WLAN 8100
Release 3.0
NN47251-107
Issue 07.01
June 2014
Contents
Chapter 1: Introduction
  Purpose
  Related Resources
    Documentation
    Training
    Viewing Avaya Mentor videos
  Support
Chapter 2: New in this release
  Features
  Other changes
Chapter 3: Overview of WLAN deployment solutions
Chapter 4: ACLI reference for Wireless LAN (WLAN) 8100
  ACLI reference for the Wireless LAN (WLAN) 8100
    Performing controller configuration using the WC 8180 Quick Configuration utility
    Viewing WLAN 8100 current configuration
    Configuring and managing Link Layer Discovery Protocol
    Configuring and managing Remote Packet Capture
    Configuring and managing Client Band Steering and Client load balancing
    Configuring and managing Captive Portals
    Configuring and managing External Captive Portals
    Configuring and managing RADIUS
    Auto-RF
    Configuring and viewing the Tunnel Path MTU
    DiffServ
    AeroScout
    Station Isolation
    Ekahau RTLS support
    Wi-Fi Zoning
    Bonjour Gateway Support
    Domain AP configuration
    Wireless security WIDS-WIPS configuration and management
    Configuring a MAC filter blacklist
    Wireless Security Client MAC validation
    Load Balancing of APs and WSPs
    Commonly used configuration procedures
Chapter 5: ACLI Reference for wired networks
  ACLI reference for wired networks
    Configuring system options
    Configuring system security
Chapter 1: Introduction
Purpose
This document is an Avaya Command Line Interface (CLI) Commands Reference guide for the
configuration and management of the Avaya Wireless LAN (WLAN) 8100 solution.
The ACLI commands reference is organized into two parts:
ACLI reference for Wireless LAN (WLAN) 8100
This chapter describes the major WLAN 8100 features for release 3.0 and the typical ACLI
commands for their configuration and management.
ACLI reference for wired networks
This chapter describes typical ACLI commands for wired network configuration.
For further information on the features of the Wireless LAN 8100 solution, see Feature Overview for
Avaya WLAN 8100, NN47251-102.
Related Resources
Documentation
For a list of the documentation for this product, see Documentation Reference for Avaya WLAN
8100, NN47251-100.
Training
Ongoing product training is available. For more information or to register, see http://avayalearning.com/.
Enter the course code in the Search field and click Go to search for the course.
Course Code
Course Title
6769X
4D00045V
Procedure
To find videos on the Avaya Support website, go to support.avaya.com and perform one of the
following actions:
In Search, type Avaya Mentor Videos to see a list of the available videos.
In Search, type the product name. On the Search Results page, select Video in the
Content Type column on the left.
To find the Avaya Mentor videos on YouTube, go to www.youtube.com/AvayaMentor and
perform one of the following actions:
Enter a key word or key words in the Search Channel to search for a specific product or
topic.
Scroll down Playlists, and click the name of a topic to see the available list of videos posted
on the website.
Note:
Videos are not available for all products.
Support
Go to the Avaya Support website at http://support.avaya.com for the most up-to-date
documentation, product notices, and knowledge articles. You can also search for release notes,
downloads, and resolutions to issues. Use the online service request system to create a service
request. Chat with live agents to get answers to questions, or request an agent to connect you to a
support team if an issue requires additional expertise.
The following sections detail what's new in the ACLI Commands Reference for Avaya WLAN 8100,
NN47251-107 for release 3.0.
Related Links
Features on page 8
Other changes on page 9
Features
See the following sections for information about the feature changes:
Support for External Captive Portal on page 8
Support for Link Layer Discovery Protocol (LLDP) on page 8
Bonjour Gateway support on page 9
For information on the WMS enhancements and on Avaya Command Line Interface (CLI)
commands, see Using WMS and EDM on Avaya WLAN 8100, NN47251-108 and ACLI Commands
Reference for Avaya WLAN 8100, NN47251-107 respectively.
For more information on feature fundamentals, see Feature Overview for Avaya WLAN 8100,
NN47251-102.
With LLDP support, an AP can advertise its status and capabilities, and process information from
other LLDP neighbors, for example PoE switches.
Other changes
There are no other changes to this document for release 3.0.
Related Links
New in this release on page 8
The current release of Avaya WLAN supports the following deployment models.
WLAN Overlay
In the Overlay deployment, the Wireless Controller (WC) 8180 controls/manages Access
Points (AP) over a control channel and data is tunneled between the APs and the controller
over an access tunnel. Two or more WCs in the domain form a cluster, with a mesh of control
channels and data tunnels between each other.
WLAN Unified Access
In the Avaya VENA Unified Access deployment, the wireless controller deploys in the
control-plane mode of operation of the 8180 platform. This device then hosts only the wireless control
function and is called a wireless control point (WCP). A switch such as the Avaya ERS
8600/8800, introduced into the network, tunnels traffic (data) and is known as the wireless
switching point (WSP). The APs and WSPs tunnel traffic between each other over an access
tunnel and the WSPs tunnel traffic between each other over a mobility tunnel.
Avaya implemented this solution by combining the functionality of the Avaya WC 8100 with the
Avaya Ethernet Routing Switch 8800/8600 (ERS 8800/8600).
Procedure
1. Power on the WC 8180.
2. When the WC 8180 is up, connect the console cable.
3. Verify that the baud rate and other console parameters are properly configured. You can
view console parameters using the PuTTY application.
a. Open a PuTTY session.
b. On the left-hand-side tree view, click Serial.
c. Verify that the parameters are configured as follows:
Related Links
ACLI reference for the Wireless LAN (WLAN) 8100 on page 11
Verifying controller configuration on page 13
Procedure
1. Verify controller configuration:
WC8180#show wireless
Operation Mode    : WC
Status            : Enabled
Interface IP      : 192.168.34.4
TCP/UDP base port : 61000
Base MAC Address  : 58:16:26:FD:FE:00
Tunnel Path MTU   : 1492
: Join Success
: None
For more information on this command, see Viewing WLAN 8100 current configuration on
page 14.
Related Links
Performing controller configuration using the WC 8180 Quick Configuration utility on page 12
Procedure
1. Enter the command show running-config to view the current configuration on the WLAN
8100 system.
Note:
The command show running-config displays the entire WLAN 8100 system
configuration. Only configuration that is different from the default configuration is
displayed.
Command options of the show running-config command:
WC8180#show running-config ?
module   Display configuration of an application
verbose  Display entire configuration (defaults and non-defaults)
ipmgr                  Display IP Manager configuration
ipv6                   Display IPV6 configuration
l3                     Display L3 configuration
l3-protocols           Display L3 Protocols configuration
lacp                   Display LACP configuration
logging                Display System Logging configuration
mac-security           Display MAC Security configuration
mlt                    Display MLT configuration
nsna                   Display NSNA configuration
pim                    Display PIM configuration
port-mirroring         Display Port Mirroring configuration
qos                    Display QoS configuration
rate-limit             Display Rate Limiting configuration
rmon                   Display RMON configuration
rtc                    Display RTC configuration
slpp                   Display SLPP configuration
smlt                   Display SMLT configuration
snmp                   Display SNMP configuration
ssh                    Display SSH configuration
sshc                   Display SSHC configuration
ssl                    Display SSL configuration
stack                  Display Stack configuration
stkmon                 Display Stack Monitor configuration
stp                    Display STP configuration
unicast-storm-control  Display Unicast Storm Control configuration
vlacp                  Display VLACP configuration
vlan                   Display VLAN configuration
wireless               Display wireless configuration
<cr>
2. Use one of the following command options to view the current wireless configuration:
WC8180#show running-config module wireless ?
ap-profile                         Display wireless ap profile configs.
auto-rf                            Display auto-rf configs
captive-portal                     Display wireless captive-portal configs
capture-profile                    Display wireless capture-profile configs.
crypto                             Display wireless crypto configs
diffserv                           Display wireless diffserv configs.
domain                             Display wireless domian config
domain-ap                          Display domain ap configs
domain-ap-image-external-download  Display wireless domain-ap-image-external-download configs
domain-load-balance                Display domain load balance configs
domain-wsp                         Display domain wsp configs
network-profile                    Display wireless network-profile configs.
radio-profile                      Display wireless radio-profile configs.
security                           Display wireless security config
system                             Display wireless system configs
vlan-map                           Display wireless valn-map configs
<cr>
Related Links
ACLI reference for the Wireless LAN (WLAN) 8100 on page 11
is connected to the network, and to report that information back to its managing Wireless Controller.
This information makes it easier to trace, locate, and debug installation issues.
The only configurable option for LLDP on the AP is the operation mode when the AP is managed. It
can be configured for:
Tx-Rx (Default mode): AP sends advertisements to neighbors and relays neighbor
advertisements to WC.
Tx-Only: AP sends advertisements to neighbors and drops neighbor advertisements.
Rx-Only: AP does not send advertisements to neighbors, but relays neighbor advertisements
to WC.
Off: AP does not send advertisements to neighbors and drops neighbor advertisements.
Note:
In unmanaged mode, the AP is always in Tx-Rx mode; no configuration is possible.
Advertisements are sent every 30 seconds with a time to live of 120 seconds. The content of the
LLDP advertisement is not configurable and is reproduced here for reference.
Transmitted (Advertised) Values:
Value
Unmanaged
Managed
Chassis ID
Port ID
System Name
AP Model Type
Management Address
WLAN/Bridge Capability
WLAN/Bridge Capability
WLAN/Bridge Enabled
System Description
Port Description
Related Links
ACLI reference for the Wireless LAN (WLAN) 8100 on page 11
Configuring LLDP operation on an AP on page 17
Procedure
1. Enter into the ap-profile configuration mode:
WC8180(config-wireless)#ap-profile 1
LLDP is disabled:
WC8180(config-ap-profile)#show wireless ap-profile 1 detail
AP Profile Id: 1
Name                   : Default
Country Code           : US
AP Model               : Avaya APs (AP8120/AP8120-E)
Is Default Profile?    : No
AE Protocol Support    : Disable
Ekahau Tag Blink Mode  : Disable
Ekahau Server IP       : 0.0.0.0
Ekahau Server UDP Port : 8569
LLDP status            : Disabled
Status                 : Configured
6. Use the following command to view the LLDP status received by an AP from its neighbors:
WC8180#show wireless ap lldp-neighbor
-------------------------------------------------------------------------------
AP MAC            Neighbor MAC       Mgmt IP         Port Description
----------------- ------------------ --------------- -----------------------
00:02:6F:B8:58:C0 6C:FA:58:7B:38:00  1.1.1.20        Port 24
00:1B:4F:6A:59:20 00:14:C7:30:6C:00  1.1.1.10        Port 22
58:16:26:AC:75:60 00:14:C7:30:6C:00  1.1.1.10        Port 21
B0:AD:AA:52:C8:E0 6C:FA:58:7B:38:00  1.1.1.20        Port 23
-------------------------------------------------------------------------------
VLAN ID : 70
Name: cherish2
-------------------------------------------------------------------------------
8. Use the following command to clear failed APs and associated LLDP neighbors:
WC8180#clear wireless ap failed
Related Links
Configuring and managing Link Layer Discovery Protocol on page 15
Procedure
1. Create a capture profile on the AMDC using the following command.
WC8180(config-wireless)#capture-profile ?
<1-4> Capture Profile ID
Note:
You can configure a maximum of 4 capture profiles on the AMDC.
2. Configure the capture profile parameters using the following commands.
Important:
After you complete the configuration, ensure that you synchronize configuration across
all controllers in the mobility domain.
Overview of the capture profile configuration commands.
WC8180(config-capture-profile)#?
Capture Profile Configuration Commands
default        Set a command to its default values
direction      Filter capture by flow direction
duration       Stop after elapsed duration in seconds
end            End wireless capture configuration mode
exit           Exit from wireless capture configuration mode
filters        Set filters for the packet capture profile
interface      Specify the capture interface(s) for the packet capture
no             Disable capture profile parameters
observer-ip    IP address of the observer host
observer-port  L4 port on the observer host
profile-name
promisc-mode
snap-length
Important:
In Wireshark, when the packet length exceeds the configured snap length in the capture
profile, the captured packets are displayed as Malformed. The default value of the snap
length is 128 and the value can be modified between 32 and 1024.
Adjust the snap length to prevent malformed packets.
3. Verify details of the configured capture profile(s) using the following commands.
capture-instance restart ?
All instances
AP MAC Address
Capture profile
Related Links
ACLI reference for the Wireless LAN (WLAN) 8100 on page 11
Configuration scenarios on page 24
CLI commands reference for remote packet capture on page 25
Configuration scenarios
The following section describes special configuration scenarios and their behavior.
Important:
When the SSID filter is set, you must not enable the promiscuous mode.
Scenario 1: include-beacon + ssid
Observation: No packets are captured.
Reason: In the Remote packet capture driver, the ssid is converted to a bssid. This bssid is compared
with the one from the beacon, which never matches, and therefore no packet is captured.
Scenario 2: include-probe + ssid
Observation: The probe request packets are observed but with a different ssid (the ssid filter did not
work).
Reason: When the probe request has a broadcast bssid, the comparison does not happen. Hence
all probe requests are captured with a different ssid.
The following section describes configuration settings and the corresponding output.
no promisc-mode + include-beacon: you see beacons from all APs.
promisc-mode + include-beacon: you see beacons from all APs.
no promisc-mode + include-probe: you see probe requests/responses from all APs.
promisc-mode + include-probe: you see probe requests/responses from all APs.
no promisc-mode + include-beacon + include-probe: you see beacons/probes from all APs.
promisc-mode + include-beacon + include-probe: you see beacons/probes from all APs.
no promisc-mode + include-data: you see data to/from only your AP.
promisc-mode + include-data: you see data to/from all APs.
promisc-mode + no frame-types: you do not see any packets.
promisc-mode + include-data + include-beacon + include-probe: you see data, beacons and
probes from all APs.
no promisc-mode + include-data + include-beacon + include-probe: you see beacons and
probes from all APs, but data only from your AP.
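The scenarios and settings above can be checked before a capture profile is pushed to the domain. The following is an added example, not Avaya code: `CaptureProfile`, `visible_traffic` and `lint` are hypothetical names, the numeric ranges are the ones given for the capture profile commands in this guide, and the port value in the usage is constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Value ranges stated for the capture profile commands in this guide.
LIMITS = {
    "snap_length": (32, 1024),
    "duration": (0, 86400),
    "observer_port": (1, 65535),
}


@dataclass
class CaptureProfile:
    """Hypothetical model of one capture profile; not an Avaya data structure."""
    profile_name: str                 # WORD<1-32>
    observer_port: int                # L4 port on the observer host
    duration: int                     # seconds
    snap_length: int = 128            # default stated in this guide
    promisc_mode: bool = False
    filters: Set[str] = field(default_factory=set)   # e.g. {"include-data"}
    ssid: Optional[str] = None


def visible_traffic(p: CaptureProfile) -> Dict[str, str]:
    """Frame types that reach the observer when no SSID filter is set."""
    seen: Dict[str, str] = {}
    if "include-beacons" in p.filters:
        seen["beacons"] = "all APs"
    if "include-probes" in p.filters:
        seen["probes"] = "all APs"
    if "include-data" in p.filters:
        # Promiscuous mode widens data capture from the capturing AP to all APs.
        seen["data"] = "all APs" if p.promisc_mode else "own AP only"
    return seen                       # empty when no frame types are selected


def lint(p: CaptureProfile) -> Dict[str, str]:
    """Return {finding-code: explanation} for settings the guide warns about."""
    findings: Dict[str, str] = {}
    for name, (low, high) in LIMITS.items():
        value = getattr(p, name)
        if not low <= value <= high:
            findings[name] = f"{value} is outside {low}-{high}"
    if not 1 <= len(p.profile_name) <= 32:
        findings["profile_name"] = "length must be 1-32 characters"
    if p.ssid is not None:
        if p.promisc_mode:
            findings["ssid+promisc"] = "SSID filter must not be combined with promisc-mode"
        if "include-beacons" in p.filters:
            findings["ssid+beacons"] = "scenario 1: no packets are captured"
        if "include-probes" in p.filters:
            findings["ssid+probes"] = "scenario 2: probes with other SSIDs are still captured"
    if visible_traffic(p).get("data") == "all APs":
        findings["data-all-aps"] = "data to/from all APs is sent to the observer host"
    return findings


if __name__ == "__main__":
    wide = CaptureProfile("wide", 37008, 300, snap_length=2048, promisc_mode=True,
                          filters={"include-data", "include-beacons"}, ssid="guest")
    for code, text in lint(wide).items():
        print(f"{code}: {text}")
```
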
Command        Parameters                Description
default        none
direction      both, downlink, uplink    both directions are enabled. Uplink indicates receive for an AP and downlink indicates transmit for the AP.
duration       <0-86400>
end
exit
filters        client-mac
               include-beacons
               include-control
               include-data
               include-mgmt
               include-probes
               ssid
interface      a-radio, all, b-radio
no
observer-ip    ipaddr
observer-port  <1-65535>
profile-name   WORD<1-32>
promisc-mode
snap-length    <32-1024>
Parameters
Description
start
ap <ap-mac>
profile <profile-id>
all
ap
profile
all
ap <ap-mac>
profile <profile-id>
all
ap
profile
stop
delete
restart
Related Links
Configuring and managing Remote Packet Capture on page 19
Important:
This cutoff is useful so that controller CPU utilization is maintained at an optimum level. If
CPU utilization goes beyond 100%, it causes the controller to restart which in turn results
in an unprecedented controller outage.
Procedure
1. Create an Access Radio profile.
Configure A-N and BG-N radio profiles to support different radio frequencies. The following
example shows the creation of A-N and BG-N radio profiles with the country code specified
as US and the AP model specified as ap8120/E. For an outdoor AP, specify the AP model
as ap8120O in the command.
WC8180(config-wireless)#radio-profile 3 country-code US ap-model ap8120/E access-wids a-n
Creating a radio-profile (id = 3) with country-code = US and ap-model AP8120/E...
WC8180(config-radio-profile)#profile-name A-N
WC8180(config-radio-profile)#exit
WC8180(config-wireless)#radio-profile 4 country-code US ap-model ap8120/E access-wids bg-n
Creating a radio-profile (id = 4) with country-code = US and ap-model AP8120/E...
WC8180(config-radio-profile)#profile-name BG-N
WC8180(config-radio-profile)#exit
2. Enable client band steering and load balancing using the following commands.
WC8180(config-wireless)#radio-profile 3
Entering radio-profile (id = 3) configuration mode...
WC8180(config-radio-profile)#band-steering enable
WC8180(config-radio-profile)#load-balance enable
WC8180(config-radio-profile)#load-balance utilization-start 30
WC8180(config-radio-profile)#load-balance utilization-cutoff 60
WC8180(config-wireless)#radio-profile 4
Entering radio-profile (id = 3) configuration mode...
WC8180(config-radio-profile)#band-steering enable
WC8180(config-radio-profile)#load-balance enable
WC8180(config-radio-profile)#load-balance utilization-start 30
WC8180(config-radio-profile)#load-balance utilization-cutoff 60
Related Links
ACLI reference for the Wireless LAN (WLAN) 8100 on page 11
Note:
The current release of WLAN 8100 supports certificate mapping to either a RADIUS application
or a Captive Portal. For more information, see Mapping a certificate on page 55.
Related Links
ACLI reference for the Wireless LAN (WLAN) 8100 on page 11
Configuring Captive Portal general settings on page 30
Configuring Captive Portal profiles on page 31
Redirecting the URL for Captive Portals on page 35
Configuring the Web hostname in Captive Portals on page 36
Customizing Captive Portals updating Captive Portal locale on page 36
Customizing Captive Portal using static HTML pages on page 38
Managing Captive Portals on page 40
Viewing Captive Portal network status on page 41
Viewing current Captive Portal configuration on page 41
Procedure
1. Enter the wireless configuration mode of the ACLI.
2. Use the command captive-portal enable to enable Captive Portal service.
3. Use the command captive-portal auth-timeout <60 - 600> to set the
authentication timeout value in seconds.
4. Use the command captive-portal http-port <0 - 65535> to configure the Captive
Portal HTTP port.
5. Use the command captive-portal https-portal <0 - 65535> to configure the
Captive Portal HTTPS port.
6. Use the command captive-portal stats-report-interval <15 - 3600> to
configure the statistics reporting interval in seconds.
Procedure
1. Enter the wireless configuration mode of the CLI.
2. Use the command captive-portal profile <Profile ID> to configure a Captive
Portal. Use a profile ID, for example 3.
WCP8180(config-wireless)#captive-portal profile ?
<1-10> Captive portal profile ID
WCP8180(config-wireless)#captive-portal profile 3
Entering captive-portal-profile (id = 3) ...
WCP8180(config-cp-profile)#?
Captive Portal Profile Configuration Commands
block            Block traffic for this profile
color            Set Captive-portal color scheme
default          Set captive portal parameters to default settings
end              End configuration mode
exit             Exit out of captive portal profile configuration mode
idle-timeout     Configure session idle timeout
ip               Captive-portal IP addresses
locale           Configure captive portal locale settings
max-bandwidth    Configure max bandwidth limit for transmit or receive
max-octets       Configure max octets available per session
no               Disable captive portal profile settings
profile-name     Set captive portal profile name
protocol-mode    Set captive portal protocol mode
redirect         Enable HTTP redirect mode after authetication
redirect-url     Configure redirected URL
session-timeout  Set session timeout.
user-logout      Enable user-logout mode for captive portal users
walled-garden    Captive-portal Walled Garden hostname configuration mode
web-hostname     Configure web hostname for Captive-Portal
WCP8180(config-cp-profile)#
3. Use the command show wireless captive-portal profile <ID> detail to show
the details of a specific Captive Portal profile.
4. Use the command captive portal profile <profile_number> block to block
profile traffic.
5. Use the command captive portal profile <profile_number> color to set the
Captive Portal color scheme.
Command options:
WCP8180(config-cp-profile)#color ?
background Set background color
foreground Set foreground color
separator  Set separator color
14. Use the command captive portal profile <profile_number> redirect to enable
HTTP redirect mode after authentication.
15. Use the command captive portal profile <profile_number> redirect-url to
configure the redirect URL.
For more information, see Redirecting the URL for captive portals on page 35.
16. Use the command captive portal profile <profile_number> session-timeout to set
the session timeout value. Enter a time in seconds. The range is 0 to
2100000000.
17. Use the command captive portal profile <profile_number> user-logout to
enable user logout.
18. Use the command walled-garden to enter the Captive Portal Walled Garden host-name
configuration mode.
Sometimes, a Captive Portal user may need to access network resources in the intranet or
public Web sites from an enterprise network, without first undergoing Captive Portal
authentication. To support these user requirements, the WLAN 8100 allows configuration of
the IP addresses of Web hosts in a Captive Portal profile so that the user can access these
hosts without the need for authentication. This is the Captive Portal Walled Garden feature.
The Walled Garden feature also enables you to configure access to certain Web hosts within
the network for unauthenticated users. After you configure the host IP address of the Web
host, the users will have access to all Web pages hosted on that server. This is especially
useful when you want to open up specific information, policy or guest registration Web sites
for unauthenticated clients or guest users.
Note:
You can configure up to 8 Captive Portal walled-garden hosts in a single Captive Portal
profile.
Use the following command options to configure the host name and host type. Currently only
IP address is supported as a host type.
WC8180(config-cp-profile)#walled-garden ?
hostname Walled garden hostname or IP address
WC8180(config-cp-profile)#walled-garden hostname ?
WORD IP address (1-255 characters)
WC8180(config-cp-profile)#walled-garden hostname 10.1.1.2 ?
type Walled garden hostname Type
WC8180(config-cp-profile)#walled-garden hostname 10.1.1.2 type ?
ip-addr IP address type
Example: Use the following command to configure a Walled Garden host IP address.
WC8180(config-cp-profile)#walled-garden hostname 10.1.1.2 type ip-addr
Example
View a sample Captive Portal profile configuration using the command show running-config
module wireless captive-portal.
WC8180(config-cp-profile)#show running-config module wireless captive-portal
! Embedded ASCII Configuration Generator Script
Note:
The supported characters in the redirect-URL are the underscore (_), dash (-), period (.),
percentage (%), colon (:), forward slash (/), question mark (?) and the equal sign (=).
Note:
To enter the question mark (?) character in CLI, use the escape character which is the
back slash (\), before the question mark character.
For example, if the redirect-URL is http://www.google.com?test=ag, you must
enter http://www.google.com\?test=ag.
5. Use the command captive portal profile <profile_number> no redirect to
disable redirection.
6. Use the command default redirect-url to reset the redirect-url to the default
value.
Procedure
1. Enter the Captive Portal configuration in the CLI.
2. Use the command captive-portal profile <ID> to go to the Captive Portal profile.
WCP8180(config-wireless)#captive-portal profile 1
Entering captive-portal-profile (id = 1) ...
The following are the command options to configure images in Captive Portal locales:
Important:
Ensure that the image files satisfy the following criteria:
The image file format is one of .jpg, .gif, .png, .tif or .bmp.
The size of custom images (logo, background, logout image) must not exceed 1Mb
each.
The image filename does not exceed 31 characters.
WC8180(config-cp-locale)#image ?
account            Set image name for accounting identification
background         Set image name for background appearence
branding           Set image name for branding appearence
logout-background  Set image name for logout background appearence
WC8180(config-cp-locale)#image
Example
The following is a sample usage of the command wip-msg to set a message indicating that
authentication is in progress:
WC8180(config-cp-locale)# wip-msg 0074006500730074
In the above example, 0074006500730074 is the UTF-16 equivalent of the word test.
Procedure
1. Create the constituent HTML files:
captive_portal_custom.html: the page that Captive Portal users see on first-time login.
cp_custom_error.html: the page that Captive Portal users see when an authentication error
occurs.
cp_custom_refresh.html: the page that Captive Portal users see when waiting for authentication
results.
Note:
Ensure that you retain the exact names of the HTML files. Otherwise the controller
cannot recognize these files and the Captive Portal service will not work.
2. Create a package (.zip) file containing the HTML files. If you want to embed images in your
portal page, add appropriate HTML tags (for example, <img src="<filename>">) in the
HTML files and include the graphics files in the zipped file.
Important:
Observe the following rules when you create a .zip file.
The package file must be a zipped file with an extension of .zip.
The length of package filename must not exceed 31 characters.
The number of files in the package must not exceed 32.
The filenames of the files included in the package file must not exceed 31 characters.
Total package file size must not exceed 4 Mb and each profile size must not
exceed 8 Mb.
The zipped file must not contain any directory.
All files must be in the same directory.
The image file format is one of .jpg, .gif, .png, .tif and .bmp.
The size of custom images (logo, background, logout image) must not exceed 1Mb
each.
The image filename does not exceed 31 characters.
3. After creating the .zip file, copy the file to a TFTP server to upload it to the AMDC of the
domain.
Important:
To enable the AMDC to upload the .zip file from the TFTP server, ensure that the
controller is configured with the TFTP server IP address and the package filename (.zip)
is specified when configuring the captive-portal locale.
4. If there are other controllers (for example, peers) in the domain, ensure that you run the
config-sync command to push the AMDC configuration to all controllers in the domain.
Verify that all controllers are synchronized.
5. Run the wireless captive-portal tftp-get command to upload the .zip file to the
controller. This is a one-time action command.
If you run the action command without any parameters, all controllers in the domain upload
all the customization files (including customization package and customization image files for
account, brand, background and logout). If the controllers have multiple locales, this
command examines the current configuration and if the new configuration is different, it
forces an upload.
You can also specify the following parameters in the action command:
Peer controller IP address
Profile Id and locale Id
File type (account, brand logo, background, logout background and package file)
Action flag
After the customization package file is uploaded to your controller, it is not removed from
flash unless you run the default command or perform another upload. You can also use
the default command to reset the configuration and to remove the corresponding file.
6. Verify the status of the upload in the Captive Portal locale by running the show wireless
captive-portal locale command. The status can be one of the following:
None: the upload was not started
Success: the upload was successful
In Progress: the upload is in progress
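A pre-upload check of the package rules listed in step 2 can be scripted so that a malformed archive never reaches the TFTP server. The following Python sketch is an added example, not part of the Avaya documentation; the function names are hypothetical, "Mb" is read as MiB, and treating other picture extensions as format violations is an assumption.

```python
import io
import zipfile

MAX_NAME_LEN = 31                      # filename limit stated in the rules
MAX_PACKAGE_BYTES = 4 * 1024 * 1024    # assumption: "4 Mb" read as 4 MiB
MAX_IMAGE_BYTES = 1 * 1024 * 1024      # assumption: "1Mb" read as 1 MiB
IMAGE_EXTS = (".jpg", ".gif", ".png", ".tif", ".bmp")
# Assumption: files with these picture-like extensions count as images
# in a format the controller does not accept.
OTHER_IMAGE_EXTS = (".jpeg", ".tiff", ".svg", ".webp", ".ico")


def check_package(zip_bytes):
    """Return a list of rule violations for a package (empty list = OK)."""
    problems = []
    if len(zip_bytes) > MAX_PACKAGE_BYTES:
        problems.append("package: larger than 4 Mb")
    try:
        archive = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return problems + ["package: not a valid .zip file"]
    with archive:
        for info in archive.infolist():
            name = info.filename
            # Directory entries and path separators both break the
            # "all files in the same directory" rule.
            if info.is_dir() or "/" in name or "\\" in name:
                problems.append(f"{name}: directories are not allowed")
                continue
            if len(name) > MAX_NAME_LEN:
                problems.append(f"{name}: filename longer than 31 characters")
            lower = name.lower()
            if lower.endswith(IMAGE_EXTS):
                # file_size is the uncompressed size of the member.
                if info.file_size > MAX_IMAGE_BYTES:
                    problems.append(f"{name}: image larger than 1 Mb")
            elif lower.endswith(OTHER_IMAGE_EXTS):
                problems.append(f"{name}: image format not in the allowed list")
    return problems


def build_zip(entries):
    """Build an in-memory .zip from {name: bytes}; used for constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        for name, data in entries.items():
            archive.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample package, not a real customization bundle.
    sample = build_zip({
        "index.html": b"<html></html>",
        "images/logo.png": b"x",
        "photo.jpeg": b"x",
    })
    for line in check_package(sample) or ["package OK"]:
        print(line)
```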
Procedure
1. Enter the wireless configuration mode of the CLI.
2. Use the command wireless captive-portal client-deauthenticate all to
revoke authentication on all clients.
3. Use the command wireless captive-portal client-deauthenticate captiveportal-profile <Captive Portal profile Id> to revoke authentication on all
clients associated with a particular Captive Portal profile.
4. Use the command wireless captive-portal client-deauthenticate
<authenticated client MAC address> to revoke authentication on a specific client.
Procedure
1. Use one of the following commands to view the Captive Portal network status for a specific
Captive Portal profile Id and network profile Id.
show wireless captive-portal network-status CP-profile <CP-profile-Id> network-profile <network-profile-Id>
show wireless captive-portal network-status network-profile <network-profile-Id> CP-profile <CP-profile-Id>
2. Use the following command to view the Captive Portal network status.
show wireless captive-portal network-status
Related Links
Configuring and managing Captive Portals on page 29
Procedure
Enter the following command to view the current Captive Portal configuration of the WLAN
8100 system. This command only displays configuration that is different from the default
configuration.
WC8180#show running-config module wireless captive-portal
Related Links
Configuring and managing Captive Portals on page 29
Procedure
1. Use the command captive-portal profile <Captive Portal profile Id> to configure a Captive
Portal.
WC8180(config-wireless)#captive-portal profile <Captive Portal profile ID>
2. Set the Captive Portal IP Address and the IP address of the controller.
WC8180(config-cp-profile)#external-cp <Captive Portal IP> controller <Controller IP>
WC8180(config-cp-profile)#no external-cp <Captive Portal IP> controller <Controller IP>
Example of setting and verifying Captive Portal and Controller IP addresses for captive-portal profile 1.
# configuration command
WC8180(config-wireless)#captive-portal profile 1
Entering captive-portal-profile (id = 1) ...
WC8180(config-cp-profile)#?
Captive Portal Profile Configuration Commands
block            Block traffic for this profile
color            Set Captive-portal color scheme
default          Set captive portal parameters to default settings
end              End configuration mode
exit             Exit out of captive portal profile configuration mode
external-cp      Configure external captive-portal IP address
idle-timeout     Configure session idle timeout
ip               Captive-portal IP addresses
locale           Configure captive portal locale settings
max-bandwidth    Configure max bandwidth limit for transmit or receive
max-octets       Configure max octets available per session
no               Disable captive portal profile settings
profile-name     Set captive portal profile name
protocol-mode    Set captive portal protocol mode
redirect         Enable HTTP request redirect on successful CP-authentication
redirect-url     Configure redirected URL
session-timeout  Set session timeout.
user-logout      Enable user-logout mode for captive portal users
walled-garden    Captive-portal Walled Garden hostname configuration
web-hostname     Configure web hostname for Captive-Portal
WC8180(config-cp-profile)#
WC8180(config-cp-profile)#external-cp 1.1.1.1 controller 2.2.2.2
WC8180(config-cp-profile)#no external-cp 1.1.1.1 controller 2.2.2.2
WC8180(config-cp-profile)#
# show command
WC8180(config-cp-profile)#show wireless captive-portal profile 1 detail
Captive Portal Profile ID: 1
Name                       : Default
Protocol Mode              : http
User Logout Mode           : Enabled
Session Timeout (seconds)  : 0
Idle Timeout (seconds)     : 0
Max Bandwidth Up (bps)     : 0
Max Bandwidth Down (bps)   : 0
Max Input Octets (bytes)   : 0
Max Output Octets (bytes)  : 0
Max Total Octets (bytes)   : 0
Redirect Mode              : Disabled
Redirect URL               :
Web Hostname               :
Foreground Color           : #6F7B82
Background Color           : #6F7B82
Separator Color            : #CC0000
External Captive-portal IP : 1.1.1.1 / 2.2.2.2
                             1.1.1.1 / 2.2.2.3
Walled Garden Hostname     : 172.21.0.1
WC8180(config-cp-profile)#
# show running config
WC8180(config-cp-profile)#
...
captive-portal profile 1
profile-name Default
user-logout
session-timeout 0
color background #6F7B82
color foreground #6F7B82
color separator #CC0000
external-cp 1.1.1.1 controller 2.2.2.2
external-cp 1.1.1.2 controller 2.2.2.3
walled-garden hostname 172.21.0.1 type ip-addr
redirect-url =
locale
exit
exit
...
Related Links
Configuring and managing External Captive Portals on page 41
New Mode
Check CP profile
for External CPIPs
configurations
Internal
External
Yes
Yes
No
External
Internal
Yes
No
Yes
Related Links
Configuring and managing External Captive Portals on page 41
Procedure
1. Remove any internal CPIP configured in CP profiles.
2. Remove any CP profile mapped in the network profiles.
3. Disable CP if enabled in any network profiles.
4. Switch to external mode.
5. Configure required CP profiles with external CPIPs.
6. Map CP profile to required network profiles.
Procedure
1. Remove any external CPIP configured in CP profiles.
2. Remove any CP profile mapped in network profiles.
3. Disable CP if enabled in any network profiles.
4. Switch to internal mode.
5. Configure required CP profiles with internal CPIPs.
6. Map CP profile to required network profiles.
WC8180(config-wireless)#captive-portal ?
Parameters:
auth-timeout           Authentication session timeout period
enable                 Enable captive portal feature on the system
http-port              Configure additional HTTP port
https-port             Configure additional HTTPS port
mode
stats-report-interval
tftp-server
Sub-Commands/Groups:
profile                Create/Modify a specific captive portal profile
WC8180(config-wireless)#captive-portal mode internal
WC8180(config-wireless)#captive-portal mode external
Source:
New
<instance-parameter-1> = <ID>
Syntax (normal form):
config wireless security
dac-client <ID>
Syntax (no form):
config wireless security
no dac-client <ID>
Description:
Creates/Deletes a Dynamic Authorization Client
Corresponding MIB objects:
avWlanRadiusDacClientID
avWlanRadiusDacClientName
avWlanRadiusDacClientAddressType
avWlanRadiusDacClientAddress
avWlanRadiusDacClientSecret
avWlanRadiusDacClientSecretDigest
avWlanRadiusDacClientSecretEncrypt
avWlanRadiusDacClientRowStatus
avWlanRadiusDacClientTimeWindow
Procedure
1. Enter the wireless security configuration mode of the CLI.
WC8180#conf t
WC8180(config)#wireless
WC8180(config-wireless)#security
Related Links
Configuring and managing External Captive Portals on page 41
privExec
Source:
New
Procedure
Use show wireless security dac-client <ID> to display DAC client entries.
WC8180#show wireless security dac-client 1
DAC ID IP              DAC Name Time-window(Secs)
------ --------------- -------- -----------------
1      192.168.10.10   SCP0     3000
Related Links
Configuring and managing External Captive Portals on page 41
Source:
New
<parameter-1> = <WORD>
Syntax (normal form):
secret <WORD>
Syntax (no form):
NA
Syntax (default form):
NA
Description:
Configures shared radius secret for this dac client entry
avWlanRadiusDacClientSecret - 64 byte word
avWlanRadiusDacClientSecretDigest - 20 byte SHA-1 hash of secret
avWlanRadiusDacClientSecretEncrypt - 128 byte - The encrypted RADIUS server secret
based on PAP protocol. It is AES encrypted. On retrieval, an encrypted string will be
returned.
Corresponding MIB objects:
avWlanRadiusDacClientSecret
avWlanRadiusDacClientSecretDigest
avWlanRadiusDacClientSecretEncrypt
Procedure
1. Enter the wireless security configuration mode of the CLI.
WC8180#conf t
Enter configuration commands, one per line.
WC8180(config)#wireless
WC8180(config-wireless)#security
WC8180(config-dac-client)#
Related Links
Configuring and managing External Captive Portals on page 41
Source:
New
<parameter-1> = <1..65535>
Syntax (normal form):
timewindow <WORD>
Syntax (no form):
NA
Syntax (default form):
default timewindow
Description:
Configures replay time window for this dac client entry
Corresponding MIB objects:
avWlanRadiusDacClientTimeWindow
Procedure
1. Enter the wireless security configuration mode of the CLI.
WC8180#conf t
Enter configuration commands, one per line.
WC8180(config)#wireless
WC8180(config-wireless)#security
Related Links
Configuring and managing External Captive Portals on page 41
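The secret and timewindow settings of a DAC client entry correspond to the two checks that RFC 5176 defines for a receiver of dynamic authorization requests: the MD5 Request Authenticator computed with the shared secret, and the freshness of the Event-Timestamp attribute. The following Python sketch is an added example of those checks and is not Avaya code; the function names, the sample secret, and the assumption that a request without Event-Timestamp is dropped are illustrative.

```python
import hashlib
import hmac
import struct

DISCONNECT_REQUEST, COA_REQUEST = 40, 43   # RFC 5176 packet codes
EVENT_TIMESTAMP = 55                       # RFC 2869 attribute type

SECRET = b"constructed-shared-secret"      # constructed sample, not a real secret
WINDOW = 3000                              # seconds, as in the sample DAC entry
NOW = 1_400_000_000                        # fixed clock for the constructed sample


def request_authenticator(code, ident, attrs, secret):
    """MD5(Code | Identifier | Length | 16 zero octets | attributes | secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()


def parse_attributes(attrs):
    """Split the attribute area into (type, value) pairs, rejecting bad lengths."""
    out, i = [], 0
    while i < len(attrs):
        if i + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        a_type, a_len = attrs[i], attrs[i + 1]
        if a_len < 2 or i + a_len > len(attrs):
            raise ValueError("bad attribute length")
        out.append((a_type, attrs[i + 2:i + a_len]))
        i += a_len
    return out


def check_dac_request(packet, secret, time_window, now):
    """Return "accept" or a "drop: ..." reason for one received request."""
    if len(packet) < 20:
        return "drop: short packet"
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code not in (DISCONNECT_REQUEST, COA_REQUEST):
        return "drop: not a dynamic authorization request"
    if length < 20 or length > len(packet):
        return "drop: bad length"
    received, attrs = packet[4:20], packet[20:length]
    expected = request_authenticator(code, ident, attrs, secret)
    # Constant-time comparison: the authenticator proves knowledge of the secret.
    if not hmac.compare_digest(received, expected):
        return "drop: authenticator mismatch"
    try:
        parsed = parse_attributes(attrs)
    except ValueError as exc:
        return f"drop: {exc}"
    stamps = [v for t, v in parsed if t == EVENT_TIMESTAMP]
    # Assumption: the receiver requires exactly one Event-Timestamp.
    if len(stamps) != 1 or len(stamps[0]) != 4:
        return "drop: missing or malformed Event-Timestamp"
    sent_at = struct.unpack("!I", stamps[0])[0]
    # A captured request replayed after the window has passed is rejected here.
    if abs(now - sent_at) > time_window:
        return "drop: outside replay time window"
    return "accept"


def attribute(a_type, value):
    """Encode one RADIUS attribute as Type | Length | Value."""
    return bytes([a_type, len(value) + 2]) + value


def build_request(code, ident, attrs, secret):
    """Build a request as a DAC would; used only for the constructed samples."""
    auth = request_authenticator(code, ident, attrs, secret)
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + auth + attrs


def sample_request(sent_at, secret=SECRET):
    """Constructed Disconnect-Request for user "guest01" stamped at sent_at."""
    attrs = attribute(1, b"guest01")
    attrs += attribute(EVENT_TIMESTAMP, struct.pack("!I", sent_at))
    return build_request(DISCONNECT_REQUEST, 7, attrs, secret)


if __name__ == "__main__":
    pkt = sample_request(NOW)
    print(check_dac_request(pkt, SECRET, WINDOW, NOW))
    print(check_dac_request(pkt, SECRET, WINDOW, NOW + WINDOW + 1))
```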
Procedure
1. Enter Global or Interface Configuration mode of the ACLI.
2. Configure a RADIUS server using the command radius server <host IP Address>,
where <host IP address> is the IP address of the primary RADIUS server you want to
configure.
3. Configure a RADIUS profile using the command radius profile <profile name>
type .
A RADIUS profile can be one of two types: authentication or accounting.
(WC8180-security)#radius profile <profile name> type ?
acct
auth
In this example, 172.16.2.11 is the server host IP address and sample-radius-profile is an example RADIUS profile.
WC8180(config-security)#radius server 172.16.2.11 sample-radius-profile ?
encrypted-secret                 encrypted radius secret
health-check-encrypted-password  radius health check password (encrypted)
health-check-interval            Radius health check interval.
health-check-password            User password for radius health check
health-check-user                User name used for radius healtcheck
priority                         server priority
secret                           server shared secret
udp-port                         server UDP port
Description
encrypted-secret
health-check-encrypted-password
health-check-interval
Specifies the time (in seconds) after which the controller checks
the health of the RADIUS server.
Enter a number in the range 0 to 100. Specifying a time interval of
0 disables the health check.
health-check-user
health-check-password
priority
secret
udp-port
7. Use the command no radius profile <radius profile name> to delete a RADIUS profile.
8. Use the command no radius server <server IP Address> <radius profile
name> to delete a RADIUS server.
9. Use the command default radius server <ip address> <health-check-interval | health-check-password | health-check-user | health-check-encrypted-password> to restore default RADIUS server settings.
10. Use the command default radius profile <radius profile name> server-selection to delete a RADIUS profile.
Related Links
Configuring and managing RADIUS on page 48
Configuring RADIUS on page 199
Procedure
1. Enter Wireless Configuration mode of the ACLI.
2. Use the command security to enter Security Configuration mode.
3. Create a user name. Use the command radius server <server-ip> healthcheck
user <user-name> to configure the RADIUS health check user name.
Optionally:
Use the command default radius server-healthcheck-user to create a default
health check user.
4. Create a password. Use the command radius server <ip address> healthcheck
password to create the health check user password. The System prompts for a password
input which is displayed as *s.
Optionally:
Use the command default radius server-healthcheck-password to create a
default health check user password.
5. Create an encrypted user password. Use the command radius server <ip address>
healthcheck encrypted <encrypted-password> to create the health check
encrypted password. The System prompts for a password input which is displayed as *s.
Optionally:
Use the command default radius server-healthcheck-encrypted-password
to create a default health check user password.
6. Configure the duration and retry parameters. Use one of the following commands.
Use the command radius server-retries <1-5> to configure radius server retries.
Use the command radius server-timeout <1-30> to configure the radius server
timeout in seconds.
Use the command default radius server-retries to set the radius server retries to
the default value.
Use the command default radius server-timeout to set the radius server timeout to
the default value.
7. Configure the RADIUS server health check interval. Use one of the following commands.
In the following commands 172.16.2.10 is a sample RADIUS server IP address.
Use the command radius server 172.16.2.10 IAS health-check-interval
<0-100> to configure the RADIUS server health check interval in seconds. 0 implies that
health check is disabled.
Use the command default radius server 172.16.2.13 IAS health-check-interval
to set the default value of the RADIUS server health check interval.
8. View the health check configuration in detail. Use the command show wireless
security radius server detail.
Related Links
Configuring and managing RADIUS on page 48
Procedure
1. Enter the Network-profile configuration mode of the ACLI.
2. By default RADIUS offload is disabled. Use this command to enable RADIUS offload in
network profile.
WC8180 (config-network-profile)# radius offload
3. To disable RADIUS offload, use one of the following commands.
WC8180 (config-network-profile)# no radius offload
OR
WC8180 (config-network-profile)# default radius offload
Note:
Radius Offload is applicable only for WPA-enterprise security mode.
Related Links
Configuring and managing RADIUS on page 48
Generating a certificate
You can generate self-signed certificates, with Self-Signed as the issuer name.
Generate a certificate by providing the following information.
Common Name
Country Code
Email
Key Size
Organization Name
Organization Unit
State
The number of days that the certificate will be valid
Locality name
Procedure
Create a self-signed X.509 certificate by executing the following steps:
Note:
Common name is a mandatory parameter. The remaining parameters are optional.
a. Enter the Crypto configuration mode of the CLI.
b. Use the following command to create a self-signed certificate:
WLAN crypto configurations
certificate  Certificate generation and mapping commands
end          End wireless crytpo configuration mode
exit         Exit from wireless crypto configuration mode
no           Delete crypto configurations
WC8180(config-crypto)#certificate ?
Certificate generation and mapping commands
generate  Generate a self-signed (X.509) certificate
import    Import a certificate
map       Assign a certificate to an application
WC8180(config-crypto)#certificate import ?
pkcs12 Import a PKCS12 certificate
WC8180(config-crypto)#certificate import pk
WC8180(config-crypto)#certificate generate ?
<1-16> Certificate Index
WC8180(config-crypto)#certificate generate
common-name
country-code
state-name
organization
organization-unit
valid
Importing a certificate
Certificates generated by a 3rd party CA can be imported using TFTP. The certificate is imported by
providing details such as file type, filename, TFTP IP address and a passphrase. Only certificates
of type PKCS12 can be imported.
Note:
Certificates when generated or imported successfully are synchronized automatically to peer
controllers in a cluster, without the need to execute the command wireless controller
config-sync on the AMDC.
Certificates that failed to import are displayed on the AMDC with the failure status reason.
Procedure
Import an X.509 certificate from a PKCS#12 by executing the following steps:
a. Enter the Wireless Crypto configuration of the CLI.
b. Use the following command to import a self-signed certificate:
WC8180(config-crypto)#certificate import pkcs12 3 ?
filename  Name of the file to import
tftp-ip   TFTP Server IP
WC8180(config-crypto)#certificate import ?
pkcs12 Import a PKCS12 certificate
WC8180(config-crypto)#$ificate import pkcs12 3 tftp-ip 1.2.3.6 filename pp.k
Description
tftp-ipaddress
file-name
Related Links
Configuring and managing RADIUS on page 48
Mapping a certificate
When certificates are generated or imported, a certificate ID is created. A maximum of 16 certificate
IDs can be generated or imported. These certificate IDs can then be mapped to either RADIUS
applications or Captive Portals or both. Also, the same certificate ID can be mapped to both the
RADIUS application and the Captive Portal.
When a certificate ID is mapped to RADIUS application or a Captive Portal on AMDC in a cluster, it
must be pushed to peer controllers by executing the command wireless controller config-sync.
Important:
Certificate mapping or un-mapping must be synchronized across controllers in a cluster by
executing the wireless controller config-sync command on AMDC controller.
Procedure
1. Map an application to an X.509 certificate by executing the following steps:
a. Enter the wireless or crypto configuration mode of the ACLI.
b. Use the command certificate map {Captive Portal|radius}
certificate-index to map the certificate to a RADIUS application or a Captive
Portal.
WC8180(config-crypto)#certificate map ?
captive-portal  Captive Portal application
radius          RADIUS application
WC8180(config-crypto)#certificate map radius ?
<1-16> Certificate Index
Description
certificate-index
Procedure
Use the following commands to view the generated and imported certificates.
a. Use the command show wireless crypto certificate to display all generated
and imported certificates.
b. Use the command show wireless crypto certificate detail to display all
generated and imported certificates in detail.
c. Use the command show wireless crypto certificate <index> to display a
particular certificate.
d. Use the command show wireless crypto certificate <index> detail to
display a particular certificate in detail.
e. Use the command show wireless crypto certificate map to display
application mapping details.
Related Links
Configuring and managing RADIUS on page 48
Procedure
1. Enter Wireless Configuration mode of the CLI.
2. Use the command security to enter Security Configuration mode.
3. Use the command radius profile server-selection round-robin to enable
RADIUS server load balancing.
4. Use the command default radius profile <profile-name> server-selection
to set the default server selection mode.
5. Use the command show wireless security radius profile profile-name to
show the RADIUS profile.
Related Links
Configuring and managing RADIUS on page 48
Procedure
1. Enter the Wireless Configuration mode of the CLI.
2. Configure RADIUS accounting on a RADIUS profile:
WC8180#radius profile <profile name> type ?
acct
auth
wc8180#radius server <radius accounting server ip> <radius accounting profile name> type acct ?
encrypted-secret                 encrypted radius secret
health-check-encrypted-password  Radius health check password (encrypted)
health-check-interval            Radius health check interval
health-check-password            User password for radius health check
health-check-user                User name used for radius healtcheck
priority                         server priority
secret                           server shared secret
udp-port                         server UDP port
<cr>
Note:
Server selection is optional for configuring RADIUS accounting. Also, health-check does
not apply to accounting servers.
3. Enable RADIUS accounting in the network profile and also map the RADIUS accounting
profile with the network profile.
WC8180(config-network-profile)#radius accounting?
accounting
accounting-profile
WC8180(config-network-profile)#radius accounting
WC8180(config-network-profile)#radius accounting-profile <radius accounting profile name>
Related Links
Configuring and managing RADIUS on page 48
Auto-RF
The following sections describe the configuration and management of the Automatic Radio
Frequency (Auto-RF) feature, using the ACLI.
Related Links
ACLI reference for the Wireless LAN (WLAN) 8100 on page 11
Configuring Auto-RF on page 59
Managing Auto-RF operations on page 63
Viewing Auto-RF configuration and status on page 64
Configuring Auto-RF
Configure Auto-RF to perform automatic channel assignment or power selection for access points
(AP) in a mobility domain.
Note:
In the current release, Auto-RF is enabled by default.
Configure the Auto-RF channel plan for the a-n and the bg-n radio frequency bands:
WC8180(config-wireless)#auto-rf channel-plan ?
a-n   802.11 a/n radio frequency band
bg-n  802.11 bg/n radio frequency band
WC8180(config-wireless)#auto-rf channel-plan a-n ?
history-depth  Set channel plan history depth
interval       Set interval used for "interval" plan mode
mode           Set channel plan mode
time           Set time used for "time" plan mode
WC8180(config-wireless)#
WC8180(config-wireless)#auto-rf channel-plan bg-n ?
history-depth  Set channel plan history depth
interval       Set interval used for "interval" plan mode
mode           Set channel plan mode
time           Set time used for "time" plan mode
WC8180(config-wireless)#
power-plan ?
plan mode
the threshold strength in dBm to be used for
adjustements
Procedure
1. Enter Wireless Configuration mode of the CLI.
2. Use the command auto-rf channel-plan {a-n | bg-n} history-depth <0 - 10> to
set the number of saved historical channel plans.
3. Use the command auto-rf channel-plan {a-n | bg-n} interval <1 - 24> to
set the channel adjustment interval in hours.
4. Use the command auto-rf channel-plan {a-n | bg-n} time <hh:mm> to set the
time of day to perform channel adjustment.
5. Use the command auto-rf channel-plan {a-n | bg-n} mode {interval |
manual | time} to set the channel adjustment mode.
6. Use the command auto-rf power-plan mode {auto | manual} to set the power
adjustment mode.
7. Use the command auto-rf power-plan threshold strength <-99 - -1> to set
the power plan threshold strength.
The default power plan threshold strength is -85 dBm.
8. Use the command wireless ap power <ap_mac_addr> <1|2> <%
power_reduction> to explicitly set a temporary override power on a specific radio.
Note:
The power is configured in terms of percentage of maximum power. The maximum
power is the lower of the power level allowed for the channel by the regulatory
domain and the hardware capability.
Note:
The APA runs continuously collecting neighbor AP data for up to 20 minutes, making
power adjustments and starting the data collection again.
The ACA runs on a set interval. The default interval is 1 hour and can be configured.
For a first time installation of the WLAN 8100, a lower interval is recommended to
speed up convergence to an acceptable channel plan.
Auto RF depends on data collected during the RF scan by the APs and forwarded to
the controllers. Depending on the deployment scenario and the configured off-channel
scanning schedule, it can take several hours to build up the information needed for
Auto RF decisions.
Example
Sample Auto-RF Configuration using the CLI:
1. Enable APA at the domain level. Execute the following command:
WC8180(config-wireless)#auto-rf power-plan mode auto
:
:
:
:
Default-5GHz
AP8120/E
US
access-wids
: Yes
: Yes
4. Verify that each AP is set to use Auto power and channel in the Domain AP database.
Note:
The default is auto.
AMDC#show wireless domain ap database detail
Total number of entries in AP database = 106
------------------------------------------------------
AP MAC   : 00:1B:4F:6C:01:00
..........
Radio 1
Channel  : Automatic Adjustment
Power    : Automatic Adjustment
..........
Radio 2
Channel  : Automatic Adjustment
Power    : Automatic Adjustment
...........
------------------------------------------------------
......
......
6. (Optional) You can perform additional Auto-RF verification by reviewing the databases used
by Auto-RF:
Verify that RF Scan is working properly and collecting neighbor information:
WC8180#show wireless security wids-wips rf-scan
Check the neighbor APs detected, both domain and non-managed APs:
WC8180#show wireless ap neighbor-ap
wireless rrm neighbors all
Related Links
Auto-RF on page 59
Procedure
1. Enter Privileged mode of the CLI.
2. Use the command wireless auto-rf channel-plan {a-n | b/g-n} start to run
the channel adjustment algorithm.
3. Use the command wireless auto-rf channel-plan {a-n | b/g-n} apply to
apply the proposed channel adjustment plan.
4. Use the command wireless auto-rf power-plan start to run the power planning
algorithm.
Note:
The apply option in the command wireless auto-rf power-plan is not supported
in the current release.
5. Use the command clear wireless auto-rf power-plan to clear the wireless power
plan.
This command clears all the APA power adjustments and resets all radios to their default
power level.
Related Links
Auto-RF on page 59
Procedure
1. Use the command show wireless auto-rf power-plan to view the Auto-RF power
plan settings.
Sample output:
WC8180#show wireless auto-rf power-plan
Power plan mode                      : Manual
Power Plan Operational Status        : Inactive
Power Threshold Strength (dBm)       : -85
Number of Interfering Managed AP's   : 3
Number of Interfering Managed VAP's  : 8
Power Cycle Count                    : 0
Total Power Changes Count            : 0
Power Increase Count                 : 0
Power Decrease Count                 : 0
Number of Operational Radios         : 30
Time since last Power Plan Iteration : 0d:00:08:42
2. Use the command show wireless ap radio power-plan status <AP MAC
address> <radio index> to view the AP radio power plan status for a particular AP
MAC address and radio index.
Example: AP radio power plan status for radio index 1 and AP MAC address 00:1B:4F:6A:18:E0.
WC8180#show wireless ap radio power-plan status 00:1B:4F:6A:18:E0 1
------------------------------------------------------------------------------
                                TX      Int_AP Int_VAP Last Adjust Power Power
AP MAC            Radio Channel Power   Count  Count   Status      Incr  Decr
----------------- ----- ------- ------- ------ ------- ----------- ----- -----
00:1B:4F:6A:18:E0 1     157     80      0      0       None        0     0
------------------------------------------------------------------------------
Example: AP radio power plan status for radio index 2 and AP MAC address 00:1B:4F:6A:18:E0.
WC8180#show wireless ap radio power-plan status 00:1B:4F:6A:18:E0 2
------------------------------------------------------------------------------
                                TX      Int_AP Int_VAP Last Adjust Power Power
AP MAC            Radio Channel Power   Count  Count   Status      Incr  Decr
----------------- ----- ------- ------- ------ ------- ----------- ----- -----
00:1B:4F:6A:18:E0 2     6       80      0      0       None        0     0
------------------------------------------------------------------------------
3. Use the command show wireless ap radio power-plan status <AP MAC
address> detail to view the AP radio power plan status for an AP.
In the following example, 00:1B:4F:6A:18:E0 is a sample AP MAC address.
WC8180#show wireless ap radio power-plan status 00:1B:4F:6A:18:E0 detail
AP (mac=00:1B:4F:6A:18:E0)
Radio 1 (mac=00:1B:4F:6A:18:E0)
Transmit Power                      : 80 %
Channel                             : 157
Number of Interfering Managed AP's  : 0
Number of Interfering Managed VAP's : 0
Strongest Neighbor Mac Address      : 00:00:00:00:00:00
Strongest Neighbor Signal           : 0
Strongest Detector AP Mac Address   : 00:00:00:00:00:00
Strongest Detector AP Signal        : 0
Last Power Adjustment Status        : Unchanged
Last Power Adjustment Reason Code   : Power Plan Disabled
Power Increase Count                : 0
Power Decrease Count                : 0
Radio 2 (mac=00:1B:4F:6A:18:F0)
Transmit Power                      : 80 %
Channel                             : 6
Number of Interfering Managed AP's  : 0
Number of Interfering Managed VAP's : 0
Strongest Neighbor Mac Address      : 00:00:00:00:00:00
Strongest Neighbor Signal           : 0
Strongest Detector AP Mac Address   : 00:00:00:00:00:00
Strongest Detector AP Signal        : 0
Last Power Adjustment Status        : Unchanged
Last Power Adjustment Reason Code   : Power Plan Disabled
Power Increase Count                : 0
Power Decrease Count                : 0
4. Use the command show wireless ap radio power status <AP MAC address> to
view the AP radio power status for an AP.
In the following example, 00:1B:4F:6A:18:E0 is a sample AP MAC address.
Sample output:
WC8180#show wireless ap radio power status 00:1B:4F:6A:18:E0
AP (mac=00:1B:4F:6A:18:E0)
Radio 1 (mac=41:00:5E:3B:E1:00)
Manual Power Adjustment Status : None
Transmit Power                 : 80
Radio 2 (mac=41:00:5E:3B:E1:00)
Manual Power Adjustment Status : None
Transmit Power                 : 80
Use the command show wireless ap radio power status <AP MAC address>
[1|2] to view the AP radio power status for an AP and for a specific radio channel.
Sample output:
WC8180#show wireless ap radio power status 00:1B:4F:6A:18:E0 1
AP (mac=00:1B:4F:6A:18:E0)
Radio 1 (mac=41:00:5E:3B:E1:00)
Manual Power Adjustment Status : None
Transmit Power                 : 80
5. Use the command show wireless auto-rf channel-plan [a-n|bg-n] to view the
Auto RF channel plan for the a-n and bg-n radio frequency bands.
Sample outputs:
WC8180#show wireless auto-rf channel-plan a-n
----------------------------------------------------------------------
Phy-Mode:                              802.11 a/n
--------------------
Mode:                                  Interval
Interval:                              1 hours
Time:                                  00:00
History Depth:                         5
Operational:                           True
Last Iteration Status:                 7
Manual Status:                         None
Max Consecutive Change Iterations:     0
Max Consecutive No Change Iterations:  7
WC8180#show wireless auto-rf channel-plan bg-n
----------------------------------------------------------------------
Phy-Mode:                              802.11 b/g/n
--------------------
Mode:                                  Interval
Interval:                              1 hours
Time:                                  00:00
History Depth:                         5
Operational:                           True
Last Iteration Status:                 7
Manual Status:                         None
Max Consecutive Change Iterations:     2
Max Consecutive No Change Iterations:  3
6. Use the command show wireless auto-rf channel-plan history to view the Auto
RF channel plan history.
Sample output:
WC8180#show wireless auto-rf channel-plan history
                               Radio                                  AP   AP
Phy Mode     AP Mac Address    Intf  AP Location                      Iter Ch
------------ ----------------- ----- -------------------------------- ---- ---
802.11 b/g/n 58:16:26:ac:75:60 2                                      1    1
802.11 b/g/n 58:16:26:ac:bf:e0 2                                      1    1
7. Use the command show wireless auto-rf channel-plan proposed to view the
proposed Auto RF channel plan.
Sample output:
WC8180#show wireless auto-rf channel-plan proposed
------------------------------------------------------------------------------
Phy Mode     AP Mac Address    Radio Interface Current Channel New Channel
------------ ----------------- --------------- --------------- -----------
802.11 b/g/n 58:16:26:ac:75:60 2               11              1
802.11 b/g/n 58:16:26:ac:bf:e0 2               6               1
Related Links
Auto-RF on page 59
Procedure
1. Enter the wireless configuration mode of the CLI. Use the following commands:
WC8180#conf t
WC8180(config)#wireless
WC8180(config-wireless)#
2. Use the following command to set the Tunnel Path MTU to a value different from the default
value, at any time during the operation of the system.
WC8180(config-wireless)#tunnel-path-mtu 1250
Note:
The default value of the Tunnel Path MTU for the WC 8180 controller is 1492 bytes. The
range is 1250 to 2372 bytes.
Note:
It is recommended that all controllers in the domain are set with an identical tunnel-path
MTU configuration.
3. Verify the Tunnel Path MTU configuration:
WC8180#show wireless
Operation Mode    : WC
Status            : Enabled
Interface IP      : 134.177.252.65
TCP/UDP base port : 61000
Base MAC Address  : 00:24:B5:1F:96:00
Tunnel Path MTU   : 1250
WC
Enabled
134.177.252.65
61000
00:24:B5:1F:96:00
1492
Related Links
ACLI reference for the Wireless LAN (WLAN) 8100 on page 11
DiffServ
Differentiated services or DiffServ specifies a simple and scalable mechanism for classifying and
managing network traffic and providing quality of service (QoS) to wireless clients, on modern IP
networks. The following sections describe the configuration and management of DiffServ using
ACLI.
ACLI reference:
WCP8180(config-wireless)# DiffServ ?
Differentiated Services
classifierblock  Classifier Block
policy           DiffServ Policy
Important:
Ensure that you configure DiffServ policy and classifier block names that are unique across the
network. Do not configure policy and classifier names that have similar letters and characters
and differ only in their case.
Procedure
1. Configure a DiffServ classifier block and classifier elements.
CLI reference to configure a classifier block.
WCP8180(config-wireless)#diffserv classifierblock ?
WORD Enter Classifier Block name
WCP8180(config-wireless)#diffserv classifierblock c1
Example:
Configure a classifier block named classifier1 using the following command:
In the following example, 01:02:03:04:05:06 is a sample client MAC address and
ff:ff:ff:ff:ff:ff is the corresponding subnet mask. Replace these values with those
appropriate to your network.
WCP8180(config-wireless)#DiffServ classifierblock classifier1
WCP8180(config-DiffServ-classifierelement)#match src-mac 01:02:03:04:05:06 mask ff:ff:ff:ff:ff:ff
src-mac  Match Src MAC/Mask
srcport  Match Src L4 Port
tos      Match ToS/Mask
WCP8180(config-diffserv-classifierelement)#
Important:
Considerations when configuring classifier block elements
When you configure a classifier block to match the source/destination client IP
address or a client MAC address (as in the above example), you must configure a
proper mask to ensure that the classifier block is applied to traffic from only the
specified client and not all clients within the subnet.
For example, if you configure the classifier block to drop packets for a client IP
address of 10.1.20.5, a mask of 255.255.255.0 drops the packets on all clients
within the subnet. To ensure that packets are dropped only for traffic from the
specified client, you must set the mask to 255.255.255.255.
Similarly, if you configure a client MAC address, ensure that you set the subnet mask
to ff:ff:ff:ff:ff:ff.
When you configure a classifier block, you can configure any value for the EthType
parameter. However, you can configure other classifier block parameters such as
protocol, dest-ip, src-ip, ipDscp, IpPrecedence, IpTos, src-port and dst-port only if
you set the EthType parameter to 0x0800 (hex).
Use one of the following commands to configure the classifier block elements.
WCP8180(config-diffserv-classifierelement)#match cos ?
<0-7>
WCP8180(config-diffserv-classifierelement)#match ds-field ?
<0-63>
WCP8180(config-diffserv-classifierelement)#match dst-ip ?
A.B.C.D
WCP8180(config-diffserv-classifierelement)#match dst-mac ?
H.H.H
WCP8180(config-diffserv-classifierelement)#match dstport ?
<1-65535>
WCP8180(config-diffserv-classifierelement)#match ethtype ?
<0x600-0xFFFF> Ethernet Type in HEX
WCP8180(config-diffserv-classifierelement)#match precedence ?
<0-7>
WCP8180(config-diffserv-classifierelement)#match protocol ?
<0-255>
WCP8180(config-diffserv-classifierelement)#match src-ip ?
A.B.C.D
WCP8180(config-diffserv-classifierelement)#match srcport ?
<1-65535>
WCP8180(config-diffserv-classifierelement)#match tos ?
<0x00-0xFF>
Example:
Configure a DiffServ policy named policy1 and associate the configured classifier block
classifier1 with this policy. Use the following command:
In this example, allow is a sample action associated with the classifier block
classifier1. The allow action allows packets or traffic that match the criteria specified in
the classifier block configured in Step 1.
WCP8180(config-DiffServ-classifierelement)#DiffServ policy policy1
WCP8180(config-DiffServ-policy)#classifierblock classifier1 allow
4. Verify DiffServ classifier details. Use one of the following commands.
WCP8180#sh wireless diffserv classifierblock
Sample Output:
WCP8180#sh wireless diffserv classifierblock
Classifier Blocks
----------------
c1
Total number of classifier blocks: 1
WCP8180(config-diffserv-policy)#show wireless diffserv classifierblock classifier1 detail
Sample Output:
WCP8180(config-diffserv-policy)#show wireless diffserv classifierblock classifier1 detail
Also, ensure that you do not configure SSIDs that have similar characters but are
different only in their case. For example, do not configure the SSIDs avaya-demo and
AVAYA-DEMO within the same network.
WCP8180(config-wireless)#network-profile 2
Creating network-profile (id = 2) ...
WCP8180(config-network-profile)#profile-name AVAYA-Demo
WCP8180(config-network-profile)#ssid AVAYA-Demo
WCP8180(config-network-profile)#mobility-vlan Mobile-Clients
WCP8180(config-network-profile)#exit
8. Enable client-QoS and Domain AP-client-QoS and map the created Diffserv policy to the
AVAYA-Demo network profile, to prioritize WMM (Wireless Multi-Media) traffic in the network.
By default, in WMM, voice traffic has a higher priority over video traffic. You can, for
example, configure DiffServ policies to reverse this traffic priority in the network.
For example, to enable client QOS and configure the DiffServ policy policy1 on the
network profile, execute the following commands.
WCP8180(config-wireless)#network-profile 2
Creating network-profile (id = 2) ...
WCP8180(config-network-profile)#client-qos enable
WCP8180(config-network-profile)#client-qos diffserv {up} policy1
2
Enabled
policy1
---------------------------------------------------------------
:
:
:
:
:
:
:
:
:
:
US
Enabled
30 seconds
300 seconds
Disabled
5 %
5 %
5 %
60
least-load
9. View the DiffServ statistics. Ensure that wireless clients are connected to the network.
Use the following command to view the DiffServ statistics for all clients.
WCP8180#show wireless diffserv statistics
Sample Output:
WCP8180#show wireless diffserv statistics
---------------------------------------------
Client MAC         Direction     Policy Name
-----------------  ------------  -------------
00:05:03:01:00:01  Uplink        p1
00:05:03:01:00:01  Downlink      p1
00:05:03:02:00:01  Uplink        p1
00:05:03:02:00:01  Downlink      p1
Use the following command to view the DiffServ statistics for a specific client MAC address.
In the following example, 00:05:03:01:00:01 is a sample client MAC address.
WCP8180#show wireless diffserv statistics 00:05:03:01:00:01
Sample Output:
WCP8180#show wireless diffserv statistics 00:05:03:01:00:01
Client (MAC=00:05:03:01:00:01)
Direction: Uplink
Policy: p1
ClassifierBlock Name                  Hits
--------------------------------------------
c1                                    10280
Client (MAC=00:05:03:01:00:01)
Direction: Downlink
Policy: p1
ClassifierBlock Name                  Hits
--------------------------------------------
c1                                    0
Sample Output:
WCP8180#sh wireless diffserv statistics detail
Client (MAC=00:05:03:01:00:01)
Direction: Uplink
Policy: p1
ClassifierBlock Name                  Hits
--------------------------------------------
c1                                    11280
Client (MAC=00:05:03:01:00:01)
Direction: Downlink
Policy: p1
ClassifierBlock Name                  Hits
--------------------------------------------
c1                                    0
Client (MAC=00:05:03:02:00:01)
Direction: Uplink
Policy: p1
ClassifierBlock Name                  Hits
--------------------------------------------
c1                                    0
Client (MAC=00:05:03:02:00:01)
Direction: Downlink
Policy: p1
ClassifierBlock Name                  Hits
--------------------------------------------
c1                                    0
WCP8180#
10. Use the following commands to view client QoS bandwidth for uplink and downlink traffic
between APs and clients.
Important:
The displayed client QoS bandwidth represents the actual bandwidth rate in use for the
client, which may differ from the configured value because the AP rounds the value
down to the nearest multiple of 64000 bps. This is independent of the type of client authentication.
For example, if the configured bandwidth rate for the client is 4294967295 bps
(configured in either the network profile or as part of RADIUS authentication), the actual
value displayed when you execute show wireless client qos status is
4294912000 bps, which is the nearest multiple of 64000.
WC8180#show wireless client qos status
Client Mac Address: cc:52:af:0e:c6:81
QoS Operational Status: Enabled
                       Client to AP(Ingress)  AP to Client(Egress)
                       ---------------------  --------------------
QoS Bandwidth limit:   64000                  64000
Diffserv Policy Name:  None                   None
WC8180#

Client to AP(Ingress)  AP to Client(Egress)
---------------------  --------------------
40000                  40000
None                   None
Criteria / Description

Match All
  Specifies that a packet must match all criteria of the classifier block.
  Allow signifies that all packets will match the selected IP ACL and
  Rule and will be either permitted or denied.
  The Match All rule overrides all other filtering rules, so if Match All
  is set, the other rules are not configurable.
Protocol
  Specifies the packet's protocol as the match condition for the selected
  rule.
  The protocol is identified by a number. This number is a standard value
  assigned by IANA and is an integer in the range 1 to 255.
Source IP Address
  Specifies the packet's source port IP address as the match condition for
  the rule.
  The address you enter is compared with the packet's source IP
  Address. You must also specify a source IP Mask with the Source IP
  Address.
Source IP Mask
Source L4 Port
Destination L4 Port
Destination IP Address
IPDSCP (Optional)
IP Precedence (Optional)
IP TOS Bits (Optional)
  Specifies the packet's IP TOS value as the match condition for the rule.
  The IP TOS field in a packet is defined as all eight bits of the Service
  Type octet in the IP header. Matches on the Type of Service bits in the
  IP header when checked.
  For example, to check for an IP TOS value having bits 7 and 5 set and
  bit 1 clear, where bit 7 is most significant, use a TOS Bits value of 0xA0
  and a TOS Mask of 0xFF.
  TOS Bits:
  This value is a hexadecimal number from 00 to FF. Requires the bits
  in a packet's TOS field to match the two-digit hexadecimal number
  that you enter.
  TOS Mask:
  This value is a hexadecimal number from 00 to FF. Specifies the bit
  positions that are used for comparison against the IP TOS field in a
  packet.
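The mask considerations for client IP and MAC classifiers and the TOS Bits/TOS Mask criteria above all rest on the same masked comparison. The following Python sketch is an added example, not Avaya code: it assumes the conventional rule that only the bit positions set in the mask are compared, and the function names and the client list are constructed for illustration.

```python
import ipaddress

# Constructed client list: three hosts in 10.1.20.0/24 and one outside it.
CLIENTS = ["10.1.20.5", "10.1.20.6", "10.1.20.200", "10.1.21.5"]


def _mac_int(mac: str) -> int:
    """Convert aa:bb:cc:dd:ee:ff (or aa-bb-...) to a 48-bit integer."""
    return int(mac.replace(":", "").replace("-", ""), 16)


def _ip_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def masked_equal(rule_value: int, mask: int, packet_value: int) -> bool:
    """Assumed semantics: compare only the bit positions set in the mask."""
    return (packet_value & mask) == (rule_value & mask)


def ip_rule_matches(rule_ip: str, mask: str, packet_ip: str) -> bool:
    return masked_equal(_ip_int(rule_ip), _ip_int(mask), _ip_int(packet_ip))


def mac_rule_matches(rule_mac: str, mask: str, packet_mac: str) -> bool:
    return masked_equal(_mac_int(rule_mac), _mac_int(mask), _mac_int(packet_mac))


def tos_rule_matches(tos_bits: int, tos_mask: int, packet_tos: int) -> bool:
    return masked_equal(tos_bits, tos_mask, packet_tos)


def clients_in_scope(rule_ip: str, mask: str, client_ips):
    """Clients whose traffic a src-ip/dst-ip classifier element would match."""
    return [ip for ip in client_ips if ip_rule_matches(rule_ip, mask, ip)]


def tos_values_in_scope(tos_bits: int, tos_mask: int):
    """Every TOS octet value (0x00-0xFF) that the bits/mask pair matches."""
    return [v for v in range(256) if tos_rule_matches(tos_bits, tos_mask, v)]


def is_host_mask(mask: str) -> bool:
    """True when the mask pins the rule to exactly one client address."""
    if ":" in mask or "-" in mask:
        return _mac_int(mask) == 0xFFFFFFFFFFFF
    return _ip_int(mask) == 0xFFFFFFFF


if __name__ == "__main__":
    # A drop rule for 10.1.20.5 with a /24 mask hits the whole subnet.
    print(clients_in_scope("10.1.20.5", "255.255.255.0", CLIENTS))
    # The all-ones mask restricts the same rule to the one client.
    print(clients_in_scope("10.1.20.5", "255.255.255.255", CLIENTS))
    # With TOS Mask 0xFF every bit is compared, so only 0xA0 matches.
    print([hex(v) for v in tos_values_in_scope(0xA0, 0xFF)])
```

Running `is_host_mask` over every address-based classifier element before attaching it to a drop policy catches the subnet-wide match described in the considerations above.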
AeroScout
The AeroScout Enterprise Visibility Solution leverages standard wireless network infrastructure to
accurately locate any asset and uses that location to deliver direct benefits such as asset tracking,
process automation, theft prevention and increased utilization. AeroScout Tags, which are small,
battery-powered devices, are mounted on equipment or carried by personnel to deliver the real-time
location of the tracked asset or person. The messages transmitted by the AeroScout Tags are
received by access points and are passed along with additional information (e.g. signal strength
measurements) to the AeroScout Engine, a core component of the AeroScout visibility system, which
calculates the accurate location of the Tag.
The WLAN 8100 solution supports AeroScout enablement on an AP profile.
Important:
AeroScout enablement is supported only on indoor APs. It is not supported on the AP 8120O,
which is an outdoor AP.
The following sections describe AeroScout enablement using the Avaya CLI.
ACLI reference:
WC8180(config-wireless)#ap-profile ?
<1-32> AP Profile ID
WC8180(config-wireless)#ap-profile 2
Entering ap-profile (id = 2) configuration mode...
WC8180(config-ap-profile)#?
AP Profile Configuration Commands
aeroscout        Configure AE protocol support mode
ap-model         Configure AP Model
cos2dscp         CoS to DSCP Mappings
default          Set a command to its default values
default-profile  Set current profile, as the default profile for an AP
dscp2cos         DSCP to CoS QoS Mapping
end              End configure mode
exit             Exit from AP profile configuration mode
network          Configure Network Profile mapping on a radio
no               Disable AP profile parameters
profile-name     Set an AP profile name
radio            Configure Radio Profile mapping on a radio
WC8180(config-ap-profile)#aeroscout ?
enable Enable AE protocol support mode
Related Links
ACLI reference for the Wireless LAN (WLAN) 8100 on page 11
Enabling AeroScout on an AP profile on page 80
Procedure
1. Create an AP profile named AP-Profile-1 with profile ID 2.
WC8180(config-wireless)#ap-profile 2
Creating ap-profile (id = 2) ...
WC8180(config-ap-profile)#profile-name AP-Profile-1
WC8180(config-ap-profile)#exit
Sample Output:
AP Profile Id: 2
Name                : AP-Profile-1
Country Code        : IN
AP Model            : Avaya APs (AP8120/AP8120-E)
Is Default Profile? : No
AE Protocol Support : Disable
Status              : Associated
Sample Output:
AP Profile Id: 2
Name                : AP-Profile-1
Country Code        : IN
AP Model            : Avaya APs (AP8120/AP8120-E)
Is Default Profile? : No
AE Protocol Support : Enable
Status              : Associated & Modified
Related Links
AeroScout on page 79
Station Isolation
Station isolation prevents traffic from one wireless client inadvertently reaching another wireless
client on the same mobility VLAN. Station isolation is configured on a per network basis. When this
feature is enabled on the network, wireless clients can only communicate with devices in a different
subnet through the gateway. Traffic that is not destined to the gateway gets filtered by the AP.
Station Isolation is especially useful in environments such as a hotel or public hot spots.
Important:
Station isolation is supported in both the Overlay and Unified Access deployments.
The following sections describe enabling Station Isolation using the Avaya CLI.
Related Links
ACLI reference for the Wireless LAN (WLAN) 8100 on page 11
Enabling Station Isolation on a network profile on page 81
Note:
From release 2.1.0 onwards, station isolation configuration is not supported on a Radio profile.
You can configure and enable only on a network profile.
Procedure
1. Create a network profile named NP2 with profile ID 2.
WC8180(config-wireless)#network-profile 2
Creating network-profile (id = 2) ...
WC8180(config-network-profile)#profile-name NP2
WC8180(config-network-profile)#exit
Sample Output:
WC8180#show wireless network-profile 2
--------------------------------------------------------------
Id   Profile  Mobility        Security   Captive    Station
     Name     VLAN            Mode       Portal     Isolation
---  -------  --------------  ---------  ---------  ---------
2    NP2      default-MVLAN   open       Disabled   Enabled
--------------------------------------------------------------
6. View the wireless client status in detail, specifically the Gateway IP address and the
Gateway MAC address.
WC8180#show wireless client status
Total number of clients: 1
-------------------------------------------------------------------------------
Client             Client           Associated         Mobility         Status
MAC Address        IP Address       AP MAC             VLAN
-----------------  ---------------  -----------------  ---------------  -----------
00:05:02:01:00:01  10.1.21.180      00:1B:4F:6C:01:00  default-MVLAN    Auth
:
:
:
:
:
:
10.1.21.180
client1
AVAYA-Demo
Mobile-Clients
Authenticated
No
..........
Gateway IP                            : 10.1.29.1
Gateway MAC                           : 00:19:69:91:00:43
Radio Resource Measurement (RRM)      : Unsupported
Location Report Requests              : Unsupported
AP Detection via Beacon Table Report  : Unsupported
Beacon Active Scan Capability         : Unsupported
Beacon Passive Scan Capability        : Unsupported
Channel Load Measurement              : Unsupported
RSSI (%)                              : 46
Signal Strength (dBm)                 : -49
Noise (dBm)                           : -95
WC8180#
7. Use the following command to view the client statistics. The output of this command helps
you view the number of packets (from clients) dropped as a result of Station Isolation, when
these packets are not addressed to the gateway. You can also view the number of packets
dropped because, for example, the Gateway MAC address was not successfully dynamically
determined.
WC8180#show wireless client statistics detail
Client (MAC=CC:52:AF:0E:C6:FA)
Packets Rx / Tx          : 445 / 49
Bytes Rx / Tx            : 50204 / 462
........
Station Isolation stats
Unknown-GW Pkts dropped: 0
Non-GW Dst Pkts dropped: 47
........
WC8180#
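The two Station Isolation counters in this output can be collected per client and reviewed in bulk. The following Python sketch is an added example, not part of the Avaya documentation: it parses text in the layout shown above and reports clients whose counters are non-trivial. The second client in the sample, the finding labels and the `min_non_gw_drops` threshold are constructed for illustration.

```python
import re

# First client block follows the sample output above; the second is constructed.
SAMPLE_OUTPUT = """\
Client (MAC=CC:52:AF:0E:C6:FA)
Packets Rx / Tx          : 445 / 49
Bytes Rx / Tx            : 50204 / 462
........
Station Isolation stats
Unknown-GW Pkts dropped: 0
Non-GW Dst Pkts dropped: 47
........
Client (MAC=00:05:02:01:00:01)
Packets Rx / Tx          : 1200 / 1100
Bytes Rx / Tx            : 91000 / 88000
........
Station Isolation stats
Unknown-GW Pkts dropped: 35
Non-GW Dst Pkts dropped: 0
........
"""

_CLIENT = re.compile(r"^Client \(MAC=([0-9A-Fa-f:]{17})\)")
_PKTS = re.compile(r"^Packets Rx / Tx\s*:\s*(\d+)\s*/\s*(\d+)")
_UNKNOWN_GW = re.compile(r"^Unknown-GW Pkts dropped\s*:\s*(\d+)")
_NON_GW = re.compile(r"^Non-GW Dst Pkts dropped\s*:\s*(\d+)")


def parse_station_isolation(text: str) -> dict:
    """Return {client MAC: counters} from 'show wireless client statistics detail'."""
    clients = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _CLIENT.match(line)
        if m:
            current = clients.setdefault(m.group(1).upper(), {
                "rx_pkts": 0, "tx_pkts": 0,
                "unknown_gw_dropped": 0, "non_gw_dropped": 0,
            })
            continue
        if current is None:
            continue  # ignore anything before the first client header
        m = _PKTS.match(line)
        if m:
            current["rx_pkts"], current["tx_pkts"] = int(m.group(1)), int(m.group(2))
            continue
        m = _UNKNOWN_GW.match(line)
        if m:
            current["unknown_gw_dropped"] = int(m.group(1))
            continue
        m = _NON_GW.match(line)
        if m:
            current["non_gw_dropped"] = int(m.group(1))
    return clients


def triage(clients: dict, min_non_gw_drops: int = 10) -> list:
    """List (mac, finding, count) tuples worth a closer look.

    gateway-unresolved : packets dropped because the gateway MAC was not determined
    non-gateway-traffic: packets dropped because they were not addressed to the gateway
    """
    findings = []
    for mac, c in sorted(clients.items()):
        if c["unknown_gw_dropped"] > 0:
            findings.append((mac, "gateway-unresolved", c["unknown_gw_dropped"]))
        if c["non_gw_dropped"] >= min_non_gw_drops:
            findings.append((mac, "non-gateway-traffic", c["non_gw_dropped"]))
    return findings


if __name__ == "__main__":
    for finding in triage(parse_station_isolation(SAMPLE_OUTPUT)):
        print(finding)
```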
Related Links
Station Isolation on page 81
ACLI reference:
AMDC(config-ap-profile)#ekahau ?
enable       Enable Ekahau tag support on this AP profile
server-ip    Configure Ekahau server IP address
server-port  Configure Ekahau server UDP port
Configure an Ekahau server IP address.
AMDC(config-ap-profile)#ekahau server-ip ?
A.B.C.D Ekahau server IP address
Configure the Ekahau server port.
AMDC(config-ap-profile)#ekahau server-port ?
<1024-65535> Ekahau server UDP port
Note that the Ekahau server UDP port range is 1024 to 65535.
Related Links
ACLI reference for the Wireless LAN (WLAN) 8100 on page 11
Enabling Ekahau RTLS support on an AP profile on page 84
Procedure
1. Create an AP profile named AP-Profile-1 with profile ID 2.
WC8180(config-wireless)#ap-profile 2
Creating ap-profile (id = 2) ...
WC8180(config-ap-profile)#profile-name AP-Profile-1
WC8180(config-ap-profile)#exit
Sample Output:
AP Profile Id: 2
Name                    : AP-Profile-1
Country Code            : IN
AP Model                : Avaya APs (AP8120/AP8120-E)
Is Default Profile?     : No
Ekahau Protocol Support : Disable
Ekahau Tag Blink Mode   : Disable
Ekahau Server IP        : 0.0.0.0
Ekahau Server UDP Port  : 8569
Status                  : Associated
Sample Output:
AP Profile Id: 2
Name                    : AP-Profile-1
Country Code            : IN
AP Model                : Avaya APs (AP8120/AP8120-E)
Is Default Profile?     : No
Ekahau Protocol Support : Enable
Ekahau Tag Blink Mode   : Enable
Ekahau Server IP        : 0.0.0.0
Ekahau Server UDP Port  : 8569
Status                  : Associated & modified
The following command resets the Ekahau server IP address to the default value 0.0.0.0.
WC8180(config-ap-profile)# default ekahau server ip
6. Use the following command to configure the Ekahau server UDP port.
In the following example, the server port is configured as 8000.
WC8180(config-ap-profile)#ekahau server-port 8000
The following command resets the Ekahau server port to the default value 8569.
WC8180(config-ap-profile)# default ekahau server port
This restores the default Ekahau support mode for the specified AP profile, that is, it disables
Ekahau support.
Related Links
Ekahau RTLS support on page 83
Wi-Fi Zoning
Wi-Fi Zoning enables you to control the physical region of connectivity around an access point (AP)
by using the received signal strength indicator (RSSI) measurements of a client's 802.11
transmission as an indicator of its distance from the access point (AP).
The primary use of this feature is to create Wi-Fi zones around an AP in a crowded Bring Your Own
Device (BYOD) deployment, such as in stadiums, hot-spots or trade-shows, to restrict the scale of
connectivity of wireless clients. A dense deployment can overwhelm a wireless network and affect
services for all users. Wi-Fi Zoning helps you reduce the service area around the AP, thereby
reducing the scale of users connecting to the system. It also helps improve the overall throughput of
your wireless deployment.
You can define two types of Wi-Fi zones around a domain AP, namely a Wi-Fi Association Zone and
a Wi-Fi Roaming Zone. The Wi-Fi association zone of an AP is the physical region around the AP
within which clients can associate to the wireless networks advertised by the AP. This zone is
configured by specifying an RSSI authentication threshold for the 802.11 authentication frames
received from the clients. If the authentication frames received from the clients are below the
configured threshold, the authentication request is rejected.
The Wi-Fi roaming zone is the physical region around the AP within which client devices can roam
without losing connectivity with the AP. The Wi-Fi roaming zone is configured by specifying an RSSI
drop threshold value for the 802.11 data transmissions received from the client. When this value is
configured, an AP samples the RSSI values for the upstream data transmission from the client. The
maximum value over 64 samples is compared against the configured drop threshold. When the
maximum value falls below the configured drop threshold, the client is explicitly de-authenticated
from the AP.
The WLAN 8100 solution supports configuration of Wi-Fi Zoning on a domain AP (in the domain AP
database) or using radio profiles. Configuration on a domain AP takes precedence over the
configuration specified using a radio profile, except in the case where the AP database is set for
auto-configuration (-100 dBm).
Important:
The allowed range for the Wi-Fi association zone and roaming zone thresholds is -99 to -1
dBm. The values 0 and -100 dBm are used to disable Wi-Fi Zoning and for auto-configuration
respectively. However, in the current release the value -100 dBm disables Wi-Fi zoning. Choose a
value depending on the physical distance between the APs and also the AP transmission
power.
When you configure the Wi-Fi association zone and roaming zone thresholds for an AP, always
ensure that the Wi-Fi association zone threshold is greater than or equal to the Wi-Fi roaming
zone threshold. For example, if the Wi-Fi association zone threshold value is -65 dBm, then
configure the Wi-Fi roaming zone with a threshold value of -80 dBm or -65 dBm.
The recommended range for optimal zoning is -90 dBm to -65 dBm.
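The association and roaming zone behavior and the threshold rules above can be modeled in a few lines. The following Python sketch is an added example, not the AP firmware's logic: the function and class names are hypothetical, and it assumes that the 64 RSSI samples form a sliding window of the most recent samples, which this guide does not specify.

```python
from collections import deque

WINDOW = 64                    # samples compared against the roaming (drop) threshold
RECOMMENDED = (-90, -65)       # recommended range for optimal zoning, in dBm
MIN_GAP_DB = 15                # job aid guidance: roam-zone at least 15 below assoc-zone


def zone_enabled(threshold: int) -> bool:
    """-99..-1 dBm enables zoning; 0 disables it and, in this release, so does -100."""
    return -99 <= threshold <= -1


def validate_zone_thresholds(assoc: int, roam: int):
    """Check an assoc-zone/roam-zone pair; return (errors, warnings)."""
    errors, warnings = [], []
    for name, value in (("assoc-zone", assoc), ("roam-zone", roam)):
        if not -100 <= value <= 0:
            errors.append(f"{name} {value} dBm is outside -100..0")
        elif not zone_enabled(value):
            warnings.append(f"{name} {value} dBm disables zoning in this release")
        elif not RECOMMENDED[0] <= value <= RECOMMENDED[1]:
            warnings.append(f"{name} {value} dBm is outside the recommended range")
    if zone_enabled(assoc) and zone_enabled(roam):
        if assoc < roam:
            errors.append("assoc-zone must be greater than or equal to roam-zone")
        elif assoc - roam < MIN_GAP_DB:
            warnings.append("roam-zone is less than 15 dBm below assoc-zone")
    return errors, warnings


def admit_authentication(frame_rssi: int, assoc: int) -> bool:
    """Association zone: reject 802.11 authentication frames below the threshold."""
    if not zone_enabled(assoc):
        return True
    return frame_rssi >= assoc


class RoamZoneMonitor:
    """Roaming zone: de-authenticate when the maximum of 64 samples is below the threshold."""

    def __init__(self, roam: int):
        self.roam = roam
        self.samples = deque(maxlen=WINDOW)   # assumption: sliding window

    def observe(self, rssi: int) -> bool:
        """Record one upstream data-frame RSSI; return True to de-authenticate."""
        self.samples.append(rssi)
        if not zone_enabled(self.roam) or len(self.samples) < WINDOW:
            return False
        return max(self.samples) < self.roam


if __name__ == "__main__":
    print(validate_zone_thresholds(-50, -70))   # thresholds used in the radio profile example
    monitor = RoamZoneMonitor(-70)
    decisions = [monitor.observe(-80) for _ in range(WINDOW)]
    print(decisions.index(True) + 1)            # sample number that triggers the drop
```

Because the maximum over the window is used, a single strong frame keeps the client associated until that sample ages out, which is why a brief fade does not drop a client.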
The following sections describe the configuration of Wi-Fi Zoning using the Avaya CLI.
Related Links
ACLI reference for the Wireless LAN (WLAN) 8100 on page 11
Configuring Wi-Fi Zoning Job Aid on page 88
Configuring Wi-Fi Zoning on an AP using a radio profile on page 90
Configuring Wi-Fi Zoning on a domain AP on page 92
Procedure
1. Plan the number of APs that need to be deployed in the Wi-Fi deployment zone. This
depends on the capacity requirement of your deployment.
2. Evenly distribute the APs in the Wi-Fi Association coverage zone. Ensure that the
Association Zones of neighboring APs (of each AP) overlap by about 30 to 40%.
3. Configure the Wi-Fi association zone threshold on an AP. Use the following tables as a
guide to configure appropriate association zone and roaming zone thresholds on the AP.
The values are tabulated based on sample client distances from the AP.
Table 1: Sample client RSSI values with respect to distance from the AP Operating
frequency 5 GHz
The following sample values are based on an FCC domain AP (model AP 8120) operating at 5.0 GHz
and on channel 44. The values are sampled in a 90% empty office floor, for an AP in a 10 feet high
ceiling mount position.
Distance  Ekahau 802.11n USB            IPAD-2
(ft)      SSI-Max (dBm)  SSI-AVG (dBm)  SSI-Max (dBm)  SSI-Avg (dBm)
          -54            -54            -48            -52
10        -58            -58            -54            -54
15        -58            -59            -57            -58
20        -59            -64            -55            -56
30        -57            -57            -58            -58
40        -60            -60            -58            -58
50        -62            -62            -61            -61
60        -64            -65            -63            -64
70        -64            -66            -62            -63
75        -65            -66            -66            -66
Table 2: Sample client RSSI values with respect to distance from the AP Operating
frequency 2.4 GHz
The following sample values are based on an FCC domain AP (model AP 8120) operating at 2.4 GHz
and on channel 8. The values are sampled in a 90% empty office floor, for an AP in a 10 feet high
ceiling mount position.
IPAD-Mini
IPAD-2
Distance  SSI-MAX  SSI-AVG  SSI-MAX  SSI-AVG  SSI-MAX  SSI-AVG
(ft)      (dBm)    (dBm)    (dBm)    (dBm)    (dBm)    (dBm)
          -34      -38      -42      -47      -49      -49
10        -35      -36      -46      -47      -43      -43
15        -35      -35      -45      -47      -49      -49
20        -37      -38      -51      -55      -48      -48
30        -44      -44      -51      -54      -53      -53
40        -46      -47      -53      -55      -54      -54
50        -47      -47      -64      -66      -56      -56
60        -49      -50      -58      -62      -56      -56
70        -46      -46      -56      -61      -57      -58
75        -54      -54      -53      -57      -61      -61
4. Configure the Roaming zone threshold on each AP, such that the roaming zones of the APs
overlap by about 60 to 80%. Configure the Roaming Zone threshold using the tables in Step
4.
Important:
Ensure that you configure the roaming zone threshold to be at least 15 dBm below the
association zone threshold. Also ensure that the roaming zone for an AP overlaps the
association zone of its neighboring AP.
5. Verify the roaming behavior of the clients within the association zone.
6. Verify the roaming behavior of clients at the edge of the association zone.
7. Tune the AP power settings using the following commands:
WC8180#wireless ap ?
Action commands for a managed AP
channel       Change radio channel on a managed AP
image-update  Update image on a managed AP
power         Change radio transmit power on a managed AP
reset         Reset a managed AP
tech-dump     Request AP tech-dump
Related Links
Wi-Fi Zoning on page 86
Procedure
1. Create a radio profile named rp_WiFiZone with profile ID 20.
WC8180(config-wireless)#radio-profile 20
access-wids   Create a radio profile with access-wids operation mode
ap-model      Hardware model
country-code  Create a radio profile with a country code
wids-wips     Create a radio profile with wids-wips operation mode
Entering radio-profile (id = 20) configuration mode...
WC8180(config-radio-profile)#
WC8180(config-wireless)#radio-profile 20 ap-model ap8120/E country-code US access-wids a-n
Note:
Auto tune the locked channel and power of the radio profile, by configuring the channel
and power in auto mode in domain AP database.
2. Verify creation of the radio profile.
WC8180(config-radio-profile)#show wireless radio-profile 20
Sample Output:
------------------------------------------------------------
Id  Profile Name  AP        802.11     Operation    Auto
                  Model     Mode       Mode         Ch.
--  ------------  --------  ---------  -----------  ----
20  rp_WifiZone   AP8120/E  802.11a/n  access-wids  Yes
------------------------------------------------------------
3. Configure the Wi-Fi Association and Roaming Zone RSSI thresholds. Specify values of -50
dBm and -70 dBm for the Association Zone and Roaming Zone thresholds, respectively.
Important:
The allowed range for the Wi-Fi Association Zone and Roaming Zone thresholds is -99
to -1 dBm. The values 0 and -100 dBm are used to disable Wi-Fi Zoning and for
auto-configuration respectively. However, in the current release the value -100 dBm disables
Wi-Fi zoning.
Also, ensure that the Association Zone threshold is always greater than or equal to the
Roaming Zone threshold. The recommended range for optimal zoning is -90 dBm to
-65 dBm.
WC8180(config-radio-profile)#assoc-zone ?
<-100 - 0> Enter the RSSI value in dBM. 0(Disabled), -1 to -99, -100(Auto)
WC8180(config-radio-profile)#assoc-zone -50
WC8180(config-radio-profile)#roam-zone ?
<-100 - 0> Enter the RSSI value in dBM. 0(Disabled), -1 to -99, -100(Auto)
WC8180(config-radio-profile)#roam-zone -70
4. Verify Wi-Fi Association Zone and Roaming Zone thresholds configuration on the radio
profile in detail.
WC8180#show wireless radio-profile 20 detail
Sample Output:
Radio Profile Id: 20
Name                                    : rp_WifiZone
Configuration Model                     : AP8120/E
Country Code                            : US
Operation Mode                          : access-wids
IEEE 802.11 Mode                        : 802.11a/n
RF Scan - Duration                      : 10 msec
RF Scan - Other Channels                : Yes
RF Scan - Other Channels Scan Interval  : 60 sec
Broadcast/Multicast Rate Limiting       : Disabled
Broadcast/Multicast Rate Limit (Normal) : 50 pkts/sec
Broadcast/Multicast Rate Limit (Burst)  : 75 pkts/sec
Beacon Interval                         : 100 msec
DTIM Period                             : 3
Fragmentation Threshold                 : 2346
RTS Threshold                           : 2347
Short Retry Limit                       : 7
Long Retry Limit                        : 4
Max Transmit Lifetime                   : 512 msec
Max Receive Lifetime                    : 512 msec
Max Clients                             : 200
Auto Channel Adjustment Mode            : Yes
Auto Power Adjustment Mode              : Yes
Auto Power Minimum                      : 40 %
Non-Auto Transmit Power                 : 80 %
WMM(Wi-Fi Multimedia Mode)              : Enabled
Band Steering Mode                      : Disabled
Load Balancing Mode                     : Disabled
Load Balance Utilization Start          : 30 %
Load Balance Utilization Threshold      : 60 %
Channel Bandwidth                       : 40 MHz
Primary Channel                         : Lower
802.11n Protection Mode                 : Auto
SGI(Short Guard Interval)               : Enabled
STBC(Space Time Block Code) Mode        : Enabled
Multicast Transmit Rate                 : Auto
:
:
:
:
:
Enabled
Disabled
Enabled
-50 (dBm)
-70 (dBm)
Related Links
Wi-Fi Zoning on page 86
Procedure
1. Configure domain AP radio profile parameter.
WC8180(config-domain-ap)#radio ?
<1-2> Radio Interface
WC8180(config-domain-ap)#radio 1 ?
admin-enable  Configure the radio admin mode enable
antenna       Select antenna type for the specified radio
assoc-zone    Configure association RSSI threshold
channel       Configure channel setting for the specified radio
ext-cable     Select extension cable type for the specified radio
power         Configure power setting for the specified radio
roam-zone     Configure dissociation RSSI threshold
2. Configure threshold values for the Wi-Fi association zone and roaming zone.
The following example assigns threshold values of -50 dBm and -65 dBm to the association
zone and roaming zone respectively, on radio 1.
WC8180(config-domain-ap)#radio 1 assoc-zone -50
WC8180(config-domain-ap)#radio 1 roam-zone -65
Model                : AP8120
Country Code         : US
Serial Number        : LBNNTMJXAC019M
Profile ID           : 1
Preferred Controller : 0.0.0.0
Alternate Controller : 0.0.0.0
Location
  Campus           :
  Building         :
  Floor            :
  Sector           :
Radio 1
  Channel          : Automatic Adjustment
  Power            : Automatic Adjustment
  External Antenna : N/A
  Extension Cable  : N/A
  Assoc-zone       : -50 dBm
  Roam-zone        : -65 dBm
  Admin-Enable     : True
Radio 2
  Channel          : Automatic Adjustment
  Power            : Automatic Adjustment
  External Antenna : N/A
  Extension Cable  : N/A
  Assoc-zone       : Auto
  Roam-zone        : Auto
  Admin-Enable     : True
-------------------------------------------------------
Related Links
Wi-Fi Zoning on page 86
The following example of ACLI reference describes Bonjour Gateway enablement using the Avaya
CLI.
WC8180(config-wireless)# multicast-DNS ?
<cr> Enter the configuration mode of mDNS
WC8180(config-mDNS)# ?
mDNS-relay            Enable relay of mDNS traffic across VLANs
scan-list             Configure mobility VLANs where the mDNS traffic should be relayed
filter-rule           Configure filter rules to filter the services in the mDNS packets.
location-based-relay  Enable location based relay
exit                  exit the mode
Related Links
ACLI reference for the Wireless LAN (WLAN) 8100 on page 11
Configuring multicast DNS relay mode on page 94
Configuring Scan-list on page 95
Configuring Filter-rule on page 96
Configuring Location-based-relay on page 97
Managing multicast VLAN Gateway election on page 98
Viewing Bonjour Gateway configuration statistics on page 98
Procedure
1. Enable mDNS relay across the VLANs.
WC8180(config-mDNS)# mDNS-relay enable
Related Links
Bonjour Gateway Support on page 93
Configuring Scan-list
About this task
Use this procedure to configure required mobility VLANs under Scan-list and to enable relaying of
multicast DNS traffic across these MVLANs.
Procedure
Configure the required mobility VLANs for Scan-list configuration.
WC8180(config-mDNS)# scan-list <mobility-VLAN name>
<cr> Enter to execute command
exit To exit from the mode
Example
Sample Scan-list configuration using the CLI:
1. Configure mobility VLAN default-MVLAN and MV-mDNS under scan-list. Execute the
following command:
WC8180(config-mDNS)# scan-list default-MVLAN
WC8180(config-mDNS)# scan-list MV-mDNS
--------------------------------
default-MVLAN
MV-mDNS
--------------------------------
Related Links
Bonjour Gateway Support on page 93
Configuring Filter-rule
Filter-rule allows you to define only those mDNS services that can be relayed across or within the
networks. Filter-rule can either be a UDP protocol or TCP protocol. You can configure allow or
deny parameters for the Filter-rule.
You can configure up to 25 filter rules out of which nine rules are configured by default.
Default Filter-rules
The following table describes the list of system generated default Filter-rules.
Filter-rule Name        Reg-ex        Permit State
Default_airplay         airplay       enable
Default_airprint        airprint      enable
Default_raop            raop          enable
Default_afpovertcp      afp           disable
Default_appletv         appletv       disable
Default_appletv-itunes  itunes        disable
Default_appletv-pair    appletv-pair  disable
Default_dacp            dacp          disable
Default_ipp             ipp           disable
Note:
By default, Filter-rules airplay, airprint, and raop are in enable state and the remaining are in
disabled state.
Procedure
1. Configure a new Filter-rule and execute the following command:
WC8180(config-mDNS)# filter-rule <filter-rule name> <service-name string> protocol
<protocolStr> <allow|deny> <cr>
Note:
By default, all new user defined Filter-rule are in enable state.
2. Use this command to enable an existing filter-rule.
WC8180(config-mDNS)# filter-rule <filter-rule name> state <enable>
Verify enablement:
WC8180#show wire multicast-dNS filter-rule
Example
Execute the following command to configure a new filter-rule name samba with protocol type
udp.
WC8180(config-mDNS)#filter-rule samba smb protocol udp allow
Verify enablement:
WC8180#show wire multicast-dNS filter-rule
-------------------------------------------------------
Filter-rule Name : default_airplay
Service Name     : airplay
Protocol         : any
Mode             : allow
Status           : Enabled
Type             : System Defined
-------------------------------------------------------
Related Links
Bonjour Gateway Support on page 93
Configuring Location-based-relay
Before you begin
Configure the location (campus, building, floor and sector) parameters in the AP database, see
Configuring domain AP parameters on page 100 for more details.
Procedure
1. Enable Location-based-relay.
WC8180(config-mDNS)# location-based-relay enable
Related Links
Bonjour Gateway Support on page 93
Procedure
1. Configure mobility VLANs. Execute the following command for configuring mobility VLAN
name default-MVLAN and MV-mDNS.
Example :
WC8180(config-wireless)#switch vlan-map default-MVLAN lvid 70 l3-mobility server weight 9
WC8180(config-wireless)#switch vlan-map MV-mDNS lvid 90 l3-mobility server weight 7
2. Verify if the switch is serving as mDNS gateway for the mapped VLAN.
Use the show wireless switch vlan-map command to display the mDNS gateway
information of the corresponding switch.
Example:
WC8180#show wireless switch vlan-map
--------------------------------------------------------------------------
Mobility VLAN Name      LVID   State   Role    WCP-V  Admin   mDNS
                                                      Mapped  GW
----------------------- ------ ------- ------- ------ ------- -----
MV-mDNS                 90     Active  Server  Yes    Yes     No
default-MVLAN           70     Active  Server  Yes    Yes     Yes
--------------------------------------------------------------------------
Total Number of Mobility VLANs = 2
The mobility VLAN default-MVLAN is elected as the mDNS Gateway because its weight is
greater than the weight of the other mobility VLAN.
Related Links
Bonjour Gateway Support on page 93
Procedure
1. Use the command WC8180 # show wireless switch multicast-DNS statistics
to view the multicast DNS statistics for a mobility switch.
Sample Output:
WC8180#show wireless switch multicast-DNS statistics
mDNS Packets Relayed                        : 79275
mDNS Packets Received                       : 79142
mDNS Packets matched Filter                 : 0
mDNS Packets exceeding Path-MTU             : 122
mDNS Dropped due to filter mismatch packets : 37925
2. Use the command WC8180 # show wireless ap statistics detail to view the AP
statistics detail for an AP that is in a managed state.
Example: AP statistics detail for AP MAC address 00:1B:4F:6C:1B:A0.
Sample Output:
WC8180#show wireless ap statistics detail
AP MAC Address                      :00:1B:4F:6C:1B:A0
                                     Receive       Transmit
                                     ------------------------
Packets:                             42068         148372
Bytes:                               10119177      20619686
Packets Dropped:                     NA            0
Bytes Dropped:                       10081436      0
Ethernet Packet:                     339389        382797
Ethernet Bytes:                      45628929      142925278
Ethernet Multicast Packets:          21591         21591
Ethernet Error Count:                0             0
L2 tunnel Bytes:                     11537309      9192182
L2 tunnel Packets:                   105424        20096
L2 tunnel Multicast:                 25093         13707
ARP Requests From Bcast to Ucast:    154
Filtered ARP Requests:               48682
Broadcasted ARP Requests:            20016
mDNS Filter Mismatch Drop Count:     361
mDNS Fragmented packet Drop Count:   670
mDNS Location Mismatch Drop Count:   0
Related Links
Bonjour Gateway Support on page 93
Domain AP configuration
Use the following procedures to configure domain APs.
Related Links
ACLI reference for the Wireless LAN (WLAN) 8100 on page 11
Configuring domain AP parameters on page 100
Enabling or disabling radios on a domain AP on page 102
Saving AP radio channel and power configuration to the domain AP database on page 104
LED management on a domain AP on page 108
Configuring and verifying the LED state on a domain AP on page 108
Procedure
1. Enter the wireless configuration mode of the controller:
WC8180#conf t
Enter configuration commands, one per line.
WC8180(config)#wireless
WC8180(config-wireless)#
3. Enter the domain AP configuration mode for the AP whose parameters you want to modify,
using the following command:
In the following example, 00:1B:4F:69:E7:80 is the MAC address of the domain AP
whose parameters you want to modify.
WC8180(config-wireless)# domain ap 00:1B:4F:69:E7:80
Entering domain AP (mac = 00:1B:4F:69:E7:80) configuration mode...
4. Configure the appropriate parameters on the domain AP, using the following commands:
WC8180(config-domain-ap)#?
Configure Domain AP parameters
alternate-controller  Configure alternate wireless controller
default               Set a command to its default values
end                   End configuration mode
exit                  Exit from domain AP configuration mode
label                 Configure AP Label
led-state             Configure the operating state of LEDs on the AP
location              Configure AP Location
model                 Configure AP Model
no                    Delete Domain AP configurations
preferred-controller  Configure preferred wireless controller
profile-id            Assign AP Profile ID used for AP configuration
radio                 Configure radio channel / power / antenna / cable
                      settings
Configure an AP profile.
WC8180(config-domain-ap)#profile-id ?
<1-32> AP Profile ID
antenna
assoc-zone
channel
ext-cable
power
roam-zone
Related Links
Domain AP configuration on page 100
Procedure
1. View the managed APs in the domain.
WC8180#show wireless domain ap database
Total number of entries in AP database = 3
--------------------------------------------------------
                  Profile/ Radio 1 Radio 2 Preferred
AP MAC            Country  Channel Channel WC
----------------- -------- ------- ------- -------------
00:1B:4F:69:F4:20 1/IN     44      Auto    192.168.14.11
00:1B:4F:6A:05:00 2/IN     44      6       192.168.14.13
00:1B:4F:6B:E3:E0 1/IN     Auto    Auto    192.168.14.11
--------------------------------------------------------
2. View the current domain AP configuration for the AP. In the following example we select an
AP with MAC address 00:1B:4F:6A:05:00.
View the domain AP configuration for the AP.
WC8180#show wireless domain ap database 00:1B:4F:6A:05:00
------------------------------------------------------
                  Profile/ Radio 1 Radio 2 Preferred
AP MAC            Country  Channel Channel WC
----------------- -------- ------- ------- -------------
00:1B:4F:6A:05:00 1/IN     44      Auto    192.168.14.11
------------------------------------------------------
Total number of entries in AP database = 1
View the AP configuration in detail. Note that the Admin-Enable is set to False on
both Radio 1 and Radio 2.
WC8180#show wireless domain ap database 00:1B:4F:6A:05:00 detail
------------------------------------------------------
AP MAC               : 00:1B:4F:6A:05:00
Label                :
Model                : AP8120
Country Code         : IN
Serial Number        : LBNNTMJXAD0830
Profile ID           : 1
Preferred Controller : 192.168.14.11
Alternate Controller : 0.0.0.0
Location
    Campus           :
    Building         :
    Floor            :
    Sector           :
Radio 1
    Channel          : 44
    Power            : 80
    External Antenna : N/A
    Extension Cable  : N/A
    Assoc-zone       : Auto
    Roam-zone        : Auto
    Admin-Enable     : False
Radio 2
    Channel          : Automatic Adjustment
    Power            : Automatic Adjustment
    External Antenna : N/A
    Extension Cable  : N/A
    Assoc-zone       : Auto
    Roam-zone        : Auto
    Admin-Enable     : False
------------------------------------------------------
Total number of entries in AP database = 1
3. Configure the Admin-Enable mode for Radio 1 of the AP with MAC address
00:1B:4F:6A:05:00. Ensure that you are in the domain AP configuration mode of the CLI.
CLI reference:
WC8180(config-domain-ap)#radio 1 ?
admin-enable  Configure the radio admin mode enable
antenna       Select antenna type for the specified radio
assoc-zone    Configure association RSSI threshold
channel       Configure channel setting for the specified radio
ext-cable     Select extension cable type for the specified radio
power         Configure power setting for the specified radio
roam-zone     Configure dissociation RSSI threshold
5. Verify that Radio 1 is enabled on the AP, that is Admin-Enable is set to True.
WC8180(config-domain-ap)#show wireless domain ap database 00:1B:4F:6A:05:00 detail
------------------------------------------------------
AP MAC               : 00:1B:4F:6A:05:00
Label                :
Model                : AP8120-E
Country Code         : IN
Serial Number        : 11JX192F0039
Profile ID           : 5
Preferred Controller : 0.0.0.0
Alternate Controller : 0.0.0.0
Location
    Campus           :
    Building         :
    Floor            :
    Sector           :
Radio 1
    Channel          : 36
    Power            : Automatic Adjustment
    External Antenna : WL81AT070E6
    Extension Cable  : 3-ft
    Assoc-zone       : Auto
    Roam-zone        : Auto
    Admin-Enable     : True
Radio 2
    Channel          : 5
    Power            : Automatic Adjustment
    External Antenna : WL81AT070E6
    Extension Cable  : 3-ft
    Assoc-zone       : Auto
    Roam-zone        : Auto
    Admin-Enable     : False
Related Links
Domain AP configuration on page 100
Procedure
1. View the managed APs in the domain.
WC8180#show wireless domain ap database
Total number of entries in AP database = 2
--------------------------------------------------------
                  Profile/ Radio 1 Radio 2 Preferred
AP MAC            Country  Channel Channel WC
----------------- -------- ------- ------- -------------
00:1B:4F:69:F4:20 1/IN     Auto    Auto    192.168.14.11
00:1B:4F:6A:05:00 2/IN     Auto    Auto    192.168.14.13
--------------------------------------------------------
In the following example we save the channel configuration of the AP with MAC address
00:1B:4F:6A:05:00, to the domain AP database.
a. View the current channel configuration of the AP.
WC8180#show wireless domain ap database 00:1B:4F:6A:05:00
---------------------------------------------------------
                  Profile/ Radio 1 Radio 2 Preferred
AP MAC            Country  Channel Channel WC
----------------- -------- ------- ------- --------------
00:1B:4F:6A:05:00 10/CN    Auto    Auto    192.168.14.11
---------------------------------------------------------
Total number of entries in AP database = 1
Observe that the channel setting for both radios on 00:1B:4F:6A:05:00 is auto and
the radios are operating on channels 157 and 6.
(Optional) View the AP radio status in detail.
WC8180#show wireless ap radio status 00:1B:4F:6A:05:00 detail
AP (mac=00:1B:4F:6A:05:00)
Radio 1 (mac=00:1B:4F:6A:05:00) -- Operation: On
    Operation Mode             : Access WIDS
    802.11 Mode                : 802.11a/n
    Channel
      Assignment Policy        : Fixed
      Bandwidth                : 40MHz
      Current Channel          : auto
      Manual Adjustment        : Complete
    Transmit Power
      Assignment Policy        : Fixed
      Current Power            : 99 %
      Manual Adjustment        : None
    Radio Resource Measurement : Enabled
    Total Neighbors            : 5
    Authenticated Clients      : 0
    WLAN Utilization           : 5 %
    Antenna                    : None
    Extension Cable            : None
    Radio Oper-Down Reason     : None
Radio 2 (mac=00:1B:4F:6A:05:00) -- Operation: On
    Operation Mode             : Access WIDS
    802.11 Mode                : 802.11b/g/n
    Channel
      Assignment Policy        : Fixed
      Bandwidth                : 20MHz
      Current Channel          : Auto
      Manual Adjustment        : Complete
    Transmit Power
      Assignment Policy        : Fixed
      Current Power            : 99 %
      Manual Adjustment        : None
    Radio Resource Measurement : Enabled
    Total Neighbors            : 116
    Authenticated Clients      : 100
    WLAN Utilization           : 10 %
    Antenna                    : None
    Extension Cable            : None
    Radio Oper-Down Reason     : None
Use the following command to save the AP channel configuration (on both radios) to the
domain AP database. When prompted, enter y to confirm.
WC8180#wireless ap channel 00:1B:4F:6A:05:00 1 save-to-db
WARNING: This AP will be programmed to operate on fixed channel and Auto-RF
will not tune the channel in future.
Do you want to continue (y/n) ? y
WC8180#wireless ap channel 00:1B:4F:6A:05:00 2 save-to-db
WARNING: This AP will be programmed to operate on fixed channel and Auto-RF
will not tune the channel in future.
Do you want to continue (y/n) ? y
Use the following command to save the AP power configuration (on both radios) to the
domain AP database.
WC8180#wireless ap power 00:1B:4F:6A:05:00 1 save-to-db
WC8180#wireless ap power 00:1B:4F:6A:05:00 2 save-to-db
Note:
Prior releases of WLAN 8100 required a reset of the AP when domain AP changes
were made. From release 2.1 onwards, you do not need to perform an AP reset.
Instead, perform controller synchronization to apply the changes to the AP.
e. View the domain AP database to verify the update.
Observe that the channels are now fixed at 157 and 6 and the power is fixed at 99
for the AP with MAC address 00:1B:4F:6A:05:00.
WC8180#show wireless domain ap database
Total number of entries in AP database = 2
a. Execute the following commands to save channel and power configuration to all APs in
the domain.
Save channel configuration to all APs in the domain:
WC8180#wireless domain ap save-to-db channel
WARNING: All APs in the domain will be programmed to operate on fixed channel
and Auto-RF will not tune the channel in future.
Do you want to continue (y/n) ? y
WC8180#
Related Links
Domain AP configuration on page 100
Procedure
1. Enter the domain AP configuration mode of the AP with MAC address
58:16:26:AC:75:60.
WC8180(config)#wireless
WC8180(config-wireless)#domain ap 58:16:26:AC:75:60
Entering domain AP (mac = 58:16:26:AC:75:60) configuration mode...
Important:
In earlier releases of the WLAN 8100, configuration changes made to the domain AP
database required a manual AP reset for the changes to take effect. From release 2.1
onwards, the wireless controller config-sync operation synchronizes configuration
changes across the domain, and an AP reset is not required.
WC8180#wireless controller config-sync
4. Verify that the LEDs are turned off on the domain AP.
WC8180#show wireless domain ap database 58:16:26:AC:75:60 detail
Sample Output:
------------------------------------------------------
AP MAC               : 58:16:26:AC:75:60
Label                :
Model                : AP8120-E
Country Code         : VE
Serial Number        : 11JX192F001P
Profile ID           : 13
Preferred Controller : 192.168.11.3
Alternate Controller : 0.0.0.0
LED-State            : off
Location
    Campus           :
    Building         :
    Floor            :
    Sector           :
Radio 1
    Channel          : 36
    Power            : 60
    External Antenna : WL81AT070E6
    Extension Cable  : 3-ft
    Assoc-zone       : Auto
    Roam-zone        : Auto
    Admin-Enable     : True
Radio 2
    Channel          : 11
    Power            : 60
    External Antenna : WL81AT070E6
    Extension Cable  : 3-ft
    Assoc-zone       : Auto
    Roam-zone        : Auto
    Admin-Enable     : True
------------------------------------------------------
Total number of entries in AP database = 1
Sample Output:
--------------------------------------------------------------
AP (MAC=58:16:26:AC:75:60)
IP Address                    : 172.16.8.13
Status                        : Managed
WC Assignment-Method          : Least-Load
AP Label                      :
Hardware Type                 : Avaya AP8120-E
Software Version              : 2.1.0.088
Serial Number                 : 11JX192F001P
Location                      :
Country Code                  : VE
Band Plan                     : APL1
Locale                        : VE/0
Age (since last update)       : 0d:00:00:01
System Up Time                : 0d:19:14:07
Discovery Reason              : Controller IP via DHCP
Managing Controller           : Local Controller
WC System IP Address          : 192.168.11.4
WC Managed Time               : 0d:01:01:09
Profile Id                    : 13
Profile Name                  : VE
Configuration Apply Status    : Success
Authenticated Clients         : 0
Configuration Failure Error   :
Reset status                  : Not Started
Code Download Status          : Not Started
Image Upgrade Needed          : No
Ap Techdump Status            : Not Started
Hardware Version              : R01
AP port speed and duplex mode : FullDuplex1000
AP LED Status                 : LED-OFF
--------------------------------------------------------------
Sample Output:
------------------------------------------------------
AP MAC               : 58:16:26:AC:75:60
Label                :
Model                : AP8120-E
Country Code         : VE
Serial Number        : 11JX192F001P
Profile ID           : 13
Preferred Controller : 192.168.11.3
Alternate Controller : 0.0.0.0
LED-State            : Normal(On)
Location
    Campus           :
    Building         :
    Floor            :
    Sector           :
Radio 1
    Channel          : 36
    Power            : 60
    External Antenna : WL81AT070E6
    Extension Cable  : 3-ft
    Assoc-zone       : Auto
    Roam-zone        : Auto
    Admin-Enable     : True
Radio 2
    Channel          : 11
    Power            : 60
    External Antenna : WL81AT070E6
    Extension Cable  : 3-ft
    Assoc-zone       : Auto
    Roam-zone        : Auto
    Admin-Enable     : True
------------------------------------------------------
Total number of entries in AP database = 1
Sample Output:
--------------------------------------------------------------
AP (MAC=58:16:26:AC:75:60)
IP Address                    : 172.16.8.13
Status                        : Managed
WC Assignment-Method          : Least-Load
AP Label                      :
Hardware Type                 : Avaya AP8120-E
Software Version              : 2.1.0.088
Serial Number                 : 11JX192F001P
Location                      :
Country Code                  : VE
Band Plan                     : APL1
Locale                        : VE/0
Age (since last update)       : 0d:00:00:01
System Up Time                : 0d:19:14:07
Discovery Reason              : Controller IP via DHCP
Managing Controller           : Local Controller
WC System IP Address          : 192.168.11.4
WC Managed Time               : 0d:01:01:09
Profile Id                    : 13
Profile Name                  : VE
Configuration Apply Status    : Success
Authenticated Clients         : 0
Configuration Failure Error   :
Reset status                  : Not Started
Code Download Status          : Not Started
Image Upgrade Needed          : No
Ap Techdump Status            : Not Started
Hardware Version              : R01
AP port speed and duplex mode : FullDuplex1000
AP LED Status                 : LED-ON
--------------------------------------------------------------
Related Links
Domain AP configuration on page 100
specifies the configuration elements for the WIDS/WIPS feature. This includes the rogue
classification criterion, known AP database and rogue AP database.
Related Links
ACLI reference for the Wireless LAN (WLAN) 8100 on page 11
Configuring profiles to aid AP/client threat detection and mitigation on page 112
Configuring WIDS-WIPS on page 113
Verifying configuration of WIDS-WIPS on page 119
Procedure
1. Use the following example commands to create radio profiles.
The following examples use the country code as US when creating the radio profiles.
Create an Access a-n radio profile.
#radio-profile 3 country-code US access-wids a-n
profile-name access-an
exit
Use the following sample sequence of commands to create an AP Profile in the Access-wids
mode. This AP profile, when applied to an AP, serves wireless clients and detects rogues.
ap-profile 2 country-code US
profile-name access-abgn
radio 1 enable
radio 2 enable
radio 1 profile-id 3
radio 2 profile-id 4
exit
4. In the following configuration, one of the radios is configured to provide data service for
clients in either the 5GHz band (e.g., 802.11n and 802.11a) or the 2.4GHz band (e.g.,
802.11n and 802.11b/g) and the other dual band radio exclusively performs the WIDS/WIPS
functionality. The advantage of this mode is that the WIDS/WIPS functionality is not slowed
down by data services, because it runs on its own radio.
Use the following sample sequence of commands to create an AP Profile in the Mixed
Mode. This AP profile when applied to an AP serves clients and also detects and mitigates
rogues.
ap-profile 5 country-code US
profile-name mixed
radio 1 enable
radio 2 enable
radio 1 profile-id 7
radio 2 profile-id 4
exit
Related Links
Wireless security WIDS-WIPS configuration and management on page 111
Configuring WIDS-WIPS
CLI Reference:
WCP8180(config-security)#wids ?
Configure Wireless Intrusion Detection
ageout        Configure WIDS ageout timers
known-ap      Create/Modify an AP known to WIDS.
rogue-ap
rogue-client
WCP8180(config-security)#wips ?
Configure Wireless Intrusion Protection
mitigation Configure Threat Mitigation
For example:
WC8180(config-wireless)#radio-profile 1
Entering radio-profile (id = 1) configuration mode...
WC8180(config-radio-profile)#
Procedure
1. Enable detection of Rogue AP threats.
Use one of the following command options to enable detection of specific Rogue AP threats.
WCP8180(config-security)#wids rogue-ap threat ?
fake-ap-on-invalid-channel          Fake AP operating on illegal channel
illegal-channel                     AP operating on illegal channel
invalid-ssid-from-managed-ap        Managed AP using invalid SSID
known-standalone-ap-cfgerr          Standalone AP with unexpected
                                    configuration
managed-ssid-rcvd-from-fake-ap      Fake AP detected with managed SSID
managed-ssid-rcvd-from-unknown-ap   Unknown AP using managed SSID
managed-ssid-with-invalid-security  AP using invalid security on managed SSID
no-ssid-rcvd-from-ap                AP with no SSID
unexpected-wids-device              Unexpected WDS device
unmanaged-ap-on-wired-net           Unmanaged AP detected on wired network
Use the following command to disable detection of a specific rogue AP threat. For example,
the following command disables the detection of the illegal-channel rogue AP threat.
WCP8180(config-security)#no wids rogue-ap threat illegal-channel
Use the following command to set the default for a specific rogue AP threat. Detection of a
threat is enabled by default.
For example, the following command sets the default for the illegal-channel threat,
which is to enable its detection.
WCP8180(config-security)#default wids rogue-ap threat illegal-channel
Use the following commands to configure options within the auth-failure threat.
WCP8180(config-security)# wids rogue-client threat auth-failure ?
threshold Set authentication failure threshold
<cr>
Use the following commands to configure options within the auth-req-rate threat.
WCP8180(config-security)# wids rogue-client threat auth-req-rate ?
interval  Set interval for calculating rate
threshold Set threshold for calculating rate
<cr>
Use the following commands to configure options within the deauth-req-rate threat.
WCP8180(config-security)# wids rogue-client threat deauth-req-rate ?
interval  Set interval for calculating rate
threshold Set threshold for calculating rate
<cr>
Use the following commands to configure options within the probe-req-rate threat.
WCP8180(config-security)# wids rogue-client threat probe-req-rate ?
interval  Set interval for calculating rate
threshold Set threshold for calculating rate
<cr>
Use the following command to disable detection of a specific client threat, for example the
assoc-unknown-ap threat.
WCP8180(config-security)#no wids client threat assoc-unknown-ap
Use the following command to set the default for a specific client threat. Detection of a threat
is enabled by default.
For example, the following command sets the default for the auth-req-rate threat, which
is to enable its detection.
WCP8180(config-security)#default wids client threat auth-req-rate
Use one of the following commands to set the defaults for AP/client threat mitigation.
WCP8180(config-security)#default wips mitigation
WCP8180(config-security)#default wips mitigation ap-threat
WCP8180(config-security)#default wips mitigation client-threat
Also, ensure that you do not configure SSIDs that differ only in their case. For example,
do not configure the SSIDs avaya-demo and AVAYA-DEMO within the same network.
WCP8180(config-security)#wids known-ap 00:88:99:66:66:88 ssid ?
WORD an alphanumeric string, 1-32 chars
Use the following command options to configure the WDS mode for a known AP.
WCP8180(config-security)#wids known-ap 00:88:99:66:66:88 wds-mode ?
any     Operation as a bridge or in normal mode
bridge  Operation as a bridge only
normal  Operation in normal mode only
Use the following command options to configure the Wired mode for a known AP.
WCP8180(config-security)#wids known-ap 00:88:99:66:66:88 wired-mode ?
allowed      AP is allowed to be on the wired network
not-allowed  AP is not allowed on the wired network
ageout
ageout
ageout
ageout
ageout
?
for
for
for
for
Acknowledge a specific Rogue client (by specifying its MAC address) or all Rogue Clients.
WCP8180(config-security)#wids rogue-client ack ?
all    All rogue clients
H.H.H  MAC Address of specific rogue client
Use the following commands to enable other channel scan and set the scan interval in a
radio profile.
WCP8180(config-radio-profile)#scan-other-channel
WCP8180(config-radio-profile)#scan-other-channel-interval
Note:
To disable a scan option, prefix the command with no.
Related Links
Wireless security WIDS-WIPS configuration and management on page 111
Procedure
1. Verify RF scan configuration using the following command.
Show wireless security wids-wips rf-scan
Sample output:
WCP8180#show wireless security wids-wips rf-scan
Domain Role        :Active MDC
Total Rogue APs    :6
Total Unknown APs  :93
Detected AP MAC   SSID             Ch  Status   Mitigation LastSeen
----------------- ---------------- --- -------- ---------- ------------
00:02:6F:14:30:10 CP-User-OAP      1   Unknown  NotRogue   0d:22:48:33
00:02:6F:BD:94:70 Dinesh-OAP-Test  11  Unknown  NotRogue   0d:00:00:29
00:02:6F:BD:94:B0 user-db-test.17  8   Unknown  NotRogue   0d:00:01:48
00:02:6F:BD:95:20 test123          11  Unknown  NotRogue   0d:00:00:29
Sample output:
WCP8180#show wireless security wids-wips detected-clients
Domain Role             :Active MDC
Total Rogue Clients     :0
Total Detected Clients  :116
Detected          Client                     RSSI       Last
Client MAC        Status        Det Mit Ch   (%)  Sig   Update
----------------- ------------- --- --- ---  ---- ----  ------------
00:0F:CB:FB:55:2C detected      Y   N   2    63   -46   0d:00:00:02
00:14:D1:79:AB:A4 detected      Y   N   2    57   -50   0d:00:00:02
00:17:C4:08:AC:86 detected      Y   N   2    18   -78   0d:00:00:02
00:17:C4:08:F0:45 detected      Y   N   2    18   -78   0d:00:00:02
Sample output:
WCP8180#show wireless security wids-wips known-ap
Total number of known APs = 2
------------------------------------------------------------------
                                  Expected Expected Expected
AP MAC            AP Type         Channel  Security SSID
----------------- --------------- -------- -------- ----------
00:13:13:13:13:13 LocalEnterprise Auto     Any
00:88:87:99:77:66 LocalEnterprise Auto     Any
------------------------------------------------------------------
4. Verify configuration for the detection of Rogue APs and Rogue clients using the following
commands.
Show wireless security wids-wips rogue-ap-control
Sample Output:
WCP8180#show wireless security wids-wips rogue-ap-controls
Rogue detected trap interval:      180 seconds
Wired network detection interval:  60 seconds
Rogue                                                         State
------------------------------------------------------------  -------
Administrator configured rogue AP                             Enabled
Managed SSID received from an unknown AP                      Enabled
Managed SSID received from a fake managed AP                  Enabled
Beacon received from an AP without SSID                       Enabled
Beacon received from a fake managed AP on an invalid channel  Enabled
Managed SSID detected with incorrect security configuration   Enabled
Invalid SSID received from a managed AP                       Enabled
AP is operating on an illegal channel                         Enabled
Known Standalone AP is incorrectly configured                 Enabled
AP is operating as a WDS device                               Enabled
Unmanaged AP detected on wired network                        Enabled
Sample Output:
WCP8180#show wireless security wids-wips rogue-ap-classification
Domain Role        :Active MDC
Total Rogue APs    :6
Total Unknown APs  :93
                             Cond   Test    Test   Time Since  Time Since
   Reporting AP MAC  Radio   Detect Config  Result 1st Report  Last Report
   ----------------- -----   ------ ------- ------ ----------- -----------
1  00:00:00:00:00:00 0       False  Disable        0d:00:00:00 0d:00:00:00
2  5C:E2:86:0F:51:40 2       True   Enable  Rogue  1:02:56:12  0d:00:00:08
3  00:00:00:00:00:00 0       False  Enable         0d:00:00:00 0d:00:00:00
4  00:00:00:00:00:00 0       False  Enable         0d:00:00:00 0d:00:00:00
5  00:00:00:00:00:00 0       False  Enable         0d:00:00:00 0d:00:00:00
6  00:00:00:00:00:00 0       False  Enable         0d:00:00:00 0d:00:00:00
7  00:00:00:00:00:00 0       False  Enable         0d:00:00:00 0d:00:00:00
8  00:00:00:00:00:00 0       False  Enable         0d:00:00:00 0d:00:00:00
9  00:00:00:00:00:00 0       False  Disable        0d:00:00:00 0d:00:00:00
10 00:00:00:00:00:00 0       False  Enable         0d:00:00:00 0d:00:00:00
11 00:00:00:00:00:00 0       False  Enable         0d:00:00:00 0d:00:00:00
----------------------------------------------------------------------------
Show wireless security wids-wips rogue-client-control
Sample Output:
WCP8180#show wireless security wids-wips rogue-client-controls
Rogue detected trap interval:          300
Known client database radius profile:
                                                   Threshold  Threshold
Rogue                                   State      Interval   Value
--------------------------------------- ---------- ---------- ----------
Client is not in known DB               Disabled
Authenication request exceeded          Enabled    60         10
Probe request exceeded                  Enabled    60         120
DeAuthenication request exceeded        Enabled    60         10
Authenication failure exceeded          Enabled               5
Client is authenicated with unknown AP  Disabled
Sample Output:
WCP8180#show wireless security wids-wips mitigation
ap-threat-mitigation:      enabled
client-threat-mitigation:  disabled
Sample Output:
WCP8180#show wireless security wids-wips ap-deauth-attacks
Target BSSID      Channel    Classify Since       Last RFScan
----------------- ---------- -------------------- ------------
5C:E2:86:0F:F7:70 3          2:02:57:19           0d:00:00:00
70:38:EE:89:C4:10 11         1:18:33:49           0d:00:09:37
5C:E2:86:0F:F2:10 10         1:18:33:19           0d:00:00:07
70:38:EE:89:C3:F0 11         1:18:27:48           0d:00:00:07
00:1B:4F:6A:59:B0 11         1:03:01:11           0d:00:00:07
00:1B:4F:6A:64:F0 6          0d:22:57:41          0d:22:57:41
Sample Output:
WCP8180#show wireless security wids-wips ageout
adhoc-clients    :1440 minutes
ap-failure       :1440 minutes
detected-client  :300 minutes
rf-scan          :1440 minutes
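The verification of rogue AP and rogue client detection described above can be automated against saved command output. The following is an added example, not part of the original guide: it parses the State column of the rogue-ap-controls and rogue-client-controls output and lists every detection test that is Disabled and not on an accepted-exceptions list. The function names, the exceptions mechanism and the sample text are assumptions made for this illustration.

```python
import re

# Constructed sample in the layout of the two "controls" commands; one AP test
# is set to Disabled here for illustration. Descriptions keep the spelling the
# controller prints on this page ("authenicated").
SAMPLE_OUTPUT = """\
WCP8180#show wireless security wids-wips rogue-ap-controls
Rogue detected trap interval:      180 seconds
Wired network detection interval:  60 seconds
Rogue                                                         State
------------------------------------------------------------  -------
Administrator configured rogue AP                             Enabled
Managed SSID received from an unknown AP                      Enabled
AP is operating on an illegal channel                         Disabled
Unmanaged AP detected on wired network                        Enabled
WCP8180#show wireless security wids-wips rogue-client-controls
Rogue                                    State     Interval  Value
---------------------------------------  --------  --------  -----
Client is not in known DB                Disabled
Probe request exceeded                   Enabled   60        120
Client is authenicated with unknown AP   Disabled
"""

# The command line that introduces each block names the section.
CMD_RE = re.compile(r"#\s*show wireless security wids-wips (\S+)", re.I)
# A test row is "<description> <Enabled|Disabled> [interval] [value]".
ROW_RE = re.compile(r"^(?P<test>\S.*?)\s+(?P<state>Enabled|Disabled)\b(?P<rest>.*)$")


def parse_controls(text):
    """Return {command: {test description: {"enabled": bool, "params": [int]}}}."""
    result, section = {}, None
    for line in text.splitlines():
        cmd = CMD_RE.search(line)
        if cmd:
            section = cmd.group(1).lower()
            result.setdefault(section, {})
            continue
        row = ROW_RE.match(line.rstrip())
        if row and section:
            # Trailing numbers are the threshold interval and/or value, if any.
            params = [int(n) for n in row.group("rest").split() if n.isdigit()]
            result[section][row.group("test")] = {
                "enabled": row.group("state") == "Enabled",
                "params": params,
            }
    return result


def find_disabled(parsed, accepted=()):
    """List (command, test) pairs that are Disabled and not accepted exceptions."""
    return sorted(
        (section, test)
        for section, tests in parsed.items()
        for test, info in tests.items()
        if not info["enabled"] and (section, test) not in accepted
    )


if __name__ == "__main__":
    # Hypothetical exception: the site does not maintain a known-client database.
    accepted = {("rogue-client-controls", "Client is not in known DB")}
    for section, test in find_disabled(parse_controls(SAMPLE_OUTPUT), accepted):
        print(f"{section}: detection disabled -> {test}")
```

Run it on output captured from both show commands after any change to the wids settings, so that a test left disabled by a no wids command is noticed.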
Related Links
Wireless security WIDS-WIPS configuration and management on page 111
Procedure
1. Enter wireless security configuration mode of the CLI.
WCP8180#conf t
Enter configuration commands, one per line.
WCP8180(config)#wireless
WCP8180(config-wireless)#security
WCP8180(config-security)#
Optionally add a name to the blacklisted client. Enter a string with a maximum length of 32
characters.
Note:
Ensure that the name is unique across the network.
Ensure also that you do not configure names that have similar characters or letters but
are different only in their case.
WC8180(config-security)#mac-db blacklist AC:81:BB:BB:11:11 Blacklist1
Related Links
ACLI reference for the Wireless LAN (WLAN) 8100 on page 11
Procedure
1. Enter the wireless configuration mode of the ACLI.
WCP8180#conf t
Enter configuration commands, one per line.
WCP8180(config)#wireless
WCP8180(config-wireless)#
Note:
The command WCP8180(config-network-profile)#mac-validation <enter>
is not supported in the current release.
Instead, use the command WCP8180(config-network-profile)#mac-validation
mode {local-whitelist|radius} to configure the MAC validation
mode in a network profile.
The following example uses a sample network profile with profile Id 2.
3. Verify the MAC validation mode on the network profile.
In the following example, the MAC validation mode is local-whitelist.
WC8180(config-wireless)#show wireless network-profile 2 detail
Network Profile ID: 2
Name                               : Default
SSID                               : Guest-Network
Hide SSID                          : No
Mobility Vlan Name                 : default-MVLAN
Probe Response                     : Enabled
Captive Portal Mode                : Disabled
User Validation                    : open
Captive Portal Profile Id          : 0
Local User Group                   : Default
RADIUS Authentication Profile Name :
RADIUS Accounting Profile Name     :
RADIUS Accounting Mode             : Disabled
Security Mode                      : open
MAC Validation                     : Enabled
MAC Validation mode                : Local-Whitelist
Wireless ARP Suppression           : Disabled
Radius offload                     : Disabled
Station Isolation Mode             : Disabled
Gateway MAC address                : 00:00:00:00:00:00
4. (Optional) Use the following commands to disable MAC validation on a network profile.
WCP8180(config-wireless)#network-profile 2
Entering network-profile (id = 2) ...
WCP8180(config-network-profile)#no mac-validation
5. (Optional) Use the following commands to set the default client MAC validation mode, which
is local-whitelist.
WC8180(config-network-profile)#default mac-validation ?
mode Set mac-validation mode to default value local-whitelist
<cr>
Related Links
Wireless Security Client MAC validation on page 123
Procedure
1. Enter the wireless configuration mode of the ACLI.
WCP8180#conf t
Enter configuration commands, one per line.
WCP8180(config)#wireless
2. Verify that the MAC validation mode on the network profile is local-whitelist.
The following example uses a sample network profile with profile Id 2.
WC8180(config-wireless)#show wireless network-profile detail
Network Profile ID: 2
Name                               : Default
SSID                               : Guest-Network
Hide SSID                          : No
Mobility Vlan Name                 : default-MVLAN
Probe Response                     : Enabled
Captive Portal Mode                : Disabled
User Validation                    : open
Captive Portal Profile Id          : 0
Local User Group                   : Default
RADIUS Authentication Profile Name :
RADIUS Accounting Profile Name     :
RADIUS Accounting Mode             : Disabled
Security Mode                      : open
MAC Validation                     : Enabled
MAC Validation mode                : local-whitelist
Wireless ARP Suppression           : Disabled
Radius offload                     : Disabled
Station Isolation Mode             : Disabled
Gateway MAC address                : 00:00:00:00:00:00
(Optional) If the MAC validation mode is not set to local-whitelist, use these
commands to set the MAC validation mode to local-whitelist.
a. Update the MAC validation mode on the network profile.
WCP8180(config-wireless)#network-profile 2
Entering network-profile (id = 2) ...
WCP8180(config-network-profile)#mac-validation mode local-whitelist
3. Use the following commands to configure blacklist and whitelist devices for your network.
Configure blacklist devices using the following command:
WCP8180(config-wireless)#security
WCP8180(config-security)#mac-db blacklist ?
H.H.H MAC address of the blacklisted user
the client device is granted wireless network access. Otherwise, the client device continues to
be blacklisted.
For more information on configuring the known-client-ageout, see Configuring the
known-client-ageout for MAC validation against a RADIUS server on page 129.
Configure RADIUS server(s) using the following command, and associate it with a RADIUS
profile. RADIUS servers manage authentication of users and devices connected to the wireless
network.
In the following example, you configure a RADIUS server with IP address 10.1.1.104 and
associate it with the RADIUS profile rad-srvr-profile.
WC8180(config-security)#radius server 10.1.1.104 rad-srvr-profile secret
Enter server secret: ********
Verify server secret: ********
Verify the status of controller communication with the RADIUS server is Up by using the
following command:
WCP8180#show wireless security radius server
Total radius servers: 1
Server IP       Radius Profile          Port# Priority Status
--------------- ----------------------- ----- -------- ------
10.1.1.20       rad-srvr-profile        1812  1        Up
Procedure
1. Enter the wireless configuration mode of the ACLI.
WCP8180#conf t
Enter configuration commands, one per line.
WCP8180(config)#wireless
2. Verify that the MAC validation mode on the network profile is radius.
The following example uses a sample network profile with profile Id 2.
WC8180(config-wireless)#show wireless network-profile detail
Network Profile ID: 2
Name                               : Default
SSID                               : Guest-Network
Hide SSID                          : No
Mobility Vlan Name                 : default-MVLAN
Probe Response                     : Enabled
Captive Portal Mode                : Disabled
User Validation                    : open
Captive Portal Profile Id          : 0
Local User Group                   : Default
RADIUS Authentication Profile Name :
RADIUS Accounting Profile Name     :
RADIUS Accounting Mode             : Disabled
Security Mode                      : open
MAC Validation                     : Enabled
MAC Validation mode                : radius
Wireless ARP Suppression           : Disabled
Radius offload                     : Disabled
Station Isolation Mode             : Disabled
Gateway MAC address                : 00:00:00:00:00:00
(Optional) If the MAC validation mode is not set to radius, use these commands to set the
MAC validation mode to radius.
a. Update the MAC validation mode on the network profile.
WCP8180(config-wireless)#network-profile 2
Entering network-profile (id = 2) ...
WCP8180(config-network-profile)#mac-validation mode radius
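The two verification steps in the MAC validation procedures above (the MAC validation mode on each network profile, and a RADIUS server with status Up) can be checked offline against captured ACLI output. The following is an added example, not part of the Avaya documentation: the sample text is constructed from the sample output above, and profile 3, the layout of multi-profile output, the status value Down, and all function names are assumptions.

```python
import re

# Constructed sample, abridged from the sample output above; profile 3 is hypothetical.
SAMPLE_PROFILES = """\
WC8180(config-wireless)#show wireless network-profile detail
Network Profile ID: 2
Name                : Default
SSID                : Guest-Network
Security Mode       : open
MAC Validation      : Enabled
MAC Validation mode : local-whitelist
Gateway MAC address : 00:00:00:00:00:00
Network Profile ID: 3
Name                : Staff
SSID                : Staff-Network
Security Mode       : open
MAC Validation      : Enabled
MAC Validation mode : radius
Gateway MAC address : 00:00:00:00:00:00
"""

SAMPLE_RADIUS = """\
WCP8180#show wireless security radius server
Total radius servers: 1
Server IP       Radius Profile          Port# Priority Status
--------------- ----------------------- ----- -------- ------
10.1.1.20       rad-srvr-profile        1812  1        Up
"""

IPV4 = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


def parse_network_profiles(text):
    """Return {profile_id: {field: value}} from 'show wireless network-profile detail'."""
    profiles, current = {}, None
    for line in text.splitlines():
        header = re.match(r"\s*Network Profile ID\s*:\s*(\d+)\s*$", line)
        if header:
            current = profiles.setdefault(int(header.group(1)), {})
            continue
        if current is None or ":" not in line:
            continue
        # Split on the first colon only, so MAC address values stay intact.
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    return profiles


def parse_radius_servers(text):
    """Return the data rows of 'show wireless security radius server'."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and IPV4.fullmatch(parts[0]):
            rows.append({"ip": parts[0], "profile": parts[1], "port": int(parts[2]),
                         "priority": int(parts[3]), "status": parts[4]})
    return rows


def check_mac_validation(profiles, radius_servers, expected_mode):
    """List every deviation from the state the procedure asks you to verify."""
    findings = []
    for pid, fields in sorted(profiles.items()):
        if fields.get("MAC Validation") != "Enabled":
            findings.append(f"profile {pid}: MAC validation is not enabled")
        elif fields.get("MAC Validation mode") != expected_mode:
            findings.append(f"profile {pid}: MAC validation mode is "
                            f"{fields.get('MAC Validation mode')!r}, expected {expected_mode!r}")
    # RADIUS-based validation also needs a reachable server.
    if expected_mode == "radius" and not any(s["status"] == "Up" for s in radius_servers):
        findings.append("no RADIUS server reports status Up")
    return findings


if __name__ == "__main__":
    result = check_mac_validation(parse_network_profiles(SAMPLE_PROFILES),
                                  parse_radius_servers(SAMPLE_RADIUS), "radius")
    print("\n".join(result) or "all checks passed")
```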
Related Links
Wireless Security Client MAC validation on page 123
Configuring the known-client-ageout for MAC validation against a RADIUS server on page 129
Configuring a trap for authentication failure on page 129
Procedure
1. Enter wireless security configuration mode of the ACLI.
WC8180#conf t
Enter configuration commands, one per line. End with CNTL/Z.
WCP8180(config)#wireless
WC8180(config-wireless)#security
Note:
The default value is 30 minutes and the range is 1 to 65535 minutes.
3. View the known-client-ageout configuration.
WC8180(config-security)#show wireless security radius
Radius server timeout: 2 (sec.)
Radius server retries: 3
Radius known client db ageout: 30 (min.)
Related Links
Validating client MAC addresses against a RADIUS server on page 126
Procedure
1. Enter the configuration mode of the ACLI.
WC8180#conf t
Enter configuration commands, one per line. End with CNTL/Z.
WCP8180(config)#
Note:
To view a complete list of snmp-server notification types and their status, execute the
command show snmp-server notification-control.
Related Links
Validating client MAC addresses against a RADIUS server on page 126
Manual
Manual load balancing provides the greatest administrative control and always overrides any other
load balancing mechanisms.
When you configure an AP or a WSP in the Domain AP or WSP database respectively, you also
provide a preferred and an alternate controller (WC or WCP) IP address. This is done for manual
load balancing of the AP or WSP.
When an AP or WSP joins the domain, it is assigned to the preferred controller if available and not
loaded to its maximum capacity. If the controller is not available or is loaded to its maximum
capacity, the alternate controller is assigned to the AP or WSP. If both the preferred and alternate
controllers are loaded to their maximum capacity or are unavailable, the AP or WSP is assigned to
the controller based on the configured load balancing metric.
Automatic
If a situation arises where both the preferred and alternate controllers are loaded to their maximum
capacity or are unavailable, or manual load balancing is not configured, an automatic assignment of
the AP or WSP load to the controller is done based on the configured automatic load-balancing
metric.
The WLAN 8100 solution supports the following two load balancing metrics:
Least Load:
This method of load balancing assigns the AP or WSP to the controller that has the least number of
APs/WSPs currently connected to it. Least load is always used as a fallback metric when other
metrics cannot uniquely determine a controller for an AP or WSP. This metric achieves an even
balancing of AP/WSP load across all controllers in the domain.
Configure this load balancing metric when the objective of load balancing is to distribute traffic
load evenly across all controllers deployed in the domain. Note that this metric achieves only a
partial coverage redundancy since it allocates the APs or WSPs to different controllers in the
order in which the APs join the mobility domain. Full coverage redundancy can be achieved
only using manual configuration.
Location based:
This metric assigns APs or WSPs based on configured location information for APs/WSPs and
controllers. You can segment a physical environment of the enterprise into campus (C),
building (B), floor (F) and sector (S). You can then specify the location of APs or WSPs in the
mobility domain in terms of C-B-F-S parameters in the domain AP or WSP database. Each
location is an 8 byte ASCII string and the level of granularity increases from C>B>F>S.
The location specification starts from lowest granularity level. When a granularity level is not
specified, it means that the level is not included in the location specification. The location based
metric uses a best location granularity match between the AP or WSP location and WC
location for assignment of AP or WSP to WC. When multiple WCs match the AP or WSP
location, the least loaded WC is selected for assignment.
The WC location is a mobility domain configuration that must be synchronized with all domain
member WC devices using the config-sync action. AP or WSP location is configured in the
domain AP/WSP database for each AP/WSP and must also be synchronized with all domain
member WC devices.
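The assignment order described above (preferred controller, then alternate, then the configured metric, with least load as the tie-breaker) can be traced with a small model. This is an added example, not Avaya code and not the controller's implementation: it is a simplified model using the controllers and APs from the example later in this chapter, and the capacities, class names, and function names are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

WC1_IP, WC2_IP = "192.168.18.12", "192.168.18.9"
FIRST = ("Avaya", "LeftWing", "FirstFloor", "Lab1")    # campus, building, floor, sector
SECOND = ("Avaya", "LeftWing", "SecondFloor", "Lab2")


@dataclass
class Controller:
    ip: str
    capacity: int                       # maximum APs; constructed value
    location: Tuple[str, ...] = ()
    available: bool = True
    aps: List[str] = field(default_factory=list)

    def has_room(self) -> bool:
        return self.available and len(self.aps) < self.capacity


@dataclass
class AccessPoint:
    mac: str
    location: Tuple[str, ...] = ()
    preferred: Optional[str] = None     # preferred controller IP
    alternate: Optional[str] = None     # alternate controller IP


def match_depth(ap_loc, wc_loc) -> int:
    """Count the leading C-B-F-S levels on which both locations agree."""
    depth = 0
    for ap_level, wc_level in zip(ap_loc, wc_loc):
        if ap_level != wc_level:
            break
        depth += 1
    return depth


def assign(ap: AccessPoint, controllers: List[Controller], metric: str) -> Optional[Controller]:
    by_ip = {wc.ip: wc for wc in controllers}
    chosen = None
    # Manual load balancing always overrides the metric.
    for ip in (ap.preferred, ap.alternate):
        wc = by_ip.get(ip) if ip else None
        if wc is not None and wc.has_room():
            chosen = wc
            break
    if chosen is None:
        candidates = [wc for wc in controllers if wc.has_room()]
        if not candidates:
            return None                 # every controller is full or unavailable
        if metric == "location":
            best = max(match_depth(ap.location, wc.location) for wc in candidates)
            candidates = [wc for wc in candidates
                          if match_depth(ap.location, wc.location) == best]
        # Least load is the metric itself or the fallback among equal matches.
        # Ties go to the first controller in list order (an assumption).
        chosen = min(candidates, key=lambda wc: len(wc.aps))
    chosen.aps.append(ap.mac)
    return chosen


def balance(aps, controllers, metric) -> Dict[str, Optional[str]]:
    """Assign APs in join order and return {AP MAC: controller IP}."""
    table = {}
    for ap in aps:
        wc = assign(ap, controllers, metric)
        table[ap.mac] = wc.ip if wc else None
    return table


def sample_controllers(with_location=True, wc2_capacity=512):
    return [Controller(WC1_IP, 512, FIRST if with_location else ()),
            Controller(WC2_IP, wc2_capacity, SECOND if with_location else ())]


def sample_aps(with_location=True, preferred=None):
    locations = [FIRST, FIRST, SECOND, SECOND]
    return [AccessPoint(f"00:1B:4F:6A:18:E{i}", loc if with_location else (), preferred)
            for i, loc in enumerate(locations, start=1)]


if __name__ == "__main__":
    for mac, ip in balance(sample_aps(), sample_controllers(), "location").items():
        print(mac, ip)
```

With `preferred` set to WC2 and a WC2 capacity of 3, the first three APs stay on WC2 regardless of their floor, and only the fourth falls through to the metric.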
Related Links
ACLI reference for the Wireless LAN (WLAN) 8100 on page 11
Configuring load balancing on page 131
Verifying configuration of load balancing on page 133
Configuring AP load balancing an example on page 135
Procedure
1. Enter the domain load balance configuration mode of the controller:
WCP8180#conf t
WCP8180(config)#wireless
WCP8180(config-wireless)#domain load-balance
WCP8180(config-wireless-lb)#
CLI Reference:
WCP8180(config-wireless-lb)#?
Load Balance configuration commands
controller  Controller load balance configuration commands
default     Set load-balance parameters to default
end         End configuration mode
exit        Exit from domain load-balance configuration mode
lb-metric   Load balance metric for both AP and WSP
no          Remove AP/WSP lb metrics
2. Use the following commands to create or modify the controller load-balance location
database for a specific controller (specified by the MAC address).
WCP8180(config-wireless-lb)#controller ?
H.H.H Controller MAC to create/modify the controller load-balance location-db
WCP8180(config-wireless-lb)#controller 00:1B:4F:6A:18:E1 location ?
WORD Enter campus string (limit: 1-8 chars)
WCP8180(config-wireless-lb)#controller 00:1B:4F:6A:18:E1 location <campus-name> ?
WORD Enter building string (limit: 1-8 chars)
WCP8180(config-wireless-lb)#controller 00:1B:4F:6A:18:E1 location <campus-name> <building-name> ?
WORD Enter floor string (limit: 1-8 chars)
WCP8180(config-wireless-lb)#controller 00:1B:4F:6A:18:E1 location <campus-name> <building-name> <floor-name> ?
WORD Enter sector string (limit: 1-8 chars)
<cr>
WCP8180(config-wireless-lb)#$:44:55 location <campus-name> <building-name> <floor-name> <sector-name>
3. Use the following commands to configure the load balancing metric (least-load or
location) for APs and WSPs.
Note:
Wireless Switching Point (WSP) load balancing is applicable only in Unified Access
deployments.
Choose the load balancing metric:
WCP8180(config-wireless-lb)# lb-metric ?
least-load  Load balance to the least loaded device
location    Load balance to the device in the nearest location(C.B.F.S)
4. Use the following commands to configure the C.B.F.S parameters for an AP or WSP for
location-based load balancing.
Note:
The campus, building, and floor parameters are mandatory, but the sector name is
optional.
C.B.F.S parameter configuration for APs:
WCP8180(config-wireless)#domain ap 00:1B:4F:6A:18:E0
Entering domain AP (mac = 00:1B:4F:6A:18:E0) configuration mode...
WCP8180(config-domain-ap)#location ?
WORD Enter campus string (limit: 1-8 chars)
WCP8180(config-domain-ap)#location <campus-string> ?
WORD Enter building string (limit: 1-8 chars)
WCP8180(config-domain-ap)#location <campus-string> <Building-string> ?
WORD Enter floor string (limit: 1-8 chars)
WCP8180(config-domain-ap)#location <campus-string> <Building-string> <floor-string> ?
a. Use the command default controller to set the default controller load balance
configuration commands.
b. Use the command default lb-metric to set the default parameters for lb-metric.
6. Use the following command to run the Load Balancing algorithm on APs or WSPs.
WSPs apply only to Unified Access deployments.
CLI Reference:
WCP8180#wireless domain load-balance ?
ap   Run LB algorithm again to balance the AP load on WCPs and WSPs
wsp  Run LB algorithm again to balance the WSP load on WCPs
Related Links
Load Balancing of APs and WSPs on page 130
controller-lb-status
status
Procedure
1. Verify load balancing action status information.
WC8180#show wireless domain load-balance action-status ?
ap Display AP load-balancing action-status information
Sample output:
WC8180#show wireless domain load-balance action-status ap
Command Name                       : None
Status                             : Completed
Number of Active WCs in the Domain : 2
Number of Active APs in the Domain : 10
Number of APs Moved                : 2
Sample output:
WC8180#show wireless domain load-balance ap-lb-table
Load Balancing Metric: location
------------------------------------------------------------
AP MAC Address    AP IP           WC IP           WC Status
----------------- --------------- --------------- ----------
00:1B:4F:6C:1B:A0 172.16.7.11     192.171.0.56    Connected
5C:E2:86:0F:51:40 172.16.7.15     192.171.0.56    Connected
00:1B:4F:69:EA:C0 172.16.7.24     192.171.0.60    Disconnected
------------------------------------------------------------
Sample output:
WC8180#show wireless domain load-balance controller-db
----------------------------------------------------
Controller         Location
                   ---------------------------------
MAC                Campus Building Floor Sector
----------------------------------------------------
00:24:B5:1F:A8:00  amr    B3       First Right
CC:F9:54:EB:0D:00  SC     A1       third 2
----------------------------------------------------
Total number of WCs in the database: 2
Sample output:
OL-AMDC#show wireless domain load-balance controller-lb-status
---------------------------------------------
Controller Load Balance Status
---------------------------------------------
Controller IP   AP    AP    AP     AP
                Cap.  Cnt.  Assign Conn.
---------------------------------------------
192.171.0.56    32    4     0      4
192.171.0.60    512   1     0      1
---------------------------------------------
Sample output:
WC8180#show wireless domain load-balance status
Mobility Domain AP License        : 16
Mobility Domain AP License In Use : 5
Configured Load Balancing Metric  : location
Related Links
Load Balancing of APs and WSPs on page 130
     MAC address        Controller IP address  Campus  Building  Floor        Sector
WC1  00-24-B5-1F-81-01  192.168.18.12          Avaya   LeftWing  FirstFloor   Lab1
WC2  00-24-B5-1F-81-02  192.168.18.9           Avaya   LeftWing  SecondFloor  Lab2

     MAC address        AP IP address  Campus  Building  Floor        Sector
AP1  00:1B:4F:6A:18:E1  172.16.2.101   Avaya   LeftWing  FirstFloor   Lab1
AP2  00:1B:4F:6A:18:E2  172.16.2.102   Avaya   LeftWing  FirstFloor   Lab1
AP3  00:1B:4F:6A:18:E3  172.16.2.103   Avaya   LeftWing  SecondFloor  Lab2
AP4  00:1B:4F:6A:18:E4  172.16.2.104   Avaya   LeftWing  SecondFloor  Lab2
Important:
When a large number of APs are rebalanced, and if after the rebalance, the assignment of APs
does not change, the configured load-balancing metric is also not changed. This ensures that
the load-balancing metric is synchronized between the AP and all controllers in the domain.
Procedure
1. Perform the following steps to load balance APs using the location metric.
a. View the current load balance status on controllers WC1 and WC2 as follows.
The load-balance status indicates that the current load-balancing metric is LeastLoad.
Also manual load balancing is not configured (preferred and alternate controllers are not
configured).
Load-balance status on WC1:
WC8180#show wireless domain load-balance status
Mobility Domain AP License        : 4096
Mobility Domain AP License In Use : 4
Configured Load Balancing Metric  : none
: 4096
: 4
: none
b. Configure the load balancing metric as location on both controllers (WC1 and WC2).
WC8180(config-wireless-lb)#lb-metric location
c. Configure the location (C.B.F.S) parameters for the 2 controllers WC1 and WC2 in the
domain as follows:
Enter the load-balancing configuration mode:
WC8180#conf t
WC8180(config)#wireless
WC8180(config-wireless)#domain load-balance
WC8180(config-wireless-lb)#
Configure the C.B.F.S parameters for the controllers (WC1 and WC2):
WC8180(config-wireless-lb)#controller 00-24-B5-1F-81-01 ?
location Least loaded in Campus-Buidling-Floor-Sector zone
<cr>
WC8180(config-wireless-lb)#controller 00-24-B5-1F-81-01 location Avaya LeftWing FirstFloor Lab1
WC8180(config-wireless-lb)#controller 00-24-B5-1F-81-02 ?
location Least loaded in Campus-Buidling-Floor-Sector zone
<cr>
WC8180(config-wireless-lb)#controller 00-24-B5-1F-81-02 location Avaya LeftWing SecondFloor Lab2
: 4096
: 4
: none
After load-balancing, the APs that are located on the first floor are managed by the
controller on the first floor. Similarly, APs on the second floor are managed by the
controller on the second floor.
WC8180#show wireless domain load-balance ap-lb-table
Load Balancing Metric: location
-----------------------------------------------------------------
AP MAC Address    AP IP           WC IP           WC Status
----------------- --------------- --------------- ---------------
00:1B:4F:6A:18:E1 172.16.2.101    192.168.18.12   Connected
00:1B:4F:6A:18:E2 172.16.2.102    192.168.18.12   Connected
00:1B:4F:6A:18:E3 172.16.2.103    192.168.18.9    Connected
00:1B:4F:6A:18:E4 172.16.2.104    192.168.18.9    Connected
-----------------------------------------------------------------
2. Perform the following steps to configure load balancing using the least-load metric.
Important:
Ensure that CBFS parameters are not configured on either the controller or APs.
Otherwise, the system load-balances the APs using only the location-based metric
by default, even if the load-balancing metric is configured as least-load.
a. View the current load balance status on the controllers WC1 and WC2 as follows.
The system displays the current load balancing metric as Location.
Load-balance status on WC1:
WC8180#show wireless domain load-balance status
Mobility Domain AP License        : 4096
Mobility Domain AP License In Use : 4
Configured Load Balancing Metric  : Location
: 4096
: 4
: Location
In this example, assume that all the 4 APs are managed by the controller WC1 (IP
address 192.168.18.12). No APs are managed by the second controller WC2. This is
because the preferred controller for all the 4 APs is configured as WC1 with IP address
192.168.18.12.
WC8180#show wireless domain load-balance status
Mobility Domain AP License        : 4096
Mobility Domain AP License In Use : 4
Configured Load Balancing Metric  : none
: 4096
: 4
: none
: 4096
: 4
: none
APs load-balanced to WC
0
0
4
0
0
--------------------------------------------------------------------
f. Verify that the APs are distributed equally between the 2 controllers.
WC8180#show wireless domain load-balance ap-lb-table
Load Balancing Metric: least-load
-----------------------------------------------------------------
AP MAC Address    AP IP           WC IP           WC Status
----------------- --------------- --------------- ---------------
00:1B:4F:6A:18:E1 172.16.2.101    192.168.18.12   Connected
00:1B:4F:6A:18:E2 172.16.2.102    192.168.18.12   Connected
00:1B:4F:6A:18:E3 172.16.2.103    192.168.18.9    Connected
00:1B:4F:6A:18:E4 172.16.2.104    192.168.18.9    Connected
-----------------------------------------------------------------
Related Links
Load Balancing of APs and WSPs on page 130
client-roam-agetime
country-code
tspec-violation-report-interval
Sub-Commands/Groups:
ap                 Domain AP commands
auto-promoted-aps  approve all Discovered AP
load-balance       Enter load balance configuration mode
mobility-vlan      Create a mobility domain VLAN
WC8180(config-wireless)#domain ap ?
Parameters:
H.H.H AP MAC Address to create/modify an AP entry in AP database
Sub-Commands/Groups:
image-update
reset-group-size
WCP8180(config-wireless)#domain auto-promoted-aps ?
approve approve all Discovered AP
WCP8180(config-wireless)#domain load-balance
WCP8180(config-wireless-lb)# ?
Load Balance configuration commands
controller  Controller load balance configuration commands
default     Set load-balance parameters to default
end         End configuration mode
exit        Exit from domain load-balance configuration mode
lb-metric   Load balance metric for both AP and WSP
no          Remove AP/WSP lb metrics
WCP8180(config-wireless-lb)#lb-metric ?
least-load  Load balance to the least loaded device
location    Load balance to the device in the nearest location(C.B.F.S)
WCP8180(config-wireless)#domain mobility-vlan ?
WORD Enter a mobility VLAN name (1-32 chars)
Procedure
1. Enter Wireless Configuration mode of the CLI.
2. Use the command domain ap-client-qos to enable access point QoS operations for
clients.
3. Use the command domain ap-reconnection-timeout to configure the AP-controller failover
timeout.
4. Use the command domain auto-promote-discovered-ap to enable auto promotion of
discovered access points.
5. Use the command domain client-roam-agetime <1 - 120> to configure the client
roaming timeout value in seconds.
6. Use the command domain country-code <country_code> to configure a code for
domain operation.
Note:
When creating an AP profile, specify a country code or use the default primary country
code of the domain. To change a country code after a profile has been created you must
delete the AP profile and create a new profile. Multiple-country domain names support a
maximum of 32 countries.
7. Use the command domain tspec-violation-report-interval <0 - 900> to
configure the TSPEC violators reporting interval in seconds.
8. Use the command domain ap <ap_mac> image-update to configure AP image update
related parameters.
22. Use the command domain ap default radio [<radio-id> [antenna]] to restore
the antenna to the default.
23. Use the command domain ap radio <radio-id> ext-cable {3-ft | 10-ft} to
specify the length of an extension cable used to attach an external antenna.
24. Use the command domain ap default radio [<radio-id> [ext-cable]] to
restore the default value (3-ft) of an extension cable.
25. Use the command domain load-balance to enter the load balancing command mode.
Use the following commands to configure load balancing.
a. Use the command controller for controller load balance configuration commands.
b. Use the command default to set load balance parameters to default.
c. Use the command lb-metric least-load to configure APs (and WSPs, in Unified
Access deployments) to load balance to the least loaded device.
d. Use the command lb-metric location to load balance to the device in the nearest
location.
Related Links
Commonly used configuration procedures on page 140
client-roam-agetime
country-code
tspec-violation-report-interval
Sub-Commands/Groups:
ap                 Domain AP commands
auto-promoted-aps  approve all Discovered AP
load-balance       Enter load balance configuration mode
mobility-vlan      Create a mobility domain VLAN
wsp                Add a WSP entry to domain WSP database
WCP8180(config-wireless)#domain ap ?
Parameters:
H.H.H AP MAC Address to create/modify an AP entry in AP database
Sub-Commands/Groups:
image-update      Configure AP image update related parameters
reset-group-size  Configure group size for a bulk RESET
WCP8180(config-wireless)#domain auto-promoted-aps ?
approve approve all Discovered AP
WCP8180(config-wireless)#domain load-balance
WCP8180(config-wireless-lb)# ?
Load Balance configuration commands
controller  Controller load balance configuration commands
default     Set load-balance parameters to default
end         End configuration mode
exit        Exit from domain load-balance configuration mode
lb-metric
no
WCP8180(config-wireless-lb)#lb-metric ?
least-load  Load balance to the least loaded device
location    Load balance to the device in the nearest location(C.B.F.S)
WCP8180(config-wireless)#domain mobility-vlan ?
WORD Enter a mobility VLAN name (1-32 chars)
WCP8180(config-wireless)#domain wsp ?
H.H.H WSP MAC Address to create/modify a WSP entry in WSP database
Procedure
1. Enter Wireless Configuration mode of the CLI.
2. Use the command domain ap-client-qos to enable access point QoS operations for
clients.
3. Use the command domain ap-reconnection-timeout to configure the AP-WCP failover
timeout.
4. Use the command domain auto-promote-discovered-ap to enable auto promotion of
discovered access points.
5. Use the command domain client-roam-agetime <1 - 120> to configure the client
roaming timeout value in seconds.
6. Use the command domain country-code <country_code> to configure a country
code for domain operation.
Note:
When creating an AP profile, specify a country code or use the default primary country
code of the domain. To change the country code after you create the AP profile, you
must first delete the AP profile and then create a new profile. Multiple-country domain
names support a maximum of 32 countries.
7. Use the command domain tspec-violation-report-interval <0 - 900> to
configure the TSPEC violators reporting interval in seconds.
8. Use the command domain ap <ap_mac> image-update to configure AP image update
related parameters.
9. Use the command domain ap <ap_mac> reset-group-size to configure the Group
size for AP(s) reset after download.
10. Use the command domain ap image-update image to enter the AP image download
configuration mode.
11. Use the command domain ap image-update server-ip to configure the HTTP server
address.
12. Use the command domain ap image-update server-port to configure the HTTP
server port.
13. Use the command domain ap image-update external-download to download an
image from an external web server.
14. Use the command domain ap image-update download-group-size <1 - 100> to
configure the percentage of access points forming a group.
15. Use the command domain ap image-update model <ap8120> version
<1.0.0.0> filename <path/filename> server-ip <ip_addr> server-port
<portnum> to configure the model, version number of the AP image, filename including http
server path, server-ip address, and server port number.
16. Use the command domain ap reset-group-size <1 - 100> to configure the
percentage of access points in the domain that will be reset.
17. Use the command domain auto-promoted-aps approve to approve all discovered
APs.
18. Use the command domain ap model {ap8120 | ap8120-E | ap8120-O} to
configure the AP model.
19. Use these commands for configuring domain options for a specific AP.
a. Use the command domain ap <ap_mac> alternate-controller to configure an
alternate wireless controller.
b. Use the command domain ap <ap-mac> alternate-wsp to configure an alternate
Wireless Switching Point (WSP).
c. Use the command domain ap <ap_mac> label to configure the AP label.
d. Use the command domain ap <ap_mac> location to configure the AP location.
e. Use the command domain ap <ap_mac> preferred-controller to configure
the preferred AP controller.
f. Use the command domain ap <ap-mac> preferred-wsp to configure a preferred
WSP.
g. Use the command domain ap <ap_mac> profile-id to assign the appropriate AP
profile ID.
h. Use the command domain ap <ap_mac> radio to configure the AP radio.
i. Use the command domain ap <ap_mac> serial to configure the AP serial number.
20. Use the command domain mobility-vlan <vlan_name> to create a new mobility
VLAN.
21. Use the command domain ap radio <radio-id> antenna {70-degree | 180-degree} to specify the type of external antenna attached to an AP radio.
22. Use the command domain ap default radio [<radio-id> [antenna]] to restore
the antenna to the default.
23. Use the command domain ap radio <radio-id> ext-cable {3-ft | 10-ft} to
specify the length of an extension cable used to attach an external antenna.
24. Use the command domain ap default radio [<radio-id> [ext-cable]] to
restore the default value (3-ft) of an extension cable.
25. Use the command domain load-balance to enter the load balancing command mode.
Use the following commands to configure load balancing.
a. Use the command controller for controller load balance configuration commands.
b. Use the command default to set load balance parameters to default.
c. Use the command lb-metric least-load to configure APs (and WSPs, in Unified
Access deployments) to load balance to the least loaded device.
d. Use the command lb-metric location to load balance to the device in the nearest
location.
26. Use the command domain wsp <wsp_mac> to add a WSP to the Domain WSP database
or modify an existing entry.
Related Links
Commonly used configuration procedures on page 140
Important:
As part of the configuration, when you configure profiles in the network (such as AP profiles,
network profiles and radio profiles), ensure that each profile name is unique across
the network.
Also, do not configure profile names that differ only in letter case.
Important:
When you configure an SSID for a network profile, ensure that it is unique across the network.
SSIDs can have a maximum of 32 characters.
Also, do not configure SSIDs that differ only in letter case. For example, do not
configure the SSIDs avaya-demo and AVAYA-DEMO within the same network.
Procedure
1. Enter Wireless Configuration mode of the CLI.
2. Use the command network-profile <1-64> to create a network profile.
This command has the options listed in the following table.
Command  Option           Description
         arp-suppression
         captive-portal
         client-qos
         cos2wmm
         default
         dot1x
         end              End configuration.
         exit             Exit configuration.
         hide-ssid
         mac-validation
         mobility-vlan
         probe-response
         profile-name
         radius
         security-mode
         ssid
         user-group
         user-validation
         wep              Configure WEP-related parameters.
         wmm2cos
         wpa2
Command
Options
Description
apsd
beacon-interval
channel
data-rates
default
dot11-mode
dot11n
dot11n-protection-mode
dtim-period
end
End configuration.
exit
Exit configuration.
fragmentation-threshold
incorrect-frame-no-ack
load-balance
max-clients
multicast-tx-rate
no
power
profile-name
qos
Command
ap-model
Options
Description
rate-limit
rf-scan
rrm
rts-threshold
station-isolation
tspec
wmm-mode
access-wids
wids-wips
ap8120-O
Configure AP Model
ap8120/E
country-code
Option
Description
ap-profile <1-64>
cos2dscp
default
default-profile
dscp2cos
end
exit
network <1-64>
no
profile-name
radio
ap8120-O
ap8120/E
ap-model
Option
Description
alternate-controller
default
end
exit mode
label
Configure AP Label
location
Configure AP Location
preferred-controller
profile-id <1-64>
Command    Option       Description
           WL81AT180E6  AP8120-E external antenna (180 degree)
channel    1-216        Fixed channel number. Use 'show wireless radar-detection' to display valid channels.
           auto         Automatic channel selection
ext-cable  3-ft         AP8120-E 3 feet extension cable
           10-ft        AP8120-E 10 feet extension cable
power      1-100        Fixed power level (in percentage)
           auto         Automatic power level adjustment
serial
6. Use the command captive-portal profile <1 - 10> to create a captive portal
profile.
Related Links
Commonly used configuration procedures on page 140
The following table describes the parameters for the ip address command.
Table 5: ip address parameters
Parameters
Description
A.B.C.D
netmask
source
BootP/DHCP mode
Note:
When the IP address or subnet mask is changed, connectivity to Telnet and the Web can be
lost.
The following table describes the variables for the ip address source command:
Table 6: ip address source command parameters
Parameter
Description
bootp-always
bootp-last-address
bootp-when-needed
dhcp-always
dhcp-last-address
dhcp-when-needed
no ip address command
The no ip address command clears the IP address and subnet mask for a switch. This
command sets the IP address and subnet mask for a switch to all zeros (0).
The syntax for the no ip address command is: no ip address switch
The no ip address command is executed in the Global Configuration command mode.
Note: When the IP address or subnet mask is changed, connectivity to Telnet and the Web Interface
can be lost. Any new Telnet connection can be disabled, and you must then connect to the serial
console port to configure a new IP address.
ip default-gateway command
The ip default-gateway command sets the default IP gateway address for a switch to use.
This command is executed in the Global Configuration command mode.
CLI reference:
WCP8180(config)#ip default-gateway ?
A.B.C.D IP address of default gateway
The following table describes the parameters for the ip default-gateway command.
Description
A.B.C.D
Note:
When the IP gateway is changed, connectivity to Telnet and the Web Interface can be lost.
show ip command
The show ip command displays the IP configurations, BootP/DHCP mode, switch address, subnet
mask, and gateway address. This command displays these parameters for what is configured, what
is in use, and the last BootP/DHCP.
This command is executed in the User EXEC command mode.
If you do not enter any parameters, this command displays all IP-related configuration information.
CLI reference:
WCP8180(config)#show ip ?
Parameters:
address             IP address of switch/stack
bootp               Show bootp settings
default-gateway     IP address of default gateway
<cr>
Sub-Commands/Groups:
arp-proxy           Display Proxy ARP status
default-ttl         Display default TTL
dhcp                Display DHCP settings
dhcp-relay          Display DHCP relay information
directed-broadcast  Display directed-broadcast forwarding mode
dns                 Display DNS configuration
fwd-nh              Display IP forwarding next-hop settings
igmp                Display IGMP information
ipfix               Display IPFIX settings
mgmt                Display management VLAN information
route               Display IP route information
routing             Display global routing enable/disable
WCP8180(config)#
The following table describes the parameters for the show ip command.
Parameters
Description
bootp
Parameters
Description
default-gateway
address
address source
Displaying interfaces
The status of all interfaces on the switch can be viewed, including Multi-Link Trunk membership, link
status, autonegotiation and speed using the following command.
show interfaces command
The show interfaces command displays the current configuration and status of all interfaces.
The syntax for the show interfaces command is: show interfaces [names]
[<portlist>]
CLI reference:
WCP8180(config-security)#show interfaces ?
gbic-info  Display gbic details
LINE       List of ports
names      Display interface names
verbose    Display contains informations about STP, VLACP, EAP and AES
<cr>
WCP8180(config-security)#
Description
names <portlist>
Displays the interface names; enter specific ports if you want to see
only those.
Procedure
1. Enter Privileged mode of the CLI.
2. Enter Configuration mode by entering the config command.
3. Use the command interface FastEthernet <list of ports> to set the list of ports
to support Fast Ethernet.
4. Use the command interface vlan <1-4094> to assign the Layer 3 IP VLAN ID.
Related Links
General switch administration on page 154
Procedure
1. Enter Privileged mode of the CLI.
2. Enter Configuration mode by entering the config command.
3. Use the command jumbo-frames enable to enable Jumbo Frames.
Related Links
General switch administration on page 154
Procedure
1. Enter Privileged mode of the CLI.
2. Enter Configuration mode by entering the config command.
3. Use the command edm help-file-path <help-file-path> to set the EDM help file
path.
Related Links
General switch administration on page 154
Procedure
1. Enter Privileged mode of the CLI.
Description
port <portlist>
10|100|1000|auto
Note: Enabling and disabling autonegotiation for speed also enables and disables it for duplex
operation. When you set the port speed for autonegotiation, ensure that the other side of the link is
also set for autonegotiation.
Related Links
Setting port speed on page 160
Description
port <portlist>
Related Links
Setting port speed on page 160
duplex command
The duplex command specifies the duplex operation for a port.
The syntax for the duplex command is: duplex [port <portlist>] {full | half | auto}
The duplex command is executed in the Interface Configuration command mode.
The following table describes the parameters for this command.
Parameters
Description
port <portlist>
Specifies the port numbers for which to reset the duplex mode
to factory default values. Enter the port number you want to
configure. The default value is autonegotiation.
Note: If you omit this parameter, the system uses the ports you
specified in the interface command.
Description
port <portlist>
Related Links
Setting port speed on page 160
Enabling Autotopology
About this task
The Optivity Autotopology protocol can be configured using the CLI.
Use the following commands to enable autotopology using the CLI.
Related Links
General switch administration on page 154
autotopology command on page 163
no autotopology command on page 163
default autotopology command on page 164
show autotopology settings command on page 164
show autotopology nmm-table command on page 164
autotopology command
The autotopology command enables the Autotopology protocol.
The syntax for the autotopology command is: autotopology
The autotopology command is executed in the Global Configuration command mode.
Related Links
Enabling Autotopology on page 163
no autotopology command
The no autotopology command disables the Autotopology protocol.
The syntax for the no autotopology command is: no autotopology
The no autotopology command is executed in the Global Configuration command mode.
Related Links
Enabling Autotopology on page 163
default autotopology command
The default autotopology command enables the Autotopology protocol.
The syntax for the default autotopology command is: default autotopology
The default autotopology command is executed in the Global Configuration command mode.
Related Links
Enabling Autotopology on page 163
show autotopology settings command
The show autotopology settings command displays the global autotopology settings.
The syntax for the show autotopology settings command is: show autotopology
settings
The show autotopology settings command is executed in the Privileged EXEC command
mode.
Related Links
Enabling Autotopology on page 163
show autotopology nmm-table command
The show autotopology nmm-table command displays the Autotopology network
management module (NMM) table.
The syntax for the show autotopology nmm-table command is: show autotopology nmm-table
The show autotopology nmm-table command is executed in the Privileged EXEC command
mode.
Related Links
Enabling Autotopology on page 163
Description
port <portlist>
Related Links
Enabling flow control on page 164
no flowcontrol command
The no flowcontrol command is used only on Gigabit Ethernet ports and disables flow control.
The syntax for the no flowcontrol command is: no flowcontrol [port <portlist>]
The no flowcontrol command is executed in the Interface Configuration mode.
The following table describes the parameters for this command.
Table 11: no flowcontrol command parameters
Parameters
Description
port <portlist>
Related Links
Enabling flow control on page 164
Description
port <portlist>
Related Links
Enabling flow control on page 164
default rate-limit command
The default rate-limit command restores the rate-limiting value for the specified port to the
default setting.
The syntax for the default rate-limit command is: default rate-limit [port <portlist>]
The default rate-limit command is executed in the Interface Configuration command mode.
The following table describes the parameters for this command.
Table 12: default rate-limit command parameters
Parameters
Description
port <portlist>
Related Links
Enabling flow control on page 164
Enabling rate-limiting
About this task
Multicast traffic, broadcast traffic, or both can be limited, as a percentage or in packets per
second, using the CLI.
See the following commands for more information.
Related Links
General switch administration on page 154
Description
percent <0-10>
Related Links
Enabling rate-limiting on page 166
no rate-limit command
The no rate-limit command disables rate-limiting on the port.
The syntax for the no rate-limit command is: no rate-limit [port <portlist>]
The no rate-limit command is executed in the Interface Configuration command mode.
The following table describes the parameters for this command.
Table 14: no rate-limit command parameters
Parameters
Description
port <portlist>
Specifies the port numbers to disable for rate-limiting. Enter the port
numbers you want to disable.
Note: If you omit this parameter, the system uses the port number you
specified in the interface command.
Related Links
Enabling rate-limiting on page 166
Procedure
1. Enter Privileged mode of the CLI.
2. Enter Configuration mode by entering the config command.
3. Use the command energy-saver enable to enable energy saver mode.
4. Use the command energy-saver efficiency-mode to enable efficiency mode.
5. Use the command energy-saver poe-power-saving to enable Power Over Ethernet
power saving mode.
Related Links
Configuring system options on page 153
If SNTP is enabled, the system synchronizes with the configured NTP server at boot-up and at user-configurable periods thereafter (the default synchronization interval is 24 hours). The first
synchronization is not performed until network connectivity is established.
SNTP supports primary and secondary NTP servers. The system tries the secondary NTP server
only if the primary NTP server is unresponsive.
Use the following CLI commands to configure SNTP.
Related Links
Configuring system options on page 153
show SNTP command on page 169
show sys-info command on page 169
SNTP enable command on page 169
no SNTP enable command on page 170
SNTP server primary address command on page 170
SNTP server secondary address command on page 170
no SNTP server command on page 171
SNTP sync-now command on page 171
SNTP sync-interval command on page 171
Related Links
Using Simple Network Time Protocol on page 168
Description
<A.B.C.D>
Related Links
Using Simple Network Time Protocol on page 168
Parameters
Description
<A.B.C.D>
Related Links
Using Simple Network Time Protocol on page 168
Description
primary
secondary
Related Links
Using Simple Network Time Protocol on page 168
Descriptions
<0-168>
Enter the number of hours for periodic synchronization with the NTP
server.
Note: 0 is boot-time only, and 168 is once a week.
Related Links
Using Simple Network Time Protocol on page 168
Description
<LINE>
<hh:mm:ss>
Configuring CANA
About this task
Use the auto-negotiation-advertisements command to configure CANA.
To configure port 5 to advertise the operational mode of 10 Mb/s and full duplex enter the following
command line: auto-negotiation-advertisements port 5 10-full
Related Links
Custom Autonegotiation Advertisements on page 173
no auto-negotiation-advertisements command
The no auto-negotiation-advertisements command makes a port silent.
The syntax for the no auto-negotiation-advertisements command is: no auto-negotiation-advertisements [port <portlist>]
The no auto-negotiation-advertisements command can be executed in the Interface
Configuration mode.
Related Links
Custom Autonegotiation Advertisements on page 173
ping command
Use the ping command to determine if communication with another switch can be established.
The syntax for this command is: ping <dns_host_name> [datasize <64-4096>] [{count
<1-999>} | continuous] [{timeout | -t} <1-120>] [interval <1-60>] [debug]
Substitute <dns_host_name> with the DNS host name of the unit to test.
Run this command in User EXEC command mode or any of the other command modes.
CLI reference:
WCP8180#ping ?
  Hostname or A.B.C.D
  <cr>
WCP8180#ping 1.1.1.1 ?
  -t          Timeout in seconds
  continuous  Ping in continuous mode
  count       Number of packets
  datasize    Packet size
  debug       Enable ping debug
  interval    Interval to retransmit in seconds
  timeout     Timeout in seconds
  <cr>
Description
<dns_host_name>
datasize <64-4096>
timeout | -t <1-120>
Set the timeout using either the timeout or the -t parameter,
followed by the number of seconds the switch must wait
before timing out.
interval <1-60>
Parameters
Description
debug
Related Links
Connecting to another switch on page 175
telnet command
Use the telnet command to establish communications with another switch during the current CLI
session. Communication can be established to only one external switch at a time using the telnet
command.
The syntax for this command is: telnet <dns_host_name>
Substitute <dns_host_name> with the DNS hostname of the unit with which to communicate.
This command is executed in the User EXEC command mode.
CLI reference:
WCP8180#telnet ?
Hostname or A.B.C.D remote host name or IP address
WCP8180#telnet 1.1.1.1 ?
port tcp port number
<cr>
Related Links
Connecting to another switch on page 175
ip domain-name command
The ip domain-name command is used to set the default DNS domain name for the switch. This
default domain name is appended to all DNS queries or commands that do not already contain a
DNS domain name.
The syntax for this command is: ip domain-name <domain_name>
Substitute <domain_name> with the default domain name to be used. A domain name is
determined to be valid if it contains alphanumeric characters and contains at least one period (.).
This command is executed in the Global Configuration command mode.
Related Links
Domain Name Server (DNS) Configuration on page 176
no ip domain-name command
The no ip domain-name command is used to clear a previously configured default DNS domain
name for the switch.
The syntax for this command is: no ip domain-name
This command is executed in the Global Configuration command mode.
Related Links
Domain Name Server (DNS) Configuration on page 176
ip name-server command
The ip name-server command is used to set the domain name servers the switch uses to
resolve a domain name to an IP address. A switch can have up to three domain name servers
specified for this purpose.
The syntax of this command is:
ip name-server <ip_address_1>
ip name-server <ip_address_2>
ip name-server <ip_address_3>
Note: To enter all three server addresses you must enter the command three times, each with a
different server address.
Description
<ip_address_1>
<ip_address_2>
<ip_address_3>
no ip name-server command
The no ip name-server command is used to remove domain name servers from the list of
servers used by the switch to resolve domain names to an IP address.
The syntax for this command is:
no ip name-server <ip_address_1>
no ip name-server [<ip_address_2>]
no ip name-server [<ip_address_3>]
Note: To remove all three server addresses you must enter the command three times, each with a
different server address.
The following table outlines the parameters for this command.
Parameters
Description
<ip_address_1>
<ip_address_2>
<ip_address_3>
Image name                              Image Version   Image Size
wc8180_1.1.0.130s.img software image    1.1.0.130       47 megabytes
When the download process is complete, the switch automatically resets unless the no-reset
parameter was used. The software image initiates a self-test and returns a message when the
process is complete.
An example of this message is illustrated in the following table.
Table 22: Software download message output
Download Image [/] Saving Image [-] Finishing Upgrading Image
Note:
Before upgrading to the latest software image, Avaya recommends that you back up the
binary and ASCII configuration on the controller and save it.
During the download process the switch is not operational.
The progress of the download process can be tracked by observing the front panel LEDs.
To change the software version running on the switch with CLI, follow this procedure:
Procedure
1. Access CLI through the Telnet protocol or a Console connection.
2. Enter enable and then press Enter to enter Privileged Access.
3. Enter download and then press Enter.
4. Enter address <a.b.c.d>, where <a.b.c.d> is the IP address of the TFTP server where the
image is stored, and then press Enter.
5. Enter the image file name, image <image name>, and then press Enter.
6. The image downloads, saves the image, and reboots.
The following table explains the parameters for the download command.
Table 23: download command parameters
Parameter
Description
address <a.b.c.d>
Related Links
Configuration files in CLI on page 180
to a TFTP server. The WC 8180 also provides the ability to save the configuration file to a USB Mass
Storage Device through the front panel USB drive.
The syntax for the copy running-config command is:
copy running-config {tftp | (usb) [u2] } address <A.B.C.D> filename <name>
The following table outlines the parameters for this command.
Table 24: copy running-config parameters
Parameters
Description
{tftp | usb}
address <A.B.C.D>
filename <name>
The copy running-config command can be executed only in the Privileged EXEC mode.
Related Links
Configuration files in CLI on page 180
Description
address <A.B.C.D>
filename <name>
Related Links
Configuration files in CLI on page 180
Description
address <A.B.C.D>
filename <name>
Enabling Quickconfig
About this task
Use the following procedure to enable Quickconfig.
Procedure
1. Enter Privileged mode of the CLI.
2. Enter Configuration mode by entering the config command.
3. Use the command quickconfig enable to enable Quickconfig.
Related Links
Configuring system options on page 153
Terminal setup
Switch terminal settings can be customized to suit the preferences of a switch administrator. This
operation must be performed in CLI.
The terminal command configures terminal settings. These settings are transmit and receive
speeds, terminal length, and terminal width.
The syntax of the terminal command is: terminal speed {2400 | 4800 | 9600 | 19200 | 38400} length <0-132> width <1-132>
The terminal command is executed in the User EXEC command mode.
The following table describes the parameters for this command.
Table 27: terminal command parameters
Parameters
Description
speed {2400|4800|19200|38400}
length
width
The show terminal command can be used at any time to display the current terminal settings.
This command takes no parameters and is executed in the EXEC command mode.
a menu or the command line interface prompt, depending on previously configured defaults. When
using the console port, you must log out for the new mode to display. When using Telnet, all
subsequent Telnet sessions display the selection.
To change the default management interface, use the cmd-interface command. The syntax of this
command is: cmd-interface {cli | menu}
The cmd-interface command must be executed in the Privileged EXEC command mode.
Procedure
1. Enter Privileged mode of the CLI.
2. Enter Configuration mode by entering the config command.
3. Use the command serial-console unit <1-8> to select the unit on which you want to enable
serial console port access.
4. Use the command serial-console enable to enable serial console port access.
Related Links
Configuring system options on page 153
telnet-access command
The telnet-access command configures the Telnet connection that is used to manage the
switch. The telnet-access command is executed through the console serial connection.
The syntax for the telnet-access command is:
telnet-access [enable | disable] [login-timeout <1-10>] [retry <1-100>]
[inactive-timeout <0-60>] [logging {none | access | failures | all}]
[source-ip <1-50> <A.B.C.D> <WORD> [mask <A.B.C.D>]]
Description
enable | disable
login-timeout <1-10>
retry <1-100>
inactive-timeout <0-60>
Related Links
Setting Telnet access on page 184
boot command
The boot command performs a soft-boot of the switch.
The syntax for the boot command is:
boot [default] [partial-default]
The boot command is executed in the Privileged EXEC command mode.
The following table describes the parameters for the boot command.
Table 29: boot command parameters
Parameters
Description
default
partial-default
Note: When you reset to factory defaults, the switch retains the last reset count and reason for last
reset; these two parameters do not default to factory defaults.
Related Links
Setting boot parameters on page 186
Defaulting to BootP-when-needed
The BootP default value is BootP-when-needed. This enables the switch to be booted and the
system to automatically seek a BootP server for the IP address.
If an IP address is assigned to the device and the BootP process times out, the BootP mode
remains in the default mode of BootP-when-needed.
However, if the device does not have an assigned IP address and the BootP process times out, the
BootP mode automatically changes to BootP disabled. But this change to BootP disabled is not
stored, and the BootP reverts to the default value of BootP-when-needed after rebooting the
device.
When the system is upgraded, the switch retains the previous BootP value. When the switch is
defaulted after an upgrade, the system moves to the default value of BootP-when-needed.
See the following CLI commands to configure BootP parameters.
Related Links
Configuring system options on page 153
ip bootp server command on page 187
Description
Related Links
Defaulting to BootP-when-needed on page 186
The default ip bootp server command is executed in the Global Configuration command
mode.
Related Links
Defaulting to BootP-when-needed on page 186
shutdown command
About this task
The shutdown command provides a mechanism for safely shutting down a switch without interfering
with device processes or corrupting the software image. After this command is issued, the
configuration is saved, auto-save functionality is temporarily disabled, and configuration changes
are not allowed until the switch restarts. If the shutdown is cancelled, auto-save functionality returns
to the state in which it was previously functioning.
The shutdown command has the following syntax: shutdown [force] [minutes-to-wait <1-60>] [cancel]
The following table describes the parameters of the shutdown command.
Table 31: shutdown command parameter
Parameters
Description
force
minutes-to-wait <1-60>
cancel
reload command
About this task
The reload command operates in a similar fashion to the shutdown command. However, the
reload command is intended more to be used by system administrators using the command
functionality to configure remote devices and reset them when the configuration is complete.
The reload command differs from the shutdown command in that the configuration is not explicitly
saved after the command is issued. This means that any configuration changes must be explicitly
saved before the switch reloads.
The reload command does temporarily disable auto-save functionality until the reload occurs.
Cancelling the reload returns auto-save functionality to any previous setting.
The reload command has the following syntax: reload [force] [minutes-to-wait <1-60>] [cancel]
The following table describes the parameters of the reload command.
Description
force
minutes-to-wait <1-60>
cancel
Procedure
1. Enter Privileged mode of the CLI.
2. Enter Configuration mode by entering the config command.
3. Use the command storm-control and one of the following sub-commands to configure Packet
Storm Control settings:
a. Use the enable sub-command to enable the feature.
b. Use the high-watermark <11-100000000> sub-command to set the high watermark in
packets per second.
c. Use the low-watermark <10-100000000> sub-command to set the low watermark in
packets per second.
d. Use the poll-interval <5-300> sub-command to set the poll interval in seconds.
e. Use the trap-send-interval <0-1000> sub-command to set the trap send interval in poll
cycles.
Related Links
Configuring system options on page 153
CLI Help
About this task
To obtain help on the navigation and use of Command Line Interface (CLI), use the following
command: help {commands | modes}
Use help commands to obtain information about the commands available in CLI organized by
command mode. A short explanation of each command is also included.
Use help modes to obtain information about command modes available and CLI commands used to
access them.
These commands are available in any command mode.
Procedure
1. In CLI, set the Global Configuration command mode.
configure
2. Enable sntp server.
3. Set the date to change to daylight savings time.
clock summer-time zone date day month year hh:mm day month year hh:mm [offset]
Job aid
The following table defines the variables for the clock summer-time command:
Description
date
day
month
year
hh:mm
day
month
year
hh:mm
offset
WORD
Variable
a.b.c.d
primary | secondary
no-reset
usb
Note:
Dual Agent supports the WLAN switches NBUs through AAUR.
Related Links
Configuring Dual Agent on page 191
Procedure
1. In CLI, set the Global Configuration command mode.
configure
2. Enable sntp server.
3. Set clock time zone using the clock command.
clock time-zone zone hours [minutes]
Job aid
The following table defines the variables for the clock time-zone command:
Table 35: clock time-zone command
Variables
Description
zone
hours
Difference from UTC in hours. This can be any value between -12
and +12.
minutes
Description
static | custom
Related Links
Customizing CLI banner with CLI on page 194
banner command
The banner command specifies the banner displayed at startup; either static or custom.
The syntax for the banner command is:
banner {static | custom} <line number> "<LINE>"
The following table outlines the parameters for this command.
Table 37: banner command parameters
Parameters
Description
static | custom
line number
LINE
no banner command
The no banner command clears all lines of a previously stored custom banner. This command
sets the banner type to the default setting (STATIC).
The syntax for the command is:
no banner
The no banner command is executed in the Privileged EXEC command mode.
Related Links
Customizing CLI banner with CLI on page 194
Procedure
1. Enter Privileged mode of the CLI.
2. Enter Configuration mode by entering the config command.
3. Use the command stack auto-unit-replacement config restore unit <1-8> to
restore the configuration of a unit from the saved configuration on the saved unit.
Related Links
Configuring system options on page 153
Procedure
1. Enter Privileged mode of the CLI.
2. Enter Configuration mode by entering the config command.
3. Use the command ui-button unit <1-8> to set the unit to enable.
4. Use the command ui-button enable to enable the ui-button feature.
Related Links
Configuring system options on page 153
Procedure
1. Enter Privileged mode of the CLI.
2. Enter Configuration mode by entering the config command.
3. Use the command usb-host-port enable to enable the USB host port.
Related Links
Configuring system options on page 153
Enabling Autosave
About this task
With autosave enabled the system checks every minute to see if there is any new configuration
data. If there is, it will automatically be saved to NVRAM. While autosave is enabled, the AUR
feature should perform normally.
Use the following command to enable the autosave feature.
web-server command
The web-server command enables or disables the web server used for Web-based management.
The syntax for the web-server command is:
web-server {enable | disable}
The web-server command is executed in the Global Configuration command mode.
The following table describes the parameters for this command.
Table 38: web-server command parameters
Parameter
Description
enable | disable
Related Links
Setting the server for Web-based management with CLI on page 197
no web-server command
The no web-server command disables the web server used for Web-based management.
The syntax for the no web-server command is:
no web-server
Procedure
1. Access CLI through the Telnet protocol or a Console connection.
2. From the command prompt, use the cli password command to change the desired password.
cli password {read-only | read-write} <password>
The following table describes the parameters for this command.
Table 39: cli password command parameters
Parameter
Description
{read-only | read-write}
<password>
3. Press Enter.
Procedure
1. Access CLI through the Telnet protocol or a Console connection.
2. From the command prompt, use the cli password command to enable or disable the desired
password.
Description
{telnet | serial}
3. Press Enter.
Configuring RADIUS
Configure RADIUS to perform authentication services for system users. For specific configuration
procedures, see the vendor documentation. In particular, ensure that you set the appropriate
Service-Type attribute in the user accounts as follows:
for read-write access, Service-Type = Administrative
for read-only access, Service-Type = NAS-Prompt
Related Links
Configuring system security on page 202
Configuring a RADIUS server on page 49
Enabling RADIUS password fallback on page 200
Viewing RADIUS information on page 212
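To confirm that an account on the RADIUS server returns the Service-Type listed above, the following added example (not Avaya code) parses a RADIUS reply and maps its Service-Type to an access level. The values 6 (Administrative) and 7 (NAS-Prompt) come from RFC 2865; the function names, the constructed sample packets, and reporting any other or missing value as "unmapped" are assumptions of this example, not documented controller behaviour.

```python
import struct

# RFC 2865 packet codes and attribute numbers.
ACCESS_ACCEPT = 2
ACCESS_REJECT = 3
ATTR_USER_NAME = 1
ATTR_SERVICE_TYPE = 6

# Service-Type values named in the section above (numbers per RFC 2865).
ACCESS_BY_SERVICE_TYPE = {
    6: "read-write",  # Administrative
    7: "read-only",   # NAS-Prompt
}


class RadiusParseError(ValueError):
    """Raised when a packet does not follow the RADIUS framing rules."""


def parse_attributes(packet: bytes):
    """Return (code, [(attr_type, value_bytes), ...]) for a raw RADIUS packet.

    The Response Authenticator is not verified here; this only inspects
    the attributes of a reply that was captured or logged for review.
    """
    if len(packet) < 20:
        raise RadiusParseError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise RadiusParseError("length field does not match packet size")
    attrs, offset = [], 20
    while offset < length:
        if length - offset < 2:
            raise RadiusParseError("truncated attribute header")
        attr_type, attr_len = packet[offset], packet[offset + 1]
        if attr_len < 2 or offset + attr_len > length:
            raise RadiusParseError("attribute length out of bounds")
        attrs.append((attr_type, packet[offset + 2:offset + attr_len]))
        offset += attr_len
    return code, attrs


def management_access(packet: bytes) -> str:
    """Classify a reply: read-write, read-only, unmapped, rejected, malformed."""
    try:
        code, attrs = parse_attributes(packet)
    except RadiusParseError:
        return "malformed"
    if code != ACCESS_ACCEPT:
        return "rejected"
    values = [v for t, v in attrs if t == ATTR_SERVICE_TYPE]
    # Exactly one 4-byte Service-Type is expected; anything else is unmapped.
    if len(values) != 1 or len(values[0]) != 4:
        return "unmapped"
    (service_type,) = struct.unpack("!I", values[0])
    return ACCESS_BY_SERVICE_TYPE.get(service_type, "unmapped")


def build_packet(code: int, attrs, ident: int = 1) -> bytes:
    """Build a constructed test packet (all-zero authenticator, not valid on a wire)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body


def service_type(value: int):
    return (ATTR_SERVICE_TYPE, struct.pack("!I", value))


# Constructed sample replies, not captured traffic.
SAMPLE_ADMIN = build_packet(ACCESS_ACCEPT, [service_type(6)])
SAMPLE_OPERATOR = build_packet(
    ACCESS_ACCEPT, [(ATTR_USER_NAME, b"operator"), service_type(7)])
SAMPLE_LOGIN = build_packet(ACCESS_ACCEPT, [service_type(1)])  # Login
SAMPLE_NO_TYPE = build_packet(ACCESS_ACCEPT, [(ATTR_USER_NAME, b"guest")])
SAMPLE_REJECT = build_packet(ACCESS_REJECT, [])
# Corrupt the attribute length byte so it points past the end of the packet.
SAMPLE_MALFORMED = SAMPLE_ADMIN[:21] + b"\x09" + SAMPLE_ADMIN[22:]

if __name__ == "__main__":
    for name in ("SAMPLE_ADMIN", "SAMPLE_OPERATOR", "SAMPLE_LOGIN",
                 "SAMPLE_NO_TYPE", "SAMPLE_REJECT", "SAMPLE_MALFORMED"):
        print(f"{name:17} -> {management_access(globals()[name])}")
```

An account that comes back as "unmapped" has no Service-Type matching either access level listed above and should be corrected on the RADIUS server before it is used for switch management.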
Procedure
1. Access CLI through the Telnet protocol or a Console connection.
2. From the command prompt, use the radius-server command to configure the server
settings.
CLI reference:
WCP8180(config)#radius-server ?
  host            RADIUS primary host
  key             RADIUS shared secret
  password        RADIUS password fallback
  port            RADIUS UDP port
  secondary-host  RADIUS secondary host
  timeout         RADIUS time-out period
Description
host <address>
[secondary-host <address>]
port <num>
key
[password fallback]
3. Press Enter.
Procedure
1. show radius-server
The command takes no parameters and displays the current RADIUS server configuration.
2. no radius-server
This command takes no parameters and clears any previously configured RADIUS server
settings.
3. radius-server password fallback
This command takes no parameters and enables the password fallback RADIUS option if it
was not done when the RADIUS server was configured initially.
mac-security ?
Display the stack/switch MAC security configuration.
Display the accessible MAC addresses on each port.
Display MAC DA filtering addresses
Display ports' MAC security status.
Display port membership of security lists.
Description
config
port
security-lists
The show mac-security command is executed in the Privileged EXEC command mode.
Related Links
Configuring MAC address-based security using CLI on page 202
mac-security command
The mac-security command modifies the MAC security configuration.
The mac-security command is executed in the Global Configuration mode.
CLI reference:
WCP8180(config)#mac-security ?
  auto-learning      Configure MAC Auto-Learning
  disable            Disable MAC Address Security.
  enable             Enable MAC Address Security.
  filtering          Enable/disable DA filtering
  intrusion-detect   Enable/disable partitioning on intrusion detection
  intrusion-timer    Set temporary partition time for intrusion detection.
  learning           Enable/disable MAC address learning
  learning-ports     Modify ports participation in MAC address learning.
  mac-address-table  Add addresses to MAC security address table
  mac-da-filter      Add/delete MAC DA filtering addresses
  security-list      Modify security list port membership.
  snmp-lock          Enable/disable SNMP lock on MAC address security parameters.
Description
auto-learning
disable|enable
filtering {enable|disable}
intrusion-detect {enable|disable|forever}
intrusion-timer <1-65535>
learning-ports <portlist>
learning {enable|disable}
snmp-lock {enable|disable}
Parameter
Description
snmp-trap {enable|disable}
Related Links
Configuring MAC address-based security using CLI on page 202
Description
<H.H.H>
port <portlist>
security-list <1-32>
Description
<1-32>
<portlist>
Description
port <portlist>
disable|enable|learning
The mac-security command for specific ports executes in the Interface Configuration mode.
Related Links
Configuring MAC address-based security using CLI on page 202
Parameter
Description
<portlist>
Parameter
Description
disable|enable
max-addrs <1-25>
Description
<portlist>
enable
max-addrs
Configuring RADIUS
Configure RADIUS to perform authentication services for system users. For specific configuration
procedures, see the vendor documentation. In particular, ensure that you set the appropriate
Service-Type attribute in the user accounts as follows:
for read-write access, Service-Type = Administrative
for read-only access, Service-Type = NAS-Prompt
Related Links
Configuring system security on page 202
Configuring a RADIUS server on page 49
Enabling RADIUS password fallback on page 200
Viewing RADIUS information on page 212
Procedure
1. Enter Global or Interface Configuration mode of the ACLI.
2. Configure a RADIUS server using the command radius server <host IP Address>,
where <host IP address> is the IP address of the primary RADIUS server you want to
configure.
3. Configure a RADIUS profile using the command radius profile <profile name>
type .
A RADIUS profile can be one of two types: authentication or accounting.
(WC8180-security)#radius profile <profile name> type ?
acct
auth
172.16.2.11 sample-radius-profile ?
encrypted radius secret
radius health check password (encrypted)
Radius health check interval.
User password for radius health check
User name used for radius healtcheck
server priority
server shared secret
server UDP port
Description
encrypted-secret
health-check-encrypted-password
health-check-interval
Specifies the time (in seconds) after which the controller checks
the health of the RADIUS server.
Enter a number in the range 0-100. Specifying a time interval of
0 disables the health check.
health-check-user
health-check-password
priority
secret
udp-port
7. Use the command no radius profile <radius profile name> to delete a RADIUS profile.
8. Use the command no radius server <server IP Address> <radius profile
name> to delete a RADIUS server.
9. Use the command default radius server <ip address> <health-check-interval | health-check-password | health-check-user | health-check-encrypted-password> to restore default RADIUS server settings.
10. Use the command default radius profile <radius profile name> server-selection to delete a RADIUS profile.
Related Links
Configuring and managing RADIUS on page 48
Configuring RADIUS on page 199
A single read-write community string that can only be configured using the console menus.
Up to four trap destinations and associated community strings that can be configured either in
the console menus, or using SNMP Set requests on the s5AgTrpRcvrTable
With the WLAN 8100 Series support for SNMPv3, you can configure SNMP using the new
standards-based method of configuring SNMP communities, users, groups, views, and trap
destinations.
Important:
You must configure views and users using CLI before SNMPv3 can be used.
Important:
You must have the secure version of the software image installed on your switch before you can
configure SNMPv3.
The WLAN 8100 Series also supports the previous proprietary SNMP configuration methods for
backward compatibility.
All the configuration data configured in the proprietary method is mapped into the SNMPv3 tables as
read-only table entries. In the new standards-based SNMPv3 method of configuring SNMP, all
processes are configured and controlled through the SNMPv3 MIBs. The Command Line Interface
commands change or display the single read-only community, read-write community, or four trap
destinations of the proprietary method of configuring SNMP. Otherwise, the commands change or
display SNMPv3 MIB data.
The WLAN 8100 Series software supports MD5 and SHA authentication, as well as AES and DES
encryption.
The SNMP agent supports exchanges using SNMPv1, SNMPv2c and SNMPv3. Support for
SNMPv2c introduces a standards-based GetBulk retrieval capability using SNMPv1 communities.
SNMPv3 support introduces industrial-grade user authentication and message security. This
includes MD5 and SHA-based user authentication and message integrity verification, as well as
AES- and DES-based privacy encryption.
Export restrictions on SHA and DES necessitate support for domestic and non-domestic executable
images or defaulting to no encryption for all customers.
The traps can be configured in SNMPv1, v2, or v3 format. If you do not identify the version (v1, v2,
or v3), the system formats the traps in the v1 format. A community string can be entered if the
system requires one.
Related Links
SNMP configuration using CLI on page 213
snmpCommunityTable: 20
vacmViewTreeFamilyTable: 60
vacmSecurityToGroupTable: 40
vacmAccessTable: 40
usmUserTable: 20
snmpNotifyTable: 20
snmpTargetAddrTable: 20
snmpTargetParamsTable: 20
Related Links
SNMP configuration using CLI on page 213
Description
host
user
view
notification-control
notify-filter
Related Links
SNMP configuration using CLI on page 213
Description
Related Links
SNMP configuration using CLI on page 213
Description
read-view <view-name>
Changes the read view used by the new community string for
different types of SNMP operations.
view-name specifies the name of the view which is a set of
MIB objects/instances that can be accessed; enter an
alphanumeric string.
write-view <view-name>
Changes the write view used by the new community string for
different types of SNMP operations.
view-name specifies the name of the view which is a set of
MIB objects/instances that can be accessed; enter an
alphanumeric string.
notify-view <view-name>
Related Links
SNMP configuration using CLI on page 213
Description
ro |rw|<community-string>
Related Links
SNMP configuration using CLI on page 213
Description
ro|rw
Related Links
SNMP configuration using CLI on page 213
snmp-server command
The snmp-server command enables or disables the SNMP server.
The syntax for the snmp-server command is:
snmp-server {enable|disable}
The following table describes the parameters for this command.
Table 54: snmp-server command parameters
Parameter
Description
enable|disable
Related Links
SNMP configuration using CLI on page 213
no snmp-server command
The no snmp-server command disables SNMP access.
The syntax for the no snmp-server command is:
no snmp-server
The no snmp-server command executes in the Global Configuration mode.
Description
host-ip
community-string
port <trap-port>
v1<community-string>
v2c<community-string>
Multiple trap receivers with varying access levels can
be created.
v3{auth|no-auth|auth-priv}
username
Related Links
SNMP configuration using CLI on page 213
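The trap-receiver parameters above, together with the earlier statement that traps without a stated version are sent in v1 format, can be checked mechanically. The following is an added example, not Avaya code: the config lines are constructed, and their token order (host IP, optional port, then a bare community string or v1/v2c/v3 with a security level) is an assumption assembled from the parameter table, so compare it with your own controller's saved configuration.

```python
# Added example: classify trap receivers by SNMP version and security level.

# Constructed sample lines; 192.0.2.0/24 is a documentation range.
SAMPLE_CONFIG = """\
snmp-server host 192.0.2.10 examplecommunity
snmp-server host 192.0.2.11 port 162 v2c examplecommunity
snmp-server host 192.0.2.12 v3 no-auth trapuser1
snmp-server host 192.0.2.13 v3 auth trapuser2
snmp-server host 192.0.2.14 v3 auth-priv trapuser3
snmp-server enable
"""

# Severity labels are this example's own rating, not the vendor's.
# community: v1/v2c, the community string travels in cleartext
# no-auth:   v3 without authentication or privacy
# auth:      v3 authenticated (MD5/SHA) but not encrypted
# auth-priv: v3 authenticated and encrypted
SEVERITY = {
    "community": "high",
    "no-auth": "high",
    "auth": "medium",
    "auth-priv": "ok",
}


def parse_trap_host(line):
    """Return a dict describing one trap receiver, or None for other lines."""
    tokens = line.split()
    if len(tokens) < 3 or tokens[:2] != ["snmp-server", "host"]:
        return None
    host, rest = tokens[2], tokens[3:]
    if rest[:1] == ["port"]:
        rest = rest[2:]  # skip "port <trap-port>"
    defaulted = False
    if rest[:1] == ["v3"]:
        if len(rest) < 2 or rest[1] not in ("auth", "no-auth", "auth-priv"):
            raise ValueError(f"v3 entry without a security level: {line!r}")
        version, level = "v3", rest[1]
    elif rest[:1] in (["v1"], ["v2c"]):
        version, level = rest[0], "community"
    else:
        # No version given: the system formats the traps as v1.
        version, level, defaulted = "v1", "community", True
    return {
        "host": host,
        "version": version,
        "level": level,
        "defaulted": defaulted,
        "severity": SEVERITY[level],
    }


def audit(config_text):
    """Parse every trap-receiver line in a configuration dump."""
    rows = []
    for line in config_text.splitlines():
        row = parse_trap_host(line.strip())
        if row is not None:
            rows.append(row)
    return rows


def needs_attention(config_text):
    """Hosts whose traps are not both authenticated and encrypted."""
    return [r["host"] for r in audit(config_text) if r["severity"] != "ok"]


if __name__ == "__main__":
    for r in audit(SAMPLE_CONFIG):
        note = " (version defaulted to v1)" if r["defaulted"] else ""
        print(f'{r["host"]:<12} {r["version"]:<4} {r["level"]:<10} {r["severity"]}{note}')
```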
If you do not specify any parameters, this command deletes all trap destinations from the
s5AgTrpRcvrTable and from SNMPv3 tables.
The following table describes the parameters for this command.
Table 56: no snmp-server host command parameters
Parameter
Description
<host-ip> [<community-string>]
<host-ip>
port <trap-port>
v1|v2c|v3|<community-string>
Related Links
SNMP configuration using CLI on page 213
Description
text
Related Links
SNMP configuration using CLI on page 213
Description
text
Related Links
SNMP configuration using CLI on page 213
Description
username
md5 <password>
read-view <view-name>
Specifies the read view to which the new user has access:
view-name specifies the view name; enter an alphanumeric
string of up to 255 characters.
write-view <view-name>
Specifies the write view to which the new user has access:
view-name specifies the view name; enter an alphanumeric
string that can contain at least some of the nonalphanumeric
characters.
notify-view <view-name>
Specifies the notify view to which the new user has access:
view-name specifies the view name; enter an alphanumeric
string that can contain at least some of the nonalphanumeric
characters.
SHA
3DES
AES
DES
engine-id
Important:
If a view parameter is omitted from the command, that view type cannot be accessed.
Related Links
SNMP configuration using CLI on page 213
Description
username
Related Links
SNMP configuration using CLI on page 213
Description
viewname
OID
For the dotted form, a sub-identifier can be an asterisk,
indicating a wildcard. Here are some examples of valid OID
parameters:
sysName
+sysName
-sysName
+sysName.0
+ifIndex.1
-ifEntry.*.1 (this matches all objects in the ifTable with an
instance of 1; that is, the entry for interface #1)
1.3.6.1.2.1.1.1.0 (the dotted form of sysDescr)
The + or - indicates whether the specified OID is included in
or excluded from, the set of MIB objects accessible using
this view.
There are 10 possible OID values.
Related Links
SNMP configuration using CLI on page 213
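Before relying on a restricted view, it helps to check which OIDs a set of + and - entries actually exposes. The following is an added example, not Avaya code: it applies the standard VACM rule from RFC 3415 (the longest matching entry decides), which is assumed here to be what the controller's vacmViewTreeFamilyTable follows. The view contents, the treatment of an unsigned entry as included, and the ordering of wildcards on a tie are this example's assumptions.

```python
# Added example: decide whether an OID is visible through a view built
# from +/- entries, including the wildcard form such as -ifEntry.*.1.

# Numeric OIDs for the names used in the parameter table (standard MIB-II).
NAMES = {
    "sysDescr": "1.3.6.1.2.1.1.1",
    "sysName": "1.3.6.1.2.1.1.5",
    "ifEntry": "1.3.6.1.2.1.2.2.1",
    "ifIndex": "1.3.6.1.2.1.2.2.1.1",
}

# Constructed view: all of mib-2, minus sysName, minus every column of
# the ifTable row for interface 1.
CONSTRUCTED_VIEW = ["+1.3.6.1.2.1", "-sysName", "-ifEntry.*.1"]


def parse_entry(text):
    """Turn '+sysName.0' or '-ifEntry.*.1' into (included, pattern).

    pattern is a tuple of ints with None standing for a '*' wildcard.
    An entry without a sign is treated as included (assumption).
    An empty sub-identifier, as in 'ifEntry..1', is rejected.
    """
    included = not text.startswith("-")
    body = text.lstrip("+-")
    head, dot, rest = body.partition(".")
    if head in NAMES:
        body = NAMES[head] + dot + rest
    pattern = []
    for sub in body.split("."):
        if sub == "*":
            pattern.append(None)
        elif sub.isdigit():
            pattern.append(int(sub))
        else:
            raise ValueError(f"bad sub-identifier {sub!r} in {text!r}")
    return included, tuple(pattern)


def matches(pattern, oid):
    """True if oid lies inside the subtree described by pattern."""
    if len(oid) < len(pattern):
        return False
    return all(p is None or p == o for p, o in zip(pattern, oid))


def in_view(entries, oid_text):
    """Longest matching entry decides; no match means not accessible.

    On equal length the greater subtree wins; wildcards sort lowest,
    which is a simplification made by this example.
    """
    oid = tuple(int(s) for s in oid_text.split("."))
    best = None
    for text in entries:
        included, pattern = parse_entry(text)
        if not matches(pattern, oid):
            continue
        key = (len(pattern), tuple(-1 if p is None else p for p in pattern))
        if best is None or key > best[0]:
            best = (key, included)
    return best is not None and best[1]


if __name__ == "__main__":
    checks = [
        "1.3.6.1.2.1.1.1.0",      # sysDescr.0
        "1.3.6.1.2.1.1.5.0",      # sysName.0
        "1.3.6.1.2.1.2.2.1.2.1",  # ifDescr for interface 1
        "1.3.6.1.2.1.2.2.1.2.10", # ifDescr for interface 10
        "1.3.6.1.4.1.99999.1",    # constructed enterprise OID, outside mib-2
    ]
    for oid in checks:
        state = "visible" if in_view(CONSTRUCTED_VIEW, oid) else "hidden"
        print(f"{oid:<26} {state}")
```

Comparing sub-identifiers as integers matters here: interface 10 stays visible although its instance begins with the digit 1.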
Description
viewname
Related Links
SNMP configuration using CLI on page 213
Important:
This command deletes all existing SNMP configurations, hence must be used with care.
The syntax for the snmp-server bootstrap command is:
snmp-server bootstrap <minimum-secure>|<semi-secure>|<very-secure>
The snmp-server bootstrap command is executed in the Global Configuration mode.
The following table describes the parameters for this command.
Table 63: snmp-server bootstrap command parameters
Parameters
Description
<minimum-secure>
<semi-secure>
<very-secure>
Related Links
SNMP configuration using CLI on page 213
Description
<WORD/1-128>
Related Links
SNMP configuration using CLI on page 213
no snmp-server notification-control
The no snmp-server notification-control command disables the notification identified by
the command parameter. The notification options are:
DHCP Snooping: bsDhcpSnoopingBindingTableFull, bsDhcpSnoopingTrap
Dynamic ARP Inspection: bsaiArpPacketDroppedOnUntrustedPort
IP Source Guard: bsSourceGuardReachedMaxIpEntries, bsSourceGuardCannotEnablePort
The syntax for the no snmp-server notification-control command is:
no snmp-server notification-control <WORD/1-128>
The no snmp-server notification-control command executes in Global Configuration
mode.
The following table describes the parameters for this command.
Table 65: no snmp-server notification-control command parameters
Parameter
Description
<WORD/1-128>
Related Links
SNMP configuration using CLI on page 213
Description
<WORD/1-128>
Related Links
SNMP configuration using CLI on page 213
Description
host <IPaddr>
key <key>
[port <port>]
To delete a TACACS+ server, use one of the following commands in Global or Interface
Configuration mode:
no tacacs
default tacacs
The commands erase settings for the TACACS+ primary and secondary servers and secret key,
and restore default port settings.
Related Links
Configuring TACACS+ using CLI on page 229
Description
all
<level>
none
Related Links
Configuring TACACS+ using CLI on page 229
Enabling IP Manager
About this task
To enable IP Manager to control Telnet, SNMP, SSH, or HTTP access, use the following command
in Global Configuration mode:
ipmgr {telnet|snmp|web|ssh}
The following table describes the parameters for this command.
Table 69: Enabling IP manager command parameters
Parameter
Description
telnet
snmp
web
ssh
To disable IP Manager for a management system, use the no keyword at the start of the command.
Related Links
Configuring IP Manager using CLI on page 232
Description
<list ID>
<Ipv4addr>
[mask <mask>]
Related Links
Configuring IP Manager using CLI on page 232
The parameter <3-10> represents the number of passwords to store in the history table. Use the
appropriate value when configuring the feature.
Related Links
Configuring password security using CLI on page 234
Procedure
1. Enter Privileged mode of the CLI.
2. Enter Configuration mode by entering the config command.
3. Use the command nsna fail-open and one of the following commands to configure fail-open options:
a. Use the command filter-vlan-id <1-4094> to set fail-open filter vlan ID.
b. Use the command vlan-id <1-4094> to set fail-open vlan ID.
c. Use the command enable to enable secure network access fail-open.
4. Use the command nsnas <subnet address> to set the secure network access subnet.
5. Use the command nsnas phone-signature <WORD> to assign a secure network access
phone signature.
6. Use the command nsnas vlan <1-4094> to set the secure network access vlan ID.
Related Links
Configuring system security on page 202
Description
asccfg
serial
telnet
Procedure
1. Enter Privileged mode of the CLI.
2. Enter Configuration mode by entering the config command.
3. Use the command audit log save enable to enable audit log save settings.
Related Links
Configuring system security on page 202
Description
[no] ssl
file. On deletion, the certificate in NVRAM is also deleted. The
current SSL server operation is not affected by the create or
delete operation.
ssl reset
show ssl
The following table describes the output for the show ssl command.
Table 73: Server state information
Field
Description
Description
download-auth-key
global
session
The show ssh global command is executed in the Privileged EXEC command mode.
Related Links
Configuring Secure Shell protocol using CLI on page 238
Description
address
key-name
usb
Related Links
Configuring Secure Shell protocol using CLI on page 238
ssh command
The ssh command enables SSH in a non-secure mode. If the host keys do not exist, they are
generated.
The syntax for the ssh command is:
ssh
The ssh command is executed in the Global Configuration mode.
This command has no parameters.
Related Links
Configuring Secure Shell protocol using CLI on page 238
no ssh command
The no ssh command disables SSH.
The syntax for the no ssh command is:
no ssh {dsa-auth|dsa-auth-key|dsa-host-key|pass-auth}
The following table describes the parameters for this command.
Table 76: no ssh command parameters
Parameter
Description
dsa-auth
dsa-auth-key
dsa-host-key
pass-auth
Related Links
Configuring Secure Shell protocol using CLI on page 238
no ssh dsa-auth
The no ssh dsa-auth command disables user log on using DSA key authentication.
The syntax for the no ssh dsa-auth command is:
no ssh dsa-auth
The no ssh dsa-auth command is executed in the Global Configuration mode.
Related Links
Configuring Secure Shell protocol using CLI on page 238
Procedure
To display VLAN information, use the command show vlan in the Privileged EXEC mode.
CLI reference:
WCP8180#show vlan ?
configcontrol  Display
dhcp-relay     Display
id             Display
igmp           Display
interface      Display
ip             Display
mgmt           Display
multicast      Display
summary        Display
type           Display
<cr>
Variable definitions
The following table describes the variables for this command.
Variable
Value
vid <1-4094>
type
protocol-ipEther2
protocol-ipx802.3
protocol-ipx802.2
protocol-ipxSnap
protocol-ipxEther2
protocol-decEther2
protocol-snaEther2
protocol-Netbios
protocol-xnsEther2
protocol-vinesEther2
protocol-ipv6Ether2
protocol-Userdef
protocol-RarpEther2
Related Links
Configuring VLANs using CLI on page 244
Procedure
To display VLAN interface information, use the following command from Privileged EXEC
mode.
show vlan interface info [<portlist>]
Procedure
To display VLAN port memberships, use the following command from Privileged EXEC
mode.
Procedure
To set the management VLAN, use the following command from Global Configuration mode.
vlan mgmt <1-4094>
Procedure
To reset the management VLAN to default, use the following command from Global
Configuration mode.
default vlan mgmt
Creating a VLAN
About this task
Use the following procedure to create a VLAN. A VLAN is created by setting the state of a
previously nonexistent VLAN.
Procedure
To create a VLAN, use the following command from Global Configuration mode.
vlan create <1-4094> [name <line>] type {port | protocol-ipEther2 |
protocol-ipx802.3 | protocol-ipx802.2 | protocol-ipxSnap | protocol-ipxEther2 | protocol-decEther2 | protocol-snaEther2 | protocol-Netbios |
protocol-xnsEther2 | protocol-vinesEther2 | protocol-ipv6Ether2 | protocol-Userdef <4096-65534> | protocol-RarpEther2}
Variable definitions
Variable
Value
<1-4094>
name <line>
type
protocol-ipEther2
protocol-ipx802.3
protocol-ipx802.2
protocol-ipxSnap
protocol-ipxEther2
protocol-decEther2
protocol-snaEther2
protocol-Netbios
protocol-xnsEther2
protocol-vinesEther2
protocol-Userdef <4096-65534>
protocol-ipv6Ether2
Related Links
Configuring VLANs using CLI on page 244
Deleting a VLAN
About this task
Use the following procedure to delete a VLAN.
Procedure
To delete a VLAN, use the following command from Global Configuration mode.
vlan delete <2-4094>
Procedure
To modify VLAN MAC address flooding, or to delete a VLAN, use the following command
from Global Configuration mode.
no vlan [<2-4094>] [igmp unknown-mcast-allow-flood <H.H.H>]
Procedure
To configure the VLAN name, use the following command from Global Configuration mode.
vlan name <1-4094> <line>
Procedure
To enable automatic PVID, use the following command from Global Configuration mode.
[no] auto-pvid
Use the no form of this command to disable.
Procedure
To configure VLAN port settings, use the following command from Global Configuration
mode.
vlan ports [<portlist>] [tagging {enable | disable | tagAll |
untagAll | tagPvidOnly | untagPvidOnly}] [pvid <1-4094>] [filter-untagged-frame {enable | disable}] [filter-unregistered-frames
{enable | disable}] [priority <0-7>] [name <line>]
Variable Definitions
Variable
Value
<portlist>
tagging {enable|disable|tagAll|untagAll|
tagPvidOnly|untagPvidOnly}
pvid <1-4094>
filter-untagged-frame {enable|disable}
filter-unregistered-frames {enable |
disable}
priority <0-7>
name <line>
Procedure
To configure VLAN members, use the following command from Global Configuration mode.
vlan members [add | remove] <1-4094> <portlist>
Variable Definitions
Variable
Value
add | remove
<1-4094>
portlist
Procedure
To display VLAN Configuration Control settings, use the following command from Global
Configuration mode.
show vlan configcontrol
Modifying VLAN Configuration Control settings
Procedure
To modify VLAN Configuration Control settings, use the following command from Global
Configuration mode.
vlan configcontrol <vcc_option>
Variable Definitions
Variable
Value
<vcc_option>
This parameter denotes the VCC option to use on the switch. The
valid values are:
automatic -- Changes the VCC option to Automatic.
autopvid -- Changes the VCC option to AutoPVID.
flexible -- Changes the VCC option to Flexible.
strict -- Changes the VCC option to Strict. This is the default
VCC value.
Related Links
Configuring VLANs using CLI on page 244
Displaying MAC address forwarding table on page 252
Configuring MAC address retention on page 252
Setting MAC address retention time to default on page 253
Clearing the MAC address table on page 253
Clearing the MAC address table on a VLAN on page 253
Clearing the MAC address table on a FastEthernet interface on page 253
Clearing the MAC address table on a trunk on page 254
Displaying MAC address forwarding table
Procedure
To display the MAC address forwarding table, use the following command from Privileged
EXEC mode.
show mac-address-table [vid<1-4094>] [aging-time] [address<H.H.H>]
[port<portlist>]
Variable Definitions
Variable
Value
vid <1-4094>
Enter the number of the VLAN for which you want to display the
forwarding database. Default is to display the management
VLAN's database.
aging-time
address <H.H.H>
Procedure
To configure unseen MAC address retention, use the following command from Global
Configuration mode.
mac-address-table aging-time <10-1 000 000>
Variable Definitions
Variable
Value
Enter the aging time in seconds that you want for MAC
addresses before they expire.
Procedure
To set the MAC address retention time to default, use the following command from Global
Configuration mode.
default mac-address-table aging-time
Clearing the MAC address table
Procedure
To flush the MAC address table, use the following command from Privileged EXEC mode.
clear mac-address-table
Clearing the MAC address table on a VLAN
Procedure
To flush the MAC address table for a specific VLAN, use the following command from
Privileged EXEC mode.
clear mac-address-table interface vlan <vlan#>
Clearing the MAC address table on a FastEthernet interface
Procedure
To clear the MAC address table on a FastEthernet interface, use the following command
from Privileged EXEC mode.
clear mac-address-table interface FastEthernet <port-list|ALL>
Procedure
To flush a single MAC address, use the following command from Privileged EXEC mode.
clear mac-address-table address <H.H.H>
IP Directed Broadcasting
About this task
IP directed broadcasting takes the incoming unicast Ethernet frame, determines that the destination
address is the directed broadcast for one of its interfaces, and then forwards the datagram onto the
appropriate network using a link-layer broadcast.
IP directed broadcasting in a VLAN forwards direct broadcast packets in two ways:
Through a connected VLAN subnet to another connected VLAN subnet.
Through a remote VLAN subnet to the connected VLAN subnet.
By default, this feature is disabled.
Use the following command to configure IP directed broadcasting using the CLI.
Related Links
Configuring VLANs using CLI on page 244
Enabling IP directed broadcast on page 254
Enabling IP directed broadcast
Procedure
To enable IP directed broadcast, use the following command from Global Configuration
mode.
[no] ip directed-broadcast enable
Use the no form of this command to disable.
Procedure
To set the STP mode, use the following command from Global Configuration mode.
spanning-tree op-mode {stpg | rstp }
Procedure
1. To enable STP BPDU filtering, use the following command from Interface Configuration
mode.
[no] spanning-tree bpdu-filtering [port<portlist>] [enable] [timeout
<10-65535> | 0>]
Use the no form of this command to disable.
2. To set the STP BPDU Filtering properties on a port to their default values, use the following
command from the Interface Configuration command mode:
default spanning-tree bpdu-filtering [port<portlist>] [enable]
[timeout]
3. To show the current status of the BPDU Filtering parameters, use the following command
from the Privileged EXEC mode:
show spanning-tree bpdu-filtering [<interface-type>]
[port<portlist>]
Variable Definitions
Variable
Value
port <portlist>
enable
Procedure
To configure path cost calculation mode, use the following command from Privileged EXEC
mode.
spanning-tree cost-calc-mode {dot1d | dot1t}
Configuring STG port membership mode
Procedure
To configure STG port membership mode, use the following command from Privileged EXEC
mode.
spanning-tree port-mode {auto | normal}
Displaying STP configuration information
Procedure
To display STP configuration information, use the following command from Privileged EXEC
mode.
show spanning-tree [stp <1-8>] {config | port| port-mode | vlans}
Variable Definitions
Variable
Value
stp <1-8>
Procedure
To create a Spanning Tree Group, use the following command from Global Configuration
mode.
spanning-tree stp <1-8> create
Deleting a Spanning Tree Group
Procedure
To delete a Spanning Tree Group, use the following command from Global Configuration
mode.
spanning-tree stp <1-8> delete
Enabling a Spanning Tree Group
Procedure
To enable a Spanning Tree Group, use the following command from Global Configuration
mode.
spanning-tree stg <1-8> enable
Disabling a Spanning Tree Group
Procedure
To disable a Spanning Tree Group, use the following command from Global Configuration
mode.
spanning-tree stp <1-8> disable
Configuring STP values
Procedure
To configure STP values, use the following command from Global Configuration mode.
spanning-tree [stp <1-8>] [forward-time <4-30>] [hello-time <1-10>]
[max-age <6-40>] [priority {0*0000 | 0*1000| 0*2000 | 0*3000 | ... |
0*E000 | 0*F000}] [tagged-bpdu {enable | disable}] [tagged-bpdu-vid
<1-4094>] [multicast-address <H.H.H>] [add-vlan] [remove-vlan]
Variable Definitions
Variable
Value
stp <1-8>
forward-time <4-30>
hello-time <1-10>
max-age <6-40>
tagged-bpdu-vid <1-4094>
multicast-address <H.H.H>
add-vlan
remove-vlan
Procedure
To restore Spanning Tree values to default, use the following command from Global
Configuration mode.
default spanning-tree [stp <1-8>] [forward-time] [hello-time] [max-age] [priority] [tagged-bpdu] [multicast address]
Variable Definitions
Variable
Value
stp <1-8>
forward-time
hello-time
max-age
priority
tagged-bpdu
multicast address
Procedure
To add a VLAN to a STG, use the following command from Global Configuration mode.
spanning-tree [stp <1-8>] add-vlan <1-4094>
Removing a VLAN from a STG
Procedure
To remove a VLAN from a STG, use the following command from Global Configuration
mode.
spanning-tree [stp <1-8>] remove-vlan <1-4094>
Configuring STP and MSTG participation
Procedure
To configure STP and MSTG participation, use the following command from Interface
Configuration mode.
[no] spanning-tree [port <portlist>] [stp <1-8>] [learning {disable
| normal | fast}] [cost <1-65535>] [priority]
Use the no form of this command to disable.
Variable Definitions
Variable
Value
port <portlist>
stp <1-8>
learning {disable|normal|fast}
fast -- enables FastLearn mode
cost <1-65535>
priority
Procedure
To reset Spanning Tree values to default, use the following command from Interface
Configuration mode.
default spanning-tree [port <portlist>] [stp <1-8>] [learning]
[cost] [priority]
Variable Definitions
Variable
Value
port <portlist>
stp <1-8>
learning
cost
priority
Procedure
To configure RSTP parameters, use the following command from Global Configuration
mode.
spanning-tree rstp [forward-time <4-30>] [hello-time <1-10>] [max-age <6-40>] [pathcost-type {bits16 | bits32}] [priority {0000|1000|
2000| ...| F000}] [tx-holdcount <1-10>] [version {stp-compatible |
rstp}]
Variable Definitions
Variable
Value
forward-time <4-30>
hello-time <1-10>
max-age <6-40>
tx-holdcount <1-10>
Procedure
To display RSTP port configuration, use the following command from Privileged EXEC
mode.
show spanning-tree rstp port {config | status | statistics | role}
[<portlist>]
Variable Definitions
Variable
Value
config
status
statistics
role
Procedure
To configure RSTP on a port, use the following command from Interface Configuration
mode.
spanning-tree rstp [port <portlist>] [cost <1-200000000>] [edge-port
{false | true}] [learning {disable | enable}] [p2p {auto | force-false | force-true}] [priority {00 | 10 | ... | F0}] [protocol-migration {false | true}]
Variable Definitions
Variable
Value
port <portlist>
cost <1-200000000>
Procedure
To display RSTP configuration details, use the following command from Privileged EXEC
mode.
show spanning-tree rstp {config | status | statistics}
Variable Definitions
Variable
Value
config
status
statistics
Procedure
To display MLT configuration and utilization, use the following command from Privileged
EXEC mode.
show mlt [utilization <1-32>]
Procedure
To configure a Multi-Link trunk, use the following command from Global Configuration mode.
mlt <id> [name <trunkname>] [enable | disable] [member <portlist>]
[learning {disable | fast | normal}] [bpdu {all-ports | single-port}] loadbalance {basic | advance}
Variable Definitions
Variable
Value
id
name <trunkname>
enable | disable
member <portlist>
Disabling a MLT
About this task
Use the following procedure to disable a Multi-Link trunk (MLT), clearing all the port members.
Procedure
To disable a MLT, use the following command from Global Configuration mode.
no mlt [<id>]
Procedure
To display MLT properties, use the following command from Global Configuration mode.
show mlt spanning-tree <1-32>
Procedure
To configure STP participation for MLTs, use the following command from Global
Configuration mode.
mlt spanning-tree <1-32> [stp <1-8>, ALL>] [learning {disable |
normal | fast}]
Variable Definitions
Variable
Value
<1-32>
stp <1-8>
Procedure
To display the port mode, use the following command from Privileged EXEC mode.
show lacp port-mode
Displaying LACP system settings
Procedure
To display system settings, use the following command from Privileged EXEC mode.
show lacp system
Displaying LACP per port configuration
Procedure
To display per port configuration, use the following command from Privileged EXEC mode.
show lacp port [<portList> | aggr <1-65535>]
Variable Definitions
Variable
Value
<portList>
aggr <1-65535>
Procedure
To display port statistics, use the following command from Privileged EXEC mode.
show lacp stats [<portList> | aggr <1-65535>]
Variable Definitions
Variable
Value
<portList>
aggr <1-65535>
Procedure
To clear statistics, use the following command from Interface Configuration mode.
lacp clear-stats <portList>
Displaying LACP port debug information
Procedure
To display port debug information, use the following command from Privileged EXEC mode.
show lacp debug member [<portList>]
Displaying LACP aggregators
Procedure
To display aggregators, use the following command from Privileged EXEC mode.
show lacp aggr <1-65535>
Configuring LACP system priority
Procedure
To configure system priority, use the following command from Global Configuration mode.
lacp system-priority <0-65535>
Enabling LACP port aggregation mode
Procedure
To enable the port aggregation mode, use the following command from Interface
Configuration mode.
[no] lacp aggregation [port <portList>] enable
Use the no form of the command to disable.
Configuring the LACP administrative key
Procedure
To set the administrative key, use the following command from Interface Configuration
mode.
lacp key [port <portList>] <1-4095>
Variable Definitions
Variable
Value
port <portList>
<1-4095>
Procedure
To configure the operating mode, use the following command from Interface Configuration
mode.
lacp mode [port <portList>] {active | passive | off}
Variable Definitions
Variable
Value
port <portList>
off -- The port does not participate in Link
Aggregation.
LACP requires at least one end of each link to be in
active mode.
Procedure
To configure priority, use the following command from Interface Configuration mode.
lacp priority [port <portList>] <0-65535>
Variable Definitions
Variable
Value
port <portList>
<0-65535>
Procedure
To configure the interval, use the following command from Interface Configuration mode.
lacp timeout-time [port <portList>] {long | short}
Variable Definitions
Variable
Value
port <portList>
{long | short}
Procedure
To configure the port mode, use the following command from Interface Configuration mode.
lacp port-mode {default | advance}
Variable Definitions
Variable
Value
default
advance
Procedure
To enable VLACP, use the following command from Global Configuration mode.
[no] vlacp enable
Use the no form of this command to disable.
Configuring VLACP port parameters
Procedure
To configure parameters, use the following command from Interface Configuration mode.
[no] vlacp port <port> [enable | disable] [timeout <long/short>]
[fast-periodic-time <integer>] [slow-periodic-time <integer>]
[timeout-scale <integer>] [funcmac-addr <mac>] [ethertype <hex>]
Use the no form of this command to remove parameters.
Variable Definitions
Variable
Value
<port>
enable|disable
timeout <long/short>
fast-periodic-time <integer>
slow-periodic-time <integer>
timeout-scale <integer>
funcmac-addr <mac>
Note: VLACP has only one multicast MAC address,
configured using the vlacp macaddress command,
which is the Layer 2 destination address used for the
VLACPDUs.
The port-specific funcmac-addr parameter does not
specify a multicast MAC address, but instead
specifies the MAC address of the switch to which this
port is sending VLACPDUs.
You are not always required to configure funcmac-addr. If not configured, the first VLACP-enabled
switch that receives the PDUs from a unit assumes
that it is the intended recipient and processes the
PDUs accordingly.
If you want an intermediate switch to drop VLACP
packets, configure the funcmac-addr parameter to
the desired destination MAC address. With funcmac-addr configured, the intermediate switches do not
misinterpret the VLACP packets.
ethertype <hex>
Procedure
To configure the multicast MAC address, use the following command from Global
Configuration mode.
[no] vlacp macaddress <macaddress>
Use the no form of this command to delete the address.
Displaying VLACP status
Procedure
To display VLACP status, use the following command from Privileged EXEC mode.
show vlacp
Procedure
To display port configuration, use the following command from Privileged EXEC mode.
show vlacp interface <slot/port>
where <slot/port> specifies a port or list of ports.
Among other properties, the show vlacp interface command displays a column called
HAVE PARTNER, with possible values of yes or no.
If HAVE PARTNER is yes when ADMIN ENABLED and OPER ENABLED are true, then that
port has received VLACPDUs from a port and those PDUs were recognized as valid
according to the interface settings.
If HAVE PARTNER is no, when ADMIN ENABLED is true and OPER ENABLED is FALSE,
then the partner for that port is down (that port received at least one correct VLACPDU, but
did not receive additional VLACPDUs within the configured timeout period). In this case
VLACP blocks the port. This scenario is also seen if only one unit has VLACP enabled and
the other has not enabled VLACP.
The show vlacp interface command is in the privExec command mode.
Note: If VLACP is enabled on an interface, the interface will not forward traffic unless it has a
valid VLACP partner. If one partner has VLACP enabled and the other is not enabled, the
unit with VLACP enabled will not forward traffic; however, the unit with VLACP disabled will
continue to forward traffic.
Configuring IP routing
Related Links
ACLI reference for wired networks on page 153
IP routing configuration using CLI on page 274
Static route configuration using CLI on page 279
DHCP relay configuration using CLI on page 282
Directed broadcasts configuration using CLI on page 287
Static ARP and Proxy ARP configuration using CLI on page 288
IGMP snooping configuration using the CLI on page 292
The WC 8180 can function as a Layer 3 (L3) switch. This means that a regular Layer 2 VLAN
becomes a routable L3 VLAN if an IP address and MAC address are attached to the VLAN. When
routing is enabled in L3 mode, every L3 VLAN is capable of routing as well as carrying the
management traffic. You can use any L3 VLAN instead of the Management VLAN to manage the
switch.
The following sections describe the procedures you can use to configure routable VLANs using the
CLI.
Related Links
Configuring IP routing
IP routing configuration procedures
IP routing configuration navigation
Configuring global IP routing status
Displaying global IP routing status
Configuring an IP address for a VLAN
Configuring IP routing status on a VLAN
Displaying the IP address configuration and routing status for a VLAN
Displaying IP routes
Performing a traceroute
Procedure
1. Enable IP routing globally.
2. Assign an IP address to a specific VLAN or brouter port.
Routing is automatically enabled on the VLAN or brouter port when you assign an IP
address to it.
Procedure
To configure the status of IP routing on the switch, enter the following from the Global
Configuration mode:
[no] ip routing
Variable Definitions
Variable
Value
no
Procedure
To display the status of IP routing on the switch, enter the following from the User EXEC
mode:
show ip routing
Procedure
To configure an IP address on a VLAN, enter the following from the VLAN Interface
Configuration mode:
[no] ip address <ipaddr> <mask> [<MAC-offset>]
Variable Definitions
Variable
Value
[no]
<ipaddr>
<mask>
[<MAC-offset>]
1 for the Management VLAN only. If no MAC offset is
specified, the switch applies one automatically.
Procedure
To configure the status of IP routing on a VLAN, enter the following from the VLAN Interface
Configuration mode:
[default] [no] ip routing
Variable Definitions
Variable
Value
default
no
Procedure
To display the IP address configuration on a VLAN, enter the following from the VLAN
Privileged Exec mode:
show vlan ip [vid <vid>]
Variable Definitions
Variable
Value
[vid <vid>]
Job aid
The following table shows the field descriptions for the show vlan ip command.
Field
Description
Vid
ifindex
Address
Mask
MacAddress
Offset
Routing
Displaying IP routes
About this task
Use this procedure to display all active routes in the routing table.
Route entries appear in ascending order of the destination IP addresses.
Procedure
To display all active routes in the routing table, enter the following from the User EXEC
command mode:
show ip route [<dest-ip>] [-s <subnet><mask>] [summary]
Variable Definitions
Variable
Value
[<dest-ip>]
[-s <subnet><mask>]
[summary]
Performing a traceroute
About this task
Use this procedure to display the route taken by IP packets to a specified host.
Procedure
1. To perform a traceroute, enter the following from the Global Configuration mode:
traceroute <Hostname|A.B.C.D.> <-m> <-p> <-q> <-v> <-w> <1-1464>
2. Type CTRL+C to interrupt the command.
Variable Definitions
Variable
Value
Hostname
A.B.C.D
-m
Specifies the maximum time to live (ttl). The value for this
parameter is in the range from 1-255. The default value is 10.
Example: traceroute 10.3.2.134 -m 10
-p
Specifies the base UDP port number. The value for this
parameter is in the range from 0-65535. Example: traceroute
1.2.3.4 -p 87
-q
Specifies the number of probes per time to live. The value for
this parameter is in the range from 1-255. The default value
is 3. Example: traceroute 10.3.2.134 -q 3
-v
-w
Specifies the wait time per probe. The value for this
parameter is in the range from 1-255. The default value is 5
seconds. Example: traceroute 10.3.2.134 -w 15
<1-1464>
Specifies the UDP probe packet size. TIP: probe packet size
is 40 plus specified data length in bytes. Example: traceroute
10.3.2.134 -w 60
Procedure
To configure a static route, enter the following from the Global Configuration command
mode:
[no] ip route <dest-ip> <mask> <next-hop> [<cost>] [disable]
[enable] [weight<cost>]
Variable Definitions
Variable
Value
[no]
<dest-ip>
Specifies the destination IP address for the route being added. 0.0.0.0 is
considered the default route.
<mask>
Specifies the destination subnet mask for the route being added.
<next-hop>
Specifies the next hop IP address for the route being added.
[<cost>]
[disable]
[enable]
[weight<cost>]
Procedure
1. To display a static route, enter the following command from the User EXEC mode:
show ip route static
2. To display an IP route, enter the following commands from the User EXEC command mode:
show ip route [-s <subnet IP Address> <mask>]
show ip route <Subnet IP Address> -s [<subnet IP Address> <mask>]
Example
WCP8180#show ip route static
===============================================================================
Ip Static Route
===============================================================================
DEST            MASK            NEXT            COST PREF LCLNHOP STATUS ENABLE
------------------------------------------------------------------------------
0.0.0.0         0.0.0.0         192.171.0.55    1    5    TRUE    ACTIVE TRUE
Total Routes: 1
WCP8180#show ip route
===============================================================================
Ip Route
===============================================================================
DST             MASK            NEXT            COST VLAN PORT PROT TYPE PRF
------------------------------------------------------------------------------
0.0.0.0         0.0.0.0         192.171.0.55    1    171  2    S    IB   5
10.1.21.0       255.255.255.0   10.1.21.2       1    70   ---- C    DB   0
192.168.9.0     255.255.255.0   192.168.9.2     1    20   ---- C    DB   0
192.168.10.0    255.255.255.0   192.168.10.2    1    30   ---- C    DB   0
192.171.0.0     255.255.0.0     192.171.0.56    1    171  ---- C    DB   0
Total Routes: 5
------------------------------------------------------------------------------
TYPE Legend:
I=Indirect Route, D=Direct Route, A=Alternative Route, B=Best Route, E=Ecmp Route, U=Unresolved Route, N=Not in HW
Variable definitions
Variable
Value
<dest-ip>
[-s<subnet><mask>]
Job aid
The following table shows the field descriptions for the show ip route static command.
Field
Description
DEST
MASK
NEXT
COST
PREF
LCLNHOP
STATUS
ENABLE
The following table shows the field descriptions for the show ip route command.
Field
Description
DST
MASK
NEXT
COST
VLAN
PORT
PROT
Specifies the routing protocols. For static routes, options are LOC
(local route) or STAT (static route).
TYPE
PRF
Prerequisites
Enable IP routing globally
Enable IP routing and configure an IP address on the management VLAN interface.
Procedure
To configure a static management route, enter the following from the Global Configuration
command mode:
[no] ip mgmt route <dest-ip> <mask> <next-hop>
Variable Definitions
Variable
Value
[no]
<dest-ip>
<mask>
Specifies the destination subnet mask for the route being added.
<next-hop>
Specifies the next hop IP address for the route being added.
Procedure
To display the static routes configured for the management VLAN, enter the following from
the User EXEC mode:
show ip mgmt route
Job aid
The following table shows the field descriptions for the show ip mgmt route
command.
Field
Description
Destination IP
Subnet Mask
Gateway IP
Status
Enable IP routing and configure an IP address on the VLAN to be set as the DHCP relay
agent.
Ensure that a route to the destination DHCP server is available on the switch.
Procedure
1. Ensure that DHCP relay is enabled globally. (DHCP relay is enabled by default.)
2. Configure the DHCP relay forwarding path, specifying the VLAN IP as the DHCP relay agent
and the remote DHCP server as the destination.
3. Enable DHCP for the specific VLAN.
Procedure
To configure the global DHCP relay status, enter the following from the Global Configuration
mode:
[no] ip dhcp-relay
Variable Definitions
Variable
Value
[no]
Procedure
To display the global DHCP relay status, enter the following from the User EXEC command
mode:
show ip dhcp-relay
Example
WCP8180#show ip dhcp-relay
DHCP relay is enabled
DHCP relay option82 is disabled
DHCP relay max-frame is 0
Procedure
To configure a VLAN as a DHCP relay agent, enter the following from the Global
Configuration mode:
[no] ip dhcp-relay fwd-path <relay-agent-ip> <DHCP-server> [enable]
[disable] [mode {bootp | bootp-dhcp | dhcp}]
Variable Definitions
Variable
Value
[no]
<relay-agent-ip>
<DHCP-server>
[enable]
[disable]
Procedure
To display the DHCP relay configuration, enter the following from the User EXEC command
mode:
show ip dhcp-relay fwd-path
Job aid
The following table shows the field descriptions for the show ip dhcp-relay fwd-path
command.
Field
Description
INTERFACE
SERVER
ENABLE
MODE
Procedure
To configure DHCP relay on a VLAN, enter the following from the VLAN Interface
Configuration mode:
[no] ip dhcp-relay [broadcast] [min-sec <min-sec>] [mode {bootp |
dhcp | bootp_dhcp}]
Variable Definitions
Variable
Value
[no]
[broadcast]
min-sec <min-sec>
Procedure
To display the DHCP relay VLAN parameters, enter the following from the Privileged EXEC
command mode:
show vlan dhcp-relay [<vid>]
Variable definitions
Variable
Value
[<vid>]
Job aid
The following table shows the field descriptions for the show ip dhcp-relay command.
Field
Description
IfIndex
MIN_SEC
ENABLED
MODE
ALWAYS_BROADCAST
OPTION_82
Procedure
To display the DHCP relay counters, enter the following from the User EXEC command
mode:
show ip dhcp-relay counters
Job aid
The following table shows the field descriptions for the show ip dhcp-relay counters
command.
Field
Description
INTERFACE
REQUESTS
REPLIES
Procedure
To clear the DHCP relay counters, enter the following from the VLAN Interface Configuration
command mode:
ip dhcp-relay clear-counters
Related Links
Configuring IP routing
Configuring directed broadcasts
Displaying the directed broadcast configuration
Procedure
To enable directed broadcasts, enter the following from the Global Configuration mode:
ip directed-broadcast enable
Procedure
To display directed broadcast status, enter the following from the User EXEC mode:
show ip directed-broadcast
Procedure
To configure a static ARP entry, enter the following from the Global Configuration mode:
[no] ip arp <A.B.C.D> <aa:bb:cc:dd:ee:ff> <port> [vid <1-4094>]
Variable Definitions
Variable
Value
[no]
<A.B.C.D>
<aa:bb:cc:dd:ee:ff>
<port>
vid <1-4094>
Procedure
To display ARP entries, enter the following from the User Exec mode:
show arp-table
OR
Value
<ip-addr>
-s <subnet> <mask>
static
Job aid
The following table shows the field descriptions for the show ip arp command.
Field
Description
IP Address
Age (min)
MAC Address
VLAN-Unit/Port/Trunk
Flags
Procedure
To configure a global timeout for ARP entries, enter the following from the Global
Configuration mode:
ip arp timeout <timeout>
Variable Definitions
Variable
Value
<timeout>
Specifies the amount of time in minutes before an ARP entry ages out.
Range is 5-360. The default value is 360 minutes.
Procedure
To clear the ARP cache, enter the following from the Global Configuration mode:
clear arp-cache
Procedure
To configure proxy ARP status, enter the following from the VLAN Interface Configuration
mode:
[default] [no] ip arp-proxy enable
Variable Definitions
Variable
Value
default
no
Procedure
To display proxy ARP status for a VLAN, enter the following from the User EXEC mode:
show ip arp-proxy interface [vlan<vid>]
Variable Definitions
Variable
Value
<vid>
Job aid
The following table shows the field descriptions for the show ip arp-proxy interfaces
command.
Field
Description
Vlan
Identifies a VLAN.
Procedure
To enable IGMP snooping, enter the following from the VLAN Interface Configuration
command mode:
[default] [no] ip igmp snooping
OR
Enter the following from the Global Configuration command mode:
[default] vlan igmp <vid> [snooping {enable | disable}]
Variable Definitions
Variable
Value
default
no
enable
disable
Procedure
To enable IGMP send query, enter the following command from the VLAN Interface
Configuration mode:
ip igmp send-query
Procedure
To enable IGMP proxy, enter the following from the VLAN Interface Configuration mode:
[default] [no] ip igmp proxy
OR
Enter the following from the Global Configuration command mode:
[default] [no] vlan igmp <vid> [proxy {enable | disable}]
Variable Definitions
Variable
Value
default
no
<vid>
enable
disable
Procedure
To configure the IGMP version, enter the following from the VLAN Interface Configuration
mode:
[default] ip igmp version <1-3>
Variable Definitions
Variable
Value
default
<1-3>
Procedure
To configure static mrouter ports on a VLAN (IGMPv1, IGMPv2, and IGMPv3 according to
the supported version on the VLAN), enter the following from the VLAN Interface
Configuration mode:
[default] [no] ip igmp mrouter <portlist>
OR
To configure IGMPv1 or IGMPv2 static mrouter ports, enter the following from the Global
Configuration command mode:
[no] vlan igmp <vid> {v1-members | v2-members} [add | remove]
<portlist>
Variable Definitions
Variable
Value
default
no
<portlist>
{v1-members | v2-members}
[add | remove]
Procedure
To display IGMP snoop information, enter:
Value
Vlan
Snoop Enable
Displays all dynamic (querier port) and static mrouter ports that are
active on the interface.
Specifies the time remaining before the multicast router is aged out
on this interface. If the switch does not receive queries before this
time expires, it flushes out all group memberships known to the
VLAN. The Query Max Response Interval (obtained from the queries
received) is used as the timer resolution.
Procedure
To configure IGMP parameters, enter the following from the VLAN Interface Configuration
mode:
[default] ip igmp [last-member-query-interval<last-mbr-query-int>]
[query-interval<query-int>] [query-max-response<query-max-resp>]
[robust-value<robust-val>] [version<1-3>]
OR
Enter the following from the Global Configuration command mode:
[default] vlan igmp <vid> [query-interval<query-int>] [robust-value<robust-val>]
Variable Definitions
Variable
Value
default
<last-mbr-query-int>
Sets the maximum response time (in 1/10 seconds) that is inserted
into group-specific queries sent in response to leave group
messages. This parameter is also the time between group-specific
query messages. This value is not configurable for IGMPv1.
Decreasing the value reduces the time to detect the loss of the last
member of a group.
The range is from 0-255, and the default is 10 (1 second). Avaya
recommends configuring this parameter to values higher than 3. If
a fast leave process is not required, Avaya recommends values
above 10. (The value 3 is equal to 0.3 of a second, and 10 is equal
to 1.0 second.)
<query-int>
Sets the frequency (in seconds) at which host query packets are
transmitted on the VLAN.
The range is 1-65535. The default value is 125 seconds.
<query-max-resp>
<robust-val>
Procedure
To configure the router alert option on a VLAN, enter the following from the VLAN Interface
Configuration mode:
[default] [no] ip igmp router-alert
Variable Definitions
Variable
Value
default
no
Procedure
To display the IGMP interface information, enter:
show ip igmp interface vlan <Vlan ID>
OR
Enter:
show vlan igmp <Vlan ID>
Job aid
The following table shows the field descriptions for the show ip igmp interface command.
Field
Description
VLAN
Query Intvl
Specifies the frequency (in seconds) at which host query packets are
transmitted on the interface.
Vers
Oper Vers
Querier
Query MaxRsp T
Wrong Query
Joins
Robust
Specifies the robust value configured for expected packet loss on the
interface.
LastMbr Query
the last member of a group. This does not apply if the interface is
configured for IGMPv1.
Send Query
The following table shows the field descriptions for the show vlan igmp <Vlan Id> command.
Field
Description
VLAN ID
Snooping
Proxy
Robust Value
Query Time
Procedure
To display IGMP group information, enter:
show ip igmp group [count] [group <A.B.C.D>] [member-subnet<A.B.C.D>/<0-32>]
OR
Enter:
show vlan multicast membership <Vlan ID>
Variable Definitions
Variable
Value
count
group <A.B.C.D>
member-subnet <A.B.C.D>/<0-32>
Job aid
The following table shows the field descriptions for the show ip igmp group command.
Field
Description
Group Address
VLAN
Member Address
Expiration
Indicates the time left before the group report expires. This variable is
updated upon receiving a group report.
Type
In Port
Identifies the member port for the group. This is the port on which
group traffic is forwarded and, in those cases where the type is
dynamic, it is the port on which the IGMP join was received.
The following table shows the field descriptions for the show vlan multicast membership
command.
Field
Description
In Port
Procedure
To configure unknown multicast packet flooding, enter the following from the Global
Configuration mode:
[no] [default] vlan igmp <vid> unknown-mcast-no-flood {enable |
disable}
Variable Definitions
Variable
Value
no
default
enable
disable
Procedure
To display the unknown multicast flooding configuration, enter:
show vlan igmp unknown-mcast-no-flood
Job aid
The following table shows the field descriptions for the show vlan igmp unknown-mcast-no-flood command.
Field
Description
Procedure
To allow particular unknown multicast packets to be flooded, enter the following from the
Global Configuration mode:
vlan igmp unknown-mcast-allow-flood {<H.H.H> | <mcast_ip_address>}
Variable Definitions
Variable
Value
<H.H.H>
<mcast_ip_address>
Procedure
To display the multicast MAC addresses for which flooding is allowed, enter:
show vlan igmp unknown-mcast-allow-flood
Job aid
The following table shows the field descriptions for the show vlan igmp unknown-mcast-allow-flood command.
Field
Description
Procedure
To display the IGMP cache information, enter:
show ip igmp cache
Job aid
The following table shows the field descriptions for the show ip igmp cache command.
Field
Description
Group Address
Vlan ID
Last Reporter
Expiration
V1 Host Timer
Type
Procedure
To flush the router table, enter the following from the Global Configuration mode:
ip igmp flush vlan <vid> {grp-member|mrouter}
Variable Definitions
Variable
Value
{grp-member|mrouter}
Procedure
1. In the Global Configuration mode, enter the command ip igmp profile <profile
number (1-65535)>.
2. Configure the IGMP filter profile address range. Enter the command range <starting ip
address of range><ending ip address of range>.
Procedure
To delete an IGMP profile enter the following command from Global Configuration mode:
no ip igmp profile <profile number (1-65535)>
Procedure
1. From Global Configuration mode enter the interface <interface-id> command.
2. Enter the ip igmp filter <profile number> command.
Procedure
1. From Global Configuration mode enter the interface <interface-id> command.
2. Enter the no ip igmp filter <profile number> command.
Procedure
To display an IGMP profile enter the following command from Global Configuration mode:
show ip igmp profile <cr> or <profile number>
Job aid
The following table shows the field descriptions for the show ip igmp profile command.
Field
Description
Profile
Type
Range Start
Range End
Port List
Matched Grps
Procedure
Assign ports to an access list by using the following command in Global Configuration mode.
qos acl-assign port <port_list> acl-type {ip | l2} name <name>
Variable Definitions
Variable
Value
port <port_list>
name <name>
Specifies the name of the access list to be used. Access lists must be
configured before ports can be assigned to them.
Procedure
Remove an access list assignment by using the following command from Global
Configuration mode.
no qos acl-assign <aclassignid>
Procedure
Create an access list by using the following procedure from Global Configuration mode.
qos ip-acl name <name> [addr-type <addrtype>] [src-ip <source_ip>]
[dst-ip <destination_ip>] [ds-field <dscp>] [{protocol
<protocol_type> | next_header <header>}] [src-port-min <port> src-port-max <port>]
[dst-port-min <port> dst-port-max <port>] [flow-id
<flowid>] [drop-action {drop | pass}] [update-dscp <0 - 63>]
[update-1p <0 - 7>] [set-drop-prec {high drop | low drop}] [block
<block_name>]
Variable Definitions
Variable
Value
name <name>
addr-type <addrtype>
src-ip <source_ip>
dst-ip <destination_ip>
ds-field <dscp>
{protocol <protocol_type> |
next_header <header>}
Specifies the protocol type or IP header to use with this access list.
Specifies the minimum and maximum source ports to use with this access
list. Both values must be specified.
Specifies the minimum and maximum destination ports to use with the
access list. Both values must be specified.
flow-id <flowid>
block <block_name>
Procedure
Remove an access list by using the following command from Global Configuration mode.
no qos ip-acl <aclid>
Procedure
Create an access list by using the following command from Global Configuration mode.
qos l2-acl name <name> [src-mac <source_mac_address>] [src-mac-mask
<source_mac_address_mask>] [dst-mac <destination_mac_address>] [dst-mac-mask
<destination_mac_address_mask>] [vlan-min <vid_min> vlan-max <vid_max>]
[vlan-tag <vtag>] [ethertype <etype>] [priority
<ieee1p_seq>] [drop-action {drop | pass}] [update-dscp <0 - 63>]
[update-1p <0 - 7>] [set-drop-prec {high-drop | low-drop}] [block
<block_name>]
Note: Possible values for vlan-max are based on the binary value of vlan-min, and are
obtained by replacing consecutive trailing zeros in this binary value with ones, starting at the
right-most position. For example, if vlan-min = 200, then there are 4 possible values for vlan-max:
11001000 (200)
11001001 (201)
11001011 (203)
11001111 (207)
The value of vlan-max is vlan-min + 2^n - 1, where n is the number of consecutive trailing zeros replaced.
Variable Definitions
Variable
Value
name <name>
src-mac <source_mac_address>
Specifies the source MAC address to use for this access list.
src-mac-mask <source_mac_address_mask>
Specifies the source MAC address mask to use for this access list.
[dst-mac <destination_mac_address>]
Specifies the destination MAC address to use for this access list.
dst-mac-mask <destination_mac_address_mask>
Specifies the destination MAC address mask to use for this access list.
Specifies the minimum and maximum VLANs to use with this access list.
Both values must be specified.
vlan-tag <vtag>
ethertype <etype>
Specifies the Ethernet protocol type to use with the access list.
priority <ieee1p_seq>
block <block_name>
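The vlan-min/vlan-max rule from the qos l2-acl note above, as an added Python example (not Avaya code): it lists the vlan-max values the note allows for a given vlan-min, checks a pair before it is typed into an ACL, and goes one step beyond the note by splitting an arbitrary VLAN range into pairs that each satisfy the rule. The 1-4094 VLAN ID bounds are an assumption taken from the vid <1-4094> range used elsewhere in this guide, and all function names are illustrative.

```python
"""Added example: vlan-min / vlan-max pairs that satisfy the qos l2-acl note."""

# Assumption: usable VLAN IDs are 1-4094, the range shown for `vid <1-4094>`.
VLAN_ID_MIN = 1
VLAN_ID_MAX = 4094


def trailing_zeros(value):
    """Count the consecutive zero bits at the right-most end of value (> 0)."""
    return (value & -value).bit_length() - 1


def valid_vlan_max(vlan_min):
    """Return every vlan-max the note allows for vlan_min, in ascending order.

    Replacing n trailing zeros with ones gives vlan_min + 2**n - 1.
    n = 0 yields vlan_min itself, which matches a single VLAN.
    """
    if not VLAN_ID_MIN <= vlan_min <= VLAN_ID_MAX:
        raise ValueError(
            "vlan-min %r is outside %d-%d" % (vlan_min, VLAN_ID_MIN, VLAN_ID_MAX)
        )
    candidates = []
    for n in range(trailing_zeros(vlan_min) + 1):
        vlan_max = vlan_min + (1 << n) - 1
        if vlan_max > VLAN_ID_MAX:
            break  # larger n only moves further past the last usable VLAN ID
        candidates.append(vlan_max)
    return candidates


def is_valid_pair(vlan_min, vlan_max):
    """True when (vlan_min, vlan_max) follows the trailing-zeros rule."""
    if not VLAN_ID_MIN <= vlan_min <= VLAN_ID_MAX:
        return False
    return vlan_max in valid_vlan_max(vlan_min)


def cover_range(first, last):
    """Split first..last into (vlan-min, vlan-max) pairs that obey the rule.

    Greedy: at each step take the largest allowed block that starts at the
    current VLAN and does not run past `last`. Each pair corresponds to one
    access list element's vlan-min / vlan-max values.
    """
    if not VLAN_ID_MIN <= first <= last <= VLAN_ID_MAX:
        raise ValueError("range %r-%r is not a valid VLAN range" % (first, last))
    pairs = []
    current = first
    while current <= last:
        # valid_vlan_max() always contains `current`, so max() never sees
        # an empty sequence here.
        block_end = max(v for v in valid_vlan_max(current) if v <= last)
        pairs.append((current, block_end))
        current = block_end + 1
    return pairs


if __name__ == "__main__":
    # Reproduces the table in the note for vlan-min = 200.
    for vmax in valid_vlan_max(200):
        print(format(vmax, "08b"), "(%d)" % vmax)
    # A range that does not fit one pair needs several ACL elements.
    print(cover_range(200, 210))
```

A pair such as vlan-min 200 / vlan-max 205 fails `is_valid_pair`, which is the case worth catching before an ACL is written around it.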
Procedure
Remove an access list by using the following command from Global Configuration mode.
no qos l2-acl <aclid>
Procedure
Add and configure classifier entries by using the following command from Global
Configuration mode.
qos ip-element <cid> [addr-type <addrtype>] [ds-field <dscp>] [dst-ip <dst-ip-info>]
[dst-port-min <port>] [flow-id <flowid>] [ip-flag
<ip-flags>] [ipv4-options <no-opt | with-opt>] [next-header
<nextheader>] [session-id] [src-ip <src-ip-info>] [src-port-min
<port>] [tcp-control <tcp-flags>]
Variable Definitions
Variable
Value
<cid>
addr-type <addrtype>
ds-field <0-63>
dst-ip <dst-ip-info>
dst-port-min <port>
flow-id <flowid>
ip-flag <ip-flags>
with-opt: indicates that only IPv4 packets with options will
match this classifier element.
next-header
src-ip <src-ip-info>
session-id
src-port-min <port>
tcp-control <tcp-flags>
Procedure
View IP classifier element entries by using the following commands from the Privileged
EXEC Configuration mode.
show qos ip-element [<1-65535>] [all] [system] [user]
Variable definitions
Use the data in the following table to use the show qos ip-element command.
Variable
Description
<1-65535>
all
system
user
Procedure
Remove IP classifier entries by using the following command from Global Configuration
mode.
no qos ip-element <1-55000>
Procedure
Add Layer 2 elements by using the following command from the Global Configuration mode.
qos l2-element <1-55000> [dst-mac <dst-mac>] [dst-mac-mask <dst-mac-mask>]
[ethertype <etype>] [ivlan-min <vid-min>] [pkt-type <etherII
| llc | snap>] [priority <ieee1p-seq>] [session-id <session-id>]
[src-mac <src-mac>] [src-mac-mask <src-mac-mask>] [vlan-min <vid-min>] [vlan-tag <vtag>]
Variable Definitions
Variable
Value
<1-55000>
dst-mac <dst-mac>
dst-mac-mask <dst-mac-mask>
ethertype <etype>
ivlan-min <vid-min>
priority <ieee1p-seq>
session-id <session-id>
src-mac <src-mac>
src-mac-mask <src-mac-mask>
vlan-min <vid-min>
vlan-tag <format>
Procedure
View Layer 2 element entries by using the following commands from the Privileged EXEC
Configuration mode.
show qos l2-element [<1-65535>] [all] [system] [user]
Variable definitions
Use the data in the following table to use the show qos l2-element command.
Variable
Description
<1-65535>
all
system
user
Procedure
Delete element entries by using the following command from Global Configuration mode.
no qos l2-element <1-55000>
Procedure
Link elements by using the following command from Global Configuration mode.
Variable Definitions
Variable
Value
classifier <1-55000>
set-id <1-55000>
name <WORD>
element-id <1-55000>
Procedure
Delete classifier entries by using the following command from Global Configuration mode.
no qos classifier <1-55000>
Procedure
Combine individual classifiers by using the following command from Global Configuration
mode.
qos classifier-block <1-55000> block-number <1-55000> [name <WORD>]
{set-id <1-55000> | set-name <WORD>} [{in-profile-action <1-55000> |
in-profile-action-name <WORD>} | {meter <1-55000> | meter-name
<WORD>}]
Variable Definitions
Variable
Value
classifier-block<1-55000>
block-number <1-55000>
name <WORD>
set-id <1-55000>
set-name <WORD>
in-profile-action <1-55000>
in-profile-action-name <WORD>
Specifies the in-profile action name to be linked to the classifier block;
maximum is 16 alphanumeric characters.
meter <1-55000>
meter-name <WORD>
Procedure
Delete classifier block entries by using the following command from Global Configuration
mode.
no qos classifier-block <1-55000>
Procedure
Display QoS parameters by using the following command from Privileged EXEC mode.
show qos { acl-assign <1 - 65535> | action [user | system | all |
<1-65535>] | agent [details]| bpdu {blocker [port] } | capability
[meter|shaper] | classifier [user | system | all | <1-65535>] |
classifier-block [user | system | all |<1-65535> ] | dhcp {snooping
[port] | spoofing [port] } | diag [unit] | dos {nachia [port] |
sqlslam [port] | tcp-dnsport [port] | egressmap [ds| status]| if-action-extension
[user | system | all | <1-65535>] | if-assign
[port] | if-group | if-shaper [port] | ingressmap | ip-acl <1 - 65535>
| ip-element [user | system | all | <1-65535>] | l2-acl <1 - 65535>
| l2-element [user | system | all | <1-65535>] | meter [user
| system | all | <1-65535>] | nsna | policy [user | system | all |
<1-65535>] | queue-set | queue-set-assignment | statistics <1-65535>
| system-element [user | system | all |<1-65535>] | ubp | user-policy}
Variable Definitions
Variable
Value
action [<1-65535> | all | system | user]
Displays the base action entries. The applicable values are:
<1-65535>: displays a particular entry.
all: displays user-created, default, and system entries.
system: displays only system entries.
user: displays only user-created and default entries.
Default is all.
agent <details>
Displays the current QoS meter and shaper capabilities of each interface.
The applicable values are:
meter: displays QoS port meter capabilities.
shaper: displays QoS port shaper capabilities.
classifier-block [<1-65535> | all | system | user]
Displays the classifier block entries. The applicable values are:
<1-65535>: displays a particular entry.
all: displays all user-created, default, and system entries.
system: displays only system entries.
user: displays only user-created and default entries.
Default is all.
diag [unit]
egressmap
Displays the association between the DSCP and the 802.1p priority and
drop precedence.
filter-limiting
if-action-extension [<1-65535> |
all | system | user]
Displays the interface action extension entries. The applicable values are:
<1-65535>: displays a particular entry.
all: displays all user-created, default, and system entries.
system: displays only system entries.
user: displays only user-created and default entries.
Default is all.
if-assign [port]
if-group
if-queue-shaper
if-shaper [port]
ingressmap
Displays the Layer 2 classifier element entries. The applicable values are:
<1-65535>: displays a particular entry.
all: displays all user-created, default, and system entries.
system: displays only system entries.
user: displays only user-created and default entries.
Default is all.
port
queue-set
queue-set-assignment
statistics <1-65535>
Displays the system classifier element entries. The applicable values are:
<1-65535>: displays a particular entry.
all: displays all user-created, default, and system entries.
system: displays only system entries.
user: displays only user-created and default entries.
traffic-profile
ubp [classifier | interface | name]
Displays QoS UBP entries. The applicable values are:
classifier: displays QoS UBP classifier entries.
interface: displays QoS UBP interface entries.
name: specifies the label to display a particular UBP template entry.
user-policy
Procedure
Display QoS capability policy configuration by using the following command from Privileged
EXEC mode:
show qos capability {meter [port] | shaper [port]}
Variable Definitions
Variable
Value
meter [port]
shaper [port]
Procedure
1. Globally enable QoS Agent support using the following command:
qos agent oper-mode [enable]
OR
default qos agent [oper-mode]
2. Globally disable QoS Agent support using the following commands:
qos agent oper-mode [disable]
OR
no qos agent oper-mode [enable]
Variable Definitions
Variable
Value
enable
disable
Procedure
Configure the queue set by using the following command from Global Configuration mode.
default qos agent [aq-mode| buffer | dos-attack-prevention | nvram-delay | oper-mode | queue-set | statistics-tracking | ubp]
Variable definitions
Variable
Value
aq-mode
buffer
dos-attack-prevention
nvram-delay
oper-mode
queue-set
statistics-tracking
ubp
Procedure
Modify the configuration by using the following command from Global Configuration mode.
qos agent queue-set <1-8>
Procedure
Restore the default resource buffer by using the following command from Global
Configuration mode.
default qos agent buffer
Procedure
1. Modify resource buffer allocation by using the following command from Global Configuration
mode.
qos agent buffer <regular | large | loseless | maximum>
2. View the QoS resource buffer allocation by using the following command:
show qos agent details
Example
WCP8180(config)#show qos agent details
QoS
QoS
QoS
QoS
QoS
QoS
QoS
                                         Current    Maximum
                                                    Installed
                                         Instances  Instances
________________________________________ __________ __________
ntnQosPrcSupportTable                    28         0
ntnQosPolicyDeviceIdentTable             1          0
ntnQosInterfaceRoleTable                 4          100
ntnQosIfQueueTable                       252        0
ntnQosIfAssignmentTable                  31         512
ntnQosDscpToCosTable                     64         64
ntnQosCosToDscpTable                     8          8
ntnQosQsetPriAssignmentTable             448        8
ntnDsMultiFieldClfrTable                 0          200
ntnL2MultiFieldClfrTable                 2          200
ntnSystemClfrTable                       1          100
ntnClfrComponentTable                    2          400
ntnClfrBlockTable                        2          200
ntnQosIfcActionTable                     0          64
ntnQosBaseActionTable                    11         128
ntnQosTBParamTable                       0          4708
ntnQosMeterTable                         0          100
ntnQosCountActTable                      2          200
ntnQosFilterStatsTable                   0          0
ntnQosPolicyTable                        2          200
ntnQosIfShapingTable                     0          512
ntnQosDsAccessElemTable                  0          200
ntnQosL2AccessElemTable                  0          200
ntnQosAccessAsgnTable                    0          384
ntnQosIfAppsTable                        0          512
ntnQosUserPolicyTable                    0          1536
ntnQosDsL2AccessElemTable                0          200
ntnQosQueueShapingTable                  0          4096
Variable definitions
Variable
Value
buffer
Procedure
1. Configure priority values by using the following command from Global Configuration mode.
qos queue-set-assignment queue-set <1-56> 1p <0-7> queue <1-8>
2. View the priority values by using the following command:
show qos queue-set-assignment queue-set
Example
WCP8180(config)#show qos queue-set-assignment queue-set 1
Queue Set 1
802.1p Priority Queue
_______________ _____
0               1
1               1
2               1
3               1
4               1
5               1
6               1
7               1
Variable Definitions
Variable
Value
queue-set <1-56>
1p <0-7>
Specifies the 802.1p priority value for which the queue association is being
modified; value ranges from 0-7.
queue <1-8>
Specifies the queue within the identified queue set to assign the 802.1p
priority traffic at egress; value ranges from 1-8.
Procedure
Add ports by using the following command from Interface Configuration mode.
qos if-assign [port <portlist>] name [<WORD>]
Variable Definitions
Variable
Value
port <portlist>
name <WORD>
Procedure
Delete ports by using the following command from Interface Configuration mode.
no qos if-assign [port <portlist>]
Procedure
Create interface groups by using the following command from Global Configuration mode.
qos if-group name <WORD> class <trusted | untrusted | unrestricted>
Variable Definitions
Variable
Value
name <WORD>
Defines a new interface group and specifies the class of traffic received on
interfaces associated with this interface group:
trusted
untrusted
unrestricted
Procedure
Delete interface groups by using the following command from Global Configuration mode.
no qos if-group name <WORD>
Procedure
1. Configure priority by using the following command from Global Configuration mode.
qos egressmap [name <WORD>] ds <0-63> 1p <0-7> dp <low-drop | high-drop>
2. View the configured egress map details by using the following command:
show qos egressmap
Example
WCP8180(config)#show qos egressmap
DSCP 802.1p Priority Drop Precedence New DSCP Name
____ _______________ _______________ ________ ________________
0    0               High Drop       0        Standard Service
1    0               High Drop       1        Standard Service
2    0               High Drop       2        Standard Service
3    0               High Drop       3        Standard Service
4    0               High Drop       4        Standard Service
5    0               High Drop       5        Standard Service
6    0               High Drop       6        Standard Service
7    0               High Drop       7        Standard Service
8    2               High Drop       8        Bronze Service
9    0               High Drop       9        Standard Service
10   2               Low Drop        10       Bronze Service
11   0               High Drop       11       Standard Service
12   2               High Drop       12       Bronze Service
13   0               High Drop       13       Standard Service
14   2               High Drop       14       Bronze Service
15   0               High Drop       15       Standard Service
16   3               High Drop       16       Silver Service
17   0               High Drop       17       Standard Service
18   3               Low Drop        18       Silver Service
19   0               High Drop       19       Standard Service
20   3               High Drop       20       Silver Service
Variable Definitions
Variable
Value
name <WORD>
ds <0-63>
Specifies the DSCP value used as a lookup key for 802.1p priority and
drop precedence at egress when appropriate; range is between 0 and 63.
1p <0-7>
Specifies the 802.1p priority value associated with the DSCP; range is
between 0 and 7.
dp <low-drop | high-drop>
Procedure
Reset the entries by using the following command from Global Configuration mode.
default qos egressmap
Procedure
1. Configure priority by using the following command from Global Configuration mode.
qos ingressmap [name <WORD>] 1p <0-7> ds <0-63>
2. View the configured ingress map details by using the following command:
show qos ingressmap
Example
WCP8180(config)#show qos ingressmap
802.1p Priority DSCP Name
_______________ ____ ________________
0               0    Standard Service
1               0    Standard Service
2               10   Bronze Service
3               18   Silver Service
4               26   Gold Service
5               34   Platinum Service
6               46   Premium Service
7               48   Network Service
Variable Definitions
Variable
Value
name <WORD>
1p <0-7>
Specifies the 802.1p priority used as lookup key for DSCP assignment at
ingress; range is between 0 and 7.
ds <0-63>
Specifies the DSCP value associated with the target 802.1p priority; range
is between 0 and 63.
Procedure
Reset the entries by using the following command from Global Configuration mode.
default qos ingressmap
Procedure
Configure system classifier element parameters by using the following command from Global
Configuration mode.
qos system-element <1-55000> [known-ip-mcast | known-non-ip-mcast |
name | non-ip | pattern-data <WORD> | pattern-format {tagged |
untagged}] | [pattern-ip-version {ipv4 | ipv6 | non-ip}] | patternl2format | session-id | unknown-ip-mcast | unknown-non-ip-mcast |
unknown-ucast
Variable definitions
Variable
Value
<1-55000>
known-ip-mcast
known-non-ip-mcast
name
non-ip
unknown-ucast
pattern-data <WORD>
pattern-l2version
pattern-ip-version
session-id
unknown-ip-mcast
unknown-non-ip-mcast
Procedure
View system classifier elements parameters by using the following commands from the
Privileged EXEC Configuration mode.
show qos system-element [<1-65535>] [all] [system] [user]
Variable definitions
Use the data in the following table to use the show qos system-element command.
Variable
Description
<1-65535>
all
system
user
Procedure
Remove system classifier element entries by using the following command from Global
Configuration mode.
no qos system-element <1-55000>
Procedure
1. Create or update QoS actions by using the following command from Global Configuration
mode.
qos action <10-55000> [name <WORD>] [drop-action <enable | disable |
deferred-pass>] [update-dscp <0-63>] [update-1p {<0-7> | use-tosprec | use-egress}] [set-drop-prec <low-drop | high-drop>] [action-ext <1-55000> | action-ext-name <WORD>]
2. View QoS action by using the following command:
show qos action <1-65535> [all] [system] [user]
Variable Definitions
Variable
Value
<10-55000>
name <WORD>
Assigns a name to a QoS action with the designated action ID. Enter
the name for the action; maximum is 16 alphanumeric characters.
drop-action <enable | disable |
deferred-pass>
update-dscp <0-63>
update-1p <0-7>
action-ext <1-55000>
action-ext-name <WORD>
Procedure
Delete QoS action entries by using the following command from Global Configuration mode.
Procedure
1. Create interface action extension entries by using the following command from Global
Configuration mode.
qos if-action-extension <1-55000> [name <WORD>] {egress-ucast <port>
| egress-non-ucast <port>}
2. View the interface action extension entries by using the following command:
show qos if-action-extension <1-65535> [all] [system] [user]
Variable definitions
Variable
Value
<1-55000>
name <WORD>
session-id
Procedure
Remove interface action extension entries by using the following command from Global
Configuration mode.
Procedure
Create QoS meter entries by using the following command from Global Configuration mode.
qos meter <1-55000> [name <WORD>] committed-rate <64-10230000>
{burst-size <burst-size> max-burst-rate <64-4294967295> [max-burst-duration <1-4294967295>]}
{in-profile-action <1-55000> | in-profile-action-name <WORD>}
{out-profile-action <1,9-55000> | out-profile-action-name <WORD>}
Variable Definitions
Variable
Value
<1-55000>
name <WORD>
committed-rate <64-10230000>
Specifies rate that traffic must not exceed for extended periods
to be considered in-profile. Enter the rate in Kb/s for in-profile
traffic in increments of 1000 Kbits/sec; range is 64 to 10230000
Kbits/sec.
burst-size <4,8,16,...,16384>
max-burst-rate <64-4294967295>
max-burst-duration <1-4294967295>
Specifies the amount of time that the largest burst of traffic that
can be received for the traffic to be considered in-profile. Used
in calculating the committed burst size. Enter the burst duration
in ms for in-profile traffic; range is 1-4294967295 ms.
in-profile-action <1-55000>
in-profile-action-name <WORD>
out-profile-action <1,9-55000>
out-profile-action-name <word>
Procedure
Remove QoS meter entries by using the following command from Global Configuration
mode.
no qos meter <1-55000>
Procedure
Configure interface shaping by using the following command from Interface Configuration
mode.
qos if-shaper [port <portlist>] [name <WORD>] shape-rate
<64-10230000> {burst-size <burst-size> max-burst-rate
<64-4294967295> [max-burst-duration <1-4294967295>]}
Variable Definitions
Variable
Value
port <portlist>
name <WORD>
shape-rate <64-10230000>
max-burst-rate <64-4294967295>
max-burst-duration <1-4294967295>
Specifies the amount of time that the largest burst of traffic that
can be received for the traffic to be considered in-profile. Used
in calculating the committed burst size. Enter the burst duration
in ms for in-profile traffic; range is 1-4294967295 ms.
Procedure
Disable interface shaping by using the following command from Interface Configuration
mode.
no qos if-shaper [port <portlist>]
Procedure
Create a QoS policy by using the following command from Global Configuration mode.
qos policy <1-55000> {enable|disable [name <WORD>] {port <port_list>
| if-group <WORD>} clfr-type {classifier | block} {clfr-id <1-55000>
| clfr-name <WORD>} {{in-profile-action <1-55000> | in-profile-action-name <WORD>} | meter <1-55000> | meter-name <WORD>}}
[non-match-action <1-55000> | non-match-action-name <WORD>] precedence
<1-15> [track-statistics <individual | aggregate>]}
Variable Definitions
Variable
Value
<1-55000>
enable|disable
name <WORD>
port <portlist>
if-group <WORD>
clfr-id <1-55000>
clfr-name <WORD>
in-profile-action <1-55000>
in-profile-action-name <WORD>
meter <1-55000>
meter-name <WORD>
non-match-action <1-55000>
non-match-action-name <WORD>
precedence <1-15>
Procedure
Remove QoS policy entries by using the following command from Global Configuration
mode.
no qos policy <1-55000>
Procedure
Use the following command to configure a traffic profile classifier entry.
qos traffic-profile set port <port> name <name> [commited-rate
<64-10230000>] [drop-nm-action <drop | pass>] [enable]
This command is used in the Global Configuration mode.
Variable Definitions
Variable
Value
port <port>
name <name>
commited-rate <64-10230000>
enable
Procedure
1. Delete a Traffic Profile classifier by using the following command from the Global
Configuration mode.
no qos traffic-profile classifier name <classifier-name>
2. Delete a Traffic Profile set by using the following command from the Global Configuration
mode.
no qos traffic-profile set {name <name> | port <port>}
Procedure
1. View classifier entries by using the following commands from the Privileged EXEC
Configuration mode.
show qos traffic-profile classifier
OR
show qos traffic-profile classifier name <classifier name>
2. View the parameters for a specific set by using the following command from the Privileged
EXEC Configuration mode.
show qos traffic-profile set <set name> port <port>
3. View ports and the filter sets assigned to those ports by using the following command from
the Privileged EXEC Configuration mode.
show qos traffic-profile interface
Example
Wc#show qos traffic-profile classifier name 1
Id: 2
Name: 1
Block:
Master: No
Eval Order: 1
Address Type: Ignore
Destination Addr/Mask: Ignore
Source Addr/Mask: Ignore
DSCP: Ignore
IPv4 Protocol / IPv6 Next Header: Ignore
Destination L4 Port Min: Ignore
Destination L4 Port Max: Ignore
Source L4 Port Min: Ignore
Source L4 Port Max: Ignore
IPv6 Flow Id: Ignore
IP Flags: Ignore
TCP Control Flags: Ignore
IPv4 Options: Ignore
Destination MAC Addr: Ignore
Procedure
Configure User Based Policies by using the following command from the Global
configuration mode.
qos ubp
Note:
To modify an entry in a filter set, you must delete the entry and add a new entry with the
desired modifications.
Related Links
Configuring wired Quality of Service on page 314
Variable Definitions
Variable
Value
dst-mac specifies the MAC address against which the MAC
destination address of incoming packets is compared.
dst-port-min specifies the minimum value for the layer 4
destination port number in a packet. dst-port-max must be
terminated prior to configuring this parameter.
ethertype specifies a value indicating the version of Ethernet
protocol being used.
eval-order specifies the evaluation order for all elements with
the same name.
flow-id specifies the flow identifier for IPv6 packets.
next-header specifies the IPv6 next-header value. Values are
in the range 0-255.
priority specifies a value for the 802.1p user priority.
protocol specifies the IPv4 protocol value.
set-drop-prec specifies drop precedence.
src-ip specifies the IP address to match against the source IP
address of a packet.
src-mac specifies the MAC source address of incoming
packets.
src-port-min specifies the minimum value for the Layer 4
source port number in a packet. src-port-max must be
terminated prior to configuring this parameter.
update-1p specifies an 802.1p value used to update user
priority.
update-dscp specifies a value used to update the DSCP field
in an IPv4 packet.
vlan-min specifies the minimum value for the VLAN ID in a
packet. vlan-max must be terminated prior to configuring this
parameter.
vlan-tag specifies the type of VLAN tagging in a packet.
enforced, and if the traffic is deemed out of profile based on
the level of traffic and the metering criteria. Options are
enable (packet is dropped) and disable (packet is not
dropped).
max-burst-rate specifies the maximum number of bytes
allowed in a single transmission burst.
max-burst-duration specifies the maximum burst duration in
milliseconds.
update-dscp-out-action specifies an updated DSCP value for
an IPv4 packet for out of profile traffic.
set-priority specifies the priority level of this filter set.
Procedure
1. Delete an entire filter set by using the following command from the Global configuration
mode.
no qos ubp name <filter name>
Note: You cannot delete a filter set while it is in use.
2. Delete a classifier by using the following command from the Global configuration mode.
no qos ubp name <filter name> eval-order <value>
Procedure
1. View User Based Policy filter parameters by using the following command from the
Privileged EXEC configuration mode.
show qos ubp
2. View the parameters for a specific filter set by using the following command from the
Privileged EXEC configuration mode.
show qos ubp name <filter name>
3. View ports and the filter sets assigned to those ports by using the following command from
the Privileged EXEC configuration mode.
show qos ubp interface
4. View classifier entries by using the following command from the Privileged EXEC
configuration mode.
show qos ubp classifier
Procedure
Reset QoS to factory defaults by using the following command from Global Configuration
mode.
qos agent reset-default
Procedure
Configure QoS NT mode by using the following command from Global Configuration mode.
qos agent aq-mode [pure|mixed|disable]
Variable definitions
Variable
Value
disable
mixed
NT application traffic processing enabled on all ports with egress DSCP mapping.
pure
NT application traffic processing enabled on all ports without egress DSCP mapping.
Procedure
Configure the UBP support level by using the following command from Global Configuration
mode.
qos agent ubp [disable|epm|high-security-local|low-security-local]
Variable Definitions
Variable
Value
disable
epm
QoS Agent notifications generated for EPM based on user information forwarded
by other applications.
high-security-local
User may be rejected if resources needed to install the UBP filter set are not
available.
low-security-local
User may be accepted even if the UBP filter set could not be applied.
Procedure
Configure the QoS statistics tracking type by using the following command from Global
Configuration mode.
qos agent statistics-tracking [aggregate|disable|individual]
Variable Definitions
Variable
Value
aggregate
Allocates a single statistics counter to track data for all classifiers contained in the
QoS policy being created.
disable
individual
Allocates individual statistics counters to track data for each classifier contained in
the QoS policy being created.
Procedure
Configure NVRAM delay by using the following command from Global Configuration mode.
qos agent nvram-delay <0-604800>
Default is 10 seconds.
Procedure
Reset NVRAM delay to default by using the following command from Global Configuration
mode.
default qos agent nvram-delay
Procedure
Reset the QoS agent by using the following command from Global Configuration mode.
default qos agent
Enabling DAPP
About this task
This procedure describes the steps necessary to enable DAPP.
Procedure
Enable DAPP by using the following command from Global Configuration mode:
[no] qos agent dos-attack-prevention enable
Use the no form of this command to disable.
Procedure
Enable DAPP status tracking by using the following command from Global Configuration
mode:
qos agent dos-attack-prevention status-tracking [enable | max-ipv4-icmp | max-ipv6-icmp | min-tcp-header]
Configuring DAPP maximum IPv6 ICMP length
Procedure
Set the maximum IPv6 ICMP length by using the following command from Global
Configuration mode:
qos agent dos-attack-prevention max-ipv6-icmp <0-16383>
Procedure
Set the minimum TCP header size by using the following command from Global
Configuration mode:
qos agent dos-attack-prevention min-tcp-header <0-255>
Procedure
Set the maximum IPv4 ICMP length by using the following command from Global
Configuration mode:
qos agent dos-attack-prevention max-ipv4-icmp <0-1023>
Configuring Serviceability
About this task
Use the following procedures to configure RMON and IPFIX.
Related Links
ACLI reference for wired networks on page 153
Configuring RMON with the CLI on page 345
Configuring IPFIX using CLI on page 350
Procedure
1. Enter Privileged Executive mode.
2. Use the show rmon alarm command to display information about RMON alarms.
Procedure
1. Enter Privileged Executive mode.
2. Enter the show rmon event command.
Procedure
1. Enter Privileged Executive mode.
2. Enter the show rmon history [<port>] command.
Example
WCP8180(config)#show rmon history port 1
Index Port Buckets Requested Buckets Granted Interval
----- ---- ----------------- --------------- --------
1     1    15                15              30
29    1    5                 5               1800
Variable Definitions
Variable
Definition
<port>
Job aid
The following table describes the fields in the show rmon history port command output.
Field
Description
Index
Port
Buckets Requested
Buckets Granted
Interval
Procedure
1. Enter Privileged Executive mode.
2. Enter the show rmon stats command.
Procedure
1. Enter Global Configuration mode.
2. Enter the rmon alarm <1-65535> <WORD> <1-2147483647> {absolute | delta}
rising-threshold <-2147483648-2147483647> [<1-65535>] falling-threshold <-2147483648-2147483647> [<1-65535>] [owner <LINE>]
command.
Variable Definitions
Parameter
Description
<1-65535>
<WORD>
<1-2147483647>
absolute
Use absolute values (value of the MIB object is compared directly with
thresholds).
delta
Use delta values (change in the value of the MIB object between samples
is compared with thresholds).
rising-threshold
<-2147483648-2147483647 >
[<1-65535>]
The first integer value is the rising threshold value. The optional second
integer specifies the event entry to be triggered after the rising threshold is
crossed. If omitted, or if an invalid event entry is referenced, no event is
triggered.
falling-threshold
<-2147483648-2147483647 >
[<1-65535>]
The first integer value is the falling threshold value. The optional second
integer specifies the event entry to be triggered after the falling threshold is
crossed. If omitted, or if an invalid event entry is referenced, no event is
triggered.
[owner <LINE>]
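The threshold behaviour described in the table above, as an added Python example that is not part of the Avaya documentation: it evaluates absolute and delta sampling against rising and falling thresholds over constructed counter polls. The hysteresis rule and the startup behaviour (either direction may fire on the first usable sample) follow RFC 2819 and are assumptions here, since this page does not state them; `RmonAlarm`, `run_alarm` and the poll values are illustrative.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class RmonAlarm:
    """One alarm entry, named after the keywords of the rmon alarm command."""
    sample_type: str                      # "absolute" or "delta"
    rising_threshold: int
    falling_threshold: int
    rising_event: Optional[int] = None    # event index; None = no event is triggered
    falling_event: Optional[int] = None
    last_raw: Optional[int] = None        # previous poll, needed for delta sampling
    last_fired: Optional[str] = None      # direction of the most recent crossing

    def sample(self, raw: int) -> Optional[Tuple[str, Optional[int]]]:
        """Feed one polled value; return (direction, event index) on a crossing."""
        if self.sample_type == "delta":
            previous, self.last_raw = self.last_raw, raw
            if previous is None:
                return None               # the first poll only sets the baseline
            value = raw - previous        # assumes the counter did not wrap
        elif self.sample_type == "absolute":
            value = raw
        else:
            raise ValueError("sample_type must be 'absolute' or 'delta'")

        # Hysteresis (RFC 2819): after a rising crossing, no further rising
        # crossing is reported until the falling threshold has been reached,
        # and the other way round.
        if value >= self.rising_threshold and self.last_fired != "rising":
            self.last_fired = "rising"
            return ("rising", self.rising_event)
        if value <= self.falling_threshold and self.last_fired != "falling":
            self.last_fired = "falling"
            return ("falling", self.falling_event)
        return None


def run_alarm(alarm: RmonAlarm, polls: List[int]) -> List[Tuple[int, str, Optional[int]]]:
    """Return (poll index, direction, event index) for every crossing."""
    crossings = []
    for index, raw in enumerate(polls):
        hit = alarm.sample(raw)
        if hit is not None:
            crossings.append((index, hit[0], hit[1]))
    return crossings


# Constructed polls of a monotonically increasing packet counter,
# one value per sampling interval.
POLLS = [0, 100, 250, 1500, 3000, 4500, 4600, 4650, 6000]


def demo_delta() -> List[Tuple[int, str, Optional[int]]]:
    """Delta sampling: thresholds apply to packets per interval."""
    alarm = RmonAlarm("delta", 1000, 200, rising_event=1, falling_event=2)
    return run_alarm(alarm, POLLS)


def demo_absolute() -> List[Tuple[int, str, Optional[int]]]:
    """Absolute sampling of the same counter, with no falling event configured."""
    alarm = RmonAlarm("absolute", 1000, 200, rising_event=1)
    return run_alarm(alarm, POLLS)


if __name__ == "__main__":
    print("delta   :", demo_delta())
    print("absolute:", demo_absolute())
```

With absolute sampling the counter crosses the rising threshold once and never re-arms, which is why rate-style alarms on counters use delta.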
Procedure
1. Enter Global Configuration mode.
2. Enter the no rmon alarm [<1-65535>] command.
Variable Definitions
Variable
Definition
[<1-65535>]
Procedure
1. Enter Global Configuration mode.
2. Enter the rmon event <1-65535> [log] [trap] [description <LINE>] [owner
<LINE>] command.
Variable Definitions
Parameter
Description
<1-65535>
[log]
[trap]
[description <LINE>]
[owner <LINE>]
Procedure
1. Enter Global Configuration mode.
2. Enter the no rmon event [<1-65535>] command to delete the entries.
Variable Definitions
Variable
Definition
[<1-65535>]
Procedure
1. Enter Global Configuration mode.
2. Enter the rmon history <1-65535> <LINE> <1-65535> <1-3600> [owner
<LINE>] command to configure the RMON history.
Variable Definitions
Parameter
Description
<1-65535>
<LINE>
<1-65535>
<1-3600>
[owner <LINE>]
Procedure
1. Enter Global Configuration mode.
2. Enter the no rmon history [<1-65535>] command to delete the entries.
Variable Definitions
Variable
Definition
[<1-65535>]
Procedure
1. Enter Global Configuration mode.
2. Enter the rmon stats <1-65535> <LINE> [owner <LINE>] command to configure
RMON statistics.
Variable Definitions
Parameter
Description
<1-65535>
[owner <LINE>]
Procedure
1. Enter Global Configuration mode.
2. Enter the no rmon stats [<1-65535>] command to disable RMON statistics.
Variable Definitions
Variable
Definition
<1-65535>
IPFIX data is not load balanced when two collectors are in use. Identical information is sent to both
collectors.
Use the following procedure to configure the IPFIX collectors.
Procedure
1. Enter Global Configuration mode.
2. Use the ip ipfix collector <unit_number> <collector_ip_address>
command to configure the IPFIX collector.
Variable Definitions
Parameter
Description
<unit_number>
<collector_ip_address>
Procedure
1. Enter Global Configuration mode.
2. Use the ip ipfix enable command to enable IPFIX on the switch.
Variable definition
Parameter
Description
enable
Procedure
1. Enter Global Configuration mode.
2. Use the ip ipfix slot <unit_number> [aging-interval <aging_interval>]
[export-interval <export_interval>] [exporter-enable] [template-refresh-interval <template_refresh_interval>] [template-refresh-packets <template_refresh_packets>] command to enable IPFIX on the switch.
Variable Definitions
Parameter
Description
<unit_number>
<aging_interval>
<export_interval>
The IPFIX export interval. This interval is the value at which IPFIX data is
exported in seconds from 10 to 3600.
<template_refresh_interval>
The IPFIX template refresh interval. This value is in seconds from 300 to
3600.
<template_refresh_packets>
The IPFIX template refresh packet setting. This value is the number of
packets from 10000 - 100000.
Procedure
1. Enter Interface Configuration mode.
2. Use the ip ipfix enable command to enable IPFIX on the interface.
Procedure
1. Enter Interface Configuration mode.
2. Use the ip ipfix port <port_list> command to enable IPFIX on the interface.
Variable Definitions
Variable
Definition
port-list
Procedure
1. Enter Privileged Executive mode.
2. Use the ip ipfix flush port <port_list> [export-and-flush] command to
delete the collected IPFIX information for the port or ports.
Variable Definitions
Variable
Definition
port-list
export-and-flush
Procedure
1. Enter Privileged Executive mode.
2. Use the show ip ipfix table <unit_number> sort-by <sort_by> sort-order
<sort_order> display <num_entries> command to view the IPFIX data.
Variable Definitions
Variable
Definition
<unit_number>
The unit number of the collector. Currently up to two collectors are supported so
the values 1 or 2 are valid.
<sort_by>
<sort_order>
The order in which the data is sorted. Valid options are ascending and descending.
<num_entries>
Viewing port-statistics
About this task
Use this procedure to view the statistics for the port on both received and transmitted traffic.
Procedure
1. Enter Global Configuration mode.
2. Enter the show port-statistics [port <portlist>] command.
Variable Definitions
Variable
Definition
port <portlist>
Procedure
1. Enter Privileged Executive mode.
2. Enter the show interfaces [port list] verbose command. If you issue the
command with no parameters the port status is shown for all ports.
3. Observe the CLI output.
Procedure
1. Enter Privileged Executive mode.
2. Enter the show interfaces <portlist> config command.
3. Observe the CLI output.
Procedure
1. Enter Privileged Executive mode.
Procedure
1. Enter Privileged Executive mode.
2. Enter the show memory-utilization command.
3. Observe the displayed information.
Sample CLI output:
WCP8180(config)#show memory-utilization
--------------------------------------------------------
Memory Utilization (in MB)
--------------------------------------------------------
Unit    Total    Used    Free    Peak
--------------------------------------------------------
Host    1024     203     821     203
WCP     1635     1091    544     1094
WDP     276      36      240     36
WCP8180(config)#
Procedure
Enter the show logging [config] [critical] [serious] [informational]
[sort-reverse] command in Privileged Executive mode.
CLI reference:
WCP8180(config)#show logging ?
Show logging information
  system               Show the contents of logging buffers
  wireless-controller  Show logging information of wireless controller
WCP8180(config)#show logging system ?
  config         Display configuration of event logging
  critical       Critical event
  informational  Informational message
  serious        Serious event message
  <cr>
WCP8180(config)#show logging wireless-controller ?
  volatile       Display log messages in DRAM
WCP8180(config)#show logging wireless-controller volatile ?
  critical       Critical event messages
  informational  Informational messages
  serious        Serious event messages
  <cr>
Variable Definitions
Variable
Value
config
critical
serious
informational
sort-reverse
Procedure
Enter the logging [enable | disable] [level critical | serious |
informational | none] [nv-level critical | serious | none] command in
Privileged Executive mode.
CLI reference:
WCP8180(config)#logging ?
  disable   Disable the event log
  enable    Enable the event log
  level     The severity level of events that will be logged in DRAM
  nv-level  The severity level of events that will be saved in NV storage
  remote    Configure remote logging parameters
  volatile  Configure options for logging to DRAM
Variable Definitions
Variable
Value
enable | disable
Procedure
Enter the no logging command in global configuration mode.
Setting the system log to default
Procedure
Enter the default logging command in global configuration mode.
Clearing the system log
Procedure
Enter the clear logging system [non-volatile] [nv] [volatile] command in
global configuration mode.
Variable Definitions
Variable
Value
non-volatile
nv
volatile
Procedure
1. Enter Global Configuration mode.
2. Enter the show logging command to display the log.
Enabling remote logging
Procedure
1. Enter Global Configuration mode.
2. Enter the logging remote enable command to enable the use of a remote syslog
server.
Disabling remote logging
Procedure
1. Enter Global Configuration mode.
2. Enter the no logging remote enable command to disable the use of a remote syslog
server.
Setting the remote logging address
Procedure
1. Enter Global Configuration mode.
2. Enter the logging remote address <A.B.C.D> command to set the IP address of the
remote syslog server.
Variable Definitions
Parameters and variables
Description
<A.B.C.D>
Procedure
1. Enter Global Configuration mode.
2. Enter the no logging remote address command to clear the IP address of the remote
syslog server.
Setting the log severity
Procedure
1. Enter Global Configuration mode.
2. Enter the logging remote level {critical | informational | serious |
none} command to set the severity level of the logs that will be sent to the server.
Variable Definitions
Parameters and variables
Description
Procedure
1. Enter Global Configuration mode.
2. Enter the no logging remote level command to remove the severity level of the logs
that will be sent to the server. The level is set to none.
Setting the default remote logging level
Procedure
1. Enter Global Configuration mode.
2. Enter the default logging remote level command to reset the severity level of the
logs sent to the remote server to its default. The default level is none.
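An added example, not Avaya code: a Python check that reads a configuration text and reports weak settings for the UBP support level, DAPP, remote logging and port-mirroring commands documented above. It assumes a saved configuration lists commands in the form they are typed; both sample configurations, their addresses, limits and port numbers are constructed.

```python
import ipaddress
import re
from typing import Dict, List

# Value ranges copied from the DAPP command syntax on this page.
DAPP_RANGES = {"max-ipv4-icmp": (0, 1023), "max-ipv6-icmp": (0, 16383),
               "min-tcp-header": (0, 255)}
REMOTE_LEVELS = ("critical", "serious", "informational", "none")


def audit(config_text: str) -> List[str]:
    """Return findings for DAPP, UBP level, remote logging and port mirroring.

    Assumption: each line is a command exactly as typed; later lines win.
    """
    findings: List[str] = []
    dapp = remote_on = False
    remote_addr = None
    remote_level = "none"            # the page gives none as the default level
    ubp = None
    mirrors: Dict[str, str] = {}     # instance -> mode, for active instances

    for raw in config_text.splitlines():
        line = " ".join(raw.split())
        if not line:
            continue
        negated = line.startswith("no ")
        cmd = line[3:] if negated else line

        if cmd == "qos agent dos-attack-prevention enable":
            dapp = not negated
        elif m := re.fullmatch(r"qos agent dos-attack-prevention (\S+) (\d+)", cmd):
            name, value = m.group(1), int(m.group(2))
            low, high = DAPP_RANGES.get(name, (None, None))
            if low is None:
                findings.append(f"unknown DAPP parameter {name}")
            elif not low <= value <= high:
                findings.append(f"DAPP {name} {value} is outside {low}-{high}")
        elif m := re.fullmatch(r"qos agent ubp (\S+)", cmd):
            ubp = m.group(1)
        elif cmd == "logging remote enable":
            remote_on = not negated
        elif negated and cmd == "logging remote address":
            remote_addr = None
        elif m := re.fullmatch(r"logging remote address (\S+)", cmd):
            try:
                remote_addr = ipaddress.IPv4Address(m.group(1))
            except ipaddress.AddressValueError:
                findings.append(f"invalid syslog server address {m.group(1)}")
        elif negated and cmd == "logging remote level":
            remote_level = "none"
        elif m := re.fullmatch(r"logging remote level (\S+)", cmd):
            if m.group(1) in REMOTE_LEVELS:
                remote_level = m.group(1)
            else:
                findings.append(f"unknown remote logging level {m.group(1)}")
        elif negated and (m := re.fullmatch(r"port-mirroring(?: ([1-4]))?", cmd)):
            if m.group(1):
                mirrors.pop(m.group(1), None)
            else:
                mirrors.clear()      # no port-mirroring disables all instances
        elif m := re.fullmatch(r"port-mirroring(?: ([1-4]))? mode (\S+)(?: .*)?", cmd):
            instance = m.group(1) or "default"
            if m.group(2) == "disable":
                mirrors.pop(instance, None)
            else:
                mirrors[instance] = m.group(2)

    if not dapp:
        findings.append("DAPP is not enabled")
    if ubp == "low-security-local":
        findings.append("UBP low-security-local accepts a user even if the "
                        "filter set could not be applied")
    if not remote_on:
        findings.append("remote logging is not enabled")
    else:
        if remote_addr is None:
            findings.append("remote logging is enabled without a server address")
        if remote_level == "none":
            findings.append("remote logging level is none")
    for instance, mode in sorted(mirrors.items()):
        findings.append(f"port-mirroring instance {instance} is active ({mode})")
    return findings


# Constructed configurations (addresses, limits and port numbers are samples).
WEAK_CONFIG = """
qos agent ubp low-security-local
qos agent dos-attack-prevention max-ipv4-icmp 2048
logging remote enable
logging remote address 192.0.2.10
port-mirroring mode Xrx monitor-port 20 mirror-ports 5
"""

HARDENED_CONFIG = """
qos agent ubp high-security-local
qos agent dos-attack-prevention enable
qos agent dos-attack-prevention max-ipv4-icmp 512
qos agent dos-attack-prevention max-ipv6-icmp 512
qos agent dos-attack-prevention min-tcp-header 20
logging remote address 192.0.2.10
logging remote level serious
logging remote enable
no port-mirroring
"""

if __name__ == "__main__":
    for finding in audit(WEAK_CONFIG):
        print("FINDING:", finding)
```

The weak sample enables remote logging but leaves the level at its default of none, which the audit reports separately from a missing server address.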
Procedure
1. Enter Privileged Executive mode.
2. Enter the show port-mirroring command to display the port-mirroring configuration.
Configure port-mirroring
Procedure
1. Enter Global Configuration mode.
2. Enter the port-mirroring mode {disable | Xrx monitor-port <portlist>
mirror-ports <portlist> | Xtx monitor-port <portlist> mirror-ports
<portlist> | ManytoOneRx monitor-port <portlist> mirror-ports
<portlist> | ManytoOneTx monitor-port <portlist> mirror-port-X
Parameter
Description
disable
Disables port-mirroring.
monitor-port
mirror-port-X
mirror-port-Y
mirror-MAC-A
mirror-MAC-B
portlist
ManytoOneRx
ManytoOneTx
ManytoOneRxTx
Xrx
Xtx
XrxOrXtx
XrxYtx
XrxYtxOrXtxYrx
XrxOrYtx
macaddr
Asrc
Adst
AsrcOrAdst
AsrcBdst
AsrcBdstOrBsrcAdst
Disabling port-mirroring
Procedure
1. Enter Global Configuration mode
2. Enter the no port-mirroring command to disable port-mirroring.
Displaying Many-to-Many port-mirroring
Procedure
1. Enter Privileged Executive mode
2. Enter the show port-mirroring command.
3. Observe the displayed information.
Configuring Many-to-Many port-mirroring
Procedure
1. Enter Global Configuration mode
2. Enter the port-mirroring <1-4> mode {disable | Adst | Asrc | AsrcBdst |
AsrcBdstOrBsrcAdst | AsrcOrAdst | ManyToOneRx | ManyToOneRxTx |
ManyToOneTx | Xrx | XrxOrXtx | XrxOrYtx | XrxYtx | XrxYtxOrYrxXtx |
Xtx} command.
3. Enter the command from step 2 for up to four instances.
Variable Definitions
Variable
Value
disable
Disable mirroring.
Adst
Asrc
AsrcBdst
AsrcBdstOrBsrcAdst
AsrcOrAdst
ManyToOneRx
ManyToOneRxTx
ManyToOneTx
Xrx
XrxOrXtx
XrxYtx
XrxYtxOrYrxXtx
Xtx
Procedure
1. Enter Global Configuration mode
2. Enter the port-mirroring [<1-4>] mode disable or no port-mirroring
[<1-4>] command to disable a specific instance.
3. Enter the no port-mirroring command to disable all instances.
Variable Definitions
Variable
Definition
<1-4>
Country Name              Code
                          AE
                          AG
Netherlands Antilles      AN
Argentina                 AR
American Samoa            AS
Austria                   AT
Australia                 AU
Aruba                     AW
Azerbaijan                AZ
Bosnia                    BA
Barbados                  BB
Bangladesh                BD
Belgium                   BE
Bulgaria                  BG
Bahrain                   BH
Bermuda                   BM
Brunei                    BN
Bolivia                   BO
Brazil                    BR
Bahamas                   BS
Bhutan                    BT
Belarus                   BY
Canada                    CA
Switzerland               CH
Chile                     CL
China                     CN
Colombia                  CO
Costa Rica                CR
Cuba                      CU
Cape Verde                CV
Cyprus                    CY
Czech Republic            CZ
Germany                   DE
Denmark                   DK
Dominica                  DM
Dominican Republic        DO
Ecuador                   EC
Estonia                   EE
Egypt                     EG
Spain                     ES
Finland                   FI
Falkland Islands          FK
                          FM
France                    FR
United Kingdom            GB
French Guiana             GF
Guernsey                  GG
Gibraltar                 GI
Guadeloupe                GP
Greece                    GR
Guatemala                 GT
Guam                      GU
Hong Kong                 HK
Honduras                  HN
Croatia                   HR
Haiti                     HT
Hungary                   HU
Indonesia                 ID
Ireland                   IE
Israel                    IL
Isle of Man               IM
India                     IN
Iran                      IR
Iceland                   IS
Italy                     IT
Jersey                    JE
Jamaica                   JM
Jordan                    JO
Japan                     JP
Kenya                     KE
Kiribati                  KI
Korea Republic            KR
Kuwait                    KW
Cayman Islands            KY
                          LA
Lebanon                   LB
Liechtenstein             LI
Sri Lanka                 LK
Lesotho                   LS
Lithuania                 LT
Luxembourg                LU
Latvia                    LV
Morocco                   MA
Monaco                    MC
Macedonia                 MK
Macao                     MO
                          MP
Martinique                MQ
Mauritania                MR
Malta                     MT
Mauritius                 MU
Maldives                  MV
Malawi                    MW
Mexico                    MX
Malaysia                  MY
Nigeria                   NG
Nicaragua                 NI
Netherlands               NL
Norway                    NO
New Zealand               NZ
Oman                      OM
Panama                    PA
Peru                      PE
                          PG
Philippines               PH
Pakistan                  PK
Poland                    PL
                          PM
Portugal                  PT
Puerto Rico               PR
Qatar                     QA
Reunion                   RE
Romania                   RO
Serbia                    RS
Russia                    RU
Saudi Arabia              SA
Sweden                    SE
Singapore                 SG
Slovenia                  SI
Slovak Republic           SK
El Salvador               SV
Syria                     SY
Thailand                  TH
Tajikistan                TJ
Tunisia                   TN
Turkey                    TR
                          TT
Taiwan                    TW
Tanzania                  TZ
Ukraine                   UA
                          UM
United States             US
Uruguay                   UY
Uzbekistan                UZ
                          VA
Venezuela                 VE
Virgin Islands(British)   VG
US Virgin Isle            VI
Vietnam                   VN
Yemen                     YE
Mayotte                   YT
South Africa              ZA
Zambia                    ZM