3com wc4400

Upload: pablorovere2530

Post on 01-Jun-2018

  • 8/9/2019 3com wc4400

    http://www.3Com.com/

    Part No. 10015909 Rev AD

    Published July 2008

    Wireless LAN Mobility System

    Wireless LAN Switch and Controller Configuration Guide

    WX4400 3CRWX440095A
    WX2200 3CRWX220095A
    WX1200 3CRWX120695A
    WXR100 3CRWXR10095A

    3Com Corporation

    350 Campus Drive
    Marlborough, MA USA 01752-3064

    Copyright © 2007, 3Com Corporation. All rights reserved. No part of this documentation may be reproduced in any form or by any means or used to make any derivative work (such as translation, transformation, or adaptation) without written permission from 3Com Corporation.

    3Com Corporation reserves the right to revise this documentation and to make changes in content from time to time without obligation on the part of 3Com Corporation to provide notification of such revision or change.

    3Com Corporation provides this documentation without warranty, term, or condition of any kind, either implied or expressed, including, but not limited to, the implied warranties, terms or conditions of merchantability, satisfactory quality, and fitness for a particular purpose. 3Com may make improvements or changes in the product(s) and/or the program(s) described in this documentation at any time.

    If there is any software on removable media described in this documentation, it is furnished under a license agreement included with the product as a separate document, in the hard copy documentation, or on the removable media in a directory file named LICENSE.TXT or !LICENSE.TXT. If you are unable to locate a copy, please contact 3Com and a copy will be provided to you.

    UNITED STATES GOVERNMENT LEGEND

    If you are a United States government agency, then this documentation and the software described herein are provided to you subject to the following:

    All technical data and computer software are commercial in nature and developed solely at private expense. Software is delivered as “Commercial Computer Software” as defined in DFARS 252.227-7014 (June 1995) or as a “commercial item” as defined in FAR 2.101(a) and as such is provided with only such rights as are provided in 3Com’s standard commercial license for the Software. Technical data is provided with limited rights only as provided in DFAR 252.227-7015 (Nov 1995) or FAR 52.227-14 (June 1987), whichever is applicable. You agree not to remove or deface any portion of any legend provided on any licensed program or documentation contained in, or delivered to you in conjunction with, this User Guide.

    Unless otherwise indicated, 3Com registered trademarks are registered in the United States and may or may not be registered in other countries.

    3Com and the 3Com logo are registered trademarks of 3Com Corporation.

    Mobility Domain, Managed Access Point, Mobility Profile, Mobility System, Mobility System Software, MSS, and SentrySweep are trademarks of Trapeze Networks, Inc.

    Intel and Pentium are registered trademarks of Intel Corporation. Microsoft, MS-DOS, Windows, Windows XP, and Windows NT are registered trademarks of Microsoft Corporation.

    All other company and product names may be trademarks of the respective companies with which they are associated.

    ENVIRONMENTAL STATEMENT

    It is the policy of 3Com Corporation to be environmentally friendly in all operations. To uphold our policy, we are committed to:

    Establishing environmental performance standards that comply with national legislation and regulations.

    Conserving energy, materials and natural resources in all operations.

    Reducing the waste generated by all operations.

    Ensuring that all waste conforms to recognized environmental standards.

    Maximizing the recyclable and reusable content of all products.

    Ensuring that all products can be recycled, reused and disposed of safely.

    Ensuring that all products are labelled according to recognized environmental standards.

    Improving our environmental record on a continual basis.

    End of Life Statement

    3Com processes allow for the recovery, reclamation, and safe disposal of all end-of-life electronic components.

    Regulated Materials Statement

    3Com products do not contain any hazardous or ozone-depleting material.

    Environmental Statement about the Documentation

    The documentation for this product is printed on paper that comes from sustainable, managed forests; it is fully biodegradable and recyclable, and is completely chlorine-free. The varnish is environmentally-friendly, and the inks are vegetable-based with a low heavy-metal content.

    CONTENTS

    ABOUT THIS GUIDE
    Conventions
    Documentation
    Documentation Comments

    NEW FEATURES SUMMARY
    Virtual Controller Clustering
    Virtual Controller Cluster Configuration Terminology
    Centralized Configuration Using Virtual Controller Cluster Mode
    Autodistribution of APs on the Virtual Controller Cluster
    “Hitless” Failover with Virtual Controller Cluster Configuration
    Additional Information
    Configuring Virtual Controller Clustering on a Mobility Domain
    Other Virtual Controller Cluster Configuration Parameters
    AP 3950 Support and 802.11n Configuration
    Power Over Ethernet (PoE)
    802.11n Configuration
    External Captive Portal Support
    Network Address Translation (NAT) Support
    MAC-based Access Control Lists (ACLs)
    Simultaneous Login Support
    Configuration
    Dynamic RADIUS Extensions
    Configuration
    termination-action Attribute for Dynamic RADIUS
    MAC User Range Authentication
    Configuration
    MAC Authentication Request Format
    Configuration
    User Attribute Enhancements
    Configuration

    Split Authentication and Authorization
    Enhancements to Location Policy Configuration
    Configuration
    RADIUS Ping Utility
    Configuration
    Unique AP Number Support
    Configuration
    Bandwidth Management
    Configuration
    Mesh Services Enhancements
    RF Scanning Enhancements
    Configuration
    RF Detection Enhancements
    RF Classification Rules
    Countermeasures Scaling and Resiliency in a Mobility Domain
    Configuration
    MSS display Command Enhancements

    1 USING THE COMMAND-LINE INTERFACE
    Overview
    CLI Conventions
    Command Prompts
    Syntax Notation
    Text Entry Conventions and Allowed Characters
    User Globs, MAC Address Globs, and VLAN Globs
    Port Lists
    Virtual LAN Identification
    Command-Line Editing
    Keyboard Shortcuts
    History Buffer
    Tabs
    Single-Asterisk (*) Wildcard Character
    Double-Asterisk (**) Wildcard Characters
    Using CLI Help
    Understanding Command Descriptions

    2 WX SETUP METHODS
    Overview
    Quick Starts
    3Com Wireless Switch Manager
    CLI
    Web Manager
    How a WX Switch Gets its Configuration
    Web Quick Start (WXR100, WX1200 and WX2200 Only)
    Web Quick Start Parameters
    Web Quick Start Requirements
    Accessing the Web Quick Start
    CLI quickstart Command
    Quickstart Example
    Remote WX Configuration
    Opening the QuickStart Network Plan in 3Com Wireless Switch Manager

    3 CONFIGURING ADMINISTRATIVE AND LOCAL ACCESS
    Overview
    Before You Start
    About Administrative Access
    Access Modes
    Types of Administrative Access
    First-Time Configuration via the Console
    Logging Into the WX For the First Time
    Setting the WX Switch Enable Password
    Authenticating at the Console
    Setting User Passwords
    Adding and Clearing Local Users for Administrative Access
    Displaying the AAA Configuration
    Saving the Configuration
    Administrative Configuration Scenarios
    Local Authentication

    4 MANAGING USER PASSWORDS
    Overview
    Configuring Passwords
    Setting Passwords for Local Users
    Enabling Password Restrictions
    Setting the Maximum Number of Login Attempts
    Specifying Minimum Password Length
    Configuring Password Expiration Time
    Restoring Access to a Locked-Out User
    Displaying Password Information

    5 CONFIGURING AND MANAGING PORTS AND VLANS
    Configuring and Managing Ports
    Setting the Port Type
    Configuring a Port Name
    Configuring Interface Preference on a Dual-Interface Gigabit Ethernet Port (WX4400 only)
    Configuring Port Operating Parameters
    Displaying Port Information
    Configuring Load-Sharing Port Groups
    Configuring and Managing VLANs
    Understanding VLANs in 3Com MSS
    Configuring a VLAN
    Changing Tunneling Affinity
    Restricting Layer 2 Forwarding Among Clients
    Displaying VLAN Information
    Managing the Layer 2 Forwarding Database
    Types of Forwarding Database Entries
    How Entries Enter the Forwarding Database
    Displaying Forwarding Database Information
    Adding an Entry to the Forwarding Database
    Removing Entries from the Forwarding Database
    Configuring the Aging Timeout Period
    Port and VLAN Configuration Scenario

    6 CONFIGURING AND MANAGING IP INTERFACES AND SERVICES
    MTU Support
    Configuring and Managing IP Interfaces
    Adding an IP Interface
    Disabling or Reenabling an IP Interface
    Removing an IP Interface
    Displaying IP Interface Information
    Configuring the System IP Address
    Designating the System IP Address
    Displaying the System IP Address
    Clearing the System IP Address
    Configuring and Managing IP Routes
    Displaying IP Routes
    Adding a Static Route
    Removing a Static Route
    Managing the Management Services
    Managing SSH
    Managing Telnet
    Managing HTTPS
    Changing the Idle Timeout for CLI Management Sessions
    Setting a Message of the Day (MOTD) Banner
    Prompting the User to Acknowledge the MOTD Banner
    Configuring and Managing DNS
    Enabling or Disabling the DNS Client
    Configuring DNS Servers
    Configuring a Default Domain Name
    Displaying DNS Server Information
    Configuring and Managing Aliases
    Adding an Alias
    Removing an Alias
    Displaying Aliases
    Configuring and Managing Time Parameters
    Setting the Time Zone
    Configuring the Summertime Period
    Statically Configuring the System Time and Date
    Displaying the Time and Date
    Configuring and Managing NTP

    8 CONFIGURING AND MANAGING MOBILITY DOMAIN ROAMING
    About the Mobility Domain Feature
    Configuring a Mobility Domain
    Configuring the Seed
    Configuring Member WX Switches on the Seed
    Configuring a Member
    Configuring Mobility Domain Seed Redundancy
    Displaying Mobility Domain Status
    Displaying the Mobility Domain Configuration
    Clearing a Mobility Domain from a WX Switch
    Clearing a Mobility Domain Member from a Seed
    Configuring WX-WX Security
    Monitoring the VLANs and Tunnels in a Mobility Domain
    Displaying Roaming Stations
    Displaying Roaming VLANs and Their Affinities
    Displaying Tunnel Information
    Understanding the Sessions of Roaming Users
    Requirements for Roaming to Succeed
    Effects of Timers on Roaming
    Monitoring Roaming Sessions
    Mobility Domain Scenario

    9 CONFIGURING NETWORK DOMAINS
    About the Network Domain Feature
    Network Domain Seed Affinity
    Configuring a Network Domain
    Configuring Network Domain Seeds
    Specifying Network Domain Seed Peers
    Configuring Network Domain Members
    Displaying Network Domain Information
    Clearing Network Domain Configuration from a WX Switch
    Clearing a Network Domain Seed from a WX Switch
    Clearing a Network Domain Peer from a Network Domain Seed
    Clearing Network Domain Seed or Member Configuration from a WX Switch
    Network Domain Scenario

    10 CONFIGURING MAP ACCESS POINTS
    MAP Overview
    Country of Operation
    Directly Connected MAPs and Distributed MAPs
    Boot Process for Distributed MAPs
    Contacting a WX Switch
    Loading and Activating an Operational Image
    Obtaining Configuration Information from the WX Switch
    Service Profiles
    Radio Profiles
    Configuring MAPs
    Specifying the Country of Operation
    Configuring an Auto-AP Profile for Automatic MAP Configuration
    Configuring MAP Port Parameters
    Configuring MAP-WX Security
    Configuring a Service Profile
    Configuring a Radio Profile
    Configuring Radio-Specific Parameters
    Mapping the Radio Profile to Service Profiles
    Assigning a Radio Profile and Enabling Radios
    Disabling or Reenabling Radios
    Enabling or Disabling Individual Radios
    Disabling or Reenabling All Radios Using a Profile
    Resetting a Radio to its Factory Default Settings
    Restarting a MAP
    Configuring Local Packet Switching on MAPs
    Configuring Local Switching
    Displaying MAP Information
    Displaying MAP Configuration Information
    Displaying Connection Information for Distributed MAPs
    Displaying a List of Distributed MAPs that Are Not Configured
    Displaying Active Connection Information for Distributed MAPs
    Displaying Service Profile Information
    Displaying Radio Profile Information
    Displaying MAP Status Information
    Displaying Static IP Address Information for Distributed MAPs

    Displaying MAP Statistics Counters
    Displaying the Forwarding Database for a MAP
    Displaying VLAN Information for a MAP
    Displaying ACL Information for a MAP

    11 CONFIGURING RF LOAD BALANCING FOR MAPS
    RF Load Balancing Overview
    Configuring RF Load Balancing
    Disabling or Re-Enabling RF Load Balancing
    Assigning Radios to Load Balancing Groups
    Specifying Band Preference for RF Load Balancing
    Setting Strictness for RF Load Balancing
    Exempting an SSID from RF Load Balancing
    Displaying RF Load Balancing Information

    12 CONFIGURING WLAN MESH SERVICES
    WLAN Mesh Services Overview
    Configuring WLAN Mesh Services
    Configuring the Mesh AP
    Configuring the Service Profile for Mesh Services
    Configuring Security
    Enabling Link Calibration Packets on the Mesh Portal MAP
    Deploying the Mesh AP
    Configuring Wireless Bridging
    Displaying WLAN Mesh Services Information

    13 CONFIGURING USER ENCRYPTION
    Overview
    Configuring WPA
    WPA Cipher Suites
    TKIP Countermeasures
    WPA Authentication Methods
    WPA Information Element
    Client Support
    Configuring WPA
    Configuring RSN (802.11i)

    Creating a Service Profile for RSN
    Enabling RSN
    Specifying the RSN Cipher Suites
    Changing the TKIP Countermeasures Timer Value
    Enabling PSK Authentication
    Displaying RSN Settings
    Assigning the Service Profile to Radios and Enabling the Radios
    Configuring WEP
    Setting Static WEP Key Values
    Assigning Static WEP Keys
    Encryption Configuration Scenarios
    Enabling WPA with TKIP
    Enabling Dynamic WEP in a WPA Network
    Configuring Encryption for MAC Clients

    14 CONFIGURING RF AUTO-TUNING
    Overview
    Initial Channel and Power Assignment
    Channel and Power Tuning
    RF Auto-Tuning Parameters
    Changing RF Auto-Tuning Settings
    Selecting Available Channels on the 802.11a Radio
    Changing Channel Tuning Settings
    Changing Power Tuning Settings
    Locking Down Tuned Settings
    Displaying RF Auto-Tuning Information
    Displaying RF Auto-Tuning Settings
    Displaying RF Neighbors
    Displaying RF Attributes

    15 CONFIGURING MAPS TO BE AEROSCOUT LISTENERS
    Configuring MAP Radios to Listen for AeroScout RFID Tags
    Locating an RFID Tag
    Using an AeroScout Engine
    Using 3Com Wireless Switch Manager

    16 CONFIGURING QUALITY OF SERVICE
    About QoS
    Summary of QoS Features
    QoS Mode
    WMM QoS Mode
    WMM QoS on a MAP
    Call Admission Control
    Broadcast Control
    Static CoS
    Overriding CoS
    Changing QoS Settings
    Changing the QoS Mode
    Enabling U-APSD Support
    Configuring Call Admission Control
    Configuring Static CoS
    Changing CoS Mappings
    Using the Client’s DSCP Value to Classify QoS Level
    Enabling Broadcast Control
    Displaying QoS Information
    Displaying a Radio Profile’s QoS Settings
    Displaying a Service Profile’s QoS Settings
    Displaying CoS Mappings
    Displaying the DSCP Table
    Displaying MAP Forwarding Queue Statistics

    17 CONFIGURING AND MANAGING SPANNING TREE PROTOCOL
    Overview
    Enabling the Spanning Tree Protocol
    Changing Standard Spanning Tree Parameters
    Bridge Priority
    Port Cost
    Port Priority
    Changing the Bridge Priority
    Changing STP Port Parameters
    Changing Spanning Tree Timers
    Configuring and Managing STP Fast Convergence Features
    Configuring Port Fast Convergence

    Displaying Port Fast Convergence Information
    Configuring Backbone Fast Convergence
    Displaying the Backbone Fast Convergence State
    Configuring Uplink Fast Convergence
    Displaying Uplink Fast Convergence Information
    Displaying Spanning Tree Information
    Displaying STP Bridge and Port Information
    Displaying the STP Port Cost on a VLAN Basis
    Displaying Blocked STP Ports
    Displaying Spanning Tree Statistics
    Clearing STP Statistics
    Spanning Tree Configuration Scenario

    18 CONFIGURING AND MANAGING IGMP SNOOPING
    Overview
    Disabling or Reenabling IGMP Snooping
    Disabling or Reenabling Proxy Reporting
    Enabling the Pseudo-Querier
    Changing IGMP Timers
    Changing the Query Interval
    Changing the Other-Querier-Present Interval
    Changing the Query Response Interval
    Changing the Last Member Query Interval
    Changing Robustness
    Enabling Router Solicitation
    Changing the Router Solicitation Interval
    Configuring Static Multicast Ports
    Adding or Removing a Static Multicast Router Port
    Adding or Removing a Static Multicast Receiver Port
    Displaying Multicast Information
    Displaying Multicast Configuration Information and Statistics
    Displaying Multicast Queriers
    Displaying Multicast Routers
    Displaying Multicast Receivers

    Public and Private Keys
    Digital Certificates
    PKCS #7, PKCS #10, and PKCS #12 Object Files
    Certificates Automatically Generated by MSS
    Creating Keys and Certificates
    Choosing the Appropriate Certificate Installation Method for Your Network
    Creating Public-Private Key Pairs
    Generating Self-Signed Certificates
    Installing a Key Pair and Certificate from a PKCS #12 Object File
    Creating a CSR and Installing a Certificate from a PKCS #7 Object File
    Installing a CA’s Own Certificate
    Displaying Certificate and Key Information
    Key and Certificate Configuration Scenarios
    Creating Self-Signed Certificates
    Installing CA-Signed Certificates from PKCS #12 Object Files
    Installing CA-Signed Certificates Using a PKCS #10 Object File (CSR) and a PKCS #7 Object File

    21 CONFIGURING AAA FOR NETWORK USERS
    About AAA for Network Users
    Authentication
    Authorization
    Accounting
    Summary of AAA Features
    AAA Tools for Network Users
    “Globs” and Groups for Network and Local User Classification
    AAA Methods for IEEE 802.1X and Web Network Access
    IEEE 802.1X Extensible Authentication Protocol Types
    Ways a WX Switch Can Use EAP
    Effects of Authentication Type on Encryption Method
    Configuring 802.1X Authentication
    Configuring EAP Offload
    Using Pass-Through
    Authenticating via a Local Database
    Binding User Authentication to Machine Authentication
    Configuring Authentication and Authorization by MAC Address

    Adding and Clearing MAC Users and User Groups Locally
    Configuring MAC Authentication and Authorization
    Changing the MAC Authorization Password for RADIUS
    Configuring Web Portal WebAAA
    How WebAAA Portal Works
    WebAAA Requirements and Recommendations
    Configuring Web Portal WebAAA
    Using a Custom Login Page
    Using Dynamic Fields in WebAAA Redirect URLs
    Using an ACL Other Than portalacl
    Configuring the Web Portal WebAAA Session Timeout Period
    Configuring the Web Portal Logout Function
    Configuring Last-Resort Access
    Configuring Last-Resort Access for Wired Authentication Ports
    Configuring AAA for Users of Third-Party APs
    Authentication Process for Users of a Third-Party AP
    Requirements
    Configuring Authentication for 802.1X Users of a Third-Party AP with Tagged SSIDs
    Configuring Authentication for Non-802.1X Users of a Third-Party AP with Tagged SSIDs
    Configuring Access for Any Users of a Non-Tagged SSID
    Assigning Authorization Attributes
    Assigning Attributes to Users and Groups
    Assigning SSID Default Attributes to a Service Profile
    Assigning a Security ACL to a User or a Group
    Clearing a Security ACL from a User or Group
    Assigning Encryption Types to Wireless Users
    Keeping Users on the Same VLAN Even After Roaming
    Overriding or Adding Attributes Locally with a Location Policy
    About the Location Policy
    How the Location Policy Differs from a Security ACL
    Setting the Location Policy
    Clearing Location Policy Rules and Disabling the Location Policy
    Configuring Accounting for Wireless Network Users
    Viewing Local Accounting Records
    Viewing Roaming Accounting Records
    Displaying the AAA Configuration

    Avoiding AAA Problems in Configuration Order
    Using the Wildcard “Any” as the SSID Name in Authentication Rules
    Using Authentication and Accounting Rules Together
    Configuring a Mobility Profile
    Network User Configuration Scenarios
    General Use of Network User Commands
    Enabling RADIUS Pass-Through Authentication
    Enabling PEAP-MS-CHAP-V2 Authentication
    Enabling PEAP-MS-CHAP-V2 Offload
    Combining EAP Offload with Pass-Through Authentication
    Overriding AAA-Assigned VLANs

    22 CONFIGURING COMMUNICATION WITH RADIUS
    RADIUS Overview
    Before You Begin
    Configuring RADIUS Servers
    Configuring Global RADIUS Defaults
    Setting the System IP Address as the Source Address
    Configuring Individual RADIUS Servers
    Deleting RADIUS Servers
    Configuring RADIUS Server Groups
    Creating Server Groups
    Deleting a Server Group
    RADIUS and Server Group Configuration Scenario

    23 MANAGING 802.1X ON THE WX SWITCH
    Managing 802.1X on Wired Authentication Ports
    Enabling and Disabling 802.1X Globally
    Setting 802.1X Port Control
    Managing 802.1X Encryption Keys
    Enabling 802.1X Key Transmission
    Configuring 802.1X Key Transmission Time Intervals
    Managing WEP Keys
    Setting EAP Retransmission Attempts
    Managing 802.1X Client Reauthentication
    Enabling and Disabling 802.1X Reauthentication

    Setting the Maximum Number of 802.1X Reauthentication Attempts
    Setting the 802.1X Reauthentication Period
    Setting the Bonded Authentication Period
    Managing Other Timers
    Setting the 802.1X Quiet Period
    Setting the 802.1X Timeout for an Authorization Server
    Setting the 802.1X Timeout for a Client
    Displaying 802.1X Information
    Viewing 802.1X Clients
    Viewing the 802.1X Configuration
    Viewing 802.1X Statistics

    24 CONFIGURING SODA ENDPOINT SECURITY FOR A WX SWITCH
    About SODA Endpoint Security
    SODA Endpoint Security Support on WX Switches
    How SODA Functionality Works on WX Switches
    Configuring SODA Functionality
    Configuring Web Portal WebAAA for the Service Profile
    Creating the SODA Agent with SODA Manager
    Copying the SODA Agent to the WX Switch
    Installing the SODA Agent Files on the WX Switch
    Enabling SODA Functionality for the Service Profile
    Disabling Enforcement of SODA Agent Checks
    Specifying a SODA Agent Success Page
    Specifying a SODA Agent Failure Page
    Specifying a Remediation ACL
    Specifying a SODA Agent Logout Page
    Specifying an Alternate SODA Agent Directory for a Service Profile
    Uninstalling the SODA Agent Files from the WX Switch
    Displaying SODA Configuration Information

    25 MANAGING SESSIONS
    About the Session Manager
    Displaying and Clearing Administrative Sessions
    Displaying and Clearing All Administrative Sessions
    Displaying and Clearing an Administrative Console Session

    Displaying and Clearing Administrative Telnet Sessions
    Displaying and Clearing Client Telnet Sessions
    Displaying and Clearing Network Sessions
    Displaying Verbose Network Session Information
    Displaying and Clearing Network Sessions by Username
    Displaying and Clearing Network Sessions by MAC Address
    Displaying and Clearing Network Sessions by VLAN Name
    Displaying and Clearing Network Sessions by Session ID
    Displaying and Changing Network Session Timers
    Disabling Keepalive Probes
    Changing or Disabling the User Idle Timeout

    26 ROGUE DETECTION AND COUNTERMEASURES
    Overview
    About Rogues and RF Detection
    Rogue Access Points and Clients
    RF Detection Scans
    Countermeasures
    Mobility Domain Requirement
    Summary of Rogue Detection Features
    Configuring Rogue Detection Lists
    Configuring a Permitted Vendor List
    Configuring a Permitted SSID List
    Configuring a Client Black List
    Configuring an Attack List
    Configuring an Ignore List
    Enabling Countermeasures
    Using On-Demand Countermeasures in a Mobility Domain
    Disabling or Reenabling Active Scan
    Enabling MAP Signatures
    Creating an Encrypted RF Fingerprint Key as a MAP Signature
    Disabling or Reenabling Logging of Rogues
    Enabling Rogue and Countermeasures Notifications
    IDS and DoS Alerts
    Flood Attacks
    DoS Attacks
    Netstumbler and Wellenreiter Applications

    Wireless Bridge
    Ad-Hoc Network
    Weak WEP Key Used by Client
    Disallowed Devices or SSIDs
    Displaying Statistics Counters
    IDS Log Message Examples
    Displaying RF Detection Information
    Displaying Rogue Clients
    Displaying Rogue Detection Counters
    Displaying SSID or BSSID Information for a Mobility Domain
    Displaying RF Detect Data
    Displaying the APs Detected by MAP Radio
    Displaying Countermeasures Information

    27 MANAGING SYSTEM FILES
    About System Files
    Displaying Software Version Information
    Displaying Boot Information
    Working with Files
    Displaying a List of Files
    Copying a File
    Using an Image File’s MD5 Checksum To Verify Its Integrity
    Deleting a File
    Creating a Subdirectory
    Removing a Subdirectory
    Managing Configuration Files
    Displaying the Running Configuration
    Saving Configuration Changes
    Specifying the Configuration File to Use After the Next Reboot
    Loading a Configuration File
    Specifying a Backup Configuration File
    Resetting to the Factory Default Configuration
    Backing Up and Restoring the System
    Managing Configuration Changes
    Backup and Restore Examples
    Upgrading the System Image
    Preparing the WX Switch for the Upgrade

    Upgrading an Individual Switch Using the CLI
    Command Changes During Upgrade

    A TROUBLESHOOTING A WX SWITCH
    Fixing Common WX Setup Problems
    Recovering the System When the Enable Password is Lost
    WXR100
    WX1200, WX2200, or WX4400
    Configuring and Managing the System Log
    Log Message Components
    Logging Destinations and Levels
    Using Log Commands
    Running Traces
    Using the Trace Command
    Displaying a Trace
    Stopping a Trace
    About Trace Results
    Displaying Trace Results
    Copying Trace Results to a Server
    Clearing the Trace Log
    List of Trace Areas
    Using display Commands
    Viewing VLAN Interfaces
    Viewing AAA Session Statistics
    Viewing FDB Information
    Viewing ARP Information
    Port Mirroring
    Configuration Requirements
    Configuring Port Mirroring
    Displaying the Port Mirroring Configuration
    Clearing the Port Mirroring Configuration
    Remotely Monitoring Traffic
    How Remote Traffic Monitoring Works
    Best Practices for Remote Traffic Monitoring
    Configuring a Snoop Filter
    Mapping a Snoop Filter to a Radio
    Enabling or Disabling a Snoop Filter

    Displaying Remote Traffic Monitoring Statistics
    Preparing an Observer and Capturing Traffic
    Capturing System Information and Sending it to Technical Support
    The display tech-support Command
    Core Files
    Debug Messages
    Sending Information to 3Com Technical Support

    B ENABLING AND LOGGING INTO WEB VIEW
    System Requirements
    Browser Requirements
    WX Switch Requirements
    Logging Into Web View

    C SUPPORTED RADIUS ATTRIBUTES
    Attributes
    Supported Standard and Extended Attributes
    3Com Vendor-Specific Attributes

    D TRAFFIC PORTS USED BY MSS

    E DHCP SERVER
    How the MSS DHCP Server Works
    Configuring the DHCP Server
    Displaying DHCP Server Information

    F OBTAINING SUPPORT FOR YOUR 3COM PRODUCTS
    Register Your Product to Gain Service Benefits
    Solve Problems Online
    Purchase Extended Warranty and Professional Services
    Access Software Downloads
    Contact Us
    Telephone Technical Support and Repair

    GLOSSARY

    INDEX

    COMMAND INDEX

    ABOUT THIS GUIDE

    This guide describes the configuration commands for the 3Com Wireless LAN Switch WXR100, WX1200, or 3Com Wireless LAN Controller WX4400, WX2200.

    This guide is intended for System integrators who are configuring the WXR100, WX1200, WX4400, or WX2200.

    If release notes are shipped with your product and the information there differs from the information in this guide, follow the instructions in the release notes.

    Most user guides and release notes are available in Adobe Acrobat Reader Portable Document Format (PDF) or HTML on the 3Com World Wide Web site:

    http://www.3com.com/

    Conventions

    Table 1 and Table 2 list conventions that are used throughout this guide.

    Table 1 Notice Icons

    Icon    Notice Type         Description
            Information note    Information that describes important features or instructions
            Caution             Information that alerts you to potential loss of data or potential damage to an application, system, or device

    This manual uses the following text and syntax conventions:

    Table 2 Text Conventions

    Convention               Description
    Monospace text           Sets off command syntax or sample commands and system responses.
    Bold text                Highlights commands that you enter or items you select.
    Italic text              Designates command variables that you replace with appropriate values, or highlights publication titles or words requiring special emphasis.
    [ ] (square brackets)    Enclose optional parameters in command syntax.
    { } (curly brackets)     Enclose mandatory parameters in command syntax.
    | (vertical bar)         Separates mutually exclusive options in command syntax.
    Keyboard key names       If you must press two or more keys simultaneously, the key names are linked with a plus sign (+). Example: Press Ctrl+Alt+Del
    Words in italics         Italics are used to: Emphasize a point. Denote a new term at the place where it is defined in the text. Highlight an example string, such as a username or SSID.

    Documentation

    The MSS documentation set includes the following documents.

    Wireless Switch Manager (3WXM) Release Notes

    These notes provide information about the 3WXM software release, including new features and bug fixes.

    Wireless LAN Switch and Controller Release Notes

    These notes provide information about the MSS software release, including new features and bug fixes.

    Wireless LAN Switch and Controller Quick Start Guide

    This guide provides instructions for performing basic setup of secure (802.1X) and guest (WebAAA™) access, for configuring a Mobility Domain for roaming, and for accessing a sample network plan in 3WXM for advanced configuration and management.

    Documentation Comments 27

    http://mssquickstart6-0.pdf/http://mssquickstart6-0.pdf/http://mssquickstart6-0.pdf/

  • 8/9/2019 3com wc4400

    27/751

    Wireless Switch Manager Reference Manual

    This manual shows you how to plan, configure, deploy, and manage a Mobility System wireless LAN (WLAN) using the 3Com Wireless Switch Manager (3WXM).

    Wireless Switch Manager User’s Guide

    This manual shows you how to plan, configure, deploy, and manage the entire WLAN with the 3WXM tool suite. Read this guide to learn how to plan wireless services, how to configure and deploy 3Com equipment to provide those services, and how to optimize and manage your WLAN.

    Wireless LAN Switch and Controller Hardware Installation Guide

    This guide provides instructions and specifications for installing a WX wireless switch in a Mobility System WLAN.

    Wireless LAN Switch and Controller Configuration Guide

    This guide provides instructions for configuring and managing the system through the Mobility System Software (MSS) CLI.

    Wireless LAN Switch and Controller Command Reference

    This reference provides syntax information for all MSS commands supported on WX switches.

    Documentation Comments

    Your suggestions are very important to us. They will help make our documentation more useful to you. Please e-mail comments about this document to 3Com at:

    [email protected]

    Please include the following information when contacting us:

    Document title

    Document part number and revision (on the title page)

    Page number (if appropriate)

    Example:

    Wireless LAN Switch and Controller Configuration Guide

    Part number 730-9502-0071, Revision B

    Page 25

    Please note that we can only respond to comments and questions about 3Com product documentation at this e-mail address. Questions related to technical support or sales should be directed in the first instance to your network supplier.


    NEW FEATURES SUMMARY

    This summary describes new features available in Version 7.0 of the Wireless LAN Mobility System that affect this guide. Each feature section includes:

    A brief description of the feature

    Basic configuration procedures, if applicable

    It is important to note that new MSS 7.0 features are not described within the individual chapters of this guide. They are only covered in this summary section.

    This summary covers the following topics:

    Virtual Controller Clustering
    AP 3950 Support and 802.11n Configuration
    External Captive Portal Support
    Network Address Translation (NAT) Support
    MAC-based Access Control Lists (ACLs)
    Simultaneous Login Support
    Dynamic RADIUS Extensions
    MAC User Range Authentication
    MAC Authentication Request Format
    User Attribute Enhancements
    Split Authentication and Authorization
    RADIUS Ping Utility
    Unique AP Number Support
    Bandwidth Management
    Mesh Services Enhancements
    RF Scanning Enhancements
    RF Detection Enhancements
    MSS display Command Enhancements

    Virtual Controller Clustering

    WX switches use innovative clustering technology to ensure mobility across an entire wireless network. With clustering, you can create logical groups of WX switches and APs, which proactively share network and user information for hitless failover support. You can also create a single point of configuration for small and large WLAN deployments to reduce the cost of installation and network management. Adding WXs and APs is seamless and does not require an interruption of connectivity in your existing network.

    Virtual Controller Clustering provides distributed network intelligence that enables fast, transparent failover to overcome network and device interruptions and provides a means of central configuration and distribution for WXs and APs on the network.

    The features of cluster configuration include the following:

    Centralized configuration of WXs and APs.

    Autodistribution of configuration parameters to APs.

    “Hitless” failover on the network if a WX is unavailable.

    Automatic load balancing of APs across any WXs in the cluster.

    The number of APs supported on a cluster member is limited to the number supported on a WX. It is recommended that you use larger capacity WXs, such as WX 2200s, in your configuration to obtain the maximum benefits of cluster configuration.

    Virtual Controller Cluster Configuration Terminology

    Domain configuration – Wireless parameters in the configuration file, including radio profiles, service profiles, AP configuration, and more. The domain configuration is typically duplicated among more than one WX in a cluster.

    Configuration cluster – The cluster subset of WXs in a mobility domain that share a domain configuration.

    Primary AP Manager (PAM) – The WX in the cluster responsible for actively managing APs that receive configuration information from the PAM.

    Secondary AP Manager (SAM) – The WX in the cluster acting as the hot standby for an AP.

    Centralized Configuration Using Virtual Controller Cluster Mode

    Cluster mode is a subset of a mobility domain.

    A predetermined set of configuration parameters are distributed from the primary seed to members of the cluster in a load-balanced manner. The AP parameters are then distributed to the APs on each WX.

    A member of a configuration cluster does not have a local copy of the domain configuration unless it is the primary or secondary seed.

    A WX cannot boot an AP without network connectivity to the primary or secondary seed.

    The domain configuration is created and managed by the active seed.

    The secondary seed provides redundancy for configuration management to the primary seed.

    The primary seed takes precedence over the secondary seed if there are conflicting configurations between them. The only exception is if you explicitly override the configuration.

    Changes to the secondary seed are not allowed while the primary seed is active on the network.

    Adding more WXs to the cluster to increase AP booting capacity is seamless and requires no configuration changes to more than one WX in the cluster.

    Configuration changes for WXs can only be performed on the primary seed of the mobility domain, or the secondary seed if one is configured and the primary seed is unavailable.

    Autodistribution of APs on the Virtual Controller Cluster

    Load balancing of APs is supported across the cluster without any explicit configuration.

    The maximum number of configured APs on the cluster is restricted by the maximum number of configured APs on the primary or secondary seed. Larger capacity WXs should be used for larger deployments of APs.

    Client session states are shared among WXs in the cluster configuration.

    “Hitless” Failover with Virtual Controller Cluster Configuration

    Failure of a WX has no adverse impact on the current installation.

    Existing clients and APs remain active on the network and there is no impact on the ability to make cluster configuration changes while the WX is in a failure state.

    APs connected to a WX failover to another WX in the cluster without resetting on the network.

    Existing client sessions on an AP are not disconnected if the WX is in the process of failing.

    Client session states are shared between WXs with a configuration profile for an AP. This ensures proper network resiliency capability.

    Keepalive packets are sent between the primary seed and the cluster members to ensure that all members are available.

    Additional Information

    Only one cluster can be configured on a mobility domain.

    In MSS Version 7.0, the maximum number of APs supported in a cluster is 2048.

    AP-WX load balancing automatically occurs on the mobility domain to ensure maximum failover capability.

    Cluster configuration is not supported on releases earlier than MSS Version 7.0.

    All WXs configured as part of a cluster must have MSS Version 7.0 as the operating software.

    All WXs configured as part of the cluster must run the same level of firmware and be of the same type (e.g. two WX-4400s).

    Directly attached APs cannot be configured on any WX in a cluster configuration.

    It is recommended that you back up the existing configuration on each WX that is a member of the cluster configuration. If you disable cluster mode, you can return to the previous configuration without reconfiguring the WX.

    Configuring Virtual Controller Clustering on a Mobility Domain

    On the primary seed for the mobility domain, enter the following command:

    WX_PS# set cluster mode enable
    success: change accepted

    On the secondary seed for the mobility domain, enter the following command to provide cluster redundancy on the network:

    WX_SS# set cluster mode preempt enable

    On each mobility domain member, enter the following command:

    WX1# set cluster mode enable
    success: change accepted

    WX2# set cluster mode enable
    success: change accepted

    WX3# set cluster mode enable
    success: change accepted

    If the primary and secondary seed become disconnected and if you have configured one as part of the mobility domain, use the command set cluster preempt enable on the secondary seed WX to override the primary seed configuration. Once the primary seed WX is available, the primary seed manages the cluster configuration again.

    This command is not persistent and you must set preempt again if the WX resets.

    Use the restore-backup-config command to restore the previous configuration on the WX before cluster mode was enabled.

    Other Virtual Controller Cluster Configuration Parameters

    The following configuration parameters are also shared as part of the virtual cluster controller configuration:

    ACLs are implemented as follows:

      ACLs that refer to an AP must be configured on the seed WX.

      ACLs defined on a seed WX are shared with members.

      ACL mapping to ports, VLANs, and vports can be defined on the member WXs for locally defined ACLs.

      If there are conflicting ACL names, the local ACL takes precedence and the incident is logged to the event log.

    Mobility profiles have the following configuration constraints:

      Mobility profiles must be configured on the Primary seed.

      Mobility profiles that reference ports are not accepted by the configuration.

    Location policies can be configured as follows:

      Must be configured on the seed WX.

      Profiles with port references are not allowed.

    QoS profiles

    AP 3950 Support and 802.11n Configuration

    With the introduction of the AP-3950, MSS 7.0 now supports 802.11n. Some of the features of the AP-3950 include:

    40 MHz channels
    High throughput
    Additional Rates
    MPDU aggregation
    MIMO
    Legacy clients and APs
    2.4 GHz and 5 GHz capabilities

    You can configure different data rates on the AP-3950 for 802.11b, 802.11ng, and 802.11na.

    Table 3 AP-3950 Data Rates

    Radio Type   Data Rates
    802.11na     6.0, 9.0, 12.0, 18.0, 24.0, 36.0, 48.0, 54.0, MCS0-15
    802.11b      1.0, 2.0, 5.5, 11.0
    802.11ng     1.0, 2.0, 5.5, 6.0, 9.0, 11.0, 12.0, 18.0, 24.0, 36.0, 48.0, 54.0, MCS0-15

    For instructions on how to install the AP-3950, refer to the AP3950 Managed Access Point Quick Start Guide.

    Power Over Ethernet (PoE)

    Because the AP-3950 has two 802.11n radios, it requires more PoE support than a single 802.3af power source.

    Use the following command to configure PoE:

    set ap apnum power-mode {auto | high}

    There are two possible configurations for supplying power to the AP-3950:

    If the power mode is set to auto, the power is managed automatically by sensing the power level on the AP. If low power is detected, the unused Ethernet is disabled and traffic on the 2.4 GHz radio is reduced. If high power is detected, then both radios operate at 3x3 (3 transmit chains and 3 receive chains).

    If the power mode is set to high, both radios operate at the maximum power available, which requires either 802.3at PoE or both ports using 802.3af PoE.

    802.11n Configuration

    It is recommended that you follow these best practices when configuring 802.11n:

    Use separate radio profiles for long and short guard intervals. A short guard interval is used to prevent inter-symbol interference for 802.11n. When enabled, the interval is 400 nanoseconds and it enhances throughput when multipath delay is low.

    Do not configure 40 MHz channels on the 2.4 GHz radio.

    40 MHz channels may not be optimal in areas with high client density, such as auditoriums or large classrooms. Consider using two AP-3950s on different 20 MHz channels and load-balance the traffic between the two APs.

    For information on 802.11n frame aggregation, data rate, and channel commands, refer to the New Features Summary section of the Wireless LAN Switch and Controller Command Reference Guide.

    External Captive Portal Support

    The ability to redirect Web portal authentication to a Web server on a network rather than a local WX database or RADIUS is now available in MSS 7.0. The feature works in the following manner:

    A user connects to the local WX with web portal enabled.

    The WX redirects the user via HTTP or HTTPS to an external authentication web server.

    After the user credentials are verified, the external server sends a Change of Attribute (CoA) to the WX. The CoA requests a change in the session username on the WX.

    The Web server can also change or set any other allowed CoAs at the same time.

    WX# set service-profile profile-name web-portal-form URL

    Network Address Translation (NAT) Support

    MSS Version 6.2 supports NAT, which provides the translation of IP addresses in one network for those in a different network. NAT is typically used in firewall applications in which one network (private) is hidden behind the firewall to protect it from the public network. In some network configurations, a firewall appliance or other network appliance may be placed between an AP and a WX and use NAT in a configuration.

    Changes to the MSS architecture affect the WX-AP control plane, WX-AP client data transport, and the WX-WX roaming client data transport portions of MSS. NAT support is transparent to the end user and does not require explicit MSS or 3WXM configuration.

    MAC-based Access Control Lists (ACLs)

    Access Control Lists (ACLs) filter packets based on certain fields in the packet such as ICMP, IP address, TCP, CoS, or UDP. With the release of MSS 7.0, you can now configure ACLs using MAC addresses. The MAC address mask is similar to IP address masks, but specified in hexadecimal format.

    Simultaneous Login Support

    As part of the administrative and user configuration enhancements to MSS 7.0, you can now limit the number of concurrent sessions that a user can have on the network. You can use a vendor-specific attribute (VSA) on a RADIUS server or configure it as part of a service profile. You can apply the attribute to users and user groups.

    Configuration

    To configure simultaneous logins for a user, enter the following command:

    WX# set user username attr simultaneous-logins value

    where value is between 0-1000. If you set the value to 0, then the user is locked out of the network. The default value is unlimited access. In addition, setting this value applies only to user sessions in the mobility domain and not a specific WX. Additional commands include the following:

    WX# set usergroup group attr simultaneous-logins value

    WX# set service-profile profile-name attr simultaneous-logins value

    To clear the configuration, enter:

    WX# clear user username attr simultaneous-logins

    Dynamic RADIUS Extensions

    This feature allows administrators supporting a RADIUS server to disconnect a user and change the authorization attributes of an existing user session. New terminology is introduced in support of RFC 3576 (Dynamic Authorization Server MIB):

    Dynamic Authorization Server (DAS) – The component that resides on the NAS and processes the Disconnect and Change-of-Authorization requests sent by the Dynamic Authorization Client (DAC).

    Dynamic Authorization Client (DAC) – The component sending the Disconnect and Change of Attribute requests to the DAS. Though the DAC often resides on the RADIUS server, it can be located on a separate host, such as a rating engine.

    Dynamic Authorization Server Port – The UDP port on which the DAS listens for Disconnect and Change of Attribute requests sent by the DAC.

    Configuration

    To configure a RADIUS DAC server on a WX, use the following commands:

    WX# set radius dac dac-name ip-address key string

    Additional attributes include the following:

    [disconnect [enable | disable] | change-of-author [enable | disable] | replay-protection [enable | disable] | replay-window seconds]

    To configure the dynamic authorization server port, use the following command:

    WX# set radius das-port portnum

    To clear the das-port, use the following command:

    WX# clear radius das-port

    To configure SSIDs for RADIUS DAC, use the following commands:

    WX# set authorization dynamic {ssid [wireless_8021X | 8021x | any | name] | wired name}

    You can configure up to four SSIDs and four wired rule names for RADIUS DAC.
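    The checks a DAS applies to an incoming Disconnect or CoA request, as an added example that is not MSS code: it recomputes the RFC 3576 Request Authenticator from the shared key and compares the Event-Timestamp against a replay window. The shared key, timestamp, 300-second window, and function names are constructed for the example, and tying the replay-window setting to Event-Timestamp follows RFC 3576 rather than anything this guide states.

```python
import hashlib
import hmac
import struct

# RFC 3576 packet codes and the RADIUS attribute types used below.
DISCONNECT_REQUEST, COA_REQUEST = 40, 43
USER_NAME, EVENT_TIMESTAMP = 1, 55


def request_authenticator(code, ident, attrs, secret):
    """MD5 over Code, Identifier, Length, 16 zero octets, attributes, secret."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()


def attribute(attr_type, value):
    """Encode one Type-Length-Value attribute."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_request(code, ident, attrs, secret):
    """Assemble a request the way a DAC would; used here to make test input."""
    auth = request_authenticator(code, ident, attrs, secret)
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + auth + attrs


def parse_attributes(data):
    """Return [(type, value), ...]; raise ValueError on a malformed length."""
    out, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute")
        attr_type, attr_len = data[pos], data[pos + 1]
        if attr_len < 2 or pos + attr_len > len(data):
            raise ValueError("bad attribute length")
        out.append((attr_type, data[pos + 2:pos + attr_len]))
        pos += attr_len
    return out


def validate_request(packet, secret, now, replay_window):
    """Return (accepted, reason, attributes) for one datagram seen by the DAS."""
    if len(packet) < 20:
        return False, "short packet", []
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code not in (DISCONNECT_REQUEST, COA_REQUEST):
        return False, "unexpected code", []
    if length < 20 or length > len(packet):
        return False, "bad length", []
    packet = packet[:length]  # octets past Length are padding
    attrs = packet[20:]
    expected = request_authenticator(code, ident, attrs, secret)
    # Constant-time comparison of the received and recomputed authenticator.
    if not hmac.compare_digest(expected, packet[4:20]):
        return False, "bad authenticator", []
    try:
        parsed = parse_attributes(attrs)
    except ValueError as exc:
        return False, str(exc), []
    stamps = [v for t, v in parsed if t == EVENT_TIMESTAMP]
    if len(stamps) != 1 or len(stamps[0]) != 4:
        return False, "missing Event-Timestamp", []
    sent = struct.unpack("!I", stamps[0])[0]
    if abs(now - sent) > replay_window:
        return False, "outside replay window", []
    return True, "accepted", parsed


# Constructed sample values, not taken from the guide.
SAMPLE_SECRET = b"example-shared-key"
SAMPLE_SENT = 1215000000  # seconds since the epoch


def sample_disconnect(sent=SAMPLE_SENT, secret=SAMPLE_SECRET):
    """A constructed Disconnect-Request naming the session user johndoe."""
    attrs = attribute(USER_NAME, b"johndoe")
    attrs += attribute(EVENT_TIMESTAMP, struct.pack("!I", sent))
    return build_request(DISCONNECT_REQUEST, 7, attrs, secret)


if __name__ == "__main__":
    pkt = sample_disconnect()
    print(validate_request(pkt, SAMPLE_SECRET, SAMPLE_SENT + 5, 300)[:2])
    print(validate_request(pkt, SAMPLE_SECRET, SAMPLE_SENT + 900, 300)[:2])
    print(validate_request(pkt, b"wrong-key", SAMPLE_SENT + 5, 300)[:2])
```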

    termination-action Attribute for Dynamic RADIUS

    The termination-action RADIUS attribute is now supported in MSS 7.0. This attribute supports reauthentication of all access types: dot1x, web-portal, MAC, and last-resort. When the value is set to 0, the user session is terminated after the session expires. If the value is set to 1, the user session is reauthenticated by sending a RADIUS request message after the session expires. The command syntax is shown below:

    WX# set usergroup groupname attr termination-action [0 | 1]
    WX# set user username attr termination-action [0 | 1]

    MAC User Range Authentication

    3WXM and MSS allow authentication of users based on the Media Access Control (MAC) address of a device. This enables a set of MAC-authenticated devices like VoIP phones to authenticate through a RADIUS server and through the WX local database, without additional configuration.

    Version 7.0 modifies the User MAC Address field to allow input such as 00:11:00:* instead of just a single MAC address in previous versions. Only one * (asterisk) is allowed in the address format and it must be the last character.

    During authentication of the MAC User client, the most specific entry that matches the MAC-user glob is selected. Therefore, an entry for 00:11:30:21:ab:cd overrides an entry for 00:11:30:21:*, and an entry for 00:11:30:21:* overrides an entry for 00:11:30:*.

    Configuration

    To configure a MAC User Range with MSS, use these commands:

    WX# set mac-user 00:11:*
    WX# set mac-user 00:11:* attr attribute-name value
    WX# set mac-user 00:11:* [group group_name]

    To configure this feature for authentication on a RADIUS server, use the following command:

    WX# set authentication mac-prefix {ssid name | wired} mac-glob radius-server-group

    The parameter mac-glob represents the range of MAC addresses for this rule and determines the prefix used for authentication. During authentication, the MAC prefix is extracted from the MAC-glob and used as the user-name in the Access-Request portion of the handshake.
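    The glob rules and the most-specific-entry selection described above, as an added example that is not MSS code: it validates entries, picks the winning entry for a client MAC, and counts how many addresses each entry admits, which is useful when reviewing how broad a configured range is. The VLAN names and function names are constructed, and comparing a glob as a string prefix of the colon-separated address is an assumption of this example.

```python
import re

HEX = "0123456789abcdef"


def normalize_mac(mac):
    """Return a client MAC as lowercase colon-separated octets."""
    digits = re.sub(r"[:.\-]", "", mac.strip().lower())
    if len(digits) != 12 or any(c not in HEX for c in digits):
        raise ValueError("not a MAC address: %r" % mac)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_glob(glob):
    """Validate an entry and return (literal_prefix, is_wildcard).

    Rules from the guide: at most one '*', and only as the last character.
    """
    g = glob.strip().lower()
    if g.count("*") > 1 or ("*" in g and not g.endswith("*")):
        raise ValueError("one '*' at most, and only last: %r" % glob)
    if not g.endswith("*"):
        return normalize_mac(g), False
    literal = g[:-1]
    if any(c not in HEX + ":" for c in literal):
        raise ValueError("unexpected character in %r" % glob)
    if sum(c in HEX for c in literal) > 12:
        raise ValueError("prefix longer than a MAC address: %r" % glob)
    return literal, True


def addresses_covered(glob):
    """Number of distinct MAC addresses an entry can match."""
    literal, wildcard = parse_glob(glob)
    fixed = sum(c in HEX for c in literal)
    return 16 ** (12 - fixed) if wildcard else 1


def select_entry(client_mac, entries):
    """Return the most specific entry matching client_mac, or None."""
    mac = normalize_mac(client_mac)
    best_glob, best_rank = None, None
    for glob in entries:
        literal, wildcard = parse_glob(glob)
        matched = mac.startswith(literal) if wildcard else mac == literal
        rank = (not wildcard, len(literal))  # an exact entry beats any glob
        if matched and (best_rank is None or rank > best_rank):
            best_glob, best_rank = glob, rank
    return best_glob


# Entries from the guide's example; the VLAN names are constructed.
SAMPLE_ENTRIES = {
    "00:11:30:*": "vlan-general",
    "00:11:30:21:*": "vlan-voice",
    "00:11:30:21:ab:cd": "vlan-lab",
}

if __name__ == "__main__":
    for mac in ("00:11:30:21:AB:CD", "00-11-30-21-00-01", "001130990001"):
        print(mac, "->", select_entry(mac, SAMPLE_ENTRIES))
    for glob in SAMPLE_ENTRIES:
        print(glob, "admits", addresses_covered(glob), "addresses")
```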

    MAC Authentication Request Format

    MAC Authentication Request is an enhancement to the current username and password format available in MSS for authentication through a RADIUS server. Changes to this feature allow for better interoperability with third-party vendors who may use different formats for MAC address authentication.

    Configuration

    A new parameter is available to configure a MAC address format to be sent as a username to a RADIUS server for MAC authentication. To configure the MAC address format with MSS, use the following command:

    WX# set radius server name mac-addr-format {hyphens | colons | one-hyphen | raw}

    For example:

    WX# set radius server sp1 mac-addr-format ?

    hyphens      12-34-56-78-9a-bc
    colons       12:34:56:78:9a:bc
    one-hyphen   123456-789abc
    raw          123456789abc

    You can also configure all RADIUS servers to use a specific MAC address format with the following command:

    WX# set radius mac-addr-format {hyphens | colons | one-hyphen | raw}

    User Attribute Enhancements

    The RADIUS standard (RFC 2865) allows the attribute user-name to be returned as part of the access-accept handshake. The user-name string is used as the user-name for the session. MSS supports this functionality on the RADIUS server but not the WX local database. With the release of MSS and 3WXM Version 7.0, this attribute is now supported as part of the login session.

    This attribute is particularly useful when the user-name is a MAC address for a MAC-authenticated session. When a different user name is configured for each session, then interpretation of the session information and the accounting logs is easier and simpler.

    Configuration

    A new command allows you to configure a user name as an attribute:

    set user name attr user-name newname
    WX# set mac-user 00:01:02:03:04:05 attr user-name johndoe

    The new attribute has the same constraints that currently exist for the user name in the local database. The user-name attribute can be a maximum of 80 characters, including numbers and special characters. The user-name attribute can also be configured as part of a usergroup or mac-usergroup:

    WX# set usergroup name attr user-name name
    WX# set mac-usergroup name attr user-name name

    The corresponding clear commands are also available:

    WX# clear user name attr user-name
    WX# clear user-group name attr user-name
    WX# clear mac-usergroup name attr user-name

    If configured, usernames are now part of display output such as display sessions:

    WX# display sessions

    User Name             Sess ID  IP or MAC Address  VLAN Name  Port/Radio
    --------------------  -------  -----------------  ---------  ----------
    engineering-05:0c:78  28*      10.7.255.2         yellow     5/1
    engineering-79:86:73  29*      10.7.254.3         red        2/1
    engineering-1a:68:78  30*      10.7.254.8         red        7/1
    engineering-45:12:34  35*      10.9.254.7         blue       2/1

    Since the session user name is replaced by the user-name attribute, the display sessions output displays this attribute as the user name for the session. When the attribute is obtained from a user group, the user name of all users in the group appears the same and you cannot differentiate between them. However, the MAC address is added to the user group name in the output.

    Split Authentication and Authorization

    With the implementation of this feature, a RADIUS server authenticates a user but authorization attributes are taken from the WX local user database. This is accomplished by including a Vendor Specific Attribute (VSA) in the RADIUS Accept response. When the WX receives the RADIUS Accept response, the WX uses the group name and attempts to match it to authorization attributes of a corresponding user group in the local user database.

    For MSS Version 7.0, additional attributes must be configured on the RADIUS server. For the user-group name, specify a value consisting of a string 1-32 characters long. Additional values consist of Type - 26, Vendor ID - 43, Vendor Type - 9 (3Com VSA).

    Attributes that appear in the RADIUS Access Accept response are added to the session attributes. If the Access Accept has a 3Com group-name VSA, the attributes from the corresponding user group in the local database are applied.

    Enhancements to Location Policy Configuration

    MSS Version 7.0 adds support for controlling wireless access during certain times of day, for example, to prevent university students from Internet surfing during a professor’s lecture. It also adds support for local customization of the redirection URL.

    Configuration

    To add location policy attributes using MSS, use the following commands:

    WX# set location policy {deny | permit} if [time-of-day operator time-of-day]

    RADIUS Ping Utility

    This feature provides a RADIUS ping utility for troubleshooting if there are problems communicating with a RADIUS server. The radping command allows the WX to send an authentication request to a RADIUS server to determine if the server is active or offline. You must authenticate on the RADIUS server using MSCHAPv2 authentication.

    Configuration

    This command sends an authentication request with the specified username and password to the RADIUS server or RADIUS server group:

    WX# radping {server servername | group servergroup} request authentication user username password password auth-type {plain | mschapv2}

    This command sends an accounting request from the specified user to the specified server or server group:

    WX# radping {server servername | group servergroup} request {acct-start | acct-stop | acct-update} user username

    WX# radping {server servername | group servergroup} request {acct-on | acct-off}

    Unique AP Number Support

    As of today, APs can be numbered from 1 to the maximum number of APs configured on a WX. This numbering scheme may cause confusion when multiple WX appliances are configured on the network and the same AP can be identified by different numbers on different WXs. MSS 7.0 now allows APs to be numbered from 1 to 9999 on a network. However, there is no change to the maximum number of APs that can be configured on a WX.

    Configuration

    There are no changes to the CLI, except to allow a range of 1 to 9999 for apnum.

    WX# set ap apnum

    Bandwidth Management

    Bandwidth management allows you to manage network traffic on your network by configuring certain traffic for higher priority over other traffic, for example, VoIP traffic over normal network traffic. You can configure this feature when you implement QoS profiles. You can configure bandwidth management on a per-SSID, per-user, or queuing weights basis.

    You can control access to priority-based queues on a per-user basis, and also permit or deny access to certain queues configured for VoIP traffic. Managing radio time by “medium time” rather than packet count allows more efficient clients (high speed) to obtain higher data rates than less efficient clients. You can guarantee a minimum service level on a per-SSID basis and service providers can control access to the network uplink.

    Configuration

    The QoS profile contains a set of parameters that are applied to clients to assure a specific service level on the network. A QoS profile is an AAA attribute assigned to a client when the client associates on the network. Prior to this release, some QoS parameters were configured as part of the service profile attributes.

    Static CoS assigns a value to all upstream and downstream packets. To configure static CoS for a QoS profile, use the following command:

    WX# set qos-profile profile-name cos number

    number is configured as an integer from 0 (highest) to 7 (lowest) priority. When static CoS is enabled, an ACL can override an upstream packet, but downstream packets are determined by the static CoS value.

    The use-client-dscp attribute defines upstream packet classification. When disabled, non-WMM packets are marked best-effort. When enabled, upstream packets are marked based on the client DSCP value. To configure this attribute, use the following command:

    WX# set qos-profile profile-name use-client-dscp [enable | disable]

    You can configure maximum bandwidth (full duplex rate) for aggregates of access categories (AC) for a wireless client. Downstream packets are shaped and upstream packets are policed. The AP has one queue per AC and each queue is a finite size (


    To configure SSID medium time weights, use the following command:

     WX# set radio-profile profile-name weighted-fair-queuing service-profile-weight

    You can configure SSID bandwidth limits to restrict traffic through a service profile. The configured limit is full duplex in increments of Kbps and is only enforced on transmitted packets. SSID weights do not restrict bandwidth unless the radio is congested. Therefore, you may choose SSID bandwidth limits over SSID weights because bandwidth limits place a measurable cap on bandwidth through the AP uplink. To configure bandwidth limits, use the following command:

     WX# set service-profile profile-name max-bw [max-bw-kb]

    max-bw-kb can be a value from 1 to 100000 Kbps with 0 as unlimited bandwidth.

    Access categories (AC) can be configured to define access and classify traffic behavior. The default behavior allows a packet flow access to the AC matching the CoS. Downstream packets are classified on ingress to the AP. In some instances, access to a voice AC must be restricted. With legacy clients such as SVP, access to a voice AC can be blocked by configuring an AC for a QoS profile.

    To configure an AC for a QoS profile, use the following command:

     WX# set qos-profile profile-name access-category [background | best-effort | video | voice] [permit | demote]

    Selecting demote has no effect on background ACs, and can override a static CoS configuration.

    For example, using the following commands...

    set qos-profile qp_voice cos 7
    set qos-profile qp_data cos 0
    set qos-profile qp_test max-bw 100

    creates the following system behavior:

    All users with the profile qp_voice are given voice priority on the network. All packets are forwarded through the voice AC and marked with CoS=7.

    All users with the profile qp_data are given best effort priority. Packets are dropped if the bandwidth exceeds 1 Mbps. All packets are forwarded through the best-effort AC and marked with CoS=0.

    All users with the profile qp_test use the AC based on packet CoS markings and ACLs. Bandwidth for all other ACs is not limited.

    Total bandwidth for users with qp_test is limited to 100 Kbps.

    To clear QoS profiles and configurations, use the following commands:

    clear qos-profile profile-name cos
    clear qos-profile profile-name use-client-dscp
    clear qos-profile profile-name max-bw
    clear qos-profile profile-name

    Mesh Services Enhancements

    Multi-hop is now available when configuring Mesh Services. The system can support up to 16 Mesh Portals with each Mesh Portal supporting a six-Mesh AP fan-out with a depth of four Mesh APs. Also, a single Mesh AP can perform two roles: Mesh Portal and Mesh Link.

    Mesh Services reliability has been improved with the following enhancements:

    Improved transmission of station session record.

    Ability to manage link loss between Mesh Portals and Mesh APs.

    Improved management of duplicate messages for SSR updates from multiple Mesh APs.

    Mesh Portal selection has been improved by scanning for Mesh Link SSIDs and sorting them by RSSI values. The Mesh AP establishes a link using the RSSI values in descending order. If all attempts fail, the Mesh AP scans from the beginning of the table. After 60 seconds, if no link is established, the Mesh AP reboots.

    If the Mesh Link is using a DFS channel, then the Mesh Link has a timeout of 140 seconds to allow for DFS channel assessment.

    RF Scanning Enhancements

    You can now use attributes to independently configure and control scanning behaviors on radios. For example, a disabled radio does not transmit or receive, and a radio that is scanning, but not providing radio service to clients, is in sentry mode.


    You can also assign a weight to the scanning time on each radio. By assigning a weight to the scanning time, a higher proportion of time is spent on “operational” channels. This enhancement increases the probability that an event of interest is detected within a short time.

    Configuration

    New CLI commands are available to configure the radio in disabled or sentry mode:

     WX# set ap apnum radio [1 | 2] mode [enable | sentry | disable]

     WX# set radio-profile profile-name mode [enable | sentry | disable]

    The attribute sentry allows longer dwell times on scanning channels than the enable mode. After configuring a radio for sentry mode, the countermeasures feature of MSS looks for any APs in sentry mode before those APs configured in other modes. Also, you cannot configure autotuning for radios configured in sentry mode.

    The radio profile must be explicitly configured, since it is disabled by default. To configure RF scanning on radios with MSS 7.0, use the following command:

     WX# set radio-profile profile-name rf-scanning mode [passive | active]

    If you select passive mode, the radio scans once per predefined time, and audits packets on the wireless network. The default time is one second. If you select active mode, the radio actively sends probes to other channels and then audits the packets on the wireless network.

    To configure the channel scope for RF scanning, use the following command:

     WX# set radio-profile profile-name rf-scanning channel-scope [operating | regulatory | all]

    When you select operating, only the current channel is scanned and audited. If you select regulatory, only regulatory channels are scanned and audited. If the radio is configured for 802.11b/g, the most commonly used channels, 1, 6, or 11, are scanned and audited more frequently. If you select all, all channels are scanned and audited.


    AP LED behavior has changed to support this feature. If the AP is in sentry mode, the LEDs alternate between green and yellow/amber. If the radio is disabled, the LED is a solid yellow/amber color.

    RF Detection Enhancements

    RF Classification Rules

    Modifications to the RF Detect List are required due to the complex nature of rogue detection and countermeasures. The naming of each list has changed as follows:

    Table 4 RF Detect List Names

    Old List Name    New List Name (or no longer supported)
    Ignore List      Neighbor List
    Attack List      Rogue List
    Black List       Black List
    SSID List        SSID List
    Vendor List      (List no longer supported in MSS 7.0)

    The ability to classify all types of RF devices is now available in 3WXM and MSS 7.0. This functionality addresses aggressive APs on the network that do not appear on the Vendor or SSID list. The enhancements allow full control over the classification of APs as rogue or suspect devices. The types of devices are now:

    AP

    Client

    Ad hoc

    Tag

    Unknown

    A new category of known devices is now available to distinguish between devices that are part of the mobility domain (members) and those allowed on the system (neighbors). The new list of classifications is as follows:

    Table 5 Device Classifications

    Old Classification    New Classification    Description of New Classification
    None                  None                  Unclassified device on the network
    Known                 Member                Device is part of a mobility domain
    Known                 Neighbor              Device is part of a neighboring network and is nonthreatening
    Interfering           Suspect               Device is detected on the network but is not part of a mobility domain, nor does it appear in a configured Vendor or SSID list
    Rogue                 Rogue                 Device is identified as a threat on the network, either through a configured attack list or clients appearing in the forwarding database (FDB) of a WX.

    Devices that were previously classified as interfering are now identified as suspect, because a suspect device may be potentially more threatening than an interfering device (but not as threatening as a rogue device).

    Countermeasures Scaling and Resiliency in a Mobility Domain

    The countermeasures feature has been updated for MSS 7.0. The ability to launch countermeasures is now assigned to each WX and RF data is no longer shared across the mobility domain. When an AP assigned to a WX sees a rogue on the network, the WX begins countermeasures against the rogue without relying on the WX seed configuration. This introduces localized FDB lookups and minimizes the amount of information shared across the mobility domain.

    Configuration

    The list of deprecated, changed, and new rfdetect commands for configuring RF classifications in MSS 7.0 is described in the New Features Summary section of the Wireless LAN Switch and Controller Command Reference Guide.

    MSS display Command Enhancements

    Various enhancements to the MSS 7.0 CLI’s display commands allow you to quickly and easily identify elements of the output generated by MSS. Refer to the New Features Summary section of the Wireless LAN Switch and Controller Command Reference Guide for more information.


    1 USING THE COMMAND-LINE INTERFACE

    Mobility System Software (MSS) operates a 3Com Mobility System wireless LAN (WLAN) consisting of 3Com Wireless Switch Manager software, Wireless LAN Switches (WX1200 or WXR100), Wireless LAN Controllers (WX4400 or WX2200), and Managed Access Points (MAPs). MSS has a command-line interface (CLI) on a WX switch that you can use to configure and manage the switch and its attached MAPs.

    Overview

    You configure the WX switch and MAPs primarily with set, clear, and display commands. Use set commands to change parameters. Use clear commands to reset parameters to their defaults. In many cases, you can overwrite a parameter with another set command. Use display commands to display the current configuration and monitor the status of network operations.

    The WX switch supports two connection modes:

    Administrative access mode, which enables the network administrator to connect to the WX and configure the network

    Network access mode, which enables network users to connect through the WX to access the network

    CLI Conventions

    Be aware of the following MSS CLI conventions for command entry:

    “Command Prompts”

    “Syntax Notation”

    “Text Entry Conventions and Allowed Characters”

    “User Globs, MAC Address Globs, and VLAN Globs”

    “Port Lists”

    “Virtual LAN Identification”


    Command Prompts

    By default, the MSS CLI provides the following prompt for restricted users. The mmmm portion shows the WX model number (for example, 1200) and the nnnnnn portion shows the last 6 digits of the WX media access control (MAC) address.

    WXmmmm >

    After you become enabled as an administrative user by typing enable and supplying a suitable password, MSS displays the following prompt:

    WXmmmm #

    For information about changing the CLI prompt on a WX, see the set prompt command description in the Wireless LAN Switch and Controller Command Reference.

    Syntax Notation

    The MSS CLI uses standard syntax notation:

    Bold monospace font identifies the command and keywords you must type. For example:

    set enablepass

    Italic monospace font indicates a placeholder for a value. For example, you replace vlan-id in the following command with a virtual LAN (VLAN) ID:

    clear interface vlan-id ip

    Curly brackets ({ }) indicate a mandatory parameter, and square brackets ([ ]) indicate an optional parameter. For example, you must enter dynamic or port and a port list in the following command, but a VLAN ID is optional:

    clear fdb {dynamic | port port-list} [vlan vlan-id]

    A vertical bar (|) separates mutually exclusive options within a list of possibilities. For example, you enter either enable or disable, not both, in the following command:

    set port {enable | disable} port-list

    Text Entry Conventions and Allowed Characters

    Unless otherwise indicated, the MSS CLI accepts standard ASCII alphanumeric characters, except for tabs and spaces, and is case-insensitive.


    The CLI has specific notation requirements for MAC addresses, IP addresses, and masks, and allows you to group usernames, MAC addresses, virtual LAN (VLAN) names, and ports in a single command.

    3Com recommends that you do not use the same name with different capitalizations for VLANs or access control lists (ACLs). For example, do not configure two separate VLANs with the names red and RED.

    The CLI does not support the use of special characters including the following in any named elements such as SSIDs and VLANs: ampersand (&), angle brackets (< >), number sign (#), question mark (?), or quotation marks (“”).

    In addition, the CLI does not support the use of international characters such as the accented É in DÉCOR.

    MAC Address Notation

    MSS displays MAC addresses in hexadecimal numbers with a colon (:) delimiter between bytes—for example, 00:01:02:1a:00:01. You can enter MAC addresses with either hyphen (-) or colon (:) delimiters, but colons are preferred.

    For shortcuts:

    You can exclude leading zeros when typing a MAC address. MSS displays of MAC addresses include all leading zeros.

    In some specified commands, you can use the single-asterisk (*) wildcard character to represent an entire MAC address or from 1 byte to 5 bytes of the address. (For more information, see “MAC Address Globs” on page 55.)

    IP Address and Mask Notation

    MSS displays IP addresses in dotted decimal notation—for example, 192.168.1.111. MSS makes use of both subnet masks and wildcard masks.

    Subnet Masks

    Unless otherwise noted, use classless interdomain routing (CIDR) format to express subnet masks—for example, 192.168.1.112/24. You indicate the subnet mask with a forward slash (/) and specify the number of bits in the mask.


    Wildcard Masks

    Security access control lists (ACLs) use source and destination IP addresses and wildcard masks to determine whether the WX filters or forwards IP packets. Matching packets are either permitted or denied network access. The ACL checks the bits in IP addresses that correspond to any 0s (zeros) in the mask, but does not check the bits that correspond to 1s (ones) in the mask. You specify the wildcard mask in dotted decimal notation.

    For example, the address 10.0.0.0 and mask 0.255.255.255 match all IP addresses that begin with 10 in the first octet.

    The ACL mask must be a contiguous set of zeroes starting from the first bit. For example, 0.255.255.255, 0.0.255.255, and 0.0.0.255 are valid ACL masks. However, 0.255.0.255 is not a valid ACL mask.
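
    The mask rule above as an added Python example (not part of the 3Com guide): it validates a wildcard mask, flags a subnet mask entered in its place, and applies the zero-bit comparison. The function names and sample entries are constructed for illustration; treating 0.0.0.0 and 255.255.255.255 as valid masks is an assumption.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF


def _to_int(dotted):
    """Dotted-decimal IPv4 string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def is_valid_acl_mask(mask):
    """True if the mask is a run of 0 bits from the first bit, then only 1 bits.

    Such a value has the form 2**k - 1, so adding 1 clears every set bit.
    Assumption: the empty run (255.255.255.255) and 0.0.0.0 are accepted.
    """
    m = _to_int(mask)
    return m & (m + 1) == 0


def looks_like_subnet_mask(mask):
    """True for a netmask (for example 255.255.255.0) typed where a wildcard
    mask belongs: invalid as an ACL mask, but its bitwise inverse is valid."""
    inverse = _to_int(mask) ^ ALL_ONES
    return not is_valid_acl_mask(mask) and inverse & (inverse + 1) == 0


def acl_matches(address, base, mask):
    """Compare only the bits that are 0 in the wildcard mask."""
    if not is_valid_acl_mask(mask):
        raise ValueError(f"not a contiguous wildcard mask: {mask}")
    compared = _to_int(mask) ^ ALL_ONES
    return (_to_int(address) ^ _to_int(base)) & compared == 0


def wildcard_to_cidr(base, mask):
    """Express an address/wildcard-mask pair in CIDR form."""
    if not is_valid_acl_mask(mask):
        raise ValueError(f"not a contiguous wildcard mask: {mask}")
    m = _to_int(mask)
    prefix_len = 32 - m.bit_length()
    network = _to_int(base) & (m ^ ALL_ONES)
    return str(ipaddress.IPv4Network((network, prefix_len)))


def audit(entries):
    """Classify (base, mask) pairs the way a configuration review would."""
    report = []
    for base, mask in entries:
        if is_valid_acl_mask(mask):
            report.append((base, mask, "ok", wildcard_to_cidr(base, mask)))
        elif looks_like_subnet_mask(mask):
            report.append((base, mask, "subnet mask used as wildcard", None))
        else:
            report.append((base, mask, "non-contiguous mask", None))
    return report


# Constructed sample entries; the first and third masks are the guide's examples.
SAMPLE = [("10.0.0.0", "0.255.255.255"),
          ("192.168.1.0", "255.255.255.0"),
          ("10.0.0.0", "0.255.0.255")]

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(row)
```
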

    User Globs, MAC Address Globs, and VLAN Globs

    Name “globbing” is a way of using a wildcard pattern to expand a single element into a list of elements that match the pattern. MSS accepts user globs, MAC address globs, and VLAN globs. The order in which globs appear in the configuration is important, because once a glob is matched, processing stops on the list of globs.

    User Globs

    A user glob is a shorthand method for matching an authentication, authorization, and accounting (AAA) command to either a single user or a set of users.

    A user glob can be up to 80 characters long and cannot contain spaces or tabs. The double-asterisk (**) wildcard characters with no delimiter characters match all usernames. The single-asterisk (*) wildcard character matches any number of characters up to, but not including, a delimiter character in the glob. Valid user glob delimiter characters are the at (@) sign and the period (.).

    For example, in Table 6, the following globs identify the following users:

    Table 6 User Globs

    User Glob                    User(s) Designated
    jose@example.com             User jose at example.com
    *@example.com                All users at example.com whose usernames do not contain periods—for example, [email protected] and [email protected], but not nin.wong@example.com, because nin.wong contains a period
    *@marketing.example.com      All marketing users at example.com whose usernames do not contain periods
    *.*@marketing.example.com    All marketing users at example.com whose usernames contain a period
    *                            All users with usernames that have no delimiters
    EXAMPLE\*                    All users in the Windows Domain EXAMPLE with usernames that have no delimiters
    EXAMPLE\*.*                  All users in the Windows Domain EXAMPLE whose usernames contain a period
    **                           All users

    MAC Address Globs

    A media access control (MAC) address glob is a similar method for matching some authentication, authorization, and accounting (AAA) and forwarding database (FDB) commands to one or more 6-byte MAC addresses. In a MAC address glob, you can use a single asterisk (*) as a wildcard to match all MAC addresses, or as follows to match from 1 byte to 5 bytes of the MAC address:

    00:*
    00:01:*
    00:01:02:*
    00:01:02:03:*
    00:01:02:03:04:*

    For example, the MAC address glob 02:06:8c* represents all MAC addresses starting with 02:06:8c. Specifying only the first 3 bytes of a MAC address allows you to apply commands to MAC addresses based on an organizationally unique identifier (OUI).

    VLAN Globs

    A VLAN glob is a method for matching one of a set of local rules on a WX switch, known as the location policy, to one or more users. MSS compares the VLAN glob, which can optionally contain wildcard characters, against the VLAN-Name attribute returned by AAA, to determine whether to apply the rule.

    To match all VLANs, use the double-asterisk (**) wildcard characters with no delimiters. To match any number of characters up to, but not including, a delimiter character in the glob, use the single-asterisk (*) wildcard. Valid VLAN glob delimiter characters are the at (@) sign and the period (.).

    For example, the VLAN glob bldg4.* matches bldg4.security and bldg4.hr and all other VLAN names with bldg4. at the beginning.

    Matching Order for Globs

    In general, the order in which you enter AAA commands determines the order in which MSS matches the user, MAC address, or VLAN to a glob. To verify the order, view the output of the display aaa or display config command. MSS checks globs that appear higher in the list before items lower in the list and uses the first successful match.
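
    An added Python example, not taken from the 3Com guide or from MSS, that implements the user, VLAN and MAC glob rules described in this section and shows how first-match ordering can leave a specific glob unreachable. Function names, rule labels and the sample name pat are constructed; treating * as able to match zero characters is an assumption.

```python
import re

DELIMITERS = "@."  # user and VLAN glob delimiters named in the guide


def glob_match(glob, name):
    """Match a user or VLAN name against a glob.

    '**' on its own matches every name; '*' matches any run of characters
    that contains no delimiter (zero-length runs are an assumption here).
    """
    if glob == "**":
        return True
    no_delim = "[^" + re.escape(DELIMITERS) + "]*"
    pattern = "".join(no_delim if ch == "*" else re.escape(ch) for ch in glob)
    return re.fullmatch(pattern, name) is not None


def _octets(text):
    """Parse colon- or hyphen-delimited hex bytes; leading zeros may be omitted."""
    return [int(part, 16) for part in re.split(r"[:-]", text)]


def mac_glob_match(glob, mac):
    """'*' matches every MAC; a trailing '*' matches on a 1- to 5-byte prefix."""
    address = _octets(mac)
    if len(address) != 6:
        raise ValueError(f"not a 6-byte MAC address: {mac}")
    if glob == "*":
        return True
    if not glob.endswith("*"):
        return _octets(glob) == address        # no wildcard: exact match
    # The guide writes both 00:01:* and 02:06:8c*, so the last colon is optional.
    prefix = _octets(glob[:-1].rstrip(":"))
    if not 1 <= len(prefix) <= 5:
        raise ValueError(f"prefix must be 1 to 5 bytes: {glob}")
    return address[:len(prefix)] == prefix


def first_match(rules, name, matcher=glob_match):
    """Return the first (glob, label) whose glob matches; later rules are ignored."""
    for glob, label in rules:
        if matcher(glob, name):
            return glob, label
    return None


def shadowed_globs(rules, samples, matcher=glob_match):
    """Globs that match at least one sample but are never the first match."""
    winners = {first_match(rules, s, matcher) for s in samples}
    winning = {w[0] for w in winners if w}
    return [g for g, _ in rules
            if g not in winning and any(matcher(g, s) for s in samples)]


# Constructed rule lists and names; the labels are placeholders, not MSS syntax.
SAMPLES = ["jose@example.com", "nin.wong@example.com",
           "pat@marketing.example.com", "nin.wong@marketing.example.com"]
BROAD_FIRST = [("**", "rule-1"), ("*@marketing.example.com", "rule-2"),
               ("*.*@marketing.example.com", "rule-3")]
SPECIFIC_FIRST = BROAD_FIRST[1:] + BROAD_FIRST[:1]

if __name__ == "__main__":
    print(shadowed_globs(BROAD_FIRST, SAMPLES))     # both marketing globs
    print(shadowed_globs(SPECIFIC_FIRST, SAMPLES))  # nothing shadowed
```

    Running the same check over the globs listed by display aaa, with a handful of representative names, shows whether a broad glob entered early hides a narrower rule below it.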

    Port Lists

    The physical Ethernet ports on a WX can be set for connection to MAPs, authenticated wired users, or the network backbone. You can include a single port or multiple ports in one MSS CLI command by using the appropriate list format.

    The ports on a WX are numbered 1 through as high as 22, depending on the WX model. No port 0 exists on the WX. You can include a single port or multiple ports in a command that includes port port-list. Use one of the following formats for port-list:

    A single port number. For example:

    WX1200# set port enable 6

    A comma-separated list of port numbers, with no spaces. For example:

    WX1200# display port poe 1,2,4,6

    A hyphen-separated range of port numbers, with no spaces. For example:

    WX1200# reset port 1-8

    Any combination of single numbers, lists, and ranges. Hyphens take precedence over commas. For example:

    WX1200# display port status 1-3,5
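
    The port-list formats above as an added Python example (not code from the 3Com guide or MSS): it expands and validates a port-list and rewrites it in canonical form so that two differently written lists can be compared. Function names are constructed; the default upper bound of 22 and the rejection of reversed ranges are assumptions.

```python
import re

_PORT_LIST = re.compile(r"[0-9]+(-[0-9]+)?(,[0-9]+(-[0-9]+)?)*")


def parse_port_list(text, max_port=22):
    """Expand a port-list such as '1-3,5' into a sorted list of port numbers.

    max_port defaults to 22, the highest count the guide mentions; pass the
    port count of the actual WX model. Rejecting a reversed range such as
    '8-1' is an assumption, since the guide does not say how MSS treats it.
    """
    if not _PORT_LIST.fullmatch(text):
        raise ValueError(f"malformed port list (no spaces allowed): {text!r}")
    ports = set()
    for item in text.split(","):             # commas separate items ...
        low, _, high = item.partition("-")   # ... hyphens bind within an item
        low = int(low)
        high = int(high) if high else low
        if low < 1 or high > max_port or low > high:
            raise ValueError(f"port range {item!r} outside 1-{max_port}")
        ports.update(range(low, high + 1))
    return sorted(ports)


def format_port_list(ports):
    """Collapse port numbers into canonical port-list text, e.g. '1-3,5'."""
    items, run = [], []
    for port in sorted(set(ports)) + [None]:   # None flushes the final run
        if run and port is not None and port == run[-1] + 1:
            run.append(port)
            continue
        if run:
            items.append(str(run[0]) if len(run) == 1 else f"{run[0]}-{run[-1]}")
        run = [port]
    return ",".join(items)


def same_ports(a, b, max_port=22):
    """True when two differently written port lists name the same ports."""
    return parse_port_list(a, max_port) == parse_port_list(b, max_port)


if __name__ == "__main__":
    print(parse_port_list("1-3,5"))
    print(format_port_list([1, 2, 4, 6]))
```
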


    Virtual LAN Identification

    The names of virtual LANs (VLANs), which are used in Mobility Domain™ communications, are set by you and can be changed. In contrast, VLAN ID numbers, which the WX switch uses locally, are determined when the VLAN is first configured and cannot be changed. Unless otherwise indicated, you can refer to a VLAN by either its VLAN name or its VLAN number. CLI set and display commands use a VLAN’s name or number to uniquely identify the VLAN within the WX switch.

    Command-Line Editing

    MSS editing functions are similar to those of many other network operating systems.

    Keyboard Shortcuts

    Table 7 lists the keyboard shortcuts available for entering and editing CLI commands.

    Table 7 CLI Keyboard Shortcuts

    Keyboard Shortcut(s)           Function
    Ctrl+A                         Jumps to the first character of the command line.
    Ctrl+B or Left Arrow key       Moves the cursor back one character.
    Ctrl+C                         Escapes and terminates prompts and tasks.
    Ctrl+D                         Deletes the character at the cursor.
    Ctrl+E                         Jumps to the end of the current command line.
    Ctrl+F or Right Arrow key      Moves the cursor forward one character.
    Ctrl+K                         Deletes from the cursor to the end of the command line.
    Ctrl+L or Ctrl+R               Repeats the current command line on a new line.
    Ctrl+N or Down Arrow key       Enters the next command line in the history buffer.
    Ctrl+P or Up Arrow key         Enters the previous command line in the history buffer.
    Ctrl+U or Ctrl+X               Deletes characters from the cursor to the beginning of the command line.
    Ctrl+W                         Deletes the last word typed.
    Esc B                          Moves the cursor back one word.
    Esc D                          Deletes characters from the cursor forward to the end of the word.
    Delete key or Backspace key    Erases mistake made during command entry. Reenter the command after using this key.


    History Buffer

    The history buffer stores the last 63 commands you entered during a terminal session. You can use the Up Arrow and Down Arrow keys to select a command that you want to repeat from the history buffer.

    Tabs

    The MSS CLI uses the Tab key for command completion. You can type the first few characters of a command and press the Tab key to display the command(s) that begin with those characters. For example:

    WX1200# display i
    ifm          display interfaces maintained by the interface manager
    igmp         display igmp information
    interface    display interfaces
    ip           display ip information

    Single-Asterisk (*) Wildcard Character

    You can use the single-asterisk (*) wildcard character in globbing. (For details, see “User Globs, MAC Address Globs, and VLAN Globs” on page 54.)

    Double-Asterisk (**) Wildcard Characters

    The double-asterisk (**) wildcard character matches all usernames. For details, see “User Globs” on page 54.

    Using CLI Help

    The CLI provides online help. To see the full range of commands available at your access level, type the following command:

    WX1200# help
    Commands:
    -----------------------------------------------------------------------
    clear        Clear, use 'clear help' for more information
    commit       Commit the content of the ACL table
    copy         Copy from filename (or url) to filename (or url)
    crypto       Crypto, use 'crypto help' for more information
    delete       Delete url
    dir          display list of files on flash device
    disable      Disable privileged mode
    display      Display, use 'display help' for more information
    help         display this help screen
    history      display contents of histo