NN47251-107 07 01 CLI Reference

ACLI Commands Reference for Avaya
WLAN 8100
Release 3.0
NN47251-107
Issue 07.01
June 2014
2014 Avaya Inc.
All Rights Reserved.

Notice
While reasonable efforts have been made to ensure that the
information in this document is complete and accurate at the time of
printing, Avaya assumes no liability for any errors. Avaya reserves
the right to make changes and corrections to the information in this
document without the obligation to notify any person or organization
of such changes.
Documentation disclaimer
Documentation means information published by Avaya in varying
mediums which may include product information, operating
instructions and performance specifications that Avaya may generally
make available to users of its products and Hosted Services.
Documentation does not include marketing materials. Avaya shall not
be responsible for any modifications, additions, or deletions to the
original published version of documentation unless such
modifications, additions, or deletions were performed by Avaya. End
User agrees to indemnify and hold harmless Avaya, Avaya's agents,
servants and employees against all claims, lawsuits, demands and
judgments arising out of, or in connection with, subsequent
modifications, additions or deletions to this documentation, to the
extent made by End User.
Link disclaimer
Avaya is not responsible for the contents or reliability of any linked
websites referenced within this site or documentation provided by
Avaya. Avaya is not responsible for the accuracy of any information,
statement or content provided on these sites and does not
necessarily endorse the products, services, or information described
or offered within them. Avaya does not guarantee that these links will
work all the time and has no control over the availability of the linked
pages.
Warranty
Avaya provides a limited warranty on Avaya hardware and software.
Refer to your sales agreement to establish the terms of the limited
warranty. In addition, Avayas standard warranty language, as well as
information regarding support for this product while under warranty is
available to Avaya customers and other parties through the Avaya
Support website: http://support.avaya.com or such successor site as
designated by Avaya. Please note that if you acquired the product(s)
from an authorized Avaya Channel Partner outside of the United
States and Canada, the warranty is provided to you by said Avaya
Channel Partner and not by Avaya.
Licenses
THE SOFTWARE LICENSE TERMS AVAILABLE ON THE AVAYA
WEBSITE, HTTP://SUPPORT.AVAYA.COM/LICENSEINFO OR
SUCH SUCCESSOR SITE AS DESIGNATED BY AVAYA, ARE
APPLICABLE TO ANYONE WHO DOWNLOADS, USES AND/OR
INSTALLS AVAYA SOFTWARE, PURCHASED FROM AVAYA INC.,
ANY AVAYA AFFILIATE, OR AN AVAYA CHANNEL PARTNER (AS
APPLICABLE) UNDER A COMMERCIAL AGREEMENT WITH
AVAYA OR AN AVAYA CHANNEL PARTNER. UNLESS
OTHERWISE AGREED TO BY AVAYA IN WRITING, AVAYA DOES
NOT EXTEND THIS LICENSE IF THE SOFTWARE WAS
OBTAINED FROM ANYONE OTHER THAN AVAYA, AN AVAYA
AFFILIATE OR AN AVAYA CHANNEL PARTNER; AVAYA
RESERVES THE RIGHT TO TAKE LEGAL ACTION AGAINST YOU
AND ANYONE ELSE USING OR SELLING THE SOFTWARE
WITHOUT A LICENSE. BY INSTALLING, DOWNLOADING OR
USING THE SOFTWARE, OR AUTHORIZING OTHERS TO DO SO,
YOU, ON BEHALF OF YOURSELF AND THE ENTITY FOR WHOM
YOU ARE INSTALLING, DOWNLOADING OR USING THE
SOFTWARE (HEREINAFTER REFERRED TO
INTERCHANGEABLY AS YOU AND END USER), AGREE TO
THESE TERMS AND CONDITIONS AND CREATE A BINDING
CONTRACT BETWEEN YOU AND AVAYA INC. OR THE
APPLICABLE AVAYA AFFILIATE (AVAYA).
Avaya grants you a license within the scope of the license types
described below, with the exception of Heritage Nortel Software, for
which the scope of the license is detailed below. Where the order
documentation does not expressly identify a license type, the
applicable license will be a Designated System License. The
applicable number of licenses and units of capacity for which the

license is granted will be one (1), unless a different number of
licenses or units of capacity is specified in the documentation or other
materials available to you. Software means Avayas computer
programs in object code, provided by Avaya or an Avaya Channel
Partner, whether as stand-alone products, pre-installed , or remotely
accessed on hardware products, and any upgrades, updates, bug
fixes, or modified versions thereto. Designated Processor means a
single stand-alone computing device. Server means a Designated
Processor that hosts a software application to be accessed by
multiple users. Instance means a single copy of the Software
executing at a particular time: (i) on one physical machine; or (ii) on
one deployed software virtual machine (VM) or similar deployment.
License types
Designated System(s) License (DS). End User may install and use
each copy of the Software only on a number of Designated
Processors up to the number indicated in the order. Avaya may
require the Designated Processor(s) to be identified in the order by
type, serial number, feature key, location or other specific
designation, or to be provided by End User to Avaya through
electronic means established by Avaya specifically for this purpose.
CPU License (CP). End User may install and use each copy of the
Software on a number of Servers up to the number indicated in the
order provided that the performance capacity of the Server(s) does
not exceed the performance capacity specified for the Software. End
User may not re-install or operate the Software on Server(s) with a
larger performance capacity without Avayas prior consent and
payment of an upgrade fee.
Heritage Nortel Software
Heritage Nortel Software means the software that was acquired by
Avaya as part of its purchase of the Nortel Enterprise Solutions
Business in December 2009. The Heritage Nortel Software currently
available for license from Avaya is the software contained within the
list of Heritage Nortel Products located at http://support.avaya.com/
licenseinfo under the link Heritage Nortel Products. For Heritage
Nortel Software, Avaya grants Customer a license to use Heritage
Nortel Software provided hereunder solely to the extent of the
authorized activation or authorized usage level, solely for the purpose
specified in the Documentation, and solely as embedded in, for
execution on, or (in the event the applicable Documentation permits
installation on non-Avaya equipment) for communication with Avaya
equipment. Charges for Heritage Nortel Software may be based on
extent of activation or use authorized as specified in an order or
invoice.
Copyright
Except where expressly stated otherwise, no use should be made of
materials on this site, the Documentation, Software, Hosted Service,
or hardware provided by Avaya. All content on this site, the
documentation, Hosted Service, and the Product provided by Avaya
including the selection, arrangement and design of the content is
owned either by Avaya or its licensors and is protected by copyright
and other intellectual property laws including the sui generis rights
relating to the protection of databases. You may not modify, copy,
reproduce, republish, upload, post, transmit or distribute in any way
any content, in whole or in part, including any code and software
unless expressly authorized by Avaya. Unauthorized reproduction,
transmission, dissemination, storage, and or use without the express
written consent of Avaya can be a criminal, as well as a civil offense
under the applicable law.
Third Party Components
Third Party Components mean certain software programs or
portions thereof included in the Software or Hosted Service may
contain software (including open source software) distributed under
third party agreements (Third Party Components), which contain
terms regarding the rights to use certain portions of the Software
(Third Party Terms). As required, information regarding distributed
Linux OS source code (for those Products that have distributed Linux
OS source code) and identifying the copyright holders of the Third
Party Components and the Third Party Terms that apply is available
in the Documentation or on Avayas website at: http://
support.avaya.com/Copyright or such successor site as designated
by Avaya. You agree to the Third Party Terms for any such Third
Party Components
Preventing Toll Fraud

Toll Fraud is the unauthorized use of your telecommunications
system by an unauthorized party (for example, a person who is not a
corporate employee, agent, subcontractor, or is not working on your
company's behalf). Be aware that there can be a risk of Toll Fraud
associated with your system and that, if Toll Fraud occurs, it can
result in substantial additional charges for your telecommunications
services.
Avaya Toll Fraud Intervention
If you suspect that you are being victimized by Toll Fraud and you
need technical assistance or support, call Technical Service Center
Toll Fraud Intervention Hotline at +1-800-643-2353 for the United
States and Canada. For additional support telephone numbers, see
the Avaya Support Website: http://support.avaya.com/. Suspected
security vulnerabilities with Avaya products should be reported to
Avaya by sending mail to: securityalerts@avaya.com.
Trademarks
The trademarks, logos and service marks (Marks) displayed in this
site, the Documentation, Hosted Service(s), and Product(s) provided
by Avaya are the registered or unregistered Marks of Avaya, its
affiliates, or other third parties. Users are not permitted to use such
Marks without prior written consent from Avaya or such third party
which may own the Mark. Nothing contained in this site, the
Documentation, Hosted Service(s) and Product(s) should be
construed as granting, by implication, estoppel, or otherwise, any
license or right in and to the Marks without the express written
permission of Avaya or the applicable third party.
Avaya is a registered trademark of Avaya Inc.
All non-Avaya trademarks are the property of their respective owners.
Linux is the registered trademark of Linus Torvalds in the U.S. and
other countries.
Downloading Documentation
For the most current versions of Documentation, see the Avaya
Support website: http://support.avaya.com, or such successor site as
designated by Avaya.
Contact Avaya Support
See the Avaya Support website: http://support.avaya.com for Product
or Hosted Service notices and articles, or to report a problem with
your Avaya Product or Hosted Service. For a list of support telephone
numbers and contact addresses, go to the Avaya Support website:
http://support.avaya.com (or such successor site as designated by
Avaya), scroll to the bottom of the page, and select Contact Avaya
Support.
Contents
Chapter 1: Introduction............................................................................................................ 6
Purpose..................................................................................................................................6
Related Resources..................................................................................................................6
Documentation..................................................................................................................6
Training............................................................................................................................ 6
Viewing Avaya Mentor videos.............................................................................................7
Support.................................................................................................................................. 7
Chapter 2: New in this release.................................................................................................8
Features.................................................................................................................................8
Other changes........................................................................................................................ 9
Chapter 3: Overview of WLAN deployment solutions.........................................................10
Chapter 4: ACLI reference for Wireless LAN (WLAN) 8100................................................ 11
ACLI reference for the Wireless LAN (WLAN) 8100..................................................................11
Performing controller configuration using the WC 8180 Quick Configuration utility................ 12
Viewing WLAN 8100 current configuration.........................................................................14
Configuring and managing Link Layer Discovery Protocol...................................................15
Configuring and managing Remote Packet Capture........................................................... 19
Configuring and managing Client Band Steering and Client load balancing.......................... 28
Configuring and managing Captive Portals........................................................................ 29
Configuring and managing External Captive Portals........................................................... 41
Configuring and managing RADIUS..................................................................................48
Auto-RF..........................................................................................................................59
Configuring and viewing the Tunnel Path MTU.................................................................. 68
DiffServ.......................................................................................................................... 69
AeroScout.......................................................................................................................79
Station Isolation.............................................................................................................. 81
Ekahau RTLS support..................................................................................................... 83
Wi-Fi Zoning................................................................................................................... 86
Bonjour Gateway Support................................................................................................ 93
Domain AP configuration............................................................................................... 100
Wireless security WIDS-WIPS configuration and management..................................... 111
Configuring a MAC filter blacklist.................................................................................... 122
Wireless Security Client MAC validation......................................................................123
Load Balancing of APs and WSPs.................................................................................. 130
Commonly used configuration procedures ...................................................................... 140
Chapter 5: ACLI Reference for wired networks................................................................. 153
ACLI reference for wired networks........................................................................................ 153
Configuring system options............................................................................................ 153
Configuring system security........................................................................................... 202
ACLI Commands Reference for Avaya WLAN 8100

Comments? infodev@avaya.com
June 2014
Contents
Configuring VLANs and Link Aggregation........................................................................244

Configuring IP routing.................................................................................................... 274
Configuring Access Lists................................................................................................305
Configuring Elements, Classifiers, and Classifier Blocks................................................... 308
Configuring wired Quality of Service................................................................................314
Configuring Serviceability...............................................................................................345
Configuring diagnostics and graphing............................................................................. 354
Appendix A: Supported Country Codes............................................................................. 367
June 2014

Chapter 1: Introduction
Purpose
This document is an Avaya Command Line Interface (CLI) Commands Reference guide for the
configuration and management of the Avaya Wireless LAN (WLAN) 8100 solution.
The ACLI commands reference is organized into two parts:
ACLI reference for Wireless LAN (WLAN) 8100
This chapter describe the major WLAN 8100 features for release 3.0 and the typical ACLI
commands for their configuration and management.
ACLI reference for wired networks
This chapter describes typical ACLI commands for wired network configuration.
For further information on the features of the Wireless LAN 8100 solution, see Feature Overview for
Avaya WLAN 8100, NN47251-102.
Related Resources
Documentation
For a list of the documentation for this product, see Documentation Reference for Avaya WLAN
8100, NN47251-100.
Training
Ongoing product training is available. For more information or to register, see http://avayalearning.com/.
Enter the course code in the Search field and click Go to search for the course.
Course Code
Course Title
6769X
Avaya Wireless LAN 8100 Implementation and Management

June 2014
Support
Course Code
Course Title
4D00045V
Avaya VENA Unified Access Implementation
Wireless LAN 8100 AIPS credential

7D00060A
Wireless LAN 8100 Implementation Assessment (online test)
Viewing Avaya Mentor videos

Avaya Mentor videos provide technical content on how to install, configure, and troubleshoot Avaya
products.
About this task

Videos are available on the Avaya Support website, listed under the video document type, and on
the Avaya-run channel on YouTube.
Procedure
To find videos on the Avaya Support website, go to support.avaya.com and perform one of the
following actions:
In Search, type Avaya Mentor Videos to see a list of the available videos.
In Search, type the product name. On the Search Results page, select Video in the
Content Type column on the left.
To find the Avaya Mentor videos on YouTube, go to www.youtube.com/AvayaMentor and
perform one of the following actions:
Enter a key word or key words in the Search Channel to search for a specific product or
topic.
Scroll down Playlists, and click the name of a topic to see the available list of videos posted
on the website.
Note:
Videos are not available for all products.
Support
Go to the Avaya Support website at http://support.avaya.com for the most up-to-date
documentation, product notices, and knowledge articles. You can also search for release notes,
downloads, and resolutions to issues. Use the online service request system to create a service
request. Chat with live agents to get answers to questions, or request an agent to connect you to a
support team if an issue requires additional expertise.
June 2014

Chapter 2: New in this release
The following sections detail what's new in the ACLI Commands Reference for Avaya WLAN 8100,
NN47251-107 for release 3.0.
Related Links
Features on page 8
Other changes on page 9
Features
See the following sections for information about the feature changes:
Support for External Captive Portal on page 8
Support for Link Layer Discovery Protocol (LLDP) on page 8
Bonjour Gateway support on page 9
For information on the WMS enhancements and on Avaya Command Line Interface (CLI)
commands, see Using WMS and EDM on Avaya WLAN 8100, NN47251-108 and ACLI Commands
Reference for Avaya WLAN 8100, NN47251-107 respectively.
For more information on feature fundamentals, see Feature Overview for Avaya WLAN 8100,
NN47251-102.
Support for External Captive Portal

Wireless LAN Cotroller 8100 can support external captive portal with patented floating CPIP
mapping method and RFC 5176 Change of Authorization (CoA) to achieve a linearly scaling
standalone external captive portal solution that is designed for both large and small deployment.
WLAN 8100 users can provide their own external captive portal based on design guideline from
Avaya.
The WLAN controller leverages RFC 5176 CoA (Change of Authorization) to support small, medium,
and large scale deployments.
Support for Link Layer Discovery Protocol (LLDP)

The Link Layer Discovery Protocol (LLDP) is a data link layer protocol in the Internet Protocol Suite
used by network devices for neighbor identity and capability discovery. Avaya AP advertises its
status to the neighbors and relays the information and status about the LLDP neighbors to its
managing wireless controller.

June 2014
Other changes
LLDP support on AP can advertise its status, capabilities, and process information from other LLDP
neighbors. Eg. PoE switches.
Bonjour Gateway support

Bonjour is a service discovery protocol of Apple. Bonjour locates devices such as printers, other
computers, and the services that those devices offer on a local network using multicast domain
name system (mDNS) service records. Bonjour can be extended across subnets by using Avaya
WLAN 8100 Bonjour Gateway feature, which selectively relays service discovery packets across
networks without using external gateway or custom router configuration.
Related Links
New in this release on page 8
Other changes
There are no other changes to this document for release 3.0.
Related Links
New in this release on page 8
June 2014

Chapter 3: Overview of WLAN deployment

solutions
The current release of Avaya WLAN supports the following deployment models.
WLAN Overlay
In the Overlay deployment, the Wireless Controller (WC) 8180 controls/manages Access
Points (AP) over a control channel and data is tunneled between the APs and the controller
over an access tunnel. Two or more WCs in the domain form a cluster, with a mesh of control
channels and data tunnels between each other.
WLAN Unified Access
In the Avaya VENA Unified Access deployment, the wireless controller deploys in the controlplane mode of operation of the 8180 platform. This device then hosts only the wireless control
function and is called a wireless control point (WCP). A switch such as the Avaya ERS
8600/8800 introduced into the network, tunnels traffic (data) and is known as the wireless
switching point (WSP). The APs and WSPs tunnel traffic between each other over an access
tunnel and the WSPs tunnel traffic between each other over a mobility tunnel.
Avaya implemented this solution by combining the functionality of the Avaya WC 8100 with the
Avaya Ethernet Routing Switch 8800/8600 (ERS 8800/8600).
10

June 2014
Chapter 4: ACLI reference for Wireless LAN

(WLAN) 8100
ACLI reference for the Wireless LAN (WLAN) 8100

The following sections describe the major WLAN 8100 features and the typical Avaya Command
Line Interface (ACLI) commands for their configuration and management.
Related Links
Performing controller configuration using the WC 8180 Quick Configuration utility on page 12
Viewing WLAN 8100 current configuration on page 14
Configuring and managing Link Layer Discovery Protocol on page 15
Configuring and managing Remote Packet Capture on page 19
Configuring and managing Client Band Steering and Client load balancing on page 28
Configuring and managing Captive Portals on page 29
Configuring and managing External Captive Portals on page 41
Configuring and managing RADIUS on page 48
Auto-RF on page 59
Configuring and viewing the Tunnel Path MTU on page 68
DiffServ on page 69
AeroScout on page 79
Station Isolation on page 81
Ekahau RTLS support on page 83
Wi-Fi Zoning on page 86
Bonjour Gateway Support on page 93
Domain AP configuration on page 100
Wireless security WIDS-WIPS configuration and management on page 111
Configuring a MAC filter blacklist on page 122
Wireless Security Client MAC validation on page 123
Load Balancing of APs and WSPs on page 130
Commonly used configuration procedures on page 140
June 2014

11
Performing controller configuration using the WC 8180 Quick

Configuration utility
The WC 8180 Quick Configuration utility allows you to perform a quick configuration of the WLAN
8100 controller. This utility is run from the Avaya CLI and consists of a series of prompts that are
used to set up the required configuration on the controller. If the controller is reset with defaultsettings, the install utility automatically runs on boot up.
Important:
The WC 8180 Quick Configuration utility is supported in only the Overlay deployment.
The WC 8180 Quick Configuration utility guides you through steps to configure the following:
Management interface and Wireless or System interface
Basic SNMP-v2
Trap-host configuration
SNTP
telnet
Wireless client interfaces
Mobility VLANs
Mobility domains
Network profile, AP profile, Radio Profile and Captive Portal profile configuration
Wireless RADIUS server configuration
License download
Before you begin

Remove the WC 8180 device from its packaging. Ensure you have the following hardware
components and materials:
- Wireless Controller (WC) 8180 device
- console cable
Procedure
1. Power on the WC 8180.
2. When the WC 8180 is up, connect the console cable.
3. Verify that the baud rate and other console parameters are properly configured. You can
view console parameters using the PuTTY application.
a. Open a PuTTY session.
b. On the left-hand-side tree view, click Serial.
c. Verify that the parameters are configured as follows:
12

June 2014
Figure 1: Console configuration
4. Press Ctrl+Y to start.

5. On the MENU screen, select Command Line Interface to go to the CLI.
6. Initiate the WC 8180 setup utility:
WC8180>en
WC8180#
WC8180#install
Related Links
ACLI reference for the Wireless LAN (WLAN) 8100 on page 11
Verifying controller configuration on page 13
Verifying controller configuration

Use this procedure to verify the configuration after running the WC 8180 Quick Configuration utility.
Procedure
1. Verify controller configuration:
WC8180#show wireless
Operation Mode
:
Status
:
Interface IP
:
TCP/UDP base port :
Base MAC Address :
Tunnel Path MTU
:
WC
Enabled
192.168.34.4
61000
58:16:26:FD:FE:00
1492
2. Verify controller domain membership:

WC8180#show wireless controller domain-membership
Domain Name
: Avaya
Domain Role
: Active MDC
June 2014

13
Domain Action Status

Action Failure Reason
: Join Success
: None
3. Verify domain configuration using the following command:

WC8180#show running-config module wireless
For more information on this command, see Viewing WLAN 8100 current configuration on
page 14.
Related Links
Performing controller configuration using the WC 8180 Quick Configuration utility on page 12
Viewing WLAN 8100 current configuration

You can view the current configuration of the WLAN 8100 system using the show runningconfig command.
Note:
You can run this command from any controller in the domain.
Procedure
1. Enter the command show running-config to view the current configuration on the WLAN
8100 system.
Note:
The command show running-config displays the entire WLAN 8100 system
configuration. Only configuration that is different from the default configuration is
displayed.
Command options of the show running-config command:
WC8180#show running-config ?
module
Display configuration of an application
verbose Display entire configuration (defaults and non-defaults)
Command options of the show running-config module command:

WC8180#show running-config module ?
802.1ab
Display 802.1ab configuration
aaur
Display AAUR configuration
adac
Display ADAC configuration
arp-inspection
Display ARP Inspection configuration
asset-id
Display Asset ID configuration
aur
Display AUR configuration
banner
Display Custom Banner configuration
core
Display Core configuration
default-cmd-interface Display Default Command Interface configuration
dhcp-relay
Display DHCP Relay configuration
dhcp-snooping
Display DHCP Snooping configuration
interface
Display Interface configuration
ip
Display IP configuration
ip-source-guard
Display IP Source Guard configuration
ipfix
Display IPFIX configuration
ipmc
Display IPMC configuration
14

June 2014
ipmgr
ipv6
l3
l3-protocols
lacp
logging
mac-security
mlt
nsna
pim
port-mirroring
qos
rate-limit
rmon
rtc
slpp
smlt
snmp
ssh
sshc
ssl
stack
stkmon
stp
unicast-storm-control
vlacp
vlan
wireless
<cr>
Display
Display
Display
Display
Display
Display
Display
Display
Display
Display
Display
Display
Display
Display
Display
Display
Display
Display
Display
Display
Display
Display
Display
Display
Display
Display
Display
Display
IP Manager configuration
IPV6 configuration
L3 configuration
L3 Protocols configuration
LACP configuration
System Logging configuration
MAC Security configuration
MLT configuration
NSNA configuration
PIM configuration
Port Mirroring configuration
QoS configuration
Rate Limiting configuration
RMON configuration
RTC configuration
SLPP configuration
SMLT configuration
SNMP configuration
SSH configuration
SSHC configuration
SSL configuration
Stack configuration
Stack Monitor configuration
STP configuration
Unicast Storm Control configuration
VLACP configuration
VLAN configuration
wireless configuration
2. Use one of the following command options to view the current wireless configuration:
WC8180#show running-config module wireless ?
ap-profile
Display wireless ap profile configs.
auto-rf
Display auto-rf configs
captive-portal
Display wireless captive-portal configs
capture-profile
Display wireless capture-profile configs.
crypto
Display wireless crypto configs
diffserv
Display wireless diffserv configs.
domain
Display wireless domian config
domain-ap
Display domain ap configs
domain-ap-image-external-download Display wireless
domain-ap-image-external-download configs
domain-load-balance
Display domain load balance configs
domain-wsp
Display domain wsp configs
network-profile
Display wireless network-profile configs.
radio-profile
Display wireless radio-profile configs.
security
Display wireless security config
system
Display wireless system configs
vlan-map
Display wireless valn-map configs
<cr>
Related Links
Configuring and managing Link Layer Discovery Protocol

Link Layer Discovery Protocol (LLDP) allows the Avaya AP to announce its presence on the
network, allowing it to be found by other devices. It also allows the AP to discover how and where it
June 2014

15
is connected to the network, and to report that information back to its managing Wireless Controller.
This information makes it easier to trace, locate, and debug installation issues.
The only configurable option for LLDP on the AP is the operation mode when the AP is managed. It
can be configured for:
Tx-Rx (Default mode): AP sends advertisements to neighbors and relays neighbor
advertisements to WC.
Tx-Only: AP sends advertisements to neighbors and drops neighbor advertisements.
Rx-Only: AP does not send advertisements to neighbors, but relays neighbor advertisements
to WC.
Off: AP does not send advertisements to neighbors and drops neighbor advertisements.
Note:
In unmanaged mode, the AP is always in Tx-Rx mode; no configuration is possible.
Advertisements are sent every 30 seconds with a time to live of 120 seconds. The content of the
LLDP advertisement is not configurable and is reproduced here for reference.
Transmitted (Advertised) Values:
Value
Unmanaged
Managed
Chassis ID
AP Ethernet MAC Address
Port ID
System Name
AP Model Type
AP Label from Configuration

Profile
Management Address
0.0.0.0 before dhcp address is

assigned
A.B.C.D, DHCP assigned

address
A.B.C.D after dhcp address is

assigned
System Capabilities
WLAN/Bridge Capability
WLAN/Bridge Capability
WLAN/Bridge Not Enabled
WLAN/Bridge Enabled
System Description
Avaya Wireless AP, Model

{model}, HW Ver: Rxx, FW
Ver: 3.0.0.0
Avaya Wireless AP, Model

{model}, HW Ver: Rxx, FW
Ver: 3.0.0.x
Port Description
eth0 before dhcp address is

obtained,
eth0, IP: A.B.C.D
eth0, IP: A.B.C.D after dhcp

is obtained
Related Links
Configuring LLDP operation on an AP on page 17
16

June 2014
Configuring LLDP operation on an AP

Before you begin
Ensure that you are in the wireless configuration mode on the Avaya CLI. Use the following
commands:
WC8180#conf t
WC8180(config)#wireless
WC8180(config-wireless)#
About this task

Use this procedure to configure LLDP operation on an AP.
Procedure
1. Enter into the ap-profile configuration mode:
WC8180(config-wireless)#ap-profile 1
2. Enter the following commands to configure LLDP on the AP:

To enable LLDP on AP:
WC8180(config-ap-profile)#lldp-status ?
rxOnly
Enable receive only
txAndRx Enable transmit and receive
txOnly
Enable transmit only
WC8180(config-ap-profile)#lldp-status rxOnly
To disable LLDP on AP:

WC8180(config-ap-profile)#no lldp status
To set the value to default:

WC8180(config-ap-profile)#default lldp status
3. Use the following commands to verify the LLDP status:

LLDP is enabled:
WC8180(config-ap-profile)#show wireless ap-profile 1 detail
AP Profile Id: 1
Name
: Default
Country Code
: US
AP Model
: Avaya APs (AP8120/AP8120-E)
Is Default Profile?
: No
AE Protocol Support
: Disable
Ekahau Tag Blink Mode : Disable
Ekahau Server IP
: 0.0.0.0
Ekahau Server UDP Port : 8569
LLDP status
: rxOnly
Status
: Configured
LLDP is disabled:
WC8180(config-ap-profile)#show wireless ap-profile 1 detail
AP Profile Id: 1
Name
: Default
Country Code
: US
AP Model
: Avaya APs (AP8120/AP8120-E)
Is Default Profile?
: No
AE Protocol Support
: Disable
Ekahau Tag Blink Mode : Disable
June 2014

17
Ekahau Server IP
: 0.0.0.0
Ekahau Server UDP Port : 8569
LLDP status
: Disabled
Status
: Configured
4. Apply the new LLDP configuration on the managed AP:

WC8180#wireless controller config-sync
5. View the status of LLDP configuration on the managed AP in detail:

WC8180# show wireless ap status 00:1B:4F:69:DF:E0 detail
Total APs: 1, Managed APs: 1, Failed APs: 0
------------------------------------------------------AP (MAC=00:1B:4F:69:DF:E0)
IP Address : 10.250.8.230
Status : Managed
------AP LED Status : LED-ON
LLDP status : Disabled | rxOnly | txOnly| rxAndTx|N/A
LLDP Neighbor Count : 1
6. Use the following command to view the LLDP status received by an AP from its neighbors:
WC8180#show wireless ap lldp-neighbor
------------------------------------------------------------------------------AP MAC
Neighbor MAC
Mgmt IP
Port Description
----------------- ------------------ --------------- ----------------------00:02:6F:B8:58:C0 6C:FA:58:7B:38:00
1.1.1.20
Port 24
00:1B:4F:6A:59:20 00:14:C7:30:6C:00
1.1.1.10
Port 22
58:16:26:AC:75:60 00:14:C7:30:6C:00
1.1.1.10
Port 21
B0:AD:AA:52:C8:E0 6C:FA:58:7B:38:00
1.1.1.20
Port 23
-------------------------------------------------------------------------------
7. Use the following command to view the details of LLDP neighbors:

WC8180#show wireless ap lldp-neighbor 58:16:26:AC:75:60 detail
------------------------------------------------------------------------------AP : 58:16:26:AC:75:60
------------------------------------------------------------------------------Neighbor : 00:14:C7:30:6C:00
Age
: 0d:01:36:19
PVID
: 70
Chassis
Chassis ID
: mac 00:14:C7:30:6C:00
System Name
:
System Description: Ethernet Routing Switch 5520-24T-PWR HW:02
FW:
6.0.0.18 SW:v6.3.3.040
Port
Port id
: mac 00:14:C7:30:6C:15
Port Description : Port 21
System Capabilities
Supported
: Bridge
Router
Enabled
: Bridge
Router
Management Address
Address
: ipv4 1.1.1.10
Interface Number : 0
Interface Subtype : Unknown (1)
Vlan
VLAN ID
: 1
Name: VLAN #1
18

June 2014
VLAN ID
: 70
Name: cherish2
-------------------------------------------------------------------------------
8. Use the following command to clear failed APs and associated LLDP neighbors:
WC8180#clear wireless ap failed
Related Links
Configuring and managing Link Layer Discovery Protocol on page 15
Configuring and managing Remote Packet Capture

Remote packet capture enables live debugging to troubleshoot client related issues. It can also be
used to monitor traffic in a wireless network.
Remote packet capture enables you to capture packets on wireless interfaces on any AP in the
mobility domain. You can use this capability to troubleshoot wireless connectivity issues and identify
the nature of the wireless traffic at different locations in the deployment. You can monitor wireless
traffic in general.
To enable remote packet capture, you typically configure a capture profile on the AMDC of the
mobility domain and then apply this profile to specific APs in the mobility domain. Each capture
profile supports multiple configuration parameters that specify the behavior of the capture. You can
configure up to four capture profiles on the AMDC.
A single stream of packet capture between the remote capture device and observer host is called a
capture instance. A remote capture device can have one capture instance per capture profile with a
maximum of 4 capture instances.
A capture instance is started when a capture profile is applied to a AP using a start action.
A capture instance cannot be started when the configuration profiles are not synchronized in the
mobility domain.
A capture instance that is not active can be restarted using a restart action. A capture instance that
is active can be stopped using a stop action
Before starting the capture instance, you must install Wireshark on the observer host to capture
frames on the observer host IP of the capture instance.
Wireshark is a packet analyzer with extensive capabilities to analyze various protocols and is freely
available for download from the internet. Wireshark version 1.6 or higher support decoding of
CAPWAP encapsulated data.
After you install Wireshark, start the capture stream for the capture instance. Wireshark displays
received packets from the capture stream on the configured UDP port for the capture instance.
Wireshark can be configured to decode all packets received on the UDP port of the capture stream
as CAPWAP data packets.
The UDP port that is used for CAPWAP capture stream to the observer host is configured in the
capture profile.
June 2014

19
Before you begin

Before you start a packet capture, ensure that you do the following on the Observer host PC.
Download the Netcat application from http://netcat.sourceforge.net/download.php to a location
on the PC.
Open a UDP port for listening.
Important:
If you do not open the UDP port on the observer host then the capture device receives the
ICMP port unreachable error for every capture packet in the capture stream. This
severely impacts the performance.
Launch Netcat.
On a Windows machine, execute the following command at the location of installation of
Netcat. In the following example, 172.16.9.10 is the IP address of the Observer host PC and
the observer port is 37008.
D:\RPC\NetCat>nc -l -u -p 37008 -s 172.16.9.10 -v
listening on [172.16.9.10] 37008 ...
On a Linux machine, execute the command nc l u <port number>.

Launch Wireshark to capture frames.
- In Wireshark, ensure that you configure the CAPWAP UDP data port correctly. To decode
the information packets correctly, this port must be the same as that opened for listening on
the observer host PC. On Wireshark, navigate to Edit, Preferences, CAPWAP. Update the
field CAPWAP data UDP port.
- Also ensure that you deselect Swap Frame Control.
20

June 2014
Figure 2: Configuration of the CAPWAP UDP port on Wireshark
Procedure
1. Create a capture profile on the AMDC using the following command.
WC8180(config-wireless)#capture-profile ?
<1-4> Capture Profile ID
Note:
You can configure a maximum of 4 capture profiles on the AMDC.
2. Configure the capture profile parameters using the following commands.
Important:
After you complete the configuration, ensure that you synchronize configuration across
all controllers in the mobility domain.
Overview of the capture profile configuration commands.
WC8180(config-capture-profile)#?
Capture Profile Configuration Commands
default
Set a command to its default values
direction
Filter capture by flow direction
duration
Stop after elapsed duration in seconds
end
End wireless capture configuration mode
exit
Exit from wireless capture configuration mode
filters
Set filters for the packet capture profile
interface
Specify the capture interface(s) for the packet capture
no
Disable capture profile parameters
observer-ip
IP address of the observer host
observer-port
L4 port on the observer host
June 2014

21
profile-name
promisc-mode
snap-length
Name of the profile

Enable promiscuous capture on selected interfaces
Truncate capture to a specified length (in bytes)
Configure the direction of the capture.

WC8180(config-capture-profile)#direction ?
both
Transmit and receive
downlink
Transmit only
uplink
Receive only
Configure the duration of the capture.

WC8180(config-capture-profile)#duration ?
<0-86400> Enter capture duration in seconds
Configure filters for the capture.

WC8180(config-capture-profile)#filters ?
Set filters for the packet capture profile
client-mac
Filter capture by client-mac
include-beacons
Include 802.11 beacons in capture data
include-control
Include 802.11 control frames in capture data
include-data
Include 802.11 data in capture data
include-mgmt
Include 802.11 mgmt frames other than probes/beacons in the
capture data
include-probes
Include 802.11 probes in capture data
ssid
Filter capture by ssid
Configure radio interfaces for the capture.

WC8180(config-capture-profile)#interface ?
a-radio
5.0 GHz radio interface only
all
All radio interfaces
b-radio
2.4 GHz radio interface only
Configure the IP address of the observer host PC.

WC8180(config-capture-profile)#observer-ip ?
ipaddr IP address of Observer machine
Configure the observer port.

WC8180(config-capture-profile)#observer-port ?
<1-65535> Enter a UDP port number
Configure the profile name.

WC8180(config-capture-profile)#profile-name ?
WORD Enter a name (1-32 characters)
Configure the snap length.

WC8180(config-capture-profile)#snap-length ?
<32-1024> Enter snap-length in bytes
Important:
In Wireshark, when the packet length exceeds the configured snap length in the capture
profile, the captured packets are displayed as Malformed. The default value of the snap
length is 128 and the value can be modified between 32 and 1024.
Adjust the snap length to prevent malformed packets.
3. Verify details of the configured capture profile(s) using the following commands.
22

June 2014
For an overview of all configured capture profiles, use:

WC8180# show wireless capture-profile
To view details of a selected capture-profile, use:

WC8180# show wireless capture-profile <1-4> detail
A sample output is as follows:

WC8180(config-capture-profile)#show wireless capture-profile 1 detail
Capture Profile ID: 1
Name
: Default
Observer IP Address
:
Observer UDP Port
: 37008
Filter Promiscous mode
: Disabled
Filter Interfaces
: All Radios
Filter Flow direction
: Transmit and Receive
Filter SSID
:
Filter Client MAC
: 00:00:00:00:00:00
Filter 802.11
: data
Filter Duration
: 300
Filter SNAP Length
: 128
4. Manage packet capture instances using the following commands.

CLI Reference:
WC8180#wireless capture-instance ?
Packet capture instances
delete
Delete capture instance
restart
Restart capture instance
start
Start capture instance
stop
Stop capture instance
Start packet capture instances:

WC8180# wireless capture-instance start ap <ap-mac> profile <profile-id>
Stop packet capture instances:

WC8180#wireless capture-instance stop ?
all
All instances
ap
AP MAC Address
profile
Capture profile
Stop all capture-instance(s) for a profile-id.

WC8180# wireless capture-instance stop profile <profile-id>
Stop all capture-instance(s) for an AP.

WC8180# wireless capture-instance stop ap <ap-mac>
Stop all capture instances.

WC8180# wireless capture-instance stop all
Restart packet capture instances:

WCP8180#wireless
all
ap
profile
June 2014
capture-instance restart ?
All instances
AP MAC Address
Capture profile

23
Restart all capture instances.

WC8180#wireless capture-instance restart all
Restart all capture-instance(s) for a specific AP.

WCP8180# wireless capture-instance restart ap <ap-mac>
Restart all capture-instance(s) for a specific profile.

WC8180# wireless capture-instance restart profile <profile-id>
Delete packet capture instances:

WCP8180#wireless capture-instance stop ?
all
All instances
ap
AP MAC Address
profile
Capture profile
Delete all capture instances.

WC8180#wireless capture-instance delete all
Delete all capture-instance(s) for a specific AP.

WCP8180# wireless capture-instance delete ap <ap-mac>
Delete all capture-instance(s) for a specific capture profile.

WC8180# wireless capture-instance delete profile <profile-id>
Delete a specific capture instance.

WC8180# wireless capture-instance delete ap <ap-mac> profile <profile-id>
View packet capture instances:

To view capture-instances for specific AP, use:
WC8180# show wireless capture-instance ap <ap-mac>
To view capture-instances for a specific profile, use:

WC8180# show wireless capture-instance profile <profile-id>
To view all capture instances, use:

WC8180# show wireless capture-instance
5. Use the following command to view wireless capture profile configuration:

WC8180#show running-config module wireless capture-profile
Related Links
Configuration scenarios on page 24
CLI commands reference for remote packet capture on page 25
Configuration scenarios
The following section describes special configuration scenarios and their behavior.
24

June 2014
Important:
When the SSID filter is set, you must not enable the promiscous mode.
Scenario 1 include-beacon + ssid:
Observation: No packets are captured.
Reason: In the Remote packet capture driver, ssid is converted to bssid. This bssid is compared
with the one from the beacon, which never matches and therefore no packet is captured.
Scenario 2 include-probe + ssid:
Observation: The probe request packets are observed but with a different ssid (the ssid filter did not
work)
Reason: When the probe request has a broadcast bssid, the comparison does not happen. Hence
all probe requests are captured with a different ssid.
The following section describes configuration settings and the corresponding output.
no promisc-mode + include-beacon you see beacons from all APs.
promisc-mode + include-beacon you see beacons from all APs.
no promisc-mode + include-probe you see probe requests/responses from all APs.
promisc-mode + include-probe you see probe requests/responses from all APs.
no promisc-mode + include-beacon + include-probe you see beacons/probes from all APs.
promisc-mode + include-beacon + include-probe you see beacons/probes from all APs.
no promisc-mode + include-data you see data to/from only your AP.
promisc-mode + include-data you see data to/from all APs.
promisc-mode + no frame-types you do not see any packets.
promisc-mode + include-data + include-beacon + include-probe you see data, beacon and
probes from all APs.
no promisc-mode + include-data + include-beacon + include-probe you see beacons and
probes from all APs, but data only from your AP.
CLI commands reference for remote packet capture

Commands to configure a capture profile
Use the following parameters to define a capture profile on a managed Access Point (AP).
Command
Parameters
Description
default
none
Sets the command to its default values.
direction
Specifies the capture flow direction.

The direction is specified with respect to the MU.
Uplink and Downlink are valid directions. By default,
June 2014

25
Command
duration
Parameters
Description
both directions are enabled. Uplink indicates receive
for an AP and downlink indicates transmit for the AP.
both
Specifies both transmit and receive.
downlink
Specifies transmit only.
uplink
Specifies receive only.
<086400>
Range is 0 to 86400 seconds.

Specifies the duration for which capture should continue.
Packet capture stops after the time duration elapses.
Use a default value of 5 minutes. A value of 0 means
infinite duration.
end
End wireless capture configuration mode.
exit
Exit from wireless capture configuration mode.
filters
client-mac
Traffic is captured only from/to specific client MAC

address. To exclude this filter, set the value to empty
string.
This setting is ignored on promiscuous mode. This filter
is not applicable to beacons.
By default, the client MAC address is null.
include-beacons
Include 802.11 beacons frames from captures on radio

interfaces. This filter is disabled by default. When a
station MAC filter is set, it is not applied for selection of
beacon frames
include-control
Include 802.11 control frames from captures on radio

interfaces. This filter is disabled by default.
include-data
Include 802.11 data in capture data. This filter is enabled

by default.
include-mgmt
Include 802.11 management frames other than probes/

beacons in the capture data. This filter is disabled by
default.
include-probes
Include 802.11 probe frames in capture data. This filter

is disabled by default.
ssid
Traffic is captured only on specifies SSID. To exclude

filtering on SSID, set this value to empty string. An
empty string is also the default value. This setting is
ignored on promiscuous mode.
An AP checks the validity of the SSID when packet
capture is started.
interface
no
26
a-radio
Specifies 5.0 GHz radio interface only.
all
Specifies all radio interfaces.
b-radio
Specifies 2.4 GHz radio interface only.

Disables capture profile parameters.

June 2014
Command
Parameters
Description
observer-ip
ipaddr
IP address of the observer host to which to send the

captured traffic.
observer-port
<165535>
Specifies the destination UDP port for sending the

captured traffic. This is the L4 port that observer PC is
listens on.
Important:
Ensure the observer host on the UDP port is open.
If you do not open the UDP port on the observer
host then the capture device receives the ICMP
port unreachable error for every capture
packet in the capture stream. This severely impacts
performance.
profile-name
WORD<132>
Specifies the name of the profile.

By default, a capture profile is created with the profile
name capture_profile_00n.
promisc-mode
Enable/Disable: When promiscuous mode is disabled,

only traffic directed to the AP is captured. Note that
enabling promiscuous mode can result in multiple APs
reporting copies of the same packets.
Promiscuous capture is disabled by default.
For more information on the promiscous mode of
operation, see the Feature Overview for Avaya WLAN
8100, NN47251-102.
snap-length
<321024>
Specifies the file size of the packet capture, after which

the capture is truncated.
The range is 32 to 1024 bytes. The default snap-length
is 128 bytes.
An AP forwards CAPWAP encapsulated wireless
packets to the observer PC. Snap-length is the size of
the wireless packet including the 802.11 headers.
You may notice malformed packets in Wireshark when
use a lower sized snap-length.
Note:
In Wireshark, when the packet length exceeds the
configured snap length in the capture profile, the
captured packets show as Malformed. The default
value of the snap length is 128 and the value can
be modified between 32 and 1024.
Commands to configure Capture Instances
June 2014

27
Configure capture instance

Command
Parameters
Description
start
ap <ap-mac>
Specifies the AP MAC address to start the wireless

capture instance.
profile <profile-id>
Specifies the capture profile.
all
Stops all wireless capture instances.
ap
Specifies the AP MAC address to stop the wireless

capture instance.
profile
Specifies the capture profile to stop.
all
Deletes all the wireless capture instances.
ap <ap-mac>
Specifies the AP MAC address to delete the wireless

capture instance.
profile <profile-id>
Specifies the capture profile to delete.
all
Restarts all the wireless capture instances.
ap
Specifies the AP MAC address to restart the wireless

capture instance.
profile
Specifies the capture profile to restart.
stop
delete
restart
Related Links
Configuring and managing Remote Packet Capture on page 19
Configuring and managing Client Band Steering and Client load

balancing
Client Band Steering is a technique used to increase the overall capacity of a dual-band wireless
network composed of multiple APs that use both the 2.4 GHz and 5.0 GHz radios.
You typically enable Client Band Steering and Client Load Balancing when you configure Access
radio profiles.
Client stations predominantly support 2.4GHz. Many modern client stations have dual-band support
yet tend to favor connection to 2.4GHz networks (although some popular modern clients still only
support 2.4GHz, e.g. the Apple iPhone 4). As a result, dual-band networks have the 2.4GHz band
heavily utilized, and the 5GHz band under utilized. The objective of Client Band Steering is to
encourage 5GHz capable client stations to use the 5GHz radio instead of the 2.4GHz radio, leaving
the 2.4GHz radio for stations that only support 2.4GHz.
As part of Client load-balancing configuration, you enable/disable the Load balancing. After you
enable load balancing, you configure the following parameters:
utilization-start (%) Utilization level at which client association load balancing begins
utilization-cutoff (%) Client association load balancing cutoff. If this threshold is exceeded,
all further client associations are refused.
28

June 2014
Important:
This cutoff is useful so that controller CPU utilization is maintained at an optimum level. If
CPU utilization goes beyond 100%, it causes the controller to restart which in turn results
in an unprecedented controller outage.
About this task

Use this procedure to configure client band steering and client load balancing in access radio
profiles.
Procedure
1. Create an Access Radio profile.
Configure A-N and BG-N radio profiles to support different radio frequencies. The following
examples shows the creation of A-N and BG-N radio profiles with the country code specified
as US and the AP model specified as ap8120/E. For an outdoor AP, specify the AP model
as ap8120O in the command.
WC8180(config-wireless)#radio-profile 3 country-code US ap-model ap8120/E
access-wids a-n
Creating a radio-profile (id = 3) with country-code = US and ap-model
AP8120/E...
WC8180(config-radio-profile)#profile-name A-N
WC8180(config-radio-profile)#exit
WC8180(config-wireless)#radio-profile 4 country-code US ap-model ap8120/E
access-wids bg-n
Creating a radio-profile (id = 4) with country-code = US and ap-model
AP8120/E...
WC8180(config-radio-profile)#profile-name BG-N
WC8180(config-radio-profile)#exit
2. Enable client band steering and load balancing using the following commands.
WC8180(config-wireless)#radio-profile 3
Entering radio-profile (id = 3) configuration mode...
WC8180(config-radio-profile)#band-steering enable
WC8180(config-radio-profile)#load-balance enable
WC8180(config-radio-profile)#load-balance utilization-start 30
WC8180(config-radio-profile)#load-balance utilization-cutoff 60
WC8180(config-radio-profile)#band-steering enable
WC8180(config-radio-profile)#load-balance enable
WC8180(config-radio-profile)#load-balance utilization-start 30
WC8180(config-radio-profile)#load-balance utilization-cutoff 60
Related Links
Configuring and managing Captive Portals

The following sections describe the configuration and management of Captive Portals using the
ACLI.
June 2014

29
Note:
The current release of WLAN 8100 supports certificate mapping to either a RADIUS application
or a Captive Portal. For more information, see Mapping a certificate on page 55.
Related Links
Configuring Captive Portal general settings on page 30
Configuring Captive Portal profiles on page 31
Redirecting the URL for Captive Portals on page 35
Configuring the Web hostname in Captive Portals on page 36
Customizing Captive Portals updating Captive Portal locale on page 36
Customizing Captive Portal using static HTML pages on page 38
Managing Captive Portals on page 40
Viewing Captive Portal network status on page 41
Viewing current Captive Portal configuration on page 41
Configuring Captive Portal general settings

About this task
Use the following commands to configure Captive Portal general settings.
CLI reference:
WCP8180(config-wireless)#captive-portal ?
Parameters:
auth-timeout
Authentication session timeout period
enable
Enable captive portal feature on the system
http-port
Configure additional HTTP port
https-port
Configure additional HTTPS port
stats-report-interval Interval between statistics reports to peer controller
tftp-server
Set TFTP server IP address for Captive Portal Image
customization
Sub-Commands/Groups:
profile Create/Modify a specific captive portal profile
WCP8180(config-wireless)#captive-portal
Procedure
1. Enter the wireless configuration mode of the ACLI.
2. Use the command captive-portal enable to enable Captive Portal service.
3. Use the command captive-portal auth-timeout <60 - 600> to set the
authentication timeout value in seconds.
4. Use the command captive-portal http-port <0 - 65535> to configure the Captive
Portal HTTP port.
5. Use the command captive-portal https-portal <0 - 65535> to configure the
Captive Portal HTTPS port.
6. Use the command captive-portal stats-report-interval <15 - 3600> to
configure the statistics reporting interval in seconds.
30

June 2014
7. Use the command captive-portal tftp-server <TFTP server IP address> to

configure the TFTP server IP address for Captive Portal customization. Captive Portal
customization files (such as Captive Portal messages, logo image, background image and
font-set) for a customized guest user login experience, are typically stored on a TFTP server.
The controller when configured with the TFTP server IP address can access the server and
upload the customization files.
Configuring Captive Portal profiles

A Captive Portal profile is an instance of a specific Captive Portal configuration set. It specifies
global attributes to customize Captive Portal interfaces, session timeout (for example, authentication
session timeout) and usage limits for users. You can store image files for customizing the Captive
Portal login page on a TFTP server, and specify the TFTP server IP address in a Captive Portal
profile. The controller (WC 8180) provides a way to protect the wireless system IP address from
guest user access using Captive Portal profiles.
The Captive Portal IP address is used for Captive Portal user access. All Captive Portal user clients
send HTTP/HTTPS GET requests to this IP address which is then mapped to a Web host name
internally. The client HTTP/HTTPS GET requests are load-balanced based on the client MAC
address.
Note:
The Captive Portal IP address must be an active VLAN interface IP on any controller in the
domain, except the Management VLAN IP, the System VLAN IP, or the wireless interface IP of
that controller. The Captive Portal IP must exist physically in one of the domain controllers.
Note:
The current release of WLAN 8100 allows you to configure up to 8 Captive Portal IP addresses
for a single Captive Portal profile. Avaya recommends that you configure as many Captive
Portal IP addresses for a Captive Portal profile as there are controllers in the domain. For
example, if there are 8 controllers in the domain, configure up to 8 Captive Portal IP addresses
for a single Captive Portal profile.
CLI Reference:
WCP8180(config-wireless)#captive-portal profile 1
Entering captive-portal-profile (id = 1) ...
WCP8180(config-cp-profile)#ip ?
A.B.C.D IPv4 Address
Procedure
1. Enter the wireless configuration mode of the CLI.
2. Use the command captive-portal profile <Profile ID> to configure a Captive
Portal. Use a profile ID, for example 3.
WCP8180(config-wireless)#captive-portal profile ?
<1-10> Captive portal profile ID
June 2014

31
WCP8180(config-cp-profile)#?
Captive Portal Profile Configuration Commands
block
Block traffic for this profile
color
Set Captive-portal color scheme
default
Set captive portal parameters to default settings
end
End configuration mode
exit
Exit out of captive portal profile configuration mode
idle-timeout
Configure session idle timeout
ip
Captive-portal IP addresses
locale
Configure captive portal locale settings
max-bandwidth
Configure max bandwidth limit for transmit or receive
max-octets
Configure max octets available per session
no
Disable captive portal profile settings
profile-name
Set captive portal profile name
protocol-mode
Set captive portal protocol mode
redirect
Enable HTTP redirect mode after authetication
redirect-url
Configure redirected URL
session-timeout Set session timeout.
user-logout
Enable user-logout mode for captive portal users
walled-garden
Captive-portal Walled Garden hostname configuration mode
web-hostname
Configure web hostname for Captive-Portal
WCP8180(config-cp-profile)#
3. Use the command show wireless captive-portal profile <ID> detail to show
details of the Captive Portal profile details for a specific Captive Portal profile.
4. Use the command captive portal profile <profile_number> block to block
profile traffic.
5. Use the command captive portal profile <profile_number> color to set the
Captive Portal color scheme.
Command options:
WCP8180(config-cp-profile)#color ?
background Set background color
foreground Set foreground color
separator
Set separator color
6. Use the command captive portal profile <profile_number> default to set

Captive Portal profile parameters to default settings.
7. Use the command captive portal profile <profile_number> idle-timeout to
set the Captive Portal session idle timeout value. Enter the time in seconds. The range is 0
to 2100000000 seconds.
8. Use the command captive portal profile ip <ip-address> to configure a
Captive Portal IP interface. Use the command, no ip < ip-address> to remove the
captive portal IP interface.
9. Use the command captive portal profile <profile_number> locale to set the
Captive Portal locale settings.
For more information, see Customizing Captive Portals updating captive portal locale on
page 36.
32

June 2014
10. Use the command captive portal profile <profile_number> max-bandwidth

to configure the maximum transmit and receive bandwidth limits.
Command options:
WCP8180(config-cp-profile)#max-bandwidth ?
down Set receive bandwidth limit
up
Set transmit bandwidth limit
WCP8180(config-cp-profile)#max-bandwidth down ?
<0-4294967295> Bandwidth in bits per second
WCP8180(config-cp-profile)#max-bandwidth up ?
<0-4294967295> Bandwidth in bits per second
11. Use the command captive portal profile <profile_number> max-octets to

configure the maximum session octets.
Command options:
WCP8180(config-cp-profile)#max-octets ?
input
Set max input octets per session
output Set max output octets per session
total
Set max total octets per session
WCP8180(config-cp-profile)#max-octets input ?
<0-4294967295> Enter max allowed in bytes
12. Use the command captive portal profile <profile_number> profile-name to

set the profile name.
13. Use the command captive portal profile <profile_number> protocol-mode
to set the protocol mode.
Command options:
WCP8180(config-cp-profile)#protocol-mode ?
http
HTTP mode
https HTTPS mode
14. Use the command captive portal profile <profile_number> redirect enable
HTTP redirect mode after authentication.
15. Use the command captive portal profile <profile_number> redirect-url to
configure the redirect URL.
For more information, see Redirecting the URL for captive portals on page 35.
16. Use the command captive portal profile <profile_number> sessiontimeout to set the session timeout value. Enter a time in seconds. The range is 0 to
2100000000.
17. Use the command captive portal profile <profile_number> user-logout to
enable user logout.
18. Use the command walled-garden to enter the Captive Portal Walled Garden host-name
configuration mode.
Sometimes, a Captive Portal user may need to access network resources in the intranet or
public Web sites from an enterprise network, without requiring to first undergo Captive Portal
June 2014

33
authentication. To support these user requirements, the WLAN 8100 allows configuration of
the IP addresses of Web hosts in a Captive Portal profile so that the user can access these
hosts without the need for authentication. This is the Captive Portal Walled Garden feature.
The Walled Garden feature also enables you to configure access to certain Web hosts within
the network for unauthenticated users. After you configure the host IP address of the Web
host, the users will have access to all Web pages hosted on that server. This is especially
useful when you want to open up specific information, policy or guest registration Web sites
for unauthenticated clients or guest users.
Note:
You can configure up to 8 Captive Portal walled-garden hosts in a single Captive Portal
profile.
Use the following command options to configure the host name and host type. Currently only
IP address is supported as a host type.
WC8180(config-cp-profile)#walled-garden ?
hostname Walled garden hostname or IP address
WC8180(config-cp-profile)#walled-garden hostname ?
WORD IP address (1-255 characters)
WC8180(config-cp-profile)#walled-garden hostname 10.1.1.2 ?
type Walled garden hostname Type
WC8180(config-cp-profile)#walled-garden hostname 10.1.1.2 type ?
ip-addr IP address type
Example: Use the following command to configure a Walled Garden host IP address.
WC8180(config-cp-profile)#walled-garden hostname 10.1.1.2 type ip-addr
Verify the configuration.

WC8180#show wireless captive-portal profile 1 detail
Captive Portal Profile ID: 1
........
Web Hostname
: xyz.com
Foreground Color
: #6F7B82
Background Color
: #6F7B82
Separator Color
: #CC0000
Walled Garden Hostname
: 10.10.10.20
: 10.10.10.30
CP IP Address
: 10.1.2.2
CP IP Address
: 10.1.2.3
........
19. Use the command captive portal profile <profile_number> web-hostname to

configure the Web host name for Captive Portal.
WCP8180(config-cp-profile)#web-hostname ?
WORD DNS name (1-255 characters)
Example
View a sample Captive Portal profile configuration using the command show running-config
module wireless captive-portal.
WC8180(config-cp-profile)#show running-config module wireless captive-portal
! Embedded ASCII Configuration Generator Script
34

June 2014
! Model = Wireless LAN Controller WC8180

! Operation Mode
= WC
! Software version = v2.1.0.015
!
! Displaying only parameters different to default
!================================================
...
captive-portal enable
captive-portal profile 1
profile-name Default
no user-logout
session-timeout 28800
color background #6F7B82
color foreground #6F7B82
color separator #CC0000
walled-garden hostname 10.10.10.20 type ip-addr
locale
success-msg browser-title 004300610070007400690076006500200050006F0072007400610
06C0020002D0020004C006F00670067006500640020004F00750074
exit
exit
...
Redirecting the URL for Captive Portals

After authentication of a guest user, by default, the Captive Portal welcome page is displayed to the
user. Use the Captive Portal redirect command to specify a Web page URL (different from that of
the default welcome page), to redirect a Captive Portal guest user request to, after authentication.
For this, you must first enable redirect on the Captive Portal.
The behavior of the Captive Portal redirect command is as follows:
If redirect is enabled but no redirect-url is configured, user requests are redirected to the
previously requested URL.
If redirect is enabled and a redirect-url is configured, user requests are redirected to the
specified Web page URL. The URL can be that of a corporate portal, guest portal or any Web
site reachable by the wireless clients.
If redirect is disabled, then, after user authentication the default Captive Portal welcome page
displays.
Use the following commands to configure the redirect URL in a Captive Portal:
2. Enter Captive Portal profile configuration.
3. Use the command captive portal profile <profile_number> redirect enable
HTTP redirect mode after authentication.
4. Use the command captive portal profile <profile_number> redirect-url to
configure the redirect-URL.
WCP8180(config-cp-profile)#redirect-url ?
WORD Redirect HTTP URL (1-255 characters)
June 2014

35
Note:
The supported characters in the redirect-URL are the underscore (_), dash (-), period (.),
percentage (%), colon (:), forward slash (/), question mark (?) and the equal sign (=).
Note:
To enter the question mark (?) character in CLI, use the escape character which is the
back slash (\), before the question mark character.
For example, if the redirct-URL is http://www.google.com?test=ag, you must
enter http://www.google.com\?test=ag.
5. Use the command captive portal profile <profile_number> no redirect to
disable redirection.
6. Use the command default redirect-url to reset the redirect-url to the default
value.
Configuring the Web hostname in Captive Portals

You can configure a Web host-name to mask a Captive Portal IP address, from guest users. A Web
host-name helps restrict exposure of the WLAN 8100 system IP addresses to a guest user.
Note:
The default Web host-name is <random-string>.cp-login.com.
2. Enter Captive Portal configuration.
3. Use the command captive-portal profile <ID> to go to the captive portal profile.
4. Use the command web-hostname <avaya-guest.com> to change the Web hostname.
5. Use the command default web-hostname to reset the Web hostname to the default
value.
Customizing Captive Portals updating Captive Portal locale

Configure Captive Portal locales for Captive Portal service presentation. Here you can define
Captive Portal messages, logo image, background image and font-set. You can download a
customized Captive Portal locale file from the TFTP server. For each Captive Portal profile there can
be only one locale. The locale also has localization configuration.
About this task

CLI reference:
Procedure
1. Enter the Captive Portal configuration in the CLI.
2. Use the command captive-portal profile <ID> to go to the Captive Portal profile.
36

June 2014
3. Enable customization on the Captive Portal profile.

