Trapeze Networks, Inc.
5753 W. Las Positas Blvd.
Pleasanton, CA 94588
Tel: +1 925-474-2200
Fax: +1 925-251-0642
Toll-Free: 877-FLY-TRPZ (877-359-8779)
Part Number: 730-9502-0314 Rev. A
For the most current version of all documentation, go to
www.trapezenetworks.com
Mobility System Software
7.3
Command Reference Guide
Trapeze Networks
Mobility System Software 7.3 Command Reference
© 2010 Trapeze Networks, Inc. All rights reserved.
Trademarks
Trapeze Networks, the Trapeze Networks logo, Smart Mobile, Mobility Exchange, MX, Mobility Point, MP,
Mobility System Software, MSS, RingMaster, Mobility Domain, SentryScan, ActiveScan, Bonded Auth,
FastRoaming, Granular Transmit Power Setting, GTPS, Layer 3 Path Preservation, Location Policy Rule,
Mobility Profile, Passport Free Roaming, Time-of-Day Access, TAPA, Trapeze Access Point Access Protocol,
Virtual Private Group, VPG, Virtual Service Set, Virtual Site Survey and WebAAA are trademarks of Trapeze
Networks, Inc. Trapeze Networks SafetyNet is a service mark of Trapeze Networks, Inc. AirDefense,
AirDefense Enterprise, and AirDefense Personal are registered trademarks of AirDefense, Inc. All other
products and services are trademarks, registered trademarks, service marks or registered service marks of
their respective owners.
Disclaimer
All statements, specifications, recommendations, and technical information are current or planned as of the
date of the publication of this document. They are reliable as of the time of this writing and are presented
without warranty of any kind, expressed or implied. In an effort to continuously improve the product and add
features, Trapeze Networks reserves the right to change any specifications contained in this document without
prior notice of any kind.
Comments and Feedback
Your feedback on Trapeze documentation is important to us. Send any comments and suggestions to
doc-bugs@trapezenetworks.com.
For the most current version of this document, see www.trapezenetworks.com.
Trapeze Networks, Inc.
5753 W. Las Positas Blvd.
Pleasanton, CA 94588
Tel: +1 925-474-2200
Fax: +1 925-251-0642
Toll-Free: 877-FLY-TRPZ (877-359-8779)
www.trapezenetworks.com
Customer Service
For general information about Trapeze Networks Mobility System™ products and services, visit
www.trapezenetworks.com. For warranty, license, and support information, visit the following
sites:
Warranty and software licenses. Current Trapeze Networks warranty and software
licenses are available at www.trapezenetworks.com/support/warranty/.
Support services. For information about Trapeze support services, visit
www.trapezenetworks.com/support/. Or call 1-866-877-9822 (in the US or Canada) or +1
925-474-2400 and select option 5.
Contacting the Technical Assistance Center
Contact the Trapeze Networks Technical Assistance Center (TAC) by telephone, e-mail, or fax. If
you have a service contract or are a Trapeze Authorized Partner, log in to
www.trapezenetworks.com/support/ for more help.
Within the US and Canada, call 1-866-TRPZTAC (1-866-877-9822).
Within Europe, call +31 35 64 78 193.
From locations outside the US and Canada, call +1 925-474-2400.
In non-emergencies, send email to support@trapezenetworks.com.
When your case is active, you can fax more information to +1 925-474-2423.
TAC Response Time
TAC responds to service requests as follows:

Contact method    Priority         Response time
Telephone         Emergency        One hour
                  Non-emergency    Next business day
Email             Non-emergency    Next business day

Note:
TRAPEZE NETWORKS SELLS AND SERVICES ITS PRODUCTS PRIMARILY THROUGH ITS AUTHORIZED RESELLERS AND DISTRIBUTORS. If you purchased your product from an authorized Trapeze reseller or distributor and do not have a service contract with Trapeze Networks, you must contact your local reseller or distributor for technical assistance.
Information to Have Available
To expedite your service request, have the following information available when you call or write
to TAC for technical assistance:
Your company name and address
Your name, telephone number, cell phone or pager number, and email address
Name, model, and serial number of the product(s) requiring service
Software version and release number
Output of the show tech-support command
Wireless client information
License levels for RingMaster™ and Mobility Exchange™ (MX™) products
Description of the problem and status of the troubleshooting effort
TRAPEZE NETWORKS, INC.
TERMS AND CONDITIONS OF SALE
LIMITED WARRANTY - HARDWARE AND SOFTWARE
1. Software.
Any software provided is licensed pursuant to the terms of Trapeze Networks' Software License
Agreement, an electronic copy of which is provided with the Software and a printed copy of which
is available upon request. The terms and conditions of the Software License Agreement are
incorporated herein in its entirety in this Terms and Conditions of Sale ("Terms and Conditions of
Sale") by this reference. The terms of the Software License Agreement control, except for the
limited warranty set forth below ("Limited Warranty").
2. Limited Hardware Warranty.
Trapeze Networks, Inc. ("Trapeze Networks" or "Trapeze") warrants to Customer, subject to the
limitation and disclaimer below, that all Trapeze hardware will be free from defects in material
and workmanship under normal use as follows: (a) if the hardware was purchased directly from
Trapeze Networks, for a period of one (1) year after original shipment by Trapeze Networks to
Customer or (b) if the hardware was purchased from a Trapeze Networks Authorized Reseller, for
a period of one (1) year from the date of delivery to Customer, but in no event more than fifteen
(15) months after the original shipment date by Trapeze ("Limited Hardware Warranty"). The
date of original shipment from Trapeze Networks will be determined by shipping evidence on file
at Trapeze Networks. This Limited Hardware Warranty extends only to the Customer who was
the original purchaser of the hardware and may not be transferred to any subsequent
repurchasing entity. During the Limited Hardware Warranty period upon proper notice to
Trapeze Networks by Customer, Trapeze Networks will, at its sole option, either:
a. Repair and return the defective hardware;
b. Replace the defective hardware with a new or refurbished component;
c. Replace the defective hardware with a different but similar component that contains
compatible features and functions; or
d. Refund the original purchase price upon presentation of proof of purchase to Trapeze
Networks.
3. Restrictions on the Limited Hardware Warranty.
This Limited Warranty does not apply if hardware (a) is altered from its original specifications, (b)
is installed, configured, implemented or operated in any way that is contrary to its documentation,
(c) has damage resulting from negligence, accident, or environmental stress, (d) was subject to
unauthorized repair or modification or (e) is provided to Customer for pre-production, evaluation
or charitable purposes.
4. Limited Software Warranty
Trapeze Networks warrants to Customer, subject to the limitation and disclaimer below, that the
software will substantially conform to its published specifications as follows: (a) if the software
was purchased directly from Trapeze Networks, for a period of ninety (90) days after original
shipment by Trapeze Networks to Customer or (b) if the software was purchased from a Trapeze
Networks Authorized Reseller, for a period of ninety (90) days from the date of delivery to
Customer, commencing not more than ninety (90) days after the original shipment date by Trapeze
("Limited Software Warranty"). The date of original shipment from Trapeze Networks will be
determined by shipping evidence on file at Trapeze Networks. This Limited Software Warranty
extends only to the Customer who was the original purchaser of the software and may not be transferred to
any subsequent repurchasing entity.
During the Limited Software Warranty period upon proper notice to Trapeze Networks by
Customer, Trapeze Networks will, at its option, either:
a. Use reasonable commercial efforts to attempt to correct or provide workarounds for errors;
b. Replace the software with functionally equivalent software; or
c. Refund to Customer the license fees paid by Customer for the software.
Trapeze Networks does not warrant or represent that the software is error free or that the
software will operate without problems or disruptions. Additionally, and due to the steady and
ever-improving development of various attack and intrusion technologies, Trapeze Networks does
not warrant or represent that any networks, systems or software provided by Trapeze Networks
will be free of all possible methods of access, attack or intrusion.
5. Restrictions on the Limited Software Warranty
This Limited Software Warranty does not apply if software (a) is altered in any way from its
specifications, (b) is installed, configured, implemented or operated in any way that is contrary to
its documentation, (c) has damage resulting from negligence, accident, or environmental stress, (d)
was subject to unauthorized repair or modification, or (e) is provided to Customer for
pre-production, evaluation or charitable purposes.
6. General Warranty Disclaimer
EXCEPT AS SPECIFIED IN THIS LIMITED WARRANTY, ALL EXPRESS OR IMPLIED
CONDITIONS, REPRESENTATIONS, AND WARRANTIES INCLUDING, WITHOUT
LIMITATION, ANY IMPLIED WARRANTY OR CONDITION OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR APPLICATION OR PURPOSE, NONINFRINGEMENT,
SATISFACTORY QUALITY OR ARISING FROM A COURSE OF DEALING, LAW, USAGE, OR
TRADE PRACTICE, ARE HEREBY EXCLUDED TO THE EXTENT ALLOWED BY
APPLICABLE LAW. TO THE EXTENT AN IMPLIED WARRANTY CANNOT BE EXCLUDED,
SUCH WARRANTY IS LIMITED IN DURATION TO THE AFOREMENTIONED WARRANTY
PERIOD. BECAUSE SOME STATES, COUNTRIES OR JURISDICTIONS DO NOT ALLOW
LIMITATIONS ON HOW LONG AN IMPLIED WARRANTY LASTS, THE ABOVE LIMITATION
MAY NOT APPLY. THIS LIMITED WARRANTY GIVES YOU SPECIFIC LEGAL RIGHTS, AND
YOU MAY ALSO HAVE OTHER RIGHTS, WHICH VARY FROM JURISDICTION TO
JURISDICTION. THE LIMITED WARRANTY ABOVE IS THE SOLE REMEDY FOR ANY
BREACH OF ANY WARRANTY WITH RESPECT TO THE HARDWARE AND SOFTWARE AND
IS IN LIEU OF ANY AND ALL OTHER REMEDIES.
7. Limitation of Liabilities
IN NO EVENT SHALL TRAPEZE NETWORKS, ITS SUPPLIERS, OR ITS AUTHORIZED
RESELLERS BE LIABLE TO CUSTOMER OR ANY THIRD PARTY FOR ANY LOST REVENUE,
PROFIT, OR DATA, OR FOR SPECIAL, INDIRECT, CONSEQUENTIAL, INCIDENTAL, OR
PUNITIVE DAMAGES REGARDLESS OF HOW THOSE DAMAGES WERE CAUSED. NOR
WILL TRAPEZE NETWORKS, ITS SUPPLIERS, OR ITS AUTHORIZED RESELLERS BE
LIABLE FOR ANY MONETARY OR PUNITIVE DAMAGES ARISING OUT OF THE USE OF,
OR INABILITY TO USE TRAPEZE NETWORKS HARDWARE OR SOFTWARE. TRAPEZE
NETWORKS' LIABILITY SHALL NOT EXCEED THE PRICE PAID BY THE CUSTOMER FOR
ANY HARDWARE OR SOFTWARE COVERED UNDER THE TERMS AND CONDITIONS OF
THIS WARRANTY. THIS LIMITATION OF LIABILITY AND RESTRICTION ON DAMAGES
APPLIES WHETHER IN CONTRACT, TORT, NEGLIGENCE, OR OTHERWISE, AND SHALL
APPLY EVEN IF THE LIMITED WARRANTY FAILS OF ITS ESSENTIAL PURPOSE.
WARRANTY LAWS VARY FROM JURISDICTION TO JURISDICTION, AND THE ABOVE
LIMITATIONS AND EXCLUSION OF CONSEQUENTIAL AND INCIDENTAL DAMAGES MAY
NOT APPLY TO YOU, DEPENDING UPON YOUR STATE, COUNTRY OR JURISDICTION.
8. Procedures for Return of Hardware or Software under the Limited Warranty
Where repair or replacement is required under the Limited Warranty, Customer will contact
Trapeze Networks and obtain a Return Materials Authorization number ("RMA Number") prior to
returning any hardware and/or software, and will include the Trapeze Networks RMA Number on
all packaging. Trapeze Networks will ship repaired or replacement components within a
commercially reasonable time after receipt of any hardware and/or software returned for the
Limited Warranty purposes to the address provided by Customer. Customer will pay freight and
handling charges for defective return to the address specified by Trapeze Networks and Trapeze
Networks will pay freight and handling charges for return of the repair or replacement materials
to Customer.
9. Miscellaneous
The Limited Warranty shall be governed by and construed in accordance with the laws of the
State of California without reference to that State's conflict of laws rules and as if the contract
was wholly formed within the State of California. Customer agrees that jurisdiction and venue
shall be in Santa Clara County, California. Under no circumstances shall the United Nations
Convention on the International Sale of Goods be considered for redress of grievances or
adjudication of any warranty disputes that include Trapeze Networks hardware or software. If
any provision of these Terms and Conditions of Sale is held invalid, then the remainder of these
Terms and Conditions of Sale will continue in full force and effect. Where a Customer has entered
into a signed contractual agreement with Trapeze Networks for supply of hardware, software or
services, the terms of that agreement shall supersede any terms contained within this Limited
Warranty. Customer understands and acknowledges that the terms of this Limited Warranty, as
well as material information regarding the form, function, operation and limitations of Trapeze
Networks hardware and software will change from time to time, and that the most current
revisions will be publicly available at the Trapeze Networks corporate web site
(www.trapezenetworks.com).
Trapeze Networks, the Trapeze Networks logo design, Trapeze Networks Mobility System
Software, MX, MP, RingMaster, Mobility System, Mobility Exchange, Mobility Point, SafetyNet,
and Trapeze RingMaster are registered trademarks and/or registered service marks of Trapeze
Networks, Inc. Trapeze, Trapeze Smart Mobile, Smart Mobile, Trapeze Mobility System, Trapeze
Networks Mobility System, Trapeze Mobility System Software, Trapeze Networks Mobility
System Software, Mobility System Software, Mobility Exchanges, Trapeze Mobility Exchange,
Trapeze Networks Mobility Exchange, Trapeze MP, MXR-2, MX-8, MX-216, MX-200, MX-400,
MP-372, MP-620, MXR, Trapeze Networks MSS, MSS, Trapeze Networks MP, Trapeze MP,
Trapeze Mobility Point, Trapeze Networks Mobility Point, Indoor Mobility Point, Outdoor
Mobility Point, Mobility Domains, Network Domains, ActiveScan, SentryScan, Automatic
Distributed Access Point, Auto-DAP, and Wireless Without Limits are trademarks and/or service
marks of Trapeze Networks, Inc.
© 2009 Trapeze Networks, Inc. All rights reserved.
1 Introducing the Trapeze Networks Mobility System
This command reference explains Mobility System Software (MSS™) command line interface
(CLI) commands that you enter on a Mobility Exchange™ to configure and manage the Trapeze
Networks Mobility System™ wireless LAN (WLAN).
Read this reference if you are a network administrator responsible for managing Mobility
Exchange (MX) switches and Mobility Point™ (MP™) access points in a network.
Trapeze Networks Mobility System
The Trapeze Networks Mobility System is an enterprise-class WLAN solution that seamlessly
integrates with an existing wired enterprise network. The Trapeze system provides secure
connectivity to both wireless and wired users in large environments such as office buildings,
hospitals, and university campuses and in small environments such as branch offices.
The Trapeze Mobility System fulfills the three fundamental requirements of an enterprise
WLAN: It eliminates the distinction between wired and wireless networks, allows users to work
safely from anywhere (secure mobility), and provides a comprehensive suite of intuitive tools for
planning and managing the network before and after deployment, greatly easing the operational
burden on IT resources.
The Trapeze Networks Mobility System consists of the following components:
RingMaster tool suite—A full-featured graphical user interface (GUI) application used to
plan, configure, deploy, and manage a WLAN and its users
One or more Mobility Exchange™ (MX™) switches—Distributed, intelligent machines
for managing user connectivity, connecting and powering Mobility Point (MP) access points,
and connecting the WLAN to the wired network backbone
Multiple Mobility Point™ (MP™) access points—Wireless access points (APs) that
transmit and receive radio frequency (RF) signals to and from wireless users and connect
them to an MX switch
Mobility System Software™ (MSS™)—The operating system that runs all MX switches
and MP access points in a WLAN, and is accessible through a command-line interface (CLI),
the Web View interface, or the RingMaster GUI
Documentation
Consult the following documents to plan, install, configure, and manage a Trapeze Networks
Mobility System.
Planning, Configuration, and Deployment
Trapeze RingMaster Quick Start Guide. Instructions for installing and configuring RingMaster
services.
Trapeze RingMaster Planning Guide. Instructions for planning, deploying, and managing the
entire WLAN with the RingMaster tool suite. Read this guide to learn how to plan wireless
services.
Trapeze RingMaster Configuration Guide. Instructions for configuring the WLAN with the
RingMaster tool suite. Read this guide to learn how to configure wireless services.
Trapeze RingMaster Managing and Monitoring Guide. Instructions for managing and monitoring
your WLAN using the RingMaster tool suite, and how to optimize and manage your WLAN.
Installation
Trapeze Mobility Exchange Hardware Installation Guide. Instructions and specifications for
installing an MX switch
Trapeze Mobility System Software Quick Start Guide. Instructions for performing basic setup
of secure (802.1X) and guest (WebAAA™) access, and for configuring a Mobility Domain for
roaming
Trapeze Mobility Point MP-372 Installation Guide. Instructions and specifications for
installing an MP access point and connecting it to an MX.
Trapeze Mobility Point MP-620 Installation Guide. Instructions and specifications for
installing the MP-620 access point and connecting to an MX.
Trapeze Regulatory Information. Important safety instructions and compliance information
that you must read before installing Trapeze Networks products
Configuration and Management
Trapeze RingMaster Reference Manual. Instructions for planning, configuring, deploying, and
managing the entire WLAN with the RingMaster tool suite
Trapeze Mobility System Software Configuration Guide. Instructions for configuring and
managing the system through the MSS CLI
Trapeze Mobility System Software Command Reference (this document). Functional and
alphabetic reference to all MSS commands supported on MX switches and MPs.
Safety and Advisory Notices
The following kinds of safety and advisory notices appear in this manual.
Warning!
This situation or condition can lead to data loss or damage to the product or other property.
Note:
This information is of special interest.
Text and Syntax Conventions
Trapeze manuals use the following text and syntax conventions:
Table 0-1.
Convention                Use
Monospace text            Sets off command syntax or sample commands and system responses.
Bold text                 Highlights commands that you enter or items you select.
Italic text               Designates command variables that you replace with appropriate values, or highlights publication titles or words requiring special emphasis.
Menu Name > Command       Indicates a menu item that you select. For example, File > New indicates that you select New from the File menu.
[ ] (square brackets)     Enclose optional parameters in command syntax.
{ } (curly brackets)      Enclose mandatory parameters in command syntax.
| (vertical bar)          Separates mutually exclusive options in command syntax.
3 Access Commands
Use access commands to control access to the Mobility System Software (MSS) command-line interface (CLI). This chapter presents access commands alphabetically. Use the following table to locate commands in this chapter based on their use.
Access Privileges    enable on page 3-15
                     set enablepass on page 3-16
                     disable on page 3-15
                     quit on page 3-16
                     set confirm on page 4-26
disable
Changes the CLI session from enabled mode to restricted access.
Syntax
disable
Defaults
None.
Access
Enabled.
History
Introduced in MSS 1.0.
Examples
The following command restricts access to the CLI for the current session:
MX# disable
MX>
See Also
enable on page 3-15
enable
Places the CLI session in enabled mode, which provides access to all commands required for configuring and monitoring the system.
Syntax
enable
Access
All.
History
Introduced in MSS 1.0.
Usage
MSS displays a password prompt to challenge you with the enable password. To enable a session, you or another administrator must have configured the enable password on this MX with the set enablepass command.
Examples
The following command plus the enable password provides enabled access to the CLI for the current session:
MX> enable
Enter password: password
MX#
See Also
set enablepass on page 3-16
quit
Exits the CLI session.
Syntax
quit
Defaults
None.
Access
All.
History
Introduced in MSS 1.0.
Examples
To end your session, type the following command:
MX> quit
set enablepass
Sets the password that provides enabled access (for configuration and monitoring) to the MX
switch.
Syntax
set enablepass
Defaults
None.
Access
Enabled.
History
Introduced in MSS 1.0.
Usage
After typing the set enablepass command, press Enter. If you are entering the first
enable password on this MX, press Enter at the Enter old password prompt. Otherwise, type the
old password. Then type a password of up to 32 alphanumeric characters with no spaces, and
reenter it at the Retype new password prompt.
Examples
The following example illustrates the prompts that the system displays when the
enable password is changed. The passwords you enter are not displayed.
MX# set enablepass
Enter old password: old-password
Enter new password: new-password
Retype new password: new-password
Password changed
See Also
disable on page 3-15
enable on page 3-15
Note:
The enable password is case-sensitive.
Caution:
Be sure to use a password that you can remember. If you lose the enable password, the only way to restore it is to return the MX to the default settings, which erases the configuration.
4 System Services Commands
Use system services commands to configure and monitor system information for a Mobility Exchange (MX) switch. This chapter presents system services commands alphabetically. Use the following table to locate commands in this chapter based on their use.
Configuration            quickstart on page 4-23
Auto-Config              set auto-config on page 4-23
Run Scripts              set run on page 4-29 (New)
                         clear run on page 4-21
Display                  clear banner motd on page 4-19
                         set banner motd on page 4-26
                         set banner acknowledge on page 4-25
                         show banner motd on page 4-36
                         set confirm on page 4-26
                         set length on page 4-27
System Identification    set prompt on page 4-28
                         set system name on page 4-36
                         set system location on page 4-35 (Updated)
                         set system console-timeout on page 4-29 (New)
                         set system contact on page 4-30 (Updated)
                         set system countrycode on page 4-30
                         set system idle-timeout on page 4-34
                         set system ip-address on page 4-35
                         show load on page 4-37
                         show system on page 4-40 (Updated)
                         clear system on page 4-21 (Updated)
                         clear prompt on page 4-20
Help                     help on page 4-22 (Updated)
History                  history on page 4-23
                         clear history on page 4-20
License                  set license on page 4-27 (Updated)
                         show license on page 4-37
Technical Support        show tech-support on page 4-42
clear banner motd
Deletes the message-of-the-day (MOTD) banner that is displayed before the login prompt for each CLI session on the MX switch.
Syntax
clear banner motd
Defaults
None.
Access
Enabled.
History
Introduced in MSS Version 1.0.
Examples
To clear a banner, type the following command:
MX# clear banner motd
success: change accepted
Note:
As an alternative to clearing the banner, you can overwrite the existing banner with an empty banner by typing the following command: set banner motd ^^
See Also
set banner motd on page 4-26
show banner motd on page 4-36
clear history
Deletes the command history buffer for the current CLI session.
Syntax
clear history
Defaults
None.
Access
All.
History
Introduced in MSS Version 1.0.
Examples
To clear the history buffer, type the following command:
MX# clear history
success: command buffer was flushed.
See Also
history on page 4-23
clear prompt
Resets the system prompt to its previously configured value. If the prompt was not configured previously, this command resets the prompt to the default.
Syntax
clear prompt
Defaults
None.
Access
Enabled.
History
Introduced in MSS Version 1.0.
Examples
To reset the prompt, type the following command:
wildebeest# clear prompt
success: change accepted.
MX#
See Also
set prompt on page 4-28. (For information about default prompts, see “Command Prompts” on page 2–5.)
clear run
Clears the run rule associated with the specified script file.
Syntax
clear run scriptfilename
Defaults
None.
Access
Enabled.
History
Introduced in MSS 7.1.
Examples
To clear the rule for the script runmem, use the following command:
MX# clear run runmem
success: change accepted.
clear system
Clears the system configuration of the specified information.
Syntax
clear system [console-timeout | contact | countrycode | idle-timeout | ip-address | location | mx-secret | name]
console-timeout    Clears the configured timeout for the CLI.
contact            Resets the name of the contact person for the MX to null.
countrycode        Resets the country code for the MX to null.
idle-timeout       Resets the number of seconds a CLI management session can remain idle to the default value (3600 seconds).
ip-address         Resets the IP address of the MX to null.
location           Resets the location of the MX to null.
mx-secret          Clears the MX secret from the system.
name               Resets the name of the MX to the default system name, which is MX-mm-nnnnnn, where mm is the model number and nnnnnn is the last 6 digits of the switch’s MAC address.
Defaults
None.
Access
Enabled.
History
Version 1.0    Command introduced.
Version 4.1    Option idle-timeout added.
Version 7.1    Option mx-secret added.
Version 7.3    Option console-timeout added.
Warning!
If you change the IP address, any currently configured Mobility Domain operations cease. You must reset the Mobility Domain.
Examples
To clear the location of the MX, type the following command:
MX# clear system location
success: change accepted.
See Also
set system contact on page 4-30
set system countrycode on page 4-30
set system idle-timeout on page 4-34
set system ip-address on page 4-35
set system location on page 4-35
show config on page 21-499
show system on page 4-40
help
Displays a list of commands that can be used to configure and monitor the MX.
Syntax
help
Defaults
None.
Access
All.
History
Introduced in MSS Version 1.0.
Examples
Use this command to see a list of available commands. If you have restricted access, you see fewer commands than if you have enabled access. To display a list of CLI commands available at the enabled access level, type the following command at the enabled access level:
MX# help
Commands:
-------------------------------------------------------------------------
backup Backup system information to filename (or url)
clear Clear, use 'clear help' for more information
commit Commit the content of the ACL table
copy Copy from filename (or url) to filename (or url)
crypto Crypto, use 'crypto help' for more information
delete Delete url
dir Show list of files on flash device
disable Disable privileged mode
exit Exit from the Admin session
help Show this help screen
history Show contents of history substitution buffer
install Install sygate on-demand agent
ldap-ping test binding to a LDAP server or server-group
load Load, use 'load help' for more information
logout Exit from the Admin session
monitor Monitor, use 'monitor help' for more information
md5 md5 filename
mkdir Create a subdirectory on flash device
monitor monitor port counters
ping Send echo packets to hosts
quickstart Perform an initial configuration
quit Exit from the Admin session
radping Send requests to RADIUS server
reset Reset, use 'reset help' for more information
restore Restore system information from file name (or url)
rfping Rfping operations
rmdir Remove a directory created by mkdir
rollback Remove changes to the edited ACL table
run Evaluate contents of a cli file
save Save the running configuration to persistent storage
set Set, use 'set help' for more information
show Show, use 'show help' for more information
telnet telnet IP address [server port]
traceroute Print the route packets take to network host
uninstall Uninstall sygate on-demand agent files
upgrade Upgrade Resiliency Cluster
See Also
“Using CLI Help” on page 2–10
history
Displays the command history buffer for the current CLI session.
Syntax
history
Defaults
None.
Access
All.
History
Introduced in MSS Version 1.0.
Examples
To show the history of your session, type the following command:
MX> history
Show History (most recent first)
--------------------------------
[00] show config
[01] show version
[02] enable
See Also
clear history on page 4-20
quickstart
Runs a script that interactively helps you configure a new MX. (For more information, see the Mobility System Software Quick Start Guide.)
Caution:
The quickstart command is for configuration of a new MX only. After prompting you for verification, the command erases the MX configuration before continuing. If you run this command on an MX with a configuration, the configuration is erased. In addition, error messages such as Critical AP Notice for directly connected MPs can appear.
set auto-config
Enables an MX switch to contact a RingMaster server for its configuration.
Syntax
set auto-config {enable | disable}
enable Enables the switch to contact a RingMaster server to request a configuration.
disable Disables the auto-config option.
Defaults
The auto-config option is automatically enabled on an unconfigured MXR-2 when the factory reset switch is pressed during power on. However, auto-config is disabled by default on other models.
Access
Enabled.
History
Introduced in MSS Version 4.0.
Usage
A network administrator at the corporate office can preconfigure the switch in a RingMaster network plan. The switch configuration must have a name for the switch, the model must be MXR-2, and the serial number must match the switch’s serial number. The configuration should also include all other settings required for the deployment, including MP configuration, SSIDs, AAA settings, and so on.
When the RingMaster server in the corporate network receives the configuration request, the server looks in the currently open network plan for an MX configuration with the same model and serial number as the one in the configuration request.
If the network plan contains a configuration with a matching model and serial number, RingMaster sends the configuration to the MX and restarts the MX. The MX boots using the configuration received from RingMaster.
If the network plan does not have a configuration with a matching model and serial number, a verification warning appears in RingMaster. The warning lists the MX serial number and IP address. The network administrator can upload the MX into the network plan, configure MX parameters, and deploy the configuration to the MX.
To use the auto-config option with a new (unconfigured) MXR-2, insert a paperclip or similar object into the MXR-2 factory reset hole to press the switch. The factory reset switch must be held for about 3 seconds while the factory reset LED (the right LED above port 1) is lit. Normally, this LED remains solidly lit for 3 seconds after power on. However, when the factory reset switch is pressed, the LED flashes for 3 seconds instead.
If you want another MX model to be able to access a RingMaster server for a configuration, you also must preconfigure the MX with the following information:
IP address
Default router (gateway) address
Domain name and DNS server address
You can enable the MX to use the MSS DHCP client to obtain this information from a DHCP server in the local network where the MX is deployed. Alternatively, you can statically configure the information.
The IP address and DNS information are configured independently. You can configure the combination of settings that works with the network resources available at the deployment site. The following examples show some of the combinations you can configure.
Examples
The following commands stage an MX to use the auto-config option. The network where the MX is installed has a DHCP server, so the MX is configured to use the MSS DHCP client to obtain an IP address, default router address, DNS domain name, and DNS server IP addresses.
1. Configure a VLAN:
MX8# set vlan 1 port 7
success: change accepted.
2. Enable the DHCP client on VLAN 1:
MX# set interface 1 ip dhcp-client enable
success: change accepted.
3. Enable the auto-config option:
MX# set auto-config enable
success: change accepted.
4. Save the configuration changes:
MX# save config
success: configuration saved.
See Also
crypto generate key on page 16-412
crypto generate self-signed on page 16-414
save config on page 21-495
set interface dhcp-client on page 8-103
set vlan port on page 6-74
set banner acknowledge
Configures a prompt that is displayed following the MOTD banner. The user must acknowledge
the prompt in order to gain access to the system.
Syntax
set banner acknowledge mode {enable | disable}
set banner acknowledge message “message”
enable Enables the prompt to acknowledge the MOTD banner.
disable Disables the prompt to acknowledge the MOTD banner.
“ ” Delimiting character that begins and ends the prompt message; for example, double quotes (").
message Up to 32 alphanumeric characters, but not the delimiting character. Quotation marks can be used in the message if they are enclosed by delimiting characters. For example, to set the text “Do you agree?” (including the quotation marks) as the text to be displayed following the MOTD banner, type the following command:
MX# set banner acknowledge message ‘"Do you agree?"‘
success: change accepted.
Defaults
None.
Access
Enabled.
History
Introduced in MSS Version 6.0.
Usage
Enable the MOTD prompt, then optionally specify a prompt message. When a user logs into the MX using the CLI, the configured MOTD banner is displayed, followed by the MOTD prompt message (if one is specified). In response, the user has the option of entering y to proceed or any other key to terminate the connection.
Examples
To enable the prompt for the MOTD banner, type the following command:
MX# set banner acknowledge enable
success: change accepted.
To set Do you agree? as the text to be displayed following the MOTD banner, type the following command:
MX# set banner acknowledge message ‘Do you agree?’
success: change accepted.
After these commands are entered, when the user logs on, the MOTD banner is displayed, followed by the text Do you agree? If the user enters y, then the login proceeds. If not, then the user is disconnected.
See Also
set banner motd on page 4-26
clear banner motd on page 4-19
show banner motd on page 4-36
set banner motd
Configures the banner string that is displayed before the beginning of each login prompt for each
CLI session on the MX.
Syntax
set banner motd “text”
“ ” Delimiting character that begins and ends the message; for example, double quotes (").
text Up to 2000 alphanumeric characters, including tabs and carriage returns, but not the delimiting character.
Note: The text cannot contain lines longer than 256 characters.
Defaults
None.
Access
Enabled.
History
Introduced in MSS Version 1.0.
Usage
Type a delimiting character, then the message, then another delimiting character.
Examples
To create a banner that says Meeting @ 4:00 p.m. in Conference Room #3, type the following command:
MX# set banner motd "Meeting @ 4:00 p.m. in Conference Room #3"
success: motd changed.
See Also
set banner acknowledge on page 4-25
clear banner motd on page 4-19
show banner motd on page 4-36
set confirm
Enables or disables the display of confirmation messages for commands that might have a large impact on the network.
Syntax
set confirm {on | off}
on Enables confirmation messages.
off Disables confirmation messages.
Defaults
Confirmation messages are enabled.
Access
Enabled.
History
Introduced in MSS Version 1.0.
Usage
This command remains in effect for the duration of the session, until you enter an exit or
quit command, or until you enter another set confirm command.
MSS displays a message requiring confirmation when you enter certain commands that can have a
potentially large impact on the network. For example:
MX# clear vlan red
This may disrupt user connectivity. Do you wish to continue? (y/n) [n]
Examples
To turn off these confirmation messages, type the following command:
MX# set confirm off
success: Confirm state is off
set length
Defines the number of lines of CLI output to display between paging prompts. MSS displays the
set number of lines and waits for you to press any key to display another set, or type q to quit the
display.
Syntax
set length screenlength
screenlength Number of lines of text to display between paging prompts. You can specify 0 and from 10 to 512. The 0 value disables the paging prompt action entirely.
Defaults
MSS displays 24 lines by default.
Access
All.
History
Version 1.0 Command introduced.
Version 6.0 Minimum screen length set to 10 lines.
Version 7.0 Changed variable from number-of-lines to screenlength.
Usage
Use this command if the output of a CLI command is greater than the number of lines allowed by default for a terminal type.
Examples
To set the number of lines displayed to 100, type the following command:
MX# set length 100
success: screen length for this session set to 100
set license
Installs an upgrade or feature license key on an MX.
The MX-200 and MX-216 can boot and manage up to 32 MPs by default. You can increase the MP support to 64, 96, or 128 MPs by installing one or more activation keys. You can install a 32-MP upgrade, 64-MP upgrade, or 96-MP upgrade. If you have already installed a 32-MP or 64-MP upgrade, you can still install additional upgrades.
The entire upgrade matrix is available in the Release Notes for the latest released MSS version.
Syntax
set license activation-key
activation-key Hexadecimal digits generated by the Trapeze Networks license server or otherwise provided by Trapeze Networks for your MX. The activation key is based on the serial number of the MX. You can enter the number in any of the following formats:
xxxx-xxxx-xxxx-xxxx-xxxx
xxxxxxxxxxxxxxxxxxxx
xxxx-xxxx-xxxx-xxxx-xxxx-feature
Defaults
None.
Access
Enabled.
History
Version 1.0 Command introduced.
Version 2.0 Command deprecated.
Version 3.1 Command readded to support new licensing scheme. In MSS Version 1.0, switches were licensed based on the number of active user sessions supported. In 3.1 and later, switches are licensed based on the number of MPs they can boot and manage.
Version 7.1 Per-feature licensing support added.
Examples
To install an activation key for an additional 80 MPs, type the following command:
MX# set license 3B02-D821-6C19-CE8B-F20E
success: license accepted
See Also
show license on page 4-37
set prompt
Changes the CLI prompt for the MX to a string you specify.
Syntax
set prompt string
string Alphanumeric string up to 32 characters long. To include spaces in the prompt, you must enclose the string in double quotation marks (“”).
Defaults
The factory default for the MX name is MX-mm-nnnnnn, where mm is the model number and nnnnnn is the last 6 digits of the 12-digit system MAC address.
Access
Enabled.
History
Introduced in MSS Version 1.0.
Usage
When you first log in for the initial configuration of the MX, the CLI provides an MX-mm-nnnnnn> prompt. After you become enabled by typing enable and giving a suitable password, the MX-mm-nnnnnn# prompt is displayed.
If you use the set system name command to change the default system name, MSS uses that name in the prompt, unless you also change the prompt with set prompt.
Examples
The following example sets the prompt from MX to happy_days:
MX# set prompt happy_days
success: change accepted.
happy_days#
See Also
clear prompt on page 4-20
set system name on page 4-36
show config on page 21-499
set run
Sets the timing for scripts to automatically run on the MX.
Syntax
set run scriptname on [interval intervalspec | startup | shutdown]
Defaults
None.
Access
Enabled.
History
Introduced in MSS Version 7.1.
Usage
Use this command to schedule a script (a *.txt file containing CLI commands) so that the commands in the file run automatically.
To execute a script at a specified minute of a specified hour or every hour, on a specified day or every weekday or every day, use the interval specification format day, hour, and minute. For example, to run a script every weekday at 18:15, use the format Wk1815. To run a script every Monday at 5 minutes after the hour, use the format MoAll05. To run a script every day at midnight, use the format Any0000.
To run a script every X hours, use the format DayHrint/HHh. To run a script every X minutes, use the format DayHrint/MMm. For example, to run a script every hour on weekdays between 3 a.m. and 6 a.m., excluding 6 a.m., use the format Wk03-06/01h.
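To see what a given intervalspec actually schedules (for example, when auditing which scripts run unattended on an MX and when), the following added Python parser expands the interval format described above; it is example code, not part of MSS or RingMaster. It assumes day tokens are case-insensitive, that wk means Monday through Friday as in the Wk1815 example, and that an hour-range interval fires from Hrnum1 up to but excluding Hrnum2, as the Wk03-06/01h example states.

```python
import re
from typing import Dict, List, Set

# Day tokens from the intervalspec table, plus "wk" (weekday) as used by the
# Wk1815 and Wk03-06/01h examples.  Assumption: tokens are case-insensitive.
_DAYS: Dict[str, Set[str]] = {
    "su": {"su"}, "mo": {"mo"}, "tu": {"tu"}, "we": {"we"},
    "th": {"th"}, "fr": {"fr"}, "sa": {"sa"},
    "wk": {"mo", "tu", "we", "th", "fr"},
    "any": {"su", "mo", "tu", "we", "th", "fr", "sa"},
}
_DAY_ALT = "su|mo|tu|we|th|fr|sa|wk|any"

# Day + Hour + Min, e.g. Wk1815, MoAll05, Any0000, sa1800
_FIXED_RE = re.compile(rf"^({_DAY_ALT})(all|\d\d)(\d\d)$", re.IGNORECASE)
# Day + Hrint + "/" + step + unit, e.g. Wk03-06/01h or Any09-10/15m
_RANGE_RE = re.compile(rf"^({_DAY_ALT})(\d\d)-(\d\d)/(\d\d)([hm])$", re.IGNORECASE)


def _check_hour(value: int, spec: str) -> int:
    if value > 23:
        raise ValueError(f"Hrnum must be 00-23 in {spec!r}")
    return value


def parse_intervalspec(spec: str) -> Dict[str, object]:
    """Expand an intervalspec into the days and clock times it fires on.

    Returns {"days": set of two-letter day tokens, "times": list of "HH:MM"}.
    Raises ValueError when the spec violates the documented ranges
    (Hrnum 00-23, Min 00-59, Hrnum2 larger than Hrnum1).
    """
    m = _FIXED_RE.match(spec)
    if m:
        day, hour, minute = m.group(1).lower(), m.group(2).lower(), int(m.group(3))
        if minute > 59:
            raise ValueError(f"Min must be 00-59 in {spec!r}")
        # "All" means every hour at the given minute (MoAll05 = xx:05 each hour)
        hours = range(24) if hour == "all" else [_check_hour(int(hour), spec)]
        return {"days": set(_DAYS[day]),
                "times": [f"{h:02d}:{minute:02d}" for h in hours]}

    m = _RANGE_RE.match(spec)
    if m:
        day = m.group(1).lower()
        start = _check_hour(int(m.group(2)), spec)
        end = _check_hour(int(m.group(3)), spec)
        step = int(m.group(4))
        if end <= start:
            raise ValueError(f"Hrnum2 must be larger than Hrnum1 in {spec!r}")
        if step == 0:
            raise ValueError(f"step must be non-zero in {spec!r}")
        step_minutes = step * 60 if m.group(5).lower() == "h" else step
        # Assumption: the range is end-exclusive, as the Wk03-06/01h example
        # ("between 3 a.m. and 6 a.m., excluding 6 a.m.") describes.
        times: List[str] = []
        t = start * 60
        while t < end * 60:
            times.append(f"{t // 60:02d}:{t % 60:02d}")
            t += step_minutes
        return {"days": set(_DAYS[day]), "times": times}

    raise ValueError(f"unrecognised intervalspec {spec!r}")


def is_valid_intervalspec(spec: str) -> bool:
    """True when the spec parses and respects the documented ranges."""
    try:
        parse_intervalspec(spec)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for spec in ("Wk1815", "MoAll05", "Any0000", "Wk03-06/01h", "sa1800"):
        sched = parse_intervalspec(spec)
        print(f"{spec:12} days={sorted(sched['days'])} times={sched['times'][:4]}")
```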
scriptname Name of the script in *.txt format.
intervalspec Specified intervals for the script to run on the MX:
Day - su|mo|tu|we|th|fr|sa|any
Hrnum - 00-23
Hrint - Hrnum1-Hrnum2, where Hrnum2 is larger than Hrnum1
Hour - All | Hrnum
Min - 00-59
startup Execute the script when the MX boots up.
shutdown Execute the script when the MX is shut down.
Examples
To run a script called runmem every Saturday at 5 p.m., use the following command:
MX# set run runmem sa1800
success: change accepted.
set system console-timeout
Sets the timeout for the CLI console.
Syntax
set system console-timeout console-timeout
console-timeout Time, in seconds, with a range of 0 (off) to 86400.
Defaults
None.
Access
Enabled
History
Introduced in MSS Version 7.1.
Examples
To set the console timeout to 120 seconds (2 minutes), use the following command:
MX# set system console-timeout 120
success: change accepted.
set system contact
Stores a contact name for the MX.
Syntax
set system contact string
string Alphanumeric string up to 256 characters long.
Defaults
None.
Access
Enabled.
History
MSS Version 1.0 Command introduced.
MSS Version 7.3 Ability to include spaces added.
Usage
To view the system contact string, type the show system command.
Examples
The following command sets the system contact information to tamara@example.com:
MX# set system contact tamara@example.com
success: change accepted.
See Also
clear system on page 4-21
set system location on page 4-35
set system name on page 4-36
show system on page 4-40
set system countrycode
Defines the country-specific IEEE 802.11 regulations to enforce on the MX.
Syntax
set system countrycode code
code Two-letter code for the country of operation for the MX. You can specify one of the codes listed in Table 4–1.
Table 4–1. Country Codes
Country Code
Algeria DZ
Argentina AR
Anguilla AI
Australia AU
Austria AT
Bosnia and Herzegovina BA
Belgium BE
Bulgaria BG
Bahrain BH
Bolivia BO
Botswana BW
Brazil BR
Belize BZ
Canada CA
Chile CL
China CN
Colombia CO
Costa Rica CR
Cote D’Ivoire CI
Croatia HR
Cyprus CY
Czech Republic CZ
Denmark DK
Dominica DM
Dominican Republic DO
Ecuador EC
El Salvador SV
Egypt EG
Estonia EE
Finland FI
France FR
Germany DE
Greece GR
Grenada GD
Guatemala GT
Guam GU
Honduras HN
Hong Kong HK
Hungary HU
Iceland IS
India IN
Indonesia ID
Ireland IE
Israel IL
Italy IT
Jamaica JM
Japan JP
Jordan JO
Kazakhstan KZ
Kenya KE
St. Kitts and Nevis KN
Kuwait KW
Cayman Islands KY
Latvia LV
Lebanon LB
Liechtenstein LI
Lithuania LT
St. Lucia LC
Luxembourg LU
Macedonia, Former Yugoslav Republic of MK
Malaysia MY
Malta MT
Mauritius MU
Mexico MX
Montserrat MS
Morocco MA
Namibia NA
Netherlands NL
New Zealand NZ
Nigeria NG
Norway NO
Oman OM
Pakistan PK
Panama PA
Paraguay PY
Peru PE
Philippines PH
Poland PL
Portugal PT
Puerto Rico PR
Qatar QA
Romania RO
Russia RU
Saudi Arabia SA
Serbia CS
Singapore SG
Slovakia SK
Slovenia SI
South Africa ZA
South Korea KR
Spain ES
Sri Lanka LK
Sweden SE
Switzerland CH
Taiwan TW
Tanzania TZ
Thailand TH
East Timor TP
Trinidad and Tobago TT
Tunisia TN
Turkey TR
Ukraine UA
United Arab Emirates AE
United Kingdom GB
United States US
Uruguay UY
Venezuela VE
Vietnam VN
St. Vincent and the Grenadines VC
US Virgin Islands VI
Zambia ZM
Zimbabwe ZW
Defaults
The factory default country code is None.
Access
Enabled.
History
Version 1.0 Command introduced.
Version 1.1 New country codes added: AE, AU, BR, CN, CZ, ES, GR, HK, HU, KR, IL, IN, LI, MX, MY, NZ, PL, SA, SG, SI, SK, TH, TW, ZA.
Version 6.2 New country codes added: BH, BO, BW, CL, CO, CR, CI, HR, CY, DM, DO, EC, SV, EG, EE, GD, GT, HN, ID, JM, JO, KZ, KE, KN, KW, KY, LV, LB, LI, LT, LC, MU, MS, MA, NA, NG, OM, PK, PA, PY, PE, PH, PR, RO, RU, CS, LK, TZ, TT, TN, TR, UA, UY, VE, VN, VC, ZM, and ZW.
Usage
You must set the system country code to a valid value before using any set ap commands to configure a Mobility Point (MP).
Examples
To set the country code to Canada, type the following command:
MX# set system countrycode CA
success: change accepted.
See Also
show config on page 21-499
set system idle-timeout
Specifies the maximum number of seconds a CLI management session with the switch can remain idle before MSS terminates the session.
Syntax
set system idle-timeout seconds
seconds Number of seconds a CLI management session can remain idle before MSS terminates the session. You can specify from 0 to 86400 seconds (one day). If you specify 0, the idle timeout is disabled.
The timeout interval is in 30-second increments. For example, the interval can be 0, or 30 seconds, or 60 seconds, or 90 seconds, and so on. If you enter an interval that is not divisible by 30, the CLI rounds up to the next 30-second increment. For example, if you enter 31, the CLI rounds up to 60.
Defaults
3600 seconds (one hour). Setting the value to 0 turns off the feature. A maximum of 86400 seconds can be configured.
Access
Enabled.
History
Version 4.1 Command introduced.
Version 7.0 Maximum value changed to 86400 seconds.
Usage
This command applies to all types of CLI management sessions: console, Telnet, and SSH.
The timeout change applies to existing sessions only, not to new sessions.
Examples
The following command sets the idle timeout to 1800 seconds (one half hour):
MX# set system idle-timeout 1800
success: change accepted.
See Also
clear system on page 4-21
show system on page 4-40
set system ip-address
Sets the system IP address so that it can be used by various services in the MX.
Syntax
set system ip-address ip-addr
ip-addr IP address, in dotted decimal notation.
Defaults
None.
Access
Enabled.
History
Introduced in MSS Version 1.0.
Warning!
Any currently configured Mobility Domain operations cease if you change the IP address. If you change the address, you must reset the Mobility Domain.
Examples
The following command sets the IP address of the MX to 192.168.253.1:
MX# set system ip-address 192.168.253.1
success: change accepted.
See Also
clear system on page 4-21
set interface on page 8-102
show system on page 4-40
set system location
Stores location information for the MX.
Syntax
set system location string
string Alphanumeric string up to 256 characters long.
Defaults
None.
Access
Enabled.
History
MSS Version 1.0 Command introduced.
MSS Version 7.3 Ability to include spaces added.
Usage
You can include spaces in the system location string, but it cannot exceed 256 characters.
To view the system location string, type the show system command.
Examples
To store the location of the MX in the configuration, type the following command:
MX# set system location first-floor-bldg3
success: change accepted.
See Also
clear system on page 4-21
set system contact on page 4-30
set system name on page 4-36
show system on page 4-40
set system name
Changes the name of the MX from the default system name and also provides content for the CLI
prompt, if you do not specify a prompt.
Syntax
set system name string
string Alphanumeric string up to 256 characters long, with no blank spaces. RingMaster requires unique MX names.
Defaults
By default, the system name and command prompt have the same value. The factory default for both is MX-mm-nnnnnn, where mm is the model number and nnnnnn is the last 6 digits of the 12-digit system MAC address.
Access
Enabled.
History
Introduced in MSS Version 1.0.
Usage
Entering set system name with no string resets the system name to the factory default.
To view the system name string, type the show system command.
Examples
The following example sets the system name to a name that identifies the MX switch:
MX# set system name MX-bldg3
success: change accepted.
MX-bldg3#
See Also
clear system on page 4-21
set prompt on page 4-28
set system contact on page 4-30
set system location on page 4-35
show system on page 4-40
show banner motd
Shows the banner configured with the set banner motd command.
Syntax
show banner motd
Defaults
None.
Access
Enabled.
History
Introduced in MSS Version 1.0.
Examples
To display the banner with the message of the day, type the following command:
MX# show banner motd
hello world
See Also
clear banner motd on page 4-19
show license
Displays information about the license key(s) currently installed on an MX.
Syntax
show license keys
Defaults
None.
Access
All.
History
Version 1.0 Command introduced.
Version 2.0 Current session count and Last sent alert time fields removed.
Version 3.1 Command readded as show licenses, with new output.
Version 7.0 Command changed to show license keys with new output.
Examples
To view license keys, type the following command:
MX# show license keys
Serial Number : 0321300013
40 access points are supported
Additional Features:
Feature Description Installed Active
----------------------------------------------------
Installed License Authorization Keys
See Also
set license on page 4-27
show load
Displays instantaneous CPU and memory load information for the MX in a useful format, together with additional information that can assist with troubleshooting the MX on the network.
The following information is displayed:
System CPU load
  Summary data displayed:
    Last second (also called instant load)
    Last minute
    Last 5 minutes
    Last hour
    Last day
    Last three days
  Historical values drawn as a graph, showing peaks and averages:
    Last minute
    Last hour
    Last three days
System memory load
  Summary data displayed:
    Last second (also called instant load)
    Last minute
    Last 5 minutes
    Last hour
    Last day
    Last three days
  Historical values drawn as a graph, showing peaks and averages:
    Last minute
    Last hour
    Last three days
Syntax
show load
Defaults
None.
Access
Enabled.
History
Version 4.1 Command introduced.
Version 6.2 Enhancements to output format.
Usage
To display the CPU load recorded from the time the MX was booted, as well as from the
previous time the show load command was run, type the following command:
MXR2_desk# show load cpu
Period Usage
--------------------
Last second: 2%
Last minute: 2%
Last 5 minutes: 2%
Last hour: 2%
Last day: 1%
Last 3 days: 33141%
MXR2_desk# show load cpu history
|100
|90
|80
|70
|60
|50
|40
|30
|20
^ ^ ^ ^^ ^ ^ ^ ^ ^ ^|10
************************************************************|<5
6----5----5----4----4----3----3----2----2----1----1----5----0---
0 5 0 5 0 5 0 5 0 5 0 |
CPU load history for the past hour
* = average CPU load (%) ^ = peak CPU load (%)
MXR2_desk# show load memory history
|128
|112
|96
|80
|64
|48
************************************************************|32
************************************************************|16
************************************************************|<8
6----5----5----4----4----3----3----2----2----1----1----5----0---
0 5 0 5 0 5 0 5 0 5 0 |
Memory utilization history for the past hour
* = average utilization (MBytes) ^ = peak utilization (MBytes)
The overall field shows the CPU load as a percentage from the time the MX was booted. The delta
field shows CPU load as a percentage from the last time the show load command was entered.
See Also
show system on page 4-40
show system
Displays system information.
Syntax
show system
Defaults
None.
Access
Enabled.
History
Version 1.0 Command introduced.
Version 2.0 System Description field added.
Version 3.0 System Description field removed.
Version 4.0 License field removed. To display license information, use the show license command.
Version 7.0 Total Power over Ethernet changed to Total PoE draw (W).
Examples
To show system information, type the following command:
MX# show system
===============================================================================
Product Name: MX
System Name: MX-bldg3
System Countrycode: US
System Location: first-floor-bldg3
System Contact: tamara@example.com
System IP: 192.168.12.7
System Secret Encrypted:
System Console-Timeout: 120 seconds
System Idle Timeout:3600
System MAC: 00:0B:0E:00:04:30
===============================================================================
Boot Time: 2003-11-07 15:45:49
Uptime: 13 days 04:29:10
===============================================================================
Fan status: fan1 OK fan2 OK fan3 OK
Temperature: temp1 ok temp2 ok temp3 ok
PSU Status: Lower Power Supply DC ok AC ok Upper Power Supply missing
Memory: 97.04/744.03 (13%)
Total PoE Draw (W): 29.000
===============================================================================
Table 4–2 describes the fields of show system output.
Table 4–2. show system Output
Field Description
Product Name MX model number.
System Name System name (factory default, or optionally configured with set system name).
System Countrycode Country-specific 802.11 code required for MP operation (configured with set system countrycode).
System Location Record of MX physical location (optionally configured with set system location).
System Contact Contact information about the system administrator or another person to contact about the system (optionally configured with set system contact).
System IP Common interface, source, and default IP address for the MX, in dotted decimal notation (configured with set system ip-address).
System Secret A password configured for MX-MX security.
System Idle Timeout Number of seconds MSS allows a CLI management session (console, Telnet, or SSH) to remain idle before terminating the session. (The system idle timeout can be configured using the set system idle-timeout command.)
System MAC MX media access control (MAC) machine address set at the factory, in 6-byte hexadecimal format.
Boot Time Date and time of the last system reboot.
Uptime Number of days, hours, minutes, and seconds that the MX has been operating since its last restart.
Fan status Operating status of the three MX cooling fans:
OK—Fan is operating.
Failed—Fan is not operating. MSS sends an alert to the system log every 5 minutes until this condition is corrected.
Fan 1 is located nearest the front of the chassis, and fan 3 is located nearest the back.
Temperature Status of temperature sensors at three locations in the MX switch:
ok—Temperature is within the acceptable range of 0° C to 50° C (32° F to 122° F).
Alarm—Temperature is above or below the acceptable range. MSS sends an alert to the system log every 5 minutes until this condition is corrected.
PSU Status Status of the lower and upper power supply units:
missing—Power supply is not installed or is inoperable.
DC ok—Power supply is producing DC power.
DC output failure—Power supply is not producing DC power. MSS sends an alert to the system log every 5 minutes until this condition is corrected.
AC ok—Power supply is receiving AC power.
AC not present—Power supply is not receiving AC power.
Memory Current size (in megabytes) of nonvolatile memory (NVRAM) and synchronous dynamic RAM (SDRAM), plus the percentage of total memory space in use, in the following format:
NVRAM size/SDRAM size (percent of total)
Total PoE Draw (W) Total power that the MX is currently supplying to directly connected MPs, in watts.
See Also
clear system on page 4-21
set system contact on page 4-30
set system countrycode on page 4-30
set system idle-timeout on page 4-34
set system ip-address on page 4-35
set system location on page 4-35
set system name on page 4-36
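When reviewing a fleet of MX switches, the show system output shown above and the rounding rule described under set system idle-timeout can be checked mechanically. The following added Python code (not part of MSS or RingMaster) parses show system output and flags the management-session settings the reference describes as disabled when set to 0 (idle timeout, console timeout) and a country code still at the factory default of None; the weak sample output is constructed, and the acceptable idle limit is a policy assumption named in the code.

```python
import re
from typing import Dict, List

# Output of "show system" as printed in the example above (the page's own
# sample, reproduced here as test input).
SHOW_SYSTEM_OK = """\
===============================================================================
Product Name: MX
System Name: MX-bldg3
System Countrycode: US
System Location: first-floor-bldg3
System Contact: tamara@example.com
System IP: 192.168.12.7
System Secret Encrypted:
System Console-Timeout: 120 seconds
System Idle Timeout:3600
System MAC: 00:0B:0E:00:04:30
===============================================================================
Boot Time: 2003-11-07 15:45:49
Uptime: 13 days 04:29:10
"""

# Constructed sample (not from the page) showing the settings the reference
# describes as disabled (0) or unset (None).
SHOW_SYSTEM_WEAK = """\
Product Name: MX
System Name: MX-lab
System Countrycode: None
System Console-Timeout: 0 seconds
System Idle Timeout:0
System MAC: 00:0B:0E:00:04:31
"""

# "Field: value"; the value may be empty (System Secret Encrypted:) and the
# separator may lack a space (System Idle Timeout:3600).
_FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z() -]*?):\s*(.*)$")

# Policy assumption for the audit (not an MSS default): idle CLI sessions
# must be terminated within one hour.
MAX_IDLE_SECONDS = 3600


def parse_show_system(text: str) -> Dict[str, str]:
    """Turn show system output into a field -> value mapping."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        m = _FIELD_RE.match(line.strip())
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields


def _seconds(value: str) -> int:
    """'120 seconds' or '3600' -> 120 / 3600; -1 when the field is absent."""
    token = value.split()[0] if value else ""
    return int(token) if token.isdigit() else -1


def effective_idle_timeout(requested: int) -> int:
    """Value MSS applies for set system idle-timeout: 0 disables the timeout,
    the maximum is 86400, and anything else rounds up to the next 30-second
    increment (31 becomes 60)."""
    if requested < 0 or requested > 86400:
        raise ValueError("idle-timeout must be 0 to 86400 seconds")
    return -(-requested // 30) * 30  # ceiling division


def audit_show_system(text: str) -> List[str]:
    """Return findings for the management-session fields of show system."""
    f = parse_show_system(text)
    findings: List[str] = []
    idle = _seconds(f.get("System Idle Timeout", ""))
    if idle == 0:
        findings.append("idle timeout is 0: idle console, Telnet and SSH sessions never expire")
    elif idle < 0:
        findings.append("System Idle Timeout field missing from output")
    elif idle > MAX_IDLE_SECONDS:
        findings.append(f"idle timeout {idle}s exceeds policy maximum {MAX_IDLE_SECONDS}s")
    console = _seconds(f.get("System Console-Timeout", ""))
    if console == 0:
        findings.append("console timeout is 0 (off)")
    elif console < 0:
        findings.append("System Console-Timeout field missing from output")
    if f.get("System Countrycode", "None") in ("", "None"):
        findings.append("country code is None: set ap commands are unavailable until it is set")
    return findings


if __name__ == "__main__":
    for name, sample in (("ok", SHOW_SYSTEM_OK), ("weak", SHOW_SYSTEM_WEAK)):
        print(name, audit_show_system(sample) or "no findings")
```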
show tech-support
Provides an in-depth snapshot of the status of the MX, which includes details about the boot
image, the version, ports, and other configuration values. This command also displays the last
100 log messages.
Syntax
show tech-support [file [subdirname/]filename]
[subdirname/]filename Optional subdirectory name, and a string up to 32 alphanumeric characters. The command’s output is saved into a file with the specified name in nonvolatile storage.
Defaults
None.
Access
Enabled.
History
Introduced in MSS Version 1.0.
Usage
Enter this command before calling the Trapeze Networks Technical Assistance Center (TAC). See “Contacting the Technical Assistance Center” on page 1–1 for more information.
See Also
show boot on page 21-497
show config on page 21-499
show license on page 4-37
show system on page 4-40
show version on page 21-500
Port Commands 5 – 43
5 Port Commands
Use port commands to configure and manage individual ports and load-sharing port groups. This chapter presents port commands alphabetically. Use the following table to locate commands in this chapter based on their use.
Port Type
  set port type ap on page 5-59
  set ap on page 5-52 (updated)
  set port type wired-auth on page 5-60 (updated)
  clear port type on page 5-46
  clear ap on page 5-44
Name
  set port name on page 5-56
  clear port name on page 5-46
State
  set port on page 5-54
  reset port on page 5-51
  show port status on page 5-65
Gigabit interface type
  show port media-type (deprecated) on page 5-63
  set port media-type (deprecated) on page 5-55
  clear port media-type (deprecated) on page 5-45
Speed
  set port speed on page 5-58
Autonegotiation
  set port negotiation on page 5-57
PoE
  set port poe on page 5-57
  show port poe on page 5-64
SNMP
  set port trap on page 5-59
Port Groups
  set port-group on page 5-54
  show port-group on page 5-62
  clear port-group on page 5-45
Port Mirroring
  set port mirror on page 5-55
  show port mirror on page 5-64
  clear port mirror on page 5-46
Statistics
  show port counters on page 5-61
  monitor port counters on page 5-47
  clear port counters on page 5-44
clear ap
Removes a Distributed MP.
Syntax
clear ap {apnum | auto | fdb}
apnum Number of the MP(s) to remove.
auto Clear all auto operations.
fdb Clear dynamic AP FDB entries.
Defaults
None.
Access
Enabled.
History
MSS Version 2.0 Command introduced.
MSS Version 6.0 Command changed from dap to ap.
MSS Version 7.1 Attribute all deprecated. Attributes fdb and auto added.
Warning!
When you clear a Distributed MP, MSS ends user sessions that are using the MP.
Examples
The following command clears MP 1:
MX# clear ap 1
This will clear specified AP devices. Would you like to continue? (y/n) [n]y
See Also
set ap on page 5-52
set port type ap on page 5-59
clear port counters
Clears port statistics counters and resets them to 0.
Syntax
clear port counters
Defaults
None.
Access
Enabled.
History
Introduced in MSS Version 1.0.
Examples
The following command clears all port statistics counters and resets them to 0:
MX# clear port counters
success: cleared port counters
See Also
monitor port counters on page 5-47
show port counters on page 5-61
clear port-group
Removes a port group.
Syntax
clear port-group name name
name name Name of the port group.
Defaults
None.
Access
Enabled.
History
Introduced in MSS Version 1.0.
Examples
The following command clears port group server1:
MX# clear port-group name server1
success: change accepted.
See Also
set port-group on page 5-54
show port-group on page 5-62
clear port media-type (deprecated)
Disables the copper interface and reenables the fiber interface on an MX-400 gigabit Ethernet port.
Syntax
clear port media-type name
name List of physical ports. MSS disables the copper interface and reenables the fiber interface on all the specified ports.
Defaults
The GBIC (fiber) interface is enabled, and the copper interface is disabled, by default.
Access
Enabled.
History
MSS Version 4.0 Command introduced.
MSS Version 7.0 port-list changed to literal value of name.
MSS Version 7.1 Deprecated.
Usage
This command applies only to the MX-400. This command does not affect a link that is already active on the port.
Examples
The following command disables the copper interface and reenables the fiber interface on port 2:
MX-400# clear port media-type name
See Also
set port media-type (deprecated) on page 5-55
show port media-type (deprecated) on page 5-63
clear port mirror
Removes a port mirroring configuration.
Syntax
clear port mirror
Defaults
None.
Access
Enabled.
History
Introduced in MSS Version 4.2.
Examples
The following command clears the port mirroring configuration from the switch:
MX# clear port mirror
See Also
set port mirror on page 5-55
show port mirror on page 5-64
clear port name
Removes the name assigned to a port.
Syntax
clear port port-list name
port-list List of physical ports. MSS removes the names from all the specified ports.
Defaults
None.
Access
Enabled.
History
Introduced in MSS Version 1.0.
Examples
The following command clears the names of ports 17 through 20:
MX# clear port 17-20 name
See Also
set port name on page 5-56
show port status on page 5-65
clear port preference
Deprecated in MSS Version 4.0. Use the clear port media-type command.
clear port type
Removes all configuration settings from a port and resets the port as a network port.
Warning!
When you clear a port, MSS ends user sessions that are using the port.
Port Commands
Port Commands
5 – 47
Syntax
clear port type port-list
Defaults
The cleared port becomes a network port but is not placed in any VLANs.
Access
Enabled.
History
Introduced in MSS Version 1.0.
Usage
Use this command to change a port back to a network port. All configuration settings specific
to the port type are removed. For example, if you clear an MP port, all MP-specific settings are
removed. Table 5– 3 lists the default network port settings that MSS applies when you clear a port
type.
Examples
The following command clears port 5:
MX# clear port type 5
This may disrupt currently authenticated users. Are you sure? (y/n) [n]y
success: change accepted.
See Also
set port type ap on page 5-59
set port type wired-auth on page 5-60
monitor port counters
Displays and continually updates port statistics.
Syntax
monitor port counters [octets | packets | receive-errors | transmit-errors |
collisions | receive-etherstats | transmit-etherstats]
port-list List of physical ports. MSS resets and removes the configuration from all the
specified ports.
Table 5– 3. Network Port Defaults
Port Parameter Setting
VLAN membership None.
Note: Although the command changes a port
to a network port, the command does not
place the port in any VLAN. To use the port
in a VLAN, you must add the port to the
VLAN.
Spanning Tree Protocol (STP) Based on the VLAN(s) you add the port to.
802.1X No authorization.
Port groups None.
Internet Group Management
Protocol (IGMP) snooping
Enabled as port is added to VLANs.
Access point and radio
parameters
Not applicable
Maximum user sessions Not applicable
octets Displays octet statistics first.
packets Displays packet statistics first.
Port Commands
Mobility System Software Command Reference Guide
Version 7.3
5 – 48
Defaults
All types of statistics are displayed for all ports. MSS refreshes the statistics every 5
seconds, and the interval cannot be configured. Statistics types are displayed in the following
order by default:
Octets
Packets
Receive errors
Transmit errors
Collisions
Receive Ethernet statistics
Transmit Ethernet statistics
Access
All.
History
Introduced in MSS Version 1.0.
Usage
Each type of statistic is displayed separately. Press the Spacebar to cycle through the
displays for each type.
If you use an option to specify a statistic type, the display begins with that statistic type. You can
use one statistic option with the command.
Use the keys listed in Table 5– 4 to control the monitor display.
For error reporting, the cyclic redundancy check (CRC) errors include misalignment errors.
Jumbo packets with valid CRCs are not counted. A short packet can be reported as a short packet,
a CRC error, or an overrun. In some circumstances, the transmitted octets counter might
increment a small amount for a port with nothing attached.
Examples
The following command starts the port statistics monitor beginning with octet statistics
(the default):
MX# monitor port counters
As soon as you press Enter, MSS clears the window and displays statistics at the top of the
window.
Port Status Rx Octets Tx Octets
===============================================================================
1 Up 27965420 34886544
...
To cycle the display to the next set of statistics, press the Spacebar. In this example, packet
statistics are displayed next:
receive-errors Displays errors in received packets first.
transmit-errors Displays errors in transmitted packets first.
collisions Displays collision statistics first.
receive-etherstats Displays Ethernet statistics for received packets first.
transmit-etherstats Displays Ethernet statistics for transmitted packets first.
Table 5– 4. Key Controls for Monitor Port Counters Display
Key Effect on Monitor Display
Spacebar Advances to the next statistic type.
Esc Exits the monitor. MSS stops displaying the statistics and displays
a new command prompt.
c Clears the statistics counters for the currently displayed statistics
type. The counters begin incrementing again.
Port Commands
Port Commands
5 – 49
Port Status Rx Unicast Rx NonUnicast Tx Unicast Tx NonUnicast
===============================================================================
1 Up 54620 62144 68318 62556
...
Port Commands
Mobility System Software Command Reference Guide
Version 7.3
5 – 50
Table 5-5 describes the port statistics displayed by each statistics option. The Port and Status fields are displayed for each option.
Table 5-5. Output for monitor port counters
Statistics Option            Field             Description
Displayed for All Options    Port              Displays the port statistics.
                             Status            Port status. The status can be Up or Down.
octets                       Rx Octets         Total number of octets received by the port. This number includes octets received in frames that contained errors.
                             Tx Octets         Total number of octets transmitted by the port. This number includes octets transmitted in frames that contained errors.
packets                      Rx Unicast        Number of unicast packets received. This number does not include packets that contain errors.
                             Rx NonUnicast     Number of broadcast and multicast packets received. This number does not include packets that contain errors.
                             Tx Unicast        Number of unicast packets transmitted. This number does not include packets that contain errors.
                             Tx NonUnicast     Number of broadcast and multicast packets transmitted. This number does not include packets that contain errors.
receive-errors               Rx Crc            Number of frames received by the port that had the correct length but contained an invalid frame check sequence (FCS) value. This statistic includes frames with misalignment errors.
                             Rx Error          Total number of frames received in which the Physical layer (PHY) detected an error.
                             Rx Short          Number of frames received by the port that were fewer than 64 bytes long.
                             Rx Overrun        Number of frames received by the port that were valid but were longer than 1518 bytes. This statistic does not include jumbo packets with valid CRCs.
transmit-errors              Tx Crc            Number of frames transmitted by the port that had the correct length but contained an invalid FCS value.
                             Tx Short          Number of frames transmitted by the port that were fewer than 64 bytes long.
                             Tx Fragment       Total number of frames transmitted that were less than 64 octets long and had invalid CRCs.
                             Tx Abort          Total number of frames that had a link pointer parity error.
collisions                   Single Coll       Total number of frames transmitted that experienced one collision before 64 bytes of the frame were transmitted on the network.
                             Multiple Coll     Total number of frames transmitted that experienced more than one collision before 64 bytes of the frame were transmitted on the network.
                             Excessive Coll    Total number of frames that experienced more than 16 collisions during transmit attempts. These frames are dropped and not transmitted.
                             Total Coll        Best estimate of the total number of collisions on this Ethernet segment.
receive-etherstats           Rx 64             Number of packets received that were 64 bytes long.
                             Rx 127            Number of packets received that were from 65 through 127 bytes long.
                             Rx 255            Number of packets received that were from 128 through 255 bytes long.
                             Rx 511            Number of packets received that were from 256 through 511 bytes long.
                             Rx 1023           Number of packets received that were from 512 through 1023 bytes long.
                             Rx 1518           Number of packets received that were from 1024 through 1518 bytes long.
transmit-etherstats          Tx 64             Number of packets transmitted that were 64 bytes long.
                             Tx 127            Number of packets transmitted that were from 65 through 127 bytes long.
                             Tx 255            Number of packets transmitted that were from 128 through 255 bytes long.
                             Tx 511            Number of packets transmitted that were from 256 through 511 bytes long.
                             Tx 1023           Number of packets transmitted that were from 512 through 1023 bytes long.
                             Tx 1518           Number of packets transmitted that were from 1024 through 1518 bytes long.
See Also
show port counters on page 5-61
reset port
Resets a port by toggling the link state and Power over Ethernet (PoE) state.
Syntax
reset port port-list
    port-list    List of physical ports. MSS resets all the specified ports.
Defaults
None.
Access
Enabled.
History
Introduced in MSS Version 1.0.
Usage
The reset command disables the port link and PoE (if applicable) for at least 1 second, then reenables them. This behavior is useful for forcing an MP that is connected to two MX switches to reboot over the link to the other MX.
Examples
The following command resets port 5:
MX# reset port 5
See Also
set port on page 5-54
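The counters in Table 5-5 are most useful when read together: Rx Unicast and Rx NonUnicast exclude error frames, so combining the packets display with the receive-errors display gives a per-port error ratio. The following script is an added example written for this guide, not code from Trapeze or MSS. It parses the whitespace-separated tables that monitor port counters and show port counters print (rejoining two-word field names such as Rx NonUnicast) and lists the ports whose CRC error ratio exceeds a threshold. The packets rows follow the format shown above; the receive-errors column layout is an assumption (the field names are those of Table 5-5, the order and the counts are constructed).

```python
"""Parse show/monitor port counters tables and rank ports by receive errors.

Added example, not code from the Trapeze documentation or from MSS itself.
"""
from __future__ import annotations

# Rows in the format of the "show port counters" / "monitor port counters" packet
# display on this page; the numbers for ports 2 and 3 are constructed.
PACKETS_OUTPUT = """\
Port Status Rx Unicast Rx NonUnicast Tx Unicast Tx NonUnicast
===============================================================================
1 Up 54620 62144 68318 62556
2 Up 1000 50 900 40
3 Down 0 0 0 0
"""

# Assumed layout of the receive-errors display: the field names are the ones Table 5-5
# lists, the column order and the counts are constructed for this example.
RECEIVE_ERRORS_OUTPUT = """\
Port Status Rx Crc Rx Error Rx Short Rx Overrun
===============================================================================
1 Up 3 0 0 0
2 Up 120 4 7 0
3 Down 0 0 0 0
"""


def parse_counters(text: str) -> dict[int, dict]:
    """Return {port: {field: value}} for one statistics display.

    The header is whitespace separated, but field names such as "Rx Octets" and
    "Tx NonUnicast" are two words, so "Rx"/"Tx" is rejoined with the token after it.
    """
    lines = [ln for ln in text.splitlines() if ln.strip() and not ln.startswith("=")]
    fields = []
    for tok in lines[0].split():
        if fields and fields[-1] in ("Rx", "Tx"):
            fields[-1] = f"{fields[-1]} {tok}"
        else:
            fields.append(tok)
    rows = {}
    for ln in lines[1:]:
        cells = ln.split()
        if len(cells) != len(fields):
            raise ValueError(f"column mismatch in row {ln!r}")
        row = {name: int(cell) if cell.isdigit() else cell for name, cell in zip(fields, cells)}
        rows[row["Port"]] = row
    return rows


def crc_error_ratio(packets: dict[int, dict], errors: dict[int, dict]) -> dict[int, float]:
    """Rx Crc frames as a fraction of all frames received, per port that is Up.

    Rx Unicast and Rx NonUnicast exclude error frames (Table 5-5), so the denominator
    is good frames plus CRC frames; a port with no traffic at all reports 0.0.
    """
    ratios = {}
    for port, err in errors.items():
        pkt = packets.get(port)
        if pkt is None or pkt["Status"] != "Up":
            continue
        good = pkt["Rx Unicast"] + pkt["Rx NonUnicast"]
        bad = err["Rx Crc"]
        ratios[port] = bad / (good + bad) if good + bad else 0.0
    return ratios


def noisy_ports(packets_text: str, errors_text: str, threshold: float = 0.01) -> list[int]:
    """Ports whose CRC error ratio exceeds threshold: candidates for a cabling or duplex check.

    The Usage section notes that CRC errors include misalignment errors and that a short
    frame may be reported as a CRC error, so treat this as a triage list, not a diagnosis.
    """
    ratios = crc_error_ratio(parse_counters(packets_text), parse_counters(errors_text))
    return sorted(port for port, ratio in ratios.items() if ratio > threshold)


if __name__ == "__main__":
    print("ports to inspect:", noisy_ports(PACKETS_OUTPUT, RECEIVE_ERRORS_OUTPUT))
```

Because the monitor display clears its counters with the c key and show port counters does not, capture both displays from the same command family when comparing them; otherwise the error ratio is computed over different time windows.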
set ap
Configures an MP, either directly connected to the MX or indirectly connected through an intermediate Layer 2 or Layer 3 network.
Syntax
set ap apnum serial-id serial-ID model {2330 | 2330A | 2330B | 2332-A1 | AP-EASYA | AP1602 | AP1602C | AP2750 | AP3750 | AP3850 | AP3950 | AP9551 | MP-371 | MP-371B | MP-372 | MP-372-JP | MP-372A | MP-372B | MP-422 | MP-422A | MP-422B | MP-422FB | MP-422F | MP-432 | MP-432F | MP-522 | MP-522E | MP-620 | MP-620A | MP-620B | MP-622 | MP-632 | MP-632F | MP-71 | MP-82} [radiotype {11a | 11b | 11g | 11na | 11ng}]
Note: Before configuring a Distributed MP, you must use the set system countrycode command to set the IEEE 802.11 country-specific regulations on the MX switch. See set system countrycode on page 4-30.
    apnum                  Number for the Distributed MP. The range of valid connection numbers depends on the MX model:
                           MX-200: 1 to 320
                           MX-216: 1 to 320
                           MX-400: 1 to 300
                           MX-20: 1 to 100
                           MX-8: 1 to 30
                           MXR-2: 1 to 8
    serial-id serial-ID    MP access point serial ID. The serial ID is listed on the MP case. To display the serial ID using the CLI, use the show version details command.
    model {2330 | 2330A | 2330B | 2332-A1 | AP1602 | AP1602C | AP2750 | AP3750 | AP3850 | AP3950 | MP-371 | MP-372 | MP-372-JP | MP-372A | MP-422 | MP-422A | MP-422F | MP-432 | MP-620 | MP-620A | MP-622 | MP-82 | MP-71}
                           MP access point model.
    radiotype {11a | 11b | 11g | 11na | 11ng}
                           Radio type:
                           11a: 802.11a
                           11b: 802.11b
                           11g: 802.11g
                           11na: 802.11na
                           11ng: 802.11ng
                           Note: This option applies only to single-radio models.
Defaults
The default values are the same as the defaults for the set port type ap command.
Access
Enabled.
History
Version 2.0    Command introduced.
Version 2.1    New values for model option added: mp-52, mp-262.
Version 3.0    New values for model option added: AP2750, mp-341, mp-352.
Version 3.2    New value for model option added: mp-372.
Version 4.1    New values for model option added: 2330, 2330A, AP3750, mp-372-CN, mp-372-JP, mp-620. Deprecated values for model option removed: mp-101, mp122.
Version 6.0    Changed dap to ap. Added MP-422 model and MP-71.
Version 7.0    Added MP-371, MP-422A, MP-422F, MP-432, MP-620A. Removed MP-52, MP-252, MP-372-CN, MP-341, and MP-352.
Version 7.1    Added models MP-622, MP-632, and MP-82.
Version 7.3    Added models MP-522 and MP-522E.
Examples
The following command configures MP 1 for MP model MP-372 with serial-ID 0322199999:
MX# set ap 1 serial-id 0322199999 model mp-372
success: change accepted.
The following command removes MP 1:
MX# clear ap 1
This will clear specified AP devices. Would you like to continue? (y/n) [n]y
See Also
clear ap on page 5-44
clear port type on page 5-46
set port type ap on page 5-59
set system countrycode on page 4-30
set port
Administratively disables or reenables a port.
Syntax
set port {enable | disable} port-list
    enable       Enables the specified ports.
    disable      Disables the specified ports.
    port-list    List of physical ports. MSS disables or reenables all the specified ports.
Defaults
All ports are enabled.
Access
Enabled.
History
Introduced in MSS Version 1.0.
Usage
A port that is administratively disabled cannot send or receive packets. This command does not affect the link state of the port.
Examples
The following command disables port 16:
MX# set port disable 16
success: set "disable" on port 16
The following command reenables the port:
MX# set port enable 16
success: set "enable" on port 16
See Also
reset port on page 5-51
set port-group
Configures a load-sharing port group. All ports in the group function as a single logical link.
Syntax
set port-group name group-name port-list mode {on | off}
    name group-name    Alphanumeric string of up to 255 characters, with no spaces. The port group name must start with a letter.
    port-list          List of physical ports. All the ports you specify are configured together as a single logical link.
    mode {on | off}    State of the group. Use on to enable the group or off to disable the group. The group is enabled by default.
Defaults
Once configured, a group is enabled by default.
Access
Enabled.
History
Introduced in MSS Version 1.0.
Usage
Do not use dashes or hyphens in a port group name. If you do, MSS does not display or save the port group.
You can configure up to 16 ports in a port group, in any combination of ports. The port numbers do not need to be contiguous, and you can use 10/100 Ethernet ports and gigabit Ethernet ports in the same port group.
After adding a port to a port group, you cannot configure port parameters on the individual port. Instead, change port parameters on the entire group. Specify the group name instead of an individual port name or number in port configuration commands.
To add or remove ports in a group that is already configured, change the mode to off, add or remove the ports, then change the mode to on.
Examples
The following command configures a port group named server1 containing ports 1 through 5, and enables the link:
MX# set port-group name server1 1-5 mode on
success: change accepted.
The following commands disable the link for port group server1, change the list of ports in the group, and reenable the link:
MX# set port-group name server1 1-5 mode off
success: change accepted.
MX# set port-group name server1 1-4,7 mode on
success: change accepted.
See Also
clear port-group on page 5-45
show port-group on page 5-62
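The set port-group rules above are easy to get wrong in a generated configuration: a name with a hyphen is silently dropped by MSS, and a group holds at most 16 ports. The following script is an added example written for this guide (not Trapeze or MSS code) that expands the port-list notation used throughout this chapter ("1-4,7", "3,8,16-18"), validates a proposed group against those rules, and emits the off/on command sequence the Usage section prescribes for changing an existing group's members. The limits are the ones stated in this section; everything else is the example's own design.

```python
"""Validate set port-group arguments against the rules in this section.

Added example, not code from the Trapeze documentation or from MSS itself.
"""
from __future__ import annotations

import re

MAX_GROUP_PORTS = 16       # Usage: up to 16 ports in a port group
MAX_NAME_LENGTH = 255      # name parameter: up to 255 characters, no spaces


def parse_port_list(text: str) -> list[int]:
    """Expand an MSS port-list such as "1-4,7" or "3,8,16-18" into sorted port numbers.

    Raises ValueError for empty items, non-numeric tokens or reversed ranges.
    """
    ports = set()
    for item in text.split(","):
        item = item.strip()
        m = re.fullmatch(r"(\d+)(?:-(\d+))?", item)
        if m is None:
            raise ValueError(f"bad port-list item {item!r} in {text!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if lo < 1 or hi < lo:
            raise ValueError(f"bad port range {item!r}")
        ports.update(range(lo, hi + 1))
    return sorted(ports)


def validate_port_group_name(name: str) -> list[str]:
    """Return the rule violations for a port group name (empty list means acceptable)."""
    problems = []
    if not name:
        return ["name is empty"]
    if len(name) > MAX_NAME_LENGTH:
        problems.append(f"name longer than {MAX_NAME_LENGTH} characters")
    if not name[0].isalpha():
        problems.append("name must start with a letter")
    if "-" in name:
        # Usage: MSS neither displays nor saves a group whose name contains a dash or hyphen.
        problems.append("name contains a dash or hyphen; MSS would not display or save the group")
    elif not name.isalnum():
        problems.append("name must be alphanumeric with no spaces")
    return problems


def validate_port_group(name: str, port_list: str) -> list[str]:
    """Check the name and the member list of a set port-group command."""
    problems = validate_port_group_name(name)
    try:
        ports = parse_port_list(port_list)
    except ValueError as exc:
        return problems + [str(exc)]
    if len(ports) > MAX_GROUP_PORTS:
        problems.append(f"{len(ports)} ports listed; a group holds at most {MAX_GROUP_PORTS}")
    return problems


def reconfigure_commands(name: str, old_ports: str, new_ports: str) -> list[str]:
    """CLI sequence the Usage section prescribes for changing an existing group's members:
    mode off with the current list, then mode on with the new list."""
    problems = validate_port_group(name, new_ports)
    if problems:
        raise ValueError("; ".join(problems))
    return [
        f"set port-group name {name} {old_ports} mode off",
        f"set port-group name {name} {new_ports} mode on",
    ]


if __name__ == "__main__":
    for line in reconfigure_commands("server1", "1-5", "1-4,7"):
        print(line)
```

Validating before pushing matters here because the failure mode is silent: MSS accepts the command but the group never appears in show port-group, which is easy to misread as a display problem rather than a rejected name.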
set port media-type (deprecated)
Disables the fiber interface and enables the copper interface on an MX-400 gigabit Ethernet port.
Syntax
set port media-type name port-name
    port-list    List of physical ports. MSS sets the preference on all the specified ports.
    rj45         Uses the copper interface.
Defaults
The GBIC (fiber) interface is enabled, and the copper interface is disabled, by default.
Access
Enabled.
History
Version 4.0    Command introduced.
Version 7.1    Command deprecated.
Usage
This command applies only to the MX-400.
If you set the port interface to RJ-45 on a port that already has an active fiber link, MSS immediately changes the link to the copper interface.
Examples
The following command disables the fiber interface and enables the copper interface on port 2:
MX-400# set port media-type name port-name
See Also
clear port media-type (deprecated) on page 5-45
show port media-type (deprecated) on page 5-63
set port mirror
Configures port mirroring. Port mirroring is a troubleshooting feature that copies (mirrors) traffic sent or received by an MX port (the source port) to another port (the observer) on the same MX. You can attach a protocol analyzer to the observer port to examine the source port's traffic. Both traffic directions (send and receive) are mirrored.
Syntax
set port mirror source-port observer observer-port
    source-port      Number of the port whose traffic you want to analyze. You can specify only one port.
    observer-port    Number of the port to copy the traffic from the source port.
Defaults
None.
Access
Enabled.
History
Introduced in MSS Version 4.2.
Usage
The MX can have one port mirroring pair (one source port and one observer port) at a time.
The source port can be a network port, MP access port, or wired authentication port. However, the observer port must be a network port, and cannot be a member of any VLAN or port group.
Examples
The following command sets port 2 to monitor port 1 traffic:
MX# set port mirror 1 observer 2
See Also
clear port mirror on page 5-46
show port mirror on page 5-64
set port name
Assigns a name to a port. After naming a port, you can use the port name or number in other CLI commands.
Syntax
set port port name name
    port         Number of a physical port. You can specify only one port.
    name name    Alphanumeric string of up to 16 characters, with no spaces.
Defaults
None.
Access
Enabled.
History
Introduced in MSS Version 1.0.
Usage
To simplify configuration and avoid confusion between the number of a port and its name, it is recommended that you do not use numbers as port names.
Examples
The following command sets the name of port 17 to adminpool:
MX# set port 17 name adminpool
success: change accepted.
See Also
clear port name on page 5-46
show port status on page 5-65
set port negotiation
Disables or reenables autonegotiation on gigabit Ethernet or 10/100 Ethernet ports.
Syntax
set port negotiation port-list {enable | disable}
    port-list    List of physical ports. MSS disables or reenables autonegotiation on all the specified ports.
    enable       Enables autonegotiation on the specified ports.
    disable      Disables autonegotiation on the specified ports.
Defaults
Autonegotiation is enabled on all Ethernet ports by default.
Access
Enabled.
History
Introduced in MSS Version 1.0.
Usage
The gigabit Ethernet ports operate at 1000 Mbps only. They do not change speed to match 10-Mbps or 100-Mbps links.
MX-8, MX-200, and MX-216 10/100 Ethernet ports support half-duplex and full-duplex operation. Table 5-6 lists the supported configurations.
It is recommended that you do not configure the mode of an MX port so that one side of the link is set to autonegotiation while the other side is set to full-duplex. Although MSS allows this configuration, it can cause slow throughput on the link. The slow throughput occurs because the side that is configured for autonegotiation falls back to half-duplex. A stream of large packets sent to an MX port with this configuration can cause forwarding on the link to stop.
Examples
The following command disables autonegotiation on ports 3, 8, and 16 through 18:
MX# set port negotiation 3,8,16-18 disable
The following command enables autonegotiation on port 21:
MX# set port negotiation 21 enable
set port poe
Enables or disables Power over Ethernet (PoE) on ports connected to MPs.
Warning! When you set the port type for MP use, you can enable PoE on the port. Use the MX PoE to power Trapeze Networks MP access points only. If you enable PoE on ports connected to other devices, damage can result.
Syntax
set port poe port-list {enable | disable}
    port-list    List of physical ports. MSS disables or reenables PoE on all the specified ports.
    enable       Enables PoE on the specified ports.
    disable      Disables PoE on the specified ports.
Defaults
PoE is disabled on network and wired authentication ports. The state on MP ports depends on whether you enabled or disabled PoE when setting the port type. See set port type ap on page 5-59.
Access
Enabled.
History
Introduced in MSS Version 1.0.
Usage
This command does not apply to any gigabit Ethernet ports or to ports 7 and 8 on the MX-8
switch, port 19 on the MX-216, or port 3 on the MX-200.
Examples
The following command disables PoE on ports 7 and 9, which are connected to an MP:
MX# set port poe 7,9 disable
If you are enabling power on these ports, they must be connected only to approved PoE devices
with the correct wiring. Do you wish to continue? (y/n) [n]y
The following command enables PoE on ports 7 and 9:
MX# set port poe 7,9 enable
If you are enabling power on these ports, they must be connected only to approved PoE devices
with the correct wiring. Do you wish to continue? (y/n) [n]y
See Also
set port type ap on page 5-59
set port type wired-auth on page 5-60
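The warning above is the kind of condition worth checking routinely rather than once: PoE left enabled on a port whose attached device later changed is a hardware risk, and an overcurrent reading points at a cabling fault. The following script is an added example written for this guide (not Trapeze or MSS code). It parses the show port poe output format documented later in this chapter, reports PoE enabled on ports that are not MP access ports and any port reporting overcurrent, and builds the set port poe ... disable command that clears the first condition. The rows, port names and readings are constructed for the example.

```python
"""Audit show port poe output against the set port poe warning.

Added example, not code from the Trapeze documentation or from MSS itself.
"""
from __future__ import annotations

# Constructed output in the format of the show port poe example later in this chapter.
# Port 9 is a legitimate MP port; port 10 (named "uplink") has PoE enabled but is not
# an MP port; port 12 reports overcurrent; ports 21-22 are gigabit ports (PoE unsupported).
SHOW_PORT_POE = """\
MX# show port poe
                      Link  Port    PoE       PoE
Port  Name   Status   Type  config  Draw(Watts)
===============================================================================
1     1      up       -     disabled off
9     9      up       MP    enabled  1.44
10    uplink up       -     enabled  3.10
12    12     up       MP    enabled  overcurrent
21    21     down     -     disabled invalid
22    22     down     -     disabled invalid
"""


def parse_show_port_poe(text: str) -> list[dict]:
    """Return one dict per data row; the prompt, the two header lines and the ==== rule are skipped."""
    rows = []
    for line in text.splitlines():
        cells = line.split()
        # Data rows start with the port number and have exactly six columns.
        if len(cells) != 6 or not cells[0].isdigit():
            continue
        port, name, link, ptype, config, draw = cells
        rows.append({"port": int(port), "name": name, "link": link,
                     "type": ptype, "poe": config, "draw": draw})
    return rows


def poe_findings(rows: list[dict]) -> list[str]:
    """Flag the two conditions this section and Table 5-9 describe:
    PoE enabled on a port that is not an MP access port (may damage the attached device),
    and a PoE Draw of overcurrent (PoE problem such as a short in the cable)."""
    findings = []
    for r in rows:
        if r["poe"] == "enabled" and r["type"] != "MP":
            findings.append(f"port {r['port']} ({r['name']}): PoE enabled on a non-MP port")
        if r["draw"] == "overcurrent":
            findings.append(f"port {r['port']} ({r['name']}): overcurrent, check the cabling")
    return findings


def remediation_commands(rows: list[dict]) -> list[str]:
    """One set port poe ... disable line covering every non-MP port that has PoE enabled."""
    bad = [str(r["port"]) for r in rows if r["poe"] == "enabled" and r["type"] != "MP"]
    return [f"set port poe {','.join(bad)} disable"] if bad else []


if __name__ == "__main__":
    rows = parse_show_port_poe(SHOW_PORT_POE)
    for finding in poe_findings(rows):
        print(finding)
    for cmd in remediation_commands(rows):
        print(cmd)
```

The parser keys on the data rows rather than on the two-line header, which is what makes it tolerant of the column alignment differing between MX models; the trade-off is that a port name containing whitespace would break the six-column test, which the set port name rules (no spaces) rule out.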
set port preference
Deprecated in MSS Version 4.0.
set port speed
Changes the speed of a port.
Syntax
set port speed port-list {10 | 100 | 1000 | 10000 | auto}
    port-list    List of physical ports. MSS sets the port speed on all the specified ports.
    10           Sets the port speed of a 10/100 Ethernet port to 10 Mbps and sets the operating mode to full-duplex.
    100          Sets the port speed of a 10/100 Ethernet port to 100 Mbps and sets the operating mode to full-duplex.
    1000         Sets the port speed of a gigabit Ethernet port to 1000 Mbps and sets the operating mode to full-duplex.
    10000        Sets the port speed of a gigabit Ethernet port to 10000 Mbps and sets the operating mode to full-duplex.
    auto         Enables a port to detect the speed and operating mode of the traffic on the link and set itself accordingly.
Defaults
All ports are set to auto.
Access
Enabled.
History
Version 1.0    Command introduced.
Version 7.0    Added 10000 as a port speed.
Usage
It is recommended that you do not configure the mode of an MX port so that one side of the link is set to autonegotiation while the other side is set to full-duplex. Although MSS allows this configuration, it can result in slow throughput on the link. The slow throughput occurs because the side that is configured for autonegotiation falls back to half-duplex. A stream of large packets sent to an MX port in such a configuration can cause forwarding on the link to stop.
Do not set the port speed of a gigabit port to auto. Although the CLI allows this setting, it is invalid. If you set the port speed of a gigabit port to auto, the link will stop working.
Examples
The following command sets the port speed on ports 1, 7 through 11, and 14 to 10 Mbps and sets the operating mode to full-duplex:
MX# set port speed 1,7-11,14 10
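Both the set port negotiation and the set port speed Usage sections describe the same two misconfigurations, and both are visible in show port status (documented later in this chapter): an autonegotiating port that has settled at half-duplex, and a gigabit port left at auto. The following script is an added example written for this guide, not Trapeze or MSS code. It parses show port status rows, flags those two conditions and prints the set port speed lines that force a fixed full-duplex speed on the MX side. The rows, the port names, the media string for the gigabit port and the set of gigabit port numbers are constructed assumptions for the example.

```python
"""Check show port status output for the duplex and gigabit-auto pitfalls described above.

Added example, not code from the Trapeze documentation or from MSS itself.
"""
from __future__ import annotations

# Rows in the format of the show port status example later in this chapter. The port
# names, the half-duplex port (3) and the gigabit port (21, with a constructed media
# string) are made up for this example.
SHOW_PORT_STATUS = """\
MX# show port status
Port Name     Admin Oper Config Actual   Type    Media
===============================================================================
1    1        up    up   auto   100/full network 10/100BaseTx
2    2        up    down auto            network 10/100BaseTx
3    labsw    up    up   auto   100/half network 10/100BaseTx
4    4        up    up   100    100/full network 10/100BaseTx
21   21       up    down auto            network 1000BaseSX
"""

COLUMNS = ("port", "name", "admin", "oper", "config", "actual", "type", "media")


def parse_show_port_status(text: str) -> list[dict]:
    """Return one dict per port row; the Actual column is empty when the link is down."""
    rows = []
    for line in text.splitlines():
        cells = line.split()
        if not cells or not cells[0].isdigit():
            continue                      # prompt, header or ==== rule
        if len(cells) == 7:               # no Actual value: insert an empty one
            cells.insert(5, "")
        if len(cells) != 8:
            raise ValueError(f"unexpected row {line!r}")
        row = dict(zip(COLUMNS, cells))
        row["port"] = int(row["port"])
        rows.append(row)
    return rows


def status_findings(rows: list[dict], gigabit_ports: set[int]) -> list[str]:
    """Flag the two conditions the Usage sections warn about."""
    findings = []
    for r in rows:
        if r["port"] in gigabit_ports and r["config"] == "auto":
            # set port speed Usage: auto is invalid on a gigabit port; the link stops working.
            findings.append(f"port {r['port']} ({r['name']}): gigabit port set to auto, link will not work")
        if r["config"] == "auto" and r["actual"].endswith("/half"):
            # set port negotiation Usage: the autonegotiating side falls back to half-duplex
            # when the other side is forced to full-duplex, giving slow or stalled forwarding.
            findings.append(f"port {r['port']} ({r['name']}): autonegotiated to half-duplex, "
                            "peer is probably forced to full-duplex")
    return findings


def remediation_commands(rows: list[dict], gigabit_ports: set[int]) -> list[str]:
    """set port speed lines that force a fixed full-duplex speed on each flagged port.

    Forcing the MX side is one of the two consistent configurations; returning the peer
    to autonegotiation is the other and is often preferable on the access side.
    """
    cmds = []
    for r in rows:
        if r["port"] in gigabit_ports and r["config"] == "auto":
            cmds.append(f"set port speed {r['port']} 1000")
        elif r["config"] == "auto" and r["actual"].endswith("/half"):
            cmds.append(f"set port speed {r['port']} {r['actual'].split('/')[0]}")
    return cmds


if __name__ == "__main__":
    GIGABIT_PORTS = {21, 22}          # assumption: the two gigabit ports of a 22-port MX
    rows = parse_show_port_status(SHOW_PORT_STATUS)
    for finding in status_findings(rows, GIGABIT_PORTS):
        print(finding)
    for cmd in remediation_commands(rows, GIGABIT_PORTS):
        print(cmd)
```

A port reporting 100/half with Config auto is not proof of a forced peer (a genuinely half-duplex device gives the same reading), so confirm on the peer before forcing the MX side; the speed value in the generated command is taken from the Actual column so that it matches what the link already negotiated.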
set port trap
Enables or disables Simple Network Management Protocol (SNMP) linkup and linkdown traps on an individual port.
Syntax
set port trap port-list {enable | disable}
    port-list    List of physical ports.
    enable       Enables SNMP linkup and linkdown traps on the specified ports.
    disable      Disables SNMP linkup and linkdown traps on the specified ports.
Defaults
SNMP linkup and linkdown traps are disabled by default.
Access
Enabled.
History
Introduced in MSS Version 1.1.
Usage
The set port trap command overrides the global setting of the set snmp trap command. The set port trap command does not affect the global trap information displayed by the show snmp configuration command. For example, if you globally enable linkup and linkdown traps but then disable the traps on a single port, the show snmp configuration command still indicates that the traps are globally enabled.
Examples
The following command enables SNMP linkup and linkdown traps on ports 17 and 18:
MX# set port trap 17-18 enable
See Also
set ip snmp server on page 8-111
set snmp community on page 8-116
set snmp trap on page 8-125
set snmp trap receiver on page 8-125
show snmp configuration on page 8-141
set port type ap
Command deprecated in MSS Version 6.0. Use the command set ap instead.
set port type wired-auth
Configures an MX port for a wired authentication user.
Syntax
set port type wired-auth port-list [auth-fall-thru {last-resort | none | web-portal-form}] [idle-timeout timeout] [tag tag-list] [max-sessions num]
    port-list          List of physical ports.
    last-resort        Automatically authenticates the user, without requiring a username and password.
    none               Denies authentication and prohibits the user from accessing the network over this port.
    web-portal-form    Serves the user a web page from the MX nonvolatile storage for secure login to the network.
    timeout            Sets the idle-timeout for a client. Default value is 300 seconds.
    tag-list           One or more numbers between 1 and 4094 that subdivide a wired authentication port into virtual ports.
    num                Maximum number of simultaneous user sessions supported.
Defaults
The default tag-list is null (no tag values). The default number of sessions is 1. The default fallthru authentication type is none. The default idle-timeout is 300 seconds.
Access
Enabled.
History
Version 1.0    Command introduced.
Version 2.0    Maximum number of sessions increased from 16. You can specify as many as you need. (There is no specific maximum.)
Version 3.0    Options added to change the fallthru authentication type. This is the authentication type that MSS uses if the user does not support 802.1X and is not authenticated by MAC authentication.
Version 4.0    Option for WebAAA fallthru authentication type changed from web-auth to web-portal.
Version 7.1    Option web-portal changed to web-portal-form.
Usage
You cannot set a port type if the port is a member of a port VLAN. To remove a port from a VLAN, use the clear vlan command. To reset a port as a network port, use the clear port type command.
When you change port type, MSS applies default settings appropriate for the port type. Table 5-6 lists the default settings that MSS applies when you set a port type to ap.
Note: Before changing the port type from ap to wired-auth or from wired-auth to ap, you must reset the port with the clear port type command.
For 802.1X clients, wired authentication works only if the clients are directly attached to the wired authentication port, or are attached through a hub that does not block forwarding of packets from the client to the PAE group address (01:80:c2:00:00:03). Wired authentication works in accordance with the 802.1X specification, which prohibits a client from sending traffic directly to an authenticator MAC address until the client is authenticated. Instead of sending traffic to the authenticator MAC address, the client sends packets to the PAE group address. The 802.1X specification prohibits networking devices from forwarding PAE group address packets, because this would make it possible for multiple authenticators to acquire the same client.
For non-802.1X clients, who use MAC authentication, WebAAA, or last-resort authentication, wired authentication works if the clients are directly attached or indirectly attached.
Table 5-6. Wired Authentication Port Defaults
Port Parameter                  Setting
VLAN membership                 Removed from all VLANs. You cannot assign an MP access port to a VLAN. MSS automatically assigns MP access ports to VLANs based on user traffic.
Spanning Tree Protocol (STP)    Not applicable.
802.1X                          Uses authentication parameters configured for users.
Port groups                     Not applicable.
IGMP snooping                   Enabled as users are authenticated and join VLANs.
Maximum user sessions           1 (one).
Fallthru authentication type    None.
Examples
The following command sets port 10 for a wired authentication user:
MX# set port type wired-auth 10
success: change accepted
The following command sets port 7 for a wired authentication user and specifies a maximum of three simultaneous user sessions:
MX# set port type wired-auth 7 max-sessions 3
success: change accepted
See Also
clear port type on page 5-46
set port type ap on page 5-59
show port counters
Displays port statistics.
Syntax
show port counters [octets | packets | receive-errors | transmit-errors | collisions | receive-etherstats | transmit-etherstats] [port port-list]
    octets                 Displays octet statistics.
    packets                Displays packet statistics.
    receive-errors         Displays errors in received packets.
    transmit-errors        Displays errors in transmitted packets.
    collisions             Displays collision statistics.
    receive-etherstats     Displays Ethernet statistics for received packets.
    transmit-etherstats    Displays Ethernet statistics for transmitted packets.
    port port-list         List of physical ports. If you do not specify a port list, MSS displays statistics for all ports.
Defaults
None.
Access
All.
History
Introduced in MSS Version 1.0.
Usage
You can specify one statistic type with the command.
Examples
The following command shows octet statistics for port 3:
MX> show port counters octets port 3
Port Status Rx Octets Tx Octets
=============================================================================
3 Up 27965420 34886544
This command's output has the same fields as the monitor port counters command. For descriptions of the fields, see Table 5-5 on page 50.
See Also
clear port counters on page 5-44
monitor port counters on page 5-47
show port-group
Displays port group information.
Syntax
show port-group [name group-name]
    name group-name    Displays information for the specified port group.
Defaults
None.
Access
All.
History
Version 1.0    Command introduced.
Version 4.2    Option all removed for simplicity. You can display information for all groups by entering the command without specifying a group name.
Examples
The following command displays the configuration of port group server2:
MX# show port-group name server2
Port group: server2 is up
Ports: 15, 17
Table 5-7 describes the fields in the show port-group output.
Table 5-7. Output for show port-group
Field         Description
Port group    Name and state (enabled or disabled) of the port group.
Ports         Ports contained in the port group.
See Also
clear port-group on page 5-45
set port-group on page 5-54
show port media-type (deprecated)
Displays the enabled interface types on MX-400 gigabit Ethernet ports.
Syntax
show port media-type [port-list]
    port-list    List of physical ports. MSS displays the enabled interface types for all specified ports.
Defaults
None.
Access
All.
History
Version 4.0    Command introduced.
Version 7.1    Command deprecated.
Usage
This command applies only to the MX-400.
Examples
The following command displays the enabled interface types on all four ports of an MX-400:
MX-400# show port media-type
Port Media Type
===========================================================
1 GBIC
2 RJ45
3 GBIC
4 GBIC
Table 5-8 describes the fields in this display.
Table 5-8. Output for show port media-type
Field         Description
Port          Port number.
Preference    Preference setting:
              GBIC: The GBIC (fiber) interface is enabled.
              RJ45: The RJ-45 (copper) interface is enabled.
See Also
clear port media-type (deprecated) on page 5-45
set port media-type (deprecated) on page 5-55
show port mirror
Displays the port mirroring configuration.
Syntax
show port mirror
Defaults
None.
Access
Enabled.
History
Introduced in MSS Version 4.2.
Examples
The following command displays the port mirroring configuration on the MX:
MX# show port mirror
Port 1 is mirrored to port 2
If port mirroring is not configured, the message in the following example is displayed instead:
MX# show port mirror
No ports are mirrored
See Also
clear port mirror on page 5-46
set port mirror on page 5-55
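A mirror pair is a complete copy of one port's traffic delivered to another port, so the show port mirror output belongs in any periodic configuration audit: the question is not only whether the pair satisfies the set port mirror rules (observer is a network port, in no VLAN and no port group) but whether the observer is a port where an analyzer is supposed to be. The following script is an added example written for this guide, not Trapeze or MSS code. It parses both messages that show port mirror can print and checks the pair against a per-port inventory; the inventory, the approved observer set and the port states are constructed for the example (in practice they would come from show port status, show vlan and show port-group).

```python
"""Audit the port mirroring pair reported by "show port mirror".

Added example, not code from the Trapeze documentation or from MSS itself.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Both messages are quoted from the show port mirror examples on this page.
MIRROR_RE = re.compile(r"^Port (\d+) is mirrored to port (\d+)$")
NONE_MSG = "No ports are mirrored"


@dataclass
class PortInfo:
    """Per-port state the audit needs; values here are constructed for the example."""
    number: int
    port_type: str                       # "network", "ap" or "wired-auth"
    vlans: tuple[str, ...] = ()
    port_group: Optional[str] = None


def parse_show_port_mirror(text: str) -> Optional[tuple[int, int]]:
    """Return (source_port, observer_port), or None when the MX reports no mirroring."""
    for line in text.splitlines():
        line = line.strip()
        if line == NONE_MSG:
            return None
        m = MIRROR_RE.match(line)
        if m:
            return int(m.group(1)), int(m.group(2))
    raise ValueError("unrecognised show port mirror output")


def mirror_problems(pair: Optional[tuple[int, int]], ports: dict[int, PortInfo],
                    approved_observers: set[int]) -> list[str]:
    """Check a mirror pair against the Usage rules and the site's approved analyzer ports.

    Rules from the set port mirror Usage section: the observer must be a network port
    and must not belong to any VLAN or port group. The approved-observer check is this
    example's own addition: a mirror whose observer is not a known analyzer port is a
    copy of traffic going somewhere unexpected and should be investigated.
    """
    if pair is None:
        return []
    _source, observer = pair
    problems = []
    info = ports.get(observer)
    if info is None:
        problems.append(f"observer port {observer} is not in the port inventory")
    else:
        if info.port_type != "network":
            problems.append(f"observer port {observer} is type {info.port_type}; must be a network port")
        if info.vlans:
            problems.append(f"observer port {observer} is a member of VLAN(s) {', '.join(info.vlans)}")
        if info.port_group:
            problems.append(f"observer port {observer} is a member of port group {info.port_group}")
    if observer not in approved_observers:
        problems.append(f"observer port {observer} is not an approved analyzer port")
    return problems


# Constructed inventory for a small MX: port 2 is the sanctioned analyzer port.
PORTS = {
    1: PortInfo(1, "network", vlans=("default",)),
    2: PortInfo(2, "network"),                 # no VLAN, no port group
    3: PortInfo(3, "network", vlans=("default",)),
    4: PortInfo(4, "ap"),
}
APPROVED_OBSERVERS = {2}


def audit(show_output: str) -> list[str]:
    """Run the checks against the constructed inventory above."""
    return mirror_problems(parse_show_port_mirror(show_output), PORTS, APPROVED_OBSERVERS)


if __name__ == "__main__":
    for problem in audit("MX# show port mirror\nPort 4 is mirrored to port 3\n"):
        print(problem)
```

Because the MX supports exactly one mirror pair at a time, the audit reduces to a single expected value per switch, which makes it a good candidate for a configuration-drift check: store the sanctioned pair (or "No ports are mirrored") and alert on any difference.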
show port poe
Displays status information for ports with Power over Ethernet (PoE) enabled.
Syntax
show port poe [port-list]
    port-list    List of physical ports. If you do not specify a port list, PoE information is displayed for all ports.
Defaults
None.
Access
All.
History
Introduced in MSS Version 1.0.
Examples
The following command displays PoE information for all ports on a 22-port MX:
MX# show port poe
Link Port PoE PoE
Port Name Status Type config Draw(Watts)
===============================================================================
1 1 up - disabled off
2 2 down - disabled off
3 3 down - disabled off
4 4 down - disabled off
5 5 down - disabled off
6 6 down - disabled off
7 7 down - disabled off
8 8 down - disabled off
9 9 up MP enabled 1.44
10 10 up - disabled off
11 11 down - disabled off
12 12 down - disabled off
13 13 down - disabled off
14 14 down - disabled off
15 15 down - disabled off
16 16 down - disabled off
17 17 down - disabled off
18 18 down - disabled off
19 19 down - disabled off
20 20 down - disabled off
21 21 down - disabled invalid
22 22 down - disabled invalid
Table 5-9 describes the fields in this display.
Table 5-9. Output for show port poe
Field          Description
Port           Port number.
Name           Port name. If the port does not have a name, the port number is listed.
Link status    Link status of the port: up (the port is connected) or down (the port is not connected).
Port type      Port type: MP (the port is an MP access port) or - (the port is not an MP access port).
PoE config     PoE state: enabled or disabled.
PoE Draw       Power draw on the port, in watts. For 10/100 Ethernet ports on which PoE is disabled, this field displays off. For gigabit Ethernet ports, this field displays invalid, because PoE is not supported on gigabit Ethernet ports. The value overcurrent indicates a PoE problem such as a short in the cable.
See Also
set port poe on page 5-57
show port preference
Deprecated in MSS Version 4.0.
show port status
Displays configuration and status information for ports.
Syntax
show port status [port-list]
    port-list    List of physical ports. If you do not specify a port list, information is displayed for all ports.
Defaults
None.
Access
All.
History
Introduced in MSS Version 1.0.
Examples
The following command displays information for all ports on a 22-port MX switch:
MX# show port status
Port  Name  Admin  Oper  Config  Actual    Type     Media
===============================================================================
1     1     up     up    auto    100/full  network  10/100BaseTx
2     2     up     down  auto              network  10/100BaseTx
3     3     up     down  auto              network  10/100BaseTx
4     4     up     down  auto              network  10/100BaseTx
5     5     up     down  auto              network  10/100BaseTx
6     6     up     down  auto              network  10/100BaseTx
7     7     up     down  auto              network  10/100BaseTx
8     8     up     down  auto              network  10/100BaseTx
9     9     up     up    auto    100/full  ap       10/100BaseTx
10    10    up     up    auto    100/full  network  10/100BaseTx
11    11    up     down  auto              network  10/100BaseTx
12    12    up     down  auto              network  10/100BaseTx
13    13    up     down  auto              network  10/100BaseTx
14    14    up     down  auto              network  10/100BaseTx
15    15    up     down  auto              network  10/100BaseTx
16    16    up     down  auto              network  10/100BaseTx
17    17    up     down  auto              network  10/100BaseTx
18    18    up     down  auto              network  10/100BaseTx
19    19    up     down  auto              network  10/100BaseTx
20    20    up     down  auto              network  10/100BaseTx
21    21    up     down  auto              network  no connector
22    22    up     down  auto              network  no connector
Table 5–10 describes the fields in this display.

Table 5–10. Output for show port status
Field   Description
Port    Port number.
Name    Port name. If the port does not have a name, the port number is listed.
Admin   Administrative status of the port:
        up—The port is enabled.
        down—The port is disabled.
Oper    Operational status of the port:
        up—The port is operational.
        down—The port is not operational.
Config  Port speed configured on the port:
        10—10 Mbps.
        100—100 Mbps.
        1000—1000 Mbps.
        auto—The port sets its own speed.
Actual  Speed and operating mode in effect on the port.
Type    Port type:
        ap—MP port
        network—Network port
        wa—Wired authentication port
Media   Link type:
        10/100BaseTX—10/100BASE-T.
        GBIC—1000BASE-SX or 1000BASE-LX GBIC.
        1000BaseT—1000BASE-T.
        No connector—GBIC slot is empty.
See Also
clear port type on page 5-46
set port on page 5-54
set port name on page 5-56
set port negotiation on page 5-57
set port speed on page 5-58
set port type ap on page 5-59
set port type wired-auth on page 5-60
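An added example (not part of the Trapeze reference): the following Python script parses the show port status and show port poe output shown above and reports two things an administrator auditing an MX would want to know, namely ports that are administratively up but have no link (unused ports that could be disabled) and ports that have PoE enabled but are not of type ap. It assumes the whitespace-separated column layout of the examples above and that port names contain no spaces; the sample output is constructed (abridged from the layout above, with port 10's PoE row changed to enabled so that the check has something to find).

```python
"""Audit MSS 'show port status' and 'show port poe' output. Added example,
not part of the MSS reference; assumes the column layout shown in the
reference and that port names contain no spaces."""
import re

# Constructed sample output, abridged from the layout shown in this reference.
PORT_STATUS_SAMPLE = """\
Port Name Admin Oper Config Actual Type Media
===============================================================================
1 1 up up auto 100/full network 10/100BaseTx
2 2 up down auto network 10/100BaseTx
9 9 up up auto 100/full ap 10/100BaseTx
10 10 up up auto 100/full network 10/100BaseTx
21 21 up down auto network no connector
"""

# Constructed: port 10 differs from the reference (PoE enabled on a network port).
PORT_POE_SAMPLE = """\
Link Port PoE PoE
Port Name Status Type config Draw(Watts)
===============================================================================
1 1 up - disabled off
2 2 down - disabled off
9 9 up MP enabled 1.44
10 10 up - enabled 3.10
21 21 down - disabled invalid
"""


def _data_rows(text):
    """Yield whitespace-split rows that start with a port number, skipping
    the column headers and the ==== separator line."""
    for line in text.splitlines():
        tokens = line.split()
        if tokens and re.fullmatch(r"\d+", tokens[0]):
            yield tokens


def parse_port_status(text):
    """Return {port: {...}} from 'show port status'. The Actual column is
    blank on ports without a link and Media can be the two words
    'no connector', so the trailing columns are taken from the right end."""
    ports = {}
    for tokens in _data_rows(text):
        port, name, admin, oper, config = tokens[:5]
        rest = tokens[5:]
        if rest[-2:] == ["no", "connector"]:
            media, rest = "no connector", rest[:-2]
        else:
            media, rest = rest[-1], rest[:-1]
        port_type = rest[-1]
        actual = rest[0] if len(rest) == 2 else None
        ports[int(port)] = {"name": name, "admin": admin, "oper": oper,
                            "config": config, "actual": actual,
                            "type": port_type, "media": media}
    return ports


def parse_port_poe(text):
    """Return {port: {...}} from 'show port poe' (six fixed columns)."""
    ports = {}
    for tokens in _data_rows(text):
        port, name, link, port_type, config, draw = tokens[:6]
        ports[int(port)] = {"name": name, "link": link, "type": port_type,
                            "poe": config, "draw": draw}
    return ports


def audit_ports(status, poe):
    """Return a sorted list of (port, finding) pairs."""
    findings = []
    for port, st in sorted(status.items()):
        if st["admin"] == "up" and st["oper"] == "down":
            findings.append((port, "enabled but no link: candidate for disabling"))
        p = poe.get(port)
        if p and p["poe"] == "enabled" and st["type"] != "ap":
            findings.append((port, "PoE enabled on a non-AP port"))
        if p and p["draw"] == "overcurrent":
            findings.append((port, "PoE overcurrent: check cabling"))
    return findings


if __name__ == "__main__":
    for port, finding in audit_ports(parse_port_status(PORT_STATUS_SAMPLE),
                                     parse_port_poe(PORT_POE_SAMPLE)):
        print(f"port {port}: {finding}")
```

Feed the script the captured output of both commands (one file each, or paste the text) and compare the findings against the site's port inventory; a port that is enabled but never links, or that draws PoE without an MP behind it, is worth a second look.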
6
VLAN Commands
Use virtual LAN (VLAN) commands to configure and manage parameters for individual port
VLANs on network ports, and to display information about clients roaming within a mobility
domain. This chapter presents VLAN commands alphabetically. Use the following table to locate
commands in this chapter based on use.

Creation                set vlan name on page 6-73
Ports                   set vlan port on page 6-74
                        clear vlan on page 6-70
                        show vlan config on page 6-81
Roaming and Tunnels     show roaming station on page 6-78
                        show roaming vlan on page 6-79
                        show tunnel on page 6-81
Restriction of Client   set security l2-restrict on page 6-72
Layer 2 Forwarding      show security l2-restrict on page 6-80
                        clear security l2-restrict on page 6-68
                        clear security l2-restrict counters on page 6-69
Tunnel Affinity         set vlan tunnel-affinity on page 6-75
FDB Entries             set fdb on page 6-71
                        show fdb on page 6-76
                        show fdb count on page 6-78
                        clear fdb on page 6-67
FDB Aging Timeout       set fdb agingtime on page 6-72
                        show fdb agingtime on page 6-77
VLAN Profiles for MP    set vlan-profile on page 6-75
local switching         show vlan-profile on page 6-83
                        clear vlan-profile on page 6-71

clear fdb
Deletes an entry from the forwarding database (FDB).
Syntax
clear fdb {address-mode static | permanent | system} [mac-addr] [dynamic | port port-list]
[vlan vlan-id] [tag tag-value]
address-mode perm  Clears permanent entries. A permanent entry does not age out and remains in
                   the database even after a reboot, reset, or power cycle. You must specify a
                   VLAN name or number with this option.
static             Clears static entries. A static entry does not age out, but is removed from the
                   database after a reboot, reset, or power cycle. You must specify a VLAN name or
                   number with this option.
system             Clears system entries from the FDB. You must specify a VLAN name or number with
                   this option.
dynamic            Clears dynamic entries. A dynamic entry is automatically removed through aging
                   or after a reboot, reset, or power cycle. You are not required to specify a
                   VLAN name or number with this option.
mac-addr           Clears MAC addresses from the FDB. You must specify a MAC address in the format
                   a:b:c:d:e:f or a-b-c-d-e-f.
port port-list     Clears dynamic entries that match destination ports in the port list. You are
                   not required to specify a VLAN name or number with this option.
vlan vlan-id       VLAN name or number—required for removing permanent and static entries. For
                   dynamic entries, specifying a VLAN removes entries that match only that VLAN.
                   Otherwise, dynamic entries that match all VLANs are removed.
tag tag-value      VLAN tag value that identifies a virtual port. If you do not specify a tag
                   value, MSS deletes only entries that match untagged interfaces. Specifying a
                   tag value deletes entries that match only the specified tagged interface.
Defaults
None.
Access
Enabled.
History
MSS Version 1.0  Command introduced.
MSS Version 7.0  Added address-mode and MAC address option.
Usage
You can delete forwarding database entries based on entry type, port, or VLAN. A VLAN
name or number is required for deleting permanent or static entries.
Examples
The following command clears all static forwarding database entries that match VLAN
blue:
MX# clear fdb static vlan blue
success: change accepted.
The following command clears all dynamic forwarding database entries that match all VLANs:
MX# clear fdb dynamic
success: change accepted.
The following command clears all dynamic forwarding database entries that match ports 3 and 5:
MX# clear fdb port 3,5
success: change accepted.
See Also
set fdb on page 6-71
show fdb on page 6-76

clear security l2-restrict
Removes one or more MAC addresses from the list of destination MAC addresses to which clients
in a VLAN are allowed to send traffic at Layer 2.
Syntax
clear security l2-restrict vlan vlan-id
[permit-mac mac-addr [mac-addr] | all]
vlan-id                         VLAN name or number.
permit-mac mac-addr [mac-addr]  List of MAC addresses. MSS no longer allows clients in the VLAN to
                                send traffic to the MAC addresses at Layer 2.
all                             Removes all MAC addresses from the list.
Defaults
If you do not specify a list of MAC addresses or all, all addresses are removed.
Access
Enabled.
History
Introduced in MSS Version 4.1.
Usage
If you clear all MAC addresses, Layer 2 forwarding is no longer restricted in the VLAN.
Clients within the VLAN can communicate directly.
There can be a slight delay before functions such as pinging between clients become available
again after Layer 2 restrictions are lifted. Even though packets are passed immediately once
Layer 2 restrictions are gone, it can take 10 seconds or more for upper-layer protocols to update
their ARP caches and regain their functionality.
To clear the statistics counters without removing any MAC addresses, use the clear security
l2-restrict counters command instead.
Examples
The following command removes MAC address aa:bb:cc:dd:ee:ff from the list of
addresses to which clients in VLAN abc_air are allowed to send traffic at Layer 2:
MX# clear security l2-restrict vlan abc_air permit-mac aa:bb:cc:dd:ee:ff
success: change accepted.
See Also
clear security l2-restrict counters on page 6-69
set security l2-restrict on page 6-72
show security l2-restrict on page 6-80

clear security l2-restrict counters
Clears statistics counters for Layer 2 forwarding restriction.
Syntax
clear security l2-restrict counters [vlan vlan-id | all]
vlan-id  VLAN name or number.
all      Clears Layer 2 forwarding restriction counters for all VLANs.
Defaults
If you do not specify a VLAN or all, counters for all VLANs are cleared.
Access
Enabled.
History
Introduced in MSS Version 4.1.
Usage
To clear MAC addresses from the list of addresses to which clients are allowed to send data,
use the clear security l2-restrict command instead.
Examples
The following command clears Layer 2 forwarding restriction statistics for VLAN
abc_air:
MX# clear security l2-restrict counters vlan abc_air
success: change accepted.
See Also
clear security l2-restrict on page 6-68
set security l2-restrict on page 6-72
show security l2-restrict on page 6-80
clear vlan
Removes physical or virtual ports from a VLAN or removes a VLAN entirely.
Syntax
clear vlan vlan-id [port port-list [tag tag-value]]
vlan-id         VLAN name or number.
port port-list  List of physical ports. MSS removes the specified ports from the VLAN. If you do
                not specify a list of ports, MSS removes the VLAN entirely.
tag tag-value   Tag number that identifies a virtual port. MSS removes only the specified virtual
                port from the specified physical ports.
Defaults
None.
Access
Enabled.
History
Introduced in MSS Version 1.0.
Usage
If you do not specify a port-list, the entire VLAN is removed from the configuration.
Warning! When you remove a VLAN, MSS completely removes the VLAN from the
configuration and also removes all configuration information for that VLAN. If you
want to remove only a specific port from the VLAN, make sure you specify the port
number in the command.
Note: You cannot delete the default VLAN but you can remove ports from it. To remove
ports from the default VLAN, use the port port-list option.
Examples
The following command removes port 1 from VLAN green:
MX# clear vlan green port 1
This may disrupt user connectivity. Do you wish to continue? (y/n) [n]y
success: change accepted.
The following command removes port 4, which uses tag value 69, from VLAN red:
MX# clear vlan red port 4 tag 69
This may disrupt user connectivity. Do you wish to continue? (y/n) [n]y
success: change accepted.
The following command completely removes VLAN marigold:
MX# clear vlan marigold
This may disrupt user connectivity. Do you wish to continue? (y/n) [n]y
success: change accepted.
See Also
set vlan port on page 6-74
show vlan config on page 6-81
clear vlan-profile
Removes a VLAN profile or individual entries from a VLAN profile.
Syntax
clear vlan-profile profile-name [vlan vlan-name]
profile-name  VLAN profile name.
vlan-name     Name of a VLAN to remove from the VLAN profile.
Defaults
None.
Access
Enabled.
History
Introduced in MSS Version 6.0.
Usage
A VLAN profile lists the VLANs whose traffic is locally switched by the MPs where the VLAN
profile is applied. Use this command to remove individual VLANs from a VLAN profile, or to
remove an entire VLAN profile. If you remove all of the entries from a VLAN profile, the VLAN
profile is removed.
If a VLAN profile is changed so that traffic that had been tunneled to an MX is now locally
switched by MPs, or vice-versa, the sessions of clients associated with the MPs where the VLAN
profile is applied are terminated, and the clients must re-associate with the MPs.
Examples
The following command removes the entry for VLAN red from VLAN profile locals:
MX# clear vlan-profile locals vlan red
MX#
The following command removes VLAN profile locals:
MX# clear vlan-profile locals
MX#
See Also
set ap local-switching vlan-profile on page 12-245
set vlan-profile on page 6-75
show vlan-profile on page 6-83

set fdb
Adds a permanent or static entry to the forwarding database.
Syntax
set fdb {perm | static} mac-addr port port-list
vlan vlan-id [tag tag-value]
perm            Adds a permanent entry. A permanent entry does not age out and remains in the
                database even after a reboot, reset, or power cycle.
static          Adds a static entry. A static entry does not age out, but is removed from the
                database after a reboot, reset, or power cycle.
mac-addr        Destination MAC address of the entry. Use colons to separate the octets (for
                example, 00:11:22:aa:bb:cc).
port port-list  List of physical destination ports for which to add the entry. A separate entry
                is added for each port you specify.
vlan vlan-id    Name or number of a VLAN of which the port is a member. The entry is added only
                for the specified VLAN.
tag tag-value   VLAN tag value that identifies a virtual port. You can specify a number from 1
                through 4093. If you do not specify a tag value, an entry is created for an
                untagged interface only. If you specify a tag value, an entry is created only for
                the specified tagged interface.
Defaults
None.
Access
Enabled.
History
Introduced in MSS Version 1.0.
Usage
You cannot add a multicast or broadcast address as a permanent or static FDB entry.
Examples
The following command adds a permanent entry for MAC address 00:11:22:aa:bb:cc on
ports 3 and 5 in VLAN blue:
MX# set fdb perm 00:11:22:aa:bb:cc port 3,5 vlan blue
success: change accepted.
The following command adds a static entry for MAC address 00:2b:3c:4d:5e:6f on port 1 in the
default VLAN:
MX# set fdb static 00:2b:3c:4d:5e:6f port 1 vlan default
success: change accepted.
See Also
clear fdb on page 6-67
show fdb on page 6-76

set fdb agingtime
Changes the aging timeout period for dynamic entries in the forwarding database.
Syntax
set fdb agingtime vlan-id age seconds
vlan-id      VLAN name or number. The timeout period change applies only to entries that
             match the specified VLAN.
age seconds  Value for the timeout period, in seconds. You can specify a value from 0 through
             1,000,000. If you change the timeout period to 0, aging is disabled.
Defaults
The aging timeout period is 300 seconds (5 minutes).
Access
Enabled.
History
Introduced in MSS Version 1.0.
Examples
The following command changes the aging timeout period to 600 seconds for entries
that match VLAN orange:
MX# set fdb agingtime orange age 600
success: change accepted.
See Also
show fdb agingtime on page 6-77

set security l2-restrict
Restricts Layer 2 forwarding between clients in the same VLAN. When you restrict Layer 2
forwarding in a VLAN, MSS allows Layer 2 forwarding only between a client and a set of MAC
addresses, generally the VLAN default routers. Clients within the VLAN are not permitted to
communicate directly with each other. To communicate with another client, the client must use
one of the specified default routers.
Syntax
set security l2-restrict vlan vlan-id
[mode {enable | disable}] [permit-mac mac-addr [mac-addr]]
vlan-id                         VLAN name or number.
mode {enable | disable}         Enables or disables restriction of Layer 2 forwarding.
permit-mac mac-addr [mac-addr]  MAC addresses to which clients are allowed to forward data at
                                Layer 2. You can specify up to four addresses.
Defaults
Layer 2 restriction is disabled by default.
Access
Enabled.
History
Introduced in MSS Version 4.1.
Usage
You can specify multiple addresses by listing them on the same command line or by
entering multiple commands. To change a MAC address, use the clear security l2-restrict
command to remove it, and then use the set security l2-restrict command to add the correct
address.
Restriction of client traffic does not begin until you enable the permitted MAC list. Use the mode
enable option with this command.
Examples
The following command restricts Layer 2 forwarding of client data in VLAN abc_air to
the default routers with MAC address aa:bb:cc:dd:ee:ff and 11:22:33:44:55:66:
MX# set security l2-restrict vlan abc_air mode enable permit-mac aa:bb:cc:dd:ee:ff
11:22:33:44:55:66
success: change accepted.
See Also
clear security l2-restrict on page 6-68
clear security l2-restrict counters on page 6-69
show security l2-restrict on page 6-80

set vlan name
Creates a VLAN and assigns a number and name to it.
Syntax
set vlan vlan-num name name
vlan-num  VLAN number. You can specify a number from 2 through 4093.
name      String up to 16 alphabetic characters long.
Defaults
VLAN 1 is named default by default. No other VLANs have default names.
Access
Enabled.
History
Introduced in MSS Version 1.0.
Usage
You must assign a name to a VLAN (other than the default VLAN) before you can add
ports to the VLAN.
It is recommended that you do not use the name default. This name is already used for VLAN 1. It
is also recommended that you do not rename the default VLAN.
You cannot use a number as the first character in the VLAN name. It is recommended that you do
not use the same name with different capitalizations for VLANs. For example, do not configure
two separate VLANs with the names red and RED.
VLAN names are case-sensitive for RADIUS authorization when a client roams to an MX. If the
switch is not configured with the VLAN of the client, but is configured with a VLAN with the same
spelling but different capitalization, authorization for the client fails. For example, if the client is
on VLAN red but the MX to which the client roams has VLAN RED instead, RADIUS
authorization fails.
Examples
The following command assigns the name marigold to VLAN 3:
MX# set vlan 3 name marigold
success: change accepted.
See Also
set vlan port on page 6-74
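The naming rules and the case-sensitivity pitfall above lend themselves to a pre-change check. The following Python script is an added example, not part of the Trapeze reference: it validates a proposed VLAN name against the hard rules stated for set vlan name (length, no leading digit, not the reserved name default) and, given the VLAN names configured on each MX of a mobility domain, finds names that exist with different capitalization on different switches, which is exactly the situation in which RADIUS authorization fails for a roaming client. The per-MX inventory is constructed; in practice it would be collected from show vlan config on each switch.

```python
"""VLAN name checks for MSS 'set vlan name'. Added example, not part of the
MSS reference; the per-MX VLAN inventory below is constructed."""
from collections import defaultdict

MAX_NAME_LEN = 16             # "String up to 16 alphabetic characters long"
RESERVED_NAMES = {"default"}  # name of VLAN 1; the reference advises against reusing it

# Constructed inventory: VLAN names as configured on each MX in the domain.
MX_VLANS = {
    "mx-a": ["default", "red", "blue", "abc_air"],
    "mx-b": ["default", "RED", "blue"],
    "mx-c": ["default", "blue", "abc_air"],
}


def vlan_name_problems(name):
    """Return the rule violations for one proposed VLAN name (empty list if
    it is acceptable). Page examples such as abc_air and vlan-eng contain
    '_' and '-', so only the hard rules stated on the page are enforced."""
    problems = []
    if not name or len(name) > MAX_NAME_LEN:
        problems.append(f"must be 1 to {MAX_NAME_LEN} characters long")
    if name[:1].isdigit():
        problems.append("must not start with a number")
    if name in RESERVED_NAMES:
        problems.append("is reserved for VLAN 1")
    return problems


def case_collisions(vlans_by_mx):
    """Return {lowercased name: {variant: [mx, ...]}} for every name that
    appears with more than one capitalization anywhere in the domain."""
    seen = defaultdict(lambda: defaultdict(set))
    for mx, names in vlans_by_mx.items():
        for name in names:
            seen[name.lower()][name].add(mx)
    return {key: {variant: sorted(mxs) for variant, mxs in variants.items()}
            for key, variants in seen.items() if len(variants) > 1}


def roaming_risks(vlans_by_mx):
    """List (mx, vlan) pairs where a client on that VLAN roaming to that MX
    would fail authorization: the MX lacks the VLAN as spelled but has a
    differently capitalized twin of it."""
    risks = []
    for key, variants in case_collisions(vlans_by_mx).items():
        for mx, names in vlans_by_mx.items():
            present = {n for n in names if n.lower() == key}
            for variant in variants:
                if present and variant not in present:
                    risks.append((mx, variant))
    return sorted(risks)


if __name__ == "__main__":
    for name in ("marigold", "3rdfloor", "default"):
        print(name, vlan_name_problems(name) or "ok")
    for mx, vlan in roaming_risks(MX_VLANS):
        print(f"{mx}: clients on VLAN {vlan} will fail authorization when roaming here")
```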
set vlan port
Assigns one or more network ports to a VLAN. You also can add a virtual port to each network
port by adding a tag value to the network port.
Syntax
set vlan vlan-id port port-list [tag tag-value]
vlan-id         VLAN name or number.
port port-list  List of physical ports.
tag tag-value   Tag value that identifies a virtual port. You can specify a value from 1 through
                4093.
Defaults
By default, no ports are members of any VLANs. An MX cannot forward traffic on the
network until you configure VLANs and add network ports to the VLANs.
Access
Enabled.
History
Introduced in MSS Version 1.0.
Usage
You can combine this command with the set vlan name command to assign the name and
add the ports at the same time.
If you do not specify a tag value, the MX sends untagged frames for the VLAN. If you do specify a
tag value, the MX sends tagged frames only for the VLAN.
If you do specify a tag value, it is recommended to use the same value as the VLAN number. MSS
does not require the VLAN number and tag value to be the same but it can be required by devices
from other vendors.
Examples
The following command assigns the name beige to VLAN 11 and adds ports 1 through 3
to the VLAN:
MX# set vlan 11 name beige port 1-3
success: change accepted.
The following command adds port 16 to VLAN beige and assigns tag value 86 to the port:
MX# set vlan beige port 16 tag 86
success: change accepted.
See Also
clear vlan on page 6-70
set vlan name on page 6-73
show vlan config on page 6-81
set vlan tunnel-affinity
Changes an MX's preference within a mobility domain for tunneling user traffic for a VLAN. When
a user roams to an MX that is not a member of the user's VLAN, the MX can forward the user
traffic by tunneling to another MX that is a member of the VLAN.
Syntax
set vlan vlan-id tunnel-affinity affinity
vlan-id   VLAN name or number.
affinity  Preference of this MX for forwarding user traffic for the VLAN. You can specify a
          value from 1 through 10. A higher number indicates a greater preference.
Defaults
Each VLAN on an MX's network ports has an affinity value of 5 by default.
Access
Enabled.
History
Introduced in MSS Version 1.0.
Usage
Increasing an MX's affinity value increases the preferability of the MX for forwarding user
traffic for the VLAN.
If more than one MX has the highest affinity value, MSS randomly selects one of the switches for
the tunnel.
Examples
The following command changes the VLAN affinity for VLAN beige to 10:
MX# set vlan beige tunnel-affinity 10
success: change accepted.
See Also
show roaming vlan on page 6-79
show vlan config on page 6-81

set vlan-profile
Configures entries in a VLAN profile that can be applied to an MP for local switching.
Syntax
set vlan-profile profile-name vlan vlan-name [mode {overlay | local-switching}]
[tag tag-value]
profile-name  VLAN profile name.
vlan-name     Name of a VLAN.
mode          Select overlay or local-switching.
tag-value     Optional tag value associated with the VLAN. When this value is set, it is used as
              the 802.1Q tag for the VLAN.
Defaults
If local switching is enabled on an MP, but no VLAN profile is configured, then a default
VLAN profile is used. The default VLAN profile includes a single VLAN named default that is
untagged.
Access
Enabled.
History
Version 6.0  Command introduced.
Version 7.1  Attribute mode added.
Usage
A VLAN profile consists of a list of VLANs and tags. When a VLAN profile is applied to an
MP, traffic for the VLANs specified in the VLAN profile is locally switched by the MP instead of
being tunneled back to an MX.
You enter a separate set vlan-profile command for each VLAN you want to add to the VLAN
profile. A VLAN profile can contain up to 128 entries.
Examples
The following command adds an entry for VLAN red to VLAN profile locals:
MX# set vlan-profile locals vlan red
success: change accepted.
See Also
set ap local-switching vlan-profile on page 12-245
clear vlan-profile on page 6-71
show vlan-profile on page 6-83
show fdb
Displays entries in the forwarding database.
Syntax
show fdb [mac-addr-glob [vlan vlan-id]]
show fdb {perm | static | dynamic | system | all} [port port-list | vlan vlan-id]
mac-addr-glob   A single MAC address or set of MAC addresses. Specify a MAC address, or use the
                wildcard character (*) to specify a set of MAC addresses. (For details, see “MAC
                Address Globs” on page 2–7.)
vlan vlan-id    Name or number of a VLAN for which to display entries.
perm            Displays permanent entries. A permanent entry does not age out and remains in
                the database even after a reboot, reset, or power cycle.
static          Displays static entries. A static entry does not age out, but is removed from the
                database after a reboot, reset, or power cycle.
dynamic         Displays dynamic entries. A dynamic entry is automatically removed through aging
                or after a reboot, reset, or power cycle.
system          Displays system entries. A system entry is added by MSS. For example, the
                authentication protocols can add entries for wired and wireless authentication
                users.
all             Displays all entries in the database, or all the entries that match a particular
                port or ports or a particular VLAN.
port port-list  Destination port(s) for which to display entries.
Defaults
None.
Access
All.
History
Introduced in MSS Version 1.0.
Usage
To display the entire forwarding database, enter the show fdb command without options.
To display only a portion of the database, use optional parameters to specify the types of entries to
display.
Examples
The following command displays all entries in the forwarding database:
MX# show fdb all
* = Static Entry. + = Permanent Entry. # = System Entry.
VLAN  TAG   Dest MAC/Route Des  [CoS]  Destination Ports [Protocol Type]
----  ----  ------------------  -----  -----------------------------------------
1           00:01:97:13:0b:1f          1 [ALL]
1           aa:bb:cc:dd:ee:ff   *      3 [ALL]
1           00:0b:0e:02:76:f5          1 [ALL]
Total Matching FDB Entries Displayed = 3
The top line of the display identifies the characters to distinguish among the entry types.
The following command displays all entries that begin with the MAC address glob 00:
MX# show fdb 00:*
* = Static Entry. + = Permanent Entry. # = System Entry.
VLAN  TAG   Dest MAC/Route Des  [CoS]  Destination Ports [Protocol Type]
----  ----  ------------------  -----  -----------------------------------------
1           00:01:97:13:0b:1f          1 [ALL]
1           00:0b:0e:02:76:f5          1 [ALL]
Total Matching FDB Entries Displayed = 2
Table 6– 12 describes the fields in the show fdb output.
See Also
clear fdb on page 6-67
set fdb on page 6-71
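As an added example (not code from the Trapeze reference), the following Python script parses show fdb output in the layout shown above, classifies each entry from its CoS marker (*, +, # or none for dynamic), normalizes MAC addresses written in either of the a:b:c:d:e:f or a-b-c-d-e-f forms that clear fdb accepts, applies a MAC address glob such as 00:*, and flags any address that the forwarding database holds in more than one VLAN/port location, a condition worth checking on a switch that learns addresses dynamically because it can mean a host moved or a second device is using the same address. The glob semantics beyond the 00:* example (prefix followed by *) are an assumption, since the page only refers to the MAC Address Globs section; the sample output is constructed from the layout above with one extra tagged, permanent entry added so that the duplicate check has something to report.

```python
"""Parse MSS 'show fdb' output and check it. Added example, not part of the
MSS reference; glob semantics (prefix + '*') are an assumption, and the
sample output is constructed."""
import re
from collections import defaultdict

ENTRY_TYPES = {"*": "static", "+": "permanent", "#": "system", None: "dynamic"}
MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
# VLAN, optional TAG, MAC, optional CoS marker, destination ports, [Protocol Type]
ROW = re.compile(
    r"^(?P<vlan>\d+)\s+(?:(?P<tag>\d+)\s+)?(?P<mac>" + MAC + r")\s+"
    r"(?:(?P<marker>[*+#])\s+)?(?P<ports>\S+)\s+\[(?P<proto>\w+)\]$")

# Constructed sample in the layout shown above; the last row is an added
# permanent entry for an address that is also learned dynamically on VLAN 1.
SAMPLE = """\
* = Static Entry. + = Permanent Entry. # = System Entry.
VLAN TAG Dest MAC/Route Des [CoS] Destination Ports [Protocol Type]
---- ---- ------------------ ----- -----------------------------------------
1 00:01:97:13:0b:1f 1 [ALL]
1 aa:bb:cc:dd:ee:ff * 3 [ALL]
1 00:0b:0e:02:76:f5 1 [ALL]
2 86 00:0b:0e:02:76:f5 + 16 [ALL]
Total Matching FDB Entries Displayed = 4
"""


def parse_fdb(text):
    """Return a list of entry dicts; header, separator and total lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            entries.append({
                "vlan": int(m["vlan"]),
                "tag": int(m["tag"]) if m["tag"] else None,
                "mac": m["mac"],
                "type": ENTRY_TYPES[m["marker"]],
                "ports": m["ports"],
                "protocol": m["proto"],
            })
    return entries


def normalize_mac(text):
    """Accept a:b:c:d:e:f or a-b-c-d-e-f (the forms clear fdb takes) and
    return the lowercase colon form, or None if it is not a MAC address."""
    parts = re.split(r"[:-]", text.strip().lower())
    if len(parts) != 6 or not all(re.fullmatch(r"[0-9a-f]{1,2}", p) for p in parts):
        return None
    return ":".join(p.zfill(2) for p in parts)


def mac_glob_match(glob, mac):
    """Assumed glob rule: a prefix followed by '*' matches every address
    with that prefix; a glob without '*' must match exactly."""
    glob = glob.lower()
    if glob.endswith("*"):
        return mac.lower().startswith(glob[:-1])
    return mac.lower() == glob


def duplicate_macs(entries):
    """Return {mac: [(vlan, ports, type), ...]} for addresses that appear in
    more than one (VLAN, port) location of the forwarding database."""
    where = defaultdict(list)
    for e in entries:
        where[e["mac"]].append((e["vlan"], e["ports"], e["type"]))
    return {mac: locs for mac, locs in where.items()
            if len({(v, p) for v, p, _ in locs}) > 1}


if __name__ == "__main__":
    fdb = parse_fdb(SAMPLE)
    print([e["mac"] for e in fdb if mac_glob_match("00:*", e["mac"])])
    for mac, locations in duplicate_macs(fdb).items():
        print(f"{mac} seen at {locations}")
```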
Table 6–12. Output for show fdb
Field               Description
VLAN                VLAN number.
TAG                 VLAN tag value. If the interface is untagged, the TAG field is blank.
Dest MAC/Route Des  MAC address of the forwarding entry destination.
CoS                 Type of entry. The entry types are explained in the first row of the command
                    output.
                    Note: This Class of Service (CoS) value is not associated with MSS quality of
                    service (QoS) features.
Destination Ports   MX port associated with the entry. An MX sends traffic to the destination MAC
                    address through this port.
Protocol Type       Layer 3 protocol address types that can be mapped to this entry.
Total Matching FDB  Number of entries displayed by the command.
Entries Displayed

show fdb agingtime
Displays the aging timeout period for forwarding database entries.
Syntax
show fdb agingtime [vlan vlan-id]
vlan vlan-id  VLAN name or number. If you do not specify a VLAN, the aging timeout period for
              each VLAN is displayed.
Defaults
None.
Access
All.
History
Introduced in MSS Version 1.0.
Examples
The following command displays the aging timeout period for all VLANs:
MX# show fdb agingtime
VLAN 2 aging time = 600 sec
VLAN 1 aging time = 300 sec
Because the forwarding database aging timeout period can be configured on an individual VLAN
basis, the command lists the aging timeout period for each VLAN separately.
See Also
set fdb agingtime on page 6-72
show fdb count
Lists the number of entries in the forwarding database.
Syntax
show fdb count {perm | static | dynamic} [vlan vlan-id]
perm          Lists the number of permanent entries. A permanent entry does not age out and
              remains in the database even after a reboot, reset, or power cycle.
static        Lists the number of static entries. A static entry does not age out, but is removed
              from the database after a reboot, reset, or power cycle.
dynamic       Lists the number of dynamic entries. A dynamic entry is automatically removed
              through aging or after a reboot, reset, or power cycle.
vlan vlan-id  VLAN name or number. Entries are listed for only the specified VLAN.
Defaults
None.
Access
All.
History
Introduced in MSS Version 1.0.
Examples
The following command lists the number of dynamic entries that the forwarding
database contains:
MX# show fdb count dynamic
Total Matching Entries = 2
See Also
show fdb on page 6-76

show roaming station
Displays a list of the stations roaming to the MX through a VLAN tunnel.
Syntax
show roaming station [vlan vlan-id] [peer ip-addr]
vlan vlan-id  Output is restricted to stations using this VLAN.
peer ip-addr  Output is restricted to stations tunnelling through this peer MX in the Mobility
              Domain.
Defaults
None.
Access
Enabled.
History
Version 1.0  Command introduced.
Version 4.0  Old AP MAC field removed.
Usage
The output displays roaming stations within the previous 1 second.
Examples
To display all stations roaming to the MX switch, type the following command:
MX# show roaming station
User Name               Station Address    VLAN             State
----------------------  -----------------  ---------------  -----
redsqa                  10.10.10.5         violet           Up
Table 6–13 describes the fields in the display.

Table 6–13. Output for show roaming station
Field            Description
User Name        Name of the user. This is the name used for authentication. The name resides in a
                 RADIUS server database or the local user database on an MX.
Station Address  IP address of the user device.
VLAN             Name of the VLAN that the RADIUS server or MX local user database assigned the
                 user.
State            State of the session:
                 Setup—Station is attempting to roam to this MX. This switch has asked the MX from
                 which the station is roaming for the station session information and is waiting
                 for a reply.
                 Up—MSS has established a tunnel between the MX switches and the station has
                 successfully roamed to this MX over the tunnel.
                 Chck—This MX is in the process of accepting a reassociation request from the
                 roaming peer MX for a station currently roaming to the peer switch.
                 TChck—This MX is in the process of accepting a reassociation request from the
                 roaming peer MX for a station currently roaming to this switch.
                 WInd—This MX is waiting for network congestion to clear before sending the
                 roaming indication to the roaming peer MX.
                 WResp—This MX is waiting for network congestion to clear before sending the
                 roaming response to the roaming peer MX.
See Also
show roaming vlan on page 6-79

show roaming vlan
Shows all VLANs in the mobility domain, the MX switches servicing the VLANs, and the tunnel
affinity values configured on each MX for the VLANs.
Syntax
show roaming vlan
Defaults
None.
Access
Enabled.
History
Introduced in MSS Version 1.0.
Examples
The following command shows the current roaming VLANs:
MX# show roaming vlan
VLAN              Switch IP Address  Affinity
----------------  -----------------  --------
vlan-cs           192.168.14.2       5
vlan-eng          192.168.14.4       5
vlan-fin          192.168.14.2       5
vlan-it           192.168.14.4       5
vlan-it           192.168.14.2       5
vlan-pm           192.168.14.2       5
vlan-sm           192.168.14.2       5
vlan-tp           192.168.14.4       5
vlan-tp           192.168.14.2       5
Table 6–14 describes the fields in the display.
Table 6–14. Output for show roaming vlan
Field     Description
VLAN      VLAN name.
MX        System IP address of the MX on which the VLAN is configured.
Affinity  Preference of this MX for forwarding user traffic for the VLAN. A higher
          number indicates a greater preference.
See Also
show roaming station on page 6-78
show vlan config on page 6-81

show security l2-restrict
Displays configuration information and statistics for Layer 2 forwarding restriction.
Syntax
show security l2-restrict [vlan vlan-id | all]
vlan-id  VLAN name or number.
all      Displays information for all VLANs.
Defaults
If you do not specify a VLAN name or all, information is displayed for all VLANs.
Access
Enabled.
History
Introduced in MSS Version 4.1.
Examples
The following command shows Layer 2 forwarding restriction information for all
VLANs:
MX# show security l2-restrict
VLAN  Name              En  Drops       Permit MAC           Hits
----  ----------------  --  ----------  -------------------  ----------
1     default           Y   0           00:0b:0e:02:53:3e    5947
                                        00:30:b6:3e:5c:a8    9
2     vlan-2            Y   0           04:04:04:04:04:04    0
Table 6–15 describes the fields in the display.

Table 6–15. Output for show security l2-restrict
Field       Description
VLAN        VLAN number.
Name        VLAN name.
En          Enabled state of the feature for the VLAN:
            Y—Enabled. Forwarding of Layer 2 traffic from clients is restricted to the MAC
            address(es) listed under Permit MAC.
            N—Disabled. Layer 2 forwarding is not restricted.
Drops       Number of packets dropped because the destination MAC address is not one of the
            addresses listed under Permit MAC.
Permit MAC  MAC addresses to which clients in the VLAN are allowed to send traffic at Layer 2.
Hits        Number of packets whose source MAC address belongs to a client in this VLAN and
            whose destination MAC address is one of those listed under Permit MAC.
See Also
clear security l2-restrict on page 6-68
clear security l2-restrict counters on page 6-69
set security l2-restrict on page 6-72
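The output of show security l2-restrict is what an administrator reviews to confirm that client frames in each VLAN can reach only the permitted gateway MAC addresses. The following Python script is an added example, not part of this guide or of MSS: it parses constructed sample output modelled on the example above (the disabled VLAN 3 "guest" row is invented for illustration) and reports VLANs where the restriction is off, where a permitted MAC is not one of the expected gateways, or where client frames have been dropped.

```python
"""Audit helper for `show security l2-restrict` output (added example, not MSS code)."""
import re
from dataclasses import dataclass, field

# Constructed sample, modelled on the example output in the command entry;
# the VLAN 3 "guest" row is invented to show a VLAN with the feature disabled.
SAMPLE_OUTPUT = """\
VLAN Name             En Drops      Permit MAC          Hits
---- ---------------- -- ---------- ------------------- ----------
1    default          Y  0          00:0b:0e:02:53:3e   5947
                                    00:30:b6:3e:5c:a8   9
2    vlan-2           Y  0          04:04:04:04:04:04   0
3    guest            N  0
"""

MAC_RE = re.compile(r"^[0-9a-f]{2}(?::[0-9a-f]{2}){5}$")


@dataclass
class VlanRestrict:
    vlan: int
    name: str
    enabled: bool
    drops: int
    permit: dict = field(default_factory=dict)  # permitted MAC -> hit count


def parse_l2_restrict(text):
    """Parse the tabular output into one VlanRestrict per VLAN.

    A VLAN with several permitted MACs spans several lines: the first line
    carries the VLAN columns, continuation lines carry only a MAC and its hits.
    """
    rows, current = [], None
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] == "VLAN" or parts[0].startswith("---"):
            continue  # blank, header or separator line
        if parts[0].isdigit():
            vlan, name, en, drops = parts[:4]
            current = VlanRestrict(int(vlan), name, en == "Y", int(drops))
            rows.append(current)
            extra = parts[4:]  # optional first Permit MAC / Hits pair
        else:
            if current is None:
                raise ValueError(f"continuation line before any VLAN row: {line!r}")
            extra = parts
        if extra:
            mac, hits = extra[0].lower(), int(extra[1])
            if not MAC_RE.match(mac):
                raise ValueError(f"unexpected MAC format: {mac}")
            current.permit[mac] = hits
    return rows


def audit(rows, expected_macs):
    """Return (vlan, finding) pairs for anything that deviates from policy."""
    findings = []
    for r in rows:
        if not r.enabled:
            findings.append((r.vlan, "l2-restrict disabled"))
            continue
        for mac in r.permit:
            if mac not in expected_macs:
                findings.append((r.vlan, f"unexpected permit MAC {mac}"))
        if r.drops:
            findings.append((r.vlan, f"{r.drops} client frames dropped"))
    return findings


if __name__ == "__main__":
    gateways = {"00:0b:0e:02:53:3e", "00:30:b6:3e:5c:a8"}  # constructed policy
    for vlan, finding in audit(parse_l2_restrict(SAMPLE_OUTPUT), gateways):
        print(f"VLAN {vlan}: {finding}")
```

The expected gateway set is the policy input; a non-zero Drops counter on an enabled VLAN is worth a look because it means clients in that VLAN are addressing Layer 2 destinations other than the permitted ones.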
show tunnel
Displays the tunnels from the MX where you type the command.
Syntax
show tunnel
Defaults
None.
Access
Enabled
History
Introduced in MSS Version 1.0.
Examples
To display all tunnels from an MX to other switches in the Mobility Domain, type the
following command.
MX# show tunnel
VLAN Local Address Remote Address State Port LVID RVID
--------------- --------------- --------------- ------- ----- ----- -----
vlan-eng 192.168.14.2 192.168.14.4 DORMANT 1024 4096 130
Table 6-16 describes the fields in the display.
Table 6-16. Output for show tunnel
Field Description
VLAN VLAN name.
Local Address IP address of the local end of the tunnel. This is the IP address of the MX where you enter the command.
Remote Address IP address of the remote end of the tunnel. This is the system IP address of another MX in the Mobility Domain.
State Tunnel state: Up or Dormant.
Port Tunnel port ID.
LVID Local VLAN ID.
RVID Remote VLAN ID.
See Also
show vlan config on page 6-81
show vlan config
Displays VLAN information.
Syntax
show vlan config [vlan-id]
vlan-id VLAN name or number. If you do not specify a VLAN, information for all VLANs is displayed.
Defaults
None.
Access
All.
History
Introduced in MSS Version 1.0.
Examples
The following command displays information for VLAN burgundy:
MX# show vlan config burgundy
Admin VLAN Tunl Port
VLAN Name Status State Affin Port Tag State
---- ---------------- ------ ----- ----- ---------------- ----- -----
2 burgundy Up Up 5
2 none Up
3 none Up
4 none Up
6 none Up
11 none Up
t:10.10.40.4 none Up
Table 6-17 describes the fields in this display.
Table 6-17. Output for show vlan config
Field Description
VLAN VLAN number.
Name VLAN name.
Admin Status Administrative status of the VLAN:
Down—The VLAN is disabled.
Up—The VLAN is enabled.
VLAN State Link status of the VLAN:
Down—The VLAN is not connected.
Up—The VLAN is connected.
Tunl Affin Tunnel affinity value assigned to the VLAN.
Port Member port of the VLAN. The port can be a physical port or a virtual port. Physical ports are 10/100 Ethernet or gigabit Ethernet ports on the switch, and are listed by port number. Virtual ports are tunnels to other switches in a Mobility Domain, and are listed as t:ip-addr, where ip-addr is the system IP address of the MX switch at the other end of the tunnel.
Note: This field can include MP access ports and wired authentication ports, because MSS dynamically adds these ports to a VLAN when handling user traffic for the VLAN.
Tag Tag value assigned to the port.
Port State Link state of the port:
Down—The port is not connected.
Up—The port is connected.
See Also
clear vlan on page 6-70
set vlan name on page 6-73
set vlan port on page 6-74
set vlan tunnel-affinity on page 6-75
show vlan-profile
Displays the contents of the VLAN profiles configured on the MX. A VLAN profile lists the VLANs whose traffic is locally switched by the MPs that use the profile.
Syntax
show vlan-profile [profile-name]
profile-name VLAN profile name.
Defaults
If a profile-name is not specified, the contents of all VLAN profiles configured on the MX switch are displayed.
Access
All.
History
Introduced in MSS Version 6.0.
Examples
The following command displays the contents of VLAN profile locals:
MX# show vlan-profile locals
vlan-profile: locals
AP list: 1,2,3
Vlan Name Tag
--------- ---
blue none
red 45
ap numbers: 67
Table 6-18 describes the fields in the show vlan-profile output.
Table 6-18. Output for show vlan-profile
Field Description
vlan-profile Name of the VLAN profile.
Vlan Name Name of the VLAN for which local switching is performed.
Tag Value of the 802.1Q tag used for the VLAN.
ap numbers The index numbers of the APs where this VLAN profile is applied.
See Also
set ap local-switching vlan-profile on page 12-245
clear vlan-profile on page 6-71
set vlan-profile on page 6-75
7
Quality of Service Commands
Use Quality of Service (QoS) commands to configure packet prioritization in MSS. Packet
prioritization ensures that MX switches and MPs give preferential treatment to high-priority
traffic such as voice and video.
(To override the prioritization for specific traffic, use access control lists [ACLs] to set the Class of Service [CoS] for the packets. See Chapter , “Security ACL Commands,” on page 391.)
This chapter presents QoS commands alphabetically. Use the following table to locate commands in this chapter based on their use.
QoS Settings show qos on page 7-88
show qos dscp-table on page 7-89
Updated set qos cos-to-dscp-map on page 7-86
set qos dscp-to-cos-map on page 7-87
set qos flow on page 7-87
Updated set qos flow on page 7-87
set qos traffic-class on page 7-87
clear qos on page 7-85
clear qos-profile on page 7-86
clear qos
Resets the MX mapping of Differentiated Services Code Point (DSCP) values to internal QoS values.
The MX internal QoS map ensures that prioritized traffic remains prioritized while transiting the MX. An MX uses the QoS map to do the following:
Classify inbound packets by mapping the DSCP values to one of eight internal QoS values
Classify outbound packets by marking the DSCP values based on the MX internal QoS values
Syntax
clear qos [cos-to-dscp-map [from-qos] | dscp-to-cos-map [from-dscp] | flow sip-data | traffic-class voip-data]
cos-to-dscp-map [from-qos] Resets the mapping between the specified internal QoS value and the DSCP value with which MSS marks outbound packets. QoS values are from 0 to 7.
dscp-to-cos-map [from-dscp] Resets the mapping between the specified range of DSCP values and the internal QoS value with which MSS classifies inbound packets.
flow sip-data Resets the flow of SIP data.
traffic-class voip-data Resets the traffic class.
Defaults
None.
Access
Enabled.
History
MSS Version 4.1 Command introduced.
MSS Version 7.1 sip-data and traffic-class options added.
Usage
To reset all mappings to the default values, use the clear qos command without the optional parameters.
Examples
The following command resets all QoS mappings:
MX# clear qos
success: change accepted.
The following command resets the mapping used to classify packets with DSCP value 44:
MX# clear qos dscp-to-cos-map 44
success: change accepted.
clear qos-profile
Clears a QoS profile from the configuration.
Syntax
clear qos-profile profile-name
Defaults
None
Access
Enabled
History
Introduced in MSS Version 6.2.
Examples
To clear a QoS profile with the profile name best_voice from the MSS configuration, use the following command:
MX# clear qos-profile best_voice
success: change accepted
set qos cos-to-dscp-map
Changes the DSCP value to which MSS maps an internal QoS value when marking outbound packets.
Syntax
set qos cos-to-dscp-map level dscp dscp-value
level Internal CoS value. You can specify a number from 1 to 7.
dscp dscp-value DSCP value. You can specify the value as a decimal number. Valid values are 0 to 63.
Defaults
The defaults are listed by the show qos command.
Access
Enabled.
History
Introduced in MSS Version 4.1.
Examples
The following command maps internal CoS value 5 to DSCP value 50:
MX# set qos cos-to-dscp-map 5 dscp 50
warning: cos 5 is marked with dscp 50 which will be classified as cos 6
If the change results in a change to CoS, MSS displays a warning message indicating the change. In this example, packets receiving CoS 5 upon ingress are marked with a DSCP value equivalent to CoS 6 upon egress.
See Also
set qos dscp-to-cos-map on page 7-87
show qos on page 7-88
set qos dscp-to-cos-map
Changes the internal QoS value that MSS maps to a packet DSCP value when classifying inbound packets.
Syntax
set qos dscp-to-cos-map dscp-range cos level
dscp-range DSCP range. You can specify the values as decimal numbers. Valid decimal values are 0 to 63. To specify a range, use the following format: 40-56. Specify the lower number first.
cos level Internal QoS value. You can specify a number from 1 to 7.
Defaults
The defaults are listed by the show qos command.
Access
Enabled.
History
Introduced in MSS Version 4.1.
Examples
The following command maps DSCP values 40-56 to internal CoS value 6:
MX# set qos dscp-to-cos-map 40-56 cos 6
warning: cos 5 is marked with dscp 63 which will be classified as cos 7
warning: cos 7 is marked with dscp 56 which will be classified as cos 6
As shown in this example, if the change results in a change to CoS, MSS displays a warning message indicating the change.
See Also
set qos cos-to-dscp-map on page 7-86
show qos on page 7-88
set qos flow
Creates and modifies QoS traffic flows.
Syntax
set qos flow sip-data
Defaults
Enabled
History
Introduced in MSS Version 7.1.
Usage
Used in VoIP configurations.
set qos traffic-class
Creates and modifies classes of traffic on the network.
Syntax
set qos traffic-class voip-data flow sip-data
Defaults
None
Access
Enabled.
History
Introduced in MSS Version 7.1.
Usage
Used in VoIP configurations.
set qos-profile
Configures QoS parameters to apply to multiple clients.
Syntax
set qos-profile profile-name [access-category background | best-effort | video | voice] [cos static-cos-value] [max-bandwidth max-bw-kb] [use-client-dscp enable | disable] [trust-client-dscp enable | disable]
profile-name Name of the QoS profile.
access-category background | best-effort | video | voice One of the four forwarding queues used to configure QoS.
cos static-cos-value Marks QoS traffic with a specific CoS value from 0 to 7.
max-bandwidth max-bw-kb Configures the bandwidth for the QoS profile. You can configure it as 1 to 100000 Kbps, with 0 as unlimited bandwidth.
trust-client-dscp {enable | disable} Allows the MX to use the client DSCP for radio ingress traffic and ignore WMM.
Defaults
None
Access
Enabled
History
Version 6.2 Command introduced.
Version 7.1 The attribute trust-client-dscp added.
Version 7.3 The attribute use-client-dscp is deprecated.
show qos
Displays the MX QoS settings.
Syntax
show qos [default]
default Displays the default mappings.
Defaults
None.
Access
Enabled.
History
Introduced in MSS Version 4.1.
Examples
The following command displays the default QoS settings:
MX# show qos default
Ingress QoS Classification Map (dscp-to-cos)
Ingress DSCP CoS Level
===============================================================================
00-09 0 0 0 0 0 0 0 0 1 1
10-19 1 1 1 1 1 1 2 2 2 2
20-29 2 2 2 2 3 3 3 3 3 3
30-39 3 3 4 4 4 4 4 4 4 4
40-49 5 5 5 5 5 5 5 5 6 6
50-59 6 6 6 6 6 6 7 7 7 7
60-63 7 7 7 7
Egress QoS Marking Map (cos-to-dscp)
CoS Level 0 1 2 3 4 5 6 7
===============================================================================
Egress DSCP 0 8 16 24 32 40 48 56
Egress ToS byte 0x00 0x20 0x40 0x60 0x80 0xA0 0xC0 0xE0
See Also
show qos dscp-table on page 7-89
show qos dscp-table
Displays a table that maps Differentiated Services Code Point (DSCP) values to the equivalent
combinations of IP precedence values and IP ToS values.
Syntax
show qos dscp-table
Defaults
None.
Access
Enabled.
History
Introduced in MSS Version 4.0 as the show security acl dscp command and renamed in
MSS Version 4.1.
Examples
The following command displays the table:
MX# show qos dscp-table
DSCP TOS precedence tos
dec hex dec hex
-----------------------------------------------
0 0x00 0 0x00 0 0
1 0x01 4 0x04 0 2
2 0x02 8 0x08 0 4
...
63 0x3f 252 0xfc 7 14
See Also
show qos on page 7-88
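The two maps listed by show qos default, and the per-DSCP row of show qos dscp-table, can be modelled to see why set qos cos-to-dscp-map and set qos dscp-to-cos-map print their warnings. The following Python module is an added example, not MSS code: its default ingress map reproduces the show qos default table above (every DSCP maps to CoS = DSCP >> 3), its egress defaults are CoS c to DSCP 8c with ToS byte DSCP << 2, and warnings() flags any egress marking that the ingress map would classify as a different CoS, which is the check behind the "warning: cos N is marked with dscp D which will be classified as cos M" lines. The model accepts CoS 0 to 7 as show qos lists them, where the set commands' parameter tables say 1 to 7. The "cos 5 ... dscp 63" warning in the set qos dscp-to-cos-map example reflects a cos-to-dscp change made earlier in that CLI session, so starting from defaults the model reports dscp 40 for CoS 5 instead.

```python
"""Model of the MX DSCP/CoS maps (added example; not MSS code)."""

# Ingress classification map matching `show qos default`: index = DSCP, value = CoS.
# 0-7 -> 0, 8-15 -> 1, ..., 56-63 -> 7, i.e. the top three DSCP bits.
DEFAULT_DSCP_TO_COS = tuple(dscp >> 3 for dscp in range(64))


def dscp_table_row(dscp):
    """Return (tos_byte, precedence, tos) for a DSCP value, as `show qos dscp-table` lists them.

    The DSCP is the top six bits of the IPv4 ToS byte, so tos_byte = dscp << 2; IP precedence
    is the top three bits of that byte, and the classic ToS bits are the next four (the low
    three DSCP bits followed by a zero).
    """
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP must be 0-63")
    tos_byte = dscp << 2
    return tos_byte, tos_byte >> 5, (dscp & 0x7) << 1


class QosMap:
    """Holds the ingress and egress maps and validates changes the way the CLI warnings do."""

    def __init__(self):
        self.clear_qos()

    def clear_qos(self):
        """Equivalent of `clear qos` with no options: both maps back to their defaults."""
        self.dscp_to_cos = list(DEFAULT_DSCP_TO_COS)
        self.cos_to_dscp = [8 * cos for cos in range(8)]  # egress DSCP 0, 8, ..., 56

    def set_cos_to_dscp(self, level, dscp):
        """`set qos cos-to-dscp-map level dscp dscp-value`; returns any warnings."""
        if not 0 <= level <= 7 or not 0 <= dscp <= 63:
            raise ValueError("CoS must be 0-7 and DSCP 0-63")
        self.cos_to_dscp[level] = dscp
        return self.warnings()

    def set_dscp_to_cos(self, low, high, level):
        """`set qos dscp-to-cos-map low-high cos level`; returns any warnings."""
        if not (0 <= low <= high <= 63) or not 0 <= level <= 7:
            raise ValueError("range must be within 0-63 with the lower number first; CoS 0-7")
        for dscp in range(low, high + 1):
            self.dscp_to_cos[dscp] = level
        return self.warnings()

    def warnings(self):
        """Egress markings that the ingress map would classify as a different CoS.

        Such a mismatch means a packet leaving this MX marked for CoS c would be
        given a different priority by the next MSS hop that classifies it.
        """
        out = []
        for cos, dscp in enumerate(self.cos_to_dscp):
            back = self.dscp_to_cos[dscp]
            if back != cos:
                out.append(f"warning: cos {cos} is marked with dscp {dscp} "
                           f"which will be classified as cos {back}")
        return out


if __name__ == "__main__":
    q = QosMap()
    print(q.set_cos_to_dscp(5, 50))      # mirrors the set qos cos-to-dscp-map example
    q.clear_qos()
    print(q.set_dscp_to_cos(40, 56, 6))  # mirrors the set qos dscp-to-cos-map example
    print(dscp_table_row(63))            # last row of show qos dscp-table
```

A practical use of the model is to check a planned sequence of map changes for round-trip consistency before typing it into the MX, since a mismatch silently changes the priority that downstream MSS switches assign to the traffic.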
show qos traffic-class
Displays the traffic classes configured for QoS.
Syntax
show qos traffic-class traffic-class-name
Defaults
The default traffic-class name is voip-data.
History
Introduced in MSS Version 7.1.
8
IP Services Commands
Use IP services commands to configure and manage IP interfaces, management services, the
Domain Name Service (DNS), Network Time Protocol (NTP), aliases, and to ping a host or trace a
route. This chapter presents IP services commands alphabetically. Use the following table to
locate commands in this chapter based on their use.
IP Interface set interface on page 8-102
set interface dhcp-client on page 8-103
New set interface security on page 8-105
set interface status on page 8-106
show interface on page 8-135
show dhcp-client on page 8-132
Updated clear interface on page 8-92
New clear interface security on page 8-93
System IP Address set system ip-address on page 8-129
clear system ip-address on page 8-99
IP Route set ip route on page 8-109
show ip route on page 8-138
Updated clear ip route on page 8-95
SSH Management set ip ssh server on page 8-112
set ip ssh on page 8-111
Telnet Management set ip telnet on page 8-112
set ip telnet server on page 8-113
show ip telnet on page 8-139
clear ip telnet on page 8-95
HTTPS Management set ip https server on page 8-109
set ip https authentication on page 8-108
show ip https on page 8-137
DNS set ip dns on page 8-107
set ip dns domain on page 8-107
set ip dns server on page 8-108
show ip dns on page 8-136
clear ip dns domain on page 8-94
clear ip dns server on page 8-94
IP Alias set ip alias on page 8-106
show ip alias on page 8-136
clear ip alias on page 8-93
Time and Date set timedate on page 8-130
set timezone on page 8-130
set summertime on page 8-128
show timedate on page 8-144
show timezone on page 8-144
show summertime on page 8-143
clear timezone on page 8-100
clear summertime on page 8-99
NTP set ntp on page 8-114
set ntp server on page 8-114
set ntp update-interval on page 8-115
show ntp on page 8-140
clear ntp server on page 8-96
clear ntp update-interval on page 8-96
ARP set arp on page 8-101
set arp agingtime on page 8-102
show arp on page 8-131
SNMP set snmp protocol on page 8-124
set snmp security on page 8-125
Updated set snmp community on page 8-116
set snmp community group on page 8-117
set snmp usm on page 8-126
set snmp notify profile on page 8-118
set snmp notify target on page 8-121
set ip snmp server on page 8-111
show snmp status on page 8-142
show snmp community on page 8-141
show snmp usm on page 8-143
show snmp notify profile on page 8-142
show snmp notify target on page 8-142
show snmp counters on page 8-142
clear snmp community on page 8-97
clear snmp usm on page 8-98
clear snmp notify profile on page 8-97
clear snmp notify target on page 8-98
Ping ping on page 8-100
Telnet client telnet on page 8-145
Traceroute traceroute on page 8-146
DHCP server set interface dhcp-server on page 8-104
show dhcp-server on page 8-133
clear interface
Removes an IP interface.
Syntax
clear interface vlan-id ip
vlan-id VLAN name or number.
Defaults
None.
Access
Enabled.
History
Introduced in MSS Version 1.0.
Usage
If the interface you want to remove is configured as the system IP address, removing the address can interfere with system tasks using the system IP address, including the following:
Mobility domain operations
Topology reporting for dual-homed MPs
Default source IP address used in unsolicited communications such as AAA accounting reports and SNMP traps
Examples
The following command removes the IP interface configured on VLAN mauve:
MX# clear interface mauve ip
success: cleared ip on vlan mauve
See Also
set interface on page 8-102
set interface status on page 8-106
show interface on page 8-135
clear interface security
Clears default IP security operations.
Syntax
clear interface vlanid ip security destination ipaddr
vlanid The name of the VLAN on which to clear security operations.
ipaddr The IP address of the security destination.
Defaults
None
Access
Enabled
History
Added in MSS 7.1
Examples
To clear 172.21.25.1 on the VLAN fast1 from the security destination, use the following command:
MX# clear interface fast1 ip security destination 172.21.25.1
success: change accepted.
clear ip alias
Removes an alias, which is a string that represents an IP address.
Syntax
clear ip alias name
name Alias name.
Defaults
None.
Access
Enabled.
History
Introduced in MSS Version 1.0.
Examples
The following command removes the alias server1:
MX# clear ip alias server1
success: change accepted.
See Also
set ip alias on page 8-106
show ip alias on page 8-136
clear ip dns domain
Removes the default DNS domain name.
Syntax
clear ip dns domain
Defaults
None.
Access
Enabled.
History
Introduced in MSS Version 1.0.
Examples
The following command removes the default DNS domain name from an MX:
MX# clear ip dns domain
Default DNS domain name cleared.
See Also
clear ip dns server on page 8-94
set ip dns on page 8-107
set ip dns domain on page 8-107
set ip dns server on page 8-108
show ip dns on page 8-136
clear ip dns server
Removes a DNS server from an MX configuration.
Syntax
clear ip dns server ip-addr
ip-addr IP address of a DNS server.
Defaults
None.
Access
Enabled.
History
Introduced in MSS Version 1.0.
Examples
The following command removes DNS server 10.10.10.69 from an MX configuration:
MX# clear ip dns server 10.10.10.69
success: change accepted.
See Also
clear ip dns domain on page 8-94
set ip dns on page 8-107
set ip dns domain on page 8-107
set ip dns server on page 8-108
show ip dns on page 8-136
clear ip route
Removes a route from the IP route table.
Syntax
clear ip route {default | ip-addr mask | ip-addr/mask-length} default-router
default Default route.
Note: default is an alias for IP address 0.0.0.0/0.
ip-addr mask IP address and subnet mask for the route destination, in dotted decimal notation (for example, 10.10.10.10 255.255.255.0).
ip-addr/mask-length IP address and subnet mask length in CIDR format (for example, 10.10.10.10/24).
default-router IP address, DNS hostname, or alias of the next-hop router.
Defaults
None.
Access
Enabled.
History
Version 1.0 Command introduced.
Version 1.1 mask and /mask-length options added. These options are required in MSS version 1.1. default-router option added, because MSS 1.1 supports multiple routes to the same destination. This option is required in MSS version 1.1.
Examples
The following command removes the route to destination 10.10.10.68/24 through router 10.10.10.1:
MX# clear ip route 10.10.10.68/24 10.10.10.1
success: change accepted.
See Also
set ip route on page 8-109
show ip route on page 8-138
clear ip telnet
Resets the Telnet server TCP port number to the default value. An MX listens for Telnet management traffic on the Telnet server port.
Syntax
clear ip telnet
Defaults
The default Telnet port number is 23.
Access
Enabled.
History
Introduced in MSS Version 1.0.
Examples
The following command resets the TCP port number for Telnet management traffic to
its default:
MX# clear ip telnet
success: change accepted.
See Also
set ip https server on page 8-109
set ip telnet on page 8-112
set ip telnet server on page 8-113
show ip https on page 8-137
show ip telnet on page 8-139
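The destination forms accepted by clear ip route above (and by set ip route), and the reason the default-router argument is required, can be shown with a small model. The following Python is an added example, not MSS code: parse_route() normalizes default, ip-addr mask and ip-addr/mask-length into one network object, and RouteTable keys each route by (destination, next hop), so two routes to the same destination coexist and only the one named by its next hop is cleared. Two assumptions of the model: the next hop is given as an IP address (the CLI also accepts a DNS hostname or alias, which the model does not resolve), and host bits in the destination are masked off, which the page does not say the CLI does.

```python
"""Route destination parsing and a (destination, next-hop) keyed route table
for set ip route / clear ip route (added example; not MSS code)."""
import ipaddress


def parse_route(tokens):
    """Normalize a destination plus next-hop token list into (IPv4Network, IPv4Address).

    Accepted destination forms, as in the command syntax:
      default                      alias for 0.0.0.0/0
      ip-addr/mask-length          e.g. 10.10.10.68/24
      ip-addr mask                 e.g. 10.10.10.68 255.255.255.0
    Assumption: the next hop is an IP address, not a hostname or alias.
    """
    if not tokens:
        raise ValueError("destination required")
    if tokens[0] == "default":
        dest, rest = ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    elif "/" in tokens[0]:
        # strict=False masks off host bits: 10.10.10.68/24 -> 10.10.10.0/24 (model assumption)
        dest, rest = ipaddress.IPv4Network(tokens[0], strict=False), tokens[1:]
    elif len(tokens) >= 2:
        dest, rest = ipaddress.IPv4Network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]
    else:
        raise ValueError("mask or /mask-length required")
    if len(rest) != 1:
        raise ValueError("exactly one default-router is required")
    return dest, ipaddress.IPv4Address(rest[0])


class RouteTable:
    """Routes identified by (destination network, next hop), as MSS 1.1 and later allow."""

    def __init__(self):
        self.routes = set()

    def set_ip_route(self, *tokens):
        self.routes.add(parse_route(list(tokens)))

    def clear_ip_route(self, *tokens):
        key = parse_route(list(tokens))
        if key not in self.routes:
            raise KeyError(f"no route to {key[0]} via {key[1]}")
        self.routes.discard(key)

    def lookup(self, ip):
        """Longest-prefix match; returns the set of next hops for the best destination."""
        addr = ipaddress.IPv4Address(ip)
        matches = [(net, nh) for net, nh in self.routes if addr in net]
        if not matches:
            return set()
        longest = max(net.prefixlen for net, _ in matches)
        return {nh for net, nh in matches if net.prefixlen == longest}


if __name__ == "__main__":
    table = RouteTable()
    table.set_ip_route("default", "10.10.10.1")
    table.set_ip_route("10.10.10.68/24", "10.10.10.1")   # the page's example route
    table.clear_ip_route("10.10.10.68", "255.255.255.0", "10.10.10.1")  # same route, other form
    print(sorted(str(n) for n, _ in table.routes))
```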
clear ntp server
Removes an NTP server from an MX configuration.
Syntax
clear ntp server {ip-addr | all}
ip-addr IP address of the server to remove, in dotted decimal notation.
all Removes all NTP servers from the configuration.
Defaults
None.
Access
Enabled.
History
Introduced in MSS Version 1.0.
Examples
The following command removes NTP server 192.168.40.240 from an MX configuration:
MX# clear ntp server 192.168.40.240
success: change accepted.
See Also
clear ntp update-interval on page 8-96
set ntp on page 8-114
set ntp server on page 8-114
set ntp update-interval on page 8-115
show ntp on page 8-140
clear ntp update-interval
Resets the NTP update interval to the default value.
Syntax
clear ntp update-interval
Defaults
The default NTP update interval is 64 seconds.
Access
Enabled.
History
Introduced in MSS Version 1.0.
Examples
To reset the NTP interval to the default value, type the following command:
MX# clear ntp update-interval
success: change accepted.
See Also
clear ntp server on page 8-96
set ntp on page 8-114
set ntp server on page 8-114
set ntp update-interval on page 8-115
show ntp on page 8-140
clear snmp community
Clears an SNMP community string.
Syntax
clear snmp community name community-name
community-name Name of the SNMP community you want to clear.
Defaults
None.
Access
Enabled.
History
Introduced in MSS Version 4.0.
Examples
The following command clears community string setswitch2:
MX# clear snmp community name setswitch2
success: change accepted.
See Also
set snmp community on page 8-116
show snmp community on page 8-141
clear snmp notify profile
Clears an SNMP notification profile.
Syntax
clear snmp notify profile profile-name
profile-name Name of the notification profile you are clearing.
Defaults
None.
Access
Enabled.
History
Introduced in MSS Version 4.0.
Examples
The following command clears notification profile snmpprof_rfdetect:
MX# clear snmp notify profile snmpprof_rfdetect
success: change accepted.
See Also
set snmp notify profile on page 8-118
show snmp notify profile on page 8-142
clear snmp notify target
Clears an SNMP notification target.
Syntax
clear snmp notify target notify-target-id
notify-target-id ID of the target.
Defaults
None.
Access
Enabled.
History
MSS Version 4.0 Command introduced.
MSS Version 7.0 target-num changed to notify-target-id.
Examples
The following command clears notification target 3:
MX# clear snmp notify target 3
success: change accepted.
See Also
set snmp notify target on page 8-121
show snmp notify target on page 8-142
clear snmp trap receiver
This command is deprecated in MSS Version 4.0. To clear an SNMP notification target (also called trap receiver), see clear snmp notify target on page 8-98.
clear snmp usm
Clears an SNMPv3 user.
Syntax
clear snmp usm usm-user-name
usm-user-name Name of the SNMPv3 user to clear.
Defaults
None.
Access
Enabled.
History
Introduced in MSS Version 4.0.
Examples
The following command clears SNMPv3 user snmpmgr1:
MX# clear snmp usm snmpmgr1
success: change accepted.
See Also
set snmp usm on page 8-126
show snmp usm on page 8-143
clear summertime
Clears the summertime setting from an MX.
Syntax
clear summertime
Defaults
None.
Access
Enabled.
History
Introduced in MSS Version 1.0.
Examples
To clear the summertime setting from an MX, type the following command:
MX# clear summertime
success: change accepted.
See Also
clear timezone on page 8-100
set summertime on page 8-128
set timedate on page 8-130
set timezone on page 8-130
show summertime on page 8-143
show timedate on page 8-144
show timezone on page 8-144
clear system ip-address
Clears the system IP address.
Syntax
clear system ip-address
Defaults
None.
Access
Enabled.
History
Introduced in MSS Version 1.0.
Usage
Clearing the system IP address can interfere with system tasks using the system IP
address, including the following:
Mobility Domain operations
Topology reporting for dual-homed MPs
Default source IP address used in unsolicited communications such as AAA accounting reports
and SNMP traps
Examples
Warning! Clearing the system IP address disrupts the system tasks that use the address.
To clear the system IP address, type the following command:
MX# clear system ip-address
success: change accepted.
See Also
set system ip-address on page 8-129
show system on page 4-40
clear timezone
Clears the time offset of the MX real-time clock from Coordinated Universal Time (UTC). UTC is also known as Greenwich Mean Time (GMT).
Syntax
clear timezone
Defaults
None.
Access
Enabled.
History
Introduced in MSS Version 1.0.
Examples
To return the MX real-time clock to UTC, type the following command:
MX# clear timezone
success: change accepted.
See Also
clear summertime on page 8-99
set summertime on page 8-128
set timedate on page 8-130
set timezone on page 8-130
show summertime on page 8-143
show timedate on page 8-144
show timezone on page 8-144
ping
Tests IP connectivity between an MX and another device. MSS sends an Internet Control Message
Protocol (ICMP) echo packet to the specified device and listens for a reply packet.
Syntax
ping host [count num-packets] [dnf] [flood] [interval time] [size size] [tos tos] [user [count num-packets] [dnf] [flood] [interval time] [size size] [tos tos]]
host IP address, MAC address, hostname, alias, or user to ping.
count
num-packets
Number of ping packets to send. You can specify from 0 through 2,147,483,647. If
you enter 0, MSS pings continuously until you interrupt the command.
dnf Enables the Do Not Fragment bit in the ping packet to prevent fragmenting the
packet.
flood Sends new ping packets as quickly as replies are received, or 100 times per second,
whichever is greater.
Note: Use the flood option sparingly. This option creates a lot of traffic
and can affect other traffic on the network.
interval time Time interval between ping packets, in milliseconds. You can specify from 100 through 10,000.
size size Packet size, in bytes. You can specify from 56 through 65,507.
Note: Because the MX adds header information, the ICMP packet size is 8 bytes larger than the specified size.
tos tos Sets the ToS byte in the IP header. You can specify an integer from 0 to 255.
user Interprets the host argument as a user name.
Defaults
count—5.
dnf—Disabled.
interval—100 (one tenth of a second).
size—56.
Access
Enabled.
History
Version 1.0 Command introduced.
Version 3.0 user option deprecated.
Version 7.0 tos and user options added.
Usage
To stop a ping command in progress, press Ctrl+C.
An MX cannot ping its own IP address; MSS does not support this.
Examples
The following command pings a device that has IP address 10.1.1.1:
MX# ping 10.1.1.1
PING 10.1.1.1 (10.1.1.1) from 10.9.4.34 : 56(84) bytes of data.
64 bytes from 10.1.1.1: icmp_seq=1 ttl=255 time=0.769 ms
64 bytes from 10.1.1.1: icmp_seq=2 ttl=255 time=0.628 ms
64 bytes from 10.1.1.1: icmp_seq=3 ttl=255 time=0.676 ms
64 bytes from 10.1.1.1: icmp_seq=4 ttl=255 time=0.619 ms
64 bytes from 10.1.1.1: icmp_seq=5 ttl=255 time=0.608 ms
--- 10.1.1.1 ping statistics ---
5 packets transmitted, 5 packets received, 0 errors, 0% packet loss
See Also
traceroute on page 8-146
set arp
Adds an ARP entry to the ARP table.
Syntax
set arp {permanent | static | dynamic} ip-addr mac-addr
permanent Adds a permanent entry. A permanent entry does not age out and remains in the database even after a reboot, reset, or power cycle.
static Adds a static entry. A static entry does not age out, but the entry does not remain in the database after a reboot, reset, or power cycle.
dynamic Adds a dynamic entry. A dynamic entry is automatically removed if the entry ages out, or after a reboot, reset, or power cycle.
Defaults
None.
Access
Enabled.
History
Introduced in MSS Version 1.0.
Examples
The following command adds a static ARP entry that maps IP address 10.10.10.1 to MAC
address 00:bb:cc:dd:ee:ff:
MX# set arp static 10.10.10.1 00:bb:cc:dd:ee:ff
success: added arp 10.10.10.1 at 00:bb:cc:dd:ee:ff on VLAN 1
See Also
set arp agingtime on page 8-102
show arp on page 8-131
set arp agingtime
Changes the aging timeout for dynamic ARP entries.
Syntax
set arp agingtime seconds
Defaults
The default aging timeout is 1200 seconds.
Access
Enabled.
History
Introduced in MSS Version 1.0.
Usage
Aging applies only to dynamic entries.
To reset the ARP aging timeout to its default value, use the set arp agingtime 1200 command.
Examples
The following command changes the ARP aging timeout to 1800 seconds:
MX# set arp agingtime 1800
success: set arp aging time to 1800 seconds
The following command disables ARP aging:
MX# set arp agingtime 0
success: set arp aging time to 0 seconds
See Also
set arp on page 8-101
show arp on page 8-131
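The three entry types of set arp and the timer of set arp agingtime differ only in what removes an entry: the aging timer, a reboot, or neither. The following Python is an added example, not MSS code, that models those rules with a caller-supplied clock (the now arguments and the touch() method are assumptions of the model, standing in for the switch's own idle timer); it is useful for reasoning about which administrator-set entries remain after an aging interval or a reset, and for checking that agingtime 0 disables aging without touching permanent or static entries.

```python
"""Model of the ARP entry types and aging timer described for set arp and
set arp agingtime (added example; not MSS code)."""
from dataclasses import dataclass


@dataclass
class ArpEntry:
    kind: str         # "permanent", "static" or "dynamic"
    mac: str
    last_used: float  # seconds on the caller's clock (model assumption)


class ArpTable:
    KINDS = ("permanent", "static", "dynamic")

    def __init__(self, agingtime=1200):  # 1200 seconds is the page's default
        self.agingtime = agingtime
        self.entries = {}  # ip -> ArpEntry

    def set_arp_agingtime(self, seconds):
        """`set arp agingtime seconds`: 0 through 1,000,000; 0 disables aging."""
        if not 0 <= seconds <= 1_000_000:
            raise ValueError("agingtime must be 0 through 1,000,000 seconds")
        self.agingtime = seconds

    def set_arp(self, kind, ip, mac, now):
        """`set arp {permanent | static | dynamic} ip-addr mac-addr`."""
        if kind not in self.KINDS:
            raise ValueError(f"entry type must be one of {self.KINDS}")
        self.entries[ip] = ArpEntry(kind, mac.lower(), now)

    def touch(self, ip, now):
        """Record that the entry was used, restarting its idle period (model assumption)."""
        self.entries[ip].last_used = now

    def age(self, now):
        """Remove dynamic entries idle longer than agingtime; return the IPs removed.

        Aging applies only to dynamic entries, and agingtime 0 disables it.
        """
        if self.agingtime == 0:
            return []
        expired = sorted(ip for ip, e in self.entries.items()
                         if e.kind == "dynamic" and now - e.last_used > self.agingtime)
        for ip in expired:
            del self.entries[ip]
        return expired

    def reboot(self):
        """Only permanent entries survive a reboot, reset or power cycle; return what remains."""
        self.entries = {ip: e for ip, e in self.entries.items() if e.kind == "permanent"}
        return sorted(self.entries)


if __name__ == "__main__":
    table = ArpTable()
    table.set_arp("static", "10.10.10.1", "00:bb:cc:dd:ee:ff", now=0)  # the page's example
    table.set_arp("dynamic", "10.10.10.7", "00:11:22:aa:bb:cc", now=0)  # constructed
    print(table.age(now=1300))   # only the dynamic entry is removed
    print(table.reboot())        # the static entry does not survive a reboot
```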
set interface
Configures an IP interface on a VLAN.
ip-addr IP address of the entry, in dotted decimal notation.
mac-addr MAC address to map to the IP address. Use colons to separate the octets (for example,
00:11:22:aa:bb:cc).
seconds Number of seconds an entry can remain unused before MSS removes the entry. You can
specify from 0 through 1,000,000. To disable aging, specify 0.
Syntax
set interface vlan-id ip {ip-addr mask | ip-addr/mask-length}
vlan-id VLAN name or number.
ip-addr mask IP address and subnet mask in dotted decimal notation (for example, 10.10.10.10 255.255.255.0).
ip-addr/mask-length IP address and subnet mask length in CIDR format (for example, 10.10.10.10/24).
Defaults
None.
Access
Enabled.
History
Introduced in MSS Version 1.0.
Usage
You can assign one IP interface to each VLAN.
If an interface is already configured on the specified VLAN, this command replaces the interface. If you replace an interface in use as the system IP address, replacing the interface can interfere with system tasks that use the system IP address, including the following:
Mobility domain operations
Topology reporting for dual-homed MPs
Default source IP address used in unsolicited communications such as AAA accounting reports and SNMP traps
Examples
The following command configures IP interface 10.10.10.10/24 on VLAN default:
MX# set interface default ip 10.10.10.10/24
success: set ip address 10.10.10.10 netmask 255.255.255.0 on vlan default
The following command configures IP interface 10.10.20.10 255.255.255.0 on VLAN mauve:
MX# set interface mauve ip 10.10.20.10 255.255.255.0
success: set ip address 10.10.20.10 netmask 255.255.255.0 on vlan mauve
See Also
clear interface on page 8-92
set interface status on page 8-106
show interface on page 8-135
set interface dhcp-client
Configures the DHCP client on a VLAN and allows the VLAN to obtain an IP interface from a DHCP server.
Syntax
set interface vlan-id ip dhcp-client {enable | disable}
vlan-id VLAN name or number.
enable Enables the DHCP client on the VLAN.
disable Disables the DHCP client on the VLAN.
Defaults
The DHCP client is enabled by default on an unconfigured MXR-2 when the factory reset switch is pressed and held during power on.
The DHCP client is disabled by default on all other MX models, and is disabled on an MXR-2 if it is already configured, or the factory reset switch is not pressed and held during power on.
Access
Enabled.
History
Introduced in MSS Version 4.0.
Usage
You can enable the DHCP client on one VLAN only. You can configure the DHCP client on
more than one VLAN, but the client can be active on only one VLAN.
MSS also has a configurable DHCP server. (See set interface dhcp-server on page 8-104.) You
can configure a DHCP client and DHCP server on the same VLAN, but only the client or the
server can be enabled. The DHCP client and DHCP server cannot both be enabled on the same
VLAN at the same time.
Examples
The following command enables the DHCP client on VLAN corpvlan:
MX# set interface corpvlan ip dhcp-client enable
success: change accepted.
See Also
clear interface on page 8-92
show dhcp-client on page 8-132
show interface on page 8-135
set interface dhcp-server
Configures the MSS DHCP server.
Syntax
set interface vlan-id ip dhcp-server [enable | disable] [start ip-addr1 stop ip-addr2] [dns-domain domain-name] [primary-dns ip-addr [secondary-dns ip-addr]] [default-router ip-addr]
vlan-id VLAN name or number.
enable Enables the DHCP server.
disable Disables the DHCP server.
start ip-addr1 Specifies the beginning address of the address range.
stop ip-addr2 Specifies the ending address of the address range.
dns-domain domain-name Name of the DHCP client’s default DNS domain.
primary-dns ip-addr [secondary-dns ip-addr] IP addresses of the DNS servers for the DHCP client.
default-router ip-addr IP address of the DHCP client default router.
Defaults
The DHCP server is enabled by default on a new (unconfigured) MXR-2, MX-8, MX-200, or MX-216, in order to provide an IP address to the host connected to the MX for access to the Web Quick Start. On all MX models, the DHCP server is enabled and cannot be disabled for directly connected MPs.
The DHCP server is disabled by default for any other use.
Note:
Use of the MSS DHCP server to allocate client addresses is intended for temporary, demonstration deployments and not for production networks. It is recommended that you do not use the MSS DHCP server to allocate client addresses in a production network.
Access
Enabled.
History
Version 4.0 Command introduced
Usage
By default, all addresses except the host address of the VLAN, the network broadcast
address, and the subnet broadcast address are included in the range. If you specify the range, the
start address must be lower than the stop address, and all addresses must be in the same subnet.
The IP interface of the VLAN must be within the same subnet but is not required to be within the
range.
Specification of the DNS domain name, DNS servers, and default router is optional. If you omit one or more of these options, the MSS DHCP server uses the values configured elsewhere on the switch:
DNS domain name—If this option is not set with the set interface dhcp-server command
dns-domain option, the MSS DHCP server uses the value set by the set ip dns domain
command.
DNS servers—If these options are not set with the set interface dhcp-server command
primary-dns and secondary-dns options, the MSS DHCP server uses the values set by the
set ip dns server command.
Default router—If this option is not set with the set interface dhcp-server command
default-router option, the MSS DHCP server can use the value set by the set ip route
command. A default route configured by set ip route can be used if the route is in the DHCP
client subnet. Otherwise, the MSS DHCP server does not specify a router address.
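The range and fallback rules above can be modelled to check a planned dhcp-server configuration before typing it in. This is an added example, not code from the guide or from MSS: SwitchConfig is a constructed stand-in for the values set with set ip dns domain, set ip dns server and set ip route default, and the sample addresses are made up.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class SwitchConfig:
    """Values 'configured elsewhere on the switch' that the DHCP server falls
    back to. Constructed model of the usage text, not an MX API."""
    dns_domain: Optional[str] = None                       # set ip dns domain
    dns_servers: List[str] = field(default_factory=list)   # set ip dns server ... primary/secondary
    default_routes: List[str] = field(default_factory=list)  # next hops from set ip route default


def default_pool(interface_cidr: str) -> List[str]:
    """Addresses served when no start/stop range is given: every address in the
    VLAN subnet except the MX's own interface address, the network address and
    the subnet broadcast address."""
    iface = ipaddress.ip_interface(interface_cidr)
    # hosts() already leaves out the network and broadcast addresses
    return [str(a) for a in iface.network.hosts() if a != iface.ip]


def validate_range(interface_cidr: str, start: str, stop: str) -> List[str]:
    """Check an explicit start/stop range against the documented constraints:
    start lower than stop, both inside the interface subnet. The interface
    address itself must be in the subnet but need not fall inside the range.
    Returns the list of problems; empty means acceptable."""
    net = ipaddress.ip_interface(interface_cidr).network
    s, e = ipaddress.ip_address(start), ipaddress.ip_address(stop)
    problems = []
    if s >= e:
        problems.append("start address must be lower than the stop address")
    if s not in net or e not in net:
        problems.append(f"start and stop must both lie in the interface subnet {net}")
    return problems


def effective_options(interface_cidr: str, cfg: SwitchConfig, dns_domain=None,
                      primary_dns=None, secondary_dns=None, default_router=None) -> dict:
    """Resolve the options the server hands out, applying the fallbacks from the
    usage text: dns-domain -> set ip dns domain; primary/secondary-dns ->
    set ip dns server; default-router -> a 'set ip route default' next hop,
    but only if that next hop lies in the DHCP client subnet, otherwise none."""
    net = ipaddress.ip_interface(interface_cidr).network
    servers = [s for s in (primary_dns, secondary_dns) if s] or list(cfg.dns_servers)
    router = default_router
    if router is None:
        router = next((nh for nh in cfg.default_routes if ipaddress.ip_address(nh) in net), None)
    return {"dns-domain": dns_domain or cfg.dns_domain,
            "dns-servers": servers,
            "default-router": router}


if __name__ == "__main__":
    # Constructed sample: the guide's red-vlan range, with two default routes on the switch
    cfg = SwitchConfig(dns_domain="example.com", dns_servers=["10.10.10.50"],
                       default_routes=["10.5.4.1", "192.168.1.254"])
    print(validate_range("192.168.1.1/24", "192.168.1.5", "192.168.1.25"))
    print(effective_options("192.168.1.1/24", cfg))
```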
Examples
The following command enables the DHCP server on VLAN red-vlan to serve addresses
from the 192.168.1.5 to 192.168.1.25 range:
MX# set interface red-vlan ip dhcp-server enable start 192.168.1.5 stop 192.168.1.25
success: change accepted.
See Also
set ip dns domain on page 8-107
set ip dns server on page 8-108
show dhcp-server on page 8-133
set interface security
Configures the IPSec client for the interface.
Syntax
set interface int_id ip security destination dst_addr spi spi encrypt-algo
[3des-cbc 3des_cbc_key | aes-cbc aes_cbc_key]
auth-algo [hmac hmac_key | sha1 sha1_key]
Defaults
None
Access
Enabled
History
Added in MSS 7.1
Usage
IPSec is a general-purpose Internet security protocol that can protect layer 4 protocols, including both TCP and UDP. IPSec has an advantage over SSL and other methods because the application does not need to be designed to use IPSec, unlike higher-layer protocols that must be incorporated into the design of an application.
Examples
To set the IPSec parameters, use the following command:
MX# set interface 1 ip security destination 192.168.1.100 spi 200 encrypt-algo aes-cbc thisistheencrkey auth-algo hmac -sha1 theauthenticationkey
To enable the IPSec parameters, use the following command:
MX# set interface <int id> ip security destination <dst_addr> <enable|disable>
History (set interface dhcp-server, continued)
Version 5.0 New options added:
dns-domain
primary-dns and secondary-dns
default-router
set interface status
Administratively disables or reenables an IP interface.
Syntax
set interface vlan-id status {up | down}
vlan-id VLAN name or number.
up Enables the interface.
down Disables the interface.
Defaults
IP interfaces are enabled by default.
Access
Enabled.
History
Introduced in MSS Version 1.0.
Examples
The following command disables the IP interface on VLAN mauve:
MX# set interface mauve status down
success: set interface mauve to down
See Also
clear interface on page 8-92
set interface on page 8-102
show interface on page 8-135
set ip alias
Configures an alias, which maps a name to an IP address. You can use aliases as shortcuts in CLI commands.
Syntax
set ip alias name ip-addr
name String of up to 32 alphanumeric characters, with no spaces.
ip-addr IP address in dotted decimal notation.
Defaults
None.
Access
Enabled.
History
Introduced in MSS Version 1.0.
Examples
The following command configures the alias HR1 for IP address 192.168.1.2:
MX# set ip alias HR1 192.168.1.2
success: change accepted.
See Also
clear ip alias on page 8-93
show ip alias on page 8-136
set ip dns
Enables or disables DNS on an MX.
Syntax
set ip dns {enable | disable}
enable Enables DNS.
disable Disables DNS.
Defaults
DNS is disabled by default.
Access
Enabled.
History
Introduced in MSS Version 1.0.
Examples
The following command enables DNS on an MX:
MX# set ip dns enable
Start DNS Client
See Also
clear ip dns domain on page 8-94
clear ip dns server on page 8-94
set ip dns domain on page 8-107
set ip dns server on page 8-108
show ip dns on page 8-136
set ip dns domain
Configures a default domain name for DNS queries. The MX appends the default domain name to domain names or hostnames you enter in commands.
Syntax
set ip dns domain name
name Domain name of between 1 and 64 alphanumeric characters with no spaces (for example, example.org).
Defaults
None.
Access
Enabled.
History
Introduced in MSS Version 1.0.
Usage
To override the default domain name when entering a hostname in a CLI command, enter a period at the end of the hostname. For example, if the default domain name is example.com, enter chris. if the fully qualified hostname is chris and not chris.example.com.
Aliases take precedence over DNS. When you enter a hostname, MSS checks for an alias with that name first, before using DNS to resolve the name.
Examples
The following command configures the default domain name example.com:
MX# set ip dns domain example.com
Domain name changed
See Also
clear ip dns domain on page 8-94
clear ip dns server on page 8-94
set ip dns on page 8-107
set ip dns server on page 8-108
show ip dns on page 8-136
set ip dns server
Specifies a DNS server to use for resolving hostnames you enter in CLI commands.
Syntax
set ip dns server ip-addr {primary | secondary}
ip-addr IP address of a DNS server, in dotted decimal or CIDR notation.
primary Defines the server as the primary server that MSS always consults first for resolving DNS queries.
secondary Defines the server as a secondary server. MSS consults a secondary server only if the primary server does not reply.
Defaults
None.
Access
Enabled.
History
Introduced in MSS Version 1.0.
Usage
You can configure an MX to use one primary DNS server and up to five secondary DNS servers.
Examples
The following commands configure an MX to use a primary DNS server and two secondary DNS servers:
MX# set ip dns server 10.10.10.50/24 primary
success: change accepted.
MX# set ip dns server 10.10.20.69/24 secondary
success: change accepted.
MX# set ip dns server 10.10.30.69/24 secondary
success: change accepted.
See Also
clear ip dns domain on page 8-94
clear ip dns server on page 8-94
set ip dns on page 8-107
set ip dns domain on page 8-107
show ip dns on page 8-136
set ip https authentication
Specifies how incoming HTTPS requests are authenticated: with the legacy enable password or through AAA.
Syntax
set ip https authentication {legacy | aaa}
legacy Uses the enable password on the MX.
aaa Requires a configured user with service-type 6 (administrative) privileges.
Defaults
None
Access
Enabled
History
Introduced in MSS 7.1
set ip https server
Enables the HTTPS server on an MX. The HTTPS server is required for Web View access to the switch.
Syntax
set ip https server {enable | disable}
enable Enables the HTTPS server.
disable Disables the HTTPS server.
Defaults
The HTTPS server is disabled by default.
Access
Enabled.
History
Version 1.0 Command introduced
Version 3.2
Default changed to disabled
HTTPS server no longer required for WebAAA
Warning!
If you disable the HTTPS server, Web View access to the MX is disabled.
Examples
The following command enables the HTTPS server on an MX:
MX# set ip https server enable
success: change accepted.
See Also
clear ip telnet on page 8-95
set ip telnet on page 8-112
set ip telnet server on page 8-113
show ip https on page 8-137
show ip telnet on page 8-139
set ip route
Adds a static route to the IP route table.
Syntax
set ip route {default | ip-addr mask | ip-addr/mask-length} default-router metric
default Default route. An MX uses the default route if an explicit route is not available for the destination.
Note: default is an alias for IP address 0.0.0.0/0.
ip-addr mask IP address and subnet mask for the route destination, in dotted decimal notation (for example, 10.10.10.10 255.255.255.0).
ip-addr/mask-length IP address and subnet mask length in CIDR format (for example, 10.10.10.10/24).
default-router IP address, DNS hostname, or alias of the next-hop router.
metric Cost for using the route. You can specify a value from 0 through 2,147,483,647. Lower-cost routes are preferred over higher-cost routes.
Defaults
None.
Access
Enabled.
History
Version 1.0 Command introduced
Version 1.1
Support added for CIDR notation
Support added for up to 4 default routes and four static routes to an explicit destination
Usage
MSS can use a static route only if a direct route in the route table resolves the static route. MSS adds routes with next-hop types Local and Direct when you add an IP interface to a VLAN, if the VLAN is available. If one of the added routes can resolve the static route, MSS can use the static route.
Before you add a static route, use the show interface command to verify that the MX has an IP interface in the same subnet as the next-hop router. If not, the VLAN:Interface field of the show ip route command output shows that the route is down.
You can configure a maximum of 4 routes per destination. This includes default routes, which have destination 0.0.0.0/0. Each route to a given destination must have a unique router address.
When the route table contains multiple default or explicit routes to the same destination, MSS uses the route with the lowest cost. If two or more routes to the same destination have the lowest cost, MSS selects the first route in the route table.
When you add multiple routes to the same destination, MSS groups the routes and lists them from lowest cost at the top of the group to highest cost at the bottom of the group. If you add a new route with the same destination and cost as a route already in the table, MSS places the new route at the top of the group of routes with the same cost.
Examples
The following command adds a default route that uses default router 10.5.4.1 and gives the route a cost of 1:
MX# set ip route default 10.5.4.1 1
success: change accepted.
The following commands add two default routes, and configure MSS to always use the route through 10.2.4.69 when the MX interface to that default router is up:
MX# set ip route default 10.2.4.69 1
success: change accepted.
MX# set ip route default 10.2.4.17 2
success: change accepted.
The following command adds an explicit route from an MX to any host on the 192.168.4.x subnet through the local router 10.5.4.2, and gives the route a cost of 1:
MX# set ip route 192.168.4.0 255.255.255.0 10.5.4.2 1
success: change accepted.
The following command adds another explicit route, using CIDR notation to specify the subnet mask:
MX# set ip route 192.168.5.0/24 10.5.5.2 1
success: change accepted.
See Also
clear ip route on page 8-95
show interface on page 8-135
show ip route on page 8-138
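The route-selection rules in the set ip route usage text (at most four routes per destination, a unique router per destination, lowest cost wins, ties go to the first route in the table, a new route of equal cost goes to the top of its cost group, and a static route is usable only when an IP interface resolves its next hop) as a runnable model. This is an added example, not MSS code: RouteTable, its interface list and the sample addresses are constructed, and next hops are modelled as IP addresses only (the command also accepts DNS hostnames and aliases).

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

MAX_ROUTES_PER_DESTINATION = 4  # documented limit, default routes included


@dataclass
class Route:
    dest: ipaddress.IPv4Network
    router: ipaddress.IPv4Address
    cost: int


def parse_destination(dest: str) -> ipaddress.IPv4Network:
    """Accept the three forms the command takes: 'default' (alias for 0.0.0.0/0),
    'ip-addr mask' in dotted decimal, or 'ip-addr/mask-length' in CIDR."""
    if dest == "default":
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(dest.replace(" ", "/"), strict=False)


class RouteTable:
    def __init__(self, interfaces: List[str]):
        # IP interfaces of the MX (what show interface would list); a static route
        # is up only when one of them is in the same subnet as its next hop
        self.interfaces = [ipaddress.ip_interface(i).network for i in interfaces]
        self.routes: List[Route] = []  # kept in MSS display order

    def add(self, dest: str, router: str, cost: int) -> None:
        """Model 'set ip route dest default-router metric' with the ordering
        rules: routes to one destination are grouped lowest cost first, and a
        new route that ties an existing cost goes to the top of that cost group."""
        if not 0 <= cost <= 2147483647:
            raise ValueError("metric must be 0 through 2,147,483,647")
        new = Route(parse_destination(dest), ipaddress.ip_address(router), cost)
        group = [i for i, r in enumerate(self.routes) if r.dest == new.dest]
        if any(self.routes[i].router == new.router for i in group):
            raise ValueError("each route to a destination must have a unique router address")
        if len(group) >= MAX_ROUTES_PER_DESTINATION:
            raise ValueError(f"at most {MAX_ROUTES_PER_DESTINATION} routes per destination")
        # first route of this destination whose cost is not lower than the new one
        pos = next((i for i in group if self.routes[i].cost >= cost), None)
        if pos is None:
            pos = group[-1] + 1 if group else len(self.routes)
        self.routes.insert(pos, new)

    def is_up(self, route: Route) -> bool:
        return any(route.router in net for net in self.interfaces)

    def best(self, dest: str) -> Optional[Route]:
        """Lowest-cost usable route to dest; ties resolve to the first in table order."""
        target = parse_destination(dest)
        return next((r for r in self.routes if r.dest == target and self.is_up(r)), None)

    def lookup(self, host: str) -> Optional[Route]:
        """Forwarding lookup: the most specific explicit route with a usable next
        hop, falling back to the default route when no explicit route is available."""
        ip = ipaddress.ip_address(host)
        nets = sorted({r.dest for r in self.routes if ip in r.dest},
                      key=lambda n: n.prefixlen, reverse=True)
        for net in nets:
            r = self.best(str(net))
            if r:
                return r
        return None


if __name__ == "__main__":
    # Constructed sample mirroring the guide's examples
    rt = RouteTable(interfaces=["10.2.4.5/24", "10.5.4.10/24"])
    rt.add("default", "10.2.4.69", 1)
    rt.add("default", "10.2.4.17", 2)
    rt.add("192.168.4.0 255.255.255.0", "10.5.4.2", 1)
    print(rt.lookup("192.168.4.7"), rt.lookup("8.8.8.8"))
```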
set ip snmp server
Enables or disables the SNMP service on the MX.
Syntax
set ip snmp server {enable | disable}
enable Enables the SNMP service.
disable Disables the SNMP service.
Defaults
The SNMP service is disabled by default.
Access
Enabled.
History
Introduced in MSS Version 1.0.
Examples
The following command enables the SNMP server on an MX:
MX# set ip snmp server enable
success: change accepted.
See Also
clear snmp trap receiver on page 8-98
set port trap on page 5-59
set snmp community on page 8-116
set snmp trap on page 8-125
set snmp trap receiver on page 8-125
show snmp configuration on page 8-141
set ip ssh
Changes the TCP port number on which an MX listens for Secure Shell (SSH) management traffic.
Syntax
set ip ssh port port-num
port-num TCP port number.
Defaults
The default SSH port number is 22.
Access
Enabled.
History
Introduced in MSS Version 2.0.
Warning!
If you change the SSH port number from an SSH session, MSS immediately ends the session. To open a new management session, you must configure the SSH client to use the new TCP port number.
Examples
The following command changes the SSH port number on an MX to 6000:
MX# set ip ssh port 6000
success: change accepted.
See Also
set ip ssh server on page 8-112
set ip ssh server
Disables or reenables the SSH server on an MX.
Syntax
set ip ssh server {enable | disable}
enable Enables the SSH server.
disable Disables the SSH server.
Defaults
The SSH server is enabled by default.
Access
Enabled.
History
Version 2.0 Command introduced
Version 2.1 Default changed from disabled to enabled.
Warning!
If you disable the SSH server, SSH access to the MX is also disabled.
Usage
SSH requires an SSH authentication key. You can generate one or allow MSS to generate one. The first time an SSH client attempts to access the SSH server on an MX, the MX automatically generates a 1024-byte SSH key. If you want to use a 2048-byte key instead, use the crypto generate key ssh 2048 command to generate one.
The maximum number of SSH sessions supported on an MX is eight. If Telnet is also enabled, the MX can have up to eight Telnet or SSH sessions, in any combination, and one Console session.
See Also
crypto generate key on page 16-412
set ip ssh on page 8-111
set ip telnet
Changes the TCP port number on which an MX listens for Telnet management traffic.
Syntax
set ip telnet port-num
port-num TCP port number.
Defaults
The default Telnet port number is 23.
Access
Enabled.
History
Introduced in MSS Version 1.0.
Warning!
If you change the Telnet port number from a Telnet session, MSS immediately ends the session. To open a new management session, you must Telnet to the switch with the new Telnet port number.
Examples
The following command changes the Telnet port number on an MX to 5000:
MX# set ip telnet 5000
success: change accepted.
See Also
clear ip telnet on page 8-95
set ip https server on page 8-109
set ip telnet server on page 8-113
show ip https on page 8-137
show ip telnet on page 8-139
set ip telnet server
Enables the Telnet server on an MX.
Syntax
set ip telnet server {enable | disable}
enable Enables the Telnet server.
disable Disables the Telnet server.
Defaults
The Telnet server is disabled by default.
Access
Enabled.
History
Version 1.0 Command introduced
Version 2.1 Default changed from enabled to disabled.
Warning!
If you disable the Telnet server, Telnet access to the MX is also disabled.
Usage
The maximum number of Telnet sessions supported on an MX is eight. If SSH is also enabled, the MX can have up to eight Telnet or SSH sessions, in any combination, and one console session.
Examples
The following command enables the Telnet server on an MX:
MX# set ip telnet server enable
success: change accepted.
See Also
clear ip telnet on page 8-95
set ip https server on page 8-109
set ip telnet on page 8-112
show ip https on page 8-137
show ip telnet on page 8-139
set ntp
Enables or disables the NTP client on an MX.
Syntax
set ntp {enable | disable}
enable Enables the NTP client.
disable Disables the NTP client.
Defaults
The NTP client is disabled by default.
Access
Enabled.
History
Introduced in MSS Version 1.0.
Usage
If NTP is configured on a system whose current time differs from the NTP server time by more than 10 minutes, convergence of the MX time can take many NTP update intervals. It is recommended that you set the time manually to the NTP server time before enabling NTP to avoid a significant delay in convergence.
Examples
The following command enables the NTP client:
MX# set ntp enable
success: NTP Client enabled
See Also
clear ntp server on page 8-96
clear ntp update-interval on page 8-96
set ntp server on page 8-114
set ntp update-interval on page 8-115
show ntp on page 8-140
set ntp server
Configures an MX to use an NTP server.
Syntax
set ntp server ip-addr
ip-addr IP address of the NTP server, in dotted decimal notation.
Defaults
None.
Access
Enabled.
History
Introduced in MSS Version 1.0.
Usage
You can configure up to three NTP servers. MSS queries all the servers and selects the best
response based on the method described in RFC 1305, Network Time Protocol (Version 3)
Specification, Implementation and Analysis.
To use NTP, you also must enable the NTP client with the set ntp command.
Examples
The following command configures an MX to use NTP server 192.168.1.5:
MX# set ntp server 192.168.1.5
See Also
clear ntp server on page 8-96
clear ntp update-interval on page 8-96
set ntp on page 8-114
set ntp update-interval on page 8-115
show ntp on page 8-140
set ntp update-interval
Changes how often an MX sends queries to the NTP servers for updates.
Syntax
set ntp update-interval seconds
seconds Number of seconds between queries. You can specify from 16 through 1024 seconds.
Defaults
The default NTP update interval is 64 seconds.
Access
Enabled.
History
Introduced in MSS Version 1.0.
Examples
The following command changes the NTP update interval to 128 seconds:
MX# set ntp update-interval 128
success: change accepted.
See Also
clear ntp server on page 8-96
clear ntp update-interval on page 8-96
set ntp on page 8-114
set ntp server on page 8-114
show ntp on page 8-140
set snmp community
Configures a community string for SNMPv1 or SNMPv2c.
Syntax
set snmp community name comm-string access {read-only | read-notify | notify-only | read-write | notify-read-write}
comm-string Name of the SNMP community. Specify between 1 and 32 alphanumeric characters, with no spaces.
read-only Allows an SNMP management application using the string to get (read) object values on the switch but not to set (write) them.
read-notify Allows an SNMP management application using the string to get object values on the MX but not to set them. The switch can use the string to send notifications.
notify-only Allows the MX to use the string to send notifications.
read-write Allows an SNMP management application using the string to get and set object values on the switch.
notify-read-write Allows an SNMP management application using the string to get and set object values on the switch. The MX also can use the string to send notifications.
Defaults
None.
Access
Enabled.
History
Version 1.0 Command introduced.
Version 3.1 Default community strings changed from public (for read-only) and private (for read-write) to blank.
Version 4.0 Default strings removed. There are no default strings in MSS Version 4.0.
New access types added for SNMPv3:
read-notify
notify-only
notify-read-write
Usage
SNMP community strings are passed as clear text in SNMPv1 and SNMPv2c. Trapeze Networks recommends that you use strings that cannot easily be guessed by unauthorized users. For example, do not use the well-known strings public and private.
If you are using SNMPv3, you can configure SNMPv3 users to use authentication and to encrypt SNMP data.
Note:
For SNMPv3, use the set snmp usm command to configure an SNMPv3 user. SNMPv3 does not use community strings.
Examples
The following command configures the read-write community good_community:
MX# set snmp community read-write good_community
success: change accepted.
The following command configures community string switchmgr1 with access level notify-read-write:
MX# set snmp community name switchmgr1 notify-read-write
success: change accepted.
See Also
clear snmp community on page 8-97
set ip snmp server on page 8-111
set snmp notify target on page 8-121
set snmp notify profile on page 8-118
set snmp protocol on page 8-124
set snmp usm on page 8-126
show snmp community on page 8-141
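The set snmp community usage text (clear-text SNMPv1/v2c strings, no public or private), together with the Telnet, HTTPS authentication and DHCP server cautions earlier in this chapter, can be checked mechanically against a saved configuration. The following Python is an added example, not part of the guide or of MSS: SAMPLE_CONFIG is constructed to follow the command syntax shown in this chapter, and parse_community and audit are hypothetical helper names.

```python
import re
from typing import Dict, List

# Constructed sample configuration following the command syntax in this chapter;
# it is not a capture from a real MX.
SAMPLE_CONFIG = """\
set ip telnet server enable
set ip ssh server enable
set ip https server enable
set ip https authentication legacy
set ip snmp server enable
set snmp community name public access read-only
set snmp community name switchmgr1 access notify-read-write
set snmp community read-write private
set interface red-vlan ip dhcp-server enable start 192.168.1.5 stop 192.168.1.25
"""

ACCESS_LEVELS = {"read-only", "read-notify", "notify-only", "read-write", "notify-read-write"}
WRITE_LEVELS = {"read-write", "notify-read-write"}
WELL_KNOWN = {"public", "private"}   # the strings the guide says not to use


def parse_community(line: str) -> Dict[str, str]:
    """Extract community string and access level from a 'set snmp community' line.
    Both the documented 'name X access LEVEL' form and the shorter forms in the
    guide's examples are accepted: the level is whichever token is a known access
    level, the string is the remaining token that is not a keyword."""
    tokens = line.split()[3:]
    access = next((t for t in tokens if t in ACCESS_LEVELS), None)
    rest = [t for t in tokens if t not in ACCESS_LEVELS and t not in ("name", "access")]
    return {"string": rest[0] if rest else "", "access": access or ""}


def audit(config: str) -> List[str]:
    """One finding per management-plane weakness this chapter warns about."""
    findings = []
    for line in config.splitlines():
        line = line.strip()
        if line == "set ip telnet server enable":
            findings.append("Telnet server enabled: management sessions are unencrypted; "
                            "use SSH (enabled by default) and leave Telnet disabled")
        elif line == "set ip https authentication legacy":
            findings.append("HTTPS authentication uses the shared enable password; "
                            "'aaa' requires a named administrative user")
        elif line.startswith("set snmp community"):
            c = parse_community(line)
            if c["string"] in WELL_KNOWN:
                findings.append(f"SNMP community '{c['string']}' is a well-known default string")
            if c["access"] in WRITE_LEVELS:
                findings.append(f"SNMP community '{c['string']}' grants write access over "
                                "clear-text SNMPv1/v2c; configure an SNMPv3 user with set snmp usm")
        elif re.match(r"set interface \S+ ip dhcp-server enable", line):
            findings.append("MSS DHCP server enabled for clients: intended for demonstration "
                            "deployments, not production networks")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("-", finding)
```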
set snmp community group
Sets the security group for the SNMP community. You can select from administrator or monitor.
Syntax
set snmp community name name group [group-name | admin | monitor]
Defaults
None
Access
Enabled
History
Added in Version 7.0
Usage
SNMPv3 is based on SNMPv1 and SNMPv2 but with the added capability of security and
administration. The Mobility System Software has a limited implementation of SNMPv3 that has
two predefined groups: Administration and Monitoring. These roles are defined as follows:
Monitoring – read access for everything but SNMP security configurations and prevents write
access.
Administration – read access for everything and write access for the MIBs sysName, sysContact,
sysLocation.
set snmp group
A group defines access rights afforded to users assigned to it.
Syntax
set snmp group name description description security-model [1 | 2 | usm]
security-level [noAuthNoPriv | authNoPriv | authPriv]
Defaults
None
Access
Enabled
History
Added in Version 7.0
Usage
Used to comply with the US Army TIC requirements.
Examples
To set the group eng_dev to security model usm with authorization privileges, use the
following command:
MX# set snmp group eng_dev security-model usm security-level authPriv
success: change accepted
set snmp notify profile
Configures an SNMP notification profile. A notification profile is a named list of all the notification types that can be generated by an MX, and for each notification type, the action to take (drop or send) when an event occurs.
You can configure up to ten notification profiles.
Syntax
set snmp notify profile {default | profile-name} {drop | send} {notification-type | all}
default | profile-name Name of the notification profile you are creating or modifying. The profile-name can be up to 32 alphanumeric characters long, with no spaces. To modify the default notification profile, specify default.
drop | send Specifies the action that the SNMP engine takes with regard to the notifications you specify with notification-type or all.
notification-type Name of the notification type:
ApManagerChangeTraps—Generated when a change occurs on an MX
managing MPs.
ApNonOperStatusTraps—Generated to indicate an MP radio is
nonoperational.
ApOperRadioStatusTraps—Generated when the status of an MP radio
changes.
ApRejectLicenseExceededTraps—Generated when the number of MPs exceeds the licenses.
AuthenTraps—Generated when the MX switch’s SNMP engine receives a bad
community string.
AutoTuneRadioChannelChangeTraps—Generated when the
RF Auto-Tuning feature changes the channel on a radio.
AutoTuneRadioPowerChangeTraps—Generated when the RF Auto-Tuning
feature changes the power setting on a radio.
ClientAssociationFailureTraps—Generated when a client’s attempt to
associate with a radio fails.
ClientAssociationSuccessTraps—Generated when a client associates
successfully.
ClientAuthenticationSuccessTraps—Generated when a client successfully
authenticates on the network.
ClientAuthenticationFailureTraps—Generated when authentication fails
for a client.
ClientAuthorizationSuccessTraps—Generated when a client is successfully
authorized.
ClientAuthorizationFailureTraps—Generated when authorization fails for a
client.
ClientClearedTraps—Generated when a client’s session is cleared.
ClientDeAssociationTraps—Generated when a client is dissociated from a
radio.
ClientDeAuthenticationTraps—Generated when a client
deauthenticates from a radio.
ClientDisconnectTraps—Generated when a client disconnects from the
radio.
ClientDot1xFailureTraps—Generated when a client experiences an 802.1X
failure.
ClientDynAuthorChangeFailureTraps—Generated when a RADIUS client
fails to dynamically change authorization on a RADIUS server.
ClientDynAuthorChangeSuccessTraps—Generated when a RADIUS client
successfully dynamically changes authorization on a RADIUS server.
ClientIPAddrChangeTraps—Generated when the IP address for a client
changes.
ClientRoamingTraps—Generated when a client roams.
ClusterFailureTraps—Generated when the cluster configuration fails on the
network.
ConfigurationsSavedTraps—Generated when a configuration is saved on an
MX.
CounterMeasureStartTraps—Generated when MSS begins countermeasures
against a rogue access point.
notification-type (cont.)
CounterMeasureStopTraps—Generated when MSS stops countermeasures against a rogue access point.
DeviceFailTraps—Generated when an event with an Alert severity occurs.
DeviceOkayTraps—Generated when a device returns to its normal state.
LinkDownTraps—Generated when the link is lost on a port.
LinkUpTraps—Generated when the link is detected on a port.
MichaelMICFailureTraps—Generated when two Michael message integrity code (MIC) failures occur within 60 seconds, triggering Wi-Fi Protected Access (WPA) countermeasures.
MobilityDomainFailBackTraps—Generated when a primary seed returns to primary status after a failover to a secondary seed.
MobilityDomainFailOverTraps—Generated when a secondary mobility domain seed becomes the primary seed when a failover occurs on the network.
MobilityDomainJoinTraps—Generated when the MX switch is initially able to contact a mobility domain seed member, or can contact the seed member after a timeout.
MobilityDomainResiliencyStatusTraps—Generated to report status information about the cluster configuration on the network.
MobilityDomainTimeoutTraps—Generated when a timeout occurs after an MX switch has unsuccessfully tried to communicate with a seed member.
PoEFailTraps—Generated when a serious PoE problem, such as a short circuit, occurs.
RFDetectAdhocUserTraps—Generated when MSS detects an ad-hoc user.
RFDetectAdhocUserDisappearTraps—Generated when an ad hoc user is no longer detected on the network.
RFDetectBlacklistedTraps—Generated when blacklisted APs are detected on the network.
RFDetectClassificationChangeTraps—Generated when the classification of a device changes.
RFDetectClientViaRogueWiredAPTraps—Generated when MSS detects, on the wired part of the network, the MAC address of a wireless client associated with a third-party AP.
RFDetectDoSPortTraps—Generated when MSS detects an associate request flood, reassociate request flood, or disassociate request flood.
RFDetectDoSTraps—Generated when MSS detects a DoS attack other than an associate request flood, reassociate request flood, or disassociate request flood.
RFDetectRogueDeviceTraps—Generated when MSS detects a rogue device.
RFDetectRogueDeviceDisappearTraps—Generated when a rogue device is no longer being detected.
RFDetectSuspectDeviceDisappearTraps—Generated when a suspect device disappears from the network.
RFDetectSuspectDeviceTraps—Generated when a wireless device not on the list of permitted vendors is detected.
all Sends or drops all notifications.
Defaults
A default notification profile (named default) is already configured on the MX. All notifications in the default profile are dropped by default.
Access
Enabled.
History
MSS Version 4.0 Command introduced.
MSS Version 7.0 Updated traps to reflect RF changes.
Examples
The following command changes the action in the default notification profile from drop to send for all notification types:
MX# set snmp notify profile default send all
success: change accepted.
The following commands create notification profile snmpprof_rfdetect, and change the action to
send for all RF detection notification types:
MX# set snmp notify profile snmpprof_rfdetect send RFDetectAdhocUserTraps
success: change accepted.
MX# set snmp notify profile snmpprof_rfdetect send RFDetectAdhocUserDisappearTraps
success: change accepted.
MX# set snmp notify profile snmpprof_rfdetect send RFDetectClientViaRogueWiredAPTraps
success: change accepted.
MX# set snmp notify profile snmpprof_rfdetect send RFDetectDoSTraps
success: change accepted.
MX# set snmp notify profile snmpprof_rfdetect send RFDetectRogueAPTraps
success: change accepted.
MX# set snmp notify profile snmpprof_rfdetect send RFDetectRogueDeviceDisappearTraps
success: change accepted.
See Also
clear snmp notify profile on page 8-97
set ip snmp server on page 8-111
set snmp community on page 8-116
set snmp notify target on page 8-121
set snmp protocol on page 8-124
set snmp usm on page 8-126
show snmp notify profile on page 8-142
set snmp notify target
Configures a notification target for notifications from SNMP.
A notification target is a remote device to which the MX sends SNMP notifications. You can configure
the MSS SNMP engine to send confirmed notifications (informs) or unconfirmed notifications
(traps). Some of the command options differ depending on the SNMP version and the type of
notification you specify. You can configure up to 10 notification targets.
SNMPv3 with Informs
To configure a notification target for informs from SNMPv3, use the following command:
Syntax
set snmp notify target target-num ip-addr[:udp-port-number]
usm inform user username
snmp-engine-id {ip | hex hex-string}
[profile profile-name]
[security {unsecured | authenticated | encrypted}]
[retries num][timeout num]
target-num ID for the target. This ID is local to the MX and does not need to
correspond to a value on the target. You can specify a number from 1 to
10.
ip-addr[:udp-port-number] IP address of the server. You also can specify the UDP port number to
send notifications to.
username USM username. This option is applicable only when the SNMP version is usm.
If the user sends informs rather than traps, you also must specify the snmp-engine-id of the target.
snmp-engine-id {ip | hex hex-string} SNMP engine ID of the target. Specify ip if the target SNMP engine ID is based on the IP address. If the target SNMP engine ID is a hexadecimal value, use hex hex-string to specify the value.
profile profile-name Notification profile that the SNMP user uses to specify the notification types to send or drop.
security {unsecured | authenticated | encrypted} Specifies the security level, and is applicable only when the SNMP version is usm:
unsecured—Message exchanges are not authenticated, nor are they encrypted. This is the default.
authenticated—Message exchanges are authenticated, but are not encrypted.
encrypted—Message exchanges are authenticated and encrypted.
retries num Specifies the number of times the MSS SNMP engine resends a notification that has not been acknowledged by the target. You can specify from 0 to 3 retries.
timeout num Specifies the number of seconds MSS waits for acknowledgement of a notification. You can specify from 1 to 5 seconds.
SNMPv3 with Traps
To configure a notification target for traps from SNMPv3, use the following command:
Syntax
set snmp notify target target-num ip-addr[:udp-port-number] usm trap user username [profile profile-name] [security {unsecured | authenticated | encrypted}]
target-num ID for the target. This ID is local to the MX and does not need to
correspond to a value on the target. You can specify a number from 1
to 10.
ip-addr[:udp-port-number] IP address of the server. You also can specify the UDP port number
to send notifications to.
username USM username. This option is applicable only when the SNMP
version is usm.
profile profile-name Notification profile this SNMP user uses to specify the notification
types to send or drop.
security {unsecured | authenticated
| encrypted}
Specifies the security level, and is applicable only when the SNMP
version is usm:
unsecured—Message exchanges are not authenticated, nor are
they encrypted. This is the default.
authenticated—Message exchanges are authenticated, but are
not encrypted.
encrypted—Message exchanges are authenticated and
encrypted.
IP Services Commands
IP Services Commands
8 – 123
SNMPv2c with Informs
To configure a notification target for informs from SNMPv2c, use the following command:
Syntax
set snmp notify target target-num ip-addr[:udp-port-number]
v2c community-string inform [profile profile-name] [retries num][timeout num]
SNMPv2c with Traps
To configure a notification target for traps from SNMPv2c, use the following command:
Syntax
set snmp notify target target-num ip-addr[:udp-port-number]
v2c community-string trap
[profile profile-name]
SNMPv1 with Traps
To configure a notification target for traps from SNMPv1, use the following command:
Syntax
set snmp notify target target-num ip-addr[:udp-port-number]
v1 community-string
[profile profile-name]
target-num ID for the target. This ID is local to the MX and does not need to
correspond to a value on the target. You can specify a number from 1
to 10.
ip-addr[:udp-port-number] IP address of the server. You also can specify the UDP port number
to send notifications to.
community-string Community string.
profile profile-name Notification profile this SNMP user will use to specify the
notification types to send or drop.
retries num Specifies the number of times the MSS SNMP engine resends a
notification that has not been acknowledged by the target. You can
specify from 0 to 3 retries.
timeout num Specifies the number of seconds MSS waits for acknowledgement of a
notification. You can specify from 1 to 5 seconds.
target-num ID for the target. This ID is local to the MX and does not need to
correspond to a value on the target itself. You can specify a number
from 1 to 10.
ip-addr[:udp-port-number] IP address of the server. You also can specify the UDP port number
to send notifications to.
community-string Community string.
profile profile-name Notification profile this SNMP user will use to specify the
notification types to send or drop.
target-num ID for the target. This ID is local to the MX and does not need to
correspond to a value on the target. You can specify a number from 1
to 10.
ip-addr[:udp-port-number] IP address of the server. You also can specify the UDP port number
to send notifications to.
community-string Community string.
profile profile-name Notification profile this SNMP user will use to specify the
notification types to send or drop.
Defaults
The default UDP port number on the target is 162. The default minimum required security
level is unsecured. The default number of retries is 0 and the default timeout is 2 seconds.
Access
Enabled.
History
Introduced in MSS Version 4.0.
Usage
The inform or trap option specifies whether the MSS SNMP engine expects the target to
acknowledge notifications sent to the target by the MX. Use inform if you want acknowledgements.
Use trap if you do not want acknowledgements. The inform option is applicable to SNMP version
v2c or usm only.
For usm targets the security level defaults to unsecured, which sends notifications with neither authentication nor encryption. Specify security authenticated or security encrypted, with a USM user whose auth-type and encrypt-type match, for targets that must receive integrity-protected or confidential notifications.
Examples
The following command configures a notification target for acknowledged notifications:
MX# set snmp notify target 1 10.10.40.9 usm inform user securesnmpmgr1 snmp-engine-id ip
success: change accepted.
This command configures target 1 at IP address 10.10.40.9. The target SNMP engine ID is based on
its address. The MSS SNMP engine sends notifications based on the default profile, and requires the
target to acknowledge receiving them.
The following command configures a notification target for unacknowledged notifications:
MX# set snmp notify target 2 10.10.40.10 v1 trap
success: change accepted.
Note that in the SNMPv1 syntax above the token after v1 is the community string, so in this command trap is the community string sent to target 2; replace it with the community string the target expects.
See Also
clear snmp notify target on page 8-98
set ip snmp server on page 8-111
set snmp community on page 8-116
set snmp notify profile on page 8-118
set snmp protocol on page 8-124
set snmp usm on page 8-126
show snmp notify target on page 8-142
set snmp protocol
Enables an SNMP protocol. MSS supports SNMPv1, SNMPv2c, and SNMPv3.
Syntax
set snmp protocol {v1 | v2c | usm | all} {enable | disable}
v1    SNMPv1
v2c    SNMPv2c
usm    SNMPv3 (with the user security model)
all    Enables all supported versions of SNMP.
enable    Enables the specified SNMP version(s).
disable    Disables the specified SNMP version(s).
Defaults
All SNMP versions are disabled by default.
Access
Enabled.
History
Introduced in MSS Version 4.0.
Usage
SNMP requires the MX system IP address to be set. SNMP does not work without the system
IP address.
You also must enable the SNMP service using the set ip snmp server command.
SNMPv1 and SNMPv2c authenticate requests only by a community string, which travels in cleartext; enable only usm unless a management station requires an older version.
Examples
The following command enables all SNMP versions:
MX# set snmp protocol all enable
success: change accepted.
See Also
set ip snmp server on page 8-111
set snmp community on page 8-116
set snmp notify target on page 8-121
set snmp notify profile on page 8-118
set snmp usm on page 8-126
show snmp status on page 8-142
set snmp security
This command is deprecated in MSS Version 7.0.
set snmp trap
This command is deprecated in MSS Version 4.0. To enable or disable SNMP notifications, configure a
notification profile. See set snmp notify profile on page 8-118.
set snmp traplog
Records traps sent by the SNMP agent, indexed from the oldest to the newest trap occurrence.
Syntax
set snmp traplog mode {enable | disable}
Defaults
None
Access
Enabled
History
Introduced in MSS 7.1
set snmp traplog filter
Controls the content of the SNMP traplog.
Syntax
set snmp traplog filter {log | ignore} {all | notify_name}
Defaults
None
Access
Enabled
History
Introduced in MSS 7.1
set snmp trap receiver
This command is deprecated in MSS Version 4.0. To configure an SNMP notification target (also
called trap receiver), see set snmp notify target on page 8-121.
set snmp usm
Creates a USM user for SNMPv3.
Syntax
set snmp usm usm-user-name snmp-engine-id {ip ip-addr | local | hex hex-string}
access {read-only | read-notify | notify-only | read-write | notify-read-write}
auth-type {none | md5 | sha} {auth-pass-phrase string | auth-key hex-string}
encrypt-type {none | des | 3des | aes} {encrypt-pass-phrase string |
encrypt-key hex-string}
Note:
This command does not apply to SNMPv1 or SNMPv2c. For these SNMP
versions, use the set snmp community command to configure community
strings.
usm-user-name    Name of the SNMPv3 user. Specify between 1 and 32 alphanumeric characters, with no spaces.
snmp-engine-id {ip ip-addr | local | hex hex-string}    Specifies a unique identifier for the SNMP engine. To send informs, you must specify the engine ID of the inform receiver. To send traps and to allow get and set operations and so on, specify local as the engine ID.
hex hex-string—ID is a hexadecimal string.
ip ip-addr—ID is based on the IP address of the station running the management application. Enter the IP address of the station. MSS calculates the engine ID based on the address.
local—Uses the value computed from the switch's system IP address.
access {read-only | read-notify | notify-only | read-write | notify-read-write}    Specifies the access level of the user:
read-only—An SNMP management application using this user can get (read) object values on the switch but cannot set (write) them.
read-notify—An SNMP management application using this user can get object values on the switch but cannot set them. The switch can use this user to send notifications.
notify-only—The switch can use this user to send notifications.
read-write—An SNMP management application using this user can get and set object values on the switch.
notify-read-write—An SNMP management application using this user can get and set object values on the switch. The switch can use this user to send notifications.
auth-type {none | md5 | sha} {auth-pass-phrase string | auth-key hex-string}    Specifies the authentication type used to authenticate communications with the remote SNMP engine. You can specify one of the following:
none—No authentication is used.
md5—Message-digest algorithm 5 (HMAC-MD5-96) is used.
sha—Secure Hash Algorithm (HMAC-SHA-96, based on SHA-1) is used.
If the authentication type is md5 or sha, you can specify a passphrase or a hexadecimal key.
To specify a passphrase, use the auth-pass-phrase string option. The string can be from 8 to 32 alphanumeric characters long, with no spaces.
To specify a key, use the auth-key hex-string option.
encrypt-type {none | des | 3des | aes} {encrypt-pass-phrase string | encrypt-key hex-string}    Specifies the encryption type used for SNMP traffic. You can specify one of the following:
none—No encryption is used. This is the default.
des—Data Encryption Standard (DES) encryption is used.
3des—Triple DES encryption is used.
aes—Advanced Encryption Standard (AES) encryption is used.
If the encryption type is des, 3des, or aes, you can specify a passphrase or a hexadecimal key.
To specify a passphrase, use the encrypt-pass-phrase string option. The string can be from 8 to 32 alphanumeric characters long, with no spaces.
To specify a key, use the encrypt-key hex-string option.
Defaults
No SNMPv3 users are configured by default. When you configure an SNMPv3 user, the
default access is read-only, and the default authentication and encryption types are both none.
A user left at none for both is a noAuthNoPriv user: its requests are neither authenticated nor encrypted, so it is no stronger than a community string. For management access prefer sha with aes; MD5 and single DES are considered weak.
Access
Enabled.
History
Introduced in MSS Version 4.0.
Examples
The following command creates USM user snmpmgr1, associated with the local SNMP
engine ID. This user can send traps to notification receivers.
MX# set snmp usm snmpmgr1 snmp-engine-id local
success: change accepted.
The following command creates USM user securesnmpmgr1, which uses SHA authentication and
3DES encryption with passphrases. This user can send informs to the notification receiver that has
engine ID 192.168.40.2.
MX# set snmp usm securesnmpmgr1 snmp-engine-id ip 192.168.40.2 auth-type sha auth-pass-phrase
myauthpword encrypt-type 3des encrypt-pass-phrase mycryptpword
success: change accepted.
See Also
clear snmp usm on page 8-98
set ip snmp server on page 8-111
set snmp community on page 8-116
set snmp group on page 8-117
set snmp notify target on page 8-121
set snmp notify profile on page 8-118
set snmp protocol on page 8-124
show snmp usm on page 8-126
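The following is an added example, not MSS code, showing what the auth-pass-phrase and encrypt-pass-phrase options above turn into and why the snmp-engine-id argument matters. SNMPv3 USM (RFC 3414, Appendix A.2) hashes the passphrase repeated to one megabyte to get an intermediate key Ku, then localizes it to one engine ID as Kul = H(Ku || snmpEngineID || Ku). A user created with a receiver's engine ID (for informs) therefore only works toward that receiver, and a user created with local only works with the MX's own engine ID. The encrypt passphrase is processed the same way with the authentication protocol's hash. The RFC 3411 IPv4 engine-ID layout is standard, but the enterprise number MSS embeds when you specify ip is not stated on this page, so the 14525 used in the demonstration is a placeholder assumption; the "maplesyrup" vectors are the RFC 3414 Appendix A.3 test vectors.

```python
"""SNMPv3 USM passphrase-to-key derivation and key localization (RFC 3414, A.2).

Added example, not MSS code.
"""
import hashlib
import ipaddress

ONE_MEGABYTE = 1_048_576


def password_to_key(passphrase: bytes, hash_name: str) -> bytes:
    """Ku: digest of the passphrase repeated cyclically to exactly 1,048,576 bytes."""
    if not passphrase:
        raise ValueError("empty passphrase")
    repeats = ONE_MEGABYTE // len(passphrase) + 1
    return hashlib.new(hash_name, (passphrase * repeats)[:ONE_MEGABYTE]).digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str) -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku): the key actually used toward one engine."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def engine_id_from_ipv4(enterprise: int, ip: str) -> bytes:
    """RFC 3411 SnmpEngineID, IPv4 format: enterprise number with the top bit set,
    format octet 0x01, then the four address octets. The enterprise number MSS
    embeds is not given on this page; the caller supplies it (assumption)."""
    if not 0 < enterprise < 2 ** 31:
        raise ValueError("enterprise number out of range")
    prefix = (0x80000000 | enterprise).to_bytes(4, "big")
    return prefix + b"\x01" + ipaddress.IPv4Address(ip).packed


def usm_keys(passphrase: str, engine_id: bytes, hash_name: str = "sha1") -> dict:
    """Hex Ku and Kul for a passphrase; md5 and sha1 are the USM auth hashes."""
    ku = password_to_key(passphrase.encode("utf-8"), hash_name)
    return {"Ku": ku.hex(), "Kul": localize_key(ku, engine_id, hash_name).hex()}


if __name__ == "__main__":
    # RFC 3414 A.3 test vector: passphrase "maplesyrup", engine ID 00..02.
    rfc_engine = bytes.fromhex("000000000000000000000002")
    print("md5 ", usm_keys("maplesyrup", rfc_engine, "md5"))
    print("sha1", usm_keys("maplesyrup", rfc_engine, "sha1"))
    # The page's example passphrase localized to an IP-based receiver engine ID
    # (placeholder enterprise 14525, an assumption). A different receiver address
    # gives a different Kul even though the passphrase is the same.
    for host in ("192.168.40.2", "192.168.40.3"):
        print(host, usm_keys("myauthpword", engine_id_from_ipv4(14525, host))["Kul"])
```

The practical consequence: when you give MSS auth-key or encrypt-key as a hex string instead of a passphrase, the value must already be the localized Kul for the engine ID named in snmp-engine-id, and an MD5 Ku is 16 bytes while a SHA Ku is 20 bytes.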
set snmp view
Controls SNMP view operations to allow different levels of access to management information.
Syntax
set snmp view view-name description description [root included | excluded]
treefamily oid-subtree [included | excluded]
view-name    The name configured for a view.
description description    A text description of the view.
root [included | excluded]    Include or exclude the root of the OID tree.
treefamily oid-subtree [included | excluded]    Include or exclude the OID subtree (treefamily).
Defaults
All views excluded.
Access
Enabled
History
Added in MSS Version 7.0
Usage
Controls access to SNMP operations. An OID that no included subtree covers is not accessible through the view.
Examples
To include the root of the OID tree, use the following command:
MX# set snmp view eng_dev description labs root include
success: change accepted
See Also
clear snmp usm on page 8-98
set ip snmp server on page 8-111
set snmp community on page 8-116
set snmp group on page 8-117
set snmp notify target on page 8-121
set snmp notify profile on page 8-118
set snmp protocol on page 8-124
show snmp usm on page 8-143
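The include/exclude resolution that a view built from root and treefamily entries performs, as an added example that is not MSS code: it follows the RFC 3415 view-tree-family rule, where the most specific (longest) subtree covering an OID decides and an OID covered by nothing is excluded, matching the "all views excluded" default above. The root keyword is modelled as the empty prefix; family masks (vacmViewTreeFamilyMask) are not modelled, and whether MSS resolves overlapping subtrees exactly this way is an assumption. The hardened view excludes the USM and VACM MIB subtrees (1.3.6.1.6.3.15 and 1.3.6.1.6.3.16) so that a read-write SNMP user cannot add users or widen its own access.

```python
"""Resolve SNMP view access with RFC 3415 view-tree-family matching.

Added example, not MSS code.
"""


def parse_oid(text: str) -> tuple:
    """'1.3.6.1.2.1' -> (1, 3, 6, 1, 2, 1); the empty string is the root."""
    text = text.strip().strip(".")
    return tuple(int(part) for part in text.split(".")) if text else ()


class SnmpView:
    def __init__(self, name: str, description: str, root: str = None):
        self.name = name
        self.description = description
        # subtree prefix -> True (included) / False (excluded)
        self.families = {}
        if root is not None:
            self.treefamily("", root)

    def treefamily(self, subtree: str, disposition: str) -> "SnmpView":
        """Add one treefamily entry; later entries for the same prefix replace earlier ones."""
        if disposition not in ("included", "excluded"):
            raise ValueError("disposition must be 'included' or 'excluded'")
        self.families[parse_oid(subtree)] = disposition == "included"
        return self

    def permits(self, oid: str) -> bool:
        """Longest matching prefix wins; no match means excluded (the default)."""
        target = parse_oid(oid)
        best_len, allowed = -1, False
        for prefix, included in self.families.items():
            if target[: len(prefix)] == prefix and len(prefix) > best_len:
                best_len, allowed = len(prefix), included
        return allowed


def hardened_readwrite_view() -> SnmpView:
    """Everything except the USM user table and the VACM tables, so a read-write
    user cannot create users or change views, groups, or access entries."""
    return (
        SnmpView("rw_no_usm", "read-write minus security MIBs", root="included")
        .treefamily("1.3.6.1.6.3.15", "excluded")  # SNMP-USER-BASED-SM-MIB
        .treefamily("1.3.6.1.6.3.16", "excluded")  # SNMP-VIEW-BASED-ACM-MIB
    )


if __name__ == "__main__":
    view = hardened_readwrite_view()
    for oid in ("1.3.6.1.2.1.1.5.0",          # sysName
                "1.3.6.1.6.3.15.1.2.2.1.3",   # usmUserSecurityName
                "1.3.6.1.6.3.10.2.1.1.0"):    # snmpEngineID
        print(oid, "included" if view.permits(oid) else "excluded")
```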
set summertime
Offsets the real-time clock of an MX by +1 hour and returns it to standard time for daylight savings
time or a similar summertime period.
Syntax
set summertime summername [start week weekday month hour min end week weekday
month hour min]
summername    Name of up to 32 alphanumeric characters that describes the summertime offset. You can use a standard name or any name you like.
start    Start of the time change period.
end    End of the time change period.
week    Week of the month to start or end the time change. Valid values are first, second, third, fourth, or last.
weekday    Day of the week to start or end the time change. Valid values are sun, mon, tue, wed, thu, fri, and sat.
month    Month of the year to start or end the time change. Valid values are jan, feb, mar, apr, may, jun, jul, aug, sep, oct, nov, and dec.
hour    Hour to start or end the time change, a value between 0 and 23 on the 24-hour clock.
min    Minute to start or end the time change, a value between 0 and 59.
Defaults
If you do not specify a start and end time, the system implements the time change
starting at 2:00 a.m. on the first Sunday in April and ending at 2:00 a.m. on the last Sunday in
October, according to the North American standard. That is the rule that applied before 2007; since 2007 the United States and Canada start on the second Sunday in March and end on the first Sunday in November, so specify start and end explicitly rather than relying on the default.
Access
Enabled.
History
Introduced in MSS Version 1.0.
Usage
You must first set the time zone with the set timezone command for the offset to work
properly without the start and end values.
Configure summertime before you set the time and date. Otherwise, the summertime adjustment
of the time makes the time incorrect, if the date is within the summertime period.
Examples
To enable summertime and set the summertime time zone to PDT (Pacific Daylight
Time), type the following command:
MX-20# set summertime PDT
success: change accepted
See Also
clear summertime on page 8-99
clear timezone on page 8-100
set timedate on page 8-130
set timezone on page 8-130
show summertime on page 8-143
show timedate on page 8-144
show timezone on page 8-144
set system ip-address
Configures the system IP address. The system IP address determines the interface or source IP
address MSS uses for system tasks, including the following:
Mobility domain operations
Topology reporting for dual-homed MP access points
Default source IP address used in unsolicited communications such as AAA accounting reports
and SNMP traps
Syntax
set system ip-address ip-addr
ip-addr    IP address, in dotted decimal notation. The address must be configured as part of the MX VLANs.
Defaults
None.
Access
Enabled.
History
Introduced in MSS Version 1.0.
Usage
You must use an address that is configured on one of the MX VLANs.
To display the system IP address, use the show system command.
Examples
The following commands configure an IP interface on VLAN taupe and configure the
interface to be the system IP address:
MX# set interface taupe ip 10.10.20.20/24
success: set ip address 10.10.20.20 netmask 255.255.255.0 on vlan taupe
MX# set system ip-address 10.10.20.20
success: change accepted.
See Also
clear system ip-address on page 8-99
set interface on page 8-102
show system on page 4-40
set timedate
Sets the time of day and date on the MX.
Syntax
set timedate {date mmm dd yyyy [time hh:mm:ss]}
date mmm dd yyyy    System date: mmm is the month, dd the day, and yyyy the year.
time hh:mm:ss    System time, in hours, minutes, and seconds.
Defaults
None.
Access
Enabled.
History
Introduced in MSS Version 1.0.
Usage
The day of the week is automatically calculated from the date that you set. The time displayed
by the CLI after you type the command might be slightly later than the time entered due to the
interval between pressing Enter and when the CLI reads and displays the new time and date.
Configure summertime before you set the time and date. Otherwise, the summertime adjustment
makes the time incorrect, if the date is within the summertime period.
Examples
The following command sets the date to February 29, 2004 and the time to 23:58:00:
MX# set timedate date feb 29 2004 time 23:58:00
Time now is: Sun Feb 29 2004, 23:58:02 PST
See Also
clear summertime on page 8-99
clear timezone on page 8-100
set summertime on page 8-128
set timezone on page 8-130
show summertime on page 8-143
show timedate on page 8-144
show timezone on page 8-144
set timezone
Sets the number of hours, and optionally, the number of minutes, that the MX real-time clock is
offset from Coordinated Universal Time (UTC). These values are also used by Network Time
Protocol (NTP), if it is enabled.
Syntax
set timezone zonename {-hours [minutes]}
zonename    Time zone name of up to 32 alphabetic characters. You can use a standard name or any name you like.
-    Minus sign indicating that the hours (and minutes) are to be subtracted from UTC. Otherwise, hours and minutes are added by default.
hours    Number of hours to add to or subtract from UTC.
minutes    Number of minutes to add to or subtract from UTC.
Defaults
If this command is not used, then the default time zone is UTC.
Access
Enabled.
History
Introduced in MSS Version 1.0.
Examples
To set the time zone for Pacific Standard Time (PST), type the following command:
MX-20# set timezone PST -8
Timezone is set to 'PST', offset from UTC is -8:0 hours.
See Also
clear summertime on page 8-99
clear timezone on page 8-100
set summertime on page 8-128
set timedate on page 8-130
show summertime on page 8-143
show timedate on page 8-144
show timezone on page 8-144
show arp
Displays the ARP table.
Syntax
show arp [ip-addr]
ip-addr    IP address. Displays only the entry for this address.
Defaults
If you do not specify an IP address, the entire ARP table is displayed.
Access
All.
History
Introduced in MSS Version 1.0.
Examples
The following command displays ARP entries:
MX# show arp
ARP aging time: 1200 seconds
Host HW Address VLAN Type State
------------------------------ ----------------- ----- ------- --------
10.5.4.51 00:0b:0e:02:76:f5 1 DYNAMIC RESOLVED
10.5.4.53 00:0b:0e:02:76:f7 1 LOCAL RESOLVED
Table 8-19 describes the fields in this display.
Table 8-19. Output for show arp
Field Description
ARP aging time    Number of seconds a dynamic entry can remain unused before MSS removes the entry from the ARP table.
Host    IP address, hostname, or alias.
HW Address    MAC address mapped to the IP address, hostname, or alias.
VLAN    VLAN the entry is for.
Type    Entry type:
DYNAMIC—Entry was learned from network traffic and ages out if unused for longer than the ARP aging timeout.
LOCAL—Entry for the MX MAC address. Each VLAN has one local entry for the switch MAC address.
PERMANENT—Entry does not age out and remains in the configuration even following a reboot.
STATIC—Entry does not age out but is removed after a reboot.
State    Entry state:
RESOLVING—MSS sent an ARP request for the entry and is waiting for the reply.
RESOLVED—Entry is resolved.
See Also
set arp on page 8-101
set arp agingtime on page 8-102
show dhcp-client
Displays DHCP client information for all VLANs.
Syntax
show dhcp-client
Defaults
None.
Access
All.
History
Introduced in MSS Version 4.0.
Examples
The following command displays DHCP client information:
MX# show dhcp-client
Interface: corpvlan(4)
Configuration Status: Enabled
DHCP State: IF_UP
Lease Allocation: 65535 seconds
Lease Remaining: 65532 seconds
IP Address: 10.3.1.110
Subnet Mask: 255.255.255.0
Default Gateway: 10.3.1.1
DHCP Server: 10.3.1.4
DNS Servers: 10.3.1.29
DNS Domain Name: mycorp.com
Table 9 describes the fields in this display.
Table 9. Output for show dhcp-client
Field Description
Interface    VLAN name and number.
Configuration Status    Status of the DHCP client on this VLAN: Enabled or Disabled.
DHCP State    State of the IP interface: IF_UP or IF_DOWN.
Lease Allocation    Duration of the address lease, in seconds.
Lease Remaining    Number of seconds remaining before the address lease expires.
IP Address    IP address received from the DHCP server.
Subnet Mask    Network mask of the IP address received from the DHCP server.
Default Gateway    Default router (gateway) IP address received from the DHCP server. If the address is 0.0.0.0, the server did not provide an address.
DHCP Server    IP address of the DHCP server.
DNS Servers    DNS server IP address(es) received from the DHCP server.
DNS Domain Name    Default DNS domain name received from the DHCP server.
See Also
set interface dhcp-client on page 8-103
show dhcp-server
Displays MSS DHCP server information.
Syntax
show dhcp-server [interface vlan-id] [verbose]
interface vlan-id    Displays the IP addresses leased on the specified VLAN.
verbose    Displays configuration and status information for the MSS DHCP server.
Defaults
None.
Access
All.
History
Introduced in MSS Version 4.0.
Examples
The following command displays the addresses leased by the MSS DHCP server:
MX# show dhcp-server
VLAN Name Address MAC Lease Remaining (sec)
---- -------------- --------------- ----------------- --------------------
1 default 10.10.20.2 00:01:02:03:04:05 12345
1 default 10.10.20.3 00:01:03:04:06:07 2103
2 red-vlan 192.168.1.5 00:01:03:04:06:08 102
2 red-vlan 192.168.1.7 00:01:03:04:06:09 16789
The following command displays configuration and status information for each VLAN on which the
DHCP server is configured:
MX# show dhcp-server verbose
Interface: 0 (Direct AP)
Status: UP
Address Range: 10.0.0.1-10.0.0.253
Interface: default(1)
Status: UP
Address Range: 10.10.20.2-10.10.20.254
Hardware Address: 00:01:02:03:04:05
State: BOUND
Lease Allocation: 43200 seconds
Lease Remaining: 12345 seconds
IP Address: 10.10.20.2
Subnet Mask: 255.255.255.0
Default Router: 10.10.20.1
DNS Servers: 10.10.20.4 10.10.20.5
DNS Domain Name: mycorp.com
Table 10 and Table 11 describe the fields in these displays.
Table 10. Output for show dhcp-server
Field Description
VLAN    VLAN number.
Name    VLAN name.
Address    IP address leased by the server.
MAC    MAC address of the device that holds the lease for the address.
Lease Remaining    Number of seconds remaining before the address lease expires.
Table 11. Output for show dhcp-server verbose
Field Description
Interface    VLAN name and number.
Status    Status of the interface: UP or DOWN.
Address Range    Range from which the server can lease addresses.
Hardware Address    MAC address of the DHCP client.
State    State of the address lease:
SUSPEND—MSS is checking for the presence of another DHCP server on the subnet. This is the initial state of the MSS DHCP server. The MSS DHCP server remains in this state if another DHCP server is detected.
CHECKING—MSS is using ARP to verify whether the address is available.
OFFERING—MSS offered the address to the client and is waiting for the client to send a DHCPREQUEST for the address.
BOUND—The client accepted the address.
HOLDING—The address is already in use and is therefore unavailable.
Lease Allocation    Duration of the address lease, in seconds.
Lease Remaining    Number of seconds remaining before the address lease expires.
IP Address    IP address leased to the client.
Subnet Mask    Network mask of the IP address leased to the client.
Default Router    Default router IP address included in the DHCP Offer to the client.
DNS Servers    DNS server IP address(es) included in the DHCP Offer to the client.
DNS Domain Name    Default DNS domain name included in the DHCP Offer to the client.
See Also
set interface dhcp-server on page 8-104
show interface
Displays the IP interfaces configured on the MX.
Syntax
show interface [vlan-id]
vlan-id    VLAN name or number.
Defaults
If you do not specify a VLAN ID, interfaces for all VLANs are displayed.
Access
All.
History
Version 1.0    Command introduced.
Version 4.0    RIB field added.
Usage
The IP interface table flags an address assigned by a DHCP server with an asterisk ( * ).
Examples
The following command displays all the IP interfaces configured on an MX:
MX# show interface
VLAN Name Address Mask Enabled State RIB
---- --------------- --------------- --------------- ------- ----- ---------
1 default 10.10.10.10 255.255.255.0 YES Up ipv4
2 mauve 10.10.20.10 255.255.255.0 NO Down ipv4
4 corpvlan *10.3.1.110 255.255.255.0 YES Up ipv4
Table 8-1 describes the fields in this display.
Table 8-1. Output for show interface
Field Description
VLAN    VLAN number
Name    VLAN name
Address    IP address
Mask    Subnet mask
Enabled    Administrative state: YES (enabled) or NO (disabled)
State    Link state: Up (operational) or Down (unavailable)
RIB    Routing Information Base
See Also
clear interface on page 8-92
set interface on page 8-102
set interface status on page 8-106
show ip alias
Displays the IP aliases configured on the MX.
Syntax
show ip alias [name]
name    Alias string.
Defaults
If you do not specify an alias name, all aliases are displayed.
Access
Enabled.
History
Introduced in MSS Version 1.0.
Examples
The following command displays all the aliases configured on an MX:
MX# show ip alias
Name IP Address
-------------------- --------------------
HR1 192.168.1.2
payroll 192.168.1.3
radius1 192.168.7.2
Table 8-2 describes the fields in this display.
Table 8-2. Output for show ip alias
Field Description
Name    Alias string.
IP Address    IP address associated with the alias.
See Also
clear ip alias on page 8-93
set ip alias on page 8-106
show ip dns
Displays the DNS servers used by the MX.
Syntax
show ip dns
Defaults
None.
Access
All.
History
Introduced in MSS Version 1.0.
Examples
The following command displays the DNS information:
MX# show ip dns
Domain Name: example.com
DNS Status: enabled
IP Address Type
-----------------------------------
10.1.1.1 PRIMARY
10.1.1.2 SECONDARY
10.1.2.1 SECONDARY
Table 8-3 describes the fields in this display.
Table 8-3. Output for show ip dns
Field Description
Domain Name    Default domain name configured on the MX.
DNS Status    Status of the MX DNS client: Enabled or Disabled.
IP Address    IP address of the DNS server.
Type    Server type: PRIMARY or SECONDARY.
See Also
clear ip dns domain on page 8-94
clear ip dns server on page 8-94
set ip dns on page 8-107
set ip dns domain on page 8-107
set ip dns server on page 8-108
show ip https
Displays information about the HTTPS management port.
Syntax
show ip https
Defaults
None.
Access
All.
History
Introduced in MSS Version 1.0.
Examples
The following command shows the status and port number for the HTTPS management
interface to the MX switch:
MX> show ip https
HTTPS is enabled
HTTPS is set to use port 443
Last 10 Connections:
IP Address Last Connected Time Ago (s)
------------ ----------------------- ------------
10.10.10.56 2003/05/09 15:51:26 pst 349
Table 8-4 describes the fields in this display.
Table 8-4. Output for show ip https
Field Description
HTTPS is enabled/disabled    State of the HTTPS server: Enabled or Disabled.
HTTPS is set to use port    TCP port number on which the MX listens for HTTPS connections.
Last 10 connections    List of the last 10 devices to establish connections to the MX HTTPS server.
IP Address    IP address of the device that established the connection.
Note: If a browser connects to an MX from behind a proxy, then only the proxy IP address is shown. If multiple browsers connect using the same proxy, the proxy address appears only once in the output.
Last Connected    Time when the device established the HTTPS connection to the MX.
Time Ago (s)    Number of seconds since the device established the HTTPS connection to the switch.
See Also
clear ip telnet on page 8-95
set ip https server on page 8-109
set ip telnet on page 8-112
set ip telnet server on page 8-113
show ip telnet on page 8-139
show ip route
Displays the IP route table on the MX.
Syntax
show ip route [destination]
destination    Route destination IP address, in dotted decimal notation.
Defaults
None.
Access
All.
History
Introduced in MSS Version 1.0.
Usage
When you add an IP interface to an available VLAN, MSS adds direct and local routes for
the interface to the route table. If the VLAN is down, MSS does not add the routes. If you add an
interface to a VLAN but the routes for that interface do not appear in the route table, use the
show vlan config command to check the VLAN state.
If you add a static route and the route state is shown as Down, use the show interface command
to verify that the MX has an IP interface in the default router subnet. MSS cannot resolve a static
route unless one of the MX VLANs has an interface in the default router subnet. If the MX has
such an interface but the static route is still down, use the show vlan config command to check
the state of the VLAN ports.
Examples
The following command shows all routes in an MX IP route table:
MX# show ip route
Router table for IPv4
Destination/Mask Proto Metric NH-Type Gateway VLAN:Interface
__________________ _______ ______ _______ _______________ _______________
0.0.0.0/ 0 Static 1 Router 10.0.1.17 Down
0.0.0.0/ 0 Static 2 Router 10.0.2.17 vlan:2:ip
10.0.2.1/24 IP 0 Direct vlan:2:ip
10.0.2.1/32 IP 0 Direct vlan:2:ip:10.0.1.1/24
10.0.2.255/32 IP 0 Direct vlan:2:ip:10.0.1.1/24
224.0.0.0/ 4 IP 0 Local MULTICAST
Table 8-5 describes the fields in this display.
See Also
clear ip route on page 8-95
set interface on page 8-102
set ip route on page 8-109
show interface on page 8-135
show vlan config on page 6-81
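The diagnostic in the Usage text above, applied mechanically to show ip route output, as an added example that is not MSS code: it parses the route table, takes the Direct routes narrower than /32 as the MX's own interface subnets, and for each static route reports both what MSS shows (Down or an interface) and whether any interface subnet actually contains the gateway. The sample input is the example output above, embedded as a constructed string; the column layout it assumes (a "Gateway" column present only for Router next hops, and "Destination/Mask" sometimes printed as "0.0.0.0/ 0") is taken from that example.

```python
"""Check static routes in MSS 'show ip route' output against the Usage rule:
a static route resolves only if an MX VLAN interface lies in the next-hop
router's subnet. Added example, not MSS code.
"""
import ipaddress
import re

# Constructed sample: the show ip route output from the example above.
SAMPLE_OUTPUT = """\
Router table for IPv4
Destination/Mask Proto Metric NH-Type Gateway VLAN:Interface
__________________ _______ ______ _______ _______________ _______________
0.0.0.0/ 0 Static 1 Router 10.0.1.17 Down
0.0.0.0/ 0 Static 2 Router 10.0.2.17 vlan:2:ip
10.0.2.1/24 IP 0 Direct vlan:2:ip
10.0.2.1/32 IP 0 Direct vlan:2:ip:10.0.1.1/24
10.0.2.255/32 IP 0 Direct vlan:2:ip:10.0.1.1/24
224.0.0.0/ 4 IP 0 Local MULTICAST
"""

# Destination/Mask may be printed as "0.0.0.0/ 0" (space after the slash).
ROUTE_LINE = re.compile(
    r"^(?P<addr>\d+\.\d+\.\d+\.\d+)/\s*(?P<plen>\d+)\s+"
    r"(?P<proto>Static|IP)\s+(?P<metric>\d+)\s+"
    r"(?P<nh>Router|Direct|Local)\s+(?P<rest>.+)$"
)


def parse_routes(output: str) -> list:
    """One dict per route line; the title, header and separator lines are skipped."""
    routes = []
    for line in output.splitlines():
        m = ROUTE_LINE.match(line.strip())
        if not m:
            continue
        fields = m.group("rest").split()
        # Router entries carry a Gateway column; Direct and Local entries do not.
        gateway = fields[0] if m.group("nh") == "Router" else None
        routes.append({
            "network": ipaddress.ip_network(
                f"{m.group('addr')}/{m.group('plen')}", strict=False),
            "proto": m.group("proto"),
            "metric": int(m.group("metric")),
            "nh_type": m.group("nh"),
            "gateway": gateway,
            "interface": fields[-1],
        })
    return routes


def connected_subnets(routes: list) -> list:
    """Subnets of the MX's own IP interfaces: Direct routes narrower than /32
    (the /32 host and broadcast entries are not subnets)."""
    return [r["network"] for r in routes
            if r["nh_type"] == "Direct" and r["network"].prefixlen < 32]


def check_static_routes(routes: list) -> list:
    """For each static route: what MSS reports, and whether any interface subnet
    really contains the gateway. A route that is Down while the gateway is on a
    connected subnet points at the VLAN port state (show vlan config)."""
    subnets = connected_subnets(routes)
    findings = []
    for r in routes:
        if r["proto"] != "Static":
            continue
        gw = ipaddress.ip_address(r["gateway"])
        findings.append({
            "destination": str(r["network"]),
            "gateway": str(gw),
            "reported_down": r["interface"] == "Down",
            "gateway_on_connected_subnet": any(gw in s for s in subnets),
        })
    return findings


if __name__ == "__main__":
    for finding in check_static_routes(parse_routes(SAMPLE_OUTPUT)):
        print(finding)
```

On the sample, the metric-1 default route via 10.0.1.17 is Down and no interface subnet contains 10.0.1.17, which is the first case in the Usage text (add an interface in that subnet); the metric-2 route via 10.0.2.17 is up and its gateway lies in 10.0.2.0/24.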
Table 8-5. Output for show ip route
Field Description
Destination/Mask    IP address and subnet mask of the route destination. The 224.0.0.0 route is automatically added by MSS and supports the IGMP snooping feature.
Proto    Protocol that added the route to the IP route table. The protocol can be one of the following:
IP—MSS added the route.
Static—An administrator added the route.
Metric    Cost for using the route.
NH-Type    Next-hop type:
Local—Route is for a local interface. MSS adds the route when you configure an IP address on an MX.
Direct—Route is for a locally attached subnet. MSS adds the route when you add an interface in the same subnet as the MX.
Router—Route is for a remote destination. An MX switch forwards traffic for the destination to the default router (gateway).
Gateway    Next-hop router for reaching the route destination.
Note: This field applies only to static routes.
VLAN:Interface    Destination VLAN, protocol type, and IP address of the route. Because direct routes are for local interfaces, a destination IP address is not listed.
The destination for the IP multicast route is MULTICAST.
For static routes, the value Down means the MX does not have an interface to the destination next-hop router. To provide an interface, configure an IP interface that is in the same IP subnet as the next-hop router. The IP interface must be on a VLAN with the port attached to the default router.
show ip telnet
Displays information about the Telnet management port. Telnet carries the login exchange and the whole session in cleartext, so keep the Telnet server disabled on networks you do not trust.
Syntax
show ip telnet
Defaults
None.
Access
All.
History
Introduced in MSS Version 1.0.
Examples
The following command shows the status and port number for the Telnet management
interface to the MX:
MX> show ip telnet
Server Status Port
----------------------------------
Enabled 23
Table 8-6 describes the fields in this display.
IP Services Commands
Mobility System Software Command Reference Guide
Version 7.3
8 – 140
See Also
clear ip telnet on page 8-95
set ip https server on page 8-109
set ip telnet on page 8-112
set ip telnet server on page 8-113
show ip https on page 8-137
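The NH-Type and VLAN:Interface descriptions in Table 8–5 for show ip route state that a static route shows Down when the MX has no IP interface in the subnet of the route's next-hop router. The following Python is an added example, not code from the guide or from MSS, that applies that rule to a constructed route table and flags static routes whose gateway lies outside every directly connected subnet; the column layout assumed for static rows (gateway address after NH-Type, then the interface or Down) is this example's assumption.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the style of the show ip route display. The direct and
# local rows follow the layout shown in the guide; the layout of the static rows
# (gateway after NH-Type, "Down" when the next hop is unreachable) is assumed.
SAMPLE_ROUTE_TABLE = """\
10.0.1.1/24 IP 0 Direct vlan:1:ip
10.0.2.1/24 IP 0 Direct vlan:2:ip
10.0.2.1/32 IP 0 Direct vlan:2:ip:10.0.1.1/24
0.0.0.0/0 Static 1 Router 10.0.1.254 vlan:1:ip
172.16.0.0/16 Static 1 Router 192.168.9.1 Down
224.0.0.0/4 IP 0 Local MULTICAST
"""


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    proto: str
    metric: int
    nh_type: str                              # Local, Direct or Router (Table 8-5)
    gateway: Optional[ipaddress.IPv4Address]  # present on static routes only
    interface: str                            # VLAN:Interface column, or "Down"


def parse_route_table(text: str) -> List[Route]:
    """Tokenize one route row per line; rows with too few columns are skipped."""
    routes: List[Route] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue
        dest, proto, metric, nh_type = parts[:4]
        rest = parts[4:]
        gateway = None
        if nh_type == "Router":
            gateway = ipaddress.IPv4Address(rest.pop(0))
        # strict=False accepts the interface-address form (10.0.2.1/24) and
        # yields its network (10.0.2.0/24).
        prefix = ipaddress.IPv4Network(dest, strict=False)
        routes.append(Route(prefix, proto, int(metric), nh_type, gateway, " ".join(rest)))
    return routes


def connected_subnets(routes: List[Route]) -> List[ipaddress.IPv4Network]:
    """Direct routes are the subnets the MX has an IP interface in."""
    return [r.prefix for r in routes if r.nh_type == "Direct"]


def unreachable_static_routes(routes: List[Route]) -> List[str]:
    """Static routes whose gateway is in no connected subnet: the condition behind Down."""
    nets = connected_subnets(routes)
    return [
        str(r.prefix)
        for r in routes
        if r.nh_type == "Router"
        and r.gateway is not None
        and not any(r.gateway in net for net in nets)
    ]


def flags_agree(routes: List[Route]) -> bool:
    """Cross-check the display: routes marked Down and routes we compute as unreachable must coincide."""
    marked_down = {str(r.prefix) for r in routes if r.interface == "Down"}
    return marked_down == set(unreachable_static_routes(routes))
```

The fix the guide prescribes for a Down route is an IP interface in the next-hop router's subnet; running unreachable_static_routes after adding that interface should return an empty list.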
Table 8–6. Output for show ip telnet
Field  Description
Server Status  State of the HTTPS server:
    Enabled
    Disabled
Port  TCP port number on which the MX listens for Telnet management traffic.
show ntp
Displays NTP client information.
Syntax
show ntp
Defaults
None.
Access
All.
History
Version 1.0  Command introduced
Version 2.0  Peer State and Local State fields added
Examples
To display NTP information for an MX, type the following command:
MX> show ntp
NTP client: enabled
Current update-interval: 20(secs)
Current time: Fri Feb 06 2004, 12:02:57
Timezone is set to 'PST', offset from UTC is -8:0 hours.
Summertime is enabled.
Last NTP update: Fri Feb 06 2004, 12:02:46
NTP Server Peer state Local State
---------------------------------------------------
192.168.1.5 SYSPEER SYNCED
Table 8–7 describes the fields in this display.
Table 8–7. Output for show ntp
Field  Description
NTP client  State of the NTP client. The state can be one of the following:
    Enabled
    Disabled
Current update-interval  Number of seconds between queries sent by the MX to the NTP servers for updates.
Current time  System time that was current on the MX when you pressed Enter after typing the show ntp command.
Timezone  Time zone configured on the switch. MSS offsets the time reported by the NTP server based on the time zone.
    Note: This field is displayed only if you change the time zone.
Summertime  Summertime period configured on the switch. MSS offsets the system time +1 hour and returns it to standard time for daylight savings time or a similar summertime period that you set.
    Note: This field is displayed only if you enable summertime.
Last NTP update  Time when the MX received the most recent update from an NTP server.
NTP Server  IP address of the NTP server.
Peer state  State of the NTP session from the point of view of the NTP server:
    CORRECT
    REJECT
    SELCAND
    SYNCCAND
    SYSPEER
Local state  State of the NTP session on the MX NTP client:
    INITED
    START
    SYNCED
See Also
clear ntp server on page 8-96
clear summertime on page 8-99
clear timezone on page 8-100
set ntp on page 8-114
set ntp server on page 8-114
set summertime on page 8-128
set timezone on page 8-130
show timezone on page 8-144
show snmp configuration
This command is deprecated in MSS Version 4.0. Use the show snmp status command instead.
show snmp community
Displays the configured SNMP community strings.
Syntax
show snmp community
Defaults
None.
Access
Enabled.
History
Introduced in MSS Version 4.0.
See Also
clear snmp community on page 8-97
set snmp community on page 8-116
show snmp counters
Displays SNMP statistics counters.
Syntax
show snmp counters
Defaults
None.
Access
Enabled.
History
Introduced in MSS Version 4.0.
show snmp notify profile
Displays SNMP notification profiles.
Syntax
show snmp notify profile
Defaults
None.
Access
Enabled.
History
Introduced in MSS Version 4.0.
See Also
clear snmp notify profile on page 8-97
set snmp notify profile on page 8-118
show snmp notify target
Displays SNMP notification targets.
Syntax
show snmp notify target
Defaults
None.
Access
Enabled.
History
Introduced in MSS Version 4.0.
See Also
clear snmp notify target on page 8-98
set snmp notify target on page 8-121
show snmp status
Displays SNMP version and status information.
Syntax
show snmp status
Defaults
None.
Access
Enabled.
History
Introduced in MSS Version 4.0.
See Also
set snmp community on page 8-116
set snmp notify target on page 8-121
set snmp notify profile on page 8-118
set snmp protocol on page 8-124
set snmp security on page 8-125
set snmp usm on page 8-126
show snmp community on page 8-141
show snmp counters on page 8-142
show snmp notify profile on page 8-142
show snmp notify target on page 8-142
show snmp usm on page 8-143
show snmp usm
Displays information about SNMPv3 users.
Syntax
show snmp usm
Defaults
None.
Access
Enabled.
History
Introduced in MSS Version 4.0.
See Also
clear snmp usm on page 8-98
show snmp usm on page 8-143
show summertime
Shows an MX offset time from the real-time clock time.
Syntax
show summertime
Defaults
None.
Access
All.
History
Introduced in MSS Version 1.0.
Examples
To display the summertime setting on an MX, type the following command:
MX-20# show summertime
Summertime is enabled, and set to 'PDT'.
Start : Sun Apr 04 2004, 02:00:00
End : Sun Oct 31 2004, 02:00:00
Offset : 60 minutes
Recurring : yes, starting at 2:00 am of first Sunday of April
and ending at 2:00 am on last Sunday of October.
See Also
clear summertime on page 8-99
clear timezone on page 8-100
set summertime on page 8-128
set timedate on page 8-130
set timezone on page 8-130
show timedate on page 8-144
show timezone on page 8-144
show timedate
Shows the date and time of day currently set on an MX real-time clock.
Syntax
show timedate
Defaults
None.
Access
All.
History
Introduced in MSS Version 1.0.
Examples
To display the time and date set on an MX real-time clock, type the following command:
MX-20# show timedate
Sun Feb 29 2004, 23:59:02 PST
See Also
clear summertime on page 8-99
clear timezone on page 8-100
set summertime on page 8-128
set timedate on page 8-130
set timezone on page 8-130
show summertime on page 8-143
show timezone on page 8-144
show timezone
Shows the time offset for the real-time clock from UTC on an MX.
Syntax
show timezone
Defaults
None.
Access
All.
History
Introduced in MSS Version 1.0.
Examples
To display the offset from UTC, type the following command:
MX# show timezone
Timezone set to 'pst', offset from UTC is -8 hours
See Also
clear summertime on page 8-99
clear timezone on page 8-100
set summertime on page 8-128
set timedate on page 8-130
set timezone on page 8-130
show summertime on page 8-143
show timedate on page 8-144
telnet
Opens a Telnet client session with a remote device.
Syntax
telnet {ip-addr | hostname} [port port-num]
ip-addr  IP address of the remote device.
hostname  Hostname of the remote device.
port port-num  TCP port number on which the TCP server on the remote device listens for Telnet connections.
Defaults
MSS attempts to establish Telnet connections with TCP port 23 by default.
Access
Enabled.
History
Introduced in MSS Version 1.1.
Usage
To end a Telnet session from the remote device, press Ctrl+t or type exit in the management session on the remote device. To end a client session from the local device, use the clear sessions telnet client command.
If the configuration of the MX on which you enter the telnet command has an ACL that denies Telnet client traffic, the ACL also denies access by the telnet command.
Examples
In the following example, an administrator establishes a Telnet session with another MX and enters a command on the remote MX:
MX# telnet 10.10.10.90
Session 0 pty tty2.d Trying 10.10.10.90...
Connected to 10.10.10.90
Disconnect character is '^t'
Copyright (c) 2002, 2003
Trapeze Networks, Inc.
Username: username
Password: password
MX-remote> show vlan
Admin VLAN Tunl Port
VLAN Name Status State Affin Port Tag State
---- ---------------- ------ ----- ----- ---------------- ----- -----
1 default Up Up 5
1 none Up
3 red Up Up 5
10 backbone Up Up 5
21 none Up
22 none Up
When the administrator presses Ctrl+t to end the Telnet connection, the management session returns to the local MX prompt:
MX-remote> Session 0 pty tty2.d terminated tt name tty2.d
MX#
See Also
clear sessions on page 19-449
show sessions on page 19-451
traceroute
Traces the route from the MX to an IP host.
Syntax
traceroute host [dnf] [no-dns] [port port-num] [queries num] [size size] [ttl hops] [wait ms]
host  IP address, hostname, or alias of the destination host. Specify the IP address in dotted decimal notation.
dnf  Sets the Do Not Fragment bit in the probe packet to prevent the packet from being fragmented.
no-dns  Prevents MSS from performing a DNS lookup for each hop to the destination host.
port port-num  TCP port number listening for the traceroute probes.
queries num  Number of probes per hop.
size size  Probe packet size in bytes. You can specify from 40 through 1460.
ttl hops  Maximum number of hops, which can be from 1 through 255.
wait ms  Probe wait in milliseconds. You can specify from 1 through 100,000.
Defaults
dnf—Disabled
no-dns—Disabled
port—33434
queries—3
size—38
ttl—30
wait—5000
Access
All.
History
Introduced in MSS Version 1.0.
Usage
To stop a traceroute command that is in progress, press Ctrl+C.
Examples
The following example traces the route to host server1:
MX# traceroute server1
traceroute to server1.example.com (192.168.22.7), 30 hops max, 38 byte packets
1 engineering-1.example.com (192.168.192.206) 2 ms 1 ms 1 ms
2 engineering-2.example.com (192.168.196.204) 2 ms 3 ms 2 ms
3 gateway_a.example.com (192.168.1.201) 6 ms 3 ms 3 ms
4 server1.example.com (192.168.22.7) 3 ms * 2 ms
The first row of the display indicates the target host, the maximum number of hops, and the packet size. Each numbered row displays information about one hop. The rows are displayed in the order that the hops occur, beginning with the hop closest to the MX.
The row for a hop lists the total time in milliseconds for each ICMP packet to reach the router or host, plus the time for the ICMP Time Exceeded message to return to the host.
An exclamation point (!) following any of these values indicates that the Port Unreachable message returned by the destination has a maximum hop count of 0 or 1. This can occur if the destination uses the maximum hop count value from the arriving packet as the maximum hop count in its ICMP reply. The reply does not arrive at the source until the destination receives a traceroute packet with a maximum hop count equal to the number of hops between the source and destination.
An asterisk (*) indicates that the timeout period expired before MSS received a Time Exceeded message for the packet.
If traceroute receives an ICMP error message other than a Time Exceeded or Port Unreachable message, MSS displays one of the error codes described in Table 8–8 instead of displaying the round-trip time or an asterisk (*).
Table 8–8 describes the traceroute error messages.
Table 8–8. Error Messages for traceroute
Field  Description
!N  No route to host. The network is unreachable.
!H  No route to host. The host is unreachable.
!P  Connection refused. The protocol is unreachable.
!F  Fragmentation needed but Do Not Fragment (DNF) bit was set.
!S  Source route failed.
!A  Communication administratively prohibited.
?  Unknown error occurred.
See Also
ping on page 8-100
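The traceroute display described above has three kinds of per-probe result: a round-trip time (optionally followed by ! for a low-TTL Port Unreachable reply), an asterisk for a timeout, and one of the Table 8–8 error codes in place of a time. The following Python is an added example, not code from the guide or from MSS, that parses that display into structured hops and classifies each hop; it uses the example output printed above plus a second, constructed trace (invented hostnames and addresses) in which an intermediate device answers with !A.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Error codes and their meanings, as listed in Table 8-8.
TRACEROUTE_ERROR_CODES = {
    "!N": "No route to host. The network is unreachable.",
    "!H": "No route to host. The host is unreachable.",
    "!P": "Connection refused. The protocol is unreachable.",
    "!F": "Fragmentation needed but Do Not Fragment (DNF) bit was set.",
    "!S": "Source route failed.",
    "!A": "Communication administratively prohibited.",
    "?": "Unknown error occurred.",
}

# The example output from the guide, reproduced as parser input.
SAMPLE_TRACEROUTE = """\
traceroute to server1.example.com (192.168.22.7), 30 hops max, 38 byte packets
1 engineering-1.example.com (192.168.192.206) 2 ms 1 ms 1 ms
2 engineering-2.example.com (192.168.196.204) 2 ms 3 ms 2 ms
3 gateway_a.example.com (192.168.1.201) 6 ms 3 ms 3 ms
4 server1.example.com (192.168.22.7) 3 ms * 2 ms
"""

# Constructed sample (names and addresses invented for this example): a device
# on the path rejects the probes with an "administratively prohibited" ICMP
# error, which the display shows as !A instead of a round-trip time.
SAMPLE_FILTERED = """\
traceroute to blocked.example.com (192.168.50.9), 30 hops max, 38 byte packets
1 engineering-1.example.com (192.168.192.206) 2 ms 1 ms 1 ms
2 filter.example.com (192.168.50.1) !A !A !A
"""


@dataclass
class Probe:
    rtt_ms: Optional[float]      # None when the probe timed out or returned an error
    error: Optional[str]         # a TRACEROUTE_ERROR_CODES key, or None
    low_ttl_reply: bool = False  # "!" after an RTT: Port Unreachable came back with TTL 0 or 1


@dataclass
class Hop:
    number: int
    host: str
    ip: str
    probes: List[Probe]


HOP_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\(([\d.]+)\)\s*(.*)$")


def parse_probes(text: str) -> List[Probe]:
    """Turn the result tokens of one hop ("2 ms", "*", "!H", trailing "!") into Probe records."""
    tokens = text.split()
    probes: List[Probe] = []
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "*":                        # timeout: no Time Exceeded message received
            probes.append(Probe(None, None))
            i += 1
        elif tok in TRACEROUTE_ERROR_CODES:   # ICMP error shown instead of an RTT
            probes.append(Probe(None, tok))
            i += 1
        elif i + 1 < len(tokens) and tokens[i + 1] == "ms":
            probe = Probe(float(tok), None)
            i += 2
            if i < len(tokens) and tokens[i] == "!":
                probe.low_ttl_reply = True
                i += 1
            probes.append(probe)
        else:
            raise ValueError(f"unexpected traceroute token {tok!r}")
    return probes


def parse_traceroute(output: str) -> List[Hop]:
    """Parse the numbered hop rows; the first row ("traceroute to ...") is skipped."""
    hops: List[Hop] = []
    for line in output.splitlines():
        m = HOP_RE.match(line)
        if m:
            hops.append(Hop(int(m.group(1)), m.group(2), m.group(3), parse_probes(m.group(4))))
    return hops


def summarize(hops: List[Hop]) -> Dict[int, str]:
    """Per hop: 'ok', 'partial' (some probes timed out), 'timeout', or the Table 8-8 error text."""
    summary: Dict[int, str] = {}
    for hop in hops:
        errors = [p.error for p in hop.probes if p.error]
        rtts = [p.rtt_ms for p in hop.probes if p.rtt_ms is not None]
        if errors:
            summary[hop.number] = TRACEROUTE_ERROR_CODES[errors[0]]
        elif not rtts:
            summary[hop.number] = "timeout"
        elif len(rtts) < len(hop.probes):
            summary[hop.number] = "partial"
        else:
            summary[hop.number] = "ok"
    return summary
```

A hop that reports !A or !H from a filtering device is an answer, not a timeout, so the classifier keeps the two apart; a run of timeouts followed by a normal hop is the usual sign of a device that drops probes without replying.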
AAA Commands 9 – 147
9
AAA Commands
Use authentication, authorization, and accounting (AAA) commands to provide a secure network connection and a record of user activity. Location policy commands override any virtual LAN (VLAN) or security ACL assignment by AAA or the local MX database to help you control access locally.
(Security ACLs are packet filters. For command descriptions, see “Security ACL Commands,” on page 15-391.)
This chapter presents AAA commands alphabetically. Use the following table to locate commands in this chapter based on their use.
Authentication
    set authentication console on page 9-165
    set authentication admin on page 9-164 (Updated)
    set authentication dot1x on page 9-167
    set authentication mac on page 9-170
    set authentication mac-prefix on page 9-171
    set authentication proxy on page 9-173 (Updated)
    set authentication web on page 9-174
    clear authentication admin on page 9-149
    clear authentication console on page 9-150
    clear authentication dot1x on page 9-151
    clear authentication mac on page 9-151
    clear authentication proxy on page 9-152
    clear authentication web on page 9-152
Local Authorization for Password Users
    set user on page 9-185
    clear user on page 9-157
    set user attr on page 9-186
    clear user attr on page 9-157
    set usergroup on page 9-188
    clear usergroup on page 9-159
    set user group on page 9-187
    clear user group on page 9-158
    clear usergroup attr on page 9-159
Local Authorization for MAC Users
    set mac-user on page 9-177
    clear mac-user on page 9-154
    show mac-user on page 9-190
    set mac-user attr on page 9-178
    clear mac-user attr on page 9-154
    set mac-usergroup attr on page 9-182
    clear mac-usergroup attr on page 9-156
    clear mac-user group on page 9-155
    clear mac-usergroup on page 9-155
Web authorization
    set web-portal on page 9-189
Accounting
    set accounting {admin | console} on page 9-160
    set accounting cdr on page 9-161 (New)
    set accounting {dot1x | mac | web | last-resort} on page 9-161
    set accounting command on page 9-163 (Updated)
    set accounting system on page 9-163 (Updated)
    show accounting statistics on page 9-199
    clear accounting on page 9-148
    clear accounting command on page 9-149
AAA information
    show aaa on page 9-190
    show mac-user on page 9-190
    show mac-usergroup on page 9-193
    show user on page 9-195
    show usergroup on page 9-197
Mobility Profiles
    set mobility-profile on page 9-183
    set mobility-profile mode on page 9-184
    show mobility-profile on page 9-201
    clear mobility-profile on page 9-156
Location Policy
    set location policy on page 9-175
    show location policy on page 9-201
    clear location policy on page 9-153
Password and User Login Restrictions
    set authentication password-restrict on page 9-172
    set authentication max-attempts on page 9-171
    set authentication minimum-password-length on page 9-172
    set user expire-password-in on page 9-187
    set usergroup expire-password-in on page 9-189
    clear user lockout on page 9-158
clear accounting
Removes accounting services for specified wireless users with administrative access or network access.
Syntax
clear accounting {admin | console | [mac | dot1x | web | system [ssid ssid | wired user-glob]] | last-resort | statistics | system} {user-glob}
admin  Users with administrative access to the MX through a console connection or through a Telnet or Web View connection.
dot1x  Users with network access through the MX. Users with network access are authorized to use the network through either an IEEE 802.1X method or their media access control (MAC) address.
system  Disables sending of Accounting-On and Accounting-Off messages to a RADIUS server, if previously enabled.
    When this command is entered, an Accounting-Off message is generated and sent to the server or server group specified with the set accounting system command.
user-glob  Single user or set of users with administrative access or network access.
    Specify a username, use the double-asterisk wildcard character (**) to specify all usernames, or use the single-asterisk wildcard character (*) to specify a set of usernames up to or following the first delimiter character—either an at sign (@) or a period (.). (For details, see “User Globs” on page 2–7.)
Defaults
None.
Access
Enabled.
History
Version 1.0  Command introduced
Version 5.0  system option added
Version 7.0  mac and web options added
Examples
The following command removes accounting services for authorized network user Nin:
MX# clear accounting dot1x Nin
success: change accepted.
See Also
set accounting {admin | console} on page 9-160
set accounting system on page 9-163
show accounting statistics on page 9-199
clear accounting command
Removes command auditing from the configuration; commands are no longer sent to an external RADIUS server for logging.
Syntax
clear accounting command
Defaults
None.
Access
Enabled.
History
Added in MSS 7.1.
clear authentication admin
Removes an authentication rule for administrative access through Telnet or Web View.
Syntax
clear authentication admin user-glob
user-glob  A single user or set of users.
    Specify a username, use the double-asterisk wildcard character (**) to specify all usernames, or use the single-asterisk wildcard character (*) to specify a set of usernames up to or following the first delimiter character, either an at sign (@) or a period (.). (For details, see “User Globs” on page 2–7.)
Note: The syntax descriptions for the clear authentication commands are separate for clarity. However, the options and behavior for the clear authentication admin command are the same as in previous releases.
Defaults
None.
Access
Enabled.
History
Introduced in MSS 1.0.
Examples
The following command clears authentication for administrator Jose:
MX# clear authentication admin Jose
success: change accepted.
See Also
clear authentication console on page 9-150
clear authentication dot1x on page 9-151
clear location policy on page 9-153
clear authentication web on page 9-152
set authentication admin on page 9-164
show aaa on page 9-190
clear authentication console
Removes an authentication rule for administrative access through the Console.
Syntax
clear authentication console user-glob
user-glob  A single user or set of users.
    Specify a username, use the double-asterisk wildcard character (**) to specify all usernames, or use the single-asterisk wildcard character (*) to specify a set of usernames up to or following the first delimiter character, either an at sign (@) or a period (.). (For details, see “User Globs” on page 2–7.)
Note: The syntax descriptions for the clear authentication commands are separate for clarity. However, the options and behavior for the clear authentication console command are the same as in previous releases.
Defaults
None.
Access
Enabled.
History
Introduced in MSS 1.0.
Examples
The following command clears authentication for administrator Regina:
MX# clear authentication console Regina
success: change accepted.
See Also
clear authentication admin on page 9-149
clear authentication dot1x on page 9-151
clear authentication mac on page 9-151
clear authentication web on page 9-152
set authentication console on page 9-165
show aaa on page 9-190
clear authentication dot1x
Removes an 802.1X authentication rule.
Syntax
clear authentication dot1x {ssid ssid-name | wired} user-glob
ssid ssid-name  SSID name to which this authentication rule applies.
wired  Clears a rule used for access over an MX wired-authentication port.
user-glob  User-glob associated with the rule you are removing.
Defaults
None.
Access
Enabled.
History
Version 1.0  Command introduced
Version 3.0  ssid ssid-name and wired options added
Examples
The following command removes 802.1X authentication for network users with usernames ending in @thiscorp.com who try to access SSID finance:
MX# clear authentication dot1x ssid finance *@thiscorp.com
See Also
clear authentication admin on page 9-149
clear authentication console on page 9-150
clear authentication mac on page 9-151
clear authentication web on page 9-152
set authentication dot1x on page 9-167
show aaa on page 9-190
clear authentication last-resort
Deprecated in MSS Version 5.0. The last-resort user is not required or supported in MSS Version 5.0. Instead, a user who accesses the network on an SSID by using the fallthru access type last-resort is automatically a last-resort user. The authorization attributes assigned to the user come from the default authorization attributes set on the SSID.
clear authentication mac
Removes a MAC authentication rule.
Syntax
clear authentication mac {ssid ssid-name | wired} mac-addr-glob
ssid ssid-name  SSID name to apply the authentication.
wired  Clears a rule used for access over an MX wired-authentication port.
mac-addr-glob  MAC address glob associated with the rule you are removing.
Defaults
None.
Access
Enabled.
History
Version 1.0  Command introduced
Version 3.0  ssid ssid-name and wired options added
Examples
The following command removes a MAC authentication rule for access to SSID thatcorp by MAC addresses beginning with aa:bb:cc:
MX# clear authentication mac ssid thatcorp aa:bb:cc:*
See Also
clear authentication admin on page 9-149
clear authentication console on page 9-150
clear authentication dot1x on page 9-151
clear authentication web on page 9-152
set authentication mac on page 9-170
show aaa on page 9-190
clear authentication proxy
Removes a proxy rule for third-party AP users.
Syntax
clear authentication proxy ssid ssid-name user-glob
ssid ssid-name  SSID name to which this authentication rule applies.
user-glob  User-glob associated with the rule you are removing.
Defaults
None.
Access
Enabled.
History
Introduced in MSS 4.0.
Examples
The following command removes the proxy rule for SSID mycorp and user-glob **:
MX# clear authentication proxy ssid mycorp **
See Also
set authentication proxy on page 9-173
show aaa on page 9-190
clear authentication web
Removes a WebAAA rule.
Syntax
clear authentication web {ssid ssid-name | wired} user-glob
ssid ssid-name  SSID name to which this authentication rule applies.
wired  Clears a rule used for access over an MX wired-authentication port.
user-glob  User-glob associated with the rule you are removing.
Defaults
None.
Access
Enabled.
History
Introduced in MSS 3.0.
Examples
The following command removes WebAAA for SSID research and user-glob temp*@thiscorp.com:
MX# clear authentication web ssid research temp*@thiscorp.com
See Also
clear authentication admin on page 9-149
clear authentication console on page 9-150
clear authentication dot1x on page 9-151
clear authentication mac on page 9-151
set authentication web on page 9-174
show aaa on page 9-190
clear location policy
Removes a rule from the location policy on an MX.
Syntax
clear location policy [index | all]
index  Index of the ACE to clear (1...).
all  Clears all policies.
Defaults
None.
Access
Enabled.
History
Version 1.1  Command introduced.
Version 7.0  rule-number replaced by the options index and all.
Usage
To determine the index numbers of location policy rules, use the show location policy command. Removing all the ACEs from the location policy disables this function on the MX.
Examples
The following command removes location policy rule 4 from an MX location policy:
MX# clear location policy 4
success: clause 4 is removed.
See Also
set location policy on page 9-175
show location policy on page 9-201
clear mac-user
Removes a user profile from the local database on the MX for a user authenticated by a MAC address.
(To remove a user profile in RADIUS, see the documentation for your RADIUS server.)
Syntax
clear mac-user mac-address-glob
mac-address-glob  MAC address of the user, in hexadecimal numbers separated by colons (:). You can omit leading zeros.
Defaults
None.
Access
Enabled.
History
Version 1.0  Command introduced.
Version 7.0  mac-addr changed to mac-address-glob.
Usage
Deleting a MAC user profile from the database deletes the assignment of any profile attributes to the user.
Examples
The following command removes the user profiles at MAC addresses matching 01:02:*:
MX# clear mac-user 01:02:*
success: change accepted.
See Also
set mac-usergroup attr on page 9-182
set mac-user attr on page 9-178
show aaa on page 9-190
clear mac-user attr
For a user authenticating with a MAC address, this command removes an authorization attribute from the user profile in the local database on the MX.
(To remove an authorization attribute in RADIUS, see the documentation for your RADIUS server.)
Syntax
clear mac-user mac-address-glob attr attribute-name
mac-address-glob  MAC address of the user, in hexadecimal numbers separated by colons (:). You can omit leading zeros.
attribute-name  Name of an attribute used to authorize the MAC user for a particular service or session characteristic. (For a list of authorization attributes, see Table 9–9 on page 179.)
Defaults
None.
Access
Enabled.
History
Version 1.0  Command introduced.
Version 7.0  MAC glob support added.
Examples
The following command removes an access control list (ACL) from the profile of a user at MAC address 01:02:03:04:05:06:
MX# clear mac-user 01:02:03:04:05:06 attr filter-id
success: change accepted.
See Also
set mac-user attr on page 9-178
show aaa on page 9-190
clear mac-user group
Removes a user profile from a MAC user group in the local database on the MX for a user authenticating with a MAC address.
(To remove a MAC user group profile in RADIUS, see the documentation for your RADIUS server.)
Syntax
clear mac-user mac-address-glob group
mac-address-glob  MAC address of the user, in hexadecimal numbers separated by colons (:). You can omit leading zeros.
Defaults
None.
Access
Enabled.
History
Version 1.0  Command introduced.
Version 7.0  MAC glob support added.
Usage
Removing a MAC user from a MAC user group removes the group name from the user profile, but does not delete the user group from the local MX database. To remove the group, use clear mac-usergroup.
Examples
The following command deletes a user profile at MAC address 01:02:03:04:05:06 from its user group:
MX# clear mac-user 01:02:03:04:05:06 group
success: change accepted.
See Also
clear mac-usergroup on page 9-155
set mac-user on page 9-177
show aaa on page 9-190
clear mac-usergroup
Removes a user group from the local database on the MX for a group of users authenticating with a MAC address.
(To delete a MAC user group in RADIUS, see the documentation for your RADIUS server.)
Syntax
clear mac-usergroup group-name
group-name  Name of an existing MAC user group.
Defaults
None.
Access
Enabled.
History
Introduced in MSS 1.0.
Usage
To remove a user from a MAC user group, use the clear mac-user group command.
Examples
The following command deletes the MAC user group eastcoasters from the local database:
MX# clear mac-usergroup eastcoasters
success: change accepted.
See Also
clear mac-usergroup attr on page 9-156
set mac-usergroup attr on page 9-182
show aaa on page 9-190
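The user-glob rules quoted in the clear accounting and clear authentication entries above (** for all usernames; * for a run of usernames up to or following the first @ or . delimiter) and the MAC address globs used by clear authentication mac and clear mac-user (a trailing * such as aa:bb:cc:*, leading zeros optional) are described only in prose. The following Python is an added example, not code from the guide or from MSS, that implements one reading of both glob forms so that an administrator can preview which local users a rule would affect before entering it; the decision that a lone * never spans a delimiter, and that only a trailing * is valid in a MAC glob, are this example's assumptions.

```python
import re
from typing import List

DELIMITERS = "@."  # the two user-glob delimiter characters named in the guide


def user_glob_to_regex(glob: str) -> "re.Pattern[str]":
    """Compile an MSS-style user-glob into an anchored regular expression.

    Reading used here (an assumption): ** matches every username, and a single *
    matches any run of characters that contains no delimiter, so *@thiscorp.com
    covers jose@thiscorp.com but not jose@lab.thiscorp.com.
    """
    pattern = ""
    i = 0
    while i < len(glob):
        if glob.startswith("**", i):
            pattern += ".*"
            i += 2
        elif glob[i] == "*":
            pattern += "[^" + re.escape(DELIMITERS) + "]*"
            i += 1
        else:
            pattern += re.escape(glob[i])
            i += 1
    return re.compile(pattern + r"\Z")


def user_glob_matches(glob: str, username: str) -> bool:
    return user_glob_to_regex(glob).match(username) is not None


def affected_users(glob: str, usernames: List[str]) -> List[str]:
    """Preview which of the given local usernames a rule written with this glob applies to."""
    return [u for u in usernames if user_glob_matches(glob, u)]


def normalize_mac(mac: str) -> List[str]:
    """Split a MAC address or MAC glob into lower-case, zero-padded octets.

    The guide allows leading zeros to be omitted, so 1:2:3:4:5:6 and
    01:02:03:04:05:06 normalize to the same list.
    """
    octets: List[str] = []
    for part in mac.lower().split(":"):
        if part == "*":
            octets.append("*")
        elif re.fullmatch(r"[0-9a-f]{1,2}", part):
            octets.append(part.zfill(2))
        else:
            raise ValueError(f"bad octet {part!r} in {mac!r}")
    return octets


def mac_glob_matches(glob: str, mac: str) -> bool:
    """A trailing * matches any remaining octets; without it all six octets must match."""
    g = normalize_mac(glob)
    m = normalize_mac(mac)
    if len(m) != 6 or "*" in m:
        raise ValueError(f"{mac!r} is not a full MAC address")
    if "*" in g[:-1]:
        raise ValueError(f"{glob!r}: only a trailing * is supported in this example")
    if g[-1] == "*":
        prefix = g[:-1]
        return m[: len(prefix)] == prefix
    return g == m
```

Because a clear command written with ** removes every matching rule or profile, previewing the match set with affected_users before running it is the check worth building into any automation around these commands.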
clear mac-usergroup attr
Removes an authorization attribute from a MAC user group in the local database on the MX, for a group of users who are authenticated by a MAC address.
(To unconfigure an authorization attribute in RADIUS, see the documentation for your RADIUS server.)
Syntax
clear mac-usergroup group-name attr attribute-name
group-name  Name of an existing MAC user group.
attribute-name  Name of an attribute used to authorize the MAC users in the user group for a particular service or session characteristic. (For a list of authorization attributes, see Table 9–9 on page 179.)
Defaults
None.
Access
Enabled.
History
Introduced in MSS 1.0.
Usage
To remove the group itself, use the clear mac-usergroup command.
Examples
The following command removes the members of the MAC user group eastcoasters from a VLAN assignment by deleting the VLAN-Name attribute from the group:
MX# clear mac-usergroup eastcoasters attr vlan-name
success: change accepted.
See Also
clear mac-usergroup on page 9-155
set mac-usergroup attr on page 9-182
show aaa on page 9-190
clear mobility-profile
Removes a Mobility Profile entirely.
Syntax
clear mobility-profile mprofile-name
mprofile-name  Name of an existing Mobility Profile.
Defaults
None.
Access
Enabled.
History
Introduced in MSS 1.0.
Examples
The following command removes the Mobility Profile for user Nin:
MX# clear mobility-profile Nin
success: change accepted.
See Also
set mobility-profile on page 9-183
set mobility-profile mode on page 9-184
show mobility-profile on page 9-201
clear user
Removes a user profile from the local database on the MX.
(To remove a user profile in RADIUS, see the documentation for your RADIUS server.)
Syntax
clear user username
username  Username
Defaults
None.
Access
Enabled.
History
Introduced in MSS 1.0.
Usage
Deleting the user profile from the database deletes the assignment of any profile attributes to the user.
Examples
The following command deletes the user profile for user Nin:
MX# clear user Nin
success: change accepted.
See Also
set user on page 9-185
show aaa on page 9-190
clear user attr
Removes an authorization attribute from the user profile in the local database on the MX for a user with a password.
(To remove an authorization attribute from a RADIUS user profile, see the documentation for your RADIUS server.)
Syntax
clear user username attr attribute-name
username  Username of a user with a password.
attribute-name  Name of an attribute used to authorize the user for a particular service or session characteristic. (For a list of authorization attributes, see Table 9–9 on page 179.)
Defaults
None.
Access
Enabled.
History
Introduced in MSS 1.0.
Examples
The following command removes the Session-Timeout attribute from the jsmith user profile:
MX# clear user jsmith attr session-timeout
success: change accepted.
See Also
set user attr on page 9-186
show aaa on page 9-190
clear user group
Removes a user with a password from membership in a user group in the local database on the MX.
(To remove a user from a user group in RADIUS, see the documentation for your RADIUS server.)
Syntax
clear user username group
username  Username
Defaults
None.
Access
Enabled.
History
Introduced in MSS 1.0.
Usage
Removing the user from the group removes the group name from the user profile, but does not delete either the user or the user group from the local MX database. To remove the group, use clear usergroup.
Examples
The following command removes the user Nin from the user group Nin is in:
MX# clear user Nin group
success: change accepted.
See Also
clear usergroup on page 9-159
set user group on page 9-187
show aaa on page 9-190
clear user lockout
Restores access to a user who has been locked out of the system due to an expired password or exceeding the maximum number of failed login attempts.
Syntax
clear user username lockout
username  Username of a user with a password.
Defaults
None.
Access
Enabled.
History
Introduced in MSS 6.0.
Usage
If a user’s password has expired, or the user is unable to log in within the configured limit for login attempts, then the user is locked out of the system, and cannot gain access without the intervention of an administrator. Use this command to restore access to the user.
Examples
The following command restores access to user Nin, who was previously locked out of the system:
MX# clear user Nin lockout
success: change accepted.
See Also
set authentication minimum-password-length on page 9-172
set authentication password-restrict on page 9-172
set user on page 9-185
set user expire-password-in on page 9-187
clear usergroup
Removes a user group and its attributes from the local database on the MX for users with
passwords.
(To delete a user group in RADIUS, see the documentation for your RADIUS server.)
Syntax
clear usergroup group-name
group-name Name of an existing user group.
Defaults
None.
Access
Enabled.
History
Introduced in MSS 1.0.
Usage
Removing a user group from the local MX database does not remove the user profiles of the
group members from the database.
Examples
The following command deletes the cardiology user group from the local database:
MX# clear usergroup cardiology
success: change accepted.
See Also
clear usergroup attr on page 9-159
set usergroup on page 9-188
show aaa on page 9-190
clear usergroup attr
Removes an authorization attribute from a user group in the local database on the MX.
(To remove an authorization attribute in RADIUS, see the documentation for your RADIUS
server.)
Syntax
clear usergroup group-name attr attribute-name
group-name Name of an existing user group.
attribute-name Name of an attribute used to authorize all the users in
the group for a particular service or session
characteristic. (For a list of authorization attributes, see
Table 9–9 on page 179.)
Defaults
None.
Access
Enabled.
History
Introduced in MSS 1.0.
Examples
The following command removes the members of the user group cardiology from a
network access time restriction by deleting the Time-Of-Day attribute from the group:
MX# clear usergroup cardiology attr time-of-day
success: change accepted.
See Also
clear usergroup on page 9-159
set usergroup on page 9-188
show aaa on page 9-190
set accounting {admin | console}
Sets up accounting services for specified users with administrative access, and defines
the accounting records and where they are sent.
Syntax
set accounting {admin | console} {user-glob} {start-stop | stop-only} method1
[method2] [method3] [method4]
admin Users with administrative access to the MX switch through
Telnet or Web View.
console Users with administrative access to the MX switch through a
console connection.
user-glob Single user or set of users with administrative access.
Specify a username, use the double-asterisk wildcard character
(**) to specify all usernames, or use the single-asterisk wildcard
character (*) to specify a set of usernames up to or following the
first delimiter character—either an at sign (@) or a period (.).
(For details, see “User Globs” on page 2–7.)
start-stop Sends accounting records at the start and end of a session.
stop-only Sends accounting records only at the end of a session.
method1
method2
method3
method4
At least one of up to four methods that MSS uses to process
accounting records. Specify one or more of the following
methods in priority order. If the first method does not succeed,
MSS tries the second method, and so on.
A method can be one of the following:
local—Stores accounting records in the local database on
the MX switch. When the local accounting storage space is
full, MSS overwrites older records with new ones.
server-group-name—Stores accounting records on one or
more Remote Authentication Dial-In User Service
(RADIUS) servers. You can also enter the names of existing
RADIUS server groups as methods.
Defaults
Accounting is disabled for all users by default.
Access
Enabled.
History
Version 1.0 Command introduced
Version 3.0 console option added
Usage
For network users with start-stop accounting whose records are sent to a RADIUS server,
MSS sends interim updates to the RADIUS server when the user roams.
Because the local method overwrites its oldest records once the local storage is full, list a
RADIUS server group first for any administrative session records you need as an audit trail.
Examples
The following command issues start-and-stop accounting records at the local MX
database for administrator Natasha, when she accesses the switch using Telnet or Web View:
MX# set accounting admin Natasha start-stop local
success: change accepted.
See Also
clear accounting on page 9-148
show accounting statistics on page 9-199
set accounting cdr
Sets the accounting services for SIP VoIP calls.
Syntax
set accounting cdr radius-server-group
radius-server-group Name of an existing RADIUS server group that receives the SIP Call Detail Records.
Defaults
None
Access
Enabled
History
Added in MSS Version 7.1
Usage
Use this command to set accounting services for SIP Call Detail Records.
Examples
To begin accounting services for SIP on a RADIUS server group named sipaccount, use
the following command:
MX# set accounting cdr sipaccount
success: change accepted.
set accounting {dot1x | mac | web | last-resort}
Sets up accounting services for specified wireless users with network access, and defines the
accounting records and where they are sent.
Syntax
set accounting {dot1x | mac | web | last-resort} {ssid ssid-name | wired}
{user-glob | mac-addr-glob} {start-stop | stop-only}
method1 [method2] [method3] [method4]
dot1x Users with network access through the MX switch who are
authenticated by 802.1X.
mac Users with network access through the MX switch who are
authenticated by MAC authentication.
web Users with network access through the MX switch who are
authenticated by WebAAA.
ssid ssid-name SSID name to which this accounting rule applies. To apply the
rule to all SSIDs, type any.
wired Applies this accounting rule specifically to users who are
authenticated on a wired authentication port.
user-glob Single user or set of users with network access.
Specify a username, use the double-asterisk wildcard character
(**) to specify all usernames, or use the single-asterisk wildcard
character (*) to specify a set of usernames up to or following the
first delimiter character—either an at sign (@) or a period (.).
(For details, see “User Globs” on page 2–7.)
Note: This option does not apply if mac or last-resort is
specified. For mac, specify a mac-addr-glob.
mac-addr-glob A single user or set of users with access via a MAC address.
Specify a MAC address, or use the wildcard (*) character to
specify a set of MAC addresses. (For details, see “MAC
Address Globs” on page 2–7.)
This option applies only when mac is specified.
start-stop Sends accounting records at the start and end of a network
session.
stop-only Sends accounting records only at the end of a network session.
method1
method2
method3
method4
At least one of up to four methods that MSS uses to process
accounting records. Specify one or more of the following
methods in priority order. If the first method does not succeed,
MSS tries the second method, and so on.
A method can be one of the following:
local—Stores accounting records in the local database on
the MX switch. When the local accounting storage space is
full, MSS overwrites older records with new ones.
server-group-name—Stores accounting records on one or
more Remote Authentication Dial-In User Service
(RADIUS) servers. You can also enter the names of existing
RADIUS server groups as methods.
Defaults
Accounting is disabled for all users by default.
Access
Enabled.
History
Version 1.0 Command introduced
Version 3.0 web option added
Usage
For network users with start-stop accounting profiles whose records are sent to a RADIUS
server, MSS sends interim updates to the RADIUS server when the user roams.
Because the local method overwrites its oldest records once the local storage is full, list a
RADIUS server group first for any records you need as an audit trail.
Examples
The following command issues stop-only records to the RADIUS server group sg2 for
network user Nin, who is authenticated by 802.1X on any SSID:
MX# set accounting dot1x ssid any Nin stop-only sg2
success: change accepted.
See Also
clear accounting on page 9-148
show accounting statistics on page 9-199
set accounting command
Provides the ability to log all CLI commands to an external server for auditing purposes. The
following capabilities are available:
All successfully completed commands are logged.
Commands are logged to an external RADIUS server or servers.
Password/key data is obscured.
Configuration is handled as an additional RADIUS accounting type:
VSA 13
Each command accounting message contains the following information:
Timestamp
tty port
Username
Source IP address
Command issued
Command status (success/failure)
Syntax
set accounting command radius-server-group
Defaults
None
Access
Enabled
History
Added in MSS 7.1
Examples
To begin command auditing and logging commands to the RADIUS server group,
corpsecure, use the following command:
MX# set accounting command corpsecure
success: change accepted.
set accounting system
Configures MSS to send Accounting-On and Accounting-Off messages to a specified RADIUS
server group.
Syntax
set accounting system method1 [method2] [method3] [method4]
method1
method2
method3
method4
At least one of up to four methods that MSS uses to process
accounting records. Specify one or more methods in priority
order. If the first method does not succeed, MSS tries the
second method, and so on.
Note: The local method is not valid for this command.
Defaults
By default MSS does not send Accounting-On or Accounting-Off messages.
Access
Enabled.
History
Introduced in MSS 5.0.
Usage
Use this command to configure MSS to send an Accounting-On message (Acct-Status-Type
= 7) to a RADIUS server when the MX switch starts, and an Accounting-Off message
(Acct-Status-Type = 8) to the RADIUS server when the MX switch is administratively shut down.
When you enable this command, an Accounting-On message is generated and sent to the specified
server or server group. Subsequent Accounting-On messages are generated each time the MX
starts. When the MX is administratively shut down, an Accounting-Off message is generated.
Accounting-Off messages are sent only when the MX is administratively shut down, not when a
critical failure causes the MX to reset. The MX does not wait for a RADIUS server to acknowledge
the Accounting-Off message; the MX makes one attempt to send the Accounting-Off message, then
shuts down.
Because a crash or power loss produces no Accounting-Off, a RADIUS server that receives an
Accounting-On from the MX should close any user sessions it still holds open for that MX; the
accounting log itself contains no other marker for the gap.
Examples
The following command causes Accounting-On and Accounting-Off messages to be sent
to RADIUS server group shorebirds:
MX# set accounting system shorebirds
success: change accepted.
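The Accounting-On and Accounting-Off messages described above are ordinary RADIUS Accounting-Request packets (RFC 2866) carrying Acct-Status-Type 7 or 8, and the only integrity protection on them is the Request Authenticator, an MD5 over the packet and the shared secret. The following is an added example, not Trapeze code, that builds such a packet and checks one the way a RADIUS server must (silently dropping a packet whose authenticator does not verify). The NAS-Identifier value, packet identifier and shared secret are constructed sample values.

```python
"""Build and check RADIUS Accounting-On / Accounting-Off requests (RFC 2866).

Added example, not Trapeze code. Useful for validating a capture of what the
MX sends once 'set accounting system' is enabled, or for a test accounting
server. The shared secret, NAS-Identifier and identifier are sample values.
"""
import hashlib
import struct

ACCOUNTING_REQUEST = 4
ATTR_NAS_IDENTIFIER = 32
ATTR_ACCT_STATUS_TYPE = 40
ACCT_STATUS = {"Accounting-On": 7, "Accounting-Off": 8}   # RFC 2866 section 5.1


def _attr(attr_type: int, value: bytes) -> bytes:
    """Encode one Type-Length-Value attribute; Length covers the two header bytes."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_accounting_request(status: str, nas_id: str, secret: bytes, identifier: int) -> bytes:
    """Accounting-Request whose Request Authenticator is
    MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)."""
    attrs = _attr(ATTR_ACCT_STATUS_TYPE, struct.pack("!I", ACCT_STATUS[status]))
    attrs += _attr(ATTR_NAS_IDENTIFIER, nas_id.encode())
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(attrs))
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def parse_attributes(packet: bytes) -> dict:
    """Decode the attribute list into {type: value}; rejects malformed lengths."""
    attrs, pos = {}, 20
    while pos < len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs[attr_type] = packet[pos + 2:pos + length]
        pos += length
    return attrs


def verify_request_authenticator(packet: bytes, secret: bytes) -> bool:
    """Recompute the Request Authenticator. A mismatch means a wrong shared
    secret or a packet altered in transit; RFC 2866 says to drop it silently."""
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return expected == packet[4:20]


def status_of(packet: bytes) -> str:
    """Map the Acct-Status-Type value back to its name."""
    value = struct.unpack("!I", parse_attributes(packet)[ATTR_ACCT_STATUS_TYPE])[0]
    return {v: k for k, v in ACCT_STATUS.items()}.get(value, "Other(%d)" % value)


if __name__ == "__main__":
    secret = b"constructed-shared-secret"        # sample value, not a real secret
    pkt = build_accounting_request("Accounting-On", "MX-lab-01", secret, identifier=1)
    print(status_of(pkt), "authenticator ok:", verify_request_authenticator(pkt, secret))
    print("wrong secret accepted:", verify_request_authenticator(pkt, b"other-secret"))
```

Note that the authenticator is a keyed MD5, not a signature: anyone who knows the shared secret can forge an Accounting-Off, and an attacker who can capture traffic can attempt to brute-force a weak secret offline from a single packet, so the secret between the MX and its server group should be long and random.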
See Also
clear accounting on page 9-148
show accounting statistics on page 9-199
set authentication admin
Configures authentication and defines where it is performed for specified users with
administrative access through Telnet or Web View.
Syntax
set authentication admin user-glob
method1 [method2] [method3] [method4]
user-glob Single user or set of users with administrative access over the network through
Telnet or Web View.
Specify a username, use the double-asterisk wildcard character (**) to specify all
usernames, or use the single-asterisk wildcard character (*) to specify a set of
usernames up to or following the first delimiter character—either an at sign (@) or a
period (.). (For details, see “User Globs” on page 2–7.)
method1
method2
method3
method4
At least one of up to four methods that MSS uses to handle authentication. Specify
one or more of the following methods in priority order. MSS applies multiple
methods in the order you enter them.
A method can be one of the following:
local—Uses the local database of usernames and user groups on the MX switch
for authentication.
server-group-name—Uses the defined group of RADIUS servers for
authentication. You can enter up to four names of existing RADIUS server
groups as methods.
none—For users with administrative access only, MSS performs no
authentication, but prompts for a username and password and accepts any
combination of entries, including blanks.
ldap_group_name —Uses the defined group of LDAP servers for authentication.
You can configure up to four LDAP server groups.
Note: The authentication method none you can specify for administrative access is
different from the fallthru authentication type none, which applies only to network
access. The authentication method none allows access to the MX switch by an
administrator. The fallthru authentication type none denies access to a network
user. (See “set service-profile [rsn-id | wpa-ie] auth-fallthru” on page 12–
287.)
For more information, see “Usage.”
Defaults
By default, authentication is deactivated for all admin users. The default authentication
method in an admin authentication rule is local. MSS checks the local MX database for
authentication.
Access
Enabled.
History
MSS 1.0 Command introduced.
MSS 7.1 LDAP added as an authentication method.
Note:
The syntax descriptions for the set authentication commands are separated for
clarity. However, the options and behavior for the set authentication admin
command are the same as in previous releases.
Usage
You can configure different authentication methods for different groups of users. (For
details, see “User Globs, MAC Address Globs, and VLAN Globs” on page 2–7.)
If you specify multiple authentication methods in the set authentication admin command,
MSS applies them in the order that they appear in the command, with these results:
If the first method responds with pass or fail, the evaluation is final.
If the first method does not respond, MSS tries the second method, and so on.
However, if local appears first, followed by a RADIUS server group, MSS ignores any failed
searches in the local MX database and sends an authentication request to the RADIUS server
group.
Note:
If a AAA rule specifies local as a secondary AAA method, to be used if the RADIUS
servers are unavailable, and MSS authenticates a client with the local method, MSS
starts again at the beginning of the method list when attempting to authorize the
client. This can cause unexpected delays during client processing and can cause the
client to time out before completing logon.
Examples
The following command configures administrator Jose, who connects via Telnet, for
authentication on RADIUS server group sg3:
MX# set authentication admin Jose sg3
success: change accepted.
See Also
clear authentication admin on page 9-149
set authentication console on page 9-165
set authentication dot1x on page 9-167
set authentication mac on page 9-170
set authentication web on page 9-174
show aaa on page 9-190
set authentication console
Configures authentication and defines where it is performed for specified users with
administrative access through a console connection.
Syntax
set authentication console user-glob
method1 [method2] [method3] [method4]
user-glob Single user or set of users with administrative access through
the switch’s console.
Specify a username, use the double-asterisk wildcard character
(**) to specify all usernames, or use the single-asterisk wildcard
character (*) to specify a set of usernames up to or following the
first delimiter character—either an at sign (@) or a period (.).
(For details, see “User Globs” on page 2–7.)
method1
method2
method3
method4
At least one of up to four methods that MSS uses to handle
authentication. Specify one or more of the following methods in
priority order. MSS applies multiple methods in the order you
enter them.
A method can be one of the following:
local—Uses the local database of usernames and user
groups on the MX switch for authentication.
server-group-name—Uses the defined group of RADIUS
servers for authentication. You can enter up to four names
of existing RADIUS server groups as methods.
none—For users with administrative access only, MSS
performs no authentication, but prompts for a username
and password and accepts any combination of entries,
including blanks.
ldap_group_name—Uses the defined group of LDAP
servers for authentication. You can configure up to four
LDAP server groups.
Note: The authentication method none you can specify for
administrative access is different from the fallthru
authentication type none, which applies only to network
access. The authentication method none allows access to the
MX by an administrator. The fallthru authentication type
none denies access to a network user. (See “set
service-profile [rsn-id | wpa-ie] auth-fallthru” on
page 12–287.)
Note: You must configure an LDAP server group before you
can use LDAP as an authentication method.
For more information, see “Usage.”
Defaults
By default, authentication is deactivated for all console users, and the default
authentication method in a console authentication rule is none. MSS requires no username or
password, by default. These users can press Enter at the prompts for administrative access.
Note:
It is recommended that you change the default setting unless the MX is in a
secure physical location.
Note:
The syntax descriptions for the set authentication commands are
separated for clarity. However, the options and behavior for the set
authentication console command are the same as in previous releases.
Access
Enabled.
History
Introduced in MSS 1.0.
Usage
You can configure different authentication methods for different groups of users. (For
details, see “User Globs, MAC Address Globs, and VLAN Globs” on page 2–7.)
If you specify multiple authentication methods in the set authentication console command,
MSS applies them in the order in which they appear in the command, with these results:
If the first method responds with pass or fail, the evaluation is final.
If the first method does not respond, MSS tries the second method, and so on.
However, if local appears first, followed by a RADIUS server group, MSS ignores any failed
searches in the local MX database and sends an authentication request to the RADIUS server
group.
Examples
To set the console port so that it does not enforce username-password authentication for
administrators, type the following command:
MX# set authentication console * none
success: change accepted.
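The method-list rules stated for the set authentication admin and console commands above (and repeated for dot1x and mac below) decide who gets in when a server group is down, and the ordering of local and a RADIUS group changes the outcome. The following is an added example, not Trapeze code, that simulates rule selection by user glob and the method-list walk so the cases can be checked side by side. The glob semantics (** matches any name, * matches one name component containing no @ or . delimiter), first-match rule ordering, and the local and RADIUS user tables are assumptions and constructed sample data, not taken from MSS.

```python
"""Simulate MSS authentication rule selection and method-list evaluation.

Added example, not Trapeze code. It models the rules this guide states for
the set authentication admin/console/dot1x/mac commands: a method that
answers pass or fail ends the evaluation; a method that does not respond
(an unreachable RADIUS server group) hands off to the next one; and when
local is listed first with a RADIUS server group after it, a user missing
from the local database is forwarded to RADIUS instead of being rejected.
Assumptions: '**' matches any name, '*' matches one name component with no
'@' or '.' in it, rules match in configured order, and the user tables below
are constructed sample data.
"""
import re
from typing import Dict, List, Optional, Tuple

PASS, FAIL, NO_RESPONSE = "pass", "fail", "no-response"

LOCAL_DB = {"Jose": "Tre%Pag32!", "Nin": "Nin-pw-2010"}        # constructed local users
RADIUS_GROUPS = {"sg3": {"Jose@example.com": "radius-pw"}}    # constructed server group


def glob_matches(glob: str, username: str) -> bool:
    """Assumed user-glob semantics: '**' matches everything, '*' matches a run
    of characters containing no '@' or '.' delimiter."""
    if glob == "**":
        return True
    pattern = "".join("[^@.]*" if ch == "*" else re.escape(ch) for ch in glob)
    return re.fullmatch(pattern, username) is not None


def local_method(user: str, password: str) -> str:
    """The local database answers pass or fail; it never fails to respond."""
    return PASS if LOCAL_DB.get(user) == password else FAIL


def radius_method(group: str, reachable: bool, user: str, password: str) -> str:
    """A RADIUS server group that is down gives no answer at all."""
    if not reachable:
        return NO_RESPONSE
    return PASS if RADIUS_GROUPS[group].get(user) == password else FAIL


def none_method(user: str, password: str) -> str:
    """The admin-only 'none' method: prompts but accepts anything, even blanks."""
    return PASS


def evaluate(methods: List[str], user: str, password: str,
             reachable: Dict[str, bool]) -> str:
    """Walk the method list in configured order under the MSS rules above."""
    for i, name in enumerate(methods):
        if name == "local":
            result = local_method(user, password)
            # local first, RADIUS next: a user absent from the local database
            # is not a final failure; the request goes on to the server group.
            radius_next = i + 1 < len(methods) and methods[i + 1] in RADIUS_GROUPS
            if result == FAIL and user not in LOCAL_DB and radius_next:
                continue
        elif name == "none":
            result = none_method(user, password)
        elif name in RADIUS_GROUPS:
            result = radius_method(name, reachable.get(name, True), user, password)
        else:
            raise ValueError("unknown method %r" % name)
        if result != NO_RESPONSE:
            return result            # a responding method's pass/fail is final
    return FAIL                      # no method responded: deny


def select_rule(rules: List[Tuple[str, List[str]]], user: str) -> Optional[List[str]]:
    """Rules are (user-glob, method list); the first glob that matches wins."""
    for glob, methods in rules:
        if glob_matches(glob, user):
            return methods
    return None


if __name__ == "__main__":
    # Models:  set authentication admin *@example.com local sg3
    #          set authentication admin ** local
    rules = [("*@example.com", ["local", "sg3"]), ("**", ["local"])]
    for user, pw, sg3_up in [("Jose@example.com", "radius-pw", True),
                             ("Jose", "wrong", True),
                             ("Nin", "Nin-pw-2010", False)]:
        print(user, "->", evaluate(select_rule(rules, user), user, pw, {"sg3": sg3_up}))
```

Two outcomes are worth checking against your own rules: with local listed first, a user who exists locally and mistypes the password is rejected without RADIUS ever being asked, while a user unknown locally is forwarded; with a RADIUS group listed first and local as fallback, a reachable server's fail is final, so the local account only helps when the servers do not answer. A rule ending in none admits any name with any password, which is why the console default above needs changing outside a locked room.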
See Also
clear authentication console on page 9-150
set authentication admin on page 9-164
set authentication dot1x on page 9-167
set authentication mac on page 9-170
set authentication web on page 9-174
show aaa on page 9-190
set authentication dot1x
Configures authentication and defines how it is performed for specified wireless or wired
authentication clients who use an IEEE 802.1X authentication protocol to access the network
through the MX.
Syntax
set authentication dot1x {ssid ssid-name | wired} user-glob [bonded] protocol
method1 [method2] [method3] [method4]
ssid ssid-name SSID name to which this authentication rule applies. To apply the
rule to all SSIDs, type any.
wired Applies this authentication rule specifically to users connected to a
wired authentication port.
user-glob A single user or a set of users with 802.1X network access.
Specify a username, use the double-asterisk wildcard character (**)
to specify all usernames, or use the single-asterisk wildcard character
(*) to specify a set of usernames up to or following the first delimiter
character—either an at sign (@) or a period (.). (For details, see “User
Globs” on page 2–7.)
bonded Enables Bonded Auth™ (bonded authentication). When this feature
is enabled, MSS authenticates the user only if the computer that the
user is on has already been authenticated.
protocol Protocol used for authentication. Specify one of the following:
eap-md5—Extensible Authentication Protocol (EAP) with
message-digest algorithm 5. For wired authentication clients:
Uses challenge-response to compare hashes
Provides no encryption or integrity checking for the connection
Note: The eap-md5 option does not work with Microsoft wired
authentication clients.
eap-tls—EAP with Transport Layer Security (TLS):
Provides mutual authentication, integrity-protected
negotiation, and key exchange
Requires X.509 public key certificates on both sides of the
connection
Provides encryption and integrity checking for the connection
Cannot be used with RADIUS server authentication (requires
user information to be in the MX local database)
peap-mschapv2—Protected EAP (PEAP) with Microsoft
Challenge Handshake Authentication Protocol version 2
(MS-CHAP-V2). For wireless clients:
Uses TLS for encryption and data integrity checking and
server-side authentication.
Provides MS-CHAP-V2 mutual authentication.
Only the server side of the connection needs a certificate.
The wireless client authenticates using TLS to set up an
encrypted session. Then MS-CHAP-V2 performs mutual
authentication using the specified AAA method.
pass-through—MSS sends all the EAP protocol processing to a
RADIUS server.
method1
method2
method3
method4
At least one and up to four methods that MSS uses to handle
authentication. Specify one or more of the following methods in
priority order. MSS applies multiple methods in the order you enter
them.
A method can be one of the following:
local—Uses the local database of usernames and user groups on
the MX switch for authentication.
server-group-name—Uses the defined group of RADIUS servers
for authentication. You can enter up to four names of existing
RADIUS server groups as methods.
RADIUS servers cannot be used with the EAP-TLS protocol.
For more information, see “Usage.”
Defaults
By default, authentication is unconfigured for all clients with network access through
MP ports or wired authentication ports on the MX. Connection, authorization, and accounting are
also disabled for these users.
Bonded authentication is disabled by default.
Access
Enabled.
History
Version 1.0 Command introduced
Version 2.1 bonded option added for bonded authentication
Version 3.0 ssid ssid-name and wired options added
Usage
You can configure different authentication methods for different groups of users by
“globbing.” (For details, see “User Globs” on page 2–7.)
You can configure a rule either for wireless access to an SSID, or for wired access through an MX
wired authentication port. If the rule is for wireless access to an SSID, specify the SSID name or
specify any to match on all SSID names. If the rule is for wired access, specify wired instead of an
SSID name.
You cannot configure client authentication that uses both EAP-TLS protocol and one or more
RADIUS servers. EAP-TLS authentication is supported only on the local MX database.
If you specify multiple authentication methods in the set authentication dot1x command, MSS
applies them in the order in which they appear in the command, with these results:
If the first method responds with pass or fail, the evaluation is final.
If the first method does not respond, MSS tries the second method, and so on.
However, if local appears first, followed by a RADIUS server group, MSS overrides any failed
searches in the local MX database and sends an authentication request to the server group.
If the client does not support 802.1X, MSS attempts to perform MAC authentication for the user. In
this case, if the MX configuration contains a set authentication mac command that matches the
SSID the user is attempting to access and the user MAC address, MSS uses the method specified
by the command. Otherwise, MSS uses local MAC authentication by default.
If the username does not match an authentication rule for the SSID the user is attempting to
access, MSS uses the fallthru authentication type configured for the SSID, which can be
last-resort, web-portal (for WebAAA), or none.
Examples
The following command configures EAP-TLS authentication in the local MX database for
SSID mycorp and 802.1X client Geetha:
MX# set authentication dot1x ssid mycorp Geetha eap-tls local
success: change accepted.
The following command configures PEAP-MS-CHAP-V2 authentication at RADIUS server groups
sg1 through sg3 for all 802.1X clients at example.com who want to access SSID examplecorp:
MX# set authentication dot1x ssid examplecorp *@example.com peap-mschapv2 sg1 sg2 sg3
success: change accepted.
See Also
clear authentication dot1x on page 9-151
set authentication admin on page 9-164
set authentication console on page 9-165
set authentication mac on page 9-170
set authentication web on page 9-174
set service-profile [rsn-id | wpa-ie] auth-fallthru on page 12-287
show aaa on page 9-190
set authentication last-resort
Deprecated in MSS Version 5.0. The last-resort user is not required or supported in MSS Version
5.0. Instead, a user who accesses the network on an SSID by using the fallthru access type
last-resort is automatically a last-resort user. The authorization attributes assigned to the user
come from the default authorization attributes set on the SSID.
set authentication mac
Configures authentication and defines where it is performed for specified non-802.1X users with
network access through a media access control (MAC) address.
Syntax
set authentication mac {ssid ssid-name | wired} mac-addr-glob method1 [method2]
[method3] [method4]
ssid ssid-name SSID name to which this authentication rule applies. To apply
the rule to all SSIDs, type any.
wired Applies this authentication rule specifically to users connected
to a wired authentication port.
mac-addr-glob A single user or set of users with access via a MAC address.
Specify a MAC address, or use the wildcard (*) character to
specify a set of MAC addresses. (For details, see “MAC
Address Globs” on page 2–7.)
method1
method2
method3
method4
At least one of up to four methods that MSS uses to handle
authentication. Specify one or more of the following methods in
priority order. MSS applies multiple methods in the order you
enter them.
A method can be one of the following:
local—Uses the local database of usernames and user
groups on the MX switch for authentication.
server-group-name—Uses the defined group of RADIUS
servers for authentication. You can enter up to four names
of existing RADIUS server groups as methods.
ldap_group_name—Uses the defined group of LDAP
servers for authentication. You can configure up to four
LDAP server groups.
For more information, see “Usage.”
Defaults
By default, authentication is deactivated for all MAC users, which means MAC address
authentication fails by default. When using RADIUS for authentication, the default password for
MAC and last-resort users is trapeze.
Access
Enabled.
History
Version 1.0 Command introduced
Version 3.0 ssid ssid-name and wired options added
Version 7.1 Added LDAP as an authentication option.
Usage
You can configure different authentication methods for different groups of MAC addresses
by “globbing.” (For details, see “User Globs, MAC Address Globs, and VLAN Globs” on
page 2–7.)
If you specify multiple authentication methods in the set authentication mac command, MSS
applies them in the order in which they appear in the command, with these results:
If the first method responds with pass or fail, the evaluation is final.
If the first method does not respond, MSS tries the second method, and so on.
However, if local appears first, followed by a RADIUS server group, MSS ignores any failed
searches in the local MX database and sends an authentication request to the RADIUS server
group.
If the MX configuration contains a set authentication mac command that matches the SSID the
user is attempting to access and the user MAC address, MSS uses the method specified by the
command. Otherwise, MSS uses local MAC authentication by default.
If the username does not match an authentication rule for the SSID the user is attempting to
access, MSS uses the fallthru authentication type configured for the SSID, which can be
last-resort, web-portal (for WebAAA), or none.
MAC authentication proves only which address a client presents, and a client can set any
address, so treat it as device identification rather than user authentication and assign
MAC-authenticated users narrowly scoped authorization attributes. The default RADIUS password
trapeze is published and offers no secrecy.
Examples
To use the local MX database to authenticate all users who access the mycorp2 SSID by
their MAC address, type the following command:
MX# set authentication mac ssid mycorp2 ** local
success: change accepted.
See Also
clear authentication mac on page 9-151
set authentication admin on page 9-164
set authentication console on page 9-165
set authentication dot1x on page 9-167
set authentication web on page 9-174
show aaa on page 9-190
See Also
clear authentication mac on page 9-151
set authentication admin on page 9-164
set authentication console on page 9-165
set authentication dot1x on page 9-167
set authentication web on page 9-174
show aaa on page 9-190
set authentication mac-prefix
Specifies the MAC address prefix for SSID authentication.
Syntax
set authentication mac-prefix {ssid [ ssid | any]} wired mac-glob
Defaults
None
Access
Enabled.
History
Introduced in MSS Version 7.0.
Usage
You can configure different authentication methods for different groups of MAC addresses
by “globbing.” (For details, see “User Globs, MAC Address Globs, and VLAN Globs” on
page 2–7.)
Examples
To set the MAC address glob for authenticating an SSID, use the following command:
MX# set authentication mac-prefix ssid any 00:00*
success: change accepted.
set authentication max-attempts
Specifies the maximum number of login attempts users can make before being locked out of the
system.
Syntax
set authentication max-attempts number
number Number of allowable login attempts for a user. You can specify a
number between 0 – 1000. Specifying 0 causes the number of allowable
login attempts to reset to the default values.
Defaults
For Telnet or SSH sessions, a maximum of 4 failed login attempts are allowed by default.
For console or network sessions, an unlimited number of failed login attempts are allowed by
default.
Access
Enabled.
History
Introduced in MSS 6.0.
Usage
Use this command to specify the maximum number of failed login attempts allowed for a
user. If the user is unable to log in within the specified number of attempts, the user is locked out
of the system, and access must be manually restored with the clear user lockout command.
Examples
To allow users a maximum of 3 attempts to log into the system, type the following
command:
MX# set authentication max-attempts 3
success: change accepted.
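The lockout behaviour described for set authentication max-attempts and clear user lockout is easy to get subtly wrong when you reproduce it in a test harness or an external authenticator, so here it is as an added example, not Trapeze code. It encodes the defaults stated in this guide (4 failed attempts for Telnet and SSH, unlimited for console and network sessions, 0 restoring those defaults) and the rule that a locked user stays locked, correct password or not, until an administrator clears the lockout. Two points are assumptions: that the n-th consecutive failure triggers the lock, and that a successful login resets the failure count.

```python
"""Failed-login tracking and lockout modelled on 'set authentication
max-attempts' and 'clear user lockout'.

Added example, not Trapeze code. DEFAULT_LIMITS reflects the defaults stated
in this guide; None means unlimited. Assumed: the n-th consecutive failure
locks the account, and a successful login resets the counter.
"""
from typing import Dict, Optional

DEFAULT_LIMITS = {"telnet": 4, "ssh": 4, "console": None, "network": None}


class LoginGuard:
    def __init__(self, max_attempts: int = 0):
        self.failures: Dict[str, int] = {}
        self.locked = set()
        self.set_max_attempts(max_attempts)

    def set_max_attempts(self, number: int) -> None:
        """Equivalent of 'set authentication max-attempts number' (0 to 1000)."""
        if not 0 <= number <= 1000:
            raise ValueError("number must be between 0 and 1000")
        self.max_attempts = number        # 0: fall back to the per-access defaults

    def limit_for(self, access: str) -> Optional[int]:
        """Effective limit for an access type; None means never lock."""
        return self.max_attempts or DEFAULT_LIMITS[access]

    def attempt(self, user: str, access: str, password_ok: bool) -> str:
        """Return 'locked', 'pass' or 'fail'. A locked user is refused even
        with the right password until clear_user_lockout is called."""
        if user in self.locked:
            return "locked"
        if password_ok:
            self.failures.pop(user, None)
            return "pass"
        self.failures[user] = self.failures.get(user, 0) + 1
        limit = self.limit_for(access)
        if limit is not None and self.failures[user] >= limit:
            self.locked.add(user)
            return "locked"
        return "fail"

    def clear_user_lockout(self, user: str) -> bool:
        """Equivalent of 'clear user username lockout'; True if the user was locked."""
        was_locked = user in self.locked
        self.locked.discard(user)
        self.failures.pop(user, None)
        return was_locked


if __name__ == "__main__":
    guard = LoginGuard(3)                 # set authentication max-attempts 3
    for pw_ok in (False, False, False, True):
        print("Nin ssh ->", guard.attempt("Nin", "ssh", pw_ok))
    print("cleared:", guard.clear_user_lockout("Nin"))
    print("Nin ssh ->", guard.attempt("Nin", "ssh", True))
```

Because the limit applies per user and is reset only by an administrator, an attacker who can reach Telnet or SSH can lock out a known administrator name with a handful of bad passwords; keep console access (which never locks by default) in a physically secured location so recovery remains possible.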
See Also
clear user lockout on page 9-158
set authentication minimum-password-length on page 9-172
set authentication password-restrict on page 9-172
set authentication minimum-password-length
Specifies the minimum allowable length for user passwords.
Syntax
set authentication minimum-password-length length
length Minimum number of characters that can be in a user password. You
can specify a minimum password length between 0 – 32 characters.
Specifying 0 removes the restriction on password length.
Defaults
By default, there is no minimum length for user passwords.
Access
Enabled.
History
Introduced in MSS 6.0.
Usage
Use this command to specify the minimum length for user passwords. When this
command is configured, you cannot configure a password shorter than the specified length.
When you enable this command, MSS evaluates the passwords configured on the MX switch and
displays a list of users whose password does not meet the minimum length restriction.
Examples
To set the minimum length for user passwords at 7 characters, type the following
command:
MX# set authentication minimum-password-length 7
warning: the following users have passwords that are shorter than the minimum password
length -
dan
admin
user2
goofball
success: change accepted.
See Also
clear user lockout on page 9-158
set authentication password-restrict on page 9-172
set user on page 9-185
set authentication password-restrict
Activates password restrictions for network and administrative users.
Syntax
set authentication password-restrict {enable | disable}
enable Enables password restrictions on the MX.
disable Disables password restrictions on the MX.
Defaults
By default the password restrictions are disabled.
Access
Enabled.
History
Introduced in MSS 6.0.
Usage
When this command is enabled, the following password restrictions take effect:
Passwords must be at least 10 characters long and contain at least two uppercase letters,
two lowercase letters, two numbers, and two special characters (for example, Tre%Pag32!).
A user cannot reuse any of his or her 10 previous passwords (not applicable to network users).
When a user changes his or her password, at least 4 characters must be different from the
previous password.
When you enable the password restrictions, MSS evaluates the passwords configured on the MX
switch and displays a list of users whose password does not meet the restriction on length and
character types.
Examples
To enable password restrictions on the MX switch, type the following command:
MX# set authentication password-restrict enable
warning: the following users have passwords that do not have atleast 2 each of upper-case
letters, lower-case letters, numbers and special characters -
dan
admin
user1
user2
jdoe
jsmith
success: change accepted.
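The checks that a minimum password length and the password restrictions described above impose, written out as a Python checker that also rebuilds the per-user audit shown in the warning output. This is an added illustration, not MSS code; it assumes that "at least 4 characters must be different" is measured position by position, with a change in length counting as changed characters.

```python
"""Password policy checker for the rules of 'set authentication
minimum-password-length' and 'set authentication password-restrict'.
Added example, not Trapeze/MSS code."""

REQUIRED_PER_CLASS = 2      # at least two of each character class
RESTRICT_MIN_LENGTH = 10    # imposed when password-restrict is enabled
HISTORY_DEPTH = 10          # previous passwords that may not be reused
MIN_CHANGED_CHARS = 4       # characters that must differ from the previous one


def character_classes(password):
    """Count uppercase, lowercase, digit and special characters."""
    counts = {"upper": 0, "lower": 0, "digit": 0, "special": 0}
    for ch in password:
        if ch.isupper():
            counts["upper"] += 1
        elif ch.islower():
            counts["lower"] += 1
        elif ch.isdigit():
            counts["digit"] += 1
        else:
            counts["special"] += 1
    return counts


def changed_characters(new, previous):
    """Assumption: compare position by position; any difference in length
    counts as that many changed characters."""
    differing = sum(1 for a, b in zip(new, previous) if a != b)
    return differing + abs(len(new) - len(previous))


def check_password(new, history=(), min_length=0, restrict=True,
                   network_user=False):
    """Return the list of violated rules (an empty list means accepted).

    history      -- previous passwords, most recent first
    min_length   -- value of 'set authentication minimum-password-length'
                    (0 = no restriction)
    restrict     -- whether 'set authentication password-restrict' is enabled
    network_user -- the reuse history does not apply to network users
    """
    problems = []
    if min_length and len(new) < min_length:
        problems.append(f"shorter than minimum-password-length {min_length}")
    if not restrict:
        return problems
    if len(new) < RESTRICT_MIN_LENGTH:
        problems.append(f"shorter than {RESTRICT_MIN_LENGTH} characters")
    for name, count in character_classes(new).items():
        if count < REQUIRED_PER_CLASS:
            problems.append(f"fewer than {REQUIRED_PER_CLASS} {name} characters")
    if history:
        if not network_user and new in history[:HISTORY_DEPTH]:
            problems.append(f"reuses one of the previous {HISTORY_DEPTH} passwords")
        if changed_characters(new, history[0]) < MIN_CHANGED_CHARS:
            problems.append(f"fewer than {MIN_CHANGED_CHARS} characters changed")
    return problems


def audit_users(users, **policy):
    """Mimic the warning printed when the restriction is enabled: return the
    usernames whose stored password fails the policy, in the order given."""
    return [name for name, pw in users.items() if check_password(pw, **policy)]


if __name__ == "__main__":
    # Constructed sample local database; the passwords are the ones used in
    # this chapter's 'set user' examples plus the page's Tre%Pag32! sample.
    sample = {"dan": "goody", "admin": "chey3nne", "jdoe": "Tre%Pag32!"}
    print("users failing the restriction:", audit_users(sample))
```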
See Also
set authentication minimum-password-length on page 9-172
set authentication max-attempts on page 9-171
clear user lockout on page 9-158
set authentication proxy
Configures a proxy authentication rule for wireless users on a third-party AP.
Syntax
set authentication proxy ssid ssid-name user-glob server-group-name
ssid ssid-name  SSID name to which this authentication rule applies.
user-glob  A single user or a set of users. Specify a username, use the double-asterisk wildcard character (**) to specify all usernames, or use the single-asterisk wildcard character (*) to specify a set of usernames up to or following the first delimiter character—either an at sign (@) or a period (.). (For details, see “User Globs” on page 2–7.)
radius-server-group  A group of RADIUS servers used for authentication.
Defaults
None.
Access
Enabled.
History
Introduced in MSS 4.0.
Usage
AAA for third-party AP users has additional configuration requirements. See the “Configuring AAA for Users of Third-Party APs” section in the “Configuring AAA for Network Users” chapter of the Trapeze Mobility System Software Configuration Guide.
Examples
The following command configures a proxy authentication rule that matches on all
usernames associated with SSID mycorp. MSS uses RADIUS server group srvrgrp1 to proxy
RADIUS requests and hence to authenticate and authorize the users.
MX# set authentication proxy ssid mycorp ** srvrgrp1
See Also
clear authentication proxy on page 9-152
set radius proxy client on page 17-432
set radius proxy port on page 17-433
set authentication web
Configures an authentication rule that allows a user to log into the network using a web page
served by the MX. The rule can be activated if the user is not otherwise granted or denied access
by 802.1X, or granted access by MAC authentication.
Syntax
set authentication web {ssid ssid-name | wired} user-glob method1 [method2] [method3] [method4]
ssid ssid-name  SSID name to which this authentication rule applies. To apply the rule to all SSIDs, type any.
wired  Applies this authentication rule specifically to users connected to a wired authentication port.
user-glob  A single user or a set of users. Specify a username, use the double-asterisk wildcard character (**) to specify all usernames, or use the single-asterisk wildcard character (*) to specify a set of usernames up to or following the first delimiter character—either an at sign (@) or a period (.). (For details, see “User Globs” on page 2–7.)
method1 method2 method3 method4  At least one and up to four methods that MSS uses to handle authentication. Specify one or more of the following methods in priority order. MSS applies multiple methods in the order you enter them. A method can be one of the following:
local—Uses the local database of usernames and user groups on the MX switch for authentication.
server-group-name—Uses the defined group of RADIUS servers for authentication. You can enter up to four names of existing RADIUS server groups as methods. RADIUS servers cannot be used with the EAP-TLS protocol.
ldap_group_name—Uses the defined group of LDAP servers for authentication. You can configure up to four LDAP server groups. For more information, see “Usage.”
Defaults
By default, authentication is unconfigured for all clients with network access through MP ports or wired authentication ports on the MX switch. Connection, authorization, and accounting are also disabled for these users.
Access
Enabled.
History
Introduced in MSS 3.0. Added LDAP in MSS 7.1.
Usage
You can configure different authentication methods for different groups of users by “globbing.” (For details, see “User Globs” on page 2–7.)
You can configure a rule either for wireless access to an SSID, or for wired access through an MX wired authentication port. If the rule is for wireless access to an SSID, specify the SSID name or specify any to match on all SSID names. If the rule is for wired access, specify wired instead of an SSID name.
If you specify multiple authentication methods in the set authentication web command, MSS
applies them in the order in which they appear in the command, with these results:
If the first method responds with pass or fail, the evaluation is final.
If the first method does not respond, MSS tries the second method, and so on.
However, if local appears first, followed by a RADIUS server group, MSS overrides any failed
searches in the local MX database and sends an authentication request to the server group.
MSS uses a WebAAA rule only under the following conditions:
The client is not denied access by 802.1X or does not support 802.1X.
The client MAC address does not match a MAC authentication rule.
The fallthru type is web-portal. (For a wireless authentication rule, the fallthru type is
specified by the set service-profile auth-fallthru command. For a wired authentication
rule, the type is specified by the auth-fall-thru option of the set port type wired-auth
command.)
Examples
The following command configures a WebAAA rule in the local MX database for SSID
ourcorp and userglob rnd*:
MX# set authentication web ssid ourcorp rnd* local
success: change accepted.
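How the order of methods in a set authentication web rule changes the outcome, traced in Python: the first method that answers pass or fail is final, a method that does not respond is skipped, and a failed local lookup placed first is forwarded to the RADIUS server group that follows it. Added example, not MSS code; the local database, the server groups srvrgrp1 and srvrgrp2, and the fail-closed result when no method answers are constructed assumptions.

```python
"""Method-chain evaluation for a 'set authentication web' rule.
Added example, not Trapeze/MSS code."""

# Constructed local user database on the MX (username -> password).
LOCAL_DB = {"alice": "Tre%Pag32!"}

# Constructed RADIUS server groups: name -> (reachable?, accounts).
RADIUS_GROUPS = {
    "srvrgrp1": (True, {"bob": "Qw3#Rt9$Yu"}),
    "srvrgrp2": (False, {"alice": "Tre%Pag32!"}),   # servers down: never answer
}


def query_method(method, username, password):
    """Return 'pass', 'fail' or None (no response), like an AAA back end."""
    if method == "local":
        return "pass" if LOCAL_DB.get(username) == password else "fail"
    if method not in RADIUS_GROUPS:
        raise ValueError(f"unknown server group {method!r}")
    reachable, accounts = RADIUS_GROUPS[method]
    if not reachable:
        return None
    return "pass" if accounts.get(username) == password else "fail"


def evaluate_web_auth(methods, username, password, query=query_method):
    """Apply the methods in the configured order; return (verdict, method)."""
    for index, method in enumerate(methods):
        result = query(method, username, password)
        if result is None:              # no response: fall through to the next
            continue
        local_first_override = (
            result == "fail" and method == "local" and index == 0
            and len(methods) > 1 and methods[1] in RADIUS_GROUPS
        )
        if local_first_override:        # failed local search goes on to RADIUS
            continue
        return result, method           # pass or fail from a method is final
    return "fail", None                 # assumption: nothing answered, deny
```

Note that ["srvrgrp1", "local"] denies alice even though the local database knows her, because the RADIUS group answers fail and that answer is final.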
See Also
clear authentication web on page 9-152
set authentication admin on page 9-164
set authentication console on page 9-165
set authentication dot1x on page 9-167
show aaa on page 9-190
set location policy
Creates and enables a location policy on an MX. A location policy enables you to locally set or
change authorization attributes for a user after the user is authorized by AAA, without making
changes to the AAA server.
Syntax
set location policy deny if {ssid operator ssid-name | time-of-day operator time-of-day | vlan operator vlan-glob | user operator user-glob | port port-list | ap ap-num | all} [before rule-number | modify rule-number]
set location policy permit {vlan vlan-name | inacl inacl-name | outacl outacl-name} if {ssid operator ssid-name | vlan operator vlan-glob | user operator user-glob | port port-list | ap ap-num | all} [before rule-number | modify rule-number]
deny  Denies access to the network to users with attributes that match the location policy rule.
permit  Allows access to the network or to a specified VLAN, and/or assigns a particular security ACL to users with attributes matching the location policy rule.
Action options—For a permit rule, MSS changes the attributes assigned to the user to the values specified by the following options:
vlan vlan-name  Name of an existing VLAN to assign to users with attributes matching the location policy rule.
inacl inacl-name  Name of an existing security ACL to apply to packets sent to the MX switch with attributes matching the location policy rule. Optionally, you can add the suffix .in to the name.
outacl outacl-name  Name of an existing security ACL to apply to packets sent from the MX switch with characteristics that match the location policy rule. Optionally, you can add the suffix .out to the name.
Condition options—MSS takes the action specified by the rule if all conditions in the rule are met. You can specify one or more of the following conditions:
ssid operator ssid-name  SSID with which the user is associated. The operator must be eq, which applies the location policy rule to all users associated with the SSID. Asterisks (wildcards) are not supported in SSID names. You must specify the complete SSID name.
time-of-day operator time-of-day  Time of day that the user is allowed or denied access to the wireless network.
eq—Defines a specific timeframe.
neq—Defines any other time than the specified timeframe.
vlan operator vlan-glob  VLAN-Name attribute assigned by AAA and condition that determines if the location policy rule applies. Replace operator with one of the following operands:
eq—Applies the location policy rule to all users assigned VLAN names matching vlan-glob.
neq—Applies the location policy rule to all users assigned VLAN names not matching vlan-glob.
For vlan-glob, specify a VLAN name, use the double-asterisk wildcard character (**) to specify all VLAN names, or use the single-asterisk wildcard character (*) to specify a set of VLAN names up to or following the first delimiter character, either an at sign (@) or a period (.). (For details, see “VLAN Globs” on page 2–8.)
user operator user-glob  Username and condition that determines if the location policy rule applies. Replace operator with one of the following operands:
eq—Applies the location policy rule to all usernames matching user-glob.
neq—Applies the location policy rule to all usernames not matching user-glob.
For user-glob, specify a username, use the double-asterisk wildcard character (**) to specify all usernames, or use the single-asterisk wildcard character (*) to specify a set of usernames up to or following the first delimiter character, either an at sign (@) or a period (.). (For details, see “User Globs” on page 2–7.)
port port-list  List of physical port(s) that determines if the location policy rule applies.
before rule-number  Inserts the new location policy rule in front of another rule in the location policy. Specify the number of the existing location policy rule. (To determine the number, use the show location policy command.)
modify rule-number  Replaces the rule in the location policy with the new rule. Specify the number of the existing location policy rule. (To determine the number, use the show location policy command.)
Defaults
By default, users are permitted VLAN access and assigned security ACLs according to the VLAN-Name and Filter-Id attributes applied to the users during normal authentication and authorization.
Access
Enabled.
History
Version 1.1 Command introduced
Version 3.2 ssid option added
Usage
Only a single location policy is allowed per MX switch. The location policy can contain up
to 150 rules. Once configured, the location policy becomes effective immediately. To disable
location policy operation, use the clear location policy command.
Conditions within a rule are AND’ed. All conditions in the rule must match in order for MSS to
take the specified action. If the location policy contains multiple rules, MSS compares the user
information to the rules one at a time, in the order the rules appear in the MX configuration file,
beginning with the rule at the top of the list. MSS continues comparing until a user matches all
conditions in a rule or until there are no more rules.
The order of rules in the location policy is important to ensure users are properly granted or
denied access. To position rules within the location policy, use before rule-number and
modify rule-number in the set location policy command, and the clear location policy
rule-number command.
When applying security ACLs:
Use inacl inacl-name to filter traffic that enters the MX from users via an MP access port or
wired authentication port, or from the network via a network port.
Use outacl outacl-name to filter traffic sent from the switch to users via an MP access port or
wired authentication port, or from the network via a network port.
You can optionally add the suffixes .in and .out to inacl-name and outacl-name so that they
match the names of security ACLs stored in the local MX database.
Examples
The following command denies network access to all users at *.theirfirm.com, causing
them to fail authorization:
MX# set location policy deny if user eq *.theirfirm.com
The following command authorizes access to the guest_1 VLAN for all users who are not at
*.wodefirm.com:
MX# set location policy permit vlan guest_1 if user neq *.wodefirm.com
The following command authorizes users at *.ny.ourfirm.com to access the bld4.tac VLAN instead,
and applies the security ACL tac_24 to the traffic they receive:
MX# set location policy permit vlan bld4.tac outacl tac_24 if user eq *.ny.ourfirm.com
The following command authorizes access to users on VLANs with names matching bld4.* and
applies security ACLs svcs_2 to the traffic they send and svcs_3 to the traffic they receive:
MX# set location policy permit inacl svcs_2 outacl svcs_3 if vlan eq bldg4.*
The following command authorizes users entering the network on MX ports 3 through 7 and
port 12 to use the floor2 VLAN, overriding any settings from AAA:
MX# set location policy permit vlan floor2 if port 3-7,12
The following command places all users who are authorized for SSID tempvendor_a into VLAN
kiosk_1:
MX# set location policy permit vlan kiosk_1 if ssid eq tempvendor_a
success: change accepted.
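A small evaluator for the rule semantics described under Usage (ordered rules, AND'ed conditions, first full match decides, no match leaves the AAA values alone), using the commands from the examples above as its rule set. Added example, not MSS code; treating a trailing asterisk in a glob as a plain prefix match, and leaving out the time-of-day and ap conditions, are assumptions.

```python
"""Evaluate 'set location policy' rules: rules are tried in order, the
conditions of a rule are AND'ed, the first rule whose conditions all match
decides (deny, or permit with its VLAN/ACL values overriding AAA's).
Added example, not Trapeze/MSS code."""

DELIMITERS = "@."

def glob_match(glob, name):
    """'**' matches every name; a leading '*' stands for the part of the
    name before its first '@' or '.', so '*.theirfirm.com' matches
    'bob.theirfirm.com' but not 'bob@theirfirm.com'."""
    if glob == "**":
        return True
    if "*" not in glob:
        return glob == name
    if glob.count("*") != 1 or (glob[0] != "*" and glob[-1] != "*"):
        raise ValueError(f"unsupported glob {glob!r}")
    if glob[0] == "*":
        first = next((i for i, ch in enumerate(name) if ch in DELIMITERS), None)
        return first is not None and name[first:] == glob[1:]
    return name.startswith(glob[:-1])   # trailing '*': prefix match (assumption)

def parse_port_list(text):
    """'3-7,12' -> {3, 4, 5, 6, 7, 12}"""
    ports = set()
    for part in text.split(","):
        low, _, high = part.partition("-")
        ports.update(range(int(low), int(high or low) + 1))
    return ports

def parse_rule(text):
    """Parse the words that follow 'set location policy' on the CLI."""
    toks = text.split()
    action = toks.pop(0)
    if action not in ("deny", "permit"):
        raise ValueError("rule must start with deny or permit")
    attrs = {}
    while action == "permit" and toks and toks[0] != "if":
        key = toks.pop(0)
        if key not in ("vlan", "inacl", "outacl"):
            raise ValueError(f"unknown permit option {key!r}")
        attrs[key] = toks.pop(0)
    if not toks or toks.pop(0) != "if":
        raise ValueError("expected 'if'")
    conds = []
    while toks:
        field = toks.pop(0)
        if field == "all":
            conds.append(("all", None, None))
        elif field == "port":
            conds.append(("port", "eq", toks.pop(0)))
        elif field in ("user", "vlan", "ssid"):
            op = toks.pop(0)
            if op not in ("eq", "neq") or (field == "ssid" and op != "eq"):
                raise ValueError(f"bad operator {op!r} for {field}")
            conds.append((field, op, toks.pop(0)))
        else:
            raise ValueError(f"unsupported condition {field!r}")
    if not conds:
        raise ValueError("a rule needs at least one condition")
    return {"action": action, "attrs": attrs, "conds": conds}

def condition_matches(cond, session):
    field, op, value = cond
    if field == "all":
        return True
    if field == "port":
        return session.get("port") in parse_port_list(value)
    if field == "ssid":                  # SSID names take no wildcards
        return session.get("ssid") == value
    actual = session.get(field)          # 'user', or the AAA VLAN-Name
    hit = actual is not None and glob_match(value, actual)
    return hit if op == "eq" else not hit

def apply_location_policy(rules, session):
    """session holds user, ssid, port and the AAA-assigned vlan/inacl/outacl.
    Returns (authorized, effective vlan/inacl/outacl)."""
    attrs = {k: session.get(k) for k in ("vlan", "inacl", "outacl")}
    for rule in rules:
        if all(condition_matches(c, session) for c in rule["conds"]):
            if rule["action"] == "deny":
                return False, attrs
            attrs.update(rule["attrs"])
            return True, attrs
    return True, attrs

# Constructed policy made from the commands in the Examples above, ordered
# so that every rule can be reached.
EXAMPLE_POLICY = [parse_rule(r) for r in (
    "deny if user eq *.theirfirm.com",
    "permit vlan bld4.tac outacl tac_24 if user eq *.ny.ourfirm.com",
    "permit inacl svcs_2 outacl svcs_3 if vlan eq bldg4.*",
    "permit vlan floor2 if port 3-7,12",
    "permit vlan kiosk_1 if ssid eq tempvendor_a",
    "permit vlan guest_1 if user neq *.wodefirm.com",
)]
```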
See Also
clear location policy on page 9-153
show location policy on page 9-201
set mac-user
Configures a user profile in the local database on the MX for a user who can authenticate by a MAC address, and optionally adds the user to a MAC user group.
(To configure a MAC user profile in RADIUS, see the documentation for your RADIUS server.)
Syntax
set mac-user mac-address-glob [group group-name]
mac-address-glob  MAC address of the user, in hexadecimal numbers separated by colons (:). You can omit leading zeros. A glob allows a group of MAC devices to authenticate, such as a group of VoIP phones. Only one asterisk is allowed and it must be the last character. The most specific format overrides other formats. For instance, 00:11:30:21:ab:cd overrides an entry of 00:11:30:*.
group-name  Name of an existing MAC user group.
Defaults
None.
Access
Enabled.
History
MSS Version 1.0 Introduced command
MSS Version 6.2 MAC glob introduced.
Usage
MSS does not require MAC users to belong to user groups.
Users authenticated by MAC address are authenticated only for network access through the MX. MSS does not support passwords for MAC users.
Examples
The following command creates a user profile for a user at MAC address 01:02:03:04:05:* and assigns the user to the eastcoasters user group:
MX# set mac-user 01:02:03:04:05:* group eastcoasters
success: change accepted.
See Also
clear mac-user on page 9-154
show aaa on page 9-190
set mac-user attr
Assigns an authorization attribute in the local database on the MX to a user authenticating with a MAC address.
(To assign authorization attributes through RADIUS, see the documentation for your RADIUS server.)
Syntax
set mac-user mac-address-glob attr attribute-name value
mac-address-glob  MAC address of the user, in hexadecimal numbers separated by colons (:). You can omit leading zeros.
attribute-name value  Name and value of an attribute used to authorize the MAC user for a particular service or session characteristic. For a list of authorization attributes and values that you can assign to local users, see Table 9–9 on page 179.
Defaults
None.
Access
Enabled.
History
Version 1.0 Command introduced
Version 1.1 Authorization attributes encryption-type and time-of-day added
Version 3.0 Authorization attributes end-date, ssid, start-date, and url added
Version 5.0 Authorization attribute acct-interim-interval added
Version 7.1 Attributes qos-profile, simultaneous-logins, and termination-action added.
Usage
To change the value of an attribute, enter set mac-user attr with the new value. To delete an attribute, use clear mac-user attr.
You can assign attributes to individual MAC users and to MAC user groups. If attributes are configured for a MAC user and also for the group the MAC user is in, the attributes assigned to the individual MAC user take precedence for that user. For example, if the start-date attribute configured for a MAC user is earlier than the start-date configured for the MAC user group for the user, the MAC user network access can begin as soon as the user start-date. The MAC user does not need to wait for the MAC user group start date.
Table 9–9. Authentication Attributes for Local Users
encryption-type
  Description: Type of encryption required for access by the client. Clients who attempt to use an unauthorized encryption method are rejected. Note: Encryption-Type is a Trapeze vendor-specific attribute (VSA). The vendor ID is 14525, and the vendor type is 3.
  Valid value(s): One of the following numbers that identifies an encryption algorithm:
  1—AES_CCM (Advanced Encryption Standard using Counter with CBC-MAC)
  2—Reserved
  4—TKIP (Temporal Key Integrity Protocol)
  8—WEP_104 (the default) (Wired-Equivalent Privacy protocol using 104 bits of key strength)
  16—WEP_40 (Wired-Equivalent Privacy protocol using 40 bits of key strength)
  32—NONE (no encryption)
  64—Static WEP
  In addition to these values, you can specify a sum of them for a combination of allowed encryption types. For example, to specify WEP_104 and WEP_40, use 24.
end-date
  Description: Date and time user access expires.
  Valid value(s): Date and time, in the following format: YY/MM/DD-HH:MM
  You can use end-date alone or with start-date. You also can use start-date, end-date, or both in conjunction with time-of-day.
filter-id (network access mode only)
  Description: Security access control list (ACL), to permit or deny traffic received (input) or sent (output) by the MX switch. (For more information about security ACLs, see “Security ACL Commands,” on page 15-391.)
  Valid value(s): Name of an existing security ACL, up to 32 alphanumeric characters, with no tabs or spaces.
  Use acl-name.in to filter traffic that enters the MX from users via an MP or wired authentication port, or from the network via a network port.
  Use acl-name.out to filter traffic sent from the MX to users via an MP port or wired authentication port, or from the network via a network port.
  Note: If the Filter-Id value returned through the authentication and authorization process does not match the name of a committed security ACL in the MX, the user fails to authorize and is unable to authenticate.
idle-timeout
  Description: This option is not implemented in the current MSS version.
mobility-profile (network access mode only)
  Description: Mobility Profile attribute for the user. (For more information, see set mobility-profile on page 9-183.) Note: Mobility-Profile is a Trapeze vendor-specific attribute (VSA). The vendor ID is 14525, and the vendor type is 2.
  Valid value(s): Name of an existing Mobility Profile, up to 32 alphanumeric characters, with no tabs or spaces.
  Note: If the Mobility Profile feature is enabled, and a user is assigned a Mobility Profile name that does not exist on the MX, the user is denied access.
qos-profile
  Description: The name of an associated QoS profile.
  Valid value(s): You must have configured a QoS profile before you can apply this attribute.
service-type
  Description: Type of access requested by the user.
  Valid value(s): One of the following numbers:
  2—Framed; for network user access
  6—Administrative; for administrative access to the MX, with authorization to access the enabled (configuration) mode. The user must enter the enable command and the correct enable password to access the enabled mode.
  7—NAS-Prompt; for administrative access to the nonenabled mode only. In this mode, the user can still enter the enable command and the correct enable password to access the enabled mode.
  For administrative sessions, the MX always sends 6 (Administrative). The RADIUS server can reply with one of the values listed above. If the service-type is not set on the RADIUS server, administrative users receive NAS-Prompt access, and network users receive Framed access.
session-timeout (network access mode only)
  Description: Maximum number of seconds for the user’s session.
  Valid value(s): Number between 0 and 4,294,967,296 seconds (approximately 136.2 years).
  Note: If the global reauthentication timeout (set by the set dot1x reauth-period command) is shorter than the session-timeout, MSS uses the global timeout instead.
simultaneous-logins
  Description: Maximum number of times a client can log onto the network.
  Valid value(s): You can configure a value from 0 to 1000.
ssid (network access mode only)
  Description: SSID accessible by the user after authentication.
  Valid value(s): Name of the SSID you want the user to use. The SSID must be configured in a service profile, and the service profile must be used by a radio profile assigned to Trapeze radios in the Mobility Domain.
start-date
  Description: Date and time at which the user becomes eligible to access the network. MSS does not authenticate the user unless the attempt to access the network occurs at or after the specified date and time, but before the end-date (if specified).
  Valid value(s): Date and time, in the following format: YY/MM/DD-HH:MM
  You can use start-date alone or with end-date. You also can use start-date, end-date, or both in conjunction with time-of-day.
termination-action
  Description: The type of action taken to terminate a client on the network.
  Valid value(s): You can select one of two options:
  0 (Default for Disconnect)
  1 (Radius-request for Re-authentication)
time-of-day (network access mode only)
  Description: Day(s) and time(s) during which the user is permitted to log into the network. After authorization, the user session can last until either the Time-Of-Day range or the Session-Timeout duration (if set) expires, whichever is shorter. Note: Time-Of-Day is a Trapeze vendor-specific attribute (VSA). The vendor ID is 14525, and the vendor type is 4.
  Valid value(s): One of the following:
  never—Access is always denied.
  any—Access is always allowed.
  al—Access is always allowed.
  One or more ranges of values that consist of one of the following day designations (required), and a time range in hhmm-hhmm 4-digit 24-hour format (optional):
  mo—Monday
  tu—Tuesday
  we—Wednesday
  th—Thursday
  fr—Friday
  sa—Saturday
  su—Sunday
  wk—Any day between Monday and Friday
  Separate values or a series of ranges (except time ranges) with commas (,) or a vertical bar (|). Do not use spaces. The maximum number of characters is 253.
  For example, to allow access only on Tuesdays and Thursdays between 10 a.m. and 4 p.m., specify the following: time-of-day tu1000-1600,th1000-1600
  To allow access only on weekdays between 9 a.m. and 5 p.m., and on Saturdays from 10 p.m. until 2 a.m., specify the following: time-of-day wk0900-1700,sa2200-0200
  (Also see the examples for set user attr on page 9-186.)
  Note: You can use time-of-day in conjunction with start-date, end-date, or both.
url (network access mode only)
  Description: URL to redirect the user after successful WebAAA.
  Valid value(s): Web URL, in standard format. For example: http://www.example.com
  Note: You must include the http:// portion.
  You can dynamically include any of the following variables in the URL string:
  $u—Username
  $v—VLAN
  $s—SSID
  $p—Service profile name
  To use the literal character $ or ?, use $$ or $q respectively.
user-name
  Description: User name to be displayed.
  Valid value(s): User name up to 80 characters; it can contain numbers and special characters.
vlan-name (network access mode only)
  Description: Virtual LAN (VLAN) assignment. Note: VLAN-Name is a Trapeze vendor-specific attribute (VSA). The vendor ID is 14525, and the vendor type is 1. Note: On some RADIUS servers, you might need to use the standard RADIUS attribute Tunnel-Pvt-Group-ID, instead of VLAN-Name.
  Valid value(s): Name of a VLAN that you want the user to use. The VLAN must be configured on an MX within the Mobility Domain to which this MX belongs.
Examples
The following command assigns input access control list (ACL) acl-03 to filter packets
from a user at MAC address 01:02:03:04:05:06:
MX# set mac-user 01:02:03:04:05:06 attr filter-id acl-03.in
success: change accepted.
The following command restricts a user at MAC address 06:05:04:03:02:01 to network access
between 7 p.m. on Mondays and Wednesdays and 7 a.m. on Tuesdays and Thursdays:
MX# set mac-user 06:05:04:03:02:01 attr time-of-day mo1900-1159,tu0000-0700,we1900-1159,th0000-0700
success: change accepted.
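A parser and checker for the time-of-day attribute format from Table 9–9, exercised on the values used in the table and in the example above. Added example, not MSS code; inclusive range ends, a range whose end is earlier than its start (sa2200-0200) running past midnight into the following day, and reading the table's "al" as "all" are assumptions.

```python
"""Parse and evaluate the MSS time-of-day authorization attribute: day
codes mo..su and wk, an optional hhmm-hhmm range, items separated by ','
or '|', no spaces, at most 253 characters. Added example, not MSS code."""

import re
from datetime import datetime

DAY_CODES = {"mo": 0, "tu": 1, "we": 2, "th": 3, "fr": 4, "sa": 5, "su": 6}
ITEM_RE = re.compile(r"^(mo|tu|we|th|fr|sa|su|wk)(?:(\d{4})-(\d{4}))?$")
MAX_LENGTH = 253


def _minutes(hhmm):
    hours, mins = int(hhmm[:2]), int(hhmm[2:])
    if hours > 23 or mins > 59:
        raise ValueError(f"invalid time {hhmm!r}")
    return hours * 60 + mins


def parse_time_of_day(value):
    """Return ('never' | 'any' | 'ranges', windows) where each window is
    (weekday, first_minute, last_minute) with Monday = 0."""
    if len(value) > MAX_LENGTH:
        raise ValueError("time-of-day exceeds 253 characters")
    if " " in value:
        raise ValueError("spaces are not allowed in time-of-day")
    if value == "never":
        return "never", []
    if value in ("any", "all", "al"):        # 'al' read as 'all' (assumption)
        return "any", []
    windows = []
    for item in re.split(r"[,|]", value):
        match = ITEM_RE.match(item)
        if not match:
            raise ValueError(f"invalid time-of-day item {item!r}")
        day, start, end = match.groups()
        days = range(0, 5) if day == "wk" else [DAY_CODES[day]]
        if start is None:                     # day code alone: the whole day
            first, last = 0, 23 * 60 + 59
        else:
            first, last = _minutes(start), _minutes(end)
        windows.extend((d, first, last) for d in days)
    return "ranges", windows


def access_allowed(value, when):
    """when: ISO 8601 timestamp such as '2024-01-13T23:30'. Ends are
    inclusive; a window with last < first wraps into the next day."""
    kind, windows = parse_time_of_day(value)
    if kind != "ranges":
        return kind == "any"
    moment = datetime.fromisoformat(when)
    weekday, minute = moment.weekday(), moment.hour * 60 + moment.minute
    for day, first, last in windows:
        if first <= last:                                  # same-day window
            if day == weekday and first <= minute <= last:
                return True
        else:                                              # wraps past midnight
            if day == weekday and minute >= first:
                return True
            if (day + 1) % 7 == weekday and minute <= last:
                return True
    return False
```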
See Also
clear mac-user attr on page 9-154
show aaa on page 9-190
set mac-usergroup attr
Creates a user group in the local database on the MX for users authenticated by a MAC address,
and assigns authorization attributes for the group.
(To configure a user group and assign authorization attributes through RADIUS, see the
documentation for your RADIUS server.)
Syntax
set mac-usergroup group-name attr attribute-name value
group-name  Name of a MAC user group. Specify a name of up to 32 alphanumeric characters, with no spaces. The name must begin with an alphabetic character.
attribute-name value  Name and value of an attribute used to authorize all MAC users in the group for a particular service or session characteristic. (For a list of authorization attributes, see Table 9–9 on page 179.)
Defaults
None.
Access
Enabled.
History
Introduced in MSS 1.0.
Usage
To change the value of an attribute, enter set mac-usergroup attr with the new value. To delete an attribute, use clear mac-usergroup attr.
You can assign attributes to individual MAC users and to MAC user groups. If attributes are configured for a MAC user and also for the group of the MAC user, the attributes assigned to the individual MAC user take precedence for that user. For example, if the start-date attribute configured for a MAC user is earlier than the start-date configured for the MAC user group, the MAC user network access can begin as soon as the user start-date. The MAC user does not need to wait for the MAC user group start date.
Table 9–9. Authentication Attributes for Local Users (continued)
acct-interim-interval
  Description: Interval in seconds between accounting updates, if start-stop accounting mode is enabled.
  Valid value(s): Number between 180 and 3,600 seconds, or 0 to disable periodic accounting updates. The MX ignores the acct-interim-interval value and issues a log message if the value is below 60 seconds.
  Note: If both a RADIUS server and the MX supply a value for the acct-interim-interval attribute, then the value from the MX takes precedence.
Examples
The following command creates the MAC user group eastcoasters and assigns the group
members to VLAN orange:
MX# set mac-usergroup eastcoasters attr vlan-name orange
success: change accepted.
See Also
clear mac-usergroup attr on page 9-156
show aaa on page 9-190
set mobility-profile
Creates a Mobility Profile and specifies the MP and/or wired authentication ports on the MX
through which any user assigned to the profile is allowed access.
Syntax
set mobility-profile name name {port {none | all | port-list}} | {ap {none | all | apnum}}
name  Name of the Mobility Profile. Specify up to 32 alphanumeric characters, with no spaces.
none  Prevents any user to whom this profile is assigned from accessing any MP access point or wired authentication port on the MX switch.
all  Allows any user to whom this profile is assigned to access all MP access ports and wired authentication ports on the MX switch.
port-list  List of MP access ports or wired authentication ports through which any user assigned this profile is allowed access. The same port can be used in multiple Mobility Profile port lists.
ap-num  List of MP connections through which any user assigned this profile is allowed access. The same MP can be used in multiple Mobility Profile port lists.
Defaults
No default Mobility Profile exists on the MX. If you do not assign Mobility Profile attributes, all users have access through all ports, unless denied access by other AAA servers or by access control lists (ACLs).
Access
Enabled.
History
Version 1.0 Command introduced
Version 2.0 Option dap added for Distributed MPs
Usage
To assign a Mobility Profile to a user or group, specify it as an authorization attribute in one of the following commands:
set user attr mobility-profile name
set usergroup attr mobility-profile name
set mac-user attr mobility-profile name
set mac-usergroup attr mobility-profile name
To enable the use of the Mobility Profile feature on the MX switch, use the set mobility-profile
mode command.
To change the ports in a profile, use set mobility-profile again with the updated port list.
Examples
The following commands create the Mobility Profile magnolia, which restricts user
access to port 12; enable the Mobility Profile feature on the MX switch; and assign the magnolia
Mobility Profile to user Jose.
MX# set mobility-profile name magnolia port 12
success: change accepted.
MX# set mobility-profile mode enable
success: change accepted.
MX# set user Jose attr mobility-profile magnolia
success: change accepted.
The following command adds port 13 to the magnolia Mobility Profile (which is already assigned
to port 12):
MX# set mobility-profile name magnolia port 12-13
success: change accepted.
See Also
clear mobility-profile on page 9-156
set mac-user attr on page 9-178
set mac-usergroup attr on page 9-182
set mobility-profile mode on page 9-184
set user attr on page 9-186
set usergroup on page 9-188
show mobility-profile on page 9-201
set mobility-profile mode
Enables or disables the Mobility Profile feature on the MX switch.
Syntax
set mobility-profile mode {enable | disable}
enable  Enables the use of the Mobility Profile feature on the MX.
disable  Specifies that all Mobility Profile attributes are ignored by the MX.
Defaults
The Mobility Profile feature is disabled by default.
Access
Enabled.
Warning! When the Mobility Profile feature is enabled, a user is denied access if assigned a Mobility-Profile attribute in the local MX database or RADIUS server when no Mobility Profile of that name exists on the MX.
History
Introduced in MSS 1.0.
Examples
To enable the use of the Mobility Profile feature, type the following command:
MX# set mobility-profile mode enable
success: change accepted.
See Also
clear mobility-profile on page 9-156
set mobility-profile on page 9-183
show mobility-profile on page 9-201
set user
Configures a user profile in the local database on the MX for a user with a password.
(To configure a user profile in RADIUS, see the documentation for your RADIUS server.)
Syntax
set user username password [encrypted] string
username  Username of a user with a password.
password string  Password of up to 32 alphanumeric characters, with no spaces.
encrypted  Indicates that the password string you entered is already in its encrypted form. If you use this option, MSS does not encrypt the displayed form of the password string, and instead displays the string exactly as you entered it. If you omit this option, MSS does encrypt the displayed form of the string.
Defaults
None.
Access
Enabled.
History
Introduced in MSS 1.0.
Usage
The show config command shows the encrypted option with this command, even when you omit the option. The encrypted option appears in the configuration because MSS automatically encrypts the password when you create the user (unless you use the encrypted option when you enter the password).
Although MSS allows you to configure a user password for the special “last-resort” guest user, the password has no effect. Last-resort users can never access an MX in administrative mode and never require a password.
The only valid username of the form last-resort-* is last-resort-wired. The last-resort-wired user allows last-resort access on a wired authentication port.
Examples
The following command creates a user profile for user Nin in the local database, and assigns the password goody:
MX# set user Nin password goody
success: User Nin created
The following command assigns the password chey3nne to the admin user:
MX# set user admin password chey3nne
success: User admin created
The following command changes the password for Nin from goody to 29Jan04:
MX# set user Nin password 29Jan04
See Also
clear user on page 9-157
show aaa on page 9-190
set user attr
Configures an authorization attribute in the local database on the MX for a user with a password.
(To assign authorization attributes in RADIUS, see the documentation for your RADIUS server.)
Syntax
set user username attr attribute-name value
Defaults
None.
Access
Enabled.
History
Introduced in MSS 1.0.
Usage
To change the value of an attribute, enter set user attr with the new value. To delete an
attribute, use clear user attr.
You can assign attributes to individual users and to user groups. If an attribute is configured for a
user and also for the group the user belongs to, the value assigned to the individual user takes
precedence for that user. For example, if the start-date attribute configured for a user is earlier
than the start-date configured for the user group the user is in, the user has network access as
soon as the user start-date is reached. The user does not need to wait for the user group start date.
Examples
The following command assigns user Tamara to VLAN orange:
MX# set user Tamara attr vlan-name orange
success: change accepted.
The following command assigns Tamara to the Mobility Profile tulip.
MX# set user Tamara attr mobility-profile tulip
success: change accepted.
The following command limits the days and times when user Student1 can access the network, to
5 p.m. to 2 a.m. every weekday, and all day Saturday and Sunday:
MX# set user Student1 attr time-of-day Wk1700-0200,Sa,Su
success: change accepted.
username Username of a user with a password.
attribute-name value Name and value of an attribute you are using to
authorize the user for a particular service or session
characteristic. For a list of authorization attributes and
values that you can assign to network users, see
Table 9– 9 on page 179.
MSS Version 1.0 Command introduced.
MSS Version 7.0 The following attributes were added:
simultaneous-logins—range from 0 (none) to 1000.
termination-actions—select 0 (terminate session when it
expires) or 1 (re-authenticate by sending a request to the
RADIUS server).
user-name—type the username to display in the session
information.
See Also
clear user attr on page 9-157
show aaa on page 9-190
set user expire-password-in
Specifies how long a user’s password is valid before it must be reset.
Syntax
set user username expire-password-in time
Defaults
By default, user passwords do not expire.
Access
Enabled.
History
Introduced in MSS 6.0.
Usage
Use this command to specify how long a specified user’s password is valid. After this
amount of time, the user’s password expires, and a new password will have to be set.
Examples
The following command sets user Student1’s password to be valid for 30 days:
MX# set user Student1 expire-password-in 30
success: change accepted.
See Also
clear user lockout on page 9-158
set authentication minimum-password-length on page 9-172
set authentication password-restrict on page 9-172
set user on page 9-185
set user group
Adds a user to a user group. The user must have a password and a profile that exists in the local
database on the MX.
(To configure a user in RADIUS, see the documentation for your RADIUS server.)
Syntax
set user username group group-name
Defaults
None.
Access
Enabled.
History
Introduced in MSS 1.0.
Usage
MSS does not require users to belong to user groups.
To create a user group, use the command set usergroup.
username Username of a user with a password.
time How long the specified user’s password is valid. The
amount of time can be specified in days (for example, 30
or 30d), hours (720h), or a combination of days and hours
(30d12h).
username Username of a user with a password.
group-name Name of an existing user group for password users.
Examples
The following command adds user Hosni to the cardiology user group:
MX# set user Hosni group cardiology
success: change accepted.
See Also
clear user group on page 9-158
show aaa on page 9-190
set usergroup
Creates a user group in the local database on the MX for users and assigns authorization
attributes for the group.
(To create user groups and assign authorization attributes in RADIUS, see the documentation for
your RADIUS server.)
Syntax
set usergroup group-name attr attribute-name value
Defaults
None.
Access
Enabled.
History
Usage
To change the value of an attribute, enter set usergroup attr with the new value. To
delete an attribute, use clear usergroup attr.
To add a user to a group, use the command set user group.
You can assign attributes to individual users and to user groups. If an attribute is configured for a
user and also for the group the user belongs to, the value assigned to the individual user takes
precedence for that user. For example, if the start-date attribute configured for a user is earlier
than the start-date configured for the user group the user belongs to, network access for the user can
begin as soon as the user start-date is reached. The user does not need to wait for the user group start date.
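The precedence rule above (the same rule is stated under set user attr) and the expire-password-in time syntax, worked through in Python as an added example. This is not MSS code; the sample users and groups are constructed from the page's own examples, and the start-date values are invented for illustration.

```python
import re

# Constructed sample of a local-database configuration, using the attribute
# names and values from the set user attr / set usergroup examples on this page.
USERGROUPS = {
    "cardiology": {
        "vlan-name": "crimson",
        "mobility-profile": "tulip",
        "start-date": "02/01/10-08:00",   # constructed value
    },
}
USERS = {
    # Tamara overrides the group's VLAN and has an earlier start-date.
    "Tamara": {"group": "cardiology",
               "attrs": {"vlan-name": "orange", "start-date": "01/15/10-08:00"}},
    # Hosni sets nothing himself, so every attribute comes from the group.
    "Hosni": {"group": "cardiology", "attrs": {}},
    # Student1 belongs to no group; only personal attributes apply.
    "Student1": {"group": None,
                 "attrs": {"time-of-day": "Wk1700-0200,Sa,Su"}},
}


def effective_attributes(username, users=USERS, groups=USERGROUPS):
    """Attributes MSS would apply to the user: start from the group's attributes
    (if any) and let every attribute set on the user itself take precedence."""
    user = users[username]
    merged = dict(groups.get(user["group"]) or {})
    merged.update(user["attrs"])
    return merged


def user_overrides(username, users=USERS, groups=USERGROUPS):
    """Attributes where the user's own value differs from the group's value.
    Useful when auditing a configuration: these are the places where a single
    user's authorization (VLAN, Mobility Profile, dates) diverges from the group."""
    user = users[username]
    group_attrs = groups.get(user["group"]) or {}
    return {name: (group_attrs[name], value)
            for name, value in user["attrs"].items()
            if name in group_attrs and group_attrs[name] != value}


# expire-password-in accepts days ("30" or "30d"), hours ("720h"),
# or both ("30d12h"); a bare number means days.
_TIME_SPEC = re.compile(r"^(?:(\d+)d)?(?:(\d+)h)?$")


def expire_password_in_hours(spec):
    """Normalize an expire-password-in time value to a number of hours."""
    if spec.isdigit():
        return int(spec) * 24
    m = _TIME_SPEC.match(spec)
    if not spec or not m:
        raise ValueError(f"invalid expire-password-in value: {spec!r}")
    days, hours = (int(x) if x else 0 for x in m.groups())
    return days * 24 + hours
```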
Examples
The following command adds the user group cardiology to the local database and
assigns all the group members to VLAN crimson:
MX# set usergroup cardiology attr vlan-name crimson
success: change accepted.
See Also
clear usergroup on page 9-159
clear usergroup attr on page 9-159
group-name Name of a group for password users. Specify a name of up to
32 alphanumeric characters, with no spaces. The name must begin
with an alphabetic character.
attribute-name value Name and value of an attribute you are using to authorize all users in
the group for a particular service or session characteristic. For a list of
authorization attributes and values that you can assign to users, see
Table 9– 9 on page 179.
MSS Version 1.0 Command introduced.
MSS Version 7.0 The following attributes were added:
simultaneous-logins—range from 0 (none) to 1000.
termination-actions—select 0 (terminate session when it expires) or 1
(re-authenticate by sending a request to the RADIUS server).
user-name—type the username to display in the session information.
show aaa on page 9-190
set usergroup expire-password-in
Specifies how long the passwords for the users in a user group are valid before they must be reset.
Syntax
set usergroup group-name expire-password-in time
Defaults
By default, user passwords do not expire.
Access
Enabled.
History
Introduced in MSS 6.0.
Usage
Use this command to specify how long the passwords for the users in a group are valid.
After this amount of time, the passwords expire, and must be reset.
Examples
The following command sets the passwords for the users in user group cardiology to be
valid for 30 days:
MX# set usergroup cardiology expire-password-in 30
success: change accepted.
See Also
clear user lockout on page 9-158
set authentication minimum-password-length on page 9-172
set authentication password-restrict on page 9-172
set user on page 9-185
set web-portal
Globally enables or disables WebAAA on an MX.
Syntax
set web-portal {enable | disable}
Defaults
Enabled.
Access
Enabled.
History
Usage
This command disables or reenables support for WebAAA. However, WebAAA has
additional configuration requirements. For information, see the “Configuring AAA for Network
Users” chapter in the Trapeze Mobility System Software Configuration Guide.
group-name Name of a group for password users.
time How long the passwords for the users in the specified
group are valid. The amount of time can be specified in
days (for example, 30 or 30d), hours (720h), or a
combination of days and hours (30d12h).
enable Enables WebAAA on the switch.
disable Disables WebAAA on the switch.
Version 3.0 Command introduced.
Version 4.0 Command name changed from set web-aaa to set
web-portal, to match change to portal-based
implementation.
Examples
To disable WebAAA, type the following command:
MX# set web-portal disable
success: change accepted.
See Also
clear authentication web on page 9-152
set service-profile [rsn-id | wpa-ie] auth-fallthru on page 12-287
set user on page 9-185
show aaa
Deprecated command.
Syntax
show aaa
Defaults
None.
Access
Enabled.
History
show mac-user
Displays a summary or verbose status relating to a specific MAC user or all MAC users.
Syntax
show mac-user [mac-glob|verbose]
Defaults
None
Access
Enabled
History
Version 1.0 Command introduced
Version 4.0 Web Portal section added, to indicate the state of the
WebAAA feature
Version 6.2 Deprecated
mac-glob
Displays MAC addresses based on the MAC format
verbose
Displays all MAC user information
Version 6.2 Command introduced
Examples
To display all MAC users, type the following command:
MX# show mac-user [<mac-glob>|verbose]
MX# show mac-user
MAC                Group     VLAN
----------------   --------  -------
00:11:11:21:11:12  Guests    insecure
00:11:11:21:11:*   Guests    red

MX# show mac-user 00:11:11:21:11:12
MAC                Group     VLAN
----------------   --------  -------
00:11:11:21:11:12  Guests    insecure
MX# show mac-user verbose
MAC: 00:11:11:21:12
Group: Guests
VLAN insecure
Other attributes:
ssid: trapeze
end-date: 01/08/23-12:00
idle-timeout: 120
acct-interim-interval: 180
MAC: 00:11:11:21:*
Group: Guests
VLAN insecure
Other attributes:
ssid: trapeze
end-date: 01/08/23-12:00
idle-timeout: 120
acct-interim-interval: 180
MX# show mac-user 00:11:11:21:11* verbose
Table 9– 14 describes the fields that can appear in the show mac-user output.
show mac-usergroup
Displays summary status for all MAC usergroups or verbose status for a specific MAC usergroup.
Syntax
show mac-usergroup [mac-ug-name|verbose]
Defaults
None
Access
Enabled
MAC: 00:11:11:21:*
Group: Guests
VLAN insecure
Other attributes:
ssid: trapeze
end-date: 01/08/23-12:00
idle-timeout: 120
acct-interim-interval: 180
Table 9– 10. show mac-user output
Field Description
MAC MAC address
Group Member of a configured group
VLAN Current VLAN of the MAC user
Other attributes Other AAA attributes
ssid Current SSID configured for the MAC user
end-date The expiration date of the MAC user
idle-timeout Number of seconds the user is idle before the connection is lost.
acct-interim-interval Interval in seconds between accounting updates, if start-stop accounting mode is enabled.
mac-ug-name Configured usergroup name
verbose Detailed information about a MAC usergroup
History
Introduced in MSS Version 6.2
Examples
The following command displays information about MAC usergroups:
MX# show mac-usergroup [<mac-ug-name>|verbose]
MX# show mac-usergroup Guests
MAC users in this group:
MX# show mac-usergroup Admin
No MAC users in this group.
Table 9– 11 describes the fields that can appear in the show mac-usergroup output.
MAC Usergroup       Users Mapped    VLAN      Other Attr.
                    to Group                  of Group
------------------  --------------  ------    -----------
Admin               0               red       3
Guests              2               insecure  4

MAC Usergroup: Guests2
VLAN: blue
Other attributes:
ssid: trapeze
end-date: 01/08/23-12:00
idle-timeout: 120
acct-interim-interval: 180
MAC                VLAN
------------       --------
00:11:11:21:11:12  insecure
00:11:11:21:11:*   red

MAC Usergroup: Admin
VLAN: red
Other attributes:
ssid: trapeze
idle-timeout: 120
acct-interim-interval: 180
Table 9– 11. show mac-usergroup output
Field Description
MAC Usergroup List of the configured MAC Usergroups
Users Mapped to Group The number of users configured in each group
VLAN The VLAN configured for a usergroup
Other attr of the group The number of configured attributes for the group
show user
Displays a summary of users configured on the MX. For user globs, wildcards (*) are allowed at the
beginning or end of the string.
Syntax
show user [name-glob|verbose]
Defaults
None
Access
Enabled
History
Introduced in MSS 6.2.
Examples
Use the following command to display information about configured users on the MX.
MX# show user john* verbose
MX# show user *john*
MAC MAC address
Group Member of a configured group
VLAN Current VLAN of the MAC user
Other attributes Other AAA attributes
ssid Current SSID configured for the MAC user
end-date The expiration date of the MAC user
idle-timeout Number of seconds the user is idle before the connection is lost.
acct-interim-interval Interval in seconds between accounting updates, if start-stop accounting mode is enabled.
name-glob
The name of configured user or user glob
verbose
Displays details about users
User Name       Status        Group     VLAN
--------------  ------------  --------  -------
johndoe         disabled      Admin     red
johnsmith       enabled       Admin     red
guest_access    disabled      Guests    red

User Name       Status        Group     VLAN
--------------  ------------  --------  -------
johndoe         disabled      Admin     red
johnsmith       enabled       Admin     red
MX# show user verbose
MX# show user *john* verbose
User name: johndoe
Status: disabled
Password: iforgot(encypted)
Group: Admin
VLAN: red
Password-expires-in: 12 days
Other attributes:
ssid: trapeze
end-date: 01/08/23-12:00
idle-timeout: 120
acct-interim-interval: 180
User name: johnsmith
Status: enabled
Password: iforgot2(encypted)
Group: Admin
VLAN: red
Password-expires-in: 12 days
Other attributes:
None
User name: guest_access
Status: disabled
Password: iforgot3(encypted)
Group: Admin
VLAN: red
Password-expires-in: 5 days
Other attributes:
ssid: trapeze1
end-date: 01/08/20-9:00
idle-timeout: 100
acct-interim-interval: 600
User name: johndoe
Status: disabled
Password: iforgot(encypted)
Group: Admin
VLAN: red
Password-expires-in: 12 days
Other attributes:
ssid: trapeze
end-date: 01/08/23-12:00
Table 9– 12 describes the fields that can appear in show user output.
show usergroup
Displays summary status for a single user group or all user groups.
Syntax
show usergroup ug-name
Defaults
None
Access
Enabled
History
Command introduced in MSS 6.2
idle-timeout: 120
acct-interim-interval: 180
User name: johnsmith
Status: enabled
Password: iforgot2(encypted)
Group: Admin
VLAN: red
Password-expires-in: 12 days
Other attributes:
None
Table 9– 12. show user Output
Field Description
User Name Name configured for a user on the MX.
Status Current condition of the client:
Enabled—
Disabled
Password Displays a user’s password and if it is encrypted or not.
Group Name of a usergroup if configured
VLAN The name of the VLAN configured for the user.
Password-expires-in The length of time, in days, before a user’s password expires.
Other attributes Additional attributes configured for user.
Examples
MX# show usergroup [<ug-name>]
MX# show usergroup Admin
Users in this group:
MX# show usergroup Guests2
No users in this group.
Table 9– 13 describes the fields that can appear in the show usergroup output.
Usergroup           Users Mapped    VLAN    Other Attr.
                    to Group                of Group
------------------  --------------  ------  -----------
Admin               2               red     4
Guests              1               red     2
Guests2             0               blue    0

Usergroup: Admin
VLAN: red
Password-expires-in: 12 days
Other attributes:
ssid: trapeze
end-date: 01/08/23-12:00
idle-timeout: 120
acct-interim-interval: 180
User Name     VLAN
------------  --------
johndoe       red
johnsmith     red

Usergroup: Guests2
VLAN: blue
Other attributes:
None
Table 9– 13. show usergroup Output
Field Description
Usergroup All usergroups configured on the MX.
Users Mapped to Group Number of users mapped to a single group.
VLAN The VLAN configured for the usergroup.
Other Attr of Group Number of attributes configured for each group.
Password-expires-in The length of time, in days, that the password is valid.
Other attributes: Displayed for single usergroup
SSID The SSID configured for the usergroup.
See Also
set accounting {admin | console} on page 9-160
set authentication admin on page 9-164
set authentication console on page 9-165
set authentication dot1x on page 9-167
set authentication mac on page 9-170
set authentication web on page 9-174
show accounting statistics
Displays the AAA accounting records for wireless users. The records are stored in the local
database on the MX.
(To display RADIUS accounting records, see the documentation for your RADIUS server.)
Syntax
show accounting statistics
Defaults
None.
Access
Enabled.
History
Examples
To display the locally stored accounting records, type the following command:
MX# show accounting statistics
Dec 14 00:39:48
Acct-Status-Type=STOP
Acct-Authentic=0
Acct-Multi-Session-Id=SESS-3-01f82f-520236-24bb1223
end-date The date and time that the usergroup is no longer valid.
idle-timeout The length of time, in seconds, that a user can be idle before logging out of the
network.
acct-interim-interval Interval in seconds between accounting updates, if start-stop accounting mode is enabled.
Users in this group: All users configured in the usergroup
User Name Configured user names in this group
VLAN Assigned VLAN for each user.
Table 9– 14. show mac-user Output
Field Description
MAC MAC address of the user
Group The user group for the MAC-user
VLAN The VLAN assigned to the mac-user
Version 1.0 Command introduced
Version 4.2 Formatting of output enhanced for readability
Acct-Session-Id=SESS-3-01f82f-520236-24bb1223
User-Name=vineet
AAA_ACCT_SVC_ATTR=2
Acct-Session-Time=551
Event-Timestamp=1134520788
Acct-Output-Octets=3204
Acct-Input-Octets=1691
Acct-Output-Packets=20
Acct-Input-Packets=19
AAA_VLAN_NAME_ATTR=default
Calling-Station-Id=00-06-25-12-06-38
Nas-Port-Id=3/1
Called-Station-Id=00-0B-0E-00-CC-01
AAA_SSID_ATTR=vineet-dot1x
Dec 14 00:39:53
Acct-Status-Type=START
Acct-Authentic=0
User-Name=vineet
Acct-Multi-Session-Id=SESS-4-01f82f-520793-bd779517
Acct-Session-Id=SESS-4-01f82f-520793-bd779517
Event-Timestamp=1134520793
AAA_ACCT_SVC_ATTR=2
AAA_VLAN_NAME_ATTR=default
Calling-Station-Id=00-06-25-12-06-38
Nas-Port-Id=3/1
Called-Station-Id=00-0B-0E-00-CC-01
AAA_SSID_ATTR=vineet-dot1x
Table 9– 15 describes the fields that can appear in show accounting statistics output.
Table 9– 15. show accounting statistics Output
Field Description
Date and time Date and time of the accounting record.
Acct-Status-Type Type of accounting record:
START
STOP
UPDATE
Acct-Authentic Location where the user was authenticated (if
authentication took place) for the session:
1—RADIUS server
2—Local MX database
User-Name Username of a user with a password.
Acct-Multi-Session-Id Unique accounting ID for multiple related sessions in a
log file.
AAA_TTY_ATTR For sessions conducted through a console or
administrative Telnet connection, the Telnet terminal
number.
Event-Timestamp Time (in seconds since January 1, 1970) at which the
event was triggered. (See RFC 2869 for more
information.)
Acct-Session-Time Number of seconds that the session has been online.
Acct-Output-Octets Number of octets the MX sent during the session.
Acct-Input-Octets Number of octets the MX received during the session.
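To turn this output into something a reviewer can query, here is an added Python example (not MSS code) that parses the record format shown above into dictionaries, totals the STOP records per client MAC, and lists sessions that have a START but no STOP in the captured text. The sample input is the page's own two records, embedded as a constructed string.

```python
import re

# Constructed sample: the two records from the show accounting statistics example
# on this page (one STOP, one START for the same client).
SAMPLE_OUTPUT = """\
Dec 14 00:39:48
Acct-Status-Type=STOP
Acct-Authentic=0
Acct-Multi-Session-Id=SESS-3-01f82f-520236-24bb1223
Acct-Session-Id=SESS-3-01f82f-520236-24bb1223
User-Name=vineet
AAA_ACCT_SVC_ATTR=2
Acct-Session-Time=551
Event-Timestamp=1134520788
Acct-Output-Octets=3204
Acct-Input-Octets=1691
Acct-Output-Packets=20
Acct-Input-Packets=19
AAA_VLAN_NAME_ATTR=default
Calling-Station-Id=00-06-25-12-06-38
Nas-Port-Id=3/1
Called-Station-Id=00-0B-0E-00-CC-01
AAA_SSID_ATTR=vineet-dot1x
Dec 14 00:39:53
Acct-Status-Type=START
Acct-Authentic=0
User-Name=vineet
Acct-Multi-Session-Id=SESS-4-01f82f-520793-bd779517
Acct-Session-Id=SESS-4-01f82f-520793-bd779517
Event-Timestamp=1134520793
AAA_ACCT_SVC_ATTR=2
AAA_VLAN_NAME_ATTR=default
Calling-Station-Id=00-06-25-12-06-38
Nas-Port-Id=3/1
Called-Station-Id=00-0B-0E-00-CC-01
AAA_SSID_ATTR=vineet-dot1x
"""

# A record starts with a "Mon DD HH:MM:SS" line and continues with Attribute=Value lines.
_TS_RE = re.compile(r"^[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}$")
_INT_FIELDS = {"Acct-Authentic", "Acct-Session-Time", "Event-Timestamp",
               "Acct-Output-Octets", "Acct-Input-Octets",
               "Acct-Output-Packets", "Acct-Input-Packets"}


def parse_accounting(text):
    """Split show accounting statistics output into one dict per record."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if _TS_RE.match(line):
            current = {"Date and time": line}
            records.append(current)
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key] = int(value) if key in _INT_FIELDS else value
        else:
            raise ValueError(f"unexpected line in accounting output: {line!r}")
    return records


def per_client_summary(records):
    """Per Calling-Station-Id totals from STOP records: session count, seconds
    online and octets in each direction, for cross-checking usage per client."""
    summary = {}
    for rec in records:
        if rec.get("Acct-Status-Type") != "STOP":
            continue
        s = summary.setdefault(rec["Calling-Station-Id"],
                               {"sessions": 0, "seconds": 0,
                                "octets_in": 0, "octets_out": 0})
        s["sessions"] += 1
        s["seconds"] += rec.get("Acct-Session-Time", 0)
        s["octets_in"] += rec.get("Acct-Input-Octets", 0)
        s["octets_out"] += rec.get("Acct-Output-Octets", 0)
    return summary


def open_sessions(records):
    """Session IDs with a START but no matching STOP in the captured output."""
    started, stopped = set(), set()
    for rec in records:
        sid = rec.get("Acct-Session-Id")
        if rec.get("Acct-Status-Type") == "START":
            started.add(sid)
        elif rec.get("Acct-Status-Type") == "STOP":
            stopped.add(sid)
    return started - stopped
```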
See Also
clear accounting on page 9-148
set accounting {admin | console} on page 9-160
show aaa on page 9-190
show location policy
Displays the list of location policy rules that make up the location policy on an MX.
Syntax
show location policy
Defaults
None.
Access
Enabled.
History
Introduced in MSS Version 1.1.
Examples
The following command displays the list of location policy rules in the location policy on
an MX:
MX# show location policy
Id Clauses
----------------------------------------------------------------
1) deny if user eq *.theirfirm.com
2) permit vlan guest_1 if vlan neq *.wodefirm.com
3) permit vlan bld4.tac inacl tac_24.in if user eq *.ny.wodefirm.com
See Also
clear location policy on page 9-153
set location policy on page 9-175
show mobility-profile
Displays the named Mobility Profile. If you do not specify a Mobility Profile name, this command
shows all Mobility Profile names and port lists on the MX.
Syntax
show mobility-profile [name]
Defaults
None.
Access
Enabled.
Acct-Output-Packets Number of packets the MX sent during the session.
Acct-Input-Packets Number of packets the MX received during the session.
Vlan-Name Name of the client VLAN.
Calling-Station-Id MAC address of the supplicant (client).
Nas-Port-Id Number of the port and radio on the MP through which
the session was conducted.
Called-Station-Id MAC address of the MP through which the client reached
the network.
name Name of an existing Mobility Profile.
History
Examples
The following command displays the Mobility Profile magnolia:
MX# show mobility-profile magnolia
Mobility Profiles
Name Ports
=========================
magnolia AP 12
See Also
clear mobility-profile on page 9-156
set mobility-profile on page 9-183
Version 1.0 Command introduced
Version 2.0 Port type description added:
AP—MP access port
DAP—Distributed MP connection
Mobility Domain Commands 10 – 203
10
Mobility Domain Commands
Use Mobility Domain commands to configure and manage Mobility Domain groups.
A Mobility Domain is a system of MXs and MPs working together to support a roaming user
(client). One MX acts as a seed MX, which maintains and distributes a list of IP addresses of the
domain members.
Smart Cluster is a network resiliency feature added in MSS 7.0. It has the following features:
Centralized configuration of MXs and MPs.
Autodistribution of configuration parameters to MPs.
“Hitless” failover on the network if an MX is unavailable.
Automatic load balancing of MPs across any MXs in the cluster.
This chapter presents Mobility Domain commands alphabetically. Use the following table to
locate commands in this chapter based on their use.
Note:
The number of MPs supported on a cluster member is limited to the number
supported on an MX. It is recommended to use larger capacity MXs, such as
MX-200s, MX-216s, or MX-2800s in your configuration to obtain the maximum
benefits of cluster configuration.
Note:
Trapeze Networks recommends that you run the same MSS version on all the MX
switches in a Mobility Domain and Smart Cluster.
Mobility Domain
set mobility-domain mode seed domain-name on page 10-210
set domain security on page 10-206
set mobility-domain ap-affinity-group on page 10-207
set mobility-domain member on page 10-207
set mobility-domain mode member seed-ip on page 10-208
show mobility-domain on page 10-212
show mobility-domain config on page 10-212
clear mobility-domain ap-affinity-group on page 10-204
clear mobility-domain member on page 10-205
clear domain security on page 10-204
clear mobility-domain on page 10-204
Virtual Controller Cluster
load configuration cluster on page 10-205
set cluster mode on page 10-205
set cluster preempt on page 10-206
clear domain security
Disables MX-MX security.
Syntax
clear domain security
Defaults
None.
Access
Enabled.
History
Introduced in MSS 5.0.
Usage
This command is equivalent to the set domain security none command.
Examples
The following command disables MX-MX security on an MX:
MX-20# clear domain security
success: change accepted.
clear mobility-domain
Clears all Mobility Domain configuration and information from an MX, regardless of whether the
MX is a seed or a member of a Mobility Domain.
Syntax
clear mobility-domain
Defaults
None.
Access
Enabled.
History
Introduced in MSS 1.0.
Usage
This command has no effect if the MX is not configured as part of a Mobility Domain.
Examples
To clear a Mobility Domain from an MX within the domain, type the following
command:
MX-20# clear mobility-domain
success: change accepted.
See Also
clear mobility-domain member on page 10-205
set mobility-domain member on page 10-207
set mobility-domain mode member seed-ip on page 10-208
set mobility-domain mode seed domain-name on page 10-210
clear mobility-domain ap-affinity-group
Clears the AP affinity configuration from the Mobility Domain.
show cluster on page 10-210
show cluster ap on page 10-211
Syntax
clear mobility-domain ap-affinity-group [address ipaddr netmask netmask | ip/netmask]
Defaults
None
Access
Enabled.
History
Introduced in MSS 7.1
clear mobility-domain member
On the seed MX, the command removes the identified member from the Mobility Domain.
Syntax
clear mobility-domain member ip-addr
Defaults
None.
Access
Enabled.
History
Introduced in MSS 1.0.
Usage
This command has no effect if the MX member is not configured as part of a Mobility
Domain or the current MX is not the seed.
Examples
The following command clears a Mobility Domain member with the IP address
192.168.0.1:
MX-20# clear mobility-domain member 192.168.0.1
See Also
set mobility-domain member on page 10-207
load configuration cluster
Loads a previous cluster configuration on the MX.
Syntax
load configuration cluster filename
Defaults
None
Access
Enabled
History
Introduced in MSS Version 7.0
Usage
This command is only allowed on a Mobility Domain member when Virtual Controller
Cluster is enabled.
set cluster mode
Enables cluster configuration on MXs in a Mobility Domain.
Syntax
set cluster mode [enable | disable [restore-backup-config]]
ip-addr IP address of the Mobility Domain member, in dotted decimal notation.
enable Enables cluster mode.
disable Disables cluster mode after the feature is enabled.
Defaults
None
Access
Enabled.
History
Usage
You must enable cluster mode on all MXs that are members of the cluster.
Examples
The following command enables cluster mode on an MX in a mobility domain:
MX# set cluster mode enable
success: change accepted.
set cluster preempt
Use this command on the secondary seed of the cluster to allow the secondary seed to become
active if the primary seed fails.
Syntax
set cluster preempt [enable | disable]
Defaults
None
Access
Enabled
History
Introduced in MSS 7.0.
Usage
You can only use this command on the secondary seed of the mobility domain.
Examples
The following command enables preempt mode on a secondary seed:
MX# set cluster preempt enable
success: change accepted.
set domain security
Enables MX-MX security on the MX Mobility Domain.
Syntax
set domain security {none | required}
Defaults
The default is none. (MX-MX security is disabled.)
Access
Enabled.
History
Introduced in MSS 5.0.
Usage
The setting must be the same (none or required) on all switches, the seed and all
members, in the Mobility Domain.
The set domain security none command is equivalent to the clear domain security
command.
Examples
The following command enables MX-MX security on an MX:
MX# set domain security required
MSS 7.0 Command introduced.
MSS 7.3 restore-backup-config deprecated.
none MX-MX security is disabled.
required MX-MX security is enabled.
success: change accepted.
set mobility-domain ap-affinity-group
Allows you to specify preferred IP subnets for a primary and backup MX on the network. It places
APs in affinity groups based on the subnets. A cluster member can belong to multiple affinity
groups.
Syntax
set mobility-domain ap-affinity-group address [ipaddr netmask netmask | ip/masklen]
Defaults
None
Access
Enabled.
History
Introduced in MSS 7.1
Usage
Extends the configuration between the PAM and members.
Examples
The following command sets the affinity for the primary MX, 172.21.26.135:
MX# set mobility-domain ap-affinity-group address 172.21.26.135 netmask 255.255.255.0
success: change accepted.
set mobility-domain member
On the seed MX, adds a member to the list of Mobility Domain members. If the current MX is not
configured as a seed, this command is rejected.
Syntax
set mobility-domain member ip-addr [key hex-bytes | keyfile filename]
Defaults
None.
Access
Enabled.
History
Usage
This command must be entered from the seed MX.
Examples
The following commands add three MX switches with the IP addresses 192.168.1.8,
192.168.1.9, and 192.168.1.10 as members of a Mobility Domain with a seed as the current MX:
MX# set mobility-domain member 192.168.1.8
success: change accepted.
MX# set mobility-domain member 192.168.1.9
ip-addr IP address of the Mobility Domain member in dotted decimal notation.
key hex-bytes Fingerprint of the public key to use for MX-MX security. Specify the key as 16
hexadecimal bytes. Use a colon between each byte, as in the following example:
00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff
keyfile Name of the file that contains the key in the above format.
Version 1.0 Command introduced
Version 5.0 Option key hex-bytes added.
Version 7.1 Option keyfile added.
success: change accepted.
MX# set mobility-domain member 192.168.1.10
success: change accepted.
See Also
clear mobility-domain member on page 10-205
set mobility-domain mode seed domain-name on page 10-210
show mobility-domain config on page 10-212
set mobility-domain mode member secondary-seed-ip
Sets the IP address of the secondary seed MX on a nonseed MX.
Syntax
set mobility-domain mode member ip-addr secondary-seed-ip secondary-seed-ip-addr key hex-bytes
Defaults
None.
Access
Enabled.
History
Introduced in MSS 1.0
Examples
The following command sets the current MX as a nonseed member of the Mobility
Domain whose secondary seed has the IP address 192.168.1.8:
MX# set mobility-domain mode member seed-ip 192.168.1.8
mode is: member
seed IP is: 192.168.1.8
See Also
clear mobility-domain on page 10-204
show mobility-domain config on page 10-212
set mobility-domain mode member seed-ip
On a nonseed MX, sets the IP address of the seed MX. This command is used on a member MX to
configure it as a member. If the MX is currently part of another Mobility Domain or using another
seed, this command overwrites that configuration.
Syntax
set mobility-domain mode member seed-ip ip-addr key hex-bytes
Defaults
None.
ip-addr IP address of the mobility domain member.
secondary-seed-ip-addr IP address of the secondary seed, in dotted decimal notation.
key hex-bytes Fingerprint of the public key to use for MX-MX security. Specify the key
as 16 hexadecimal bytes. Use a colon between each byte, as in the
following example:
00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff
ip-addr IP address of the Mobility Domain member, in dotted decimal notation.
key hex-bytes Fingerprint of the public key to use for MX-MX security. Specify the key as 16
hexadecimal bytes. Use a colon between each byte, as in the following example:
00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff
Access
Enabled.
History
Examples
The following command sets the current MX as a nonseed member of the Mobility
Domain whose seed has the IP address 192.168.1.8:
MX# set mobility-domain mode member secondary-seed-ip 192.168.1.8
See Also
clear mobility-domain on page 10-204
show mobility-domain config on page 10-212
set mobility-domain mode secondary-seed domain-name on page 10-209
set mobility-domain mode secondary-seed
domain-name
Ses the current MX as a secondary-seed device for the Mobility Domain.
Syntax
set mobility-domain mode secondary-seed domain-name mob-domain-name seed-ip
primary-seed-ip-addr
Defaults
None.
Access
Enabled.
History
Introduced in MSS 6.0.
Usage
You can optionally specify a secondary seed in a Mobility Domain. The secondary seed
provides redundancy for the primary seed switch in the Mobility Domain. If the primary seed
becomes unavailable, the secondary seed assumes the role of the seed MX. This allows the Mobility
Domain to continue functioning if the primary seed becomes unavailable.
When the primary seed MX fails, the remaining members form a Mobility Domain, with the
secondary seed taking over as the primary seed MX.
If countermeasures had been in effect on the primary seed, they are stopped while the
secondary seed gathers RF data from the member switches. Once the secondary seed has
rebuilt the RF database, countermeasures can be restored.
VLAN tunnels (other than those between the member switches and the primary seed) continue
to operate normally.
Roaming and session statistics continue to be gathered, providing that the primary seed is
uninvolved with roaming.
When the primary seed is restored, the seed resumes the role of the primary seed MX in the
Mobility Domain. The secondary seed returns to the role of a regular member of the Mobility
Domain.
Version 1.0 Command introduced
Version 5.0 Option key hex-bytes added.
mob-domain-name Name of the Mobility Domain. Specify between 1 and 32 characters with no
spaces.
primary-seed-ip-addr The address of the seed device in the Mobility Domain
Examples
The following command configures this MX as the secondary seed in a Mobility Domain
named Pleasanton:
MX# set mobility-domain mode secondary-seed domain-name Pleasanton
mode is: secondary-seed
domain name is: Pleasanton
See Also
clear mobility-domain member on page 10-205
show mobility-domain on page 10-212
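The key hex-bytes argument to set mobility-domain mode member seed-ip (and secondary-seed-ip) pins the public key that the member will accept from its seed for MX-MX security. A member configured with a mistyped or unverified fingerprint trusts whichever device presents a key with that fingerprint, so the value should be obtained from the seed out of band and checked before it is typed in. The following Python script is an added example and not Trapeze code: it validates a fingerprint in the 16-byte colon-separated form the CLI expects, compares it in constant time with the trusted value, and only then emits the command line. The fingerprint and seed address it uses are constructed placeholders, and the way the MX derives the fingerprint from the key is not assumed.

```python
"""Validate the key hex-bytes fingerprint before it goes into
'set mobility-domain mode member seed-ip <ip-addr> key <hex-bytes>'.

Added example, not Trapeze code. The CLI format (16 colon-separated hex
bytes) is taken from the command reference; everything else is assumption.
"""
import hmac
import ipaddress
import re

FINGERPRINT_BYTES = 16                       # the CLI wants exactly 16 bytes
_HEX_BYTE = re.compile(r"^[0-9a-fA-F]{2}$")  # one byte = two hex digits


def parse_fingerprint(text: str) -> bytes:
    """Turn 'aa:bb:...:ff' into 16 raw bytes, rejecting anything else."""
    parts = text.strip().split(":")
    if len(parts) != FINGERPRINT_BYTES:
        raise ValueError(f"expected {FINGERPRINT_BYTES} bytes, got {len(parts)}")
    if not all(_HEX_BYTE.match(p) for p in parts):
        raise ValueError("each byte must be exactly two hex digits")
    return bytes(int(p, 16) for p in parts)


def is_valid_fingerprint(text: str) -> bool:
    """True when parse_fingerprint() accepts the string."""
    try:
        parse_fingerprint(text)
    except ValueError:
        return False
    return True


def format_fingerprint(raw: bytes) -> str:
    """Render raw bytes in the lowercase colon-separated form the CLI shows."""
    if len(raw) != FINGERPRINT_BYTES:
        raise ValueError(f"expected {FINGERPRINT_BYTES} bytes, got {len(raw)}")
    return ":".join(f"{b:02x}" for b in raw)


def fingerprints_match(observed: str, expected: str) -> bool:
    """Byte-for-byte comparison, case-insensitive, without early exit."""
    return hmac.compare_digest(parse_fingerprint(observed),
                               parse_fingerprint(expected))


def member_command(seed_ip: str, observed: str, expected: str) -> str:
    """Return the CLI line only if the fingerprint matches the trusted one.

    seed_ip must be dotted-decimal IPv4; ipaddress rejects anything else.
    expected is the fingerprint obtained from the seed MX out of band.
    """
    addr = ipaddress.IPv4Address(seed_ip)
    if not fingerprints_match(observed, expected):
        raise ValueError("fingerprint does not match the trusted value; "
                         "refusing to pin an unverified key")
    key = format_fingerprint(parse_fingerprint(observed))
    return f"set mobility-domain mode member seed-ip {addr} key {key}"


if __name__ == "__main__":
    # Constructed values: the trusted fingerprint would come from the seed MX.
    TRUSTED = "00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF"
    print(member_command("192.168.1.8", TRUSTED.lower(), TRUSTED))
```

hmac.compare_digest is used rather than == so that a mismatch does not leak, through timing, how many leading bytes were correct; it is a habit worth keeping even for a 16-byte operator-entered value.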
set mobility-domain mode seed domain-name
Creates a Mobility Domain by setting the current MX as the seed device and naming the Mobility Domain.
Syntax
set mobility-domain mode seed domain-name mob-domain-name
mob-domain-name Name of the Mobility Domain. Specify between 1 and 32 characters with no spaces.
Defaults
None.
Access
Enabled.
History
Version 1.0 Command introduced.
Version 4.1 Maximum length of mob-domain-name increased to 32 characters.
Usage
Before you use this command, the current MX must have an IP address set with the set system ip-address command. After you enter this command, all Mobility Domain traffic is sent and received from that IP address.
You must explicitly configure only one MX per domain as the seed. All other MX switches in the domain receive their Mobility Domain information from the seed.
Examples
The following command creates a Mobility Domain named Pleasanton with the current MX as the seed:
MX# set mobility-domain mode seed domain-name Pleasanton
mode is: seed
domain name is: Pleasanton
See Also
clear mobility-domain member on page 10-205
show mobility-domain on page 10-212
show cluster
Displays the cluster configuration and resiliency state on a Mobility Domain.
Syntax
show cluster
Defaults
None
Access
Enabled
History
Introduced in MSS 7.0.
Examples
The following command displays the cluster configuration and resiliency state:
MX# show cluster
Network Resiliency Cluster Enabled
Mode : PRIMARY-SEED
Active Seed : YES
Network is Resilient
show cluster ap
Displays all MPs configured on cluster member.
Syntax
show cluster ap
Defaults
None
Access
Enabled
History
Introduced in MSS 7.0.
Examples
The following command displays the MPs configured on a cluster member:
MX# show cluster ap
Primary AP Manager(PAM) and Secondary AP manager(SAM) List:
Flags:L - Cluster Load Balancing; C - Connection Wait; S - Session setup Wait
AP PAM MX IP SAM MX IP AP connected to PAM AP connected to SAM
---- --------------- --------------- ------------------- -------------------
3 192.168.254.85 192.168.254.83 YES YES
12 192.168.254.83 192.168.254.85 YES YES
6 192.168.254.85 192.168.254.83 YES YES
15 192.168.254.85 192.168.254.83 YES YES
9 192.168.254.85 192.168.254.83 YES YES
14 192.168.254.83 192.168.254.85 YES YES
10 192.168.254.83 192.168.254.85 YES YES
4 192.168.254.85 192.168.254.83 YES YES
5 192.168.254.85 192.168.254.83 YES YES
1 192.168.254.85 192.168.254.83 YES YES
2 192.168.254.85 192.168.254.83 YES YES
8 192.168.254.83 192.168.254.85 YES YES
7 192.168.254.85 192.168.254.83 YES YES
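The question an operator asks of this table is whether every AP really is dual-homed: a Primary AP Manager and a Secondary AP Manager on different MXs, with the AP connected to both. The Python script below is an added example, not Trapeze code. It parses the table above (embedded as constructed sample input, together with a second constructed sample containing two degraded rows), flags APs whose redundancy is incomplete, and summarises how PAM duty is spread across the cluster. It assumes the five-column rows shown here; the flag letters from the legend do not appear in this sample, so the parser skips any row with a different number of fields rather than guessing where they would be placed.

```python
"""Check AP manager redundancy from 'show cluster ap' output.

Added example, not Trapeze code. It assumes the five-column layout shown in
the command reference (AP, PAM MX IP, SAM MX IP, connected to PAM, connected
to SAM); rows with a different shape are ignored.
"""
from collections import Counter
from dataclasses import dataclass

# Constructed sample: the table from the command reference.
SAMPLE_OUTPUT = """\
MX# show cluster ap
Primary AP Manager(PAM) and Secondary AP manager(SAM) List:
Flags:L - Cluster Load Balancing; C - Connection Wait; S - Session setup Wait
AP   PAM MX IP        SAM MX IP        AP connected to PAM  AP connected to SAM
---- ---------------  ---------------  -------------------  -------------------
3    192.168.254.85   192.168.254.83   YES                  YES
12   192.168.254.83   192.168.254.85   YES                  YES
6    192.168.254.85   192.168.254.83   YES                  YES
15   192.168.254.85   192.168.254.83   YES                  YES
9    192.168.254.85   192.168.254.83   YES                  YES
14   192.168.254.83   192.168.254.85   YES                  YES
10   192.168.254.83   192.168.254.85   YES                  YES
4    192.168.254.85   192.168.254.83   YES                  YES
5    192.168.254.85   192.168.254.83   YES                  YES
1    192.168.254.85   192.168.254.83   YES                  YES
2    192.168.254.85   192.168.254.83   YES                  YES
8    192.168.254.83   192.168.254.85   YES                  YES
7    192.168.254.85   192.168.254.83   YES                  YES
"""

# Constructed degraded sample: AP 21 lost its SAM link, AP 22 has PAM == SAM.
SAMPLE_DEGRADED = """\
AP   PAM MX IP        SAM MX IP        AP connected to PAM  AP connected to SAM
---- ---------------  ---------------  -------------------  -------------------
21   192.168.254.85   192.168.254.83   YES                  NO
22   192.168.254.83   192.168.254.83   YES                  YES
"""


@dataclass(frozen=True)
class ApRow:
    ap: int
    pam: str
    sam: str
    pam_up: bool
    sam_up: bool


def parse_cluster_ap(text: str) -> list[ApRow]:
    """Return one ApRow per table line after the dashed separator."""
    rows, in_table = [], False
    for line in text.splitlines():
        if line.startswith("----"):
            in_table = True
            continue
        fields = line.split()
        if not in_table or len(fields) != 5:
            continue
        ap, pam, sam, pam_up, sam_up = fields
        rows.append(ApRow(int(ap), pam, sam, pam_up == "YES", sam_up == "YES"))
    return rows


def redundancy_findings(rows: list[ApRow]) -> list[str]:
    """One line per AP whose dual-homing is incomplete; empty when healthy."""
    findings = []
    for r in rows:
        if r.pam == r.sam:
            findings.append(f"AP {r.ap}: PAM and SAM are the same MX ({r.pam})")
        if not r.pam_up:
            findings.append(f"AP {r.ap}: not connected to PAM {r.pam}")
        if not r.sam_up:
            findings.append(f"AP {r.ap}: not connected to SAM {r.sam}; no failover")
    return findings


def pam_load(rows: list[ApRow]) -> dict[str, int]:
    """How many APs each MX is primary manager for."""
    return dict(Counter(r.pam for r in rows))


if __name__ == "__main__":
    for name, text in (("healthy", SAMPLE_OUTPUT), ("degraded", SAMPLE_DEGRADED)):
        rows = parse_cluster_ap(text)
        print(name, pam_load(rows), redundancy_findings(rows) or ["OK"])
```

On the sample above the two MXs carry 9 and 4 APs as PAM, which is worth knowing before a planned upgrade or a seed failover: every AP whose PAM goes away falls back to its SAM, so the SAM side must have the capacity to absorb them.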
show cluster upgrade
Displays the upgrade status of each member in the cluster and displays the number of APs that
have been upgraded and how many upgrades are pending on APs.
Syntax
show cluster upgrade
Defaults
None
Access
Enabled
History
Introduced in MSS 7.1.
show mobility-domain config
This command was deprecated in MSS 7.0
show mobility-domain
On the seed MX, displays the Mobility Domain status and members.
Syntax
show mobility-domain
Defaults
None.
Access
Enabled.
History
Version 1.0 Command introduced.
Version 7.0 Updated with cluster information.
Examples
To display Mobility Domain status, type the following command:
MX# show mobility-domain
Mobility Domain name: Mobility1
Flags: u = up[2], d = down[2], c = cluster enabled[1], p = primary seed,
s = secondary seed (S = cluster preempt mode enabled), m = member, a = active seed, y =
syncing, w = waiting to sync, n = sync completed, f = sync failed
Member Flags Model Version NoAPs APCap
--------------- ----- -------- ---------- ----- -----
10.8.107.1 upacn MX-20 7.0.1.0 0 40
10.2.28.71 dm--- Unknown Unknown 0 0
10.2.28.72 dm--- Unknown Unknown 0 0
10.2.28.74 um--- MX-20 7.0.1.0 0 40
Table 10– 1 describes the fields in the display.
Table 10– 1. show mobility-domain Output
Field Description
Mobility Domain name Name of the Mobility Domain.
Flags State of each MX in the Mobility Domain. The letters indicate which flags are present:
u = up
d = down
c = cluster enabled
p = primary seed
s = secondary seed (S = cluster preempt mode enabled)
m = member
a = active seed
y = syncing
w = waiting to sync
n = sync completed
f = sync failed
Member IP addresses of the seed MX and members in the Mobility Domain.
Model Model of the MX switch.
Version MSS version running on the MX.
NoAPs Number of APs per MX.
APCap Number of APs licensed per MX.
See Also
clear mobility-domain on page 10-204
set mobility-domain member on page 10-207
set mobility-domain mode member seed-ip on page 10-208
show mobility-domain ap-affinity-groups
Displays affinity information for a Mobility Domain configuration.
Syntax
show mobility-domain ap-affinity-groups
Defaults
None
Access
Enabled
History
Introduced in MSS 7.1.
upgrade cluster
Performs an in-service software upgrade on a cluster configuration (a network resiliency enhancement).
Syntax
upgrade cluster [force]
Access
Enabled
History
Introduced in MSS 7.1.
Usage
The upgrade assumes that both the old and the new versions of MSS are 7.1 or higher.
11
Network Domain Commands
Use Network Domain commands to configure and manage Network Domain groups.
A Network Domain is a group of geographically dispersed Mobility Domains that share
information over a WAN link. This shared information allows a user configured on an MX in one
Mobility Domain to establish connectivity with an MX in another Mobility Domain in the same
Network Domain. The MX forwards the user traffic by creating a VLAN tunnel to an MX in the
remote Mobility Domain.
In a Network Domain, one or more MX switches serve as a seed switch. At least one of the
Network Domain seeds maintains a connection with each of the member MX switches in the
Network Domain. The Network Domain seeds share information about the VLANs configured on
their members, so that all the Network Domain seeds have a common database of VLAN
information.
This chapter presents Network Domain commands alphabetically. Use the following table to locate commands in this chapter based on their use.
Network Domain set network-domain mode seed domain-name on page 11-216
set network-domain mode member seed-ip on page 11-215
set network-domain peer on page 11-216
show network-domain on page 11-217
clear network-domain on page 11-213
clear network-domain mode on page 11-214
clear network-domain peer on page 11-214
clear network-domain seed-ip on page 11-215
clear network-domain
Clears all Network Domain configuration and information from an MX, regardless of whether the MX is a seed or a member of a Network Domain.
Syntax
clear network-domain
Defaults
None.
Access
Enabled.
History
Introduced in MSS 4.1.
Usage
This command has no effect if the MX is not configured as part of a Network Domain.
Examples
To clear a Network Domain from an MX within the domain, type the following command:
MX-20# clear network-domain
This will clear all network-domain configuration. Would you like to continue? (y/n) [n] y
success: change accepted.
See Also
set network-domain mode member seed-ip on page 11-215
set network-domain peer on page 11-216
set network-domain mode seed domain-name on page 11-216
clear network-domain mode
Removes the Network Domain seed or member configuration from the MX.
Syntax
clear network-domain mode {seed | member}
seed Clears the Network Domain seed configuration from the MX.
member Clears the Network Domain member configuration from the MX.
Defaults
None.
Access
Enabled.
History
Introduced in MSS 4.1.
Usage
This command has no effect if the MX is not configured as part of a Network Domain.
Examples
The following command clears the Network Domain member configuration from the MX:
MX-20# clear network-domain mode member
success: change accepted.
The following command clears the Network Domain seed configuration from the MX:
MX-20# clear network-domain mode seed
success: change accepted.
See Also
set network-domain mode member seed-ip on page 11-215
set network-domain mode seed domain-name on page 11-216
clear network-domain peer
Removes the configuration of a Network Domain peer from an MX configured as a Network Domain seed.
Syntax
clear network-domain peer {peer-ip | all}
peer-ip IP address of the Network Domain peer, in dotted decimal notation.
all Clears the Network Domain peer configuration for all peers from the MX.
Defaults
None.
Access
Enabled.
History
Introduced in MSS 4.1.
Usage
This command has no effect if the MX is not configured as a Network Domain seed.
Examples
The following command clears the Network Domain peer configuration for peer 192.168.9.254 from the MX:
MX-20# clear network-domain peer 192.168.9.254
success: change accepted.
The following command clears the Network Domain peer configuration for all peers from the MX:
MX-20# clear network-domain peer all
success: change accepted.
See Also
set network-domain peer on page 11-216
clear network-domain seed-ip
Removes the specified Network Domain seed from the MX configuration. When you enter this command, the Network Domain TCP connections between the MX switch and the specified Network Domain seed are closed.
Syntax
clear network-domain seed-ip seed-ip
seed-ip IP address of the Network Domain seed, in dotted decimal notation.
Defaults
None.
Access
Enabled.
History
Introduced in MSS 4.1.
Usage
This command has no effect if the MX is not configured as part of a Network Domain, or if the MX is not configured as a member of a Network Domain using the specified Network Domain seed.
Examples
The following command removes the Network Domain seed with IP address 192.168.9.254 from the MX configuration:
MX-20# clear network-domain seed-ip 192.168.9.254
success: change accepted.
See Also
set network-domain mode member seed-ip on page 11-215
set network-domain mode member seed-ip
Sets the IP address of a Network Domain seed. This command is used for configuring an MX as a member of a Network Domain. You can specify multiple Network Domain seeds and configure one as the primary seed.
Syntax
set network-domain mode member seed-ip seed-ip [affinity num]
seed-ip IP address of the Network Domain seed, in dotted decimal notation.
num Preference for using the specified Network Domain seed. You can specify a value from 1 through 10. A higher number indicates a greater preference.
Defaults
The default affinity for a Network Domain seed is 5.
Access
Enabled.
History
Introduced in MSS 4.1.
Usage
You can specify multiple Network Domain seeds on the MX. When the MX needs to connect to a Network Domain seed, it first attempts to connect to the seed with the highest affinity. If that seed is unavailable, the MX attempts to connect to the seed with the next-highest affinity. After a connection is made to a seed other than the highest-affinity one, the MX periodically attempts to reconnect to the highest-affinity seed.
Examples
The following command sets the MX switch as a member of the Network Domain whose seed has the IP address 192.168.1.8:
MX# set network-domain mode member seed-ip 192.168.1.8
success: change accepted.
The following command sets the MX as a member of a Network Domain with a seed that has the IP address 192.168.9.254 and sets the affinity for that seed to 7. If the MX specifies other Network Domain seeds and they are configured with the default affinity of 5, then 192.168.9.254 becomes the primary Network Domain seed for the MX.
MX# set network-domain mode member seed-ip 192.168.9.254 affinity 7
success: change accepted.
See Also
clear network-domain on page 11-213
show network-domain on page 11-217
set network-domain peer
On a Network Domain seed, configures one or more MX switches as redundant Network Domain seeds. The seeds in a Network Domain share information about the VLANs configured on the member devices, so that all the Network Domain seeds have the same database of VLAN information.
Syntax
set network-domain peer peer-ip
peer-ip IP address of the Network Domain seed to specify as a peer, in dotted decimal notation.
Defaults
None.
Access
Enabled.
History
Introduced in MSS 4.1.
Usage
This command must be entered on an MX configured as a Network Domain seed.
Examples
The following command sets the MX with IP address 192.168.9.254 as a peer of this Network Domain seed:
MX# set network-domain peer 192.168.9.254
success: change accepted.
See Also
clear network-domain on page 11-213
show network-domain on page 11-217
set network-domain mode seed domain-name
Creates a Network Domain by setting the current MX as a seed device and naming the Network Domain.
Syntax
set network-domain mode seed domain-name net-domain-name
net-domain-name Name of the Network Domain. Specify between 1 and 16 characters with no spaces.
Defaults
None.
Access
Enabled.
History
Introduced in MSS 4.1.
Usage
Before you use this command, the current MX must have an IP address set with the set system ip-address command. After you enter this command, Network Domain traffic is sent and received from that IP address.
You can configure multiple MX switches as Network Domain seeds. If you do this, you must identify them as peers by using the set network-domain peer command.
Examples
The following command creates a Network Domain named California with the current
MX as a seed:
MX# set network-domain mode seed domain-name California
success: change accepted.
See Also
clear network-domain on page 11-213
show network-domain on page 11-217
show network-domain
Displays the status of Network Domain seeds and members.
Syntax
show network-domain
Defaults
None.
Access
Enabled.
History
Introduced in MSS 4.1.
Examples
The output of the command differs based on whether the MX is a member of a Network
Domain or a Network Domain seed. To display Network Domain status, type the following
command:
MX# show network-domain
On an MX that is a Network Domain member, the following output is displayed:
MX# show network-domain
Member Network Domain name: California
Member State Mode
--------------- ------------- -----------
10.67.1.201 UP MEMBER
10.67.1.200 UP SEED
On an MX that is a Network Domain seed, information is displayed about the Network Domain for which the MX is a seed, as well as the Network Domain seeds with which the MX has a peer relationship. For example:
MX# show network-domain
Network Domain name: California
Peer State
--------------- -------------
10.67.1.200 UP
Member State Mode
--------------- ------------- -----------
10.67.1.201 UP MEMBER
Table 11– 1 describes the fields in the display.
Table 11– 1. show network-domain Output
Field Description
Output if the MX is a Network Domain seed:
Network Domain name Name of the Network Domain for which the MX is a seed.
Peer IP addresses of the other seeds in the Network Domain.
State State of the connection between the MX and each peer Network Domain seed: UP or DOWN.
Member IP addresses of the seed MX and members in the Network Domain.
State State of the MX in the Network Domain: UP or DOWN.
Mode Role of the MX in the Network Domain: MEMBER or SEED.
Output if the MX is a Network Domain member:
Member Network Domain name Name of the Network Domain of which the MX is a member.
Member IP addresses of the seed MX and members in the Network Domain.
State State of the MX in the Network Domain: UP or DOWN.
Mode Role of the MX in the Network Domain: MEMBER or SEED.
See Also
clear network-domain on page 11-213
set network-domain mode member seed-ip on page 11-215
set network-domain mode seed domain-name on page 11-216
set network-domain peer on page 11-216
12
MP Access Point Commands
Use MP access point commands to configure and manage MP access points. Be sure to do the
following before using the commands:
Define the country-specific IEEE 802.11 regulations on the MX. (See set system
countrycode on page 4-30.)
Install the MP and connect it to a port on the MX. (See the Trapeze Indoor Mobility Point
Installation Guide or Trapeze Mobility Point MP-620 Installation Guide.)
Configure an MP as a directly connected MP or a Distributed MP.
Mixed Cipher Support
All cipher options are now grouped under the command rsn-ie or wpa-ie to allow multiple ciphers
per service profile.
This chapter presents MP access point commands alphabetically. Use the following table to locate
commands in this chapter based on their use.
Warning!
Changing the system country code after MP configuration disables MPs and deletes the configuration. If you change the country code on an MX, you must reconfigure all MPs.
Note:
You must enable a cipher such as cipher-tkip before enabling rsn-ie or wpa-ie. For example, to enable cipher-tkip on a service profile, use the following sequence of commands:
MX# set service-profile profile-name wpa-ie cipher-tkip enable
success: change accepted.
MX# set service-profile profile-name wpa-ie enable
success: change accepted.
TKIP is a legacy cipher retained for older clients. Where the clients support it, enable cipher-ccmp under rsn-ie instead (see set service-profile [rsn-ie | wpa-ie] cipher-ccmp on page 12-292).
Automatic Configuration of Distributed MPs set ap auto on page 12-230
set ap auto mode on page 12-232
set ap auto radiotype on page 12-233
set ap auto persistent on page 12-233
set ap bias on page 12-234
set ap blink on page 12-236
set ap group on page 12-243
set ap radio auto-tune max-power on page 12-248
set ap radio auto-tune max-retransmissions on page 12-249
set ap radio mode on page 12-253
set ap radio radio-profile on page 12-254
set ap upgrade-firmware on page 12-257
External Antennas set ap radio antennatype on page 12-247
set ap radio antenna-location on page 12-247
MP-MP Tunneling set ap tunnel-affinity on page 12-256
MP-MX security set ap fingerprint on page 12-242
set ap security on page 12-255
Static IP Address Assignment for Distributed MPs set ap boot-configuration ip on page 12-236
set ap boot-configuration switch on page 12-240
set ap boot-configuration vlan on page 12-241
clear ap boot-configuration on page 12-226
show ap boot-configuration on page 12-348
Radio Profile Assignment set ap radio radio-profile on page 12-254
set radio-profile mode on page 12-272
Updated clear radio-profile on page 12-228
set radio-profile service-profile on page 12-279
show radio-profile on page 12-354
SSID Assignment set service-profile ssid-name on page 12-310
set service-profile ssid-type on page 12-310
set service-profile beacon on page 12-289
Radio Properties set radio-profile active-scan on page 12-260
set radio-profile beacon-interval on page 12-266
set radio-profile countermeasures on page 12-268
Updated set radio-profile dfs-channels on page 12-269
set radio-profile weighted-fair-queuing on page 12-270
set radio-profile frag-threshold on page 12-271
set radio-profile max-rx-lifetime on page 12-272
set radio-profile mode on page 12-272
set radio-profile preamble-length on page 12-275
set radio-profile rts-threshold on page 12-279
Authentication and Encryption set service-profile attr on page 12-286
Updated set service-profile [rsn-ie | wpa-ie] auth-dot1x on page 12-287
Updated set service-profile [rsn-ie | wpa-ie] auth-psk on page 12-289
set service-profile web-portal-form on page 12-316
set service-profile web-portal-acl on page 12-315
Updated set service-profile [rsn-ie | wpa-ie] auth-psk on page 12-289
Updated set service-profile wpa-ie on page 12-321
Updated set service-profile rsn-ie on page 12-303
Updated set service-profile [rsn-ie | wpa-ie] cipher-ccmp on page 12-292
Updated set service-profile [rsn-ie | wpa-ie] cipher-tkip on page 12-293
Updated set service-profile [rsn-ie | wpa-ie] cipher-wep104 on page 12-293
Updated set service-profile [rsn-ie | wpa-ie] cipher-wep40 on page 12-294
set service-profile [rsn-ie | wpa-ie] psk-phrase on page 12-301
Updated set service-profile [rsn-ie | wpa-ie] psk-raw on page 12-302
set service-profile tkip-mc-time on page 12-312
set service-profile wep active-multicast-index on page 12-319
set service-profile wep active-unicast-index on page 12-320
set service-profile wep key-index on page 12-320
set service-profile keep-initial-vlan on page 12-297
set service-profile transmit-rates on page 12-312
set service-profile long-retry-count on page 12-298
set service-profile short-retry-count on page 12-304
set service-profile shared-key-auth on page 12-304
show service-profile on page 12-357
clear service-profile on page 12-229
QoS and VoIP set radio-profile qos-mode on page 12-275
set radio-profile wmm-powersave on page 12-284
set service-profile cac-mode on page 12-290
set service-profile cac-session on page 12-291
Updated set service-profile static-cos on page 12-311
set service-profile cos on page 12-295
Updated set service-profile use-client-dscp on page 12-314
DHCP Restrict set service-profile dhcp-restrict on page 12-296
Broadcast control set service-profile no-broadcast on page 12-300
Proxy ARP set service-profile proxy-arp on page 12-300
Keepalives and session timers set service-profile idle-client-probing on page 12-296
set service-profile user-idle-timeout on page 12-314
set service-profile web-portal-session-timeout on page 12-318
Sygate On-Demand (SODA) set service-profile soda mode on page 12-308
set service-profile soda agent-directory on page 12-305
set service-profile soda enforce-checks on page 12-305
set service-profile soda failure-page on page 12-306
set service-profile soda remediation-acl on page 12-308
set service-profile soda success-page on page 12-309
set service-profile soda logout-page on page 12-307
Radio transmit rates set service-profile transmit-rates on page 12-312
set radio-profile rate-enforcement on page 12-276
Transmission retries set service-profile long-retry-count on page 12-298
set service-profile short-retry-count on page 12-304
RF Auto-Tuning set radio-profile auto-tune 11a-channel-range on page 12-260
set radio-profile auto-tune channel-holddown on page 12-261
Updated set radio-profile auto-tune channel-interval on page 12-262
set radio-profile auto-tune channel-lockdown on page 12-263
Updated set radio-profile auto-tune power-config on page 12-264
set radio-profile auto-tune power-interval on page 12-264
set radio-profile auto-tune power-lockdown on page 12-265
set ap radio auto-tune max-power on page 12-248
show auto-tune neighbors on page 12-347
show auto-tune attributes on page 12-345
AeroScout tag support set radio-profile rf-scanning mode on page 12-278
Radio State set ap radio mode on page 12-253
Dual Homing set ap bias on page 12-234
RF Load Balancing set ap radio load-balancing on page 12-251
clear ap radio load-balancing group on page 12-227
set band-preference on page 12-257
set load-balancing mode on page 12-258
set load-balancing strictness on page 12-259
set service-profile load-balancing-exempt on page 12-298
show load-balancing group on page 12-353
MP Administration and Maintenance set ap name on page 12-246
set ap blink on page 12-236
set ap upgrade-firmware on page 12-257
set ap force-image-download on page 12-242
reset ap on page 12-230
Updated set ap power-mode on page 12-246
Updated set ap radio channel on page 12-249
set ap radio tx-power on page 12-254
set ap image on page 12-243
set ap led-mode on page 12-244
clear ap radio on page 12-225
show ap config radio on page 12-328
show ap status on page 12-340
show ap counters on page 12-330
show ap global on page 12-351
show ap connection on page 12-349
show ap unconfigured on page 12-352
show ap qos-stats on page 12-336
show ap etherstats on page 12-338
MP Local Switching set ap local-switching mode on page 12-244
set ap local-switching vlan-profile on page 12-245
clear ap local-switching vlan-profile on page 12-224
show ap arp on page 12-326
show ap fdb on page 12-335
show ap vlan on page 12-344
WLAN Mesh Services set ap boot-configuration mesh mode on page 12-237
set ap boot-configuration mesh psk-phrase on page 12-238
set ap boot-configuration mesh psk-raw on page 12-238
set ap boot-configuration mesh ssid on page 12-239
set service-profile mesh on page 12-299
set service-profile bridging on page 12-290
show ap boot-configuration on page 12-348
show ap mesh-links on page 12-339
AirDefense Integration set ap image on page 12-243
clear ap image on page 12-223
clear ap image
Clears an AirDefense sensor software image file from the configuration on an MP.
Syntax
clear ap apnum image
apnum Index value that identifies the MP to the MX. You can specify a value between 1 and 9999.
Defaults
None.
Access
Enabled.
History
Version 5.0 Command introduced.
Version 6.0 Option dap removed.
Version 6.2 Added index value range of 1 to 9999.
Usage
Use this command to revert an MP that was converted to an AirDefense sensor back to an MP. The next time the MP boots, it becomes a Trapeze Mobility Point again.
Examples
The following command clears the AirDefense sensor software file from the configuration of MP 1:
MX# clear ap 1 image
success: change accepted.
See Also
set ap image on page 12-243
clear ap local-switching vlan-profile
Clears the VLAN profile that had been applied to an MP for local switching.
Syntax
clear ap apnum local-switching vlan-profile
apnum Index value that identifies the MP on the MX. You can specify a value between 1 and 9999.
Defaults
None.
Access
Enabled.
History
Version 6.0 Command introduced.
Version 6.2 Added index value range of 1 to 9999.
Usage
A VLAN profile consists of a list of VLANs and tags. When a VLAN profile is applied to an MP, traffic for the VLANs specified in the profile is locally switched by the MP instead of being tunneled back to an MX.
Use this command to reset the VLAN profile used by the MP for local switching to the default VLAN profile. Traffic that was locally switched because of an entry in the cleared VLAN profile is then tunneled to an MX.
When clearing a VLAN profile causes traffic that was locally switched by MPs to be tunneled to an MX instead, the sessions of clients associated with those MPs are terminated, and the clients must re-associate with the MPs.
Examples
The following command clears the VLAN profile that was applied to MP 7:
MX# clear ap 7 local-switching vlan-profile
success: change accepted.
See Also
set ap local-switching mode on page 12-244
set ap local-switching vlan-profile on page 12-245
set vlan-profile on page 6-75
clear ap radio
Disables an MP radio and resets it to its factory default settings.
Syntax
clear ap apnum radio {1 | 2 | all}
apnum Index value that identifies the MP on the MX. You can specify a value between 1 and 9999.
radio 1 Radio 1 of the MP.
radio 2 Radio 2 of the MP. (This option does not apply to single-radio models.)
radio all All radios on the MP.
Defaults
The clear ap radio command resets the radio to the default settings listed in Table 12– 1 and in Table 12– 3 on page 273.
Table 12– 1. Radio-Specific Parameters
antenna-location
Default Value: indoors
Description: Location of the radio antenna. Note: This parameter applies only to MP models that support external antennas.
antennatype
Default Value: internal for most MP models. For the MP-620, the default for the 802.11b/g radio is ANT-1360-OUT and the default for the 802.11a radio is ANT-5360-OUT. For the MP-262, the default for the 802.11b/g radio is ANT1060.
Description: Trapeze external antenna model. Note: This parameter applies only to MP models that support external antennas.
auto-tune max-power
Default Value: Highest setting allowed for the country of operation or highest setting supported on the hardware, whichever is lower.
Description: Maximum transmit power that RF Auto-Tuning can assign to the radio.
channel
Default Value: 802.11b/g: 6. 802.11a: lowest valid channel number for the country of operation.
Description: Number of the channel on which the radio transmits and receives traffic.
mode
Default Value: disable
Description: Operational state of the radio.
radio-profile
Default Value: None. You must add the radio to a radio profile.
Description: 802.11 settings applied to the radio through its radio profile.
tx-power
Default Value: Highest setting allowed for the country of operation or highest setting supported on the hardware, whichever is lower.
Description: Transmit power of the radio, in decibels referred to 1 milliwatt (dBm).
Access
Enabled
History
Usage
When you clear a radio, MSS performs the following actions:
Clears the transmit power, channel, and external antenna setting from the radio.
Removes the radio from its radio profile and places the radio in the default radio profile.
This command does not affect the PoE setting.
Examples
The following command disables and resets radio 2 on the MP connected to port 3:
MX# clear ap 3 radio 2
See Also
set ap radio mode on page 12-253
set ap radio radio-profile on page 12-254
set port type ap on page 5-59
clear ap boot-configuration
Removes the static IP address configuration for a Distributed MP.
Syntax
clear ap apnum boot-configuration
Defaults
None.
Access
Enabled.
History
Usage
When the static IP configuration is cleared for an MP, and an MP is rebooted, it uses the
standard boot process.
Examples
The following command clears the static IP address configuration for MP 1.
MX# clear ap 1 boot-configuration
This will clear specified AP devices. Would you like to continue? (y/n) [n]y
success: change accepted.
History (clear ap radio)
Version 1.0 Command introduced.
Version 2.0 Option dap added for Distributed MPs.
Version 5.0 Option antenna-location added. Option auto-tune min-client-rate
removed. Option auto-tune max-retransmissions removed.
Version 6.0 Option dap removed for Distributed MPs.
Version 6.2 Added index value range of 1 to 9999.
Parameters (clear ap boot-configuration)
ap apnum Index value that identifies the MP on the MX. You can specify a value
from 1 to 9999.
History (clear ap boot-configuration)
Version 4.2 Command introduced.
Version 6.0 Option dap removed.
Version 6.2 Added a range of 1 to 9999 for index value.
See Also
set ap boot-configuration ip on page 12-236
set ap boot-configuration vlan on page 12-241
show ap boot-configuration on page 12-348
clear ap radio load-balancing group
Removes an MP radio from a load-balancing group.
Syntax
clear ap apnum radio {1 | 2} load-balancing group
Defaults
None.
Access
Enabled.
History
Usage
If an MP radio has been assigned to an RF load balancing group, you can use this
command to remove the MP radio from the group.
Examples
The following command clears radio 1 on MP 7 from the load balancing group to which
it had been assigned:
MX# clear ap 7 radio 1 load-balancing group
MX#
See Also
set load-balancing strictness on page 12-259
set ap radio load-balancing on page 12-251
set ap local-switching mode on page 12-244
show load-balancing group on page 12-353
ap apnum Index value that identifies the MP on the MX. You can specify a value from 1
to 9999.
radio 1 Radio 1 of the MP.
radio 2 Radio 2 of the MP. (This option does not apply to single-radio models.)
History (clear ap radio load-balancing group)
Version 6.0 Command introduced.
Version 6.2 Added index value range of 1 to 9999.
clear radio-profile
Removes a radio profile or resets one of the profile parameters to the default value.
Syntax
clear radio-profile name [parameter]
Defaults
If you reset an individual parameter, the parameter is returned to the default value
listed in Table 12-3 on page 273.
Access
Enabled.
History
Usage
If you specify a parameter, the setting is reset to the default value. The settings of the
other parameters are unchanged and the radio profile remains in the configuration. If you do not
specify a parameter, the entire radio profile is deleted from the configuration. All radios that use
this profile must be disabled before you can delete the profile.
Examples
The following commands disable the radios using radio profile rp1 and reset the
beacon-interval parameter to the default value:
MX# set radio-profile rp1 mode disable
MX# clear radio-profile rp1 beacon-interval
success: change accepted.
name Radio profile name.
parameter Radio profile parameter, one of the following:
beacon-interval
countermeasures
dtim-interval
frag-threshold
max-rx-lifetime
max-tx-lifetime
preamble-length
rts-threshold
service-profile
snoop
weighted-fair-queuing
(For information about these parameters, see the set radio-profile
commands that use them.)
History (clear radio-profile)
Version 1.0 Command introduced.
Version 1.1 Option added to clear individual radio-profile parameter instead of entire
profile.
Version 3.0 Parameters that no longer apply to radio profiles in MSS Version 3.0
removed: beaconed-ssid, clear-ssid, crypto-ssid, shared-key-auth.
service-profile parameter added.
Version 4.1 countermeasures parameter added.
Version 4.2 Parameters that no longer apply to radio profiles in MSS Version 4.2
removed: long-retry, short-retry.
The following commands disable the radios using radio profile rptest and remove the profile:
MX# set radio-profile rptest mode disable
MX# clear radio-profile rptest
success: change accepted.
See Also
set ap radio radio-profile on page 12-254
set radio-profile mode on page 12-272
show ap config radio on page 12-328
show radio-profile on page 12-354
clear service-profile
Removes a service profile or resets one of the profile parameters to the default value.
Syntax
clear service-profile name
[soda {agent-directory | failure-page | remediation-acl | success-page |
logout-page}]
Defaults
None.
Access
Enabled.
History
Usage
If the service profile is mapped to a radio profile, you must remove it from the radio profile
first. (After disabling all radios that use the radio profile, use the clear radio-profile name
service-profile name command.)
Examples
The following commands disable the radios using radio profile rp6, remove
service-profile svcprof6 from rp6, then clear svcprof6 from the configuration.
MX# set radio-profile rp6 mode disable
MX# clear radio-profile rp6 service-profile svcprof6
name Service profile name.
soda agent-directory Resets the directory for Sygate On-Demand (SODA) agent files
to the default directory. By default, the directory name for
SODA agent files is the same as the service profile name.
soda failure-page Resets the page loaded when a client fails the SODA agent
checks. By default, the page is generated dynamically.
soda remediation-acl Disables use of the specified remediation ACL for the service
profile. When no remediation ACL is specified, a client is
disconnected from the network when it fails SODA agent
checks.
soda success-page Resets the page loaded when a client passes the checks
performed by the SODA agent. By default, the page is
generated dynamically.
soda logout-page Resets the page loaded when a client logs out of the network.
By default, the client is disconnected from the network without
loading a page.
History (clear service-profile)
Version 3.0 Command introduced.
Version 4.2 Options added to clear SODA parameters.
success: change accepted.
MX# clear service-profile svcprof6
success: change accepted.
See Also
clear radio-profile on page 12-228
set radio-profile mode on page 12-272
show service-profile on page 12-357
reset ap
Restarts an MP access point.
Syntax
reset ap apnum
Defaults
None.
Access
Enabled.
History
Usage
When you enter this command, the MP drops all sessions and reboots.
Examples
The following command resets MP 7:
MX# reset ap 7
This will reset specified AP devices. Would you like to continue? (y/n)y
success: rebooting ap attached to port 7
set ap auto
Creates a profile for automatic configuration of MPs.
Syntax
set ap auto
Defaults
None.
Access
Enabled.
Parameters (reset ap)
ap apnum Index value that identifies the MP on the MX. You can
specify a value between 1 and 9999.
History (reset ap)
Version 1.0 Command introduced.
Version 2.0 Option dap added for Distributed MPs.
Version 6.0 Option dap removed.
Version 6.2 Added index value range of 1 to 9999.
Warning! Restarting an MP can cause data loss for users who are currently associated
with the MP.
History
Usage
Table 12-2 lists the configurable profile parameters and the default values. The only
parameter that requires configuration is the profile mode. The profile is disabled by default. To use
the profile to configure Distributed MPs, you must enable the profile using the set ap auto mode
enable command.
The profile uses the default radio profile by default. You can change the profile using the set ap
auto radio radio-profile command. You can use set ap auto commands to change settings for
the parameters listed in Table 12-2. (The commands are listed in the “See Also” section.)
History (set ap auto)
Version 4.0 Command introduced.
Version 4.2 Option persistent added.
Version 5.0 Option force-image-download added. Option radio num auto-tune
min-client-rate removed. Option radio num tx-pwr removed.
Version 6.0 Option dap removed.
Version 7.1 Options power-mode, time-out, and tunnel-affinity added.

Table 12-2. Configurable Profile Parameters for Distributed MPs

MP Parameters
  bias: high
  blink (not shown in show ap config output): disable
  force-image-download: disable (NO)
  group (load balancing group): none
  led-mode: disabled
  local-switching: disabled
  mode: disabled
  persistent: none
  power-mode: auto
  time-out: 25 seconds
  tunnel-affinity: 4
  upgrade-firmware (boot-download-enable): enable (YES)

Radio Parameters
  radio num auto-tune max-power: default
  radio num mode: enabled
  radio num radio-profile: default
  radiotype: 11g (or 11b for country codes where 802.11g is not allowed)
Examples
The following command creates a profile for automatic Distributed MP configuration:
MX# set ap auto
success: change accepted.
See Also
set ap auto mode on page 12-232
set ap auto persistent on page 12-233
set ap auto radiotype on page 12-233
set ap bias on page 12-234
set ap blink on page 12-236
set ap group on page 12-243
set ap radio auto-tune max-power on page 12-248
set ap radio mode on page 12-253
set ap radio radio-profile on page 12-254
set ap upgrade-firmware on page 12-257
set ap auto mode
Enables an MX profile for automatic Distributed MP configuration.
Syntax
set ap auto mode {enable | disable}
Defaults
The MP configuration profile is disabled by default.
Access
Enabled.
History
Usage
You must use the set ap auto command to create the profile before you can enable it.
Examples
The following command enables the profile for automatic Distributed MP configuration:
MX# set ap auto mode enable
success: change accepted.
See Also
set ap auto on page 12-230
set ap auto persistent on page 12-233
set ap auto radiotype on page 12-233
set ap bias on page 12-234
set ap blink on page 12-236
set ap group on page 12-243
set ap radio auto-tune max-power on page 12-248
set ap radio mode on page 12-253
set ap radio radio-profile on page 12-254
set ap upgrade-firmware on page 12-257
Parameters (set ap auto mode)
enable Enables the MP configuration profile.
disable Disables the MP configuration profile.
History (set ap auto mode)
Version 4.0 Command introduced.
Version 6.0 Option dap removed.
set ap auto persistent
Converts a temporary MP configuration created by the MP configuration profile into a persistent
MP configuration on the MX.
Syntax
set ap auto persistent [apnum | all]
Defaults
None.
Access
Enabled.
History
Usage
To display the Distributed MP numbers assigned to Auto-MPs, use the show ap status
all command.
Examples
The following command converts the configuration of Auto-AP 10 into a permanent
configuration:
MX# set ap auto persistent 10
success: change accepted.
See Also
set ap auto on page 12-230
set ap auto mode on page 12-232
set ap auto radiotype on page 12-233
set ap auto radiotype
Sets the radio type for single-MP radios that use the MP configuration profile.
Syntax
set ap auto [radiotype {11a | 11b | 11g}]
Defaults
The default radio type for models AP2750, MP-241, and MP-341, and for the 802.11b/g
radios in other models is 802.11g in regulatory domains that support 802.11g, or 802.11b in
regulatory domains that do not support 802.11g.
Parameters (set ap auto persistent)
apnum Index value that identifies the MP on the MX. You can specify a value from 1
to 9999.
all Converts the configurations of all Auto-APs being managed by the MX into
permanent configurations.
History (set ap auto persistent)
Version 4.0 Introduced command.
Version 6.0 Option dap removed.
Version 6.2 Added the index value range of 1 to 9999.
Parameters (set ap auto radiotype)
radiotype 11a | 11b | 11g Radio type: 11a is 802.11a, 11b is 802.11b, 11g is 802.11g.
Access
Enabled.
History
Usage
If you set the radiotype to 11a and the MP configuration profile is used to configure a
two-radio MP model, radio 1 is configured as an 802.11b/g radio and radio 2 is configured as the
802.11a radio. Because this is the reverse of the standard configuration (where radio 1 is the
802.11a radio and radio 2 is the 802.11b/g radio), the radio 1 settings configured in the MP
configuration profile are applied to radio 2. Likewise, the radio 2 settings configured in the profile
are applied to radio 1. This behavior ensures that settings for radio 1 are always applied to the
802.11a radio, regardless of the radio number.
Examples
The following command sets the radio type to 802.11b:
MX# set ap auto radiotype 11b
success: change accepted.
See Also
set ap auto on page 12-230
set ap auto mode on page 12-232
set ap auto persistent on page 12-233
set ap bias
Changes the bias for an MP. Bias is the priority of one MX over other MX switches for booting and
configuring the MP.
Syntax
set ap {apnum | auto} bias {high | low}
Defaults
The default bias is high.
Access
Enabled.
History
Usage
High bias is preferred over low bias. Bias applies only to MX switches indirectly attached
to the MP through an intermediate Layer 2 or Layer 3 network. An MP always attempts to boot on
MP port 1 first, and if an MX is directly attached on MP port 1, the MP always boots from it.
If MP port 1 is indirectly connected to MX switches through the network, the MP boots from the
MX with the high bias for the MP. If the bias for all connections is the same, the MP selects the
History (set ap auto radiotype)
Version 4.0 Command introduced.
Version 5.0 Option 11a supported.
Version 6.0 Option dap removed.
Parameters (set ap bias)
auto Configures bias for the MP configuration profile. (See set
ap auto on page 12-230.)
high High bias.
low Low bias.
History (set ap bias)
Version 1.0 Command introduced.
Version 2.0 Option dap added for Distributed MPs.
Version 4.0 Option auto added for configuration of the MP
configuration profile.
Version 6.0 Option dap removed.
MX that has the greatest capacity to add more active MPs. For example, if an MP is dual homed to
two MX-400 switches, and one of the switches has 50 active MPs while the other MX has 60 active
MPs, the new MP selects the MX that has only 50 active MPs.
If the boot request on MP port 1 fails, the MP attempts to boot over its port 2, using the same
process described above.
Examples
The following command changes the bias for a Distributed MP to low:
MX# set ap 1 bias low
success: change accepted.
See Also
show ap config radio on page 12-328
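The boot-device selection described in the Usage text above, written out as an added example (not MSS code): the BootCandidate fields and the MX-400 capacity figure are assumptions, because the reference states only the ordering rules (directly attached MX first, then high bias over low, then the MX with the most room for additional MPs).

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class BootCandidate:
    """One MX reachable from one MP port, as seen by the booting MP.

    The field names and the max_mps figure are assumptions of this example.
    """
    name: str
    directly_attached: bool  # MX on the same link as this MP port
    bias: str                # "high" or "low", as set with 'set ap <apnum> bias'
    active_mps: int          # MPs currently booted from this MX
    max_mps: int             # MPs this MX model can manage (constructed figure)

    def headroom(self) -> int:
        # "greatest capacity to add more active MPs"
        return self.max_mps - self.active_mps


def select_boot_mx(candidates: List[BootCandidate]) -> Optional[BootCandidate]:
    """Apply the 'set ap bias' rules to the MX switches seen on one MP port.

    1. A directly attached MX always wins.
    2. Otherwise, among indirectly attached MX switches, high bias beats low.
    3. Ties on bias go to the MX with the most room for additional MPs.
    Returns None when no MX answers on this port (the boot request fails).
    """
    if not candidates:
        return None
    direct = [c for c in candidates if c.directly_attached]
    if direct:
        return direct[0]
    high = [c for c in candidates if c.bias == "high"]
    pool = high if high else candidates
    return max(pool, key=lambda c: c.headroom())


def boot_sequence(port1: List[BootCandidate],
                  port2: List[BootCandidate]) -> Optional[Tuple[int, str]]:
    """Try MP port 1 first; fall back to port 2 using the same selection process."""
    for port, candidates in ((1, port1), (2, port2)):
        chosen = select_boot_mx(candidates)
        if chosen is not None:
            return (port, chosen.name)
    return None


# Constructed scenario taken from the Usage text: an MP dual homed through
# the network to two MX-400 switches with the same bias, one carrying
# 50 active MPs and the other 60.
MX400_MAX_MPS = 100  # constructed figure, not a Trapeze specification
PORT1_CANDIDATES = [
    BootCandidate("mx-a", False, "high", 50, MX400_MAX_MPS),
    BootCandidate("mx-b", False, "high", 60, MX400_MAX_MPS),
]
PORT2_CANDIDATES = [BootCandidate("mx-c", False, "low", 10, MX400_MAX_MPS)]

if __name__ == "__main__":
    print(boot_sequence(PORT1_CANDIDATES, PORT2_CANDIDATES))  # (1, 'mx-a')
```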
set ap blink
Enables or disables LED blink mode on an MP to make it easy to identify. When blink mode is
enabled on MP-xxx models, the health and radio LEDs alternately blink green and amber. When
blink mode is enabled on an AP2750, the 11a LED blinks on and off. By default, blink mode is
disabled.
Syntax
set ap apnum blink {enable | disable}
Defaults
LED blink mode is disabled by default.
Access
Enabled.
History
Usage
Changing the LED blink mode does not alter operation of the MP access point. Only the
behavior of the LEDs is affected.
Examples
The following command enables LED blink mode on the MP access points connected to
ports 3 and 4:
MX# set ap 3-4 blink enable
success: change accepted.
set ap boot-configuration ip
Specifies static IP address information for a Distributed MP.
Syntax
set ap apnum boot-configuration ip ip-addr netmask mask-addr gateway
gateway-addr [mode {enable | disable}]
Parameters (set ap blink)
ap apnum Index value that identifies the MP on the MX. You can
specify a value from 1 to 9999.
enable Enables blink mode.
disable Disables blink mode.
History (set ap blink)
Version 1.0 Command introduced.
Version 2.0 Option dap added for Distributed MPs.
Version 4.0 Option auto added for configuration of the MP
configuration profile.
Version 6.0 Option dap removed.
Version 6.2 Added the index value range of 1 to 9999.
Version 7.1 Option auto removed.
Parameters (set ap boot-configuration ip)
ap apnum Index value that identifies the MP on the MX.
You can specify a value from 1 to 9999.
ip ip-addr The IP address to be assigned to the MP, in
dotted decimal notation (for example,
10.10.10.10).
netmask mask-addr The subnet mask, in dotted decimal notation
(for example, 255.255.255.0).
Defaults
By default, MPs use DHCP to obtain an IP address rather than using a manually
assigned IP address.
Access
Enabled.
History
Usage
Normally, Distributed MPs use DHCP to obtain IP address information. In some
installations, DHCP may not be available. In this case, you can assign static IP address
information to the MP, including the MP IP address, netmask, and default gateway.
If the manually assigned IP information is incorrect, the MP uses DHCP to obtain an IP address.
Examples
The following command configures MP 1 to use IP address 172.16.0.42 with a 24-bit
netmask, and use 172.16.0.20 as its default gateway:
MX# set ap 1 boot-configuration ip 172.16.0.42 netmask 255.255.255.0 gateway 172.16.0.20
success: change accepted.
See Also
clear ap boot-configuration on page 12-226
set ap boot-configuration switch on page 12-240
set ap boot-configuration vlan on page 12-241
show ap boot-configuration on page 12-348
set ap boot-configuration mesh mode
Enables WLAN mesh services on the MP.
Syntax
set ap apnum boot-configuration mesh mode {enable | disable}
Defaults
Disabled.
Access
Enabled.
History
Introduced in MSS .
Usage
Use this command to enable WLAN mesh services for a Mesh AP. Prior to deploying the
Mesh AP in its final untethered location, you must connect the MP to an MX and enter this
command to configure the MP for mesh services.
gateway gateway-addr The IP address of the next-hop router, in dotted
decimal notation.
mode {enable | disable} Enables or disables the static IP address for the
MP.
History (set ap boot-configuration ip)
Version 4.2 Command introduced.
Version 6.0 Option dap removed.
Version 6.2 Added the index value range of 1 to 9999.
Parameters (set ap boot-configuration mesh mode)
ap apnum Index value that identifies the MP on the MX. This can be a value
from 1 to 9999.
mode {enable | disable} Enables or disables WLAN mesh services for the MP.
History (set ap boot-configuration mesh mode)
Version 6.0 Command introduced.
Version 6.2 Added index value range from 1 to 9999.
Examples
The following command enables WLAN mesh services for MP 7:
MX# set ap 7 boot-configuration mesh mode enable
success: change accepted.
See Also
set ap boot-configuration mesh ssid on page 12-239
set service-profile mesh on page 12-299
show ap mesh-links on page 12-339
set ap boot-configuration mesh psk-phrase
Specifies a preshared key (PSK) phrase that a Mesh AP uses for authentication to its Mesh Portal
AP.
Syntax
set ap apnum boot-configuration mesh psk-phrase passphrase
Defaults
None.
Access
Enabled.
History
Usage
Use this command to configure the preshared key that a Mesh AP uses to authenticate to
a Mesh Portal AP. You must connect the MP to an MX and enter this command to configure the
MP for mesh services prior to deploying the Mesh AP in its final untethered location.
MSS converts the passphrase into a 256-bit binary number for system use and a raw hexadecimal
key to store in the MX configuration. Neither the binary number nor the passphrase is ever
displayed in the configuration. To use PSK authentication, you must enable it and you also must
enable WPA IE or WPA2 IE.
Examples
The following command configures MP 7 to use passphrase “1234567890123<>?=+&%
The quick brown fox jumps over the lazy dog” when authenticating with a Mesh Portal AP:
MX# set ap 7 boot-configuration mesh psk-phrase "1234567890123<>?=+&% The quick brown fox
jumps over the lazy dog"
success: change accepted.
See Also
set ap boot-configuration mesh ssid on page 12-239
set service-profile mesh on page 12-299
show ap mesh-links on page 12-339
set ap boot-configuration mesh psk-raw
Configures a raw hexadecimal preshared key (PSK) to use for authenticating a Mesh AP to a
Mesh Portal AP. Radios use the PSK as a pairwise master key (PMK) to derive unique pairwise
session keys for individual WPA clients.
Parameters (set ap boot-configuration mesh psk-phrase)
ap apnum Index value that identifies the MP on the MX. You can specify a value from 1 to
9999.
passphrase An ASCII string from 8 to 63 characters long. The string can contain blanks if
you use quotation marks at the beginning and end of the string.
History (set ap boot-configuration mesh psk-phrase)
Version 6.0 Command introduced.
Version 6.2 Added the index value range of 1 to 9999.
Syntax
set ap apnum boot-configuration mesh psk-raw hex
Defaults
None.
Access
Enabled.
History
Usage
Use this command to configure the preshared key that a Mesh AP uses to authenticate to a
Mesh Portal AP. You must connect the MP to an MX and enter this command to configure the MP
for mesh services prior to deploying the Mesh AP to a final untethered location.
MSS converts the hexadecimal number into a 256-bit binary number for system use. MSS also
stores the hexadecimal key in the MX configuration. The binary number is never displayed in the
configuration. To use PSK authentication, you must enable it and you also must enable WPA IE or
WPA2 IE.
Examples
The following command configures MP 7 to use a raw PSK to authenticate with a Mesh
Portal AP:
MX# set ap 7 boot-configuration mesh psk-raw
c25d3fe4483e867d1df96eaacdf8b02451fa0836162e758100f5f6b87965e59d
success: change accepted.
See Also
set ap boot-configuration mesh ssid on page 12-239
set service-profile mesh on page 12-299
show ap mesh-links on page 12-339
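Both psk-phrase and psk-raw above describe the same 256-bit key, one derived from a passphrase and one entered as hexadecimal. The added example below (not MSS code) checks the 8-to-63-character ASCII and 64-hex-digit constraints stated on this page and derives the key with the standard IEEE 802.11i PBKDF2-HMAC-SHA1 method; that MSS uses this derivation, salted with the mesh SSID, is an assumption of the example.

```python
import hashlib
import re
from typing import List

# Constraints stated in the command reference: a passphrase is an ASCII
# string of 8 to 63 characters; a raw key is a 256-bit number entered as
# hexadecimal (64 hex digits, as in the psk-raw example).
MIN_PASSPHRASE_LEN = 8
MAX_PASSPHRASE_LEN = 63
RAW_PSK_HEX_LEN = 64
PBKDF2_ITERATIONS = 4096  # IEEE 802.11i PSK derivation (assumed for MSS)


def check_passphrase(passphrase: str) -> List[str]:
    """Return the list of constraint violations; an empty list means usable."""
    problems = []
    if len(passphrase) < MIN_PASSPHRASE_LEN:
        problems.append("shorter than 8 characters")
    if len(passphrase) > MAX_PASSPHRASE_LEN:
        problems.append("longer than 63 characters")
    if not all(0x20 <= ord(ch) <= 0x7E for ch in passphrase):
        problems.append("contains non-ASCII or control characters")
    return problems


def derive_psk_hex(passphrase: str, ssid: str) -> str:
    """Derive the 256-bit PSK and return it as 64 lowercase hex digits.

    Assumption: MSS uses the standard 802.11i derivation,
    PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes), so the
    result is what psk-raw would hold for the same phrase and mesh SSID.
    """
    problems = check_passphrase(passphrase)
    if problems:
        raise ValueError("invalid passphrase: " + "; ".join(problems))
    key = hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                              ssid.encode("utf-8"), PBKDF2_ITERATIONS, 32)
    return key.hex()


def check_raw_psk(hex_key: str) -> List[str]:
    """Validate a psk-raw value: exactly 64 hexadecimal digits."""
    problems = []
    if len(hex_key) != RAW_PSK_HEX_LEN:
        problems.append(f"expected {RAW_PSK_HEX_LEN} hex digits, got {len(hex_key)}")
    if not re.fullmatch(r"[0-9a-fA-F]*", hex_key):
        problems.append("contains non-hexadecimal characters")
    return problems


# Sample inputs: the raw key from the psk-raw example on this page, and the
# published 802.11i test vector (passphrase "password", SSID "IEEE").
PAGE_RAW_PSK = "c25d3fe4483e867d1df96eaacdf8b02451fa0836162e758100f5f6b87965e59d"

if __name__ == "__main__":
    print(check_raw_psk(PAGE_RAW_PSK))         # []
    print(derive_psk_hex("password", "IEEE"))  # f42c6fc52df0ebef...9710a12e
```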
set ap boot-configuration mesh ssid
Specifies the name of the SSID a Mesh AP attempts to associate with when the AP is booted.
Syntax
set ap apnum boot-configuration mesh ssid mesh-ssid
Defaults
None.
Access
Enabled.
History
Parameters (set ap boot-configuration mesh psk-raw)
apnum Index value that identifies the MP on the MX. You can specify a value from 1
to 9999.
hex A 64-bit ASCII string representing a 32-digit hexadecimal number. Enter
the two-character ASCII form of each hexadecimal number.
History (set ap boot-configuration mesh psk-raw)
Version 6.0 Command introduced.
Version 6.2 Added the index value range of 1 to 9999.
Parameters (set ap boot-configuration mesh ssid)
ap apnum Index value that identifies the MP on the MX. You can specify a value from
1 to 9999.
mesh-ssid Name of the mesh SSID (up to 32 characters).
History (set ap boot-configuration mesh ssid)
Version 6.0 Command introduced.
Version 6.2 Added the index value range of 1 to 9999.
Usage
You must connect the MP to an MX and enter this command to specify the mesh SSID
prior to deploying the Mesh AP in its final untethered location. When the MP is booted in an
untethered location, and determines that it has no Ethernet link to the network, it then associates
with the specified mesh-ssid.
Note that when the mesh-ssid is specified, the regulatory domain of the MX and the power
restrictions are copied to the MP flash memory. This prevents the Mesh AP from operating
outside of regulatory limits after the AP is booted and before the AP receives a complete
configuration from the MX. Consequently, it is important that the regulatory and antenna
information specified on the MX actually reflects the locale where the Mesh AP is to be deployed,
in order to avoid regulatory violations.
Examples
The following command configures MP 7 to attempt to associate with the SSID
wlan-mesh when booted in an untethered location:
MX# set ap 7 boot-configuration mesh ssid wlan-mesh
success: change accepted.
See Also
set ap boot-configuration mesh mode on page 12-237
set service-profile mesh on page 12-299
show ap mesh-links on page 12-339
set ap boot-configuration switch
Specifies the MX that a Distributed MP contacts and attempts to use as the boot device.
Syntax
set ap apnum boot-configuration switch [switch-ip ip-addr] [name name dns
ip-addr] [mode {enable | disable}]
Defaults
By default MPs use the process described in “Default MP Boot Process”, in the Trapeze
Mobility System Software Configuration Guide to boot from an MX, instead of using a manually
specified MX.
Access
Enabled.
History
Usage
When you specify a boot MX for a Distributed MP to boot from, it boots using the process
described in “MP Boot Process Using Static IP Configuration”, in the Trapeze Mobility System
Software Configuration Guide.
ap apnum Index value that identifies the MP on the MX. You can
specify a value from 1 to 9999.
switch-ip ip-addr The IP address of the MX to boot the Distributed MP.
name name The fully qualified domain name of the MX that the
Distributed MP boots from. When both a name and a
switch-ip are specified, the MP uses the name.
dns ip-addr The IP address of the DNS server used to resolve the
specified name of the MX.
mode {enable | disable} Enables or disables the MP using the specified boot device.
History (set ap boot-configuration switch)
Version 4.2 Command introduced.
Version 6.0 Option dap removed.
Version 6.2 Added the index value range of 1 to 9999.
When a static IP address is specified for a Distributed MP, there is no preconfigured DNS
information or DNS name for the MX that the Distributed MP attempts to use as the boot device.
If you configure a static IP address for a Distributed MP, but do not specify a boot device, then the
MX must be reachable via subnet broadcast.
Examples
The following command configures Distributed MP 1 to use an MX with address
172.16.0.21 as its boot device.
MX# set ap 1 boot-configuration switch switch-ip 172.16.0.21 mode enable
success: change accepted.
The following command configures Distributed MP 1 to use the MX with the name mxr2 as its boot
device. The DNS server at 172.16.0.1 is used to resolve the name of the MX.
MX# set ap 1 boot-configuration switch name mxr2 dns 172.16.0.1 mode enable
success: change accepted.
See Also
clear ap boot-configuration on page 12-226
set ap boot-configuration ip on page 12-236
set ap boot-configuration vlan on page 12-241
show ap boot-configuration on page 12-348
set ap boot-configuration vlan
Specifies 802.1Q VLAN tagging information for a Distributed MP.
Syntax
set ap apnum boot-configuration vlan vlan-tag tag-value [mode {enable |
disable}]
Syntax
set ap apnum boot-configuration vlan mode {enable | disable}
Defaults
None.
Access
Enabled.
History
Usage
When this command is configured, all Ethernet frames emitted from the Distributed MP
are formatted with an 802.1Q tag with a specified VLAN number. Frames not tagged for this value
and sent to the Distributed MP are ignored.
Examples
The following command configures Distributed MP 1 to use VLAN tag 100:
MX# set ap 1 boot-configuration vlan vlan-tag 100 mode enable
success: change accepted.
ap apnum Index value that identifies the MP on the MX. You can specify a
value from 1 to 9999.
vlan-tag tag-value The VLAN tag value. You can specify a number from 1 to 4093.
mode {enable | disable} Enables or disables use of the specified VLAN tag on the
Distributed MP.
History (set ap boot-configuration vlan)
Version 4.2 Command introduced.
Version 6.0 Option dap removed.
Version 6.2 Added the index value range of 1 to 9999.
See Also
clear ap boot-configuration on page 12-226
set ap boot-configuration ip on page 12-236
show ap boot-configuration on page 12-348
set ap fingerprint
Verifies an MP fingerprint on an MX. If MP-MX security is required by an MX, an MP can
establish a management session with the MX only if you have verified the MP identity by
verifying the fingerprint on the MX.
Syntax
set ap apnum fingerprint fingerprint
Defaults
None.
Access
Enabled.
History
Usage
MPs are configured with an encryption key pair at the factory. The fingerprint for the
public key is displayed on a label on the back of the MP, in the following format:
RSA
aaaa:aaaa:aaaa:aaaa:
aaaa:aaaa:aaaa:aaaa
If an MP is already installed and operating, you can use the show ap status command to display
the fingerprint. The show ap config command lists the MP fingerprint only if the fingerprint has
been verified in MSS. If the fingerprint has not been verified, the fingerprint information in the
command output is blank.
Examples
The following example verifies the fingerprint for Distributed MP 8:
MX# set ap 8 fingerprint b4:f9:2a:52:37:58:f4:d0:10:75:43:2f:45:c9:52:c3
success: change accepted.
See Also
set ap security on page 12-255
show ap config radio on page 12-328
show ap status on page 12-340
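The page shows the fingerprint in two layouts: the label form (RSA, eight groups of four hex digits) and the colon-per-octet form that set ap fingerprint takes. As an added example (not MSS code), the helper below converts either form to the CLI form and compares a label value against what show ap status reports; the label text is constructed from the page's CLI example.

```python
import hmac
import re
from typing import Optional

FINGERPRINT_HEX_DIGITS = 32  # 16 octets, as shown in the page's examples


def normalize_fingerprint(text: str) -> Optional[str]:
    """Convert either fingerprint layout on this page to the CLI form.

    Accepts the label form (an "RSA" prefix, groups of four hex digits,
    possibly split across two lines) and the CLI form (16 groups of two hex
    digits). Returns lowercase 'xx:xx:...' with 16 octets, or None when the
    input does not contain exactly 16 bytes of hexadecimal.
    """
    body = re.sub(r"^\s*RSA\b", "", text.strip(), flags=re.IGNORECASE)
    hexdigits = re.sub(r"[\s:]", "", body)
    if not re.fullmatch(r"[0-9a-fA-F]{%d}" % FINGERPRINT_HEX_DIGITS, hexdigits):
        return None
    hexdigits = hexdigits.lower()
    return ":".join(hexdigits[i:i + 2] for i in range(0, FINGERPRINT_HEX_DIGITS, 2))


def fingerprints_match(label_value: str, reported_value: str) -> bool:
    """Check the label fingerprint against the one 'show ap status' reports.

    Both inputs are normalized first, so differences in grouping, case or
    line breaks do not matter; the comparison itself is constant-time.
    """
    expected = normalize_fingerprint(label_value)
    observed = normalize_fingerprint(reported_value)
    if expected is None or observed is None:
        return False
    return hmac.compare_digest(expected.encode(), observed.encode())


# Sample values: the fingerprint from this page's 'set ap 8 fingerprint'
# example in CLI form, and the same value rewritten (constructed) in the
# two-line label layout.
CLI_FORM = "b4:f9:2a:52:37:58:f4:d0:10:75:43:2f:45:c9:52:c3"
LABEL_FORM = "RSA\nb4f9:2a52:3758:f4d0:\n1075:432f:45c9:52c3"

if __name__ == "__main__":
    print(normalize_fingerprint(LABEL_FORM))          # same string as CLI_FORM
    print(fingerprints_match(LABEL_FORM, CLI_FORM))   # True
```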
set ap force-image-download
Configures an MP to download a software image from the MX instead of loading the locally stored
image on the MP.
Parameters (set ap fingerprint)
ap apnum Index value that identifies the MP on the MX. You can
specify a value from 1 to 9999.
fingerprint The 16-digit hexadecimal number of the fingerprint. Use
a colon between each digit. Make sure the fingerprint you
enter matches the fingerprint used by the MP.
History (set ap fingerprint)
Version 4.0 Introduced command.
Version 6.0 Option dap removed.
Version 6.2 Added the index value range of 1 to 9999.
Syntax
set ap {apnum | auto} force-image-download {enable | disable}
Defaults
Forced image download is disabled by default.
Access
Enabled.
History
Usage
A change to the forced image download option takes place the next time the MP is
restarted.
Even when forced image download is disabled (the default), the MP still checks with the MX to
verify that the MP has the latest image, and to verify that the MX is running MSS Version 5.0 or
later.
The MP loads a local image only if the MX is running MSS Version 5.0 or later and does not have a
different MP image than the one in the MP local storage. If the MX is not running MSS Version 5.0
or later, or the MX has a different version of the MP image than the version in the MP local
storage, the MP loads the image from the MX.
The forced image download option is not applicable to MP models MP-52, MP-101, and MP-122.
Examples
The following command enables forced image download on Distributed MP 69:
MX# set ap 69 force-image-download enable
success: change accepted.
See Also
show ap config radio on page 12-328
set ap group
Deprecated in MSS Version 6.0. To configure RF load balancing, see set load-balancing mode on
page 12-258.
set ap image
Loads an AirDefense sensor software image on an MP.
Syntax
set ap apnum image filename
Defaults
None.
Parameters (set ap force-image-download)
ap auto Configures forced image download for the MP
configuration profile. (See set ap auto on page 12-230.)
force-image-download enable Enables forced image download.
force-image-download disable Disables forced image download.
History (set ap force-image-download)
Version 5.0 Command introduced.
Version 6.0 Option dap removed.
Parameters (set ap image)
ap apnum Index value that identifies the MP on the MX. You can specify a value from 1
to 9999.
filename Name of the AirDefense sensor software image file. This file is assumed to
have been copied to the MX.
Access
Enabled.
History
Usage
After the AirDefense sensor software is copied to the MX, use this command to configure
an MP to load the software. When you do this, the software is transferred to the MP, which then
reboots and comes up as an AirDefense sensor.
Examples
The following command causes Distributed MP 1 to load the adconvert.bin file, then
reboot as an AirDefense sensor:
MX# set ap 1 image adconvert.bin
This will change the file a AP will boot. Would you like to continue? (y/n) [n] y
See Also
clear ap image on page 12-223
set ap led-mode
Allows you to set the LED behavior on an AP or APs. The setting is active after the AP receives a
configuration from the MX. The blink command has precedence over this command.
Syntax
set ap {apnum | apnum-range | auto} led-mode {auto | static | off}
Defaults
Auto
Access
Enabled
History
Added in MSS 7.1
Usage
Used in configurations where the LED activity is undesired.
set ap local-switching mode
Enables local switching for a specified MP.
Syntax
set ap apnum local-switching mode {enable | disable}
History (set ap image)
Version 5.0 Command introduced.
Version 6.0 Option dap removed.
Version 6.2 Added the index value range of 1 to 9999.
Parameters (set ap led-mode)
auto LEDs are in standard behavior mode.
static LEDs do not flash when traffic is on the network. All
other LED behavior is standard.
off All LEDs are off once the AP is active.
Note: The following MPs do not support this command: MP-71, MP-620, MP-622.
Parameters (set ap local-switching mode)
apnum Index value that identifies the MP on the MX. You can
specify a value from 1 to 9999.
    enable     Enables local switching for the MP.
    disable    Disables local switching for the MP.
Defaults
Local switching is disabled by default.
Access
Enabled.
History
    Version 6.0    Command introduced.
    Version 6.2    Added the index value range of 1 to 9999.
Usage
Local switching allows traffic for specified VLANs to be switched by the MP, instead of tunneling traffic back to an MX. The VLANs that perform local switching are specified in a VLAN profile.
Local switching can be enabled on MPs connected to the MX through an intermediate Layer 2 or Layer 3 network. Local switching is not supported for MPs that are directly connected to an MX.
If local switching is enabled on an MP, but no VLAN profile is configured, then a default VLAN profile is used. The default VLAN profile includes a single VLAN named default that is not tagged.
Examples
The following command enables local switching for MP 7:
MX# set ap 7 local-switching mode enable
success: change accepted.
See Also
set ap local-switching vlan-profile on page 12-245
set vlan-profile on page 6-75
set ap local-switching vlan-profile
Applies a specified VLAN profile to an MP to use with local switching.
Syntax
set ap apnum local-switching vlan-profile profile-name
    apnum           Index value that identifies the MP on the MX. You can specify a value from 1 to 9999.
    profile-name    The name of a VLAN profile configured on the MX.
Defaults
If local switching is enabled on an MP, but no VLAN profile is configured, then a default VLAN profile is used. The default VLAN profile includes a single VLAN named default that is not tagged.
Access
Enabled.
History
Introduced in MSS Version 6.0.
Usage
A VLAN profile consists of a list of VLANs and tags. When a VLAN profile is applied to an MP, traffic for the VLANs specified in the VLAN profile is locally switched by the MP instead of tunneling the traffic back to an MX.
When applying a VLAN profile causes traffic that was tunneled to an MX to be locally switched by MPs, or vice versa, the sessions of clients associated with the MPs with the applied VLAN profile are terminated, and the clients must re-associate with the MPs.
Examples
The following command specifies that MP 7 use VLAN profile locals:
MX# set ap 7 local-switching vlan-profile locals
success: change accepted.
See Also
set ap local-switching mode on page 12-244
clear ap local-switching vlan-profile on page 12-224
set vlan-profile on page 6-75
set ap name
Changes an MP name.
Syntax
set ap apnum name name
    ap apnum    Index value that identifies the MP on the MX. You can specify a value from 1 to 9999.
    name        Alphanumeric string of up to 16 characters, with no spaces.
Defaults
The default name of a directly attached MP is based on the port number of the MP access port attached to the MP. For example, the default name for an MP on MP access port 1 is MP01.
Access
Enabled.
History
    Version 1.0    Command introduced
    Version 2.0    Option dap added for Distributed MPs
    Version 4.1    Default Distributed MP name changed from DMPnum to DAPnum
    Version 6.0    Option dap removed.
    Version 6.2    Added index value range from 1 to 9999.
Examples
The following command changes the name of the MP on port 1 to techpubs:
MX# set ap 1 name techpubs
success: change accepted.
See Also
show ap config radio on page 12-328
set ap power-mode
Specifies a power mode for the AP.
Syntax
set ap apnum power-mode {auto | high}
    ap apnum    Index value that identifies the MP on the MX. You can specify a value from 1 to 9999.
    auto        Manages power automatically on the AP.
    high        Operates the AP at the maximum available power.
Defaults
None
Access
Enabled
History
Added in MSS Version 7.1
Usage
This command is used mainly for MPs with 802.11n capabilities.
Examples
To set an MP to use the maximum available power, use the following command:
MX# set ap 3 power-mode high
success: change accepted.
set ap radio antenna-location
Specifies the location (indoors or outdoors) of an external antenna. Use this command to ensure that the proper set of channels is available on the radio. In some cases, the set of valid channels for a radio differs depending on whether the antenna is located indoors or outdoors.
Syntax
set ap apnum radio number antenna-location {indoors | outdoors}
    ap apnum            Index value that identifies the MP on the MX. You can specify a value from 1 to 9999.
    radio number        Specify radio 1 or radio 2.
    antenna-location    Specify antenna location.
    indoors             Specifies that the external antenna is installed indoors (inside the building).
    outdoors            Specifies that the external antenna is installed outdoors.
Defaults
The default antenna location is indoors.
Access
Enabled.
History
Introduced in MSS 5.0.
Examples
The following command sets the antenna location for radio 1 on Distributed MP 22 to outdoors:
MX# set ap 22 radio 1 antenna-location outdoors
success: change accepted.
See Also
set ap radio antennatype on page 12-247
set ap radio antennatype
Sets the model number for an external antenna.
Syntax
set ap apnum radio {1 | 2} antennatype {ANT1060 | ANT1120 | ANT1180 | ANT5060 | ANT5120 | ANT5180 | ANT-1360-OUT | ANT-5360-OUT | ANT-5060-OUT | ANT-5120-OUT | internal}
    ap apnum    Index value that identifies the MP on the MX. You can specify a value from 1 to 9999.
    radio 1     Radio 1 of the MP.
    radio 2     Radio 2 of the MP. (This option does not apply to single-radio models.)
    antennatype {ANT1060 | ANT1120 | ANT1180 | internal}
                MP-3xx and MP-262 802.11b/g external antenna models:
                ANT1060—60° 802.11b/g antenna
                ANT1120—120° 802.11b/g antenna
                ANT1180—180° 802.11b/g antenna
                internal—Uses the internal antenna instead
    antennatype {ANT5060 | ANT5120 | ANT5180 | internal}
                MP-3xx 802.11a external antenna models:
                ANT5060—60° 802.11a antenna
                ANT5120—120° 802.11a antenna
                ANT5180—180° 802.11a antenna
                internal—Uses the internal antenna instead
    antennatype {ANT-1360-OUT | ANT-5360-OUT | ANT-5060-OUT | ANT-5120-OUT | internal}
                MP-620 external antenna models:
                ANT-1360-OUT—360° 802.11b/g antenna
                ANT-5360-OUT—360° 802.11a antenna
                ANT-5060-OUT—60° 802.11a antenna
                ANT-5120-OUT—120° 802.11a antenna
                internal—Uses the internal antenna instead
Defaults
All radios use the internal antenna by default, if the MP model has an internal antenna. The MP-620 802.11b/g radio uses model ANT-1360-OUT by default. The MP-620 802.11a radio uses model ANT-5360-OUT by default. The MP-262 802.11b/g radio uses model ANT1060 by default.
Access
Enabled.
History
    Version 2.1    Command introduced
    Version 3.2    Model numbers added for 802.11a external antennas. Default changed to internal (except for the MP-262).
    Version 4.1    Model numbers added for MP-620 external antennas.
    Version 6.2    Added index value range of 1 to 9999.
Usage
This command applies only to radios on MP models MP-3xx and MP-620 and to the 802.11b/g radio on model MP-262.
Examples
The following command configures the 802.11b/g radio on Distributed MP 1 to use antenna model ANT1060:
MX# set ap 1 radio 1 antennatype ANT1060
success: change accepted.
See Also
show ap config radio on page 12-328
set ap radio auto-tune max-power
Sets the maximum power that RF Auto-Tuning can set on a radio.
Syntax
set ap {apnum | auto} radio {1 | 2} auto-tune max-power power-level
    ap apnum    Index value that identifies the MP on the MX. You can specify a value from 1 to 9999.
    ap auto     Sets the maximum power for radios configured by the MP configuration profile. (See set ap auto on page 12-230.)
    radio 1     Radio 1 of the MP.
    radio 2        Radio 2 of the MP. (This option does not apply to single-radio models.)
    power-level    Maximum power setting RF Auto-Tuning can assign to the radio, expressed as the number of decibels in relation to 1 milliwatt (dBm). You can specify a value from 1 up to the maximum value allowed for the country of operation. The power-level can be a value from 1 to 20, or you can set it to default.
Defaults
The default maximum power setting that RF Auto-Tuning can set on a radio is the highest setting allowed for the country of operation or the highest setting supported on the hardware, whichever is lower.
Access
Enabled.
History
    Version 3.0    Command introduced
    Version 4.0    Option auto added for configuration of the MP configuration profile.
    Version 6.2    Added the index value range of 1 to 9999.
Examples
The following command sets the maximum power that RF Auto-Tuning can set on radio 1 on the MP access point on port 7 to 12 dBm:
MX# set ap 7 radio 1 auto-tune max-power 12
success: change accepted.
See Also
set radio-profile auto-tune power-config on page 12-264
set radio-profile auto-tune power-interval on page 12-264
set ap radio auto-tune max-retransmissions
Deprecated in MSS Version 5.0.
set ap radio auto-tune min-client-rate
Deprecated in MSS Version 5.0. To configure radio transmit rates, see set service-profile transmit-rates on page 12-312.
set ap radio channel
Sets an MP radio channel.
Syntax
set ap apnum radio {1 | 2} channel channel
    ap apnum           Index value that identifies the MP on the MX. You can specify a value from 1 to 9999.
    radio 1            Radio 1 of the MP.
    radio 2            Radio 2 of the MP. (This option does not apply to single-radio models.)
    channel channel    Channel number. The valid channel numbers depend on the country of operation.
Defaults
The default channel depends on the radio type:
The default channel number for 802.11b/g is 6.
The default channel number for 802.11a is the lowest valid channel number for the country of operation.
Access
Enabled.
History
    Version 1.0    Command introduced
    Version 2.0    Option dap added for Distributed MPs
    Version 6.0    Option dap removed.
    Version 6.2    Added the index value range of 1 to 9999.
    Version 7.3    Option channel-number changed to channel.
Usage
You can configure the transmit power of a radio on the same command line. Use the tx-power option.
This command is not valid if dynamic channel tuning (RF Auto-Tuning) is enabled.
Examples
The following command configures the channel on the 802.11a radio on the MP access point connected to port 5:
MX# set ap 5 radio 1 channel 36
success: change accepted.
The following command configures the channel and transmit power on the 802.11b/g radio on the MP access point connected to port 11:
MX# set ap 11 radio 1 channel 1 tx-power 10
success: change accepted.
See Also
set ap radio tx-power on page 12-254
show ap config radio on page 12-328
set ap radio link-calibration
Configures an MP radio to emit link calibration packets, which can aid in positioning a Mesh AP.
Syntax
set ap apnum radio {1 | 2} link-calibration mode {enable | disable}
    ap apnum    Index value that identifies the MP on the MX. You can specify a value from 1 to 9999.
    radio 1     Radio 1 of the MP.
    radio 2     Radio 2 of the MP. (This option does not apply to single-radio models.)
    enable      Enables link calibration packets for the MP radio.
    disable     Disables link calibration packets for the MP radio.
Defaults
Disabled.
Access
Enabled.
History
    Version 6.0    Command introduced.
    Version 6.2    Added index value range of 1 to 9999.
Usage
A Mesh Portal MP can be configured to emit link calibration packets to assist with positioning the Mesh AP. A link calibration packet is an unencrypted 802.11 management packet of type Action. When enabled on an MP, link calibration packets are sent at a rate of 5 per second.
The MP-620 is equipped with a connector to which an external RSSI meter can be attached during installation. When an RSSI meter is attached to an MP-620 and a calibration packet is received, the MP-620 emits a voltage to the RSSI meter proportional to the received signal strength of the packet. This can aid in positioning the MP-620 where it has a strong signal to the Mesh Portal AP.
Only one radio on an MP can be configured to send link calibration packets. Link calibration packets are intended to be used only during installation of MPs; they are not intended to be enabled on a continual basis.
Examples
The following command enables link calibration packets for MP radio 1 on MP 7:
MX# set ap 7 radio 1 link-calibration mode enable
See Also
set ap boot-configuration mesh ssid on page 12-239
set service-profile mesh on page 12-299
show ap mesh-links on page 12-339
set ap radio load-balancing
Disables or enables RF load balancing for an MP radio.
Syntax
set ap apnum radio {1 | 2} load-balancing {enable | disable}
    ap apnum    Index value that identifies the MP on the MX. You can specify a value from 1 to 9999.
    radio 1     Radio 1 of the MP.
    radio 2     Radio 2 of the MP. (This option does not apply to single-radio models.)
    enable      Enables RF load balancing for the MP radio.
    disable     Disables RF load balancing for the MP radio.
Defaults
RF load balancing is enabled by default for all MP radios.
Access
Enabled.
History
    Version 6.0    Command introduced.
    Version 6.2    Added index value range from 1 to 9999.
Usage
By default, RF load balancing is enabled on all MP radios. Use this command to disable or re-enable RF load balancing for the specified MP radio.
RF load balancing can also be disabled or re-enabled globally with the set load-balancing mode command. If RF load balancing has been enabled or disabled for a specific MP radio, then the setting for the individual radio takes precedence over the global setting, if the global setting is load-balancing mode enabled.
Examples
The following command disables RF load balancing for MP radio 1 on MP 7:
MX# set ap 7 radio 1 load-balancing disable
See Also
set load-balancing strictness on page 12-259
clear ap radio load-balancing group on page 12-227
set ap local-switching mode on page 12-244
show load-balancing group on page 12-353
set ap radio load-balancing group
Assigns an MP radio to a load balancing group.
Syntax
set ap apnum radio {1 | 2} load-balancing group name [rebalance]
    ap apnum      Index value that identifies the MP on the MX. You can specify a value from 1 to 9999.
    radio 1       Radio 1 of the MP.
    radio 2       Radio 2 of the MP. (This option does not apply to single-radio models.)
    group name    Name of an RF load balancing group to which the MP radio is assigned. A radio can belong to only one group.
    rebalance     Configures the MP radio to disassociate client sessions and rebalance them whenever a new MP radio is added to the load balancing group.
Defaults
By default, MP radios are not part of an RF load balancing group.
Access
Enabled.
History
    Version 6.0    Command introduced.
    Version 6.2    Added index value range from 1 to 9999.
Usage
Assigning radios to specific load balancing groups is optional. When you do this, MSS considers them to have exactly overlapping coverage areas, rather than using signal strength calculations to determine their overlapping coverage. MSS attempts to distribute client sessions evenly across the radios in the load balancing group. A radio can be assigned to only one group.
Examples
The following command assigns MP radio 1 on MP 7 to load balancing group room1:
MX# set ap 7 radio 1 load-balancing group room1
MX#
See Also
set load-balancing strictness on page 12-259
clear ap radio load-balancing group on page 12-227
set ap local-switching mode on page 12-244
show load-balancing group on page 12-353
set ap radio mode
Enables or disables a radio on an MP.
Syntax
set ap {apnum | auto} radio {1 | 2} mode {enable | sentry | disable}
    ap apnum        Index value that identifies the MP on the MX. You can specify a value from 1 to 9999.
    ap auto         Sets the radio mode for MPs managed by the MP configuration profile. (See set ap auto on page 12-230.)
    radio 1         Radio 1 of the MP.
    radio 2         Radio 2 of the MP. (This option does not apply to single-radio models.)
    mode enable     Enables a radio.
    mode sentry     Allows longer dwell times on scanning channels.
    mode disable    Disables a radio.
Defaults
MP access point radios are disabled by default.
Access
Enabled.
History
    Version 1.0    Command introduced
    Version 2.0    Option dap added for Distributed MPs
    Version 4.0    Option auto added for configuration of the MP configuration profile.
    Version 6.0    Option dap removed.
    Version 6.2    Added the index value range of 1 to 9999. Added sentry mode.
Usage
To enable or disable one or more radios assigned to a profile, use the set ap radio radio-profile command. To enable or disable all radios that use a specific radio profile, use the set radio-profile command.
Examples
The following command enables radio 1 on MP 1:
MX# set ap 1 radio 1 mode enable
success: change accepted.
The following command sets radio 2 in sentry mode on MP 1:
MX# set ap 1 radio 2 mode sentry
success: change accepted.
See Also
clear ap radio on page 12-225
set ap radio radio-profile on page 12-254
set radio-profile mode on page 12-272
show ap config radio on page 12-328
set ap radio radio-profile
Assigns a radio profile to an MP radio and enables or disables the radio.
Syntax
set ap {apnum | auto} radio {1 | 2} radio-profile name mode {enable | disable}
    ap apnum              Index value that identifies the MP on the MX. You can specify a value from 1 to 9999.
    radio 1               Radio 1 of the MP.
    radio 2               Radio 2 of the MP. (This option does not apply to single-radio models.)
    radio-profile name    Radio profile name of up to 16 alphanumeric characters, with no spaces.
    mode enable           Enables radios on the specified ports with the parameter settings in the specified radio profile.
    mode disable          Disables radios on the specified ports.
Defaults
None.
Access
Enabled.
History
    Version 1.0    Command introduced
    Version 2.0    Option dap added for Distributed MPs
    Version 4.0    Option auto added for configuration of the MP configuration profile.
    Version 6.0    Option dap removed.
    Version 6.2    Added index value range from 1 to 9999.
Usage
When you create a new profile, the radio parameters in the profile are set to the factory default settings.
To enable or disable all radios using a specific radio profile, use set radio-profile.
Examples
The following command enables radio 1 on MP 5 assigned to radio profile rp1:
MX# set ap 5 radio 1 radio-profile rp1 mode enable
success: change accepted.
See Also
clear ap radio on page 12-225
set ap radio mode on page 12-253
set radio-profile mode on page 12-272
show radio-profile on page 12-354
set ap radio tx-power
Sets the transmit power of an MP radio.
Syntax
set ap apnum radio {1 | 2} tx-power power-level
    ap apnum                Index value that identifies the MP on the MX. You can specify a value from 1 to 9999.
    radio 1                 Radio 1 of the MP.
    radio 2                 Radio 2 of the MP. (This option does not apply to single-radio models.)
    tx-power power-level    Number of decibels in relation to 1 milliwatt (dBm). The valid values depend on the country of operation.
                            Note: The maximum transmit power you can configure on any Trapeze Networks radio is the maximum allowed for the country in which you plan to operate the radio, or one of the following values if that value is less than the country maximum: on an 802.11a radio, 11 dBm for channel numbers less than or equal to 64, or 10 dBm for channel numbers greater than 64; on an 802.11b/g radio, 16 dBm for all valid channel numbers for 802.11b, or 14 dBm for all valid channel numbers for 802.11g.
Defaults
The default transmit power on all MP radio types is the highest setting allowed for the country of operation or the highest setting supported on the hardware, whichever is lower.
Access
Enabled.
History
    Version 1.0    Command introduced
    Version 2.0    Option dap added for Distributed MPs
    Version 3.0    Default power level changed
    Version 6.0    Option dap removed.
    Version 6.2    Added the index value range from 1 to 9999.
Usage
You can also configure a radio channel on the same command line. Use the channel option.
This command is not valid if dynamic power tuning (RF Auto-Tuning) is enabled.
Examples
The following command configures the transmit power on the 802.11a radio on the MP access point connected to port 5:
MX# set ap 5 radio 1 tx-power 10
success: change accepted.
The following command configures the channel and transmit power on the 802.11b/g radio on the MP access point connected to port 11:
MX# set ap 11 radio 1 channel 1 tx-power 10
success: change accepted.
See Also
set ap radio channel on page 12-249
show ap config radio on page 12-328
set ap security
Sets security requirements for management sessions between an MX and Distributed MPs. This feature applies to Distributed MPs only, not to directly connected MPs configured on MP access ports.
Syntax
set ap security secsetting {require | optional | none}
    security secsetting    Name of the security setting.
    require                Requires all Distributed MPs to have encryption keys that have been verified in the CLI by an administrator. If an MP does not have an encryption key or the key has not been verified, the MX does not establish a management session with the MP.
    optional               Allows MPs to be managed by the switch even if they do not have encryption keys or their keys have not been verified by an administrator. Encryption is used for MPs that support it.
    none                   Encryption is not used, even for MPs that support it.
Defaults
The default setting is optional.
Access
Enabled.
History
    Version 4.0    Command introduced.
    Version 6.0    Option dap removed.
Usage
This parameter applies to all Distributed MPs managed by the MX. If you change the setting to require, the MX requires Distributed MPs to have encryption keys. The MX also requires their fingerprints to be verified in MSS. When MP security is required, an MP can establish a management session with the MX only if its fingerprint has been verified by you in MSS.
A change to MP security support does not affect management sessions that are already established. To apply the new setting to an MP, restart the MP.
Note: The maximum transmission unit (MTU) for encrypted MP management traffic is 1498 bytes, whereas the MTU for unencrypted management traffic is 1474 bytes. Make sure the devices in the intermediate network between the MX switch and the Distributed MP can support the higher MTU.
Examples
The following command configures an MX to require Distributed MPs to have encryption keys:
MX# set ap security require
See Also
set ap fingerprint on page 12-242
show ap config radio on page 12-328
show ap status on page 12-340
set ap tunnel-affinity
The MP-MP tunneling feature extends the MX-MX tunnel feature to allow MPs with local switching enabled to create and terminate client VLAN tunnels. Therefore, a VLAN is not required on every MP.
Defaults
None
Access
Enabled
History
Added in MSS Version 7.1.
Syntax
set ap [apnum | auto] tunnel-affinity affinity
    apnum                       Number of the MP to configure for MP-MP tunneling.
    auto                        Enable MP-MP tunneling on all MPs.
    tunnel-affinity affinity    The default value for affinity is 4 with a range of 0 to 10, where 0 indicates that the MP is not used as a tunnel endpoint.
set ap upgrade-firmware
Disables or reenables automatic upgrade of an MP boot firmware.
Syntax
set ap auto upgrade-firmware {enable | disable}
    ap auto    Configures firmware upgrades for the MP configuration profile. (See set ap auto on page 12-230.)
    enable     Enables automatic firmware upgrades.
    disable    Disables automatic firmware upgrades.
Defaults
Automatic firmware upgrades of MPs are enabled by default.
Access
Enabled.
History
    Version 1.0    Command introduced
    Version 2.0    Option dap added for Distributed MPs
    Version 4.0    Option auto added for configuration of the MP configuration profile.
    Version 6.0    Option dap removed.
Usage
When the feature is enabled on an MX port, an MP connected to that port upgrades the boot firmware to the latest version stored on the MX.
Examples
The following command disables automatic firmware upgrades on the MP connected to port 9:
MX# set ap 9 upgrade-firmware disable
See Also
show ap config radio on page 12-328
set band-preference
Configures MSS to steer clients that support both the 802.11a and 802.11b/g radio bands to a specific radio on an MP for the purpose of RF load balancing.
Syntax
set band-preference {none | 5GHz | 2GHz}
    none    When a client supports both the 802.11a and 802.11b/g radio bands, does not steer the client to a specific MP radio.
    5GHz    When a client supports both the 802.11a and 802.11b/g radio bands, steers the client to the 5 GHz radio.
    2GHz    When a client supports both the 802.11a and 802.11b/g radio bands, steers the client to the 2 GHz radio.
Defaults
By default, clients are not steered to specific MP radios for RF load balancing.
Access
Enabled.
History
Introduced in MSS Version 6.0.
Usage
Use this command to steer clients that support both the 802.11a and 802.11b/g bands to a specific radio on an MP for the purpose of load balancing. This global “band-preference” option controls the degree to which an MP with two radios attempts to conceal one of its radios from a client, with the purpose of steering the client to the other radio.
Examples
The following command steers clients that support the 802.11a band to the 802.11a radio on an MP:
MX# set band-preference 2GHz
See Also
set load-balancing strictness on page 12-259
set load-balancing mode on page 12-258
set ap radio load-balancing on page 12-251
show load-balancing group on page 12-353
set load-balancing mode
Disables or enables RF load balancing globally on the MX.
Syntax
set load-balancing mode {enable | disable}
    enable     Enables RF load balancing globally on the MX.
    disable    Disables RF load balancing globally on the MX.
Defaults
RF load balancing is enabled by default.
Access
Enabled.
History
Introduced in MSS Version 6.0.
Usage
By default, RF load balancing is enabled on all MP radios. Use this command to disable or re-enable RF load balancing globally for all MP radios managed by the MX.
If RF load balancing has been enabled or disabled for a specific MP radio, then the setting for the individual radio takes precedence over the global setting.
Examples
The following command globally disables RF load balancing for all MP radios managed by the MX:
MX# set load-balancing mode disable
MX#
See Also
set load-balancing strictness on page 12-259
set band-preference on page 12-257
set ap radio load-balancing on page 12-251
show load-balancing group on page 12-353
set load-balancing strictness
Controls the degree to which MSS balances the client load among MPs when performing RF load balancing.
Syntax
set load-balancing strictness {low | med | high | max}
    low     No clients are denied service. New clients can be steered to other MPs, but only to the extent that service can be provided to all clients.
    med     Overloaded radios steer new clients to other MPs more strictly than the low option. Clients attempting to connect to overloaded radios may be delayed several seconds.
    high    Overloaded radios steer new clients to other MPs more strictly than the med option. Clients attempting to connect to overloaded radios may be delayed up to a minute.
    max     RF load balancing is strictly enforced. That is, overloaded radios do not respond to new clients at all. A client would not be able to connect during times that all of the detectable MP radios are overloaded.
Defaults
Low.
Access
Enabled.
History
Introduced in MSS Version 6.0.
Usage
When performing RF load balancing, MSS may attempt to steer clients to less-busy radios in a load-balancing group. To do this, MSS makes MP radios with heavy client loads less visible to new clients, causing them to associate with MP radios that have a lighter load.
Use this command to specify how strictly MSS attempts to keep the client load balanced across the MP radios in the load-balancing group. When low strictness is specified (the default), MSS makes heavily loaded MP radios less visible in order to steer clients to less-busy MP radios, but ensures that even if all the MP radios in the group are heavily loaded, clients are not denied service.
At the other end of the spectrum, when max strictness is specified, if an MP radio has reached the maximum client load, MSS makes the MP invisible to new clients, and new clients attempt to connect to other MP radios. In the event that all the MP radios in the group have reached the maximum client load, no new clients can connect to the network.
Examples
The following command sets the RF load balancing strictness to the maximum setting:
MX# set load-balancing strictness max
Success: strictness set to "MAX"
See Also
set load-balancing mode on page 12-258
set band-preference on page 12-257
set ap radio load-balancing on page 12-251
show load-balancing group on page 12-353
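The following audit script is an added example and is not part of this guide or of MSS. It reads MX configuration lines written in the command syntax shown above (set ap security, set ap apnum radio ... channel/tx-power/link-calibration) and reports the conditions the preceding entries warn about: MP security left at optional or none, link calibration left enabled outside installation or on both radios of an MP, and a tx-power above the ceiling given in the set ap radio tx-power Note. It assumes the configuration is available as those command lines (the format of a saved MX configuration is not given on the page), that channels 36 and above are 802.11a and 1 to 14 are 802.11b/g, and that the 802.11g ceiling of 14 dBm is applied to all b/g channels; SAMPLE_CONFIG is constructed.

```python
"""Offline audit of MX 'set ap ...' configuration lines (added example, not Trapeze code)."""
import re
from typing import Dict, List, Tuple

# Constructed sample configuration, in the command syntax used in this reference.
SAMPLE_CONFIG = """\
set ap security optional
set ap 5 radio 1 channel 36 tx-power 10
set ap 11 radio 1 channel 1 tx-power 16
set ap 7 radio 1 link-calibration mode enable
set ap 7 radio 2 link-calibration mode enable
set ap 22 radio 1 channel 149 tx-power 11
set ap 7 radio 1 load-balancing disable
""".splitlines()

SECURITY_RE = re.compile(r"^set ap security (require|optional|none)$")
RADIO_RE = re.compile(r"^set ap (\d+) radio ([12]) (.+)$")
# Assumption (not from the guide): channels >= 36 are 802.11a, lower channels are 802.11b/g.
FIRST_11A_CHANNEL = 36


def tx_power_ceiling(channel: int) -> int:
    """dBm ceiling from the set ap radio tx-power Note, by channel number.

    802.11a: 11 dBm for channels <= 64, 10 dBm above 64.  802.11b/g: the Note
    gives 16 dBm (802.11b) and 14 dBm (802.11g); the stricter 14 dBm is used
    here because the client mode cannot be known from the configuration.
    """
    if channel >= FIRST_11A_CHANNEL:
        return 11 if channel <= 64 else 10
    return 14


def parse_config(lines) -> Tuple[str, Dict[Tuple[int, int], dict]]:
    """Return (security_setting, radios); radios maps (apnum, radio) to its settings."""
    security = "optional"  # documented default when no set ap security line is present
    radios: Dict[Tuple[int, int], dict] = {}
    for raw in lines:
        line = raw.strip()
        m = SECURITY_RE.match(line)
        if m:
            security = m.group(1)
            continue
        m = RADIO_RE.match(line)
        if not m:
            continue
        apnum, radio = int(m.group(1)), int(m.group(2))
        if not 1 <= apnum <= 9999:  # apnum range documented for every set ap command
            raise ValueError(f"apnum out of range 1-9999: {line}")
        entry = radios.setdefault((apnum, radio), {})
        tokens = m.group(3).split()
        i = 0
        while i < len(tokens):
            key = tokens[i]
            if key in ("channel", "tx-power") and i + 1 < len(tokens):
                entry[key] = int(tokens[i + 1])  # channel and tx-power may share one line
                i += 2
            elif key == "link-calibration" and i + 2 < len(tokens) and tokens[i + 1] == "mode":
                entry["link-calibration"] = tokens[i + 2]
                i += 3
            else:
                i += 1  # other radio options (load-balancing, mode, ...) are not audited here
    return security, radios


def audit(lines) -> List[str]:
    """Return one finding per condition the guide's entries warn about."""
    findings: List[str] = []
    security, radios = parse_config(lines)
    if security != "require":
        findings.append(f"set ap security is '{security}': Distributed MPs can be managed "
                        "without verified fingerprints (set ap security require closes this)")
    calibrating: Dict[int, List[int]] = {}
    for (apnum, radio), entry in sorted(radios.items()):
        if entry.get("link-calibration") == "enable":
            findings.append(f"AP {apnum} radio {radio}: link-calibration enabled; the guide "
                            "intends this only during installation, not on a continual basis")
            calibrating.setdefault(apnum, []).append(radio)
        if "channel" in entry and "tx-power" in entry:
            ceiling = tx_power_ceiling(entry["channel"])
            if entry["tx-power"] > ceiling:
                findings.append(f"AP {apnum} radio {radio}: tx-power {entry['tx-power']} dBm "
                                f"exceeds the {ceiling} dBm ceiling for channel {entry['channel']}")
    for apnum, rs in calibrating.items():
        if len(rs) > 1:
            findings.append(f"AP {apnum}: link-calibration enabled on radios {rs}; only one "
                            "radio per MP can send link calibration packets")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```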
set radio-profile 11g-only
Deprecated in MSS Version 4.2. To configure radio data rates, see set service-profile transmit-rates on page 12-312.
set radio-profile 11n
Configures 11n radio ranges on the MP-432.
Syntax
set radio-profile profile-name 11n channel-width-na {20MHz | 40MHz}
    profile-name            Radio profile name
    11n channel-width-na    Set the channel width to 20 MHz or 40 MHz
Defaults
None
Access
Enabled
History
Introduced in MSS 7.0
Examples
Use the following command to set the channel width to 40 MHz:
MX# set radio-profile boardroom 11n channel-width-na 40MHz
set radio-profile active-scan
Deprecated in MSS 7.0.
set radio-profile auto-tune 11a-channel-range
When configured, the MP 802.11a radio selects a channel from a limited range of available channels or from all available channels.
Syntax
set radio-profile profile-name auto-tune 11a-channel-range {lower-bands | all-bands}
    profile-name    The name of the radio profile to configure the 802.11a channel range.
    lower-bands     Only the lower channels are available for the 802.11a radio: 36, 40, 44, 48, 52, 56, 60, or 64.
    all-bands       All 802.11a channels are available for the 802.11a radio: 36, 40, 44, 48, 52, 56, 60, 64, 149, 153, 157, and 161.
Defaults
lower-bands
Access
Enabled
History
    Version 6.0    Command introduced.
Usage
Improves the 802.11a radio usage on the network.
Examples
The following command enables the 802.11a radio to select any available channel in the 802.11a range:
MX# set radio-profile test auto-tune 11a-channel-range all-bands
success: change accepted.
set radio-profile auto-tune channel-config
Disables or reenables dynamic channel tuning (RF Auto-Tuning) for the MP radios in a radio
profile.
Syntax
set radio-profile profile-name auto-tune channel-config {enable | disable}
profile-name Radio profile name.
enable Configures radios to dynamically select channels when the radios are started.
disable Configures radios to use statically assigned channels, or the default channels
if unassigned, when the radios are started.
Defaults
Dynamic channel assignment is enabled by default.
Access
Enabled.
History
Version 3.0 Command introduced.
Version 5.0 Option no-client added.
Version 6.0 no-client changed to ignore-clients.
Version 7.0 Option ignore-clients moved to a separate command (set radio-profile
auto-tune ignore-clients).
Usage
If you disable RF Auto-Tuning for channels, MSS does not dynamically set the channels
when radios are first enabled and does not tune the channels during operation.
If RF Auto-Tuning for channels is enabled, MSS does not allow you to manually change channels.
Even when RF Auto-Tuning for channels is enabled, MSS does not change the channel on radios
that have active client sessions, unless you enable set radio-profile auto-tune ignore-clients.
Examples
The following command disables dynamic channel tuning for radios in the rp2 radio
profile:
MX# set radio-profile rp2 auto-tune channel-config disable
success: change accepted.
See Also
set ap radio channel on page 12-249
set radio-profile auto-tune channel-holddown on page 12-261
set radio-profile auto-tune channel-interval on page 12-262
set radio-profile auto-tune power-config on page 12-264
show radio-profile on page 12-354
set radio-profile auto-tune channel-holddown
Sets the minimum number of seconds a radio in a radio profile must remain on its current
channel assignment before RF Auto-Tuning can change the channel. The channel holddown
adds stability by preventing the radio from changing channels too rapidly in response to
spurious RF anomalies such as short-duration channel interference.
Syntax
set radio-profile profile-name auto-tune channel-holddown holddown
profile-name Radio profile name.
holddown Minimum number of seconds a radio must remain on its current channel
setting before RF Auto-Tuning is allowed to change the channel. You can
specify from 0 to 65535 seconds.
Defaults
The default RF Auto-Tuning channel holddown is 900 seconds.
Access
Enabled.
History
Introduced in MSS Version 3.0.
Usage
The channel holddown applies even if RF anomalies occur that would normally cause an
immediate channel change.
Examples
The following command changes the channel holddown for radios in radio profile rp2 to
600 seconds:
MX# set radio-profile rp2 auto-tune channel-holddown 600
success: change accepted.
See Also
set radio-profile auto-tune 11a-channel-range on page 12-260
set radio-profile auto-tune channel-interval on page 12-262
set radio-profile auto-tune channel-lockdown on page 12-263
show radio-profile on page 12-354
set radio-profile auto-tune channel-interval
Sets the interval at which RF Auto-Tuning decides whether to change the channels on radios in a
radio profile. At the end of each interval, MSS processes the results of the RF scans performed
during the previous interval, and changes radio channels if needed.
Syntax
set radio-profile profile-name auto-tune channel-interval seconds
profile-name Radio profile name.
seconds Number of seconds RF Auto-Tuning waits before changing radio channels
to adjust to RF changes, if needed. You can specify 0, or from 30 to 65535
seconds.
Defaults
The default channel interval is 3600 seconds (one hour).
Access
Enabled.
History
Introduced in MSS Version 3.0.
Usage
Use an interval of at least 300 seconds (5 minutes).
RF Auto-Tuning can change a radio channel before the channel interval expires in response to RF
anomalies. Even in this case, channel changes cannot occur more frequently than the channel
holddown interval.
If you set the interval to 0, RF Auto-Tuning does not reevaluate the channel at regular intervals.
However, RF Auto-Tuning can still change the channel in response to RF anomalies.
Examples
The following command sets the channel interval for radios in radio profile rp2 to 2700
seconds (45 minutes):
MX# set radio-profile rp2 auto-tune channel-interval 2700
success: change accepted.
See Also
set radio-profile auto-tune 11a-channel-range on page 12-260
set radio-profile auto-tune channel-holddown on page 12-261
set radio-profile auto-tune channel-lockdown on page 12-263
show radio-profile on page 12-354
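The channel interval, the channel holddown and the active-client rule described in the three commands above interact, and the effect of a given pair of timers is easier to see when worked through. The following Python model is an added example, not Trapeze MSS code. It assumes that the dynamic channel selection at radio start counts as a change at time 0 and that every periodic evaluation is one where a change is "needed"; both are simplifications for illustration.

```python
"""Model of when RF Auto-Tuning may change a radio's channel.

Added example, not Trapeze MSS code. It encodes three rules stated in this
reference: periodic re-evaluation every channel-interval seconds (0 disables
it), no change until channel-holddown seconds have elapsed since the last
change (even for RF anomalies), and no change on a radio with active client
sessions unless ignore-clients is enabled. Assumptions: the dynamic channel
selection at radio start counts as a change at t=0, and every evaluation is
treated as one where a change is "needed".
"""
from dataclasses import dataclass, field
from typing import List


@dataclass
class ChannelAutoTune:
    channel_interval: int        # seconds; 0 = no periodic re-evaluation
    channel_holddown: int = 900  # seconds; MSS default
    ignore_clients: bool = False
    last_change: int = 0         # radio-start selection counts as a change
    changes: List[int] = field(default_factory=list)

    def __post_init__(self) -> None:
        # Ranges as documented for the two commands.
        if not (self.channel_interval == 0 or 30 <= self.channel_interval <= 65535):
            raise ValueError("channel-interval must be 0 or 30..65535 seconds")
        if not 0 <= self.channel_holddown <= 65535:
            raise ValueError("channel-holddown must be 0..65535 seconds")

    def periodic_evaluations(self, until: int) -> List[int]:
        """Times at which MSS processes the previous interval's scan results."""
        if self.channel_interval == 0:
            return []
        return list(range(self.channel_interval, until + 1, self.channel_interval))

    def may_change(self, now: int, has_clients: bool) -> bool:
        """Holddown and client rules that gate every candidate change."""
        if has_clients and not self.ignore_clients:
            return False
        return now - self.last_change >= self.channel_holddown

    def run(self, until: int, anomalies: List[int], has_clients: bool = False) -> List[int]:
        """Return the times (seconds) at which a channel change is applied.

        anomalies: times of RF anomalies that would normally cause an
        immediate change; they remain subject to the holddown.
        """
        candidates = sorted(set(self.periodic_evaluations(until)) | set(anomalies))
        for t in candidates:
            if self.may_change(t, has_clients):
                self.last_change = t
                self.changes.append(t)
        return list(self.changes)


def demo() -> dict:
    """Compare the documented defaults with interval 0 and with connected clients."""
    anomalies = [100, 500, 1000, 1500]  # constructed sample anomaly times
    return {
        # Defaults: interval 3600, holddown 900. Anomalies at 100 and 500 are
        # blocked by the holddown; 1000 is allowed; 1500 is within 900 s of it.
        "defaults": ChannelAutoTune(3600).run(7200, anomalies),
        # interval 0: no periodic changes, but anomalies still count.
        "interval_0": ChannelAutoTune(0).run(7200, anomalies),
        # Active client sessions block every change unless ignore-clients is on.
        "clients": ChannelAutoTune(3600).run(7200, anomalies, has_clients=True),
        "clients_ignored": ChannelAutoTune(3600, ignore_clients=True).run(
            7200, anomalies, has_clients=True),
    }


if __name__ == "__main__":
    for name, times in demo().items():
        print(f"{name:16s} channel changes at {times}")
```

With the defaults, the anomaly at 100 s and 500 s never produce a change, because the radio-start selection started the 900 s holddown; the model also shows that a holddown longer than the interval silently turns some periodic evaluations into no-ops, which is worth checking before lowering channel-interval below the recommended 300 s.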
set radio-profile auto-tune channel-lockdown
Locks down the current channel settings on all radios in a radio profile. The channel settings that
are in effect when the command is entered are changed into statically configured channel
assignments on the radios. RF Auto-Tuning of channels is then disabled in the radio profile.
Syntax
set radio-profile profile-name auto-tune channel-lockdown
Defaults
By default, when RF Auto-Tuning of channels is enabled, channels continue to be
changed dynamically based on network conditions.
Access
Enabled.
History
Introduced in MSS Version 5.0.
Usage
To save this command and the static channel configuration commands created when you
enter this command, save the configuration.
Examples
The following command locks down the channel settings for radios in radio profile rp2:
MX# set radio-profile rp2 auto-tune channel-lockdown
success: change accepted.
See Also
set radio-profile auto-tune 11a-channel-range on page 12-260
set radio-profile auto-tune channel-holddown on page 12-261
set radio-profile auto-tune channel-interval on page 12-262
set radio-profile auto-tune power-lockdown on page 12-265
show radio-profile on page 12-354
set radio-profile auto-tune power-backoff-timer
Deprecated in MSS Version 5.0.
set radio-profile auto-tune ignore-clients
Allows RF Auto-Tuning to change the channel on radios that have active client sessions. Without
this option, RF Auto-Tuning does not change the channel on a radio with connected clients.
Syntax
set radio-profile profile-name auto-tune ignore-clients {enable | disable}
profile-name Radio profile name.
enable Configures RF Auto-Tuning to ignore client connections when selecting
channels.
disable Disables the feature.
Defaults
Disabled (RF Auto-Tuning does not change the channel on radios with active client
sessions).
Access
Enabled.
History
Introduced in MSS 6.0.
set radio-profile auto-tune power-config
Enables or disables dynamic power tuning (RF Auto-Tuning) for the MP radios in a radio profile.
Syntax
set radio-profile name auto-tune power-config {enable | disable}
name Radio profile name.
enable Configures radios to dynamically set power levels when the MPs are started.
disable Configures radios to use statically assigned power levels, or the default
power levels if unassigned, when the radios are started.
Defaults
Dynamic power assignment is disabled by default.
Access
Enabled.
History
Introduced in MSS Version 3.0.
Usage
When RF Auto-Tuning for power is disabled, MSS does not dynamically set the power
levels when radios are first enabled and does not tune power during operation with associated
clients.
When RF Auto-Tuning for power is enabled, MSS does not allow you to manually change the
power level.
Examples
The following command enables dynamic power tuning for radios in the rp2 radio
profile:
MX# set radio-profile rp2 auto-tune power-config enable
success: change accepted.
See Also
set ap radio auto-tune max-power on page 12-248
set radio-profile auto-tune 11a-channel-range on page 12-260
set radio-profile auto-tune power-interval on page 12-264
set radio-profile auto-tune power-lockdown on page 12-265
show radio-profile on page 12-354
set radio-profile auto-tune power-interval
Sets the interval at which RF Auto-Tuning decides whether to change the power level on radios in
a radio profile. At the end of each interval, MSS processes the results of the RF scans performed
during the previous interval, and changes radio power levels if needed.
Syntax
set radio-profile name auto-tune power-interval seconds
name Radio profile name.
seconds Number of seconds MSS waits before changing radio power levels to adjust to
RF changes, if needed. You can specify from 1 to 65535 seconds.
Defaults
The default power tuning interval is 600 seconds.
Access
Enabled.
History
Introduced in MSS Version 3.0.
Examples
The following command sets the power interval for radios in radio profile rp2 to 240
seconds:
MX# set radio-profile rp2 auto-tune power-interval 240
success: change accepted.
See Also
set ap radio auto-tune max-power on page 12-248
set radio-profile auto-tune power-config on page 12-264
set radio-profile auto-tune power-lockdown on page 12-265
set radio-profile auto-tune power-ramp-interval on page 12-266
show service-profile on page 12-357
set radio-profile auto-tune power-lockdown
Locks down the current power settings on all radios in a radio profile. The power settings that are
in effect when the command is entered are changed into statically configured power settings on the
radios. RF Auto-Tuning of power is then disabled in the radio profile.
Syntax
set radio-profile name auto-tune power-lockdown
name Radio profile name.
Defaults
By default, when RF Auto-Tuning of power is enabled, power settings continue to change
dynamically based on network conditions.
Access
Enabled.
History
Introduced in MSS Version 5.0.
Usage
To save this command and the static power configuration commands created when you
enter this command, save the configuration.
Examples
The following command locks down the power settings for radios in radio profile rp2:
MX# set radio-profile rp2 auto-tune power-lockdown
success: change accepted.
See Also
set ap radio auto-tune max-power on page 12-248
set radio-profile auto-tune channel-lockdown on page 12-263
set radio-profile auto-tune power-config on page 12-264
set radio-profile auto-tune power-interval on page 12-264
set radio-profile auto-tune power-ramp-interval on page 12-266
show radio-profile on page 12-354
set radio-profile auto-tune power-ramp-interval
Changes the interval at which power is increased or decreased, in 1 dBm increments, on radios in
a radio profile until the optimum power level calculated by RF Auto-Tuning is reached.
Syntax
set radio-profile profile-name auto-tune power-ramp-interval seconds
profile-name Radio profile name.
seconds Number of seconds MSS waits before increasing or decreasing radio power by
another 1 dBm. You can specify from 1 to 65535.
Defaults
The default interval is 60 seconds.
Access
Enabled.
History
Introduced in MSS Version 5.0.
Examples
The following command changes the power ramp interval for radios in radio profile rp2
to 120 seconds:
MX# set radio-profile rp2 auto-tune power-ramp-interval 120
success: change accepted.
See Also
set ap radio auto-tune max-power on page 12-248
set radio-profile auto-tune power-config on page 12-264
set radio-profile auto-tune power-interval on page 12-264
set radio-profile auto-tune power-lockdown on page 12-265
show radio-profile on page 12-354
set radio-profile beacon-interval
Changes the rate at which each MP radio in a radio profile advertises a service set identifier
(SSID).
Syntax
set radio-profile profile-name beacon-interval interval
profile-name Radio profile name.
interval Number of milliseconds (ms) between beacons. You can specify from 25 ms to
8191 ms.
Defaults
The beacon interval for MP radios is 100 ms by default.
Access
Enabled.
History
Introduced in MSS Version 1.0.
Usage
You must disable all radios that are using a radio profile before you can change
parameters in the profile. Use the set radio-profile mode command.
Examples
The following command changes the beacon interval for radio profile rp1 to 200 ms:
MX# set radio-profile rp1 beacon-interval 200
success: change accepted.
See Also
set radio-profile mode on page 12-272
show radio-profile on page 12-354
set radio-profile cac background
Sets admission control (CAC) options for background traffic on a radio profile.
Syntax
set radio-profile profile-name cac background {max-utilization percentage |
mode [enable | disable] | policing [enable | disable]}
profile-name Name of the radio profile.
max-utilization percentage Sets the maximum admission control limit for background traffic. You
can configure a percentage from 1 to 100 percent.
mode Configures CAC to be mandatory for the radio profile.
policing Configures admission control policing for the radio profile.
Defaults
None
Access
Enabled.
History
Introduced in MSS Version 7.0.
set radio-profile cac best-effort
Sets admission control (CAC) options for best-effort traffic on a radio profile.
Syntax
set radio-profile profile-name cac best-effort {max-utilization percentage |
mode [enable | disable] | policing [enable | disable]}
profile-name Name of the radio profile.
max-utilization percentage Sets the maximum admission control limit for best-effort traffic. You
can configure a percentage from 1 to 100 percent.
mode Configures CAC to be mandatory for the radio profile.
policing Configures admission control policing for the radio profile.
Defaults
None
Access
Enabled.
History
Introduced in MSS Version 7.0.
set radio-profile cac video
Sets admission control (CAC) options for video traffic on a radio profile.
Syntax
set radio-profile profile-name cac video {max-utilization percentage | mode
[enable | disable] | policing [enable | disable]}
profile-name Name of the radio profile.
max-utilization percentage Sets the maximum admission control limit for video traffic. You can
configure a percentage from 1 to 100 percent.
mode Configures CAC to be mandatory for the radio profile.
policing Configures admission control policing for the radio profile.
Defaults
None
Access
Enabled.
History
Introduced in MSS Version 7.0.
set radio-profile cac voice
Sets admission control (CAC) options for voice traffic on a radio profile.
Syntax
set radio-profile profile-name cac voice {max-utilization percentage | mode
[enable | disable] | policing [enable | disable]}
profile-name Name of the radio profile.
max-utilization percentage Sets the maximum admission control limit for voice traffic. You can
configure a percentage from 1 to 100 percent.
mode Configures CAC to be mandatory for the radio profile.
policing Configures admission control policing for the radio profile.
Defaults
None
Access
Enabled.
History
Introduced in MSS Version 7.0.
set radio-profile countermeasures
Enables or disables countermeasures on the MP radios managed by a radio profile.
Countermeasures are packets sent by a radio to prevent clients from being able to use rogue
access points.
MP radios can also issue countermeasures against interfering devices. An interfering device is not
part of the Trapeze network but also is not a rogue: no client connected to the device has been
detected communicating with any network entity listed in the forwarding database (FDB) of any
MX in the Mobility Domain. Although the interfering device is not connected to your network, the
device might be causing RF interference with MP radios.
Syntax
set radio-profile profile-name countermeasures {all | rogue | none}
profile-name Radio profile name.
all Configures radios to attack rogues and interfering devices.
rogue Configures radios to attack rogues only.
none Disables countermeasures for this radio profile.
Defaults
Countermeasures are disabled by default.
Access
Enabled.
History
Version 4.0 Command introduced.
Version 4.1 New option configured added to support on-demand countermeasures.
Version 7.0 The option configured was removed.
Usage
Countermeasures disrupt the devices they target. The all option also targets interfering
devices, which by definition are not connected to your network; confirm that disrupting such
third-party devices is acceptable in your environment before enabling it. The rogue option
limits countermeasures to devices classified as rogues.
Examples
The following command enables countermeasures in radio profile radprof3 for rogues
only:
MX# set radio-profile radprof3 countermeasures rogue
success: change accepted.
The following command disables countermeasures in radio profile radprof3:
MX# clear radio-profile radprof3 countermeasures
success: change accepted.
In MSS releases before 7.0, the configured option causes radios managed by radio profile
radprof3 to issue countermeasures only against devices in the MX attack list, not against
devices classified as rogues by other means. The option was removed in MSS Version 7.0 (see
History):
MX# set radio-profile radprof3 countermeasures configured
success: change accepted.
set radio-profile dfs-channels
Enables the use of DFS channels to meet regulatory requirements.
Syntax
set radio-profile profile-name dfs-channels {enable | disable}
Defaults
Disabled
Access
Enabled.
History
Introduced in MSS 7.0.
set radio-profile dtim-interval
Changes the DTIM interval, the number of beacon intervals between delivery traffic indication
map (DTIM) transmissions, for each MP radio in a radio profile. An MP sends the multicast and
broadcast frames stored in its buffers to clients that request them in response to the DTIM.
Syntax
set radio-profile profile-name dtim-interval interval
profile-name Radio profile name.
interval Number of beacon intervals between DTIM transmissions. You can enter a
value from 1 through 31.
Defaults
By default, MPs send the DTIM with every beacon.
Access
Enabled.
History
Introduced in MSS Version 1.0.
Usage
You must disable all radios using a radio profile before you can change parameters in the
profile. Use the set radio-profile mode command.
The DTIM interval does not apply to unicast frames.
Note: The DTIM interval applies to both the beaconed SSID and the nonbeaconed SSID.
Examples
The following command changes the DTIM interval for radio profile rp1 to 2:
MX# set radio-profile rp1 dtim-interval 2
success: change accepted.
See Also
set radio-profile mode on page 12-272
show radio-profile on page 12-354
set radio-profile weighted-fair-queuing
Configures a minimum service level for specific service profiles on a radio profile. Medium time
weights determine the relative transmit utilization of the radio between service profiles.
Syntax
set radio-profile profile-name weighted-fair-queuing {enable | disable}
weight service-profile-name weight
profile-name Name of the radio profile.
weighted-fair-queuing enable Enables weighted fair queuing.
weighted-fair-queuing disable Disables weighted fair queuing.
service-profile-name Name of the service profile to which the weight applies.
weight Weight value from 1 to 100. The weights of all service profiles with
weighted fair queuing on the radio profile add up to 100.
Defaults
None
Access
Enabled
History
Introduced in MSS Version 6.2.
Examples
To configure weighted queuing for a service and radio profile, use the following
command:
MX# set radio-profile wireless weighted-fair-queuing enable weight mp_conference 25
success: change accepted.
set radio-profile frag-threshold
Changes the fragmentation threshold for the MP radios in a radio profile. The fragmentation
threshold is the frame length at which the long-retry-count applies instead of the
short-retry-count.
The long-retry-count specifies the number of times a radio can send a unicast frame that is equal
to or longer than the frag-threshold without receiving an acknowledgment.
The short-retry-count specifies the number of times a radio can send a unicast frame that is
shorter than the frag-threshold without receiving an acknowledgment.
Syntax
set radio-profile name frag-threshold threshold
name Radio profile name.
threshold Maximum frame length, in bytes. You can enter a value from 256 through
2346.
Defaults
The default fragmentation threshold for MP radios is 2346 bytes.
Access
Enabled.
History
Introduced in MSS Version 1.0.
Usage
You must disable all radios that are using a radio profile before you can change parameters
in the profile. Use the set radio-profile mode command.
The frag-threshold does not specify the maximum length a frame is allowed to be without being
broken into multiple frames before transmission. The MP does not support fragmentation upon
transmission, only upon reception.
The frag-threshold does not change the RTS threshold, which specifies the maximum length of a
frame before the radio uses the RTS/CTS method to send the frame. To change the RTS threshold,
use the set radio-profile rts-threshold command instead.
Examples
The following command changes the fragmentation threshold for radio profile rp1 to
1500 bytes:
MX# set radio-profile rp1 frag-threshold 1500
success: change accepted.
See Also
set radio-profile mode on page 12-272
set radio-profile rts-threshold on page 12-279
set service-profile long-retry-count on page 12-298
set service-profile short-retry-count on page 12-304
show radio-profile on page 12-354
set radio-profile long-retry
Deprecated in MSS Version 4.2. In 4.2, this parameter is associated with service profiles instead
of radio profiles. See set service-profile long-retry-count on page 12-298.
set radio-profile max-rx-lifetime
Changes the maximum receive threshold (max-rx-lifetime) for the MP radios in a radio profile.
The maximum receive threshold specifies the number of milliseconds that a frame received by a
radio can remain in buffer memory.
Syntax
set radio-profile name max-rx-lifetime time
name Radio profile name.
time Number of milliseconds. You can enter a value from 500 (0.5 second) through
250,000 (250 seconds).
Defaults
The default maximum receive threshold for MP radios is 2000 ms (2 seconds).
Access
Enabled.
History
Introduced in MSS Version 1.0.
Usage
You must disable all radios that are using a radio profile before you can change
parameters in the profile. Use the set radio-profile mode command.
Examples
The following command changes the maximum receive threshold for radio profile rp1 to
4000 ms:
MX# set radio-profile rp1 max-rx-lifetime 4000
success: change accepted.
See Also
set radio-profile mode on page 12-272
show radio-profile on page 12-354
set radio-profile mode
Creates a new radio profile, or disables or reenables all MP radios that are using a specific
profile.
Syntax
set radio-profile profile-name [mode {enable | disable | sentry}]
profile-name Radio profile name of up to 16 alphanumeric characters, with no spaces.
Use this command without the mode option to create a new profile.
enable Enables the radios that use this profile.
disable Disables the radios that use this profile.
sentry Allows longer dwell times on scanning channels.
Defaults
Each radio profile has a set of properties with factory default values that you can change
with the other set radio-profile commands in this chapter. Table 12–3 lists the parameters
controlled by a radio profile and the default values.
Access
Enabled.
Table 12–3. Defaults for Radio Profile Parameters
Parameter Default Value Radio Behavior When Parameter Set To Default Value
active-scan enable Sends probe-any requests (probe requests with a null SSID name) to
solicit probe responses from other access points.
auto-tune channel-config enable, power-config disable Allows dynamic channel selection by
MSS; dynamic power tuning must be enabled separately with set radio-profile
auto-tune power-config.
beacon-interval 100 Waits 100 ms between beacons.
countermeasures Not configured Does not issue countermeasures against any device.
dtim-interval 1 Sends the delivery traffic indication map (DTIM) with every beacon.
frag-threshold 2346 Uses the short-retry-count for frames shorter than 2346 bytes and the
long-retry-count for frames that are 2346 bytes or longer.
max-rx-lifetime 2000 Allows a received frame to stay in the buffer for up to 2000 ms
(2 seconds).
max-tx-lifetime 2000 Allows a frame that is scheduled for transmission to stay in the buffer
for up to 2000 ms (2 seconds).
preamble-length short Advertises support for short 802.11b preambles, accepts either short or
long 802.11b preambles, and generates unicast frames with the preamble length
specified by the client. Note: This parameter applies only to 802.11b/g radios.
qos-mode wmm Classifies and marks traffic based on 802.1p and DSCP, and optimizes
forwarding prioritization of MP radios for Wi-Fi Multimedia (WMM).
rfid-mode disable Radio does not function as a location receiver in an AeroScout Visibility
System.
rts-threshold 2346 Transmits frames longer than 2346 bytes by means of the
Request-to-Send/Clear-to-Send (RTS/CTS) method.
service-profile No service profiles defined You must configure a service profile. The service
profile sets the SSID name and other parameters.
wmm-powersave disable Requires clients to send a separate PS-Poll to retrieve each unicast
packet buffered by the MP radio.
History
Version 1.0 Command introduced.
Version 3.0 Parameters that no longer apply to radio profiles in MSS Version 3.0 removed:
auth-dot1x, auth-psk, beaconed-ssid, cipher-ccmp, cipher-tkip, cipher-wep104,
cipher-wep40, clear-ssid, crypto-ssid, psk-phrase, psk-raw, shared-key-auth,
tkip-mc-time, wep key-index, wep active-multicast-index, wep active-unicast-index,
and wpa-ie. auto-tune and service-profile parameters added.
Version 4.2 Parameters that no longer apply to radio profiles in MSS Version 4.2 removed:
11g-only, long-retry, and short-retry. wmm parameter name changed to qos-mode.
Version 5.0 Parameters added: rfid-mode and wmm-powersave.
Usage
Use the command without any optional parameters to create a new profile. If the radio
profile does not already exist, MSS creates it. Use the mode enable or mode disable option
to enable or disable all the radios using a profile. To assign the profile to one or more radios, use
the set ap radio radio-profile command.
To change a parameter in a radio profile, you must first disable all the radios in the profile. After
you complete the change, you can reenable the radios.
To enable or disable specific radios without disabling all of them, use the set ap radio command.
Examples
The following command configures a new radio profile named rp1:
MX# set radio-profile rp1
success: change accepted.
The following command enables the radios that use radio profile rp1:
MX# set radio-profile rp1 mode enable
The following commands disable the radios that use radio profile rp1, change the beacon interval,
then reenable the radios:
MX# set radio-profile rp1 mode disable
MX# set radio-profile rp1 beacon-interval 200
MX# set radio-profile rp1 mode enable
The following command enables the WPA IE on MP radios in radio profile rp2. It applies only
to MSS releases before 3.0; the wpa-ie parameter was removed from radio profiles in Version 3.0
(see History) and is now set in the service profile:
MX# set radio-profile rp2 wpa-ie enable
success: change accepted.
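The disable-change-reenable sequence required by set radio-profile mode, together with the value ranges listed in this chapter and the weighted-fair-queuing rule that weights add up to 100, is the kind of thing worth checking before a change is pasted into an MX session. The following Python generator is an added example, not Trapeze code; it emits the CLI lines in the documented order and rejects out-of-range values first. It assumes "add up to 100" means the weights must sum to exactly 100, checks profile names only for length and spaces, and uses the constructed service profile names mp_conference and mp_guest.

```python
"""Generate a validated MSS CLI sequence for changing radio-profile parameters.

Added example, not Trapeze code. It applies the rule from set radio-profile
mode (disable the profile's radios, change parameters, reenable them) and the
value ranges and keyword choices listed in this chapter, so a bad value is
rejected before anything is pasted into an MX session. Assumption: the
weighted-fair-queuing phrase "add up to 100" is read as "must sum to exactly
100". Profile-name check: 1 to 16 characters, no spaces.
"""
from typing import Dict, List, Union

Value = Union[int, str]

# Numeric parameters: inclusive ranges as documented.
RANGES: Dict[str, tuple] = {
    "beacon-interval": (25, 8191),             # ms
    "dtim-interval": (1, 31),
    "frag-threshold": (256, 2346),             # bytes
    "max-rx-lifetime": (500, 250000),          # ms
    "auto-tune channel-holddown": (0, 65535),  # s
    "auto-tune power-interval": (1, 65535),    # s
    "auto-tune power-ramp-interval": (1, 65535),
}
# Keyword parameters: allowed values as documented.
CHOICES: Dict[str, set] = {
    "preamble-length": {"long", "short"},
    "qos-mode": {"svp", "wmm"},
    "countermeasures": {"all", "rogue", "none"},
    "rate-enforcement": {"enable", "disable"},
    "dfs-channels": {"enable", "disable"},
    "rfid-mode": {"enable", "disable"},
    "auto-tune channel-config": {"enable", "disable"},
    "auto-tune power-config": {"enable", "disable"},
    "auto-tune ignore-clients": {"enable", "disable"},
    "auto-tune 11a-channel-range": {"lower-bands", "all-bands"},
}


def check_profile_name(name: str) -> str:
    if not name or len(name) > 16 or " " in name:
        raise ValueError(f"radio profile name {name!r}: 1-16 characters, no spaces")
    return name


def check_value(param: str, value: Value) -> str:
    """Return the value as CLI text, or raise ValueError if it is out of range."""
    if param == "auto-tune channel-interval":
        # 0 disables periodic re-evaluation; otherwise 30..65535 seconds.
        if not isinstance(value, int) or not (value == 0 or 30 <= value <= 65535):
            raise ValueError(f"{param}: {value!r} not 0 or 30..65535")
        return str(value)
    if param in RANGES:
        low, high = RANGES[param]
        if not isinstance(value, int) or not low <= value <= high:
            raise ValueError(f"{param}: {value!r} not in {low}..{high}")
        return str(value)
    if param in CHOICES:
        if value not in CHOICES[param]:
            raise ValueError(f"{param}: {value!r} not one of {sorted(CHOICES[param])}")
        return str(value)
    raise ValueError(f"unknown radio-profile parameter {param!r}")


def profile_change_commands(profile: str, settings: Dict[str, Value]) -> List[str]:
    """Disable the profile's radios, apply every setting, then reenable them."""
    check_profile_name(profile)
    body = [f"set radio-profile {profile} {p} {check_value(p, v)}" for p, v in settings.items()]
    return ([f"set radio-profile {profile} mode disable"] + body
            + [f"set radio-profile {profile} mode enable"])


def wfq_commands(profile: str, weights: Dict[str, int]) -> List[str]:
    """Weighted-fair-queuing weights per service profile: 1..100 each, 100 in total."""
    check_profile_name(profile)
    for sp, w in weights.items():
        if not 1 <= w <= 100:
            raise ValueError(f"weight for {sp}: {w} not in 1..100")
    if sum(weights.values()) != 100:
        raise ValueError(f"weights sum to {sum(weights.values())}, expected 100")
    return [f"set radio-profile {profile} weighted-fair-queuing enable weight {sp} {w}"
            for sp, w in weights.items()]


if __name__ == "__main__":
    # Constructed sample change: service profile names are hypothetical.
    for line in profile_change_commands("rp1", {"beacon-interval": 200, "dtim-interval": 2,
                                                "countermeasures": "rogue"}):
        print(line)
    for line in wfq_commands("wireless", {"mp_conference": 25, "mp_guest": 75}):
        print(line)
```

Because every setting is validated before the first "mode disable" line is produced, a typo in one value cannot leave the profile's radios disabled with only half of a change applied.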
See Also
set ap radio mode on page 12-253
set ap radio radio-profile on page 12-254
show ap config radio on page 12-328
show radio-profile on page 12-354
set radio-profile preamble-length
Changes the preamble length for which an 802.11b/g MP radio advertises support. This command
does not apply to 802.11a.
Syntax
set radio-profile name preamble-length {long | short}
name Radio profile name.
long Advertises support for long preambles.
short Advertises support for short preambles.
Defaults
The default is short.
Access
Enabled.
History
Version 1.0 Command introduced.
Version 1.1 Default changed from long to short.
Usage
Changing the preamble length value affects only the support advertised by the radio.
Regardless of the preamble length setting (short or long), an 802.11b/g radio accepts and can
generate 802.11b/g frames with either short or long preambles.
If a client associated with an 802.11b/g radio uses long preambles for unicast traffic, the MP still
accepts frames with short preambles but does not transmit frames with short preambles. This
change also occurs if the access point overhears a beacon from an 802.11b/g radio on another
access point that indicates the radio has clients that require long preambles.
You must disable all radios that use a radio profile before you can change parameters in the
profile. Use the set radio-profile mode command.
Examples
The following command configures 802.11b/g radios that use the radio profile rp_long to
advertise support for long preambles instead of short preambles:
MX# set radio-profile rp_long preamble-length long
success: change accepted.
See Also
set radio-profile mode on page 12-272
show radio-profile on page 12-354
set radio-profile qos-mode
Sets the prioritization mode for forwarding queues on MP radios managed by the radio profile.
Syntax
set radio-profile name qos-mode {svp | wmm}
name Radio profile name.
svp Optimizes forwarding prioritization of MP radios for SpectraLink Voice
Priority (SVP).
wmm Classifies and marks traffic based on 802.1p and DSCP, and optimizes
forwarding prioritization of MP radios for Wi-Fi Multimedia (WMM).
Defaults
The default QoS mode is wmm.
Access
Enabled.
History
Introduced in MSS Version 4.2.
Usage
When SVP is enabled, MP forwarding prioritization is optimized for SpectraLink Voice
Priority (SVP) instead of WMM, and the MP does not tag packets sent to the MX. Otherwise,
classification and tagging remain in effect. (For information, see the "Configuring Quality of
Service" chapter of the Trapeze Mobility System Software User's Guide.)
If you plan to use SVP or another non-WMM type of prioritization, you must configure ACLs to tag
the packets. (See the "Enabling Prioritization for Legacy Voice over IP" section in the "Configuring
and Managing Security ACLs" chapter of the Trapeze Mobility System Software User's Guide.)
Examples
The following command changes the QoS mode for radio profile rp1 to SVP:
MX# set radio-profile rp1 qos-mode svp
success: change accepted.
See Also
set radio-profile mode on page 12-272
show radio-profile on page 12-354
set radio-profile rate-enforcement
Configures MSS to enforce data rates, which means that a connecting client must transmit at one
of the mandatory or standard rates in order to associate with the MP.
Syntax
set radio-profile name rate-enforcement {enable | disable}
name Radio profile name.
enable Enables data rate enforcement for the radios in the radio profile.
disable Disables data rate enforcement for the radios in the radio profile.
Defaults
Data rate enforcement is disabled by default.
Access
Enabled.
History
Introduced in MSS Version 6.0.
Usage
Each type of radio (802.11a, 802.11b, and 802.11g) providing service to an SSID has a set
of radio rates allowed for use when sending beacons, multicast frames, and unicast data. You can
configure the rate set for each type of radio, specifying rates in three categories:
Mandatory – Valid 802.11 transmit rates that clients must support in order to associate with
the MP
Disabled – Valid 802.11 transmit rates that are disabled. MPs do not transmit at the disabled rates
Standard – Valid 802.11 transmit rates that are neither disabled nor mandatory
By default, the rate set is not enforced, meaning that a client can associate with and transmit data
to the MP using a disabled data rate, although the MP does not transmit data back to the client at
the disabled rate.
You can use this command to enforce the data rates, which means that a connecting client must
transmit at one of the mandatory or standard rates in order to associate with the MP. When data
rate enforcement is enabled, clients transmitting at the disabled rates are not allowed to associate
with the MP.
This command is useful if you want to completely prevent clients from transmitting at disabled
data rates. For example, you can disable slower data rates so that clients transmitting at these
rates do not consume bandwidth on the channel at the expense of clients transmitting at faster
rates.
Examples
The following command enables data rate enforcement for radio profile rp1:
MX# set radio-profile rp1 rate-enforcement enable
success: change accepted.
See Also
set service-profile transmit-rates on page 12-312
show ap counters on page 12-330
set radio-profile rf-scanning channel-scope
Configures the channel-scope for RF scanning.
Syntax
set radio-profile profile-name rf-scanning channel-scope
[operating|regulatory|all]
Defaults
None
Access
Enabled
History
Added in MSS Version 6.2.
Examples
To scan only operating channels on radio profile, gofish, use the following command:
MX> set radio-profile gofish rf-scanning channel-scope operating
success: change accepted.
set radio-profile rf-scanning cts-to-self
Configures RF scanning to send CTS packets before going to another channel.
Syntax
set radio-profile name rf-scanning cts-to-self [enable | disable]
Defaults
None
Access
Enabled
History
Added in MSS 7.3
Examples
To enable a radio profile to send CTS packets, use the following command:
MX# set radio-profile corp1 rf-scanning cts-to-self enable
success: change accepted.
Parameters for set radio-profile rf-scanning channel-scope:
regulatory   Scans and audits regulatory channels for 802.11a or 802.11b/g.
operating   Scans and audits the current channel.
all   Scans and audits all channels on the radio.
set radio-profile rf-scanning mode
Configures RF scanning mode in active or passive states.
Syntax
set radio-profile profile-name rf-scanning mode [passive | active]
Defaults
None
Access
Enabled
History
Added in MSS Version 6.2
Examples
To configure active rf-scanning mode for radio profile gofish, use the following
command:
MX> set radio-profile gofish rf-scanning mode active
success: change accepted.
set radio-profile rfid-mode
Enables MP radios managed by a radio profile to function as location receivers in an AeroScout
Visibility System. An AeroScout Visibility System allows system administrators to track mobile
assets using RFID tags.
When you enable RFID mode on a radio profile, radios in the profile can receive and process
signals transmitted by RFID tags and relay them with related information to the AeroScout
Engine. If the floor plan is modeled in RingMaster, you also can use RingMaster to display the
locations of assets.
Syntax
set radio-profile profile-name rfid-mode {enable | disable}
Defaults
The default is disable.
Access
Enabled.
History
Introduced in MSS Version 5.0.
Examples
The following command enables radios managed by radio profile rp1 to act as asset
location receivers:
MX# set radio-profile rp1 rfid-mode enable
success: change accepted.
See Also
set radio-profile mode on page 12-272
show radio-profile on page 12-354
Parameters for set radio-profile rf-scanning mode:
passive   The radio scans once per predefined time and audits the packets on the wireless network. The default time is 1 second.
active   The radio actively sends probes to other channels and then audits the packets on the wireless network.
Parameters for set radio-profile rfid-mode:
profile-name   Radio profile name.
enable   Enables radios to function as asset location receivers.
disable   Disables radios from functioning as asset location receivers.
set radio-profile rts-threshold
Changes the RTS threshold for the MP radios in a radio profile. The RTS threshold specifies the
maximum length a frame can be before the radio uses the RTS/CTS method to send the frame. The
RTS/CTS method clears the air of other traffic to avoid corruption of the frame due to a collision
with another frame.
Syntax
set radio-profile profile-name rts-threshold threshold
Defaults
The default RTS threshold for an MP radio is 65535 bytes.
Access
Enabled.
History
Introduced in MSS Version 1.0.
Usage
You must disable all radios that use a radio profile before you can change parameters in the profile. Use the set radio-profile mode command.
Examples
The following command changes the RTS threshold for radio profile rp1 to 1500 bytes:
MX# set radio-profile rp1 rts-threshold 1500
success: change accepted.
See Also
set radio-profile mode on page 12-272
show radio-profile on page 12-354
set radio-profile service-profile
Maps a service profile to a radio profile. All radios that use the radio profile also use the parameter
settings, including SSID and encryption settings, in the service profile.
Syntax
set radio-profile profile-name service-profile profile-name
Defaults
By default, a radio profile does not have a service profile associated with it. In this case, the radios in the radio profile use the default settings for parameters controlled by the service profile. Table 12-4 lists the parameters controlled by a service profile and the default values.
Parameters for set radio-profile rts-threshold:
profile-name   Radio profile name.
threshold   Maximum frame length, in bytes. You can enter a value from 0 through 65535.
Parameters for set radio-profile service-profile:
profile-name   Radio profile name of up to 16 alphanumeric characters, with no spaces.
service-profile name   Service profile name of up to 16 alphanumeric characters, with no spaces.
Table 12-4. Defaults for Service Profile Parameters
Parameter | Default Value | Radio Behavior When Parameter Set To Default Value
attr | No attributes configured | Does not assign the SSID authorization attribute values to SSID users, even if attributes are not otherwise assigned.
auth-dot1x | enable | When the Wi-Fi Protected Access (WPA) information element (IE) is enabled, uses 802.1X to authenticate WPA clients.
auth-fallthru | none | Denies access to users who do not match an 802.1X or MAC authentication rule for the SSID requested by the user.
auth-psk | disable | Does not support using a preshared key (PSK) to authenticate WPA clients.
beacon | enable | Sends beacons to advertise the SSID managed by the service profile.
bridging | none | Supports bridging between MPs.
cac-mode | none | Does not limit the number of active user sessions based on Call Admission Control (CAC).
cac-session | 14 | If session-based CAC is enabled (cac-mode is set to session), limits the number of active user sessions on a radio to 14.
cipher-ccmp | disable | Does not use Counter with Cipher Block Chaining Message Authentication Code Protocol (CCMP) to encrypt traffic sent to WPA clients.
cipher-tkip | enable | When the WPA IE is enabled, uses Temporal Key Integrity Protocol (TKIP) to encrypt traffic sent to WPA clients.
cipher-wep104 | disable | Does not use Wired Equivalent Privacy (WEP) with 104-bit keys to encrypt traffic sent to WPA clients.
cipher-wep40 | disable | Does not use WEP with 40-bit keys to encrypt traffic sent to WPA clients.
cos | 0 | If static CoS is enabled (static-cos is set to enable), assigns CoS 0 to all data traffic to or from clients.
dhcp-restrict | disable | Does not restrict a client’s traffic to only DHCP traffic while the client is being authenticated and authorized.
idle-client-probing | enable | Sends a keepalive packet (a null-data frame) to each client every 10 seconds.
keep-initial-vlan | disable | Reassigns the user to a VLAN after roaming, instead of leaving the roamed user on the VLAN assigned by the switch where the user logged on. Note: Enabling this option does not retain the initial VLAN assignment for a user in all cases. (For information, see “set service-profile keep-initial-vlan” on page 12-297.)
load-balancing-exempt | none | Exempts the service profile from load balancing.
long-retry-count | 5 | Sends a long unicast frame up to five times without acknowledgment.
no-broadcast | disable | Does not reduce wireless broadcast traffic by sending unicasts to clients for ARP requests and DHCP Offers and Acks instead of forwarding them as multicasts.
max-bw | none | Sets the service profile bandwidth limit from 1 to 300000 Kbps. 0 equals unlimited bandwidth.
mesh | none | Enables mesh mode on the network.
proxy-arp | disable | Does not reply on behalf of wireless clients to ARP requests for client IP addresses. Instead, the radio forwards the ARP Requests as wireless broadcasts.
psk-encrypted | none | Sets an encrypted preshared key.
psk-phrase | No passphrase defined | Uses dynamically generated keys rather than statically configured keys to authenticate WPA clients.
psk-raw | No preshared key defined | Uses dynamically generated keys rather than statically configured keys to authenticate WPA clients.
rsn-ie | disable | Does not use the RSN IE in transmitted frames. (The RSN IE is required for 802.11i. RSN is sometimes called WPA2.)
shared-key-auth | disable | Does not use shared-key authentication. This parameter does not enable PSK authentication for WPA. To enable PSK encryption for WPA, use the set radio-profile auth-psk command.
short-retry-count | 5 | Sends a short unicast frame up to five times without acknowledgment.
soda | disable | Sygate On Demand Agent (SODA) files are not downloaded to connecting clients.
ssid-name | trapeze | Uses the SSID name trapeze.
ssid-type | crypto | Encrypts wireless traffic for the SSID.
tkip-mc-time | 60000 | Uses Michael countermeasures for 60,000 ms (60 seconds) following detection of a second MIC failure within 60 seconds.
transmit-rates | 802.11a: mandatory 6.0,12.0,24.0; beacon-rate 6.0; multicast-rate auto; disabled none. 802.11b: mandatory 1.0,2.0; beacon-rate 2.0; multicast-rate auto; disabled none. 802.11g: mandatory 1.0,2.0,5.5,11.0; beacon-rate 2.0; multicast-rate auto; disabled none | Accepts associations only from clients that support one of the mandatory rates. Sends beacons at the specified rate (6 Mbps for 802.11a, 2 Mbps for 802.11b/g). Sends multicast data at the highest rate that can reach all clients connected to the radio. Accepts frames from clients at all valid data rates. (No rates are disabled by default.)
Access
Enabled.
History
Introduced in MSS Version 3.0.
Usage
You must configure the service profile before you can map it to a radio profile. You can
map the same service profile to more than one radio profile.
You must disable all radios that use a radio profile before you can change parameters in the profile. Use the set radio-profile mode command.
Examples
The following command maps service-profile wpa_clients to radio profile rp2:
MX# set radio-profile rp2 service-profile wpa_clients
success: change accepted.
Table 12-4. Defaults for Service Profile Parameters (continued)
Parameter | Default Value | Radio Behavior When Parameter Set To Default Value
user-idle-timeout | 180 | Allows a client to remain idle for 180 seconds (3 minutes) before MSS changes the client’s session to the Disassociated state.
web-portal-acl | portalacl (Note: This is the default only if the fallthru type on the service profile has been set to web-portal. Otherwise, the value is unconfigured.) | If set to portalacl and the service profile fallthru is set to web-portal, radios use the portalacl ACL to filter traffic for Web Portal users during authentication. If the fallthru type is web-portal but web-portal-acl is set to an ACL other than portalacl, the other ACL is used. If the fallthru type is not web-portal, radios do not use the web-portal-acl setting.
web-portal-form | Not configured | For WebAAA users, serves the Trapeze Networks login page.
web-portal-logout | none | If set to logout-url, you can define a custom URL that allows a client to log out of the network. To enable this feature, use the mode option and then enable.
web-portal-session-timeout | 5 | Allows a Web Portal WebAAA session to remain in the Deassociated state 5 seconds before being terminated automatically.
wep key-index | No keys defined | Uses dynamic WEP rather than static WEP. Note: If you configure a WEP key for static WEP, MSS continues to also support dynamic WEP.
wep active-multicast-index | 1 | Uses WEP key 1 for static WEP encryption of multicast traffic if WEP encryption is enabled and keys are defined.
wep active-unicast-index | 1 | Uses WEP key 1 for static WEP encryption of unicast traffic if WEP encryption is enabled and keys are defined.
wpa-ie | disable | Does not use the WPA IE in transmitted frames.
History (set radio-profile service-profile, continued):
Version 3.0 Command introduced.
Version 7.0 The option static-cos was removed.
See Also
set service-profile attr on page 12-286
set service-profile [rsn-ie | wpa-ie] auth-dot1x on page 12-287
set service-profile [rsn-ie | wpa-ie] auth-fallthru on page 12-287
set service-profile [rsn-ie | wpa-ie] auth-psk on page 12-289
set service-profile beacon on page 12-289
set service-profile cac-mode on page 12-290
set service-profile cac-session on page 12-291
set service-profile [rsn-ie | wpa-ie] cipher-ccmp on page 12-292
set service-profile [rsn-ie | wpa-ie] cipher-tkip on page 12-293
set service-profile [rsn-ie | wpa-ie] cipher-wep104 on page 12-293
set service-profile [rsn-ie | wpa-ie] cipher-wep40 on page 12-294
set service-profile cos on page 12-295
set service-profile dhcp-restrict on page 12-296
set service-profile idle-client-probing on page 12-296
set service-profile long-retry-count on page 12-298
set service-profile no-broadcast on page 12-300
set service-profile proxy-arp on page 12-300
set service-profile [rsn-ie | wpa-ie] psk-phrase on page 12-301
set service-profile [rsn-ie | wpa-ie] psk-raw on page 12-302
set service-profile rsn-ie on page 12-303
set service-profile shared-key-auth on page 12-304
set service-profile short-retry-count on page 12-304
set service-profile soda mode on page 12-308
set service-profile ssid-name on page 12-310
set service-profile ssid-type on page 12-310
set service-profile static-cos on page 12-311
set service-profile tkip-mc-time on page 12-312
set service-profile transmit-rates on page 12-312
set service-profile user-idle-timeout on page 12-314
set service-profile web-portal-form on page 12-316
set service-profile web-portal-session-timeout on page 12-318
set service-profile wep active-multicast-index on page 12-319
set service-profile wep active-unicast-index on page 12-320
set service-profile wep key-index on page 12-320
set service-profile wpa-ie on page 12-321
show radio-profile on page 12-354
show service-profile on page 12-357
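The following Python script is an added example; it is not part of this guide and not code from MSS. It encodes the security-relevant defaults from Table 12-4, overlays a profile's configured values on them (which is what the radio actually applies when a parameter is left unset), and reports weak settings together with a hardening command in the syntax documented in this chapter. The sample profiles, the severity ratings and the check logic are constructed for illustration; the ssid-type value clear (the non-encrypting alternative to crypto) is assumed from MSS and does not appear in the table above.

```python
"""Audit an MSS service profile against the Table 12-4 defaults.

Added example, not code from the Command Reference Guide or from MSS.
Parameter names, defaults and the hardening commands it emits come from
this chapter; the sample profiles, severities and check logic are
constructed here. The ssid-type value "clear" is assumed from MSS.
"""

# Security-relevant subset of Table 12-4 (parameter -> documented default).
TABLE_12_4_DEFAULTS = {
    "auth-dot1x": "enable",
    "auth-fallthru": "none",
    "auth-psk": "disable",
    "cipher-ccmp": "disable",
    "cipher-tkip": "enable",
    "cipher-wep104": "disable",
    "cipher-wep40": "disable",
    "dhcp-restrict": "disable",
    "rsn-ie": "disable",
    "shared-key-auth": "disable",
    "ssid-type": "crypto",
    "wpa-ie": "disable",
}


def effective_settings(configured):
    """Overlay explicitly configured values on the documented defaults."""
    settings = dict(TABLE_12_4_DEFAULTS)
    settings.update(configured)
    return settings


def audit_service_profile(name, configured):
    """Return a list of (severity, finding, fix) tuples for one profile.

    Each fix is an MSS command in the syntax documented in this chapter.
    The severities are this example's assumption, not an MSS rating.
    """
    s = effective_settings(configured)
    findings = []
    ie_enabled = "enable" in (s["rsn-ie"], s["wpa-ie"])
    # IE to address in cipher/auth commands: prefer RSN (802.11i / WPA2).
    ie = "rsn-ie" if s["rsn-ie"] == "enable" else "wpa-ie"

    if s["ssid-type"] == "clear":
        findings.append(("high", "ssid-type is clear: wireless traffic is not encrypted",
                         f"set service-profile {name} ssid-type crypto"))
    elif not ie_enabled:
        # Table 12-4 default state: crypto SSID but no RSN/WPA IE, so
        # WPA/WPA2 cannot be negotiated and only WEP-based keying remains.
        findings.append(("high", "neither rsn-ie nor wpa-ie is enabled: clients cannot negotiate WPA/WPA2",
                         f"set service-profile {name} rsn-ie enable"))
    for wep in ("cipher-wep40", "cipher-wep104"):
        if s[wep] == "enable":
            findings.append(("high", f"{wep} enabled: WEP offers no meaningful confidentiality",
                             f"set service-profile {name} {ie} {wep} disable"))
    if ie_enabled and s["cipher-tkip"] == "enable" and s["cipher-ccmp"] == "disable":
        findings.append(("medium", "TKIP is the only WPA cipher; CCMP (AES) is disabled",
                         f"set service-profile {name} {ie} cipher-ccmp enable"))
    if ie_enabled and s["auth-dot1x"] == "disable" and s["auth-psk"] == "disable":
        # Per the auth-dot1x usage text, PSK is the only alternative to 802.1X.
        findings.append(("high", "auth-dot1x and auth-psk both disabled: WPA clients cannot authenticate",
                         f"set service-profile {name} {ie} auth-dot1x enable"))
    if s["auth-fallthru"] == "last-resort":
        findings.append(("high", "auth-fallthru last-resort: any user gets access without credentials",
                         f"set service-profile {name} auth-fallthru none"))
    if s["shared-key-auth"] == "enable":
        findings.append(("medium", "shared-key-auth enabled (WEP shared-key authentication)",
                         f"set service-profile {name} shared-key-auth disable"))
    if s["dhcp-restrict"] == "disable":
        findings.append(("low", "dhcp-restrict disabled: unauthenticated clients may send non-DHCP traffic",
                         f"set service-profile {name} dhcp-restrict enable"))
    return findings


def worst_severity(findings):
    """Highest severity present, or 'none' for a clean profile."""
    order = {"high": 3, "medium": 2, "low": 1}
    return max((f[0] for f in findings), key=order.get, default="none")


# Constructed sample profiles (not taken from any real MX configuration).
LEGACY_PROFILE = {"wpa-ie": "enable", "cipher-wep40": "enable",
                  "auth-fallthru": "last-resort"}
HARDENED_PROFILE = {"rsn-ie": "enable", "cipher-ccmp": "enable",
                    "cipher-tkip": "disable", "dhcp-restrict": "enable"}

if __name__ == "__main__":
    for pname, cfg in (("legacy", LEGACY_PROFILE), ("corp", HARDENED_PROFILE)):
        findings = audit_service_profile(pname, cfg)
        print(f"== {pname}: worst severity {worst_severity(findings)}")
        for sev, what, fix in findings:
            print(f"  [{sev}] {what}\n      fix: {fix}")
```

Note that a profile with no configured values at all is reported as high, because the documented defaults leave both the RSN IE and the WPA IE disabled; the table describes what the radio does, not a recommended configuration.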
set radio-profile snoop
Adds a configured snoop filter to the radio profile.
Syntax
set radio-profile profile-name snoop snoop-filter
Defaults
None
Access
Enabled
History
Added in MSS Version 7.0.
set radio-profile wmm
Deprecated in MSS Version 4.2. To enable or disable WMM, see set radio-profile qos-mode on
page 12-275.
set radio-profile wmm-powersave
Enables Unscheduled Automatic Powersave Delivery (U-APSD) on MP radios managed by the
radio profile. U-APSD enables WMM clients that use powersave mode to more efficiently request
buffered unicast packets from MP radios.
When U-APSD is enabled, a client can retrieve buffered unicast packets for a traffic priority
enabled for U-APSD by sending a QoS data or QoS-Null frame for that priority. U-APSD can be
enabled for individual traffic priorities, for individual clients, based on the client’s request. A
client enables U-APSD for a traffic priority by indicating this preference when (re)associating
with the MP radio.
A client can but is not required to request U-APSD for all four traffic priorities. The MP radio still
buffers packets for all traffic priorities even if the client does not request U-APSD for them.
However, to retrieve buffered packets for priorities not using U-APSD, a client must send a separate PS-Poll frame for each buffered packet.
Syntax
set radio-profile name wmm-powersave {enable | disable}
Defaults
U-APSD is disabled by default.
Access
Enabled.
History
Introduced in MSS Version 5.0.
Usage
U-APSD is supported only for QoS mode WMM. If WMM is not enabled on the radio
profile, use the set radio-profile qos-mode command to enable it.
Examples
The following command enables U-APSD on radio profile rp1:
MX# set radio-profile rp1 wmm-powersave enable
success: change accepted.
See Also
set radio-profile mode on page 12-272
set radio-profile qos-mode on page 12-275
show radio-profile on page 12-354
Parameters for set radio-profile snoop:
profile-name   Name of the radio profile.
snoop-filter   Name of the snoop filter to add to the radio profile.
Parameters for set radio-profile wmm-powersave:
name   Radio profile name.
enable   Enables U-APSD.
disable   Disables U-APSD.
set service-profile 11n
Configures maximum MPDU and MSDU packet length, frame aggregation for 802.11n and the
short guard interval for 11n network traffic.
Syntax
set service-profile profile-name 11n a-mpdu-max-length [8K | 16K | 32K | 64K]
    a-msdu-max-length [4K | 8K] frame-aggregation [msdu | mpdu | all | disable]
    mode-na [enable | disable | required] mode-ng [enable | disable | required]
    short-guard-interval [enable | disable]
Defaults
None
Access
Enabled
History
Version 7.0 Command introduced.
Version 7.1 Options mode-na and mode-ng added.
profile-name   Name of the service profile.
a-mpdu-max-length   Configures the length of the MPDU packet in kilobytes. Select from 8, 16, 32, or 64K.
a-msdu-max-length   Configures the length of the MSDU packet in kilobytes. Select from 8, 16, 32, or 64K.
frame-aggregation   Enables aggregation of MPDU and MSDU packets. Select either MPDU or MSDU or all. You can also disable this option.
mode-na   Sets the 11n mode to na for the profile.
mode-ng   Sets the 11n mode to ng for the profile.
short-guard-interval   Configure this option to prevent inter-symbol interference on the 802.11n network.
set service-profile active-call-idle-timeout
Sets the length of time that a VoIP connection can be idle before the connection times out on the network.
Syntax
set service-profile profile-name active-call-idle-timeout timeout
profile-name   Name of the service profile.
timeout   Length of the idle timeout, in seconds. You can set this to a value from 20 to 300.
Defaults
None
Access
Enabled
History
Introduced in MSS Version 7.1.
set service-profile attr
Configures authorization attributes that are applied by default to users accessing the SSID
managed by the service profile. These SSID default attributes are applied in addition to any
supplied by the RADIUS server or from the local database.
Syntax
set service-profile profile-name attr attribute-name value
Defaults
By default, a service profile does not have any authorization attributes set.
Access
Enabled.
History
Introduced in MSS 4.1.
Usage
To change the value of a default attribute for a service profile, use the set service-profile
attr command and specify a new value.
The SSID default attributes are applied in addition to any attributes supplied for the user by the
RADIUS server or the local database. When the same attribute is specified both as an SSID
default attribute and through AAA, then the attribute supplied by the RADIUS server or the local
database takes precedence over the SSID default attribute. If a location policy is configured, the
location policy rules also take precedence over SSID default attributes. The SSID default
attributes serve as a fallback when neither the AAA process, nor a location policy, provides them.
For example, a service profile might be configured with the service-type attribute set to 2. If a
user accessing the SSID is authenticated by a RADIUS server, and the RADIUS server returns
the vlan-name attribute set to orange, then that user has a total of two attributes set:
service-type and vlan-name.
If the service profile is configured with the vlan-name attribute set to blue, and the RADIUS
server returns the vlan-name attribute set to orange, then the attribute from the RADIUS server
takes precedence; the user is placed in the orange VLAN.
You can display the attributes for each connected user and if they are set through AAA or through
SSID defaults by entering the show sessions network verbose command. You can display the
configured SSID defaults by entering the show service-profile command.
Examples
The following command assigns users accessing the SSID managed by service profile
sp2 to VLAN blue:
MX# set service-prof sp2 attr vlan-name blue
success: change accepted.
The following command assigns users accessing the SSID managed by service profile sp2 to the
Mobility Profile tulip.
MX# set service-prof sp2 attr mobility-profile tulip
success: change accepted.
Parameters for set service-profile attr:
profile-name   Service profile name.
attribute-name value   Name and value of an attribute you are using to authorize SSID users for a particular service or session characteristic. For a list of authorization attributes and values that you can assign to network users, see Table 9-9 on page 179. All of the attributes listed in Table 9-9 can be used with this command except ssid.
History (set service-profile attr, continued):
MSS Version 4.1 Command introduced.
MSS Version 7.0 Attribute simultaneous-login added.
The following command limits the days and times when users accessing the SSID managed by
service profile sp2 can access the network, to 5 p.m. to 2 a.m. every weekday, and all day Saturday
and Sunday:
MX# set service-prof sp2 attr time-of-day Wk1700-0200,Sa,Su
success: change accepted.
See Also
show service-profile on page 12-357
show sessions network on page 19-454
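As an added example (not code from this guide or from MSS), the following Python script applies the attribute precedence described above and evaluates the time-of-day value from the last example. The precedence (location policy rules, then attributes from the RADIUS server or local database, then SSID defaults as the fallback) and the value Wk1700-0200,Sa,Su come from this section; the parsing rules are this example's assumptions, not a specification of the MSS syntax: two-letter day codes Mo through Su, Wk meaning Monday to Friday, an optional HHMM-HHMM range, and a range whose end precedes its start (1700-0200) running into the early hours of the following day.

```python
"""Effective authorization attributes and time-of-day evaluation for an SSID.

Added example, not code from the Command Reference Guide or from MSS.
Precedence order and the sample value "Wk1700-0200,Sa,Su" come from the
page; the day-code and HHMM-HHMM parsing rules are assumptions made here.
"""
from datetime import datetime

WEEKDAYS = (0, 1, 2, 3, 4)  # datetime.weekday(): Monday is 0, Sunday is 6
DAY_CODES = {"Mo": (0,), "Tu": (1,), "We": (2,), "Th": (3,), "Fr": (4,),
             "Sa": (5,), "Su": (6,), "Wk": WEEKDAYS}   # assumed code set


def resolve_attributes(ssid_defaults, aaa_attrs, location_policy_attrs=None):
    """Merge the attribute sources; each update overrides the previous one,
    so the order encodes the precedence described on the page."""
    effective = dict(ssid_defaults)                 # fallback: SSID defaults
    effective.update(aaa_attrs)                     # RADIUS / local database
    effective.update(location_policy_attrs or {})   # location policy rules
    return effective


def parse_time_of_day(spec):
    """Turn 'Wk1700-0200,Sa,Su' into [(days, start, end), ...] with start
    and end in minutes after midnight, or None for a whole-day entry."""
    windows = []
    for token in spec.split(","):
        code, rest = token[:2], token[2:]
        if code not in DAY_CODES:
            raise ValueError(f"unknown day code in {token!r}")
        if not rest:
            windows.append((DAY_CODES[code], None, None))
            continue
        start_s, end_s = rest.split("-")
        if len(start_s) != 4 or len(end_s) != 4:
            raise ValueError(f"expected HHMM-HHMM in {token!r}")
        start = int(start_s[:2]) * 60 + int(start_s[2:])
        end = int(end_s[:2]) * 60 + int(end_s[2:])
        windows.append((DAY_CODES[code], start, end))
    return windows


def access_allowed(spec, when):
    """True if datetime `when` lies inside any window of the attribute."""
    minute = when.hour * 60 + when.minute
    today = when.weekday()
    yesterday = (today - 1) % 7
    for days, start, end in parse_time_of_day(spec):
        if start is None:
            if today in days:
                return True
        elif start <= end:
            if today in days and start <= minute < end:
                return True
        else:
            # Window crosses midnight: the evening part belongs to a listed
            # day, the early-morning part to the day after a listed day.
            if (today in days and minute >= start) or \
               (yesterday in days and minute < end):
                return True
    return False


def allowed_at(spec, stamp):
    """Convenience wrapper taking 'YYYY-MM-DD HH:MM' as a string."""
    return access_allowed(spec, datetime.strptime(stamp, "%Y-%m-%d %H:%M"))


# Constructed samples built from the values used in this section.
SSID_DEFAULTS = {"service-type": "2", "vlan-name": "blue"}
RADIUS_REPLY = {"vlan-name": "orange"}
TIME_OF_DAY = "Wk1700-0200,Sa,Su"

if __name__ == "__main__":
    print(resolve_attributes(SSID_DEFAULTS, RADIUS_REPLY))
    for stamp in ("2024-01-03 18:00", "2024-01-03 12:00", "2024-01-04 01:30"):
        print(stamp, allowed_at(TIME_OF_DAY, stamp))
```

The midnight-crossing case is the one worth checking before deploying such an attribute: with the reading above, a Thursday 01:30 login is inside the Wednesday evening window, but a Monday 01:00 login is not, because Sunday is listed as a whole day rather than as an evening window.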
set service-profile [rsn-ie | wpa-ie] auth-dot1x
Disables or reenables 802.1X authentication of Wi-Fi Protected Access (WPA) clients by MP
radios, when the WPA information element (IE) is enabled in the service profile that is mapped to
the radio profile for the radios.
Syntax
set service-profile profile-name [rsn-ie | wpa-ie] auth-dot1x
{enable | disable}
Defaults
When the WPA IE is enabled, 802.1X authentication of WPA clients is enabled by
default. If the WPA IE is disabled, the auth-dot1x setting has no effect.
Access
Enabled.
History
Introduced in MSS Version 3.0.
Usage
This command does not disable dynamic WEP for non-WPA clients. To disable dynamic
WEP for non-WPA clients, enable the WPA IE (if not already enabled) and disable the 40-bit WEP
and 104-bit WEP cipher suites in the WPA IE, if they are not already disabled.
To use 802.1X authentication for WPA clients, you also must enable the WPA IE.
If you disable 802.1X authentication of WPA clients, the only method available for authenticating
the clients is preshared key (PSK) authentication. To use this, you must enable PSK support and
configure a passphrase or key.
Examples
The following command disables 802.1X authentication for WPA clients that use service
profile wpa_clients:
MX# set service-profile wpa_clients auth-dot1x disable
success: change accepted.
See Also
set service-profile [rsn-ie | wpa-ie] auth-psk on page 12-289
set service-profile [rsn-ie | wpa-ie] psk-phrase on page 12-301
set service-profile wpa-ie on page 12-321
show service-profile on page 12-357
Parameters for set service-profile [rsn-ie | wpa-ie] auth-dot1x:
profile-name   Service profile name.
enable   Enables 802.1X authentication of WPA clients.
disable   Disables 802.1X authentication of WPA clients.
set service-profile [rsn-ie | wpa-ie] auth-fallthru
Specifies the authentication type for users who do not match an 802.1X or MAC authentication rule for an SSID managed by the service profile. When a user tries to associate with an SSID, MSS checks the authentication rules for that SSID for a userglob that matches the username. If the SSID does not have an authentication rule that matches the username, authentication for the user falls through to the fallthru type.
The fallthru type is a service profile parameter, and applies to all radios within the radio profiles that are mapped to the service profile.
Syntax
set service-profile name [rsn-ie | wpa-ie] auth-fallthru
{last-resort | none | web-portal}
Defaults
The default fallthru authentication type is none.
If a username does not match a userglob in an authentication rule for the SSID requested by the
user, the MX managing the radio that the user is connected to redirects the user to a Web page
located on the MX. The user must type a valid username and password on the Web page to access
the SSID.
Access
Enabled.
History
Version 1.0 Command introduced.
Version 4.0 Option for WebAAA fallthru authentication type changed from web-auth to web-portal. Default changed to none.
last-resort   Automatically authenticates the user and allows access to the SSID requested by the user, without requiring a username and password.
none   Denies authentication and prohibits the user from accessing the SSID.
Note: The fallthru authentication type none is different from the authentication method none you can specify for administrative access. The fallthru authentication type none denies access to a network user. In contrast, the authentication method none allows access to the MX by an administrator. (See “set authentication admin” on page 9-164 and “set authentication console” on page 9-165.)
web-portal   Serves the user a web page from the MX nonvolatile storage for secure login to the network.
Usage
The last-resort fallthru authentication type allows any user to access any SSID managed by the service profile. This method does not require the user to provide a username or password. Use the last-resort method only if none of the SSIDs managed by the service profile require secure access.
The web-portal authentication type also requires additional configuration items. (See the “Configuring AAA for Network Users” chapter of the Trapeze Mobility System Software User’s Guide.)
Examples
The following command sets the fallthru authentication type for SSIDs managed by the service profile rnd_lab to web-portal:
MX# set service-profile rnd_lab auth-fallthru web-portal
success: change accepted.
See Also
set web-portal on page 9-189
set service-profile web-portal-form on page 12-316
show service-profile on page 12-357
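The decision sequence this command controls, as an added example that is not code from this guide or from MSS: a user is first matched against the SSID's 802.1X and MAC authentication rules, and only a user who matches none of them reaches the fallthru type. The example assumes that a userglob matches like a shell glob (Python's fnmatch, so * matches any run of characters), that rules are consulted in order with the first match winning, and that "dot1x" and "mac" label the two rule kinds; the rule list and usernames are constructed samples.

```python
"""Model the fallthru decision for set service-profile auth-fallthru.

Added example, not code from the Command Reference Guide or from MSS.
Assumes shell-glob userglob matching (fnmatch) and first-match-wins rule
order; the sample rules and usernames below are constructed.
"""
from fnmatch import fnmatchcase

# Outcome for a user who matches no 802.1X or MAC rule, per fallthru type.
FALLTHRU_OUTCOME = {
    "none": "deny",              # prohibits access to the SSID (the default)
    "last-resort": "allow",      # access without a username or password
    "web-portal": "web-portal",  # user is served the login page on the MX
}


def authenticate(username, ssid_rules, fallthru):
    """Return (outcome, reason) for `username` on an SSID.

    `ssid_rules` is the ordered list of (userglob, method) pairs for the
    SSID, where method is "dot1x" or "mac". A match hands the user to that
    method, so the fallthru type is never consulted for that user.
    """
    if fallthru not in FALLTHRU_OUTCOME:
        raise ValueError(f"unknown fallthru type {fallthru!r}")
    for userglob, method in ssid_rules:
        if fnmatchcase(username, userglob):
            return (method, f"matched userglob {userglob}")
    return (FALLTHRU_OUTCOME[fallthru], f"no rule matched; fallthru {fallthru}")


def users_reaching_fallthru(usernames, ssid_rules):
    """Usernames that would fall through the rule set. Reviewing this list
    shows who is affected before the fallthru type is changed from none."""
    return [u for u in usernames
            if authenticate(u, ssid_rules, "none")[0] == "deny"]


def review_fallthru(fallthru, ssid_requires_secure_access):
    """Apply the Usage rule above: last-resort is acceptable only when no
    SSID managed by the service profile requires secure access."""
    if fallthru == "last-resort" and ssid_requires_secure_access:
        return "reject: last-resort on an SSID that requires secure access"
    return "ok"


# Constructed sample configuration (not from any real MX).
RULES = [("*@corp.example", "dot1x"), ("00:11:22:*", "mac")]
USERS = ["alice@corp.example", "00:11:22:33:44:55", "guest17"]

if __name__ == "__main__":
    for ft in ("none", "web-portal", "last-resort"):
        for u in USERS:
            print(f"{ft:11} {u:20} -> {authenticate(u, RULES, ft)}")
    print("would reach fallthru:", users_reaching_fallthru(USERS, RULES))
    print(review_fallthru("last-resort", ssid_requires_secure_access=True))
```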
set service-profile [rsn-ie | wpa-ie] auth-psk
Enables pre-shared key (PSK) authentication of Wi-Fi Protected Access (WPA) clients by MP
radios in a radio profile, when the WPA information element (IE) is enabled in the service profile.
Syntax
set service-profile name [rsn-ie | wpa-ie] auth-psk {enable | disable}
Defaults
When the WPA IE is enabled, PSK authentication of WPA clients is enabled by default.
If the WPA IE is disabled, the auth-psk setting has no effect.
Access
Enabled.
History
Introduced in MSS Version 3.0.
Usage
This command affects authentication of WPA clients only.
To use PSK authentication, you also must configure a passphrase or key. In addition, you must
enable the WPA IE.
Examples
The following command enables PSK authentication for service profile wpa_clients:
MX# set service-profile wpa_clients auth-psk enable
success: change accepted.
See Also
set service-profile [rsn-ie | wpa-ie] auth-dot1x on page 12-287
set service-profile [rsn-ie | wpa-ie] psk-raw on page 12-302
set service-profile wpa-ie on page 12-321
show service-profile on page 12-357
set service-profile beacon
Disables or reenables beaconing of the SSID managed by the service profile.
An MP radio responds to an 802.11 probe-any request with only the beaconed SSID(s). For a
nonbeaconed SSID, radios respond only to directed 802.11 probe requests that match the
nonbeaconed SSID’s SSID string.
When you disable beaconing for an SSID, the radio still sends beacon frames, but the SSID name
in the frames is blank.
Syntax
set service-profile name beacon {enable | disable}
Defaults
Beaconing is enabled by default.
Access
Enabled.
History
Introduced in MSS Version 3.0.
Parameters for set service-profile [rsn-ie | wpa-ie] auth-psk:
name   Service profile name.
enable   Enables PSK authentication of WPA clients.
disable   Disables PSK authentication of WPA clients.
Parameters for set service-profile beacon:
name   Service profile name.
enable   Enables beaconing of the SSID managed by the service profile.
disable   Disables beaconing of the SSID managed by the service profile.
Examples
The following command disables beaconing of the SSID managed by service profile sp2:
MX# set service-profile sp2 beacon disable
success: change accepted.
See Also
set radio-profile beacon-interval on page 12-266
set service-profile ssid-name on page 12-310
set service-profile ssid-type on page 12-310
show service-profile on page 12-357
set service-profile bridging
Enables wireless bridging for a service profile configured for WLAN mesh services.
Syntax
set service-profile service-profile bridging {enable | disable}
Defaults
None.
Access
Enabled.
History
Introduced in MSS Version 6.0.
Usage
WLAN mesh services can be used in a wireless bridge configuration, implementing MPs as
bridge endpoints in a transparent Layer 2 bridge. A typical application of wireless bridging is to
provide network connectivity between two buildings using a wireless link.
When wireless bridging is enabled for a service profile, the MPs with the applied service profile
serve as bridge peers. When a Mesh AP associates with a Mesh Portal AP through this service
profile, the Mesh Portal AP automatically configures the Mesh AP to operate in bridge mode.
Examples
The following command enables wireless bridging on service profile sp1:
MX# set service-profile sp1 bridging enable
success: change accepted.
See Also
set ap boot-configuration mesh ssid on page 12-239
set service-profile mesh on page 12-299
show ap mesh-links on page 12-339
set service-profile cac-mode
Configures the Call Admission Control (CAC) mode.
Parameters for set service-profile bridging:
service-profile   Mesh service profile name.
enable   Enables wireless bridging for the service profile.
disable   Disables wireless bridging for the service profile.
Syntax
set service-profile profile-name cac-mode {none | session | voip-call}
Defaults
The default CAC mode is none.
Access
Enabled.
History
MSS Version 4.2 Command introduced.
MSS Version 7.1 Added option voip-call.
profile-name   Service profile name.
none   CAC is not used.
session   CAC is based on the number of active sessions.
voip-call   CAC is based on VoIP calls.
Examples
The following command enables session-based CAC on service profile sp1:
MX# set service-profile sp1 cac-mode session
success: change accepted.
See Also
set service-profile cac-session on page 12-291
show service-profile on page 12-357
set service-profile cac-session
Specifies the maximum number of active sessions a radio can have when session-based CAC is enabled. When an MP radio has reached the maximum allowed number of active sessions, the radio refuses connections from additional clients.
Syntax
set service-profile profile-name cac-session max-sessions
profile-name   Service profile name.
max-sessions   Maximum number of active sessions allowed on the radio.
Defaults
The default number of sessions allowed is 14.
Access
Enabled.
History
Introduced in MSS Version 4.2.
Usage
This command applies only when the CAC mode is session. If the CAC mode is none, you can still change the maximum number of sessions, but the setting does not take effect until you change the CAC mode to session. To change the CAC mode, use the set service-profile cac-mode command.
Examples
The following command changes the maximum number of sessions for radios used by service profile sp1 to 10:
MX# set service-profile sp1 cac-session 10
success: change accepted.
See Also
set service-profile cac-mode on page 12-290
show service-profile on page 12-357
set service-profile cac-voip-call
Configures the maximum number of VoIP calls for a service profile.
Syntax
set service-profile profile-name cac-voip-call max-voip-calls
Defaults
None
Access
Enabled
History
Introduced in MSS Version 7.1
Examples
To set the maximum number of VoIP calls for a service profile, use the following
command:
MX# set service-profile corpbusiness cac-voip-call 100
set service-profile [rsn-ie | wpa-ie ]cipher-ccmp
Enables Counter with Cipher Block Chaining Message Authentication Code Protocol (CCMP)
encryption with WPA clients, for a service profile.
Syntax
set service-profile name [rsn-ie | wpa-ie] cipher-ccmp {enable | disable}
Defaults
CCMP encryption is disabled by default.
Access
Enabled.
History
Usage
To use CCMP, you must also enable the WPA IE.
Examples
The following command configures service profile sp2 to use CCMP encryption:
MX# set service-profile sp2 cipher-ccmp enable
success: change accepted.
See Also
set service-profile [rsn-ie | wpa-ie] cipher-tkip on page 12-293
set service-profile [rsn-ie | wpa-ie] cipher-wep104 on page 12-293
set service-profile [rsn-ie | wpa-ie] cipher-wep40 on page 12-294
set service-profile wpa-ie on page 12-321
show service-profile on page 12-357
Parameters (set service-profile cac-voip-call):
profile-name     Service profile name.
max-voip-calls   Configure between 0 and 500 calls allowed on the service profile.
Parameters (set service-profile [rsn-ie | wpa-ie] cipher-ccmp):
name      Service profile name.
enable    Enables CCMP encryption for WPA clients.
disable   Disables CCMP encryption for WPA clients.
History (set service-profile [rsn-ie | wpa-ie] cipher-ccmp):
MSS Version 3.0   Command introduced.
MSS Version 7.1   Moved command to rsn-ie and wpa-ie as part of the mixed cipher feature.
set service-profile [rsn-ie | wpa-ie] cipher-tkip
Disables or reenables Temporal Key Integrity Protocol (TKIP) encryption in a service profile.
Syntax
set service-profile name [rsn-ie | wpa-ie] cipher-tkip {enable | disable}
Defaults
When RSN IE or WPA IE is enabled, you can enable TKIP encryption. It is disabled by
default.
Access
Enabled.
History
Usage
To use TKIP, you must also enable the WPA IE.
Examples
The following command disables TKIP encryption in service profile sp2:
MX# set service-profile sp2 wpa-ie cipher-tkip disable
success: change accepted.
See Also
set service-profile [rsn-ie | wpa-ie] cipher-ccmp on page 12-292
set service-profile [rsn-ie | wpa-ie] cipher-wep104 on page 12-293
set service-profile [rsn-ie | wpa-ie] cipher-wep40 on page 12-294
set service-profile tkip-mc-time on page 12-312
set service-profile wpa-ie on page 12-321
show service-profile on page 12-357
set service-profile [rsn-ie | wpa-ie] cipher-wep104
Enables dynamic Wired Equivalent Privacy (WEP) with 104-bit keys, in a service profile.
Syntax
set service-profile name [rsn-ie | wpa-ie] cipher-wep104 {enable | disable}
Defaults
104-bit WEP encryption is disabled by default.
Access
Enabled.
Parameters (set service-profile [rsn-ie | wpa-ie] cipher-tkip):
name      Service profile name.
enable    Enables TKIP encryption for RSN or WPA clients.
disable   Disables TKIP encryption for RSN or WPA clients.
History (set service-profile [rsn-ie | wpa-ie] cipher-tkip):
MSS Version 3.0   Command introduced.
MSS Version 7.1   Moved command to rsn-ie and wpa-ie as part of the mixed cipher feature.
Parameters (set service-profile [rsn-ie | wpa-ie] cipher-wep104):
name      Service profile name.
enable    Enables 104-bit WEP encryption for RSN or WPA clients.
disable   Disables 104-bit WEP encryption for RSN or WPA clients.
History
Usage
To use 104-bit WEP with RSN or WPA clients, you must also enable RSN-IE or WPA IE.
When 104-bit WEP in RSN or WPA is enabled in the service profile, radios managed by a radio
profile that is mapped to the service profile can also support non-RSN or non-WPA clients that use
dynamic WEP.
To support WPA clients that use 40-bit dynamic WEP, you must enable WEP with 40-bit keys.
Use the set service-profile wpa-ie cipher-wep40 command.
Microsoft Windows XP does not support WEP with WPA. To configure a service profile to provide
dynamic WEP for XP clients, leave WPA disabled and use the set service-profile wep
commands.
To support non-WPA clients that use static WEP, you must configure static WEP keys. Use the
set service-profile wep command.
Examples
The following command configures service profile sp2 to use 104-bit WEP encryption:
MX# set service-profile sp2 wpa-ie cipher-wep104 enable
success: change accepted.
See Also
set service-profile [rsn-ie | wpa-ie] cipher-ccmp on page 12-292
set service-profile [rsn-ie | wpa-ie] cipher-tkip on page 12-293
set service-profile [rsn-ie | wpa-ie] cipher-wep40 on page 12-294
set service-profile wep key-index on page 12-320
set service-profile wpa-ie on page 12-321
show service-profile on page 12-357
set service-profile [rsn-ie | wpa-ie] cipher-wep40
Enables dynamic Wired Equivalent Privacy (WEP) with 40-bit keys, in a service profile.
Syntax
set service-profile name [rsn-ie | wpa-ie] cipher-wep40 {enable | disable}
Defaults
40-bit WEP encryption is disabled by default.
Access
Enabled.
History
Usage
To use 40-bit WEP with RSN or WPA clients, you must also enable RSN IE or WPA IE.
History (set service-profile [rsn-ie | wpa-ie] cipher-wep104):
MSS Version 3.0   Command introduced.
MSS Version 7.1   Moved command to rsn-ie and wpa-ie as part of the mixed cipher feature.
Parameters (set service-profile [rsn-ie | wpa-ie] cipher-wep40):
name      Service profile name.
enable    Enables 40-bit WEP encryption for RSN or WPA clients.
disable   Disables 40-bit WEP encryption for RSN or WPA clients.
History (set service-profile [rsn-ie | wpa-ie] cipher-wep40):
MSS Version 3.0   Command introduced.
MSS Version 7.1   Command moved to rsn-ie and wpa-ie to support mixed ciphers on a service profile.
When 40-bit WEP in RSN or WPA is enabled in the service profile, radios managed by a radio
profile that is mapped to the service profile can also support non-WPA clients that use dynamic
WEP.
To support WPA clients that use 104-bit dynamic WEP, you must enable WEP with 104-bit keys in
the service profile. Use the set service-profile wpa-ie cipher-wep104 command.
Microsoft Windows XP does not support WEP with WPA. To configure a service profile to provide
dynamic WEP for XP clients, leave WPA disabled and use the set service-profile wep
commands.
To support non-WPA clients that use static WEP, you must configure static WEP keys. Use the set
service-profile wep key-index command.
Examples
The following command configures service profile sp2 to use 40-bit WEP encryption:
MX# set service-profile sp2 wpa-ie cipher-wep40 enable
success: change accepted.
See Also
set service-profile [rsn-ie | wpa-ie] cipher-ccmp on page 12-292
set service-profile [rsn-ie | wpa-ie] cipher-tkip on page 12-293
set service-profile [rsn-ie | wpa-ie] cipher-wep104 on page 12-293
set service-profile wep key-index on page 12-320
set service-profile wpa-ie on page 12-321
show service-profile on page 12-357
set service-profile cos
Sets the Class-of-Service (CoS) level for static CoS.
Syntax
set service-profile profile-name cos cos
Defaults
The default static CoS level is 0.
Access
Enabled.
History
Introduced in MSS Version 4.2.
Usage
This command applies only when static CoS is enabled. If static CoS is disabled,
prioritization is based on the QoS mode configured in the radio profile, and on any ACLs that set
CoS. (See the “Configuring Quality of Service” chapter of the Trapeze Mobility System Software
Configuration Guide.) To enable static CoS, use the set service-profile static-cos command.
Examples
The following command changes the static CoS level to 7 (voice priority):
MX# set service-profile sp1 cos 7
success: change accepted.
See Also
set service-profile static-cos on page 12-311
show service-profile on page 12-357
Parameters (set service-profile cos):
profile-name   Service profile name.
cos            CoS value assigned by the MP to all traffic in the service profile.
set service-profile dhcp-restrict
Enables or disables DHCP Restrict on a service profile. DHCP Restrict filters the traffic from a
newly associated client and allows DHCP traffic only, until the client has been authenticated and
authorized. All other traffic is captured by the MX and is not forwarded. After the client is
successfully authorized, the traffic restriction is removed.
Syntax
set service-profile profile-name dhcp-restrict {enable | disable}
Defaults
DHCP Restrict is disabled by default.
Access
Enabled.
History
Introduced in MSS Version 4.2.
Usage
To further reduce the overhead of DHCP traffic, use the set service-profile
no-broadcast command to disable DHCP broadcast traffic from MP radios to clients on the
service profile’s SSID.
Examples
The following command enables DHCP Restrict on service profile sp1:
MX# set service-profile sp1 dhcp-restrict enable
success: change accepted.
See Also
set service-profile no-broadcast on page 12-300
set service-profile proxy-arp on page 12-300
show service-profile on page 12-357
set service-profile dot1x-handshake-timeout
Configures the number of milliseconds before the dot1x handshake message is retransmitted.
Syntax
set service-profile profile-name dot1X-handshake-timeout timeout
Defaults
None
Access
Enabled.
History
Introduced in MSS Version 7.1
set service-profile idle-client-probing
Disables or reenables periodic keepalives from MP radios to clients on a service profile’s SSID.
When idle-client probing is enabled, the MP radio sends a unicast null-data frame to each client
every 10 seconds. Normally, a client that is still active sends an Ack in reply to the keepalive.
If a client does not send any data or respond to any keepalives before the user idle timeout expires,
MSS changes the client session to the Disassociated state.
Parameters (set service-profile dhcp-restrict):
profile-name   Service profile name.
enable         Enables DHCP Restrict.
disable        Disables DHCP Restrict.
Parameters (set service-profile dot1x-handshake-timeout):
profile-name   Service profile name.
timeout        Enter a value from 20 to 5000 seconds. Enter 0 to use the global dot1x value.
Syntax
set service-profile profile-name idle-client-probing {enable | disable}
Defaults
Idle-client probing is enabled by default.
Access
Enabled.
History
Introduced in MSS Version 4.2.
Usage
The length of time a client can remain idle (unresponsive to idle-client probes) is specified
by the user-idle-timeout command.
Examples
The following command disables idle-client keepalives on service profile sp1:
MX# set service-profile sp1 idle-client-probing disable
success: change accepted.
See Also
set service-profile user-idle-timeout on page 12-314
show service-profile on page 12-357
set service-profile keep-initial-vlan
Configures MP radios managed by the radio profile to leave a roamed user on the VLAN assigned
by the MX where the user logged on. When this option is disabled, a user's VLAN is reassigned by
each MX when a user roams.
Syntax
set service-profile profile-name keep-initial-vlan {enable | disable}
Defaults
This option is disabled by default.
Access
Enabled.
History
Introduced in MSS Version 5.0.
Usage
Even when this option is enabled, the MX that a user roams to (the roamed-to MX) can
reassign the VLAN in any of the following cases:
A location policy on the local MX reassigns the VLAN.
The user is configured in the MX local database and the VLAN-Name attribute is set on the
user or on a user group the user is in.
The access rule on the roamed-to MX uses RADIUS, and the VLAN-Name attribute is set on
the RADIUS server.
Examples
The following command enables the keep-initial-vlan option on service profile sp3:
MX# set service-profile sp3 keep-initial-vlan enable
success: change accepted.
Parameters (set service-profile idle-client-probing):
profile-name   Service profile name.
enable         Enables keepalives.
disable        Disables keepalives.
Parameters (set service-profile keep-initial-vlan):
profile-name   Service profile name.
enable         Enables radios to leave a roamed user on the same VLAN instead of reassigning the VLAN.
disable        Configures radios to reassign a roamed user's VLAN.
See Also
show service-profile on page 12-357
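The VLAN decision described in the Usage section of set service-profile keep-initial-vlan, written out as a small Python function. This is an added example, not part of the Trapeze documentation or of MSS: it models only what the Usage text states. The order in which the three override cases are checked, and the "roamed_to_vlan" input standing for whatever the roamed-to MX assigns on its own when the option is disabled, are assumptions; the scenario values are constructed.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class RoamContext:
    """Inputs the roamed-to MX has when a user arrives. Constructed model, not an MSS data structure."""
    initial_vlan: str                            # VLAN assigned by the MX where the user logged on
    roamed_to_vlan: str                          # VLAN the roamed-to MX would assign by itself (assumed input)
    keep_initial_vlan: bool                      # set service-profile <name> keep-initial-vlan {enable | disable}
    location_policy_vlan: Optional[str] = None   # VLAN set by a location policy on the roamed-to MX
    local_db_vlan_name: Optional[str] = None     # VLAN-Name attribute on the local user or user group
    access_rule_uses_radius: bool = False        # the access rule on the roamed-to MX uses RADIUS
    radius_vlan_name: Optional[str] = None       # VLAN-Name attribute returned by the RADIUS server


def vlan_after_roam(ctx: RoamContext) -> Tuple[str, str]:
    """Return (vlan, reason) for a roamed user.

    The three override cases are the ones listed in the Usage text; checking them in that
    order is an assumption, the page does not state a precedence between them.
    """
    if not ctx.keep_initial_vlan:
        return ctx.roamed_to_vlan, "keep-initial-vlan disabled: each MX reassigns the VLAN"
    if ctx.location_policy_vlan:
        return ctx.location_policy_vlan, "location policy on the roamed-to MX reassigns the VLAN"
    if ctx.local_db_vlan_name:
        return ctx.local_db_vlan_name, "VLAN-Name set on the user or user group in the local database"
    if ctx.access_rule_uses_radius and ctx.radius_vlan_name:
        return ctx.radius_vlan_name, "VLAN-Name set on the RADIUS server"
    return ctx.initial_vlan, "keep-initial-vlan: user stays on the VLAN from the initial MX"


def demo() -> dict:
    """Constructed scenarios (VLAN names are made up, not from the page)."""
    base = dict(initial_vlan="staff", roamed_to_vlan="guest")
    return {
        "disabled": vlan_after_roam(RoamContext(keep_initial_vlan=False, **base))[0],
        "kept": vlan_after_roam(RoamContext(keep_initial_vlan=True, **base))[0],
        "location": vlan_after_roam(RoamContext(keep_initial_vlan=True, location_policy_vlan="lab", **base))[0],
        # VLAN-Name on RADIUS only counts when the roamed-to MX's access rule actually uses RADIUS
        "radius_unused": vlan_after_roam(RoamContext(keep_initial_vlan=True, radius_vlan_name="voip", **base))[0],
        "radius": vlan_after_roam(RoamContext(keep_initial_vlan=True, access_rule_uses_radius=True,
                                              radius_vlan_name="voip", **base))[0],
    }
```

The "radius_unused" case is the one worth noticing when auditing roaming behaviour: a VLAN-Name on the RADIUS server does not move a roamed user unless the roamed-to MX's access rule consults RADIUS.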
set service-profile load-balancing-exempt
Exempts a service profile from performing RF load balancing.
Syntax
set service-profile profile-name load-balancing-exempt {enable | disable}
Defaults
By default, MP radios automatically perform RF load balancing for all service profiles.
Access
Enabled.
History
Introduced in MSS Version 6.0.
Usage
Use this command to exempt a service profile from RF load balancing. Exempting a
service profile from RF load balancing means that if an MP radio is attempting to steer clients
away, the radio does not reduce or conceal the availability of the SSID named in the exempted
service profile. Even if a radio is withholding probe responses to manage the load, the radio does
respond to probes for an exempt SSID. Also, if an MP radio is withholding probe responses, and a
client probes for any SSID, and the radio has at least one exempt SSID, the radio responds to the
probe, but the response reveals only the exempt SSID(s).
Examples
The following command exempts service profile sp3 from RF load balancing:
MX# set service-profile sp3 load-balancing-exempt enable
success: change accepted.
See Also
set load-balancing strictness on page 12-259
set ap radio load-balancing on page 12-251
set ap local-switching mode on page 12-244
show load-balancing group on page 12-353
set service-profile long-retry-count
Changes the long retry threshold for a service profile. The long retry threshold specifies the
number of times a radio can send a long unicast frame without receiving an acknowledgment. A
long unicast frame is a frame that is equal to or longer than the frag-threshold.
Syntax
set service-profile name long-retry-count threshold
Defaults
The default long unicast retry threshold is 5 attempts.
Access
Enabled.
History
Introduced in MSS Version 4.2.
Parameters (set service-profile load-balancing-exempt):
profile-name   Service profile name.
enable         Exempts the specified service profile from RF load balancing.
disable        If a service profile has previously been exempted from RF load balancing, restores RF load balancing for the service profile.
Parameters (set service-profile long-retry-count):
name        Service profile name.
threshold   Number of times the radio can send the same long unicast frame. You can enter a value from 1 through 15.
Examples
The following command changes the long retry threshold for service profile sp1 to 8:
MX# set service-profile sp1 long-retry-count 8
success: change accepted.
See Also
set radio-profile frag-threshold on page 12-271
set service-profile short-retry-count on page 12-304
show service-profile on page 12-357
set service-profile max-bw
Configures the maximum bandwidth for a service profile.
Syntax
set service-profile profile-name max-bw max-bw-kb
Defaults
None
Access
Enabled
History
Added in MSS Version 7.0.
Usage
Use this command to configure specific bandwidth requirements for a service profile. Once
configured, the service profile can be mapped to a specific radio profile.
set service-profile mesh
Creates a service profile for use with WLAN mesh services.
Syntax
set service-profile name mesh mode {enable | disable}
Defaults
None.
Access
Enabled.
History
Introduced in MSS Version 6.0.
Usage
Use this command to configure mesh services for a service profile. Once configured, the
service profile can then be mapped to a radio profile that manages a radio on the Mesh Portal MP,
which then allows a Mesh Portal AP to beacon a mesh services SSID to Mesh APs.
Examples
The following command enables mesh services for service profile sp1:
MX# set service-profile sp1 mesh mode enable
success: change accepted.
Parameters (set service-profile max-bw):
profile-name   Name of the service profile.
max-bw-kb      Configure a bandwidth from 1-300000 Kbps. 0 = unlimited bandwidth.
Parameters (set service-profile mesh):
name      Service profile name.
enable    Enables mesh services for the service profile.
disable   Disables mesh services for the service profile.
See Also
set ap boot-configuration mesh ssid on page 12-239
show ap mesh-links on page 12-339
set service-profile no-broadcast
Disables or reenables the no-broadcast mode. The no-broadcast mode helps reduce traffic
overhead on an SSID by having more SSID bandwidth available for unicast traffic. The
no-broadcast mode also helps VoIP handsets conserve power by reducing the amount of broadcast
traffic sent to the phones.
When enabled, the no-broadcast mode prevents MP radios from sending DHCP or ARP broadcasts
to clients on the service profile SSID. Instead, an MP radio processes the traffic as follows:
ARP requests—If the SSID has clients with IP addresses that the MX does not already know,
the MX allows the MP radio to send the ARP request as a unicast to only those stations with
unknown addresses on the MX. The MP radio does not forward the ARP request as a
broadcast and does not send the request as a unicast to stations whose addresses the MX
already knows.
DHCP Offers or Acks—If the destination MAC address belongs to a client on the SSID, the
MP radio sends the DHCP Offer or Ack as a unicast to that client only.
The no-broadcast mode does not affect other types of broadcast traffic and does not prevent clients
from sending broadcasts.
Syntax
set service-profile name no-broadcast {enable | disable}
Defaults
The no-broadcast mode is disabled by default. (Broadcast traffic not disabled.)
Access
Enabled.
History
Introduced in MSS Version 4.2.
Usage
To further reduce ARP traffic on a service profile, use the set service-profile proxy-arp
command to enable Proxy ARP.
Examples
The following command enables the no-broadcast mode on service profile sp1:
MX# set service-profile sp1 no-broadcast enable
success: change accepted.
See Also
set service-profile dhcp-restrict on page 12-296
set service-profile proxy-arp on page 12-300
show service-profile on page 12-357
set service-profile proxy-arp
Enables proxy ARP. When proxy ARP is enabled, the MX replies to ARP requests for client IP
addresses on behalf of the clients. This feature reduces broadcast overhead on a service profile SSID
by eliminating ARP broadcasts from MP radios to the SSID clients.
Parameters (set service-profile no-broadcast):
name      Service profile name.
enable    Enables the no-broadcast mode. MP radios are not allowed to send broadcast traffic to clients on the SSID of the service profile.
disable   Disables the no-broadcast mode.
If the ARP request is for a client with an IP address not on the MX, the MX allows MP radios to
send the ARP request to clients. If the no-broadcast mode is also enabled, the MP radios send the
ARP request as a unicast to only the clients with unknown addresses on the MX. However, if
no-broadcast mode is disabled, the MP radios send the ARP request as a broadcast to all clients
on the SSID.
Syntax
set service-profile profile-name proxy-arp {enable | disable}
Defaults
Proxy ARP is disabled by default.
Access
Enabled.
History
Introduced in MSS Version 4.2.
Usage
To further reduce broadcast traffic on a service profile, use the set service-profile
no-broadcast command to disable DHCP and ARP request broadcasts.
Examples
The following command enables proxy ARP on service profile sp1:
MX# set service-profile sp1 proxy-arp enable
success: change accepted.
See Also
set service-profile dhcp-restrict on page 12-296
set service-profile no-broadcast on page 12-300
show service-profile on page 12-357
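The following Python model combines the ARP and DHCP handling described for set service-profile no-broadcast with the proxy ARP behaviour described for set service-profile proxy-arp, so the four combinations of the two settings can be compared side by side. It is an added example, not code from Trapeze or from MSS; the client table and MAC addresses are constructed, and the client_wakeups helper is an added measure (how many clients have to receive a frame) rather than anything the page quantifies.

```python
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Client:
    mac: str
    ip: Optional[str]   # None: the MX has not learned this client's IP address yet


# Constructed client table for one SSID (addresses are made up, not from the page).
SAMPLE_CLIENTS = [
    Client("00:0b:0e:00:00:01", "10.1.1.10"),
    Client("00:0b:0e:00:00:02", "10.1.1.11"),
    Client("00:0b:0e:00:00:03", None),
]


def handle_arp_request(target_ip: str, clients: Sequence[Client],
                       proxy_arp: bool, no_broadcast: bool) -> Tuple[str, List[str]]:
    """Decide how an ARP request for target_ip is handled on the SSID.

    Returns (action, destination MACs):
      "proxy-reply"  proxy ARP: the MX answers for the client, nothing is sent over the air
      "unicast"      no-broadcast: the MP radio unicasts the request only to clients whose
                     address the MX does not know (an empty list means nothing is sent)
      "broadcast"    the MP radio forwards the request as a broadcast to every client
    """
    known = {c.ip: c.mac for c in clients if c.ip is not None}
    if proxy_arp and target_ip in known:
        return "proxy-reply", [known[target_ip]]
    if no_broadcast:
        return "unicast", [c.mac for c in clients if c.ip is None]
    return "broadcast", [c.mac for c in clients]


def handle_dhcp_reply(dst_mac: str, clients: Sequence[Client],
                      no_broadcast: bool) -> Tuple[str, List[str]]:
    """A DHCP Offer or Ack headed for the SSID: unicast to the addressed client under no-broadcast."""
    macs = [c.mac for c in clients]
    if no_broadcast and dst_mac in macs:
        return "unicast", [dst_mac]
    return "broadcast", macs


def client_wakeups(arp_targets: Sequence[str], clients: Sequence[Client],
                   proxy_arp: bool, no_broadcast: bool) -> int:
    """Clients that must receive a frame for a batch of ARP requests: all of them for a
    broadcast, only the listed destinations for unicasts, none for a proxy reply.
    Added measure of the power-saving effect the page describes for handsets."""
    total = 0
    for ip in arp_targets:
        action, dests = handle_arp_request(ip, clients, proxy_arp, no_broadcast)
        total += len(clients) if action == "broadcast" else (len(dests) if action == "unicast" else 0)
    return total
```

With both options enabled, only requests for addresses the MX has not learned reach the air, and then only as unicasts to the clients that could still own them; proxy ARP alone still broadcasts requests for unknown addresses.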
set service-profile [rsn-ie | wpa-ie] psk-encrypted
Configures an encrypted passphrase for preshared key (PSK) authentication to use when
authenticating RSN or WPA clients, in a service profile.
Syntax
set service-profile profile-name [rsn-ie | wpa-ie] psk-encrypted passphrase
Defaults
None
Access
Enabled
History
Introduced in MSS Version 7.0.
set service-profile [rsn-ie | wpa-ie] psk-phrase
Configures a passphrase for preshared key (PSK) authentication to use for authenticating WPA
clients, in a service profile. Radios use the PSK as a pairwise master key (PMK) to derive unique
pairwise session keys for individual WPA clients.
Parameters (set service-profile proxy-arp):
profile-name   Service profile name.
enable         Enables proxy ARP.
disable        Disables proxy ARP.
Parameters (set service-profile [rsn-ie | wpa-ie] psk-encrypted):
profile-name      Service profile name.
rsn-ie | wpa-ie   Enable psk-encryption on RSN IE or WPA IE clients.
passphrase        An ASCII string from 8 to 63 characters long. The string can contain blanks if you use quotation marks at the beginning and end of the string.
Syntax
set service-profile profile-name [rsn-ie | wpa-ie] psk-phrase passphrase
Defaults
None.
Access
Enabled.
History
Usage
MSS converts the passphrase into a 256-bit binary number for system use and a raw
hexadecimal key to store in the MX configuration. Neither the binary number nor the passphrase
is ever displayed in the configuration.
To use PSK authentication, you must enable it and you also must enable the WPA IE.
Examples
The following command configures service profile sp3 to use passphrase
“1234567890123<>?=+&% The quick brown fox jumps over the lazy dog”:
MX# set service-profile sp3 wpa-ie psk-phrase "1234567890123<>?=+&% The quick brown fox jumps over the lazy dog"
success: change accepted.
See Also
set mac-user attr on page 9-178
set service-profile [rsn-ie | wpa-ie] auth-psk on page 12-289
set service-profile [rsn-ie | wpa-ie] psk-raw on page 12-302
set service-profile wpa-ie on page 12-321
show service-profile on page 12-357
set service-profile [rsn-ie | wpa-ie] psk-raw
Configures a raw hexadecimal preshared key (PSK) to use for authenticating RSN or WPA clients,
in a service profile. Radios use the PSK as a pairwise master key (PMK) to derive unique pairwise
session keys for individual WPA clients.
Syntax
set service-profile profile-name [rsn-ie | wpa-ie] psk-raw hex
Defaults
None.
Access
Enabled.
Parameters (set service-profile [rsn-ie | wpa-ie] psk-phrase):
profile-name      Service profile name.
rsn-ie | wpa-ie   Enable psk-encryption on RSN IE or WPA IE clients.
passphrase        An ASCII string from 8 to 63 characters long. The string can contain blanks if you use quotation marks at the beginning and end of the string.
History (set service-profile [rsn-ie | wpa-ie] psk-phrase):
MSS Version 3.0   Command introduced.
MSS Version 7.1   Command moved to rsn-ie and wpa-ie as part of the mixed cipher feature.
Parameters (set service-profile [rsn-ie | wpa-ie] psk-raw):
profile-name      Service profile name.
rsn-ie | wpa-ie   Enable psk-encryption on RSN IE or WPA IE clients.
hex               A 64-bit ASCII string representing a 32-digit hexadecimal number. Enter the two-character ASCII form of each hexadecimal number.
History
Usage
MSS converts the hexadecimal number into a 256-bit binary number for system use. MSS
also stores the hexadecimal key in the MX configuration. The binary number is never displayed in
the configuration.
To use PSK authentication, you must enable it and you also must enable RSN-IE or WPA IE.
Examples
The following command configures service profile sp3 to use a raw PSK with PSK
clients:
MX# set service-profile sp3 wpa-ie psk-raw c25d3fe4483e867d1df96eaacdf8b02451fa0836162e758100f5f6b87965e59d
success: change accepted.
See Also
set mac-user attr on page 9-178
set service-profile [rsn-ie | wpa-ie] auth-psk on page 12-289
set service-profile [rsn-ie | wpa-ie] psk-phrase on page 12-301
set service-profile wpa-ie on page 12-321
show service-profile on page 12-357
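The psk-phrase and psk-raw Usage sections say MSS turns a passphrase into a 256-bit key and keeps only the hexadecimal form in the configuration. The Python below, added here and not part of the Trapeze documentation or of MSS, shows that mapping using the standard WPA/WPA2 personal derivation (PBKDF2-HMAC-SHA1 with the SSID as salt, 4096 iterations, 32-byte output); the page does not name the algorithm MSS uses, so treating it as the standard one is an assumption. The 64-hexadecimal-character length check for psk-raw is taken from the length of the example key on this page, and the test vector "password"/"IEEE" is the published IEEE 802.11i one.

```python
import hashlib

PMK_BYTES = 32            # 256-bit key, as the Usage text describes
PBKDF2_ITERATIONS = 4096  # WPA/WPA2 personal passphrase mapping (IEEE 802.11i); assumed to be what MSS uses


def is_valid_passphrase(passphrase: str) -> bool:
    """psk-phrase argument: 8 to 63 ASCII characters (blanks are allowed when quoted on the CLI)."""
    return 8 <= len(passphrase) <= 63 and passphrase.isascii()


def derive_psk(passphrase: str, ssid: str) -> bytes:
    """Map the passphrase to the 256-bit PSK. In personal mode this value is the PMK the
    radios use to derive per-client pairwise keys, so it is as sensitive as the passphrase."""
    if not is_valid_passphrase(passphrase):
        raise ValueError("passphrase must be 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), PBKDF2_ITERATIONS, PMK_BYTES)


def is_valid_psk_raw(hex_key: str) -> bool:
    """psk-raw argument: 64 hexadecimal characters encoding 32 bytes (length of the page's example)."""
    if len(hex_key) != 2 * PMK_BYTES:
        return False
    try:
        bytes.fromhex(hex_key)
    except ValueError:          # non-hexadecimal characters
        return False
    return True


def psk_raw_command(profile: str, ie: str, passphrase: str, ssid: str) -> str:
    """The psk-raw command equivalent to a psk-phrase command for the given SSID.
    Only this hexadecimal form ends up in the MX configuration; the passphrase does not."""
    return f"set service-profile {profile} {ie} psk-raw {derive_psk(passphrase, ssid).hex()}"
```

Because the SSID is the salt, the same passphrase produces a different raw key on every SSID; a psk-raw value copied from one service profile to another with a different SSID will not match what clients derive from the passphrase, and the stored hexadecimal key should be protected like the passphrase itself.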
set service-profile rsn-ie
Enables the Robust Security Network (RSN) Information Element (IE).
The RSN IE advertises the RSN (sometimes called WPA2) authentication methods and cipher
suites supported by radios in the radio profile mapped to the service profile.
Syntax
set service-profile profile-name rsn-ie {enable | disable}
auth-dot1x [enable | disable] auth-psk [enable | disable]
cipher-ccmp [enable | disable] cipher-tkip [enable | disable]
cipher-wep104 [enable | disable] cipher-wep40 [enable | disable]
Defaults
Disabled.
Access
Enabled.
History
Introduced in MSS Version 3.0.
Usage
When the RSN IE is enabled, you can enable the cipher suites you want the radios to
support.
Examples
The following command enables the RSN IE in service profile sprsn:
MX# set service-profile sprsn rsn-ie enable
success: change accepted.
See Also
set service-profile [rsn-ie | wpa-ie] auth-dot1x on page 12-287
History (set service-profile [rsn-ie | wpa-ie] psk-raw):
MSS Version 3.0   Command introduced.
MSS Version 7.1   Command moved to rsn-ie and wpa-ie as part of the mixed cipher feature.
Parameters (set service-profile rsn-ie):
profile-name   Service profile name.
enable         Enables the RSN IE.
disable        Disables the RSN IE.
set service-profile [rsn-ie | wpa-ie] auth-psk on page 12-289
set service-profile [rsn-ie | wpa-ie] cipher-ccmp on page 12-292
set service-profile [rsn-ie | wpa-ie] cipher-wep104 on page 12-293
set service-profile [rsn-ie | wpa-ie] cipher-wep40 on page 12-294
show service-profile on page 12-357
set service-profile shared-key-auth
Enables shared-key authentication, in a service profile.
Syntax
set service-profile profile-name shared-key-auth {enable | disable}
Defaults
Disabled.
Access
Enabled.
History
Introduced in MSS Version 3.0.
Usage
Shared-key authentication is supported only for encrypted SSIDs. In addition, if you
enable shared-key authentication, RSN, WPA, TKIP, and CCMP must be disabled. By default,
RSN, WPA, and CCMP are already disabled, but TKIP is enabled; you must manually disable
TKIP. To disable TKIP, use the set service-profile cipher-tkip disable command.
Examples
The following command enables shared-key authentication in service profile sp4:
MX# set service-profile sp4 shared-key-auth enable
success: change accepted.
See Also
set radio-profile mode on page 12-272
set service-profile [rsn-ie | wpa-ie] cipher-tkip on page 12-293
show service-profile on page 12-357
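Several Usage sections above state dependencies between service-profile options: CCMP, TKIP and dynamic WEP take effect only when rsn-ie or wpa-ie is enabled; PSK authentication needs auth-psk and rsn-ie/wpa-ie; shared-key-auth needs RSN, WPA, TKIP and CCMP disabled; and an enabled RSN IE is meant to carry at least one cipher suite. The Python below, added here and not Trapeze code, parses constructed set service-profile lines in the syntax documented on this page and reports violations of those rules. It deliberately ignores which IE (rsn-ie or wpa-ie) a cipher or PSK was set under, treats any psk-phrase, psk-raw or psk-encrypted line as "a PSK is configured", and adds editorial warnings about WEP and TKIP being legacy ciphers that the page itself does not make.

```python
import shlex
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class ProfileSecurity:
    """Security-related options of one service profile (only the ones the rules below need)."""
    name: str
    rsn_ie: bool = False
    wpa_ie: bool = False
    auth_psk: bool = False
    psk_configured: bool = False   # any psk-phrase, psk-raw or psk-encrypted line seen
    cipher_ccmp: bool = False
    cipher_tkip: bool = False
    cipher_wep104: bool = False
    cipher_wep40: bool = False
    shared_key_auth: bool = False


BOOL_OPTIONS = ("rsn-ie", "wpa-ie", "auth-psk", "cipher-ccmp", "cipher-tkip",
                "cipher-wep104", "cipher-wep40", "shared-key-auth")
PSK_OPTIONS = ("psk-phrase", "psk-raw", "psk-encrypted")


def parse_config(lines: List[str]) -> Dict[str, ProfileSecurity]:
    """Read 'set service-profile <name> [rsn-ie | wpa-ie] <option> ...' lines; other lines are skipped."""
    profiles: Dict[str, ProfileSecurity] = {}
    for raw in lines:
        parts = shlex.split(raw)          # keeps a quoted passphrase containing blanks as one token
        if len(parts) < 4 or parts[:2] != ["set", "service-profile"]:
            continue
        name, rest = parts[2], parts[3:]
        # "rsn-ie enable" toggles the IE itself; "rsn-ie cipher-ccmp enable" uses it as a prefix
        if rest[0] in ("rsn-ie", "wpa-ie") and len(rest) > 1 and rest[1] not in ("enable", "disable"):
            rest = rest[1:]
        option, args = rest[0], rest[1:]
        p = profiles.setdefault(name, ProfileSecurity(name))
        if option in BOOL_OPTIONS and args[:1] in (["enable"], ["disable"]):
            setattr(p, option.replace("-", "_"), args[0] == "enable")
        elif option in PSK_OPTIONS and args:
            p.psk_configured = True
    return profiles


def lint_profile(p: ProfileSecurity) -> List[str]:
    """Apply the dependency rules stated in the Usage sections; returns human-readable findings."""
    findings: List[str] = []
    ie_on = p.rsn_ie or p.wpa_ie
    ciphers = [("cipher-ccmp", p.cipher_ccmp), ("cipher-tkip", p.cipher_tkip),
               ("cipher-wep104", p.cipher_wep104), ("cipher-wep40", p.cipher_wep40)]
    for name, on in ciphers:
        if on and not ie_on:
            findings.append(f"error: {name} is enabled but neither rsn-ie nor wpa-ie is enabled")
    if p.psk_configured and not (p.auth_psk and ie_on):
        findings.append("error: a PSK is configured but auth-psk and rsn-ie/wpa-ie must both be enabled")
    if p.shared_key_auth:
        for name, on in (("rsn-ie", p.rsn_ie), ("wpa-ie", p.wpa_ie),
                         ("cipher-tkip", p.cipher_tkip), ("cipher-ccmp", p.cipher_ccmp)):
            if on:
                findings.append(f"error: shared-key-auth requires {name} to be disabled")
    if ie_on and not any(on for _, on in ciphers):
        findings.append("warning: rsn-ie/wpa-ie is enabled but no cipher suite is enabled")
    # Editorial hardening advice, not a rule from the page: WEP and TKIP are obsolete ciphers.
    for name, on in ciphers[1:]:
        if on:
            findings.append(f"warning: {name} is a legacy cipher; prefer cipher-ccmp")
    return findings


def lint_config(lines: List[str]) -> Dict[str, List[str]]:
    return {name: lint_profile(p) for name, p in parse_config(lines).items()}


# Constructed sample configuration in the syntax documented on this page (not from the page).
SAMPLE_CONFIG = [
    "set service-profile corp rsn-ie enable",
    "set service-profile corp rsn-ie cipher-ccmp enable",
    "set service-profile corp rsn-ie auth-psk enable",
    'set service-profile corp rsn-ie psk-phrase "correct horse battery staple"',
    "set service-profile guest wpa-ie cipher-tkip enable",
    "set service-profile legacy shared-key-auth enable",
    "set service-profile legacy wpa-ie enable",
    "set service-profile legacy wpa-ie cipher-wep40 enable",
]
```

Running lint_config over a saved configuration is a cheap way to catch a profile whose cipher or PSK settings silently have no effect because the corresponding IE was never enabled, which on this platform leaves the SSID weaker than its configuration suggests.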
set service-profile short-retry-count
Changes the short retry threshold for a service profile. The short retry threshold specifies the
number of times a radio can send a short unicast frame without receiving an acknowledgment. A
short unicast frame is a frame that is shorter than the frag-threshold.
Note (set service-profile shared-key-auth): Use this command only if advised to do so by Trapeze Networks. This command does
not enable preshared key (PSK) authentication for Wi-Fi Protected Access (WPA). To
enable PSK encryption for WPA, use the set service-profile auth-psk command.
Parameters (set service-profile shared-key-auth):
profile-name   Service profile name.
enable         Enables shared-key authentication.
disable        Disables shared-key authentication.
Syntax
set service-profile profile-name short-retry-count threshold
Defaults
The default short unicast retry threshold is 5 attempts.
Access
Enabled.
History
Introduced in MSS Version 4.2.
Examples
The following command changes the short retry threshold for service profile sp1 to 3:
MX# set service-profile sp1 short-retry-count 3
success: change accepted.
See Also
set radio-profile frag-threshold on page 12-271
set service-profile long-retry-count on page 12-298
show service-profile on page 12-357
set service-profile soda agent-directory
Specifies the directory on the MX where the SODA agent files for a service profile are located.
Syntax
set service-profile profile-name soda agent-directory directory
Defaults
By default, the MX expects SODA agent files to be located in a directory with the same
name as the service profile.
Access
Enabled.
History
Introduced in MSS Version 4.2.
Usage
If the same SODA agent is used for multiple service profiles, you can use this command to
specify a single directory for SODA agent files on the MX, rather than placing the same SODA
agent files in a separate directory for each service profile.
Examples
The following command specifies soda-agent as the location for SODA agent files for
service profile sp1:
MX# set service-profile sp1 soda agent-directory soda-agent
success: change accepted.
See Also
install soda agent on page 21-490
uninstall soda agent on page 21-502
show service-profile on page 12-357
set service-profile soda enforce-checks
Specifies whether a client is allowed access to the network after it has downloaded and run the
SODA agent security checks.
Parameters (set service-profile short-retry-count):
profile-name   Service profile name.
threshold      Number of times a radio can send the same short unicast frame. You can enter a value from 1 through 15.
Parameters (set service-profile soda agent-directory):
profile-name   Service profile name.
directory      Directory on the MX for SODA agent files.
Syntax
set service-profile profile-name soda enforce-checks {enable | disable}
Defaults
By default, SODA agent checks are performed before the client is allowed access to the
network.
Access
Enabled
History
Introduced in MSS Version 4.2.
Usage
When the SODA agent is enabled in a service profile, by default the SODA agent checks
are downloaded to a client and run before the client is allowed on the network. You can use this
command to disable the enforcement of the SODA security checks, so that the client is allowed
access to the network immediately after the SODA agent is downloaded, rather than waiting for
the security checks to be run.
When the enforce checks option is enabled, upon successful completion of the SODA agent checks,
the client performs an HTTP Get operation to load the success page. Upon loading the success
page, the client is granted access to the network.
In order for the client to load the success page, you must make sure the SODA agent is configured
(through SODA Manager) with the correct URL of the success page, so that the MX can serve the
page to the client.
Similarly, you must make sure the SODA agent is configured with the correct URLs of the failure
and logout pages, so that when the client requests these pages, the MX can serve those pages as
well.
Examples
The following command allows network access to clients after they have downloaded
the SODA agent, but without requiring that the SODA agent checks be completed:
MX# set service-profile sp1 soda enforce-checks disable
success: change accepted.
See Also
set service-profile soda mode on page 12-308
show service-profile on page 12-357
set service-profile soda failure-page
Specifies a page on the MX that loads when a client fails the security checks performed by the
SODA agent.
Syntax
set service-profile profile-name soda failure-page page
Defaults
By default, the MX dynamically generates a page indicating that the SODA agent
checks have failed.
Access
Enabled.
History
Introduced in MSS Version 4.2.
Parameters (set service-profile soda enforce-checks):
profile-name   Service profile name.
enable         SODA agent checks are performed before the client is allowed access to the network.
disable        Allows the client access to the network immediately after the SODA agent is downloaded, without waiting for the checks to be run.
Parameters (set service-profile soda failure-page):
profile-name   Service profile name.
page           Page that is loaded if the client fails the security checks performed by the SODA agent.
Usage
Use this command to specify a custom page to be loaded by the client when the SODA
agent checks fail. After this page is loaded, the specified remediation ACL takes effect, or if there
is no remediation ACL configured, then the client is disconnected from the network.
This functionality occurs only when the enforce checks option is enabled for the service profile. The
enforce checks option is enabled by default.
The page is assumed to reside in the root directory on the MX. You can optionally specify a
different directory where the page resides.
Examples
The following command specifies failure.html as the page to load when a client fails the
SODA agent checks:
MX# set service-profile sp1 soda failure-page failure.html
success: change accepted.
The following command specifies failure.html, in the soda-files directory, as the page to load when
a client fails the SODA agent checks:
MX# set service-profile sp1 soda failure-page soda-files/failure.html
success: change accepted.
See Also
set service-profile soda enforce-checks on page 12-305
set service-profile soda remediation-acl on page 12-308
show service-profile on page 12-357
set service-profile soda logout-page
Specifies a page on the MX switch that is loaded when a client logs out of the network by closing
the SODA virtual desktop.
Syntax
set service-profile profile-name soda logout-page page
Defaults
None.
Access
Enabled.
History
Introduced in MSS Version 4.2.
Usage
When a client closes the SODA virtual desktop, the client is automatically disconnected
from the network. You can use this command to specify a page that loads when the client closes
the SODA virtual desktop.
The client can request this page at any time, to ensure that the client session is terminated. You
can add the MX IP address to the DNS server as a well-known name, and you can advertise the
URL of the page to users as a logout page.
The page is assumed to reside in the root directory on the MX. You can optionally specify a
different directory where the page resides.
Note that you must also enable the HTTPS server on the MX, so that clients can log out of the
network and access the logout page using HTTPS. To do this, use the set ip https server enable
command.
Examples
The following command specifies logout.html as the page to load when a client closes the
SODA virtual desktop:
MX# set service-profile sp1 soda logout-page logout.html
success: change accepted.
Parameters (set service-profile soda logout-page):
profile-name   Service profile name.
page           Page that is loaded when the client closes the SODA virtual desktop.
MP Access Point Commands
Mobility System Software Command Reference Guide
Version 7.3
12 – 308
The following command specifies logout.html, in the soda-files directory, as the page to load when
a client closes the SODA virtual desktop:
MX# set service-profile sp1 soda logout-page soda-files/logout.html
success: change accepted.
See Also
set ip https server on page 8-109
show service-profile on page 12-357
set service-profile soda mode
Enables or disables Sygate On-Demand (SODA) functionality for a service profile.
Syntax
set service-profile profile-name soda mode {enable | disable}
Defaults
Disabled.
Access
Enabled.
History
Introduced in MSS Version 4.2.
Usage
When SODA functionality is enabled for a service profile, a SODA agent is downloaded to
clients attempting to connect to an MP managed by the service profile. The SODA agent performs
a series of security-related checks on the client. If the client passes the checks, then the client is
allowed on the network.
In release 4.2, SODA functionality requires that Web Portal WebAAA also be enabled for the
service profile.
Examples
The following command enables SODA functionality for service profile sp1:
MX# set service-profile sp1 soda mode enable
success: change accepted.
See Also
install soda agent on page 21-490
set service-profile soda enforce-checks on page 12-305
show service-profile on page 12-357
set service-profile soda remediation-acl
Specifies an ACL to be applied to a client if it fails the checks performed by the SODA agent.
Syntax
set service-profile profile-name soda remediation-acl acl-name
Defaults
None.
Access
Enabled.
profile-name Service profile name.
enable Enables SODA functionality for the service profile.
disable Disables SODA functionality for the service profile.
profile-name Service profile name.
acl-name Name of an existing security ACL to use as a remediation ACL for this service profile. ACL names must start with a letter and are case-insensitive.
History
Introduced in MSS Version 4.2.
Usage
If the SODA agent checks fail on a client, by default the client is disconnected from the
network. Optionally, you can specify a failure page for the client to load (with the set
service-profile soda failure-page command). When the failure page is loaded, you can
optionally specify a remediation ACL to apply to the client. The remediation ACL can be used to
grant the client limited access to network resources, for example. If there is no remediation ACL
configured, then the client is disconnected from the network when the failure page is loaded.
This functionality occurs only when the enforce checks option is enabled for the service profile. The
enforce checks option is enabled by default.
Examples
The following command configures the MX to apply acl-1 to a client when it loads the
failure page:
MX# set service-profile sp1 soda remediation-acl acl-1
success: change accepted.
See Also
set service-profile soda enforce-checks on page 12-305
set service-profile soda failure-page on page 12-306
show service-profile on page 12-357
set service-profile soda success-page
Specifies a page on the MX that loads when a client passes the security checks performed by the
SODA agent.
Syntax
set service-profile profile-name soda success-page page
Defaults
By default, the MX generates a page indicating that the client passed the SODA agent
checks.
Access
Enabled.
History
Introduced in MSS Version 4.2.
Usage
Use this command to specify a custom page loaded by the client when it passes the checks
performed by the SODA agent. After this page is loaded, the client is placed in its assigned VLAN
and granted access to the network.
The page is assumed to reside in the root directory on the MX. You can optionally specify a
different directory where the page resides.
This functionality occurs only when the enforce checks option is enabled for the service profile. The
enforce checks option is enabled by default.
Examples
The following command specifies success.html, which resides in the root directory on the
MX, as the page to load when a client passes the SODA agent checks:
MX# set service-profile sp1 soda success-page success.html
success: change accepted.
The following command specifies success.html, which resides in the soda-files directory on the MX
switch, as the page to load when a client passes the SODA agent checks:
MX# set service-profile sp1 soda success-page soda-files/success.html
success: change accepted.
profile-name Service profile name.
page Page loaded if the client passes the security checks performed by the SODA agent.
See Also
set service-profile soda enforce-checks on page 12-305
set service-profile soda mode on page 12-308
show service-profile on page 12-357
set service-profile ssid-name
Configures the SSID name in a service profile.
Syntax
set service-profile profile-name ssid-name ssid-name
Defaults
The default SSID type is crypto (encrypted) and the default name is trapeze.
Access
Enabled.
History
Examples
The following command applies the name guest to the SSID managed by service profile
clear_wlan:
MX# set service-profile clear_wlan ssid-name guest
success: change accepted.
The following command applies the name corporate users to the SSID managed by service profile
mycorp_srvcprf:
MX# set service-profile mycorp_srvcprf ssid-name "corporate users"
success: change accepted.
See Also
set service-profile ssid-type on page 12-310
show service-profile on page 12-357
set service-profile ssid-type
Specifies whether the SSID managed by a service profile is encrypted or unencrypted.
Syntax
set service-profile profile-name ssid-type [clear | crypto]
profile-name Service profile name.
ssid-name Name of up to 32 alphanumeric characters. You can include blank spaces in the name, if you delimit the name with single or double quotation marks. You must use the same type of quotation mark (either single or double) on both ends of the string.
Version 3.0 Command introduced.
Version 4.0 Support added for blank spaces in the SSID name.
profile-name Service profile name.
clear Wireless traffic for the service profile’s SSID is not encrypted.
crypto Wireless traffic for the service profile’s SSID is encrypted.
Defaults
The default SSID type is crypto.
Access
Enabled.
History
Introduced in MSS Version 3.0.
Examples
The following command changes the SSID type for service profile clear_wlan to clear:
MX# set service-profile clear_wlan ssid-type clear
success: change accepted.
See Also
set service-profile ssid-name on page 12-310
show service-profile on page 12-357
set service-profile static-cos
Enables or disables static CoS on a service profile. Static CoS assigns the same CoS level to all
traffic on the service profile SSID, regardless of 802.1p or DSCP markings in the packets
themselves, and regardless of any ACLs that mark CoS. This option provides a simple way to
configure an SSID for priority traffic such as VoIP traffic.
When static CoS is enabled, the standard MSS prioritization mechanism is not used. Instead, the
MP sets CoS as follows:
For traffic from the MP to clients, the MP places the traffic into the forwarding queue that
corresponds to the CoS level configured on the service profile. For example, if the static CoS
level is set to 7, the MP radio places client traffic in its Voice queue.
For traffic from clients to the network, the MP marks the DSCP value in the IP headers of the
tunnel packets used to carry the user data from the MP to the MX.
Syntax
set service-profile profile-name static-cos {enable | disable}
Defaults
Static CoS is disabled by default.
Access
Enabled.
History
Introduced in MSS Version 4.2.
Usage
The CoS level is specified by the set service-profile cos command.
Examples
The following command enables static CoS on service profile sp1:
MX# set service-profile sp1 static-cos enable
success: change accepted.
See Also
set service-profile cos on page 12-295
show service-profile on page 12-357
profile-name Service profile name.
enable Enables static CoS on the service profile.
disable Disables static CoS on the service profile.
MSS Version 4.2 Command introduced.
MSS Version 7.1 Command deprecated.
set service-profile tkip-mc-time
Changes the length of time that MP radios use countermeasures if two message integrity code
(MIC) failures occur within 60 seconds. When countermeasures are in effect, MP radios dissociate
all TKIP and WPA WEP clients and refuse all association and reassociation requests until the
countermeasures end.
Syntax
set service-profile profile-name tkip-mc-time wait-time
Defaults
The default countermeasures wait time is 60,000 ms (60 seconds).
Access
Enabled.
History
Introduced in MSS Version 3.0.
Usage
Countermeasures apply only to TKIP and WEP clients. This includes WPA WEP clients
and non-WPA WEP clients. CCMP clients are not affected.
The TKIP cipher suite must be enabled. The WPA IE also must be enabled.
Examples
The following command changes the countermeasures wait time for service profile sp3
to 30,000 ms (30 seconds):
MX# set service-profile sp3 tkip-mc-time 30000
success: change accepted.
See Also
set service-profile [rsn-ie | wpa-ie] cipher-tkip on page 12-293
set service-profile wpa-ie on page 12-321
show service-profile on page 12-357
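To see how the tkip-mc-time value bounds the time clients are locked out after a burst of MIC failures, here is an added example (not Trapeze code) that models the documented trigger, two MIC failures within 60 seconds, and the resulting countermeasure windows; it assumes, because the reference does not say, that failures reported while countermeasures are already active are ignored and that the pairing of failures starts over once countermeasures end.

```python
"""Model of the TKIP MIC-failure countermeasure timing behind tkip-mc-time.

Added example, not Trapeze code. The trigger is the one stated in the
reference (two MIC failures within 60 seconds); the wait time is the
tkip-mc-time value in milliseconds. Assumed, because the reference does
not say: failures reported while countermeasures are already active are
ignored, and the pairing of failures starts over after countermeasures end.
"""
MIC_PAIR_WINDOW_MS = 60_000   # two MIC failures within this window trigger countermeasures
DEFAULT_WAIT_MS = 60_000      # default tkip-mc-time
MAX_WAIT_MS = 60_000          # largest value the command accepts


def countermeasure_windows(mic_failures_ms, wait_time_ms=DEFAULT_WAIT_MS):
    """Return [(start_ms, end_ms), ...]: intervals in which the radio has
    dissociated its TKIP/WEP clients and refuses (re)association requests."""
    if not 0 <= wait_time_ms <= MAX_WAIT_MS:
        raise ValueError("tkip-mc-time must be 0 to 60,000 ms")
    windows = []
    previous = None        # time of the last MIC failure still waiting for a partner
    active_until = None    # end of the countermeasure window in effect, if any
    for t in sorted(mic_failures_ms):
        if active_until is not None and t < active_until:
            continue       # assumption: a failure during countermeasures does not extend them
        if previous is not None and t - previous <= MIC_PAIR_WINDOW_MS:
            active_until = t + wait_time_ms
            windows.append((t, active_until))
            previous = None   # assumption: pairing starts over after this window
        else:
            previous = t
    return windows


def association_refused(windows, t_ms):
    """True when a (re)association attempt at t_ms would be refused."""
    return any(start <= t_ms < end for start, end in windows)


def total_lockout_ms(windows):
    """Total time clients were locked out; useful when tuning the wait time."""
    return sum(end - start for start, end in windows)
```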
set service-profile transmit-rates
Changes the data rates supported by MP radios for a service-profile SSID.
Syntax
set service-profile profile-name transmit-rates {11a | 11b | 11g | 11na | 11ng} mandatory rate-list [disabled rate-list] [beacon-rate rate] [multicast-rate {rate | auto}]
profile-name Service profile name.
tkip-mc-time Number of milliseconds (ms) countermeasures remain in effect. You can specify from 0 to 60,000.
profile-name Service profile name.
11a | 11b | 11g | 11na | 11ng Radio type.
Defaults
This command has the following defaults:
disabled—None. All rates applicable to the radio type are supported by default.
beacon-rate:
11a—6.0
11b—2.0
11g—2.0
multicast-rate: auto for all radio types.
Access
Enabled.
History
Usage
If you disable a rate, you cannot use the rate as a mandatory rate or the beacon or
multicast rate. All rates that are applicable to the radio type and that are not disabled are
supported by the radio.
mandatory rate-list Set of data transmission rates that clients are required to support in order to associate with an SSID on an MP radio. A client must support at least one of the mandatory rates. These rates are advertised in the basic rate set of 802.11 beacons, probe responses, and reassociation response frames sent by MP radios. Data frames and management frames sent by MP radios use one of the specified mandatory rates.
The valid rates depend on the radio type:
11a—6.0, 9.0, 12.0, 18.0, 24.0, 36.0, 48.0, 54.0
11b—1.0, 2.0, 5.5, 11.0
11g—1.0, 2.0, 5.5, 6.0, 9.0, 11.0, 12.0, 18.0, 24.0, 36.0, 48.0, 54.0
11na—6.0, 9.0, 12.0, 18.0, 24.0, 36.0, 48.0, 54.0, m0, m1, m2, m3, m4, m5, m6, m7, m8, m9, m10, m11, m12, m13, m14, m15
11ng—1.0, 2.0, 5.5, 6.0, 9.0, 11.0, 12.0, 18.0, 24.0, 36.0, 48.0, 54.0, m0, m1, m2, m3, m4, m5, m6, m7, m8, m9, m10, m11, m12, m13, m14, m15
Use a comma to separate multiple rates, for example: 6.0,9.0,12.0.
disabled rate-list Data transmission rates that MP radios do not use to transmit data. This setting applies only to data sent by the MP radios. The radios still accept frames from clients at disabled data rates. The valid rates depend on the radio type and are the same as the valid rates for mandatory.
beacon-rate rate Data rate of beacon frames sent by MP radios. This rate is also used for probe-response frames. The valid rates depend on the radio type and are the same as the valid rates for mandatory. However, you cannot set the beacon rate to a disabled rate.
multicast-rate {rate | auto} Data rate of multicast frames sent by MP radios.
rate—Sets the multicast rate to a specific rate. The valid rates depend on the radio type and are the same as the valid rates for mandatory. However, you cannot set the multicast rate to a disabled rate.
auto—Sets the multicast rate to the highest rate that can reach all clients connected to the MP radio.
MSS Version 4.2 Command introduced.
MSS Version 7.0 Default rates for the mandatory option were removed.
Examples
The following command sets 802.11a mandatory rates for service profile sp1 to 6 Mbps
and 9 Mbps, disables rates 48 Mbps and 54 Mbps, and changes the beacon rate to 9 Mbps:
MX# set service-profile sp1 transmit-rates 11a mandatory 6.0,9.0 disabled 48.0,54.0 beacon-rate 9.0
success: change accepted.
See Also
show service-profile on page 12-357
set radio-profile rate-enforcement on page 12-276
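An added example, not Trapeze code, that checks a transmit-rates combination against the rules stated above (the valid rate set per radio type, at least one mandatory rate, and no disabled rate used as a mandatory, beacon, or multicast rate) and renders the command line in the documented argument order, so a rate plan can be validated before it is pushed to an MX.

```python
"""Check and render 'set service-profile ... transmit-rates' commands.

Added example, not Trapeze code. It encodes the rules stated in the
reference: the valid rate set per radio type, at least one mandatory rate,
and that a disabled rate cannot be a mandatory, beacon, or multicast rate.
"""

LEGACY_A = ["6.0", "9.0", "12.0", "18.0", "24.0", "36.0", "48.0", "54.0"]
LEGACY_B = ["1.0", "2.0", "5.5", "11.0"]
LEGACY_G = ["1.0", "2.0", "5.5", "6.0", "9.0", "11.0", "12.0", "18.0",
            "24.0", "36.0", "48.0", "54.0"]
MCS = [f"m{i}" for i in range(16)]  # m0 .. m15, the 802.11n MCS rates

VALID_RATES = {
    "11a": LEGACY_A,
    "11b": LEGACY_B,
    "11g": LEGACY_G,
    "11na": LEGACY_A + MCS,
    "11ng": LEGACY_G + MCS,
}


def transmit_rate_problems(radio_type, mandatory, disabled=(),
                           beacon_rate=None, multicast_rate="auto"):
    """Return the rule violations for this combination (empty list = acceptable)."""
    valid = VALID_RATES.get(radio_type)
    if valid is None:
        return [f"unknown radio type {radio_type!r}"]
    problems = []
    if not mandatory:
        problems.append("at least one mandatory rate is required")
    for label, rates in (("mandatory", mandatory), ("disabled", disabled)):
        for rate in rates:
            if rate not in valid:
                problems.append(f"{label} rate {rate} is not valid for {radio_type}")
    disabled_set = set(disabled)
    for rate in mandatory:
        if rate in disabled_set:
            problems.append(f"mandatory rate {rate} is also disabled")
    # beacon-rate and multicast-rate may not name a disabled rate; 'auto' is multicast-only
    for label, rate in (("beacon", beacon_rate), ("multicast", multicast_rate)):
        if rate is None or (label == "multicast" and rate == "auto"):
            continue
        if rate not in valid:
            problems.append(f"{label} rate {rate} is not valid for {radio_type}")
        elif rate in disabled_set:
            problems.append(f"{label} rate {rate} is disabled")
    return problems


def build_transmit_rates_command(profile, radio_type, mandatory, disabled=(),
                                 beacon_rate=None, multicast_rate="auto"):
    """Render the CLI line in the documented argument order, or raise ValueError."""
    problems = transmit_rate_problems(radio_type, mandatory, disabled,
                                      beacon_rate, multicast_rate)
    if problems:
        raise ValueError("; ".join(problems))
    parts = [f"set service-profile {profile} transmit-rates {radio_type}",
             "mandatory " + ",".join(mandatory)]
    if disabled:
        parts.append("disabled " + ",".join(disabled))
    if beacon_rate is not None:
        parts.append(f"beacon-rate {beacon_rate}")
    if multicast_rate != "auto":  # auto is the default, so it is left implicit
        parts.append(f"multicast-rate {multicast_rate}")
    return " ".join(parts)
```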
set service-profile use-client-dscp
Configures MSS to classify the QoS level of IP packets based on their DSCP value, instead of their
802.11 priority.
Syntax
set service-profile profile-name use-client-dscp {enable | disable}
Defaults
Disabled.
Access
Enabled.
History
Usage
If this option is enabled in the service profile, the 802.11 QoS level is ignored, and MSS
classifies the QoS level of IP packets based on their DSCP value.
Examples
The following command enables mapping the QoS level of IP packets based on their
DSCP value for service profile sp1:
MX# set service-profile sp1 use-client-dscp enable
success: change accepted.
See Also
show qos on page 7-88
show service-profile on page 12-357
set service-profile user-idle-timeout
Changes the number of seconds MSS keeps a session available for a client that is not sending data
and is not responding to keepalives (idle-client probes). If the timer expires, the client session is
changed to the Dissociated state.
The timer is reset to 0 each time the client sends data or responds to an idle-client probe. If
idle-client probing is disabled, the timer is reset each time the client sends data.
profile-name Service profile name.
enable Enables mapping QoS level from the DSCP level.
disable Disables mapping QoS level from the DSCP level.
MSS Version 6.0 Command introduced.
MSS Version 7.3 Command deprecated.
Syntax
set service-profile profile-name user-idle-timeout seconds
Defaults
The default user idle timeout is 180 seconds (3 minutes).
Access
Enabled.
History
Introduced in MSS Version 4.2.
Examples
The following command increases the user idle timeout to 360 seconds (6 minutes):
MX# set service-profile sp1 user-idle-timeout 360
success: change accepted.
See Also
set service-profile idle-client-probing on page 12-296
set service-profile web-portal-session-timeout on page 12-318
show service-profile on page 12-357
set service-profile web-portal-acl
Changes the ACL name MSS uses to filter Web-Portal user traffic during authentication.
Use this command if you create a custom Web-Portal ACL to allow more than just DHCP traffic
during authentication. For example, if you configure an ACL that allows a Web-Portal user to
access a credit card server, this command makes MSS use that custom ACL for Web-Portal users
that associate with the service profile SSID.
Syntax
set service-profile profile-name web-portal-acl aclname
Defaults
By default, a service profile web-portal-acl option is unset. However, when you change
the service profile auth-fallthru option to web-portal, MSS sets the web-portal-acl option to
portalacl. (MSS automatically creates the portalacl ACL the first time you set any service profile
auth-fallthru option to web-portal.)
Access
Enabled.
History
Introduced in MSS Version 5.0.
Usage
The first time you set the service profile auth-fallthru option to web-portal, MSS sets
the web-portal-acl option to portalacl. The value remains portalacl even if you change the
auth-fallthru option again. To change the web-portal-acl value, you must use the set
service-profile web-portal-acl command.
The Web-Portal ACL applies only to users who log on using Web-Portal, and applies only during
authentication. After a Web-Portal user is authenticated, the Web-Portal ACL no longer applies.
ACLs and other user attributes assigned to the username are applied instead.
profile-name Service profile name.
seconds Number of seconds a client is allowed to remain idle before MSS changes the session to the Dissociated state. You can specify from 20 to 86400 seconds. To disable the timer, specify 0.
profile-name Service profile name.
aclname Name of the ACL to use for filtering Web-Portal user traffic during authentication.
Examples
The following command changes the Web-Portal ACL name on service profile sp3 to
creditsrvr:
MX# set service-profile sp3 web-portal-acl creditsrvr
success: change accepted.
See Also
set service-profile [rsn-ie | wpa-ie] auth-fallthru on page 12-287
show service-profile on page 12-357
set service-profile web-portal-form
Specifies a custom login page that loads for WebAAA users requesting the SSID managed by the
service profile.
Syntax
set service-profile profile-name web-portal-form url
Defaults
The Trapeze Networks Web login page is served by default.
Access
Enabled.
History
Usage
It is recommended that you create a subdirectory for the custom page and place all of the
files for the page in that subdirectory. Do not place the custom page in the root directory of the MX
user file area.
If the custom login page includes gif or jpg images, their path names are interpreted relative to
the directory from which the page is served.
The web-portal authentication type also requires additional configuration items. (See the
“Configuring AAA for Network Users” chapter of the Trapeze Mobility System Software
Configuration Guide.)
Examples
The following commands create a subdirectory named corpa, copy a custom login page
named corpa-login.html and a jpg image named corpa-logo.jpg into that subdirectory, and set the
Web login page for service profile corpa-service to corpa-login.html:
profile-name Service profile name.
url MX subdirectory name and HTML page name of the login page. Specify the full path. For example, corpa-ssid/corpa.html.
Version 3.0 Command introduced.
Version 4.0 Option name changed from web-aaa-form to web-portal-form, to reflect change to portal-based implementation.
Note:
To use WebAAA, the fallthru authentication type in the service profile that
manages the SSID must be set to web-portal. To use WebAAA for a wired
authentication port, edit the port configuration with the set port type
wired-auth command.
MX# mkdir corpa
success: change accepted.
MX# copy tftp://10.1.1.1/corpa-login.html corpa/corpa-login.html
success: received 637 bytes in 0.253 seconds [ 2517 bytes/sec]
MX# copy tftp://10.1.1.1/corpa-logo.jpg corpa/corpa-logo.jpg
success: received 1202 bytes in 0.402 seconds [ 2112 bytes/sec]
MX# dir corpa
===============================================================================
file:
Filename Size Created
file:corpa-login.html 637 bytes Aug 12 2004, 15:42:26
file:corpa-logo.jpg 1202 bytes Aug 12 2004, 15:57:11
Total: 1839 bytes used, 206577 Kbytes free
MX# set service-profile corpa-service web-portal-form corpa/corpa-login.html
success: change accepted.
See Also
copy on page 21-485
dir on page 21-488
mkdir on page 21-492
set port type wired-auth on page 5-60
set service-profile [rsn-ie | wpa-ie] auth-fallthru on page 12-287
set web-portal on page 9-189
show service-profile on page 12-357
set service-profile web-portal-logout logout-url
Specifies the URL that is requested when the user terminates a session in the Mobility Domain.
Syntax
set service-profile profile-name web-portal-logout logout-url url
Defaults
By default, the logout URL uses the IP address of the MX as the host part of the URL.
The host can be either an IP address or a hostname.
Access
Enabled.
History
Introduced in MSS Version 6.0.
Usage
Specifying the URL for the Web Portal logout feature is useful if you want to standardize
the URL across your network. For example, you can configure the logout URL on all of the MX
switches in the Mobility Domain as wifizone.trpz.com/logout.html, where wifizone.trpz.com
resolves to one of the MX switches in the Mobility Domain, ideally the seed.
To log out of the network, the user can click End Session in the window, or request the logout URL
directly.
Standardizing the logout URL serves as a backup means for the user to log out in case the
pop-under window is closed inadvertently. Note that if a user requests the logout URL, he or she
must enter a username and password in order to identify the session on the MX. The username
and password are both required to identify the session. If there is more than one session with the
same username, then requesting the logout URL does not end any session.
profile-name Service profile name.
url Specifies the URL for the Web Portal logout feature. The URL should be of the form https://host/logout.html.
Examples
The following command configures the Web Portal logout URL as wifizone.trpz.com/logout.html for service profile sp1:
MX# set service-profile sp1 web-portal-logout logout-url https://wifizone.trpz.com/logout.html
success: change accepted.
See Also
set service-profile web-portal-logout mode on page 12-318
show service-profile on page 12-357
set service-profile web-portal-logout mode
Enables the Web Portal logout functionality, so that a user can manually terminate his or her
session.
Syntax
set service-profile profile-name web-portal-logout mode {enable | disable}
Defaults
Disabled.
Access
Enabled.
History
Introduced in MSS Version 6.0.
Usage
When Web Portal logout functionality is enabled, after a Web Portal WebAAA user is
successfully authenticated and redirected to the requested page, a pop-under window appears
behind the user’s browser. The window contains a button labeled “End Session”. When the user
clicks this button, a URL is requested that terminates the user’s session in the Mobility Domain.
This feature allows Web Portal users a way to manually log out of the network, instead of
automatically logging out when the Web Portal WebAAA session timeout period expires.
Examples
The following command enables the Web Portal logout functionality for service profile
sp1.
MX# set service-profile sp1 web-portal-logout mode enable
success: change accepted.
See Also
set service-profile web-portal-logout logout-url on page 12-317
show service-profile on page 12-357
set service-profile web-portal-session-timeout
Changes the number of seconds MSS allows Web Portal WebAAA sessions to remain in the
Deassociated state before being terminated automatically.
profile-name Service profile name.
enable Enables the Web Portal logout functionality
disable Disables the Web Portal logout functionality.
Syntax
set service-profile name web-portal-session-timeout seconds
Defaults
The default Web Portal WebAAA session timeout is 5 seconds.
Access
Enabled.
History
Introduced in MSS Version 4.2.
Usage
When a client that has connected through Web Portal WebAAA enters standby or
hibernation mode, the client may be idle for longer than the User idle-timeout period. When the
User idle-timeout period expires, MSS places the client Web Portal WebAAA session in the
Deassociated state. The Web Portal WebAAA session can remain in the Deassociated state for a
configurable amount of time before being terminated automatically. This configurable amount of
time is called the Web Portal WebAAA session timeout period. You can use this command to set
the number of seconds in the Web Portal WebAAA session timeout period.
Note that the Web Portal WebAAA session timeout period applies only to Web Portal WebAAA
sessions already authenticated with a username and password. For all other Web Portal WebAAA
sessions, the default Web Portal WebAAA session timeout period of 5 seconds is used.
Examples
The following command allows Web Portal WebAAA sessions to remain in the
Deassociated state 180 seconds before being terminated automatically.
MX# set service-profile sp1 web-portal-session-timeout 180
success: change accepted.
See Also
set service-profile user-idle-timeout on page 12-314
show service-profile on page 12-357
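To make the interaction between user-idle-timeout (described earlier in this chapter) and the Web Portal WebAAA session timeout concrete, here is an added example, not Trapeze code, that computes from a list of client activity events when a session becomes Dissociated and when it is terminated; it assumes the session starts at time 0 and that activity after the idle timer has expired does not revive the session.

```python
"""Model of user-idle-timeout and web-portal-session-timeout together.

Added example, not Trapeze code. It follows the reference text: the idle
timer restarts on client data and, when idle-client probing is on, on probe
replies; when it expires the session becomes Dissociated; an authenticated
Web Portal WebAAA session then stays Deassociated for the configured
web-portal-session-timeout, any other Web Portal session for the 5-second
default, before it is terminated. Assumed: the session starts at t=0 and
activity after expiry does not revive it.
"""
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

DEFAULT_IDLE_TIMEOUT = 180            # seconds
DEFAULT_PORTAL_SESSION_TIMEOUT = 5    # seconds


def check_idle_timeout(seconds: int) -> None:
    if seconds != 0 and not 20 <= seconds <= 86400:
        raise ValueError("user-idle-timeout must be 0 (disabled) or 20 to 86400 seconds")


def check_portal_session_timeout(seconds: int) -> None:
    if not 5 <= seconds <= 28800:
        raise ValueError("web-portal-session-timeout must be 5 to 28800 seconds")


@dataclass
class Lifecycle:
    dissociated_at: Optional[int]     # None when the idle timer is disabled
    terminated_at: Optional[int]


def web_portal_lifecycle(events: Iterable[Tuple[int, str]],
                         idle_timeout: int = DEFAULT_IDLE_TIMEOUT,
                         portal_timeout: int = DEFAULT_PORTAL_SESSION_TIMEOUT,
                         authenticated: bool = True,
                         idle_probing: bool = True) -> Lifecycle:
    """events: (seconds since session start, 'data' | 'probe_reply')."""
    check_idle_timeout(idle_timeout)
    check_portal_session_timeout(portal_timeout)
    if idle_timeout == 0:
        return Lifecycle(None, None)      # timer disabled: the session never idles out
    last_activity = 0
    for t, kind in sorted(events):
        if t >= last_activity + idle_timeout:
            break                         # the timer expired before this event
        if kind == "data" or (kind == "probe_reply" and idle_probing):
            last_activity = t             # counted activity resets the timer to 0
    dissociated = last_activity + idle_timeout
    # only sessions authenticated with a username and password get the configured hold time
    hold = portal_timeout if authenticated else DEFAULT_PORTAL_SESSION_TIMEOUT
    return Lifecycle(dissociated, dissociated + hold)
```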
set service-profile wep active-multicast-index
Specifies the static Wired-Equivalent Privacy (WEP) key (one of four) to use for encrypting
multicast frames.
Syntax
set service-profile profile-name wep active-multicast-index num
Defaults
If WEP encryption is enabled and WEP keys are defined, MP radios use WEP key 1 to
encrypt multicast frames, by default.
Access
Enabled.
History
Introduced in MSS Version 3.0.
Usage
Before using this command, you must configure values for the WEP keys you plan to use.
Use the set service-profile wep key-index command.
Examples
The following command configures service profile sp2 to use WEP key 2 for encrypting
multicast traffic:
MX# set service-profile sp2 wep active-multicast-index 2
name Service profile name.
seconds Number of seconds MSS allows Web Portal WebAAA sessions to remain in the Deassociated state before being terminated automatically. You can specify from 5 to 28800 seconds.
profile-name Service profile name.
num WEP key number. You can enter a value from 1 through 4.
success: change accepted.
See Also
set service-profile wep active-unicast-index on page 12-320
set service-profile wep key-index on page 12-320
show service-profile on page 12-357
set service-profile wep active-unicast-index
Specifies the static Wired-Equivalent Privacy (WEP) key (one of four) to use for encrypting unicast
frames.
Syntax
set service-profile profile-name wep active-unicast-index num
Defaults
If WEP encryption is enabled and WEP keys are defined, MP radios use WEP key 1 to
encrypt unicast frames, by default.
Access
Enabled.
History
Introduced in MSS Version 3.0.
Usage
Before using this command, you must configure values for the WEP keys you plan to use.
Use the set service-profile wep key-index command.
Examples
The following command configures service profile sp2 to use WEP key 4 for encrypting
unicast traffic:
MX# set service-profile sp2 wep active-unicast-index 4
success: change accepted.
See Also
set service-profile wep active-multicast-index on page 12-319
set service-profile wep key-index on page 12-320
show service-profile on page 12-357
set service-profile wep key-index
Sets the value of one of four static Wired-Equivalent Privacy (WEP) keys for static WEP
encryption.
Syntax
set service-profile profile-name wep key-index num key value
profile-name Service profile name.
num WEP key number. You can enter a value from 1 through 4.
profile-name Service profile name.
key-index num WEP key index. You can enter a value from 1 through 4.
key value Hexadecimal value of the key. You can enter a 10-character ASCII string representing a 5-byte hexadecimal number or a 26-character ASCII string representing a 13-byte hexadecimal number. You can use numbers or letters. ASCII characters in the following ranges are supported: 0 to 9, A to F, a to f.
Defaults
By default, no static WEP keys are defined.
Access
Enabled.
History
Introduced in MSS Version 3.0.
Usage
MSS automatically enables static WEP when you define a WEP key. MSS continues to
support dynamic WEP.
Examples
The following command configures a 5-byte WEP key for key index 1 on service profile
sp2 to aabbccddee:
MX# set service-profile sp2 wep key-index 1 key aabbccddee
success: change accepted.
See Also
set service-profile wep active-multicast-index on page 12-319
set service-profile wep active-unicast-index on page 12-320
show service-profile on page 12-357
set service-profile wpa-ie
Enables the WPA information element (IE) in wireless frames. The WPA IE advertises the WPA
authentication methods and cipher suites supported by radios in the radio profile mapped to the
service profile.
Syntax
set service-profile profile-name wpa-ie {enable | disable}
auth-dot1x [enable | disable] auth-psk [enable | disable]
cipher-ccmp [enable | disable] cipher-tkip [enable | disable]
cipher-wep104 [enable | disable] cipher-40 [enable | disable]
Defaults
Disabled.
Access
Enabled.
History
Introduced in MSS Version 3.0.
Usage
When the WPA IE is enabled, you can enable the cipher suites supported by the radios.
Examples
The following command enables the WPA IE in service profile sp2:
MX# set service-profile sp2 wpa-ie enable
success: change accepted.
See Also
set service-profile [rsn-ie | wpa-ie] auth-dot1x on page 12-287
set service-profile [rsn-ie | wpa-ie] auth-psk on page 12-289
set service-profile [rsn-ie | wpa-ie] cipher-ccmp on page 12-292
set service-profile [rsn-ie | wpa-ie] cipher-tkip on page 12-293
profile-name Service profile name.
enable Enables the WPA IE.
disable Disables the WPA IE.
MSS Version 3.0 Command introduced.
MSS Version 7.1 Ciphers moved under this command to support mixed ciphers per service profile.
set service-profile [rsn-ie | wpa-ie] cipher-wep104 on page 12-293
set service-profile [rsn-ie | wpa-ie] cipher-wep40 on page 12-294
show service-profile on page 12-357
show ap 11n-counters
Displays 802.11n statistics for 802.11n MPs.
Syntax
show ap 11n-counters [apnum | radio [1 | 2]]
Defaults
None
Access
Enabled
History
Introduced in MSS Version 7.0.
Usage
Displays channel width, data rates, HT modes, and Ethernet links for 802.11n MPs.
Examples
Use the following command to display 802.11n statistics for all 802.11n MPs or a single
802.11n radio.
MX# show ap 11n-counters 3 radio 1
AP: 9980 radio: 1
=================================
Packet stats:
Tx packets count: 999002 Rx packets count: 999001
40MHz Tx packets count: 999004 40MHz Rx packets count: 999003
Tx packets retry count: 999005
Client stats:
Assciated clients: 999006 11n clients: 999007
Powersave clients: 999008 SM powersave clients: 999009
Frame aggregation stats:
A-MSDU Tx count: 999011 A-MPDU Tx count: 999017
A-MSDU Rx count: 999010 A-MPDU Rx count: 999016
A-MSDU Tx frame count: 999013 A-MPDU Tx frame count: 999019
A-MSDU Rx frame count: 999012 A-MPDU Rx frame count: 999018
A-MSDU retry count: 999014 A-MPDU retry count: 999020
Compound aggregates: 999022
size(bytes) <=4k <=8k <=16k <=32k <=64k | Peak
----------- ---------- ---------- ---------- ---------- ---------- - ----------
A-MPDU Tx: 999026 999030 999034 999038 999042 | 999046
A-MPDU Rx: 999025 999029 999033 999037 999041 | 999045
A-MSDU Tx: 999024 999028 999032 999036 999040 | 999044
A-MSDU Rx: 999023 999027 999031 999035 999039 | 999043
subframes <=4k <=8k <=16k <=32k <=64k | Peak
----------- ---------- ---------- ---------- ---------- ---------- - ----------
A-MPDU Tx: 999050 999054 999058 999062 999066 | 999070
A-MPDU Rx: 999049 999053 999057 999061 999065 | 999069
A-MSDU Tx: 999048 999052 999056 999060 999064 | 999068
A-MSDU Rx: 999047 999051 999055 999059 999063 | 999067
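An added example, not Trapeze code, that parses the show ap 11n-counters output above into a dictionary so the counters can be collected and trended across radios; the embedded sample is the output shown above, and the counter names (including the spelling Assciated) are taken from it verbatim.

```python
"""Parse 'show ap 11n-counters' output into a dictionary.

Added example, not Trapeze code. SAMPLE_OUTPUT is the output shown in the
reference example; counter names are kept verbatim (including 'Assciated').
"""
import re

SAMPLE_OUTPUT = """\
AP: 9980 radio: 1
=================================
Packet stats:
Tx packets count: 999002 Rx packets count: 999001
40MHz Tx packets count: 999004 40MHz Rx packets count: 999003
Tx packets retry count: 999005
Client stats:
Assciated clients: 999006 11n clients: 999007
Powersave clients: 999008 SM powersave clients: 999009
Frame aggregation stats:
A-MSDU Tx count: 999011 A-MPDU Tx count: 999017
A-MSDU Rx count: 999010 A-MPDU Rx count: 999016
A-MSDU Tx frame count: 999013 A-MPDU Tx frame count: 999019
A-MSDU Rx frame count: 999012 A-MPDU Rx frame count: 999018
A-MSDU retry count: 999014 A-MPDU retry count: 999020
Compound aggregates: 999022
size(bytes) <=4k <=8k <=16k <=32k <=64k | Peak
----------- ---------- ---------- ---------- ---------- ---------- - ----------
A-MPDU Tx: 999026 999030 999034 999038 999042 | 999046
A-MPDU Rx: 999025 999029 999033 999037 999041 | 999045
A-MSDU Tx: 999024 999028 999032 999036 999040 | 999044
A-MSDU Rx: 999023 999027 999031 999035 999039 | 999043
subframes <=4k <=8k <=16k <=32k <=64k | Peak
----------- ---------- ---------- ---------- ---------- ---------- - ----------
A-MPDU Tx: 999050 999054 999058 999062 999066 | 999070
A-MPDU Rx: 999049 999053 999057 999061 999065 | 999069
A-MSDU Tx: 999048 999052 999056 999060 999064 | 999068
A-MSDU Rx: 999047 999051 999055 999059 999063 | 999067
"""

HEADER_RE = re.compile(r"^AP:\s*(\d+)\s+radio:\s*(\d+)")
# "name: 123 other name: 456" -> [("name", "123"), ("other name", "456")]
PAIR_RE = re.compile(r"([A-Za-z0-9][A-Za-z0-9 \-]*?):\s*(\d+)")


def _is_ruler(line):
    return set(line) <= {"=", "-", " "}


def parse_11n_counters(text):
    """Return {'ap', 'radio', 'sections': {name: {counter: int}}, 'tables': {name: {row: {bucket: int}}}}."""
    result = {"ap": None, "radio": None, "sections": {}, "tables": {}}
    section = None      # current "... stats" block
    table = None        # current size/subframes table
    columns = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or _is_ruler(line):
            continue
        m = HEADER_RE.match(line)
        if m:
            result["ap"], result["radio"] = int(m.group(1)), int(m.group(2))
            continue
        if "|" in line:
            left, peak = line.split("|", 1)
            if ":" in left:                     # data row of the current table
                name, cells = left.split(":", 1)
                values = [int(v) for v in cells.split()] + [int(peak)]
                result["tables"][table][name.strip()] = dict(zip(columns, values))
            else:                               # table header: name, then bucket labels
                tokens = left.split()
                table, columns = tokens[0], tokens[1:] + [peak.strip()]
                result["tables"][table] = {}
            continue
        if line.endswith(":"):                  # section header such as "Client stats:"
            section = line[:-1]
            result["sections"][section] = {}
            continue
        pairs = PAIR_RE.findall(line)
        if section is None or not pairs:
            raise ValueError(f"unrecognised line: {raw!r}")
        for key, value in pairs:
            result["sections"][section][key.strip()] = int(value)
    return result


def tx_retry_ratio(parsed):
    """Retries per transmitted packet; a rising ratio on one radio is worth investigating."""
    pkt = parsed["sections"]["Packet stats"]
    return pkt["Tx packets retry count"] / pkt["Tx packets count"]
```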
show ap acl hits
Displays the number of packets filtered by security ACLs (“hits”) on the specified MP if the MP is
configured to perform local switching. Each time a packet is filtered by a security ACL, the MP
ACL hit counter increments.
Syntax
show ap acl hits apnum
Defaults
None.
Access
Enabled.
Table 12–5. 11n Counter Output
Packet stats
Tx packets count — Number of packets sent
Rx packets count — Number of packets received
40MHz Tx packets count — Number of packets sent on the 40 MHz channel
40MHz Rx packets count — Number of packets received on the 40 MHz channel
Tx Packet Retry count — Number of packets resent
Client stats
Associated clients — Number of clients on the radio
11n clients — Number of 11n clients
Powersave clients — Number of clients configured for powersave mode
SM powersave clients —
Frame Aggregation stats
A-MSDU Tx count — Number of MSDU packets sent
A-MSDU Rx count — Number of MSDU packets received
A-MSDU Tx frame count — Number of MSDU frames sent
A-MSDU Rx frame count — Number of MSDU frames received
A-MSDU retry count — Number of MSDU packets resent
A-MPDU Tx count — Number of MPDU packets sent
A-MPDU Rx count — Number of MPDU packets received
A-MPDU Tx frame count — Number of MPDU frames sent
A-MPDU Rx frame count — Number of MPDU frames received
Compound Aggregates — The number of aggregated packets
size
A-MPDU Tx count — Number of MSDU packets sent
A-MPDU Rx count — Number of MSDU packets received
A-MSDU Tx count — Number of MPDU packets sent
A-MSDU Rx count — Number of MPDU packets received
Peak — The largest size packet sent or received.
subframes
A-MPDU Tx count — Number of MSDU packets sent
A-MPDU Rx count — Number of MSDU packets received
A-MSDU Tx count — Number of MPDU packets sent
A-MSDU Rx count — Number of MPDU packets received
Peak — The highest number of subframes sent or received.
apnum Index value that identifies the MP on the MX. You can specify a value from 1 to 9999.
MP Access Point Commands
MP Access Point Commands
12 – 325
History
I
Usage
For MSS to count hits for a security ACL, you must specify hits in the set security acl
commands that define ACE rules for the ACL.
Examples
To display the security ACL hits on MP 7, type the following command:
MX# show ap acl hits 7
ACL hit-counters for AP 7
Index Counter ACL-name
----- -------------------- --------
1 0 acl_2
2 0 acl_175
3 916 acl_123
See Also
set security acl hit-sample-rate on page 15-401
set security acl on page 15-395
show ap acl map
Displays a summary of the security ACLs mapped on an MP.
Syntax
show ap acl map apnum
Defaults
None.
Access
Enabled.
History
I
Usage
This command lists only the ACLs that have been mapped on the specified MP. To list all
committed ACLs, use the show security acl info command. To list ACLs that have not yet been
committed, use the show security acl editbuffer command.
Examples
To display a summary of the security ACLs mapped on MP 7, type the following
command:
MX# show ap acl map 7
ACL Type Class Mapping
---------------------------- ---- ------ -------
acl_123 IP Static In
acl_133 IP Static In
acl_124 IP Static
See Also
clear security acl on page 15-391
commit security acl on page 15-394
Version 6.0 Command introduced.
Version 6.2 Added index value range of 1 to 9999.
apnum Index value that identifies the MP on the MX. You can specify a value from 1 to
9999.
Version 6.0 Command introduced.
Version 6.2 Added index value range of 1 to 9999.
MP Access Point Commands
Mobility System Software Command Reference Guide
Version 7.3
12 – 326
set security acl on page 15-395
show ap acl resource-usage
Displays statistics about the resources used by security ACL filtering on the MP.
Syntax
show ap acl resource-usage apnum
apnum Index value that identifies the MP on the MX. You can specify a value from 1 to 9999.
Defaults
None.
Access
Enabled.
History
Version 6.0 Command introduced.
Version 6.2 Added index value range from 1 to 9999.
Usage
Use this command with the help of the Trapeze Technical Assistance Center (TAC) to diagnose an ACL resource problem.
Examples
To display security ACL resource usage for MP 7, type the following command:
MX# show ap acl resource-usage 7
AP 7 mapped ACL counters
--------------------------------------------
Number of rule groups : 0
Number of rules : 0
Number of maps : 0
show ap arp
Displays the ARP table for a specified MP.
Syntax
show ap arp apnum
apnum Index value that identifies the MP on the MX. You can specify a value from 1 to 9999.
Defaults
None.
Access
All.
History
Version 6.0 Command introduced.
Version 6.2 Added index value range from 1 to 9999.
Examples
The following command displays ARP entries for AP 7:
MX# show ap arp 7
AP 7:
Host HW Address VLAN State Type
------------------------------ ----------------- ----- -------- -------
10.5.4.51 00:0b:0e:00:04:0c 1 EXPIRED DYNAMIC
10.5.4.53 00:0b:0e:02:76:f7 1 RESOLVED LOCAL
Table 13 describes the fields in this display.
Table 13. Output for show ap arp
Field Description
Host IP address, hostname, or alias.
HW Address MAC address mapped to the IP address, hostname, or alias.
VLAN VLAN the entry is for.
State Entry state:
RESOLVING—MSS sent an ARP request for the entry and is waiting for the reply.
RESOLVED—Entry is resolved.
EXPIRED—Entry is expired.
Type Entry type:
DYNAMIC—Entry was learned from network traffic and ages out if unused for longer than the ARP aging timeout.
LOCAL—Entry for the MX MAC address. Each VLAN has one local entry for the switch MAC address.
PERMANENT—Entry does not age out and remains in the configuration even following a reboot.
STATIC—Entry does not age out but is removed after a reboot.
See Also
set ap local-switching mode on page 12-244
set vlan-profile on page 6-75
show ap config
Displays a summary of MPs configured on your network.
Syntax
show ap config [verbose]
Defaults
None
Access
Enabled
History
Introduced in MSS Version 7.0
Examples
To display a summary of MPs configured on your network, enter the following command:
MX# show ap config
AP AP Name Model Mode Radio 1 profile Radio 2 profile
auto disabled default default
3 AP03 MP-372 default aaaaaaaa123456
show ap config radio
Displays global and radio-specific settings for an MP.
Syntax
show ap apnum config [port-list [radio {1 | 2}]]
apnum Index value that identifies the MP on the MX. You can specify a value from 1 to 9999.
radio 1 Shows configuration information for radio 1.
radio 2 Shows configuration information for radio 2. (This option does not apply to single-radio models.)
Defaults
None.
Access
Enabled.
History
Version 1.0 Command introduced.
Version 1.1 New field added: load balancing group.
Version 2.0
Option dap added for Distributed MPs.
Dap and Serial-Id fields added to display for Distributed MPs.
The load balancing group field is displayed only if the MP is a member of a group.
Version 2.1 New field, antennatype, to list the external antenna model configured for the 802.11b/g radio in an MP-262.
Version 3.0
New fields added:
auto-tune max-power
auto-tune min-client-rate
auto-tune max-retransmissions
beacon field removed
Version 4.0
New field added: fingerprint
Note: This field applies to the display for Distributed MPs only.
Version 5.0
Field force-image-download added.
Field auto-tune min-client-rate removed.
Field auto-tune max-retransmissions removed.
Field location added.
Field contact added.
Version 6.0
Option dap removed.
Field communication timeout added.
Field load-balance-enable added.
Field force-rebalance added.
Field local-switching added.
Field vlan-profile added.
Version 6.2 Added index value range from 1 to 9999.
Usage
MSS lists information separately for each MP.
Examples
The following example shows configuration information for MP 2:
MX# show ap config 2
AP 2: serial-id: 123456789, AP model: MP-372, bias: high, name: AP02
upgrade-firmware: YES
force-image-download: NO
communication timeout: 10
location:
contact:
Radio 1: type: 802.11g, mode: disabled, channel: dynamic
tx pwr: 18, profile: default
auto-tune max-power: default,
load-balance-group: ,
load-balance-enable: YES,
force-rebalance: NO,
local-switching: disabled, vlan-profile: default
Table 12– 1 describes the fields in this display.
Table 12– 1. Output for show ap config
Field Description
Port MX port number to which the MP is connected, if specified for the MP.
AP Index number that identifies the MP on the MX.
serial-id Serial number on the MP.
AP model MP model number.
bias Bias of the MX connection to the MP:
High
Low
name MP access point name, if configured.
upgrade-firmware State of the firmware upgrade option:
YES (automatic upgrades are enabled)
NO (automatic upgrades are disabled)
force-image-download State of the option to force the MP to download a software image from the MX instead of loading a locally stored image on the MP.
communication timeout
location Location information for the MP.
contact Contact information for the MP.
Radio Radio number. The information listed below this field applies specifically to the radio.
type Radio type:
802.11a
802.11b
802.11g
mode Radio state:
Enabled
Disabled
channel Channel number.
antennatype External antenna model, if applicable.
tx pwr Transmit power, in dBm.
profile Radio profile that manages the radio. Until you assign the radio to a radio profile, MSS assigns the radio to the default radio profile.
auto-tune max-power Maximum power level the RF Auto-Tuning feature can set on the radio. The value default means RF Auto-Tuning can set the power up to the maximum level allowed for the country of operation. A specific numeric value means you or another administrator set the maximum value.
load-balance-group Names of the RF load-balancing groups to which the MP belongs. If the value is None, the MP does not belong to any load balancing groups. Note: This field is displayed only if the MP is a member of a group.
load-balance-enable If RF load balancing is enabled for this MP.
force-rebalance If the MP radio disassociates the client sessions and rebalances them whenever a new MP radio is added to the RF load balancing group.
local-switching If local packet switching is enabled for the MP.
vlan-profile The VLAN profile the MP uses for local packet switching, indicating which VLANs are locally switched.
See Also
set ap on page 5-52
set port type ap on page 5-59
set ap bias on page 12-234
set ap fingerprint on page 12-242
set ap group on page 12-243
set ap name on page 12-246
set ap upgrade-firmware on page 12-257
set ap radio mode on page 12-253
set ap radio antennatype on page 12-247
set ap radio channel on page 12-249
set ap radio radio-profile on page 12-254
set ap radio tx-power on page 12-254
show ap connection on page 12-349
show ap global on page 12-351
show ap unconfigured on page 12-352
show radio-profile on page 12-354
show ap counters
Displays MP access point and radio statistics counters.
Syntax
show ap counters apnum [radio {1 | 2}]
apnum Index value that identifies the MP on the MX. You can specify a value from 1 to 9999.
radio 1 Shows statistics counters for radio 1.
radio 2 Shows statistics counters for radio 2. (This option does not apply to single-radio models.)
Defaults
None.
Access
Enabled.
History
Version 1.0 Command introduced.
Version 1.1 New fields added for Wi-Fi Protected Access (WPA):
TKIP Pkt Transfer Ct
TKIP Pkt Replays
CCMP Pkt Decrypt Err
CCMP Pkt Transfer Ct
MIC Error Ct
TKIP Decrypt Err
CCMP Pkt Replays
Version 2.0 Option dap added for Distributed MPs.
Version 4.0 New fields added:
Radio Recv Phy Err Ct
Transmit Retries
Radio Adjusted Tx Pwr
Noise Floor
802.3 Packet Tx Ct
802.3 Packet Rx Ct
No Receive Descriptor
Version 6.0 Option dap removed. Field Illegal Rates added.
Version 6.2 Added index value range of 1 to 9999.
Version 7.1 Added the option voice-details.
Usage
To display statistics counters and other information for individual user sessions, use the show sessions network command.
Examples
The following command shows statistics counters for Distributed MP 7:
MX# show ap counters 7
AP: 7 radio: 1
=================================
LastPktXferRate 2 PktTxCount 73473
NumCntInPwrSave 0 MultiPktDrop 0
LastPktRxSigStrength -89 MultiBytDrop 0
LastPktSigNoiseRatio 4 User Sessions 0
TKIP Pkt Transfer Ct 0 MIC Error Ct 0
TKIP Pkt Replays 0 TKIP Decrypt Err 0
CCMP Pkt Decrypt Err 0 CCMP Pkt Replays 0
CCMP Pkt Transfer Ct 0 RadioResets 0
Radio Recv Phy Err Ct 0 Transmit Retries 60501
Radio Adjusted Tx Pwr 15 Noise Floor -93
802.3 Packet Tx Ct 0 802.3 Packet Rx Ct 0
No Receive Descriptor 0 Illegal Rates 2
TxUniPkt TxUniByte RxPkt UndcrptPkt
TxMultiPkt TxMultiByte RxByte UndcrptByte
PhyErr
1.0: 1017 0 10170 0 14 8347 0 0 3964
2.0: 5643 55683 822545 8697520 3 1670 0 0 8695
5.5: 0 0 0 0 5 258 0 0 4
6.0: 0 0 0 0 0 0 0 0 51
9.0: 0 0 0 0 1 172 0 0 53
11.0: 0 0 0 0 17 998 0 0 35
12.0: 0 0 0 0 0 0 0 0 26
18.0: 0 0 0 0 0 0 0 0 38
24.0: 0 0 0 0 0 0 0 0 47
36.0: 0 0 0 0 0 0 0 0 1
48.0: 0 0 0 0 1 68 0 0 29
54.0: 0 0 0 0 0 0 0 0 5
TOTL: 6660 55683 832715 8697520 41 11513 0 0 12948
...
Table 12– 2 describes the fields in this display.
Table 12– 2. Output for show ap counters
Field Description
AP Distributed MP number.
radio Radio number.
LastPktXferRate Data transmit rate, in Mbps, of the last packet received by the MP.
NumCntInPwrSave Number of clients currently in power save mode.
LastPktRxSigStrength Signal strength, in dBm, of the last packet received by the MP.
LastPktSigNoiseRatio Signal-to-noise ratio (SNR), in decibels (dB), of the last packet received by the MP access point. This value indicates the strength of the radio signal above the noise floor. For example, if the noise floor is -88 and the signal strength is -68, the SNR is 20. If the value is below 10, this indicates a weak signal and might indicate a problem in the RF environment.
TKIP Pkt Transfer Ct Total number of TKIP packets sent and received by the radio.
TKIP Pkt Replays Number of TKIP packets resent to the MP by a client. A low value (under about one hundred) does not necessarily indicate a problem. However, if this counter is increasing steadily or has a very high value (in the hundreds or more), a Denial of Service (DoS) attack might be occurring. Contact Trapeze Networks TAC.
CCMP Pkt Decrypt Err Number of times a decryption error occurred with a packet encrypted with CCMP. Occasional decryption errors do not indicate a problem. However, steadily increasing errors or a high number of errors can indicate that data loss is occurring in the network. Generally, this is caused by a key mismatch between a client and the MP. To locate the client that is experiencing decryption errors (and therefore is likely causing this counter to increment on the MP), use the show sessions network session-id session-id command for each client on the radio. After you identify the client that is causing the errors, disable and reenable the client (wireless NIC).
CCMP Pkt Transfer Ct Total number of CCMP packets sent and received by the radio.
Radio Recv Phy Err Ct Number of times radar caused packet errors. If this counter increments rapidly, there is a problem in the RF environment. Note: This counter increments only when radar is detected. Rate-specific Phy errors are instead counted in the PhyError columns for individual data rates.
Radio Adjusted Tx Pwr Current power level set on the radio. If RF Auto-Tuning of power is enabled, this value is the power set by RF Auto-Tuning. If RF Auto-Tuning is disabled, this value is the statically configured power level.
802.3 Packet Tx Ct Number of raw 802.3 packets transmitted by the radio. These are LocalTalk (AppleTalk) frames. This counter increments only if LocalTalk traffic is present.
No Receive Descriptor Number of packets for which the MP could not create a descriptor. A descriptor describes a received packet’s size and its location in MP memory. The MP buffers descriptors, and clears them during interframe spaces. This counter increments if the MP runs out of buffers for received packets. This condition can occur when a noise burst temporarily floods the air and the MP attempts to buffer the noise as packets. Buffer overruns are normal while an MP is booting. However, if they occur over an extended period of time when the MP is fully active, this can indicate RF interference.
Illegal Rates Number of times a client attempted to connect with a disabled data rate.
PktTxCount Number of packets transmitted by the radio.
MultiPktDrop Number of multicast packets dropped by the radio due to a buffer overflow on the MP. This counter increments if there is too much multicast traffic or there is a problem with the multicast packets. Normally, this counter should be 0.
MultiBytDrop Number of multicast bytes dropped by the radio due to a buffer overflow on the MP. (See the description for MultiPktDrop.)
User Sessions Number of clients currently associated with the radio. Generally, this counter is equal to the number of sessions listed for the radio in show sessions output. However, the counter can differ from the counter in show sessions output if a client is associated with the radio but has not yet completed 802.1X authentication. In this case, the client is counted by this counter but not in the show sessions output. Although there is no specific normal range for this counter, a high or low number relative to other radios can mean the radio is underutilized or overutilized relative to the other radios. (However, if the clients are VoIP phones, a relatively high number of clients does not necessarily mean overutilization since voice clients consume less bandwidth on average than data clients.)
MIC Error Ct Number of times the radio received a TKIP-encrypted frame with an invalid MIC. Normally, the value of this counter should always be 0. If the value is not 0, check the system log for MIC error messages and contact Trapeze Networks TAC.
TKIP Decrypt Err Number of times a decryption error occurred with a packet encrypted with TKIP. (See the description for CCMP Pkt Decrypt Err.)
CCMP Pkt Replays Number of CCMP packets that were resent by a client to the MP. (See the description for TKIP Pkt Replays.)
RadioResets Number of times the radio has been reset. Generally, a reset occurs as a result of RF noise. It is normal for this counter to increment a few times per day.
Transmit Retries Number of times the radio retransmitted a unicast packet because it was not acknowledged. The MP uses this counter to adjust the transmit data rate for a client, in order to minimize retries. The ratio of transmit retries to transmitted packets (TxUniPkt) indicates the overall transmit quality. A ratio of about 1 retry to 10 transmitted packets indicates good transmit quality. A ratio of 3 or more to 10 indicates poor transmit quality. Note: This counter includes unacknowledged probes. Some clients do not respond to probes, which can make this counter artificially high.
Noise Floor Received signal strength at which the MP can no longer distinguish 802.11 packets from ambient RF noise. A value around -90 or higher is good for an 802.11b/g radio. A value around -80 or higher is good for an 802.11a radio. Values near 0 can indicate RF interference.
802.3 Packet Rx Ct Number of raw 802.3 packets received by the radio. These are LocalTalk (AppleTalk) frames. This counter increments only if LocalTalk traffic is present.
The counters above are global for all data rates. The counters below are for individual data rates.
Note: If counters for lower data rates are incrementing but counters for higher data rates are not incrementing, this can indicate poor throughput. The poor throughput can be caused by interference. If the cause is not interference or the interference cannot be eliminated, you might need to relocate the MP in order to use the higher data rates and therefore improve throughput.
TxUniPkt Number of unicast packets transmitted by the radio.
TxMultiPkt Number of multicast packets transmitted by the radio.
TxUniByte Number of unicast bytes transmitted by the radio.
TxMultiByte Number of multicast bytes transmitted by the radio.
RxPkt Number of packets received by the radio.
RxByte Number of bytes received by the radio.
UndcrptPkt Number of undecryptable packets received by the radio. It is normal for this counter to increment even in stable networks and does not necessarily indicate an attack. For example, a client might be sending incorrect key information. However, if the counter increments rapidly, there might be a problem in the network.
UndcrptByte Number of undecryptable bytes received by the radio. (See the description for UndcrptPkt.)
PhyError Number of packets that could not be decoded by the MP. This condition can have any of the following causes:
Collision of an 802.11 packet.
Packet whose source is too far away, thus rendering the packet unintelligible by the time it reaches the MP.
Interference caused by an 802.11b/g phone or other source.
It is normal for this counter to be about 10 percent of the total RxByte count. It is also normal for higher data rates to have higher Phy error counts than lower data rates.
See Also
show sessions network on page 19-454
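As an added example (not part of the Command Reference and not Trapeze code), the following Python script parses the show ap counters output shown above and applies the thresholds Table 12– 2 gives for LastPktSigNoiseRatio, Transmit Retries, MIC Error Ct, TKIP Pkt Replays and MultiPktDrop. The function names, the inline sample and the 100-replay cut-off used for "in the hundreds" are this script's own assumptions.

```python
"""Health check over Trapeze MSS "show ap counters" output (added example)."""
import re
from typing import Dict, List, Tuple

# Constructed sample: the global block and three rows of the per-rate table,
# re-typed from the manual's MP 7 example so the script runs offline.
SAMPLE = """\
AP: 7 radio: 1
=================================
LastPktXferRate 2 PktTxCount 73473
NumCntInPwrSave 0 MultiPktDrop 0
LastPktRxSigStrength -89 MultiBytDrop 0
LastPktSigNoiseRatio 4 User Sessions 0
TKIP Pkt Transfer Ct 0 MIC Error Ct 0
TKIP Pkt Replays 0 TKIP Decrypt Err 0
CCMP Pkt Decrypt Err 0 CCMP Pkt Replays 0
CCMP Pkt Transfer Ct 0 RadioResets 0
Radio Recv Phy Err Ct 0 Transmit Retries 60501
Radio Adjusted Tx Pwr 15 Noise Floor -93
802.3 Packet Tx Ct 0 802.3 Packet Rx Ct 0
No Receive Descriptor 0 Illegal Rates 2
TxUniPkt TxUniByte RxPkt UndcrptPkt
TxMultiPkt TxMultiByte RxByte UndcrptByte
PhyErr
1.0: 1017 0 10170 0 14 8347 0 0 3964
2.0: 5643 55683 822545 8697520 3 1670 0 0 8695
TOTL: 6660 55683 832715 8697520 41 11513 0 0 12948
"""

# Column order of the per-rate table, read left to right across its three
# stacked header lines (Table 12-2 lists the same field names).
RATE_COLUMNS = ("TxUniPkt", "TxMultiPkt", "TxUniByte", "TxMultiByte",
                "RxPkt", "RxByte", "UndcrptPkt", "UndcrptByte", "PhyErr")

_INT = re.compile(r"^-?\d+$")
_RATE_ROW = re.compile(r"^(\d+\.\d+|TOTL):\s+(.*)$")

Counters = Dict[str, int]
RateRows = Dict[str, Dict[str, int]]


def parse_counters(text: str) -> Tuple[Counters, RateRows]:
    """Return (global counters, per-rate rows keyed by rate or "TOTL").

    Each global line carries two "name value" pairs whose names contain
    spaces ("TKIP Pkt Transfer Ct 0 MIC Error Ct 0"), so tokens accumulate
    into a name until a pure integer closes the pair. "802.3" is not a pure
    integer and therefore stays part of the field name.
    """
    counters: Counters = {}
    rates: RateRows = {}
    for line in text.splitlines():
        row = _RATE_ROW.match(line)
        if row:
            values = [int(v) for v in row.group(2).split()]
            if len(values) == len(RATE_COLUMNS):
                rates[row.group(1)] = dict(zip(RATE_COLUMNS, values))
            continue
        if line.startswith("=") or ":" in line:
            continue  # separator line or the "AP: 7 radio: 1" banner
        name: List[str] = []
        for tok in line.split():
            if _INT.match(tok) and name:
                counters[" ".join(name)] = int(tok)
                name = []
            else:
                name.append(tok)
    return counters, rates


def retry_ratio(counters: Counters, rates: RateRows) -> float:
    """Transmit Retries per transmitted unicast packet (TOTL row TxUniPkt)."""
    tx_uni = rates.get("TOTL", {}).get("TxUniPkt", 0)
    return counters.get("Transmit Retries", 0) / tx_uni if tx_uni else 0.0


def assess(counters: Counters, rates: RateRows) -> List[str]:
    """Apply the thresholds Table 12-2 states; returns one finding per hit.

    The 100 cut-off for TKIP Pkt Replays is this script's reading of the
    table's "in the hundreds or more"; the other limits are the table's own.
    """
    findings: List[str] = []
    snr = counters.get("LastPktSigNoiseRatio")
    if snr is not None and snr < 10:
        findings.append(f"weak signal: LastPktSigNoiseRatio {snr} dB is below 10")
    ratio = retry_ratio(counters, rates)
    if ratio >= 0.3:  # 3 or more retries per 10 unicast packets
        findings.append(f"poor transmit quality: {ratio:.2f} retries per unicast "
                        "packet (unanswered probes can inflate this counter)")
    if counters.get("MIC Error Ct", 0) != 0:
        findings.append("MIC Error Ct is non-zero: check the system log for MIC errors")
    if counters.get("TKIP Pkt Replays", 0) >= 100:
        findings.append("TKIP Pkt Replays in the hundreds: possible DoS, contact TAC")
    if counters.get("MultiPktDrop", 0) != 0:
        findings.append("MultiPktDrop is non-zero: multicast buffer overflow on the MP")
    return findings


if __name__ == "__main__":
    c, r = parse_counters(SAMPLE)
    for finding in assess(c, r):
        print(finding)
```

On the manual's own sample the script reports two findings: an SNR of 4 dB and roughly 9 retries per unicast packet, which the table rates as poor.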
show ap counters voice-details
Displays information about VoIP calls on the network.
Syntax
show ap counters apnum [radio {1 | 2}] voice-details
Defaults
None
Access
Enabled
History
Added in MSS Version 7.1
Examples
The following command displays voice details for AP 1 and radio 1:
MX# show ap counters 1 radio 1 voice-details
AP: 1 radio: 1
================================
Current Active Calls Quality Cumulative Voice Calls
BAD POOR FAIR GOOD EXCELLENT Accepted Rejected
-------------------------------------------------------------------------------------
Calls 0 0 0 0 0 1 0
Percentage 0 0 0 0 0 100 0
Table 12– 3. Output for show voice-details
Field Description
Current Active Calls Quality Calls are rated from Bad to Excellent.
Cumulative Voice Calls, Accepted Total number of calls accepted on the network.
Cumulative Voice Calls, Rejected Total number of calls rejected on the network.
Calls Number of calls rated Bad to Excellent.
Percentage Percentage of calls per rating category.
show ap fdb
Displays the entries in a specified MP forwarding database.
Syntax
show ap fdb {apnum | all | hash-utilization [apnum | all]}
apnum Index value that identifies the MP on the MX. You can specify a value from 1 to 9999.
all Show all MP forwarding databases.
hash-utilization
Defaults
None.
Access
All.
History
Version 6.0 Command introduced.
Version 6.2 Added index value range of 1 to 9999.
Examples
The following command displays FDB entries for AP 7:
MX# show ap fdb 7
AP 7:
# = System Entry. $ = Authenticate Entry
VLAN TAG Dest MAC/Route Des [CoS] Destination Ports
---- ---- ------------------ ----- -----------------
4095 4095 00:0b:0e:00:ca:c1 # CPU
4095 0 00:0b:0e:00:04:0c eth0
Table 12– 4 describes the fields in the show ap fdb output.
Table 12– 4. Output for show ap fdb
Field Description
VLAN VLAN number.
TAG VLAN tag value. If the interface is untagged, the TAG field is blank.
Dest MAC/Route Des MAC address of this forwarding entry’s destination.
CoS Type of entry. The entry types are explained in the first row of the command output. Note: This Class of Service (CoS) value is not associated with MSS quality of service (QoS) features.
Destination Ports MX port associated with the entry. An MX sends traffic to the destination MAC address through this port.
See Also
set ap local-switching mode on page 12-244
set vlan-profile on page 6-75
show ap qos-stats
Displays statistics for MP forwarding queues.
Syntax
show ap qos-stats [apnum] [clear]
apnum Index value that identifies the MP on the MX. You can specify a value from 1 to 9999.
clear Clears the counters after displaying their current values.
Defaults
None.
Access
Enabled.
History
Version 4.0 Command introduced.
Version 4.2 TxDrop field added.
Version 5.0 Option clear added.
Version 6.0 Option dap removed.
Version 6.2 Added index value range of 1 to 9999.
Usage
Repeating this command with the clear option at regular intervals allows you to monitor transmission and drop rates.
Examples
The following command shows statistics for the MP forwarding queues on a Distributed MP:
MX# show ap qos-stats 7
CoS Queue Rx Rx Tx Tx Tx Tx Tx Tx
Kbs % Kbs % %Req %Max Packets Dropped
===============================================================================
AP: 7 radio: 1
1,2 Background 0 0 0 0 0 0 0 0
0,3 BestEffort 93 9 0 0 0 0 0 0
4,5 Video 0 0 0 0 0 0 0 0
6,7 Voice 0 0 0 0 0 0 0 0
AP: 7 radio: 2
1,2 Background 0 0 0 0 0 0 0 0
0,3 BestEffort 127 3 0 0 0 0 0 0
4,5 Video 0 0 0 0 0 0 0 0
6,7 Voice 0 0 0 0 0 0 0 0
Table 12– 5 describes the fields in this display.
Table 12– 5. Output for show ap qos-stats
Field Description
CoS CoS value associated with the forwarding queues.
Queue Forwarding queue.
AP Distributed MP number.
radio Radio number.
Tx Packets Number of packets transmitted to the air from the queue.
Tx Dropped Number of packets dropped from the queue instead of being transmitted. Some packet drops are normal, especially if the RF environment is noisy. Also, it is normal for a mildly congested radio to drop low-priority packets proportionally more often than high-priority packets. However, continuous packet drops from the Voice queue can indicate over-subscription or excessive interference in the RF environment.
show ap etherstats
Displays Ethernet statistics for an Ethernet port on an MP.
Syntax
show ap etherstats apnum
apnum Index value that identifies the MP on the MX. You can specify a value from 1 to 9999.
Defaults
None.
Access
Enabled.
History
Version 3.0 Command introduced.
Version 6.2 Added index value range from 1 to 9999.
Examples
The following command displays Ethernet statistics for the Ethernet ports on Distributed MP 1:
MX# show ap etherstats 1
AP: 1 ether: 1
=================================
RxUnicast: 75432 TxGoodFrames: 55210
RxMulticast: 18789 TxSingleColl: 32
RxBroadcast: 8 TxLateColl: 0
RxGoodFrames: 94229 TxMaxColl: 0
RxAlignErrs: 0 TxMultiColl: 47
RxShortFrames: 0 TxUnderruns: 0
RxCrcErrors: 0 TxCarrierLoss: 0
RxOverruns: 0 TxDeferred: 150
RxDiscards: 0
AP: 1 ether: 2
=================================
RxUnicast: 64379 TxGoodFrames: 60621
RxMulticast: 21798 TxSingleColl: 32
RxBroadcast: 11 TxLateColl: 0
RxGoodFrames: 86188 TxMaxColl: 0
RxAlignErrs: 0 TxMultiColl: 12
RxShortFrames: 0 TxUnderruns: 0
RxCrcErrors: 0 TxCarrierLoss: 0
RxOverruns: 0 TxDeferred: 111
RxDiscards: 0
Table 12– 6 describes the fields in this display.
Table 12– 6. Output for show ap etherstats
Field Description
RxUnicast Number of unicast frames received.
RxMulticast Number of multicast frames received.
RxBroadcast Number of broadcast frames received.
RxGoodFrames Number of frames received properly from the link.
RxAlignErrs Number of received frames that were both misaligned and contained a CRC error.
RxShortFrames Number of received frames that were shorter than the minimum frame length.
RxCrcErrors Number of received frames that were discarded due to CRC errors.
RxOverruns Number of frames known to be lost due to a temporary lack of hardware resources.
RxDiscards Number of frames known to be lost due to a temporary lack of software resources.
TxGoodFrames Number of frames transmitted properly on the link.
TxSingleColl Number of transmitted frames that encountered a single collision.
TxLateColl Number of frames that were not transmitted because they encountered a collision outside the normal collision window.
TxMaxColl Number of frames that were not transmitted because they encountered the maximum allowed number of collisions. Typically, this occurs only during periods of heavy traffic on the network.
TxMultiColl Number of transmitted frames that encountered more than one collision.
TxUnderruns Number of frames that were not transmitted or retransmitted due to temporary lack of hardware resources.
TxCarrierLoss Number of frames transmitted despite the detection of a deassertion of CRS during the transmission.
TxDeferred Number of frames deferred before transmission due to activity on the link.
show ap group
Deprecated in MSS Version 6.0. To display information about RF load balancing, see show load-balancing group on page 12-353.
show ap mesh-links
Displays information about the links an MP has to Mesh APs and Mesh Portal APs.
Syntax
show ap mesh-links apnum
apnum Index value that identifies the MP on the MX. You can specify a value from 1 to 9999.
Defaults
None.
Access
All.
History
Version 6.0 Command introduced.
Version 6.2 Added index value range from 1 to 9999.
Examples
The following command displays mesh link information for AP 7:
MX# show ap mesh-links 7
AP: 7 IP-addr: 1.1.1.3
Operational Mode: Mesh-Portal
Downlink Mesh-APs
-------------------------------------------------
BSSID: 00:0b:0e:17:bb:3f (54 Mbps)
packets bytes
TX: 307 44279
RX: 315 215046
Table 12– 7 describes the fields in the show ap mesh-links output.
Table 12– 7. Output for show ap mesh-links
Field Description
AP Identifier for the MP on the MX.
Name VLAN name
IP-addr IP address of the MP.
Operational Mode If this MP is a Mesh AP or a Mesh Portal AP
Downlink Mesh-APs Information about the Mesh APs associated with the Mesh Portal MP.
BSSID The BSSID of the Mesh AP.
TX The amount of traffic (packets and bytes) transmitted to the Mesh AP.
RX The amount of traffic (packets and bytes) received from the Mesh AP.
See Also
set ap boot-configuration mesh ssid on page 12-239
set service-profile mesh on page 12-299
show ap status
Displays MP access point and radio status information.
Syntax
show ap status [[apnum | all | verbose | [radio {1 | 2}] cluster ip-addr]]
apnum Index value that identifies the MP on the MX. You can specify a value from 1 to 9999.
all Shows status information for all directly attached MPs and all Distributed MPs configured on the MX.
radio 1 Shows status information for radio 1.
radio 2 Shows status information for radio 2. (This option does not apply to single-radio models.)
cluster Displays the status of the MPs in a cluster configuration.
Defaults
None.
Access
Enabled.
History
Version 1.0 Command introduced.
Version 1.1 Radio type fields indicate when 802.11b protection is enabled on an 802.11b/g radio.
Version 2.0
Option dap added for Distributed MPs.
Option all added.
IP-addr field added for Distributed MPs.
The dual-homed field was removed. (This field was located on the same line as the Link field.)
Version 3.0
in boot field removed.
operational channel field added
operational power field added
bssid and ssid fields added
Version 3.2 True base MAC addresses of radios are displayed. Previously, the base MAC address displayed for a radio was the true base MAC address plus 2. Note that a radio’s base MAC address is also used as the BSSID of the first SSID configured on the radio.
Version 4.0
New option added: terse
New option added for show dap status: all
New field added: fingerprint
MP-MX security status added to State field
Note: The fingerprint field and security state apply to the display for Distributed MPs only.
Version 4.1
External antenna information added after the radio state information, to indicate when an antenna has been detected and to indicate the configured antenna model number.
Auto flag added to indicate operational channel or power settings that are configured by RF Auto-Tuning.
Version 4.2 Radar Scan and Radar Detected flags added to indicate when the Dynamic Frequency Selection (DFS) feature is scanning for radar or has stopped transmitting due to detected radar. The flags apply to 802.11a radios only, and only for country codes where DFS is used.
Version 5.0 RFID Reports field added.
Version 6.0
Option dap removed.
load balance field added
current load field added
Version 6.2 Added index value range of 1 to 9999 for MPs.
Version 7.0 Reformatted output to accommodate 802.11n and cluster configuration. Option terse removed. Option verbose added. Added status as up or down.
Version 7.1 Added cluster to the options.
Examples
The following command displays the status of an MP access point:
MX# show ap status 9991
Flags: o = operational[0], c = configure[0], d = download[0], b = boot[0]
x= down a = auto AP, m = mesh AP, p/P = mesh portal (ena/actv), r = redundant[0]
i = insecure, e = encrypted, u = unencrypted
Radio: E = enabled - 20MHz channel, S = sentry
W/w = enabled - 40MHz wide channel (HTplus/HTminus)
D = admin disabled
IP Address: * = AP behind NAT
AP Flag IP Address Model MAC Address Radio 1 Radio 2 Uptime
---- ---- --------------- ------------ ----------------- ------- ------- ------
9991 oa-i 129.0.1.10 MP-422 00:0b:0e:00:1b:00 E 6/22 D 44/18 03d21h
The following command uses the verbose option to display all information for MPs:
MX# show ap status verbose
Rack28-2800-112226# show ap status 9991 verbose
AP: 9991  Name: AUTO-9991
Model: Trapeze MP-422, Rev: n/a, Serial number: 108
F/W1     : 1.0
F/W2     : 1.0
S/W      : 7.0.1.0.private_032408_1529_jperson
BOOT S/W : <unknown>
IP-addr: 129.0.1.10 (DHCP, vlan 'apboot'),
Port 1 link: 10/Half , POE: 802.3af
Port 2 link: down    , POE: 802.3af
State: operational (encrypted and fingerprint not verified)
Uptime: 3 days, 21 hours, 41 minutes, 28 seconds
Radio 1 Type: 802.11g, State: configure succeeded [Enabled]
  Operational channel: 6 (Auto)   Operational power: 22
  Load balance: enabled, Current load: (unavailable)
  RFID reports: Inactive
  BSSID1: 00:0b:0e:00:1b:00, SSID: sim-open
Radio 2 Type: 802.11a, State: configure succeeded [Disabled]
  Operational channel: 44 (Auto)  Operational power: 18
  Load balance: enabled, Current load: (unavailable)
  RFID reports: Inactive
Table 12– 8 and Table 12– 9 describe the fields in these displays.
Table 12– 8. Output for show ap status
Field  Description
Flags  The following flags are displayed as part of the MP status:
  o = operational — The MP is operational on the network.
  c = configure [0] — The MP is configured.
  d = download [0] — The MP is configured to download new software.
  b = boot — The MP can boot on the network.
  x = down — The MP is down on the network.
  n = unconfigured — The MP has no configuration.
  a = auto — The MP is configured in auto mode.
  m = mesh AP — The MP is configured for Mesh services.
  p/P = mesh portal (ena/actv) — The MP is configured as a Mesh Portal. The lower-case p means that the portal is inactive, and the upper-case P indicates that the portal is active.
  r = redundant — The MP is configured as a redundant AP.
  i = insecure — The MP is sending network traffic in the clear.
  e = encrypted — The MP is configured with encryption.
  u = unencrypted — The MP is configured with unencrypted security.
Radio  The following flags are displayed as part of the radio status:
  E = enabled - 20MHz
  S = sentry
  W/w = enabled - 40MHz wide channel (HTplus/HTminus)
  D = admin disabled
IP Address  * = AP behind NAT — The MP is configured behind a device with NAT enabled.
AP  Identifier for the MP on the MX.
Flag  Letters that denote current status as described above.
IP-addr  IP address of the MP. The address is assigned to the MP by a DHCP server.
  Note: This field is applicable only if the MP is not directly attached to the MX.
Model  MP model number.
MAC Address  The MAC address of the MP.
Radio 1, Radio 2  802.11 type and configuration state of the radio. Displays current status using the Radio flags. Displays operational channels.
Uptime  Amount of time since the MP booted using this link.
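The flag key above is what an auditor actually acts on: an AP flagged i or u has an unprotected AP-MX link, and the verbose State line shows whether the MX has verified the AP's fingerprint. The following script is an added example, not Trapeze code; it parses constructed show ap status and show ap status verbose captures in the format shown on this page and reports those conditions. The placement of the NAT marker (*) beside the address, the hypothetical APs 12 and 13, and their MAC addresses are assumptions.

```python
"""Audit Trapeze MX 'show ap status' output for AP-MX links that are not secured.

Added example, not Trapeze code.  It reads the Flag column of the brief table
and the State line of the verbose display (Table 12-8 and Table 12-9) and
reports APs flagged i (insecure), u (unencrypted) or n (unconfigured), plus any
verbose State that says the fingerprint is not verified.  Samples are constructed.
"""
import re
from dataclasses import dataclass

# Flag letters and meanings from the key printed above the table (Table 12-8).
FLAG_LEGEND = {
    "o": "operational", "c": "configure", "d": "download", "b": "boot",
    "x": "down", "n": "unconfigured", "a": "auto", "m": "mesh AP",
    "p": "mesh portal (inactive)", "P": "mesh portal (active)",
    "r": "redundant", "i": "insecure", "e": "encrypted", "u": "unencrypted",
}

# One data row: AP, Flag, IP Address, Model, MAC Address, Radio 1, Radio 2, Uptime.
# A radio cell is "<radio flag> <channel>/<power>", e.g. "E 6/22" for the radio whose
# verbose display shows operational channel 6 and operational power 22.
ROW_RE = re.compile(
    r"^\s*(?P<ap>\d+)\s+(?P<flags>\S+)\s+(?P<ip>\S+)\s+(?P<model>\S+)\s+"
    r"(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\s+"
    r"(?P<r1>[EWwSD])\s+(?P<r1ch>\d+)/(?P<r1pw>\d+)\s+"
    r"(?P<r2>[EWwSD])\s+(?P<r2ch>\d+)/(?P<r2pw>\d+)\s+(?P<uptime>\S+)\s*$"
)
AP_LINE_RE = re.compile(r"^AP:\s*(?P<ap>\d+)\s+Name:\s*(?P<name>\S+)")
STATE_LINE_RE = re.compile(r"^State:\s*(?P<state>.+?)\s*$")


@dataclass
class ApStatus:
    ap: int
    flags: set        # letters from the Flag column, '-' placeholders dropped
    ip: str
    behind_nat: bool  # '*' marker; that it is appended to the address is assumed
    model: str
    mac: str
    radios: list      # [(radio_flag, channel, power), ...] for radio 1 and radio 2
    uptime: str


def parse_status_table(text):
    """Return one ApStatus per data row; key, header and separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        rows.append(ApStatus(
            ap=int(m["ap"]), flags={c for c in m["flags"] if c != "-"},
            ip=m["ip"].rstrip("*"), behind_nat=m["ip"].endswith("*"),
            model=m["model"], mac=m["mac"].lower(),
            radios=[(m["r1"], int(m["r1ch"]), int(m["r1pw"])),
                    (m["r2"], int(m["r2ch"]), int(m["r2pw"]))],
            uptime=m["uptime"]))
    return rows


def audit_flags(rows):
    """Return (ap, message) findings for flags that mean the AP-MX link is unprotected."""
    findings = []
    for r in rows:
        if "i" in r.flags:
            findings.append((r.ap, "insecure: sending network traffic in the clear"))
        if "u" in r.flags:
            findings.append((r.ap, "configured with unencrypted security"))
        if "n" in r.flags:
            findings.append((r.ap, "no configuration on the MX"))
    return findings


def audit_verbose(text):
    """Map AP number -> State string from verbose output and flag unverified fingerprints."""
    states, findings, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = AP_LINE_RE.match(line)
        if m:
            current = int(m["ap"])
            continue
        m = STATE_LINE_RE.match(line)
        if m and current is not None:
            states[current] = m["state"]
            if "fingerprint not verified" in m["state"]:
                findings.append((current, "fingerprint not verified on the MX"))
    return states, findings


# Constructed captures (not from a real MX); AP 9991 mirrors the page's example.
SAMPLE_STATUS = """\
Flags: o = operational[0], c = configure[0], d = download[0], b = boot[0]
       i = insecure, e = encrypted, u = unencrypted
AP   Flag IP Address      Model        MAC Address       Radio 1 Radio 2 Uptime
---- ---- --------------- ------------ ----------------- ------- ------- ------
9991 oa-i 129.0.1.10      MP-422       00:0b:0e:00:1b:00 E 6/22  D 44/18 03d21h
12   o--e 10.10.2.27*     MP-432       00:0b:0e:00:2c:40 W 36/17 E 1/14  00d02h
13   n--u 10.10.2.28      MP-422       00:0b:0e:00:2d:80 D 0/0   D 0/0   00d00h
"""
SAMPLE_VERBOSE = """\
AP: 9991 Name: AUTO-9991
State: operational (encrypted and fingerprint not verified)
Uptime: 3 days, 21 hours, 41 minutes, 28 seconds
"""

if __name__ == "__main__":
    for ap, msg in audit_flags(parse_status_table(SAMPLE_STATUS)) + audit_verbose(SAMPLE_VERBOSE)[1]:
        print("AP %d: %s" % (ap, msg))
```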
Table 12– 9. Output for show ap status verbose
Field  Description
AP  The index number of the connected MP.
Name  The name of the MP.
Model  MP model number, revision number, serial number, firmware versions, software version, and boot software version.
IP Address  IP address of the MP. The address is assigned to the MP by a DHCP server. Also shows the VLAN assigned to the MP.
  Note: This field is applicable only if the MP is configured on the MX as a Distributed MP.
Port 1 link  Status, configured duplex speed, and PoE type.
Port 2 link  Status, configured duplex speed, and PoE type and status.
State  Operational status flags for the MP. For flag definitions, see the key in the command output.
Uptime  Amount of time since the MP booted using this link.
Radio 1  State, channel, and power information for radio 1:
  Radio type — 802.11a, 802.11b, 802.11g, 802.11na, or 802.11ng. The state can be D (disabled) or E (enabled).
  Operational channel — Current channel for radio operations.
  Operational power — The power level at which the radio is currently operating.
  Load balanced — Enabled or disabled.
  Current load — The load on this radio relative to the load balancing group average or target load.
  RFID reports — Status of AeroScout asset tag support:
    Active — The AeroScout Engine has enabled the tag report mode on the MP.
    Inactive — The AeroScout Engine has not enabled, or has disabled, the tag report mode on the MP.
    This field is displayed only if the rfid-mode option is enabled on the radio profile that manages the radio.
  BSSID, SSID — The base MAC address of the radio and the SSIDs configured on the radio.
Radio 2  State, channel, and power information for radio 2. See Radio 1 for more information.
show ap vlan
Displays information about locally switched or tunneled VLANs.
Syntax
show ap vlan apnum
apnum  Index value that identifies the MP on the MX. You can specify a value from 1 to 9999.
all  Displays all MPs on a VLAN.
Defaults
None.
Access
All.
History
Version 6.0  Command introduced.
Version 6.2  Introduced index value range of 1 to 9999.
Version 7.0  Added all option.
Examples
The following command displays information about the VLANs switched by AP 7:
MX# show ap vlan 7
AP 7:
VLAN Name             Mode   Port             Tag
---- ---------------- ------ ---------------- ----
1    default          local  1                none
2    red              local  1                2
                             radio_1          20
                             radio_1          21
                             radio_2          22
4    green            local  1                4
                             radio_1          23
5    yellow           tunnel mx_tun           5
                             radio_1          24
Table 12– 10 describes the fields in the show ap vlan output.
Table 12– 10. Output for show ap vlan
Field  Description
VLAN  VLAN number.
Name  VLAN name.
Mode  Whether packets for the VLAN are locally switched by the MP, or are tunneled to an MX, which places them on the VLAN.
Port  The port(s) through which VLAN traffic is sent.
Tag  VLAN tag value. If the interface is untagged, none is displayed in the Tag field.
See Also
set ap local-switching mode on page 12-244
set vlan-profile on page 6-75
show auto-tune attributes
Displays the current values of the RF attributes RF Auto-Tuning uses to decide whether to change channel or power settings.
Syntax
show auto-tune attributes [ap apnum [radio {1 | 2 | all}]]
apnum  Index value that identifies the MP on the MX. You can specify a value from 1 to 9999.
radio 1  Shows RF attribute information for radio 1.
radio 2  Shows RF attribute information for radio 2. (This option does not apply to single-radio models.)
radio all  Shows RF attribute information for both radios.
Defaults
None.
Access
Enabled.
History
Version 3.0  Command introduced.
Version 6.0  Option dap removed.
Version 6.2  Added index value range from 1 to 9999.
Examples
The following command displays RF attribute information for radio 1 on the directly connected MP access point on port 2:
MX# show auto-tune attributes ap 2 radio 1
Auto-tune attributes for port 2 radio 1:
Noise: -92             Packet Retransmission Count: 0
Utilization: 0         Phy Errors Count: 0
CRC Errors count: 122
Table 12– 11 describes the fields in this display.
Table 12– 11. Output for show auto-tune attributes
Field  Description
Noise  Noise threshold on the active channel. RF Auto-Tuning prefers channels with low noise levels over channels with higher noise levels.
Utilization  Number of multicast packets per second that a radio can send on a channel while continuously sending fixed size frames over a period of time. The number of packets that are successfully transmitted indicates how busy the channel is.
CRC Errors count  Number of frames received by the radio on the active channel that had CRC errors. A high CRC error count can indicate a hidden node or co-channel interference.
Packet Retransmission Count  Number of retransmitted packets sent from the client to the radio on the active channel. Retransmissions can indicate that the client is not receiving ACKs from the MP radio.
Phy Errors Count  Number of frames received by the MP radio that had physical layer errors on the active channel. Phy errors can indicate interference from a non-802.11 device.
See Also
set ap radio auto-tune max-power on page 12-248
set radio-profile auto-tune 11a-channel-range on page 12-260
set radio-profile auto-tune channel-holddown on page 12-261
set radio-profile auto-tune channel-interval on page 12-262
set radio-profile auto-tune power-config on page 12-264
set radio-profile auto-tune power-interval on page 12-264
show auto-tune neighbors on page 12-347
show radio-profile on page 12-354
show auto-tune neighbors
Displays the other Trapeze radios and third-party 802.11 radios that a Trapeze radio can hear.
Syntax
show auto-tune neighbors [ap apnum [radio {1 | 2 | all}]]
apnum  Index value that identifies the MP on the MX. You can specify a value from 1 to 9999.
radio 1  Shows neighbor information for radio 1.
radio 2  Shows neighbor information for radio 2. (This option does not apply to single-radio models.)
radio all  Shows neighbor information for both radios.
Defaults
None.
Access
Enabled.
History
Version 3.0  Command introduced.
Version 6.0  Option dap removed.
Version 6.2  Added index value range of 1 to 9999.
Usage
For simplicity, this command displays a single entry for each Trapeze radio, even if the radio is supporting multiple BSSIDs. However, BSSIDs for third-party 802.11 radios are listed separately, even if a radio is supporting more than one BSSID.
Information is displayed for a radio if the radio sends beacon frames or responds to probe requests. Even if the radio SSIDs are unadvertised, Trapeze radios detect the empty beacon frames (beacon frames without SSIDs) sent by the radio, and include the radio in the neighbor list.
Examples
The following command displays neighbor information for radio 1 on the directly connected MP access point on port 2:
MX# show auto-tune neighbors ap 2 radio 1
Total number of entries for port 2 radio 1: 5
Channel Neighbor BSS/MAC  RSSI
------- ----------------- ----
1       00:0b:85:06:e3:60 -46
1       00:0b:0e:00:0a:80 -78
1       00:0b:0e:00:d2:c0 -74
1       00:0b:85:06:dd:00 -50
1       00:0b:0e:00:05:c1 -72
Table 12– 12 describes the fields in this display.
Table 12– 12. Output for show auto-tune neighbors
Field  Description
Channel  Channel on which the BSSID is detected.
Neighbor BSS/MAC  BSSID detected by the radio.
RSSI  Received signal strength indication (RSSI), in decibels referred to 1 milliwatt (dBm). A higher value indicates a stronger signal.
See Also
set ap radio auto-tune max-power on page 12-248
set radio-profile auto-tune 11a-channel-range on page 12-260
set radio-profile auto-tune channel-holddown on page 12-261
set radio-profile auto-tune channel-interval on page 12-262
set radio-profile auto-tune power-config on page 12-264
set radio-profile auto-tune power-interval on page 12-264
show auto-tune attributes on page 12-345
show radio-profile on page 12-354
show ap boot-configuration
Displays information about the static IP address configuration (if any) on a Distributed MP.
Syntax
show ap boot-configuration apnum
apnum  Index value that identifies the MP on the MX. You can specify a value from 1 to 9999.
Defaults
None.
Access
Enabled.
History
Version 4.2  Command introduced.
Version 6.0  Option dap removed.
  Field Mesh added.
  Field Mesh SSID added.
  Field Mesh PSK added.
Version 6.2  Added index value range from 1 to 9999.
Examples
The following command displays static IP configuration information for Distributed MP 1:
MX# show ap boot-configuration 1
Static Boot Configuration
AP: 7
IP Address:  Disabled
VLAN Tag:    Disabled
Switch:      Disabled
Mesh:        Disabled
IP Address:
Netmask:
Gateway:
VLAN Tag:
Switch IP:
Switch Name:
DNS IP:
Mesh SSID:
Mesh PSK:
Table 12– 13 describes the fields in this display.
Table 12– 13. Output for show ap boot-configuration
Field  Description
AP  MP number.
IP Address  Whether static IP address assignment is enabled for this Distributed MP.
VLAN Tag  Whether the Distributed MP is configured to use a VLAN tag.
Switch  Whether the Distributed MP is configured to use a manually specified MX as the boot device.
Mesh  Whether WLAN mesh services are enabled for this MP.
IP Address  The static IP address assigned to this Distributed MP.
Netmask  The subnet mask assigned to this Distributed MP.
Gateway  The IP address of the default gateway assigned to this Distributed MP.
VLAN Tag  The VLAN tag that the Distributed MP is configured to use (if any).
Switch IP  The IP address of the MX that this Distributed MP is configured to use as its boot device (if any).
Switch Name  The name of the MX that this Distributed MP is configured to use as the boot device (if any).
DNS IP  The IP address of the DNS server that the Distributed MP uses to resolve the name of the MX used as the boot device.
Mesh SSID  The WLAN mesh services SSID this MP is configured to use (if any).
Mesh PSK  The preshared key (PSK) the MP uses for authentication with a Mesh Portal AP (if any).
show ap connection
Displays the system IP address of the MX that booted a Distributed MP.
Syntax
show ap connection [apnum | serial-id serial-ID]
apnum  Index value that identifies the MP on the MX. You can specify a value from 1 to 9999.
serial-id serial-ID  MP access point serial ID.
Defaults
None.
Access
Enabled.
History
Version 2.0  Command introduced.
Version 6.0  Option dap removed.
Version 6.2  Added index value range of 1 to 9999.
Usage
The serial-id parameter displays the active connection for the specified Distributed MP even if that MP is not configured on this MX. If you instead use the command with the apnum parameter or without a parameter, connection information is displayed only for Distributed MPs configured on this MX.
This command provides information only if the Distributed MP is configured on the MX where you entered the command. The MX does not need to be the one that booted the MP, but it must have the MP in the configuration. Also, the MX that booted the MP must be in the same Mobility Domain as the MX where you entered the command.
If a Distributed MP is configured on this MX (or another MX in the same Mobility Domain) but does not have an active connection, the command does not display information for the MP. To show connection information for Distributed MPs, use the show ap global command on one of the switches where the MPs are configured.
Examples
The following command displays information for all Distributed MPs configured on this MX switch that have active connections:
MX# show ap connection
Total number of entries: 2
AP  Serial Id   AP IP Address   MX IP Address
--- ----------- --------------- ---------------
2   112233      10.10.2.27      10.3.8.111
4   0333000298  10.10.3.34      10.3.8.111
The following command displays connection information specifically for a Distributed MP with serial ID 223344:
MX# show ap connection serial-id 223344
Total number of entries: 1
AP  Serial Id   AP IP Address   MX IP Address
--- ----------- --------------- ---------------
9   223344      10.10.4.88      10.9.9.11
Table 12– 14 describes the fields in this display.
Table 12– 14. Output for show ap connection
Field  Description
AP  ID assigned to the Distributed MP. If the connection is configured on another MX, this field contains a hyphen ( - ).
Serial Id  Serial ID of the Distributed MP.
AP IP Address  IP address assigned by DHCP to the Distributed MP.
MX IP Address  System IP address of the MX with which the MP has an active connection. This is the MX that the MP used for booting and configuration and is using for data transfer.
See Also
show ap config radio on page 12-328
show ap global on page 12-351
show ap unconfigured on page 12-352
show ap global
Displays connection information for Distributed MPs configured on an MX.
Syntax
show ap global [apnum | serial-id serial-ID]
apnum  Index value that identifies the MP on the MX. You can specify a value from 1 to 9999.
serial-id serial-ID  MP access point serial ID.
Defaults
None.
Access
Enabled.
History
Version 2.0  Command introduced.
Version 6.0  Option dap removed.
Version 6.2  Added index value range from 1 to 9999.
Usage
Connections are shown only for the Distributed MPs configured on the MX on which you enter the command, and only for the Mobility Domain of the MX.
To show information only for Distributed MPs that have active connections, use the show ap connection command.
Examples
The following command displays connection information for all the Distributed MPs configured on an MX:
MX# show ap global
Total number of entries: 8
AP  Serial Id   MX IP Address   Bias
--- ----------- --------------- ----
1   11223344    10.3.8.111      HIGH
-   11223344    10.4.3.2        LOW
2   332211      10.3.8.111      LOW
-   332211      10.4.3.2        HIGH
17  0322100185  10.3.8.111      HIGH
-   0322100185  10.4.3.2        LOW
18  0321500120  10.3.8.111      LOW
-   0321500120  10.4.3.2        HIGH
Table 12– 15 describes the fields in this display.
Table 12– 15. Output for show ap global
Field  Description
AP  ID you assigned to the Distributed MP.
  Note: AP numbers are listed only for Distributed MPs configured on this MX switch. If the field contains a hyphen ( - ), the Distributed MP configuration displayed in the row of output is on another MX switch.
Serial Id  Serial ID of the Distributed MP.
MX IP Address  System IP address of the MX on which the Distributed MP is configured. A separate row of output is displayed for each MX on which the Distributed MP is configured.
Bias  Bias of the MX for the MP: High or Low.
See Also
set ap on page 5-52
set ap bias on page 12-234
show ap config radio on page 12-328
show ap connection on page 12-349
show ap unconfigured on page 12-352
show ap unconfigured
Displays Distributed MPs that are physically connected to the network but that are not configured on any MX switches.
Syntax
show ap unconfigured
Defaults
None.
Access
Enabled.
History
Version 2.0  Command introduced.
Version 6.0  Option dap removed.
Usage
This command also displays an MP that is directly connected to an MX, if the MX port connected to the MP is configured as a network port instead of an MP access port, and if the network port is a member of a VLAN.
If a Distributed MP is configured on an MX, the MP can appear in the output until the MP is able to establish a connection with an MX in a Mobility Domain. After the MP establishes a connection, the entry for the MP ages out and no longer appears in the command output.
Entries in the command output table age out after two minutes.
Examples
The following command displays information for two Distributed MPs that are not configured:
MX# show ap unconfigured
Total number of entries: 2
Serial Id   Model  IP Address      Port Vlan
----------- ------ --------------- ---- --------
0333001287  MP-241 10.3.8.54       5    default
0333001285  MP-252 10.3.8.57       7    vlan-eng
Table 12– 16 describes the fields in this display.
Table 12– 16. Output for show ap unconfigured
Field  Description
Serial Id  Serial ID of the MP.
Model  MP model number.
IP Address  IP address of the MP. This is the address that the MP receives from a DHCP server. The MP uses this address to send a Find MX message to request configuration information from MX switches. However, the MP cannot use the address to establish a connection unless the MP first receives a configuration from an MX.
Port  Port number on which this MX received the MP Find MX message.
VLAN  VLAN on which this MX received the MP Find MX message.
See Also
show ap connection on page 12-349
show ap global on page 12-351
show load-balancing group
Displays an RF load balancing group's member radios and current load for each radio.
Syntax
show load-balancing group {group-name | all | [ap apnum radio {1 | 2}]}
group-name  Name of an RF load-balancing group configured on the MX.
all  Displays information for every load-balancing group that has a radio on this MX as a member.
apnum  Index value that identifies the MP on the MX. You can specify a value from 1 to 9999.
radio {1 | 2}  Shows status information for a radio on an MP. This option displays information about radios in the same group as the specified radio.
Defaults
None.
Access
Enabled.
History
Version 6.0  Command introduced.
Version 6.2  Added index value range of 1 to 9999.
Usage
Use this command to display information about the RF load-balancing groups configured on the MX and the individual MP radios in the load-balancing groups.
Examples
The following command displays information about the MP radios that are in the same group as radio 1 on MP 3:
MX# show load-balancing group ap 3 radio 1
Radios in the same load-balancing group as: ap3/radio1
--------------------------------------------------
IP address         AP   Radio Overlap
------------------ ---- ----- -------
10.2.28.200        3    1     100/100
The following command displays information about RF load balancing group blue:
MX# show load-balancing group blue
Load-balancing group: blue
IP address         AP   Radio Clients
------------------ ---- ----- -------
10.2.28.200        3    1     0
Table 12– 17 describes the fields displayed by the show load-balancing group command.
Table 12– 17. Output for show load-balancing group
Field  Description
IP address  The IP address of the MP in the load-balancing group.
AP  MP number.
Radio  Radio number.
Overlap  The amount of overlapping coverage area the specified MP radio has with the MP radio in the list. An overlap of 100/100 indicates that the MP radios have exactly the same coverage area.
Clients  The current client load on the MP radio.
See Also
set load-balancing strictness on page 12-259
set ap radio load-balancing on page 12-251
set ap local-switching mode on page 12-244
show radio-profile
Displays radio profile information.
Syntax
show radio-profile {profile | ?}
profile  Displays information about the named radio profile.
?  Displays a list of radio profiles.
Defaults
None.
Access
Enabled.
History
Version 1.0  Command introduced.
Version 1.1  New fields added to indicate the following:
  Support of 802.11b/g radios for association by 802.11b clients
  Wi-Fi Protected Access (WPA) parameter settings
Version 3.0  Fields removed for items that are no longer managed by radio profiles:
  Encrypted Network Name
  Clear Network Name
  Network name(s) broadcast in the wireless beacon
  WEP Key 1 value
  WEP Key 2 value
  WEP Key 3 value
  WEP Key 4 value
  WEP Unicast Index
  WEP Multicast Index
  Shared Key Auth
  WPA enabled
  These items are now managed by service profiles.
  New fields added:
  Tune Channel
  Tune Power
  Tune Channel Interval
  Tune Power Interval
  Client Backoff Timer
  Channel Holddown
  Service profiles
  Name of the 802.11g field changed from Allow only 802.11g clients in 802.11g networks to Allow 802.11g clients only.
Version 4.0  New fields added:
  Countermeasures
  Active-Scan
  WMM enabled
  Name of the backoff timer field changed from Client Backoff Timer to Power Backoff Timer.
Version 4.2  WMM enabled field renamed to QoS Mode.
  Long Retry Limit and Short Retry Limit fields moved to show service-profile output. (These options are now configurable on a service-profile basis instead of a radio-profile basis.)
  Allow 802.11g clients only field removed. (This option is now configured using the set service-profile transmit-rates command.)
Version 5.0  New fields added:
  Power ramp interval
  RFID enabled
  WMM Powersave
  Power Backoff Timer field removed.
Usage
MSS contains a default radio profile. Trapeze Networks recommends that you do not change this profile but instead keep the profile for reference.
Examples
The following command shows radio profile information for the default radio profile:
MX# show radio-profile default
Beacon Interval: 100          DTIM Interval: 1
Max Tx Lifetime: 2000         Max Rx Lifetime: 2000
RTS Threshold: 2346           Frag Threshold: 2346
Long Preamble: no             Tune Channel: yes
Tune Power: no                Tune Channel Interval: 3600
Tune Power Interval: 600      Power ramp interval: 60
Channel Holddown: 300         Countermeasures: none
Active-Scan: yes              RFID enabled: no
WMM Powersave: no             QoS Mode: wmm
No service profiles configured.
Table 12– 18 describes the fields in this display.
Table 12– 18. Output for show radio-profile
Field  Description
Beacon Interval  Rate (in milliseconds) at which each MP radio in the profile advertises the beaconed SSID.
DTIM Interval  Number of times after every beacon that each MP radio in the radio profile sends a delivery traffic indication map (DTIM).
Max Tx Lifetime  Number of milliseconds that a frame received by a radio in the radio profile can remain in buffer memory.
Max Rx Lifetime  Number of milliseconds that a frame scheduled to be transmitted by a radio in the radio profile can remain in buffer memory.
RTS Threshold  Minimum length (in bytes) a frame can be for a radio in the radio profile to use the RTS/CTS method to send the frame. The RTS/CTS method clears the air of other traffic to avoid corruption of the frame due to a collision with another frame.
Frag Threshold  Maximum length (in bytes) a frame is allowed to be without being fragmented into multiple frames before transmission by a radio in the radio profile.
Long Preamble  Indicates whether an 802.11b radio that uses this radio profile advertises support for frames with long preambles only:
  YES—Advertises support for long preambles only.
  NO—Advertises support for long and short preambles.
Tune Channel  Indicates whether RF Auto-Tuning is enabled for dynamically setting and tuning channels.
Tune Power  Indicates whether RF Auto-Tuning is enabled for dynamically setting and tuning power levels.
Tune Channel Interval  Interval, in seconds, at which RF Auto-Tuning decides whether to change the channels on radios in a radio profile. At the end of each interval, MSS processes the results of the RF scans performed during the previous interval, and changes radio channels if needed.
Tune Power Interval  Interval, in seconds, at which RF Auto-Tuning decides whether to change the power level on radios in a radio profile. At the end of each interval, MSS processes the results of the RF scans performed during the previous interval, and changes radio power levels if needed.
Power ramp interval  Number of seconds a radio waits before increasing or decreasing its power by 1 dBm in response to a power change from RF Auto-Tuning. After each power ramp interval, the radio increases or decreases the power by another 1 dB until the radio reaches the power level selected by RF Auto-Tuning.
Channel Holddown  Minimum number of seconds a radio in a radio profile must remain at its current channel assignment before RF Auto-Tuning can change the channel.
Countermeasures  Indicates whether countermeasures are enabled.
Active-Scan  Indicates whether the active-scan mode of RF detection is enabled.
RFID enabled  Indicates whether AeroScout tag support is enabled.
WMM Powersave  Indicates whether U-APSD support is enabled.
QoS Mode  Indicates the Quality-of-Service setting for MP radio forwarding queues:
  wmm—MP forwarding queues provide standard priority handling for WMM devices.
  svp—MP forwarding queues are optimized for SpectraLink Voice Priority (SVP).
  For information about the QoS modes, see the "Configuring Quality of Service" chapter in the Trapeze Mobility System Software Configuration Guide.
Service profiles  Service profiles mapped to this radio profile. Each service profile contains an SSID and encryption information for that SSID.
  Note: When you upgrade from 2.x, MSS creates a default-dot1x service profile for encrypted SSIDs and a default-clear service profile for unencrypted SSIDs. These default service profiles contain the default encryption settings for crypto SSIDs and clear SSIDs, respectively.
See Also
set radio-profile active-scan on page 12-260
set radio-profile auto-tune 11a-channel-range on page 12-260
set radio-profile auto-tune channel-holddown on page 12-261
set radio-profile auto-tune channel-interval on page 12-262
set radio-profile auto-tune channel-lockdown on page 12-263
set radio-profile auto-tune power-config on page 12-264
set radio-profile auto-tune power-interval on page 12-264
set radio-profile auto-tune power-lockdown on page 12-265
set radio-profile auto-tune power-ramp-interval on page 12-266
set radio-profile beacon-interval on page 12-266
set radio-profile countermeasures on page 12-268
set radio-profile dfs-channels on page 12-269
set radio-profile frag-threshold on page 12-271
set radio-profile max-rx-lifetime on page 12-272
set radio-profile mode on page 12-272
set radio-profile preamble-length on page 12-275
set radio-profile qos-mode on page 12-275
set radio-profile rf-scanning mode on page 12-278
set radio-profile rts-threshold on page 12-279
set radio-profile service-profile on page 12-279
set radio-profile wmm-powersave on page 12-284
show service-profile
Displays service profile information.
Syntax
show service-profile {profile-name | ?}
profile-name Displays information about the named service profile.
? Displays a list of service profiles.
Defaults
None.
Access
Enabled.
History
Version 3.0 Command introduced
Version 4.1 New fields added to indicate the configured SSID default attributes in the service profile.
Version 4.2 New fields added:
Proxy ARP
DHCP restrict
No broadcast
Short retry limit (moved from show radio-profile output)
Long retry limit (moved from show radio-profile output)
Sygate On-Demand (SODA)
Enforce SODA checks
SODA remediation ACL
Custom success web-page
Custom failure web-page
Custom logout web-page
Custom agent-directory
Static COS
COS
CAC mode
CAC sessions
User idle timeout
Idle client probing
Web Portal Session Timeout
Transmit rates for 11a / 11b / 11g:
beacon rate
multicast rate
mandatory rate
standard rates
disabled rates
Version 5.0 New fields added:
Active call timeout
Keep initial vlan
Web Portal ACL
Version 6.0 New fields added:
Client DSCP
Mesh enabled
Bridging enabled
Load Balance Exempt
Web Portal Logout
Custom Web Portal Logout URL
Examples
The following command displays information for service profile sp1:
MX# show service-profile sp1
ssid-name: corp2 ssid-type: crypto
Beacon: yes Proxy ARP: no
DHCP restrict: no No broadcast: no
Short retry limit: 5 Long retry limit: 5
Auth fallthru: none Sygate On-Demand (SODA): no
Enforce SODA checks: yes SODA remediation ACL:
Custom success web-page: Custom failure web-page:
Custom logout web-page: Custom agent-directory:
Static COS: no COS: 0
Client DSCP: no CAC mode: none
CAC sessions: 14 User idle timeout: 180
Idle client probing: yes Keep initial vlan: no
Web Portal Session Timeout: 5 Mesh enabled: no
Web Portal ACL: Bridging enabled: no
Load Balance Exempt: no Web Portal Logout: no
Custom Web Portal Logout URL:
WEP Key 1 value: <none> WEP Key 2 value: <none>
WEP Key 3 value: <none> WEP Key 4 value: <none>
WEP Unicast Index: 1 WEP Multicast Index: 1
Shared Key Auth: NO
11a beacon rate: 6.0 multicast rate: AUTO
11a mandatory rate: 6.0,12.0,24.0 standard rates: 9.0,18.0,36.0,48.0,54.0
11b beacon rate: 2.0 multicast rate: AUTO
11b mandatory rate: 1.0,2.0 standard rates: 5.5,11.0
11g beacon rate: 2.0 multicast rate: AUTO
11g mandatory rate: 1.0,2.0,5.5,11.0 standard rates: 6.0,9.0,12.0,18.0,24.0,36.0,48.0,54.0
Table 12–19 describes the fields in this display.
Table 12–19. Output for show service-profile
Field Description
ssid-name Service set identifier (SSID) managed by this service profile.
ssid-type SSID type:
crypto—Wireless traffic for the SSID is encrypted.
clear—Wireless traffic for the SSID is unencrypted.
Beacon Indicates whether the radio sends beacons, to advertise the SSID:
no
yes
Proxy ARP Indicates whether proxy ARP is enabled. When this feature is enabled, MSS answers ARP requests on behalf of wireless clients.
DHCP restrict Indicates whether DHCP Restrict is enabled. When this feature is enabled, MSS allows only DHCP traffic for a new client until the client has successfully completed authentication and authorization.
No broadcast Indicates whether broadcast restriction is enabled. When this feature is enabled, MSS sends ARP requests and DHCP Offers and Acks as unicasts to their target clients instead of forwarding them as broadcasts.
Short retry limit Number of times a radio serving the service profile’s SSID can send a short unicast frame without receiving an acknowledgment.
Long retry limit Number of times a radio serving the service profile’s SSID can send a long unicast frame without receiving an acknowledgment. A long unicast frame is a frame that is equal to or longer than the RTS threshold.
Auth fallthru Secondary (fallthru) encryption type when a user tries to authenticate but the MX managing the radio does not have an authentication rule with a userglob that matches the username:
last-resort—Automatically authenticates the user and allows access to the SSID requested by the user, without requiring a username and password.
none—Denies authentication and prohibits the user from accessing the SSID.
web-portal—Redirects the user to a web page for login to the SSID.
Sygate On-Demand (SODA) Whether SODA functionality is enabled for the service profile. When SODA functionality is enabled, connecting clients download SODA agent files, which perform security checks on the client.
Enforce SODA checks Whether a client is allowed access to the network only after it has downloaded and run the SODA agent security checks. When SODA functionality is enabled, and the MX is configured to enforce SODA checks, a connecting client must download the SODA agent files and pass the checks in order to gain access to the network.
SODA remediation ACL The name of the ACL to be applied to the client if it fails the SODA agent checks. If no remediation ACL is specified, a client that fails the SODA agent checks is disconnected from the network.
Custom success web-page The name of the user-specified page that the client loads upon successful completion of the SODA agent checks. If no page is specified, the success page is generated dynamically.
Custom failure web-page The name of the user-specified page that the client loads if it fails the SODA agent checks. If no page is specified, the failure page is generated dynamically.
Custom logout web-page The name of the user-specified page that the client loads upon logging out of the network, either by closing the SODA virtual desktop or by requesting the page. If no page is specified, the client is disconnected without loading a logout page.
Custom agent-directory The name of the directory for SODA agent files on the MX switch, if different from the default. By default, SODA agent files are stored in a directory with the same name as the service profile.
Static COS Indicates whether static CoS assignment is enabled. When this feature is enabled, MPs assign the CoS value in the COS field to all user traffic forwarded by the MP.
COS CoS value assigned by the MP to all user traffic, if static CoS is enabled. (If static CoS is disabled, WMM or ACLs are used to assign CoS.)
Client DSCP Whether packets are classified based on client DSCP level instead of 802.11 priority.
CAC mode Call Admission Control mode:
none—CAC is disabled.
session—CAC is based on the number of active user sessions. If an MP radio reaches the maximum number of active user sessions specified in the CAC sessions field, the MP radio rejects new connection attempts.
CAC sessions Maximum number of user sessions that can be active on an MP radio at one time, if the CAC mode is session. (If the CAC mode is none, this value is not used.)
User idle timeout Indicates how many seconds a user session can remain idle (indicated by no user traffic and no reply to client keepalive probes) before the session is changed to the Disassociated state.
Idle client probing Indicates whether client keepalive probes are enabled.
Keep initial VLAN Indicates whether the keep-initial-vlan option is enabled.
Web Portal Session Timeout When a Web Portal WebAAA session is placed in the Disassociated state, how many seconds the session can remain in that state before being terminated automatically.
Mesh enabled Whether WLAN mesh services are enabled for the service profile.
Web Portal ACL Name of the ACL used to filter traffic for Web Portal users associated with this service profile’s SSID while the users are being authenticated.
Bridging enabled Whether wireless bridging is enabled for this service profile.
Load Balance Exempt Whether the MP radios managed by this service profile are exempted from (do not participate in) RF load balancing.
Web Portal Logout Whether the Web Portal WebAAA logout functionality has been enabled.
Custom Web Portal Logout URL If configured, the URL that Web Portal WebAAA users can access in order to terminate their sessions.
WEP Key 1 value State of static WEP key number 1. Radios can use this key to encrypt traffic with static Wired-Equivalent Privacy (WEP):
none—The key is not configured.
preset—The key is configured.
Note: The WEP parameters apply to traffic only on the encrypted SSID.
WEP Key 2 value State of static WEP key number 2:
none—The key is not configured.
preset—The key is configured.
WEP Key 3 value State of static WEP key number 3:
none—The key is not configured.
preset—The key is configured.
WEP Key 4 value State of static WEP key number 4:
none—The key is not configured.
preset—The key is configured.
WEP Unicast Index Index of the static WEP key used to encrypt unicast traffic on an encrypted SSID.
WEP Multicast Index Index of the static WEP key used to encrypt multicast traffic on an encrypted SSID.
Shared Key Auth Indicates whether shared-key authentication is enabled.
WPA enabled or RSN enabled Indicates that the Wi-Fi Protected Access (WPA) or Robust Security Network (RSN) information element (IE) is enabled. Additional fields display the settings of other WPA or RSN parameters:
ciphers—Lists the cipher suites advertised by radios in the radio profile mapped to this service profile.
authentication—Lists the authentication methods supported for WPA or RSN clients:
802.1X—dynamic authentication
PSK—preshared key authentication
TKIP countermeasures time—Indicates the amount of time (in ms) MSS enforces countermeasures following a second message integrity code (MIC) failure within a 60-second period.
Note: These fields are displayed only when the WPA IE or RSN IE is enabled.
vlan-name, session-timeout, service-type These are examples of authorization attributes that are applied by default to a user accessing the SSID managed by this service profile (in addition to any attributes assigned to the user by a RADIUS server or the local database).
Attributes are listed here only if they have been configured as default attribute settings for the service profile.
See Table 9–9 on page 179 for a list of authorization attributes and values that can be assigned to network users.
11a / 11b / 11g transmit rate fields Data transmission rate settings for each radio type:
beacon rate—Data rate of beacon frames sent by MP radios.
multicast rate—Data rate of multicast frames sent by MP radios. If the rate is auto, the MP sets the multicast rate to the highest rate that can reach all clients connected to the radio.
mandatory rates—Set of data transmission rates that clients are required to support in order to associate with an SSID on an MP radio. A client must support at least one of the mandatory rates.
standard rates—The set of valid rates that are neither mandatory nor disabled. These rates are supported for data transmission from the MP radios.
disabled rates—Data transmission rates that MP radios will not use to transmit data. (The radios will still accept frames from clients at disabled data rates.)
See Also
set service-profile attr on page 12-286
set service-profile [rsn-ie | wpa-ie] auth-dot1x on page 12-287
set service-profile [rsn-ie | wpa-ie] auth-fallthru on page 12-287
set service-profile [rsn-ie | wpa-ie] auth-psk on page 12-289
set service-profile beacon on page 12-289
set service-profile cac-mode on page 12-290
set service-profile cac-session on page 12-291
set service-profile [rsn-ie | wpa-ie] cipher-ccmp on page 12-292
set service-profile [rsn-ie | wpa-ie] cipher-tkip on page 12-293
set service-profile [rsn-ie | wpa-ie] cipher-wep104 on page 12-293
set service-profile [rsn-ie | wpa-ie] cipher-wep40 on page 12-294
set service-profile cos on page 12-295
set service-profile dhcp-restrict on page 12-296
set service-profile idle-client-probing on page 12-296
set service-profile long-retry-count on page 12-298
set service-profile no-broadcast on page 12-300
set service-profile proxy-arp on page 12-300
set service-profile [rsn-ie | wpa-ie] psk-phrase on page 12-301
set service-profile [rsn-ie | wpa-ie] psk-raw on page 12-302
set service-profile rsn-ie on page 12-303
set service-profile shared-key-auth on page 12-304
set service-profile short-retry-count on page 12-304
set service-profile soda mode on page 12-308
set service-profile ssid-name on page 12-310
set service-profile ssid-type on page 12-310
set service-profile static-cos on page 12-311
set service-profile tkip-mc-time on page 12-312
set service-profile transmit-rates on page 12-312
set service-profile user-idle-timeout on page 12-314
set service-profile web-portal-form on page 12-316
set service-profile web-portal-session-timeout on page 12-318
set service-profile wep active-multicast-index on page 12-319
set service-profile wep active-unicast-index on page 12-320
set service-profile wep key-index on page 12-320
set service-profile wpa-ie on page 12-321
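The sp1 display above is the kind of output a reviewer reads for weak settings: a clear SSID, an Auth fallthru of last-resort, static WEP keys that are preset, or shared-key authentication. The following Python is an added example, not Trapeze code. It parses the two-column "Field: value Field: value" layout using the field labels from Table 12–19 (the "WPA enabled" and "RSN enabled" labels are assumed to print exactly as the table names them, since the sample output does not show them) and returns a list of findings. The first sample is the page's own sp1 output; the second is a constructed profile with weak settings.

```python
import re

# Field labels from Table 12-19 (show service-profile output). "WPA enabled" and
# "RSN enabled" are assumed to print exactly as the table names them.
FIELD_NAMES = [
    "ssid-name", "ssid-type", "Beacon", "Proxy ARP", "DHCP restrict", "No broadcast",
    "Short retry limit", "Long retry limit", "Auth fallthru", "Sygate On-Demand (SODA)",
    "Enforce SODA checks", "SODA remediation ACL", "Custom success web-page",
    "Custom failure web-page", "Custom logout web-page", "Custom agent-directory",
    "Static COS", "COS", "Client DSCP", "CAC mode", "CAC sessions", "User idle timeout",
    "Idle client probing", "Keep initial vlan", "Web Portal Session Timeout",
    "Mesh enabled", "Web Portal ACL", "Bridging enabled", "Load Balance Exempt",
    "Web Portal Logout", "Custom Web Portal Logout URL", "WEP Key 1 value",
    "WEP Key 2 value", "WEP Key 3 value", "WEP Key 4 value", "WEP Unicast Index",
    "WEP Multicast Index", "Shared Key Auth", "WPA enabled", "RSN enabled",
    "11a beacon rate", "11b beacon rate", "11g beacon rate", "11a mandatory rate",
    "11b mandatory rate", "11g mandatory rate", "multicast rate", "standard rates",
]
# Longest label first, so the alternation cannot stop at a shorter label.
KEY_RE = re.compile(
    r"(?:^|(?<=\s))("
    + "|".join(re.escape(n) for n in sorted(FIELD_NAMES, key=len, reverse=True))
    + r"):"
)
WEP_KEYS = ("WEP Key 1 value", "WEP Key 2 value", "WEP Key 3 value", "WEP Key 4 value")


def parse_service_profile(text):
    """Turn the two-column 'Field: value Field: value' display into a dict."""
    fields = {}
    for line in text.splitlines():
        band = line[:3] if line.startswith(("11a", "11b", "11g")) else None
        matches = list(KEY_RE.finditer(line))
        for i, m in enumerate(matches):
            end = matches[i + 1].start() if i + 1 < len(matches) else len(line)
            key = m.group(1)
            if band and not key.startswith(band):  # "multicast rate" repeats per band
                key = f"{band} {key}"
            fields[key] = line[m.end():end].strip()
    return fields


def audit_service_profile(fields):
    """Findings a reviewer would raise from the settings Table 12-19 describes."""
    findings = []
    if fields.get("ssid-type") == "clear":
        findings.append("ssid-type clear: wireless traffic for this SSID is unencrypted")
    if fields.get("Auth fallthru") == "last-resort":
        findings.append("auth fallthru last-resort: unknown users get access without credentials")
    preset = [k for k in WEP_KEYS if fields.get(k, "none") not in ("none", "<none>")]
    if preset:
        findings.append("static WEP keys configured (%s): WEP is not a sound cipher" % ", ".join(preset))
    if fields.get("Shared Key Auth", "").upper() == "YES":
        findings.append("shared-key authentication enabled: weaker than open auth with WPA/RSN")
    if (fields.get("ssid-type") == "crypto" and not preset
            and "WPA enabled" not in fields and "RSN enabled" not in fields):
        findings.append("crypto SSID with no WEP key and no WPA/RSN IE: confirm a cipher is enabled")
    return findings


# The page's own example output for service profile sp1.
SP1_OUTPUT = """\
MX# show service-profile sp1
ssid-name: corp2 ssid-type: crypto
Beacon: yes Proxy ARP: no
DHCP restrict: no No broadcast: no
Short retry limit: 5 Long retry limit: 5
Auth fallthru: none Sygate On-Demand (SODA): no
Enforce SODA checks: yes SODA remediation ACL:
Custom success web-page: Custom failure web-page:
Custom logout web-page: Custom agent-directory:
Static COS: no COS: 0
Client DSCP: no CAC mode: none
CAC sessions: 14 User idle timeout: 180
Idle client probing: yes Keep initial vlan: no
Web Portal Session Timeout: 5 Mesh enabled: no
Web Portal ACL: Bridging enabled: no
Load Balance Exempt: no Web Portal Logout: no
Custom Web Portal Logout URL:
WEP Key 1 value: <none> WEP Key 2 value: <none>
WEP Key 3 value: <none> WEP Key 4 value: <none>
WEP Unicast Index: 1 WEP Multicast Index: 1
Shared Key Auth: NO
11a beacon rate: 6.0 multicast rate: AUTO
11a mandatory rate: 6.0,12.0,24.0 standard rates: 9.0,18.0,36.0,48.0,54.0
11b beacon rate: 2.0 multicast rate: AUTO
11b mandatory rate: 1.0,2.0 standard rates: 5.5,11.0
11g beacon rate: 2.0 multicast rate: AUTO
11g mandatory rate: 1.0,2.0,5.5,11.0 standard rates: 6.0,9.0,12.0,18.0,24.0,36.0,48.0,54.0
"""
# Constructed profile with weak settings (not from the page).
WEAK_OUTPUT = """\
ssid-name: guest ssid-type: clear
Auth fallthru: last-resort Sygate On-Demand (SODA): no
WEP Key 1 value: preset WEP Key 2 value: <none>
Shared Key Auth: YES
"""

if __name__ == "__main__":
    for name, text in (("sp1 (page example)", SP1_OUTPUT), ("weak (constructed)", WEAK_OUTPUT)):
        print(name, audit_service_profile(parse_service_profile(text)) or ["no findings"])
```

On the page's sp1 output the only finding is the last check: the SSID is crypto, all four WEP keys are <none>, and no WPA or RSN lines are present, so a reviewer would confirm that a cipher is actually enabled before trusting the "crypto" label.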
show service-profile cac session
Displays current session counts on all MPs using the specified service profile, when session-based CAC is enabled.
Syntax
show service-profile profile-name cac session
profile-name Displays information about the named service profile.
Defaults
None.
Access
Enabled.
History
Introduced in MSS Version 6.0.
Examples
The following command displays information about session counts for service profile sp1:
MX# show service-profile sp1 cac session
Service Profile sp1
CAC Mode SESSION
Max Sessions 14
Table 12–20 describes the fields displayed by the show service-profile cac session command.
Table 12–20. Output for show service-profile cac session
Field Description
Service Profile Name of the service profile.
CAC Mode CAC mode, either SESSION or NONE.
Max Sessions The number of CAC sessions available on MPs managed by this service profile.
See Also
set service-profile cac-mode on page 12-290
set service-profile cac-session on page 12-291
13
STP Commands
Use Spanning Tree Protocol (STP) commands to configure and manage spanning trees on the virtual LANs (VLANs) configured on an MX, to maintain a loop-free network. This chapter presents STP commands alphabetically. Use the following table to locate commands in this chapter based on their use.
STP State set spantree on page 13-358
show spantree on page 13-364
show spantree blockedports on page 13-367
Bridge Priority set spantree priority on page 13-363
Port Cost set spantree portcost on page 13-360
set spantree portvlancost on page 13-362
show spantree portvlancost on page 13-368
clear spantree portcost on page 13-355
clear spantree portvlancost on page 13-357
Port Priority set spantree portpri on page 13-362
set spantree portvlanpri on page 13-363
clear spantree portpri on page 13-356
clear spantree portvlanpri on page 13-357
Timers set spantree fwddelay on page 13-359
set spantree hello on page 13-359
set spantree maxage on page 13-360
Fast Convergence set spantree portfast on page 13-361
show spantree portfast on page 13-367
set spantree backbonefast on page 13-359
show spantree backbonefast on page 13-366
set spantree uplinkfast on page 13-364
show spantree uplinkfast on page 13-373
Statistics show spantree statistics on page 13-369
clear spantree statistics on page 13-358
clear spantree portcost
Resets to the default value the cost of a network port or ports on paths to the STP root bridge in all VLANs on an MX.
Syntax
clear spantree portcost port-list
port-list List of ports. The port cost is reset on the specified ports.
Defaults
None.
Access
Enabled.
History
Introduced in MSS Version 1.0.
Usage
This command resets the cost in all VLANs. To reset the cost for only specific VLANs, use the clear spantree portvlancost command.
Examples
The following command resets the STP port cost on ports 5 and 6 to the default value:
MX# clear spantree portcost 5-6
success: change accepted.
See Also
clear spantree portvlancost on page 13-357
set spantree portcost on page 13-360
set spantree portvlancost on page 13-362
show spantree on page 13-364
show spantree portvlancost on page 13-368
clear spantree portpri
Resets the configuration to the default value for the priority of a network port or ports for selection as part of the path to the STP root bridge in all VLANs on an MX.
Syntax
clear spantree portpri port-list
port-list List of ports. The port priority is reset to 32 (the default) on the specified ports.
Defaults
None.
Access
Enabled.
History
Introduced in MSS Version 1.0.
Usage
This command resets the priority in all VLANs. To reset the priority for only specific VLANs, use the clear spantree portvlanpri command.
Examples
The following command resets the STP priority on port 9 to the default:
MX# clear spantree portpri 9
success: change accepted.
See Also
clear spantree portvlanpri on page 13-357
set spantree portpri on page 13-362
set spantree portvlanpri on page 13-363
show spantree on page 13-364
clear spantree portvlancost
Resets to the default value the cost of a network port or ports on paths to the STP root bridge for a specific VLAN on an MX switch, or for all VLANs.
Syntax
clear spantree portvlancost port-list {all | vlan vlan-id}
port-list List of ports. The port cost is reset on the specified ports.
all Resets the cost for all VLANs.
vlan vlan-id VLAN name or number. MSS resets the cost for only the specified VLAN.
Defaults
None.
Access
Enabled.
History
Introduced in MSS Version 1.0.
Usage
MSS does not change the port cost for VLANs other than the one(s) you specify.
Examples
The following command resets the STP cost for port 12 in VLAN sunflower:
MX# clear spantree portvlancost 12 vlan sunflower
success: change accepted.
See Also
clear spantree portcost on page 13-355
set spantree portcost on page 13-360
set spantree portvlancost on page 13-362
show spantree on page 13-364
show spantree portvlancost on page 13-368
clear spantree portvlanpri
Resets to the default value the priority of a network port or ports for selection as part of the path to the STP root bridge, on one VLAN or all VLANs.
Syntax
clear spantree portvlanpri port-list {all | vlan vlan-id}
port-list List of ports. The port priority is reset to 32 (the default) on the specified ports.
all Resets the priority for all VLANs.
vlan vlan-id VLAN name or number. MSS resets the priority for only the specified VLAN.
Defaults
None.
Access
Enabled.
History
Introduced in MSS Version 1.0.
Usage
MSS does not change the port priority for VLANs other than the one(s) you specify.
Examples
The following command resets the STP priority for port 20 in VLAN avocado:
MX# clear spantree portvlanpri 20 vlan avocado
success: change accepted.
See Also
clear spantree portpri on page 13-356
set spantree portpri on page 13-362
set spantree portvlanpri on page 13-363
show spantree on page 13-364
clear spantree statistics
Clears STP statistics counters for a network port or ports and resets them to 0.
Syntax
clear spantree statistics port-list [vlan vlan-id]
port-list List of ports. Statistics counters are reset on the specified ports.
vlan vlan-id VLAN name or number. MSS resets statistics counters for only the specified VLAN.
Defaults
None.
Access
Enabled.
History
Introduced in MSS Version 1.0.
Examples
The following command clears STP statistics counters for ports 5, 11, and 19 through 22, for all VLANs:
MX# clear spantree statistics 5,11,19-22
success: change accepted.
See Also
show spantree statistics on page 13-369
set spantree
Enables or disables STP on one VLAN or all VLANs configured on an MX.
Syntax
set spantree {enable | disable} [{all | vlan vlan-id | port port-list vlan-id}]
enable Enables STP.
disable Disables STP.
all Enables or disables STP on all VLANs.
vlan vlan-id VLAN name or number. MSS enables or disables STP on only the specified VLAN, on all ports within the VLAN.
port port-list vlan-id Port number or list and the VLAN the ports are in. MSS enables or disables STP on only the specified ports, within the specified VLAN.
Defaults
Disabled.
Access
Enabled.
History
Introduced in MSS Version 1.0.
Examples
The following command enables STP on all VLANs configured on an MX:
MX# set spantree enable
success: change accepted.
The following command disables STP on VLAN burgundy:
MX# set spantree disable vlan burgundy
success: change accepted.
See Also
show spantree on page 13-364
set spantree backbonefast
Enables or disables STP backbone fast convergence on an MX. This feature accelerates port recovery following the failure of an indirect link.
Syntax
set spantree backbonefast {enable | disable}
enable Enables backbone fast convergence.
disable Disables backbone fast convergence.
Defaults
STP backbone fast path convergence is disabled by default.
Access
Enabled.
History
Introduced in MSS Version 1.0.
Usage
If you plan to use the backbone fast convergence feature, you must enable it on all the bridges in the spanning tree.
Examples
The following command enables backbone fast convergence:
MX# set spantree backbonefast enable
success: change accepted.
See Also
show spantree backbonefast on page 13-366
set spantree fwddelay
Changes the period of time after a topology change that an MX which is not the root bridge waits to begin forwarding Layer 2 traffic on one or all of the configured VLANs. (The root bridge always forwards traffic.)
Syntax
set spantree fwddelay delay {all | vlan vlan-id}
delay Delay value. You can specify from 4 through 30 seconds.
all Changes the forwarding delay on all VLANs.
vlan vlan-id VLAN name or number. MSS changes the forwarding delay on only the specified VLAN.
Defaults
The default forwarding delay is 15 seconds.
Access
Enabled.
History
Introduced in MSS Version 1.0.
Examples
The following command changes the forwarding delay on VLAN pink to 20 seconds:
MX# set spantree fwddelay 20 vlan pink
success: change accepted.
See Also
show spantree on page 13-364
set spantree hello
Changes the interval between STP hello messages sent by an MX when operating as the root bridge, on one or all of the configured VLANs.
Syntax
set spantree hello interval {all | vlan vlan-id}
interval Interval value. You can specify from 1 through 10 seconds.
all Changes the interval on all VLANs.
vlan vlan-id VLAN name or number. MSS changes the interval on only the specified VLAN.
Defaults
The default hello timer interval is 2 seconds.
Access
Enabled.
History
Introduced in MSS Version 1.0.
Examples
The following command changes the hello interval for all VLANs to 4 seconds:
MX# set spantree hello 4 all
success: change accepted.
See Also
show spantree on page 13-364
set spantree maxage
Changes the maximum age for an STP root bridge hello packet that is acceptable to an MX acting as a designated bridge on one or all of its VLANs. After waiting this period of time for a new hello packet, the MX determines that the root bridge is unavailable and issues a topology change message.
Syntax
set spantree maxage aging-time {all | vlan vlan-id}
aging-time Maximum age value. You can specify from 6 through 40 seconds.
all Changes the maximum age on all VLANs.
vlan vlan-id VLAN name or number. MSS changes the maximum age on only the specified VLAN.
Defaults
The default maximum age for root bridge hello packets is 20 seconds.
Access
Enabled.
History
Introduced in MSS Version 1.0.
Examples
The following command changes the maximum acceptable age for root bridge hello packets on all VLANs to 15 seconds:
MX# set spantree maxage 15 all
success: change accepted.
See Also
show spantree on page 13-364
set spantree portcost
Changes the cost that transmission through a network port or ports in the default VLAN on an MX adds to the total cost of a path to the STP root bridge.
Syntax
set spantree portcost port-list cost cost
port-list List of ports. MSS applies the cost change to all the specified ports.
cost cost Numeric value. You can specify a value from 1 through 65,535. STP selects lower-cost paths over higher-cost paths.
Defaults
The default port cost depends on the port speed and link type. Table 1 lists the defaults for STP port path cost.
Table 1. STP Port Path Cost Defaults
Port Speed   Link Type                                  Default Port Path Cost
1000 Mbps    Full Duplex Aggregate Link (Port Group)    19
1000 Mbps    Full Duplex                                4
100 Mbps     Full Duplex Aggregate Link (Port Group)    19
100 Mbps     Full Duplex                                18
100 Mbps     Half Duplex                                19
10 Mbps      Full Duplex Aggregate Link (Port Group)    19
10 Mbps      Full Duplex                                95
10 Mbps      Half Duplex                                100
Access
Enabled.
History
Introduced in MSS Version 1.0.
Usage
This command applies only to the default VLAN (VLAN 1). To change the cost of a port in another VLAN, use the set spantree portvlancost command.
Examples
The following command changes the cost on ports 3 and 4 to 20:
MX# set spantree portcost 3,4 cost 20
success: change accepted.
See Also
clear spantree portcost on page 13-355
clear spantree portvlancost on page 13-357
set spantree portvlancost on page 13-362
show spantree on page 13-364
show spantree portvlancost on page 13-368
set spantree portfast
Enables or disables STP port fast convergence on one or more ports on an MX.
Syntax
set spantree portfast port port-list {enable | disable}
port port-list List of ports. MSS enables the feature on the specified ports.
enable Enables port fast convergence.
disable Disables port fast convergence.
Defaults
STP port fast convergence is disabled by default.
Access
Enabled.
History
Introduced in MSS Version 1.0.
Usage
Use port fast convergence on ports that are directly connected to servers, hosts, or other MAC stations.
Examples
The following command enables port fast convergence on ports 9, 11, and 13:
MX# set spantree portfast port 9,11,13 enable
success: change accepted.
See Also
show spantree portfast on page 13-367
set spantree portpri
Changes the STP priority of a network port or ports for selection as part of the path to the STP root bridge in the default VLAN on an MX.
Syntax
set spantree portpri port-list priority value
port-list List of ports. MSS changes the priority on the specified ports.
priority value Priority value. You can specify a value from 0 (highest) through 255 (lowest).
Defaults
The default STP priority for all network ports is 128.
Access
Enabled.
History
Introduced in MSS Version 1.0.
Usage
This command applies only to the default VLAN (VLAN 1). To change the priority of a port in another VLAN, use the set spantree portvlanpri command.
Examples
The following command sets the priority of ports 3 and 4 to 48:
MX# set spantree portpri 3-4 priority 48
success: change accepted.
See Also
clear spantree portpri on page 13-356
clear spantree portvlanpri on page 13-357
set spantree portvlanpri on page 13-363
show spantree on page 13-364
set spantree portvlancost
Changes the cost of a network port or ports on paths to the STP root bridge for a specific VLAN on an MX switch.
Syntax
set spantree portvlancost port-list cost cost {all | vlan vlan-id}
port-list List of ports. MSS applies the cost change to all the specified ports.
cost cost Numeric value. You can specify a value from 1 through 65,535. STP selects lower-cost paths over higher-cost paths.
all Changes the cost on all VLANs.
vlan vlan-id VLAN name or number. MSS changes the cost on only the specified VLAN.
Defaults
The default port cost depends on the port speed and link type. (See Table 1 on page 361.)
Access
Enabled.
History
Introduced in MSS Version 1.0.
Examples
The following command changes the cost on ports 3 and 4 to 20 in VLAN mauve:
MX# set spantree portvlancost 3,4 cost 20 vlan mauve
success: change accepted.
See Also
clear spantree portcost on page 13-355
clear spantree portvlancost on page 13-357
set spantree portcost on page 13-360
show spantree on page 13-364
show spantree portvlancost on page 13-368
set spantree portvlanpri
Changes the priority of a network port or ports for selection as part of the path to the STP root bridge, on one VLAN or all VLANs.
Syntax
set spantree portvlanpri port-list priority value {all | vlan vlan-id}
port-list List of ports. MSS changes the priority on the specified ports.
priority value Priority value. You can specify a value from 0 (highest) through 255 (lowest).
all Changes the priority on all VLANs.
vlan vlan-id VLAN name or number. MSS changes the priority on only the specified VLAN.
Defaults
The default STP priority for all network ports is 128.
Access
Enabled.
History
Introduced in MSS Version 1.0.
Examples
The following command sets the priority of ports 3 and 4 to 48 on VLAN mauve:
MX# set spantree portvlanpri 3-4 priority 48 vlan mauve
success: change accepted.
See Also
clear spantree portpri on page 13-356
clear spantree portvlanpri on page 13-357
set spantree portpri on page 13-362
show spantree on page 13-364
set spantree priority
Changes the STP root bridge priority of an MX switch on one or all of its VLANs.
Syntax
set spantree priority value {all | vlan vlan-id}
priority value Priority value. You can specify a value from 0 through 65,535. The bridge with the lowest priority value is elected to be the root bridge for the spanning tree.
all Changes the bridge priority on all VLANs.
vlan vlan-id VLAN name or number. MSS changes the bridge priority on only the specified VLAN.
Defaults
The default root bridge priority for the MX on all VLANs is 32,768.
Access
Enabled.
History
Introduced in MSS Version 1.0.
Examples
The following command sets the bridge priority of VLAN pink to 69:
MX# set spantree priority 69 vlan pink
success: change accepted.
See Also
show spantree on page 13-364
set spantree uplinkfast
Enables or disables STP uplink fast convergence on an MX. This feature enables an MX with redundant links to the network backbone to immediately switch to the backup link to the root bridge if the primary link fails.
Syntax
set spantree uplinkfast {enable | disable}
enable Enables uplink fast convergence.
disable Disables uplink fast convergence.
Defaults
Disabled.
Access
Enabled.
History
Introduced in MSS Version 1.0.
Usage
The uplink fast convergence feature is applicable to bridges acting as access switches to the network core (distribution layer) that are not in the core themselves. Do not enable the feature on MX switches that are in the network core.
Examples
The following command enables uplink fast convergence:
MX# set spantree uplinkfast enable
success: change accepted.
See Also
show spantree uplinkfast on page 13-373
show spantree
Displays STP configuration and port-state information.
Syntax
show spantree [port port-list | vlan vlan-id] [active]
port port-list List of ports. If you do not specify any ports, MSS displays STP information for all ports.
vlan vlan-id VLAN name or number. If you do not specify a VLAN, MSS displays STP information for all VLANs.
active Displays information for only the active (forwarding) ports.
Defaults
None.
Access
All.
History
Version 1.0 Command introduced
Version 4.2 Value STP Off added for STP-State and Port-State fields. This state indicates that STP is disabled on the port. The Disabled state is still used, but only to indicate that the port is not forwarding traffic.
Examples
The following command displays STP information for VLAN default:
MX# show spantree vlan default
VLAN 1
Spanning Tree Mode PVST+
Spanning Tree Type IEEE
Spanning Tree Enabled
Designated Root 00-02-4a-70-49-f7
Designated Root Priority 32768
Designated Root Path Cost 19
Designated Root Port 1
Root Max Age 20 sec Hello Time 2 sec Forward Delay 15 sec
Bridge ID MAC ADDR 00-0b-0e-02-76-f7
Bridge ID Priority 32768
Bridge Max Age 20 sec Hello Time 2 sec Forward Delay 15 sec
Port   Vlan   STP-State    Cost   Prio   Portfast
------------------------------------------------------------------------------
1      1      Forwarding   19     128    Disabled
2      1      STP Off      19     128    Disabled
3      1      Disabled     19     128    Disabled
4      1      Disabled     19     128    Disabled
5      1      Disabled     19     128    Disabled
6      1      Disabled     19     128    Disabled
7      1      Disabled     19     128    Disabled
8      1      Disabled     19     128    Disabled
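Turning this display into a structured record is the basis for a routine check: whether this MX is the root (its Bridge ID MAC ADDR equals the Designated Root), whether the Designated Root is the bridge you intended, and which ports report STP Off, where a loop would not be blocked. The following Python is an added example, not Trapeze code. The sample input is the output above; the expected root MAC passed to review_spantree is whatever you recorded for your intended root. Listening and Learning in the port regex are the remaining 802.1D port states, not shown in this output, and Designated Root Port is kept as text because Table 13–1 says it can read "We are the root".

```python
import re

# The show spantree vlan default output from the page's example, used as sample input.
SHOW_SPANTREE_EXAMPLE = """\
VLAN 1
Spanning Tree Mode PVST+
Spanning Tree Type IEEE
Spanning Tree Enabled
Designated Root 00-02-4a-70-49-f7
Designated Root Priority 32768
Designated Root Path Cost 19
Designated Root Port 1
Root Max Age 20 sec Hello Time 2 sec Forward Delay 15 sec
Bridge ID MAC ADDR 00-0b-0e-02-76-f7
Bridge ID Priority 32768
Bridge Max Age 20 sec Hello Time 2 sec Forward Delay 15 sec
Port   Vlan   STP-State    Cost   Prio   Portfast
------------------------------------------------------------------------------
1      1      Forwarding   19     128    Disabled
2      1      STP Off      19     128    Disabled
3      1      Disabled     19     128    Disabled
4      1      Disabled     19     128    Disabled
5      1      Disabled     19     128    Disabled
6      1      Disabled     19     128    Disabled
7      1      Disabled     19     128    Disabled
8      1      Disabled     19     128    Disabled
"""

# Scalar labels from Table 13-1 with the key and converter to store them under.
# Checked longest label first so "Designated Root Priority" is not read as
# "Designated Root" with the value "Priority 32768".
SCALARS = {
    "Designated Root Path Cost": ("root_path_cost", int),
    "Designated Root Priority": ("root_priority", int),
    "Designated Root Port": ("root_port", str),  # may read "We are the root"
    "Designated Root": ("designated_root", str),
    "Bridge ID MAC ADDR": ("bridge_mac", str),
    "Bridge ID Priority": ("bridge_priority", int),
}
SCALAR_ORDER = sorted(SCALARS.items(), key=lambda kv: -len(kv[0]))
TIMER_RE = re.compile(
    r"^(Root|Bridge) Max Age (\d+) sec Hello Time (\d+) sec Forward Delay (\d+) sec$"
)
PORT_RE = re.compile(
    r"^(\d+)\s+(\d+)\s+(Forwarding|Blocking|Listening|Learning|Disabled|STP Off)"
    r"\s+(\d+)\s+(\d+)\s+(\S+)$"
)


def parse_show_spantree(text):
    """Parse one VLAN's show spantree output into a dict with a 'ports' list."""
    info = {"ports": []}
    for raw in text.splitlines():
        line = raw.strip()
        m = PORT_RE.match(line)
        if m:
            port, vlan, state, cost, prio, portfast = m.groups()
            info["ports"].append({"port": int(port), "vlan": int(vlan), "state": state,
                                  "cost": int(cost), "prio": int(prio), "portfast": portfast})
            continue
        m = TIMER_RE.match(line)
        if m:  # root_timers / bridge_timers as (max age, hello, forward delay)
            info[m.group(1).lower() + "_timers"] = tuple(int(x) for x in m.groups()[1:])
            continue
        for label, (key, conv) in SCALAR_ORDER:
            if line.startswith(label + " "):
                info[key] = conv(line[len(label):].strip())
                break
    return info


def is_root(info):
    """True when this MX is the root bridge: its own MAC is the designated root."""
    return info["designated_root"].lower() == info["bridge_mac"].lower()


def review_spantree(info, expected_root_mac):
    """Findings for an operator: unexpected root bridge, ports with STP switched off."""
    findings = []
    if info["designated_root"].lower() != expected_root_mac.lower():
        findings.append(f"designated root is {info['designated_root']}, expected "
                        f"{expected_root_mac}: another bridge has won the root election")
    off = [p["port"] for p in info["ports"] if p["state"] == "STP Off"]
    if off:
        findings.append(f"STP Off on ports {off}: a loop through these ports is not blocked")
    return findings


if __name__ == "__main__":
    parsed = parse_show_spantree(SHOW_SPANTREE_EXAMPLE)
    print("this MX is root:", is_root(parsed))
    for finding in review_spantree(parsed, "00-02-4a-70-49-f7"):
        print("finding:", finding)
```

On the page's output the MX is not the root (root path cost 19 through port 1), and the single finding is port 2 in the STP Off state; passing the MX's own MAC as the expected root adds a second finding, since the designated root is a different bridge.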
Table 13-1 describes the fields in this display.
Table 13-1. Output for show spantree
Field: Description
VLAN: VLAN number.
Spanning Tree Mode: In the current software version, the mode is always PVST+, which means Per VLAN Spanning Tree+.
Spanning Tree Type: In the current software version, the type is always IEEE, which means STP is based on the IEEE 802 standards.
Spanning Tree Enabled: State of STP on the VLAN.
Designated Root: MAC address of the spanning tree root bridge.
Designated Root Priority: Bridge priority of the root bridge.
Designated Root Path Cost: Cumulative cost from this bridge to the root bridge. If this MX is the root bridge, then the root cost is 0.
Designated Root Port: Port through which this MX reaches the root bridge. If this MX switch is the root bridge, this field says We are the root.
Root Max Age: Maximum acceptable age for hello packets on the root bridge.
Root Hello Time: Hello interval on the root bridge.
Root Forward Delay: Forwarding delay value on the root bridge.
Bridge ID MAC ADDR: The MX MAC address.
Bridge ID Priority: The MX bridge priority.
Bridge Max Age: The MX maximum acceptable age for hello packets.
Bridge Hello Time: The MX hello interval.
Bridge Forward Delay: The MX forwarding delay value.
Port: Port number. Note: Only network ports are listed. STP does not apply to MP ports or wired authentication ports.
Vlan: VLAN ID.
STP-State or Port-State: STP state of the port:
    Blocking—The port is not forwarding Layer 2 traffic but is listening to and forwarding STP control traffic.
    Disabled—This state can indicate any of the following conditions: the port is inactive; the port is disabled; or STP is enabled on the port but the port is not forwarding traffic (the port is active and enabled but STP has just started to come up).
    Forwarding—The port is forwarding Layer 2 traffic.
    Learning—The port is learning the locations of other devices in the spanning tree before changing state to forwarding.
    Listening—The port is comparing its own STP information with information in STP control packets received by the port to compute the spanning tree and change state to blocking or forwarding.
    STP Off—STP is disabled on the port.
Cost: STP cost of the port.
Prio: STP priority of the port.
Portfast: State of the uplink fast convergence feature: Enabled or Disabled.
See Also
show spantree blockedports on page 13-367
show spantree backbonefast
Indicates whether the STP backbone fast convergence feature is enabled or disabled.
Syntax
show spantree backbonefast
Defaults
None.
Access
All.
History
Introduced in MSS Version 1.0.
Examples
The following example shows the command output on an MX with backbone fast convergence enabled:
MX# show spantree backbonefast
Backbonefast is enabled
See Also
set spantree backbonefast on page 13-359
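Operators read the show spantree display described in Table 13-1 to confirm that the expected bridge is still the root and that ports are in the states they should be in; the Version 4.2 distinction between STP Off (STP disabled on the port) and Disabled (port not forwarding) matters for that check. The following Python parser is an added example, not code from the guide or from MSS; it reads the guide's own show spantree vlan default output, embedded as sample input, and compares the designated root against a root MAC the caller expects.

```python
import re

# Sample display, copied from the guide's "show spantree vlan default" example.
SAMPLE = """\
VLAN 1
Spanning Tree Mode PVST+
Spanning Tree Type IEEE
Spanning Tree Enabled
Designated Root 00-02-4a-70-49-f7
Designated Root Priority 32768
Designated Root Path Cost 19
Designated Root Port 1
Root Max Age 20 sec Hello Time 2 sec Forward Delay 15 sec
Bridge ID MAC ADDR 00-0b-0e-02-76-f7
Bridge ID Priority 32768
Bridge Max Age 20 sec Hello Time 2 sec Forward Delay 15 sec
Port Vlan STP-State Cost Prio Portfast
------------------------------------------------------------------------------
1 1 Forwarding 19 128 Disabled
2 1 STP Off 19 128 Disabled
3 1 Disabled 19 128 Disabled
4 1 Disabled 19 128 Disabled
5 1 Disabled 19 128 Disabled
6 1 Disabled 19 128 Disabled
7 1 Disabled 19 128 Disabled
8 1 Disabled 19 128 Disabled
"""

# One port row. The state column may contain a space ("STP Off"), so the
# six states listed in Table 13-1 are matched explicitly.
PORT_RE = re.compile(
    r"^(\d+)\s+(\d+)\s+(Blocking|Disabled|Forwarding|Learning|Listening|STP Off)"
    r"\s+(\d+)\s+(\d+)\s+(Enabled|Disabled)$"
)
TIMER_RE = re.compile(
    r"^(Root|Bridge) Max Age (\d+) sec Hello Time (\d+) sec Forward Delay (\d+) sec$"
)
# Header fields, longest first so that "Designated Root" does not swallow
# "Designated Root Port" and the other prefixed names.
HEADER_FIELDS = (
    ("Designated Root Path Cost", "root_path_cost"),
    ("Designated Root Priority", "root_priority"),
    ("Designated Root Port", "root_port"),
    ("Designated Root", "root_mac"),
    ("Bridge ID MAC ADDR", "bridge_mac"),
    ("Bridge ID Priority", "bridge_priority"),
    ("Spanning Tree Mode", "mode"),
    ("Spanning Tree Type", "type"),
    ("VLAN", "vlan"),
)


def parse_show_spantree(text):
    """Parse one VLAN block of 'show spantree' into a dict plus a port list."""
    info = {"ports": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("-") or line.startswith("Port Vlan"):
            continue
        m = PORT_RE.match(line)
        if m:
            info["ports"].append({
                "port": int(m.group(1)), "vlan": int(m.group(2)),
                "state": m.group(3), "cost": int(m.group(4)),
                "prio": int(m.group(5)), "portfast": m.group(6) == "Enabled",
            })
            continue
        m = TIMER_RE.match(line)
        if m:
            info[m.group(1).lower() + "_timers"] = {
                "max_age": int(m.group(2)), "hello": int(m.group(3)),
                "forward_delay": int(m.group(4)),
            }
            continue
        # "Spanning Tree Enabled" is on the page; the Disabled wording is assumed.
        if line.startswith("Spanning Tree ") and line.split()[-1] in ("Enabled", "Disabled"):
            info["enabled"] = line.endswith("Enabled")
            continue
        for field, key in HEADER_FIELDS:
            if line.startswith(field + " "):
                value = line[len(field) + 1:].strip()
                # "Designated Root Port" reads "We are the root" on the root bridge
                info[key] = int(value) if value.isdigit() else value
                break
    return info


def audit_spantree(info, expected_root_mac):
    """Summarise the display as an operator would check it: is the expected
    bridge still the root, which port leads to it, and which ports are in
    which state (STP Off = STP disabled on the port; Disabled = not forwarding)."""
    by_state = {}
    for p in info["ports"]:
        by_state.setdefault(p["state"], []).append(p["port"])
    root_mac = str(info.get("root_mac", "")).lower()
    return {
        "we_are_root": root_mac == str(info.get("bridge_mac", "")).lower(),
        "root_is_expected": root_mac == expected_root_mac.lower(),
        "root_port": info.get("root_port"),
        "root_path_cost": info.get("root_path_cost"),
        "forwarding": by_state.get("Forwarding", []),
        "blocking": by_state.get("Blocking", []),
        "stp_off": by_state.get("STP Off", []),
        "disabled": by_state.get("Disabled", []),
        "portfast_ports": [p["port"] for p in info["ports"] if p["portfast"]],
    }


if __name__ == "__main__":
    print(audit_spantree(parse_show_spantree(SAMPLE), "00-02-4a-70-49-f7"))
```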
show spantree blockedports
Lists information about MX ports that STP has blocked on one or all of the VLANs.
Syntax
show spantree blockedports [vlan vlan-id]
vlan vlan-id: VLAN name or number. If you do not specify a VLAN, MSS displays information for blocked ports on all VLANs.
Defaults
None.
Access
All.
History
Introduced in MSS Version 1.0.
Usage
The command lists information separately for each VLAN.
Examples
The following command shows information about blocked ports on an MX for the default VLAN (VLAN 1):
MX# show spantree blockedports vlan default
Port Vlan Port-State Cost Prio Portfast
------------------------------------------------------------------------
22 190 Blocking 4 128 Disabled
Number of blocked ports (segments) in VLAN 1 : 1
The port information is the same as the information displayed by the show spantree command. See Table 13-1 on page 365.
See Also
show spantree on page 13-364
show spantree portfast
Displays STP uplink fast convergence information for all network ports or for one or more network ports.
Syntax
show spantree portfast [port-list]
port-list: List of ports. If you do not specify any ports, MSS displays uplink fast convergence information for all ports.
Defaults
None.
Access
All.
History
Introduced in MSS Version 1.0.
Examples
The following command shows uplink fast convergence information for all ports:
MX# show spantree portfast
Port Vlan Portfast
------------------------- ---- ----------
1 1 disable
2 1 disable
3 1 disable
4 1 enable
5 1 disable
6 1 disable
7 1 disable
8 1 disable
10 1 disable
15 1 disable
16 1 disable
17 1 disable
18 1 disable
19 1 disable
20 1 disable
21 1 disable
22 1 disable
11 2 enable
12 2 disable
13 2 disable
14 2 enable
Table 13-2 describes the fields in this display.
Table 13-2. Output for show spantree portfast
Field: Description
Port: Port number.
VLAN: VLAN number.
Portfast: State of the uplink fast convergence feature: Enable or Disable.
See Also
set spantree portfast on page 13-361
show spantree portvlancost
Displays the cost of a port on the path to the STP root bridge, for each of the port's VLANs.
Syntax
show spantree portvlancost port-list
port-list: List of ports.
Defaults
None.
Access
All.
History
Introduced in MSS Version 1.0.
Examples
The following command shows the STP port cost of port 1:
MX# show spantree portvlancost 1
port 1 VLAN 1 have path cost 19
See Also
clear spantree portcost on page 13-355
clear spantree portvlancost on page 13-357
set spantree portcost on page 13-360
set spantree portvlancost on page 13-362
show spantree on page 13-364
show spantree statistics
Displays STP statistics for one or more MX network ports.
Syntax
show spantree statistics [port-list [vlan vlan-id]]
port-list: List of ports. If you do not specify any ports, MSS displays STP statistics for all ports.
vlan vlan-id: VLAN name or number. If you do not specify a VLAN, MSS displays STP statistics for all VLANs.
Defaults
None.
Access
All.
History
Introduced in MSS Version 1.0.
Usage
The command displays statistics separately for each port.
Examples
The following command shows STP statistics for port 1:
MX# show spantree statistics 1
BPDU related parameters
Port 1 VLAN 1
spanning tree enabled for VLAN = 1
port spanning tree enabled
state Forwarding
port_id 0x8015
port_number 0x15
path cost 0x4
message age (port/VLAN) 0(20)
designated_root 00-0b-0e-00-04-30
designated cost 0x0
designated_bridge 00-0b-0e-00-04-30
designated_port 38
top_change_ack FALSE
config_pending FALSE
port_inconsistency none
Port based information statistics
config BPDU's xmitted(port/VLAN) 0 (1)
config BPDU's received(port/VLAN) 21825 (43649)
tcn BPDU's xmitted(port/VLAN) 0 (0)
tcn BPDU's received(port/VLAN) 2 (2)
forward transition count (port/VLAN) 1 (1)
scp failure count 0
root inc trans count (port/VLAN) 1 (1)
inhibit loopguard FALSE
loop inc trans count 0 (0)
Status of Port Timers
forward delay timer INACTIVE
forward delay timer value 15
message age timer ACTIVE
message age timer value 0
topology change timer INACTIVE
topology change timer value 0
hold timer INACTIVE
hold timer value 0
delay root port timer INACTIVE
delay root port timer value 0
delay root port timer restarted is FALSE
VLAN based information & statistics
spanning tree type ieee
spanning tree multicast address 01-00-0c-cc-cc-cd
bridge priority 32768
bridge MAC address 00-0b-0e-12-34-56
bridge hello time 2
bridge forward delay 15
topology change initiator: 0
last topology change occured: Tue Jul 01 2003 22:33:36.
topology change FALSE
topology change time 35
topology change detected FALSE
topology change count 1
topology change last recvd. from 00-0b-0e-02-76-f6
Other port specific info
dynamic max age transition 0
port BPDU ok count 21825
msg age expiry count 0
link loading 0
BPDU in processing FALSE
num of similar BPDU's to process 0
received_inferior_bpdu FALSE
next state 0
src MAC count 21807
total src MAC count 21825
curr_src_mac 00-0b-0e-00-04-30
next_src_mac 00-0b-0e-02-76-f6
Table 13-3 describes the fields in this display.
Table 13-3. Output for show spantree statistics
Field: Description
Port: Port number.
VLAN: VLAN ID.
Spanning Tree enabled for vlan: State of the STP feature on the VLAN.
port spanning tree: State of the STP feature on the port.
state: STP state of the port:
    Blocking—The port is not forwarding Layer 2 traffic but is listening to and forwarding STP control traffic.
    Disabled—The port is not forwarding any traffic, including STP control traffic. The port might be administratively disabled or the link might be disconnected.
    Forwarding—The port is forwarding Layer 2 traffic.
    Learning—The port is learning the locations of other devices in the spanning tree before changing state to forwarding.
    Listening—The port is comparing its own STP information with information in STP control packets received by the port to compute the spanning tree and change state to blocking or forwarding.
port_id: STP port ID.
port_number: STP port number.
path cost: Cost to use this port to reach the root bridge. This is part of the total path cost (designated cost).
message age: Age of the protocol information for a port and the value of the maximum age parameter (shown in parentheses) recorded by the switch.
designated_root: MAC address of the root bridge.
designated cost: Total path cost to reach the root bridge.
designated_bridge: Bridge to which this MX forwards traffic away from the root bridge.
designated_port: STP port through which this MX forwards traffic away from the root bridge.
top_change_ack: Value of the topology change acknowledgment flag in the next configured bridge protocol data unit (BPDU) to be transmitted on the associated port. The flag is set in reply to a topology change notification BPDU.
config_pending: Indicates whether a configured BPDU is to be transmitted on expiration of the hold timer for the port.
port_inconsistency: Indicates whether the port is in an inconsistent state.
config BPDU's xmitted: Number of BPDUs transmitted from the port. A number in parentheses indicates the number of configured BPDUs transmitted by the MX for this VLAN's spanning tree.
config BPDU's received: Number of BPDUs received by this port. A number in parentheses indicates the number of configured BPDUs received by the MX switch for this VLAN's spanning tree.
tcn BPDU's xmitted: Number of topology change notification (TCN) BPDUs transmitted on this port.
tcn BPDU's received: Number of TCN BPDUs received on this port.
forward transition count: Number of times the port state transitioned to the forwarding state.
scp failure count: Number of service control point (SCP) failures.
root inc trans count: Number of times the root bridge changed.
inhibit loopguard: State of the loop guard. In the current release, the state is always FALSE.
loop inc trans count: Number of loops that have occurred.
forward delay timer: Status of the forwarding delay timer. This timer monitors the time spent by a port in the listening and learning states.
forward delay timer value: Current value of the forwarding delay timer, in seconds.
message age timer: Status of the message age timer. This timer measures the age of the received protocol information recorded for a port.
message age timer value: Current value of the message age timer, in seconds.
topology change timer: Status of the topology change timer. This timer determines the time period during which configured BPDUs are transmitted with the topology change flag set by this MX switch when it is the root bridge, after detection of a topology change.
topology change timer value: Current value of the topology change timer, in seconds.
hold timer: Status of the hold timer. This timer ensures that configured BPDUs are not transmitted too frequently through any bridge port.
hold timer value: Current value of the hold timer, in seconds.
delay root port timer: Status of the delay root port timer, which enables fast convergence when uplink fast convergence is enabled.
delay root port timer value: Current value of the delay root port timer.
delay root port timer restarted is: Whether the delay root port timer has been restarted.
spanning tree type: Type of spanning tree. The type is always IEEE.
spanning tree multicast address: Destination address used to send out configured BPDUs on a bridge port.
bridge priority: STP priority of this MX.
bridge MAC address: MAC address of this MX switch.
bridge hello time: Value of the hello timer interval, in seconds, when this MX switch is the root or is attempting to become the root.
bridge forward delay: Value of the forwarding delay interval, in seconds, when this MX switch is the root or is attempting to become the root.
topology change initiator: Port number that initiated the most recent topology change.
last topology change occurred: System time when the most recent topology change occurred.
topology change: Value of the topology change flag in configuration BPDUs to be transmitted by this MX switch on VLANs for which the switch is the designated bridge.
topology change time: Time period, in seconds, during which BPDUs are transmitted with the topology change flag set by this MX switch when it is the root bridge, after detection of a topology change. It is equal to the sum of the switch's maximum age and forwarding delay parameters.
topology change detected: Indicates whether a topology change has been detected by the switch.
topology change count: Number of times the topology change has occurred.
topology change last recvd. from: MAC address of the bridge from which the MX last received a topology change.
dynamic max age transition: Number of times the maximum age parameter was changed dynamically.
port BPDU ok count: Number of valid port BPDUs received.
msg age expiry count: Number of expired messages.
link loading: Indicates whether the link is oversubscribed.
BPDU in processing: Indicates whether BPDUs are currently being processed.
num of similar BPDU's to process: Number of similar BPDUs received on a port that need to be processed.
received_inferior_bpdu: Indicates whether the port has received an inferior BPDU or a response to a Root Link Query (RLQ) BPDU.
next state: Port state before it is set by STP.
src MAC count: Number of BPDUs with the same source MAC address.
total src MAC count: Number of BPDUs with all the source MAC addresses.
curr_src_mac: Source MAC address of the current received BPDU.
next_src_mac: Other source MAC address from a different source.
See Also
clear spantree statistics on page 13-358
show spantree uplinkfast
Displays uplink fast convergence information for one VLAN or all VLANs.
Syntax
show spantree uplinkfast [vlan vlan-id]
vlan vlan-id: VLAN name or number. If you do not specify a VLAN, MSS displays uplink fast convergence information for all VLANs.
Defaults
None.
Access
All.
History
Introduced in MSS Version 1.0.
Examples
The following command shows uplink fast convergence information for all VLANs:
MX# show spantree uplinkfast
VLAN port list
------------------------------------------------------------------------
1 1(fwd),2,3
Table 13-4 describes the fields in this display.
Table 13-4. Output for show spantree uplinkfast
Field: Description
VLAN: VLAN number.
port list: Ports in the uplink group. The port that is forwarding traffic is indicated by fwd. The other ports are blocking traffic.
See Also
set spantree uplinkfast on page 13-364
14 IGMP Snooping Commands
Use Internet Group Management Protocol (IGMP) snooping commands to configure and manage multicast traffic reduction on an MX. This chapter presents IGMP snooping commands alphabetically. Use the following table to locate commands in this chapter based on their use.
IGMP Snooping State: set igmp mrouter on page 14-377; show igmp on page 14-382
Proxy Reporting: set igmp proxy-report on page 14-379
Pseudo-querier: set igmp querier on page 14-380; show igmp querier on page 14-386
Timers: set igmp qi on page 14-379; set igmp oqi on page 14-378; set igmp qri on page 14-380; set igmp lmqi on page 14-376; set igmp rv on page 14-381
Router Solicitation: set igmp mrsol on page 14-377; set igmp mrsol mrsi on page 14-378
Multicast Routers: set igmp mrouter on page 14-377; show igmp mrouter on page 14-385
Multicast Receivers: set igmp receiver on page 14-381; show igmp receiver-table on page 14-387
Statistics: show igmp statistics on page 14-388; clear igmp statistics on page 14-375
clear igmp statistics
Clears IGMP statistics counters on one VLAN or all VLANs on an MX and resets them to 0.
Syntax
clear igmp statistics [vlan vlan-id]
vlan vlan-id: VLAN name or number. If you do not specify a VLAN, IGMP statistics are cleared for all VLANs.
Defaults
None.
Access
Enabled.
History
Introduced in MSS Version 1.0.
Examples
The following command clears IGMP statistics for all VLANs:
MX# clear igmp statistics
IGMP statistics cleared for all vlans
See Also
show igmp statistics on page 14-388
set igmp
Disables or reenables IGMP snooping on one VLAN or all VLANs on an MX.
Syntax
set igmp {enable | disable} [vlan vlan-id]
enable: Enables IGMP snooping.
disable: Disables IGMP snooping.
vlan vlan-id: VLAN name or number. If you do not specify a VLAN, IGMP snooping is disabled or reenabled on all VLANs.
Defaults
IGMP snooping is disabled on all VLANs by default.
Access
Enabled.
History
Introduced in MSS Version 1.0.
Examples
The following command enables IGMP snooping on VLAN orange:
MX# set igmp enable vlan orange
success: change accepted.
See Also
show igmp on page 14-382
set igmp lmqi
Changes the IGMP last member query interval timer on one VLAN or all VLANs on an MX switch.
Syntax
set igmp lmqi tenth-seconds [vlan vlan-id]
lmqi tenth-seconds: Amount of time (in tenths of a second) that the MX waits for a response to a group-specific query after receiving a leave message for that group, before removing the receiver that sent the leave message from the list of receivers for the group. If there are no more receivers for the group, the switch also sends a leave message for the group to multicast routers. You can specify a value from 1 through 65,535.
vlan vlan-id: VLAN name or number. If you do not specify a VLAN, the timer change applies to all VLANs.
Defaults
The default last member query interval is 10 tenths of a second (1 second).
Access
Enabled.
History
Introduced in MSS Version 1.0.
Examples
The following command changes the last member query interval on VLAN orange to 5 tenths of a second:
MX# set igmp lmqi 5 vlan orange
success: change accepted.
See Also
set igmp oqi on page 14-378
set igmp qi on page 14-379
set igmp mrouter on page 14-377
set igmp mrouter
Adds or removes a port in the list of ports through which the MX forwards traffic to multicast routers. Static multicast router ports are immediately added to or removed from the list of router ports and do not age out.
Syntax
set igmp mrouter port port-list {enable | disable}
port port-list: Port list. MSS adds or removes the specified ports in the list of static multicast router ports.
enable: Adds the port to the list of static multicast router ports.
disable: Removes the port from the list of static multicast router ports.
Defaults
By default, no ports are static multicast router ports.
Access
Enabled.
History
Introduced in MSS Version 1.0.
Usage
You cannot add MP access ports or wired authentication ports as static multicast ports. However, MSS can dynamically add these port types to the list of multicast ports based on multicast traffic.
Examples
The following command adds port 9 as a static multicast router port:
MX# set igmp mrouter port 9 enable
success: change accepted.
The following command removes port 9 from the static multicast router port list:
MX# set igmp mrouter port 9 disable
success: change accepted.
See Also
show igmp mrouter on page 14-385
set igmp mrsol
Enables or disables multicast router solicitation by an MX switch on one VLAN or all VLANs.
Syntax
set igmp mrsol {enable | disable} [vlan vlan-id]
enable: Enables multicast router solicitation.
disable: Disables multicast router solicitation.
vlan vlan-id: VLAN name or number. If you do not specify a VLAN, multicast router solicitation is disabled or enabled on all VLANs.
Defaults
Multicast router solicitation is disabled on all VLANs by default.
Access
Enabled.
History
Introduced in MSS Version 1.0.
Examples
The following command enables multicast router solicitation on VLAN orange:
MX# set igmp mrsol enable vlan orange
success: change accepted.
See Also
set igmp mrsol mrsi on page 14-378
set igmp mrsol mrsi
Changes the interval between multicast router solicitations by an MX on one VLAN or all VLANs.
Syntax
set igmp mrsol mrsi seconds [vlan vlan-id]
seconds: Number of seconds between multicast router solicitations. You can specify a value from 1 through 65,535.
vlan vlan-id: VLAN name or number. If you do not specify a VLAN, MSS changes the multicast router solicitation interval for all VLANs.
Defaults
The interval between multicast router solicitations is 30 seconds by default.
Access
Enabled.
History
Introduced in MSS Version 1.0.
Examples
The following example changes the multicast router solicitation interval to 60 seconds:
MX# set igmp mrsol mrsi 60
success: change accepted.
See Also
set igmp mrsol on page 14-377
set igmp oqi
Changes the IGMP other-querier-present interval timer on one VLAN or all VLANs on an MX switch.
Syntax
set igmp oqi seconds [vlan vlan-id]
oqi seconds: Number of seconds that the MX waits for a general query to arrive before becoming the querier. You can specify a value from 1 through 65,535.
vlan vlan-id: VLAN name or number. If you do not specify a VLAN, the timer change applies to all VLANs.
Defaults
The default other-querier-present interval is 255 seconds (4.25 minutes).
Access
Enabled.
History
Introduced in MSS Version 1.0.
Usage
An MX cannot become the querier unless the pseudo-querier feature is enabled on the switch. When the feature is enabled, the switch becomes the querier for a subnet so long as the switch does not receive a query message from a router with a lower IP address than the IP address of the switch in that subnet. To enable the pseudo-querier feature, use set igmp querier.
Examples
The following command changes the other-querier-present interval on VLAN orange to 200 seconds:
MX# set igmp oqi 200 vlan orange
success: change accepted.
See Also
set igmp lmqi on page 14-376
set igmp qi on page 14-379
set igmp qri on page 14-380
set igmp querier on page 14-380
set igmp mrouter on page 14-377
set igmp rv on page 14-381
set igmp proxy-report
Disables or reenables proxy reporting by an MX switch on one VLAN or all VLANs.
Syntax
set igmp proxy-report {enable | disable} [vlan vlan-id]
enable: Enables proxy reporting.
disable: Disables proxy reporting.
vlan vlan-id: VLAN name or number. If you do not specify a VLAN, proxy reporting is disabled or reenabled on all VLANs.
Defaults
Proxy reporting is enabled on all VLANs by default.
Access
Enabled.
History
Introduced in MSS Version 1.0.
Usage
Proxy reporting reduces multicast overhead by sending only one membership report for a group to the multicast routers and discarding other membership reports for the same group. If you disable proxy reporting, the MX sends all membership reports to the routers, including multiple reports for the same group.
Examples
The following example disables proxy reporting on VLAN orange:
MX# set igmp proxy-report disable vlan orange
success: change accepted.
See Also
show igmp on page 14-382
set igmp qi
Changes the IGMP query interval timer on one VLAN or all VLANs on an MX.
Syntax
set igmp qi seconds [vlan vlan-id]
qi seconds: Number of seconds that elapse between general queries sent by the MX when the MX is the querier for the subnet. You can specify a value from 1 through 65,535.
vlan vlan-id: VLAN name or number. If you do not specify a VLAN, the timer change applies to all VLANs.
Defaults
The default query interval is 125 seconds.
Access
Enabled.
History
Introduced in MSS Version 1.0.
Usage
The query interval is applicable only when the MX is the querier for the subnet. For the MX to become the querier, the pseudo-querier feature must be enabled on the MX and the MX must have the lowest IP address among all the devices eligible to become a querier. To enable the pseudo-querier feature, use the set igmp querier command.
Examples
The following command changes the query interval on VLAN orange to 100 seconds:
MX# set igmp qi 100 vlan orange
success: change accepted.
See Also
set igmp lmqi on page 14-376
set igmp oqi on page 14-378
set igmp qri on page 14-380
set igmp querier on page 14-380
set igmp mrouter on page 14-377
set igmp rv on page 14-381
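The timers set by set igmp lmqi, set igmp oqi and set igmp qi above, and by set igmp qri and set igmp rv later in this chapter, are related in IGMPv2 (RFC 2236): the other-querier-present interval and the group membership timeout are derived from the robustness value, the query interval and the query response interval, which is how the guide's defaults fit together (2 x 125 s + 10 s / 2 = 255 s). The following Python example is added here and is not code from the guide or from MSS; it computes the derived timers from values in the CLI's own units and flags a combination that disagrees with the RFC, such as the oqi of 300 shown in the show igmp example later in this chapter.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class IgmpTimers:
    """IGMP timers as the MSS CLI expresses them; defaults are the guide's."""
    qi: int = 125    # set igmp qi, seconds
    oqi: int = 255   # set igmp oqi, seconds
    qri: int = 100   # set igmp qri, tenths of a second (10 s)
    lmqi: int = 10   # set igmp lmqi, tenths of a second (1 s)
    rv: int = 2      # set igmp rv, robustness value


# Value ranges the guide states for each parameter.
RANGES = {"qi": (1, 65535), "oqi": (1, 65535), "qri": (1, 65535),
          "lmqi": (1, 65535), "rv": (2, 255)}


def derived_timers(t):
    """Timers that RFC 2236 (IGMPv2) derives from rv, qi and qri, in seconds."""
    qri_s = t.qri / 10.0
    lmqi_s = t.lmqi / 10.0
    return {
        # how long a receiver stays listed without sending a report
        "group_membership_interval": t.rv * t.qi + qri_s,
        # how long to wait for another querier's general query before taking over
        "other_querier_present_interval": t.rv * t.qi + qri_s / 2,
        # leave handling: lmqi repeated Last Member Query Count (= rv) times
        "last_member_query_time": lmqi_s * t.rv,
        # general queries are sent at qi/4 while a querier starts up
        "startup_query_interval": t.qi / 4,
    }


def check_consistency(t):
    """Return findings where the configured values are out of the guide's ranges
    or disagree with the RFC 2236 relationships; an empty list means consistent."""
    findings = []
    for name, (lo, hi) in RANGES.items():
        v = getattr(t, name)
        if not lo <= v <= hi:
            findings.append(f"{name} {v} is outside the allowed range {lo}-{hi}")
    d = derived_timers(t)
    # RFC 2236 8.3: the query response interval must be shorter than the query interval
    if t.qri / 10.0 >= t.qi:
        findings.append(f"qri ({t.qri / 10:g} s) must be less than qi ({t.qi} s)")
    if t.oqi != d["other_querier_present_interval"]:
        findings.append(
            f"oqi {t.oqi} s differs from the RFC 2236 value "
            f"{d['other_querier_present_interval']:g} s for rv={t.rv}, qi={t.qi}, qri={t.qri}"
        )
    return findings


if __name__ == "__main__":
    print(derived_timers(IgmpTimers()))
    # The guide's show igmp example: qi 125, oqi 300, qri 100, lmqi 10, rvalue 2
    print(check_consistency(IgmpTimers(oqi=300)))
```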
set igmp qri
Changes the IGMP query response interval timer on one VLAN or all VLANs on an MX.
Syntax
set igmp qri tenth-seconds [vlan vlan-id]
qri tenth-seconds: Amount of time (in tenths of a second) that the MX waits for a receiver to respond to a group-specific query message before removing the receiver from the receiver list for the group. You can specify a value from 1 through 65,535.
vlan vlan-id: VLAN name or number. If you do not specify a VLAN, the timer change applies to all VLANs.
Defaults
The default query response interval is 100 tenths of a second (10 seconds).
Access
Enabled.
History
Introduced in MSS Version 1.0.
Usage
The query response interval is applicable only when the MX is the querier for the subnet. For the MX to become the querier, the pseudo-querier feature must be enabled on the MX and the MX must have the lowest IP address among all the devices eligible to become a querier. To enable the pseudo-querier feature, use set igmp querier.
Examples
The following command changes the query response interval on VLAN orange to 50 tenths of a second (5 seconds):
MX# set igmp qri 50 vlan orange
success: change accepted.
See Also
set igmp lmqi on page 14-376
set igmp oqi on page 14-378
set igmp qi on page 14-379
set igmp querier on page 14-380
set igmp rv on page 14-381
set igmp querier
Enables or disables the IGMP pseudo-querier on an MX, on one VLAN or all VLANs.
Syntax
set igmp querier {enable | disable} [vlan vlan-id]
enable: Enables the pseudo-querier.
disable: Disables the pseudo-querier.
vlan vlan-id: VLAN name or number. If you do not specify a VLAN, the pseudo-querier is enabled or disabled on all VLANs.
Defaults
The pseudo-querier is disabled on all VLANs by default.
Access
Enabled.
History
Introduced in MSS Version 1.0.
Usage
Trapeze Networks recommends that you use the pseudo-querier only when the VLAN contains local multicast traffic sources and no multicast router is servicing the subnet.
Examples
The following example enables the pseudo-querier on the orange VLAN:
MX# set igmp querier enable vlan orange
success: change accepted.
See Also
show igmp querier on page 14-386
set igmp receiver
Adds or removes a network port in the list of ports on which an MX switch forwards traffic to multicast receivers. Static multicast receiver ports are immediately added to or removed from the list of receiver ports and do not age out.
Syntax
set igmp receiver port port-list {enable | disable}
port port-list: Network port list. MSS adds the specified ports to the list of static multicast receiver ports.
enable: Adds the port to the list of static multicast receiver ports.
disable: Removes the port from the list of static multicast receiver ports.
Defaults
By default, no ports are static multicast receiver ports.
Access
Enabled.
History
Introduced in MSS Version 1.0.
Usage
You cannot add MP access ports or wired authentication ports as static multicast ports. However, MSS can dynamically add these port types to the list of multicast ports based on multicast traffic.
Examples
The following command adds port 7 as a static multicast receiver port:
MX# set igmp receiver port 7 enable
success: change accepted.
The following command removes port 7 from the list of static multicast receiver ports:
MX# set igmp receiver port 7 disable
success: change accepted.
See Also
show igmp receiver-table on page 14-387
set igmp rv
Changes the robustness value for one VLAN or all VLANs on an MX switch. Robustness adjusts the IGMP timers to the amount of traffic loss that occurs on the network.
Syntax
set igmp rv num [vlan vlan-id]
num: Robustness value. You can specify a value from 2 through 255. Set the robustness value higher to adjust for more traffic loss.
vlan vlan-id: VLAN name or number. If you do not specify a VLAN, MSS changes the robustness value for all VLANs.
Defaults
The default robustness value for all VLANs is 2.
Access
Enabled.
History
Introduced in MSS Version 1.0.
Examples
The following example changes the robustness value on VLAN orange to 4:
MX# set igmp rv 4 vlan orange
success: change accepted.
See Also
set igmp oqi on page 14-378
set igmp qi on page 14-379
set igmp qri on page 14-380
set igmp version
Configures the version of IGMP used on a VLAN.
Syntax
set igmp version {1 | 2} vlan [vlan-id | all]
Defaults
None.
Access
Enabled.
History
Introduced in MSS Version 7.0.
show igmp
Displays IGMP configuration information and statistics for one VLAN or all VLANs.
Syntax
show igmp [vlan vlan-id]
vlan vlan-id: VLAN name or number. If you do not specify a VLAN, MSS displays IGMP information for all VLANs.
Defaults
None.
Access
All.
History
Introduced in MSS Version 1.0.
Examples
The following command displays IGMP information for VLAN orange:
MX# show igmp vlan orange
VLAN: orange
IGMP is enabled
Proxy reporting is on
Mrouter solicitation is on
Querier functionality is off
Configuration values: qi: 125 oqi: 300 qri: 100 lmqi: 10 rvalue: 2
Multicast router information:
Port Mrouter-IPaddr Mrouter-MAC Type TTL
---- --------------- ----------------- ----- -----
10 192.28.7.5 00:01:02:03:04:05 dvmrp 17
Group Port Receiver-IP Receiver-MAC TTL
--------------- ---- --------------- ----------------- -----
224.0.0.2 none none none undef
237.255.255.255 5 10.10.10.11 00:02:04:06:08:0b 258
237.255.255.255 5 10.10.10.13 00:02:04:06:08:0d 258
237.255.255.255 5 10.10.10.14 00:02:04:06:08:0e 258
237.255.255.255 5 10.10.10.12 00:02:04:06:08:0c 258
237.255.255.255 5 10.10.10.10 00:02:04:06:08:0a 258
Querier information:
Querier for vlan orange
Port Querier-IP Querier-MAC TTL
---- --------------- ----------------- -----
1 193.122.135.178 00:0b:cc:d2:e9:b4 23
IGMP vlan member ports: 10, 12, 11, 14, 16, 15, 13, 18, 17, 1, 20, 21, 2,
22, 19, 4, 6, 5, 3, 8, 7, 9
IGMP static ports: none
IGMP statistics for vlan orange:
IGMP message type Received Transmitted Dropped
----------------- -------- ----------- -------
General-Queries 0 0 0
GS-Queries 0 0 0
Report V1 0 0 0
Report V2 5 1 4
Leave 0 0 0
Mrouter-Adv 0 0 0
Mrouter-Term 0 0 0
Mrouter-Sol 50 101 0
DVMRP 4 4 0
PIM V1 0 0 0
PIM V2 0 0 0
Topology notifications: 0
Packets with unknown IGMP type: 0
Packets with bad length: 0
Packets with bad checksum: 0
Packets dropped: 4
Table 14– 1 describes the fields in this display.
Table 14– 1. Output for show igmp
Field Description
VLAN VLAN name. MSS displays information separately for each VLAN.
IGMP is enabled (disabled) IGMP state.
Proxy reporting Proxy reporting state.
Mrouter solicitation Multicast router solicitation state.
Querier functionality Pseudo-querier state.
Configuration values (qi) Query interval.
Configuration values (oqi) Other-querier-present interval.
Configuration values (qri) Query response interval.
Configuration values (lmqi) Last member query interval.
Configuration values (rvalue) Robustness value.
Multicast router information List of multicast routers and active multicast groups. The fields containing this information are described separately. The show igmp mrouter command shows the same information.
Port Number of the physical port through which the MX switch can reach the
router.
Mrouter-IPaddr IP address of the multicast router interface.
Mrouter-MAC MAC address of the multicast router interface.
Type How the MX learned that the port is a multicast router port:
conf — Static multicast port configured by an administrator
madv—Multicast advertisement
quer—IGMP query
dvmrp—Distance Vector Multicast Routing Protocol (DVMRP)
pimv1—Protocol Independent Multicast (PIM) version 1
pimv2—PIM version 2
TTL Number of seconds before this entry ages out if not refreshed. For static
multicast router entries, the time-to-live (TTL) value is undef. Static multicast
router entries do not age out.
Group IP address of a multicast group. The show igmp receiver-table command
shows the same information as these receiver fields.
Port Physical port through which the MX switch can reach the group’s receiver.
Receiver-IP IP address of the client receiving the group.
Receiver-MAC MAC address of the client receiving the group.
TTL Number of seconds before this entry ages out if the MX does not receive a
group membership message from the receiver. For static multicast receiver
entries, the TTL value is undef. Static multicast receiver entries do not age
out.
Querier information Information about the subnet multicast querier. If the querier is another
device, the fields described below are applicable. If the querier is the MX, the
output indicates how many seconds remain until the next general query
message. If IGMP snooping does not detect a querier, the output indicates this.
The show igmp querier command shows the same information.
Querier for vlan VLAN containing the querier. Information is listed separately for each VLAN.
Querier-IP IP address of the querier.
Querier-MAC MAC address of the querier.
TTL Number of seconds before this entry ages out if the MX does not receive a
query message from the querier.
IGMP vlan member ports Physical ports in the VLAN. This list includes all network ports configured to
be in the VLAN and all ports MSS dynamically assigns to the VLAN when a
user assigned to the VLAN becomes a receiver. For example, the list can
include an MP access port that is not configured to be in the VLAN when a
user associated with the MP access point on that port becomes a receiver for a
group. When all receivers on a dynamically added port age out, MSS removes
the port from the list.
IGMP static ports Static receiver ports.
IGMP statistics Multicast message and packet statistics. These are the same statistics
displayed by the show igmp statistics command.
See Also
show igmp mrouter on page 14-385
show igmp querier on page 14-386
show igmp receiver-table on page 14-387
show igmp statistics on page 14-388
show igmp mrouter
Displays the multicast routers in an MX subnet, on one VLAN or all VLANs. Routers are listed separately for each VLAN, according to the port number through which the switch can reach the router.
Syntax
show igmp mrouter [vlan vlan-id]
vlan vlan-id  VLAN name or number. If you do not specify a VLAN, MSS displays the multicast routers in all VLANs.
Defaults
None.
Access
All.
History
Introduced in MSS Version 1.0.
Examples
The following command displays the multicast routers in VLAN orange:
MX# show igmp mrouter vlan orange
Multicast routers for vlan orange
Port Mrouter-IPaddr Mrouter-MAC Type TTL
---- --------------- ----------------- ----- -----
10 192.28.7.5 00:01:02:03:04:05 dvmrp 33
Table 14– 2 describes the fields in this display.
Table 14– 2. Output for show igmp mrouter
Field Description
Multicast routers for vlan  VLAN containing the multicast routers. Ports are listed separately for each VLAN.
Port  Number of the physical port through which the MX can reach the router.
Mrouter-IPaddr  IP address of the multicast router.
Mrouter-MAC  MAC address of the multicast router.
Type  How the MX learned that the port is a multicast router port:
conf—Static multicast port configured by an administrator
madv—Multicast advertisement
quer—IGMP query
dvmrp—Distance Vector Multicast Routing Protocol (DVMRP)
pimv1—Protocol Independent Multicast (PIM) version 1
pimv2—PIM version 2
TTL  Number of seconds before this entry ages out if unused. For static multicast router entries, the TTL value is undef. Static multicast router entries do not age out.
See Also
set igmp mrouter on page 14-377
show igmp querier
Displays information about the active multicast querier, on one VLAN or all VLANs. Queriers are listed separately for each VLAN. Each VLAN can have only one querier.
Syntax
show igmp querier [vlan vlan-id]
vlan vlan-id  VLAN name or number. If you do not specify a VLAN, MSS displays querier information for all VLANs.
Defaults
None.
Access
Enabled.
History
Introduced in MSS Version 1.0.
Examples
The following command displays querier information for VLAN orange:
MX# show igmp querier vlan orange
Querier for vlan orange
Port Querier-IP Querier-MAC TTL
---- --------------- ----------------- -----
1 193.122.135.178 00:0b:cc:d2:e9:b4 23
The following command shows the information MSS displays when the querier is the MX:
MX# show igmp querier vlan default
Querier for vlan default:
I am the querier for vlan default, time to next query is 20
The output indicates how many seconds remain before the pseudo-querier on the switch sends the next general query to IP address 224.0.0.1, the multicast all-systems group.
If IGMP snooping does not detect a querier, the output indicates this finding, as shown in the following example:
MX# show igmp querier vlan red
Querier for vlan red:
There is no querier present on vlan red
This condition does not necessarily indicate a problem. For example, election of the querier might be in progress.
Table 14– 3 describes the fields in the display when a querier other than the MX switch is present.
Table 14– 3. Output for show igmp querier
Field Description
Querier for vlan  VLAN containing the querier. Information is listed separately for each VLAN.
Querier-IP  IP address of the querier interface.
Querier-MAC  MAC address of the querier interface.
TTL  Number of seconds before this entry ages out if the MX switch does not receive a query message from the querier.
See Also
set igmp querier on page 14-380
show igmp receiver-table
Displays the receivers to which an MX forwards multicast traffic. You can display receivers for all VLANs, a single VLAN, or a group or groups identified by group address and network mask.
Syntax
show igmp receiver-table [vlan vlan-id] [group group-ip-addr/mask-length]
vlan vlan-id  VLAN name or number. If you do not specify a VLAN, MSS displays the multicast receivers on all VLANs.
group group-ip-addr/mask-length  IP address and subnet mask of a multicast group, in CIDR format (for example, 239.20.20.10/24). If you do not specify a group address, MSS displays the multicast receivers for all groups.
Defaults
None.
Access
All.
History
Introduced in MSS Version 1.0.
Examples
The following command displays all multicast receivers in VLAN orange:
MX# show igmp receiver-table vlan orange
VLAN: orange
Session Port Receiver-IP Receiver-MAC TTL
--------------- ---- --------------- ----------------- -----
224.0.0.2 none none none undef
237.255.255.255 5 10.10.10.11 00:02:04:06:08:0b 179
237.255.255.255 5 10.10.10.13 00:02:04:06:08:0d 179
237.255.255.255 5 10.10.10.14 00:02:04:06:08:0e 179
237.255.255.255 5 10.10.10.12 00:02:04:06:08:0c 179
237.255.255.255 5 10.10.10.10 00:02:04:06:08:0a 179
The following command lists all receivers for the multicast groups in 237.255.255.0/24, in all VLANs:
MX# show igmp receiver-table group 237.255.255.0/24
VLAN: red
Session Port Receiver-IP Receiver-MAC TTL
--------------- ---- --------------- ----------------- -----
237.255.255.2 2 10.10.20.19 00:02:04:06:09:0d 112
237.255.255.119 3 10.10.30.31 00:02:04:06:01:0b 112
VLAN: green
Session Port Receiver-IP Receiver-MAC TTL
--------------- ---- --------------- ----------------- -----
237.255.255.17 11 10.10.40.41 00:02:06:08:02:0c 12
237.255.255.255 6 10.10.60.61 00:05:09:0c:0a:01 111
Table 14– 4 describes the fields in this display.
Table 14– 4. Output for show igmp receiver-table
Field Description
VLAN  VLAN that contains the multicast receiver ports. Ports are listed separately for each VLAN.
Session  IP address of the multicast group being received.
Port  Physical port through which the MX switch can reach the receiver.
Receiver-IP  IP address of the receiver.
Receiver-MAC  MAC address of the receiver.
TTL  Number of seconds before this entry ages out if the MX does not receive a group membership message from the receiver. For static multicast receiver entries, the TTL value is undef. Static multicast receiver entries do not age out.
See Also
set igmp receiver on page 14-381
show igmp statistics
Displays IGMP statistics.
Syntax
show igmp statistics [vlan vlan-id]
vlan vlan-id  VLAN name or number. If you do not specify a VLAN, MSS displays IGMP statistics for all VLANs.
Defaults
None.
Access
All.
History
Introduced in MSS Version 1.0.
Examples
The following command displays IGMP statistics for VLAN orange:
MX# show igmp statistics vlan orange
IGMP statistics for vlan orange:
IGMP message type Received Transmitted Dropped
----------------- -------- ----------- -------
General-Queries 0 0 0
GS-Queries 0 0 0
Report V1 0 0 0
Report V2 5 1 4
Leave 0 0 0
Mrouter-Adv 0 0 0
Mrouter-Term 0 0 0
Mrouter-Sol 50 101 0
DVMRP 4 4 0
PIM V1 0 0 0
PIM V2 0 0 0
Topology notifications: 0
Packets with unknown IGMP type: 0
Packets with bad length: 0
Packets with bad checksum: 0
Packets dropped: 4
Table 14– 5 describes the fields in this display.
Table 14– 5. Output for show igmp statistics
Field Description
IGMP statistics for vlan  VLAN name. Statistics are listed separately for each VLAN.
IGMP message type  Type of IGMP message:
General-Queries—General group membership queries sent by the multicast querier (multicast router or pseudo-querier).
GS-Queries—Group-specific queries sent by the multicast querier to determine whether there are receivers for a specific group.
Report V1—IGMP version 1 group membership reports sent by clients who want to be receivers for the groups.
Report V2—IGMP version 2 group membership reports sent by clients who want to be receivers for the groups.
Leave—IGMP version 2 leave messages sent by clients who want to stop receiving traffic for a group. Leave messages apply only to IGMP version 2.
Mrouter-Adv—Multicast router advertisement packets. A multicast router sends this type of packet to advertise the IP address of the sending interface as a multicast router interface.
Mrouter-Term—Multicast router termination messages. A multicast router sends this type of message when multicast forwarding is disabled on the router interface, the router interface is administratively disabled, or the router itself is gracefully shut down.
Mrouter-Sol—Multicast router solicitation messages. A multicast client or an MX switch sends this type of message to immediately solicit multicast router advertisement messages from the multicast routers in the subnet.
DVMRP—Distance Vector Multicast Routing Protocol (DVMRP) messages. Multicast routers running DVMRP exchange multicast information with these messages.
PIM V1—Protocol Independent Multicast (PIM) version 1 messages. Multicast routers running PIMv1 exchange multicast information with these messages.
PIM V2—PIM version 2 messages.
Received  Number of packets received.
Transmitted  Number of packets transmitted. This number includes both multicast packets originated by the MX and multicast packets received and then forwarded by the switch.
Dropped  Number of IGMP packets dropped by the MX.
Topology notifications  Number of Layer 2 topology change notifications received by the MX. Note: In the current software version, the value in this field is always 0.
Packets with unknown IGMP type  Number of multicast packets received with an unrecognized multicast type.
Packets with bad length  Number of packets with an invalid length.
Packets with bad checksum  Number of packets with an invalid IGMP checksum value.
Packets dropped  Number of multicast packets dropped by the MX.
See Also
clear igmp statistics on page 14-375
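The two displays above are the ones an operator most often scrapes when looking for a misbehaving multicast client: the receiver table (with the group addr/mask-length filter) and the per-VLAN statistics, where non-zero bad-checksum, bad-length, unknown-type or dropped counters are the first thing to check. The following Python is an added example, not Trapeze code: it parses the page's own sample output of show igmp receiver-table and show igmp statistics, reimplements the CIDR group filter, and lists the counters worth a second look. The 239.1.1.1 row in VLAN red is constructed so that the filter has something to exclude; everything else is copied from the page.

```python
"""Parsers for show igmp receiver-table (with the group addr/mask-length
filter) and show igmp statistics.  Added example, not Trapeze code.
The text blocks are the page's sample output; the 239.1.1.1 row in
VLAN red is constructed so the group filter has something to exclude."""
import ipaddress
import re

RECEIVER_TABLE = """\
VLAN: red
Session Port Receiver-IP Receiver-MAC TTL
--------------- ---- --------------- ----------------- -----
237.255.255.2 2 10.10.20.19 00:02:04:06:09:0d 112
237.255.255.119 3 10.10.30.31 00:02:04:06:01:0b 112
239.1.1.1 4 10.10.20.77 00:02:04:06:09:ff 90
VLAN: green
Session Port Receiver-IP Receiver-MAC TTL
--------------- ---- --------------- ----------------- -----
237.255.255.17 11 10.10.40.41 00:02:06:08:02:0c 12
237.255.255.255 6 10.10.60.61 00:05:09:0c:0a:01 111
"""

STATISTICS = """\
IGMP statistics for vlan orange:
IGMP message type Received Transmitted Dropped
----------------- -------- ----------- -------
General-Queries 0 0 0
GS-Queries 0 0 0
Report V1 0 0 0
Report V2 5 1 4
Leave 0 0 0
Mrouter-Adv 0 0 0
Mrouter-Term 0 0 0
Mrouter-Sol 50 101 0
DVMRP 4 4 0
PIM V1 0 0 0
PIM V2 0 0 0
Topology notifications: 0
Packets with unknown IGMP type: 0
Packets with bad length: 0
Packets with bad checksum: 0
Packets dropped: 4
"""


def parse_receiver_table(text):
    """One dict per receiver row; 'VLAN:' lines set the current VLAN,
    headings and dashed rules are skipped, TTL 'undef' becomes None."""
    rows, vlan = [], None
    for line in text.splitlines():
        if line.startswith("VLAN:"):
            vlan = line.split(":", 1)[1].strip()
            continue
        f = line.split()
        if len(f) != 5 or not f[0][0].isdigit():
            continue
        rows.append({"vlan": vlan, "group": f[0], "port": f[1],
                     "receiver_ip": f[2], "receiver_mac": f[3],
                     "ttl": None if f[4] == "undef" else int(f[4])})
    return rows


def filter_group(rows, cidr):
    """The group addr/mask-length option: keep rows whose group address lies
    in the CIDR block.  strict=False accepts host bits in the address, as the
    page's example 239.20.20.10/24 does."""
    net = ipaddress.ip_network(cidr, strict=False)
    return [r for r in rows if ipaddress.ip_address(r["group"]) in net]


_STATS_VLAN = re.compile(r"IGMP statistics for vlan (\S+):")
_STATS_ROW = re.compile(r"(.+?) (\d+) (\d+) (\d+)$")
_STATS_SCALAR = re.compile(r"(.+?): (\d+)$")


def parse_statistics(text):
    """Return (vlan, counters).  Message-type rows become
    {'received', 'transmitted', 'dropped'}; 'name: n' lines become ints."""
    vlan, counters = None, {}
    for line in text.splitlines():
        m = _STATS_VLAN.match(line)
        if m:
            vlan = m.group(1)
            continue
        m = _STATS_ROW.match(line)
        if m:
            counters[m.group(1)] = {"received": int(m.group(2)),
                                    "transmitted": int(m.group(3)),
                                    "dropped": int(m.group(4))}
            continue
        m = _STATS_SCALAR.match(line)
        if m:
            counters[m.group(1)] = int(m.group(2))
    return vlan, counters


def igmp_anomalies(counters):
    """Malformed IGMP (unknown type, bad length, bad checksum) and message
    types the MX received but dropped."""
    flags = []
    for key in ("Packets with unknown IGMP type", "Packets with bad length",
                "Packets with bad checksum"):
        if counters.get(key, 0):
            flags.append(f"{key}: {counters[key]}")
    for name, c in counters.items():
        if isinstance(c, dict) and c["dropped"]:
            flags.append(f"{name}: {c['dropped']} of {c['received']} received were dropped")
    return flags


if __name__ == "__main__":
    for r in filter_group(parse_receiver_table(RECEIVER_TABLE), "237.255.255.0/24"):
        print(r["vlan"], r["group"], r["port"], r["receiver_ip"])
    vlan, counters = parse_statistics(STATISTICS)
    print(vlan, igmp_anomalies(counters))
```

Run against the page's orange VLAN figures, the only finding is that four of the five Report V2 messages received were dropped, which is exactly what a snooping switch reports when a client sends membership reports it will not honour; the unknown-type, bad-length and bad-checksum counters are what to watch when the source of such reports is suspected of being malformed or hostile.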
15
Security ACL Commands
Use security ACL commands to configure and monitor security access control lists (ACLs). Security ACLs filter packets to restrict or permit network usage by certain users or traffic types, and can assign to packets a class of service (CoS) to define the priority of treatment for packet filtering.
(Security ACLs are different from the location policy on an MX, which helps you locally control user access. For location policy commands, see “AAA Commands” on page 9-147.)
This chapter presents security ACL commands alphabetically. Use the following table to locate commands in this chapter based on their use.
Create Security ACLs  set security acl on page 15-395
  show security acl editbuffer on page 15-402
  show security acl info on page 15-404
  show security acl on page 15-402
  clear security acl on page 15-391
Commit Security ACLs  commit security acl on page 15-394
  rollback security acl on page 15-395
Map Security ACLs  set security acl map on page 15-400
  show security acl map on page 15-405
  clear security acl map on page 15-393
Monitor Security ACLs  show security acl hits on page 15-403
  set security acl hit-sample-rate on page 15-401
  show security acl resource-usage on page 15-405
clear security acl
Clears a specified security ACL, an access control entry (ACE), or all security ACLs, from the edit buffer. When used with the command commit security acl, clears the ACE from the running configuration.
Syntax
clear security acl {acl-name | all} [editbuffer-index]
acl-name  Name of an existing security ACL to clear. ACL names start with a letter and are case-insensitive.
all  Clears all security ACLs.
editbuffer-index  Number that indicates which access control entry (ACE) in the security ACL to clear. If you do not specify an ACE, all ACEs are cleared from the ACL.
Defaults
None.
Access
Enabled.
History
MSS Version 1.0  Command introduced.
MSS Version 1.1  ACL names changed from case-sensitive to case-insensitive.
Usage
This command deletes security ACLs only in the edit buffer. You must use the commit security acl command with this command to delete the ACL or ACE from the running configuration and nonvolatile storage.
The clear security acl command deletes a security ACL, but does not stop the current filtering function if the ACL is mapped to any virtual LANs (VLANs), ports, or virtual ports, or if the ACL is applied in a Filter-Id attribute to an authenticated user or group of users with current sessions. To stop the filtering as well, clear the mapping with clear security acl map, or remove the Filter-Id attribute from the user or group.
Examples
The following commands display the current security ACL configuration, clear acl_133 in the edit buffer, commit the deletion to the running configuration, and redisplay the ACL configuration to show that it no longer contains acl_133:
MX# show security acl info all
ACL information for all
set security acl ip acl_133 (hits #1 0)
---------------------------------------------------------
1. deny IP source IP 192.168.1.6 0.0.0.0 destination IP any
set security acl ip acl_134 (hits #3 0)
---------------------------------------------------------
1. permit IP source IP 192.168.0.1 0.0.0.0 destination IP any enable-hits
set security acl ip acl_135 (hits #2 0)
---------------------------------------------------------
1. deny IP source IP 192.168.1.1 0.0.0.0 destination IP any enable-hits
MX# clear security acl acl_133
MX# commit security acl acl_133
configuration accepted
MX# show security acl info all
ACL information for all
set security acl ip acl_134 (hits #3 0)
---------------------------------------------------------
1. permit IP source IP 192.168.0.1 0.0.0.0 destination IP any enable-hits
set security acl ip acl_135 (hits #2 0)
---------------------------------------------------------
1. deny IP source IP 192.168.1.1 0.0.0.0 destination IP any enable-hits
See Also
clear security acl map on page 15-393
commit security acl on page 15-394
set security acl on page 15-395
show security acl info on page 15-404
clear security acl map
Deletes the mapping between a security ACL and a virtual LAN (VLAN), one or more physical ports, or a virtual port. Or deletes all ACL maps to VLANs, ports, and virtual ports on an MX.
Syntax
clear security acl map {acl-name | all} {vlan vlan-id | port port-list [tag tag-value] | ap apnum} {in | out}
acl-name  Name of an existing security ACL to clear. ACL names start with a letter and are case-insensitive.
all  Removes security ACL mapping from all physical ports, virtual ports, and VLANs on an MX switch.
vlan vlan-id  VLAN name or number. MSS removes the security ACL from the specified VLAN.
port port-list  Port list. MSS removes the security ACL from the specified MX physical port or ports.
tag tag-value  Tag value that identifies a virtual port in a VLAN. Specify a value from 1 through 4095. MSS removes the security ACL from the specified virtual port.
ap apnum  One or more MPs, based on their connection IDs. Specify a single connection ID, or specify a comma-separated list of connection IDs, a hyphen-separated range, or any combination, with no spaces. MSS removes the security ACL from the specified MPs.
in  Removes the security ACL from traffic coming into the MX.
out  Removes the security ACL from traffic going out of the MX.
Defaults
None.
Access
Enabled.
History
MSS Version 1.0  Command introduced.
MSS Version 1.1  Keyword and variable tag tag-value added to delete security ACL mapping from virtual ports. ACL names changed from case-sensitive to case-insensitive.
MSS Version 2.0  Keyword and variable dap dap-num added to delete security ACL mapping from Distributed MPs.
Usage
To clear a security ACL map, type the name of the ACL with the VLAN, physical port or ports, virtual port tag, or Distributed MP and the direction of the packets to stop filtering. This command deletes the ACL mapping, but not the ACL.
Examples
To clear the mapping of security ACL acljoe from port 4 for incoming packets, type the following command:
MX# clear security acl map acljoe port 4 in
clear mapping accepted
To clear all physical ports, virtual ports, and VLANs of mapped ACLs on an MX for incoming and outgoing traffic, type the following command:
MX# clear security acl map all
success: change accepted.
Note: Security ACLs are applied to users or groups dynamically via the Filter-Id attribute. To delete a security ACL from a user or group in the local MX database, use the command clear user attr, clear mac-user attr, clear usergroup attr, or clear mac-usergroup attr. To delete a security ACL from a user or group on an external RADIUS server, see the documentation for your RADIUS server.
See Also
clear security acl on page 15-391
set security acl map on page 15-400
show security acl map on page 15-405
commit security acl
Saves a security ACL, or all security ACLs, in the edit buffer to the running configuration and nonvolatile storage on the MX. Or, when used with the clear security acl command, commit security acl deletes a security ACL, or all security ACLs, from the running configuration and nonvolatile storage.
Syntax
commit security acl {acl-name | all}
acl-name  Name of an existing security ACL to commit. ACL names must start with a letter and are case-insensitive.
all  Commits all security ACLs in the edit buffer.
Defaults
None.
Access
Enabled.
History
MSS Version 1.0  Command introduced.
MSS Version 1.1  ACL names changed from case-sensitive to case-insensitive.
Usage
Use the commit security acl command to save security ACLs into, or delete them from, the permanent configuration. Until you commit the creation or deletion of a security ACL, it is stored in an edit buffer and is not enforced. After you commit a security ACL, it is removed from the edit buffer. A committed ACL still filters nothing until it is mapped with set security acl map or assigned to users through the Filter-Id attribute.
A single commit security acl all command commits the creation and/or deletion of whatever show security acl info all editbuffer shows to be currently stored in the edit buffer.
Examples
The following commands commit all the security ACLs in the edit buffer to the configuration, display a summary of the committed ACLs, and show that the edit buffer has been cleared:
MX# commit security acl all
configuration accepted
MX# show security acl
ACL table
ACL Type Class Mapping
----------------------- ---- ------ -------
acl_123 IP Static
acl_124 IP Static
MX# show security acl info all editbuffer
acl editbuffer information for all
See Also
clear security acl on page 15-391
rollback security acl on page 15-395
set security acl on page 15-395
show security acl on page 15-402
show security acl info on page 15-404
hit-sample-rate
This command has been renamed in MSS Version 4.1. To configure the hit sample rate, see set
security acl hit-sample-rate on page 15-401.
rollback security acl
Clears changes made to the security ACL edit buffer since it was last saved. The ACL is rolled back to its state after the last commit security acl command was entered. All uncommitted ACLs in the edit buffer are cleared.
Syntax
rollback security acl {acl-name | all}
acl-name  Name of an existing security ACL to roll back. ACL names must start with a letter and are case-insensitive.
all  Rolls back all security ACLs in the edit buffer, clearing all uncommitted ACEs.
Defaults
None.
Access
Enabled.
History
MSS Version 1.0  Command introduced.
MSS Version 1.1  ACL names changed from case-sensitive to case-insensitive.
Examples
The following commands show the edit buffer before a rollback, clear any changes in the edit buffer to security acl_122, and show the edit buffer after the rollback:
MX# show security acl info all editbuffer
ACL edit-buffer information for all
set security acl ip acl_122 (ACEs 3, add 3, del 0, modified 0)
---------------------------------------------------------
1. permit IP source IP 20.0.1.11 0.0.0.255 destination IP any enable-hits
2. deny IP source IP 20.0.2.11 0.0.0.0 destination IP any
3. deny SRC source IP 192.168.1.234 255.255.255.255 enable-hits
MX# rollback security acl acl_122
MX# show security acl info all editbuffer
ACL edit-buffer information for all
See Also
show security acl on page 15-402
set security acl
In the edit buffer, creates a security access control list (ACL), adds one access control entry (ACE) to a security ACL, and/or reorders ACEs in the ACL. The ACEs in an ACL filter packets by source IP address, by Layer 4 protocol number, by IP, ICMP, TCP, or UDP header fields, or by MAC address and Ethertype.
Syntax
By source address
set security acl ip acl-name {permit [cos cos] | deny} {source-ip-addr mask | any} [before editbuffer-index | modify editbuffer-index] [hits]
By Layer 4 protocol
set security acl ip acl-name {permit [cos cos] | deny} protocol-number {source-ip-addr mask | any} {destination-ip-addr mask | any} [[precedence precedence] [tos tos] | [dscp codepoint]] [before editbuffer-index | modify editbuffer-index] [hits]
By IP packets
set security acl ip acl-name {permit [cos cos] | deny} ip {source-ip-addr mask | any} {destination-ip-addr mask | any} [[precedence precedence] [tos tos] | [dscp codepoint]] [before editbuffer-index | modify editbuffer-index] [hits]
By ICMP packets
set security acl ip acl-name {permit [cos cos] | deny} icmp {source-ip-addr mask | any} {destination-ip-addr mask | any} [type icmp-type] [code icmp-code] [[precedence precedence] [tos tos] | [dscp codepoint]] [before editbuffer-index | modify editbuffer-index] [hits]
By TCP packets
set security acl ip acl-name {permit [cos cos] | deny} tcp {source-ip-addr mask | any} [operator port [port2]] {destination-ip-addr mask | any} [operator port [port2]] [[precedence precedence] [tos tos] | [dscp codepoint]] [established] [before editbuffer-index | modify editbuffer-index] [hits]
By UDP packets
set security acl ip acl-name {permit [cos cos] | deny} udp {source-ip-addr mask | any} [operator port [port2]] {destination-ip-addr mask | any} [operator port [port2]] [[precedence precedence] [tos tos] | [dscp codepoint]] [before editbuffer-index | modify editbuffer-index] [hits]
By MAC address
set security acl name acl-name {permit | deny} mac {src-mac-address src-mask | any} [dest-mac-addr | any | bpdu 01:80:C2:00:00:0X | broadcast FF:FF:FF:FF:FF:FF | multicast X1:XX:XX:XX:XX:XX | pvst 01:00:0C:CC:CC:CD] ethertype {hex-value | any | arp | ipv4 | ipv6} [before editbuffer-index | modify editbuffer-index] [hits]
acl-name  Security ACL name. ACL names must be unique within the MX, must start with a letter, and are case-insensitive. Specify an ACL name of up to 32 of the following characters:
Letters a through z and A through Z
Numbers 0 through 9
Hyphen (-), underscore (_), and period (.)
Trapeze Networks recommends that you do not use the same name with different capitalizations for ACLs. For example, do not configure two separate ACLs with the names acl_123 and ACL_123.
Note: In an ACL name, do not include the term all, default-action, map, help, or editbuffer.
permit  Allows traffic that matches the conditions in the ACE.
cos cos  For permitted packets, a class-of-service (CoS) level for packet handling. Specify a value from 0 through 7:
1 or 2—Background. Packets are queued in MP forwarding queue 4.
0 or 3—Best effort. Packets are queued in MP forwarding queue 3.
4 or 5—Video. Packets are queued in MP forwarding queue 2. Use CoS level 4 or 5 for voice over IP (VoIP) packets other than SpectraLink Voice Priority (SVP).
6 or 7—Voice. Packets are queued in MP forwarding queue 1. Use 6 or 7 only for VoIP phones that use SVP, not for other types of traffic.
deny  Blocks traffic that matches the conditions in the ACE.
protocol  IP protocol by which to filter packets: ip, tcp, udp, icmp, or a protocol number between 0 and 255. (For a complete list of IP protocol names and numbers, see www.iana.org/assignments/protocol-numbers.)
source-ip-addr mask | any  IP address and wildcard mask of the network or host from which the packet is sent. Specify both address and mask in dotted decimal notation. For more information, see “Wildcard Masks” on page 2–7. To match on any address, specify any or 0.0.0.0 255.255.255.255.
operator port [port2]  Operand and port number(s) for matching TCP or UDP packets by the source port on source-ip-addr or the destination port on destination-ip-addr. Specify one of the following operands and the associated port:
eq—Packets are filtered for only port number.
gt—Packets are filtered for all ports that are greater than port number.
lt—Packets are filtered for all ports that are less than port number.
neq—Packets are filtered for all ports except port number.
range—Packets are filtered for ports in the range between port and port2. To specify a port range, enter two port numbers. Enter the lower port number first, followed by the higher port number.
(For a complete list of TCP and UDP port numbers, see www.iana.org/assignments/port-numbers.)
destination-ip-addr mask | any  IP address and wildcard mask of the network or host to which the packet is sent. Specify both address and mask in dotted decimal notation. For more information, see “Wildcard Masks” on page 2–7. To match on any address, specify any or 0.0.0.0 255.255.255.255.
type icmp-type  Filters ICMP messages by type. Specify a value from 0 through 255. (For a list of ICMP message type and code numbers, see www.iana.org/assignments/icmp-parameters.)
code icmp-code  For ICMP messages filtered by type, additionally filters ICMP messages by code. Specify a value from 0 through 255. (For a list of ICMP message type and code numbers, see www.iana.org/assignments/icmp-parameters.)
precedence precedence  Filters packets by precedence level. Specify a value from 0 through 7:
0—routine precedence
1—priority precedence
2—immediate precedence
3—flash precedence
4—flash override precedence
5—critical precedence
6—internetwork control precedence
7—network control precedence
tos tos  Filters packets by type of service (TOS) level. Specify one of the following values, or any sum of these values up to 15. For example, a tos value of 9 filters packets with the TOS levels minimum delay (8) and minimum monetary cost (1).
8—minimum delay
4—maximum throughput
2—maximum reliability
1—minimum monetary cost
0—normal
dscp codepoint  Filters packets by Differentiated Services Code Point (DSCP) value. You can specify a number from 0 to 63, in decimal or binary format.
Note: You cannot use the dscp option along with the precedence and tos options in the same ACE. The CLI rejects an ACE that has this combination of options.
established  For TCP packets only, applies the ACE only to established TCP sessions and not to new TCP sessions.
before editbuffer-index  Inserts the new ACE in front of another ACE in the security ACL. Specify the number of the existing ACE in the edit buffer. Index numbers start at 1. (To display the edit buffer, use show security acl editbuffer.)
modify editbuffer-index  Replaces an ACE in the security ACL with the new ACE. Specify the number of the existing ACE in the edit buffer. Index numbers start at 1. (To display the edit buffer, use show security acl editbuffer.)
hits  Tracks the number of packets that are filtered based on a security ACL, for all mappings.
Defaults
By default, permitted packets are classified based on DSCP value, which is converted into an internal CoS value in the switch’s CoS map. The packet is then marked with a DSCP value based on the internal CoS value. If the ACE contains the cos option, this option overrides the switch’s CoS map and marks the packet based on the ACE.
Access
Enabled.
History
MSS Version 1.0  Command introduced.
MSS Version 1.1  ACL names changed from case-sensitive to case-insensitive.
MSS Version 3.0  capture option deprecated.
MSS Version 4.1  The any option is supported for the source or destination IP address and mask. This option is equivalent to 0.0.0.0 255.255.255.255. Note: The any option is shown in the configuration file as 0.0.0.0 255.255.255.255, regardless of whether you specify any or 0.0.0.0 255.255.255.255 when you configure the ACE. The dscp codepoint option is added. This option enables you to filter based on a packet’s Differentiated Services Code Point (DSCP) value.
MSS Version 6.2  Using MAC addresses to define ACLs is now supported.
Usage
The MX does not apply security ACLs until you activate them with the commit security
acl command and map them to a VLAN, port, or virtual port, or to a user. If the MX is reset or
restarted, any ACLs in the edit buffer are lost.
You cannot perform ACL functions that include permitting, denying, or marking with a Class of
Service (CoS) level on packets with a multicast or broadcast destination address.
The order of security ACEs in a security ACL is important. Once an ACL is active, the ACEs are
checked according to the order in the ACL. If an ACE criterion is met, the action takes place and
any ACEs that follow are ignored.
ACEs are listed in the order in which you create them, unless you move them. To position security
ACEs within a security ACL, use before editbuffer-index and modify editbuffer-index.
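The first-match rule and the ACE options above, worked in Python as an added example (not Trapeze code or MSS output). It builds acl_125 from the two set security acl ip commands shown under Examples and a constructed ACL in which a broad permit created first shadows a later host deny until before editbuffer-index moves the deny in front of it; the wildcard-mask, tos, dscp and established semantics follow the parameter descriptions, and everything else is an assumption for illustration.

```python
"""Added example (not Trapeze code): first-match evaluation of security ACEs.
Models the rules this reference gives for MSS security ACLs: ACEs are checked
in order and the first match decides; addresses use a wildcard mask in which
0 bits must match (0.0.0.0 = exact host, 0.0.0.255 = the /24); tos is the sum
of the TOS flag values (8 delay, 4 throughput, 2 reliability, 1 cost); dscp
cannot be combined with tos; established restricts a TCP ACE to established
sessions; ACL names are case-insensitive. All packets and ACLs are constructed.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple


@dataclass
class ACE:
    action: str                          # "permit" or "deny"
    src: str = "0.0.0.0"
    src_mask: str = "255.255.255.255"    # wildcard mask; these defaults mean "any"
    dst: str = "0.0.0.0"
    dst_mask: str = "255.255.255.255"
    protocol: str = "ip"                 # "ip" matches every IP protocol
    dst_port: Optional[int] = None       # "eq port" on the destination
    tos: Optional[int] = None            # 0..15, sum of TOS flag values
    dscp: Optional[int] = None           # 0..63
    established: bool = False            # TCP only
    hits: bool = False                   # count packets matching this ACE
    hit_count: int = 0

    def __post_init__(self) -> None:
        # Mirror the rejections the CLI applies to an ACE with these options.
        if self.action not in ("permit", "deny"):
            raise ValueError("action must be permit or deny")
        if self.dscp is not None and self.tos is not None:
            raise ValueError("dscp cannot be combined with tos in the same ACE")
        if self.established and self.protocol != "tcp":
            raise ValueError("established applies to TCP ACEs only")


@dataclass
class Packet:
    src: str
    dst: str
    protocol: str = "ip"
    dst_port: Optional[int] = None
    tos: int = 0
    dscp: int = 0
    established: bool = False


def addr_matches(addr: str, pattern: str, wildcard: str) -> bool:
    """Every address bit that is 0 in the wildcard mask must equal the pattern."""
    a, p, w = (int(IPv4Address(x)) for x in (addr, pattern, wildcard))
    return ((a ^ p) & ~w & 0xFFFFFFFF) == 0


def ace_matches(ace: ACE, pkt: Packet) -> bool:
    return (ace.protocol in ("ip", pkt.protocol)
            and addr_matches(pkt.src, ace.src, ace.src_mask)
            and addr_matches(pkt.dst, ace.dst, ace.dst_mask)
            and ace.dst_port in (None, pkt.dst_port)
            and ace.tos in (None, pkt.tos)
            and ace.dscp in (None, pkt.dscp)
            and (pkt.established or not ace.established))


class SecurityACL:
    def __init__(self, name: str) -> None:
        self.name = name.lower()             # ACL names are case-insensitive
        self.aces: List[ACE] = []

    def add(self, ace: ACE, before: Optional[int] = None) -> None:
        """Append, or insert in front of the 1-based edit-buffer index `before`."""
        if before is None:
            self.aces.append(ace)
        else:
            self.aces.insert(before - 1, ace)

    def evaluate(self, pkt: Packet) -> Optional[str]:
        """Action of the first matching ACE; None if no ACE matches."""
        for ace in self.aces:
            if ace_matches(ace, pkt):
                if ace.hits:
                    ace.hit_count += 1
                return ace.action            # later ACEs are ignored
        return None


def build_acl_125() -> SecurityACL:
    """acl_125 as defined by the two set security acl ip commands in the examples."""
    acl = SecurityACL("acl_125")
    acl.add(ACE("deny", "192.168.0.1", "0.0.0.0", "192.168.0.2", "0.0.0.0",
                protocol="tcp", established=True, hits=True))
    acl.add(ACE("deny", "192.168.1.1", "0.0.0.0", "192.168.1.2", "0.0.0.0",
                protocol="tcp", dst_port=80, hits=True))
    return acl


def shadowing_demo() -> Tuple[Optional[str], Optional[str]]:
    """A broad permit created first hides a later host deny until it is moved."""
    acl = SecurityACL("ACL_demo")
    acl.add(ACE("permit", "192.168.2.0", "0.0.0.255"))    # whole /24
    acl.add(ACE("deny", "192.168.2.11", "0.0.0.0"))       # never reached
    pkt = Packet("192.168.2.11", "10.0.0.1")
    shadowed = acl.evaluate(pkt)
    acl.add(ACE("deny", "192.168.2.11", "0.0.0.0"), before=1)  # before editbuffer-index 1
    return shadowed, acl.evaluate(pkt)
```

A None result only means no ACE in this model matched; what the switch then does with the packet is not stated in this section, so the model does not assume it.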
Examples
The following command adds an ACE to security ACL acl_123 that permits packets from IP
address 192.168.1.11/24 and counts the hits:
MX# set security acl ip acl_123 permit 192.168.1.11 0.0.0.255 hits
The following command adds an ACE to acl_123 that denies packets from IP address 192.168.2.11:
MX# set security acl ip acl_123 deny 192.168.2.11 0.0.0.0
The following command creates acl_125 by defining an ACE that denies TCP packets from source
IP address 192.168.0.1 to destination IP address 192.168.0.2 for established sessions only, and
counts the hits:
MX# set security acl ip acl_125 deny tcp 192.168.0.1 0.0.0.0 192.168.0.2 0.0.0.0 established hits
The following command adds an ACE to acl_125 that denies TCP packets from source IP address
192.168.1.1 to destination IP address 192.168.1.2, on destination port 80 only, and counts the hits:
MX# set security acl ip acl_125 deny tcp 192.168.1.1 0.0.0.0 192.168.1.2 0.0.0.0 eq 80 hits
Finally, the following command commits the security ACLs in the edit buffer to the configuration:
MX# commit security acl all
configuration accepted
See Also
clear security acl on page 15-391
commit security acl on page 15-394
show security acl on page 15-402
set security acl map
Assigns a committed security ACL to a VLAN, physical port or ports, virtual port, or Distributed
MP on the MX switch.
Syntax
set security acl map acl-name {vlan vlan-id | port port-list [tag tag-list] | ap apnum} {in | out}
Defaults
None.
Access
Enabled.
History
Usage
Before you can map a security ACL, you must use the commit security acl command to
save the ACL in the running configuration and nonvolatile storage.
For best results, map only one input security ACL and one output security ACL to each VLAN,
physical port, virtual port, or Distributed MP to filter a flow of packets. If more than one security
ACL filters the same traffic, MSS applies only the first ACL match and ignores any other
matches.
Examples
The following command maps security ACL acl_133 to port 4 for incoming packets:
MX# set security acl map acl_133 port 4 in
success: change accepted.
See Also
clear security acl map on page 15-393
commit security acl on page 15-394
Note:
To assign a security ACL to a user or group in the local MX database, use the
command set user attr, set mac-user attr, set usergroup attr, or set
mac-usergroup attr with the Filter-Id attribute. To assign a security ACL to a user
or group with Filter-Id on a RADIUS server, see the documentation for your RADIUS
server.
acl-name Name of an existing security ACL to map. ACL names start with a letter and are
case-insensitive.
vlan vlan-id VLAN name or number. MSS assigns the security ACL to the specified VLAN.
port port-list Port list. MSS assigns the security ACL to the specified physical MX port or ports.
tag tag-list One or more values that identify a virtual port in a VLAN. Specify a single tag value
from 1 through 4095. Or specify a comma-separated list of values, a hyphen-separated
range, or any combination, with no spaces. MSS assigns the security ACL to the
specified virtual port or ports.
ap apnum One or more MPs, based on their connection IDs. Specify a single connection ID, or
specify a comma-separated list of connection IDs, a hyphen-separated range, or any
combination, with no spaces. MSS assigns the security ACL to the specified MPs.
in Assigns the security ACL to traffic coming into the MX.
out Assigns the security ACL to traffic coming from the MX.
MSS Version 1.0 Command introduced.
MSS Version 1.1
Keyword and variable tag tag-list added to allow security ACL mapping to virtual
ports.
ACL names changed from case-sensitive to case-insensitive.
MSS Version 2.0 Keyword and variable dap dap-num added to allow security ACL mapping to
Distributed MPs.
set mac-user attr on page 9-178
set mac-usergroup attr on page 9-182
set security acl on page 15-395
set user attr on page 9-186
set usergroup on page 9-188
show security acl map on page 15-405
set security acl hit-sample-rate
Specifies the time interval, in seconds, that the packet counter for each security ACL is sampled
for display. The counter counts the number of packets filtered by the security ACL—or “hits.”
Syntax
set security acl hit-sample-rate seconds
Defaults
By default, the hits are not sampled.
Access
Enabled.
History
Usage
To view counter results for a particular ACL, use the show security acl info acl-name
command. To view the hits for all security ACLs, use the show security acl hits command.
Examples
The first command sets MSS to sample ACL hits every 15 seconds. The second and third
commands display the results. The results show that 916 packets matching security ACL acl_153
were sent since the ACL was mapped.
MX# set security acl hit-sample-rate 15
MX# show security acl info acl_153
ACL information for acl_153
set security acl ip acl_153 (hits #3 916)
---------------------------------------------------------
1. permit IP source IP 20.1.1.1 0.0.0.0 destination IP any enable-hits
MX# show security acl hits
ACL hit counters
Index Counter ACL-name
----- -------------------- -----------
1 0 acl_2
2 0 acl_175
3 916 acl_153
See Also
show security acl hits on page 15-403
show security acl info on page 15-404
seconds Number of seconds between samples. A sample rate of 0 (zero) disables the sample
process.
Version 1.0 Command introduced
Version 4.1 Syntax changed from hit-sample-rate seconds to set security acl hit-sample-rate
seconds, to allow the command to be saved in the configuration file.
show security acl
Displays a summary of the security ACLs that are mapped.
Syntax
show security acl
Defaults
None.
Access
Enabled.
History
Introduced in MSS Version 1.0.
Usage
This command lists only the ACLs mapped to something (a user, or VLAN, or port, and so
on). To list all committed ACLs, use the show security acl info command. To list ACLs that are
not yet committed, use the show security acl editbuffer command.
Examples
To display a summary of the mapped security ACLs on an MX, type the following
command:
MX# show security acl
ACL table
ACL Type Class Mapping
---------------------------- ---- ------ -------
acl_123 IP Static Port 2 In
acl_133 IP Static Port 4 In
acl_124 IP Static
See Also
clear security acl on page 15-391
commit security acl on page 15-394
set security acl on page 15-395
show security acl editbuffer on page 15-402
show security acl info on page 15-404
show security acl dscp
This command has been renamed in MSS Version 4.1. See show qos dscp-table on page 7-89.
show security acl editbuffer
Displays a summary of the security ACLs that have not yet been committed to the configuration.
Syntax
show security acl [info all] editbuffer
Defaults
None.
Access
Enabled.
History
Introduced in MSS Version 1.0.
info all Displays the ACEs in each uncommitted ACL. Without this option, only the ACL
names are listed.
Examples
To view a summary of the security ACLs in the edit buffer, type the following command:
MX# show security acl editbuffer
ACL edit-buffer table
ACL Type Status
---------------------------- ---- --------------
acl_111 IP Not committed
acl-a IP Not committed
To view details about these uncommitted ACLs, type the following command.
MX# show security acl info all editbuffer
ACL edit-buffer information for all
set security acl ip acl-111 (ACEs 3, add 3, del 0, modified 2)
----------------------------------------------------
1. permit IP source IP 192.168.254.12 0.0.0.0 destination IP any
2. permit IP source IP 192.168.253.11 0.0.0.0 destination IP any
3. deny SRC source IP 192.168.253.1 0.0.0.255
set security acl ip acl-a (ACEs 1, add 1, del 0, modified 0)
----------------------------------------------------
1. permit SRC source IP 192.168.1.1 0.0.0.0
See Also
clear security acl on page 15-391
commit security acl on page 15-394
set security acl on page 15-395
show security acl on page 15-402
show security acl info on page 15-404
show security acl hits
Displays the number of packets filtered by security ACLs (“hits”) on the MX. Each time a packet is
filtered by a security ACL, the hit counter increments.
Syntax
show security acl hits
Defaults
None.
Access
Enabled.
History
Introduced in MSS Version 1.0.
Usage
For MSS to count hits for a security ACL, you must specify hits in the set security acl
commands that define ACE rules for the ACL.
Examples
To display the security ACL hits on an MX, type the following command:
MX# show security acl hits
ACL hit-counters
Index Counter ACL-name
----- -------------------- --------
1 0 acl_2
2 0 acl_175
3 916 acl_123
See Also
hit-sample-rate on page 15-395
set security acl on page 15-395
show security acl info
Displays the contents of a specified security ACL or all security ACLs that are committed—saved
in the running configuration and nonvolatile storage—or the contents of security ACLs in the edit
buffer before they are committed.
Syntax
show security acl info [acl-name | all] [editbuffer]
Defaults
None.
Access
Enabled.
History
Examples
To display the contents of all security ACLs committed on an MX, type the following
command:
MX# show security acl info
ACL information for all
set security acl ip acl_123 (hits #5 462)
---------------------------------------------------------
1. permit IP source IP 192.168.1.11 0.0.0.255 destination IP any enable-hits
2. deny IP source IP 192.168.2.11 0.0.0.0 destination IP any
set security acl ip acl_134 (hits #3 0)
---------------------------------------------------------
1. permit IP source IP 192.168.0.1 0.0.0.0 destination IP any enable-hits
set security acl ip acl_135 (hits #2 0)
---------------------------------------------------------
1. deny IP source IP 192.168.1.1 0.0.0.0 destination IP any enable-hits
The following command displays the contents of acl_123 in the edit buffer, including the
committed ACE rules 1 and 2 and the uncommitted rule 3:
MX# show security acl info acl_123 editbuffer
ACL edit-buffer information for acl_123
set security acl ip acl_123 (ACEs 3, add 3, del 0, modified 0)
---------------------------------------------------------
1. permit IP source IP 192.168.1.11 0.0.0.255 destination IP any enable-hits
2. deny IP source IP 192.168.2.11 0.0.0.0 destination IP any
3. deny SRC source IP 192.168.1.234 255.255.255.255 enable-hits
See Also
clear security acl on page 15-391
commit security acl on page 15-394
acl-name Name of an existing security ACL to display. ACL names must start with a letter and
are case-insensitive.
all Displays the contents of all security ACLs.
editbuffer Displays the contents of the specified security ACL or all security ACLs that are
stored in the edit buffer after being created with set security acl. If you do not use
this parameter, only committed ACLs are shown.
MSS Version 1.0 Command introduced
MSS Version 1.1 ACL names changed from case-sensitive to case-insensitive
MSS Version 4.1 The acl-name | all option is no longer required; show security acl info is valid and
displays the same information as security acl info all.
set security acl on page 15-395
show security acl map
Displays the VLANs, ports, and virtual ports on the MX that a security ACL is assigned.
Syntax
show security acl map acl-name
Defaults
None.
Access
Enabled.
History
Examples
The following command displays the port to which security ACL acl_111 is mapped:
MX# show security acl map acl_111
ACL acl_111 is mapped to:
Port 4 in
See Also
clear security acl map on page 15-393
set security acl map on page 15-400
show security acl on page 15-402
show security acl resource-usage
Displays statistics about the resources used by security ACL filtering on the MX.
Syntax
show security acl resource-usage
Defaults
None.
Access
Enabled.
History
Introduced in MSS Version 1.0.
Usage
Use this command with the help of the Trapeze Technical Assistance Center (TAC) to
diagnose an ACL resource problem. (To contact TAC, see “Contacting the Technical
Assistance Center” on page 1–1.)
Examples
To display security ACL resource usage, type the following command:
MX# show security acl resource-usage
ACL resources
Classifier tree counters
------------------------
Number of rules : 2
Number of leaf nodes : 1
Stored rule count : 2
Leaf chain count : 1
acl-name Name of an existing security ACL to display static mapping. ACL names must start
with a letter and are case-insensitive.
MSS Version 1.0 Command introduced
MSS Version 1.1 ACL names changed from case-sensitive to case-insensitive
Longest leaf chain : 2
Number of non-leaf nodes : 0
Uncompressed Rule Count : 2
Maximum node depth : 1
Sub-chain count : 0
PSCBs in primary memory : 0 (max: 512)
PSCBs in secondary memory : 0 (max: 9728)
Leaves in primary : 2 (max: 151)
Leaves in secondary : 0 (max 12096)
Sum node depth : 1
Information on Network Processor status
---------------------------------------
Fragmentation control : 0
UC switchdest : 0
ACL resources
Port number : 0
Number of action types : 2
LUdef in use : 5
Default action pointer : c8007dc
L4 global : True
No rules : False
Non-IP rules : False
Root in first : True
Static default action : False
No per-user (MAC) mapping : True
Out mapping : False
In mapping : True
No VLAN or PORT mapping : False
No VPORT mapping : True
Table 15– 1 explains the fields in the show security acl resource-usage output.
Table 15– 1. show security acl resource-usage Output
Field Description
Number of rules Number of security ACEs currently mapped to ports or VLANs.
Number of leaf nodes Number of security ACL data entries stored in the rule tree.
Stored rule count Number of security ACEs stored in the rule tree.
Leaf chain count Number of chained security ACL data entries stored in the rule tree.
Longest leaf chain Longest chain of security ACL data entries stored in the rule tree.
Number of non-leaf nodes Number of nodes with no data entries stored in the rule tree.
Uncompressed Rule Count Number of security ACEs stored in the rule tree, including duplicates—ACEs in
ACLs applied to multiple ports, virtual ports, or VLANs.
Maximum node depth Number of data elements in the rule tree, from the root to the furthest data entry
(leaf).
Sub-chain count Sum of action types represented in all security ACL data entries.
PSCBs in primary memory Number of pattern search control blocks (PSCBs) stored in primary node memory.
PSCBs in secondary memory Number of PSCBs stored in secondary node memory.
Leaves in primary Number of security ACL data entries stored in primary leaf memory.
Leaves in secondary Number of ACL data entries stored in secondary leaf memory.
Sum node depth Total number of security ACL data entries.
Fragmentation control Control value for handling fragmented IP packets.
Note: The current MSS version filters only the first packet of a fragmented
IP packet and passes the remaining fragments.
UC switchdest Control value for handling fragmented IP packets.
Note: The current MSS version filters only the first packet of a fragmented
IP packet and passes the remaining fragments.
Port number Control value for handling fragmented IP packets.
Note: The current MSS version filters only the first packet of a fragmented
IP packet and passes the remaining fragments.
Number of action types Number of actions that can be performed by ACLs. This value is always 2, because
ACLs can either permit or deny.
LUdef in use Number of the lookup definition (LUdef) table currently in use for packet handling.
Default action pointer Memory address used for packet handling, from which default action data is obtained
when necessary.
L4 global Security ACL mapping on the MX switch:
True—Security ACLs are mapped.
False—No security ACLs are mapped.
No rules Security ACE rule mapping on the MX switch:
True—No security ACEs are mapped.
False—Security ACEs are mapped.
Non-IP rules Non-IP security ACE mapping on the MX switch:
True—Non-IP security ACEs are mapped.
False—Only IP security ACEs are mapped.
Note: The current MSS version supports security ACEs for IP only.
Root in first Leaf buffer allocation:
True—Enough primary leaf buffers are allocated in nonvolatile memory to
accommodate all leaves.
False—Insufficient primary leaf buffers are allocated in nonvolatile memory to
accommodate all leaves.
Static default action Definition of a default action:
True—A default action type is defined.
False—No default action type is defined.
No per-user (MAC) mapping Per-user application of a security ACL with the Filter-Id attribute, on the MX switch:
True—No security ACLs are applied to users.
False—Security ACLs are applied to users.
Out mapping Application of security ACLs to outgoing traffic on the MX switch:
True—Security ACLs are mapped to outgoing traffic.
False—No security ACLs are mapped to outgoing traffic.
In mapping Application of security ACLs to incoming traffic on the MX switch:
True—Security ACLs are mapped to incoming traffic.
False—No security ACLs are mapped to incoming traffic.
No VLAN or PORT mapping Application of security ACLs to MX VLANs or ports on the MX:
True—No security ACLs are mapped to VLANs or ports.
False—Security ACLs are mapped to VLANs or ports.
No VPORT mapping Application of security ACLs to MX virtual ports on the MX:
True—No security ACLs are mapped to virtual ports.
False—Security ACLs are mapped to virtual ports.
Cryptography Commands 16 – 409
16
Cryptography Commands
A digital certificate is a form of electronic identification for computers. The MX requires digital
certificates to authenticate communications to RingMaster and Web View, to WebAAA clients,
and to Extensible Authentication Protocol (EAP) clients for which the MX performs all EAP
processing. Certificates can be generated on the MX or obtained from a certificate authority (CA).
Keys contained within the certificates allow the MX, the servers, and the wireless clients to
exchange information secured by encryption.
This chapter presents cryptography commands alphabetically. Use the following table to locate
commands in this chapter based on their use.
Note:
If the MX does not already have certificates, MSS automatically generates the
missing ones the first time the MX boots with MSS Version 4.2 or later. You do not
need to install certificates unless you want to replace the ones automatically
generated by MSS. (For more information, see the “Certificates Automatically
Generated by MSS” section in the “Managing Keys and Certificates” chapter of the
Trapeze Mobility System Software Configuration Guide.)
Note:
Before installing a new certificate, verify with the show timedate and show
timezone commands that the MX is set to the correct date, time, and time zone.
Otherwise, certificates might not be installed correctly.
Encryption Keys crypto generate key on page 16-412
show crypto key domain on page 16-419
show crypto key ssh on page 16-419
PKCS #7 Certificates crypto generate request on page 16-412
crypto ca-certificate on page 16-410
show crypto ca-certificate on page 16-417
crypto certificate on page 16-411
show crypto certificate on page 16-418
PKCS #12 Certificate crypto otp on page 16-415
crypto pkcs12 on page 16-416
Self-Signed Certificate crypto generate self-signed on page 16-414
crypto ca-certificate
Installs a certificate authority’s own PKCS #7 certificate into the MX certificate and key storage
area.
Syntax
crypto ca-certificate {admin | eap | web} PEM-formatted-certificate
Defaults
None.
Access
Enabled.
History
Usage
The Privacy-Enhanced Mail protocol (PEM) format is used for representing a PKCS #7
certificate in ASCII text. PEM uses base64 encoding to convert the certificate to ASCII text, then
puts the encoded text between the following delimiters:
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
To use this command, you must already have obtained a copy of the certificate from the certificate
authority as a PKCS #7 object file. Then do the following:
1. Open the PKCS #7 object file with an ASCII text editor such as Notepad or vi.
2. Enter the crypto ca-certificate command on the CLI command line.
3. When MSS prompts for the PEM-formatted certificate, paste the PKCS #7 object file onto the
command line.
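A pre-paste check for the PEM text described above, written here as an added example (not Trapeze code or MSS behaviour): it verifies the BEGIN/END CERTIFICATE delimiters, that the body is intact base64 (a stray character or a dropped line is the usual copy-and-paste failure), the 5120-character limit the command accepts, and that the decoded bytes form one complete DER SEQUENCE, which is the outermost structure of a PKCS #7 object. The sample DER is constructed and is not a real certificate; the function names are this example's own.

```python
"""Added example (not Trapeze code): sanity-check a PEM-formatted certificate
before pasting it at the crypto ca-certificate or crypto certificate prompt.
Checks the delimiters this reference describes, that the body is intact
base64, the 5120-character limit the command accepts, and that the decoded
bytes are one complete DER SEQUENCE (the outer structure of a PKCS #7 object
or an X.509 certificate). SAMPLE_DER is constructed, not a real certificate.
"""
import base64
import re
from typing import Dict, List

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"
MAX_PEM_CHARS = 5120                      # limit stated for the command's argument
BASE64_RE = re.compile(r"[A-Za-z0-9+/]*={0,2}")


def der_sequence_complete(der: bytes) -> bool:
    """True if der is exactly one DER SEQUENCE (tag 0x30) whose length covers it all."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                      # short form: the byte is the length
        header, length = 2, first
    else:                                 # long form: low 7 bits count the length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        header, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    return header + length == len(der)


def check_pem_certificate(text: str) -> Dict[str, object]:
    """Return {'ok', 'der_length', 'problems'} for a pasted PEM block."""
    problems: List[str] = []
    stripped = text.strip()
    if len(stripped) > MAX_PEM_CHARS:
        problems.append("longer than %d characters" % MAX_PEM_CHARS)
    lines = [ln.strip() for ln in stripped.splitlines()]
    if not lines or lines[0] != BEGIN:
        problems.append("missing BEGIN CERTIFICATE delimiter")
    if len(lines) < 2 or lines[-1] != END:
        problems.append("missing END CERTIFICATE delimiter")
    body = "".join(lines[1:-1])
    der = b""
    if len(body) % 4 or not BASE64_RE.fullmatch(body):
        problems.append("body is not well-formed base64 (stray character or truncated)")
    else:
        der = base64.b64decode(body, validate=True)
        if not der_sequence_complete(der):
            problems.append("decoded bytes are not one complete DER SEQUENCE (truncated?)")
    return {"ok": not problems, "der_length": len(der), "problems": problems}


def make_pem(der: bytes) -> str:
    """Wrap DER bytes as PEM with 64-character base64 lines."""
    b64 = base64.b64encode(der).decode("ascii")
    body = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([BEGIN, *body, END])


# Constructed stand-in: SEQUENCE { OCTET STRING of 98 zero bytes }, 102 bytes total.
SAMPLE_DER = bytes([0x30, 0x64, 0x04, 0x62]) + bytes(98)
SAMPLE_PEM = make_pem(SAMPLE_DER)


def paste_failures() -> Dict[str, Dict[str, object]]:
    """The two common paste failures, each caught before the text reaches the switch."""
    pem_lines = SAMPLE_PEM.splitlines()
    truncated = "\n".join(pem_lines[:-2] + [END])          # last base64 line dropped
    garbled = SAMPLE_PEM.replace("AAAA", "AA;A", 1)         # stray character in the body
    return {"truncated": check_pem_certificate(truncated),
            "garbled": check_pem_certificate(garbled)}
```

The check only establishes that the text is a complete, well-formed object; whether the certificate is the right one for the admin, eap or web slot is still decided by the MX when it installs it.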
Examples
The following command adds the certificate from the certificate authority to MX
certificate and key storage:
MX# crypto ca-certificate admin
Enter PEM-encoded certificate
-----BEGIN CERTIFICATE-----
MIIDwDCCA2qgAwIBAgIQL2jvuu4PO5FAQCyewU3ojANBgkqhkiG9wOBAQUFADCB
mzerMClaweVQQTTooewi\wpoer0QWNFNkj90044mbdrl1277SWQ8G7DiwYUtrqoQplKJvxz
.....
Lm8wmVYxP56M;CUAm908C2foYgOY40=
-----END CERTIFICATE-----
See Also
show crypto ca-certificate on page 16-417
admin Stores the certificate authority’s certificate that signed the administrative certificate
for the MX.
The administrative certificate authenticates the MX to RingMaster or Web View.
eap Stores the certificate authority’s certificate that signed the Extensible Authentication
Protocol (EAP) certificate for the MX.
The EAP certificate authenticates the MX to 802.1X supplicants (clients).
web Stores the certificate authority’s certificate that signed the WebAAA certificate for the
MX.
The Web certificate authenticates the MX to clients who use WebAAA.
PEM-formatted-certificate ASCII text representation of the certificate authority PKCS #7 certificate, consisting of
up to 5120 characters that you have obtained from the certificate authority.
Version 1.0 Command introduced
Version 3.0 webaaa option added
Version 4.1 webaaa option renamed to web
crypto certificate
Installs one of the MX PKCS #7 certificates into the certificate and key storage area on the MX.
The certificate, which is issued and signed by a certificate authority, authenticates the MX either
to RingMaster or Web View, or to 802.1X supplicants (clients).
Syntax
crypto certificate {admin | eap | web} PEM-formatted certificate
Defaults
None.
Access
Enabled.
History
Usage
To use this command, you must already have generated a certificate request with the
crypto generate request command, sent the request to the certificate authority, and obtained a
signed copy of the MX certificate as a PKCS #7 object file. Then do the following:
1. Open the PKCS #7 object file with an ASCII text editor such as Notepad or vi.
2. Enter the crypto certificate command on the CLI command line.
3. When MSS prompts you for the PEM-formatted certificate, paste the PKCS #7 object file in the
command line.
The MX verifies the validity of the public key associated with this certificate before installing it, to
prevent a mismatch between the MX private key and the public key in the installed certificate.
Examples
The following command installs a certificate:
MX# crypto certificate admin
Enter PEM-encoded certificate
-----BEGIN CERTIFICATE-----
MIIBdTCP3wIBADA2MQswCQYDVQQGEwJVUzELMAkGA1UECBMCQOExGjAYBgNVBAMU
EXR1Y2hwdWJzQHRycHouY29tMIGfMAOGCSqGSIb3DQEBAQAA4GNADCBiQKBgQC4
.....
2L8Q9tk+G2As84QYLm8wmVY>xP56M;CUAm908C2foYgOY40=
-----END CERTIFICATE-----
See Also
crypto generate request on page 16-412
crypto generate self-signed on page 16-414
admin Stores the certificate authority’s administrative certificate, which authenticates the
MX switch to RingMaster or Web View.
eap Stores the certificate authority’s Extensible Authentication Protocol (EAP) certificate,
which authenticates the MX switch to 802.1X supplicants (clients).
web Stores the certificate authority’s WebAAA certificate, which authenticates the MX to
clients who use WebAAA.
PEM-formatted certificate ASCII text representation of the PKCS #7 certificate, consisting of up to
5120 characters, that you have obtained from the certificate authority.
Version 1.0 Command introduced
Version 3.0 webaaa option added
Version 4.1 webaaa option renamed to web
crypto generate key
Generates an RSA public-private encryption key pair that is required for a Certificate Signing
Request (CSR) or a self-signed certificate. For SSH, generates an authentication key.
Syntax
crypto generate key {admin | domain | eap | ssh | web} {128 | 512 | 1024 | 2048}
Defaults
None.
Access
Enabled.
History
Usage
You can overwrite a key by generating another key of the same type.
SSH requires an SSH authentication key, but you can allow MSS to generate it automatically.
The first time an SSH client attempts to access the SSH server on an MX, the MX automatically
generates a 1024-byte SSH key. If you want to use a 2048-byte key instead, use the crypto
generate key ssh 2048 command to generate one.
Examples
To generate an administrative key for use with RingMaster, type the following
command:
MX# crypto generate key admin 1024
key pair generated
See Also
show crypto key ssh on page 16-419
crypto generate request
Generates a Certificate Signing Request (CSR). This command outputs a PEM-formatted
PKCS #10 text string that you can cut and paste to another location for delivery to a certificate
authority.
This command generates either an administrative CSR for use with RingMaster and Web View, or
an EAP CSR for use with 802.1X clients.
admin Generates an administrative key pair for authenticating the MX to RingMaster or
Web View.
domain Generates a key pair for authenticating management traffic exchanged by MX
switches within a Mobility Domain.
eap Generates an EAP key pair for authenticating the MX to 802.1X supplicants
(clients).
ssh Generates a key pair for authenticating the MX to Secure Shell (SSH) clients.
web Generates an administrative key pair for authenticating the MX to WebAAA
clients.
128 | 512 | 1024 | 2048 Length of the key pair in bits.
Note: The minimum key length for SSH is 1024. The length 128 applies
only to domain and is the only valid option for it.
Version 1.0 Command introduced
Version 2.0 Option ssh added for generating an SSH key
Version 3.0 webaaa option added
Version 4.1 webaaa option renamed to web
Version 5.0 domain option added
Syntax
crypto generate request {admin | eap | web}
After you type the command, you are prompted for the following variables:
Defaults
None.
Access
Enabled.
History
Usage
To use this command, you must already have generated a public-private encryption key
pair with the crypto generate key command.
Enter crypto generate request admin, crypto generate request eap, or crypto generate
request web and press Enter. When you are prompted, type the identifying values in the fields, or
press Enter if the field is optional. You must enter a common name for the MX.
This command outputs a PKCS #10 text string in Privacy-Enhanced Mail protocol (PEM) format
that you paste to another location for submission to the certificate authority. You then send the
request to the certificate authority to obtain a signed copy of the MX certificate as a PKCS #7
object file.
Examples
To request an administrative certificate from a certificate authority, type the following
command:
MX# crypto generate request admin
Country Name: US
admin Generates a request for an administrative certificate to authenticate the MX to
RingMaster or Web View.
eap Generates a request for an EAP certificate to authenticate the MX to 802.1X
supplicants (clients).
web Generates a request for a WebAAA certificate to authenticate the MX to WebAAA
clients.
Country Name string (Optional) Specify the abbreviation for the country in which the MX is operating, in
2 alphanumeric characters with no spaces.
State Name string (Optional) Specify the name of the state, in up to 64 alphanumeric characters. Spaces
are allowed.
Locality Name string (Optional) Specify the name of the locality, in up to 80 alphanumeric characters with
no spaces.
Organizational Name string (Optional) Specify the name of the organization, in up to 80 alphanumeric characters
with no spaces.
Organizational Unit string (Optional) Specify the name of the organizational unit, in up to 80 alphanumeric
characters with no spaces.
Common Name string Specify a unique name for the MX, in up to 80 alphanumeric characters with no
spaces. Use a fully qualified name if such names are supported on your network. This
field is required.
Email Address string (Optional) Specify your e-mail address, in up to 80 alphanumeric characters with no
spaces.
Unstructured Name string (Optional) Specify any name, in up to 80 alphanumeric characters with no spaces.
Version 1.0 Command introduced
Version 3.0 webaaa option added
Version 4.1 webaaa option renamed to web. Maximum string length for State Name increased from
two to 64 alphanumeric characters.
State Name: CA
Locality Name: Pleasanton
Organizational Name: Trapeze
Organizational Unit: ENG
Common Name: ENG
Email Address: admin@example.com
Unstructured Name: admin
CSR for admin is
-----BEGIN CERTIFICATE REQUEST-----
-----END CERTIFICATE REQUEST-----
See Also
crypto certificate on page 16-411
crypto generate key on page 16-412
crypto generate self-signed
Generates a self-signed certificate for either an administrative certificate for use with RingMaster
or an EAP certificate for use with 802.1X wireless users.
Syntax
crypto generate self-signed {admin | eap | web}
After you type the command, you are prompted for the following variables:
admin Generates an administrative certificate to authenticate the MX to RingMaster or Web
View.
eap Generates an EAP certificate to authenticate the MX to 802.1X supplicants (clients).
web Generates a WebAAA certificate to authenticate the MX to WebAAA clients.
Country Name
string
(Optional) Specify the abbreviation for the country in which the MX is operating, in
2 alphanumeric characters with no spaces.
State Name string (Optional) Specify the abbreviation for the name of the state, in 2 alphanumeric
characters with no spaces.
Locality Name
string
(Optional) Specify the name of the locality, in up to 80 alphanumeric characters with
no spaces.
Organizational
Name string
(Optional) Specify the name of the organization, in up to 80 alphanumeric characters
with no spaces.
Organizational Unit
string
(Optional) Specify the name of the organizational unit, in up to 80 alphanumeric
characters with no spaces.
Cryptography Commands
Cryptography Commands
16 – 415
Defaults
None.
Access
Enabled.
History
Usage
To use this command, you must already have generated a public-private encryption key
pair with the crypto generate key command.
Examples
To generate a self-signed administrative certificate, type the following command:
MX# crypto generate self-signed admin
Country Name:
State Name:
Locality Name:
Organizational Name:
Organizational Unit:
Common Name: mx1@example.com
Email Address:
Unstructured Name:
success: self-signed cert for admin generated
See Also
crypto certificate on page 16-411
crypto generate key on page 16-412
crypto otp
Sets a one-time password (OTP) for use with the crypto pkcs12 command.
Syntax
crypto otp {admin | eap | web} one-time-password
Common Name
string
Specify a unique name for the MX, in up to 80 alphanumeric characters with no
spaces. Use a fully qualified name if such names are supported on your network. This
field is required.
Note: If you are generating a WebAAA (web) certificate, use a common
name that looks like a domain name (two or more strings connected by dots,
with no spaces). For example, use common.name instead of common name.
The string is not required to be an actual domain name. It simply needs to
be formatted like one.
Email Address
string
(Optional) Specify your email address, in up to 80 alphanumeric characters with no
spaces.
Unstructured Name
string
(Optional) Specify any name, in up to 80 alphanumeric characters with no spaces.
Version 1.0 Command introduced
Version 3.0 webaaa option added
Version 4.1 webaaa option renamed to web
admin Creates a one-time password for installing a PKCS #12 object file for an
administrative certificate and key pair—and optionally the certificate
authority’s own certificate—to authenticate the MX switch to RingMaster or
Web View.
eap Creates a one-time password for installing a PKCS #12 object file for an EAP
certificate and key pair—and optionally the certificate authority’s own
certificate—to authenticate the MX switch to 802.1X supplicants (clients).
web Creates a one-time password for installing a PKCS #12 object file for a WebAAA certificate and key pair—and optionally the certificate authority’s own certificate—to authenticate the MX to WebAAA clients.
one-time-password Password of at least 1 alphanumeric character, with no spaces, for clients other than Microsoft Windows clients. The password must be the same as the password protecting the PKCS #12 object file.
Note: On an MX providing communication to and from Microsoft Windows clients, use a one-time password of 31 characters or fewer.
The following characters cannot be used as part of the one-time password of a PKCS #12 file:
Quotation marks (“ ”)
Question mark (?)
Ampersand (&)
Defaults
None.
Access
Enabled.
History
Version 1.0 Command introduced
Version 3.0 webaaa option added
Version 4.1 webaaa option renamed to web
Usage
The password allows the public-private key pair and certificate to be installed together from the same PKCS #12 object file. MSS erases the one-time password after processing the crypto pkcs12 command or when you reboot the MX.
Trapeze Networks recommends that you create a password that is memorable to you but is not subject to easy guesses or a dictionary attack. For best results, create a password of alphanumeric uppercase and lowercase characters.
Examples
The following command creates the one-time password hap9iN#ss for installing an EAP certificate and key pair:
MX# crypto otp eap hap9iN#ss
OTP set
See Also
crypto pkcs12 on page 16-416
crypto pkcs12
Unpacks a PKCS #12 object file into the certificate and key storage area on the MX. This object file contains a public-private key pair, an MX certificate signed by a certificate authority, and the certificate authority’s certificate.
Syntax
crypto pkcs12 {admin | eap | web} file-location-url
admin Unpacks a PKCS #12 object file for an administrative certificate and key pair—
and optionally the certificate authority’s own certificate—for authenticating the
MX to RingMaster or Web View.
eap Unpacks a PKCS #12 object file for an EAP certificate and key pair—and
optionally the certificate authority’s own certificate—for authenticating the MX
to 802.1X supplicants (clients).
web Unpacks a PKCS #12 object file for a WebAAA certificate and key pair—and optionally the certificate authority’s own certificate—for authenticating the MX switch to WebAAA clients.
file-location-url Location of the PKCS #12 object file to be installed. Specify a location of between 1 and 128 alphanumeric characters, with no spaces.
Defaults
The password you enter with the crypto otp command must be the same as the one protecting the PKCS #12 file.
Access
Enabled.
History
Version 1.0 Command introduced
Version 3.0 webaaa option added
Version 4.1 webaaa option renamed to web
Usage
To use this command, you must have already created a one-time password with the crypto otp command.
You must also have the PKCS #12 object file available. You can download a PKCS #12 object file via TFTP from a remote location to the local nonvolatile storage system on the MX.
Examples
The following commands copy a PKCS #12 object file for an EAP certificate and key pair—and optionally the certificate authority’s certificate—from a TFTP server to nonvolatile storage on the MX, create the one-time password hap9iN#ss, and unpack the PKCS #12 file:
MX# copy tftp://192.168.253.1/2048full.p12 2048full.p12
success: received 637 bytes in 0.253 seconds [ 2517 bytes/sec]
MX# crypto otp eap hap9iN#ss
OTP set
MX# crypto pkcs12 eap 2048full.p12
Unwrapped from PKCS12 file:
keypair
device certificate
CA certificate
See Also
crypto otp on page 16-415
show crypto ca-certificate
Displays information about the certificate authority’s PEM-encoded PKCS #7 certificate.
Syntax
show crypto ca-certificate {admin | eap | web}
admin Displays information about the certificate authority’s certificate that signed the administrative certificate for the MX. The administrative certificate authenticates the MX to RingMaster or Web View.
eap Displays information about the certificate authority’s certificate that signed the Extensible Authentication Protocol (EAP) certificate for the MX. The EAP certificate authenticates the MX to 802.1X supplicants (clients).
web Displays information about the certificate authority’s certificate that signed the WebAAA certificate for the MX. The WebAAA certificate authenticates the MX to WebAAA clients.
Defaults
None.
Access
Enabled.
History
Version 1.0 Command introduced
Version 3.0 webaaa option added
Version 4.1 webaaa option renamed to web
Examples
To display information about the certificate of a certificate authority, type the following command:
MX# show crypto ca-certificate
Table 16–1 describes the fields in the display.
Table 16–1. show crypto ca-certificate Output
Fields Description
Version Version of the X.509 certificate.
Serial Number A unique identifier for the certificate or signature.
Subject Name of the certificate owner.
Signature Algorithm Algorithm that created the signature, such as RSA MD5 or RSA SHA.
Issuer Certificate authority that issued the certificate or signature.
Validity Time period for which the certificate is valid.
See Also
crypto ca-certificate on page 16-410
show crypto certificate on page 16-418
show crypto certificate
Displays information about one of the cryptographic certificates installed on the MX.
Syntax
show crypto certificate {admin | eap | web}
admin Displays information about the administrative certificate that authenticates the MX to RingMaster or Web View.
eap Displays information about the EAP certificate that authenticates the MX to 802.1X supplicants (clients).
web Displays information about the WebAAA certificate that authenticates the MX to WebAAA clients.
Defaults
None.
Access
Enabled.
History
Version 1.0 Command introduced
Version 3.0 webaaa option added
Version 4.1 webaaa option renamed to web
Usage
You must have generated a self-signed certificate or obtained a certificate from a certificate authority before displaying information about the certificate.
Examples
To display information about a cryptographic certificate, type the following command:
MX# show crypto certificate eap
Table 16–2 describes the fields of the display.
Table 16–2. crypto certificate Output
Fields Description
Version Version of the X.509 certificate.
Serial Number A unique identifier for the certificate or signature.
Subject Name of the certificate owner.
Signature Algorithm Algorithm that created the signature, such as RSA MD5 or RSA SHA.
Issuer Certificate authority that issued the certificate or signature.
Validity Time period for which the certificate is valid.
See Also
crypto generate self-signed on page 16-414
show crypto ca-certificate on page 16-417
show crypto key domain
Displays the checksum (also called a fingerprint) of the public key used to authenticate management traffic between MX switches.
Syntax
show crypto key domain
Defaults
None.
Access
Enabled.
History
Introduced in MSS 5.0.
Examples
To display the fingerprint for MX-MX security, type the following command:
MX# show crypto key domain
Domain public key:
e6:43:91:e2:b3:53:ed:46:76:5f:f0:96:3a:3b:86:d3
See Also
crypto generate key on page 16-412
show crypto key ssh
Displays SSH authentication key information. This command displays the checksum (also called a fingerprint) of the public key. When you connect to the MX with an SSH client, you can compare the SSH key checksum displayed by the MX with the one displayed by the client to verify that you really are connected to the MX and not another device. Generally, SSH clients remember the encryption key after the first connection, so you need to check the key only once.
Syntax
show crypto key ssh
Defaults
None.
Access
Enabled.
History
Introduced in MSS 2.0.
Examples
To display SSH key information, type the following command:
MX# show crypto key ssh
ec:6f:56:7f:d1:fd:c0:28:93:ae:a4:f9:7c:f5:13:04
See Also
crypto generate key on page 16-412
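To make the fingerprint comparison described for show crypto key ssh concrete, here is an added example (not Trapeze code) that derives the 16-byte colon-hex MD5 fingerprint the MX prints from an OpenSSH public-key line and compares it in constant time with the value an SSH client shows. The RSA key is constructed inline from a tiny, non-secure modulus so the example runs offline; all function names are the example's own.

```python
"""Compute and compare an SSH host-key fingerprint in the colon-separated
MD5 form that 'show crypto key ssh' displays.

Added example for this reference, not Trapeze code. The key is constructed
inline so the example runs offline; in practice the fingerprint comes from
the MX console and from the SSH client's first-connection prompt.
"""
import base64
import hashlib
import hmac
import re
import struct

# Sixteen hex bytes separated by colons, e.g. ec:6f:56:...:13:04
FINGERPRINT_RE = re.compile(r"^([0-9a-f]{2}:){15}[0-9a-f]{2}$")


def _ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value: int) -> bytes:
    """RFC 4251 'mpint': big-endian magnitude with a leading zero byte when
    the top bit is set, so the value is not read back as negative."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)


def encode_rsa_public_key(e: int, n: int) -> str:
    """Build an OpenSSH 'ssh-rsa <base64>' public-key line from e and n."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode("ascii")


def md5_fingerprint(pubkey_line: str) -> str:
    """MD5 over the decoded key blob, rendered as 16 colon-separated hex
    bytes: the same form the MX prints for its SSH key."""
    key_type, b64, *_ = pubkey_line.split()
    if key_type != "ssh-rsa":
        raise ValueError(f"unsupported key type {key_type!r}")
    blob = base64.b64decode(b64)
    # The blob begins with the key type as an SSH string; it must agree
    # with the declared type, otherwise the line has been tampered with.
    (type_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + type_len] != b"ssh-rsa":
        raise ValueError("key blob does not match declared key type")
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def normalize_fingerprint(text: str) -> str:
    """Accept an 'MD5:' prefix, upper-case hex and stray whitespace, as
    different SSH clients print the same fingerprint slightly differently."""
    text = text.strip()
    if text.upper().startswith("MD5:"):
        text = text[4:]
    text = text.lower()
    if not FINGERPRINT_RE.match(text):
        raise ValueError(f"not a 16-byte colon-hex fingerprint: {text!r}")
    return text


def fingerprint_matches(shown_by_mx: str, shown_by_client: str) -> bool:
    """True when the fingerprint the MX printed equals the one the SSH
    client prompts with; the compare is constant-time."""
    return hmac.compare_digest(
        normalize_fingerprint(shown_by_mx),
        normalize_fingerprint(shown_by_client),
    )


if __name__ == "__main__":
    # Constructed key: a small modulus purely for demonstration.
    key_line = encode_rsa_public_key(65537, 0xC0FFEEDEADBEEF1234567)
    fp = md5_fingerprint(key_line)
    print("fingerprint:", fp)
    print("matches client prompt:", fingerprint_matches(fp, "MD5:" + fp.upper()))
```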
RADIUS, LDAP, and Server Groups Commands 17 – 421
17
RADIUS, LDAP, and Server Groups Commands
Use RADIUS commands to set up communication between an MX switch and groups of up to four
RADIUS servers for remote authentication, authorization, and accounting (AAA) of
administrators and network users. This chapter presents RADIUS commands alphabetically. Use
the following table to locate commands in this chapter based on their uses.
With MSS 7.1, LDAPv3 is now available as an authentication method. You can configure LDAP
servers, LDAP server groups, and LDAP load-balancing across LDAP servers.
Command Auditing
LDAP Servers
clear ldap auth-port on page 422
clear ldap base-dn on page 422
clear ldap bind-mode on page 422
clear ldap deadtime on page 422
clear ldap mac-addr-format on page 422
clear ldap timeout on page 423
ldap-ping on page 426
set ldap on page 427
set ldap server on page 428
LDAP Server Groups
set ldap server group on page 428
set ldap server group load-balance on page 429
RADIUS Client
set radius client system-ip on page 431
set radius client system-ip on page 430
clear radius client system-ip on page 424
RADIUS Diagnostics
radping on page 426
RADIUS Servers
set radius on page 429
set radius client system-ip on page 430
set authorization dynamic on page 431
set radius das-port on page 431
set radius server on page 433
clear radius on page 423
clear radius server on page 425
show radius on page 438
Server Groups
set server group on page 435
set server group load-balance on page 435
clear server group on page 426
RADIUS Proxy
set radius proxy client on page 432
set radius proxy port on page 433
clear radius proxy client on page 425
clear radius proxy port on page 425
(For information about RADIUS attributes, see the RADIUS appendix in the Trapeze Mobility
System Software Configuration Guide.)
clear ldap auth-port
Syntax
clear ldap auth-port port
Defaults
None
Access
Enabled
History
Introduced in MSS 7.1.
clear ldap base-dn
Syntax
clear ldap base-dn basedn
Defaults
None
Access
Enabled
History
Introduced in MSS 7.1.
clear ldap bind-mode
Syntax
clear ldap bind-mode [simple-auth | sasl-md5]
Defaults
None
Access
Enabled
History
Introduced in MSS 7.1
clear ldap deadtime
Syntax
clear ldap deadtime min
Defaults
None
Access
Enabled
History
Introduced in MSS 7.1
Usage
Used to clear the deadtime configuration for an LDAP server.
Examples
To clear an LDAP deadtime of five minutes, use the following command:
MX# clear ldap deadtime 5
success: change accepted
clear ldap mac-addr-format
Syntax
clear ldap mac-addr-format format
Defaults
None
Access
Enabled
History
Introduced in MSS 7.1.
Usage
Clears the MAC address format from the LDAP configuration.
clear ldap timeout
Syntax
clear ldap timeout secs
Defaults
None
Access
Enabled
History
Introduced in MSS 7.1.
clear ldap server
Syntax
clear ldap server name
Defaults
None
Access
Enabled
History
Introduced in MSS 7.1.
clear ldap server group
Syntax
clear ldap server group name
Defaults
None
Access
Enabled
History
Introduced in MSS 7.1
clear radius
Resets parameters that were globally configured for RADIUS servers to the default values.
Syntax
clear radius {deadtime | key | retransmit | timeout}
deadtime Number of minutes to wait after declaring an unresponsive RADIUS server unavailable before retrying the RADIUS server.
key Password (shared secret key) used to authenticate to the RADIUS server.
retransmit Number of transmission attempts made before declaring an unresponsive RADIUS server unavailable.
timeout Number of seconds to wait for the RADIUS server to respond before retransmitting.
Defaults
Global RADIUS parameters have the following default values:
deadtime—0 (zero) minutes (The MX does not designate unresponsive RADIUS servers as unavailable.)
key—No key
retransmit—3 (the total number of attempts, including the first attempt)
timeout—5 seconds
Access
Enabled.
History
Introduced in MSS 1.0.
Usage
To override the globally set values on a particular RADIUS server, use the set radius
server command.
Examples
To reset all global RADIUS parameters to their factory defaults, type the following
commands:
MX# clear radius deadtime
success: change accepted.
MX# clear radius key
success: change accepted.
MX# clear radius retransmit
success: change accepted.
MX# clear radius timeout
success: change accepted.
See Also
set radius on page 429
set radius server on page 433
show aaa on page 190
clear radius das-port
Clears a configured Dynamic RADIUS server authorization port.
Syntax
clear radius das-port port_number
Defaults
None.
Access
Enabled.
History
Introduced in MSS 6.2.
Examples
To clear a dynamic RADIUS server port of 3799, use the following command:
MX# clear radius das-port 3799
clear radius client system-ip
Removes the MX system IP address from use as the permanent source address in RADIUS client
requests from the MX to the RADIUS server(s).
Syntax
clear radius client system-ip
Defaults
None.
Access
Enabled.
History
Introduced in MSS 1.0.
Usage
The clear radius client system-ip command causes the MX to use the IP address of the
interface through which the MX sends a RADIUS client request as the source IP address. The MX
selects a source interface address based on information in the routing table as the source address
for RADIUS packets leaving the MX.
Examples
To clear the system IP address as the permanent source address for RADIUS client
requests, type the following command:
MX# clear radius client system-ip
success: change accepted.
See Also
set radius client system-ip on page 431
show aaa on page 190
clear radius proxy client
Removes RADIUS proxy client entries for third-party APs.
Syntax
clear radius proxy client all
Defaults
None.
Access
Enabled.
History
Introduced in MSS 4.0.
Examples
The following command clears all RADIUS proxy client entries from the MX:
MX# clear radius proxy client all
success: change accepted.
See Also
set radius proxy client on page 432
clear radius proxy port
Removes RADIUS proxy ports configured for third-party APs.
Syntax
clear radius proxy port all
Defaults
None.
Access
Enabled.
History
Introduced in MSS 4.0.
Examples
The following command clears all RADIUS proxy port entries from the switch:
MX# clear radius proxy port all
success: change accepted.
See Also
set radius proxy port on page 433
clear radius server
Removes the named RADIUS server from the MX configuration.
Syntax
clear radius server server-name
server-name Name of a RADIUS server configured to perform remote AAA services for the MX.
Defaults
None.
Access
Enabled.
History
Introduced in MSS 1.0.
Examples
The following command removes the RADIUS server rs42 from a list of remote AAA servers:
MX# clear radius server rs42
success: change accepted.
See Also
set radius server on page 433
show aaa on page 190
clear server group
Removes a RADIUS server group from the configuration, or disables load balancing for the group.
Syntax
clear server group group-name [load-balance]
group-name Name of a RADIUS server group configured to perform remote AAA services for MX switches.
load-balance Ability of group members to share demand for services among servers.
Defaults
None.
Access
Enabled.
History
Introduced in MSS 1.0.
Usage
Deleting a server group removes the server group from the configuration. However, the members of the server group remain.
Examples
To remove the server group sg-77, type the following command:
MX# clear server group sg-77
success: change accepted.
To disable load balancing in a server group shorebirds, type the following command:
MX# set server group shorebirds load-balance disable
success: change accepted.
See Also
set server group on page 435
ldap-ping
Provides a diagnostic tool to enhance troubleshooting capabilities for LDAP servers on the network.
Syntax
ldap-ping [group server-group-name | server server-name]
Defaults
None
Access
Enabled
History
Introduced in MSS 7.1
radping
Provides a diagnostic tool to enhance troubleshooting capabilities for RADIUS servers on the network. The command sends an authentication request to the RADIUS server to determine if it is offline.
Syntax
radping {server servername | group servergroup} request {acct-off | acct-on | acct-start | acct-stop | acct-update | authentication} user username password password auth-type {plain | mschap2}
server servername Name of a RADIUS server configured to perform remote AAA services for MX switches.
group servergroup Name of a RADIUS server group configured to perform remote AAA services for MX switches.
request {acct-off | acct-on | acct-start | acct-stop | acct-update} Send accounting requests to the RADIUS server to collect and start or stop user statistics.
request authentication Send an authentication request to the RADIUS server.
user username A user name configured on the RADIUS server.
password password The password configured for user.
auth-type {plain | mschap2} The authentication type used by the RADIUS server or server group.
Defaults
None
Access
Enabled.
History
Introduced in MSS Version 6.2.
Examples
To verify that the RADIUS server alpha is active on the network, using the username smith5 and the password swordfish, type the following command:
MX# radping alpha request authentication user smith5 password swordfish auth-type mschap2
Sending authentication request to server test-27708 (10.20.30.40:1812)
To send an accounting request to the RADIUS server, use the following command:
MX# radping alpha request acct-start
To stop the accounting requests, use the following command:
MX# radping alpha request acct-stop
set accounting command
Used to configure command auditing on your network. All commands entered using the CLI are logged to the RADIUS server for auditing purposes.
set ldap
Configure additional settings for an LDAP configuration.
Syntax
set ldap [auth-port port] [base-dn basedn] [bind-mode {simple-auth | sasl-md5}] [deadtime mins] [mac-addr-format {hyphens | colons | one-hyphen | raw}] [timeout seconds]
auth-port port The designated port used for LDAP authentication.
base-dn basedn The suffix to be appended to a Domain Name.
bind-mode simple-auth | sasl-md5 The binding mode for authentication. You can select from the following:
simple-auth — a request for authentication is sent with the user’s credentials.
sasl-md5 — a response is sent with a sasl-md5 challenge.
deadtime mins The deadtime can be configured in minutes with a range of 0 to 1440 minutes. The default value is five minutes.
mac-addr-format hyphens | colons | one-hyphen | raw Authentication requires a corresponding MAC address from the client.
timeout secs Configure a length of time that a client can be idle on the network. It can be a value from 1 second to 65535 seconds. The default value is five seconds.
Defaults
None
Access
Enabled
History
Introduced in MSS 7.1
set ldap server
Add LDAP servers to your network configuration as an authentication method.
Syntax
set ldap server server-name address ip-address
Defaults
None
Access
Enabled
History
Introduced in MSS 7.1
Examples
To add an LDAP server with the IP address of 10.1.1.1 to the configuration, enter the following command:
MX# set ldap server corpnet address 10.1.1.1
success: change accepted.
set ldap server group
Add LDAP servers to a group for redundancy on the network.
Syntax
set ldap server group server-group-name members member-name
Defaults
None
Access
Enabled
History
Introduced in MSS 7.1
Usage
LDAP server groups provide redundancy and load balancing on the network. You can configure up to four LDAP server groups.
Examples
To add LDAP server, testldap, to the server group, corpldap, use the following
command:
MX# set ldap server group corpldap members testldap
success: change accepted.
set ldap server group load-balance
Allows you to balance traffic between LDAP server groups on your network.
Syntax
set ldap server group server-group-name load-balance [enable | disable]
Defaults
None
Access
Enabled
History
Introduced in MSS 7.1
Examples
To configure load balancing on the server group corpldap, use the following command:
MX# set ldap server group corpldap load-balance enable
success: change accepted.
set radius
Configures global defaults for RADIUS servers that do not explicitly set these values themselves.
By default, the MX automatically sets all these values except the password (key).
Syntax
set radius {author-password use-mac-address | das-port port | deadtime minutes | encrypted-key string | key string | mac-addr-format {colons | hyphens | one-hyphen | raw} | retransmit number | timeout seconds}
author-password use-mac-address Set this option to send the user mac-address as the password.
das-port port Set the dynamic authorization port for all DACs. The value can be 1, 65535, or 3799.
deadtime minutes Number of minutes the MX waits after declaring an unresponsive RADIUS server unavailable before retrying the RADIUS server. You can specify from 0 to 1440 minutes.
encrypted-key string Password (shared secret key) used to authenticate to the RADIUS server, entered in its encrypted form. You must provide the same encrypted password that is defined on the RADIUS server. The password can be 1 to 64 characters long, with no spaces or tabs.
MSS does not encrypt the string you enter, and instead displays the string in show config and show aaa output exactly as you entered it.
Note: Use this option only if you are entering the key in the encrypted form. To enter the key in unencrypted form, use the key string option instead.
key string Password (shared secret key) used to authenticate to the RADIUS server, entered in its unencrypted form. You must provide the same password that is defined on the RADIUS server. The password can be 1 to 64 characters long, with no spaces or tabs.
MSS encrypts the displayed form of the string in show config and show aaa output.
Note: Use this option only if you are entering the key in the unencrypted form. To enter the key in encrypted form, use the encrypted-key string option instead.
mac-addr-format {colons | hyphens | one-hyphen | raw} Sets the MAC address format for all RADIUS servers using the author-password option. MAC addresses can have the following formats:
colons—12:34:56:78:9a:bc
hyphens—12-34-56-78-9a-bc
one-hyphen—123456-789abc
raw—123456789abc
retransmit number Number of transmission attempts the MX makes before declaring an unresponsive RADIUS server unavailable. You can specify from 1 to 100 retries.
timeout seconds Number of seconds the MX waits for the RADIUS server to respond before retransmitting. You can specify from 1 to 65,535.
Defaults
Global RADIUS parameters have the following default values:
deadtime—0 (zero) minutes (The MX does not designate unresponsive RADIUS servers as unavailable.)
encrypted-key—No key
key—No key
retransmit—3 (the total number of attempts, including the first attempt)
timeout—5 seconds
Access
Enabled.
History
Version 1.0 Command introduced
Version 4.2 encrypted-key option added
Usage
You can specify only one parameter per command line.
Examples
The following commands set the dead time to 5 minutes, the RADIUS key to goody, the number of retransmissions to 1, and the timeout to 21 seconds on all RADIUS servers connected to the MX switch:
MX-20# set radius deadtime 5
success: change accepted.
MX-20# set radius key goody
success: change accepted.
MX-20# set radius retransmit 1
success: change accepted.
MX-20# set radius timeout 21
success: change accepted.
See Also
clear radius server on page 425
set radius server on page 433
show aaa on page 190
set radius client system-ip
Configure RADIUS to use the client system IP address as the source IP address for all RADIUS packets.
Syntax
set radius client system-ip
Defaults
None
Access
Enabled
History
Introduced in MSS Version 7.0
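The timeout, retransmit and deadtime options of set radius above interact: every attempt waits out a full timeout, retransmit counts the first attempt, and deadtime 0 means a failed server is tried again on every request. The following simulation is an added example, not Trapeze code: it follows those parameter descriptions but assumes that the MX walks a server group in order and skips a server that is still inside its deadtime, and it uses two constructed servers to show how long a login can stall and why a non-zero deadtime shortens the repeat cost.

```python
"""Simulation of how RADIUS timeout, retransmit and deadtime interact.

Added example, not Trapeze code. It follows the parameter descriptions on
this page (retransmit counts the first attempt; deadtime 0 never marks a
server unavailable) and ASSUMES the MX walks a server group in order and
skips servers still inside their deadtime. Servers and their up/down state
are constructed inline; time is a simulated clock in seconds, nothing is
sent on the network.
"""
from dataclasses import dataclass

DEFAULT_TIMEOUT = 5      # seconds per attempt (set radius timeout)
DEFAULT_RETRANSMIT = 3   # total attempts, first one included (set radius retransmit)
DEFAULT_DEADTIME = 0     # minutes; 0 = never declare a server unavailable


@dataclass
class RadiusServer:
    name: str
    timeout: int = DEFAULT_TIMEOUT
    retransmit: int = DEFAULT_RETRANSMIT
    deadtime: int = DEFAULT_DEADTIME
    responding: bool = True         # constructed: does this server answer at all?
    unavailable_until: float = 0.0  # simulated clock value, seconds

    def worst_case_wait(self) -> int:
        """Seconds a request can stall on this server before it is given up:
        each of the `retransmit` attempts waits out a full `timeout`."""
        return self.timeout * self.retransmit

    def is_available(self, now: float) -> bool:
        """False while the server sits inside its deadtime window."""
        return now >= self.unavailable_until

    def attempt(self, now: float):
        """Try the server once, retransmits included.
        Returns (answered, seconds_spent)."""
        if self.responding:
            return True, 0.0        # constructed: a live server answers instantly
        spent = float(self.worst_case_wait())
        if self.deadtime > 0:
            # Declared unavailable: skipped until `deadtime` minutes have passed.
            self.unavailable_until = now + spent + self.deadtime * 60
        return False, spent


def authenticate(group, now: float = 0.0):
    """Walk `group` in order, skipping servers inside their deadtime.
    Returns (name of the server that answered or None, total seconds, names tried)."""
    spent = 0.0
    tried = []
    for srv in group:
        if not srv.is_available(now + spent):
            continue
        tried.append(srv.name)
        answered, cost = srv.attempt(now + spent)
        spent += cost
        if answered:
            return srv.name, spent, tried
    return None, spent, tried


def demo():
    """Two constructed servers with the primary down, run with deadtime 0
    (the default) and with deadtime 5; the second login follows the first
    immediately. Returns {deadtime: (first_result, second_result)}."""
    results = {}
    for deadtime in (DEFAULT_DEADTIME, 5):
        rs1 = RadiusServer("rs1", deadtime=deadtime, responding=False)
        rs2 = RadiusServer("rs2", deadtime=deadtime)
        first = authenticate([rs1, rs2], now=0.0)
        second = authenticate([rs1, rs2], now=first[1])
        results[deadtime] = (first, second)
    return results


if __name__ == "__main__":
    for deadtime, (first, second) in demo().items():
        print(f"deadtime={deadtime} min: first login {first}, next login {second}")
```

With the defaults the dead primary costs every login 15 seconds; with deadtime 5 only the first login pays, and later ones go straight to rs2 until the five minutes are up.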
set radius dac
Configure dynamic RADIUS extensions in support of RFC 3576.
Syntax
set radius dac name ip-addr key string [disconnect {enable | disable}] [change-of-author {enable | disable}] [replay-protection {enable | disable}] [replay-window seconds]
Defaults
None
Access
Enabled.
History
Introduced in MSS Version 6.2.
For more information on configuring this feature, see the Mobility System Software Configuration
Guide.
set authorization dynamic
Configures SSIDs for dynamic RADIUS clients.
Syntax
set authorization dynamic {ssid {wireless_8021X | 8021X | any | name} | wired name}
Defaults
None.
Access
Enabled.
History
Introduced in MSS Version 6.2.
Examples
To configure an SSID named dac_clients, use the following command:
MX# set authorization dynamic ssid dac_clients
success: change accepted.
set radius das-port
Configures the dynamic authorization port for Dynamic RADIUS servers.
Syntax
set radius das-port port_number
Defaults
None
Access
Enabled
History
Introduced in MSS Version 6.2.
Examples
MX# set radius das-port 65539
success: change accepted
set radius client system-ip
Causes all RADIUS requests to be sourced from the IP address specified by the set system
ip-address command, providing a permanent source IP address for RADIUS packets sent from
the MX.
Syntax
set radius client system-ip
Defaults
None. If you do not use this command, RADIUS packets leaving the MX have the source
IP address of the outbound interface, which can change as routing conditions change.
Access
Enabled.
History
Introduced in MSS 1.0.
Usage
The MX system IP address must be set before you use this command.
Examples
The following command sets the MX system IP address as the address of the RADIUS
client:
MX# set radius client system-ip
success: change accepted.
See Also
clear radius client system-ip on page 424
set system ip-address on page 35
set radius proxy client
Adds a RADIUS proxy entry for a third-party AP. The proxy entry specifies the IP address of the
AP and the UDP ports on which the MX listens for RADIUS traffic from the AP.
Syntax
set radius proxy client address ip-address
[acct-port acct-udp-port-number] [port udp-port-number] key string
address ip-address IP address of the third-party AP. Enter the address in dotted decimal notation.
port udp-port-number UDP port on which the MX listens for RADIUS access-requests from the AP.
acct-port acct-udp-port-number UDP port on which the MX switch listens for RADIUS stop-accounting records from the AP.
key string Password (shared secret key) the MX uses to authenticate and encrypt RADIUS communication.
Defaults
The default UDP port number for access-requests is 1812. The default UDP port number for stop-accounting records is 1813.
Access
Enabled.
History
Introduced in MSS 4.0.
Usage
AAA for third-party AP users has additional configuration requirements. See the “Configuring AAA for Users of Third-Party APs” section in the “Configuring AAA for Network Users” chapter of the Trapeze Mobility System Software Advanced Configuration Guide.
Examples
The following command configures a RADIUS proxy entry for a third-party AP RADIUS client at 10.20.20.9, sending RADIUS traffic to the default UDP ports 1812 and 1813 on the MX:
MX# set radius proxy client address 10.20.20.9 key radkey1
success: change accepted.
See Also
clear radius proxy client on page 425
set authentication proxy on page 173
set radius proxy port on page 433
set radius proxy port
Configures the MX port connected to a third-party AP as a RADIUS proxy for the SSID supported
by the AP.
Syntax
set radius proxy port port-list [tag tag-value] ssid ssid-name
port port-list MX port(s) connected to the third-party AP.
tag tag-value 802.1Q tag value in packets sent by the third-party AP for the SSID.
ssid ssid-name SSID supported by the third-party AP.
Defaults
None.
Access
Enabled.
History
Introduced in MSS 4.0.
Usage
AAA for third-party AP users has additional configuration requirements. See the “Configuring AAA for Users of Third-Party APs” section in the “Configuring AAA for Network Users” chapter of the Trapeze Mobility System Software Advanced Configuration Guide.
Enter a separate command for each SSID, and the tag value that you want the MX to support.
Examples
The following command maps SSID mycorp to packets received on port 3 or 4, using 802.1Q tag value 104:
MX# set radius proxy port 3-4 tag 104 ssid mycorp
success: change accepted.
See Also
clear radius proxy port on page 425
set authentication proxy on page 173
set radius proxy client on page 432
set radius server
Configures RADIUS servers and their parameters. By default, the MX automatically sets all these values except the password (key).
Syntax
set radius server server-name [address ip-address] [auth-port port-number] [acct-port port-number] [timeout seconds] [retransmit number] [deadtime minutes] [key string | encrypted-key string] [mac-addr-format {hyphens | colons | one-hyphen | raw}] [author-password password]
server-name Unique name for this RADIUS server. Enter an alphanumeric string of up to
32 characters, with no blanks.
address ip-address IP address of the RADIUS server. Enter the address in dotted decimal notation.
auth-port
port-number
UDP port that the MX uses for authentication and authorization.
acct-port
port-number
UDP port that the MX uses for accounting.
timeout seconds Number of seconds the MX waits for the RADIUS server to respond before
retransmitting. You can specify from 1 to 65,535 seconds.
retransmit number Number of transmission attempts made before declaring an unresponsive RADIUS
server unavailable. You can specify from 1 to 100 retries.
RADIUS, LDAP, and Server Groups Commands
Mobility System Software Command Reference Guide
Version 7.3
17 – 434
Defaults
Default values are listed below:
auth-port—UDP port 1812
acct-port—UDP port 1813
timeout—5 seconds
retransmit—3 (the total number of attempts, including the first attempt)
deadtime—0 (zero) minutes (The MX does not designate unresponsive RADIUS servers as
unavailable.)
key—No key
encrypted-key—No key
author-password—trapeze
Access
Enabled.
History
Usage
For a given RADIUS server, the first instance of this command must set both the server
name and the IP address and can include any or all of the other optional parameters. Subsequent
instances of this command can be used to set optional parameters for a given RADIUS server.
To configure the server as a remote authenticator for the MX switch, you must add it to a server
group with the set server group command.
Do not use the same name for a RADIUS server and a RADIUS server group.
Examples
To set a RADIUS server named RS42 with IP address 198.162.1.1 to use the default
accounting and authorization ports with a timeout interval of 30 seconds, two transmit attempts,
5 minutes of dead time, a key string of keys4u, and the default authorization password of trapeze,
type the following command:
MX-20# set radius server RS42 address 198.162.1.1 timeout 30 retransmit 2 deadtime 5 key
keys4U
See Also
set authentication admin on page 164
deadtime minutes Number of minutes the MX waits after declaring an unresponsive RADIUS server
unavailable before retrying that RADIUS server. Specify between 0 (zero) and
1440 minutes (24 hours). A zero value causes the MX to identify unresponsive servers
as available.
key string |
encrypted-key
string
Password (shared secret key) the MX uses to authenticate to RADIUS servers. You
must provide the same password that is defined on the RADIUS server. The
password can be 1 to 64 characters long, with no spaces or tabs.
Use the key option to enter the string in its unencrypted form. MSS encrypts the
displayed form of the string in show config and show aaa output.
To enter the string in its encrypted form instead, use the encrypted-key option.
MSS does not encrypt the string you enter, and instead displays the string exactly
as you enter it.
mac-addr-format
hyphen|colons|
one-hyphen|raw
Configures a MAC address format to be sent as a username to a RADIUS server for
MAC authentication. The following formats can be specified:
hyphens—12-34-56-78-9a-bc
colons—12:34:56:78:9a:bc
one-hyphen—123456-789abc
raw—123456789abc
author-password
password
Password used for authorization to a RADIUS server for MAC authentication. The
client’s MAC address is sent as the username and the author-password string is
sent as the password. Specify a password of up to 64 alphanumeric characters with no
spaces or tabs.
Version 1.0 Command introduced
Version 4.2 encrypted-key option added
RADIUS, LDAP, and Server Groups Commands
RADIUS, LDAP, and Server Groups Commands
17 – 435
set authentication console on page 165
set authentication dot1x on page 167
set authentication mac on page 170
set authentication web on page 174
set radius on page 429
set server group on page 435
show aaa on page 190
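The mac-addr-format option matters as soon as MAC authentication is in use: the RADIUS server only finds a client's entry if the stored username is spelled exactly the way the MX sends it, and a format mismatch looks like a failed login rather than a configuration error. The Python helper below is an added example written for this page, not code from the guide or from MSS. It renders a MAC address in each of the four documented formats and reports which mac-addr-format setting a given RADIUS user entry requires; the function names (mac_username, detect_format, mismatched_entries) and the lowercase hex output are this example's own choices, following the guide's sample values.

```python
import re

# Added example for this page; not MSS code. Renders a client MAC address in the
# four username formats documented for the mac-addr-format option of
# set radius server, and checks whether RADIUS user entries match a given setting.
MAC_FORMATS = ("hyphens", "colons", "one-hyphen", "raw")

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac):
    """Return the 12 lowercase hex digits of a MAC written in any of the four
    formats (any case). Raises ValueError for anything that is not a MAC."""
    digits = re.sub(r"[-:]", "", mac.strip().lower())
    if not _HEX12.match(digits):
        raise ValueError("not a 48-bit MAC address: %r" % (mac,))
    return digits


def mac_username(mac, fmt):
    """The User-Name the MX would send for this client under mac-addr-format fmt
    (lowercase hex, as in the guide's examples)."""
    d = normalize_mac(mac)
    pairs = [d[i:i + 2] for i in range(0, 12, 2)]
    if fmt == "hyphens":
        return "-".join(pairs)          # 12-34-56-78-9a-bc
    if fmt == "colons":
        return ":".join(pairs)          # 12:34:56:78:9a:bc
    if fmt == "one-hyphen":
        return d[:6] + "-" + d[6:]      # 123456-789abc
    if fmt == "raw":
        return d                        # 123456789abc
    raise ValueError("unknown mac-addr-format: %r" % (fmt,))


def detect_format(username):
    """Which mac-addr-format setting makes the MX send exactly this stored
    username (compared case-insensitively), or None if the entry is not a MAC
    in any of the four formats (for example an ordinary user name)."""
    for fmt in MAC_FORMATS:
        try:
            if mac_username(username, fmt) == username.lower():
                return fmt
        except ValueError:
            return None
    return None


def mismatched_entries(server_usernames, configured_fmt):
    """Stored MAC-style usernames the MX will never send under configured_fmt.
    A client behind each of these fails MAC authentication even though the
    server holds an entry for it; entries that are not MACs are ignored."""
    return [u for u in server_usernames
            if detect_format(u) not in (None, configured_fmt)]


if __name__ == "__main__":
    for fmt in MAC_FORMATS:
        print(fmt, mac_username("12:34:56:78:9A:BC", fmt))
    print(mismatched_entries(["12-34-56-78-9a-bc", "123456789abc", "alice"], "raw"))
```

Run mismatched_entries over an export of the MAC entries in the RADIUS user store before changing mac-addr-format on a production MX: any entry it returns has to be rewritten on the server side first, or its client loses access at the moment the new format takes effect.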
set server group
Configures a group of one to four RADIUS servers.
Syntax
set server group group-name members server-name1 [server-name2]
[server-name3] [server-name4]
group-name Server group name of up to 32 characters, with no spaces or tabs.
members server-name1 [server-name2] [server-name3] [server-name4] The names of one or more
configured RADIUS servers. You can enter up to four server names.
Defaults
None.
Access
Enabled.
History
Introduced in MSS 1.0.
Usage
You must assign all group members simultaneously, as shown in the example. To enable
load balancing, use set server group load-balance enable.
Do not use the same name for a RADIUS server and a RADIUS server group.
Examples
To set server group shorebirds with members heron, egret, and sandpiper, type the
following command:
MX-20# set server group shorebirds members heron egret sandpiper
success: change accepted.
See Also
clear server group on page 426
set server group load-balance on page 435
show aaa on page 190
set server group load-balance
Enables or disables load balancing among the RADIUS servers in a server group.
Syntax
set server group group-name load-balance {enable | disable}
group-name Server group name of up to 32 characters.
load-balance enable | disable Enables or disables load balancing of authentication requests
among the servers in the group.
Defaults
Load balancing is disabled by default.
Access
Enabled.
History
Introduced in MSS 1.0.
Usage
You can optionally enable load balancing after assigning the server group members. If you
configure load balancing, MSS sends each AAA request to a separate server, starting with the
first one on the list and skipping unresponsive servers. If no server in the group responds, MSS
moves to the next method configured with set authentication and set accounting.
In contrast, if load balancing is not configured, MSS always begins with the first server in the list
and sends unfulfilled requests to each subsequent server in the group before moving on to the next
configured AAA method.
Examples
To enable load balancing between the members of server group shorebirds, type the
following command:
MX-20# set server group shorebirds load-balance enable
success: change accepted.
To disable load balancing between shorebirds server group members, type the following command:
MX-20# set server group shorebirds load-balance disable
success: change accepted.
See Also
clear server group on page 426
clear radius server on page 425
set server group on page 435
show aaa on page 190
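The Usage text for set server group load-balance describes two orders in which MSS walks the members of a group; how long a login stalls when the first member is down depends on that order combined with the timeout, retransmit and deadtime values of set radius server. The simulation below is an added example written for this page, not MSS code: it replays a few requests against the shorebirds group from the examples with heron unresponsive, using the documented defaults (timeout 5 seconds, retransmit 3 attempts, deadtime 0). The round-robin pointer handling (the next request starts at the member after the one that answered) and the way dead time is applied are this example's own reading of the text.

```python
from dataclasses import dataclass

# Added example, not MSS code. Models the two request orders described under
# set server group load-balance together with the timeout, retransmit and
# deadtime parameters of set radius server (defaults 5 s, 3 attempts, 0 min).
# The round-robin pointer handling is this example's own assumption.

@dataclass
class RadiusServer:
    name: str
    responsive: bool
    timeout: int = 5         # seconds per attempt (set radius server timeout)
    retransmit: int = 3      # total attempts, including the first (retransmit)
    deadtime: int = 0        # minutes a failed server is skipped (deadtime)
    dead_until: float = 0.0  # simulation clock (minutes) until which it is skipped

@dataclass
class ServerGroup:
    members: list
    load_balance: bool = False
    next_start: int = 0      # first member to try when load balancing (assumed round robin)

def try_server(srv, now):
    """Return (answered, seconds spent). An unresponsive server costs
    timeout * retransmit seconds and, if deadtime > 0, is then skipped for
    deadtime minutes; with deadtime 0 it is retried on every request."""
    if srv.deadtime and now < srv.dead_until:
        return False, 0
    if srv.responsive:
        return True, 0
    if srv.deadtime:
        srv.dead_until = now + srv.deadtime
    return False, srv.timeout * srv.retransmit

def send_request(group, now):
    """Send one AAA request. Returns (server that answered or None, seconds of
    delay before it answered, names tried in order). None means every member
    failed and MSS falls through to the next configured AAA method."""
    n = len(group.members)
    start = group.next_start if group.load_balance else 0
    delay, tried = 0, []
    for k in range(n):
        srv = group.members[(start + k) % n]
        tried.append(srv.name)
        answered, spent = try_server(srv, now)
        delay += spent
        if answered:
            if group.load_balance:
                group.next_start = (start + k + 1) % n
            return srv.name, delay, tried
    if group.load_balance:
        group.next_start = (start + 1) % n
    return None, delay, tried

def scenario(load_balance, deadtime, down=("heron",), requests=4):
    """Replay a few requests against the shorebirds group with the named
    members down, one request per simulated minute plus any stall."""
    members = [RadiusServer(n, n not in down, deadtime=deadtime)
               for n in ("heron", "egret", "sandpiper")]
    group = ServerGroup(members, load_balance)
    now, results = 0.0, []
    for _ in range(requests):
        served, delay, _tried = send_request(group, now)
        results.append((served, delay))
        now += 1 + delay / 60
    return results

if __name__ == "__main__":
    for lb in (False, True):
        for dt in (0, 5):
            print("load-balance", lb, "deadtime", dt, scenario(lb, dt))
```

The point the numbers make: with the default deadtime of 0, every request pays the full timeout * retransmit stall (15 seconds) for the dead first member, whether or not load balancing is on; a non-zero deadtime is what stops the repeated stall, and load balancing only spreads the requests that get through.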
show ldap
Displays configuration information about LDAP servers.
Syntax
show ldap
Defaults
None
Access
Enabled
History
Introduced in MSS 7.1.
Examples
Use the following command to display information about LDAP configurations.
MX# show ldap
LDAP Servers Default Values
auth-port=389, timeout=5(s), deadtime=5(mn)
bind-mode=sasl-md5, mac-addr-format=hyphens
LDAP Servers
Flags: (state) U=up, D=down
(bind-mode) s=simple-auth, m=sasl-md5
(mac-format) h=hyphens, c=colons, o=one-hyphen, r=raw
Auth Time Deadtime Flags
Server IP address Port Out Conf:Rem s:bm FQDN
-------------- --------------- ---- ---- ---------- ----- ---------------------
techpubs 10.8.112.212 389 5 5 :0m U:mh trapeze.com
testldap 10.1.1.1 389 5 5 :0m U:mh
Server groups
techldap: testldap
Table 17–1. show ldap output
Field Description
Default values LDAP default values for all parameters.
Flags Indicates the following information:
state - U=up , D=down
bind-mode - s=simple-auth m=sasl-md5
mac-format - h=hyphens, c=colons, o=one-hyphen, r=raw
Server Name of each LDAP server currently active.
IP Address IP address of each LDAP server currently active.
Auth Port UDP port on the MX for transmission of LDAP authorization and
authentication messages. The default port is 389.
Time Out Number of seconds the MX waits for a LDAP server to respond before
retransmitting. The default is 5 seconds
Dead Time Number of minutes the MX switch waits after determining a LDAP
server is unresponsive before trying to reconnect with this server.
During the dead time, the LDAP server is ignored by the MX. The
default is 0 minutes.
Flags Current state of each RADIUS server currently active:
UP (operating)
DOWN (unavailable)
FQDN The fully qualified domain name associated with the LDAP server.
Server Group Names of LDAP server groups and member servers configured on the
MX.
Server Port The RADIUS server port configured for dynamic authorization.
show radius
Displays configuration information about RADIUS servers.
Syntax
show radius
Defaults
None
Access
Enabled
History
Command introduced in MSS 6.2.
Examples
Use the following command to display information about RADIUS configurations.
MX# show radius
Radius servers Default Values
Auth-Port=1812 Acct-Port=1813 Timeout=5 Acct-Timeout=5
Retrans=3 Deatime=0 Key=(null) Author-Pass=(null)
Radius Servers
Server   IP Address      Auth  Acct  Time  Retry  Dead  State
                         Port  Port  Out          Time
-------  --------------  ----  ----  ----  -----  ----  -----
rs1      172.21.14.30    1812  1813  5     3      0     UP
rs2      1.1.1.1         1812  1813  5     3      0     UP
dummy    172.21.14.31    1812  1813  5     3      0     UP
Server groups
SG1:rs1
SG2:dummy
Radius Dynamic Authorization Configuration
Server port: 3799
Table 17–2 describes the fields that can appear in the show radius output.
Table 17–2. show radius Output
Field Description
Default values RADIUS default values for all parameters.
Server Name of each RADIUS server currently active.
IP Address IP address of each RADIUS server currently active.
Auth Port UDP port on the MX for transmission of RADIUS authorization and
authentication messages. The default port is 1812.
Acct Port UDP port on the MX for transmission of RADIUS accounting records.
The default is port 1813
Time Out Number of seconds the MX waits for a RADIUS server to respond
before retransmitting. The default is 5 seconds
Retry Number of times the MX switch retransmits a message before
determining a RADIUS server unresponsive. The default is 3 times
Dead Time Number of minutes the MX switch waits after determining a RADIUS
server is unresponsive before trying to reconnect with this server.
During the dead time, the RADIUS server is ignored by the MX. The
default is 0 minutes.
State Current state of each RADIUS server currently active:
UP (operating)
DOWN (unavailable)
Server Group Names of RADIUS server groups and member servers configured on the
MX.
RADIUS Dynamic Authorization
Configuration
If configured, dynamic authentication attributes are displayed.
Server Port The RADIUS server port configured for dynamic authorization.
Dynamic Author
Dynamic Author Clients The name of the DAC server
IP Address IP address of the DAC sever
Disconnect Disconnected clients
Change Author Enable or disable any changes in authorization
Replay Protect Enable or disable replay protection
Replay Win The length of time in seconds to allow for replay.
802.1X Management Commands 18 – 435
18
802.1X Management Commands
Use IEEE 802.1X management commands to modify the default settings for IEEE 802.1X sessions
on an MX. For best results, change the settings only if you are aware of a problem with 802.1X
performance on the MX.
This chapter presents 802.1X commands alphabetically. Use the following table to locate
commands in this chapter based on their use. For information about configuring 802.1X
commands for user authentication, see Chapter , “AAA Commands,” on page 147.
Caution: 802.1X parameter settings are global for all SSIDs configured on the MX.
Wired Authentication Port Control
  set dot1x port-control on page 18-442
  clear dot1x port-control on page 18-436
  set dot1x authcontrol on page 18-439
Keys
  set dot1x key-tx on page 18-440
  set dot1x tx-period on page 18-445
  clear dot1x tx-period on page 18-439
  set dot1x wep-rekey on page 18-446
  set dot1x wep-rekey-period on page 18-446
Bonded Authentication
  clear dot1x bonded-period on page 18-436
  set dot1x bonded-period on page 18-440
Reauthentication
  set dot1x reauth on page 18-443
  set dot1x reauth-max on page 18-443
  clear dot1x reauth-max on page 18-437
  set dot1x reauth-period on page 18-444
  clear dot1x reauth-period on page 18-437
Retransmission
  set dot1x max-req on page 18-441
  clear dot1x max-req on page 18-436
Quiet Period and Timeouts
  set dot1x quiet-period on page 18-442
  clear dot1x quiet-period on page 18-437
  set dot1x timeout auth-server on page 18-444
  clear dot1x timeout auth-server on page 18-438
  set dot1x timeout supplicant on page 18-445
  clear dot1x timeout supplicant on page 18-438
Settings, Active Clients, and Statistics
  show dot1x on page 18-447
clear dot1x bonded-period
Resets the Bonded Auth period to its default value.
Syntax
clear dot1x bonded-period
Defaults
The default bonded authentication period is 0 seconds.
Access
Enabled.
History
Introduced in MSS Version 2.1.
Examples
To reset the Bonded period to its default, type the following command:
MX# clear dot1x bonded-period
success: change accepted.
See Also
set dot1x bonded-period on page 18-440
show dot1x on page 18-447
clear dot1x max-req
Resets to the default setting the number of Extensible Authentication Protocol (EAP) requests
that the MX switch retransmits to a supplicant (client).
Syntax
clear dot1x max-req
Defaults
The default number is 20.
Access
Enabled.
History
Introduced in MSS 1.0.
Examples
To reset the number of 802.1X requests the MX can send to the default setting, type the
following command:
MX# clear dot1x max-req
success: change accepted.
See Also
set dot1x max-req on page 18-441
show dot1x on page 18-447
clear dot1x port-control
Resets all wired authentication ports on the MX to default 802.1X authentication.
Syntax
clear dot1x port-control
Defaults
By default, all wired authentication ports are set to auto and they process
authentication requests as determined by the set authentication dot1x command.
Access
Enabled.
History
Introduced in MSS 1.0.
Usage
This command is overridden by the set dot1x authcontrol command. The clear dot1x
port-control command returns port control to the method configured. This command applies only
to wired authentication ports.
Examples
Type the following command to reset the wired authentication port control:
MX# clear dot1x port-control
success: change accepted.
See Also
set dot1x port-control on page 18-442
show dot1x on page 18-447
clear dot1x quiet-period
Resets the quiet period after a failed authentication to the default setting.
Syntax
clear dot1x quiet-period
Defaults
The default is 60 seconds.
Access
Enabled.
History
Introduced in MSS 1.0.
Examples
Type the following command to reset the 802.1X quiet period to the default:
MX# clear dot1x quiet-period
success: change accepted.
See Also
set dot1x quiet-period on page 18-442
show dot1x on page 18-447
clear dot1x reauth-max
Resets the maximum number of reauthorization attempts to the default setting.
Syntax
clear dot1x reauth-max
Defaults
The default is 2 attempts.
Access
Enabled.
History
Introduced in MSS 1.0.
Examples
Type the following command to reset the maximum number of reauthorization attempts
to the default:
MX# clear dot1x reauth-max
success: change accepted.
See Also
set dot1x reauth-max on page 18-443
show dot1x on page 18-447
clear dot1x reauth-period
Resets the time period that must elapse before a reauthentication attempt, to the default time
period.
Syntax
clear dot1x reauth-period
Defaults
The default is 3600 seconds (1 hour).
Access
Enabled.
History
Introduced in MSS 1.0.
Examples
Type the following command to reset the default reauthentication time period:
MX# clear dot1x reauth-period
success: change accepted.
See Also
set dot1x reauth-period on page 18-444
show dot1x on page 18-447
clear dot1x timeout auth-server
Resets to the default setting the number of seconds that must elapse before the MX times out a
request to a RADIUS server.
Syntax
clear dot1x timeout auth-server
Defaults
The default is 30 seconds.
Access
Enabled.
History
Introduced in MSS 1.0.
Examples
To reset the default timeout for requests to an authentication server, type the following
command:
MX# clear dot1x timeout auth-server
success: change accepted.
See Also
set dot1x timeout auth-server on page 18-444
show dot1x on page 18-447
clear dot1x timeout supplicant
Resets to the default setting the number of seconds that must elapse before an authentication
session with a supplicant (client) times out.
Syntax
clear dot1x timeout supplicant
Defaults
The default for the authentication timeout sessions is 30 seconds.
Access
Enabled.
History
Introduced in MSS 1.0.
Examples
Type the following command to reset the timeout period for an authentication session:
MX# clear dot1x timeout supplicant
success: change accepted.
See Also
set dot1x timeout supplicant on page 18-445
show dot1x on page 18-447
clear dot1x tx-period
Resets to the default setting the number of seconds that must elapse before the MX retransmits an
EAP over LAN (EAPoL) packet.
Syntax
clear dot1x tx-period
Defaults
The default is 5 seconds.
Access
Enabled.
History
Introduced in MSS 1.0.
Examples
Type the following command to reset the EAPoL retransmission time:
MX# clear dot1x tx-period
success: change accepted.
See Also
set dot1x tx-period on page 18-445
show dot1x on page 18-447
set dot1x authcontrol
Provides a global override mechanism for 802.1X authentication configuration on wired
authentication ports.
Syntax
set dot1x authcontrol {enable | disable}
enable Allows all wired authentication ports running 802.1X to use the authentication
specified per port by the set dot1x port-control command.
disable Forces all wired authentication ports running 802.1X to unconditionally accept all
802.1X authentication attempts with an EAP Success message (ForceAuth).
Defaults
By default, authentication control for individual wired authentication ports is enabled.
Access
Enabled.
History
Introduced in MSS 1.0.
Usage
This command applies only to wired authentication ports.
Examples
To enable per-port 802.1X authentication on wired authentication ports, type the
following command:
MX# set dot1x authcontrol enable
success: dot1x authcontrol enabled.
See Also
set dot1x port-control on page 18-442
show dot1x on page 18-447
set dot1x bonded-period
Changes the Bonded Auth™ (bonded authentication) period. The Bonded Auth period is the
number of seconds MSS allows a Bonded Auth user to reauthenticate.
Syntax
set dot1x bonded-period seconds
seconds Number of seconds MSS retains session information for an authenticated computer
while waiting for a client to (re)authenticate on the same computer. You can change
the bonded authentication period to a value from 1 to 300 seconds.
Defaults
The default bonded period is 0 seconds, which disables the feature.
Access
Enabled.
History
Introduced in MSS 2.1.
Usage
Normally, the Bonded Auth period needs to be set only if the network has Bonded Auth
clients that use dynamic WEP, or use WEP-40 or WEP-104 encryption with WPA or RSN. These
clients can be affected by the 802.1X reauthentication parameter or the RADIUS Session-Timeout
parameter.
Trapeze Networks recommends that you try 60 seconds, and change the period to a longer value
only if clients are unable to authenticate within 60 seconds.
The bonded authentication period applies only to 802.1X authentication rules that contain the
bonded option.
Examples
To set the bonded authentication period to 60 seconds, type the following command:
MX# set dot1x bonded-period 60
success: change accepted.
See Also
clear dot1x bonded-period on page 18-436
show dot1x on page 18-447
set dot1x key-tx
Enables or disables the transmission of encryption key information to the supplicant (client) in
EAP over LAN (EAPoL) key messages, after authentication is successful.
Syntax
set dot1x key-tx {enable | disable}
enable Enables transmission of encryption key information to clients.
disable Disables transmission of encryption key information to clients.
Defaults
Key transmission is enabled by default.
Access
Enabled.
History
Introduced in MSS 1.0.
Examples
Type the following command to enable key transmission:
MX# set dot1x key-tx enable
success: dot1x key transmission enabled.
See Also
show dot1x on page 18-447
set dot1x max-req
Sets the maximum number of times the MX retransmits an EAP request to a supplicant (client)
before ending the authentication session.
Syntax
set dot1x max-req number-of-retransmissions
number-of-retransmissions Specify a value between 0 and 10.
Defaults
The default number of EAP retransmissions is 2.
Access
Enabled.
History
Introduced in MSS 1.0.
Usage
To support SSIDs that have both 802.1X and static WEP clients, MSS sends a maximum of
two ID requests, even if this parameter is set to a higher value. Setting the parameter to a higher
value does affect all other types of EAP messages.
Examples
Type the following command to set the maximum number of EAP request
retransmissions to three attempts:
MX# set dot1x max-req 3
success: dot1x max request set to 3.
See Also
clear dot1x max-req on page 18-436
show dot1x on page 18-447
set dot1x multicast-rekey
Enables or disables multicast periodic rekeying on the network.
Syntax
set dot1x multicast-rekey {enable | disable}
Defaults
None
Access
Enabled
History
Introduced in MSS 7.1
set dot1x multicast-rekey-period
Enables or disables multicast periodic rekeying with a configurable interval.
Syntax
set dot1x multicast-rekey-period [integer]
integer Configure an integer from 30 to 86400.
Defaults
None
Access
Enabled
History
Introduced in MSS 7.1
set dot1x port-control
Determines the 802.1X authentication behavior on individual wired authentication ports or
groups of ports.
Syntax
set dot1x port-control {forceauth | forceunauth | auto} port-list
forceauth Forces the specified wired authentication port(s) to unconditionally authorize all
802.1X authentication attempts, with an EAP success message.
forceunauth Forces the specified wired authentication port(s) to unconditionally reject all 802.1X
authentication attempts with an EAP failure message.
auto Allows the specified wired authentication ports to process 802.1X authentication
normally as determined for the user by the set authentication dot1x command.
port-list One or more wired authentication ports for which to set 802.1X port control.
Defaults
By default, wired authentication ports are set to auto.
Access
Enabled.
History
Introduced in MSS 1.0.
Usage
This command affects only wired authentication ports.
Examples
The following command forces port 19 to unconditionally accept all 802.1X
authentication attempts:
MX# set dot1x port-control forceauth 19
success: authcontrol for 19 is set to FORCE-AUTH.
See Also
show port status on page 5-65
show dot1x on page 18-447
set dot1x quiet-period
Sets the number of seconds an MX remains quiet and does not respond to a supplicant after a
failed authentication.
Syntax
set dot1x quiet-period seconds
seconds Specify a value between 0 and 65,535.
Defaults
The default is 60 seconds.
Access
Enabled.
History
Introduced in MSS 1.0.
Examples
Type the following command to set the quiet period to 90 seconds:
MX# set dot1x quiet-period 90
success: dot1x quiet period set to 90.
See Also
clear dot1x quiet-period on page 18-437
show dot1x on page 18-447
set dot1x reauth
Determines whether the MX switch allows the reauthentication of supplicants (clients).
Syntax
set dot1x reauth {enable | disable}
enable Permits reauthentication.
disable Denies reauthentication.
Defaults
Reauthentication is enabled by default.
Access
Enabled.
History
Introduced in MSS 1.0.
Examples
Type the following command to enable reauthentication of supplicants (clients):
MX# set dot1x reauth enable
success: dot1x reauthentication enabled.
See Also
set dot1x reauth-max on page 18-443
set dot1x reauth-period on page 18-444
show dot1x on page 18-447
set dot1x reauth-max
Sets the number of reauthentication attempts that the MX makes before the supplicant (client)
becomes unauthorized.
Syntax
set dot1x reauth-max number-of-attempts
number-of-attempts Specify a value between 1 and 10.
Defaults
The default number of reauthentication attempts is 2.
Access
Enabled.
History
Introduced in MSS 1.0.
Usage
If the number of reauthentications for a wired authentication client is greater than the
maximum number of reauthentications allowed, MSS sends an EAP failure packet to the client
and removes the client from the network. However, MSS does not remove a wireless client from
the network under these circumstances.
Examples
Type the following command to set the number of authentication attempts to 8:
MX# set dot1x reauth-max 8
success: dot1x max reauth set to 8.
See Also
clear dot1x reauth-max on page 18-437
show dot1x on page 18-447
set dot1x reauth-period
Sets the number of seconds that must elapse before the MX switch attempts reauthentication.
Syntax
set dot1x reauth-period seconds
seconds Specify a value between 60 (1 minute) and 1,641,600 (19 days).
Defaults
The default is 3600 seconds (1 hour).
Access
Enabled.
History
MSS Version 1.0 Command introduced.
MSS Version 1.1 Maximum value changed.
Usage
You also can use the RADIUS session-timeout attribute to set the reauthentication
timeout for a specific client. In this case, MSS uses the timeout that has the lower value. If the
session-timeout is set to fewer seconds than the global reauthentication timeout, MSS uses the
session-timeout for the client. However, if the global reauthentication timeout is shorter than the
session-timeout, MSS uses the global timeout instead.
Examples
Type the following command to set the number of seconds to 100 before
reauthentication is attempted:
MX# set dot1x reauth-period 100
success: dot1x auth-server timeout set to 100.
See Also
clear dot1x reauth-period on page 18-437
show dot1x on page 18-447
set dot1x timeout auth-server
Sets the number of seconds that must elapse before the MX switch times out a request to a
RADIUS authentication server.
Syntax
set dot1x timeout auth-server seconds
seconds Specify a value between 1 and 65,535.
Defaults
The default is 30 seconds.
Access
Enabled.
History
Introduced in MSS 1.0.
Examples
Type the following command to set the authentication server timeout to 60 seconds:
MX# set dot1x timeout auth-server 60
success: dot1x auth-server timeout set to 60.
See Also
clear dot1x timeout auth-server on page 18-438
show dot1x on page 18-447
set dot1x timeout supplicant
Sets the number of seconds that must elapse before the MX switch times out an authentication
session with a supplicant (client).
Syntax
set dot1x timeout supplicant seconds
seconds Specify a value between 1 and 65,535.
Defaults
The default is 30 seconds.
Access
Enabled.
History
Introduced in MSS 1.0.
Examples
Type the following command to set the number of seconds for authentication session
timeout to 300:
MX# set dot1x timeout supplicant 300
success: dot1x supplicant timeout set to 300.
See Also
clear dot1x timeout auth-server on page 18-438
show dot1x on page 18-447
set dot1x tx-period
Sets the number of seconds that must elapse before the MX switch retransmits an EAPoL packet.
Syntax
set dot1x tx-period seconds
seconds Specify a value between 1 and 65,535.
Defaults
The default is 5 seconds.
Access
Enabled.
History
Introduced in MSS 1.0.
Examples
Type the following command to set the number of seconds before the MX retransmits an
EAPoL packet to 300:
MX# set dot1x tx-period 300
success: dot1x tx-period set to 300.
See Also
clear dot1x tx-period on page 18-439
show dot1x on page 18-447
set dot1x unicast-rekey
Enables or disables unicast periodic rekeying on the network.
Syntax
set dot1x unicast-rekey {enable | disable}
Defaults
None
Access
Enabled
History
Introduced in MSS 7.1
set dot1x unicast-rekey-period
Enables or disables unicast periodic rekeying with a configurable interval.
Syntax
set dot1x unicast-rekey-period [integer]
integer Configure an integer from 30 to 86400.
Defaults
None
Access
Enabled
History
Introduced in MSS 7.1
set dot1x wep-rekey
Enables or disables Wired Equivalent Privacy (WEP) rekeying for broadcast and multicast
encryption keys.
Syntax
set dot1x wep-rekey {enable | disable}
enable Causes the broadcast and multicast keys for WEP to be rotated at an interval set by
set dot1x wep-rekey-period for each radio, associated VLAN, and encryption
type. The MX generates the new broadcast and multicast keys and pushes the keys to
the clients via EAPoL key messages.
disable WEP broadcast and multicast keys are never rotated.
Defaults
WEP key rotation is enabled by default.
Access
Enabled.
History
Introduced in MSS 1.0.
Usage
Reauthentication is not required for WEP key rotation to take place. Broadcast and
multicast keys are always rotated at the same time, so all members of a given radio, VLAN, or
encryption type receive the new keys at the same time.
Examples
Type the following command to disable WEP key rotation:
MX# set dot1x wep-rekey disable
success: wep rekeying disabled
See Also
set dot1x wep-rekey-period on page 18-446
show dot1x on page 18-447
set dot1x wep-rekey-period
Sets the interval for rotating the WEP broadcast and multicast keys.
Syntax
set dot1x wep-rekey-period seconds
seconds Specify a value between 30 and 1,641,600 (19 days).
Defaults
The default is 1800 seconds (30 minutes).
Access
Enabled.
History
MSS Version 1.0 Command introduced.
MSS Version 1.1 Maximum value changed.
Examples
Type the following command to set the WEP-rekey period to 300 seconds:
MX# set dot1x wep-rekey-period 300
success: dot1x wep-rekey-period set to 300
See Also
set dot1x wep-rekey on page 18-446
show dot1x on page 18-447
show dot1x
Displays 802.1X client information for statistics and configuration settings.
Syntax
show dot1x {clients | stats | config}
clients Displays information about active 802.1X clients, including client name, MAC address,
and state.
stats Displays global 802.1X statistics associated with connecting and authenticating.
config Displays a summary of the current configuration.
Defaults
None.
Access
Enabled.
History
Version 1.0 Command introduced
Version 2.1 Bonded authentication information added to show dot1x config output:
New flag added for Username field. If a user glob is configured for bonded
authentication, an asterisk appears after the user glob. For example:
nash@trapezesqa.com *
New field, Bonded period, added to 802.1X parameter column.
Version 3.1 Format of 802.1X authentication rule information in show dot1x config output
changed. The rules are still listed at the top of the display, but more information is
shown for each rule.
Examples
Type the following command to display the 802.1X clients:
MX# show dot1x clients
MAC Address State Vlan Identity
------------- ------- ------ ----------
00:20:a6:48:01:1f Connecting (unknown)
00:05:3c:07:6d:7c Authenticated vlan-it EXAMPLE\jose
00:05:5d:7e:94:83 Authenticated vlan-eng EXAMPLE\singh
00:02:2d:86:bd:38 Authenticated vlan-eng bard@xmple.com
00:05:5d:7e:97:b4 Authenticated vlan-eng EXAMPLE\havel
00:05:5d:7e:98:1a Authenticated vlan-eng EXAMPLE\nash
00:0b:be:a9:dc:4e Authenticated vlan-pm xalik@xmple.com
00:05:5d:7e:96:e3 Authenticated vlan-eng EXAMPLE\mishan
00:02:2d:6f:44:77 Authenticated vlan-eng EXAMPLE\ethan
00:05:5d:7e:94:89 Authenticated vlan-eng EXAMPLE\fmarshall
00:06:80:00:5c:02 Authenticated vlan-eng EXAMPLE\bmccarthy
00:02:2d:6a:de:f2 Authenticated vlan-pm neailey@xmple.com
00:02:2d:5e:5b:76 Authenticated vlan-pm EXAMPLE\tamara
00:02:2d:80:b6:e1 Authenticated vlan-cs dmc@xmple.com
00:30:65:16:8d:69 Authenticated vlan-wep MAC authenticated
00:02:2d:64:8e:1b Authenticated vlan-eng EXAMPLE\wong
Type the following command to display the 802.1X configuration:
MX# show dot1x config
802.1X user policy
----------------------
'host/bob-laptop.mycorp.com' on ssid 'mycorp' doing PASSTHRU
'bob.mycorp.com' on ssid 'mycorp' doing PASSTHRU (bonded)
802.1X parameter setting
---------------- -------
supplicant timeout 30
auth-server timeout 30
quiet period 5
transmit period 5
reauthentication period 3600
maximum requests 2
key transmission enabled
reauthentication enabled
authentication control enabled
WEP rekey period 1800
WEP rekey enabled
Bonded period 60
port 5, authcontrol: auto, max-sessions: 16
port 6, authcontrol: auto, max-sessions: 1
port 7, authcontrol: auto, max-sessions: 1
port 8, authcontrol: auto, max-sessions: 1
port 9, authcontrol: auto, max-sessions: 1
port 10, authcontrol: auto, max-sessions: 1
port 11, authcontrol: auto, max-sessions: 1
port 12, authcontrol: auto, max-sessions: 1
port 13, authcontrol: auto, max-sessions: 1
port 14, authcontrol: auto, max-sessions: 1
port 15, authcontrol: auto, max-sessions: 1
port 16, authcontrol: auto, max-sessions: 1
port 22, authcontrol: auto, max-sessions: 16
Type the following command to display 802.1X statistics:
MX# show dot1x stats
802.1X statistic value
---------------- -----
Enters Connecting: 709
Logoffs While Connecting: 112
Enters Authenticating: 467
Success While Authenticating: 0
Timeouts While Authenticating: 52
Failures While Authenticating: 0
Reauths While Authenticating: 0
Starts While Authenticating: 31
Logoffs While Authenticating: 0
Starts While Authenticated: 85
Logoffs While Authenticated: 1
Bad Packets Received: 0
Table 18– 1 explains the counters in the show dot1x stats output.
Table 18– 1. show dot1x stats Output
Field Description
Enters Connecting: Number of times that the MX state transitions to the CONNECTING state from any other state.
Logoffs While Connecting: Number of times that the MX state transitions from CONNECTING to DISCONNECTED as a result of receiving an EAPoL-Logoff message.
Enters Authenticating: Number of times that the MX state transitions to the AUTHENTICATING state.
Success While Authenticating: Number of times that the MX state transitions from AUTHENTICATING to AUTHENTICATED, as a result of an EAP-Response/Identity message being received from the supplicant (client).
Timeouts While Authenticating: Number of times that the MX state transitions from AUTHENTICATING to ABORTING.
Failures While Authenticating: Number of times that the MX state transitions from AUTHENTICATING to HELD.
Reauths While Authenticating: Number of times that the MX state transitions from AUTHENTICATING to ABORTING, as a result of a reauthentication request (reAuthenticate = TRUE).
Starts While Authenticating: Number of times that the MX state transitions from AUTHENTICATING to ABORTING, as a result of an EAPoL-Start message being received from the supplicant (client).
Logoffs While Authenticating: Number of times that the MX state transitions from AUTHENTICATING to ABORTING, as a result of an EAPoL-Logoff message being received from the supplicant (client).
Bad Packets Received: Number of EAPoL packets received that have an invalid version or type.
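The counters in Table 18– 1 are cumulative, so a monitoring job has to turn them into ratios before they mean anything. The following parser and health check is an added example, not code from the Trapeze manual; the sample text is the show dot1x stats output shown above, pasted in as constructed input, and the alerting thresholds are assumptions for illustration.

```python
"""Parse `show dot1x stats` output and derive a few health indicators.

Added example (not part of the Trapeze manual). SAMPLE_STATS is the
counter display shown in the manual, embedded here as constructed input.
"""
import re
from typing import Dict

# Constructed sample: the `show dot1x stats` display from the manual.
SAMPLE_STATS = """\
802.1X statistic value
---------------- -----
Enters Connecting: 709
Logoffs While Connecting: 112
Enters Authenticating: 467
Success While Authenticating: 0
Timeouts While Authenticating: 52
Failures While Authenticating: 0
Reauths While Authenticating: 0
Starts While Authenticating: 31
Logoffs While Authenticating: 0
Starts While Authenticated: 85
Logoffs While Authenticated: 1
Bad Packets Received: 0
"""

# "Counter Name: 123"; the header and separator lines do not match.
_COUNTER_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]+?):\s+(\d+)\s*$")


def parse_dot1x_stats(text: str) -> Dict[str, int]:
    """Return {counter name: value} for every 'Name: N' line."""
    counters: Dict[str, int] = {}
    for line in text.splitlines():
        m = _COUNTER_RE.match(line)
        if m:
            counters[m.group(1)] = int(m.group(2))
    return counters


def dot1x_health(counters: Dict[str, int]) -> Dict[str, object]:
    """Derive indicators a monitoring job would alert on.

    timeout_ratio: share of authentication attempts that left AUTHENTICATING
      for ABORTING on a timeout (supplicant or RADIUS server did not answer).
    failure_ratio: share that ended in HELD (credentials rejected).
    bad_packets: EAPoL frames with an invalid version or type; a legitimate
      supplicant sends none, so any non-zero value deserves a look.
    The alert thresholds (10 % timeouts, any bad packet) are assumptions.
    """
    entered = counters.get("Enters Authenticating", 0)
    timeouts = counters.get("Timeouts While Authenticating", 0)
    failures = counters.get("Failures While Authenticating", 0)
    bad = counters.get("Bad Packets Received", 0)

    def ratio(n: int) -> float:
        return round(n / entered, 3) if entered else 0.0

    return {
        "entered": entered,
        "timeout_ratio": ratio(timeouts),
        "failure_ratio": ratio(failures),
        "bad_packets": bad,
        "alert": ratio(timeouts) > 0.10 or bad > 0,
    }


if __name__ == "__main__":
    print(dot1x_health(parse_dot1x_stats(SAMPLE_STATS)))
```

Run the parser against two snapshots taken some minutes apart and feed the differences to dot1x_health if you want rates rather than lifetime ratios; the counters reset only when the MX does.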
Session Management Commands 19 – 449
19
Session Management Commands
Use session management commands to display and clear administrative and network user sessions. This chapter presents session management commands alphabetically. Use the following table to locate commands in this chapter based on their use.
Administrative Sessions show sessions on page 19-451
clear sessions on page 19-449
Network Sessions show sessions network on page 19-454
clear sessions network on page 19-450
Mesh AP Sessions show sessions mesh-ap on page 19-453
clear sessions
Clears all administrative sessions, clears administrative console or Telnet sessions, or clears Telnet client or Mesh AP sessions.
Syntax
clear sessions {admin | console | telnet | telnet client [session-id] | mesh-ap [session-id session-id]}
admin Clears sessions for all users with administrative access to the MX through a Telnet or SSH connection or a console plugged into the switch.
console Clears sessions for all users with administrative access to the MX through a console plugged into the switch.
telnet Clears sessions for all users with administrative access to the MX through a Telnet connection.
telnet client [session-id] Clears all Telnet client sessions from the CLI to remote devices, or clears an individual session identified by session ID.
mesh-ap [session-id] Clears all Mesh AP sessions, or clears an individual Mesh AP session identified by session ID.
Defaults
None.
Access
Enabled.
History
Version 1.0 Command introduced.
Version 1.1 New option, client [session-id], added to clear Telnet client sessions.
Version 6.0 New option, mesh-ap, added to clear Mesh AP sessions.
Examples
To clear all administrator sessions, type the following command:
MX# clear sessions admin
This will terminate manager sessions, do you wish to continue? (y|n) [n]y
To clear all administrative sessions through the console, type the following command:
MX# clear sessions console
This will terminate manager sessions, do you wish to continue? (y|n) [n]y
To clear all administrative Telnet sessions, type the following command:
MX# clear sessions telnet
This will terminate manager sessions, do you wish to continue? (y|n) [n]y
To clear Telnet client session 0, type the following command:
MX# clear sessions telnet client 0
See Also
show sessions on page 19-451
clear sessions network
Clears all network sessions for a specified username or set of usernames, MAC address or set of MAC addresses, virtual LAN (VLAN) or set of VLANs, or session ID.
Syntax
clear sessions network {ap apnum radio radio | mac-addr mac-addr-glob | session-id local-session-id | ssid name | user user-glob | vlan vlan-glob | wired}
ap apnum radio radio Clears all network sessions for a specified MP and radio. Specify radio 1 or 2.
mac-addr mac-addr-glob Clears all network sessions for a MAC address. Specify a MAC address in hexadecimal numbers separated by colons (:), or use the wildcard character (*) to specify a set of MAC addresses. (For details, see “MAC Address Globs” on page 2–7.)
session-id local-session-id Clears the specified 802.1X network session. To find local session IDs, use the show sessions command.
ssid name Clears all network sessions for a named SSID.
user user-glob Clears all network sessions for a single user or set of users. Specify a username, use the double-asterisk wildcard character (**) to specify all usernames, or use the single-asterisk wildcard character (*) to specify a set of usernames up to or following the first delimiter character, either an at sign (@) or a period (.). (For details, see “User Globs” on page 2–7.)
vlan vlan-glob Clears all network sessions on a single VLAN or a set of VLANs. Specify a VLAN name, use the double-asterisk wildcard character (**) to specify all VLAN names, or use the single-asterisk wildcard character (*) to specify a set of VLAN names up to or following the first delimiter character, either an at sign (@) or a period (.). (For details, see “VLAN Globs” on page 2–8.)
wired Clears all network sessions on a wired port.
Defaults
None.
Access
Enabled.
History
Introduced in MSS Version 1.0.
Usage
The clear sessions network command clears network sessions by deauthenticating and, for wireless clients, disassociating them.
Examples
To clear all sessions for MAC address 00:01:02:03:04:05, type the following command:
MX# clear sessions network mac-addr 00:01:02:03:04:05
To clear session 9, type the following command:
MX-20# clear sessions network session-id 9
SM Apr 11 19:53:38 DEBUG SM-STATE: localid 9, mac 00:06:25:09:39:5d,
flags 0000012fh, to change state to KILLING
Localid 9, globalid SESSION-9-893249336 moved from ACTIVE to KILLING
(client=00:06:25:09:39:5d)
To clear the session of user Natasha, type the following command:
MX-20# clear sessions network user Natasha
To clear the sessions of users whose names begin with the characters Jo, type the following command:
MX-20# clear sessions network user Jo*
To clear the sessions of all users on VLAN red, type the following command:
MX-20# clear sessions network vlan red
See Also
show sessions on page 19-451
show sessions network on page 19-454
show sessions
Displays session information and statistics for all users with administrative access to the MX, or for administrative users with either console or Telnet access.
Syntax
show sessions [admin | console | telnet | telnet client]
admin Displays sessions for all users with administrative access to the MX through a Telnet or SSH connection or a console plugged into the switch.
console Displays sessions for all users with administrative access to the MX through a console plugged into the switch.
telnet Displays sessions for all users with administrative access to the MX through a Telnet connection.
telnet client Displays Telnet sessions from the CLI to remote devices.
Defaults
None.
Access
All, except for show sessions telnet client, which has enabled access.
History
Version 1.0 Command introduced.
Version 1.1 New option, client, added to display Telnet client sessions.
Version 2.0 New field added to list the type of administrative session.
Version 6.2 Added the ability to display all sessions.
Examples
To display information about all sessions, use the following command:
MX> show sessions
User Name Sess ID Type IP or MAC Address VLAN AP/Radio
-------------- --------- -------- -------------- ------ ---------
engineering-05:0c:78 28* dot1x 10.7.255.2 yellow 5/1
engineering-79:86:73 29* dot1x 10.7.254.3 red 2/1
engineering-1a:68:78 30* dot1x 10.7.254.8 red 7/1
To view information about sessions of administrative users, type the following command:
MX> show sessions admin
Tty Username Time (s) Type
------- -------------------- -------- ----
tty0 3644 Console
tty2 tech 6 Telnet
tty3 sshadmin 381 SSH
3 admin sessions
To view information about console users’ sessions, type the following command:
MX> show sessions console
Tty Username Time (s)
------- -------------------- --------
console 8573
1 console session
To view information about Telnet users’ sessions, type the following command:
MX> show sessions telnet
Tty Username Time (s)
------- -------------------- --------
tty2 sea 7395
To view information about Telnet client sessions, type the following command:
MX# show sessions telnet client
Session Server Address Server Port Client Port
------- -------------- ------------ -----------
0 192.168.1.81 23 48000
1 10.10.1.22 23 48001
Table 19– 1 describes the fields of the show sessions admin, show sessions console, and show sessions telnet displays.
Table 19– 2 describes the fields of the show sessions telnet client display.
Table 19– 1. show sessions admin, show sessions console, and show sessions telnet Output
Field Description
Tty: The Telnet terminal number, or console for administrative users connected through the console port.
Username: Up to 30 characters of the name of an authenticated user.
Time (s): Number of seconds the session has been active.
Type: Type of administrative session: Console, SSH, or Telnet.
Table 19– 2. show sessions telnet client Output
Field Description
Session: Session number assigned by MSS when the client session is established.
Server Address: IP address of the remote device.
Server Port: TCP port number of the remote device’s TCP server.
Client Port: TCP port number MSS is using for the client side of the session.
See Also
clear sessions on page 19-449
show sessions mesh-ap
Displays summary or verbose information about Mesh AP sessions on the MX.
Syntax
show sessions mesh-ap [session-id session-id | verbose]
session-id local-session-id Displays the specified Mesh AP session. To determine the local session ID for a Mesh AP session, use the show sessions mesh-ap command without the session-id option.
verbose Provides detailed output for all Mesh AP sessions.
Defaults
None.
Access
All.
History
Introduced in MSS Version 6.0.
Examples
To view information about Mesh AP sessions, type the following command:
MX> show sessions mesh-ap
User Name Sess ID IP or MAC Address VLAN Name AP/Radio
---------------------------- ---- ----------------- --------------- ---------
00:0b:0e:17:bb:3f 2* 1.1.1.3 (none) L AP 2/2
Table 19– 3 describes the fields of show sessions mesh-ap output.
Table 19– 3. show sessions mesh-ap Output
Field Description
User Name: The MAC address of the authenticated Mesh AP.
Sess ID: Locally unique number that identifies this session. An asterisk (*) next to a session ID indicates that the session is fully active.
IP or MAC Address: IP address of the Mesh AP.
VLAN Name: Name of the VLAN associated with the session.
Port/Radio: Number of the port and radio through which the Mesh AP is accessing this session.
See Also
clear sessions on page 19-449
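The show sessions admin display described in Table 19– 1 is the natural input for a periodic management-plane check: it is the one place that tells you whether an administrator is on the MX over Telnet (cleartext) rather than SSH, and how long console sessions have been open. The following is an added example, not code from the Trapeze manual; the sample output is the show sessions admin display shown above, embedded as constructed input, and the column layout (whitespace-separated, usernames without spaces) and the console-age threshold are assumptions.

```python
"""Review `show sessions admin` output for management-plane hygiene.

Added example; not code from the Trapeze manual. SAMPLE_ADMIN is the display
shown in the manual, embedded here as constructed input.
"""
import re
from typing import Dict, List

SAMPLE_ADMIN = """\
Tty Username Time (s) Type
------- -------------------- -------- ----
tty0 3644 Console
tty2 tech 6 Telnet
tty3 sshadmin 381 SSH
3 admin sessions
"""

# tty, optional username (blank on the console line), seconds active, type.
# The header, separator and "N admin sessions" trailer do not match.
_ROW_RE = re.compile(r"^(\S+)\s+(?:(\S+)\s+)?(\d+)\s+(Console|SSH|Telnet)$")


def parse_admin_sessions(text: str) -> List[Dict[str, object]]:
    """Return one record per administrative session."""
    rows: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = _ROW_RE.match(line.strip())
        if not m:
            continue
        tty, user, secs, kind = m.groups()
        rows.append({"tty": tty, "user": user or "", "seconds": int(secs), "type": kind})
    return rows


def review_admin_sessions(rows: List[Dict[str, object]], max_console_age: int = 3600) -> List[str]:
    """Return human-readable findings.

    Telnet carries the administrator's credentials and every command in
    cleartext, so each Telnet session is reported. A console session that has
    been active longer than max_console_age seconds (assumed threshold) is
    reported too, since an unattended console is an open enable-mode shell.
    """
    findings: List[str] = []
    for r in rows:
        if r["type"] == "Telnet":
            findings.append(
                f"{r['tty']}: Telnet session for '{r['user']}' is cleartext; "
                "move the admin to SSH or end it with clear sessions telnet"
            )
        if r["type"] == "Console" and int(r["seconds"]) > max_console_age:
            findings.append(f"{r['tty']}: console session active for {r['seconds']} s")
    return findings


if __name__ == "__main__":
    for finding in review_admin_sessions(parse_admin_sessions(SAMPLE_ADMIN)):
        print(finding)
```

Time (s) is the session's age, not its idle time, so the console check is a coarse "someone forgot to log out" heuristic rather than an inactivity timer.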
show sessions network
Displays summary or verbose information about all network sessions, or network sessions for a specified username or set of usernames, MAC address or set of MAC addresses, VLAN or set of VLANs, or session ID.
Syntax
show sessions network [ap apnum | mac-addr mac-addr-glob | qos-profile profilename | session-id session-id | ssid ssid-name | statistics | user user-glob | vlan vlan-glob | wired] [verbose]
ap apnum Displays network sessions for a single MP.
mac-addr mac-addr-glob Displays all network sessions for a MAC address. Specify a MAC address in hexadecimal numbers separated by colons (:), or use the wildcard character (*) to specify a set of MAC addresses. (For details, see “MAC Address Globs” on page 2–7.)
qos-profile profilename Displays all network sessions for a named QoS profile.
session-id local-session-id Displays the specified network session. To find local session IDs, use the show sessions command. The verbose option is not available with this form of the show sessions network command.
ssid ssid-name Displays all network sessions for an SSID.
statistics Displays network statistics.
user user-glob Displays all network sessions for a single user or set of users. Specify a username, use the double-asterisk wildcard character (**) to specify all usernames, or use the single-asterisk wildcard character (*) to specify a set of usernames up to or following the first delimiter character, either an at sign (@) or a period (.). (For details, see “User Globs” on page 2–7.)
vlan vlan-glob Displays all network sessions on a single VLAN or a set of VLANs. Specify a VLAN name, use the double-asterisk wildcard character (**) to specify all VLAN names, or use the single-asterisk wildcard character (*) to specify a set of VLAN names up to or following the first delimiter character, either an at sign (@) or a period (.). (For details, see “VLAN Globs” on page 2–8.)
wired Displays all network sessions on wired authentication ports.
verbose Provides detailed output for all network sessions or ones displayed by username, MAC address, or VLAN name.
Defaults
None.
Access
All.
History
Version 1.0 Command introduced.
Version 4.1 Output added to the show sessions network verbose command to indicate the user’s authorization attributes and whether they were supplied through AAA or through configured SSID defaults in a service profile.
Version 4.2 Host name field added to show sessions network verbose output. MP serial number added to show sessions network verbose output. The following fields added to show sessions network session-id output: Local Id, SSID, Last Auth Time, Last Activity, Idle Time-To-Live, Login Type, Protocol, Session CAC. Authentication Method field renamed to EAP Method.
Version 5.0 New values for the source of user attribute values (attributes include Vlan-Name, Start-Date, and so on). See Table 19– 5 on page 458.
Usage
MSS displays information about network sessions in three types of displays. See the following tables for field descriptions.
Summary display See Table 19– 4 on page 457.
Verbose display See Table 19– 5 on page 458.
show sessions network session-id display See Table 19– 6 on page 459.
Authorization attribute values can be changed during authorization. If the values are changed, show sessions output shows the values that are actually in effect following any changes.
Examples
To display summary information for all network sessions, type show sessions network. For example:
MX> show sessions network
User Name SessID Type Address VLAN AP/Radio
--------------------- ------ ----- ----------------- --------------- --------
TRAPEZE\jjonesg 20* dot1x 172.21.50.151 eng-alpha 20/2
TRAPEZE\jdoe 75* dot1x 172.21.50.97 eng-alpha 2/2
TRAPEZE\lsmith 752* dot1x 172.21.50.89 eng-alpha 20/2
TRAPEZE\lforte 409* dot1x 172.21.52.149 cs-alpha 27/2
TRAPEZE\lcheval 24* dot1x 172.21.50.66 eng-alpha 27/2
TRAPEZE\mjaune 477* dot1x 172.21.52.102 cs-alpha 2/2
TRAPEZE\schat 365* dot1x 172.21.50.135 eng-alpha 27/2
TRAPEZE\scottw 333* dot1x 172.21.50.113 eng-alpha 4/2
TRAPEZE\vlait 627* dot1x 172.21.54.134 pm-alpha 22/2
TRAPEZE\zvoiture 5* dot1x 172.21.50.82 eng-alpha 20/2
bjones 672* dot1x 172.21.52.159 cs-alpha 2/1
The following command displays summary information about the sessions for MAC address 00:05:5d:7e:98:1a:
MX> show sessions network mac-addr 00:05:5d:7e:98:1a
User Name Sess Type Address VLAN AP/Radio/
--------------------------- ---- ----- -------------- ------------ -----
EXAMPLE\Havel 13* web 10.10.10.40 vlan-eng 1/2
The following command displays summary information about all the sessions of users whose names begin with E:
MX> show sessions network user E*
User Name Sess Type Address VLAN AP/Radio/
--------------------------- ---- ----- -------------- ------------ -----
EXAMPLE\Eval 13* web 10.10.10.39 vlan-eng 1/2
(Table 19– 4 on page 457 describes the summary displays of show sessions network commands.)
The following command displays verbose output about the sessions of all current network users:
MX> show sessions network verbose
User Name Sess Type Address VLAN AP/Radio
---------------------------- ---- -------- ----------------- --------------- ---------
SHUTTLE2\exmpl 3* web 10.8.255.8 default 7/1
Client MAC: 00:0b:7d:26:b1:fb GID: SESS-3-00040c-287058-657673d4
State: ACTIVE (prev AUTHORIZED)
now on: MX 172.16.0.1, port 10, AP/radio 0422900147/1, as of 00:00:22 ago
from: MX 172.16.0.1, port 6, AP/radio 0342900121/1, as of 00:01:07 ago
from: MX 172.16.0.1, port 2, AP/radio 0412900109/1, as of 00:01:53 ago
Host name: shuttle2_laptop
Vlan-Name=default (service-profile)
Service-Type=2 (service-profile)
End-Date=52/06/07-08:57 (AAA)
Start-Date=05/04/11-10:00 (AAA)
1 sessions total
(Table 19– 5 on page 458 describes the additional fields of the verbose output of show sessions network commands.)
The following command displays information about network session 88:
MX# show sessions network session-id 88
Name: Trapeze\jdoeh
Session Id: 88
Global Id: SESS-88-00040f-876766-623fd6
Login Type: dot1x
SSID: Rack-39-PM
IP Address: 10.2.39.217
MAC Address: 00:0f:66:f4:71:6d
AP/Radio: 10/1
State: ACTIVE
Session Tag: 2
Host name: jdoeh-d410
Vlan Name: default
Up time: 02:54:29
Roaming history:
Switch AP/Radio Association Time Duration
--------- --------- --------------- --------
192.168.254.82 3/2 09/21/07 11:16:47 02:54:03
Session Start: Wed Sep 20 21:19:27 2006 GMT
Last Auth Time: Wed Apr 20 21:19:26 2006 GMT
Last Activity: Wed Apr 20 21:19:49 2006 GMT ( <15s ago)
Session Timeout: 0
Idle Time-To-Live: 175
EAP Method: NONE, using server 172.16.0.1
Protocol: 802.11
CoS: flow-through
Session CAC: disabled
Radio type: 802.11na
Last packet rate: 300Mb/s (m15 40 MHz)
Last packet RSSI: -45 dBm
Last packet SNR: 50
11n Capabilities:
Max Rx A-MSDU size: 2K
Max Rx A-MPDU size: 16K
Max Channel Width: 40MHz
Packets Bytes
------- -----
Rx Unicast 1814 2522
Rx Multicast 68 7846
Rx Encrypt Err 0 0
Tx Unicast 2004 4444900
Rx peak A-MSDU 6 2048
Rx peak A-MPDU 13 16345
Tx peak A-MSDU 6 2048
Tx peak A-MPDU 13 16345
Queue Tx Packets Tx Dropped Re-Transmit Rx Dropped
------- ----------- ----------- ----------- -----------
Background 0 0 0 0
Best Effort 30 0 0 0
Video 2 0 0 0
Voice 0 0 0 0
For descriptions of the fields of show sessions network session-id output, see Table 19– 6 on page 459.
Table 19– 4. show sessions network (summary) Output
Field Description
User Name: Up to 30 characters of the name of the authenticated user of this session. Note: For a MAC-authenticated session, this value is the client device’s MAC address.
Sess ID: Locally unique number that identifies this session. An asterisk (*) next to a session ID indicates that the session is fully active.
IP or MAC Address: IP address of the session user, or the user’s MAC address if the user has not yet received an IP address.
VLAN Name: Name of the VLAN associated with the session.
Port/Radio: Number of the port and radio through which the user is accessing this session.
Table 19– 5. Additional show sessions network verbose Output
Field Description
Client MAC: MAC address of the session user.
GID: Global session ID, a unique session number within a Mobility Domain.
State: Status of the session:
AUTH, ASSOC REQ—Client is being associated by the 802.1X protocol.
AUTH AND ASSOC—Client is being associated by the 802.1X protocol, and the user is being authenticated.
AUTHORIZING—User has been authenticated (for example, by the 802.1X protocol and an AAA method), and is entering AAA authorization.
AUTHORIZED—User has been authorized by an AAA method.
ACTIVE—User’s AAA attributes have been applied, and the user is active on the network.
DEASSOCIATED—One of the following:
Wireless client has sent the MX switch a disassociate message.
User associated with one of the current MX switch’s MP access points has appeared at another MX switch in the Mobility Domain.
ROAMING AWAY—The MX switch has been sent a request to transfer the user, who is roaming, to another MX switch.
STATUS UPDATED—MX switch is receiving a final update from an MP access point about the user, who has roamed away.
WEB_AUTHING—User is being authenticated by WebAAA.
WIRED AUTH’ING—User is being authenticated by the 802.1X protocol on a wired authentication port.
KILLING—User’s session is being cleared, because of 802.1X authentication failure, entry of a clear command, or some other event.
now on: Shows the following information about the MP and radio the session is currently on: IP address and port number of the MX managing the MP; serial number and radio number of the MP; amount of time the session has been on this MP.
from: Shows information about the MPs from which the session has roamed. (See the descriptions above for the now on field.)
Host name: Host name of the user’s networking device.
Vlan-Name (and other attributes if set): Authorization attributes for the user and how they were assigned (the sources of the attribute values). For Vlan-Name, the source of the attribute value can be one of the following:
AAA—VLAN is from RADIUS or the local database.
initial-assignment—For a client that has roamed from one MX to another, the VLAN is the one assigned to the user on the MX where the user first accessed the network. (This is the MX where the client’s global session in the Mobility Domain started.) This authorization source (initial-assignment) is displayed only if all of the following conditions are true:
The client roamed from another MX.
The service profile for the SSID the user is on is configured to keep the client’s initial VLAN assignment. (This means the keep-initial-vlan option is enabled on the service profile.)
The VLAN is not configured for the user on the roamed-to switch by the local database.
A Location Policy on the roamed-to MX does not set the VLAN.
location policy—Attribute value was assigned by a Location Policy.
service-profile—Attribute value is configured on the SSID, and was not overridden by other attribute sources (such as AAA or location policy).
Web Portal—Session is for a Web Portal client.
Table 19– 6. show sessions network session-id Output
Field Description
Local Id: Identifier for the session on this particular MX. (This is the session ID you specify when entering the show sessions network session-id command.)
Global Id: Unique session identifier within the Mobility Domain.
State: Status of the session:
AUTH, ASSOC REQ—Client is associating by the 802.1X protocol.
AUTH AND ASSOC—Client is associating by the 802.1X protocol, and the user is authenticating.
AUTHORIZING—User is authenticated (for example, by the 802.1X protocol and an AAA method), and is entering AAA authorization.
AUTHORIZED—User is authorized by an AAA method.
ACTIVE—User’s AAA attributes are applied, and the user is active on the network.
DEASSOCIATED—One of the following:
Wireless client has sent the MX a disassociate message.
User associated with one of the MPs of the current MX has appeared at another MX in the Mobility Domain.
ROAMING AWAY—The MX was sent a request to transfer the user, who is roaming, to another MX.
STATUS UPDATED—MX is receiving a final update from an MP about the user, who has roamed away.
WEB_AUTHING—User is authenticating by WebAAA.
WIRED AUTH’ING—User is authenticating by the 802.1X protocol on a wired authentication port.
KILLING—User’s session is cleared, because of 802.1X authentication failure, entry of a clear command, or some other event.
SSID: Name of the SSID of the user.
AP/Radio: Number of the port and radio that the user is accessing for this session.
MAC address: MAC address of the session user.
User Name: Name of the authenticated user of this session.
IP Address: IP address of the session user.
Vlan Name: Name of the VLAN associated with the session.
Tag: System-wide supported VLAN tag type.
Session Start: Indicates when the session started.
Last Auth Time: Indicates when the most recent authentication of the session occurred.
Last Activity: Indicates when the last activity (transmission) occurred on the session.
Session Timeout: Assigned session timeout in seconds.
Idle Time-To-Live: Number of seconds the session can remain idle before MSS changes the session state to Disassociated.
Login Type: Authentication type used to log onto the network: DOT1X, MAC, LAST-RESORT, or WEB-PORTAL.
EAP Method: Extensible Authentication Protocol (EAP) type used to authenticate the session user, and the IP address of the authentication server.
Session statistics as updated from AP: Time the session statistics were last updated from the MP access point, in seconds since a fixed standard date and time.
Unicast packets in: Total number of unicast packets received from the user by the MX (64-bit counter).
Unicast bytes in: Total number of unicast bytes received from the user by the MX (64-bit counter).
Unicast packets out: Total number of unicast packets sent by the MX to the user (64-bit counter).
Unicast bytes out: Total number of unicast bytes sent by the MX to the user (64-bit counter).
Multicast packets in: Total number of multicast packets received from the user by the MX (64-bit counter).
Multicast bytes in: Total number of multicast bytes received from the user by the MX (64-bit counter).
Number of packets with encryption errors: Total number of decryption failures.
Number of bytes with encryption errors: Total number of bytes with decryption errors.
Last packet data rate: Data transmit rate, in megabits per second (Mbps), of the last packet received by the MP access point.
Last packet signal strength: Signal strength, in decibels referred to 1 milliwatt (dBm), of the last packet received by the MP access point.
Last packet data S/N ratio: Signal-to-noise ratio of the last packet received by the MP access point.
Protocol: Wireless protocol used.
Session CAC: State of session-based Call Admission Control (CAC) on the SSID’s service profile.
See Also
clear sessions network on page 19-450
show sessions network sip
Displays information about SIP sessions on the network.
Syntax
show sessions network sip [statistics | verbose | voice-details]
Defaults
None.
Access
Enabled.
History
Added in MSS 7.1.
Examples
To display a network session with a SIP configuration, use the following command:
MX# show sessions network sip
1 of 6 sessions matched
User Name SessID Type Address VLAN AP/Radio
--------------------- ------ ----- ----------------- --------------- --------
jdoe 49551* dot1x 172.21.50.45 eng-alpha 12/1
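The verbose display of show sessions network (Table 19– 5) is the only view that says where each authorization attribute came from, which is what an auditor needs to confirm that VLAN placement is being driven by AAA and not silently falling back to the SSID default in the service profile. The following is an added example, not code from the Trapeze manual: it parses the verbose output shown earlier (embedded here as constructed input) into per-session records and lists the sessions whose Vlan-Name did not come from AAA. The column layout (whitespace-separated fields, user names without spaces) and the audit rule are assumptions.

```python
"""Parse `show sessions network verbose` output and audit attribute sources.

Added example; not code from the Trapeze manual. SAMPLE_VERBOSE is the
verbose display shown in the manual, embedded here as constructed input.
"""
import re
from typing import Any, Dict, List

SAMPLE_VERBOSE = r"""User Name Sess Type Address VLAN AP/Radio
---------------------------- ---- -------- ----------------- --------------- ---------
SHUTTLE2\exmpl 3* web 10.8.255.8 default 7/1
Client MAC: 00:0b:7d:26:b1:fb GID: SESS-3-00040c-287058-657673d4
State: ACTIVE (prev AUTHORIZED)
now on: MX 172.16.0.1, port 10, AP/radio 0422900147/1, as of 00:00:22 ago
from: MX 172.16.0.1, port 6, AP/radio 0342900121/1, as of 00:01:07 ago
from: MX 172.16.0.1, port 2, AP/radio 0412900109/1, as of 00:01:53 ago
Host name: shuttle2_laptop
Vlan-Name=default (service-profile)
Service-Type=2 (service-profile)
End-Date=52/06/07-08:57 (AAA)
Start-Date=05/04/11-10:00 (AAA)
1 sessions total
"""

# Summary row: user, session id ('*' = fully active), login type, address, VLAN, AP/radio.
_SUMMARY_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<sid>\d+)(?P<active>\*?)\s+(?P<type>\S+)\s+"
    r"(?P<addr>\S+)\s+(?P<vlan>\S+)\s+(?P<ap>\d+/\d+)$"
)
_MAC_GID_RE = re.compile(r"^Client MAC:\s*(\S+)\s+GID:\s*(\S+)$")
_STATE_RE = re.compile(r"^State:\s*(.*)$")
_HOST_RE = re.compile(r"^Host name:\s*(.*)$")
_ROAM_RE = re.compile(r"^(?:now on|from):\s*(.*)$")
# Authorization attribute with its source, e.g. "Vlan-Name=default (service-profile)".
_ATTR_RE = re.compile(r"^(?P<name>[A-Za-z-]+)=(?P<value>.*?)\s+\((?P<source>[^)]+)\)$")


def parse_verbose_sessions(text: str) -> List[Dict[str, Any]]:
    """Return one record per session; detail lines attach to the last summary row seen."""
    sessions: List[Dict[str, Any]] = []
    cur: Dict[str, Any] = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = _SUMMARY_RE.match(line)
        if m:
            cur = {**m.groupdict(), "attrs": {}, "roaming": []}
            cur["active"] = m["active"] == "*"
            sessions.append(cur)
            continue
        if not cur:
            continue  # header and separator lines precede the first session
        if m := _MAC_GID_RE.match(line):
            cur["client_mac"], cur["gid"] = m.groups()
        elif m := _STATE_RE.match(line):
            cur["state"] = m.group(1)
        elif m := _HOST_RE.match(line):
            cur["host_name"] = m.group(1)
        elif m := _ROAM_RE.match(line):
            cur["roaming"].append(m.group(1))
        elif m := _ATTR_RE.match(line):
            cur["attrs"][m["name"]] = (m["value"], m["source"])
    return sessions


def audit_vlan_sources(sessions: List[Dict[str, Any]]) -> List[str]:
    """Report sessions whose VLAN was not assigned by AAA (RADIUS or local database).

    A 'service-profile' source means the SSID default applied because nothing
    overrode it; 'location policy' means a Location Policy rewrote it. Treating
    both as findings is an assumed local policy, not a rule from the manual.
    """
    findings: List[str] = []
    for s in sessions:
        value, source = s["attrs"].get("Vlan-Name", (s["vlan"], "unknown"))
        if source != "AAA":
            findings.append(f"session {s['sid']} ({s['user']}): VLAN '{value}' assigned by {source}")
    return findings


if __name__ == "__main__":
    for finding in audit_vlan_sources(parse_verbose_sessions(SAMPLE_VERBOSE)):
        print(finding)
```

The roaming list preserves the now on / from lines in display order, so the first entry is the MP the client is on now and the rest trace its path back; that is the same history the session-id display shows as a table.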
show sessions network voice-details
Displays information about VoIP sessions on the network.
Syntax
show sessions network voice-details
Defaults
None
Access
Enabled
History
Added in MSS 7.1
Examples
To display information about VoIP sessions on the network, type the following
command:
MX# show sessions network voice-details
3 sessions total
Name: TRAPEZE\jdoe
Session ID: 49568
SSID: alpha-aes
IP: 172.21.50.103
MAC: 00:19:7d:37:f7:96
AP/Radio: 4/2
Protocol: 802.11
Session CAC: disabled
Radio type: 802.11a
Last packet rate: 36 Mb/s
Last packet RSSI: -80 dBm
Last packet SNR: 15
Voice Queue: IDLE
Name: TRAPEZE\jsmith
Session ID: 49558
SSID: alpha-aes
IP: 172.21.50.51
MAC: 00:13:e8:95:51:8d
AP/Radio: 12/2
Protocol: 802.11
Session CAC: disabled
Radio type: 802.11a
Last packet rate: 54 Mb/s
Last packet RSSI: -67 dBm
Last packet SNR: 28
Voice Queue: IDLE
Name: TRAPEZE\jjones
Session ID: 49549
SSID: alpha-tkip
IP: 172.21.50.114
MAC: 00:1e:e5:a7:24:66
AP/Radio: 4/2
Protocol: 802.11
Session CAC: disabled
Radio type: 802.11a
Last packet rate: 48 Mb/s
Last packet RSSI: -65 dBm
Last packet SNR: 30
Voice Queue: IDLE
Table 20. show sessions network voice-details Output
Field Description
Name: Name of the client.
Session ID: Number that identifies the session.
SSID: Associated SSID for the session.
IP: IP address of the client on the network.
MAC: MAC address of the wireless client.
AP/Radio: Number of the MP associated with the session and the radio.
Protocol: Identifies the wireless protocol configured for the session.
Session CAC: Displays if CAC is enabled in the configuration.
Radio type: Displays the wireless radio type for the client.
Last Packet Rate: Indicates network speed for the client.
Last Packet RSSI: Displays the radio strength of the last transmitted packet.
Last Packet SNR: Displays the signal-to-noise ratio of the last transmitted packet.
Voice Queue: Indicates an active voice call for the session.
RF Detection Commands 20 – 461
20
RF Detection Commands
MSS automatically performs RF detection scans on enabled and disabled radios to detect rogue
access points. A rogue access point is a BSSID (MAC address associated with an SSID) that does
not belong to a Trapeze device and is not a member of the ignore list configured on the seed MX of
the Mobility Domain.
MSS can issue countermeasures against rogue devices to prevent clients from being able to use
them.
You can configure RF detection parameters on individual MX switches.
This chapter presents RF detection commands alphabetically. Use the following table to locate
the commands in this chapter based on usage.
Rogue Information: show rfdetect clients on page 20-472
  show rfdetect mobility-domain on page 20-477
  show rfdetect data on page 20-475
  show rfdetect visible on page 20-480
  show rfdetect counters on page 20-474
Countermeasures: show rfdetect countermeasures on page 20-473
Classification: set rfdetect classification ad-hoc on page 20-466
  set rfdetect classification default on page 20-467
  set rfdetect classification seen-in-network on page 20-467
  set rfdetect classification ssid-masquerade on page 20-467
Permitted Vendor List: set rfdetect vendor-list on page 20-470
  show rfdetect vendor-list on page 20-480
  clear rfdetect vendor-list on page 20-464
Permitted SSID List: set rfdetect ssid-list on page 20-469
  show rfdetect ssid-list on page 20-480
  clear rfdetect ssid-list on page 20-463
Client Black List: set rfdetect black-list on page 20-465
  set rfdetect black-list dynamic on page 20-466
  show rfdetect black-list on page 20-471
  clear rfdetect black-list on page 20-462
Rogue List: clear rfdetect rogue-list on page 20-462
  show rfdetect rogue-list on page 20-471
Ignore List: set rfdetect ignore on page 20-468
  show rfdetect neighbor-list on page 20-476
  clear rfdetect neighbor-list on page 20-463
MP Signatures: set rfdetect signature on page 20-469
Log Messages: set rfdetect log on page 20-468
MX-to-Client RF Link: rfping on page 20-464
clear rfdetect rogue-list
Removes a MAC address from the rogue list.
Syntax
clear rfdetect rogue-list [mac | all]
mac: MAC address you want to remove from the rogue list.
all: Removes all MAC addresses from the rogue list.
Defaults
None.
Access
Enabled.
History
MSS Version 4.0: Command introduced.
MSS Version 6.2: Input changed from attack-list to rogue-list.
Examples
The following command clears MAC address 11:22:33:44:55:66 from the rogue list:
MX# clear rfdetect rogue-list 11:22:33:44:55:66
success: 11:22:33:44:55:66 is no longer in roguelist.
See Also
set rfdetect rogue-list on page 20-465
show rfdetect rogue-list on page 20-471
clear rfdetect black-list
Removes a MAC address from the client blacklist.
Syntax
clear rfdetect black-list [mac-addr | all]
mac-addr: MAC address you want to remove from the blacklist.
Defaults
None.
Access
Enabled.
History
Introduced in MSS Version 4.0.
Examples
The following command removes MAC address 11:22:33:44:55:66 from the blacklist:
MX# clear rfdetect black-list 11:22:33:44:55:66
success: 11:22:33:44:55:66 is no longer blacklisted.
See Also
set rfdetect black-list on page 20-465
show rfdetect black-list on page 20-471
clear rfdetect countermeasures mac
Deprecated in MSS Version 4.0.
clear rfdetect neighbor-list
Removes a device from the neighbor list for RF scans. MSS does not generate log messages or traps for the devices in the neighbor list.
Syntax
clear rfdetect neighbor-list [transmit-mac | oui | all]
transmit-mac: Basic service set identifier (BSSID), which is a MAC address, of the device to remove from the neighbor list.
oui: A third-party device ID.
all: Removes all devices from the neighbor list.
Defaults
None.
Access
Enabled.
History
MSS Version 3.0: Command introduced.
MSS Version 6.2: Changed ignore to neighbor-list.
Examples
The following command removes BSSID aa:bb:cc:11:22:33 from the neighbor list for RF scans:
MX-20# clear rfdetect neighbor-list aa:bb:cc:11:22:33
success: aa:bb:cc:11:22:33 is no longer on the neighbor-list.
See Also
set rfdetect ignore on page 20-468
show rfdetect neighbor-list on page 20-476
clear rfdetect ssid-list
Removes an SSID from the permitted SSID list.
Syntax
clear rfdetect ssid-list ssid-name
ssid-name: SSID name you want to remove from the permitted SSID list.
Defaults
None.
Access
Enabled.
History
Introduced in MSS Version 4.0.
Examples
The following command clears SSID mycorp from the permitted SSID list:
MX# clear rfdetect ssid-list mycorp
success: mycorp is no longer in ssid-list.
See Also
set rfdetect ssid-list on page 20-469
show rfdetect ssid-list on page 20-480
clear rfdetect vendor-list
Deprecated in MSS Version 6.2.
rfping
Provides information about the RF link between the MX and the client based on sending test packets to the client.
Syntax
rfping {mac mac-addr | session-id session-id}
mac mac-addr: Tests the RF link between the MX and the client with the specified MAC address.
session-id session-id: Tests the RF link between the MX and the client with the specified local session ID.
Defaults
None.
Access
Enabled.
History
Version 4.2: Command introduced.
Version 6.0: Name of command changed from test rflink to rfping.
Usage
Use this command to send test packets to a specified client. The output of the command indicates the number of test packets received and acknowledged by the client, as well as the client signal strength and signal-to-noise ratio.
Examples
The following command tests the RF link between the MX and the client with MAC address 00:0e:9b:bf:ad:13:
MX# rfping mac 00:0e:9b:bf:ad:13
RF-Link Test to 00:0e:9b:bf:ad:13 :
Session-Id: 2
Packets Sent Packets Rcvd RSSI SNR RTT (micro-secs)
------------ ------------ ------- ----- ----------------
20 20 -68 26 976
Table 20– 1 describes the fields in this display.
Table 20– 1. rfping Output
Field Description
Packets Sent: The number of test packets sent from the MX to the client.
Packets Rcvd: The number of test packets acknowledged by the client.
RSSI: Received signal strength indication (RSSI), the strength of the RF signal from the client, in decibels referred to 1 milliwatt (dBm).
SNR: Signal-to-noise ratio (SNR), in decibels (dB), of the data received from the client.
RTT (micro-secs): The round-trip time, in microseconds, for the client response to the test packets.
See Also
show rfdetect data on page 20-475
show rfdetect visible on page 20-480
set rfdetect active-scan
Deprecated in MSS Version 4.0. You now can disable or reenable active scan in individual radio
profiles. See set radio-profile active-scan on page 12-260.
set rfdetect rogue-list
Adds an entry to the rogue list. The rogue list specifies the MAC addresses of devices that MSS should issue countermeasures against whenever the devices are detected on the network. The rogue list can contain the MAC addresses of APs and clients.
Syntax
set rfdetect rogue-list mac-addr
mac-addr: MAC address you want to add as a rogue.
Defaults
The rogue list is empty by default.
Access
Enabled.
History
MSS Version 4.0: Command introduced.
MSS Version 6.2: Command changed from attack-list to rogue-list.
Usage
The rogue list applies only to the MX with the configured list. MX switches do not share rogue lists.
When on-demand countermeasures are enabled (with the set radio-profile countermeasures configured command), only those devices configured in the rogue list are subject to countermeasures. In this case, devices found to be rogues by other means, such as policy violations or by determining that the device is providing connectivity to the wired network, are not attacked.
Examples
The following command adds MAC address 11:22:33:44:55:66 to the rogue list:
MX# set rfdetect rogue-list 11:22:33:44:55:66
success: MAC 11:22:33:44:55:66 is now in roguelist.
See Also
clear rfdetect rogue-list on page 20-462
show rfdetect rogue-list on page 20-471
set radio-profile countermeasures on page 12-268
set rfdetect black-list
Adds an entry to the client blacklist. The client blacklist specifies clients that are not allowed on the network. MSS drops all packets from the clients on the blacklist. The black-list is shared across a Mobility Domain.
Syntax
set rfdetect black-list mac-addr
mac-addr: MAC address you want to place on the black list.
Defaults
The client black list is empty by default.
Access
Enabled.
History
Introduced in MSS Version 4.0.
Usage
In addition to manually configured entries, the list can contain entries added by MSS. MSS can place a client in the blacklist due to an association, reassociation, or disassociation flood from the client.
The client black list applies only to the MX with the configured list. MX switches do not share client blacklists.
MSS supports up to 1024 clients in the black list.
Examples
The following command adds client MAC address 11:22:33:44:55:66 to the black list:
MX# set rfdetect black-list 11:22:33:44:55:66
success: MAC 11:22:33:44:55:66 is now blacklisted.
See Also
clear rfdetect black-list on page 20-462
show rfdetect black-list on page 20-471
set rfdetect black-list dynamic
Enables or disables the dynamic black list, which MSS populates automatically with clients it detects as rogues, and sets how long such entries stay on the list.
Syntax
set rfdetect black-list dynamic {enable | disable} [duration seconds]
enable | disable: Enables or disables the dynamic black-list feature.
duration seconds: Length of time, in seconds, that an entry should stay on the black list. The range is 1 to 2147483647 seconds.
Defaults
None
Access
Enabled
History
Introduced in MSS Version 7.1.
Examples
To allow an entry to stay on the black-list for 60 seconds, you must first enable the feature and then configure the duration:
MX# set rfdetect black-list dynamic enable
success: change accepted.
MX# set rfdetect black-list dynamic duration 60
success: change accepted.
set rfdetect classification ad-hoc
Used to classify devices as ad-hoc devices on the network.
Syntax
set rfdetect classification ad-hoc [rogue | skip-test]
rogue: Detects ad-hoc networks and classifies them as rogues.
skip-test: Omits looking for ad-hoc networks and goes to the next classification step.
Defaults
None
Access
Enabled
History
Introduced in MSS 6.2
Examples
To configure MSS to detect ad-hoc networks and classify them as rogue devices, use the following command:
MX> set rfdetect classification ad-hoc rogue
set rfdetect classification default
Used to configure the default classification of unknown devices on the network.
Syntax
set rfdetect classification default [rogue | suspect | neighbor]
rogue: Sets the default classification as rogue.
suspect: Sets the default classification as suspect.
neighbor: Sets the default classification as neighbor.
Defaults
None
Access
Enabled
History
Introduced in MSS 6.2
Examples
To configure MSS to detect unknown devices and classify them as rogue devices, use the following command:
MX> set rfdetect classification default rogue
set rfdetect classification seen-in-network
Used to configure devices seen on the network as rogue devices.
Syntax
set rfdetect classification seen-in-network [rogue | skip-test]
rogue: Sets the classification as rogue.
skip-test: Sets the default classification as suspect.
Defaults
None
Access
Enabled
History
Introduced in MSS 6.2
Examples
To configure MSS to detect devices seen on the network and classify them as rogue devices, use the following command:
MX> set rfdetect classification seen-in-network rogue
set rfdetect classification ssid-masquerade
Used to configure devices with spoofed SSIDs as rogue devices.
Syntax
set rfdetect classification ssid-masquerade [rogue | skip-test]
rogue: Sets the classification as rogue.
skip-test: Sets the default classification as suspect.
Defaults
None
Access
Enabled
History
Introduced in MSS 6.2
Examples
To configure MSS to detect devices with spoofed SSIDs and classify them as rogue devices, use the following command:
MX> set rfdetect classification ssid-masquerade rogue
set rfdetect countermeasures
Deprecated in MSS Version 4.0.
set rfdetect countermeasures mac
Deprecated in MSS Version 4.0.
set rfdetect ignore
Deprecated in MSS Version 7.0.
set rfdetect log
Disables or reenables generation of log messages when rogues are detected or when they disappear.
Syntax
set rfdetect log {enable | disable}
enable: Enables logging of rogues.
disable: Disables logging of rogues.
Defaults
RF detection logging is enabled by default.
Access
Enabled.
History
Introduced in MSS Version 3.0.
Usage
The log messages for rogues are generated only on the seed and appear only in the seed’s log message buffer. Use the show log buffer command to display the messages in the seed switch’s log message buffer.
Examples
The following command enables RF detection logging for the Mobility Domain managed by this seed switch:
MX-20# set rfdetect log enable
success: rfdetect logging is enabled.
See Also
show log buffer on page 24-520
set rfdetect signature
Enables MP signatures. An MP signature is a set of bits in a management frame sent by an MP that identifies that MP to MSS. If someone attempts to spoof management packets from a Trapeze MP, MSS can detect the spoof attempt.
Syntax
set rfdetect signature {enable | disable}
enable: Enables MP signatures.
disable: Disables MP signatures.
Defaults
MP signatures are disabled by default.
Access
Enabled.
History
Introduced in MSS Version 4.0.
Usage
The command applies only to MPs managed by the MX switch on which you enter the command. To enable signatures on all MPs in a Mobility Domain, enter the command on each MX switch in the Mobility Domain.
Note: You must use the same MP signature setting (enabled or disabled) on all MX switches in a Mobility Domain.
Examples
The following command enables MP signatures on an MX:
MX-20# set rfdetect signature enable
success: signature is now enabled.
set rfdetect signature key
Creates an encrypted RF fingerprint key to use as a signature for an MP.
Syntax
set rfdetect signature key encrypted <key_value>
encrypted: Encrypts the signature key.
key: 16 bytes separated by colons generated by the user. For example, a1:b2:c3:d4:e5:f6:g7:h8 can be a key value.
Defaults
Disabled by default.
Access
Enabled
History
Introduced in 5.0
set rfdetect ssid-list
Adds an SSID to the permitted SSID list. The permitted SSID list specifies the SSIDs that are allowed on the network. If MSS detects packets for an SSID not on the list, the AP sending the packets is classified as a rogue. MSS issues countermeasures against the rogue if they are enabled.
Syntax
set rfdetect ssid-list [ssid-name | ssid*]
ssid-name: SSID name you want to add to the permitted SSID list.
ssid*: SSID glob to add to the permitted SSID list.
Defaults
The permitted SSID list is empty by default and all SSIDs are allowed. However, after you add an entry to the list, MSS allows traffic only for the listed SSIDs.
Access
Enabled.
History
MSS Version 4.0: Command introduced.
MSS Version 6.2: Added the ability to use wildcards for SSID names.
Usage
The permitted SSID list applies only to the MX with the configured list. MX switches do not share permitted SSID lists.
If you add a device that MSS has classified as a rogue to the permitted SSID list, but not to the ignore list, MSS can still classify the device as a rogue. Adding an entry to the permitted SSID list merely indicates that the device is using an allowed SSID. However, if you want MSS to stop classifying the device as a rogue, you must add the device MAC address to the ignore list.
Examples
The following command adds SSID mycorp to the list of permitted SSIDs:
MX# set rfdetect ssid-list mycorp
success: ssid mycorp is now in ssid-list.
See Also
clear rfdetect ssid-list on page 20-463
show rfdetect ssid-list on page 20-480
set rfdetect vendor-list
Deprecated in MSS Version 6.2.
show rfdetect classification
Displays information about the RF detect classifications configured on the network.
Syntax
show rfdetect classification
Defaults
None
Access
Enabled
History
Introduced in MSS 6.2
Examples
The following shows the RF detect classification on the MX.
MX# show rfdetect classification
User Rule  Rules for Classification                   Classification
N          If in Rogue list                           Rogue
N          If AP is part of Mobility Domain           Member
N          If in the Neighbor List                    Neighbor
Y          If SSID Masquerade                         Rogue
Y          Client or Client DST MAC seen in network   Rogue
Y          If Ad hoc device                           Rogue
N          If SSID in SSID list                       Neighbor
Y          Default Classification                     Suspect
show rfdetect rogue-list
Displays information about the MAC addresses in the rogue list.
Syntax
show rfdetect rogue-list
Defaults
None.
Access
Enabled.
History
MSS Version 4.0: Command introduced.
MSS Version 6.2: Command changed from attack-list to rogue-list.
Examples
The following example shows the rogue list on MX:
MX# show rfdetect rogue-list
Total number of entries: 1
Roguelist MAC Port/Radio/Chan RSSI SSID
----------------- ----------------- ------ ------------
11:22:33:44:55:66 ap 2/1/11 -53 rogue-ssid
See Also
clear rfdetect rogue-list on page 20-462
set rfdetect rogue-list on page 20-465
show rfdetect black-list
Displays information about the clients in the client blacklist.
Syntax
show rfdetect black-list
Defaults
None.
Access
Enabled.
History
Introduced in MSS Version 4.0.
Examples
The following example shows the client blacklist on MX:
MX# show rfdetect black-list
Total number of entries: 1
Blacklist MAC Type Port TTL
----------------- ----------------- ------- ---
11:22:33:44:55:66 configured - -
11:23:34:45:56:67 assoc req flood 3 25
See Also
clear rfdetect black-list on page 20-462
set rfdetect black-list on page 20-465
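The rule order printed by show rfdetect classification, combined with the rogue, neighbor and permitted SSID lists and the set rfdetect classification settings described above, amounts to a small first-match decision procedure. The Python model below is an added illustration, not Trapeze code; the RfdetectConfig and DetectedDevice field names are assumptions chosen to mirror the CLI, and the sample devices are constructed from addresses and SSIDs that appear in the examples on this page.

```python
"""Model of the rogue-classification order shown by `show rfdetect classification`.

Added illustration, not Trapeze code. Rows are tested in the order the table
lists them; rows marked User Rule = Y honour the `set rfdetect classification`
settings, and the first matching row decides the classification.
"""
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple


@dataclass
class RfdetectConfig:
    """Per-MX RF-detect settings (field names are assumptions mirroring the CLI)."""
    rogue_list: Set[str] = field(default_factory=set)     # set rfdetect rogue-list
    neighbor_list: Set[str] = field(default_factory=set)  # neighbor (ignore) list
    ssid_list: Set[str] = field(default_factory=set)      # set rfdetect ssid-list: "name" or "prefix*"
    ssid_masquerade: str = "rogue"  # set rfdetect classification ssid-masquerade {rogue|skip-test}
    seen_in_network: str = "rogue"  # set rfdetect classification seen-in-network {rogue|skip-test}
    ad_hoc: str = "rogue"           # set rfdetect classification ad-hoc {rogue|skip-test}
    default: str = "suspect"        # set rfdetect classification default {rogue|suspect|neighbor}


@dataclass
class DetectedDevice:
    """What the scanner has learned about one BSSID (field names are assumptions)."""
    bssid: str
    ssid: str = ""
    mobility_domain_member: bool = False  # BSSID belongs to an MP in our Mobility Domain
    ssid_masquerade: bool = False         # advertises one of our SSIDs from a foreign BSSID
    client_seen_in_network: bool = False  # client MAC or its DST MAC found in an MX FDB
    ad_hoc: bool = False                  # IBSS rather than infrastructure


def ssid_in_list(ssid: str, ssid_list: Set[str]) -> bool:
    """Match an SSID against list entries; a trailing '*' is a glob (MSS 6.2 and later)."""
    for entry in ssid_list:
        if entry.endswith("*"):
            if ssid.startswith(entry[:-1]):
                return True
        elif entry == ssid:
            return True
    return False


def classify(dev: DetectedDevice, cfg: RfdetectConfig) -> Tuple[str, str]:
    """Return (classification, matching rule) for the first row of the table that applies."""
    bssid = dev.bssid.lower()
    rogue_list = {m.lower() for m in cfg.rogue_list}
    neighbor_list = {m.lower() for m in cfg.neighbor_list}

    if bssid in rogue_list:                                            # N: If in Rogue list
        return "rogue", "If in Rogue list"
    if dev.mobility_domain_member:                                     # N: part of Mobility Domain
        return "member", "If AP is part of Mobility Domain"
    if bssid in neighbor_list:                                         # N: If in the Neighbor List
        return "neighbor", "If in the Neighbor List"
    if cfg.ssid_masquerade == "rogue" and dev.ssid_masquerade:         # Y: If SSID Masquerade
        return "rogue", "If SSID Masquerade"
    if cfg.seen_in_network == "rogue" and dev.client_seen_in_network:  # Y: seen in network
        return "rogue", "Client or Client DST MAC seen in network"
    if cfg.ad_hoc == "rogue" and dev.ad_hoc:                           # Y: If Ad hoc device
        return "rogue", "If Ad hoc device"
    if ssid_in_list(dev.ssid, cfg.ssid_list):                          # N: If SSID in SSID list
        return "neighbor", "If SSID in SSID list"
    return cfg.default, "Default Classification"                       # Y: Default Classification


def classify_all(devices, cfg: RfdetectConfig) -> Dict[str, Tuple[str, str]]:
    """Classify every detected device, keyed by BSSID."""
    return {d.bssid: classify(d, cfg) for d in devices}


# Constructed scenario built from addresses and SSIDs used in the examples on this page.
EXAMPLE_CONFIG = RfdetectConfig(
    rogue_list={"11:22:33:44:55:66"},
    neighbor_list={"aa:bb:cc:11:22:33", "aa:bb:cc:44:55:66"},
    ssid_list={"mycorp", "trpz-*"},
)

EXAMPLE_DEVICES = [
    DetectedDevice("11:22:33:44:55:66", "rogue-ssid", client_seen_in_network=True),
    DetectedDevice("aa:bb:cc:11:22:33", "public", ssid_masquerade=True),  # neighbor list wins
    DetectedDevice("00:0a:5e:4b:4a:c4", "trpz-ccmp"),                    # matched by the glob
    DetectedDevice("00:0a:5e:4b:4a:c6", "mycorp", ssid_masquerade=True), # SSID list does not help
    DetectedDevice("00:09:b7:7b:8a:54", "", ad_hoc=True),
    DetectedDevice("00:0a:5e:4b:4a:c0", "public"),                       # falls to the default
]

if __name__ == "__main__":
    for bssid, (cls, rule) in classify_all(EXAMPLE_DEVICES, EXAMPLE_CONFIG).items():
        print(f"{bssid:17}  {cls:9}  ({rule})")
```

The second and fourth sample devices show the point made under set rfdetect ssid-list: a permitted SSID alone never rescues a device from a rogue verdict, whereas a neighbor-list entry is tested before the masquerade rule and does.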
show rfdetect clients
Displays the wireless clients detected by an MX.
Syntax
show rfdetect clients [mac mac-addr]
mac mac-addr: Displays detailed information for a specific client.
Defaults
None.
Access
Enabled.
History
Introduced in MSS Version 4.0.
Examples
The following command shows information about all wireless clients detected by an MX and MPs:
MX# show rfdetect clients
Total number of entries: 30
Client MAC Client AP MAC AP Port/Radio NoL Type Last
Vendor Vendor /Channel seen
----------------- ------- ----------------- ------- ------------- --- ----- ----
00:03:7f:bf:16:70 Unknown Unknown ap 1/1/6 1 intfr 207
00:04:23:77:e6:e5 Intel Unknown ap 1/1/2 1 intfr 155
00:05:5d:79:ce:0f D-Link Unknown ap 1/1/149 1 intfr 87
00:05:5d:7e:96:a7 D-Link Unknown ap 1/1/149 1 intfr 117
00:05:5d:7e:96:ce D-Link Unknown ap 1/1/157 1 intfr 162
00:05:5d:84:d1:c5 D-Link Unknown ap 1/1/1 1 intfr 52
The following command displays more details about a specific client:
MX# show rfdetect clients mac 00:0c:41:63:fd:6d
Client Mac Address: 00:0c:41:63:fd:6d, Vendor: Linksys
Port: ap 1, Radio: 1, Channel: 11, RSSI: -82, Rate: 2, Last Seen (secs ago): 84
Bssid: 00:0b:0e:01:02:00, Vendor: Trapeze, Type: intfr, Dst: ff:ff:ff:ff:ff:ff
Last Rogue Status Check (secs ago): 3
The first line lists information for the client. The other lines list information about the most recent 802.11 packet detected from the client.
Table 20– 2 and Table 20– 3 describe the fields in these displays.
Table 20– 2. show rfdetect clients Output
Field Description
Client MAC: MAC address of the client.
Client Vendor: Company that manufactures or sells the client.
AP MAC: MAC address of the radio with which the rogue client is associated.
AP Vendor: Company that manufactures or sells the AP with which the rogue client is associated.
Port/Radio/Channel: Port number, radio number, and channel number of the radio that detected the rogue.
NoL: Number of listeners. This is the number of MP radios that detected the rogue client.
Type: Classification of the rogue device:
  rogue: Wireless device that is on the network but is not supposed to be on the network.
  intfr: Wireless device that is not part of your network and is not a rogue, but might be causing RF interference with MP radios.
  known: Device that is a legitimate member of the network.
Last seen: Number of seconds since an MP radio last detected 802.11 packets from the device.
Table 20– 3. show rfdetect clients mac Output
Field Description
RSSI: Received signal strength indication (RSSI), the strength of the RF signal detected by the MP radio, in decibels referred to 1 milliwatt (dBm).
Rate: The data rate of the client.
Last Seen: Number of seconds since an MP radio last detected 802.11 packets from the device.
BSSID: MAC address of the SSID with which the rogue client is associated.
Vendor: Company that manufactures or sells the AP with which the rogue client is associated.
Type: Classification of the rogue device:
  rogue: Wireless device that is on the network but is not supposed to be on the network.
  intfr: Wireless device that is not part of your network and is not a rogue, but might be causing RF interference with MP radios.
  known: Device that is a legitimate member of the network.
Dst: MAC address to which the last 802.11 packet detected from the client was addressed.
Last Rogue Status Check: Number of seconds since the MX looked on the air for the AP with which the rogue client is associated. The MX looks for the client AP by sending a packet from the wired side of the network addressed to the client, and watching the air for a wireless packet containing the client’s MAC address.
show rfdetect countermeasures
Displays the current status of countermeasures against rogues in the Mobility Domain.
Syntax
show rfdetect countermeasures
Defaults
None.
Access
Enabled.
History
Version 3.0: Command introduced.
Version 4.0: Output no longer lists rogues that countermeasures have not started.
Usage
This command is valid only on the seed MX of the Mobility Domain.
Examples
The following example displays countermeasures status for the Mobility Domain:
MX# show rfdetect countermeasures
Total number of entries: 190
Rogue MAC Type Countermeasures MX-IPaddr Port/Radio
Radio Mac /Channel
----------------- ----- ------------------ --------------- -------------
00:0b:0e:00:71:c0 intfr 00:0b:0e:44:55:66 10.1.1.23 ap 4/1/6
00:0b:0e:03:00:80 rogue 00:0b:0e:11:22:33 10.1.1.23 ap 2/1/11
Table 20– 4 describes the fields in this display.
See Also
set radio-profile countermeasures on page 12-268
Table 20– 4. show rfdetect countermeasures Output
Field Description
Rogue MAC: BSSID of the rogue.
Type: Classification of the rogue device:
  rogue: Wireless device that is on the network but is not supposed to be on the network.
  intfr: Wireless device that is not part of your network and is not a rogue, but might be causing RF interference with MP radios.
  known: Device that is a legitimate member of the network.
Countermeasures Radio MAC: MAC address of the Trapeze radio sending countermeasures against the rogue.
MX-IPaddr: System IP address of the MX managing the MP that is sending or will send countermeasures.
Port/Radio/Channel: Port number, radio number, and channel number of the countermeasures radio.
show rfdetect counters
Displays statistics for rogue and Intrusion Detection System (IDS) activity detected by the MPs managed by an MX.
Syntax
show rfdetect counters
Defaults
None.
Access
Enabled.
History
Introduced in MSS 4.0.
Examples
The following command shows counters for rogue activity detected by an MX:
MX# show rfdetect counters
Type Current Total
-------------------------------------------------- ------------ ------------
Rogue access points 0 0
Interfering access points 139 1116
Rogue 802.11 clients 0 0
Interfering 802.11 clients 4 347
802.11 adhoc clients 0 1
Unknown 802.11 clients 20 965
Interfering 802.11 clients seen on wired network 0 0
802.11 probe request flood 0 0
802.11 authentication flood 0 0
802.11 null data flood 0 0
802.11 mgmt type 6 flood 0 0
802.11 mgmt type 7 flood 0 0
802.11 mgmt type d flood 0 0
802.11 mgmt type e flood 0 0
802.11 mgmt type f flood 0 0
802.11 association flood 0 0
802.11 reassociation flood 0 0
802.11 disassociation flood 0 0
Weak wep initialization vectors 0 0
Spoofed access point mac-address attacks 0 0
Spoofed client mac-address attacks 0 0
Ssid masquerade attacks 1 12
Spoofed deauthentication attacks 0 0
Spoofed disassociation attacks 0 0
Null probe responses 626 11380
Broadcast deauthentications 0 0
FakeAP ssid attacks 0 0
FakeAP bssid attacks 0 0
Netstumbler clients 0 0
Wellenreiter clients 0 0
Active scans 1796 4383
Wireless bridge frames 196 196
Adhoc client frames 8 0
Access points present in attack-list 0 0
Access points not present in ssid-list 0 0
Access points not present in vendor-list 0 0
Clients not present in vendor-list 0 0
Clients added to automatic black-list 0 0
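The counters display is the natural source for periodic rogue and IDS monitoring: poll it, keep the previous reading, and raise an alert when an attack counter's Total grows. The Python below is an added illustration, not Trapeze code; the two polls are constructed in the format shown above (abbreviated to a few rows) and are not captures from a real MX, and the ATTACK_COUNTERS selection of row names is my own.

```python
"""Parse `show rfdetect counters` output and flag attack counters that grew between polls.

Added illustration, not Trapeze code. POLL_1 and POLL_2 are constructed samples
in the format of the display above, not captures from a real MX.
"""
from typing import Dict, Tuple

# Counter rows that indicate attack or reconnaissance activity rather than plain
# interference. Names are copied from the display above; the selection is an assumption.
ATTACK_COUNTERS = (
    "802.11 probe request flood",
    "802.11 authentication flood",
    "802.11 null data flood",
    "802.11 association flood",
    "802.11 reassociation flood",
    "802.11 disassociation flood",
    "Weak wep initialization vectors",
    "Spoofed access point mac-address attacks",
    "Spoofed client mac-address attacks",
    "Ssid masquerade attacks",
    "Spoofed deauthentication attacks",
    "Spoofed disassociation attacks",
    "Broadcast deauthentications",
    "FakeAP ssid attacks",
    "FakeAP bssid attacks",
    "Netstumbler clients",
    "Wellenreiter clients",
    "Clients added to automatic black-list",
)

Counters = Dict[str, Tuple[int, int]]  # row name -> (Current, Total)


def parse_counters(text: str) -> Counters:
    """Read the 'Type Current Total' rows. A type may itself contain spaces and
    digits (e.g. '802.11 mgmt type 6 flood'), so the last two whitespace-separated
    fields are taken as the numbers and everything before them as the name."""
    counters: Counters = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[-1].isdigit() and parts[-2].isdigit():
            counters[" ".join(parts[:-2])] = (int(parts[-2]), int(parts[-1]))
    return counters


def attack_deltas(previous: Counters, current: Counters) -> Dict[str, int]:
    """Attack counters whose Total increased since the previous poll, with the increase."""
    deltas: Dict[str, int] = {}
    for name in ATTACK_COUNTERS:
        before = previous.get(name, (0, 0))[1]
        now = current.get(name, (0, 0))[1]
        if now > before:
            deltas[name] = now - before
    return deltas


def active_attacks(current: Counters) -> Dict[str, int]:
    """Attack counters with a non-zero Current value, i.e. activity still in progress."""
    return {n: current[n][0] for n in ATTACK_COUNTERS if current.get(n, (0, 0))[0] > 0}


# Constructed: two abbreviated polls of the same MX, some minutes apart.
POLL_1 = """\
MX# show rfdetect counters
Type                                               Current      Total
-------------------------------------------------- ------------ ------------
Rogue access points                                0            0
Interfering access points                          139          1116
802.11 mgmt type 6 flood                           0            0
Ssid masquerade attacks                            1            10
Spoofed deauthentication attacks                   0            0
Null probe responses                               626          11380
Active scans                                       1796         4383
Clients added to automatic black-list              0            0
"""

POLL_2 = """\
MX# show rfdetect counters
Type                                               Current      Total
-------------------------------------------------- ------------ ------------
Rogue access points                                1            1
Interfering access points                          141          1130
802.11 mgmt type 6 flood                           0            0
Ssid masquerade attacks                            1            12
Spoofed deauthentication attacks                   2            7
Null probe responses                               630          11420
Active scans                                       1801         4390
Clients added to automatic black-list              1            1
"""

if __name__ == "__main__":
    before, after = parse_counters(POLL_1), parse_counters(POLL_2)
    for name, growth in attack_deltas(before, after).items():
        print(f"ALERT {name}: +{growth} (current {after[name][0]})")
```

Because Current and Total are read separately, a counter that rose and then returned to zero Current is still reported by attack_deltas, while active_attacks shows only what the MPs are seeing at the moment of the poll.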
show rfdetect data
Displays information about the APs detected by an MX.
Syntax
show rfdetect data
Defaults
None.
Access
Enabled.
History
Version 1.0: Command introduced.
Version 2.0: New option, verbose, added to include Trapeze devices and devices in the ignore list.
Version 3.0: sweep-name, sentry-sweep, and verbose options deprecated. Fields rearranged to show BSSID first.
Version 4.0: Vendor, Type, and Flags fields added.
Version 7.0: Added 40 MHz channel information.
Version 7.1: Removed flags from output.
Usage
You can enter this command on any MX in the Mobility Domain. The output applies only to the MX on which you enter the command. To display all devices that a specific Trapeze radio has detected, even if the radio is managed by another MX, use the show rfdetect visible command. To display rogue information for the entire Mobility Domain, use the show rfdetect mobility-domain command on the seed switch.
Only one MAC address is listed for each Trapeze radio, even if the radio is beaconing multiple SSIDs.
Examples
The following command shows the devices detected by the MX during the most recent RF detection scan:
MX# show rfdetect data
Total number of entries: 197
BSSID Vendor Class AP Name RSSI Ch Age SSID
----------------- ------- ----- ------------- ------- ---- ----- ----------
00:07:50:d5:cc:91 Cisco intfr 3 i----w 6 -61 r27-cisco1200-2
00:07:50:d5:dc:78 Cisco intfr 1 i----w 6 -82 r116-cisco1200-2
00:09:b7:7b:8a:54 Cisco intfr 3 i----- 6 -96
00:0a:5e:4b:4a:c0 3Com intfr 3 i----- 6 -76 public
00:0a:5e:4b:4a:c2 3Com intfr 3 i-t1-- 6 -86 tapezewlan
00:0a:5e:4b:4a:c4 3Com intfr 3 ic---- 6 -85 trpz-ccmp
00:0a:5e:4b:4a:c6 3Com intfr 3 i-t--- 6 -85 trpz-tkip
00:0a:5e:4b:4a:c8 3Com intfr 3 i----w 6 -83 trpz-voip
00:0a:5e:4b:4a:ca 3Com intfr 3 i----- 6 -85 trpz-webaaa
Table 20– 5 describes the fields in this display.
Table 20– 5. show rfdetect data Output
Field Description
BSSID: MAC address of the SSID used by the detected device.
Vendor: Company that manufactures or sells the rogue device.
Class: Classification of the rogue device:
  rogue: Wireless device that is not supposed to be on the network. The client's MAC address as well as the client's destination MAC address are compared to an MX FDB. If either address is in the FDB on any MX in the Mobility Domain, the AP with which the client is associated is classified as a rogue device.
  intfr: Wireless device that is not part of your network but is not a rogue. The device does not have an entry in an MX FDB and is not actually on the network, but might be causing RF interference with MP radios.
  known: Device that is a legitimate member of the network.
AP Name: Name of the AP that detected the rogue.
Channel: The channel that is performing the RF detection.
RSSI: Received signal strength indication (RSSI), the strength of the RF signal detected by the MP radio, in decibels referred to 1 milliwatt (dBm).
Age: Number of seconds since an MP radio last detected 802.11 packets from the device.
SSID: The SSID of the device.
+/-: If the device is using 40 MHz wide channels, the primary channel is listed in the Ch column. If the secondary channel is above the primary, a “-” appears next to the channel number. If the secondary channel is below the primary, a “+” appears next to the channel number.
See Also
show rfdetect mobility-domain on page 20-477
show rfdetect visible on page 20-480
show rfdetect neighbor-list
Displays the BSSIDs of third-party devices that MSS ignores during RF scans. MSS does not generate log messages or traps for the devices in the ignore list.
Syntax
show rfdetect neighbor-list
Defaults
None.
Access
Enabled.
History
MSS Version 3.0: Command introduced.
MSS Version 6.2: Command changed from ignore to neighbor-list.
Examples
The following example displays the list of ignored devices:
MX# show rfdetect neighbor-list
Total number of entries: 2
Ignore MAC
-----------------
aa:bb:cc:11:22:33
aa:bb:cc:44:55:66
See Also
clear rfdetect neighbor-list on page 20-463
set rfdetect ignore on page 20-468
show rfdetect mobility-domain
Displays the rogues detected by all MX switches in the Mobility Domain during RF detection scans.
Syntax
show rfdetect mobility-domain [ssid ssid-name | bssid mac-addr]
ssid ssid-name: Displays rogues using the specified SSID.
bssid mac-addr: Displays rogues using the specified BSSID.
Defaults
None.
Access
Enabled.
History
Version 3.0: Command introduced.
Version 4.0: bssid and ssid options added. Vendor, Type, and Flags fields added.
Usage
This command is valid only on the seed MX of the Mobility Domain. To display rogue information for an individual MX, use the show rfdetect data command on that MX.
Examples
The following command displays summary information for all SSIDs and BSSIDs detected in the Mobility Domain:
MX# show rfdetect mobility-domain
Total number of entries: 194
Flags: i = infrastructure, a = ad-hoc, u = unresolved
c = CCMP, t = TKIP, 1 = 104-bit WEP, 4 = 40-bit WEP, w = WEP(non-WPA)
BSSID Vendor Type Flags SSID
----------------- ------------ ----- ------ --------------------------------
00:07:50:d5:cc:91 Cisco intfr i----w r27-cisco1200-2
00:07:50:d5:dc:78 Cisco intfr i----w r116-cisco1200-2
00:09:b7:7b:8a:54 Cisco intfr i-----
00:0a:5e:4b:4a:c0 3Com intfr i----- public
00:0a:5e:4b:4a:c2 3Com intfr i----w trapezewlan
00:0a:5e:4b:4a:c4 3Com intfr ic---- trpz-ccmp
00:0a:5e:4b:4a:c6 3Com intfr i----w trpz-tkip
00:0a:5e:4b:4a:c8 3Com intfr i----w trpz-voip
00:0a:5e:4b:4a:ca 3Com intfr i----- trpz-webaaa
...
The lines in this display are compiled from data from multiple listeners (MP radios). If an item
has the value unresolved, not all listeners agree on the value for that item. Generally, an
unresolved state occurs only when an MP or a Mobility Domain is still coming up, and lasts only
briefly.
The following command displays detailed information for rogues using SSID trpz-webaaa.
MX# show rfdetect mobility-domain ssid trpz-webaaa
BSSID: 00:0a:5e:4b:4a:ca Vendor: 3Com SSID: trpz-webaaa
Type: intfr Adhoc: no Crypto-types: clear
MX-IPaddress: 10.8.121.102 Port/Radio/Ch: 3/1/11 Mac: 00:0b:0e:00:0a:6a
Device-type: interfering Adhoc: no Crypto-types: clear
RSSI: -85 SSID: trpz-webaaa
BSSID: 00:0b:0e:00:7a:8a Vendor: Trapeze SSID: trpz-webaaa
Type: intfr Adhoc: no Crypto-types: clear
MX-IPaddress: 10.8.121.102 Port/Radio/Ch: 3/1/1 Mac: 00:0b:0e:00:0a:6a
Device-type: interfering Adhoc: no Crypto-types: clear
RSSI: -75 SSID: trpz-webaaa
MX-IPaddress: 10.3.8.103 Port/Radio/Ch: ap 1/1/1 Mac: 00:0b:0e:76:56:82
Device-type: interfering Adhoc: no Crypto-types: clear
RSSI: -76 SSID: trpz-webaaa
Two types of information are shown. The lines that are not indented show the BSSID, vendor, and
information about the SSID. The indented lines that follow this information indicate the listeners
(MP radios) that detected the SSID. Each set of indented lines is for a separate MP listener.
In this example, two BSSIDs are mapped to the SSID. Separate sets of information are shown for
each of the BSSIDs, and information about the listeners for each BSSID is shown.
The following command displays detailed information for a BSSID.
MX# show rfdetect mobility-domain bssid 00:0b:0e:00:04:d1
BSSID: 00:0b:0e:00:04:d1 Vendor: Cisco SSID: notmycorp
Type: rogue Adhoc: no Crypto-types: clear
MX-IPaddress: 10.8.121.102 Port/Radio/Ch: 3/2/56 Mac: 00:0b:0e:00:0a:6b
Device-type: rogue Adhoc: no Crypto-types: clear
RSSI: -72 SSID: notmycorp
MX-IPaddress: 10.3.8.103 Port/Radio/Ch: ap 1/1/157 Mac: 00:0b:0e:76:56:82
Device-type: rogue Adhoc: no Crypto-types: clear
RSSI: -72 SSID: notmycorp
Table 20-6 and Table 20-7 describe the fields in these displays.
Table 20-6. show rfdetect mobility-domain Output
Field Description
BSSID MAC address of the SSID used by the detected device.
Vendor Company that manufactures or sells the rogue device.
Type Classification of the rogue device:
rogue—Wireless device that is not supposed to be on the network. The
device has an entry in an MX switch’s FDB and is therefore on the network.
intfr—Wireless device not part of your network but is not a rogue. The
device does not have an entry in an MX FDB and is not actually on the
network, but might be causing RF interference with MP radios.
known—Device that is a legitimate member of the network.
Flags Classification and encryption information for the rogue:
The i, a, or u flag indicates the classification.
The other flags indicate the encryption used by the rogue.
For flag definitions, see the key in the command output.
SSID SSID used by the detected device.
Table 20-7. show rfdetect mobility-domain ssid or bssid Output
Field Description
BSSID MAC address of the SSID used by the detected device.
Vendor Company that manufactures or sells the rogue device.
SSID SSID used by the detected device.
Type Classification of the rogue device:
rogue—Wireless device that is on the network but is not supposed to be on
the network.
intfr—Wireless device that is not part of your network and is not a rogue,
but might be causing RF interference with MP radios.
known—Device that is a legitimate member of the network.
Adhoc Indicates whether the rogue is an infrastructure rogue (is using an AP) or is
operating in ad-hoc mode.
Crypto-Types Encryption type:
clear (no encryption)
ccmp
tkip
wep104 (WPA 104-bit WEP)
wep40 (WPA 40-bit WEP)
wep (non-WPA WEP)
MX-IPaddress System IP address of the MX that detected the rogue.
Port/Radio/Channel Port number, radio number, and channel number of the radio that detected the
rogue.
Mac MAC address of the radio that detected the rogue.
Device-type Device type detected by the MP radio.
Adhoc Ad-hoc status (yes or no) detected by the MP radio.
Crypto-Types Encryption type detected by the MP radio.
RSSI Received signal strength indication (RSSI)—the strength of the RF signal
detected by the MP radio, in decibels referred to 1 milliwatt (dBm).
SSID SSID mapped to the BSSID.
See Also
show rfdetect data on page 20-475
show rfdetect visible on page 20-480
show rfdetect ssid-list
Displays the entries in the permitted SSID list.
Syntax
show rfdetect ssid-list
Defaults
None.
Access
Enabled.
History
Introduced in MSS Version 4.0.
Examples
The following example shows the permitted SSID list on MX:
MX# show rfdetect ssid-list
Total number of entries: 3
SSID
-----------------
mycorp
corporate
guest
See Also
clear rfdetect ssid-list on page 20-463
set rfdetect ssid-list on page 20-469
show rfdetect vendor-list
Deprecated in MSS Version 6.2.
show rfdetect visible
Displays the BSSIDs discovered by a specific Trapeze radio. The data includes BSSIDs
transmitted by other Trapeze radios as well as by third-party access points.
Syntax
show rfdetect visible mac-addr
show rfdetect visible ap apnum [radio {1 | 2}]
mac-addr Base MAC address of the Trapeze radio.
Note: To display the base MAC address of a Trapeze radio, use the show ap status command.
apnum Port connected to the MP access point to display neighboring BSSIDs.
radio 1 Shows neighbor information for radio 1.
radio 2 Shows neighbor information for radio 2. (This option does not apply to single-radio
models.)
Defaults
None.
Access
Enabled.
History
Version 3.0 Command introduced.
Version 4.0 Vendor, Type, and Flags fields added.
Usage
If a Trapeze radio is supporting more than one SSID, each of the corresponding BSSIDs is
listed separately.
To display rogue information for the entire Mobility Domain, use the show rfdetect
mobility-domain command on the seed switch.
Examples
The following command displays information about the rogues detected by radio 1 on MP
port 3:
MX# show rfdetect visible ap 3 radio 1
Total number of entries: 104
Flags: i = infrastructure, a = ad-hoc
c = CCMP, t = TKIP, 1 = 104-bit WEP, 4 = 40-bit WEP, w = WEP(non-WPA)
Transmit MAC Vendor Type Ch RSSI Flags SSID
----------------- ------- ----- --- ---- ------ --------------------------------
00:07:50:d5:cc:91 Cisco intfr 6 -60 i----w r27-cisco1200-2
00:07:50:d5:dc:78 Cisco intfr 6 -82 i----w r116-cisco1200-2
00:09:b7:7b:8a:54 Cisco intfr 2 -54 i-----
00:0a:5e:4b:4a:c0 3Com intfr 11 -57 i----- public
00:0a:5e:4b:4a:c2 3Com intfr 11 -86 i-t1-- trapezewlan
00:0a:5e:4b:4a:c4 3Com intfr 11 -85 ic---- trpz-ccmp
00:0a:5e:4b:4a:c6 3Com intfr 11 -85 i-t--- trpz-tkip
00:0a:5e:4b:4a:c8 3Com intfr 11 -83 i----w trpz-voip
00:0a:5e:4b:4a:ca 3Com intfr 11 -85 i----- trpz-webaaa
...
Table 20-8 describes the fields in this display.
Table 20-8. show rfdetect visible Output
Field Description
Transmit MAC MAC address of the rogue device that sent the 802.11 packet detected by the MP
radio.
Vendor Company that manufactures or sells the rogue device.
Type Classification of the rogue device:
rogue—Wireless device that is on the network but is not supposed to be on the network.
intfr—Wireless device that is not part of your network and is not a rogue, but might be
causing RF interference with MP radios.
known—Device that is a legitimate member of the network.
Ch Channel number on which the radio detected the rogue.
RSSI Received signal strength indication (RSSI)—the strength of the RF signal detected by the
MP radio, in decibels referred to 1 milliwatt (dBm).
Flags Classification and encryption information for the rogue:
The i, a, or u flag indicates the classification.
The other flags indicate the encryption used by the rogue.
For flag definitions, see the key in the command output.
SSID SSID used by the detected device.
See Also
show rfdetect data on page 20-475
show rfdetect mobility-domain on page 20-477
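The field tables and the Flags key above describe the show rfdetect visible output. The following Python script is an added example (not part of the Trapeze documentation) that parses that layout, decodes the Flags column with the printed key, and applies a few defender-side triage rules: type rogue, an SSID from the permitted list (show rfdetect ssid-list) advertised by a device not classified known, ad-hoc operation, and no encryption or WEP. The sample rows, the permitted SSID set and the last MAC address are constructed, and the triage rules are this example's own assumptions, not MSS behaviour.

```python
"""Parse MSS `show rfdetect visible` output and triage what a radio saw (added example, not Trapeze code)."""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Flags column key, as printed by the command itself:
#   position 0: i = infrastructure, a = ad-hoc, u = unresolved
#   positions 1-5: c = CCMP, t = TKIP, 1 = 104-bit WEP, 4 = 40-bit WEP, w = WEP (non-WPA)
CLASSIFICATION = {"i": "infrastructure", "a": "ad-hoc", "u": "unresolved"}
CRYPTO_BY_POSITION = {1: "ccmp", 2: "tkip", 3: "wep104", 4: "wep40", 5: "wep"}
WEP_VARIANTS = {"wep104", "wep40", "wep"}

# One data row: Transmit MAC, Vendor, Type, Ch, RSSI, Flags, optional SSID (blank when hidden).
_ROW = re.compile(
    r"^(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+(?P<vendor>\S+)\s+"
    r"(?P<type>rogue|intfr|known)\s+(?P<ch>\d+)\s+(?P<rssi>-?\d+)\s+"
    r"(?P<flags>[iau][c-][t-][1-][4-][w-])(?:\s+(?P<ssid>.*\S))?\s*$",
    re.IGNORECASE,
)

# Constructed sample in the documented layout: the first five rows follow the example output
# above, the last row is made up (locally administered MAC, ad-hoc, WEP, permitted SSID).
SAMPLE_OUTPUT = """\
MX# show rfdetect visible ap 3 radio 1
Total number of entries: 6
Flags: i = infrastructure, a = ad-hoc
c = CCMP, t = TKIP, 1 = 104-bit WEP, 4 = 40-bit WEP, w = WEP(non-WPA)
Transmit MAC      Vendor  Type  Ch  RSSI Flags  SSID
----------------- ------- ----- --- ---- ------ --------------------------------
00:07:50:d5:cc:91 Cisco   intfr 6   -60  i----w r27-cisco1200-2
00:09:b7:7b:8a:54 Cisco   intfr 2   -54  i-----
00:0a:5e:4b:4a:c2 3Com    intfr 11  -86  i-t1-- trapezewlan
00:0a:5e:4b:4a:c4 3Com    intfr 11  -85  ic---- trpz-ccmp
00:0b:0e:00:04:d1 Cisco   rogue 56  -72  i----- notmycorp
02:00:5e:00:53:01 Unknown intfr 11  -90  a----w mycorp
"""
PERMITTED_SSIDS = {"mycorp", "corporate", "guest"}  # mirrors the show rfdetect ssid-list example


@dataclass
class VisibleEntry:
    mac: str
    vendor: str
    dev_type: str            # rogue | intfr | known
    channel: int
    rssi: int                # dBm
    classification: str      # infrastructure | ad-hoc | unresolved
    crypto: Tuple[str, ...]  # empty when the beacon advertised no encryption
    ssid: str                # "" when the SSID was not seen


def decode_flags(flags: str) -> Tuple[str, Tuple[str, ...]]:
    """Split a six-character Flags value into (classification, crypto types)."""
    if len(flags) != 6 or flags[0] not in CLASSIFICATION:
        raise ValueError(f"unexpected Flags value: {flags!r}")
    crypto = tuple(CRYPTO_BY_POSITION[i] for i in range(1, 6) if flags[i] != "-")
    return CLASSIFICATION[flags[0]], crypto


def parse_visible(text: str) -> List[VisibleEntry]:
    """Return one VisibleEntry per data row; prompt, key and header lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if not m:
            continue
        classification, crypto = decode_flags(m["flags"].lower())
        entries.append(VisibleEntry(
            mac=m["mac"].lower(), vendor=m["vendor"], dev_type=m["type"].lower(),
            channel=int(m["ch"]), rssi=int(m["rssi"]),
            classification=classification, crypto=crypto, ssid=m["ssid"] or "",
        ))
    return entries


def triage(entries, permitted_ssids) -> List[Tuple[str, str, List[str]]]:
    """Attach review reasons to entries worth a second look (assumed rules, not MSS logic)."""
    findings = []
    for e in entries:
        reasons = []
        if e.dev_type == "rogue":
            reasons.append("type rogue: has an entry in an MX FDB, so it is on the wired network")
        if e.ssid in permitted_ssids and e.dev_type != "known":
            reasons.append(f"advertises permitted SSID {e.ssid!r} but is not a known device")
        if e.classification == "ad-hoc":
            reasons.append("ad-hoc network")
        if e.classification != "unresolved" and not e.crypto:
            reasons.append("no encryption advertised")
        elif WEP_VARIANTS & set(e.crypto):
            reasons.append("WEP in use: " + ", ".join(e.crypto))
        if reasons:
            findings.append((e.mac, e.ssid, reasons))
    return findings


if __name__ == "__main__":
    for mac, ssid, reasons in triage(parse_visible(SAMPLE_OUTPUT), PERMITTED_SSIDS):
        print(f"{mac} {ssid or '<hidden>'}: " + "; ".join(reasons))
```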
File Management Commands 21 – 483
21
File Management Commands
Use file management commands to manage system files and to display software and boot
information. This chapter presents file management commands alphabetically. Use the following
table to locate commands in this chapter based on their use.
Software Version: reset system on page 493; show version on page 500
Boot Settings: set boot partition on page 497; set boot configuration-file on page 496;
set boot backup-configuration on page 496; show boot on page 497; clear boot config on
page 485; clear boot backup-configuration on page 484
File Management: dir on page 488; copy on page 485; md5 on page 492; delete on page 487;
mkdir on page 492; rmdir on page 495
Configuration File: save config on page 495; load config on page 491; show config on page 499
System Backup and Restore: backup on page 483; restore on page 494
Sygate On-Demand Agent (SODA) file installation and removal: install soda agent on page 490;
uninstall soda agent on page 502
backup
Creates an archive of MX system files and, optionally, user files, in Unix tape archive (tar) format.
Syntax
backup system [tftp:/ip-addr/]filename [all | critical]
[tftp:/ip-addr/]filename Name of the archive file to create. You can store the file locally in the
switch’s nonvolatile storage or on a TFTP server.
all Backs up system files and all the files in the user files area.
The user files area contains the set of files listed in the file section of dir
command output.
critical Backs up system files only, including the configuration file used when
booting, and certificate files. The size of an archive created by this
option is generally 1MB or less.
Defaults
The default is all.
Access
Enabled.
History
Introduced in MSS Version 3.2.
Usage
You can create an archive located on a TFTP server or in the nonvolatile storage of the
MX. If you specify a TFTP server as part of the filename, the archive is copied directly to the TFTP
server and not stored locally on the MX.
Use the critical option if you want to back up or restore only the system-critical files required to
operate and communicate with the MX. Use the all option if you also want to back up or restore
WebAAA pages, backup configuration files, image files, and any other files stored in the user files
area of nonvolatile storage.
The maximum supported file size is 32 MB. If the file size of the tarball is too large, delete
unnecessary files (such as unneeded copies of system image files) and try again, or use the
critical option instead of the all option.
Neither option archives image files or any other files listed in the Boot section of dir command
output. The all option archives image files only if they are present in the user files area.
Archive files created by the all option are larger than files created by the critical option. The file
size depends on the files in the user area, and the file can be quite large if the user area contains
image files.
The backup command places the boot configuration file into the archive. (The boot configuration
file is the Configured boot configuration in the show boot command output.) If the running
configuration contains unsaved changes, these changes are not in the boot configuration file and
are not archived. To make sure the archive contains the configuration currently running on the
MX, use the save config command to save the running configuration to the boot configuration
file, before using the backup command.
Examples
The following command creates an archive of the system-critical files and copies the
archive directly to a TFTP server. The filename in this example includes a TFTP server IP
address, so the archive is not stored locally on the switch.
MX# backup system tftp:/10.10.20.9/sysa_bak critical
success: sent 28263 bytes in 0.324 seconds [ 87231 bytes/sec]
See Also
dir on page 488
restore on page 494
clear boot backup-configuration
Clears the filename specified as the backup configuration file. In the event that MSS cannot read
the configuration file at boot time, a backup configuration file is not used.
Syntax
clear boot backup-configuration
Defaults
None.
Access
Enabled.
History
Introduced in MSS Version 4.1.
Examples
The following command clears the name specified as the backup configuration file from
the configuration of the MX:
MX# clear boot backup-configuration
success: Backup boot config filename was cleared.
See Also
set boot backup-configuration on page 496
show boot on page 497
clear boot config
Resets to the factory default the configuration that MSS loads during a reboot.
Syntax
clear boot config
Defaults
None.
Access
Enabled.
History
Introduced in MSS Version 1.0.
Examples
The following commands back up the configuration file on an MX, reset the switch to its
factory default configuration, and reboot the MX:
MX# copy configuration tftp://10.1.1.1/backupcfg
success: sent 365 bytes in 0.401 seconds [ 910 bytes/sec]
MX# clear boot config
success: Reset boot config to factory defaults.
MX# reset system force
...... rebooting ......
See Also
reset system on page 493
show config on page 499
copy
Performs the following copy operations:
Copies a file from a FTP or TFTP server to nonvolatile storage.
Copies a file from nonvolatile storage or temporary storage to a FTP or TFTP server.
Copies a file securely using SCP (Secure Copy Protocol).
Copies a file from one area in nonvolatile storage to another.
Copies a file to a new filename in nonvolatile storage.
Syntax
copy source-url destination-url
source-url Name and location of the file to copy. The uniform resource locator (URL) can be one
of the following:
[subdirname/]filename
file:[subdirname/]filename
ftp://ip-addr/[subdirname/]filename
scp://ip-addr/[subdirname/]filename
tftp://ip-addr/[subdirname/]filename
tmp:filename
For the filename, specify between 1 and 128 alphanumeric characters, with no spaces.
Enter the IP address in dotted decimal notation.
The subdirname/ option specifies a subdirectory.
destination-url Name of the copy and the location to place the copy. The URL can be one of the
following:
[subdirname/]filename
file:[subdirname/]filename
ftp://ip-addr/[subdirname/]filename
scp://ip-addr/[subdirname/]filename
tftp://ip-addr/[subdirname/]filename
If you are copying a system image file into nonvolatile storage, the filename must
include the boot partition name. You can specify one of the following:
boot0:/filename
boot1:/filename
Defaults
None.
Access
Enabled.
History
Version 1.0 Command introduced.
Version 1.1 Enhanced to allow copying files from one area in nonvolatile storage to another and
from one name to another in the same area.
Version 3.0 Subdirectory support added.
Version 7.1 FTP and SCP added as protocols.
Usage
The filename and file:filename URLs are equivalent. You can use either URL to refer to a
file in an MX nonvolatile memory. The tftp://ip-addr/filename URL refers to a file on a TFTP
server. If DNS is configured on the MX, you can specify a TFTP server hostname as an alternative
to specifying the IP address.
The tmp:filename URL specifies a file in temporary storage. You can copy a file out of temporary
storage but you cannot copy a file into temporary storage. Temporary storage is reserved for use
by MSS.
If you are copying a system image file into nonvolatile storage, the filename must be preceded by
the boot partition name, which can be boot0 or boot1. Enter the filename as boot0:/filename or
boot1:/filename. You must specify the boot partition that was not used to load the currently
running image.
The maximum supported file size for TFTP is 32 MB.
Examples
The following command copies a file called floormx from nonvolatile storage to a TFTP
server:
MX# copy floormx tftp://10.1.1.1/floormx
success: sent 365 bytes in 0.401 seconds [ 910 bytes/sec]
The following command copies a file called closetmx from a TFTP server to nonvolatile storage:
MX# copy tftp://10.1.1.1/closetmx closetmx
success: received 637 bytes in 0.253 seconds [ 2517 bytes/sec]
The following command copies system image MX020101.020 from a TFTP server to boot partition
1 in nonvolatile storage:
MX# copy tftp://10.1.1.107/MX020101.020 boot1:MX020101.020
..........................................................................................
..................success: received 9163214 bytes in 105.939 seconds [ 86495 bytes/sec]
The following commands rename test-config to new-config by copying it from one name to the other
in the same location, then deleting test-config:
MX# copy test-config new-config
MX# delete test-config
success: file deleted.
The following command copies file corpa-login.html from a TFTP server into subdirectory corpa in
an MX switch’s nonvolatile storage:
MX# copy tftp://10.1.1.1/corpa-login.html corpa/corpa-login.html
success: received 637 bytes in 0.253 seconds [ 2517 bytes/sec]
See Also
delete on page 487
dir on page 488
delete
Deletes a file.
Syntax
delete url
url Filename. Specify between 1 and 128 alphanumeric characters, with no spaces.
If the file is in a subdirectory, specify the subdirectory name, followed by a forward
slash, in front of the filename. For example: subdir_a/file_a.
Defaults
None.
Access
Enabled.
History
Version 1.0 Command introduced.
Version 3.0 Subdirectory support added, to delete a file that is in a subdirectory.
Usage
You might want to copy the file to a TFTP server as a backup before deleting the file.
Warning!
MSS does not prompt you to verify if you want to delete a file. When you
press Enter after typing a delete command, MSS immediately deletes the
specified file.
Note:
MSS does not allow you to delete the currently running software image file or
the running configuration.
Examples
The following commands copy file testconfig to a TFTP server and delete the file from
nonvolatile storage:
MX# copy testconfig tftp://10.1.1.1/testconfig
success: sent 365 bytes in 0.401 seconds [ 910 bytes/sec]
MX# delete testconfig
success: file deleted.
The following command deletes file dang_doc from subdirectory dang:
MX# delete dang/dang_doc
success: file deleted.
See Also
copy on page 485
dir on page 488
dir
Displays a list of the files in nonvolatile storage and temporary files.
Syntax
dir [subdirname] | [file:] | [core:] | [boot0:] | [boot1:]
subdirname Subdirectory name. If you specify a subdirectory name, the command lists the files in
that subdirectory. Otherwise, the command lists the files in the root directory and
also lists the subdirectories.
file: Limits dir output to the contents of the user files area.
core: Limits dir output to the contents of the /tmp/core subdirectory.
boot0: Limits dir output to the contents of the boot0 partition.
boot1: Limits dir output to the contents of the boot1 partition.
Defaults
None.
Access
Enabled.
History
Version 1.0 Command introduced.
Version 1.1 Enhanced to list the image files in the boot partitions and indicate the partition that
was used to load the currently running image.
Version 3.0 subdirectory option added, to list the files in the specified subdirectory.
Version 4.1 core:, file:, boot0:, and boot1: options added, to limit the output to the specified
category.
Examples
The following command displays the files in the root directory:
MX# dir
===============================================================================
file:
Filename Size Created
file:configuration 48 KB Jul 12 2005, 15:02:32
file:corp2:corp2cnfig 17 KB Mar 14 2005, 22:20:04
corp_a/ 512 bytes May 21 2004, 19:15:48
file:dangcfg 14 KB Mar 14 2005, 22:20:04
old/ 512 bytes May 16 2004, 17:23:44
file:pubsconfig-april062005 40 KB May 09 2005, 21:08:30
file:sysa_bak 12 KB Mar 15 2005, 19:18:44
file:testback 28 KB Apr 19 2005, 16:37:18
Total: 159 Kbytes used, 207663 Kbytes free
===============================================================================
Boot:
Filename Size Created
boot0:mx040100.020 9780 KB Aug 23 2005, 15:54:08
*boot1:mx040100.020 9796 KB Aug 28 2005, 21:09:56
Boot0: Total: 9780 Kbytes used, 2460 Kbytes free
Boot1: Total: 9796 Kbytes used, 2464 Kbytes free
===============================================================================
temporary files:
Filename Size Created
core:command_audit.cur 37 bytes Aug 28 2005, 21:11:41
Total: 37 bytes used, 91707 Kbytes free
The following command displays the files in the old subdirectory:
MX# dir old
===============================================================================
file:
Filename Size Created
file:configuration.txt 3541 bytes Sep 22 2003, 22:55:44
file:configuration.xml 24 KB Sep 22 2003, 22:55:44
Total: 27 Kbytes used, 207824 Kbytes free
The following command limits the output to the contents of the user files area:
MX# dir file:
===============================================================================
file:
Filename Size Created
file:configuration 48 KB Jul 12 2005, 15:02:32
file:corp2:corp2cnfig 17 KB Mar 14 2005, 22:20:04
corp_a/ 512 bytes May 21 2004, 19:15:48
file:dangcfg 14 KB Mar 14 2005, 22:20:04
dangdir/ 512 bytes May 16 2004, 17:23:44
file:pubsconfig-april062005 40 KB May 09 2005, 21:08:30
file:sysa_bak 12 KB Mar 15 2005, 19:18:44
file:testback 28 KB Apr 19 2005, 16:37:18
Total: 159 Kbytes used, 207663 Kbytes free
The following command limits the output to the contents of the /tmp/core subdirectory:
MX# dir core:
===============================================================================
file:
Filename Size Created
core:command_audit.cur 37 bytes Aug 28 2005, 21:11:41
Total: 37 bytes used, 91707 Kbytes free
The following command limits the output to the contents of the boot0 partition:
MX# dir boot0:
===============================================================================
file:
Filename Size Created
boot0:mx040100.020 9780 KB Aug 23 2005, 15:54:08
Total: 9780 Kbytes used, 207663 Kbytes free
Table 21-1 describes the fields in the dir output.
Table 21-1. Output for dir
Field Description
Filename Filename or subdirectory name.
For files, the directory name is shown in front of the filename (for example,
file:configuration). The file: directory is the root directory.
For subdirectories, a forward slash is shown at the end of the subdirectory
name (for example, old/ ).
In the boot partitions list (Boot:), an asterisk (*) indicates the boot partition
from which the currently running image was loaded and the image filename.
Size Size in Kbytes or bytes.
Created System time and date when the file was created or copied onto the MX.
Total Number of kilobytes in use to store files and the number that are still free.
See Also
copy on page 485
delete on page 487
install soda agent
Installs Sygate On-Demand (SODA) agent files in a directory on the MX.
Syntax
install soda agent agent-file agent-directory directory
agent-file Name of a .zip file on the MX containing SODA agent files.
directory Directory on the MX where SODA agent files are to be installed. The command
automatically creates this directory.
Defaults
None.
Access
Enabled.
History
Introduced in MSS Version 4.2.
Usage
Use this command to install a .zip file containing SODA agent files into a directory on the
MX switch. Prior to installing the SODA agent files, you must have already copied the .zip file to
the MX switch. This command creates the specified directory, unzips the file and places the
contents into the directory. If the specified directory has the same name as an SSID, then that
SSID uses the SODA agent files in the directory if SODA functionality is enabled for the service
profile that manages the SSID.
Examples
The following command installs the contents of the file soda.ZIP into a directory called
sp1:
MX# install soda agent soda.ZIP agent-directory sp1
This command may take up to 20 seconds...
MX#
See Also
uninstall soda agent on page 502
set service-profile soda mode on page 308
load config
Loads configuration commands from a file and replaces the MX running configuration with the
commands in the loaded file.
Syntax
load config [url]
url Filename. Specify between 1 and 128 alphanumeric characters, with no spaces.
If the file is in a subdirectory, specify the subdirectory name, followed by a forward
slash, in front of the filename. For example: backup_configs/config_c.
Note:
The current version supports loading a configuration file only from the MX
nonvolatile storage. You cannot load a configuration file directly from a TFTP
server.
Defaults
The default file location is nonvolatile storage.
If you do not specify a filename, MSS uses the same configuration filename that was used for the
previous configuration load. For example, if the MX used configuration for the most recent
configuration load, MSS uses configuration again unless you specify a different filename. To
display the filename of the configuration file MSS loaded during the last reboot, use the show
boot command.
Access
Enabled.
History
Version 1.0 Command introduced.
Version 3.0 Subdirectory support added, to load a file that is in a subdirectory.
Usage
This command completely replaces the running configuration with the configuration in the
file.
Warning!
This command completely removes the running configuration and replaces
it with the configuration contained in the file. Trapeze Networks
recommends that you save a copy of the current running configuration to a
backup configuration file before loading a new configuration.
Examples
The following command reloads the configuration from the most recently loaded
configuration file:
MX# load config
Reloading configuration may result in lost of connectivity, do you wish to continue? (y/n)
[n]y
success: Configuration reloaded
The following command loads configuration file testconfig1:
MX# load config testconfig1
Reloading configuration may result in lost of connectivity, do you wish to continue? (y/n)
[n]y
success: Configuration reloaded
See Also
save config on page 495
show boot on page 497
show config on page 499
md5
Calculates the MD5 checksum for a file in the MX nonvolatile storage.
Syntax
md5 [boot0: | boot1:]filename
boot0: | boot1: Boot partition into which you copied the file.
filename Name of the file.
Defaults
None.
Access
Enabled.
History
Introduced in MSS Version 4.0.
Usage
You must include the boot partition name in front of the filename. If you specify only the
filename, the CLI displays a message stating that the file does not exist.
Examples
The following command calculates the checksum for image file MX040003.020 in boot
partition 0:
pubs# md5 boot0:MX040003.020
MD5 (boot0:MX040003.020) = b9cf7f527f74608e50c70e8fb896392a
See Also
copy on page 485
dir on page 488
mkdir
Creates a new subdirectory in nonvolatile storage.
Syntax
mkdir [subdirname]
subdirname Subdirectory name. Specify between 1 and 32 alphanumeric characters, with no
spaces.
Defaults
None.
Access
Enabled.
History
Introduced in MSS Version 3.0.
Examples
The following commands create a subdirectory called corp2 and display the root
directory to verify the result:
MX# mkdir corp2
success: change accepted.
MX# dir
===============================================================================
file:
Filename Size Created
file:configuration 17 KB May 21 2004, 18:20:53
file:configuration.txt 379 bytes May 09 2004, 18:55:17
corp2/ 512 bytes May 21 2004, 19:22:09
corp_a/ 512 bytes May 21 2004, 19:15:48
file:dangcfg 13 KB May 16 2004, 18:30:44
dangdir/ 512 bytes May 16 2004, 17:23:44
old/ 512 bytes Sep 23 2003, 21:58:48
Total: 33 Kbytes used, 207822 Kbytes free
===============================================================================
Boot:
Filename Size Created
*boot0:bload 746 KB May 09 2004, 19:02:16
*boot0:mx030000.020 8182 KB May 09 2004, 18:58:16
boot1:mx030000.020 8197 KB May 21 2004, 18:01:02
Boot0: Total: 8928 Kbytes used, 3312 Kbytes free
Boot1: Total: 8197 Kbytes used, 4060 Kbytes free
===============================================================================
temporary files:
Filename Size Created
Total: 0 bytes used, 93537 Kbytes free
See Also
dir on page 488
rmdir on page 495
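The md5 command above reports the hash of an image only after it has been copied onto the MX. As an added example (not Trapeze code), the following Python helper computes the MD5 of the image file on the admin or TFTP host before the copy and checks it against the line the MX prints in the md5 example, so that a corrupted or truncated transfer is caught before the partition is selected for boot. The output line format is taken from the example above; the file contents, the temporary path and the selfcheck function are constructed for this example.

```python
"""Cross-check an MSS `md5` result against a locally computed hash (added example, not Trapeze code)."""
import hashlib
import re
import tempfile
from pathlib import Path
from typing import Optional, Tuple

# Shape of the line the MX prints, e.g.
#   MD5 (boot0:MX040003.020) = b9cf7f527f74608e50c70e8fb896392a
_MSS_MD5_LINE = re.compile(
    r"^MD5 \((?P<partition>boot[01]):(?P<filename>\S+)\) = (?P<digest>[0-9a-f]{32})\s*$"
)


def local_md5(path: Path) -> str:
    """MD5 of the image on the admin/TFTP host, streamed so a large image is not read at once."""
    h = hashlib.md5()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_mss_md5(line: str) -> Optional[dict]:
    """Return {'partition', 'filename', 'digest'} for an MSS md5 output line, else None
    (the CLI prints a 'does not exist' message instead when the partition prefix is missing)."""
    m = _MSS_MD5_LINE.match(line.strip())
    return m.groupdict() if m else None


def image_matches(mss_line: str, local_image: Path, expected_filename: str) -> bool:
    """True only if the MX reported the expected filename and the same digest as the local copy.

    MD5 is what the MX offers; it detects a corrupted or truncated TFTP transfer, but the
    local copy's digest should itself be compared with the vendor's published value."""
    parsed = parse_mss_md5(mss_line)
    if parsed is None or parsed["filename"] != expected_filename:
        return False
    return parsed["digest"] == local_md5(local_image)


def selfcheck() -> Tuple[bool, bool]:
    """Round trip on a constructed file: (intact copy accepted, altered copy rejected)."""
    with tempfile.TemporaryDirectory() as d:
        image = Path(d) / "MX020101.020"  # constructed stand-in for an image file
        image.write_bytes(b"constructed image contents\n")
        reported = f"MD5 (boot1:MX020101.020) = {local_md5(image)}"  # what the MX would print
        intact = image_matches(reported, image, "MX020101.020")
        image.write_bytes(b"constructed image contents, altered\n")  # simulate a bad transfer
        altered = image_matches(reported, image, "MX020101.020")
    return intact, altered


if __name__ == "__main__":
    print(selfcheck())
```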
reset system
Restarts an MX and reboots the software.
Syntax
reset system [force]
force Immediately restarts the system and reboots, without comparing the running
configuration to the configuration file.
Defaults
None.
Access
Enabled.
History
Introduced in MSS Version 1.0.
Usage
If you do not use the force option, the command first compares the running configuration
to the configuration file. If the running configuration and configuration file do not match, MSS
does not restart the MX but instead displays a message advising you to either save the
configuration changes or use the force option.
Examples
The following command restarts an MX that does not have any unsaved configuration
changes:
MX# reset system
This will reset the entire system. Are you sure (y/n)y
The following commands attempt to restart an MX switch with a running configuration with
unsaved changes, and then force the MX to restart:
MX# reset system
error: Cannot reset, due to unsaved configuration changes. Use "reset system force" to
override.
MX# reset system force
...... rebooting ......
See Also
save config on page 495
show boot on page 497
show version on page 500
restore
Unzips a system archive created by the backup command and copies the files from the archive
onto the switch.
Syntax
restore system [tftp:/ip-addr/]filename [all | critical] [force]
[tftp:/ip-addr/]filename Name of the archive file to load. The archive can be located in the MX
nonvolatile storage or on a TFTP server.
all Restores system files and the user files from the archive.
critical Restores system files only, including the configuration file used when
booting, and certificate files.
force Replaces files on the MX with those in the archive, even if the MX is not
the same as the one from which the archive was created.
CAUTION! Do not use this option unless advised to do so by Trapeze
Networks TAC. If you restore MX system files from one MX onto another
MX, you must generate new key pairs and certificates on the MX.
Defaults
The default is critical.
Access
Enabled.
History
Introduced in MSS Version 3.2.
Usage
If a file in the archive has a counterpart on the switch, the archive version of the file
replaces the file on the MX. The restore command does not delete files that do not have
counterparts in the archive. For example, the command does not completely replace the user files
area. Instead, files in the archive are added to the user files area. A file in the user area is
replaced only if the archive contains a file with the same name.
The backup command stores the MAC address of the switch in the archive. By default, the
restore command works only if the MAC address in the archive matches the MAC address of the
switch where the restore command is entered. The force option overrides this restriction and
allows you to unpack an archive from one MX onto another MX.
If the configuration running on the MX is different from the one in the archive or you renamed the
configuration file, and you want to retain changes made after the archive was created, see the
“Managing System Files” chapter of the Trapeze Mobility System Software Configuration Guide.
Note:
If the archive’s files cannot fit on the MX, the restore operation fails. Trapeze
Networks recommends deleting unneeded image files before creating or
restoring an archive.
Caution
Do not use the force option unless you are certain you want to replace the
MX files with files from another MX. If you restore one MX’s system files onto
another MX, you must generate new key pairs and certificates on the MX.
Examples
The following command restores system-critical files on an MX from archive sysa_bak:
MX# restore system tftp:/10.10.20.9/sysa_bak
success: received 11908 bytes in 0.150 seconds [ 79386 bytes/sec]
success: restore complete.
See Also
backup on page 483
rmdir
Removes a subdirectory from nonvolatile storage.
Syntax
rmdir [subdirname]
subdirname Subdirectory name. Specify between 1 and 32 alphanumeric characters, with no
spaces.
Defaults
None.
Access
Enabled.
History
Introduced in MSS Version 3.0.
Usage
MSS does not allow the subdirectory to be removed unless it is empty. Delete all files from
the subdirectory before attempting to remove it.
Examples
The following example removes subdirectory corp2:
MX# rmdir corp2
success: change accepted.
See Also
dir on page 488
mkdir on page 492
save config
Saves the running configuration to a configuration file.
Syntax
save config [filename]
filename Name of the configuration file. Specify between 1 and 128 alphanumeric characters,
with no spaces.
To save the file in a subdirectory, specify the subdirectory name, followed by a forward
slash, in front of the filename. For example: backup_configs/config_c.
Defaults
By default, MSS saves the running configuration as the configuration filename used
during the last reboot.
Access
Enabled.
History
Version 1.0 Command introduced
Version 3.0 Subdirectory support added, to save the configuration file to a subdirectory
Usage
If you do not specify a filename, MSS replaces the configuration file loaded during the most
recent reboot. To display the filename of the configuration file MSS loaded during the most recent
reboot, use the show boot command.
The command completely replaces the specified configuration file with the running configuration.
Examples
The following command saves the running configuration to the configuration file loaded
during the most recent reboot. In this example, the filename used during the most recent reboot is
configuration.
MX# save config
Configuration saved to configuration.
The following command saves the running configuration to a file named testconfig1:
MX# save config testconfig1
Configuration saved to testconfig1.
See Also
load config on page 491
show boot on page 497
show config on page 499
set boot backup-configuration
Specifies the name of a backup configuration file to be used if the current configuration file cannot
be read by the MX at boot time.
Syntax
set boot backup-configuration filename
filename Name of the file to use as a backup configuration file if MSS cannot read the MX
configuration file.
Defaults
By default, there is no backup configuration file.
Access
Enabled.
History
Introduced in MSS Version 4.1.
Examples
The following command specifies a file called backup.cfg as the backup configuration
file on the MX:
MX# set boot backup-configuration backup.cfg
success: backup boot config filename set.
See Also
clear boot backup-configuration on page 484
show boot on page 497
set boot configuration-file
Changes the configuration file to load after rebooting.
Syntax
set boot configuration-file filename
filename Filename. Specify between 1 and 128 alphanumeric characters, with no spaces.
To load the file from a subdirectory, specify the subdirectory name, followed by a
forward slash, in front of the filename. For example: backup_configs/config_c.
Defaults
The default configuration filename is configuration.
Access
Enabled.
History
Version 1.0 Command introduced
Version 3.0 Subdirectory support added, to load a configuration file from a subdirectory
Usage
The file must be located in the MX nonvolatile storage.
Examples
The following command sets the boot configuration file to testconfig1:
MX# set boot configuration-file testconfig1
success: boot config set.
set boot partition
Specifies the boot partition in which to look for the system image file following the next system
reset, software reload, or power cycle.
Syntax
set boot partition {boot0 | boot1}
boot0 Boot partition 0.
boot1 Boot partition 1.
Defaults
By default, an MX uses the same boot partition for the next software reload that was
used to boot the currently running image.
Access
Enabled.
History
Introduced in MSS Version 1.1.
Usage
To determine the boot partition used to load the currently running software image, use the
dir command.
Examples
The following command sets the boot partition for the next software reload to partition
1:
MX# set boot partition boot1
success: Boot partition set to boot1.
See Also
copy on page 485
dir on page 488
reset system on page 493
show boot
Displays the system image and configuration filenames used after the last reboot and configured
for use after the next reboot.
Syntax
show boot
Defaults
None.
Access
Access.
History
Version 1.0 Command introduced
Version 1.1 The following fields were removed because they are not applicable in 1.1:
Last boot status
Unpacking status
Version 2.1 New field, Product model, added
Version 4.1 New fields, Configured boot version and Backup boot configuration, added
Examples
The following command shows the boot information for an MX:
MX# show boot
Configured boot version: 4.1.0.65
Configured boot image: boot1:mx040100.020
Configured boot configuration: file:configuration
Backup boot configuration: file:backup.cfg
Booted version: 4.1.0.65
Booted image: boot1:mx040100.020
Booted configuration: file:configuration
Product model: MX
Table 21– 2 describes the fields in the show boot output.
Table 21– 2. Output for show boot
Field Description
Configured boot version Software version the MX runs when the software is rebooted.
Configured boot image Boot partition and image filename MSS uses to boot when the software is rebooted.
Configured boot configuration Configuration filename MSS uses to boot when the software is rebooted.
Backup boot configuration The name of the configuration file to be used in the event that MSS cannot read the configured boot configuration file next time the software is rebooted.
Booted version Software version the MX is running.
Booted image Boot partition and image filename MSS used the last time the software was rebooted. MSS is running this software image.
Booted configuration Configuration filename MSS used to load the configuration the last time the software was rebooted.
See Also
clear boot config on page 485
reset system on page 493
set boot configuration-file on page 496
show version on page 500
show config
Displays the configuration running on the MX.
Syntax
show config [all | cluster | local] [area area]
Defaults
None.
Access
Enabled.
area area
Configuration area. You can specify one of the following:
aaa
acls
ap
ap-trace
arp
eapol
httpd
ip
ip-config
l2acl
load-balancing
log
mobility-domain
network-domain
ntp
port-group
port config
qos
radio-profile
rfdetect
service-profile
sm
snmp
snoop
spantree
system
trace
vlan
vlan-fdb
vlan-profile
If you do not specify a configuration area, nondefault
information for all areas is displayed.
cluster Displays only the cluster configuration on the MX.
local Displays only the local configuration on the MX.
all Includes configuration items set to the default values.
History
Version 1.0 Command introduced
Version 2.1 New comment added to the comments at top of the file, to list the model number
Version 3.0 New options added for area: radio-profile, rfdevice, service-profile.
rf-detection option removed. (Use rfdevice instead.)
Version 4.0 New option added for remote traffic monitoring: snoop.
rfdevice changed to rfdetect
Version 4.1 New options added: l2acl, network-domain, and qos
Version 4.2 Option portgroup renamed to port-group for consistency with clear port-group,
set port-group, and show port-group commands.
Version 7.0 Added the options cluster and local to support Virtual Controller Cluster
configuration.
Usage
If you do not use one of the optional parameters, configuration commands that set
nondefault values are displayed for all configuration areas. If you specify an area, commands are
displayed for that area only. If you use the all option, the display also includes commands for
configuration items that are set to the default values.
Examples
The following command shows configuration information for VLANs:
MX# show config area vlan
# Configuration nvgen'd at 2004-5-21 19:36:48
# Image 3.0.0
# Model MX
# Last change occurred at 2004-5-21 18:20:50
set vlan 1 port 1
See Also
load config on page 491
save config on page 495
show version
Displays software and hardware version information for an MX and, optionally, for any attached
MPs.
Syntax
show version [details]
details Includes additional software build information and information about the MP
configured on the MX.
Defaults
None.
Access
All.
History
Version 1.0 Command introduced
Version 2.1 Label of Port field in detailed display modified to Port/DAP
Examples
The following command displays version information for an MX:
MX# show version
Mobility System Software, Version: 4.1.0 QA 67
Copyright (c) 2002, 2003, 2004, 2005 Trapeze Networks, Inc. All rights reserved.
Build Information: (build#67) TOP 2005-07-21 04:41:00
Model: MX
Hardware
Mainboard: version 24 ; revision 3 ; FPGA version 24
PoE board: version 1 ; FPGA version 6
Serial number 0321300013
Flash: 4.1.0.14 - md0a
Kernel: 3.0.0#20: Fri May 20 17:43:51 PDT 2005
BootLoader: 4.10 / 4.1.0
The following command displays additional software build information and MP information:
MX# show version details
Mobility System Software, Version: 4.1.0 QA 67
Copyright (c) 2002, 2003, 2004, 2005 Trapeze Networks, Inc. All rights reserved.
Build Information: (build#67) TOP 2005-07-21 04:41:00
Label: 4.1.0.67_072105_MX20
Build Suffix: -d-O1
Model: MX
Hardware
Mainboard: version 24 ; revision 3 ; FPGA version 24
CPU Model: 750 (Revision 3.1)
PoE board: version 1 ; FPGA version 6
Serial number 0321300013
Flash: 4.1.0.14 - md0a
Kernel: 3.0.0#20: Fri May 20 17:43:51 PDT 2005
BootLoader: 4.10 / 4.1.0
Port/ AP AP Model Serial # Versions
-------- ---------- -------------- ------------------------
11 /- MP-352 0424902948 H/W : A
F/W1 : 5.6
F/W2 : 5.6
S/W : 4.1.0.67_072105_0432__AP
BOOT S/W : 4.0.3.15_062705_0107__AP
Table 21– 3 describes the fields in the show version output.
Table 21– 3. Output for show version
Field Description
Build Information Factory timestamp of the image file.
Label Software version and build date.
Build Suffix Build suffix.
Model Build model.
Hardware Version information for the MX motherboard and Power over Ethernet (PoE) board.
Serial number Serial number of the MX.
Flash Flash memory version.
Kernel Kernel version.
BootLoader Boot code version.
Port/AP Port number connected to an MP.
AP Model MP model number.
Serial # MP serial number.
Versions MP hardware, firmware, and software versions.
See Also
show boot on page 497
uninstall soda agent
Removes the contents of a directory containing SODA agent files.
Syntax
uninstall soda agent agent-directory directory
directory Directory on the MX where SODA agent files are to be removed.
Defaults
None.
Access
Enabled.
History
Introduced in MSS Version 4.2.
Usage
Use this command to remove a SODA agent directory and all files in the specified
directory. The command removes the directory and the contents, even if it does not contain SODA
agent files.
Examples
The following command removes the directory sp1 and all of the contents:
MX# uninstall soda agent agent-directory sp1
This will delete all files in agent-directory, do you wish to continue? (y|n) [n]y
See Also
install soda agent on page 490
set service-profile soda mode on page 308
22
Trace Commands
Use trace commands to perform diagnostic routines. While MSS allows you to run many types of
traces, this chapter describes commands for those traces you are most likely to use. For a
complete listing of the types of traces MSS allows, type the set trace ? command.
This chapter presents trace commands alphabetically. Use the following table to locate commands
in this chapter based on their use.
Warning!
Using the set trace command can have adverse effects on system performance.
Trapeze Networks recommends that you use the lowest levels possible for initial
trace commands, and slowly increase the levels to get the data you need.
Trace
set trace sm on page 22-507
set trace dot1x on page 22-506
set trace authentication on page 22-504
set trace authorization on page 22-505
show trace on page 22-507
save trace on page 22-504
clear log trace on page 22-503
clear log trace
Deletes the log messages stored in the trace buffer.
Syntax
clear log trace
Defaults
None.
Access
Enabled.
History
Introduced in MSS Version 1.0.
Examples
To delete the trace log, type the following command:
MX# clear log trace
See Also
set log on page 24-518
show log buffer on page 24-520
clear trace
Deletes running trace commands and ends trace processes.
Syntax
clear trace {trace-area | all}
trace-area Ends a particular trace process. Specify one of the following keywords to end the traces
documented in this chapter:
authorization—Ends an authorization trace
dot1x—Ends an 802.1X trace
authentication—Ends an authentication trace
sm—Ends a session manager trace
all Ends all trace processes.
Defaults
None.
Access
Enabled.
History
Introduced in MSS Version 1.0.
Examples
To clear all trace processes, type the following command:
MX# clear trace all
success: clear trace all
To clear the session manager trace, type the following command:
MX# clear trace sm
success: clear trace sm
See Also
set trace authentication on page 22-504
set trace authorization on page 22-505
set trace dot1x on page 22-506
set trace sm on page 22-507
show trace on page 22-507
save trace
Saves the accumulated trace data for enabled traces to a file in the MX nonvolatile storage.
Syntax
save trace filename
filename Name for the trace file. To save the file in a subdirectory, specify the subdirectory name,
then a slash. For example: traces/trace1
Defaults
None.
Access
Enabled.
History
Introduced in MSS Version 3.0.
Examples
To save trace data into the file trace1 in the subdirectory traces, type the following
command:
MX# save trace traces/trace1
set trace authentication
Traces authentication information.
Syntax
set trace authentication [ip-addr ip address] [mac-addr mac-address]
[port port-num] [user username] [level level]
ip-addr ip address Specify an IP address in the IPv4 format.
mac-addr mac-address Traces a MAC address. Specify a MAC address, using colons to separate the
octets (for example, 00:11:22:aa:bb:cc).
port port-num Traces a port number. Specify an MX port number between 1 and 22.
user username Traces a user. Specify a username of up to 32 alphanumeric characters with
no spaces.
level level Determines the quantity of information included in the output. You can set
the level with an integer from 1 to 10, where level 10 provides the most
information. Levels 1 through 5 provide user-readable information. If you do
not specify a level, level 5 is the default.
Defaults
The default trace level is 5.
Access
Enabled.
History
MSS Version 1.0 Command introduced.
MSS Version 7.0 The option ip-addr was added.
Examples
The following command starts a trace for information about user jose authentication:
MX# set trace authentication user jose
success: change accepted.
See Also
clear trace on page 22-503
show trace on page 22-507
set trace authorization
Traces authorization information.
Syntax
set trace authorization [ip-addr ip address] [mac-addr mac-address]
[port port-num] [user username] [level level]
ip-addr ip address Specify an IP address in the IPv4 format.
mac-addr mac-address Traces a MAC address. Specify a MAC address, using colons to separate the
octets (for example, 00:11:22:aa:bb:cc).
port port-num Traces a port number. Specify an MX port number between 1 and 22.
user username Traces a user. Specify a username of up to 80 alphanumeric characters with
no spaces.
level level Determines the quantity of information included in the output. You can set
the level with an integer from 1 to 10, where level 10 provides the most
information. Levels 1 through 5 provide user-readable information. If you do
not specify a level, level 5 is the default.
Defaults
The default trace level is 5.
Access
Enabled.
History
MSS Version 1.0 Command introduced.
MSS Version 7.0 The option ip-addr was added.
Examples
The following command starts a trace for information for authorization for MAC
address 00:01:02:03:04:05:
MX# set trace authorization mac-addr 00:01:02:03:04:05
success: change accepted.
See Also
clear trace on page 22-503
show trace on page 22-507
set trace dot1x
Traces 802.1X sessions.
Syntax
set trace dot1x [ip-addr ip address] [mac-addr mac-address] [port port-num]
[user username] [level level]
ip-addr ip address Specify an IP address in the IPv4 format.
mac-addr mac-address Traces a MAC address. Specify a MAC address, using colons to separate the
octets (for example, 00:11:22:aa:bb:cc).
port port-num Traces a port number. Specify an MX port number between 1 and 22.
user username Traces a user. Specify a username of up to 80 alphanumeric characters with
no spaces.
level level Determines the quantity of information included in the output. You can set
the level with an integer from 1 to 10, where level 10 provides the most
information. Levels 1 through 5 provide user-readable information. If you
do not specify a level, level 5 is the default.
Defaults
The default trace level is 5.
Access
Enabled.
History
MSS Version 1.0 Command introduced.
MSS Version 7.0 The option ip-addr was added.
Examples
The following command starts a trace for the 802.1X sessions for MAC address
00:01:02:03:04:05:
MX# set trace dot1x mac-addr 00:01:02:03:04:05
success: change accepted.
See Also
clear trace on page 22-503
show trace on page 22-507
set trace sm
Traces session manager activity.
Syntax
set trace sm [ip-addr ip address] [mac-addr mac-address] [port port-num]
[user username] [level level]
ip-addr ip address Specify an IP address in the IPv4 format.
mac-addr mac-address Traces a MAC address. Specify a MAC address, using colons to separate the
octets (for example, 00:11:22:aa:bb:cc).
port port-num Traces a port number. Specify an MX port number between 1 and 22.
user username Traces a user. Specify a username of up to 80 alphanumeric characters,
with no spaces.
level level Determines the quantity of information included in the output. You can set
the level with an integer from 1 to 10, where level 10 provides the most
information. Levels 1 through 5 provide user-readable information. If you
do not specify a level, level 5 is the default.
Defaults
The default trace level is 5.
Access
Enabled.
History
MSS Version 1.0 Command introduced.
MSS Version 7.0 The option ip-addr was added.
Examples
Type the following command to trace session manager activity for MAC address
00:01:02:03:04:05:
MX# set trace sm mac-addr 00:01:02:03:04:05
success: change accepted.
See Also
clear trace on page 22-503
show trace on page 22-507
show trace
Displays information about traces that are currently configured on the MX, or all possible trace
options.
Syntax
show trace [all]
all Displays all possible trace options and their configuration.
Defaults
None.
Access
Enabled.
History
Introduced in MSS Version 1.0.
Examples
To view the traces currently running, type the following command:
MX# show trace
milliseconds spent printing traces: 1885.614
Trace Area Level Mac User Port Filter
-------------------- ----- ----------------- ----------------- ---- --------
dot1x 5 0
sm 5 0
See Also
clear trace on page 22-503
set trace authentication on page 22-504
set trace authorization on page 22-505
set trace dot1x on page 22-506
set trace sm on page 22-507
23
Snoop Commands
Use snoop commands to monitor wireless traffic, by using an MP as a sniffing device. The MP
copies the sniffed 802.11 packets and sends the copies to an observer, typically a protocol analyzer
such as Ethereal or Tethereal.
(For more information, including setup instructions for the monitoring station, see the “Remotely
Monitoring Traffic” section in the “Troubleshooting an MX Switch” chapter of the Trapeze
Mobility System Software Configuration Guide.)
This chapter presents snoop commands alphabetically. Use the following table to locate
commands in this chapter based on their use.
Remote monitoring (snooping)
set snoop on page 23-510
show snoop info on page 23-513
clear snoop on page 23-509
set snoop map on page 23-511
show snoop map on page 23-514
show snoop on page 23-513
clear snoop map on page 23-509
set snoop mode on page 23-512
show snoop stats on page 23-514
clear snoop
Deletes a snoop filter.
Syntax
clear snoop filter-name
filter-name Name of the snoop filter.
Defaults
None.
Access
Enabled.
History
Introduced in MSS Version 4.0.
Examples
The following command deletes snoop filter snoop1:
MX# clear snoop snoop1
See Also
set snoop on page 23-510
show snoop info on page 23-513
clear snoop map
Removes a snoop filter from an MP radio.
Syntax
clear snoop map filter-name ap apnum radio {1 | 2}
filter-name Name of the snoop filter.
ap apnum Number of the MP to which the snoop filter is mapped.
radio 1 Radio 1 of the MP.
radio 2 Radio 2 of the MP. (This option does not apply to single-radio models.)
Defaults
None.
Access
Enabled.
History
Introduced in MSS Version 4.0.
Examples
The following command removes snoop filter snoop2 from radio 2 on Distributed MP 3:
MX# clear snoop map snoop2 ap 3 radio 2
success: change accepted.
The following command removes all snoop filter mappings from all radios:
MX# clear snoop map all
success: change accepted.
See Also
set snoop map on page 23-511
show snoop on page 23-513
show snoop map on page 23-514
set snoop
Configures a snoop filter.
Syntax
set snoop filter-name [condition-list] [observer ip-addr] [snap-length num]
filter-name Name for the filter. The name can be up to 15 alphanumeric characters, with no
spaces.
condition-list Match criteria for packets. Conditions in the list are ANDed. Therefore, to be copied
and sent to an observer, a packet must match all criteria in the condition-list. You can
specify up to eight of the following conditions in a filter, in any order or combination:
frame-type {eq | neq} {beacon | control | data | management | probe}
channel {eq | neq} channel
bssid {eq | neq} bssid
src-mac {eq | neq | lt | gt} mac-addr
dest-mac {eq | neq | lt | gt} mac-addr
host-mac {eq | neq | lt | gt} mac-addr
mac-pair mac-addr1 mac-addr2
direction {eq | neq} {transmit | receive}
To match on packets to or from a specific MAC address, use the dest-mac or src-mac
option. To match on both send and receive traffic for a host address, use the host-mac
option. To match on a traffic flow (source and destination MAC addresses), use the
mac-pair option. This option matches for either direction of a flow, and either MAC
address can be the source or destination address.
If you omit a condition, all packets match that condition. For example, if you omit
frame-type, all frame types match the filter.
For most conditions, you can use eq (equal) to match only on traffic that matches the
condition value. Use neq (not equal) to match only on traffic that is not equal to the
condition value.
The src-mac, dest-mac, and host-mac conditions also support lt (less than) and gt
(greater than).
Defaults
No snoop filters are configured by default.
Access
Enabled.
Usage
Traffic that matches a snoop filter is copied after it is decrypted. The decrypted (clear)
version is sent to the observer.
For best results:
Do not specify an observer that is associated with the MP configured with the snoop filter. This
configuration causes an endless cycle of snoop traffic.
If the snoop filter is running on a Distributed MP, and the MP used a DHCP server in its local
subnet to configure the IP information, and the MP did not receive a default router (gateway)
address as a result, the observer must also be in the same subnet. Without a default router,
the MP cannot find the observer.
The MP with a snoop filter forwards snooped packets directly to the observer. This is a
one-way communication, from the MP to the observer. If the observer is not present, the MP
still sends the snoop packets, which uses bandwidth. If the observer is present but is not
listening to TZSP traffic, the observer continuously sends ICMP error indications back to the
MP. These ICMP messages can affect network and MP performance.
Examples
The following command configures a snoop filter named snoop1 that matches on all
traffic, and copies the traffic to the device that has IP address 10.10.30.2:
MX# set snoop snoop1 observer 10.10.30.2 snap-length 100
The following command configures a snoop filter named snoop2 that matches on all data traffic
between the device with MAC address aa:bb:cc:dd:ee:ff and the device with MAC address
11:22:33:44:55:66, and copies the traffic to the device that has IP address 10.10.30.3:
MX# set snoop snoop2 frame-type eq data mac-pair aa:bb:cc:dd:ee:ff 11:22:33:44:55:66
observer 10.10.30.3 snap-length 100
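The condition-list semantics described for set snoop, applied to the snoop1 and snoop2 filters above, as an added example that is not Trapeze code: a small Python evaluator parses a condition-list and counts the constructed frames it would select, the way the MP radio counts matches. The Frame record, the sample frames, and the treatment of host-mac with neq (the host must appear as neither address) are assumptions, not something the reference states.

```python
"""Evaluate MSS set snoop condition lists against 802.11 frame records.
Added illustration, not Trapeze code; Frame is a constructed stand-in for a
sniffed packet. Conditions are ANDed, an omitted condition matches everything,
host-mac tests either address and mac-pair matches a flow in either direction."""
from dataclasses import dataclass

FRAME_TYPES = {"beacon", "control", "data", "management", "probe"}
MAC_CONDS = {"src-mac", "dest-mac", "host-mac"}
CONDITIONS = {"frame-type", "channel", "bssid", "direction"} | MAC_CONDS


@dataclass(frozen=True)
class Frame:
    frame_type: str
    channel: int
    bssid: str
    src_mac: str
    dest_mac: str
    direction: str  # "transmit" or "receive", relative to the MP radio


def mac_key(mac):
    """Turn a colon-separated MAC into an int so that lt/gt compare numerically."""
    parts = mac.lower().split(":")
    if len(parts) != 6 or any(len(p) != 2 for p in parts):
        raise ValueError(f"bad MAC address: {mac!r}")
    return int("".join(parts), 16)


def parse_conditions(tokens):
    """Parse condition-list tokens into (condition, operator, value) tuples;
    mac-pair carries operator None and a frozenset of its two MAC keys."""
    conds, i = [], 0
    while i < len(tokens):
        name = tokens[i]
        if i + 2 >= len(tokens):
            raise ValueError(f"incomplete condition near {name!r}")
        if name == "mac-pair":
            pair = frozenset(mac_key(m) for m in tokens[i + 1:i + 3])
            if len(pair) != 2:
                raise ValueError("mac-pair needs two distinct MAC addresses")
            conds.append((name, None, pair))
        else:
            op, value = tokens[i + 1], tokens[i + 2]
            # lt/gt are only documented for the three MAC conditions
            allowed = ("eq", "neq", "lt", "gt") if name in MAC_CONDS else ("eq", "neq")
            if name not in CONDITIONS or op not in allowed:
                raise ValueError(f"invalid condition: {name} {op}")
            if name in MAC_CONDS or name == "bssid":
                value = mac_key(value)
            elif name == "channel":
                value = int(value)
            elif name == "frame-type" and value not in FRAME_TYPES:
                raise ValueError(f"unknown frame type {value}")
            conds.append((name, op, value))
        i += 3
    if len(conds) > 8:
        raise ValueError("a snoop filter accepts at most eight conditions")
    return conds


def _cmp(op, actual, wanted):
    return {"eq": actual == wanted, "neq": actual != wanted,
            "lt": actual < wanted, "gt": actual > wanted}[op]


def matches(conds, frame):
    """True when the frame satisfies every condition (conditions are ANDed)."""
    src, dst = mac_key(frame.src_mac), mac_key(frame.dest_mac)
    fields = {"frame-type": frame.frame_type, "channel": frame.channel,
              "bssid": mac_key(frame.bssid), "direction": frame.direction,
              "src-mac": src, "dest-mac": dst}
    for name, op, value in conds:
        if name == "mac-pair":  # either address may be the source
            ok = frozenset((src, dst)) == value
        elif name == "host-mac":
            # Assumption: neq means the host appears as neither address;
            # for eq/lt/gt it is enough that either address passes the test.
            ok = (src != value and dst != value) if op == "neq" else (
                _cmp(op, src, value) or _cmp(op, dst, value))
        else:
            ok = _cmp(op, fields[name], value)
        if not ok:
            return False
    return True


def rx_match_count(conds, frames):
    """Frames the filter selects, like the Rx Match column of show snoop stats."""
    return sum(1 for f in frames if matches(conds, f))


# Constructed sample frames, not captured traffic.
SAMPLE_FRAMES = [
    Frame("data", 6, "00:0b:0e:00:00:01", "aa:bb:cc:dd:ee:ff", "11:22:33:44:55:66", "receive"),
    Frame("data", 6, "00:0b:0e:00:00:01", "11:22:33:44:55:66", "aa:bb:cc:dd:ee:ff", "transmit"),
    Frame("management", 6, "00:0b:0e:00:00:01", "aa:bb:cc:dd:ee:ff", "11:22:33:44:55:66", "receive"),
    Frame("data", 11, "00:0b:0e:00:00:02", "aa:bb:cc:dd:ee:ff", "de:ad:be:ef:00:01", "receive"),
]

if __name__ == "__main__":
    # snoop1 has no conditions, so every frame matches; snoop2 is the page's data/mac-pair filter
    snoop2 = parse_conditions("frame-type eq data mac-pair aa:bb:cc:dd:ee:ff 11:22:33:44:55:66".split())
    print("snoop1 Rx Match:", rx_match_count([], SAMPLE_FRAMES))
    print("snoop2 Rx Match:", rx_match_count(snoop2, SAMPLE_FRAMES))
```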
observer ip-addr Specifies the IP address of the station where the protocol analyzer is located. If you do
not specify an observer, the MP radio still counts the packets that match the filter.
snap-length num Specifies the maximum number of bytes to capture. If you do not specify a length, the
entire packet is copied and sent to the observer. Trapeze Networks recommends
specifying a snap length of 100 bytes or less.
History
Version 4.0 Command introduced
Version 5.0 New Boolean operators: lt (less than) and gt (greater than). The new options
apply to src-mac, dest-mac, and host-mac.
Version 6.0 Direction filter added.
See Also
clear snoop on page 23-509
set snoop map on page 23-511
set snoop mode on page 23-512
show snoop info on page 23-513
show snoop stats on page 23-514
set snoop map
Maps a snoop filter to a radio on an MP. A snoop filter does not take effect until you map it to a
radio and enable the filter.
Syntax
set snoop map filter-name ap apnum radio {1 | 2}
filter-name Name of the snoop filter.
ap ap-num Number of an MP to which to map the snoop filter.
radio 1 Radio 1 of the MP.
radio 2 Radio 2 of the MP. (This option does not apply to single-radio models.)
Defaults
Snoop filters are unmapped by default.
Access
Enabled.
History
Introduced in MSS Version 4.0.
Usage
You can map the same filter to more than one radio. You can map up to eight filters to the
same radio. If more than one filter has the same observer, the MP sends only one copy of a packet
that matches a filter to the observer. After the first match, the MP sends the packet and stops
comparing the packet against other filters for the same observer.
If the filter does not have an observer, the MP still maintains a counter of the number of packets
that match the filter. (See show snoop stats on page 23-514.)
Examples
The following command maps snoop filter snoop1 to radio 2 on MP 3:
MX# set snoop map snoop1 ap 3 radio 2
success: change accepted.
See Also
clear snoop map on page 23-509
set snoop on page 23-510
set snoop mode on page 23-512
show snoop map on page 23-514
show snoop stats on page 23-514
set snoop mode
Enables a snoop filter. A snoop filter does not take effect until you map it to an MP radio and
enable the filter.
Syntax
set snoop {filter-name | all} mode {enable | disable}
{filter-name | all} Name of the snoop filter. Specify all to enable all snoop filters.
enable Enables the snoop filter.
disable Disables the snoop filter.
Defaults
Snoop filters are disabled by default.
Access
Enabled.
History
Version 4.0 Command introduced
Version 6.0 Removed stop-after option.
Filter mode made persistent across restarts
Usage
The filter mode is retained even if you disable and reenable the radio, or restart the MP or
the MX switch. Once the filter is enabled, you must use the disable option to disable it.
Examples
The following command enables snoop filter snoop1:
MX# set snoop snoop1 mode enable
success: filter 'snoop1' enabled
See Also
show snoop on page 23-513
show snoop info on page 23-513
show snoop map on page 23-514
show snoop stats on page 23-514
show snoop
Displays the MP radio mapping for all snoop filters.
Syntax
show snoop
Defaults
None.
Access
Enabled.
History
Introduced in MSS Version 4.0.
Usage
To display the mappings for a specific MP radio, use the show snoop map command.
Examples
The following command shows the MP radio mappings for all snoop filters configured on
an MX switch:
MX# show snoop
AP: 3 Radio: 2
snoop1
snoop2
AP: 2 Radio: 2
snoop2
See Also
clear snoop map on page 23-509
set snoop map on page 23-511
show snoop map on page 23-514
show snoop info
Shows the configured snoop filters.
Syntax
show snoop filter-name
filter-name    Name of the snoop filter.
Defaults
None.
Access
Enabled.
History
Introduced in MSS Version 4.0.
Examples
The following command shows the snoop filters configured in the examples above:
MX# show snoop info
snoop1:
observer 10.10.30.2 snap-length 100
all packets
snoop2:
observer 10.10.30.3 snap-length 100
frame-type eq data
mac-pair (aa:bb:cc:dd:ee:ff, 11:22:33:44:55:66)
See Also
clear snoop on page 23-509
set snoop on page 23-510
show snoop map
Shows the MP radios mapped to a specific snoop filter.
Syntax
show snoop map filter-name
filter-name    Name of the snoop filter.
Defaults
None.
Access
Enabled.
History
Introduced in MSS Version 4.0.
Usage
To display the mappings for all snoop filters, use the show snoop command.
Examples
The following command shows the mapping for snoop filter snoop1:
MX# show snoop map snoop1
filter 'snoop1' mapping
AP: 3 Radio: 2
See Also
clear snoop map on page 23-509
set snoop map on page 23-511
show snoop on page 23-513
show snoop stats
Displays statistics for enabled snoop filters.
Syntax
show snoop stats [filter-name [ap-num [radio {1 | 2}]]]
filter-name    Name of the snoop filter.
ap ap-num      Number of an MP to which the snoop filter is mapped.
radio 1        Radio 1 of the MP.
radio 2        Radio 2 of the MP. (This option does not apply to single-radio models.)
Defaults
None.
Access
Enabled.
History
Introduced in MSS Version 4.0.
Usage
The MP retains statistics for a snoop filter until the filter is changed or disabled. The MP
then clears the statistics.
Examples
The following command shows statistics for snoop filter snoop1:
MX# show snoop stats snoop1
Filter     AP   Radio   Rx Match   Tx Match   Dropped
===================================================================
snoop1     3    1       96         4          0
Table 23-1 describes the fields in this display.
Table 23-1. show snoop stats Output
Field      Description
Filter     Name of the snoop filter.
AP         MP containing the radio to which the filter is mapped.
Radio      Radio to which the filter is mapped.
Rx Match   Number of packets received by the radio that match the filter.
Tx Match   Number of packets sent by the radio that match the filter.
Dropped    Number of packets that matched the filter but that were not copied to the
           observer due to memory or network problems.
24
System Log Commands
Use the system log commands to record information for monitoring and troubleshooting. MSS
system logs are based on RFC 3164, which defines the log protocol.
This chapter presents system log commands alphabetically. Use the following table to locate
commands in this chapter based on their use.
System Logs    set log on page 24-518
               set log mark on page 24-519
               show log buffer on page 24-520
               show log config on page 24-521
               show log trace on page 24-521
               clear log on page 24-517
clear log
Clears the log messages stored in the log buffer, or removes the configuration for a syslog server
and stops sending log messages to that server.
Syntax
clear log [buffer | server ip-addr]
buffer            Deletes the log messages stored in nonvolatile storage.
server ip-addr    Deletes the configuration for and stops sending log messages to the syslog server at
                  this IP address. Specify an address in dotted decimal notation.
Defaults
None.
Access
Enabled.
History
Introduced in MSS Version 1.0.
Examples
To stop sending system logging messages to a server at 192.168.253.11, type the
following command:
MX# clear log server 192.168.253.11
success: change accepted.
Type the following command to clear all messages from the log buffer:
MX# clear log buffer
success: change accepted.
See Also
clear log trace on page 22-503
set log on page 24-518
set log
Enables or disables logging of MX and MP events to the MX log buffer or other logging destination
and sets the level of the events logged. For logging to a syslog server only, you can also set the
facility logged.
Syntax
set log {buffer | console | current | sessions | trace} [severity
severity-level] [enable | disable]
set log server ip-addr [port port-number] severity severity-level [local-facility
facility-level]
buffer              Sets log parameters for the log buffer in nonvolatile storage.
console             Sets log parameters for console sessions.
current             Sets log parameters for the current Telnet or console session. These settings are not
                    stored in nonvolatile memory.
server ip-addr      Sets log parameters for a syslog server. Specify an address in dotted decimal notation.
sessions            Sets the default log values for Telnet sessions. You can set defaults for the following
                    log parameters:
                    Severity
                    Logging state (enabled or disabled)
                    To override the session defaults for an individual session, type the set log command
                    from within the session and use the current option.
trace               Sets log parameters for trace files.
port port-number    Sets the TCP port for sending messages to the syslog server. You can specify a
                    number from 1 to 65535. The default syslog port is 514.
severity severity-level
                    Logs events at a severity level greater than or equal to the level specified. Specify one
                    of the following:
                    emergency—The MX is unusable.
                    alert—Action must be taken immediately.
                    critical—You must resolve the critical conditions. If the conditions are not
                    resolved, the MX can reboot or shut down.
                    error—The MX is missing data or is unable to form a connection.
                    warning—A possible problem exists.
                    notice—Events that potentially can cause system problems have occurred. These
                    are logged for diagnostic purposes. No action is required.
                    info—Informational messages only. No problem exists.
                    debug—Output from debugging.
local-facility facility-level
                    For messages sent to a syslog server, maps all messages of the severity you specify to
                    one of the standard local log facilities defined in RFC 3164. You can specify one of the
                    following values:
                    0—maps all messages to local0.
                    1—maps all messages to local1.
                    2—maps all messages to local2.
                    3—maps all messages to local3.
                    4—maps all messages to local4.
                    5—maps all messages to local5.
                    6—maps all messages to local6.
                    7—maps all messages to local7.
                    If you do not specify a local facility, MSS sends the messages with their default MSS
                    facilities. For example, AAA messages are sent with facility 4 and boot messages are
                    sent with facility 20 by default.
enable              Enables messages to the specified target.
disable             Disables messages to the specified target.
Defaults
Events at the error level and higher are logged to the MX console.
Events at the error level and higher are logged to the MX system buffer.
Trace logging is enabled, and debug-level output is stored in the MX trace buffer.
Access
Enabled.
History
Version 1.0    Command introduced.
Version 4.2    Option port added.
Usage
Using the command with only enable or disable turns logging on or off for the target at
all levels. For example, entering set log buffer enable with no other keywords turns on logging
to the system buffer of all facilities at all levels. Entering set log buffer disable with no other
keywords turns off all logging to the buffer.
Examples
To log only emergency, alert, and critical system events to the console, type the
following command:
MX# set log console severity critical enable
success: change accepted.
See Also
show log config on page 24-521
clear log on page 24-517
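As an added example (not Trapeze code), the following Python computes the RFC 3164 PRI value a syslog server receives for an MSS message under a given set log server severity and local-facility setting, so a collector-side filter can be checked against what the MX actually sends. It assumes the defaults quoted above (AAA facility 4, boot facility 20) and, as a labelled assumption, facility 1 for any other MSS facility.

```python
import re
from typing import Optional, Tuple

# Severity codes from RFC 3164; the names are the severity-level keywords
# that "set log" accepts (emergency is the most severe).
SEVERITY = {
    "emergency": 0, "alert": 1, "critical": 2, "error": 3,
    "warning": 4, "notice": 5, "info": 6, "debug": 7,
}

# RFC 3164 numbers local0 .. local7 as facilities 16 .. 23, so the
# local-facility value N given to "set log server" becomes 16 + N.
LOCAL_FACILITY_BASE = 16

# Default facility codes this page quotes for MSS when no local-facility
# is configured: AAA messages use 4, boot messages use 20. Any other MSS
# facility is ASSUMED here (illustration only) to be sent as 1.
MSS_DEFAULT_FACILITY = {"AAA": 4, "BOOT": 20}
ASSUMED_OTHER_FACILITY = 1


def pri(facility: int, severity: int) -> int:
    """RFC 3164 PRI value: facility * 8 + severity."""
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility must be 0..23 and severity 0..7")
    return facility * 8 + severity


def decode_pri(value: int) -> Tuple[int, int]:
    """Inverse of pri(): returns (facility, severity)."""
    if not 0 <= value <= 191:
        raise ValueError("PRI out of range")
    return divmod(value, 8)


def forwarded_pri(mss_facility: str, severity_name: str,
                  server_severity: str,
                  local_facility: Optional[int] = None) -> Optional[int]:
    """PRI the syslog server receives for one MSS message when the MX is
    configured with
        set log server <ip> severity <server_severity> [local-facility N]
    Returns None when the message is less severe than the configured level
    and therefore is not sent at all.
    """
    sev = SEVERITY[severity_name]
    if sev > SEVERITY[server_severity]:
        return None  # numerically higher code = less severe = filtered out
    if local_facility is None:
        fac = MSS_DEFAULT_FACILITY.get(mss_facility, ASSUMED_OTHER_FACILITY)
    else:
        if not 0 <= local_facility <= 7:
            raise ValueError("local-facility must be 0..7")
        fac = LOCAL_FACILITY_BASE + local_facility  # localN
    return pri(fac, sev)


def parse_pri_header(datagram: str) -> Tuple[int, int, str]:
    """Split an RFC 3164 datagram '<PRI>rest' the way a collector does and
    return (facility, severity, rest of the message)."""
    m = re.match(r"<(\d{1,3})>(.*)", datagram, re.DOTALL)
    if not m:
        raise ValueError("no <PRI> header")
    fac, sev = decode_pri(int(m.group(1)))
    return fac, sev, m.group(2)


def facility_name(facility: int) -> str:
    """Readable name for a facility code: localN for 16..23."""
    if 16 <= facility <= 23:
        return "local%d" % (facility - 16)
    return "facility%d" % facility
```

With local-facility 3, every forwarded message arrives as local3 (facility 19) regardless of the MSS facility, which is what lets a collector route all MX traffic with one rule.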
set log mark
Configures MSS to generate mark messages at regular intervals. The mark messages indicate the
current system time and date. Trapeze Networks can use the mark messages to determine the
approximate time when a system restart or other event causing a system outage occurred.
Syntax
set log mark [enable | disable] [severity level]
[interval interval]
enable               Enables the mark messages.
disable              Disables the mark messages.
severity level       Log severity at which the messages are logged:
                     emergency
                     alert
                     critical
                     error
                     warning
                     notice
                     info
                     debug
interval interval    Interval at which MSS generates the mark messages. You can specify from 1 to
                     2147483647 seconds.
Defaults
Mark messages are disabled by default. When messages are enabled, MSS generates a
message at the notice level once every 300 seconds by default.
Access
Enabled.
History
Introduced in MSS Version 4.1.
Examples
The following command enables mark messages:
MX# set log mark enable
success: change accepted.
See Also
show log config on page 24-521
set log trace mbytes
This command is deprecated in MSS Version 4.0.
show log buffer
Displays system information stored in the nonvolatile log buffer or the trace buffer.
Syntax
show log buffer [{+|-}number-of-messages] [facility facility-name]
[matching string] [severity severity-level]
buffer                    Displays the log messages in nonvolatile storage.
+|-number-of-messages     Displays the number of messages specified as follows:
                          A positive number (for example, +100) displays that number of log entries
                          starting from the oldest in the log.
                          A negative number (for example, -100) displays that number of log entries
                          starting from the newest in the log.
facility facility-name    Area of MSS that is sending the log message. Type a space and a question
                          mark (?) after show log buffer facility for a list of valid facilities.
matching string           Displays messages that match a string—for example, a username or IP
                          address.
severity severity-level   Displays messages at a severity level greater than or equal to the level
                          specified. Specify one of the following:
                          emergency—The MX is unusable.
                          alert—Action must be taken immediately.
                          critical—You must resolve the critical conditions. If the conditions are not
                          resolved, the MX can reboot or shut down.
                          error—The MX is missing data or is unable to form a connection.
                          warning—A possible problem exists.
                          notice—Events that potentially can cause system problems have occurred.
                          These are logged for diagnostic purposes. No action is required.
                          info—Informational messages only. No problem exists.
                          debug—Output from debugging.
Defaults
None.
Access
Enabled.
History
Version 1.0    Command introduced.
Version 5.0    Option COPP removed. The option is not applicable to MSS Version 5.0.
Usage
The debug level produces a lot of messages, and many can appear to be cryptic. Debug
messages are used primarily by Trapeze Networks for troubleshooting and are not intended for
administrator use.
Examples
Type the following command to see the facilities for which you can view event messages
archived in the buffer:
MX# show log buffer facility ?
<facility name> Select one of: KERNEL, AAA, SYSLOGD, ACL, APM, ARP, ASO, BOOT,
CLI, CLUSTER, CRYPTO, DOT1X, NET, ETHERNET, GATEWAY, HTTPD, IGMP, IP, MISC, NOSE, NP,
RAND, RESOLV, RIB, ROAM, ROGUE, SM, SNMPD, SPAN, STORE, SYS, TAGMGR, TBRIDGE, TCPSSL,
TELNET, TFTP, TLS, TUNNEL, VLAN, X509, XML, MP, RAPDA, WEBVIEW, EAP, FP, STAT, SSHD,
SUP, DNSD, CONFIG, BACKUP.
The following command displays logged messages for the AAA facility:
MX# show log buffer facility AAA
AAA Jun. 25 09:11:32.579848 ERROR AAA_NOTIFY_ERR: AAA got SM special event (98) on locality 3950 which is gone
See Also
clear log on page 24-517
show log config on page 24-521
show log config
Displays log configuration information.
Syntax
show log config
Defaults
None.
Access
Enabled.
History
Introduced in MSS Version 1.0.
Examples
To display how logging is configured, type the following command:
MX# show log config
Logging console: disabled
Logging console severity: DEBUG
Logging sessions: disabled
Logging sessions severity: INFO
Logging buffer: enabled
Logging buffer severity: WARNING
Logging trace: enabled
Logging trace severity: DEBUG
Logging buffer size: 10485760 bytes
Log marking: disabled
Log marking severity: NOTICE
Log marking interval: 300 seconds
Logging server: 172.21.12.19 port 514 severity EMERGENCY
Current session: disabled
Current session severity: INFO
See Also
set log on page 24-518
clear log on page 24-517
show log trace
Displays system information stored in the nonvolatile log buffer or the trace buffer.
Syntax
show log trace [{+|-|/}number-of-messages] [facility facility-name]
[matching string] [severity severity-level]
trace                     Displays the log messages in the trace buffer.
+|-|/number-of-messages   Displays the number of messages specified as follows:
                          A positive number (for example, +100) displays that number of log entries
                          starting from the oldest in the log.
                          A negative number (for example, -100) displays that number of log entries
                          starting from the newest in the log.
                          A number preceded by a slash (for example, /100) displays that number of the
                          most recent log entries in the log, starting with the least recent.
facility facility-name    Area of MSS that is sending the log message. Type a space and a question mark
                          (?) after show log trace facility for a list of valid facilities.
matching string           Displays messages that match a string—for example, a username or IP address.
severity severity-level   Displays messages at a severity level greater than or equal to the level specified.
                          Specify one of the following:
                          emergency—The MX switch is unusable.
                          alert—Action must be taken immediately.
                          critical—You must resolve the critical conditions. If the conditions are not
                          resolved, the MX can reboot or shut down.
                          error—The MX is missing data or is unable to form a connection.
                          warning—A possible problem exists.
                          notice—Events that potentially can cause system problems have occurred.
                          These are logged for diagnostic purposes. No action is required.
                          info—Informational messages only. No problem exists.
                          debug—Output from debugging.
Defaults
None.
Access
Enabled.
History
Version 1.0    Command introduced.
Version 5.0    Option COPP removed. The option is not applicable to MSS Version 5.0.
Examples
Type the following command to see the facilities for which you can view event messages
archived in the buffer:
MX# show log trace facility ?
<facility name> Select one of: KERNEL, AAA, SYSLOGD, ACL, APM, ARP, ASO, BOOT,
CLI, CLUSTER, CRYPTO, DOT1X, ENCAP, ETHERNET, GATEWAY, HTTPD, IGMP, IP, MISC, NOSE, NP,
RAND, RESOLV, RIB, ROAM, ROGUE, SM, SNMPD, SPAN, STORE, SYS, TAGMGR, TBRIDGE, TCPSSL,
TELNET, TFTP, TLS, TUNNEL, VLAN, X509, XML, MP, RAPDA, WEBVIEW, EAP, PORTCONFIG, FP.
The following command displays the newest five trace log entries for the ROGUE facility:
MX# show log trace +5 facility ROGUE
ROGUE Oct 28 16:30:19.695141 ERROR ROGUE_AP_ALERT: Xmtr Mac 01:0b:0e:ff:00:3b Port 7 Radio 1 Chan 36 RSSI 18 Tech DOT_11A SSID trapeze
ROGUE Oct 28 16:30:19.704637 ERROR ROGUE_AP_ALERT: Xmtr Mac 01:0b:0e:00:09:5f Port 7 Radio 1 Chan 36 RSSI 15 Tech DOT_11A SSID examplewlan
ROGUE Oct 28 16:30:19.711253 ERROR ROGUE_AP_ALERT: Xmtr Mac 01:0b:0e:00:06:b7 Port 7 Radio 1 Chan 36 RSSI 36 Tech DOT_11A SSID wlan-7
ROGUE Oct 28 16:30:19.717954 ERROR ROGUE_AP_ALERT: Xmtr Mac 00:0b:0e:00:06:8f Port 7 Radio 1 Chan 36 RSSI 13 Tech DOT_11A SSID trapeze
ROGUE Oct 28 16:30:19.727069 ERROR ROGUE_AP_ALERT: Xmtr Mac 01:0b:0e:da:da:dd Port 7 Radio 1 Chan 36 RSSI 22 Tech DOT_11A SSID trapeze
See Also
clear log on page 24-517
show log config on page 24-521
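As an added example (not Trapeze code), the following Python parses MSS log lines in the format shown in the show log buffer and show log trace output above and applies the same selection rules (facility, severity at or above a level, matching string, and the +N, -N and /N counts), then extracts the fields of a ROGUE_AP_ALERT entry so the alerts can be handed to a rogue-AP tracking process. The sample buffer is constructed: three lines are copied from this page's output, two are made up, and applying the filters before the count is an assumption about MSS behaviour.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Severity ordering used by "severity severity-level": lower number is more
# severe; the filter keeps entries at the given level or more severe.
SEVERITY = {"EMERGENCY": 0, "ALERT": 1, "CRITICAL": 2, "ERROR": 3,
            "WARNING": 4, "NOTICE": 5, "INFO": 6, "DEBUG": 7}

# One MSS log line: FACILITY Mon[.] DD HH:MM:SS.usec SEVERITY TAG: text
LINE_RE = re.compile(
    r"^(?P<facility>[A-Z0-9]+)\s+"
    r"(?P<month>[A-Z][a-z]{2})\.?\s+(?P<day>\d{1,2})\s+"
    r"(?P<time>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<severity>[A-Z]+)\s+(?P<tag>[A-Z0-9_]+):\s*(?P<text>.*)$")

# Fields inside a ROGUE_AP_ALERT text, as laid out in the show log trace output.
ROGUE_RE = re.compile(
    r"Xmtr Mac (?P<xmtr_mac>[0-9a-f:]{17}) Port (?P<port>\d+) Radio (?P<radio>\d+) "
    r"Chan (?P<chan>\d+) RSSI (?P<rssi>\d+) Tech (?P<tech>\S+) SSID (?P<ssid>.*)$")


@dataclass
class LogEntry:
    facility: str
    month: str
    day: int
    time: str
    severity: str
    tag: str
    text: str
    raw: str


def parse_entry(line: str) -> Optional[LogEntry]:
    """Parse one buffer line; None for lines that are not in MSS format."""
    m = LINE_RE.match(line.strip())
    if not m or m.group("severity") not in SEVERITY:
        return None
    return LogEntry(m.group("facility"), m.group("month"), int(m.group("day")),
                    m.group("time"), m.group("severity"), m.group("tag"),
                    m.group("text"), line.strip())


def select(entries: List[LogEntry], count: Optional[str] = None,
           facility: Optional[str] = None, severity: Optional[str] = None,
           matching: Optional[str] = None) -> List[LogEntry]:
    """Apply show log buffer / show log trace selection to entries held in
    buffer order (oldest first). ASSUMPTION: filters run before the count."""
    out = list(entries)
    if facility is not None:
        out = [e for e in out if e.facility == facility.upper()]
    if severity is not None:
        limit = SEVERITY[severity.upper()]
        out = [e for e in out if SEVERITY[e.severity] <= limit]
    if matching is not None:
        out = [e for e in out if matching in e.raw]
    if count is not None:
        sign, n = count[0], int(count[1:])
        if sign == "+":        # +N: N oldest, oldest first
            out = out[:n]
        elif sign == "-":      # -N: N newest, newest first
            out = out[::-1][:n]
        elif sign == "/":      # /N: N most recent, least recent first
            out = out[-n:]
        else:
            raise ValueError("count must start with +, - or /")
    return out


def parse_rogue_alert(entry: LogEntry) -> Optional[Dict[str, object]]:
    """Return the transmitter MAC, port, radio, channel, RSSI, technology and
    SSID of a ROGUE_AP_ALERT entry, or None for any other entry."""
    if entry.tag != "ROGUE_AP_ALERT":
        return None
    m = ROGUE_RE.search(entry.text)
    if not m:
        return None
    fields: Dict[str, object] = dict(m.groupdict())
    for key in ("port", "radio", "chan", "rssi"):
        fields[key] = int(fields[key])
    return fields


# Constructed sample buffer, oldest first. The first three lines are copied
# from this page's output; the NOTICE and WARNING lines are made up so that
# severity selection has something to exclude.
SAMPLE_BUFFER = [
    "AAA Jun. 25 09:11:32.579848 ERROR AAA_NOTIFY_ERR: AAA got SM special event (98) on locality 3950 which is gone",
    "ROGUE Oct 28 16:30:19.695141 ERROR ROGUE_AP_ALERT: Xmtr Mac 01:0b:0e:ff:00:3b Port 7 Radio 1 Chan 36 RSSI 18 Tech DOT_11A SSID trapeze",
    "ROGUE Oct 28 16:30:19.704637 ERROR ROGUE_AP_ALERT: Xmtr Mac 01:0b:0e:00:09:5f Port 7 Radio 1 Chan 36 RSSI 15 Tech DOT_11A SSID examplewlan",
    "SYSLOGD Oct 28 16:35:00.000000 NOTICE LOG_MARK: constructed mark message",
    "DOT1X Oct 28 16:36:12.345678 WARNING CONSTRUCTED_EVENT: constructed warning for user alice",
]
ENTRIES = [e for e in map(parse_entry, SAMPLE_BUFFER) if e is not None]
```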
25
Boot Prompt Commands
Boot prompt commands enable you to perform basic tasks, including booting a system image file,
from the boot prompt (boot>). A CLI session enters the boot prompt if MSS does not boot
successfully or you intentionally interrupt the boot process. To interrupt the boot process, press q
followed by Enter (return).
Caution
Generally, boot prompt commands are used only for troubleshooting. Trapeze
Networks recommends that you use these commands only when working with
Trapeze to diagnose a system issue. In particular, commands that change boot
parameters can interfere with an MX's ability to boot successfully.
This chapter presents boot prompt commands alphabetically. Use the following table to locate
commands in this chapter based on their use.
Command Information        ls on page 25-532
                           help on page 25-531
Booting                    boot on page 25-526
                           reset on page 25-533
                           autoboot on page 25-525
                           dhcp on page 25-529
File Management            dir on page 25-530
                           fver on page 25-531
                           version on page 25-536
Boot Profile Management    show on page 25-534
                           create on page 25-528
                           next on page 25-533
                           change on page 25-527
                           delete on page 25-529
Diagnostics                diag on page 25-530
                           test on page 25-536
autoboot
Displays or changes the state of the autoboot option. The autoboot option controls whether an MX
automatically boots a system image after initializing the hardware, following a system reset or
power cycle.
Syntax
autoboot [ON | on | OFF | off]
ON     Enables the autoboot option.
on     Same effect as ON.
OFF    Disables the autoboot option.
off    Same effect as OFF.
Defaults
The autoboot option is enabled by default.
Access
Boot prompt.
History
Introduced in MSS Version 1.0.
Examples
The following command displays the current setting of the autoboot option:
boot> autoboot
The autoboot flag is on.
See Also
boot on page 25-526
boot
Loads and executes a system image file.
Syntax
boot [BT=type] [DEV=device] [FN=filename] [HA=ip-addr] [FL=num]
[OPT=option] [OPT+=option]
BT=type        Boot type:
               c—Compact flash. Boots using nonvolatile storage or a flash card.
               n—Network. Boots using a TFTP server.
DEV=device     Location of the system image file:
               c:—Nonvolatile storage area containing boot partition 0
               d:—Nonvolatile storage area containing boot partition 1
               e:—Primary partition of the flash card in the flash card slot
               f:—Secondary partition of the flash card in the flash card slot
               boot0—boot partition 0
               boot1—boot partition 1
               When the boot type is n (network), the device can be one of the following:
               emac1—Port 1 on an MXR-2
               emac2—Port 2 on an MXR-2
               mgmt or tsec0—The 10/100 port labelled Mgmt on an MX-200 or MX-216
FN=filename    System image filename.
HA=ip-addr     Host address (IP address) of a TFTP server. This parameter applies only when the
               boot type is n (network).
FL=num         Number representing the bit settings of boot flags to pass to the booted system image.
               Use this parameter only if advised to do so by Trapeze Networks.
OPT=option     String up to 128 bytes of boot options to pass to the booted system image instead of
               the boot option(s) in the currently active boot profile. The options temporarily replace
               the options in the boot profile. Use this parameter only if advised to do so by Trapeze
               Networks.
OPT+=option    String up to 128 bytes of boot options to pass to the booted system image in addition
               to the boot option(s) in the currently active boot profile. The options are appended to
               the options already in the boot profile. Use this parameter only if advised to do so by
               Trapeze Networks.
Defaults
The boot settings in the currently active boot profile are used by default.
Access
Boot prompt.
History
Introduced in MSS Version 1.0.
Usage
If you use an optional parameter, the parameter setting overrides the setting of the same
parameter in the currently active boot profile. However, the boot profile itself is not changed. To
display the currently active boot profile, use the show command. To change the currently active
boot profile, use the change command.
Examples
The following command loads system image file MX010101.020 from boot partition 1:
boot> boot FN=MX010101.020 DEV=boot1
Compact Flash load from boot1:testcfg matches MX010101.020.
unzip: Inflating ramdisk_1.1.1.. OK
unzip file len 36085486 OK
Copyright (c) 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003
The NetBSD Foundation, Inc. All rights reserved.
Copyright (c) 1982, 1986, 1989, 1991, 1993
The Regents of the University of California. All rights reserved.
Power Cycle Reboot
Detecting hardware...done.
readclock: 2003-10-8 2:9:50.67 UTC=>1065578990.670000 (1064992894)
init: Creating mfs /dev
erase ^H, werase ^W, kill ^U, intr ^C, status ^T
Doing Trapeze mounts and links
Starting nos_mon...
nos_mon:ps: not found
SYSLOGD Oct 08 02:10:05.477814 CRITICAL SYSTEM_READY: The system has finished booting.
Copyright (c) 2002, 2003
Trapeze Networks, Inc.
Username:
Password:
See Also
change on page 25-527
show on page 25-534
change
Changes parameters in the currently active boot profile. (For information about boot profiles, see
show on page 25-534.)
Syntax
change
Defaults
The default boot type is c (compact flash). The default filename is default. The default
flags setting is 0x00000000 (all flags disabled) and the default options list is run=nos;boot=0. The
default device setting is the boot partition specified by the most recent set boot partition
command typed at the Enabled level of the CLI, or boot 0 if the command has never been typed.
Access
Boot prompt.
History
Introduced in MSS Version 1.0.
Usage
After you type the change command, the system interactively displays the current setting
of each parameter and prompts you for the new setting. When prompted, type the new setting,
press Enter to accept the current setting, or type . (period) to change the setting to the default
value. To back up to the previous parameter, type - (hyphen).
For information about each of the boot parameters you can set, see show on page 25-534.
Examples
The following command enters the configuration mode for the currently active boot
profile, changes the device to boot1, and leaves the other parameters with their current settings:
boot> change
Changing the default configuration is not recommended.
Are you sure that you want to proceed? (y/n)y
BOOT TYPE: [c]
DEVICE: [boot0:]boot1
FILENAME: [default]
FLAGS: [0x00000000]
OPTIONS: [run=nos;boot=0]
The following command enters the configuration mode for the currently active boot profile and
configures the MX (in this example, an MXR-2) to boot using a TFTP server:
boot> change
Changing the default configuration is not recommended.
Are you sure that you want to proceed? (y/n)y
BOOT TYPE: [c]> n
DEVICE: [boot0:]> emac1
FILENAME: [default]> bootfile
HOST IP: [0.0.0.0]> 172.16.0.1
LOCAL IP: [0.0.0.0]> 172.16.0.21
GATEWAY IP: [0.0.0.0]> 172.16.0.20
IP MASK: [0.0.0.0]> 255.255.255.0
FLAGS: [0x00000000]>
OPTIONS: [run=nos;boot=0]>
See Also
boot on page 25-526
create on page 25-528
delete on page 25-529
dhcp on page 25-529
next on page 25-533
show on page 25-534
create
Creates a new boot profile. (For information about boot profiles, see show on page 25-534.)
Syntax
create
Defaults
The new boot profile has the same settings as the currently active boot profile by
default.
Access
Boot prompt.
History
Introduced in MSS Version 1.0.
Usage
An MX can have up to four boot profiles. The boot profiles are stored in slots, numbered
0 through 3. When you create a new profile, the system uses the next available slot for the profile.
If all four slots already contain profiles and you try to create a fifth profile, the MX displays a
message advising you to change one of the existing profiles instead.
To make a new boot profile the currently active boot profile, use the next command. To change
boot parameter settings, use the change command.
Examples
The following command creates a new boot profile in slot 1 on an MX that currently has
only one boot profile, in slot 0:
boot> create
BOOT Index: 1
BOOT TYPE: c
DEVICE: boot1:
FILENAME: default
FLAGS: 00000000
OPTIONS: run=nos;boot=0
See Also
change on page 25-527
delete on page 25-529
next on page 25-533
show on page 25-534
delete
Removes the currently active boot profile. (For information about boot profiles, see show on
page 25-534.)
Syntax
delete
Defaults
None.
Access
Boot prompt.
History
Introduced in MSS Version 1.0.
Usage
When you type the delete command, the next-lower numbered boot profile becomes the
active profile. For example, if the currently active profile is number 3, profile number 2 becomes
active after you type delete to delete profile 3. You cannot delete boot profile 0.
Examples
To remove the currently active boot profile, type the following command:
boot> delete
BOOT Index: 1
BOOT TYPE: c
DEVICE: boot1:
FILENAME: default
FLAGS: 00000000
OPTIONS: run=nos;boot=0
See Also
change on page 25-527
create on page 25-528
next on page 25-533
show on page 25-534
dhcp
Displays or changes the state of the DHCP option. The DHCP option controls whether an MX uses
DHCP to obtain its IP address when it is booted using a TFTP server.
Syntax
dhcp [ON | on | OFF | off]
ON     Enables the DHCP option.
on     Same effect as ON.
OFF    Disables the DHCP option.
off    Same effect as OFF.
Defaults
The DHCP option is disabled by default.
Access
Boot prompt.
History
Introduced in MSS Version 1.0.
Examples
The following command displays the current setting of the DHCP option:
boot> dhcp
DHCP is currently enabled.
The following command disables the DHCP option:
boot> dhcp
DHCP is currently disabled.
See Also
boot on page 25-526
diag
Accesses the diagnostic mode.
Syntax
diag
Defaults
The diagnostic mode is disabled by default.
Access
Boot prompt.
History
Introduced in MSS Version 1.0.
Usage
Access to the diagnostic mode requires a password, which is not user configurable. Use
this mode only if advised to do so by Trapeze Networks.
dir
Displays the boot code and system image files on an MX switch.
Syntax
dir [c: | d: | e: | f: | boot0 | boot1]
c:       Nonvolatile storage area containing boot partition 0 (primary).
d:       Nonvolatile storage area containing boot partition 1 (secondary).
e:       Primary partition of the flash card in the flash card slot.
f:       Secondary partition of the flash card in the flash card slot.
boot0    Boot partition 0.
boot1    Boot partition 1.
Defaults
None.
Access
Boot prompt.
History
Introduced in MSS Version 1.0.
Usage
To display the system image software versions, use the fver command. This command
does not list the boot code versions. To display the boot code versions, use the version command.
Examples
The following command displays all the boot code and system image files on an MX
switch:
boot> dir
Internal Compact Flash Directory (Primary):
MX010101.020 5523634 bytes
BLOAD 696176 bytes
BSTRAP 38056 bytes
Internal Compact Flash Directory (Secondary):
MX010101.020 5524593 bytes
See Also
fver on page 25-531
version on page 25-536
fver
Displays the version of a system image file installed in a specific location on an MX.
Syntax
fver {c: | d: | e: | f: | boot0: | boot1:} [filename]
c:          Nonvolatile storage area containing boot partition 0 (primary).
d:          Nonvolatile storage area containing boot partition 1 (secondary).
e:          Primary partition of the flash card in the flash card slot.
f:          Secondary partition of the flash card in the flash card slot.
boot0:      Boot partition 0.
boot1:      Boot partition 1.
filename    System image filename.
Defaults
None.
Access
Boot prompt.
History
Introduced in MSS Version 1.0.
Usage
To display the image filenames, use the dir command. This command does not list the boot
code versions. To display the boot code versions, use the version command.
Examples
The following command displays the system image version installed in boot partition 1:
boot> fver boot1
File boot1:default version is 1.1.0.98.
See Also
dir on page 25-530
version on page 25-536
help
Displays a list of all the boot prompt commands or detailed information for an individual
command.
Syntax
help [command-name]
command-name    Boot prompt command.
Defaults
None.
Access
Boot prompt.
History
Introduced in MSS Version 1.0.
Usage
If you specify a command name, detailed information is displayed for that command. If
you do not specify a command name, all the boot prompt commands are listed.
Examples
The following command displays detailed information for the fver command:
boot> help fver
fver Display the version of the specified device:filename.
USAGE: fver [c:file|d:file|e:file|f:file|boot0:file|boot1:file|boot2:file|boot3:file]
Command to display the version of the compressed image file
associated with the given device:filename.
See Also
ls on page 25-532
ls
Displays a list of the boot prompt commands.
Syntax
ls
Defaults
None.
Access
Boot prompt.
History
Introduced in MSS Version 1.0.
Usage
To display help for an individual command, type help followed by the command name (for
example, help boot).
Examples
To display a list of the commands available at the boot prompt, type the following
command:
boot> ls
ls        Display a list of all commands and descriptions.
help      Display help information for each command.
autoboot  Display the state of, enable, or disable the autoboot option.
boot      Load and execute an image using the current boot configuration profile.
change    Change the current boot configuration profile.
create    Create a new boot configuration profile.
delete    Delete the current boot configuration profile.
next      Select the next boot configuration profile.
show      Display the current boot configuration profile.
dir       Display the contents of the specified boot partition.
fver      Display the version of the loadable image specified by device:filename.
version   Display HW and Bootstrap/Bootloader version information.
reset     Reset the system.
test      Display the state of, enable, or disable the tests option.
diag      Access the diagnostic command CLI.
See Also
help on page 25-531
next
Activates and displays the boot profile in the next boot profile slot. (For information about boot
profiles, see show on page 25-534.)
Syntax
next
Defaults
None.
Access
Boot prompt.
History
Introduced in MSS Version 1.0.
Usage
An MX contains 4 boot profile slots, numbered 0 through 3. This command activates the
boot profile in the next slot, in ascending numerical order. If the currently active slot is 3, the
command activates the boot profile in slot 0.
Examples
To activate the boot profile in the next slot and display the profile, type the following
command:
boot> next
BOOT Index: 0
BOOT TYPE: c
DEVICE: boot1:
FILENAME: testcfg
FLAGS: 00000000
OPTIONS: run=nos;boot=0
See Also
change on page 25-527
create on page 25-528
delete on page 25-529
show on page 25-534
reset
Resets the MX hardware.
Syntax
reset
Defaults
None.
Access
Boot prompt.
History
Introduced in MSS Version 1.0.
Usage
After resetting the hardware, the reset command attempts to load a system image file only
if other boot settings are configured to do so.
Examples
To immediately reset the system, type the following command at the boot prompt:
boot> reset
Trapeze Networks MX Bootstrap 1.17 Release
Testing Low Memory 1 ............
Testing Low Memory 2 ............
CISTPL_VERS_1: 4.1 <SanDisk> <SDP> <5/3 0.6>
Reset Cause (0x02) is COLD
Trapeze Networks MX Bootstrap/Bootloader
Version 1.6.5 Release
Bootstrap 0 version: 1.17 Active
Bootloader 0 version: 1.6.5 Active
Bootstrap 1 version: 1.17
Bootloader 1 version: 1.6.3
MX Board Revision: 3.
MX Controller Revision: 24.
POE Board Revision: 1
POE Controller Revision: 6
BOOT Index: 0
BOOT TYPE: c
DEVICE: boot1:
FILENAME: default
FLAGS: 00000000
OPTIONS: run=nos;boot=0
See Also
boot on page 25-526
show
Displays the currently active boot profile. A boot profile is a set of parameters that an MX uses to
control the boot process. Each boot profile contains the following parameters:
Boot type—Either compact flash (local device on the MX) or network (TFTP)
Boot device—Location of the system image file
Filename—System image file
Flags—Number representing the bit settings of boot flags to pass to the booted system image.
Options—String up to 128 bytes of boot options to pass to the booted system image
An MX can have up to four boot profiles, numbered 0 through 3. Only one boot profile can be active
at a time. You can create, change, and delete boot profiles. You also can activate another boot
profile in place of the currently active one.
Syntax
show
Defaults
None.
Access
Boot prompt.
History
Introduced in MSS Version 1.0.
Examples
To display the currently active boot profile, type the following command at the boot
prompt:
boot> show
BOOT Index: 0
BOOT TYPE: c
DEVICE: boot1:
FILENAME: default
FLAGS: 00000000
OPTIONS: run=nos;boot=0
The following is an example of a boot profile from an MXR-2 that is booted with a software image
downloaded from a TFTP server. In the example, when the MXR-2 boots, it downloads a system
image file called bootfile located on a TFTP server with address 172.16.0.1.
boot> show
BOOT Index: 0
BOOT TYPE: n
DEVICE: emac1
FILENAME: bootfile
HOST IP: 172.16.0.1
LOCAL IP: 172.16.0.21
GATEWAY IP: 172.16.0.20
IP MASK: 255.255.255.0
FLAGS: 00000000
OPTIONS: run=nos
Table 25-1 describes the fields in the display.
Table 25-1. Output for show
Field          Description
BOOT Index     Boot profile slot, which can be a number from 0 to 3.
BOOT TYPE      Boot type:
               c—Compact flash. Boots using nonvolatile storage or a flash card.
               n—Network. Boots using a TFTP server.
DEVICE         Location of the system image file:
               c:—Nonvolatile storage area containing boot partition 0
               d:—Nonvolatile storage area containing boot partition 1
               e:—Primary partition of the flash card in the flash card slot
               f:—Secondary partition of the flash card in the flash card slot
               boot0—boot partition 0
               boot1—boot partition 1
               When the boot type is Network, the device can be one of the following:
               emac1—Port 1 on an MXR-2
               emac2—Port 2 on an MXR-2
               mgmt or tsec0—The 10/100 port labelled Mgmt on an MX-200 or MX-216
HOST IP        For network booting, the IP address of the host with the system image.
LOCAL IP       For network booting, the IP address of the MX. If the DHCP option is enabled,
               this does not need to be specified.
GATEWAY IP     For network booting, the default router (gateway) used by the MX. If the DHCP
               option is enabled, this does not need to be specified.
IP MASK        For network booting, the subnet mask. If the DHCP option is enabled, this does
               not need to be specified.
FILENAME       System image file name.
FLAGS          Number representing the bit settings of boot flags to pass to the booted system
               image.
OPTIONS        String up to 128 bytes of boot options to pass to the booted system image.
See Also
change on page 25-527
create on page 25-528
delete on page 25-529
dhcp on page 25-529
next on page 25-533
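As an added example (not from the Trapeze documentation), the following Python parses the text that `boot> show` prints and checks it against the constraints in Table 25-1: slot range, device names per boot type, the four IP fields a network boot needs (all but HOST IP may come from DHCP), hexadecimal FLAGS and the 128-byte OPTIONS limit. The sample profile is the TFTP example from this page; treating the trailing colon in `boot1:` as cosmetic is an assumption.

```python
import ipaddress
import string

# Field constraints taken from Table 25-1 on this page.
FLASH_DEVICES = {"c", "d", "e", "f", "boot0", "boot1"}
NETWORK_DEVICES = {"emac1", "emac2", "mgmt", "tsec0"}
IP_FIELDS = ("HOST IP", "LOCAL IP", "GATEWAY IP", "IP MASK")

# Constructed sample input: the TFTP boot profile from this page, as 'boot> show' prints it.
NETWORK_SHOW = ("boot> show\nBOOT Index: 0\nBOOT TYPE: n\nDEVICE: emac1\nFILENAME: bootfile\n"
                "HOST IP: 172.16.0.1\nLOCAL IP: 172.16.0.21\nGATEWAY IP: 172.16.0.20\n"
                "IP MASK: 255.255.255.0\nFLAGS: 00000000\nOPTIONS: run=nos\n")

def parse_boot_profile(text):
    """Turn the 'KEY: value' lines of 'boot> show' into a dict; the prompt line has no colon and is dropped."""
    profile = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":")
        if sep:
            profile[key.strip()] = value.strip()
    return profile

def check_boot_profile(profile, dhcp_enabled=False):
    """Return (severity, message) findings; an empty list means the profile is consistent with Table 25-1."""
    findings = []
    slot, btype = profile.get("BOOT Index", ""), profile.get("BOOT TYPE", "")
    if not (slot.isdigit() and int(slot) <= 3):
        findings.append(("error", f"BOOT Index {slot!r} is not a slot number 0-3"))
    device = profile.get("DEVICE", "").rstrip(":")  # 'boot1:' shows a trailing colon; assumed cosmetic
    if btype == "c":
        if device not in FLASH_DEVICES:
            findings.append(("error", f"DEVICE {device!r} is not a compact flash location"))
    elif btype == "n":
        if device not in NETWORK_DEVICES:
            findings.append(("error", f"DEVICE {device!r} is not a network boot port"))
        for field in (IP_FIELDS[:1] if dhcp_enabled else IP_FIELDS):  # DHCP supplies all but HOST IP
            try:
                ipaddress.IPv4Address(profile.get(field, ""))
            except ValueError:
                findings.append(("error", f"{field} is missing or not a valid IPv4 address"))
        findings.append(("info", "image is fetched over TFTP, which authenticates nothing; "
                                 "keep the TFTP host on a trusted, access-controlled segment"))
    else:
        findings.append(("error", f"BOOT TYPE {btype!r} is neither c nor n"))
    flags = profile.get("FLAGS", "")
    if not flags or any(ch not in string.hexdigits for ch in flags):
        findings.append(("error", f"FLAGS {flags!r} is not a hexadecimal bit field"))
    if len(profile.get("OPTIONS", "").encode()) > 128:  # 128-byte limit from Table 25-1
        findings.append(("error", "OPTIONS string exceeds 128 bytes"))
    return findings
```

Run `check_boot_profile(parse_boot_profile(NETWORK_SHOW))` to audit the page's TFTP profile; a compact-flash profile such as the `default` one shown above yields no findings.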
test
Displays or changes the state of the poweron test flag. The poweron test flag controls whether an
MX performs a set of self tests prior to the boot process.
Syntax
test [ON | on | OFF | off]
ON Enables the poweron test flag.
on Same effect as ON.
OFF Disables the poweron test flag.
off Same effect as OFF.
Defaults
The poweron test flag is disabled by default.
Access
Boot prompt.
History
Introduced in MSS Version 1.0.
Examples
The following command displays the current setting of the poweron test flag:
boot> test
The diagnostic execution flag is not set.
See Also
boot on page 25-526
version
Displays version information for the MX hardware and boot code.
Syntax
version
Defaults
None.
Access
Boot prompt.
History
Introduced in MSS Version 1.0.
Usage
This command does not list the system image file versions installed in the boot partitions.
To display system image file versions, use the dir or fver command.
Examples
To display hardware and boot code version information, type the following command at
the boot prompt:
boot> version
Trapeze Networks MX Bootstrap/Bootloader
Version 1.6.5 Release
Bootstrap 0 version: 1.17 Active
Bootloader 0 version: 1.6.5 Active
Bootstrap 1 version: 1.17
Bootloader 1 version: 1.6.3
MX Board Revision: 3.
MX Controller Revision: 24.
POE Board Revision: 1
POE Controller Revision: 6
See Also
dir on page 25-530
fver on page 25-531