

enable     Enables mDNS snooping on an access point.
ap_name    Name of the access point on which mDNS snooping has to be configured.
all        Configures mDNS snooping on all access points.
vlan       (Optional) Configures the VLAN on which the access point snoops and forwards the mDNS packets.
vlan_id    VLAN identifier.
disable    Disables mDNS snooping on an access point.
add        Adds a VLAN from which the access point snoops and forwards the mDNS packets to the Cisco Wireless LAN Controller (WLC). You can configure up to 10 VLANs for an mDNS access point.
delete     Deletes a VLAN from which the access point snoops and forwards the mDNS packets to the Cisco WLC.

Command Default

The mDNS-enabled access point snoops the access or native VLANs by default.

Command History

Release    Modification
7.5        This command was introduced.

Usage Guidelines

Enabling mDNS snooping on access points allows the access points to snoop the wired services on VLANs that are invisible to the Cisco WLC. mDNS snooping is supported only on local-mode and monitor-mode access points. The access point must be in the access mode or trunk mode. If the access point is in the trunk mode, you must configure the VLAN on the Cisco WLC on which the access point snoops and forwards the mDNS packets. You must also configure the native VLAN from the Cisco WLC for the access point to snoop and send mDNS queries on. The access point also tags the packets with the native VLAN.

Global mDNS snooping overrides mDNS access point snooping.

Examples

The following example shows how to enable mDNS snooping on an access point and the VLAN on which it must snoop for mDNS packets:

(Cisco Controller) > config mdns ap enable vlan 1

config mdns profile

To configure a multicast DNS (mDNS) profile and associate a service with the profile, use the config mdns profile command.

config mdns profile {create | delete | service {add | delete} service_name profile_name

Syntax Description

create          Creates an mDNS profile.
delete          Deletes an mDNS profile. If the profile is associated to an interface group, an interface, or a WLAN, an error appears.
service         Configures an mDNS service.
add             Adds an mDNS service to an mDNS profile.
delete          Deletes an mDNS service from an mDNS profile.
service_name    Name of the mDNS service.
profile_name    Name of the mDNS profile. You can create a maximum of 16 profiles.

Command Default

By default, the controller has an mDNS profile, default-mdns-profile. You cannot delete this default profile.

Command History

Release    Modification
7.4        This command was introduced.

Usage Guidelines

After creating a new profile, you must map the profile to an interface group, an interface, or a WLAN. Clients receive service advertisements only for the services associated with the profile. The controller gives the highest priority to the profiles associated to interface groups, followed by the interface profiles, and then the WLAN profiles. Each client is mapped to a profile based on the order of priority.

By default, the controller has an mDNS profile, default-mdns-profile. You cannot delete this default profile.

Examples

The following example shows how to add the Apple TV mDNS service to the mDNS profile1.

(Cisco Controller) > config mdns profile create profile1 Apple TV

Related Commands

config mdns query interval
config mdns service
config mdns snooping
config interface mdns-profile
config interface group mdns-profile
config wlan mdns
show mdns profile
show mdns service
clear mdns service-database
debug mdns all
debug mdns error
debug mdns detail
debug mdns message

config mdns query interval

To configure the query interval for multicast DNS (mDNS) services, use the config mdns query interval command.

config mdns query interval interval_value

Syntax Description

interval_value    mDNS query interval, in minutes, that you can set. The query interval is the frequency at which the controller sends periodic queries to all the services defined in the Master Services database. The range is from 10 to 120.

Command Default

The default query interval for an mDNS service is 15 minutes.

Command History

Release    Modification
7.4        This command was introduced.

Usage Guidelines

The controller snoops and learns about the mDNS service advertisements only if the service is available in the Master Services database. mDNS uses the multicast IP address 224.0.0.251 as the destination address and 5353 as the UDP destination port.

Examples

The following example shows how to configure the query interval for mDNS services as 20 minutes:

(Cisco Controller) > config mdns query interval 20

Related Commands

config mdns profile
config mdns service
config mdns snooping
config interface mdns-profile
config interface group mdns-profile
config wlan mdns
show mdns profile
show mdns service
clear mdns service-database
debug mdns all
debug mdns error
debug mdns detail
debug mdns message

config mdns service

To configure multicast DNS (mDNS) services in the master services database, use the config mdns service command.

The following command is valid in Release 7.5 and later releases:

config mdns service {create service_name service_string origin {Wireless | Wired | All} lss {enable | disable} [query {enable | disable}] | lss {enable | disable} {service_name | all} | priority-mac {add | delete} priority-mac service_name [ap-group ap-group-name] | origin {Wireless | Wired | All} {service_name | all}}

Syntax Description

create            Adds a new mDNS service to the Master Services database.
service_name      Name of the mDNS service, for example, Air Tunes, iTunes Music Sharing, FTP, Apple File Sharing Protocol (AFP).
service_string    Unique string associated to an mDNS service, for example, _airplay._tcp.local. is the service string associated with Apple TV.
delete            Deletes an mDNS service from the Master Services database. Before deleting the service, the controller checks if any profile is using the service. Note: You must delete the service from all profiles before deleting it.
query             Configures the query status for the mDNS service.
enable            Enables periodic query for an mDNS service by the controller.
disable           Disables periodic query for an mDNS service by the controller.
origin            Configures the origin of the mDNS service. You can restrict the origin of the service as wired or wireless.
Wireless          Configures the origin of the mDNS service as wireless.
Wired             Configures the origin of the mDNS service as wired.
All               Configures the origin of the mDNS service as wireless or wired.
lss               Configures Location Specific Services (LSS) for a service or all mDNS services. LSS is not applicable for registered service providers. The registered service providers are always included if the querying client corresponds to the user. You cannot configure LSS on the services configured as only wired.
all               Configures LSS for all mDNS services.
priority-mac      Configures the MAC address of a service provider device. This device gets a priority even if the service provider database is full.
add               Adds the MAC address of a service provider device for priority. You can configure up to 50 MAC addresses for a service.
delete            Deletes the MAC address of a service provider device from the priority list.
priority-mac      MAC address of a service provider device that needs priority. The MAC address must be unique for each service.
ap-group          Configures the access point group for wired service providers. These service providers get priority over others. When a client mDNS query originates from this AP group, the wired entries with priority MAC addresses and access point groups are listed first in the aggregated response.
ap-group-name     Name of the access point group to which the service provider belongs.

Command Default

By default, LSS is disabled, but it is enabled for all the discovered services.

Command History

Release    Modification
7.4        This command was introduced.
7.5        This command was modified. The origin, Wireless, Wired, All, lss, priority-mac, add, delete, ap-group keywords and priority-mac ap-group-name arguments were added.

Usage Guidelines

In Release 7.5 and later releases, the maximum number of service providers for different controller models are as follows:

• Cisco 5500 Series Controller and Cisco 2500 Series Controller—6400

• Cisco Wireless Services Module 2—6400

• Cisco 8500 Series Controller and Cisco 7500 Series Controller—16000

You cannot change the services with the origin set to Wireless to Wired if LSS is enabled for the service.

Examples

The following example shows how to add the HTTP mDNS service to the Master Services database, configure the origin as wireless, and enable LSS for the service:

(Cisco Controller) > config mdns service create http _http._tcp.local. origin wireless lss enable

The following example shows how to add a priority MAC address of an HTTP service provider device:

(Cisco Controller) > config mdns service priority-mac add 44:03:a7:a3:04:45 http
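A service string such as _airplay._tcp.local. is the owner name of the DNS PTR records that advertise instances of that service in mDNS messages (sent to 224.0.0.251, UDP port 5353, as noted under config mdns query interval). The following Python is an added example, not Cisco code: it parses a constructed mDNS response, including compressed names, and reports advertised service strings that are missing from a list standing in for the Master Services database. The function names, the instance names, and the _ssh._tcp.local. entry are assumptions made for the illustration.

```python
import struct

PTR = 12  # DNS record type that maps a service string to a service instance


def encode_name(name):
    """Encode a dotted name as uncompressed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("utf-8")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def read_name(msg, off):
    """Decode a (possibly compressed) name at off; return (name, next offset)."""
    labels, resume, hops = [], None, 0
    while True:
        if off >= len(msg):
            raise ValueError("name runs past end of message")
        length = msg[off]
        if length & 0xC0 == 0xC0:            # compression pointer
            if off + 1 >= len(msg):
                raise ValueError("truncated compression pointer")
            if resume is None:
                resume = off + 2             # parsing continues after the first pointer
            hops += 1
            if hops > 16:                    # refuse pointer loops in malformed input
                raise ValueError("compression pointer loop")
            off = ((length & 0x3F) << 8) | msg[off + 1]
        elif length & 0xC0:
            raise ValueError("unsupported label type")
        elif length == 0:
            off += 1
            break
        else:
            if off + 1 + length > len(msg):
                raise ValueError("label runs past end of message")
            labels.append(msg[off + 1:off + 1 + length].decode("utf-8", "replace"))
            off += 1 + length
    return ".".join(labels) + ".", (off if resume is None else resume)


def service_strings(msg):
    """Map each advertised service string to the instances named in PTR records."""
    if len(msg) < 12:
        raise ValueError("short DNS header")
    _id, _flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):                      # skip questions: name, type, class
        _name, off = read_name(msg, off)
        off += 4
    found = {}
    for _ in range(an + ns + ar):
        owner, off = read_name(msg, off)
        if off + 10 > len(msg):
            raise ValueError("truncated record header")
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if off + rdlen > len(msg):
            raise ValueError("record data runs past end of message")
        if rtype == PTR:
            instance, _end = read_name(msg, off)
            found.setdefault(owner.lower(), []).append(instance)
        off += rdlen
    return found


def not_in_master_services(msg, master_services):
    """Service strings advertised in msg that the configured list does not contain."""
    known = {s.lower() for s in master_services}
    return sorted(s for s in service_strings(msg) if s not in known)


def build_sample():
    """Constructed mDNS response with two PTR answers that use name compression."""
    header = struct.pack("!6H", 0, 0x8400, 0, 2, 0, 0)
    owner1 = encode_name("_airplay._tcp.local.")            # starts at offset 12
    rdata1 = b"\x08Lobby TV" + b"\xc0\x0c"                  # pointer to offset 12
    rr1 = owner1 + struct.pack("!HHIH", PTR, 1, 4500, len(rdata1)) + rdata1
    owner2_off = len(header) + len(rr1)
    owner2 = b"\x04_ssh" + b"\xc0\x15"                      # pointer to "_tcp.local." at 21
    rdata2 = b"\x07build01" + struct.pack("!H", 0xC000 | owner2_off)
    rr2 = owner2 + struct.pack("!HHIH", PTR, 1, 4500, len(rdata2)) + rdata2
    return header + rr1 + rr2


if __name__ == "__main__":
    sample = build_sample()
    print(service_strings(sample))
    # The two list entries are the service strings quoted in this reference.
    print(not_in_master_services(sample, ["_airplay._tcp.local.", "_http._tcp.local."]))
```

Run against a capture of port 5353 traffic, the same comparison shows which advertised services have no entry in the configured list.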

config mdns snooping

To enable or disable global multicast DNS (mDNS) snooping on the Cisco WLC, use the config mdns snooping command.

config mdns snooping {enable | disable}

Syntax Description

enable     Enables mDNS snooping on the Cisco WLC.
disable    Disables mDNS snooping on the Cisco WLC.

Command Default

By default, mDNS snooping is enabled on the Cisco WLC.

Command History

Release    Modification
7.4        This command was introduced.

Usage Guidelines

mDNS service discovery provides a way to announce and discover services on the local network. mDNS performs DNS queries over IP multicast. mDNS supports zero configuration IP networking.

Examples

The following example shows how to enable mDNS snooping:

(Cisco Controller) > config mdns snooping enable

Related Commands

config mdns query interval
config mdns service
config mdns profile
config interface mdns-profile
config interface group mdns-profile
config wlan mdns
show mdns profile
show mdns service
clear mdns service-database
debug mdns all
debug mdns error
debug mdns detail
debug mdns message

config mdns policy enable

To configure the mDNS policy, use the config mdns policy enable | disable command.

config mdns policy enable | disable

Syntax Description

policy     Name of the mDNS policy.
enable     Enables the policy for an mDNS service by the controller.
disable    Disables the policy for an mDNS service by the controller.

Command Default

None

Command History

Release    Modification
8.0        This command was introduced.

Usage Guidelines

This command is valid for 8.0 release onwards.

Examples

The following example shows how to configure the mDNS policy:

(Cisco Controller) > config mdns policy enable

config mdns policy service-group

To create or delete an mDNS policy service group, use the config mdns policy service-group command.

config mdns policy service-group {create | delete} service-group-name

Syntax Description

create                Creates the mDNS service group.
delete                Deletes the mDNS service group.
service-group-name    Name of the service group.

Command Default

None

Command History

Release    Modification
8.0        This command was introduced.

Examples

The following example shows how to create an mDNS service group:

(Cisco Controller) > config mdns policy service-group create <service-group-name>

config mdns policy service-group parameters

To configure the parameters of a service group, use the config mdns policy service-group command.

config mdns policy service-group device-mac add service-group-name mac-addr device name location-type [AP_LOCATION | AP_NAME | AP_GROUP] device-location [location string | any | same]

Syntax Description

device-mac                              Configures MAC address of a service provider device.
add                                     Adds the service group name of the service provider device.
service-group-name                      Name of a mDNS service group.
device-name                             Name of a device to which the service provider belongs.
location type                           Configures a location type of a service provider device.
[AP_LOCATION | AP_NAME | AP_GROUP]      Name, location, group of the access point.
device-location                         Configures location of a device to which the service provider belongs.
[location string | any | same]          location string of a device.

Command Default

None

Command History

Release    Modification
8.0        This command was introduced.

Examples

The following example shows how to configure a location type of a service provider device.

(Cisco Controller) > config mdns policy service-group location type [AP_LOCATION | AP_NAME | AP_GROUP]

config mdns policy service-group user-name

To configure a user role for an mDNS service group, use the config mdns policy service-group user-name add | delete <service-group-name> <user-role-name> command.

config mdns policy service-group user-name add | delete service-group-name user-name

Syntax Description

user-name             Configures name of a user for mDNS service group.
service-group-name    Name of an mDNS service group.
user-name             Name of the user role for mDNS service group.

Command Default

None

Command History

Release    Modification
8.0        This command was introduced.

Examples

The following example shows how to add a user name for an mDNS service group:

(Cisco Controller) > config mdns policy service-group user-name add <service-group-name> <user-role-name>

config mdns policy service-group user-role

To configure a user role for an mDNS service group, use the config mdns policy service-group user-role add | delete <service-group-name> <user-role-name> command.

config mdns policy service-group user-role add | delete service-group-name user-role-name

Syntax Description

user-role             Configures a user role for mDNS service group.
service-group-name    Name of an mDNS service group.
user-role-name        Name of the user role for mDNS service group.

Command Default

None

Command History

Release    Modification
8.0        This command was introduced.

Examples

The following example shows how to add user role details for an mDNS service group:

(Cisco Controller) > config mdns policy service-group user-role add <service-group-name> <user-role-name>

config media-stream multicast-direct

To configure the media-stream multicast direct, use the config media-stream multicast-direct command.

config media-stream multicast-direct {enable | disable}

Syntax Description

enable     Enables a media stream.
disable    Disables a media stream.

Command Default

None.

Usage Guidelines

Media-stream multicast-direct requires load-based Call Admission Control (CAC) to run.

Examples

This example shows how to enable media-stream multicast-direct settings:

> config media-stream multicast-direct enable

This example shows how to disable media-stream multicast-direct settings:

> config media-stream multicast-direct disable

Related Commands

config 802.11 media-stream video-redirect
show 802.11a media-stream name
show media-stream group summary
show media-stream group detail

config media-stream message

To configure various parameters of message configuration, use the config media-stream message command.

config media-stream message {state [enable | disable] | url url | email email | phone phone_number | note note}

Syntax Description

state           Specifies the media stream message state.
enable          (Optional) Enables the session announcement message state.
disable         (Optional) Disables the session announcement message state.
url             Configures the URL.
url             Session announcement URL.
email           Configures the email ID.
email           Specifies the session announcement e-mail.
phone           Configures the phone number.
phone_number    Session announcement phone number.
note            Configures the notes.
note            Session announcement notes.

Command Default

Disabled.

Usage Guidelines

Media-stream multicast-direct requires load-based Call Admission Control (CAC) to run.

Examples

This example shows how to enable the session announcement message state:

> config media-stream message state enable

This example shows how to configure the session announcement e-mail address:

> config media-stream message mail [email protected]

Related Commands

config media-stream
show 802.11a media-stream name
show media-stream group summary
show media-stream group detail

config media-stream add

To configure the various global media-stream configurations, use the config media-stream add command.

config media-stream add multicast-direct media_stream_name start-IP end-IP [template {very coarse | coarse | ordinary | low-resolution | med-resolution | high-resolution} | detail {bandwidth packet-size {periodic | initial}} qos priority {drop | fallback}

Syntax Description

multicast-direct     Specifies the media stream for the multicast-direct setting.
media_stream_name    Media-stream name.
start-IP             IP multicast destination start address.
end-IP               IP multicast destination end address.
template             (Optional) Configures the media stream from templates.
very coarse          Applies a very-coarse template.
coarse               Applies a coarse template.
ordinary             Applies an ordinary template.
low-resolution       Applies a low-resolution template.
med-resolution       Applies a medium-resolution template.
high-resolution      Applies a high-resolution template.
detail               Configures the media stream with specific parameters.
bandwidth            Maximum expected stream bandwidth.
packet-size          Average packet size.
periodic             Specifies the periodic admission evaluation.
initial              Specifies the Initial admission evaluation.
qos                  AIR QoS class (video only).
priority             Media-stream priority.
drop                 Specifies that the stream is dropped on a periodic reevaluation.
fallback             Specifies if the stream is demoted to the best-effort class on a periodic reevaluation.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

Media-stream multicast-direct requires load-based Call Admission Control (CAC) to run.

Examples

This example shows how to configure a new media stream:

> config media-stream add multicast-direct abc 227.8.8.8 227.9.9.9 detail 2 150 periodic video 1 drop

Related Commands

show 802.11a media-stream name
show media-stream group summary
show media-stream group detail

config media-stream admit

To allow traffic for a media stream group, use the config media-stream admit command.

config media-stream admit media_stream_name

Syntax Description

media_stream_name    Media-stream group name.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

When you try to allow traffic for the media stream group, you will be prompted that IGMP snooping will be disabled and enabled again, and all clients might observe a glitch on the multicast traffic.

Examples

This example shows how to allow traffic for a media stream group:

(Cisco Controller) > config media-stream admit MymediaStream

Related Commands

show 802.11a media-stream name
show media-stream group summary
show media-stream group detail

config media-stream deny

To block traffic for a media stream group, use the config media-stream deny command.

config media-stream deny media_stream_name

Syntax Description

media_stream_name    Media-stream group name.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

When you try to block traffic for the media stream group, you will be prompted that IGMP snooping will be disabled and enabled again, and all clients might observe a glitch on the multicast traffic.

Examples

This example shows how to block traffic for a media stream group:

(Cisco Controller) > config media-stream deny MymediaStream

Related Commands

show 802.11a media-stream name
show media-stream group summary
show media-stream group detail

config media-stream delete

To configure the various global media-stream configurations, use the config media-stream delete command.

config media-stream delete media_stream_name

Syntax Description

media_stream_name    Media-stream name.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

Media-stream multicast-direct requires load-based Call Admission Control (CAC) to run.

Examples

This example shows how to delete the media stream named abc:

(Cisco Controller) > config media-stream delete abc

Related Commands

show 802.11a media-stream name
show media-stream group summary
show media-stream group detail

config memory monitor errors

To enable or disable monitoring for memory errors and leaks, use the config memory monitor errors command.

config memory monitor errors {enable | disable}

Caution

The config memory monitor commands can be disruptive to your system and should be run only when you are advised to do so by the Cisco TAC.

Syntax Description

enable     Enables the monitoring for memory settings.
disable    Disables the monitoring for memory settings.

Command Default

Monitoring for memory errors and leaks is disabled by default.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

Be cautious about changing the defaults for the config memory monitor command unless you know what you are doing, you have detected a problem, or you are collecting troubleshooting information.

Examples

The following example shows how to enable monitoring for memory errors and leaks for a controller:

(Cisco Controller) > config memory monitor errors enable

Related Commands

config memory monitor leaks
debug memory
show memory monitor

config memory monitor leaks

To configure the controller to perform an auto-leak analysis between two memory thresholds, use the config memory monitor leaks command.

config memory monitor leaks low_thresh high_thresh

Caution

The config memory monitor commands can be disruptive to your system and should be run only when you are advised to do so by the Cisco TAC.

Syntax Description

low_thresh     Value below which free memory cannot fall without crashing. This value cannot be set lower than 10000 KB.
high_thresh    Value below which the controller enters auto-leak-analysis mode. See the “Usage Guidelines” section.

Command Default

The default value for low_thresh is 10000 KB; the default value for high_thresh is 30000 KB.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

Note

Be cautious about changing the defaults for the config memory monitor command unless you know what you are doing, you have detected a problem, or you are collecting troubleshooting information.

Use this command if you suspect that a memory leak has occurred.

If the free memory is lower than the low_thresh threshold, the system crashes, generating a crash file. The default value for this parameter is 10000 KB, and you cannot set it below this value.

Set the high_thresh threshold to the current free memory level or higher so that the system enters auto-leak-analysis mode. After the free memory reaches a level lower than the specified high_thresh threshold, the process of tracking and freeing memory allocation begins. As a result, the debug memory events enable command shows all allocations and frees, and the show memory monitor detail command starts to detect any suspected memory leaks.

Examples

The following example shows how to set the threshold values for auto-leak-analysis mode to 12000 KB for the low threshold and 35000 KB for the high threshold:

(Cisco Controller) > config memory monitor leaks 12000 35000

Related Commands

config memory monitor leaks
debug memory
show memory monitor

config mesh alarm

To configure alarm settings for outdoor mesh access points, use the config mesh alarm command.

config mesh alarm {max-hop | max-children | low-snr | high-snr | association | parent-change count} value

Syntax Description

max-hop                Sets the maximum number of hops before triggering an alarm for traffic over the mesh network. The valid values are 1 to 16 (inclusive).
max-children           Sets the maximum number of mesh access points (MAPs) that can be assigned to a mesh router access point (RAP) before triggering an alarm. The valid values are 1 to 16 (inclusive).
low-snr                Sets the low-end signal-to-noise ratio (SNR) value before triggering an alarm. The valid values are 1 to 30 (inclusive).
high-snr               Sets the high-end SNR value before triggering an alarm. The valid values are 1 to 30 (inclusive).
association            Sets the mesh alarm association count value before triggering an alarm. The valid values are 1 to 30 (inclusive).
parent-change count    Sets the number of times a MAP can change its RAP association before triggering an alarm. The valid values are 1 to 30 (inclusive).
value                  Value above or below which an alarm is generated. The valid values vary for each command.

Command Default

See the “Syntax Description” section for command and argument value ranges.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to set the maximum hops threshold to 8:

(Cisco Controller) > config mesh alarm max-hop 8

The following example shows how to set the upper SNR threshold to 25:

(Cisco Controller) > config mesh alarm high-snr 25
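The value limits stated in this part of the reference (mesh alarm thresholds, the mDNS query interval, the low_thresh floor, and the non-zero WLAN ID) can be checked before a change script is pasted into the CLI. The following Python is an added example, not a Cisco tool: it lints a constructed script against those documented limits only; the function names and the sample script are assumptions made for the illustration.

```python
import re

PROMPT = re.compile(r"^\(Cisco Controller\)\s*>\s*")
IS_INT = re.compile(r"[0-9]+").fullmatch

# Single-integer commands and the inclusive ranges stated in this reference.
RANGES = {
    "config mesh alarm max-hop": (1, 16),
    "config mesh alarm max-children": (1, 16),
    "config mesh alarm low-snr": (1, 30),
    "config mesh alarm high-snr": (1, 30),
    "config mesh alarm association": (1, 30),
    "config mesh alarm parent-change count": (1, 30),
    "config mdns query interval": (10, 120),
}
LOW_THRESH_MIN_KB = 10000  # floor for config memory monitor leaks low_thresh


def _args(cmd, prefix):
    """Return the tokens after prefix, or None when cmd is a different command."""
    if cmd == prefix or cmd.startswith(prefix + " "):
        return cmd[len(prefix):].split()
    return None


def check(line):
    """Return a finding string for one CLI line, or None when it passes."""
    cmd = " ".join(PROMPT.sub("", line.strip()).split())
    for prefix, (lo, hi) in RANGES.items():
        args = _args(cmd, prefix)
        if args is None:
            continue
        if len(args) != 1 or not IS_INT(args[0]):
            return f"{prefix}: expected one integer value"
        if not lo <= int(args[0]) <= hi:
            return f"{prefix}: {args[0]} is outside {lo}-{hi}"
        return None
    args = _args(cmd, "config memory monitor leaks")
    if args is not None:
        if len(args) != 2 or not all(IS_INT(a) for a in args):
            return "config memory monitor leaks: expected low_thresh high_thresh"
        if int(args[0]) < LOW_THRESH_MIN_KB:
            return (f"config memory monitor leaks: low_thresh {args[0]} "
                    f"is below {LOW_THRESH_MIN_KB} KB")
        return None
    args = _args(cmd, "config macfilter wlan-id")
    if args is not None:
        if len(args) != 2 or not IS_INT(args[1]):
            return "config macfilter wlan-id: expected MAC_addr WLAN_id"
        if int(args[1]) == 0:
            return "config macfilter wlan-id: WLAN_id of zero is not allowed"
    return None  # commands without a documented limit here are not judged


def lint(script):
    """Return [(line_number, finding)] for every failing line of a CLI script."""
    findings = []
    for number, line in enumerate(script.splitlines(), start=1):
        finding = check(line)
        if finding:
            findings.append((number, finding))
    return findings


# Constructed change script; lines 1-3 and 7 repeat examples from this reference.
SAMPLE = """\
(Cisco Controller) > config mesh alarm max-hop 8
config mesh alarm high-snr 25
config mdns query interval 20
config mesh alarm max-children 24
config mdns query interval 5
config memory monitor leaks 8000 35000
config macfilter wlan-id 11:11:11:11:11:11 2
config macfilter wlan-id 11:11:11:11:11:11 0
"""

if __name__ == "__main__":
    for number, finding in lint(SAMPLE):
        print(f"line {number}: {finding}")
```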

config mesh astools

To globally enable or disable the anti-stranding feature for outdoor mesh access points, use the config mesh astools command.

config mesh astools {enable | disable}

Syntax Description

enable     Enables this feature for all outdoor mesh access points.
disable    Disables this feature for all outdoor mesh access points.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable anti-stranding on all outdoor mesh access points:

(Cisco Controller) > config mesh astools enable

config mesh backhaul rate-adapt

To globally configure the backhaul Tx rate adaptation (universal access) settings for indoor and outdoor mesh access points, use the config mesh backhaul rate-adapt command.

config mesh backhaul rate-adapt [all | bronze | silver | gold | platinum] {enable | disable}

Syntax Description

all         (Optional) Grants universal access privileges on mesh access points.
bronze      (Optional) Grants background-level client access privileges on mesh access points.
silver      (Optional) Grants best effort-level client access privileges on mesh access points.
gold        (Optional) Grants video-level client access privileges on mesh access points.
platinum    (Optional) Grants voice-level client access privileges on mesh access points.
enable      Enables this backhaul access level for mesh access points.
disable     Disables this backhaul access level for mesh access points.

Command Default

Backhaul access level for mesh access points is disabled.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

To use this command, mesh backhaul with client access must be enabled by using the config mesh client-access command.

Note

After this feature is enabled, all mesh access points reboot.

Examples

The following example shows how to set the backhaul client access to the best-effort level:

(Cisco Controller) > config mesh backhaul rate-adapt silver

config mesh backhaul slot

To configure the slot radio as a downlink backhaul, use the config mesh backhaul slot command.

config mesh backhaul slot slot_id {enable | disable} cisco_ap

Syntax Description

slot_id     Slot number between 0 and 2.
enable      Enables the entered slot radio as a downlink backhaul.
disable     Disables the entered slot radio as a downlink backhaul.
cisco_ap    Name of the Root AP of the sector on which the backhaul needs to be enabled or disabled.

Command Default

The entered slot radio as a downlink backhaul is disabled.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

For 2.4 GHz, only slot 0 and 1 are valid. If slot 0 is enabled, slot 1 is automatically disabled. If slot 0 is disabled, slot 1 is automatically enabled.

Examples

The following example shows how to enable slot 1 as the preferred backhaul for the root AP myrootap1:

(Cisco Controller) > config mesh backhaul slot 1 enable myrootap1

config mesh battery-state

To configure the battery state for Cisco Aironet 1520 Series mesh access points, use the config mesh battery-state command.

config mesh battery-state {enable | disable} {all | cisco_ap}

Syntax Description

enable      Enables the battery-state for 1520 series mesh access points.
disable     Disables the battery-state for 1520 series mesh access points.
all         Applies this command to all mesh access points.
cisco_ap    Specific mesh access point.

Command Default

Battery state is disabled.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable the battery state for all mesh access points:

(Cisco Controller) > config mesh battery-state enable all

Cisco Wireless Controller Command Reference, Release 8.4

661

config mesh client-access

To enable or disable client access to the mesh backhaul on indoor and outdoor mesh access points, use the config mesh client-access command.

config mesh client-access {enable [extended] | disable}

Syntax Description

enable      Allows wireless client association over the mesh access point backhaul 802.11a radio.
extended    (Optional) Enables client access over both the backhaul radios for backhaul access points.
disable     Restricts the 802.11a radio to backhaul traffic, and allows client association only over the 802.11b/g radio.

Command Default

Client access is disabled.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

Backhaul interfaces (802.11a radios) act as primary Ethernet interfaces. Backhauls function as trunks in the network and carry all VLAN traffic between the wireless and wired network. No configuration of primary Ethernet interfaces is required.

When this feature is enabled, the mesh access points allow wireless client association over the 802.11a radio, which implies that a 152x mesh access point can carry both backhaul traffic and 802.11a client traffic over the same 802.11a radio.

When this feature is disabled, the mesh access points carry backhaul traffic over the 802.11a radio and allow client association only over the 802.11b/g radio.

Examples

The following example shows how to enable client access extended to allow a wireless client association over the 802.11a radio:

(Cisco Controller) > config mesh client-access enable extended
Enabling client access on both backhaul slots
Same BSSIDs will be used on both slots
All Mesh AP will be rebooted
Are you sure you want to start? (y/N)Y

The following example shows how to restrict a wireless client association to the 802.11b/g radio:

(Cisco Controller) > config mesh client-access disable
All Mesh AP will be rebooted
Are you sure you want to start? (Y/N) Y
Backhaul with client access is canceled.

config mesh ethernet-bridging allow-bpdu

To configure STP BPDUs towards wired mesh uplink, use the config mesh ethernet-bridging allow-bpdu command.

config mesh ethernet-bridging allow-bpdu {enable | disable}

Syntax Description

enable     Enables STP BPDUs towards wired mesh uplink.
disable    Disables STP BPDUs towards wired mesh uplink.

Command Default

Disabled

Command History

Release      Modification
8.0.110.0    This command was introduced.

Usage Guidelines

Cisco WLC does not allow you to use this command if VLAN transparency is enabled.

config mesh ethernet-bridging vlan-transparent

To configure how a mesh access point handles VLAN tags for Ethernet bridged traffic, use the config mesh ethernet-bridging vlan-transparent command.

config mesh ethernet-bridging vlan-transparent {enable | disable}

Syntax Description

enable     Bridges packets as if they are untagged.
disable    Drops all tagged packets.

Command Default

Bridges packets as if they are untagged.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure Ethernet packets as untagged:

(Cisco Controller) > config mesh ethernet-bridging vlan-transparent enable

The following example shows how to drop tagged Ethernet packets:

(Cisco Controller) > config mesh ethernet-bridging vlan-transparent disable

config mesh full-sector-dfs

To globally enable or disable full-sector Dynamic Frequency Selection (DFS) on mesh access points, use the config mesh full-sector-dfs command.

config mesh full-sector-dfs {enable | disable}

Syntax Description

enable     Enables DFS for mesh access points.
disable    Disables DFS for mesh access points.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

This command instructs the mesh sector to make a coordinated channel change on the detection of a radar signal. For example, if a mesh access point (MAP) detects a radar signal, the MAP will notify the root access point (RAP), and the RAP will initiate a sector change.

All MAPs and the RAP that belong to that sector go to a new channel, which lowers the probability of MAPs stranding when radar is detected on the current backhaul channel, and no other valid parent is available as backup.

Each sector change causes the network to be silent for 60 seconds (as dictated by the DFS standard).

It is expected that after a half hour, the RAP will go back to the previously configured channel, which means that if radar is frequently observed on a RAP's channel, it is important that you configure a different channel for that RAP to exclude the radar-affected channel at the controller.

Examples

This example shows how to enable full-sector DFS on mesh access points:

(Cisco Controller) > config mesh full-sector-dfs enable

config mesh linkdata

To enable external MAC filtering of access points, use the config mesh linkdata command.

config mesh linkdata destination_ap_name

Syntax Description

destination_ap_name    Destination access point name for MAC address filtering.

Command Default

External MAC filtering is disabled.

Usage Guidelines

Note

The config mesh linktest and config mesh linkdata commands are designed to be used together to verify information between a source and a destination access point. To get this information, first execute the config mesh linktest command with the access point that you want link data from in the dest_ap argument. When the command completes, enter the config mesh linkdata command and list the same destination access point to display the link data (see example).

MAC filtering uses the local MAC filter on the controller by default.

When external MAC filter authorization is enabled, if the MAC address is not found in the local MAC filter, then the MAC address in the external RADIUS server is used.

MAC filtering protects your network against rogue mesh access points by preventing access points that are not defined on the external server from joining.

Before employing external authentication within the mesh network, the following configuration is required:

• The RADIUS server to be used as an AAA server must be configured on the controller.

• The controller must also be configured on the RADIUS server.

• The mesh access point configured for external authorization and authentication must be added to the user list of the RADIUS server.

Examples

The following example shows how to enable external MAC address filtering on access point AP001d.710d.e300:

(Cisco Controller) > config mesh linkdata MAP2-1-1522.7400 AP001d.710d.e300 18 100 1000 30
LinkTest started on source AP, test ID: 0
[00:1D:71:0E:74:00]->[00:1D:71:0D:E3:0F]
Test config: 1000 byte packets at 100 pps for 30 seconds, a-link rate 18 Mb/s
In progress: | || || || || || || || || || || || || |
LinkTest complete
Results
=======
txPkts: 2977
txBuffAllocErr: 0
txQFullErrs: 0
Total rx pkts heard at destination: 2977
rx pkts decoded correctly: 2977
err pkts: Total 0 (PHY 0 + CRC 0 + Unknown 0), TooBig 0, TooSmall 0
rx lost packets: 0 (incr for each pkt seq missed or out of order)
rx dup pkts: 0
rx out of order: 0
avgSNR: 30, high: 33, low:
SNR profile [0dB...60dB]
0 6 3 0 2888 0
(>60dB) 0 3 0 0
avgNf: -95, high: -67, low: -97
Noise Floor profile [-100dB...-40dB]
0 2948 19 0 1 0 0 0 2 0 0 0 77 0 0 0 3 0
(>-40dB) 0 3 0 0
avgRssi: 64, high: 68, low: 63
RSSI profile [-100dB...-40dB]
0 0 0 3 0 0 0 1 0 0 0 0 0 0 0
(>-40dB) 0 0 0 0 2977 0 0 0 0 0 0 0 0 0 0 0 0
Summary
PktFailedRate (Total pkts sent/recvd): 0.000%
Physical layer Error rate (Total pkts with errors/Total pkts heard): 0.000%

This example shows how to enable external MAC filtering on access point AP001d.710d.e300:

(Cisco Controller) > config mesh linkdata AP001d.710d.e300

[SD:0,0,0(0,0,0), 0,0, 0,0]

[SD:1,105,0(0,0,0),30,704,95,707]

[SD:2,103,0(0,0,0),30,46,95,25]

[SD:3,105,0(0,0,0),30,73,95,29]

[SD:4,82,0(0,0,0),30,39,95,24]

[SD:5,82,0(0,0,0),30,60,95,26]

[SD:6,105,0(0,0,0),30,47,95,23]

[SD:7,103,0(0,0,0),30,51,95,24]

[SD:8,105,0(0,0,0),30,55,95,24]

[SD:9,103,0(0,0,0),30,740,95,749]

[SD:10,105,0(0,0,0),30,39,95,20]

[SD:11,104,0(0,0,0),30,58,95,23]

[SD:12,105,0(0,0,0),30,53,95,24]

[SD:13,103,0(0,0,0),30,64,95,43]

[SD:14,105,0(0,0,0),30,54,95,27]

[SD:15,103,0(0,0,0),31,51,95,24]

[SD:16,105,0(0,0,0),30,59,95,23]

[SD:17,104,0(0,0,0),30,53,95,25]

[SD:18,105,0(0,0,0),30,773,95,777]

[SD:19,103,0(0,0,0),30,745,95,736]

[SD:20,105,0(0,0,0),30,64,95,54]

[SD:21,103,0(0,0,0),30,747,95,751]

[SD:22,105,0(0,0,0),30,55,95,25]

[SD:23,104,0(0,0,0),30,52,95,35]

[SD:24,105,0(0,0,0),30,134,95,23]

[SD:25,103,0(0,0,0),30,110,95,76]

[SD:26,105,0(0,0,0),30,791,95,788]

[SD:27,103,0(0,0,0),30,53,95,23]

[SD:28,105,0(0,0,0),30,128,95,25]

[SD:29,104,0(0,0,0),30,49,95,24]

[SD:30,0,0(0,0,0), 0,0, 0,0]


config mesh linktest

To verify client access between mesh access points, use the config mesh linktest command.

config mesh linktest source_ap {dest_ap | MAC addr} datarate packet_rate packet_size duration

Syntax Description

source_ap      Source access point.
dest_ap        Destination access point.
MAC addr       MAC address.
datarate       • Data rate for 802.11a radios. Valid values are 6, 9, 11, 12, 18, 24, 36, 48 and 54 Mbps.
               • Data rate for 802.11b radios. Valid values are 6, 12, 18, 24, 36, 54, or 100 Mbps.
               • Data rate for 802.11n radios. Valid values are MCS rates between m0 to m15.
packet_rate    Number of packets per second. Valid range is 1 through 3000, but the recommended default is 100.
packet_size    (Optional) Packet size in bytes. If not specified, packet size defaults to 1500 bytes.
duration       (Optional) Duration of the test in seconds. Valid values are 10-300 seconds, inclusive. If not specified, duration defaults to 30 seconds.

Command Default

100 packets per second, 1500 bytes, 30-second duration.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

The config mesh linktest and config mesh linkdata commands are designed to be used together to verify information between a source and a destination access point. To get this information, first enter the config mesh linktest command with the access point that you want link data from in the dest_ap argument. When the command completes, enter the config mesh linkdata command and list the same destination access point, to display the link data.

Examples

The following warning message appears when you run a linktest that might oversubscribe the link:

Warning! Data Rate (100 Mbps) is not enough to perform this link test on packet size (2000bytes) and (1000) packets per second. This may cause AP to disconnect or reboot. Are you sure you want to continue?

The following example shows how to verify client access between mesh access points SB_MAP1 and SB_RAP2 at 36 Mbps, 20 fps, 100 frame size, and 15-second duration:

(Cisco Controller) > config mesh linktest SB_MAP1 SB_RAP1 36 20 100 15
LinkTest started on source AP, test ID: 0
[00:1D:71:0E:85:00]->[00:1D:71:0E:D0:0F]
Test config: 100 byte packets at 20 pps for 15 seconds, a-link rate 36 Mb/s
In progress: | || || || || || |
LinkTest complete
Results
=======
txPkts: 290
txBuffAllocErr: 0
txQFullErrs: 0
Total rx pkts heard at destination: 290
rx pkts decoded correctly: 290
err pkts: Total 0 (PHY 0 + CRC 0 + Unknown 0), TooBig 0, TooSmall 0
rx lost packets: 0 (incr for each pkt seq missed or out of order)
rx dup pkts: 0
rx out of order: 0
avgSNR: 37, high: 40, low:
SNR profile [0dB...60dB]
0 1 5 3 8 0
(>60dB) 0 27 0 0 0 1 243 0 0 0 4 0 1 2 0 0
avgNf: -89, high: -58, low: -90
Noise Floor profile [-100dB...-40dB]
0 0 0 11 3 0
(>-40dB) 2 0 0 0
avgRssi: 51, high: 53, low: 50
RSSI profile [-100dB...-40dB]
0 1 0 145 1 0 0 126 0 1 0 0 0 0 0
(>-40dB) 0 0 0 7 0 0 0 0 283 0 0 0 0 0 0 0 0
Summary
PktFailedRate (Total pkts sent/recvd): 0.000%
Physical layer Error rate (Total pkts with errors/Total pkts heard): 0.000%

The following table lists the output flags displayed for the config mesh linktest command.

Table 6: Output Flags for the Config Mesh Linktest Command

Output Flag                           Description
txPkts                                Number of packets sent by the source.
txBuffAllocErr                        Number of linktest buffer allocation errors at the source (expected to be zero).
txQFullErrs                           Number of linktest queue full errors at the source (expected to be zero).
Total rx pkts heard at destination    Number of linktest packets received at the destination (expected to be same as or close to the txPkts).
rx pkts decoded correctly             Number of linktest packets received and decoded correctly at the destination (expected to be same as or close to txPkts).
err pkts: Total                       Packet error statistics for linktest packets with errors.
rx lost packets                       Total number of linktest packets not received at the destination.
rx dup pkts                           Total number of duplicate linktest packets received at the destination.
rx out of order                       Total number of linktest packets received out of order at the destination.
avgNF                                 Average noise floor.
Noise Floor profile                   Noise floor profile in dB; the values are negative numbers.
avgSNR                                Average SNR values.
SNR profile [0dB...60dB]              Histogram samples received between 0 to 60 dB. The columns in the SNR profile are the number of packets falling under the buckets 0-3, 3-6, 6-9, up to 57-60.
avgRSSI                               Average RSSI values. The average high and low RSSI values are positive numbers.
RSSI profile [-100dB...-40dB]         The RSSI profile in dB; the values are negative numbers.

config mesh lsc

To configure a locally significant certificate (LSC) on mesh access points, use the config mesh lsc command.

config mesh lsc {enable | disable}

Syntax Description

enable     Enables an LSC on mesh access points.
disable    Disables an LSC on mesh access points.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable LSC on mesh access points:

(Cisco Controller) > config mesh lsc enable

config mesh lsc advanced

To configure an advanced locally significant certificate (LSC) when a wildcard is used in an external authentication, authorization, and accounting (AAA) server for a mesh Access Point (AP), use the config mesh lsc advanced command.

config mesh lsc advanced {enable | disable}

Syntax Description

enable     Enables advanced LSC for a mesh AP.
disable    Disables advanced LSC for a mesh AP.

Command Default

None

Command History

Release    Modification
8.0        This command was introduced.

Examples

The following example shows how to enable advanced LSC for a mesh AP:

(Cisco Controller) > config mesh lsc advanced enable

config mesh lsc advanced ap-provision

To configure advanced mesh locally significant certificate (LSC) Access Point (AP) provision if a wildcard is used in an external authentication, authorization, and accounting (AAA) server for a mesh AP, use the config mesh lsc advanced ap-provision command.

config mesh lsc advanced ap-provision {enable | disable | open-window {enable | disable} | provision-controller {enable | disable}}

Syntax Description

enable                  Enables advanced mesh LSC AP provision if a wildcard is used in an external AAA server for a mesh AP.
disable                 Disables advanced mesh LSC AP provision if a wildcard is used in an external AAA server for a mesh AP.
open-window             Configures mesh LSC provision for all mesh APs without MAC validation.
enable                  Enables AP provision for all mesh APs without MAC validation.
disable                 Disables AP provision for all mesh APs without MAC validation.
provision-controller    Configures the provision controller details for mesh APs to get an LSC.
enable                  Enables the provision controller option to get an LSC.
disable                 Disables the provision controller option to get an LSC.

Command Default

None

Command History

Release    Modification
8.0        This command was introduced.

Examples

The following example shows how to enable the advanced AP provision method:

(Cisco Controller) > config mesh lsc advanced ap-provision enable

config mesh multicast

To configure multicast mode settings to manage multicast transmissions within the mesh network, use the config mesh multicast command.

config mesh multicast {regular | in | in-out}

Syntax Description

regular    Multicasts the video across the entire mesh network and all its segments by bridging-enabled root access points (RAPs) and mesh access points (MAPs).

in         Forwards the multicast video received from the Ethernet by a MAP to the RAP’s Ethernet network. No additional forwarding occurs, which ensures that non-LWAPP multicasts received by the RAP are not sent back to the MAP Ethernet networks within the mesh network (their point of origin), and MAP-to-MAP multicasts do not occur because they are filtered out.

in-out     Configures the RAP and MAP to multicast, but each in a different manner:
           If multicast packets are received at a MAP over Ethernet, they are sent to the RAP; however, they are not sent to other MAP Ethernets, and the MAP-to-MAP packets are filtered out of the multicast.
           If multicast packets are received at a RAP over Ethernet, they are sent to all the MAPs and their respective Ethernet networks. See the Usage Guidelines section for more information.

Command Default

In-out mode

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

Multicast for mesh networks cannot be enabled using the controller GUI.

Mesh multicast modes determine how bridging-enabled mesh access points (MAPs) and root access points (RAPs) send multicasts among Ethernet LANs within a mesh network. Mesh multicast modes manage non-LWAPP multicast traffic only. LWAPP multicast traffic is governed by a different mechanism.

You can use the controller CLI to configure three mesh multicast modes to manage video camera broadcasts on all mesh access points. When enabled, these modes reduce unnecessary multicast transmissions within the mesh network and conserve backhaul bandwidth.

When using in-out mode, it is important to properly partition your network to ensure that a multicast sent by one RAP is not received by another RAP on the same Ethernet segment and then sent back into the network.

Note

If 802.11b clients need to receive CAPWAP multicasts, then multicast must be enabled globally on the controller as well as on the mesh network (by using the config network multicast global command). If multicast does not need to extend to 802.11b clients beyond the mesh network, you should disable the global multicast parameter.

Examples

The following example shows how to multicast video across the entire mesh network and all its segments by bridging-enabled RAPs and MAPs:

(Cisco Controller) > config mesh multicast regular

config mesh parent preferred

To configure a preferred parent for a mesh access point, use the config mesh parent preferred command.

config mesh parent preferred cisco_ap {mac_address | none}

Syntax Description

cisco_ap       Name of the child access point.
mac_address    MAC address of the preferred parent.
none           Clears the configured parent.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

A child AP selects the preferred parent based on the following conditions:

• The preferred parent is the best parent.

• The preferred parent has a link SNR of at least 20 dB (other parents, however good, are ignored).

• The preferred parent has a link SNR in the range of 12 dB and 20 dB, but no other parent is significantly better (that is, the SNR is more than 20 percent better). For an SNR lower than 12 dB, the configuration is ignored.

• The preferred parent is not blacklisted.

• The preferred parent is not in silent mode because of dynamic frequency selection (DFS).

• The preferred parent is in the same bridge group name (BGN). If the configured preferred parent is not in the same BGN and no other parent is available, the child joins the parent AP using the default BGN.
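The conditions above can be read as a decision procedure. The following sketch is an added example, not Cisco's implementation: the Candidate fields, the function name, the highest-SNR fallback, and the reading of "20 percent better" as a ratio of SNR values are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

STRONG_SNR_DB = 20.0  # at or above this, other parents are ignored
MIN_SNR_DB = 12.0     # below this, the preferred-parent setting is ignored
MARGIN = 1.20         # "significantly better": SNR more than 20 percent higher


@dataclass(frozen=True)
class Candidate:
    """A neighbor that could act as parent (hypothetical structure)."""
    mac: str
    snr_db: float
    bgn: str
    blacklisted: bool = False
    dfs_silent: bool = False


def select_parent(child_bgn: str, preferred_mac: Optional[str],
                  candidates: List[Candidate]) -> Tuple[Optional[str], str]:
    """Return (chosen parent MAC, reason) for one child AP."""
    eligible = [c for c in candidates
                if not c.blacklisted and not c.dfs_silent]
    same_bgn = [c for c in eligible if c.bgn == child_bgn]
    # Assumption: ordinary selection simply takes the highest SNR.
    best = max(same_bgn, key=lambda c: c.snr_db, default=None)

    def fallback(reason: str) -> Tuple[Optional[str], str]:
        return (best.mac if best else None, reason)

    preferred = next((c for c in candidates if c.mac == preferred_mac), None)
    if preferred is None:
        return fallback("no preferred parent configured or heard")
    if preferred.blacklisted:
        return fallback("preferred parent is blacklisted")
    if preferred.dfs_silent:
        return fallback("preferred parent is in DFS silent mode")
    if preferred.bgn != child_bgn:
        if not same_bgn:
            return (preferred.mac, "no other parent: joined using default BGN")
        return fallback("preferred parent is in a different BGN")
    if preferred.snr_db < MIN_SNR_DB:
        return fallback("preferred SNR below 12 dB: configuration ignored")
    if preferred.snr_db >= STRONG_SNR_DB:
        return (preferred.mac, "preferred SNR at least 20 dB: others ignored")
    # 12 dB <= SNR < 20 dB: keep the preferred parent unless a rival is
    # more than 20 percent better.
    others = [c for c in same_bgn if c.mac != preferred.mac]
    rival = max(others, key=lambda c: c.snr_db, default=None)
    if rival is not None and rival.snr_db > preferred.snr_db * MARGIN:
        return (rival.mac, "another parent is more than 20 percent better")
    return (preferred.mac, "preferred SNR 12-20 dB, no significantly better parent")


if __name__ == "__main__":
    PREF = "00:21:1b:ea:36:60"   # preferred-parent MAC from the example below
    OTHER = "aa:bb:cc:00:00:01"  # constructed neighbor MAC
    scenarios = {                # constructed SNR readings
        "strong preferred": [Candidate(PREF, 22, "bgn1"), Candidate(OTHER, 40, "bgn1")],
        "marginal, rival close": [Candidate(PREF, 15, "bgn1"), Candidate(OTHER, 17, "bgn1")],
        "marginal, rival far better": [Candidate(PREF, 15, "bgn1"), Candidate(OTHER, 19, "bgn1")],
        "weak preferred": [Candidate(PREF, 10, "bgn1"), Candidate(OTHER, 11, "bgn1")],
    }
    for name, cands in scenarios.items():
        print(name, "->", select_parent("bgn1", PREF, cands))
```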

Examples

The following example shows how to configure a preferred parent with the MAC address 00:21:1b:ea:36:60 for a mesh access point myap1:

(Cisco Controller) > config mesh parent preferred myap1 00:21:1b:ea:36:60

The following example shows how to clear a preferred parent with the MAC address 00:21:1b:ea:36:60 for a mesh access point myap1, by using the keyword none:

(Cisco Controller) > config mesh parent preferred myap1 00:21:1b:ea:36:60 none

config mesh public-safety

To enable or disable the 4.9-GHz public safety band for mesh access points, use the config mesh public-safety command.

config mesh public-safety {enable | disable} {all | cisco_ap}

Syntax Description

enable      Enables the 4.9-GHz public safety band.
disable     Disables the 4.9-GHz public safety band.
all         Applies the command to all mesh access points.
cisco_ap    Specific mesh access point.

Command Default

The 4.9-GHz public safety band is disabled.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

4.9 GHz is a licensed frequency band restricted to public-safety personnel.

Examples

The following example shows how to enable the 4.9-GHz public safety band for all mesh access points:

(Cisco Controller) > config mesh public-safety enable all
4.9GHz is a licensed frequency band in -A domain for public-safety usage
Are you sure you want to continue? (y/N) y

config mesh radius-server

To enable or disable external authentication for mesh access points, use the config mesh radius-server command.

config mesh radius-server index {enable | disable}

Syntax Description

index      RADIUS authentication method. Options are as follows:
           • Enter eap to designate Extensible Authentication Protocol (EAP) for the mesh RADIUS server setting.
           • Enter psk to designate Preshared Keys (PSKs) for the mesh RADIUS server setting.
enable     Enables the external authentication for mesh access points.
disable    Disables the external authentication for mesh access points.

Command Default

EAP is enabled.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable external authentication for mesh access points:

(Cisco Controller) > config mesh radius-server eap enable

config mesh range

To globally set the maximum range between outdoor root access points (RAPs) and mesh access points (MAPs), use the config mesh range command.

config mesh range [distance]

Syntax Description

distance    (Optional) Maximum operating range (150 to 132000 ft) of the mesh access point.

Command Default

12,000 feet.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

After this command is enabled, all outdoor mesh access points reboot. This command does not affect indoor access points.

Examples

The following example shows how to set the range between an outdoor mesh RAP and a MAP:

(Cisco Controller) > config mesh range 300
Command not applicable for indoor mesh. All outdoor Mesh APs will be rebooted
Are you sure you want to start? (y/N) y

config mesh secondary-backhaul

To configure a secondary backhaul on the mesh network, use the config mesh secondary-backhaul command.

config mesh secondary-backhaul {enable [force-same-secondary-channel] | disable [rll-retransmit | rll-transmit]}

Syntax Description

enable                          Enables the secondary backhaul configuration.
force-same-secondary-channel    (Optional) Enables secondary-backhaul mesh capability. Forces all access points rooted at the first hop node to have the same secondary channel and ignores the automatic or manual channel assignments for the mesh access points (MAPs) at the second hop and beyond.
disable                         Specifies the secondary backhaul configuration is disabled.
rll-transmit                    (Optional) Uses reliable link layer (RLL) at the second hop and beyond.
rll-retransmit                  (Optional) Extends the number of RLL retry attempts in an effort to improve reliability.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

This command uses a secondary backhaul radio as a temporary path for traffic that cannot be sent on the primary backhaul due to intermittent interference.

Examples

The following example shows how to enable a secondary backhaul radio and force all access points rooted at the first hop node to have the same secondary channel:

(Cisco Controller) > config mesh secondary-backhaul enable force-same-secondary-channel

config mesh security

To configure the security settings for mesh networks, use the config mesh security command.

config mesh security {{rad-mac-filter | force-ext-auth } {enable | disable}} | {{eap | psk provisioning | provisioning window} | {enable | disable}} | {delete_psk | key}

Syntax Description

rad-mac-filter         Enables a Remote Authentication Dial-In User Service (RADIUS) MAC address filter for the mesh security setting.
force-ext-auth         Disables forced external authentication for the mesh security setting.
lsc-only-auth          Enables Locally Significant Certificate only authentication for the mesh security setting.
enable                 Enables the mesh security setting.
disable                Disables the mesh security setting.
eap                    Designates the Extensible Authentication Protocol (EAP) for the mesh security setting by default.
psk                    Designates a preshared key (PSK) for the mesh security setting.
provisioning           Encrypts provisioning for the PSK in Cisco Wireless Controller (WLC).
provisioning window    Encrypts provisioning window for the PSK in Cisco WLC.
enable                 Enables provisioning of the PSK.
disable                Disables provisioning of the PSK.
key                    Specifies the key for the PSK.

Command Default

The EAP is designated as default for the mesh security.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.
8.2        This command was modified; the psk provisioning and psk provisioning keywords are added.

Examples

The following example shows how to configure EAP as the security option for all mesh access points:

(Cisco Controller) > config mesh security eap

The following example shows how to configure PSK as the security option for all mesh access points:

(Cisco Controller) > config mesh security psk

The following example shows how to enable PSK provisioning as the security option for all mesh access points:

(Cisco Controller) > config mesh security psk provisioning enable

The following example shows how to configure a PSK provisioning key as the security option for all mesh access points:

(Cisco Controller) > config mesh security psk provisioning key 5

The following example shows how to enable a PSK provisioning window as the security option for all mesh access points:

(Cisco Controller) > config mesh security psk provisioning window enable

The following example shows how to delete the PSK provisioning for Cisco WLC:

(Cisco Controller) > config mesh security psk provisioning delete_psk wlc

The following example shows how to delete the PSK provisioning for all mesh access points:

(Cisco Controller) > config mesh security psk provisioning delete_psk ap

The following example shows how to delete PSK provisioning for all configurations in Cisco WLC:

(Cisco Controller) > config mesh security psk provisioning delete_psk wlc all

config mesh slot-bias

To enable or disable slot bias for serial backhaul mesh access points, use the config mesh slot-bias command.

config mesh slot-bias {enable | disable}

Syntax Description

enable     Enables slot bias for serial backhaul mesh APs.
disable    Disables slot bias for serial backhaul mesh APs.

Command Default

By default, slot bias is in enabled state.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

Follow these guidelines when using this command:

• The config mesh slot-bias command is a global command and therefore applicable to all 1524SB APs associated with the same controller.

• Slot bias is applicable only when both slot 1 and slot 2 are available. If a slot radio does not have a channel that is available because of dynamic frequency selection (DFS), the other slot takes up both the uplink and downlink roles.

• If slot 2 is not available because of hardware issues, slot bias functions normally. Corrective action should be taken by disabling the slot bias or fixing the antenna.

Examples

The following example shows how to disable slot bias for serial backhaul mesh APs:

(Cisco Controller) > config mesh slot-bias disable

config mgmtuser add

To add a local management user to the controller, use the config mgmtuser add command.

config mgmtuser add username password {lobby-admin | read-write | read-only} [description]

Syntax Description

username       Account username. The username can be up to 24 alphanumeric characters.
password       Account password. The password can be up to 24 alphanumeric characters.
lobby-admin    Creates a management user with lobby ambassador privileges.
read-write     Creates a management user with read-write access.
read-only      Creates a management user with read-only access.
description    (Optional) Description of the account. The description can be up to 32 alphanumeric characters within double quotes.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.
8.4        This command creates lobby-admin user.

Examples

The following example shows how to create a management user account with read-write access.

(Cisco Controller) > config mgmtuser add admin admin read-write

Main account

Related Commands show mgmtuser


config mgmtuser delete

To delete a management user from the controller, use the config mgmtuser delete command.

config mgmtuser delete username

Syntax Description

username    Account username. The username can be up to 24 alphanumeric characters.

Command Default

The management user is not deleted by default.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to delete a management user account admin from the controller:

(Cisco Controller) > config mgmtuser delete admin
Deleted user admin

Related Commands

show mgmtuser


config mgmtuser description

To add a description to an existing management user login to the controller, use the config mgmtuser description command.

config mgmtuser description username description

Syntax Description

username       Account username. The username can be up to 24 alphanumeric characters.
description    Description of the account. The description can be up to 32 alphanumeric characters within double quotes.

Command Default

No description is added to the management user.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to add a description “master-user” to the management user “admin”:

(Cisco Controller) > config mgmtuser description admin "master user"

Related Commands

config mgmtuser add
config mgmtuser delete
config mgmtuser password
show mgmtuser


config mgmtuser password

To configure a management user password, use the config mgmtuser password command.

config mgmtuser password username password

Syntax Description

username    Account username. The username can be up to 24 alphanumeric characters.
password    Account password. The password can be up to 24 alphanumeric characters.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to change the password of the management user “admin” with the new password 5rTfm:

(Cisco Controller) > config mgmtuser password admin 5rTfm

Related Commands

show mgmtuser


config mgmtuser telnet

To enable local management users to use Telnet to connect to the Cisco Wireless LAN Controller, use the config mgmtuser telnet command.

config mgmtuser telnet user_name {enable | disable}

Syntax Description

user_name    Username of a local management user. You can enter up to 24 alphanumeric characters.
enable       Enables a local management user to use Telnet to connect to the Cisco WLC.
disable      Disables a local management user from using Telnet to connect to the Cisco WLC.

Command Default

Local management users can use Telnet to connect to the Cisco WLC.

Command History

Release    Modification
7.5        This command was introduced.

Usage Guidelines

You must enable global Telnet to enable this command. Secure Shell (SSH) connection is not affected when you enable this option.

Examples

The following example shows how to enable a local management user to use Telnet to connect to the Cisco WLC:

(Cisco Controller) > config mgmtuser telnet admin1 enable
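
Because the Command Default leaves Telnet available to every local management user, an account stays Telnet-capable until it is explicitly disabled. The following added example (not part of the Cisco reference) replays a constructed change script written in the config mgmtuser syntax documented above and reports accounts whose password equals the username, falls below an assumed length policy, or remains Telnet-capable. The script contents, MIN_PASSWORD_LEN and the function names are assumptions; the global Telnet state is not visible to this check.

```python
import shlex

# Constructed change script (not from the Cisco reference) that uses the
# config mgmtuser add/password/telnet/delete syntax documented above.
SAMPLE_SCRIPT = """\
config mgmtuser add admin admin read-write "Main account"
config mgmtuser add netops Xk9vT2qLw7Rm read-write
config mgmtuser add lobby1 Gh4pZs8Qe1Nd lobby-admin "Front desk"
config mgmtuser add auditor Bn6yUc3Ja5Wf read-only
config mgmtuser telnet netops disable
config mgmtuser telnet lobby1 enable
config mgmtuser password auditor auditor
config mgmtuser add temp Pq2mVx7Lk9Ts read-write
config mgmtuser delete temp
"""

MIN_PASSWORD_LEN = 8  # assumed local policy, not a value from the reference


def replay_mgmtusers(script):
    """Apply the commands in order and return the resulting account table."""
    users = {}  # username -> {"password", "role", "telnet"}
    for raw in script.splitlines():
        tok = shlex.split(raw)
        if tok[:2] != ["config", "mgmtuser"] or len(tok) < 4:
            continue
        action, name = tok[2], tok[3]
        if action == "add" and len(tok) >= 6:
            # Command Default: local management users can use Telnet.
            users[name] = {"password": tok[4], "role": tok[5], "telnet": True}
        elif action == "delete":
            users.pop(name, None)
        elif action == "password" and len(tok) >= 5 and name in users:
            users[name]["password"] = tok[4]
        elif action == "telnet" and len(tok) >= 5 and name in users:
            users[name]["telnet"] = tok[4] == "enable"
    return users


def audit_mgmtusers(script):
    """Return (username, finding) tuples for the final account state."""
    findings = []
    for name, user in sorted(replay_mgmtusers(script).items()):
        if user["password"].lower() == name.lower():
            findings.append((name, "password equals username"))
        elif len(user["password"]) < MIN_PASSWORD_LEN:
            findings.append((name, "password shorter than policy minimum"))
        if user["telnet"]:
            kind = "read-write account" if user["role"] == "read-write" else "account"
            findings.append((name, kind + " may use Telnet"))
    return findings


if __name__ == "__main__":
    for name, finding in audit_mgmtusers(SAMPLE_SCRIPT):
        print(name + ": " + finding)
```
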


config mgmtuser termination-interval

To configure the user re-authentication terminal interval in seconds, use the config mgmtuser termination-interval command.

config mgmtuser termination-interval {seconds}

Syntax Description

seconds    Re-authentication terminal interval in seconds for a user before being logged out. Default value is 0, the valid range is 0 to 300 seconds.

Command History

Release    Modification
8.2        This command was introduced in this release.

Examples

The following example shows how to set the interval in seconds before the user is logged out:

(Cisco Controller) > config mgmtuser termination-interval 180


config mobility dscp

To configure the mobility intercontroller DSCP value, use the config mobility dscp command.

config mobility dscp dscp_value

Syntax Description

dscp_value    DSCP value ranging from 0 to 63.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the mobility intercontroller DSCP value to 40:

(Cisco Controller) > config mobility dscp 40


config mobility group anchor

To create a new mobility anchor for the WLAN or wired guest LAN, use the config mobility group anchor command.

config mobility group anchor {add | delete} {wlan wlan_id | guest-lan guest_lan_id} anchor_ip

Syntax Description

add             Adds or changes a mobility anchor to a wireless LAN.
delete          Deletes a mobility anchor from a wireless LAN.
wlan            Specifies the wireless LAN anchor settings.
wlan_id         Wireless LAN identifier between 1 and 512 (inclusive).
guest-lan       Specifies the guest LAN anchor settings.
guest_lan_id    Guest LAN identifier between 1 and 5 (inclusive).
anchor_ip       IP address of the anchor controller.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

The wlan_id or guest_lan_id must exist and be disabled.

Auto-anchor mobility is enabled for the WLAN or wired guest LAN when you configure the first mobility anchor. Deleting the last anchor disables the auto-anchor mobility feature and resumes normal mobility for new associations.

Examples

The following example shows how to add a mobility anchor with the IP address 192.12.1.5 to a wireless LAN ID 2:

(Cisco Controller) > config mobility group anchor add wlan 2 192.12.1.5

The following example shows how to delete a mobility anchor with the IP address 193.13.1.15 from a wireless LAN:

(Cisco Controller) > config mobility group anchor delete wlan 5 193.13.1.5


config mobility group domain

To configure the mobility domain name, use the config mobility group domain command.

config mobility group domain domain_name

Syntax Description

domain_name    Domain name. The domain name can be up to 31 case-sensitive characters.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure a mobility domain name lab1:

(Cisco Controller) > config mobility group domain lab1


config mobility group keepalive count

To configure the Cisco WLC to detect failed mobility group members (including anchor Cisco WLCs), use the config mobility group keepalive count command.

config mobility group keepalive count count

Syntax Description

count    Number of times that a ping request is sent to a mobility group member before the member is considered unreachable. The range is from 3 to 20. The default is 3.

Command Default

The default number of times that a ping request is sent to a mobility group member is 3.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to specify the number of times a ping request is sent to a mobility group member before the member is considered unreachable to three counts:

(Cisco Controller) > config mobility group keepalive count 3


config mobility group keepalive interval

To configure the controller to detect failed mobility group members (including anchor controllers), use the config mobility group keepalive command.

config mobility group keepalive interval

Syntax Description

interval    Interval of time between each ping request sent to a mobility group member. The range is from 1 to 30 seconds. The default value is 10 seconds.

Command Default

The default interval of time between each ping request is 10 seconds.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to specify the amount of time between each ping request sent to a mobility group member to 10 seconds:

(Cisco Controller) > config mobility group keepalive 10


config mobility group member

To add or delete users from the mobility group member list, use the config mobility group member command.

config mobility group member {add MAC-addr IP-addr [group_name] | delete MAC-addr | hash IP-addr {key | none}}

Syntax Description

add           Adds or changes a mobility group member to the list.
MAC-addr      Member switch MAC address.
IP-addr       Member switch IP address.
group_name    (Optional) Member switch group name (if different from the default group name).
delete        (Optional) Deletes a mobility group member from the list.
hash          Configures the hash key for authorization. You can configure the hash key only if the member is a virtual controller in the same domain.
key           Hash key of the virtual controller. For example, a819d479dcfeb3e0974421b6e8335582263d9169
none          Clears the previous hash key of the virtual controller.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.
8.0        This command supports both IPv4 and IPv6 address formats.

Examples

The following example shows how to add a mobility group member with an IPv4 address to the list:

(Cisco Controller) > config mobility group member add 11:11:11:11:11:11 209.165.200.225


The following example shows how to add a mobility group member with an IPv6 address to the list:

(Cisco Controller) > config mobility group member add 11:11:11:11:11:11 2001:DB8::1

The following example shows how to configure the hash key of a virtual controller in the same domain:

Note: The IP address in this example can be in either IPv4 or IPv6 format.

(Cisco Controller) > config mobility group member hash 209.165.201.1 a819d479dcfeb3e0974421b6e8335582263d9169


config mobility group multicast-address

To configure the multicast group IP address for nonlocal groups within the mobility list, use the config mobility group multicast-address command.

config mobility group multicast-address group_name ip_address

Syntax Description

group_name    Member switch group name (if different from the default group name).
ip_address    Member switch IP address.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.
8.0        This command supports both IPv4 and IPv6 address formats.

Examples

The following example shows how to configure the multicast group IP address 10.10.10.1 for a group named test:

(Cisco Controller) > config mobility group multicast-address test 10.10.10.1

The following example shows how to configure the multicast group IP address 2001:DB8::1 for a group named test:

(Cisco Controller) > config mobility group multicast-address test 2001:DB8::1


config mobility multicast-mode

To enable or disable mobility multicast mode, use the config mobility multicast-mode command.

config mobility multicast-mode {enable | disable} local_group_multicast_address

Syntax Description

enable                           Enables the multicast mode; the controller uses multicast mode to send Mobile Announce messages to the local group.
disable                          Disables the multicast mode; the controller uses unicast mode to send the Mobile Announce messages to the local group.
local_group_multicast_address    IP address for the local mobility group.

Command Default

The mobility multicast mode is disabled.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable the multicast mobility mode for the local mobility group IP address 157.168.20.0:

(Cisco Controller) > config mobility multicast-mode enable 157.168.20.0


config mobility new-architecture

To enable new mobility on the Cisco Wireless LAN Controller (WLC), use the config mobility new-architecture command.

config mobility new-architecture {enable | disable}

Syntax Description

enable     Configures the Cisco WLC to switch to the new mobility architecture.
disable    Configures the Cisco WLC to switch to the old flat mobility architecture.

Command Default

By default, new mobility is disabled.

Command History

Release      Modification
7.3.112.0    This command was introduced.

Usage Guidelines

New mobility is supported only on Cisco WiSM2, Cisco 2500 Series Wireless Controllers, Cisco 5500 Series Wireless Controllers, and Cisco 8500 Series Wireless Controllers. New mobility enables the Cisco WLC to be compatible with Converged Access controllers with Wireless Control Module (WCM), such as Cisco Catalyst 3850 Series and the Cisco 5760 Wireless LAN Controllers.

Examples

The following example shows how to enable new mobility on the Cisco WLC:

(Cisco Controller) > config mobility new-architecture enable


config mobility oracle

To configure the Mobility Oracle (MO), use the config mobility oracle command.

config mobility oracle {enable | disable | ip ip_address}

Syntax Description

enable        Enables the MO on startup.
disable       Disables the MO on startup.
ip            Specifies the IP address of the MO.
ip_address    IP address of the MO.

Command Default

None

Command History

Release      Modification
7.3.112.0    This command was introduced.
8.0          This command supports only IPv4 address format.

Usage Guidelines

The MO maintains the client database under one complete mobility domain. It consists of a station database, an interface to the mobility Cisco WLC, and an NTP server. There can be only one MO in the entire mobility domain.

The IPv6 address format for this command is not supported.

Examples

The following example shows how to configure the MO IP address:

(Cisco Controller) > config mobility oracle ip 27.0.0.1


config mobility secure-mode

To configure the secure mode for mobility messages between Cisco WLCs, use the config mobility secure-mode command.

config mobility secure-mode {enable | disable}

Syntax Description

enable     Enables the mobility group message security.
disable    Disables mobility group message security.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable the secure mode for mobility messages:

(Cisco Controller) > config mobility secure-mode enable


config mobility statistics reset

To reset the mobility statistics, use the config mobility statistics reset command.

config mobility statistics reset

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

This example shows how to reset the mobility group statistics:

(Cisco Controller) > config mobility statistics reset


config netuser add

To add a guest user on a WLAN or wired guest LAN to the local user database on the controller, use the config netuser add command.

config netuser add username password {wlan wlan_id | guestlan guestlan_id} userType guest lifetime lifetime description description

Syntax Description

username       Guest username. The username can be up to 50 alphanumeric characters.
password       User password. The password can be up to 24 alphanumeric characters.
wlan           Specifies the wireless LAN identifier to associate with or zero for any wireless LAN.
wlan_id        Wireless LAN identifier assigned to the user. A zero value associates the user with any wireless LAN.
guestlan       Specifies the guest LAN identifier to associate with or zero for any wireless LAN.
guestlan_id    Guest LAN ID.
userType       Specifies the user type.
guest          Specifies the guest for the guest user.
lifetime       Specifies the lifetime.
lifetime       Lifetime value (60 to 259200 or 0) in seconds for the guest user.
               Note: A value of 0 indicates an unlimited lifetime.
description    Short description of user. The description can be up to 32 characters enclosed in double-quotes.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

Local network usernames must be unique because they are stored in the same database.


Examples

The following example shows how to add a permanent username Jane to the wireless network for 1 hour:

(Cisco Controller) > config netuser add jane able2 1 wlan_id 1 userType permanent

The following example shows how to add a guest username George to the wireless network for 1 hour:

(Cisco Controller) > config netuser add george able1 guestlan 1 3600

Related Commands

show netuser
config netuser delete


config netuser delete

To delete an existing user from the local network, use the config netuser delete command.

config netuser delete username

Syntax Description

username    Network username. The username can be up to 24 alphanumeric characters.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

Local network usernames must be unique because they are stored in the same database.

Examples

The following example shows how to delete an existing username named able1 from the network:

(Cisco Controller) > config netuser delete able1
Deleted user able1

Related Commands

show netuser


config netuser description

To add a description to an existing net user, use the config netuser description command.

config netuser description username description

Syntax Description

username       Network username. The username can contain up to 24 alphanumeric characters.
description    (Optional) User description. The description can be up to 32 alphanumeric characters enclosed in double quotes.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to add a user description “HQ1 Contact” to an existing network user named able1:

(Cisco Controller) > config netuser description able1 "HQ1 Contact"

Related Commands

show netuser


config network dns serverip

To configure the network DNS server, use the config network dns serverip command.

config network dns serverip {ipaddr}

Syntax Description

ipaddr    Specifies the IP address.

Command Default

The default network-level web authentication value is disabled.

Command History

Release    Modification
8.3        This command was introduced.

Examples

The following example shows how to enable proxy redirect support for web authentication clients:

(Cisco Controller) > config network dns serverip 198.172.202.252

Related Commands

show network summary


config netuser guest-lan-id

To configure a wired guest LAN ID for a network user, use the config netuser guest-lan-id command.

config netuser guest-lan-id username lan_id

Syntax Description

username    Network username. The username can be 24 alphanumeric characters.
lan_id      Wired guest LAN identifier to associate with the user. A zero value associates the user with any wired LAN.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure a wired LAN ID 2 to associate with the user named aire1:

(Cisco Controller) > config netuser guest-lan-id aire1 2

Related Commands

show netuser
show wlan summary


config netuser guest-role apply

To apply a quality of service (QoS) role to a guest user, use the config netuser guest-role apply command.

config netuser guest-role apply username role_name

Syntax Description

username     Name of the user.
role_name    QoS guest role name.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

If you do not assign a QoS role to a guest user, the Role field in the User Details shows the role as default. The bandwidth contracts for this user are defined in the QoS profile for the WLAN.

If you want to unassign a QoS role from a guest user, use the config netuser guest-role apply username default command. This user now uses the bandwidth contracts defined in the QoS profile for the WLAN.

Examples

The following example shows how to apply a QoS role to a guest user jsmith with the QoS guest role named Contractor:

(Cisco Controller) > config netuser guest-role apply jsmith Contractor

Related Commands

config netuser guest-role create
config netuser guest-role delete


config netuser guest-role create

To create a quality of service (QoS) role for a guest user, use the config netuser guest-role create command.

config netuser guest-role create role_name

Syntax Description

role_name    QoS guest role name.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

To delete a QoS role, use the config netuser guest-role delete role-name command.

Examples

The following example shows how to create a QoS role for the guest user named guestuser1:

(Cisco Controller) > config netuser guest-role create guestuser1

Related Commands

config netuser guest-role delete


config netuser guest-role delete

To delete a quality of service (QoS) role for a guest user, use the config netuser guest-role delete command.

config netuser guest-role delete role_name

Syntax Description

role_name    Quality of service (QoS) guest role name.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to delete a quality of service (QoS) role for guestuser1:

(Cisco Controller) > config netuser guest-role delete guestuser1

Related Commands

config netuser guest-role create


config netuser guest-role qos data-rate average-data-rate

To configure the average data rate for TCP traffic on a per user basis, use the config netuser guest-role qos data-rate average-data-rate command.

config netuser guest-role qos data-rate average-data-rate role_name rate

Syntax Description

role_name    Quality of service (QoS) guest role name.
rate         Rate for TCP traffic on a per user basis.

Command Default

None

Usage Guidelines

For the role_name parameter in each of these commands, enter a name for the new QoS role. The name uniquely identifies the role of the QoS user (such as contractor, vendor, and so on). For the rate parameter, you can enter a value between 0 and 60,000 Kbps (inclusive). A value of 0 imposes no bandwidth restriction on the QoS role.

Examples

The following example shows how to configure an average rate for the QoS guest named guestuser1:

(Cisco Controller) > config netuser guest-role qos data-rate average-data-rate guestuser1 0

Related Commands

config netuser guest-role create
config netuser guest-role delete
config netuser guest-role qos data-rate burst-data-rate


config netuser guest-role qos data-rate average-realtime-rate

To configure the average data rate for TCP traffic on a per user basis, use the config netuser guest-role qos data-rate average-realtime-rate command.

config netuser guest-role qos data-rate average-realtime-rate role_name rate

Syntax Description

role_name    Quality of service (QoS) guest role name.
rate         Rate for TCP traffic on a per user basis.

Command Default

None

Usage Guidelines

For the role_name parameter in each of these commands, enter a name for the new QoS role. The name uniquely identifies the role of the QoS user (such as contractor, vendor, and so on). For the rate parameter, you can enter a value between 0 and 60,000 Kbps (inclusive). A value of 0 imposes no bandwidth restriction on the QoS role.

Examples

The following example shows how to configure an average data rate for the QoS guest user named guestuser1 with the rate for TCP traffic of 0 Kbps:

(Cisco Controller) > config netuser guest-role qos data-rate average-realtime-rate guestuser1 0

Related Commands

config netuser guest-role
config netuser guest-role qos data-rate average-data-rate


config netuser guest-role qos data-rate burst-data-rate

To configure the peak data rate for TCP traffic on a per user basis, use the config netuser guest-role qos data-rate burst-data-rate command.

config netuser guest-role qos data-rate burst-data-rate role_name rate

Syntax Description

role_name    Quality of service (QoS) guest role name.
rate         Rate for TCP traffic on a per user basis.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

The burst data rate should be greater than or equal to the average data rate. Otherwise, the QoS policy may block traffic to and from the wireless client.

For the role_name parameter in each of these commands, enter a name for the new QoS role. The name uniquely identifies the role of the QoS user (such as contractor, vendor, and so on). For the rate parameter, you can enter a value between 0 and 60,000 Kbps (inclusive). A value of 0 imposes no bandwidth restriction on the QoS role.

Examples

The following example shows how to configure the peak data rate for the QoS guest named guestuser1 with the rate for TCP traffic of 0 Kbps:

(Cisco Controller) > config netuser guest-role qos data-rate burst-data-rate guestuser1 0

Related Commands

config netuser guest-role create
config netuser guest-role delete
config netuser guest-role qos data-rate average-data-rate


config netuser guest-role qos data-rate burst-realtime-rate

To configure the burst real-time data rate for UDP traffic on a per user basis, use the config netuser guest-role qos data-rate burst-realtime-rate command.

config netuser guest-role qos data-rate burst-realtime-rate role_name rate

Syntax Description

role_name    Quality of service (QoS) guest role name.
rate         Rate for TCP traffic on a per user basis.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

The burst real-time rate should be greater than or equal to the average real-time rate. Otherwise, the quality of service (QoS) policy may block traffic to and from the wireless client.

For the role_name parameter in each of these commands, enter a name for the new QoS role. The name uniquely identifies the role of the QoS user (such as contractor, vendor, and so on). For the rate parameter, you can enter a value between 0 and 60,000 Kbps (inclusive). A value of 0 imposes no bandwidth restriction on the QoS role.

Examples

The following example shows how to configure a burst real-time rate for the QoS guest user named guestuser1 with the rate for TCP traffic of 0 Kbps:

(Cisco Controller) > config netuser guest-role qos data-rate burst-realtime-rate guestuser1 0

Related Commands

config netuser guest-role
config netuser guest-role qos data-rate average-data-rate
config netuser guest-role qos data-rate burst-data-rate
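
The Usage Guidelines for the four guest-role rate commands state two constraints: each rate lies between 0 and 60,000 Kbps, and each burst rate should be greater than or equal to its average rate. The following added example (not part of the Cisco reference) replays a constructed script of these commands and reports violations before the script reaches a controller. The script contents and function name are assumptions, and the burst/average comparison is applied numerically as the guideline is written, including when a value is 0.

```python
import shlex

RATE_MIN, RATE_MAX = 0, 60000  # Kbps, the range given in the Usage Guidelines

# (burst keyword, average keyword) pairs tied together by the guidelines
PAIRS = [
    ("burst-data-rate", "average-data-rate"),
    ("burst-realtime-rate", "average-realtime-rate"),
]
RATE_KEYWORDS = {keyword for pair in PAIRS for keyword in pair}

# Constructed script (not from the Cisco reference) in the documented syntax.
SAMPLE_SCRIPT = """\
config netuser guest-role create Contractor
config netuser guest-role qos data-rate average-data-rate Contractor 2000
config netuser guest-role qos data-rate burst-data-rate Contractor 1000
config netuser guest-role qos data-rate average-realtime-rate Contractor 500
config netuser guest-role qos data-rate burst-realtime-rate Contractor 800
config netuser guest-role create Vendor
config netuser guest-role qos data-rate average-data-rate Vendor 70000
config netuser guest-role qos data-rate burst-data-rate Vendor 0
config netuser guest-role qos data-rate average-data-rate Vendor 0
"""


def check_guest_role_rates(script):
    """Return (role, problem) tuples: range errors first, then pair errors."""
    roles = {}     # role name -> {rate keyword: last accepted value in Kbps}
    problems = []
    for raw in script.splitlines():
        tok = shlex.split(raw)
        if tok[:3] != ["config", "netuser", "guest-role"]:
            continue
        if tok[3:4] == ["delete"] and len(tok) == 5:
            roles.pop(tok[4], None)  # a deleted role carries no rates forward
        elif (tok[3:5] == ["qos", "data-rate"] and len(tok) == 8
              and tok[5] in RATE_KEYWORDS):
            kind, role, rate = tok[5:8]
            if not rate.isdigit() or not RATE_MIN <= int(rate) <= RATE_MAX:
                problems.append(
                    (role, f"{kind} {rate} outside {RATE_MIN}-{RATE_MAX} Kbps"))
                continue  # an out-of-range value is not recorded
            roles.setdefault(role, {})[kind] = int(rate)
        # "create" and "apply" lines carry no rate and are skipped
    for role in sorted(roles):
        for burst, average in PAIRS:
            b, a = roles[role].get(burst), roles[role].get(average)
            # Compared only when both values were set in the script.
            if b is not None and a is not None and b < a:
                problems.append((role, f"{burst} {b} below {average} {a}"))
    return problems


if __name__ == "__main__":
    for role, problem in check_guest_role_rates(SAMPLE_SCRIPT):
        print(role + ": " + problem)
```
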


config netuser lifetime

To configure the lifetime for a guest network user, use the config netuser lifetime command.

config netuser lifetime username time

Syntax Description

username    Network username. The username can be up to 50 alphanumeric characters.
time        Lifetime between 60 and 31536000 seconds, or 0 for no limit.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure lifetime for a guest network user:

(Cisco Controller) > config netuser lifetime guestuser1 22450

Related Commands

show netuser
show wlan summary


config netuser maxUserLogin

To configure the maximum number of login sessions allowed for a network user, use the config netuser maxUserLogin command.

config netuser maxUserLogin count

Syntax Description

count    Maximum number of login sessions for a single user. The allowed values are from 0 (unlimited) to 8.

Command Default

By default, the maximum number of login sessions for a single user is 0 (unlimited).

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the maximum number of login sessions for a single user to 8:

(Cisco Controller) > config netuser maxUserLogin 8

Related Commands

show netuser


config netuser password

To change a local network user password, use the config netuser password command.

config netuser password username password

Syntax Description

username    Network username. The username can be up to 24 alphanumeric characters.
password    Network user password. The password can contain up to 24 alphanumeric characters.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to change the network user password from aire1 to aire2:

(Cisco Controller) > config netuser password aire1 aire2

Related Commands

show netuser


config netuser wlan-id

To configure a wireless LAN ID for a network user, use the config netuser wlan-id command.

config netuser wlan-id username wlan_id

Syntax Description

username    Network username. The username can be 24 alphanumeric characters.
wlan_id     Wireless LAN identifier to associate with the user. A zero value associates the user with any wireless LAN.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure a wireless LAN ID 2 to associate with the user named aire1:

(Cisco Controller) > config netuser wlan-id aire1 2

Related Commands

show netuser
show wlan summary


config network client-ip-conflict-detection

To enable or disable client DHCP address conflict detection in a network, use the config network client-ip-conflict-detection command.

config network client-ip-conflict-detection {enable | disable}

Syntax Description

enable     If a wireless client receives a DHCP address that is already registered to another client, the earlier client is disconnected and has to reconnect and get a new address.
disable    Disables this feature.

Command Default

Disabled.

Command History

Release    Modification
8.1        This command was introduced.


config network http-proxy ip-address

To configure the IP address of the network HTTP proxy server, use the config network http-proxy ip-address command.

config network http-proxy ip-address ip-address port port-no

Syntax Description

ip-address    IP address for http-proxy.
port-no       Port number for http-proxy.

Command Default

None

Command History

Release    Modification
8.3        This command was introduced.

Examples

The following example shows how to configure the IP address of the network HTTP proxy server:

(Cisco Controller) > config network http-proxy ip-address 10.10.10.11 port 8080

Related Commands

show network summary


config network bridging-shared-secret

To configure the bridging shared secret, use the config network bridging-shared-secret command.

config network bridging-shared-secret shared_secret

Syntax Description

shared_secret    Bridging shared secret string. The string can contain up to 10 bytes.

Command Default

The bridging shared secret is enabled by default.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

This command creates a secret that encrypts backhaul user data for the mesh access points that connect to the switch.

The zero-touch configuration must be enabled for this command to work.

Examples

The following example shows how to configure the bridging shared secret string “shhh1”:

(Cisco Controller) > config network bridging-shared-secret shhh1

Related Commands

show network summary


config network web-auth captive-bypass

To configure the controller to support bypass of captive portals at the network level, use the config network web-auth captive-bypass command.

config network web-auth captive-bypass {enable | disable}

Syntax Description

enable     Allows the controller to support bypass of captive portals.
disable    Prevents the controller from supporting bypass of captive portals.

Command Default

None

Examples

The following example shows how to configure the controller to support bypass of captive portals:

(Cisco Controller) > config network web-auth captive-bypass enable

Related Commands

show network summary
config network web-auth cmcc-support


config network web-auth port

To configure an additional port to be redirected for web authentication at the network level, use the config network web-auth port command.

config network web-auth port port

Syntax Description

port    Port number. The valid range is from 0 to 65535.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure an additional port number 1200 to be redirected for web authentication:

(Cisco Controller) > config network web-auth port 1200

Related Commands

show network summary


config network web-auth proxy-redirect

To configure proxy redirect support for web authentication clients, use the config network web-auth proxy-redirect command.

config network web-auth proxy-redirect {enable | disable}

Syntax Description

enable     Allows proxy redirect support for web authentication clients.
disable    Disallows proxy redirect support for web authentication clients.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable proxy redirect support for web authentication clients:

(Cisco Controller) > config network web-auth proxy-redirect enable

Related Commands

show network summary


config network web-auth secureweb

To configure the secure web (https) authentication for clients, use the config network web-auth secureweb command.

config network web-auth secureweb {enable | disable}

Syntax Description

enable     Allows secure web (https) authentication for clients.
disable    Disallows secure web (https) authentication for clients. Enables http web authentication for clients.

Command Default

The default secure web (https) authentication for clients is enabled.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

If you configure the secure web (https) authentication for clients using the config network web-auth secureweb disable command, then you must reboot the Cisco WLC to implement the change.

Examples

The following example shows how to enable the secure web (https) authentication for clients:

(Cisco Controller) > config network web-auth secureweb enable

Related Commands

show network summary


config network webmode

To enable or disable the web mode, use the config network webmode command.

config network webmode {enable | disable}

Syntax Description

enable     Enables the web interface.
disable    Disables the web interface.

Command Default

The default value for the web mode is enable.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to disable the web interface mode:

(Cisco Controller) > config network webmode disable

Related Commands

show network summary


config network web-auth

To configure the network-level web authentication options, use the config network web-auth command.

config network web-auth {port port-number} | {proxy-redirect {enable | disable}}

Syntax Description

port              Configures additional ports for web authentication redirection.
port-number       Port number (between 0 and 65535).
proxy-redirect    Configures proxy redirect support for web authentication clients.
enable            Enables proxy redirect support for web authentication clients. Note: Web-auth proxy redirection will be enabled for ports 80, 8080, and 3128, along with user defined port 345.
disable           Disables proxy redirect support for web authentication clients.

Command Default

The default network-level web authentication value is disabled.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

You must reset the system for the configuration to take effect.

Examples

The following example shows how to enable proxy redirect support for web authentication clients:

(Cisco Controller) > config network web-auth proxy-redirect enable

Related Commands

show network summary
show run-config
config qos protocol-type


config network 802.3-bridging

To enable or disable 802.3 bridging on a controller, use the config network 802.3-bridging command.

config network 802.3-bridging {enable | disable}

Syntax Description

enable     Enables the 802.3 bridging.
disable    Disables the 802.3 bridging.

Command Default

By default, 802.3 bridging on the controller is disabled.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

In controller software release 5.2, the software-based forwarding architecture for Cisco 2100 Series Controllers is being replaced with a new forwarding plane architecture. As a result, Cisco 2100 Series Controllers and the Cisco wireless LAN controller Network Module for Cisco Integrated Services Routers bridge 802.3 packets by default. Therefore, 802.3 bridging can now be disabled only on Cisco 4400 Series Controllers, the Cisco WiSM, and the Catalyst 3750G Wireless LAN Controller Switch.

To determine the status of 802.3 bridging, enter the show netuser guest-roles command.

Examples

The following example shows how to enable the 802.3 bridging:

(Cisco Controller) > config network 802.3-bridging enable

Related Commands

show netuser guest-roles
show network


config network allow-old-bridge-aps

To configure an old bridge access point’s ability to associate with a switch, use the config network allow-old-bridge-aps command.

config network allow-old-bridge-aps {enable | disable}

Syntax Description

enable     Enables the switch association.
disable    Disables the switch association.

Command Default

Switch association is enabled.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure an old bridge access point to associate with the switch:

(Cisco Controller) > config network allow-old-bridge-aps enable


config network ap-discovery

To enable or disable NAT IP in an AP discovery response, use the config network ap-discovery command.

config network ap-discovery nat-ip-only {enable | disable}

Syntax Description

enable     Enables use of NAT IP only in discovery response.
disable    Enables use of both NAT IP and non NAT IP in discovery response.

Command Default

The use of NAT IP only in discovery response is enabled.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

If the config interface nat-address management command is set, this command controls which address(es) are sent in the CAPWAP discovery responses.

If all APs are on the outside of the NAT gateway of the controller, enter the config network ap-discovery nat-ip-only enable command, and only the management NAT address is sent.

If the controller has both APs on the outside and the inside of its NAT gateway, enter the config network ap-discovery nat-ip-only disable command, and both the management NAT address and the management inside address are sent. Ensure that you have entered the config ap link-latency disable all command to avoid stranding APs.

Examples

The following example shows how to enable NAT IP in an AP discovery response:

(Cisco Controller) > config network ap-discovery nat-ip-only enable


config network ap-easyadmin

To configure the Cisco AP easyadmin feature, use the config network ap-easyadmin command.

config network ap-easyadmin {enable | disable}

Syntax Description

enable     Enables AP EasyAdmin.
disable    Disables AP EasyAdmin.

Command Default

The easyadmin is disabled by default.

Command History

Release    Modification
8.4        This command was introduced in this release.

Examples

The following example shows how to enable the Cisco AP easyadmin:

(Cisco Controller) > config network ap-easyadmin enable


config network ap-fallback

To configure Cisco lightweight access point fallback, use the config network ap-fallback command.

config network ap-fallback {enable | disable}

Syntax Description

enable     Enables the Cisco lightweight access point fallback.
disable    Disables the Cisco lightweight access point fallback.

Command Default

The Cisco lightweight access point fallback is enabled.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable the Cisco lightweight access point fallback:

(Cisco Controller) > config network ap-fallback enable


config network ap-priority

To enable or disable the option to prioritize lightweight access points so that after a controller failure they reauthenticate by priority rather than on a first-come-until-full basis, use the config network ap-priority command.

config network ap-priority {enable | disable}

Syntax Description

enable     Enables the lightweight access point priority reauthentication.
disable    Disables the lightweight access point priority reauthentication.

Command Default

The lightweight access point priority reauthentication is disabled.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable the lightweight access point priority reauthorization:

(Cisco Controller) > config network ap-priority enable


config network apple-talk

To configure AppleTalk bridging, use the config network apple-talk command.

config network apple-talk {enable | disable}

Syntax Description

enable     Enables the AppleTalk bridging.
disable    Disables the AppleTalk bridging.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure AppleTalk bridging:

(Cisco Controller) > config network apple-talk enable


config network arptimeout

To set the Address Resolution Protocol (ARP) entry timeout value, use the config network arptimeout command.

config network arptimeout seconds

Syntax Description

seconds    Timeout in seconds. The minimum value is 10 seconds. The default value is 300 seconds.

Command Default

The default ARP entry timeout value is 300 seconds.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

This example shows how to set the ARP entry timeout value to 240 seconds:

(Cisco Controller) > config network arptimeout 240

Related Commands

show network summary


config assisted-roaming

To configure assisted roaming parameters on the controller, use the config assisted-roaming command.

config assisted-roaming {denial-maximum count | floor-bias RSSI | prediction-minimum number_of_APs}

Syntax Description

denial-maximum        Configures the maximum number of counts for association denial.
count                 Maximum number of times that a client is denied for association when the association request that was sent to an access point does not match any access point on the prediction list. The range is from 1 to 10.
floor-bias            Configures the RSSI bias for access points on the same floor.
RSSI                  RSSI bias for access points on the same floor. The range is from 5 to 25. Access points on the same floor have more preference.
prediction-minimum    Configures the minimum number of optimized access points for the assisted roaming feature.
number_of_APs         Minimum number of optimized access points for the assisted roaming feature. The range is from 1 to 6. If the number of access points in the prediction assigned to the client is smaller than this number, the assisted roaming feature does not work.

Command Default

The default RSSI bias for access points on the same floor is 15 dBm.

Usage Guidelines

802.11k allows a client to request a neighbor report that contains information about known neighbor access points, which can be used for a service set transition. The neighbor list reduces the need for active and passive scanning.

Examples

This example shows how to configure the minimum number of optimized access points for the assisted roaming feature:

(Cisco Controller) > config assisted-roaming prediction-minimum 4


config network broadcast

To enable or disable broadcast packet forwarding, use the config network broadcast command.

config network broadcast {enable | disable}

Syntax Description

enable     Enables the broadcast packet forwarding.
disable    Disables the broadcast packet forwarding.

Command Default

The broadcast packet forwarding is disabled by default.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

This command allows you to enable or disable broadcasting. You must enable multicast mode before enabling broadcast forwarding. Use the config network multicast mode command to configure multicast mode on the controller.

Note

The default multicast mode is unicast in case of all controllers except for Cisco 2106 Controllers. The broadcast packets and multicast packets can be independently controlled. If multicast is off and broadcast is on, broadcast packets still reach the access points, based on the configured multicast mode.

Examples

The following example shows how to enable broadcast packet forwarding:

(Cisco Controller) > config network broadcast enable

Related Commands

show network summary
config network multicast global
config network multicast mode


config network fast-ssid-change

To enable or disable fast Service Set Identifier (SSID) changing for mobile stations, use the config network fast-ssid-change command.

config network fast-ssid-change {enable | disable}

Syntax Description

enable     Enables the fast SSID changing for mobile stations.
disable    Disables the fast SSID changing for mobile stations.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

When you enable the Fast SSID Change feature, the controller allows clients to move between SSIDs. When the client sends a new association for a different SSID, the client entry in the controller connection table is cleared before the client is added to the new SSID.

When you disable the Fast SSID Change feature, the controller enforces a delay before clients are allowed to move to a new SSID.

Examples

The following example shows how to enable the fast SSID changing for mobile stations:

(Cisco Controller) > config network fast-ssid-change enable

Related Commands

show network summary


config network ip-mac-binding

To validate the source IP address and MAC address binding within client packets, use the config network ip-mac-binding command.

config network ip-mac-binding {enable | disable}

Syntax Description

enable     Enables the validation of the source IP address to MAC address binding in client packets.
disable    Disables the validation of the source IP address to MAC address binding in client packets.

Command Default

The validation of the source IP address to MAC address binding in client packets is enabled by default.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

In controller software release 5.2, the controller enforces strict IP address-to-MAC address binding in client packets. The controller checks the IP address and MAC address in a packet, compares them to the addresses that are registered with the controller, and forwards the packet only if they both match. In previous releases, the controller checks only the MAC address of the client and ignores the IP address.

Note

You might want to disable this binding check if you have a routed network behind a workgroup bridge (WGB).

Examples

The following example shows how to validate the source IP and MAC address within client packets:

(Cisco Controller) > config network ip-mac-binding enable


config network link local bridging

To configure bridging of link local traffic at the local site, use the config network link-local-bridging command.

config network link-local-bridging {enable | disable}

Syntax Description

enable     Enables bridging of link local traffic at the local site.
disable    Disables bridging of link local traffic at the local site.

Command Default

Disabled

Command History

Release    Modification
8.0        This command was introduced.


config network master-base

To enable or disable the Cisco wireless LAN controller as an access point default master, use the config network master-base command.

config network master-base {enable | disable}

Syntax Description

enable     Enables the Cisco wireless LAN controller acting as a Cisco lightweight access point default master.
disable    Disables the Cisco wireless LAN controller acting as a Cisco lightweight access point default master.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

This setting is only used upon network installation and should be disabled after the initial network configuration. Because the Master Cisco wireless LAN controller is normally not used in a deployed network, the Master Cisco wireless LAN controller setting can be saved from 6.0.199.0 or later releases.

Examples

The following example shows how to enable the Cisco wireless LAN controller as a default master:

(Cisco Controller) > config network master-base enable


config network mgmt-via-wireless

To enable Cisco wireless LAN controller management from an associated wireless client, use the config network mgmt-via-wireless command.

config network mgmt-via-wireless {enable | disable}

Syntax Description

enable     Enables the switch management from a wireless interface.
disable    Disables the switch management from a wireless interface.

Command Default

The switch management from a wireless interface is disabled by default.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

This feature allows wireless clients to manage only the Cisco wireless LAN controller associated with the client and the associated Cisco lightweight access point. That is, clients cannot manage another Cisco wireless LAN controller with which they are not associated.

Examples

This example shows how to configure switch management from a wireless interface:

(Cisco Controller) > config network mgmt-via-wireless enable

Related Commands

show network summary
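The value ranges, defaults and usage guidelines stated in these command entries can be checked mechanically before a change script is applied to a controller. The following Python linter is an added example, not part of the Cisco reference: the function names, finding labels and sample script are constructed for illustration, and it covers only commands whose ranges or defaults are stated in this part of the reference.

```python
import re

PROMPT = re.compile(r"^\(Cisco Controller\)\s*>\s*")

# (pattern with one numeric group, minimum, maximum or None, whether 0 is a
# documented special value). Ranges are the ones stated in this reference.
RANGES = [
    (r"config netuser lifetime \S+ (\d+)", 60, 31536000, True),  # 0 = no limit
    (r"config netuser maxUserLogin (\d+)", 0, 8, False),         # 0 = unlimited
    (r"config network web-auth port (\d+)", 0, 65535, False),
    (r"config network arptimeout (\d+)", 10, None, False),       # minimum only
    (r"config network multicast igmp query interval (\d+)", 15, 2400, False),
    (r"config network multicast igmp timeout (\d+)", 30, 7200, False),
    (r"config network multicast mld query interval (\d+)", 15, 2400, False),
    (r"config network multicast mld timeout (\d+)", 30, 7200, False),
]

# Exact commands that move a setting away from the documented default or
# usage guideline toward the less restrictive state.
REVIEW = {
    "config network web-auth secureweb disable":
        "clients authenticate over HTTP; documented default is HTTPS enabled",
    "config network mgmt-via-wireless enable":
        "controller can be managed from wireless clients; default is disabled",
    "config network ip-mac-binding disable":
        "source IP-to-MAC validation is off; documented default is enabled",
    "config network master-base enable":
        "guideline: disable after the initial network configuration",
}

ALNUM_24 = re.compile(r"[A-Za-z0-9]{1,24}")


def lint_line(line):
    """Return a list of (kind, message) findings for one CLI line."""
    # Drop the prompt if present and collapse runs of whitespace.
    cmd = " ".join(PROMPT.sub("", line.strip()).split())
    findings = []
    for pattern, low, high, zero_special in RANGES:
        match = re.fullmatch(pattern, cmd)
        if not match:
            continue
        value = int(match.group(1))
        if zero_special and value == 0:
            continue
        if value < low or (high is not None and value > high):
            allowed = f"{low}-{high}" if high is not None else f">= {low}"
            findings.append(("range", f"{value} is outside {allowed}"))
    match = re.fullmatch(r"config netuser password (\S+) (\S+)", cmd)
    if match:
        # The message never echoes the credential itself.
        for label, text in zip(("username", "password"), match.groups()):
            if not ALNUM_24.fullmatch(text):
                findings.append(
                    ("format", f"{label} is not 1-24 alphanumeric characters"))
    match = re.fullmatch(r"config network bridging-shared-secret (\S+)", cmd)
    if match and len(match.group(1).encode("utf-8")) > 10:
        findings.append(("format", "shared secret exceeds 10 bytes"))
    if cmd in REVIEW:
        findings.append(("review", REVIEW[cmd]))
    return findings


def lint(script):
    """Lint a multi-line script; return (line_number, kind, message) tuples."""
    report = []
    for number, line in enumerate(script.splitlines(), start=1):
        for kind, message in lint_line(line):
            report.append((number, kind, message))
    return report


# Constructed sample input, not taken from a real controller.
SAMPLE = """\
(Cisco Controller) > config netuser lifetime guestuser1 22450
config netuser lifetime guestuser2 30
config netuser lifetime guestuser3 0
config netuser maxUserLogin 9
config netuser password aire1 p@ss
config network web-auth secureweb disable
config network mgmt-via-wireless enable
config network multicast igmp timeout 50
config network arptimeout 5
config network bridging-shared-secret shhh1
"""

if __name__ == "__main__":
    for number, kind, message in lint(SAMPLE):
        print(f"line {number}: [{kind}] {message}")
```

Findings of kind "review" are not errors: they mark commands that change a documented default or contradict a usage guideline, so the change can be confirmed as intentional.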


config network multicast global

To enable or disable multicasting on the controller, use the config network multicast global command.

config network multicast global {enable | disable}

Syntax Description

enable     Enables the multicast global support.
disable    Disables the multicast global support.

Command Default

Multicasting on the controller is disabled by default.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

The config network broadcast {enable | disable} command allows you to enable or disable broadcasting without enabling or disabling multicasting as well. This command uses the multicast mode configured on the controller (by using the config network multicast mode command) to operate.

Examples

The following example shows how to enable the global multicast support:

(Cisco Controller) > config network multicast global enable

Related Commands

show network summary
config network broadcast
config network multicast mode


config network multicast igmp query interval

To configure the IGMP query interval, use the config network multicast igmp query interval command.

config network multicast igmp query interval value

Syntax Description

value    Frequency at which controller sends IGMP query messages. The range is from 15 to 2400 seconds.

Command Default

The default IGMP query interval is 20 seconds.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

To configure IGMP query interval, ensure that you do the following:

• Enable the global multicast by entering the config network multicast global enable command.

• Enable IGMP snooping by entering the config network multicast igmp snooping enable command.

Examples

The following example shows how to configure the IGMP query interval at 20 seconds:

(Cisco Controller) > config network multicast igmp query interval 20

Related Commands

config network multicast global
config network multicast igmp snooping
config network multicast igmp timeout


config network multicast igmp snooping

To enable or disable IGMP snooping, use the config network multicast igmp snooping command.

config network multicast igmp snooping {enable | disable}

Syntax Description

enable     Enables IGMP snooping.
disable    Disables IGMP snooping.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable internet IGMP snooping settings:

(Cisco Controller) > config network multicast igmp snooping enable

Related Commands

config network multicast global
config network multicast igmp query interval
config network multicast igmp timeout


config network multicast igmp timeout

To set the IGMP timeout value, use the config network multicast igmp timeout command.

config network multicast igmp timeout value

Syntax Description

value    Timeout range from 30 to 7200 seconds.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

You can enter a timeout value between 30 and 7200 seconds. The controller sends three queries in one timeout value at an interval of timeout/3 to see if any clients exist for a particular multicast group. If the controller does not receive a response through an IGMP report from the client, the controller times out the client entry from the MGID table. When no clients are left for a particular multicast group, the controller waits for the IGMP timeout value to expire and then deletes the MGID entry from the controller. The controller always generates a general IGMP query (to destination address 224.0.0.1) and sends it on all WLANs with an MGID value of 1.

Examples

The following example shows how to configure the timeout value 50 for IGMP network settings:

(Cisco Controller) > config network multicast igmp timeout 50

Related Commands

config network multicast global
config network igmp snooping
config network multicast igmp query interval


config network multicast l2mcast config network multicast l2mcast

To configure the Layer 2 multicast on an interface or all interfaces, use the config network multicast l2mcast command.

config network multicast l2mcast {enable| disable {all | interface-name}

Syntax Description enable disable all

interface-name

Enables Layer 2 multicast.

Disables Layer 2 multicast.

Applies to all interfaces.

Interface name for which the Layer 2 multicast is to enabled or disabled.

Command Default

None

Command History

Release

7.6

Modification

This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable Layer 2 multicast for all interfaces:

(Cisco Controller) > config network multicast l2mcast enable all

Related Commands

config network multicast global

config network multicast igmp snooping

config network multicast igmp query interval

config network multicast mld


config network multicast mld

To configure the Multicast Listener Discovery (MLD) parameters, use the config network multicast mld command.

config network multicast mld {query interval interval-value | snooping {enable | disable} | timeout timeout-value}

Syntax Description

query interval

Configures query interval to send MLD query messages.

interval-value

Query interval in seconds. The range is from 15 to 2400 seconds.

snooping

Configures MLD snooping.

enable

Enables MLD snooping.

disable

Disables MLD snooping.

timeout

Configures MLD timeout.

timeout-value

Timeout value in seconds. The range is from 30 seconds to 7200 seconds.

Command Default

None

Command History

Release

7.6

Modification

This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to set a query interval of 20 seconds for MLD query messages:

(Cisco Controller) > config network multicast mld query interval 20

Related Commands

config network multicast global

config network multicast igmp snooping

config network multicast igmp query interval

config network multicast l2mcast


config network multicast mode multicast

To configure the controller to use the multicast method to send broadcast or multicast packets to an access point, use the config network multicast mode multicast command.

config network multicast mode multicast

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release

7.6

Modification

This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the multicast mode to send a single copy of data to multiple receivers:

(Cisco Controller) > config network multicast mode multicast

Related Commands

config network multicast global

config network broadcast

config network multicast mode unicast


config network multicast mode unicast

To configure the controller to use the unicast method to send broadcast or multicast packets to an access point, use the config network multicast mode unicast command.

config network multicast mode unicast

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release

7.6

Modification

This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the controller to use the unicast mode:

(Cisco Controller) > config network multicast mode unicast

Related Commands

config network multicast global

config network broadcast

config network multicast mode multicast


config network oeap-600 dual-rlan-ports

To configure the Ethernet port 3 of Cisco OfficeExtend 600 Series access points to operate as a remote LAN port in addition to port 4, use the config network oeap-600 dual-rlan-ports command.

config network oeap-600 dual-rlan-ports {enable | disable}

Syntax Description

enable

Enables Ethernet port 3 of Cisco OfficeExtend 600 Series access points to operate as a remote LAN port in addition to port 4.

disable

Resets the Ethernet port 3 of Cisco OfficeExtend 600 Series access points to function as a local LAN port.

Command Default

Ethernet port 3 of Cisco 600 Series OEAPs is reset to function as a local LAN port.

Command History

Release

7.6

Modification

This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable the Ethernet port 3 of Cisco OfficeExtend 600 Series access points to operate as a remote LAN port:

(Cisco Controller) > config network oeap-600 dual-rlan-ports enable


config network oeap-600 local-network

To configure access to the local network for the Cisco 600 Series OfficeExtend access points, use the config network oeap-600 local-network command.

config network oeap-600 local-network {enable | disable}

Syntax Description

enable

Enables access to the local network for the Cisco 600 Series OfficeExtend access points.

disable

Disables access to the local network for the Cisco 600 Series OfficeExtend access points.

Command Default

Access to the local network for the Cisco 600 Series OEAPs is disabled.

Command History

Release

7.6

Modification

This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable access to the local network for the Cisco 600 Series OfficeExtend access points:

(Cisco Controller) > config network oeap-600 local-network enable


config network otap-mode

To enable or disable over-the-air provisioning (OTAP) of Cisco lightweight access points, use the config network otap-mode command.

config network otap-mode {enable | disable}

Syntax Description

enable

Enables the OTAP provisioning.

disable

Disables the OTAP provisioning.

Command Default

The OTAP provisioning is enabled.

Command History

Release

7.6

Modification

This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to disable the OTAP provisioning:

(Cisco Controller) > config network otap-mode disable


config network profiling

To configure HTTP profiling on a specific port, use the config network profiling http-port command.

config network profiling http-port port number

Syntax Description

port number

Interface port number. Default value is 80.

Command History

Release

8.2

Modification

This command was introduced.

Examples

The following example shows how to configure the http port in a network:

(Cisco Controller) > config network profiling http-port 80


config opendns

To enable or disable open Domain Name System (DNS) on the Cisco Wireless Controller (WLC), use the config opendns command.

config opendns {enable | disable}

Syntax Description

enable

Enables the opendns global configuration.

disable

Disables the opendns global configuration.

Command Default

Open DNS is not configured.

Command Modes

Controller Config >

Command History

Release

8.4

Modification

This command was introduced.

Usage Guidelines

None

Examples

The following example shows how to enable open DNS on the Cisco WLC:

(Cisco Controller) > config opendns enable


config opendns api-token

To enable or disable OpenDNS API token help for registering on Cisco Wireless Controller (WLC), use the config opendns api-token command.

config opendns api-token api-token

Syntax Description

api-token

API token for the OpenDNS.

Command Modes

(Controller Configuration) >

Command History

Release

8.4

Modification

This command was introduced.

Usage Guidelines

None

Examples

The following example shows how to enable API token help for registering OpenDNS on the Cisco WLC:

(Cisco Controller) > config opendns api-token 12


config opendns forced

To enable or disable OpenDNS on Cisco Wireless Controller (WLC), use the config opendns forced command.

config opendns forced {enable | disable}

Syntax Description

enable

Enables the OpenDNS global configuration.

disable

Disables the OpenDNS global configuration.

Command Default

OpenDNS is not configured.

Command Modes

(Controller Configuration) >

Command History

Release

8.4

Modification

This command was introduced.

Usage Guidelines

None

Examples

The following example shows how to enable OpenDNS on Cisco WLC:

(Cisco Controller) > config opendns forced enable


config opendns profile

To configure a profile for the OpenDNS, which can be applied to a user group, or wireless LAN (WLAN), or site, use the config opendns profile command.

config opendns profile {create | delete | refresh} profile-name

Syntax Description

create

Creates an OpenDNS identity name.

delete

Removes an OpenDNS identity name.

refresh

Refreshes OpenDNS identity by retriggering the registration, irrespective of current state.

profile-name

OpenDNS identity name.

Command Default

OpenDNS profile is not created.

Command Modes

(Controller Configuration) >

Command History

Release

8.4

Modification

This command was introduced.

Usage Guidelines

None

Examples

The following example shows how to configure a profile for OpenDNS, which can be applied to a user group:

(Cisco Controller) > config opendns profile create usergroup1


config pmipv6 domain

To configure PMIPv6 and to enable Mobile Access Gateway (MAG) functionality on Cisco WLC, use the config pmipv6 domain command.

config pmipv6 domain domain_name

Syntax Description

domain_name

Name of the PMIPv6 domain. The domain name can be up to 127 case-sensitive, alphanumeric characters.

Command Default

None

Command History

Release

7.6

Modification

This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure a domain name for a PMIPv6 WLAN:

(Cisco Controller) > config pmipv6 domain floor1


config pmipv6 add profile

To create a Proxy Mobility IPv6 (PMIPv6) profile for the WLAN, use the config pmipv6 add profile command. You can configure PMIPv6 profiles based on a realm or a service set identifier (SSID).

config pmipv6 add profile profile_name nai {user@realm | @realm | *} lma lma_name apn apn_name

Syntax Description

profile_name

Name of the profile. The profile name is case sensitive and can be up to 127 alphanumeric characters.

nai

Specifies the Network Access Identifier of the client.

user@realm

Network Access Identifier of the client in the format user@realm. The NAI name is case sensitive and can be up to 127 alphanumeric characters.

@realm

Network Access Identifier of the client in the format @realm.

*

All Network Access Identifiers. You can have profiles based on an SSID for all users.

lma

Specifies the Local Mobility Anchor (LMA).

lma_name

Name of LMA. The LMA name is case sensitive and can be up to 127 alphanumeric characters.

apn

Specifies the access point.

apn_name

Name of the access point. The access point name is case sensitive and can be up to 127 alphanumeric characters.

Command Default

None

Command History

Release

7.6

Modification

This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

This command is a prerequisite for using PMIPv6 configuration commands if the controller uses open authentication.


Examples

The following example shows how to create a PMIPv6 profile:

(Cisco Controller) > config pmipv6 add profile profile1 nai @vodfone.com lma vodfonelma apn vodafoneapn


config pmipv6 delete

To delete a Proxy Mobility IPv6 (PMIPv6) profile, domain, or Local Mobility Anchor (LMA), use the config pmipv6 delete command.

config pmipv6 delete {profile profile_name nai {nai_id | all} | domain domain_name | lma lma_name}

Syntax Description

profile

Specifies the PMIPv6 profile.

profile_name

Name of the PMIPv6 profile. The profile name is case sensitive and can be up to 127 alphanumeric characters.

nai

Specifies the Network Access Identifier (NAI) of a mobile client.

nai_id

Network Access Identifier of a mobile client. The NAI is case sensitive and can be up to 127 alphanumeric characters.

all

Specifies all NAIs. When you delete all NAIs, the profile is deleted.

domain

Specifies the PMIPv6 domain.

domain_name

Name of the PMIPv6 domain. The domain name is case sensitive and can be up to 127 alphanumeric characters.

lma

Specifies the LMA.

lma_name

Name of the LMA. The LMA name is case sensitive and can be up to 127 alphanumeric characters.

Command Default

None

Command History

Release

7.6

Modification

This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to delete a domain:

(Cisco Controller) > config pmipv6 delete domain lab1


config pmipv6 mag apn

To configure an Access Point Name (APN) for a mobile access gateway (MAG), use the config pmipv6 mag apn command.

config pmipv6 mag apn apn-name

Syntax Description

apn-name

Access point name for the MAG.

Command Default

None

Command History

Release

8.0

Modification

This command was introduced.

Usage Guidelines

By default, the MAG role is WLAN. However, for the lightweight access points, MAG role should be configured as 3GPP. If the MAG role is 3GPP, it is mandatory to specify an APN for the MAG.

To delete an APN for a MAG, use the config pmipv6 delete mag apn apn-name command.

Examples

The following example shows how to add an APN for a MAG:

(Cisco Controller) > config pmipv6 mag apn myCiscoAP


config pmipv6 mag binding init-retx-time

To configure the initial timeout between the proxy binding updates (PBUs) when the Mobile Access Gateway (MAG) does not receive the proxy binding acknowledgements (PBAs), use the config pmipv6 mag binding init-retx-time command.

config pmipv6 mag binding init-retx-time units

Syntax Description

units

Initial timeout between the PBUs when the MAG does not receive the PBAs. The range is from 100 to 65535 seconds.

Command Default

The default initial timeout is 1000 seconds.

Command History

Release

7.6

Modification

This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the initial timeout between the PBUs when the MAG does not receive the PBAs:

(Cisco Controller) > config pmipv6 mag binding init-retx-time 500


config pmipv6 mag binding lifetime

To configure the lifetime of the binding entries in the Mobile Access Gateway (MAG), use the config pmipv6 mag binding lifetime command.

config pmipv6 mag binding lifetime units

Syntax Description

units

Lifetime of the binding entries in the MAG. The binding lifetime must be a multiple of 4 seconds. The range is from 10 to 65535 seconds.

Command Default

The default lifetime of the binding entries is 65535 seconds.

Command History

Release

7.6

Modification

This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

You must configure a Proxy Mobility IPv6 (PMIPv6) domain before you configure the lifetime of the binding entries in the controller.

Examples

The following example shows how to configure the lifetime of the binding entries in the controller:

(Cisco Controller) > config pmipv6 mag binding lifetime 5000


config pmipv6 mag binding max-retx-time

To configure the maximum timeout between the proxy binding updates (PBUs) when the Mobile Access Gateway (MAG) does not receive the proxy binding acknowledgments (PBAs), use the config pmipv6 mag binding max-retx-time command.

config pmipv6 mag binding max-retx-time units

Syntax Description

units

Maximum timeout between the PBUs when the MAG does not receive the PBAs. The range is from 100 to 65535 seconds.

Command Default

The default maximum timeout is 32000 seconds.

Command History

Release

7.6

Modification

This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the maximum timeout between the PBUs when the MAG does not receive the PBAs:

(Cisco Controller) > config pmipv6 mag binding max-retx-time 50


config pmipv6 mag binding maximum

To configure the maximum number of binding entries in the Mobile Access Gateway (MAG), use the config pmipv6 mag binding maximum command.

config pmipv6 mag binding maximum units

Syntax Description

units

Maximum number of binding entries in the MAG. This number indicates the maximum number of users connected to the MAG. The range is from 0 to 40000.

Command Default

The default maximum number of binding entries in the MAG is 10000.

Command History

Release

7.6

Modification

This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

You must configure a Proxy Mobility IPv6 (PMIPv6) domain before you configure the maximum number of binding entries in the MAG.

Examples

The following example shows how to configure the maximum number of binding entries in the MAG:

(Cisco Controller) > config pmipv6 mag binding maximum 20000


config pmipv6 mag binding refresh-time

To configure the refresh time of the binding entries in the MAG, use the config pmipv6 mag binding refresh-time command.

config pmipv6 mag binding refresh-time units

Syntax Description

units

Refresh time of the binding entries in the MAG. The binding refresh time must be a multiple of 4. The range is from 4 to 65535 seconds.

Command Default

The default refresh time of the binding entries in the MAG is 300 seconds.

Usage Guidelines

You must configure a PMIPv6 domain before you configure the refresh time of the binding entries in the MAG.

Examples

The following example shows how to configure the refresh time of the binding entries in the MAG:

(Cisco Controller) > config pmipv6 mag binding refresh-time 500


config pmipv6 mag bri delay

To configure the maximum or minimum amount of time that the MAG waits before retransmitting a Binding Revocation Indication (BRI) message, use the config pmipv6 mag bri delay command.

config pmipv6 mag bri delay {min | max} time

Syntax Description

min

Specifies the minimum amount of time that the MAG waits before retransmitting a BRI message.

max

Specifies the maximum amount of time that the MAG waits before retransmitting a BRI message.

time

Maximum or minimum amount of time that the Cisco WLC waits before retransmitting a BRI message. The range is from 500 to 65535 milliseconds.

Command Default

The default value of the maximum amount of time that the MAG waits before retransmitting a BRI message is 2 seconds.

The default value of the minimum amount of time that the MAG waits before retransmitting a BRI message is 1 second.

Command History

Release

7.6

Modification

This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the minimum amount of time that the MAG waits before retransmitting a BRI message:

(Cisco Controller) > config pmipv6 mag bri delay min 500


config pmipv6 mag bri retries

To configure the maximum number of times that the MAG retransmits the Binding Revocation Indication (BRI) message before receiving the Binding Revocation Acknowledgment (BRA) message, use the config pmipv6 mag bri retries command.

config pmipv6 mag bri retries retries

Syntax Description

retries

Maximum number of times that the MAG retransmits the BRI message before receiving the BRA message. The range is from 1 to 10 retries.

Command Default

The default is 1 retry.

Examples

The following example shows how to configure the maximum number of times that the MAG retries:

(Cisco Controller) > config pmipv6 mag bri retries 5


config pmipv6 mag lma

To configure a local mobility anchor (LMA) with the mobile access gateway (MAG), use the config pmipv6 mag lma command.

config pmipv6 mag lma lma_name ipv4-address address

Syntax Description

lma_name

Name of the LMA. The LMA name can be a NAI or a string that uniquely identifies the LMA.

ipv4-address

Specifies the IP address of the LMA.

address

IP address of the LMA.

Command Default

None

Command History

Release

7.6

Modification

This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

This command is a prerequisite to configure PMIPv6 parameters on the MAG.

Examples

The following example shows how to configure an LMA with the MAG:

(Cisco Controller) > config pmipv6 mag lma vodafonelma ipv4-address 209.165.200.254


config pmipv6 mag replay-protection

To configure the maximum amount of time difference between the timestamp in the received proxy binding acknowledgment (PBA) and the current time of the day for replay protection, use the config pmipv6 mag replay-protection command.

config pmipv6 mag replay-protection {timestamp window time | sequence-no sequence | mobile-node-timestamp mobile_node_timestamp}

Syntax Description

timestamp

Specifies the time stamp of the PBA message.

window

Specifies the maximum time difference between the time stamp in the received PBA message and the current time of day.

time

Maximum time difference between the time stamp in the received PBA message and the current time of day. The range is from 1 to 300 milliseconds.

sequence-no

(Optional) Specifies the sequence number in a Proxy Binding Update message.

sequence

(Optional) Sequence number in the Proxy Binding Update message.

mobile-node-timestamp

(Optional) Specifies the time stamp of the mobile node.

mobile_node_timestamp

(Optional) Time stamp of the mobile node.

Command Default

The default maximum time difference is 300 milliseconds.

Usage Guidelines

Only the timestamp option is supported.

Examples

The following example shows how to configure the maximum amount of time difference in milliseconds between the time stamp in the received PBA message and the current time of day:

(Cisco Controller) > config pmipv6 mag replay-protection timestamp window 200
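The timestamp-window comparison described above, as an added Python example (not Cisco code and not part of the original reference). It assumes the PBA carries the 64-bit Timestamp option format of RFC 5213 (48-bit seconds, 16-bit fraction in 1/65536 s); the function names, the reference instant T0 and the scenarios are constructed for illustration.

```python
import struct

# Limits for "timestamp window" as given in the command reference above.
WINDOW_MIN_MS, WINDOW_MAX_MS, WINDOW_DEFAULT_MS = 1, 300, 300

T0 = 1_495_065_600_000  # constructed reference instant, milliseconds since the epoch


def encode_timestamp(ms_since_epoch):
    """Build the 8-byte timestamp field (assumed RFC 5213 fixed-point layout)."""
    seconds, rem_ms = divmod(ms_since_epoch, 1000)
    frac = -(-rem_ms * 65536 // 1000)  # ceiling, so decoding returns the same millisecond
    return struct.pack("!Q", (seconds << 16) | frac)


def decode_timestamp(field):
    """Return milliseconds since the epoch from the 8-byte timestamp field."""
    if len(field) != 8:
        raise ValueError("timestamp field must be exactly 8 bytes")
    (raw,) = struct.unpack("!Q", field)
    return (raw >> 16) * 1000 + ((raw & 0xFFFF) * 1000) // 65536


def within_window(field, now_ms, window_ms=WINDOW_DEFAULT_MS):
    """True when |local time - message timestamp| does not exceed the window."""
    if not WINDOW_MIN_MS <= window_ms <= WINDOW_MAX_MS:
        raise ValueError("window must be between 1 and 300 milliseconds")
    return abs(now_ms - decode_timestamp(field)) <= window_ms


def scenarios(window_ms=200):
    """Evaluate four constructed arrivals against the configured window."""
    pba = encode_timestamp(T0)           # message stamped by the sender at T0
    skewed = encode_timestamp(T0 + 350)  # sender clock runs 350 ms ahead of the receiver
    return {
        "fresh, 40 ms in transit": within_window(pba, T0 + 40, window_ms),
        "same bytes seen again after 5 s": within_window(pba, T0 + 5000, window_ms),
        "same bytes seen again after 150 ms": within_window(pba, T0 + 150, window_ms),
        "fresh, sender clock 350 ms ahead": within_window(skewed, T0 + 40, window_ms),
    }


if __name__ == "__main__":
    for label, accepted in scenarios(200).items():
        print(f"{label:38s} {'accept' if accepted else 'reject'}")
```

The third row shows that a window comparison on its own still accepts a duplicate that arrives inside the window, and the fourth that clock skew larger than the window drops valid messages, so the clocks on both ends need to be synchronised to well under the configured value.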


config port power

To enable or disable Power over Ethernet (PoE) for a specific controller port or for all ports, use the config port power command.

config port power {all | port} {enable | disable}

Syntax Description

all

Configures all ports.

port

Port number.

enable

Enables the specified ports.

disable

Disables the specified ports.

Command Default

Enabled

Command History

Release

7.6

Modification

This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable PoE on all ports:

(Cisco Controller) > config port power all enable

The following example shows how to disable PoE on port 8:

(Cisco Controller) > config port power 8 disable


config policy action opendns-profile-name

To configure an OpenDNS action to a policy, use the config policy action opendns-profile-name command.

config policy policy-name action opendns-profile-name {enable | disable}

Syntax Description

policy-name

Policy name, for example, iPad, iPhone, smartphone.

enable

Enables the action.

disable

Disables the action.

Command Modes

(Controller Configuration) >

Command History

Release

8.4

Modification

This command was introduced.

Usage Guidelines

None

Examples

The following example shows how to configure an OpenDNS action to a policy:

(Cisco Controller) > config policy ipad action opendns-profile-name enable


config network rf-network-name

To set the RF-Network name, use the config network rf-network-name command.

config network rf-network-name name

Syntax Description

name

RF-Network name. The name can contain up to 19 characters.

Command Default

None

Command History

Release

7.6

Modification

This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to set the RF-network name to travelers:

(Cisco Controller) > config network rf-network-name travelers

Related Commands

show network summary


config network secureweb

To change the state of the secure web (HTTPS, that is, HTTP over SSL) interface for management users, use the config network secureweb command.

config network secureweb {enable | disable}

Syntax Description

enable

Enables the secure web interface for management users.

disable

Disables the secure web interface for management users.

Command Default

The secure web interface for management users is enabled by default.

Command History

Release

7.6

Modification

This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

This command allows management users to access the controller GUI using an http://ip-address. Web mode is not a secure connection.

Examples

The following example shows how to enable the secure web interface settings for management users:

(Cisco Controller) > config network secureweb enable

You must reboot for the change to take effect.

Related Commands

config network secureweb cipher-option

show network summary


config network secureweb cipher-option

To enable or disable secure web mode with increased security, or to enable or disable Secure Sockets Layer (SSL v2) for web administration and web authentication, use the config network secureweb cipher-option command.

config network secureweb cipher-option {high | sslv2 | rc4-preference} {enable | disable}

Syntax Description

high

Configures whether or not 128-bit ciphers are required for web administration and web authentication.

sslv2

Configures SSLv2 for both web administration and web authentication.

rc4-preference

Configures preference for RC4-SHA (Rivest Cipher 4-Secure Hash Algorithm) cipher suites (over CBC cipher suites) for web authentication and web administration.

enable

Enables the secure web interface.

disable

Disables the secure web interface.

Command Default

The default is disable for secure web mode with increased security and enable for SSL v2.

Command History

Release

7.6

Modification

This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

Note

The config network secureweb cipher-option command allows users to access the controller GUI using an http://ip-address but only from browsers that support 128-bit (or larger) ciphers.

When cipher-option sslv2 is disabled, users cannot connect using a browser configured with SSLv2 only. They must use a browser that is configured to use a more secure protocol such as SSLv3 or later.

In RC4-SHA based cipher suites, RC4 is used for encryption and SHA is used for message authentication.

Examples

The following example shows how to enable secure web mode with increased security:

(Cisco Controller) > config network secureweb cipher-option high enable


The following example shows how to disable SSL v2:

(Cisco Controller) > config network secureweb cipher-option sslv2 disable

Related Commands

config network secureweb

show network summary


config network ssh

To allow or disallow new Secure Shell (SSH) sessions, use the config network ssh command.

config network ssh {enable | disable}

Syntax Description

enable

Allows the new SSH sessions.

disable

Disallows the new SSH sessions.

Command Default

The default value for the new SSH session is disable.

Examples

The following example shows how to enable the new SSH session:

(Cisco Controller) > config network ssh enable

Related Commands

show network summary


config network telnet

To allow or disallow new Telnet sessions, use the config network telnet command.

config network telnet {enable | disable}

Syntax Description

enable

Allows new Telnet sessions.

disable

Disallows new Telnet sessions.

Command Default

By default, the new Telnet session is disallowed and the value is disable.

Usage Guidelines

Telnet is not supported on Cisco Aironet 1830 and 1850 Series Access Points.

Command History

Release

7.6

Modification

This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the new Telnet sessions:

(Cisco Controller) > config network telnet enable

Related Commands

config ap telnet

show network summary
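An added example (not Cisco code and not part of the original reference): a Python audit that replays a list of the secureweb, cipher-option, ssh and telnet commands documented above and reports management-access settings that differ from a hardening policy. The defaults are the ones stated in the sections above; the policy, the function names and the sample command list are assumptions constructed for illustration.

```python
import re

# Defaults as stated in the command reference sections above.
# No default is stated for rc4-preference, so it starts as unknown (None).
DEFAULTS = {
    "secureweb": "enable",
    "secureweb cipher-option high": "disable",
    "secureweb cipher-option sslv2": "enable",
    "secureweb cipher-option rc4-preference": None,
    "ssh": "disable",
    "telnet": "disable",
}

# Assumed hardening policy for this example (not a Cisco recommendation).
POLICY = {
    "secureweb": "enable",
    "secureweb cipher-option high": "enable",
    "secureweb cipher-option sslv2": "disable",
    "secureweb cipher-option rc4-preference": "disable",
    "telnet": "disable",
}

PROMPT = re.compile(r"^\(Cisco Controller\)\s*>\s*")
RELEVANT = re.compile(r"^config network (secureweb|ssh|telnet)\b")
COMMAND = re.compile(
    r"^config network (?P<key>secureweb(?: cipher-option (?:high|sslv2|rc4-preference))?"
    r"|ssh|telnet) (?P<state>enable|disable)$"
)

# Constructed sample: a command list as it might be pasted from a change ticket.
SAMPLE = """\
(Cisco Controller) > config network secureweb enable
(Cisco Controller) > config network telnet enable
config network secureweb cipher-option sslv2 disable
config network secureweb cipher-option
config network usertimeout 1200
config network telnet disable
"""


def effective_settings(lines):
    """Replay the commands in order; return (final state, rejected lines)."""
    state = dict(DEFAULTS)
    rejected = []
    for raw in lines:
        cmd = " ".join(PROMPT.sub("", raw.strip()).split())
        if not RELEVANT.match(cmd):
            continue  # blank line or a command this audit does not cover
        match = COMMAND.match(cmd)
        if match is None:
            rejected.append(cmd)  # does not fit the documented syntax
        else:
            state[match.group("key")] = match.group("state")  # last write wins
    return state, rejected


def audit(lines):
    """Return (setting, actual, wanted) for each setting that violates POLICY."""
    state, _ = effective_settings(lines)
    return [(key, state[key], want) for key, want in POLICY.items() if state[key] != want]


if __name__ == "__main__":
    final, bad = effective_settings(SAMPLE.splitlines())
    for key, actual, want in audit(SAMPLE.splitlines()):
        print(f"FINDING {key}: is {actual or 'not stated'}, policy wants {want}")
    for cmd in bad:
        print(f"REJECTED (incomplete or malformed): {cmd}")
```

A setting reported as not stated means the list never set it and the reference gives no default, so it should be set explicitly rather than assumed.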


config network usertimeout

To change the timeout for idle client sessions, use the config network usertimeout command.

config network usertimeout seconds

Syntax Description

seconds

Timeout duration in seconds. The minimum value is 90 seconds. The default value is 300 seconds.

Command Default

The default timeout value for idle client session is 300 seconds.

Usage Guidelines

Use this command to set the idle client session duration on the Cisco wireless LAN controller. The minimum duration is 90 seconds.

Examples

The following example shows how to configure the idle session timeout to 1200 seconds:

(Cisco Controller) > config network usertimeout 1200

Related Commands

show network summary


config network web-auth captive-bypass

To configure the controller to support bypass of captive portals at the network level, use the config network web-auth captive-bypass command.

config network web-auth captive-bypass {enable | disable}

Syntax Description

enable

Allows the controller to support bypass of captive portals.

disable

Prevents the controller from supporting bypass of captive portals.

Command Default

None

Examples

The following example shows how to configure the controller to support bypass of captive portals:

(Cisco Controller) > config network web-auth captive-bypass enable

Related Commands

show network summary

config network web-auth cmcc-support


config network web-auth cmcc-support

To configure eWalk on the controller, use the config network web-auth cmcc-support command.

config network web-auth cmcc-support {enable | disable}

Syntax Description

enable

Enables eWalk on the controller.

disable

Disables eWalk on the controller.

Command Default

None

Examples

The following example shows how to enable eWalk on the controller:

(Cisco Controller) >

config network web-auth cmcc-support enable

Related Commands show network summary config network web-auth captive-bypass

config network web-auth port

To configure an additional port to be redirected for web authentication at the network level, use the config network web-auth port command.

config network web-auth port port

Syntax Description

port    Port number. The valid range is from 0 to 65535.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure an additional port number 1200 to be redirected for web authentication:

(Cisco Controller) > config network web-auth port 1200

Related Commands

show network summary

config network web-auth proxy-redirect

To configure proxy redirect support for web authentication clients, use the config network web-auth proxy-redirect command.

config network web-auth proxy-redirect {enable | disable}

Syntax Description

enable     Allows proxy redirect support for web authentication clients.
disable    Disallows proxy redirect support for web authentication clients.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable proxy redirect support for web authentication clients:

(Cisco Controller) > config network web-auth proxy-redirect enable

Related Commands

show network summary

config network web-auth secureweb

To configure the secure web (https) authentication for clients, use the config network web-auth secureweb command.

config network web-auth secureweb {enable | disable}

Syntax Description

enable     Allows secure web (https) authentication for clients.
disable    Disallows secure web (https) authentication for clients. Enables http web authentication for clients.

Command Default

The default secure web (https) authentication for clients is enabled.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

If you configure the secure web (https) authentication for clients using the config network web-auth secureweb disable command, then you must reboot the Cisco WLC to implement the change.

Examples

The following example shows how to enable the secure web (https) authentication for clients:

(Cisco Controller) > config network web-auth secureweb enable

Related Commands

show network summary

config network web-auth https-redirect

To configure https redirect support for web authentication clients, use the config network web-auth https-redirect command.

config network web-auth https-redirect {enable | disable}

Syntax Description

enable     Enables the secure redirection (https) for web-authentication clients.
disable    Disables the secure redirection (https) for web-authentication clients.

Command Default

This command is disabled by default.

Command History

Release    Modification
8.0        This command was introduced in Release 8.0.

Examples

The following example shows how to enable https redirect support for web authentication clients:

(Cisco Controller) > config network web-auth https-redirect enable

Related Commands

show network summary

config network webmode

To enable or disable the web mode, use the config network webmode command.

config network webmode {enable | disable}

Syntax Description

enable     Enables the web interface.
disable    Disables the web interface.

Command Default

The default value for the web mode is enable.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to disable the web interface mode:

(Cisco Controller) > config network webmode disable

Related Commands

show network summary

config network web-auth

To configure the network-level web authentication options, use the config network web-auth command.

config network web-auth {port port-number} | {proxy-redirect {enable | disable}}

Syntax Description

port              Configures additional ports for web authentication redirection.
port-number       Port number (between 0 and 65535).
proxy-redirect    Configures proxy redirect support for web authentication clients.
enable            Enables proxy redirect support for web authentication clients.
                  Note: Web-auth proxy redirection will be enabled for ports 80, 8080, and 3128, along with user defined port 345.
disable           Disables proxy redirect support for web authentication clients.

Command Default

The default network-level web authentication value is disabled.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

You must reset the system for the configuration to take effect.

Examples

The following example shows how to enable proxy redirect support for web authentication clients:

(Cisco Controller) > config network web-auth proxy-redirect enable

Related Commands

show network summary
show run-config
config qos protocol-type

config network zero-config

To configure bridge access point ZeroConfig support, use the config network zero-config command.

config network zero-config {enable | disable}

Syntax Description

enable     Enables the bridge access point ZeroConfig support.
disable    Disables the bridge access point ZeroConfig support.

Command Default

The bridge access point ZeroConfig support is enabled.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable the bridge access point ZeroConfig support:

(Cisco Controller) > config network zero-config enable

config network allow-old-bridge-aps

To configure an old bridge access point’s ability to associate with a switch, use the config network allow-old-bridge-aps command.

config network allow-old-bridge-aps {enable | disable}

Syntax Description

enable     Enables the switch association.
disable    Disables the switch association.

Command Default

Switch association is enabled.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure an old bridge access point to associate with the switch:

(Cisco Controller) > config network allow-old-bridge-aps enable

config network ap-discovery

To enable or disable NAT IP in an AP discovery response, use the config network ap-discovery command.

config network ap-discovery nat-ip-only {enable | disable}

Syntax Description

enable     Enables use of NAT IP only in discovery response.
disable    Enables use of both NAT IP and non NAT IP in discovery response.

Command Default

The use of NAT IP only in discovery response is enabled.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

If the config interface nat-address management command is set, this command controls which address(es) are sent in the CAPWAP discovery responses.

If all APs are on the outside of the NAT gateway of the controller, enter the config network ap-discovery nat-ip-only enable command, and only the management NAT address is sent.

If the controller has both APs on the outside and the inside of its NAT gateway, enter the config network ap-discovery nat-ip-only disable command, and both the management NAT address and the management inside address are sent. Ensure that you have entered the config ap link-latency disable all command to avoid stranding APs.

Examples

The following example shows how to enable NAT IP in an AP discovery response:

(Cisco Controller) > config network ap-discovery nat-ip-only enable

config network ap-fallback

To configure Cisco lightweight access point fallback, use the config network ap-fallback command.

config network ap-fallback {enable | disable}

Syntax Description

enable     Enables the Cisco lightweight access point fallback.
disable    Disables the Cisco lightweight access point fallback.

Command Default

The Cisco lightweight access point fallback is enabled.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable the Cisco lightweight access point fallback:

(Cisco Controller) > config network ap-fallback enable

config network ap-priority

To enable or disable the option to prioritize lightweight access points so that after a controller failure they reauthenticate by priority rather than on a first-come-until-full basis, use the config network ap-priority command.

config network ap-priority {enable | disable}

Syntax Description

enable     Enables the lightweight access point priority reauthentication.
disable    Disables the lightweight access point priority reauthentication.

Command Default

The lightweight access point priority reauthentication is disabled.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable the lightweight access point priority reauthorization:

(Cisco Controller) > config network ap-priority enable

config network apple-talk

To configure AppleTalk bridging, use the config network apple-talk command.

config network apple-talk {enable | disable}

Syntax Description

enable     Enables the AppleTalk bridging.
disable    Disables the AppleTalk bridging.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure AppleTalk bridging:

(Cisco Controller) > config network apple-talk enable

config network bridging-shared-secret

To configure the bridging shared secret, use the config network bridging-shared-secret command.

config network bridging-shared-secret shared_secret

Syntax Description

shared_secret    Bridging shared secret string. The string can contain up to 10 bytes.

Command Default

The bridging shared secret is enabled by default.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

This command creates a secret that encrypts backhaul user data for the mesh access points that connect to the switch.

The zero-touch configuration must be enabled for this command to work.

Examples

The following example shows how to configure the bridging shared secret string “shhh1”:

(Cisco Controller) > config network bridging-shared-secret shhh1

Related Commands

show network summary

config network master-base

To enable or disable the Cisco wireless LAN controller as an access point default master, use the config network master-base command.

config network master-base {enable | disable}

Syntax Description

enable     Enables the Cisco wireless LAN controller acting as a Cisco lightweight access point default master.
disable    Disables the Cisco wireless LAN controller acting as a Cisco lightweight access point default master.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

This setting is only used upon network installation and should be disabled after the initial network configuration.

Because the Master Cisco wireless LAN controller is normally not used in a deployed network, the Master Cisco wireless LAN controller setting can be saved from 6.0.199.0 or later releases.

Examples

The following example shows how to enable the Cisco wireless LAN controller as a default master:

(Cisco Controller) > config network master-base enable

config network oeap-600 dual-rlan-ports

To configure the Ethernet port 3 of Cisco OfficeExtend 600 Series access points to operate as a remote LAN port in addition to port 4, use the config network oeap-600 dual-rlan-ports command.

config network oeap-600 dual-rlan-ports {enable | disable}

Syntax Description

enable     Enables Ethernet port 3 of Cisco OfficeExtend 600 Series access points to operate as a remote LAN port in addition to port 4.
disable    Resets the Ethernet port 3 Cisco OfficeExtend 600 Series access points to function as a local LAN port.

Command Default

The Ethernet port 3 Cisco 600 Series OEAP is reset.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable the Ethernet port 3 of Cisco OfficeExtend 600 Series access points to operate as a remote LAN port:

(Cisco Controller) > config network oeap-600 dual-rlan-ports enable

config network oeap-600 local-network

To configure access to the local network for the Cisco 600 Series OfficeExtend access points, use the config network oeap-600 local-network command.

config network oeap-600 local-network {enable | disable}

Syntax Description

enable     Enables access to the local network for the Cisco 600 Series OfficeExtend access points.
disable    Disables access to the local network for the Cisco 600 Series OfficeExtend access points.

Command Default

Access to the local network for the Cisco 600 Series OEAPs is disabled.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable access to the local network for the Cisco 600 Series OfficeExtend access points:

(Cisco Controller) > config network oeap-600 local-network enable

config network otap-mode

To enable or disable over-the-air provisioning (OTAP) of Cisco lightweight access points, use the config network otap-mode command.

config network otap-mode {enable | disable}

Syntax Description

enable     Enables the OTAP provisioning.
disable    Disables the OTAP provisioning.

Command Default

The OTAP provisioning is enabled.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to disable the OTAP provisioning:

(Cisco Controller) > config network otap-mode disable

config nmsp notify-interval measurement

To modify the Network Mobility Services Protocol (NMSP) notification interval value on the controller to address latency in the network, use the config nmsp notify-interval measurement command.

config nmsp notify-interval measurement {client | rfid | rogue} interval

Syntax Description

client      Modifies the interval for clients.
rfid        Modifies the interval for active radio frequency identification (RFID) tags.
rogue       Modifies the interval for rogue access points and rogue clients.
interval    Time interval. The range is from 1 to 30 seconds.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

The TCP port (16113) that the controller and location appliance communicate over must be open (not blocked) on any firewall that exists between the controller and the location appliance for NMSP to function.

Examples

The following example shows how to modify the NMSP notification interval for the active RFID tags to 25 seconds:

(Cisco Controller) > config nmsp notify-interval measurement rfid 25

Related Commands

clear locp statistics
clear nmsp statistics
show nmsp notify-interval summary
show nmsp statistics
show nmsp status

config paging

To enable or disable scrolling of the page, use the config paging command.

config paging {enable | disable}

Syntax Description

enable     Enables the scrolling of the page.
disable    Disables the scrolling of the page.

Command Default

By default, scrolling of the page is enabled.

Usage Guidelines

Commands that produce a huge number of lines of output with the scrolling of the page disabled might result in the termination of SSH/Telnet connection or user session on the console.

Examples

The following example shows how to enable scrolling of the page:

(Cisco Controller) > config paging enable

Related Commands

show run-config

config passwd-cleartext

To enable or disable temporary display of passwords in plain text, use the config passwd-cleartext command.

config passwd-cleartext {enable | disable}

Syntax Description

enable     Enables the display of passwords in plain text.
disable    Disables the display of passwords in plain text.

Command Default

By default, temporary display of passwords in plain text is disabled.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

This command must be enabled if you want to see user-assigned passwords displayed in clear text when using the show run-config command.

To execute this command, you must enter an admin password. This command is valid only for this particular session. It is not saved following a reboot.

Examples

The following example shows how to enable display of passwords in plain text:

(Cisco Controller) > config passwd-cleartext enable
The way you see your passwds will be changed
You are being warned.
Enter admin password:

Related Commands

show run-config
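Added example (not part of the Cisco reference): a Python linter that checks a list of CLI lines against the argument limits documented in this section (config network usertimeout, config network web-auth port, config network bridging-shared-secret, config nmsp notify-interval measurement) and flags config network telnet enable, config network web-auth secureweb disable, and config passwd-cleartext enable for security review. The function names, the finding format, and the sample script are assumptions constructed for illustration.

```python
import re

# Prompt shown in the examples on this page; stripped if a line was pasted with it.
PROMPT = re.compile(r"^\(Cisco Controller\)\s*>\s*")


def integer_argument(low, high=None):
    """Return a checker for exactly one integer argument within [low, high]."""
    def check(args):
        if len(args) != 1 or not re.fullmatch(r"[0-9]+", args[0]):
            return "expects exactly one non-negative integer"
        value = int(args[0])
        if value < low or (high is not None and value > high):
            bound = f"{low}-{high}" if high is not None else f"{low} or more"
            return f"value {value} is outside the documented range ({bound})"
        return None
    return check


def shared_secret(args):
    """The bridging shared secret string can contain up to 10 bytes."""
    if len(args) != 1:
        return "expects exactly one shared_secret string"
    if len(args[0].encode("utf-8")) > 10:
        return "shared secret is longer than the documented 10 bytes"
    return None


def nmsp_interval(args):
    """Syntax: {client | rfid | rogue} interval, with interval from 1 to 30."""
    if len(args) != 2 or args[0] not in ("client", "rfid", "rogue"):
        return "expects {client | rfid | rogue} followed by an interval"
    return integer_argument(1, 30)(args[1:])


# Argument limits copied from the syntax descriptions in this section.
ARGUMENT_RULES = {
    "config network usertimeout": integer_argument(90),
    "config network web-auth port": integer_argument(0, 65535),
    "config network bridging-shared-secret": shared_secret,
    "config nmsp notify-interval measurement": nmsp_interval,
}

# Valid commands that weaken confidentiality and deserve a reviewer's sign-off.
REVIEW_NOTES = {
    "config network telnet enable":
        "Telnet management sessions are not encrypted",
    "config network web-auth secureweb disable":
        "client web authentication uses http instead of https",
    "config passwd-cleartext enable":
        "show run-config displays user-assigned passwords in clear text",
}


def audit(lines):
    """Return (line_number, kind, message) for every line that needs attention."""
    findings = []
    for number, raw in enumerate(lines, start=1):
        # Drop the prompt and collapse repeated whitespace before matching.
        command = " ".join(PROMPT.sub("", raw.strip()).split())
        if not command:
            continue
        if command in REVIEW_NOTES:
            findings.append((number, "review", REVIEW_NOTES[command]))
            continue
        for prefix, check in ARGUMENT_RULES.items():
            if command == prefix or command.startswith(prefix + " "):
                error = check(command[len(prefix):].split())
                if error:
                    findings.append((number, "invalid", f"{prefix}: {error}"))
                break
    return findings


# Constructed sample change script (not taken from a real controller).
SAMPLE_SCRIPT = """\
(Cisco Controller) > config network telnet enable
config network usertimeout 60
config network usertimeout 1200
config network web-auth port 70000
config network web-auth secureweb disable
config network bridging-shared-secret averylongsecret
config nmsp notify-interval measurement rfid 25
config nmsp notify-interval measurement rogue 45
config passwd-cleartext enable
""".splitlines()

if __name__ == "__main__":
    for line_number, kind, message in audit(SAMPLE_SCRIPT):
        print(f"line {line_number}: [{kind}] {message}")
```

Lines that match none of the listed commands pass through unreported, so the linter can be run over a full change script before it is pasted into the controller CLI.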

config policy

To configure a native profiling policy on the Cisco Wireless LAN Controller (WLC), use the config policy command.

config policy policy_name {action {acl {enable | disable} acl_name | {average-data-rate | average-realtime-rate | burst-data-rate | burst-realtime-rate | qos | session-timeout | sleeping-client-timeout | vlan} {enable | disable}}} | active {add hours start_time end_time days day | delete days day} | create | delete | match {device-type {add | delete} device-type | eap-type {add | delete} {eap-fast | eap-tls | leap | peap} | role {role_name | none}}

Syntax Description

policy_name                Name of a profiling policy.
action                     Configures an action for the policy.
acl                        Configures an ACL for the policy.
enable                     Enables an action for the policy.
disable                    Disables an action for the policy.
acl_name                   Name of an ACL.
average-data-rate          Configures the QoS average data rate.
average-realtime-rate      Configures the QoS average real-time rate.
burst-data-rate            Configures the QoS burst data rate.
burst-realtime-rate        Configures the QoS burst real-time rate.
qos                        Configures a QoS action for the policy.
session-timeout            Configures a session timeout action for the policy.
sleeping-client-timeout    Configures a sleeping client timeout for the policy.
vlan                       Configures a VLAN action for the policy.
active                     Configures the active hours and days for the policy.
add                        Adds active hours and days.
hours                      Configures active hours for the policy.
start_time                 Start time for the policy.
end_time                   End time for the policy.
days                       Configures the days on which the policy must work.
day                        Day of the week, such as mon, tue, wed, thu, fri, sat, sun. You can also specify daily or weekdays for the policy to occur daily or on all weekdays.
delete                     Deletes active hours and days.
create                     Creates a policy.
match                      Configures a match criteria for the policy.
device-type                Configures a device type match.
device-type                Device type on which the policy must be applied. You can configure up to 16 device types for a policy.
eap-type                   Configures the Extensible Authentication Protocol (EAP) type as a match criteria.
eap-fast                   Configures the EAP type as EAP Flexible Authentication via Secure Tunneling (FAST).
eap-tls                    Configures the EAP type as EAP Transport Layer Security (TLS).
leap                       Configures the EAP type as Lightweight EAP (LEAP).
peap                       Configures the EAP type as Protected EAP (PEAP).
role                       Configures the user type or user group for the user.
role_name                  User type or user group of the user, for example, student, employee. You can configure only one role per policy.
none                       Configures no user type or user group for the user.

Command Default

There is no native profiling policy on the Cisco WLC.

Command History

Release    Modification
7.5        This command was introduced.

Usage Guidelines

The maximum number of policies that you can configure is 64.

Examples

The following example shows how to configure a role for a policy:

(Cisco Controller) > config policy student_policy role student

config port adminmode

To enable or disable the administrative mode for a specific controller port or for all ports, use the config port adminmode command.

config port adminmode {all | port} {enable | disable}

Syntax Description

all        Configures all ports.
port       Number of the port.
enable     Enables the specified ports.
disable    Disables the specified ports.

Command Default

Enabled

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to disable port 8:

(Cisco Controller) > config port adminmode 8 disable

The following example shows how to enable all ports:

(Cisco Controller) > config port adminmode all enable

config port autoneg

To configure 10/100BASE-T Ethernet ports for physical port autonegotiation, use the config port autoneg command.

config port autoneg {all | port} {enable | disable}

Syntax Description

all        Configures all ports.
port       Number of the port.
enable     Enables the specified ports.
disable    Disables the specified ports.

Command Default

The default for all ports is that auto-negotiation is enabled.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

You must disable port auto-configuration before you make physical mode manual settings by using the config port physicalmode command. The config port autoneg command overrides settings that you made using the config port physicalmode command.

Examples

The following example shows how to turn on physical port autonegotiation for all front-panel Ethernet ports:

(Cisco Controller) > config port autoneg all enable

The following example shows how to disable physical port autonegotiation for front-panel Ethernet port 19:

(Cisco Controller) > config port autoneg 19 disable

config port linktrap

To enable or disable the up and down link traps for a specific controller port or for all ports, use the config port linktrap command.

config port linktrap {all | port} {enable | disable}

Syntax Description

all        Configures all ports.
port       Number of the port.
enable     Enables the specified ports.
disable    Disables the specified ports.

Command Default

The default value for down link traps for a specific controller port or for all ports is enabled.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to disable port 8 traps:

(Cisco Controller) > config port linktrap 8 disable

The following example shows how to enable all port traps:

(Cisco Controller) > config port linktrap all enable

config port multicast appliance

To enable or disable the multicast appliance service for a specific controller port or for all ports, use the config port multicast appliance command.

config port multicast appliance {all | port} {enable | disable}

Syntax Description

all        Configures all ports.
port       Number of the port.
enable     Enables the specified ports.
disable    Disables the specified ports.

Command Default

The default multicast appliance service for a specific controller port or for all ports is enabled.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable multicast appliance service on all ports:

(Cisco Controller) > config port multicast appliance all enable

The following example shows how to disable multicast appliance service on port 8:

(Cisco Controller) > config port multicast appliance 8 disable

config prompt

To change the CLI system prompt, use the config prompt command.

config prompt prompt

Syntax Description

prompt    New CLI system prompt enclosed in double quotes. The prompt can be up to 31 alphanumeric characters and is case sensitive.

Command Default

The system prompt is configured using the startup wizard.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

Because the system prompt is a user-defined variable, it is omitted from the rest of this documentation.

Examples

The following example shows how to change the CLI system prompt to Cisco 4400:

(Cisco Controller) > config prompt "Cisco 4400"

config qos average-data-rate

To define the average data rate in Kbps for TCP traffic per user or per service set identifier (SSID), use the config qos average-data-rate command.

config qos average-data-rate {bronze | silver | gold | platinum} {per-ssid | per-client} {downstream | upstream} rate

Syntax Description

bronze        Specifies the average data rate for the queue bronze.
silver        Specifies the average data rate for the queue silver.
gold          Specifies the average data rate for the queue gold.
platinum      Specifies the average data rate for the queue platinum.
per-ssid      Configures the rate limit for an SSID per radio. The combined traffic of all clients will not exceed this limit.
per-client    Configures the rate limit for each client associated with the SSID.
downstream    Configures the rate limit for downstream traffic.
upstream      Configures the rate limit for upstream traffic.
rate          Average data rate for TCP traffic per user. A value between 0 and 512,000 Kbps (inclusive). A value of 0 imposes no bandwidth restriction on the QoS profile.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the average data rate 0 Kbps for the queue gold per SSID:

(Cisco Controller) > config qos average-data-rate gold per-ssid downstream 0

Related Commands

config qos burst-data-rate
config qos average-realtime-rate
config qos burst-realtime-rate
config wlan override-rate-limit

config qos average-realtime-rate

To define the average real-time data rate in Kbps for UDP traffic per user or per service set identifier (SSID), use the config qos average-realtime-rate command.

config qos average-realtime-rate {bronze | silver | gold | platinum} {per-ssid | per-client} {downstream | upstream} rate

Syntax Description

bronze        Specifies the average real-time data rate for the queue bronze.
silver        Specifies the average real-time data rate for the queue silver.
gold          Specifies the average real-time data rate for the queue gold.
platinum      Specifies the average real-time data rate for the queue platinum.
per-ssid      Configures the rate limit for an SSID per radio. The combined traffic of all clients will not exceed this limit.
per-client    Configures the rate limit for each client associated with the SSID.
downstream    Configures the rate limit for downstream traffic.
upstream      Configures the rate limit for upstream traffic.
rate          Average real-time data rate for UDP traffic per user. A value between 0 and 512,000 Kbps (inclusive). A value of 0 imposes no bandwidth restriction on the QoS profile.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the average real-time actual rate for queue gold:

(Cisco Controller) > config qos average-realtime-rate gold per-ssid downstream 10

Related Commands

config qos average-data-rate
config qos burst-data-rate
config qos burst-realtime-rate
config wlan override-rate-limit

config qos burst-data-rate

To define the peak data rate in Kbps for TCP traffic per user or per service set identifier (SSID), use the config qos burst-data-rate command.

config qos burst-data-rate {bronze | silver | gold | platinum} {per-ssid | per-client} {downstream | upstream} rate

Syntax Description

bronze        Specifies the peak data rate for the queue bronze.
silver        Specifies the peak data rate for the queue silver.
gold          Specifies the peak data rate for the queue gold.
platinum      Specifies the peak data rate for the queue platinum.
per-ssid      Configures the rate limit for an SSID per radio. The combined traffic of all clients will not exceed this limit.
per-client    Configures the rate limit for each client associated with the SSID.
downstream    Configures the rate limit for downstream traffic.
upstream      Configures the rate limit for upstream traffic.
rate          Peak data rate for TCP traffic per user. A value between 0 and 512,000 Kbps (inclusive). A value of 0 imposes no bandwidth restriction on the QoS profile.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the peak rate 30000 Kbps for the queue gold:

(Cisco Controller) > config qos burst-data-rate gold per-ssid downstream 30000

Related Commands

config qos average-data-rate
config qos average-realtime-rate
config qos burst-realtime-rate
config wlan override-rate-limit

Cisco Wireless Controller Command Reference, Release 8.4

821

config qos burst-realtime-rate

To define the burst real-time data rate in Kbps for UDP traffic per user or per service set identifier (SSID), use the config qos burst-realtime-rate command.

config qos burst-realtime-rate {bronze | silver | gold | platinum} {per-ssid | per-client} {downstream | upstream} rate

Syntax Description

bronze        Specifies the burst real-time data rate for the queue bronze.
silver        Specifies the burst real-time data rate for the queue silver.
gold          Specifies the burst real-time data rate for the queue gold.
platinum      Specifies the burst real-time data rate for the queue platinum.
per-ssid      Configures the rate limit for an SSID per radio. The combined traffic of all clients will not exceed this limit.
per-client    Configures the rate limit for each client associated with the SSID.
downstream    Configures the rate limit for downstream traffic.
upstream      Configures the rate limit for upstream traffic.
rate          Burst real-time data rate for UDP traffic per user. A value between 0 and 512,000 Kbps (inclusive). A value of 0 imposes no bandwidth restriction on the QoS profile.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the burst real-time actual rate 2000 Kbps for the queue gold:

(Cisco Controller) > config qos burst-realtime-rate gold per-ssid downstream 2000

Related Commands

config qos average-data-rate
config qos burst-data-rate
config qos average-realtime-rate
config wlan override-rate-limit

config qos description

To change the profile description, use the config qos description command.

config qos description {bronze | silver | gold | platinum} description

Syntax Description

bronze         Specifies the QoS profile description for the queue bronze.
silver         Specifies the QoS profile description for the queue silver.
gold           Specifies the QoS profile description for the queue gold.
platinum       Specifies the QoS profile description for the queue platinum.
description    QoS profile description.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the QoS profile description “description” for the queue gold:

(Cisco Controller) > config qos description gold abc

Related Commands

show qos average-data-rate
config qos burst-data-rate
config qos average-realtime-rate
config qos burst-realtime-rate
config qos max-rf-usage

config qos fastlane

To enable the Fastlane QoS feature on each WLAN, use the config qos fastlane command.

config qos fastlane {enable | disable} wlan-id

Syntax Description

enable     Enables Fastlane QoS on each WLAN.
disable    Disables Fastlane QoS on each WLAN.
wlan-id    WLAN identifier.

Command Default

Fastlane is not configured.

Command Modes

WLAN configuration

Command History

Release    Modification
8.3        This command was introduced.

Examples

The following example shows how to configure Fastlane QoS on each WLAN:

Controller(config)# config qos fastlane enable 1

config qos fastlane disable global

To disable the Fastlane QoS feature globally, use the config qos fastlane disable global command.

config qos fastlane disable global

Syntax Description

This command has no keywords or arguments.

Command Default

None

Command Modes

Global configuration (config)

Command History

Release    Modification
8.3        This command was introduced.

Usage Guidelines

Fastlane QoS must be disabled on all WLANs before executing this command.

Examples

The following example shows how to disable Fastlane QoS globally for Apple wireless clients:

Controller(config)# config qos fastlane disable global


config qos max-rf-usage

To specify the maximum percentage of RF usage per access point, use the config qos max-rf-usage command.

config qos max-rf-usage {bronze | silver | gold | platinum} usage_percentage

Syntax Description

bronze              Specifies the maximum percentage of RF usage for the queue bronze.
silver              Specifies the maximum percentage of RF usage for the queue silver.
gold                Specifies the maximum percentage of RF usage for the queue gold.
platinum            Specifies the maximum percentage of RF usage for the queue platinum.
usage_percentage    Maximum percentage of RF usage.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to specify the maximum percentage of RF usage for the queue gold:

(Cisco Controller) > config qos max-rf-usage gold 20

Related Commands

show qos description
config qos average-data-rate
config qos burst-data-rate
config qos average-realtime-rate
config qos burst-realtime-rate

config qos dot1p-tag

To define the maximum value (0 to 7) for the priority tag associated with packets that fall within the profile, use the config qos dot1p-tag command.

config qos dot1p-tag {bronze | silver | gold | platinum} dot1p_tag

Syntax Description

bronze       Specifies the QoS 802.1p tag for the queue bronze.
silver       Specifies the QoS 802.1p tag for the queue silver.
gold         Specifies the QoS 802.1p tag for the queue gold.
platinum     Specifies the QoS 802.1p tag for the queue platinum.
dot1p_tag    Dot1p tag value between 1 and 7.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure a QoS 802.1p tag for the queue gold with the dot1p tag value of 5:

(Cisco Controller) > config qos dot1p-tag gold 5

Related Commands

show qos queue_length all
config qos protocol-type

config qos priority

To define the maximum and default QoS levels for unicast and multicast traffic when you assign a QoS profile to a WLAN, use the config qos priority command.

config qos priority {bronze | silver | gold | platinum} {maximum-priority | default-unicast-priority | default-multicast-priority}

Syntax Description

bronze                        Specifies a Bronze profile of the WLAN.
silver                        Specifies a Silver profile of the WLAN.
gold                          Specifies a Gold profile of the WLAN.
platinum                      Specifies a Platinum profile of the WLAN.
maximum-priority              Maximum QoS priority as one of the following:
                              • besteffort
                              • background
                              • video
                              • voice
default-unicast-priority      Default unicast priority as one of the following:
                              • besteffort
                              • background
                              • video
                              • voice
default-multicast-priority    Default multicast priority as one of the following:
                              • besteffort
                              • background
                              • video
                              • voice

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

The maximum priority level should not be lower than the default unicast and multicast priority levels.

Examples

The following example shows how to configure the QoS priority for a gold profile of the WLAN with voice as the maximum priority, video as the default unicast priority, and besteffort as the default multicast priority.

(Cisco Controller) > config qos priority gold voice video besteffort

Related Commands

config qos protocol-type

config qos protocol-type

To define the maximum value (0 to 7) for the priority tag associated with packets that fall within the profile, use the config qos protocol-type command.

config qos protocol-type {bronze | silver | gold | platinum} {none | dot1p}

Syntax Description

bronze      Specifies the QoS 802.1p tag for the queue bronze.
silver      Specifies the QoS 802.1p tag for the queue silver.
gold        Specifies the QoS 802.1p tag for the queue gold.
platinum    Specifies the QoS 802.1p tag for the queue platinum.
none        Specifies when no specific protocol is assigned.
dot1p       Specifies when dot1p type protocol is assigned.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the QoS protocol type silver:

(Cisco Controller) > config qos protocol-type silver dot1p

Related Commands

show qos queue_length all
config qos dot1p-tag

config qos queue_length

To specify the maximum number of packets that access points keep in their queues, use the config qos queue_length command.

config qos queue_length {bronze | silver | gold | platinum} queue_length

Syntax Description

bronze          Specifies the QoS length for the queue bronze.
silver          Specifies the QoS length for the queue silver.
gold            Specifies the QoS length for the queue gold.
platinum        Specifies the QoS length for the queue platinum.
queue_length    Maximum queue length values (10 to 255).

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the QoS length for the queue “gold” with the maximum queue length value as 12:

(Cisco Controller) > config qos queue_length gold 12

Related Commands

show qos

config qos qosmap

To configure QoS map, use the config qos qosmap command.

config qos qosmap {enable | disable | default}

Syntax Description

enable     Enables the QoS map feature.
disable    Disables the QoS map feature.
default    Resets to default QoS map.
           This resets the QoS map values to 255 (default), and also adds DSCP UP exceptions if not present previously. To clear the DSCP UP values, enter the config qos qosmap clear-all command.

Command History

Release    Modification
8.1        This command was introduced.

Examples

The following example shows how to enable the QoS map.

(Cisco Controller) > config qos qosmap enable

config qos qosmap up-to-dscp-map

To configure the DSCP range for UP, use the config qos qosmap command.

config qos qosmap up-to-dscp-map {up dscp-default dscp-start dscp-end}

Syntax Description

up-to-dscp-map    Sets the DSCP range for UP.
up                Wireless UP value.
dscp-default      Default DSCP value for this UP.
dscp-start        The DSCP start range. The range is 0 to 63.
dscp-end          The DSCP stop range. The range is 0 to 63.

Command History

Release    Modification
8.1        This command was introduced.

Examples

The following example shows how to set the DSCP range for UP.

(Cisco Controller) > config qos qosmap up-to-dscp-map 2 3 5 20

config qos qosmap dscp-to-up-exception

To configure the DSCP exception, use the config qos qosmap command.

config qos qosmap dscp-to-up-exception {dscp up}

Syntax Description

dscp-to-up-exception    Configures a DSCP exception.
dscp                    Exception DSCP value for the UP value.
up                      Links to the Wireless User Priority (UP) value.

Examples

The following example shows how to configure the DSCP exception:

(Cisco Controller) > config qos qosmap dscp-to-up-exception 3 1

config qos qosmap delete-dscp-exception

To delete a DSCP exception, use the config qos qosmap command.

config qos qosmap delete-dscp-exception dscp

Syntax Description

delete-dscp-exception    Deletes exception for DSCP.
dscp                     DSCP exception for the UP.

Command History

Release    Modification
8.1        This command was introduced.

Examples

The following example shows how to delete an exception for DSCP.

(Cisco Controller) > config qos qosmap delete-dscp-exception 23

config qos qosmap clear-all

To delete all the exceptions from the QoS map, use the config qos qosmap command.

config qos qosmap clear-all

Syntax Description

clear-all    Deletes all the exceptions.

Command History

Release    Modification
8.1        This command was introduced.

Examples

The following example shows how to clear all the exceptions from the QoS map.

(Cisco Controller) > config qos qosmap clear-all

config qos qosmap trust dscp upstream

To mark the upstream packets using the client DSCP, use the config qos qosmap command.

config qos qosmap trust-dscp-upstream {enable | disable}

Syntax Description

trust-dscp-upstream    The upstream packets are marked based on the client's DSCP.
enable                 Enables the upstream packet marking using the client DSCP.
disable                Disables the upstream packet marking using the client DSCP.

Command History

Release    Modification
8.1        This command was introduced.

Examples

The following example shows how to enable client DSCP based packet marking.

(Cisco Controller) > config qos qosmap trust-dscp-upstream enable

Config Commands: r to z

config radius acct
config radius acct ipsec authentication
config radius acct ipsec disable
config radius acct ipsec enable
config radius acct ipsec encryption
config radius acct ipsec ike
config radius acct mac-delimiter
config radius acct network
config radius acct realm
config radius acct retransmit-timeout
config radius auth
config radius auth callStationIdType
config radius auth framed-mtu
config radius auth IPsec authentication
config radius auth ipsec disable
config radius auth ipsec encryption
config radius auth ipsec ike
config radius auth keywrap
config radius auth mac-delimiter
config radius auth management
config radius auth mgmt-retransmit-timeout
config radius auth network
config radius auth realm
config radius auth retransmit-timeout
config radius auth rfc3576
config radius auth retransmit-timeout
config radius aggressive-failover disabled
config radius backward compatibility
config radius callStationIdCase
config radius callStationIdType
config radius dns
config radius fallback-test
config radius ext-source-ports
config radius acct retransmit-timeout
config radius auth mgmt-retransmit-timeout
config radius auth retransmit-timeout
config radius auth retransmit-timeout
config redundancy interface address peer-service-port
config redundancy mobilitymac
config redundancy mode
config redundancy peer-route
config redundancy timer keep-alive-timer
config redundancy timer peer-search-timer
config redundancy unit
config remote-lan
config remote-lan aaa-override
config remote-lan acl
config remote-lan apgroup
config remote-lan create
config remote-lan custom-web
config remote-lan delete
config remote-lan dhcp_server
config remote-lan exclusionlist
config remote-lan host-mode
config remote-lan interface
config remote-lan ldap
config remote-lan mac-filtering
config remote-lan mab
config remote-lan max-associated-clients
config remote-lan pre-auth
config remote-lan radius_server
config remote-lan security
config remote-lan session-timeout
config remote-lan violation-mode
config remote-lan webauth-exclude
config rf-profile band-select
config rf-profile client-trap-threshold
config rf-profile create
config rf-profile fra client-aware
config rf-profile data-rates
config rf-profile delete
config rf-profile description
config rf-profile load-balancing
config rf-profile max-clients
config rf-profile multicast data-rate
config rf-profile out-of-box
config rf-profile rx-sop threshold
config rf-profile tx-power-control-thresh-v1
config rf-profile tx-power-control-thresh-v2
config rf-profile tx-power-max
config rf-profile tx-power-min
config rogue ap timeout
config rogue adhoc
config rogue ap classify
config rogue ap friendly
config rogue ap rldp
config rogue ap ssid
config rogue ap timeout
config rogue auto-contain level
config rogue ap valid-client
config rogue client
config rogue containment
config rogue detection
config rogue detection client-threshold
config rogue detection min-rssi
config rogue detection monitor-ap
config rogue detection report-interval
config rogue detection security-level
config rogue detection transient-rogue-interval
config rogue rule
config rogue rule condition ap
config remote-lan session-timeout
config rfid auto-timeout
config rfid status
config rfid timeout
config rogue ap timeout
config route add
config route delete
config serial baudrate
config serial timeout
config service timestamps
config sessions maxsessions
config sessions timeout
config slot
config switchconfig boot-break
config switchconfig fips-prerequisite
config switchconfig ucapl
config switchconfig wlancc
config switchconfig strong-pwd
config switchconfig flowcontrol
config switchconfig mode
config switchconfig secret-obfuscation
config sysname
config snmp community accessmode
config snmp community create
config snmp community delete
config snmp community ipaddr
config snmp community mode
config snmp engineID
config snmp syscontact
config snmp syslocation
config snmp trapreceiver create
config snmp trapreceiver delete
config snmp trapreceiver mode
config snmp v3user create
config snmp v3user delete
config snmp version
config tacacs acct
config tacacs athr
config tacacs athr mgmt-server-timeout
config tacacs auth
config tacacs auth mgmt-server-timeout
config tacacs dns
config tacacs fallback-test interval
config time manual
config time ntp
config time timezone
config time timezone location
config trapflags 802.11-Security
config trapflags aaa
config trapflags adjchannel-rogueap
config trapflags ap
config trapflags authentication
config trapflags client
config trapflags client max-warning-threshold
config trapflags configsave
config trapflags IPsec
config trapflags linkmode
config trapflags mesh
config trapflags multiusers
config trapflags rfid
config trapflags rogueap
config trapflags rrm-params
config trapflags rrm-profile
config trapflags stpmode
config trapflags strong-pwdcheck
config trapflags wps
config tunnel eogre heart-beat
config tunnel eogre gateway
config tunnel eogre domain
config tunnel profile
config tunnel profile_rule
config tunnel profile_rule-delete
config tunnel profile eogre-DHCP82
config tunnel profile eogre-gateway-radius-proxy
config tunnel profile eogre-gateway-radius-proxy-accounting
config tunnel profile eogre-DHCP82
config tunnel profile eogre-DHCP82-circuit-id
config tunnel profile eogre-DHCP82-delimiter
config tunnel profile eogre-DHCP82-format
config tunnel profile eogre-DHCP82-remote-id
config watchlist add
config watchlist delete
config watchlist disable
config watchlist enable
config wgb vlan
config wlan
config wlan 7920-support
config wlan 802.11e
config wlan aaa-override
config wlan acl
config wlan apgroup
config wlan apgroup atf 802.11
config wlan apgroup atf 802.11 policy
config wlan apgroup opendns-profile
config wlan apgroup qinq
config wlan assisted-roaming
config wlan atf
config wlan avc
config wlan band-select allow
config wlan broadcast-ssid
config wlan call-snoop
config wlan chd
config wlan ccx aironet-ie
config wlan channel-scan defer-priority
config wlan channel-scan defer-time
config wlan custom-web
config wlan dhcp_server
config wlan diag-channel
config wlan dtim
config wlan exclusionlist
config wlan fabric
config wlan flexconnect ap-auth
config wlan flexconnect central-assoc
config wlan flexconnect learn-ipaddr
config wlan flexconnect local-switching
config wlan flexconnect vlan-central-switching
config wlan flow
config wlan hotspot
config wlan hotspot dot11u
config wlan hotspot dot11u 3gpp-info
config wlan hotspot dot11u auth-type
config wlan hotspot dot11u disable
config wlan hotspot dot11u domain
config wlan hotspot dot11u enable
config wlan hotspot dot11u hessid
config wlan hotspot dot11u ipaddr-type
config wlan hotspot dot11u nai-realm
config wlan hotspot dot11u network-type
config wlan hotspot dot11u roam-oi
config wlan hotspot hs2
config wlan hotspot hs2 domain-id
config wlan hotspot hs2 osu legacy-ssid
config wlan hotspot hs2 osu sp create
config wlan hotspot hs2 osu sp delete
config wlan hotspot hs2 osu sp icon-file add
config wlan hotspot hs2 osu sp icon-file delete
config wlan hotspot hs2 osu sp method add
config wlan hotspot hs2 osu sp method delete
config wlan hotspot hs2 osu sp nai add
config wlan hotspot hs2 osu sp nai delete
config wlan hotspot hs2 osu sp uri add
config wlan hotspot hs2 osu sp uri delete
config wlan hotspot hs2 wan-metrics downlink
config wlan hotspot hs2 wan-metrics link-status
config wlan hotspot hs2 wan-metrics lmd
config wlan hotspot hs2 wan-metrics uplink
config wlan hotspot msap
config wlan interface
config wlan ipv6 acl
config wlan kts-cac
config wlan layer2 acl
config wlan ldap
config wlan learn-ipaddr-cswlan
config wlan load-balance
config wlan lobby-admin-access
config wlan mac-filtering
config wlan max-associated-clients
config wlan max-radio-clients
config wlan mdns
config wlan media-stream
config wlan mfp
config wlan mobility anchor
config wlan mobility foreign-map
config wlan multicast buffer
config wlan multicast interface
config wlan mu-mimo
config wlan nac
config wlan override-rate-limit
config wlan opendns-mode
config wlan opendns-profile
config wlan passive-client
config wlan peer-blocking
config wlan pmipv6 default-realm
config wlan pmipv6 mobility-type
config wlan pmipv6 profile_name
config wlan policy
config wlan profiling
config wlan qos
config wlan radio
config wlan radius_server acct
config wlan radius_server acct interim-update
config wlan radius_server auth
config wlan radius_server acct interim-update
config wlan radius_server overwrite-interface
config wlan radius_server realm
config wlan roamed-voice-client re-anchor
config wlan security 802.1X
config wlan security ckip
config wlan security cond-web-redir
config wlan security eap-params
config wlan security eap-passthru
config wlan security ft
config wlan security ft over-the-ds
config wlan security IPsec disable
config wlan security IPsec enable
config wlan security IPsec authentication
config wlan security IPsec encryption
config wlan security IPsec config
config wlan security IPsec ike authentication
config wlan security IPsec ike dh-group
config wlan security IPsec ike lifetime
config wlan security IPsec ike phase1
config wlan security IPsec ike contivity
config wlan security wpa akm ft
config wlan security ft
config wlan security passthru
config wlan security pmf
config wlan security sgt
config wlan security splash-page-web-redir
config wlan security static-wep-key authentication
config wlan security static-wep-key disable
config wlan security static-wep-key enable
config wlan security static-wep-key encryption
config wlan security tkip
config wlan usertimeout
config wlan security web-auth
config wlan security web-auth captive-bypass
config wlan security web-auth qrscan-des-key
config wlan security web-passthrough acl
config wlan security web-passthrough disable
config wlan security web-passthrough email-input
config wlan security web-passthrough enable
config wlan security web-passthrough qr-scan
config wlan security wpa akm 802.1x
config wlan security wpa akm cckm
config wlan security wpa akm ft
config wlan security wpa akm pmf
config wlan security wpa akm psk
config wlan security wpa disable
config wlan security wpa enable
config wlan security wpa ciphers
config wlan security wpa gtk-random
config wlan security wpa osen disable
config wlan security wpa osen enable
config wlan security wpa wpa1 disable
config wlan security wpa wpa1 enable
config wlan security wpa wpa2 disable
config wlan security wpa wpa2 enable
config wlan security wpa wpa2 cache
config wlan security wpa wpa2 cache sticky
config wlan security wpa wpa2 ciphers
config wlan session-timeout
config wlan sip-cac disassoc-client
config wlan sip-cac send-486busy
config wlan static-ip tunneling
config wlan uapsd compliant client enable
config wlan uapsd compliant-client disable
config wlan url-acl
config wlan user-idle-threshold
config wlan usertimeout
config wlan webauth-exclude
config wlan wifidirect
config wlan wmm
config wps ap-authentication
config wps auto-immune
config wps cids-sensor
config wps client-exclusion
config wps mfp
config wps shun-list re-sync
config wps signature
config wps signature frequency
config wps signature interval
config wps signature mac-frequency
config wps signature quiet-time
config wps signature reset

config radius acct

To configure settings for a RADIUS accounting server for the Cisco wireless LAN controller, use the config radius acct command.

config radius acct {{add index IP addr port {ascii | hex} secret} | delete index | disable index | enable index | ipsec {authentication {hmac-md5 index | hmac-sha1 index} | disable index | enable index | encryption {256-aes | 3des | aes | des} index | ike {auth-mode {pre-shared-key index type shared_secret_key | certificate index} | dh-group {2048bit-group-14 | group-1 | group-2 | group-5} index | lifetime seconds index | phase1 {aggressive | main} index}} | {mac-delimiter {colon | hyphen | none | single-hyphen}} | {network index {disable | enable}} | {region {group | none | provincial}} | retransmit-timeout index seconds | realm {add | delete} index realm-string}

Syntax Description add

index

IP addr port

ascii hex

secret

enable disable delete ipsec authentication hmac-md5 hmac-sha1 disable enable

Adds a RADIUS accounting server (IPv4 or IPv6).

RADIUS server index (1 to 17).

RADIUS server IP address (IPv4 or IPv6).

RADIUS server’s UDP port number for the interface protocols.

Specifies the RADIUS server’s secret type: ascii.

Specifies the RADIUS server’s secret type: hex.

RADIUS server’s secret.

Enables a RADIUS accounting server.

Disables a RADIUS accounting server.

Deletes a RADIUS accounting server.

Enables or disables IPSec support for an accounting server.

Note

IPSec is not supported for

IPv6.

Configures IPSec Authentication.

Enables IPSec HMAC-MD5 authentication.

Enables IPSec HMAC-SHA1 authentication.

Disables IPSec support for an accounting server.

Enables IPSec support for an accounting server.

Cisco Wireless Controller Command Reference, Release 8.4

851

config radius acct encryption

256-aes

3des aes des ike auth-mode pre-shared-key certificate dh-group

2048bit-group-14 group-1 group-2 group-5

lifetime seconds

phase1 aggressive main mac-delimiter colon hyphen none single-hyphen

852

Cisco Wireless Controller Command Reference, Release 8.4

Configures IPSec encryption.

Enables IPSec AES-256 encryption.

Enables IPSec 3DES encryption.

Enables IPSec AES-128 encryption.

Enables IPSec DES encryption.

Configures Internet Key Exchange (IKE).

Configures IKE authentication method.

Pre-shared key for authentication.

Certificate used for authentication.

Configures IKE Diffie-Hellman group.

Configures DH group 14 (2048 bits).

Configures DH group 1 (768 bits).

Configures DH group 2 (1024 bits).

Configures DH group 5 (1536 bits).

Configures IKE lifetime in seconds. The range is from

1800 to 57600 seconds and the default is 28800.

Configures IKE phase1 mode.

Enables IKE aggressive mode.

Enables IKE main mode.

Configures MAC delimiter for caller station ID and calling station ID.

Sets the delimiter to colon (For example: xx:xx:xx:xx:xx:xx).

Sets the delimiter to hyphen (For example: xx-xx-xx-xx-xx-xx).

Disables delimiters (For example: xxxxxxxxxx).

Sets the delimiters to single hyphen (For example: xxxxxx-xxxxxx).

config radius acct network group none provincial retransmit-timeout

seconds

realm add delete

Command Default

When adding a RADIUS server, the port number defaults to 1813 and the state is enabled.

Usage Guidelines

IPSec is not supported for IPv6.

Command History

Release

7.6

8.0

Modification

This command was introduced in a release earlier than

Release 7.6.

This command supports both IPv4 and IPv6 address formats.

Examples

Configures a default RADIUS server for network users.

Specifies RADIUS server type group.

Specifies RADIUS server type none.

Specifies RADIUS server type provincial.

Changes the default retransmit timeout for the server.

The number of seconds between retransmissions.

Specifies radius acct realm.

Adds radius acct realm.

Deletes radius acct realm.

The following example shows how to configure a priority 1 RADIUS accounting server at 10.10.10.10 using port 1813 with a login password of admin:

(Cisco Controller) >

config radius acct add 1 10.10.10.10 1813 ascii admin

The following example shows how to configure a priority 1 RADIUS accounting server at 2001:9:6:40::623 using port 1813 with a login password of admin:

(Cisco Controller) >

config radius acct add 1 2001:9:6:40::623 1813 ascii admin


config radius acct ipsec authentication

To configure IPsec authentication for the Cisco wireless LAN controller, use the config radius acct ipsec authentication command.

config radius acct ipsec authentication {hmac-md5 | hmac-sha1} index

Syntax Description

hmac-md5     Enables IPsec HMAC-MD5 authentication.
hmac-sha1    Enables IPsec HMAC-SHA1 authentication.
index        RADIUS server index.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the IPsec hmac-md5 authentication service on the RADIUS accounting server index 1:

(Cisco Controller) > config radius acct ipsec authentication hmac-md5 1

Related Commands

show radius acct statistics


config radius acct ipsec disable

To disable IPsec support for an accounting server for the Cisco wireless LAN controller, use the config radius acct ipsec disable command.

config radius acct ipsec disable index

Syntax Description

index    RADIUS server index.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to disable the IPsec support for RADIUS accounting server index 1:

(Cisco Controller) > config radius acct ipsec disable 1

Related Commands

show radius acct statistics


config radius acct ipsec enable

To enable IPsec support for an accounting server for the Cisco wireless LAN controller, use the config radius acct ipsec enable command.

config radius acct ipsec enable index

Syntax Description

index    RADIUS server index.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable the IPsec support for RADIUS accounting server index 1:

(Cisco Controller) > config radius acct ipsec enable 1

Related Commands

show radius acct statistics


config radius acct ipsec encryption

To configure IPsec encryption for an accounting server for the Cisco wireless LAN controller, use the config radius acct ipsec encryption command.

config radius acct ipsec encryption {3des | aes | des} index

Syntax Description

256-aes    Enables IPSec AES-256 encryption.
3des       Enables IPsec 3DES encryption.
aes        Enables IPsec AES encryption.
des        Enables IPsec DES encryption.
index      RADIUS server index value between 1 and 17.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the IPsec 3DES encryption for RADIUS server index value 3:

(Cisco Controller) > config radius acct ipsec encryption 3des 3


config radius acct ipsec ike

To configure Internet Key Exchange (IKE) for the Cisco WLC, use the config radius acct ipsec ike command.

config radius acct ipsec ike {dh-group {group-1 | group-2 | group-5 | group-14} | lifetime seconds | phase1 {aggressive | main}} index

Syntax Description

dh-group      Specifies the Diffie-Hellman (DH) group.
group-1       Configures the DH Group 1 (768 bits).
group-2       Configures the DH Group 2 (1024 bits).
group-5       Configures the DH Group 5 (1024 bits).
group-14      Configures the DH Group 14 (2048 bits).
lifetime      Configures the IKE lifetime.
seconds       IKE lifetime in seconds.
phase1        Configures the IKE phase1 mode.
aggressive    Enables the aggressive mode.
main          Enables the main mode.
index         RADIUS server index.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure an IKE lifetime of 23 seconds for RADIUS server index 1:

(Cisco Controller) > config radius acct ipsec ike lifetime 23 1

Related Commands

show radius acct statistics


config radius acct mac-delimiter

To specify the delimiter to be used in the MAC addresses that are sent to the RADIUS accounting server, use the config radius acct mac-delimiter command.

config radius acct mac-delimiter {colon | hyphen | single-hyphen | none}

Syntax Description

colon            Sets the delimiter to a colon (for example, xx:xx:xx:xx:xx:xx).
hyphen           Sets the delimiter to a hyphen (for example, xx-xx-xx-xx-xx-xx).
single-hyphen    Sets the delimiter to a single hyphen (for example, xxxxxx-xxxxxx).
none             Disables the delimiter (for example, xxxxxxxxxxxx).

Command Default

The default delimiter is a hyphen.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to set the delimiter hyphen to be used in the MAC addresses that are sent to the RADIUS accounting server for the network users:

(Cisco Controller) > config radius acct mac-delimiter hyphen

Related Commands

show radius acct statistics


config radius acct network

To configure a default RADIUS server for network users, use the config radius acct network command.

config radius acct network index {enable | disable}

Syntax Description

index      RADIUS server index.
enable     Enables the server as a network user’s default RADIUS server.
disable    Disables the server as a network user’s default RADIUS server.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure a default RADIUS accounting server for the network users with RADIUS server index 1:

(Cisco Controller) > config radius acct network 1 enable

Related Commands

show radius acct statistics


config radius acct realm

To configure a realm on a RADIUS accounting server, use the config radius acct realm command.

config radius acct realm {add | delete} radius_index realm_string

Syntax Description

radius_server    Radius server index. The range is from 1 to 17.
add              Add realm to RADIUS accounting server.
delete           Delete realm from RADIUS accounting server.
realm_string     Unique string associated to RADIUS accounting realm.

Command Default

None

Command History

Release    Modification
8.0        This command was introduced.

Examples

The following example shows how to add a realm to the RADIUS accounting server:

(Cisco Controller) > config radius acct realm add 3 test


config radius acct retransmit-timeout

To change the default transmission timeout for a RADIUS accounting server for the Cisco wireless LAN controller, use the config radius acct retransmit-timeout command.

config radius acct retransmit-timeout index timeout

Syntax Description

index      RADIUS server index.
timeout    Number of seconds (from 2 to 30) between retransmissions.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure a retransmission timeout value of 5 seconds between retransmissions:

(Cisco Controller) > config radius acct retransmit-timeout 5

Related Commands

show radius acct statistics


config radius auth

To configure settings for a RADIUS authentication server for the Cisco wireless LAN controller, use the config radius auth command.

config radius auth {add index IP addr port ascii/hex secret} | delete index | disable index | enable index | framed-mtu mtu | {ipsec {authentication {hmac-md5 index | hmac-sha1 index} | disable index | enable index | encryption {256-aes | 3des | aes | des} index | ike {auth-mode {pre-shared-key index ascii/hex shared_secret | certificate index} | dh-group {2048bit-group-14 | group-1 | group-2 | group-5} index | lifetime seconds index | phase1 {aggressive | main} index}} | {{keywrap {add ascii/hex kek mack index} | delete index | disable | enable}} | {mac-delimiter {colon | hyphen | none | single-hyphen}} | {{management index {enable | disable}} | {mgmt-retransmit-timeout index Retransmit Timeout} | {network index {enable | disable}} | {realm {add | delete} radius-index realm-string}} | {region {group | none | provincial}} | {retransmit-timeout index Retransmit Timeout} | {rfc3576 {enable | disable} index}

Syntax Description

enable                   Enables a RADIUS authentication server.
disable                  Disables a RADIUS authentication server.
delete                   Deletes a RADIUS authentication server.
index                    RADIUS server index. The controller begins the search with 1. The server index range is from 1 to 17.
add                      Adds a RADIUS authentication server. See the “Defaults” section.
IP addr                  IP address (IPv4 or IPv6) of the RADIUS server.
port                     RADIUS server’s UDP port number for the interface protocols.
ascii/hex                Specifies RADIUS server’s secret type: ascii or hex.
secret                   RADIUS server’s secret.
callStationIdType        Configures Called Station Id information sent in RADIUS authentication messages.
framed-mtu               Configures the Framed-MTU for all the RADIUS servers. The framed-mtu range is from 64 to 1300 bytes.
ipsec                    Enables or disables IPSEC support for an authentication server.
                         Note: IPSec is not supported for IPv6.
keywrap                  Configures RADIUS keywrap.
ascii/hex                Specifies the input format of the keywrap keys.
kek                      Enters the 16-byte key-encryption-key.
mack                     Enters the 20-byte message-authenticator-code-key.
mac-delimiter            Configures MAC delimiter for caller station ID and calling station ID.
management               Configures a RADIUS Server for management users.
mgmt-retransmit-timeout  Changes the default management login retransmission timeout for the server.
network                  Configures a default RADIUS server for network users.
realm                    Configures radius auth realm.
region                   Configures RADIUS region property.
retransmit-timeout       Changes the default network login retransmission timeout for the server.
rfc3576                  Enables or disables RFC-3576 support for an authentication server.

Command Default

When adding a RADIUS server, the port number defaults to 1812 and the state is enabled.

Usage Guidelines

IPSec is not supported for IPv6.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.
8.0        This command supports both IPv4 and IPv6 address formats.

Examples

The following example shows how to configure a priority 3 RADIUS authentication server at 10.10.10.10 using port 1812 with a login password of admin:

(Cisco Controller) > config radius auth add 3 10.10.10.10 1812 ascii admin

The following example shows how to configure a priority 3 RADIUS authentication server at 2001:9:6:40::623 using port 1812 with a login password of admin:

(Cisco Controller) > config radius auth add 3 2001:9:6:40::623 1812 ascii admin


config radius auth callStationIdType

To configure the RADIUS authentication server, use the config radius auth callStationIdType command.

config radius auth callStationIdType {ap-ethmac-only | ap-ethmac-ssid | ap-group-name | ap-label-address | ap-label-address-ssid | ap-location | ap-mac-ssid-ap-group | ap-macaddr-only | ap-macaddr-ssid | ap-name | ap-name-ssid | flex-group-name | ipaddr | macaddr | vlan-id}

Syntax Description

ipaddr                  Configures the Call Station ID type to use the IP address (only Layer 3).
macaddr                 Configures the Call Station ID type to use the system’s MAC address (Layers 2 and 3).
ap-macaddr-only         Configures the Call Station ID type to use the access point’s MAC address (Layers 2 and 3).
ap-macaddr-ssid         Configures the Call Station ID type to use the access point’s MAC address (Layers 2 and 3) in the format AP MAC address:SSID.
ap-ethmac-only          Configures the Called Station ID type to use the access point’s Ethernet MAC address.
ap-ethmac-ssid          Configures the Called Station ID type to use the access point’s Ethernet MAC address in the format AP Ethernet MAC address:SSID.
ap-group-name           Configures the Call Station ID type to use the AP group name. If the AP is not part of any AP group, default-group is taken as the AP group name.
flex-group-name         Configures the Call Station ID type to use the FlexConnect group name. If the FlexConnect AP is not part of any FlexConnect group, the system MAC address is taken as the Call Station ID.
ap-name                 Configures the Call Station ID type to use the access point’s name.
ap-name-ssid            Configures the Call Station ID type to use the access point’s name in the format AP name:SSID.
ap-location             Configures the Call Station ID type to use the access point’s location.
ap-mac-ssid-ap-group    Sets Called Station ID type to the format <AP MAC address>:<SSID>:<AP Group>.
vlan-id                 Configures the Call Station ID type to use the system’s VLAN-ID.

Command Default

The MAC address of the system.

Usage Guidelines

The controller sends the Called Station ID attribute to the RADIUS server in all authentication and accounting packets. The Called Station ID attribute can be used to classify users to different groups based on the attribute value. The command is applicable only for the Called Station and not for the Calling Station.

You cannot send only the SSID as the Called-Station-ID; you can only combine the SSID with either the access point MAC address or the access point name.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.
7.6        The ap-ethmac-only and ap-ethmac-ssid keywords were added to support the access point’s Ethernet MAC address. The ap-label-address and ap-label-address-ssid keywords were added.
8.0        This command supports both IPv4 and IPv6 address formats.
8.3        The ap-mac-ssid-ap-group keyword was added.

Examples

The following example shows how to configure the call station ID type to use the IP address:

(Cisco Controller) > config radius auth callStationIdType ipAddr

The following example shows how to configure the call station ID type to use the system’s MAC address:

(Cisco Controller) > config radius auth callStationIdType macAddr

The following example shows how to configure the call station ID type to use the access point’s MAC address:

(Cisco Controller) > config radius auth callStationIdType ap-macAddr


config radius auth framed-mtu

To configure the framed-mtu value for all RADIUS servers, use the config radius auth framed-mtu command.

config radius auth framed-mtu mtu

Syntax Description

mtu    Framed-MTU value range between 64 and 1300 bytes

Command Default

None

Command History

Release    Modification
7.6        This command was introduced.

Examples

The following example shows how to set the framed-mtu value for a RADIUS authentication server:

(Cisco Controller) > config radius auth framed-mtu 500


config radius auth IPsec authentication

To configure IPsec support for an authentication server for the Cisco wireless LAN controller, use the config radius auth IPsec authentication command.

config radius auth IPsec authentication {hmac-md5 | hmac-sha1} index

Syntax Description

hmac-md5     Enables IPsec HMAC-MD5 authentication.
hmac-sha1    Enables IPsec HMAC-SHA1 authentication.
index        RADIUS server index.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the IPsec hmac-md5 support for RADIUS authentication server index 1:

(Cisco Controller) > config radius auth IPsec authentication hmac-md5 1

Related Commands

show radius acct statistics


config radius auth ipsec disable

To disable IPsec support for an authentication server for the Cisco wireless LAN controller, use the config radius auth IPsec disable command.

config radius auth ipsec {enable | disable} index

Syntax Description

enable     Enables the IPsec support for an authentication server.
disable    Disables the IPsec support for an authentication server.
index      RADIUS server index.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

This example shows how to enable the IPsec support for RADIUS authentication server index 1:

(Cisco Controller) > config radius auth ipsec enable 1

This example shows how to disable the IPsec support for RADIUS authentication server index 1:

(Cisco Controller) > config radius auth ipsec disable 1

Related Commands

show radius acct statistics


config radius auth ipsec encryption

To configure IPsec encryption support for an authentication server for the Cisco wireless LAN controller, use the config radius auth ipsec encryption command.

config radius auth IPsec encryption {256-aes | 3des | aes | des} index

Syntax Description

256-aes    Enables the IPsec 256 AES encryption.
3des       Enables the IPsec 3DES encryption.
aes        Enables the IPsec AES encryption.
des        Enables the IPsec DES encryption.
index      RADIUS server index.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.
8.0        The keyword 256-aes was added.

Examples

The following example shows how to configure IPsec 3DES encryption for RADIUS authentication server index 3:

(Cisco Controller) > config radius auth ipsec encryption 3des 3

Related Commands

show radius acct statistics


config radius auth ipsec ike

To configure Internet Key Exchange (IKE) for the Cisco wireless LAN controller, use the config radius auth IPsec ike command.

config radius auth ipsec ike {auth-mode {pre-shared-key index {ascii | hex shared-secret} | certificate index} | dh-group {2048bit-group-14 | group-1 | group-2 | group-5} | lifetime seconds | phase1 {aggressive | main}} index

Syntax Description

auth-mode           Configures the IKE authentication method.
pre-shared-key      Configures the preshared key for IKE authentication method.
index               RADIUS server index between 1 and 17.
ascii               Configures RADIUS IPsec IKE secret in an ASCII format.
hex                 Configures RADIUS IPsec IKE secret in a hexadecimal format.
shared-secret       Configures the shared RADIUS IPsec secret.
certificate         Configures the certificate for IKE authentication.
dh-group            Configures the IKE Diffie-Hellman group.
2048bit-group-14    Configures the DH Group14 (2048 bits).
group-1             Configures the DH Group 1 (768 bits).
group-2             Configures the DH Group 2 (1024 bits).
group-5             Configures the DH Group 2 (1024 bits).
lifetime            Configures the IKE lifetime.
seconds             IKE lifetime in seconds. The range is from 1800 to 57600 seconds.
phase1              Configures the IKE phase1 mode.
aggressive          Enables the aggressive mode.
main                Enables the main mode.
index               RADIUS server index.

Command Default

By default, preshared key is used for IPsec sessions and IKE lifetime is 28800 seconds.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure IKE lifetime of 23 seconds for RADIUS authentication server index 1:

(Cisco Controller) > config radius auth ipsec ike lifetime 23 1

Related Commands

show radius acct statistics


config radius auth keywrap

To enable and configure Advanced Encryption Standard (AES) key wrap, which makes the shared secret between the controller and the RADIUS server more secure, use the config radius auth keywrap command.

config radius auth keywrap {enable | disable | add {ascii | hex} kek mack | delete} index

Syntax Description

enable     Enables AES key wrap.
disable    Disables AES key wrap.
add        Configures AES key wrap attributes.
ascii      Configures key wrap in an ASCII format.
hex        Configures key wrap in a hexadecimal format.
kek        16-byte Key Encryption Key (KEK).
mack       20-byte Message Authentication Code Key (MACK).
delete     Deletes AES key wrap attributes.
index      Index of the RADIUS authentication server on which to configure the AES key wrap.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable the AES key wrap for a RADIUS authentication server:

(Cisco Controller) > config radius auth keywrap enable

Related Commands

show radius auth statistics
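
An added example (not part of the Cisco reference): a Python lint pass over WLC CLI lines that checks config radius {auth | acct} ipsec and keywrap add arguments against the ranges and key lengths documented in the tables above, and flags the weaker options those tables offer. Which keywords count as weak is this example's assumption, not Cisco guidance; the function names and the sample lines are constructed.

```python
import re

# Ranges and lengths as documented in the command tables above.
INDEX_RANGE = (1, 17)             # RADIUS server index
LIFETIME_RANGE = (1800, 57600)    # IKE lifetime, seconds
KEYWRAP_BYTES = (("KEK", 16), ("MACK", 20))

# Assumption of this example (not Cisco guidance): keywords treated as weak.
WEAK = {
    "authentication": {"hmac-md5": "hmac-sha1 is the stronger option offered"},
    "encryption": {"des": "single DES", "3des": "aes or 256-aes are offered"},
    "dh-group": {"group-1": "768-bit group", "group-2": "1024-bit group",
                 "group-5": "group below 2048 bits"},
    "phase1": {"aggressive": "main mode protects peer identities"},
}
PROMPT = re.compile(r"^\(Cisco Controller\)\s*>\s*")


def _in_range(value, bounds):
    return value.isdecimal() and bounds[0] <= int(value) <= bounds[1]


def _check_index(value, out):
    if not _in_range(value, INDEX_RANGE):
        out.append(("error", f"server index {value!r} is outside "
                             f"{INDEX_RANGE[0]}-{INDEX_RANGE[1]}"))


def _lint_ipsec(args, out):
    args = [a.lower() for a in args]
    if args[:1] == ["ike"]:
        args = args[1:]               # ike sub-commands share the shape below
    if not args or args[0] == "auth-mode":
        return                        # key/certificate selection is not linted here
    if args[0] in ("enable", "disable"):
        if args[0] == "disable":
            out.append(("weak", "IPsec disabled for this RADIUS server"))
        _check_index(args[1] if len(args) > 1 else "", out)
        return
    if len(args) < 3:
        out.append(("error", "expected: <keyword> <value> <index>"))
        return
    keyword, value, index = args[:3]
    if keyword == "lifetime" and not _in_range(value, LIFETIME_RANGE):
        out.append(("error", f"IKE lifetime {value} is outside "
                             f"{LIFETIME_RANGE[0]}-{LIFETIME_RANGE[1]} seconds"))
    elif value in WEAK.get(keyword, {}):
        out.append(("weak", f"{keyword} {value}: {WEAK[keyword][value]}"))
    _check_index(index, out)


def _key_len(fmt, key):
    """Byte length of a key given as ascii or hex; None for malformed hex."""
    if fmt == "ascii":
        return len(key.encode())
    return len(key) // 2 if re.fullmatch(r"(?:[0-9a-fA-F]{2})+", key) else None


def _lint_keywrap(args, out):
    # Shape checked: keywrap add {ascii | hex} kek mack index
    if not args or args[0].lower() != "add":
        return                        # enable/disable/delete carry no key material
    if len(args) < 5 or args[1].lower() not in ("ascii", "hex"):
        out.append(("error", "expected: keywrap add {ascii | hex} kek mack index"))
        return
    for (name, want), key in zip(KEYWRAP_BYTES, args[2:4]):
        got = _key_len(args[1].lower(), key)
        if got != want:               # never echo the key itself
            shown = "malformed hex" if got is None else f"{got} bytes"
            out.append(("error", f"{name} must be {want} bytes, got {shown}"))
    _check_index(args[4], out)


def lint_line(line):
    """Return a list of (severity, message) findings for one CLI line."""
    tokens = PROMPT.sub("", line.strip()).split()
    head = [t.lower() for t in tokens[:4]]
    if len(head) < 4 or head[:2] != ["config", "radius"] or head[2] not in ("auth", "acct"):
        return []
    out = []
    if head[3] == "ipsec":
        _lint_ipsec(tokens[4:], out)
    elif head[3] == "keywrap" and head[2] == "auth":
        _lint_keywrap(tokens[4:], out)
    return out


def lint_config(text):
    """Return {line_number: findings} for the lines that produced findings."""
    report = {}
    for number, line in enumerate(text.splitlines(), 1):
        found = lint_line(line)
        if found:
            report[number] = found
    return report


# Constructed sample input; lines 1 and 2 reuse examples shown in this reference.
SAMPLE = """\
(Cisco Controller) > config radius auth ipsec ike lifetime 23 1
config radius acct ipsec authentication hmac-md5 1
config radius auth ipsec encryption 256-aes 3
config radius acct ipsec ike dh-group group-1 18
config radius auth ipsec ike phase1 aggressive 2
config radius auth keywrap add hex 000102030405060708090a0b0c0d0e0f 00112233 1
config radius auth keywrap add ascii 0123456789abcdef 0123456789abcdefghij 1
"""

if __name__ == "__main__":
    for number, found in lint_config(SAMPLE).items():
        for severity, message in found:
            print(f"line {number}: {severity}: {message}")
```

The lifetime of 23 seconds used in the IKE examples above falls outside the documented 1800 to 57600 range, which is why the first sample line is reported as an error.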


config radius auth mac-delimiter

To specify a delimiter to be used in the MAC addresses that are sent to the RADIUS authentication server, use the config radius auth mac-delimiter command.

config radius auth mac-delimiter {colon | hyphen | single-hyphen | none}

Syntax Description

colon            Sets a delimiter to a colon (for example, xx:xx:xx:xx:xx:xx).
hyphen           Sets a delimiter to a hyphen (for example, xx-xx-xx-xx-xx-xx).
single-hyphen    Sets a delimiter to a single hyphen (for example, xxxxxx-xxxxxx).
none             Disables the delimiter (for example, xxxxxxxxxxxx).

Command Default

The default delimiter is a hyphen.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to specify a delimiter hyphen to be used for a RADIUS authentication server:

(Cisco Controller) > config radius auth mac-delimiter hyphen

Related Commands

show radius auth statistics
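
The delimiter is set separately for authentication and accounting, so the same client or AP MAC address can reach RADIUS logs in different spellings. An added example (not part of the Cisco reference): Python that accepts all four delimiter styles, including station IDs of the form MAC:SSID, and reports MAC addresses seen in more than one style. It assumes the MAC portion of a MAC:SSID value follows the configured delimiter; function names and sample records are constructed.

```python
import re

# The four delimiter styles from the mac-delimiter tables above.
_STYLES = {
    "colon": r"[0-9a-f]{2}(?::[0-9a-f]{2}){5}",
    "hyphen": r"[0-9a-f]{2}(?:-[0-9a-f]{2}){5}",
    "single-hyphen": r"[0-9a-f]{6}-[0-9a-f]{6}",
    "none": r"[0-9a-f]{12}",
}
# A MAC, optionally followed by ":<SSID>" as in the ap-macaddr-ssid format.
_PATTERNS = {
    name: re.compile(rf"({body})(?::(.*))?$", re.IGNORECASE | re.DOTALL)
    for name, body in _STYLES.items()
}


def parse_station_id(value):
    """Return (style, 12 lowercase hex digits, ssid or None); raise ValueError."""
    text = value.strip()
    for style, pattern in _PATTERNS.items():
        match = pattern.match(text)
        if match:
            digits = re.sub(r"[:-]", "", match.group(1)).lower()
            return style, digits, match.group(2)   # SSID case is preserved
    raise ValueError(f"not a MAC-based station ID: {value!r}")


def render_mac(digits, style):
    """Render 12 hex digits in one of the four delimiter styles."""
    pairs = [digits[i:i + 2] for i in range(0, 12, 2)]
    if style == "colon":
        return ":".join(pairs)
    if style == "hyphen":
        return "-".join(pairs)
    if style == "single-hyphen":
        return digits[:6] + "-" + digits[6:]
    if style == "none":
        return digits
    raise ValueError(f"unknown delimiter style: {style!r}")


def mixed_style_macs(records):
    """records: iterable of (source, station_id).

    Return {mac_digits: sorted list of styles} for every MAC that appears in
    more than one delimiter style; values that are not MAC-based are skipped.
    """
    seen = {}
    for _source, station_id in records:
        try:
            style, digits, _ssid = parse_station_id(station_id)
        except ValueError:
            continue
        seen.setdefault(digits, set()).add(style)
    return {mac: sorted(styles) for mac, styles in seen.items() if len(styles) > 1}


# Constructed sample records: (log source, station ID as logged).
SAMPLE_RECORDS = [
    ("auth", "00-1A-2B-3C-4D-5E"),
    ("acct", "001a2b-3c4d5e"),
    ("acct", "66:77:88:99:aa:bb:Guest"),
    ("auth", "default-group"),
]

if __name__ == "__main__":
    for mac, styles in mixed_style_macs(SAMPLE_RECORDS).items():
        print(render_mac(mac, "colon"), "logged as", ", ".join(styles))
```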


config radius auth management

To configure a default RADIUS server for management users, use the config radius auth management command.

config radius auth management index {enable | disable}

Syntax Description

index      RADIUS server index.
enable     Enables the server as a management user’s default RADIUS server.
disable    Disables the server as a management user’s default RADIUS server.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure a RADIUS server for management users:

(Cisco Controller) > config radius auth management 1 enable

Related Commands

show radius acct statistics
config radius acct network
config radius auth mgmt-retransmit-timeout


config radius auth mgmt-retransmit-timeout

To configure a default RADIUS server retransmission timeout for management users, use the config radius auth mgmt-retransmit-timeout command.

config radius auth mgmt-retransmit-timeout index retransmit-timeout

Syntax Description

index                 RADIUS server index.
retransmit-timeout    Timeout value. The range is from 1 to 30 seconds.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure a default RADIUS server retransmission timeout for management users:

(Cisco Controller) > config radius auth mgmt-retransmit-timeout 1 10

Related Commands

config radius auth management


config radius auth network

To configure a default RADIUS server for network users, use the config radius auth network command.

config radius auth network index {enable | disable}

Syntax Description

index      RADIUS server index.
enable     Enables the server as a network user default RADIUS server.
disable    Disables the server as a network user default RADIUS server.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure a default RADIUS server for network users:

(Cisco Controller) > config radius auth network 1 enable

Related Commands

show radius acct statistics
config radius acct network


config radius auth realm

To configure a realm on a RADIUS authentication server, use the config radius auth realm command.

config radius auth realm {add | delete} radius_index realm_string

Syntax Description

radius_server    Radius server index. The range is from 1 to 17.
add              Add realm to RADIUS authentication server.
delete           Delete realm from RADIUS authentication server.
realm_string     Unique string associated to RADIUS authentication realm.

Command Default

None

Command History

Release    Modification
8.0        This command was introduced.

Examples

The following example shows how to add a realm to the RADIUS authentication server:

(Cisco Controller) > config radius auth realm add 3 test


config radius auth retransmit-timeout

To change a default transmission timeout for a RADIUS authentication server for the Cisco wireless LAN controller, use the config radius auth retransmit-timeout command.

config radius auth retransmit-timeout index timeout

Syntax Description

index      RADIUS server index.
timeout    Number of seconds (from 2 to 30) between retransmissions.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure a retransmission timeout of 5 seconds for a RADIUS authentication server:

(Cisco Controller) > config radius auth retransmit-timeout 5

Related Commands

show radius auth statistics


config radius auth rfc3576

To configure RADIUS RFC-3576 support for the authentication server for the Cisco WLC, use the config radius auth rfc3576 command.

config radius auth rfc3576 {enable | disable} index

Syntax Description

enable     Enables RFC-3576 support for an authentication server.
disable    Disables RFC-3576 support for an authentication server.
index      RADIUS server index.

Command Default

Disabled

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

RFC 3576, which is an extension to the RADIUS protocol, allows dynamic changes to a user session. RFC 3576 includes support for disconnecting users and changing authorizations applicable to a user session.

Disconnect messages cause a user session to be terminated immediately; CoA messages modify session authorization attributes such as data filters.

Examples

The following example shows how to enable the RADIUS RFC-3576 support for a RADIUS authentication server:

(Cisco Controller) > config radius auth rfc3576 enable 2

Related Commands

show radius auth statistics
show radius summary
show radius rfc3576
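The Disconnect and CoA messages described in the usage guidelines above are authenticated only by an MD5 Request Authenticator computed over the packet and the RADIUS shared secret. The following is an added example, not code from Cisco or from this command reference, of the check a receiver applies before acting on such a request; the shared secret, attribute values and function names are constructed for illustration.

```python
import hashlib
import hmac
import struct

# Request codes defined by RFC 3576.
DISCONNECT_REQUEST = 40
COA_REQUEST = 43
REQUEST_CODES = {DISCONNECT_REQUEST: "Disconnect-Request",
                 COA_REQUEST: "CoA-Request"}

HEADER_LEN = 20        # Code(1) + Identifier(1) + Length(2) + Authenticator(16)
MAX_PACKET_LEN = 4096  # largest RADIUS packet

USER_NAME, CALLING_STATION_ID = 1, 31  # standard RADIUS attribute types


class PacketError(ValueError):
    """Raised when a datagram is not a well-formed, authentic request."""


def encode_attr(attr_type, value):
    """Encode one attribute as Type, Length, Value."""
    return bytes([attr_type, len(value) + 2]) + value


# Constructed sample values (assumptions, not taken from the command reference).
SAMPLE_SECRET = b"constructed-shared-secret"
SAMPLE_ATTRS = (encode_attr(USER_NAME, b"alice")
                + encode_attr(CALLING_STATION_ID, b"00-11-22-33-44-55"))


def request_authenticator(code, ident, attrs, secret):
    """MD5(Code + Identifier + Length + 16 zero octets + Attributes + secret)."""
    header = struct.pack("!BBH", code, ident, HEADER_LEN + len(attrs))
    return hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()


def parse_attributes(blob):
    """Split the attribute area into (type, value) pairs, rejecting bad lengths."""
    attrs, pos = [], 0
    while pos < len(blob):
        if len(blob) - pos < 2:
            raise PacketError("truncated attribute header")
        attr_type, attr_len = blob[pos], blob[pos + 1]
        if attr_len < 2 or pos + attr_len > len(blob):
            raise PacketError("attribute length out of bounds")
        attrs.append((attr_type, blob[pos + 2:pos + attr_len]))
        pos += attr_len
    return attrs


def verify_dynamic_auth_request(datagram, secret):
    """Return (name, identifier, attributes) if the request is authentic."""
    if len(datagram) < HEADER_LEN:
        raise PacketError("shorter than the RADIUS header")
    code, ident, length = struct.unpack("!BBH", datagram[:4])
    if code not in REQUEST_CODES:
        raise PacketError("not a Disconnect-Request or CoA-Request")
    if length < HEADER_LEN or length > MAX_PACKET_LEN or length > len(datagram):
        raise PacketError("bad Length field")
    packet = datagram[:length]  # octets beyond Length are padding
    received = packet[4:HEADER_LEN]
    attrs = packet[HEADER_LEN:]
    expected = request_authenticator(code, ident, attrs, secret)
    # Constant-time comparison; reject before interpreting any attribute.
    if not hmac.compare_digest(received, expected):
        raise PacketError("Request Authenticator mismatch")
    return REQUEST_CODES[code], ident, parse_attributes(attrs)


def build_request(code, ident, attrs, secret):
    """Build a constructed test packet to exercise the verifier."""
    header = struct.pack("!BBH", code, ident, HEADER_LEN + len(attrs))
    return header + request_authenticator(code, ident, attrs, secret) + attrs


if __name__ == "__main__":
    good = build_request(DISCONNECT_REQUEST, 7, SAMPLE_ATTRS, SAMPLE_SECRET)
    print(verify_dynamic_auth_request(good, SAMPLE_SECRET))

    tampered = bytearray(good)
    tampered[-1] ^= 0x01  # change one octet of Calling-Station-Id
    try:
        verify_dynamic_auth_request(bytes(tampered), SAMPLE_SECRET)
    except PacketError as exc:
        print("rejected:", exc)
```

A mismatch means the sender does not hold the shared secret, so the request is dropped before any session attribute is interpreted.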


config radius auth retransmit-timeout

To configure a retransmission timeout value for a RADIUS accounting server, use the config radius auth server-timeout command.

config radius auth retransmit-timeout index timeout

Syntax Description

index      RADIUS server index.
timeout    Timeout value. The range is from 2 to 30 seconds.

Command Default

The default timeout is 2 seconds.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure a server timeout value of 2 seconds for RADIUS authentication server index 10:

(Cisco Controller) > config radius auth retransmit-timeout 10 2

Related Commands

show radius auth statistics
show radius summary


config radius aggressive-failover disabled

To configure the controller to mark a RADIUS server as down (not responding) after the server does not reply to three consecutive clients, use the config radius aggressive-failover disabled command.

config radius aggressive-failover disabled

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the controller to mark a RADIUS server as down:

(Cisco Controller) > config radius aggressive-failover disabled

Related Commands

show radius summary


config radius backward compatibility

To configure RADIUS backward compatibility for the Cisco wireless LAN controller, use the config radius backward compatibility command.

config radius backward compatibility {enable | disable}

Syntax Description

enable     Enables RADIUS vendor ID backward compatibility.
disable    Disables RADIUS vendor ID backward compatibility.

Command Default

Enabled.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable the RADIUS backward compatibility settings:

(Cisco Controller) > config radius backward compatibility disable

Related Commands

show radius summary


config radius callStationIdCase

To configure callStationIdCase information sent in RADIUS messages for the Cisco WLC, use the config radius callStationIdCase command.

config radius callStationIdCase {legacy | lower | upper}

Syntax Description

legacy    Configures Call Station IDs for Layer 2 authentication to RADIUS in uppercase.
lower     Configures all Call Station IDs to RADIUS in lowercase.
upper     Configures all Call Station IDs to RADIUS in uppercase.

Command Default

Enabled.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to send the call station ID in lowercase:

(Cisco Controller) > config radius callStationIdCase lower

Related Commands

show radius summary


config radius callStationIdType

To configure the Called Station ID type information sent in RADIUS accounting messages for the Cisco wireless LAN controller, use the config radius callStationIdType command.

config radius callStationIdType {ap-ethmac-only | ap-ethmac-ssid | ap-group-name | ap-label-address | ap-label-address-ssid | ap-location | ap-mac-ssid-ap-group | ap-macaddr-only | ap-macaddr-ssid | ap-name | ap-name-ssid | flex-group-name | ipaddr | macaddr | vlan-id}

Syntax Description

ipaddr                  Configures the Call Station ID type to use the IP address (only Layer 3).
macaddr                 Configures the Call Station ID type to use the system’s MAC address (Layers 2 and 3).
ap-macaddr-only         Configures the Call Station ID type to use the access point’s MAC address (Layers 2 and 3).
ap-macaddr-ssid         Configures the Call Station ID type to use the access point’s MAC address (Layers 2 and 3) in the format AP MAC address:SSID.
ap-ethmac-only          Configures the Called Station ID type to use the access point’s Ethernet MAC address.
ap-ethmac-ssid          Configures the Called Station ID type to use the access point’s Ethernet MAC address in the format AP Ethernet MAC address:SSID.
ap-group-name           Configures the Call Station ID type to use the AP group name. If the AP is not part of any AP group, default-group is taken as the AP group name.
flex-group-name         Configures the Call Station ID type to use the FlexConnect group name. If the FlexConnect AP is not part of any FlexConnect group, the system MAC address is taken as the Call Station ID.
ap-name                 Configures the Call Station ID type to use the access point’s name.
ap-name-ssid            Configures the Call Station ID type to use the access point’s name in the format AP name:SSID.
ap-location             Configures the Call Station ID type to use the access point’s location.
ap-mac-ssid-ap-group    Sets Called Station ID type to the format <AP MAC address>:<SSID>:<AP Group>.
vlan-id                 Configures the Call Station ID type to use the system’s VLAN-ID.

Command Default

The IP address of the system.

Usage Guidelines

The controller sends the Called Station ID attribute to the RADIUS server in all authentication and accounting packets. The Called Station ID attribute can be used to classify users to different groups based on the attribute value. The command is applicable only for the Called Station and not for the Calling Station.

You cannot send only the SSID as the Called-Station-ID; you can only combine the SSID with either the access point MAC address or the access point name.

Command History

Release

7.6
7.6
8.0
8.3

Modification

This command was introduced in a release earlier than Release 7.6.
The ap-ethmac-only and ap-ethmac-ssid keywords were added to support the access point’s Ethernet MAC address.
The ap-label-address and ap-label-address-ssid keywords were added.
This command supports both IPv4 and IPv6 address formats.
The ap-mac-ssid-ap-group keyword was added.

Examples

The following example shows how to configure the call station ID type to use the IP address:

(Cisco Controller) > config radius callStationIdType ipaddr

The following example shows how to configure the call station ID type to use the system’s MAC address:

(Cisco Controller) > config radius callStationIdType macaddr

The following example shows how to configure the call station ID type to use the access point’s MAC address:

(Cisco Controller) > config radius callStationIdType ap-macaddr-only


config radius dns

To retrieve the RADIUS IP information from a DNS server, use the config radius dns command.

config radius dns {global port {ascii | hex} secret | query url timeout | serverip ip_address | disable | enable}

Syntax Description

global        Configures the global port and secret to retrieve the RADIUS IP information from a DNS server.
port          Port number for authentication. The range is from 1 to 65535. All the DNS servers should use the same authentication port.
ascii         Format of the shared secret that you should set to ASCII.
hex           Format of the shared secret that you should set to hexadecimal.
secret        RADIUS server login secret.
query         Configures the fully qualified domain name (FQDN) of the RADIUS server and DNS timeout.
url           FQDN of the RADIUS server. The FQDN can be up to 63 case-sensitive, alphanumeric characters.
timeout       Maximum time that the Cisco WLC waits for, in days, before timing out the request and resending it. The range is from 1 to 180.
serverip      Configures the DNS server IP address.
ip_address    DNS server IP address.
disable       Disables the RADIUS DNS feature. By default, this feature is disabled.
enable        Enables the Cisco WLC to retrieve the RADIUS IP information from a DNS server. When you enable a DNS query, the static configurations are overridden, that is, the DNS list overrides the static AAA list.

Command Default

You cannot configure the global port and secret to retrieve the RADIUS IP information.

Command History

Release    Modification
7.5        This command was introduced.

Usage Guidelines

The accounting port is derived from the authentication port. All the DNS servers should use the same secret.

Examples

The following example shows how to enable the RADIUS DNS feature on the Cisco WLC:

(Cisco Controller) > config radius dns enable


config radius fallback-test

To configure the RADIUS server fallback behavior, use the config radius fallback-test command.

config radius fallback-test {mode {off | passive | active} | username username | interval interval}

Syntax Description

mode        Specifies the mode.
off         Disables RADIUS server fallback.
passive     Causes the controller to revert to a preferable server (with a lower server index) from the available backup servers without using extraneous probe messages. The controller ignores all inactive servers for a time period and retries later when a RADIUS message needs to be sent.
active      Causes the controller to revert to a preferable server (with a lower server index) from the available backup servers by using RADIUS probe messages to proactively determine whether a server that has been marked inactive is back online. The controller ignores all inactive servers for all active RADIUS requests.
username    Specifies the username.
username    Username. The username can be up to 16 alphanumeric characters.
interval    Specifies the probe interval value.
interval    Probe interval. The range is 180 to 3600.

Command Default

The default probe interval is 300.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to disable the RADIUS accounting server fallback behavior:

(Cisco Controller) > config radius fallback-test mode off

The following example shows how to configure the controller to revert to a preferable server from the available backup servers without using the extraneous probe messages:

(Cisco Controller) > config radius fallback-test mode passive

The following example shows how to configure the controller to revert to a preferable server from the available backup servers by using RADIUS probe messages:

(Cisco Controller) > config radius fallback-test mode active

Related Commands

config advanced probe filter
config advanced probe limit
show advanced probe
show radius acct statistics


config radius ext-source-ports

To configure support for extended source ports in the RADIUS servers, use the config radius ext-source-ports command.

config radius ext-source-ports {enable | disable}

Syntax Description

enable     Enables Radius source port support.
disable    Disables Radius source port support.

Command Default

None

Command Modes

Config

Command History

Release    Modification
8.1        This command was introduced.

Examples

The following example shows how to enable the extended source ports in the RADIUS servers:

config radius ext-source-ports enable


config radius acct retransmit-timeout

To change the default transmission timeout for a RADIUS accounting server for the Cisco wireless LAN controller, use the config radius acct retransmit-timeout command.

config radius acct retransmit-timeout index timeout

Syntax Description

index      RADIUS server index.
timeout    Number of seconds (from 2 to 30) between retransmissions.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure a retransmission timeout of 5 seconds between retransmissions:

(Cisco Controller) > config radius acct retransmit-timeout 5

Related Commands

show radius acct statistics


config radius auth mgmt-retransmit-timeout

To configure a default RADIUS server retransmission timeout for management users, use the config radius auth mgmt-retransmit-timeout command.

config radius auth mgmt-retransmit-timeout index retransmit-timeout

Syntax Description

index                 RADIUS server index.
retransmit-timeout    Timeout value. The range is from 1 to 30 seconds.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure a default RADIUS server retransmission timeout for management users:

(Cisco Controller) > config radius auth mgmt-retransmit-timeout 1 10

Related Commands

config radius auth management


config redundancy interface address peer-service-port

To configure the service port IP and netmask of the peer or standby controller, use the config redundancy interface address peer-service-port command.

config redundancy interface address peer-service-port ip_address netmask

Syntax Description

ip_address    IP address of the peer service port.
netmask       Netmask of the peer service port.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

You can configure this command only from the Active controller. For the HA feature, the service port configurations are made per controller. You will lose these configurations if you change the mode from HA to non-HA and vice-versa.

Examples

The following example shows how to configure the service port IP and netmask of the peer or standby controller:

(Cisco Controller) > config redundancy interface address peer-service-port 11.22.44.55


config redundancy mobilitymac

To configure the HA mobility MAC address to be used as an identifier, use the config redundancy mobilitymac command.

config redundancy mobilitymac mac_address

Syntax Description

mac_address    MAC address that is an identifier for the active and standby controller pair.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

If you upgrade from Release 8.0.110.0 to a later release, the command's setting is removed. You must manually reconfigure the mobility MAC address after the upgrade.

Examples

The following example shows how to configure the HA mobility MAC address:

(Cisco Controller) > config redundancy mobilitymac ff:ff:ff:ff:ff:ff


config redundancy mode

To enable or disable redundancy or High Availability (HA), use the config redundancy mode command.

config redundancy mode {sso | none}

Syntax Description

sso     Enables a stateful switch over (SSO) or hot standby redundancy mode.
none    Disables redundancy mode.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

You must configure local and peer redundancy management IP addresses before you configure redundancy.

Examples

The following example shows how to enable redundancy:

(Cisco Controller) > config redundancy mode sso


config redundancy peer-route

To configure the route configurations of the peer or standby controller, use the config redundancy peer-route command.

config redundancy peer-route {add | delete} network_ip_address netmask gateway

Syntax Description

add                   Adds a network route.
delete                Deletes a network route specific to standby controller.
network_ip_address    Network IP address.
netmask               Subnet mask of the network.
gateway               IP address of the gateway for the route network.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

You can configure this command only from the Active controller. For the HA feature, the service port configurations are made per controller. You will lose these configurations if you change the mode from HA to non-HA and vice-versa.

Examples

The following example shows how to configure route configurations of a peer or standby controller:

(Cisco Controller) > config redundancy peer-route add 10.1.1.0 255.255.255.0 10.1.1.1


config redundancy timer keep-alive-timer

To configure the keep-alive timeout value, use the config redundancy timer keep-alive-timer command.

config redundancy timer keep-alive-timer milliseconds

Syntax Description

milliseconds    Keep-alive timeout value in milliseconds. The range is from 100 to 400 milliseconds.

Command Default

The default keep-alive timeout value is 100 milliseconds.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the keep-alive timeout value:

(Cisco Controller) > config redundancy timer keep-alive-timer 200


config redundancy timer peer-search-timer

To configure the peer search timer, use the config redundancy timer peer-search-timer command.

config redundancy timer peer-search-timer seconds

Syntax Description

seconds    Value of the peer search timer in seconds. The range is from 60 to 180 seconds.

Command Default

The default value of the peer search timer is 120 seconds.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

You can use this command to configure the boot up role negotiation timeout value in seconds.

Examples

The following example shows how to configure the redundancy peer search timer:

(Cisco Controller) > config redundancy timer peer-search-timer 100


config redundancy unit

To configure a Cisco WLC as a primary or secondary WLC, use the config redundancy unit command.

config redundancy unit {primary | secondary}

Syntax Description

primary      Configures the Cisco WLC as the primary WLC.
secondary    Configures the Cisco WLC as the secondary WLC.

Command Default

The default state is as the primary WLC.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

When you configure a Cisco WLC as the secondary WLC, it becomes the HA Stakable Unit (SKU) without any valid AP licenses.

Examples

The following example shows how to configure a Cisco WLC as the primary WLC:

(Cisco Controller) > config redundancy unit primary


config remote-lan

To configure a remote LAN, use the config remote-lan command.

config remote-lan {enable | disable} {remote-lan-id | all}

Syntax Description

enable           Enables a remote LAN.
disable          Disables a remote LAN.
remote-lan-id    Remote LAN identifier. Valid values are between 1 and 512.
all              Configures all wireless LANs.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable a remote LAN with ID 2:

(Cisco Controller) > config remote-lan enable 2


config remote-lan aaa-override

To configure user policy override through AAA on a remote LAN, use the config remote-lan aaa-override command.

config remote-lan aaa-override {enable | disable} remote-lan-id

Syntax Description

enable           Enables user policy override through AAA on a remote LAN.
disable          Disables user policy override through AAA on a remote LAN.
remote-lan-id    Remote LAN identifier. Valid values are between 1 and 512.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable user policy override through AAA on a remote LAN where the remote LAN ID is 2:

(Cisco Controller) > config remote-lan aaa-override enable 2


config remote-lan acl

To specify an access control list (ACL) for a remote LAN, use the config remote-lan acl command.

config remote-lan acl remote-lan-id acl_name

Syntax Description

remote-lan-id    Remote LAN identifier. Valid values are between 1 and 512.
acl_name         ACL name.
                 Note: Use the show acl summary command to know the ACLs available.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to specify ACL1 for a remote LAN whose ID is 2:

(Cisco Controller) > config remote-lan acl 2 ACL1


config remote-lan apgroup

To add an access point (AP) group to remote LAN IEEE 802.1X, use the config remote-lan apgroup command.

config remote-lan apgroup add apgroup-name description

Syntax Description

add             Creates a new AP group.
apgroup-name    Name of an AP group to configure.
description     (Optional) Description of the AP group.

Command Default

None

Command Modes

Controller Configuration

Command History

Release    Modification
8.4        This command was introduced.

Usage Guidelines

Examples

The following example shows how to add an AP group to remote LAN IEEE 802.1X:

(Cisco Controller) > config remote-lan apgroup add testap


config remote-lan create

To configure a new remote LAN connection, use the config remote-lan create command.

config remote-lan create remote-lan-id name

Syntax Description

remote-lan-id    Remote LAN identifier. Valid values are between 1 and 512.
name             Remote LAN name. Valid values are up to 32 alphanumeric characters.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure a new remote LAN, MyRemoteLAN, with the LAN ID as 3:

(Cisco Controller) > config remote-lan create 3 MyRemoteLAN


config remote-lan custom-web

To configure web authentication for a remote LAN, use the config remote-lan custom-web command.

config remote-lan custom-web {ext-webauth-url URL | global {enable | disable} | login-page page-name | loginfailure-page {page-name | none} | logout-page {page-name | none} | webauth-type {internal | customized | external}} remote-lan-id

Syntax Description

ext-webauth-url    Configures an external web authentication URL.
URL                Web authentication URL for the Login page.
global             Configures the global status for the remote LAN.
enable             Enables the global status for the remote LAN.
disable            Disables the global status for the remote LAN.
login-page         Configures a login page.
page-name          Login page name.
none               Configures no login page.
logout-page        Configures a logout page.
none               Configures no logout page.
webauth-type       Configures the web authentication type for the remote LAN.
internal           Displays the default login page.
customized         Displays a downloaded login page.
external           Displays a login page that is on an external server.
name               Remote LAN name. Valid values are up to 32 alphanumeric characters.
remote-lan-id      Remote LAN identifier. Valid values are from 1 to 512.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

Follow these guidelines when you use the config remote-lan custom-web command:

• When you configure the external Web-Auth URL, do the following:

  ◦ Ensure that Web-Auth or Web-Passthrough Security is in enabled state. To enable Web-Auth, use the config remote-lan security web-auth enable command. To enable Web-Passthrough, use the config remote-lan security web-passthrough enable command.

  ◦ Ensure that the global status of the remote LAN is in disabled state. To disable the global status of the remote LAN, use the config remote-lan custom-web global disable command.

  ◦ Ensure that the remote LAN is in disabled state. To disable a remote LAN, use the config remote-lan disable command.

• When you configure the Web-Auth type for the remote LAN, do the following:

  ◦ When you configure a customized login page, ensure that you have a login page configured. To configure a login page, use the config remote-lan custom-web login-page command.

  ◦ When you configure an external login page, ensure that you have configured preauthentication ACL for external web authentication to function.

Examples

The following example shows how to configure an external web authentication URL for a remote LAN with ID 3:

(Cisco Controller) > config remote-lan custom-web ext-webauth-url http://www.AuthorizationURL.com/ 3

The following example shows how to enable the global status of a remote LAN with ID 3:

(Cisco Controller) > config remote-lan custom-web global enable 3

The following example shows how to configure the login page for a remote LAN with ID 3:

(Cisco Controller) > config remote-lan custom-web login-page custompage1 3

The following example shows how to configure a web authentication type with the default login page for a remote LAN with ID 3:

(Cisco Controller) > config remote-lan custom-web webauth-type internal 3


config remote-lan delete

To delete a remote LAN connection, use the config remote-lan delete command.

config remote-lan delete remote-lan-id

Syntax Description

remote-lan-id    Remote LAN identifier. Valid values are between 1 and 512.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to delete a remote LAN with ID 3:

(Cisco Controller) > config remote-lan delete 3


config remote-lan dhcp_server

To configure a dynamic host configuration protocol (DHCP) server for a remote LAN, use the config remote-lan dhcp_server command.

config remote-lan dhcp_server remote-lan-id ip_address

Syntax Description

remote-lan-id    Remote LAN identifier. Valid values are between 1 and 512.
ip_address       IPv4 address of the override DHCP server.

Command Default

0.0.0.0 is set as the default interface value.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.
8.0        This command supports only IPv4 address format.

Examples

The following example shows how to configure a DHCP server for a remote LAN with ID 3:

(Cisco Controller) > config remote-lan dhcp_server 3 209.165.200.225

Related Commands

show remote-lan


config remote-lan exclusionlist

To configure the exclusion list timeout on a remote LAN, use the config remote-lan exclusionlist command.

config remote-lan exclusionlist remote-lan-id {seconds | disabled | enabled}

Syntax Description

remote-lan-id    Remote LAN identifier. Valid values are between 1 and 512.
seconds          Exclusion list timeout in seconds. A value of 0 requires an administrator override.
disabled         Disables exclusion listing.
enabled          Enables exclusion listing.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the exclusion list timeout to 20 seconds on a remote LAN with ID 3:

(Cisco Controller) > config remote-lan exclusionlist 3 20


config remote-lan host-mode

To configure a host mode for remote LAN IEEE 802.1X, use the config remote-lan host-mode command.

config remote-lan host-mode {singlehost | multihost} remote-lan-id

Syntax Description

singlehost       Configures the remote LAN single-host mode.
multihost        Configures the remote LAN multi-host mode.
remote-lan-id    WLAN identifier. The range is from 1 to 512.

Command Default

None

Command Modes

Controller Configuration

Command History

Release    Modification
8.4        This command was introduced.

Examples

The following example shows how to configure the host mode as single for remote LAN IEEE 802.1X:

(Cisco Controller) > config remote-lan host-mode singlehost 1


config remote-lan interface

To configure an interface for a remote LAN, use the config remote-lan interface command.

config remote-lan interface remote-lan-id interface_name

Syntax Description

remote-lan-id     Remote LAN identifier. Valid values are between 1 and 512.
interface_name    Interface name.
                  Note: Interface name should not be in upper case characters.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure an interface myinterface for a remote LAN with ID 3:

(Cisco Controller) > config remote-lan interface 3 myinterface


config remote-lan ldap

To configure a remote LAN’s LDAP servers, use the config remote-lan ldap command.

config remote-lan ldap {add | delete} remote-lan-id index

Syntax Description

add              Adds a link to a configured LDAP server (maximum of three).
delete           Deletes a link to a configured LDAP server.
remote-lan-id    Remote LAN identifier. Valid values are between 1 and 512.
index            LDAP server index.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to add an LDAP server with the index number 10 for a remote LAN with ID 3:

(Cisco Controller) > config remote-lan ldap add 3 10


config remote-lan mac-filtering

To configure MAC filtering on a remote LAN, use the config remote-lan mac-filtering command.

config remote-lan mac-filtering {enable | disable} remote-lan-id

Syntax Description

enable           Enables MAC filtering on a remote LAN.
disable          Disables MAC filtering on a remote LAN.
remote-lan-id    Remote LAN identifier. Valid values are between 1 and 512.

Command Default

MAC filtering on a remote LAN is enabled.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to disable MAC filtering on a remote LAN with ID 3:

(Cisco Controller) > config remote-lan mac-filtering disable 3


config remote-lan mab

To configure MAC Authentication Bypass (MAB) authentication support for AP Port LAN clients, use the config remote-lan mab command.

config remote-lan mab {enable | disable} remote-lan-id

Syntax Description

enable           Enables MAB authentication support.
disable          Disables MAB authentication support.
remote-lan-id    WLAN Identifier. The valid range is between 1 and 512.

Command Default

None

Command Modes

Controller Configuration

Command History

Release    Modification
8.4        This command was introduced.

Examples

The following example shows how to enable MAB authentication support for AP Port LAN clients:

(Cisco Controller) > config remote-lan mab enable 8


config remote-lan max-associated-clients

To configure the maximum number of client connections on a remote LAN, use the config remote-lan max-associated-clients command.

config remote-lan max-associated-clients remote-lan-id max-clients

Syntax Description

remote-lan-id    Remote LAN identifier. Valid values are between 1 and 512.
max-clients      Configures the maximum number of client connections on a remote LAN.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure 10 client connections on a remote LAN with ID 3:

(Cisco Controller) > config remote-lan max-associated-clients 3 10


config remote-lan pre-auth

To configure a preauthentication VLAN for RLAN IEEE 802.1X, use the config remote-lan pre-auth command.

config remote-lan pre-auth {enable | disable} remote-lan-id vlan vlan-id

Syntax Description

enable           Enables RLAN preauthentication.
disable          Disables RLAN preauthentication.
remote-lan-id    WLAN identifier. The range is from 1 to 512.
vlan             Configures preauthentication VLAN for RLAN IEEE 802.1X.
vlan-id          Remote LAN preauthentication VLAN identifier.

Command Default

None

Command Modes

(Controller Configuration)

Command History

Release    Modification
8.4        This command was introduced.

Examples

The following example shows how to enable preauthentication VLAN for remote LAN IEEE 802.1X:

(Cisco Controller) > config remote-lan pre-auth enable 1 vlan vlan1


config remote-lan radius_server

To configure the RADIUS servers on a remote LAN, use the config remote-lan radius_server command.

config remote-lan radius_server {acct {{add | delete} server-index | {enable | disable} | interim-update {interval | enable | disable}} | auth {{add | delete} server-index | {enable | disable}} | overwrite-interface {enable | disable}} remote-lan-id

Syntax Description

acct                   Configures a RADIUS accounting server.
add                    Adds a link to a configured RADIUS server.
delete                 Deletes a link to a configured RADIUS server.
remote-lan-id          Remote LAN identifier. Valid values are between 1 and 512.
server-index           RADIUS server index.
enable                 Enables RADIUS accounting for this remote LAN.
disable                Disables RADIUS accounting for this remote LAN.
interim-update         Enables RADIUS accounting for this remote LAN.
interval               Accounting interim interval. The range is from 180 to 3600 seconds.
enable                 Enables accounting interim update.
disable                Disables accounting interim update.
auth                   Configures a RADIUS authentication server.
enable                 Enables RADIUS authentication for this remote LAN.
disable                Disables RADIUS authentication for this remote LAN.
overwrite-interface    Configures a RADIUS dynamic interface for the remote LAN.
enable                 Enables a RADIUS dynamic interface for the remote LAN.
disable                Disables a RADIUS dynamic interface for the remote LAN.

Command Default

The interim update interval is set to 600 seconds.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable RADIUS accounting for a remote LAN with ID 3:

(Cisco Controller) > config remote-lan radius_server acct enable 3


config remote-lan security

To configure security policy for a remote LAN, use the config remote-lan security command.

config remote-lan security {{web-auth {enable | disable | acl | server-precedence} remote-lan-id} | {web-passthrough {enable | disable | acl | email-input} remote-lan-id}}

Syntax Description

web-auth             Specifies web authentication.
enable               Enables the web authentication settings.
disable              Disables the web authentication settings.
acl                  Configures an access control list.
server-precedence    Configures the authentication server precedence order for web authentication users.
remote-lan-id        Remote LAN identifier. Valid values are between 1 and 512.
email-input          Configures the web captive portal using an e-mail address.
web-passthrough      Specifies the web captive portal with no authentication required.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.
8.4        The 802.1X keyword was added.

Examples

The following example shows how to configure the security web authentication policy for remote LAN ID 1:

(Cisco Controller) > config remote-lan security web-auth enable 1


config remote-lan session-timeout

To configure client session timeout, use the config remote-lan session-timeout command.

config remote-lan session-timeout remote-lan-id seconds

Syntax Description

remote-lan-id    Remote LAN identifier. Valid values are between 1 and 512.
seconds          Timeout or session duration in seconds. A value of zero is equivalent to no timeout.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the client session timeout to 6000 seconds for a remote LAN with ID 1:

(Cisco Controller) > config remote-lan session-timeout 1 6000


config remote-lan violation-mode

To configure the violation mode for remote LAN IEEE 802.1X, use the config remote-lan violation-mode command.

config remote-lan violation-mode {protect | replace | shutdown} remote-lan-id

Syntax Description

protect          Configures the remote LAN protect mode.
replace          Configures the remote LAN replace mode.
shutdown         Configures the remote LAN shutdown mode.
remote-lan-id    WLAN identifier. The range is from 1 to 512.

Command Default

None

Command Modes

Controller Configuration

Command History

Release    Modification
8.4        This command was introduced.

Usage Guidelines

Examples

The following example shows how to configure the violation mode as protect for remote LAN IEEE 802.1X:

(Cisco Controller) > config remote-lan violation-mode protect 1


config remote-lan webauth-exclude

To configure web authentication exclusion on a remote LAN, use the config remote-lan webauth-exclude command.

config remote-lan webauth-exclude remote-lan-id {enable | disable}

Syntax Description

remote-lan-id    Remote LAN identifier. Valid values are between 1 and 512.
enable           Enables web authentication exclusion on the remote LAN.
disable          Disables web authentication exclusion on the remote LAN.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable web authentication exclusion on a remote LAN with ID 1:

(Cisco Controller) > config remote-lan webauth-exclude 1 enable
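
The remote LAN settings documented above can be checked mechanically before a configuration is applied. The following Python audit is an added example, not part of the Cisco reference: it checks constructed config remote-lan lines against the ID range, the interim-update range and the defaults stated in this section. The function names, severity labels and sample configuration are assumptions made for illustration.

```python
"""Audit 'config remote-lan ...' lines against the ranges documented in this section."""

PROMPT = "(Cisco Controller) >"
RLAN_IDS = range(1, 513)            # remote-lan-id: valid values are between 1 and 512
INTERIM_SECONDS = range(180, 3601)  # acct interim-update interval: 180 to 3600 seconds

# Index of remote-lan-id within the arguments; it differs per command in this reference
# (0 = first argument, 1 = second argument, -1 = last argument).
ID_POSITION = {
    "dhcp_server": 0, "exclusionlist": 0, "interface": 0,
    "max-associated-clients": 0, "session-timeout": 0, "webauth-exclude": 0,
    "ldap": 1, "pre-auth": 1,
    "host-mode": -1, "mab": -1, "mac-filtering": -1,
    "radius_server": -1, "security": -1, "violation-mode": -1,
}


def _check(command, args):
    """Yield (severity, message) for settings that weaken access control on the RLAN."""
    if command == "mac-filtering" and args[0] == "disable":
        yield "warn", "MAC filtering disabled (documented default is enabled)"
    elif command == "exclusionlist" and len(args) > 1:
        if args[1] == "disabled":
            yield "warn", "exclusion listing disabled"
        elif args[1] == "0":
            yield "info", "exclusion timeout 0 requires an administrator override"
    elif command == "session-timeout" and len(args) > 1 and args[1] == "0":
        yield "warn", "session timeout 0 is equivalent to no timeout"
    elif command == "security" and args[:2] == ["web-passthrough", "enable"]:
        yield "warn", "web-passthrough: captive portal with no authentication required"
    elif command == "radius_server":
        if args[:2] == ["auth", "disable"]:
            yield "warn", "RADIUS authentication disabled for this remote LAN"
        elif args[:2] == ["acct", "interim-update"] and len(args) > 3 and args[2].isdigit():
            if int(args[2]) not in INTERIM_SECONDS:
                yield "error", f"interim-update interval {args[2]} is not in 180-3600 seconds"


def audit(config_text):
    """Return a list of (severity, line_number, message) for remote-lan commands."""
    findings = []
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if line.startswith(PROMPT):
            line = line[len(PROMPT):].strip()
        tokens = line.split()
        if tokens[:2] != ["config", "remote-lan"] or len(tokens) < 3:
            continue  # not a remote-lan command
        command, args = tokens[2], tokens[3:]
        if command not in ID_POSITION:
            findings.append(("error", lineno, f"unknown remote-lan command {command!r}"))
            continue
        try:
            rlan_id = args[ID_POSITION[command]]
        except IndexError:
            findings.append(("error", lineno, "remote-lan-id is missing"))
            continue
        if not rlan_id.isdigit() or int(rlan_id) not in RLAN_IDS:
            findings.append(("error", lineno, f"remote-lan-id {rlan_id!r} is not in 1-512"))
            continue
        findings.extend((sev, lineno, msg) for sev, msg in _check(command, args))
    return findings


# Constructed sample configuration (not taken from a real controller).
SAMPLE = """\
(Cisco Controller) > config remote-lan mac-filtering disable 3
config remote-lan exclusionlist 3 20
config remote-lan session-timeout 1 0
config remote-lan security web-passthrough enable 1
config remote-lan radius_server acct interim-update 60 3
config remote-lan host-mode singlehost 600
config remote-lan security web-auth enable 1
"""

if __name__ == "__main__":
    for severity, lineno, message in audit(SAMPLE):
        print(f"line {lineno}: {severity}: {message}")
```

The position table matters because remote-lan-id is the first argument for some commands (exclusionlist, session-timeout) and the last for others (mac-filtering, security), so a single fixed index would misread half of them.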


config rf-profile band-select

To configure the RF profile band selection parameters, use the config rf-profile band-select command.

config rf-profile band-select {client-rssi rssi | cycle-count cycles | cycle-threshold value | expire {dual-band value | suppression value} | probe-response {enable | disable}} profile_name

Syntax Description

client-rssi        Configures the client Received Signal Strength Indicator (RSSI) threshold for the RF profile.
rssi               Minimum RSSI for a client to respond to a probe. The range is from -20 to -90 dBm.
cycle-count        Configures the probe cycle count for the RF profile. The cycle count sets the number of suppression cycles for a new client.
cycles             Value of the cycle count. The range is from 1 to 10.
cycle-threshold    Configures the time threshold for a new scanning RF Profile band select cycle period. This setting determines the time threshold during which new probe requests from a client come in a new scanning cycle.
value              Value of the cycle threshold for the RF profile. The range is from 1 to 1000 milliseconds.
expire             Configures the expiration time of clients for band select.
dual-band          Configures the expiration time for pruning previously known dual-band clients. After this time elapses, clients become new and are subject to probe response suppression.
value              Value for a dual band. The range is from 10 to 300 seconds.
suppression        Configures the expiration time for pruning previously known 802.11b/g clients. After this time elapses, clients become new and are subject to probe response suppression.
value              Value for suppression. The range is from 10 to 200 seconds.
probe-response     Configures the probe response for an RF profile.
enable             Enables probe response suppression on clients operating in the 2.4-GHz band for an RF profile.
disable            Disables probe response suppression on clients operating in the 2.4-GHz band for an RF profile.
profile_name       Name of the RF profile. The profile name can be up to 32 case-sensitive, alphanumeric characters.

Command Default

The default value for client RSSI is -80 dBm.

The default cycle count is 2.

The default cycle threshold is 200 milliseconds.

The default value for dual-band expiration is 60 seconds.

The default value for suppression expiration is 20 seconds.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

When you enable band select on a WLAN, the access point suppresses client probes on 2.4-GHz and moves the dual band clients to the 5-GHz spectrum. The band-selection algorithm directs dual-band clients only from the 2.4-GHz radio to the 5-GHz radio of the same access point, and it only runs on an access point when both the 2.4-GHz and 5-GHz radios are up and running. Band selection can be used only with Cisco Aironet 1040, 1140, and 1250 Series and the 3500 series access points.

Examples

The following example shows how to configure the client RSSI:

(Cisco Controller) > config rf-profile band-select client-rssi -70


config rf-profile client-trap-threshold

To configure the threshold value of the number of clients that associate with an access point, after which an SNMP trap is sent to the controller, use the config rf-profile client-trap-threshold command.

config rf-profile client-trap-threshold threshold profile_name

Syntax Description

threshold       Threshold value of the number of clients that associate with an access point, after which an SNMP trap is sent to the controller. The range is from 0 to 200. Traps are disabled if the threshold value is configured as zero.
profile_name    Name of the RF profile. The profile name can be up to 32 case-sensitive, alphanumeric characters.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the threshold value of the number of clients that associate with an access point:

(Cisco Controller) > config rf-profile client-trap-threshold 150


config rf-profile create

To create an RF profile, use the config rf-profile create command.

config rf-profile create {802.11a | 802.11b/g} profile-name

Syntax Description

802.11a         Configures the RF profile for the 2.4GHz band.
802.11b/g       Configures the RF profile for the 5GHz band.
profile-name    Name of the RF profile.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to create a new RF profile:

(Cisco Controller) > config rf-profile create 802.11a RFtestgroup1


config rf-profile fra client-aware

To configure the RF profile client-aware FRA feature, use the config rf-profile fra client-aware command.

config rf-profile fra client-aware {client-reset percent rf-profile-name | client-select percent rf-profile-name | disable rf-profile-name | enable rf-profile-name}

Syntax Description

client-reset       Configures the RF profile AP utilization threshold for radio to switch back to Monitor mode.
percent            Utilization percentage value ranges from 0 to 100. The default is 5%.
rf-profile-name    Name of the RF Profile.
client-select      Configures the RF profile utilization threshold for radio to switch to 5GHz.
percent            Utilization percentage value ranges from 0 to 100. The default is 50%.
disable            Disables the RF profile client-aware FRA feature.
enable             Enables the RF profile client-aware FRA feature.

Command Default

The default percent value for client-select and client-reset is 50% and 5% respectively.

Command History

Release    Modification
8.5        This command was introduced.

Examples

The following example shows how to configure the RF profile utilization threshold for redundant dual-band radios to switch back from 5GHz client-serving role to Monitor mode:

(Cisco Controller) > config rf-profile fra client-aware client-reset 15 profile1

The following example shows how to configure the RF profile utilization threshold for redundant dual-band radios to switch from Monitor mode to 5GHz client-serving role:

(Cisco Controller) > config rf-profile fra client-aware client-select 20 profile1

The following example shows how to disable the RF profile client-aware FRA feature:

(Cisco Controller) > config rf-profile fra client-aware disable profile1

The following example shows how to enable the RF profile client-aware FRA feature:

(Cisco Controller) > config rf-profile fra client-aware enable profile1


config rf-profile data-rates

To configure the data rate on an RF profile, use the config rf-profile data-rates command.

config rf-profile data-rates {802.11a | 802.11b} {disabled | mandatory | supported} data-rate profile-name

Syntax Description

802.11a         Specifies 802.11a as the radio policy of the RF profile.
802.11b         Specifies 802.11b as the radio policy of the RF profile.
disabled        Disables a rate.
mandatory       Sets a rate to mandatory.
supported       Sets a rate to supported.
data-rate       802.11 operational rates, which are 1*, 2*, 5.5*, 6, 9, 11*, 12, 18, 24, 36, 48 and 54, where * denotes 802.11b only rates.
profile-name    Name of the RF profile.

Command Default

Default data rates for RF profiles are derived from the controller system defaults, the global data rate configurations. For example, if the RF profile's radio policy is mapped to 802.11a then the global 802.11a data rates are copied into the RF profiles at the time of creation.

The data rates set with this command are negotiated between the client and the Cisco wireless LAN controller.

If the data rate is set to mandatory, the client must support it in order to use the network. If a data rate is set as supported by the Cisco wireless LAN controller, any associated client that also supports that rate may communicate with the Cisco lightweight access point using that rate. A client does not need to be able to use all the rates marked supported in order to associate.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to set the 802.11b transmission of an RF profile at a mandatory rate at 12 Mbps:

(Cisco Controller) > config rf-profile 802.11b data-rates mandatory 12 RFGroup1


config rf-profile delete

To delete an RF profile, use the config rf-profile delete command.

config rf-profile delete profile-name

Syntax Description

profile-name    Name of the RF profile.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to delete an RF profile:

(Cisco Controller) > config rf-profile delete RFGroup1


config rf-profile description

To provide a description for an RF profile, use the config rf-profile description command.

config rf-profile description description profile-name

Syntax Description

description     Description of the RF profile.
profile-name    Name of the RF profile.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to add a description to an RF profile:

(Cisco Controller) > config rf-profile description This is a demo desciption RFGroup1


config rf-profile load-balancing

To configure load balancing on an RF profile, use the config rf-profile load-balancing command.

config rf-profile load-balancing {window clients | denial value} profile_name

Syntax Description

window          Configures the client window for load balancing of an RF profile.
clients         Client window size that limits the number of client associations with an access point. The range is from 0 to 20. The default value is 5.
                The window size is part of the algorithm that determines whether an access point is too heavily loaded to accept more client associations:
                load-balancing window + client associations on AP with lightest load = load-balancing threshold
                Access points with more client associations than this threshold are considered busy, and clients can associate only to access points with client counts lower than the threshold. This window also helps to disassociate sticky clients.
denial          Configures the client denial count for load balancing of an RF profile.
value           Maximum number of association denials during load balancing. The range is from 1 to 10. The default value is 3.
                When a client tries to associate on a wireless network, it sends an association request to the access point. If the access point is overloaded and load balancing is enabled on the controller, the access point sends a denial to the association request. If there are no other access points in the range of the client, the client tries to associate with the same access point again. After the maximum denial count is reached, the client is able to associate. The association attempts that a client makes on an access point before it associates with any AP are called a sequence of association. The default is 3.
profile_name    Name of the RF profile. The profile name can be up to 32 case-sensitive, alphanumeric characters.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the client window size for an RF profile:

(Cisco Controller) > config rf-profile load-balancing window 15
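
The window and denial settings described above, worked through as an added Python example (not code from the Cisco reference). It assumes an access point is busy when its client count is greater than the threshold, and that a client is accepted on the attempt after the maximum denial count is reached; the function names, AP names and client counts are constructed for illustration.

```python
"""Model of the load-balancing window and denial count described in this section."""

WINDOW_RANGE = range(0, 21)   # client window size: 0 to 20 (default 5)
DENIAL_RANGE = range(1, 11)   # maximum association denials: 1 to 10 (default 3)


def load_balancing_threshold(window, ap_clients):
    """threshold = load-balancing window + client associations on AP with lightest load."""
    if window not in WINDOW_RANGE:
        raise ValueError("window must be from 0 to 20")
    return window + min(ap_clients.values())


def associate(aps_in_range, ap_clients, window=5, max_denials=3):
    """Simulate one client's sequence of association.

    aps_in_range: APs the client can hear, in the order it tries them (assumption:
                  after a denial it moves to the next AP, or retries the same AP
                  when no other AP is in range).
    ap_clients:   dict of AP name -> current client count; updated on acceptance.
    Returns (ap_joined, log) where log is a list of (ap, "denied" | "accepted").
    """
    if max_denials not in DENIAL_RANGE:
        raise ValueError("denial count must be from 1 to 10")
    denials, attempt, log = 0, 0, []
    while True:
        ap = aps_in_range[attempt % len(aps_in_range)]
        attempt += 1
        busy = ap_clients[ap] > load_balancing_threshold(window, ap_clients)
        if busy and denials < max_denials:
            denials += 1
            log.append((ap, "denied"))
            continue
        # Either the AP is not busy, or the maximum denial count has been reached.
        ap_clients[ap] += 1
        log.append((ap, "accepted"))
        return ap, log


# Constructed client counts: AP2 has the lightest load, so with the default
# window of 5 the threshold is 5 + 3 = 8 and only AP1 is busy.
COUNTS = {"AP1": 12, "AP2": 3, "AP3": 5}

if __name__ == "__main__":
    print("threshold:", load_balancing_threshold(5, COUNTS))
    print("hears AP1 only:", associate(["AP1"], dict(COUNTS)))
    print("hears AP1 and AP2:", associate(["AP1", "AP2"], dict(COUNTS)))
```

A client that hears only the busy AP is denied three times and then admitted, which is why the denial count bounds how long load balancing can keep a client off the network.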


config rf-profile max-clients

To configure the maximum number of client connections per access point of an RF profile, use the config rf-profile max-clients command.

config rf-profile max-clients clients

Syntax Description

clients    Maximum number of client connections per access point of an RF profile. The range is from 1 to 200.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

You can use this command to configure the maximum number of clients on access points that are in client-dense areas, or that serve high-bandwidth video or mission-critical voice applications.

Examples

The following example shows how to set the maximum number of clients at 50:

(Cisco Controller) > config rf-profile max-clients 50


config rf-profile multicast data-rate

To configure the minimum RF profile multicast data rate, use the config rf-profile multicast data-rate command.

config rf-profile multicast data-rate value profile_name

Syntax Description

value           Minimum RF profile multicast data rate. The options are 6, 9, 12, 18, 24, 36, 48, 54. Enter 0 to specify that access points will dynamically adjust the data rate.
profile_name    Name of the RF profile. The profile name can be up to 32 case-sensitive, alphanumeric characters.

Command Default

The minimum RF profile multicast data rate is 0.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to set the multicast data rate for an RF profile:

(Cisco Controller) > config rf-profile multicast data-rate 24


config rf-profile out-of-box

To create an out-of-box AP group consisting of newly installed access points, use the config rf-profile out-of-box command.

config rf-profile out-of-box {enable | disable}

Syntax Description

enable     Enables the creation of an out-of-box AP group. When you enable this command, the following occurs:
           • Newly installed access points that are part of the default AP group will be part of the out-of-box AP group and their radios will be switched off, which eliminates any RF instability caused by the new access points.
           • All access points that do not have a group name become part of the out-of-box AP group.
           • Special RF profiles are created per 802.11 band. These RF profiles have default-settings for all the existing RF parameters and additional new configurations.
disable    Disables the out-of-box AP group. When you disable this feature, only the subscription of new APs to the out-of-box AP group stops. All APs that are subscribed to the out-of-box AP group remain in this AP group. You can move APs to the default group or a custom AP group upon network convergence.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

When an out-of-box AP associates with the controller for the first time, it will be redirected to a special AP group and the RF profiles applicable to this AP Group will control the radio admin state configuration of the AP. You can move APs to the default group or a custom group upon network convergence.

Examples

The following example shows how to enable the creation of an out-of-box AP group:

(Cisco Controller) > config rf-profile out-of-box enable


config rf-profile rx-sop threshold

To configure high, medium or low Rx SOP threshold values for each 802.11 band, use the config rf-profile rx-sop threshold command.

config rf-profile rx-sop threshold {high | medium | low | auto} profile_name

Syntax Description

high            Configures the high Rx SOP threshold value for an RF profile.
medium          Configures the medium Rx SOP threshold value for an RF profile.
low             Configures the low Rx SOP threshold value for an RF profile.
auto            Configures an auto Rx SOP threshold value for an RF profile. When you choose auto, the access point determines the best Rx SOP threshold value.
profile_name    RF profile on which the Rx SOP threshold value will be configured.

Command Default

The default Rx SOP threshold option is auto.

Command History

Release    Modification
8.0        This command was introduced.

Examples

The following example shows how to configure the high Rx SOP threshold value on an RF profile:

(Cisco Controller) > config 802.11 rx-sop threshold high T1a


config rf-profile tx-power-control-thresh-v1

To configure Transmit Power Control version 1 (TPCv1) on an RF profile, use the config rf-profile tx-power-control-thresh-v1 command.

config rf-profile tx-power-control-thresh-v1 tpc-threshold profile_name

Syntax Description

tpc-threshold    TPC threshold.
profile_name     Name of the RF profile.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure TPCv1 on an RF profile:

(Cisco Controller) > config rf-profile tx-power-control-thresh-v1 RFGroup1


config rf-profile tx-power-control-thresh-v2

To configure Transmit Power Control version 2 (TPCv2) on an RF profile, use the config rf-profile tx-power-control-thresh-v2 command.

config rf-profile tx-power-control-thresh-v2 tpc-threshold profile-name

Syntax Description

tpc-threshold    TPC threshold.
profile-name     Name of the RF profile.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure TPCv2 on an RF profile:

(Cisco Controller) > config rf-profile tx-power-control-thresh-v2 RFGroup1


config rf-profile tx-power-max

To configure the maximum auto-rf tx power on an RF profile, use the config rf-profile tx-power-max command.

config rf-profile tx-power-max profile-name

Syntax Description

tx-power-max    Maximum auto-rf tx power.
profile-name    Name of the RF profile.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure tx-power-max on an RF profile:

(Cisco Controller) > config rf-profile tx-power-max RFGroup1


config rf-profile tx-power-min

To configure the minimum auto-rf tx power on an RF profile, use the config rf-profile tx-power-min command.

config rf-profile tx-power-min tx-power-min profile-name

Syntax Description

tx-power-min    Minimum auto-rf tx power.
profile-name    Name of the RF profile.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure tx-power-min on an RF profile:

(Cisco Controller) > config rf-profile tx-power-min RFGroup1


config rogue ap timeout

To specify the number of seconds after which the rogue access point and client entries expire and are removed from the list, use the config rogue ap timeout command.

config rogue ap timeout seconds

Syntax Description

seconds    Value of 240 to 3600 seconds (inclusive), with a default value of 1200 seconds.

Command Default

The default number of seconds after which the rogue access point and client entries expire is 1200 seconds.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to set an expiration time for entries in the rogue access point and client list to 2400 seconds:

(Cisco Controller) > config rogue ap timeout 2400

Related Commands

config rogue ap classify
config rogue ap friendly
config rogue ap rldp
config rogue ap ssid
config rogue rule
config trapflags rogueap
show rogue ap clients
show rogue ap detailed
show rogue ap summary
show rogue ap friendly summary
show rogue ap malicious summary
show rogue ap unclassified summary
show rogue ignore-list
show rogue rule detailed
show rogue rule summary

config rogue adhoc config rogue adhoc

To globally or individually configure the status of an Independent Basic Service Set (IBSS or ad-hoc) rogue access point, use the config rogue adhoc command.

config rogue adhoc {enable | disable | external rogue_MAC | alert {rogue_MAC | all} | auto-contain [monitor_ap] | contain rogue_MAC 1234_aps}

config rogue adhoc {delete {all | mac-address mac-address} | classify {friendly state {external | internal} mac-address | malicious state {alert | contain} mac-address | unclassified state {alert | contain} mac-address}}

Syntax Description

enable               Globally enables detection and reporting of ad-hoc rogues.
disable              Globally disables detection and reporting of ad-hoc rogues.
external             Configures external state on the rogue access point that is outside the network and poses no threat to WLAN security. The controller acknowledges the presence of this rogue access point.
rogue_MAC            MAC address of the ad-hoc rogue access point.
alert                Generates an SNMP trap upon detection of the ad-hoc rogue, and generates an immediate alert to the system administrator for further action.
all                  Enables alerts for all ad-hoc rogue access points.
auto-contain         Contains all wired ad-hoc rogues detected by the controller.
monitor_ap           (Optional) IP address of the ad-hoc rogue access point.
contain              Contains the offending device so that its signals no longer interfere with authorized clients.
1234_aps             Maximum number of Cisco access points assigned to actively contain the ad-hoc rogue access point (1 through 4, inclusive).
delete               Deletes ad-hoc rogue access points.
all                  Deletes all ad-hoc rogue access points.
mac-address          Deletes ad-hoc rogue access point with the specified MAC address.
mac-address          MAC address of the ad-hoc rogue access point.
classify             Configures ad-hoc rogue access point classification.
friendly state       Classifies ad-hoc rogue access points as friendly.
internal             Configures alert state on rogue access point that is inside the network and poses no threat to WLAN security. The controller trusts this rogue access point.
malicious state      Classifies ad-hoc rogue access points as malicious.
alert                Configures alert state on the rogue access point that is not in the neighbor list or in the user configured friendly MAC list. The controller forwards an immediate alert to the system administrator for further action.
contain              Configures contain state on the rogue access point. Controller contains the offending device so that its signals no longer interfere with authorized clients.
unclassified state   Classifies ad-hoc rogue access points as unclassified.

Command Default

The default for this command is enabled and is set to alert. The default for auto-containment is disabled.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

The controller continuously monitors all nearby access points and automatically discovers and collects information on rogue access points and clients. When the controller discovers a rogue access point, it uses RLDP to determine if the rogue is attached to your wired network.

Note: RLDP is not supported for use with Cisco autonomous rogue access points. These access points drop the DHCP Discover request sent by the RLDP client. Also, RLDP is not supported if the rogue access point channel requires dynamic frequency selection (DFS).

When you enter any of the containment commands, the following warning appears:

Using this feature may have legal consequences. Do you want to continue? (y/n) :


The 2.4- and 5-GHz frequencies in the Industrial, Scientific, and Medical (ISM) band are open to the public and can be used without a license. As such, containing devices on another party’s network could have legal consequences.

Enter the auto-contain command with the monitor_ap argument to monitor the rogue access point without containing it. Enter the auto-contain command without the optional monitor_ap to automatically contain all wired ad-hoc rogues detected by the controller.

Examples

The following example shows how to enable the detection and reporting of ad-hoc rogues:

(Cisco Controller) > config rogue adhoc enable

The following example shows how to enable alerts for all ad-hoc rogue access points:

(Cisco Controller) > config rogue adhoc alert all

The following example shows how to classify an ad-hoc rogue access point as friendly and configure external state on it:

(Cisco Controller) > config rogue adhoc classify friendly state internal 11:11:11:11:11:11

Related Commands

config rogue auto-contain level
show rogue ignore-list
show rogue rule detailed
show rogue rule summary

config rogue ap classify

To classify the status of a rogue access point, use the config rogue ap classify command.

config rogue ap classify {friendly state {internal | external} ap_mac }

config rogue ap classify {malicious | unclassified} state {alert | contain} ap_mac

Syntax Description

friendly        Classifies a rogue access point as friendly.
state           Specifies a response to classification.
internal        Configures the controller to trust this rogue access point.
external        Configures the controller to acknowledge the presence of this access point.
ap_mac          MAC address of the rogue access point.
malicious       Classifies a rogue access point as potentially malicious.
unclassified    Classifies a rogue access point as unknown.
alert           Configures the controller to forward an immediate alert to the system administrator for further action.
contain         Configures the controller to contain the offending device so that its signals no longer interfere with authorized clients.

Command Default

These commands are disabled by default. Therefore, all unknown access points are categorized as unclassified by default.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

A rogue access point cannot be moved to the unclassified class if its current state is contain.

When you enter any of the containment commands, the following warning appears: “Using this feature may have legal consequences. Do you want to continue?” The 2.4- and 5-GHz frequencies in the Industrial, Scientific, and Medical (ISM) band are open to the public and can be used without a license. As such, containing devices on another party’s network could have legal consequences.

Examples

The following example shows how to classify a rogue access point as friendly and to trust it:

(Cisco Controller) > config rogue ap classify friendly state internal 11:11:11:11:11:11

The following example shows how to classify a rogue access point as malicious and to send an alert:

(Cisco Controller) > config rogue ap classify malicious state alert 11:11:11:11:11:11

The following example shows how to classify a rogue access point as unclassified and to contain it:

(Cisco Controller) > config rogue ap classify unclassified state contain 11:11:11:11:11:11

Related Commands

config rogue adhoc
config rogue ap friendly
config rogue ap rldp
config rogue ap ssid
config rogue ap timeout
config rogue ap valid-client
config rogue client
config trapflags rogueap
show rogue ap clients
show rogue ap detailed
show rogue ap summary
show rogue ap friendly summary
show rogue ap malicious summary
show rogue ap unclassified summary
show rogue client detailed
show rogue client summary
show rogue ignore-list
show rogue rule detailed
show rogue rule summary

config rogue ap friendly

To add a new friendly access point entry to the friendly MAC address list, or delete an existing friendly access point entry from the list, use the config rogue ap friendly command.

config rogue ap friendly {add | delete} ap_mac

Syntax Description

add       Adds this rogue access point to the friendly MAC address list.
delete    Deletes this rogue access point from the friendly MAC address list.
ap_mac    MAC address of the rogue access point that you want to add or delete.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to add a new friendly access point with MAC address 11:11:11:11:11:11 to the friendly MAC address list.

(Cisco Controller) > config rogue ap friendly add 11:11:11:11:11:11

Related Commands

config rogue adhoc
config rogue ap classify
config rogue ap rldp
config rogue ap ssid
config rogue ap timeout
config rogue ap valid-client
config rogue client
config trapflags rogueap
show rogue ap clients
show rogue ap detailed
show rogue ap summary
show rogue ap friendly summary
show rogue ap malicious summary
show rogue ap unclassified summary
show rogue client detailed
show rogue client summary
show rogue ignore-list
show rogue rule detailed
show rogue rule summary

config rogue ap rldp

To enable, disable, or initiate the Rogue Location Discovery Protocol (RLDP), use the config rogue ap rldp command.

config rogue ap rldp enable {alarm-only | auto-contain} [monitor_ap_only]

config rogue ap rldp initiate rogue_mac_address

config rogue ap rldp disable

Syntax Description

alarm-only           When entered without the optional argument monitor_ap_only, enables RLDP on all access points.
auto-contain         When entered without the optional argument monitor_ap_only, automatically contains all rogue access points.
monitor_ap_only      (Optional) Enables RLDP (when used with the alarm-only keyword) or automatic containment (when used with the auto-contain keyword) only on the designated monitor access point.
initiate             Initiates RLDP on a specific rogue access point.
rogue_mac_address    MAC address of specific rogue access point.
disable              Disables RLDP on all access points.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

When you enter any of the containment commands, the following warning appears: “Using this feature may have legal consequences. Do you want to continue?” The 2.4- and 5-GHz frequencies in the Industrial, Scientific, and Medical (ISM) band are open to the public and can be used without a license. As such, containing devices on another party’s network could have legal consequences.

Examples

The following example shows how to enable RLDP on all access points:

(Cisco Controller) > config rogue ap rldp enable alarm-only

The following example shows how to enable RLDP on monitor-mode access point ap_1:

(Cisco Controller) > config rogue ap rldp enable alarm-only ap_1

The following example shows how to start RLDP on the rogue access point with MAC address 123.456.789.000:

(Cisco Controller) > config rogue ap rldp initiate 123.456.789.000

The following example shows how to disable RLDP on all access points:

(Cisco Controller) > config rogue ap rldp disable

Related Commands

config rogue adhoc
config rogue ap classify
config rogue ap friendly
config rogue ap ssid
config rogue ap timeout
config rogue ap valid-client
config rogue client
config trapflags rogueap
show rogue ap clients
show rogue ap detailed
show rogue ap summary
show rogue ap friendly summary
show rogue ap malicious summary
show rogue ap unclassified summary
show rogue client detailed
show rogue client summary
show rogue ignore-list
show rogue rule detailed
show rogue rule summary

config rogue ap ssid

To generate an alarm only, or to automatically contain a rogue access point that is advertising your network’s service set identifier (SSID), use the config rogue ap ssid command.

config rogue ap ssid {alarm | auto-contain}

Syntax Description

alarm           Generates only an alarm when a rogue access point is discovered to be advertising your network’s SSID.
auto-contain    Automatically contains the rogue access point that is advertising your network’s SSID.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

When you enter any of the containment commands, the following warning appears: “Using this feature may have legal consequences. Do you want to continue?” The 2.4- and 5-GHz frequencies in the Industrial, Scientific, and Medical (ISM) band are open to the public and can be used without a license. As such, containing devices on another party’s network could have legal consequences.

Examples

The following example shows how to automatically contain a rogue access point that is advertising your network’s SSID:

(Cisco Controller) > config rogue ap ssid auto-contain

Related Commands

config rogue adhoc
config rogue ap classify
config rogue ap friendly
config rogue ap rldp
config rogue ap timeout
config rogue ap valid-client
config rogue client
config trapflags rogueap
show rogue ap clients
show rogue ap detailed
show rogue ap summary
show rogue ap friendly summary
show rogue ap malicious summary
show rogue ap unclassified summary
show rogue client detailed
show rogue client summary
show rogue ignore-list
show rogue rule detailed
show rogue rule summary

config rogue ap timeout

To specify the number of seconds after which the rogue access point and client entries expire and are removed from the list, use the config rogue ap timeout command.

config rogue ap timeout seconds

Syntax Description

seconds    Value of 240 to 3600 seconds (inclusive), with a default value of 1200 seconds.

Command Default

The default number of seconds after which the rogue access point and client entries expire is 1200 seconds.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to set an expiration time for entries in the rogue access point and client list to 2400 seconds:

(Cisco Controller) > config rogue ap timeout 2400

Related Commands

config rogue ap classify
config rogue ap friendly
config rogue ap rldp
config rogue ap ssid
config rogue rule
config trapflags rogueap
show rogue ap clients
show rogue ap detailed
show rogue ap summary
show rogue ap friendly summary
show rogue ap malicious summary
show rogue ap unclassified summary
show rogue ignore-list
show rogue rule detailed
show rogue rule summary

config rogue auto-contain level

To configure the rogue auto-containment level, use the config rogue auto-contain level command.

config rogue auto-contain level level [monitor_ap_only]

Syntax Description

level              Rogue auto-containment level in the range of 1 to 4. You can enter a value of 0 to enable the Cisco WLC to automatically select the number of APs used for auto containment. The controller chooses the required number of APs based on the RSSI for effective containment.
                   Note: Up to four APs can be used to auto-contain when a rogue AP is moved to contained state through any of the auto-containment policies.
monitor_ap_only    (Optional) Configures auto-containment using only monitor AP mode.

Command Default

The default auto-containment level is 1.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

The controller continuously monitors all nearby access points and automatically discovers and collects information on rogue access points and clients. When the controller discovers a rogue access point, it uses any of the configured auto-containment policies to start autocontainment. The policies for initiating autocontainment are rogue on wire (detected through RLDP or rogue detector AP), rogue using managed SSID, Valid client on Rogue AP, and AdHoc Rogue.

This table lists the RSSI value associated with each containment level.

Table 7: RSSI Associated with Each Containment Level

Auto-containment Level    RSSI
1                         0 to –55 dBm
2                         –75 to –55 dBm
3                         –85 to –75 dBm
4                         Less than –85 dBm

Note: RLDP is not supported for use with Cisco autonomous rogue access points. These access points drop the DHCP Discover request sent by the RLDP client. Also, RLDP is not supported if the rogue access point channel requires dynamic frequency selection (DFS).

When you enter any of the containment commands, the following warning appears:

Using this feature may have legal consequences. Do you want to continue? (y/n) :

The 2.4-GHz and 5-GHz frequencies in the Industrial, Scientific, and Medical (ISM) band are open to the public and can be used without a license. As such, containing devices on another party’s network could have legal consequences.

Examples

The following example shows how to configure the auto-contain level to 3:

(Cisco Controller) > config rogue auto-contain level 3

Related Commands

config rogue adhoc
show rogue adhoc summary
show rogue client summary
show rogue ignore-list
show rogue rule summary

config rogue ap valid-client

To generate an alarm only, or to automatically contain a rogue access point to which a trusted client is associated, use the config rogue ap valid-client command.

config rogue ap valid-client {alarm | auto-contain}

Syntax Description

alarm           Generates only an alarm when a rogue access point is discovered to be associated with a valid client.
auto-contain    Automatically contains a rogue access point to which a trusted client is associated.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

When you enter any of the containment commands, the following warning appears: “Using this feature may have legal consequences. Do you want to continue?” The 2.4- and 5-GHz frequencies in the Industrial, Scientific, and Medical (ISM) band are open to the public and can be used without a license. As such, containing devices on another party’s network could have legal consequences.

Examples

The following example shows how to automatically contain a rogue access point that is associated with a valid client:

(Cisco Controller) > config rogue ap valid-client auto-contain

Related Commands

config rogue ap classify
config rogue ap friendly
config rogue ap rldp
config rogue ap timeout
config rogue ap ssid
config rogue rule
config trapflags rogueap
show rogue ap clients
show rogue ap detailed
show rogue ap summary
show rogue ap friendly summary
show rogue ap malicious summary
show rogue ap unclassified summary
show rogue ignore-list
show rogue rule detailed
show rogue rule summary

config rogue client

To configure rogue clients, use the config rogue client command.

config rogue client {aaa {enable | disable} | alert ap_mac | contain client_mac | delete {state {alert | any | contained | contained-pending} | all | mac-address client_mac} | mse {enable | disable}}

Syntax Description

aaa                  Configures AAA server or local database to validate whether rogue clients are valid clients. The default is disabled.
enable               Enables the AAA server or local database to check rogue client MAC addresses for validity.
disable              Disables the AAA server or local database to check rogue client MAC addresses for validity.
alert                Configures the controller to forward an immediate alert to the system administrator for further action.
ap_mac               Access point MAC address.
contain              Configures the controller to contain the offending device so that its signals no longer interfere with authorized clients.
client_mac           MAC address of the rogue client.
delete               Deletes the rogue client.
state                Deletes the rogue clients according to their state.
alert                Deletes the rogue clients in alert state.
any                  Deletes the rogue clients in any state.
contained            Deletes all rogue clients that are in contained state.
contained-pending    Deletes all rogue clients that are in contained pending state.
all                  Deletes all rogue clients.
mac-address          Deletes a rogue client with the configured MAC address.
mse                  Validates if the rogue clients are valid clients using MSE. The default is disabled.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

You cannot validate rogue clients against MSE and AAA at the same time.

Examples

The following example shows how to enable the AAA server or local database to check MAC addresses:

(Cisco Controller) > config rogue client aaa enable

The following example shows how to disable the AAA server or local database from checking MAC addresses:

(Cisco Controller) > config rogue client aaa disable

Related Commands

config rogue rule
config trapflags rogueap
show rogue ap clients
show rogue ap detailed
show rogue client summary
show rogue ignore-list
show rogue rule detailed
show rogue rule summary

config rogue containment

To configure rogue containment, use the config rogue containment command.

config rogue containment {flexconnect | auto-rate} {enable | disable}

Syntax Description

flexconnect    Configures rogue containment for standalone FlexConnect APs.
auto-rate      Configures automatic rate selection for rogue containment.
enable         Enables the rogue containment.
disable        Disables the rogue containment.

Command Default

None

Command History

Release    Modification
7.5        This command was introduced.

Usage Guidelines

The following table lists the rogue containment automatic rate selection details.

Table 8: Rogue Containment Automatic Rate Selection

RSSI (dBm)    802.11b/g Tx Rate (Mbps)    802.11a Tx Rate (Mbps)
–74           1                           6
–70           2                           12
–55           5.5                         12
< –40         5.5                         18

Examples

The following example shows how to enable automatic rate selection for rogue containment:

(Cisco Controller) > config rogue containment auto-rate enable

config rogue detection

To enable or disable rogue detection, use the config rogue detection command.

Note: If an AP itself is configured with the keyword all, the all access points case takes precedence over the AP that is configured with the keyword all.

config rogue detection {enable | disable} {cisco_ap | all}

Syntax Description

enable      Enables rogue detection on this access point.
disable     Disables rogue detection on this access point.
cisco_ap    Cisco access point.
all         Specifies all access points.

Command Default

The default rogue detection value is enabled.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

Rogue detection is enabled by default for all access points joined to the controller except for OfficeExtend access points. OfficeExtend access points are deployed in a home environment and are likely to detect a large number of rogue devices.

Examples

The following example shows how to enable rogue detection on the access point Cisco_AP:

(Cisco Controller) > config rogue detection enable Cisco_AP

Related Commands

config rogue rule
config trapflags rogueap
show rogue client detailed
show rogue client summary
show rogue ignore-list
show rogue rule detailed
show rogue rule summary

config rogue detection client-threshold

To configure the rogue client threshold for access points, use the config rogue detection client-threshold command.

config rogue detection client-threshold value

Syntax Description

value    Threshold rogue client count on an access point after which a trap is sent from the Cisco Wireless LAN Controller (WLC). The range is from 1 to 256. Enter 0 to disable the feature.

Command Default

The default rogue client threshold is 0.

Command History

Release    Modification
7.5        This command was introduced.

Examples

The following example shows how to configure the rogue client threshold:

(Cisco Controller) > config rogue detection client-threshold 200

config rogue detection min-rssi

To configure the minimum Received Signal Strength Indicator (RSSI) value at which APs can detect rogues and create a rogue entry in the controller, use the config rogue detection min-rssi command.

config rogue detection min-rssi rssi-in-dBm

Syntax Description

rssi-in-dBm    Minimum RSSI value. The valid range is from –70 dBm to –128 dBm, and the default value is –128 dBm.

Command Default

The default RSSI value to detect rogues in APs is –128 dBm.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

This feature is applicable to all the AP modes.

There can be many rogues with very weak RSSI values that do not provide any valuable information in rogue analysis. Therefore, you can use this option to filter rogues by specifying the minimum RSSI value at which APs should detect rogues.

Examples

The following example shows how to configure the minimum RSSI value:

(Cisco Controller) > config rogue detection min-rssi -80

Related Commands

config rogue detection
show rogue ap clients
config rogue rule
config trapflags rogueap
show rogue client detailed
show rogue client summary
show rogue ignore-list
show rogue rule detailed
show rogue rule summary

config rogue detection monitor-ap

To configure the rogue report interval for all monitor mode Cisco APs, use the config rogue detection monitor-ap command.

config rogue detection monitor-ap {report-interval | transient-rogue-interval} time-in-seconds

Syntax Description

report-interval             Specifies the interval at which rogue reports are sent.
transient-rogue-interval    Specifies the interval at which rogues are consistently scanned for by APs after the first time the rogues are scanned.
time-in-seconds             Time in seconds. The valid range is as follows:
                            • 10 to 300 for report-interval
                            • 120 to 1800 for transient-rogue-interval

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

This feature is applicable to APs that are in monitor mode only.

Using the transient interval values, you can control the time interval at which APs should scan for rogues. APs can also filter the rogues based on their transient interval values.

This feature has the following advantages:

• Rogue reports from APs to the controller are shorter.

• Transient rogue entries are avoided in the controller.

• Unnecessary memory allocation for transient rogues is avoided.

Examples

The following example shows how to configure the rogue report interval to 60 seconds:

(Cisco Controller) > config rogue detection monitor-ap report-interval 60

The following example shows how to configure the transient rogue interval to 300 seconds:

(Cisco Controller) > config rogue detection monitor-ap transient-rogue-interval 300

Related Commands

config rogue detection
config rogue detection min-rssi
config rogue rule
config trapflags rogueap
show rogue ap clients
show rogue client detailed
show rogue client summary
show rogue ignore-list
show rogue rule detailed
show rogue rule summary

config rogue detection report-interval

To configure the rogue detection report interval, use the config rogue detection report-interval command.

config rogue detection report-interval time

Syntax Description

time    Time interval, in seconds, at which the access points send the rogue detection report to the controller. The range is from 10 to 300.

Command Default

The default rogue detection report interval is 10 seconds.

Command History

Release    Modification
7.5        This command was introduced.

Usage Guidelines

This feature is applicable only to the access points that are in the monitor mode.

Examples

The following example shows how to configure the rogue detection report interval:

(Cisco Controller) > config rogue detection report-interval 60

config rogue detection security-level

To configure the rogue detection security level, use the config rogue detection security-level command.

config rogue detection security-level {critical | custom | high | low}

Syntax Description

critical    Configures the rogue detection security level to critical.
custom      Configures the rogue detection security level to custom, and allows you to configure the rogue policy parameters.
high        Configures the rogue detection security level to high. This security level configures basic rogue detection and auto containment for medium-scale or less critical deployments. The Rogue Location Discovery Protocol (RLDP) is disabled for this security level.
low         Configures the rogue detection security level to low. This security level configures basic rogue detection for small-scale deployments. Auto containment is not supported for this security level.

Command Default

The default rogue detection security level is custom.

Command History

Release    Modification
7.5        This command was introduced.

Examples

The following example shows how to configure the rogue detection security level to high:

(Cisco Controller) > config rogue detection security-level high

config rogue detection transient-rogue-interval

To configure the rogue-detection transient interval, use the config rogue detection transient-rogue-interval command.

config rogue detection transient-rogue-interval time

Syntax Description

time    Time interval, in seconds, at which a rogue should be consistently scanned by the access point after the rogue is scanned for the first time. The range is from 120 to 1800.

Command Default

The default rogue-detection transient interval for each security level is as follows:

• Low—120 seconds

• High—300 seconds

• Critical—600 seconds

Command History

Release    Modification
7.5        This command was introduced.

Usage Guidelines

This feature applies only to the access points that are in the monitor mode.

After the rogue is scanned consistently, updates are sent periodically to the Cisco Wireless LAN Controller

(WLC). The access points filter the active transient rogues for a very short period and are then silent.

Examples

The following example shows how to configure the rogue detection transient interval:

(Cisco Controller) >

config rogue detection transient-rogue-interval 200


config rogue rule

To add and configure rogue classification rules, use the config rogue rule command.

config rogue rule {add ap priority priority classify {custom severity-score classification-name | friendly | malicious} notify {all | global | none | local} state {alert | contain | delete | internal | external} rule_name | classify {custom severity-score classification-name | friendly | malicious} rule_name | condition ap {set | delete} condition_type condition_value rule_name | {enable | delete | disable} {all | rule_name} | match {all | any} | priority priority | notify {all | global | none | local} rule_name | state {alert | contain | internal | external} rule_name}

Syntax Description

add ap priority: Adds a rule with match any criteria and the priority that you specify.
priority: Priority of this rule within the list of rules.
classify: Specifies the classification of a rule.
custom: Classifies devices matching the rule as custom.
severity-score: Custom classification severity score of the rule. The range is from 1 to 100.
classification-name: Custom classification name. The name can be up to 32 case-sensitive, alphanumeric characters.
friendly: Classifies a rule as friendly.
malicious: Classifies a rule as malicious.
notify: Configures type of notification upon rule match.
all: Notifies the controller and a trap receiver such as Cisco Prime Infrastructure.
global: Notifies only a trap receiver such as Cisco Prime Infrastructure.
local: Notifies only the controller.
none: Notifies neither the controller nor a trap receiver such as Cisco Prime Infrastructure.
state: Configures state of the rogue access point after a rule match.
alert: Configures alert state on the rogue access point that is not in the neighbor list or in the user configured friendly MAC list. The controller forwards an immediate alert to the system administrator for further action.
contain: Configures contain state on the rogue access point. Controller contains the offending device so that its signals no longer interfere with authorized clients.
delete: Configures delete state on the rogue access point.
external: Configures external state on the rogue access point that is outside the network and poses no threat to WLAN security. The controller acknowledges the presence of this rogue access point.
internal: Configures alert state on rogue access point that is inside the network and poses no threat to WLAN security. The controller trusts this rogue access point.
rule_name: Rule to which the command applies, or the name of a new rule.
condition ap: Specifies the conditions for a rule that the rogue access point must meet.
set: Adds conditions to a rule that the rogue access point must meet.
delete: Removes conditions from a rule that the rogue access point must meet.
condition_type: Type of the condition to be configured. The condition types are listed below:
• client-count—Requires that a minimum number of clients be associated to a rogue access point. The valid range is 1 to 10 (inclusive).
• duration—Requires that a rogue access point be detected for a minimum period of time. The valid range is 0 to 3600 seconds (inclusive).
• managed-ssid—Requires that a rogue access point’s SSID be known to the controller.
• no-encryption—Requires that a rogue access point’s advertised WLAN does not have encryption enabled.
• rssi—Requires that a rogue access point have a minimum RSSI value. The range is from –95 to –50 dBm (inclusive).
• ssid—Requires that a rogue access point have a specific SSID.
• substring-ssid—Requires that a rogue access point have a substring of a user-configured SSID.
condition_value: Value of the condition. This value is dependent upon the condition_type. For instance, if the condition type is ssid, then the condition value is either the SSID name or all.
enable: Enables all rules or a single specific rule.
delete: Deletes all rules or a single specific rule.
disable: Disables all rules or a single specific rule.
match: Specifies whether a detected rogue access point must meet all or any of the conditions specified by the rule in order for the rule to be matched and the rogue access point to adopt the classification type of the rule.
all: Specifies all rules defined.
any: Specifies any rule meeting certain criteria.
priority: Changes the priority of a specific rule and shifts others in the list accordingly.

Command Default

No rogue rules are configured.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

For your changes to be effective, you must enable the rule. You can configure up to 64 rules.

Reclassification of rogue APs according to the RSSI condition of the rogue rule occurs only when the RSSI changes more than +/- 2 dBm of the configured RSSI value. Manual and automatic classification override custom rogue rules. Rules are applied to manually changed rogues if their class type changes to unclassified and state changes to alert. Adhoc rogues are classified and do not go to the pending state. You can have up to 50 classification types.

Examples

The following example shows how to create a rule called rule_1 with a priority of 1 and a classification as friendly.

(Cisco Controller) > config rogue rule add ap priority 1 classify friendly rule_1

The following example shows how to enable rule_1.

(Cisco Controller) > config rogue rule enable rule_1

The following example shows how to change the priority of the last command.

(Cisco Controller) > config rogue rule priority 2 rule_1

The following example shows how to change the classification of the last command.

(Cisco Controller) > config rogue rule classify malicious rule_1

The following example shows how to disable the last command.

(Cisco Controller) > config rogue rule disable rule_1

The following example shows how to delete SSID_2 from the user-configured SSID list in rule-5.

(Cisco Controller) > config rogue rule condition ap delete ssid ssid_2 rule-5

The following example shows how to create a custom rogue rule.

(Cisco Controller) > config rogue rule classify custom 1 VeryMalicious rule6


config rogue rule condition ap

To configure a condition of a rogue rule for rogue access points, use the config rogue rule condition ap command.

config rogue rule condition ap {set {client-count count | duration time | managed-ssid | no-encryption | rssi rssi | ssid ssid | substring-ssid substring-ssid} | delete {all | client-count | duration | managed-ssid | no-encryption | rssi | ssid | substring-ssid}} rule_name

Syntax Description

set: Configures conditions to a rule that the rogue access point must meet.
client-count: Enables a minimum number of clients to be associated to the rogue access point.
count: Minimum number of clients to be associated to the rogue access point. The range is from 1 to 10 (inclusive). For example, if the number of clients associated to a rogue access point is greater than or equal to the configured value, the access point is classified as malicious.
duration: Enables a rogue access point to be detected for a minimum period of time.
time: Minimum time period, in seconds, to detect the rogue access point. The range is from 0 to 3600.
managed-ssid: Enables a rogue access point’s SSID to be known to the controller.
no-encryption: Enables a rogue access point’s advertised WLAN to not have encryption enabled. If a rogue access point has encryption disabled, it is likely that more clients will try to associate to it.
rssi: Enables a rogue access point to have a minimum Received Signal Strength Indicator (RSSI) value.
rssi (value): Minimum RSSI value, in dBm, required for the access point. The range is from –95 to –50 (inclusive). For example, if the rogue access point has an RSSI that is greater than the configured value, the access point is classified as malicious.
ssid: Enables a rogue access point to have a specific SSID.
ssid (value): SSID of the rogue access point.
substring-ssid: Enables a rogue access point to have a substring of a user-configured SSID.
substring-ssid (value): Substring of a user-configured SSID. For example, if you have an SSID as ABCDE, you can specify the substring as ABCD or ABC. You can classify multiple SSIDs with matching patterns.
delete: Removes the conditions from a rule that a rogue access point must comply with.
all: Deletes all the rogue rule conditions.
rule_name: Rogue rule to which the command applies.

Command Default

The default value for RSSI is 0 dBm.

The default value for duration is 0 seconds.

The default value for client count is 0.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

You can configure up to 25 SSIDs per rogue rule. You can configure up to 25 SSID substrings per rogue rule.

Examples

The following example shows how to configure the RSSI rogue rule condition:

(Cisco Controller) > config rogue rule condition ap set rssi 50
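The rule model described for config rogue rule and config rogue rule condition ap (priority, match all/any, per-condition ranges, the enable requirement) can be checked offline before rules are pushed to a controller. The following Python is an added example, not Cisco code. It assumes that a lower priority number is evaluated first, that the first matching enabled rule wins, and that rules without conditions are skipped; the observation field names (clients, seen_seconds, encrypted) and the sample rules are constructed.

```python
from dataclasses import dataclass, field

# Value ranges and limits quoted from the command reference above.
RANGES = {"client-count": (1, 10), "duration": (0, 3600), "rssi": (-95, -50)}
MAX_RULES = 64            # "You can configure up to 64 rules."
MAX_SSIDS_PER_RULE = 25   # limit for both ssid and substring-ssid entries


@dataclass
class Rule:
    name: str
    priority: int
    classification: str        # "friendly", "malicious" or a custom name
    match: str = "any"         # "add ap priority" creates rules with match any
    enabled: bool = False      # a rule has no effect until it is enabled
    conditions: dict = field(default_factory=dict)


def validate(rules):
    """Return a list of problems; an empty list means the rule set is valid."""
    problems = []
    if len(rules) > MAX_RULES:
        problems.append(f"{len(rules)} rules exceed the limit of {MAX_RULES}")
    for r in rules:
        if r.match not in ("all", "any"):
            problems.append(f"{r.name}: match must be all or any")
        for ctype, value in r.conditions.items():
            if ctype in RANGES:
                lo, hi = RANGES[ctype]
                if not lo <= value <= hi:
                    problems.append(f"{r.name}: {ctype} {value} outside {lo}..{hi}")
            elif ctype in ("ssid", "substring-ssid"):
                if len(value) > MAX_SSIDS_PER_RULE:
                    problems.append(f"{r.name}: too many {ctype} entries")
            elif ctype not in ("managed-ssid", "no-encryption"):
                problems.append(f"{r.name}: unknown condition type {ctype}")
    return problems


def _condition_met(ctype, value, rogue, managed_ssids):
    """Evaluate one condition against one observed rogue access point."""
    if ctype == "client-count":
        return rogue["clients"] >= value
    if ctype == "duration":
        return rogue["seen_seconds"] >= value
    if ctype == "rssi":
        return rogue["rssi"] >= value
    if ctype == "managed-ssid":
        return rogue["ssid"] in managed_ssids
    if ctype == "no-encryption":
        return not rogue["encrypted"]
    if ctype == "ssid":
        return rogue["ssid"] in value
    if ctype == "substring-ssid":
        return any(sub in rogue["ssid"] for sub in value)
    return False


def classify(rules, rogue, managed_ssids=()):
    """Return (classification, rule_name) from the first enabled rule that matches."""
    for r in sorted(rules, key=lambda rule: rule.priority):
        if not r.enabled or not r.conditions:
            continue
        results = [_condition_met(c, v, rogue, managed_ssids)
                   for c, v in r.conditions.items()]
        if all(results) if r.match == "all" else any(results):
            return r.classification, r.name
    return "unclassified", None


# Constructed sample rule set (not taken from a real controller).
RULES = [
    Rule("spoofed_corp", 1, "malicious", match="all", enabled=True,
         conditions={"managed-ssid": True, "rssi": -70}),
    Rule("open_nearby", 2, "malicious", match="all", enabled=True,
         conditions={"no-encryption": True, "client-count": 1, "duration": 300}),
    Rule("neighbor_cafe", 3, "friendly", match="any", enabled=True,
         conditions={"substring-ssid": ["CafeGuest"]}),
    Rule("draft_rule", 4, "malicious", enabled=False, conditions={"rssi": -95}),
]
MANAGED = {"CorpWiFi"}   # SSIDs the controller itself serves (constructed)
```

Running validate on a rule that carries rssi 50 reports it as outside the documented range of –95 to –50, and the disabled draft_rule never classifies anything, which mirrors the usage guideline that a rule must be enabled to take effect.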


config remote-lan session-timeout

To configure client session timeout, use the config remote-lan session-timeout command.

config remote-lan session-timeout remote-lan-id seconds

Syntax Description

remote-lan-id: Remote LAN identifier. Valid values are between 1 and 512.
seconds: Timeout or session duration in seconds. A value of zero is equivalent to no timeout.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the client session timeout to 6000 seconds for a remote LAN with ID 1:

(Cisco Controller) > config remote-lan session-timeout 1 6000


config rfid auto-timeout

To configure an automatic timeout of radio frequency identification (RFID) tags, use the config rfid auto-timeout command.

config rfid auto-timeout {enable | disable}

Syntax Description

enable: Enables an automatic timeout.
disable: Disables an automatic timeout.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable an automatic timeout of RFID tags:

(Cisco Controller) > config rfid auto-timeout enable

Related Commands

show rfid summary
config rfid status
config rfid timeout


config rfid status

To configure radio frequency identification (RFID) tag data tracking, use the config rfid status command.

config rfid status {enable | disable}

Syntax Description

enable: Enables RFID tag tracking.
disable: Disables RFID tag tracking.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure RFID tag tracking settings:

(Cisco Controller) > config rfid status enable

Related Commands

show rfid summary
config rfid auto-timeout
config rfid timeout


config rfid timeout

To configure a static radio frequency identification (RFID) tag data timeout, use the config rfid timeout command.

config rfid timeout seconds

Syntax Description

seconds: Timeout in seconds (from 60 to 7200).

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure a static RFID tag data timeout of 60 seconds:

(Cisco Controller) > config rfid timeout 60

Related Commands

show rfid summary
config rfid statistics


config rogue ap timeout

To specify the number of seconds after which the rogue access point and client entries expire and are removed from the list, use the config rogue ap timeout command.

config rogue ap timeout seconds

Syntax Description

seconds: Value of 240 to 3600 seconds (inclusive), with a default value of 1200 seconds.

Command Default

The default number of seconds after which the rogue access point and client entries expire is 1200 seconds.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to set an expiration time for entries in the rogue access point and client list to 2400 seconds:

(Cisco Controller) > config rogue ap timeout 2400

Related Commands

config rogue ap classify
config rogue ap friendly
config rogue ap rldp
config rogue ap ssid
config rogue rule
config trapflags rogueap
show rogue ap clients
show rogue ap detailed
show rogue ap summary
show rogue ap friendly summary
show rogue ap malicious summary
show rogue ap unclassified summary
show rogue ignore-list
show rogue rule detailed
show rogue rule summary


config route add

To configure a network route from the service port to a dedicated workstation IP address range, use the config route add command.

config route add ip_address netmask gateway

Syntax Description

ip_address: Network IP address.
netmask: Subnet mask for the network.
gateway: IP address of the gateway for the route network.

Command Default

None

Usage Guidelines

As of Release 7.6, ip_address supports only IPv4 addresses.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.
           This command supports only IPv4 address format.

Examples

The following example shows how to configure a network route to a dedicated workstation IP address 10.1.1.0, subnet mask 255.255.255.0, and gateway 10.1.1.1:

(Cisco Controller) > config route add 10.1.1.0 255.255.255.0 10.1.1.1


config route delete

To remove a network route from the service port, use the config route delete command.

config route delete ip_address

Syntax Description

ip_address: Network IP address.

Command Default

None

Usage Guidelines

As of Release 7.6, ip_address supports only IPv4 addresses.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.
8.0        This command supports only IPv6 address format.

Examples

The following example shows how to delete a route from the network IP address 10.1.1.0:

(Cisco Controller) > config route delete 10.1.1.0


config serial baudrate

To set the serial port baud rate, use the config serial baudrate command.

config serial baudrate {1200 | 2400 | 4800 | 9600 | 19200 | 38400 | 57600}

Syntax Description

1200: Specifies a connection speed of 1200.
2400: Specifies a connection speed of 2400.
4800: Specifies a connection speed of 4800.
9600: Specifies a connection speed of 9600.
19200: Specifies a connection speed of 19200.
38400: Specifies a connection speed of 38400.
57600: Specifies a connection speed of 57600.

Command Default

The default serial port baud rate is 9600.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure a serial baud rate with the default connection speed of 9600:

(Cisco Controller) > config serial baudrate 9600


config serial timeout

To set the timeout of a serial port session, use the config serial timeout command.

config serial timeout minutes

Syntax Description

minutes: Timeout in minutes from 0 to 160. A value of 0 indicates no timeout.

Command Default

0 (no timeout)

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

Use this command to set the timeout for a serial connection to the front of the Cisco wireless LAN controller from 0 to 160 minutes where 0 is no timeout.

Examples

The following example shows how to configure the timeout of a serial port session to 10 minutes:

(Cisco Controller) > config serial timeout 10


config service timestamps

To enable or disable time stamps in message logs, use the config service timestamps command.

config service timestamps {debug | log} {datetime | disable}

Syntax Description

debug: Configures time stamps in debug messages.
log: Configures time stamps in log messages.
datetime: Specifies to time-stamp message logs with the standard date and time.
disable: Specifies to prevent message logs being time-stamped.

Command Default

By default, the time stamps in message logs are disabled.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure time-stamp message logs with the standard date and time:

(Cisco Controller) > config service timestamps log datetime

The following example shows how to prevent message logs being time-stamped:

(Cisco Controller) > config service timestamps debug disable

Related Commands

show logging


config sessions maxsessions

To configure the number of Telnet CLI sessions allowed by the Cisco wireless LAN controller, use the config sessions maxsessions command.

config sessions maxsessions session_num

Syntax Description

session_num: Number of sessions from 0 to 5.

Command Default

The default number of Telnet CLI sessions allowed by the Cisco WLC is 5.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

Up to five sessions are possible while a setting of zero prohibits any Telnet CLI sessions.

Examples

The following example shows how to configure the number of allowed CLI sessions to 2:

(Cisco Controller) > config sessions maxsessions 2

Related Commands

show sessions


config sessions timeout

To configure the inactivity timeout for Telnet CLI sessions, use the config sessions timeout command.

config sessions timeout timeout

Syntax Description

timeout: Timeout of Telnet session in minutes (from 0 to 160). A value of 0 indicates no timeout.

Command Default

The default inactivity timeout for Telnet CLI sessions is 5 minutes.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the inactivity timeout for Telnet sessions to 20 minutes:

(Cisco Controller) > config sessions timeout 20

Related Commands

show sessions


config slot

To configure various slot parameters, use the config slot command.

config slot slot_id {enable | disable | channel ap | chan_width | txpower ap | antenna extAntGain antenna_gain | rts} cisco_ap

Syntax Description

slot_id: Slot downlink radio to which the channel is assigned. Beginning in Release 7.5 and later releases, you can configure 802.11a on slot 1 and 802.11ac on slot 2.
enable: Enables the slot.
disable: Disables the slot.
channel: Configures the channel for the slot.
ap: Configures one 802.11a Cisco access point.
chan_width: Configures channel width for the slot.
txpower: Configures Tx power for the slot.
antenna: Configures the 802.11a antenna.
extAntGain: Configures the 802.11a external antenna gain.
antenna_gain: External antenna gain value in .5 dBi units (such as 2.5 dBi = 5).
rts: Configures RTS/CTS for an access point.
cisco_ap: Name of the Cisco access point on which the channel is configured.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable slot 3 for the access point abc:

(Cisco Controller) > config slot 3 enable abc

The following example shows how to configure RTS for the access point abc:

(Cisco Controller) > config slot 2 rts abc


config switchconfig boot-break

To enable or disable the breaking into boot prompt by pressing the Esc key at system startup, use the config switchconfig boot-break command.

config switchconfig boot-break {enable | disable}

Syntax Description

enable: Enables the breaking into boot prompt by pressing the Esc key at system startup.
disable: Disables the breaking into boot prompt by pressing the Esc key at system startup.

Command Default

By default, the breaking into boot prompt by pressing the Esc key at system startup is disabled.

Usage Guidelines

You must enable the features that are prerequisites for the Federal Information Processing Standard (FIPS) mode before enabling or disabling the breaking into boot prompt.

Examples

The following example shows how to enable the breaking into boot prompt by pressing the Esc key at system startup:

(Cisco Controller) > config switchconfig boot-break enable

Related Commands

show switchconfig
config switchconfig flowcontrol
config switchconfig mode
config switchconfig secret-obfuscation
config switchconfig fips-prerequisite
config switchconfig strong-pwd


config switchconfig fips-prerequisite

To enable or disable the features that are prerequisites for the Federal Information Processing Standard (FIPS) mode, use the config switchconfig fips-prerequisite command.

config switchconfig fips-prerequisite {enable | disable}

Syntax Description

enable: Enables the features that are prerequisites for the FIPS mode.
disable: Disables the features that are prerequisites for the FIPS mode.

Command Default

By default, the features that are prerequisites for the FIPS mode are disabled.

Usage Guidelines

You must configure the FIPS authorization secret before you can enable or disable the FIPS prerequisite features.

Examples

The following example shows how to enable the features that are prerequisites for the FIPS mode:

(Cisco Controller) > config switchconfig fips-prerequisite enable

Related Commands

show switchconfig
config switchconfig flowcontrol
config switchconfig mode
config switchconfig secret-obfuscation
config switchconfig boot-break
config switchconfig strong-pwd


config switchconfig ucapl

To configure US Department of Defense (DoD) Unified Capabilities Approved Product List (APL) certification on the controller, use the config switchconfig ucapl command.

config switchconfig ucapl {enable | disable}

Syntax Description

enable: Enables UCAPL on the controller.
disable: Disables UCAPL on the controller.

Command Default

None

Command History

Release    Modification
8.0        This command was introduced.

Examples

The following example shows how to enable UCAPL on the controller:

(Cisco Controller) > config switchconfig ucapl enable


config switchconfig wlancc

To configure WLAN Common Criteria (CC) on the controller, use the config switchconfig wlancc command.

config switchconfig wlancc {enable | disable}

Syntax Description

enable: Enables WLAN CC on the controller.
disable: Disables WLAN CC on the controller.

Command Default

None

Command History

Release    Modification
8.0        This command was introduced.

Examples

The following example shows how to enable WLAN CC on the controller:

(Cisco Controller) > config switchconfig wlancc enable


config switchconfig strong-pwd

To enable or disable your controller to check the strength of newly created passwords, use the config switchconfig strong-pwd command.

config switchconfig strong-pwd {case-check | consecutive-check | default-check | username-check | position-check | case-digit-check | minimum {upper-case | lower-case | digits | special-chars} no._of_characters | min-length | password_length | lockout {mgmtuser | snmpv3user | time | attempts} | lifetime {mgmtuser | snmpv3user} lifetime | all-checks} {enable | disable}

Syntax Description

case-check: Checks at least three combinations: lowercase characters, uppercase characters, digits, or special characters.
consecutive-check: Checks the occurrence of the same character three times.
default-check: Checks for default values or use of their variants.
username-check: Checks whether the username is specified or not.
position-check: Checks whether the password has a four-character change from the old password.
case-digit-check: Checks whether the password has all the four combinations: lower, upper, digits, or special characters.
minimum: Checks whether the password has a minimum number of upper case and lower case characters, digits, or special characters.
upper-case: Checks whether the password has a minimum number of upper case characters.
lower-case: Checks whether the password has a minimum number of lower case characters.
digits: Checks whether the password has a minimum number of digits.
special-chars: Checks whether the password has a minimum number of special characters.
min-length: Configures the minimum length for the password.
password_length: Minimum length for the password. The range is from 3 to 24 case-sensitive characters.
lockout: Configures the lockout feature for a management user or Simple Network Management Protocol version 3 (SNMPv3) user.
mgmtuser: Locks out a management user when the number of successive failed attempts exceeds the management user lockout attempts.
snmpv3user: Locks out an SNMPv3 user when the number of successive failed attempts exceeds the SNMPv3 user lockout attempts.
time: Configures the time duration after the lockout attempts when the management user or SNMPv3 user is locked.
attempts: Configures the number of successive incorrect password attempts after which the management user or SNMPv3 user is locked.
lifetime: Configures the number of days before the management user or SNMPv3 user requires a change of password due to the age of the password.
mgmtuser: Configures the number of days before the management user requires a change of password due to the password age.
snmpv3user: Configures the number of days before the SNMPv3 user requires a change of password due to the age of the password.
lifetime (value): Number of days before the management user or SNMPv3 user requires a change of password due to the age of the password.
all-checks: Checks all the cases.
enable: Enables a strong password check for the access point and Cisco WLC.
disable: Disables a strong password check for the access point and Cisco WLC.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable the Strong Password Check feature:

(Cisco Controller) > config switchconfig strong-pwd case-check enable

Related Commands

show switchconfig
config switchconfig flowcontrol
config switchconfig mode
config switchconfig secret-obfuscation
config switchconfig fips-prerequisite
config switchconfig boot-break
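To pre-screen candidate management passwords against the strong-pwd checks described above, the following Python is an added example and is not the controller's implementation. It assumes that consecutive-check means three identical characters in a row, that username-check rejects passwords containing the username, and that position-check counts differing character positions against the old password; default-check, lockout and lifetime are not modeled, and the sample policy and passwords are constructed.

```python
import string

# Character classes named by the "minimum" keywords in the syntax description.
CLASSES = {
    "upper-case": string.ascii_uppercase,
    "lower-case": string.ascii_lowercase,
    "digits": string.digits,
    "special-chars": string.punctuation,
}
MIN_LENGTH_RANGE = (3, 24)   # range given for password_length above


def class_counts(password):
    """Count how many characters of each class the password contains."""
    return {name: sum(ch in chars for ch in password)
            for name, chars in CLASSES.items()}


def check_password(password, policy, username="", old_password=""):
    """Return the names of the enabled checks that the password fails."""
    counts = class_counts(password)
    used = sum(1 for n in counts.values() if n > 0)
    failed = []
    # case-check: at least three of the four character classes.
    if policy.get("case-check") and used < 3:
        failed.append("case-check")
    # case-digit-check: all four character classes.
    if policy.get("case-digit-check") and used < 4:
        failed.append("case-digit-check")
    # consecutive-check (assumed meaning): no character three times in a row.
    if policy.get("consecutive-check") and any(
            password[i] == password[i + 1] == password[i + 2]
            for i in range(len(password) - 2)):
        failed.append("consecutive-check")
    # username-check (assumed meaning): the password must not contain the username.
    if (policy.get("username-check") and username
            and username.lower() in password.lower()):
        failed.append("username-check")
    # position-check (assumed meaning): at least four positions differ from the old one.
    if policy.get("position-check") and old_password:
        changed = sum(a != b for a, b in zip(password, old_password))
        changed += abs(len(password) - len(old_password))
        if changed < 4:
            failed.append("position-check")
    # minimum {upper-case | lower-case | digits | special-chars} count.
    for name, needed in policy.get("minimum", {}).items():
        if counts[name] < needed:
            failed.append(f"minimum {name}")
    min_len = policy.get("min-length")
    if min_len is not None:
        lo, hi = MIN_LENGTH_RANGE
        if not lo <= min_len <= hi:
            raise ValueError(f"min-length must be {lo}..{hi}")
        if len(password) < min_len:
            failed.append("min-length")
    return failed


# Constructed sample policy.
POLICY = {"case-check": True, "consecutive-check": True, "username-check": True,
          "position-check": True, "minimum": {"digits": 2}, "min-length": 10}
```

A password that only increments a trailing year passes every class and length check and is caught solely by position-check, which is the case the four-character-change rule exists for.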


config switchconfig flowcontrol

To enable or disable 802.3x flow control, use the config switchconfig flowcontrol command.

config switchconfig flowcontrol {enable | disable}

Syntax Description

enable: Enables 802.3x flow control.
disable: Disables 802.3x flow control.

Command Default

By default, 802.3x flow control is disabled.

Examples

The following example shows how to enable 802.3x flow control on Cisco wireless LAN controller parameters:

(Cisco Controller) > config switchconfig flowcontrol enable

Related Commands

show switchconfig


config switchconfig mode

To configure Lightweight Access Port Protocol (LWAPP) transport mode for Layer 2 or Layer 3, use the config switchconfig mode command.

config switchconfig mode {L2 | L3}

Syntax Description

L2: Specifies Layer 2 as the transport mode.
L3: Specifies Layer 3 as the transport mode.

Command Default

The default transport mode is L3.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure LWAPP transport mode to Layer 3:

(Cisco Controller) > config switchconfig mode L3

Related Commands

show switchconfig


config switchconfig secret-obfuscation

To enable or disable secret obfuscation, use the config switchconfig secret-obfuscation command.

config switchconfig secret-obfuscation {enable | disable}

Syntax Description

enable: Enables secret obfuscation.
disable: Disables secret obfuscation.

Command Default

Secrets and user passwords are obfuscated in the exported XML configuration file.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

To keep the secret contents of your configuration file secure, do not disable secret obfuscation. To further enhance the security of the configuration file, enable configuration file encryption.

Examples

The following example shows how to enable secret obfuscation:

(Cisco Controller) > config switchconfig secret-obfuscation enable

Related Commands

show switchconfig


config sysname

To set the Cisco wireless LAN controller system name, use the config sysname command.

config sysname name

Syntax Description

name: System name. The name can contain up to 31 alphanumeric characters.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the system named Ent_01:

(Cisco Controller) > config sysname Ent_01

Related Commands

show sysinfo

config snmp community accessmode

To modify the access mode (read only or read/write) of an SNMP community, use the config snmp community accessmode command.

config snmp community accessmode {ro | rw} name

Syntax Description

ro      Specifies a read-only mode.
rw      Specifies a read/write mode.
name    SNMP community name.

Command Default

Two communities are provided by default with the following settings:

SNMP Community Name  Client IP Address  Client IP Mask  Access Mode  Status
-------------------  -----------------  --------------  -----------  ------
public               0.0.0.0            0.0.0.0         Read Only    Enable
private              0.0.0.0            0.0.0.0         Read/Write   Enable

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure read/write access mode for the SNMP community named private:

(Cisco Controller) > config snmp community accessmode rw private

Related Commands

show snmp community
config snmp community mode
config snmp community create
config snmp community delete
config snmp community ipaddr

config snmp community create

To create a new SNMP community, use the config snmp community create command.

config snmp community create name

Syntax Description

name    SNMP community name of up to 16 characters.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

Use this command to create a new community with the default configuration.

Examples

The following example shows how to create a new SNMP community named test:

(Cisco Controller) > config snmp community create test

Related Commands

show snmp community
config snmp community mode
config snmp community accessmode
config snmp community delete
config snmp community ipaddr

config snmp community delete

To delete an SNMP community, use the config snmp community delete command.

config snmp community delete name

Syntax Description

name    SNMP community name.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to delete an SNMP community named test:

(Cisco Controller) > config snmp community delete test

Related Commands

show snmp community
config snmp community mode
config snmp community accessmode
config snmp community create
config snmp community ipaddr

config snmp community ipaddr

To configure the IPv4 or IPv6 address of an SNMP community, use the config snmp community ipaddr command.

config snmp community ipaddr IP addr IPv4 mask/IPv6 Prefix length name

Syntax Description

IP addr                         SNMP community IPv4 or IPv6 address.
IPv4 mask/IPv6 Prefix length    SNMP community IP mask (IPv4 mask or IPv6 Prefix length). The IPv6 prefix length is from 0 to 128.
name                            SNMP community name.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.
8.0        This command supports both IPv4 and IPv6 address formats.

Usage Guidelines

• This command is applicable for both IPv4 and IPv6 addresses.
• This command is not applicable for the default SNMP communities (public, private).

Examples

The following example shows how to configure an SNMP community with the IPv4 address 10.10.10.10, IPv4 mask 255.255.255.0, and SNMP community named comaccess:

(Cisco Controller) > config snmp community ipaddr 10.10.10.10 255.255.255.0 comaccess

The following example shows how to configure an SNMP community with the IPv6 address 2001:9:2:16::1, IPv6 prefix length 64, and SNMP community named comaccess:

(Cisco Controller) > config snmp community ipaddr 2001:9:2:16::1 64 comaccess

config snmp community mode

To enable or disable an SNMP community, use the config snmp community mode command.

config snmp community mode {enable | disable} name

Syntax Description

enable     Enables the community.
disable    Disables the community.
name       SNMP community name.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to disable the SNMP community named public:

(Cisco Controller) > config snmp community mode disable public

Related Commands

show snmp community
config snmp community delete
config snmp community accessmode
config snmp community create
config snmp community ipaddr

config snmp engineID

To configure the SNMP engine ID, use the config snmp engineID command.

config snmp engineID {engine_id | default}

Syntax Description

engine_id    Engine ID in hexadecimal characters (a minimum of 10 and a maximum of 24 characters are allowed).
default      Restores the default engine ID.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

The SNMP engine ID is a unique string used to identify the device for administration purposes. You do not need to specify an engine ID for the device because a default string is automatically generated using Cisco’s enterprise number and the MAC address of the first interface on the device.

If you change the engine ID, then a reboot is required for the change to take effect.

Caution: If you change the value of the SNMP engine ID, then the password of the user entered on the command line is converted to an MD5 (Message-Digest algorithm 5) or SHA (Secure Hash Algorithm) security digest. This digest is based on both the password and the local engine ID. The command line password is then deleted. Because of this deletion, if the local value of the engine ID changes, the security digests of the SNMP users will become invalid, and the users will have to be reconfigured.

Examples

The following example shows how to configure the SNMP engine ID with the value fffffffffff:

(Cisco Controller) > config snmp engineID fffffffffff

Related Commands

show snmpengineID
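The caution for config snmp engineID says the stored digest depends on both the password and the local engine ID. The following added example (not taken from the Cisco documentation) shows why a changed engine ID invalidates it, assuming the controller uses the standard RFC 3414 password-to-key localization; the password and the two engine ID values in the demo are constructed.

```python
import hashlib
import hmac

EXPANDED_LENGTH = 1048576  # RFC 3414 A.2: hash exactly 2**20 bytes of repeated password


def password_to_key(password: bytes, algorithm: str) -> bytes:
    """Derive the engine-independent user key Ku from a password."""
    if not password:
        raise ValueError("password must not be empty")
    repeats, remainder = divmod(EXPANDED_LENGTH, len(password))
    return hashlib.new(algorithm, password * repeats + password[:remainder]).digest()


def localize_key(password: bytes, engine_id: bytes, algorithm: str = "sha1") -> bytes:
    """Bind Ku to one SNMP engine: Kul = H(Ku || engineID || Ku)."""
    ku = password_to_key(password, algorithm)
    return hashlib.new(algorithm, ku + engine_id + ku).digest()


def digest_survives_engine_id_change(password: bytes, old_engine_id: bytes,
                                     new_engine_id: bytes, algorithm: str = "sha1") -> bool:
    """Compare the digest the device kept with the one a manager derives afterwards."""
    stored = localize_key(password, old_engine_id, algorithm)     # kept by the device
    expected = localize_key(password, new_engine_id, algorithm)   # derived against the new ID
    return hmac.compare_digest(stored, expected)


if __name__ == "__main__":
    # Constructed values: a 10-hex-character engine ID (the documented minimum
    # length) before and after an administrator changes it.
    password = b"constructed-auth-passphrase"
    old_id = bytes.fromhex("0102030405")
    new_id = bytes.fromhex("0102030406")
    print("digest before:", localize_key(password, old_id).hex())
    print("digest after: ", localize_key(password, new_id).hex())
    print("still valid:  ", digest_survives_engine_id_change(password, old_id, new_id))
```

Because only the localized digest is kept and the cleartext password is deleted, the device cannot re-derive the digest for a new engine ID, which is why the users have to be reconfigured.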

config snmp syscontact

To set the SNMP system contact name, use the config snmp syscontact command.

config snmp syscontact contact

Syntax Description

contact    SNMP system contact name. Valid value can be up to 255 printable characters.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to set the SNMP system contact named Cisco WLAN Solution_administrator:

(Cisco Controller) > config snmp syscontact Cisco WLAN Solution_administrator

config snmp syslocation

To configure the SNMP system location name, use the config snmp syslocation command.

config snmp syslocation location

Syntax Description

location    SNMP system location name. Valid value can be up to 255 printable characters.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the SNMP system location name to Building_2a:

(Cisco Controller) > config snmp syslocation Building_2a

config snmp trapreceiver create

To configure a server to receive SNMP traps, use the config snmp trapreceiver create command.

config snmp trapreceiver create name IP addr

Syntax Description

name       SNMP community name. The name can contain up to 31 characters.
IP addr    Configure the IPv4 or IPv6 address of where to send SNMP traps.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.
8.0        This command supports both IPv4 and IPv6 address formats.

Usage Guidelines

The IPv4 or IPv6 address must be valid for the command to add the new server.

Examples

The following example shows how to add a new SNMP trap receiver with the SNMP trap receiver named test and IP address 10.1.1.1:

(Cisco Controller) > config snmp trapreceiver create test 10.1.1.1

The following example shows how to add a new SNMP trap receiver with the SNMP trap receiver named test and IP address 2001:10:1:1::1:

(Cisco Controller) > config snmp trapreceiver create test 2001:10:1:1::1

config snmp trapreceiver delete

To delete a server from the trap receiver list, use the config snmp trapreceiver delete command.

config snmp trapreceiver delete name

Syntax Description

name    SNMP community name. The name can contain up to 16 characters.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to delete a server named test from the SNMP trap receiver list:

(Cisco Controller) > config snmp trapreceiver delete test

Related Commands

show snmp trap

config snmp trapreceiver mode

To send or disable sending traps to a selected server, use the config snmp trapreceiver mode command.

config snmp trapreceiver mode {enable | disable} name

Syntax Description

enable     Enables an SNMP trap receiver.
disable    Disables an SNMP trap receiver.
name       SNMP community name.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

This command enables or disables the Cisco wireless LAN controller from sending the traps to the selected server.

Examples

The following example shows how to disable an SNMP trap receiver from sending traps to a server named server1:

(Cisco Controller) > config snmp trapreceiver mode disable server1

Related Commands

show snmp trap

config snmp v3user create

To create a version 3 SNMP user, use the config snmp v3user create command.

config snmp v3user create username {ro | rw} {none | hmacmd5 | hmacsha} {none | des | aescfb128} [auth_key] [encrypt_key]

Syntax Description

username       Version 3 SNMP username.
ro             Specifies a read-only user privilege.
rw             Specifies a read-write user privilege.
none           Specifies if no authentication is required.
hmacmd5        Specifies Hashed Message Authentication Coding Message Digest 5 (HMAC-MD5) for authentication.
hmacsha        Specifies Hashed Message Authentication Coding-Secure Hashing Algorithm (HMAC-SHA) for authentication.
none           Specifies if no encryption is required.
des            Specifies to use Cipher Block Chaining-Digital Encryption Standard (CBC-DES) encryption.
aescfb128      Specifies to use Cipher Feedback Mode-Advanced Encryption Standard-128 (CFB-AES-128) encryption.
auth_key       (Optional) Authentication key for the HMAC-MD5 or HMAC-SHA authentication protocol.
encrypt_key    (Optional) Encryption key for the CBC-DES or CFB-AES-128 encryption protocol.

Command Default

SNMP v3 username      AccessMode     Authentication  Encryption
--------------------  -------------  --------------  ----------
default               Read/Write     HMAC-SHA        CFB-AES

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to add an SNMP username named test with read-only privileges and no encryption or authentication:

(Cisco Controller) > config snmp v3user create test ro none none

Related Commands

show snmpv3user

config snmp v3user delete

To delete a version 3 SNMP user, use the config snmp v3user delete command.

config snmp v3user delete username

Syntax Description

username    Username to delete.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to remove an SNMP user named test:

(Cisco Controller) > config snmp v3user delete test

Related Commands

show snmp v3user

config snmp version

To enable or disable selected SNMP versions, use the config snmp version command.

config snmp version {v1 | v2 | v3} {enable | disable}

Syntax Description

v1         Specifies an SNMP version to enable or disable.
v2         Specifies an SNMP version to enable or disable.
v3         Specifies an SNMP version to enable or disable.
enable     Enables a specified version.
disable    Disables a specified version.

Command Default

By default, all the SNMP versions are enabled.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable SNMP version v1:

(Cisco Controller) > config snmp version v1 enable

Related Commands

show snmpversion
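The SNMP and secret-obfuscation commands above can be replayed over their documented defaults to see what a change script still leaves exposed. The following is an added example, not Cisco code: a small Python model of those commands. The sample script, the finding labels, and the assumption that a newly created community starts read-only and disabled are made for the example.

```python
def baseline_state():
    """Defaults as listed in the Command Default sections of this reference."""
    return {
        "communities": {
            "public": {"access": "ro", "enabled": True},
            "private": {"access": "rw", "enabled": True},
        },
        "versions": {"v1": True, "v2": True, "v3": True},
        "v3users": {"default": {"access": "rw", "auth": "hmacsha", "priv": "aescfb128"}},
        "secret_obfuscation": True,
    }


def apply_command(state, line):
    """Apply one command to the model; return False for lines it does not model."""
    words = line.split(">", 1)[-1].split()  # drop a leading "(Cisco Controller) >" prompt
    comms, users = state["communities"], state["v3users"]
    if words[:3] == ["config", "snmp", "community"] and len(words) in (5, 6):
        action, args = words[3], words[4:]
        if action == "create" and len(args) == 1:
            # Assumption: a new community starts read-only and disabled.
            comms[args[0]] = {"access": "ro", "enabled": False}
        elif action == "delete" and len(args) == 1:
            comms.pop(args[0], None)
        elif action == "accessmode" and len(args) == 2 and args[0] in ("ro", "rw") and args[1] in comms:
            comms[args[1]]["access"] = args[0]
        elif action == "mode" and len(args) == 2 and args[0] in ("enable", "disable") and args[1] in comms:
            comms[args[1]]["enabled"] = args[0] == "enable"
        else:
            return False
        return True
    if (words[:3] == ["config", "snmp", "version"] and len(words) == 5
            and words[3] in state["versions"] and words[4] in ("enable", "disable")):
        state["versions"][words[3]] = words[4] == "enable"
        return True
    if words[:4] == ["config", "snmp", "v3user", "create"] and len(words) >= 8:
        name, access, auth, priv = words[4:8]
        users[name] = {"access": access, "auth": auth, "priv": priv}
        return True
    if words[:4] == ["config", "snmp", "v3user", "delete"] and len(words) == 5:
        users.pop(words[4], None)
        return True
    if (words[:3] == ["config", "switchconfig", "secret-obfuscation"]
            and len(words) == 4 and words[3] in ("enable", "disable")):
        state["secret_obfuscation"] = words[3] == "enable"
        return True
    return False


def findings(state):
    """Return (label, subject) pairs for settings a reviewer should look at."""
    out = []
    cleartext = [v for v in ("v1", "v2") if state["versions"][v]]
    if cleartext:  # community strings only matter while v1/v2 is enabled
        for name, comm in sorted(state["communities"].items()):
            if not comm["enabled"]:
                continue
            if name in ("public", "private"):
                out.append(("default-community", name))
            if comm["access"] == "rw":
                out.append(("rw-community", name))
    # SNMP v1 and v2 carry the community string unencrypted on the wire.
    out.extend(("cleartext-version", v) for v in cleartext)
    for name, user in sorted(state["v3users"].items()):
        if user["auth"] == "none":
            out.append(("v3-no-auth", name))
        if user["priv"] == "none":
            out.append(("v3-no-encryption", name))
    if not state["secret_obfuscation"]:
        out.append(("secret-obfuscation-off", "switchconfig"))
    return out


def audit(lines):
    """Replay a script over the defaults; return (findings, lines not modelled)."""
    state, skipped = baseline_state(), []
    for line in lines:
        if line.strip() and not apply_command(state, line):
            skipped.append(line.strip())
    return findings(state), skipped


# Constructed change script that uses only command forms shown in this reference.
SAMPLE_SCRIPT = [
    "(Cisco Controller) > config snmp community mode disable public",
    "config snmp community create test",
    "config snmp community accessmode rw test",
    "config snmp community mode enable test",
    "config snmp version v1 disable",
    "config snmp v3user create test ro none none",
    "config switchconfig secret-obfuscation disable",
    "config sysname Ent_01",
]

if __name__ == "__main__":
    report, skipped = audit(SAMPLE_SCRIPT)
    for label, subject in report:
        print(f"{label:24} {subject}")
    print("not modelled:", skipped)
```

On the sample script the model still reports the default private community, because the script disabled only public and left v2 enabled.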

config tacacs acct

To configure TACACS+ accounting server settings, use the config tacacs acct command.

config tacacs acct {add 1-3 IP addr port ascii/hex secret | delete 1-3 | disable 1-3 | enable 1-3 | server-timeout 1-3 seconds}

Syntax Description

add               Adds a new TACACS+ accounting server.
1-3               Specifies TACACS+ accounting server index from 1 to 3.
IP addr           Specifies IPv4 or IPv6 address of the TACACS+ accounting server.
port              Specifies TACACS+ Server's TCP port.
ascii/hex         Specifies type of TACACS+ server's secret being used (ASCII or HEX).
secret            Specifies secret key in ASCII or hexadecimal characters.
delete            Deletes a TACACS+ server.
disable           Disables a TACACS+ server.
enable            Enables a TACACS+ server.
server-timeout    Changes the default server timeout for the TACACS+ server.
seconds           Specifies the number of seconds before the TACACS+ server times out. The server timeout range is from 5 to 30 seconds.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.
8.0        This command supports both IPv4 and IPv6 address formats.

Examples

The following example shows how to add a new TACACS+ accounting server index 1 with the IPv4 address 10.0.0.0, port number 49, and secret key 12345678 in ASCII:

(Cisco Controller) > config tacacs acct add 1 10.0.0.0 49 ascii 12345678

The following example shows how to add a new TACACS+ accounting server index 1 with the IPv6 address 2001:9:6:40::623, port number 49, and secret key 12345678 in ASCII:

(Cisco Controller) > config tacacs acct add 1 2001:9:6:40::623 49 ascii 12345678

The following example shows how to configure the server timeout of 5 seconds for the TACACS+ accounting server:

(Cisco Controller) > config tacacs acct server-timeout 1 5

config tacacs athr

To configure TACACS+ authorization server settings, use the config tacacs athr command.

config tacacs athr {add 1-3 IP addr port ascii/hex secret | delete 1-3 | disable 1-3 | enable 1-3 | mgmt-server-timeout 1-3 seconds | server-timeout 1-3 seconds}

Syntax Description

add                                Adds a new TACACS+ authorization server (IPv4 or IPv6).
1-3                                TACACS+ server index from 1 to 3.
IP addr                            TACACS+ authorization server IP address (IPv4 or IPv6).
port                               TACACS+ server TCP port.
ascii/hex                          Type of secret key being used (ASCII or HEX).
secret                             Secret key in ASCII or hexadecimal characters.
delete                             Deletes a TACACS+ server.
disable                            Disables a TACACS+ server.
enable                             Enables a TACACS+ server.
mgmt-server-timeout 1-3 seconds    Changes the default management login server timeout for the server. The number of seconds before server times out is from 1 to 30 seconds.
server-timeout 1-3 seconds         Changes the default network login server timeout for the server. The number of seconds before server times out is from 5 to 30 seconds.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.
8.0        This command supports both IPv4 and IPv6 address formats.

Examples

The following example shows how to add a new TACACS+ authorization server index 1 with the IPv4 address 10.0.0.0, port number 49, and secret key 12345678 in ASCII:

(Cisco Controller) > config tacacs athr add 1 10.0.0.0 49 ascii 12345678

The following example shows how to add a new TACACS+ authorization server index 1 with the IPv6 address 2001:9:6:40::623, port number 49, and secret key 12345678 in ASCII:

(Cisco Controller) > config tacacs athr add 1 2001:9:6:40::623 49 ascii 12345678

The following example shows how to configure the retransmit timeout of 5 seconds for the TACACS+ authorization server:

(Cisco Controller) > config tacacs athr server-timeout 1 5

config tacacs athr mgmt-server-timeout

To configure a default TACACS+ authorization server timeout for management users, use the config tacacs athr mgmt-server-timeout command.

config tacacs athr mgmt-server-timeout index timeout

Syntax Description

index      TACACS+ authorization server index.
timeout    Timeout value. The range is 1 to 30 seconds.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure a default TACACS+ authorization server timeout for management users:

(Cisco Controller) > config tacacs athr mgmt-server-timeout 1 10

Related Commands

config tacacs athr

config tacacs auth

To configure TACACS+ authentication server settings, use the config tacacs auth command.

config tacacs auth {add 1-3 IP addr port ascii/hex secret | delete 1-3 | disable 1-3 | enable 1-3 | mgmt-server-timeout 1-3 seconds | server-timeout 1-3 seconds}

Syntax Description

add                                Adds a new TACACS+ authentication server.
1-3                                TACACS+ authentication server index from 1 to 3.
IP addr                            IP address for the TACACS+ authentication server.
port                               Controller port used for the TACACS+ authentication server.
ascii/hex                          Type of secret key being used (ASCII or HEX).
secret                             Secret key in ASCII or hexadecimal characters.
delete                             Deletes a TACACS+ server.
disable                            Disables a TACACS+ server.
enable                             Enables a TACACS+ server.
mgmt-server-timeout 1-3 seconds    Changes the default management login server timeout for the server. The number of seconds before server times out is from 1 to 30 seconds.
server-timeout 1-3 seconds         Changes the default network login server timeout for the server. The number of seconds before server times out is from 5 to 30 seconds.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.
8.0        This command supports both IPv4 and IPv6 address formats.

Examples

The following example shows how to add a new TACACS+ authentication server index 1 with the IPv4 address 10.0.0.3, port number 49, and secret key 12345678 in ASCII:

(Cisco Controller) > config tacacs auth add 1 10.0.0.3 49 ascii 12345678

The following example shows how to add a new TACACS+ authentication server index 1 with the IPv6 address 2001:9:6:40::623, port number 49, and secret key 12345678 in ASCII:

(Cisco Controller) > config tacacs auth add 1 2001:9:6:40::623 49 ascii 12345678

The following example shows how to configure the server timeout for the TACACS+ authentication server:

(Cisco Controller) > config tacacs auth server-timeout 1 5

config tacacs auth mgmt-server-timeout

To configure a default TACACS+ authentication server timeout for management users, use the config tacacs auth mgmt-server-timeout command.

config tacacs auth mgmt-server-timeout index timeout

Syntax Description

index      TACACS+ authentication server index.
timeout    Timeout value. The range is 1 to 30 seconds.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure a default TACACS+ authentication server timeout for management users:

(Cisco Controller) > config tacacs auth mgmt-server-timeout 1 10

Related Commands

config tacacs auth

config tacacs dns

To retrieve the TACACS IP information from a DNS server, use the config tacacs dns command.

config tacacs dns {global port {ascii | hex} secret | query url timeout | serverip ip_address | disable | enable}

Syntax Description

global        Configures the global port and secret to retrieve the TACACS IP information from a DNS server.
port          Port number for authentication. The range is from 1 to 65535. All the DNS servers should use the same authentication port.
ascii         Format of the shared secret that you should set to ASCII.
hex           Format of the shared secret that you should set to hexadecimal.
secret        TACACS server login secret.
query         Configures the fully qualified domain name (FQDN) of the TACACS server and DNS timeout.
url           FQDN of the TACACS server. The FQDN can be up to 63 case-sensitive, alphanumeric characters.
timeout       Maximum time that the Cisco Wireless LAN Controller (WLC) waits for, in days, before timing out a request and resending it. The range is from 1 to 180.
serverip      Configures the DNS server IP address.
ip_address    DNS server IP address.
disable       Disables the TACACS DNS feature. The default is disabled.
enable        Enables the Cisco WLC to retrieve the TACACS IP information from a DNS server.

Command Default

You cannot retrieve the TACACS IP information from a DNS server.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

The accounting port is derived from the authentication port. All the DNS servers should use the same secret. When you enable a DNS query, the static configurations will be overridden. The DNS list overrides the static AAA list.

Examples

The following example shows how to enable the TACACS DNS feature on the Cisco WLC:

(Cisco Controller) > config tacacs dns enable

config tacacs fallback-test interval

To configure the TACACS+ probing interval, use the config tacacs fallback-test interval command.

config tacacs fallback-test interval seconds

Syntax Description

seconds    TACACS+ probing interval in seconds. A value of 0 disables probing; otherwise the range is from 180 to 3600 seconds.

Command Default

None

Command History

Release    Modification
8.2        This command was introduced in this release.

Examples

The following example shows how to configure the TACACS+ probing interval:

(Cisco Controller) > config tacacs fallback-test interval 200

config time manual

To set the system time, use the config time manual command.

config time manual MM/DD/YY HH:MM:SS

Syntax Description

MM/DD/YY    Date.
HH:MM:SS    Time.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the system date to 04/04/2010 and time to 15:29:00:

(Cisco Controller) > config time manual 04/04/2010 15:29:00

Related Commands

show time

config time ntp

To set the Network Time Protocol (NTP), use the config time ntp command.

config time ntp {auth {enable server-index key-index | disable server-index} | interval interval | key-auth {add key-index md5 {ascii | hex} key | delete key-index} | server index IP Address}

Syntax Description

auth            Configures the NTP authentication.
enable          Enables the NTP authentication.
server-index    NTP server index.
key-index       Key index between 1 and 4294967295.
disable         Disables the NTP authentication.
interval        Configures the NTP polling interval.
interval        NTP polling interval in seconds. The range is from 3600 to 604800 seconds.
key-auth        Configures the NTP authentication key.
add             Adds an NTP authentication key.
md5             Specifies the authentication protocol.
ascii           Specifies the ASCII key type.
hex             Specifies the hexadecimal key type.
key             Specifies the ASCII key format with a maximum of 16 characters or the hexadecimal key format with a maximum of 32 digits.
delete          Deletes an NTP authentication key.
server          Configures the NTP servers.
IP Address      NTP server's IP address. Use 0.0.0.0 or :: to delete entry.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.
8.0        This command supports both IPv4 and IPv6 address formats.

Usage Guidelines

• To add the NTP server to the controller, use the config time ntp server index IP Address command.
• To delete the NTP server (IPv4) from the controller, use the config time ntp server index 0.0.0.0 command.
• To delete the NTP server (IPv6) from the controller, use the config time ntp server index :: command.
• To display the configured NTP servers on the controller, use the show time command.

Examples

The following example shows how to configure the NTP polling interval to 7000 seconds:

(Cisco Controller) > config time ntp interval 7000

The following example shows how to enable NTP authentication where the server index is 4 and the key index is 1:

(Cisco Controller) > config time ntp auth enable 4 1

The following example shows how to add an NTP authentication key of value ff where the key format is in hexadecimal characters and the key index is 1:

(Cisco Controller) > config time ntp key-auth add 1 md5 hex ff

The following example shows how to add an NTP authentication key of value ciscokey where the key format is in ASCII characters and the key index is 1:

(Cisco Controller) > config time ntp key-auth add 1 md5 ascii ciscokey

The following example shows how to add NTP servers and display the servers configured to controllers:

(Cisco Controller) > config time ntp server 1 10.92.125.52
(Cisco Controller) > config time ntp server 2 2001:9:6:40::623
(Cisco Controller) > show time

Time............................................. Fri May 23 12:04:18 2014
Timezone delta................................... 0:0
Timezone location................................ (GMT +5:30) Colombo, New Delhi, Chennai, Kolkata

NTP Servers
NTP Polling Interval......................... 3600

Index     NTP Key Index     NTP Server          NTP Msg Auth Status
------- --------------------------------------------------
1         1                 10.92.125.52        AUTH SUCCESS
2         1                 2001:9:6:40::623    AUTH SUCCESS

The following example shows how to delete NTP servers and verify that the servers are removed from the NTP server list:

(Cisco Controller) > config time ntp server 1 0.0.0.0
(Cisco Controller) > config time ntp server 2 ::
(Cisco Controller) > show time

Time............................................. Fri May 23 12:04:18 2014
Timezone delta................................... 0:0
Timezone location................................ (GMT +5:30) Colombo, New Delhi, Chennai, Kolkata

NTP Servers
NTP Polling Interval......................... 3600

Index     NTP Key Index     NTP Server          NTP Msg Auth Status
------- --------------------------------------------------

config time timezone

To configure the system time zone, use the config time timezone command.

config time timezone {enable | disable} delta_hours delta_mins

Syntax Description

enable         Enables daylight saving time.
disable        Disables daylight saving time.
delta_hours    Local hour difference from the Universal Coordinated Time (UCT).
delta_mins     Local minute difference from UCT.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable the daylight saving time:

(Cisco Controller) > config time timezone enable 2 0

Related Commands

show time

config time timezone location

To set the location of the time zone in order to have daylight saving time set automatically when it occurs, use the config time timezone location command.

config time timezone location location_index

Syntax Description

location_index    Number representing the time zone required. The time zones are as follows:

• (GMT-12:00) International Date Line West

• (GMT-11:00) Samoa

• (GMT-10:00) Hawaii

• (GMT-9:00) Alaska

• (GMT-8:00) Pacific Time (US and Canada)

• (GMT-7:00) Mountain Time (US and Canada)

• (GMT-6:00) Central Time (US and Canada)

• (GMT-5:00) Eastern Time (US and Canada)

• (GMT-4:00) Atlantic Time (Canada)

• (GMT-3:00) Buenos Aires (Argentina)

• (GMT-2:00) Mid-Atlantic

• (GMT-1:00) Azores

• (GMT) London, Lisbon, Dublin, Edinburgh (default value)

• (GMT +1:00) Amsterdam, Berlin, Rome, Vienna

• (GMT +2:00) Jerusalem

• (GMT +3:00) Baghdad

• (GMT +4:00) Muscat, Abu Dhabi

• (GMT +4:30) Kabul

• (GMT +5:00) Karachi, Islamabad, Tashkent

• (GMT +5:30) Colombo, Kolkata, Mumbai, New Delhi

• (GMT +5:45) Katmandu

• (GMT +6:00) Almaty, Novosibirsk

• (GMT +6:30) Rangoon

• (GMT +7:00) Saigon, Hanoi, Bangkok, Jakarta

• (GMT +8:00) Hong Kong, Beijing, Chongqing

• (GMT +9:00) Tokyo, Osaka, Sapporo

• (GMT +9:30) Darwin

• (GMT+10:00) Sydney, Melbourne, Canberra

• (GMT+11:00) Magadan, Solomon Is., New Caledonia

• (GMT+12:00) Kamchatka, Marshall Is., Fiji

• (GMT+12:00) Auckland (New Zealand)

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to set the location of the time zone in order to set the daylight saving time to location index 10 automatically:

(Cisco Controller) > config time timezone location 10

Related Commands

show time

Cisco Wireless Controller Command Reference, Release 8.4

1039

config trapflags 802.11-Security config trapflags 802.11-Security

To enable or disable sending 802.11 security-related traps, use the config trapflags 802.11-Security command.

config trapflags 802.11-Security wepDecryptError {enable | disable}

Syntax Description

enable

Enables sending 802.11 security-related traps.

disable

Disables sending 802.11 security-related traps.

Command Default

By default, sending the 802.11 security-related traps is enabled.

Command History

Release

7.6

Modification

This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to disable the 802.11 security-related traps:

(Cisco Controller) > config trapflags 802.11-Security wepDecryptError disable

Related Commands

show trapflags

config trapflags aaa

To enable or disable the sending of AAA server-related traps, use the config trapflags aaa command.

config trapflags aaa {auth | servers} {enable | disable}

Syntax Description

auth

Enables trap sending when an AAA authentication failure occurs for management user, net user, or MAC filter.

servers

Enables trap sending when no RADIUS servers are responding.

enable

Enables the sending of AAA server-related traps.

disable

Disables the sending of AAA server-related traps.

Command Default

By default, the sending of AAA server-related traps is enabled.

Command History

Release

7.6

Modification

This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable the sending of AAA server-related traps:

(Cisco Controller) > config trapflags aaa auth enable

Related Commands

show watchlist

config trapflags adjchannel-rogueap

To configure trap notifications when a rogue access point is detected at the adjacent channel, use the config trapflags adjchannel-rogueap command.

config trapflags adjchannel-rogueap {enable | disable}

Syntax Description

enable

Enables trap notifications when a rogue access point is detected at the adjacent channel.

disable

Disables trap notifications when a rogue access point is detected at the adjacent channel.

Command Default

None

Command History

Release

7.6

Modification

This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable trap notifications when a rogue access point is detected at the adjacent channel:

(Cisco Controller) > config trapflags adjchannel-rogueap enable

Related Commands

config trapflags 802.11-Security

config trapflags aaa

config trapflags ap

config trapflags authentication

config trapflags client

config trapflags configsave

config trapflags IPsec

config trapflags linkmode

config trapflags multiusers

config trapflags mesh

config trapflags strong-pwdcheck

config trapflags rfid

config trapflags rogueap

show trapflags

config trapflags ap

To enable or disable the sending of Cisco lightweight access point traps, use the config trapflags ap command.

config trapflags ap {register | interfaceUp} {enable | disable}

Syntax Description

register

Enables sending a trap when a Cisco lightweight access point registers with Cisco switch.

interfaceUp

Enables sending a trap when a Cisco lightweight access point interface (A or B) comes up.

enable

Enables sending access point-related traps.

disable

Disables sending access point-related traps.

Command Default

By default, the sending of Cisco lightweight access point traps is enabled.

Command History

Release

7.6

Modification

This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to prevent the sending of access point-related traps:

(Cisco Controller) > config trapflags ap register disable

Related Commands

show trapflags

config trapflags authentication

To enable or disable sending traps with invalid SNMP access, use the config trapflags authentication command.

config trapflags authentication {enable | disable}

Syntax Description

enable

Enables sending traps with invalid SNMP access.

disable

Disables sending traps with invalid SNMP access.

Command Default

By default, the sending of traps with invalid SNMP access is enabled.

Command History

Release

7.6

Modification

This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to prevent sending traps on invalid SNMP access:

(Cisco Controller) > config trapflags authentication disable

Related Commands

show trapflags

config trapflags client

To enable or disable the sending of client-related DOT11 traps, use the config trapflags client command.

config trapflags client {802.11-associate | 802.11-disassociate | 802.11-deauthenticate | 802.11-authfail | 802.11-assocfail | authentication | excluded} {enable | disable}

Syntax Description

802.11-associate

Enables the sending of Dot11 association traps to clients.

802.11-disassociate

Enables the sending of Dot11 disassociation traps to clients.

802.11-deauthenticate

Enables the sending of Dot11 deauthentication traps to clients.

802.11-authfail

Enables the sending of Dot11 authentication fail traps to clients.

802.11-assocfail

Enables the sending of Dot11 association fail traps to clients.

authentication

Enables the sending of authentication success traps to clients.

excluded

Enables the sending of excluded trap to clients.

enable

Enables sending of client-related DOT11 traps.

disable

Disables sending of client-related DOT11 traps.

Command Default

By default, the sending of client-related DOT11 traps is disabled.

Command History

Release

7.6

Modification

This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable the sending of Dot11 disassociation trap to clients:

(Cisco Controller) > config trapflags client 802.11-disassociate enable

Related Commands

show trapflags

config trapflags client max-warning-threshold

To configure the threshold value of the number of clients that associate with the controller, after which an SNMP trap and a syslog message are sent to the controller, use the config trapflags client max-warning-threshold command.

config trapflags client max-warning-threshold {threshold | enable | disable}

Syntax Description

threshold

Configures the threshold percentage value of the number of clients that associate with the controller, after which an SNMP trap and a syslog message are sent to the controller. The range is from 80 to 100.

The minimum interval between two warnings is 10 minutes. You cannot configure this interval.

enable

Enables the generation of the traps and syslog messages.

disable

Disables the generation of the traps and syslog messages.

Command Default

The default threshold value of the number of clients that associate with the controller is 90 %.

Command History

Release

7.6

Modification

This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

This table lists the maximum number of clients for different controllers.

Table 9: Maximum Number of Clients Supported on Different Controllers

Controller                                Maximum Number of Supported Clients
Cisco 5500 Series Controllers             7000
Cisco 2500 Series Controllers             500
Cisco Wireless Services Module 2          15000
Cisco Flex 7500 Series Controllers        64000
Cisco 8500 Series Controllers             64000
Cisco Virtual Wireless LAN Controllers    30000

Examples

The following example shows how to configure the threshold value of the number of clients that associate with the controller:

(Cisco Controller) > config trapflags client max-warning-threshold 80

Related Commands

show trapflags

config trapflags client

config trapflags configsave

To enable or disable the sending of configuration-saved traps, use the config trapflags configsave command.

config trapflags configsave {enable | disable}

Syntax Description

enable

Enables sending of configuration-saved traps.

disable

Disables the sending of configuration-saved traps.

Command Default

By default, the sending of configuration-saved traps is enabled.

Command History

Release

7.6

Modification

This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable the sending of configuration-saved traps:

(Cisco Controller) > config trapflags configsave enable

Related Commands

show trapflags

config trapflags IPsec

To enable or disable the sending of IPsec traps, use the config trapflags IPsec command.

config trapflags IPsec {esp-auth | esp-reply | invalidSPI | ike-neg | suite-neg | invalid-cookie} {enable | disable}

Syntax Description

esp-auth

Enables the sending of IPsec traps when an ESP authentication failure occurs.

esp-reply

Enables the sending of IPsec traps when an ESP replay failure occurs.

invalidSPI

Enables the sending of IPsec traps when an ESP invalid SPI is detected.

ike-neg

Enables the sending of IPsec traps when an IKE negotiation failure occurs.

suite-neg

Enables the sending of IPsec traps when a suite negotiation failure occurs.

invalid-cookie

Enables the sending of IPsec traps when an ISAKMP invalid cookie is detected.

enable

Enables sending of IPsec traps.

disable

Disables sending of IPsec traps.

Command Default

By default, the sending of IPsec traps is enabled.

Command History

Release

7.6

Modification

This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable the sending of IPsec traps when an ESP authentication failure occurs:

(Cisco Controller) > config trapflags IPsec esp-auth enable

Related Commands

show trapflags

config trapflags linkmode

To enable or disable Cisco wireless LAN controller level link up/down trap flags, use the config trapflags linkmode command.

config trapflags linkmode {enable | disable}

Syntax Description

enable

Enables Cisco wireless LAN controller level link up/down trap flags.

disable

Disables Cisco wireless LAN controller level link up/down trap flags.

Command Default

By default, the Cisco WLC level link up/down trap flags are enabled.

Command History

Release

7.6

Modification

This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to disable the Cisco wireless LAN controller level link up/down trap:

(Cisco Controller) > config trapflags linkmode disable

Related Commands

show trapflags

config trapflags mesh

To configure trap notifications when a mesh access point is detected, use the config trapflags mesh command.

config trapflags mesh {enable | disable}

Syntax Description

enable

Enables trap notifications when a mesh access point is detected.

disable

Disables trap notifications when a mesh access point is detected.

Command Default

None

Command History

Release

7.6

Modification

This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable trap notifications when a mesh access point is detected:

(Cisco Controller) > config trapflags mesh enable

Related Commands

config trapflags 802.11-Security

config trapflags aaa

config trapflags ap

config trapflags adjchannel-rogueap

config trapflags authentication

config trapflags client

config trapflags configsave

config trapflags IPsec

config trapflags linkmode

config trapflags multiusers

config trapflags strong-pwdcheck

config trapflags rfid

config trapflags rogueap

show trapflags

config trapflags multiusers

To enable or disable the sending of traps when multiple logins are active, use the config trapflags multiusers command.

config trapflags multiusers {enable | disable}

Syntax Description

enable

Enables the sending of traps when multiple logins are active.

disable

Disables the sending of traps when multiple logins are active.

Command Default

By default, the sending of traps when multiple logins are active is enabled.

Command History

Release

7.6

Modification

This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to disable the sending of traps when multiple logins are active:

(Cisco Controller) > config trapflags multiusers disable

Related Commands

show trapflags

config trapflags rfid

To configure the threshold value of the maximum number of radio frequency identification (RFID) tags, after which an SNMP trap and a syslog message are sent to the controller, use the config trapflags rfid command.

config trapflags rfid {threshold | enable | disable}

Syntax Description

threshold

Configures the threshold percentage value of the maximum number of RFID tags, after which an SNMP trap and a syslog message are sent to the controller. The range is from 80 to 100.

The traps and syslog messages are generated every 10 minutes. You cannot configure this interval.

enable

Enables the generation of the traps and syslog messages.

disable

Disables the generation of the traps and syslog messages.

Command Default

The default threshold value of the maximum number of RFID tags is 90 %.

Command History

Release

7.6

Modification

This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

The following table shows the maximum number of RFID tags supported on different controllers:

Table 10: Maximum Number of RFID Tags Supported on Different Controllers

Controller                                Maximum Number of Supported RFID Tags
Cisco 5500 Series Controllers             5000
Cisco 2500 Series Controllers             500
Cisco Wireless Services Module 2          10000
Cisco Flex 7500 Series Controllers        50000
Cisco 8500 Series Controllers             50000
Cisco Virtual Wireless LAN Controllers    3000

Examples

The following example shows how to configure the threshold value of the maximum number of RFID tags:

(Cisco Controller) > config trapflags rfid 80

Related Commands

config trapflags 802.11-Security

config trapflags aaa

config trapflags ap

config trapflags adjchannel-rogueap

config trapflags authentication

config trapflags client

config trapflags configsave

config trapflags IPsec

config trapflags linkmode

config trapflags multiusers

config trapflags mesh

config trapflags strong-pwdcheck

config trapflags rogueap

show trapflags

config trapflags rogueap

To enable or disable sending rogue access point detection traps, use the config trapflags rogueap command.

config trapflags rogueap {enable | disable}

Syntax Description

enable

Enables the sending of rogue access point detection traps.

disable

Disables the sending of rogue access point detection traps.

Command Default

By default, the sending of rogue access point detection traps is enabled.

Command History

Release

7.6

Modification

This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to disable the sending of rogue access point detection traps:

(Cisco Controller) > config trapflags rogueap disable

Related Commands

config rogue ap classify

config rogue ap friendly

config rogue ap rldp

config rogue ap ssid

config rogue ap timeout

config rogue ap valid-client

show rogue ap clients

show rogue ap detailed

show rogue ap summary

show rogue ap friendly summary

show rogue ap malicious summary

show rogue ap unclassified summary

show trapflags

config trapflags rrm-params

To enable or disable the sending of Radio Resource Management (RRM) parameters traps, use the config trapflags rrm-params command.

config trapflags rrm-params {tx-power | channel | antenna} {enable | disable}

Syntax Description

tx-power

Enables trap sending when the RF manager automatically changes the tx-power level for the Cisco lightweight access point interface.

channel

Enables trap sending when the RF manager automatically changes the channel for the Cisco lightweight access point interface.

antenna

Enables trap sending when the RF manager automatically changes the antenna for the Cisco lightweight access point interface.

enable

Enables the sending of RRM parameter-related traps.

disable

Disables the sending of RRM parameter-related traps.

Command Default

By default, the sending of RRM parameters traps is enabled.

Command History

Release

7.6

Modification

This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable the sending of RRM parameter-related traps:

(Cisco Controller) > config trapflags rrm-params tx-power enable

Related Commands

show trapflags

config trapflags rrm-profile

To enable or disable the sending of Radio Resource Management (RRM) profile-related traps, use the config trapflags rrm-profile command.

config trapflags rrm-profile {load | noise | interference | coverage} {enable | disable}

Syntax Description

load

Enables trap sending when the load profile maintained by the RF manager fails.

noise

Enables trap sending when the noise profile maintained by the RF manager fails.

interference

Enables trap sending when the interference profile maintained by the RF manager fails.

coverage

Enables trap sending when the coverage profile maintained by the RF manager fails.

enable

Enables the sending of RRM profile-related traps.

disable

Disables the sending of RRM profile-related traps.

Command Default

By default, the sending of RRM profile-related traps is enabled.

Command History

Release

7.6

Modification

This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to disable the sending of RRM profile-related traps:

(Cisco Controller) > config trapflags rrm-profile load disable

Related Commands

show trapflags

config trapflags stpmode

To enable or disable the sending of spanning tree traps, use the config trapflags stpmode command.

config trapflags stpmode {enable | disable}

Syntax Description

enable

Enables the sending of spanning tree traps.

disable

Disables the sending of spanning tree traps.

Command Default

By default, the sending of spanning tree traps is enabled.

Command History

Release

7.6

Modification

This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to disable the sending of spanning tree traps:

(Cisco Controller) > config trapflags stpmode disable

Related Commands

show trapflags

config trapflags strong-pwdcheck

To configure trap notifications for strong password checks, use the config trapflags strong-pwdcheck command.

config trapflags strong-pwdcheck {enable | disable}

Syntax Description

enable

Enables trap notifications for strong password checks.

disable

Disables trap notifications for strong password checks.

Command Default

None

Command History

Release

7.6

Modification

This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable trap notifications for strong password checks:

(Cisco Controller) > config trapflags strong-pwdcheck enable

Related Commands

config trapflags 802.11-Security

config trapflags aaa

config trapflags ap

config trapflags adjchannel-rogueap

config trapflags authentication

config trapflags client

config trapflags configsave

config trapflags IPsec

config trapflags linkmode

config trapflags multiusers

config trapflags mesh

config trapflags rfid

config trapflags rogueap

show trapflags

config trapflags wps

To enable or disable Wireless Protection System (WPS) trap sending, use the config trapflags wps command.

config trapflags wps {enable | disable}

Syntax Description

enable

Enables WPS trap sending.

disable

Disables WPS trap sending.

Command Default

By default, the WPS trap sending is enabled.

Command History

Release

7.6

Modification

This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to disable WPS trap sending:

(Cisco Controller) > config trapflags wps disable

Related Commands show trapflags
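The following is an added example, not part of the Cisco reference: a Python audit that reads controller CLI lines (for instance a change script or a command log) and reports security-relevant trap flags, as documented in the config trapflags entries above, whose last setting is disable. The SECURITY_TRAPS baseline, the function names, and the sample lines are assumptions constructed for illustration.

```python
import re

# Trap families from this reference that the example treats as
# security-relevant. The selection is an assumption of this example,
# not a Cisco baseline. An empty set means the family takes no sub-keyword.
SECURITY_TRAPS = {
    "802.11-security": {"wepdecrypterror"},
    "aaa": {"auth", "servers"},
    "adjchannel-rogueap": set(),
    "authentication": set(),
    "configsave": set(),
    "ipsec": {"esp-auth", "esp-reply", "invalidspi", "ike-neg",
              "suite-neg", "invalid-cookie"},
    "multiusers": set(),
    "rogueap": set(),
    "strong-pwdcheck": set(),
    "wps": set(),
}

PROMPT = re.compile(r"^\(Cisco Controller\)\s*>\s*")


def parse_trapflag(line):
    """Return (family, sub_keyword_or_None, state), or None if the line
    is not an enable/disable trapflags command."""
    # Keywords are compared in lower case (an assumption of this example).
    tokens = PROMPT.sub("", line.strip()).lower().split()
    if len(tokens) not in (4, 5) or tokens[:2] != ["config", "trapflags"]:
        return None
    state = tokens[-1]
    if state not in ("enable", "disable"):
        return None  # for example a numeric threshold value
    sub = tokens[3] if len(tokens) == 5 else None
    return tokens[2], sub, state


def audit(lines):
    """Return [(line_number, trap_name)] for baseline traps left disabled.

    Commands are applied in order, so a later enable cancels an earlier
    disable of the same flag.
    """
    last = {}  # (family, sub) -> (state, line number of the last change)
    for num, line in enumerate(lines, start=1):
        parsed = parse_trapflag(line)
        if parsed is None:
            continue
        family, sub, state = parsed
        allowed = SECURITY_TRAPS.get(family)
        if allowed is None:
            continue  # family is outside the baseline
        if allowed and sub not in allowed:
            continue  # sub-keyword not documented for this family
        if not allowed and sub is not None:
            continue  # family takes no sub-keyword
        last[(family, sub)] = (state, num)

    findings = []
    for (family, sub), (state, num) in sorted(last.items(),
                                              key=lambda kv: kv[1][1]):
        if state == "disable":
            findings.append((num, family if sub is None else f"{family} {sub}"))
    return findings


# Constructed sample input, not captured from a real controller.
SAMPLE = [
    "(Cisco Controller) > config trapflags rogueap disable",
    "(Cisco Controller) > config trapflags aaa auth disable",
    "(Cisco Controller) > config trapflags ap register disable",
    "(Cisco Controller) > config trapflags client max-warning-threshold 80",
    "(Cisco Controller) > config trapflags aaa auth enable",
    "(Cisco Controller) > config trapflags IPsec esp-auth disable",
    "config trapflags wps disable",
    "(Cisco Controller) > config time timezone location 10",
]

if __name__ == "__main__":
    for num, name in audit(SAMPLE):
        print(f"line {num}: security trap '{name}' is left disabled")
```
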

config tunnel eogre heart-beat

To configure the keep alive ping interval duration, use the config tunnel eogre command.

config tunnel eogre heart-beat {interval | max-skip-count} number-value

Syntax Description

interval number-value

Time interval between echo request messages, in seconds.

max-skip-count number-value

Maximum number of retries before the member is considered nonfunctional.

Command Default

The default value of heart-beat interval is 60 seconds. The range is from 10 to 600 seconds.

The default value of heart-beat max-skip-count is 3 retries. The range is from 3 to 10 retries.

Command History

Release

8.1

Modification

This command was introduced.

Examples

The following example shows how to set the heart-beat interval to 45 seconds:

config tunnel eogre heart-beat interval 45

config tunnel eogre gateway

To configure the Ethernet over GRE gateway IPv4 address, use the config tunnel eogre gateway command.

config tunnel eogre gateway {{{add | modify} gateway-name {ipv4-address | ipv6-address} gateway-ip-address} | {delete gateway-name}}

Syntax Description

add

Adds new gateway.

delete

Removes a gateway.

modify

Modifies an existing gateway.

ipv4-address

To enter the IPv4 address of the gateway.

ipv6-address

To enter the IPv6 address of the gateway.

gateway-ip-address

IPv4 or IPv6 address of the gateway.

gateway-name

Tunnel gateway name.

Command Default

None

Command History

Release

8.1

Modification

This command was introduced.

Release

8.3

Modification

The IPv6 address format option for the tunnel gateway was added.

Examples

• IPv4 address example

config tunnel eogre gateway add hurricane ipv4 192.168.10.1

• IPv6 address example

config tunnel eogre gateway add hurricane ipv6 2001:DB8::1

config tunnel eogre domain

To perform tunnel gateway domain configuration, use the config tunnel eogre domain command.

config tunnel eogre domain {{create | delete} domain-name} {add | remove} domain-name gateway-name

Syntax Description

create

Creates new gateway domain name.

delete

Deletes gateway domain.

add

Add gateway name to domain

remove

Remove gateway name from domain

domain-name

Domain name

gateway-name

Gateway name

Command Default

None

Command History

Release

8.1

Modification

This command was introduced.

Examples

The following example shows how to create new gateway domain name:

config tunnel eogre domain create web.com data

config tunnel profile

To create, copy, or delete a profile, use the config tunnel profile command.

config tunnel profile {copy | create | delete} profile-name

Syntax Description

copy

Copies an existing profile.

create

Creates a new profile.

delete

Deletes an existing profile.

Command Default

None

Command History

Release

8.1

Modification

This command was introduced.

Examples

The following example shows how to create a profile:

config tunnel profile create floorone

config tunnel profile_rule

To add or modify a rule in a profile, use the config tunnel profile command.

config tunnel profile rule {add | modify} profile-name realm-filter realm-string eogre vlan vlan-id gateway-domain-name

Syntax Description

add

Adds a new rule.

modify

Modifies an existing rule.

Command Default

None

Command History

Release

8.1

Modification

This command was introduced.

Examples

The following example shows how to add a rule to a profile:

config tunnel profile add table realm filter 5 eogre vlan 3 web.com

config tunnel profile_rule-delete

To delete a rule from a profile, use the config tunnel profile command.

config tunnel profile rule delete profile-name realm-filter realm-string

Syntax Description

delete

Deletes an existing rule from a profile.

Command Default

None

Command History

Release

8.1

Modification

This command was introduced.

Examples

The following example shows how to delete a rule from a profile:

config tunnel profile delete table realm filter 5

config tunnel profile eogre-DHCP82

To enable or disable the DHCP option 82 parameter, use the config tunnel profile command.

config tunnel profile eogre profile-name DHCP-Opt-82 {enable | disable}

Syntax Description

enable

Enables DHCP option 82 parameter in the system.

disable

Disables DHCP option 82 parameter in the system.

Command Default

None

Command History

Release

8.1

Modification

This command was introduced.

Examples

The following example shows how to enable the DHCP option 82 parameter:

config tunnel profile eogre test dhcp-opt-82 enable

config tunnel profile eogre-gateway-radius-proxy

To enable or disable the gateway-radius-proxy, use the config tunnel profile command.

config tunnel profile eogre profile-name gateway-radius-proxy {enable | disable}

Syntax Description

enable

Enables Gateway as Radius Proxy.

disable

Disables Gateway as Radius Proxy.

Command Default

None

Command History

Release

8.1

Modification

This command was introduced.

Examples

The following example shows how to enable the gateway proxy:

config tunnel profile eogre test gateway-radius-proxy enable

config tunnel profile eogre-gateway-radius-proxy-accounting

To enable or disable the gateway as accounting radius-proxy, use the config tunnel profile command.

config tunnel profile eogre profile-name gateway-radius-proxy accounting {enable | disable}

Syntax Description

enable

Enables Gateway as accounting Radius Proxy.

disable

Disables Gateway as accounting Radius Proxy.

Command Default

None

Command History

Release

8.1

Modification

This command was introduced.

Examples

The following example shows how to disable the gateway as accounting radius proxy:

config tunnel profile eogre test gateway-radius-proxy accounting disable


config tunnel profile eogre-DHCP82-circuit-id

To set the format for the circuit-id field in the DHCP option 82 parameter, use the config tunnel profile command.

config tunnel profile eogre profile-name DHCP-Opt-82 circuit-id parameter-id

Syntax Description

circuit-id

Sets the format for the Circuit-ID field in DHCP option 82.

parameter-id

List of supported parameters:

• ap-mac

• ap-ethmac

• ap-name

• ap-group-name

• flex-group-name

• ap-location

• vlan-id

• SSID-name

• SSID-TYPE

• Client-mac

Command Default

None

Command History

Release

8.1

Modification

This command was introduced.

Examples

The following example shows how to set the format for circuit-id in the DHCP option 82 parameter:

config tunnel profile eogre test dhcp-opt-82 circuit-id access1bldg

config tunnel profile eogre-DHCP82-delimiter

To set the delimiter for the DHCP option 82 parameter, use the config tunnel profile command.

config tunnel profile eogre profile-name DHCP-Opt-82 delimiter delimiter character

Syntax Description

delimiter

Sets the delimiter for the DHCP option 82 parameter in the system.

delimiter character

Delimiter is used to separate the DHCP option 82 parameter.

Command Default

None

Command History

Release

8.1

Modification

This command was introduced.

Examples

The following example shows how to delimit the DHCP option 82 parameter:

config tunnel profile eogre test dhcp-opt-82 delimiter -

config tunnel profile eogre-DHCP82-format

To set the required format for DHCP option 82, use the config tunnel profile command.

config tunnel profile eogre profile-name dhcp-opt-82 format {binary | ascii}

Syntax Description

binary

Sets the format for DHCP option 82 as binary.

ascii

Sets the format for DHCP option 82 as ASCII.

Command Default

None

Command History

Release

8.1

Modification

This command was introduced.

Examples

The following example shows how to set the DHCP option 82 format to binary:

config tunnel profile eogre test dhcp-opt-82 format binary

config tunnel profile eogre-DHCP82-remote-id

To set the format for the remote-id field in the DHCP option 82 parameter, use the config tunnel profile command.

config tunnel profile eogre profile-name DHCP-Opt-82 remote-id parameter-id

Syntax Description

remote-id

Sets the format for the Remote-ID field in DHCP option 82.

parameter-id

List of supported parameters:

• ap-mac

• ap-ethmac

• ap-name

• ap-group-name

• flex-group-name

• ap-location

• vlan-id

• SSID-name

• SSID-TYPE

• Client-mac

Command Default

None

Command History

Examples

Release

8.1

Modification

This command was introduced.

The following example shows how to set the format for remote-id in the DHCP option 82 parameter:

config tunnel profile eogre test dhcp-opt-82 remote-id access1flr

config watchlist add

To add a watchlist entry for a wireless LAN, use the config watchlist add command.

config watchlist add {mac MAC | username username}

Syntax Description

mac MAC              Specifies the MAC address of the wireless LAN.
username username    Specifies the name of the user to watch.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to add a watchlist entry for the MAC address a5:6b:ac:10:01:6b:

(Cisco Controller) > config watchlist add mac a5:6b:ac:10:01:6b

config watchlist delete

To delete a watchlist entry for a wireless LAN, use the config watchlist delete command.

config watchlist delete {mac MAC | username username}

Syntax Description

mac MAC              Specifies the MAC address of the wireless LAN to delete from the list.
username username    Specifies the name of the user to delete from the list.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to delete a watchlist entry for the MAC address a5:6b:ac:10:01:6b:

(Cisco Controller) > config watchlist delete mac a5:6b:ac:10:01:6b

config watchlist disable

To disable the client watchlist, use the config watchlist disable command.

config watchlist disable

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to disable the client watchlist:

(Cisco Controller) > config watchlist disable

config watchlist enable

To enable a watchlist entry for a wireless LAN, use the config watchlist enable command.

config watchlist enable

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable a watchlist entry:

(Cisco Controller) > config watchlist enable

config wgb vlan

To configure the Workgroup Bridge (WGB) VLAN client support, use the config wgb vlan command.

config wgb vlan {enable | disable}

Syntax Description

enable     Enables wired clients behind a WGB to connect to an anchor controller in a Data Management Zone (DMZ).
disable    Disables wired clients behind a WGB from connecting to an anchor controller in a DMZ.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable WGB VLAN client support:

(Cisco Controller) > config wgb vlan enable

config wlan

To create, delete, enable, or disable a wireless LAN, use the config wlan command.

config wlan {enable | disable | create | delete} wlan_id [name | foreignAp name ssid | all]

Syntax Description

enable       Enables a wireless LAN.
disable      Disables a wireless LAN.
create       Creates a wireless LAN.
delete       Deletes a wireless LAN.
wlan_id      Wireless LAN identifier between 1 and 512.
name         (Optional) WLAN profile name up to 32 alphanumeric characters.
foreignAp    (Optional) Specifies the third-party access point settings.
ssid         SSID (network name) up to 32 alphanumeric characters.
all          (Optional) Specifies all wireless LANs.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

When you create a new WLAN using the config wlan create command, it is created in disabled mode. Leave it disabled until you have finished configuring it.

If you do not specify an SSID, the profile name parameter is used for both the profile name and the SSID.

If the management and AP-manager interfaces are mapped to the same port and are members of the same VLAN, you must disable the WLAN before making a port-mapping change to either interface. If the management and AP-manager interfaces are assigned to different VLANs, you do not need to disable the WLAN.

An error message appears if you try to delete a WLAN that is assigned to an access point group. If you proceed, the WLAN is removed from the access point group and from the access point’s radio.

Examples

The following example shows how to enable wireless LAN identifier 16:

(Cisco Controller) > config wlan enable 16

config wlan 7920-support

To configure support for phones, use the config wlan 7920-support command.

config wlan 7920-support {client-cac-limit | ap-cac-limit} {enable | disable} wlan_id

Syntax Description

ap-cac-limit        Supports phones that require client-controlled Call Admission Control (CAC) that expect the Cisco vendor-specific information element (IE).
client-cac-limit    Supports phones that require access point-controlled CAC that expect the IEEE 802.11e Draft 6 QBSS-load.
enable              Enables phone support.
disable             Disables phone support.
wlan_id             Wireless LAN identifier between 1 and 512.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

You cannot enable both WMM mode and client-controlled CAC mode on the same WLAN.

Examples

The following example shows how to enable the phone support that requires client-controlled CAC with wireless LAN ID 8:

(Cisco Controller) > config wlan 7920-support ap-cac-limit enable 8

config wlan 802.11e

To configure 802.11e support on a wireless LAN, use the config wlan 802.11e command.

config wlan 802.11e {allow | disable | require} wlan_id

Syntax Description

allow      Allows 802.11e-enabled clients on the wireless LAN.
disable    Disables 802.11e on the wireless LAN.
require    Requires 802.11e-enabled clients on the wireless LAN.
wlan_id    Wireless LAN identifier between 1 and 512.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

802.11e provides quality of service (QoS) support for LAN applications, which is critical for delay-sensitive applications such as Voice over Wireless IP (VoWIP).

802.11e enhances the 802.11 Media Access Control layer (MAC layer) with a coordinated time division multiple access (TDMA) construct, and adds error-correcting mechanisms for delay-sensitive applications such as voice and video. The 802.11e specification provides seamless interoperability and is especially well suited for use in networks that include a multimedia capability.

Examples

The following example shows how to allow 802.11e on the wireless LAN with LAN ID 1:

(Cisco Controller) > config wlan 802.11e allow 1

config wlan aaa-override

To configure a user policy override via AAA on a wireless LAN, use the config wlan aaa-override command.

config wlan aaa-override {enable | disable} {wlan_id | foreignAp}

Syntax Description

enable       Enables a policy override.
disable      Disables a policy override.
wlan_id      Wireless LAN identifier between 1 and 512.
foreignAp    Specifies third-party access points.

Command Default

AAA is disabled.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

When AAA override is enabled and a client has conflicting AAA and Cisco wireless LAN controller wireless LAN authentication parameters, client authentication is performed by the AAA server. As part of this authentication, the operating system will move clients from the default Cisco wireless LAN VLAN to a VLAN returned by the AAA server and predefined in the controller interface configuration (only when configured for MAC filtering, 802.1X, and/or WPA operation). In all cases, the operating system will also use QoS, DSCP, 802.1p priority tag values, and ACLs provided by the AAA server, as long as they are predefined in the controller interface configuration. (This VLAN switching by AAA override is also referred to as Identity Networking.)

If the corporate wireless LAN uses a management interface assigned to VLAN 2, and if AAA override returns a redirect to VLAN 100, the operating system redirects all client transmissions to VLAN 100, regardless of the physical port to which VLAN 100 is assigned.

When AAA override is disabled, all client authentication defaults to the controller authentication parameter settings, and authentication is performed by the AAA server if the controller wireless LAN does not contain any client-specific authentication parameters.

The AAA override values might come from a RADIUS server.

Examples

The following example shows how to configure user policy override via AAA on WLAN ID 1:

(Cisco Controller) > config wlan aaa-override enable 1
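The usage guidelines above determine which attributes of an AAA reply actually reach a client, which is what decides how far the RADIUS server sits inside the WLAN's trust boundary. The following Python model is an added example, not controller code or Cisco's implementation; the class names, attribute keys, the QoS profile name and the sample values are constructed for illustration, and it covers only the VLAN, ACL and QoS rules stated in the guidelines.

```python
from dataclasses import dataclass
from typing import Optional

# Security modes under which the guidelines say AAA may move the client VLAN.
VLAN_OVERRIDE_MODES = frozenset({"mac-filtering", "802.1x", "wpa"})


@dataclass(frozen=True)
class Wlan:                      # hypothetical model of one WLAN's settings
    wlan_id: int
    aaa_override: bool
    security: frozenset          # e.g. frozenset({"802.1x"})
    vlan: int                    # default VLAN of the WLAN
    acl: Optional[str] = None
    qos: Optional[str] = None


@dataclass(frozen=True)
class Controller:                # what is predefined in the controller config
    vlans: frozenset
    acls: frozenset
    qos_profiles: frozenset


def effective_policy(wlan, ctrl, aaa):
    """Return (policy, ignored) for one client.

    policy  -- the VLAN/ACL/QoS the client ends up with
    ignored -- AAA attributes that were not applied, with the reason
    """
    policy = {"vlan": wlan.vlan, "acl": wlan.acl, "qos": wlan.qos}
    if not wlan.aaa_override:
        # Override disabled: controller settings win for every attribute.
        return policy, {k: "aaa-override disabled" for k in aaa}

    ignored = {}
    if "vlan" in aaa:
        if not (wlan.security & VLAN_OVERRIDE_MODES):
            ignored["vlan"] = "WLAN not using MAC filtering, 802.1X or WPA"
        elif aaa["vlan"] not in ctrl.vlans:
            ignored["vlan"] = "VLAN not predefined on the controller"
        else:
            policy["vlan"] = aaa["vlan"]

    # QoS and ACL values are used "in all cases", provided they are predefined.
    for attr, known in (("acl", ctrl.acls), ("qos", ctrl.qos_profiles)):
        if attr in aaa:
            if aaa[attr] in known:
                policy[attr] = aaa[attr]
            else:
                ignored[attr] = f"{attr} not predefined on the controller"
    return policy, ignored


def reachable_vlans(wlan, ctrl):
    """VLANs an AAA reply could place this WLAN's clients on (audit helper)."""
    if wlan.aaa_override and (wlan.security & VLAN_OVERRIDE_MODES):
        return set(ctrl.vlans) | {wlan.vlan}
    return {wlan.vlan}


if __name__ == "__main__":
    # Constructed scenario from the guidelines: WLAN on VLAN 2, AAA returns 100.
    ctrl = Controller(frozenset({2, 100}), frozenset({"office_1"}),
                      frozenset({"platinum"}))
    corp = Wlan(1, True, frozenset({"802.1x"}), vlan=2)
    print(effective_policy(corp, ctrl, {"vlan": 100, "acl": "office_1"}))
    print(effective_policy(corp, ctrl, {"vlan": 300}))
    print(sorted(reachable_vlans(corp, ctrl)))
```

Running `reachable_vlans` over every override-enabled WLAN shows which predefined interfaces a RADIUS reply can select, so sensitive VLANs can be reviewed before override is turned on.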

config wlan acl

To configure a wireless LAN access control list (ACL), use the config wlan acl command.

config wlan acl wlan_id [acl_name | none]

Syntax Description

wlan_id     Wireless LAN identifier (1 to 512).
acl_name    (Optional) ACL name.
none        (Optional) Clears the ACL settings for the specified wireless LAN.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure a WLAN access control list with WLAN ID 1 and ACL named office_1:

(Cisco Controller) > config wlan acl 1 office_1

config wlan apgroup

To manage access point group VLAN features, use the config wlan apgroup command.

config wlan apgroup {add apgroup_name [description] | delete apgroup_name | description apgroup_name description | interface-mapping {add | delete} apgroup_name wlan_id interface_name | nac-snmp {enable | disable} apgroup_name wlan_id | nasid NAS-ID apgroup_name | profile-mapping {add | delete} apgroup_name profile_name | wlan-radio-policy apgroup_name wlan-id {802.11a-only | 802.11bg | 802.11g-only | all} | hotspot {venue {type apgroup_name group_code type_code | name apgroup_name language_code venue_name} | operating-class {add | delete} apgroup_name operating_class_value}}

Syntax Description

add                  Creates a new access point group (AP group).
apgroup_name         Access point group name.
wlan_id              Wireless LAN identifier from 1 to 512.
delete               Removes a wireless LAN from an AP group.
description          Describes an AP group.
description          Description of the AP group.
interface-mapping    (Optional) Assigns or removes a Wireless LAN from an AP group.
interface_name       (Optional) Interface to which you want to map an AP group.
nac-snmp             Configures NAC SNMP functionality on given AP group. Enables or disables Network Admission Control (NAC) out-of-band support on an access point group.
enable               Enables NAC out-of-band support on an AP group.
disable              Disables NAC out-of-band support on an AP group.
NAS-ID               Network Access Server identifier (NAS-ID) for the AP group. The NAS-ID is sent to the RADIUS server by the controller (as a RADIUS client) using the authentication request, which is used to classify users to different groups. You can enter up to 32 alphanumeric characters. Beginning in Release 7.4 and later releases, you can configure the NAS-ID on the interface, WLAN, or an access point group. The order of priority is AP group NAS-ID > WLAN NAS-ID > Interface NAS-ID.
none                 Configures the controller system name as the NAS-ID.

profile-mapping      Configures RF profile mapping on an AP group.
profile_name         RF profile name for a specified AP group.
wlan-radio-policy    Configures WLAN radio policy on an AP group.
802.11a-only         Configures WLAN radio policy on an AP group.
802.11bg             Configures WLAN radio policy on an AP group.
802.11g-only         Configures WLAN radio policy on an AP group.
all                  Configures WLAN radio policy on an AP group.
hotspot              Configures a HotSpot on an AP group.
venue                Configures venue information for an AP group.
type                 Configures the type of venue for an AP group.
group_code           Venue group information for an AP group. The following options are available:

• 0 : UNSPECIFIED
• 1 : ASSEMBLY
• 2 : BUSINESS
• 3 : EDUCATIONAL
• 4 : FACTORY-INDUSTRIAL
• 5 : INSTITUTIONAL
• 6 : MERCANTILE
• 7 : RESIDENTIAL
• 8 : STORAGE
• 9 : UTILITY-MISC
• 10 : VEHICULAR
• 11 : OUTDOOR

type_code            Venue type information for an AP group.

For venue group 1 (ASSEMBLY), the following options are available:

• 0 : UNSPECIFIED ASSEMBLY

• 1 : ARENA

• 2 : STADIUM

• 3 : PASSENGER TERMINAL

• 4 : AMPHITHEATER

• 5 : AMUSEMENT PARK

• 6 : PLACE OF WORSHIP

• 7 : CONVENTION CENTER

• 8 : LIBRARY

• 9 : MUSEUM

• 10 : RESTAURANT

• 11 : THEATER

• 12 : BAR

• 13 : COFFEE SHOP

• 14 : ZOO OR AQUARIUM

• 15 : EMERGENCY COORDINATION CENTER

For venue group 2 (BUSINESS), the following options are available:

• 0 : UNSPECIFIED BUSINESS

• 1 : DOCTOR OR DENTIST OFFICE

• 2 : BANK

• 3 : FIRE STATION

• 4 : POLICE STATION

• 6 : POST OFFICE

• 7 : PROFESSIONAL OFFICE

• 8 : RESEARCH AND DEVELOPMENT FACILITY

• 9 : ATTORNEY OFFICE

For venue group 3 (EDUCATIONAL), the following options are available:

• 0 : UNSPECIFIED EDUCATIONAL


• 1 : PRIMARY SCHOOL

• 2 : SECONDARY SCHOOL

• 3 : UNIVERSITY OR COLLEGE

For venue group 4 (FACTORY-INDUSTRIAL), the following options are available:

• 0 : UNSPECIFIED FACTORY AND INDUSTRIAL

• 1 : FACTORY

For venue group 5 (INSTITUTIONAL), the following options are available:

• 0 : UNSPECIFIED INSTITUTIONAL

• 1 : HOSPITAL

• 2 : LONG-TERM CARE FACILITY

• 3 : ALCOHOL AND DRUG RE-HABILITATION CENTER

• 4 : GROUP HOME

• 5 : PRISON OR JAIL

For venue group 6 (MERCANTILE), the following options are available:

• 0 : UNSPECIFIED MERCANTILE

• 1 : RETAIL STORE

• 2 : GROCERY MARKET

• 3 : AUTOMOTIVE SERVICE STATION

• 4 : SHOPPING MALL

• 5 : GAS STATION

For venue group 7 (RESIDENTIAL), the following options are available:

• 0 : UNSPECIFIED RESIDENTIAL

• 1 : PRIVATE RESIDENCE

• 2 : HOTEL OR MOTEL

• 3 : DORMITORY

• 4 : BOARDING HOUSE

For venue group 8 (STORAGE), the following options are available:

• 0 : UNSPECIFIED STORAGE

For venue group 9 (UTILITY-MISC), the following options are available:

• 0 : UNSPECIFIED UTILITY AND MISCELLANEOUS

For venue group 10 (VEHICULAR), the following options are available:

• 0 : UNSPECIFIED VEHICULAR
• 1 : AUTOMOBILE OR TRUCK
• 2 : AIRPLANE
• 3 : BUS
• 4 : FERRY
• 5 : SHIP OR BOAT
• 6 : TRAIN
• 7 : MOTOR BIKE

For venue group 11 (OUTDOOR), the following options are available:

• 0 : UNSPECIFIED OUTDOOR
• 1 : MINI-MESH NETWORK
• 2 : CITY PARK
• 3 : REST AREA
• 4 : TRAFFIC CONTROL
• 5 : BUS STOP
• 6 : KIOSK

name                     Configures the name of venue for an AP group.
language_code            An ISO-639 encoded string defining the language used at the venue. This string is a three character language code. For example, you can enter ENG for English.
venue_name               Venue name for this AP group. This name is associated with the basic service set (BSS) and is used in cases where the SSID does not provide enough information about the venue. The venue name is case-sensitive and can be up to 252 alphanumeric characters.
add                      Adds an operating class for an AP group.
delete                   Deletes an operating class for an AP group.
operating_class_value    Operating class for an AP group. The available operating classes are 81, 83, 84, 112, 113, 115, 116, 117, 118, 119, 120, 121, 122, 123, 124, 125, 126, 127.

Command Default

AP Group VLAN is disabled.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

An error message appears if you try to delete an access point group that is used by at least one access point.

Before you can delete an AP group in controller software release 6.0, move all APs in this group to another group. The access points are not moved to the default-group access point group as in previous releases. To see the APs, enter the show wlan apgroups command. To move APs, enter the config ap group-name groupname cisco_ap command.

The NAS-ID configured on the controller for AP group or WLAN or interface is used for authentication. The NAS-ID is not propagated across controllers.

Examples

The following example shows how to enable the NAC out-of-band support on access point group 4:

(Cisco Controller) > config wlan apgroup nac enable apgroup 4

config wlan apgroup atf 802.11

To configure Cisco Airtime Fairness (ATF) at an AP group level, use the config wlan apgroup atf 802.11 command.

config wlan apgroups atf 802.11{a | b} {mode {disable | monitor | enforce-policy} ap-group-name} | {optimization {enable | disable}}

Syntax Description

a                 Specifies the 802.11a network settings.
b                 Specifies the 802.11b/g network settings.
mode              Configures the granularity of Cisco ATF enforcement.
disable           Disables Cisco ATF.
monitor           Configures Cisco ATF in monitor mode.
enforce-policy    Configures Cisco ATF in enforcement mode.
ap-group-name     AP group name that you must specify.
optimization      Configures airtime optimization.
enable            Enables airtime optimization.
disable           Disables airtime optimization.

Command History

Release    Modification
8.1        This command was introduced.

Examples

To configure Cisco ATF in enforcement mode on an 802.11a network, for an AP group my-ap-group, enter the following command:

(Cisco Controller) > config wlan apgroup atf 802.11a mode enforce-policy my-ap-group

config wlan apgroup atf 802.11 policy

To configure an AP group-level override for the Cisco ATF policy on a WLAN, use this command:

config wlan apgroup atf 802.11{a | b} policy ap-group-name wlan-id policy-name override {enable | disable}

Syntax Description

a                Specifies the 802.11a network settings.
b                Specifies the 802.11b network settings.
policy           Specifies the Cisco ATF policy.
ap-group-name    Name of the AP group that you must specify.
wlan-id          WLAN ID or Remote LAN ID that you must specify.
policy-name      Cisco ATF policy name that you must specify.
override         Configures ATF policy override for a WLAN in the AP group.
enable           Enables ATF policy override for a WLAN in the AP group.
disable          Disables ATF policy override for a WLAN in the AP group.

Command History

Release    Modification
8.1        This command was introduced.

config wlan apgroup opendns-profile

To configure an open Domain Name System (DNS) profile to an access point (AP) group wireless LAN (WLAN), use the config wlan apgroup opendns-profile command.

config wlan apgroup opendns-profile wlan-id site-name profile-name enable

Syntax Description

wlan-id         WLAN identifier.
site-name       Name of the AP group to configure.
profile-name    OpenDNS profile name used for tracking this profile.
enable          Enables OpenDNS identity.
disable         Disables OpenDNS identity.

Command Default

The OpenDNS profile for an AP group WLAN is not created.

Command Modes

(Controller Configuration) >

Command History

Release    Modification
8.4        This command was introduced.

Usage Guidelines

None

Examples

The following example shows how to configure an OpenDNS profile to an AP group WLAN:

(Cisco Controller) > config wlan apgroup opendns-profile wlan1 site1 user1

config wlan apgroup qinq

To configure 802.1Q-in-Q VLAN tagging of traffic for an AP group, use the config wlan apgroup qinq command.

config wlan apgroup qinq {tagging {client-traffic | dhcp-v4 | eap-sim-aka} apgroup_name {enable | disable} | service-vlan apgroup_name vlan_id}

Syntax Description

tagging           Configures 802.1Q-in-Q VLAN tagging of traffic.
client-traffic    Configures 802.1Q-in-Q tagging of client traffic for an AP group.
dhcp-v4           Configures 802.1Q-in-Q tagging of DHCPv4 traffic for an AP group.
eap-sim-aka       Configures 802.1Q-in-Q tagging of Extensible Authentication Protocol for Authentication and Key Agreement (EAP-AKA) and EAP for Global System for Mobile Communications Subscriber Identity Module (EAP-SIM) traffic for an AP group.
enable            Enables 802.1Q-in-Q tagging of traffic.
disable           Disables 802.1Q-in-Q tagging of traffic.
service-vlan      Configures service VLAN for an AP group.
apgroup_name      Name of the access point group.
vlan_id           VLAN identifier.

Command Default

By default, 802.1Q-in-Q tagging of client and DHCPv4 traffic for an AP group is disabled.

Command History

Release    Modification
8.0        This command was introduced.

Usage Guidelines

Note: You must enable 802.1Q-in-Q tagging of client traffic before you enable 802.1Q-in-Q tagging of DHCPv4 traffic.

When you enable 802.1Q-in-Q tagging of client traffic, the 802.1Q-in-Q tagging of EAP-AKA and EAP-SIM traffic is also enabled.

Examples

The following example shows how to enable 802.1Q-in-Q tagging of client traffic for an AP group:

(Cisco Controller) > config wlan apgroup qinq tagging client-traffic APg1 enable

The following example shows how to configure the service VLAN for an AP group:

(Cisco Controller) > config wlan apgroup qinq service-vlan APg1 10
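The ordering rule in the note above is easy to violate in a scripted change, so it is worth checking a command batch before it is pasted into the controller. The following Python linter is an added example, not a Cisco tool: it enforces the client-traffic-before-dhcp-v4 rule and goes beyond this command to the numeric ranges this reference states for wlan_id (1 to 512), channel-scan defer-priority (0 to 7) and defer-time (0 to 60000 ms). It assumes the batch starts from the documented default (tagging disabled); the function names and the sample batch are constructed.

```python
import re

# Prompt as it appears in this reference's examples; stripped before parsing.
PROMPT = re.compile(r"^\(Cisco Controller\)\s*>\s*")


def _num(tok, lo, hi):
    """True when tok is a decimal integer within [lo, hi]."""
    return tok.isdigit() and lo <= int(tok) <= hi


def lint(batch):
    """Return [(line_number, message), ...] for a list of CLI lines."""
    findings = []
    client_tagged = set()   # AP groups with client-traffic tagging enabled so far
    for lineno, raw in enumerate(batch, 1):
        tok = PROMPT.sub("", raw.strip()).split()
        if tok[:2] != ["config", "wlan"]:
            continue
        args = tok[2:]

        if args[:3] == ["apgroup", "qinq", "tagging"]:
            # tagging {client-traffic | dhcp-v4 | eap-sim-aka} apgroup_name {enable | disable}
            if len(args) != 6 or args[5] not in ("enable", "disable"):
                findings.append((lineno, "malformed qinq tagging command"))
                continue
            kind, group, on = args[3], args[4], args[5] == "enable"
            if kind == "client-traffic":
                if on:
                    client_tagged.add(group)
                else:
                    client_tagged.discard(group)
            elif kind == "dhcp-v4" and on and group not in client_tagged:
                findings.append((lineno, "dhcp-v4 tagging enabled on %s before "
                                         "client-traffic tagging" % group))

        elif args[:2] == ["channel-scan", "defer-priority"]:
            # defer-priority priority [enable | disable] wlan_id
            if len(args) < 4:
                findings.append((lineno, "malformed defer-priority command"))
                continue
            if not _num(args[2], 0, 7):
                findings.append((lineno, "priority outside 0 to 7"))
            if not _num(args[-1], 1, 512):
                findings.append((lineno, "wlan_id outside 1 to 512"))

        elif args[:2] == ["channel-scan", "defer-time"]:
            # defer-time msecs wlan_id
            if len(args) != 4:
                findings.append((lineno, "malformed defer-time command"))
                continue
            if not _num(args[2], 0, 60000):
                findings.append((lineno, "defer time outside 0 to 60000 ms"))
            if not _num(args[3], 1, 512):
                findings.append((lineno, "wlan_id outside 1 to 512"))

        elif (len(args) >= 2 and args[0] in ("enable", "disable", "create", "delete")
              and args[1].isdigit() and not _num(args[1], 1, 512)):
            findings.append((lineno, "wlan_id outside 1 to 512"))
    return findings


# Constructed sample batch: lines 1, 5 and 6 break a rule stated on this page.
SAMPLE = [
    "(Cisco Controller) > config wlan apgroup qinq tagging dhcp-v4 APg1 enable",
    "config wlan apgroup qinq tagging client-traffic APg1 enable",
    "config wlan apgroup qinq tagging dhcp-v4 APg1 enable",
    "config wlan channel-scan defer-priority 6 enable 30",
    "config wlan channel-scan defer-time 70000 50",
    "config wlan enable 513",
]

if __name__ == "__main__":
    for lineno, message in lint(SAMPLE):
        print("line %d: %s" % (lineno, message))
```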

config wlan assisted-roaming

To configure assisted roaming on a WLAN, use the config wlan assisted-roaming command.

config wlan assisted-roaming {neighbor-list | dual-list | prediction} {enable | disable} wlan_id

Syntax Description

neighbor-list    Configures an 802.11k neighbor list for a WLAN.
dual-list        Configures a dual band 802.11k neighbor list for a WLAN. The default is the band that the client is currently associated with.
prediction       Configures an assisted roaming optimization prediction for a WLAN.
enable           Enables the configuration on the WLAN.
disable          Disables the configuration on the WLAN.
wlan_id          Wireless LAN identifier between 1 and 512 (inclusive).

Command Default

The 802.11k neighbor list is enabled for all WLANs.

By default, dual band list is enabled if the neighbor list feature is enabled for the WLAN.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

When you enable the assisted roaming prediction list, a warning appears and load balancing is disabled for the WLAN, if load balancing is already enabled on the WLAN.

Examples

The following example shows how to enable an 802.11k neighbor list for a WLAN:

(Cisco Controller) > config wlan assisted-roaming neighbor-list enable 1

config wlan atf

To map a WLAN to a Cisco ATF policy, use the config wlan atf command.

config wlan atf wlan-id policy policy-id

Syntax Description

wlan-id      WLAN ID that you must specify to which the Cisco ATF policy has to be mapped.
policy       Specifies the Cisco ATF policy.
policy-id    Cisco ATF policy ID that you must specify.

Command History

Release    Modification
8.1        This command was introduced.

config wlan avc

To configure Application Visibility and Control (AVC) on a WLAN, use the config wlan avc command.

config wlan avc wlan_id {profile profile_name | visibility} {enable | disable}

Syntax Description

wlan_id         Wireless LAN identifier from 1 to 512.
profile         Associates or removes an AVC profile from a WLAN.
profile_name    Name of the AVC profile. The profile name can be up to 32 case-sensitive, alphanumeric characters.
visibility      Configures application visibility on a WLAN.
enable          Enables application visibility on a WLAN. You can view the classification of applications based on the Network Based Application Recognition (NBAR) deep packet inspection technology. Use the show avc statistics client command to view the client AVC statistics.
disable         Disables application visibility on a WLAN.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

You can configure only one AVC profile per WLAN and each AVC profile can have up to 32 rules. Each rule states a Mark or Drop action for an application, which allows you to configure up to 32 application actions per WLAN. You can configure up to 16 AVC profiles on a controller and associate an AVC profile with multiple WLANs.

Examples

The following example shows how to associate an AVC profile with a WLAN:

(Cisco Controller) > config wlan avc 5 profile profile1 enable

config wlan band-select allow

To configure band selection on a WLAN, use the config wlan band-select allow command.

config wlan band-select allow {enable | disable} wlan_id

Syntax Description

enable     Enables band selection on a WLAN.
disable    Disables band selection on a WLAN.
wlan_id    Wireless LAN identifier between 1 and 512.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

When you enable band select on a WLAN, the access point suppresses client probes on 2.4 GHz and moves the dual-band clients to the 5-GHz spectrum. The band-selection algorithm directs dual-band clients only from the 2.4-GHz radio to the 5-GHz radio of the same access point, and it only runs on an access point when both the 2.4-GHz and 5-GHz radios are up and running. Band selection can be used only with Cisco Aironet 1040, 1140, and 1250 Series and the 3500 series access points.

Examples

The following example shows how to enable band selection on a WLAN:

(Cisco Controller) > config wlan band-select allow enable 6

config wlan broadcast-ssid

To configure a Service Set Identifier (SSID) broadcast on a wireless LAN, use the config wlan broadcast-ssid command.

config wlan broadcast-ssid {enable | disable} wlan_id

Syntax Description

enable     Enables SSID broadcasts on a wireless LAN.
disable    Disables SSID broadcasts on a wireless LAN.
wlan_id    Wireless LAN identifier between 1 and 512.

Command Default

Broadcasting of SSID is disabled.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure an SSID broadcast on wireless LAN ID 1:

(Cisco Controller) > config wlan broadcast-ssid enable 1

config wlan call-snoop

To enable or disable Voice-over-IP (VoIP) snooping for a particular WLAN, use the config wlan call-snoop command.

config wlan call-snoop {enable | disable} wlan_id

Syntax Description

enable     Enables VoIP snooping on a wireless LAN.
disable    Disables VoIP snooping on a wireless LAN.
wlan_id    Wireless LAN identifier between 1 and 512.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

The WLAN should be configured with Platinum QoS, and it must be disabled while you run this command.

Examples

The following example shows how to enable VoIP snooping for WLAN 3:

(Cisco Controller) > config wlan call-snoop enable 3

config wlan chd

To enable or disable Coverage Hole Detection (CHD) for a wireless LAN, use the config wlan chd command.

config wlan chd wlan_id {enable | disable}

Syntax Description

wlan_id    Wireless LAN identifier between 1 and 512.
enable     Enables CHD on a wireless LAN.
disable    Disables CHD on a wireless LAN.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable CHD for WLAN 3:

(Cisco Controller) > config wlan chd 3 enable

config wlan ccx aironet-ie

To enable or disable Aironet information elements (IEs) for a WLAN, use the config wlan ccx aironet-ie command.

config wlan ccx aironet-ie {enable | disable}

Syntax Description

enable     Enables the Aironet information elements.
disable    Disables the Aironet information elements.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable Aironet information elements for a WLAN:

(Cisco Controller) > config wlan ccx aironet-ie enable

config wlan channel-scan defer-priority

To configure the controller to defer priority markings for packets that can defer off-channel scanning, use the config wlan channel-scan defer-priority command.

config wlan channel-scan defer-priority priority [enable | disable] wlan_id

Syntax Description

priority    User priority value (0 to 7).
enable      (Optional) Enables packets at the given priority to defer off-channel scanning.
disable     (Optional) Disables packets at the given priority from deferring off-channel scanning.
wlan_id     Wireless LAN identifier (1 to 512).

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

The priority value should be set to 6 on the client and on the WLAN.

Examples

The following example shows how to enable the controller to defer priority markings that can defer off-channel scanning with user priority value 6 and WLAN ID 30:

(Cisco Controller) > config wlan channel-scan defer-priority 6 enable 30


config wlan channel-scan defer-time

To assign the channel scan defer time in milliseconds, use the config wlan channel-scan defer-time command.

config wlan channel-scan defer-time msecs wlan_id

Syntax Description

msecs      Deferral time in milliseconds (0 to 60000 milliseconds).
wlan_id    Wireless LAN identifier from 1 to 512.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

The time value in milliseconds should match the requirements of the equipment on your WLAN.

Examples

The following example shows how to assign the scan defer time to 40 milliseconds for WLAN with ID 50:

(Cisco Controller) > config wlan channel-scan defer-time 40 50


config wlan custom-web

To configure the web authentication page for a WLAN, use the config wlan custom-web command.

config wlan custom-web {{ext-webauth-url ext-webauth-url wlan_id} | {global {enable | disable}} | {ms-open {enable | disable | url}} | {login-page page-name} | {loginfailure-page {page-name | none}} | {logout-page {page-name | none}} | {sleep-client {enable | disable} wlan_id timeout duration} | {webauth-type {internal | customized | external} wlan_id}}

Syntax Description

ext-webauth-url      Configures an external web authentication URL.
ext-webauth-url      External web authentication URL.
wlan_id              WLAN identifier. Default range is from 1 to 512.
global               Configures the global status for a WLAN.
enable               Enables the global status for a WLAN.
disable              Disables the global status for a WLAN.
ms-open              Configures the ms-open feature on the WLAN.
enable               Enables the ms-open feature on the WLAN.
disable              Disables the ms-open feature on the WLAN.
url                  Configures ms-open URL.
login-page           Configures the name of the login page for an external web authentication URL.
page-name            Login page name for an external web authentication URL.
loginfailure-page    Configures the name of the login failure page for an external web authentication URL.
none                 Does not configure a login failure page for an external web authentication URL.
logout-page          Configures the name of the logout page for an external web authentication URL.
sleep-client         Configures the sleep client feature on the WLAN.
timeout              Configures the sleep client timeout on the WLAN.
duration             Maximum amount of time after the idle timeout, in hours, before a sleeping client is forced to reauthenticate. The range is from 1 to 720. The default is 12. When the sleep client feature is enabled, the clients need not provide the login credentials when they move from one Cisco WLC to another (if the Cisco WLCs are in the same mobility group) between the sleep and wake-up times.
webauth-type         Configures the type of web authentication for the WLAN.
internal             Displays the default login page.
customized           Displays a customized login page.
external             Displays a login page on an external web server.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.
8.2        This command was modified and the ms-open parameters were added.

Examples

The following example shows how to configure web authentication type in the WLAN.

(Cisco Controller) > config wlan custom-web webauth-type external


config wlan dhcp_server

To configure the internal DHCP server for a wireless LAN, use the config wlan dhcp_server command.

config wlan dhcp_server {wlan_id | foreignAp} ip_address [required]

Syntax Description

wlan_id       Wireless LAN identifier between 1 and 512.
foreignAp     Specifies third-party access points.
ip_address    IP address of the internal DHCP server (this parameter is required).
required      (Optional) Specifies whether DHCP address assignment is required.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

The preferred method for configuring DHCP is to use the primary DHCP address assigned to a particular interface instead of the DHCP server override. If you enable the override, you can use the show wlan command to verify that the DHCP server has been assigned to the WLAN.

Examples

The following example shows how to configure an IP address 10.10.2.1 of the internal DHCP server for wireless LAN ID 16:

(Cisco Controller) > config wlan dhcp_server 16 10.10.2.1


config wlan diag-channel

To enable the diagnostic channel troubleshooting on a particular WLAN, use the config wlan diag-channel command.

config wlan diag-channel [enable | disable] wlan_id

Syntax Description

enable     (Optional) Enables the wireless LAN diagnostic channel.
disable    (Optional) Disables the wireless LAN diagnostic channel.
wlan_id    Wireless LAN identifier (1 to 512).

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable the wireless LAN diagnostic channel for WLAN ID 1:

(Cisco Controller) > config wlan diag-channel enable 1


config wlan dtim

To configure a Delivery Traffic Indicator Message (DTIM) for an 802.11 radio network, use the config wlan dtim command.

config wlan dtim {802.11a | 802.11b} dtim wlan_id

Syntax Description

802.11a    Configures DTIM for the 802.11a radio network.
802.11b    Configures DTIM for the 802.11b radio network.
dtim       Value for DTIM (from 1 to 255, inclusive).
wlan_id    Number of the WLAN to be configured.

Command Default

The default is DTIM 1.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure DTIM for the 802.11a radio network with DTIM value 128 and WLAN ID 1:

(Cisco Controller) > config wlan dtim 802.11a 128 1


config wlan exclusionlist

To configure the wireless LAN exclusion list, use the config wlan exclusionlist command.

config wlan exclusionlist {wlan_id [enabled | disabled | time] | foreignAp [enabled | disabled | time]}

Syntax Description

wlan_id      Wireless LAN identifier (1 to 512).
enabled      (Optional) Enables the exclusion list for the specified wireless LAN or foreign access point.
disabled     (Optional) Disables the exclusion list for the specified wireless LAN or a foreign access point.
time         (Optional) Exclusion list timeout in seconds. A value of zero (0) specifies infinite time.
foreignAp    Specifies a third-party access point.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

This command replaces the config wlan blacklist command.

Examples

The following example shows how to enable the exclusion list for WLAN ID 1:

(Cisco Controller) > config wlan exclusionlist 1 enabled


config wlan fabric

To enable or disable fabric on a WLAN, use the config wlan fabric command.

config wlan fabric {enable | disable} wlan-id

Syntax Description

enable     Enables fabric on a WLAN.
disable    Disables fabric on a WLAN.
wlan-id    WLAN identifier.

Command Default

Command Modes

Command History

Release    Modification
8.5        This command was introduced.

Usage Guidelines

Non-fabric APs are not configured with fabric WLAN.

Examples

The following example shows how to enable fabric on a WLAN:

config wlan fabric enable wlan1


config wlan flexconnect ap-auth

To configure local authentication of clients associated with FlexConnect on a locally switched WLAN, use the config wlan flexconnect ap-auth command.

config wlan flexconnect ap-auth wlan_id {enable | disable}

Syntax Description

ap-auth    Configures local authentication of clients associated with a FlexConnect on a locally switched WLAN.
wlan_id    Wireless LAN identifier between 1 and 512.
enable     Enables AP authentication on a WLAN.
disable    Disables AP authentication on a WLAN.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

Local switching must be enabled on the WLAN where you want to configure local authentication of clients associated with FlexConnect.

Examples

The following example shows how to enable authentication of clients associated with FlexConnect on a specified WLAN:

(Cisco Controller) > config wlan flexconnect ap-auth 6 enable


config wlan flexconnect central-assoc

To configure client reassociation and security key caching on the Cisco WLC, use the config wlan flexconnect central-assoc command.

config wlan flexconnect central-assoc wlan-id {enable | disable}

Syntax Description

wlan-id    ID of the WLAN.
enable     Enables client reassociation and security key caching on the Cisco WLC.
disable    Disables client reassociation and security key caching on the Cisco WLC.

Command Default

Client reassociation and security key caching on the Cisco WLC is in disabled state.

Command History

Release    Modification
8.0        This command was introduced.

Usage Guidelines

A use case for this configuration is a large-scale deployment with fast roaming.

Configuration of central association with local authentication is not supported for the WLAN. After the PMIPv6 tunnel is set up, all data traffic from the PMIPv6 clients is forwarded from the Cisco AP to the local mobility anchor (LMA) in the Generic Routing Encapsulation (GRE) tunnel. If the connectivity between the Cisco AP and the Cisco WLC is lost, the data traffic for the existing PMIPv6 clients continues to flow until the connectivity between the Cisco AP and the client is lost. When the AP is in stand-alone mode, no new client associations are accepted on the PMIPv6 enabled WLAN.

Examples

The following example shows how to enable client reassociation and security key caching on the Cisco WLC for a WLAN whose ID is 2:

(Cisco Controller) > config wlan flexconnect central-assoc 2 enable


config wlan flexconnect learn-ipaddr

To enable or disable client IP address learning for the Cisco WLAN controller, use the config wlan flexconnect learn-ipaddr command.

config wlan flexconnect learn-ipaddr wlan_id {enable | disable}

Syntax Description

wlan_id    Wireless LAN identifier between 1 and 512.
enable     Enables client IPv4 address learning on a wireless LAN.
disable    Disables client IPv4 address learning on a wireless LAN.

Command Default

Disabled when the config wlan flexconnect local-switching command is disabled. Enabled when the config wlan flexconnect local-switching command is enabled.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.
8.0        This command supports only IPv4 address format.

Usage Guidelines

If the client is configured with Layer 2 encryption, the controller cannot learn the client IP address, and the controller will periodically drop the client. Disable this option to keep the client connection without waiting to learn the client IP address.

Note: This command is valid only for IPv4.

Note: The ability to disable IP address learning is not supported with FlexConnect central switching.

Examples

The following example shows how to disable client IP address learning for WLAN 6:

(Cisco Controller) > config wlan flexconnect learn-ipaddr disable 6

Related Commands

show wlan


config wlan flexconnect local-switching

To configure local switching, central DHCP, NAT-PAT, or the override DNS option on a FlexConnect WLAN, use the config wlan flexconnect local-switching command.

config wlan flexconnect local-switching wlan_id {enable | disable} {{central-dhcp {enable | disable} nat-pat {enable | disable}} | {override option dns {enable | disable}}}

Syntax Description

wlan_id         Wireless LAN identifier from 1 to 512.
enable          Enables local switching on a FlexConnect WLAN.
disable         Disables local switching on a FlexConnect WLAN.
central-dhcp    Configures central switching of DHCP packets on the local switching FlexConnect WLAN. When you enable this feature, the DHCP packets received from the AP are centrally switched to the controller and forwarded to the corresponding VLAN based on the AP and the SSID.
enable          Enables central DHCP on a FlexConnect WLAN.
disable         Disables central DHCP on a FlexConnect WLAN.
nat-pat         Configures Network Address Translation (NAT) and Port Address Translation (PAT) on the local switching FlexConnect WLAN.
enable          Enables NAT-PAT on the FlexConnect WLAN.
disable         Disables NAT-PAT on the FlexConnect WLAN.
override        Specifies the DHCP override options on the FlexConnect WLAN.
option dns      Specifies the override DNS option on the FlexConnect WLAN. When you override this option, the clients get their DNS server IP address from the AP, not from the controller.
enable          Enables the override DNS option on the FlexConnect WLAN.
disable         Disables the override DNS option on the FlexConnect WLAN.

Command Default

This feature is disabled.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.
8.0        This command supports only IPv4 address format.

Usage Guidelines

When you enable the config wlan flexconnect local-switching command, the config wlan flexconnect learn-ipaddr command is enabled by default.

Note: This command is valid only for IPv4.

Note: The ability to disable IP address learning is not supported with FlexConnect central switching.

Examples

The following example shows how to enable WLAN 6 for local switching and enable central DHCP and NAT-PAT:

(Cisco Controller) > config wlan flexconnect local-switching 6 enable central-dhcp enable nat-pat enable

The following example shows how to enable the override DNS option on WLAN 6:

(Cisco Controller) > config wlan flexconnect local-switching 6 override option dns enable


config wlan flexconnect vlan-central-switching

To configure central switching on a locally switched WLAN, use the config wlan flexconnect vlan-central-switching command.

config wlan flexconnect vlan-central-switching wlan_id {enable | disable}

Syntax Description

wlan_id    Wireless LAN identifier between 1 and 512.
enable     Enables central switching on a locally switched wireless LAN.
disable    Disables central switching on a locally switched wireless LAN.

Command Default

Central switching is disabled.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

You must enable FlexConnect local switching to enable VLAN central switching. When you enable WLAN central switching, the access point bridges the traffic locally if the WLAN is configured on the local IEEE 802.1Q link. If the VLAN is not configured on the access point, the AP tunnels the traffic back to the controller and the controller bridges the traffic to the corresponding VLAN.

WLAN central switching does not support:

• FlexConnect local authentication.

• Layer 3 roaming of local switching client.

Examples

The following example shows how to enable WLAN 6 for central switching:

(Cisco Controller) > config wlan flexconnect vlan-central-switching 6 enable


config wlan flow

To associate a NetFlow monitor with a WLAN, use the config wlan flow command.

config wlan flow wlan_id monitor monitor_name {enable | disable}

Syntax Description

wlan_id         Wireless LAN identifier from 1 to 512 (inclusive).
monitor         Configures a NetFlow monitor.
monitor_name    Name of the NetFlow monitor. The monitor name can be up to 32 case-sensitive, alphanumeric characters. You cannot include spaces for a monitor name.
enable          Associates a NetFlow monitor with a WLAN.
disable         Dissociates a NetFlow monitor from a WLAN.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

You can use the config flow command to create a new NetFlow monitor.

Examples

The following example shows how to associate a NetFlow monitor with a WLAN:

(Cisco Controller) > config wlan flow 5 monitor monitor1 enable


config wlan hotspot

To configure a HotSpot on a WLAN, use the config wlan hotspot command.

config wlan hotspot {clear-all wlan_id | dot11u | hs2 | msap}

Syntax Description

clear-all    Clears the HotSpot configurations on a WLAN.
wlan_id      Wireless LAN identifier from 1 to 512.
dot11u       Configures an 802.11u HotSpot on a WLAN.
hs2          Configures HotSpot2 on a WLAN.
msap         Configures the Mobility Services Advertisement Protocol (MSAP) on a WLAN.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

You can configure up to 32 HotSpot WLANs.

Examples

The following example shows how to configure HotSpot2 for a WLAN:

(Cisco Controller) > config wlan hotspot hs2 enable 2


config wlan hotspot dot11u

To configure an 802.11u HotSpot on a WLAN, use the config wlan hotspot dot11u command.

config wlan hotspot dot11u {3gpp-info | auth-type | enable | disable | domain | hessid | ipaddr-type | nai-realm | network-type | roam-oi}

Syntax Description

3gpp-info       Configures 3GPP cellular network information.
auth-type       Configures the network authentication type.
disable         Disables 802.11u on the HotSpot profile.
domain          Configures a domain.
enable          Enables 802.11u on the HotSpot profile. IEEE 802.11u enables automatic WLAN offload for 802.1X devices at the HotSpot of mobile or roaming partners.
hessid          Configures the Homogenous Extended Service Set Identifier (HESSID). The HESSID is a 6-octet MAC address that uniquely identifies the network.
ipaddr-type     Configures the IPv4 address availability type.
nai-realm       Configures a realm for 802.11u enabled WLANs.
network-type    Configures the 802.11u network type and Internet access.
roam-oi         Configures the roaming consortium Organizational Identifier (OI) list.

Command Default

None.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.
8.0        This command supports only IPv4 address format.

Examples

The following example shows how to enable 802.11u on a HotSpot profile:

(Cisco Controller) > config wlan hotspot dot11u enable 6


config wlan hotspot dot11u 3gpp-info

To configure 3GPP cellular network information on an 802.11u HotSpot WLAN, use the config wlan hotspot dot11u 3gpp-info command.

config wlan hotspot dot11u 3gpp-info {add | delete} index country_code network_code wlan_id

Syntax Description

add             Adds mobile cellular network information.
delete          Deletes mobile cellular network information.
index           Cellular index. The range is from 1 to 32.
country_code    Mobile Country Code (MCC) in Binary Coded Decimal (BCD) format. The country code can be up to 3 characters. For example, the MCC for USA is 310.
network_code    Mobile Network Code (MNC) in BCD format. An MNC is used in combination with a Mobile Country Code (MCC) to uniquely identify a mobile phone operator or carrier. The network code can be up to 3 characters. For example, the MNC for T-Mobile is 026.
wlan_id         Wireless LAN identifier between 1 and 512.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

The number of mobile network codes supported is 32 per WLAN.

Examples

The following example shows how to configure 3GPP cellular network information on a WLAN:

(Cisco Controller) > config wlan hotspot dot11u 3gpp-info add


config wlan hotspot dot11u auth-type

To configure the network authentication type on an 802.11u HotSpot WLAN, use the config wlan hotspot dot11u auth-type command.

config wlan hotspot dot11u auth-type network-auth wlan_id

Syntax Description

network-auth    Network authentication that you would like to configure on the WLAN. The available values are as follows:
                • 0—Acceptance of terms and conditions
                • 1—On-line enrollment
                • 2—HTTP/HTTPS redirection
                • 3—DNS Redirection
                • 4—Not Applicable
wlan_id         Wireless LAN identifier between 1 and 512.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

The DNS redirection option is not supported in Release 7.3.

Examples

The following example shows how to configure HTTP/HTTPS redirection as the network authentication type on an 802.11u HotSpot WLAN:

(Cisco Controller) > config wlan hotspot dot11u auth-type 2 1


config wlan hotspot dot11u disable

To disable an 802.11u HotSpot on a WLAN, use the config wlan hotspot dot11u disable command.

config wlan hotspot dot11u disable wlan_id

Syntax Description

wlan_id    Wireless LAN identifier between 1 and 512.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to disable an 802.11u HotSpot on a WLAN:

(Cisco Controller) > config wlan hotspot dot11u disable 6


config wlan hotspot dot11u domain

To configure a domain operating in the 802.11 access network, use the config wlan hotspot dot11u domain command.

config wlan hotspot dot11u domain {add wlan_id domain-index domain_name | delete wlan_id domain-index | modify wlan_id domain-index domain_name}

Syntax Description

add             Adds a domain.
wlan_id         Wireless LAN identifier between 1 and 512.
domain-index    Domain index in the range 1 to 32.
domain_name     Domain name. The domain name is case sensitive and can be up to 255 alphanumeric characters.
delete          Deletes a domain.
modify          Modifies a domain.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to add a domain in the 802.11 access network:

(Cisco Controller) > config wlan hotspot dot11u domain add 6 30 domain1


config wlan hotspot dot11u enable

To enable an 802.11u HotSpot on a WLAN, use the config wlan hotspot dot11u enable command.

config wlan hotspot dot11u enable wlan_id

Syntax Description

wlan_id    Wireless LAN identifier between 1 and 512.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable an 802.11u HotSpot on a WLAN:

(Cisco Controller) > config wlan hotspot dot11u enable 6


config wlan hotspot dot11u hessid

To configure a Homogenous Extended Service Set Identifier (HESSID) on an 802.11u HotSpot WLAN, use the config wlan hotspot dot11u hessid command.

config wlan hotspot dot11u hessid hessid wlan_id

Syntax Description

hessid     MAC address that can be configured as an HESSID. The HESSID is a 6-octet MAC address that uniquely identifies the network. For example, Basic Service Set Identification (BSSID) of the WLAN can be used as the HESSID.
wlan_id    Wireless LAN identifier between 1 and 512.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure an HESSID on an 802.11u HotSpot WLAN:

(Cisco Controller) > config wlan hotspot dot11u hessid 00:21:1b:ea:36:60 6


config wlan hotspot dot11u ipaddr-type

To configure the type of IP address available on an 802.11u HotSpot WLAN, use the config wlan hotspot dot11u ipaddr-type command.

config wlan hotspot dot11u ipaddr-type IPv4Type {0 - 7} IPv6Type {0 - 2} wlan_id

Syntax Description

IPv4Type    IPv4 type address. Enter one of the following values:
            0—IPv4 address not available.
            1—Public IPv4 address available.
            2—Port restricted IPv4 address available.
            3—Single NAT enabled private IPv4 address available.
            4—Double NAT enabled private IPv4 address available.
            5—Port restricted IPv4 address and single NAT enabled IPv4 address available.
            6—Port restricted IPv4 address and double NAT enabled IPv4 address available.
            7—Availability of the IPv4 address is not known.
IPv6Type    IPv6 type address. Enter one of the following values:
            0—IPv6 address not available.
            1—IPv6 address available.
            2—Availability of the IPv6 address is not known.
wlan_id     Wireless LAN identifier between 1 and 512.

Command Default

The default value for the IPv4 type address is 1.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.
8.0        This command supports only IPv4 address format.

Examples

The following example shows how to configure the IP address availability type on an 802.11u HotSpot WLAN:

(Cisco Controller) > config wlan hotspot dot11u ipaddr-type 6 2 6

Related Commands

show wlan


config wlan hotspot dot11u nai-realm

To configure realms for 802.11u HotSpot WLANs, use the config wlan hotspot dot11u nai-realm command.

config wlan hotspot dot11u nai-realm {add | delete | modify} {auth-method wlan_id realm-index eap-index auth-index auth-method auth-parameter | eap-method wlan_id realm-index eap-index eap-method | realm-name wlan_id realm-index realm}

Syntax Description

add               Adds a realm.
delete            Deletes a realm.
modify            Modifies a realm.
auth-method       Specifies the authentication method used.
wlan_id           Wireless LAN identifier from 1 to 512.
realm-index       Realm index. The range is from 1 to 32.
eap-index         EAP index. The range is from 1 to 4.
auth-index        Authentication index value. The range is from 1 to 10.
auth-method       Authentication method to be used. The range is from 1 to 4. The following options are available:
                  • 1—Non-EAP Inner Auth Method
                  • 2—Inner Auth Type
                  • 3—Credential Type
                  • 4—Tunneled EAP Method Credential Type
auth-parameter    Authentication parameter to use. This value depends on the authentication method used. See the following table for more details.
eap-method        Specifies the Extensible Authentication Protocol (EAP) method used.
eap-method        EAP Method. The range is from 0 to 7. The following options are available:
                  • 0—Not Applicable
                  • 1—Lightweight Extensible Authentication Protocol (LEAP)
                  • 2—Protected EAP (PEAP)
                  • 3—EAP-Transport Layer Security (EAP-TLS)
                  • 4—EAP-FAST (Flexible Authentication via Secure Tunneling)
                  • 5—EAP for GSM Subscriber Identity Module (EAP-SIM)
                  • 6—EAP-Tunneled Transport Layer Security (EAP-TTLS)
                  • 7—EAP for UMTS Authentication and Key Agreement (EAP-AKA)
realm-name        Specifies the name of the realm.
realm             Name of the realm. The realm name should be RFC 4282 compliant. For example, Cisco. The realm name is case-sensitive and can be up to 255 alphanumeric characters.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

This table lists the authentication parameters.

Table 11: Authentication Parameters

Non-EAP Inner Method (1)
    0—Reserved
    1—Password authentication protocol (PAP)
    2—Challenge-Handshake Authentication Protocol (CHAP)
    3—Microsoft Challenge Handshake Authentication Protocol (MS-CHAP)
    4—MSCHAPV2

Inner Authentication EAP Method Type (2)
    1—LEAP
    2—PEAP
    3—EAP-TLS
    4—EAP-FAST
    5—EAP-SIM
    6—EAP-TTLS
    7—EAP-AKA

Credential Type (3) / Tunneled EAP Credential Type (4)
    1—SIM
    2—USIM
    3—NFC Secure Element
    4—Hardware Token
    5—Soft Token
    6—Certificate
    7—Username/Password
    8—Reserved
    9—Anonymous
    10—Vendor Specific

Examples

The following example shows how to add the Tunneled EAP Method Credential authentication method on WLAN 4:

(Cisco Controller) > config wlan hotspot dot11u nai-realm add auth-method 4 10 3 5 4 6


config wlan hotspot dot11u network-type

To configure the network type and internet availability on an 802.11u HotSpot WLAN, use the config wlan hotspot dot11u network-type command.

config wlan hotspot dot11u network-type wlan_id network-type internet-access

Syntax Description

wlan_id            Wireless LAN identifier from 1 to 512.
network-type       Network type. The available options are as follows:
                   • 0—Private Network
                   • 1—Private Network with Guest Access
                   • 2—Chargeable Public Network
                   • 3—Free Public Network
                   • 4—Personal Device Network
                   • 5—Emergency Services Only Network
                   • 14—Test or Experimental
                   • 15—Wildcard
internet-access    Internet availability status. A value of zero indicates no Internet availability and 1 indicates Internet availability.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the network type and Internet availability on an 802.11u HotSpot WLAN:

(Cisco Controller) > config wlan hotspot dot11u network-type 2 1


config wlan hotspot dot11u roam-oi

To configure a roaming consortium Organizational Identifier (OI) list on an 802.11u HotSpot WLAN, use the config wlan hotspot dot11u roam-oi command.

config wlan hotspot dot11u roam-oi {add wlan_id oi-index oi is-beacon | modify wlan_id oi-index oi is-beacon | delete wlan_id oi-index}

Syntax Description

add          Adds an OI.
wlan_id      Wireless LAN identifier from 1 to 512.
oi-index     Index in the range 1 to 32.
oi           Number that must be a valid 6 digit hexadecimal number and 6 bytes in length. For example, 004096 or AABBDF.
is-beacon    Beacon flag used to add an OI to the beacon. 0 indicates disable and 1 indicates enable. You can add a maximum of 3 OIs for a WLAN with this flag set.
modify       Modifies an OI.
delete       Deletes an OI.

Command Default

None.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the roaming consortium OI list:

(Cisco Controller) > config wlan hotspot dot11u roam-oi add 4 10 004096 1


config wlan hotspot hs2

To configure the HotSpot2 parameters, use the config wlan hotspot hs2 command.

config wlan hotspot hs2 {disable wlan_id | enable wlan_id | operator-name {add wlan_id index operator_name language-code | delete wlan_id index | modify wlan_id index operator-name language-code} | port-config {add wlan_id port_config_index ip-protocol port-number status | delete wlan_id port-config-index | modify wlan_id port-config-index ip-protocol port-number status} | wan-metrics wlan_id link-status symet-link downlink-speed uplink-speed }

Syntax Description

disable: Disables HotSpot2.

wlan-id: Wireless LAN identifier from 1 to 512.

enable: Enables HotSpot2.

operator-name: Specifies the name of the 802.11 operator.

add: Adds the operator name, port configuration, or WAN metrics parameters to the WLAN configuration.

index: Index of the operator. The range is from 1 to 32.

operator-name: Name of the operator.

language-code: Language used. An ISO-14962-1997 encoded string that defines the language. This string is a three character language code. Enter the first three letters of the language in English. For example, eng for English.

delete: Deletes the operator name, port configuration, or WAN metrics parameters from the WLAN.

modify: Modifies the operator name, port configuration, or WAN metrics parameters of the WLAN.

port-config: Configures the port configuration values.

port_config_index: Port configuration index. The range is from 1 to 32. The default value is 1.

ip-protocol: Protocol to use. This parameter provides information on the connection status of the most commonly used communication protocols and ports. The following options are available:

• 1—ICMP
• 6—FTP/SSH/TLS/PPTP-VPN/VoIP
• 17—IKEv2 (IPSec-VPN/VoIP/ESP)
• 50—ESP (IPSec-VPN)

port-number: Port number. The following options are available:

• 0—ICMP/ESP (IPSec-VPN)
• 20—FTP
• 22—SSH
• 443—TLS-VPN
• 500—IKEv2
• 1723—PPTP-VPN
• 4500—IKEv2
• 5060—VoIP

status: Status of the IP port. The following options are available:

• 0—Closed
• 1—Open
• 2—Unknown

wan-metrics: Configures the WAN metrics.

link-status: Link status. The following options are available:

• 0—Unknown
• 1—Link up
• 2—Link down
• 3—Link in test state

symet-link: Symmetric link status. The following options are available:

• 0—Link speed is different for uplink and downlink. For example: ADSL
• 1—Link speed is the same for uplink and downlink. For example: DS1

downlink-speed: Downlink speed of the WAN backhaul link in kbps. Maximum value is 4,194,304 kbps.

uplink-speed: Uplink speed of the WAN backhaul link in kbps. The maximum value is 4,194,304 kbps.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the WAN metrics parameters:

(Cisco Controller) > config wlan hotspot hs2 wan-metrics add 345 1 0 3333


config wlan hotspot hs2 domain-id

To configure a domain ID, use the config wlan hotspot hs2 domain-id command in WLAN configuration mode.

config wlan hotspot hs2 domain-id wlan-id domain-id

Syntax Description

wlan-id: WLAN identification number. Enter a value between 1 and 512.

domain-id: Domain ID. Enter a value between 0 and 65535.

Command Default

The domain ID is not configured.

Command Modes

WLAN configuration

Command History

Release        Modification
Release 8.2    This command was introduced.

Examples

This example shows how to configure a domain ID:

Cisco Controller > config wlan hotspot hs2 domain-id 12 2


config wlan hotspot hs2 osu legacy-ssid

To configure Online Sign Up (OSU) Service Set Identifier (SSID) name, use the config wlan hotspot hs2 osu legacy-ssid command in WLAN configuration mode.

config wlan hotspot hs2 osu legacy-ssid wlan-id ssid-name

Syntax Description

wlan-id: WLAN identification number. Enter a value between 1 and 512.

ssid-name: SSID name.

Command Default

OSU SSID name is not configured.

Command Modes

WLAN configuration

Command History

Release        Modification
Release 8.2    This command was introduced.

Examples

This example shows how to configure an OSU SSID name:

Cisco Controller > config wlan hotspot hs2 osu legacy-ssid 12 cisco


config wlan hotspot hs2 osu sp create

To create the Online Sign Up (OSU) service provider name, use the config wlan hotspot hs2 osu sp create command in WLAN configuration mode.

config wlan hotspot hs2 osu sp create wlan-id osu-index lang-code ascii/hex friendly-name [description]

Syntax Description

wlan-id: WLAN identification number. Enter a value between 1 and 512.

osu-index: OSU index. Enter a value between 1 and 16.

lang-code: Language code. Enter 2 or 3 letters from ISO-639, for example, eng for English.

ascii/hex: Specifies the text format, whether ASCII or Hex.

friendly-name: Service provider name. The maximum limit is 252 characters.

description: (Optional) Server description. The maximum limit is 252 characters.

Command Default

The OSU service provider name is not configured.

Command Modes

WLAN configuration

Command History

Release        Modification
Release 8.2    This command was introduced.

Examples

This example shows how to configure an OSU service provider name:

Cisco Controller > config wlan hotspot hs2 osu sp create 12 2 eng ascii cisco server-1


config wlan hotspot hs2 osu sp delete

To delete the Online Sign Up (OSU) service provider, use the config wlan hotspot hs2 osu sp delete command.

config wlan hotspot hs2 osu sp delete wlan-id osu-index lang-code

Syntax Description

wlan-id: WLAN identification number. Enter a value between 1 and 512.

osu-index: OSU index. Enter a value between 1 and 16.

lang-code: Language code. Enter 2 or 3 letters from ISO-639, for example, eng for English.

Command Default

The OSU service provider is configured.

Command Modes

WLAN configuration

Command History

Release        Modification
Release 8.2    This command was introduced.

Examples

This example shows how to delete an OSU service provider:

Cisco Controller > config wlan hotspot hs2 osu sp delete 12 2 eng


config wlan hotspot hs2 osu sp icon-file add

To configure an Online Sign Up (OSU) icon file on a particular WLAN, use the config wlan hotspot hs2 osu sp icon-file add command in WLAN configuration mode.

config wlan hotspot hs2 osu sp icon-file add wlan-id osu-index icon-filename

Syntax Description

wlan-id: WLAN identification number. Enter a value between 1 and 512.

osu-index: OSU index. Enter a value between 1 and 16.

icon-filename: Filename of the icon.

Command Default

The OSU icon file is not configured.

Command Modes

WLAN configuration

Command History

Release        Modification
Release 8.2    This command was introduced.

Usage Guidelines

Before using this command, configure icon parameters using the config icon file-info command.

Examples

This example shows how to configure an OSU icon file on a WLAN:

Cisco Controller > config wlan hotspot hs2 osu sp icon-file add 12 2 test-icon


config wlan hotspot hs2 osu sp icon-file delete

To delete an Online Sign Up (OSU) icon file from a WLAN, use the config wlan hotspot hs2 osu sp icon-file delete command in WLAN configuration mode.

config wlan hotspot hs2 osu sp icon-file delete wlan-id osu-index icon-filename

Syntax Description

wlan-id: WLAN identification number. Enter a value between 1 and 512.

osu-index: OSU index. Enter a value between 1 and 16.

icon-filename: Filename of the icon.

Command Default

The OSU icon file is configured.

Command Modes

WLAN configuration

Command History

Release        Modification
Release 8.2    This command was introduced.

Examples

This example shows how to delete an OSU icon file from a WLAN:

Cisco Controller > config wlan hotspot hs2 osu sp icon-file delete 12 2 test-icon


config wlan hotspot hs2 osu sp method add

To configure an Online Sign Up (OSU) method list, use the config wlan hotspot hs2 osu sp method add command in WLAN configuration mode.

config wlan hotspot hs2 osu sp method add wlan-id osu-index method-primary method-secondary

Syntax Description

wlan-id: WLAN identification number. Enter a value between 1 and 512.

osu-index: OSU index. Enter a value between 1 and 16.

method-primary: Primary OSU encoding method. Valid values are: oma-dm or soap-xml.

method-secondary: (Optional) Secondary OSU encoding method. Valid values are: oma-dm or soap-xml.

Command Default

The OSU method list is not configured.

Command Modes

WLAN configuration

Command History

Release        Modification
Release 8.2    This command was introduced.

Examples

This example shows how to configure an OSU method list:

Cisco Controller > config wlan hotspot hs2 osu sp method add 12 2 oma-dm oma-dm


config wlan hotspot hs2 osu sp method delete

To delete an Online Sign Up (OSU) method list, use the config wlan hotspot hs2 osu sp method delete command in WLAN configuration mode.

config wlan hotspot hs2 osu sp method delete wlan-id osu-index method

Syntax Description

wlan-id: WLAN identification number. Enter a value between 1 and 512.

osu-index: OSU index. Enter a value between 1 and 16.

method: The OSU encoding method. Valid values are oma-dm or soap-xml.

Command Default

The OSU method list is configured.

Command Modes

WLAN configuration

Command History

Release        Modification
Release 8.2    This command was introduced.

Examples

This example shows how to delete an OSU method list:

Cisco Controller > config wlan hotspot hs2 osu sp method delete 12 2 oma-dm


config wlan hotspot hs2 osu sp nai add

To create an Online Sign Up (OSU) Network Access Identifier (NAI), use the config wlan hotspot hs2 osu sp nai add command in WLAN configuration mode.

config wlan hotspot hs2 osu sp nai add wlan-id osu-index nai

Syntax Description

wlan-id: WLAN identification number. Enter a value between 1 and 512.

osu-index: OSU index. Enter a value between 1 and 16.

nai: OSU Server NAI. Enter a name within a maximum limit of 255 characters.

Command Default

The OSU NAI is not configured.

Command Modes

WLAN configuration

Command History

Release        Modification
Release 8.2    This command was introduced.

Examples

This example shows how to configure an OSU NAI:

Cisco Controller > config wlan hotspot hs2 osu sp nai add 12 2 nai-1


config wlan hotspot hs2 osu sp nai delete

To delete an Online Sign Up (OSU) Network Access Identifier (NAI), use the config wlan hotspot hs2 osu sp nai delete command in WLAN configuration mode.

config wlan hotspot hs2 osu sp nai delete wlan-id osu-index

Syntax Description

wlan-id: WLAN identification number. Enter a value between 1 and 512.

osu-index: OSU index. Enter a value between 1 and 16.

Command Default

The OSU NAI is configured.

Command Modes

WLAN configuration

Command History

Release        Modification
Release 8.2    This command was introduced.

Examples

This example shows how to delete an OSU NAI:

Cisco Controller > config wlan hotspot hs2 osu sp nai delete 12 2


config wlan hotspot hs2 osu sp uri add

To create an Online Sign Up (OSU) URI, use the config wlan hotspot hs2 osu sp uri add command in WLAN configuration mode.

config wlan hotspot hs2 osu sp uri add wlan-id osu-index uri

Syntax Description

wlan-id: WLAN identification number. Enter a value between 1 and 512.

osu-index: OSU index. Enter a value between 1 and 16.

uri: OSU server name. Enter a Uniform Resource Identifier (URI) with a maximum of 255 characters.

Command Default

The OSU URI is not configured.

Command Modes

WLAN configuration

Command History

Release        Modification
Release 8.2    This command was introduced.

Examples

This example shows how to create an OSU URI:

Cisco Controller > config wlan hotspot hs2 osu sp uri add 12 2 server


config wlan hotspot hs2 osu sp uri delete

To delete an Online Sign Up (OSU) URI, use the config wlan hotspot hs2 osu sp uri delete command.

config wlan hotspot hs2 osu sp uri delete wlan-id osu-index

Syntax Description

wlan-id: WLAN identification number. Enter a value between 1 and 512.

osu-index: OSU index. Enter a value between 1 and 16.

Command Default

The OSU URI is configured.

Command Modes

WLAN configuration

Command History

Release        Modification
Release 8.2    This command was introduced.

Examples

This example shows how to delete an OSU URI:

Cisco Controller > config wlan hotspot hs2 osu sp uri delete 12 2


config wlan hotspot hs2 wan-metrics downlink

To configure the downlink WAN metrics, use the config wlan hotspot hs2 wan-metrics downlink command in WLAN configuration mode.

config wlan hotspot hs2 wan-metrics downlink wlan-id dlink-speed dlink-load

Syntax Description

wlan-id: WLAN identification number. Enter a value between 1 and 512.

dlink-speed: WAN backhaul link speed, in Kbps. The range is from 0 to 4,294,967,295.

dlink-load: WAN backhaul link load. The range is from 0 to 100.

Command Default

The downlink WAN metrics are not configured.

Command Modes

WLAN configuration

Command History

Release        Modification
Release 8.2    This command was introduced.

Examples

This example shows how to configure downlink WAN metrics:

Cisco Controller > config wlan hotspot hs2 wan-metrics downlink 12 2468 10


config wlan hotspot hs2 wan-metrics link-status

To configure the link status of WAN metrics, use the config wlan hotspot hs2 wan-metrics link-status command in WLAN configuration mode.

config wlan hotspot hs2 wan-metrics link-status wlan-id link-status

Syntax Description

wlan-id: WLAN identification number. Enter a value between 1 and 512.

link-status: Link status. Valid values are:

• 0—Unknown
• 1—Up
• 2—Down
• 3—Test

Command Default

The link status is not configured.

Command Modes

WLAN configuration

Command History

Release        Modification
Release 8.2    This command was introduced.

Examples

This example shows how to configure the link status of WAN metrics:

Cisco Controller > config wlan hotspot hs2 wan-metrics link-status 12 1


config wlan hotspot hs2 wan-metrics lmd

To configure the load measurement duration of WAN metrics, use the config wlan hotspot hs2 wan-metrics lmd command in WLAN configuration mode.

config wlan hotspot hs2 wan-metrics lmd wlan-id lmd-value

Syntax Description

wlan-id: WLAN identification number. Enter a value between 1 and 512.

lmd-value: Load measurement duration of WAN. The range is from 0 to 65535.

Command Default

Load measurement duration of WAN is not configured.

Command Modes

WLAN configuration

Command History

Release        Modification
Release 8.2    This command was introduced.

Examples

This example shows how to configure load measurement duration of WAN metrics:

Cisco Controller > config wlan hotspot hs2 wan-metrics lmd 1 2456


config wlan hotspot hs2 wan-metrics uplink

To configure the uplink WAN metrics, use the config wlan hotspot hs2 wan-metrics uplink command in WLAN configuration mode.

config wlan hotspot hs2 wan-metrics uplink wlan-id ulink-speed ulink-load

Syntax Description

wlan-id: WLAN identification number. Enter a value between 1 and 512.

ulink-speed: WAN backhaul link speed, in Kbps. The range is from 0 to 4,294,967,295.

ulink-load: WAN backhaul link load. The range is from 0 to 100.

Command Default

The uplink WAN metrics are not configured.

Command Modes

WLAN configuration

Command History

Release        Modification
Release 8.2    This command was introduced.

Examples

This example shows how to configure the uplink WAN metrics:

Cisco Controller > config wlan hotspot hs2 wan-metrics uplink 12 2468 10


config wlan hotspot msap

To configure the Mobility Service Advertisement Protocol (MSAP) parameters on a WLAN, use the config wlan hotspot msap command.

config wlan hotspot msap {enable | disable | server-id server_id} wlan_id

Syntax Description

enable: Enables MSAP on the WLAN.

disable: Disables MSAP on the WLAN.

server-id: Specifies the MSAP server id.

server_id: MSAP server ID. The range is from 1 to 10.

wlan_id: Wireless LAN identifier from 1 to 512.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable MSAP on a WLAN:

(Cisco Controller) > config wlan hotspot msap enable 4


config wlan interface

To configure a wireless LAN interface or an interface group, use the config wlan interface command.

config wlan interface {wlan_id | foreignAp} {interface-name | interface-group-name}

Syntax Description

wlan_id: (Optional) Wireless LAN identifier (1 to 512).

foreignAp: Specifies third-party access points.

interface-name: Interface name.

interface-group-name: Interface group name.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure an interface named VLAN901:

(Cisco Controller) > config wlan interface 16 VLAN901


config wlan ipv6 acl

To configure IPv6 access control list (ACL) on a wireless LAN, use the config wlan ipv6 acl command.

config wlan ipv6 acl wlan_id acl_name

Syntax Description

wlan_id: Wireless LAN identifier between 1 and 512.

acl_name: IPv6 ACL name.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure an IPv6 ACL for local switching:

(Cisco Controller) > config wlan ipv6 acl 22 acl_sample


config wlan kts-cac

To configure the Key Telephone System-based CAC policy for a WLAN, use the config wlan kts-cac command.

config wlan kts-cac {enable | disable} wlan_id

Syntax Description

enable: Enables the KTS-based CAC policy.

disable: Disables the KTS-based CAC policy.

wlan_id: Wireless LAN identifier between 1 and 512.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

To enable the KTS-based CAC policy for a WLAN, ensure that you do the following:

• Configure the QoS profile for the WLAN to Platinum by entering the following command:

config wlan qos wlan-id platinum

• Disable the WLAN by entering the following command:

config wlan disable wlan-id

• Disable FlexConnect local switching for the WLAN by entering the following command:

config wlan flexconnect local-switching wlan-id disable

Examples

The following example shows how to enable the KTS-based CAC policy for a WLAN with the ID 4:

(Cisco Controller) > config wlan kts-cac enable 4
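
A pre-flight check for a controller change script, added here as an example (it is not Cisco's code): it replays the config wlan lines in order and flags a kts-cac enable whose three prerequisites from the Usage Guidelines above were not set earlier in the same script, and roam-oi add lines that break the documented oi-index range, 6-digit hexadecimal OI format, or limit of 3 OIs with the beacon flag set. The sample script, the function names and the rule that only state set inside the script counts are assumptions of this example; roam-oi modify and delete are not tracked.

```python
import re

WLAN_IDS = range(1, 513)     # wlan_id range given in this reference
OI_INDEXES = range(1, 33)    # oi-index range for roam-oi
MAX_BEACON_OIS = 3           # OIs per WLAN that may carry is-beacon = 1
OI_FORMAT = re.compile(r"[0-9A-Fa-f]{6}")

# Facts the kts-cac Usage Guidelines require before "kts-cac enable".
KTS_PREREQS = (("qos", "platinum"), ("wlan", "disable"),
               ("local-switching", "disable"))

# Command shapes as written on this page; group order follows the syntax.
PATTERNS = (
    ("qos", re.compile(r"config wlan qos (\S+) (\S+)$")),
    ("wlan", re.compile(r"config wlan (enable|disable) (\S+)$")),
    ("local-switching", re.compile(
        r"config wlan flexconnect local-switching (\S+) (enable|disable)$")),
    ("kts", re.compile(r"config wlan kts-cac (enable|disable) (\S+)$")),
    ("oi", re.compile(
        r"config wlan hotspot dot11u roam-oi add (\S+) (\S+) (\S+) (\S+)$")),
)

# Constructed sample change script (not taken from the manual).
SAMPLE_SCRIPT = """\
config wlan qos 4 platinum
config wlan disable 4
config wlan flexconnect local-switching 4 disable
config wlan kts-cac enable 4
config wlan kts-cac enable 7
config wlan hotspot dot11u roam-oi add 4 1 004096 1
config wlan hotspot dot11u roam-oi add 4 2 AABBDF 1
config wlan hotspot dot11u roam-oi add 4 3 0040GG 1
config wlan hotspot dot11u roam-oi add 4 4 00409A 1
config wlan hotspot dot11u roam-oi add 4 5 00409B 1
config wlan hotspot dot11u roam-oi add 4 40 00409C 0
"""


def _number(text, allowed):
    """Return text as an int if it is decimal and inside allowed, else None."""
    return int(text) if text.isdecimal() and int(text) in allowed else None


def lint(script):
    """Return [(line_number, message)] for rule violations, in script order."""
    findings = []
    facts = {}     # wlan_id -> settings established earlier in the script
    beacon = {}    # wlan_id -> oi-index values added with is-beacon = 1
    for number, raw in enumerate(script.splitlines(), 1):
        line = " ".join(raw.split())
        kind = groups = None
        for name, pattern in PATTERNS:
            match = pattern.match(line)
            if match:
                kind, groups = name, match.groups()
                break
        if kind is None:
            continue                      # not a command this check tracks
        # The WLAN ID is the second argument for "enable|disable"-first forms.
        wlan_text = groups[1] if kind in ("wlan", "kts") else groups[0]
        wlan_id = _number(wlan_text, WLAN_IDS)
        if wlan_id is None:
            findings.append((number, "wlan id must be 1-512"))
            continue
        known = facts.setdefault(wlan_id, {})
        if kind in ("qos", "local-switching"):
            known[kind] = groups[1]
        elif kind == "wlan":
            known[kind] = groups[0]
        elif kind == "kts":
            if groups[0] == "enable":
                missing = [n for n, want in KTS_PREREQS if known.get(n) != want]
                if missing:
                    findings.append((number, "kts-cac enable without earlier: "
                                     + ", ".join(missing)))
        else:                             # roam-oi add
            _, index_text, oi, is_beacon = groups
            index = _number(index_text, OI_INDEXES)
            if index is None:
                findings.append((number, "oi-index must be 1-32"))
            elif not OI_FORMAT.fullmatch(oi):
                findings.append((number, "oi must be 6 hexadecimal digits"))
            elif is_beacon not in ("0", "1"):
                findings.append((number, "is-beacon must be 0 or 1"))
            elif is_beacon == "1":
                flagged = beacon.setdefault(wlan_id, set())
                if len(flagged | {index}) > MAX_BEACON_OIS:
                    findings.append((number, "more than 3 beacon OIs on WLAN %d"
                                     % wlan_id))
                else:
                    flagged.add(index)
    return findings


if __name__ == "__main__":
    for number, message in lint(SAMPLE_SCRIPT):
        print("line %d: %s" % (number, message))
```

A finding means the script itself does not establish the documented precondition; the controller's running configuration may already satisfy it, so confirm against show wlan output before treating it as an error.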


config wlan layer2 acl

To configure a Layer 2 access control list (ACL) on a centrally switched WLAN, use the config wlan layer2 acl command.

config wlan layer2 acl wlan_id {acl_name | none}

Syntax Description

wlan_id: Wireless LAN identifier. The range is from 1 to 512.

acl_name: Layer2 ACL name. The name can be up to 32 alphanumeric characters.

none: Clears any Layer2 ACL mapped to the WLAN.

Command Default

None

Command History

Release    Modification
7.5        This command was introduced.

Usage Guidelines

You can create a maximum of 16 rules for a Layer 2 ACL.

You can create a maximum of 64 Layer 2 ACLs on a Cisco WLC.

A maximum of 16 Layer 2 ACLs are supported per access point because an access point supports a maximum of 16 WLANs.

Ensure that the Layer 2 ACL names do not conflict with the FlexConnect ACL names because an access point does not support the same Layer 2 and Layer 3 ACL names.

Examples

The following example shows how to apply a Layer 2 ACL on a WLAN:

(Cisco Controller) > config wlan layer2 acl 1 acl_l2_1


config wlan ldap

To add or delete a link to a configured Lightweight Directory Access Protocol (LDAP) server, use the config wlan ldap command.

config wlan ldap {add wlan_id server_id | delete wlan_id {all | server_id}}

Syntax Description

add: Adds a link to a configured LDAP server.

wlan_id: Wireless LAN identifier between 1 and 512.

server_id: LDAP server index.

delete: Removes the link to a configured LDAP server.

all: Specifies all LDAP servers.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

Use this command to specify the LDAP server priority for the WLAN.

To specify the LDAP server priority, one of the following must be configured and enabled:

• 802.1X authentication and Local EAP
• Web authentication and LDAP

Note: Local EAP was introduced in controller software release 4.1; LDAP support on Web authentication was introduced in controller software release 4.2.

Examples

The following example shows how to add a link to a configured LDAP server with the WLAN ID 100 and server ID 4:

(Cisco Controller) > config wlan ldap add 100 4


config wlan learn-ipaddr-cswlan

To configure client IP address learning on a centrally switched WLAN, use the config wlan learn-ipaddr-cswlan command.

config wlan learn-ipaddr-cswlan wlan_id {enable | disable}

Syntax Description

wlan_id: Wireless LAN identifier from 1 to 512.

enable: Enables client IPv4 address learning on the centrally switched WLAN.

disable: Disables client IPv4 address learning on the centrally switched WLAN.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.
8.0        This command supports only IPv4 address format.

Usage Guidelines

If the client is configured with Layer 2 encryption, the Cisco WLC cannot learn the client IP address and will periodically drop the client. Disable this option so that the Cisco WLC maintains the client connection without waiting to learn the client IP address.

Examples

The following example shows how to enable client IP address learning on a centrally switched WLAN:

(Cisco Controller) > config wlan learn-ipaddr-cswlan 2 enable

Related Commands

show wlan


config wlan load-balance

To override the global load balance configuration and enable or disable load balancing on a particular WLAN, use the config wlan load-balance command.

config wlan load-balance allow {enable | disable} wlan_id

Syntax Description

enable: Enables band selection on a wireless LAN.

disable: Disables band selection on a wireless LAN.

wlan_id: Wireless LAN identifier between 1 and 512.

Command Default

Load balancing is enabled by default.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable band selection on a wireless LAN with WLAN ID 3:

(Cisco Controller) > config wlan load-balance allow enable 3


config wlan lobby-admin-access

To provide admin access to the lobby user on a particular WLAN, use the config wlan lobby-admin-access command.

config wlan lobby-admin-access {enable | disable} wlan_id

Syntax Description

enable: Enables band selection on a wireless LAN.

disable: Disables band selection on a wireless LAN.

wlan_id: Wireless LAN identifier between 1 and 512.

Command Default

Lobby admin user is disabled by default.

Command History

Release    Modification
8.4        This command was introduced.

Examples

The following example shows how to enable lobby admin on a WLAN:

(Cisco Controller) > config wlan lobby-admin-access enable 2


config wlan mac-filtering

To change the state of MAC filtering on a wireless LAN, use the config wlan mac-filtering command.

config wlan mac-filtering {enable | disable} {wlan_id | foreignAp}

Syntax Description

enable: Enables MAC filtering on a wireless LAN.

disable: Disables MAC filtering on a wireless LAN.

wlan_id: Wireless LAN identifier from 1 to 512.

foreignAp: Specifies third-party access points.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable the MAC filtering on WLAN ID 1:

(Cisco Controller) > config wlan mac-filtering enable 1


config wlan max-associated-clients

To configure the maximum number of client connections on a wireless LAN, guest LAN, or remote LAN, use the config wlan max-associated-clients command.

config wlan max-associated-clients max_clients wlan_id

Syntax Description

max_clients: Maximum number of client connections to be accepted.

wlan_id: Wireless LAN identifier between 1 and 512.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to specify the maximum number of client connections on WLAN ID 2:

(Cisco Controller) > config wlan max-associated-clients 25 2


config wlan max-radio-clients

To configure the maximum number of WLAN clients per access point, use the config wlan max-radio-clients command.

config wlan max-radio-clients max_radio_clients wlan_id

Syntax Description

max_radio_clients: Maximum number of client connections to be accepted per access point radio. The valid range is from 1 to 200.

wlan_id: Wireless LAN identifier between 1 and 512.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to specify the maximum number of client connections per access point radio on WLAN ID 2:

(Cisco Controller) > config wlan max-radio-clients 25 2


config wlan mdns

To configure a multicast DNS (mDNS) profile for a WLAN, use the config wlan mdns command.

config wlan mdns {enable | disable | profile {profile-name | none}} {wlan_id | all}

Syntax Description

enable: Enables mDNS snooping on a WLAN.

disable: Disables mDNS snooping on a WLAN.

profile: Configures an mDNS profile for a WLAN.

profile-name: Name of the mDNS profile to be associated with a WLAN.

none: Removes all existing mDNS profiles from the WLAN. You cannot configure mDNS profiles on the WLAN.

wlan_id: Wireless LAN identifier from 1 to 512.

all: Configures the mDNS profile for all WLANs.

Command Default

By default, mDNS snooping is enabled on WLANs.

Command History

Release    Modification
7.4        This command was introduced.

Usage Guidelines

You must disable the WLAN before you use this command. Clients receive service advertisements only for the services associated with the profile. The controller gives the highest priority to the profiles associated to interface groups, followed by the interface profiles, and then the WLAN profiles. Each client is mapped to a profile based on the order of priority.

Examples

The following example shows how to configure an mDNS profile for a WLAN:

(Cisco Controller) > config wlan mdns profile profile1 1


config wlan media-stream

To configure multicast-direct for a wireless LAN media stream, use the config wlan media-stream command.

config wlan media-stream multicast-direct {wlan_id | all} {enable | disable}

Syntax Description

multicast-direct: Configures multicast-direct for a wireless LAN media stream.

wlan_id: Wireless LAN identifier between 1 and 512.

all: Configures the wireless LAN on all media streams.

enable: Enables global multicast to unicast conversion.

disable: Disables global multicast to unicast conversion.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

Media stream multicast-direct requires load based Call Admission Control (CAC) to run. WLAN quality of service (QoS) needs to be set to either gold or platinum.

Examples

The following example shows how to enable the global multicast-direct media stream with WLAN ID 2:

(Cisco Controller) > config wlan media-stream multicast-direct 2 enable


config wlan mfp

To configure management frame protection (MFP) options for the wireless LAN, use the config wlan mfp command.

config wlan mfp {client [enable | disable] wlan_id | infrastructure protection [enable | disable] wlan_id}

Syntax Description

client: Configures client MFP for the wireless LAN.

enable: (Optional) Enables the feature.

disable: (Optional) Disables the feature.

wlan_id: Wireless LAN identifier (1 to 512).

infrastructure protection: (Optional) Configures the infrastructure MFP for the wireless LAN.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure client management frame protection for WLAN ID 1:

(Cisco Controller) > config wlan mfp client enable 1

config wlan mobility anchor

To change the state of MAC filtering on a wireless LAN, use the config wlan mobility anchor command.

config wlan mobility anchor {add | delete} wlan_id ip_addr priority priority-number

Syntax Description

add              Enables MAC filtering on a wireless LAN.
delete           Disables MAC filtering on a wireless LAN.
wlan_id          Wireless LAN identifier between 1 and 512.
ip_addr          Member switch IPv4 address for anchoring the wireless LAN.
priority         Sets priority to the anchored wireless LAN IP address.
priority-number  Range between 1 to 3.

Command Default

None

Command History

Release  Modification
7.6      This command was introduced in a release earlier than Release 7.6.
8.0      This command supports only IPv4 address format.
8.1      The priority priority-number parameter was introduced.

Examples

The following example shows how to configure and set priority to the mobility wireless LAN anchor list with WLAN ID 4 and IPv4 address 192.168.0.14:

(Cisco Controller) >

config wlan mobility anchor add 4 192.168.0.14 priority 1

Related Commands

show wlan

config wlan mobility foreign-map

To configure interfaces or interface groups for foreign Cisco WLCs, use the config wlan mobility foreign-map command.

config wlan mobility foreign-map {add | delete} wlan_id foreign_mac_address {interface_name | interface_group_name}

Syntax Description

add                   Adds an interface or interface group to the map of foreign controllers.
delete                Deletes an interface or interface group from the map of foreign controllers.
wlan_id               Wireless LAN identifier from 1 to 512.
foreign_mac_address   Foreign switch MAC address on a WLAN.
interface_name        Interface name up to 32 alphanumeric characters.
interface_group_name  Interface group name up to 32 alphanumeric characters.

Command Default

None

Command History

Release  Modification
7.6      This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to add an interface group for foreign Cisco WLCs with WLAN ID 4 and a foreign switch MAC address on WLAN 00:21:1b:ea:36:60:

(Cisco Controller) >

config wlan mobility foreign-map add 4 00:21:1b:ea:36:60 mygroup1

config wlan multicast buffer

To configure the radio multicast packet buffer size, use the config wlan multicast buffer command.

config wlan multicast buffer {enable | disable} buffer-size

Syntax Description

enable       Enables the multicast interface feature for a wireless LAN.
disable      Disables the multicast interface feature on a wireless LAN.
buffer-size  Radio multicast packet buffer size. The range is from 30 to 60. Enter 0 to indicate APs will dynamically adjust the number of buffers allocated for multicast.
wlan_id      Wireless LAN identifier between 1 and 512.

Command Default

The default buffer size is 30.

Command History

Release  Modification
7.6      This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure radio multicast buffer settings:

(Cisco Controller) >

config wlan multicast buffer enable 45 222

config wlan multicast interface

To configure a multicast interface for a wireless LAN, use the config wlan multicast interface command.

config wlan multicast interface wlan_id {enable | disable} interface_name

Syntax Description

wlan_id         Wireless LAN identifier between 1 and 512.
enable          Enables multicast interface feature for a wireless LAN.
disable         Disables multicast interface feature on a wireless LAN.
interface_name  Interface name.
                Note: The interface name can only be specified in lower case characters.

Command Default

Multicast is disabled.

Command History

Release  Modification
7.6      This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable the multicast interface feature for a wireless LAN with WLAN ID 4 and interface name myinterface1:

(Cisco Controller) >

config wlan multicast interface 4 enable myinterface1

config wlan mu-mimo

To enable Multi-User, Multiple-Input, Multiple-Output (MU-MIMO) on a WLAN, enter the config wlan mu-mimo command.

config wlan mu-mimo {enable | disable} wlan-id

Syntax Description

enable wlan-id   Enables MU-MIMO on the WLAN that is specified.
disable wlan-id  Disables MU-MIMO on the WLAN that is specified.

Command History

Release  Modification
8.1      This command was introduced.

config wlan nac

To enable or disable Network Admission Control (NAC) out-of-band support for a WLAN, use the config wlan nac command.

config wlan nac {snmp | radius} {enable | disable} wlan_id

Syntax Description

snmp     Configures SNMP NAC support.
radius   Configures RADIUS NAC support.
enable   Enables NAC for the WLAN.
disable  Disables NAC for the WLAN.
wlan_id  WLAN identifier from 1 to 512.

Command Default

None

Command History

Release  Modification
7.6      This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

You should enable AAA override before you enable the RADIUS NAC state. You also should disable FlexConnect local switching before you enable the RADIUS NAC state.

Examples

The following example shows how to configure SNMP NAC support for WLAN 13:

(Cisco Controller) >

config wlan nac snmp enable 13

The following example shows how to configure RADIUS NAC support for WLAN 34:

(Cisco Controller) >

config wlan nac radius enable 20

config wlan override-rate-limit

To override the bandwidth limits for upstream and downstream traffic per user and per service set identifier (SSID) defined in the QoS profile, use the config wlan override-rate-limit command.

config wlan override-rate-limit wlan_id {average-data-rate | average-realtime-rate | burst-data-rate | burst-realtime-rate} {per-ssid | per-client} {downstream | upstream} rate

Syntax Description

wlan_id                Wireless LAN identifier between 1 and 512.
average-data-rate      Specifies the average data rate for TCP traffic per user or per SSID. The range is from 0 to 512,000 Kbps.
average-realtime-rate  Specifies the average real-time data rate for UDP traffic per user or per SSID. The range is from 0 to 512,000 Kbps.
burst-data-rate        Specifies the peak data rate for TCP traffic per user or per SSID. The range is from 0 to 512,000 Kbps.
burst-realtime-rate    Specifies the peak real-time data rate for UDP traffic per user or per SSID. The range is from 0 to 512,000 Kbps.
per-ssid               Configures the rate limit for an SSID per radio. The combined traffic of all clients will not exceed this limit.
per-client             Configures the rate limit for each client associated with the SSID.
downstream             Configures the rate limit for downstream traffic.
upstream               Configures the rate limit for upstream traffic.
rate                   Data rate for TCP or UDP traffic per user or per SSID. The range is from 0 to 512,000 Kbps. A value of 0 imposes no bandwidth restriction on the QoS profile.

Command Default

None

Command History

Release  Modification
7.6      This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

The rate limits are enforced by the controller and the AP. For central switching, the controller handles the downstream enforcement of per-client rate limit and the AP handles the enforcement of the upstream traffic and per-SSID rate limit for downstream traffic. When the AP enters standalone mode it handles the downstream enforcement of per-client rate limits too.

In FlexConnect local switching and standalone modes, per-client and per-SSID rate limiting is done by the AP for downstream and upstream traffic. However, in FlexConnect standalone mode, the configuration is not saved on the AP, so when the AP reloads, the configuration is lost and rate limiting does not happen after reboot.

For roaming clients, if the client roams between the APs on the same controller, same rate limit parameters are applied on the client. However, if the client roams from an anchor to a foreign controller, the per-client downstream rate limiting uses the parameters configured on the anchor controller while upstream rate limiting uses the parameters of the foreign controller.

Examples

The following example shows how to configure the burst real-time actual rate 2000 Kbps for the upstream traffic per SSID:

(Cisco Controller) >

config wlan override-rate-limit 2 burst-realtime-rate per-ssid upstream 2000

config wlan opendns-mode

To configure WLAN OpenDNS mode to force or copy or ignore the DNS to OpenDNS server access, use the config wlan opendns-mode command.

config wlan opendns-mode wlan-id {ignore | force | copy}

Syntax Description

wlan-id  Wireless LAN (WLAN) identifier.
ignore   Ignores the OpenDNS mode.
force    Forces the OpenDNS mode.
copy     Copies the OpenDNS mode.

Command Modes

(Controller Configuration) >

Command History

Release  Modification
8.4      This command was introduced.

Examples

The following example shows how to configure per WLAN OpenDNS mode to copy DNS to OpenDNS server:

(Cisco Controller) > config wlan opendns-mode wlan1 copy

config wlan opendns-profile

To configure per WLAN OpenDNS profile to force or copy or ignore the Domain Name System (DNS) to OpenDNS server access, use the config wlan opendns-profile command.

config wlan opendns-profile wlan-id profile-name {enable | disable}

Syntax Description

wlan-id       Wireless LAN network.
profile-name  OpenDNS profile name used for tracking this profile.
enable        Maps OpenDNS identity.
disable       Removes OpenDNS identity.

Command Modes

(Controller Configuration) >

Command History

Release  Modification
8.4      This command was introduced.

Usage Guidelines

None

Examples

The following example shows how to configure a WLAN on OpenDNS profile to force the DNS to OpenDNS server:

(Cisco Controller) > config wlan opendns-profile wlan1 user1 enable

config wlan passive-client

To configure passive-client feature on a wireless LAN, use the config wlan passive-client command.

config wlan passive-client {enable | disable} wlan_id

Syntax Description

enable   Enables the passive-client feature on a WLAN.
disable  Disables the passive-client feature on a WLAN.
wlan_id  WLAN identifier between 1 and 512.

Command Default

None

Command History

Release  Modification
7.6      This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

You need to enable the global multicast mode and multicast-multicast mode by using the config network multicast global and config network multicast mode commands before entering this command.

Note

You should configure the multicast in multicast-multicast mode only, not in unicast mode. The passive client feature does not work with multicast-unicast mode in this release.

Examples

The following example shows how to configure the passive client on wireless LAN ID 2:

(Cisco Controller) >

config wlan passive-client enable 2

config wlan peer-blocking

To configure peer-to-peer blocking on a WLAN, use the config wlan peer-blocking command.

config wlan peer-blocking {disable | drop | forward-upstream} wlan_id

Syntax Description

disable           Disables peer-to-peer blocking and bridge traffic locally within the controller whenever possible.
drop              Causes the controller to discard the packets.
forward-upstream  Causes the packets to be forwarded on the upstream VLAN. The device above the controller decides what action to take regarding the packets.
wlan_id           WLAN identifier between 1 and 512.

Command Default

None

Command History

Release  Modification
7.6      This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to disable the peer-to-peer blocking for WLAN ID 1:

(Cisco Controller) >

config wlan peer-blocking disable 1

config wlan pmipv6 default-realm

To configure a default realm for a PMIPv6 WLAN, use the config wlan pmipv6 default-realm command.

config wlan pmipv6 default-realm { default-realm-name | none } wlan_id

Syntax Description

default-realm-name  Default realm name for the WLAN.
none                Clears the realm name for the WLAN.
wlan_id             Wireless LAN identifier between 1 and 512.

Command Default

None.

Command History

Release  Modification
7.6      This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure a default realm name on a PMIPv6 WLAN:

(Cisco Controller) >

config wlan pmipv6 default-realm XYZ 6

config wlan pmipv6 mobility-type

To configure the mobility type on a WLAN, use the config wlan pmipv6 mobility-type command.

config wlan pmipv6 mobility-type {none | pmipv6 } { wlan_id | all }

Syntax Description

none     Configures a WLAN with Simple IP mobility.
pmipv6   Configures a WLAN with PMIPv6 mobility.
all      Enables the specified type of mobility for all WLANs.
wlan_id  WLAN identifier between 1 and 512.

Command Default

None

Command History

Release  Modification
7.6      This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

You must disable the WLAN when you configure the mobility type.

Examples

The following example shows how to configure the mobility type as PMIPv6 on a WLAN:

(Cisco Controller) >

config wlan pmipv6 mobility-type pmipv6 16

config wlan pmipv6 profile_name

To configure a profile name for the PMIPv6 WLAN, use the config wlan pmipv6 profile_name command.

config wlan pmipv6 profile_name profile_name wlan_id

Syntax Description

profile_name  Profile name for the PMIPv6 WLAN.
wlan_id       Wireless LAN identifier from 1 to 512.

Command Default

None

Command History

Release  Modification
7.6      This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

This command binds a profile name to the PMIPv6 WLAN or SSID. Each time that a mobile node associates with the controller, it uses the profile name and NAI in the trigger to the PMIPV6 module. The PMIPV6 module extracts all the profile specific parameters such as LMA IP, APN, and NAI and sends the PBU to the ASR5K.

Examples

The following example shows how to create a profile named ABC01 on a PMIPv6 WLAN:

(Cisco Controller) >

config wlan pmipv6 profile_name ABC01 16

config wlan policy

To configure a policy on a WLAN, use the config wlan policy command.

config wlan policy {add | delete} priority-index wlan-id

Syntax Description

add             Adds a policy on a WLAN.
delete          Deletes an existing policy from a WLAN.
priority-index  Priority index of the policy to be configured on the WLAN. The policies are applied to the clients according to the priority index. The range is from 1 to 16.
policy_name     Name of the profiling policy.
wlan-id         WLAN identifier from 1 to 512.

Command Default

There is no WLAN policy.

Command History

Release  Modification
7.5      This command was introduced.

Usage Guidelines

You can apply up to 16 policies on a WLAN.

Examples

The following example shows how to configure a policy on a WLAN:

(Cisco Controller) >

config wlan policy add 1 teacher_policy 1

config wlan profiling

To configure client profiling on a WLAN, use the config wlan profiling command.

config wlan profiling {local | radius} {all | dhcp | http} {enable | disable} wlan_id

Syntax Description

local    Configures client profiling in Local mode for a WLAN.
radius   Configures client profiling in RADIUS mode on a WLAN.
all      Configures DHCP and HTTP client profiling in a WLAN.
dhcp     Configures DHCP client profiling alone in a WLAN.
http     Configures HTTP client profiling in a WLAN.
enable   Enables the specific type of client profiling in a WLAN. When you enable HTTP profiling, the Cisco WLC collects the HTTP attributes of clients for profiling. When you enable DHCP profiling, the Cisco WLC collects the DHCP attributes of clients for profiling.
disable  Disables the specific type of client profiling in a WLAN.
wlan_id  Wireless LAN identifier from 1 to 512.

Usage Guidelines

Ensure that you have disabled the WLAN before configuring client profiling on the WLAN.

Command Default

Client profiling is disabled.

Command History

Release  Modification
7.6      This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

Only clients connected to port 80 for HTTP can be profiled. IPv6 only clients are not profiled.

If a session timeout is configured for a WLAN, clients must send the HTTP traffic before the configured timeout to get profiled.

This feature is not supported on the following:

• FlexConnect Standalone mode

• FlexConnect Local Authentication

Examples

The following example shows how to enable both DHCP and HTTP profiling on a WLAN:

(Cisco Controller) >

config wlan profiling radius all enable 6

HTTP Profiling successfully enabled.

DHCP Profiling successfully enabled.

config wlan qos

To change the quality of service (QoS) for a wireless LAN, use the config wlan qos command.

config wlan qos wlan_id {bronze | silver | gold | platinum}

config wlan qos foreignAp {bronze | silver | gold | platinum}

Syntax Description

wlan_id    Wireless LAN identifier between 1 and 512.
bronze     Specifies the bronze QoS policy.
silver     Specifies the silver QoS policy.
gold       Specifies the gold QoS policy.
platinum   Specifies the platinum QoS policy.
foreignAp  Specifies third-party access points.

Command Default

The default QoS policy is silver.

Command History

Release  Modification
7.6      This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to set the highest level of service on wireless LAN 1:

(Cisco Controller) >

config wlan qos 1 gold

config wlan radio

To set the Cisco radio policy on a wireless LAN, use the config wlan radio command.

config wlan radio wlan_id {all | 802.11a | 802.11bg | 802.11g | 802.11ag}

Syntax Description

wlan_id   Wireless LAN identifier between 1 and 512.
all       Configures the wireless LAN on all radio bands.
802.11a   Configures the wireless LAN on only 802.11a.
802.11bg  Configures the wireless LAN on only 802.11b/g (only 802.11b if 802.11g is disabled).
802.11g   Configures the wireless LAN on 802.11g only.

Command Default

None

Command History

Release  Modification
7.6      This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the wireless LAN on all radio bands:

(Cisco Controller) >

config wlan radio 1 all

config wlan radius_server acct

To configure RADIUS accounting servers of a WLAN, use the config wlan radius_server acct command.

config wlan radius_server acct {{enable | disable} wlan_id | add wlan_id server_id | delete wlan_id {all | server_id} | framed-ipv6 {address | both | prefix} wlan_id}

Syntax Description

enable     Enables RADIUS accounting for the WLAN.
disable    Disables RADIUS accounting for the WLAN.
wlan_id    Wireless LAN identifier from 1 to 512.
add        Adds a link to a configured RADIUS accounting server.
server_id  RADIUS server index.
delete     Deletes a link to a configured RADIUS accounting server.
address    Configures an accounting framed IPv6 attribute to an IPv6 address.
both       Configures the accounting framed IPv6 attribute to an IPv6 address and prefix.
prefix     Configures the accounting framed IPv6 attribute to an IPv6 prefix.

Command Default

None

Command History

Release  Modification
7.6      This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable RADIUS accounting for the WLAN 2:

(Cisco Controller) >

config wlan radius_server acct enable 2

The following example shows how to add a link to a configured RADIUS accounting server:

(Cisco Controller) >

config wlan radius_server acct add 2 5

config wlan radius_server acct interim-update

To configure the interim update of a RADIUS accounting server of a WLAN, use the config wlan radius_server acct interim-update command.

config wlan radius_server acct interim-update {interval | enable | disable} wlan_id

Syntax Description

interim-update  Configures the interim update of the RADIUS accounting server.
interval        Interim update interval that you specify. The valid range is 180 seconds to 3600 seconds.
enable          Enables interim update of the RADIUS accounting server for the WLAN.
disable         Disables interim update of the RADIUS accounting server for the WLAN.
wlan_id         Wireless LAN identifier between 1 and 512.

Command Default

Interim update of a RADIUS accounting server is set at 600 seconds.

Command History

Release  Modification
7.6      This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to specify an interim update of 200 seconds to a RADIUS accounting server of WLAN 2:

(Cisco Controller) >

config wlan radius_server acct interim-update 200 2

config wlan radius_server auth

To configure RADIUS authentication servers of a WLAN, use the config wlan radius_server auth command.

config wlan radius_server auth {enable wlan_id | disable wlan_id} {add wlan_id server_id | delete wlan_id {all | server_id}}

Syntax Description

auth       Configures a RADIUS authentication
enable     Enables RADIUS authentication for this WLAN.
wlan_id    Wireless LAN identifier from 1 to 512.
disable    Disables RADIUS authentication for this WLAN.
add        Adds a link to a configured RADIUS server.
server_id  RADIUS server index.
delete     Deletes a link to a configured RADIUS server.
all        Deletes all links to configured RADIUS servers.

Command Default

None

Command History

Release  Modification
7.6      This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to add a link to a configured RADIUS authentication server with WLAN ID 1 and Server ID 1:

(Cisco Controller) >

config wlan radius_server auth add 1 1

config wlan radius_server acct interim-update

To configure a wireless LAN’s RADIUS servers, use the config wlan radius_server acct interim-update command.

config wlan radius_server acct interim-update {enable wlan_id | disable wlan_id} {interval wlan_id}

Syntax Description

enable    Enables RADIUS authentication or accounting for this WLAN.
wlan_id   Wireless LAN identifier between 1 and 512.
disable   Disables RADIUS authentication or accounting for this WLAN.
interval  Accounting interim interval between 180 to 3600 seconds.

Command Default

None

Command History

Release  Modification
7.6      This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

This command helps to set some time as a default if the timeout interval is not specified.

Examples

The following example shows how to force the 10 minutes as the default, if timeout interval is not specified:

(Cisco Controller) >

config wlan radius_server acct interim-update 600 1

config wlan radius_server overwrite-interface

To configure a wireless LAN’s RADIUS dynamic interface, use the config wlan radius_server overwrite-interface command.

config wlan radius_server overwrite-interface {enable | disable} wlan_id

Syntax Description

enable   Enables RADIUS dynamic interface for this WLAN.
disable  Disables RADIUS dynamic interface for this WLAN.
wlan_id  Wireless LAN identifier between 1 and 512.

Command Default

None

Command History

Release  Modification
7.6      This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

The controller uses the management interface as identity. If the RADIUS server is on a directly connected dynamic interface, the traffic is sourced from the dynamic interface. Otherwise, the management IP address is used.

If the feature is enabled, the controller uses the interface specified on the WLAN configuration as identity and source for all RADIUS related traffic on the WLAN.

Examples

The following example shows how to enable RADIUS dynamic interface for a WLAN with an ID 1:

(Cisco Controller) >

config wlan radius_server overwrite-interface enable 1

config wlan radius_server realm

To configure realm on a WLAN, use the config wlan radius_server realm command.

config wlan radius_server realm {enable | disable} wlan-id

Syntax Description

radius_server  Radius server index. The range is from 1 to 17.
enable         Enable realm on a WLAN.
disable        Disable realm on a WLAN.
wlan-id        WLAN ID. The range is from 1 to 512.

Command Default

None

Command History

Release  Modification
8.0      This command was introduced.

Examples

The following example shows how to enable realm on a WLAN:

(Cisco Controller) >

config wlan 2 realm enable 50

config wlan roamed-voice-client re-anchor

To configure a roamed voice client’s reanchor policy, use the config wlan roamed-voice-client re-anchor command.

config wlan roamed-voice-client re-anchor {enable | disable} wlan_id

Syntax Description

enable   Enables the roamed client’s reanchor policy.
disable  Disables the roamed client’s reanchor policy.
wlan_id  Wireless LAN identifier between 1 and 512.

Command Default

The roamed client reanchor policy is disabled.

Command History

Release  Modification
7.6      This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable a roamed voice client’s reanchor policy where WLAN ID is 1:

(Cisco Controller) >

config wlan roamed-voice-client re-anchor enable 1

config wlan security 802.1X

To change the state of 802.1X security on the wireless LAN Cisco radios, use the config wlan security 802.1X command.

config wlan security 802.1X {enable {wlan_id | foreignAp} | disable {wlan_id | foreignAp} | encryption {wlan_id | foreignAp} {0 | 40 | 104} | on-macfilter-failure {enable | disable}}

Syntax Description

enable                Enables the 802.1X settings.
wlan_id               Wireless LAN identifier between 1 and 512.
foreignAp             Specifies third-party access points.
disable               Disables the 802.1X settings.
encryption            Specifies the static WEP keys and indexes.
0                     Specifies a WEP key size of 0 (no encryption) bits. The default value is 104.
                      Note: All keys within a wireless LAN must be the same size.
40                    Specifies a WEP key size of 40 bits. The default value is 104.
                      Note: All keys within a wireless LAN must be the same size.
104                   Specifies a WEP key size of 104 bits. The default value is 104.
                      Note: All keys within a wireless LAN must be the same size.
on-macfilter-failure  Configures 802.1X on MAC filter failure.
enable                Enables 802.1X authentication on MAC filter failure.
disable               Disables 802.1X authentication on MAC filter failure.

Command Default

None

Command History

Release  Modification
7.6      This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

To change the encryption level of 802.1X security on the wireless LAN Cisco radios, use the following key sizes:

• 0—no 802.1X encryption.

• 40—40/64-bit encryption.

• 104—104/128-bit encryption. (This is the default encryption setting.)

Examples

The following example shows how to configure 802.1X security on WLAN ID 16.

(Cisco Controller) >

config wlan security 802.1X enable 16

config wlan security ckip

To configure Cisco Key Integrity Protocol (CKIP) security options for the wireless LAN, use the config wlan security ckip command.

config wlan security ckip {enable | disable} wlan_id [akm psk set-key {hex | ascii} {40 | 104} key key_index wlan_id | mmh-mic {enable | disable} wlan_id | kp {enable | disable} wlan_id]

Syntax Description

enable           Enables CKIP security.
disable          Disables CKIP security.
wlan_id          Wireless LAN identifier from 1 to 512.
akm psk set-key  (Optional) Configures encryption key management for the CKIP wireless LAN.
hex              Specifies a hexadecimal encryption key.
ascii            Specifies an ASCII encryption key.
40               Sets the static encryption key length to 40 bits for the CKIP WLAN. 40-bit keys must contain 5 ASCII text characters or 10 hexadecimal characters.
104              Sets the static encryption key length to 104 bits for the CKIP WLAN. 104-bit keys must contain 13 ASCII text characters or 26 hexadecimal characters.
key              Specifies the CKIP WLAN key settings.
key_index        Configured PSK key index.
mmh-mic          (Optional) Configures multi-modular hash message integrity check (MMH MIC) validation for the CKIP wireless LAN.
kp               (Optional) Configures key-permutation for the CKIP wireless LAN.

Command Default

None

Command History

Release  Modification
7.6      This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure a CKIP WLAN encryption key of 104 bits (26 hexadecimal characters) for PSK key index 2 on WLAN 03:

(Cisco Controller) >

config wlan security ckip akm psk set-key hex 104 key 2 03
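The key-length, key-size and range rules stated in the config wlan security 802.1X, config wlan security ckip and config wlan radius_server acct interim-update entries can be checked before a change script reaches a controller. The following Python linter is an added example, not Cisco code; the function names and the sample script are constructed for illustration, and it covers only these three command forms.

```python
import re

# Limits below are taken from the syntax descriptions in this reference.
WLAN_ID_RANGE = (1, 512)
INTERIM_RANGE = (180, 3600)  # RADIUS accounting interim-update interval, seconds
CKIP_KEY_CHARS = {("ascii", "40"): 5, ("hex", "40"): 10,
                  ("ascii", "104"): 13, ("hex", "104"): 26}
PROMPT = re.compile(r"^\(Cisco Controller\)\s*>\s*")


def to_int(token):
    """Return the token as an int, or None if it is not a plain decimal number."""
    return int(token) if token.isascii() and token.isdigit() else None


def check_wlan_id(token, findings):
    """Append a finding unless token is inside the documented 1-512 range."""
    value = to_int(token)
    if value is None or not WLAN_ID_RANGE[0] <= value <= WLAN_ID_RANGE[1]:
        findings.append(f"wlan_id {token!r} is outside 1-512")


def lint_line(line):
    """Return a list of findings for one CLI line; an empty list means no issue found."""
    findings = []
    tok = PROMPT.sub("", line.strip()).split()

    if tok[:7] == ["config", "wlan", "security", "ckip", "akm", "psk", "set-key"]:
        if len(tok) != 12:
            return ["ckip set-key expects: {hex | ascii} {40 | 104} key key_index wlan_id"]
        fmt, bits, key, _key_index, wlan = tok[7:]
        need = CKIP_KEY_CHARS.get((fmt, bits))
        if need is None:
            findings.append(f"unsupported key type/length: {fmt} {bits}")
        elif len(key) != need:
            # Report lengths only; never echo key material into lint output.
            findings.append(f"{bits}-bit {fmt} key needs {need} characters, got {len(key)}")
        elif fmt == "hex" and not re.fullmatch(r"[0-9A-Fa-f]+", key):
            findings.append("hex key contains non-hexadecimal characters")
        check_wlan_id(wlan, findings)

    elif tok[:5] == ["config", "wlan", "security", "802.1X", "encryption"]:
        if len(tok) != 7:
            return ["802.1X encryption expects: {wlan_id | foreignAp} {0 | 40 | 104}"]
        target, size = tok[5:]
        if target != "foreignAp":
            check_wlan_id(target, findings)
        if size not in ("0", "40", "104"):
            findings.append(f"key size {size!r} is not one of 0, 40, 104")
        elif size == "0":
            findings.append("key size 0 selects no 802.1X encryption")
        elif size == "40":
            findings.append("key size 40 is below the documented default of 104")

    elif tok[:5] == ["config", "wlan", "radius_server", "acct", "interim-update"]:
        if len(tok) != 7:
            return ["interim-update expects: {interval | enable | disable} wlan_id"]
        value, wlan = tok[5:]
        if value not in ("enable", "disable"):
            seconds = to_int(value)
            lo, hi = INTERIM_RANGE
            if seconds is None or not lo <= seconds <= hi:
                findings.append(f"interim interval {value!r} is outside {lo}-{hi} seconds")
        check_wlan_id(wlan, findings)

    return findings


def lint_script(text):
    """Map 1-based line numbers to findings for every line that has any."""
    report = {}
    for number, line in enumerate(text.splitlines(), start=1):
        findings = lint_line(line)
        if findings:
            report[number] = findings
    return report


# Constructed change script for illustration; the keys are dummy values.
SAMPLE = """\
(Cisco Controller) > config wlan security ckip akm psk set-key hex 104 0123456789abcdef0123456789 2 3
config wlan security ckip akm psk set-key ascii 40 secret 1 3
config wlan security 802.1X encryption 16 0
config wlan radius_server acct interim-update 200 2
config wlan radius_server acct interim-update 60 600
"""

if __name__ == "__main__":
    for number, findings in lint_script(SAMPLE).items():
        for finding in findings:
            print(f"line {number}: {finding}")
```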

config wlan security cond-web-redir

To enable or disable conditional web redirect, use the config wlan security cond-web-redir command.

config wlan security cond-web-redir {enable | disable} wlan_id

Syntax Description

enable   Enables conditional web redirect.
disable  Disables conditional web redirect.
wlan_id  Wireless LAN identifier between 1 and 512.

Command Default

None

Command History

Release  Modification
7.6      This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable the conditional web redirect on WLAN ID 2:

(Cisco Controller) >

config wlan security cond-web-redir enable 2

config wlan security eap-params

To configure local EAP timers on a WLAN, use the config wlan security eap-params command.

config wlan security eap-params {{enable | disable} | eapol-key-timeout timeout | eapol-key-retries retries | identity-request-timeout timeout | identity-request-retries retries | request-timeout timeout | request-retries retries} wlan_id

Syntax Description

{enable | disable}: Specifies to enable or disable SSID specific EAP timeouts or retries. The default value is disabled.
eapol-key-timeout timeout: Specifies the amount of time (200 to 5000 milliseconds) that the controller attempts to send an EAP key over the WLAN to wireless clients using local EAP. The valid range is 200 to 5000 milliseconds. The default value is 1000 milliseconds.
eapol-key-retries retries: Specifies the maximum number of times (0 to 4 retries) that the controller attempts to send an EAP key over the WLAN to wireless clients using local EAP. The default value is 2.
identity-request-timeout timeout: Specifies the amount of time (1 to 120 seconds) that the controller attempts to send an EAP identity request to wireless clients within WLAN using local EAP. The default value is 30 seconds.
identity-request-retries retries: Specifies the maximum number of times (0 to 4 retries) that the controller attempts to retransmit the EAP identity request to wireless clients within WLAN using local EAP. The default value is 2.
request-timeout timeout: Specifies the amount of time (1 to 120 seconds) in which the controller attempts to send an EAP parameter request to wireless clients within WLAN using local EAP. The default value is 30 seconds.
request-retries retries: Specifies the maximum number of times (0 to 20 retries) that the controller attempts to retransmit the EAP parameter request to wireless clients within WLAN using local EAP. The default value is 2.
wlan_id: WLAN identification number.

Command Default

The default EAPOL key timeout is 1000 milliseconds.
The default for EAPOL key retries is 2.
The default identity request timeout is 30 seconds.
The default identity request retries is 2.
The default request timeout is 30 seconds.
The default request retries is 2.

Command History

Release 7.6: This command was introduced.

Examples

The following example shows how to enable SSID specific EAP parameters on a WLAN:

(Cisco Controller) > config wlan security eap-params enable 4

The following example shows how to set EAPOL key timeout parameter on a WLAN:

(Cisco Controller) > config wlan security eap-params eapol-key-retries 4

The following example shows how to set EAPOL key retries on a WLAN:

(Cisco Controller) > config wlan security eap-params eapol-key-retries 4

config wlan security eap-passthru

To configure the 802.1X frames pass through on to the external authenticator, use the config wlan security eap-passthru command.

config wlan security eap-passthru {enable | disable} wlan_id

Syntax Description

enable: Enables 802.1X frames pass through to external authenticator.
disable: Disables 802.1X frames pass through to external authenticator.
wlan_id: Wireless LAN identifier between 1 and 512.

Command Default

None

Command History

Release 7.6: This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable the 802.1X frames pass through to external authenticator on WLAN ID 2:

(Cisco Controller) > config wlan security eap-passthru enable 2

config wlan security ft

To configure 802.11r Fast Transition Roaming parameters, use the config wlan security ft command.

config wlan security ft {adaptive | enable | disable | reassociation-timeout timeout-in-seconds} wlan_id

Syntax Description

adaptive: Configures 802.11r Fast Transition Roaming adaptive support. This is the default option.
enable: Enables 802.11r Fast Transition Roaming support.
disable: Disables 802.11r Fast Transition Roaming support.
reassociation-timeout: Configures reassociation deadline interval.
timeout-in-seconds: Reassociation timeout value, in seconds. The valid range is 1 to 100 seconds.
wlan_id: Wireless LAN identifier between 1 and 512.

Command Default

None

Command History

Release 7.6: This command was introduced in a release earlier than Release 7.6.
Release 8.3: This command was modified. The adaptive keyword was added.

Usage Guidelines

Ensure that you have disabled the WLAN before you proceed.

Examples

The following example shows how to enable 802.11r Fast Transition Roaming support on WLAN 2:

(Cisco Controller) > config wlan security ft enable 2

The following example shows how to set a reassociation timeout value of 20 seconds for 802.11r Fast Transition Roaming support on WLAN 2:

(Cisco Controller) > config wlan security ft reassociation-timeout 20 2

config wlan security ft over-the-ds

To configure 802.11r fast transition parameters over a distributed system, use the config wlan security ft over-the-ds command.

config wlan security ft over-the-ds {enable | disable} wlan_id

Syntax Description

enable: Enables 802.11r fast transition roaming support over a distributed system.
disable: Disables 802.11r fast transition roaming support over a distributed system.
wlan_id: Wireless LAN identifier between 1 and 512.

Command Default

Enabled.

Command History

Release 7.6: This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

Ensure that you have disabled the WLAN before you proceed.

Ensure that 802.11r fast transition is enabled on the WLAN.

Examples

The following example shows how to enable 802.11r fast transition roaming support over a distributed system on WLAN ID 2:

(Cisco Controller) > config wlan security ft over-the-ds enable 2

config wlan security IPsec disable

To disable IPsec security, use the config wlan security IPsec disable command.

config wlan security IPsec disable {wlan_id | foreignAp}

Syntax Description

wlan_id: Wireless LAN identifier between 1 and 512.
foreignAp: Specifies third-party access points.

Command Default

None

Command History

Release 7.6: This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to disable the IPsec for WLAN ID 16:

(Cisco Controller) > config wlan security IPsec disable 16

config wlan security IPsec enable

To enable IPsec security, use the config wlan security IPsec enable command.

config wlan security IPsec enable {wlan_id | foreignAp}

Syntax Description

wlan_id: Wireless LAN identifier between 1 and 512.
foreignAp: Specifies third-party access points.

Command Default

None

Command History

Release 7.6: This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable the IPsec for WLAN ID 16:

(Cisco Controller) > config wlan security IPsec enable 16

config wlan security IPsec authentication

To modify the IPsec security authentication protocol used on the wireless LAN, use the config wlan security IPsec authentication command.

config wlan security IPsec authentication {hmac-md5 | hmac-sha-1} {wlan_id | foreignAp}

Syntax Description

hmac-md5: Specifies the IPsec HMAC-MD5 authentication protocol.
hmac-sha-1: Specifies the IPsec HMAC-SHA-1 authentication protocol.
wlan_id: Wireless LAN identifier between 1 and 512.
foreignAp: Specifies third-party access points.

Command Default

None

Command History

Release 7.6: This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the IPsec HMAC-SHA-1 security authentication parameter for WLAN ID 1:

(Cisco Controller) > config wlan security IPsec authentication hmac-sha-1 1

config wlan security IPsec encryption

To modify the IPsec security encryption protocol used on the wireless LAN, use the config wlan security IPsec encryption command.

config wlan security IPsec encryption {3des | aes | des} {wlan_id | foreignAp}

Syntax Description

3des: Enables IPsec 3DES encryption.
aes: Enables IPsec AES 128-bit encryption.
des: Enables IPsec DES encryption.
wlan_id: Wireless LAN identifier between 1 and 512.
foreignAp: Specifies third-party access points.

Command Default

None

Command History

Release 7.6: This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the IPsec AES encryption:

(Cisco Controller) > config wlan security IPsec encryption aes 1

config wlan security IPsec config

To configure the proprietary Internet Key Exchange (IKE) CFG-Mode parameters used on the wireless LAN, use the config wlan security IPsec config command.

config wlan security IPsec config qotd ip_address {wlan_id | foreignAp}

Syntax Description

qotd: Configures the quote-of-the-day server IP for cfg-mode.
ip_address: Quote-of-the-day server IP for cfg-mode.
wlan_id: Wireless LAN identifier between 1 and 512.
foreignAp: Specifies third-party access points.

Command Default

None

Command History

Release 7.6: This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

IKE is used as a method of distributing the session keys (encryption and authentication), as well as providing a way for the VPN endpoints to agree on how the data should be protected. IKE keeps track of connections by assigning a bundle of Security Associations (SAs) to each connection.

Examples

The following example shows how to configure the quote-of-the-day server IP 44.55.66.77 for cfg-mode for WLAN 1:

(Cisco Controller) > config wlan security IPsec config qotd 44.55.66.77 1

config wlan security IPsec ike authentication

To modify the IPsec Internet Key Exchange (IKE) authentication protocol used on the wireless LAN, use the config wlan security IPsec ike authentication command.

config wlan security IPsec ike authentication {certificates {wlan_id | foreignAp} | pre-share-key {wlan_id | foreignAp} key | xauth-psk {wlan_id | foreignAp} key}

Syntax Description

certificates: Enables the IKE certificate mode.
wlan_id: Wireless LAN identifier between 1 and 512.
foreignAp: Specifies third-party access points.
pre-share-key: Enables the IKE preshared key.
xauth-psk: Enables the IKE Xauth with preshared keys.
key: Key required for preshare and xauth-psk.

Command Default

None

Command History

Release 7.6: This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the IKE certification mode:

(Cisco Controller) > config wlan security IPsec ike authentication certificates 16

config wlan security IPsec ike dh-group

To modify the IPsec Internet Key Exchange (IKE) Diffie-Hellman group used on the wireless LAN, use the config wlan security IPsec ike dh-group command.

config wlan security IPsec ike dh-group {wlan_id | foreignAp} {group-1 | group-2 | group-5}

Syntax Description

wlan_id: Wireless LAN identifier between 1 and 512.
foreignAp: Specifies third-party access points.
group-1: Specifies DH group 1 (768 bits).
group-2: Specifies DH group 2 (1024 bits).
group-5: Specifies DH group 5 (1536 bits).

Command Default

None

Command History

Release 7.6: This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the Diffie-Hellman group parameter for group-1:

(Cisco Controller) > config wlan security IPsec ike dh-group 1 group-1

config wlan security IPsec ike lifetime

To modify the IPsec Internet Key Exchange (IKE) lifetime used on the wireless LAN, use the config wlan security IPsec ike lifetime command.

config wlan security IPsec ike lifetime {wlan_id | foreignAp} seconds

Syntax Description

wlan_id: Wireless LAN identifier between 1 and 512.
foreignAp: Specifies third-party access points.
seconds: IKE lifetime in seconds, between 1800 and 345600.

Command Default

None

Command History

Release 7.6: This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the IPsec IKE lifetime used on the wireless LAN:

(Cisco Controller) > config wlan security IPsec ike lifetime 1 1900

config wlan security IPsec ike phase1

To modify IPsec Internet Key Exchange (IKE) Phase 1 used on the wireless LAN, use the config wlan security IPsec ike phase1 command.

config wlan security IPsec ike phase1 {aggressive | main} {wlan_id | foreignAp}

Syntax Description

aggressive: Enables the IKE aggressive mode.
main: Enables the IKE main mode.
wlan_id: Wireless LAN identifier between 1 and 512.
foreignAp: Specifies third-party access points.

Command Default

None

Command History

Release 7.6: This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to modify IPsec IKE Phase 1:

(Cisco Controller) > config wlan security IPsec ike phase1 aggressive 16

config wlan security IPsec ike contivity

To modify Nortel's Contivity VPN client support on the wireless LAN, use the config wlan security IPsec ike contivity command.

config wlan security IPsec ike contivity {enable | disable} {wlan_id | foreignAp}

Syntax Description

enable: Enables contivity support for this WLAN.
disable: Disables contivity support for this WLAN.
wlan_id: Wireless LAN identifier between 1 and 512.
foreignAp: Specifies third-party access points.

Command Default

None

Command History

Release 7.6: This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to modify Contivity VPN client support:

(Cisco Controller) > config wlan security IPsec ike contivity enable 14

config wlan security wpa akm ft

To configure authentication key-management using 802.11r fast transition 802.1X, use the config wlan security wpa akm ft command.

config wlan security wpa akm ft [over-the-air | over-the-ds | psk | [reassociation-timeout seconds]] {enable | disable} wlan_id

Syntax Description

over-the-air: (Optional) Configures 802.11r fast transition roaming over-the-air support.
over-the-ds: (Optional) Configures 802.11r fast transition roaming DS support.
psk: (Optional) Configures 802.11r fast transition PSK support.
reassociation-timeout: (Optional) Configures the reassociation deadline interval. The valid range is between 1 to 100 seconds. The default value is 20 seconds.
seconds: Reassociation deadline interval in seconds.
enable: Enables 802.11r fast transition 802.1X support.
disable: Disables 802.11r fast transition 802.1X support.
wlan_id: Wireless LAN identifier between 1 and 512.

Command Default

None

Command History

Release 7.6: This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure authentication key-management using 802.11r fast transition:

(Cisco Controller) > config wlan security wpa akm ft reassociation-timeout 25 1


config wlan security passthru

To modify the IPsec pass-through used on the wireless LAN, use the config wlan security passthru command.

config wlan security passthru {enable | disable} {wlan_id | foreignAp} [ip_address]

Syntax Description

enable: Enables IPsec pass-through.
disable: Disables IPsec pass-through.
wlan_id: Wireless LAN identifier between 1 and 512.
foreignAp: Specifies third-party access points.
ip_address: (Optional) IP address of the IPsec gateway (router) that is terminating the VPN tunnel.

Command Default

None

Command History

Release 7.6: This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to modify IPsec pass-through used on the wireless LAN:

(Cisco Controller) > config wlan security passthru enable 3 192.12.1.1

config wlan security pmf

To configure 802.11w Management Frame Protection (MFP) on a WLAN, use the config wlan security pmf command.

config wlan security pmf {disable | optional | required | association-comeback association-comeback_timeout | saquery-retrytimeout saquery-retry_timeout} wlan_id

Syntax Description

disable: Disables 802.11w MFP protection on a WLAN.
optional: Enables 802.11w MFP protection on a WLAN.
required: Requires clients to negotiate 802.11w MFP protection on a WLAN.
association-comeback: Configures the 802.11w association comeback time.
association-comeback_timeout: Association comeback interval in seconds. Time interval that an associated client must wait before the association is tried again after it is denied with a status code 30. The status code 30 message is "Association request rejected temporarily; Try again later". The range is from 1 to 20 seconds.
saquery-retrytimeout: Configures the 802.11w Security Association (SA) query retry timeout.
saquery-retry_timeout: Time interval identified in the association response to an already associated client before the association can be tried again. This time interval checks if the client is a real client and not a rogue client during the association comeback time. If the client does not respond within this time, the client association is deleted from the controller. The range is from 100 to 500 ms.
wlan_id: Wireless LAN identifier from 1 to 512.

Command Default

Default SA query retry timeout is 200 milliseconds.
Default association comeback timeout is 1 second.

Command History

Release 7.6: This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

802.11w introduces an Integrity Group Temporal Key (IGTK) that is used to protect broadcast or multicast robust management frames. IGTK is a random value, assigned by the authenticator station (controller) used to protect MAC management protocol data units (MMPDUs) from the source STA. The 802.11w IGTK key is derived using the four way handshake and is used only on WLANs that are configured with WPA or WPA2 security at Layer 2.

Examples

The following example shows how to enable 802.11w MFP protection on a WLAN:

(Cisco Controller) > config wlan security pmf optional 1

The following example shows how to configure the SA query retry timeout on a WLAN:

(Cisco Controller) > config wlan security pmf saquery-retrytimeout 300 1

config wlan security sgt

To configure Secure Group Tag (SGT) for a WLAN, use the config wlan security sgt command.

config wlan security sgt {value | wlan-id} wlan_id

Syntax Description

value: SGT value
wlan-id: WLAN ID

Command Default

None

Command History

Release 8.4: This command was introduced.

config wlan security splash-page-web-redir

To enable or disable splash page web redirect, use the config wlan security splash-page-web-redir command.

config wlan security splash-page-web-redir {enable | disable} wlan_id

Syntax Description

enable: Enables splash page web redirect.
disable: Disables splash page web redirect.
wlan_id: Wireless LAN identifier between 1 and 512.

Command Default

Splash page web redirect is disabled.

Command History

Release 7.6: This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable splash page web redirect:

(Cisco Controller) > config wlan security splash-page-web-redir enable 2

config wlan security static-wep-key authentication

To configure static Wired Equivalent Privacy (WEP) key 802.11 authentication on a wireless LAN, use the config wlan security static-wep-key authentication command.

config wlan security static-wep-key authentication {shared-key | open} wlan_id

Syntax Description

shared-key: Enables shared key authentication.
open: Enables open system authentication.
wlan_id: Wireless LAN identifier between 1 and 512.

Command Default

None

Command History

Release 7.6: This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable the static WEP shared key authentication for WLAN ID 1:

(Cisco Controller) > config wlan security static-wep-key authentication shared-key 1

config wlan security static-wep-key disable

To disable the use of static Wired Equivalent Privacy (WEP) keys, use the config wlan security static-wep-key disable command.

config wlan security static-wep-key disable wlan_id

Syntax Description

wlan_id: Wireless LAN identifier between 1 and 512.

Command Default

None

Command History

Release 7.6: This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to disable the static WEP keys for WLAN ID 1:

(Cisco Controller) > config wlan security static-wep-key disable 1

config wlan security static-wep-key enable

To enable the use of static Wired Equivalent Privacy (WEP) keys, use the config wlan security static-wep-key enable command.

config wlan security static-wep-key enable wlan_id

Syntax Description

wlan_id: Wireless LAN identifier between 1 and 512.

Command Default

None

Command History

Release 7.6: This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable the use of static WEP keys for WLAN ID 1:

(Cisco Controller) > config wlan security static-wep-key enable 1

config wlan security static-wep-key encryption

To configure the static Wired Equivalent Privacy (WEP) keys and indexes, use the config wlan security static-wep-key encryption command.

config wlan security static-wep-key encryption wlan_id {40 | 104} {hex | ascii} key key-index

Syntax Description

wlan_id: Wireless LAN identifier from 1 to 512.
40: Specifies the encryption level of 40.
104: Specifies the encryption level of 104.
hex: Specifies to use hexadecimal characters to enter key.
ascii: Specifies whether to use ASCII characters to enter key.
key: WEP key in ASCII.
key-index: Key index (1 to 4).

Command Default

None

Command History

Release 7.6: This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

One unique WEP key index can be applied to each wireless LAN. Because there are only four WEP key indexes, only four wireless LANs can be configured for static WEP Layer 2 encryption.

Make sure to disable 802.1X before using this command.

Examples

The following example shows how to configure the static WEP keys for WLAN ID 1 that uses hexadecimal character 0201702001 and key index 2:

(Cisco Controller) > config wlan security static-wep-key encryption 1 40 hex 0201702001 2
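The following pre-flight check is an added example, not part of the Cisco manual or of any Cisco tool. It lints a batch of config wlan security commands against the key-length, key-index and numeric-range rules documented in the sections above. The function names, the sample commands, and the LEGACY audit policy are assumptions of this example.

```python
import re

PREFIX = "config wlan security "

# (sub-command, position of the value among its arguments, low, high),
# with the ranges as documented in the syntax descriptions on this page.
RANGES = [
    ("ft reassociation-timeout", 0, 1, 100),
    ("IPsec ike lifetime", 1, 1800, 345600),
    ("pmf association-comeback", 0, 1, 20),
    ("pmf saquery-retrytimeout", 0, 100, 500),
]

# Audit policy assumed by this example; the manual itself does not rank options.
LEGACY = [
    (r"IPsec encryption des\b", "single DES encryption"),
    (r"IPsec authentication hmac-md5\b", "HMAC-MD5 authentication"),
    (r"IPsec ike dh-group \S+ group-1\b", "768-bit DH group 1"),
    (r"IPsec ike phase1 aggressive\b", "IKE aggressive mode"),
    (r"static-wep-key enable\b", "static WEP"),
]

# Characters a key must have for each key length and input format.
WEP_KEY_CHARS = {("40", "ascii"): 5, ("40", "hex"): 10,
                 ("104", "ascii"): 13, ("104", "hex"): 26}


def check_wep(args, index_owner):
    """Validate the arguments: wlan_id {40|104} {hex|ascii} key key-index."""
    if len(args) != 5:
        return ["expected: wlan_id {40|104} {hex|ascii} key key-index"]
    wlan, bits, fmt, key, index = args
    problems = []
    if not (wlan.isdigit() and 1 <= int(wlan) <= 512):
        problems.append(f"wlan_id {wlan} outside 1-512")
    want = WEP_KEY_CHARS.get((bits, fmt))
    if want is None:
        problems.append(f"unknown length/format {bits} {fmt}")
    else:
        # Report lengths only; never echo key material into findings.
        if len(key) != want:
            problems.append(f"{bits}-bit {fmt} key needs {want} characters, got {len(key)}")
        if fmt == "hex" and not re.fullmatch(r"[0-9A-Fa-f]+", key):
            problems.append("key contains non-hexadecimal characters")
    if not (index.isdigit() and 1 <= int(index) <= 4):
        problems.append(f"key index {index} outside 1-4")
    elif index_owner.setdefault(index, wlan) != wlan:
        # Each of the four key indexes can serve only one WLAN.
        problems.append(f"key index {index} already used by WLAN {index_owner[index]}")
    return problems


def audit(lines):
    """Return (line_number, message) findings for a list of WLC commands."""
    findings, index_owner = [], {}
    for n, raw in enumerate(lines, 1):
        line = raw.replace("(Cisco Controller) >", "").strip()
        if not line.startswith(PREFIX):
            continue
        rest = line[len(PREFIX):]
        if rest.startswith("static-wep-key encryption"):
            args = rest.split()[2:]
            findings += [(n, m) for m in check_wep(args, index_owner)]
        for sub, pos, lo, hi in RANGES:
            if rest.startswith(sub + " "):
                args = rest[len(sub):].split()
                value = args[pos] if len(args) > pos else ""
                if not (value.isdigit() and lo <= int(value) <= hi):
                    findings.append((n, f"{sub}: '{value}' outside {lo}-{hi}"))
        for pattern, label in LEGACY:
            if re.match(pattern, rest):
                findings.append((n, f"legacy option: {label}"))
    return findings


SAMPLE = [  # constructed input, modelled on the examples on this page
    "(Cisco Controller) > config wlan security static-wep-key encryption 1 40 hex 0201702001 2",
    "config wlan security static-wep-key encryption 3 104 hex 0201702001 2",
    "config wlan security IPsec ike lifetime 1 1900",
    "config wlan security IPsec ike lifetime 1 900",
    "config wlan security IPsec ike dh-group 1 group-1",
    "config wlan security IPsec encryption aes 1",
    "config wlan security pmf saquery-retrytimeout 300 1",
    "config wlan security IPsec ike phase1 aggressive 16",
]

if __name__ == "__main__":
    for number, message in audit(SAMPLE):
        print(f"line {number}: {message}")
```

ASCII keys that contain spaces are not handled, because the commands are split on whitespace.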

config wlan security tkip

To configure the Temporal Key Integrity Protocol (TKIP) Message Integrity Check (MIC) countermeasure hold-down timer, use the config wlan security tkip command.

config wlan security tkip hold-down time wlan_id

Syntax Description

hold-down: Configures the TKIP MIC countermeasure hold-down timer.
time: TKIP MIC countermeasure hold-down time in seconds. The range is from 0 to 60 seconds.
wlan_id: Wireless LAN identifier from 1 to 512.

Command Default

The default TKIP countermeasure is set to 60 seconds.

Command History

Release 7.6: This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

TKIP countermeasure mode can occur if the access point receives 2 MIC errors within a 60 second period. When this situation occurs, the access point deauthenticates all TKIP clients that are associated to that 802.11 radio and holds off any clients for the countermeasure holdoff time.

Examples

The following example shows how to configure the TKIP MIC countermeasure hold-down timer:

(Cisco Controller) > config wlan security tkip

config wlan usertimeout

To configure the timeout for idle client sessions for a WLAN, use the config wlan usertimeout command.

config wlan usertimeout timeout wlan_id

Syntax Description

timeout: Timeout for idle client sessions for a WLAN. If the client sends traffic less than the threshold, the client is removed on timeout. The range is from 15 to 100000 seconds.
wlan_id: Wireless LAN identifier between 1 and 512.

Command Default

The default client session idle timeout is 300 seconds.

Command History

Release 7.6: This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

The timeout value that you configure here overrides the global timeout that you define using the command config network usertimeout.

Examples

The following example shows how to configure the idle client sessions for a WLAN:

(Cisco Controller) > config wlan usertimeout 100 1

config wlan security web-auth

To change the status of web authentication used on a wireless LAN, use the config wlan security web-auth command.

config wlan security web-auth {{acl | enable | disable} {wlan_id | foreignAp} [acl_name | none]} | {on-macfilter-failure wlan_id} | {server-precedence wlan_id | local | ldap | radius} | {flexacl wlan_id [ipv4_acl_name | none]} | {ipv6 acl wlan_id [ipv6_acl_name | none]} | {mac-auth-server {ip_address wlan_id}} | {timeout {value_in_seconds wlan_id}} | {web-portal-server {ip_address wlan_id}}

Syntax Description

acl: Configures the access control list.
enable: Enables web authentication.
disable: Disables web authentication.
wlan_id: Wireless LAN identifier from 1 to 512.
foreignAp: Specifies third-party access points.
acl_name: (Optional) ACL name (up to 32 alphanumeric characters).
none: (Optional) Specifies no ACL name.
on-macfilter-failure: Enables web authentication on MAC filter failure.
server-precedence: Configures the authentication server precedence order for Web-Auth users.
local: Specifies the server type.
ldap: Specifies the server type.
radius: Specifies the server type.
flexacl: Configures Flexconnect Access Control List.
ipv4_acl_name: (Optional) IPv4 ACL name. You can enter up to 32 alphanumeric characters.
ipv6_acl_name: (Optional) IPv6 ACL name. You can enter up to 32 alphanumeric characters.
ipv6: Configures IPv6 related parameters.
mac-auth-server: Configures MAC authentication server for the WLAN.
timeout: Configures Web authentication Timeout.
value_in_seconds: Timeout value in seconds; valid range is between 300 and 14400 seconds.
web-portal-server: Configures CMCC web portal server for the WLAN.

Command Default

None

Command History

Release 7.6: This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the security policy for WLAN ID 1 and an ACL named ACL03:

(Cisco Controller) > config wlan security web-auth acl 1 ACL03

config wlan security web-auth captive-bypass

To configure captive-bypass on a wireless LAN, use the config wlan security web-auth captive-bypass command.

config wlan security web-auth captive-bypass {enable | disable | none}

Syntax Description

enable: Enables captive-bypass for the WLAN.
disable: Disables captive-bypass for the WLAN.
none: Clears the captive-bypass configuration for the WLAN. The global captive network assistant bypass setting is then applied.
wlan-id: WLAN identifier between 1 and 16.

Command History

Release 8.4: This command was introduced.

Examples

The following example shows how to enable Captive Network Bypass:

(Cisco Controller) > config wlan security web-auth captive-bypass enable 1

config wlan security web-auth qrscan-des-key

To configure the QR-scan DES key in a WLAN, use the config wlan security web-auth qrscan-des-key command.

config wlan security web-auth qrscan-des-key {DES key string wlan_id}

Syntax Description

DES key string: Enter the DES key of 8 characters.
wlan-id: Enter WLAN Identifier between 1 and 16.

Command History

Release 8.4: This command was introduced.

Examples

The following example shows how to configure the QR-scan DES key:

(Cisco Controller) > config wlan security web-auth qrscan-des-key 1

config wlan security web-passthrough acl

To add an access control list (ACL) to the wireless LAN definition, use the config wlan security web-passthrough acl command.

config wlan security web-passthrough acl {wlan_id | foreignAp} {acl_name | none}

Syntax Description

wlan_id      Wireless LAN identifier between 1 and 512.
foreignAp    Specifies third-party access points.
acl_name     ACL name (up to 32 alphanumeric characters).
none         Specifies that there is no ACL.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to add an ACL to the wireless LAN definition:

(Cisco Controller) > config wlan security web-passthrough acl 1 ACL03

config wlan security web-passthrough disable

To disable a web captive portal with no authentication required on a wireless LAN, use the config wlan security web-passthrough disable command.

config wlan security web-passthrough disable {wlan_id | foreignAp}

Syntax Description

wlan_id      Wireless LAN identifier between 1 and 512.
foreignAp    Specifies third-party access points.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to disable a web captive portal with no authentication required on wireless LAN ID 1:

(Cisco Controller) > config wlan security web-passthrough disable 1

config wlan security web-passthrough email-input

To configure a web captive portal using an e-mail address, use the config wlan security web-passthrough email-input command.

config wlan security web-passthrough email-input {enable | disable} {wlan_id | foreignAp}

Syntax Description

email-input    Configures a web captive portal using an e-mail address.
enable         Enables a web captive portal using an e-mail address.
disable        Disables a web captive portal using an e-mail address.
wlan_id        Wireless LAN identifier between 1 and 512.
foreignAp      Specifies third-party access points.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure a web captive portal using an e-mail address:

(Cisco Controller) > config wlan security web-passthrough email-input enable 1

config wlan security web-passthrough enable

To enable a web captive portal with no authentication required on the wireless LAN, use the config wlan security web-passthrough enable command.

config wlan security web-passthrough enable {wlan_id | foreignAp}

Syntax Description

wlan_id      Wireless LAN identifier between 1 and 512.
foreignAp    Specifies third-party access points.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable a web captive portal with no authentication required on wireless LAN ID 1:

(Cisco Controller) > config wlan security web-passthrough enable 1

config wlan security web-passthrough qr-scan

To enable or disable qr-scan on the WLAN, use the config wlan security web-passthrough qr-scan command.

config wlan security web-passthrough qr-scan {local {enable | disable} | enable | disable}

Syntax Description

local      Configures QR code scanning support locally on AP for clients.
           enable: enables QR code scanning support for clients.
           disable: disables QR code scanning support for clients.
enable     Enables QR code scanning support for clients.
disable    Disables QR code scanning support for clients.
wlan-id    Enter WLAN Identifier between 1 and 16.

Command Default

None

Command History

Release    Modification
8.4        This command was introduced.

Examples

The following example shows how to enable qr-scan on WLAN ID 1:

(Cisco Controller) > config wlan security web-passthrough qr-scan enable 1

config wlan security wpa akm 802.1x

To configure authentication key-management (AKM) using 802.1X, use the config wlan security wpa akm 802.1x command.

config wlan security wpa akm 802.1x {enable | disable} wlan_id

Syntax Description

enable     Enables the 802.1X support.
disable    Disables the 802.1X support.
wlan_id    Wireless LAN identifier from 1 to 512.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure authentication using 802.1X:

(Cisco Controller) > config wlan security wpa akm 802.1x enable 1

config wlan security wpa akm cckm

To configure authentication key-management using Cisco Centralized Key Management (CCKM), use the config wlan security wpa akm cckm command.

config wlan security wpa akm cckm {enable wlan_id | disable wlan_id | timestamp-tolerance}

Syntax Description

enable                 Enables CCKM support.
disable                Disables CCKM support.
wlan_id                Wireless LAN identifier between 1 and 512.
timestamp-tolerance    CCKM IE time-stamp tolerance. The range is between 1000 to 5000 milliseconds; the default is 1000 milliseconds.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure authentication key-management using CCKM:

(Cisco Controller) > config wlan security wpa akm cckm 1500

config wlan security wpa akm ft

To configure authentication key-management using 802.11r fast transition 802.1X, use the config wlan security wpa akm ft command.

config wlan security wpa akm ft [over-the-air | over-the-ds | psk | [reassociation-timeout seconds]] {enable | disable} wlan_id

Syntax Description

over-the-air             (Optional) Configures 802.11r fast transition roaming over-the-air support.
over-the-ds              (Optional) Configures 802.11r fast transition roaming DS support.
psk                      (Optional) Configures 802.11r fast transition PSK support.
reassociation-timeout    (Optional) Configures the reassociation deadline interval. The valid range is between 1 to 100 seconds. The default value is 20 seconds.
seconds                  Reassociation deadline interval in seconds.
enable                   Enables 802.11r fast transition 802.1X support.
disable                  Disables 802.11r fast transition 802.1X support.
wlan_id                  Wireless LAN identifier between 1 and 512.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure authentication key-management using 802.11r fast transition:

(Cisco Controller) > config wlan security wpa akm ft reassociation-timeout 25 1

config wlan security wpa akm pmf

To configure Authenticated Key Management (AKM) of management frames, use the config wlan security wpa akm pmf command.

config wlan security wpa akm pmf {802.1x | psk} {enable | disable} wlan_id

Syntax Description

802.1x     Configures 802.1X authentication for protection of management frames (PMF).
psk        Configures preshared keys (PSK) for PMF.
enable     Enables 802.1X authentication or PSK for PMF.
disable    Disables 802.1X authentication or PSK for PMF.
wlan_id    Wireless LAN identifier from 1 to 512.

Command Default

Disabled.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

802.11w has two new AKM suites: 00-0F-AC:5 or 00-0F-AC:6. You must enable WPA and then disable the WLAN to configure PMF on the WLAN.

Examples

The following example shows how to enable 802.1X authentication for PMF in a WLAN:

(Cisco Controller) > config wlan security wpa akm pmf 802.1x enable 1

config wlan security wpa akm psk

To configure the Wi-Fi protected access (WPA) preshared key mode, use the config wlan security wpa akm psk command.

config wlan security wpa akm psk {enable | disable | set-key key-format key} wlan_id

Syntax Description

enable        Enables WPA-PSK.
disable       Disables WPA-PSK.
set-key       Configures a preshared key.
key-format    Specifies key format. Either ASCII or hexadecimal.
key           WPA preshared key.
wlan_id       Wireless LAN identifier between 1 and 512.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the WPA preshared key mode:

(Cisco Controller) > config wlan security wpa akm psk disable 1

config wlan security wpa disable

To disable WPA1, use the config wlan security wpa disable command.

config wlan security wpa disable wlan_id

Syntax Description

wlan_id    Wireless LAN identifier between 1 and 512.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to disable WPA:

(Cisco Controller) > config wlan security wpa disable 1

config wlan security wpa enable

To enable WPA1, use the config wlan security wpa enable command.

config wlan security wpa enable wlan_id

Syntax Description

wlan_id    Wireless LAN identifier between 1 and 512.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the WPA on WLAN ID 1:

(Cisco Controller) > config wlan security wpa enable 1

config wlan security wpa ciphers

To configure the Wi-Fi protected authentication (WPA1) or Wi-Fi protected authentication (WPA2), use the config wlan security wpa ciphers command.

config wlan security wpa {wpa1 | wpa2} ciphers {aes | tkip} {enable | disable} wlan_id

Syntax Description

wpa1       Configures WPA1 support.
wpa2       Configures WPA2 support.
ciphers    Configures WPA ciphers.
aes        Configures AES encryption support.
tkip       Configures TKIP encryption support.
enable     Enables WPA AES/TKIP mode.
disable    Disables WPA AES/TKIP mode.
wlan_id    Wireless LAN identifier between 1 and 512.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

If you do not specify the WPA version, the following is implied:

• If the cipher enabled is AES, you are configuring WPA2/AES.

• If the ciphers enabled are AES+TKIP, you are configuring WPA/TKIP, WPA2/AES, or WPA/TKIP.

• If the cipher enabled is TKIP, you are configuring WPA/TKIP or WPA2/TKIP.

Examples

The following example shows how to encrypt the WPA:

(Cisco Controller) > config wlan security wpa wpa1 ciphers aes enable 1

config wlan security wpa gtk-random

To enable the randomization of group temporal keys (GTK) between access points and clients on a WLAN, use the config wlan security wpa gtk-random command.

config wlan security wpa gtk-random {enable | disable} wlan_id

Syntax Description

enable     Enables the randomization of GTK keys between the access point and clients.
disable    Disables the randomization of GTK keys between the access point and clients.
wlan_id    WLAN identifier between 1 and 512.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

When you enable this command, the clients in the Basic Service Set (BSS) get a unique GTK key. The clients do not receive multicast or broadcast traffic.

Examples

The following example shows how to enable the GTK randomization for each client associated on a WLAN:

(Cisco Controller) > config wlan security wpa gtk-random enable 3

config wlan security wpa osen disable

To disable OSU Server-Only Authenticated L2 Encryption Network (OSEN) on a WLAN, use the config wlan security wpa osen disable command in WLAN configuration mode.

config wlan security wpa osen disable wlan-id

Syntax Description

wlan-id    WLAN identification number. Enter a value between 1 and 512.

Command Default

OSEN is enabled.

Command Modes

WLAN configuration

Command History

Release        Modification
Release 8.2    This command was introduced.

Examples

This example shows how to disable OSEN on a WLAN:

Cisco Controller > config wlan security wpa osen disable 12

config wlan security wpa osen enable

To enable OSU Server-Only Authenticated L2 Encryption Network (OSEN) on a WLAN, use the config wlan security wpa osen enable command in WLAN configuration mode.

config wlan security wpa osen enable wlan-id

Syntax Description

wlan-id    WLAN identification number. Enter a value between 1 and 512.

Command Default

OSEN is not enabled.

Command Modes

WLAN configuration

Command History

Release        Modification
Release 8.2    This command was introduced.

Examples

This example shows how to enable OSEN on a WLAN:

Cisco Controller > config wlan security wpa osen enable 12

config wlan security wpa wpa1 disable

To disable WPA1, use the config wlan security wpa wpa1 disable command.

config wlan security wpa wpa1 disable wlan_id

Syntax Description

wlan_id    Wireless LAN identifier between 1 and 512.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to disable WPA1:

(Cisco Controller) > config wlan security wpa wpa1 disable 1

config wlan security wpa wpa1 enable

To enable WPA1, use the config wlan security wpa wpa1 enable command.

config wlan security wpa wpa1 enable wlan_id

Syntax Description

wlan_id    Wireless LAN identifier between 1 and 512.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable WPA1:

(Cisco Controller) > config wlan security wpa wpa1 enable 1

config wlan security wpa wpa2 disable

To disable WPA2, use the config wlan security wpa wpa2 disable command.

config wlan security wpa wpa2 disable wlan_id

Syntax Description

wlan_id    Wireless LAN identifier between 1 and 512.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to disable WPA2:

(Cisco Controller) > config wlan security wpa wpa2 disable 1

config wlan security wpa wpa2 enable

To enable WPA2, use the config wlan security wpa wpa2 enable command.

config wlan security wpa wpa2 enable wlan_id

Syntax Description

wlan_id    Wireless LAN identifier between 1 and 512.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable WPA2:

(Cisco Controller) > config wlan security wpa wpa2 enable 1

config wlan security wpa wpa2 cache

To configure caching methods on a WLAN, use the config wlan security wpa wpa2 cache command.

config wlan security wpa wpa2 cache sticky {enable | disable} wlan_id

Syntax Description

sticky     Configures Sticky Key Caching (SKC) roaming support on the WLAN.
enable     Enables SKC roaming support on the WLAN.
disable    Disables SKC roaming support on the WLAN.
wlan_id    Wireless LAN identifier between 1 and 512.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

In SKC (Sticky Key caching), also known as PKC (Pro Active Key caching), the client stores each Pairwise Master Key (PMK) ID (PMKID) against a Pairwise Master Key Security Association (PMKSA). When a client finds an AP for which it has a PMKSA, it sends the PMKID in the association request to the AP. If the PMKSA is alive in the AP, the AP provides support for fast roaming. In SKC, full authentication is done on each new AP to which the client associates and the client must keep the PMKSA associated with all APs.

Examples

The following example shows how to enable SKC roaming support on a WLAN:

(Cisco Controller) > config wlan security wpa wpa2 cache sticky enable 1

config wlan security wpa wpa2 cache sticky

To configure Sticky PMKID Caching (SKC) on a WLAN, use the config wlan security wpa wpa2 cache sticky command.

config wlan security wpa wpa2 cache sticky {enable | disable} wlan_id

Syntax Description

enable     Enables SKC on a WLAN.
disable    Disables SKC on a WLAN.
wlan_id    Wireless LAN identifier between 1 and 512 (inclusive).

Command Default

Sticky PMKID Caching is disabled.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

Beginning in Release 7.2 and later releases, the controller supports Sticky PMKID Caching (SKC). With sticky PMKID caching, the client receives and stores a different PMKID for every AP it associates with. The APs also maintain a database of the PMKID issued to the client. In SKC, also known as PKC (Pro Active Key caching), the client stores each Pairwise Master Key (PMK) ID (PMKID) against a Pairwise Master Key Security Association (PMKSA). When a client finds an AP for which it has the PMKSA, it sends the PMKID in the association request to the AP. If the PMKSA is alive in the AP, the AP provides support for fast roaming.

In SKC, full authentication is done on each new AP to which the client associates and the client must keep the PMKSA associated with all APs. For SKC, PMKSA is a per AP cache that the client stores and PMKSA is precalculated based on the BSSID of the new AP.

• You cannot use SKC for large scale deployments as the controller supports SKC only up to eight APs.

• SKC does not work across controllers in a mobility group.

• SKC works only on WPA2-enabled WLANs.

• SKC works only on local mode APs.

Examples

The following example shows how to enable Sticky PMKID Caching on WLAN 5:

(Cisco Controller) > config wlan security wpa wpa2 cache sticky enable 5
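The per-AP caching described in the Usage Guidelines of the two cache commands above can be simulated in a few lines. This Python sketch is an added illustration, not Cisco code: the PMKID formula is the one defined by IEEE 802.11, while the class names, the PMKSA lifetime, the MAC addresses and the random PMK standing in for a full 802.1X authentication are assumptions of the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Assumed PMKSA lifetime for this illustration; the page does not state one.
PMKSA_LIFETIME = 3600  # seconds


def pmkid(pmk: bytes, bssid: bytes, client_mac: bytes) -> bytes:
    """PMKID per IEEE 802.11: first 128 bits of
    HMAC-SHA1(PMK, "PMK Name" || AP address || client address)."""
    mac = hmac.new(pmk, b"PMK Name" + bssid + client_mac, hashlib.sha1)
    return mac.digest()[:16]


@dataclass
class PMKSA:
    pmk: bytes
    pmkid: bytes
    expires_at: float


@dataclass
class AccessPoint:
    bssid: bytes
    # AP-side database of the PMKSAs issued to clients, keyed by client MAC.
    issued: dict = field(default_factory=dict)


@dataclass
class Client:
    mac: bytes
    # SKC: one PMKSA per AP, keyed by that AP's BSSID.
    cache: dict = field(default_factory=dict)


def associate(client: Client, ap: AccessPoint, now: float) -> str:
    """Return "fast-roam" when the client's cached PMKID is still alive on
    this AP; otherwise simulate a full authentication and return "full-auth"."""
    cached = client.cache.get(ap.bssid)
    if cached is not None:
        ap_side = ap.issued.get(client.mac)
        if (ap_side is not None
                and ap_side.expires_at > now
                and hmac.compare_digest(ap_side.pmkid, cached.pmkid)):
            return "fast-roam"
    # Stand-in for 802.1X/EAP: a fresh random PMK per full authentication.
    pmk = os.urandom(32)
    sa = PMKSA(pmk, pmkid(pmk, ap.bssid, client.mac), now + PMKSA_LIFETIME)
    client.cache[ap.bssid] = sa   # client keeps a PMKSA for every AP visited
    ap.issued[client.mac] = sa    # AP records the PMKID it issued
    return "full-auth"


def demo() -> list:
    # Constructed, locally administered MAC addresses.
    ap1 = AccessPoint(bytes.fromhex("02aabbcc0001"))
    ap2 = AccessPoint(bytes.fromhex("02aabbcc0002"))
    sta = Client(bytes.fromhex("02deadbeef01"))
    return [
        associate(sta, ap1, now=0),                     # first visit to AP1
        associate(sta, ap2, now=10),                    # first visit to AP2
        associate(sta, ap1, now=20),                    # back to AP1, PMKSA alive
        associate(sta, ap1, now=PMKSA_LIFETIME + 21),   # AP1 entry has expired
    ]


if __name__ == "__main__":
    print(demo())
```

The first association with each AP is always a full authentication, which is why SKC only speeds up returns to APs the client has already visited.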

config wlan security wpa wpa2 ciphers

To configure WPA2 ciphers and enable or disable Advanced Encryption Standard (AES) or Temporal Key Integrity Protocol (TKIP) data encryption for WPA2, use the config wlan security wpa wpa2 ciphers command.

config wlan security wpa wpa2 ciphers {aes | tkip} {enable | disable} wlan_id

Syntax Description

aes        Configures AES data encryption for WPA2.
tkip       Configures TKIP data encryption for WPA2.
enable     Enables AES or TKIP data encryption for WPA2.
disable    Disables AES or TKIP data encryption for WPA2.
wlan_id    Wireless LAN identifier between 1 and 512.

Command Default

AES is enabled by default.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable AES data encryption for WPA2:

(Cisco Controller) > config wlan security wpa wpa2 ciphers aes enable 1
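The config wlan security commands documented above can be checked before a change script is pushed to a controller. This Python sketch is an added example, not part of the Cisco reference: it replays command lines in order (last setting per WLAN wins) and reports WPA1, TKIP, web-passthrough and QR-scan DES key settings. The sample lines, the key value EXAMPLE8 and the choice of which settings to flag are assumptions of the example.

```python
from collections import defaultdict

PREFIX = "config wlan security "
VERSIONS = ("wpa1", "wpa2")
TOGGLE = ("enable", "disable")

# Constructed sample change script in the syntax documented above.
SAMPLE_COMMANDS = """\
config wlan security wpa enable 1
config wlan security wpa wpa1 enable 1
config wlan security wpa wpa1 ciphers tkip enable 1
config wlan security wpa wpa2 enable 1
config wlan security wpa wpa2 ciphers aes enable 1
config wlan security wpa akm psk enable 1
config wlan security wpa wpa1 disable 2
config wlan security wpa wpa1 ciphers tkip enable 2
config wlan security wpa wpa2 enable 2
config wlan security wpa wpa2 ciphers tkip enable 2
config wlan security wpa wpa2 ciphers tkip disable 2
config wlan security wpa akm 802.1x enable 2
config wlan security web-passthrough enable 3
config wlan security web-auth qrscan-des-key EXAMPLE8 3
"""


def replay(text: str) -> dict:
    """Replay the command lines in order; the last setting per WLAN wins."""
    state = defaultdict(dict)
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith(PREFIX):
            continue
        args = line[len(PREFIX):].split()
        if not args or not args[-1].isdigit() or not 1 <= int(args[-1]) <= 512:
            continue  # foreignAp targets and malformed lines are out of scope
        wlan, body = state[int(args[-1])], args[:-1]
        if len(body) == 3 and body[0] == "wpa" and body[1] in VERSIONS \
                and body[2] in TOGGLE:
            wlan[body[1]] = body[2] == "enable"
        elif len(body) == 5 and body[0] == "wpa" and body[1] in VERSIONS \
                and body[2] == "ciphers" and body[3] in ("aes", "tkip") \
                and body[4] in TOGGLE:
            wlan[body[1] + "/" + body[3]] = body[4] == "enable"
        elif len(body) == 2 and body[0] == "web-passthrough" and body[1] in TOGGLE:
            wlan["web-passthrough"] = body[1] == "enable"
        elif len(body) == 3 and body[:2] == ["web-auth", "qrscan-des-key"]:
            wlan["qrscan-des-key"] = True  # record presence only, never the key
    return state


def audit(text: str) -> dict:
    """Map each WLAN ID seen in the script to a list of findings."""
    report = {}
    for wlan_id, s in sorted(replay(text).items()):
        findings = []
        if s.get("wpa1"):
            findings.append("WPA1 enabled")
        for ver in VERSIONS:
            # A TKIP setting only matters if that WPA version is not disabled.
            if s.get(ver + "/tkip") and s.get(ver) is not False:
                findings.append("TKIP cipher enabled for " + ver.upper())
        if s.get("web-passthrough"):
            findings.append("web-passthrough enabled: captive portal "
                            "with no authentication")
        if s.get("qrscan-des-key"):
            findings.append("QR-scan DES key configured: 8-character DES key")
        report[wlan_id] = findings
    return report


if __name__ == "__main__":
    for wlan_id, findings in audit(SAMPLE_COMMANDS).items():
        print(wlan_id, findings or "no findings")
```

The audit only sees settings that appear in the script, so defaults that were never set explicitly are not evaluated.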

config wlan session-timeout

To change the timeout of wireless LAN clients, use the config wlan session-timeout command.

config wlan session-timeout {wlan_id | foreignAp} seconds

Syntax Description

wlan_id      Wireless LAN identifier between 1 and 512.
foreignAp    Specifies third-party access points.
seconds      Timeout or session duration in seconds. A value of zero is equivalent to no timeout.

Note

The range of session timeout depends on the security type:

• Open system: 0-65535 (sec)

• 802.1x: 300-86400 (sec)

• static wep: 0-65535 (sec)

• cranite: 0-65535 (sec)

• fortress: 0-65535 (sec)

• CKIP: 0-65535 (sec)

• open+web auth: 0-65535 (sec)

• web pass-thru: 0-65535 (sec)

• wpa-psk: 0-65535 (sec)

• disable: To disable reauth/session-timeout timers.

Command Default

None

Usage Guidelines

For 802.1X client security type, which creates the PMK cache, the maximum session timeout that can be set is 86400 seconds when the session timeout is disabled. For other client security such as open, WebAuth, and PSK for which the PMK cache is not created, the session timeout value is shown as infinite when session timeout is disabled.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the client timeout to 6000 seconds for WLAN ID 1:

(Cisco Controller) > config wlan session-timeout 1 6000

config wlan sip-cac disassoc-client

To enable client disassociation in case of session initiation protocol (SIP) call admission control (CAC) failure, use the config wlan sip-cac disassoc-client command.

config wlan sip-cac disassoc-client {enable | disable} wlan_id

Syntax Description

enable     Enables a client disassociation on a SIP CAC failure.
disable    Disables a client disassociation on a SIP CAC failure.
wlan_id    Wireless LAN identifier between 1 and 512.

Command Default

Client disassociation for SIP CAC is disabled.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable a client disassociation on a SIP CAC failure where the WLAN ID is 1:

(Cisco Controller) > config wlan sip-cac disassoc-client enable 1

config wlan sip-cac send-486busy

To configure sending session initiation protocol (SIP) 486 busy message if a SIP call admission control (CAC) failure occurs, use the config wlan sip-cac send-486busy command:

config wlan sip-cac send-486busy {enable | disable} wlan_id

Syntax Description

enable     Enables sending a SIP 486 busy message upon a SIP CAC failure.
disable    Disables sending a SIP 486 busy message upon a SIP CAC failure.
wlan_id    Wireless LAN identifier between 1 and 512.

Command Default

Session initiation protocol is enabled by default.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable sending a SIP 486 busy message upon a SIP CAC failure where the WLAN ID is 1:

(Cisco Controller) > config wlan sip-cac send-486busy enable 1

config wlan static-ip tunneling

To configure static IP client tunneling support on a WLAN, use the config wlan static-ip tunneling command.

config wlan static-ip tunneling {enable | disable} wlan_id

Syntax Description

tunneling    Configures static IP client tunneling support on a WLAN.
enable       Enables static IP client tunneling support on a WLAN.
disable      Disables static IP client tunneling support on a WLAN.
wlan_id      Wireless LAN identifier from 1 to 512.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable static IP client tunneling support for WLAN ID 3:

(Cisco Controller) > config wlan static-ip tunneling enable 34

config wlan uapsd compliant-client enable

To enable WPA1, use the config wlan uapsd compliant-client enable command.

Note

This was introduced for Ascom non-wmm capable phones and is not applicable for Cisco 792x/9971 IP phones.

config wlan uapsd compliant-client enable wlan-id

Syntax Description

wlan_id    Wireless LAN identifier between 1 and 512.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable WPA1:

(Cisco Controller) > config wlan uapsd compliant-client enable 1

config wlan uapsd compliant-client disable

To disable WPA1, use the config wlan uapsd compliant-client disable command.

Note

This was introduced for Ascom non-wmm capable phones and is not applicable for Cisco 792x/9971 IP phones.

config wlan uapsd compliant-client disable wlan-id

Syntax Description

wlan_id    Wireless LAN identifier between 1 and 512.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable WPA1:

(Cisco Controller) > config wlan uapsd compliant-client disable 1

config wlan url-acl

To configure the WLAN's URL ACL, use the config wlan url-acl command.

config wlan url-acl WLAN-id acl-name

Syntax Description

WLAN-id     WLAN Identifier. The range is between 1 and 512.
acl-name    Name of the ACL.

Command Default

None

Command History

Release    Modification
8.3        This command was introduced.

Examples

This example shows how to configure a WLAN URL ACL:

(Cisco Controller) > config wlan url-acl 3 testacl

config wlan user-idle-threshold

To configure the threshold data sent by the client during the idle timeout for client sessions for a WLAN, use the config wlan user-idle-threshold command.

config wlan user-idle-threshold bytes wlan_id

Syntax Description

bytes      Threshold data sent by the client during the idle timeout for the client session for a WLAN. If the client sends traffic less than the defined threshold, the client is removed on timeout. The range is from 0 to 10000000 bytes.
wlan_id    Wireless LAN identifier between 1 and 512.

Command Default

The default timeout for threshold data sent by client during the idle timeout is 0 bytes.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the threshold data sent by the client during the idle timeout for client sessions for a WLAN:

(Cisco Controller) > config wlan user-idle-threshold 100 1

config wlan usertimeout

To configure the timeout for idle client sessions for a WLAN, use the config wlan usertimeout command.

config wlan usertimeout timeout wlan_id

Syntax Description

timeout    Timeout for idle client sessions for a WLAN. If the client sends traffic less than the threshold, the client is removed on timeout. The range is from 15 to 100000 seconds.
wlan_id    Wireless LAN identifier between 1 and 512.

Command Default

The default client session idle timeout is 300 seconds.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

The timeout value that you configure here overrides the global timeout that you define using the command config network usertimeout.

Examples

The following example shows how to configure the idle client sessions for a WLAN:

(Cisco Controller) > config wlan usertimeout 100 1

config wlan webauth-exclude

To release the guest user IP address when the web authentication policy time expires and exclude the guest user from acquiring an IP address for three minutes, use the config wlan webauth-exclude command.

config wlan webauth-exclude wlan_id {enable | disable}

Syntax Description

wlan_id    Wireless LAN identifier (1 to 512).
enable     Enables web authentication exclusion.
disable    Disables web authentication exclusion.

Command Default

Disabled.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

You can use this command for guest WLANs that are configured with web authentication.

This command is applicable when you configure the internal DHCP scope on the controller.

By default, when the web authentication timer expires for a guest user, the guest user can immediately reassociate with the same IP address before another guest user can acquire the IP address. If there are many guest users or limited IP addresses in the DHCP pool, some guest users might not be able to acquire an IP address.

When you enable this feature on the guest WLAN, the guest user’s IP address is released when the web authentication policy time expires and the guest user is excluded from acquiring an IP address for three minutes. The IP address is available for another guest user to use. After three minutes, the excluded guest user can reassociate and acquire an IP address, if available.

Examples

The following example shows how to enable the web authentication exclusion for WLAN ID 5:

(Cisco Controller) > config wlan webauth-exclude 5 enable

1268

Cisco Wireless Controller Command Reference, Release 8.4

config wlan wifidirect config wlan wifidirect

To configure Wi-Fi Direct Client Policy on a WLAN, use the config wlan wifidirect command.

config wlan wifidirect {allow | disable | not-allow | xconnect-not-allow} wlan_id

Syntax Description

allow    Allows Wi-Fi Direct clients to associate with the WLAN.

disable    Ignores the Wi-Fi Direct status of clients, thereby allowing Wi-Fi Direct clients to associate.

not-allow    Disallows the Wi-Fi Direct clients from associating with the WLAN.

xconnect-not-allow    Enables the AP to allow a client with the Wi-Fi Direct option enabled to associate, but the client (if it works according to the Wi-Fi standards) will refrain from setting up a peer-to-peer connection.

wlan_id    Wireless LAN identifier (1 to 16).

Command Default

None

Command History

Release    Modification

7.6    This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to allow Wi-Fi Direct Client Policy on WLAN ID 1:

(Cisco Controller) > config wlan wifidirect allow 1

config wlan wmm

To configure Wi-Fi Multimedia (WMM) mode on a wireless LAN, use the config wlan wmm command.

config wlan wmm {allow | disable | require} wlan_id

Syntax Description

allow    Allows WMM on the wireless LAN.

disable    Disables WMM on the wireless LAN.

require    Specifies that clients use WMM on the specified wireless LAN.

wlan_id    Wireless LAN identifier (1 to 512).

Command Default

None

Command History

Release    Modification

7.6    This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

When the controller is in Layer 2 mode and WMM is enabled, you must put the access points on a trunk port in order to allow them to join the controller.

Examples

The following example shows how to configure wireless LAN ID 1 to allow WMM:

(Cisco Controller) > config wlan wmm allow 1

The following example shows how to configure wireless LAN ID 1 to specify that clients use WMM:

(Cisco Controller) > config wlan wmm require 1

config wps ap-authentication

To configure access point neighbor authentication, use the config wps ap-authentication command.

config wps ap-authentication [enable | disable threshold threshold_value]

Syntax Description

enable    (Optional) Enables WMM on the wireless LAN.

disable    (Optional) Disables WMM on the wireless LAN.

threshold    (Optional) Specifies that WMM-enabled clients are on the wireless LAN.

threshold_value    Threshold value (1 to 255).

Command Default

None

Command History

Release    Modification

7.6    This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the access point neighbor authentication:

(Cisco Controller) > config wps ap-authentication threshold 25

Related Commands

show wps ap-authentication summary

config wps auto-immune

To enable or disable protection from Denial of Service (DoS) attacks, use the config wps auto-immune command.

config wps auto-immune {enable | disable | stop}

Syntax Description

enable    Enables the auto-immune feature.

disable    Disables the auto-immune feature.

stop    Stops dynamic auto-immune feature.

Command Default

Disabled

Command History

Release    Modification

7.6    This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

A potential attacker can use specially crafted packets to mislead the Intrusion Detection System (IDS) into treating a legitimate client as an attacker. This causes the controller to disconnect the legitimate client, effectively launching a DoS attack against it. The auto-immune feature, when enabled, is designed to protect against such attacks. However, conversations using Cisco 792x phones might be interrupted intermittently when the auto-immune feature is enabled. If you experience frequent disruptions when using 792x phones, you might want to disable this feature.

Examples

The following example shows how to configure the auto-immune mode:

(Cisco Controller) > config wps auto-immune enable

The following example shows how to stop the auto-immune mode:

(Cisco Controller) > config wps auto-immune stop

Dynamic Auto Immune by WIPS is stopped

Related Commands

show wps summary

config wps cids-sensor

To configure Intrusion Detection System (IDS) sensors for the Wireless Protection System (WPS), use the config wps cids-sensor command.

config wps cids-sensor { [add index ip_address username password] | [delete index] | [enable index] | [disable index] | [port index port] | [interval index query_interval] | [fingerprint sha1 fingerprint] }

Syntax Description

add    (Optional) Configures a new IDS sensor.

index    IDS sensor internal index.

ip_address    IDS sensor IP address.

username    IDS sensor username.

password    IDS sensor password.

delete    (Optional) Deletes an IDS sensor.

enable    (Optional) Enables an IDS sensor.

disable    (Optional) Disables an IDS sensor.

port    (Optional) Configures the IDS sensor’s port number.

port    Port number.

interval    (Optional) Specifies the IDS sensor’s query interval.

query_interval    Query interval setting.

fingerprint    (Optional) Specifies the IDS sensor’s TLS fingerprint.

sha1    (Optional) Specifies the TLS fingerprint.

fingerprint    TLS fingerprint.

Command Default

The command defaults are as follows:

Port    443

Query interval    60

Certification fingerprint    00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00

Query state    Disabled

Command History

Release    Modification

7.6    This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the intrusion detection system with the IDS index 1, IDS sensor IP address 10.0.0.51, IDS username Sensor_user0doc1, and IDS password password01:

(Cisco Controller) > config wps cids-sensor add 1 10.0.0.51 Sensor_user0doc1 password01

Related Commands

show wps cids-sensor detail

config wps client-exclusion

To configure client exclusion policies, use the config wps client-exclusion command.

config wps client-exclusion {802.11-assoc | 802.11-auth | 802.1x-auth | ip-theft | web-auth | all} {enable | disable}

Syntax Description

802.11-assoc    Specifies that the controller excludes clients on the sixth 802.11 association attempt, after five consecutive failures.

802.11-auth    Specifies that the controller excludes clients on the sixth 802.11 authentication attempt, after five consecutive failures.

802.1x-auth    Specifies that the controller excludes clients on the sixth 802.1X authentication attempt, after five consecutive failures.

ip-theft    Specifies that the controller excludes clients if the IP address is already assigned to another device.

web-auth    Specifies that the controller excludes clients on the fourth web authentication attempt, after three consecutive failures.

all    Specifies that the controller excludes clients for all of the above reasons.

enable    Enables client exclusion policies.

disable    Disables client exclusion policies.

Command Default

All policies are enabled.

Command History

Release    Modification

7.6    This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to disable the exclusion of clients on the sixth 802.11 association attempt, after five consecutive failures:

(Cisco Controller) > config wps client-exclusion 802.11-assoc disable

Related Commands

show wps summary

config wps mfp

To configure Management Frame Protection (MFP), use the config wps mfp command.

config wps mfp {infrastructure | ap-impersonation} {enable | disable}

Syntax Description

infrastructure    Configures the MFP infrastructure.

ap-impersonation    Configures AP impersonation detection by MFP.

enable    Enables the MFP feature.

disable    Disables the MFP feature.

Command Default

None

Command History

Release    Modification

7.6    This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable the infrastructure MFP:

(Cisco Controller) > config wps mfp infrastructure enable

Related Commands

show wps mfp

config wps shun-list re-sync

To force the controller to synchronize with other controllers in the mobility group for the shun list, use the config wps shun-list re-sync command.

config wps shun-list re-sync

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release    Modification

7.6    This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the controller to synchronize with other controllers for the shun list:

(Cisco Controller) > config wps shun-list re-sync

Related Commands

show wps shun-list

config wps signature

To enable or disable Intrusion Detection System (IDS) signature processing, or to enable or disable a specific IDS signature, use the config wps signature command.

config wps signature {standard | custom} state signature_id {enable | disable}

Syntax Description

standard    Configures a standard IDS signature.

custom    Configures a standard IDS signature.

state    Specifies the state of the IDS signature.

signature_id    Identifier for the signature to be enabled or disabled.

enable    Enables the IDS signature processing or a specific IDS signature.

disable    Disables IDS signature processing or a specific IDS signature.

Command Default

IDS signature processing is enabled by default.

Command History

Release    Modification

7.6    This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

If IDS signature processing is disabled, all signatures are disabled, regardless of the state configured for individual signatures.

Examples

The following example shows how to enable IDS signature processing, which enables the processing of all IDS signatures:

(Cisco Controller) > config wps signature enable

The following example shows how to disable a standard individual IDS signature:

(Cisco Controller) > config wps signature standard state 15 disable

Related Commands

config wps signature frequency, config wps signature interval, config wps signature mac-frequency, config wps signature quiet-time, config wps signature reset, show wps signature events, show wps signature summary, show wps summary

config wps signature frequency

To specify the number of matching packets per interval that must be identified at the individual access point level before an attack is detected, use the config wps signature frequency command.

config wps signature frequency signature_id frequency

Syntax Description

signature_id    Identifier for the signature to be configured.

frequency    Number of matching packets per interval that must be identified at the individual access point level before an attack is detected. The range is 1 to 32,000 packets per interval.

Command Default

The frequency default value varies per signature.

Command History

Release    Modification

7.6    This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

If IDS signature processing is disabled, all signatures are disabled, regardless of the state configured for individual signatures.

Examples

The following example shows how to set the number of matching packets per interval per access point before an attack is detected to 1800 for signature ID 4:

(Cisco Controller) > config wps signature frequency 4 1800

Related Commands

config wps signature frequency, config wps signature interval, config wps signature quiet-time, config wps signature reset, show wps signature events, show wps signature summary, show wps summary

config wps signature interval

To specify the number of seconds that must elapse before the signature frequency threshold is reached within the configured interval, use the config wps signature interval command.

config wps signature interval signature_id interval

Syntax Description

signature_id    Identifier for the signature to be configured.

interval    Number of seconds that must elapse before the signature frequency threshold is reached. The range is 1 to 3,600 seconds.

Command Default

The default value of interval varies per signature.

Command History

Release    Modification

7.6    This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

If IDS signature processing is disabled, all signatures are disabled, regardless of the state configured for individual signatures.

Examples

The following example shows how to set the number of seconds to elapse before reaching the signature frequency threshold to 200 for signature ID 1:

(Cisco Controller) > config wps signature interval 1 200

Related Commands

config wps signature frequency, config wps signature, config wps signature mac-frequency, config wps signature quiet-time, config wps signature reset, show wps signature events, show wps signature summary, show wps summary

config wps signature mac-frequency

To specify the number of matching packets per interval that must be identified per client per access point before an attack is detected, use the config wps signature mac-frequency command.

config wps signature mac-frequency signature_id mac_frequency

Syntax Description

signature_id    Identifier for the signature to be configured.

mac_frequency    Number of matching packets per interval that must be identified per client per access point before an attack is detected. The range is 1 to 32,000 packets per interval.

Command Default

The mac_frequency default value varies per signature.

Command History

Release    Modification

7.6    This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

If IDS signature processing is disabled, all signatures are disabled, regardless of the state configured for individual signatures.

Examples

The following example shows how to set the number of matching packets per interval per client before an attack is detected to 50 for signature ID 3:

(Cisco Controller) > config wps signature mac-frequency 3 50

Related Commands

config wps signature frequency, config wps signature interval, config wps signature, config wps signature quiet-time, config wps signature reset, show wps signature events, show wps signature summary, show wps summary

config wps signature quiet-time

To specify the length of time after which no attacks have been detected at the individual access point level and the alarm can stop, use the config wps signature quiet-time command.

config wps signature quiet-time signature_id quiet_time

Syntax Description

signature_id    Identifier for the signature to be configured.

quiet_time    Length of time after which no attacks have been detected at the individual access point level and the alarm can stop. The range is 60 to 32,000 seconds.

Command Default

The default value of quiet_time varies per signature.

Command History

Release    Modification

7.6    This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

If IDS signature processing is disabled, all signatures are disabled, regardless of the state configured for individual signatures.

Examples

The following example shows how to set the number of seconds after which no attacks have been detected per access point to 60 for signature ID 1:

(Cisco Controller) > config wps signature quiet-time 1 60

Related Commands

config wps signature, config wps signature frequency, config wps signature interval, config wps signature mac-frequency, config wps signature reset, show wps signature events, show wps signature summary, show wps summary
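The frequency, mac-frequency, interval, and quiet-time settings described above work together, so the following added example (not Cisco code and not part of the original reference) models them over constructed frame events. The sliding-window counting and the alarm-stop rule are assumptions about how the documented parameters combine; SignatureTracker, replay, and the sample AP names and MAC addresses are hypothetical.

```python
"""Model of the per-signature IDS thresholds (added example, not Cisco code)."""
from collections import defaultdict, deque
from dataclasses import dataclass, field

# Value ranges as documented for each "config wps signature" sub-command.
RANGES = {
    "frequency": (1, 32000),      # matching packets per interval, per AP
    "mac_frequency": (1, 32000),  # matching packets per interval, per client per AP
    "interval": (1, 3600),        # seconds
    "quiet_time": (60, 32000),    # seconds
}


@dataclass
class SignatureTracker:
    """Hypothetical tracker for one signature; the window logic is an assumption."""
    frequency: int
    mac_frequency: int
    interval: int
    quiet_time: int
    _ap_hits: dict = field(default_factory=lambda: defaultdict(deque), init=False)
    _mac_hits: dict = field(default_factory=lambda: defaultdict(deque), init=False)
    _last_detect: dict = field(default_factory=dict, init=False)

    def __post_init__(self):
        # Reject values the CLI would not accept according to the documented ranges.
        for name, (low, high) in RANGES.items():
            value = getattr(self, name)
            if not low <= value <= high:
                raise ValueError(f"{name}={value} is outside {low}-{high}")

    def _count(self, window, now):
        """Add one hit and return how many hits fall in the last `interval` seconds."""
        window.append(now)
        while window[0] <= now - self.interval:
            window.popleft()
        return len(window)

    def observe(self, now, ap, src_mac):
        """Record one frame that matched the signature; return the alarms it raises."""
        alarms = []
        if self._count(self._ap_hits[ap], now) >= self.frequency:
            alarms.append(("ap", ap))
        if self._count(self._mac_hits[(ap, src_mac)], now) >= self.mac_frequency:
            alarms.append(("mac", ap, src_mac))
        for alarm in alarms:
            self._last_detect[alarm] = now
        return alarms

    def active_alarms(self, now):
        """An alarm stops once quiet_time seconds pass without a new detection."""
        return sorted(a for a, t in self._last_detect.items() if now - t < self.quiet_time)


def replay(tracker, events):
    """Feed (time, ap, src_mac) tuples in time order; map each alarm to its first time."""
    first_seen = {}
    for now, ap, src_mac in sorted(events):
        for alarm in tracker.observe(now, ap, src_mac):
            first_seen.setdefault(alarm, now)
    return first_seen


# Constructed sample: times are in seconds; AP names and MAC addresses are made up.
SAMPLE_EVENTS = [
    # One client sends 3 matching frames within the interval on AP01.
    (0, "AP01", "02:00:00:00:00:01"),
    (1, "AP01", "02:00:00:00:00:01"),
    (2, "AP01", "02:00:00:00:00:01"),
    # Two more clients push AP01 to 5 matching frames within the interval.
    (3, "AP01", "02:00:00:00:00:02"),
    (4, "AP01", "02:00:00:00:00:03"),
    # A slow sender on AP02 never has more than one frame inside a window.
    (0, "AP02", "02:00:00:00:00:09"),
    (20, "AP02", "02:00:00:00:00:09"),
    (40, "AP02", "02:00:00:00:00:09"),
]

if __name__ == "__main__":
    tracker = SignatureTracker(frequency=5, mac_frequency=3, interval=10, quiet_time=60)
    for alarm, when in replay(tracker, SAMPLE_EVENTS).items():
        print(f"t={when:>3}s first detection: {alarm}")
    print("active at t=62s:", tracker.active_alarms(62))
```

A low mac-frequency catches a single noisy client early, while the per-AP frequency catches matches spread across several source addresses; a sender slower than one window's worth of frames stays below both.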

config wps signature reset

To reset a specific Intrusion Detection System (IDS) signature or all IDS signatures to default values, use the config wps signature reset command.

config wps signature reset {signature_id | all}

Syntax Description

signature_id    Identifier for the specific IDS signature to be reset.

all    Resets all IDS signatures.

Command Default

None

Command History

Release    Modification

7.6    This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

If IDS signature processing is disabled, all signatures are disabled, regardless of the state configured for individual signatures.

Examples

The following example shows how to reset the IDS signature 1 to default values:

(Cisco Controller) > config wps signature reset 1

Related Commands

config wps signature, config wps signature frequency, config wps signature interval, config wps signature mac-frequency, config wps signature quiet-time, show wps signature events, show wps signature summary, show wps summary

PART IV

Debug Commands

Debug Commands: 802.11

Debug Commands: a to i

Debug Commands: j to q

Debug Commands: r to z

Debug Commands: 802.11

debug 11k

debug 11w-pmf

debug 11v all

debug 11v detail

debug 11v error

debug 11k

To configure the debugging of 802.11k settings, use the debug 11k command.

debug 11k {all | detail | errors | events | history | optimization | simulation} {enable | disable}

Syntax Description

all    Configures the debugging of all 802.11k messages.

detail    Configures the debugging of 802.11k details.

errors    Configures the debugging of 802.11k errors.

events    Configures the debugging of all 802.11k events.

history    Configures the debugging of all 802.11k history. The Cisco WLC collects roam history of the client.

optimization    Configures the debugging of 802.11k optimizations. You can view optimization steps of neighbor lists.

simulation    Configures the debugging of 802.11k simulation data. You can view details of client roaming parameters and import them for offline simulation.

enable    Enables the 802.11k debugging.

disable    Disables the 802.11k debugging.

Command Default

None.

Examples

This example shows how to enable the debugging of 802.11k simulation data:

(Cisco Controller) > debug 11k simulation enable

Related Commands

config assisted-roaming, config wlan assisted-roaming, show assisted-roaming

debug 11w-pmf

To configure the debugging of 802.11w, use the debug 11w-pmf command.

debug 11w-pmf {all | events | keys} {enable | disable}

Syntax Description

all    Configures the debugging of all 802.11w messages.

keys    Configures the debugging of 802.11w keys.

events    Configures the debugging of 802.11w events.

enable    Enables the debugging of 802.11w options.

disable    Disables the debugging of 802.11w options.

Command Default

None

Command History

Release    Modification

7.6    This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable the debugging of 802.11w keys:

(Cisco Controller) > debug 11w-pmf keys enable

debug 11v all

To configure the 802.11v debug options, use the debug 11v all command.

debug 11v all {enable | disable}

Syntax Description

enable    Enables all the debug.

disable    Disables all the debug.

Command Default

None

Command History

Release    Modification

8.1    This command was introduced.

Examples

The following example shows how to enable all the debug:

(Cisco Controller) > debug 11v all enable

debug 11v detail

To configure the 802.11v debug details, use the debug 11v detail command.

debug 11v detail {enable | disable}

Syntax Description

enable    Enables debug details.

disable    Disables debug details.

Command Default

None

Command History

Release    Modification

8.1    This command was introduced.

Examples

The following example shows how to enable 802.11v debug details:

(Cisco Controller) > debug 11v detail enable

debug 11v error

To configure the 802.11v error debug options, use the debug 11v errors command.

debug 11v errors {enable | disable}

Syntax Description

enable    Enables error debug.

disable    Disables error debug.

Command Default

None

Command History

Release    Modification

8.1    This command was introduced.

Examples

The following example shows how to enable 802.11v error debug:

(Cisco Controller) > debug 11v error enable


Debug Commands: a to i

debug aaa

debug aaa events

debug aaa local-auth

debug airewave-director

debug ap

debug ap enable

debug ap packet-dump

debug ap show stats

debug ap show stats video

debug arp

debug avc

debug bcast

debug call-control

debug capwap

debug capwap reap

debug ccxdiag

debug ccxrm

debug ccxs69

debug cckm

debug client

debug cts aaa

debug cts authz

debug cts capwap

debug cts env-data

debug cts ha

debug cts key-store

debug cts provisioning

debug cts sgt

debug cts sxp

debug cac

debug cdp

debug crypto

debug dhcp

debug dhcp service-port

debug disable-all

debug dns

debug dot11

debug dot11

debug dot11 mgmt interface

debug dot11 mgmt msg

debug dot11 mgmt ssid

debug dot11 mgmt state-machine

debug dot11 mgmt station

debug dot1x

debug dtls

debug fastpath

debug flexconnect avc

debug flexconnect aaa

debug flexconnect acl

debug flexconnect cckm

debug group

debug fmchs

debug flexconnect client ap

debug flexconnect client ap syslog

debug flexconnect client group

debug flexconnect client group syslog

debug flexconnect group

debug ft

debug hotspot

debug ipv6

debug aaa

To configure the debugging of AAA settings, use the debug aaa command.

debug aaa {[all | detail | events | packet | ldap | local-auth | tacacs] [enable | disable]}

Syntax Description

all    (Optional) Configures the debugging of all AAA messages.

detail    (Optional) Configures the debugging of AAA errors.

events    (Optional) Configures the debugging of AAA events.

packet    (Optional) Configures the debugging of AAA packets.

ldap    (Optional) Configures the debugging of the AAA Lightweight Directory Access Protocol (LDAP) events.

local-auth    (Optional) Configures the debugging of the AAA local Extensible Authentication Protocol (EAP) events.

tacacs    (Optional) Configures the debugging of the AAA TACACS+ events.

enable    (Optional) Enables the debugging.

disable    (Optional) Disables the debugging.

Command Default

None

Command History

Release    Modification

7.6    This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable the debugging of AAA LDAP events:

(Cisco Controller) > debug aaa ldap enable

Related Commands

debug aaa local-auth eap, show running-config

debug aaa events

To configure the debugging related to DNS-based ACLs, use the debug aaa events enable command.

debug aaa events enable

Syntax Description

events    Configures the debugging of DNS-based ACLs.

Command History

Release    Modification

7.6    This command was introduced.

Examples

The following example shows how to enable the debugging for DNS-based ACLs:

(Cisco Controller) > debug aaa events enable

debug aaa local-auth

To configure the debugging of AAA local authentication on the Cisco WLC, use the debug aaa local-auth command.

debug aaa local-auth {db | shim | eap {framework | method} {all | errors | events | packets | sm}} {enable | disable}

Syntax Description

db    Configures the debugging of the AAA local authentication back-end messages and events.

shim    Configures the debugging of the AAA local authentication shim layer events.

eap    Configures the debugging of the AAA local Extensible Authentication Protocol (EAP) authentication.

framework    Configures the debugging of the local EAP framework.

method    Configures the debugging of local EAP methods.

all    Configures the debugging of local EAP messages.

errors    Configures the debugging of local EAP errors.

events    Configures the debugging of local EAP events.

packets    Configures the debugging of local EAP packets.

sm    Configures the debugging of the local EAP state machine.

enable    Starts the debugging.

disable    Stops the debugging.

Command Default

None

Command History

Release    Modification

7.6    This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable the debugging of the AAA local EAP authentication:

(Cisco Controller) > debug aaa local-auth eap method all enable

Related Commands

clear stats local-auth, config local-auth active-timeout, config local-auth eap-profile, config local-auth method fast, config local-auth user-credentials, show local-auth certificates, show local-auth config, show local-auth statistics

debug airewave-director

To configure the debugging of Airewave Director software, use the debug airewave-director command.

debug airewave-director {all | channel | detail | error | group | manager | message | packet | power | profile | radar | rf-change} {enable | disable}

Syntax Description

all    Configures the debugging of all Airewave Director logs.

channel    Configures the debugging of the Airewave Director channel assignment protocol.

detail    Configures the debugging of the Airewave Director detail logs.

error    Configures the debugging of the Airewave Director error logs.

group    Configures the debugging of the Airewave Director grouping protocol.

manager    Configures the debugging of the Airewave Director manager.

message    Configures the debugging of the Airewave Director messages.

packet    Configures the debugging of the Airewave Director packets.

power    Configures the debugging of the Airewave Director power assignment protocol and coverage hole detection.

profile    Configures the debugging of the Airewave Director profile events.

radar    Configures the debugging of the Airewave Director radar detection/avoidance protocol.

rf-change    Configures the debugging of the Airewave Director RF changes.

enable    Enables the Airewave Director debugging.

disable    Disables the Airewave Director debugging.

Command Default

None

Command History

Release    Modification

7.6    This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable the debugging of Airewave Director profile events:

(Cisco Controller) > debug airewave-director profile enable

Related Commands

debug disable-all, show sysinfo

debug ap

To configure the remote debugging of Cisco lightweight access points or to remotely execute a command on a lightweight access point, use the debug ap command.

debug ap {enable | disable | command cmd} cisco_ap

Syntax Description

enable    Enables the debugging on a lightweight access point.

Note: The debugging information is displayed only to the controller console and does not send output to a controller Telnet/SSH CLI session.

disable    Disables the debugging on a lightweight access point.

Note: The debugging information is displayed only to the controller console and does not send output to a controller Telnet/SSH CLI session.

command    Specifies that a CLI command is to be executed on the access point.

cmd    Command to be executed.

Note: The command to be executed must be enclosed in double quotes, such as debug ap command "led flash 30" AP03. The output of the command displays only to the controller console and does not send output to a controller Telnet/SSH CLI session.

cisco_ap    Name of a Cisco lightweight access point.

Command Default

The remote debugging of Cisco lightweight access points is disabled.

Command History

Release    Modification

7.6    This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable the remote debugging on access point AP01:

(Cisco Controller) >

debug ap enable AP01

The following example shows how to execute the config ap location command on access point AP02:

(Cisco Controller) >

debug ap command

config ap location "Building 1" AP02

The following example shows how to execute the flash LED command on access point AP03:

(Cisco Controller) >

debug ap command

led flash 30AP03

Cisco Wireless Controller Command Reference, Release 8.4

1307

debug ap enable

To configure the remote debugging of Cisco lightweight access points or to remotely execute a command on a lightweight access point, use the debug ap enable command.

debug ap {enable | disable | command cmd} cisco_ap

Syntax Description

enable: Enables the remote debugging.

Note: The debugging information is displayed only on the controller console and is not sent to a controller Telnet/SSH CLI session.

disable: Disables the remote debugging.

command: Specifies that a CLI command is to be executed on the access point.

cmd: Command to be executed.

Note: The command to be executed must be enclosed in double quotes, such as debug ap command "led flash 30" AP03. The output of the command is displayed only on the controller console and is not sent to a controller Telnet/SSH CLI session.

cisco_ap: Cisco lightweight access point name.

Command Default

None

Command History

Release: 7.6

Modification: This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable the remote debugging on access point AP01:

(Cisco Controller) > debug ap enable AP01

The following example shows how to disable the remote debugging on access point AP02:

(Cisco Controller) > debug ap disable AP02

The following example shows how to execute the flash LED command on access point AP03:

(Cisco Controller) > debug ap command "led flash 30" AP03


debug ap packet-dump

To configure the debugging of Packet Capture, use the debug ap packet-dump command.

debug ap packet-dump {enable | disable}

Syntax Description

enable: Enables the debugging of Packet Capture of an access point.

disable: Disables the debugging of Packet Capture of an access point.

Command Default

Debugging of Packet Capture is disabled.

Command History

Release: 7.6

Modification: This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

Packet Capture does not work during inter-Cisco WLC roaming.

The Cisco WLC does not capture packets created in the radio firmware and sent out of the access point, such as beacon or probe response. Only packets that flow through the radio driver in the Tx path will be captured.

Examples

The following example shows how to enable the debugging of Packet Capture from an access point:

(Cisco Controller) > debug ap packet-dump enable


debug ap show stats

To debug video messages and statistics of Cisco lightweight access points, use the debug ap show stats command.

debug ap show stats {802.11a | 802.11b} cisco_ap {tx-queue | packet | load | multicast | client {client_MAC | video | all} | video metrics}

debug ap show stats video cisco_ap {multicast mgid mgid_database_number | admission | bandwidth}

Syntax Description

802.11a: Specifies the 802.11a network.

802.11b: Specifies the 802.11b/g network.

cisco_ap: Cisco lightweight access point name.

tx-queue: Displays the transmit queue traffic statistics of the AP.

packet: Displays the packet statistics of the AP.

load: Displays the QoS Basic Service Set (QBSS) and other statistics of the AP.

multicast: Displays the multicast supported rate statistics of the AP.

client: Displays the specified client metric statistics.

client_MAC: MAC address of the client.

video: Displays video statistics of all clients on the AP.

all: Displays statistics of all clients on the AP.

video metrics: Displays the video metric statistics.

mgid: Displays detailed multicast information for a single multicast group ID (MGID).

mgid_database_number: Layer 2 MGID database number.

admission: Displays video admission control on the AP.

bandwidth: Displays video bandwidth on the AP.

Command Default

None


Command History

Release: 7.6

Modification: This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to troubleshoot the access point AP01’s transmit queue traffic on an 802.11a network:

(Cisco Controller) > debug ap show stats 802.11a AP01 tx-queue

The following example shows how to troubleshoot the access point AP02’s multicast supported rates on an 802.11b/g network:

(Cisco Controller) > debug ap show stats 802.11b AP02 multicast

The following example shows how to troubleshoot the metrics of a client identified by its MAC address, associated with the access point AP01 on an 802.11a network:

(Cisco Controller) > debug ap show stats 802.11a AP01 client 00:40:96:a8:f7:98

The following example shows how to troubleshoot the metrics of all clients associated with the access point AP01 on an 802.11a network:

(Cisco Controller) > debug ap show stats 802.11a AP01 client all


debug ap show stats video

To configure the debugging of video messages and statistics of Cisco lightweight access points, use the debug ap show stats video command.

debug ap show stats video cisco_ap {multicast mgid mgid_value | admission | bandwidth}

Syntax Description

cisco_ap: Cisco lightweight access point name.

multicast mgid: Displays multicast database related information for the specified MGID of an access point.

mgid_value: Layer 2 MGID database number from 1 to 4095.

admission: Displays the video admission control.

bandwidth: Displays the video bandwidth.

Command Default

None

Command History

Release: 7.6

Modification: This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the debugging of an access point AP01’s multicast group that is identified by the group’s Layer 2 MGID database number:

(Cisco Controller) > debug ap show stats video AP01 multicast mgid 50

This example shows how to configure the debugging of an access point AP01’s video bandwidth:

(Cisco Controller) > debug ap show stats video AP01 bandwidth


debug arp

To configure the debugging of Address Resolution Protocol (ARP) options, use the debug arp command.

debug arp {all | detail | events | message} {enable | disable}

Syntax Description

all: Configures the debugging of all ARP logs.

detail: Configures the debugging of ARP detail messages.

error: Configures the debugging of ARP errors.

message: Configures the debugging of ARP messages.

enable: Enables the ARP debugging.

disable: Disables the ARP debugging.

Command Default

None

Command History

Release: 7.6

Modification: This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable ARP debug settings:

(Cisco Controller) > debug arp error enable

The following example shows how to disable ARP debug settings:

(Cisco Controller) > debug arp error disable

Related Commands

debug disable-all

show sysinfo


debug avc

To configure the debugging of Application Visibility and Control (AVC) options, use the debug avc error command.

debug avc {events | error} {enable | disable}

Syntax Description

events: Configures the debugging of AVC events.

error: Configures the debugging of AVC errors.

enable: Enables the debugging of AVC events or errors.

disable: Disables the debugging of AVC events or errors.

Command Default

By default, the debugging of AVC options is disabled.

Command History

Release: 7.6

Modification: This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable the debugging of AVC errors:

(Cisco Controller) > debug avc error enable

Related Commands

config avc profile delete

config avc profile rule

config wlan avc

show avc profile

show avc applications

show avc statistics


debug bcast

To configure the debugging of broadcast options, use the debug bcast command.

debug bcast {all | error | message | igmp | detail} {enable | disable}

Syntax Description

all: Configures the debugging of all broadcast logs.

error: Configures the debugging of broadcast errors.

message: Configures the debugging of broadcast messages.

igmp: Configures the debugging of broadcast IGMP messages.

detail: Configures the debugging of broadcast detailed messages.

enable: Enables the broadcast debugging.

disable: Disables the broadcast debugging.

Command Default

None

Command History

Release: 7.6

Modification: This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable the debugging of broadcast messages:

(Cisco Controller) > debug bcast message enable

The following example shows how to disable the debugging of broadcast messages:

(Cisco Controller) > debug bcast message disable

Related Commands

debug disable-all

show sysinfo


debug call-control

To configure the debugging of the SIP call control settings, use the debug call-control command.

debug call-control {all | event} {enable | disable}

Syntax Description

all: Configures the debugging options for all SIP call control messages.

event: Configures the debugging options for SIP call control events.

enable: Enables the debugging of SIP call control messages or events.

disable: Disables the debugging of SIP call control messages or events.

Command Default

Disabled.

Command History

Release: 7.6

Modification: This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable the debugging of all SIP call control messages:

(Cisco Controller) > debug call-control all enable


debug capwap

To configure the debugging of Control and Provisioning of Wireless Access Points (CAPWAP) settings, use the debug capwap command.

debug capwap {detail | dtls-keepalive | errors | events | hexdump | info | packet | payload | mfp} {enable | disable}

Syntax Description

detail: Configures the debugging for CAPWAP detail settings.

dtls-keepalive: Configures the debugging for CAPWAP DTLS data keepalive packets settings.

errors: Configures the debugging for CAPWAP error settings.

events: Configures the debugging for CAPWAP events settings.

hexdump: Configures the debugging for CAPWAP hexadecimal dump settings.

info: Configures the debugging for CAPWAP info settings.

packet: Configures the debugging for CAPWAP packet settings.

payload: Configures the debugging for CAPWAP payload settings.

mfp: Configures the debugging for CAPWAP mfp settings.

enable: Enables the debugging of the CAPWAP command.

disable: Disables the debugging of the CAPWAP command.

Command Default

None

Command History

Release: 7.6

Modification: This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable the debugging of CAPWAP details:

(Cisco Controller) > debug capwap detail enable


debug capwap reap

To configure the debugging of Control and Provisioning of Wireless Access Points (CAPWAP) settings on a FlexConnect access point, use the debug capwap reap command.

debug capwap reap [mgmt | load]

Syntax Description

mgmt: (Optional) Configures the debugging for client authentication and association messages.

load: (Optional) Configures the debugging for payload activities, which is useful when the FlexConnect access point boots up in standalone mode.

Command Default

None

Command History

Release: 7.6

Modification: This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the debugging of FlexConnect client authentication and association messages:

(Cisco Controller) > debug capwap reap mgmt


debug ccxdiag

To configure debugging of Cisco Compatible Extensions (CCX) diagnostic options, use the debug ccxdiag command.

debug ccxdiag {all | error | event | packet} {enable | disable}

Syntax Description

all: Configures debugging of all the CCX S69 messages.

error: Configures debugging of the CCX S69 errors.

event: Configures debugging of the CCX S69 events.

packet: Configures debugging of the CCX S69 packets.

enable: Enables debugging of the CCX S69 options.

disable: Disables debugging of the CCX S69 options.

Command Default

None

Command History

Release: 7.6

Modification: This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable CCX S69 packets debugging:

(Cisco Controller) > debug ccxdiag packet enable


debug ccxrm

To configure debugging of the Cisco Client eXtension (CCX) Radio Management (RM), use the debug ccxrm command.

debug ccxrm {all | detail | error | location-calibration | message | packet | warning} {enable | disable}

Syntax Description

all: Configures debugging of all CCX RM messages.

detail: Configures detailed debugging of CCX RM.

error: Configures debugging of the CCX RM errors.

location-calibration: Configures debugging of the CCX RM location calibration.

message: Configures debugging of CCX RM messages.

packet: Configures debugging of the CCX RM packets.

warning: Configures debugging of the CCX RM warnings.

enable: Enables debugging of the CCX RM options.

disable: Disables debugging of the CCX RM options.

Command Default

None

Command History

Release: 7.6

Modification: This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable CCX RM debugging:

(Cisco Controller) > debug ccxrm all enable


debug ccxs69

To configure debugging of CCX S69 tasks, use the debug ccxs69 command.

debug ccxs69 {all | error | event} {enable | disable}

Syntax Description

all: Configures debugging of all the CCX S69 messages.

error: Configures debugging of the CCX S69 errors.

event: Configures debugging of the CCX S69 events.

enable: Enables debugging of the CCX S69 options.

disable: Disables debugging of the CCX S69 options.

Command Default

None

Command History

Release: 7.6

Modification: This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable CCX S69 debugging:

(Cisco Controller) > debug ccxs69 all enable


debug cckm

To configure the debugging of the Cisco Centralized Key Management options, use the debug cckm command.

debug cckm {client | detailed} {enable | disable}

Syntax Description

client: Configures debugging of the Cisco Centralized Key Management of clients.

detailed: Configures detailed debugging of Cisco Centralized Key Management.

enable: Enables debugging of Cisco Centralized Key Management.

disable: Disables debugging of Cisco Centralized Key Management.

Command Default

None

Command History

Release: 7.6

Modification: This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable detailed debugging of Cisco Centralized Key Management:

(Cisco Controller) > debug cckm detailed enable


debug client

To configure the debugging for a specific client, use the debug client command.

debug client mac_address

Syntax Description

mac_address: MAC address of the client.

Command Default

None

Usage Guidelines

After entering the debug client mac_address command, if you enter the debug aaa events enable command, then the AAA events logs are displayed for that particular client MAC address.

Command History

Release: 7.6

Modification: This command was introduced.

Examples

The following example shows how to debug a specific client:

(Cisco Controller) > debug client 01:35:6x:yy:21:00


debug cts aaa

To configure the Cisco TrustSec AAA debug options, use the debug cts aaa command.

debug cts aaa {all | errors | events} {enable | disable}

Syntax Description

all: Configures debugging of all the CTS AAA debug options

errors: Configures debugging of all the CTS AAA errors

events: Configures debugging of all the CTS AAA events

enable: Enables debugging

disable: Disables debugging

Command Default

None

Command History

Release: 8.4

Modification: This command was introduced.


debug cts authz

To configure the Cisco TrustSec security group access control list (SGACL) download debug options, use the debug cts authz command.

debug cts authz {aaa | all | errors | events} {enable | disable}

Syntax Description

aaa: Configures debugging of CTS AAA policy

all: Configures debugging of all the CTS policies

errors: Configures debugging of all the CTS policy errors

events: Configures debugging of all the CTS policy events

enable: Enables debugging

disable: Disables debugging

Command Default

None

Command History

Release: 8.4

Modification: This command was introduced.


debug cts capwap

To configure the debug options for Cisco TrustSec policy download over CAPWAP messages, use the debug cts capwap command.

debug cts capwap {messages | all | errors | events} {enable | disable}

Syntax Description

messages: Configures debugging of Protected Access Credential (PAC) CAPWAP messages

all: Configures debugging of all the CTS CAPWAP messages

errors: Configures debugging of the PAC CAPWAP errors

events: Configures debugging of the PAC CAPWAP events

enable: Enables debugging

disable: Disables debugging

Command Default

None

Command History

Release: 8.4

Modification: This command was introduced.


debug cts env-data

To configure Cisco TrustSec environment data debugs, use the debug cts env-data command.

debug cts env-data {all | errors | events} {enable | disable}

Syntax Description

all: Configures debugging of all the CTS environment data

errors: Configures debugging of CTS environment data errors

events: Configures debugging of CTS environment data events

enable: Enables debugging

disable: Disables debugging

Command Default

None

Command History

Release: 8.4

Modification: This command was introduced.


debug cts ha

To configure the Cisco TrustSec High Availability (HA) debug options, use the debug cts ha command.

debug cts ha {all | errors | events} {enable | disable}

Syntax Description

all: Configures debugging of all the CTS HA options

errors: Configures debugging of CTS HA errors

events: Configures debugging of CTS HA events

enable: Enables debugging

disable: Disables debugging

Command Default

None

Command History

Release: 8.4

Modification: This command was introduced.


debug cts key-store

To configure the Cisco TrustSec Key-store debug options, use the debug cts key-store command.

debug cts key-store {enable | disable}

Syntax Description

enable: Enables debugging

disable: Disables debugging

Command Default

None

Command History

Release: 8.4

Modification: This command was introduced.


debug cts provisioning

To configure the Cisco TrustSec PAC Provisioning debug options, use the debug cts provisioning command.

debug cts provisioning {packets | all | errors | events} {enable | disable}

Syntax Description

packets: Configures debugging of PAC provisioning packets

all: Configures debugging of all the PAC provisioning options

errors: Configures debugging of the PAC provisioning errors

events: Configures debugging of the PAC provisioning events

enable: Enables debugging

disable: Disables debugging

Command Default

None

Command History

Release: 8.4

Modification: This command was introduced.


debug cts sgt

To configure debugging of up to 10 SGTs, use the debug cts sgt command.

debug cts sgt {sgt-1 | sgt-2 | sgt-3 | sgt-4 | sgt-5 | sgt-6 | sgt-7 | sgt-8 | sgt-9 | sgt-10}

Syntax Description

sgt-1 to sgt-10: SGT IDs that you have to enter.

Command Default

None

Command History

Release: 8.4

Modification: This command was introduced.


debug cts sxp

To configure debugging of Cisco TrustSec SXP options, use the debug cts sxp command.

debug cts sxp {all | errors | events | framework | message} {enable | disable}

Syntax Description

all: Configures debugging of all the CTS SXP options

errors: Configures debugging of the CTS SXP errors

events: Configures debugging of the CTS SXP events

framework: Configures debugging of the CTS SXP framework

message: Configures debugging of the CTS SXP messages

enable: Enables debugging

disable: Disables debugging

Command Default

None

Command History

Release: 7.6

Modification: This command was introduced in a release earlier than Release 7.6.


debug cac

To configure the debugging of Call Admission Control (CAC) options, use the debug cac command.

debug cac {all | event | packet} {enable | disable}

Syntax Description

all: Configures the debugging options for all CAC messages.

event: Configures the debugging options for CAC events.

packet: Configures the debugging options for selected CAC packets.

kts: Configures the debugging options for KTS-based CAC messages.

enable: Enables the debugging of CAC settings.

disable: Disables the debugging of CAC settings.

Command Default

By default, the debugging of CAC options is disabled.

Command History

Release: 7.6

Modification: This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable debugging of CAC settings:

(Cisco Controller) > debug cac event enable

(Cisco Controller) > debug cac packet enable

Related Commands

config 802.11 cac video acm

config 802.11 cac video max-bandwidth

config 802.11 video roam-bandwidth

config 802.11 cac video tspec-inactivity-timeout

config 802.11 cac voice load-based

config 802.11 cac voice roam-bandwidth

config 802.11 cac voice stream-size

config 802.11 cac voice tspec-inactivity-timeout


debug cdp

To configure debugging of CDP, use the debug cdp command.

debug cdp {events | packets} {enable | disable}

Syntax Description

events: Configures debugging of the CDP events.

packets: Configures debugging of the CDP packets.

enable: Enables debugging of the CDP options.

disable: Disables debugging of the CDP options.

Command Default

None

Command History

Release: 7.6

Modification: This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable CDP event debugging in a Cisco controller:

(Cisco Controller) > debug cdp events enable


debug crypto

To configure the debugging of the hardware cryptographic options, use the debug crypto command.

debug crypto {all | sessions | trace | warning} {enable | disable}

Syntax Description

all: Configures the debugging of all hardware crypto messages.

sessions: Configures the debugging of hardware crypto sessions.

trace: Configures the debugging of hardware crypto sessions.

warning: Configures the debugging of hardware crypto sessions.

enable: Enables the debugging of hardware cryptographic sessions.

disable: Disables the debugging of hardware cryptographic sessions.

Command Default

None

Command History

Release: 7.6

Modification: This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable the debugging of hardware crypto sessions:

(Cisco Controller) > debug crypto sessions enable

Related Commands

debug disable-all

show sysinfo


debug dhcp

To configure the debugging of DHCP, use the debug dhcp command.

debug dhcp {message | packet} {enable | disable}

Syntax Description

message: Configures the debugging of DHCP error messages.

packet: Configures the debugging of DHCP packets.

enable: Enables the debugging of DHCP messages or packets.

disable: Disables the debugging of DHCP messages or packets.

Command Default

None

Examples

The following example shows how to enable the debugging of DHCP messages:

(Cisco Controller) > debug dhcp message enable


debug dhcp service-port

To enable or disable debugging of the Dynamic Host Configuration Protocol (DHCP) packets on the service port, use the debug dhcp service-port command.

debug dhcp service-port {enable | disable}

Syntax Description

enable: Enables the debugging of DHCP packets on the service port.

disable: Disables the debugging of DHCP packets on the service port.

Command Default

None

Command History

Release: 7.6

Modification: This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable the debugging of DHCP packets on a service port:

(Cisco Controller) > debug dhcp service-port enable


debug disable-all

To disable all debug messages, use the debug disable-all command.

debug disable-all

Syntax Description

This command has no arguments or keywords.

Command Default

Disabled.

Command History

Release: 7.6

Modification: This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to disable all debug messages:

(Cisco Controller) > debug disable-all


debug dns

To configure debugging of Domain Name System (DNS) options, use the debug dns command.

debug dns {all | detail | error | message} {enable | disable}

Syntax Description

all: Configures debugging of all the DNS options.

detail: Configures debugging of the DNS details.

error: Configures debugging of the DNS errors.

message: Configures debugging of the DNS messages.

enable: Enables debugging of the DNS options.

disable: Disables debugging of the DNS options.

Command Default

None

Command History

Release: 7.6

Modification: This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable DNS error debugging:

(Cisco Controller) > debug dns error enable


debug dot11

To configure the debugging of 802.11 events, use the debug dot11 command.

debug dot11 {all | load-balancing | management | mobile | nmsp | probe | rldp | rogue | state} {enable | disable}

Syntax Description

all: Configures the debugging of all 802.11 messages.

load-balancing: Configures the debugging of 802.11 load balancing events.

management: Configures the debugging of 802.11 MAC management messages.

mobile: Configures the debugging of 802.11 mobile events.

nmsp: Configures the debugging of the 802.11 NMSP interface events.

probe: Configures the debugging of probe.

rldp: Configures the debugging of 802.11 Rogue Location Discovery.

rogue: Configures the debugging of 802.11 rogue events.

state: Configures the debugging of 802.11 mobile state transitions.

enable: Enables the 802.11 debugging.

disable: Disables the 802.11 debugging.

Command Default

None

Command History

Release: 7.6

Modification: This command was introduced in a release earlier than Release 7.6.


Examples

The following example shows how to enable the debugging of 802.11 settings:

(Cisco Controller) > debug dot11 state enable

(Cisco Controller) > debug dot11 mobile enable


debug dot11 mgmt interface

To configure debugging of 802.11 management interface events, use the debug dot11 mgmt interface command.

debug dot11 mgmt interface

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release: 7.6

Modification: This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to debug 802.11 management interface events:

(Cisco Controller) > debug dot11 mgmt interface


debug dot11 mgmt msg

To configure debugging of 802.11 management messages, use the debug dot11 mgmt msg command.

debug dot11 mgmt msg

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release: 7.6

Modification: This command was introduced in a release earlier than Release 7.6.

Examples

This example shows how to debug dot11 management messages:

(Cisco Controller) > debug dot11 mgmt msg


debug dot11 mgmt ssid

To configure debugging of 802.11 SSID management events, use the debug dot11 mgmt ssid command.

debug dot11 mgmt ssid

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release: 7.6

Modification: This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the debugging of 802.11 SSID management events:

(Cisco Controller) > debug dot11 mgmt ssid


debug dot11 mgmt state-machine

To configure debugging of the 802.11 state machine, use the debug dot11 mgmt state-machine command.

debug dot11 mgmt state-machine

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release: 7.6

Modification: This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the debugging of 802.11 state machine:

(Cisco Controller) > debug dot11 mgmt state-machine

Cisco Wireless Controller Command Reference, Release 8.4

1347

debug dot11 mgmt station

To configure the debugging of the management station settings, use the debug dot11 mgmt station command.

debug dot11 mgmt station

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the debugging of the management station settings:

(Cisco Controller) > debug dot11 mgmt station

debug dot1x

To configure debugging of the 802.1X options, use the debug dot1x command.

debug dot1x {aaa | all | events | packets | states} {enable | disable}

Syntax Description

aaa        Configures debugging of the 802.1X AAA interactions.
all        Configures debugging of all the 802.1X messages.
events     Configures debugging of the 802.1X events.
packets    Configures debugging of the 802.1X packets.
states     Configures debugging of the 802.1X state transitions.
enable     Enables debugging of the 802.1X options.
disable    Disables debugging of the 802.1X options.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable 802.1X state transitions debugging:

(Cisco Controller) > debug dot1x states enable

debug dtls

To configure debugging of the Datagram Transport Layer Security (DTLS) options, use the debug dtls command.

debug dtls {all | event | packet | trace} {enable | disable}

Syntax Description

all        Configures debugging of all the DTLS messages.
event      Configures debugging of the DTLS events.
packet     Configures debugging of the DTLS packets.
trace      Configures debugging of the DTLS trace messages.
enable     Enables debugging of the DTLS options.
disable    Disables debugging of the DTLS options.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

The debug actions described here are used in conjunction with CAPWAP troubleshooting.

Examples

The following example shows how to enable DTLS packet debugging:

(Cisco Controller) > debug dtls packet enable

debug fastpath

To debug the issues in the 10-Gigabit Ethernet interface of the controller and to view details of all the management and control features of the controller, use the debug fastpath command.

debug fastpath [disable | enable | errors | events | warning | log | status | dump | audit | clear]

debug fastpath log [{error | events | show}]

debug fastpath dump [{stats DP_number} | {fpapool DP_number} | {ownerdb} | {portdb} | {tun4db | index | DP_number} | {scbdb | index | DP_number} | {cfgtool -- dump.sfp} | {urlacldb | start-acl-id start-rule-index} | {vlandb} | {dpcp-stats} | {clear | stats} | {systemdb} | {debug | {wlanappstats | wlan_id}} | {appqosdb}]

Syntax Description

enable      Enables debug of fastpath messages.
disable     Disables debug of fastpath messages.
errors      Displays the debug messages related to the fastpath errors.
events      Displays the debug messages related to the fastpath events.
warnings    Displays the debug messages related to the fastpath warnings.
log         Configures debug of log messages.
  errors    Configures debug of fastpath errors.
  events    Configures debug of fastpath events.
  show      Displays log of most recent events related to fastpath.
status      Displays status of fastpath configuration.
dump        Displays the CLI dump commands.

stats       Displays the debug statistics from the data plane.
DP_number   Displays the statistic counters at data plane based on selected data plane number. Values include 0, 1, and All. The default option is All. You must select:
            • The index 0 for the Cisco Wireless LAN Controller 2504 Series, Cisco Wireless LAN Controller 5508 Series, Cisco Wireless LAN Controller 7500 Series, Cisco Wireless LAN Controller 8500 Series.
            • The index 0 and/or 1 respectively for the two data planes in WiSM2 to view statistics of individual data plane or from both.

fpapool     Displays statistics of packet buffer in data plane.
DP_number   Displays statistics of packet buffer based on data plane number. Values include 0, 1, and All. The default option is All. You must select:
            • The index 0 for the Cisco Wireless LAN Controller 2504 Series, Cisco Wireless LAN Controller 5508 Series, Cisco Wireless LAN Controller 7500 Series, Cisco Wireless LAN Controller 8500 Series.
            • The index 0 and/or 1 respectively for the two data planes in WiSM2 to view statistics of individual data plane or from both.

ownerdb     Displays the data plane owner information.
portdb      Displays the port database at data plane.

tun4db      Dumps the first 20 tunnels from the data plane.
index       Dumps 20 tunnel entries from index provided. You must use data plane number 0/1 to denote WISM2 data plane processor.
DP_number   Dumps the first twenty client entries from the data plane. Values include 0, 1, and All. The default option is All. You must select:
            • The index 0 for the Cisco Wireless LAN Controller 2504 Series, Cisco Wireless LAN Controller 5508 Series, Cisco Wireless LAN Controller 7500 Series, Cisco Wireless LAN Controller 8500 Series.
            • The index 0 and/or 1 respectively for the two data planes in WiSM2 to view statistics of individual data plane or from both.

scbdb       Dumps 20 client entries starting from index provided. You must use data plane number 0/1 to denote WISM2 data plane processor.
index       Dumps client information for the selected MAC address.
DP_number   Dumps the first twenty client entries from the data plane. Values include 0, 1, and All. The default option is All. You must select:
            • The index 0 for the Cisco Wireless LAN Controller 2504 Series, Cisco Wireless LAN Controller 5508 Series, Cisco Wireless LAN Controller 7500 Series, Cisco Wireless LAN Controller 8500 Series.
            • The index 0 and/or 1 respectively for the two data planes in WiSM2 to view statistics of individual data plane or from both.

cfgtool -- dump.sfp                        Displays the model/type of SX/LC/T small form-factor plug-in (SFP) modules with the OUI Partnumber.
urlacldb start-acl-id start-rule-index     Dumps the URL ACL database.
vlandb                                     Dumps the VLAN database in the dataplane.
dpcp-stats                                 Displays the dataplane to controlplane message statistics.
clear stats                                Clears the data plane statistic counters.
systemdb                                   Displays the global data plane configuration.
debug                                      Displays the few latest messages of the data plane to enable troubleshooting.
wlanappstats                               Displays Application Visibility and Control (AVC) statistics of a WLAN.
wlan_id                                    The WLAN identifier of the WLAN for which you need the AVC statistics.
appqosdb                                   Displays Application Visibility and Control (AVC) database statistics of the data plane.
clear                                      Clear command.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.
8.3        This command was enhanced in this release. The new keyword added is urlacldb.

Usage Guidelines

None

Examples

The following is an example of the SX/LC/T small form-factor plug-in (SFP) modules model/type with the respective OUI Partnumber.

(Cisco Controller) > debug fastpath status

            STP   Admin    Physical    Physical    Link    Link
Pr  Type    Stat  Mode     Mode        Status      Status  Trap     POE      SFPType
--  ------- ----  -------  ----------  ----------  ------  -------  -------  ----------
1   Normal  Forw  Enable   Auto        1000 Full   Up      Enable   N/A      1000BaseTX
2   Normal  Forw  Enable   Auto        1000 Full   Up      Enable   N/A      1000BaseTX

The following is an example of the fastpath status displayed while you execute the status command.

(Cisco Controller) > debug fastpath status

FP0.03:(119115)Received command: FP_CMD_ACL_COUNTER_GET
FP0.00:(119115)Received command: FP_CMD_ACL_COUNTER_GET
FP0.06:(119115)Received command: FP_CMD_ACL_COUNTER_GET
FP0.05:(119115)Received command: FP_CMD_ACL_COUNTER_GET
FP0.06:(119115)Received command: FP_CMD_ACL_COUNTER_GET
FP0.03:(119115)Received command: FP_CMD_ACL_COUNTER_GET
FP0.06:(119115)Received command: FP_CMD_ACL_COUNTER_GET
FP0.07:(119125)Received command: FP_CMD_ACL_COUNTER_GET
FP0.04:(119125)Received command: FP_CMD_ACL_COUNTER_GET
FP0.03:(119125)Received command: FP_CMD_ACL_COUNTER_GET

The following is an example of the fastpath errors displayed while you execute the debug fastpath log errors command.

(Cisco Controller) > debug fastpath log errors

FP0.04:(873365)[fp_ingress_capwap:429]Discarding Control/Data Plane DTLS-Application packets after Lookup Failed
FP0.02:(873418)Change logDebugLevel from: 0x1e to 0x9

The following is an example of the fastpath events displayed while you execute the debug fastpath log events command.

(Cisco Controller) > debug fastpath log events

FP0.09:(873796)[fp_ingress_capwap:429]Discarding Control/Data Plane DTLS-Application packets after Lookup Failed
FP0.06:(873921)Change logDebugLevel from: 0x9 to 0x1e

The following is an example displayed while you execute the debug fastpath log show command.

(Cisco Controller) > debug fastpath log show

FP0.07:(874033)Change logDebugLevel from: 0x1e to 0x9
Fastpath CPU0.02: FAST CACHE DISABLED
Fastpath CPU0.02: FAST CACHE ENABLED
Fastpath CPU0.00: Received command: FP_CMD_ADD_AP
Fastpath CPU0.05: Received command: FP_CMD_DEL_TUN4 ifTun=1113
Fastpath CPU0.03: Received command: FP_CMD_DEL_TUN4 ifTun=3161
Fastpath CPU0.03: Received command: FP_CMD_DEL_AP
FP0.02:[cmdDelMcastRgTun:6733]failed to delete mcast rg tun 0 ifTun=3161
FP0.07:[fp_ingress_capwap:429]Discarding Control/Data Plane DTLS-Application packets after Lookup Failed
FP0.01:[fp_ingress_capwap:429]Discarding Control/Data Plane DTLS-Application packets after Lookup Failed
Fastpath CPU0.01: Received command: FP_CMD_ADD_TUN4 type=CAPWAP ifTun=1114 dstIP=9.4.110.100 dstMac=2037.06e2.5ec4 dstIPv6=0000:0000:0000:0000:0000:0000:0000:0000
Fastpath CPU0.01: Tunnel 1114 srcip=9041820 dstip=9046e64 xor=0x7644(30276) LAG Offset=0,0,0,0,1,0,1,4
Fastpath CPU0.09: Received command: FP_CMD_ADD_TUN4 type=CAPWAP ifTun=3162 dstIP=9.4.110.100 dstMac=2037.06e2.5ec4 dstIPv6=0000:0000:0000:0000:0000:0000:0000:0000
Fastpath CPU0.09: Tunnel 3162 srcip=9041820 dstip=9046e64 xor=0x7644(30276) LAG Offset=0,0,0,0,1,0,1,4
Fastpath CPU0.00: Received command: FP_CMD_SET_INTERFACE_MTU
Fastpath CPU0.00: FAST CACHE DISABLED
Fastpath CPU0.00: FAST CACHE ENABLED
Fastpath CPU0.00: Received command: FP_CMD_ADD_AP
Fastpath CPU0.03: Received command: FP_CMD_UPDATE_EOIP for index=5122
Fastpath CPU0.02: Received command: FP_CMD_UPDATE_EOIP for index=5122
Fastpath CPU0.00: Received command: FP_CMD_DEL_TUN4 ifTun=1114
Fastpath CPU0.03: Received command: FP_CMD_DEL_TUN4 ifTun=3162
Fastpath CPU0.03: Received command: FP_CMD_DEL_AP
FP0.04:[cmdDelMcastRgTun:6733]failed to delete mcast rg tun 0 ifTun=3162
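Added example (not part of the Cisco reference): Python that triages captured debug fastpath log show output such as the sample above, counting the DTLS lookup-failure discards per data-plane core and following each CAPWAP tunnel from FP_CMD_ADD_TUN4 to FP_CMD_DEL_TUN4. The function and key names are hypothetical, and reading srcip/dstip as hex IPv4 addresses and xor as their XOR is an inference from the sample lines, not documented behaviour.

```python
import ipaddress
import re
from collections import Counter

# Constructed input: lines taken from the "debug fastpath log show" sample on
# this page, with the wrapped lines rejoined.
SAMPLE_LOG = """\
FP0.07:(874033)Change logDebugLevel from: 0x1e to 0x9
Fastpath CPU0.00: Received command: FP_CMD_ADD_AP
Fastpath CPU0.05: Received command: FP_CMD_DEL_TUN4 ifTun=1113
Fastpath CPU0.03: Received command: FP_CMD_DEL_TUN4 ifTun=3161
FP0.02:[cmdDelMcastRgTun:6733]failed to delete mcast rg tun 0 ifTun=3161
FP0.07:[fp_ingress_capwap:429]Discarding Control/Data Plane DTLS-Application packets after Lookup Failed
FP0.01:[fp_ingress_capwap:429]Discarding Control/Data Plane DTLS-Application packets after Lookup Failed
Fastpath CPU0.01: Received command: FP_CMD_ADD_TUN4 type=CAPWAP ifTun=1114 dstIP=9.4.110.100 dstMac=2037.06e2.5ec4 dstIPv6=0000:0000:0000:0000:0000:0000:0000:0000
Fastpath CPU0.01: Tunnel 1114 srcip=9041820 dstip=9046e64 xor=0x7644(30276) LAG Offset=0,0,0,0,1,0,1,4
Fastpath CPU0.09: Received command: FP_CMD_ADD_TUN4 type=CAPWAP ifTun=3162 dstIP=9.4.110.100 dstMac=2037.06e2.5ec4 dstIPv6=0000:0000:0000:0000:0000:0000:0000:0000
Fastpath CPU0.09: Tunnel 3162 srcip=9041820 dstip=9046e64 xor=0x7644(30276) LAG Offset=0,0,0,0,1,0,1,4
Fastpath CPU0.00: Received command: FP_CMD_DEL_TUN4 ifTun=1114
Fastpath CPU0.03: Received command: FP_CMD_DEL_TUN4 ifTun=3162
FP0.04:[cmdDelMcastRgTun:6733]failed to delete mcast rg tun 0 ifTun=3162
"""

CORE_RE = re.compile(r"^(?:FP|Fastpath CPU)(\d+\.\d+):\s*")
CMD_RE = re.compile(r"Received command: (FP_CMD_\w+)(.*)")
TUN_RE = re.compile(r"Tunnel (\d+) srcip=([0-9a-f]+) dstip=([0-9a-f]+) xor=0x([0-9a-f]+)")
FAIL_RE = re.compile(r"failed to delete mcast rg tun \d+ ifTun=(\d+)")
DISCARD = "Discarding Control/Data Plane DTLS-Application packets after Lookup Failed"


def hex_to_ipv4(value):
    """Decode a hex srcip/dstip field as IPv4 (assumption inferred from the sample)."""
    return str(ipaddress.IPv4Address(int(value, 16)))


def analyze(log_text):
    """Summarise DTLS discards and CAPWAP tunnel lifecycle from fastpath log text."""
    discards = Counter()      # data-plane core -> DTLS lookup-failure discards
    tunnels = {}              # ifTun -> state and decoded endpoints
    unmatched_deletes = []    # DEL_TUN4 with no ADD_TUN4 earlier in this capture
    failed_deletes = []       # ifTun values named in "failed to delete" errors

    for raw in log_text.splitlines():
        line = raw.strip()
        core = CORE_RE.match(line)
        if not core:
            continue          # prompts, blank lines, anything unrecognised
        body = line[core.end():]

        if DISCARD in body:
            discards[core.group(1)] += 1
            continue
        failed = FAIL_RE.search(body)
        if failed:
            failed_deletes.append(int(failed.group(1)))
            continue
        tun = TUN_RE.search(body)
        if tun:
            tun_id, src, dst, xor = tun.groups()
            entry = tunnels.setdefault(int(tun_id), {"state": "added"})
            entry["src"] = hex_to_ipv4(src)
            entry["dst"] = hex_to_ipv4(dst)
            # Consistency check inferred from the sample: xor == srcip XOR dstip.
            entry["xor_ok"] = (int(src, 16) ^ int(dst, 16)) == int(xor, 16)
            continue
        cmd = CMD_RE.search(body)
        if not cmd:
            continue
        fields = dict(re.findall(r"(\w+)=(\S+)", cmd.group(2)))
        if "ifTun" not in fields:
            continue          # command without a tunnel id, or a truncated line
        tun_id = int(fields["ifTun"])
        if cmd.group(1) == "FP_CMD_ADD_TUN4":
            tunnels[tun_id] = {"state": "added", "announced_dst": fields.get("dstIP")}
        elif cmd.group(1) == "FP_CMD_DEL_TUN4":
            if tun_id in tunnels:
                tunnels[tun_id]["state"] = "deleted"
            else:
                unmatched_deletes.append(tun_id)

    return {
        "discards": dict(discards),
        "tunnels": tunnels,
        "unmatched_deletes": unmatched_deletes,
        "failed_deletes": failed_deletes,
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(key, value)
```

A discard count that keeps rising on captures taken some time after tunnel churn has settled is the line worth following up, since it means CAPWAP DTLS packets are arriving for which the data plane holds no matching entry.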


debug flexconnect avc

To debug a FlexConnect Application Visibility and Control (AVC) event, use the debug flexconnect avc command.

debug flexconnect avc {event | error | detail} {enable | disable}

Syntax Description

event      Debugs a FlexConnect AVC event.
error      Debugs a FlexConnect AVC error.
detail     Debugs FlexConnect AVC details.
enable     Enables debug.
disable    Disables debug.

Command Default

None

Command History

Release    Modification
8.1        This command was introduced.

Examples

The following example shows how to enable a debug action for an event:

(Cisco Controller) > debug flexconnect avc event enable

debug flexconnect aaa

To configure debugging of FlexConnect backup RADIUS server events or errors, use the debug flexconnect aaa command.

debug flexconnect aaa {event | error} {enable | disable}

Syntax Description

event      Configures the debugging for FlexConnect RADIUS server events.
error      Configures the debugging for FlexConnect RADIUS server errors.
enable     Enables the debugging of FlexConnect RADIUS server settings.
disable    Disables the debugging of FlexConnect RADIUS server settings.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable the debugging of FlexConnect RADIUS server events:

(Cisco Controller) > debug flexconnect aaa event enable

debug flexconnect acl

To configure debugging of FlexConnect access control lists (ACLs), use the debug flexconnect acl command.

debug flexconnect acl {enable | disable}

Syntax Description

enable     Enables the debugging of FlexConnect ACLs.
disable    Disables the debugging of FlexConnect ACLs.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable the debugging of FlexConnect ACLs:

(Cisco Controller) > debug flexconnect acl enable

debug flexconnect cckm

To configure debugging of FlexConnect Cisco Centralized Key Management (CCKM) fast roaming, use the debug flexconnect cckm command.

debug flexconnect cckm {enable | disable}

Syntax Description

enable     Enables the debugging of FlexConnect CCKM fast roaming settings.
disable    Disables the debugging of FlexConnect CCKM fast roaming settings.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable the debugging of FlexConnect CCKM fast roaming events:

(Cisco Controller) > debug flexconnect cckm event enable

debug group

To configure the debugging of access point groups, use the debug group command.

debug group {enable | disable}

Syntax Description

enable     Enables the debugging of access point groups.
disable    Disables the debugging of access point groups.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable the debugging of access point groups:

(Cisco Controller) > debug group enable

debug fmchs

To configure debugging of Fixed Mobile Convergence Handover Service (FMCHS) of the controller, use the debug fmchs command.

debug fmchs {all | error | event | nmsp | packet} {enable | disable}

Syntax Description

all        Configures debugging of all FMCHS messages.
error      Configures debugging of the FMCHS errors.
event      Configures debugging of the FMCHS events.
nmsp       Configures debugging of the FMCHS NMSP events.
packet     Configures debugging of the FMCHS packets.
enable     Enables debugging of the FMCHS options.
disable    Disables debugging of the FMCHS options.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable FMCHS event debugging:

(Cisco Controller) > debug fmchs event enable

debug flexconnect client ap

To debug FlexConnect client access point MAC addresses, use the debug flexconnect client ap command.

debug flexconnect client ap ap-name {add | delete} MAC-address1 MAC-address2 MAC-address3 MAC-address4

Syntax Description

add            Adds the MAC address to the group.
delete         Deletes the MAC address from the group.
MAC-address    MAC address of the client.

Command Default

None

Command History

Release    Modification
8.1        This command was added.

Examples

The following example shows how to debug FlexConnect client ap 'room' MAC addresses:

(Cisco Controller) > debug flexconnect client ap room add 00.0c.41.07.33.a6 0A.0c.52.17.97.b6

debug flexconnect client ap syslog

To configure debug logging of the syslog server for a FlexConnect client AP, use the debug flexconnect client ap command.

debug flexconnect client ap ap-name syslog {ip-address | disable}

Syntax Description

ip-address    Configures the syslog server ip-address for debug logging.
disable       Disables the debug logging to the syslog server.

Command Default

None

Command History

Release    Modification
8.1        This command was added.

Examples

The following example shows how to configure syslog server for debug log for the FlexConnect client AP 'room':

(Cisco Controller) > debug flexconnect client ap room syslog 192.168.1.1

debug flexconnect client group

To debug FlexConnect client group MAC addresses, use the debug flexconnect client group command.

debug flexconnect client group group-name {add | delete} MAC-address1 MAC-address2 MAC-address3 MAC-address4

Syntax Description

add            Adds the MAC address to the group.
delete         Deletes the MAC address from the group.
MAC-address    MAC address of the client.

Command Default

None

Command History

Release    Modification
8.1        This command was added.

Examples

The following example shows how to debug FlexConnect client group MAC addresses:

(Cisco Controller) > debug flexconnect client group school add 00.0c.41.07.33.a6 0A.0c.52.17.97.b6

debug flexconnect client group syslog

To debug FlexConnect group access point syslog, use the debug flexconnect client group command.

debug flexconnect client group group-name syslog ip-address | disable

Syntax Description

ip-address    Configures the syslog server ip-address for debug logging.
disable       Disables the debug logging to the syslog server.

Command Default

None

Command History

Release    Modification
8.1        This command was added.

Examples

The following example shows how to configure FlexConnect client group 'school' for debug logging purposes:

(Cisco Controller) > debug flexconnect client group school syslog 192.168.1.1

debug flexconnect group

To configure debugging of FlexConnect access point groups, use the debug flexconnect group command.

debug flexconnect group {enable | disable}

Syntax Description

enable     Enables the debugging of FlexConnect access point groups.
disable    Disables the debugging of FlexConnect access point groups.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable the debugging of FlexConnect access point groups:

(Cisco Controller) > debug flexconnect group enable

debug ft

To configure debugging of 802.11r, use the debug ft command.

debug ft {events | keys} {enable | disable}

Syntax Description

events     Configures debugging of the 802.11r events.
keys       Configures debugging of the 802.11r keys.
enable     Enables debugging of the 802.11r options.
disable    Disables debugging of the 802.11r options.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable 802.11r debugging:

(Cisco Controller) > debug ft events enable

debug hotspot

To configure debugging of HotSpot events or packets, use the debug hotspot command.

debug hotspot {events | packets} {enable | disable} {enable | disable}

Syntax Description

events     Configures debugging of HotSpot events.
packets    Configures debugging of HotSpot packets.
enable     Enables the debugging of HotSpot options.
disable    Disables the debugging of HotSpot options.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable debugging of hotspot events:

(Cisco Controller) > debug hotspot events enable

debug ipv6

To configure debugging of IPv6 options, use the debug ipv6 command.

debug ipv6 {all | bt | classifier | errors | events | filter | fsm | gleaner | hwapi | memory | ndsuppress | parser | policy | ra_throttler | switcher} {enable | disable}

Syntax Description

all             Configures debugging of all the IPv6 information.
bt              Configures debugging of the IPv6 neighbor binding table.
classifier      Configures debugging of the IPv6 packet classifiers.
errors          Configures debugging of the IPv6 errors.
events          Configures debugging of the IPv6 events.
filter          Configures filters for the IPv6 debugs.
fsm             Configures debugging of the IPv6 finite state machine (FSM).
gleaner         Configures debugging of the IPv6 gleaner. Learning of entries is called gleaning.
hwapi           Configures debugging of the IPv6 hardware APIs.
memory          Configures debugging of the IPv6 binding table memory usage.
ndsuppress      Configures debugging of the suppressed IPv6 neighbor discoveries.
parser          Configures debugging of the IPv6 parser.
policy          Configures debugging of the IPv6 policies.
ra_throttler    Configures debugging of the IPv6 router advertising throttler.
switcher        Configures debugging of the IPv6 switcher.
enable          Enables debugging of the IPv6 options.
disable         Disables debugging of the IPv6 options.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the debugging of IPv6 policies:

(Cisco Controller) > debug ipv6 policy enable

Debug Commands: j to q

• debug l2age
• debug mac
• debug mdns all
• debug mdns detail
• debug mdns error
• debug mdns message
• debug mdns ha
• debug memory
• debug mesh security
• debug mobility
• debug nac
• debug nmsp
• debug ntp
• debug packet error
• debug packet logging
• debug pem
• debug pm
• debug poe
• debug policy
• debug profiling

debug l2age

To configure the debugging of Layer 2 age timeout messages, use the debug l2age command.

debug l2age {enable | disable}

Syntax Description

enable     Enables the debugging of Layer2 age settings.
disable    Disables the debugging of Layer2 age settings.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable the debugging of Layer2 age settings:

(Cisco Controller) > debug l2age enable

Related Commands

• debug disable-all

debug mac

To configure the debugging of the client MAC address, use the debug mac command.

debug mac {disable | addr MAC}

Syntax Description

disable    Disables the debugging of the client using the MAC address.
addr       Configures the debugging of the client using the MAC address.
MAC        MAC address of the client.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the debugging of the client using the MAC address:

(Cisco Controller) > debug mac addr 00.0c.41.07.33.a6

Related Commands

• debug disable-all

debug mdns all

To debug all multicast DNS (mDNS) messages, details, and errors, use the debug mdns all command.

debug mdns all {enable | disable}

Syntax Description

enable     Enables the debugging of all mDNS messages, details, and errors.
disable    Disables the debugging of all mDNS messages, details, and errors.

Command Default

By default, the debugging of all mDNS messages, details, and errors is disabled.

Command History

Release    Modification
7.4        This command was introduced.

Examples

The following example shows how to enable debugging of all mDNS messages, details, and errors:

(Cisco Controller) > debug mdns all enable

Related Commands

• config mdns profile
• config mdns query interval
• config mdns service
• config mdns snooping
• config interface mdns-profile
• config interface group mdns-profile
• config wlan mdns
• show mdns profile
• show mdns service
• clear mdns service-database
• debug mdns error
• debug mdns detail

debug mdns detail

To debug multicast DNS (mDNS) details, use the debug mdns detail command.

debug mdns detail {enable | disable}

Syntax Description

enable     Enables the debugging of mDNS details.
disable    Disables the debugging of mDNS details.

Command Default

This command is disabled by default.

Command History

Release    Modification
7.4        This command was introduced.

Examples

The following example shows how to enable the debugging of mDNS details:

(Cisco Controller) > debug mdns detail enable

Related Commands

• config mdns profile
• config mdns query interval
• config mdns service
• config mdns snooping
• config interface mdns-profile
• config interface group mdns-profile
• config wlan mdns
• show mdns profile
• show mdns service
• clear mdns service-database
• debug mdns all
• debug mdns error
• debug mdns detail

debug mdns error

To debug multicast DNS (mDNS) errors, use the debug mdns error command.

debug mdns error {enable | disable}

Syntax Description

enable     Enables the debugging of mDNS errors.
disable    Disables the debugging of mDNS errors.

Command Default

This command is disabled by default.

Command History

Release    Modification
7.4        This command was introduced.

Examples

The following example shows how to enable the debugging of mDNS errors:

(Cisco Controller) > debug mdns error enable

Related Commands

• config mdns profile
• config mdns query interval
• config mdns service
• config mdns snooping
• config interface mdns-profile
• config interface group mdns-profile
• config wlan mdns
• show mdns profile
• show mdns service
• clear mdns service-database
• debug mdns all
• debug mdns detail
• debug mdns message

debug mdns message

To debug multicast DNS (mDNS) messages, use the debug mdns message command.

debug mdns message {enable | disable}

Syntax Description

enable     Enables the debugging of mDNS messages.
disable    Disables the debugging of mDNS messages.

Command Default

Disabled.

Command History

Release    Modification
7.4        This command was introduced.

Examples

The following example shows how to enable the debugging of mDNS messages:

(Cisco Controller) > debug mdns message enable

Related Commands

• config mdns profile
• config mdns query interval
• config mdns service
• config mdns snooping
• config interface mdns-profile
• config interface group mdns-profile
• config wlan mdns
• show mdns profile
• show mdns service
• clear mdns service-database
• debug mdns all
• debug mdns error
• debug mdns detail

debug mdns ha

To debug all the multicast Domain Name System (mDNS) High Availability (HA) messages, use the debug mdns ha command.

debug mdns ha {enable | disable}

Syntax Description

enable     Enables debugging of all the mDNS HA messages.
disable    Disables debugging of all the mDNS HA messages.

Command Default

This command is disabled by default.

Command History

Release    Modification
7.5        This command was introduced.

Usage Guidelines

This command is automatically enabled when the debug mdns all command is enabled.

Examples

The following example shows how to enable debugging of all the mDNS HA messages:

(Cisco Controller) > debug mdns ha enable

debug memory

To enable or disable the debugging of errors or events during the memory allocation of the Cisco WLC, use the debug memory command.

debug memory {errors | events} {enable | disable}

Syntax Description

errors     Configures the debugging of memory leak errors.
events     Configures debugging of memory leak events.
enable     Enables the debugging of memory leak events.
disable    Disables the debugging of memory leak events.

Command Default

By default, the debugging of errors or events during the memory allocation of the Cisco WLC is disabled.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable the debugging of memory leak events:

(Cisco Controller) > debug memory events enable

Related Commands

• config memory monitor errors
• show memory monitor
• config memory monitor leaks

debug mesh security

To configure the debugging of mesh security issues, use the debug mesh security command.

debug mesh security {all | events | errors} {enable | disable}

Syntax Description

all        Configures the debugging of all mesh security messages.
events     Configures the debugging of mesh security event messages.
errors     Configures the debugging of mesh security error messages.
enable     Enables the debugging of mesh security error messages.
disable    Disables the debugging of mesh security error messages.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable the debugging of mesh security error messages:

(Cisco Controller) > debug mesh security errors enable

debug mobility

To configure the debugging of wireless mobility, use the debug mobility command.

debug mobility {ap-list | config | directory | dtls | handoff | keep-alive | multicast | oracle | packet | peer-ip IP-address | pmk | pmtu-discovery | redha} {enable | disable}

Syntax Description

ap-list           Configures the debugging of wireless mobility access point list.
config            Configures the debugging of wireless mobility configuration.
directory         Configures the debugging of wireless mobility error messages.
dtls              Configures the debugging of wireless mobility Datagram Transport Layer Security (DTLS) options.
handoff           Configures the debugging of wireless mobility handoff messages.
keep-alive        Configures the debugging of wireless mobility CAPWAP data DTLS keep-alive packets.
multicast         Configures the debugging of multicast mobility packets.
oracle            Starts the debugging of wireless mobility oracle options.
packet            Configures the debugging of wireless mobility packets.
peer-ip           Configures IP address of the mobility peer for which incoming and outgoing mobility messages should be displayed.
IP-address        IP address of the mobility peer for which incoming and outgoing mobility messages should be displayed.
pmk               Configures the debugging of wireless mobility pairwise master key (PMK).
pmtu-discovery    Configures the debugging of the wireless mobility path MTU discovery.
redha             Configures the debugging of the multicast mobility high availability.
enable            Enables the debugging of the wireless mobility feature.
disable           Disables the debugging of the wireless mobility feature.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.
8.0        This command supports both IPv4 and IPv6 address formats.

Examples

The following example shows how to enable the debugging of wireless mobility packets:

(Cisco Controller) > debug mobility handoff enable

debug nac

To configure the debugging of Network Access Control (NAC), use the debug nac command.

debug nac {events | packet} {enable | disable}

Syntax Description

events   Configures the debugging of NAC events.
packet   Configures the debugging of NAC packets.
enable   Enables the NAC debugging.
disable  Disables the NAC debugging.

Command Default

None

Command History

Release  Modification
7.6      This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable the debugging of NAC settings:

(Cisco Controller) > debug nac events enable

Related Commands

show nac statistics
show nac summary
config guest-lan nac
config wlan nac

debug nmsp

To configure the debugging of the Network Mobility Services Protocol (NMSP), use the debug nmsp command.

debug nmsp {all | connection | detail | error | event | message | packet}

Syntax Description

all         Configures the debugging for all NMSP messages.
connection  Configures the debugging for NMSP connection events.
detail      Configures the debugging for NMSP events in detail.
error       Configures the debugging for NMSP error messages.
event       Configures the debugging for NMSP events.
message     Configures the debugging for NMSP transmit and receive messages.
packet      Configures the debugging for NMSP packet events.

Command Default

None

Command History

Release  Modification
7.6      This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the debugging of NMSP connection events:

(Cisco Controller) > debug nmsp connection

Related Commands

clear nmsp statistics
debug disable-all
config nmsp notify-interval measurement

debug ntp

To configure the debugging of the Network Time Protocol (NTP), use the debug ntp command.

debug ntp {detail | low | packet} {enable | disable}

Syntax Description

detail   Configures the debugging of detailed NTP messages.
low      Configures the debugging of NTP messages.
packet   Configures the debugging of NTP packets.
enable   Enables the NTP debugging.
disable  Disables the NTP debugging.

Command Default

None

Command History

Release  Modification
7.6      This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable the debugging of NTP settings:

(Cisco Controller) > debug ntp packet enable

Related Commands

debug disable-all

debug packet error

To configure debugging of the packets sent to the Cisco Wireless LAN Controller (WLC) CPU, use the debug packet error command.

debug packet error {enable | disable}

Syntax Description

enable   Enables debugging of the packets sent to the Cisco WLC CPU.
disable  Disables debugging of the packets sent to the Cisco WLC CPU.

Command Default

None

Command History

Release  Modification
7.6      This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable the debugging of the packets sent to the Cisco WLC CPU:

(Cisco Controller) > debug packet error enable

debug packet logging

To configure logging of the packets sent to the Cisco Wireless LAN Controller CPU, use the debug packet logging command.

debug packet logging {acl | disable | enable {rx | tx | all} packet_count display_size | format {hex2pcap | text2pcap}}

debug packet logging acl {clear-all | driver rule_index action npu_encap port | eoip-eth rule_index action dst src type vlan | eoip-ip rule_index action src dst proto src_port dst_port | eth rule_index action dst src type vlan | ip rule_index action src dst proto src_port dst_port | lwapp-dot11 rule_index action dst src bssid type | lwapp-ip rule_index action src dst proto src_port dst_port}

Syntax Description

acl           Filters the displayed packets according to a rule.
disable       Disables logging of all the packets.
enable        Enables logging of all the packets.
rx            Displays all the received packets.
tx            Displays all the transmitted packets.
all           Displays both the transmitted and the received packets.
packet_count  Maximum number of packets to be logged. The range is from 1 to 65535. The default value is 25.
display_size  Number of bytes to be displayed when printing a packet. By default, the entire packet is displayed.
format        Configures the format of the debug output.
hex2pcap      Configures the output format to be compatible with the hex2pcap format. The standard format used by Cisco IOS supports the use of hex2pcap and can be decoded using an HTML front end.
text2pcap     Configures the output format to be compatible with the text2pcap format. In this format, the sequence of packets can be decoded from the same console log file.
clear-all     Clears all the existing rules pertaining to the packets.
driver        Filters the packets based on an incoming port or a Network Processing Unit (NPU) encapsulation type.
rule_index    Index of the rule that is a value between 1 and 6 (inclusive).
action        Action for the rule, which can be permit, deny, or disable.
npu_encap     NPU encapsulation type that determines how the packets are filtered. The possible values are dhcp, dot11-mgmt, dot11-probe, dot1x, eoip-ping, iapp, ip, lwapp, multicast, orphan-from-sta, orphan-to-sta, rbcp, wired-guest, or any.
port          Physical port for packet transmission or reception.
eoip-eth      Filters packets based on the Ethernet II header in the Ethernet over IP (EoIP) payload.
dst           Destination MAC address.
src           Source MAC address.
type          Two-byte type code, such as 0x800 for IP, 0x806 for Address Resolution Protocol (ARP). You can also enter a few common string values such as ip (for 0x800) or arp (for 0x806).
vlan          Two-byte VLAN identifier.
eoip-ip       Filters packets based on the IP header in the EoIP payload.
proto         Protocol. Valid values are: ip, icmp, igmp, ggp, ipencap, st, tcp, egp, pup, udp, hmp, xns-idp, rdp, iso-tp4, xtp, ddp, idpr-cmtp, rspf, vmtp, ospf, ipip, and encap.
src_port      User Datagram Protocol or Transmission Control Protocol (UDP or TCP) two-byte source port, such as telnet, 23, or any. The Cisco WLC supports the following strings: tcpmux, echo, discard, systat, daytime, netstat, qotd, msp, chargen, ftp-data, ftp, fsp, ssh, telnet, smtp, time, rlp, nameserver, whois, re-mail-ck, domain, mtp, bootps, bootpc, tftp, gopher, rje, finger, www, link, kerberos, supdup, hostnames, iso-tsap, csnet-ns, 3com-tsmux, rtelnet, pop-2, pop-3, sunrpc, auth, sftp, uucp-path, nntp, ntp, netbios-ns, netbios-dgm, netbios-ssn, imap2, snmp, snmp-trap, cmip-man, cmip-agent, xdmcp, nextstep, bgp, prospero, irc, smux, at-rtmp, at-nbp, at-echo, at-zis, qmtp, z3950, ipx, imap3, ulistserv, https, snpp, saft, npmp-local, npmp-gui, and hmmp-ind.
dst_port      UDP or TCP two-byte destination port, such as telnet, 23, or any. The Cisco WLC supports the same strings as those for the src_port.
eth           Filters packets based on the values in the Ethernet II header.
ip            Filters packets based on the values in the IP header.
lwapp-dot11   Filters packets based on the 802.11 header in the Lightweight Access Point Protocol (LWAPP) payload.
bssid         Basic Service Set Identifier of the VLAN.
lwapp-ip      Filters packets based on the IP header in the LWAPP payload.

Command Default

None

Command History

Release  Modification
7.6      This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable logging of a packet:

(Cisco Controller) > debug packet logging enable

debug pem

To configure debugging of the access policy manager, use the debug pem command.

debug pem {events | state} {enable | disable}

Syntax Description

events   Configures the debugging of the policy manager events.
state    Configures the debugging of the policy manager state machine.
enable   Enables the debugging of the access policy manager.
disable  Disables the debugging of the access policy manager.

Command Default

None

Command History

Release  Modification
7.6      This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable the debugging of the access policy manager:

(Cisco Controller) > debug pem state enable

debug pm

To configure the debugging of the security policy manager module, use the debug pm command.

debug pm {all disable | {config | hwcrypto | ikemsg | init | list | message | pki | rng | rules | sa-export | sa-import | ssh-l2tp | ssh-appgw | ssh-engine | ssh-int | ssh-pmgr | ssh-ppp | ssh-tcp} {enable | disable}}

Syntax Description

all disable  Disables all debugging in the policy manager module.
config       Configures the debugging of the policy manager configuration.
hwcrypto     Configures the debugging of hardware offload events.
ikemsg       Configures the debugging of Internet Key Exchange (IKE) messages.
init         Configures the debugging of policy manager initialization events.
list         Configures the debugging of policy manager list management.
message      Configures the debugging of policy manager message queue events.
pki          Configures the debugging of Public Key Infrastructure (PKI) related events.
rng          Configures the debugging of random number generation.
rules        Configures the debugging of Layer 3 policy events.
sa-export    Configures the debugging of SA export (mobility).
sa-import    Configures the debugging of SA import (mobility).
ssh-l2tp     Configures the debugging of policy manager Layer 2 Tunneling Protocol (L2TP) handling.
ssh-appgw    Configures the debugging of application gateways.
ssh-engine   Configures the debugging of the policy manager engine.
ssh-int      Configures the debugging of the policy manager intercepter.
ssh-pmgr     Configures the debugging of the policy manager.
ssh-ppp      Configures the debugging of policy manager Point-to-Point Protocol (PPP) handling.
ssh-tcp      Configures the debugging of policy manager TCP handling.
enable       Enables the debugging.
disable      Disables the debugging.

Command Default

None

Command History

Release  Modification
7.6      This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the debugging of PKI-related events:

(Cisco Controller) > debug pm pki enable

Related Commands

debug disable-all

debug poe

To configure the debugging of Power over Ethernet (PoE), use the debug poe command.

debug poe {detail | message | error} {enable | disable}

Syntax Description

detail   Configures the debugging of PoE detail logs.
error    Configures the debugging of PoE error logs.
message  Configures the debugging of PoE messages.
enable   Enables the debugging of PoE logs.
disable  Disables the debugging of PoE logs.

Command Default

None

Command History

Release  Modification
7.6      This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable the PoE debugging:

(Cisco Controller) > debug poe message enable

Related Commands

debug disable-all

debug policy

To configure debugging of policy settings, use the debug policy command.

debug policy {errors | events} {enable | disable}

Syntax Description

errors   Configures debugging of policy errors.
events   Configures debugging of policy events.
enable   Enables debugging of policy events.
disable  Disables debugging of policy events.

Command Default

None

Command History

Release  Modification
7.6      This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable debugging of policy errors:

(Cisco Controller) > debug policy errors enable

debug profiling

To configure the debugging of client profiling, use the debug profiling command.

debug profiling {enable | disable}

Syntax Description

enable   Enables the debugging of client profiling (HTTP and DHCP profiling).
disable  Disables the debugging of client profiling (HTTP and DHCP profiling).

Command Default

Disabled.

Command History

Release  Modification
7.6      This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable the debugging of client profiling:

(Cisco Controller) > debug profiling enable

Debug Commands: r to z

• debug rbcp
• debug rfid
• debug snmp
• debug transfer
• debug voice-diag
• debug wcp
• debug web-auth
• debug wips
• debug wps sig
• debug wps mfp

debug rbcp

To configure Router Blade Control (RBCP) debug options, use the debug rbcp command.

debug rbcp {all | detail | errors | packet} {enable | disable}

Syntax Description

all      Configures the debugging of RBCP.
detail   Configures the debugging of RBCP detail.
errors   Configures the debugging of RBCP errors.
packet   Configures the debugging of RBCP packet trace.
enable   Enables the RBCP debugging.
disable  Disables the RBCP debugging.

Command Default

None

Examples

The following example shows how to enable the debugging of RBCP settings:

(Cisco Controller) > debug rbcp packet enable

Related Commands

debug disable-all

debug rfid

To configure radio frequency identification (RFID) debug options, use the debug rfid command.

debug rfid {all | detail | errors | nmsp | receive} {enable | disable}

Syntax Description

all      Configures the debugging of all RFID.
detail   Configures the debugging of RFID detail.
errors   Configures the debugging of RFID error messages.
nmsp     Configures the debugging of RFID Network Mobility Services Protocol (NMSP) messages.
receive  Configures the debugging of incoming RFID tag messages.
enable   Enables the RFID debugging.
disable  Disables the RFID debugging.

Command Default

None

Examples

The following example shows how to enable the debugging of RFID error messages:

(Cisco Controller) > debug rfid errors enable

Related Commands

debug disable-all

debug snmp

To configure SNMP debug options, use the debug snmp command.

debug snmp {agent | all | mib | trap} {enable | disable}

Syntax Description

agent    Configures the debugging of the SNMP agent.
all      Configures the debugging of all SNMP messages.
mib      Configures the debugging of the SNMP MIB.
trap     Configures the debugging of SNMP traps.
enable   Enables the SNMP debugging.
disable  Disables the SNMP debugging.

Command Default

None

Examples

The following example shows how to enable the SNMP debugging:

(Cisco Controller) > debug snmp trap enable

Related Commands

debug disable-all

debug transfer

To configure transfer debug options, use the debug transfer command.

debug transfer {all | tftp | trace} {enable | disable}

Syntax Description

all      Configures the debugging of all transfer messages.
tftp     Configures the debugging of TFTP transfers.
trace    Configures the debugging of transfer messages.
enable   Enables the debugging of transfer messages.
disable  Disables the debugging of transfer messages.

Command Default

None

Examples

The following example shows how to enable the debugging of transfer messages:

(Cisco Controller) > debug transfer trace enable

Related Commands

debug disable-all

debug voice-diag

To trace call or packet flow, use the debug voice-diag command.

debug voice-diag {enable client_mac1 [client_mac2] [verbose] | disable}

Syntax Description

enable       Enables the debugging of voice diagnostics for voice clients involved in a call.
client_mac1  MAC address of a voice client.
client_mac2  (Optional) MAC address of an additional voice client.
             Note: Voice diagnostics can be enabled or disabled for a maximum of two voice clients at a time.
verbose      (Optional) Enables debug information to be displayed on the console.
             Note: When voice diagnostics is enabled from the NCS or Prime Infrastructure, the verbose option is not available.
disable      Disables the debugging of voice diagnostics for voice clients involved in a call.

Command Default

None

Usage Guidelines

Follow these guidelines when you use the debug voice-diag command:

• When the command is entered, the validity of the clients is not checked.
• A few output messages of the command are sent to the NCS or Prime Infrastructure.
• The command expires automatically after 60 minutes.
• The command provides the details of the call flow between a pair of client MACs involved in an active call.

Note: Voice diagnostics can be enabled for a maximum of two voice clients at a time.

Examples

The following example shows how to enable transfer/upgrade settings:

(Cisco Controller) > debug voice-diag enable 00:1a:a1:92:b9:5c 00:1a:a1:92:b5:9c verbose

Related Commands

show client voice-diag
show client calls

debug wcp

To configure the debugging of WLAN Control Protocol (WCP), use the debug wcp command.

debug wcp {events | packet} {enable | disable}

Syntax Description

events   Configures the debugging of WCP events.
packet   Configures the debugging of WCP packets.
enable   Enables the debugging of WCP settings.
disable  Disables the debugging of WCP settings.

Command Default

None

Command History

Release  Modification
7.6      This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable the debugging of WCP settings:

(Cisco Controller) > debug wcp packet enable

debug web-auth

To configure debugging of web-authenticated clients, use the debug web-auth command.

debug web-auth {redirect {enable mac mac_address | disable} | webportal-server {enable | disable}}

Syntax Description

redirect          Configures debugging of web-authenticated and redirected clients.
enable            Enables the debugging of web-authenticated clients.
mac               Configures the MAC address of the web-authenticated client.
mac_address       MAC address of the web-authenticated client.
disable           Disables the debugging of web-authenticated clients.
webportal-server  Configures the debugging of portal authentication of clients.

Command Default

None

Command History

Release  Modification
7.6      This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable the debugging of a web authenticated and redirected client:

(Cisco Controller) > debug web-auth redirect enable mac xx:xx:xx:xx:xx:xx

debug wips

To configure debugging of wireless intrusion prevention system (WIPS), use the debug wips command.

debug wips {all | error | event | nmsp | packet} {enable | disable}

Syntax Description

all      Configures debugging of all WIPS messages.
error    Configures debugging of WIPS errors.
event    Configures debugging of WIPS events.
nmsp     Configures debugging of WIPS Network Mobility Services Protocol (NMSP) events.
packet   Configures debugging of WIPS packets.
enable   Enables debugging of WIPS.
disable  Disables debugging of WIPS.

Command Default

None

Command History

Release  Modification
7.6      This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable debugging of all WIPS messages:

(Cisco Controller) > debug wips all enable

Related Commands

debug client
debug dot11 rogue
show wps summary
show wps wips

debug wps sig

To configure the debugging of Wireless Provisioning Service (WPS) signature settings, use the debug wps sig command.

debug wps sig {enable | disable}

Syntax Description

enable   Enables the debugging for WPS settings.
disable  Disables the debugging for WPS settings.

Command Default

None

Command History

Release  Modification
7.6      This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable the debugging of WPS signature settings:

(Cisco Controller) > debug wps sig enable

Related Commands

debug wps mfp
debug disable-all

debug wps mfp

To configure the debugging of WPS Management Frame Protection (MFP) settings, use the debug wps mfp command.

debug wps mfp {client | capwap | detail | report | mm} {enable | disable}

Syntax Description

client   Configures the debugging for client MFP messages.
capwap   Configures the debugging for MFP messages between the controller and access points.
detail   Configures the detailed debugging for MFP messages.
report   Configures the debugging for MFP reporting.
mm       Configures the debugging for MFP mobility (inter-Cisco WLC) messages.
enable   Enables the debugging for WPS MFP settings.
disable  Disables the debugging for WPS MFP settings.

Command Default

None

Command History

Release  Modification
7.6      This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable the debugging of WPS MFP settings:

(Cisco Controller) > debug wps mfp detail enable

Related Commands

debug disable-all
debug wps sig

PART V

IMM Commands

• imm address
• imm dhcp
• imm mode
• imm restart
• imm summary
• imm username

imm address

To configure the static IP address of the IMM, use the imm address command.

imm address ip-addr netmask gateway

Syntax Description

ip-addr  IP address of the IMM
netmask  Netmask of the IMM
gateway  Gateway of the IMM

Command Default

None

Command History

Release  Modification
7.6      This command was introduced in a release earlier than Release 7.6.
8.0      This command supports only IPv4 address format.

Examples

The following example shows how to set the static IP address of an IMM:

(Cisco Controller) > imm address 209.165.200.225 255.255.255.224 10.1.1.1

imm dhcp

To configure DHCP for the IMM, use the imm dhcp command.

imm dhcp {enable | disable | fallback}

Syntax Description

enable    Enables DHCP for the IMM
disable   Disables DHCP for the IMM
fallback  Enables DHCP for the IMM, but if it fails, then uses static IP of the IMM

Command Default

DHCP for IMM is enabled.

Command History

Release  Modification
7.6      This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable DHCP for the IMM:

(Cisco Controller) > imm dhcp enable

imm mode

To configure the IMM mode, use the imm mode command.

imm mode {shared | dedicated}

Syntax Description

shared     Sets IMM in shared mode
dedicated  Sets IMM in dedicated mode

Command Default

Dedicated

Command History

Release  Modification
7.6      This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to set the IMM in shared mode:

(Cisco Controller) > imm mode

imm restart

To restart the IMM, use the imm restart command.

imm restart

Syntax Description

restart  Saves your settings and restarts the IMM

Command Default

None

Command History

Release  Modification
7.6      This command was introduced in a release earlier than Release 7.6.

imm restart


imm summary

To view the IMM parameters, use the imm summary command.

imm summary

Syntax Description

summary  Lists the IMM parameters

Command Default

None

Command History

Release  Modification
7.6      This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows a typical summary of the IMM:

(Cisco Controller) > imm summary
User ID..........................................username1
Mode............................................. Shared
DHCP............................................. Enabled
IP Address....................................... 209.165.200.225
Subnet Mask...................................... 255.255.255.224
Gateway.......................................... 10.1.1.1
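The following is an added example, not part of the Cisco reference: a Python sketch that parses the imm summary output shown above and checks that the values given to imm address (IPv4 only, as the command history states) are consistent with each other. The function names are hypothetical, and the sample text is the output copied from this page.

```python
import ipaddress
import re

# Output copied from the imm summary example in this reference.
SAMPLE_IMM_SUMMARY = """\
User ID..........................................username1
Mode............................................. Shared
DHCP............................................. Enabled
IP Address....................................... 209.165.200.225
Subnet Mask...................................... 255.255.255.224
Gateway.......................................... 10.1.1.1
"""

# One field per line: a label, a run of dot leaders, then the value.
FIELD_RE = re.compile(r"^(?P<key>[^.]+?)\.{2,}\s*(?P<value>.*?)\s*$")


def parse_imm_summary(text):
    """Return the dotted 'label....value' lines as a dict (hypothetical helper)."""
    fields = {}
    for line in text.splitlines():
        match = FIELD_RE.match(line)
        if match:
            fields[match.group("key").strip()] = match.group("value")
    return fields


def check_imm_addressing(ip_addr, netmask, gateway):
    """Check the three 'imm address' arguments against each other (IPv4 only)."""
    try:
        iface = ipaddress.IPv4Interface(f"{ip_addr}/{netmask}")
        gw = ipaddress.IPv4Address(gateway)
    except ValueError as exc:  # covers AddressValueError and NetmaskValueError
        return [f"invalid IPv4 value: {exc}"]

    net = iface.network
    findings = []
    # On subnets larger than /31 the first and last addresses are not host addresses.
    if net.prefixlen < 31 and iface.ip in (net.network_address, net.broadcast_address):
        findings.append(f"address {iface.ip} is the network or broadcast address of {net}")
    if gw == iface.ip:
        findings.append(f"gateway {gw} is the same as the IMM address")
    elif gw not in net:
        findings.append(f"gateway {gw} is not on the IMM subnet {net}")
    return findings


def audit_imm_summary(text):
    """Parse imm summary output and return a list of addressing findings."""
    fields = parse_imm_summary(text)
    missing = [k for k in ("IP Address", "Subnet Mask", "Gateway") if k not in fields]
    if missing:
        return ["missing field(s): " + ", ".join(missing)]
    return check_imm_addressing(
        fields["IP Address"], fields["Subnet Mask"], fields["Gateway"]
    )


if __name__ == "__main__":
    for finding in audit_imm_summary(SAMPLE_IMM_SUMMARY) or ["addressing is consistent"]:
        print(finding)
```

Run against the sample values used on this page, the check reports that the gateway lies outside the subnet derived from the IP address and subnet mask.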


imm username

To configure the logon credentials for an IMM user, use the imm username command.

imm username username password

Syntax Description

username  Username for the user
password  Password for the user

Command Default

None

Command History

Release  Modification
7.6      This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to set the logon credentials of an IMM user:

(Cisco Controller) > imm username username1 password1

PART VI

License Commands

• license activate ap-count eval
• license activate feature
• license add ap-count
• license add feature
• license clear
• license comment
• license deactivate ap-count eval
• license deactivate feature
• license delete ap-count
• license delete feature
• license install
• license modify priority
• license revoke
• license save
• license smart

license activate ap-count eval

To activate an evaluation access point license on the Cisco Flex 7500 Series and Cisco 8500 Series Wireless LAN Controllers, use the license activate ap-count eval command.

license activate ap-count eval

Syntax Description

This command has no arguments or keywords.

Command Default

By default, in release 7.3 Cisco Flex 7500 Series Controllers and Cisco 8500 Series Wireless LAN Controllers support 6000 APs.

Command History

Release  Modification
7.6      This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

When you activate this license, the controller prompts you to accept or reject the End User License Agreement (EULA) for the given license. If you activate a license that supports a smaller number of APs than the current number of APs connected to the controller, the activation command fails.

Examples

The following example shows how to activate an evaluation AP-count license on a Cisco Flex 7500 Series controller:

(Cisco Controller) > license activate ap-count eval

license activate feature

To activate a feature license on Cisco Flex 7500 Series and Cisco 8500 Series Wireless LAN Controllers, use the license activate feature command.

license activate feature license_name

Syntax Description

license_name  Name of the feature license. The license name can be up to 50 case-sensitive characters.

Command Default

None

Command History

Release  Modification
7.6      This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to activate a data DTLS feature license on a Cisco Flex 7500 Series controller:

(Cisco Controller) > license activate feature data-DTLS

license add ap-count

To configure the number of access points (APs) that an AP license can support on Cisco Flex 7500 and 8500 Series Wireless LAN controllers, use the license add ap-count command.

license add ap-count count

Syntax Description

count  Number of APs that the AP license supports. The range is from 1 to the maximum number of APs that the controller can support. The count must be a multiple of 5.

Command Default

None

Command History

Release  Modification
7.6      This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

Right to Use (RTU) licensing allows you to enable a desired AP license count on the controller after accepting the End User License Agreement (EULA). You can now easily add AP counts on a controller without using external tools. RTU licensing is available only on Cisco Flex 7500 and 8500 series Wireless LAN controllers.

You can use this command to increase the count of an existing AP license. When you activate a license that supports a smaller number of APs than the current number of APs connected to the controller, the activation command fails.

Examples

The following example shows how to configure the count of an AP license on a Cisco Flex 7500 Series controller:

(Cisco Controller) > license add ap-count 5000

license add feature

To add a license for a feature on the Cisco 5520 WLC, Cisco Flex 7510 WLC, Cisco 8510 WLC, Cisco 8540 WLC, and Cisco Virtual Controller, use the license add feature command.

license add feature license_name

Syntax Description

license_name

Name of the feature license. The license name can be up to 50 case-sensitive characters. For example, data_encryption.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6. This command is applicable to Cisco Flex 7510 WLC and Cisco 8510 WLC.
8.1        This command is applicable to Cisco 5520 WLC, Cisco Flex 7510 WLC, Cisco 8510 WLC, Cisco 8540 WLC, and Cisco vWLC.

Examples

The following example shows how to add a data_encryption feature license:

(Cisco Controller) > license add feature data_encryption


license clear

To remove a license from the Cisco 5500 Series Controller, use the license clear command.

license clear license_name

Syntax Description

license_name

Name of the license.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

You can delete an expired evaluation license or any unused license. You cannot delete unexpired evaluation licenses, the permanent base image license, or licenses that are in use by the controller.

Examples

The following example shows how to remove the license settings of the license named wplus-ap-count:

(Cisco Controller) > license clear wplus-ap-count


license comment

To add comments to a license or delete comments from a license on the Cisco 5500 Series Controller, use the license comment command.

license comment {add | delete} license_name comment_string

Syntax Description

add               Adds a comment.
delete            Deletes a comment.
license_name      Name of the license.
comment_string    License comment.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to add a comment “wplus ap count license” to the license name wplus-ap-count:

(Cisco Controller) > license comment add wplus-ap-count Comment for wplus ap count license


license deactivate ap-count eval

To deactivate an evaluation access point license on the Cisco Flex 7500 Series and Cisco 8500 Series Wireless LAN Controllers, use the license deactivate ap-count eval command.

license deactivate ap-count eval

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to deactivate an evaluation AP license on a Cisco Flex 7500 Series controller:

(Cisco Controller) > license deactivate ap-count eval


license deactivate feature

To deactivate a feature license on Cisco Flex 7500 Series and Cisco 8500 Series Wireless LAN controllers, use the license deactivate feature command.

license deactivate feature license_name

Syntax Description

license_name

Name of the feature license. The license name can be up to 50 case-sensitive characters.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to deactivate a data DTLS feature license on a Cisco Flex 7500 Series controller:

(Cisco Controller) > license deactivate feature data_DTLS


license delete ap-count

To delete an access point (AP) count license on the Cisco Flex 7500 Series and Cisco 8500 Series Wireless LAN Controllers, use the license delete ap-count command.

license delete ap-count count

Syntax Description

count

Number of APs that the AP license supports. The range is from 1 to the maximum number of APs that the controller can support. The count must be a multiple of 5.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to delete an AP count license on a Cisco Flex 7500 Series controller:

(Cisco Controller) > license delete ap-count 5000


license delete feature

To delete a license for a feature on Cisco Flex 7500 Series and Cisco 8500 Series Wireless LAN controllers, use the license delete feature command.

license delete feature license_name

Syntax Description

license_name

Name of the feature license.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to delete the High Availability feature license on a Cisco Flex 7500 Series controller:

(Cisco Controller) > license delete feature high_availability


license install

To install a license on the Cisco 5500 Series Controller, use the license install command.

license install url

Syntax Description

url

URL of the TFTP server (tftp://server_ip/path/filename).

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

We recommend that the access point count be the same for the base-ap-count and wplus-ap-count licenses installed on your controller. If your controller has a base-ap-count license of 100 and you install a wplus-ap-count license of 12, the controller supports up to 100 access points when the base license is in use but only a maximum of 12 access points when the wplus license is in use.

You cannot install a wplus license that has an access point count greater than the controller's base license. For example, you cannot apply a wplus-ap-count 100 license to a controller with an existing base-ap-count 12 license. If you attempt to register for such a license, an error message appears indicating that the license registration has failed. Before upgrading to a wplus-ap-count 100 license, you would first have to upgrade the controller to a base-ap-count 100 or 250 license.

Examples

The following example shows how to install a license on the controller from the URL tftp://10.10.10.10/path/license.lic:

(Cisco Controller) > license install tftp://10.10.10.10/path/license.lic


license modify priority

To raise or lower the priority of the base-ap-count or wplus-ap-count evaluation license on a Cisco 5500 Series Controller, use the license modify priority command.

license modify priority license_name {high | low}

Syntax Description

license_name    Ap-count evaluation license.
high            Modifies the priority of an ap-count evaluation license.
low             Modifies the priority of an ap-count evaluation license.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

If you are considering upgrading to a license with a higher access point count, you can try an evaluation license before upgrading to a permanent version of the license. For example, if you are using a permanent license with a 50 access point count and want to try an evaluation license with a 100 access point count, you can try out the evaluation license for 60 days.

AP-count evaluation licenses are set to low priority by default so that the controller uses the ap-count permanent license. If you want to try an evaluation license with an increased access point count, you must change its priority to high. If you no longer want to have this higher capacity, you can lower the priority of the ap-count evaluation license, which forces the controller to use the permanent license.

Note

You can set the priority only for ap-count evaluation licenses. AP-count permanent licenses always have a medium priority, which cannot be configured.

Note

If the ap-count evaluation license is a wplus license and the ap-count permanent license is a base license, you must also change the feature set to wplus.


Note

To prevent disruptions in operation, the controller does not switch licenses when an evaluation license expires. You must reboot the controller in order to return to a permanent license. Following a reboot, the controller defaults to the same feature set level as the expired evaluation license. If no permanent license at the same feature set level is installed, the controller uses a permanent license at another level or an unexpired evaluation license.

Examples

The following example shows how to set the priority of the wplus-ap-count to high:

(Cisco Controller) > license modify priority wplus-ap-count high


license revoke

To rehost a license on a Cisco 5500 Series WLC, use the license revoke command.

license revoke {permission_ticket_url | rehost rehost_ticket_url}

Syntax Description

permission_ticket_url    URL of the TFTP server (tftp://server_ip/path/filename) where you saved the permission ticket.
rehost                   Specifies the rehost license settings.
rehost_ticket_url        URL of the TFTP server (tftp://server_ip/path/filename) where you saved the rehost ticket.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

Before you revoke a license, save the device credentials by using the license save credential url command.

You can rehost all permanent licenses except the permanent base image license. Evaluation licenses and the permanent base image license cannot be rehosted.

In order to rehost a license, you must generate credential information from the controller and use it to obtain a permission ticket to revoke the license from the Cisco licensing site, https://tools.cisco.com/SWIFT/LicensingUI/Quickstart. Next, you must obtain a rehost ticket and use it to obtain a license installation file for the controller on which you want to install the license.

For detailed information on rehosting licenses, see the “Installing and Configuring Licenses” section in the Cisco Wireless LAN Controller Configuration Guide.

Examples

The following example shows how to revoke the license settings from the saved permission ticket URL tftp://10.10.10.10/path/permit_ticket.lic:

(Cisco Controller) > license revoke tftp://10.10.10.10/path/permit_ticket.lic

The following example shows how to revoke the license settings from the saved rehost ticket URL tftp://10.10.10.10/path/rehost_ticket.lic:

(Cisco Controller) > license revoke rehost tftp://10.10.10.10/path/rehost_ticket.lic


license save

To save a backup copy of all installed licenses or license credentials on the Cisco 5500 Series Controller, use the license save command.

license save credential url

Syntax Description

credential    Device credential information.
url           URL of the TFTP server (tftp://server_ip/path/filename).

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

Save the device credentials before you revoke the license by using the license revoke command.

Examples

The following example shows how to save a backup copy of all installed licenses or license credentials on tftp://10.10.10.10/path/cred.lic:

(Cisco Controller) > license save credential tftp://10.10.10.10/path/cred.lic


license smart

To register or deregister a device using Cisco Smart Software Licensing platform, use the license smart command.

license smart {register | deregister} idtoken

Syntax Description

register      Adds and activates a device on the Cisco Smart Software License platform.
deregister    Deletes a device on the Cisco Smart Software License platform.
idtoken       Unique ID for the device.

Command History

Release    Modification
8.2        This command was introduced.

Examples

The following example shows how to register a device on Cisco Smart Software License platform:

(Cisco Controller) > license smart register RkMxJbjKMV11hmpgh46mAgXSNKmticyJzu0xDfYgf8xflkiYbZsCqprt


PART VII

Show Commands

Show Commands: 802.11

Show Commands: a to i

Show Commands: j to q

Show Commands: r to z

Show Commands: 802.11

show 802.11

show 802.11 cleanair

show 802.11 cleanair air-quality summary

show 802.11 cleanair air-quality worst

show 802.11 cleanair device ap

show 802.11 cleanair device type

show 802.11 cu-metrics

show 802.11 extended

show 802.11 media-stream


show 802.11

To display basic 802.11a, 802.11b/g, or 802.11h network settings, use the show 802.11 command.

show 802.11{a | b | h}

Syntax Description

a    Specifies the 802.11a network.
b    Specifies the 802.11b/g network.
h    Specifies the 802.11h network.

Command Default

None.

Examples

This example shows how to display basic 802.11a network settings:

> show 802.11a

802.11a Network.................................. Enabled

11nSupport....................................... Enabled

802.11a Low Band........................... Enabled

802.11a Mid Band........................... Enabled

802.11a High Band.......................... Enabled

802.11a Operational Rates

802.11a 6M Rate.............................. Mandatory

802.11a 9M Rate.............................. Supported

802.11a 12M Rate............................. Mandatory

802.11a 18M Rate............................. Supported

802.11a 24M Rate............................. Mandatory

802.11a 36M Rate............................. Supported

802.11a 48M Rate............................. Supported

802.11a 54M Rate............................. Supported

802.11n MCS Settings:

MCS 0........................................ Supported

MCS 1........................................ Supported

MCS 2........................................ Supported

MCS 3........................................ Supported

MCS 4........................................ Supported

MCS 5........................................ Supported

MCS 6........................................ Supported

MCS 7........................................ Supported

MCS 8........................................ Supported

MCS 9........................................ Supported

MCS 10....................................... Supported

MCS 11....................................... Supported

MCS 12....................................... Supported

MCS 13....................................... Supported

MCS 14....................................... Supported

MCS 15....................................... Supported

802.11n Status:

A-MPDU Tx:

Priority 0............................... Enabled

Priority 1............................... Disabled

Priority 2............................... Disabled

Priority 3............................... Disabled

Priority 4............................... Disabled

Priority 5............................... Disabled

Priority 6............................... Disabled


Priority 7............................... Disabled

Beacon Interval.................................. 100

CF Pollable mandatory............................ Disabled

CF Poll Request mandatory........................ Disabled

--More-- or (q)uit

CFP Period....................................... 4

CFP Maximum Duration............................. 60

Default Channel.................................. 36

Default Tx Power Level........................... 0

DTPC Status..................................... Enabled

Fragmentation Threshold.......................... 2346

TI Threshold..................................... -50

Legacy Tx Beamforming setting.................... Disabled

Traffic Stream Metrics Status.................... Enabled

Expedited BW Request Status...................... Disabled

World Mode....................................... Enabled

EDCA profile type................................ default-wmm

Voice MAC optimization status.................... Disabled

Call Admission Control (CAC) configuration

Voice AC:

Voice AC - Admission control (ACM)............ Disabled

Voice max RF bandwidth........................ 75

Voice reserved roaming bandwidth.............. 6

Voice load-based CAC mode..................... Disabled

Voice tspec inactivity timeout................ Disabled

Voice Stream-Size............................. 84000

Voice Max-Streams............................. 2

Video AC:

Video AC - Admission control (ACM)............ Disabled

Video max RF bandwidth........................ Infinite

Video reserved roaming bandwidth.............. 0

This example shows how to display basic 802.11h network settings:

> show 802.11h

802.11h ......................................... powerconstraint : 0

802.11h ......................................... channelswitch : Disable

802.11h ......................................... channelswitch mode : 0

Related Commands

show ap stats
show ap summary
show client summary
show network
show network summary
show port
show wlan
show 802.11


show 802.11 cleanair

To display the multicast-direct configuration state, use the show 802.11 cleanair command.

show 802.11{a | b | h} cleanair config

Syntax Description

a         Specifies the 802.11a network.
b         Specifies the 802.11b/g network.
h         Specifies the 802.11h network.
config    Displays the network Cleanair configuration.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to display the 802.11a cleanair configuration:

(Cisco Controller) > show 802.11a cleanair

Clean Air Solution............................... Enabled

Air Quality Settings:

Air Quality Reporting........................ Enabled

Air Quality Reporting Period (min)........... 15

Air Quality Alarms........................... Enabled

Air Quality Alarm Threshold.................. 35

Interference Device Settings:

Interference Device Reporting................ Enabled

Interference Device Types:

TDD Transmitter.......................... Disabled

Jammer................................... Disabled

Continuous Transmitter................... Disabled

DECT-like Phone.......................... Disabled

Video Camera............................. Disabled

WiFi Inverted............................ Disabled

WiFi Invalid Channel..................... Disabled

SuperAG.................................. Disabled

Radar.................................... Disabled

Canopy................................... Disabled

WiMax Mobile............................. Disabled

WiMax Fixed.............................. Disabled

Interference Device Alarms................... Enabled

Interference Device Types Triggering Alarms:


TDD Transmitter.......................... Disabled

Jammer................................... Disabled

Continuous Transmitter................... Disabled

DECT-like Phone.......................... Disabled

Video Camera............................. Disabled

WiFi Inverted............................ Disabled

WiFi Invalid Channel..................... Disabled

SuperAG.................................. Disabled

Radar.................................... Disabled

Canopy................................... Disabled

WiMax Mobile............................. Disabled

WiMax Fixed.............................. Disabled

Additional Clean Air Settings:

CleanAir Event-driven RRM State.............. Enabled

CleanAir Driven RRM Sensitivity.............. Medium

CleanAir Persistent Devices state............ Disabled
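
The output above can be checked mechanically. The following is an added example, not part of the Cisco reference: a Python parser for the dotted "show 802.11a cleanair" output that lists which interferer types are neither reported nor able to trigger an alarm. The function names and the WATCHED policy list are assumptions made for illustration.

```python
import re

# Constructed input: the "show 802.11a cleanair" output from the example above,
# retyped with the page-break residue removed. Indentation is not relied on.
SAMPLE = """\
Clean Air Solution............................... Enabled
Air Quality Settings:
Air Quality Reporting........................ Enabled
Air Quality Reporting Period (min)........... 15
Air Quality Alarms........................... Enabled
Air Quality Alarm Threshold.................. 35
Interference Device Settings:
Interference Device Reporting................ Enabled
Interference Device Types:
TDD Transmitter.......................... Disabled
Jammer................................... Disabled
Continuous Transmitter................... Disabled
DECT-like Phone.......................... Disabled
Video Camera............................. Disabled
WiFi Inverted............................ Disabled
WiFi Invalid Channel..................... Disabled
SuperAG.................................. Disabled
Radar.................................... Disabled
Canopy................................... Disabled
WiMax Mobile............................. Disabled
WiMax Fixed.............................. Disabled
Interference Device Alarms................... Enabled
Interference Device Types Triggering Alarms:
TDD Transmitter.......................... Disabled
Jammer................................... Disabled
Continuous Transmitter................... Disabled
DECT-like Phone.......................... Disabled
Video Camera............................. Disabled
WiFi Inverted............................ Disabled
WiFi Invalid Channel..................... Disabled
SuperAG.................................. Disabled
Radar.................................... Disabled
Canopy................................... Disabled
WiMax Mobile............................. Disabled
WiMax Fixed.............................. Disabled
Additional Clean Air Settings:
CleanAir Event-driven RRM State.............. Enabled
CleanAir Driven RRM Sensitivity.............. Medium
CleanAir Persistent Devices state............ Disabled
"""

# "Key....... Value" lines; section headers are the lines that end with ":".
KV = re.compile(r"^(?P<key>.+?)\.{3,}\s*(?P<val>\S.*)$")

# Assumed site policy (not from the Cisco reference): interferer types that
# must be both reported and able to trigger an alarm.
WATCHED = ("Jammer", "Continuous Transmitter", "WiFi Inverted", "WiFi Invalid Channel")


def parse(text):
    """Return {section: {key: value}}; a key is filed under the most recent
    header line, and under "" when no header has been seen yet."""
    sections, current = {"": {}}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("--More--"):
            continue  # blank lines and pager prompts carry no settings
        m = KV.match(line)
        if m:
            sections[current][m["key"].strip()] = m["val"].strip()
        elif line.endswith(":"):
            current = line[:-1]
            sections.setdefault(current, {})
    return sections


def audit(text, watched=WATCHED):
    """Return (item, problem) pairs. A missing key counts as a finding, so
    truncated or unparsable output never passes silently."""
    s = parse(text)
    # The global switches have unique names, so a flattened view is safe for them.
    flat = {k: v for sec in s.values() for k, v in sec.items()}
    findings = []
    for switch in ("Clean Air Solution", "Interference Device Reporting",
                   "Interference Device Alarms"):
        if flat.get(switch) != "Enabled":
            findings.append((switch, "global switch is not Enabled"))
    reported = s.get("Interference Device Types", {})
    alarmed = s.get("Interference Device Types Triggering Alarms", {})
    for dev in watched:
        if reported.get(dev) != "Enabled":
            findings.append((dev, "not reported"))
        if alarmed.get(dev) != "Enabled":
            findings.append((dev, "does not trigger an alarm"))
    return findings


if __name__ == "__main__":
    for item, problem in audit(SAMPLE):
        print(f"{item}: {problem}")
```

On the sample, the three global switches pass while every watched interferer type is flagged twice, because reporting and alarms are enabled globally but no device type is selected.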


show 802.11 cleanair air-quality summary

To display the air quality summary information for the 802.11 networks, use the show 802.11 cleanair air-quality summary command.

show 802.11 {a | b | h} cleanair air-quality summary

Syntax Description

a          Specifies the 802.11a network.
b          Specifies the 802.11b/g network.
h          Specifies the 802.11h network.
summary    Displays a summary of 802.11 radio band air quality information.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to display a summary of the air quality information for the 802.11a network:

(Cisco Controller) > show 802.11a cleanair air-quality summary

AQ = Air Quality

DFS = Dynamic Frequency Selection

AP Name Channel Avg AQ Min AQ Interferers DFS

------------------ -----------------------------

CISCO_AP3500 36 95 70 0

CISCO_AP3500 40 93 75 0


show 802.11 cleanair air-quality worst

To display the worst air quality information for the 802.11 networks, use the show 802.11 cleanair air-quality worst command.

show 802.11{a | b | h} cleanair air-quality worst

Syntax Description

a        Specifies the 802.11a network.
b        Specifies the 802.11b/g network.
h        Specifies the 802.11h network.
worst    Displays the worst air quality information for 802.11 networks.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to display worst air quality information for the 802.11a network:

(Cisco Controller) > show 802.11 cleanair air-quality worst

AQ = Air Quality

DFS = Dynamic Frequency Selection

AP Name Channel Avg AQ Min AQ Interferers DFS

------------------ -----------------------------

CISCO_AP3500 1 83 57 3 5


show 802.11 cleanair device ap

To display the information of the device access point on the 802.11 radio band, use the show 802.11 cleanair device ap command.

show 802.11 {a | b | h} cleanair device ap cisco_ap

Syntax Description

a           Specifies the 802.11a network.
b           Specifies the 802.11b/g network.
h           Specifies the 802.11h network.
cisco_ap    Specified access point name.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to display the device access point for the 802.11a network:

(Cisco Controller) > show 802.11a cleanair device ap AP_3500

DC = Duty Cycle (%)
ISI = Interference Severity Index (1-Low Interference, 100-High Interference)
RSSI = Received Signal Strength Index (dBm)
DevID = Device ID

No  ClusterID          DevID  Type       AP Name         ISI  RSSI  DC   Channel
--- ------------------ ------ ---------- --------------- ---- ----- ---- -------------
1   c2:f7:40:00:00:03  0x8001 DECT phone CISCO_AP3500    1    -43   3    149,153,157,161
2   c2:f7:40:00:00:51  0x8002 Radar      CISCO_AP3500    1    -81   2    153,157,161,165
3   c2:f7:40:00:00:03  0x8005 Canopy     CISCO_AP3500    2    -62   2    153,157,161,165


show 802.11 cleanair device type

To display the information of all the interferers device type detected by a specific access point on the 802.11 radio band, use the show 802.11 cleanair device type command.

show 802.11{a | b | h} cleanair device type device_type

Syntax Description

a              Specifies the 802.11a network.
b              Specifies the 802.11b/g network.
h              Specifies the 802.11h network.
device_type    Interferer device type for a specified radio band. The device type is one of the following:

• tdd-tx—Tdd-transmitter device information.

• jammer—Jammer device information.

• cont-tx—Continuous-transmitter devices information.

• dect-like—Dect-like phone devices information.

• video—Video devices information.

• 802.11-inv—WiFi inverted devices information.

• 802.11-nonstd—Nonstandard WiFi devices information.

• superag—Superag devices information.

• canopy—Canopy devices information.

• wimax-mobile—WiMax mobile devices information.

• wimax-fixed—WiMax fixed devices information.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.


Examples

The following example shows how to display the information of all the interferers detected by a specified access point for the 802.11a network:

(Cisco Controller) > show 802.11a cleanair device type canopy

DC = Duty Cycle (%)
ISI = Interference Severity Index (1-Low Interference, 100-High Interference)
RSSI = Received Signal Strength Index (dBm)
DevID = Device ID

No  ClusterID          DevID  Type       AP Name         ISI  RSSI  DC   Channel
--- ------------------ ------ ---------- --------------- ---- ----- ---- -------------
1   c2:f7:40:00:00:03  0x8005 Canopy     CISCO_AP3500    2    -62   2    153,157,161,165


show 802.11 cu-metrics

To display access point channel utilization metrics, use the show 802.11 cu-metrics command.

show 802.11{a | b} cu-metrics cisco_ap

Syntax Description

a           Specifies the 802.11a network.
b           Specifies the 802.11b/g network.
cisco_ap    Access point name.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following is a sample output of the show 802.11a cu-metrics command:

(Cisco Controller) > show 802.11a cu-metrics AP1

AP Interface Mac: 30:37:a6:c8:8a:50

Measurement Duration: 90sec

Timestamp Thu Jan 27 09:08:48 2011

Channel Utilization stats

================

Picc (50th Percentile)...................... 0

Pib (50th Percentile)....................... 76

Picc (90th Percentile)...................... 0

Pib (90th Percentile)....................... 77

Timestamp Thu Jan 27 09:34:34 2011

show 802.11 extended

To display access point radio extended configurations, use the show 802.11 extended command.

show 802.11 {a | b} extended

Syntax Description

a          Specifies the 802.11a network.
b          Specifies the 802.11b/g network.
extended   Displays the 802.11a/b radio extended configurations.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.
8.0        The command output was expanded to include the Rx SOP threshold.

Examples

The following example shows how to display radio extended configurations:

(Cisco Controller) > show 802.11a extended

Default 802.11a band radio extended configurations:
    beacon period 300, range 60; multicast buffer 45, rate 200;
    RX SOP -80; CCA threshold -90;
AP0022.9090.b618 00:24:97:88:99:60
    beacon period 300, range 60; multicast buffer 45, rate 200;
    RX SOP -80; CCA threshold -77
AP0022.9090.bb3e 00:24:97:88:c5:d0
    beacon period 300, range 0; multicast buffer 0, rate 0;
    RX SOP -80; CCA threshold -0
ironRap.ddbf 00:17:df:36:dd:b0
    beacon period 300, range 0; multicast buffer 0, rate 0;
    RX SOP -80; CCA threshold -0

The following example shows how to display radio extended configurations and the Rx SOP threshold:

(Cisco Controller) > show 802.11a extended

Default 802.11a band Radio Extended Configurations:

Beacon period: 100, range: 0 (AUTO);

Multicast buffer: 0 (AUTO), rate: 0 (AUTO);

RX SOP threshold: -76; CCA threshold: 0 (AUTO);

AP3600-XALE3 34:a8:4e:6a:7b:00

Beacon period: 100, range: 0 (AUTO);

Multicast buffer: 0 (AUTO), rate: 0 (AUTO);

RX SOP threshold: -76; CCA threshold: 0 (AUTO);

show 802.11 media-stream

To display the multicast-direct configuration state, use the show 802.11 media-stream command.

show 802.11 {a | b | h} media-stream media_stream_name

Syntax Description

a                   Specifies the 802.11a network.
b                   Specifies the 802.11b/g network.
h                   Specifies the 802.11h network.
media_stream_name   Specified media stream name.

Command Default

None.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

This example shows how to display the media-stream configuration:

> show 802.11a media-stream rrc

Multicast-direct................................. Enabled

Best Effort...................................... Disabled

Video Re-Direct.................................. Enabled

Max Allowed Streams Per Radio.................... Auto

Max Allowed Streams Per Client................... Auto

Max Video Bandwidth.............................. 0

Max Voice Bandwidth.............................. 75

Max Media Bandwidth.............................. 85

Min PHY Rate..................................... 6000

Max Retry Percentage............................. 80

Related Commands

show media-stream group summary

Show Commands: a to i

show aaa auth
show acl
show acl detailed
show acl url-acl detailed
show acl summary
show acl url-acl summary
show advanced 802.11 channel
show advanced 802.11 coverage
show advanced 802.11 group
show advanced 802.11 l2roam
show advanced 802.11 logging
show advanced 802.11 monitor
show advanced 802.11 optimized roaming
show advanced 802.11 profile
show advanced 802.11 receiver
show advanced 802.11 summary
show advanced 802.11 txpower
show advanced backup-controller
show advanced dot11-padding
show advanced hotspot
show advanced max-1x-sessions
show advanced probe
show advanced rate
show advanced timers
show advanced client-handoff
show advanced eap
show advanced send-disassoc-on-handoff
show advanced sip-preferred-call-no
show advanced sip-snooping-ports
show arp kernel
show arp switch
show ap auto-rf
show ap ccx rm
show ap cdp
show ap channel
show ap config
show ap config general
show ap config global
show ap core-dump
show ap crash-file
show ap data-plane
show ap dtls-cipher-suite
show ap ethernet tag
show ap eventlog
show ap flexconnect
show ap image
show ap inventory
show ap join stats detailed
show ap join stats summary
show ap join stats summary all
show ap led-state
show ap led-flash
show ap link-encryption
show ap max-count summary
show ap monitor-mode summary
show ap module summary
show ap packet-dump status
show ap prefer-mode stats
show ap retransmit
show ap stats
show ap summary
show ap tcp-mss-adjust
show ap wlan
show assisted-roaming
show atf config
show atf statistics ap
show auth-list
show avc applications
show avc profile
show avc statistics application
show avc statistics client
show avc statistics guest-lan
show avc statistics remote-lan
show avc statistics top-apps
show avc statistics wlan
show boot
show band-select
show buffers
show cac voice stats
show cac voice summary
show cac video stats
show cac video summary
show call-control ap
show call-control client
show call-home summary
show capwap reap association
show capwap reap status
show cdp
show certificate compatibility
show certificate lsc
show certificate ssc
show certificate summary
show client ap
show client calls
show client ccx client-capability
show client ccx frame-data
show client ccx last-response-status
show client ccx last-test-status
show client ccx log-response
show client ccx manufacturer-info
show client ccx operating-parameters
show client ccx profiles
show client ccx results
show client ccx rm
show client ccx stats-report
show client detail
show client location-calibration summary
show client roam-history
show client summary
show client summary guest-lan
show client tsm
show client username
show client voice-diag
show client detail
show client location-calibration summary
show client probing
show client roam-history
show client summary
show client wlan
show cloud-services cmx summary
show cloud-services cmx statistics
show cts ap
show cts environment-data
show cts pacs
show cts policy
show cts sgacl
show cts summary
show cts sxp
show coredump summary
show country
show country channels
show country supported
show cpu
show custom-web
show database summary
show dhcp
show dhcp proxy
show dhcp timeout
show dtls connections
show exclusionlist
show flexconnect acl detailed
show flexconnect acl summary
show flexconnect group detail
show flexconnect group summary
show flexconnect office-extend
show flow exporter
show flow monitor summary
show guest-lan
show icons summary
show ike
show interface summary
show interface detailed
show interface group
show invalid-config
show inventory
show IPsec
show ipv6 acl
show ipv6 summary
show guest-lan
show icons file-info
show ipv6 acl
show ipv6 acl cpu
show ipv6 acl detailed
show ipv6 neighbor-binding
show ipv6 ra-guard
show ipv6 route summary
show ipv6 summary
show known ap

show aaa auth

To display the configuration settings for the AAA authentication server database, use the show aaa auth command.

show aaa auth

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to display the configuration settings for the AAA authentication server database:

(Cisco Controller) > show aaa auth

Management authentication server order:

1............................................ local

2............................................ tacacs

Related Commands

config aaa auth
config aaa auth mgmt

show acl

To display the access control lists (ACLs) that are configured on the controller, use the show acl command.

show acl {cpu | detailed acl_name | summary | layer2 { summary | detailed acl_name } }

Syntax Description

cpu        Displays the ACLs configured on the Cisco WLC's central processing unit (CPU).
detailed   Displays detailed information about a specific ACL.
acl_name   ACL name. The name can be up to 32 alphanumeric characters.
summary    Displays a summary of all ACLs configured on the controller.
layer2     Displays the Layer 2 ACLs.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to display the access control lists on the CPU.

(Cisco Controller) > show acl cpu

CPU Acl Name................................

Wireless Traffic............................ Disabled

Wired Traffic............................... Disabled

Applied to NPU.............................. No

The following example shows how to display a summary of the access control lists.

(Cisco Controller) > show acl summary

ACL Counter Status              Disabled
----------------------------------------
IPv4 ACL Name                    Applied
-------------------------------- -------
acl1                             Yes
acl2                             Yes
acl3                             Yes
----------------------------------------
IPv6 ACL Name                    Applied
-------------------------------- -------
acl6                             No

The following example shows how to display the detailed information of the access control lists.

(Cisco Controller) > show acl detailed acl_name

        Source              Destination                        Source Port  Dest Port
I  Dir  IP Address/Netmask  IP Address/Netmask           Prot  Range        Range      DSCP  Action  Counter
-  ---  ------------------  ---------------------------  ----  -----------  ---------  ----  ------  -------
1  Any  0.0.0.0/0.0.0.0     0.0.0.0/0.0.0.0              Any   0-65535      0-65535    0     Deny    0
2  In   0.0.0.0/0.0.0.0     200.200.200.0/255.255.255.0  6     80-80        0-65535    Any   Permit  0

DenyCounter : 0

Note

The Counter field increments each time a packet matches an ACL rule, and the DenyCounter field increments each time a packet does not match any of the rules.

Related Commands

clear acl counters
config acl apply
config acl counter
config acl cpu
config acl create
config acl delete
config interface acl
config acl rule

show acl detailed

To display detailed DNS-based ACL information, use the show acl detailed command.

show acl detailed acl_name

Syntax Description

acl_name   Name of the access control list.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced.

Examples

The following is a sample output of the show acl detailed acl_name command.

(Cisco Controller) > show acl detailed android

No rules are configured for this ACL.

DenyCounter : 0

URLs configured in this ACL

---------------------------

*.play.google.com

*.store.google.com

show acl url-acl detailed

To display detailed URL ACL profile information, use the show acl url-acl detailed command.

show acl url-acl detailed acl_name

Syntax Description

acl_name   Name of the access control list.

Command Default

None

Command History

Release    Modification
8.3        This command was introduced.

Examples

This example shows detailed information of a specific URL ACL profile:

(Cisco Controller) > show acl url-acl detailed

show acl summary

To display DNS-based ACL information, use the show acl summary command.

show acl summary

Syntax Description

summary    Displays DNS-based ACL information.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following is a sample output of the show acl summary command.

(Cisco Controller) > show acl summary

ACL Counter Status              Disabled
----------------------------------------
IPv4 ACL Name                    Applied
-------------------------------- -------
android                          No
StoreACL                         Yes
----------------------------------------
IPv6 ACL Name                    Applied
-------------------------------- -------

1

show acl url-acl summary

To display a summary of the URL ACL profiles, use the show acl url-acl summary command.

show acl url-acl summary

Syntax Description

summary    Displays URL ACL profiles information.

Command Default

None

Command History

Release    Modification
8.3        This command was introduced.

Examples

This example shows a summary of URL ACL profiles:

(Cisco Controller) > show acl summary

URL ACL Feature                 Disabled
ACL Counter Status              Enabled
----------------------------------------
URL ACL Name   Applied
-------------- -------
test           No

show advanced 802.11 channel

To display the automatic channel assignment configuration and statistics, use the show advanced 802.11 channel command.

show advanced 802.11{a | b} channel

Syntax Description

a          Specifies the 802.11a network.
b          Specifies the 802.11b/g network.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to display the automatic channel assignment configuration and statistics:

(Cisco Controller) > show advanced 802.11a channel

Automatic Channel Assignment

Channel Assignment Mode........................ AUTO

Channel Update Interval........................ 600 seconds [startup]

Anchor time (Hour of the day).................. 0

Channel Update Contribution.................... SNI.

Channel Assignment Leader...................... 00:1a:6d:dd:1e:40

Last Run....................................... 129 seconds ago

DCA Sensitivity Level: ...................... STARTUP (5 dB)

DCA Minimum Energy Limit....................... -95 dBm

Channel Energy Levels

Minimum...................................... unknown

Average...................................... unknown

Maximum...................................... unknown

Channel Dwell Times

Minimum...................................... unknown

Average...................................... unknown

Maximum...................................... unknown

Auto-RF Allowed Channel List................... 36,40,44,48,52,56,60,64,149,
............................................. 153,157,161
Auto-RF Unused Channel List.................... 100,104,108,112,116,132,136,
............................................. 140,165,190,196

DCA Outdoor AP option.......................... Enabled
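Captured show output can be turned into name/value pairs for configuration review. The following Python sketch is an added example, not part of the Cisco reference: it parses the dotted-leader lines used throughout these examples, including the dotted continuation lines seen in the channel lists above and values that have wrapped onto the next line, and compares the result with a baseline. The sample text and the BASELINE values are constructed for illustration and are not Cisco recommendations.

```python
import re

# Constructed sample: lines taken from the example outputs in this reference,
# with one value wrapped onto its own line and one dotted continuation line.
SAMPLE = """\
Probe request filtering.......................... Enabled
Probes fwd to controller per client per radio.... 12
Control Path Rate Limiting.......................
Disabled
Auto-RF Allowed Channel List................... 36,40,44,48,52,56,60,64,149,
............................................. 153,157,161
DCA Sensitivity Level: ...................... STARTUP (5 dB)
Max 802.1x session per AP at a given time........ 0
"""

# Hypothetical operator baseline (an assumption for this example only).
BASELINE = {
    "Probe request filtering": "Enabled",
    "Control Path Rate Limiting": "Enabled",
    "dot11-padding": "Disabled",
}

# "Name....... value": a name, a run of three or more dots, an optional value.
FIELD = re.compile(r"^(?P<key>\S.*?)\s*\.{3,}\s*(?P<value>.*)$")
# Continuation of the previous value: the line begins with the dot leader.
CONT = re.compile(r"^\.{3,}\s*(?P<value>.*)$")


def parse_show_output(text):
    """Return {name: value} for every dotted-leader line in captured output."""
    fields = {}
    last_key = None   # most recent field, target of continuation lines
    awaiting = None   # field whose value was empty on its own line
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        cont = CONT.match(line)
        if cont:
            # Must be tested before FIELD, which would read "." as a name.
            if last_key is not None:
                fields[last_key] += cont.group("value").strip()
            awaiting = None
            continue
        field = FIELD.match(line)
        if field:
            key = field.group("key").rstrip(" :")
            fields[key] = field.group("value").strip()
            last_key = key
            awaiting = key if not fields[key] else None
            continue
        if awaiting is not None:
            # Undotted line directly after an empty field: a wrapped value.
            fields[awaiting] = line
            awaiting = None
        # Any other undotted line is a heading or table row and is skipped.
    return fields


def audit(fields, baseline):
    """Return (name, expected, actual) for each setting that deviates."""
    findings = []
    for key, expected in baseline.items():
        actual = fields.get(key)
        if actual is None:
            findings.append((key, expected, "<missing>"))
        elif actual.lower() != expected.lower():
            findings.append((key, expected, actual))
    return findings


if __name__ == "__main__":
    parsed = parse_show_output(SAMPLE)
    for name, expected, actual in audit(parsed, BASELINE):
        print(f"{name}: expected {expected}, found {actual}")
```

A name with an empty value that is followed by an undotted heading would be read as a wrapped value, so review section headers such as "CPU Acl Name" by hand.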

show advanced 802.11 coverage

To display the configuration and statistics for coverage hole detection, use the show advanced 802.11 coverage command.

show advanced 802.11{a | b} coverage

Syntax Description

a          Specifies the 802.11a network.
b          Specifies the 802.11b/g network.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to display the statistics for coverage hole detection:

(Cisco Controller) > show advanced 802.11a coverage

Coverage Hole Detection

802.11a Coverage Hole Detection Mode........... Enabled

802.11a Coverage Voice Packet Count............ 100 packets

802.11a Coverage Voice Packet Percentage....... 50%

802.11a Coverage Voice RSSI Threshold.......... -80 dBm

802.11a Coverage Data Packet Count............. 50 packets

802.11a Coverage Data Packet Percentage........ 50%

802.11a Coverage Data RSSI Threshold........... -80 dBm

802.11a Global coverage exception level........ 25 %

802.11a Global client minimum exception lev.... 3 clients

show advanced 802.11 group

To display 802.11a or 802.11b Cisco radio RF grouping, use the show advanced 802.11 group command.

show advanced 802.11{a | b} group

Syntax Description

a          Specifies the 802.11a network.
b          Specifies the 802.11b/g network.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to display Cisco radio RF group settings:

(Cisco Controller) > show advanced 802.11a group

Radio RF Grouping

802.11a Group Mode................................... AUTO

802.11a Group Update Interval........................ 600 seconds

802.11a Group Leader................................. xx:xx:xx:xx:xx:xx

802.11a Group Member............................... xx:xx:xx:xx:xx:xx

802.11a Last Run..................................... 133 seconds ago

show advanced 802.11 l2roam

To display 802.11a or 802.11b/g Layer 2 client roaming information, use the show advanced 802.11 l2roam command.

show advanced 802.11{a | b} l2roam {rf-param | statistics} mac_address}

Syntax Description

a             Specifies the 802.11a network.
b             Specifies the 802.11b/g network.
rf-param      Specifies the Layer 2 frequency parameters.
statistics    Specifies the Layer 2 client roaming statistics.
mac_address   MAC address of the client.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following is a sample output of the show advanced 802.11b l2roam rf-param command:

(Cisco Controller) > show advanced 802.11b l2roam rf-param

L2Roam 802.11bg RF Parameters.....................

Config Mode.................................. Default

Minimum RSSI................................. -85

Roam Hysteresis.............................. 2

Scan Threshold............................... -72

Transition time.............................. 5

show advanced 802.11 logging

To display 802.11a or 802.11b RF event and performance logging, use the show advanced 802.11 logging command.

show advanced 802.11{a | b} logging

Syntax Description

a          Specifies the 802.11a network.
b          Specifies the 802.11b/g network.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to display 802.11b RF event and performance logging:

(Cisco Controller) > show advanced 802.11b logging

RF Event and Performance Logging

Channel Update Logging......................... Off

Coverage Profile Logging....................... Off

Foreign Profile Logging........................ Off

Load Profile Logging........................... Off

Noise Profile Logging.......................... Off

Performance Profile Logging.................... Off

TxPower Update Logging......................... Off

show advanced 802.11 monitor

To display the 802.11a or 802.11b default Cisco radio monitoring, use the show advanced 802.11 monitor command.

show advanced 802.11{a | b} monitor

Syntax Description

a          Specifies the 802.11a network.
b          Specifies the 802.11b/g network.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to display the radio monitoring for the 802.11b network:

(Cisco Controller) > show advanced 802.11b monitor

Default 802.11b AP monitoring

802.11b Monitor Mode........................... enable

802.11b Monitor Channels....................... Country channels

802.11b RRM Neighbor Discovery Type............ Transparent

802.11b AP Coverage Interval................... 180 seconds

802.11b AP Load Interval....................... 60 seconds

802.11b AP Noise Interval...................... 180 seconds

802.11b AP Signal Strength Interval............ 60 seconds

show advanced 802.11 optimized roaming

To display the optimized roaming configurations for 802.11a/b networks, use the show advanced 802.11 optimized roaming command.

show advanced 802.11 {a | b} optimized roaming [stats]

Syntax Description

stats      (Optional) Displays optimized roaming statistics for a 802.11a/b network.

Command Default

None

Command History

Release    Modification
8.0        This command was introduced.

Examples

The following example shows how to display the optimized roaming configurations for an 802.11a network:

(Cisco Controller) > show advanced 802.11a optimized roaming

OptimizedRoaming

802.11a OptimizedRoaming Mode.................. Enabled

802.11a OptimizedRoaming Reporting Interval.... 20 seconds

802.11a OptimizedRoaming Rate Threshold........ disabled

The following example shows how to display the optimized roaming statistics for an 802.11a network:

(Cisco Controller) > show advanced 802.11a optimized roaming stats

OptimizedRoaming Stats

802.11a OptimizedRoaming Disassociations....... 2

802.11a OptimizedRoaming Rejections............ 1

show advanced 802.11 profile

To display the 802.11a or 802.11b lightweight access point performance profiles, use the show advanced 802.11 profile command.

show advanced 802.11{a | b} profile {global | cisco_ap}

Syntax Description

a          Specifies the 802.11a network.
b          Specifies the 802.11b/g network.
global     Specifies all Cisco lightweight access points.
cisco_ap   Name of a specific Cisco lightweight access point.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to display the global configuration and statistics of an 802.11a profile:

(Cisco Controller) > show advanced 802.11 profile global

Default 802.11a AP performance profiles

802.11a Global Interference threshold.............. 10%

802.11a Global noise threshold..................... -70 dBm

802.11a Global RF utilization threshold............ 80%

802.11a Global throughput threshold................ 1000000 bps

802.11a Global clients threshold................... 12 clients

802.11a Global coverage threshold.................. 12 dB

802.11a Global coverage exception level............ 80%

802.11a Global client minimum exception lev........ 3 clients

The following example shows how to display the configuration and statistics of a specific access point profile:

(Cisco Controller) > show advanced 802.11 profile AP1

Cisco AP performance profile not customized

This response indicates that the performance profile for this lightweight access point is using the global defaults and has not been individually configured.

show advanced 802.11 receiver

To display the configuration and statistics of the 802.11a or 802.11b receiver, use the show advanced 802.11 receiver command.

show advanced 802.11{a | b} receiver

Syntax Description

a          Specifies the 802.11a network.
b          Specifies the 802.11b/g network.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to display the configuration and statistics of the 802.11a network settings:

(Cisco Controller) > show advanced 802.11 receiver

802.11a Receiver Settings

RxStart : Signal Threshold........................... 15

RxStart : Signal Lamp Threshold...................... 5

RxStart : Preamble Power Threshold................... 2

RxReStart : Signal Jump Status......................... Enabled

RxReStart : Signal Jump Threshold...................... 10

TxStomp : Low RSSI Status.............................. Enabled

TxStomp : Low RSSI Threshold........................... 30

TxStomp : Wrong BSSID Status........................... Enabled

TxStomp : Wrong BSSID Data Only Status................. Enabled

RxAbort : Raw Power Drop Status........................ Disabled

RxAbort : Raw Power Drop Threshold..................... 10

RxAbort : Low RSSI Status.............................. Disabled

RxAbort : Low RSSI Threshold........................... 0

RxAbort : Wrong BSSID Status........................... Disabled

RxAbort : Wrong BSSID Data Only Status................. Disabled

show advanced 802.11 summary

To display the 802.11a or 802.11b Cisco lightweight access point name, channel, and transmit level summary, use the show advanced 802.11 summary command.

show advanced 802.11{a | b} summary

Syntax Description

a          Specifies the 802.11a network.
b          Specifies the 802.11b/g network.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to display a summary of the 802.11b access point settings:

(Cisco Controller) > show advanced 802.11b summary

AP Name      MAC Address        Admin State  Operation State  Channel  TxPower
------------ ------------------ ------------ ---------------- -------- --------
CJ-1240      00:21:1b:ea:36:60  ENABLED      UP               161      1( )
CJ-1130      00:1f:ca:cf:b6:60  ENABLED      UP               56*      1(*)

Note

An asterisk (*) next to a channel number or power level indicates that it is being controlled by the global algorithm settings.

show advanced 802.11 txpower

To display the 802.11a or 802.11b automatic transmit power assignment, use the show advanced 802.11 txpower command.

show advanced 802.11{a | b} txpower

Syntax Description

a          Specifies the 802.11a network.
b          Specifies the 802.11b/g network.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to display the configuration and statistics of the 802.11b transmit power cost:

(Cisco Controller) > show advanced 802.11b txpower

Automatic Transmit Power Assignment

Transmit Power Assignment Mode.................. AUTO

Transmit Power Update Interval.................. 600 seconds

Transmit Power Threshold........................ -65 dBm

Transmit Power Neighbor Count................... 3 APs

Transmit Power Update Contribution.............. SN.

Transmit Power Assignment Leader................ xx:xx:xx:xx:xx:xx

Last Run........................................ 384 seconds ago

show advanced backup-controller

To display a list of primary and secondary backup WLCs, use the show advanced backup-controller command.

show advanced backup-controller

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to display the backup controller information:

(Cisco Controller) > show advanced backup-controller

AP primary Backup Controller .................... controller 10.10.10.10
AP secondary Backup Controller .................. 0.0.0.0

show advanced dot11-padding

To display the state of over-the-air frame padding on a wireless LAN controller, use the show advanced dot11-padding command.

show advanced dot11-padding

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to view the state of over-the-air frame padding:

(Cisco Controller) > show advanced dot11-padding

dot11-padding.................................... Disabled

show advanced hotspot

To display the advanced HotSpot parameters, use the show advanced hotspot command.

show advanced hotspot

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to display the advanced HotSpot parameters:

(Cisco Controller) > show advanced hotspot

ANQP 4-way state................................. Disabled

GARP Broadcast state: ........................... Enabled

GAS request rate limit .......................... Disabled

ANQP comeback delay in TUs(TU=1024usec).......... 50

show advanced max-1x-sessions

To display the maximum number of simultaneous 802.1X sessions allowed per access point, use the show advanced max-1x-sessions command.

show advanced max-1x-sessions

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to display the maximum 802.1X sessions per access point:

(Cisco Controller) > show advanced max-1x-sessions

Max 802.1x session per AP at a given time........ 0

show advanced probe

To display the number of probes sent to the Cisco WLC per access point per client and the probe interval in milliseconds, use the show advanced probe command.

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to display the probe settings for the WLAN controller:

(Cisco Controller) > show advanced probe

Probe request filtering.......................... Enabled

Probes fwd to controller per client per radio.... 12

Probe request rate-limiting interval............. 100 msec

show advanced rate

To display whether control path rate limiting is enabled or disabled, use the show advanced rate command.

show advanced rate

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to display the switch control path rate limiting mode:

(Cisco Controller) > show advanced rate

Control Path Rate Limiting....................... Disabled

show advanced timers

To display the mobility anchor, authentication response, and rogue access point entry timers, use the show advanced timers command.

show advanced timers

Syntax Description

This command has no arguments or keywords.

Command Default

The defaults are shown in the “Examples” section.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to display the system timers setting:

(Cisco Controller) > show advanced timers

Authentication Response Timeout (seconds)........ 10

Rogue Entry Timeout (seconds).................... 1200

AP Heart Beat Timeout (seconds).................. 30

AP Discovery Timeout (seconds)................... 10

AP Local mode Fast Heartbeat (seconds)........... disable

AP flexconnect mode Fast Heartbeat (seconds)........... disable

AP Primary Discovery Timeout (seconds)........... 120

show advanced client-handoff

To display the number of automatic client handoffs after retries, use the show advanced client-handoff command.

show advanced client-handoff

Syntax Description

This command has no arguments or keywords.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to display the client auto handoff mode after excessive retries:

(Cisco Controller) > show advanced client-handoff

Client auto handoff after retries................ 130

show advanced eap

To display Extensible Authentication Protocol (EAP) settings, use the show advanced eap command.

show advanced eap

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to display the EAP settings:

(Cisco Controller) > show advanced eap

EAP-Identity-Request Timeout (seconds)........... 1

EAP-Identity-Request Max Retries................. 20

EAP Key-Index for Dynamic WEP.................... 0

EAP Max-Login Ignore Identity Response........... enable

EAP-Request Timeout (seconds).................... 1

EAP-Request Max Retries.......................... 20

EAPOL-Key Timeout (milliseconds)................. 1000

EAPOL-Key Max Retries............................ 2

Related Commands

config advanced eap

config advanced timers eap-identity-request-delay

config advanced timers eap-timeout

show advanced send-disassoc-on-handoff

To display whether the WLAN controller disassociates clients after a handoff, use the show advanced send-disassoc-on-handoff command.

show advanced send-disassoc-on-handoff

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following is a sample output of the show advanced send-disassoc-on-handoff command:

(Cisco Controller) > show advanced send-disassoc-on-handoff

Send Disassociate on Handoff..................... Disabled

show advanced sip-preferred-call-no

To display the list of preferred call numbers, use the show advanced sip-preferred-call-no command.

show advanced sip-preferred-call-no

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following is a sample output of the show advanced sip-preferred-call-no command:

(Cisco Controller) > show advanced sip-preferred-call-no

Preferred Call Numbers List

Call Index    Preferred Call No
-----------   ------------------
1             911
2             100
3             101
4             102
5             103
6             104

show advanced sip-snooping-ports

To display the port range for call snooping, use the show advanced sip-snooping-ports command.

show advanced sip-snooping-ports

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following is a sample output of the show advanced sip-snooping-ports command:

(Cisco Controller) > show advanced sip-snooping-ports

SIP Call Snoop Ports: 1000 - 2000

show arp kernel

To display the kernel Address Resolution Protocol (ARP) cache information, use the show arp kernel command.

show arp kernel

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following is a sample output of the show arp kernel command:

(Cisco Controller) > show arp kernel

IP address    HW type    Flags    HW address           Mask    Device
192.0.2.1     0x1        0x2      00:1A:6C:2A:09:C2    *       dtl0
192.0.2.8     0x1        0x6      00:1E:E5:E6:DB:56    *       dtl0

show arp switch

To display the Cisco wireless LAN controller MAC addresses, IP addresses, and port types, use the show arp switch command.

show arp switch

Syntax Description

This command has no arguments or keywords.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following is a sample output of the show arp switch command:

(Cisco Controller) > show arp switch

MAC Address         IP Address       Port         VLAN Type
------------------- ---------------- ------------ ---- ------------------
xx:xx:xx:xx:xx:xx   xxx.xxx.xxx.xxx  service port
xx:xx:xx:xx:xx:xx   xxx.xxx.xxx.xxx  service port 1
xx:xx:xx:xx:xx:xx   xxx.xxx.xxx.xxx  service port

show ap auto-rf

To display the auto-RF settings for a Cisco lightweight access point, use the show ap auto-rf command.

show ap auto-rf 802.11{a | b} cisco_ap

Syntax Description

a           Specifies the 802.11a network.
b           Specifies the 802.11b/g network.
cisco_ap    Cisco lightweight access point name.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to display auto-RF information for an access point:

(Cisco Controller) > show ap auto-rf 802.11a AP1

Number Of Slots.................................. 2

AP Name.......................................... AP03

MAC Address...................................... 00:0b:85:01:18:b7

Radio Type..................................... RADIO_TYPE_80211a

Noise Information

Noise Profile................................ PASSED

Channel 36................................... -88 dBm

Channel 40................................... -86 dBm

Channel 44................................... -87 dBm

Channel 48................................... -85 dBm

Channel 52................................... -84 dBm

Channel 56................................... -83 dBm

Channel 60................................... -84 dBm

Channel 64................................... -85 dBm

Interference Information

Interference Profile......................... PASSED

Channel 36................................... -66 dBm @ 1% busy

Channel 40................................... -128 dBm @ 0% busy

Channel 44................................... -128 dBm @ 0% busy

Channel 48................................... -128 dBm @ 0% busy

Channel 52................................... -128 dBm @ 0% busy

Channel 56................................... -73 dBm @ 1% busy

Channel 60................................... -55 dBm @ 1% busy

Channel 64................................... -69 dBm @ 1% busy

Rogue Histogram (20/40_ABOVE/40_BELOW)

Channel 36................................... 16/ 0/ 0


Channel 40................................... 28/ 0/ 0

Channel 44................................... 9/ 0/ 0

Channel 48................................... 9/ 0/ 0

Channel 52................................... 3/ 0/ 0

Channel 56................................... 4/ 0/ 0

Channel 60................................... 7/ 1/ 0

Channel 64................................... 2/ 0/ 0

Load Information

Load Profile................................. PASSED

Receive Utilization.......................... 0%

Transmit Utilization......................... 0%

Channel Utilization.......................... 1%

Attached Clients............................. 1 clients

Coverage Information

Coverage Profile............................. PASSED

Failed Clients............................... 0 clients

Client Signal Strengths

RSSI -100 dBm................................ 0 clients

RSSI -92 dBm................................ 0 clients

RSSI -84 dBm................................ 0 clients

RSSI -76 dBm................................ 0 clients

RSSI -68 dBm................................ 0 clients

RSSI -60 dBm................................ 0 clients

RSSI -52 dBm................................ 0 clients

Client Signal To Noise Ratios

SNR 0 dBm................................. 0 clients

SNR 5 dBm................................. 0 clients

SNR 10 dBm................................. 0 clients

SNR 15 dBm................................. 0 clients

SNR 20 dBm................................. 0 clients

SNR 25 dBm................................. 0 clients

SNR 30 dBm................................. 0 clients

SNR 35 dBm................................. 0 clients

SNR 40 dBm................................. 0 clients

SNR 45 dBm................................. 0 clients

Nearby RADs

RAD 00:0b:85:01:05:08 slot 0................. -46 dBm on 10.1.30.170

RAD 00:0b:85:01:12:65 slot 0................. -24 dBm on 10.1.30.170

Channel Assignment Information

Current Channel Average Energy............... -86 dBm

Previous Channel Average Energy.............. -75 dBm

Channel Change Count......................... 109

Last Channel Change Time..................... Wed Sep 29 12:53e:34 2004

Recommended Best Channel..................... 44

RF Parameter Recommendations

Power Level.................................. 1

RTS/CTS Threshold............................ 2347

Fragmentation Threshold...................... 2346

Antenna Pattern.............................. 0

show ap ccx rm

To display an access point’s Cisco Client eXtensions (CCX) radio management status information, use the show ap ccx rm command.

show ap ccx rm ap_name status

Syntax Description

ap_name    Specified access point name.
status     Displays the CCX radio management status information for an access point.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to display the status of the CCX radio management:

(Cisco Controller) > show ap ccx rm AP1240-21ac status

A Radio

Channel Load Request ..................... Disabled

Noise Histogram Request .................. Disabled

Beacon Request ........................... Disabled

Frame Request ............................ Disabled

Interval ................................. 60

Iteration ................................ 10

G Radio

Channel Load Request ..................... Disabled

Noise Histogram Request .................. Disabled

Beacon Request ........................... Disabled

Frame Request ............................ Disabled

Interval ................................. 60

Iteration ................................ 10

show ap cdp

To display the Cisco Discovery Protocol (CDP) information for an access point, use the show ap cdp command.

show ap cdp {all | ap-name cisco_ap | neighbors {all | ap-name cisco_ap | detail cisco_ap}}

Syntax Description

all          Displays the CDP status on all access points.
ap-name      Displays the CDP status for a specified access point.
cisco_ap     Specified access point name.
neighbors    Displays neighbors using CDP.
detail       Displays details about a specific access point neighbor using CDP.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to display the CDP status of all access points:

(Cisco Controller) > show ap cdp all

AP CDP State

AP Name    AP CDP State
---------------------------
SB_RAP1    enable
SB_MAP1    enable
SB_MAP2    enable
SB_MAP3    enable

The following example shows how to display the CDP status of a specified access point:

(Cisco Controller) > show ap cdp ap-name SB_RAP1

AP CDP State

AP Name AP CDP State

---------------------------

AP CDP State.......................Enabled

AP Interface-Based CDP state

Ethernet 0.....................Enabled

Slot 0.........................Enabled

Slot 1.........................Enabled


The following example shows how to display details about all neighbors using CDP:

(Cisco Controller) > show ap cdp neighbor all

AP Name    AP IP              Neighbor Name    Neighbor IP        Neighbor Port
-----------------------------------------------------------------
SB_RAP1    192.168.102.154    sjc14-41a-sw1    192.168.102.2      GigabitEthernet1/0/13
SB_RAP1    192.168.102.154    SB_MAP1          192.168.102.137    Virtual-Dot11Radio0
SB_MAP1    192.168.102.137    SB_RAP1          192.168.102.154    Virtual-Dot11Radio0
SB_MAP1    192.168.102.137    SB_MAP2          192.168.102.138    Virtual-Dot11Radio0
SB_MAP2    192.168.102.138    SB_MAP1          192.168.102.137    Virtual-Dot11Radio1
SB_MAP2    192.168.102.138    SB_MAP3          192.168.102.139    Virtual-Dot11Radio0
SB_MAP3    192.168.102.139    SB_MAP2          192.168.102.138    Virtual-Dot11Radio1

The following example shows how to display details about a specific neighbor with a specified access point using CDP:

(Cisco Controller) > show ap cdp neighbors ap-name SB_MAP2

AP Name    AP IP              Neighbor Name    Neighbor IP        Neighbor Port
----------------------------------------------------------------
SB_MAP2    192.168.102.138    SB_MAP1          192.168.102.137    Virtual-Dot11Radio1
SB_MAP2    192.168.102.138    SB_MAP3          192.168.102.139    Virtual-Dot11Radio0

The following example shows how to display details about neighbors using CDP:

(Cisco Controller) > show ap cdp neighbors detail SB_MAP2

AP Name:SB_MAP2

AP IP address:192.168.102.138

-------------------------

Device ID: SB_MAP1

Entry address(es): 192.168.102.137

Platform: cisco AIR-LAP1522AG-A-K9 , Cap

Interface: Virtual-Dot11Radio0, Port ID (outgoing port): Virtual-Dot11Radio1

Holdtime : 180 sec

Version :

Cisco IOS Software, C1520 Software (C1520-K9W8-M), Experimental Version 12.4(200

81114:084420) [BLD-v124_18a_ja_throttle.20081114 208] Copyright (c) 1986-2008 by

Cisco Systems, Inc. Compiled Fri 14-Nov-08 23:08 by advertisement version: 2

-------------------------

Device ID: SB_MAP3

Entry address(es): 192.168.102.139

Platform: cisco AIR-LAP1522AG-A-K9 , Capabilities: Trans-Bridge

Interface: Virtual-Dot11Radio1, Port ID (outgoing port): Virtual-Dot11Radio0

Holdtime : 180 sec

Version :

Cisco IOS Software, C1520 Software (C1520-K9W8-M), Experimental Version 12.4(200

81114:084420) [BLD-v124_18a_ja_throttle.20081114 208] Copyright (c) 1986-2008 by

Cisco Systems, Inc. Compiled Fri 14-Nov-08 23:08 by advertisement version: 2

show ap channel

To display the available channels for a specific mesh access point, use the show ap channel command.

show ap channel ap_name

Syntax Description

ap_name    Name of the mesh access point.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to display the available channels for a particular access point:

(Cisco Controller) > show ap channel AP47

802.11b/g Current Channel ...........1

Allowed Channel List.....................1,2,3,4,5,6,7,8,9,10,11

802.11a Current Channel .................161

Allowed Channel List.....................36,40,44,48,52,56,60,64,100,

.........................................104,108,112,116,132,136,140,

.........................................149,153,157,161

show ap config

To display the detailed configuration for a lightweight access point, use the show ap config command.

show ap config 802.11{a | b} [summary] cisco_ap

Syntax Description

802.11a     Specifies the 802.11a or 802.11b/g network.
802.11b     Specifies the 802.11b/g network.
summary     (Optional) Displays radio summary of all APs.
cisco_ap    Lightweight access point name.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to display the detailed configuration for an access point:

(Cisco Controller) > show ap config 802.11a AP02

Cisco AP Identifier.............................. 0

Cisco AP Name.................................... AP02

Country code..................................... US - United States

Regulatory Domain allowed by Country............. 802.11bg:-A 802.11a:-A

AP Regulatory Domain............................. Unconfigured

Switch Port Number .............................. 1

MAC Address...................................... 00:0b:85:18:b6:50

IP Address Configuration......................... DHCP

IP Address....................................... 1.100.49.240

IP NetMask....................................... 255.255.255.0

Gateway IP Addr.................................. 1.100.49.1

CAPWAP Path MTU.................................. 1485

Telnet State..................................... Disabled

Ssh State........................................ Disabled

Cisco AP Location................................ default-location

Cisco AP Group Name.............................. default-group

Primary Cisco Switch............................. Cisco_32:ab:63

Primary Cisco Switch IP Address.................. Not Configured

Secondary Cisco Switch...........................

Secondary Cisco Switch IP Address................ Not Configured

Tertiary Cisco Switch............................

Tertiary Cisco Switch IP Address................. Not Configured

Administrative State ............................ ADMIN_ENABLED

Operation State ................................. REGISTERED

Mirroring Mode .................................. Disabled

AP Mode ........................................... Sniffer

Public Safety ..................................... Global: Disabled, Local: Disabled


AP SubMode ...................................... Not Configured

Remote AP Debug ................................. Disabled

Logging trap severity level ..................... informational

Logging syslog facility ......................... kern

S/W Version .................................... 7.0.110.6

Boot Version ................................... 12.4.18.0

Mini IOS Version ................................ 3.0.51.0

Stats Reporting Period .......................... 180

Stats Re--More-- or (q)uit

LED State........................................ Enabled

PoE Pre-Standard Switch.......................... Enabled

PoE Power Injector MAC Addr...................... Disabled

Power Type/Mode.................................. Power injector / Normal mode

Number Of Slots.................................. 2

AP Model......................................... AIR-LAP1142N-A-K9

AP Image......................................... C1140-K9W8-M

IOS Version...................................... 12.4(20100502:031212)

Reset Button..................................... Enabled

AP Serial Number................................. FTX1305S180

AP Certificate Type.............................. Manufacture Installed

AP User Mode..................................... AUTOMATIC

AP User Name..................................... Not Configured

AP Dot1x User Mode............................... Not Configured

AP Dot1x User Name............................... Not Configured

Cisco AP system logging host..................... 255.255.255.255

AP Up Time....................................... 47 days, 23 h 47 m 47 s

AP LWAPP Up Time................................. 47 days, 23 h 10 m 37 s

Join Date and Time............................... Tue May 4 16:05:00 2010

Join Taken Time.................................. 0 days, 00 h 01 m 37 s

Attributes for Slot 1

Radio Type................................... RADIO_TYPE_80211n-5

Radio Subband................................ RADIO_SUBBAND_ALL

Administrative State ........................ ADMIN_ENABLED

Operation State ............................. UP

Radio Role .................................. ACCESS

CellId ...................................... 0

Station Configuration

Configuration ............................. AUTOMATIC

Number Of WLANs ........................... 2

Medium Occupancy Limit .................... 100

CFP Period ................................ 4

CFP MaxDuration ........................... 60

BSSID ..................................... 00:24:97:88:99:60

Operation Rate Set

6000 Kilo Bits........................... MANDATORY

9000 Kilo Bits........................... SUPPORTED

12000 Kilo Bits.......................... MANDATORY

18000 Kilo Bits.......................... SUPPORTED

24000 Kilo Bits.......................... MANDATORY

36000 Kilo Bits.......................... SUPPORTED

48000 Kilo Bits.......................... SUPPORTED

54000 Kilo Bits.......................... SUPPORTED

MCS Set

MCS 0.................................... SUPPORTED

MCS 1.................................... SUPPORTED

MCS 2.................................... SUPPORTED

MCS 3.................................... SUPPORTED

MCS 4.................................... SUPPORTED

MCS 5.................................... SUPPORTED

MCS 6.................................... SUPPORTED

MCS 7.................................... SUPPORTED

MCS 8.................................... SUPPORTED

MCS 9.................................... SUPPORTED

MCS 10................................... SUPPORTED

MCS 11................................... SUPPORTED

MCS 12................................... SUPPORTED

MCS 13................................... SUPPORTED

MCS 14................................... SUPPORTED

MCS 15................................... SUPPORTED

Beacon Period ............................. 100

Fragmentation Threshold ................... 2346

Multi Domain Capability Implemented ....... TRUE

Multi Domain Capability Enabled ........... TRUE


Country String ............................ US

Multi Domain Capability

Configuration ............................. AUTOMATIC

First Chan Num ............................ 36

Number Of Channels ........................ 21

MAC Operation Parameters

Configuration ............................. AUTOMATIC

Fragmentation Threshold ................... 2346

Packet Retry Limit ........................ 64

Tx Power

Num Of Supported Power Levels ............. 6

Tx Power Level 1 .......................... 14 dBm

Tx Power Level 2 .......................... 11 dBm

Tx Power Level 3 .......................... 8 dBm

Tx Power Level 4 .......................... 5 dBm

Tx Power Level 5 .......................... 2 dBm

Tx Power Level 6 .......................... -1 dBm

Tx Power Configuration .................... AUTOMATIC

Current Tx Power Level .................... 0

Phy OFDM parameters

Configuration ............................. AUTOMATIC

Current Channel ........................... 36

Extension Channel ......................... NONE

Channel Width.............................. 20 Mhz

Allowed Channel List....................... 36,40,44,48,52,56,60,64,100,

......................................... 104,108,112,116,132,136,140,

......................................... 149,153,157,161,165

TI Threshold .............................. -50

Legacy Tx Beamforming Configuration ....... AUTOMATIC

Legacy Tx Beamforming ..................... DISABLED

Antenna Type............................... INTERNAL_ANTENNA

Internal Antenna Gain (in .5 dBi units).... 6

Diversity.................................. DIVERSITY_ENABLED

802.11n Antennas

Tx

A....................................... ENABLED

B....................................... ENABLED

Rx

A....................................... ENABLED

B....................................... ENABLED

C....................................... ENABLED

Performance Profile Parameters

Configuration ............................. AUTOMATIC

Interference threshold..................... 10 %

Noise threshold............................ -70 dBm

RF utilization threshold................... 80 %

Data-rate threshold........................ 1000000 bps

Client threshold........................... 12 clients

Coverage SNR threshold..................... 16 dB

Coverage exception level................... 25 %

Client minimum exception level............. 3 clients

Rogue Containment Information

Containment Count............................ 0

CleanAir Management Information

CleanAir Capable......................... No

Radio Extended Configurations:

Buffer size ……………………….30

Data-rate …………………………..0

Beacon strt ………………………..90 ms

Rx-Sensitivity SOP threshold ………….. -80 dB

CCA threshold ……………………. -60 dB
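The show ap config listing above uses a dotted-leader "Key..... Value" layout in which the same key (Administrative State, Operation State, Configuration) recurs under different headings, values can continue on leader-only lines, and pager text can land mid-listing. The following Python is an added example, not part of the Cisco reference: it parses raw terminal output in that layout and reports drift from a baseline. The function names, the constructed excerpt, and the BASELINE values are assumptions for illustration, not Cisco recommendations.

```python
import re

# "Key........ Value" line; a key never starts with a dot.
LEADER = re.compile(r"^(?P<key>[^.\s].*?)\s*\.{3,}\s*(?P<value>.*)$")
# Wrapped value: leader dots with no key in front (e.g. Allowed Channel List).
CONTINUATION = re.compile(r"^\.{3,}\s*(?P<value>.*)$")
# CLI prompt such as "(Cisco Controller) >".
PROMPT = re.compile(r"^\(.*\)\s*>")

# Constructed excerpt: field names and values copied from the sample output above.
SAMPLE = """\
(Cisco Controller) > show ap config 802.11a AP02
Cisco AP Name.................................... AP02
Telnet State..................................... Disabled
Ssh State........................................ Disabled
Secondary Cisco Switch...........................
Administrative State ............................ ADMIN_ENABLED
Operation State ................................. REGISTERED
AP Mode ........................................... Sniffer
Remote AP Debug ................................. Disabled
Stats Re--More-- or (q)uit
Attributes for Slot 1
Radio Type................................... RADIO_TYPE_80211n-5
Administrative State ........................ ADMIN_ENABLED
Operation State ............................. UP
Phy OFDM parameters
Current Channel ........................... 36
Allowed Channel List....................... 36,40,44,48,52,56,60,64,100,
......................................... 104,108,112,116,132,136,140,
......................................... 149,153,157,161,165
"""

# Assumed operator baseline for illustration only, keyed by (section, key).
BASELINE = {
    ("", "Telnet State"): "Disabled",
    ("", "Ssh State"): "Disabled",
    ("", "AP Mode"): "Local",
    ("", "Remote AP Debug"): "Disabled",
    ("Attributes for Slot 1", "Administrative State"): "ADMIN_ENABLED",
}


def parse_show_output(text):
    """Return {section: {key: value}}; top-level keys live under section ''."""
    parsed = {"": {}}
    section = ""
    last_key = None
    for raw in text.splitlines():
        line = raw.strip()
        # Skip blanks, the prompt/command echo, and pager residue.
        if not line or PROMPT.match(line) or "--More--" in line:
            continue
        cont = CONTINUATION.match(line)
        if cont:
            # Append a wrapped value to the key it belongs to.
            if last_key is not None:
                parsed[section][last_key] += cont.group("value").strip()
            continue
        kv = LEADER.match(line)
        if kv:
            last_key = kv.group("key").strip()
            parsed[section][last_key] = kv.group("value").strip()
            continue
        # A line with no leader dots opens a new section, which keeps
        # repeated key names from overwriting each other.
        section = line
        parsed.setdefault(section, {})
        last_key = None
    return parsed


def audit(parsed, baseline):
    """Return (section, key, expected, actual) for each baseline mismatch.

    actual is None when the key is absent from the parsed output.
    """
    findings = []
    for (section, key), expected in sorted(baseline.items()):
        actual = parsed.get(section, {}).get(key)
        if actual is None or actual.lower() != expected.lower():
            findings.append((section, key, expected, actual))
    return findings


if __name__ == "__main__":
    for section, key, expected, actual in audit(parse_show_output(SAMPLE), BASELINE):
        where = section or "top level"
        print(f"[{where}] {key}: expected {expected!r}, found {actual!r}")
```

The parser assumes raw terminal output in which each value sits on the same line as its key; text copied from a PDF with values split onto their own lines needs rejoining first.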

The following example shows how to display the detailed configuration for another access point:

(Cisco Controller) > show ap config 802.11b AP02

Cisco AP Identifier.............................. 0

Cisco AP Name.................................... AP02

AP Regulatory Domain............................. Unconfigured

Switch Port Number .............................. 1

MAC Address...................................... 00:0b:85:18:b6:50

IP Address Configuration......................... DHCP


IP Address....................................... 1.100.49.240

IP NetMask....................................... 255.255.255.0

Gateway IP Addr.................................. 1.100.49.1

Cisco AP Location................................ default-location

Cisco AP Group Name.............................. default-group

Primary Cisco Switch............................. Cisco_32:ab:63

Secondary Cisco Switch...........................

Tertiary Cisco Switch............................

Administrative State ............................ ADMIN_ENABLED

Operation State ................................. REGISTERED

Mirroring Mode .................................. Disabled

AP Mode ......................................... Local

Remote AP Debug ................................. Disabled

S/W Version .................................... 3.1.61.0

Boot Version ................................... 1.2.59.6

Stats Reporting Period .......................... 180

LED State........................................ Enabled

ILP Pre Standard Switch.......................... Disabled

ILP Power Injector............................... Disabled

Number Of Slots.................................. 2

AP Model......................................... AS-1200

AP Serial Number................................. 044110223A

AP Certificate Type.............................. Manufacture Installed

Attributes for Slot 1

Radio Type................................... RADIO_TYPE_80211g

Administrative State ........................ ADMIN_ENABLED

Operation State ............................. UP

CellId ...................................... 0

Station Configuration

Configuration ............................. AUTOMATIC

Number Of WLANs ........................... 1

Medium Occupancy Limit .................... 100

CFP Period ................................ 4

CFP MaxDuration ........................... 60

BSSID ..................................... 00:0b:85:18:b6:50

Operation Rate Set

1000 Kilo Bits........................... MANDATORY

2000 Kilo Bits........................... MANDATORY

5500 Kilo Bits........................... MANDATORY

11000 Kilo Bits.......................... MANDATORY

6000 Kilo Bits........................... SUPPORTED

9000 Kilo Bits........................... SUPPORTED

12000 Kilo Bits.......................... SUPPORTED

18000 Kilo Bits.......................... SUPPORTED

24000 Kilo Bits.......................... SUPPORTED

36000 Kilo Bits.......................... SUPPORTED

48000 Kilo Bits.......................... SUPPORTED

54000 Kilo Bits.......................... SUPPORTED

Beacon Period ............................. 100

DTIM Period ............................... 1

Fragmentation Threshold ................... 2346

Multi Domain Capability Implemented ....... TRUE

Multi Domain Capability Enabled ........... TRUE

Country String ............................ US

Multi Domain Capability

Configuration ............................. AUTOMATIC

First Chan Num ............................ 1

Number Of Channels ........................ 11

MAC Operation Parameters

Configuration ............................. AUTOMATIC

RTS Threshold ............................. 2347

Short Retry Limit ......................... 7

Long Retry Limit .......................... 4

Fragmentation Threshold ................... 2346

Maximum Tx MSDU Life Time ................. 512

Maximum Rx Life Time....................... 512

Tx Power

Num Of Supported Power Levels.............. 5

Tx Power Level 1 .......................... 17 dBm

Tx Power Level 2........................... 14 dBm

Tx Power Level 3........................... 11 dBm

Tx Power Level 4........................... 8 dBm

Tx Power Level 5........................... 5 dBm


Tx Power Configuration..................... CUSTOMIZED

Current Tx Power Level..................... 5

Phy OFDM parameters

Configuration.............................. CUSTOMIZED

Current Channel............................ 1

TI Threshold............................... -50

Legacy Tx Beamforming Configuration ....... CUSTOMIZED

Legacy Tx Beamforming ..................... ENABLED

Antenna Type............................... INTERNAL_ANTENNA

Internal Antenna Gain (in5 dBm units)...... 11

Diversity.................................. DIVERSITY_ENABLED

Performance Profile Parameters

Configuration.............................. AUTOMATIC

Interference threshold..................... 10%

Noise threshold............................ -70 dBm

RF utilization threshold................... 80%

Data-rate threshold........................ 1000000 bps

Client threshold........................... 12 clients

Coverage SNR threshold..................... 12 dB

Coverage exception level................... 25%

Client minimum exception level............. 3 clients

Rogue Containment Information

Containment Count............................ 0

The following example shows how to display the general configuration of a Cisco access point:

(Cisco Controller) > show ap config general cisco-ap

Cisco AP Identifier.............................. 9

Cisco AP Name.................................... cisco-ap

Country code..................................... US - United States

Regulatory Domain allowed by Country............. 802.11bg:-A 802.11a:-A

AP Country code.................................. US - United States

AP Regulatory Domain............................. 802.11bg:-A 802.11a:-A

Switch Port Number .............................. 1

MAC Address...................................... 12:12:12:12:12:12

IP Address Configuration......................... DHCP

IP Address....................................... 10.10.10.21

IP NetMask....................................... 255.255.255.0

CAPWAP Path MTU.................................. 1485

Domain...........................................

Name Server......................................

Telnet State..................................... Disabled

Ssh State........................................ Disabled

Cisco AP Location................................ default location

Cisco AP Group Name.............................. default-group

Primary Cisco Switch Name........................ 4404

Primary Cisco Switch IP Address.................. 10.10.10.32

Secondary Cisco Switch Name......................

Secondary Cisco Switch IP Address................ Not Configured

Tertiary Cisco Switch Name....................... 4404

Tertiary Cisco Switch IP Address................. 3.3.3.3

Administrative State ............................ ADMIN_ENABLED

Operation State ................................. REGISTERED

Mirroring Mode .................................. Disabled

AP Mode ......................................... Local

Public Safety ................................... Global: Disabled, Local: Disabled

AP subMode ...................................... WIPS

Remote AP Debug ................................. Disabled

S/W Version .................................... 5.1.0.0

Boot Version ................................... 12.4.10.0

Mini IOS Version ................................ 0.0.0.0

Stats Reporting Period .......................... 180

LED State........................................ Enabled

PoE Pre-Standard Switch.......................... Enabled

PoE Power Injector MAC Addr...................... Disabled

Power Type/Mode.................................. PoE/Low Power (degraded mode)

Number Of Slots.................................. 2

AP Model......................................... AIR-LAP1252AG-A-K9

IOS Version...................................... 12.4(10:0)

Reset Button..................................... Enabled

AP Serial Number................................. serial_number

AP Certificate Type.............................. Manufacture Installed


Management Frame Protection Validation........... Enabled (Global MFP Disabled)

AP User Mode..................................... CUSTOMIZED

AP username..................................... maria

AP Dot1x User Mode............................... Not Configured

AP Dot1x username............................... Not Configured

Cisco AP system logging host..................... 255.255.255.255

AP Up Time....................................... 4 days, 06 h 17 m 22 s

AP LWAPP Up Time................................. 4 days, 06 h 15 m 00 s

Join Date and Time............................... Mon Mar 3 06:19:47 2008

Ethernet Port Duplex............................. Auto

Ethernet Port Speed.............................. Auto

AP Link Latency.................................. Enabled

Current Delay................................... 0 ms

Maximum Delay................................... 240 ms

Minimum Delay................................... 0 ms

Last updated (based on AP Up Time).............. 4 days, 06 h 17 m 20 s

Rogue Detection.................................. Enabled

AP TCP MSS Adjust................................ Disabled

Mesh preferred parent............................ 00:24:13:0f:92:00

show ap config general

To display the access point specific syslog server settings for all access points, use the show ap config general command.

show ap config general

Syntax Description

This command has no arguments or keywords.

Command History

Release    Modification
8.0        This command was introduced in Release 8.0.

Examples

The following example shows how to display AP specific server settings:

ap_console > show ap config general APc89c.1d53.6799

Cisco AP Identifier.............................. 76

Cisco AP Name.................................... APc89c.1d53.6799

Country code..................................... Multiple Countries:IN,JP,US

Regulatory Domain allowed by Country............. 802.11bg:-AJPU 802.11a:-AJN

AP Country code.................................. US - United States

AP Regulatory Domain............................. 802.11bg:-A 802.11a:-A

Switch Port Number .............................. 1

MAC Address...................................... c8:9c:1d:53:67:99

IP Address Configuration......................... DHCP

IP Address....................................... 10.8.77.103

IP NetMask....................................... 255.255.255.0

Gateway IP Addr.................................. 10.8.77.1

NAT External IP Address.......................... None

CAPWAP Path MTU.................................. 1485

Telnet State..................................... Globally Disabled

Ssh State........................................ Globally Disabled

Cisco AP Location................................ default location

Cisco AP Floor Label............................. 0

Cisco AP Group Name.............................. apGroup2

Primary Cisco Switch Name........................

Primary Cisco Switch IP Address.................. Not Configured

Secondary Cisco Switch Name......................

Secondary Cisco Switch IP Address................ Not Configured

Tertiary Cisco Switch Name.......................

Tertiary Cisco Switch IP Address................. Not Configured

Administrative State ............................ ADMIN_ENABLED

Operation State ................................. REGISTERED

Mirroring Mode .................................. Disabled

AP Mode ......................................... Local

Public Safety ................................... Disabled

AP SubMode ...................................... Not Configured

Remote AP Debug ................................. Disabled

Logging trap severity level ..................... informational

Logging syslog facility ......................... system

S/W Version .................................... 8.0.72.132

Boot Version ................................... 12.4.23.0

Mini IOS Version ................................ 3.0.51.0

Stats Reporting Period .......................... 180

Stats Collection Mode ........................... normal

LED State........................................ Enabled

PoE Pre-Standard Switch.......................... Disabled

PoE Power Injector MAC Addr...................... Disabled

Power Type/Mode.................................. PoE/Full Power

Number Of Slots.................................. 2


AP Model......................................... AIR-LAP1142N-A-K9

AP Image......................................... C1140-K9W8-M

IOS Version...................................... 15.3(20140302:180954)$

Reset Button..................................... Enabled

AP Serial Number................................. FGL1510S3VZ

AP Certificate Type.............................. Manufacture Installed

AP User Mode..................................... AUTOMATIC

AP User Name..................................... cisco

AP Dot1x User Mode............................... Not Configured

AP Dot1x User Name............................... Not Configured

Cisco AP system logging host..................... 255.255.255.255

AP Up Time....................................... 0 days, 18 h 43 m 35 s

AP LWAPP Up Time................................. 0 days, 18 h 42 m 23 s

Join Date and Time............................... Wed Mar 5 07:26:07 2014

Join Taken Time.................................. 0 days, 00 h 01 m 11 s

Memory Type...................................... DDR3

Memory Size...................................... 98294 KBytes

CPU Type......................................... PowerPC405ex CPU at 586Mhz, revision number 0x147E

Flash Type....................................... Onboard Flash

Flash Size....................................... 31374 KBytes

GPS Present...................................... NO

Ethernet Vlan Tag................................ Disabled

Ethernet Port Duplex............................. Auto

Ethernet Port Speed.............................. Auto

AP Link Latency.................................. Disabled

Rogue Detection.................................. Enabled

AP TCP MSS Adjust................................ Disabled

Hotspot Venue Group.............................. Unspecified

Hotspot Venue Type............................... Unspecified

DNS server IP ............................. Not Available
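The dotted-leader output above can be audited mechanically. The following Python sketch is an added example, not part of the Cisco reference: it parses show ap config general output into fields and checks three of them against an assumed hardening policy (Telnet disabled, a unicast syslog host rather than the limited-broadcast address 255.255.255.255, rogue detection enabled). The function names, finding labels, policy, and second sample are constructed for illustration.

```python
import ipaddress
import re

# "Label....... value": a label, a run of three or more leader dots, then an
# optional value (unset fields such as "Primary Cisco Switch Name" are blank).
LINE_RE = re.compile(r"^\s*(?P<key>.*?\S)\s*\.{3,}[ \t]*(?P<value>.*?)\s*$")
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")


def parse_dotted(output):
    """Map each label (lower-cased, whitespace collapsed) to its value.

    Labels are normalised because their case varies between the page's
    samples ("AP subMode" vs "AP SubMode"). A repeated label keeps the
    last value seen.
    """
    fields = {}
    for line in output.splitlines():
        match = LINE_RE.match(line)
        if match:
            key = " ".join(match.group("key").lower().split())
            fields[key] = match.group("value")
    return fields


def audit_ap(output):
    """Return the assumed-policy findings for one AP's output."""
    fields = parse_dotted(output)
    findings = []

    # "Disabled" and "Globally Disabled" both pass; anything else is
    # flagged, including a missing line.
    if "disabled" not in fields.get("telnet state", "").lower():
        findings.append("telnet-not-disabled")

    host = fields.get("cisco ap system logging host", "")
    try:
        address = ipaddress.ip_address(host)
    except ValueError:
        findings.append("syslog-host-missing")
    else:
        if address == LIMITED_BROADCAST or address.is_unspecified:
            findings.append("syslog-host-not-unicast")

    if fields.get("rogue detection", "").lower() != "enabled":
        findings.append("rogue-detection-not-enabled")

    return findings


# Lines taken from the page's show ap config general sample (trimmed).
SAMPLE_FROM_PAGE = """\
Cisco AP Name.................................... APc89c.1d53.6799
IP Address....................................... 10.8.77.103
Telnet State..................................... Globally Disabled
Ssh State........................................ Globally Disabled
Primary Cisco Switch Name........................
Primary Cisco Switch IP Address.................. Not Configured
S/W Version .................................... 8.0.72.132
Cisco AP system logging host..................... 255.255.255.255
Rogue Detection.................................. Enabled
"""

# Constructed sample (not from the page) that violates the assumed policy.
SAMPLE_CONSTRUCTED = """\
Cisco AP Name.................................... lab-ap-01
Telnet State..................................... Enabled
Cisco AP system logging host..................... 10.8.77.50
Rogue Detection.................................. Disabled
"""

if __name__ == "__main__":
    for sample in (SAMPLE_FROM_PAGE, SAMPLE_CONSTRUCTED):
        name = parse_dotted(sample).get("cisco ap name", "<unknown>")
        print(name, audit_ap(sample) or "no findings")
```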

show ap config global

To display the global syslog server settings for all access points that join the controller, use the show ap config global command.

show ap config global

Syntax Description

This command has no arguments or keywords.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to display global syslog server settings:

(Cisco Controller) > show ap config global

AP global system logging host.............................. 255.255.255.255

show ap core-dump

To display the memory core dump information for a lightweight access point, use the show ap core-dump command.

show ap core-dump cisco_ap

Syntax Description

cisco_ap    Cisco lightweight access point name.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to display memory core dump information:

(Cisco Controller) > show ap core-dump AP02

Memory core dump is disabled.

show ap crash-file

To display the list of both crash and radio core dump files generated by lightweight access points, use the show ap crash-file command.

show ap crash-file

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to display the crash file generated by the access point:

(Cisco Controller) > show ap crash-file

show ap data-plane

To display the data plane status for all access points or a specific access point, use the show ap data-plane command.

show ap data-plane {all | cisco_ap}

Syntax Description

all         Specifies all Cisco lightweight access points.
cisco_ap    Name of a Cisco lightweight access point.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to display the data plane status of all access points:

(Cisco Controller) > show ap data-plane all

           Min Data      Data          Max Data      Last
AP Name    Round Trip    Round Trip    Round Trip    Update
--------------------------------------------------------------
1130       0.000s        0.000s        0.002s        18:51:23
1240       0.000s        0.000s        0.000s        18:50:45

show ap dtls-cipher-suite

To display the DTLS cipher suite information, use the show ap dtls-cipher-suite command.

show ap dtls-cipher-suite

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release    Modification
8.0        This command was introduced.

Examples

The following example shows how to display DTLS cipher suite information:

(Cisco Controller) > show ap dtls-cipher-suite

DTLS Cipher Suite................................ RSA-AES256-SHA

show ap ethernet tag

To display the VLAN tagging information of an Ethernet interface, use the show ap ethernet tag command.

show ap ethernet tag {summary | cisco_ap}

Syntax Description

summary     Displays the VLAN tagging information for all access points associated to the controller.
cisco_ap    Name of the Cisco lightweight access point. Displays the VLAN tagging information for a specific access point associated to the controller.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

If the access point is unable to route traffic or reach the controller using the specified trunk VLAN, it falls back to the untagged configuration. If the access point joins the controller using this fallback configuration, the controller sends a trap to a trap server such as the WCS, which indicates the failure of the trunk VLAN.

In this scenario, the "Failover to untagged" message appears in show command output.

Examples

The following example shows how to display the VLAN tagging information for all access points associated to the controller:

(Cisco Controller) > show ap ethernet tag summary

AP Name             Vlan Tag Configuration
------------------------
AP2                 7 (Failover to untagged)
charan.AP1140.II    disabled

show ap eventlog

To display the contents of the event log file for an access point that is joined to the controller, use the show ap eventlog command.

show ap eventlog ap_name

Syntax Description

ap_name    Event log for the specified access point.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to display the event log of an access point:

(Cisco Controller) > show ap eventlog ciscoAP

AP event log download has been initiated

Waiting for download to complete

AP event log download completed.

======================= AP Event log Contents =====================

*Feb 13 11:54:17.146: %CAPWAP-3-CLIENTEVENTLOG: AP event log has been cleared from the contoller 'admin'

*Feb 13 11:54:32.874: *** Access point reloading. Reason: Reload Command ***

*Mar 1 00:00:39.134: %CDP_PD-4-POWER_OK: Full power - NEGOTIATED inline power source

*Mar 1 00:00:39.174: %LINK-3-UPDOWN: Interface Dot11Radio1, changed state to up

*Mar 1 00:00:39.211: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up

*Mar 1 00:00:49.947: %CAPWAP-3-CLIENTEVENTLOG: Did not get vendor specific options from DHCP.

...

show ap flexconnect

To view the details of APs in FlexConnect mode, use the show ap flexconnect command.

show ap flexconnect module-vlan ap-name

Syntax Description

module-vlan    Displays the status of FlexConnect local switching and VLAN ID value.
ap-name        Cisco AP name.

Command History

Release    Modification
8.1        This command was introduced.

show ap image

To display the detailed information about the predownloaded image for specified access points, use the show ap image command.

show ap image {cisco_ap | all}

Syntax Description

cisco_ap    Name of the lightweight access point.
all         Specifies all access points.

Note: If you have an AP that has the name all, it conflicts with the keyword all that specifies all access points. In this scenario, the keyword all takes precedence over the AP that is named all.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

show ap inventory

To display inventory information for an access point, use the show ap inventory command.

show ap inventory {ap-name | all}

Syntax Description

ap-name    Inventory for the specified AP.
all        Inventory for all the APs.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to display the inventory of an access point:

(Cisco Controller) > show ap inventory test101

NAME: "test101" , DESCR: "Cisco Wireless Access Point"

PID: AIR-LAP1131AG-A-K9 , VID: V01, SN: FTX1123T2XX

show ap join stats detailed

To display all join-related statistics collected for a specific access point, use the show ap join stats detailed command.

show ap join stats detailed ap_mac

Syntax Description

ap_mac    Access point Ethernet MAC address or the MAC address of the 802.11 radio interface.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to display join information for a specific access point trying to join the controller:

(Cisco Controller) > show ap join stats detailed 00:0b:85:02:0d:20

Discovery phase statistics

- Discovery requests received.......................... 2

- Successful discovery responses sent.................. 2

- Unsuccessful discovery request processing............ 0

- Reason for last unsuccessful discovery attempt....... Not applicable

- Time at last successful discovery attempt............ Aug 21 12:50:23:335

- Time at last unsuccessful discovery attempt.......... Not applicable

Join phase statistics

- Join requests received............................... 1

- Successful join responses sent....................... 1

- Unsuccessful join request processing................. 1

- Reason for last unsuccessful join attempt.............RADIUS authorization is pending for the AP

- Time at last successful join attempt................. Aug 21 12:50:34:481

- Time at last unsuccessful join attempt............... Aug 21 12:50:34:374

Configuration phase statistics

- Configuration requests received...................... 1

- Successful configuration responses sent.............. 1

- Unsuccessful configuration request processing........ 0

- Reason for last unsuccessful configuration attempt... Not applicable

- Time at last successful configuration attempt........ Aug 21 12:50:34:374

- Time at last unsuccessful configuration attempt...... Not applicable

Last AP message decryption failure details

- Reason for last message decryption failure........... Not applicable

Last AP disconnect details

- Reason for last AP connection failure................ Not applicable

Last join error summary

- Type of error that occurred last..................... Lwapp join request rejected

- Reason for error that occurred last.................. RADIUS authorization is pending for the AP


- Time at which the last join error occurred........... Aug 21 12:50:34:374

show ap join stats summary

To display the last join error detail for a specific access point, use the show ap join stats summary command.

show ap join stats summary ap_mac

Syntax Description

ap_mac    Access point Ethernet MAC address or the MAC address of the 802.11 radio interface.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

To obtain the MAC address of the 802.11 radio interface, enter the show interface command on the access point.

Examples

The following example shows how to display specific join information for an access point:

(Cisco Controller) > show ap join stats summary 00:0b:85:02:0d:20

Is the AP currently connected to controller.......................... No

Time at which the AP joined this controller last time................ Aug 21 12:50:36:061

Type of error that occurred last..................................... Lwapp join request rejected

Reason for error that occurred last.................................. RADIUS authorization is pending for the AP

Time at which the last join error occurred........................... Aug 21 12:50:34:374

show ap join stats summary all

To display the MAC addresses of all the access points that are joined to the controller or that have tried to join, use the show ap join stats summary all command.

show ap join stats summary all

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to display a summary of join information for all access points:

(Cisco Controller) > show ap join stats summary all

Number of APs.............................................. 4

Base Mac             AP EthernetMac       AP Name    IP Address       Status
00:0b:85:57:bc:c0    00:0b:85:57:bc:c0    AP1130     10.10.163.217    Joined
00:1c:0f:81:db:80    00:1c:63:23:ac:a0    AP1140     10.10.163.216    Not joined
00:1c:0f:81:fc:20    00:1b:d5:9f:7d:b2    AP1        10.10.163.215    Joined
00:21:1b:ea:36:60    00:0c:d4:8a:6b:c1    AP2        10.10.163.214    Not joined

show ap led-state

To view the LED state of all access points or a specific access point, use the show ap led-state command.

show ap led-state {all | cisco_ap}

Syntax Description

all         Shows the LED state for all access points.
cisco_ap    Name of the access point whose LED state is to be shown.

Command Default

The AP LED state is enabled.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to get the LED state of all access points:

(Cisco Controller) > show ap led-state all

Global LED State: Enabled (default)

show ap led-flash

To display the LED flash status of an access point, use the show ap led-flash command.

show ap led-flash cisco_ap

Syntax Description

cisco_ap    Enter the name of the Cisco AP.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to display the LED flash status of an access point:

(Cisco Controller) > show ap led-flash

show ap link-encryption

To display the MAC addresses of all the access points that are joined to the controller or that have tried to join, use the show ap link-encryption command.

show ap link-encryption {all | cisco_ap}

Syntax Description

all         Specifies all access points.
cisco_ap    Name of the lightweight access point.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to display the link encryption status of all access points:

(Cisco Controller) > show ap link-encryption all

           Encryption    Dnstream    Upstream    Last
AP Name    State         Count       Count       Update
---------------------------------------
1240       Dis           4406        237553      Never
1130       En            2484        276308      19:31

show ap max-count summary

To display the maximum number of access points supported by the Cisco WLC, use the show ap max-count summary command.

show ap max-count summary

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release    Modification
7.5        This command was introduced.

Examples

The following is a sample output of the show ap max-count summary command:

(Cisco Controller) > show ap max-count

The max number of AP's supported................. 500

show ap monitor-mode summary

To display the current channel-optimized monitor mode settings, use the show ap monitor-mode summary command.

show ap monitor-mode summary

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to display current channel-optimized monitor mode settings:

(Cisco Controller) > show ap monitor-mode summary

AP Name    Ethernet MAC         Status      Scanning Channel List
---------------------------- ----------------------
AP_004     xx:xx:xx:xx:xx:xx    Tracking    1, 6, 11, 4

show ap module summary

To view detailed information about the external module, for a specific Cisco AP or for all Cisco APs, use the show ap module summary command.

show ap module summary {ap-name | all}

Syntax Description

ap-name    Cisco AP name that has the external module.
all        All Cisco APs that have the external module.

Command History

Release    Modification
8.1        This command was introduced.

show ap packet-dump status

To display access point Packet Capture configurations, use the show ap packet-dump status command.

show ap packet-dump status

Syntax Description

This command has no arguments or keywords.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

Packet Capture does not work during intercontroller roaming.

The controller does not capture packets created in the radio firmware and sent out of the access point, such as the beacon or probe response. Only packets that flow through the Radio driver in the Tx path are captured.

Examples

The following example shows how to display the access point Packet Capture configurations:

(Cisco Controller) > show ap packet-dump status

Packet Capture Status............................ Stopped

FTP Server IP Address............................ 0.0.0.0

FTP Server Path..................................

FTP Server Username..............................

FTP Server Password.............................. ********

Buffer Size for Capture.......................... 2048 KB

Packet Capture Time.............................. 45 Minutes

Packet Truncate Length........................... Unspecified

Packet Capture Classifier........................ None

show ap prefer-mode stats

To view prefer-mode global and per AP group statistics, use the show ap prefer-mode stats command.

show ap prefer-mode stats

Syntax Description

stats    Displays prefer-mode global and per AP group statistics.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

show ap retransmit

To display access point control packet retransmission parameters, use the show ap retransmit command.

show ap retransmit {all | cisco_ap}

Syntax Description

all         Specifies all access points.
cisco_ap    Name of the access point.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to display the control packet retransmission parameters of all access points on a network:

(Cisco Controller) > show ap retransmit all

Global control packet retransmit interval: 3 (default)

Global control packet retransmit count: 5 (default)

AP Name Retransmit Interval Retransmit count

------------------------------------------------------

AP_004 3 (default) 5 (WLC default),5 (AP default)

show ap stats

To display the statistics for a Cisco lightweight access point, use the show ap stats command.

show ap stats {802.11{a | b} | wlan | ethernet summary} cisco_ap [tsm {client_mac | all}]

Syntax Description

802.11a

802.11b

wlan ethernet summary

cisco_ap

tsm

client_mac

all

Specifies the 802.11a network

Specifies the 802.11b/g network.

Specifies WLAN statistics.

Specifies AP ethernet interface statistics.

Displays ethernet interface summary of all the connected

Cisco access points.

Name of the lightweight access point.

(Optional) Specifies the traffic stream metrics.

(Optional) MAC address of the client.

(Optional) Specifies all access points.

Command Default

None

Command History

Release

7.6

8.0

Modification

This command was introduced in a release earlier than

Release 7.6.

This command was modified. The OEAP WMM

Counters were added to the output.

Examples

The following example shows how to display statistics of an access point for the 802.11b network:

(Cisco Controller) > show ap stats 802.11a Ibiza

Number Of Slots.................................. 2

AP Name.......................................... Ibiza

MAC Address...................................... 44:2b:03:9a:8a:73

Radio Type....................................... RADIO_TYPE_80211a

Stats Information

Number of Users................................ 0

TxFragmentCount................................ 84628


MulticastTxFrameCnt............................ 84628

FailedCount.................................... 0

RetryCount..................................... 0

MultipleRetryCount............................. 0

FrameDuplicateCount............................ 0

RtsSuccessCount................................ 1

RtsFailureCount................................ 0

AckFailureCount................................ 0

RxIncompleteFragment........................... 0

MulticastRxFrameCnt............................ 0

FcsErrorCount.................................. 20348857

TxFrameCount................................... 84628

WepUndecryptableCount.......................... 19907

TxFramesDropped................................ 0

OEAP WMM Stats :

Best Effort:

Tx Frame Count............................... 0

Tx Failed Frame Count........................ 0

Tx Expired Count............................. 0

Tx Overflow Count............................ 0

Tx Queue Count............................... 0

Tx Queue Max Count........................... 0

Rx Frame Count............................... 0

Rx Failed Frame Count........................ 0

Background:

Tx Frame Count............................... 0

Tx Failed Frame Count........................ 0

Tx Expired Count............................. 0

Tx Overflow Count............................ 0

Tx Queue Count............................... 0

Tx Queue Max Count........................... 0

Rx Frame Count............................... 0

Rx Failed Frame Count........................ 0

Video:

Tx Frame Count............................... 0

Tx Failed Frame Count........................ 0

Tx Expired Count............................. 0

Tx Overflow Count............................ 0

Tx Queue Count............................... 0

Tx Queue Max Count........................... 0

Rx Frame Count............................... 0

Rx Failed Frame Count........................ 0

Voice:

Tx Frame Count............................... 0

Tx Failed Frame Count........................ 0

Tx Expired Count............................. 0

Tx Overflow Count............................ 0

Tx Queue Count............................... 0

Tx Queue Max Count........................... 0

Rx Frame Count............................... 0

Rx Failed Frame Count........................ 0

Rate Limiting Stats:

Wlan 1:

Number of Data Packets Received.............. 592

Number of Data Rx Packets Dropped............ 160

Number of Data Bytes Received................ 160783

Number of Data Rx Bytes Dropped.............. 0

Number of Realtime Packets Received.......... 592

Number of Realtime Rx Packets Dropped........ 0

Number of Realtime Bytes Received............ 160783

Number of Realtime Rx Bytes Dropped.......... 0

Number of Data Packets Sent.................. 131

Number of Data Tx Packets Dropped............ 0

Number of Data Bytes Sent.................... 23436

Number of Data Tx Bytes Dropped.............. 0

Number of Realtime Packets Sent.............. 131

Number of Realtime Tx Packets Dropped........ 0

Number of Realtime Bytes Sent................ 23436

Number of Realtime Tx Bytes Dropped.......... 0

Call Admission Control (CAC) Stats

Voice Bandwidth in use(% of config bw)......... 0

Voice Roam Bandwidth in use(% of config bw).... 0


Total channel MT free........................ 0

Total voice MT free.......................... 0

Na Direct.................................... 0

Na Roam...................................... 0

Video Bandwidth in use(% of config bw)......... 0

Video Roam Bandwidth in use(% of config bw).... 0

Total BW in use for Voice(%)................... 0

Total BW in use for SIP Preferred call(%)...... 0

WMM TSPEC CAC Call Stats

Total num of voice calls in progress........... 0

Num of roaming voice calls in progress......... 0

Total Num of voice calls since AP joined....... 0

Total Num of roaming calls since AP joined..... 0

Total Num of exp bw requests received.......... 0

Total Num of exp bw requests admitted.......... 0

Num of voice calls rejected since AP joined.... 0

Num of roam calls rejected since AP joined..... 0

Num of calls rejected due to insufficent bw.... 0

Num of calls rejected due to invalid params.... 0

Num of calls rejected due to PHY rate.......... 0

Num of calls rejected due to QoS policy........ 0

SIP CAC Call Stats

Total Num of calls in progress................. 0

Num of roaming calls in progress............... 0

Total Num of calls since AP joined............. 0

Total Num of roaming calls since AP joined..... 0

Total Num of Preferred calls received.......... 0

Total Num of Preferred calls accepted.......... 0

Total Num of ongoing Preferred calls........... 0

Total Num of calls rejected(Insuff BW)......... 0

Total Num of roam calls rejected(Insuff BW).... 0

WMM Video TSPEC CAC Call Stats

Total num of video calls in progress........... 0

Num of roaming video calls in progress......... 0

Total Num of video calls since AP joined....... 0

Total Num of video roaming calls since AP j.... 0

Num of video calls rejected since AP joined.... 0

Num of video roam calls rejected since AP j.... 0

Num of video calls rejected due to insuffic.... 0

Num of video calls rejected due to invalid .... 0

Num of video calls rejected due to PHY rate.... 0

Num of video calls rejected due to QoS poli.... 0

SIP Video CAC Call Stats

Total Num of video calls in progress........... 0

Num of video roaming calls in progress......... 0

Total Num of video calls since AP joined....... 0

Total Num of video roaming calls since AP j.... 0

Total Num of video calls rejected(Insuff BW.... 0

Total Num of video roam calls rejected(Insu.... 0

Band Select Stats

Num of dual band client ....................... 0

Num of dual band client added.................. 0

Num of dual band client expired ............... 0

Num of dual band client replaced............... 0

Num of dual band client detected .............. 0

Num of suppressed client ...................... 0

Num of suppressed client expired............... 0

Num of suppressed client replaced.............. 0
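The dotted "Key....... value" layout used by show ap stats (and by most show commands in this reference) can be turned into structured data for monitoring. The following Python parser is an added example, not Cisco code; the function names are hypothetical, and the embedded excerpt assumes the live CLI indents subsections, which the text above no longer shows.

```python
import re

# "Key....... value" line; keys may be truncated or end in a space before the dots.
LEADER = re.compile(r"^(?P<indent>\s*)(?P<key>.+?)\s*\.{2,}\s*(?P<value>.*)$")

# Excerpt of the sample output above, re-indented. The indentation is an
# assumption about the live CLI; the values are the ones shown on this page.
SAMPLE = """\
Number Of Slots.................................. 2
AP Name.......................................... Ibiza
Radio Type....................................... RADIO_TYPE_80211a
Stats Information
  Number of Users................................ 0
  AckFailureCount................................ 0
  FcsErrorCount.................................. 20348857
  WepUndecryptableCount.......................... 19907
Rate Limiting Stats:
  Wlan 1:
    Number of Data Packets Received.............. 592
    Number of Data Rx Packets Dropped............ 160
    Number of Data Packets Sent.................. 131
    Number of Data Tx Packets Dropped............ 0
Band Select Stats
  Num of dual band client ....................... 0
"""

# Counters an operator may want to trend between polls (hypothetical selection).
WATCH = ("AckFailureCount", "FcsErrorCount", "WepUndecryptableCount")


def parse_dotted(text):
    """Return {section path (tuple of headers): {key: value}}.

    A line without a dotted leader is a section header. Nesting follows
    indentation; if the text has been flattened (no indentation), each
    key simply lands under the most recent header.
    """
    result = {}
    stack = []  # (indent, header) pairs, outermost first
    for raw in text.splitlines():
        if not raw.strip():
            continue
        match = LEADER.match(raw)
        if match:
            indent = len(match.group("indent"))
            # Drop headers that are indented deeper than this key.
            while stack and stack[-1][0] > indent:
                stack.pop()
            path = tuple(header for _, header in stack)
            value = match.group("value").strip()
            result.setdefault(path, {})[match.group("key")] = (
                int(value) if value.isdigit() else value
            )
        else:
            indent = len(raw) - len(raw.lstrip())
            # A new header replaces any header at the same or deeper level.
            while stack and stack[-1][0] >= indent:
                stack.pop()
            stack.append((indent, raw.strip().rstrip(":").strip()))
    return result


def watched_counters(stats, names=WATCH):
    """Return the watched radio counters that are non-zero."""
    info = stats.get(("Stats Information",), {})
    return {name: info[name] for name in names if info.get(name)}


def rx_drop_ratio(stats, wlan):
    """Fraction of received data packets dropped by rate limiting on one WLAN."""
    section = stats[("Rate Limiting Stats", wlan)]
    received = section["Number of Data Packets Received"]
    dropped = section["Number of Data Rx Packets Dropped"]
    return dropped / received if received else 0.0


if __name__ == "__main__":
    parsed = parse_dotted(SAMPLE)
    print(watched_counters(parsed))
    print(f"Wlan 1 rx drop ratio: {rx_drop_ratio(parsed, 'Wlan 1'):.2%}")
```

Comparing the returned counters between two polls, rather than reading absolute values, shows which ones are still increasing.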


show ap summary

To display a summary of all lightweight access points attached to the controller, use the show ap summary command.

show ap summary [cisco_ap]

Syntax Description

cisco_ap

(Optional) Type sequence of characters that make up the name of a specific AP or a group of APs, or enter a wild character search pattern.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

A list that contains each lightweight access point name, number of slots, manufacturer, MAC address, location, and the controller port number appears. When you specify

Examples

The following example shows how to display a summary of all connected access points:

(Cisco Controller) > show ap summary
Number of APs.................................... 2
Global AP username.............................. user
Global AP Dot1x username........................ Not Configured

AP Name  Slots  AP Model           Ethernet MAC       Location          Country  IP Address   Clients
-------  -----  -----------------  -----------------  ----------------  -------  -----------  -------
AP1140   2      AIR-LAP1142N-A-K9  f0:f7:55:75:f3:29  default location  US       192.168.0.0  0

Access Points using IPv6 transport:

AP Name  Slots  AP Model           Ethernet MAC       Location          Country  IPv6 Address     Clients
-------  -----  -----------------  -----------------  ----------------  -------  ---------------  -------
AP1040   2      AIR-LAP1042N-A-K9  00:40:96:b9:4b:89  default location  US       2001:DB8:0:1::1  0


show ap tcp-mss-adjust

To display the Basic Service Set Identifier (BSSID) value for each WLAN defined on an access point, use the show ap tcp-mss-adjust command.

show ap tcp-mss-adjust {cisco_ap | all}

Syntax Description

cisco_ap    Specified lightweight access point name.
all         Specifies all access points.

Note

If an AP itself is configured with the keyword all, the all access points case takes precedence over the AP that is configured with the keyword all.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to display Transmission Control Protocol (TCP) maximum segment size (MSS) information of all access points:

(Cisco Controller) > show ap tcp-mss-adjust all
AP Name             TCP State  MSS Size
------------------  ---------  -------
AP-1140             enabled    536
AP-1240             disabled   -
AP-1130             disabled   -


show ap wlan

To display the Basic Service Set Identifier (BSSID) value for each WLAN defined on an access point, use the show ap wlan command.

show ap wlan 802.11{a | b} cisco_ap

Syntax Description

802.11a    Specifies the 802.11a network.
802.11b    Specifies the 802.11b/g network.
ap_name    Lightweight access point name.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to display BSSIDs of an access point for the 802.11b network:

(Cisco Controller) > show ap wlan 802.11b AP01
Site Name........................................ MY_AP_GROUP1
Site Description................................. MY_AP_GROUP1
WLAN ID  Interface    BSSID
-------  -----------  --------------------------
1        management   00:1c:0f:81:fc:20
2        dynamic      00:1c:0f:81:fc:21


show assisted-roaming

To display assisted roaming and 802.11k configurations, use the show assisted-roaming command.

show assisted-roaming

Syntax Description

This command has no arguments or keywords.

Command Default

None.

Examples

This example shows how to display assisted roaming and 802.11k configurations:

(Cisco Controller) > show assisted-roaming

Assisted Roaming and 80211k Information:

Floor RSSI Bias.................................. 15 dBm

Maximum Denial................................... 2 counts

Minimium Optimized Neighbor Assigned............. 2 neighbors

Assisted Roaming Performance Chart:

Matching Assigned Neighbor....................... [0] = 0

Matching Assigned Neighbor....................... [1] = 0

Matching Assigned Neighbor....................... [2] = 0

Matching Assigned Neighbor....................... [3] = 0

Matching Assigned Neighbor....................... [4] = 0

Matching Assigned Neighbor....................... [5] = 0

Matching Assigned Neighbor....................... [6] = 0

Matching Assigned Neighbor....................... [7] = 0

No Matching Neighbor............................. [8] = 0

No Neighbor Assigned............................. [9] = 0

Related Commands

config assisted-roaming
config wlan assisted-roaming
debug 11k


show atf config

To monitor Cisco Airtime Fairness configuration, use the show atf config command.

show atf config {all | {ap-name ap-name} | {802.11{a | b}} | policy | wlan}

Syntax Description

all        Shows Cisco ATF configuration of all radios
ap-name    Shows Cisco ATF configuration of an AP
ap-name    AP name that you must specify
802.11a    Shows Cisco ATF configuration of all 5-GHz radios
802.11b    Shows Cisco ATF configuration of all 2.4-GHz radios
policy     Shows configuration of all airtime policies
wlan       Shows Cisco ATF configuration of all WLANs

Command Default

None

Command History

Release    Modification
8.1        This command was introduced

Examples

This example shows how to monitor Cisco Airtime Fairness configuration:

(Cisco Controller) > show atf config all


show atf statistics ap

To monitor Cisco Airtime Fairness statistics, use the show atf statistics command.

show atf statistics ap ap-name 802.11{a | b} {summary | wlan-id | policy-id}

Syntax Description

802.11a               Shows detailed statistics on all 5-GHz radios.
802.11b               Shows detailed statistics on all 2.4-GHz radios.
summary               Shows summary statistics for the AP.
wlan wlan-id          Shows detailed ATF statistics for the specified WLAN.
policy policy-name    Shows detailed ATF statistics for the specified policy name.

Command Default

None

Command History

Release    Modification
8.1        This command was introduced.

Examples

This example shows how to monitor Cisco Airtime Fairness statistics:

(Cisco Controller) > show atf statistics ap Ap01323 802.11a summary


show auth-list

To display the access point authorization list, use the show auth-list command.

show auth-list

Syntax Description

This command has no arguments or keywords.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to display the access point authorization list:

(Cisco Controller) > show auth-list
Authorize APs against AAA...................... disabled
Allow APs with Self-signed Certificate (SSC)... disabled
Mac Addr                  Cert Type    Key Hash
------------------------------------------------------------------------
xx:xx:xx:xx:xx:xx         MIC


show avc applications

To display all the supported Application Visibility and Control (AVC) applications, use the show avc applications command.

show avc applications

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release    Modification
7.4        This command was introduced.

Usage Guidelines

AVC uses the Network-Based Application Recognition (NBAR) deep packet inspection technology to classify applications based on the protocol they use. Using AVC, the controller can detect more than 1500 Layer 4 to Layer 7 protocols.

Examples

The following is a sample output of the show avc applications command:

(Cisco Controller) > show avc applications

Application-Name

================

3com-amp3

3com-tsmux

3pc

914c/g

9pfs acap acas accessbuilder accessnetwork acp acr-nema active-directory activesync

App-ID Engine-ID Selector-ID Application-Group-Name

====== ========= =========== ======================

538

977

3

3

629

106 other obsolete

788

1109

479

582

939

662

607

513

975

1194

1419

13

13

1

3

3

3

3

3

3

3

3

34

211

564

674

62

888

699

599

104

473

490 layer3-over-ip net-admin net-admin net-admin other other other other industrial-protocols other business-and-productivity-tools adobe-connect aed-512 afpovertcp agentx alpes aminet an

----

1441

963

1327

609

377

558

861

----

13

3

3

3

3

3

1

---

505

149

548

705

463

2639

107

----other obsolete business-and-productivity-tools net-admin net-admin file-sharing layer3-over-ip

-------------


show avc profile

To display Application Visibility and Control (AVC) profiles, use the show avc profile command.

show avc profile {summary | detailed profile_name }

Syntax Description

summary         Displays a summary of AVC profiles.
detailed        Displays the details of an AVC profile.
profile_name    Name of the AVC profile. The profile name can be up to 32 case-sensitive, alphanumeric characters.

Command Default

None

Command History

Release    Modification
7.4        This command was introduced.

Examples

The following is a sample output of the show avc profile summary command.

(Cisco Controller) > show avc profile summary
Profile-Name    Number of Rules
============    ==============
profile 1       3
avc_profile2    1

The following is a sample output of the show avc profile detailed command.

(Cisco Controller) > show avc profile detailed
Application-Name    Application-Group-Name     Action    DSCP
================    =======================    ======    ====
ftp                 file-sharing               Drop      -
flash-video         browsing                   Mark      10
facebook            browsing                   Mark      10

Associated WLAN IDs :
Associated Remote LAN IDs :
Associated Guest LAN IDs :


show avc statistics application

To display the statistics of an application, use the show avc statistics application command.

show avc statistics application application_name top-users [downstream wlan | upstream wlan | wlan] [wlan_id]

Syntax Description

application_name    Name of the application. The application name can be up to 32 case-sensitive, alphanumeric characters.
top-users           Displays AVC statistics for top application users.
downstream          (Optional) Displays statistics of top downstream applications.
wlan                (Optional) Displays AVC statistics of a WLAN.
wlan_id             WLAN identifier from 1 to 512.
upstream            (Optional) Displays statistics of top upstream applications.

Command Default

None

Command History

Release    Modification
7.4        This command was introduced.

Examples

The following is a sample output of the show avc statistics application command:

(Cisco Controller) > show avc statistics application ftp top-users downstream wlan 1
Client MAC             Client IP      WLAN ID  Packets   Bytes     Avg Pkt  Packets  Bytes    DSCP
(Up/Down)                                      (n secs)  (n secs)  Size     (Total)  (Total)  In   Out
===========            =========      ======   =======   =======   ======   =======  =======  ===  ===
00:0a:ab:15:00:9c(U)   172.16.31.156  1        16        91        5        43       338      0    0
                 (D)   172.16.31.156  1        22        5911      268      48       6409     0    0
00:0a:ab:15:00:5a(U)   172.16.31.90   1        7         39        5        13       84       0    0
                 (D)   172.16.31.90   1        12        5723      476      18       5869     0    0
00:0a:ab:15:00:60(U)   172.16.31.96   1        19        117       6        75       8666     0    0
                 (D)   172.16.31.96   1        19        4433      233      83       9595     0    0
00:0a:ab:15:00:a4(U)   172.16.31.164  1        18        139       7        21       161      0    0
                 (D)   172.16.31.164  1        23        4409      191      24       4439     0    0
00:0a:ab:15:00:48(U)   172.16.31.72   1        21        2738      130      21       2738     0    0
                 (D)   172.16.31.72   1        22        4367      198      22       4367     0    0
00:0a:ab:15:00:87(U)   172.16.31.135  1        11        47        4        49       301      0    0
                 (D)   172.16.31.135  1        12        4208      350      48       7755     0    0
00:0a:ab:15:00:92(U)   172.16.31.146  1        10        73        7        11       84       0    0
                 (D)   172.16.31.146  1        9         4168      463      11       4201     0    0
00:0a:ab:15:00:31(U)   172.16.31.49   1        11        95        8        34       250      0    0
                 (D)   172.16.31.49   1        18        3201      177      43       3755     0    0
00:0a:ab:15:00:46(U)   172.16.31.70   1        7         47        6        20       175      0    0
                 (D)   172.16.31.70   1        10        3162      316      23       3448     0    0
00:0a:ab:15:00:b3(U)   172.16.31.179  1        10        85        8        34       241      0    0


show avc statistics client

To display the client Application Visibility and Control (AVC) statistics, use the show avc statistics client command.

show avc statistics client client_MAC {application application_name | top-apps [upstream | downstream]}

Syntax Description

client_MAC          MAC address of the client.
application         Displays AVC statistics for an application.
application_name    Name of the application. The application name can be up to 32 case-sensitive, alphanumeric characters.
top-apps            Displays AVC statistics for top applications.
upstream            (Optional) Displays statistics of top upstream applications.
downstream          (Optional) Displays statistics of top downstream applications.

Command Default

None

Command History

Release    Modification
7.4        This command was introduced.

Examples

The following is a sample output of the show avc statistics client command:

(Cisco Controller) > show avc statistics client 00:0a:ab:15:00:01 application http
Description                    Upstream    Downstream
===========                    ========    ==========
Number of Packtes(n secs)      5059        6369
Number of Bytes(n secs)        170144      8655115
Average Packet size(n secs)    33          1358
Total Number of Packtes        131878      150169
Total Number of Bytes          6054464     205239972
DSCP Incoming packet           16          0
DSCP Outgoing Packet           16          0

The following is a sample output of the show avc statistics client command.

(Cisco Controller) > show avc statistics client 00:0a:ab:15:00:01 top-apps
Application-Name       Packets   Bytes     Avg Pkt  Packets  Bytes    DSCP  DSCP
(Up/Down)              (n secs)  (n secs)  Size     (Total)  (Total)  In    Out
================       =======   ======    ======   =======  ======   ====  ====
http              (U)  6035      637728    105      6035     637728   16    16
                  (D)  5420      7218796   1331     5420     7218796  0     0
ggp               (U)  1331      1362944   1024     1331     1362944  0     0
                  (D)  0         0         0        0        0        0     0
smp               (U)  1046      1071104   1024     1046     1071104  0     0
                  (D)  0         0         0        0        0        0     0
vrrp              (U)  205       209920    1024     205      209920   0     0
                  (D)  0         0         0        0        0        0     0
bittorrent        (U)  117       1604      13       117      1604     0     0
                  (D)  121       70469     582      121      70469    0     0
icmp              (U)  0         0         0        0        0        0     0
                  (D)  72        40032     556      72       40032    48    48
edonkey           (U)  112       4620      41       112      4620     0     0
                  (D)  105       33076     315      105      33076    24    24
dns               (U)  10        380       38       10       380      0     0
                  (D)  7         1743      249      7        1743     0     0
realmedia         (U)  2         158       79       2        158      0     0
                  (D)  2         65        32       2        65       0     0


show avc statistics guest-lan

To display the Application Visibility and Control (AVC) statistics of a guest LAN, use the show avc statistics guest-lan command.

show avc statistics guest-lan guest-lan_id {application application_name | top-app-groups [upstream | downstream] | top-apps [upstream | downstream]}

Syntax Description

guest-lan_id        Guest LAN identifier from 1 to 5.
application         Displays AVC statistics for an application.
application_name    Name of the application. The application name can be up to 32 case-sensitive, alphanumeric characters.
top-app-groups      Displays AVC statistics for top application groups.
upstream            (Optional) Displays statistics of top upstream applications.
downstream          (Optional) Displays statistics of top downstream applications.
top-apps            Displays AVC statistics for top applications.

Command Default

None

Command History

Release    Modification
7.4        This command was introduced.

Examples

The following is a sample output of the show avc statistics command.

(Cisco Controller) > show avc statistics guest-lan 1
Application-Name       Packets   Bytes      Avg Pkt  Packets   Bytes
(Up/Down)              (n secs)  (n secs)   Size     (Total)   (Total)
================       =======   ======     ======   ======    =======
unclassified      (U)  191464    208627     1        92208613  11138796586
                  (D)  63427     53440610   842      16295621  9657054635
ftp               (U)  805       72880      90       172939    11206202
                  (D)  911       58143      63       190900    17418653
http              (U)  264904    12508288   47       27493945  2837672192
                  (D)  319894    436915253  1365     29850934  36817587924
gre               (U)  0         0          0        10158872  10402684928
                  (D)  0         0          0        0         0
icmp              (U)  1         40         40       323       98476
                  (D)  7262      4034576    555      2888266   1605133372
ipinip            (U)  62565     64066560   1024     11992305  12280120320
                  (D)  0         0          0        0         0
imap              (U)  1430      16798      11       305161    3795766
                  (D)  1555      576371     370      332290    125799465
irc               (U)  9         74         8        1736      9133
                  (D)  11        371        33       1972      173381
nntp              (U)  22        158        7        1705      9612
                  (D)  22        372        16       2047      214391


show avc statistics remote-lan

To display the Application Visibility and Control (AVC) statistics of a remote LAN, use the show avc statistics remote-lan command.

show avc statistics remote-lan remote-lan_id {application application_name | top-app-groups [upstream | downstream] | top-apps [upstream | downstream]}

Syntax Description

remote-lan_id       Remote LAN identifier from 1 to 512.
application         Displays AVC statistics for an application.
application_name    Name of the application. The application name can be up to 32 case-sensitive, alphanumeric characters.
top-app-groups      Displays AVC statistics for top application groups.
upstream            (Optional) Displays statistics of top upstream applications.
downstream          (Optional) Displays statistics of top downstream applications.
top-apps            Displays AVC statistics for top applications.

Command Default

None

Command History

Release    Modification
7.4        This command was introduced.

Examples

The following is a sample output of the show avc statistics remote-lan command.

(Cisco Controller) > show avc statistics remote-lan 1
Application-Name       Packets   Bytes      Avg Pkt  Packets   Bytes
(Up/Down)              (n secs)  (n secs)   Size     (Total)   (Total)
================       =======   ======     ======   ======    =======
unclassified      (U)  191464    208627     1        92208613  11138796586
                  (D)  63427     53440610   842      16295621  9657054635
ftp               (U)  805       72880      90       172939    11206202
                  (D)  911       58143      63       190900    17418653
http              (U)  264904    12508288   47       27493945  2837672192
                  (D)  319894    436915253  1365     29850934  36817587924
gre               (U)  0         0          0        10158872  10402684928
                  (D)  0         0          0        0         0
icmp              (U)  1         40         40       323       98476
                  (D)  7262      4034576    555      2888266   1605133372
ipinip            (U)  62565     64066560   1024     11992305  12280120320
                  (D)  0         0          0        0         0
imap              (U)  1430      16798      11       305161    3795766
                  (D)  1555      576371     370      332290    125799465
irc               (U)  9         74         8        1736      9133
                  (D)  11        371        33       1972      173381
nntp              (U)  22        158        7        1705      9612
                  (D)  22        372        16       2047      214391


show avc statistics top-apps

To display the Application Visibility and Control (AVC) statistics for the most used applications, use the show avc statistics top-apps command.

show avc statistics top-apps [upstream | downstream]

Syntax Description

upstream      (Optional) Displays statistics of the most used upstream applications.
downstream    (Optional) Displays statistics of the most used downstream applications.

Command Default

None

Command History

Release    Modification
7.4        This command was introduced.

Examples

The following is a sample output of the show avc statistics top-apps command:

(Cisco Controller) > show avc statistics top-apps
Application-Name       Packets   Bytes      Avg Pkt  Packets   Bytes
(Up/Down)              (n secs)  (n secs)   Size     (Total)   (Total)
================       =======   =======    =======  =======   ========
http              (U)  204570    10610912   51       28272539  2882294016
                  (D)  240936    327624221  1359     30750570  38026889010
realmedia         (U)  908       62154      68       400698    26470359
                  (D)  166694    220522943  1322     35802836  47131836785
mpls-in-ip        (U)  77448     79306752   1024     10292787  10539813888
                  (D)  0         0          0        0         0
fire              (U)  70890     72591360   1024     10242484  10488303616
                  (D)  0         0          0        0         0
pipe              (U)  68296     69935104   1024     10224255  10469637120
                  (D)  0         0          0        0         0
gre               (U)  60982     62445568   1024     10340221  10588386304
                  (D)  0         0          0        0         0
crudp             (U)  26430     27064320   1024     10109812  10352447488
                  (D)  0         0          0        0         0
rtp               (U)  0         0          0        0         0
                  (D)  7482      9936096    1328     2603923   3458009744
icmp              (U)  0         0          0        323       98476
                  (D)  10155     5640504    555      2924693   1625363564

Related Commands

config avc profile delete
config avc profile create
config avc profile rule
config wlan avc
show avc profile
show avc applications
show avc statistics client
show avc statistics wlan
show avc statistics applications
show avc statistics guest-lan
show avc statistics remote-lan
debug avc error
debug avc events


show avc statistics wlan

To display the Application Visibility and Control (AVC) statistics of a WLAN, use the show avc statistics wlan command.

show avc statistics wlan wlan_id {application application_name | top-app-groups [upstream | downstream] | top-apps [upstream | downstream]}

Syntax Description

wlan_id             WLAN identifier from 1 to 512.
application         Displays AVC statistics for an application.
application_name    Name of the application. The application name can be up to 32 case-sensitive, alphanumeric characters.
top-app-groups      Displays AVC statistics for top application groups.
upstream            (Optional) Displays statistics of top upstream applications.
downstream          (Optional) Displays statistics of top downstream applications.
top-apps            Displays AVC statistics for top applications.

Command Default

None

Command History

Release    Modification
7.4        This command was introduced.

Examples

The following is a sample output of the show avc statistics command.

(Cisco Controller) > show avc statistics wlan 1
Application-Name       Packets   Bytes      Avg Pkt  Packets   Bytes
(Up/Down)              (n secs)  (n secs)   Size     (Total)   (Total)
================       =======   ======     ======   ======    =======
unclassified      (U)  191464    208627     1        92208613  11138796586
                  (D)  63427     53440610   842      16295621  9657054635
ftp               (U)  805       72880      90       172939    11206202
                  (D)  911       58143      63       190900    17418653
http              (U)  264904    12508288   47       27493945  2837672192
                  (D)  319894    436915253  1365     29850934  36817587924
gre               (U)  0         0          0        10158872  10402684928
                  (D)  0         0          0        0         0
icmp              (U)  1         40         40       323       98476
                  (D)  7262      4034576    555      2888266   1605133372
ipinip            (U)  62565     64066560   1024     11992305  12280120320
                  (D)  0         0          0        0         0
imap              (U)  1430      16798      11       305161    3795766
                  (D)  1555      576371     370      332290    125799465
irc               (U)  9         74         8        1736      9133
                  (D)  11        371        33       1972      173381
nntp              (U)  22        158        7        1705      9612
                  (D)  22        372        16       2047      214391

The following is a sample output of the show avc statistics wlan command.

(Cisco Controller) > show avc statistics wlan 1 application ftp
Description                    Upstream    Downstream
===========                    ========    ==========
Number of Packtes(n secs)      0           0
Number of Bytes(n secs)        0           0
Average Packet size(n secs)    0           0
Total Number of Packtes        32459       64888
Total Number of Bytes          274         94673983


show boot

To display the primary and backup software build numbers with an indication of which is active, use the show boot command.

show boot

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

Each Cisco wireless LAN controller retains one primary and one backup operating system software load in nonvolatile RAM to allow controllers to boot off the primary load (default) or revert to the backup load when desired.

Examples

The following is a sample output of the show boot command:

(Cisco Controller) > show boot

Primary Boot Image............................... 3.2.13.0 (active)

Backup Boot Image................................ 3.2.15.0

Related Commands

config boot

1556

Cisco Wireless Controller Command Reference, Release 8.4

show band-select

To display band selection information, use the show band-select command.

show band-select

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following is a sample output of the show band-select command:

(Cisco Controller) > show band-select
Band Select Probe Response....................... per WLAN enabling
   Cycle Count................................... 3 cycles
   Cycle Threshold............................... 200 milliseconds
   Age Out Suppression........................... 20 seconds
   Age Out Dual Band............................. 60 seconds
   Client RSSI................................... -80 dBm

Related Commands

config band-select
config wlan band-select

show buffers

To display buffer information of the controller, use the show buffers command.

show buffers

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following is a sample output of the show buffers command:

(Cisco Controller) > show buffers
Pool[00]: 16 byte chunks
    chunks in pool:    50000
    chunks in use:     9196
    bytes in use:      147136
    bytes requested:   73218 (73918 overhead bytes)
Pool[01]: 64 byte chunks
    chunks in pool:    50100
    chunks in use:     19222
    bytes in use:      1230208
    bytes requested:   729199 (501009 overhead bytes)
Pool[02]: 128 byte chunks
    chunks in pool:    26200
    chunks in use:     9861
    bytes in use:      1262208
    bytes requested:   848732 (413476 overhead bytes)
Pool[03]: 256 byte chunks
    chunks in pool:    3000
    chunks in use:     596
    bytes in use:      152576
    bytes requested:   93145 (59431 overhead bytes)
Pool[04]: 384 byte chunks
    chunks in pool:    6000
    chunks in use:     258
    bytes in use:      99072
    bytes requested:   68235 (30837 overhead bytes)
Pool[05]: 512 byte chunks
    chunks in pool:    18700
    chunks in use:     18667
    bytes in use:      9557504
    bytes requested:   7933814 (1623690 overhead bytes)
Pool[06]: 1024 byte chunks
    chunks in pool:    3500
    chunks in use:     94
    bytes in use:      96256
    bytes requested:   75598 (20658 overhead bytes)
Pool[07]: 2048 byte chunks
    chunks in pool:    1000
    chunks in use:     54
    bytes in use:      110592
    bytes requested:   76153 (34439 overhead bytes)
Pool[08]: 4096 byte chunks
    chunks in pool:    1000
    chunks in use:     47
    bytes in use:      192512
    bytes requested:   128258 (64254 overhead bytes)
Raw Pool:
    chunks in use:     256
    bytes requested:   289575125
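The pool counters in the show buffers output can be cross-checked and monitored mechanically. The following Python code is an added example, not part of the Cisco documentation: it parses four pools copied from the sample output, verifies that bytes in use equals chunk size times chunks in use, and lists pools at or above a utilization threshold. The function names and the 90 percent threshold are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample: four pools and the raw pool, with values copied from the
# sample output above. The parser does not depend on the whitespace layout.
SAMPLE_SHOW_BUFFERS = """\
Pool[00]: 16 byte chunks
    chunks in pool:    50000
    chunks in use:     9196
    bytes in use:      147136
    bytes requested:   73218 (73918 overhead bytes)
Pool[01]: 64 byte chunks
    chunks in pool:    50100
    chunks in use:     19222
    bytes in use:      1230208
    bytes requested:   729199 (501009 overhead bytes)
Pool[05]: 512 byte chunks
    chunks in pool:    18700
    chunks in use:     18667
    bytes in use:      9557504
    bytes requested:   7933814 (1623690 overhead bytes)
Pool[08]: 4096 byte chunks
    chunks in pool:    1000
    chunks in use:     47
    bytes in use:      192512
    bytes requested:   128258 (64254 overhead bytes)
Raw Pool:
    chunks in use:     256
    bytes requested:   289575125
"""


@dataclass
class Pool:
    index: int
    chunk_size: int
    chunks_in_pool: int
    chunks_in_use: int
    bytes_in_use: int
    bytes_requested: int
    overhead: int

    @property
    def utilization(self) -> float:
        """Fraction of the pool's chunks that are currently allocated."""
        if self.chunks_in_pool == 0:
            return 0.0
        return self.chunks_in_use / self.chunks_in_pool

    def is_consistent(self) -> bool:
        """Cross-check the counters: a mismatch means a mis-parsed capture."""
        return (self.bytes_in_use == self.chunk_size * self.chunks_in_use
                and self.overhead == self.bytes_in_use - self.bytes_requested)


HEADER = re.compile(r"Pool\[(\d+)\]:\s*(\d+)\s+byte chunks")
FIELDS = {
    "chunks_in_pool": r"chunks in pool:\s*(\d+)",
    "chunks_in_use": r"chunks in use:\s*(\d+)",
    "bytes_in_use": r"bytes in use:\s*(\d+)",
    "bytes_requested": r"bytes requested:\s*(\d+)",
    "overhead": r"\((\d+) overhead bytes\)",
}


def parse_pools(text):
    """Return one Pool per 'Pool[nn]' block; raise if a counter is missing."""
    pools = []
    headers = list(HEADER.finditer(text))
    for i, head in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(text)
        # The raw pool has its own counters; keep them out of the last pool.
        body = text[head.end():end].split("Raw Pool:")[0]
        values = {}
        for name, pattern in FIELDS.items():
            match = re.search(pattern, body)
            if match is None:
                raise ValueError(f"Pool[{head.group(1)}]: missing {name}")
            values[name] = int(match.group(1))
        pools.append(Pool(int(head.group(1)), int(head.group(2)), **values))
    return pools


def pools_over(pools, threshold=0.9):
    """Indexes of pools whose chunk utilization is at or above the threshold."""
    return [p.index for p in pools if p.utilization >= threshold]


if __name__ == "__main__":
    for pool in parse_pools(SAMPLE_SHOW_BUFFERS):
        print(f"Pool[{pool.index:02d}] {pool.utilization:7.2%} "
              f"consistent={pool.is_consistent()}")
    print("near exhaustion:", pools_over(parse_pools(SAMPLE_SHOW_BUFFERS)))
```

In the sample, the 512-byte pool is the only one close to exhaustion (18667 of 18700 chunks in use).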


show cac voice stats

To view the detailed voice CAC statistics of the 802.11a or 802.11b radio, use the show cac voice stats command.

show cac voice stats {802.11a | 802.11b}

Syntax Description

802.11a    Displays detailed voice CAC statistics for 802.11a.
802.11b    Displays detailed voice CAC statistics for 802.11b/g.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following is a sample output of the show cac voice stats 802.11b command:

(Cisco Controller) > show cac voice stats 802.11b
WLC Voice Call Statistics for 802.11b Radio

WMM TSPEC CAC Call Stats
Total num of Calls in progress................. 0
Num of Roam Calls in progress.................. 0
Total Num of Calls Admitted.................... 0
Total Num of Roam Calls Admitted............... 0
Total Num of exp bw requests received.......... 0
Total Num of exp bw requests Admitted.......... 0
Total Num of Calls Rejected.................... 0
Total Num of Roam Calls Rejected............... 0
Num of Calls Rejected due to insufficent bw.... 0
Num of Calls Rejected due to invalid params.... 0
Num of Calls Rejected due to PHY rate.......... 0
Num of Calls Rejected due to QoS policy........ 0

SIP CAC Call Stats
Total Num of Calls in progress................. 0
Num of Roam Calls in progress.................. 0
Total Num of Calls Admitted.................... 0
Total Num of Roam Calls Admitted............... 0
Total Num of Preferred Calls Received.......... 0
Total Num of Preferred Calls Admitted.......... 0
Total Num of Ongoing Preferred Calls........... 0
Total Num of Calls Rejected(Insuff BW)......... 0
Total Num of Roam Calls Rejected(Insuff BW).... 0

KTS based CAC Call Stats
Total Num of Calls in progress................. 0
Num of Roam Calls in progress.................. 0
Total Num of Calls Admitted.................... 0
Total Num of Roam Calls Admitted............... 0
Total Num of Calls Rejected(Insuff BW)......... 0
Total Num of Roam Calls Rejected(Insuff BW).... 0

show cac voice summary

To view the list of all APs with brief voice statistics (includes bandwidth used, maximum bandwidth available, and the number of calls information), use the show cac voice summary command.

show cac voice summary

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following is a sample output of the show cac voice summary command:

(Cisco Controller) > show cac voice summary
AP Name            Slot#  Radio  BW Used/Max  Calls
-----------------------------------------
APc47d.4f3a.3547   1      11a    1072/23437   1
                   0      11b/g  0/23437      0

show cac video stats

To view the detailed video CAC statistics of the 802.11a or 802.11b radio, use the show cac video stats command.

show cac video stats {802.11a | 802.11b}

Syntax Description

802.11a    Displays detailed video CAC statistics for 802.11a.
802.11b    Displays detailed video CAC statistics for 802.11b/g.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following is a sample output of the show cac video stats 802.11b command:

(Cisco Controller) > show cac video stats 802.11b
WLC Video Call Statistics for 802.11b Radio

WMM TSPEC CAC Call Stats
Total num of Calls in progress................. 0
Num of Roam Calls in progress.................. 0
Total Num of Calls Admitted.................... 0
Total Num of Roam Calls Admitted............... 0
Total Num of Calls Rejected.................... 0
Total Num of Roam Calls Rejected............... 0
Num of Calls Rejected due to insufficent bw.... 0
Num of Calls Rejected due to invalid params.... 0
Num of Calls Rejected due to PHY rate.......... 0
Num of Calls Rejected due to QoS policy........ 0

SIP CAC Call Stats
Total Num of Calls in progress................. 0
Num of Roam Calls in progress.................. 0
Total Num of Calls Admitted.................... 0
Total Num of Roam Calls Admitted............... 0
Total Num of Calls Rejected(Insuff BW)......... 0
Total Num of Roam Calls Rejected(Insuff BW).... 0

Related Commands

config 802.11 cac voice
config 802.11 cac defaults
config 802.11 cac video
config 802.11 cac multimedia
show cac voice stats
show cac voice summary
show cac video stats
show cac video summary
config 802.11 cac video load-based
config 802.11 cac video cac-method
config 802.11 cac video sip

show cac video summary

To view the list of all access points with brief video statistics (includes bandwidth used, maximum bandwidth available, and the number of calls information), use the show cac video summary command.

show cac video summary

Syntax Description

This command has no arguments or keywords.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following is a sample output of the show cac video summary command:

(Cisco Controller) > show cac video summary
AP Name            Slot#  Radio  BW Used/Max  Calls
-----------------------------------------
AP001b.d571.88e0   0      11b/g  0/10937      0
                   1      11a    0/18750      0
AP5_1250           0      11b/g  0/10937      0
                   1      11a    0/18750      0

Related Commands

config 802.11 cac voice
config 802.11 cac defaults
config 802.11 cac video
config 802.11 cac multimedia
show cac voice stats
show cac voice summary
show cac video stats
show cac video summary
config 802.11 cac video load-based
config 802.11 cac video cac-method
config 802.11 cac video sip

show call-control ap

Note: The show call-control ap command is applicable only for SIP based calls.

To see the metrics for successful calls or the traps generated for failed calls, use the show call-control ap command.

show call-control ap {802.11a | 802.11b} cisco_ap {metrics | traps}

Syntax Description

802.11a     Specifies the 802.11a network.
802.11b     Specifies the 802.11b/g network.
cisco_ap    Cisco access point name.
metrics     Specifies the call metrics information.
traps       Specifies the trap information for call control.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

To aid in troubleshooting, the output of this command shows an error code for any failed calls. This table explains the possible error codes for failed calls.

Table 12: Error Codes for Failed VoIP Calls

Error Code  Integer                      Description
1           unknown                      Unknown error.
400         badRequest                   The request could not be understood because of malformed syntax.
401         unauthorized                 The request requires user authentication.
402         paymentRequired              Reserved for future use.
403         forbidden                    The server understood the request but refuses to fulfill it.
404         notFound                     The server has information that the user does not exist at the domain specified in the Request-URI.
405         methodNotallowed             The method specified in the Request-Line is understood but not allowed for the address identified by the Request-URI.
406         notAcceptable                The resource identified by the request is only capable of generating response entities with content characteristics that are not acceptable according to the Accept header field sent in the request.
407         proxyAuthenticationRequired  The client must first authenticate with the proxy.
408         requestTimeout               The server could not produce a response within a suitable amount of time.
409         conflict                     The request could not be completed due to a conflict with the current state of the resource.
410         gone                         The requested resource is no longer available at the server, and no forwarding address is known.
411         lengthRequired               The server is refusing to process a request because the request entity-body is larger than the server is willing or able to process.
413         requestEntityTooLarge        The server is refusing to process a request because the request entity-body is larger than the server is willing or able to process.
414         requestURITooLarge           The server is refusing to service the request because the Request-URI is longer than the server is willing to interpret.
415         unsupportedMediaType         The server is refusing to service the request because the message body of the request is in a format not supported by the server for the requested method.
420         badExtension                 The server did not understand the protocol extension specified in a Proxy-Require or Require header field.
480         temporarilyNotAvailable      The callee’s end system was contacted successfully, but the callee is currently unavailable.
481         callLegDoesNotExist          The UAS received a request that does not match any existing dialog or transaction.
482         loopDetected                 The server has detected a loop.
483         tooManyHops                  The server received a request that contains a Max-Forwards header field with the value zero.
484         addressIncomplete            The server received a request with a Request-URI that was incomplete.
485         ambiguous                    The Request-URI was ambiguous.
486         busy                         The callee’s end system was contacted successfully, but the callee is currently not willing or able to take additional calls at this end system.
500         internalServerError          The server encountered an unexpected condition that prevented it from fulfilling the request.
501         notImplemented               The server does not support the functionality required to fulfill the request.
502         badGateway                   The server, while acting as a gateway or proxy, received an invalid response from the downstream server it accessed in attempting to fulfill the request.
503         serviceUnavailable           The server is temporarily unable to process the request because of a temporary overloading or maintenance of the server.
504         serverTimeout                The server did not receive a timely response from an external server it accessed in attempting to process the request.
505         versionNotSupported          The server does not support or refuses to support the SIP protocol version that was used in the request.
600         busyEverywhere               The callee’s end system was contacted successfully, but the callee is busy or does not want to take the call at this time.
603         decline                      The callee’s machine was contacted successfully, but the user does not want to or cannot participate.
604         doesNotExistAnywhere         The server has information that the user indicated in the Request-URI does not exist anywhere.
606         notAcceptable                The user’s agent was contacted successfully, but some aspects of the session description (such as the requested media, bandwidth, or addressing style) were not acceptable.

Examples

The following is a sample output of the show call-control ap command that displays successful calls generated for an access point:

(Cisco Controller) > show call-control ap 802.11a Cisco_AP metrics
Total Call Duration in Seconds................... 120
Number of Calls.................................. 10
Number of calls for given client is................. 1

The following is a sample output of the show call-control ap command that displays metrics of traps generated for an AP:

(Cisco Controller) > show call-control ap 802.11a Cisco_AP traps
Number of traps sent in one min.................. 2
Last SIP error code.............................. 404
Last sent trap timestamp...................... Jun 20 10:05:06

show call-control client

To see call information for a call-aware client when Voice-over-IP (VoIP) snooping is enabled and the call is active, use the show call-control client command.

show call-control client callInfo client_MAC_address

Syntax Description

callInfo              Specifies the call-control information.
client_MAC_address    Client MAC address.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example is a sample output of the show call-control client command:

(Cisco Controller) > show call-control client callInfo 10.10.10.10.10.10
Uplink IP/port................................... 0.0.0.0 / 0
Downlink IP/port................................ 9.47.96.107 / 5006
UP............................................... 6
Calling Party.................................... sip:1021
Called Party..................................... sip:1000
Call ID.......................................... 38423970c3fca477
Call on hold: ................................... FALSE
Number of calls for given client is.............. 1

show call-home summary

To view the Call Home details, use the show call-home summary command.

show call-home summary

Command History

Release    Modification
8.2        This command was introduced.

Examples

The following example shows the call-home summary:

(Cisco Controller) > show call-home summary
Current call home settings:
call home feature : enabled
contact person's email address: [email protected]
Mail-server: Not yet set up
http proxy: Not yet set up
Smart licensing messages: disabled
data-privacy: normal
Event throttling: Off
Rate-limit: 20 message(s) per minute
Profile name: CiscoTAC-1
Status: Inactive
TAC profile: Yes
Mode: Full reporting
Report data: SCH SL
Msg Format: XML
Msg size limit: 3145728
Transport method: HTTP
--More-- or (q)uit In slWlcProcessSLStatsClearMsg https://tools.cisco.com/its/service/oddce/services/DDCEService

show capwap reap association

To display the list of clients associated with an access point and their SSIDs, use the show capwap reap association command.

show capwap reap association

Syntax Description

This command has no arguments or keywords.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to display clients associated to an access point and their SSIDs:

(Cisco Controller) > show capwap reap association

show capwap reap status

To display the status of the FlexConnect access point (connected or standalone), use the show capwap reap status command.

show capwap reap status

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

The command shows only the VLAN when configured as AP-specific.

Examples

The following example shows how to display the status of the FlexConnect access point:

(Cisco Controller) > show capwap reap status

show cdp

To display the status and details of the Cisco Discovery Protocol (CDP), use the show cdp command.

show cdp {neighbors [detail] | entry all | traffic}

Syntax Description

neighbors    Displays a list of all CDP neighbors on all interfaces.
detail       (Optional) Displays detailed information of the controller’s CDP neighbors. This command shows only the CDP neighbors of the controller; it does not show the CDP neighbors of the controller’s associated access points.
entry all    Displays all CDP entries in the database.
traffic      Displays CDP traffic information.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following is a sample output of the show cdp command:

(Cisco Controller) > show cdp
CDP counters :
Total packets output: 0, Input: 0
Chksum error: 0
No memory: 0, Invalid packet: 0,

Related Commands

config cdp
config ap cdp
show ap cdp

show certificate compatibility

To display whether or not certificates are verified as compatible in the Cisco wireless LAN controller, use the show certificate compatibility command.

show certificate compatibility

Syntax Description

This command has no arguments or keywords.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following is a sample output of the show certificate compatibility command:

(Cisco Controller) > show certificate compatibility
Certificate compatibility mode:................ off

show certificate lsc

To verify that the controller has generated a Locally Significant Certificate (LSC), use the show certificate lsc summary command.

show certificate lsc {summary | ap-provision}

Syntax Description

summary         Displays a summary of LSC certificate settings and certificates.
ap-provision    Displays details about the access points that are provisioned using the LSC.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following is a sample output of the show certificate lsc summary command:

(Cisco Controller) > show certificate lsc summary
LSC Enabled...................................... Yes
LSC CA-Server.................................... http://10.0.0.1:8080/caserver
LSC AP-Provisioning.............................. Yes
    Provision-List............................... Not Configured
    LSC Revert Count in AP reboots............... 3
LSC Params:
    Country...................................... 4
    State........................................ ca
    City......................................... ss
    Orgn......................................... org
    Dept......................................... dep
    Email........................................ [email protected]
    KeySize...................................... 390
LSC Certs:
    CA Cert...................................... Not Configured
    RA Cert...................................... Not Configured

This example shows how to display the details about the access points that are provisioned using the LSC:

(Cisco Controller) > show certificate lsc ap-provision
LSC AP-Provisioning.............................. Yes
Provision-List................................... Present
Idx Mac Address
--- -------------
1   00:18:74:c7:c0:90

show certificate ssc

To view the Self Signed Device Certificate (SSC) and hash key of the virtual controller, use the show certificate ssc command.

show certificate ssc

Syntax Description

This command has no arguments or keywords.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following is a sample output of the show certificate ssc command:

(Cisco Controller) > show certificate ssc
SSC Hash validation.............................. Enabled.
SSC Device Certificate details:
Subject Name :
C=US, ST=California, L=San Jose, O=Cisco Virtual Wireless LAN Controller,
CN=DEVICE-vWLC-AIR-CTVM-K9-000C297F2CF7, [email protected]
Validity :
Start : 2012 Jul 23rd, 15:47:53 GMT
End : 2022 Jun 1st, 15:47:53 GMT
Hash key : 5870ffabb15de2a617132bafcd73
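The validity window in this output uses ordinal day suffixes ("23rd", "1st"), which standard date parsers reject. The following Python code is an added example, not part of the Cisco documentation: it parses the show certificate ssc sample above and reports how close the certificate is to expiry at a given reference time. The function names, the 90-day warning window and the wording of the findings are assumptions.

```python
import re
from datetime import datetime, timezone

# Constructed sample: the `show certificate ssc` output shown above, with the
# e-mail attribute of the subject omitted.
SAMPLE_SHOW_CERT_SSC = """\
SSC Hash validation.............................. Enabled.
SSC Device Certificate details:
Subject Name :
C=US, ST=California, L=San Jose, O=Cisco Virtual Wireless LAN Controller,
CN=DEVICE-vWLC-AIR-CTVM-K9-000C297F2CF7
Validity :
Start : 2012 Jul 23rd, 15:47:53 GMT
End : 2022 Jun 1st, 15:47:53 GMT
Hash key : 5870ffabb15de2a617132bafcd73
"""

# Year, month abbreviation, day with ordinal suffix, clock time, "GMT".
DATE_RE = re.compile(
    r"(\d{4}) ([A-Z][a-z]{2}) (\d{1,2})(?:st|nd|rd|th), (\d{2}:\d{2}:\d{2}) GMT")


def parse_wlc_date(value):
    """Convert '2022 Jun 1st, 15:47:53 GMT' to a timezone-aware datetime."""
    match = DATE_RE.search(value)
    if match is None:
        raise ValueError(f"unrecognised date: {value!r}")
    year, month, day, clock = match.groups()
    parsed = datetime.strptime(f"{year} {month} {day} {clock}",
                               "%Y %b %d %H:%M:%S")
    return parsed.replace(tzinfo=timezone.utc)


def parse_ssc(text):
    """Extract the fields of interest from `show certificate ssc` output."""
    info = {}
    match = re.search(r"SSC Hash validation\.+\s*(\w+)", text)
    info["hash_validation"] = (match is not None
                               and match.group(1).lower() == "enabled")
    match = re.search(r"CN=([^,\s]+)", text)
    info["common_name"] = match.group(1) if match else None
    for key, label in (("not_before", "Start"), ("not_after", "End")):
        match = re.search(rf"^\s*{label}\s*:\s*(.+)$", text, re.MULTILINE)
        if match is None:
            raise ValueError(f"missing validity field: {label}")
        info[key] = parse_wlc_date(match.group(1))
    match = re.search(r"Hash key\s*:\s*([0-9a-fA-F]+)", text)
    info["hash_key"] = match.group(1) if match else None
    return info


def audit_ssc(info, now, warn_days=90):
    """Return findings for the parsed certificate at reference time `now`."""
    findings = []
    if not info["hash_validation"]:
        findings.append("SSC hash validation is not enabled")
    if now < info["not_before"]:
        findings.append("certificate is not yet valid")
    remaining = info["not_after"] - now
    if remaining.total_seconds() <= 0:
        findings.append(
            f"certificate expired on {info['not_after']:%Y-%m-%d}")
    elif remaining.days < warn_days:
        findings.append(f"certificate expires in {remaining.days} days")
    return findings


if __name__ == "__main__":
    parsed = parse_ssc(SAMPLE_SHOW_CERT_SSC)
    print(parsed["common_name"], parsed["not_after"].isoformat())
    print(audit_ssc(parsed, datetime.now(timezone.utc)))
```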


show certificate summary

To verify that the controller has generated a certificate, use the show certificate summary command.

show certificate summary

Syntax Description

This command has no arguments or keywords.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following is a sample output of the show certificate summary command:

(Cisco Controller) > show certificate summary
Web Administration Certificate................. Locally Generated
Web Authentication Certificate................. Locally Generated
Certificate compatibility mode:................ off

show client ap

To display the clients on a Cisco lightweight access point, use the show client ap command.

show client ap 802.11{a | b} cisco_ap

Syntax Description

802.11a     Specifies the 802.11a network.
802.11b     Specifies the 802.11b/g network.
cisco_ap    Cisco lightweight access point name.

Command Default

None

Usage Guidelines

The show client ap command may list the status of automatically disabled clients. Use the show exclusionlist command to view clients on the exclusion list (blacklisted).

Examples

This example shows how to display client information on an access point:

(Cisco Controller) > show client ap 802.11b AP1
MAC Address        AP Id  Status      WLAN Id  Authenticated
-----------------------------------------------------
xx:xx:xx:xx:xx:xx  1      Associated  1        No

show client calls

To display the total number of active or rejected calls on the controller, use the show client calls command.

show client calls {active | rejected} {802.11a | 802.11bg | all}

Syntax Description

active      Specifies active calls.
rejected    Specifies rejected calls.
802.11a     Specifies the 802.11a network.
802.11bg    Specifies the 802.11b/g network.
all         Specifies both the 802.11a and 802.11b/g network.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following is a sample output of the show client calls active 802.11a command:

(Cisco Controller) > show client calls active 802.11a
Client MAC            Username  Total Call Duration (sec)  AP Name          Radio Type
--------------------  --------  ----------                 ---------------  ----------
00:09:ef:02:65:70     abc       45                         VJ-1240C-ed45cc  802.11a
00:13:ce:cc:51:39     xyz       45                         AP1130-a416      802.11a
00:40:96:af:15:15     def       45                         AP1130-a416      802.11a
00:40:96:b2:69:df     def       45                         AP1130-a416      802.11a
Number of Active Calls ------------------------------------ 4

show client ccx client-capability

To display the client’s capability information, use the show client ccx client-capability command.

show client ccx client-capability client_mac_address

Syntax Description

client_mac_address    MAC address of the client.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

This command displays the client’s available capabilities, not the current settings for the capabilities.

Examples

The following is a sample output of the show client ccx client-capability command:

(Cisco Controller) > show client ccx client-capability 00:40:96:a8:f7:98
Service Capability.................................. Voice, Streaming(uni-directional) Video, Interactive(bi-directional) Video
Radio Type.......................................... DSSS OFDM(802.11a) HRDSSS(802.11b) ERP(802.11g)
Radio Type.......................................... DSSS
    Radio Channels.................................. 1 2 3 4 5 6 7 8 9 10 11
    Tx Power Mode................................... Automatic
    Rate List(MB)................................... 1.0 2.0
Radio Type.......................................... HRDSSS(802.11b)
    Radio Channels.................................. 1 2 3 4 5 6 7 8 9 10 11
    Tx Power Mode................................... Automatic
    Rate List(MB)................................... 5.5 11.0
Radio Type.......................................... ERP(802.11g)
    Radio Channels.................................. 1 2 3 4 5 6 7 8 9 10 11
    Tx Power Mode................................... Automatic
    Rate List(MB)................................... 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0
Are you sure you want to start? (y/N)y Are you sure you want to start? (y/N)

show client ccx frame-data

To display the data frames sent from the client for the last test, use the show client ccx frame-data command.

show client ccx frame-data client_mac_address

Syntax Description

client_mac_address    MAC address of the client.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following is a sample output of the show client ccx frame-data command:

(Cisco Controller) > show client ccx frame-data xx:xx:xx:xx:xx:xx

show client ccx last-response-status

To display the status of the last test response, use the show client ccx last-response-status command.

show client ccx last-response-status client_mac_address

Syntax Description

client_mac_address    MAC address of the client.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following is a sample output of the show client ccx last-response-status command:

(Cisco Controller) > show client ccx last-response-status
Test Status ........................ Success
Response Dialog Token.............. 87
Response Status.................... Successful
Response Test Type................. 802.1x Authentication Test
Response Time...................... 3476 seconds since system boot

show client ccx last-test-status

To display the status of the last test, use the show client ccx last-test-status command.

show client ccx last-test-status client_mac_address

Syntax Description

client_mac_address    MAC address of the client.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following is a sample output of the show client ccx last-test-status command:

(Cisco Controller) > show client ccx last-test-status
Test Type ........................ Gateway Ping Test
Test Status ...................... Pending/Success/Timeout
Dialog Token ..................... 15
Timeout .......................... 15000 ms
Request Time ..................... 1329 seconds since system boot

show client ccx log-response show client ccx log-response

To display a log response, use the show client ccx log-response command.

show client ccx log-response {roam | rsna | syslog} client_mac_address

Syntax Description roam rsna syslog

client_mac_address

(Optional) Displays the CCX client roaming log response.

(Optional) Displays the CCX client RSNA log response.

(Optional) Displays the CCX client system log response.

Inventory for the specified access point.

Command Default

None

Command History

Examples

Release

7.6

Modification

This command was introduced in a release earlier than Release 7.6.

The following is a sample output of the show client ccx log-response syslog command:

(Cisco Controller) >

show client ccx log-response syslog 00:40:96:a8:f7:98

Tue Jun 26 18:07:48 2007 Syslog Response LogID=131: Status=Successful

Event Timestamp=0d 00h 19m 42s 278987us

Client SysLog =

‘<11> Jun 19 11:49:47 unraval13777 Mandatory elements missing in the

OID response

Event Timestamp=0d 00h 19m 42s 278990us

Client SysLog =

‘<11> Jun 19 11:49:47 unraval13777 Mandatory elements missing in the

OID response

Tue Jun 26 18:07:48 2007 Syslog Response LogID=131: Status=Successful

Event Timestamp=0d 00h 19m 42s 278987us

Client SysLog =

‘<11> Jun 19 11:49:47 unraval13777 Mandatory elements missing in the

OID response

Event Timestamp=0d 00h 19m 42s 278990us

Client SysLog =

‘<11> Jun 19 11:49:47 unraval13777 Mandatory elements missing in the

OID response

The following example shows how to display the client roaming log response:

(Cisco Controller) >

show client ccx log-response roam 00:40:96:a8:f7:98

Thu Jun 22 11:55:14 2007 Roaming Response LogID=20: Status=Successful

Event Timestamp=0d 00h 00m 13s 322396us Source BSSID=00:40:96:a8:f7:98

Target BSSID=00:0b:85:23:26:70, Transition Time=100(ms)

Transition Reason: Normal roam, poor link Transition Result: Success

Thu Jun 22 11:55:14 2007 Roaming Response LogID=133: Status=Successful

Event Timestamp=0d 00h 00m 16s 599006us Source BSSID=00:0b:85:81:06:c2

Target BSSID=00:0b:85:81:06:c2, Transition Time=3235(ms)

Transition Reason: Normal roam, poor link Transition Result: Success

Thu Jun 22 18:28:48 2007 Roaming Response LogID=133: Status=Successful

Event Timestamp=0d 00h 00m 08s 815477us Source BSSID=00:0b:85:81:06:c2

Target BSSID=00:0b:85:81:06:d2, Transition Time=3281(ms)

Transition Reason: First association to WLAN Transition Result: Success

show client ccx manufacturer-info

To display the client manufacturing information, use the show client ccx manufacturer-info command.

show client ccx manufacturer-info client_mac_address

Syntax Description

client_mac_address

MAC address of the client.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following is a sample output of the show client ccx manufacturer-info command:

(Cisco Controller) > show client ccx manufacturer-info 00:40:96:a8:f7:98

Manufacturer OUI .............................. 00:40:96

Manufacturer ID ............................... Cisco

Manufacturer Model ............................ Cisco Aironet 802.11a/b/g Wireless Adapter

Manufacturer Serial ........................... FOC1046N3SX

Mac Address ................................... 00:40:96:b2:8d:5e

Radio Type .................................... DSSS OFDM(802.11a) HRDSSS(802.11b)

ERP(802.11g)

Antenna Type .................................. Omni-directional diversity

Antenna Gain .................................. 2 dBi

Rx Sensitivity:

Radio Type ...................................... DSSS

Rx Sensitivity .................................. Rate:1.0 Mbps, MinRssi:-95, MaxRss1:-30

Rx Sensitivity .................................. Rate:2.0 Mbps, MinRssi:-95, MaxRss1:-30

Radio Type ...................................... HRDSSS(802.11b)

Rx Sensitivity .................................. Rate:5.5 Mbps, MinRssi:-95, MaxRss1:-30

Rx Sensitivity .................................. Rate:11.0 Mbps, MinRssi:-95, MaxRss1:-30

Radio Type ...................................... ERP(802.11g)

Rx Sensitivity .................................. Rate:6.0 Mbps, MinRssi:-95, MaxRss1:-30

Rx Sensitivity .................................. Rate:9.0 Mbps, MinRssi:-95, MaxRss1:-30

Rx Sensitivity .................................. Rate:12.0 Mbps, MinRssi:-95, MaxRss1:-30

Rx Sensitivity .................................. Rate:18.0 Mbps, MinRss1:-95, MaxRss1:-30

show client ccx operating-parameters

To display the client operating-parameters, use the show client ccx operating-parameters command.

show client ccx operating-parameters client_mac_address

Syntax Description

client_mac_address

MAC address of the client.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following is a sample output of the show client ccx operating-parameters command:

(Cisco Controller) > show client ccx operating-parameters 00:40:96:b2:8d:5e

Client Mac ......................................... 00:40:96:b2:8d:5e

Radio Type ......................................... OFDM(802.11a)

Radio Type ......................................... OFDM(802.11a)

Radio Channels ................................. 36 40 44 48 52 56 60 64 100 104 108 112

116 120 124 128 132 136 140 149 153 157 161 165

Tx Power Mode .................................. Automatic

Rate List(MB)................................... 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0

Power Save Mode .................................... Normal Power Save

SSID ............................................... wifi

Security Parameters[EAP Method, Credential]......... None

Auth Method ........................................ None

Key Management...................................... None

Encryption ......................................... None

Device Name ........................................ Wireless Network Connection 15

Device Type ........................................ 0

OS Id .............................................. Windows XP

OS Version ......................................... 5.1.6.2600 Service Pack 2

IP Type ............................................ DHCP address

IPv4 Address ....................................... Available

IP Address ......................................... 70.0.4.66

Subnet Mask ........................................ 255.0.0.0

Default Gateway .................................... 70.1.0.1

IPv6 Address ....................................... Not Available

IPv6 Address ....................................... 0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:

IPv6 Subnet Mask ................................... 0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:

DNS Servers ........................................ 103.0.48.0

WINS Servers .......................................

System Name ........................................ URAVAL3777

Firmware Version ................................... 4.0.0.187

Driver Version ..................................... 4.0.0.187

show client ccx profiles

To display the client profiles, use the show client ccx profiles command.

show client ccx profiles client_mac_address

Syntax Description

client_mac_address

MAC address of the client.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following is a sample output of the show client ccx profiles command:

(Cisco Controller) > show client ccx profiles 00:40:96:15:21:ac

Number of Profiles .................................. 1

Current Profile ..................................... 1

Profile ID .......................................... 1

Profile Name ........................................ wifiEAP

SSID ................................................ wifiEAP

Security Parameters [EAP Method, Credential]......... EAP-TLS, Host OS Login Credentials

Auth Method ......................................... EAP

Key Management ...................................... WPA2+CCKM

Encryption .......................................... AES-CCMP

Power Save Mode ..................................... Constantly Awake

Radio Configuration:

Radio Type........................................... DSSS

Preamble Type.................................... Long preamble

CCA Method....................................... Energy Detect + Carrier

Detect/Correlation

Data Retries..................................... 6

Fragment Threshold............................... 2342

Radio Channels................................... 1 2 3 4 5 6 7 8 9 10 11

Tx Power Mode.................................... Automatic

Rate List (MB)................................... 1.0 2.0

Radio Type........................................... HRDSSS(802.11b)

Preamble Type.................................... Long preamble

CCA Method....................................... Energy Detect + Carrier

Detect/Correlation

Data Retries..................................... 6

Fragment Threshold............................... 2342

Radio Channels................................... 1 2 3 4 5 6 7 8 9 10 11

Tx Power Mode.................................... Automatic

Rate List(MB).................................... 5.5 11.0

Radio Type........................................... ERP(802.11g)

Preamble Type.................................... Long preamble

CCA Method....................................... Energy Detect + Carrier

Detect/Correlation

Data Retries..................................... 6

Fragment Threshold............................... 2342

Radio Channels................................... 1 2 3 4 5 6 7 8 9 10 11

Tx Power Mode.................................... Automatic

Rate List (MB)................................... 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0

Radio Type........................................... OFDM(802.11a)

Preamble Type.................................... Long preamble

CCA Method....................................... Energy Detect + Carrier

Detect/Correlation

Data Retries..................................... 6

Fragment Threshold............................... 2342

Radio Channels................................... 36 40 44 48 52 56 60 64 149 153 157 161

165

Tx Power Mode.................................... Automatic

Rate List (MB)................................... 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0

show client ccx results

To display the results from the last successful diagnostic test, use the show client ccx results command.

show client ccx results client_mac_address

Syntax Description

client_mac_address

MAC address of the client.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following is a sample output of the show client ccx results command:

(Cisco Controller) > show client ccx results xx.xx.xx.xx

dot1x Complete....................................... Success

EAP Method........................................... *1,Host OS Login Credentials

dot1x Status......................................... 255

show client ccx rm

To display Cisco Client eXtension (CCX) client radio management report information, use the show client ccx rm command.

show client ccx rm client_MAC {status | {report {chan-load | noise-hist | frame | beacon | pathloss}}}

Syntax Description

client_MAC    Client MAC address.
status        Displays the client CCX radio management status information.
report        Displays the client CCX radio management report.
chan-load     Displays radio management channel load reports.
noise-hist    Displays radio management noise histogram reports.
beacon        Displays radio management beacon load reports.
frame         Displays radio management frame reports.
pathloss      Displays radio management path loss reports.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to display the client radio management status information:

(Cisco Controller) > show client ccx rm 00:40:96:15:21:ac status

Client Mac Address............................... 00:40:96:15:21:ac

Channel Load Request............................. Enabled

Noise Histogram Request.......................... Enabled

Beacon Request................................... Enabled

Frame Request.................................... Enabled

Interval......................................... 30

Iteration........................................... 10

The following example shows how to display the client radio management load reports:

(Cisco Controller) > show client ccx rm 00:40:96:15:21:ac report chan-load

Channel Load Report

Client Mac Address............................... 00:40:96:ae:53:bc

Timestamp........................................ 788751121

Incapable Flag................................... On

Refused Flag........................................ On

Chan CCA Busy Fraction

-----------------------

1 194

2 86

3 103

4 0

5 178

6 82

7 103

8 95

9 13

10 222

11 75

The following example shows how to display the client radio management noise histogram reports:

(Cisco Controller) > show client ccx rm 00:40:96:15:21:ac report noise-hist

Noise Histogram Report

Client Mac Address............................... 00:40:96:15:21:ac

Timestamp........................................ 4294967295

Incapable Flag................................... Off

Refused Flag........................................ Off

Chan RPI0 RPI1 RPI2 RPI3 RPI4 RPI5 RPI6 RPI7

show client ccx stats-report

To display the Cisco Client eXtensions (CCX) statistics report from a specified client device, use the show client ccx stats-report command.

show client ccx stats-report client_mac_address

Syntax Description

client_mac_address

Client MAC address.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following is a sample output of the show client ccx stats-report command:

(Cisco Controller) > show client ccx stats-report 00:0c:41:07:33:a6

Measurement duration = 1

dot11TransmittedFragmentCount = 1

dot11MulticastTransmittedFrameCount = 2

dot11FailedCount = 3

dot11RetryCount = 4

dot11MultipleRetryCount = 5

dot11FrameDuplicateCount = 6

dot11RTSSuccessCount = 7

dot11RTSFailureCount = 8

dot11ACKFailureCount = 9

dot11ReceivedFragmentCount = 10

dot11MulticastReceivedFrameCount = 11

dot11FCSErrorCount = 12

dot11TransmittedFrameCount = 13

show client detail

To display IP addresses per client learned through DNS snooping (DNS-based ACL), use the show client detail mac_address command.

show client detail mac_address

Syntax Description

mac_address

MAC address of the client.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced.

Examples

The following is a sample output of the show client detail mac_address command.

(Cisco Controller) > show client detail 01:35:6x:yy:21:00

Client MAC Address............................... 01:35:6x:yy:21:00

Client Username ................................. test

AP MAC Address................................... 00:11:22:33:44:x0

AP Name.......................................... AP0011.2020.x111

AP radio slot Id................................. 1

Client State..................................... Associated

Client NAC OOB State............................. Access

Wireless LAN Id.................................. 7

Hotspot (802.11u)................................ Not Supported

BSSID............................................ 00:11:22:33:44:xx

Connected For ................................... 28 secs

Channel.......................................... 56

IP Address....................................... 10.0.0.1

Gateway Address.................................. Unknown

Netmask.......................................... Unknown

IPv6 Address..................................... xx20::222:6xyy:zeeb:2233

Association Id................................... 1

Authentication Algorithm......................... Open System

Reason Code...................................... 1

Status Code...................................... 0

Client CCX version............................... No CCX support

Re-Authentication Timeout........................ 1756

QoS Level........................................ Silver

Avg data Rate.................................... 0

Burst data Rate.................................. 0

Avg Real time data Rate.......................... 0

Burst Real Time data Rate........................ 0

802.1P Priority Tag.............................. disabled

CTS Security Group Tag........................... Not Applicable

KTS CAC Capability............................... No

WMM Support...................................... Enabled

APSD ACs....................................... BK BE VI VO

Power Save....................................... ON

Current Rate..................................... m7

Supported Rates.................................. 6.0,9.0,12.0,18.0,24.0,36.0,

............................................. 48.0,54.0

Mobility State................................... Local

Mobility Move Count.............................. 0

Security Policy Completed........................ No

Policy Manager State............................. SUPPLICANT_PROVISIONING

Policy Manager Rule Created...................... Yes

AAA Override ACL Name............................ android

AAA Override ACL Applied Status.................. Yes

AAA Override Flex ACL Name....................... none

AAA Override Flex ACL Applied Status............. Unavailable

AAA URL redirect.................................

https://10.0.0.3:8443/guestportal/gateway?sessionId=0a68aa72000000015272404e&action=nsp

Audit Session ID................................. 0a68aa72000000015272404e

AAA Role Type.................................... none

Local Policy Applied............................. p1

IPv4 ACL Name.................................... none

FlexConnect ACL Applied Status................... Unavailable

IPv4 ACL Applied Status.......................... Unavailable

IPv6 ACL Name.................................... none

IPv6 ACL Applied Status.......................... Unavailable

Layer2 ACL Name.................................. none

Layer2 ACL Applied Status........................ Unavailable

Client Type...................................... SimpleIP

mDNS Status...................................... Enabled

mDNS Profile Name................................ default-mdns-profile

No. of mDNS Services Advertised.................. 0

Policy Type...................................... WPA2

Authentication Key Management.................... 802.1x

Encryption Cipher................................ CCMP (AES)

Protected Management Frame ...................... No

Management Frame Protection...................... No

EAP Type......................................... PEAP

Interface........................................ management

VLAN............................................. 0

Quarantine VLAN.................................. 0

Access VLAN...................................... 0

Client Capabilities:

CF Pollable................................ Not implemented

CF Poll Request............................ Not implemented

Short Preamble............................. Not implemented

PBCC....................................... Not implemented

Channel Agility............................ Not implemented

Listen Interval............................ 10

Fast BSS Transition........................ Not implemented

Client Wifi Direct Capabilities:

WFD capable................................ No

Manged WFD capable......................... No

Cross Connection Capable................... No

Support Concurrent Operation............... No

Fast BSS Transition Details:

Client Statistics:

Number of Bytes Received................... 123659

Number of Bytes Sent....................... 120564

Number of Packets Received................. 1375

Number of Packets Sent..................... 276

Number of Interim-Update Sent.............. 0

Number of EAP Id Request Msg Timeouts...... 0

Number of EAP Id Request Msg Failures...... 0

Number of EAP Request Msg Timeouts......... 2

Number of EAP Request Msg Failures......... 0

Number of EAP Key Msg Timeouts............. 0

Number of EAP Key Msg Failures............. 0

Number of Data Retries..................... 82

Number of RTS Retries...................... 0

Number of Duplicate Received Packets....... 0

Number of Decrypt Failed Packets........... 0

Number of Mic Failured Packets............. 0

Number of Mic Missing Packets.............. 0

Number of RA Packets Dropped............... 0

Number of Policy Errors.................... 0

Radio Signal Strength Indicator............ -51 dBm

Signal to Noise Ratio...................... 46 dB

Client Rate Limiting Statistics:

Number of Data Packets Recieved............ 0

Number of Data Rx Packets Dropped.......... 0

Number of Data Bytes Recieved.............. 0

Number of Data Rx Bytes Dropped............ 0

Number of Realtime Packets Recieved........ 0

Number of Realtime Rx Packets Dropped...... 0

Number of Realtime Bytes Recieved.......... 0

Number of Realtime Rx Bytes Dropped........ 0

Number of Data Packets Sent................ 0

Number of Data Tx Packets Dropped.......... 0

Number of Data Bytes Sent.................. 0

Number of Data Tx Bytes Dropped............ 0

Number of Realtime Packets Sent............ 0

Number of Realtime Tx Packets Dropped...... 0

Number of Realtime Bytes Sent.............. 0

Number of Realtime Tx Bytes Dropped........ 0

Nearby AP Statistics:

AP0022.9090.c545(slot 0)

antenna0: 26 secs ago.................... -33 dBm

antenna1: 26 secs ago.................... -35 dBm

AP0022.9090.c545(slot 1)

antenna0: 25 secs ago.................... -41 dBm

antenna1: 25 secs ago.................... -44 dBm

APc47d.4f3a.35c2(slot 0)

antenna0: 26 secs ago.................... -30 dBm

antenna1: 26 secs ago.................... -36 dBm

APc47d.4f3a.35c2(slot 1)

antenna0: 24 secs ago.................... -43 dBm

antenna1: 24 secs ago.................... -45 dBm

DNS Server details:

DNS server IP ............................. 0.0.0.0

DNS server IP ............................. 0.0.0.0

Client Dhcp Required: False

Allowed (URL)IP Addresses

-------------------------

209.165.200.225

209.165.200.226

209.165.200.227

209.165.200.228

209.165.200.229

209.165.200.230

209.165.200.231

209.165.200.232

209.165.200.233

209.165.200.234

209.165.200.235

209.165.200.236

209.165.200.237

209.165.200.238

209.165.201.1

209.165.201.2

209.165.201.3

209.165.201.4

209.165.201.5

209.165.201.6

209.165.201.7

209.165.201.8

209.165.201.9

209.165.201.10
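An added example, not part of the Cisco reference: a Python parser for the dotted label/value layout of the show client detail output above, including labels whose value wraps onto the next line, followed by a review of the security fields it reports. The sample text is constructed from fields in the sample output; the function names, the RUN state and the Yes values in SAMPLE_OK are assumptions.

```python
import re

# "Label........ value": the controller pads each label with a run of dots.
_PAIR = re.compile(r"^(?P<key>.+?)\s*\.{2,}\s*(?P<value>.*)$")

# Constructed sample built from fields shown in the sample output above.
# The wrapped "APSD ACs" and "Interface" lines are kept on purpose.
SAMPLE = """\
(Cisco Controller) > show client detail 01:35:6x:yy:21:00
Client MAC Address............................... 01:35:6x:yy:21:00
Client State..................................... Associated
APSD ACs.......................................
BK BE VI VO
Security Policy Completed........................ No
Policy Manager State............................. SUPPLICANT_PROVISIONING
Policy Type...................................... WPA2
Encryption Cipher................................ CCMP (AES)
Protected Management Frame ...................... No
Interface......................................
.. management
Client Capabilities:
      Listen Interval............................ 10
"""

# Constructed sample of a client that passes every check below (assumed values).
SAMPLE_OK = """\
Security Policy Completed........................ Yes
Policy Manager State............................. RUN
Encryption Cipher................................ CCMP (AES)
Protected Management Frame ...................... Yes
"""


def parse_client_detail(text):
    """Parse the output into {label: [values]}; a label may repeat."""
    fields = {}
    last = None        # most recent label seen
    pending = False    # True while that label still has no value
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("(Cisco Controller)"):
            continue
        m = _PAIR.match(line)
        if m and m.group("key").strip(". "):
            last = m.group("key").strip()
            value = m.group("value").strip()
            fields.setdefault(last, [])
            pending = not value
            if value:
                fields[last].append(value)
        elif last is not None and not line.endswith(":") and (
                pending or line.startswith("..")):
            # Wrapped value: either the label had nothing after its dots,
            # or this line starts with a dot leader of its own.
            cont = line.lstrip(". ")
            if fields[last] and not pending:
                fields[last][-1] += " " + cont
            else:
                fields[last].append(cont)
            pending = False
        # Anything else (section headings, table rows) is ignored.
    return fields


def audit_client(fields):
    """Return [(label, value, note)] for settings a reviewer should check."""
    def latest(label):
        values = fields.get(label)
        return values[-1] if values else None

    findings = []
    done = latest("Security Policy Completed")
    if done is not None and done.lower() != "yes":
        state = latest("Policy Manager State") or "unknown"
        findings.append(("Security Policy Completed", done,
                         "security policy not completed; "
                         "Policy Manager State is " + state))
    cipher = latest("Encryption Cipher")
    # Allow-list: only the AES-CCMP value shown on this page passes.
    if cipher is not None and "CCMP" not in cipher.upper():
        findings.append(("Encryption Cipher", cipher, "not an AES-CCMP cipher"))
    pmf = latest("Protected Management Frame")
    if pmf is not None and pmf.lower() != "yes":
        findings.append(("Protected Management Frame", pmf,
                         "PMF is not in use for this client"))
    return findings


if __name__ == "__main__":
    for label, value, note in audit_client(parse_client_detail(SAMPLE)):
        print(f"{label} = {value}: {note}")
```

Fields that are absent from an output, as in the shorter wired-guest listing, are skipped rather than flagged.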

show client location-calibration summary

To display client location calibration summary information, use the show client location-calibration summary command.

show client location-calibration summary

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to display the location calibration summary information:

(Cisco Controller) > show client location-calibration summary

MAC Address Interval

----------- ----------

10:10:10:10:10:10 60

21:21:21:21:21:21 45

show client roam-history

To display the roaming history of a specified client, use the show client roam-history command.

show client roam-history mac_address

Syntax Description

mac_address

Client MAC address.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following is a sample output of the show client roam-history command:

(Cisco Controller) > show client roam-history 00:14:6c:0a:57:77

show client summary

To display a summary of clients associated with a Cisco lightweight access point, use the show client summary command.

show client summary [ssid / ip / username / devicetype]

Syntax Description

This command has no arguments or keywords.

Syntax Description

ssid / ip / username / devicetype

(Optional) Displays selective details of active clients based on any or all of the following parameters, in any order:

• SSID

• IP address

• Username

• Device type (such as Samsung-Device or WindowsXP-Workstation)

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

Use the show client ap command to list the status of automatically disabled clients. Use the show exclusionlist command to display clients on the exclusion list (blacklisted).

Examples

The following example shows how to display a summary of the active clients:

(Cisco Controller) > show client summary

Number of Clients................................ 24

Number of PMIPV6 Clients......................... 200

MAC Address       AP Name           Status        WLAN/GLAN/RLAN Auth Protocol         Port Wired PMIPV6
----------------- ----------------- ------------- -------------- ---- ---------------- ---- ----- ------
00:00:15:01:00:01 NMSP-TalwarSIM1-2 Associated    1              Yes  802.11a          13   No    Yes
00:00:15:01:00:02 NMSP-TalwarSIM1-2 Associated    1              Yes  802.11a          13   No    No
00:00:15:01:00:03 NMSP-TalwarSIM1-2 Associated    1              Yes  802.11a          13   No    Yes
00:00:15:01:00:04 NMSP-TalwarSIM1-2 Associated    1              Yes  802.11a          13   No    No

The following example shows how to display all clients that are WindowsXP-Workstation device type:

(Cisco Controller) > show client summary WindowsXP-Workstation

Number of Clients in WLAN........................ 0

MAC Address       AP Name  Status        Auth Protocol         Port       Wired Mobility Role
----------------- -------- ------------- ---------------- ---------- --------------

Number of Clients with requested device type..... 0

show client summary guest-lan

To display the active wired guest LAN clients, use the show client summary guest-lan command.

show client summary guest-lan

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following is a sample output of the show client summary guest-lan command:

(Cisco Controller) > show client summary guest-lan

Number of Clients................................ 1

MAC Address         AP Name    Status     WLAN Auth Protocol Port Wired
------------------- ---------- ---------- ---- ---- -------- ---- -----
00:16:36:40:ac:58   N/A        Associated 1    No   802.3    1    Yes

Related Commands

show client summary

show client tsm

To display the client traffic stream metrics (TSM) statistics, use the show client tsm command.

show client tsm 802.11{a | b} client_mac {ap_mac | all}

Syntax Description

802.11a       Specifies the 802.11a network.
802.11b       Specifies the 802.11 b/g network.
client_mac    MAC address of the client.
ap_mac        MAC address of the tsm access point.
all           Specifies the list of all access points to which the client has associations.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following is a sample output of the show client tsm 802.11a command:

(Cisco Controller) > show client tsm 802.11a xx:xx:xx:xx:xx:xx all

AP Interface MAC: 00:0b:85:01:02:03

Client Interface Mac: 00:01:02:03:04:05

Measurement Duration: 90 seconds

Timestamp 1st Jan 2006, 06:35:80

UpLink Stats

================

Average Delay (5sec intervals)............................35

Delay less than 10 ms.....................................20

Delay bet 10 - 20 ms......................................20

Delay bet 20 - 40 ms......................................20

Delay greater than 40 ms..................................20

Total packet Count.........................................80

Total packet lost count (5sec).............................10

Maximum Lost Packet count(5sec)............................5

Average Lost Packet count(5secs)...........................2

DownLink Stats

================

Average Delay (5sec intervals)............................35

Delay less than 10 ms.....................................20

Delay bet 10 - 20 ms......................................20

Delay bet 20 - 40 ms......................................20

Delay greater than 40 ms..................................20

Total packet Count.........................................80

Total packet lost count (5sec).............................10

Maximum Lost Packet count(5sec)............................5

Average Lost Packet count(5secs)...........................2

Related Commands

show client ap

show client detail

show client summary

show client username

To display the client data by the username, use the show client username command.

show client username username

Syntax Description

username

Client’s username.

You can view a list of the first eight clients that are in the RUN state and associated with the controller's access points.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following is a sample output of the show client username command:

(Cisco Controller) > show client username local

MAC Address        AP Name        Status      WLAN  Auth  Protocol  Port  Device Type
---------------------------------------------------------------------------------
12:22:64:64:00:01  WEB-AUTH-AP-1  Associated  1     Yes   802.11g   1     Unknown
12:22:64:64:00:02  WEB-AUTH-AP-1  Associated  1     Yes   802.11g   1     Unknown
12:22:64:64:00:03  WEB-AUTH-AP-1  Associated  1     Yes   802.11g   1     Unknown
12:22:64:64:00:04  WEB-AUTH-AP-1  Associated  1     Yes   802.11g   1     Unknown
12:22:64:64:00:05  WEB-AUTH-AP-1  Associated  1     Yes   802.11g   1     Unknown
12:22:64:64:00:06  WEB-AUTH-AP-1  Associated  1     Yes   802.11g   1     Unknown
12:22:64:64:00:07  WEB-AUTH-AP-1  Associated  1     Yes   802.11g   1     Unknown
12:22:64:64:00:08  WEB-AUTH-AP-1  Associated  1     Yes   802.11g   1     Unknown

show client voice-diag

To display voice diagnostics statistics, use the show client voice-diag command.

show client voice-diag {quos-map | roam-history | rssi | status | tspec}

Syntax Description

quos-map        Displays information about the QoS/DSCP mapping and packet statistics in each of the four queues: VO, VI, BE, BK. The different DSCP values are also displayed.
roam-history    Displays information about history of the last three roamings. The output contains the timestamp, access point associated with the roaming, the roaming reason, and if there is a roaming failure, the reason for the roaming failure.
rssi            Displays the client’s RSSI values in the last 5 seconds when voice diagnostics are enabled.
status          Displays the status of voice diagnostics for clients.
tspec           Displays TSPEC for the voice diagnostic for clients.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following is a sample output of the show client voice-diag status command:

(Cisco Controller) > show client voice-diag status

Voice Diagnostics Status: FALSE

Related Commands

show client ap

show client detail

show client summary

debug voice-diag

show client detail

To display detailed information for a client on a Cisco lightweight access point, use the show client detail command.

show client detail mac_address

Syntax Description

mac_address

Client MAC address.

Command Default

None

Command History

Release

7.6

Modification

This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

The show client ap command may list the status of automatically disabled clients. Use the show exclusionlist command to display clients on the exclusion list (blacklisted).

Examples

The following example shows how to display the client detailed information:

(Cisco Controller) > show client detail 00:0c:41:07:33:a6

Policy Manager State..............................POSTURE_REQD

Policy Manager Rule Created.......................Yes

Client MAC Address............................... 00:16:36:40:ac:58

Client Username.................................. N/A

Client State..................................... Associated

Client NAC OOB State............................. QUARANTINE

Guest LAN Id..................................... 1

IP Address....................................... Unknown

Session Timeout.................................. 0

QoS Level........................................ Platinum

802.1P Priority Tag.............................. disabled

KTS CAC Capability............................... Yes

WMM Support...................................... Enabled

Power Save....................................... ON

Diff Serv Code Point (DSPC)...................... disabled

Mobility State................................... Local

Internal Mobility State.......................... apfMsMmInitial

Security Policy Completed........................ No

Policy Manager State............................. WEBAUTH_REQD

Policy Manager Rule Created...................... Yes

NPU Fast Fast Notified........................... Yes

Last Policy Manager State........................ WEBAUTH_REQD

Client Entry Create Time......................... 460 seconds

Interface........................................ wired-guest

FlexConnect Authentication....................... Local

FlexConnect Data Switching....................... Local

VLAN............................................. 236

Quarantine VLAN.................................. 0

Client Statistics:

Number of Bytes Received................... 66806

Number of Data Bytes Received................... 160783


Number of Realtime Bytes Received............... 160783

Number of Data Bytes Sent....................... 23436

Number of Realtime Bytes Sent................... 23436

Number of Data Packets Received................. 592

Number of Realtime Packets Received............. 592

Number of Data Packets Sent..................... 131

Number of Realtime Packets Sent................. 131

Number of Interim-Update Sent.............. 0

Number of EAP Id Request Msg Timeouts...... 0

Number of EAP Request Msg Timeouts......... 0

Number of EAP Key Msg Timeouts............. 0

Number of Data Retries..................... 0

Number of RTS Retries...................... 0

Number of Duplicate Received Packets....... 3

Number of Decrypt Failed Packets........... 0

Number of Mic Failured Packets............. 0

Number of Mic Missing Packets.............. 0

Number of RA Packets Dropped............... 6

Number of Policy Errors.................... 0

Radio Signal Strength Indicator............ -50 dBm

Signal to Noise Ratio...................... 43 dB

...
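
The following Python example is added here and is not part of the Cisco reference. It parses the dotted "Key..... Value" lines of the show client detail sample above, keeps repeated keys such as Policy Manager State, and lists the fields an operator would check first; the function names, the watched-counter list and the rule that a state ending in _REQD is pending are assumptions of this example.

```python
import re

# Constructed sample: a subset of the `show client detail` lines shown above.
SAMPLE = """\
(Cisco Controller) > show client detail 00:0c:41:07:33:a6
Policy Manager State..............................POSTURE_REQD
Policy Manager Rule Created.......................Yes
Client MAC Address............................... 00:16:36:40:ac:58
Client State..................................... Associated
Client NAC OOB State............................. QUARANTINE
Security Policy Completed........................ No
Policy Manager State............................. WEBAUTH_REQD
Client Statistics:
Number of Decrypt Failed Packets........... 0
Number of Mic Failured Packets............. 0
Number of Mic Missing Packets.............. 0
Number of Policy Errors.................... 0
Radio Signal Strength Indicator............ -50 dBm
...
"""

# A field line is a key, a run of at least three dots, then an optional value.
FIELD_RE = re.compile(r"^\s*(?P<key>.+?)\s*\.{3,}\s*(?P<value>.*?)\s*$")

# Counters (named as printed in the output) whose non-zero value deserves a look.
# The selection is an assumption of this example, not a Cisco recommendation.
WATCHED_COUNTERS = (
    "Number of Decrypt Failed Packets",
    "Number of Mic Failured Packets",
    "Number of Mic Missing Packets",
    "Number of Policy Errors",
    "Number of EAP Key Msg Timeouts",
)


def parse_show_output(text):
    """Parse 'Key......... Value' lines into {key: [values in order seen]}.

    Prompts, section titles, blank lines and the trailing '...' are skipped.
    A list is kept per key because the sample prints some keys twice.
    """
    fields = {}
    for line in text.splitlines():
        match = FIELD_RE.match(line)
        if match:
            fields.setdefault(match.group("key"), []).append(match.group("value"))
    return fields


def last_value(fields, key, default=""):
    """Return the most recently printed value for a key, or the default."""
    values = fields.get(key)
    return values[-1] if values else default


def review_client(fields):
    """Return (field, value, note) tuples for states and counters to check."""
    findings = []
    # Report every distinct pending state, not only the first occurrence.
    for state in dict.fromkeys(fields.get("Policy Manager State", [])):
        if state.endswith("_REQD"):
            findings.append(("Policy Manager State", state,
                             "client is still waiting on a policy step"))
    completed = last_value(fields, "Security Policy Completed")
    if completed.lower() == "no":
        findings.append(("Security Policy Completed", completed,
                         "security policy not completed"))
    nac = last_value(fields, "Client NAC OOB State")
    if nac.upper() == "QUARANTINE":
        findings.append(("Client NAC OOB State", nac, "client is quarantined"))
    for name in WATCHED_COUNTERS:
        raw = last_value(fields, name)
        if raw.isdigit() and int(raw) > 0:
            findings.append((name, raw, "non-zero failure counter"))
    return findings


if __name__ == "__main__":
    for field, value, note in review_client(parse_show_output(SAMPLE)):
        print(f"{field}: {value} ({note})")
```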

show client location-calibration summary

To display client location calibration summary information, use the show client location-calibration summary command.

show client location-calibration summary

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release

7.6

Modification

This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to display the location calibration summary information:

(Cisco Controller) > show client location-calibration summary

MAC Address Interval

----------- ----------

10:10:10:10:10:10 60

21:21:21:21:21:21 45

show client probing

To display the number of probing clients, use the show client probing command.

show client probing

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release

7.6

Modification

This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to display the number of probing clients:

(Cisco Controller) > show client probing

Number of Probing Clients........................ 0

show client roam-history

To display the roaming history of a specified client, use the show client roam-history command.

show client roam-history mac_address

Syntax Description

mac_address

Client MAC address.

Command Default

None

Command History

Release

7.6

Modification

This command was introduced in a release earlier than Release 7.6.

Examples

The following is a sample output of the show client roam-history command:

(Cisco Controller) > show client roam-history 00:14:6c:0a:57:77

show client summary

To display a summary of clients associated with a Cisco lightweight access point, use the show client summary command.

show client summary [ssid / ip / username / devicetype]

Syntax Description

This command has no arguments or keywords.

Syntax Description

ssid / ip / username / devicetype

(Optional) Displays selected details of active clients, filtered by any or all of the following parameters, in any order:

• SSID

• IP address

• Username

• Device type (such as Samsung-Device or WindowsXP-Workstation)

Command Default

None

Command History

Release

7.6

Modification

This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

Use the show client ap command to list the status of automatically disabled clients. Use the show exclusionlist command to display clients on the exclusion list (blacklisted).

Examples

The following example shows how to display a summary of the active clients:

(Cisco Controller) > show client summary

Number of Clients................................ 24

Number of PMIPV6 Clients......................... 200

MAC Address       AP Name           Status        WLAN/GLAN/RLAN Auth Protocol         Port Wired PMIPV6
----------------- ----------------- ------------- -------------- ---- ---------------- ---- ----- ------
00:00:15:01:00:01 NMSP-TalwarSIM1-2 Associated    1              Yes  802.11a          13   No    Yes
00:00:15:01:00:02 NMSP-TalwarSIM1-2 Associated    1              Yes  802.11a          13   No    No
00:00:15:01:00:03 NMSP-TalwarSIM1-2 Associated    1              Yes  802.11a          13   No    Yes
00:00:15:01:00:04 NMSP-TalwarSIM1-2 Associated    1              Yes  802.11a          13   No    No

The following example shows how to display all clients that are WindowsXP-Workstation device type:

(Cisco Controller) > show client summary WindowsXP-Workstation

Number of Clients in WLAN........................ 0

MAC Address       AP Name  Status        Auth Protocol    Port Wired Mobility Role
----------------- -------- ------------- ---------------- ---------- --------------

Number of Clients with requested device type..... 0

show client wlan

To display the summary of clients associated with a WLAN, use the show client wlan command.

show client wlan wlan_id [devicetype device]

Syntax Description

wlan_id

Wireless LAN identifier from 1 to 512.

devicetype

(Optional) Displays all clients with the specified device type.

device

Device type. For example, Samsung-Device or WindowsXP-Workstation.

Command Default

None

Command History

Release

7.6

Modification

This command was introduced in a release earlier than Release 7.6.

Examples

The following are sample outputs of the show client wlan command:

(Cisco Controller) > show client wlan 1

Number of Clients in WLAN........................ 0

(Cisco Controller) > show client devicetype WindowsXP-Workstation

Number of Clients in WLAN........................ 0

MAC Address       AP Name  Status        Auth Protocol    Port Wired Mobility Role
----------------- -------- ------------- ---------------- ---------- --------------

Number of Clients with requested device type..... 0

show cloud-services cmx summary

To view the CMX Cloud Services summary, use the show cloud-services cmx summary command.

show cloud-services cmx summary

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release

8.3

Modification

This command was introduced.

Examples

This example shows the CMX Cloud Services summary:

(Cisco Controller) > show cloud-services cmx summary

show cloud-services cmx statistics

To view the CMX Cloud Services statistics, use the show cloud-services cmx statistics command.

show cloud-services cmx statistics

This command has no arguments or keywords.

Command Default

None

Command History

Release

8.3

Modification

This command was introduced.

Examples

This example shows the CMX Cloud Services statistics:

(Cisco Controller) > show cloud-services cmx statistics

show cts ap

To view CTS AP SGT information, use the show cts ap command.

show cts ap {sgt-info cisco-ap | summary}

Syntax Description

sgt-info cisco-ap

Shows CTS SGT information for a specific AP.

summary

Shows CTS SGT information for all APs.

Command Default

None

Command History

Release

8.4

Modification

This command was introduced.

Examples

This example shows how to view CTS SGT information for all APs:

(Cisco Controller) > show cts ap summary

Inline Tag Status................................ Disabled

SGACL enforcement................................ Disabled

SXP State........................................ Enabled

Default Password................................. ****

Listener hold-time min .......................... 2

Listener hold-time max .......................... 3

Speaker hold-time ............................... 120

Reconciliation time period....................... 120

Retry time period ............................... 120

Total num of SXP Connections..................... 0

Peer IP Password Mode

-------------------------------

show cts environment-data

To view CTS Environment data, use the show cts environment-data command.

show cts environment-data

Command Default

None

Command History

Release

8.4

Modification

This command was introduced.

Examples

(Cisco Controller) > show cts environment-data

CTS Environment Data

====================

Current State.................................... START

Last status...................................... WAITING_RESPONSE

Environment data is empty

show cts pacs

To view CTS Protected Access Credential (PAC) provisioning information, use the show cts pacs command.

show cts pacs

Command Default

None

Command History

Release

8.4

Modification

This command was introduced.

show cts policy

To view CTS SGT policy information, use the show cts policy command.

show cts policy {all | sgt-tag}

Syntax Description

all

Shows all SGT policy information.

sgt-tag

Shows policy information of a specific SGT.

Command Default

None

Command History

Release

8.4

Modification

This command was introduced.

Examples

This example shows how to view all SGT policy information:

(Cisco Controller) > show cts policy all

Policy Matrix for SGT.......................... Unknown-0

Generation Id.................................. 0x0

Policy Download Status......................... Failed

Number of clients with this SGT................ 0

Policy Matrix for SGT.......................... Default-65535

Generation Id.................................. 0x0

Policy Download Status......................... Failed

Number of clients with this SGT................ 0

show cts sgacl

To view CTS SGACL information, use the show cts sgacl command.

show cts sgacl {all | sgacl-name}

Syntax Description

all

Shows all SGACL information.

sgt-tag

Shows information for a specific SGACL.

Command Default

None

Command History

Release

8.4

Modification

This command was introduced.

show cts summary

To view CTS summary, use the show cts summary command.

show cts summary

Command Default

None

Command History

Release

8.4

Modification

This command was introduced.

Examples

(Cisco Controller) > show cts summary

CTS Status.................................... Enabled

CTS Device Identity............................. Not Configured

Inline Tag Status............................... Disabled


show cts sxp

To view CTS SXP information, use the show cts sxp command.

show cts sxp {{ap {connections | summary} cisco-ap} | connections | summary}

Command Default

None

Command History

Release

8.4

Modification

This command was introduced.

show coredump summary

To display a summary of the controller’s core dump file, use the show coredump summary command.

show coredump summary

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release

7.6

Modification

This command was introduced in a release earlier than Release 7.6.

Examples

The following is a sample output of the show coredump summary command:

(Cisco Controller) > show coredump summary

Core Dump is enabled

FTP Server IP.................................... 10.10.10.17

FTP Filename..................................... file1

FTP Username..................................... ftpuser

FTP Password.................................. *********

Related Commands

config coredump

config coredump ftp

config coredump username

show country

To display the configured country and the radio types that are supported, use the show country command.

show country

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release

7.6

Modification

This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to display the configured countries and supported radio types:

(Cisco Controller) > show country

Configured Country............................. United States

Configured Country Codes

US - United States............................. 802.11a / 802.11b / 802.11g

show country channels

To display the radio channels supported in the configured country, use the show country channels command.

show country channels

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release

7.6

Modification

This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to display the auto-RF channels for the configured countries:

(Cisco Controller) > show country channels

Configured Country............................. United States

KEY: * = Channel is legal in this country and may be configured manually.
     A = Channel is the Auto-RF default in this country.
     . = Channel is not legal in this country.
     C = Channel has been configured for use by Auto-RF.
     x = Channel is available to be configured for use by Auto-RF.

---------:+-+-+-+-+-+-+-+-+-+-+-+-+-+-
802.11BG :
Channels :                   1 1 1 1 1
         : 1 2 3 4 5 6 7 8 9 0 1 2 3 4
---------:+-+-+-+-+-+-+-+-+-+-+-+-+-+-
US       : A * * * * A * * * * A . . .
---------:+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
802.11A  :                         1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1
Channels : 3 3 3 4 4 4 4 4 5 5 6 6 0 0 0 1 1 2 2 2 3 3 4 4 5 5 6 6
         : 4 6 8 0 2 4 6 8 2 6 0 4 0 4 8 2 6 0 4 8 2 6 0 9 3 7 1 5
---------:+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
US       : . A . A . A . A A A A A * * * * * . . . * * * A A A A *
---------:+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-

show country supported

To display a list of the supported country options, use the show country supported command.

show country supported

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release

7.6

Modification

This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to display a list of all the supported countries:

(Cisco Controller) > show country supported

Configured Country............................. United States

Supported Country Codes

AR - Argentina................................. 802.11a / 802.11b / 802.11g

AT - Austria................................... 802.11a / 802.11b / 802.11g

AU - Australia................................. 802.11a / 802.11b / 802.11g

BR - Brazil.................................... 802.11a / 802.11b / 802.11g

BE - Belgium................................... 802.11a / 802.11b / 802.11g

BG - Bulgaria.................................. 802.11a / 802.11b / 802.11g

CA - Canada.................................... 802.11a / 802.11b / 802.11g

CH - Switzerland............................... 802.11a / 802.11b / 802.11g

CL - Chile..................................... 802.11b / 802.11g

CN - China..................................... 802.11a / 802.11b / 802.11g

CO - Colombia.................................. 802.11b / 802.11g

CY - Cyprus.................................... 802.11a / 802.11b / 802.11g

CZ - Czech Republic............................ 802.11a / 802.11b

DE - Germany................................... 802.11a / 802.11b / 802.11g

DK - Denmark................................... 802.11a / 802.11b / 802.11g

EE - Estonia................................... 802.11a / 802.11b / 802.11g

ES - Spain..................................... 802.11a / 802.11b / 802.11g

FI - Finland................................... 802.11a / 802.11b / 802.11g

FR - France.................................... 802.11a / 802.11b / 802.11g

GB - United Kingdom............................ 802.11a / 802.11b / 802.11g

GI - Gibraltar................................. 802.11a / 802.11b / 802.11g

GR - Greece.................................... 802.11a / 802.11b / 802.11g

HK - Hong Kong................................. 802.11a / 802.11b / 802.11g

HU - Hungary................................... 802.11a / 802.11b / 802.11g

ID - Indonesia................................. 802.11b / 802.11g

IE - Ireland................................... 802.11a / 802.11b / 802.11g

IN - India..................................... 802.11a / 802.11b / 802.11g

IL - Israel.................................... 802.11a / 802.11b / 802.11g

ILO - Israel (outdoor).......................... 802.11b / 802.11g

IS - Iceland................................... 802.11a / 802.11b / 802.11g

IT - Italy..................................... 802.11a / 802.11b / 802.11g

JP - Japan (J)................................. 802.11a / 802.11b / 802.11g

J2 - Japan 2(P)................................ 802.11a / 802.11b / 802.11g

J3 - Japan 3(U)................................ 802.11a / 802.11b / 802.11g

KR - Korea Republic (C)........................ 802.11a / 802.11b / 802.11g

KE - Korea Extended (K)........................ 802.11a / 802.11b / 802.11g


LI - Liechtenstein............................. 802.11a / 802.11b / 802.11g

LT - Lithuania................................. 802.11a / 802.11b / 802.11g

LU - Luxembourg................................ 802.11a / 802.11b / 802.11g

LV - Latvia.................................... 802.11a / 802.11b / 802.11g

MC - Monaco.................................... 802.11a / 802.11b / 802.11g

MT - Malta..................................... 802.11a / 802.11b / 802.11g

MX - Mexico.................................... 802.11a / 802.11b / 802.11g

MY - Malaysia.................................. 802.11a / 802.11b / 802.11g

NL - Netherlands............................... 802.11a / 802.11b / 802.11g

NZ - New Zealand............................... 802.11a / 802.11b / 802.11g

NO - Norway.................................... 802.11a / 802.11b / 802.11g

PA - Panama.................................... 802.11b / 802.11g

PE - Peru...................................... 802.11b / 802.11g

PH - Philippines............................... 802.11a / 802.11b / 802.11g

PL - Poland.................................... 802.11a / 802.11b / 802.11g

PT - Portugal.................................. 802.11a / 802.11b / 802.11g

RU - Russian Federation........................ 802.11a / 802.11b / 802.11g

RO - Romania................................... 802.11a / 802.11b / 802.11g

SA - Saudi Arabia.............................. 802.11a / 802.11b / 802.11g

SE - Sweden.................................... 802.11a / 802.11b / 802.11g

SG - Singapore................................. 802.11a / 802.11b / 802.11g

SI - Slovenia.................................. 802.11a / 802.11b / 802.11g

SK - Slovak Republic........................... 802.11a / 802.11b / 802.11g

TH - Thailand.................................. 802.11b / 802.11g

TR - Turkey.................................... 802.11b / 802.11g

TW - Taiwan.................................... 802.11a / 802.11b / 802.11g

UA - Ukraine................................... 802.11a / 802.11b / 802.11g

US - United States............................. 802.11a / 802.11b / 802.11g

USL - United States (Legacy).................... 802.11a / 802.11b / 802.11g

USX - United States (US + chan165).............. 802.11a / 802.11b / 802.11g

VE - Venezuela................................. 802.11b / 802.11g

ZA - South Africa.............................. 802.11a / 802.11b / 802.11g


show cpu

To display current WLAN controller CPU usage information, use the show cpu command.

show cpu

Syntax Description

This command has no arguments or keywords.

Command History

Release

7.6

Modification

This command was introduced in a release earlier than Release 7.6.

Examples

The following is a sample output of the show cpu command:

(Cisco Controller) > show cpu

Current CPU load: 2.50%

show custom-web

To display all the web authentication customization information, use the show custom-web command.

show custom-web all remote-lan guest-lan sleep-client webauth-bundle wlan

Syntax Description

all

Display all Web-Auth customization information.

remote-lan

Display per WLAN Web-Auth customization information.

guest-lan

Display per Guest LAN Web-Auth customization information.

sleep-client

Display all Web-Auth Sleeping Client entries summary.

webauth-bundle

Display the content of Web-Auth Bundle.

wlan

Display per WLAN Web-Auth customization information.

Command History

Release 7.6: This command was introduced in the release earlier than 7.6.

Release 8.2: This command was modified and the all, remote-lan, guest-lan, sleep-client, webauth-bundle, and wlan keywords are added.

Examples

The following is a sample output of the show custom-web all command:

(Cisco Controller) > show custom-web all

Radius Authentication Method..................... PAP

Cisco Logo....................................... Enabled

CustomLogo....................................... None

Custom Title..................................... None

Custom Message................................... None

Custom Redirect URL.............................. None

Web Authentication Type.......................... Internal Default

Logout-popup..................................... Enabled

External Web Authentication URL.................. None

show database summary

To display the maximum number of entries in the database, use the show database summary command.

show database summary

Syntax Description

This command has no arguments or keywords.

Command Default

None

Examples

The following is a sample output of the show database summary command:

(Cisco Controller) > show database summary

Maximum Database Entries......................... 2048

Maximum Database Entries On Next Reboot.......... 2048

Database Contents

MAC Filter Entries........................... 2

Exclusion List Entries....................... 0

AP Authorization List Entries................ 1

Management Users............................. 1

Local Network Users.......................... 1

Local Users.............................. 1

Guest Users.............................. 0

Total..................................... 5

Related Commands config database size

show dhcp

To display the internal Dynamic Host Configuration Protocol (DHCP) server configuration, use the show dhcp command.

show dhcp {leases | summary | scope}

Syntax Description

leases

Displays allocated DHCP leases.

summary

Displays DHCP summary information.

scope

Name of a scope to display the DHCP information for that scope.

Command Default

None

Command History

Release

7.6

Modification

This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to display the allocated DHCP leases:

(Cisco Controller) > show dhcp leases

No leases allocated.

The following example shows how to display the DHCP summary information:

(Cisco Controller) > show dhcp summary

Scope Name    Enabled    Address Range
003           No         0.0.0.0 -> 0.0.0.0

The following example shows how to display the DHCP information for the scope 003:

(Cisco Controller) > show dhcp 003

Enabled....................................... No

Lease Time.................................... 0

Pool Start.................................... 0.0.0.0

Pool End...................................... 0.0.0.0

Network....................................... 0.0.0.0

Netmask....................................... 0.0.0.0

Default Routers............................... 0.0.0.0 0.0.0.0 0.0.0.0

DNS Domain....................................

DNS........................................... 0.0.0.0 0.0.0.0 0.0.0.0

Netbios Name Servers.......................... 0.0.0.0 0.0.0.0 0.0.0.0

show dhcp proxy

To display the status of DHCP proxy handling, use the show dhcp proxy command.

show dhcp proxy

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release

7.6

Modification

This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to display the status of DHCP proxy information:

(Cisco Controller) > show dhcp proxy

DHCP Proxy Behavior: enabled

show dhcp timeout

To display the DHCP timeout value, use the show dhcp timeout command.

show dhcp timeout

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release

7.6

Modification

This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to display the DHCP timeout value:

(Cisco Controller) > show dhcp timeout

DHCP Timeout (seconds)................. 10

show dtls connections

To display the Datagram Transport Layer Security (DTLS) server status, use the show dtls connections command.

show dtls connections

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release

7.6

Modification

This command was introduced in a release earlier than Release 7.6.

Examples

The following is a sample output of the show dtls connections command.

Device > show dtls connections

AP Name         Local Port    Peer IP         Peer Port     Ciphersuite
--------------- ------------- --------------- ------------- -----------------------
1130            Capwap_Ctrl   1.100.163.210   23678         TLS_RSA_WITH_AES_128_CBC_SHA
1130            Capwap_Data   1.100.163.210   23678         TLS_RSA_WITH_AES_128_CBC_SHA
1240            Capwap_Ctrl   1.100.163.209   59674         TLS_RSA_WITH_AES_128_CBC_SHA

show exclusionlist

To display a summary of all clients on the manual exclusion list (blacklisted) that are prevented from associating with this Cisco wireless LAN controller, use the show exclusionlist command.

show exclusionlist

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release

7.6

Modification

This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

This command displays all manually excluded MAC addresses.

Examples

The following example shows how to display the exclusion list:

(Cisco Controller) > show exclusionlist

No manually disabled clients.

Dynamically Disabled Clients
----------------------------
MAC Address        Exclusion Reason  Time Remaining (in secs)
-----------        ----------------  ------------------------
00:40:96:b4:82:55  802.1X Failure    51

Related Commands config exclusionlist

show flexconnect acl detailed

To display a detailed summary of FlexConnect access control lists, use the show flexconnect acl detailed command.

show flexconnect acl detailed acl-name

Syntax Description

acl-name

Name of the access control list.

Command Default

None

Command History

Release

7.6

Modification

This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to display the FlexConnect detailed ACLs:

(Cisco Controller) > show flexconnect acl detailed acl-2

show flexconnect acl summary

To display a summary of all access control lists on FlexConnect access points, use the show flexconnect acl summary command.

show flexconnect acl summary

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release

7.6

Modification

This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to display the FlexConnect ACL summary:

(Cisco Controller) > show flexconnect acl summary

ACL Name                         Status
-------------------------------- --------
acl1                             Modified
acl10                            Modified
acl100                           Modified
acl101                           Modified
acl102                           Modified
acl103                           Modified
acl104                           Modified
acl105                           Modified
acl106                           Modified

1638

Cisco Wireless Controller Command Reference, Release 8.4

show flexconnect group detail show flexconnect group detail

To display details of a FlexConnect group, use the show flexconnect group detail command.

show flexconnect group detail {group_name | default-flex-group} | [module-vlan | aps]

Syntax Description

group_name            Name of the FlexConnect group.
module-vlan           Displays status of the FlexConnect local switching and VLAN ID in the group
aps                   Displays list of APs that are part of the FlexConnect group
default-flex-group    Displays configuration of the default-flexgroup and the APs that are part of it.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.
8.1        The module-vlan and aps parameters were added.
8.3        The default-flex-group option was added.

Examples

The following example shows how to display the detailed information for a specific FlexConnect group:

(Cisco Controller) > show flexconnect group detail myflexgroup
Number of Ap’s in Group: 1
00:0a:b8:3b:0b:c2 AP1200 Joined
Group Radius Auth Servers:
Primary Server Index ..................... Disabled
Secondary Server Index ................... Disabled

show flexconnect group summary

To display the current list of FlexConnect groups, use the show flexconnect group summary command.

show flexconnect group summary

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to display the current list of FlexConnect groups:

(Cisco Controller) > show flexconnect group summary
flexconnect Group Summary: Count 1
Group Name    # APs
Group 1       1

show flexconnect office-extend

To view information about OfficeExtend access points that are in FlexConnect mode, use the show flexconnect office-extend command.

show flexconnect office-extend {summary | latency}

Syntax Description

summary    Displays a list of all OfficeExtend access points.
latency    Displays the link delay for OfficeExtend access points.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to display information about the list of FlexConnect OfficeExtend access points:

(Cisco Controller) > show flexconnect office-extend summary
Summary of OfficeExtend AP
AP Name            Ethernet MAC       Encryption Join-Mode Join-Time
------------------ ------------------ ---------- --------- ------------------------
AP1130             00:22:90:e3:37:70  Enabled    Latency   Sun Jan 4 21:46:07 2009
AP1140             01:40:91:b5:31:70  Enabled    Latency   Sat Jan 3 19:30:25 2009

The following example shows how to display the FlexConnect OfficeExtend access point’s link delay:

(Cisco Controller) > show flexconnect office-extend latency
Summary of OfficeExtend AP link latency
AP Name            Status     Current    Maximum    Minimum
------------------ ---------- ---------- ---------- ----------
AP1130             Enabled    15 ms      45 ms      12 ms
AP1140             Enabled    14 ms      179 ms     12 ms

show flow exporter

To display the details or the statistics of the flow exporter, use the show flow exporter command.

show flow exporter {summary | statistics}

Syntax Description

summary       Displays a summary of the flow exporter.
statistics    Displays the statistics of flow exporters such as the number of records sent, or the time when the last record was sent.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following is a sample output of the show flow exporter summary command:

(Cisco Controller) > show flow exporter summary
Exporter-Name Exporter-IP Port
============= =========== =====
expo1         9.9.120.115 800

show flow monitor summary

To display the details of the NetFlow monitor, use the show flow monitor summary command.

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

NetFlow record monitoring and export are used for integration with an NMS or any NetFlow analysis tool.

Examples

The following is a sample output of the show flow monitor summary command:

(Cisco Controller) > show flow monitor summary
Monitor-Name Exporter-Name Exporter-IP Port Record Name
============ ============= =========== ==== ===========
mon1         expo1         9.9.120.115 800  ipv4_client_app_flow_record

show guest-lan

To display the configuration of a specific wired guest LAN, use the show guest-lan command.

show guest-lan guest_lan_id

Syntax Description

guest_lan_id

ID of the selected wired guest LAN.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

To display all wired guest LANs configured on the controller, use the show guest-lan summary command.

Examples

The following is a sample output of the show guest-lan guest_lan_id command:

(Cisco Controller) > show guest-lan 2

Guest LAN Identifier........................... 1

Profile Name................................... guestlan

Network Name (SSID)............................ guestlan

Status......................................... Enabled

AAA Policy Override............................ Disabled

Number of Active Clients....................... 1

Exclusionlist Timeout.......................... 60 seconds

Session Timeout................................ Infinity

Interface...................................... wired

Ingress Interface.............................. wired-guest

WLAN ACL....................................... unconfigured

DHCP Server.................................... 10.20.236.90

DHCP Address Assignment Required............... Disabled

Quality of Service............................. Silver (best effort)

Security

Web Based Authentication................... Enabled

ACL........................................ Unconfigured

Web-Passthrough............................ Disabled

Conditional Web Redirect................... Disabled

Auto Anchor................................ Disabled

Mobility Anchor List

GLAN ID IP Address Status

show icons summary

To display a summary of the icons present in the flash memory of the system, use the show icons summary command.

show icons summary

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release        Modification
Release 8.2    This command was introduced.

Examples

The following is sample output from the show icons summary command:

Cisco Controller > show icons summary
Icon files (downloaded) in Flash memory
No.  Filename                   Size
     -------------------------  -----
1.   dhk_icon.png               120694
2.   myIconCopy1.png            120694
3.   myIconCopy2.png            120694

show ike

To display active Internet Key Exchange (IKE) security associations (SAs), use the show ike command.

show ike {brief | detailed} IP_or_MAC_address

Syntax Description

brief                Displays a brief summary of all active IKE SAs.
detailed             Displays a detailed summary of all active IKE SAs.
IP_or_MAC_address    IP or MAC address of active IKE SA.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to display the active Internet Key Exchange security associations:

(Cisco Controller) > show ike brief 209.165.200.254

show interface summary

To display summary details of the system interfaces, use the show interface summary command.

show interface summary

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.
8.0        This command was updated and displays IPv6 related details

Examples

The following example displays the summary of the local IPv4 interfaces:

(Cisco Controller) > show interface summary
Number of Interfaces.......................... 6
Interface Name                   Port Vlan Id  IP Address      Type    Ap Mgr Guest
-------------------------------- ---- -------- --------------- ------- ------ -----
dyn59                            LAG  59       9.10.59.66      Dynamic No     No
management                       LAG  56       9.10.56.60      Static  Yes    No
redundancy-management            LAG  56       0.0.0.0         Static  No     No
redundancy-port                  -    untagged 0.0.0.0         Static  No     No
service-port                     N/A  N/A      2.2.2.2         Static  No     No
virtual                          N/A  N/A      1.2.3.4         Static  No     No

The following example displays the summary of the local IPv6 interfaces:

show ipv6 interface summary
Number of Interfaces.......................... 2
Interface Name          Port Vlan Id  IPv6 Address/Prefix Length
----------------------- ---- -------- -----------------------------------------
management              LAG  56       fe80::224:97ff:fe69:69af/64
                        LAG  56       2001:9:10:56::60/64
service-port            N/A  N/A      fe80::224:97ff:fe69:69a1/64
                        N/A  N/A      ::/128

show interface detailed

To display details of the system interfaces, use the show interface command.

show interface detailed {interface_name | management | redundancy-management | redundancy-port | service-port | virtual}

Syntax Description

detailed                 Displays detailed interface information.
interface_name           Interface name for detailed display.
management               Displays detailed management interface information.
redundancy-management    Displays detailed redundancy management interface information.
redundancy-port          Displays detailed redundancy port information.
service-port             Displays detailed service port information.
virtual                  Displays detailed virtual gateway interface information.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.
8.0        This command was updated in Release 8.0 and displays IPv6 related details

Examples

The following example shows how to display the detailed interface information:

(Cisco Controller) > show interface detailed management

Interface Name................................... management

MAC Address...................................... 00:24:97:69:69:af

IP Address....................................... 9.10.56.60

IP Netmask....................................... 255.255.255.0

IP Gateway....................................... 9.10.56.1

External NAT IP State............................ Disabled

External NAT IP Address.......................... 0.0.0.0

Link Local IPv6 Address.......................... fe80::224:97ff:fe69:69af/64

STATE ........................................... REACHABLE

Primary IPv6 Address............................. 2001:9:10:56::60/64


STATE ........................................... REACHABLE

Primary IPv6 Gateway............................. fe80::aea0:16ff:fe4f:2242

Primary IPv6 Gateway Mac Address................. ac:a0:16:4f:22:42

STATE ........................................... REACHABLE

VLAN............................................. 56

Quarantine-vlan.................................. 0

NAS-Identifier................................... Building1

Active Physical Port............................. LAG (13)

Primary Physical Port............................ LAG (13)

Backup Physical Port............................. Unconfigured

DHCP Proxy Mode.................................. Global

Primary DHCP Server.............................. 9.1.0.100

Secondary DHCP Server............................ Unconfigured

DHCP Option 82................................... Disabled

DHCP Option 82 bridge mode insertion............. Disabled

IPv4 ACL......................................... Unconfigured

IPv6 ACL......................................... Unconfigured

mDNS Profile Name................................ Unconfigured

AP Manager....................................... Yes

Guest Interface.................................. No

L2 Multicast..................................... Enabled

Note

Some WLAN controllers may have only one physical port listed because they have only one physical port.

The following example shows how to display the detailed redundancy management interface information:

(Cisco Controller) > show interface detailed redundancy-management
Interface Name................................... redundancy-management
MAC Address...................................... 88:43:e1:7e:0b:20
IP Address....................................... 209.165.201.2

The following example shows how to display the detailed redundancy port information:

(Cisco Controller) > show interface detailed redundancy-port
Interface Name................................... redundancy-port
MAC Address...................................... 88:43:e1:7e:0b:22
IP Address....................................... 169.254.120.5

The following example shows how to display the detailed service port information:

(Cisco Controller) > show interface detailed service-port
Interface Name................................... redundancy-port
MAC Address...................................... 88:43:e1:7e:0b:22
IP Address....................................... 169.254.120.5

The following example shows how to display the detailed virtual gateway interface information:

(Cisco Controller) > show interface detailed virtual
Interface Name................................... virtual
MAC Address...................................... 88:43:e1:7e:0b:20
IP Address....................................... 1.1.1.1
Virtual DNS Host Name............................ Disabled
AP Manager....................................... No
Guest Interface.................................. No

show interface group

To display details of system interface groups, use the show interface group command.

show interface group {summary | detailed interface_group_name}

Syntax Description

summary                 Displays a summary of the local interface groups.
detailed                Displays detailed interface group information.
interface_group_name    Interface group name for a detailed display.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to display a summary of local interface groups:

(Cisco Controller) > show interface group summary
Interface Group Name    Total Interfaces    Total WLANs    Total AP Groups    Quarantine
--------------------    ----------------    -----------    ---------------    ----------
mygroup1                1                   0              0                  No
mygroup2                1                   0              0                  No
mygroup3                5                   1              0                  No

The following example shows how to display the detailed interface group information:

(Cisco Controller) > show interface group detailed mygroup1
Interface Group Name............................. mygroup1
Quarantine ...................................... No
Number of Wlans using the Interface Group........ 0
Number of AP Groups using the Interface Group.... 0
Number of Interfaces Contained................... 1
mDNS Profile Name................................ NCS12Prof
Interface Group Description...................... My Interface Group
Next interface for allocation to client.......... testabc
Interfaces Contained in this group .............. testabc
Interface marked with * indicates DHCP dirty interface
Interface list sorted based on vlan:
Index  Vlan  Interface Name
-----  ----  -------------------------------
0      42    testabc

show invalid-config

To see any ignored commands or invalid configuration values in an edited configuration file, use the show invalid-config command.

show invalid-config

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

You can enter this command only before the clear config or save config command.

Examples

The following is a sample output of the show invalid-config command:

(Cisco Controller) > show invalid-config
config wlan peer-blocking drop 3
config wlan dhcp_server 3 192.168.0.44 required

show inventory

To display a physical inventory of the Cisco wireless LAN controller, use the show inventory command.

show inventory

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

Some wireless LAN controllers may have no crypto accelerator (VPN termination module) or power supplies listed because they have no provisions for VPN termination modules or power supplies.

Examples

The following is a sample output of the show inventory command:

(Cisco Controller) > show inventory
Burned-in MAC Address............................ 50:3D:E5:1A:31:A0
Power Supply 1................................... Present, OK
Power Supply 2................................... Absent
Maximum number of APs supported.................. 500
NAME: "Chassis" , DESCR: "Cisco 5500 Series Wireless LAN Controller"
PID: AIR-CT5508-K9, VID: V01, SN: XXXXXXXXXXX

show IPsec

To display active Internet Protocol Security (IPsec) security associations (SAs), use the show IPsec command.

show IPsec {brief | detailed} IP_or_MAC_address

Syntax Description

brief                Displays a brief summary of active IPsec SAs.
detailed             Displays a detailed summary of active IPsec SAs.
IP_or_MAC_address    IP address or MAC address of a device.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to display brief information about the active Internet Protocol Security (IPsec) security associations (SAs):

(Cisco Controller) > show IPsec brief 209.165.200.254

Related Commands

config radius acct ipsec authentication
config radius acct ipsec disable
config radius acct ipsec enable
config radius acct ipsec encryption
config radius auth IPsec encryption
config radius auth IPsec authentication
config radius auth IPsec disable
config radius auth IPsec encryption
config radius auth IPsec ike
config trapflags IPsec
config wlan security IPsec disable
config wlan security IPsec enable
config wlan security IPsec authentication
config wlan security IPsec encryption
config wlan security IPsec config
config wlan security IPsec ike authentication
config wlan security IPsec ike dh-group
config wlan security IPsec ike lifetime
config wlan security IPsec ike phase1
config wlan security IPsec ike contivity

show ipv6 acl

To display the IPv6 access control lists (ACLs) that are configured on the controller, use the show ipv6 acl command.

show ipv6 acl detailed {acl_name | summary}

Syntax Description

acl_name    IPv6 ACL name. The name can be up to 32 alphanumeric characters.
detailed    Displays detailed information about a specific ACL.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to display the detailed information of the access control lists:

(Cisco Controller) > show ipv6 acl detailed acl6

Rule Index....................................... 1

Direction........................................ Any

IPv6 source prefix............................... ::/0

IPv6 destination prefix.......................... ::/0

Protocol......................................... Any

Source Port Range................................ 0-65535

Destination Port Range........................... 0-65535

DSCP............................................. Any

Flow label....................................... 0

Action........................................... Permit

Counter.......................................... 0

Deny Counter................................... 0

show ipv6 summary

To display the IPv6 configuration settings, use the show ipv6 summary command.

show ipv6 summary

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example displays the output of the show ipv6 summary command:

(Cisco Controller) > show ipv6 summary

Global Config............................... Enabled

Reachable-lifetime value.................... 30

Stale-lifetime value........................ 300

Down-lifetime value......................... 300

RA Throttling............................... Disabled

RA Throttling allow at-least................ 1

RA Throttling allow at-most................. no-limit

RA Throttling max-through................... 5

RA Throttling throttle-period............... 600

RA Throttling interval-option............... ignore

NS Mulitcast CacheMiss Forwarding........... Enabled

NA Mulitcast Forwarding..................... Enabled

IPv6 Capwap UDP Lite........................ Enabled

Operating System IPv6 state ................ Enabled


show icons file-info

To display icon parameters, use the show icons file-info command.

show icons file-info

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release        Modification
Release 8.2    This command was introduced.

Examples

The following is sample output from the show icons file-info command:

Cisco Controller > show icons file-info
ICON File Info:
No.  Filename                    Type   Lang  Width  Height
     --------------------------  -----  ----  -----  ------
1    dhk_icon.png                png    eng   200    300
2    myIconCopy2.png             png    eng   222    333
3    myIconCopy1.png             png    eng   555    444


show ipv6 acl cpu

To display the IPv6 ACL CPU details, use the show ipv6 acl cpu command.

show ipv6 acl cpu

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.
8.0        This command supports IPv6 address format.

Examples

The following is a sample output of the show ipv6 acl cpu command:

(Cisco Controller) > show ipv6 acl cpu
CPU Acl Name................................ NOT CONFIGURED
Wireless Traffic............................ Disabled
Wired Traffic............................... Disabled

show ipv6 acl detailed

To display the IPv6 ACL details, use the show ipv6 acl detailed command.

show ipv6 acl detailed

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.
8.0        This command supports IPv6 address format.

Examples

The following is a sample output of the show ipv6 acl detailed TestACL command:

(Cisco Controller) > show ipv6 acl detailed ddd

Rule Index....................................... 1

Direction........................................ Any

IPv6 source prefix............................... 2001:9:5:90::115/128

IPv6 destination prefix.......................... ::/0

Protocol......................................... 6

Source Port Range................................ 0-65535

Destination Port Range........................... 0-65535

DSCP............................................. Any

Action........................................... Permit

Counter.......................................... 0

Rule Index....................................... 2

Direction........................................ Any

IPv6 source prefix............................... ::/0

IPv6 destination prefix.......................... 2001:9:5:90::115/128

Protocol......................................... 6

Source Port Range................................ 0-65535

Destination Port Range........................... 0-65535

DSCP............................................. Any

Action........................................... Permit

Counter.......................................... 0
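
The dotted-leader layout of the show ipv6 acl detailed output lends itself to an offline audit of saved command output. The following Python example is added here and is not part of the Cisco reference; the function names and the review criteria are assumptions made for illustration. It parses the acl6 and ddd sample outputs from this reference into one record per rule and reports permit rules that leave the address pair, the protocol, or the ports unrestricted.

```python
import ipaddress
import re

# WLC "show" output prints key/value pairs joined by dotted leaders, e.g.
#   "IPv6 source prefix............................... ::/0"
LINE_RE = re.compile(r"^\s*(?P<key>.+?)\s*\.{2,}\s*(?P<value>.*?)\s*$")
FULL_PORT_RANGE = (0, 65535)

# Sample outputs copied from the acl6 and ddd examples in this reference.
ACL6_OUTPUT = """\
(Cisco Controller) > show ipv6 acl detailed acl6
Rule Index....................................... 1
Direction........................................ Any
IPv6 source prefix............................... ::/0
IPv6 destination prefix.......................... ::/0
Protocol......................................... Any
Source Port Range................................ 0-65535
Destination Port Range........................... 0-65535
DSCP............................................. Any
Flow label....................................... 0
Action........................................... Permit
Counter.......................................... 0
Deny Counter................................... 0
"""

DDD_OUTPUT = """\
(Cisco Controller) > show ipv6 acl detailed ddd
Rule Index....................................... 1
IPv6 source prefix............................... 2001:9:5:90::115/128
IPv6 destination prefix.......................... ::/0
Protocol......................................... 6
Source Port Range................................ 0-65535
Destination Port Range........................... 0-65535
Action........................................... Permit
Rule Index....................................... 2
IPv6 source prefix............................... ::/0
IPv6 destination prefix.......................... 2001:9:5:90::115/128
Protocol......................................... 6
Source Port Range................................ 0-65535
Destination Port Range........................... 0-65535
Action........................................... Permit
"""


def parse_rules(text):
    """Return one dict per rule; a 'Rule Index' line starts a new rule."""
    rules, current = [], None
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if match is None:
            continue  # prompt, blank line or other non key/value text
        key, value = match.group("key"), match.group("value")
        if key == "Rule Index":
            current = {}
            rules.append(current)
        if current is not None:
            current[key] = value
    return rules


def is_unrestricted(prefix):
    """True for a zero-length prefix such as ::/0 (matches every address)."""
    try:
        return ipaddress.ip_network(prefix, strict=False).prefixlen == 0
    except ValueError:
        return False  # missing or malformed field: do not report it as open


def port_range(value):
    """Parse '0-65535' (or a single port) into (low, high); None if invalid."""
    low, _, high = value.partition("-")
    try:
        return int(low), int(high or low)
    except ValueError:
        return None


def review_rule(rule):
    """List the ways a permit rule is unrestricted; other actions return []."""
    if rule.get("Action", "").lower() != "permit":
        return []
    reasons = []
    prefixes = ("IPv6 source prefix", "IPv6 destination prefix")
    if all(is_unrestricted(rule.get(k, "")) for k in prefixes):
        reasons.append("any source to any destination")
    if rule.get("Protocol", "").lower() == "any":
        reasons.append("every protocol")
    ports = ("Source Port Range", "Destination Port Range")
    if all(port_range(rule.get(k, "")) == FULL_PORT_RANGE for k in ports):
        reasons.append("every port")
    return reasons


def audit(text):
    """Map rule index -> list of findings for one saved command output."""
    return {int(r["Rule Index"]): review_rule(r) for r in parse_rules(text)}


if __name__ == "__main__":
    for name, output in (("acl6", ACL6_OUTPUT), ("ddd", DDD_OUTPUT)):
        for index, reasons in audit(output).items():
            print(f"{name} rule {index}: {', '.join(reasons) or 'no findings'}")
```

A rule that collects all three findings, as the acl6 sample does, permits all IPv6 traffic; the ddd rules are reported only for their open port ranges because each pins one endpoint and the protocol.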

show ipv6 neighbor-binding

To display the IPv6 neighbor binding data that are configured on the controller, use the show ipv6 neighbor-binding command.

show ipv6 neighbor-binding {capture-policy | counters | detailed {mac mac_address | port port_number | vlan vlan_id} | features | policies | ra-throttle {statistics vlan_id | routers vlan_id} | summary}

Syntax Description

capture-policy    Displays IPv6 next-hop message capture policies.
counters          Displays IPv6 next-hop counters (Bridging mode only).
detailed          Displays the IPv6 neighbor binding table.
mac               Displays the IPv6 binding table entries for a specific MAC address.
mac_address       Displays the IPv6 binding table entries for a specific MAC address.
port              Displays the IPv6 binding table entries for a specific port.
port_number       Port Number. You can enter ap for an access point or LAG for a LAG port.
vlan              Displays the IPv6 neighbor binding table entries for a specific VLAN.
vlan_id           VLAN identifier.
features          Displays IPv6 next-hop registered features.
policies          Displays IPv6 next-hop policies.
ra-throttle       Displays RA throttle information.
statistics        Displays RA throttle statistics.
routers           Displays RA throttle routers.
summary           Displays the IPv6 neighbor binding table.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.


Usage Guidelines

DHCPv6 counters are applicable only for IPv6 bridging mode.

Examples

The following is the output of the show ipv6 neighbor-binding summary command:

(Cisco Controller) > show ipv6 neighbor-binding summary
Binding Table has 6 entries, 5 dynamic
Codes: L - Local, S - Static, ND - Neighbor Discovery, DH - DDCP
Preflevel flags (prlvl):
0001:MAC and LLA match    0002:Orig trunk            0004:Orig access
0008:Orig trusted access  0010:Orig trusted trunk    0020:DHCP assigned
0040:Cga authenticated    0080:Cert authenticated    0100:Statically assigned
   IPv6 address                       MAC Address       Port VLAN Type     prlvl age state     Time left
-- ---------------------------------- ----------------- ---- ---- -------- ----- --- --------- ---------
ND fe80::216:46ff:fe43:eb01           00:16:46:43:eb:01 1    980  wired    0005  2   REACHABLE 157
ND fe80::9cf9:b009:b1b4:1ed9          70:f1:a1:dd:cb:d4 AP   980  wireless 0005  2   REACHABLE 157
ND fe80::6233:4bff:fe05:25ef          60:33:4b:05:25:ef AP   980  wireless 0005  2   REACHABLE 203
ND fe80::250:56ff:fe8b:4a8f           00:50:56:8b:4a:8f AP   980  wireless 0005  2   REACHABLE 157
ND 2001:410:0:1:51be:2219:56c6:a8ad   70:f1:a1:dd:cb:d4 AP   980  wireless 0005  5   REACHABLE 157
S  2001:410:0:1::9                    00:00:00:00:00:08 AP   980  wireless 0100  1   REACHABLE 205

The following is the output of the show ipv6 neighbor-binding detailed command:

(Cisco Controller) > show ipv6 neighbor-binding detailed mac 60:33:4b:05:25:ef

macDB has 3 entries for mac 60:33:4b:05:25:ef, 3 dynamic
Codes: L - Local, S - Static, ND - Neighbor Discovery, DH - DDCP
Preflevel flags (prlvl):
0001:MAC and LLA match      0002:Orig trunk            0004:Orig access
0008:Orig trusted access    0010:Orig trusted trunk    0020:DHCP assigned
0040:Cga authenticated      0080:Cert authenticated    0100:Statically assigned

   IPv6 address                       MAC Address       Port VLAN Type     prlvl age state     Time left
-- ---------------------------------- ----------------- ---- ---- -------- ----- --- --------- ---------
ND fe80::6233:4bff:fe05:25ef          60:33:4b:05:25:ef AP   980  wireless 0009  0   REACHABLE 303
ND 2001:420:0:1:6233:4bff:fe05:25ef   60:33:4b:05:25:ef AP   980  wireless 0009  0   REACHABLE 300
ND 2001:410:0:1:6233:4bff:fe05:25ef   60:33:4b:05:25:ef AP   980  wireless 0009  0   REACHABLE 301
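The prlvl column in the two outputs above reads as a hexadecimal bitmask of the Preflevel flags in the legend (0005 is 0001 + 0004). The following Python sketch is an added example, not part of the Cisco documentation: it parses binding rows, decodes prlvl, and lists the bindings that carry none of the trusted, DHCP, CGA, certificate or static bits. The bitmask reading, the VETTED_BITS grouping and all function names are assumptions of this example; the sample rows are reassembled from the summary output on this page.

```python
from __future__ import annotations

import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass

# Legend as printed under "Preflevel flags (prlvl)" in the command output.
PRLVL_FLAGS = {
    0x0001: "MAC and LLA match",
    0x0002: "Orig trunk",
    0x0004: "Orig access",
    0x0008: "Orig trusted access",
    0x0010: "Orig trusted trunk",
    0x0020: "DHCP assigned",
    0x0040: "Cga authenticated",
    0x0080: "Cert authenticated",
    0x0100: "Statically assigned",
}
# Assumption of this example: these bits mark a binding backed by a trusted
# port, DHCP, CGA, a certificate or static configuration.
VETTED_BITS = 0x0008 | 0x0010 | 0x0020 | 0x0040 | 0x0080 | 0x0100
ORIGIN_CODES = {"L", "S", "ND", "DH"}
MAC_RE = re.compile(r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}", re.IGNORECASE)

# Sample input: header, rule and the six rows of the summary example,
# reassembled one binding per line.
SAMPLE = """\
   IPv6 address                     MAC Address       Port VLAN Type     prlvl age state     Time left
-- -------------------------------- ----------------- ---- ---- -------- ----- --- --------- ---------
ND fe80::216:46ff:fe43:eb01         00:16:46:43:eb:01 1    980  wired    0005  2   REACHABLE 157
ND fe80::9cf9:b009:b1b4:1ed9        70:f1:a1:dd:cb:d4 AP   980  wireless 0005  2   REACHABLE 157
ND fe80::6233:4bff:fe05:25ef        60:33:4b:05:25:ef AP   980  wireless 0005  2   REACHABLE 203
ND fe80::250:56ff:fe8b:4a8f         00:50:56:8b:4a:8f AP   980  wireless 0005  2   REACHABLE 157
ND 2001:410:0:1:51be:2219:56c6:a8ad 70:f1:a1:dd:cb:d4 AP   980  wireless 0005  5   REACHABLE 157
S  2001:410:0:1::9                  00:00:00:00:00:08 AP   980  wireless 0100  1   REACHABLE 205
"""


@dataclass(frozen=True)
class Binding:
    code: str
    address: ipaddress.IPv6Address
    mac: str
    port: str
    vlan: int
    kind: str
    prlvl: int
    age: int
    state: str
    time_left: int


def decode_prlvl(value: int) -> list[str]:
    """Expand a prlvl bitmask into the legend names, lowest bit first."""
    names = [name for bit, name in PRLVL_FLAGS.items() if value & bit]
    unknown = value & ~sum(PRLVL_FLAGS)
    if unknown:
        names.append(f"unknown bits 0x{unknown:04x}")
    return names


def parse_bindings(text: str) -> list[Binding]:
    """Return one Binding per table row; legend, header and rule lines are skipped."""
    rows = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) != 10 or tok[0] not in ORIGIN_CODES or not MAC_RE.fullmatch(tok[2]):
            continue
        try:
            rows.append(Binding(tok[0], ipaddress.IPv6Address(tok[1]), tok[2].lower(),
                                tok[3], int(tok[4]), tok[5], int(tok[6], 16),
                                int(tok[7]), tok[8], int(tok[9])))
        except ValueError:
            continue  # a field did not parse, so this is not a binding row
    return rows


def addresses_by_mac(bindings: list[Binding]) -> dict[str, list[ipaddress.IPv6Address]]:
    """Group bound IPv6 addresses by the MAC address that holds them."""
    grouped = defaultdict(list)
    for b in bindings:
        grouped[b.mac].append(b.address)
    return dict(grouped)


def unvetted(bindings: list[Binding]) -> list[Binding]:
    """Bindings whose prlvl has none of the VETTED_BITS set."""
    return [b for b in bindings if not b.prlvl & VETTED_BITS]


if __name__ == "__main__":
    table = parse_bindings(SAMPLE)
    for b in table:
        print(f"{b.address}  {b.mac}  {', '.join(decode_prlvl(b.prlvl))}")
    print("unvetted:", [str(b.address) for b in unvetted(table)])
```
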

The following is the output of the show ipv6 neighbor-binding counters command:

(Cisco Controller) > show ipv6 neighbor-binding counters

Received Messages
NDP Router Solicitation          6
NDP Router Advertisement         19
NDP Neighbor Solicitation        557
NDP Neighbor Advertisement       48
NDP Redirect                     0
NDP Certificate Solicit          0
NDP Certificate Advert           0
DHCPv6 Solicitation              0
DHCPv6 Advertisement             0
DHCPv6 Request                   0
DHCPv6 Reply                     0
DHCPv6 Inform                    0
DHCPv6 Confirm                   0
DHCPv6 Renew                     0
DHCPv6 Rebind                    0
DHCPv6 Release                   0
DHCPv6 Decline                   0
DHCPv6 Reconfigure               0
DHCPv6 Relay Forward             0
DHCPv6 Relay Rep                 0

Bridged Messages
NDP Router Solicitation          6
NDP Router Advertisement         19
NDP Neighbor Solicitation        471
NDP Neighbor Advertisement       16
NDP Redirect                     0
NDP Certificate Solicit          0
NDP Certificate Advert           0
DHCPv6 Solicitation              0
DHCPv6 Advertisement             0
DHCPv6 Request                   0
DHCPv6 Reply                     0
DHCPv6 Inform                    0
DHCPv6 Confirm                   0
DHCPv6 Renew                     0
DHCPv6 Rebind                    0
DHCPv6 Release                   0
DHCPv6 Decline                   0
DHCPv6 Reconfigure               0
DHCPv6 Relay Forward             0
DHCPv6 Relay Rep                 0

NDSUPRRESS Drop counters
total silent ns_in_out ns_dad unicast multicast internal
------------------------------------------------------------------------
0     0      0         0      0       0         0

SNOOPING Drop counters
Dropped Msgs       total silent internal CGA_vfy RSA_vfy limit martian martian_mac no_trust not_auth stop
--------------------------------------------------------------------------------------------------------------------
NDP RS             0     0      0        0       0       0     0       0           0        0        0
NDP RA             0     0      0        0       0       0     0       0           0        0        0
NDP NS             0     0      0        0       0       0     0       0           0        0        0
NDP NA             0     0      0        0       0       0     0       0           0        0        0
NDP Redirect       0     0      0        0       0       0     0       0           0        0        0
NDP CERT SOL       0     0      0        0       0       0     0       0           0        0        0
NDP CERT ADV       0     0      0        0       0       0     0       0           0        0        0
DHCPv6 Sol         0     0      0        0       0       0     0       0           0        0        0
DHCPv6 Adv         0     0      0        0       0       0     0       0           0        0        0
DHCPv6 Req         0     0      0        0       0       0     0       0           0        0        0
DHCPv6 Confirm     0     0      0        0       0       0     0       0           0        0        0
DHCPv6 Renew       0     0      0        0       0       0     0       0           0        0        0
DHCPv6 Rebind      0     0      0        0       0       0     0       0           0        0        0
DHCPv6 Reply       0     0      0        0       0       0     0       0           0        0        0
DHCPv6 Release     0     0      0        0       0       0     0       0           0        0        0
DHCPv6 Decline     0     0      0        0       0       0     0       0           0        0        0
DHCPv6 Recfg       0     0      0        0       0       0     0       0           0        0        0
DHCPv6 Infreq      0     0      0        0       0       0     0       0           0        0        0
DHCPv6 Relayfwd    0     0      0        0       0       0     0       0           0        0        0
DHCPv6 Relayreply  0     0      0        0       0       0     0       0           0        0        0

CacheMiss Statistics
Multicast NS Forwarded
To STA 0
To DS 0
Multicast NS Dropped
To STA 467
To DS 467

Multicast NA Statistics
Multicast NA Forwarded
To STA 0
To DS 0
Multicast NA Dropped
To STA 0
To DS 0

(Cisco Controller) >

show ipv6 ra-guard

To display the RA guard statistics, use the show ipv6 ra-guard command.

show ipv6 ra-guard {ap | wlc} summary

Syntax Description

ap         Displays Cisco access point details.
wlc        Displays Cisco controller details.
summary    Displays RA guard statistics.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows the output of the show ipv6 ra-guard ap summary command:

(Cisco Controller) > show ipv6 ra-guard ap summary
IPv6 RA Guard on AP..................... Enabled
RA Dropped per client:
MAC Address       AP Name           WLAN/GLAN      Number of RA Dropped
----------------- ----------------- -------------- ---------------------
00:40:96:b9:4b:89 Bhavik_1130_1_p13 2              19
----------------- ----------------- -------------- ---------------------
Total RA Dropped on AP...................... 19

The following example shows how to display the RA guard statistics for a controller:

(Cisco Controller) > show ipv6 ra-guard wlc summary
IPv6 RA Guard on WLC.................... Enabled

show ipv6 route summary

To display configuration information for IPv6 route, use the show ipv6 route summary command.

show ipv6 route summary

This command has no arguments or keywords.

Command Default

None

Command History

Release    Modification
8.0        This command was introduced in Release 8.0.

Examples

The following is a sample output of the show ipv6 route summary command:

(Cisco Controller) > show ipv6 route summary
Number of Routes................................. 1
Destination Network   PrefixLength   Gateway
-------------------   ------------   -------------------
2001:9:5:90::115      /128           2001:9:5:91::1

show ipv6 summary

To display the IPv6 configuration settings, use the show ipv6 summary command.

show ipv6 summary

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example displays the output of the show ipv6 summary command:

(Cisco Controller) > show ipv6 summary

Global Config............................... Enabled

Reachable-lifetime value.................... 30

Stale-lifetime value........................ 300

Down-lifetime value......................... 300

RA Throttling............................... Disabled

RA Throttling allow at-least................ 1

RA Throttling allow at-most................. no-limit

RA Throttling max-through................... 5

RA Throttling throttle-period............... 600

RA Throttling interval-option............... ignore

NS Mulitcast CacheMiss Forwarding........... Enabled

NA Mulitcast Forwarding..................... Enabled

IPv6 Capwap UDP Lite........................ Enabled

Operating System IPv6 state ................ Enabled

show known ap

To display known Cisco lightweight access point information, use the show known ap command.

show known ap {summary | detailed MAC}

Syntax Description

summary     Displays a list of all known access points.
detailed    Provides detailed information for all known access points.
MAC         MAC address of the known AP.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to display a summary of all known access points:

(Cisco Controller) > show known ap summary

MAC Address State # APs # Clients Last Heard

------------------------------------------------

Show Commands: j to q

show l2tp
show lag eth-port-hash
show lag ip-port-hash
show lag summary
show ldap
show ldap statistics
show ldap summary
show license all
show license capacity
show license detail
show license expiring
show license evaluation
show license feature
show license file
show license handle
show license image-level
show license in-use
show license permanent
show license status
show license statistics
show license summary
show license udi
show license usage
show load-balancing
show local-auth config
show local-auth statistics
show local-auth certificates
show logging
show logging last-reset
show logging flags
show loginsession
show macfilter
show mdns ap summary
show mdns domain-name-ip summary
show mdns profile
show mdns service
show media-stream client
show media-stream group detail
show media-stream group summary
show mesh ap
show mesh astools stats
show mesh backhaul
show mesh bgscan
show mesh cac
show mesh client-access
show mesh config
show mesh env
show mesh neigh
show mesh path
show mesh per-stats
show mesh public-safety
show mesh queue-stats
show mesh security-stats
show mesh stats
show mgmtuser
show mobility anchor
show mobility ap-list
show mobility foreign-map
show mobility group member
show mobility oracle
show mobility statistics
show mobility summary
show msglog
show nac statistics
show nac summary
show network
show network summary
show netuser
show netuser guest-roles
show network multicast mgid detail
show network multicast mgid summary
show network summary
show nmsp notify-interval summary
show nmsp status
show nmsp statistics
show nmsp subscription
show nmsp subscription summary
show ntp-keys
show ntp-keys
show opendns summary
show policy
show port
show profiling policy summary
show qos
show qos qosmap
show queue-info
show pmk-cache
show pmipv6 domain
show pmipv6 mag bindings
show pmipv6 mag globals
show pmipv6 mag stats
show pmipv6 profile summary

show l2tp

To display Layer 2 Tunneling Protocol (L2TP) sessions, use the show l2tp command.

show l2tp {summary | ip_address}

Syntax Description

summary       Displays all L2TP sessions.
ip_address    IP address.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to display a summary of all L2TP sessions:

(Cisco Controller) > show l2tp summary

LAC_IPaddr LTid LSid RTid RSid ATid ASid State

---------- ---- ---- ---- ---- ---- ---- -----

show lag eth-port-hash

To display the physical port used for specific MAC addresses, use the show lag eth-port-hash command.

show lag eth-port-hash dest_MAC [source_MAC]

Syntax Description

dest_MAC      MAC address to determine output port for non-IP packets.
source_MAC    (Optional) MAC address to determine output port for non-IP packets.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to display the physical port used for a specific MAC address:

(Cisco Controller) > show lag eth-port-hash 11:11:11:11:11:11

Destination MAC 11:11:11:11:11:11 currently maps to port 1

show lag ip-port-hash

To display the physical port used for specific IP addresses, use the show lag ip-port-hash command.

show lag ip-port-hash dest_IP [source_IP]

Syntax Description

dest_IP      IP address to determine the output port for IP packets.
source_IP    (Optional) IP address to determine the output port for IP packets.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.
8.0        This command supports both IPv4 and IPv6 addresses.

Usage Guidelines

For CAPWAP packets, enter the IP address of the access points. For EOIP packets, enter the IP address of the controller. For WIRED_GUEST packets, enter its IP address. For non-tunneled IP packets from the WLC, enter the destination IP address. For other non-tunneled IP packets, enter both the destination and source IP addresses.

This command is applicable for both IPv4 and IPv6 addresses.

Examples

The following example shows how to display the physical port used for a specific IP address:

(Cisco Controller) > show lag ip-port-hash 192.168.102.138

Destination IP 192.168.102.138 currently maps to port 1

show lag summary

To display the current link aggregation (LAG) status, use the show lag summary command.

show lag summary

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to display the current status of the LAG configuration:

(Cisco Controller) > show lag summary

LAG Enabled

show ldap

To display the Lightweight Directory Access Protocol (LDAP) server information for a particular LDAP server, use the show ldap command.

show ldap index

Syntax Description

index

LDAP server index. Valid values are from 1 to 17.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to display the detailed LDAP server information:

(Cisco Controller) > show ldap 1

Server Index..................................... 1

Address.......................................... 2.3.1.4

Port............................................. 389

Enabled.......................................... Yes

User DN.......................................... name1

User Attribute................................... attr1

User Type........................................ username1

Retransmit Timeout............................... 3 seconds

Bind Method ..................................... Anonymous

Related Commands

config ldap
config ldap add
config ldap simple-bind
show ldap statistics
show ldap summary

show ldap statistics

To display all Lightweight Directory Access Protocol (LDAP) server information, use the show ldap statistics command.

show ldap statistics

Syntax Description

This command has no arguments or keywords.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to display the LDAP server statistics:

(Cisco Controller) > show ldap statistics

Server Index..................................... 1

Server statistics:

Initialized OK................................. 0

Initialization failed.......................... 0

Initialization retries......................... 0

Closed OK...................................... 0

Request statistics:

Received....................................... 0

Sent........................................... 0

OK............................................. 0

Success........................................ 0

Authentication failed.......................... 0

Server not found............................... 0

No received attributes......................... 0

No passed username............................. 0

Not connected to server........................ 0

Internal error................................. 0

Retries........................................ 0

Server Index..................................... 2

...

Related Commands

config ldap
config ldap add
config ldap simple-bind
show ldap
show ldap summary

show ldap summary

To display the current Lightweight Directory Access Protocol (LDAP) server status, use the show ldap summary command.

show ldap summary

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to display a summary of configured LDAP servers:

(Cisco Controller) > show ldap summary
Idx  Server Address   Port  Enabled
---  ---------------  ----  -------
1    2.3.1.4          389   Yes
2    10.10.20.22      389   Yes

Related Commands

config ldap
config ldap add
config ldap simple-bind
show ldap statistics
show ldap

show license all

To display information for all licenses on the Cisco WLCs, use the show license all command.

show license all

Syntax Description

This command has no arguments or keywords.

Command Default

None.

Examples

This example shows how to display all the licenses:

> show license all

License Store: Primary License Storage

StoreIndex: 0 Feature: wplus-ap-count Version: 1.0

License Type: Permanent

License State: Inactive

License Count: 12/0/0

License Priority: Medium

StoreIndex: 1 Feature: base Version: 1.0

License Type: Permanent

License State: Active, Not in Use

License Count: Non-Counted

License Priority: Medium

StoreIndex: 2 Feature: wplus Version: 1.0

License Type: Permanent

License State: Active, In Use

License Count: Non-Counted

License Priority: Medium

License Store: Evaluation License Storage

StoreIndex: 0 Feature: wplus Version: 1.0

License Type: Evaluation

License State: Inactive

Evaluation total period: 8 weeks 4 days

Evaluation period left: 6 weeks 6 days

License Count: Non-Counted

License Priority: Low

StoreIndex: 1 Feature: wplus-ap-count Version: 1.0

License Type: Evaluation

License State: Active, In Use

Evaluation total period: 8 weeks 4 days

Evaluation period left: 2 weeks 3 days

Expiry date: Thu Jun 25 18:09:43 2009

License Count: 250/250/0

License Priority: High

StoreIndex: 2 Feature: base Version: 1.0

License Type: Evaluation

License State: Inactive

Evaluation total period: 8 weeks 4 days

Evaluation period left: 8 weeks 4 days

License Count: Non-Counted

License Priority: Low

StoreIndex: 3 Feature: base-ap-count Version: 1.0

License Type: Evaluation

License State: Active, Not in Use, EULA accepted

Evaluation total period: 8 weeks 4 days

Evaluation period left: 8 weeks 3 days

License Count: 250/0/0

License Priority: Low


Examples

This example shows how to view all the licenses on the Smart License mechanism:

(Cisco Controller) > show license all

Smart Licensing Status

======================

Smart Licensing is ENABLED

Registration:

Status: REGISTERED

Smart Account: vWLC-Prod

Virtual Account: Default

Export-Controlled Functionality: Allowed

Initial Registration: SUCCEEDED on Dec 11 12:19:38 2015 UTC

Last Renewal Attempt: None

Next Renewal Attempt: Jun 08 12:19:37 2016 UTC

Registration Expires: Dec 10 12:16:56 2016 UTC

License Authorization:

Status: AUTHORIZED on Dec 11 12:20:12 2015 UTC

Last Communication Attempt: SUCCEEDED on Dec 11 12:20:12 2015 UTC

Next Communication Attempt: Jan 10 12:20:11 2016 UTC

Communication Deadline: Mar 10 12:17:43 2016 UTC

--More-- or (q)uit

License Usage

==============

No licenses in use

Product Information

===================

UDI: PID:AIR-CTVM-K9,SN:91U8NQ5XDBE

Agent Version

=============

Smart Agent for Licensing: 1.4.0_rel/25

Component Versions: SA:1.4, SI:0.1, CH:rel_1, PK:x.x

show license capacity

To display the maximum number of access points allowed for this license on the Cisco 5500 Series Controller, the number of access points currently joined to the controller, and the number of access points that can still join the controller, use the show license capacity command.

show license capacity

Syntax Description

This command has no arguments or keywords.

Command Default

None.

Examples

This example shows how to display the license capacity:

> show license capacity
Licensed Feature   Max Count   Current Count   Remaining Count
-----------------------------------------------------------------------
AP Count           250         47              203

Related Commands

license install
show license all
show license detail
show license feature
show license image-level
show license summary
license modify priority
show license evaluation

show license detail

To display details of a specific license on the Cisco 5500 Series Controller, use the show license detail command.

show license detail license-name

Syntax Description

license-name

Name of a specific license.

Command Default

None.

Examples

This example shows how to display the license details:

> show license detail wplus

Feature: wplus Period left: Life time

Index: 1 Feature: wplus Version: 1.0

License Type: Permanent

License State: Active, In Use

License Count: Non-Counted

License Priority: Medium

Store Index: 2

Store Name: Primary License Storage

Index: 2 Feature: wplus Version: 1.0

License Type: Evaluation

License State: Inactive

Evaluation total period: 8 weeks 4 days

Evaluation period left: 6 weeks 6 days

License Count: Non-Counted

License Priority: Low

Store Index: 0

Related Commands

license install
show license agent
show license all
show license feature
show license image-level
show license summary
license modify priority

show license expiring

To display details of expiring licenses on the Cisco 5500 Series Controller, use the show license expiring command.

show license expiring

Syntax Description

This command has no arguments or keywords.

Command Default

None.

Examples

This example shows how to display the details of the expiring licenses:

> show license expiring

StoreIndex: 0 Feature: wplus Version: 1.0

License Type: Evaluation

License State: Inactive

Evaluation total period: 8 weeks 4 days

Evaluation period left: 6 weeks 6 days

License Count: Non-Counted

License Priority: Low

StoreIndex: 1 Feature: wplus-ap-count Version: 1.0

License Type: Evaluation

License State: Active, In Use

Evaluation total period: 8 weeks 4 days

Evaluation period left: 2 weeks 3 days

Expiry date: Thu Jun 25 18:09:43 2009

License Count: 250/250/0

License Priority: High

StoreIndex: 2 Feature: base Version: 1.0

License Type: Evaluation

License State: Inactive

Evaluation total period: 8 weeks 4 days

Evaluation period left: 8 weeks 4 days

License Count: Non-Counted

License Priority: Low

StoreIndex: 3 Feature: base-ap-count Version: 1.0

License Type: Evaluation

License State: Active, Not in Use, EULA accepted

Evaluation total period: 8 weeks 4 days

Evaluation period left: 8 weeks 3 days

License Count: 250/0/0

License Priority: Low

Related Commands

license install
show license all
show license detail
show license in-use
show license summary
license modify priority
show license evaluation

show license evaluation

To display details of evaluation licenses on the Cisco 5500 Series Controller, use the show license evaluation command.

show license evaluation

Syntax Description

This command has no arguments or keywords.

Command Default

None.

Examples

This example shows how to display the details of the evaluation licenses:

> show license evaluation

StoreIndex: 0 Feature: wplus Version: 1.0

License Type: Evaluation

License State: Inactive

Evaluation total period: 8 weeks 4 days

Evaluation period left: 6 weeks 6 days

License Count: Non-Counted

License Priority: Low

StoreIndex: 1 Feature: wplus-ap-count Version: 1.0

License Type: Evaluation

License State: Active, In Use

Evaluation total period: 8 weeks 4 days

Evaluation period left: 2 weeks 3 days

Expiry date: Thu Jun 25 18:09:43 2009

License Count: 250/250/0

License Priority: High

StoreIndex: 2 Feature: base Version: 1.0

License Type: Evaluation

License State: Inactive

Evaluation total period: 8 weeks 4 days

Evaluation period left: 8 weeks 4 days

License Count: Non-Counted

License Priority: Low

StoreIndex: 3 Feature: base-ap-count Version: 1.0

License Type: Evaluation

License State: Active, Not in Use, EULA accepted

Evaluation total period: 8 weeks 4 days

Evaluation period left: 8 weeks 3 days

License Count: 250/0/0

License Priority: Low

Related Commands

license install
show license all
show license detail
show license expiring
show license in-use
show license summary
license modify priority

show license feature

To display a summary of license-enabled features on the Cisco 5500 Series Controller, use the show license feature command.

show license feature

Syntax Description

This command has no arguments or keywords.

Command Default

None.

Examples

This example shows how to display the license-enabled features:

> show license feature
Feature name     Enforcement  Evaluation  Clear Allowed  Enabled
wplus            yes          yes         yes            yes
wplus-ap-count   yes          yes         yes            yes
base             no           yes         yes            no
base-ap-count    yes          yes         yes            no

Related Commands

license install
show license all
show license detail
show license expiring
show license image-level
show license in-use
show license summary
show license modify priority
show license evaluation

show license file

To display a summary of license-enabled features on the Cisco 5500 Series Controller, use the show license file command.

show license file

Syntax Description

This command has no arguments or keywords.

Examples

This example shows how to display the license files:

> show license file

License Store: Primary License Storage

Store Index: 0

License: 11 wplus-ap-count 1.0 LONG NORMAL STANDALONE EXCL 12_KEYS INFINIT

E_KEYS NEVER NEVER NiL SLM_CODE CL_ND_LCK NiL *1AR5NS7M5AD8PPU400

NiL NiL NiL 5_MINS <UDI><PID>AIR-CT5508-K9</PID><SN>RFD000P2D27<

/SN></UDI> Pe0L7tv8KDUqo:zlPe423S5wasgM8G,tTs0i,7zLyA3VfxhnIe5aJa m63lR5l8JM3DPkr4O2DI43iLlKn7jomo3RFl1LjMRqLkKhiLJ2tOyuftQSq2bCAO6 nR3wIb38xKi3t$<WLC>AQEBIQAB//++mCzRUbOhw28vz0czAY0iAm7ocDLUMb9ER0

+BD3w2PhNEYwsBN/T3xXBqJqfC+oKRqwInXo3s+nsLU7rOtdOxoIxYZAo3LYmUJ+M

FzsqlhKoJVlPyEvQ8H21MNUjVbhoN0gyIWsyiJaM8AQIkVBQFzhr10GYolVzdzfJf

EPQIx6tZ++/Vtc/q3SF/5Ko8XCY=</WLC>

Comment:

Hash: iOGjuLlXgLhcTB113ohIzxVioHA=

. . .

Related Commands

license install
show license all
show license detail
show license expiring
show license feature
show license image-level
show license in-use
show license summary
show license evaluation

show license handle

To display the license handles on the Cisco 5500 Series Controller, use the show license handle command.

show license handle

Syntax Description

This command has no arguments or keywords.

Command Default

None.

Examples

This example shows how to display the license handles:

> show license handle
Feature: wplus , Handle Count: 1
Units: 01( 0), ID: 0x5e000001, NotifyPC: 0x1001e8f4 LS-Handle (0x00000001), Units: ( 1)
Registered clients: 1
Context 0x1051b610, epID 0x10029378
Feature: base , Handle Count: 0
Registered clients: 1
Context 0x1053ace0, epID 0x10029378
Feature: wplus-ap-count , Handle Count: 1
Units: 250( 0), ID: 0xd4000002, NotifyPC: 0x1001e8f4 LS-Handle (0x00000002), Units: (250)
Registered clients: None
Feature: base-ap-count , Handle Count: 0
Registered clients: None
Global Registered clients: 2
Context 0x10546270, epID 0x100294cc
Context 0x1053bae8, epID 0x100294cc

Related Commands

license install
show license all
show license detail
show license expiring
show license feature
show license image-level
show license in-use
show license summary

show license image-level

To display the license image level that is in use on the Cisco 5500 Series Controller, use the show license image-level command.

show license image-level

Syntax Description

This command has no arguments or keywords.

Command Default

None.

Examples

This example shows how to display the image level license settings:

> show license image-level
Module name   Image level   Priority   Configured   Valid license
wnbu          wplus         1          YES          wplus
              base          2          NO

NOTE: wplus includes two additional features: Office Extend AP, Mesh AP.

Related Commands

license install
show license all
show license detail
show license expiring
show license feature
license modify priority
show license in-use
show license summary

show license in-use

To display the licenses that are in use on the Cisco 5500 Series Controller, use the show license in-use command.

show license in-use

Syntax Description

This command has no arguments or keywords.

Command Default

None.

Examples

This example shows how to display the licenses that are in use:

> show license in-use

StoreIndex: 2 Feature: wplus Version: 1.0

License Type: Permanent

License State: Active, In Use

License Count: Non-Counted

License Priority: Medium

StoreIndex: 1 Feature: wplus-ap-count Version: 1.0

License Type: Evaluation

License State: Active, In Use

Evaluation total period: 8 weeks 4 days

Evaluation period left: 2 weeks 3 days

Expiry date: Thu Jun 25 18:09:43 2009

License Count: 250/250/0

License Priority: High

Related Commands

license install
show license all
show license detail
show license expiring
show license feature
show license image-level
show license modify priority
show license summary
show license permanent
show license evaluation

show license permanent

To display the permanent licenses on the Cisco 5500 Series Controller, use the show license permanent command.

show license permanent

Syntax Description

This command has no arguments or keywords.

Command Default

None.

Examples

This example shows how to display the permanent license’s information:

> show license permanent

StoreIndex: 0 Feature: wplus-ap-count Version: 1.0

License Type: Permanent

License State: Inactive

License Count: 12/0/0

License Priority: Medium

StoreIndex: 1 Feature: base Version: 1.0

License Type: Permanent

License State: Active, Not in Use

License Count: Non-Counted

License Priority: Medium

StoreIndex: 2 Feature: wplus Version: 1.0

License Type: Permanent

License State: Active, In Use

License Count: Non-Counted

License Priority: Medium

Related Commands

license install
show license all
show license detail
show license expiring
show license feature
show license image-level
show license in-use
show license summary
license modify priority
show license evaluation

show license status

To display the license status on the Cisco Wireless Controller, use the show license status command.

show license status

Syntax Description

This command has no arguments or keywords.

Command Default

None.

Examples

This example shows how to view the license status on the RTU license mechanism:

> show license status

License Type Supported
   permanent    Non-expiring node locked license
   extension    Expiring node locked license
   evaluation   Expiring non node locked license

License Operation Supported
   install      Install license
   clear        Clear license
   annotate     Comment license
   save         Save license
   revoke       Revoke license

Device status

Device Credential type: DEVICE

Device Credential Verification: PASS

Rehost Type: DC_OR_IC

This example shows how to view the license status on the Smart License mechanism:

(Cisco Controller) > show license status

Smart Licensing is ENABLED

Registration:

Status: REGISTERED

Smart Account: vWLC-Prod

Virtual Account: Default

Export-Controlled Functionality: Allowed

Initial Registration: SUCCEEDED on Dec 11 12:19:38 2015 UTC

Last Renewal Attempt: None

Next Renewal Attempt: Jun 08 12:19:37 2016 UTC

Registration Expires: Dec 10 12:16:56 2016 UTC

License Authorization:

Status: AUTHORIZED on Dec 11 12:20:12 2015 UTC

Last Communication Attempt: SUCCEEDED on Dec 11 12:20:12 2015 UTC

Next Communication Attempt: Jan 10 12:20:11 2016 UTC

Communication Deadline: Mar 10 12:17:43 2016 UTC

show license statistics

To display license statistics on the Cisco 5500 Series Controller, use the show license statistics command.

show license statistics

Syntax Description

This command has no arguments or keywords.

Command Default

None.

Examples

This example shows how to display the license statistics:

> show license statistics

Administrative statistics

Install success count:

Install failure count:

Install duplicate count:

0

0

0 c

Comment add count:

Comment delete count:

Clear count:

Save count:

Save cred count:

Client status

Request success count

Request failure count

Release count

Global Notify count

2

0

0

0

0

0

0

0

0

Related Commands

license install
show license all
show license detail
show license expiring
show license feature
show license image-level
show license in-use
show license summary
license modify priority
show license evaluation

show license summary

To display a brief summary of all licenses on the Cisco WLCs, use the show license summary command.

show license summary

Syntax Description

This command has no arguments or keywords.

Command Default

None.

Examples

This example shows how to display a brief summary of all licenses:

> show license summary

Index 1 Feature: wplus

Period left: Life time

License Type: Permanent

License State: Active, In Use

License Count: Non-Counted

License Priority: Medium

Index 2 Feature: wplus-ap-count

Period left: 2 weeks 3 days

License Type: Evaluation

License State: Active, In Use

License Count: 250/250/0

License Priority: High

Index 3 Feature: base

Period left: Life time

License Type: Permanent

License State: Active, Not in Use

License Count: Non-Counted

License Priority: Medium

Index 4 Feature: base-ap-count

Period left: 8 weeks 3 days

License Type: Evaluation

License State: Active, Not in Use, EULA accepted

License Count: 250/0/0

License Priority: Low

This example shows how to view the license summary on the Smart License mechanism:

(Cisco Controller) > show license summary

Smart Licensing is ENABLED

Registration:

Status: REGISTERED

Smart Account: vWLC-Prod

Virtual Account: Default

Export-Controlled Functionality: Allowed

Last Renewal Attempt: None

Next Renewal Attempt: Jun 08 12:19:38 2016 UTC

License Authorization:

Status: AUTHORIZED

Last Communication Attempt: SUCCEEDED

Next Communication Attempt: Jan 10 12:20:11 2016 UTC

show license udi

To display unique device identifier (UDI) values for licenses on the Cisco WLCs, use the show license udi command.

show license udi

Syntax Description

This command has no arguments or keywords.

Command Default

None.

Examples

This example shows how to view the UDI values for licenses on the RTU license mechanism:

(Cisco Controller) > show license udi

Device#  PID            SN           UDI
-------------------------------------------------------------------------------------
*0       AIR-CT5508-K9  RFD000P2D27  AIR-CT5508-K9:RFD000P2D27

This example shows how to view the UDI values for licenses on the Smart License mechanism:

(Cisco Controller) > show license udi

UDI: PID:AIR-CTVM-K9,SN:91U8NQ5XDBE

show license usage

To display the entitlement details and usage per handle and its entitlement tag, use the show license usage command.

show license usage

Command History

Release   Modification
8.2       This command was introduced in an 8.2 release.

Examples

This example shows how to display the entitlement details:

(Cisco Controller) > show license usage

show load-balancing

To display the status of the load-balancing feature, use the show load-balancing command.

show load-balancing

Syntax Description

This command has no arguments or keywords.

Command Default

None.

Examples

This example shows how to display the load-balancing status:

> show load-balancing

Aggressive Load Balancing........................ Enabled

Aggressive Load Balancing Window................. 0 clients

Aggressive Load Balancing Denial Count........... 3

Statistics

Total Denied Count............................... 10 clients

Total Denial Sent................................ 20 messages

Exceeded Denial Max Limit Count.................. 0 times

None 5G Candidate Count.......................... 0 times

None 2.4G Candidate Count..................... 0 times

Related Commands

config load-balancing

show local-auth config

To display local authentication configuration information, use the show local-auth config command.

show local-auth config

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release   Modification
7.6       This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to display the local authentication configuration information:

(Cisco Controller) > show local-auth config

User credentials database search order:

Primary ................................... Local DB

Configured EAP profiles:

Name ...................................... fast-test

Certificate issuer .................... default

Enabled methods ....................... fast

Configured on WLANs ................... 2

EAP Method configuration:

EAP-TLS:

Certificate issuer .................... default

Peer verification options:

Check against CA certificates ..... Enabled

Verify certificate CN identity .... Disabled

Check certificate date validity ... Enabled

EAP-FAST:

TTL for the PAC ....................... 3 600

Initial client message ................ <none>

Local certificate required ............ No

Client certificate required ........... No

Vendor certificate required ........... No

Anonymous provision allowed ........... Yes

Authenticator ID ...................... 7b7fffffff0000000000000000000000

Authority Information ................. Test

EAP Profile.................................... tls-prof

Enabled methods for this profile .......... tls

Active on WLANs ........................... 1 3

EAP Method configuration:

EAP-TLS:

Certificate issuer used ............... cisco

Peer verification options:

Check against CA certificates ..... disabled

Verify certificate CN identity .... disabled

Check certificate date validity ... disabled

Related Commands

clear stats local-auth
config local-auth active-timeout
config local-auth eap-profile
config local-auth method fast
config local-auth user-credentials
debug aaa local-auth
show local-auth certificates
show local-auth statistics
show local-auth config
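An added example (not part of the Cisco reference): a Python check that parses saved `show local-auth config` output and reports the EAP-TLS peer-verification and EAP-FAST provisioning settings that weaken local EAP. The sample text is constructed from the output shown above; the review policy in `WEAK`, the function names, and the rule for scoping the "EAP Method configuration" block are assumptions of this example.

```python
import re

# Constructed sample in the layout of the `show local-auth config` output shown
# above. Indentation is not relied on, because pasted CLI output often loses it.
SAMPLE = """\
User credentials database search order:
Primary ................................... Local DB
Configured EAP profiles:
Name ...................................... fast-test
Certificate issuer .................... default
Enabled methods ....................... fast
Configured on WLANs ................... 2
EAP Method configuration:
EAP-TLS:
Certificate issuer .................... default
Peer verification options:
Check against CA certificates ..... Enabled
Verify certificate CN identity .... Disabled
Check certificate date validity ... Enabled
EAP-FAST:
Local certificate required ............ No
Client certificate required ........... No
Anonymous provision allowed ........... Yes
EAP Profile.................................... tls-prof
Enabled methods for this profile .......... tls
Active on WLANs ........................... 1 3
EAP Method configuration:
EAP-TLS:
Certificate issuer used ............... cisco
Peer verification options:
Check against CA certificates ..... disabled
Verify certificate CN identity .... disabled
Check certificate date validity ... disabled
"""

KV = re.compile(r"^(?P<key>.+?)\s*\.{2,}\s*(?P<value>.*)$")  # "key ..... value"
METHOD = re.compile(r"^(EAP-[A-Z]+):$")                       # "EAP-TLS:", "EAP-FAST:"

# Review policy (an assumption of this example, not a Cisco rule):
# (method, field) -> (value treated as weak, reason to report).
WEAK = {
    ("EAP-TLS", "Check against CA certificates"):
        ("disabled", "peer certificate is not checked against the CA certificates"),
    ("EAP-TLS", "Verify certificate CN identity"):
        ("disabled", "certificate CN is not compared with the presented identity"),
    ("EAP-TLS", "Check certificate date validity"):
        ("disabled", "expired or not-yet-valid certificates are not rejected"),
    ("EAP-FAST", "Anonymous provision allowed"):
        ("yes", "PACs can be provisioned without authenticating the server"),
}


def parse_local_auth(text):
    """Return (scope, method, key, value) rows; scope is a profile name or 'global'."""
    rows, scope, from_list, method = [], "global", False, None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "EAP Method configuration:":
            # Assumed layout: after a "Configured EAP profiles" list this block is
            # controller-wide; after an "EAP Profile" header it belongs to that profile.
            if from_list:
                scope = "global"
            method = None
            continue
        m = METHOD.match(line)
        if m:
            method = m.group(1)
            continue
        kv = KV.match(line)
        if not kv:
            continue  # blank line or plain heading such as "Peer verification options:"
        key, value = kv.group("key").strip(), kv.group("value").strip()
        if key in ("Name", "EAP Profile"):
            # A profile header starts a new scope and clears the current method.
            scope, from_list, method = value, key == "Name", None
            continue
        rows.append((scope, method, key, value))
    return rows


def audit(text):
    """Return (scope, method, key, value, reason) for every setting that matches WEAK."""
    findings = []
    for scope, method, key, value in parse_local_auth(text):
        rule = WEAK.get((method, key))
        if rule and value.lower() == rule[0]:  # output mixes "Disabled" and "disabled"
            findings.append((scope, method, key, value, rule[1]))
    return findings


if __name__ == "__main__":
    for scope, method, key, value, reason in audit(SAMPLE):
        print(f"[{scope}] {method}: {key} = {value} -> {reason}")
```

The counters under "Certificate operations" in `show local-auth statistics` only increase for checks that are enabled, so a zero failure count does not show that peer certificates are being validated.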

show local-auth statistics

To display local Extensible Authentication Protocol (EAP) authentication statistics, use the show local-auth statistics command:

show local-auth statistics

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release   Modification
7.6       This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to display the local authentication certificate statistics:

(Cisco Controller) > show local-auth statistics

Local EAP authentication DB statistics:

Requests received ............................... 14

Responses returned .............................. 14

Requests dropped (no EAP AVP) ................... 0

Requests dropped (other reasons) ................ 0

Authentication timeouts ......................... 0

Authentication statistics:

Method     Success  Fail
------------------------------------
Unknown    0        0
LEAP       0        0
EAP-FAST   2        0
EAP-TLS    0        0
PEAP       0        0

Local EAP credential request statistics:

Requests sent to LDAP DB ........................ 0

Requests sent to File DB ........................ 2

Requests failed (unable to send) ................ 0

Authentication results received:

Success ....................................... 2

Fail .......................................... 0

Certificate operations:

Local device certificate load failures .......... 0

Total peer certificates checked ................. 0

Failures:

CA issuer check ............................... 0

CN name not equal to identity ................. 0

Dates not valid or expired .................... 0

Related Commands

clear stats local-auth
config local-auth active-timeout
config local-auth eap-profile
config local-auth method fast
config local-auth user-credentials
debug aaa local-auth
show local-auth config
show local-auth certificates
show local-auth statistics

show local-auth certificates

To display local authentication certificate information, use the show local-auth certificates command:

show local-auth certificates

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release   Modification
7.6       This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to display the authentication certificate information stored locally:

(Cisco Controller) > show local-auth certificates

Related Commands

clear stats local-auth
config local-auth active-timeout
config local-auth eap-profile
config local-auth method fast
config local-auth user-credentials
debug aaa local-auth
show local-auth config
show local-auth statistics

show logging

To display the syslog facility logging parameters and buffer contents, use the show logging command.

show logging

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release   Modification
7.6       This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to display the current settings and buffer content details:

(Cisco Controller) > show logging

(Cisco Controller) > config logging syslog host 10.92.125.52

System logs will be sent to 10.92.125.52 from now on

(Cisco Controller) > config logging syslog host 2001:9:6:40::623

System logs will be sent to 2001:9:6:40::623 from now on

(Cisco Controller) > show logging

Logging to buffer :

- Logging of system messages to buffer :

- Logging filter level.......................... errors

- Number of system messages logged.............. 1316

- Number of system messages dropped............. 6892

- Logging of debug messages to buffer ........... Disabled

- Number of debug messages logged............... 0

- Number of debug messages dropped.............. 0

- Cache of logging ............................. Disabled

- Cache of logging time(mins) ................... 10080

- Number of over cache time log dropped ........ 0

Logging to console :

- Logging of system messages to console :

- Logging filter level.......................... disabled

- Number of system messages logged.............. 0

- Number of system messages dropped............. 8243

- Logging of debug messages to console .......... Enabled

- Number of debug messages logged............... 0

- Number of debug messages dropped.............. 0

Logging to syslog :

- Syslog facility................................ local0

- Logging of system messages to console :

- Logging filter level.......................... disabled

- Number of system messages logged.............. 0

- Number of system messages dropped............. 8208

- Logging of debug messages to console .......... Enabled

- Number of debug messages logged............... 0

- Number of debug messages dropped.............. 0

- Logging of system messages to syslog :

- Logging filter level.......................... errors

- Number of system messages logged.............. 1316


- Number of system messages dropped............. 6892

- Logging of debug messages to syslog ........... Disabled

- Number of debug messages logged............... 0

- Number of debug messages dropped.............. 0

- Number of remote syslog hosts.................. 2

- syslog over tls................................ Disabled

- Host 0....................................... 10.92.125.52

- Host 1....................................... 2001:9:6:40::623

- Host 2.......................................

Logging of RFC 5424.............................. Disabled

Logging of Debug messages to file :

- Logging of Debug messages to file.............. Disabled

- Number of debug messages logged................ 0

- Number of debug messages dropped............... 0

Logging of traceback............................. Enabled

show logging last-reset

To display the logging buffer saved on last reset or power cycle of the controller, use the show logging last-reset command.

show logging last-reset

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release   Modification
8.0       This command was introduced in 8.0.140.0.

show logging flags

To display the existing flags, use the show logging flags command.

show logging flags AP | Client

Syntax Description

This command has no arguments or keywords.

Command Default

None.

Examples

This example shows how to display the current flags details:

> show logging flags

ID username Connection From Idle Time Login Time

-- ---------------------------------------------------

00 admin EIA-232 00:00:00 00:19:04

Related Commands

config logging flags close

show loginsession

To display the existing sessions, use the show loginsession command.

show loginsession

Syntax Description

This command has no arguments or keywords.

Command Default

None.

Examples

This example shows how to display the current session details:

> show loginsession

ID username Connection From Idle Time Session Time

-- ---------------------------------------------------

00 admin EIA-232 00:00:00 00:19:04

Related Commands

config loginsession close
show loginsession

show macfilter

To display the MAC filter parameters, use the show macfilter command.

show macfilter {summary | detail MAC | mesh | {wlan wlan-id}}

Syntax Description

summary        Displays a summary of all MAC filter entries.
detail MAC     Displays details of a MAC filter entry.
mesh           Displays a summary of all MESH AP MAC filter entries.
wlan wlan-id   Displays a summary of all MAC filter entries on the given WLAN.

Command Default

None

Command History

Release   Modification
7.6       This command was introduced in a release earlier than Release 7.6.
8.4       wlan wlan-id was added.

Usage Guidelines

The MAC delimiter (none, colon, or hyphen) for MAC addresses sent to RADIUS servers is displayed. The MAC filter table lists the clients that are always allowed to associate with a wireless LAN.

Examples

The following example shows how to display the details of a MAC filter entry:

(Cisco Controller) > show macfilter detail xx:xx:xx:xx:xx:xx

MAC Address...................................... xx:xx:xx:xx:xx:xx

WLAN Identifier.................................. Any

Interface Name................................... management

Description...................................... RAP

The following example shows how to display a summary of the MAC filter parameters:

(Cisco Controller) > show macfilter summary

MAC Filter RADIUS Compatibility mode............. Cisco ACS

MAC Filter Delimiter............................. None

Local Mac Filter Table

MAC Address         WLAN Id   Description
------------------------------------------------------------------
xx:xx:xx:xx:xx:xx   Any       RAP
xx:xx:xx:xx:xx:xx   Any       PAP2 (2nd hop)
xx:xx:xx:xx:xx:xx   Any       PAP1 (1st hop)

show mdns ap summary

To display all the access points for which multicast Domain Name System (mDNS) forwarding is enabled, use the show mdns ap summary command.

show mdns ap summary

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release   Modification
7.5       This command was introduced.

Examples

The following is a sample output of the show mdns ap summary command:

(Cisco Controller) > show mdns ap summary

Number of mDNS APs............................. 2

AP Name    Ethernet MAC        Number of Vlans     VlanIdentifiers
--------   -----------------   -----------------   ------------------
ap-3500    cc:ef:48:72:0d:d9   0                   Not applicable
ap-3600    00:22:bd:df:04:68   2                   124,122

The following table describes the significant fields shown in the display.

Table 13: show mdns ap summary Field Descriptions

Field              Description
AP Name            Name of the mDNS access point (access point for which mDNS forwarding is enabled).
Ethernet MAC       MAC address of the mDNS access point.
Number of VLANs    Number of VLANs from which the access point snoops the mDNS advertisements from the wired side. An access point can snoop on a maximum of 10 VLANs.
VLAN Identifiers   Identifiers of the VLANs the access point snoops on.

show mdns domain-name-ip summary

To display the summary of the multicast Domain Name System (mDNS) domain names, use the show mdns domain-name-ip summary command.

show mdns domain-name-ip summary

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release   Modification
7.5       This command was introduced.

Usage Guidelines

Each service advertisement contains a record that maps the domain name of the service provider to the IP address. The mapping also contains details such as the client MAC address, VLAN ID, Time to Live (TTL), and IPv4 address.

Examples

The following is a sample output of the show mdns domain-name-ip summary command:

(Cisco Controller) > show mdns domain-name-ip summary

Number of Domain Name-IP Entries................. 1

DomainName      MAC Address         IP Address        Vlan Id   Type     TTL            Time left
                                                                         (in seconds)   (in seconds)
-------------   -----------------   ---------------   -------   ------   ------------   ------------
tixp77.local.   00:50:b6:4f:69:70   209.165.202.128   999       mDNSAP   4725           906

The following table describes the significant fields shown in the display.

Table 14: show mdns domain-name-ip summary Field Descriptions

Field         Description
Domain Name   Domain name of the service provider.
MAC Address   MAC address of the service provider.
IP Address    IP address of the service provider.
VLAN ID       VLAN ID of the service provider.
Type          Origin of service that can be one of the following:
              • Wired
              • Wireless
              • Wired guest
              • mDNS AP
TTL           TTL value, in seconds, that determines the validity of the service offered by the service provider. The service provider is removed from the Cisco Wireless LAN Controller when the TTL expires.
Time Left     Time remaining, in seconds, before the service provider is removed from the Cisco WLC.

show mdns profile

To display mDNS profile information, use the show mdns profile command.

show mdns profile {summary | detailed profile-name}

Syntax Description

summary        Displays the summary of the mDNS profiles.
detailed       Displays details of an mDNS profile.
profile-name   Name of the mDNS profile.

Command Default

None

Command History

Release   Modification
7.4       This command was introduced.

Examples

This example shows how to display a summary of all the mDNS profiles:

> show mdns profile summary

Number of Profiles............................... 2

ProfileName            No. Of Services
---------------------------------------------
default-mdns-profile   5
profile1               2

This example shows how to display the detailed information of an mDNS profile:

> show mdns profile detailed default-mdns-profile

Profile Name..................................... default-mdns-profile

Profile Id....................................... 1

No of Services................................... 5

Services......................................... AirPrint

AppleTV

HP_Photosmart_Printer_1

HP_Photosmart_Printer_2

Printer

No. Interfaces Attached.......................... 0

No. Interface Groups Attached.................... 0

No. Wlans Attached............................... 1

Wlan Ids......................................... 1

Related Commands

config mdns query interval
config mdns service
config mdns snooping
config interface mdns-profile
config interface group mdns-profile
config wlan mdns
config mdns profile
show mdns ap
config mdns ap
show mdns service
clear mdns service-database
debug mdns all
debug mdns error
debug mdns detail
debug mdns message
show mdns profile

show mdns service

To display multicast Domain Name System (mDNS) service information, use the show mdns service command.

show mdns service {summary | detailed service-name | not-learnt}

Syntax Description

summary        Displays the summary of all mDNS services.
detailed       Displays the details of an mDNS service.
service-name   Name of the mDNS service.
not-learnt     Displays the summary of all the service advertisements that were received by the controller but were not discovered because the service query status was disabled. Service advertisements for all VLANs and origin types that are not learned are displayed in the output. The top 500 services appear in the summary list.

Command Default

None

Command History

Release   Modification
7.4       This command was introduced.
7.5       The not-learnt keyword was added.

Examples

The following is a sample output of the show mdns service summary command:

Device > show mdns service summary

Number of Services............................... 5

Service-Name              LSS   Origin     No SP   Service-string
-----------------------   ---   --------   -----   --------------------------------
AirPrint                  Yes   Wireless   1       _ipp._tcp.local.
AppleTV                   Yes   Wireless   1       _airplay._tcp.local.
HP_Photosmart_Printer_1   Yes   Wireless   1       _universal._sub._ipp._tcp.local.
HP_Photosmart_Printer_2   No    Wired      0       _cups._sub._ipp._tcp.local.
Printer                   No    Wired      0       _printer._tcp.local.

The following is a sample output of the show mdns service detailed command:

Device > show mdns service detailed AirPrint

Service Name..................................... AirPrint

Service Id....................................... 1

Service query status............................. Enabled

Service LSS status............................... Disabled


Service learn origin............................. Wired

Number of Profiles............................... 2

Profile.......................................... student-profile, guest-profile

Number of Service Providers ..................... 2

Service Provider   MAC-Address         AP Radio MAC        VLAN ID   Type       TTL    Time left
----------------   -----------------   -----------------   -------   --------   ----   ---------
user1              60:33:4b:2b:a6:9a   ----                104       Wired      4500   4484
laptopa            00:21:1b:ea:36:60   3c:ce:73:1e:69:20   105       Wireless   4500   4484

Number of priority MAC addresses ................ 1

Sl.No   MAC Address         AP group name
-----   -----------------   --------------
1       44:03:a7:a3:04:45   AP_floor1

The following is a sample output of the show mdns service not-learnt command:

Device > show mdns service not-learnt

Number of Services............................... 4

Origin     VLAN   TTL     TTL left   Client MAC          AP-MAC              Service-string
                  (sec)   (sec)
--------   ----   -----   --------   -----------------   -----------------   --------------------------
Wireless   106    120     105        00:21:6a:76:88:04   04:da:d2:b3:11:00   100.106.11.9.in-addr.arpa.
Wireless   106    120     112        00:21:6a:78:ff:82   04:da:d2:b3:11:00   102.106.11.9.in-addr.arpa.
Wireless   106    120     75         00:21:6a:78:ff:82   04:da:d2:b3:11:00   108.104.11.9.in-addr.arpa.
Wireless   106    120     119        00:21:6a:78:ff:82   04:da:d2:b3:11:00   _airplayit._tcp.local.

show media-stream client

To display the details for a specific media-stream client or a set of clients, use the show media-stream client command.

show media-stream client {media-stream_name | summary}

Syntax Description

media-stream_name   Name of the media-stream client whose details are to be displayed.
summary             Displays the details for a set of media-stream clients.

Command Default

None.

Examples

This example shows how to display a summary of media-stream clients:

> show media-stream client summary

Number of Clients................................ 1

Client Mac          Stream Name    Stream Type   Radio   WLAN   QoS     Status
-----------------   ------------   -----------   -----   ----   -----   --------
00:1a:73:dd:b1:12   mountainview   MC-direct     2.4     2      Video   Admitted

Related Commands

show media-stream group summary

show media-stream group detail

To display the details for a specific media-stream group, use the show media-stream group detail command.

show media-stream group detail media-stream_name

Syntax Description

media-stream_name

Name of the media-stream group.

Command Default

None.

Examples

This example shows how to display media-stream group configuration details:

> show media-stream group detail abc

Media Stream Name................................ abc

Start IP Address................................. 227.8.8.8

End IP Address................................... 227.9.9.9

RRC Parameters

Avg Packet Size(Bytes).......................... 1200

Expected Bandwidth(Kbps)........................ 300

Policy.......................................... Admit

RRC re-evaluation............................... periodic

QoS............................................. Video

Status.......................................... Multicast-direct

Usage Priority.................................. 5

Violation....................................... drop

Related Commands

show media-stream group summary

show media-stream group summary

To display the summary of the media stream and client information, use the show media-stream group summary command.

show media-stream group summary

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release   Modification
7.6       This command was introduced in a release earlier than Release 7.6.

Examples

This example shows how to display a summary of the media-stream group:

(Cisco Controller) > show media-stream group summary

Stream Name     Start IP         End IP           Operation Status
-------------   --------------   --------------   ----------------
abc             227.8.8.8        227.9.9.9        Multicast-direct

Related Commands

show 802.11 media-stream client
show media-stream client
show media-stream group detail

show mesh ap

To display settings for mesh access points, use the show mesh ap command.

show mesh ap {summary | tree}

Syntax Description

summary   Displays a summary of mesh access point information including the name, model, bridge virtual interface (BVI) MAC address, United States Computer Emergency Response Team (US-CERT) MAC address, hop, and bridge group name.
tree      Displays a summary of mesh access point information in a tree configuration, including the name, hop counter, link signal-to-noise ratio (SNR), and bridge group name.

Command Default

None

Command History

Release   Modification
7.6       This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to display a summary format:

(Cisco Controller) > show mesh ap summary

AP Name   AP Model             BVI MAC             CERT MAC            Hop   Bridge Group Name
--------------------------------------------------------------------------
SB_RAP1   AIR-LAP1522AG-A-K9   00:1d:71:0e:d0:00   00:1d:71:0e:d0:00   0     sbox
SB_MAP1   AIR-LAP1522AG-A-K9   00:1d:71:0e:85:00   00:1d:71:0e:85:00   1     sbox
SB_MAP2   AIR-LAP1522AG-A-K9   00:1b:d4:a7:8b:00   00:1b:d4:a7:8b:00   2     sbox
SB_MAP3   AIR-LAP1522AG-A-K9   00:1d:71:0d:ee:00   00:1d:71:0d:ee:00   3     sbox

Number of Mesh APs............................... 4

Number of RAPs................................... 1

Number of MAPs................................... 3

The following example shows how to display settings in a hierarchical (tree) format:

(Cisco Controller) > show mesh ap tree

=======================================================

|| AP Name [Hop Counter, Link SNR, Bridge Group Name] ||

=======================================================

[Sector 1]

----------

SB_RAP1[0,0,sbox]

|-SB_MAP1[1,32,sbox]

|-SB_MAP2[2,27,sbox]

|-SB_MAP3[3,30,sbox]

----------------------------------------------------

Number of Mesh APs............................... 4

Number of RAPs................................... 1

Number of MAPs................................... 3

----------------------------------------------------

Cisco Wireless Controller Command Reference, Release 8.4

1721

show mesh astools stats show mesh astools stats

To display antistranding statistics for outdoor mesh access points, use the show mesh astools stats command.

show mesh astools stats [cisco_ap]

Syntax Description

cisco_ap    (Optional) Antistranding feature statistics for a designated mesh access point.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to display anti-stranding statistics on all outdoor mesh access points:

(Cisco Controller) > show mesh astools stats
Total No of Aps stranded : 0

The following example shows how to display anti-stranding statistics for access point sb_map1:

(Cisco Controller) > show mesh astools stats sb_map1
Total No of Aps stranded : 0

show mesh backhaul

To check the current backhaul information, use the show mesh backhaul command.

show mesh backhaul cisco_ap

Syntax Description

cisco_ap    Name of the access point.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to display the current backhaul:

(Cisco Controller) > show mesh backhaul

If the current backhaul is 5 GHz, the output is as follows:

Basic Attributes for Slot 0
Radio Type................................... RADIO_TYPE_80211g
Radio Role................................... DOWNLINK ACCESS
Administrative State ........................ ADMIN_ENABLED
Operation State ............................. UP
Current Tx Power Level .................... 1
Current Channel...................................6
Antenna Type......................................Externa_ANTENNA
External Antenna Gain (in .5 dBm units)...........0

If the current backhaul is 2.4 GHz, the output is as follows:

Basic Attributes for Slot 1
Radio Type................................... RADIO_TYPE_80211a
Radio Subband................................ RADIO_SUBBAND_ALL
Radio Role................................... DOWNLINK ACCESS
Administrative State ........................ ADMIN_ENABLED
Operation State ............................. UP
Current Tx Power Level .................... 1
Current Channel ........................... 165
Antenna Type............................... EXTERNAL_ANTENNA
External Antenna Gain (in .5 dBm units).... 0

show mesh bgscan

To see the details of mesh background scan, use the show mesh bgscan command.

show mesh bgscan

Syntax Description

This command has no keywords or arguments.

Command Default

None

Command Modes

Privileged EXEC (#)

Command History

Release    Modification
8.3        This command was introduced.

Examples

Cisco Controller# show mesh bgscan

Background Scanning: enabled

Off Channel Neighbors

---------------------

Channel:165

Mac:5835.d9aa.9acf MissCnt:0 NDRespCnt:1078 HopCnt:1 AdjustedEase:4096

Flags: NEIGH BEACON

Mac:5017.ffdc.2eaf MissCnt:0 NDRespCnt:38 HopCnt:1 AdjustedEase:18648576 StickyEase:23448576

Flags: NEIGH PARENT BEACON

Channel:157

Mac:ece1.a930.bc8f MissCnt:0 NDRespCnt:5 HopCnt:1 AdjustedEase:3048576

Flags: NEIGH BEACON

Channel:161

Mac:f8c2.8883.fadf MissCnt:0 NDRespCnt:20 HopCnt:1 AdjustedEase:262144

Flags: NEIGH

Aligned Offchannel neighbors

----------------------------

Channel:165 (ON-CHANNEL)

Mac:5017.ffdc.2eaf Ease:18648576

Mac:5835.d9aa.9acf Ease:4096

Channel:157 (POTENTIAL OFFCHANNEL)

Mac:ece1.a930.bc8f Ease:3048576

Mac:0021.d8d6.a6cf Ease:0

Channel:161

Mac:f8c2.8883.fadf Ease:262144

show mesh cac

To display call admission control (CAC) topology and the bandwidth used or available in a mesh network, use the show mesh cac command.

show mesh cac {summary | {bwused {voice | video} | access | callpath | rejected} cisco_ap}

Syntax Description

summary     Displays the total number of voice calls and voice bandwidth used for each mesh access point.

bwused      Displays the bandwidth for a selected access point in a tree topology.

voice       Displays the mesh topology and the voice bandwidth used or available.

video       Displays the mesh topology and the video bandwidth used or available.

access      Displays access voice calls in progress in a tree topology.

callpath    Displays the call bandwidth distributed across the mesh tree.

rejected    Displays voice calls rejected for insufficient bandwidth in a tree topology.

cisco_ap    Mesh access point name.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to display a summary of the call admission control settings:

(Cisco Controller) > show mesh cac summary
AP Name   Slot#  Radio  BW Used/Max  Calls
-----------------------------------------
SB_RAP1   0      11b/g  0/23437      0
          1      11a    0/23437      0
SB_MAP1   0      11b/g  0/23437      0
          1      11a    0/23437      0
SB_MAP2   0      11b/g  0/23437      0
          1      11a    0/23437      0
SB_MAP3   0      11b/g  0/23437      0
          1      11a    0/23437      0

The following example shows how to display the mesh topology and the voice bandwidth used or available:

(Cisco Controller) > show mesh cac bwused voice SB_MAP1
AP Name        Slot#    Radio  BW Used/Max
-------------  -------  -----  -----------
SB_RAP1        0        11b/g  0/23437
               1        11a    0/23437
| SB_MAP1      0        11b/g  0/23437
               1        11a    0/23437
|| SB_MAP2     0        11b/g  0/23437
               1        11a    0/23437
||| SB_MAP3    0        11b/g  0/23437
               1        11a    0/23437

The following example shows how to display the access voice calls in progress in a tree topology:

(Cisco Controller) > show mesh cac access 1524_Map1
AP Name        Slot#    Radio  Calls
-------------  -------  -----  -----
1524_Rap       0        11b/g  0
               1        11a    0
               2        11a    0
| 1524_Map1    0        11b/g  0
               1        11a    0
               2        11a    0
|| 1524_Map2   0        11b/g  0
               1        11a    0
               2        11a    0

show mesh client-access

To display the backhaul client access configuration setting, use the show mesh client-access command.

show mesh client-access

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to display backhaul client access configuration settings for a mesh access point:

(Cisco Controller) > show mesh client-access
Backhaul with client access status: enabled
Backhaul with client access extended status(3 radio AP): disabled

show mesh config

To display mesh configuration settings, use the show mesh config command.

show mesh config

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to display global mesh configuration settings:

(Cisco Controller) > show mesh config

Mesh Range....................................... 12000

Mesh Statistics update period.................... 3 minutes

Backhaul with client access status............... disabled

Backhaul with extended client access status...... disabled

Background Scanning State........................ enabled

Backhaul Amsdu State............................. disabled

Mesh Security

Security Mode................................. EAP

External-Auth................................. disabled

Use MAC Filter in External AAA server......... disabled

Force External Authentication................. disabled

Mesh Alarm Criteria

Max Hop Count................................. 4

Recommended Max Children for MAP.............. 10

Recommended Max Children for RAP.............. 20

Low Link SNR.................................. 12

High Link SNR................................. 60

Max Association Number........................ 10

Association Interval.......................... 60 minutes

Parent Change Numbers......................... 3

Parent Change Interval........................ 60 minutes

Mesh Multicast Mode.............................. In-Out

Mesh Full Sector DFS............................. enabled

Mesh Ethernet Bridging VLAN Transparent Mode..... disabled

Mesh DCA channels for serial backhaul APs........ enabled

Mesh Slot Bias................................... enabled

show mesh env

To display global or specific environment summary information for mesh networks, use the show mesh env command.

show mesh env {summary | cisco_ap}

Syntax Description

summary     Displays global environment summary information.

cisco_ap    Name of access point for which environment summary information is requested.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to display global environment summary information:

(Cisco Controller) > show mesh env summary
AP Name            Temperature(C)  Heater  Ethernet  Battery
------------------------------------------------
ap1130:5f:be:90    N/A             N/A     DOWN      N/A
AP1242:b2.31.ea    N/A             N/A     DOWN      N/A
AP1131:f2.8d.92    N/A             N/A     DOWN      N/A
AP1131:46f2.98ac   N/A             N/A     DOWN      N/A
ap1500:62:39:70    -36             OFF     UP        N/A

The following example shows how to display an environment summary for an access point:

(Cisco Controller) > show mesh env SB_RAP1

AP Name.......................................... SB_RAP1

AP Model......................................... AIR-LAP1522AG-A-K9

AP Role.......................................... RootAP

Temperature...................................... 21 C, 69 F

Heater........................................... OFF

Backhaul......................................... GigabitEthernet0

GigabitEthernet0 Status.......................... UP

Duplex....................................... FULL

Speed........................................ 100

Rx Unicast Packets........................... 114754

Rx Non-Unicast Packets....................... 1464

Tx Unicast Packets........................... 9630

Tx Non-Unicast Packets....................... 3331

GigabitEthernet1 Status.......................... DOWN

POE Out........................................ OFF

Battery.......................................... N/A

show mesh neigh

To display summary or detailed information about the mesh neighbors of a mesh access point, use the show mesh neigh command.

show mesh neigh {detail | summary} {cisco_ap | all}

Syntax Description

detail      Displays the channel and signal-to-noise ratio (SNR) details between the designated mesh access point and its neighbor.

summary     Displays the mesh neighbors for a designated mesh access point.

cisco_ap    Cisco lightweight access point name.

all         Displays all access points.

Note

If an AP itself is configured with the all keyword, the all keyword access points take precedence over the AP that is named all.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to display a neighbor summary of an access point:

(Cisco Controller) > show mesh neigh summary RAP1
AP Name/Radio Mac  Channel  Rate   Link-Snr  Flags  State
-----------------  -------  -----  --------  -----  ---------------
00:1D:71:0F:CA:00  157      54     6         0x0    BEACON
00:1E:14:48:25:00  157      24     1         0x0    BEACON
MAP1-BB00          157      54     41        0x11   CHILD BEACON

The following example shows how to display the detailed neighbor statistics of an access point:

(Cisco Controller) > show mesh neigh detail RAP1
AP MAC : 00:1E:BD:1A:1A:00 AP Name: HOR1522_MINE06_MAP_S_Dyke
backhaul rate 54
FLAGS : 860 BEACON
worstDv 255, Ant 0, channel 153, biters 0, ppiters 0
Numroutes 0, snr 0, snrUp 8, snrDown 8, linkSnr 8
adjustedEase 0, unadjustedEase 0
txParent 0, rxParent 0
poorSnr 0
lastUpdate 2483353214 (Sun Aug 4 23:51:58 1912)
parentChange 0
Per antenna smoothed snr values: 0 0 0 0
Vector through 00:1E:BD:1A:1A:00

The following table lists the output flags displayed for the show mesh neigh detail command.

Table 15: Output Flags for the show mesh neigh detail command

Output Flag       Description

AP MAC            MAC address of a mesh neighbor for a designated mesh access point.

AP Name           Name of the mesh access point.

FLAGS             Describes adjacency. The possible values are as follows:

                  • UPDATED—Recently updated neighbor.
                  • NEIGH—One of the top neighbors.
                  • EXCLUDED—Neighbor is currently excluded.
                  • WASEXCLUDED—Neighbor was recently removed from the exclusion list.
                  • PERMSNR—Permanent SNR neighbor.
                  • CHILD—A child neighbor.
                  • PARENT—A parent neighbor.
                  • NEEDUPDATE—Not a current neighbor and needs an update.
                  • BEACON—Heard a beacon from this neighbor.
                  • ETHER—Ethernet neighbor.

worstDv           Worst distance vector through the neighbor.

Ant               Antenna on which the route was received.

channel           Channel of the neighbor.

biters            Number of black list timeouts left.

ppiters           Number of potential parent timeouts left.

Numroutes         Number of distance routes.

snr               Signal to Noise Ratio.

snrUp             SNR of the link to the AP.

snrDown           SNR of the link from the AP.

linkSnr           Calculated SNR of the link.

adjustedEase      Ease to the root AP through this AP. It is based on the current SNR and threshold SNR values.

unadjustedEase    Ease to the root AP through this AP after applying correction for the number of hops.

txParent          Packets sent to this node while it was a parent.

rxparent          Packets received from this node while it was a parent.

poorSnr           Packets with poor SNR received from a node.

lastUpdate        Timestamp of the last received message for this neighbor.

parentChange      When this node last became parent.

per antenna smoother SNR values    SNR value is populated only for antenna 0.

show mesh path

To display the channel and signal-to-noise ratio (SNR) details for a link between a mesh access point and its neighbor, use the show mesh path command.

show mesh path cisco_ap

Syntax Description

cisco_ap    Mesh access point name.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to display channel and SNR details for a designated link path:

(Cisco Controller) > show mesh path mesh-45-rap1
AP Name/Radio Mac  Channel  Rate   Link-Snr  Flags  State
-----------------  -------  -----  --------  -----  ---------------
MAP1-BB00          157      54     32        0x0    UPDATED NEIGH PARENT BEACON
RAP1               157      54     37        0x0    BEACON

show mesh per-stats

To display the percentage of packet errors for packets transmitted by the neighbors of a specified mesh access point, use the show mesh per-stats command.

show mesh per-stats summary {cisco_ap | all}

Syntax Description

summary     Displays the packet error rate stats summary.

cisco_ap    Name of mesh access point.

all         Displays all mesh access points.

Note

If an AP itself is configured with the all keyword, the all keyword access points take precedence over the AP that is named all.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

The packet error rate percentage equals 1, which is the number of successfully transmitted packets divided by the number of total packets transmitted.

Examples

The following example shows how to display the percentage of packet errors for packets transmitted by the neighbors to a mesh access point:

(Cisco Controller) > show mesh per-stats summary ap_12
Neighbor MAC Address 00:0B:85:5F:FA:F0
Total Packets transmitted: 104833
Total Packets transmitted successfully: 104833
Total Packets retried for transmission: 33028
RTS Attempts: 0
RTS Success: 0
Neighbor MAC Address: 00:0B:85:80:ED:D0
Total Packets transmitted: 0
Total Packets transmitted successfully: 0
Total Packets retried for transmission: 0
Neighbor MAC Address: 00:17:94:FE:C3:5F
Total Packets transmitted: 0
Total Packets transmitted successfully: 0
Total Packets retried for transmission: 0
RTS Attempts: 0
RTS Success: 0

show mesh public-safety

To display 4.8-GHz public safety settings, use the show mesh public-safety command.

show mesh public-safety

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to view 4.8-GHz public safety settings:

(Cisco Controller) > show mesh public-safety

Global Public Safety status: disabled

show mesh queue-stats

To display the number of packets in a client access queue by type for a mesh access point, use the show mesh queue-stats command.

show mesh queue-stats {cisco_ap | all}

Note

If an AP itself is configured with the all keyword, the all keyword access points take precedence over the AP that is named all.

Syntax Description

cisco_ap    Name of access point for which you want packet queue statistics.

all         Displays all access points.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to display packet queue statistics for access point ap417:

(Cisco Controller) > show mesh queue-stats ap417
Queue Type  Overflows  Peak length  Average length
----------  ---------  -----------  --------------
Silver      0          1            0.000
Gold        0          4            0.004
Platinum    0          4            0.001
Bronze      0          0            0.000
Management  0          0            0.000

show mesh security-stats

To display packet error statistics for a specific access point, use the show mesh security-stats command.

show mesh security-stats {cisco_ap | all}

Syntax Description

cisco_ap    Name of access point for which you want packet error statistics.

all         Displays all access points.

Note

If an AP itself is configured with the all keyword, the all keyword access points take precedence over the

AP that is named all.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

This command shows packet error statistics and a count of failures, timeouts, and successes with respect to associations and authentications as well as reassociations and reauthentications for the specified access point and its child.

Examples

The following example shows how to view packet error statistics for access point ap417:

(Cisco Controller) > show mesh security-stats ap417

AP MAC : 00:0B:85:5F:FA:F0

Packet/Error Statistics:

-----------------------------

Tx Packets 14, Rx Packets 19, Rx Error Packets 0

Parent-Side Statistics:

--------------------------

Unknown Association Requests 0

Invalid Association Requests 0

Unknown Re-Authentication Requests 0

Invalid Re-Authentication Requests 0

Unknown Re-Association Requests 0

Invalid Re-Association Requests 0

Child-Side Statistics:

--------------------------

Association Failures 0

Association Timeouts 0

Association Successes 0

Authentication Failures 0

Authentication Timeouts 0

Authentication Successes 0


Re-Association Failures 0

Re-Association Timeouts 0

Re-Association Successes 0

Re-Authentication Failures 0

Re-Authentication Timeouts 0

Re-Authentication Successes 0
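A monitoring job that polls this command can turn the counters into alerts. The Python below is an added example, not part of the Cisco reference: it parses output in the layout shown above and lists every non-zero failure, timeout, unknown, invalid or error counter. The sample text, its MAC address and counter values are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample in the layout of `show mesh security-stats`; the MAC
# address and every counter value are made up for illustration.
SAMPLE_OUTPUT = """\
AP MAC : 00:00:5E:00:53:10
Packet/Error Statistics:
-----------------------------
Tx Packets 14, Rx Packets 19, Rx Error Packets 0
Parent-Side Statistics:
--------------------------
Unknown Association Requests 0
Invalid Association Requests 3
Unknown Re-Authentication Requests 0
Invalid Re-Authentication Requests 0
Unknown Re-Association Requests 1
Invalid Re-Association Requests 0
Child-Side Statistics:
--------------------------
Association Failures 0
Association Timeouts 2
Association Successes 41
Authentication Failures 7
Authentication Timeouts 0
Authentication Successes 41
Re-Association Failures 0
Re-Association Timeouts 0
Re-Association Successes 5
Re-Authentication Failures 0
Re-Authentication Timeouts 0
Re-Authentication Successes 5
"""

SECTION_RE = re.compile(r"^([A-Za-z/ -]+):$")   # e.g. "Parent-Side Statistics:"
COUNTER_RE = re.compile(r"^(.+?)\s+(\d+)$")     # e.g. "Association Timeouts 2"
# Assumption: counters whose names contain these words indicate a problem.
SUSPECT_WORDS = ("Unknown", "Invalid", "Failures", "Timeouts", "Error")


def parse_security_stats(text):
    """Return {"ap_mac": str, "sections": {section: {counter: int}}}."""
    stats = {"ap_mac": None, "sections": {}}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) == {"-"}:       # blank line or dashed rule
            continue
        if line.upper().startswith("AP MAC"):
            stats["ap_mac"] = line.split(":", 1)[1].strip()
            continue
        header = SECTION_RE.match(line)
        if header:
            section = header.group(1).strip()
            stats["sections"].setdefault(section, {})
            continue
        if section is None:
            continue
        # The packet line carries several comma-separated counters.
        for piece in line.split(","):
            counter = COUNTER_RE.match(piece.strip())
            if counter:
                name, value = counter.group(1), int(counter.group(2))
                stats["sections"][section][name] = value
    return stats


def suspicious_counters(stats):
    """List (section, counter, value) for every non-zero problem counter."""
    findings = []
    for section, counters in stats["sections"].items():
        for name, value in counters.items():
            if value > 0 and any(word in name for word in SUSPECT_WORDS):
                findings.append((section, name, value))
    return findings


def child_failure_rate(stats, kind):
    """Share of child-side attempts of one kind (e.g. "Authentication")
    that ended in a failure or timeout; None when nothing was attempted."""
    child = stats["sections"].get("Child-Side Statistics", {})
    bad = child.get(f"{kind} Failures", 0) + child.get(f"{kind} Timeouts", 0)
    total = bad + child.get(f"{kind} Successes", 0)
    return bad / total if total else None


if __name__ == "__main__":
    parsed = parse_security_stats(SAMPLE_OUTPUT)
    for section, name, value in suspicious_counters(parsed):
        print(f"{parsed['ap_mac']}  {section}: {name} = {value}")
    print("Authentication failure rate:",
          child_failure_rate(parsed, "Authentication"))
```

Exact counter names are used as dictionary keys, so "Authentication Failures" and "Re-Authentication Failures" are tracked separately.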

show mesh stats

To display the mesh statistics for an access point, use the show mesh stats command.

show mesh stats cisco_ap

Syntax Description

cisco_ap    Access point name.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to display statistics of an access point:

(Cisco Controller) > show mesh stats RAP_AP1
RAP in state Maint
rxNeighReq 759978, rxNeighRsp 568673
txNeighReq 115433, txNeighRsp 759978
rxNeighUpd 8266447 txNeighUpd 693062
tnextchan 0, nextant 0, downAnt 0, downChan 0, curAnts 0
tnextNeigh 0, malformedNeighPackets 244, poorNeighSnr 27901
blacklistPackets 0, insufficientMemory 0
authenticationFailures 0
Parent Changes 1, Neighbor Timeouts 16625

show mgmtuser

To display the local management user accounts on the Cisco wireless LAN controller, use the show mgmtuser command.

show mgmtuser

Syntax Description

This command has no arguments or keywords.

Command Default

None.

Examples

This example shows how to display a list of management users:

> show mgmtuser
User Name   Permissions   Description           Password Strength
----------------------------------------------  ------------------
admin       read-write                          Weak

Related Commands

config mgmtuser add
config mgmtuser delete
config mgmtuser description
config mgmtuser password

show mobility anchor

To display the wireless LAN anchor export list for the Cisco wireless LAN controller mobility groups or to display a list and status of controllers configured as mobility anchors for a specific WLAN or wired guest LAN, use the show mobility anchor command.

show mobility anchor [wlan wlan_id | guest-lan guest_lan_id]

Syntax Description

wlan            (Optional) Displays wireless LAN mobility group settings.

wlan_id         Wireless LAN identifier from 1 to 512 (inclusive).

guest-lan       (Optional) Displays guest LAN mobility group settings.

guest_lan_id    Guest LAN identifier from 1 to 5 (inclusive).

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

The status field display (see example) shows one of the following values:

• UP—The controller is reachable and able to pass data.

• CNTRL_PATH_DOWN—The mpings failed. The controller cannot be reached through the control path and is considered failed.

• DATA_PATH_DOWN—The epings failed. The controller cannot be reached and is considered failed.

• CNTRL_DATA_PATH_DOWN—Both the mpings and epings failed. The controller cannot be reached and is considered failed.

Examples

The following example shows how to display a mobility wireless LAN anchor list:

(Cisco Controller) > show mobility anchor
Mobility Anchor Export List
WLAN ID  IP Address       Status
-------  ---------------  ------
12       192.168.0.15     UP
GLAN ID  IP Address       Status
-------  ---------------  -------
1        192.168.0.9      CNTRL_DATA_PATH_DOWN

show mobility ap-list

To display the mobility AP list, use the show mobility ap-list command.

show mobility ap-list

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to display the mobility AP list:

Note

The AP name is displayed only with New Mobility. With Old Mobility, the AP name is displayed as Unknown.

(Cisco Controller) > show mobility ap-list
AP Name            AP Radio MAC address   Controller   Learnt From
---------------------------------------------------------------  ----------------
AP30e4.dbc5.38ab   b8:62:1f:e5:33:10      9.7.104.10   Self

show mobility foreign-map

To display a mobility wireless LAN foreign map list, use the show mobility foreign-map command.

show mobility foreign-map wlan wlan_id

Syntax Description

wlan       Displays the mobility WLAN foreign-map list.

wlan_id    Wireless LAN identifier between 1 and 512.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to get a mobility wireless LAN foreign map list:

(Cisco Controller) > show mobility foreign-map wlan 2
Mobility Foreign Map List
WLAN ID  Foreign MAC Address  Interface
-------  -------------------  --------
2        00:1b:d4:6b:87:20    dynamic-105

show mobility group member

To display the details of the mobility group members in the same domain, use the show mobility group member command.

show mobility group member hash

Syntax Description

hash    Displays the hash keys of the mobility group members in the same domain.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to display the hash keys of the mobility group members:

(Cisco Controller) > show mobility group member hash
Default Mobility Domain.......................... new-mob
IP Address    Hash Key
---------------------------------------------------------
9.2.115.68    a819d479dcfeb3e0974421b6e8335582263d9169
9.6.99.10     0974421b6e8335582263d9169a819d479dcfeb3e
9.7.7.7       feb3e0974421b6e8335582263d9169a819d479dc

show mobility oracle

To display the status of the mobility controllers known to the Mobility Oracle (MO) or display the details of the MO client database, use the show mobility oracle command.

show mobility oracle {client {detail | summary} | summary}

Syntax Description

client     Displays the MO client database.

detail     Displays details pertaining to a client in MO client database.

summary    Displays the summary of the MO database.

Command Default

None

Command History

Release      Modification
7.3.112.0    This command was introduced.

Examples

The following is a sample output of the show mobility oracle summary command:

(Cisco Controller) > show mobility oracle summary
Number of MCs.................................... 2
IP Address     MAC Address         Link Status         Client Count
-----------------------------------------------------------
9.71.104.10    88:43:e1:7d:fe:00   Control Path Down   0
9.71.104.250   e8:b7:48:a2:16:e0   Up                  2

The following is a sample output of the show mobility oracle client summary command:

(Cisco Controller) > show mobility oracle client summary
Number of Clients................................ 2
MAC Address        Anchor MC              Foreign MC         AssocTime
-----------------  ---------------------  -----------------  --------------
00:18:de:b0:5c:91  9.72.104.250           -                  0
00:1e:e5:f9:c9:e2  9.72.104.250           -                  0

The following is a sample output of the show mobility oracle client detail command:

(Cisco Controller) > show mobility oracle client detail 00:1e:e5:f9:c9:e2

Client MAC Address : ............................ 00:1e:e5:f9:c9:e2

Client IP address : ............................. 0.0.0.0

Anchor MC IP address : .......................... 9.71.104.250

Anchor MC NAT IP address : ...................... 9.71.104.250

Foreign MC IP address : ......................... -


Foreign MC NAT IP address : ..................... -

Client Association Time : ....................... 0

Client Entry update timestamp : ................. 1278543135.0

show mobility statistics

To display the statistics information for the Cisco wireless LAN controller mobility groups, use the show mobility statistics command.

show mobility statistics

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to display statistics of the mobility manager:

(Cisco Controller) > show mobility statistics

Global Mobility Statistics

Rx Errors..................................... 0

Tx Errors..................................... 0

Responses Retransmitted....................... 0

Handoff Requests Received..................... 0

Handoff End Requests Received................. 0

State Transitions Disallowed.................. 0

Resource Unavailable.......................... 0

Mobility Initiator Statistics

Handoff Requests Sent......................... 0

Handoff Replies Received...................... 0

Handoff as Local Received..................... 2

Handoff as Foreign Received................... 0

Handoff Denys Received........................ 0

Anchor Request Sent........................... 0

Anchor Deny Received.......................... 0

Anchor Grant Received......................... 0

Anchor Transfer Received...................... 0

Mobility Responder Statistics

Handoff Requests Ignored...................... 0

Ping Pong Handoff Requests Dropped............ 0

Handoff Requests Dropped...................... 0

Handoff Requests Denied....................... 0

Client Handoff as Local....................... 0

Client Handoff as Foreign ................... 0

Client Handoff Inter Group ................... 0

Anchor Requests Received...................... 0

Anchor Requests Denied........................ 0

Anchor Requests Granted....................... 0

Anchor Transferred............................ 0

show mobility summary

To display the summary information for the Cisco WLC mobility groups, use the show mobility summary command.

show mobility summary

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

Some WLAN controllers may list no mobility security mode.

Examples

The following is a sample output of the show mobility summary command.

(Cisco Controller) > show mobility summary

Symmetric Mobility Tunneling (current) .......... Disabled

Symmetric Mobility Tunneling (after reboot) ..... Disabled

Mobility Protocol Port........................... 16666

Mobility Security Mode........................... Disabled

Default Mobility Domain.......................... snmp_gui

Multicast Mode .................................. Disabled

Mobility Domain ID for 802.11r................... 0x66bd

Mobility Keepalive Interval...................... 10

Mobility Keepalive Count......................... 3

Mobility Group Members Configured................ 1

Mobility Control Message DSCP Value.............. 0

Controllers configured in the Mobility Group
MAC Address        IP Address     Group Name   Multicast IP   Status
00:1b:d4:6b:87:20  1.100.163.70   snmp_gui     0.0.0.0        Up

The following is a sample output of the show mobility summary command with new mobility architecture.

(Cisco Controller) > show mobility summary

Mobility Protocol Port........................... 16666

Default Mobility Domain.......................... Mobility

Multicast Mode .................................. Disabled

Mobility Domain ID for 802.11r................... 0xb348

Mobility Keepalive Interval...................... 10

Mobility Keepalive Count......................... 3

Mobility Group Members Configured................ 3

Mobility Control Message DSCP Value.............. 0

Controllers configured in the Mobility Group

IP Address   Public IP Address  Group Name  Multicast IP  MAC Address        Status
9.71.106.2   9.72.106.2         Mobility    0.0.0.0       00:00:00:00:00:00  Control and Data Path Down
9.71.106.3   9.72.106.3         Mobility    0.0.0.0       00:00:00:00:00:00  Control and Data Path Down
9.71.106.69  9.72.106.69        Mobility    0.0.0.0       68:ef:bd:8e:5f:20  Up

show msglog

To display the message logs written to the Cisco WLC database, use the show msglog command.

show msglog

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release   Modification
7.6       This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

If there are more than 15 entries, you are prompted to display the messages shown in the example.

Examples

The following example shows how to display message logs:

(Cisco Controller) > show msglog

Message Log Severity Level..................... ERROR

Thu Aug 4 14:30:08 2005 [ERROR] spam_lrad.c 1540: AP 00:0b:85:18:b6:50 associated. Last AP failure was due to Link Failure
Thu Aug 4 14:30:08 2005 [ERROR] spam_lrad.c 13840: Updating IP info for AP 00:0b:85:18:b6:50 -- static 0, 1.100.49.240/255.255.255.0, gtw 1.100.49.1
Thu Aug 4 14:29:32 2005 [ERROR] dhcpd.c 78: dhcp server: binding to 0.0.0.0
Thu Aug 4 14:29:32 2005 [ERROR] rrmgroup.c 733: Airewave Director: 802.11a switch group reset
Thu Aug 4 14:29:32 2005 [ERROR] rrmgroup.c 733: Airewave Director: 802.11bg switch group reset
Thu Aug 4 14:29:22 2005 [ERROR] sim.c 2841: Unable to get link state for primary port 0 of interface ap-manager
Thu Aug 4 14:29:22 2005 [ERROR] dtl_l2_dot1q.c 767: Unable to get USP
Thu Aug 4 14:29:22 2005 Previous message occurred 2 times
Thu Aug 4 14:29:14 2005 [CRITICAL] osapi_sem.c 794: Error! osapiMutexTake called with NULL pointer: osapi_bsntime.c:927
Thu Aug 4 14:29:14 2005 [CRITICAL] osapi_sem.c 794: Error! osapiMutexTake called with NULL pointer: osapi_bsntime.c:919
Thu Aug 4 14:29:14 2005 [CRITICAL] hwutils.c 1861: Security Module not found
Thu Aug 4 14:29:13 2005 [CRITICAL] bootos.c 791: Starting code...

show nac statistics

To display detailed Network Access Control (NAC) information about a Cisco wireless LAN controller, use the show nac statistics command.

show nac statistics

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release   Modification
7.6       This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to display detailed statistics of network access control settings:

(Cisco Controller) > show nac statistics

Server Index....................................................... 1

Server Address..................................................... xxx.xxx.xxx.xxx

Number of requests sent............................................ 0

Number of retransmissions.......................................... 0

Number of requests received........................................ 0

Number of malformed requests received.............................. 0

Number of bad auth requests received............................... 0

Number of pending requests......................................... 0

Number of timed out requests....................................... 0

Number of misc dropped request received............................ 0

Number of requests sent............................................ 0

Related Commands
show nac summary
config guest-lan nac
config wlan nac
debug nac

show nac summary

To display NAC summary information for a Cisco wireless LAN controller, use the show nac summary command.

show nac summary

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release   Modification
7.6       This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to display summary information of network access control settings:

(Cisco Controller) > show nac summary

NAC ACL Name ...............................................

Index  Server Address   Port   State
-----  ---------------  -----  -------
1      xxx.xxx.xxx.xxx  13336  Enabled

Related Commands
show nac statistics
config guest-lan nac
config wlan nac
debug nac

show network

To display the current status of 802.3 bridging for all WLANs, use the show network command.

show network

Syntax Description

This command has no arguments or keywords.

Command Default

None.

Examples

This example shows how to display the network details:

(Cisco Controller) > show network

Related Commands
config network
show network summary
show network multicast mgid detail
show network multicast mgid summary

show network summary

To display the network configuration of the Cisco wireless LAN controller, use the show network summary command.

show network summary

Syntax Description

This command has no arguments or keywords.

Command Default

None.

Examples

This example shows how to display a summary configuration:

(Cisco Controller) > show network summary

RF-Network Name............................. RF

Web Mode.................................... Disable

Secure Web Mode............................. Enable

Secure Web Mode Cipher-Option High.......... Disable

Secure Web Mode Cipher-Option SSLv2......... Disable

Secure Web Mode RC4 Cipher Preference....... Disable

OCSP........................................ Disabled

OCSP responder URL..........................

Secure Shell (ssh).......................... Enable

Telnet...................................... Enable

Ethernet Multicast Mode..................... Disable Mode: Ucast

Ethernet Broadcast Mode..................... Disable

Ethernet Multicast Forwarding............... Disable

Ethernet Broadcast Forwarding............... Disable

AP Multicast/Broadcast Mode................. Unicast

IGMP snooping............................... Disabled

IGMP timeout................................ 60 seconds

IGMP Query Interval......................... 20 seconds

MLD snooping................................ Disabled

MLD timeout................................. 60 seconds

MLD query interval.......................... 20 seconds

User Idle Timeout........................... 300 seconds

AP Join Priority............................ Disable

ARP Idle Timeout............................ 300 seconds

ARP Unicast Mode............................ Disabled

Cisco AP Default Master..................... Disable

Mgmt Via Wireless Interface................. Disable

Mgmt Via Dynamic Interface.................. Disable

Bridge MAC filter Config.................... Enable

Bridge Security Mode........................ EAP

Over The Air Provisioning of AP's........... Enable

Apple Talk ................................. Disable

Mesh Full Sector DFS........................ Enable

AP Fallback ................................ Disable

Web Auth CMCC Support ...................... Disabled

Web Auth Redirect Ports .................... 80

Web Auth Proxy Redirect ................... Disable

Web Auth Captive-Bypass .................. Disable

Web Auth Secure Web ....................... Enable

Fast SSID Change ........................... Disabled

AP Discovery - NAT IP Only ................. Enabled

IP/MAC Addr Binding Check .................. Enabled

CCX-lite status ............................ Disable

oeap-600 dual-rlan-ports ................... Disable

oeap-600 local-network ..................... Enable

mDNS snooping............................... Disabled

mDNS Query Interval......................... 15 minutes

Web Color Theme............................. Default

CAPWAP Prefer Mode.......................... IPv4

show netuser

To display the configuration of a particular user in the local user database, use the show netuser command.

show netuser {detail user_name | guest-roles | summary}

Syntax Description

detail        Displays detailed information about the specified network user.
user_name     Network user.
guest-roles   Displays configured roles for guest users.
summary       Displays a summary of all users in the local user database.

Command Default

None

Command History

Release   Modification
7.6       This command was introduced in a release earlier than Release 7.6.

Examples

The following is a sample output of the show netuser summary command:

(Cisco Controller) > show netuser summary

Maximum logins allowed for a given username ........Unlimited

The following is a sample output of the show netuser detail command:

(Cisco Controller) > show netuser detail john10

username........................................... abc

WLAN Id............................................. Any

Lifetime............................................ Permanent

Description......................................... test user

Related Commands
config netuser add
config netuser delete
config netuser description
config netuser guest-role apply
config netuser wlan-id
config netuser guest-roles

show netuser guest-roles

To display a list of the current quality of service (QoS) roles and their bandwidth parameters, use the show netuser guest-roles command.

show netuser guest-roles

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release   Modification
7.6       This command was introduced in a release earlier than Release 7.6.

Examples

This example shows how to display a QoS role for the guest network user:

(Cisco Controller) > show netuser guest-roles

Role Name.............................. Contractor

Average Data Rate.................. 10

Burst Data Rate.................... 10

Average Realtime Rate.............. 100

Burst Realtime Rate................ 100

Role Name.............................. Vendor

Average Data Rate.................. unconfigured

Burst Data Rate.................... unconfigured

Average Realtime Rate.............. unconfigured

Burst Realtime Rate................ unconfigured

Related Commands
config netuser add
config netuser delete
config netuser description
config netuser guest-role apply
config netuser wlan-id
show netuser guest-roles
show netuser

show network multicast mgid detail

To display all the clients joined to the multicast group in a specific multicast group identification (MGID), use the show network multicast mgid detail command.

show network multicast mgid detail mgid_value

Syntax Description

mgid_value   Number between 550 and 4095.

Command Default

None.

Examples

This example shows how to display details of the multicast database:

> show network multicast mgid detail

Mgid ............................... 550

Multicast Group Address ............ 239.255.255.250

Vlan ............................... 0

Rx Packet Count .................... 807399588

No of clients ...................... 1

Client List ........................

Client MAC         Expire TIme (mm:ss)
00:13:02:23:82:ad  0:20

Related Commands
show network summary
show network multicast mgid detail
show network

show network multicast mgid summary

To display all the multicast groups and their corresponding multicast group identifications (MGIDs), use the show network multicast mgid summary command.

show network multicast mgid summary

Syntax Description

This command has no arguments or keywords.

Command Default

None.

Examples

This example shows how to display a summary of multicast groups and their MGIDs:

> show network multicast mgid summary

Layer2 MGID Mapping:
-------------------
InterfaceName                  vlanId  MGID
-----------------------------  ------  ----
management                     0       0
test                           0       9
wired                          20      8

Layer3 MGID Mapping:
-------------------
Number of Layer3 MGIDs ................ 1
Group address    Vlan  MGID
---------------  ----  ----
239.255.255.250  0     550

Related Commands
show network summary
show network multicast mgid detail
show network

show network summary

To display the network configuration settings, use the show network summary command.

show network summary

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release   Modification
7.6       This command was introduced in a release earlier than Release 7.6.
8.0       This command was updated to display the IPv6 multicast details in the network summary.

Examples

The following example displays the output of the show network summary command:

(Cisco Controller) > show network summary

RF-Network Name............................. johnny

Web Mode.................................... Enable

Secure Web Mode............................. Enable

Secure Web Mode Cipher-Option High.......... Disable

Secure Web Mode Cipher-Option SSLv2......... Disable

Secure Web Mode RC4 Cipher Preference....... Disable

OCSP........................................ Disabled

OCSP responder URL..........................

Secure Shell (ssh).......................... Enable

Telnet...................................... Enable

Ethernet Multicast Forwarding............... Enable

Ethernet Broadcast Forwarding............... Enable

IPv4 AP Multicast/Broadcast Mode............ Multicast Address : 239.9.9.9

IPv6 AP Multicast/Broadcast Mode............ Multicast Address : ff1e::6:9

IGMP snooping............................... Enabled

IGMP timeout................................ 60 seconds

IGMP Query Interval......................... 20 seconds

MLD snooping................................ Enabled

MLD timeout................................. 60 seconds

MLD query interval.......................... 20 seconds

User Idle Timeout........................... 300 seconds

ARP Idle Timeout............................ 300 seconds

Cisco AP Default Master..................... Disable

AP Join Priority............................ Disable

Mgmt Via Wireless Interface................. Enable

Mgmt Via Dynamic Interface.................. Enable

Bridge MAC filter Config.................... Enable

Bridge Security Mode........................ EAP

Mesh Full Sector DFS........................ Enable

AP Fallback ................................ Enable

Web Auth CMCC Support ...................... Disabled

Web Auth Redirect Ports .................... 80

Web Auth Proxy Redirect ................... Disable

Web Auth Captive-Bypass .................. Disable

Web Auth Secure Web ....................... Enable

Fast SSID Change ........................... Disabled

AP Discovery - NAT IP Only ................. Enabled

IP/MAC Addr Binding Check .................. Enabled

Link Local Bridging Status ................. Disabled

CCX-lite status ............................ Disable

oeap-600 dual-rlan-ports ................... Disable

oeap-600 local-network ..................... Enable

oeap-600 Split Tunneling (Printers)......... Disable

WebPortal Online Client .................... 0

WebPortal NTF_LOGOUT Client ................ 0

mDNS snooping............................... Disabled

mDNS Query Interval......................... 15 minutes

Web Color Theme............................. Default

L3 Prefer Mode.............................. IPv4
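The check below is an added example, not part of the Cisco command reference: it parses show network summary output in the dot-leader layout shown above and flags management-plane settings against a hardening baseline. The baseline table, the function names and the abbreviated sample text are assumptions constructed for illustration; the setting names are the ones printed in the sample output.

```python
import re

# "Key....... Value" rows as printed by the controller CLI. The dot leader
# may be preceded or followed by spaces, and the value may be empty.
ROW = re.compile(r"^(?P<key>.+?)\s*\.{2,}\s*(?P<value>.*)$")

# Assumed hardening baseline (illustrative, not a Cisco-published policy):
# setting name -> (state that is flagged, reason it is flagged).
BASELINE = {
    "Web Mode": ("enable", "management GUI reachable over cleartext HTTP"),
    "Secure Web Mode": ("disable", "HTTPS management is turned off"),
    "Secure Web Mode Cipher-Option High": ("disable", "weak TLS ciphers are not excluded"),
    "Secure Web Mode Cipher-Option SSLv2": ("enable", "SSLv2 is accepted"),
    "Secure Web Mode RC4 Cipher Preference": ("enable", "RC4 is preferred"),
    "Telnet": ("enable", "cleartext CLI access"),
    "Mgmt Via Wireless Interface": ("enable", "wireless clients can reach management"),
    "Web Auth Secure Web": ("disable", "web-auth login page served over HTTP"),
}


def normalise(value):
    """Fold Enable/Enabled and Disable/Disabled into one spelling."""
    word = value.strip().lower()
    if word in ("enable", "enabled"):
        return "enable"
    if word in ("disable", "disabled"):
        return "disable"
    return word


def parse_summary(text):
    """Return {setting: raw value}; lines without a dot leader are skipped."""
    settings = {}
    for line in text.splitlines():
        match = ROW.match(line.strip())
        if match:
            settings[match.group("key")] = match.group("value").strip()
    return settings


def audit(text):
    """Return (findings, missing).

    findings: (setting, value, reason) tuples in the order the CLI printed them.
    missing:  baseline settings absent from the output, reported separately so
              that a field a given release does not print is not read as a pass.
    """
    settings = parse_summary(text)
    findings = [
        (name, settings[name], BASELINE[name][1])
        for name in settings
        if name in BASELINE and normalise(settings[name]) == BASELINE[name][0]
    ]
    missing = [name for name in BASELINE if name not in settings]
    return findings, missing


# Constructed sample: an abbreviated copy of the sample output above, with the
# "Web Auth Secure Web" row left out on purpose to exercise the missing list.
SAMPLE = """\
(Cisco Controller) > show network summary
RF-Network Name............................. johnny
Web Mode.................................... Enable
Secure Web Mode............................. Enable
Secure Web Mode Cipher-Option High.......... Disable
Secure Web Mode Cipher-Option SSLv2......... Disable
Secure Web Mode RC4 Cipher Preference....... Disable
OCSP responder URL..........................
Secure Shell (ssh).......................... Enable
Telnet...................................... Enable
Mgmt Via Wireless Interface................. Enable
Web Auth Proxy Redirect ................... Disable
"""

if __name__ == "__main__":
    found, absent = audit(SAMPLE)
    for name, value, reason in found:
        print(f"FLAG  {name} = {value}: {reason}")
    for name in absent:
        print(f"CHECK {name}: not present in this output")
```
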

show nmsp notify-interval summary

To display the Network Mobility Services Protocol (NMSP) configuration settings, use the show nmsp notify-interval summary command.

show nmsp notify-interval summary

Syntax Description

This command has no arguments or keywords.

Command Default

None.

Examples

This example shows how to display NMSP configuration settings:

> show nmsp notify-interval summary

NMSP Notification Interval Summary

Client
    Measurement interval: 2 sec
RFID
    Measurement interval: 8 sec
Rogue AP
    Measurement interval: 2 sec
Rogue Client
    Measurement interval: 2 sec

Related Commands
clear locp statistics
clear nmsp statistics
config nmsp notify-interval measurement
show nmsp statistics
show nmsp status

show nmsp status

To view the active NMSP connections status, use the show nmsp status command.

show nmsp status

This command has no arguments or keywords.

Command Default

None

Command History

Release   Modification
8.3       This command was introduced.

Examples

This example shows the active nmsp connections status:

(Cisco Controller) > show nmsp status

show nmsp statistics

To display Network Mobility Services Protocol (NMSP) counters, use the show nmsp statistics command.

show nmsp statistics {summary | connection all}

Syntax Description

summary          Displays common NMSP counters.
connection all   Displays all connection-specific counters.

Command Default

None.

Examples

This example shows how to display a summary of common NMSP counters:

> show nmsp statistics summary

Send RSSI with no entry:

Send too big msg:

Failed SSL write:

Partial SSL write:

SSL write attempts to want write:

Transmit Q full:0

Max Measure Notify Msg:

Max Info Notify Msg:

Max Tx Q Size:

Max Rx Size:

Max Info Notify Q Size:

Max Client Info Notify Delay:

Max Rogue AP Info Notify Delay:

Max Rogue Client Info Notify Delay:

Max Client Measure Notify Delay:

Max Tag Measure Notify Delay:

Max Rogue AP Measure Notify Delay:

Max Rogue Client Measure Notify Delay: 0

Max Client Stats Notify Delay: 0

Max Tag Stats Notify Delay:

RFID Measurement Periodic :

RFID Measurement Immediate :

Reconnect Before Conn Timeout:

0

0

0

0

0

0

0

0

0

0

0

0

0

0

2

1

0

0

0

This example shows how to display all the connection-specific NMSP counters:

> show nmsp statistics connection all

NMSP Connection Counters

Connection 1 :

Connection status: UP

Freed Connection: 0

Nmsp Subscr Req:   0    NMSP Subscr Resp:  0
Info Req:          1    Info Resp:         1
Measure Req:       2    Measure Resp:      2
Stats Req:         2    Stats Resp:        2
Info Notify:       0    Measure Notify:    0
Loc Capability:    2
Location Req:      0    Location Rsp:      0
Loc Subscr Req:    0    Loc Subscr Rsp:    0
Loc Notif:         0
Loc Unsubscr Req:  0    Loc Unsubscr Rsp:  0
IDS Get Req:       0    IDS Get Resp:      0
IDS Notif:         0
IDS Set Req:       0    IDS Set Resp:      0

Related Commands
show nmsp notify-interval summary
clear nmsp statistics
config nmsp notify-interval measurement
show nmsp status

show nmsp subscription

To display the Network Mobility Services Protocol (NMSP) services that are active on the controller, use the show nmsp subscription command.

show nmsp subscription {summary | detail ip-addr}

Syntax Description

summary   Displays all of the NMSP services to which the controller is subscribed.
detail    Displays details for all of the NMSP services to which the controller is subscribed.
ip-addr   Details only for the NMSP services subscribed to by a specific IPv4 or IPv6 address.

Command Default

None

Command History

Release   Modification
7.6       This command was introduced in a release earlier than Release 7.6.
8.0       This command supports both IPv4 and IPv6 address formats.

Examples

This example shows how to display a summary of all the NMSP services to which the controller is subscribed:

> show nmsp subscription summary

Mobility Services Subscribed:

Server IP     Services
---------     --------
10.10.10.31   RSSI, Info, Statistics

This example shows how to display details of all the NMSP services:

> show nmsp subscription detail 10.10.10.31

Mobility Services Subscribed by 10.10.10.31

Services     Sub-services
--------     ------------
RSSI         Mobile Station, Tags,
Info         Mobile Station,
Statistics   Mobile Station, Tags,

> show nmsp subscription detail 2001:9:6:40::623

Mobility Services Subscribed by 2001:9:6:40::623

Services     Sub-services
--------     ------------
RSSI         Mobile Station, Tags,
Info         Mobile Station,
Statistics   Mobile Station, Tags,

show nmsp subscription summary

To view the mobility services subscribed on the controller by the Mobility Services Engine, use the show nmsp subscription summary command.

show nmsp subscription summary

This command has no arguments or keywords.

Command Default

None

Command History

Release   Modification
8.3       This command was introduced.

Examples

This example shows the subscribed mobility services on controller:

(Cisco Controller) > show nmsp subscription summary

show ntp-keys

To display network time protocol authentication key details, use the show ntp-keys command.

show ntp-keys

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release   Modification
7.6       This command was introduced in a release earlier than Release 7.6.

Examples

This example shows how to display NTP authentication key details:

(Cisco Controller) > show ntp-keys

Ntp Authentication Key Details...................

Key Index

-----------

1

3

Related Commands
config time ntp

show opendns summary

To display OpenDNS configuration details, use the show opendns summary command.

show opendns summary

Syntax Description

This command has no keywords or arguments.

Command Default

None

Command History

Release   Modification
8.4       This command was introduced.

Examples

The following example shows how to view an OpenDNS configuration:

(Cisco Controller) > show opendns summary

OpenDnsGlobalStatus.............................. Enabled

OpenDns-ApiToken................................. 12

Profile-Name     Device ID          State
============     ================   ==================
guest1           010a8501693bf162   Profile Registered

Profiles Mapped to WLANIDs
=========================
Profile Name     WLAN IDs (Mapped)
---------------  -----------------
guest1           7

Profiles Mapped to APGroup WLAN-IDs
===============================
Profile Name     Site Name / WLAN IDs (Mapped)
---------------  ------------------
guest1           NONE

Profiles Mapped to Local Policies
--More-- or (q)uit
=========================
Profile Name     Local Policies (Mapped)
---------------  -----------------
guest1           NONE

show policy

To display the summary of the configured policies, and the details and statistics of a policy, use the show policy command.

show policy {summary | policy-name [statistics]}

Syntax Description

summary       Displays the summary of configured policies.
policy-name   Name of the policy.
statistics    (Optional) Displays the statistics of a policy.

Command Default

None

Command History

Release   Modification
7.5       This command was introduced.

Examples

The following is a sample output of the show policy summary command:

(Cisco Controller) > show policy summary

Number of Policies............................. 2

Policy Index Policy Name

------------ ----------------

1 student-FullAccess

2 teacher-FullAccess

The following example shows how to display the details of a policy:

(Cisco Controller) > show policy student-FullAccess

Policy Index..................................... 1

Match Role....................................... <none>

Match Eap Type................................... EAP-TLS

ACL.............................................. <none>

QOS.............................................. <none>

Average Data Rate................................ 0

Average Real Time Rate........................... 0

Burst Data Rate.................................. 0

Burst Real Time Rate............................. 0

Vlan Id.......................................... 155

Session Timeout.................................. 1800

Sleeping client timeout.......................... 12

Active Hours

------------

Start Time End Time Day


-------------------

Match Device Types

------------------

Android

The following example shows how to display the statistics of a policy:

(Cisco Controller) > show policy student-FullAccess statistics

Policy Index..................................... student-FullAccess

Matching Attributes None......................... 619

No Policy Match.................................. 224

Device Type Match................................ 0

EAP Type Match................................... 0

Role Type Match.................................. 0

Client Disconnected.............................. 4

Acl Applied...................................... 0

Vlan changed..................................... 614

Session Timeout Applied.......................... 4

QoS Applied...................................... 0

Avg Data Rate Applied............................ 0

Avg Real Time Rate Applied....................... 0

Burst Data Rate Applied.......................... 0

Burst Real Time Rate Applied..................... 0

Sleeping-Client-Timeout Applied.................. 0

show port

To display the Cisco wireless LAN controller port settings on an individual or global basis, use the show port command.

show port {port | summary}

Syntax Description

port      Information on the individual ports.
summary   Displays all ports.

Command Default

None

Command History

Release   Modification
7.6       This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to display information about an individual wireless LAN controller port:

(Cisco Controller) > show port 1

             STP   Admin   Physical  Physical   Link    Link    Mcast
Pr  Type     Stat  Mode    Mode      Status     Status  Trap    Appliance  POE
--  -------  ----  ------  --------  ---------  ------  ------  ---------  ---
1   Normal   Disa  Enable  Auto      1000 Full  Down    Enable  Enable     N/A

Note

Some WLAN controllers may not have multicast or Power over Ethernet (PoE) listed because they do not support those features.

The following example shows how to display a summary of all ports:

(Cisco Controller) > show port summary

             STP   Admin   Physical  Physical   Link    Link    Mcast
Pr  Type     Stat  Mode    Mode      Status     Status  Trap    Appliance  POE  SFPType
--  -------  ----  ------  --------  ---------  ------  ------  ---------  ---  ----------
1   Normal   Forw  Enable  Auto      1000 Full  Up      Enable  Enable     N/A  NotPresent
2   Normal   Disa  Enable  Auto      1000 Full  Down    Enable  Enable     N/A  NotPresent
3   Normal   Disa  Enable  Auto      1000 Full  Down    Enable  Enable     N/A  NotPresent
4   Normal   Disa  Enable  Auto      1000 Full  Down    Enable  Enable     N/A  NotPresent

Note

Some WLAN controllers may have only one port listed because they have only one physical port.

show profiling policy summary

To display local device classification of the Cisco Wireless LAN Controller (WLC), use the show profiling policy summary command.

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release   Modification
7.5       This command was introduced.

Examples

The following is a sample output of the show profiling policy summary command:

(Cisco Controller) > show profiling policy summary

Number of Builtin Classification Profiles: 88

ID    Name                              Parent  Min CM  Valid
====  ================================  ======  ======  =====
0     Android                           None    30      Yes
1     Apple-Device                      None    10      Yes
2     Apple-MacBook                     1       20      Yes
3     Apple-iPad                        1       20      Yes
4     Apple-iPhone                      1       20      Yes
5     Apple-iPod                        1       20      Yes
6     Aruba-Device                      None    10      Yes
7     Avaya-Device                      None    10      Yes
8     Avaya-IP-Phone                    7       20      Yes
9     BlackBerry                        None    20      Yes
10    Brother-Device                    None    10      Yes
11    Canon-Device                      None    10      Yes
12    Cisco-Device                      None    10      Yes
13    Cisco-IP-Phone                    12      20      Yes
14    Cisco-IP-Phone-7945G              13      70      Yes
15    Cisco-IP-Phone-7975               13      70      Yes
16    Cisco-IP-Phone-9971               13      70      Yes
17    Cisco-DMP                         12      20      Yes
18    Cisco-DMP-4400                    17      70      Yes
19    Cisco-DMP-4310                    17      70      Yes
20    Cisco-DMP-4305                    17      70      Yes
21    DLink-Device                      None    10      Yes
22    Enterasys-Device                  None    10      Yes
23    HP-Device                         None    10      Yes
24    HP-JetDirect-Printer              23      30      Yes
25    Lexmark-Device                    None    10      Yes
26    Lexmark-Printer-E260dn            25      30      Yes
27    Microsoft-Device                  None    10      Yes
28    Netgear-Device                    None    10      Yes
29    NintendoWII                       None    10      Yes
30    Nortel-Device                     None    10      Yes
31    Nortel-IP-Phone-2000-Series       30      20      Yes
32    SonyPS3                           None    10      Yes
33    XBOX360                           27      20      Yes
34    Xerox-Device                      None    10      Yes
35    Xerox-Printer-Phaser3250          34      30      Yes
36    Aruba-AP                          6       20      Yes
37    Cisco-Access-Point                12      10      Yes
38    Cisco-IP-Conference-Station-7935  13      70      Yes
39    Cisco-IP-Conference-Station-7936  13      70      Yes
40    Cisco-IP-Conference-Station-7937  13      70      Yes

show qos

To display quality of service (QoS) information, use the show qos command.

show qos {bronze | gold | platinum | silver}

Syntax Description

bronze     Displays QoS information for the bronze profile of the WLAN.
gold       Displays QoS information for the gold profile of the WLAN.
platinum   Displays QoS information for the platinum profile of the WLAN.
silver     Displays QoS information for the silver profile of the WLAN.

Command Default

None.

Examples

This example shows how to display QoS information for the gold profile:

> show qos gold

Description...................................... For Video Applications
Maximum Priority................................. video
Unicast Default Priority......................... video
Multicast Default Priority....................... video
Per-SSID Rate Limits............................. Upstream Downstream
Average Data Rate................................ 0 0
Average Realtime Data Rate....................... 0 0
Burst Data Rate.................................. 0 0
Burst Realtime Data Rate......................... 0 0
Per-Client Rate Limits........................... Upstream Downstream
Average Data Rate................................ 0 0
Average Realtime Data Rate....................... 0 0
Burst Data Rate.................................. 0 0
Burst Realtime Data Rate......................... 0 0
protocol......................................... none
802.11a Customized EDCA Settings:
    ecwmin....................................... 3
    ecwmax....................................... 4
    aifs......................................... 7
    txop......................................... 94
802.11a Customized packet parameter Settings:
    Packet retry time............................ 3
    Not retrying threshold....................... 100
    Disassociating threshold..................... 500
    Time out value............................... 35

Related Commands

config qos protocol-type

show qos qosmap

To see the current QoS map configuration, use the show qos command.

show qos qosmap

Syntax Description

qosmap    Displays the current QoS map

Command Default

None

Command History

Release    Modification
8.1        This command was introduced.

Examples

The following example shows the current QoS map configuration:

show qos qosmap

show queue-info

To display all the message queue information pertaining to the system, use the show queue-info command.

show queue-info

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release    Modification
7.5        This command was introduced.

Examples

The following is a sample output of the show queue-info command.

(Cisco Controller) > show queue-info

Total message queue count = 123

Queue Name             Allocated  InUse  MaxUsed
---------------------------------------------------------------
PRINTF-Q               256        0      0
dtlqueue               4096       0      6
GRE Queue              100        0      1
dtlarpqueue            4096       0      6
NIM-Q                  116        0      1
SIM-Q                  116        0      6
DHCP Client Queue      8          0      0
dhcpv6ProxyMsgQueue    250        0      0
FDQ-Q                  30300      0      3
dot1d_Queue            512        0      29
Garp-Q                 256        0      1
dot3ad_queue           1024       0      0
DEBUG-Q                8192       0      8
LOGGER-Q               8192       0      5
TS-Q                   256        0      0

The following table describes the significant fields shown in the display.

Table 16: show queue-info Field Descriptions

Field         Description
Queue Name    Name of the task message queue.
Allocated     Memory size, in bytes, of the message queue.
InUse         Queue that is currently used. A value of 0 indicates that there are no messages that have to be processed by the task.
MaxUsed       Maximum number of messages processed by the task after the controller is up.

show pmk-cache

To display information about the pairwise master key (PMK) cache, use the show pmk-cache command.

show pmk-cache {all | MAC}

Syntax Description

all    Displays information about all entries in the PMK cache.
MAC    Information about a single entry in the PMK cache.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to display information about a single entry in the PMK cache:

(Cisco Controller) > show pmk-cache xx:xx:xx:xx:xx:xx

The following example shows how to display information about all entries in the PMK cache:

(Cisco Controller) > show pmk-cache all

PMK Cache
                  Entry
Station           Lifetime  VLAN Override  IP Override
---------------------------------------------------------

show pmipv6 domain

To display the summary information of a PMIPv6 domain, use the show pmipv6 domain command.

show pmipv6 domain domain_name profile profile_name

Syntax Description

domain_name     Name of the PMIPv6 domain. The domain name can be up to 127 case-sensitive alphanumeric characters.
profile         Specifies the PMIPv6 profile.
profile_name    Name of the profile associated with the PMIPv6 domain. The profile name can be up to 127 case-sensitive alphanumeric characters.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to display the summary information of a PMIPv6 domain:

(Cisco Controller) > show pmipv6 domain floor1 profile profile1

NAI: @example.com
APN: Example
LMA: Examplelma
NAI: *
APN: ciscoapn
LMA: ciscolma

show pmipv6 mag bindings

To display the binding information of a Mobile Access Gateway (MAG), use the show pmipv6 mag binding command.

show pmipv6 mag bindings [lma lma_name | nai nai_string]

Syntax Description

lma           (Optional) Displays the binding details of the MAG to a Local Mobility Anchor (LMA).
lma_name      Name of the LMA. The LMA name is case-sensitive and can be up to 127 alphanumeric characters.
nai           (Optional) Displays the binding details of the MAG to a client.
nai_string    Network Access Identifier (NAI) of the client. The NAI is case-sensitive and can be up to 127 alphanumeric characters. You can use all special characters except a colon.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to display the MAG bindings:

(Cisco Controller) > show pmipv6 mag binding

[Binding][MN]: Domain: D1, Nai: [email protected]

[Binding][MN]: State: ACTIVE

[Binding][MN]: Interface: Management

[Binding][MN]: Hoa: 0xE0E0E02, att: 3, llid: aabb.cc00.c800

[Binding][MN][LMA]: Id: LMA1

[Binding][MN][LMA]: lifetime: 3600

[Binding][MN][GREKEY]: Upstream: 102, Downstream: 1


show pmipv6 mag globals

To display the global PMIPv6 parameters of the Mobile Access Gateway (MAG), use the show pmipv6 mag globals command.

show pmipv6 mag globals

Syntax Description

This command has no arguments or keywords.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to display the global PMIPv6 parameters of a MAG:

(Cisco Controller) > show pmipv6 mag globals

Domain                : D1
MAG Identifier        : M1
MAG Interface         : Management
Max Bindings          : 10000
Registration Lifetime : 3600 (sec)
BRI Init-delay time   : 1000 (msec)
BRI Max-delay time    : 2000 (msec)
BRI Max retries       : 1
Refresh time          : 300 (sec)
Refresh RetxInit time : 1000 (msec)
Refresh RetxMax time  : 32000 (msec)
Timestamp option      : Enabled
Validity Window       : 7
Peer#1:
LMA Name: AN-LMA-5K    LMA IP: 209.165.201.10
Peer#2:
LMA Name: AN-LMA       LMA IP: 209.165.201.4
Peer#3:
LMA Name: AN-LMA       LMA IP: 209.165.201.4

show pmipv6 mag stats

To display the statistics of the Mobile Access Gateway (MAG), use the show pmipv6 mag stats command.

show pmipv6 mag stats [domain domain_name peer lma_name]

Syntax Description

domain         (Optional) Displays the MAG statistics for a Local Mobility Anchor (LMA) in the domain.
domain_name    Name of the PMIPv6 domain. The domain name is case-sensitive and can be up to 127 alphanumeric characters.
peer           (Optional) Displays the MAG statistics for an LMA.
lma_name       Name of the LMA. The LMA name is case sensitive and can be up to 127 alphanumeric characters.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

This table lists the descriptions of the LMA statistics.

Table 17: Descriptions of the LMA Statistics:

LMA Statistics       Description
PBU Sent             Total number of Proxy Binding Updates (PBUs) sent to the LMA by the MAG. PBU is a request message sent by the MAG to a mobile node’s LMA for establishing a binding between the mobile node’s interface and its current care-of address (Proxy-CoA).
PBA Received         Total number of Proxy Binding Acknowledgements (PBAs) received by the MAG from the LMA. PBA is a reply message sent by an LMA in response to a PBU message that it receives from a MAG.
PBRI Sent            Total number of Proxy Binding Revocation Indications (PBRIs) sent by the MAG to the LMA.
PBRI Received        Total number of PBRIs received from the LMA by the MAG.
PBRA Sent            Total number of Proxy Binding Revocation Acknowledgements (PBRAs) sent by the MAG to the LMA.
PBRA Received        Total number of PBRAs that the MAG receives from the LMA.
Number of Handoff    Number of handoffs between the MAG and the LMA.

Examples

The following example shows how to display the LMA statistics:

(Cisco Controller) > show pmipv6 mag stats

[M1]: Total Bindings : 1
[M1]: PBU Sent       : 7
[M1]: PBA Rcvd       : 4
[M1]: PBRI Sent      : 0
[M1]: PBRI Rcvd      : 0
[M1]: PBRA Sent      : 0
[M1]: PBRA Rcvd      : 0
[M1]: No Of handoff  : 0

show pmipv6 profile summary

To display the summary of the PMIPv6 profiles, use the show pmipv6 profile summary command.

show pmipv6 profile summary

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to display the summary of the PMIPv6 profiles:

(Cisco Controller) > show pmipv6 profile summary

Profile Name  WLAN IDS (Mapped)
------------  -----------------
Group1        6

Show Commands: r to z

show radius acct detailed
show radius acct statistics
show radius auth detailed
show radius auth statistics
show radius avp-list
show radius summary
show redundancy interfaces
show redundancy latency
show redundancy mobilitymac
show redundancy peer-route summary
show redundancy statistics
show redundancy summary
show redundancy timers
show remote-lan
show reset
show rfid client
show rfid config
show rfid detail
show rfid summary
show rf-profile summary
show rf-profile details
show rogue adhoc custom summary
show rogue adhoc detailed
show rogue adhoc friendly summary
show rogue adhoc malicious summary
show rogue adhoc unclassified summary
show rogue adhoc summary
show rogue ap clients
show rogue ap custom summary
show rogue ap detailed
show rogue ap friendly summary
show rogue ap malicious summary
show rogue ap summary
show rogue ap unclassified summary
show rogue auto-contain
show rogue client detailed
show rogue client summary
show rogue ignore-list
show rogue rule detailed
show rogue rule summary
show route kernel
show route summary
show rules
show run-config
show run-config startup-commands
show serial
show sessions
show snmpcommunity
show snmpengineID
show snmptrap
show snmpv3user
show snmpversion
show spanningtree port
show spanningtree switch
show stats port
show stats switch
show switchconfig
show sysinfo
show tacacs acct statistics
show tacacs athr statistics
show tacacs auth statistics
show tacacs summary
show tech-support
show time
show trapflags
show traplog
show tunnel profile-summary
show tunnel profile-detail
show tunnel eogre-summary
show tunnel eogre-statistics
show tunnel eogre-domain-summary
show tunnel eogre gateway
show watchlist
show wlan
show wps ap-authentication summary
show wps cids-sensor
show wps mfp
show wps shun-list
show wps signature detail
show wps signature events
show wps signature summary
show wps summary
show wps wips statistics
show wps wips summary
show wps ap-authentication summary

show radius acct detailed

To display RADIUS accounting server information, use the show radius acct detailed command.

show radius acct detailed radius_index

Syntax Description

radius_index    RADIUS server index. The range is from 1 to 17.

Command Default

None

Command History

Release    Modification
8.0        This command was introduced.

Examples

The following example shows how to display RADIUS accounting server information:

(Cisco Controller) > show radius acct detailed 5

Radius Index........5
NAI Realms..........LAB.VTV.BLR.cisco.co.in

show radius acct statistics

To display the RADIUS accounting server statistics for the Cisco wireless LAN controller, use the show radius acct statistics command.

show radius acct statistics

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to display RADIUS accounting server statistics:

(Cisco Controller) > show radius acct statistics

Accounting Servers:

Server Index..................................... 1

Server Address................................... 10.1.17.10

Msg Round Trip Time.............................. 0 (1/100 second)

First Requests................................... 0

Retry Requests................................... 0

Accounting Responses............................. 0

Malformed Msgs................................... 0

Bad Authenticator Msgs........................... 0

Pending Requests................................. 0

Timeout Requests................................. 0

Unknowntype Msgs................................. 0

Other Drops...................................... 0

Related Commands

config radius acct
config radius acct ipsec authentication
config radius acct ipsec disable
config radius acct network
show radius auth statistics
show radius summary

show radius auth detailed

To display RADIUS authentication server information, use the show radius auth detailed command.

show radius auth detailed radius_index

Syntax Description

radius_index    RADIUS server index. The range is from 1 to 17.

Command Default

None

Command History

Release    Modification
8.0        This command was introduced.

Examples

The following example shows how to display RADIUS authentication server information:

(Cisco Controller) > show radius auth detailed 1

Radius Index........1
NAI Realms..........LAB.VTV.BLR.cisco.co.in

show radius auth statistics

To display the RADIUS authentication server statistics for the Cisco wireless LAN controller, use the show radius auth statistics command.

show radius auth statistics

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to display RADIUS authentication server statistics:

(Cisco Controller) > show radius auth statistics

Authentication Servers:

Server Index..................................... 1

Server Address................................... 1.1.1.1

Msg Round Trip Time.............................. 0 (1/100 second)

First Requests................................... 0

Retry Requests................................... 0

Accept Responses................................. 0

Reject Responses................................. 0

Challenge Responses.............................. 0

Malformed Msgs................................... 0

Bad Authenticator Msgs........................... 0

Pending Requests................................. 0

Timeout Requests................................. 0

Unknowntype Msgs................................. 0

Other Drops...................................... 0

Related Commands

config radius auth
config radius auth management
config radius auth network
show radius summary
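The following Python example is added here and is not part of the Cisco reference. It parses text in the dotted-leader layout of the show radius auth statistics and show radius acct statistics examples and flags servers whose integrity counters are non-zero or whose timeout or reject ratios are high. The sample text, the 192.0.2.x addresses, the function names, the thresholds and the reading of each counter (taken from the RADIUS client MIB, RFC 2618) are assumptions made for illustration.

```python
import re

# Constructed sample in the dotted-leader layout of the example above.
# The 192.0.2.x addresses and all counter values are made up for illustration.
SAMPLE_OUTPUT = """\
Authentication Servers:
Server Index..................................... 1
Server Address................................... 192.0.2.10
Msg Round Trip Time.............................. 2 (1/100 second)
First Requests................................... 1200
Retry Requests................................... 4
Accept Responses................................. 1150
Reject Responses................................. 46
Challenge Responses.............................. 0
Malformed Msgs................................... 0
Bad Authenticator Msgs........................... 0
Pending Requests................................. 0
Timeout Requests................................. 4
Unknowntype Msgs................................. 0
Other Drops...................................... 0
Server Index..................................... 2
Server Address................................... 192.0.2.20
Msg Round Trip Time.............................. 35 (1/100 second)
First Requests................................... 400
Retry Requests................................... 90
Accept Responses................................. 20
Reject Responses................................. 310
Challenge Responses.............................. 0
Malformed Msgs................................... 0
Bad Authenticator Msgs........................... 7
Pending Requests................................. 0
Timeout Requests................................. 63
Unknowntype Msgs................................. 0
Other Drops...................................... 0
"""

# "Label.... value": a label, a run of two or more dots, then the value.
LINE_RE = re.compile(r"^(?P<key>.+?)\.{2,}\s*(?P<value>.*)$")

# Counters expected to stay at zero. The reasons are this example's reading
# of the counter names (assumption, following RFC 2618), not Cisco's wording.
INTEGRITY_COUNTERS = {
    "Bad Authenticator Msgs": "reply failed authenticator check "
                              "(shared-secret mismatch or forged reply)",
    "Malformed Msgs": "reply could not be decoded",
    "Unknowntype Msgs": "reply carried an unexpected packet type",
}


def parse_servers(text):
    """Split the output into one dict per 'Server Index' block."""
    servers, current = [], None
    for raw in text.splitlines():
        match = LINE_RE.match(raw.strip())
        if not match:
            continue  # section titles such as "Authentication Servers:"
        key, value = match.group("key").strip(), match.group("value").strip()
        if key == "Server Index":
            current = {}
            servers.append(current)
        if current is not None:
            # Plain counters become ints; "2 (1/100 second)" or an IP stays text.
            current[key] = int(value) if value.isdigit() else value
    return servers


def _count(server, name):
    """Counter value as int; missing or non-numeric fields count as 0."""
    value = server.get(name, 0)
    return value if isinstance(value, int) else 0


def review(servers, max_timeout_ratio=0.05, max_reject_ratio=0.5):
    """Return (server address, counter, value, reason) tuples to investigate.

    Both ratio thresholds are hypothetical defaults; tune them to a baseline.
    """
    findings = []
    for srv in servers:
        addr = srv.get("Server Address", "unknown")
        for name, reason in INTEGRITY_COUNTERS.items():
            if _count(srv, name) > 0:
                findings.append((addr, name, _count(srv, name), reason))
        first = _count(srv, "First Requests")
        if first == 0:
            continue  # idle server: ratios are undefined
        ratios = (
            ("Timeout Requests", max_timeout_ratio, "server slow or unreachable"),
            # Absent in accounting statistics, so it simply counts as 0 there.
            ("Reject Responses", max_reject_ratio, "unusually many failed logins"),
        )
        for name, limit, reason in ratios:
            value = _count(srv, name)
            if value / first > limit:
                findings.append((addr, name, value,
                                 f"{reason} ({value} of {first} first requests)"))
    return findings


if __name__ == "__main__":
    for finding in review(parse_servers(SAMPLE_OUTPUT)):
        print(*finding, sep=" | ")
```
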

show radius avp-list

To display RADIUS VSA AVPs, use the show radius avp-list command.

show radius avp-list profile-name

Syntax Description

profile-name    Profile name for which the downloaded AVPs are to be shown.

Command Default

None

Command History

Release    Modification
8.0        This command was introduced.

Examples

The following example shows how to display RADIUS VSA AVPs:

(Cisco Controller) > show radius avp-list

show radius summary

To display the RADIUS authentication and accounting server summary, use the show radius summary command.

show radius summary

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to display a RADIUS authentication server summary:

(Cisco Controller) > show radius summary

Vendor Id Backward Compatibility................. Disabled

Credentials Caching.............................. Disabled

Call Station Id Type............................. IP Address

Administrative Authentication via RADIUS......... Enabled

Authentication Servers

Index Type Server Address Port State Tout RFC-3576 IPsec AuthMode/Phase1/Group/Lifetime/Auth/Encr
--------------------------------------------------------------------------------------------

Accounting Servers

Index Type Server Address Port State Tout RFC-3576 IPsec - AuthMode/Phase1/Group/Lifetime/Auth/Encr
--------------------------------------------------------------------------------------------

Related Commands

show radius auth statistics
show radius acct statistics

show redundancy interfaces

To display details of redundancy and service port IP addresses, use the show redundancy interfaces command.

show redundancy interfaces

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to display the redundancy and service port IP addresses information:

(Cisco Controller) > show redundancy interfaces

Redundancy Management IP Address................. 9.4.120.5

Peer Redundancy Management IP Address............ 9.4.120.3

Redundancy Port IP Address....................... 169.254.120.5

Peer Redundancy Port IP Address.................. 169.254.120.3

Peer Service Port IP Address..................... 10.104.175.189


show redundancy latency

To display the average latency to reach the management gateway and the peer redundancy management IP address, use the show redundancy latency command.

show redundancy latency

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to display the average latency to reach the management gateway and the peer redundancy management IP address:

(Cisco Controller) > show redundancy latency

Network Latencies (RTT) for the Peer Reachability on the Redundancy Port in micro seconds for the past 10 intervals
Peer Reachability Latency[ 1 ]  : 524 usecs
Peer Reachability Latency[ 2 ]  : 524 usecs
Peer Reachability Latency[ 3 ]  : 522 usecs
Peer Reachability Latency[ 4 ]  : 526 usecs
Peer Reachability Latency[ 5 ]  : 524 usecs
Peer Reachability Latency[ 6 ]  : 524 usecs
Peer Reachability Latency[ 7 ]  : 522 usecs
Peer Reachability Latency[ 8 ]  : 522 usecs
Peer Reachability Latency[ 9 ]  : 526 usecs
Peer Reachability Latency[ 10 ] : 523 usecs
Network Latencies (RTT) for the Management Gateway Reachability in micro seconds for the past 10 intervals
Gateway Reachability Latency[ 1 ]  : 1347 usecs
Gateway Reachability Latency[ 2 ]  : 2427 usecs
Gateway Reachability Latency[ 3 ]  : 1329 usecs
Gateway Reachability Latency[ 4 ]  : 2014 usecs
Gateway Reachability Latency[ 5 ]  : 2675 usecs
Gateway Reachability Latency[ 6 ]  : 731 usecs
Gateway Reachability Latency[ 7 ]  : 1882 usecs
Gateway Reachability Latency[ 8 ]  : 2853 usecs
Gateway Reachability Latency[ 9 ]  : 832 usecs
Gateway Reachability Latency[ 10 ] : 3708 usecs

show redundancy mobilitymac

To display the High Availability (HA) mobility MAC address that is used to communicate with the peer, use the show redundancy mobilitymac command.

show redundancy mobilitymac

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to display the HA mobility MAC address used to communicate with the peer:

(Cisco Controller) > show redundancy mobilitymac

ff:ff:ff:ff:ff:ff

show redundancy peer-route summary

To display the routes assigned to the standby WLC, use the show redundancy peer-route summary command.

show redundancy peer-route summary

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to display all the configured routes of the standby WLC:

(Cisco Controller) > show redundancy peer-route summary

Number of Routes................................. 1

Destination Network  Netmask             Gateway
-------------------  ------------------  ------------------
xxx.xxx.xxx.xxx      255.255.255.0       xxx.xxx.xxx.xxx

show redundancy statistics

To display the statistics information of the Redundancy Manager, use the show redundancy statistics command.

show redundancy statistics

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

This command displays the statistics of different redundancy counters.

Local Physical Ports - Connectivity status of each physical port of the controller. 1 indicates that the port is up and 0 indicates that the port is down.

Peer Physical Ports - Connectivity status of each physical port of the peer controller. 1 indicates that the port is up and 0 indicates that the port is down.

Examples

The following example shows how to display the statistics information of the Redundancy Manager:

(Cisco Controller) > show redundancy statistics

Redundancy Manager Statistics
Keep Alive Request Send Counter       : 16
Keep Alive Response Receive Counter   : 16
Keep Alive Request Receive Counter    : 500322
Keep Alive Response Send Counter      : 500322
Ping Request to Default GW Counter    : 63360
Ping Response from Default GW Counter : 63360
Ping Request to Peer Counter          : 12
Ping Response from Peer Counter       : 3
Keep Alive Loss Counter               : 0
Default GW Loss Counter               : 0
Local Physical Ports 1...8            : 10000000
Peer Physical Ports 1...8             : 10000000

show redundancy summary

To display the redundancy summary information, use the show redundancy summary command.

show redundancy summary

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to display the redundancy summary information of the controller:

(Cisco Controller) > show redundancy summary

Redundancy Mode = SSO DISABLED

Local State = ACTIVE

Peer State = N/A

Unit = Primary

Unit ID = 88:43:E1:7E:03:80

Redundancy State = N/A

Mobility MAC = 88:43:E1:7E:03:80

Network Monitor = ENABLED

Link Encryption = DISABLED

BulkSync Status = <Status>

Average Redundancy Peer Reachability Latency = 1390 usecs

Average Management Gateway Reachability Latency = 1165 usecs

Redundancy Management IP Address................. 9.4.92.12

Peer Redundancy Management IP Address............ 9.4.92.14

Redundancy Port IP Address....................... 169.254.92.12

Peer Redundancy Port IP Address.................. 169.254.92.14


show redundancy timers

To display details of the Redundancy Manager timers, use the show redundancy timers command.

show redundancy timers

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to display the details of the Redundancy Manager timers:

(Cisco Controller) > show redundancy timers

Keep Alive Timer  : 100 msecs
Peer Search Timer : 120 secs

show remote-lan

To display information about remote LAN configuration, use the show remote-lan command.

show remote-lan { summary | remote-lan-id }

Syntax Description

summary          Displays a summary of all remote LANs.
remote-lan-id    Remote LAN identifier.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to display a summary of all remote LANs:

(Cisco Controller) > show remote-lan summary

Number of Remote LANS............................ 2

RLAN ID RLAN Profile Name Status Interface Name

---------------------------------------------------------------------

2 remote Disabled management

8 test Disabled management

The following example shows configuration information about the remote LAN with the remote-lan-id 2:

(Cisco Controller) > show remote-lan 2

Remote LAN Identifier............................ 2

Profile Name..................................... remote

Status........................................... Disabled

MAC Filtering.................................... Disabled

AAA Policy Override.............................. Disabled

Network Admission Control

Radius-NAC State............................... Disabled

SNMP-NAC State................................. Disabled

Quarantine VLAN................................ 0

Maximum number of Associated Clients............. 0

Number of Active Clients......................... 0

Exclusionlist.................................... Disabled

Session Timeout.................................. Infinity

CHD per Remote LAN............................... Enabled

Webauth DHCP exclusion........................... Disabled

Interface........................................ management

Remote LAN ACL................................... unconfigured

DHCP Server...................................... Default

DHCP Address Assignment Required................. Disabled

Static IP client tunneling....................... Disabled

Radius Servers

Authentication................................ Global Servers

Accounting.................................... Global Servers

Dynamic Interface............................. Disabled


Security

Web Based Authentication...................... Enabled

ACL............................................. Unconfigured

Web Authentication server precedence:

1............................................... local

2............................................... radius

3............................................... ldap

Web-Passthrough............................... Disabled

Conditional Web Redirect...................... Disabled

Splash-Page Web Redirect...................... Disabled


show reset

To display the scheduled system reset parameters, use the show reset command.

show reset

Syntax Description

This command has no arguments or keywords.

Command Default

None.

Examples

This example shows how to display the scheduled system reset parameters:

> show reset

System reset is scheduled for Mar 27 01:01:01 2010
Current local time and date is Mar 24 02:57:44 2010
A trap will be generated 10 minutes before each scheduled system reset.
Use ‘reset system cancel’ to cancel the reset.
Configuration will be saved before the system reset.

Related Commands

reset system at
reset system in
reset system cancel
reset system notify-time

show rfid client

To display the radio frequency identification (RFID) tags that are associated to the controller as clients, use the show rfid client command.

show rfid client

Syntax Description

This command has no arguments or keywords.

Command Default

None.

Usage Guidelines

When the RFID tag is not in client mode, the above fields are blank.

Examples

This example shows how to display the RFID tags that are associated to the controller as clients:

> show rfid client

------------------------- --------- ----------------- ------ ----------------
                          Heard
RFID Mac          VENDOR  Sec Ago   Associated AP     Chnl   Client State
------------------------- --------- ----------------- ------ ----------------
00:14:7e:00:0b:b1 Pango   35        AP0019.e75c.fef4  1      Probing

Related Commands

config rfid status
config rfid timeout
show rfid config
show rfid detail
show rfid summary

show rfid config

To display the current radio frequency identification (RFID) configuration settings, use the show rfid config command.

show rfid config

Syntax Description

This command has no arguments or keywords.

Command Default

None.

Examples

This example shows how to display the current RFID configuration settings:

> show rfid config

RFID Tag Data Collection ............................... Enabled

RFID Tag Auto-Timeout .................................. Enabled

RFID Client Data Collection ............................ Disabled

RFID Data Timeout ...................................... 200 seconds

Related Commands

config rfid status
config rfid timeout
show rfid client
show rfid detail
show rfid summary

show rfid detail

To display detailed radio frequency identification (RFID) information for a specified tag, use the show rfid detail command.

show rfid detail mac_address

Syntax Description

mac_address

MAC address of an RFID tag.

Command Default

None.

Examples

This example shows how to display detailed RFID information:

> show rfid detail 00:12:b8:00:20:52

RFID address..................................... 00:12:b8:00:20:52

Vendor........................................... G2

Last Heard....................................... 51 seconds ago

Packets Received................................. 2

Bytes Received................................... 324

Cisco Type.......................................

Content Header

=================

Version.......................................... 0

Tx Power......................................... 12 dBm

Channel.......................................... 1

Reg Class........................................ 12

Burst Length..................................... 1

CCX Payload

===========

Last Sequence Control............................ 0

Payload length................................... 127

Last Sequence Control............................ 0

Payload length................................... 127

Payload Data Hex Dump

01 09 00 00 00 00 0b 85 52 52 52 02 07 4b ff ff

7f ff ff ff 03 14 00 12 7b 10 48 53 c1 f7 51 4b

50 ba 5b 97 27 80 00 67 00 01 03 05 01 42 34 00

00 03 05 02 42 5c 00 00 03 05 03 42 82 00 00 03

05 04 42 96 00 00 03 05 05 00 00 00 55 03 05 06

42 be 00 00 03 02 07 05 03 12 08 10 00 01 02 03

04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 03 0d 09 03

08 05 07 a8 02 00 10 00 23 b2 4e 03 02 0a 03

Nearby AP Statistics:

lap1242-2(slot 0, chan 1) 50 seconds ag.... -76 dBm

lap1242(slot 0, chan 1) 50 seconds ago..... -65 dBm

Related Commands

config rfid status
config rfid timeout
show rfid config
show rfid client
show rfid summary

show rfid summary

To display a summary of the radio frequency identification (RFID) information for a specified tag, use the show rfid summary command.

show rfid summary

Syntax Description

This command has no arguments or keywords.

Command Default

None.

Examples

This example shows how to display a summary of RFID information:

> show rfid summary

Total Number of RFID : 5

----------------- -------- ------------------ ------ ---------------------
RFID ID           VENDOR   Closest AP         RSSI   Time Since Last Heard
----------------- -------- ------------------ ------ ---------------------
00:04:f1:00:00:04 Wherenet ap:1120            -51    858 seconds ago
00:0c:cc:5c:06:d3 Aerosct  ap:1120            -51    68 seconds ago
00:0c:cc:5c:08:45 Aerosct  AP_1130            -54    477 seconds ago
00:0c:cc:5c:08:4b Aerosct  wolverine          -54    332 seconds ago
00:0c:cc:5c:08:52 Aerosct  ap:1120            -51    699 seconds ago

Related Commands

config rfid status
config rfid timeout
show rfid client
show rfid detail
show rfid config

show rf-profile summary

To display a summary of RF profiles in the controller, use the show rf-profile summary command.

show rf-profile summary

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following is the output of the show rf-profile summary command:

(Cisco Controller) > show rf-profile summary

Number of RF Profiles............................ 2

Out Of Box State................................. Disabled

RF Profile Name  Band     Description  Applied
-------------------------------------------------------------
T1a              5 GHz    <none>       No
T1b              2.4 GHz  <none>       No

show rf-profile details

To display the RF profile details in the Cisco wireless LAN controller, use the show rf-profile details command.

show rf-profile details rf-profile-name

Syntax Description

rf-profile-name

Name of the RF profile.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.
8.0        The output was updated to include the Rx SOP threshold.

Examples

The following is the output of the show rf-profile details command:

(Cisco Controller) > show rf-profile details T1a

Description...................................... <none>

Radio policy..................................... 5 GHz

Transmit Power Threshold v1...................... -70 dBm

Transmit Power Threshold v2...................... -67 dBm

Min Transmit Power............................... -10 dBm

Max Transmit Power............................... 30 dBm

Rx Sop Threshold................................. Medium

802.11a Operational Rates

802.11a 6M Rate.............................. Mandatory

802.11a 9M Rate.............................. Supported

802.11a 12M Rate............................. Mandatory

802.11a 18M Rate............................. Supported

802.11a 24M Rate............................. Mandatory

802.11a 36M Rate............................. Supported

802.11a 48M Rate............................. Supported

802.11a 54M Rate............................. Supported

Max Clients...................................... 200

Client Trap Threshold............................ 50

Multicast Data Rate.............................. 0

Rx Sop Threshold................................. 0 dBm

Cca Threshold.................................... 0 dBm

Slot Admin State:................................ Enabled

Band Select Probe Response....................... Disabled

Band Select Cycle Count.......................... 2 cycles

Band Select Cycle Threshold...................... 200 milliseconds

Band Select Expire Suppression................... 20 seconds

Band Select Expire Dual Band..................... 60 seconds

Band Select Client Rssi.......................... -80 dBm

Load Balancing Denial............................ 3 count

Load Balancing Window............................ 5 clients

Coverage Data.................................... -80 dBm

Coverage Voice................................... -80 dBm

Coverage Exception............................... 3 clients

Coverage Level................................... 25 %


show rogue adhoc custom summary

To display information about custom ad-hoc rogue access points, use the show rogue adhoc custom summary command.

show rogue adhoc custom summary

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to display details of custom ad-hoc rogue access points:

(Cisco Controller) > show rogue adhoc custom summary

Number of Adhocs............................0

MAC Address       State            # APs # Clients Last Heard
---------------------------------- ----- --------- -----------------------

Related Commands

show rogue adhoc detailed
show rogue adhoc summary
show rogue adhoc friendly summary
show rogue adhoc malicious summary
show rogue adhoc unclassified summary
config rogue adhoc

show rogue adhoc detailed

To display details of an ad-hoc rogue access point detected by the Cisco wireless LAN controller, use the show rogue adhoc detailed command.

show rogue adhoc detailed MAC_address

Syntax Description

MAC_address

Adhoc rogue MAC address.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to display detailed ad-hoc rogue MAC address information:

(Cisco Controller) > show rogue adhoc detailed 02:61:ce:8e:a8:8c

Adhoc Rogue MAC address.......................... 02:61:ce:8e:a8:8c

Adhoc Rogue BSSID................................ 02:61:ce:8e:a8:8c

State............................................ Alert

First Time Adhoc Rogue was Reported.............. Tue Dec 11 20:45:45 2007

Last Time Adhoc Rogue was Reported............... Tue Dec 11 20:45:45 2007

Reported By

AP 1

MAC Address.............................. 00:14:1b:58:4a:e0

Name..................................... AP0014.1ced.2a60

Radio Type............................... 802.11b

SSID..................................... rf4k3ap

Channel.................................. 3

RSSI..................................... -56 dBm

SNR...................................... 15 dB

Encryption............................... Disabled

ShortPreamble............................ Disabled

WPA Support.............................. Disabled

Last reported by this AP............... Tue Dec 11 20:45:45 2007

Related Commands

config rogue adhoc
show rogue ignore-list
show rogue rule summary
show rogue rule detailed
config rogue rule
show rogue adhoc summary

show rogue adhoc friendly summary

To display information about friendly ad-hoc rogue access points, use the show rogue adhoc friendly summary command.

show rogue adhoc friendly summary

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to display information about friendly ad-hoc rogue access points:

(Cisco Controller) > show rogue adhoc friendly summary

Number of Adhocs............................0

MAC Address       State            # APs # Clients Last Heard
---------------------------------- ----- --------- -----------------------

Related Commands

show rogue adhoc custom summary
show rogue adhoc detailed
show rogue adhoc summary
show rogue adhoc malicious summary
show rogue adhoc unclassified summary
config rogue adhoc

show rogue adhoc malicious summary

To display information about malicious ad-hoc rogue access points, use the show rogue adhoc malicious summary command.

show rogue adhoc malicious summary

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to display details of malicious ad-hoc rogue access points:

(Cisco Controller) > show rogue adhoc malicious summary

Number of Adhocs............................0

MAC Address       State            # APs # Clients Last Heard
---------------------------------- ----- --------- -----------------------

Related Commands

show rogue adhoc custom summary
show rogue adhoc detailed
show rogue adhoc summary
show rogue adhoc friendly summary
show rogue adhoc unclassified summary
config rogue adhoc

show rogue adhoc unclassified summary

To display information about unclassified ad-hoc rogue access points, use the show rogue adhoc unclassified summary command.

show rogue adhoc unclassified summary

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to display information about unclassified ad-hoc rogue access points:

(Cisco Controller) > show rogue adhoc unclassified summary

Number of Adhocs............................0

MAC Address       State            # APs # Clients Last Heard
---------------------------------- ----- --------- -----------------------

Related Commands

show rogue adhoc custom summary
show rogue adhoc detailed
show rogue adhoc summary
show rogue adhoc friendly summary
show rogue adhoc malicious summary
config rogue adhoc

show rogue adhoc summary

To display a summary of the ad-hoc rogue access points detected by the Cisco wireless LAN controller, use the show rogue adhoc summary command.

show rogue adhoc summary

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to display a summary of all ad-hoc rogues:

(Cisco Controller) > show rogue adhoc summary

Detect and report Ad-Hoc Networks................ Enabled

Client MAC Address Adhoc BSSID State # APs Last Heard
------------------ ----------- ----- ----- ------------------------
xx:xx:xx:xx:xx:xx  super       Alert 1     Sat Aug 9 21:12:50 2004
xx:xx:xx:xx:xx:xx              Alert 1     Aug 9 21:12:50 2003
xx:xx:xx:xx:xx:xx              Alert 1     Sat Aug 9 21:10:50 2003

Related Commands

config rogue adhoc
show rogue ignore-list
show rogue rule summary
show rogue rule detailed
config rogue rule
show rogue adhoc detailed

show rogue ap clients

To display details of rogue access point clients detected by the Cisco wireless LAN controller, use the show rogue ap clients command.

show rogue ap clients ap_mac_address

Syntax Description

ap_mac_address

Rogue access point MAC address.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to display details of rogue access point clients:

(Cisco Controller) > show rogue ap clients xx:xx:xx:xx:xx:xx

MAC Address State # APs Last Heard

----------------- ------------------ ----- -------------------------

00:bb:cd:12:ab:ff Alert 1 Fri Nov 30 11:26:23 2007

Related Commands

config rogue adhoc
config rogue ap classify
config rogue ap friendly
config rogue ap rldp
config rogue ap timeout
config rogue ap valid-client
config rogue client
config trapflags rogueap
show rogue ap detailed
show rogue ap summary
show rogue ap friendly summary
show rogue ap malicious summary
show rogue ap unclassified summary
show rogue client detailed
show rogue client summary
show rogue ignore-list
show rogue rule detailed
show rogue rule summary

show rogue ap custom summary

To display information about custom ad-hoc rogue access points, use the show rogue ap custom summary command.

show rogue ap custom summary

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to display details of custom ad-hoc rogue access points:

(Cisco Controller) > show rogue ap custom summary

Number of APs............................0

MAC Address       State            # APs # Clients Last Heard
---------------------------------- ----- --------- -----------------------

Related Commands

config rogue adhoc
config rogue ap classify
config rogue ap friendly
config rogue ap rldp
config rogue ap timeout
config rogue ap valid-client
config rogue client
config trapflags rogueap
show rogue ap clients
show rogue ap detailed
show rogue ap summary
show rogue ap malicious summary
show rogue ap unclassified summary
show rogue client detailed
show rogue client summary
show rogue ignore-list
show rogue rule detailed
show rogue rule summary

show rogue ap detailed

To display details of a rogue access point detected by the Cisco wireless LAN controller, use the show rogue ap detailed command.

show rogue ap detailed ap_mac_address

Syntax Description

ap_mac_address

Rogue access point MAC address.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to display detailed information of a rogue access point:

(Cisco Controller) > show rogue ap detailed xx:xx:xx:xx:xx:xx

Rogue BSSID...................................... 00:0b:85:63:d1:94

Is Rogue on Wired Network........................ No

Classification................................... Unclassified

State............................................ Alert

First Time Rogue was Reported.................... Fri Nov 30 11:24:56 2007

Last Time Rogue was Reported..................... Fri Nov 30 11:24:56 2007

Reported By

AP 1

MAC Address.............................. 00:12:44:bb:25:d0

Name..................................... flexconnect

Radio Type............................... 802.11g

SSID..................................... edu-eap

Channel.................................. 6

RSSI..................................... -61 dBm

SNR...................................... -1 dB

Encryption............................... Enabled

ShortPreamble............................ Enabled

WPA Support.............................. Disabled

Last reported by this AP.............. Fri Nov 30 11:24:56 2007

This example shows how to display detailed information of a rogue access point with a customized classification:

(Cisco Controller) > show rogue ap detailed xx:xx:xx:xx:xx:xx

Rogue BSSID...................................... 00:17:0f:34:48:a0

Is Rogue on Wired Network........................ No

Classification................................... custom

Severity Score .................................. 1

Class Name........................................VeryMalicious

Class Change by.................................. Rogue Rule

Classified at ................................... -60 dBm

Classified by.................................... c4:0a:cb:a1:18:80

State............................................ Contained

State change by.................................. Rogue Rule

First Time Rogue was Reported.................... Mon Jun 4 10:31:18 2012

Last Time Rogue was Reported..................... Mon Jun 4 10:31:18 2012

Reported By

AP 1

MAC Address.............................. c4:0a:cb:a1:18:80

Name..................................... SHIELD-3600-2027

Radio Type............................... 802.11g

SSID..................................... sri

Channel.................................. 11

RSSI..................................... -87 dBm

SNR...................................... 4 dB

Encryption............................... Enabled

ShortPreamble............................ Enabled

WPA Support.............................. Enabled

Last reported by this AP................. Mon Jun 4 10:31:18 2012

Related Commands

config rogue adhoc
config rogue ap classify
config rogue ap friendly
config rogue ap rldp
config rogue ap timeout
config rogue ap valid-client
config rogue client
config trapflags rogueap
show rogue ap clients
show rogue ap summary
show rogue ap friendly summary
show rogue ap malicious summary
show rogue ap unclassified summary
show rogue client detailed
show rogue client summary
show rogue ignore-list
show rogue rule detailed
show rogue rule summary
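The following is an added example, not part of the Cisco reference: a Python parser for the dotted "Key.... Value" layout of show rogue ap detailed, applied to the two example outputs above (abridged). The function names (parse_rogue_detail, dbm, triage), the triage rules and the -70 dBm threshold are assumptions chosen for illustration.

```python
import re

# Constructed input: the two example outputs from this page, abridged and
# written one field per line.
SAMPLE_UNCLASSIFIED = """\
Rogue BSSID...................................... 00:0b:85:63:d1:94
Is Rogue on Wired Network........................ No
Classification................................... Unclassified
State............................................ Alert
Last Time Rogue was Reported..................... Fri Nov 30 11:24:56 2007
Reported By
    AP 1
        MAC Address.............................. 00:12:44:bb:25:d0
        Name..................................... flexconnect
        SSID..................................... edu-eap
        Channel.................................. 6
        RSSI..................................... -61 dBm
        Encryption............................... Enabled
"""
SAMPLE_CUSTOM = """\
Rogue BSSID...................................... 00:17:0f:34:48:a0
Is Rogue on Wired Network........................ No
Classification................................... custom
Severity Score .................................. 1
Class Name........................................VeryMalicious
Class Change by.................................. Rogue Rule
Classified at ................................... -60 dBm
Classified by.................................... c4:0a:cb:a1:18:80
State............................................ Contained
State change by.................................. Rogue Rule
Reported By
    AP 1
        MAC Address.............................. c4:0a:cb:a1:18:80
        Name..................................... SHIELD-3600-2027
        SSID..................................... sri
        Channel.................................. 11
        RSSI..................................... -87 dBm
        Encryption............................... Enabled
"""

# "Key.......... Value": a label, a run of two or more dots, then the value.
FIELD = re.compile(r"^\s*(?P<key>.+?)\s*\.{2,}\s*(?P<value>.*?)\s*$")
AP_HEADER = re.compile(r"^\s*AP\s+\d+\s*$")


def parse_rogue_detail(text):
    """Split one rogue's output into top-level fields and per-AP reports."""
    rogue = {"fields": {}, "reporters": []}
    target = rogue["fields"]
    for line in text.splitlines():
        if AP_HEADER.match(line):
            # Every field after an "AP n" header belongs to that detecting AP.
            target = {}
            rogue["reporters"].append(target)
            continue
        m = FIELD.match(line)
        if m:
            target[m.group("key")] = m.group("value")
    return rogue


def dbm(value):
    """Return the integer in a '-61 dBm' style value, or None."""
    m = re.match(r"(-?\d+)\s*dBm$", value or "")
    return int(m.group(1)) if m else None


def triage(rogue, near_dbm=-70):
    """List the reasons a rogue needs analyst attention (assumed rules)."""
    f = rogue["fields"]
    reasons = []
    if f.get("Is Rogue on Wired Network", "").lower() == "yes":
        reasons.append("rogue is on the wired network")
    if f.get("Classification", "").lower() in ("malicious", "custom"):
        label = f.get("Class Name") or f["Classification"]
        reasons.append(f"classified {label} by {f.get('Class Change by', 'unknown')}")
    if f.get("State", "").lower() == "contained":
        reasons.append(f"containment active, set by {f.get('State change by', 'unknown')}")
    # Strongest RSSI across detecting APs approximates how close the rogue is.
    heard = [(dbm(r.get("RSSI")), r.get("Name", "?")) for r in rogue["reporters"]]
    heard = [h for h in heard if h[0] is not None]
    if heard:
        rssi, ap = max(heard)
        if rssi >= near_dbm:
            reasons.append(f"heard at {rssi} dBm by {ap}")
    return reasons


if __name__ == "__main__":
    for sample in (SAMPLE_UNCLASSIFIED, SAMPLE_CUSTOM):
        rogue = parse_rogue_detail(sample)
        print(rogue["fields"]["Rogue BSSID"], triage(rogue) or ["no action"])
```

The parser accepts values that follow the dots with or without a space, which the Class Name line in the second example requires.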

show rogue ap friendly summary

To display a list of the friendly rogue access points detected by the controller, use the show rogue ap friendly summary command.

show rogue ap friendly summary

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to display a summary of all friendly rogue access points:

(Cisco Controller) > show rogue ap friendly summary

Number of APs.................................... 1

MAC Address       State              # APs # Clients Last Heard
----------------- ------------------ ----- --------- ---------------------------
XX:XX:XX:XX:XX:XX Internal           1     0         Tue Nov 27 13:52:04 2007

Related Commands

config rogue adhoc
config rogue ap classify
config rogue ap friendly
config rogue ap rldp
config rogue ap timeout
config rogue ap valid-client
config rogue client
config trapflags rogueap
show rogue ap clients
show rogue ap detailed
show rogue ap summary
show rogue ap malicious summary
show rogue ap unclassified summary
show rogue client detailed
show rogue client summary
show rogue ignore-list
show rogue rule detailed
show rogue rule summary

show rogue ap malicious summary

To display a list of the malicious rogue access points detected by the controller, use the show rogue ap malicious summary command.

show rogue ap malicious summary

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to display a summary of all malicious rogue access points:

(Cisco Controller) > show rogue ap malicious summary

Number of APs.................................... 2

MAC Address       State              # APs # Clients Last Heard
----------------- ------------------ ----- --------- ---------------------------
XX:XX:XX:XX:XX:XX Alert              1     0         Tue Nov 27 13:52:04 2007
XX:XX:XX:XX:XX:XX Alert              1     0         Tue Nov 27 13:52:04 2007

Related Commands

config rogue adhoc
config rogue ap classify
config rogue ap friendly
config rogue ap rldp
config rogue ap timeout
config rogue ap valid-client
config rogue client
config trapflags rogueap
show rogue ap clients
show rogue ap detailed
show rogue ap summary
show rogue ap friendly summary
show rogue ap unclassified summary
show rogue client detailed
show rogue client summary
show rogue ignore-list
show rogue rule detailed
show rogue rule summary

show rogue ap summary

To display a summary of the rogue access points detected by the Cisco wireless LAN controller, use the show rogue ap summary command.

show rogue ap summary {ssid | channel}

Syntax Description

ssid

Displays specific user-configured SSID of the rogue access point.

channel

Displays specific user-configured radio type and channel of the rogue access point.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.
8.0        The new keywords SSID and channel are added.

Examples

The following example shows how to display a summary of all rogue access points:

(Cisco Controller) > show rogue ap summary

Rogue Location Discovery Protocol................ Disabled

Rogue ap timeout................................. 1200

Rogue on wire Auto-Contain....................... Disabled

Rogue using our SSID Auto-Contain................ Disabled

Valid client on rogue AP Auto-Contain............ Disabled

Rogue AP timeout................................. 1200

Rogue Detection Report Interval.................. 10

Rogue Detection Min Rssi......................... -128

Rogue Detection Transient Interval............... 0

Rogue Detection Client Num Thershold............. 0

Total Rogues(AP+Ad-hoc) supported................ 2000

Total Rogues classified.......................... 729

MAC Address       Classification   # APs # Clients Last Heard
---------------------------------- ----- --------- ----------------------
xx:xx:xx:xx:xx:xx friendly         1     0         Thu Aug 4 18:57:11 2005
xx:xx:xx:xx:xx:xx malicious        1     0         Thu Aug 4 19:00:11 2005
xx:xx:xx:xx:xx:xx malicious        1     0         Thu Aug 4 18:57:11 2005
xx:xx:xx:xx:xx:xx malicious        1     0         Thu Aug 4 18:57:11 2005

The following example shows how to display a summary of all rogue access points with SSID as extended parameter.

(Cisco Controller) > show rogue ap summary ssid

MAC Address       Class        State   SSID Security
--------------------------------------------------------------------------------------
xx:xx:xx:xx:xx:xx Unclassified Alert   xxx  Open
xx:xx:xx:xx:xx:xx Unclassified Alert   xxx  Open
xx:xx:xx:xx:xx:xx Pending      Pending xxx  Open
xx:xx:xx:xx:xx:xx Unclassified Alert   xxx  WEP/WPA

The following example shows how to display a summary of all rogue access points with channel as extended parameter.

(Cisco Controller) > show rogue ap summary channel

MAC Address       Class        State Det RadioType Channel RSSI(last/Max)
--------------------------------------------------------------------------------------------------------------------
xx:xx:xx:xx:xx:xx Unclassified Alert 802.11g       11      -53 / -48
xx:xx:xx:xx:xx:xx Unclassified Alert 802.11g       11      -53 / -48
xx:xx:xx:xx:xx:xx Unclassified Alert 802.11a       149     -74 / -69
xx:xx:xx:xx:xx:xx Unclassified Alert 802.11a       149     -74 / -69
xx:xx:xx:xx:xx:xx Unclassified Alert 802.11a       149     -74 / -69

The following example shows how to display a summary of all rogue access points with both SSID and channel as extended parameters.

(Cisco Controller) > show rogue ap summary ssid channel

MAC Address       Class        State SSID           Security Det RadioType Channel RSSI(last/Max)
-----------------------------------------------------------------------------------------------------------------
xx:xx:xx:xx:xx:xx Unclassified Alert dd             WEP/WPA  802.11n5G     56      -73 / -62
xx:xx:xx:xx:xx:xx Unclassified Alert SSID IS HIDDEN Open     802.11a       149     -68 / -66
xx:xx:xx:xx:xx:xx Unclassified Alert wlan16         WEP/WPA  802.11n5G     149     -71 / -71
xx:xx:xx:xx:xx:xx Unclassified Alert wlan15         WEP/WPA  802.11n5G     149     -71 / -71
xx:xx:xx:xx:xx:xx Unclassified Alert wlan14         WEP/WPA  802.11n5G     149     -71 / -71
xx:xx:xx:xx:xx:xx Unclassified Alert wlan13         WEP/WPA  802.11n5G     149     -71 / -70
xx:xx:xx:xx:xx:xx Unclassified Alert wlan12         WEP/WPA  802.11n5G     149     -71 / -71

Related Commands

config rogue adhoc
config rogue ap classify
config rogue ap friendly
config rogue ap rldp
config rogue ap timeout
config rogue ap valid-client
config rogue client
config trapflags rogueap
show rogue ap clients
show rogue ap detailed
show rogue ap friendly summary
show rogue ap malicious summary
show rogue ap unclassified summary
show rogue client detailed
show rogue client summary
show rogue ignore-list
show rogue rule detailed
show rogue rule summary

show rogue ap unclassified summary

To display a list of the unclassified rogue access points detected by the controller, use the show rogue ap unclassified summary command.

show rogue ap unclassified summary

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to display a list of all unclassified rogue access points:

(Cisco Controller) > show rogue ap unclassified summary

Number of APs.................................... 164

MAC Address       State         # APs # Clients Last Heard
----------------- ------------- ----- --------- ---------------
XX:XX:XX:XX:XX:XX Alert         1     0         Fri Nov 30 11:12:52 2007
XX:XX:XX:XX:XX:XX Alert         1     0         Fri Nov 30 11:29:01 2007
XX:XX:XX:XX:XX:XX Alert         1     0         Fri Nov 30 11:26:23 2007
XX:XX:XX:XX:XX:XX Alert         1     0         Fri Nov 30 11:26:23 2007

show rogue auto-contain

To display information about rogue auto-containment, use the show rogue auto-contain command.

show rogue auto-contain

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to display information about rogue auto-containment:

(Cisco Controller) > show rogue auto-contain

Containment Level................................ 3

monitor_ap_only.................................. false

Related Commands

config rogue adhoc
config rogue auto-contain level

show rogue client detailed

To display details of a rogue client detected by a Cisco wireless LAN controller, use the show rogue client detailed command.

show rogue client detailed Rogue_AP MAC_address

Syntax Description

Rogue_AP

Rogue AP address.

MAC_address

Rogue client MAC address.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.
8.1        The Rogue_AP parameter to the show rogue client detailed command is added.

Examples

The following example shows how to display detailed information for a rogue client:

(Cisco Controller) > show rogue client detailed xx:xx:xx:xx:xx:xx

Rogue BSSID...................................... 00:0b:85:23:ea:d1

State............................................ Alert

First Time Rogue was Reported.................... Mon Dec 3 21:50:36 2007

Last Time Rogue was Reported..................... Mon Dec 3 21:50:36 2007

Rogue Client IP address.......................... Not known

Reported By

AP 1

MAC Address.............................. 00:15:c7:82:b6:b0

Name..................................... AP0016.47b2.31ea

Radio Type............................... 802.11a

RSSI..................................... -71 dBm

SNR...................................... 23 dB

Channel.................................. 149

Last reported by this AP.............. Mon Dec 3 21:50:36 2007

Related Commands

• show rogue client summary
• show rogue ignore-list
• config rogue rule client
• config rogue rule

show rogue client summary

To display a summary of the rogue clients detected by the Cisco wireless LAN controller, use the show rogue client summary command.

show rogue client summary

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to display a list of all rogue clients:

(Cisco Controller) > show rogue client summary

Validate rogue clients against AAA............... Disabled

Total Rogue Clients supported.................... 2500

Total Rogue Clients present...................... 3

MAC Address        State  # APs  Last Heard
-----------------  -----  -----  -----------------------
xx:xx:xx:xx:xx:xx  Alert  1      Thu Aug 4 19:00:08 2005
xx:xx:xx:xx:xx:xx  Alert  1      Thu Aug 4 19:00:08 2005
xx:xx:xx:xx:xx:xx  Alert  1      Thu Aug 4 19:00:08 2005
xx:xx:xx:xx:xx:xx  Alert  1      Thu Aug 4 19:00:08 2005
xx:xx:xx:xx:xx:xx  Alert  1      Thu Aug 4 19:00:08 2005
xx:xx:xx:xx:xx:xx  Alert  1      Thu Aug 4 19:00:08 2005
xx:xx:xx:xx:xx:xx  Alert  1      Thu Aug 4 19:09:11 2005
xx:xx:xx:xx:xx:xx  Alert  1      Thu Aug 4 19:03:11 2005
xx:xx:xx:xx:xx:xx  Alert  1      Thu Aug 4 19:03:11 2005
xx:xx:xx:xx:xx:xx  Alert  1      Thu Aug 4 19:09:11 2005
xx:xx:xx:xx:xx:xx  Alert  1      Thu Aug 4 18:57:08 2005
xx:xx:xx:xx:xx:xx  Alert  1      Thu Aug 4 19:12:08 2005

Related Commands

• show rogue client detailed
• show rogue ignore-list
• config rogue client
• config rogue rule

show rogue ignore-list

To display a list of rogue access points that are configured to be ignored, use the show rogue ignore-list command.

show rogue ignore-list

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to display a list of all rogue access points that are configured to be ignored.

(Cisco Controller) > show rogue ignore-list

MAC Address
-----------------
xx:xx:xx:xx:xx:xx

Related Commands

• config rogue adhoc
• config rogue ap classify
• config rogue ap friendly
• config rogue ap rldp
• config rogue ap ssid
• config rogue ap timeout
• config rogue ap valid-client
• config rogue rule
• config trapflags rogueap
• show rogue client detailed
• show rogue ignore-list
• show rogue rule summary
• show rogue client summary
• show rogue ap unclassified summary
• show rogue ap malicious summary


• show rogue ap friendly summary
• config rogue client
• show rogue ap summary
• show rogue ap clients
• show rogue ap detailed
• config rogue rule
• show rogue ignore-list

show rogue rule detailed

To display detailed information for a specific rogue classification rule, use the show rogue rule detailed command.

show rogue rule detailed rule_name

Syntax Description

rule_name    Rogue rule name.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to display detailed information on a specific rogue classification rule:

(Cisco Controller) > show rogue rule detailed Rule2

Priority......................................... 2

Rule Name........................................ Rule2

State............................................ Enabled

Type............................................. Malicious

Severity Score................................... 1

Class Name....................................... Very_Malicious

Notify........................................... All

State ........................................... Contain

Match Operation.................................. Any

Hit Count........................................ 352

Total Conditions................................. 2

Condition 1
    type......................................... Client-count
    value........................................ 10

Condition 2
    type......................................... Duration
    value (seconds).............................. 2000

Condition 3
    type......................................... Managed-ssid
    value........................................ Enabled

Condition 4
    type......................................... No-encryption
    value........................................ Enabled

Condition 5
    type......................................... Rssi
    value (dBm).................................. -50

Condition 6
    type......................................... Ssid
    SSID Count................................... 1
    SSID 1.................................... test

Related Commands

• config rogue rule


• show rogue ignore-list
• show rogue rule summary
• show rogue rule detailed

show rogue rule summary

To display the rogue classification rules that are configured on the controller, use the show rogue rule summary command.

show rogue rule summary

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to display a list of all rogue rules that are configured on the controller:

(Cisco Controller) > show rogue rule summary

Priority Rule Name               State    Type          Match Hit Count
-------- ----------------------- -------- ------------- ----- ---------
1        mtest                   Enabled  Malicious     All   0
2        asdfasdf                Enabled  Malicious     All   0

The following example shows how to display a list of all rogue rules that are configured on the controller:

(Cisco Controller) > show rogue rule summary

Priority Rule Name                        Rule state  Class Type  Notify   State    Match  Hit Count
-------- -------------------------------- ----------- ----------- -------- -------- ------ ---------
1        rule2                            Enabled     Friendly    Global   Alert    All    234
2        rule1                            Enabled     Custom      Global   Alert    All    0

Related Commands

• config rogue rule
• show rogue ignore-list
• show rogue rule detailed

show route kernel

To display the kernel route cache information, use the show route kernel command.

show route kernel

Syntax Description

This command has no arguments or keywords.

Command Default

None.

Examples

This example shows how to display the kernel route cache information:

> show route kernel

Iface  Destination  Gateway   Flags  RefCnt  Use  Metric  Mask      MTU  Window  IRTT
dtl0   14010100     00000000  0001   0       0    0       FFFFFF00  0    0       0
dtl0   28282800     00000000  0001   0       0    0       FFFFFF00  0    0       0
dtl0   34010100     00000000  0001   0       0    0       FFFFFF00  0    0       0
eth0   02020200     00000000  0001   0       0    0       FFFFFF00  0    0       0
dtl0   33010100     00000000  0001   0       0    0       FFFFFF00  0    0       0
dtl0   0A010100     00000000  0001   0       0    0       FFFFFF00  0    0       0
dtl0   32010100     00000000  0001   0       0    0       FFFFFF00  0    0       0
dtl0   0A000000     0202020A  0003   0       0    0       FF000000  0    0       0
lo     7F000000     00000000  0001   0       0    0       FF000000  0    0       0
dtl0   00000000     0A010109  0003   0       0    0       00000000  0    0       0

Related Commands clear ap debug arp show arp kernel config route add config route delete

show route summary

To display the routes assigned to the Cisco wireless LAN controller service port, use the show route summary command.

show route summary

Syntax Description

This command has no arguments or keywords.

Command Default

None.

Examples

This example shows how to display all the configured routes:

> show route summary

Number of Routes............................... 1

Destination Network  Genmask          Gateway
-------------------  ---------------  ---------------
xxx.xxx.xxx.xxx      255.255.255.0    xxx.xxx.xxx.xxx

Related Commands config route

show rules

To display the active internal firewall rules, use the show rules command.

show rules

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to display active internal firewall rules:

(Cisco Controller) > show rules

--------------------------------------------------------

Rule ID.............: 3

Ref count...........: 0

Precedence..........: 99999999

Flags...............: 00000001 ( PASS )

Source IP range:

(Local stack)

Destination IP range:

(Local stack)

--------------------------------------------------------

Rule ID.............: 25

Ref count...........: 0

Precedence..........: 99999999

Flags...............: 00000001 ( PASS )

Service Info

Service name........: GDB

Protocol............: 6

Source port low.....: 0

Source port high....: 0

Dest port low.......: 1000

Dest port high......: 1000

Source IP range:

IP High............: 0.0.0.0

Interface..........: ANY

Destination IP range:

(Local stack)

--------------------------------------------------------

show run-config

To display a comprehensive view of the current Cisco wireless LAN controller configuration, use the show run-config all command.

show run-config {all | commands} [no-ap | commands]

Syntax Description

all         Shows all the commands under the show run-config.
no-ap       (Optional) Excludes access point configuration settings.
commands    (Optional) Displays a list of user-configured commands on the controller.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.
8.2        This command was introduced.

Usage Guidelines

These commands have replaced the show running-config command.

Some WLAN controllers may have no Crypto Accelerator (VPN termination module) or power supplies listed because they have no provisions for VPN termination modules or power supplies.

The show run-config all command shows only values configured by the user. It does not show system-configured default values.

Examples

The following is a sample output of the show run-config all command:

(Cisco Controller) > show run-config all

Press Enter to continue...

System Inventory

Switch Description............................... Cisco Controller

Machine Model....................................

Serial Number.................................... FLS0923003B

Burned-in MAC Address............................ xx:xx:xx:xx:xx:xx

Crypto Accelerator 1............................. Absent

Crypto Accelerator 2............................. Absent

Power Supply 1................................... Absent

Power Supply 2................................... Present, OK

Press Enter to continue Or <Ctl Z> to abort...

show run-config startup-commands

To display a comprehensive view of the current Cisco wireless LAN controller configuration, use the show run-config startup-commands command.

show run-config startup-commands

Syntax Description

run-config          Displays the running configuration commands.
startup-commands    Display list of configured startup commands on Wireless LAN Controller.

Command Default

None

Command History

Release

8.0

Modification

Usage Guidelines

The configuration commands on the Wireless LAN controller are uploaded to the TFTP or NCS servers using the transfer upload process. The show run-config startup-commands command enables the Wireless LAN controller to generate running-configuration in CLI format. The configuration commands generated can be used as backup configuration to restore the network.

Examples

The following is a sample output of the show run-config startup-commands command:

(Cisco Controller) > show run-config startup-commands

This may take some time.
Are you sure you want to proceed? (y/N) y

config location expiry tags 5
config mdns profile service add default-mdns-profile AirPrint
config mdns profile service add default-mdns-profile AirTunes
config mdns profile service add default-mdns-profile AppleTV
config mdns profile service add default-mdns-profile HP_Photosmart_Printer_1
config mdns profile service add default-mdns-profile HP_Photosmart_Printer_2
config mdns profile service add default-mdns-profile Printer
config mdns profile create default-

show serial

To display the serial (console) port configuration, use the show serial command.

show serial

Syntax Description

This command has no arguments or keywords.

Command Default

The default values for Baud rate, Character, Flow Control, Stop Bits, Parity type of the port configuration are 9600, 8, off, 1, none.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to display EIA-232 parameters and the serial port inactivity timeout:

(Cisco Controller) > show serial

Serial Port Login Timeout (minutes)......... 45

Baud Rate................................... 9600

Character Size.............................. 8

Flow Control:............................... Disable

Stop Bits................................... 1

Parity Type:................................ none

show sessions

To display the console port login timeout and maximum number of simultaneous command-line interface (CLI) sessions, use the show sessions command.

show sessions

Syntax Description

This command has no arguments or keywords.

Command Default

5 minutes, 5 sessions.

Examples

This example shows how to display the CLI session configuration setting:

> show sessions

CLI Login Timeout (minutes)............ 0

Maximum Number of CLI Sessions......... 5

The response indicates that the CLI sessions never time out and that the Cisco wireless LAN controller can host up to five simultaneous CLI sessions.

Related Commands

• config sessions maxsessions
• config sessions timeout

show snmpcommunity

To display Simple Network Management Protocol (SNMP) community entries, use the show snmpcommunity command.

show snmpcommunity

Syntax Description

This command has no arguments or keywords.

Command Default

None.

Examples

This example shows how to display SNMP community entries:

> show snmpcommunity

SNMP Community Name Client IP Address Client IP Mask    Access Mode Status
------------------- ----------------- ----------------- ----------- -------
public              0.0.0.0           0.0.0.0           Read Only   Enable
**********          0.0.0.0           0.0.0.0           Read/Write  Enable

Related Commands

• config snmp community accessmode
• config snmp community create
• config snmp community delete
• config snmp community ipaddr
• config snmp community mode
• config snmp syscontact


show snmpengineID

To display the SNMP engine ID, use the show snmpengineID command.

show snmpengineID

Syntax Description

This command has no arguments or keywords.

Command Default

None.

Examples

This example shows how to display the SNMP engine ID:

> show snmpengineID

SNMP EngineId... ffffffffffff

Related Commands

• config snmp engineID
• show snmpengineID

show snmptrap

To display Cisco wireless LAN controller Simple Network Management Protocol (SNMP) trap receivers and their status, use the show snmptrap command.

show snmptrap

Syntax Description

This command has no arguments or keywords.

Command Default

None.

Examples

This example shows how to display SNMP trap receivers and their status:

> show snmptrap

SNMP Trap Receiver Name    IP Address         Status
-------------------------  -----------------  -------
xxx.xxx.xxx.xxx            xxx.xxx.xxx.xxx    Enable

show snmpv3user

To display Simple Network Management Protocol (SNMP) version 3 configuration, use the show snmpv3user command.

show snmpv3user

Syntax Description

This command has no arguments or keywords.

Command Default

None.

Examples

This example shows how to display SNMP version 3 configuration information:

> show snmpv3user

SNMP v3 username     AccessMode  Authentication Encryption
-------------------- ----------- -------------- ----------
default              Read/Write  HMAC-SHA       CFB-AES

Related Commands

• config snmp v3user create
• config snmp v3user delete

show snmpversion

To display which versions of Simple Network Management Protocol (SNMP) are enabled or disabled on your controller, use the show snmpversion command.

show snmpversion

Syntax Description

This command has no arguments or keywords.

Command Default

Enable.

Examples

This example shows how to display the SNMP v1/v2/v3 status:

> show snmpversion

SNMP v1 Mode.................................. Disable

SNMP v2c Mode.................................. Enable

SNMP v3 Mode.................................. Enable

Related Commands config snmp version

show spanningtree port

To display the Cisco wireless LAN controller spanning tree port configuration, use the show spanningtree port command.

show spanningtree port port

Syntax Description

port    Physical port number:

• 1 through 4 on Cisco 2100 Series Wireless LAN Controller.
• 1 or 2 on Cisco 4402 Series Wireless LAN Controller.
• 1 through 4 on Cisco 4404 Series Wireless LAN Controller.

Command Default

The default SPT configuration output values are 800C, Disabled, 802.1D, 128, 100, Auto.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

When a Cisco 4400 Series wireless LAN controller is configured for port redundancy, the Spanning Tree Protocol (STP) must be disabled for all ports on the Cisco 4400 Series Wireless LAN Controller. STP can remain enabled on the switch connected to the Cisco 4400 Series Wireless LAN Controller.

Note

Some WLAN controllers do not support the spanning tree function.

Examples

The following example shows how to display spanning tree values on a per port basis:

(Cisco Controller) > show spanningtree port 3

STP Port ID................................. 800C

STP Port State.............................. Disabled

STP Port Administrative Mode................ 802.1D

STP Port Priority........................... 128

STP Port Path Cost.......................... 100

STP Port Path Cost Mode..................... Auto

show spanningtree switch

To display the Cisco wireless LAN controller network (DS port) spanning tree configuration, use the show spanningtree switch command.

show spanningtree switch

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

Some WLAN controllers do not support the spanning tree function.

Examples

The following example shows how to display spanning tree values on a per switch basis:

(Cisco Controller) > show spanningtree switch

STP Specification...................... IEEE 802.1D

STP Base MAC Address................... 00:0B:85:02:0D:20

Spanning Tree Algorithm................ Disable

STP Bridge Priority.................... 32768

STP Bridge Max. Age (seconds).......... 20

STP Bridge Hello Time (seconds)........ 2

STP Bridge Forward Delay (seconds)..... 15

show stats port

To display physical port receive and transmit statistics, use the show stats port command.

show stats port {detailed port | summary port}

Syntax Description

detailed    Displays detailed port statistics.
summary     Displays port summary statistics.
port        Physical port number:

• 1 through 4 on Cisco 2100 Series Wireless LAN Controllers.
• 1 or 2 on Cisco 4402 Series Wireless LAN Controllers.
• 1 through 4 on Cisco 4404 Series Wireless LAN Controllers.
• 1 on Cisco WLCM Series Wireless LAN Controllers.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to display the port summary information:

(Cisco Controller) > show stats port summary

Packets Received Without Error................. 399958

Packets Received With Error.................... 0

Broadcast Packets Received..................... 8350

Packets Transmitted Without Error.............. 106060

Transmit Packets Errors........................ 0

Collisions Frames.............................. 0

Time Since Counters Last Cleared............... 2 day 11 hr 16 min 23 sec

The following example shows how to display the detailed port information:

(Cisco Controller) > show stats port detailed 1


PACKETS RECEIVED (OCTETS)
Total Bytes...................................... 267799881
64 byte pkts :918281
65-127 byte pkts :354016       128-255 byte pkts :1283092
256-511 byte pkts :8406        512-1023 byte pkts :3006
1024-1518 byte pkts :1184      1519-1530 byte pkts :0
> 1530 byte pkts :2

PACKETS RECEIVED SUCCESSFULLY
Total............................................ 2567987
Unicast Pkts :2547844 Multicast Pkts:0 Broadcast Pkts:20143

PACKETS RECEIVED WITH MAC ERRORS
Total............................................ 0
Jabbers :0       Undersize :0       Alignment :0
FCS Errors:0     Overruns :0

RECEIVED PACKETS NOT FORWARDED
Total............................................ 0
Local Traffic Frames:0         RX Pause Frames :0
Unacceptable Frames :0         VLAN Membership :0
VLAN Viable Discards:0         MulticastTree Viable:0
ReserveAddr Discards:0
CFI Discards :0                Upstream Threshold :0

PACKETS TRANSMITTED (OCTETS)
Total Bytes...................................... 353831
64 byte pkts :0                65-127 byte pkts :0
128-255 byte pkts :0           256-511 byte pkts :0
512-1023 byte pkts :0          1024-1518 byte pkts :2
1519-1530 byte pkts :0         Max Info :1522

PACKETS TRANSMITTED SUCCESSFULLY
Total............................................ 5875
Unicast Pkts :5868 Multicast Pkts:0 Broadcast Pkts:7

TRANSMIT ERRORS
Total Errors..................................... 0
FCS Error :0     TX Oversized :0     Underrun Error:0

TRANSMIT DISCARDS
Total Discards................................... 0
Single Coll Frames :0          Multiple Coll Frames:0
Excessive Coll Frame:0         Port Membership :0
VLAN Viable Discards:0

PROTOCOL STATISTICS
BPDUs Received :6              BPDUs Transmitted :0
802.3x RX PauseFrame:0

Time Since Counters Last Cleared............... 2 day 0 hr 39 min 59 sec

show stats switch

To display the network (DS port) receive and transmit statistics, use the show stats switch command.

show stats switch {detailed | summary}

Syntax Description

detailed    Displays detailed switch statistics.
summary     Displays switch summary statistics.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to display switch summary statistics:

(Cisco Controller) > show stats switch summary

Packets Received Without Error................. 136410

Broadcast Packets Received..................... 18805

Packets Received With Error.................... 0

Packets Transmitted Without Error.............. 78002

Broadcast Packets Transmitted.................. 3340

Transmit Packet Errors......................... 2

Address Entries Currently In Use............... 26

VLAN Entries Currently In Use.................. 1

Time Since Counters Last Cleared............... 2 day 11 hr 22 min 17 sec

The following example shows how to display detailed switch statistics:

(Cisco Controller) > show stats switch detailed

RECEIVE

Octets........................................... 19351718

Total Pkts....................................... 183468

Unicast Pkts..................................... 180230

Multicast Pkts................................... 3219

Broadcast Pkts................................... 19

Pkts Discarded................................... 0

TRANSMIT

Octets........................................... 354251

Total Pkts....................................... 5882

Unicast Pkts..................................... 5875

Multicast Pkts................................... 0

Broadcast Pkts................................... 7

Pkts Discarded................................... 0


ADDRESS ENTRIES

Most Ever Used................................... 1

Currently In Use................................. 1

VLAN ENTRIES

Maximum.......................................... 128

Most Ever Used................................... 1

Static In Use.................................... 1

Dynamic In Use................................... 0

VLANs Deleted.................................... 0

Time Since Ctrs Last Cleared..................... 2 day 0 hr 43 min 22 sec

show switchconfig

To display parameters that apply to the Cisco wireless LAN controller, use the show switchconfig command.

show switchconfig

Syntax Description

This command has no arguments or keywords.

Command Default

Enabled.

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

This example shows how to display parameters that apply to the Cisco wireless LAN controller:

(Cisco Controller) >> show switchconfig

802.3x Flow Control Mode......................... Disabled
FIPS prerequisite features....................... Enabled
Boot Break....................................... Enabled
secret obfuscation............................... Enabled
Strong Password Check Features:
case-check ...........Disabled
consecutive-check ....Disabled
default-check .......Disabled
username-check ......Disabled

Related Commands

• config switchconfig mode
• config switchconfig secret-obfuscation
• config switchconfig strong-pwd
• config switchconfig flowcontrol
• config switchconfig fips-prerequisite
• show stats switch
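The following Python audit is an added example, not part of the Cisco reference. It parses captured output of show sessions, show snmpversion, show snmpcommunity and show switchconfig in the dotted-leader layout used by the examples above and reports settings worth reviewing. The sample captures are constructed from those examples, and the choice of which values count as findings is an assumption of this example.

```python
import re

# Constructed captures, following the layout of the examples in this reference.
SESSIONS = """\
CLI Login Timeout (minutes)............ 0
Maximum Number of CLI Sessions......... 5
"""
SNMPVERSION = """\
SNMP v1 Mode.................................. Disable
SNMP v2c Mode.................................. Enable
SNMP v3 Mode.................................. Enable
"""
SWITCHCONFIG = """\
802.3x Flow Control Mode......................... Disabled
FIPS prerequisite features....................... Enabled
Boot Break....................................... Enabled
secret obfuscation............................... Enabled
Strong Password Check Features:
case-check ...........Disabled
consecutive-check ....Disabled
default-check .......Disabled
username-check ......Disabled
"""
SNMPCOMMUNITY = """\
SNMP Community Name Client IP Address Client IP Mask    Access Mode Status
------------------- ----------------- ----------------- ----------- -------
public              0.0.0.0           0.0.0.0           Read Only   Enable
**********          0.0.0.0           0.0.0.0           Read/Write  Enable
"""

# "Key....... Value": a run of two or more dots separates key from value, so
# single dots inside a key ("802.3x") or a value ("8.3.100.0") are left alone.
LEADER = re.compile(r"^\s*(?P<key>.+?)\s*\.{2,}:?\s*(?P<value>.*?)\s*$")
COMMUNITY_ROW = re.compile(
    r"^(?P<name>\S+)\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s+(?P<mask>\d+\.\d+\.\d+\.\d+)"
    r"\s+(?P<mode>Read Only|Read/Write)\s+(?P<status>Enable|Disable)\s*$"
)


def parse_dotted(text):
    """Return {key: value} for each dotted-leader line; other lines are skipped."""
    fields = {}
    for line in text.splitlines():
        match = LEADER.match(line)
        if match:
            fields[match.group("key").rstrip(": ")] = match.group("value")
    return fields


def parse_communities(text):
    """Return one dict per data row of the show snmpcommunity table."""
    return [m.groupdict() for m in map(COMMUNITY_ROW.match, text.splitlines()) if m]


def audit(sessions, snmpversion, switchconfig, snmpcommunity):
    """Return (command, finding) tuples. The policy choices are this example's own."""
    findings = []

    # The reference states that a timeout of 0 means CLI sessions never time out.
    timeout = parse_dotted(sessions).get("CLI Login Timeout (minutes)")
    if timeout is not None and timeout.isdigit() and int(timeout) == 0:
        findings.append(("show sessions", "CLI sessions never time out"))

    # SNMP v1 and v2c rely on a community string sent in cleartext.
    for key, state in parse_dotted(snmpversion).items():
        if key in ("SNMP v1 Mode", "SNMP v2c Mode") and state == "Enable":
            findings.append(("show snmpversion", key + " is enabled"))

    for key, state in parse_dotted(switchconfig).items():
        if key.endswith("-check") and state == "Disabled":
            findings.append(("show switchconfig", "strong password " + key + " is disabled"))

    for row in parse_communities(snmpcommunity):
        if row["status"] != "Enable":
            continue
        if row["name"] == "public":
            findings.append(("show snmpcommunity", "well-known community 'public' is enabled"))
        # A client mask of 0.0.0.0 matches every client address.
        if row["mode"] == "Read/Write" and row["mask"] == "0.0.0.0":
            findings.append(("show snmpcommunity", "read/write community accepts any client IP"))
    return findings


if __name__ == "__main__":
    for command, finding in audit(SESSIONS, SNMPVERSION, SWITCHCONFIG, SNMPCOMMUNITY):
        print(f"{command:20} {finding}")
```

The same parse_dotted helper reads the other dotted-leader outputs in this reference, including the "Key....: value" form printed by show rules.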

show sysinfo

To display high-level Cisco WLC information, use the show sysinfo command.

show sysinfo

Syntax Description

This command has no arguments or keywords.

Command Default

None

Examples

This example shows a sample output of the command run on Cisco 8540 Wireless Controller using Release 8.3:

(Cisco Controller) > show sysinfo

Manufacturer's Name.............................. Cisco Systems Inc.

Product Name..................................... Cisco Controller

Product Version.................................. 8.3.100.0

RTOS Version..................................... 8.3.100.0

Bootloader Version............................... 8.0.110.0

Emergency Image Version.......................... 8.0.110.0

OUI File Last Update Time........................ Sun Sep 07 10:44:07 IST 2014

Build Type....................................... DATA + WPS

System Name...................................... TestSpartan8500Dev1

System Location..................................

System Contact...................................

System ObjectID.................................. 1.3.6.1.4.1.9.1.1615

Redundancy Mode.................................. Disabled

IP Address....................................... 8.1.4.2

IPv6 Address..................................... ::

System Up Time................................... 0 days 17 hrs 20 mins 58 secs

--More-- or (q)uit

System Timezone Location.........................

System Stats Realtime Interval................... 5

System Stats Normal Interval..................... 180

Configured Country............................... Multiple Countries : IN,US

Operating Environment............................ Commercial (10 to 35 C)

Internal Temp Alarm Limits....................... 10 to 38 C

Internal Temperature............................. +21 C

Fan Status....................................... OK

RAID Volume Status

Drive 0.......................................... Good

Drive 1.......................................... Good

State of 802.11b Network......................... Enabled

State of 802.11a Network......................... Enabled

Number of WLANs.................................. 7

Number of Active Clients......................... 1

OUI Classification Failure Count................. 0

Burned-in MAC Address............................ F4:CF:E2:0A:27:00

Power Supply 1................................... Present, OK


--More-- or (q)uit

Power Supply 2................................... Present, OK

Maximum number of APs supported.................. 6000

System Nas-Id....................................

WLC MIC Certificate Types........................ SHA1/SHA2

Licensing Type................................... RTU

show tacacs acct statistics

To display detailed radio frequency identification (RFID) information for a specified tag, use the show tacacs acct statistics command.

show tacacs acct statistics

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to display detailed RFID information:

(Cisco Controller) > show tacacs acct statistics

Accounting Servers:

Server Index..................................... 1

Server Address................................... 10.0.0.0

Msg Round Trip Time.............................. 0 (1/100 second)

First Requests................................... 1

Retry Requests................................... 0

Accounting Response.............................. 0

Accounting Request Success....................... 0

Accounting Request Failure....................... 0

Malformed Msgs................................... 0

Bad Authenticator Msgs........................... 0

Pending Requests................................. -1

Timeout Requests................................. 1

Unknowntype Msgs................................. 0

Other Drops...................................... 0

Related Commands

• config tacacs acct
• config tacacs athr
• config tacacs auth
• show tacacs summary

show tacacs athr statistics

To display TACACS+ server authorization statistics, use the show tacacs athr statistics command.

show tacacs athr statistics

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release   Modification
7.6       This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to display TACACS server authorization statistics:

(Cisco Controller) > show tacacs athr statistics

Authorization Servers:

Server Index..................................... 3

Server Address................................... 10.0.0.3

Msg Round Trip Time.............................. 0 (1/100 second)

First Requests................................... 0

Retry Requests................................... 0

Received Responses............................... 0

Authorization Success............................ 0

Authorization Failure............................ 0

Challenge Responses.............................. 0

Malformed Msgs................................... 0

Bad Authenticator Msgs........................... 0

Pending Requests................................. 0

Timeout Requests................................. 0

Unknowntype Msgs................................. 0

Other Drops...................................... 0

Related Commands

config tacacs acct
config tacacs athr
config tacacs auth
show tacacs auth statistics
show tacacs summary

show tacacs auth statistics

To display TACACS+ server authentication statistics, use the show tacacs auth statistics command.

show tacacs auth statistics

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release   Modification
7.6       This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to display TACACS server authentication statistics:

(Cisco Controller) > show tacacs auth statistics

Authentication Servers:

Server Index..................................... 2

Server Address................................... 10.0.0.2

Msg Round Trip Time.............................. 0 (msec)

First Requests................................... 0

Retry Requests................................... 0

Accept Responses................................. 0

Reject Responses................................. 0

Error Responses.................................. 0

Restart Responses................................ 0

Follow Responses................................. 0

GetData Responses................................ 0

Encrypt no secret Responses...................... 0

Challenge Responses.............................. 0

Malformed Msgs................................... 0

Bad Authenticator Msgs........................... 0

Pending Requests................................. 0

Timeout Requests................................. 0

Unknowntype Msgs................................. 0

Other Drops...................................... 0

Related Commands

config tacacs acct
config tacacs athr
config tacacs auth
show tacacs summary

show tacacs summary

To display TACACS+ server summary information, use the show tacacs summary command.

show tacacs summary

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release   Modification
7.6       This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to display TACACS server summary information:

(Cisco Controller) > show tacacs summary

Authentication Servers

Idx  Server Address    Port    State     Tout
---------------------------------
2    10.0.0.1          49      Enabled   30

Accounting Servers

Idx  Server Address    Port    State     Tout
---------------------------------
1    10.0.0.0          49      Enabled   5

Authorization Servers

Idx  Server Address    Port    State     Tout
---------------------------------
3    10.0.0.3          49      Enabled   5

Idx  Server Address    Port    State     Tout
---------------------------------
4    2001:9:6:40::623  49      Enabled   5
...

Related Commands

config tacacs acct
config tacacs athr
config tacacs auth
show tacacs summary
show tacacs athr statistics
show tacacs auth statistics

show tech-support

To display Cisco wireless LAN controller variables frequently requested by Cisco Technical Assistance Center (TAC), use the show tech-support command.

show tech-support

Syntax Description

This command has no arguments or keywords.

Command Default

None.

Examples

This example shows how to display system resource information:

> show tech-support

Current CPU Load................................. 0%

System Buffers

Max Free Buffers.............................. 4608

Free Buffers.................................. 4604

Buffers In Use................................ 4

Web Server Resources

Descriptors Allocated......................... 152

Descriptors Used.............................. 3

Segments Allocated............................ 152

Segments Used................................. 3

System Resources

Uptime........................................ 747040 Secs

Total Ram..................................... 127552 Kbytes

Free Ram...................................... 19540 Kbytes

Shared Ram.................................... 0 Kbytes

Buffer Ram.................................... 460 Kbytes

show time

To display the Cisco wireless LAN controller time and date, use the show time command.

show time

Syntax Description

This command has no arguments or keywords.

Command Default

None.

Examples

This example shows how to display the controller time and date when authentication is not enabled:

> show time

Time............................................. Wed Apr 13 09:29:15 2011
Timezone delta................................... 0:0
Timezone location........................ (GMT +5:30) Colombo, New Delhi, Chennai, Kolkata
NTP Servers
    NTP Polling Interval.........................     3600
     Index     NTP Key Index     NTP Server      NTP Msg Auth Status
    ---------------------------------------------------------------------
       1              0           9.2.60.60       AUTH DISABLED

This example shows that successful authentication of the NTP message results in an NTP Msg Auth Status of AUTH SUCCESS:

> show time

Time............................................. Thu Apr 7 13:56:37 2011
Timezone delta................................... 0:0
Timezone location........................ (GMT +5:30) Colombo, New Delhi, Chennai, Kolkata
NTP Servers
    NTP Polling Interval.........................     3600
     Index     NTP Key Index     NTP Server      NTP Msg Auth Status
    ---------------------------------------------------------------------
       1              1           9.2.60.60       AUTH SUCCESS

This example shows that if the packet received has errors, the NTP Msg Auth Status shows AUTH FAILURE:

> show time

Time............................................. Thu Apr 7 13:56:37 2011
Timezone delta................................... 0:0
Timezone location........................ (GMT +5:30) Colombo, New Delhi, Chennai, Kolkata
NTP Servers
    NTP Polling Interval.........................     3600
     Index     NTP Key Index     NTP Server      NTP Msg Auth Status
    ---------------------------------------------------------------------
       1             10           9.2.60.60       AUTH FAILURE

This example shows that if there is no response from NTP server for the packets, the NTP Msg Auth status will be blank:

> show time

Time............................................. Thu Apr 7 13:56:37 2011
Timezone delta................................... 0:0
Timezone location................................ (GMT +5:30) Colombo, New Delhi, Chennai, Kolkata
NTP Servers
    NTP Polling Interval.........................     3600
     Index     NTP Key Index     NTP Server      NTP Msg Auth Status
    ---------------------------------------------------------------------
       1             11           9.2.60.60
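The four NTP Msg Auth Status cases above can be checked automatically over captured show time output. The following is an added example, not part of the Cisco reference: the sample output is constructed (192.0.2.0/24 documentation addresses), the column layout is assumed from the examples above, and the function names and the ok/review/alert labels are hypothetical.

```python
import re
from dataclasses import dataclass

# Constructed sample: one `show time` output combining the four status cases
# described above. Addresses are documentation placeholders, not real servers.
SAMPLE = """\
Time............................................. Thu Apr 7 13:56:37 2011
Timezone delta................................... 0:0
Timezone location........................ (GMT +5:30) Colombo, New Delhi, Chennai, Kolkata
NTP Servers
    NTP Polling Interval.........................     3600
     Index     NTP Key Index     NTP Server      NTP Msg Auth Status
    ---------------------------------------------------------------------
       1              0           192.0.2.10       AUTH DISABLED
       2              1           192.0.2.11       AUTH SUCCESS
       3             10           192.0.2.12       AUTH FAILURE
       4             11           192.0.2.13
"""

# Meaning of each status value as stated in the examples above.
# The ok/review/alert prefixes are labels chosen for this example.
VERDICTS = {
    "AUTH SUCCESS": "ok: NTP message authenticated",
    "AUTH DISABLED": "review: NTP authentication not enabled",
    "AUTH FAILURE": "alert: received NTP packet had errors",
    "": "alert: no response from NTP server",
}

# Index, key index, server (IPv4, IPv6 or name), then an optional status.
ROW = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\S+)\s*(.*)$")


@dataclass
class NtpServer:
    index: int
    key_index: int
    server: str
    status: str  # upper-cased, single-spaced; "" when the column is blank


def polling_interval(text):
    """Return the NTP polling interval as an int, or None if absent."""
    m = re.search(r"NTP Polling Interval\.+\s*(\d+)", text)
    return int(m.group(1)) if m else None


def parse_ntp_servers(text):
    """Extract the rows of the NTP server table from `show time` output."""
    servers, in_table = [], False
    for line in text.splitlines():
        if "NTP Msg Auth Status" in line:  # table header line
            in_table = True
            continue
        if not in_table:
            continue
        stripped = line.strip()
        if not stripped:
            if servers:
                break      # blank line after the rows ends the table
            continue       # blank line between header and first row
        if set(stripped) <= {"-", " "}:
            continue       # separator rule under the header
        m = ROW.match(line)
        if not m:
            break          # first non-row line ends the table
        idx, key, server, status = m.groups()
        servers.append(NtpServer(int(idx), int(key), server,
                                 " ".join(status.split()).upper()))
    return servers


def audit(text):
    """Map each NTP server to a verdict string for its auth status."""
    return {
        s.server: VERDICTS.get(s.status,
                               "review: unrecognised status %r" % s.status)
        for s in parse_ntp_servers(text)
    }


def needs_attention(text):
    """Servers whose status is anything other than AUTH SUCCESS."""
    return [s.server for s in parse_ntp_servers(text)
            if s.status != "AUTH SUCCESS"]


if __name__ == "__main__":
    print("polling interval:", polling_interval(SAMPLE))
    for server, verdict in audit(SAMPLE).items():
        print(server, "->", verdict)
```

A blank status is reported separately from AUTH FAILURE because the two cases have different causes: no reply at all versus a reply that failed validation.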

Related Commands

config time manual
config time ntp
config time timezone
config time timezone location

show trapflags

To display the Cisco wireless LAN controller Simple Network Management Protocol (SNMP) trap flags, use the show trapflags command.

show trapflags

Syntax Description

This command has no arguments or keywords.

Command Default

None.

Examples

This example shows how to display controller SNMP trap flags:

> show trapflags

Authentication Flag............................ Enable

Link Up/Down Flag.............................. Enable

Multiple Users Flag............................ Enable

Spanning Tree Flag............................. Enable

Client Related Traps

802.11 Disassociation......................... Disable

802.11 Association.............................Disabled

802.11 Deauthenticate......................... Disable

802.11 Authenticate Failure................... Disable

802.11 Association Failure.................... Disable

Authentication.................................Disabled

Excluded...................................... Disable

Max Client Warning Threshold.................. 90%

Nac-Alert Traps................................. Disabled

RFID Related Traps

Max RFIDs Warning Threshold..................... 90%

802.11 Security related traps

WEP Decrypt Error............................. Enable

IDS Signature Attack............................ Disable

Cisco AP

Register...................................... Enable

InterfaceUp................................... Enable

Auto-RF Profiles

Load.......................................... Enable

Noise......................................... Enable

Interference.................................. Enable

Coverage...................................... Enable

Auto-RF Thresholds
tx-power...................................... Enable
channel....................................... Enable
antenna....................................... Enable
AAA
auth.......................................... Enable
servers....................................... Enable
rogueap........................................ Enable
adjchannel-rogueap............................... Disabled
wps............................................ Enable
configsave..................................... Enable
IP Security
esp-auth...................................... Enable
esp-replay.................................... Enable
invalidSPI.................................... Enable
ike-neg....................................... Enable
suite-neg..................................... Enable
invalid-cookie................................ Enable
Mesh
auth failure.................................... Enabled
child excluded parent........................... Enabled
parent change................................... Enabled
child moved..................................... Enabled
excessive parent change......................... Enabled
onset SNR....................................... Enabled
abate SNR....................................... Enabled
console login................................... Enabled
excessive association........................... Enabled
default bridge group name....................... Enabled
excessive hop count............................. Disabled
excessive children.............................. Enabled
sec backhaul change............................. Disabled

Related Commands

config trapflags 802.11-Security
config trapflags aaa
config trapflags ap
config trapflags authentication
config trapflags client
config trapflags configsave
config trapflags IPsec
config trapflags linkmode

show traplog

To display the Cisco wireless LAN controller Simple Network Management Protocol (SNMP) trap log, use the show traplog command.

show traplog

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release   Modification
7.6       This command was introduced in a release earlier than Release 7.6.

Examples

The following is a sample output of the show traplog command:

(Cisco Controller) > show traplog

Number of Traps Since Last Reset........... 2447
Number of Traps Since Log Last Displayed... 2447

Log System Time              Trap
--- ------------------------ -------------------------------------------------
  0 Thu Aug 4 19:54:14 2005  Rogue AP : 00:0b:85:52:62:fe detected on Base Rad
                             io MAC : 00:0b:85:18:b6:50 Interface no:1(802.11
                             b/g) with RSSI: -78 and SNR: 10
  1 Thu Aug 4 19:54:14 2005  Rogue AP : 00:0b:85:52:19:d8 detected on Base Rad
                             io MAC : 00:0b:85:18:b6:50 Interface no:1(802.11
                             b/g) with RSSI: -72 and SNR: 16
  2 Thu Aug 4 19:54:14 2005  Rogue AP : 00:0b:85:26:a1:8d detected on Base Rad
                             io MAC : 00:0b:85:18:b6:50 Interface no:1(802.11
                             b/g) with RSSI: -82 and SNR: 6
  3 Thu Aug 4 19:54:14 2005  Rogue AP : 00:0b:85:14:b3:4f detected on Base Rad
                             io MAC : 00:0b:85:18:b6:50 Interface no:1(802.11
                             b/g) with RSSI: -56 and SNR: 30

Would you like to display more entries? (y/n)

show tunnel profile-summary

To show the summary of all the profiles, use the show tunnel profile command.

show tunnel profile summary

Syntax Description

summary   Displays the summary of all the profiles.

Command Default

None

Command History

Release   Modification
8.1       This command was introduced.

Examples

The following example shows how to display the summary of all the profiles:

show tunnel profile summary


show tunnel profile-detail

To show details of a specific profile, use the show tunnel profile command.

show tunnel profile detail profile-name

Syntax Description

detail         Displays details of a specific profile.
profile-name   Name of the profile.

Command Default

None

Command History

Release   Modification
8.1       This command was introduced.

Examples

The following example shows how to display specific profile details:

show tunnel profile detail test

show tunnel eogre-summary

To show the global configuration summary, use the show tunnel eogre command.

show tunnel eogre summary

Syntax Description

summary   Displays the global configuration summary.

Command Default

None

Command History

Release   Modification
8.1       This command was introduced.

Examples

The following example shows how to display the global configuration details:

(Cisco Controller) > show tunnel eogre summary

show tunnel eogre-statistics

To display the EoGRE Tunnel statistics, use the show tunnel eogre command.

show tunnel eogre statistics

Syntax Description

statistics   Displays the EoGRE Tunnel statistics.

Command Default

None

Command History

Release   Modification
8.1       This command was introduced.

Examples

The following example shows how to display the EoGRE Tunnel statistics details:

show tunnel eogre statistics

show tunnel eogre-domain-summary

To display the EoGRE domain summary, use the show tunnel eogre command.

show tunnel eogre domain summary

Syntax Description

summary   Displays the EoGRE domain summary.

Command Default

None

Command History

Release   Modification
8.1       This command was introduced.

Examples

The following example shows how to display the EoGRE domain summary:

show tunnel eogre domain summary

show tunnel eogre gateway

To view the EoGRE tunnel gateway summary and statistics, use the show tunnel eogre command.

show tunnel eogre gateway {summary | statistics}

Syntax Description

summary      Displays the EoGRE tunnel gateway summary.
statistics   Displays the EoGRE tunnel gateway statistics.

Command Default

None

Usage Guidelines

The show tunnel eogre gateway summary command lists details of only the FlexConnect central switching clients and Local Mode AP clients. To view the details of FlexConnect local switching clients, use the show ap eogre gateway ap-name command.

Command History

Release   Modification
8.1       This command was introduced.
8.5       The statistics parameter was added.

show watchlist

To display the client watchlist, use the show watchlist command.

show watchlist

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release   Modification
7.6       This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to display the client watchlist information:

(Cisco Controller) > show watchlist

client watchlist state is disabled

show wlan

To display configuration information for a specified wireless LAN or a foreign access point, or to display wireless LAN summary information, use the show wlan command.

show wlan { apgroups | summary | wlan_id | foreignAp | lobby-admin-access}

Syntax Description

apgroups             Displays access point group information.
summary              Displays a summary of all wireless LANs.
wlan_id              Displays the configuration of a WLAN. The Wireless LAN identifier range is from 1 to 512.
foreignAp            Displays the configuration for support of foreign access points.
lobby-admin-access   Displays all WLANs that have lobby-admin-access enabled.

Command Default

None

Usage Guidelines

For 802.1X client security type, which creates the PMK cache, the maximum session timeout that can be set is 86400 seconds when the session timeout is disabled. For other client security such as open, WebAuth, and PSK for which the PMK cache is not created, the session timeout value is shown as infinite when session timeout is disabled.

Command History

Release   Modification
7.6       This command was introduced in a release earlier than Release 7.6.
8.4       Shows WLANs which have lobby-admin-access enabled.

Examples

The following example shows how to display a summary of wireless LANs for wlan_id 1:

(Cisco Controller) > show wlan 1

WLAN Identifier.................................. 1

Profile Name..................................... aicha

Network Name (SSID).............................. aicha

Status........................................... Enabled

MAC Filtering.................................... Disabled

Broadcast SSID................................... Enabled

AAA Policy Override.............................. Disabled

Network Admission Control

RADIUS Profiling Status ...................... Disabled

DHCP ......................................... Disabled

HTTP ......................................... Disabled

Client Profiling Status ...................... Disabled


DHCP ......................................... Disabled

HTTP ......................................... Disabled

Radius-NAC State.............................. Enabled

SNMP-NAC State................................ Enabled

Quarantine VLAN................................ 0

Maximum number of Associated Clients............. 0

Maximum number of Clients per AP Radio........... 200

Number of Active Clients......................... 0

Exclusionlist Timeout............................ 60 seconds

Session Timeout.................................. 1800 seconds

User Idle Timeout................................ 300 seconds

User Idle Threshold.............................. 0 Bytes

NAS-identifier................................... Talwar1

CHD per WLAN..................................... Enabled

Webauth DHCP exclusion........................... Disabled

Interface........................................ management

Multicast Interface.............................. Not Configured

WLAN IPv4 ACL.................................... unconfigured

WLAN IPv6 ACL.................................... unconfigured

mDNS Status...................................... Disabled

mDNS Profile Name................................ unconfigured

DHCP Server...................................... Default

DHCP Address Assignment Required................. Disabled

Static IP client tunneling....................... Enabled

PMIPv6 Mobility Type............................. none

Quality of Service............................... Silver (best effort)

Per-SSID Rate Limits............................. Upstream      Downstream
Average Data Rate................................   0             0
Average Realtime Data Rate.......................   0             0
Burst Data Rate..................................   0             0
Burst Realtime Data Rate.........................   0             0
Per-Client Rate Limits........................... Upstream      Downstream
Average Data Rate................................   0             0
Average Realtime Data Rate.......................   0             0
Burst Data Rate..................................   0             0
Burst Realtime Data Rate.........................   0             0

Scan Defer Priority.............................. 4,5,6

Scan Defer Time.................................. 100 milliseconds

WMM.............................................. Allowed

WMM UAPSD Compliant Client Support............... Disabled

Media Stream Multicast-direct.................... Disabled

CCX - AironetIe Support.......................... Enabled

CCX - Gratuitous ProbeResponse (GPR)............. Disabled

CCX - Diagnostics Channel Capability............. Disabled

Dot11-Phone Mode (7920).......................... Disabled

Wired Protocol................................... None

Passive Client Feature........................... Disabled

IPv6 Support..................................... Disabled

Peer-to-Peer Blocking Action..................... Disabled

Radio Policy..................................... All

DTIM period for 802.11a radio.................... 1

DTIM period for 802.11b radio.................... 1

Radius Servers

Authentication................................ Global Servers

Accounting.................................... Global Servers

Interim Update............................. Disabled

Dynamic Interface............................. Disabled

Local EAP Authentication......................... Enabled (Profile 'Controller_Local_EAP')

Radius NAI-Realm................................. Enabled

Security

802.11 Authentication:........................ Open System

FT Support.................................... Disabled

Static WEP Keys............................... Disabled

802.1X........................................ Disabled

Wi-Fi Protected Access (WPA/WPA2)............. Enabled

WPA (SSN IE)............................... Enabled

TKIP Cipher............................. Disabled

AES Cipher.............................. Enabled

WPA2 (RSN IE).............................. Enabled

TKIP Cipher............................. Disabled

AES Cipher.............................. Enabled

Auth Key Management

802.1x.................................. Enabled


PSK..................................... Disabled

CCKM.................................... Enabled

FT(802.11r)............................. Disabled

FT-PSK(802.11r)......................... Disabled

PMF-1X(802.11w)......................... Enabled

PMF-PSK(802.11w)........................ Disabled

FT Reassociation Timeout......................... 20

FT Over-The-Air mode............................. Enabled

FT Over-The-Ds mode.............................. Enabled

GTK Randomization.......................... Disabled

SKC Cache Support.......................... Disabled

CCKM TSF Tolerance......................... 1000

Wi-Fi Direct policy configured................ Disabled

EAP-Passthrough............................... Disabled

CKIP ......................................... Disabled

IP Security................................... Disabled

IP Security Passthru.......................... Disabled

Web Based Authentication...................... Disabled

Web-Passthrough............................... Disabled

Conditional Web Redirect...................... Disabled

Splash-Page Web Redirect...................... Disabled

Auto Anchor................................... Disabled

FlexConnect Local Switching................... Enabled

flexconnect Central Dhcp Flag................. Disabled

flexconnect nat-pat Flag...................... Disabled

flexconnect Dns Override Flag................. Disabled

FlexConnect Vlan based Central Switching ..... Disabled

FlexConnect Local Authentication.............. Disabled

FlexConnect Learn IP Address.................. Enabled

Client MFP.................................... Optional

PMF........................................... Disabled

PMF Association Comeback Time................. 1

PMF SA Query RetryTimeout..................... 200

Tkip MIC Countermeasure Hold-down Timer....... 60

Call Snooping.................................... Disabled

Roamed Call Re-Anchor Policy..................... Disabled

SIP CAC Fail Send-486-Busy Policy................ Enabled

SIP CAC Fail Send Dis-Association Policy......... Disabled

KTS based CAC Policy............................. Disabled

Band Select...................................... Disabled

Load Balancing................................... Disabled

Mobility Anchor List

WLAN ID     IP Address          Status
-------     ---------------     ------

802.11u........................................ Enabled

Network Access type............................ Chargeable Public Network

Internet service............................... Enabled

Network Authentication type.................... Not Applicable

HESSID......................................... 00:00:00:00:00:00

IP Address Type Configuration

IPv4 Address type............................ Available

IPv6 Address type............................ Not Known

Roaming Consortium List

Index   OUI List   In Beacon
--------------------------
1       313131     Yes
2       DDBBCC     No
3       DDDDDD     Yes

Realm configuration summary

Realm index.................................. 1

Realm name................................... jobin

EAP index.................................. 1

EAP method................................. Unsupported

Index   Inner Authentication           Authentication Method
------------------------               ---------------------
1       Credential Type                SIM
2       Tunneled Eap Credential Type   SIM
3       Credential Type                SIM
4       Credential Type                USIM
5       Credential Type                Hardware Token
6       Credential Type                SoftToken

Domain name configuration summary

Index Domain name

-------------------

1 rom3

2 ram

3 rom1

Hotspot 2.0.................................... Enabled

Operator name configuration summary

Index Language Operator name

------------------------

1 ros Robin

Port config summary

Index   IP protocol   Port number   Status
-------------------------------
1       1             0             Closed
2       1             0             Closed
3       1             0             Closed
4       1             0             Closed
5       1             0             Closed
6       1             0             Closed
7       1             0             Closed

WAN Metrics Info

Link status.................................. Up

Symmetric Link............................... No

Downlink speed............................... 4 kbps

Uplink speed................................. 4 kbps

MSAP Services.................................. Disabled

Local Policy

----------------

Priority Policy Name

----------------------

1 Teacher_access_policy

The following example shows how to display a summary of all WLANs:

(Cisco Controller) > show wlan summary

Number of WLANs.................................. 1

WLAN ID   WLAN Profile Name / SSID   Status     Interface Name   PMIPv6 Mobility
------------------------------------------------------------------------------------
1         apsso / apsso              Disabled   management       none

The following example shows how to display the configuration for support of foreign access points:

(Cisco Controller) > show wlan foreignap

Foreign AP support is not enabled.

The following example shows how to display the AP groups:

(Cisco Controller) > show wlan apgroups

Total Number of AP Groups........................ 1

Site Name........................................ APuser

Site Description................................. <none>

Venue Name....................................... Not configured

Venue Group Code..................................Unspecified

Venue Type Code...................................Unspecified

Language Code.................................... Not configured

AP Operating Class............................... 83,84,112,113,115,116,117,118,123

RF Profile

----------

2.4 GHz band..................................... <none>

5 GHz band....................................... <none>

WLAN ID   Interface    Network Admission Control    Radio Policy
-------   ----------   --------------------------   ------------
14        int_4        Disabled                     All

AP Name   Slots   AP Model            Ethernet MAC        Location           Port   Country   Priority
----------------------------------------------------------------------------------------
Ibiza     2       AIR-CAP2602I-A-K9   44:2b:03:9a:8a:73   default location   1      US        1
Larch     2       AIR-CAP3502E-A-K9   f8:66:f2:ab:23:95   default location   1      US        1
Zest      2       AIR-CAP3502I-A-K9   00:22:90:91:6d:b6   ren                1      US        1

Number of Clients................................ 1

MAC Address AP Name Status Device Type

----------------- ------------- ------------- -----------------

24:77:03:89:9b:f8 ap2 Associated Android

show wps ap-authentication summary

To display the access point neighbor authentication configuration on the controller, use the show wps ap-authentication summary command.

show wps ap-authentication summary

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release   Modification
7.6       This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to display a summary of the Wireless Protection System (WPS) access point neighbor authentication:

(Cisco Controller) > show wps ap-authentication summary

AP neighbor authentication is <disabled>.

Authentication alarm threshold is 1.

RF-Network Name: <B1>

Related Commands

config wps ap-authentication

show wps cids-sensor

To display Intrusion Detection System (IDS) sensor summary information or detailed information on a specified Wireless Protection System (WPS) IDS sensor, use the show wps cids-sensor command.

show wps cids-sensor {summary | detail index}

Syntax Description

summary   Displays a summary of sensor settings.
detail    Displays all settings for the selected sensor.
index     IDS sensor identifier.

Command Default

None

Command History

Release   Modification
7.6       This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to display all settings for the selected sensor:

(Cisco Controller) > show wps cids-sensor detail 1

IP Address....................................... 10.0.0.51

Port............................................. 443

Query Interval................................... 60

Username......................................... Sensor_user1

Cert Fingerprint................................. SHA1: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00

Query State...................................... Disabled

Last Query Result................................ Unknown

Number of Queries Sent........................... 0

Related Commands config wps ap-authentication


show wps mfp

To display Management Frame Protection (MFP) information, use the show wps mfp command.

show wps mfp {summary | statistics}

Syntax Description

summary       Displays the MFP configuration and status.
statistics    Displays MFP statistics.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to display a summary of the MFP configuration and status:

(Cisco Controller) > show wps mfp summary
Global Infrastructure MFP state.................. DISABLED (*all infrastructure settings are overridden)
Controller Time Source Valid..................... False

                    WLAN      Infra.      Client
WLAN ID  WLAN Name  Status    Protection  Protection
-------  ---------  --------  ----------  -------------------------------------------
1        homeap     Disabled  *Enabled    Optional but inactive (WPA2 not configured)
2        7921       Enabled   *Enabled    Optional but inactive (WPA2 not configured)
3        open1      Enabled   *Enabled    Optional but inactive (WPA2 not configured)
4        7920       Enabled   *Enabled    Optional but inactive (WPA2 not configured)

             Infra.             Operational  --Infra. Capability--
AP Name      Validation  Radio  State        Protection  Validation
-----------  ----------  -----  -----------  ----------  ----------
AP1252AG-EW  *Enabled    b/g    Down         Full        Full
                         a      Down         Full        Full

The following example shows how to display the MFP statistics:

(Cisco Controller) > show wps mfp statistics
BSSID             Radio Validator AP         Last Source Addr  Found  Error Type     Count      Frame Types
----------------- ----- -------------------- ----------------- ------ -------------- ---------- -----------
no errors

Related Commands

config wps mfp


show wps shun-list

To display the Intrusion Detection System (IDS) sensor shun list, use the show wps shun-list command.

show wps shun-list

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to display the IDS system sensor shun list:

(Cisco Controller) > show wps shun-list

Related Commands

config wps shun-list re-sync


show wps signature detail

To display installed signatures, use the show wps signature detail command.

show wps signature detail sig-id

Syntax Description

sig-id    Signature ID of an installed signature.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

This example shows how to display information on the attacks detected by standard signature 1:

(Cisco Controller) > show wps signature detail 1

Signature-ID..................................... 1

Precedence....................................... 1

Signature Name................................... Bcast deauth

Type............................................. standard

FrameType........................................ management

State............................................ enabled

Action........................................... report

Tracking......................................... per Signature and Mac

Signature Frequency.............................. 500 pkts/interval

Signature Mac Frequency.......................... 300 pkts/interval

Interval......................................... 10 sec

Quiet Time....................................... 300 sec

Description...................................... Broadcast Deauthentication Frame

Patterns:

0(Header):0x0:0x0

4(Header):0x0:0x0

Related Commands

config wps signature
config wps signature frequency
config wps signature mac-frequency
config wps signature interval
config wps signature quiet-time
config wps signature reset
show wps signature events
show wps signature summary
show wps summary

show wps signature events

To display more information about the attacks detected by a particular standard or custom signature, use the show wps signature events command.

show wps signature events {summary | {standard | custom} precedenceID {summary | detailed}}

Syntax Description

summary         Displays all tracking signature summary information.
standard        Displays Standard Intrusion Detection System (IDS) signature settings.
custom          Displays custom IDS signature settings.
precedenceID    Signature precedence identification value.
detailed        Displays tracking source MAC address details.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to display the number of attacks detected by all enabled signatures:

(Cisco Controller) > show wps signature events summary
Precedence  Signature Name     Type      # Events
----------  -----------------  --------  --------
1           Bcast deauth       Standard  2
2           NULL probe resp 1  Standard  1

This example shows how to display a summary of information on the attacks detected by standard signature 1:

(Cisco Controller) > show wps signature events standard 1 summary
Precedence....................................... 1
Signature Name................................... Bcast deauth
Type............................................. Standard
Number of active events.......................... 2

Source MAC Addr    Track Method   Frequency  # APs  Last Heard
-----------------  -------------  ---------  -----  ------------------------
00:a0:f8:58:60:dd  Per Signature  50         1      Wed Oct 25 15:03:05 2006
00:a0:f8:58:60:dd  Per Mac        30         1      Wed Oct 25 15:02:53 2006

Related Commands

config wps signature frequency
config wps signature mac-frequency
config wps signature interval
config wps signature quiet-time
config wps signature reset
config wps signature
show wps signature summary
show wps summary


show wps signature summary

To see individual summaries of all of the standard and custom signatures installed on the controller, use the show wps signature summary command.

show wps signature summary

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to display a summary of all of the standard and custom signatures:

(Cisco Controller) > show wps signature summary

Signature-ID..................................... 1

Precedence....................................... 1

Signature Name................................... Bcast deauth

Type............................................. standard

FrameType........................................ management

State............................................ enabled

Action........................................... report

Tracking......................................... per Signature and Mac

Signature Frequency.............................. 50 pkts/interval

Signature Mac Frequency.......................... 30 pkts/interval

Interval......................................... 1 sec

Quiet Time....................................... 300 sec

Description...................................... Broadcast Deauthentication Frame

Patterns:

0(Header):0x00c0:0x00ff

4(Header):0x01:0x01

...

Related Commands

config wps signature frequency
config wps signature interval
config wps signature quiet-time
config wps signature reset
show wps signature events
show wps summary
config wps signature mac-frequency
config wps signature

show wps summary

To display Wireless Protection System (WPS) summary information, use the show wps summary command.

show wps summary

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to display WPS summary information:

(Cisco Controller) > show wps summary

Auto-Immune

Auto-Immune.................................... Disabled

Client Exclusion Policy

Excessive 802.11-association failures.......... Enabled

Excessive 802.11-authentication failures....... Enabled

Excessive 802.1x-authentication................ Enabled

IP-theft....................................... Enabled

Excessive Web authentication failure........... Enabled

Trusted AP Policy

Management Frame Protection.................... Disabled

Mis-configured AP Action....................... Alarm Only

Enforced encryption policy................... none

Enforced preamble policy..................... none

Enforced radio type policy................... none

Validate SSID................................ Disabled

Alert if Trusted AP is missing................. Disabled

Trusted AP timeout............................. 120

Untrusted AP Policy

Rogue Location Discovery Protocol.............. Disabled

RLDP Action.................................. Alarm Only

Rogue APs

Rogues AP advertising my SSID................ Alarm Only

Detect and report Ad-Hoc Networks............ Enabled

Rogue Clients

Validate rogue clients against AAA........... Enabled

Detect trusted clients on rogue APs.......... Alarm Only

Rogue AP timeout............................... 1300

Signature Policy

Signature Processing........................... Enabled

...

Related Commands

config wps signature frequency
config wps signature interval
config wps signature quiet-time
config wps signature reset
show wps signature events
show wps signature mac-frequency
show wps summary
config wps signature
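Added example, not part of the Cisco reference: a Python sketch that parses the dotted "Key.... Value" layout of the show wps summary output above and reports settings that differ from an expected baseline. The sample text is constructed from the example output on this page; the function names and the BASELINE values are assumptions of this example (a hypothetical site policy), not Cisco recommendations.

```python
import re

# Constructed sample: the `show wps summary` example output shown above,
# as it appears on this page (nesting indentation is not available).
SAMPLE = """\
(Cisco Controller) > show wps summary
Auto-Immune
Auto-Immune.................................... Disabled
Client Exclusion Policy
Excessive 802.11-association failures.......... Enabled
Excessive 802.11-authentication failures....... Enabled
Excessive 802.1x-authentication................ Enabled
IP-theft....................................... Enabled
Excessive Web authentication failure........... Enabled
Trusted AP Policy
Management Frame Protection.................... Disabled
Mis-configured AP Action....................... Alarm Only
Enforced encryption policy................... none
Enforced preamble policy..................... none
Enforced radio type policy................... none
Validate SSID................................ Disabled
Alert if Trusted AP is missing................. Disabled
Trusted AP timeout............................. 120
Untrusted AP Policy
Rogue Location Discovery Protocol.............. Disabled
RLDP Action.................................. Alarm Only
Rogue APs
Rogues AP advertising my SSID................ Alarm Only
Detect and report Ad-Hoc Networks............ Enabled
Rogue Clients
Validate rogue clients against AAA........... Enabled
Detect trusted clients on rogue APs.......... Alarm Only
Rogue AP timeout............................... 1300
Signature Policy
Signature Processing........................... Enabled
...
"""

# A label, a run of three or more dots, then the value. Single dots inside
# a label ("802.11-association") do not end the label.
KV_LINE = re.compile(r"^(?P<key>.+?)\.{3,}\s*(?P<value>.*)$")

# Hypothetical site policy (assumption of this example): setting -> expected value.
BASELINE = {
    "Auto-Immune": "Enabled",
    "Management Frame Protection": "Enabled",
    "Signature Processing": "Enabled",
    "Excessive 802.11-authentication failures": "Enabled",
}


def parse_wps_summary(text):
    """Return a list of (heading, setting, value) tuples.

    A line without a dotted value is taken as a heading for the settings
    that follow it. Prompt lines and "..." elision lines are skipped.
    """
    entries = []
    heading = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) <= {"."} or line.startswith("(Cisco Controller)"):
            continue
        match = KV_LINE.match(line)
        if match:
            entries.append((heading, match.group("key").strip(), match.group("value").strip()))
        else:
            heading = line
    return entries


def baseline_drift(entries, baseline=BASELINE):
    """Return (setting, expected, actual) for every baseline setting that
    differs from the parsed output; actual is None when the setting is absent."""
    current = {key: value for _, key, value in entries}
    drift = []
    for setting, expected in baseline.items():
        actual = current.get(setting)
        if actual is None or actual.lower() != expected.lower():
            drift.append((setting, expected, actual))
    return drift


if __name__ == "__main__":
    for setting, expected, actual in baseline_drift(parse_wps_summary(SAMPLE)):
        print(f"{setting}: expected {expected}, found {actual}")
```

Run against saved controller output, the same two functions can be used to compare several controllers with one baseline.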


show wps wips statistics

To display the current state of the Cisco Wireless Intrusion Prevention System (wIPS) operation on the controller, use the show wps wips statistics command.

show wps wips statistics

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to display the statistics of the wIPS operation:

(Cisco Controller) > show wps wips statistics

Policy Assignment Requests............ 1

Policy Assignment Responses........... 1

Policy Update Requests................ 0

Policy Update Responses............... 0

Policy Delete Requests................ 0

Policy Delete Responses............... 0

Alarm Updates......................... 13572

Device Updates........................ 8376

Device Update Requests................ 0

Device Update Responses............... 0

Forensic Updates...................... 1001

Invalid WIPS Payloads................. 0

Invalid Messages Received............. 0

NMSP Transmitted Packets.............. 22950

NMSP Transmit Packets Dropped......... 0

NMSP Largest Packet................... 1377

Related Commands

config 802.11 enable
config ap mode
config ap monitor-mode
show ap config
show ap monitor-mode summary
show wps wips summary


show wps wips summary

To display the adaptive Cisco Wireless Intrusion Prevention System (wIPS) configuration that the Wireless Control System (WCS) forwards to the controller, use the show wps wips summary command.

show wps wips summary

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to display a summary of the wIPS configuration:

(Cisco Controller) > show wps wips summary
Policy Name...................................... Default
Policy Version................................... 3

Related Commands

config 802.11 enable
config ap mode
config ap monitor-mode
show ap config
show ap monitor-mode summary
show wps wips statistics


PART VIII

Miscellaneous Commands

Miscellaneous Commands: 1
Miscellaneous Commands: 2

Miscellaneous Commands: 1

cping
eping
mping
ping

cping

To test mobility data traffic using CAPWAP, use the cping command.

cping mobility_peer_IP_address

Syntax Description

mobility_peer_IP_address    IP address of a peer mobility controller.

Command Default

None

Command History

Release    Modification
7.5        This command was introduced in the controller 7.5 Release.

Usage Guidelines

This command tests the mobility data traffic using the new mobility architecture.

Examples

The following example shows how to test the data traffic of a controller with peer mobility IP address as 172.12.35.31:

(Cisco Controller) > cping 172.12.35.31


eping

To test the mobility Ethernet over IP (EoIP) data packet communication between two Cisco WLCs, use the eping command.

eping mobility_peer_IP_address

Syntax Description

mobility_peer_IP_address    IP address of a controller that belongs to a mobility group.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.
8.0        This command supports only IPv4 address format.

Usage Guidelines

This command tests the mobility data traffic over the management interface.

Note

This ping test is not Internet Control Message Protocol (ICMP) based. The term “ping” is used to indicate an echo request and an echo reply message.

The IPv6 address format for this command is not supported.

Examples

The following example shows how to test EoIP data packets and to set the IP address of a controller that belongs to a mobility group to 172.12.35.31:

(Cisco Controller) > eping 172.12.35.31


mping

To test mobility UDP control packet communication between two Cisco WLCs, use the mping command.

mping mobility_peer_IP_address

Syntax Description

mobility_peer_IP_address    IP address of a controller that belongs to a mobility group.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.
8.0        This command supports both IPv4 and IPv6 address formats.

Usage Guidelines

This test runs over mobility UDP port 16666. It tests whether the mobility control packet can be reached over the management interface.

Note

This ping test is not Internet Control Message Protocol (ICMP) based. The term “ping” is used to indicate an echo request and an echo reply message.

Examples

The following example shows how to test mobility UDP control packet communications and to set the IP address of a Cisco WLC that belongs to a mobility group to 172.12.35.31:

(Cisco Controller) > mping 172.12.35.31


ping

To send ICMP echo packets to a specified IP address, use the ping command:

ping ip-addr interface-name

Syntax Description

ip-addr           IP address of the interface that you are trying to send ICMP echo packets to.
interface-name    Name of the interface to which you are trying to send ICMP echo packets.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

When you run the ping command, the CPU spikes up to 98 percent in the “osapi_ping_rx process”. While the ping command is running, the terminal and web activity on the Cisco WLC is blocked.

Examples

The following example shows how to send ICMP echo packets to an interface:

(Cisco Controller) > ping 209.165.200.225 dyn-interface-1


Miscellaneous Commands: 2

capwap ap controller ip address
config ap dhcp release-override
capwap ap dot1x
capwap ap hostname
capwap ap ip address
capwap ap ip default-gateway
capwap ap log-server
capwap ap primary-base
capwap ap primed-timer
capwap ap secondary-base
capwap ap tertiary-base
lwapp ap controller ip address
reset system at
reset system in
reset system cancel
reset system notify-time
reset peer-system
save config
transfer download certpasswor
transfer download datatype
transfer download datatype icon
transfer download filename
transfer download mode
transfer download password
transfer download path
transfer download port
transfer download serverip
transfer download start
transfer download tftpPktTimeout
transfer download tftpMaxRetries
transfer download username
transfer encrypt
transfer upload datatype
transfer upload filename
transfer upload mode
transfer upload pac
transfer upload password
transfer upload path
transfer upload peer-start
transfer upload port
transfer upload serverip
transfer upload start
transfer upload username

capwap ap controller ip address

To configure the controller IP address into the CAPWAP access point from the access point’s console port, use the capwap ap controller ip address command.

capwap ap controller ip address A.B.C.D

Syntax Description

A.B.C.D    IP address of the controller.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.
8.0        This command supports only IPv4 address format.

Usage Guidelines

This command must be entered from an access point’s console port. This command is applicable for IPv4 addresses only.

Note

The access point must be running Cisco IOS Release 12.3(11)JX1 or later releases.

Examples

The following example shows how to configure the controller IP address 10.23.90.81 into the CAPWAP access point:

ap_console > capwap ap controller ip address 10.23.90.81


config ap dhcp release-override

To configure DHCP release override on Cisco APs, use the config ap dhcp release-override command.

config ap dhcp release-override {enable | disable} {cisco-ap-name | all}

Syntax Description

enable           Enables DHCP release override and sets number of DHCP releases sent by AP to 1. To be used as a workaround for a few DHCP servers that mark the AP's IP address as bad. We recommend that you use this configuration only in highly reliable networks.
disable          Disables DHCP release override and sets number of DHCP releases sent by AP to 3, which is the default value. This ensures that the DHCP server receives the release message even if one of the packets is lost.
cisco-ap-name    Configuration is applied to the Cisco AP that you enter.
all              Configuration is applied to all Cisco APs.

Command Default

Disabled

Command History

Release    Modification
8.2        This command was introduced.

Usage Guidelines

Use this command when you are using Cisco lightweight APs with Windows Server 2008 R2 or 2012 as the DHCP server.


capwap ap dot1x

To configure the dot1x username and password into the CAPWAP access point from the access point’s console port, use the capwap ap dot1x command.

capwap ap dot1x username user_name password password

Syntax Description

user_name    Dot1x username.
password     Dot1x password.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

This command must be entered from an access point’s console port.

Note

The access point must be running Cisco Access Point IOS Release 12.3(11)JX1 or later releases.

Examples

This example shows how to configure the dot1x username ABC and password pass01:

ap_console > capwap ap dot1x username ABC password pass01


capwap ap hostname

To configure the access point host name from the access point’s console port, use the capwap ap hostname command.

capwap ap hostname host_name

Syntax Description

host_name    Hostname of the access point.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

This command must be entered from an access point’s console port.

Note

The access point must be running Cisco IOS Release 12.3(11)JX1 or later releases. This command is available only for the Cisco Lightweight AP IOS Software recovery image (rcvk9w8) without any private-config. You can remove the private-config by using the clear capwap private-config command.

Examples

This example shows how to configure the hostname WLC into the CAPWAP access point:

ap_console > capwap ap hostname WLC


capwap ap ip address

To configure the IP address into the CAPWAP access point from the access point’s console port, use the capwap ap ip address command.

capwap ap ip address A.B.C.D

Syntax Description

A.B.C.D    IP address.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.
8.0        This command supports only IPv4 address format.

Usage Guidelines

This command must be entered from an access point’s console port. This command supports only IPv4 address format.

Note

The access point must be running Cisco Access Point IOS Release 12.3(11)JX1 or later releases.

Examples

This example shows how to configure the IP address 10.0.0.1 into the CAPWAP access point:

ap_console > capwap ap ip address 10.0.0.1


capwap ap ip default-gateway

To configure the default gateway from the access point’s console port, use the capwap ap ip default-gateway command.

capwap ap ip default-gateway A.B.C.D

Syntax Description

A.B.C.D    Default gateway address of the CAPWAP access point.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.
8.0        This command supports only IPv4 address format.

Usage Guidelines

This command must be entered from an access point’s console port. This command supports only IPv4 address format.

Note

The access point must be running Cisco Access Point IOS Release 12.3(11)JX1 or later releases.

Examples

This example shows how to configure the CAPWAP access point with the default gateway address 10.0.0.1:

ap_console > capwap ap ip default-gateway 10.0.0.1


capwap ap log-server

To configure the system log server to log all the CAPWAP errors, use the capwap ap log-server command.

capwap ap log-server A.B.C.D

Syntax Description

A.B.C.D    IP address of the syslog server.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.
8.0        This command supports only IPv4 address format.

Usage Guidelines

This command must be entered from an access point’s console port. This command supports only IPv4 address format.

Note

The access point must be running Cisco Access Point IOS Release 12.3(11)JX1 or later releases.

Examples

This example shows how to configure the syslog server with the IP address 10.0.0.1:

ap_console > capwap ap log-server 10.0.0.1


capwap ap primary-base

To configure the primary controller name and IP address into the CAPWAP access point from the access point’s console port, use the capwap ap primary-base command.

capwap ap primary-base WORD A.B.C.D

Syntax Description

WORD       Name of the primary controller.
A.B.C.D    IP address of the primary controller.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.
8.0        This command supports only IPv4 address format.

Usage Guidelines

This command must be entered from an access point’s console port. This command supports only IPv4 address format.

Note

The access point must be running Cisco Access Point IOS Release 12.3(11)JX1 or later releases.

Examples

This example shows how to configure the primary controller name WLC1 and primary controller IP address 209.165.200.225 into the CAPWAP access point:

ap_console > capwap ap primary-base WLC1 209.165.200.225


capwap ap primed-timer

To configure the primed timer into the CAPWAP access point, use the capwap ap primed-timer command.

capwap ap primed-timer {enable | disable}

Syntax Description

enable     Enables the primed timer settings.
disable    Disables the primed timer settings.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

This command must be entered from an access point’s console port.

Note

The access point must be running Cisco Access Point IOS Release 12.3(11)JX1 or later releases.

Examples

This example shows how to enable the primed-timer settings:

ap_console > capwap ap primed-timer enable


capwap ap secondary-base

To configure the name and IP address of the secondary Cisco WLC into the CAPWAP access point from the access point’s console port, use the capwap ap secondary-base command.

capwap ap secondary-base controller_name controller_ip_address

Syntax Description

controller_name          Name of the secondary Cisco WLC.
controller_ip_address    IP address of the secondary Cisco WLC.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.
8.0        This command supports only IPv4 address format.

Usage Guidelines

This command must be entered from an access point’s console port. This command supports only IPv4 address format.

Note

The access point must be running Cisco Access Point IOS Release 12.3(11)JX1 or later releases.

Examples

This example shows how to configure the secondary Cisco WLC name as WLC2 and secondary Cisco WLC IP address 209.165.200.226 into the CAPWAP access point:

ap_console > capwap ap secondary-base WLC2 209.165.200.226


capwap ap tertiary-base

To configure the name and IP address of the tertiary Cisco WLC into the CAPWAP access point from the access point’s console port, use the capwap ap tertiary-base command.

capwap ap tertiary-base WORD A.B.C.D

Syntax Description

WORD       Name of the tertiary Cisco WLC.
A.B.C.D    IP address of the tertiary Cisco WLC.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.
8.0        This command supports only IPv4 address format.

Usage Guidelines

This command must be entered from an access point’s console port. This command supports only IPv4 address format.

Note

The access point must be running Cisco IOS Release 12.3(11)JX1 or later releases.

Examples

This example shows how to configure the tertiary Cisco WLC with the name WLC3 and tertiary Cisco WLC IP address 209.165.200.227 into the CAPWAP access point:

ap_console > capwap ap tertiary-base WLC3 209.165.200.227


lwapp ap controller ip address

To configure the Cisco WLC IP address into the FlexConnect access point from the access point’s console port, use the lwapp ap controller ip address command.

lwapp ap controller ip address A.B.C.D

Syntax Description

A.B.C.D    IP address of the controller.

Command Default

None

Command History

Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.
8.0        This command supports only IPv4 address format.

Usage Guidelines

This command must be entered from an access point’s console port. This command is applicable for IPv4 addresses only.

Prior to changing the FlexConnect configuration on an access point using the access point’s console port, the access point must be in standalone mode (not connected to a controller) and you must remove the current LWAPP private configuration by using the clear lwapp private-config command.

Note

The access point must be running Cisco IOS Release 12.3(11)JX1 or higher releases.

Examples

The following example shows how to configure the controller IP address 10.92.109.1 into the FlexConnect access point:

ap_console > lwapp ap controller ip address 10.92.109.1


reset system at reset system at

To reset the system at a specified time, use the reset system at command.

reset system at YYYY-MM-DD HH:MM:SS image {no-swap|swap} reset-aps [save-config]

Syntax Description

YYYY-MM-DD

Specifies the date.

HH:MM:SS

Specifies the time in a 24-hour format.

image

Configures the image to be rebooted.

swap

Changes the active boot image.

no-swap

Boots from the active image.

reset-aps

Resets all access points during the system reset.

save-config

(Optional) Saves the configuration before the system reset.

Command Default

None

Command History

Release

7.6

Modification

This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to reset the system at 12:01:01 on 2010-03-29:

(Cisco Controller) > reset system at 2010-03-29 12:01:01 image swap reset-aps save-config

reset system in

To specify the amount of time delay before the devices reboot, use the reset system in command.

reset system in HH:MM:SS image {swap | no-swap} reset-aps save-config

Syntax Description

HH:MM:SS

Specifies a delay in duration.

image

Configures the image to be rebooted.

swap

Changes the active boot image.

no-swap

Boots from the active image.

reset-aps

Resets all access points during the system reset.

save-config

Saves the configuration before the system reset.

Command Default

None

Command History

Release

7.6

Modification

This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to reset the system after a delay of 00:01:01:

(Cisco Controller) > reset system in 00:01:01 image swap reset-aps save-config

reset system cancel

To cancel a scheduled reset, use the reset system cancel command.

reset system cancel

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release

7.6

Modification

This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to cancel a scheduled reset:

(Cisco Controller) > reset system cancel

reset system notify-time

To configure the trap generation prior to scheduled resets, use the reset system notify-time command.

reset system notify-time minutes

Syntax Description

minutes

Number of minutes before each scheduled reset at which to generate a trap.

Command Default

The default time period to configure the trap generation prior to scheduled resets is 10 minutes.

Command History

Release

7.6

Modification

This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the trap generation to 10 minutes before the scheduled resets:

(Cisco Controller) > reset system notify-time 55

reset peer-system

To reset the peer controller, use the reset peer-system command.

reset peer-system

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release

7.6

Modification

This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to reset the peer controller:

> reset peer-system

save config

To save the controller configurations, use the save config command.

save config

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release

7.6

Modification

This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to save the controller settings:

(Cisco Controller) > save config

Are you sure you want to save? (y/n) y

Configuration Saved!

transfer download certpassword

To set the password for the .PEM file so that the operating system can decrypt the web administration SSL key and certificate, use the transfer download certpassword command.

transfer download certpassword private_key_password

Syntax Description

private_key_password

Certificate’s private key password.

Command Default

None

Command History

Release

7.6

Modification

This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to transfer a file to the switch with the certificate’s private key password certpassword:

(Cisco Controller) > transfer download certpassword

Clearing password

transfer download datatype

To set the download file type, use the transfer download datatype command.

transfer download datatype {code | config | eapdevcert | eapcacert | icon | image | ipseccacert | ipsecdevcert | login-banner | radius-avplist | signature | webadmincert | webauthbundle | webauthcert}

Syntax Description

code

Downloads an executable image to the system.

config

Downloads the configuration file.

eapcacert

Downloads an EAP ca certificate to the system.

eapdevcert

Downloads an EAP dev certificate to the system.

icon

Downloads an executable image to the system.

image

Downloads a web page login to the system.

ipseccacert

Downloads an IPSec Certificate Authority (CA) certificate to the system.

ipsecdevcert

Downloads an IPSec dev certificate to the system.

login-banner

Downloads the controller login banner. Only text file is supported with a maximum of 1500 bytes.

radius-avplist

Downloads the RADIUS AVPs in the XML file format from the FTP server.

signature

Downloads a signature file to the system.

webadmincert

Downloads a certificate for web administration to the system.

webauthbundle

Downloads a custom webauth bundle to the system.

webauthcert

Downloads a web certificate for the web portal to the system.

Command Default

None

Command History

Release

7.6

Modification

This command was introduced in a release earlier than Release 7.6.

Release

8.0

Modification

The ipseccacert, ipsecdevcert, and radius-avplist options were introduced.


Examples

The following example shows how to download an executable image to the system:

(Cisco Controller) > transfer download datatype code

transfer download datatype icon

To download an icon from a TFTP or FTP server onto the controller, use the transfer download datatype icon command.

transfer download datatype icon

Syntax Description

None

Command Default

None

Command Modes

WLAN configuration

Command History

Release

Release 8.2

Modification

This command was introduced.

Usage Guidelines

Examples

This example shows how to download an icon from a TFTP or FTP server onto the controller:

Cisco Controller > transfer download datatype icon

transfer download filename

To download a specific file, use the transfer download filename command.

transfer download filename filename

Syntax Description

filename

Filename that contains up to 512 alphanumeric characters.

Command Default

None

Command History

Release

7.6

Modification

This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

You cannot use special characters such as \ : * ? " < > | for the filename.

Examples

The following example shows how to transfer a file named build603:

(Cisco Controller) > transfer download filename build603

transfer download mode

To set the transfer mode, use the transfer download mode command.

transfer download mode {ftp | tftp | sftp}

Syntax Description

ftp

Sets the transfer mode to FTP.

tftp

Sets the transfer mode to TFTP.

sftp

Sets the transfer mode to SFTP.

Command Default

None

Command History

Release

7.6

Modification

This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to transfer a file using the TFTP mode:

(Cisco Controller) > transfer download mode tftp

transfer download password

To set the password for an FTP transfer, use the transfer download password command.

transfer download password password

Syntax Description

password

Password.

Command Default

None

Command History

Release

7.6

Modification

This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to set the password for FTP transfer to pass01:

(Cisco Controller) > transfer download password pass01

transfer download path

To set a specific FTP or TFTP path, use the transfer download path command.

transfer download path path

Syntax Description

path

Directory path.

Note

Path names on a TFTP or FTP server are relative to the server’s default or root directory. For example, in the case of the Solarwinds TFTP server, the path is “/”.

Command Default

None

Command History

Release

7.6

Modification

This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

You cannot use special characters such as \ : * ? " < > | for the file path.

Examples

The following example shows how to transfer a file to the path c:\install\version2:

(Cisco Controller) > transfer download path c:\install\version2

transfer download port

To specify the FTP port, use the transfer download port command.

transfer download port port

Syntax Description

port

FTP port.

Command Default

The default FTP port is 21.

Command History

Release

7.6

Modification

This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to specify FTP port number 23:

(Cisco Controller) > transfer download port 23

transfer download serverip

To configure the IPv4 or IPv6 address of the TFTP server from which to download information, use the transfer download serverip command.

transfer download serverip IP addr

Syntax Description

IP addr

TFTP server IPv4 or IPv6 address.

Command Default

None

Command History

Release

7.6

Modification

This command was introduced in a release earlier than Release 7.6.

Release

8.0

Modification

This command supports both IPv4 and IPv6 address formats.

Examples

The following example shows how to configure the IPv4 address of the TFTP server:

(Cisco Controller) > transfer download serverip 175.34.56.78

The following example shows how to configure the IPv6 address of the TFTP server:

(Cisco Controller) > transfer download serverip 2001:10:1:1::1

transfer download start

To initiate a download, use the transfer download start command.

transfer download start

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release

7.6

Modification

This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to initiate a download:

(Cisco Controller) > transfer download start

Mode........................................... TFTP

Data Type...................................... Site Cert

TFTP Server IP................................. 172.16.16.78

TFTP Path...................................... directory path

TFTP Filename.................................. webadmincert_name

This may take some time.

Are you sure you want to start? (y/n) Y

TFTP Webadmin cert transfer starting.

Certificate installed.

Please restart the switch (reset system) to use the new certificate.

transfer download tftpPktTimeout

To specify the TFTP packet timeout, use the transfer download tftpPktTimeout command.

transfer download tftpPktTimeout timeout

Syntax Description

timeout

Timeout in seconds between 1 and 254.

Command Default

None

Command History

Release

7.6

Modification

This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to transfer a file with the TFTP packet timeout of 55 seconds:

(Cisco Controller) > transfer download tftpPktTimeout 55

transfer download tftpMaxRetries

To specify the number of allowed TFTP packet retries, use the transfer download tftpMaxRetries command.

transfer download tftpMaxRetries retries

Syntax Description

retries

Number of allowed TFTP packet retries between 1 and 254 seconds.

Command Default

None

Command History

Release

7.6

Modification

This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to set the number of allowed TFTP packet retries to 55:

(Cisco Controller) > transfer download tftpMaxRetries 55

transfer download username

To specify the FTP username, use the transfer download username command.

transfer download username username

Syntax Description

username

Username.

Command Default

None

Command History

Release

7.6

Modification

This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to set the FTP username to ftp_username:

(Cisco Controller) > transfer download username ftp_username

transfer encrypt

To configure encryption for configuration file transfers, use the transfer encrypt command.

transfer encrypt {enable | disable | set-key key}

Syntax Description

enable

Enables the encryption settings.

disable

Disables the encryption settings.

set-key

Specifies the encryption key for configuration file transfers.

key

Encryption key for config file transfers.

Command Default

None

Command History

Release

7.6

Modification

This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable the encryption settings:

(Cisco Controller) > transfer encrypt enable

transfer upload datatype

To set the controller to upload specified log and crash files, use the transfer upload datatype command.

transfer upload datatype {ap-crash-data | config | coredump | crashfile | debug-file | eapcacert | eapdevcert | errorlog | invalid-config | pac | packet-capture | panic-crash-file | radio-core-dump | radius-avplist | rrm-log | run-config | signature | systemtrace | traplog | watchdog-crash-file | webadmincert | webauthbundle | webauthcert}

Syntax Description

ap-crash-data

Uploads the AP crash files.

config

Uploads the system configuration file.

coredump

Uploads the core-dump file.

crashfile

Uploads the system crash file.

debug-file

Uploads the system's debug log file.

eapcacert

Uploads an EAP CA certificate.

eapdevcert

Uploads an EAP Dev certificate.

errorlog

Uploads the system error log file.

invalid-config

Uploads the system invalid-config file.

pac

Uploads a Protected Access Credential (PAC).

packet-capture

Uploads a packet capture file.

panic-crash-file

Uploads the kernel panic information file.

radio-core-dump

Uploads the system error log.

radius-avplist

Uploads the XML file from the controller to the RADIUS server.

rrm-log

Uploads the system's trap log.

run-config

Uploads the WLC's running configuration.

signature

Uploads the system signature file.

systemtrace

Uploads the system trace file.

traplog

Uploads the system trap log.

watchdog-crash-file

Uploads a console dump file resulting from a software-watchdog-initiated controller reboot following a crash.

webadmincert

Uploads Web Admin certificate.

webauthbundle

Uploads a Web Auth bundle.

webauthcert

Uploads a web certificate.

Command Default

None

Command History

Release

7.6

Modification

This command was introduced in a release earlier than Release 7.6.

Release

8.0

Modification

The ipseccacert, ipsecdevcert, and radius-avplist options were introduced.

Examples

The following example shows how to upload the system error log file:

(Cisco Controller) > transfer upload datatype errorlog

transfer upload filename

To upload a specific file, use the transfer upload filename command.

transfer upload filename filename

Syntax Description

filename

Filename that contains up to 16 alphanumeric characters.

Command Default

None

Command History

Release

7.6

Modification

This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

You cannot use special characters such as \ : * ? " < > | for the filename.

Examples

The following example shows how to upload a file named build603:

(Cisco Controller) > transfer upload filename build603

transfer upload mode

To configure the transfer mode, use the transfer upload mode command.

transfer upload mode {ftp | tftp | sftp}

Syntax Description

ftp

Sets the transfer mode to FTP.

tftp

Sets the transfer mode to TFTP.

sftp

Sets the transfer mode to SFTP.

Command Default

None

Command History

Release

7.6

Modification

This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to set the transfer mode to TFTP:

(Cisco Controller) > transfer upload mode tftp

transfer upload pac

To load a Protected Access Credential (PAC) to support the local authentication feature and allow a client to import the PAC, use the transfer upload pac command.

transfer upload pac username validity password

Syntax Description

username

User identity of the PAC.

validity

Validity period (days) of the PAC.

password

Password to protect the PAC.

Command Default

None

Command History

Release

7.6

Modification

This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

The client upload process uses a TFTP or FTP server.

Examples

The following example shows how to upload a PAC with the username user1, validity period 53, and password pass01:

(Cisco Controller) > transfer upload pac user1 53 pass01

transfer upload password

To configure the password for FTP transfer, use the transfer upload password command.

transfer upload password password

Syntax Description

password

Password needed to access the FTP server.

Command Default

None

Command History

Release

7.6

Modification

This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the password for the FTP transfer to pass01:

(Cisco Controller) > transfer upload password pass01

transfer upload path

To set a specific upload path, use the transfer upload path command.

transfer upload path path

Syntax Description

path

Server path to file.

Command Default

None

Command History

Release

7.6

Modification

This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

You cannot use special characters such as \ : * ? " < > | for the file path.

Examples

The following example shows how to set the upload path to c:\install\version2:

(Cisco Controller) > transfer upload path c:\install\version2

transfer upload peer-start

To upload a file to the peer WLC, use the transfer upload peer-start command.

transfer upload peer-start

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release

7.6

Modification

This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to start uploading a file to the peer controller:

(Cisco Controller) > transfer upload peer-start

Mode............................................. FTP

FTP Server IP.................................... 209.165.201.1

FTP Server Port.................................. 21

FTP Path......................................... /builds/nimm/

FTP Filename..................................... AS_5500_7_4_1_20.aes

FTP Username..................................... wnbu

FTP Password..................................... *********

Data Type........................................ Error Log

Are you sure you want to start upload from standby? (y/N) n

Transfer Canceled

transfer upload port

To specify the FTP port, use the transfer upload port command.

transfer upload port port

Syntax Description

port

Port number.

Command Default

The default FTP port is 21.

Command History

Release

7.6

Modification

This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to specify FTP port 23:

(Cisco Controller) > transfer upload port 23

transfer upload serverip

To configure the IPv4 or IPv6 address of the TFTP server to upload files to, use the transfer upload serverip command.

transfer upload serverip IP addr

Syntax Description

IP addr

TFTP Server IPv4 or IPv6 address.

Command Default

None

Command History

Release

7.6

Modification

This command was introduced in a release earlier than Release 7.6.

Release

8.0

Modification

This command supports both IPv4 and IPv6 address formats.

Examples

The following example shows how to set the IPv4 address of the TFTP server to 175.31.56.78:

(Cisco Controller) > transfer upload serverip 175.31.56.78

The following example shows how to set the IPv6 address of the TFTP server to 2001:10:1:1::1:

(Cisco Controller) > transfer upload serverip 2001:10:1:1::1

transfer upload start

To initiate an upload, use the transfer upload start command.

transfer upload start

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release

7.6

Modification

This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to initiate an upload of a file:

(Cisco Controller) > transfer upload start

Mode........................................... TFTP

TFTP Server IP................................. 172.16.16.78

TFTP Path...................................... c:\find\off/

TFTP Filename.................................. wps_2_0_75_0.aes

Data Type...................................... Code

Are you sure you want to start? (y/n) n

Transfer Cancelled
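The confirmation summary printed by the transfer start commands can be checked before answering y. The following is an added example, not part of the Cisco reference: a Python check that parses that summary and flags transfers whose mode leaves the payload or the FTP credentials unencrypted. The names parse_summary, audit_transfer and SENSITIVE_HINTS, the severity labels and the SFTP summary layout are assumptions of this example; the other two summaries are the ones shown on this page.

```python
import re

# One summary line as the controller prints it: "Key......... Value".
_FIELD = re.compile(r"^\s*(?P<key>[A-Za-z][A-Za-z /-]*?)\.{2,}\s*(?P<value>.*?)\s*$")

CLEARTEXT_MODES = {"TFTP", "FTP"}            # neither mode encrypts the payload
SENSITIVE_HINTS = ("cert", "config", "pac")  # assumption: marks secret-bearing data types

# Summaries copied from the examples on this page.
DOWNLOAD_CERT = """\
Mode........................................... TFTP
Data Type...................................... Site Cert
TFTP Server IP................................. 172.16.16.78
TFTP Path...................................... directory path
TFTP Filename.................................. webadmincert_name
This may take some time.
Are you sure you want to start? (y/n) Y
"""

PEER_UPLOAD = """\
Mode............................................. FTP
FTP Server IP.................................... 209.165.201.1
FTP Server Port.................................. 21
FTP Path......................................... /builds/nimm/
FTP Filename..................................... AS_5500_7_4_1_20.aes
FTP Username..................................... wnbu
FTP Password..................................... *********
Data Type........................................ Error Log
"""

# Constructed sample: this page shows no SFTP summary, so the layout is assumed.
SFTP_CONFIG = """\
Mode........................................... SFTP
Data Type...................................... Config
"""


def parse_summary(text):
    """Return {field: value}; a leading TFTP/FTP/SFTP in the field name is dropped."""
    fields = {}
    for line in text.splitlines():
        match = _FIELD.match(line)
        if not match:
            continue  # prompts, status messages and blank lines
        key = re.sub(r"^(?:TFTP|SFTP|FTP)\s+", "", match.group("key").strip())
        fields[key] = match.group("value")
    return fields


def audit_transfer(text):
    """Return a list of (severity, message) findings for one summary."""
    fields = parse_summary(text)
    mode = fields.get("Mode", "").upper()
    data_type = fields.get("Data Type", "unknown")
    findings = []
    if mode in CLEARTEXT_MODES:
        sensitive = any(hint in data_type.lower() for hint in SENSITIVE_HINTS)
        findings.append((
            "high" if sensitive else "medium",
            f"{data_type} transferred over {mode}, which does not encrypt the payload",
        ))
    if mode == "FTP" and "Password" in fields:
        findings.append(("medium", "FTP sends the configured username and password in cleartext"))
    return findings


if __name__ == "__main__":
    for name, summary in (("download cert", DOWNLOAD_CERT),
                          ("peer upload", PEER_UPLOAD),
                          ("sftp config", SFTP_CONFIG)):
        print(name, audit_transfer(summary) or "no findings")
```
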

transfer upload username

To specify the FTP username, use the transfer upload username command.

transfer upload username username

Syntax Description

username

Username required to access the FTP server. The username can contain up to 31 characters.

Command Default

None

Command History

Release

7.6

Modification

This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to set the FTP username to ftp_username:

(Cisco Controller) > transfer upload username ftp_username