WCP8180(config-cp-locale)# custom ?
<cr>
4. Configure the Captive Portal locale using the following options:

Important:
When configuring Captive Portal locale using command options that require strings (text)
as parameters, like for example, login-msg or error-msg, ensure that you provide
the UTF 16 equivalent of those strings. These commands do not accept strings as is.
WCP8180(config-cp-profile)#locale
WCP8180(config-cp-locale)#?
Captive Portal Locale Configuration Commands
code
Set locale code(browser preferred language)
custom
Enable Captive-Portal customization mode
custom-file Configure Captive-Portal Customization package filename
default
end
error-msg
Configure captive portal locale error message
exit
Exit out of locale configuration mode
font-list
Set captive-portal HTML page font
image
Configure captive portal locale image name
link
Set locale link text for user identification.
login-msg
Configure captive portal locale login message
logout-msg
Configure captive portal locale logout message
no
Disable Captive-Portal Locale setting
popup-msg
Set text to remind user to allow popups from our web site
script-msg
Set text to notify user if their browser has javascript disabled
success-msg Configure captive portal locale logout success message
welcome-msg Configure captive portal locale welcome message
wip-msg
Set message indicating authentication in progress
WCP8180(config-cp-locale)#
The following are the command options to configure images in Captive Portal locales:
Important:
Ensure that the image files satisfy the following criteria:
The image file format is one of .jpg, .gif, .png, .tif or .bmp.
The size of custom images (logo, background, logout image) must not exceed 1Mb
each.
The image filename does not exceed 31 characters.
WC8180(config-cp-locale)#image
account
Set image
background
Set image
branding
Set image
logout-background Set image
WC8180(config-cp-locale)#image
?
name
name
name
name
for
for
for
for
accounting identification
background appearence
branding appearence
logout background appearence
Example
The following is a sample usage of the command wip-msg to set a message indicating that
authentication is in progress:
WC8180(config-cp-locale)# wip-msg 0074006500730074
June 2014

37
In the above example, 0074006500730074 is the UTF 16 equivalent of the word test.
Customizing Captive Portal using static HTML pages

Use this procedure to customize the Captive Portal user login experience using static HTML pages.
Captive Portal customization using static HTML pages helps you update only those Web pages that
are displayed during the Captive Portal user login process (that is, during user authentication).
After successful authentication, a standard HTML page is used to display a welcome message to
the user. You can however specify a redirect URL to redirect the user to, like a corporate portal
page or a service main page. For more information on configuring the redirect URL, see Redirecting
the URL for captive portals on page 35.
Before you begin

You have configured the TFTP server IP address on the controller, using the following
command:
In this example, 172.16.1.11 is a sample TFTP server IP address.
WC8180#config t
Enter configuration commands, one per line. End with CNTL/Z.
WC8180(config-wireless)#captive-portal tftp-server 172.16.1.11
Procedure
1. Create the constituent HTML files:
captive_portal_custom.html which Captive Portal users see on first time login.
cp_custom_error.html which captive-portal users see when authentication error
happens.
cp_custom_refresh.html which captive-portal users see when waiting for authentication
results.
Note:
Ensure that you retain the exact names of the HTML files. Otherwise the controller
cannot recognize these files and the Captive Portal service will not work.
2. Create a package (.zip) file containing the HTML files. If you want to embed images in your
portal page, add appropriate HTML tags (for example, <img src = <filename>) in the
HTML files and include the graphics files in the zipped file.
Important:
Ensure the following rules when you create a .zip file.
The package file must be a zipped file with an extension of .zip.
The length of package filename must not exceed 31 characters.
The number of files in the package must not exceed 32.
The filenames of the files included in the package file must not exceed 31 characters.
38

June 2014
Total package file size does must not exceed 4 Mb and each profile size must not
exceed 8 Mb.
The zipped file must not contain any directory.
All files must be in the same directory.
The image file format is one of .jpg, .gif, .png, .tif and .bmp.
The size of custom images (logo, background, logout image) must not exceed 1Mb
each.
The image filename does not exceed 31 characters.
3. After creating the .zip file, copy the file to a TFTP server to upload it to the AMDC of the
domain.
Important:
To enable the AMDC to upload the .zip file from the TFTP server, ensure that the
controller is configured with the TFTP server IP address and the package filename (.zip)
is specified when configuring the captive-portal locale.
4. If there are other controllers (for example, peers) in the domain, ensure that you run the
config-sync command to push the AMDC configuration to all controllers in the domain.
Verify that all controllers are synchronized.
5. Run the wireless captive-portal tftp-get command to upload the .zip file to the
controller. This is one time action command.
If you run the action command without any parameters, all controllers in the domain upload
all the customization files (including customization package and customization image files for
account, brand, background and logout). If the controllers have multiple locales, this
command examines the current configuration and if the new configuration is different, it
forces an upload.
You can also specify the following parameters in the action command:
Peer controller IP address
Profile Id and locale Id
File type (account, brand logo, background, logout background and package file)
Action flag
After the customization package file is uploaded to your controller, it is not removed in the
flash unless you run the default command or perform another upload. You can also use
the default command to reset the configuration and to remove the corresponding file.
6. Verify the status of the upload in the Captive Portal locale by running the show wireless
captive-portal locale command. The status can be one of the following:
None the upload was not started
Success the upload was successful
In Progress the upload is in progress
June 2014

39
Transfer Failure the upload failed because of network connectivity issues.

Verification Failure the upload failed because of an incorrect .zip file or the file is
missing one of mandatory html files
File Not Found there is no matching file in the TFTP server
Internal Error the file size is too big or the flash file system is full
File Max Size Exceeded the TFTP file exceeds the file size limit (For image, 1Mb. For
package, 4Mb)
Profile Max Size Exceeded the Captive-portal profile disk usage exceeds the limit
(8Mb)
Related Links
Managing Captive Portals

CLI reference:
WC8180#wireless captive-portal ?
Captive portal run time settings
client-deauthenticate Deauthenticate a specific client
tftp-get
Execute TFTP client to get customization files
WC8180#wireless captive-portal client-deauthenticate ?
all
Deauthenticate all clients
captive-portal-profile Deauthenticate the clients associated with
captive-portal profile
H.H.H
Authenticated client MAC address
network-profile
Deauthenticate the clients associatd with
network-profile
WC8180#wireless captive-portal client-deauthenticate network-profile ?
<1-64> Network profile ID
WC8180#wireless captive-portal client-deauthenticate captive-portal-profile ?
<1-10> Captive portal profile ID
AMDC#wireless captive-portal tftp-get ?
address Controller IP address
About this task

Use the following commands to manage Captive Portals.
Procedure
1. Enter the wireless configuration mode of the CLI.
2. Use the command wireless captive-portal client-deauthenticate all to
revoke authentication on all clients.
3. Use the command wireless captive-portal client-deauthenticate captiveportal-profile <Captive Portal profile Id> to revoke authentication on all
clients associated with a particular Captive Portal profile.
4. Use the command wireless captive-portal client-deauthenticate
<authenticated client MAC address> to revoke authentication on a specific client.
40

June 2014
5. Use the command wireless captive-portal client-deauthenticate network

profile <network profile Id> to revoke authentication from all clients associated
with a particular network profile.
6. Use the command wireless captive-portal tftp-get to execute the TFTP client to
get customization files.
Related Links
Viewing Captive Portal network status

Use the following commands to verify Captive Portal network status.
Procedure
1. Use one of the following commands to view the Captive Portal network status for a specific
Captive Portal profile Id and network profile Id.
show wireless captive-portal network-status CP-profile <CP-profile-Id> networkprofile <network-profile-Id>
show wireless captive-portal network-status network-profile <network-profile-Id>
CP-profile <CP-profile-Id>
2. Use the following command to view the Captive Portal network status.
show wireless captive-portal network-status
Related Links
Viewing current Captive Portal configuration

View the current Captive Portal configuration.
Procedure
Enter the following command to view the current Captive Portal configuration of the WLAN
8100 system. This command only displays configuration that is different from the default
configuration.
WC8180#show running-config module wireless captive-portal
Related Links
Configuring and managing External Captive Portals

The following sections describe the configuration and management of Captive Portals using the
ACLI.
Related Links
June 2014

41
Configuring the External Captive Portal IP on page 42

Switching Captive Portal Modes on page 44
Creating a DAC Client Entry on page 45
Show a DAC Client Entry on page 46
Configuring the DAC RADIUS Shared Secret Key on page 46
Configuring the DAC Timewindow on page 47
Configuring the External Captive Portal IP

Use the following procedure to configure the IP addresses for the External IP address.
About this task

External captive-portal IP configuration is subject to captive-portal profile configuration. The
command only accepts valid IPv4 addresses for both the controller and external captive-portal
server, and uses no other command line argument. Each controller on the domain uses a unique
external captive-portal IP address. In order to accommodate this, each CP profile can have up to 32
external IP addresses.
Procedure
1. Use the command captive-portal profile <Captive Portal profile Id> to configure a Captive
Portal.
WC8180(config-wireless)#captive-portal profile <Captive Portal profile ID>
2. Set the Captive Portal IP Address and the IP address of the controller.
WC8180(config-cp-profile)#external-cp <Captive Portal IP> controller <Controller
IP>
WC8180(config-cp-profile)#no external-cp <Captive Portal IP> controller
<Controller IP>
3. Verify the changes.

WC8180(config-cp-profile)#show wireless captive-portal profile <Captive Portal
profile ID> detail
Example of setting and verifying Captive Portal and Controller IP addresses for captive-portal profile
1.
# configuration command
WC8180(config-wireless)#captive-portal profile 1
WC8180(config-cp-profile)#?
Captive Portal Profile Configuration Commands
block
Block traffic for this profile
color
Set Captive-portal color scheme
default
end
exit
Exit out of captive portal profile configuration mode
external-cp
Configure external captive-portal IP address
idle-timeout
Configure session idle timeout
ip
Captive-portal IP addresses
locale
Configure captive portal locale settings
max-bandwidth
Configure max bandwidth limit for transmit or receive
max-octets
Configure max octets available per session
no
Disable captive portal profile settings
42

June 2014
profile-name
Set captive portal profile name
protocol-mode
Set captive portal protocol mode
redirect
Enable HTTP request redirect on successful CP-authentication
redirect-url
Configure redirected URL
session-timeout Set session timeout.
user-logout
Enable user-logout mode for captive portal users
walled-garden
Captive-portal Walled Garden hostname configuration
web-hostname
Configure web hostname for Captive-Portal
WC8180(config-cp-profile)#
WC8180(config-cp-profile)#external-cp 1.1.1.1 controller 2.2.2.2
WC8180(config-cp-profile)#no external-cp 1.1.1.1 controller 2.2.2.2
# show command
WC8180(config-cp-profile)#show wireless captive-portal profile 1 detail
Captive Portal Profile ID: 1
Name
: Default
Protocol Mode
: http
User Logout Mode
: Enabled
Session Timeout (seconds)
: 0
Idle Timeout (seconds)
: 0
Max Bandwidth Up (bps)
: 0
Max Bandwidth Down (bps)
: 0
Max Input Octets (bytes)
: 0
Max Output Octets (bytes)
: 0
Max Total Octets (bytes)
: 0
Redirect Mode
: Disabled
Redirect URL
:
Web Hostname
:
Foreground Color
: #6F7B82
Background Color
: #6F7B82
Separator Color
: #CC0000
External Captive-portal IP : 1.1.1.1 / 2.2.2.2
1.1.1.1 / 2.2.2.3
: 172.21.0.1
# show running config
...
captive-portal profile 1
profile-name Default
user-logout
session-timeout 0
color background #6F7B82
color foreground #6F7B82
color separator #CC0000
external-cp 1.1.1.1 controller 2.2.2.2
external-cp 1.1.1.2 controller 2.2.2.3
redirect-url =
locale
exit
exit
...
Related Links
June 2014

43
Switching Captive Portal Modes

When either Internal or External Captive portal is configured many existing configurations related to
the other are not relevant. A mode switch command is introduced where a check is done to ensure
all CP related configurations are configured correctly so that the system can switch to the new
mode.
Current Mode
New Mode
Check NW profiles Check CP profile

for any CP related for Internal CPIPs
configurations
configurations
Check CP profile
for External CPIPs
configurations
Internal
External
Yes
Yes
No
External
Internal
Yes
No
Yes
Related Links
Switching from internal to external mode

Use the following procedure to switch from internal to external mode.
Procedure
1. Remove any internal CPIP configured in CP profiles.
2. Remove any CP profile mapped in the network profiles.
3. Disable CP if enabled in any network profiles.
4. Switch to external mode.
5. Configure required CP profiles with external CPIPs.
6. Map CP profile to required network profiles.
Switching from external to internal mode

Use the following procedure to switch from external to internal mode.
Procedure
1. Remove any external CPIP configured in CP profiles.
2. Remove any CP profile mapped in network profiles.
3. Disable CP if enabled in any network profiles.
4. Switch to internal mode.
5. Configure required CP profiles with internal CPIPs.
6. Map CP profile to required network profiles.
WC8180(config-wireless)#captive-portal ?
Parameters:
auth-timeout
Authentication session timeout period
enable
Enable captive portal feature on the system
http-port
Configure additional HTTP port
https-port
Configure additional HTTPS port
44

June 2014
mode
stats-report-interval
tftp-server
Configure internal or external CP mode

Interval between statistics reports to peer controller
Set TFTP server IP address for Captive Portal Image
customization
profile Create/Modify a specific captive portal profile
WC8180(config-wireless)#captive-portal mode internal
WC8180(config-wireless)#captive-portal mode external
Creating a DAC Client Entry

Use the following procedure to create a DAC client entry.
About this task

CLI Reference:
Command:
Mode:
(config-security)# dac-client <ID>
privExec, inside "security" config mode
Source:
New
<instance-parameter-1> = <ID>
Syntax (normal form):
config wireless security
dac-client <ID>
Syntax (no form):
config wireless security
no dac-client <ID>
Description:
Creates/Deletes a Dynamic Authorization Client
Corresponding MIB objects:
avWlanRadiusDacClientID
avWlanRadiusDacClientName
avWlanRadiusDacClientAddressType
avWlanRadiusDacClientAddress
avWlanRadiusDacClientSecret
avWlanRadiusDacClientSecretDigest
avWlanRadiusDacClientSecretEncrypt
avWlanRadiusDacClientRowStatus
avWlanRadiusDacClientTimeWindow
Procedure
1. Enter the wireless security configuration mode of the CLI.
WC8180#conf t
WC8180(config-wireless)#security
2. Use dac-client <ID> to create a DAC entry

WC8180#conf t
Enter configuration commands, one per line.
WC8180(config-security)#dac-client 1
June 2014
End with CNTL/Z.

45
Configuring radius DAC clients

WC8180(config-dac-client)#exit
WC8180(config-security)#no dac-client <ID>
Deleting dac-client entry 4
Related Links
Show a DAC Client Entry

Use the following procedure to show DAC client entries.
About this task

Cli Reference:
Command:
Mode:
show wireless security dac-client <ID>
privExec
Source:
New

show wireless security dac-client
Description:
shows dac client entry(s)
avWlanRadiusDacClientName
avWlanRadiusDacClientAddressType
avWlanRadiusDacClientAddress
avWlanRadiusDacClientRowStatus
Output Format:
WC8180#show wireless security dac-client
DAC ID IP
DAC Name Time-window(Secs)
------ --------------- -------- --------------1
192.168.10.10
SCP0
3000
2
192.168.10.11
SCP1
2000
3
192.168.10.12
SCP2
2000
Procedure
Use show wireless security dac-client <ID> to display DAC client entries.
WC8180#show wireless security dac-client 1
DAC ID IP
DAC Name Time-window(Secs)
------ --------------- -------- --------------1
192.168.10.10
SCP0
3000
Related Links
Configuring the DAC RADIUS Shared Secret Key

Use this procedure to configure the DAC radius shared secret key for verification purposes.
46

June 2014
About this task

CLI Reference:
Command:
Mode:
(config-dac-client)# secret <WORD>
privExec, inside DAC config mode
Source:
New
<parameter-1> = <WORD>
secret <WORD>
Syntax (no form):
NA
Syntax (default form):
NA
Description:
Configures shared radius secret for this dac client entry
avWlanRadiusDacClientSecret 64 byte word
avWlanRadiusDacClientSecretDigest 20 byte SHA-1 hash of secret
avWlanRadiusDacClientSecretEncrypt 128 byte - The encrypted RADIUS server secret
based on PAP protocol. It is AES encrypted. On retrieval, an encrypted string will be
returned.
Procedure
WC8180#conf t
End with CNTL/Z.
2. Enter WC8180(config-dac-client)#secret to input your secret.

WC8180#conf t
Creating dac-client entry 1
WC8180(config-dac-client)#secret
Enter Radius DAC secret:
End with CNTL/Z.
WC8180(config-dac-client)#
Related Links
Configuring the DAC Timewindow

Use the following procedure to configure a replay time window for a dac client entry.
June 2014

47
About this task

CLI Reference:
Command:
Mode:
(config-dac-client)# timewindow <1..65535>
privExec, inside DAC config mode
Source:
New
<parameter-1> = <1..65535>
timewindow <WORD>
Syntax (no form):
NA
Syntax (default form):
default timewindow
Description:
Configures replay time window for this dac client entry
Procedure
WC8180#conf t
End with CNTL/Z.
2. Enter WC8180(config-dac-client)#timewindow <time> to configure the time window.

WC8180#conf t
Creating dac-client entry 1
WC8180(config-dac-client)#name SCP1
WC8180(config-dac-client)#address 10.10.1.1
WC8180(config-dac-client)#secret <Secret>
WC8180(config-dac-client)#timewindow 2000
WC8180(config-dac-client)#exit
End with CNTL/Z.
Related Links
Configuring and managing RADIUS

The following sections describe the configuration and management of Remote Authentication
Dial-In User Service (RADIUS) for authentication, using ACLI.
Related Links
Configuring a RADIUS server on page 49
48

June 2014
Configuring Radius Health Check on page 51

Configuring RADIUS AAA offloading on page 52
Configuring and managing certificates on page 53
Generating a certificate on page 53
Importing a certificate on page 55
Mapping a certificate on page 55
Viewing generated certificates and their mapping on page 57
Configuring RADIUS server load balancing on page 57
Configuring RADIUS accounting on page 58
Configuring a RADIUS server

In WLAN 8100, RADIUS servers are grouped into a profile, called the radius-profile. Multiple
Radius-profiles, up to 32, can be configured on a controller. In each radius-profile, up to 32 RADIUS
servers (IPs) can be configured. A RADIUS server (IP) in two different radius-profiles count as 2
servers. A total of 32 servers can be configured on a controller.
About this task

Use this procedure to configure RADIUS servers.
Procedure
1. Enter Global or Interface Configuration mode of the ACLI.
2. Configure a RADIUS server using the command radius server <host IP Address>,
where <host IP address> is the IP address of the primary RADIUS server you want to
configure.
3. Configure a RADIUS profile using the command radius profile <profile name>
type .
A RADIUS profile can be one of two types authentication or accounting.
(WC8180-security)#radius profile <profile name> type ?
acct
auth
The default RADIUS profile type is auth.

4. Configure server selection for the authentication RADIUS profile using the command
radius profile <profile name> type auth server-selection .
(WC8180-security)#radius profile profile name type auth server-selection ?
priority
round-robin
The default server selection is priority.

5. Configure a RADIUS server and associate it with a RADIUS profile using the command
radius server <host IP Address> <profile name>.
6. Configure the attributes of a RADIUS server using the following parameters:
June 2014

49
In this example, 172.16.2.11 is the server host IP address and sample-radiusprofile is an example RADIUS profile.
WC8180(config-security)#radius server
encrypted-secret
health-check-encrypted-password
health-check-interval
health-check-password
health-check-user
priority
secret
udp-port
172.16.2.11 sample-radius-profile ?
encrypted radius secret
radius health check password (encrypted)
Radius health check interval.
User password for radius health check
User name used for radius healtcheck
server priority
server shared secret
server UDP port
The following table describes the parameters for this command.

Parameter
Description
encrypted-secret
Specifies the encrypted RADIUS secret.
health-check-encryptedpassword
Specifies the encrypted RADIUS health check password.
Specifies the time (in seconds) after which the controller checks
the health of the RADIUS server.
Enter a number in the range 0100. Specifying a time interval of
0 disables the health check.
health-check-user
Specifies the user name for the RADIUS health check.

This user name must be configured in the Active Directory.
Specifies the user password for RADIUS health check.

The password (for the health-check-user) must be configured in
the Active Directory.
priority
Specifies the server priority.

Enter an integer in the range 1-65535.
secret
Specifies the secret authentication and encryption key used for

all communications between the NAS and the RADIUS server.
The shared secret must be the same as the one defined on the
server. You are prompted to enter and confirm the secret.
udp-port
Specifies the UDP port for RADIUS.

<port> is an integer in the range 065535.
The default port number for RADIUS authentication is 1812.
The default port number for RADIUS accounting is 1813.
7. Use the command no radius profile <radius profile name> to delete a RADIUS profile.
8. Use the command no radius server <server IP Address> <radius profile
name> to delete a RADIUS server.
9. Use the command default radius server <ip address> <health-checkinterval | health-check-password | health-check-user | health-checkencrypted-password> to restore default RADIUS server settings.
50

June 2014
10. Use the command default radius profile <radius profile name> serverselection to delete a RADIUS profile.
Related Links
Configuring RADIUS on page 199
Configuring Radius Health Check

The RADIUS health-check mechanism allows a WLAN controller to determine if a RADIUS server is
available for authentication process. If the server is not available, a new server is selected and
incoming user authentication requests are forwarded to this server. This enhances the efficiency of
user authentication. RADIUS server health-check is enabled by default and starts the health check
when the first server (IP) is configured in a radius profile.
There are two parameters to be used in the radius server health-check duration and retries.
The duration is the time the health-check feature waits for a reply from a RADIUS server. It
is also the time when the check on the next server happens. The default duration is 3 seconds.
The retries specifies the maximum number of health-check messages sent to check the
health status of a RADIUS server before marking a server as dead.
Health check interval value is configured during Radius servers configuration. RADIUS servers are
grouped into a profile, called the radius-profile. For more informaiton, see Configuring a RADIUS
server on page 49. Health-check interval value ranges from 0-100 sec.
About this task

Use this procedure to determine if a RADIUS server is available for authentication process.
Complete the following steps to configure a health check user name, password, or encrypted
password. Synchronize this configuration across all controllers in the mobility domain.
Procedure
1. Enter Wireless Configuration mode of the ACLI.
2. Use the command security to enter Security Configuration mode.
3. Create a user name. Use the command radius server <server-ip> healthcheck
user <user-name> to configure the RADIUS health check user name.
Optionally:
Use the command default radius server-healthcheck-user to create a default
health check user.
4. Create a password. Use the command radius server <ip address> healthcheck
password to create the health check user password. The System prompts for a password
input which is displayed as *s.
Optionally:
Use the command default radius server-healthcheck-password to create a
default health check user password.
June 2014

51
5. Create an encrypted user password. Use the command radius server <ip address>
healthcheck encrypted <encrypted-password> to create the health check
encrypted password. The System prompts for a password input which is displayed as *s.
Optionally:
Use the command default radius server-healthcheck-encrypted-password
to create a default health check user password.
6. Configure the duration and retry parameters. Use one of the following commands.
Use the command radius server-retries <15> to configure radius server retries.
Use the command radius server-timeout <130> to configure the radius server
timeout in seconds.
Use the command default radius server-retries to set the radius server retries to
the default value.
Use the command default radius server-timeout to set the radius server timeout to
the default value.
7. Configure the RADIUS server health check interval. Use one of the following commands.
In the following commands 172.16.2.10 is a sample RADIUS server IP address.
Use the command radius server 172.16.2.10 IAS health-check-interval
<0-100> to configure the RADIUS server health check interval in seconds. 0 implies that
health check is disabled.
Use the command default radius server 172.16.2.13 IAS health-checkinterval to set the default value of the RADIUS server health check interval.
8. View the health check configuration in detail. Use the command show wireless
security radius server detail.
Related Links
Configuring RADIUS AAA offloading

Use RADIUS AAA offloading to reduce heavy loads between the RADIUS server and wireless users
during authentication. AAA offloading applies only to PEAPv0-MSCHAPv2 user authentication and
needs to be enabled on a network for it to take effect. When configured, it enables faster
authentication response time especially during peak hour traffic.
Note:
If there are 32 RADIUS servers with each of them mapped to 32 radius profiles, then radius
offload cannot be enabled. However, if there are 31 radius servers, each mapped to 31 radius
profiles then radius offload can be enabled.
RADIUS AAA offloading supports importing a third party certificate or generating a self-signed
certificate.
52

June 2014
Procedure
1. Enter the Network-profile configuration mode of the ACLI.
2. By default RADIUS offload is disabled. Use this command to enable RADIUS offload in
network profile.
WC8180 (config-network-profile)# radius offload
3. To disable RADIUS offload, use one of the following commands.
WC8180 (config-network-profile)# no radius offload
OR
WC8180 (config-network-profile)# default radius offload
Note:
Radius Offload is applicable only for WPA-enterprise security mode.
Related Links
Configuring and managing certificates

The WLAN 8100 controller supports generation of self signed certificates. These certificates are
used when PEAP offload functionality is enabled and also for Captive Portals when HTTPS is
enabled. For Captive Portals, this certificate is used for the secured HTTPS certificate handshake.
We can also import certificates that are generated by a 3rd party Certificate Authority (CA), into the
WLAN 8100 controller.
Related Links
Generating a certificate
You can generate self-signed certificates, with Self-Signed as the issuer name.
Generate a certificate by providing the following information.
Common Name
Country Code
Email
Key Size
Organization Name
Organization Unit
State
The number of days that the certificate will be valid
Locality name
June 2014

53
About this task

Use the following commands to generate X.509 certificates.
Procedure
Create a self-signed X.509 certificate by executing the following steps:
Note:
Common name is a mandatory parameter. The remaining parameters are optional.
a. Enter the Crypto configuration mode of the CLI.
b. Use the following command to create a self-signed certificate:
WLAN crypto configurations
certificate Certificate generation and mapping commands
end
End wireless crytpo configuration mode
exit
Exit from wireless crypto configuration mode
no
Delete crypto configurations
WC8180(config-crypto)#certificate ?
Certificate generation and mapping commands
generate Generate a self-signed (X.509) certificate
import
Import a certificate
map
Assign a certificate to an application
WC8180(config-crypto)#certificate import ?
pkcs12 Import a PKCS12 certificate
WC8180(config-crypto)#certificate import pk
WC8180(config-crypto)#certificate generate ?
<1-16> Certificate Index
WC8180(config-crypto)#certificate generate
Use the following variables to help you create a specified certificate.

key-size 1024 | 2048 | 4096
Size of the key
common-name
A name such as a user name or a server name ( 064

characters)
country-code
A country code (2 characters)
state-name
Name of the state or province ( 0128 characters)
organization
Name of the organization ( 064 characters)
organization-unit
Name of the organization unit such as section or subdivision

( 064 characters)
email
E-mail address (0128 characters)
valid
Certificate validity period in days
(Optional) Use the command no certificate <certificate-index> to remove

the self-signed certificate.
Related Links
54

June 2014
Importing a certificate
Certificates generated by 3rd party CA can be imported using TFTP. The certificate is imported by
providing details such as file type, filename and TFTP IP address and a passphrase. The certificate
Pkcs12 type must only be imported.
Note:
Certificates when generated or imported successfully are synchronized automatically to peer
controllers in a cluster, without the need to execute the command wireless controller
config-sync on the AMDC.
Certificates that failed to import are displayed on the AMDC with the failure status reason.
About this task

Use the following commands to import Pkcs12 type certificates.
Procedure
Import an X.509 certificate from a PKCS#12 by executing the following steps:
a. Enter the Wireless Crypto configuration of the CLI.
b. Use the following command to import a self-signed certificate:
WC8180(config-crypto)#certificate import pkcs12 3 ?
filename Name of the file to import
tftp-ip
TFTP Server IP
WC8180(config-crypto)#certificate import ?
pkcs12 Import a PKCS12 certificate
WC8180(config-crypto)#$ificate import pkcs12 3 tftp-ip 1.2.3.6 filename pp.k
Use the following variables to import a certificate:

Variable
Description
tftp-ipaddress
TFTP server IP address ( 0.0.0.0 255.255.255.255)
file-name
Certification file in pkcs#12 format ( 0127 characters)
Related Links
Mapping a certificate
When certificates are generated or imported, a certificate ID is created. A maximum of 16 certificate
IDs can be generated or imported. These certificate IDs can then be mapped to either RADIUS
applications or Captive Portals or both. Also, the same certificate ID can be mapped to both the
RADIUS application and the Captive Portal.
When a certificate ID is mapped to RADIUS application or a Captive Portal on AMDC in a cluster, it
must be pushed to peer controllers by executing the command wireless controller configsync.
June 2014

55
Important:
Certificate mapping or un-mapping must be synchronized across controllers in a cluster by
executing the wireless controller config-sync command on AMDC controller.
About this task

Use the following command to map an application to an X.509 certificate.
Note:
The current release of WLAN 8100 supports certificate mapping to either a RADIUS application
or a Captive Portal.
Procedure
1. Map an application to an X.509 certificate by executing the following steps:
a. Enter the wireless or crypto configuration mode of the ACLI.
b. Use the command certificate map {Captive Portal|radius}
certificate-index to map the certificate to a RADIUS application or a Captive
Portal.
WC8180(config-crypto)#certificate map ?
captive-portal Captive Portal application
radius
RADIUS application
WC8180(config-crypto)#certificate map radius ?
<1-16> Certificate Index
Use the following variable to help you map to a certificate

Variable
Description
certificate-index
The index of an X.509 certificate.
c. Use the command no certificate map {Captive Portal|radius} to delete

the mapping.
2. Use the following commands to un-map or delete a certificate.
Note:
Certificates cannot be deleted without first un-mapping the certificate Id from an
application.
To un-map a certificate for a CP application, ensure that you first set the protocol-mode
in the Captive Portal profile to HTTP and then un-map the certificate. Similarly, to unmap a certificate for a RADIUS application, ensure that you first un-map the certificate
from a RADIUS application and then delete the certificate.
Use the command no certificate map {Captive Portal|radius} to delete the
mapping and to un-map a certificate.
Use the command no certificate {certificate-index} to remove or delete a
certificate.
Related Links
56

June 2014
Viewing generated certificates and their mapping

Use the following command to view generated certificates and their mapping.
Procedure
Use the following commands to view the generated and imported certificates.
a. Use the command show wireless crypto certificate to display all generated
and imported certificates.
b. Use the command show wireless crypto certificate detail to display all
generated and imported certificates in detail.
c. Use the command show wireless crypto certificate <index> to display a
particular certificate.
d. Use the command show wireless crypto certificate <index> detail to
display a particular certificate in detail.
e. Use the command show wireless crypto certificate map to display
application mapping details.
Related Links
Configuring RADIUS server load balancing

In a Radius profile where RADIUS load balancing is not enabled, the RADIUS server that is used for
authentication is selected based on its priority. For more information on configuring RADIUS
servers, see Configuring a RADIUS server on page 49. When RADIUS server load balancing is
enabled in a radius profile, sever selection is not based on server priority. All servers that are
configured in the profile and that are not marked as dead are used. The next server to use is the
next authentication server in the sorted list with the same radius profile name of the type
authentication. RADIUS server load balancing is configured per radius profile. It is not a global
configuration.
Use the following procedure to configure RADIUS server load balancing to ease the server load due
to multiple simultaneous authentications requests. RADIUS server load balancing applies only to
radius profiles of type authentication not for RADIUS accounting profiles.
Ensure that you synchronize the server load balancing profile among controllers in a mobility
domain.
Note:
If RADIUS AAA offloading is enabled on the network, external RADIUS servers perform only
MSCHAPv2 authentication. Avaya therefore recommends not including load balancing with
RADIUS offloading.
About this task

Use the procedure to create a RADIUS profile for server load balancing.
June 2014

57
Procedure
1. Enter Wireless Configuration mode of the CLI.
2. Use the command security to enter Security Configuration mode.
3. Use the command radius profile server-selection round-robin to enable
RADIUS server load balancing.
4. Use the command default radius profile <profile-name> server-selection
to set the default server selection mode.
5. Use the command show wireless security radius profile profile-name to
show the RADIUS profile.
Related Links
Configuring RADIUS accounting

The RADIUS accounting helps the administrator to track the network usage for auditing and billing
purposes.
When you configure RADIUS accounting, at the start of service delivery an Accounting Start packet
is generated describing the type of service being delivered and the user it is delivered to. This
packet is sent to the RADIUS accounting server, which sends back an acknowledgment that the
packet is received. At the end of the service delivery, the client generates an Accounting Stop
packet describing the type of service that was delivered and statistics (optional), such as elapsed
time, input and output octets, or input and output packets. It then sends that data to the RADIUS
accounting server, which sends back an acknowledgment that the packet is received.
About this task

Use the procedure to configure RADIUS accounting in a RADIUS profile.
Procedure
1. Enter the Wireless Configuration mode of the CLI.
2. Configure RADIUS accounting on a RADIUS profile:
WC8180#radius profile <profile name> type ?
acct
auth
wc8180#radius server <radius accounting server ip> <radius accounting profile
name> type acct ?
encrypted-secret
health-check-encrypted-password Radius health check password (encrypted)
Radius health check interval
health-check-user
priority
server priority
secret
udp-port
server UDP port
<cr>
58

June 2014
Note:
Server selection is optional for configuring RADIUS accounting. Also, health-check does
not apply to accounting servers.
3. Enable RADIUS accounting in the network profile and also map the RADIUS accounting
profile with the network profile.
WC8180(config-network-profile)#radius accounting?
accounting
accounting-profile
WC8180(config-network-profile)#radius accounting
WC8180(config-network-profile)#radius accounting-profile <radius accounting
profile name>
Related Links
Auto-RF
The following sections describe the configuration and management of the Automatic Radio
Frequency (Auto-RF) feature, using the ACLI.
Related Links
Configuring Auto-RF on page 59
Managing Auto-RF operations on page 63
Viewing Auto-RF configuration and status on page 64
Configuring Auto-RF
Configure Auto-RF to perform automatic channel assignment or power selection for access points
(AP) in a mobility domain.
Note:
In the current release, Auto-RF is enabled by default.
About this task

ACLI reference:
WCP8180(config-wireless)#auto-rf ?
Configure auto-rf settings
channel-plan Configure auto-rf channel plan settings
power-plan
Configure auto-rf power plan settings
WCP8180(config-wireless)#auto-rf
Auto-RF channel plan configuration
June 2014

59
Configure the Auto-RF channel plan for the a-n and the bg-n radio frequency bands: .
WC8180(config-wireless)#auto-rf channel-plan ?
a-n
802.11 a/n radio frequency band
bg-n 802.11 bg/n radio frequency band
WC8180(config-wireless)#auto-rf channel-plan a-n ?
history-depth Set channel plan history depth
interval
Set interval used for "interval" plan mode
mode
Set channel plan mode
time
Set time used for "time" plan mode
WC8180(config-wireless)#auto-rf channel-plan bg-n ?
history-depth Set channel plan history depth
interval
Set interval used for "interval" plan mode
mode
Set channel plan mode
time
Set time used for "time" plan mode
Configure Auto-RF channel plan history depth:

WC8180(config-wireless)#auto-rf channel-plan a-n history-depth ?
<0-10> Number of channel-plan iterations to be saved
WC8180(config-wireless)#auto-rf channel-plan bg-n history-depth ?
<0-10> Number of channel-plan iterations to be saved
Configure the Auto-RF channel plan interval:

WC8180(config-wireless)#auto-rf channel-plan a-n interval ?
<1-24> Channel adjustment interval in hours
WC8180(config-wireless)#auto-rf channel-plan bg-n interval ?
<1-24> Channel adjustment interval in hours
Configure the Auto-RF channel plan mode:

WC8180(config-wireless)#auto-rf channel-plan a-n mode ?
interval Adjusting channels at regular interval
manual
Adjusting channels manually
time
Adjusting channels at a scheduled time
WC8180(config-wireless)#auto-rf channel-plan bg-n mode ?
interval Adjusting channels at regular interval
manual
Adjusting channels manually
time
Adjusting channels at a scheduled time
Auto-RF power plan configuration

Configure Auto-RF power plan at the domain level:
WC8180(config-wireless)#auto-rf
mode
Set power
threshold-strength Configure
the power
power-plan ?
plan mode
the threshold strength in dBm to be used for
adjustements
Configure the Auto-RF power plan mode:

Note:
Auto-RF power plan has the following modes:
Auto
Manual
60

June 2014
The default power plan mode is Auto.

AMDC(config-wireless)#auto-rf power-plan mode ?
auto
Adjusting power automatically
manual Adjusting power manually
Configure Auto-RF power plan threshold strength in dBm:

WC8180(config-wireless)#auto-rf power-plan threshold-strength ?
<-99 - -1> Enter the power plan strength in dBm(-1 to -99)
Procedure
2. Use the command auto-rf channel-plan {a-n | bg-n} history-depth <0 10> to set the number of saved historical channel plans.
3. Use the command auto-rf channel-plan {a-n | bg-n} interval <1 - 24> to
set the channel adjustment interval in hours.
4. Use the command auto-rf channel-plan {a-n | bg-n} time <hh:mm> to set the
time of day to perform channel adjustment.
5. Use the command auto-rf channel-plan {a-n | bg-n} mode {interval |
manual | time} to set the channel adjustment mode.
6. Use the command auto-rf power-plan mode {auto | manual} to set the power
adjustment mode.
7. Use the command auto-rf power-plan threshold strength <-99 -1> to set
the power plan threshold strength.
The default power plan threshold strength is 85 dBm.
8. Use the command wireless ap power <ap_mac_addr> <1|2> <%
power_reduction> to explicitly set a temporary override power on a specific radio.
Note:
The power is configured in terms of percentage of maximum power. The maximum
power is the minimum power level allowed for the channel by the regulatory domain or
the hardware capability.
Note:
The APA runs continuously collecting neighbor AP data for up to 20 minutes, making
power adjustments and starting the data collection again.
The ACA runs on a set interval. The default interval is 1 hour and can be configured.
For a first time installation of the WLAN 8100, a lower interval is recommended to
speed up convergence to an acceptable channel plan
Auto RF depends on data collected during the RF scan by the APs and forwarded to
the controllers. Depending on the deployment scenario and the configured off-channel
June 2014

61
scanning schedule, it can take several hours to build up the information needed for
Auto RF decisions.
Example
Sample Auto-RF Configuration using the CLI:
1. Enable APA at the domain level. Execute the following command:
WC8180(config-wireless)#auto-rf power-plan mode auto
Verify the configuration:

WC8180(config-wireless)#show wireless auto-rf power-plan
Power plan mode
: auto
Power Plan Operational Status
: Inactive
Power Threshold Strength (dBm)
: -85
Number of Interfering Managed AP's
: 0
Number of Interfering Managed VAP's
: 0
Power Cycle Count
: 0
Total Power Changes Count
: 0
Power Increase Count
: 0
Power Decrease Count
: 0
Number of Operational Radios
: 10
Time since last Power Plan Iteration
: 0d:00:00:00
2. Enable ACA at the domain level:

WC8180(config-wireless)#auto-rf channel-plan a-n mode interval
WC8180(config-wireless)#auto-rf channel-plan bg-n mode interval

AMDC#show wireless auto-rf channel-plan
---------------------------------------------------------------------Phy-Mode:
802.11 a/n
802.11 b/g/n
----------------------------------------Mode:
Interval
Interval
Interval:
1 hours
1 hours
Time:
00:00
00:00
History Depth:
10
10
Operational:
True
True
Last Iteration Status:
3
10
Manual Status:
None
None
Max Consecutive
Change Iterations:
0
6
Max Consecutive
No Change Iterations:
3
3. Select the auto mode on the Radio Profile.

WC8180(config-radio-profile)#power policy auto
WC8180(config-radio-profile)#channel policy auto

AMDC#show wireless radio-profile 1 detail
Radio Profile Id: 1
Name
Configuration Model
Country Code
Operation Mode
......
Auto Channel Adjustment Mode
62
:
:
:
:
Default-5GHz
AP8120/E
US
access-wids
: Yes

June 2014
Auto Power Adjustment Mode

......
: Yes
4. Verify that each AP is set to use Auto power and channel in the Domain AP database.
Note:
The default is auto.
AMDC#show wireless domain ap database detail
Total number of entries in AP database = 106
------------------------------------------------------AP MAC
: 00:1B:4F:6C:01:00
..........
Radio 1
Channel
: Automatic Adjustment
Power
..........
Radio 2
Channel
Power
...........
------------------------------------------------------......
......
5. Run the config-sync command to make Auto-RF fully operational:

6. (Optional) You can perform additional Auto-RF verification by reviewing the databases used
by Auto-RF:
Verify that RF Scan is working properly and collecting neighbor information:
WC8180#show
wireless
security
wids-wips
rf-scan
Check the neighbor APs detected, both domain and non-managed APs:
WC8180#show
wireless
ap
neighbor-ap
Check specific neighbor relations detected by APs:

WC8180#show
wireless
rrm
neighbors
all
Related Links
Auto-RF on page 59
Managing Auto-RF operations

CLI reference:
WC8180#wireless auto-rf ?
Auto-rf actions
channel-plan Perform auto-rf channel plan actions
power-plan
Perform auto-rf power plan actions
WC8180#wireless auto-rf channel-plan ?
a-n
bg-n 802.11 b/g/n radio frequency band
WC8180#wireless auto-rf power-plan ?
start Run proposed power adjustmnent algorithm
June 2014

63
About this task

This following procedure is used to manage automatic radio frequency functionality.
Procedure
1. Enter Privileged mode of the CLI.
2. Use the command wireless auto-rf channel-plan {a-n | b/g-n} start to run
the channel adjustment algorithm.
3. Use the command wireless auto-rf channel-plan {a-n | b/g-n} apply to
apply the proposed channel adjustment plan.
4. Use the command wireless auto-rf power-plan start to run the power planning
algorithm.
Note:
The apply option in the command wireless auto-rf power-plan is not supported
in the current release.
5. Use the command clear wireless auto-rf power-plan to clear the wireless power
plan.
This command clears all the APA power adjustments and resets all radios to their default
power level.
Related Links
Auto-RF on page 59
Viewing Auto-RF configuration and status

Use this procedure to view and verify Auto-RF configuration.
CLI reference:
WC8180# show wireless auto-rf ?
Display auto-rf infomation
channel-plan Display auto-rf channel plan settings
power-plan
Display auto-rf power plan settings
View Auto-RF channel plan settings:

WC8180#show wireless auto-rf channel-plan ?
Parameters:
a-n
bg-n 802.11 bg/n radio frequency band
<cr>
history
Display auto-rf channel plan history
proposed Display auto-rf proposed channel adjustments
View Auto-RF power plan settings:

WC8180#show wireless auto-rf power-plan ?
<cr>
64

June 2014
View the AP radio power plan status.

WC8180#show wireless ap radio power-plan status ?
detail Show mananged AP radio status in detail
H.H.H
AP MAC Address
<cr>
This command has further viewing options for a particular AP.

In the following command 00:1B:4F:6A:18:E0 is a sample AP MAC address:
WC8180#show wireless ap radio power-plan status 00:1B:4F:6A:18:E0 ?
<1-2>
Radio Index
detail Show mananged AP radio status in detail
<cr>
About this task

The following procedure lists the commands to view Auto-RF configuration in further detail with
sample outputs.
Procedure
1. Use the command show wireless auto-rf power-plan to view the Auto-RF power
plan settings.
Sample output:
WC8180#show wireless auto-rf power-plan
Power plan mode
Power Plan Operational Status
Power Threshold Strength (dBm)
Power Cycle Count
Total Power Changes Count
Number of Operational Radios
Time since last Power Plan Iteration
:
:
:
:
:
:
:
:
:
:
:
Manual
Inactive
-85
3
8
0
0
0
0
30
0d:00:08:42
2. Use the command show wireless ap radio power-plan status <AP MAC
addresss> <radio index> to view the AP radio power plan status for a particular AP
MAC address and radio index.
Example: AP radio power plan status for radio index 1 and AP MAC address 00:1B:4F:
6A:18:E0.
WC8180#show wireless ap radio power-plan status 00:1B:4F:6A:18:E0 1
-----------------------------------------------------------------------------TX
Int_AP Int_VAP Last Adjust Power Power
AP MAC
Radio Channel Power
Count Count
Status
Incr Decr
----------------- ----- ------- ------- ------ ------- ----------- ----- ----00:1B:4F:6A:18:E0 1
157
80
0
0
None
0
0
----------------------------------------------------------------------------
Example: AP radio power plan status for radio index 2 and AP MAC address 00:1B:4F:
6A:18:E0.
WC8180#show wireless ap radio power-plan status 00:1B:4F:6A:18:E0 2
-----------------------------------------------------------------------------TX
Int_AP Int_VAP Last Adjust Power Power
June 2014

65
AP MAC
Radio Channel Power
Count Count
Status
Incr Decr
----------------- ----- ------- ------- ------ ------- ----------- ----- ----00:1B:4F:6A:18:E0 2
6
80
0
0
None
0
0
----------------------------------------------------------------------------
3. Use the command show wireless ap radio power-plan status <AP MAC
address> detail to view the AP radio power plan status for an AP.
In the following example, 00:1B:4F:6A:18:E0 is a sample AP MAC address.
WC8180#show wireless ap radio power-plan status 00:1B:4F:6A:18:E0 detail
AP (mac=00:1B:4F:6A:18:E0)
Radio 1 (mac=00:1B:4F:6A:18:E0) Transmit
Channel
: 157
:
:
Strongest Neighbor Mac Address
:
Strongest Neighbor Signal
:
Strongest Detector AP Mac Address
:
Strongest Detector AP Signal
:
Last Power Adjustment Status
:
Last Power Adjustment Reason Code
:
:
:
Radio 2 (mac=00:1B:4F:6A:18:F0) Transmit
Channel
: 6
:
:
Strongest Neighbor Mac Address
:
Strongest Neighbor Signal
:
Strongest Detector AP Mac Address
:
Strongest Detector AP Signal
:
Last Power Adjustment Status
:
Last Power Adjustment Reason Code
:
:
:
Power
: 80 %
0
0
00:00:00:00:00:00
0
00:00:00:00:00:00
0
Unchanged
Power Plan Disabled
0
0
Power
: 80 %
0
0
00:00:00:00:00:00
0
00:00:00:00:00:00
0
Unchanged
Power Plan Disabled
0
0
4. Use the command show wireless ap radio power status <AP MAC address> to
view the AP radio power status for an AP.
In the following example, 00:1B:4F:6A:18:E0 is a sample AP MAC address.
Sample output:
WC8180#show wireless ap radio power status 00:1B:4F:6A:18:E0
AP (mac=00:1B:4F:6A:18:E0)
Radio 1 (mac=41:00:5E:3B:E1:00)
Manual Power Adjustment Status
Transmit Power
: None
: 80
Radio 2 (mac=41:00:5E:3B:E1:00)
Transmit Power
: None
: 80
Use the command show wireless ap radio power status <AP MAC address>
[1|2] to view the AP radio power status for an AP and for a specific radio channel.
66

June 2014
Sample output:
WC8180#show wireless ap radio power status 00:1B:4F:6A:18:E0 1
AP (mac=00:1B:4F:6A:18:E0)
Radio 1 (mac=41:00:5E:3B:E1:00)
Transmit Power
: None
: 80
5. Use the command show wireless auto-rf channel-plan [a-n|bg-n] to view the
Auto RF channel plan for the a-n and bg-n radio frequency bands.
Sample outputs:
WC8180#show wireless auto-rf channel-plan a-n
---------------------------------------------------------------------Phy-Mode:
802.11 a/n
--------------------Mode:
Interval
Interval:
1 hours
Time:
00:00
History Depth:
5
Operational:
True
7
Manual Status:
None
Max Consecutive
Change Iterations:
0
Max Consecutive
7
WC8180#show wireless auto-rf channel-plan bg-n
---------------------------------------------------------------------Phy-Mode:
802.11 b/g/n
--------------------Mode:
Interval
Interval:
1 hours
Time:
00:00
History Depth:
5
Operational:
True
7
Manual Status:
None
Max Consecutive
Change Iterations:
2
Max Consecutive
3
6. Use the command show wireless auto-rf channel-plan history to view the Auto
RF channel plan history.
Sample output:
WC8180#show wireless auto-rf channel-plan history
Phy Mode
AP Mac Address
Radio AP Location
Intf
------------ ----------------- ----- -------------------------------802.11 b/g/n 58:16:26:ac:75:60 2
802.11 b/g/n 58:16:26:ac:bf:e0 2
AP
Iter
---1
1
AP
Ch
--1
1
7. Use the command show wireless auto-rf channel-plan proposed to view the
proposed Auto RF channel plan.
June 2014

67
Sample output:
WC8180#show wireless auto-rf channel-plan proposed
-----------------------------------------------------------------------------Phy Mode
AP Mac Address
Radio Interface Current Channel New Channel
------------ ----------------- --------------- --------------- ----------802.11 b/g/n 58:16:26:ac:75:60 2
11
1
802.11 b/g/n 58:16:26:ac:bf:e0 2
6
1
8. Use the following command to view current Auto-RF configuration.

WC8180#show running-config module wireless auto-rf
Related Links
Auto-RF on page 59
Configuring and viewing the Tunnel Path MTU

In prior releases of the WLAN 8100, the Tunnel Path Maximum Transmission Unit (MTU) was fixed
at 1492 bytes for tunneling traffic between controllers and APs, and amongst controllers. From
release 2.1 onwards, you can configure the path MTU in the system in the range 1250 to 2372
bytes. This allows supporting tunnels over VPNs that may have MTUs lower than 1492 bytes.
Access points always receive the tunnel-path MTU configuration from its managing controller.
Note:
Tunnel Path MTU configuration is supported only in Overlay deployments.
The following sections describe configuration of the Tunnel Path MTU using the Avaya CLI.
CLI reference:
WC8180(config-wireless)#tunnel-path-mtu ?
<1250-2372> Range of the Tunnel Path MTU
Procedure
1. Enter the wireless configuration mode of the CLI. Use the following commands:
WC8180#conf t
2. Use the following command to set the Tunnel Path MTU to a value different from the default
value, at any time during the operation of the system.
WC8180(config-wireless)#tunnel-path-mtu 1250
Note:
The default value of the Tunnel Path MTU for the WC 8180 controller is 1492 bytes. The
range is 1250 2372 bytes.
68

June 2014
Note:
It is recommended that all controllers in the domain are set with an identical tunnel-path
MTU configuration.
3. Verify the Tunnel Path MTU configuration:
Operation Mode
:
Status
:
Interface IP
:
TCP/UDP base port :
Base MAC Address :
Tunnel Path MTU
:
WC
Enabled
134.177.252.65
61000
00:24:B5:1F:96:00
1250
4. Enable local MTU configuration on the WC 8180.

The WC 8180 controller supports local MTU configuration by enabling or disabling jumboframe support. When jumbo frame support is disabled, The local MTU can be configured in
the range between 1250 and 1500 bytes; otherwise it can be in the range of 1250 and 2372.
Note:
When you disable jumbo frame support, and the configured tunnel path MTU at the time
of the change is more than 1500 bytes, the tunnel path MTU configuration is changed to
1492.
CLI reference:
WC8180 (config)#no jumbo-frames enable
Warning: Tunnel-path-MTU configuration exceeds desired local port MTU.
The tunnel-path-MTU would be modified by this change to 1492.
Proceed with the change (y/n)?
Enter y to disable Jumbo frames.

Verify local MTU configuration:
Operation Mode
:
Status
:
Interface IP
:
TCP/UDP base port :
Base MAC Address :
Tunnel Path MTU
:
WC
Enabled
134.177.252.65
61000
00:24:B5:1F:96:00
1492
Related Links
DiffServ
Differentiated services or DiffServ specifies a simple and scalable mechanism for classifying and
managing network traffic and providing quality of service (QoS) to wireless clients, on modern IP
networks. The following sections describe the configuration and management of DiffServ using
ACLI.
June 2014

69
ACLI reference:
WCP8180(config-wireless)# DiffServ ?
Differentiated Services
classifierblock Classifier Block
policy
DiffServ Policy
Important:
Ensure that you configure DiffServ policy and classifier block names that are unique across the
network. Do not configure policy and classifier names that have similar letters and characters
and differ only in their case.
Before you begin

Ensure that you are in the Wireless Configuration mode on the Avaya CLI. Use the following
commands:
WCP8180#conf t
WCP8180(config)wireless#
Procedure
1. Configure a DiffServ classifier block and classifier elements.
CLI reference to configure a classifier block.
WCP8180(config-wireless)#diffserv classifierblock ?
WORD Enter Classifier Block name
WCP8180(config-wireless)#diffserv classifierblock c1
Example:
Configure a classifier block named classifier1 using the following command:
In the following example, 01:02:03:04:05:06 is a sample client MAC address and
ff:ff:ff:ff:ff:ff is the corresponding subnet mask. Replace these values with those
appropriate to your network.
WCP8180(config-wireless)#DiffServ classifierblock classsifier1
WCP8180(config-DiffServ-classifierelement)#match src-mac 01:02:03:04:05:06 mask
ff:ff:ff:ff:ff:ff
2. Configure Classifier Block options (elements).

CLI reference to configure classifier block elements.
WCP8180(config-diffserv-classifierelement)#?
Configure Classifier Element
end
End Diffserv classifier block
exit
Exit Diffserv Classifier block
match Match class map rule
WCP8180(config-diffserv-classifierelement)#match ?
all
Match all packets
cos
Match CoS
ds-field
Match IP DSCP
dst-ip
Match Dst IP/Mask
dst-mac
Match Dst MAC/Mask
dstport
Enter Dst L4 Port
ethtype
Enter Ethernet Type (0x600 - 0xFFFF)
precedence Match IP Precedence
protocol
Match IP Protocol
src-ip
Match Src IP/Mask
70

June 2014
src-mac
Match Src MAC/Mask
srcport
Match Src L4 Port
tos
Match ToS/Mask
WCP8180(config-diffserv-classifierelement)#
Important:
Considerations when configuring classifier block elements
When you configure a classifier block to match the source/destination client IP
address or a client MAC address (as in the above example), you must configure a
proper mask to ensure that the classifier block is applied to traffic from only the
specified client and not all clients within the subnet.
For example, if you configure the classifier block to drop packets for a client IP
address of 10.1.20.5, a mask of 255.255.255.0 drops the packets on all clients
within the subnet. To ensure that the packets are dropped for only for traffic from the
specified client, you must set the mask to 255.255.255.255.
Similarly, if you configure a client MAC address, ensure that you set the subnet mask
to ff:ff:ff:ff:ff:ff.
When you configure a classifier block, you can configure any value for EthType
parameter. However, only if you set the EthType parameter to 0x0800 (hex), you
can configure other classifier block parameters such as protocol, dest-ip, srcip, ipDscp, IpPrescedence IpTos, src-port and dst-port.
Use one of the following commands to configure the classifier block elements.
WCP8180(config-diffserv-classifierelement)#match cos ?
<0-7>
WCP8180(config-diffserv-classifierelement)#match ds-field ?
<0-63>
WCP8180(config-diffserv-classifierelement)#match dst-ip ?
A.B.C.D
WCP8180(config-diffserv-classifierelement)#match dst-mac ?
H.H.H
WCP8180(config-diffserv-classifierelement)#match dstport ?
<1-65535>
WCP8180(config-diffserv-classifierelement)#match ethtype ?
<0x600-0xFFFF> Ethernet Type in HEX
WCP8180(config-diffserv-classifierelement)#match precedence ?
<0-7>
WCP8180(config-diffserv-classifierelement)#match protocol ?
<0-255>
WCP8180(config-diffserv-classifierelement)#match src-ip ?
A.B.C.D
WCP8180(config-diffserv-classifierelement)#match srcport ?
<1-65535>
WCP8180(config-diffserv-classifierelement)#match tos ?
<0x00-0xFF>
June 2014

71
3. Configure a DiffServ policy.

CLI reference to configure a Diffserv policy:
WCP8180(config-diffserv-policy)#?
Differentiated Services
classifierblock
Associate Classifier block to Policy
end
End Diffserv Policy
exit
Exit Diffserv Policy
WCP8180(config-diffserv-policy)#cl
WCP8180(config-diffserv-policy)#classifierblock ?
WORD Enter classifier block name
WCP8180(config-diffserv-policy)#classifierblock c1 ?
allow
Allow packets
drop
Drop packets
remark-cos
Remark CoS
remark-dscp
Remark IP DSCP
remark-precedence Remark IP Precedence
CLI reference to configure remark CoS.

WCP8180(config-diffserv-policy)#classifierblock c1 remark-cos ?
<0-7>
CLI reference to configure Remark IP DSCP.

WCP8180(config-diffserv-policy)#classifierblock c1 remark-dscp ?
<0-63>
CLI reference to configure Remark IP Precedence.

WCP8180(config-diffserv-policy)#classifierblock c1 remark-precedence ?
<0-7>
Example:
Configure a DiffServ policy named policy1 and associate the configured classifier block
classifier1 with this policy. Use the following command:
In this example, allow is a sample action associated with the classifier block
classifier1. The allow action allows packets or traffic that match the criteria specified in
the classifier block configured in Step 1.
WCP8180(config-DiffServ-classifierelement)#DiffServ policy policy1
WCP8180(config-DiffServ-policy)#classifierblock classifier1 allow
4. Verify Diffserv classifier details. Use one off the following commands.
WCP8180#sh wireless diffserv classifierblock
Sample Output:
WCP8180#sh wireless diffserv classifierblock
Classifier Blocks
----------------c1
Total number of classifier blocks: 1
WCP8180(config-diffserv-policy)#show wireless diffserv classifierblock classifier1
detail
Sample Output:
WCP8180(config-diffserv-policy)#show wireless diffserv classifierblock classifier1
detail
72

June 2014
Classifier block classifier1

-----------------------Element ID: 1
Src Mac:
01:02:03:04:05:06
Src Mac Mask:
FF:FF:FF:FF:FF:FF
5. Verify Diffserv policy details. Use one of the following commands.

WCP8180#sh wireless diffserv policy
WCP8180#sh wireless diffserv policy
Policy Names
--------------------------p1
Total number of policies: 1
WCP8180(config-diffserv-policy)#show wireless diffserv policy policy1 detail
A sample output is as follows:

WCP8180(config-diffserv-policy)#show wireless diffserv policy policy1 detail
Policy Name
Classifierblocks
Action
--------------------------------------------------policy1
classifier1
Allow
6. Associate a DiffServ classifier block with a DiffServ policy.

CLI Reference:
WCP8180(config-wireless)#diffserv policy p1
Diffserv policy exists - 10
WCP8180(config-diffserv-policy)#classifierblock c1 ?
allow
Allow packets
drop
Drop packets
remark-cos
Remark CoS
remark-dscp
Remark IP DSCP
remark-precedence Remark IP Precedence
WCP8180(config-diffserv-policy)#
WC8180(config-diffserv-policy)#classifierblock c1 remark-cos ?
<0-7>
WC8180(config-diffserv-policy)#classifierblock c1 remark-dscp ?
<0-63>
WC8180(config-diffserv-policy)#classifierblock c1 remark-precedence ?
<0-7>
7. Configure a network profile.

In this example, you configure a network profile named AVAYA-Demo associated with a
mobility VLAN Mobile-Clients.
Important:
When you configure an SSID for a network profile, ensure that it is unique across the
network. SSIDs can have a maximum of 32 characters.
June 2014

73
Also, ensure that you do not configure SSIDs that have similar characters but are
different only in their case. For example, do not configure the SSIDs avaya-demo and
AVAYA-DEMO within the same network.
WCP8180(config-wireless)#network-profile 2
Creating network-profile (id = 2) ...
WCP8180(config-network-profile)#profile-name AVAYA-Demo
WCP8180(config-network-profile)#ssid AVAYA-Demo
WCP8180(config-network-profile)#mobility-vlan Mobile-Clients
WCP8180(config-network-profile)#exit
Verify creation of the network profile.

WCP8180(config-wireless)# WCP8180(config-wireless)#show wireless network-profile 2
------------------------------------------------------------------------Id Profile Name
Mobility VLAN
Security Mode Captive Portal
--- ------------------- ------------------- -------------- -------------2 AVAYA-Demo
Mobile-Clients
open
Disabled
------------------------------------------------------------------------WCP8180(config-wireless)#
WCP8180(config-wireless)#show wireless network-profile 2 detail
Network Profile ID
: 2
Name
: AVAYA-Demo
SSID
: AVAYA-Demo
Hide SSID
: No
Mobility Vlan Name
: Mobile-Clients
No Response to Probe Request
: Disabled
Captive Portal Mode
: Disabled
User Validation
: open
Captive Portal Profile Id
: 1
Local User Group
: Default
RADIUS Authentication Profile Name
:
RADIUS Accounting Profile Name
:
RADIUS Accounting Mode
: Disabled
Security Mode
: open
MAC Validation
: Disabled
Wireless ARP Suppression
: Disabled
WCP8180(config-wireless)#
8. Enable client-QoS and Domain AP-client-QoS and map the created Diffserv policy to the
AVAYA-Demo network profile, to prioritize WMM (Wireless Multi-Media) traffic in the network.
By default, in WMM, voice traffic has a higher priority over video traffic. You can, for
example, configure DiffServ policies to reverse this traffic priority in the network.
For example, to enable client QOS and configure the DiffServ policy policy1 on the
network profile, execute the following commands.
WCP8180(config-network-profile)#client-qos enable
WCP8180(config-network-profile)#client-qos diffserv {up} policy1
Verify the network profile client-QOS. Use the following command:

WCP8180(config-network-profile)#show wireless network-profile client-qos 2
---------------------------------------------------------Network
Client
Diffserv Policy Name
Profile
OoS
-------------------------------------Id
Mode
Down
Up
-------- -------- ------------------ ------------------
74

June 2014
2
Enabled
policy1
---------------------------------------------------------------
Enable Domain AP-client-QoS:

WCP8180#conf t
WCP8180(config)#wireless
WCP8180(config-wireless)#domain ap-client-qos
Verify Domain AP-client-QoS mode:

WCP8180#show wireless domain info
Country Code
AP QoS Mode
Roaming Timeout
TSPEC Violation Report Interval
Auto Promote for Discovered APs
AP Image Update Download Group Size
AP Image Update Reset Group Size
AP Reset Group Size
AP Reconnection Timeout Interval
Configured Load Balancing Metric
:
:
:
:
:
:
:
:
:
:
US
Enabled
30 seconds
300 seconds
Disabled
5 %
5 %
5 %
60
least-load
9. View the DiffServ statistics. Ensure that wireless clients are connected to the network.
Use the following command to view the DiffServ statistics for all clients.
WCP8180#show wireless diffserv statistics
Sample Output:
WCP8180#show wireless diffserv statistics
---------------------------------------------Client MAC
Direction
Policy Name
----------------- ------------ -------------00:05:03:01:00:01 Uplink
p1
00:05:03:01:00:01 Downlink
p1
00:05:03:02:00:01 Uplink
p1
00:05:03:02:00:01 Downlink
p1
Use the following command to view the DiffServ statistics for a specific client MAC address.
In the following example, 00:05:03:01:00:01 is a sample client MAC address.
WCP8180#show wireless diffserv statistics 00:05:03:01:00:01
Sample Output:
WCP8180#show wireless diffserv statistics 00:05:03:01:00:01
Client (MAC=00:05:03:01:00:01)
Direction: Uplink
Policy: p1
ClassifierBlock Name
Hits
-------------------------------------------c1
10280
Client (MAC=00:05:03:01:00:01)
Direction: Downlink
Policy: p1
Hits
-------------------------------------------c1
0
June 2014

75
Use the following command to view the DiffServ statistics in detail.

WCP8180#show wireless diffserv statistics detail
Sample Output:
WCP8180#sh wireless diffserv statistics detail
Client (MAC=00:05:03:01:00:01)
Direction: Uplink
Policy: p1
Hits
-------------------------------------------c1
11280
Client (MAC=00:05:03:01:00:01) Policy: p1
Direction: Downlink
Hits
-------------------------------------------c1
0
Client (MAC=00:05:03:02:00:01)
Direction: Uplink
Policy: p1
Hits
-------------------------------------------c1
0
Client (MAC=00:05:03:02:00:01)
Direction: Downlink
Policy: p1
Hits
-------------------------------------------c1
0
WCP8180#
10. Use the following commands to view client QoS bandwidth for uplink and downlink traffic
between APs and clients.
Important:
The displayed client QoS bandwidth represents the actual bandwidth rate in use for the
client, which may differ from the configured value because the AP rounds off the value
down to the nearest 64000 bps. This is independent of the type of client authentication.
For example, if the configured bandwidth rate for the client is 4294967295 bps
(configured in either the network profile or as part of RADIUS authentication), the actual
value displayed when you execute show wireless client qos status is
4294912000 bps, which is the nearest multiple of 64000.
C8180#show wireless client qos status
Client Mac Address: cc:52:af:0e:c6:81
QoS Operational Status: Enabled
Client to AP(Ingress)
--------------------QoS Bandwidth limit:
64000
Diffserv Policy Name:
None
WC8180#
AP to Client(Egress)
-------------------64000
None
WC8180#show wireless client qos cached-status

Client Mac Address: cc:52:af:0e:c6:81
76

June 2014
QoS Bandwidth limit:

Diffserv Policy Name:
WC8180#
Client to AP(Ingress)
--------------------40000
None
AP to Client(Egress)
-------------------40000
None
11. Use the following command to view current DiffServ configuration.

WC8180#show running-config module wireless diffserv
AP Client QoS configuration attributes

Use the following attributes to configure AP Client QoS.
Criteria
Description
Match All
Specifies that a packet must match all criteria of the classifier block.
Allow signifies that all packets will match the selected IP ACL and
Rule and will be either permitted or denied.
The Match All rule overrides all other filtering rules, so if Match All
is set, the other rules are not configurable.
Protocol
Specifies the packets protocol as the match condition for the selected
rule.
The protocol is identified by a number. This number is a standard value
assigned by IANA and is an integer in the range 1 to 255.
Source IP Address
Specifies the packets source port IP address as the match condition for
the rule.
The address you enter is compared with the packet's source IP
Address. You must also specify a source IP Mask with the Source IP
Address.
Source IP Mask
Specifies the source IP address wildcard mask.

The wild card masks determines which bits are used and which bits are
ignored. A wild card mask of 255.255.255.255 indicates that no bit is
important. A wildcard of 0.0.0.0 indicates that all of the bits are
important.
Wildcard masking for ACLs operate differently from a subnet mask. A
wildcard mask is in fact the inverse of a subnet mask. With a subnet
mask, the mask has ones (1) in the bit positions that are used for the
network address, and has zeros (0) for the bit positions that are not
used. In contrast, a wildcard mask has a 0 in the bit position that must
be checked and a 1 in the bit position that can be ignored.
Note:
This field is required when you configure a source IP address.
Source L4 Port
Specifies the packets TCP/UDP source port as the match condition.

Enter a user-defined Port ID to compare with the packet's TCP/UDP
source port.
June 2014

77
Criteria
Description
Destination L4 Port
Specifies the packets TCP/UDP destination port as the match

condition.
Enter a user-defined Port ID to compare with the packet's TCP/UDP
destination port.
Destination IP Address
Specifies a packets destination port IP address as the match condition.

The address you enter is compared to a packet's destination IP
Address. You must also configure the Destination IP Mask with the
Destination IP Address.
IPDSCP
(Optional)
Specifies the packet's IP DiffServ Code Point (DSCP) value as the

match condition for the rule.
The DSCP is defined as the high-order six bits of the Service Type
octet in the IP header. Enter an integer from 0 to 63.
Either the DSCP value, the IP Precedence value or the IP Tos value is
used to match packets to ACLs.
IP Precedence
(Optional)
Specifies the packet's IP Precedence value as the match condition for

the rule.
The IP Precedence field in a packet is defined as the high-order three
bits of the Service Type octet in the IP header.
Enter the IP Precedence value as an integer in the range 07. Either
the DSCP value or the IP Precedence value or IP Tos value is used to
match packets to ACLs.
IP TOS Bits
Specifies the packet's IP Tos value as the match condition for the rule.
(Optional)
The IP TOS field in a packet is defined as all eight bits of the Service
Type octet in the IP header. Matches on the Type of Service bits in the
IP header when checked.
For example, to check for an IP TOS value having bits 7 and 5 set and
bit 1 clear, where bit 7 is most significant, use a TOS Bits value of 0xA0
and a TOS Mask of 0xFF.
TOS Bits:
This value is a hexadecimal number from 00 to FF. Requires the bits
in a packets TOS field to match the two-digit hexadecimal number
that you enter.
TOS Mask:
This value is a hexadecimal number from 00 to FF. Specifies the bit
positions that are used for comparison against the IP TOS field in a
packet.
78

June 2014
AeroScout
The AeroScout Enterprise Visibility Solution leverages standard wireless networks infrastructure to
accurately locate any asset and utilize that location to deliver direct benefits such as asset tracking,
process automation, theft prevention and increased utilization. AeroScout Tags which are small,
battery-powered devices are mounted on equipment or carried by personnel to deliver real-time
location of the tracked asset or person. The messages transmitted by the AeroScout Tags are
received by access points and are passed along with additional information (e.g. signal strength
measurements) to the AeroScout Engine, a core component of the AeroScout visibility system, that
calculates the accurate location of the Tag .
The WLAN 8100 solution supports AeroScout enablement on an AP profile.
Important:
AeroScout enablement is supported only on indoor APs. It is not supported on the AP 8120O,
which is an outdoor AP.
The following sections describe AeroScout enablement using the Avaya CLI.
ACLI reference:
WC8180(config-wireless)#ap-profile ?
<1-32> AP Profile ID
Entering ap-profile (id = 2) configuration mode...
WC8180(config-ap-profile)#?
AP Profile Configuration Commands
aeroscout
Configure AE protocol support mode
ap-model
Configure AP Model
cos2dscp
CoS to DSCP Mappings
default
default-profile Set current profile, as the default profile for an AP
dscp2cos
DSCP to CoS QoS Mapping
end
End configure mode
exit
Exit from AP profile configuration mode
network
Configure Network Profile mapping on a radio
no
Disable AP profile parameters
profile-name
Set an AP profile name
radio
Configure Radio Profile mapping on a radio
WC8180(config-ap-profile)#aeroscout ?
enable Enable AE protocol support mode
Related Links
Enabling AeroScout on an AP profile on page 80
June 2014

79
Enabling AeroScout on an AP profile

Before you begin
commands:
WC8180#conf t
About this task

Use this procedure to create a sample AP profile and enable AeroScout on that profile.
Note:
AeroScout is disabled on an AP profile by default.
Procedure
1. Create an AP profile named AP-Profile-1 with profile ID 2.
Creating ap-profile (id = 2) ...
WC8180(config-ap-profile)#profile-name AP-Profile-1
WC8180(config-ap-profile)#exit
2. Verify creation of the AP profile.

WC8180#show wireless ap-profile 2 detail
Sample Output:
AP Profile Id: 2
Name
Country Code
AP Model
Is Default Profile?
AE Protocol Support
Status
:
:
:
:
:
:
AP-Profile-1
IN
Avaya APs (AP8120/AP8120-E)
No
Disable
Associated
3. Enable AeroScout on the AP profile.

Entering ap-profile (id = 2) configuration mode..
WC8180(config-ap-profile)#aeroscout enable
WC8180(config-ap-profile)#end
4. Verify AeroScout enablement.

Sample Output:
AP Profile Id: 2
Name
Country Code
AP Model
Is Default Profile?
AE Protocol Support
Status
:
:
:
:
:
:
AP-Profile-1
IN
No
Enable
Associated & Modified
Related Links
AeroScout on page 79
80

June 2014
Station Isolation
Station isolation prevents traffic from one wireless client inadvertently reaching another wireless
client on the same mobility VLAN. Station isolation is configured on a per network basis. When this
feature is enabled on the network, wireless clients can only communicate with devices in a different
subnet through the gateway. Traffic that is not destined to the gateway gets filtered by the AP.
Station Isolation is especially useful in environments such as a hotel or public hot spots.
Important:
Station isolation is supported in both the Overlay and Unified Access deployments.
The following sections describe enabling Station Isolation using the Avaya CLI.
Related Links
Enabling Station Isolation on a network profile on page 81
Enabling Station Isolation on a network profile

Before you begin
Ensure that you are in the wireless configuration mode of the Avaya CLI. Use the following
commands:
WC8180#conf t
Note:
From release 2.1.0 onwards, station isolation configuration is not supported on a Radio profile.
You can configure and enable only on a network profile.
About this task

Create a sample network profile and enable Station Isolation on that profile.
Procedure
1. Create a network profile named NP2 with profile ID 2.
WC8180(config-wireless)#network-profile 2
WC8180(config-network-profile)#profile-name NP2
WC8180(config-network-profile)#exit
2. Enable Station Isolation on the network profile.

Entering network-profile (id = 2) configuration mode..
WC8180(config-network-profile)#station-isolation enable
WC8180(config-network-profile)#
3. Verify that Station Isolation is enabled on the network profile.
June 2014

81
Sample Output:
WC8180#show wireless network-profile 2
------------------------------------------------------------Id Profile Mobility
Security Captive
Station
Name
VLAN
Mode
Portal
Isolation
--- ------- -------------- --------- --------- ------------2 NP2
default-MVLAN open
Disabled Enabled
--------------------------------------------------------------
4. (Optional) Configure a static Gateway MAC address.

Note:
The Gateway MAC Address can either be dynamically learnt through DHCP/ARP or can
be configured on the network profile. The dynamic learning is dependent on client
behavior. It is however recommended to configure a static MAC address if a static
Gateway is used in the network.
When you enable Station Isolation, only packets directed to the Gateway MAC are
allowed. All other packets are dropped. Station Isolation allows ARP, DHCP, DNS
packets, packets addressed to the client VAP MAC address and Multicast packets.
Entering network-profile (id = 2) configuration mode..
WC8180(config-network-profile)# gateway-mac 00:19:69:91:00:43
5. Verify network profile configuration in detail.

Sample Output:
WC8180#show wireless network-profile 2 detail
Network Profile ID: 2
Name
: NP2
SSID
: Corportate-Network
........
Station Isolation Mode
: Enabled
Gateway MAC address
: 00:19:69:91:00:43
6. View the wireless client status in detail, specifically the Gateway IP address and the
Gateway MAC address.
WC8180#show wireless client status
Total number of clients: 1
------------------------------------------------------------------------------Client
Client
Associated
Mobility
Status
MAC Address
IP Address
AP MAC
VLAN
----------------- --------------- ----------------- --------------- ----------00:05:02:01:00:01 10.1.21.180
00:1B:4F:6C:01:00 default-MVLAN
Auth
View the client status in detail.

WC8180#sh wireless client status detail
Total number of clients: 1
Client (MAC=00:05:02:01:00:01)
Client IP Address
User Name
SSID
Mobility Vlan
Status
Captive Portal Authenticated User
..........
82
:
:
:
:
:
:
10.1.21.180
client1
AVAYA-Demo
Mobile-Clients
Authenticated
No

June 2014
..........
Gateway IP
Gateway MAC
Radio Resource Measurement (RRM)
Location Report Requests
AP Detection via Beacon Table Report
Beacon Active Scan Capability
Beacon Passive Scan Capability
Channel Load Measurement
RSSI (%)
Signal Strength (dBm)
Noise (dBm)
WC8180#
:
:
:
:
:
:
:
:
:
:
:
10.1.29.1
00:19:69:91:00:43
Unsupported
Unsupported
Unsupported
Unsupported
Unsupported
Unsupported
46
-49
-95
7. Use the following command to view the client statistics. The output of this command helps
you view the number of packets (from clients) dropped as a result of Station Isolation, when
these packets are not addressed to the gateway. You can also view the number of packets
dropped because, for example, the Gateway MAC address was not successfully dynamically
determined.
WC8180#show wireless client statistics detail
Client (MAC=CC:52:AF:0E:C6:FA)
Packets Rx / Tx
: 445
Bytes Rx / Tx
: 50204
........
Station Isolation stats
Unknown-GW Pkts dropped: 0
Non-GW Dst Pkts dropped: 47
........
/ 49
/ 462
WC8180#
Related Links
Station Isolation on page 81
Ekahau RTLS support

The Ekahau Real-Time Location System (RTLS) is a fully automated tracking solution that
continually monitors the location of assets and people in a wireless network.
Ekahau Tags which are small, battery-powered devices are mounted on equipment or carried by
personnel to deliver real-time location of the tracked asset or person. The messages transmitted by
the Ekahau Tags are received by access points and are passed along with additional information
(e.g. signal strength measurements) to the Ekahau Engine, a core component of the Ekahau
visibility system, that calculates the accurate location of the tag.
The WLAN 8100 solution supports Ekahau enablement on an AP profile.
Note:
Ekahau enablement is supported only on indoor APs. It is not supported on the AP 8120O,
which is an outdoor AP.
The following sections describe Ekahau enablement using the Avaya CLI.
June 2014

83
ACLI reference:
AMDC(config-ap-profile)#ekahau ?
enable
Enable Ekahau tag support on this AP profile
server-ip
Configure Ekahau server IP address
server-port Configure Ekahau server UDP port
Configure an Ekahau server IP address.
AMDC(config-ap-profile)#ekahau server-ip ?
A.B.C.D Ekahau server IP address
Configure the Ekahau server port.
AMDC(config-ap-profile)#ekahau server-port ?
<1024-65535> Ekahau server UDP port
Note that the Ekahau server UDP port range is 1024 to 65535.
Related Links
Enabling Ekahau RTLS support on an AP profile on page 84
Enabling Ekahau RTLS support on an AP profile

Use this procedure to create a sample AP profile and enable Ekahau on that profile.
Note:
Ekahau is disabled on an AP profile by default.
Before you begin

Ensure that you are in the wireless configuration mode of the Avaya CLI. Use the following
commands:
WC8180#conf t
Procedure
1. Create an AP profile named AP-Profile-1 with profile ID 2.
Creating ap-profile (id = 2) ...
WC8180(config-ap-profile)#profile-name AP-Profile-1
WC8180(config-ap-profile)#exit
2. Verify creation of the AP profile.

Sample Output:
AP Profile Id: 2
Name
Country Code
AP Model
Is Default Profile?
Ekahau Protocol Support
Ekahau Tag Blink Mode
Ekahau Server IP
Ekahau Server UDP Port
Status
84
:
:
:
:
:
:
:
:
:
AP-Profile-1
IN
No
Disable
Disable
0.0.0.0
8569
Associated

June 2014
3. Enable Ekahau support on the AP profile.

Note:
By default Ekahau support is disabled on the AP profile.
Entering ap-profile (id = 2) configuration mode..
WC8180(config-ap-profile)#ekahau enable
4. Verify that Ekahau support is enabled.

Sample Output:
AP Profile Id: 2
Name
Country Code
AP Model
Is Default Profile?
Ekahau Protocol Support
Ekahau Tag Blink Mode
Ekahau Server IP
Ekahau Server UDP Port
Status
:
:
:
:
:
:
:
:
:
AP-Profile-1
IN
No
Enable
Enable
0.0.0.0
8569
Associated & modified
5. Use the following command to configure the Ekahau server IP address.

In the following example, 10.11.2.31 is a sample Ekahau server IP address.
WC8180#(config-ap-profile)#ekahau server-ip 10.11.2.31
The following command resets the Ekahau server IP address to the default value 0.0.0.0.
WC8180(config-ap-profile)# default ekahau server ip
6. Use the following command to configure the Ekahau server UDP port.
In the following example, the server port is configured as 8000.
WC8180#(config-ap-profile)#ekahau server-port 8000
The following command resets the Ekahau server port to the default value 8569.
WC8180(config-ap-profile)# default ekahau server port
7. Optionally, to disable Ekahau support, use the following command:

WC8180(config-ap-profile)# default ekahau enable
This restores the default Ekahau support mode for the specified AP profile, that is, it disables
Ekahau support.
Related Links
Ekahau RTLS support on page 83
June 2014

85
Wi-Fi Zoning
Wi-Fi Zoning enables you to control the physical region of connectivity around an access point (AP)
by using the received signal strength indicator (RSSI) measurements of a clients 802.11
transmission, as an indicator of its distance from the access point (AP).
The primary use of this feature is to create Wi-Fi zones around an AP in a crowded Bring Your Own
Device (BYOD) deployment, such as in stadiums, hot-spots or trade-shows, to restrict the scale of
connectivity of wireless clients. A dense deployment can overwhelm a wireless network and affect
services for all users. Wi-Fi Zoning helps you reduce the service area around the AP, thereby
reducing the scale of users connecting to the system. It also helps improve the overall throughput of
your wireless deployment.
You can define two types of Wi-Fi zones around a domain AP, namely a Wi-Fi Association Zone and
a Wi-Fi Roaming Zone. The Wi-Fi association zone of an AP is the physical region around the AP
within which clients can associate to the wireless networks advertised by the AP. This zone is
configured by specifying an RSSI authentication threshold for the 802.11 authentication frames
received from the clients. If the authentication frames received from the clients are below the
configured threshold, the authentication request is rejected.
The Wi-Fi roaming zone is the physical region around the AP within which client devices can roam
without losing connectivity with the AP. The Wi-Fi roaming zone is configured by specifying an RSSI
drop threshold value for the 802.11 data transmissions received from the client. When this value is
configured, an AP samples the RSSI values for the upstream data transmission from the client. The
maximum value over 64 samples is compared against the configured drop threshold. When the
maximum value falls below the configured drop threshold, the client is explicitly de-authenticated
from the AP.
86

June 2014
Figure 3: Typical association and roaming zones around an AP
The WLAN 8100 solution supports configuration of Wi-Fi Zoning on a domain AP (in the domain AP
database) or using radio profiles. Configuration on a domain AP takes precedence over the
configuration specified using a radio profile, except in the case where the AP database is set for
auto-configuration (-100 dBm).
Important:
The allowed range for the Wi-Fi association zone and roaming zone thresholds is -99 to -1
dBm. The values 0 and -100 dBm are used to disable Wi-Fi Zoning and for auto-configuration
respectively. However, in current release the value -100 dBm disables Wi-Fi zoning. Choose a
value depending on the physical distance between the APs and also the AP transmission
power.
When you configure the Wi-Fi association zone and roaming zone thresholds for an AP, always
ensure that the Wi-Fi association zone thresholds is greater than or equal to the Wi-Fi roaming
zone thresholds. For example, if Wi-Fi association zone thresholds value is -65 dBm, then
configure Wi-Fi roaming zone with thresholds value -80 dBm or -65 dBm.
The recommended range for optimal zoning is -90 dBm to -65 dBm.
The following sections describe the configuration of Wi-Fi Zoning using the Avaya CLI.
Related Links
Configuring Wi-Fi Zoning Job Aid on page 88
Configuring Wi-Fi Zoning on an AP using a radio profile on page 90
Configuring Wi-Fi Zoning on a domain AP on page 92
June 2014

87
Configuring Wi-Fi Zoning Job Aid

Use this procedure as a job aid to configure the Wi-Fi association zone and roaming zone
thresholds for APs in your wireless deployment.
Procedure
1. Plan the number of APs that need to be deployed in the Wi-Fi deployment zone. This
depends on the capacity requirement of your deployment.
2. Evenly distribute the APs in the Wi-Fi Association coverage zone. Ensure that the
Association Zones of neighboring APs (of each AP) overlap by about 30 to 40%.
3. Configure the Wi-Fi association zone threshold on an AP. Use the following tables as a
guide to configure appropriate association zone and roaming zone thresholds on the AP.
The values are tabulated based on sample client distances from the AP.
Table 1: Sample client RSSI values with respect to distance from the AP Operating
frequency 5 GHz
The following sample values are based on an FCC domain AP (model AP 8120) operating at 5.0 GHz
and on channel 44. The values are sampled in a 90% empty office floor, for an AP in a 10 feet high
ceiling mount position.
Ekahau 802.11n USB
IPAD-2
(40 MHz, MIMO)
(20 MHz, SISO)
Distance (ft) from

AP
SSI-Max (dBm)
SSI-AVG (dBm)
SSI-Max (dBm)
SSI-Avg (dBm)
-54
-54
-48
-52
10
-58
-58
-54
-54
15
-58
-59
-57
-58
20
-59
-64
-55
-56
30
-57
-57
-58
-58
40
-60
-60
-58
-58
50
-62
-62
-61
-61
60
-64
-65
-63
-64
70
-64
-66
-62
-63
75
-65
-66
-66
-66
Table 2: Sample client RSSI values with respect to distance from the AP Operating
frequency 2.4 GHz
The following sample values are based on an FCC domain AP (model AP 8120) operating at 2.4 GHz
and on channel 8. The values are sampled in a 90% empty office floor, for an AP in a 10 feet high
ceiling mount position.
88

June 2014
Ekahau 802.11n USB
IPAD-Mini
IPAD-2
(40 MHz, MIMO)
(40 MHz, SISO)
(20 MHz, SISO)
Distance
SSI-MAX
SSI-AVG
SSI-MAX
SSI-AVG
SSI-MAX
SSI-AVG
(ft)
(dBm)
(dBm)
(dBm)
(dBm)
(dBm)
(dBm)
-34
-38
-42
-47
-49
-49
10
-35
-36
-46
-47
-43
-43
15
-35
-35
-45
-47
-49
-49
20
-37
-38
-51
-55
-48
-48
30
-44
-44
-51
-54
-53
-53
40
-46
-47
-53
-55
-54
-54
50
-47
-47
-64
-66
-56
-56
60
-49
-50
-58
-62
-56
-56
70
-46
-46
-56
-61
-57
-58
75
-54
-54
-53
-57
-61
-61
4. Configure the Roaming zone threshold on each AP, such that the roaming zones of the APs
overlap by about 60 to 80%. Configure the Roaming Zone threshold using the tables in Step
4.
Important:
Ensure that you configure the roaming zone threshold to be at least 15 dBm below the
association zone threshold. Also ensure that the roaming zone for an AP overlaps the
association zone of its neighboring AP.
5. Verify the roaming behavior of the clients within the association zone.
6. Verify the roaming behavior of clients at the edge of the association zone.
7. Tune the AP power settings using the following commands:
WC8180#wireless
Action commands
channel
image-update
power
reset
tech-dump
ap ?
for a managed AP
Change radio channel on a managed AP
Update image on a managed AP
Change radio transmit power on a managed AP
Reset a managed AP
Request AP tech-dump
Update the AP radio power using the following commands:

In this example, 33:FF:44:35:55:6F is a sample AP MAC address.
WC8180#wireless ap power 33:FF:44:35:55:6F 1 ?
<1-100>
Radio Power in percentage
save-to-db Save power settings of the managed AP into domain DB
8. Repeat Step 6 and Step 7.

9. After you determine the optimal Association and Roaming zone thresholds, you can
configure the AP in your deployment with the lowest cut-off values for these thresholds. You
can apply this configuration to a single AP or to all APs in your deployment.
June 2014

89
Related Links
Configuring Wi-Fi Zoning on an AP using a radio profile

Configure Wi-Fi Association Zone and Roaming Zone RSSI thresholds for AP Radios, using a radio
profile.
Before you begin

Ensure that you are in the wireless configuration mode.
Execute the following commands:
WC8180#conf t
About this task

Use this procedure to create a sample radio profile and enable Wi-Fi association zone and roaming
zone thresholds on that profile.
Procedure
1. Create a radio profile named rp_WiFiZone with profile ID 20.
access-wids
Create a radio profile with access-wids operation mode
ap-model
Hardware model
country-code Create a radio profile with a country code
wids-wips
Create a radio profile with wids-wips operation mode
WC8180(config-radio-profile)#
WC8180(config-wireless)#radio-profile 20 ap-model ap8120/E country-code US accesswids a-n
Note:
Auto tune the locked channel and power of the radio profile, by configuring the channel
and power in auto mode in domain AP database.
2. Verify creation of the radio profile.
WC8180(config-radio-profile)#show wireless radio-profile 20
Sample Output:
----------------------------------------------------------Id
Profile Name
AP
802.11
Operation
Auto
Model
Mode
Mode
Ch.
-- -------------------------- ----------------------20
rp_WifiZone
AP8120/E 802.11a/n access-wids Yes
------------------------------------------------------------
3. Configure the Wi-Fi Association and Roaming Zone RSSI thresholds. Specify values of -50
dBm and 70 dBm for the Association Zone and Roaming Zone thresholds, respectively.
90

June 2014
Important:
The allowed range for the Wi-Fi Association Zone and Roaming Zone thresholds is -99
to -1 dBm. The values 0 and -100 dBm are used to disable Wi-Fi Zoning and for autoconfiguration respectively. However, in current release the value -100 dBm disables WiFi zoning.
Also, ensure that the Association Zone thresholds is always greater than or equal to the
Roaming Zone thresholds. The recommended range for optimal zoning is -90 dBm to
-65 dBm.
WC8180(config-radio-profile)#assoc-zone ?
<-100 - 0> Enter the RSSI value in dBM. 0(Disabled), -1 to -99, -100(Auto)
WC8180(config-radio-profile)#assoc-zone -50
WC8180(config-radio-profile)#roam-zone ?
<-100 - 0> Enter the RSSI value in dBM. 0(Disabled), -1 to -99, -100(Auto)
WC8180(config-radio-profile)#roam-zone -70
4. Verify Wi-Fi Association Zone and Roaming Zone thresholds configuration on the radio
profile in detail.
WC8180#show wireless radio-profile 20 detail
Sample Output:
Radio Profile Id: 20
Name
:
Configuration Model
:
Country Code
:
Operation Mode
:
IEEE 802.11 Mode
:
RF Scan - Duration
:
RF Scan - Other Channels
:
RF Scan - Other Channels Scan Interval :
Broadcast/Multicast Rate Limiting
:
Broadcast/Multicast Rate Limit (Normal):
Broadcast/Multicast Rate Limit (Burst) :
Beacon Interval
:
DTIM Period
:
Fragmentation Threshold
:
RTS Threshold
:
Short Retry Limit
:
Long Retry Limit
:
Max Transmit Lifetime
:
Max Receive Lifetime
:
Max Clients
:
Auto Channel Adjustment Mode
:
Auto Power Adjustment Mode
:
Auto Power Minimum
:
Non-Auto Transmit Power
:
WMM(Wi-Fi Multimedia Mode)
:
Band Steering Mode
:
Load Balancing Mode
:
Load Balance Utilization Start
:
Load Balance Utilization Threshold
:
Channel Bandwidth
:
Primary Channel
:
802.11n Protection Mode
:
SGI(Short Guard Interval)
:
STBC(Space Time Block Code) Mode
:
Multicast Transmit Rate
:
June 2014
rp_WifiZone
AP8120/E
US
access-wids
802.11a/n
10 msec
Yes
60 sec
Disabled
50 pkts/sec
75 pkts/sec
100 msec
3
2346
2347
7
4
512 msec
512 msec
200
Yes
Yes
40 %
80 %
Enabled
Disabled
Disabled
30 %
60 %
40 MHz
Lower
Auto
Enabled
Enabled
Auto

91
APSD(Auto Power Save Delivery) Mode

No ACK for Incorrectly Received Frames
RRM(Radio Resource Measurement)
Association Zone Threshold
Roaming Zone Threshold
:
:
:
:
:
Enabled
Disabled
Enabled
-50 (dBm)
-70 (dBm)
Related Links
Configuring Wi-Fi Zoning on a domain AP

Use this procedure to configure and verify Wi-Fi Zoning (Association Zone and Roaming Zone RSSI
thresholds) on a domain AP.
Before you begin

Ensure that you are in the domain AP configuration mode.
Sample commands for AP MAC address 5C:E2:86:0F:52:C0:
WC8180(config-wireless)#domain ap 5C:E2:86:0F:52:C0
Entering domain AP (mac = 5C:E2:86:0F:52:C0) configuration mode...
WC8180(config-domain-ap)#?
About this task

The following procedure lists the commands to view Wi-Fi Zoning configuration in further detail with
sample outputs.
Procedure
1. Configure domain AP radio profile parameter.
WC8180(config-domain-ap)#radio ?
<1-2> Radio Interface
WC8180(config-domain-ap)#radio 1 ?
admin-enable Configure the radio admin mode enable
antenna
Select antenna type for the specified radio
assoc-zone
Configure association RSSI threshold
channel
Configure channel setting for the specified radio
ext-cable
Select extension cable type for the specified radio
power
Configure power setting for the specified radio
roam-zone
Configure dissociation RSSI threshold
2. Configure thresholds value for the Wi-Fi association zone and roaming zone.
The following example assigns thresholds value -50 dBm and -65 dBm for association
zone and roaming zone respectively, on radio 1.
WC8180(config-domain-ap)#radio 1 assoc-zone -50
WC8180(config-domain-ap)#radio 1 roam-zone -65
3. Verify Wi-Fi Zoning configuration on domain AP database.

Use the command show wireless domain ap database <AP MAC address>
detail to view the status.
Sample Output:
WC8180#show wireless domain ap database 5C:E2:86:0F:52:C0 detail
------------------------------------------------------AP MAC
: 5C:E2:86:0F:52:C0
Label
:
92

June 2014
Model
: AP8120
Country Code
: US
Serial Number
: LBNNTMJXAC019M
Profile ID
: 1
Preferred Controller : 0.0.0.0
Alternate Controller : 0.0.0.0
Location
Campus
:
Building
:
Floor
:
Sector
:
Radio 1
Channel
Power
External Antenna : N/A
Extension Cable
: N/A
Assoc-zone
: -50 dBm
Roam-zone
: -65 dBm
Admin-Enable
: True
Radio 2
Channel
Power
Extension Cable
: N/A
Assoc-zone
: Auto
Roam-zone
: Auto
Admin-Enable
: True
-------------------------------------------------------
Related Links
Bonjour Gateway Support

Bonjour is a Layer 2 service discovery protocol of Apple, that relies on multicast messages. Bonjour
is used to locate devices such as printers, other computers, and the services that the devices on a
network offer using a multicast Domain Name System (mDNS). As the addresses used by the
protocol are link-local multicast addresses, each query or advertisement is only forwarded on the
VLAN assigned to it, and not across different VLANs.
To relay advertisements across different VLANs, Bonjour can be extended across subnets by using
Avaya WLAN 8100 Bonjour Gateway feature. The Avaya WLAN 8100 Bonjour Gateway feature
selectively relays service discovery packets across networks without using external gateway or
custom router configuration. Bonjour Gateway feature includes the following features:
Relay mode
Scan- list
Filter- rule
Location- based- relay
June 2014

93
The following example of ACLI reference describes Bonjour Gateway enablement using the Avaya
CLI.
WC8180( config-wireless)# multicast-DNS ?
<cr> Enter the configuration mode of mDNS
WC8180(config-mDNS)# ?
mDNS-relay
Enable relay of mDNS traffic across VLANs
scan-list
Configure mobility VLANs where the mDNS traffic should be relayed
filter-rule
Configure filter rules to filter the services in the mDNS packets.
location-based-relay
Enable location based relay
exit
exit the mode
Related Links
Configuring multicast DNS relay mode on page 94
Configuring Scan-list on page 95
Configuring Filter-rule on page 96
Configuring Location-based-relay on page 97
Managing multicast VLAN Gateway election on page 98
Viewing Bonjour Gateway configuration statistics on page 98
Configuring multicast DNS relay mode

You can configure Bonjour Gateway solution on the Avaya WLAN 8100 by enabling the relay mode.
There are three relay modes:
Enable. Enables the relay of mDNS traffic across mobility VLANs.
Disable. Disables the relay of mDNS traffic across mobility VLANs.
L2Flood. Floods mDNS traffic in received mobility VLAN.
Note:
L2Flood relay mode is enabled by default.
For more information, see the Feature Overview for Avaya WLAN 8100, NN47251-102.
Before you begin

commands:
WC8180#conf t
About this task

Use this procedure to configure multicast DNS relaying in WC.
ACLI Reference:
WC8180(config-mDNS)#mdnS-relay ?
disable
Disable Relay of mDNS traffic across mobility VLANs
enable
Enable Relay of mDNS traffic across mobility VLANs
l2-flood flood mDNS traffic in received mobility VLAN
94

June 2014
Procedure
1. Enable mDNS relay across the VLANs.
WC8180(config-mDNS)# mDNS-relay enable

WC8180#show wire multicast-dNS
multicast DNS Relay Mode: Enabled
2. Disable relay of mDNS traffic across mobility VLANs.

WC8180(config-mDNS)# mDNS-relay disable

multicast DNS Relay Mode: disabled
3. Configure L2 Flooding relay to flood mDNS traffic in received mobility VLAN.

WC8180(config-mDNS)# mDNS-relay l2-flood

multicast DNS Relay Mode: l2-flood
Related Links
Configuring Scan-list
About this task
Use this procedure to configure required mobility VLANs under Scan-list and to enable relaying of
multicast DNS traffic across these MVLANs.
Procedure
Configure the required mobility VLANs for Scan-list configuration.
WC8180(config-mDNS)# scan-list <mobility-VLAN name>
<cr> Enter to execute command
exit To exit from the mode
Verify the configuration.

WC8180#show wire multicast-dNS scan-list
Example
Sample Scan-list configuration using the CLI:
1. Configure mobility VLAN default-MVLAN and MV-mDNS under scan-list. Execute the
following command:
WC8180(config-mDNS)# scan-list default-MVLAN
WC8180(config-mDNS)# scan-list MV-mDNS
2. Verify the configuration:

WC8180#show wire multicast-dNS scan-list
-------------------------------Vlan Name
June 2014

95
-------------------------------default-MVLAN
MV-mDNS
--------------------------------
Related Links
Configuring Filter-rule
Filter-rule allows you to define only those mDNS services that can be relayed across or within the
networks. Filter-rule can either be a UDP protocol or TCP protocol. You can configure allow or
deny parameters for the Filter-rule.
You can configure up to 25 filter rules out of which nine rules are configured by default.
Default Filter-rules
The following table describes the list of system generated default Filter-rules.
Filter-rule Name
Reg-ex
Permit
State
Default_airplay
airplay
enable
Default_airprint
airprint
enable
Default_raop
raop
enable
Default_afpovertcp
afp
disable
Default_appletv
appletv
disable
Default_appletv-itunes
itunes
disable
Default_appletv-pair
appletv-pair
disable
Default_dacp
dacp
disable
Default_ipp
ipp
disable
Note:
By default, Filter-rules airplay, airprint, and raop are in enable state and the remaining are in
disabled state.
About this task

Use this procedure to configure rules to filter the mDNS services, to avoid flooding of all services
across the network.
Procedure
1. Configure a new Filter-rule and execute the following command:
WC8180(config-mDNS)# filter-rule <filter-rule name> <service-name string> protocol
<protocolStr> <allow|deny> <cr>
ProtocolStr is an optional parameter.

WC8180(config-mDNS)# filter-rule <filter-rule name> <service-name string> <allow|
deny> <cr>
96

June 2014
Note:
By default, all new user defined Filter-rule are in enable state.
2. Use this command to enable an existing filter-rule.
WC8180(config-mDNS)# filter-rule <filter-rule name> state <enable>
Verify enablement:
WC8180#show wire multicast-dNS filter-rule
Example
Execute the following command to configure a new filter-rule name samba with protocol type
udp.
WC8180(config-mDNS)#filter-rule samba smb protocol udp allow
Execute the following command to enable existing filter-rule name default_appletv.

WC8180(config-mDNS)#filter-rule default_appletv enable
Verify enablement:
WC8180#show wire multicast-dNS filter-rule
------------------------------------------------------Filter-rule Name
: default_airplay
Service Name
: airplay
Protocol
: any
Mode
: allow
Status
: Enabled
Type
: System Defined
-------------------------------------------------------
Related Links
Configuring Location-based-relay
Before you begin
Configure the location (campus, building, floor and sector) parameters in the AP database, see
Configuring domain AP parameters on page 100 for more details.
About this task

Use this procedure to configure mDNS traffic relay across networks using location-based-relay.
Procedure
1. Enable Location-based-relay.
WC8180(config-mDNS)# location-based-relay enable

Wc8180#show wireless multicast-dNS location-based-relay
multicast DNS location based Relay Mode: Enabled
2. Disable the mDNS traffic relay across networks based on location.

WC8180(config-mDNS)# no location-based-relay
June 2014

97

WC8180#show wire multicast-dNS location-based-relay
multicast DNS location based Relay Mode: Disabled
Related Links
Managing multicast VLAN Gateway election

The mDNS VLAN gateway election is built on the existing VLAN server election.
If more than one mobility switch is in the domain, then the one with highest priority value is elected
as the mDNS VLAN Gateway. But if there are two mobility switches with the same priority value,
then the one with the lowest IP parameter is elected as the mDNS VLAN Gateway.
About this task

Use this procedure to configure and verify a mobility VLAN for mDNS Gateway election.
Procedure
1. Configure mobility VLANs. Execute the following command for configuring mobility VLAN
name default-MVLAN and MV-mDNS.
Example :
WC8180(config-wireless)#switch vlan-map default-MVLAN lvid 70 l3-mobility server
weight 9
WC8180(config-wireless)#switch vlan-map MV-mDNS lvid 90 l3-mobility server weight 7
2. Verify if the switch is serving as mDNS gateway for the mapped VLAN.
Use the show wireless switch vlan-map command to include the mDNS gateway
information of the corresponding switch.
Example:
WC8180#show wireless switch vlan-map
-------------------------------------------------------------------------Mobility VLAN Name
LVID
State
Role
WCP-V Admin mDNS
Mapped GW
----------------------- ------------- ------ ----MV-mDNS
90
Active
Server Yes
Yes
No
default-MVLAN
70
Active
Server Yes
Yes
Yes
-------------------------------------------------------------------------Total Number of Mobility VLANs = 2
The mobility VLAN default-MVLAN is elected as the mDNS Gateway because, the mobility
VLAN weight is greater than the weight of the other mobility VLAN .
Related Links
Viewing Bonjour Gateway configuration statistics

Use this procedure to view and verify Bonjour Gateway configuration.
98

June 2014
View wireless switch multicast-DNS statistics:

WC8180#show wireless switch multicast-DNS statistics ?
View wireless AP statistics detail:

WC8180#show wireless ap statistics detail ?
About this task

The following procedure lists the commands to view Bonjour Gateway configuration in further detail
with sample outputs.
Procedure
1. Use the command WC8180 # show wireless switch multicast-DNS statistics
to view the multicast DNS statistics for a mobility switch.
Sample Ouptut:
WC8180#show wireless switch multicast-DNS statistics
mDNS
mDNS
mDNS
mDNS
mDNS
Packets
Packets
Packets
Packets
Relayed
Received
matched Filter
exceeding Path-MTU
Dropped due to filter mismatch
packets
:
:
:
:
:
79275
79142
0
122
37925
2. Use the command WC8180 # show wireless ap statistics detail to view the AP
statistics detail for an AP that is in a managed state.
Example: AP statistics detail for AP MAC address 00:1B:4F:6C:1B:A0.
Sample Output:
WC8180#show wireless ap statistics detail
AP MAC Address
:00:1B:4F:6C:1B:A0
Packets:
Bytes:
Packets Dropped:
Bytes Dropped:
Ethernet Packet:
Ethernet Bytes:
Ethernet Multicast Packets:
Ethernet Error Count:
L2 tunnel Bytes:
L2 tunnel Packets:
L2 tunnel Multicast:
ARP Requests From Bcast to Ucast:
Filtered ARP Requests:
Broadcasted ARP Requests:
mDNS Filter Mismatch Drop Count:
mDNS Fragmented packet Drop Count:
mDNS Location Mismatch Drop Count:
Receive
Transmit
-----------------------------------------42068
148372
10119177
20619686
NA
0
10081436
0
339389
382797
45628929
142925278
21591
21591
0
0
11537309
9192182
105424
20096
25093
13707
154
48682
20016
361
670
0
Related Links
June 2014

99
Domain AP configuration
Use the following procedures to configure domain APs.
Related Links
Configuring domain AP parameters on page 100
Enabling or disabling radios on a domain AP on page 102
Saving AP radio channel and power configuration to the domain AP database on page 104
LED management on a domain AP on page 108
Configuring and verifying the LED state on a domain AP on page 108
Configuring domain AP parameters

Use this procedure to configure parameters for a domain AP.
Note:
In earlier releases of the WLAN 8100, configuration changes made to the domain AP database
required a manual AP reset for the changes to take effect. From release 2.1 onwards, the
wireless controller config-sync operation synchronizes configuration changes across the
domain, and an AP reset is not required.
Procedure
1. Enter the wireless configuration mode of the controller:
WC8180#conf t
End with CNTL/Z.
2. View the APs in the domain AP database:

Sample Output:
WC8180(config-wireless)#show wireless domain ap database
---------------------------------------------------------Profile/ Radio 1 Radio 2 Preferred
AP MAC
Country Channel Channel WC
----------------- ------- ------- ------- --------------00:1B:4F:69:E7:80 4/IN
Auto
Auto
0.0.0.0
00:1B:4F:6A:18:E0 7/IN
44
11
0.0.0.0
---------------------------------------------------------WC8180(config-wireless)#
3. Enter the domain AP configuration mode for the AP whose parameters you want to modify,
using the following command:
In the following example, 00:1B:4F:69:E7:80 is the MAC address of the domain AP
whose parameters you want to modify.
WC8180(config-wireless)# domain ap 00:1B:4F:69:E7:80
Entering domain AP (mac = 00:1B:4F:69:E7:80) configuration mode...
100

June 2014
4. Configure the appropriate parameters on the domain AP, using the following commands:
WC8180(config-domain-ap)#?
Configure Domain AP parameters
alternate-controller Configure alternate wireless controller
default
end
exit
Exit from domain AP configuration mode
label
Configure AP Label
led-state
Configure the operating state of LEDs on the AP
location
Configure AP Location
model
Configure AP Model
no
Delete Domain AP configurations
preferred-controller Configure preferred wireless controller
profile-id
Assign AP Profile ID used for AP configuration
radio
Configure radio channel / power / antenna / cable
settings
Configure an alternate controller.

WC8180(config-domain-ap)# alternate-controller ?
A.B.C.D Controller IP Address
Configure the AP label.

WC8180(config-domain-ap)# label ?
WORD AP Label (1-32 characters)
Configure the LED state on the AP.

WC8180(config-domain-ap)# led-state ?
off
Turn-off all LEDs on the AP
normal
Set original operation mode (enable)
Configure the location of the AP.

WC8180(config-domain-ap)#location ?
WORD Enter campus string (limit: 1-8 chars)
Configure the AP model.

WC8180(config-domain-ap)#model ?
ap8120
Avaya AP8120
ap8120-E Avaya AP8120-E (with external antennas)
Configure the preferred controller IP address.

WC8180(config-domain-ap)#preferred-controller ?
A.B.C.D Controller IP Address
Configure an AP profile.
WC8180(config-domain-ap)#profile-id ?
Configure the domain AP radio.

Select the radio interface.
WC8180(config-domain-ap)#radio ?
Configure the following parameters on the selected radio interface.

June 2014

101
antenna
assoc-zone
channel
ext-cable
power
roam-zone

Related Links
Enabling or disabling radios on a domain AP

Use this procedure to enable or disable radios on a domain AP by configuring the Admin-Enable
parameter on a domain AP radio.
Procedure
1. View the managed APs in the domain.
WC8180#show wireless domain ap database
-------------------------------------------------------Profile/ Radio 1 Radio 2 Preferred
AP MAC
----------------- ------- ------- ------- ------------00:1B:4F:69:F4:20 1/IN
44
Auto
192.168.14.11
00:1B:4F:6A:05:00 2/IN
44
6
192.168.14.13
00:1B:4F:6B:E3:E0 1/IN
Auto
Auto
192.168.14.11
--------------------------------------------------------
2. View the current domain AP configuration for the AP. In the following example we select an
AP with MAC address 00:1B:4F:6A:05:00.
View the domain AP configuration for the AP.
WC8180#show wireless domain ap database 00:1B:4F:6A:05:00
------------------------------------------------------Profile/ Radio 1 Radio 2 Preferred
AP MAC
----------------- ------- ------- ------- -----------00:1B:4F:6A:05:00 1/IN
44
Auto
192.168.14.11
------------------------------------------------------Total number of entries in AP database = 1
View the AP configuration in detail. Note that the Admin-Enable is set to False on
both Radio 1 and Radio 2.
WC8180#show wireless domain ap database 00:1B:4F:6A:05:00 detail
------------------------------------------------------AP MAC
: 00:1B:4F:6A:05:00
Label
:
Model
: AP8120
Country Code
: IN
Serial Number
: LBNNTMJXAD0830
Profile ID
: 1
Location
Campus
:
Building
:
Floor
:
Sector
:
102

June 2014
Radio 1
Channel
: 44
Power
: 80
Extension Cable
: N/A
Assoc-zone
: Auto
Roam-zone
: Auto
Admin-Enable
: False
Radio 2
Channel
Power
Extension Cable
: N/A
Assoc-zone
: Auto
Roam-zone
: Auto
Admin-Enable
: False
3. Configure the Admin-Enable mode for Radio 1 of the AP with MAC address 00:1B:4F:
6A:05:00. Ensure that you are in the domain AP configuration mode of the CLI.
CLI reference:
antenna
assoc-zone
channel
ext-cable
power
roam-zone
Set the Admin-enable mode on radio 1 of the AP to True.

WC8180(config-domain-ap)#domain ap 00:1B:4F:6A:05:00
WC8180(config-domain-ap)#radio 1 admin-enable
4. Perform a controller configuration synchronization to apply changes to the AP.

Important:
In earlier releases of the WLAN 8100, configuration changes made to the domain AP
database required a manual AP reset for the changes to take effect. From release 2.1
onwards, the wireless controller config-sync operation synchronizes configuration
changes across the domain, and an AP reset is not required.
5. Verify that Radio 1 is enabled on the AP, that is Admin-Enable is set to True.
WC8180(config-domain-ap)#show wireless domain ap database 00:1B:4F:6A:05:00 detail
------------------------------------------------------AP MAC
: 00:1B:4F:6A:05:00
Label
:
Model
: AP8120-E
Country Code
: IN
Serial Number
: 11JX192F0039
Profile ID
: 5
Location
Campus
:
Building
:
June 2014

103
Floor
Sector
Radio 1
Channel
Power
External Antenna
Extension Cable
Assoc-zone
Roam-zone
Admin-Enable
Radio 2
Channel
Power
External Antenna
Extension Cable
Assoc-zone
Roam-zone
Admin-Enable
:
:
:
:
:
:
:
:
:
36
Automatic Adjustment
WL81AT070E6
3-ft
Auto
Auto
True
:
:
:
:
:
:
:
5
Automatic Adjustment
WL81AT070E6
3-ft
Auto
Auto
False
Related Links
Saving AP radio channel and power configuration to the domain AP

database
Use this procedure to save AP radio channel or power configuration to the domain AP database for
a specific radio of an AP, for a specific AP or for all managed APs in the domain.
Note:
From release 2.1.0 onwards, changes to domain AP configuration parameters does not require
an AP reset for the configuration to take effect.
Important:
After you save the channel or power configuration to the domain AP database, it cannot be
altered by the Auto-RF APA or ACA tuning mechanisms.
Procedure
1. View the managed APs in the domain.
AP MAC
----------------- ------- ------- ------- ------------00:1B:4F:69:F4:20 1/IN
Auto
Auto
192.168.14.11
00:1B:4F:6A:05:00 2/IN
Auto
Auto
192.168.14.13
--------------------------------------------------------
2. Execute the following commands to save AP channel configuration to the domain AP

database, for a specific domain AP.
104

June 2014
In the following example we save the channel configuration of the AP with MAC address
00:1B:4F:6A:05:00, to the domain AP database.
a. View the current channel configuration of the AP.
WC8180#show wireless domain ap database 00:1B:4F:6A:05:00
---------------------------------------------------------Profile/ Radio 1 Radio 2 Preferred
AP MAC
----------------- ------- ------- ------- --------------00:1B:4F:6A:05:00 10/CN
Auto
Auto
192.168.14.11
---------------------------------------------------------Total number of entries in AP database = 1
View the AP radio status.

WCP8180#show wireless ap radio status 00:1B:4F:6A:05:00
---------------------------------------------------------------AP MAC
Radio Operation Channel Power 802.11 Mode Auth Clients
----------------- ----- --------- ------- ----- ---------------00:1B:4F:6A:05:00
1
On
Auto
99 802.11a/n
0
2
On
Auto
99 802.11b/g/n
100
----------------------------------------------------------------
Observe that the channel setting for both radios on 00:1B:4F:6A:05:00 is auto and
the radios are operating on channels 157 and 6.
(Optional) View the AP radio status in detail.
WC8180#show wireless ap radio status 00:1B:4F:6A:05:00 detail
AP (mac=00:1B:4F:6A:05:00)
Radio 1 (mac=00:1B:4F:6A:05:00)
Operation Mode
:
802.11 Mode
:
Channel
Assignment Policy
:
Bandwidth
:
Current Channel
:
Manual Adjustment
:
Transmit Power
Assignment Policy
:
Current Power
:
Manual Adjustment
:
Radio Resource Measurement :
Total Neighbors
:
Authenticated Clients
:
WLAN Utilization
:
Antenna
:
Extension Cable
:
Radio Oper-Down Reason
:
Radio 2 (mac=00:1B:4F:6A:05:00)
Operation Mode
:
802.11 Mode
:
Channel
Assignment Policy
:
Bandwidth
:
Current Channel
:
Manual Adjustment
:
Transmit Power
Assignment Policy
:
Current Power
:
June 2014
-- Operation: On
Access WIDS
802.11a/n
Fixed
40MHz
auto
Complete
Fixed
99 %
None
Enabled
5
0
5 %
None
None
None
-- Operation: On
Access WIDS
802.11b/g/n
Fixed
20MHz
Auto
Complete
Fixed
99 %

105
Manual Adjustment
Radio Resource Measurement
Total Neighbors
WLAN Utilization
Antenna
Extension Cable
Radio Oper-Down Reason
:
:
:
:
:
:
:
:
None
Enabled
116
100
10 %
None
None
None
b. Save the AP channel configuration to the domain AP database.

CLI Reference:
WC8180#wireless ap channel <AP-MAC-address> <radio> ?
<1-216>
Enter a valid channel number. Use 'show wireless ap radio
supported-channels' to display valid channels.
save-to-db Save channel settings of the managed AP into domain DB
Use the following command to save the AP channel configuration (on both radios) to the
domain AP database. When prompted, click y to confirm.
WC8180#wireless ap channel 00:1B:4F:6A:05:00 1 save-to-db
WARNING: This AP will be programmed to operate on fixed channel and Auto-RF
will not tune the channel in future.
Do you want to continue (y/n) ? y
WC8180#wireless ap channel 00:1B:4F:6A:05:00 2 save-to-db
WARNING: This AP will be programmed to operate on fixed channel and Auto-RF
will not tune the channel in future.
c. Save AP power configuration to the domain AP database.

CLI Reference:
WC8180#wireless ap power <AP-MAC-address> <radio> ?
<1-100>
Radio Power in percentage
save-to-db Save power settings of the managed AP into domain DB
Use the following command to save the AP power configuration (on both radios) to the
domain AP database.
WC8180#wireless ap power 00:1B:4F:6A:05:00 1 save-to-db
WC8180#wireless ap power 00:1B:4F:6A:05:00 2 save-to-db
d. Perform a configuration synchronization to apply changes to the AP.

Note:
Prior releases of WLAN 8100 required a reset of the AP when domain AP changes
were made. From release 2.1 onwards, you do not need to perform an AP reset.
Instead, perform controller synchronization to apply the changes to the AP.
e. View the domain AP database to verify the update.
Observe that the channels are now fixed for at 157 and 6 and the power is fixed at 99
for the AP with MAC address 00:1B:4F:6A:05:00.
106

June 2014

AP MAC
----------------- ------- ------- ------- ------------00:1B:4F:69:F4:20 1/IN
Auto
Auto
192.168.14.11
00:1B:4F:6A:05:00 2/IN
157
6
192.168.14.13
-------------------------------------------------------WC8180#show wireless ap radio status 00:1B:4F:6A:05:00
-------------------------------------------------------------------AP MAC
----------------- ----- --------- ------- ----- --------------- ---00:1B:4F:6A:05:00
1
On
157
99 802.11a/n
0
2
On
6
99 802.11b/g/n
100
--------------------------------------------------------------------WC8180#
3. Execute the following commands to save AP channel configuration to the domain AP

database to be propagated to all APs in the domain.
CLI reference:
WC8180#wireless domain ap ?
Domain wide AP action commands
image-update Update image for all domain APs
reset
Reset all domain APs
save-to-db
Lock the radio settings for all managed APs in this domain.
WC8180#wireless domain ap save-to-db ?
channel Save the current opearting radio channels on managed APs in this
domain.
power
Save the current operating power settings on maaged APs in this
domain.
WC8180#wireless domain ap save-to-db channel ?
<cr>
WC8180#wireless domain ap save-to-db power ?
<cr>
a. Execute the following commands to save channel and power configuration to all APs in
the domain.
Save channel configuration to all APs in the domain:
WC8180#wireless domain ap save-to-db channel
WARNING: All APs in the domain will be programmed to operate on fixed channel
and Auto-RF will not tune the channel in future.
Save power configuration to all APs in the domain:

WC8180#wireless domain ap save-to-db power
b. Verify that the configuration is propagated to all APs in the domain.

WC8180#show wireless ap radio status
------------------------------------------------------------------AP MAC
----------------- ----- --------- ------- ----- ------------ -----00:1B:4F:69:F4:20
1
On
157
99 802.11a/n
0
2
On
6
99 802.11b/g/n
100
------------------------------------------------------------------00:1B:4F:6A:05:00
1
On
157
99 802.11a/n
0
2
On
6
99 802.11b/g/n
100
-------------------------------------------------------------------
June 2014

107
WC8180#
Related Links
LED management on a domain AP

You can control the state of LEDs (on or off) on a domain AP. For example, you can turn off LEDs
on a domain AP so that people who are in the same location as the AP are not disturbed by either
blinking or on LEDs.
Setting the LED state on a domain AP to off turns off the LEDs. Setting the LED state to
Normal(On) turns them on. You can turn off the LEDs on all APs in the domain, or on a single AP.
Note:
LED management applies only to indoor APs because outdoor APs do not have LEDs.
The following sections describe configuration of the LED state on a domain AP, using the CLI.
Related Links
Configuring and verifying the LED state on a domain AP

Use this procedure to configure the LEDs state on a domain AP to be turned off or on, and verify
the configuration.
Note:
By default, the LED state on a domain AP is set to Normal(On), that is, the LED lights are
turned on.
Procedure
1. Enter the domain AP configuration mode of the AP with MAC address 58:16:26:AC:
75:60.
WC8180(config-wireless)#domain ap 58:16:26:AC:75:60
Entering domain AP (mac = 58:16:26:AC:75:60) configuration mode...
2. Turn off LEDs on the domain AP.

CLI Reference:
WC8180(config-domain-ap)#led-state ?
normal Set original operation mode (enable)
off
Turn-off all LEDs on the AP
Use the following command to turn off LEDs on the AP:

WC8180(config-domain-ap)#led-state off
WC8180(config-domain-ap)#end
3. Perform a controller configuration synchronization (config-sync) to apply changes to the

AP.
108

June 2014
Important:
In earlier releases of the WLAN 8100, configuration changes made to the domain AP
database required a manual AP reset for the changes to take effect. From release 2.1
onwards, the wireless controller config-sync operation synchronizes configuration
changes across the domain, and an AP reset is not required.
4. Verify that the LEDs are turned off on the domain AP.
WC8180#show wireless domain ap database 58:16:26:AC:75:60 detail
Sample Output:
------------------------------------------------------AP MAC
: 58:16:26:AC:75:60
Label
:
Model
: AP8120-E
Country Code
: VE
Serial Number
: 11JX192F001P
Profile ID
: 13
LED-State
: off
Location
Campus
:
Building
:
Floor
:
Sector
:
Radio 1
Channel
: 36
Power
: 60
External Antenna : WL81AT070E6
Extension Cable
: 3-ft
Assoc-zone
: Auto
Roam-zone
: Auto
Admin-Enable
: True
Radio 2
Channel
: 11
Power
: 60
Extension Cable
: 3-ft
Assoc-zone
: Auto
Roam-zone
: Auto
Admin-Enable
: True
5. Verify the AP status in detail.

The AP LED status is set to LED-OFF.
WC8180#show wireless ap status 58:16:26:AC:75:60 detail
Sample Output:
--------------------------------------------------------------AP (MAC=58:16:26:AC:75:60)
IP Address
: 172.16.8.13
Status
: Managed
WC Assignment-Method
: Least-Load
AP Label
:
Hardware Type
: Avaya AP8120-E
June 2014

109
Software Version
: 2.1.0.088
Serial Number
: 11JX192F001P
Location
:
Country Code
: VE
Band Plan
: APL1
Locale
: VE/0
Age (since last update)
: 0d:00:00:01
System Up Time
: 0d:19:14:07
Discovery Reason
: Controller IP via DHCP
Managing Controller
: Local Controller
WC System IP Address
: 192.168.11.4
WC Managed Time
: 0d:01:01:09
Profile Id
: 13
Profile Name
: VE
Configuration Apply Status
: Success
: 0
Configuration Failure Error
:
Reset status
: Not Started
Code Download Status
: Not Started
Image Upgrade Needed
: No
Ap Techdump Status
: Not Started
Hardware Version
: R01
AP port speed and duplex mode
: FullDuplex1000
AP LED Status
: LED-OFF
--------------------------------------------------------------
6. Configure the LED-State to normal, to turn on the LEDs.

WC8180(config-domain-ap)#led-state normal
WC8180(config-domain-ap)#end
7. Perform a configuration synchronization to apply changes to the AP.

8. Verify that the LED-State on the AP is set to Normal(on).

WC8180#show wireless domain ap database 58:16:26:AC:75:60 detail
Sample Output:
------------------------------------------------------AP MAC
: 58:16:26:AC:75:60
Label
:
Model
: AP8120-E
Country Code
: VE
Serial Number
: 11JX192F001P
Profile ID
: 13
LED-State
: Normal(On)
Location
Campus
:
Building
:
Floor
:
Sector
:
Radio 1
Channel
: 36
Power
: 60
Extension Cable
: 3-ft
Assoc-zone
: Auto
Roam-zone
: Auto
Admin-Enable
: True
Radio 2
Channel
: 11
110

June 2014
Power
: 60
Extension Cable
: 3-ft
Assoc-zone
: Auto
Roam-zone
: Auto
Admin-Enable
: True
9. Verify AP status in detail.

The AP LED Status set to LED-ON.
WC8180#show wireless ap status 58:16:26:AC:75:60 detail
Sample Output:
--------------------------------------------------------------AP (MAC=58:16:26:AC:75:60)
IP Address
: 172.16.8.13
Status
: Managed
WC Assignment-Method
: Least-Load
AP Label
:
Hardware Type
: Avaya AP8120-E
Software Version
: 2.1.0.088
Serial Number
: 11JX192F001P
Location
:
Country Code
: VE
Band Plan
: APL1
Locale
: VE/0
Age (since last update)
: 0d:00:00:01
System Up Time
: 0d:19:14:07
Discovery Reason
: Controller IP via DHCP
Managing Controller
: Local Controller
WC System IP Address
: 192.168.11.4
WC Managed Time
: 0d:01:01:09
Profile Id
: 13
Profile Name
: VE
Configuration Apply Status
: Success
: 0
Configuration Failure Error
:
Reset status
: Not Started
Code Download Status
: Not Started
Image Upgrade Needed
: No
Ap Techdump Status
: Not Started
Hardware Version
: R01
AP port speed and duplex mode
: FullDuplex1000
AP LED Status
: LED-ON
--------------------------------------------------------------
Related Links
Wireless security WIDS-WIPS configuration and management

Wireless intrusion detection (WIDS) supports detection of rogue clients and AP(s) in the wireless
network based on a configurable set of detection criterion. Wireless intrusion prevention (WIPS)
takes proactive action to mitigate the threat posed by rogue devices. The WIDS/WIPS policy
June 2014

111
specifies the configuration elements for the WIDS/WIPS feature. This includes the rogue
classification criterion, known AP database and rogue AP database.
Related Links
Configuring profiles to aid AP/client threat detection and mitigation on page 112
Configuring WIDS-WIPS on page 113
Verifying configuration of WIDS-WIPS on page 119
Configuring profiles to aid AP/client threat detection and mitigation

The following section describes sample configuration of Radio Profiles and their mapping with AP
profiles, so that when the AP profile is mapped to an AP, threat detection and mitigation for APs and
clients can be achieved.
Procedure
1. Use the following example commands to create radio profiles.
The following examples use the country code as US when creating the radio profiles.
Create an Access a-n radio profile.
#radio-profile 3 country-code US access-wids a-n
profile-name access-an
exit
Create an Access bg-n radio profile.

#radio-profile 4 country-code US access-wids bg-n
profile-name access-bgn
exit
Create a WIDS 5 GHz radio profile.

#radio-profile 5 country-code US wids-wips 5
profile-name wips-5
exit
Create a WIDS 2.4 GHz radio profile.

#radio-profile 6 country-code US wids-wips 2.4
profile-name wips-24
exit
Create a WIDS both radio profile.

#radio-profile 7 country-code US wids-wips both
profile-name wips-both
exit
2. In the following configuration, the AP exclusively performs Access-WIDS functionality and

provide data services for clients in both the 5GHz and the 2.4GHz bands. In this
configuration, one radio is configured to provide data service for clients and WIDS in the
5GHz band (e.g., 802.11n and 802.11a). The other radio is configured to provide data
service for clients and WIDS in the 2.4GHz band (e.g., 802.11n and 802.11b/g). Each radio
shares its time between providing data services for clients and performing the WIDS
functionality.
112

June 2014
Use the following sample sequence of commands to create an AP Profile in the Accesswids mode. This AP profile when applied to an AP serves wireless clients and detects
rogues.
ap-profile 2 country-code US
profile-name access-abgn
radio 1 enable
radio 2 enable
radio 1 profile-id 3
exit
3. In the following configuration, the AP exclusively performs WIDS/WIPS functionality and

provides no service to clients. Here one radio is configured to provide WIDS/WIPS
functionality for the 5GHz band (e.g., 802.11n and 802.11a) and the other is configured to
provide WIDS/WIPS functionality for the 2.4GHz band (e.g., 802.11n and 802.11b/g). The
two radios work simultaneously, which makes this an optimal WIDS/WIPS configuration.
Use the following sample sequence of commands to create an AP Profile in Wids-Wips
mode. This AP profile when applied to an AP does not serve wireless clients but detects and
mitigates rogues.
profile-name wids-2-5
radio 1 enable
radio 2 enable
exit
4. In the following configuration, one of the radios is configured to provide data service for
clients in either the 5GHz band (e.g., 802.11n and 802.11a) or the 2.4GHz band (e.g.,
802.11n and 802.11b/g) and the other dual band radio exclusively performs the WIDS/WIPS
functionality. The advantage of this mode is that the WIDS/WIPS functionality is not slowed
down by data services, because it runs on its own radio.
Use the following sample sequence of commands to create an AP Profile in the Mixed
Mode. This AP profile when applied to an AP serves clients and also detects and mitigates
rogues.
profile-name mixed
radio 1 enable
radio 2 enable
exit
Related Links
Configuring WIDS-WIPS
CLI Reference:
WCP8180(config-security)#wids ?
Configure Wireless Intrusion Detection
ageout
Configure WIDS ageout timers
known-ap
Create/Modify an AP known to WIDS.
June 2014

113
rogue-ap
rogue-client
Change rogue AP parameters

Change rogue client parameters
WCP8180(config-security)#wips ?
Configure Wireless Intrusion Protection
mitigation Configure Threat Mitigation
Use the following commands to configure WIDS WIPS.
Before you begin

To execute the following commands, you must be in one of the following CLI configuration modes.
Wireless security configuration mode:
WC8180#conf t
WC8180(config)wireless#
WC8180#(config-wireless)#security
WC8180#(config-security)#
Wireless radio profile configuration mode:

WC8180#conf t
WC8180(config)wireless#
WC8180#(config-wireless)#radio-profile <radio-profile number>
For example:
WC8180(config-radio-profile)#
Procedure
1. Enable detection of Rogue AP threats.
Use one of the following command options to enable detection of specific Rogue AP threats.
WCP8180(config-security)#wids rogue-ap threat ?
fake-ap-on-invalid-channel
Fake AP operating on illegal channel
illegal-channel
AP operating on illegal channel
invalid-ssid-from-managed-ap
Managed AP using invalid SSID
known-standalone-ap-cfgerr
Standalone AP with unexpected
configuration
managed-ssid-rcvd-from-fake-ap
Fake AP detected with managed SSID
managed-ssid-rcvd-from-unknown-ap
Unknown AP using managed SSID
managed-ssid-with-invalid-security AP using invalid security on managed SSID
no-ssid-rcvd-from-ap
AP with no SSID
unexpected-wids-device
Unexpected WDS device
unmanaged-ap-on-wired-net
Unmanaged AP detected on wired network
Use the following command to disable detection of a specific rogue AP threat. For example,
the following command disables the detection of the illegal-channel rogue AP threat.
WCP8180(config-security)#no wids rogue-ap threat illegal-channel
Use the following command to disable detection of all rogue AP threats.

WCP8180(config-security)#no wids rogue-ap threat
114

June 2014
Use the following command to set the default for a specific rogue AP threat. Detection of a
threat is enabled by default.
For example, the following command sets the default for the illegal-channel threat,
which is to enable its detection.
WCP8180(config-security)#default wids rogue-ap threat illegal-channel
To set the defaults for all threats, enter:

WCP8180(config-security)#default wids rogue-ap threat
2. Enable detection of Rogue Client threats.

Use one of the following command options to enable detection of specific client threats.
WCP8180(config-security)# wids rogue-client threat ?
assoc-unknown-ap Enable known client associating to unknown AP test
auth-failure
Configure authentication failure test
auth-req-rate
Configure authenticaion request rate test
deauth-req-rate
Configure deauthentication request rate test
not-in-db
Enable client check in known database test
probe-req-rate
Configure probe request rate test
<cr>
Use the following commands to configure options within the auth-failure threat.
WCP8180(config-security)# wids rogue-client threat auth-failure ?
threshold Set authentication failure threshold
<cr>
Use the following commands to configure options within the auth-req-rate threat.
WCP8180(config-security)# wids rogue-client threat auth-req-rate ?
interval
Set interval for calculating rate
threshold Set threshold for calculating rate
<cr>
Use the following commands to configure options within the deauth-req-rate threat.
WCP8180(config-security)# wids rogue-client threat deauth-req-rate ?
interval
<cr>
Use the following commands to configure options within the probe-req-rate threat.
WCP8180(config-security)# wids rogue-client threat probe-req-rate ?
interval
<cr>
Use the following command to disable detection of a specific client threat, for example the
assoc-unknown-ap threat.
WCP8180(config-security)#no wids client threat assoc-unknown-ap
Use the following command to disable detection of all client threats.

WCP8180(config-security)#no wids client threat
Use the following command to set the default for a specific client threat. Detection of a threat
is enabled by default.
June 2014

115
For example, the following command sets the default for the auth-req-rate threat, which
is to enable its detection.
WCP8180(config-security)#default wids client threat auth-req-rate
To set the defaults for all threats, enter:

WCP8180(config-security)#default wids client threat
3. Use the following commands to enable WIPS mitigation.

WCP8180(config-security)#wips mitigation ?
ap-threat
Enable AP Threat Mitigation
client-threat Enable Client Threat Mitigation
Use one of the following commands to set the defaults for AP/client threat mitigation.
WCP8180(config-security)#default wips mitigation
WCP8180(config-security)#default wips mitigation ap-threat
WCP8180(config-security)#default wips mitigation client-threat
Use the following commands to disable WIPS mitigation.

WCP8180(config-security)#no wips mitigation ap-threat
WCP8180(config-security)#no wips mitigation client-threat
4. Use the following commands to configure Known APs.

An AP that is not managed by the WLAN switch, but is a known AP that is not a threat, can
be configured as a Known AP (by adding the AP to the Known AP table). That way during
an AP scan, Known APs can clearly be distinguished from Rogue APs.
In the following example, 00:88:87:99:77:66 is the MAC address of a Known AP.
WCP8180(config-security)#wids known-ap 00:88:87:99:77:66 ?
channel
Set the expected channel number
security
Set the expected security mode
ssid
Set the expected SSID
type
Set the type of the known AP
wds-mode
Set the expected WDS mode
wired-mode Set the expected wired network mode
Use the following command to configure the channel.

WCP8180(config-security)#wids known-ap 00:88:99:66:66:88 channel ?
<0-216> expected channel number, 0 for any channel
Use the following command options to configure security options

WCP8180(config-security)#wids known-ap 00:88:99:66:66:88 security ?
any
All security modes -- open, WEP, WPA/WPA2
open Open security
wep
WEP mode
wpa
WPA/WPA2 mode
Use the following command to configure an SSID.

Note:
When you configure an SSID for a network profile, ensure that it is unique across the
network. SSIDs can have a maximum of 32 characters.
116

June 2014
Also, ensure that you do not configure SSIDs that have similar characters but are
different only in their case. For example do not configure SSIDs avaya-demo and
AVAYA-DEMO within the same network.
WCP8180(config-security)#wids known-ap 00:88:99:66:66:88 ssid ?
WORD an alphanumeric string, 1-32 chars
Use the following command options to configure the Known AP type.

WCP8180(config-security)#wids known-ap 00:88:99:66:66:88 type ?
known-foreign
The AP is known from outside
local-enterprise The AP is in local database
other
Others...
Use the following command options to configure the WDS mode for a known AP.
WCP8180(config-security)#wids known-ap 00:88:99:66:66:88 wds-mode ?
any
Operation as a bridge or in normal mode
bridge Operation as a bridge only
normal Operation in normal mode only
Use the following command options to configure the Wired mode for a known AP.
WCP8180(config-security)#wids known-ap 00:88:99:66:66:88 wired-mode ?
allowed
AP is allowed to be on the wired network
not-allowed AP is not allowed on the wired network
5. Use the following command options to configure Ageout.

WCP8180(config-security)#wids
adhoc-clients
Configure
ap-failure
Configure
detected-clients Configure
rf-scan
Configure
ageout
ageout
ageout
ageout
ageout
?
for
for
for
for
ad hoc network status

AP failure status
detected clients status
RF scan status
Use one of the following commands to configure individual Ageout times.

The default for the adhoc-clients, ap-failure and rf-scan ageout time is 1440
minutes. The default for the detected-clients ageout time is 300 minutes.
WCP8180(config-security)#wids ageout adhoc-clients ?
<0-10080> Time in minutes
WCP8180(config-security)#wids ageout ap-failure ?
WCP8180(config-security)#wids ageout detected-clients ?
WCP8180(config-security)#wids ageout rf-scan ?
6. Configure the Rogue AP detection interval.

WCP8180(config-security)#wids rogue-ap trap-interval ?
<60-3600> Interval in seconds
Use the following command to set the default interval.

WCP8180(config-security)#default wids rogue-ap trap-interval
7. Configure the Rogue client detection interval.

WCP8180(config-security)# wids rogue-client trap-interval ?
June 2014

117

WCP8180(config-security)#default wids rogue-client trap-interval
8. Configure the wired detection interval of a rogue AP.

WCP8180(config-security)#wids rogue-ap wired-detection-interval ?

WCP8180(config-security)#default wids rogue-ap wired-detection-interval
9. Acknowledge Rogue clients/Rogue APs.

Acknowledge a specific Rogue AP (by specifying its MAC address) or all Rogue APs.
WCP8180(config-security)#wids rogue-ap ack ?
all
All rogue APs
H.H.H MAC Address of specific rogue AP
Acknowledge a specific Rogue client (by specifying its MAC address) or all Rogue Clients.
WCP8180(config-security)#wids rogue-client ack ?
all
All rogue clients
H.H.H MAC Address of specific rogue client
10. Enable RF Scan options.

The WIDS/WIPS functionality is driven by a process called RF Scan where APs with radios
configured for WIDS/WIPS or just the WIDS functionality, scan radio bands/channels to
collect information about neighboring APs and detected clients in those bands/channels.
They then send this information to their managed WLAN switches over UDP.
Use the following commands to enable RF Scan options for a radio profile. You must be in
the radio profile configuration mode of the CLI.
Use the following commands to configure RF-Scan.
WCP8180(config-radio-profile)#rf-scan ?
band
Set RF scan band (for wids-wips profile only)
duration
Set RF scan duration
scan-other-channel
Enable other channel scan
scan-other-channel-interval Set other channel scan interval
Use the following command options to configure RF-Scan band.

WCP8180(config-radio-profile)#rf-scan band ?
2.4GHz Scan 2.4 GHz band
5GHz
Scan 5 GHz band
both
Scan both 2.4 and 5 GHz bands
Use the following commands to configure RF-scan duration.

WCP8180(config-radio-profile)#rf-scan duration ?
<10-2000> Set scan duration (in milliseconds)
Use the following commands to enable other channel scan and set the scan interval in a
radio profile.
WCP8180(config-radio-profile)#scan-other-channel
WCP8180(config-radio-profile)#scan-other-channel-interval
118

June 2014
Note:
To disable a scan option, prefix the command with no.
Related Links
Verifying configuration of WIDS-WIPS

Use the following commands to verify WIDS-WIPS configuration.
Procedure
1. Verify RF scan configuration using the following command.
Show wireless security wids-wips rf-scan
Sample output:
WCP8180#show wireless security wids-wips rf-scan
Domain Role
Total Rogue APs
Total Unknown APs
Detected AP MAC
----------------00:02:6F:14:30:10
00:02:6F:BD:94:70
00:02:6F:BD:94:B0
00:02:6F:BD:95:20
:Active MDC
:6
:93
SSID
---------------CP-User-OAP
Dinesh-OAP-Test
user-db-test.17
test123
Ch
--1
11
8
11
Status
------Unknown
Unknown
Unknown
Unknown
Mitigation
---------NotRogue
NotRogue
NotRogue
NotRogue
LastSeen
-----------0d:22:48:33
0d:00:00:29
0d:00:01:48
0d:00:00:29
2. Verify detected client configuration using the following command.

Show wireless security wids-wips detected-client
Sample output:
WCP8180#show wireless security wids-wips detected-clients
Domain Role
Total Rogue Clients
Total Detected Clients
Detected
Client MAC
----------------00:0F:CB:FB:55:2C
00:14:D1:79:AB:A4
00:17:C4:08:AC:86
00:17:C4:08:F0:45
:Active MDC
:0
:116
Client
Status
------------detected
detected
detected
detected
Det
--Y
Y
Y
Y
Mit
--N
N
N
N
Ch
--2
2
2
2
RSSI
(%)
---63
57
18
18
Sig
----46
-50
-78
-78
Last
Update
-----------0d:00:00:02
0d:00:00:02
0d:00:00:02
0d:00:00:02
3. Verify Known AP configuration using the following command.

Show wireless security wids-wips known-ap
Sample output:
WCP8180#show wireless security wids-wips known-ap
Total number of known APs = 2
-----------------------------------------------------------------Expected Expected Expected
June 2014

119
AP MAC
AP Type
Channel
Security SSID
----------------- --------------- -------- -------- ---------00:13:13:13:13:13 LocalEnterprise
Auto
Any
00:88:87:99:77:66 LocalEnterprise
Auto
Any
------------------------------------------------------------------
4. Verify configuration for the detection of Rogue APs and Rogue clients using the following
commands.
Show wireless security wids-wips rogue-ap-control
Sample Output:
WCP8180#show wireless security wids-wips rogue-ap-controls
Rogue detected trap interval:
Wired network detection interval:
180 seconds
60 seconds
Rogue
-----------------------------------------------------------Administrator configured rogue AP
Managed SSID received from an unknown AP
Managed SSID received from a fake managed AP
Beacon received from an AP without SSID
Beacon received from a fake managed AP on an invalid channel
Managed SSID detected with incorrect security configuration
Invalid SSID received from a managed AP
AP is operating on an illegal channel
Known Standalone AP is incorrectly configured
AP is operating as a WDS device
Unmanaged AP detected on wired network
State
------Enabled
Enabled
Enabled
Enabled
Enabled
Enabled
Enabled
Enabled
Enabled
Enabled
Enabled
Show wireless security wids-wips rogue-ap-classification
Sample Output:
WCP8180#show wireless security wids-wips rogue-ap-classification
Domain Role
Total Rogue APs
Total Unknown APs
:Active MDC
:6
:93
AP Rogue Classification Description

Test ID 1 Administrator configured rogue AP
Test ID 2 Managed SSID received from an unknown AP
Test ID 3 Managed SSID received from a fake managed AP
Test ID 4 Beacon received from an AP without SSID
Test ID 5 Beacon received from a fake managed AP on an invalid channel
Test ID 6 Managed SSID detected with incorrect security configuration
Test ID 7 Invalid SSID received from a managed AP
Test ID 8 AP is operating on an illegal channel
Test ID 9 Known Standalone AP is incorrectly configured
Test ID 10 AP is operating as a WDS device
Test ID 11 Unmanaged AP detected on wired network
---------------------------------------------------------------------------AP MAC: 00:1B:4F:6A:59:B0
Test
ID
---1
2
3
4
120
Reporting AP MAC
----------------00:00:00:00:00:00
5C:E2:86:0F:51:40
00:00:00:00:00:00
00:00:00:00:00:00
Radio
----0
2
0
0
Cond
Detect
-----False
True
False
False
Test
Config
------Disable
Enable
Enable
Enable
Test
Time Since
Result 1st Report
------ -----------0d:00:00:00
Rogue 1:02:56:12
0d:00:00:00
0d:00:00:00

Time Since
Last Report
-----------0d:00:00:00
0d:00:00:08
0d:00:00:00
0d:00:00:00
June 2014
5
00:00:00:00:00:00 0
False Enable
0d:00:00:00 0d:00:00:00
6
00:00:00:00:00:00 0
False Enable
0d:00:00:00 0d:00:00:00
7
00:00:00:00:00:00 0
False Enable
0d:00:00:00 0d:00:00:00
8
00:00:00:00:00:00 0
False Enable
0d:00:00:00 0d:00:00:00
9
00:00:00:00:00:00 0
False Disable
0d:00:00:00 0d:00:00:00
10
00:00:00:00:00:00 0
False Enable
0d:00:00:00 0d:00:00:00
11
00:00:00:00:00:00 0
False Enable
0d:00:00:00 0d:00:00:00
---------------------------------------------------------------------------Show wireless security wids-wips rogue-client-control
Sample Output:
WCP8180#show wireless security wids-wips rogue-client-controls
Rogue detected trap interval:
Known client database radius profile:
300
Rogue
---------------------------------------Client is not in known DB
Authenication request exceeded
Probe request exceeded
DeAuthenication request exceeded
Authenication failure exceeded
Client is authenicated with unknown AP
State
---------Disabled
Enabled
Enabled
Enabled
Enabled
Disabled
Threshold Threshold
Interval
Value
---------- ---------60
60
60
10
120
10
5
Show wireless security wids-wips rogue-client-classification
5. Verify threat mitigation configuration using the following command.

Show wireless security wids-wips mitigation
Sample Output:
WCP8180#show wireless security wids-wips mitigation
ap-threat-mitigation:
client-threat-mitigation:
enabled
disabled
6. Verify AP deauthentication attacks using the following command.

Show wireless security wids-wips ap-deauth-attacks
Sample Output:
WCP8180#show wireless security wids-wips ap-deauth-attacks
Target BSSID
----------------5C:E2:86:0F:F7:70
70:38:EE:89:C4:10
5C:E2:86:0F:F2:10
70:38:EE:89:C3:F0
00:1B:4F:6A:59:B0
00:1B:4F:6A:64:F0
Channel
---------3
11
10
11
11
6
Classify Since
-------------------2:02:57:19
1:18:33:49
1:18:33:19
1:18:27:48
1:03:01:11
0d:22:57:41
Last RFScan
-----------0d:00:00:00
0d:00:09:37
0d:00:00:07
0d:00:00:07
0d:00:00:07
0d:22:57:41
7. Verify Ageout configuration using the following command.

Show wireless security wids-wips ageout
Sample Output:
WCP8180#show wireless security wids-wips ageout
adhoc-clients
June 2014
:1440 minutes

121
ap-failure
detected-client
rf-scan
:1440 minutes
:300 minutes
:1440 minutes
Related Links
Configuring a MAC filter blacklist

Use this procedure to configure a MAC filter blacklist.
In prior releases of the WLAN 8100, to filter out a client MAC, you would need to add it the Blacklist
database and enable MAC validation on the network profile. This also required all valid clients to be
added to the Whitelist database. From release 2.1 onwards, you can blacklist a client MAC
independent of a Whitelist or RADIUS based MAC validation, by configuring the client in a MAC filter
blacklist.
Procedure
1. Enter wireless security configuration mode of the CLI.
WCP8180#conf t
WCP8180(config-wireless)#security
WCP8180(config-security)#
End with CNTL/Z.
2. Enable blacklist MAC filtering for your network.

WCP8180(config-security)#mac-filter-blacklist
Verify that blacklist MAC filtering is enabled.

WCP8180(config-security)#show wireless security mac-filter-blacklist
mac-filter-blacklist: Enable
3. Configure a local list of blacklisted devices for your network.

CLI reference:
WC8180(config-security)#mac-db blacklist ?
H.H.H MAC address of the blacklisted user
In this example you blacklist a client with MAC address AC:81:BB:BB:11:11.

WC8180(config-security)#mac-db blacklist AC:81:BB:BB:11:11
Optionally add a name to the blacklisted client. Enter a string with a maximum length of 32
characters.
Note:
Ensure that the name is unique across the network.
Ensure also that you do not configure names that have similar characters or letters but
are different only in their case.
WC8180(config-security)#mac-db blacklist AC:81:BB:BB:11:11 Blacklist1
122

June 2014
Verify blacklist configuration:

WCP8180(config-security)#show wireless security mac-db blacklist
Total blacklisted users: 1
MAC Address
User Name
----------------- -------------------------------AC:81:BB:BB:11:11 Blacklist1
Related Links
Wireless Security Client MAC validation

The WLAN 8100 provides the capability to validate client devices in a wireless network using the
MAC address of the client.
Validation of client devices using their MAC addresses is achieved in of the following ways:
Using blacklists and whitelists:
The WLAN 8100 maintains two locally configured databases; the white list and the black list. If
the client MAC is configured in the white list, the system grants access to the client. If the MAC
address is configured on the black list or not configured in either list, access is denied.
Validating against a remote RADIUS server:
For improved scalability, client MAC authentication against a RADIUS server is now supported.
In this method of authentication, the MAC address of a mobile client device is verified against a
remote database interfaced by a RADIUS server.
This mode of authentication is useful in the validation of wireless devices that do not support
the 802.1X or the WPA authentication methods. It is also useful in enterprise networks that
support the Bring Your Own Device (BYOD) policy, personally-owned devices, IT-issued
devices and guests.
For more information, see the Feature Overview for Avaya WLAN 8100, NN47251-102.
Related Links
Configuring the client MAC validation mode in a network profile on page 123
Configuring and verifying blacklists and whitelists on page 125
Validating client MAC addresses against a RADIUS server on page 126
Configuring the client MAC validation mode in a network profile

Use this procedure to configure the client MAC validation mode (the mode of client authentication
using client MAC addresses) in a network profile.
The supported client MAC validation modes are:
validation against a local whitelist
June 2014

123
validation against a remote RADIUS server
Procedure
WCP8180#conf t
End with CNTL/Z.
2. Configure the MAC validation mode on the network profile.

WC8180(config-network-profile)#mac-validation mode ?
local-whitelist Set mac-validation to local-whitelist.
radius
Set mac-validation mode to radius.
Note:
The command WCP8180(config-network-profile)#mac-validation <enter>
is not supported in the current release.
Instead, use the command WCP8180(config-network-profile)#macvalidation mode {local-whitelist|radius} to configure the MAC validation
mode in a network profile.
The following example uses a sample network profile with profile Id 2.
3. Verify the MAC validation mode on the network profile.
In the following example, the MAC validation mode is local-whitelist.
WC8180(config-wireless)#show wireless network-profile 2 detail
Name
: Default
SSID
: Guest-Network
Hide SSID
: No
Mobility Vlan Name
: default-MVLAN
Probe Response
: Enabled
Captive Portal Mode
: Disabled
User Validation
: open
: 0
Local User Group
: Default
:
:
: Disabled
Security Mode
: open
MAC Validation
: Enabled
MAC Validation mode
: Local-Whitelist
: Disabled
Radius offload
: Disabled
: Disabled
Gateway MAC address
: 00:00:00:00:00:00
4. (Optional) Use the following commands to disable MAC validation on a network profile.
Entering network-profile (id = 2) ...
WCP8180(config-network-profile)#no mac-validation
124

June 2014
5. (Optional) Use the following commands to set the default client MAC validation mode, which
is local-whitelist.
WC8180(config-network-profile)#default mac-validation ?
mode Set mac-validation mode to default value local-whitelist
<cr>
Related Links
Configuring and verifying blacklists and whitelists

Use the following procedure to configure, and verify the configuration of blacklists and whitelists for
MAC validation of client devices in a network.
Before you begin

Ensure that the MAC validation mode on the network-profile is local-whitelist. For more
information on configuring the MAC validation mode, see Configuring MAC validation in a
network profile on page 123.
Procedure
WCP8180#conf t
End with CNTL/Z.
2. Verify that the MAC validation mode on the network profile is local-whitelist.
WC8180(config-wireless)#show wireless network-profile detail
Name
: Default
SSID
: Guest-Network
Hide SSID
: No
Mobility Vlan Name
: default-MVLAN
Probe Response
: Enabled
Captive Portal Mode
: Disabled
User Validation
: open
: 0
Local User Group
: Default
:
:
: Disabled
Security Mode
: open
MAC Validation
: Enabled
MAC Validation mode
: local-whitelist
: Disabled
Radius offload
: Disabled
: Disabled
Gateway MAC address
: 00:00:00:00:00:00
June 2014

125
(Optional) If the MAC validation mode is not set to local-whitelist, use these
commands to set the MAC validation mode to local-whitelist.
a. Update the MAC validation mode on the network profile..
WCP8180(config-network-profile)#mac-validation mode local-whitelist
b. Verify the MAC validation mode using the following command:

3. Use the following commands to configure blacklist and whitelist devices for your network.
Configure blacklist devices using the following command:
WCP8180(config-security)#mac-db blacklist ?
H.H.H MAC address of the blacklisted user
Configure whitelist devices using the following command:

Important:
To enable a client to access the wireless network, you must manually add the client
MAC address to the whitelist table. Whitelisted clients are displayed as known in
detected client table.
WCP8180(config-security)#mac-db whitelist ?
H.H.H MAC address of the whitelisted user
Verify blacklist and whitelist configuration:

WCP8180#show wireless security mac-db ?
Show black and white listed users
blacklist Display Blacklisted users
whitelist Display whitelisted users
Validating client MAC addresses against a RADIUS server

Use this procedure to configure a network profile to validate client MAC addresses against a
RADIUS server.
The following configuration requirements must be satisfied for this mode of authentication:
The RADIUS server is properly configured and is enabled to support the PAP protocol.
Appropriate RADIUS profiles are configured on the network to associate with the network
profile.
The MAC addresses of wireless client devices (to be validated against the RADIUS server), are
configured on the RADIUS server.
When a wireless client device is not configured on the RADIUS server, MAC validation for that
device fails, and the client is blacklisted for a configurable timeout period known as the knownclient-ageout.
Another attempt to validate a blacklisted client is made only after the timeout period elapses. If
the client device MAC address is added to the RADIUS server, MAC validation succeeds and
126

June 2014
the client device is granted wireless network access. Otherwise, the client device continues to
be blacklisted.
For more information on configuring the known-client-ageout, see Configuring the knownclient-ageout for MAC validation against a RADIUS server on page 129.
Before you begin

Ensure that the MAC validation mode on the network-profile is radius. For more information
on configuring the MAC validation mode, see Configuring MAC validation in a network
profile on page 123.
Configure a RADIUS authentication profile to associate with the network profile. Radius profiles
are associated with Radius servers for authentication of wireless clients.
Use the following command to configure a RADIUS authentication profile:
WCP8180(config-security)#radius profile rad-srvr-profile type auth
where rad-srvr-profile is the profile name.

Verify RADIUS profile creation using the following command:
WCP8180#show wireless security radius profile
Configure RADIUS server(s) using the following command, and associate it with a RADIUS
profile. RADIUS servers manage authentication of users and devices connected to the wireless
network.
In the following example, you configure a RADIUS server with IP address 10.1.1.104 and
associate it with the RADIUS profile rad-srvr-profile.
WC8180(config-security)#radius server 10.1.1.104 rad-srvr-profile secret
Enter server secret: ********
Verify server secret: ********
Verify the status of controller communication with the RADIUS server is Up by using the
following command:
WCP8180#show wireless security radius server
Total radius servers: 1
Server IP
Radius Profile
Port# Priority Status
--------------- ----------------------- ----- -------- ------10.1.1.20
rad-srvr-profile
1812 1
Up
Procedure
WCP8180#conf t
End with CNTL/Z.
2. Verify that the MAC validation mode on the network profile is radius.
Name
: Default
SSID
: Guest-Network
June 2014

127
Hide SSID
Mobility Vlan Name
Probe Response
Captive Portal Mode
User Validation
Local User Group
Security Mode
MAC Validation
MAC Validation mode
Radius offload
Gateway MAC address
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
No
default-MVLAN
Enabled
Disabled
open
0
Default
Disabled
open
Enabled
radius
Disabled
Disabled
Disabled
00:00:00:00:00:00
(Optional) If the MAC validation mode is not set to radius, use these commands to set the
MAC validation mode to radius.
a. Update the MAC validation mode on the network profile.
WCP8180(config-network-profile)#mac-validation mode radius
b. Verify the MAC validation mode using the following command:

3. Associate the network profile with the RADIUS authentication profile.

CLI reference:
WC8180(config-network-profile)#radius ?
accounting
Enable RADIUS accouting function
accounting-profile
Configure accounting radius profile
authentication-profile Configure authentication RADIUS profile
offload
Enable radius offloading
WC8180(config-network-profile)#radius authentication-profile rad-srvr-profile
4. Verify network profile configuration.

WC8180(config-wireless)#show wireless network-profile 2 detail
Name
: Default
SSID
: Guest-Network
.......
: rad-srvr-profile
.......
Security Mode
: open
MAC Validation
: Enabled
MAC Validation mode
: radius
.......
Related Links
Configuring the known-client-ageout for MAC validation against a RADIUS server on page 129
Configuring a trap for authentication failure on page 129
128

June 2014
Configuring the known-client-ageout for MAC validation against a RADIUS server

When the MAC address of a wireless client is not configured on the validating RADIUS server, MAC
validation for that device against the validating RADIUS server fails and the wireless client is
blacklisted for a configurable timeout period known as the known-client-ageout.
The known-client-ageout determines the time period in minutes for which a client device is
blacklisted. If after the timeout elapses, the client device MAC is configured on the RADIUS server,
MAC validation succeeds and the client device is granted wireless access.
Procedure
1. Enter wireless security configuration mode of the ACLI.
WC8180#conf t
2. Configure the known-client-ageout for example, for 30 minutes.

WC8180(config-security)#radius known-client-ageout 30
Note:
The default value is 30 minutes and the range is 1 to 65535 minutes.
3. View the known-client-ageout configuration.
WC8180(config-security)#show wireless security radius
Radius server timeout: 2 (sec.)
Radius server retries: 3
Radius known client db ageout: 30 (min.)
Related Links
Configuring a trap for authentication failure

Use the following procedure to configure a trap for authentication failure.
This trap is useful to detect the problem when MAC validation against a RADIUS server fails.
Procedure
1. Enter the configuration mode of the ACLI.
WC8180#conf t
WCP8180(config)#
2. Enable the authentication-failure trap.

WC8180(config)#snmp-server notification-control avWlanClientAuthenticationFail
Note:
To view a complete list of snmp-server notification types and their status, execute the
command show snmp-server notification-control.
June 2014

129
3. Verify the trap notification message using the following command:

WC8180(config)#show logging wireless-controller volatile
Related Links
Load Balancing of APs and WSPs

You perform load balancing of Access Points (APs) and Wireless Switching Points (WSPs) in a
mobility domain to allow even distribution of traffic load to achieve greater throughput per device and
better traffic localization. Load Balancing of WSPs are only applicable to Unified Access
deployments.
For more information on AP and WSP load balancing, see Feature Overview for Avaya WLAN 8100,
NN47251-102.
The following sections describe the mechanisms of load balancing for APs and WSPs.
Note:
Access Point (AP) load balancing can take up to 5 minutes to complete. It is also dependent on
your network topology.
Manual
Manual load balancing provides the greatest administrative control and always overrides any other
load balancing mechanisms.
When you configure an AP or a WSP in the Domain AP or WSP database respectively, you also
provide a preferred and an alternate controller (WC or WCP) IP address. This is done for manual
load balancing of the AP or WSP.
When an AP or WSP joins the domain, it is assigned to the preferred controller if available and not
loaded to its maximum capacity. If the controller is not available or is loaded to its maximum
capacity, the alternate controller is assigned to the AP or WSP. If both the preferred and alternate
controllers are loaded to their maximum capacity or are unavailable, the AP or WSP is assigned to
the controller based on the configured load balancing metric.
Automatic
If a situation arises where both the preferred and alternate controllers are loaded to their maximum
capacity or are unavailable, or manual load balancing is not configured, an automatic assignment of
the AP or WSP load to the controller is done based on the configured automatic load-balancing
metric.
The WLAN 8100 solution supports the following two load balancing metrics:
Least Load:
This method of load balancing assigns the AP or WSP to a controller that has least number of
APs/WSPs currently connected to it. Least load is always used as a fall back metric when other
metrics cannot uniquely determine a controller for an AP or WSP. This metric achieves an even
balancing of AP/WSP load across all controllers in the domain.
130

June 2014
Configure this load balancing metric when the objective of load balancing is to distribute traffic
load evenly across all controllers deployed in the domain. Note that this metric achieves only a
partial coverage redundancy since it allocates the APs or WSPs to different controllers in the
order in which the APs join the mobility domain. Full coverage redundancy can be achieved
only using manual configuration.
Location based:
This metric assigns APs or WSPs based on configured location information for APs/WSPs and
controllers. You can segment a physical environment of the enterprise into campus (C),
building (B), floor (F) and sector (S). You can then specify the location of APs or WSPs in the
mobility domain in terms of C-B-F-S parameters in the domain AP or WSP database. Each
location is an 8 byte ASCII string and the level of granularity increases from C>B>F>S.
The location specification starts from lowest granularity level. When a granularity level is not
specified, it means that the level is not included in the location specification. The location based
metric uses a best location granularity match between the AP or WSP location and WC
location for assignment of AP or WSP to WC. When multiple WCs match the AP or WSP
location, the least loaded WC is selected for assignment.
The WC location is a mobility domain configuration that must be synchronized with all domain
member WC devices using the config-sync action. AP or WSP location is configured in the
domain AP/WSP database for each AP/WSP and must also be synchronized with all domain
member WC devices.
Related Links
Configuring load balancing on page 131
Verifying configuration of load balancing on page 133
Configuring AP load balancing an example on page 135
Configuring load balancing

Use the commands in this procedure to configure load balancing for a controller, Access Point (AP)
or Wireless Switching Point (WSP).
Procedure
1. Enter the domain load balance configuration mode of the controller:
WCP8180#conf t
WCP8180(config-wireless)#domain load-balance
WCP8180(config-wireless-lb)#
CLI Reference:
WCP8180(config-wireless-lb)#?
Load Balance configuration commands
controller Controller load balance configuration commands
default
Set load-balance parameters to default
end
exit
Exit from domain load-balance configuration mode
lb-metric
Load balance metric for both AP and WSP
no
Remove AP/WSP lb metrics
June 2014

131
2. Use the following commands to create or modify the controller load-balance location
database for a specific controller (specified by the MAC address).
WCP8180(config-wireless-lb)#controller ?
H.H.H Controller MAC to create/modify the controller load-balance
location-db
WCP8180(config-wireless-lb)#controller 00:1B:4F:6A:18:E1 location ?
WCP8180(config-wireless-lb)#controller 00:1B:4F:6A:18:E1 location <campus-name> ?
WORD Enter building string (limit: 1-8 chars)
WCP8180(config-wireless-lb)#controller 00:1B:4F:6A:18:E1 location <campus-name>
<building-name> ?
WORD Enter floor string (limit: 1-8 chars)
WCP8180(config-wireless-lb)#controller 00:1B:4F:6A:18:E1 location <campus-name>
<building-name> <floor-name> ?
WORD Enter sector string (limit: 1-8 chars)
<cr>
WCP8180(config-wireless-lb)#$:44:55 location <campus-name> <building-name> <floorname> <sector-name>
3. Use the following commands to configure the load balancing metric (least-load or
location) for APs and WSPs.
Note:
Wireless Switching Point (WSP) load balancing is applicable only in Unified Access
deployments.
Choose the load balancing metric:
WCP8180(config-wireless-lb)# lb-metric ?
least-load Load balance to the least loaded device
location
Load balance to the device in the nearest location(C.B.F.S)
4. Use following commands to configure the C.B.F.S parameters for an AP or WSP for
location-based load balancing.
Note:
The Campus, building and floor parameters are mandatory but the sector name is
optional.
C.B.F.S parameter configuration for APs:
WCP8180(config-wireless)#domain ap 00:1B:4F:6A:18:E0
Entering domain AP (mac = 00:1B:4F:6A:18:E0) configuration mode...
WCP8180(config-domain-ap)#location ?
WCP8180(config-domain-ap)#location <campus-string> ?
WCP8180(config-domain-ap)#location <campus-string> <Building-string> ?
WCP8180(config-domain-ap)#location <campus-string> <Building-string> <floorstring> ?
132

June 2014

<cr>
WCP8180(config-domain-ap)#location <campus-string> <Building-string> <floorstring> <sector-string>
C.B.F.S parameter configuration for WSPs:

WCP8180(config-wireless)#domain wsp 00:13:65:4F:D0:00
Entering domain wsp (mac = 00:1B:4F:6A:18:E0) configuration mode...
WCP8180(config-domain-wsp)#location ?
WCP8180(config-domain-wsp)#location <campus-string> ?
WCP8180(config-domain-wsp)#location <campus-string> <Building-string> ?
WCP8180(config-domain-wsp)#location <campus-string> <Building-string> <floorstring> ?
<cr>
WCP8180(config-domain-wsp)#location <campus-string> <Building-string> <floorstring> <sector-string>
5. Use the following commands to set default parameters:

WCP8180(config-wireless-lb)# default ?
controller Default controller load balance configuration commands
lb-metric
Set default parameters for lb-metric
a. Use the command default controller to set the default controller load balance
configuration commands.
b. Use the command default lb-metric to set the default parameters for lbmetric.
6. Use the following command to run the Load Balancing algorithm on APs or WSPs.
WSPs apply only to Unified Access deployments.
CLI Reference:
WCP8180#wireless domain load-balance ?
ap
Run LB algorithm again to balance the AP load on WCPs and WSPs
wsp Run LB algorithm again to balance the WSP load on WCPs
Related Links
Verifying configuration of load balancing

Use the following commands to verify configuration of load balancing.
CLI Reference:
WC8180#show wireless domain load-balance ?
Display load-balancing information
action-status
Display load-balancing action-status information
ap-lb-table
Display AP load-balancing table information
controller-db
Display controller db load balancing information
June 2014

133
controller-lb-status
status
Display controller load-balancing status

Display load-balancing status
Procedure
1. Verify load balancing action status information.
WC8180#show wireless domain load-balance action-status ?
ap Display AP load-balancing action-status information
Sample output:
WC8180#show wireless domain load-balance action-status ap
Command Name
: None
Status
: Completed
Number of Active WCs in the Domain : 2
Number of Active APs in the Domain : 10
Number of APs Moved
: 2
2. Verify AP load-balancing table information.

WC8180#show wireless domain load-balance ap-lb-table
Sample output:
Load Balancing Metric: location
-----------------------------------------------------------AP MAC Address
AP IP
WC IP
WC Status
----------------- --------------- --------------- ---------00:1B:4F:6C:1B:A0 172.16.7.11
192.171.0.56
Connected
5C:E2:86:0F:51:40 172.16.7.15
192.171.0.56
Connected
00:1B:4F:69:EA:C0 172.16.7.24
192.171.0.60
Disconnected
------------------------------------------------------------
3. Verify controller DB load balancing information.

WC8180#show wireless domain load-balance controller-db
Sample output:
WC8180#show wireless domain load-balance controller-db
----------------------------------------------------Controller
Location
-------------------------------------------MAC
Campus Building Floor Sector
----------------------------------------------------00:24:B5:1F:A8:00
amr
B3
First
Right
CC:F9:54:EB:0D:00
SC
A1
third
2
---------------------------------------------------Total number of WCs in the database: 2
4. Verify controller load-balancing status.

WC8180#show wireless domain load-balance controller-lb-status
Sample output:
OL-AMDC#show wireless domain load-balance controller-lb-status
--------------------------------------------Controller Load Balance Status
--------------------------------------------Controller IP
AP
AP
AP
AP
Cap. Cnt. Assign Conn.
---------------------------------------------
134

June 2014
192.171.0.56
32
4
0
4
192.171.0.60
512
1
0
1
---------------------------------------------
5. Verify load-balancing status.

WC8180#show wireless domain load-balance status
Sample output:
Mobility Domain AP License
Mobility Domain AP License In Use
: 16
: 5
: location
Domain Load Balance Status per Method:

-------------------------------------------------------------------------Preferred Alternate LeastLoad Location Unknown
------------------------- --------- --------- --------- -------- -------APs load-balanced to WC
1
0
3
1
0
--------------------------------------------------------------------------
Related Links
Configuring AP load balancing an example

This procedure is an example to demonstrate the effect of least-load and location-based
load-balancing on the distribution of APs amongst controllers in a domain.
Use the following procedure to configure and verify load-balancing on APs. The following example
demonstrates the distribution of 4 APs amongst 2 controllers in a cluster based on the configured
load-balancing metric.
Table 3: Controller location parameters
Controller MAC address
Controller IP
address
Campus
Building
Floor
Sector
WC1
00-24-B5-1F-81-01
192.168.18.12
Avaya
LeftWing
FirstFloor Lab1
WC2
00-24-B5-1F-81-02
192.168.18.9
Avaya
LeftWing
SecondFl Lab2
oor
Table 4: AP location parameters

AP
MAC address
AP IP address
Campus
Building
Floor
Sector
AP1
00:1B:4F:6A:18:E1
172.16.2.101
Avaya
LeftWing
First
Floor
Lab1
AP2
00:1B:4F:6A:18:E2
172.16.2.102
Avaya
LeftWing
FirstFlo
or
Lab1
AP3
00:1B:4F:6A:18:E3
172.16.2.103
Avaya
LeftWing
Second
Floor
Lab2
AP4
00:1B:4F:6A:18:E4
172.16.2.104
Avaya
LeftWing
Second
Floor
Lab2
June 2014

135
Important:
When a large number of APs are rebalanced, and if after the rebalance, the assignment of APs
does not change, the configured load-balancing metric is also not changed. This ensures that
the load-balancing metric is synchronized between the AP and all controllers in the domain.
Procedure
1. Perform the following steps to load balance APs using the location metric.
a. View the current load balance status on controllers WC1 and WC2 as follows.
The load-balance status indicates that the current load-balancing metric is LeastLoad.
Also manual load balancing is not configured (preferred and alternate controllers are not
configured).
Load-balance status on WC1:
: 4096
: 4
: none

-------------------------------------------------------------------Preferred Alternate LeastLoad Location Unknown
--------------- --------- --------- --------- -------- -------APs load-balanced to WC
0
0
4
0
0
--------------------------------------------------------------------

: 4096
: 4
: none

0
0
4
0
0
--------------------------------------------------------------------
b. Configure the load balancing metric as location on both controllers (WC1 and WC2).
WC8180(config-wireless-lb)#lb-metric location
c. Configure the location (C.B.F.S) parameters for the 2 controllers WC1 and WC2 in the
domain as follows:
Enter the load-balancing configuration mode:
WC8180#conf t
WC8180(config-wireless)#domain
WC8180(config-wireless-lb)#
136
load-balance

June 2014
Configure the C.B.F.S parameters for the controllers (WC1 and WC2):
WC8180(config-wireless-lb)#controller 00-24-B5-1F-81-01 ?
location Least loaded in Campus-Buidling-Floor-Sector zone
<cr>
WC8180(config-wireless-lb)#controller 00-24-B5-1F-81-01 location Avaya
LeftWing FirstFloor Lab1
WC8180(config-wireless-lb)#controller 00-24-B5-1F-81-02 ?
location Least loaded in Campus-Buidling-Floor-Sector zone
<cr>
WC8180(config-wireless-lb)#controller 00-24-B5-1F-81-02 location Avaya
LeftWing SecondFloor Lab2
d. Configure the location (C.B.F.S) parameters of the 4 APs as follows:

Enter the domain AP configuration mode to configure the location parameters. In the
following example, we configure the CBFS parameters for all APs. Note that in this
case, the Preferred /alte controller is not configured (manual load balancing .
Configure the C.B.F.S parameters for AP1 and AP2:
WC8180(config-wireless)#domain ap 00:1B:4F:6A:18:E1
WC8180(config-domain-ap)#location Avaya LeftWing FirstFloor Lab1
WC8180(config-domain-ap)#location Avaya LeftWing FirstFloor Lab1
Configure the C.B.F.S parameters for AP3 and AP4:

WC8180(config-domain-ap)#location Avaya LeftWing SecondFloor Lab2
WC8180(config-domain-ap)#location Avaya LeftWing SecondFloor Lab2
e. Perform an AP load balance:

WC8180#wireless domain load-balance ap
f. Verify the result location-based load balancing.

View the load-balance status on WC1:
: 4096
: 4
: none

0
0
0
4
0
--------------------------------------------------------------------
g. Verify that the APs are distributed based on their location.
June 2014

137
After load-balancing, the APs that are located on the first floor are managed by the
controller on the first floor. Similarly, APs on the second floor are managed by the
controller on the second floor.
Load Balancing Metric: location
----------------------------------------------------------------AP MAC Address
AP IP
WC IP
WC Status
----------------- --------------- --------------- --------------00:1B:4F:6A:18:E1 172.16.2.101
192.168.18.12
Connected
00:1B:4F:6A:18:E2 172.16.2.102
192.168.18.12
Connected
00:1B:4F:6A:18:E3 172.16.2.103
192.168.18.9
Connected
00:1B:4F:6A:18:E4 172.16.2.104
192.168.18.9
Connected
-----------------------------------------------------------------
2. Perform the following steps to configure load balancing using the least-load metric.
Important:
Ensure that CBFS parameters are not configured on either the controller or APs.
Otherwise, the system load-balances the APs using only the location-based metric
by default, even if the load-balancing metric is configured as least-load.
a. View the current load balance status on the controllers WC1 and WC2 as follows.
The system displays the current load balancing metric as Location.
: 4096
: 4
: Location

4
0
0
4
0
--------------------------------------------------------------------

: 4096
: 4
: Location

4
0
0
4
0
--------------------------------------------------------------------
b. Configure the load balancing metric as least-load on both controllers.

WC8180(config-wireless-lb)#lb-metric least-load
138

June 2014
c. View the current distribution of APs.

Load Balancing Metric: least-load
----------------------------------------------------------------AP MAC Address
AP IP
WC IP
WC Status
----------------- --------------- --------------- --------------00:1B:4F:6A:18:E1 172.16.2.101
192.168.18.12
Connected
00:1B:4F:6A:18:E2 172.16.2.102
192.168.18.12
Connected
00:1B:4F:6A:18:E3 172.16.2.103
192.168.18.12
Connected
00:1B:4F:6A:18:E4 172.16.2.104
192.168.18.12
Connected
-----------------------------------------------------------------
In this example, assume that all the 4 APs are managed by the controller WC1 (IP
address 192.168.18.12). No APs are managed by the second controller WC2. This is
because the preferred controller for all the 4 APs is configured as WC1 with IP address
192.168.18.12.
: 4096
: 4
: none

4
0
4
0
0
--------------------------------------------------------------------
d. Perform an AP load balance:

WC8180#wireless domain load-balance ap
e. Verify the result of load balancing using the least-load metric.

: 4096
: 4
: none

0
0
4
0
0
--------------------------------------------------------------------

: 4096
: 4
: none

--------------- --------- --------- --------- -------- --------
June 2014

139
APs load-balanced to WC
0
0
4
0
0
--------------------------------------------------------------------
f. Verify that the APs are distributed equally between the 2 controllers.
Load Balancing Metric: least-load
----------------------------------------------------------------AP MAC Address
AP IP
WC IP
WC Status
----------------- --------------- --------------- --------------00:1B:4F:6A:18:E1 172.16.2.101
192.168.18.12
Connected
00:1B:4F:6A:18:E2 172.16.2.102
192.168.18.12
Connected
00:1B:4F:6A:18:E3 172.16.2.103
192.168.18.9
Connected
00:1B:4F:6A:18:E4 172.16.2.104
192.168.18.9
Connected
-----------------------------------------------------------------
Related Links
Commonly used configuration procedures

The following sections describe commonly used configuration procedures in wireless domains.
Related Links
Configuring domain options Overlay on page 140
Configuring domain options Unified Access on page 143
Configuring wireless profiles on page 146
Configuring domain options Overlay

CLI reference:
WC8180(config-wireless)#domain ?
Parameters:
ap-client-qos
ap-reconnection-timeout
auto-promote-discovered-ap
Enable AP QoS operation for clients

AP-WCP failover timeout
Enable auto-promote of discovered APs to AP
database.
Configure timeout for client roaming
Configure a primary country code for domain
Configure TSPEC violators report interval
client-roam-agetime
country-code
tspec-violation-report-interval
ap
Domain AP commands
auto-promoted-aps approve all Discovered AP
load-balance
Enter load balance configuration mode
mobility-vlan
Create a mobility domain VLAN
WC8180(config-wireless)#domain ap ?
Parameters:
H.H.H AP MAC Address to create/modify an AP entry in AP database
140

June 2014
image-update
reset-group-size
Configure AP image update related parameters

Configure group size for a bulk RESET
WCP8180(config-wireless)#domain auto-promoted-aps ?
approve approve all Discovered AP
WCP8180(config-wireless-lb)# ?
default
end
exit
lb-metric
no
WCP8180(config-wireless-lb)#lb-metric ?
location
WCP8180(config-wireless)#domain mobility-vlan ?
WORD Enter a mobility VLAN name (1-32 chars)
About this task

Use this procedure to configure domain options:
Procedure
2. Use the command domain ap-client-qos to enable access point QoS operations for
clients.
3. Use the command domain ap-reconnection-timeout to configure the AP-controller failover
timeout.
4. Use the command domain auto-promote-discovered-ap to enable auto promotion of
discovered access points.
5. Use the command domain client-roam-agetime <1 - 120> to configure the client
roaming timeout value in seconds.
6. Use the command domain country-code <country_code> to configure a code for
domain operation.
Note:
When creating an AP profile, specify a country code or use the default primary country
code of the domain. To change a country code after a profile has been created you must
delete the AP profile and create a new profile. Multiple-country domain names support a
maximum of 32 countries.
7. Use the command domain tspec-violation-report-interval <0 - 900> to
configure the TSPEC violators reporting interval in seconds.
8. Use the command domain ap <ap_mac> image-update to configure AP image update
related parameters.
June 2014

141
9. Use the command domain ap <ap_mac> reset-group-size to configure the Group

size for AP(s) reset after download.
10. Use the command domain ap image-update image to enter the AP image download
configuration mode.
11. Use the command domain ap image-update server-ip to configure the HTTP server
address.
12. Use the command domain ap image-update server-port to configure the HTTP
server port.
13. Use the command domain ap image-update external-download to download an
image from an external web server.
14. Use the command domain ap image-update download-group-size <1 - 100> to
configure the percentage of access points forming a group.
15. Use the command domain ap image-update model <ap8120> version
<1.0.0.0> filename <path/filename> server-ip <ip_addr> server-port
<portnum> to configure the model, version number of the AP image, filename including http
server path, server-ip address, and server port number.
16. Use the command domain ap reset-group-size <1 - 100> to configure the
percentage of access points in the domain that will be reset.
17. Use the command domain auto-promoted-aps approve to approve all discovered
APs.
18. Use the command domain ap model {ap8120 | ap8120-E | ap8120-O} to
configure the AP model.
19. Use these commands for configuring domain options for a specific AP.
a. Use the command domain ap <ap_mac> alternate-controller to configure an
alternate wireless controller.
b. Use the command domain ap <ap_mac> label to configure the AP label.
c. Use the command domain ap <ap_mac> location to configure the AP location.
d. Use the command domain ap <ap_mac> preferred-controller to configure
the preferred AP controller.
e. Use the command domain ap <ap_mac> profile-id to assign the appropriate AP
profile ID.
f. Use the command domain ap <ap_mac> radio to configure the AP radio.
g. Use the command domain ap <ap_mac> serial to configure the AP serial number.
20. Use the command domain mobility-vlan <vlan_name> to create a new mobility
VLAN.
21. Use the command domain ap radio <radio-id> antenna {70-degree | 180degree} to specify a type of an external antenna attached to an AP radio.
142

June 2014
22. Use the command domain ap default radio [<radio-id> [antenna]] to restore
the antenna the default.
23. Use the command domain ap radio <radio-id> ext-cable {3-ft | 10-ft} to
specify the length of an extension cable used to attach an external antenna.
24. Use the command domain ap default radio [<radio-id> [ext-cable]] to
restore the default value (3-ft) of an extension cable.
25. Use the command domain load-balance to enter the load balancing command mode.
Use the following commands to configure load balancing.
a. Use the command controller for controller load balance configuration commands.
b. Use the command default to set load balance parameters to default.
c. Use the command lb-metric least-load to configure APs (and WSPs, in Unified
Access deployments) to load balance to the least loaded device.
d. Use the command lb-metric location to load balance to the device in the nearest
location.
Related Links
Configuring domain options Unified Access

CLI reference:
WCP8180(config-wireless)#domain ?
Parameters:
ap-client-qos
ap-reconnection-timeout
auto-promote-discovered-ap
Enable AP QoS operation for clients

AP-WCP failover timeout
Enable auto-promote of discovered APs to AP
database.
Configure timeout for client roaming
Configure a primary country code for domain
Configure TSPEC violators report interval
client-roam-agetime
country-code
tspec-violation-report-interval
ap
Domain AP commands
auto-promoted-aps approve all Discovered AP
load-balance
Enter load balance configuration mode
mobility-vlan
Create a mobility domain VLAN
wsp
Add a WSP entry to domain WSP database
WCP8180(config-wireless)#domain ap ?
Parameters:
H.H.H AP MAC Address to create/modify an AP entry in AP database
image-update
Configure AP image update related parameters
reset-group-size Configure group size for a bulk RESET
WCP8180(config-wireless)#domain auto-promoted-aps ?
approve approve all Discovered AP
WCP8180(config-wireless-lb)# ?
default
end
exit
June 2014

143
lb-metric
no

WCP8180(config-wireless-lb)#lb-metric ?
location
WCP8180(config-wireless)#domain mobility-vlan ?
WORD Enter a mobility VLAN name (1-32 chars)
WCP8180(config-wireless)#domain wsp ?
H.H.H WSP MAC Address to create/modify a WSP entry in WSP database
About this task

Use this procedure to configure domain options:
Procedure
2. Use the command domain ap-client-qos to enable access point QoS operations for
clients.
3. Use the command domain ap-reconnection-timeout to configure the AP-WCP failover
timeout.
4. Use the command domain auto-promote-discovered-ap to enable auto promotion of
discovered access points.
5. Use the command domain client-roam-agetime <1 - 120> to configure the client
roaming timeout value in seconds.
6. Use the command domain country-code <country_code> to configure a country
code for domain operation.
Note:
When creating an AP profile, specify a country code or use the default primary country
code of the domain. To change the country code after you create the AP profile, you
must first delete the AP profile and then create a new profile. Multiple-country domain
names support a maximum of 32 countries.
7. Use the command domain tspec-violation-report-interval <0 - 900> to
configure the TSPEC violators reporting interval in seconds.
8. Use the command domain ap <ap_mac> image-update to configure AP image update
related parameters.
9. Use the command domain ap <ap_mac> reset-group-size to configure the Group
size for AP(s) reset after download.
10. Use the command domain ap image-update image to enter the AP image download
configuration mode.
11. Use the command domain ap image-update server-ip to configure the HTTP server
address.
144

June 2014
12. Use the command domain ap image-update server-port to configure the HTTP
server port.
13. Use the command domain ap image-update external-download to download an
image from an external web server.
14. Use the command domain ap image-update download-group-size <1 - 100> to
configure the percentage of access points forming a group.
15. Use the command domain ap image-update model <ap8120> version
<1.0.0.0> filename <path/filename> server-ip <ip_addr> server-port
<portnum> to configure the model, version number of the AP image, filename including http
server path, server-ip address, and server port number.
16. Use the command domain ap reset-group-size <1 - 100> to configure the
percentage of access points in the domain that will be reset.
17. Use the command domain auto-promoted-aps approve to approve all discovered
APs.
18. Use the command domain ap model {ap8120 | ap8120-E | ap8120-O} to
configure the AP model.
19. Use these commands for configuring domain options for a specific AP.
a. Use the command domain ap <ap_mac> alternate-controller to configure an
alternate wireless controller.
b. Use the command domain ap <ap-mac> alternate-wsp to configure an alternate
Wireless Switching Point (WSP).
c. Use the command domain ap <ap_mac> label to configure the AP label.
d. Use the command domain ap <ap_mac> location to configure the AP location.
e. Use the command domain ap <ap_mac> preferred-controller to configure
the preferred AP controller.
f. Use the command domain ap <ap-mac> preferred-wsp to configure a preferred
WSP.
g. Use the command domain ap <ap_mac> profile-id to assign the appropriate AP
profile ID.
h. Use the command domain ap <ap_mac> radio to configure the AP radio.
i. Use the command domain ap <ap_mac> serial to configure the AP serial number.
20. Use the command domain mobility-vlan <vlan_name> to create a new mobility
VLAN.
21. Use the command domain ap radio <radio-id> antenna {70-degree | 180degree} to specify a type of an external antenna attached to an AP radio.
22. Use the command domain ap default radio [<radio-id> [antenna]] to restore
the antenna the default.
June 2014

145
23. Use the command domain ap radio <radio-id> ext-cable {3-ft | 10-ft} to
specify the length of an extension cable used to attach an external antenna.
24. Use the command domain ap default radio [<radio-id> [ext-cable]] to
restore the default value (3-ft) of an extension cable.
25. Use the command domain load-balance to enter the load balancing command mode.
Use the following commands to configure load balancing.
a. Use the command controller for controller load balance configuration commands.
b. Use the command default to set load balance parameters to default.
c. Use the command lb-metric least-load to configure APs (and WSPs, in Unified
Access deployments) to load balance to the least loaded device.
d. Use the command lb-metric location to load balance to the device in the nearest
location.
26. Use the command domain wsp <wsp_mac> to add a WSP to the Domain WSP database
or modify an existing entry.
Related Links
Configuring wireless profiles

Configure Radio Profiles, Network Profiles and AP Profiles.
CLI reference:
WCP8180(config-wireless)#ap-profile ?
WCP8180(config-wireless)#network-profile ?
<1-64> Network Profile ID
WCP8180(config-wireless)#radio-profile ?
<1-128> Radio Profile ID
Important:
As part of the configuration, when you configure profiles in the network (such as AP profiles,
network profiles and radio profiles) ensure that you configure profile name to be unique across
the network, for each of the profiles.
Also, ensure that you do not configure profile names that have similar characters or letters but
are different only in their case.
Important:
When you configure an SSID for a network profile, ensure that it is unique across the network.
SSIDs can have a maximum of 32 characters.
Also, ensure that you do not configure SSIDs that have similar characters but are different only
in their case. For example do not configure SSIDs avaya-demo and AVAYA-DEMO within the
same network.
146

June 2014
About this task

Use this procedure to configure wireless profiles.
Procedure
2. Use the command network-profile <1-64> to create a network profile.
This command has the options listed in the following table.
June 2014
Command
Option
Description
network profile <1-64>
arp-suppression
Enable wireless ARP

suppression.
captive-portal
Configure captive portal

mapping.
client-qos
Configure client QoS settings.
cos2wmm
WMM values for CoS settings.
default
Set default network profile

settings.
dot1x
Configure 802.1x parameters.
end
End configuration.
exit
Exit configuration.
hide-ssid
Enable SSID hiding in network

beacons.
mac-validation
Enable client authentication

through client MAC addresses.
mobility-vlan
Configure the default mobility

VLAN.
probe-response
Enable response to broadcast

probe request.
profile-name
Configure the network profile

name.
radius
Configure RADIUS related

parameters.
security-mode
Configure the security mode.
ssid
Configure the network SSID.
user-group
Configure the local user group.
user-validation
Configure user validation

method if captive portal is
enabled.
wep
Configure WEP-related
parameters.
wmm2cos
CoS mapping for WMM.

147
Command
Option
Description
wpa2
Configure WPA2 settings.
3. Use the command radio-profile <1-128> to create a radio profile.

a. Ensure you use the command ap-model to select an AP model.
b. Ensure you use the command country-code to select a country code.
These commands have the options listed in the following table.
148
Command
Options
Description
radio-profile <1- 64>
apsd
Enable auto powersave delivery

mode.
beacon-interval
Set the beacon interval.
channel
Configure radio channel

settings.
data-rates
Configure basic/supported data

rates.
default
Set default profile parameters.
dot11-mode
Configure the physical mode of

the radio.
dot11n
Set the 802.11n configuration.
dot11n-protection-mode
Configure the 802.11n

protection mode.
dtim-period
Configure the Delivery Traffic

Indication Map.
end
End configuration.
exit
Exit configuration.
fragmentation-threshold
Configure packet fragmentation

threshold.
incorrect-frame-no-ack
Enable No-Ack for incorrectly

received frames on radio.
load-balance
Configure load balancing

parameters.
max-clients
Configure the maximum

number of simultaneous clients.
multicast-tx-rate
Configure the multicast transfer

rate.
no
Disable the radio profile.
power
Configure the radio power

settings.
profile-name
Set the radio profile name.
qos
Configure radio QoS queues.

June 2014
Command
ap-model
Options
Description
rate-limit
Configure the broadcast and

multicast rates.
rf-scan
Configure the RF scan mode

parameters.
rrm
Enable Radio Resource

Measurement.
rts-threshold
Configure the threshold below

which MPDU RTS/CTS is not
performed.
station-isolation
Enable station isolation.
tspec
Configure TSPEC settings.
wmm-mode
Enable WMM mode.
access-wids
Create a radio profile with a

specific IEEE 802.11 mode
wids-wips
Create a radio profile with a 2.4

GHz or 5 GHz scan band or
both.
ap8120-O
Configure AP Model
ap8120/E
Avaya outdoor AP (AP 8120O)

Avaya indoor (AP 8120) and
external antenna (AP 8120-E)
Note:
If you do not choose an ap
model the default is
ap8120.
country-code
Enter a country code
Create an AP profile with a

country code
Note:
When creating an AP
profile, specify a country
code or use the default
primary country code of
the domain. To change a
country code after a profile
has been created you
must delete the AP profile
and create a new profile.
Multiple country domain
names support a
June 2014

149
4. Use the command ap-profile <1-32> to create an access point profile.

a. Ensure you use the command ap-model to select an AP model.
b. Ensure you use the command country-code to select a country code.
These commands have the options listed in the following table.
Command
Option
Description
ap-profile <1-64>
cos2dscp
CoS to DSCP Mappings
default
Set a command to its default

values
default-profile
Set current profile, as the

default profile for an AP
dscp2cos
DSCP to CoS QoS Mapping
end
End configure mode
exit
Exit from AP profile

configuration mode
network <1-64>
<1-64> Network Profile ID.

Configure Network Profile
mapping on a radio
no
Disable AP profile parameters
profile-name
Set an AP profile name
radio
Configure Radio Profile

mapping on a radio
ap8120-O
Configure the AP model
ap8120/E
ap-model
Avaya indoor (AP 8120) and

external antenna (AP 8120-E)
Note:
If you do not choose an AP
ap8120.
country-code
Enter a country code
Create an AP profile with a

country code
Note:
When creating an AP
profile, specify a country
code or use the default
primary country code of
the domain. To change a
country code after a profile
has been created you
150

June 2014
must delete the AP profile

and create a new profile.
Multiple country domain
names support a
5. Use the command domain ap <mac address> to create a domain ap profile..

This command has the options listed in the following table.
Command
Option
Description
domain ap <mac address>
alternate-controller
Configure alternate wireless

controller
default
Set a command to its default

values
end
exit mode
Exit from domain AP

configuration
label
Configure AP Label
location
Configure AP Location
model {ap8120 | ap8120E | ap8120-O | }
Configure the AP model

Avaya indoor AP (AP 8120)
Avaya indoor AP8120-E (with
external antennas)
Note:
If you do not choose an AP
AP8120.
preferred-controller
Configure preferred wireless

controller
profile-id <1-64>
Assign AP profile ID used for

AP configuration
radio <1-2> [antenna

<WL81AT070E6 |
WL81AT180E6>] [channel
<1-216 | auto>] [extcable <3-ft | 10-ft>]
[power <1-100| auto>]
Configure radio channel /

power / antenna / cable
settings:
radio
antenna
WL81AT070E6 AP8120-E
external antenna (70 degree)
June 2014

151
Command
Option
Description
WL81AT180E6 AP8120-E
external antenna (180
degree)
channel
1-216 Fixed channel
number. Use 'show wireless
radar-detection' to display
valid channels.
auto Automatic channel
selection
ext-cable
3-ft AP8120-E 3 feet
extension cable
10-ft AP8120-E 10 feet
extension cable
power
1-100 Fixed power level (in
percentage)
auto Automatic power level
adjustment
serial
WORD Enter AP serial

number
6. Use the command captive-portal profile <1 - 10> to create a captive portal
profile.
Related Links
152

June 2014
Chapter 5: ACLI Reference for wired

networks

The following sections describe typical Avaya Command Line Interface (ACLI) commands for wired
network configuration.
Related Links
Configuring system options on page 153
Configuring system security on page 202
Configuring VLANs and Link Aggregation on page 244
Configuring IP routing on page 274
Configuring Access Lists on page 305
Configuring Elements, Classifiers, and Classifier Blocks on page 308
Configuring wired Quality of Service on page 314
Configuring Serviceability on page 345
Configuring diagnostics and graphing on page 354
Configuring system options

This section describes the system configuration procedures for the WLAN Controller 8180 (WC
8180).
Related Links
ACLI reference for wired networks on page 153
General switch administration on page 154
Configuring Energy Saver Options on page 168
Using Simple Network Time Protocol on page 168
Real time clock configuration on page 172
Custom Autonegotiation Advertisements on page 173
Connecting to another switch on page 175
Domain Name Server (DNS) Configuration on page 176
Changing switch software on page 178
Configuration files in CLI on page 180
June 2014

153
ACLI Reference for wired networks
Enabling Quickconfig on page 183

Terminal setup on page 183
Setting the default management interface on page 183
Enabling Serial Console Port Access on page 184
Setting Telnet access on page 184
Setting boot parameters on page 186
Defaulting to BootP-when-needed on page 186
shutdown command on page 188
reload command on page 188
Configuring Packet Storm Control Settings on page 189
CLI Help on page 189
Clearing the default TFTP server with CLI on page 190
Configuring a default TFTP server with CLI on page 190
Configuring default clock source on page 190
Configuring daylight savings time with CLI on page 190
Configuring Dual Agent on page 191
Configuring local time zone with CLI on page 193
Customizing CLI banner with CLI on page 194
Displaying the default TFTP server with CLI on page 195
Displaying complete GBIC information on page 195
Displaying hardware information on page 195
Configuring Auto-Unit Replacement on page 196
Configuring the UI button on page 196
Configuring USB Host Port on page 196
Enabling Autosave on page 197
Setting the server for Web-based management with CLI on page 197
Setting the read-only and read-write passwords on page 198
Setting telnet and serial passwords on page 198
Enabling RADIUS password fallback on page 200
Configuring RADIUS authentication on page 200
General switch administration

About this task
This section outlines the Avaya CLI commands used in general switch administration.
See the following topics for more information:
Related Links
Assigning and clearing IP addresses on page 155
Displaying interfaces on page 158
154

June 2014
Configuring Interface Options on page 158

Enabling Jumbo Frames on page 159
Configuring the EDM Help File Path on page 159
Configuring the HTTP Port on page 159
Setting port speed on page 160
Testing cables with the Time Domain Reflectometer on page 162
Enabling Autotopology on page 163
Enabling flow control on page 164
Enabling rate-limiting on page 166
Assigning and clearing IP addresses

You can assign, clear, and view IP addresses and gateway addresses with CLI. The commands
discussed in this section are used to perform these tasks.
Note:
Users should not change the Wireless System IP address of the controller after the controller
joins a domain. Do the following if a change is required after the controller joins a domain:
1. Remove the controller from the mobility domain.
2. Disable wireless operations.
3. Change the IP address.
4. Join the controller to the domain.
ip address command
The ip address command sets the IP address and subnet mask for the switch.
This command is executed in the Global Configuration command mode.
CLI reference:
WCP8180(config)#ip address ?
A.B.C.D IP address
netmask The subnet mask
source
BootP/DHCP mode
The following table describes the parameters for the ip address command.
Table 5: ip address parameters
Parameters
Description
A.B.C.D
Denotes the IP address in dotted-decimal notation; netmask is optional.
netmask
Signifies the IP subnet mask.
source
BootP/DHCP mode
Note:
When the IP address or subnet mask is changed, connectivity to Telnet and the Web can be
lost.
June 2014

155
ip address source command

If you want to automatically obtain an IP address, subnet mask and default gateway, you can use
the ip address command with the source parameter. When you use DHCP, the switch can also
obtain up to three DNS server IP addresses.
Execute the ip address source command in the Global Configuration command mode.
CLI reference:
WCP8180(config)#ip address source ?
bootp-always
Always use the bootp server
bootp-last-address Use the last time bootp server
bootp-when-needed
Use bootp server when needed
configured-address User-configured IP address
dhcp-always
Always use the DHCP server
dhcp-last-address
Use the last time DHCP server
dhcp-when-needed
Use DHCP client when needed
The following table describes the variables for the ip address source command:
Table 6: ip address source command parameters
Parameter
Description
bootp-always
Always use the bootp server.
bootp-last-address
Use the last bootp server.
bootp-when-needed
Use bootp server when needed.
dhcp-always
Always use the DHCP server.
dhcp-last-address
Use the last DHCP server.
dhcp-when-needed
Use DHCP client when needed.
no ip address command
The no ip address command clears the IP address and subnet mask for a switch. This
command sets the IP address and subnet mask for a switch to all zeros (0).
The syntax for the no ip address command is: no ip address switch
The no ip address command is executed in the Global Configuration command mode.
Note: When the IP address or subnet mask is changed, connectivity to Telnet and the Web Interface
can be lost. Any new Telnet connection can be disabled and is required to connect to the serial
console port to configure a new IP address.
ip default-gateway command
The ip default-gateway command sets the default IP gateway address for a switch to use.
CLI reference:
WCP8180(config)#ip default-gateway ?
A.B.C.D IP address of default gateway
The following table describes the parameters for the ip default-gateway command.
156

June 2014
Table 7: ip default-gateway command parameters

Parameters
Description
A.B.C.D
Enter the dotted-decimal IP address of the default IP gateway.
Note:
When the IP gateway is changed, connectivity to Telnet and the Web Interface can be lost.
show ip command
The show ip command displays the IP configurations, BootP/DHCP mode, switch address, subnet
mask, and gateway address. This command displays these parameters for what is configured, what
is in use, and the last BootP/DHCP.
This command is executed in the User EXEC command mode.
If you do not enter any parameters, this command displays all IP-related configuration information.
CLI reference:
WCP8180(config)#show ip ?
Parameters:
address
IP address
bootp
Show bootp
default-gateway IP address
<cr>
arp-proxy
Display
default-ttl
Display
dhcp
Display
dhcp-relay
Display
directed-broadcast Display
dns
Display
fwd-nh
Display
igmp
Display
ipfix
Display
mgmt
Display
route
Display
routing
Display
WCP8180(config)#
of switch/stack
settings
of default gateway
Proxy ARP status
default TTL
DHCP settings
DHCP relay information
directed-broadcast forwarding mode
DNS configuration
IP forwarding next-hop settings
IGMP information
IPFIX settings
management VLAN information
IP route information
global routing enable/disable
The following table describes the parameters for the show ip command.
Parameters
Description
bootp
Displays BootP/DHCP-related IP information. The possibilities

for status returned are:
BootP Always
Disabled
BootP or Last Address
BootP When Needed
DHCP Always
DHCP or Last Address
DHCP When Needed
June 2014

157
Parameters
Description
dhcp client lease
Displays DHCP client lease information. The command displays

information about configured lease time and lease time granted
by the DHCP server.
default-gateway
Displays the IP address of the default gateway.
address
Displays the current IP address.
address source
Displays the BootP or DHCP client information.Assigning and

clearing IP addresses for specific units
DHCP always
DHCP when needed
DHCP or last address
Disabled
BootP always
BootP when needed
BootP or last address
Displaying interfaces
The status of all interfaces on the switch can be viewed, including Multi-Link Trunk membership, link
status, autonegotiation and speed using the following command.
show interfaces command
The show interfaces command displays the current configuration and status of all interfaces.
The syntax for the show interfaces command is: show interfaces [names]
[<portlist>]
CLI reference:
WCP8180(config-security)#show interfaces ?
gbic-info Display gbic details
LINE
List of ports
names
Display interface names
verbose
Display contains informations about STP, VLACP, EAP and AES
<cr>
Table 8: show interfaces command parameters

Parameters
Description
names <portlist>
Displays the interface names; enter specific ports if you want to see
only those.
Configuring Interface Options

About this task
Use the following procedure to configure Fast Ethernet and Layer 3 IP VLAN options.
158

June 2014
Procedure
2. Enter Configuration mode by entering the config command.
3. Use the command interface FastEthernet <list of ports> to set the list of ports
to support Fast Ethernet.
4. Use the command interface vlan <14094> to assign the Layer 3 IP VLAN ID.
Related Links
Enabling Jumbo Frames

About this task
Use the following procedure to enable Jumbo Frames
Procedure
3. Use the command jumbo-frames enable to enable Jumbo Frames.
Related Links
Configuring the EDM Help File Path

About this task
Use the following procedure to change the location of EDM help files
Procedure
3. Use the command edm help-file-path <help-file-path> to set the EDM help file
path.
Related Links
Configuring the HTTP Port

About this task
Use the following procedure to configure the HTTP Port.
Procedure
June 2014

159

3. Use the command http-port <102465535> to set the HTTP port.
Related Links
Setting port speed

See the following sections for CLI commands to configure port speed and duplexing.
Related Links
speed command on page 160
default speed command on page 161
duplex command on page 161
default duplex command on page 162
speed command
The speed command sets the speed of the port.
The syntax for the speed command is: speed [port <portlist>] {10 | 100 | 1000 |
auto}
The speed command is executed in the Interface Configuration command mode.
The following table describes the parameters for the speed command.
Table 9: speed command parameters
Parameters
Description
port <portlist>
Specifies the port numbers for which to configure the

speed. Enter the port numbers you want to
configure.
Note: If you omit this parameter, the system uses the
port number you specified in the interface command.
10|100|1000|auto
Sets speed to:

1010Mb/s
100 100 Mb/s
1000 1000 Mb/s or 1GB/s
auto autonegotiation
Note: Enabling and disabling autonegotiation for speed also enables and disables it for duplex
operation.When you set the port speed for autonegotiation, ensure that the other side of the link is
also set for autonegotiation.
Related Links
160

June 2014
default speed command

The default speed command sets the speed of the port to the factory default speed.
The syntax for the default speed command is: default speed [port <portlist>]
The default speed command is executed in the Interface Configuration command mode.
Parameters
Description
port <portlist>
Specifies the port numbers to set the speed to factory default.

Enter the port numbers you want to set.
Note: If you omit this parameter, the system uses the port
number you specified in the interface command.
Related Links
duplex command
The duplex command specifies the duplex operation for a port.
The syntax for the duplex command is: duplex [port <portlist>] {full | half |
auto}
The duplex command is executed in the Interface Configuration command mode.
Parameters
Description
port <portlist>
Specifies the port numbers for which to reset the duplex mode
to factory default values. Enter the port number you want to
configure. The default value is autonegotiation.
Note: If you omit this parameter, the system uses the ports you
specified in the interface command.
full | half | auto
Sets duplex to:

full full-duplex mode
half half-duplex mode
autoautonegotiation
Note: Enabling/disabling autonegotiation for speed also enables/disables it for duplex

operation.When you set the duplex mode for autonegotiation, ensure that the other side of the link is
also set for autonegotiation.
Related Links
June 2014

161
default duplex command

The default duplex command sets the duplex operation for a port to the factory default duplex
value.
The syntax for the default duplex command is: default duplex [port <portlist>]
The default duplex command is executed in the Interface Configuration command mode.
Parameters
Description
port <portlist>
Specifies the port numbers to reset the duplex mode to factory

default values. Enter the port numbers you want to configure. The
default value is autonegotiation.
Related Links
Testing cables with the Time Domain Reflectometer

The WC 8180 is equipped with a Time Domain Reflectometer (TDR). The TDR provides a
diagnostic capability to test connected cables for defects (such as short pin and pin open). You can
obtain TDR test results from CLI or Device Manager.
The cable diagnostic tests only apply to Ethernet copper ports; fiber ports cannot be tested.
You can initiate a test on multiple ports at the same time.
When you test a cable with the TDR, if the cable has a 10/100 MB/s link, the link is broken during
the test and restored only when the test is complete. If the cable has a 10/100 MB/s link, the test
results may be incomplete as the test does not test all of the pins in the connector. Use of the TDR
does not affect 1 GB/s links.
See the Troubleshooting Avaya WLAN 8100, NN47251-700 for more information on troubleshooting
cables and for connector pin tables.
Note:
The accuracy margin of cable length diagnosis is between three to five meters. Avaya suggests
the shortest cable for length information be five meters long.
Use the following CLI commands to initiate a TDR cable diagnostic test and obtain test reports.
Related Links
tdr test command on page 162
show tdr command on page 163
tdr test command
The tdr test command initiates a TDR test on a port or ports.
162

June 2014
The syntax for this command is: tdr test <portlist>

where <portlist> specifies the ports to be tested.
The tdr test command is in the privExec command mode.
Related Links
show tdr command
The show tdr command displays the results of a TDR test.
The syntax for this command is: show tdr <portlist>
where <portlist> specifies the ports for which to display the test results.
The show tdr command is in the privExec command mode.
Related Links
Enabling Autotopology
About this task
The Optivity Autotopology protocol can be configured using the CLI.
Use the following commands to enable autotopology using the CLI.
Related Links
autotopology command on page 163
no autotopology command on page 163
default autotopology command on page 164
show autotopology settings command on page 164
show autotopology nmm-table command on page 164
autotopology command
The autotopology command enables the Autotopology protocol.
The syntax for the autotopology command is: autotopology
The autotopology command is executed in the Global Configuration command mode.
Related Links
no autotopology command
The no autotopology command disables the Autotopology protocol.
The syntax for the no autotopology command is: no autotopology
The no autotopology command is executed in the Global Configuration command mode.
June 2014

163
Related Links
default autotopology command
The default autotopology command enables the Autotopology protocol.
The syntax for the default autotopology command is: default autotopology
The default autotopology command is executed in the Global Configuration command mode.
Related Links
show autotopology settings command
The show autotopology settings command displays the global autotopology settings.
The syntax for the show autotopology settings command is: show autotopology
settings
The show autotopology settings command is executed in the Privileged EXEC command
mode.
Related Links
show autotopology nmm-table command
The show autotopology nmm-table command displays the Autotopology network
management module (NMM) table.
The syntax for the show autotopology nmm-table command is: show autotopology nmm-table
The show autotopology nmm-table command is executed in the Privileged EXEC command
mode.
Related Links
Enabling flow control

About this task
Gigabit Ethernet, when used with the WC 8180, can control traffic on this port using the
flowcontrol command.
See the following commands to enable flow control using the CLI.
Related Links
flow control command on page 165
no flowcontrol command on page 165
default flowcontrol command on page 166
default rate-limit command on page 166
164

June 2014
flow control command

The flowcontrol command is used only on Gigabit Ethernet ports and controls the traffic rates
during congestion.
The syntax for the flowcontrol command is: flowcontrol [port <portlist>]
{asymmetric | symmetric | auto | disable}
The flowcontrol command is executed in the Interface Configuration mode.
Table 10: flowcontrol command parameters
Parameters
Description
port <portlist>
Specifies the port numbers to configure for flow control.

specified in the interface command but only those ports which
have speed set to 1000/full.
asymmetric | symmetric | auto | disable
Sets the mode for flow control:

asymmetric- PAUSE frames can only flow in one direction.
symmetric- PAUSE frames con flow in either direction.
auto- sets the port to automatically determine the flow control
mode (default)
disabledisables flow control
Related Links
no flowcontrol command
The no flowcontrol command is used only on Gigabit Ethernet ports and disables flow control.
The syntax for the no flowcontrol command is: no flowcontrol [port <portlist>]
The no flowcontrol command is executed in the Interface Configuration mode.
Table 11: no flowcontrol command parameters
Parameters
Description
port <portlist>
Specifies the port numbers for which to disable flow

control.
ports you specified in the interface command, but
only those ports that have speed set to 1000/full.
Related Links
June 2014

165
default flowcontrol command

The default flowcontrol command is used only on Gigabit Ethernet ports and sets the flow
control to auto, which automatically detects the flow control.
The syntax for the default flowcontrol command is: default flowcontrol [port
<portlist>]
The default flowcontrol command is executed in the Interface Configuration mode.
Parameters
Description
port <portlist>
Specifies the port numbers to default to auto flow control.

Note: If you omit this parameter, the system uses the port number
you specified in the interface command.
Related Links
default rate-limit command
The default rate-limit command restores the rate-limiting value for the specified port to the
default setting.
The syntax for the default rate-limit command is: default rate-limit [port
<portlist>]
The default rate-limit command is executed in the Interface Configuration command mode.
Table 12: default rate-limit command parameters
Parameters
Description
port <portlist>
Specifies the port numbers on which to reset rate-limiting to factory default.

Enter the port numbers on which to set rate-limiting to default.
Note: If you omit this parameter, the system uses the port number you
Related Links
Enabling rate-limiting
About this task
The percentage or packets per seconds of multicast traffic, broadcast traffic, or both, can be limited
using the CLI.
See the following commands for more information.
Related Links
166

June 2014
show rate-limit command on page 167

rate-limit command on page 167
no rate-limit command on page 167
show rate-limit command
The show rate-limit command displays the rate-limiting settings and statistics.
The syntax for the show rate-limit command is: show rate-limit
The show rate-limit command is executed in the Privileged EXEC command mode.
Related Links
rate-limit command
The rate-limit command configures rate-limiting on the port.
The syntax for the rate-limit command is: rate-limit {multicast | broadcast |
both} {percent <0-10>}
The rate-limit command is executed in the Interface Configuration command mode.
Table 13: rate-limit command parameters
Parameters
Description
multicast | broadcast | both
Applies rate-limiting to the type of traffic.

multicast--applies rate-limiting to multicast packets
broadcast--applies rate-limiting to broadcast
packets
both--applies rate-limiting to both multicast and
broadcast packets
percent <0-10>
Specifies the mode for setting the rates of the

incoming traffic.
percent <0-10>--enter and integer from 1 to 10 to
set the rate-limiting percentage.
For 10 Gb/s links, the default value for limiting both
broadcast and multicast is 10 percent.
Rate limiting using packet per seconds can only be
configured using CLI.
Related Links
no rate-limit command
The no rate-limit command disables rate-limiting on the port.
June 2014

167
The syntax for the no rate-limit command is: no rate-limit [port <portlist>]
The no rate-limit command is executed in the Interface Configuration command mode.
Table 14: no rate-limit command parameters
Parameters
Description
port <portlist>
Specifies the port numbers to disable for rate-limiting. Enter the port
numbers you want to disable.
Note: If you omit this parameter, the system uses the port number you
Related Links
Configuring Energy Saver Options

About this task
Use the following procedure to configure Energy Saver options.
Procedure
3. Use the command energy-saver enable to enable energy saver mode.
4. Use the command energy-saver efficiency-mode to enable efficiency mode.
5. Use the command energy-saver poe-power-saving to enable Power Over Ethernet
power saving mode.
Related Links
Using Simple Network Time Protocol

The Simple Network Time Protocol (SNTP) feature synchronizes the Universal Coordinated Time
(UCT) to an accuracy within 1 second. This feature adheres to the IEEE RFC 2030 (MIB is the
s5agent). With this feature, the system can obtain the time from any RFC 2030-compliant NTP/
SNTP server.
Note:
If you have trouble using this feature, try various NTP servers. Some NTP servers can be
overloaded or currently inoperable.The system retries connecting with the NTP server a
maximum of three times, with 5 minutes between each retry.
Using SNTP provides a real-time timestamp for the software, shown as Greenwich Mean Time
(GMT).
168

June 2014
If SNTP is enabled, the system synchronizes with the configured NTP server at boot-up and at userconfigurable periods thereafter (the default synchronization interval is 24 hours). The first
synchronization is not performed until network connectivity is established.
SNTP supports primary and secondary NTP servers. The system tries the secondary NTP server
only if the primary NTP server is unresponsive.
Use the following CLI commands to configure SNTP.
Related Links
show SNTP command on page 169
show sys-info command on page 169
SNTP enable command on page 169
no SNTP enable command on page 170
SNTP server primary address command on page 170
SNTP server secondary address command on page 170
no SNTP server command on page 171
SNTP sync-now command on page 171
SNTP sync-interval command on page 171
show SNTP command

The show SNTP command displays the SNTP information, as well as the configured NTP servers.
The syntax for the show SNTP command is: show sntp
The show SNTP command is executed in the Privileged EXEC command mode.
Related Links
show sys-info command

The show sys-info command displays the current system characteristics.
The syntax for the show sys-info command is: show sys-info
The show sys-info command is executed in the Privileged EXEC command mode.
Note: You must have SNTP enabled and configured to display GMT time.
Related Links
SNTP enable command

The SNTP enable command enables SNTP.
The syntax for the SNTP enable command is: sntp enable
The SNTP enable command is executed in the Global Configuration command mode.
Note: The default setting for SNTP is disabled.
June 2014

169
Related Links
no SNTP enable command

The no SNTP enable command disables SNTP.
The syntax for the no SNTP enable command is: no sntp enable
The no SNTP enable command is executed in the Global Configuration command mode.
Related Links
SNTP server primary address command

The SNTP server primary address command specifies the IP addresses of the primary NTP
server.
The syntax for the SNTP server primary address command is: sntp server primary
address <A.B.C.D>
The SNTP server primary address command can be executed in the Global Configuration
command mode.
Table 15: sntp server primary address command parameters
Parameters
Description
<A.B.C.D>
Enter the IP address of the primary NTP server in dotted-decimal

notation.
Related Links
SNTP server secondary address command

The SNTP server secondary address command specifies the IP addresses of the secondary
NTP server.
The syntax for the SNTP server secondary address command is: sntp server
secondary address <A.B.C.D>
The SNTP server secondary address command is executed in the Global Configuration
command mode.
Table 16: sntp server secondary address command parameters
170
Parameters
Description
<A.B.C.D>
Enter the IP address of the secondary NTP server in dotteddecimal notation.

June 2014
Related Links
no SNTP server command

The no SNTP server command clears the NTP server IP addresses. The command clears the
primary and secondary server addresses.
The syntax for the no SNTP server command is: no sntp server {primary |
secondary}
The no SNTP server command is executed in the Global Configuration command mode.
Table 17: no sntp server command parameters
Parameters
Description
primary
Clear primary SNTP server address.
secondary
Clear secondary SNTP server address.
Related Links
SNTP sync-now command

The SNTP sync-now command forces a manual synchronization with the NTP server.
The syntax for the SNTP sync-now command is: sntp sync-now
The SNTP sync-now command is executed in the Global Configuration command mode.
Note: SNTP must be enabled before this command can take effect.
Related Links
SNTP sync-interval command

The SNTP sync-interval command specifies recurring synchronization with the secondary NTP
server in hours relative to initial synchronization.
The syntax for the SNTP sync-interval command is: sntp sync-interval <0-168>
The SNTP sync-interval command is executed in the Global Configuration command mode.
Table 18: sntp sync-interval command parameters
Parameters
Descriptions
<0-168>
Enter the number of hours for periodic synchronization with the NTP
server.
Note: 0 is boot-time only, and 168 is once a week.
June 2014

171
Related Links
Real time clock configuration

In addition to SNTP time configuration, a real-time clock (RTC) is available to provide the switch with
time information. This RTC provides the switch information in the instance that SNTP time is not
available.
Use the following CLI commands to view and configure the RTC.
Related Links
clock set command on page 172
Clock sync rtc-with-SNTP enable command on page 172
no clock sync-rtc-with-SNTP enable command on page 173
Default clock sync-rtc-with-SNTP enable command on page 173
Clock source command on page 173
default clock source command on page 173
clock set command

This command is used to set the RTC. The syntax of the clock set command is: clock set
{<LINE> | <hh:mm:ss>}
The following table outlines the parameters for this command.
Table 19: clock set command parameters
Parameters
Description
<LINE>
A string in the format of mmddyyyyhhmmss that defines the

current local time.
<hh:mm:ss>
Numeric entry of the current local time in the manner specified.
This command is executed in the Privileged EXEC command mode.

Related Links
Clock sync rtc-with-SNTP enable command

This command enables the synching of the RTC with the SNTP clock when the SNTP clock
synchronizes.
The syntax for this command is: clock sync-rtc-with-sntp enable
Related Links
172

June 2014
no clock sync-rtc-with-SNTP enable command

This command disables the synching of the RTC with the SNTP clock when the SNTP clock
synchronizes.
The syntax for this command is: no clock sync-rtc-with-sntp enable
Related Links
Default clock sync-rtc-with-SNTP enable command

This command sets the synchronizing of the RTC with the SNTP clock to factory defaults.
The syntax for this command is: default clock sync-rtc-with-sntp enable
Related Links
Clock source command

This command sets the default clock source for the switch.
The syntax for this command is: clock source {sntp | rtc | sysUpTime}
Substitute {sntp | rtc | sysUpTime} with the clock source selection.
Related Links
default clock source command

This command sets the clock source to factory defaults. The syntax of this command is: default
clock source
Related Links
Custom Autonegotiation Advertisements

Custom Autonegotiation Advertisement (CANA) customizes the capabilities that are advertised. It
also controls the capabilities that are advertised by the WC 8180 as part of the auto-negotiation
process.
Use the following CLI commands to configure CANA.
Related Links
Configuring CANA on page 174
June 2014

173
Viewing current autonegotiation advertisements on page 174

Setting default auto-negotiation-advertisements on page 174
no auto-negotiation-advertisements command on page 174
Configuring CANA
About this task
Use the auto-negotiation-advertisements command to configure CANA.
To configure port 5 to advertise the operational mode of 10 Mb/s and full duplex enter the following
command line: auto-negotiation-advertisements port 5 10-full
Related Links
Viewing current autonegotiation advertisements

About this task
To view the autonegotiation advertisements for the device, enter the following command: show
auto-negotiation-advertisements [port <portlist>]
Related Links
Setting default auto-negotiation-advertisements

The default auto-negotiation-advertisements command makes a port advertise all its
auto-negotiation-capabilities.
The syntax for the default auto-negotiation-advertisements command is: default
auto-negotiation-advertisements [port <portlist>]
To set default advertisements for port 5 of the device, enter the following command line: default
auto-negotiation-advertisements port 5
The default auto-negotiation-advertisements command can be executed in the
Interface Configuration mode.
Related Links
no auto-negotiation-advertisements command
The no auto-negotiation-advertisements command makes a port silent.
The syntax for the no auto-negotiation-advertisements command is: no autonegotiation-advertisements [port <portlist>]
The no auto-negotiation-advertisements command can be executed in the Interface
Configuration mode.
Related Links
174

June 2014
Connecting to another switch

Using the Command Line Interface (CLI), it is possible to communicate with another switch while
maintaining the current switch connection. This is accomplished with the familiar ping and telnet
commands.
Related Links
ping command on page 175
telnet command on page 176
ping command
Use the ping command to determine if communication with another switch can be established.
The syntax for this command is: ping<dns_host_name> [datasize <64-4096> [{count
<1-999>} | continuous] [{timeout | -t} <1-120>] [interval <1-60] [debug]
Substitute <dns_host_name> with the DNS host name of the unit to test.
Run this command in User EXEC command mode or any of the other command modes.
CLI reference:
WCP8180#ping ?
Hostname or A.B.C.D
<cr>
The hostname or ip address to ping
WCP8180#ping 1.1.1.1 ?
-t
Timeout in seconds
continuous Ping in continuous mode
count
Number of packets
datasize
Packet size
debug
Enable ping debug
interval
Interval to retransmit in seconds
timeout
Timeout in seconds
<cr>

Table 20: ping command parameters
Parameters
Description
<dns_host_name>
The DNS host name of the unit to test.
datasize <644096>
Specify the size of the ICMP packet to be sent. The data

size range is from 64 to 4096 bytes.
count <19999> | continuous
Set the number of ICMP packets to be sent. The continuous

mode sets the ping running until the user interrupts it by
entering Ctrl+C.
timeout | -t | <1120>
Set the timeout using either the timeout with the -t parameter
followed by the number of seconds the switch must wait
before timing out.
interval <160>
Specify the number of seconds between transmitted

packets.
June 2014

175
Parameters
Description
debug
Provide additional output information such as the ICMP

sequence number and the trip time.
Related Links
telnet command
Use the telnet command to establish communications with another switch during the current CLI
session. Communication can be established to only one external switch at a time using the telnet
command.
The syntax for this command is: telnet <dns_host_name>
Substitute <dns_host_name> with the DNS hostname of the unit with which to communicate.
CLI reference:
WCP8180#telnet ?
Hostname or A.B.C.D remote host name or IP address
WCP8180#telnet 1.1.1.1 ?
port tcp port number
<cr>
Related Links
Domain Name Server (DNS) Configuration

Domain name servers are used when the switch needs to resolve a domain name to an IP address.
Use the following CLI commands for DNS configuration.
Related Links
show ip dns command on page 176
ip domain-name command on page 177
no ip domain-name command on page 177
default ip domain-name command on page 177
ip name-server command on page 177
no ip name-server command on page 178
show ip dns command

The show ip dns command is used to display DNS-related information. This information includes
the default switch domain name and any configured DNS servers.
The syntax for this command is: show ip dns
Related Links
176

June 2014
ip domain-name command
The ip domain-name command is used to set the default DNS domain name for the switch. This
default domain name is appended to all DNS queries or commands that do not already contain a
DNS domain name.
The syntax for this command is: ip domain-name <domain_name>
Substitute <domain_name> with the default domain name to be used. A domain name is
determined to be valid if it contains alphanumeric characters and contains at least one period (.).
Related Links
no ip domain-name command
The no ip domain-name command is used to clear a previously configured default DNS domain
name for the switch.
The syntax for this command is: no ip domain-name
Related Links
default ip domain-name command

The default ip domain-name command is used to set the system default switch domain name.
Because this default is an empty string, this command has the same effect as the no ip domainname command.
The syntax for this command is: default ip domain-name
Related Links
ip name-server command
The ip name-server command is used to set the domain name servers the switch uses to
resolve a domain name to an IP address. A switch can have up to three domain name servers
specified for this purpose.
The syntax of this command is:
ip name-server <ip_address_1> ip name-server <ip_address_2> ip nameserver <ip_address_3>
Note: To enter all three server addresses you must enter the command three times, each with a
different server address.
June 2014

177

Table 21: ip name-server command parameters
Parameters
Description
<ip_address_1>
The IP address of the domain name server used by the switch.
<ip_address_2>
Optional. The IP address of a domain name server to add to the list of

servers used by the switch.
<ip_address_3>
Optional. The IP address of a domain name server to add to the list of

servers used by the switch.

Related Links
no ip name-server command
The no ip name-server command is used to remove domain name servers from the list of
servers used by the switch to resolve domain names to an IP address.
The syntax for this command is:
no ip name-server <ip_address_1> no ip name-server [<ip_address_2>] no ip
name-server [<ip_address_2>]
Note: To remove all three server addresses you must enter the command three times, each with a
different server address.
Parameters
Description
<ip_address_1>
The IP address of the domain name server to remove.
<ip_address_2>
Optional. The IP address of a domain name server to remove from

the list of servers used by the switch.
<ip_address_3>
Optional. The IP address of a domain name server to remove from

the list of servers used by the switch.

Related Links
Changing switch software

About this task
The software download begins when the user initiates the download and follows the download
process accordingly. This process deletes the contents of the flash memory and replaces it with the
desired software image. Do not interrupt the download process. Depending on network conditions,
this process make take up to 10 minutes.
The current WLAN 8180 image build is as follows:
178

June 2014
Image name
Image Version
Image Size
wc8180_1.1.0.130s.img software
image
1.1.0.130
47 megabytes
When the download process is complete, the switch automatically resets unless the no-reset
parameter was used. The software image initiates a self-test and returns a message when the
process is complete.
An example of this message is illustrated in the following table.
Table 22: Software download message output
Download Image [/] Saving Image [-] Finishing Upgrading Image
Note:
Before upgrading to the latest software image, Avaya recommends to take the backup of the
binary & ASCII configuration on the controller and save it.
During the download process the switch is not operational.
The progress of the download process can be tracked by observing the front panel LEDs.
To change the software version running on the switch with CLI, follow this procedure:
Procedure
1. Access CLI through the Telnet protocol or a Console connection.
2. Enter enable and then hit enter to enter Privileged Access.
3. Enter download and then hit enter.
4. Enter the IP address address <a.b.c.d> of the TFTP address of where the image us
stored and then hit enter.
5. Enter the image file name image <image name> and hit enter.
6. The image downloads, saves the image, and reboots.
The following table explains the parameters for the download command.
Table 23: download command parameters
June 2014
Parameter
Description
address <a.b.c.d>
This parameter is the IP address of the TFTP

server to be used. The address <ip> parameter
is optional and if omitted the switch defaults to
the TFTP server specified by the tftpserver command unless software download is
to take place using a USB Mass Storage
Device.
image <image name>
This parameter is the name of the software

image to be downloaded from the TFTP server.

179
Configuration files in CLI

The CLI provides many options for working with configuration files. Using the CLI, configuration files
can be displayed, stored, and retrieved.
Related Links
Importing action commands on page 180
Displaying the current configuration on page 180
Storing the current configuration on page 180
copy tftp config command on page 181
copy usb config command on page 181
Saving the current configuration on page 182
Automatically downloading a configuration file with CLI on page 182
Importing action commands

The import and export of action commands in ASCII configuration files is not supported in this
release. This includes commands such as radius secret and mdc-join. Action commands that
are part of a device configuration before an export operation will be excluded during the export
operation. Subsequent imports of the configuration file will not contain the excluded commands.
Excluded commands must be manually executed after the import process.
This is very important to keep in mind especially in regards to configuring a new device or updating
a device that has been returned to factory defaults. Note the action commands that were part of the
pre-export configuration so they can be manually executed after the configuration file is imported.
Related Links
Displaying the current configuration

The show running-config command displays the current configuration of switch.
The syntax for the show running-config command is:
show running-config
This command only can be executed in the Privileged EXEC mode and takes no parameters.
CLI reference:
WCP8180#show running-config ?
module
Display configuration of an application
verbose Display entire configuration (defaults and non-defaults)
<cr>
Related Links
Storing the current configuration

The copy running-config command copies the contents of the current configuration file to
another location for storage. For all switches in the 8100 Series, the configuration file can be saved
180

June 2014
to a TFTP server. The WC 8180 also provide the ability to save the configuration file to a USB Mass
Storage Device through the front panel USB drive.
The syntax for the copy running-config command is:
copy running-config {tftp | (usb) [u2] } address <A.B.C.D> filename
<name>
Table 24: copy running-config parameters
Parameters
Description
{tftp | usb}
This parameter specifies the general location in which the

configuration file is saved.
address <A.B.C.D>
If a TFTP server is to be used, this parameter signifies the IP

address of the server to be used.
filename <name>
The name of the file that is created when the configuration is

saved to the TFTP server or USB Mass Storage Device.
The copy running-config command only can be executed in the Privileged EXEC mode.
Related Links
copy tftp config command

Use this command to restore a configuration file stored on a TFTP server.
copy tftp config address <A.B.C.D> filename <name>
Table 25: copy tftp config command parameters
Parameter
Description
address <A.B.C.D>
The IP address of the TFTP server to be used.
filename <name>
The name of the file to be retrieved.
Related Links
copy usb config command

Use this command to restore a configuration file stored on a USB Mass Storage Device. The syntax
is:
copy usb config filename <name>
The only parameter for this command is the name of the file to be retrieved from the USB device.
Related Links
June 2014

181
Saving the current configuration

The configuration currently in use on a switch is regularly saved to the flash memory automatically.
However, you can manually initiate this process using the copy config nvram command. This
command takes no parameters and you must run it in Privileged EXEC mode. If you have disabled
the AutosaveToNvramEnabled function by removing the default check in the
AutosaveToNvRamEnabled field, the configuration is not automatically saved to the flash memory.
Related Links
Automatically downloading a configuration file with CLI

This feature is enabled through CLI by using the configure network command. This command
enables a script to be loaded and executed immediately as well as configure parameters to
automatically download a configuration file when the switch is booted.
The syntax for the configure network command is: configure network load-on-boot
{disable | use-bootp | use-config} address <A.B.C.D> filename <name>
Table 26: configure network command parameters
Parameter
Description
load-on-boot {disable | use-bootp | use config}
Specifies the settings for automatically loading a

configuration file when the system boots:
disable - disables the automatic loading of config
file
use-bootp - specifies loading the ASCII
configuration file at boot and using BootP to obtain
values for the TFTP address and filename
use-config - specifies loading the ASCII
configuration file at boot and using the locally
configured values for the TFTP address and
filename
Note: If you omit this parameter, the system
immediately downloads and runs the ASCII config
file.
address <A.B.C.D>
The IP address of the desired TFTP server.
filename <name>
The name of the configuration file to use in this

process
This command must be run in the Privileged EXEC mode.

The current switch settings relevant to this process can be viewed using the show config-network
command. This command takes no parameters and must be executed in Privileged EXEC mode.
182

June 2014
Enabling Quickconfig
About this task
Use the following procedure to enable Quickconfig
Procedure
3. Use the command quickconfig enable to enable Quickconfig.
Related Links
Terminal setup
Switch terminal settings can be customized to suit the preferences of a switch administrator. This
operation must be performed in CLI.
The terminal command configures terminal settings. These settings are transmit and receive
speeds, terminal length, and terminal width.
The syntax of the terminal command is: terminal speed {2400 | 4800 | 9600 | 19200 |
38400} length <0-132> width <1-132>
The terminal command is executed in the User EXEC command mode.
Table 27: terminal command parameters
Parameters
Description
speed {2400|4800|19200|38400}
Sets the transmit and receive baud rates for the

terminal. The speed can be set at one of the five
options shown; the default is 9600.
length
Sets the length of the terminal display in lines; the

default is 23.
Note: If the terminal length is set to a value of 0, the
pagination is disabled and the display continues to
scroll without stopping.
width
Sets the width of the terminal display in characters;

the default is 79.
The show terminal command can be used at any time to display the current terminal settings.
This command takes no parameters and is executed in the EXEC command mode.
Setting the default management interface

You can set the default management interface with CLI to suit the preferences of the switch
administrator. This selection is stored in NVRAM. When the system is started, the banner displays
and prompts the user to enter Ctrl+Y. After these characters are entered, the system displays either
June 2014

183
a menu or the command line interface prompt, depending on previously configured defaults. When
using the console port, you must log out for the new mode to display. When using Telnet, all
subsequent Telnet sessions display the selection.
To change the default management interface, use the cmd-interface command. The syntax of this
command is: cmd-interface {cli | menu}
The cmd-interface command must be executed in the Privileged EXEC command mode.
Enabling Serial Console Port Access

About this task
Use the following procedure to enable serial console port access.
Procedure
3. Use the command serial-console unit <18> to set the unit you want to enable serial
console port access.
4. Use the command serial-console enable to enable serial console port access.
Related Links
Setting Telnet access

CLI can be accessed through a Telnet session. To access CLI remotely, the management port must
have an assigned IP address and remote access must be enabled.
Note:
Multiple users can access CLI system simultaneously, through the serial port, Telnet, and
modems. The maximum number of simultaneous users is four. All users can configure
simultaneously.
See the following commands to view or change Telnet-allowed IP addresses and settings.
Related Links
telnet-access command on page 184
default telnet-access command on page 185
telnet-access command
The telnet-access command configures the Telnet connection that is used to manage the
switch. The telnet-access command is executed through the console serial connection.
The syntax for the telnet-access command is:
telnet-access [enable | disable] [login-timeout <1-10>] [retry<1-100>]
[inactive-timeout <0-60>] [logging {none | access | failures | all}]
[source-ip <1-50> <A.B.C.D> <WORD> [mask <A.B.C.D>]
184

June 2014
Execute the telnet-access command in the Global Configuration command mode.

The following table describes the parameters for the telnet-access command.
Table 28: telnet-access command parameters
Parameters
Description
enable | disable
Enables or disables Telnet connection.
login-timeout <1-10>
Specify in minutes the time to wait for Telnet and

Console login before the connection closes. Enter an
integer between 1 and 10.
retry <1-100>
Specify the number of times the user can enter an

incorrect password before closing the connection.
Enter an integer between 1 and 100.
inactive-timeout <0-60>
Specify in minutes the duration for an inactive

session to be terminated.
logging {none | access | failures | all}
Specify the events whose details you want to store in

the event log:
none-do not save access events in the log
access-save only successful access events in the
log
failure-save failed access events in the log
all-save all access events in the log
[source-ip <1-50> <A.B.C.D> [mask <A.B.C.D>]

[source-ip <WORD>
Specify the source IP address from which

connections are allowed. Enter the IP address in
dotted-decimal notation. Mask specifies the subnet
mask from which connections are allowed; enter IP
mask in dotted-decimal notation.
Related Links
default telnet-access command

The default telnet-access command sets the Telnet settings to the default values.
The syntax for the default telnet-access command is:
default telnet-access
The default telnet-access command is executed in the Global Configuration command
mode.
Related Links
June 2014

185
Setting boot parameters

The command outlined in this section is used for booting the switch as well as setting boot
parameters.
Related Links
boot command on page 186
boot command
The boot command performs a soft-boot of the switch.
The syntax for the boot command is:
boot [default] [partial default]
The boot command is executed in the Privileged EXEC command mode.
The following table describes the parameters for the boot command.
Table 29: boot command parameters
Parameters
Description
default
Reboot the switch and use the factory default configurations
partial-default
Reboot the switch and use partial factory default configurations
Note: When you reset to factory defaults, the switch retains the last reset count and reason for last
reset; these two parameters do not default to factory defaults.
Related Links
Setting boot parameters on page 186
Defaulting to BootP-when-needed
The BootP default value is BootP-when-needed. This enables the switch to be booted and the
system to automatically seek a BootP server for the IP address.
If an IP address is assigned to the device and the BootP process times out, the BootP mode
remains in the default mode of BootP-when-needed.
However, if the device does not have an assigned IP address and the BootP process times out, the
BootP mode automatically changes to BootP disabled. But this change to BootP disabled is not
stored, and the BootP reverts to the default value of BootP-when-needed after rebooting the
device.
When the system is upgraded, the switch retains the previous BootP value. When the switch is
defaulted after an upgrade, the system moves to the default value of BootP-when-needed.
See the following CLI commands to configure BootP parameters.
Related Links
ip bootp server command on page 187
186

June 2014
no ip bootp server command on page 187

default ip bootp server command on page 187
ip bootp server command

The ip bootp server command configures BootP on the current instance of the switch or server.
This command is used to change the value of BootP from the default value, which is BootP-whenneeded.
The syntax for the ip bootp server command is:
ip bootp server {always | disable | last | needed}
The ip bootp server command is executed in the Global Configuration command mode.
Table 30: ip bootp server command parameters
Parameters
Description
always | disable | last | needed
Specifies when to use BootP:

always-Always use BootP
disable-never use BootP
last-use BootP or the last known address
needed-use BootP only when needed
Note: The default value is to use BootP when
needed.
Related Links
no ip bootp server command

The no ip bootp server command disables the BootP server.
The syntax for the no ip bootp server command is:
no ip bootp server
The no ip bootp server command is executed in the Global Configuration command mode.
Related Links
default ip bootp server command

The default ip bootp server command uses BootP when needed.
The syntax for the default ip bootp server command is:
default ip bootp server
June 2014

187
The default ip bootp server command is executed in the Global Configuration command
mode.
Related Links
shutdown command
About this task
The shutdown command proves a mechanism for safely shutting down a switch without interfering
with device processes or corrupting the software image. After this command is issued, the
configuration is saved, auto-save functionality is temporarily disabled, and configuration changes
are not allowed until the switch restarts. If the shutdown is cancelled, auto-save functionality returns
to the state in which it was previously functioning.
The shutdown command has the following syntax: shutdown [force] [minutes-to-wait
<1-60>] [cancel]
The following table describes the parameters of the shutdown command.
Table 31: shutdown command parameter
Parameters
Description
force
This parameter forces the shutdown without confirmation.
minutes-to-wait <1-60>
This parameter represents the number of minutes to wait

before the shutdown occurs. If no value is specified, the default
value of 10 minutes is used.
cancel
This parameter cancels a scheduled shutdown any time during

the time period specified by the minutes-to-wait
parameter.
reload command
About this task
The reload command operates in a similar fashion to the shutdown command. However, the
reload command is intended more to be used by system administrators using the command
functionality to configure remote devices and reset them when the configuration is complete.
The reload command differs from the shutdown command in that the configuration is not explicitly
saved after the command is issued. This means that any configuration changes must be explicitly
saved before the switch reloads.
The reload command does temporarily disable auto-save functionality until the reload occurs.
Cancelling the reload returns auto-save functionality to any previous setting.
The reload command has the following syntax: reload [force] [minutes-to-wait <1-60>]
[cancel]
The following table describes the parameters of the reload command.
188

June 2014
Table 32: reload command parameters

Parameter
Description
force
This parameter forces the reload without confirmation.
minutes-to-wait <1-60>
This parameter represents the number of minutes to wait before

the reload occurs. If no value is specified, the default value of 10
minutes is used.
cancel
This parameter cancels a scheduled reload any time during the

time period specified by the minutes-to-wait parameter.
Configuring Packet Storm Control Settings

About this task
Use the following procedure to configure Packet Storm Control settings.
Procedure
3. Use the command storm-control and one of the following sub-commands to Packet
Storm Control settings:
a. Use the enable sub-command to enable the feature.
b. Use the high-watermark <11100000000> sub-command to set the high watermark in
packets per second.
c. Use the low-watermark <10100000000> sub-command to set the low watermark in
packets per second.
d. Use the poll-interval <5300> sub-command to set the poll interval in seconds.
e. Use the trap-send-interval <01000> sub-command to set the trap send interval in poll
cycles.
Related Links
CLI Help
About this task
To obtain help on the navigation and use of Command Line Interface (CLI), use the following
command: help {commands | modes}
Use help commands to obtain information about the commands available in CLI organized by
command mode. A short explanation of each command is also included.
Use help modes to obtain information about command modes available and CLI commands used to
access them.
These commands are available in any command mode.
June 2014

189
Clearing the default TFTP server with CLI

About this task
The default TFTP server can be cleared from the switch and reset to 0.0.0.0 with the following two
commands:
no tftp-server
default tftp-server
Configuring a default TFTP server with CLI

About this task
The switch processes that make use of a TFTP server often give the switch administrator the option
of specifying the IP address of a TFTP server to be used. Instead of entering this address every
time it is needed, a default IP address can be stored on the switch.
A default TFTP server for the switch is specified with the tftp-server command. The syntax of this
command is: tftp-server <A.B.C.D>
To complete the command, replace <A.B.C.D> with the IP address of the default TFTP server.
This command must be executed in the Privileged EXEC command mode.
Configuring default clock source

About this task
This command sets the default clock source for the switch.
The syntax for this command is: clock source {rtp | sntp | sysUpTime}
Substitute {rtp | sntp | sysUpTime}with the clock source selection.
Run this command in Global Configuration command mode.
Configuring daylight savings time with CLI

About this task
Use the following procedure to configure the daylight savings time adjustment with CLI:
Procedure
1. In CLI, set the Global Configuration command mode.
configure
2. Enable sntp server.
3. Set the date to change to daylight savings time.
clock summer-time zone date day month year hh:mm day month year
hh:mm [offset]
Job aid
The following table defines the variables for the clock summer-time command:
190

June 2014
Table 33: clock summer-time command parameters

Parameters
Description
date
Indicates that daylight savings time should start and

end on the specified days every year.
day
Date to start daylight savings time.
month
Month to start daylight savings time.
year
Year to start daylight savings time.
hh:mm
Hour and minute to start daylight savings time.
day
Date to end daylight savings time.
month
Month to end daylight savings time.
year
Year to end daylight savings time.
hh:mm
Hour and minute to end daylight savings time.
offset
Number of minutes to add/subtract during the

summer time.
WORD
Set time zone acronym containing at most 4 chars

(for example 'PDT' for Pacific Daylight Time) to be
displayed when summer time is in effect.
Configuring Dual Agent

About this task
Use the following commands to configure the Dual Agent feature with CLI.
Related Links
Enhanced download command on page 191
toggle next boot image command on page 192
boot secondary command on page 192
Show agent images on page 193
Enhanced download command

You can update either active image or non-active image. Once the image download is done, the unit
resets and restarts with the new image regardless of the value of the Next Boot image indicator. In
case of image download without reset, the new image in the flash will be the Next Boot image.
Use the download command to specify the download target image. The syntax for this command
is:
download [address <a.b.c.d>] {primary | secondary} {image <image name> |
image-if-newer <image name> | diag <image name>} [no-reset] [usb]
The following table defines the parameters for the download command.
June 2014

191
Table 34: download command parameters

Parameters
Variable
a.b.c.d
Specifies the IP address of the TFTP server
primary | secondary
Choose which image to download.
image <image name>
Download the specified image.
image-if-newer <image name>
Only download the image if the version is newer than the

installed version.
diag <image name>
Download the specified diagnostic image.
no-reset
Do not reset the switch after downloading.
usb
Download the image from the USB drive.
Note:
Dual Agent supports the WLAN switches NBUs through AAUR.
Related Links
toggle next boot image command

You can use CLI commands to change the next boot image of the device.
Use the toggle-next-boot-image command to toggle the next boot image.
toggle-next-boot-image
You must restart the switch after this command to use the next boot image as the new primary
image.
Related Links
boot secondary command

You can use CLI commands to change the next boot image of the device.
Use the boot secondary command to use the secondary boot image. The syntax for this command
is:
boot secondary
The switch will restart automatically with the new image.
Related Links
192

June 2014
Show agent images

You can use CLI commands to list the following information about the agent images stored in flash
memory:
Primary image version
Secondary image name
Active image version
Use the show boot image command to show the agent image information for agent images stored in
the flash memory. They syntax for this command is:
show boot image
Related Links
Configuring local time zone with CLI

About this task
SNTP uses Coordinated Universal Time (UTC) for all time synchronizations so it is not affected by
different time zones. To have the switch report the time in your local time zone, you need to use the
clock commands to set the local time zone.
You must enable SNTP before you set the time zone. If SNTP is not enabled, this command has no
effect. If you enable SNTP and do not specify a time zone, UTC is shown by default.
Use the following procedure to configure your switch for your local time zone with CLI:
Procedure
1. In CLI, set the Global Configuration command mode.
configure
2. Enable sntp server.
3. Set clock time zone using the clock command.
clock time-zone zone hours [minutes]
Job aid
The following table defines the variables for the clock time-zone command:
Table 35: clock time-zone command
Variables
Description
zone
Time zone acronym to be displayed when showing system time

(up to 4 characters).
hours
Difference from UTC in hours. This can be any value between -12
and +12.
minutes
This is the number of minutes difference from UTC. The number

of minutes can be any value between 0 and 59.
June 2014

193
Customizing CLI banner with CLI

Related Links
show banner command on page 194
banner command on page 194
no banner command on page 195
show banner command

The show banner command displays the banner.
The syntax for the show banner command is:
show banner [static | custom]
The show banner command is executed in the Privileged EXEC command mode.
Table 36: show banner command parameters
Parameters
Description
static | custom
Displays which banner is currently set to display:

static
custom
Related Links
banner command
The banner command specifies the banner displayed at startup; either static or custom.
The syntax for the banner command is:
banner {static | custom} <line number> "<LINE>"
Table 37: banner command parameters
Parameters
Description
static | custom
Sets the display banner as:

static
custom
194
line number
Enter the banner line number you are setting. The

range is 1 to 19.
LINE
Specifies the characters in the line number.

June 2014
This command is executed in the Privileged EXEC command mode.

Related Links
no banner command
The no banner command clears all lines of a previously stored custom banner. This command
sets the banner type to the default setting (STATIC).
The syntax for the command is:
no banner
The no banner command is executed in the Privileged EXEC command mode.
Related Links
Displaying the default TFTP server with CLI

About this task
The default TFTP server configured for the switch can be displayed in CLI at any time by using the
folowing command:
show tftp-server command
This command has no parameters and is executed in the Privileged EXEC mode.
Displaying complete GBIC information

About this task
Complete information can obtained for a GBIC port using the following command: show
interfaces gbic-info <port-list>
Substitute <port-list> with the GBIC ports for which to display information. If no GBIC is
detected, this command does not show any information.
This command is available in all command modes.
Displaying hardware information

Use the following command to display a complete listing of information about the status of switch
hardware in CLI:
show system [verbose]
The inclusion of the [verbose] option displays additional information about fan status, power status,
switch serial number, switch model, firmware version, hardware version, pluggable ports, software
version and manufacturing date.
Switch hardware information is displayed in a variety of locations in Web-based management and
Device Manager. No special options are needed in these interfaces to display the additional
information.
June 2014

195
Configuring Auto-Unit Replacement

About this task
Use the following procedure to configure auto-unit replacement.
Procedure
3. Use the command stack auto-unit-replacement config restore unit <18>
restore the configuration of a unit from the saved configuration on the saved unit.
Related Links
Configuring the UI button

About this task
Use the following procedure to configure UI button options.
Procedure
3. Use the command ui-button unit <18> to set the unit to enable.
4. Use the command ui-button enable to enable the ui-button feature.
Related Links
Configuring USB Host Port

About this task
Use the following procedure to configure the USB host port.
Procedure
3. Use the command usb-host-port enable to enable the usb host port.
Related Links
196

June 2014
Enabling Autosave
About this task
With autosave enabled the system checks every minute to see if there is any new configuration
data. If there is, it will automatically be saved to NVRAM. While autosave is enabled, the AUR
feature should perform normally.
Use the following command to enable the autosave feature.
autosave enable command

The autosave enable command is used to enable the autosave feature.
autosave enable
The autosave enable command is executed in Global Configuration command mode.
Setting the server for Web-based management with CLI

You can use the CLI to enable or disable a web server for use with Web-based management.
Related Links
web-server command on page 197
no web-server command on page 197
web-server command
The web-server command enables or disables the web server used for Web-based management.
The syntax for the web-server command is:
web-server {enable | disable}
The web-server command is executed in the Global Configuration command mode.
Table 38: web-server command parameters
Parameter
Description
enable | disable
Enables or disables the web server.
Related Links
no web-server command
The no web-server command disables the web server used for Web-based management.
The syntax for the no web-server command is:
no web-server
June 2014

197
The no web-server command is executed in the Global Configuration command mode.

Related Links
Setting the read-only and read-write passwords

About this task
The first step to requiring password authentication when the user logs in to the switch is to edit the
password settings. To set the read-only and read-write passwords, perform the following procedure.
Procedure
2. From the command prompt, use the cli password command to change the desired password.
cli password {read-only | read-write} <password>
Table 39: cli password command parameters
Parameter
Description
{read-only | read-write}
This parameter specifies if the password change

is for read-only access or read-write access.
<password>
If password security is disabled, the length can

be 1-15 chars. If password security is enabled,
the range for length is 10-15 chars.
Note:
no password security disables
password security.
password security enables password
security.
3. Press Enter.
Setting telnet and serial passwords

About this task
After the read-only and read-write passwords are set, they can be individually enabled or disabled
for the various switch access methods. When enabled, password security prompts you for a
password and the value is hidden. To enable or disable passwords, perform the following
procedure:
Procedure
2. From the command prompt, use the cli password command to enable or disable the desired
password.
198

June 2014
cli password {telnet | serial} {none | local | radius | tacacs}

Table 40: cli password parameters
Parameter
Description
{telnet | serial}
This parameter specifies if the password is

enabled or disabled for telnet or the console.
Telnet and web access are tied together so that
enabling or disabling passwords for one enables
or disables it for the other.
{none | local | radius | tacacs}
This parameter specifies if the password is to be

disabled (none), or if the password to be used is
the locally stored password created in the
previous procedure, or if RADIUS authentication
or TACACS +AAA services is used.
Use the following commands to create a primary
RADIUS server and shared secret:
radius-server host <IP address>
radius-server key <shared secret>
Verify using the show radius-server
command.
Use the following commands to create a primary
TACACS server and shared secret:
tacacs-server host <IP address>
tacacs-server key <shared secret>
Verify using show tacacs-server
command.
3. Click Enter.
Configuring RADIUS
Configure RADIUS to perform authentication services for system users. For specific configuration
procedures, see the vendor documentation. In particular, ensure that you set the appropriate
Service-Type attribute in the user accounts as follows:
for read-write access, Service-Type = Administrative
for read-only access, Service-Type = NAS-Prompt
Related Links
Viewing RADIUS information on page 212
June 2014

199
Enabling RADIUS password fallback

About this task
Enable the RADIUS password fallback feature by using the following command in Global or
Interface Configuration mode:
radius-server password fallback
When RADIUS password fallback is enabled, users can log on to the switch using the local
password if the RADIUS server is unavailable or unreachable.The default is disabled.
After you enable RADIUS password fallback, you cannot disable it without erasing all other RADIUS
server settings.
Important:
You can use the Console Interface to disable the RADIUS password fallback without erasing
other RADIUS server settings. From the main menu, choose Console/Comm Port Configuration,
then toggle the RADIUS Password Fallback field to No.
Disable the RADIUS password fallback feature by using one of the following commands in Global or
no radius-server
default radius-server
The command erases settings for the RADIUS primary and secondary servers and secret key, and
restores default RADIUS settings.
Related Links
Configuring RADIUS authentication

About this task
Remote Authentication Dial-In User Service (RADIUS) is a client/server protocol and software
that enables remote access servers to communicate with a central server to authenticate dial-in
users and authorize their access to the requested system or service. RADIUS allows a company to
maintain user profiles in a central database that all remote servers can share. It provides better
security, allowing a company to set up a policy that can be applied at a single administered network
point.
Use the following commands to configure WLAN 8100 controller so that it can communicate with the
RADIUS server and allow authentication management for users on the controller.
Procedure
2. From the command prompt, use the radius-server command to configure the server
settings.
CLI reference:
WCP8180(config)#radius-server ?
host
RADIUS primary host
200

June 2014
key
password
port
secondary-host
timeout
RADIUS
RADIUS
RADIUS
RADIUS
RADIUS
shared secret
password fallback
UDP port
secondary host
time-out period

Table 41: radius-server parameters
Parameter
Description
host <address>
This parameter is the IPv6 or IPv4 Primary

address of the RADIUS server that is used for
authentication.
[secondary-host <address>]
The secondary-host <address> address>

parameter is optional. If a backup RADIUS
server is to be specified, include this parameter
with the IPv6 or IPv4 address of the backup
server.
port <num>
This parameter is the UDP port number the

RADIUS server uses to listen for requests.
key
This parameter prompts you to supply a secret

text string or password that is shared between
the switch and the RADIUS server. Enter the
secret string, which is a string up to 16
characters in length. The password is hidden
when entered.
[password fallback]
This parameter is optional and enables the

password fallback feature on the RADIUS
server. This option is disabled by default.
3. Press Enter.
Related RADIUS Commands

About this task
During the process of configuring RADIUS authentication, there are three other CLI commands that
can be useful to the process. These commands are:
Procedure
1. show radius-server
The command takes no parameters and displays the current RADIUS server configuration.
2. no radius-server
This command takes no parameters and clears any previously configured RADIUS server
settings.
3. radius-server password fallback
June 2014

201
This command takes no parameters and enables the password fallback RADIUS option if it
was not done when the RADIUS server was configured initially.
Configuring system security

About this task
The following sections describe the methods and procedures necessary to configure system
security.
Depending on the scope and usage of the commands you can use different command modes to
execute them.
Related Links
Configuring MAC address-based security using CLI on page 202
SNMP configuration using CLI on page 213
Configuring TACACS+ using CLI on page 229
Configuring IP Manager using CLI on page 232
Configuring password security using CLI on page 234
Configuring Avaya Secure Network Access Options on page 236
Displaying CLI Audit log using CLI on page 237
Enabling Audit Log Save Settings on page 237
Configuring Secure Socket Layer services using CLI on page 237
Configuring Secure Shell protocol using CLI on page 238
Configuring MAC address-based security using CLI

About this task
Use the following commands to configure the MAC address security using Media Access Control
(MAC) addresses.
Related Links
show mac-security command on page 203
show mac-security mac-da-filter command on page 203
mac-security command on page 204
mac-security mac-address-table address command on page 205
show mac-security mac-address-table command on page 205
mac-security security-list command on page 205
no mac-security security-list command on page 206
mac-security command for specific ports on page 206
show mac-security command on page 207
202

June 2014
mac-security mac-da-filter command on page 207

CLI commands for MAC address auto-learning on page 207
show mac-security command

The show mac-security command displays configuration information for the MAC security
application.
CLI reference:
WCP8180(config)#show
config
mac-address-table
mac-da-filter
port
security-lists
mac-security ?
Display the stack/switch MAC security configuration.
Display the accessible MAC addresses on each port.
Display MAC DA filtering addresses
Display ports' MAC security status.
Display port membership of security lists.

Table 42: show mac-security command parameters
Parameter
Description
config
Displays general MAC security configuration

information.
mac-address-table [address <madaddr>]
Displays contents of BaySecure table of allowed

MAC addresses:
addressspecifies a single MAC address to
display; enter the MAC address
port
Displays the BaySecure status of all ports.
security-lists
Displays port membership of all security lists.
The show mac-security command is executed in the Privileged EXEC command mode.
Related Links
show mac-security mac-da-filter command

The show mac-security mac-da-filter command displays configuration information for
filtering MAC destination addresses (DA). Packets can be filtered from up to 10 MAC DAs.
The syntax for the show mac-security mac-da-filter command is
show mac-security mac-da-filter
The show mac-security mac-da-filter command is executed in the Privileged EXEC
command mode.
The show mac-security mac-da-filter command has no parameters or variables.
Related Links
June 2014

203
mac-security command
The mac-security command modifies the MAC security configuration.
The mac-security command is executed in the Global Configuration mode.
CLI reference:
WCP8180(config)#mac-security ?
auto-learning
Configure MAC Auto-Learning
disable
Disable MAC Address Security.
enable
Enable MAC Address Security.
filtering
Enable/disable DA filtering
intrusion-detect
Enable/disable partitioning on intrusion detection
intrusion-timer
Set temporary partition time for intrusion detection.
learning
Enable/disable MAC address learning
learning-ports
Modify ports participation in MAC address learning.
mac-address-table Add addresses to MAC security address table
mac-da-filter
Add/delete MAC DA filtering addresses
security-list
Modify security list port membership.
snmp-lock
Enable/disable SNMP lock on MAC address security parameters.

Table 43: mac-security parameters
Parameter
Description
auto-learning
Configure MACE auto-learning
disable|enable
Disables or enables MAC address-based security.
filtering {enable|disable}
Enables or disables DA filtering on intrusion

detected.
intrusion-detect {enable|disable|forever}
Specifies partitioning of a port when an intrusion is

detected:
enableport is partitioned for a period of time
disabledport is not partitioned on detection
foreverport is partitioned until manually changed
intrustion-timer <1-65535>
Specifies, in seconds, length of time a port is

partitioned when an intrusion is detected; enter the
number of seconds desired.
learning-ports <portlist>
Specifies MAC address learning. Learned addresses

are added to the table of allowed MAC addresses.
Enter the ports to learn; a single port, a range of
ports, several ranges, all ports, or no ports can be
entered.
learning {enable|disable}
Specifies MAC address learning:

enableenables learning by ports
disabledisables learning by ports
snmp-lock {enable|disable}
204
Enables or disables a lock on SNMP write-access to

the BaySecure MIBs.

June 2014
Parameter
Description
snmp-trap {enable|disable}
Enables or disables trap generation upon intrusion

detection.
Related Links
mac-security mac-address-table address command

The mac-security mac-address-table address command assigns either a specific port or
a security list to the MAC address. This removes the previous assignment to the specified MAC
address and creates an entry in the BaySecure table of allowed MAC addresses.
The syntax for the mac-security mac-address-table address command is
mac-security mac-address-table address <H.H.H.> {port <portlist>|
security-list <1-32>}
Table 44: no mac-security mac-address-table parameters
Parameter
Description
<H.H.H>
Enter the MAC address in the form of H.H.H.H.H.H
port <portlist>
Enter the port number.
security-list <1-32>
Enter the security list number.
The no mac-security mac-address-table command executes in the Global Configuration

mode.
Related Links
show mac-security mac-address-table command

The show mac-security mac-address-table command displays the current global MAC Address
security table. The syntax for this command is
show mac-security mac-address-table.
This command executes in the Privileged EXEC/Global Configuration command mode.
Related Links
mac-security security-list command

The mac-security security-list command assigns a list of ports to a security list.
The syntax for the mac-security security-list command is:
mac-security security-list <1-32> <portlist>
June 2014

205
Table 45: mac-security security-list parameters

Parameter
Description
<1-32>
Enter the number of the security list you want to use.
<portlist>
Enter the port number.
The mac-security security-list command executes in the Global Configuration mode.

Related Links
no mac-security security-list command

The no mac-security security-list command clears the port membership of a security list.
The syntax for the no mac-security security-list command is:
no mac-security security-list <1-32>
Substitute the <1-32> with the number of the security list to be cleared.
The no mac-security security-list command executes in the Global Configuration mode.
Related Links
mac-security command for specific ports

The mac-security command for specific ports configures the BaySecure status of specific ports.
The syntax for the mac-security command for specific ports is
mac-security [port <portlist>] {disable|enable|learning}
Table 46: mac-security parameters
Parameter
Description
port <portlist>
Enter the port numbers.
disable|enable|learning
Directs the specific port

disabledisables BaySecure on the specified port and
removes the port from the list of ports for which MAC
address learning is being performed
enableenables BaySecure on the specified port and
removes the port from the list of ports for which MAC
learningdisables BaySecure on the specified port and
adds these port to the list of ports for which MAC
The mac-security command for specific ports executes in the Interface Configuration mode.
206

June 2014
Related Links
show mac-security command

The show mac-security command displays the current MAC Address security table for the ports
entered. The syntax for this command is
show mac-security port <portlist>
Substitute <portlist> with the ports to be displayed.
This command executes in the Privileged EXEC command mode.
Related Links
mac-security mac-da-filter command

The mac-security mac-da-filter command allows packets to be filtered from up to ten
specified MAC DAs. This command also allows you to delete such a filter and then receive packets
from the specified MAC DA.
The syntax for the mac-security mac-da-filter command is
mac-security mac-da-filter {add|delete} <H.H.H>
Substitute the {add|delete} <H.H.H> with either the command to add or delete a MAC address
and the MAC address in the form of H.H.H.
The mac-security mac-da-filter command executes in the Global Configuration mode.
Related Links
CLI commands for MAC address auto-learning

Use the following CLI commands to configure and manage MAC address auto-learning.
Related Links
mac-security auto-learning aging-time command on page 207
no mac-security auto-learning aging-time command on page 208
default mac-security auto-learning aging-time command on page 208
mac-security auto-learning port command on page 208
no mac-security auto-learning command on page 209
default mac-security auto-learning command on page 209
mac-security auto-learning aging-time command
The mac-security auto-learning aging-time command sets the aging time for the autolearned addresses in the MAC Security Table.
The syntax for the command is
June 2014

207
mac-security auto-learning aging-time <0-65535>

Substitute <0-65535> with the aging time in minutes. An aging time of 0 means that the learned
addresses never age out. The default is 60 minutes.
The mac-security auto-learning aging-time command executes in the Global
Configuration mode.
Related Links
no mac-security auto-learning aging-time command
The no mac-security auto-learning aging-time command sets the aging time for the
auto-learned addresses in the MAC Security Table to 0. In this way, it disables the removal of autolearned MAC addresses.
no mac-security auto-learning aging-time
The no mac-security aging-time command executes in the Global Configuration mode.
Related Links
default mac-security auto-learning aging-time command
The default mac-security auto-learning aging-time command sets the aging time for
the auto-learned addresses in the MAC Security Table to the default of 60 minutes.
default mac-security auto-learning aging-time
The default mac-security auto-learning aging-time command executes in the Global
Configuration mode.
Related Links
mac-security auto-learning port command
The mac-security auto-learning port command configures MAC security auto-learning on
the ports.
mac-security auto-learning port <portlist> disabledisable|{enable [maxaddrs <1-25>}
Table 47: mac-security auto-learning parameters
208
Parameter
Description
<portlist>
The ports to configure for auto-learning.

June 2014
Parameter
Description
disable|enable
Disables or enables auto-learning on the specified ports. The

default is disabled.
max-addrs <1-25>
Sets the maximum number of addresses the port learns. The

default is 2.
The mac-security auto-learning command executes in the Interface Configuration mode.

Related Links
no mac-security auto-learning command
This command disables MAC security auto-learning for the specified ports on the switch. The syntax
for this command is
no mac-security auto-learning port <portlist>
The no mac-security auto-learning command executes in the Interface Configuration
mode.
Related Links
default mac-security auto-learning command
The default mac-security auto-learning command sets the default MAC security autolearning on the switch.
default mac-security auto-learning port <portlist> [enable] [max-addrs]
Table 48: default mac-security auto-learning parameters
Parameters
Description
<portlist>
The ports to configure for auto-learning.
enable
Sets to default the auto-learning status for the port.

The default is disabled.
max-addrs
Sets to default the maximum number of addresses

the port learns. The default is 2.
The default mac-security auto-learning command executes in the Interface

Configuration mode.
Related Links
June 2014

209
Configuring RADIUS
Configure RADIUS to perform authentication services for system users. For specific configuration
procedures, see the vendor documentation. In particular, ensure that you set the appropriate
Service-Type attribute in the user accounts as follows:
for read-write access, Service-Type = Administrative
for read-only access, Service-Type = NAS-Prompt
Related Links
Viewing RADIUS information on page 212
Configuring a RADIUS server

In WLAN 8100, RADIUS servers are grouped into a profile, called the radius-profile. Multiple
Radius-profiles, up to 32, can be configured on a controller. In each radius-profile, up to 32 RADIUS
servers (IPs) can be configured. A RADIUS server (IP) in two different radius-profiles count as 2
servers. A total of 32 servers can be configured on a controller.
About this task

Use this procedure to configure RADIUS servers.
Procedure
1. Enter Global or Interface Configuration mode of the ACLI.
2. Configure a RADIUS server using the command radius server <host IP Address>,
where <host IP address> is the IP address of the primary RADIUS server you want to
configure.
3. Configure a RADIUS profile using the command radius profile <profile name>
type .
A RADIUS profile can be one of two types authentication or accounting.
(WC8180-security)#radius profile <profile name> type ?
acct
auth
The default RADIUS profile type is auth.

4. Configure server selection for the authentication RADIUS profile using the command
radius profile <profile name> type auth server-selection .
(WC8180-security)#radius profile profile name type auth server-selection ?
priority
round-robin
The default server selection is priority.

5. Configure a RADIUS server and associate it with a RADIUS profile using the command
radius server <host IP Address> <profile name>.
210

June 2014
6. Configure the attributes of a RADIUS server using the following parameters:

In this example, 172.16.2.11 is the server host IP address and sample-radiusprofile is an example RADIUS profile.
WC8180(config-security)#radius server
encrypted-secret
health-check-encrypted-password
health-check-user
priority
secret
udp-port
172.16.2.11 sample-radius-profile ?
radius health check password (encrypted)
Radius health check interval.
server priority
server UDP port

Parameter
Description
encrypted-secret
Specifies the encrypted RADIUS secret.
health-check-encryptedpassword
Specifies the encrypted RADIUS health check password.
Specifies the time (in seconds) after which the controller checks
the health of the RADIUS server.
Enter a number in the range 0100. Specifying a time interval of
0 disables the health check.
health-check-user
Specifies the user name for the RADIUS health check.

This user name must be configured in the Active Directory.
Specifies the user password for RADIUS health check.

The password (for the health-check-user) must be configured in
the Active Directory.
priority
Specifies the server priority.

Enter an integer in the range 1-65535.
secret
Specifies the secret authentication and encryption key used for

all communications between the NAS and the RADIUS server.
The shared secret must be the same as the one defined on the
server. You are prompted to enter and confirm the secret.
udp-port
Specifies the UDP port for RADIUS.

<port> is an integer in the range 065535.
The default port number for RADIUS authentication is 1812.
The default port number for RADIUS accounting is 1813.
7. Use the command no radius profile <radius profile name> to delete a RADIUS profile.
8. Use the command no radius server <server IP Address> <radius profile
name> to delete a RADIUS server.
June 2014

211
9. Use the command default radius server <ip address> <health-checkinterval | health-check-password | health-check-user | health-checkencrypted-password> to restore default RADIUS server settings.
10. Use the command default radius profile <radius profile name> serverselection to delete a RADIUS profile.
Related Links
Enabling RADIUS password fallback

About this task
Enable the RADIUS password fallback feature by using the following command in Global or
radius-server password fallback
When RADIUS password fallback is enabled, users can log on to the switch using the local
password if the RADIUS server is unavailable or unreachable.The default is disabled.
After you enable RADIUS password fallback, you cannot disable it without erasing all other RADIUS
server settings.
Important:
You can use the Console Interface to disable the RADIUS password fallback without erasing
other RADIUS server settings. From the main menu, choose Console/Comm Port Configuration,
then toggle the RADIUS Password Fallback field to No.
Disable the RADIUS password fallback feature by using one of the following commands in Global or
no radius-server
default radius-server
The command erases settings for the RADIUS primary and secondary servers and secret key, and
restores default RADIUS settings.
Related Links
Viewing RADIUS information

About this task
Display RADIUS configuration status by using the following command from any mode:
show radius-server
Related Links
212

June 2014
SNMP configuration using CLI

Use the following commands to configure SNMP to monitor devices running software that supports
the retrieval of SNMP information, using the CLI.
Related Links
Configuring SNMP v1, v2c, v3 Parameters using CLI on page 213
SNMPv3 table entries stored in NVRAM on page 214
show snmp-server command on page 215
snmp-server community for read or write command on page 215
snmp-server community command on page 216
no snmp-server community command on page 217
default snmp-server community command on page 217
no snmp-server contact command on page 218
default snmp-server contact command on page 218
snmp-server command on page 218
no snmp-server command on page 218
snmp-server host command on page 219
show snmp-server host command on page 220
no snmp-server host command on page 220
default snmp-server host command on page 221
snmp-server location command on page 221
no snmp-server location command on page 222
default snmp-server location command on page 222
snmp-server name command on page 222
no snmp-server name command on page 223
default snmp-server name command on page 223
snmp-server user command on page 223
no snmp-server user command on page 225
snmp-server view command on page 225
no snmp-server view command on page 226
snmp-server bootstrap command on page 226
show snmp-server notification-control on page 227
snmp-server notification-control command on page 228
no snmp-server notification-control on page 228
default snmp-server notification-control on page 229
Configuring SNMP v1, v2c, v3 Parameters using CLI

Earlier releases of SNMP used a proprietary method for configuring SNMP communities and trap
destinations for specifying SNMPv1 configuration that included:
A single read-only community string that can only be configured using the console menus.
June 2014

213
A single read-write community string that can only be configured using the console menus.
Up to four trap destinations and associated community strings that can be configured either in
the console menus, or using SNMP Set requests on the s5AgTrpRcvrTable
With the WLAN 8100 Series support for SNMPv3, you can configure SNMP using the new
standards-based method of configuring SNMP communities, users, groups, views, and trap
destinations.
Important:
You must configure views and users using CLI before SNMPv3 can be used.
Important:
You must have the secure version of the software image installed on your switch before you can
configure SNMPv3.
The WLAN 8100 Series also supports the previous proprietary SNMP configuration methods for
backward compatibility.
All the configuration data configured in the proprietary method is mapped into the SNMPv3 tables as
read-only table entries. In the new standards-based SNMPv3 method of configuring SNMP, all
processes are configured and controlled through the SNMPv3 MIBs. The Command Line Interface
commands change or display the single read-only community, read-write community, or four trap
destinations of the proprietary method of configuring SNMP. Otherwise, the commands change or
display SNMPv3 MIB data.
The WLAN 8100 Series software supports MD5 and SHA authentication, as well as AES and DES
encryption.
The SNMP agent supports exchanges using SNMPv1, SNMPv2c and SNMPv3. Support for
SNMPv2c introduces a standards-based GetBulk retrieval capability using SNMPv1 communities.
SNMPv3 support introduces industrial-grade user authentication and message security. This
includes MD5 and SHA-based user authentication and message integrity verification, as well as
AES- and DES-based privacy encryption.
Export restrictions on SHA and DES necessitate support for domestic and non-domestic executable
images or defaulting to no encryption for all customers.
The traps can be configured in SNMPv1, v2, or v3 format. If you do not identify the version (v1, v2,
or v3), the system formats the traps in the v1 format. A community string can be entered if the
system requires one.
Related Links
SNMPv3 table entries stored in NVRAM

The following list shows the number of nonvolatile entries (entries stored in NVRAM) allowed in the
SNMPv3 tables. The system does not allow you to create more entries marked nonvolatile when
you reach these limits:
214
snmpCommunityTable: 20
vacmViewTreeFamilyTable: 60
vacmSecurityToGroupTable: 40
vacmAccessTable: 40

June 2014
usmUserTable: 20
snmpNotifyTable: 20
snmpTargetAddrTabel: 20
snmpTargetParamsTable: 20
Related Links
show snmp-server command

The show snmp-server command displays SNMP configuration.
The syntax for the show snmp-server command is
show snmp-server {host|user|view|notification-control|notify-filter}
The show snmp-server command executes in the Privileged EXEC command mode.
Table 49: show snmp-server command parameters
Parameter
Description
host
Displays the trap receivers configured in the SNMPv3 MIBs.
user
Displays the SNMPv3 users, including views accessible to each

user.
view
Displays SNMPv3 views.
notification-control
Displays SNMPv3 notification controls.
notify-filter
Displays SNMPv3 notification filters.
Related Links
snmp-server community for read or write command

This command configures a single read-only or a single read-write community. A community
configured using this command does not have access to any of the SNMPv3 MIBs. The community
strings created by this command are controlled by the SNMP Configuration screen in the console
interface. These community strings have a fixed MIB view.
The snmp-server community command for read/write modifies the community strings for
SNMPv1 and SNMPv2c access.
The syntax for the snmp-server community for read/write command is
snmp-server community [ro|rw]
The snmp-server community for read/write command executes in the Global Configuration
mode.
June 2014

215
Table 50: snmp-server community for read/write command

Parameter
Description
ro|rw (read-only I read-write)
Specifies read-only or read-write access. Stations with ro

access can only retrieve MIB objects, and stations with rw
access can retrieve and modify MIB objects. If ro nor rw are
not specified, ro is assumed (default).
Related Links
snmp-server community command

The snmp-server community command allows you to create community strings with varying
levels of read, write, and notification access based on SNMPv3 views. These community strings are
separate from those created using the snmp-server community for read/write command.
This command affects community strings stored in the SNMPv3 snmpCommunity Table, which
allows several community strings to be created. These community strings can have any MIB view.
The syntax for the snmp-server community command is
snmp-server community {read-view <view-name>|write-view <view-name>|
notify-view <view-name>}
The snmp-server community command executes in the Global Configuration mode.
Table 51: snmp-server community command parameters
Parameter
Description
read-view <view-name>
Changes the read view used by the new community string for
different types of SNMP operations.
view-namespecifies the name of the view which is a set of
MIB objects/instances that can be accessed; enter an
alphanumeric string.
write-view <view-name>
Changes the write view used by the new community string for
different types of SNMP operations.
notify-view <view-name>
Changes the notify view settings used by the new community

string for different types of SNMP operations.
Related Links
216

June 2014
no snmp-server community command

The no snmp-server community command clears the snmp-server community configuration.
The syntax for the no snmp-server community command is
no snmp-server community {ro|rw|<community-string>}
The no snmp-server community command is executed in the Global Configuration mode.
If you do not specify a read-only or read-write community parameter, all community strings are
removed, including all the communities controlled by the snmp-server community command and
the snmp-server community for read-write command.
If you specify read-only or read-write, then just the read-only or read-write community is removed. If
you specify the name of a community string, then the community string with that name is removed.
Table 52: no snmp-server community command parameters
Parameters
Description
ro |rw|<community-string>
Changes the settings for SNMP:

ro|rwsets the specified old-style community string
value to NONE, thereby disabling it.
community-stringdeletes the specified community
string from the SNMPv3 MIBs (that is, from the newstyle configuration).
Related Links
default snmp-server community command

The default snmp-server community command restores the community string configuration
to the default settings.
The syntax for the default snmp-server community command is
default snmp-server community [ro|rw]
The default snmp-server community command executes in the Global Configuration mode.
If the read-only or read-write parameter is omitted from the command, then all communities are
restored to their default settings. The read-only community is set to Public, the read-write community
is set to Private, and all other communities are deleted.
Table 53: default snmp-server community command parameters
Parameters
Description
ro|rw
Restores the read-only community to Public, or the read-write

community to Private.
June 2014

217
Related Links
no snmp-server contact command

The no snmp-server contact command clears the sysContact value.
The syntax for the no snmp-server contact command is
no snmp-server contact
The no snmp-server contact command executes in the Global Configuration mode.
Related Links
default snmp-server contact command

The default snmp-server contact command restores sysContact to the default value.
The syntax for the default snmp-server contact command is
default snmp-server contact
The default snmp-server contact command executes in the Global Configuration mode.
Related Links
snmp-server command
The snmp-server command enables or disables the SNMP server.
The syntax for the snmp-server command is:
snmp-server {enable|disable}
Table 54: snmp-server command parameters
Parameter
Description
enable|disable
Enables or disables the SNMP server.
Related Links
no snmp-server command
The no snmp-server command disables SNMP access.
The syntax for the no snmp-server command is
no snmp-server
The no snmp-server command executes in the Global Configuration mode.
218

June 2014
The no snmp-server command has no parameters or variables.

Important:
If you disable SNMP access to the switch, you cannot use Device Manager for the switch.
Related Links
snmp-server host command

The snmp-server host command adds a trap receiver to the trap-receiver table.
In the proprietary method, the table has a maximum of four entries, and these entries can generate
only SNMPv1 traps. This command controls the contents of the s5AgTrpRcvrTable, which is the set
of trap destinations controlled by the SNMP Configuration screen in the console interface.
The proprietary method syntax for the snmp-server host for command is
snmp-server host <host-ip> <community-string>
Using the new standards-based SNMP method, you can create several entries in SNMPv3 MIBs.
Each can generate v1, v2c, or v3 traps.
Important:
Before using the desired community string or user in this command, ensure that it is configured
with a notify-view.
The new standards-based method syntax for the snmp-server host command is
snmp-server host <host-ip> [port <trap-port>] {v1 <community-string>|v2c
<community-string>|v3 {auth|no-auth|auth-priv}<username>
The snmp-server host command executes in the Global Configuration mode.
Table 55: snmp-server host command parameters
Parameter
Description
host-ip
Enter a dotted-decimal IP address of a host to be the

trap destination.
community-string
If you are using the proprietary method for SNMP,

enter a community string that works as a password
and permits access to the SNMP protocol.
port <trap-port>
Enter a value for the SNMP trap port between 1 and

65535.
v1<community-string>
To configure the new standards-based tables, using

v1 creates trap receivers in the SNMPv3 MIBs.
Multiple trap receivers with varying access levels can
be created.
v2c<community-string>

v2c creates trap receivers in the SNMPv3 MIBs.
June 2014

219
Parameter
Description
be created.
v3{auth|no-auth|auth-priv}

v3 creates trap receivers in the SNMPv3 MIBs.
be created. Enter the following variables:
authauth specifies SNMPv3 traps are sent using
authentication and no privacy.
no-authno-auth specifies SNMPv3 traps are sent
using with no authentication and no privacy.
auth-privspecifies traps are sent using
authentication and privacy; this parameter is
available only if the image has full SHA/DES
support.
username
To configure the new standards-based tables;

specifies the SNMPv3 username for trap destination;
enter an alphanumeric string.
Related Links
show snmp-server host command

The show snmp-server host command displays the current SNMP host information including
the configured trap port.
The syntax for the show snmp-server host command is
show snmp-server host
The show snmp-server host executes in the any mode.
Related Links
no snmp-server host command

The no snmp-server host command deletes trap receivers from the table.
The proprietary method syntax for the no snmp-server host command is
no snmp-server host [<host-ip> [community-string>]]
Using the standards-based method of configuring SNMP, a trap receiver matching the IP address
and SNMP version is deleted.
The standards-based method syntax for the no snmp-server host command is
no snmp-server host <host-ip> [port<trap-port>] {v1|v2c|v3|<communitystring>}
The no snmp-server host command executes in the Global Configuration mode.
220

June 2014
If you do not specify any parameters, this command deletes all trap destinations from the
s5AgTrpRcvrTable and from SNMPv3 tables.
Table 56: no snmp-server host command parameters
Parameter
Description
<host-ip> [<community-string>]
In the proprietary method, enter the following

variables:
host-ipthe IP address of a trap destination host.
community-stringthe community string that works
as a password and permits access to the SNMP
protocol.
If both parameters are omitted, all hosts are cleared,
proprietary and standards-based. If a host IP is
included, the community-string is required or an error
is reported.
<host-ip>
Using the standards-based method, enter the IP

address of a trap destination host.
port <trap-port>
Using the standards-based method, enter the SNMP

trap port.
v1|v2c|v3|<community-string>
Using the standards-based method, specifies trap

receivers in the SNMPv3 MIBs. <community-string>
the community string that works as a password
and permits access to the SNMP protocol.
Related Links
default snmp-server host command

The default snmp-server host command restores the-old style SNMP server and the
standards based tables are reset (cleared).
The syntax for the default snmp-server host command is:
default snmp-server host
The default snmp-server host command is executed in the Global Configuration mode.
The default snmp-server host command has no parameters or variables.
Related Links
snmp-server location command

The snmp-server location command configures the SNMP sysLocation value.
The syntax for the snmp-server location command is:
June 2014

221
snmp-server location <text>

The snmp-server location command is executed in the Global Configuration mode.
Table 57: snmp-server location command parameters
Parameter
Description
text
Specify the SNMP sysLocation value; enter an alphanumeric

string of up to 255 characters.
Related Links
no snmp-server location command

The no snmp-server location command clears the SNMP sysLocation value.
The syntax for the no snmp-server location command is:
no snmp-server location
The no snmp-server location command is executed in the Global Configuration mode.
Related Links
default snmp-server location command

The default snmp-server location command restores sysLocation to the default value.
The syntax for the default snmp-server location command is:
default snmp-server location
The default snmp-server location command is executed in the Global Configuration mode.
Related Links
snmp-server name command

The snmp-server name command configures the SNMP sysName value.
The syntax for the snmp-server name command is:
snmp-server name <text>
The snmp-server name command is executed in the Global Configuration mode.
222

June 2014
Table 58: snmp-server name command parameters

Parameter
Description
text
Specify the SNMP sysName value; enter an alphanumeric string

of up to 255 characters.
Related Links
no snmp-server name command

The no snmp-server name command clears the SNMP sysName value.
The syntax for the no snmp-server name command is:
no snmp-server name
The no snmp-server name command is executed in the Global Configuration mode.
Related Links
default snmp-server name command

The default snmp-server name command restores sysName to the default value.
The syntax for the default snmp-server name command is:
default snmp-server name
The default snmp-server name command is executed in the Global Configuration mode.
Related Links
snmp-server user command

The snmp-server user command creates an SNMPv3 user.
For each user, you can create three sets of read/write/notify views:
for unauthenticated access
for authenticated access
for authenticated and encrypted access
The syntax for the snmp-server user command for unauthenticated access is:
snmp-server user <username> [read-view<view-name>] [write-view<viewname>] [notify-view<view-name]
The syntax for the snmp-server user command for authenticated access is:
snmp-server user <username> [read-view<view-name>] [write-view<viewname>] [notify-view<view-name]] md5|sha <password> [read-view<view-name>]
[write-view<view-name>] [notify-view<view-name]
The syntax for the snmp-server user command for authenticated and encrypted access is:
June 2014

223
snmp-server user <username> [read-view<view-name>] [write-view<viewname>] [notify-view<view-name]] md5|sha <password> [read-view<view-name>]

[write-view<view-name>] [notify-view<view-name]] {3des|aes|des}
<password> [read-view<view-name>] [write-view<view-name>] [notifyview<view-name]
The snmp-server user command is executed in the Global Configuration mode.
The sha and 3des/aes/des parameters are only available if the switch image has SSH support.
For authenticated access, you must specify the md5 or sha parameter. For authenticated and
encrypted access, you must also specify the 3des, aes, or des parameter.
For each level of access, you can specify read, write, and notify views. If you do not specify view
parameters for authenticated access, the user will have access to the views specified for
unauthenticated access. If you do not specify view parameters for encrypted access, the user will
have access to the views specified for authenticated access or, if no authenticated views were
specified, the user will have access to the views specified for unauthenticated access.
Table 59: snmp-server user command parameters
Parameters
Description
username
Specifies the user name. Enter an alphanumeric string of up to 255

characters.
md5 <password>
Specifies the use of an md5 password. <password> specifies the

new user md5 password; enter an alphanumeric string. If this
parameter is omitted, the user is created with only unauthenticated
access rights.
read-view <view-name>
Specifies the read view to which the new user has access:
view-namespecifies the viewname; enter an alphanumeric
string of up to 255 characters.
write-view <view-name>
Specifies the write view to which the new user has access:
string that can contain at least some of the nonalphanumeric
characters.
notify-view <view-name>
Specifies the notify view to which the new user has access:
string that can contain at least some of the nonalphanumeric
characters.
SHA
Specifies SHA authentication.
3DES
Specifies 3DES privacy encryption.
AES
Specifies AES privacy encryption.
DES
Specifies DES privacy encryption.
engine-id
Specifies the new remote user to receive notifications.

notify-viewspecifies the viewname to notify.
224

June 2014
Important:
If a view parameter is omitted from the command, that view type cannot be accessed.
Related Links
no snmp-server user command

The no snmp-server user command deletes the specified user.
The syntax for the no snmp-server user command is:
no snmp-server user [engine-id<engine ID>] <username>
The no snmp-server user command is executed in the Global Configuration mode.
Important:
If you do not specify any parameters, this command deletes all snmpv3 users from the SNMPv3
tables.
Table 60: no snmp-server user command parameters
Parameters
Description
[engine-id <engine ID>]
Specifies the SNMP engine ID of the remote SNMP entity.
username
Specifies the user to be removed.
Related Links
snmp-server view command

The snmp-server view command creates an SNMPv3 view. The view is a set of MIB object
instances which can be accessed.
The syntax for the snmp-server view command is:
snmp-server view <view-name> <OID> [<OID> {<OID> [<OID> [<OID> [<OID>
[<OID> [<OID> [<OID> [<OID>]]]]]]]]]
The snmp-server view command is executed in the Global Configuration mode.
Table 61: snmp-server view command parameters
Parameters
Description
viewname
Specifies the name of the new view; enter an alphanumeric

string.
OID
Specifies Object identifier. OID can be entered as a dotted

form OID. Each OID must be preceded by a + or - sign (if
this is omitted, a + sign is implied). The + is not optional.
June 2014

225
Parameters
Description
For the dotted form, a sub-identifier can be an asterisk,
indicating a wildcard. Here are some examples of valid OID
parameters:
sysName
+sysName
-sysName
+sysName.0
+ifIndex.1
-ifEntry..1 (this matches all objects in the ifTable with an
instance of 1; that is, the entry for interface #1)
1.3.6.1.2.1.1.1.0 (the dotted form of sysDescr)
The + or - indicates whether the specified OID is included in
or excluded from, the set of MIB objects accessible using
this view.
There are 10 possible OID values.
Related Links
no snmp-server view command

The no snmp-server view command deletes the specified view.
The syntax for the no snmp-server view is:
no snmp-server view <viewname>
The no snmp-server view is executed in the Global Configuration mode.
Table 62: no snmp-server view command parameters
Parameter
Description
viewname
Specifies the name of the view to be removed. This is not an

optional parameter.
Related Links
snmp-server bootstrap command

The snmp-server bootstrap command allows you to specify how you wish to secure SNMP
communications, as described in the SNMPv3 standards. It creates an initial set of configuration
data for SNMPv3. This configuration data follows the conventions described in the SNMPv3
standard (in RFC 3414 and 3415). This commands creates a set of initial users, groups and views.
226

June 2014
Important:
This command deletes all existing SNMP configurations, hence must be used with care.
The syntax for the snmp-server bootstrap command is:
snmp-server bootstrap <minimum-secure>|<semi-secure>|<very-secure>
The snmp-server bootstrap command is executed in the Global Configuration mode.
Table 63: snmp-server bootstrap command parameters
Parameters
Description
<minimum-secure>
Specifies a minimum security configuration that allows read access and

notify access to all processes (view restricted) with noAuth-noPriv and
read, write, and notify access to all processes (internet view) using AuthnoPriv and Auth-Priv.
Important:
In this configuration, view restricted matches view internet.
<semi-secure>
Specifies a minimum security configuration that allows read access and

notify access to all processes (view restricted) with noAuth-noPriv and
read, write, and notify access to all processes (internet view) using AuthnoPriv and Auth-Priv.
Important:
In this configuration, restricted contains a smaller subset of views
than internet view. The subsets are defined according to RFC 3515
Appendix A.
<very-secure>
Specifies a maximum security configuration that allows no access to the

users.
Related Links
show snmp-server notification-control

The show snmp-server notification-control command shows the current state of the
applicable notifications.
The syntax for the show snmp-server notification-control command is
show snmp-server notification-control
The show snmp-server notification-control command executes in any mode.
Related Links
June 2014

227
snmp-server notification-control command

The snmp-server notification-control command enables the notification identified by the
command parameter. The notification options are:
DHCP Snooping: bsDhcpSnoopingBindingTableFull, bsDhcpSnoopingTrap
Dynamic ARP Inspection: bsaiArpPacketDroppedOnUntrustedPort
IP Source Guard: bsSourceGuardReachedMaxIpEntries, bsSourceGuardCannotEnablePort
The syntax for the snmp-server notification-control command is
snmp-server notification-control <WORD/1-128>
The snmp-server notification-control command executes in Global Configuration mode.
Table 64: snmp-server notification-control command parameters
Parameter
Description
<WORD/1-128>
Can either be the English description or the OID of a supported

notification type.
Related Links
no snmp-server notification-control
The no snmp-server notification-control command disables the notification identified by
the command parameter. The notification options are:
DHCP Snooping: bsDhcpSnoopingBindingTableFull, bsDhcpSnoopingTrap
Dynamic ARP Inspection: bsaiArpPacketDroppedOnUntrustedPort
IP Source Guard: bsSourceGuardReachedMaxIpEntries, bsSourceGuardCannotEnablePort
The syntax for the no snmp-server notification-control command is
no snmp-server notification-control <WORD/1-128>
The no snmp-server notification-control command executes in Global Configuration
mode.
Table 65: no snmp-server notification-control command parameters
Parameter
Description
<WORD/1-128>
Can either be the English description or the OID of a supported

notification type.
Related Links
228

June 2014
default snmp-server notification-control

The default snmp-server notification-control command returns the notification
identified by the command parameter to its default state.
The syntax for the default snmp-server notification-control command is
default snmp-server notification-control <WORD/1-128>
The default snmp-server notification-control command executes in Global
Configuration mode.
Table 66: default snmp-server notification-control command parameters
Parameter
Description
<WORD/1-128>
Can either be the English description or the OID of a supported notification

type.
Related Links
Configuring TACACS+ using CLI

About this task
To configure TACACS+ to perform AAA services for system users, do the following:
1. Configure the TACACS+ server itself. For more information, see the vendor documentation
for your server for specific configuration procedures.
2. Configure TACACS+ server settings on the switch.
3. Enable TACACS+ services over serial or Telnet connections.
4. Enable TACACS+ authorization and specify privilege levels.
5. Enable TACACS+ accounting.
Important:
You can enable TACACS+ authorization without enabling TACACS+ accounting, and you can
enable TACACS+ accounting without enabling TACACS+ authorization.
Use the following commands to configure TACACS+.
Related Links
Configuring TACACS+ server settings on page 230
Enabling remote TACACS+ services on page 230
Enabling TACACS+ authorization on page 231
Setting authorization privilege levels on page 231
Viewing TACACS+ information on page 232
June 2014

229
Configuring TACACS+ server settings

About this task
To add a TACACS+ server, use the following command in Global or Interface Configuration mode:
tacacs server
Table 67: tacas server command parameters
Parameter
Description
host <IPaddr>
Specifies the IP address of the primary server you

want to add or configure.
key <key>
Specifies the secret authentication and encryption

key used for all communications between the NAS
and the TACACS+ server. The key, also referred to
as the shared secret, must be the same as the one
defined on the server. You are prompted to confirm
the key when you enter it.
Important:
The key parameter is a required parameter
when you create a new server entry. The
parameter is optional when you are modifying
an existing entry.
[secondary host <IPaddr>]
Specifies the IP address of the secondary server.

The secondary server is used only if the primary
server does not respond.
[port <port>]
Specifies the TCP port for TACACS+ where port is

an integer in the range of 0-65535. The default port
number is 49.
To delete a TACACS+ server, use one of the following commands in Global or Interface
Configuration mode:
no tacacs
default tacacs
The commands erase settings for the TACACS+ primary and secondary servers and secret key,
and restore default port settings.
Related Links
Enabling remote TACACS+ services

About this task
To enable TACACS+ to provide services to remote users over serial or Telnet connections, use the
following commands in Global or Interface Configuration mode.
230

June 2014
For serial connections:

cli password serial tacacs
For Telnet connections:
cli password telnet tacacs
You must configure a TACACS+ server on the switch before you can enable remote TACACS+
services. For more information about configuring the primary TACACS+ server and shared secret,
see Configuring TACACS+ server settings (page 159).
Related Links
Enabling TACACS+ authorization

About this task
To enable TACACS+ authorization globally on the switch, use the following command in Global or
tacacs authorization enable
To disable TACACS+ authorization globally on the switch, use the following command in Global or
tacacs authorization disable
The default is disabled.
Related Links
Setting authorization privilege levels

The preconfigured privilege levels control which commands can be executed. If a user has been
assigned a privilege level for which authorization has been enabled, TACACS+ authorizes the
authenticated user to execute a specific command only if the command is allowed for that privilege
level.
To specify the privilege levels to which authorization applies, use the following command in Global
or Interface Configuration mode:
tacacs authorization level all|<level>|none
Table 68: tacas authorization command parameters
Parameter
Description
all
Authorization is enabled for all privilege levels.
<level>
An integer in the range 015 that specifies the privilege

levels for which authorization is enabled. You can enter a
single level, a range of levels, or several levels. For any
levels you do not specify, authorization does not apply, and
users assigned to these levels can execute all commands.
June 2014

231
Parameter
Description
none
Authorization is not enabled for any privilege level. All users

can execute any command available on the switch.
Related Links
Viewing TACACS+ information

About this task
To display TACACS+ configuration status, enter the following command from any mode:
show tacacs
Related Links
Configuring IP Manager using CLI

About this task
To configure the IP Manager to control management access to the switch, do the following:
Enable IP Manager.
Configure the IP Manager list.
Use the following commands to configure the IP Manager.
Related Links
Enabling IP Manager on page 232
Configuring the IP Manager list on page 233
Removing IP Manager list entries on page 233
Viewing IP Manager settings on page 234
Enabling IP Manager
About this task
To enable IP Manager to control Telnet, SNMP, SSH, or HTTP access, use the following command
in Global Configuration mode:
ipmgr {telnet|snmp|web|ssh}
Table 69: Enabling IP manager command parameters
232
Parameter
Description
telnet
Enables the IP Manager list check for Telnet access.
snmp
Enables the IP Manager list check for SNMP, including Device

Manager.

June 2014
Parameter
Description
web
Enables the IP Manager list check for Web-based management

system.
ssh
Enables the IP Manager list check for SSH access.
To disable IP Manager for a management system, use the no keyword at the start of the command.
Related Links
Configuring the IP Manager list

About this task
To specify the source IP addresses or address ranges that have access the switch when IP
Manager is enabled, use the following command in Global Configuration mode:
For Ipv4 entries with list ID between 1-50:
ipmgr source-ip <list ID> <Ipv4addr> [mask<mask>]
Table 70: ipmgr source-ip command parameters
Parameter
Description
<list ID>
An integer in the range 1-50 for Ipv4 entries and 51-100

for Ipv6 entries that uniquely identifies the entry in the IP
Manager list.
<Ipv4addr>
Specifies the source IP address from which access is

allowed. Enter the IP address either as an integer or in
dotted-decimal notation.
[mask <mask>]
Specifies the subnet mask from which access is allowed.

Enter the IP mask in dotted-decimal notation.
Related Links
Removing IP Manager list entries

To deny access to the switch for specified source IP addresses or address ranges, use the following
command in Global Configuration mode:
no ipmgr source-ip [<list ID>]
<list ID> is an integer in the range 1-50 for Ipv4 addresses that uniquely identifies the entry in the IP
Manager list.
The command sets both the IP address and mask for the specified entry to 255.255.255.255 for
Ipv4 entries. If you do not specify a <list ID> value, the command resets the whole list to factory
defaults.
Related Links
June 2014

233
Viewing IP Manager settings

About this task
To view IP Manager settings, use the following command in any mode:
show ipmgr
The command displays
whether Telnet, SNMP, SSH, and Web access are enabled
whether the IP Manager list is being used to control access to Telnet, SNMP, SSH, and Webbased management system
the current IP Manager list configuration
Related Links
Configuring password security using CLI

About this task
Use the following CLI commands to manage password security features. These commands can be
used in the Global Configuration and Interface Configuration command modes.
Related Links
Enabling password security on page 234
Disabling password security on page 235
Creating user names and passwords on page 235
Configuring password retry attempts on page 235
Configuring password history on page 235
Defaulting password history on page 236
Displaying password history settings on page 236
Enabling password security

About this task
The password security command enables the Password Security feature on the WLAN 8100
Series.
The syntax of the password security command is
password security
Related Links
234

June 2014
Disabling password security

The no password security command disables the Password Security feature on the WLAN
8100 Series.
The syntax for the no password security command is
no password security
Related Links
Creating user names and passwords

About this task
Use the username command to create custom user names and assign switch read-only and readwrite passwords to them. These custom user names apply to local authentication only.
The syntax of this command is as follows:
username <username> {ro | rw}
After entering this command the user is prompted to enter the password for the new user.
Custom users cannot have custom access rights and limitations. Use of the associated read-only
password confers the same rights and limitations as the default read-only user. Use of the
associated read-write password confers the same rights and limitation as the default read-write
user.
Related Links
Configuring password retry attempts

About this task
To configure the number of times a user can retry a password, use the following command in Global
or Interface Configuration mode:
telnet-access retry <number>
Where number is an integer in the range 1 to 100 that specifies the allowed number of failed log on
attempts. The default is 3.
Related Links
Configuring password history

About this task
Use the password password-history command to configure the number of passwords stored
in the password history table. This command has the following syntax:
password password-history <3-10>
June 2014

235
The parameter <3-10> represents the number of passwords to store in the history table. Use the
appropriate value when configuring the feature.
Related Links
Defaulting password history

Use the default password password-history command to return the number of passwords
stored in the password history table to the default value of 3.
Related Links
Displaying password history settings

The show password password-history command is used to display the number of passwords
currently stored in the password history table.
Related Links
Configuring Avaya Secure Network Access Options

About this task
Use the following procedure to configure Avaya Secure Network Access (formerly Nortel Secure
Network Access or NSNA).
Procedure
3. Use the command nsna fail-open and one of the following commands to configure failopen options:
a. Use the command filter-vlan-id <14094> to set fail-open filter vlan ID.
b. Use the command vlan-id <14094> to set fail-open vlan ID.
c. Use the command enable to enable secure network access fail-open.
4. Use the command nsnas <subnet address> to set the secure network access subnet.
5. Use the command nsnas phone-signature <WORD> to assign a secure network access
phone signature.
6. Use the command nsnas vlan <14094> to set the secure network access vlan ID.
Related Links
236

June 2014
Displaying CLI Audit log using CLI

About this task
The CLI audit provides a means for tracking CLI commands. The show audit log command
displays the command history audit log stored in NVRAM. The syntax for the show audit log
command is:
show audit log [asccfg | serial | telnet]
The show audit log command is in the Privileged EXEC mode.
The following table describes the parameters and variables for the show audit log command.
Table 71: show audit log command parameters
Parameter
Description
asccfg
Displays the audit log for ASCII configuration.
serial
Displays the audit log for serial connections.
telnet
Displays the audit log for Telnet and SSH connections.
Enabling Audit Log Save Settings

About this task
Use the following procedure to enable Audit Log save settings.
Procedure
3. Use the command audit log save enable to enable audit log save settings.
Related Links
Configuring Secure Socket Layer services using CLI

About this task
The following table lists CLI commands available for working with Secure Socket Layer (SSL).
Table 72: SSL commands
Command
Description
[no] ssl
Enables or disables SSL. The Web server operates in a secure

mode when SSL is enabled and in nonsecure mode when the
SSL server is disabled.
[no] ssl certificate
Creates or deletes a certificate. The new certificate is used

only on the next system reset or SSL server reset. The new
certificate is stored in the NVRAM with the file name
SSLCERT.DAT. The new certificate file replaces the existing
June 2014

237
Command
Description
file. On deletion, the certificate in NVRAM is also deleted. The
current SSL server operation is not affected by the create or
delete operation.
ssl reset
Resets the SSL server. If SSL is enabled, the SSL server is

restarted and initialized with the certificate that is stored in the
NVRAM. Any existing SSL connections are closed. If SSL is
not enabled, the existing nonsecure connection is also closed
and the nonsecure operation resumes.
show ssl
Shows the SSL server configuration and SSL server state.
show ssl certificate
Displays the certificate which is stored in the NVRAM and is

used by the SSL server.
The following table describes the output for the show ssl command.
Table 73: Server state information
Field
Description
WEB Server SSL secured
Shows whether the Web server is using an SSL

connection.
SSL server state
Displays one of the following states:

Un-initialized: The server is not running.
Certificate Initialization: The server is generating a
certificate during its initialization phase.
Active: The server is initialized and running.
SSL Certificate: Generation in progress
Shows whether SSL is in the process of generating a

certificate. The SSL server generates a certificate
during server startup initialization, or CLI user can
regenerate a new certificate.
SSL Certificate: Saved in NVRAM
Shows whether an SSL certificate exists in the

NVRAM. The SSL certificate is not present if the
system is being initialized for the first time or CLI
user has deleted the certificate.
Configuring Secure Shell protocol using CLI

About this task
Secure Shell protocol is used to improve Telnet and provide a secure access to the CLI interface.
There are two versions of the SSH Protocol. The WLAN 8100 Series SSH supports SSH2.
Use the following CLI commands to configure and manage SSH.
Related Links
show ssh command on page 239
ssh dsa-host-key command on page 239
238

June 2014
no ssh dsa-host-key command on page 240

ssh download-auth-key command on page 240
no ssh dsa-auth-key command on page 240
ssh command on page 241
no ssh command on page 241
ssh secure command on page 241
ssh dsa-auth command on page 242
no ssh dsa-auth on page 242
default ssh dsa-auth command on page 242
ssh pass-auth command on page 242
no ssh pass-auth command on page 243
default ssh pass-auth command on page 243
ssh port command on page 243
default ssh port command on page 243
ssh timeout command on page 243
default ssh timeout command on page 244
show ssh command

This command displays information about all active SSH sessions and on other general SSH
settings.
The syntax for the show ssh command is:
show ssh {global|session|download-auth-key}
Table 74: show ssh command parameters
Parameter
Description
download-auth-key
Display authorization key and TFTP server IP address
global
Display general SSH settings
session
Display SSH session information
The show ssh global command is executed in the Privileged EXEC command mode.
Related Links
ssh dsa-host-key command

The ssh dsa-host-key command triggers the DSA key regeneration.
The syntax for the ssh dsa-host-key command is:
ssh dsa-host-key
The command is executed in the Global Configuration mode.
June 2014

239
The ssh dsa-host-key command has no parameters or variables.

Related Links
no ssh dsa-host-key command

The no ssh dsa-host-key command deletes the DSA keys in the switch. A new DSA key can
be generated by executing dsa-host-key or SSH enable commands.
The syntax for the no ssh dsa-host-key command is:
no ssh dsa-host-key
The no ssh dsa-host-key command is executed in the Global Configuration mode.
The no ssh dsa-host-key command has no parameters or variables.
Related Links
ssh download-auth-key command

The ssh download-auth-key command downloads the DSA authentication key into the switch
from the specified TFTP server or from the USB stick, if available.
The syntax for the ssh download-auth-key command is:
ssh download-auth-key [address] [<key-name>] [usb]
Table 75: ssh download-auth-key command parameters
Parameter
Description
address
Specify the TFTP server IP address.
key-name
Specify the TFTP/USB file name.
usb
Specify whether download SSH auth key from the USB

stick.
Available only if the device has USB port.
The ssh download-auth-key command is executed in the Global Configuration mode.

Related Links
no ssh dsa-auth-key command

The no ssh dsa-auth-key command deletes the DSA authentication key stored in the switch.
The syntax for the no ssh dsa-auth-key command is:
no ssh dsa-auth-key
The no ssh dsa-auth-key command is executed in the Global Configuration mode.
240

June 2014
Related Links
ssh command
The ssh command enables SSH in a non secure mode. If the host keys do not exist, they are
generated.
The syntax for the ssh command is:
ssh
The ssh command is executed in the Global Configuration mode.
This command has no parameters.
Related Links
no ssh command
The no ssh command disables SSH.
The syntax for the no ssh command is:
no ssh {dsa-auth|dsa-auth-key|dsa-host-key|pass-auth}
Table 76: no ssh command parameters
Parameter
Description
dsa-auth
Disable SSH DSA authentication.
dsa-auth-key
Delete SSH DSA auth key.
dsa-host-key
Delete SSH DSA host key.
pass-auth
Disable SSH password authentication.
The no ssh command is executed in the Global Configuration mode.

Related Links
ssh secure command

The ssh secure command disables web, SNMP, and Telnet management interfaces permanently.
The no ssh command does NOT turn them back on; they must be re-enabled manually. A warning
message is issued to the user to enable one of the other interfaces before turning off SSH secure
mode.
The syntax for the ssh secure command is:
ssh secure
The ssh secure command is executed in the Global Configuration mode.
June 2014

241
Related Links
ssh dsa-auth command

The ssh dsa-auth command enables the user log on using DSA key authentication.
The syntax for the command is:
ssh dsa-auth
The ssh dsa-auth command is executed in the Global Configuration mode.
Related Links
no ssh dsa-auth
The no ssh dsa-auth command disables user log on using DSA key authentication.
The syntax for the no ssh dsa-auth command is:
no ssh dsa-auth
The no ssh dsa-auth command is executed in the Global Configuration mode.
Related Links
default ssh dsa-auth command

The default ssh dsa-auth command enables the user log on using the DSA key
authentication.
The syntax for the default ssh dsa-auth command is:
default ssh dsa-auth
The default ssh dsa-auth command is executed in the Global Configuration mode.
Related Links
ssh pass-auth command

The ssh pass-auth command enables user log on using the password authentication method.
The syntax for the ssh pass-auth command is:
ssh pass-auth
The ssh pass-auth command is executed in the Global Configuration mode.
Related Links
242

June 2014
no ssh pass-auth command

The no ssh pass-auth command disables user log on using password authentication.
The syntax for the no ssh pass-auth command is:
no ssh pass-auth
The no ssh pass-auth command is executed in the Global Configuration mode.
Related Links
default ssh pass-auth command

The default ssh pass-auth command enables user log on using password authentication.
The syntax for the default ssh pass-auth command is:
default ssh pass-auth
The default ssh pass-auth command is executed in the Global Configuration mode.
Related Links
ssh port command

The ssh port command sets the TCP port for the SSH daemon.
The syntax for the ssh port command is:
ssh port <1-65535>
Substitute the <1-65535> with the number of the TCP port to be used.
The ssh port command is executed in the Global Configuration mode.
Related Links
default ssh port command

The default ssh port command sets the default TCP port for the SSH daemon.
The syntax for the default ssh port command is:
default ssh port
The default ssh port command is executed in the Global Configuration mode.
Related Links
ssh timeout command

The ssh timeout command sets the authentication timeout, in seconds.
The syntax of the ssh timeout command is:
June 2014

243
ssh timeout <1-120>

Substitute <1-120> with the desired number of seconds.
The ssh timeout command is executed in the Global Configuration mode.
Related Links
default ssh timeout command

The default ssh timeout command sets the default authentication timeout to 60 seconds.
The syntax for the default ssh timeout command is:
default ssh timeout
The default ssh timeout command is executed in the Global Configuration mode.
Related Links
Configuring VLANs and Link Aggregation

About this task
The following sections describe the methods and procedures necessary to configure VLANs,
Spanning Tree and Link Aggregation on the WC 8180.
Related Links
Configuring VLANs using CLI on page 244
Configuring STP using CLI on page 254
Configuring MLT using CLI on page 264
Configuring LACP and VLACP using the CLI on page 266
Configuring VLANs using CLI

About this task
Use the CLI commands described in this section to create and manage VLANs. Depending on the
type of VLAN being created or managed, the command mode needed to execute these commands
can differ.
Related Links
Displaying VLAN information on page 245
Variable definitions on page 245
Displaying VLAN interface information on page 246
Displaying VLAN port membership on page 246
Setting the management VLAN on page 247
244

June 2014
Resetting the management VLAN to default on page 247

Creating a VLAN on page 247
Variable definitions on page 247
Deleting a VLAN on page 248
Modifying VLAN MAC address flooding on page 248
Configuring VLAN name on page 248
Enabling automatic PVID on page 249
Configuring VLAN port settings on page 249
Configuring VLAN members on page 249
Configuring VLAN Configuration Control on page 250
Managing the MAC address forwarding database table on page 251
IP Directed Broadcasting on page 254
Displaying VLAN information

About this task
Use the following procedure to display the number, name, type, protocol, user PID, state of a VLAN
and whether it is a management VLAN.
Procedure
To display VLAN information, use the command show vlan in the Privileged EXEC mode.
CLI reference:
WCP8180#show vlan ?
configcontrol Display
dhcp-relay
Display
id
Display
igmp
Display
interface
Display
ip
Display
mgmt
Display
multicast
Display
summary
Display
type
Display
<cr>
VLAN control mode

DHCP relay info for a particular VLAN
specific VLAN
IGMP snoop settings
VLAN configuration for specified interfaces
IP info for VLANs
mgmt vlan ID
VLAN multicast configuration
a summary of VLANS
specific type of VLAN
The syntax is as follows:

show vlan [configcontrol] [dhcp-relay <1-4094>] [igmp {<1-4094>|
unknown-mcast-allow-flood | unknown-mcast-no-flood}] [interface
{ info | vids}] [ip <vid>] [mgmt] [multicast <membership>] [type
{port | protocol-ipEther2| protocol-ipx802.3 | protocol-ipx802.2 |
protocol-ipxSnap | protocol-ip xEther2 | protocol-decEther2 |
protocol-snaEther2 | protocol-Netbios | protocol-xnsEther2 |
protocol-vi nesEther2 | protocol-ipv6Ether2 | protocol-Userdef |
protocol-RarpEther2] [vid <1-4094>]
Variable definitions
The following table describes the variables for this command.
June 2014

245
Variable
Value
vid <1-4094>
Enter the number of the VLAN to display.
type
Enter the type of VLAN to display:

port - port-based
protocol - protocol-based (see following list)
protocol-ipEther2
Specifies an ipEther2 protocol-based VLAN.
protocol-ipx802.3
Specifies an ipx802.3 protocol-based VLAN.
protocol-ipx802.2
protocol-ipxSnap
Specifies an ipxSnap protocol-based VLAN.
protocol-ipxEther2
Specifies an ipxEther2 protocol-based VLAN.
protocol-decEther2
Specifies a decEther2 protocol-based VLAN.
protocol-snaEther2
Specifies an snaEther2 protocol-based VLAN.
protocol-Netbios
Specifies a NetBIOS protocol-based VLAN.
protocol-xnsEther2
Specifies an xnsEther2 protocol-based VLAN.
protocol-vinesEther2
Specifies a vinesEther2 protocol-based VLAN.
protocol-ipv6Ether2
Specifies an ipv6Ether2 protocol-based VLAN.
protocol-Userdef
Specifies a user-defined protocol-based VLAN.
protocol-RarpEther2
Specifies a RarpEther2 protocol-based VLAN.
Related Links
Displaying VLAN interface information

About this task
Use the following procedure to display VLAN settings associated with a port, including tagging
information, PVID number, priority, and filtering information for tagged, untagged, and unregistered
frames.
Procedure
To display VLAN interface information, use the following command from Privileged EXEC
mode.
show vlan interface info [<portlist>]
Displaying VLAN port membership

About this task
Use the following procedure to display port memberships in VLANs.
Procedure
To display VLAN port memberships, use the following command from Privileged EXEC
mode.
246

June 2014
show vlan interface vids [<portlist>]
Setting the management VLAN

About this task
Use the following procedure to set a VLAN as the management VLAN.
Procedure
To set the management VLAN, use the following command from Global Configuration mode.
vlan mgmt <1-4094>
Resetting the management VLAN to default

About this task
Use the following procedure to reset the management VLAN to VLAN1.
Procedure
To reset the management VLAN to default, use the following command from Global
Configuration mode.
default vlan mgmt
Creating a VLAN
About this task
Use the following procedure to create a VLAN. A VLAN is created by setting the state of a
previously nonexistent VLAN.
Procedure
To create a VLAN, use the following command from Global Configuration mode.
vlan create <1-4094> [name<line>] type {port | protocol-ipEther2 |
protocol-ipx802.3 | protocolipx802.2 | protocol-ipxSnap | protocolipxEther2 | protocol-decEther2 | protocol-snaEther2 | protocol-N
etbios | protocol-xnsEther2 | protocol-vinesEther2 | protocolipv6Ether2 | protocol-Userdef <4096-65534>| protocol-RarpEther2}
Variable
Value
<1-4094>
Enter the number of the VLAN to create.
name <line>
Enter the name of the VLAN to create.
type
Enter the type of VLAN to create:

port - port-based
protocol - protocol-based (see following list)
protocol-ipEther2
Specifies an ipEther2 protocol-based VLAN.
protocol-ipx802.3
protocol-ipx802.2
June 2014

247
Variable
Value
protocol-ipxSnap
Specifies an ipxSnap protocol-based VLAN.
protocol-ipxEther2
Specifies an ipxEther2 protocol-based VLAN.
protocol-decEther2
Specifies a decEther2 protocol-based VLAN.
protocol-snaEther2
Specifies an snaEther2 protocol-based VLAN.
protocol-Netbios
Specifies a NetBIOS protocol-based VLAN.
protocol-xnsEther2
Specifies an xnsEther2 protocol-based VLAN.
protocol-vinesEther2
Specifies a vinesEther2 protocol-based VLAN.
protocol-Userdef <4096-65534>
Specifies a user-defined protocol-based VLAN.
protocol-ipv6Ether2
Specifies an ipv6Ether2 protocol-based VLAN.
Related Links
Deleting a VLAN
About this task
Use the following procedure to delete a VLAN.
Procedure
To delete a VLAN, use the following command from Global Configuration mode.
vlan delete <2-4094>
Modifying VLAN MAC address flooding

About this task
Use the following procedure to remove MAC addresses from the list of addresses for which flooding
is allowed. This procedure can also be used as an alternate method of deleting a VLAN.
Procedure
To modify VLAN MAC address flooding, or to delete a VLAN, use the following command
from Global Configuration mode.
no vlan [<2-4094>] [igmp unknown-mcast-allow-flood <H.H.H>]
Configuring VLAN name

About this task
Use the following procedure to configure or modify the name of an existing VLAN.
Procedure
To configure the VLAN name, use the following command from Global Configuration mode.
vlan name <1-4094> <line>
248

June 2014
Enabling automatic PVID

About this task
Use the following procedure to enable the automatic PVID feature.
Procedure
To enable automatic PVID, use the following command from Global Configuration mode.
[no] auto-pvid
Use the no form of this command to disable
Configuring VLAN port settings

About this task
Use the following procedure to configure VLAN-related settings for a port.
Procedure
To configure VLAN port settings, use the following command from Global Configuration
mode.
vlan ports [<portlist>] [tagging {enable | disable | tagAll |
untagAll | tagPvidOnly | untagPvidOnly}] [pvid <1-4094>] [filteruntagged-frame {enable | disable}] [filter-unregistered-frames
{enable | disable}] [priority <0-7>] [name <line>]
Variable Definitions
Variable
Value
<portlist>
Enter the port numbers to be configured for a VLAN.
tagging {enable|disable|tagAll|untagAll|
tagPvidOnly|untagPvidOnly}
Enables or disables the port as a tagged VLAN member for

egressing packet.
pvid <1-4094>
Sets the PVID of the port to the specified VLAN.
filter-untagged-frame {enable|disable}
Enables or disables the port to filter received untagged packets.
filter-unregistered-frames {enable |
disable}
Enables or disables the port to filter received unregistered

packets. Enabling this feature on a port means that any frames
with a VID to which the port does not belong to are discarded.
priority <0-7>
Sets the port as a priority for the switch to consider as it

forwards received packets.
name <line>
Enter the name you want for this port.

Note: This option can only be used if a single port is specified in
the <portlist>
Configuring VLAN members

About this task
Use the following procedure to add or delete a port from a VLAN.
June 2014

249
Procedure
To configure VLAN members, use the following command from Global Configuration mode.
vlan members [add | remove] <1-4094> <portlist>
Variable
Value
add | remove
Adds a port to or removes a port from a VLAN.

Note: If this parameter is omitted, set the exact port membership for the
VLAN; the prior port membership of the VLAN is discarded and replaced
by the new list of ports.
<1-4094>
Specifies the target VLAN.
portlist
Enter the list of ports to be added, removed, or assigned to the VLAN.
Configuring VLAN Configuration Control

About this task
VLAN Configuration Control (VCC) allows a switch administrator to control how VLANs are modified.
VLAN Configuration Control is a superset of the existing AutoPVID functionality and incorporates
this functionality for backwards compatibility. VLAN Configuration Control is globally applied to all
VLANs on the switch.
VLAN Configuration Control offers four options for controlling VLAN modification:
Strict
Automatic
AutoPVID
Flexible
Note:
The factory default setting is Strict.
VLAN Configuration Control is only applied to ports with the tagging modes of Untag All and Tag
PVID Only.
See the following commands for VLAN configuration control using the CLI.
Related Links
Displaying VLAN Configuration Control settings on page 250
Modifying VLAN Configuration Control settings on page 251
Displaying VLAN Configuration Control settings
About this task

Use the following procedure to display the current VLAN Configuration Control setting.
250

June 2014
Procedure
To display VLAN Configuration Control settings, use the following command from Global
Configuration mode.
show vlan configcontrol
Modifying VLAN Configuration Control settings
About this task

Use the following procedure to modify the current VLAN Configuration Control setting. This
command applies the selected option to all VLANs on the switch.
Procedure
To modify VLAN Configuration Control settings, use the following command from Global
Configuration more
vlan configcontrol <vcc_option>
Variable
Value
<vcc_option>
This parameter denotes the VCC option to use on the switch. The
valid values are:
automatic -- Changes the VCC option to Automatic.
autopvid -- Changes the VCC option to AutoPVID.
flexible -- Changes the VCC option to Flexible.
strict -- Changes the VCC option to Strict. This is the default
VCC value.
Managing the MAC address forwarding database table

This section shows you how to view the contents of the MAC address forwarding database table, as
well as setting the age-out time for the addresses.
The MAC flush feature is a direct way to flush MAC addresses from the MAC address table. MAC
flush deletes dynamically learned addresses. MAC flush commands may not be executed instantly
when the command is issued. Since flushing the MAC address table is not considered an urgent
task, MAC flush commands are assigned the lowest priority and placed in a queue. The MAC flush
commands are supported in CLI, SNMP, DM, and Web-based Management.
The MAC flush commands allow flushing of:
a single MAC address
all addresses from the MAC address table
a port or list of ports
a trunk
a VLAN
The following CLI commands help you manage the MAC address forwarding database table.
June 2014

251
Related Links
Displaying MAC address forwarding table on page 252
Configuring MAC address retention on page 252
Setting MAC address retention time to default on page 253
Clearing the MAC address table on page 253
Clearing the MAC address table on a VLAN on page 253
Clearing the MAC address table on a FastEthernet interface on page 253
Clearing the MAC address table on a trunk on page 254
Displaying MAC address forwarding table
About this task

Use the following procedure to display the current contents of the MAC address forwarding
database table. You can filter the MAC Address table by port number. The MAC address table can
store up to 16000 addresses.
Procedure
To displaying the MAC address forwarding table, use the following command from Privileged
EXEC mode
show mac-address-table [vid<1-4094>] [aging-time] [address<H.H.H>]
[port<portlist>]
Variable
Value
vid <1-4094>
Enter the number of the VLAN for which you want to display the
forwarding database. Default is to display the management
VLANs database.
aging-time
Displays the time in seconds after which an unused entry is

removed from the forwarding database.
address <H.H.H>
Displays a specific MAC address if it exists in the database.

Enter the MAC address you want displayed.
Configuring MAC address retention
About this task

Use the following procedure to set the time during which the switch retains unseen MAC addresses.
Procedure
To configure unseen MAC address retention, use the following command from Global
Configuration mode.
mac-address-table aging-time <10-1 000 000>
252

June 2014
Variable
Value
vid <10-1 000 000>
Enter the aging time in seconds that you want for MAC
addresses before they expire.
Setting MAC address retention time to default
About this task

Use the following procedure to set the retention time for unseen MAC addresses to 300 seconds.
Procedure
To set the MAC address retention time to default, use the following command from Global
Configuration mode.
default mac-address-table aging-time
Clearing the MAC address table
About this task

Use the following procedure to clear the MAC address table.
Procedure
To flush the MAC address table, use the following command from Privileged EXEC mode.
clear mac-address-table
Clearing the MAC address table on a VLAN
About this task

Use the following procedure to flush the MAC addresses for the specified VLAN.
Procedure
To flush the MAC address table for a specific VLAN, use the following command from
Privileged EXEC mode.
clear mac-address-table interface vlan <vlan#>
Clearing the MAC address table on a FastEthernet interface
About this task

Use the following procedure to flush the MAC addresses for the specified ports. This command does
not flush the addresses learned on the trunk.
Procedure
To clear the MAC address table on a FastEthernet interface, use the following command
from Privileged EXEC mode.
clear mac-address-table interface FastEthernet <port-list|ALL>
June 2014

253
Clearing the MAC address table on a trunk
About this task

Use the following procedure to flush the MAC addresses for the specified trunk. This command
flushes only addresses that are learned on the trunk.
Procedure
To flush a single MAC address, use the following command from Privileged EXEC mode.
clear mac-address-table address <H.H.H>
IP Directed Broadcasting
About this task
IP directed broadcasting takes the incoming unicast Ethernet frame, determines that the destination
address is the directed broadcast for one of its interfaces, and then forwards the datagram onto the
appropriate network using a link-layer broadcast.
IP directed broadcasting in a VLAN forwards direct broadcast packets in two ways:
Through a connected VLAN subnet to another connected VLAN subnet.
Through a remote VLAN subnet to the connected VLAN subnet.
By default, this feature is disabled.
Use the following command to configure IP directed broadcasting using the CLI.
Related Links
Enabling IP directed broadcast on page 254
Enabling IP directed broadcast
About this task

Use the following procedure to enable IP directed broadcast.
Procedure
To enable IP directed broadcast, use the following command from Global Configuration
mode.
[no] ip directed-broadcast enable
Use the no form of this command to disable.
Configuring STP using CLI

Use the following procedures to configure STP for the WLAN 8100 Series using the CLI.
Related Links
Setting the STP mode using the CLI on page 255
Configuring STP BPDU Filtering using the CLI on page 255
254

June 2014
Creating and Managing STGs using the CLI on page 256
Setting the STP mode using the CLI

About this task
Use the following procedure to set the STP operational mode.
Procedure
To set the STP mode, use the following command from Global Configuration mode.
spanning-tree op-mode {stpg | rstp }
Configuring STP BPDU Filtering using the CLI

About this task
Use the following procedure to configure STP BPDU Filtering on a port. This command is available
in all STP modes (STPG, RSTP, and MSTP).
Procedure
1. To enable STP BPDU filtering, use the following command from Interface Configuration
mode.
[no] spanning-tree bpdu-filtering [port<portlist>] [enable] [timeout
<10-65535> | 0>]
2. To set the STP BPDU Filtering properties on a port to their default values, use the following
command from the Interface Configuration command mode:
default spanning-tree bpdu-filtering [port<portlist>] [enable]
[timeout]
3. To show the current status of the BPDU Filtering parameters, use the following command
from the Privileged EXEC mode:
show spanning-tree bpdu-filtering [<interface-type>]
[port<portlist>]
Variable
Value
port <portlist>
Specifies the ports affected by the command.
enable
Enables STP BPDU Filtering on the specified ports. The

default value is disabled.
timeout <10-65535| 0>
When BPDU filtering is enabled, this indicates the time (in

seconds) during which the port remains disabled after it
receives a BPDU. The port timer is disabled if this value is set
to 0. The default value is 120 seconds.
June 2014

255
Creating and Managing STGs using the CLI

To create and manage Spanning Tree Groups, you can refer to the Command Line Interface
commands listed in this section. Depending on the type of Spanning Tree Group that you want to
create or manage, the command mode needed to execute these commands can differ.
In the following commands, the omission of any parameters that specify a Spanning Tree Group
results in the command operating against the default Spanning Tree Group (Spanning Tree Group
1).
The following sections describe commands to configure and manage STGs using the CLI.
Related Links
Configuring STP using CLI on page 254
Configuring path cost calculation mode on page 256
Configuring STG port membership mode on page 256
Displaying STP configuration information on page 257
Creating a Spanning Tree Group on page 257
Deleting a Spanning Tree Group on page 257
Enabling a Spanning Tree Group on page 258
Disabling a Spanning Tree Group on page 258
Configuring STP values on page 258
Restoring default Spanning Tree values on page 259
Adding a VLAN to a STG on page 260
Removing a VLAN from a STG on page 260
Configuring STP and MSTG participation on page 260
Resetting Spanning Tree values for ports to default on page 261
Managing RSTP using the CLI on page 261
Configuring path cost calculation mode
About this task

Use the following procedure to set the path cost calculation mode for all Spanning Tree Groups on
the switch.
Procedure
To configure path cost calculation mode, use the following command from Privileged EXEC
mode.
spanning-tree cost-calc-mode {dot1d | dot1t}
Configuring STG port membership mode
About this task

Use the following procedure to set the STG port membership mode for all Spanning Tree Groups on
the switch.
256

June 2014
Procedure
To configure STG port membership mode, use the following command from Privileged EXEC
mode.
spanning-tree port-mode {auto | normal}
Displaying STP configuration information
About this task

Use the following procedure to display spanning tree configuration information that is specific to
either the Spanning Tree Group or to the port.
Procedure
To display STP configuration information, use the following command from Privileged EXEC
mode.
show spanning-tree [stp <1-8>] {config | port| port-mode | vlans}
Variable
Value
stp <1-8>
Displays specified Spanning Tree Group

configuration; enter the number of the group to be
displayed.
config | port | port-mode | vlans
Displays spanning tree configuration for:

config--the specified (or default) Spanning Tree
Group
port--the ports within the Spanning Tree Group
port-mode--the port mode
vlans--the VLANs that are members of the
specified Spanning Tree Group
Creating a Spanning Tree Group
About this task

Use the following procedure to create a Spanning Tree Group.
Procedure
To create a Spanning Tree Group, use the following command from Global Configuration
mode.
spanning-tree stp <1-8> create
Deleting a Spanning Tree Group
About this task

Use the following procedure to delete a Spanning Tree Group.
June 2014

257
Procedure
To delete a Spanning Tree Group, use the following command from Global Configuration
mode.
spanning-tree stp <1-8> delete
Enabling a Spanning Tree Group
About this task

Use the following procedure to enable a Spanning Tree Group.
Procedure
To enable a Spanning Tree Group, use the following command from Global Configuration
mode.
spanning-tree stg <1-8> enable
Disabling a Spanning Tree Group
About this task

Use the following procedure to disable a Spanning Tree Group.
Procedure
To disable a Spanning tree Group, use the following command from Global Configuration
mode.
spanning-tree stp <1-8> disable
Configuring STP values
About this task

Use the following procedure to set STP values by STG.
Procedure
To configure STP values, use the following command from Global Configuration mode.
spanning-tree [stp <1-8>] [forward-time <4-30>] [hello-time <1-10>]
[max-age <6-40> [priority {0*0000 | 0*1000| 0*2000 | 0*3000 | ... |
0*E000 | 0*F000}] [tagged-bpdu {enable | disable}] [tagged-bpdu-vid
>1-4094>] [multicast-address <H.H.H>] [add-vlan] [remove-vlan]
258
Variable
Value
stp <1-8>
Specifies the Spanning Tree Group; enter the STG

ID.
forward-time <4-30>
Enter the forward time of the STG in seconds; the

range is 4 -- 30, and the default value is 15.
hello-time <1-10>
Enter the hello time of the STG in seconds; the

range is 1 --10, and the default value is 2.

June 2014
Variable
Value
max-age <6-40>
Enter the max-age of the STG in seconds; the range

is 6 -- 40, and the default value is 20.
priority {0x000 | 0x1000 | 0x2000 | 0x3000 | .... |

0xE000 | 0xF000}
Sets the spanning tree priority (in Hex); if 802.1T

compliant, this value must be a multiple of 0x1000.
tagged-bpdu {enable | disable}
Sets the BPDU as tagged or untagged. The default

value for Spanning Tree Group 1 (default group) is
untagged; the default for the other groups is tagged.
tagged-bpdu-vid <1-4094>
Sets the VLAN ID (VID) for the tagged BPDU. The

default value is 4001 -- 4008 for STG 1 -- 8,
respectively.
multicast-address <H.H.H>
Sets the spanning tree multicast address.
add-vlan
Adds a VLAN to the Spanning Tree Group.
remove-vlan
Removes a VLAN from the Spanning Tree Group.
Restoring default Spanning Tree values
About this task

Use the following procedure to restore default spanning tree values for the Spanning Tree Group.
Procedure
To restore Spanning Tree values to default, use the following command from Global
Configuration mode.
default spanning-tree [stp <1-8> [forward-time] [hello-time] [maxage] [priority] [tagged-bpdu] [multicast address]
Variable
Value
stp <1-8>
Disables the Spanning Tree Group; enter the STG

ID.
forward-time
Sets the forward time to the default value of 15

seconds.
hello-time
Sets the hello time to the default value of 2 seconds.
max-age
Sets the maximum age time to the default value of

20 seconds.
priority
Sets spanning tree priority (in Hex); if 802.1T

compliant, this value must be a multiple of 0x1000.
tagged-bpdu
Sets the tagging to the default value. The default

value for Spanning Tree Group 1 (default group) is
untagged; the default for the other groups is tagged.
multicast address
Sets the spanning tree multicast MAC address to the

default.
June 2014

259
Adding a VLAN to a STG
About this task

Use the following procedure to add a VLAN to a specified Spanning Tree Group.
Procedure
To add a VLAN to a STG, use the following command from Global Configuration mode.
spanning-tree [stp <1-8>] add-vlan <1-4094>
Removing a VLAN from a STG
About this task

Use the following procedure to remove a VLAN from a specified Spanning Tree Group.
Procedure
To remove a VLAN from a STG, use the following command from Global Configuration
mode.
spanning-tree [stp <1-8>] remove-vlan <1-4094>
Configuring STP and MSTG participation
About this task

Use the following procedure to set the Spanning Tree Protocol (STP) and multiple Spanning Tree
Group (STG) participation for the ports within the specified Spanning Tree Group.
Procedure
To configure STP and MSTG participation, use the following command from Interface
Configuration mode.
[no] spanning-tree [port <portlist>] [stp <1-8>] [learning {disable
| normal | fast}] [cost <1-65535>] [priority]
Variable
Value
port <portlist>
Enables the spanning tree for the specified port or

ports; enter port or ports you want enabled for the
spanning tree.
port number you specified when you issued the
interface command to enter the Interface
Configuration mode.
stp <1-8>
Specifies the spanning tree group; enter the STG ID.
learning {disable|normal|fast}
Specifies the STP learning mode:

disable -- disables FastLearn mode
normal -- changes to normal learning mode
260

June 2014
Variable
Value
fast -- enables FastLearn mode
cost <1-65535>
Enter the path cost of the spanning tree; range is 1 -65535.
priority
Sets the spanning tree priority for a port as a

hexadecimal value. If the Spanning Tree Group is
802.1T compliant, this value must be a multiple of
0x10.
Resetting Spanning Tree values for ports to default
About this task

Use the following procedure to set the spanning tree values for the ports within the specified
Spanning Tree Group to the factory default settings.
Procedure
To reset Spanning Tree values to default, use the following command from Interface
Configuration mode.
default spanning-tree [port <portlist>] [stp <1-8>] [learning]
[cost] [priority]
Variable
Value
port <portlist>
Enables spanning tree for the specified port or ports; enter

port or ports to be set to factory spanning tree default values.
Note: If this parameter is omitted, the system uses the port
number specified when the interface command was used to
enter Interface Configuration mode.
stp <1-8>
Specifies the Spanning Tree Group to set to factory default

values; enter the STG ID. This command places the port into
the default STG. The default value for STG is 1.
learning
Sets the spanning tree learning mode to the factory default

value.
The default value for learning is Normal mode.
cost
Sets the path cost to the factory default value.

The default value for path cost depends on the type of port.
priority
Sets the priority to the factory default value.

The default value for the priority is 0x8000.
Managing RSTP using the CLI
About this task

Use the following command to configure RSTP:
Configuring RSTP parameters on page 262
June 2014

261
Configuring RSTP on a port on page 263

Displaying RSTP configuration on page 263
Displaying RSTP port configuration on page 262
Configuring RSTP parameters
About this task

Use the following procedure to set the RSTP parameters which include forward delay, hello time,
maximum age time, default path cost version, bridge priority, transmit holdcount, and version for the
bridge.
Procedure
To configure RSTP parameters, use the following command from Global Configuration
mode.
spanning-tree rstp [ forward-time <4-30>] [hello-time <1-10>] [maxage <6-40>] [pathcost-type {bits16 | bits32}] [priority {0000|1000|
2000| ...| F000}] [tx-holdcount <1-10>] [version {stp-compatible |
rstp}]
Variable
Value
forward-time <4-30>
Sets the RSTP forward delay for the bridge in

seconds; the default is 15.
hello-time <1-10>
Sets the RSTP hello time delay for the bridge in

max-age <6-40>
Sets the RSTP maximum age time for the bridge in

pathcost-type {bits16 | bits32}
Sets the RSTP default path cost version; the default

is bits32.
priority {0000 | 1000 | ... | F000}
Sets the RSTP bridge priority (in hex); the default is

8000.
tx-hold count
Sets the RSTP Transmit Hold Count; the default is 3.
version {stp-compatible | rstp}
Sets the RSTP version; the default is rstp.
Displaying RSTP port configuration
About this task

Use the following procedure to display the Rapid Spanning Tree Protocol (RSTP) related port-level
configuration details.
Procedure
To display RSTP port configuration, use the following command from Privileged EXEC
mode.
show spanning-tree rstp port {config | status | statistics | role}
[<portlist>]
262

June 2014
Variable
Value
config
Displays RSTP port-level configuration.
status
Displays RSTP port-level role information.
statistics
Displays RSTP port-level statistics.
role
Displays RSTP port-level status.
Configuring RSTP on a port
About this task

Use the following procedure to set the RSTP parameters, which include path cost, edge-port
indicator, learning mode, point-to-point indicator, priority, and protocol migration indicator on the
single or multiple port.
Procedure
To configure RSTP on a port, use the following command from Interface Configuration
mode.
spanning-tree rstp [port <portlist>] [cost <1-200000000> [edge-port
{false | true}] [learning {disable | enable}] [p2p {auto | forcefalse | force-true}] [priority {00 | 10 | ... | F0}] [protocolmigration {false | true}]
Variable
Value
port <portlist>
Filter on list of ports.
cost <1-200000000>
Sets the RSTP path cost on the single or multiple

ports; the default is 200000.
edge-port {false | true}
Indicates whether the single or multiple ports are

assumed to be edge ports. This parameter sets the
Admin value of edge port status; the default is false.
learning {disable | enable}
Enables or disables RSTP on the single or multiple

ports; the default is enable.
p2p {auto | force-false | force-true}
Indicates whether the single or multiple ports are to

be treated as point-to-point links. This command sets
the Admin value of P2P Status; the default is forcetrue.
priority {00 | 10 |... | F0}
Sets the RSTP port priority on the single or multiple

ports; the default is 80.
protocol-migration {false | true}
Forces the single or multiple port to transmit RSTP

BPDUs when set to true, while operating in RSTP
mode; the default is false.
Displaying RSTP configuration
June 2014

263
About this task

Use the following procedure to display the Rapid Spanning Tree Protocol (RSTP) related bridgelevel configuration details.
Procedure
To display RSTP configuration details, use the following command from Privileged EXEC
mode.
show spanning-tree rstp {config | status | statistics}
Variable
Value
config
Displays RSTP bridge-level configuration.
status
Displays RSTP bridge-level role information.
statistics
Displays RSTP bridge-level statistics.
Configuring MLT using CLI

The CLI commands detailed in this section allow for the creation and management of Multi-Link
trunks. Depending on the type of Multi-Link trunk being created or managed, the command mode
needed to execute these commands can differ.
Related Links
Displaying MLT configuration and utilization on page 264
Configuring a Multi-Link trunk on page 264
Disabling a MLT on page 265
Displaying MLT properties on page 265
Configuring STP participation for MLTs on page 265
Displaying MLT configuration and utilization

About this task
Use the following procedure to display Multi-Link Trunking (MLT) configuration and utilization.
Procedure
To display MLT configuration and utilization, use the following command from Privileged
EXEC mode.
show mlt [utilization <1-32>]
Configuring a Multi-Link trunk

About this task
Use the following procedure to configure a Multi-Link trunk (MLT).
264

June 2014
Procedure
To configure a Multi-Link trunk, use the following command from Global Configuration mode.
mlt <id> [name<trunkname>] [enable | disable] [member <portlist>]
[learning {disable | fast | normal}] [bpdu {all-ports | singleport}] loadbalance {basic | advance}
Variable
Value
id
Enter the trunk ID; the range is 1 to 32.
name <trunkname>
Specifies a text name for the trunk; enter up to 16

alphanumeric characters.
enable | disable
Enables or disables the trunk.
member <portlist>
Enter the ports that are members of the trunk.
learning <disable | fast | normal>
Sets STP learning mode.
bpdu {all-ports | single-port}
Sets trunk to send and receive BPDUs on either all

ports or a single port.
loadbalance {basic | advance}
Sets the MLT load-balancing mode:

basic: MAC-based load-balancing
advance: IP-based load-balancing
Disabling a MLT
About this task
Use the following procedure to disable a Multi-Link trunk (MLT), clearing all the port members.
Procedure
To disable a MLT, use the following command from Global Configuration mode.
no mlt [<id>]
Displaying MLT properties

About this task
Use the following procedure to display the properties of Multi-Link trunks (MLT) participating in
Spanning Tree Groups (STG).
Procedure
To display MLT properties, use the following command from Global Configuration mode.
show mlt spanning-tree <1-32>
Configuring STP participation for MLTs

About this task
Use the following procedure to set Spanning Tree Protocol (STP) participation for Multi-Link trunks
(MLT).
June 2014

265
Procedure
To configure STP participation for MLTs, use the following command from Global
Configuration mode.
mlt spanning-tree <1-32> [stp <1-8>, ALL>] [learning {disable |
normal | fast}]
Variable
Value
<1-32>
Specifies the ID of the MLT to associate with the

STG.
stp <1-8>
Specifies the spanning tree group.
learning {disable | normal | fast}
Specifies the STP learning mode:

disable -- disables learning
normal -- sets the learning mode to normal
fast -- sets the learning mode to fast
Configuring LACP and VLACP using the CLI

Related Links
Configuring Link Aggregation using CLI on page 266
Configuring VLACP using CLI on page 271
Configuring Link Aggregation using CLI

The following sections describe the commands necessary to configure and manage Link
Aggregation using the CLI.
Related Links
Displaying LACP port mode on page 267
Displaying LACP system settings on page 267
Displaying LACP per port configuration on page 267
Displaying LACP port statistics on page 267
Clearing LACP port statistics on page 268
Displaying LACP port debug information on page 268
Displaying LACP aggregators on page 268
Configuring LACP system priority on page 268
Enabling LACP port aggregation mode on page 268
Configuring the LACP administrative key on page 269
Configuring LACP operating mode on page 269
Configuring per port LACP priority on page 270
Configuring LACP periodic transmission timeout interval on page 270
266

June 2014
Configuring LACP port mode on page 270

Displaying LACP port mode
About this task

Use the following procedure to display the current port mode (default or advanced).
Procedure
To display the port mode, use the following command from Privileged EXEC mode.
show lacp port-mode
Displaying LACP system settings
About this task

Use the following procedure to display system-wide LACP settings.
Procedure
To display system settings, use the following command from Privileged EXEC mode.
show lacp system
Displaying LACP per port configuration
About this task

Use the following procedure to display information on the per-port LACP configuration. Select ports
either by port number or by aggregator value.
Procedure
To display per port configuration, use the following command from Privileged EXEC mode.
show lacp port [<portList> | aggr <1-65535>]
Variable
Value
<portList>
Enter the specific ports for which to display LACP information.
aggr <1-65535>
Enter the aggregator value to display ports that are members

of it.
Displaying LACP port statistics
About this task

Use the following procedure to displayLACP port statistics. Select ports either by port number or by
aggregator value.
Procedure
To display port statistics, use the following command from Privileged EXEC mode.
show lacp stats [<portList> | aggr <1-65535>]
June 2014

267
Variable
Value
<portList>
Enter the specific ports for which to display LACP information.
aggr <1-65535>
Enter the aggregator value to display ports that are members

of it.
Clearing LACP port statistics
About this task

Use the following procedure to clear existing LACP port statistics.
Procedure
To clear statistics, use the following command from Interface Configuration mode.
lacp clear-stats <portList>
Displaying LACP port debug information
About this task

Use the following procedure to display port debug information.
Procedure
To display port debug information, use the following command from Privileged EXEC mode.
show lacp debug member [<portList>]
Displaying LACP aggregators
About this task

Use the following procedure to display LACP aggregators or LACP trunks.
Procedure
To display aggregators, use the following command from Privileged EXEC mode.
show lacp aggr <1-65535>
Configuring LACP system priority
About this task

Use the following procedure to configure the LACP system priority. It is used to set the system-wide
LACP priority. The factory default priority value is 32768.
Procedure
To configure system priority, use the following command from Global Configuration mode.
lacp system-priority <0-65535>
Enabling LACP port aggregation mode
About this task

Use the following procedure to enable the port aggregation mode.
268

June 2014
Procedure
To enable the port aggregation mode, use the following command from Interface
Configuration mode.
[no] lacp aggregation [port <portList>] enable
Use the no form of the command to disable.
Configuring the LACP administrative key
About this task

Use the following procedure to configure the administrative LACP key for a set of ports.
Procedure
To set the administrative key, use the following command from Interface Configuration
mode.
lacp key [port <portList>] <1-4095>
Variable
Value
port <portList>
The ports to configure the LACP key for.
<1-4095>
The LACP key to use.
Configuring LACP operating mode
About this task

Use the following procedure to configure the LACP mode of operations for a set of ports.
Procedure
To configure the operating mode, use the following command from Interface Configuration
mode.
lacp mode [port <portList>] {active | passive | off}
Variable
Value
port <portList>
The ports for which the LACP mode is to be set.
{active | passive | off}
The type of LACP mode to set for the port. The

LACP modes are:
active -- The port will participate as an active Link
Aggregation port. Ports in active mode send
LACPDUs periodically to the other end to negotiate
for link aggregation.
passive -- The port will participate as a passive
Link Aggregation port. Ports in passive mode send
LACPDUs only when the configuration is changed
or when its link partner communicates first.
June 2014

269
Variable
Value
off -- The port does not participate in Link
Aggregation.
LACP requires at least one end of each link to be in
active mode.
Configuring per port LACP priority
About this task

Use the following procedure to configure the per-port LACP priority for a set of ports.
Procedure
To configure priority, use the following command from Interface Configuration mode.
lacp priority [port <portList> <0-65535>
Variable
Value
port <portList>
The ports for which to configure LACP priority.
<0-65535>
The priority value to assign.
Configuring LACP periodic transmission timeout interval
About this task

Use the following procedure to configure the LACP periodic transmission timeout interval for a set of
ports.
Procedure
To configure the interval, use the following command from Interface Configuration mode.
lacp timeout-time [port <portList>] {long | short}
Variable
Value
port <portList>
The ports for which to configure the timeout interval.
{long | short}
Specify the long or short timeout interval.
Configuring LACP port mode
About this task

Use the following procedure to configure the LACP port mode on the switch.
Procedure
To configure the port mode, use the following command from Interface Configuration mode.
lacp port-mode {default | advance}
270

June 2014
Variable
Value
default
Default LACP port mode.
advance
Advanced LACP port mode.
Configuring VLACP using CLI

Use the following commands to configure VLACP using the CLI.
Related Links
Enabling VLACP globally on page 271
Configuring VLACP multicast MAC address on page 273
Displaying VLACP status on page 273
Displaying VLACP port configuration on page 274
Enabling VLACP globally
About this task

Use the following procedure to globally enable VLACP for the device.
Procedure
To enable VLACP, use the following command from Global Configuration mode.
[no] vlacp enable
Configuring VLACP port parameters
About this task

Use the following procedure to configure VLACP parameters on a port.
Procedure
To configure parameters, use the following command from Interface Configuration mode.
[no] vlacp port <port> [enable | disable] [timeout <long/short>]
[fast-periodic-time <integer>] [slow-periodic-time <integer>]
[timeout-scale <integer>] [funcmac-addr <mac>] [ethertype <hex>]
Use the no form of this command to remove parameters.
Variable
Value
<port>
Specifies the port number.
enable|disable
Enables or disables VLACP.
June 2014

271
Variable
Value
timeout <long/short>
Specifies whether the timeout control value for the

port is a long or short timeout.
long sets the port timeout value to: (timeout-scale
value) (slow-periodic-time value).
short sets the ports timeout value to: (timeoutscale value) (fast-periodic-time value).
For example, if the timeout is set to short while the
timeout-scale value is 3 and the fast-periodic-time
value is 400 ms, the timer expires after 1200 ms.
Default is long.
fast-periodic-time <integer>
Specifies the number of milliseconds between

periodic VLACPDU transmissions using short
timeouts.
The range is 400-20000 milliseconds. Default is 500.
slow-periodic-time <integer>
Specifies the number of milliseconds between

periodic VLACPDU transmissions using long
timeouts.
The range is 10000-30000 milliseconds. Default is
30000.
timeout-scale <integer>
Sets a timeout scale for the port, where timeout =

(periodic time) (timeout scale).
The range is 1-10. Default is 3.
Note: With VLACP, a short interval exists between a
port transmitting a VLACPDU and the partner port
receiving the same VLACPDU. However, if the
timeout-scale is set to less than 3, the port timeout
value does not take into account the normal travel
time of the VLACPDU. The port expects to receive a
VLACPDU at the same moment the partner port
sends it. Therefore, the delayed VLACPDU results in
the link being blocked, and then enabled again when
the packet arrives. To prevent this scenario from
happening, set the timeout-scale to a value larger
than 3. VLACP partners must also wait 3
synchronized VLACPDUs to have the link enabled. If
VLACP partner miss 3 consecutive packets from the
other partner, sets the link as VLACP down.
funcmac-addr <mac>
272
Specifies the address of the far-end switch

configured to be the partner of this switch. If none is
configured, any VLACP-enabled switch
communicating with the local switch through VLACP
PDUs is considered to be the partner switch.

June 2014
Variable
Value
Note: VLACP has only one multicast MAC address,
configured using the vlacp macaddress command,
which is the Layer 2 destination address used for the
VLACPDUs.
The port-specific funcmac-addr parameter does not
specify a multicast MAC address, but instead
specifies the MAC address of the switch to which this
port is sending VLACPDUs.
You are not always required to configure funcmacaddr. If not configured, the first VLACP-enabled
switch that receives the PDUs from a unit assumes
that it is the intended recipient and processes the
PDUs accordingly.
If you want an intermediate switch to drop VLACP
packets, configure the funcmac-addr parameter to
the desired destination MAC address. With funcmacaddr configured, the intermediate switches do not
misinterpret the VLACP packets.
ethertype <hex>
Sets the VLACP protocol identification for this port.

Defines the ethertype value of the VLACP frame.
The range is 8101-81FF. Default is 8103.
Configuring VLACP multicast MAC address
About this task

Use the following procedure to set the multicast MAC address used by the device for VLACPDUs.
Procedure
To configure the multicast MAC address, use the following command from Global
Configuration mode.
[no] vlacp macaddress <macaddress>
Use the no form of this command to delete the address.
Displaying VLACP status
About this task

Use the following procedure to display the status of VLACP on the switch.
Procedure
To display VLACP status, use the following command from Privileged EXEC mode.
show vlacp
June 2014

273
Displaying VLACP port configuration
About this task

Use the following procedure to display the VLACP configuration details for a port or list of ports.
Procedure
To display port configuration, use the following command from Privileged EXEC mode.
show vlacp interface <slot/port>
where <slot/port> specifies a port or list of ports.
Among other properties, the show vlacp interface command displays a column called
HAVE PARTNER, with possible values of yes or no.
If HAVE PARTNER is yes when ADMIN ENABLED and OPER ENABLED are true, then that
port has received VLACPDUs from a port and those PDUs were recognized as valid
according to the interface settings.
If HAVE PARTNER is no, when ADMIN ENABLED is true and OPER ENABLED is FALSE,
then the partner for that port is down (that port received at least one correct VLACPDU, but
did not receive additional VLACPDUs within the configured timeout period). In this case
VLACP blocks the port. This scenario is also seen if only one unit has VLACP enabled and
the other has not enabled VLACP.
The show vlacp interface command is in the privExec command mode.
Note: If VLACP is enabled on an interface, the interface will not forward traffic unless it has a
valid VLACP partner. If one partner has VLACP enabled and the other is not enabled, the
unit with VLACP enabled will not forward traffic, however the unit with VLACP disabled will
continue to forward traffic.
Configuring IP routing
Related Links
IP routing configuration using CLI on page 274
Static route configuration using CLI on page 279
DHCP relay configuration using CLI on page 282
Directed broadcasts configuration using CLI on page 287
Static ARP and Proxy ARP configuration using CLI on page 288
IGMP snooping configuration using the CLI on page 292
IP routing configuration using CLI

The following sections describe the procedures you can use to configure routable VLANs using the
CLI.
274

June 2014
The WC 8180 can function as a Layer 3 (L3) switch. This means that a regular Layer 2 VLAN
becomes a routable L3 VLAN if an IP address and MAC address are attached to the VLAN. When
routing is enabled in L3 mode, every L3 VLAN is capable of routing as well as carrying the
management traffic. You can use any L3 VLAN instead of the Management VLAN to manage the
switch.
The following sections describe the procedures you can use to configure routable VLANs using the
CLI.
Related Links
IP routing configuration procedures on page 275
IP routing configuration navigation on page 275
Configuring global IP routing status on page 276
Displaying global IP routing status on page 276
Configuring an IP address for a VLAN on page 276
Configuring IP routing status on a VLAN on page 277
Displaying the IP address configuration and routing status for a VLAN on page 277
Displaying IP routes on page 278
Performing a traceroute on page 278
IP routing configuration procedures

About this task
To configure inter-VLAN routing on the switch, perform the following steps:
Procedure
1. Enable IP routing globally.
2. Assign an IP address to a specific VLAN or brouter port.
Routing is automatically enabled on the VLAN or brouter port when you assign an IP
address to it.
IP routing configuration navigation

About this task
Configuring global IP routing status
Displaying global IP routing status
Configuring an IP address for a VLAN
Configuring IP routing status for a VLAN
Displaying the IP address configuration and routing status for a VLAN
Displaying IP routes
Performing a traceroute
Entering Router Configuration mode
June 2014

275
Configuring global IP routing status

About this task
Use this procedure to enable and disable global routing at the switch level. By default, routing is
disabled.
Procedure
To configure the status of IP routing on the switch, enter the following from the Global
Configuration mode:
[no] ip routing
Variable
Value
no
Disables IP routing on the switch
Displaying global IP routing status

About this task
Use this command to display the status of IP blocking on the switch.
Procedure
To display the status of IP blocking on the switch, enter the following from the User EXEC
mode:
show ip routing
Configuring an IP address for a VLAN

About this task
To enable routing an a VLAN, you must first configure an IP address on the VLAN.
Procedure
To configure an IP address on a VLAN, enter the following from the VLAN Interface
Configuration mode:
[no] ip address <ipaddr> <mask> [<MAC-offset>]
276
Variable
Value
[no]
Removes the configured IP address and disables

routing on the VLAN.
<ipaddr>
Specifies the IP address to attach to the VLAN.
<mask>
Specifies the subnet mask to attach to the VLAN
[<MAC-offset>]
Specifies the value used to calculate the VLAN MAC

address, which is offset from the switch MAC
address. The valid range is 1-256. Specify the value

June 2014
Variable
Value
1 for the Management VLAN only. If no MAC offset is
specified, the switch applies one automatically.
Configuring IP routing status on a VLAN

About this task
Use this procedure to enable and disable routing for a particular VLAN.
Procedure
To configure the status of IP routing on a VLAN, enter the following from the VLAN Interface
Configuration mode:
[default] [no] ip routing
Variable
Value
default
Disables IP routing on the VLAN.
no
Disables IP routing on the VLAN.
Displaying the IP address configuration and routing status for a VLAN

About this task
Use this procedure to display the IP address configuration and the status of routing on a VLAN.
Procedure
To display the IP address configuration on a VLAN, enter the following from the VLAN
Privileged Exec mode:
show vlan ip [vid <vid>]
Variable
Value
[vid <vid>]
Specifies the VLAN ID of the VLAN to be displayed. Range is

1-4094.
Job aid
The following table shows the field descriptions for the show vlan ip command.
Field
Description
Vid
Specifies the VLAN ID.
ifindex
Specifies an index entry for the interface.
Address
Specifies the IP address associated with the VLAN.
Mask
Specifies the mask.
MacAddress
Specifies the MAC address associated with the VLAN.
June 2014

277
Field
Description
Offset
Specifies the value used to calculate the VLAN MAC address,

which is offset from the switch MAC address.
Routing
Specifies the status of routing on the VLAN: enabled or

disabled.
Displaying IP routes
About this task
Use this procedure to display all active routes in the routing table.
Route entries appear in ascending order of the destination IP addresses.
Procedure
To display all active routes in the routing table, enter the following from the User EXEC
command mode:
show ip route [<dest-ip>] [-s <subnet><mask>] [summary]
Variable
Value
[<dest-ip>]
Specifies the destination IP address of the route to display.
[-s <subnet><mask>]
Specifies the destination subnet of the routes to display.
[summary]
Displays a summary of IP route information.
Performing a traceroute
About this task
Use this procedure to display the route taken by IP packets to a specified host.
Procedure
1. To perform a traceroute, enter the following from the Global Configuration mode:
traceroute <Hostname|A.B.C.D.> <-m> <-p> <-q> <-v> <-w> <1-1464>
2. Type CTRL+C to interrupt the command.
278
Variable
Value
Hostname
Specifies the name of the remote host.
A.B.C.D
Specifies the IP address of the remote host.
-m
Specifies the maximum time to live (ttl). The value for this
parameter is in the rage from 1-255. The default value is 10.
Example: traceroute 10.3.2.134 -m 10
-p
Specifies the base UDP port number. The value for this
parameter is in the range from 0-65535. Example: traceroute
1.2.3.4 -p 87

June 2014
Variable
Value
-q
Specifies the number of probes per time to live. The value for
this parameter is in the range from 1-255. The default value
is 3. Example: traceroute 10.3.2.134 -q 3
-v
Specifies verbose mode. Example: traceroute 10.3.2.134 -v
-w
Specifies the wait time per probe. The value for this
parameter is in the range from 1-255. The default value is 5
seconds. Example: traceroute 10.3.2.134 -w 15
<1-1464>
Specifies the UDP probe packet size. TIP: probe packet size
is 40 plus specified data length in bytes. Example: traceroute
10.3.2.134 -w 60
Static route configuration using CLI

The following sections describe procedures you can use to configure static routes using the CLI.
Related Links
Configuring a static route on page 279
Displaying static routes on page 280
Configuring a management route on page 281
Displaying the management routes on page 282
Job aid on page 282
Configuring a static route

About this task
Use this procedure to configure a static route. Create static routes to manually configure a path to
destination IP address prefixes.
Prerequisites
Enable IP routing globally
Enable IP routing and configure an IP address on the VLANs to be routed.
Procedure
To configure a static route, enter the following from the Global Configuration command
mode:
[no] ip route <dest-ip> <mask> <next-hop> [<cost>] [disable]
[enable] [weight<cost>]
Variable
Value
[no]
Removes the specified static route.
<dest-ip>
Specifies the destination IP address for the route being added. 0.0.0.0 is
considered the default route.
June 2014

279
Variable
Value
<mask>
Specifies the destination subnet mask for the route being added.
<next-hop>
Specifies the next hop IP address for the route being added.
[<cost>]
Specifies the weight, or cost, of the route being added. Range is

1-65535.
[disable]
Disables the specified static route.
[enable]
Enables the specified static route.
[weight<cost>]
Changes the weight, or cost, of an existing static route. Range is

1-65535.
Displaying static routes

About this task
Use this procedure to display all static routes, whether these routes are active or inactive.
Procedure
1. To display a static route, enter the following command from the User EXEC mode:
show ip route static
2. To display an IP route, enter the following commands from the User EXEC command mode:
show ip route [-s <subnet IP Address> <mask>]
show ip route <Subnet IP Address> s [<subnet IP Address> <mask>]
Example
WCP8180#show ip route static
===============================================================================
Ip Static Route
===============================================================================
DEST
MASK
NEXT
COST PREF LCLNHOP STATUS ENABLE
------------------------------------------------------------------------------0.0.0.0
0.0.0.0
192.171.0.55
1
5
TRUE
ACTIVE TRUE
Total Routes: 1
WCP8180#show ip route
===============================================================================
Ip Route
===============================================================================
DST
MASK
NEXT
COST
VLAN PORT PROT TYPE PRF
------------------------------------------------------------------------------0.0.0.0
0.0.0.0
192.171.0.55
1
171 2
S IB
5
10.1.21.0
255.255.255.0
10.1.21.2
1
70
---- C DB
0
192.168.9.0
255.255.255.0
192.168.9.2
1
20
---- C DB
0
192.168.10.0
255.255.255.0
192.168.10.2
1
30
---- C DB
0
192.171.0.0
255.255.0.0
192.171.0.56
1
171 ---- C DB
0
Total Routes: 5
------------------------------------------------------------------------------TYPE Legend:
I=Indirect Route, D=Direct Route, A=Alternative Route, B=Best Route, E=Ecmp Rou
te, U=Unresolved Route, N=Not in HW
280

June 2014
Variable
Value
<dest-ip>
Specifies the destination IP address of the static

routes to display.
[-s<subnet><mask>]
Specifies the destination subnet of the routes to

display.
Job aid
The following table shows the field descriptions for the show ip route static command.
Field
Description
DEST
Identifies the static route destination.
MASK
Identifies the static route mask.
NEXT
Identifies the next hop in the static route.
COST
Identifies the route cost.
PREF
Identifies the next preference for the route.
LCLNHOP
Indicates the state of the local next hop.
STATUS
Identifies the status of the route.
ENABLE
Identifies whether the route is enabled.
The following table shows the field descriptions for the show ip route command.
Field
Description
DST
Identifies the route destination.
MASK
Identifies the route mask.
NEXT
Identifies the next hop in the route.
COST
Identifies the route cost.
VLAN
Identifies the VLAN ID on the route.
PORT
Specifies the ports.
PROT
Specifies the routing protocols. For static routes, options are LOC
(local route) or STAT (static route).
TYPE
Indicates the type of route as described by the Type Legend on the

CLI screen.
PRF
Specifies the route preference.
Configuring a management route

About this task
Use this procedure to create a management route to the far end network, with a next-hop IP
address from the management VLANs subnet. A maximum of 4 management routes can be
configured on the switch.
June 2014

281
Prerequisites
Enable IP routing globally
Enable IP routing and configure an IP address on the management VLAN interface.
Procedure
To configure a static management route, enter the following from the Global Configuration
command mode:
[no] ip mgmt route <dest-ip><mask><next-hop>
Variable
Value
[no]
Removes the specified management route.
<dest-ip>
Specifies the destination IP address for the route being added.
<mask>
Specifies the destination subnet mask for the route being added.
<next-hope>
Specifies the next hop IP address for the route being added.
Displaying the management routes

About this task
Use this procedure to display the static routes configured for the management VLAN.
Procedure
To display the static routes configured for the management VLAN, enter the following from
the User EXEC mode:
show ip mgmt route
Job aid
The following table shows the shows the field descriptions for the show ip mgmt route
command.
Field
Description
Destination IP
Identifies the route destination.
Subnet Mask
Identifies the route mask.
Gateway IP
Identifies the next hop in the route.
Status
Identifies the status of the management route.
Related Links
Static route configuration using CLI on page 279
DHCP relay configuration using CLI

Before you begin
Enable IP routing globally.
282

June 2014
Enable IP routing and configure an IP address on the VLAN to be set as the DHCP relay
agent.
Ensure that a route to the destination DHCP server is available on the switch.
About this task

The following sections describe procedures you can use to configure DHCP relay using the CLI.
Important:
DHCP relay uses a hardware resource that is shared by the switch Quality of Service
applications. When DHCP relay is enabled globally, the Quality of Service filter manager will not
be able to use precedence 11 for configurations.
Related Links
DHCP relay configuration procedures on page 283
Configuring global DHCP relay status on page 283
Displaying the global DHCP relay status on page 284
Specifying a local DHCP relay agent and remote DHCP server on page 284
Displaying the DHCP relay configuration on page 285
Job aid on page 285
Configuring DHCP relay status and parameters on a VLAN on page 285
Displaying the DHCP relay configuration for a VLAN on page 286
Displaying DHCP relay counters on page 287
Job aid on page 287
Clearing DHCP relay counters for a VLAN on page 287
DHCP relay configuration procedures

About this task
To configure DHCP relay, perform the following steps:
Procedure
1. Ensure that DHCP relay is enabled globally. (DHCP relay is enabled by default.)
2. Configure the DHCP relay forwarding path, specifying the VLAN IP as the DHCP relay agent
and the remote DHCP server as the destination.
3. Enable DHCP for the specific VLAN.
Configuring global DHCP relay status

About this task
Use this procedure to configure the global DHCP relay status. DHCP relay is enabled by default.
Procedure
To configure the global DHCP relay status, enter the following from the Global Configuration
mode:
June 2014

283
[no] ip dhcp-relay
Variable
Value
[no]
Disables DHCP relay.
Displaying the global DHCP relay status

About this task
Use this procedure to display the current DHCP relay status for the switch.
Procedure
To display the global DHCP relay status, enter the following from the User EXEC command
mode:
show ip dhcp-relay
Example
WCP8180#show ip dhcp-relay
DHCP relay is enabled
DHCP relay option82 is disabled
DHCP relay max-frame is 0
Specifying a local DHCP relay agent and remote DHCP server

About this task
Use this procedure to specify a VLAN as a DHCP relay agent on the forwarding path to a remote
DHCP server. The DHCP relay agent can forward DHCP client requests from the local network to
the DHCP server in the remote network.
The DHCP relay feature is enabled by default, and the default mode is BootP-DHCP.
Prerequisites
Enable IP routing and configure an IP address on the VLAN to configure as a DHCP relay
agent.
Procedure
To configure a VLAN as a DHCP relay agent, enter the following from the Global
Configuration mode:
[no] ip dhcp-relay fwd-path <relay-agent-ip> <DHCP-server> [enable]
[disable] [mode {bootp | bootp-dhcp | dhcp}]
284
Variable
Value
[no]
Removes the specified DHCP forwarding path.
<relay-agent-ip>
Specifies the IP address of the VLAN that serves as the

local DHCP relay agent.

June 2014
Variable
Value
<DHCP-server>
Specifies the address of the remote DHCP server to

which DHCP packets are to be relayed.
[enable]
Enables the specified DHCP relay forwarding path.
[disable]
Disables the specified DHCP relay forwarding path.
[mode {bootp | bootp-dhcp | dhcp}]
Specifies the mode for DHCP relay.

BootP only
BootP and DHCP
DHCP only
If you do not specify a mode, the default DHCP and
BootP is used.
Displaying the DHCP relay configuration

About this task
Use this procedure to display the current DHCP relay agent configuration.
Procedure
To display the DHCP relay configuration, enter the following from the User EXEC command
mode:
show ip dhcp-relay fwd-path
Job aid
The following table shows the field descriptions for the show ip dhcp-relay fwd-path
command.
Field
Description
INTERFACE
Specifies the interface IP address of the DHCP relay agent.
SERVER
Specifies the IP address of the DHCP server.
ENABLE
Specifies whether DHCP is enabled.
MODE
Specifies the DHCP mode.
Related Links
Configuring DHCP relay status and parameters on a VLAN

About this task
Use this procedure to configure the DHCP relay parameters on a VLAN. To enable DHCP relay on
the VLAN, enter the command with no optional parameters.
June 2014

285
Procedure
To configure DHCP relay on a VLAN, enter the following from the VLAN Interface
Configuration mode:
[no] ip dhcp-relay [broadcast] [min-sec <min-sec>] [mode {bootp |
dhcp | bootp_dhcp}]
Variable
Value
[no]
Disables DHCP relay on the specified VLAN.
[broadcast]
Enables the broadcast of DHCP reply packets to the

DHCP clients on this VLAN interface.
min-sec <min-sec>
The switch immediately forwards a BootP/DHCP packet if

the secs field in the BootP/DHCP packet header is
greater than the configured min-sec value; otherwise, the
packet is dropped. Range is 0-65535. The default is 0.
mode {bootp | dhcp | bootp_dhcp}
Specifies the type of DHCP packets this VLAN supports:

bootp - Supports BootP only
dhcp - Supports DHCP only
bootp_dhcp - Supports both BootP and DHCP
Displaying the DHCP relay configuration for a VLAN

About this task
Use this procedure to display the current DHCP relay parameters configured for a VLAN.
Procedure
To display the DHCP relay VLAN parameters, enter the following from the Privileged EXEC
command mode:
show vlan dhcp-relay [<vid>]
Variable
Value
[<vid>]
Specifies the VLAN ID of the VLAN to be displayed. Range is 1-4094.
Job aid
The following table shows the field descriptions for the show ip dhcp-relay command.
286
Field
Description
IfIndex
Indicates the VLAN interface index.
MIN_SEC
Indicates the minimum time, in seconds, to wait between

receiving a DHCP packet and forwarding the DHCP packet to
the destination device. A value of zero indicates forwarding is
done immediately without delay.

June 2014
Field
Description
ENABLED
Indicates whether DHCP relay is enabled on the VLAN.
MODE
Indicates the type of DHCP packets this interface supports.

Options include none, BootP, DHCP, and both.
ALWAYS_BROADCAST
Indicates whether DHCP reply packets are broadcast to the

DHCP client on this VLAN interface.
OPTION_82
Indicates whether option 82 for DHCP relay is enabled or not.
Displaying DHCP relay counters

About this task
Use this procedure to display the current DHCP relay counters. This includes the number of
requests and the number of replies.
Procedure
To display the DHCP relay counters, enter the following from the User EXEC command
mode:
show ip dhcp-relay counters
Job aid
The following table shows the field descriptions for the show ip dhcp-relay counters
command.
Field
Description
INTERFACE
Indicates the interface IP address of the DHCP relay agent.
REQUESTS
Indicates the number of DHCP requests.
REPLIES
Indicates the number of DHCP replies.
Related Links
Clearing DHCP relay counters for a VLAN

About this task
Use this procedure to clear the DHCP relay counters for a VLAN.
Procedure
To clear the DHCP relay counters, enter the following from the VLAN Interface Configuration
command mode:
ip dhcp-relay clear-counters
Directed broadcasts configuration using CLI

The following sections describe procedures you can use to configure and display the status of
directed broadcasts using the CLI.
June 2014

287
Related Links
Configuring directed broadcasts on page 288
Displaying the directed broadcast configuration on page 288
Configuring directed broadcasts

About this task
Use this procedure to enable directed broadcasts on the switch. By default, directed broadcasts are
disabled.
Prerequisites
Enable IP routing and configure an IP address on the VLAN to be configured as a broadcast
interface.
Ensure that a route (local or static) to the destination address is available on the switch.
Procedure
To enable directed broadcasts, enter the following from the Global Configuration mode:
ip directed-broadcast enable
Displaying the directed broadcast configuration

About this task
Use this procedure to display the status of directed broadcasts on the switch. By default, directed
broadcasts are disabled.
Procedure
To display directed broadcast status, enter the following from the User EXEC mode:
show ip directed-broadcast
Static ARP and Proxy ARP configuration using CLI

About this task
Use the following procedures to configure Static ARP, Proxy ARP, and display ARP entries using
the CLI.
Related Links
Static ARP configuration on page 288
Proxy ARP configuration on page 291
Static ARP configuration

About this task
This section describes how to configure Static ARP using the CLI.
288

June 2014
Configuring a static ARP entry
About this task

Use this procedure to create and enable a static ARP entry.
Prerequisites
Enable IP routing and configure an IP address on the target VLAN.
Procedure
To configure a static ARP entry, enter the following from the Global Configuration mode:
[no] ip arp <A.B.C.D> <aa:bb:cc:dd:ee:ff> <port> [vid <1-4094>]
Variable
Value
[no]
Removes the specified ARP entry.
<A.B.C.D>
Specifies the IP address of the device being set as a static

ARP entry.
<aa:bb:cc:dd:ee:ff>
Specifies the MAC address of the device being set as a

static ARP entry.
< port>
Specifies the port number to which the static ARP entry is

being added.
vid <1-4094>
Specifies the VLAN ID to which the static ARP entry is

being added.
Displaying the ARP table
About this task

Use the following procedures to display the ARP table, configure a global timeout for ARP entries,
and clear the ARP cache.
Displaying ARP entries on page 289
Configuring a global timeout for ARP entries on page 290
Clearing the ARP cache on page 290
Displaying ARP entries
About this task

Use this procedure to display ARP entries.
Procedure
To display ARP entries, enter the following from the User Exec mode:
show arp-table
OR
June 2014

289
show ip arp [static | dynamic] [<ip-addr> | {-s <subnet> <mask>{]

[summary]
The show ip arp command is invalid if the switch is not in Layer 3 mode.
Variable
Value
<ip-addr>
Specifies the IP address of the ARP entry to be displayed.
-s <subnet> <mask>
Displays ARP entries for the specified subnet only.
static
Displays all configured static entries, including those without a valid

route.
Job aid
The following table shows the field descriptions for the show ip arp command.
Field
Description
IP Address
Specifies the IP address of the ARP entry.
Age (min)
Displays the ARP age time.
MAC Address
Specifies the MAC address of the ARP entry.
VLAN-Unit/Port/Trunk
Specifies the VLAN/port of the ARP entry.
Flags
Specifies the type of ARP entry. S=Static, D=Dynamic,

L=Local, B=Broadcast.
Configuring a global timeout for ARP entries
About this task

Use this procedure to configure an aging time for the ARP entries.
Procedure
To configure a global timeout for ARP entries, enter the following from the Global
Configuration mode:
ip arp timeout <timeout>
Variable
Value
<timeout>
Specifies the amount of time in minutes before an ARP entry ages out.
Range is 5-360. The default value is 360 minutes.
Clearing the ARP cache
About this task

Use this procedure to clear the cache of ARP entries.
Procedure
To clear the ARP cache, enter the following from the Global Configuration mode:
290

June 2014
clear arp-cache
Proxy ARP configuration

About this task
The following sections describe how to configure Proxy ARP using the CLI.
Configuring proxy ARP status on page 291
Displaying proxy ARP status on a VLAN on page 291
Configuring proxy ARP status
About this task

Use this procedure to enable proxy ARP functionality on a VLAN. By default, proxy ARP is disabled.
Prerequisites
Enable IP routing and configure an IP address on the VLAN to be configured as a Proxy ARP
interface.
Procedure
To configure proxy ARP status, enter the following from the VLAN Interface Configuration
mode:
[default] [no] ip arp-proxy enable
Variable
Value
default
Disables proxy ARP functionality on the VLAN.
no
Disables proxy ARP functionality on the VLAN.
Displaying proxy ARP status on a VLAN
About this task

Use this procedure to display the status of proxy ARP on a VLAN.
Procedure
To display proxy ARP status for a VLAN, enter the following from the User EXEC mode:
show ip arp-proxy interface [vlan<vid>]
Variable
Value
<vid>
Specifies the ID of the VLAN to display. Range is 1-4094.
Job aid
The following table shows the field descriptions for the show ip arp-proxy interfaces
command.
June 2014

291
Field
Description
Vlan
Identifies a VLAN.
Proxy ARP status
Specifies the status of Proxy ARP on the VLAN.
IGMP snooping configuration using the CLI

About this task
Use the following procedures to configure IGMP snooping on a VLAN using the CLI.
Related Links
IGMP snooping configuration procedures on page 293
Configuring IGMP snooping on a VLAN on page 293
Configuring IGMP send query on a VLAN on page 293
Configuring IGMP proxy on a VLAN on page 294
Configuring the IGMP version on a VLAN on page 294
Configuring static mrouter ports on a VLAN on page 295
Displaying IGMP snoop, proxy, and mrouter configuration on page 295
Configuring IGMP parameters on a VLAN on page 296
Configuring the router alert option on a VLAN on page 297
Displaying IGMP interface information on page 298
Job aid on page 298
Displaying IGMP group membership information on page 299
Configuring unknown multicast packet filter on page 300
Displaying the status of unknown multicast packet filtering on page 301
Job aid on page 301
Specifying a multicast MAC address to be allowed to flood all VLANs on page 301
Displaying the multicast MAC addresses for which flooding is allowed on page 302
Job aid on page 302
Displaying IGMP cache information on page 302
Job aid on page 302
Flushing the router table on page 303
Configuring IGMP selective channel block on page 303
Configuring IGMP selective channel block navigation on page 303
Creating an IGMP profile on page 304
Deleting an IGMP profile on page 304
Applying the IGMP filter profile on interface on page 304
Removing a profile from an interface on page 304
Displaying an IGMP profile on page 305
292

June 2014
IGMP snooping configuration procedures

Procedure
To configure IGMP snooping, the only required configuration is to enable snooping on the
VLAN.
All related configurations, listed below, are optional and can be configured to suit the
requirements of your network.
Configuring IGMP snooping on a VLAN

About this task
Enable IGMP snooping on a VLAN to forward the multicast data to only those ports that are
members of the group.
IGMP snooping is disabled by default.
Procedure
To enable IGMP snooping, enter the following from the VLAN Interface Configuration
command mode:
[default] [no] ip igmp snooping
OR
Enter the following from the Global Configuration command mode:
[default] vlan igmp <vid> [snooping {enable | disable}]
Variable
Value
default
Disables IGMP snooping on the selected VLAN.
no
enable
Enables IGMP snooping on the selected VLAN.
disable
Configuring IGMP send query on a VLAN

About this task
Use this procedure to enable IGMP send query on a snoop-enabled VLAN. When IGMP snooping
send query is enabled, the IGMP snooping querier sends out periodic IGMP queries that trigger
IGMP report messages from the switch or host that wants to receive IP multicast traffic. IGMP
snooping listens to these IGMP reports to establish appropriate forwarding.
IGMP send query is disabled by default.
Prerequisites
You must enable snoop on the VLAN.
June 2014

293
Procedure
To enable IGMP send query, enter the following command from the VLAN Interface
Configuration mode:
ip igmp send-query
Configuring IGMP proxy on a VLAN

About this task
Use this procedure to enable IGMP proxy on a snoop-enabled VLAN. With IGMP proxy enabled, the
switch consolidates incoming report messages into one proxy report for that group.
IGMP proxy is disabled by default.
Prerequisites
You must enable snoop on the VLAN.
Procedure
To enable IGMP proxy, enter the following from the VLAN Interface Configuration mode:
[default] [no] ip igmp proxy
OR
Enter the following from the Global Configuration command mode:
[default] [no] vlan igmp <vid> [proxy {enable | disable}]
Variable
Value
default
Disables IGMP proxy on the selected VLAN.
no
<vid>
Specifies the VLAN ID.
enable
Enables IGMP proxy on the selected VLAN.
disable
Configuring the IGMP version on a VLAN

About this task
Use this procedure to configure the IGMP version running on the VLAN. You can specify the version
as IGMPv1, IGMPv2, or IGMPv3 (IGMPv3 is supported for IGMP snooping only; it is not supported
with PIM-SM). The default is IGMPv2.
Procedure
To configure the IGMP version, enter the following from the VLAN Interface Configuration
mode:
[default] ip igmp version <1-3>
294

June 2014
Variable
Value
default
Restores the default IGMP protocol version (IGMPv2).
<1-3>
Specifies the IGMP version.
Configuring static mrouter ports on a VLAN

About this task
IGMP snoop considers the port on which the IGMP query is received as the active IGMP multicast
router (mrouter) port. By default, the switch forwards incoming IGMP Membership Reports only to
the active mrouter port.
To forward the IGMP reports to additional ports, you can configure the additional ports as static
mrouter ports.
Procedure
To configure static mrouter ports on a VLAN (IGMPv1, IGMPv2, and IGMPv3 according to
the supported version on the VLAN), enter the following from the VLAN Interface
Configuration mode:
[default] [no] ip igmp mrouter <portlist>
OR
To configure IGMPv1 or IGMPv2 static mrouter ports, enter the following from the Global
Configuration command mode:
[no] vlan igmp <vid> {v1-members | v2-members} [add | remove]
<portlist>
Variable
Value
default
Removes all static mrouter ports.
no
Removes the specified static mrouter port.
<portlist>
Specifies the list of ports to add or remove as static mrouter

ports.
{v1-members | v2-members}
Specifies whether the static mrouter ports are IGMPv1 or

IGMPv2.
[add | remove]
Specifies whether to add or remove the static mrouter

ports.
Displaying IGMP snoop, proxy, and mrouter configuration

About this task
Use this procedure to display the IGMP snoop, proxy, and mrouter configuration per VLAN.
Procedure
To display IGMP snoop information, enter:
June 2014

295
show ip igmp snooping

Variable
Value
Vlan
Indicates the Vlan ID.
Snoop Enable
Indicates whether snoop is enabled (true) or disabled (false).
Proxy Snoop Enable
Indicates whether IGMP proxy is enabled (true) or disabled (false).
Static Mrouter Ports
Indicates the static mrouter ports in this VLAN that provide

connectivity to an IP multicast router.
Active Mrouter Ports
Displays all dynamic (querier port) and static mrouter ports that are
active on the interface.
Mrouter Expiration Time
Specifies the time remaining before the multicast router is aged out
on this interface. If the switch does not receive queries before this
time expires, it flushes out all group memberships known to the
VLAN. The Query Max Response Interval (obtained from the queries
received) is used as the timer resolution.
Configuring IGMP parameters on a VLAN

About this task
Use this procedure to configure the IGMP parameters on a VLAN.
Important:
The query interval, robustness, and version values must be the same as those configured on
the interface (VLAN) of the multicast router (IGMP querier).
Procedure
To configure IGMP parameters, enter the following from the VLAN Interface Configuration
mode:
[default] ip igmp [last-member-query-interval<last-mbr-query-in>]
[query-interval<query-int>] [query-max-response<query-max-resp>]
[robust-value<robust-val>] [version<1-3>]
OR
enter the following from the Global Configuration command mode:
[default] vlan igmp <vid> [query-interval<query-int<] [robustvalue<robust-val>]
296
Variable
Value
default
Sets the selected parameter to the default value. If no parameters

are specified, snoop is disabled and all IGMP parameters are set to
their defaults.

June 2014
Variable
Value
<last-mbr-query-int>
Sets the maximum response time (in 1/10 seconds) that is inserted
into group-specific queries sent in response to leave group
messages. This parameter is also the time between group-specific
query messages. This value is not configurable for IGMPv1.
Decreasing the value reduces the time to detect the loss of the last
member of a group.
The range is from 0255, and the default is 10 (1 second). Avaya
recommends configuring this parameter to values higher than 3. If
a fast leave process is not required, Avaya recommends values
above 10. (The value 3 is equal to 0.3 of a second, and 10 is equal
to 1.0 second.)
<query-int>
Sets the frequency (in seconds) at which host query packets are
transmitted on the VLAN.
The range is 165535. The default value is 125 seconds.
<query-max-resp>
Specifies the maximum response time (in 1/10 seconds) advertised

in IGMPv2 general queries on this interface.
The range is 0255. The default value is 100 (10 seconds).
<robust-val>
Specifies tuning for the expected packet loss of a network. This

value is equal to the number of expected query packet losses for
each serial query interval, plus 1. If you expect a network to lose
query packets, you must increase the robustness value.
Ensure that the robustness value is the same as the configured
value on the multicast router (IGMP querier).
The range is from 2 to 255, and the default is 2. The default value
of 2 means that one query for each query interval can be dropped
without the querier aging out.
Configuring the router alert option on a VLAN

About this task
Use this command to enable the router alert feature. This feature instructs the router to drop control
packets that do not have the router-alert flag in the IP header.
Important:
To maximize your network performance, Avaya recommends that you set the router alert option
according to the version of IGMP currently in use: IGMPv1Disable IGMPv2Enable IGMPv3
Enable
Procedure
To configure the router alert option on a VLAN, enter the following from the VLAN Interface
Configuration mode:
[default] [no] ip igmp router-alert
June 2014

297
Variable
Value
default
Disables the router alert option.
no
Disables the router alert option.
Displaying IGMP interface information

About this task
Use this procedure to display IGMP interface parameters.
Procedure
To display the IGMP interface information, enter:
show ip igmp interface vlan <Vlan ID>
OR
Enter:
show vlan igmp <Vlan ID>
Job aid
The following table shows the field descriptions for the show ip igmp interface command.
298
Field
Description
VLAN
Indicates the VLAN on which IGMP is configured.
Query Intvl
Specifies the frequency (in seconds) at which host query packets are
transmitted on the interface.
Vers
Specifies the version of IGMP configured on this interface.
Oper Vers
Specifies the version of IGMP running on this interface.
Querier
Specifies the IP address of the IGMP querier on the IP subnet to

which this interface is attached.
Query MaxRsp T
Indicates the maximum query response time (in tenths of a second)

advertised in IGMPv2 queries on this interface.
Wrong Query
Indicates the number of queries received whose IGMP version does

not match the Interface version. You must configure all routers on a
LAN to run the same version of IGMP. Thus, if queries are received
with the wrong version, a configuration error occurs.
Joins
Indicates the number of times a group membership was added on

this interface.
Robust
Specifies the robust value configured for expected packet loss on the
interface.
LastMbr Query
Indicates the maximum response time (in tenths of a second) inserted

into group-specific queries sent in response to leave group
messages, and is also the amount of time between group-specific
query messages. Use this value to modify the leave latency of the
network. A reduced value results in reduced time to detect the loss of

June 2014
Field
Description
the last member of a group. This does not apply if the interface is
configured for IGMPv1.
Send Query
Indicates whether the ip igmp send-query feature is enabled or

disabled. Values are YES of NO. Default is disabled.
The following table shows the field descriptions for the show vlan igmp <Vlan Id> command.
Field
Description
VLAN ID
Displays the VLAN Id
Snooping
Indicates whether snooping is enabled or disabled.
Proxy
Indicates whether proxy snoop is enabled or disabled.
Robust Value
Indicates the robust value configured for expected packet loss

on the interface.
Query Time
Indicates the frequency (in seconds) at which host query

packets are transmitted on the interface.
IGMPv1 Static Router Ports
Indicates the IGMPv1 static mrouter ports.
IGMPv2 Static Router Ports
Indicates the IGMPv2 static mrouter ports.
Related Links
Displaying IGMP group membership information

About this task
Display the IGMP group information to show the learned multicast groups and the attached ports.
Procedure
To display IGMP group information, enter:
show ip igmp group [count] [group <A.B.C.D>] [membersubnet<A.B.C.D>/<0-32>]
OR
Enter:
show vlan multicast membership <Vlan ID>
Variable
Value
count
Displays the number of IGMP group entries.
group <A.B.C.D>
Displays group information for the specified group.
member-subnet <A.B.C.D>/<0-32
Displays group information for the specified member

subnet.
June 2014

299
Job aid
The following table shows the field descriptions for the show ip igmp group command.
Field
Description
Group Address
Indicates the multicast group address.
VLAN
Indicates the VLAN interface on which the group exists.
Member Address
Indicates the IP address of the IGMP receiver (host or IGMP

reporter). The IP address is 0.0.0.0 if the type is static.
Expiration
Indicates the time left before the group report expires. This variable is
updated upon receiving a group report.
Type
Specifies the type of membership: static or dynamic.
In Port
Identifies the member port for the group. This is the port on which
group traffic is forwarded and in those case where the type is
dynamic, it is the port on which the IGMP join was received.
The following table shows the field descriptions for the show vlan multicast membership
command.
Field
Description
Multicast Group Address
In Port
Indicates the physical interface or a logical interface (VLAN) that

received group reports from various sources.
Configuring unknown multicast packet filter

About this task
The default switch behavior is to flood all packets with unknown multicast addresses. Use this
procedure to prevent the flooding of packets with unknown multicast addresses and enable the
forwarding of these packets to static mrouter ports only.
Procedure
To configure unknown multicast packet flooding, enter the following from the Global
Configuration mode:
[no] [default] vlan igmp <vid> unknown-mcast-no-flood {enable |
disable}
300
Variable
Value
no
Enables the flooding of multicast packets on the VLAN.
default
enable
Prevents the flooding of multicast packets on the VLAN.
disable

June 2014
Displaying the status of unknown multicast packet filtering

About this task
Use this procedure to display the status of unknown multicast filtering: enabled (no flooding) or
disabled (flooding allowed).
Procedure
To display the unknown multicast flooding configuration, enter:
show vlan igmp unknown-mcast-no-flood
Job aid
The following table shows the field descriptions for the show vlan igmp unknown-mcast-noflood command.
Field
Description
Unknown Multicast No-Flood
Specifies the status of unknown multicast filtering: enabled

or disabled.
Related Links
Specifying a multicast MAC address to be allowed to flood all VLANs

About this task
Use this procedure to allow particular unknown multicast packets to be flooded on all switch VLANs.
To add MAC addresses starting with 01.00.5E to the allow-flood table, you must specify the
corresponding multicast IP address. For instance, you cannot add MAC address 01.00.5E.01.02.03
to the allow-flood table, but instead you must specify IP address 224.1.2.3.
For all other types of MAC address, you can enter the MAC address directly to allow flooding.
Procedure
To allow particular unknown multicast packets to be flooded, enter the following from the
Global Configuration mode:
vlan igmp unknown-mcast-allow-flood {<H.H.H> | <mcast_ip_address>}
Variable
Value
<H.H.H>
Specifies the multicast MAC address to be flooded. Accepted

formats are:
H.H.H
xx:xx:xx:xx:xx:xx
xx.xx.xx.xx.xx.xx
xx-xx-xx-xx-xx-xx
June 2014

301
Variable
Value
<mcast_ip_address>
Specifies the multicast IP address to be flooded.
Displaying the multicast MAC addresses for which flooding is allowed

About this task
Use this procedure to display the multicast MAC addresses for which flooding is allowed on all
switch VLANs.
Procedure
To display the multicast MAC addresses for which flooding is allowed, enter:
show vlan igmp unknown-mcast-allow-flood
Job aid
The following table shows the field descriptions for the show vlan igmp unknown-mcastallow-flood command.
Field
Description
Allowed Multicast Vlan MAC Addresses
Indicates multicast VLAN MAC addresses that can flood.
Allowed Multicast Vlan IP Addresses
Indicates multicast VLAN IP addresses that can flood.
Related Links
Displaying IGMP cache information

About this task
Display the IGMP cache information to show the learned multicast groups in the cache and the
IGMPv1 version timers.
Note: Using the show ip igmp cache command may not display the expected results in some
configurations. If the expected results are not displayed, use the show ip igmp group command to
view the information.
Procedure
To display the IGMP cache information, enter:
show ip igmp cache
Job aid
The following table shows the field descriptions for the show ip igmp cache command.
302
Field
Description
Group Address
Vlan ID
Indicates the VLAN interface on which the group exists.
Last Reporter
Indicates the last IGMP host to join the group.

June 2014
Field
Description
Expiration
Indicates the group expiration time (in seconds).
V1 Host Timer
Indicates the time remaining until the local router assumes

that no IGMP version 1 members exist on the IP subnet
attached to the interface. Upon hearing an IGMPv1
membership report, this value is reset to the group
membership timer.
When the time remaining is nonzero, the local interface
ignores IGMPv2 leave messages that it receives for this
group.
Type
Indicates whether the entry is learned dynamically or is

added statically.
Related Links
Flushing the router table

About this task
Use this procedure to flush the router table.
Procedure
To flush the router table, enter the following from the Global Configuration mode:
ip igmp flush vlan <vid> {grp-member|mrouter}
Variable
Value
{grp-member|mrouter}
Flushes the table specified by type.
Configuring IGMP selective channel block

About this task
In certain deployment scenarios it might be required not to allow multicast streaming from specific
group addresses to users connected to certain ports. With the IGMP selective channel block feature
this type of control can be implemented. When configured it will control the IGMP membership of
ports by blocking IGMP reports received from users on that port destined for the specific group
address/addresses. The filter can be configured to block a single multicast address or range of
addresses.
This feature will work regardless of whether the switch is in Layer 2 IGMP snooping mode or the full
IGMP mode (PIM-SM enabled). It will also be applicable for IGMPv1 and v2.
Configuring IGMP selective channel block navigation

About this task
Creating an IGMP profile on page 304
Deleting an IGMP profile on page 304
June 2014

303
Applying the IGMP filter profile on interface on page 304

Removing a profile from an interface on page 304
Displaying an IGMP profile on page 305
Related Links
Creating an IGMP profile

About this task
Use this procedure to create an IGMP profile.
Procedure
1. In the Global Configuration mode, enter the command ip igmp profile <profile
number (1-65535)>.
2. Configure the IGMP filter profile address range. Enter the command range <starting ip
address of range><ending ip address of range>.
Deleting an IGMP profile

About this task
Use this procedure to delete an IGMP profile.
Procedure
To delete an IGMP profile enter the following command from Global Configuration mode:
no ip igmp profile <profile number (1-65535)>
Applying the IGMP filter profile on interface

About this task
Use this procedure to apply the IGMP filter profile on an interface.
Procedure
1. From Global Configuration mode enter the interface <interface-id> command.
2. Enter the ip igmp filter <profile number> command.
Removing a profile from an interface

About this task
Use this procedure to remove a profile from an interface.
Procedure
1. From Global Configuration mode enter the interface <interface-id> command.
2. Enter the no ip igmp filter <profile number> command.
304

June 2014
Displaying an IGMP profile

About this task
Use this procedure to display an IGMP profile.
Procedure
To display an IGMP profile enter the following command from Global Configuration mode:
show ip igmp profile <cr> or <profile number>
Job aid
The following table shows the field descriptions for the show ip igmp profile command.
Field
Description
Profile
Indicates the profile ID of the IGMP.
Type
Allows or denies rule for IGMP profile.
Range Start
Indicates the IGMP Multicast start address.
Range End
Indicates the IGMP Multicast end address.
Port List
Specifies the type of port as blocked or static.
Matched Grps
Specifies the matching profile for IGMP group.
Configuring Access Lists

Use the CLI commands in this section to configure and manage Access Lists.
Related Links
Assigning ports to an access list on page 305
Removing an access list assignment on page 306
Creating an IP access list on page 306
Removing an IP access list on page 307
Creating a Layer 2 access list on page 307
Removing a Layer 2 access list on page 308
Assigning ports to an access list

About this task
Assign ports to an access list by performing this the procedure.
Procedure
Assign ports to an access list by using the following command in Global Configuration mode.
qos acl-assign port <port_list> acl-type {ip | l2} name <name>
June 2014

305
Variable
Value
port <port_list>
Specifies the list of ports assigned to the specified access list.
acl-type {ip | l2}
Specifies the type of access list used; IP or Layer 2.
name <name>
Specifies the name of the access list to be used. Access lists must be
configured before ports can be assigned to them.
Removing an access list assignment

About this task
Remove an access list assignment by performing this procedure.
Procedure
Remove an access list assignment by using the following command from Global
Configuration mode.
no qos acl-assign <aclassignid>
Creating an IP access list

About this task
Create an IP access list by performing this procedure.
Procedure
Create an access list by using the following procedure from Global Configuration mode.
qos ip-acl name <name> [addr-type <addrtype>] [src-ip <source_ip>]
[dst-ip <destination_ip>] [ds-field <dscp>] [{protocol
<protocol_type> | next_header <header>}] [src-port-min <port> srcport-max <port>] [dst-port-min <port> dst-port-max <port>] [flow-id
<flowid>] [drop-action {drop | pass}] [update-dscp <0 - 63>]
[update-1p <0 - 7>] [set-drop-prec {high drop | low drop}] [block
<block_name>]
306
Variable
Value
name <name>
Specifies the name assigned to this access list.
addr-type <addrtype>
Specifies the IP address type to use for the access list.
src-ip <source_ip>
Specifies the source IP address to use for this access list.
dst-ip <destination_ip>
Specifies the destination IP address to use for this access list.
ds-field <dscp>
Specifies the DSCP value to use for this access list.
{protocol <protocol_type> |
next_header <header>}
Specifies the protocol type or IP header to use with this access list.

June 2014
Variable
Value
src-port-min <port> src-portmax <port>
Specifies the minimum and maximum source ports to use with this access
list. Both values must be specified.
dst-port-min <port> dst-portmax <port>
Specifies the minimum and maximum destination ports to use with the
access list. Both values must be specified.
flow-id <flowid>
Specifies the flow ID to use with this access list.
drop-action {drop | pass}
Specifies the drop action to use for this access list.
update-dscp <0 - 63>
Specifies the DSCP value to update for this access list.
update-1p <0 - 7>
Specifies the 802.1p value to update for this access list.
set-drop-prec {high drop | low

drop}
Specifies the drop precedence to configure for this access list.
block <block_name>
Specifies the block name to associate with the access list.
Removing an IP access list

About this task
Remove an IP access list by performing this procedure.
Procedure
Remove an access list by using the following command from Global Configuration mode.
no qos ip-acl <aclid>
Creating a Layer 2 access list

About this task
Create a Layer 2 access list by performing this procedure.
Procedure
Create an access list by using the following command from Global Configuration mode.
qos l2-acl name <name> [src-mac <source_mac_address>] [src-mac-mask
<source_mac_address_mask>] [dst-mac <destination_mac_address>] [dstmac-mask <destination_mac_address_mask>] [vlan-min <vid_min> vlanmax <vid_max>] [vlan-tag <vtag>] [ethertype <etype>] [priority
<ieee1p_seq>] [drop-action {drop | pass}] [update-dscp <0 - 63>]
[update-1p <0 - 7>] [set-drop-prec {high-drop | low-drop}] [block
<block_name>]
Note: Possible values for vlan-max are based on the binary value of vlan-min, and are
obtained by replacing consecutive trailing zeros in this binary value with ones, starting at the
right-most position. For example, if vlan-min = 200, then there are 4 possible values for vlanmax: 11001000 (200) 11001001 (201) 11001011 (203) 11001111 (207) The value of vlanmax is vlan-min + 2n - 1, where n is the number of consecutive trailing zeros replaced.
June 2014

307
Variable
Value
name <name>
Specifies the name assigned to this access list.
src-mac
<source_mac_address>
Specifies the source MAC address to use for this access list.
src-mac-mask
<source_mac_address_mask
>
Specifies the source MAC address mask to use for this access list.
[dst-mac
<destination_mac_address>]
Specifies the destination MAC address to use for this access list.
dst-mac-mask
<destination_mac_address_m
ask>
Specifies the destination MAC address mask to use for this access list.
vlan-min <vid_min> vlan-max

<vid_max>
Specifies the minimum and maximum VLANs to use with this access list.
Both values must be specified.
vlan-tag <vtag>
Specifies the VLAN tag to use with this access list.
ethertype <etype>
Specifies the Ethernet protocol type to use with the access list.
priority <ieee1p_seq>
Specifies the priority value to use with this access list.
drop-action {drop | pass}
Specifies the drop action to use for this access list.
update-dscp <0 - 63>
Specifies the DSCP value to update for this access list.
update-1p <0 - 7>
Specifies the 802.1p value to update for this access list.
set-drop-prec {high-drop | lowdrop}
Specifies the drop precedence to configure for this access list.
block <block_name>
Specifies the block name to associate with the access list.
Removing a Layer 2 access list

About this task
Remove a Layer 2 access list by performing this procedure.
Procedure
Remove an access list by using the following command from Global Configuration mode.
no qos l2-acl <aclid>
Configuring Elements, Classifiers, and Classifier Blocks

About this task
Use the CLI commands in this section to configure elements, classifiers, and classifier blocks.
Related Links
308

June 2014
Configuring IP classifier element entries on page 309

Viewing IP classifier entries on page 310
Removing IP classifier entries on page 310
Adding Layer 2 elements on page 311
Viewing Layer 2 elements on page 312
Removing Layer 2 elements on page 312
Linking IP and L2 classifier elements on page 312
Removing classifier entries on page 313
Combining individual classifiers on page 313
Removing classifier block entries on page 314
Configuring IP classifier element entries

About this task
Use the following procedure to add and configure classifier entries.
Procedure
Add and configure classifier entries by using the following command from Global
Configuration mode.
qos ip-element <cid> [addr-type <addrtype>] [ds-field <dscp>] [dstip <dst-ip-info>] [dst-port-min <port>] [flow-id <flowid>] [ip-flag
<ip-flags>] [ipv4-options <no-opt | with-opt>] [next-header
<nextheader>] [session-id] [src-ip <src-ip-info>] [src-port-min
<port>] [tcp-control <tcp-flags>]
Variable
Value
<cid>
Specifies the element ID, value ranges from 155000.
addr-type <addrtype>
Specifies the address type. Use the value ipv4 to indicate an

IPv4 address or the value ipv6 to indicate an IPv6 address. The
default value is ipv4.
ds-field <0-63>
Specifies a 6-bit DSCP value; value ranges from 063. Default

is ignore.
dst-ip <dst-ip-info>
Specifies the source IP address and mask in the form of

a.b.c.d/x for IPv4, or x:x:x:x:x:x:x:x/z for IPv6. Default is 0.0.0.0.
dst-port-min <port>
Specifies the L4 destination port minimum value.
flow-id <flowid>
Specifies the IPv6 flow identifier.
ip-flag <ip-flags>
Specifies the flags present in an IPv4 header.
ipv4-options <no-opt | with-opt>
Specifies whether the Option field is present in the packet

header. Valid values are
no-optindicates that only IPv4 packets without options will
match this classifier element.
June 2014

309
Variable
Value
with-optindicates that only IPv4 packets with options will
match this classifier element.
next-header
Specifies the IPv6 next header classifier criteria; range is 0

255.
src-ip <src-ip-info>
Specifies the source IP address and mask in the form of

a.b.c.d/x for IPv4, or x:x:x:x:x:x:x:x/z for IPv6. Default is 0.0.0.0.
session-id
Specifies the session ID.
src-port-min <port>
Specifies the L4 source port minimum value.
tcp-control <tcp-flags>
Specifies the control flags present in an TCP header.
Viewing IP classifier entries

About this task
View IP classifier entries by performing this procedure.
Procedure
View IP classifier element entries by using the following commands from the Privileged
EXEC Configuration mode.
show qos ip-element [<1-65535>] [all] [system] [user]
Use the data in the following table to use show qos ip element command.
Variable
Description
<165535>
Displays the specified IP classifier element entry.
all
Displays all user-created, default, and system entries.
system
Displays system entries only.
user
Displays only user-created and default entries.
Removing IP classifier entries

About this task
Use the following procedure to remove IP classifier entries.
Note: An IP element that is referenced in a classifier cannot be deleted.
Procedure
Remove IP classifier entries by using the following command from Global Configuration
mode.
no qos ip-element <1-55000>
310

June 2014
Adding Layer 2 elements

About this task
Use the following procedure to add Layer 2 elements.
Note: A Layer 2 element referenced in a classifier cannot be deleted.
Procedure
Add Layer 2 elements by using the following command from the Global Configuration mode.
qos l2-element <1-55000> [dst-mac <dst-mac>] [dst-mac-mask <dst-macmask>] [ethertype <etype>] [ivlan-min <vid-min>] [pkt-type <etherII
| llc | snap>] [priority <ieee1p-seq>] [session-id <session-id>]
[src-mac <src-mac>] [src-mac-mask <src-mac-mask>] [vlan-min <vidmin>] [vlan-tag <vtag>]
Variable
Value
<1-55000>
Specifies the element ID; range is 155000.
dst-mac <dst-mac>
Specifies the destination MAC element criteria. Valid

format is H.H.H.
dst-mac-mask <dst-mac-mask>
Specifies the destination MAC mask element criteria.

Valid format is H.H.H.
ethertype <etype>
Specifies the Ethernet type. Valid format is 0xXXXX, for

example, 0x0801. Default is ignore.
ivlan-min <vid-min>
Specifies the inner VLAN ID minimum value element

criteria. Range is 14094.
pkt-type <etherII | llc | snap>
Specifies the packet frame format.

etherIIindicates that only Ethernet II format frames
match this classifier component.
snapindicates that only EEE 802 SNAP format
frames match this classifier component.
llcindicates that only IEEE 802 LLC format frames
match this classifier component.
priority <ieee1p-seq>
Specifies the 802.1p priority values; range from 07 or

all. Default is ignore.
session-id <session-id>
src-mac <src-mac>
Specifies the source MAC element criteria. Enter in the

format H.H.H.
src-mac-mask <src-mac-mask>
Specifies the source MAC mask element criteria. Valid

format is H.H.H.
vlan-min <vid-min>
Specifies the VLAN ID minimum value element criteria.

Range is 14094.
June 2014

311
Variable
Value
vlan-tag <format>
Specifies the packet format element criteria:

untagged
tagged
The default is Ignore.
Viewing Layer 2 elements

About this task
View Layer 2 elements by performing this procedure.
Procedure
View Layer 2 element entries by using the following commands from the Privileged EXEC
Configuration mode.
show qos l2-element [<1-65535>] [all] [system] [user]
Use the data in the following table to use show qos l2 element command.
Variable
Description
<165535>
Displays the specified Layer2 classifier element entry.
all
system
user
Removing Layer 2 elements

About this task
Use the following procedure to delete Layer 2 element entries.
Procedure
Delete element entries by using the following command from Global Configuration mode.
no qos l2-element <1-55000>
Linking IP and L2 classifier elements

About this task
Use the following procedure to link IP and L2 classifier elements.
Note: A classifier that is referenced in a classifier block or installed policy cannot be deleted.
Procedure
Link elements by using the following command from Global Configuration mode.
312

June 2014
qos classifier <1-55000> set-id <1-55000> [name <WORD>] element-type

{ip | l2 | system} element-id <1-55000>
Variable
Value
classifier <1-55000>
Specifies the classifier ID; range is 155000.
set-id <1-55000>
Specifies the classifier set ID; range is 155000.
name <WORD>
Specifies the set label; maximum is 16 alphanumeric characters.
element-type {ip| l2 |system}
Specifies the element type; either ip or l2, or system classifier.
element-id <1-55000>
Specifies the element ID; range is 155000.
Removing classifier entries

About this task
Use the following procedure to delete classifier entries.
Note: Each classifier can have only a single IP classifier element plus a single L2 classifier element
or system classifier element. However, a classifier can be created using only one IP classifier
element or only one L2 classifier element or only one system classifier element.
Procedure
Delete classifier entries by using the following command from Global Configuration mode.
no qos classifier <1-55000>
Combining individual classifiers

About this task
Use the following procedure to combine individual classifiers.
Note: A classifier block that is referenced in an installed policy cannot be deleted.
Procedure
Combine individual classifiers by using the following command from Global Configuration
mode.
qos classifier-block <1-55000> block-number <1-55000> [name <WORD>]
{set-id <1-55000> | set-name <WORD>} [{in-profile-action <1-55000> |
in-profile-action-name <WORD>} | {meter <1-55000> | meter-name
<WORD>}]
Variable
Value
classifier-block<1-55000>
Specifies an the classifier block ID; range is 155000.
block-number <1-55000>
Specifies the classifier block number; range is 155000.
name <WORD>
Specifies the label for the classifier block; maximum is 16 alphanumeric

characters.
June 2014

313
Variable
Value
set-id <1-55000>
Specifies the classifier set to be linked to the classifier block; range is 1

55000.
set-name <WORD>
Specifies the classifier set name to be linked to the classifier block;

maximum is 16 alphanumeric characters.
in-profile-action <1-55000>
Specifies the in profile action to be linked to the filter block; range is 1

55000.
in-profile-action-name <WORD> Specifies the in profile action name to be linked to the classifier block;
maximum is 16 alphanumeric characters.
meter <1-55000>
Specifies the meter to be linked to the classifier block; range is 155000.
meter-name <WORD>
Specifies the meter name to be linked to the classifier block; maximum is

16 alphanumeric characters.
Removing classifier block entries

About this task
Use the following procedure to delete classifier block entries.
Procedure
Delete classifier block entries by using the following command from Global Configuration
mode.
no qos classifier-block <1-55000>
Configuring wired Quality of Service

About this task
The following sections describe the CLI commands to configure DiffServ and Quality of Service
(QoS) parameters for policy-enabled networks.
Note:
When the ignore value is used in QoS, the system matches all values for that parameter.
Related Links
Displaying QoS Parameters on page 315
Displaying QoS capability policy configuration on page 318
QoS Agent configuration on page 318
Configuring Default Buffering Capabilities on page 320
Configuring the CoS-to-Queue Assignments on page 322
Configuring QoS Interface Groups on page 323
Configuring DSCP and 802.1p and Queue Associations on page 325
Configuring QoS system-element on page 327
314

June 2014
Configuring QoS Actions on page 329

Configuring QoS Interface Action Extensions on page 331
Configuring QoS Meters on page 332
Configuring QoS Interface Shaper on page 333
Configuring QoS Policies on page 334
QoS Generic Filter set configuration on page 336
Configuring User Based Policies on page 338
Maintaining the QoS Agent on page 341
Configuring DoS Attack Prevention Package on page 343
Displaying QoS Parameters

About this task
Display QoS parameters by performing this procedure.
Procedure
Display QoS parameters by using the following command from Privileged EXEC mode.
show qos { acl-assign <1 - 65535> | action [user | system | all |
<1-65535>] | agent [details]| bpdu {blocker [port] } | capability
[meter|shaper] | classifier [user | system | all | <1-65535>] |
classifier-block [user | system | all |<1-65535> ] | dhcp {snooping
[port] | spoofing [port] } | diag [unit] | dos {nachia [port] |
sqlslam [port] | tcp-dnsport [port] | egressmap [ds| status]| ifaction-extension [user | system | all | <1-65535>] | if-assign
[port] | if-group | if-shaper [port] | ingressmap | ip-acl <1 65535> | ip-element [user | system | all | <1-65535>] | l2-acl <1 65535> | l2-element [user | system | all | <1-65535>] | meter [user
| system | all | <1-65535>] | nsna | policy [user | system | all |
<1-65535>] | queue-set | queue-set-assignment | statistics <1-65535>
| system-element [user | system | all |<1-65535>] | ubp | userpolicy}
Variable
Value
acl-assign <1 - 65535>
Displays the specified access list assignment entry.

<1-65535>Displays a particular entry.
action [<1-65535> | all | system | Displays the base action entries. The applicable values are:
user]
<1-65535>displays a particular entry.
alldisplays user-created, default, and system entries.
systemdisplays only system entries.
userdisplays only user-created and default entries.
Default is all.
June 2014

315
Variable
Value
agent <details>
Displays the global QoS parameters.

detailsdisplays the policy class support table.
capability [meter | shaper]
Displays the current QoS meter and shaper capabilities of each interface.
The applicable values are:
meterdisplays QoS port meter capabilities.
shaperdisplays QoS port shaper capabilities.
classifier [<1-65535> | all |

system user]
Displays the classifier set entries. The applicable values are:

alldisplays all user-created, default, and system entries.
Default is all.
classifier-block [<1-65535> | all | Displays the classifier block entries. The applicable values are:
system | user]
Default is all.
diag [unit]
Displays the diagnostics entries.

unit <1-8>displays diagnostic entries for particular unit
egressmap
Displays the association between the DSCP and the 802.1p priority and
drop precedence.
filter-limiting
Displays QoS filter limiting.
if-action-extension [<1-65535> |
all | system | user]
Displays the interface action extension entries. The applicable values are:
Default is all.
if-assign [port]
Displays the list of interface assignments.

portList of ports. Displays the configuration for particular ports
if-group
Displays the interface groups.
if-queue-shaper
Displays the interface egress queue shaping parameters.
if-shaper [port]
Displays the interface shaping parameters.

portList of ports. Displays the configuration for particular ports
316

June 2014
Variable
Value
ingressmap
Displays the 802.1p priority to DSCP mapping.
ip-acl <1 - 65535>
Displays the specified IP access list assignment entry.

ip-element [<1-65535> | all |

system | user]
Displays the IP classifier element entries. The applicable values are:

Default is all.
l2-acl <1 - 65535>
Displays the specified Layer 2 access list assignment entry.

l2-element [<1-65535> | all |

system | user]
Displays the Layer 2 classifier element entries. The applicable values are:
Default is all.
meter [<1-65535> | all | system |

user]
Displays the meter entries. The applicable values are:

Default is all.
nsna [classifier | interface |

name]
Displays QoS NSNA entries. The applicable values are:

classifierdisplays QoS NSNA classifier entries.
interfacedisplays QoS NSNA interface entries.
namespecifies the label to display a particular NSNA template entry.
policy [<1-65535> | all | system |

user]
Displays the policy entries. The applicable values are:

Default is all.
port
June 2014
Displays QoS port configuration.

317
Variable
Value
queue-set
Displays the queue set configuration.
queue-set-assignment
Displays the association between the 802.1p priority to that of a specific

queue.
statistics <1-65535>
Displays the policy and filter statistics values.

system-element [<1-65535> | all

| system | user]
Displays the system classifier element entries. The applicable values are:
traffic-profile
Displays QoS Traffic Profile entries.
ubp [classifier | interface | name] Displays QoS UBP entries. The applicable values are:
classifierdisplays QoS UBP classifier entries.
interfacedisplays QoS UBP interface entries.
namespecifies the label to display a particular UBP template entry.
user-policy
Displays QoS User Policy entries.
Displaying QoS capability policy configuration

About this task
Display QoS meter and shaper capabilities for system ports by performing this procedure.
Procedure
Display QoS capability policy configuration by using the following command from Privileged
EXEC mode:
show qos capability {meter [port] | shaper [port]}
Variable
Value
meter [port]
Displays granularity for committed rate, maximum committed rate and

maximum bucket that can be used on ports for meters.
portspecifies list of ports. Displays the information for particular ports
shaper [port]
Displays granularity for committed rate, maximum committed rate and

maximum bucket that can be used on ports for shapers.
portspecifies list of ports. Displays the information for particular ports
QoS Agent configuration

Related Links
318

June 2014
Globally enabling and disabling QoS Agent support on page 319

Configuring a default queue set on page 319
Modifying default queue configuration on page 320
Globally enabling and disabling QoS Agent support

About this task
Perform this procedure to globally enable or disable QoS Agent support. The commands used in
this procedure are available in Global Configuration mode.
QoS Agent support is enabled by default. QoS Agent support cannot be disabled if QoS functionality
is currently used by NSNA or UBP.
Procedure
1. Globally enable QoS Agent support using the following command:
qos agent oper-mode [enable]
OR
default qos agent [oper-mode]
2. Globally disable QoS Agent support using the following commands:
qos agent oper-mode [disable]
OR
no qos agent oper-mode [enable]
Variable
Value
enable
Enables QoS Agent functionality for the system.
disable
Disables QoS Agent functionality for the system.
Configuring a default queue set

About this task
Use the following procedure to specify the default queue set.
Note: The default qos agent command has the same result as the qos agent reset-default
command.
Procedure
Configure the queue set by using the following command from Global Configuration mode.
default qos agent [aq-mode| buffer | dos-attack-prevention | nvramdelay | oper-mode | queue-set | statistics-tracking | ubp]
June 2014

319
Variable
Value
aq-mode
Restores default Auto QOS application traffic processing mode.
buffer
Restores default QoS resource buffer allocation.
dos-attack-prevention
Restores default QoS DoS Attack Prevention. This parameter is only

available on the 5600 Series switch.
nvram-delay
Restores default maximum time in seconds to write configuration data to a

nonvolatile storage.
oper-mode
Restores default QoS operational mode.
queue-set
Restores default QoS queue set.
statistics-tracking
Restores default QoS statistics tracking support.
ubp
Restores default QoS UBP support level.
Job aid: Viewing the QoS agent
About this task

The following is an example for viewing the qos agent
5530-24TFD(config)#show qos agent QoS Operational Mode: Enabled QoS NVRam
Commit Delay: 10 seconds QoS Queue Set: 2 QoS Buffering: Large QoS UBP
Support Level: Low Security Local Data QoS Default Statistics Tracking:
Aggregate QoS DOS Attack Prevention: Disabled Minimum TCP Header Length:
20 Maximum IPv4 ICMP Length: 512 Maximum IPv6 ICMP Length: 512 QoS NT
mode: Disabled
Modifying default queue configuration

About this task
Use the following procedure to modify the default queue configuration.
Note: The queue-set value sets the number of queues in a queue set for each port type. The default
value is 2.
Procedure
Modify the configuration by using the following command from Global Configuration mode.
qos agent queue-set <1-8>
Configuring Default Buffering Capabilities

Use the following CLI commands to display and modify the buffer allocation mode.
Related Links
Configuring default QoS resource buffer on page 321
Modifying QoS resource buffer allocation on page 321
320

June 2014
Configuring default QoS resource buffer

About this task
Use the following procedure to allocate the default QoS resource buffer.
Procedure
Restore the default the resource buffer by using the following command from Global
Configuration mode.
default qos agent buffer
Modifying QoS resource buffer allocation

About this task
Use the following procedure to modify QoS resource buffer allocation.
Procedure
1. Modify resource buffer allocation by using the following command from Global Configuration
mode.
qos agent buffer <regular | large | loseless | maximum>
2. View the QoS resource buffer allocaton by using the following command:
show qos agent details
Example
WCP8180(config)#show qos agent details
QoS
QoS
QoS
QoS
QoS
QoS
QoS
Operational Mode: Enabled

NVRam Commit Delay: 10 seconds
Queue Set: 2
Buffering: Large
UBP Support Level: Disabled
Default Statistics Tracking: Aggregate
DoS Attack Prevention: Enabled w/ Status Tracking
Minimum TCP Header Length: 20
Maximum IPv4 ICMP Length: 512
Maximum IPv6 ICMP Length: 512
Auto QoS Mode: Disabled
QoS Trusted Processing Mode: Partial
QoS Policy Device Ident. Descr: Avaya QoS Policy Agent (QPAv2) v6.2.0
QoS Policy Device Max. Message Size: 2048 bytes
Policy Class Name
Maximum
Installed
Instances
________________________________________ __________ __________
ntnQosPrcSupportTable
28
0
ntnQosPolicyDeviceIdentTable
1
0
ntnQosInterfaceRoleTable
4
100
ntnQosIfQueueTable
252
0
ntnQosIfAssignmentTable
31
512
ntnQosDscpToCosTable
64
64
ntnQosCosToDscpTable
8
8
ntnQosQsetPriAssignmentTable
448
8
ntnDsMultiFieldClfrTable
0
200
ntnL2MultiFieldClfrTable
2
200
ntnSystemClfrTable
1
100
June 2014
Current
Instances

321
ntnClfrComponentTable
ntnClfrBlockTable
ntnQosIfcActionTable
ntnQosBaseActionTable
ntnQosTBParamTable
ntnQosMeterTable
ntnQosCountActTable
ntnQosFilterStatsTable
ntnQosPolicyTable
ntnQosIfShapingTable
ntnQosDsAccessElemTable
ntnQosL2AccessElemTable
ntnQosAccessAsgnTable
ntnQosIfAppsTable
ntnQosUserPolicyTable
ntnQosDsL2AccessElemTable
ntnQosQueueShapingTable
2
2
0
11
0
0
2
0
2
0
0
0
0
0
0
0
0
400
200
64
128
4708
100
200
0
200
512
200
200
384
512
1536
200
4096
Variable
Value
buffer
Modifies the QoS resource buffer allocation. The allowed buffer

allocation modes for all QoS interfaces are as follows:
regular
large
lossless
maximum
Note: The buffer mode determines the level of resource sharing
across interfaces sharing the same port hardware.
Configuring the CoS-to-Queue Assignments

About this task
Use the following CLI commands to display and modify CoS-to-queue assignments.
Configuring 802.1p priority values

About this task
Use the following procedure to associate the 802.1p priority values with a specific queue within a
specific queue set. This association determines the egress scheduling treatment that traffic with a
specific 802.1p priority value receives.
Procedure
1. Configure priority values by using the following command from Global Configuration mode.
qos queue-set-assignment queue-set <1-56> 1p <0-7> queue <1-8>
2. View the priority values by using the following command:
show qos queue-set-assignment queue-set
322

June 2014
Example
WCP8180(config)#show qos queue-set-assignment queue-set 1
Queue Set 1
802.1p Priority
_______________
0
1
2
3
4
5
6
7
Queue
_____
1
1
1
1
1
1
1
1
Variable
Value
queue-set <1-56>
Specifies the queue-set, value ranges from 156.
1p <0-7>
Specifies the 802.1p priority value for which the queue association is being
modified; value ranges from 07.
queue <1-8>
Specifies the queue within the identified queue set to assign the 802.1p
priority traffic at egress, value ranges from 18.
Configuring QoS Interface Groups

Use the CLI commands in this section to add or delete ports to or from an interface group, or add or
delete the interface groups themselves.
Related Links
Configuring ports for an interface group on page 323
Removing ports from an interface group on page 324
Creating an interface group on page 324
Removing an interface group on page 324
Configuring ports for an interface group

About this task
Use the following procedure to add ports to a defined interface group.
Note: The system automatically removes the port from an existing interface group to assign it to a
new interface group.
Procedure
Add ports by using the following command from Interface Configuration mode.
qos if-assign [port <portlist>] name [<WORD>]
June 2014

323
Variable
Value
port <portlist>
Specifies the ports to add to interface group.
name <WORD>
Specifies name of interface group.
Removing ports from an interface group

About this task
Use the following procedure to delete ports from a defined interface group.
Note: Ports not associated with an interface are considered QoS-disabled and may not have QoS
operations applied until assigned to an interface group.
Procedure
Delete ports by using the following command from Interface Configuration mode.
no qos if-assign [port <portlist>]
Creating an interface group

About this task
Use the following procedure to create interface groups.
Procedure
Create interface groups by using the following command from Global Configuration mode.
qos if-group name <WORD> class <trusted | untrusted | unrestricted>
Variable
Value
name <WORD>
Specifies the name of the interface group; maximum is 32 US-ASCII.

Name must begin with a letter a..z or A..Z.
class <trusted | untrusted |

unrestricted>
Defines a new interface group and specifies the class of traffic received on
interfaces associated with this interface group:
trusted
untrusted
unrestricted
Removing an interface group

About this task
Use the following procedure to delete interface groups.
Note 1: An interface group referenced by an installed policy cannot be deleted.
Note 2: An interface group associated with ports cannot be deleted.
324

June 2014
Procedure
Delete interface groups by using the following command from Global Configuration mode.
no qos if-group name <WORD>
Configuring DSCP and 802.1p and Queue Associations

About this task
The following sections contain procedures to configure DSCP, 802.1p priority and queue set
associations.
Related Links
Configuring DSCP to 802.1p priority on page 325
Restoring egress mapping entries to default on page 326
Configuring 802.1p priority to DSCP on page 326
Restoring ingress mapping entries to default on page 327
Configuring DSCP to 802.1p priority

About this task
Use the following procedure to configure DSCP-to-802.1p priority and drop precedence associations
that are used for assigning these values at packet egress, based on the DSCP in the received
packet.
Procedure
1. Configure priority by using the following command from Global Configuration mode.
qos egressmap [name <WORD>] ds <0-63> 1p <0-7> dp <low-drop | highdrop>
2. View the configured egress map details by using the following command:
show qos egressmap
Example
WCP8180(config)#show qos egressmap
DSCP
____
0
1
2
3
4
5
6
7
8
9
10
11
12
13
802.1p Priority
_______________
0
0
0
0
0
0
0
0
2
0
2
0
2
0
June 2014
Drop Precedence
_______________
High Drop
High Drop
High Drop
High Drop
High Drop
High Drop
High Drop
High Drop
High Drop
High Drop
Low Drop
High Drop
High Drop
High Drop
New DSCP
________
0
1
2
3
4
5
6
7
8
9
10
11
12
13
Name
________________
Standard Service
Standard Service
Standard Service
Standard Service
Standard Service
Standard Service
Standard Service
Standard Service
Bronze Service
Standard Service
Bronze Service
Standard Service
Bronze Service
Standard Service

325
14
15
16
17
18
19
20
2
0
3
0
3
0
3
High Drop
High Drop
High Drop
High Drop
Low Drop
High Drop
High Drop
14
15
16
17
18
19
20
Bronze Service
Standard Service
Silver Service
Standard Service
Silver Service
Standard Service
Silver Service
Variable
Value
name <WORD>
Specifies the label for the egress mapping.
ds <0-63>
Specifies the DSCP value used as a lookup key for 802.1p priority and
drop precedence at egress when appropriate; range is between 0 and 63.
1p <0-7>
Specifies the 802.1p priority value associated with the DSCP; range is
between 0 and 7.
dp <low-drop | high-drop>
Specifies the drop precedence values associated with the DSCP:

low-drop
high-drop
Restoring egress mapping entries to default

About this task
Use the following procedure to reset the egress mapping entries to factory default values.
Procedure
Reset the entries by using the following command from Global Configuration mode.
default qos egressmap
Configuring 802.1p priority to DSCP

About this task
Use the following procedure to configure 802.1p priority-to-DSCP associations that are used for
assigning default values at packet ingress based on the 802.1p value in the ingressing packet.
Procedure
1. Configure priority by using the following command from Global Configuration mode.
qos ingressmap [name <WORD>] 1p <0-7> ds <0-63>
2. vView the configured ingressmap details by using the following command:
show qos ingressmap
Example
WCP8180(config)#show qos ingressmap
802.1p Priority
_______________
0
1
2
326
DSCP
____
0
0
10
Name
________________
Standard Service
Standard Service
Bronze Service

June 2014
3
4
5
6
7
18
26
34
46
48
Silver Service
Gold Service
Platinum Service
Premium Service
Network Service
Variable
Value
name <WORD>
Specifies the label for the ingress mapping.
1p <0-7>
Specifies the 802.1p priority used as lookup key for DSCP assignment at
ingress; range is between 0 and 7.
ds <0-63>
Specifies the DSCP value associated with the target 802.1p priority; range
is between 0 and 63.
Restoring ingress mapping entries to default

About this task
Use the following procedure to reset the ingress mapping entries to factory default values.
Procedure
Reset the entries by using the following command from Global Configuration mode.
default qos ingressmap
Configuring QoS system-element

Related Links
Configuring system classifier element parameters on page 327
Viewing system classifier elements parameters on page 328
Removing system classifier element entries on page 329
Configuring system classifier element parameters

About this task
Use the following procedure to configure system classifier element parameters that may be used in
QoS policies.
Procedure
Configure system classifier element parameters by using the following command from Global
Configuration mode.
qos system-element <1-55000> [known-ip-mcast | known-non-ip-mcast |
name | non-ip | pattern-data <WORD> | pattern-format {tagged |
untagged}] | [pattern-ip-version {ipv4 | ipv6 | non-ip}] | patternl2format | session-id | unknown-ip-mcast | unknown-non-ip-mcast |
unknown-ucast
June 2014

327
Variable
Value
<1-55000>
Specifies the system classifier element entry id; range is 1

55000.
known-ip-mcast
Matches the frames containing a known IP multicast destination

address.
known-non-ip-mcast
Match frames containing a known non-IP multicast destination

address.
name
Specifies the name of the system element.
non-ip
Matches the non-IP frames.
unknown-ucast
Matches the Filter on unknown unicast destination address.
pattern-format { tagged | untagged }
Specifies the format of data/mask pattern. Specifies the

available values are:
tagged Data/mask pattern describes a tagged packet
untaggedData/mask pattern describes an untagged packet
pattern-data <WORD>
Specifies the byte pattern data to filter on.

Note: The format of the WORD string is in the form of
XX:XX:XX:....:XX.
pattern-l2version
Specifies the L2 format of the pattern data/mask.
pattern-ip-version
Specifies the IP version of the pattern data or mask.

ipv4Filter IPv4 Header
non-ipFilter non-ip packets
session-id
unknown-ip-mcast
Matches frames containing an unknown IP multicast destination

address.
unknown-non-ip-mcast
Matches frames containing an unknown non-IP multicast

destination address.
Viewing system classifier elements parameters

About this task
View system classifier elements parameters by performing this procedure.
Procedure
View system classifier elements parameters by using the following commands from the
Privileged EXEC Configuration mode.
show qos system-element [<1-65535>] [all] [system] [user]
Use the data in the following table to use show qos system element command.
328

June 2014
Variable
Description
<165535>
Displays the specified system classifier element entries.
all
system
user
Removing system classifier element entries

About this task
Use the following procedure to remove system classifier element entries.
Procedure
Remove system classifier element entries by using the following command from Global
Configuration mode.
no qos system-element <1-55000>
Configuring QoS Actions

The configuration of QoS actions directs the WC 8180 to take specific action on each packet.
The following sections describe configuring QoS actions using the CLI.
Related Links
Creating and updating QoS actions on page 329
Removing QoS actions on page 330
Creating and updating QoS actions

About this task
Use the following procedure to create and update QoS actions.
Note: Certain options can be restricted based on the policy associated with the specific action. An
action that is referenced in a meter or an installed policy cannot be deleted.
Procedure
1. Create or update QoS actions by using the following command from Global Configuration
mode.
qos action <10-55000> [name <WORD>] [drop-action <enable | disable |
deferred-pass>] [update-dscp <0-63>] [update-1p {<0-7> | use-tosprec | use-egress}] [set-drop-prec <low-drop | high-drop>] [actionext <1-55000> | action-ext-name <WORD>]
2. View QoS action by using the following command:
show qos action <165535> [all] [system] [user]
June 2014

329
Variable
Value
<10-55000>
Specifies the QoS action; range is 1055000.
name <WORD>
Assigns a name to a QoS action with the designated action ID. Enter
the name for the action; maximum is 16 alphanumeric characters
drop-action<enable | disable |
deferred-pass>
Specifies whether packets are dropped or not:

enabledrop the traffic flow
disabledo not drop the traffic flow
deferred-passtraffic flow decision deferred to other installed
policies
Default is deferred pass.
Note: If you omit this parameter, the default value applies.
update-dscp <0-63>
Specifies whether DSCP value are updated or left unchanged;

unchanged equals ignore. Enter the 6-bit DSCP value; range is 0 to 63.
Default is ignore.
update-1p<0-7>
Specifies whether 802.1p priority value are updated or left unchanged;

unchanged equals ignore:
ieee1penter the value you want; range is 0 to 7
use-egressuses the egress map to assign value
use-tos-precuses the type of service precedence to assign value.
Default is ignore.
Note: Requires specification of update-dscp value.
set-drop-prec <low-drop | highdrop>
Specifies the drop precedence value:

low-drop
high-drop
Default is low-drop.
action-ext <1-55000>
Specifies the action extension; range is 155000.
action-ext-name <WORD>
Specifies a label for the action extension; maximum is 16 alphanumeric

characters.
Removing QoS actions

About this task
Use the following procedure to delete QoS action entries.
Note: An action cannot be deleted if referenced by a policy, classifier block, or meter.
Procedure
Delete QoS action entries by using the following command from Global Configuration mode.
330

June 2014
no qos action <10-55000>
Configuring QoS Interface Action Extensions

About this task
QoS interface action extensions direct the WC 8180 to take specific action on each packet.
Related Links
Creating interface action extension entries on page 331
Removing interface action extension entries on page 331
Creating interface action extension entries

About this task
Use the following procedure to create interface action extension entries.
Note: An interface extension that is referenced in an action entry cannot be deleted.
Procedure
1. Create interface action extension entries by using the following command from Global
Configuration mode.
qos if-action-extension <1-55000> [name <WORD>] {egress-ucast <port>
| egress-non-ucast <port>}
2. View the interface action extension entries by using the following command:
show qos if-action-extension <165535> [all] [system] [user]
Variable
Value
<1-55000>
Specifies the QoS action. The range is 155000
name <WORD>
Assigns a name to a QoS action with the designated action ID.

Enter the name for the action; maximum is 16 alphanumeric
characters
egress-ucast <port> | egress-non-ucast

<port>
Specifies redirection of unicast/non-unicast to specified port.
session-id
Specifies the session id for QoS action.
Removing interface action extension entries

About this task
Use the following procedure to remove interface action extension entries.
Procedure
Remove interface action extension entries by using the following command from Global
Configuration mode.
June 2014

331
no qos if-action-extension <1-55000>
Configuring QoS Meters

The following sections describe the CLI commands to set the meters, to meter or police traffic,
configure the committed rate, burst rate, and burst duration.
Related Links
Creating QoS meter entries on page 332
Removing QoS meter entries on page 333
Creating QoS meter entries

About this task
Use the following procedure to create QoS meter entries.
Procedure
Create QoS meter entries by using the following command from Global Configuration mode.
qos meter <1-55000> [name <WORD>] committed-rate <64-10230000>
{burst-size <burst-size> max-burst-rate <64-4294967295> [max-burstduration <1-4294967295>]} {in-profile-action <1-55000> | in-profileaction-name <WORD>} {out-profile-action <1,9-55000> | out-profileaction-name <WORD>}
332
Variable
Value
<1-55000>
Specifies the QoS meter; range is 155000.
name <WORD>
Specifies name for meter; maximum is 16 alphanumeric

characters.
committed-rate <64-10230000>
Specifies rate that traffic must not exceed for extended periods
to be considered in-profile. Enter the rate in Kb/s for in-profile
traffic in increments of 1000 Kbits/sec; range is 64 to 10230000
Kbits/sec.
burst-size <4,8,16,...,16384>
Committed burst size in Kilobytes. The value range is: 4, 8, 16,

32, 64, 128, 256, 512, 1024, 2048, 4096, 8192, 16384.
max-burst-rate <64-4294967295>
Specifies the largest burst of traffic that can be received a given

time for the traffic to be considered in-profile. Used in
calculating the committed burst size. Enter the burst size in Kb/s
for in-profile traffic; range is 64 to 4294967295 Kbits/sec.
max-burst-duration <1-4294967295>
Specifies the amount of time that the largest burst of traffic that
can be received for the traffic to be considered in-profile. Used
in calculating the committed burst size. Enter the burst duration
in ms for in-profile traffic; range is 14294967295 ms.
Specifies the in-profile action ID; range is 155000.
in-profile-action-name <WORD>
Specifies the in-profile action name.

June 2014
Variable
Value
out-profile-action <1,9-55000>
Specifies the out-of-profile action ID; range is 1,9 to 55000.
out-profile-action-name <word>
Specifies the out of profile action name.
Removing QoS meter entries

About this task
Use the following procedure to delete QoS meter entries.
Note: A meter that is referenced in an installed policy or classifier block cannot be deleted.
Procedure
Remove QoS meter entries by using the following command from Global Configuration
mode.
no qos meter <1-55000>
Configuring QoS Interface Shaper

Related Links
Configuring interface shaping on page 333
Disabling interface shaping on page 334
Configuring interface shaping

About this task
Use the following procedure to configure interface shaping.
Procedure
Configure interface shaping by using the following command from Interface Configuration
mode.
qos if-shaper [port <portlist>] [name <WORD>] shape-rate
<64-10230000> {burst-size <burst-size> max-burst-rate
<64-4294967295> [max-burst-duration <1-4294967295>]}
Variable
Value
burst-size <4,8,16, ..., 16384>
Specifies the committed burst size in Kilobytes. The value range

is: 4, 8, 16, 32, 64, 128, 256, 512, 1024, 2048, 4096, 8192,
16384.
port <portlist>
Specifies the ports to configure shaping parameters.
name <WORD>
Specifies name for if-shaper; maximum is 16 alphanumeric

characters.
shape-rate <64-10230000>
Specifies the shaping rate in kilobits/sec; range is 64-10230000

kilobits/sec.
June 2014

333
Variable
Value
max-burst-rate <64-4294967295>
Specifies the largest burst of traffic that can be received a given

time for the traffic to be considered in-profile. Used in
calculating the committed burst size. Enter the burst size in Kb/s
for in-profile traffic; range is 64 to 4294967295 Kbits/sec.
max-burst-duration <1-4294967295>
Specifies the amount of time that the largest burst of traffic that
can be received for the traffic to be considered in-profile. Used
in calculating the committed burst size. Enter the burst duration
in ms for in-profile traffic; range is 14294967295 ms.
Disabling interface shaping

About this task
Use the following procedure to disable interface shaping.
Procedure
Disable interface shaping by using the following command from Interface Configuration
mode.
no qos if-shaper [port <portlist>]
Configuring QoS Policies

Use the following CLI commands to configure QoS policies.
Related Links
Configuring QoS policies on page 334
Removing QoS policies on page 335
Configuring QoS policies

About this task
Use the following procedure to create and configure QoS policies.
Note: All components associated with a policy, including the interface group, element, classifier,
classifier block, action, and meter, must be defined before referencing those components in a policy.
Procedure
Create a QoS policy by using the following command from Global Configuration mode.
qos policy <1-55000> {enable|disable [name <WORD>] {port <port_list>
| if-group <WORD>} clfr-type {classifier | block} {clfr-id <1-55000>
| clfr-name <WORD>} {{in-profile-action <1-55000> | in-profileaction-name <WORD>} | meter <1-55000> | meter-name <WORD>}} [nonmatch-action <1-55000> | non-match-action-name <WORD>] precedence
<1-15> [track-statistics <individual | aggregate>]}
334

June 2014
Variable
Value
<1-55000>
Specifies the QoS policy; range is 155000.
enable|disable
Enables or disables the QoS policy.
name <WORD>
Specifies the name for the policy; maximum is 16 alphanumeric

characters.
port <portlist>
Specifies the ports to which to directly apply this policy.
if-group <WORD>
Specifies the interface group name to which this policy applies;

maximum number of characters is 32 US-ASCII. The group
name must begin with a letter within the range a..z or A..Z.
clfr-type <classifier | block>
Specifies the classifier type; classifier or block.
clfr-id <1-55000>
Specifies the classifier ID; range is 155000.
clfr-name <WORD>
Specifies the classifier name or classifier block name; maximum

is 16 alphanumeric characters.
Specifies the action ID for in-profile traffic; range is 155000.
in-profile-action-name <WORD>
Specifies the action name for in-profile traffic; maximum is 16

meter <1-55000>
Specifies meter ID associated with this policy; range is 1

55000.
meter-name <WORD>
Specifies the meter name associated with this policy; maximum

of 16 alphanumeric characters.
non-match-action <1-55000>
Specifies the action ID for non-match traffic; range is 155000.

This parameter is not applicable to 5600 Series switches.
non-match-action-name <WORD>
Specifies the action name for non-match traffic; maximum is 16

precedence <1-15>
Specifies the precedence of this policy in relation to other

policies associated with the same interface group. Enter
precedence number; range is 115.
Note: Policies with a lower precedence value are evaluated
after policies with a higher precedence number. Evaluation goes
from highest value to lowest.
track-statistics <individual | aggregate>
Specifies statistics tracking on this policy, either:

individualstatistics on individual classifiers
aggregateaggregate statistics
Removing QoS policies

About this task
Use the following procedure to disable QoS policy entries. Policies can be enabled using the qos
policy <policynum> enable command.
June 2014

335
Procedure
Remove QoS policy entries by using the following command from Global Configuration
mode.
no qos policy <1-55000>
QoS Generic Filter set configuration

Use the following procedures to configure and manipulate a generic filter set.
Related Links
Configuring a traffic profile set on page 336
Deleting a classifier, classifier block, or an entire filter set on page 336
Viewing filter descriptions on page 337
Configuring a traffic profile set

About this task
Configure a traffic profile set by performing the following procedure.
Procedure
Use the following command to configure a traffic profile classifier entry.
qos traffic-profile set port <port> name <name> [commited-rate
<64-10230000>] [drop-nm-action <drop | pass>] [enable]
This command is used in the Global Configuration mode.
Variable
Value
port <port>
Specifies the ports to apply the traffic profile to.
name <name>
Specifies the name of the traffic profile.
commited-rate <64-10230000>
Specifies the committed rate in Kilobits per second.
drop-nm-action <drop | pass>
Specifies the action to take when the packet is

nonmatching. This action is applied to all traffic that
was not previously matched by the specified filtering
data. Options are drop (packet is dropped) and
pass (packet is not dropped).
enable
Enables the traffic profile.
Deleting a classifier, classifier block, or an entire filter set

About this task
Delete a filter classifier or set by performing this procedure.
336

June 2014
Procedure
1. Delete a Traffic Profile classifier by using the following command from the Global
Configuration mode.
no qos traffic-profile classifier name <classifier-name>
2. Delete a Traffic Profile set by using the following command from the Global Configuration
mode.
no qos traffic-profile set {name <name> | port <port>}
Viewing filter descriptions

About this task
View filter descriptions by performing this procedure.
Procedure
1. View classifier entries by using the following commands from the Privileged EXEC
Configuration mode.
show qos traffic-profile classifier
OR
show qos traffic-profile classifier name <classifier name>
2. View the parameters for a specific set by using the following command from the Privileged
EXEC Configuration mode.
show qos traffic-profile set <set name> port <port>
3. View ports and the filter sets assigned to those ports by using the following command from
the Privileged EXEC Configuration mode.
show qos traffic-profile interface
Example
Wc#show qos traffic-profile classifier name 1
Id: 2
Name: 1
Block:
Master: No
Eval Order: 1
Address Type: Ignore
Destination Addr/Mask: Ignore
Source Addr/Mask: Ignore
DSCP: Ignore
IPv4 Protocol / IPv6 Next Header: Ignore
Destination L4 Port Min: Ignore
Destination L4 Port Max: Ignore
Source L4 Port Min: Ignore
Source L4 Port Max: Ignore
IPv6 Flow Id: Ignore
IP Flags: Ignore
TCP Control Flags: Ignore
IPv4 Options: Ignore
Destination MAC Addr: Ignore
June 2014

337
Destination MAC Mask: Ignore

Source MAC Addr: Ignore
Source MAC Mask: Ignore
VLAN: Ignore
VLAN Tag: Ignore
EtherType: Ignore
802.1p Priority: All
Packet Type: Ignore
Action Drop: No
Action Update DSCP: Ignore
Action Update 802.1p Priority: Ignore
Action Set Drop Precedence: Low Drop
Out-Profile Drop Action: Drop
Out-Profile Update DSCP Action: Ignore
Out-Profile Set Drop Precedence Action: Low Drop
Storage Type: NonVolatile
Configuring User Based Policies

About this task
Use the following procedure to configure User Based Policies.
Procedure
Configure User Based Policies by using the following command from the Global
configuration mode.
qos ubp
Note:
To modify an entry in a filter set, you must delete the entry and add a new entry with the
desired modifications.
Related Links
Variable
Value
classifier name [addr-type {ipv4|ipv6}]

Creates the User Based Policy classifier entry.
[block] [drop-action] [ds-field] [dst-ip] [dstOptional parameters:
mac] [dst-port-min] [ethertype] [eval addr-type {ipv4|ipv6} specifies the type of IP address used by
order] [flow-id] [next-header] [priority]
this classifier entry. The type is limited to IPv4 and IPv6
[protocol] [set-drop-prec] [src-ip] [src-mac]
addresses.
[src-port-min] [update-1p] [update-dscp]
[vlan-min] [ vlan-tag]
block specifies the label to identify access list elements that
are of the same block.
drop-action specifies whether or not to drop non-conforming
traffic.
ds-field specifies the value for the DiffServ Codepoint (DSCP)
in a packet.
dst-ip specifies the IP address to match against the
destination IP address of a packet.
338

June 2014
Variable
Value
dst-mac specifies the MAC address against which the MAC
destination address of incoming packets is compared.
dst-port-min specifies the minimum value for the layer 4
destination port number in a packet. dst-port-max must be
terminated prior to configuring this parameter.
ethertype specifies a value indicating the version of Ethernet
protocol being used.
eval-order specifies the evaluation order for all elements with
the same name.
flow-id specifies the flow identifier for IPv6 packets.
next-header specifies the IPv6 next-header value. Values are
in the range 0-255.
priority specifies a value for the 802.1p user priority.
protocol specifies the IPv4 protocol value.
set-drop-prec specifies drop precendence
src-ip specifies the IP address to match against the source IP
address of a packet.
src-mac specifies the MAC source address of incoming
packets.
src-port-min specifies the minimum value for the Layer 4
source port number in a packet. src-port-max must be
terminated prior to configuring this parameter.
update-1p specifies an 802.1p value used to update user
priority.
update-dscp specifies a value used to update the DSCP field
in an IPv4 packet.
vlan-min specifies the minimum value for the VLAN ID in a
packet. vlan-max must be terminated prior to configuring this
parameter.
vlan-tag specifies the type of VLAN tagging in a packet.
set name [commited-rate] [drop-nmaction] [drop-out-action] [max-burst-rate]

[max-burst-duration] [update-dscp-outaction] [set-priority]
Creates the User Based Policy set.

Optional parameters:
commited-rate specifies the commited rate in Kbps.
drop-nm-action specifies the action to take when the packet is
non-matching. This action is applied to all traffic that was not
previously matched by the specified filtering data. Options are
enable (packet is dropped) and disable (packet is not
dropped).
drop-out-action specifies the action to take when a packet is
out-of-profile. This action is only applied if metering is being
June 2014

339
Variable
Value
enforced, and if the traffic is deemed out of profile based on
the level of traffic and the metering criteria. Options are
enable (packet is dropped) and disable (packet is not
dropped).
max-burst-rate specifies the maximum number of bytes
allowed in a single transmission burst.
max-burst-duration specifies the maximum burst duration in
milliseconds.
update-dscp-out-action specifies an updated DSCP value for
an IPv4 packet for out of profile traffic..
set-priority specifies the priority level of this filter set.
Deleting a classifier, classifier block, or an entire filter set

About this task
Use the following procedure to delete a classifier, classifier block, or filter set.
Note: You cannot reset QoS defaults if the EAP/NEAP UBP support references a QoS UBP filter
set.
Procedure
1. Delete an entire filter set by using the following command from the Global configuration
mode.
no qos ubp name <filter name>
Note: You cannot delete a filter set while it is in use.
2. Delete a classifier by using the following command from the Global configuration mode.
no qos ubp name <filter name> eval-order <value>
Viewing filter descriptions

About this task
Use the following procedure to view User-based Policy filter parameters, view parameters for a
specific filter set, view ports and associated filter sets, and view classifier entries.
Procedure
1. View User Based Policy filter parameters by using the following command from the
Privileged EXEC configuration mode.
show qos ubp
2. View the parameters for a specific filter set by using the following command from the
Privileged EXEC configuration mode.
show qos ubp name <filter name>
340

June 2014
3. View ports and the filter sets assigned to those ports by using the following command from
the Privileged EXEC configuration mode.
show qos ubp interface
4. View classifier entries by using the following command from the Privileged EXEC
configuration mode.
show qos ubp classifier
Maintaining the QoS Agent

Use the following CLI commands to maintain the QoS agent.
Related Links
Resetting QoS to factory default state on page 341
Configuring QOS AQ mode on page 341
Configuring QoS UBP support on page 342
Configuring QoS statistics tracking type on page 342
Configuring NVRAM delay on page 343
Resetting NVRAM delay to default on page 343
Resetting the QoS agent on page 343
Resetting QoS to factory default state

About this task
Use the following procedure to delete all user-defined entries, remove all installed policies, and reset
the system to its QoS factory default values.
Note 1: You cannot reset QoS defaults if the NSNA application references a QoS NSNA filter set.
Note 2: You cannot reset QoS defaults if the EAP/NEAP UBP support references a QoS UBP filter
set.
Procedure
Reset QoS to factory defaults by using the following command from Global Configuration
mode.
qos agent reset-default
Configuring QOS AQ mode

About this task
This procedure describes how to configure the QoS Agent NT mode.
Procedure
Configure QoS NT mode by using the following command from Global Configuration mode.
qos agent aq-mode [pure|mixed|disable]
June 2014

341
Variable
Value
disable
NT application traffic processing is disabled on all ports.
mixed
NT application traffic processing enabled on all port with egress DSCP mapping.
pure
NT application traffic processing enabled on all ports without egress DSCP mapping.
Configuring QoS UBP support

About this task
Use the following procedure to configure the UBP support level.
Procedure
Configure the UBP support level by using the following command from Global Configuration
mode.
qos agent ubp [disable|epm|high-security-local|low-security-local]
Variable
Value
disable
QoS agent rejects information forwarded by other applications.
epm
QoS Agent notifications generated for EPM based on user information forwarded
by other applications.
high-security-local
User may be rejected if resources needed to install the UBP filter set are not
available.
low-security-local
User may be accepted even if the UBP filter set could not be applied.
Configuring QoS statistics tracking type

About this task
This procedure describes the steps necessary to configure the type of statistics tracking used with
QoS.
Procedure
Configure the QoS statistics tracking type by using the following command from Global
Configuration mode.
qos agent statistics-tracking [aggregate|disable|individual]
342
Variable
Value
aggregate
Allocates a single statistics counter to track data for all classifiers contained in the
QoS policy being created.
disable
Disable statistics tracking.
individual
Allocates individual statistics counters to track data for each classifier contained in
the QoS policy being created.

June 2014
Configuring NVRAM delay

About this task
Use the following procedure to specify the maximum amount of time, in seconds, before non-volatile
QoS configuration is written to non-volatile storage. Delaying NVRAM access can be used to
minimize file input and output. This can aid QoS agent efficiency if a large amount of QoS data is
being configured.
Procedure
Configure NVRAM delay by using the following command from Global Configuration mode.
qos agent nvram-delay <0-604800>
Default is 10 seconds.
Resetting NVRAM delay to default

About this task
Use the following procedure to reset the NVRAM delay time to factory default.
Procedure
Reset NVRAM delay to default by using the following command from Global Configuration
mode.
default qos agent nvram-delay
Resetting the QoS agent

About this task
Use the following procedure to delete all user-defined entries, remove all installed policies, and reset
the system to its QoS factory default values.
Procedure
Reset the QoS agent by using the following command from Global Configuration mode.
default qos agent
Configuring DoS Attack Prevention Package

Use the following procedures to configure the DoS Attack Prevention Package (DAPP). This feature
is only applicable to the 8100 Series switch.
Related Links
Enabling DAPP on page 344
Configuring DAPP status tracking on page 344
Configuring DAPP minimum TCP header size on page 344
Configuring DAPP maximum IPv4 ICMP length on page 344
June 2014

343
Enabling DAPP
About this task
This procedure describes the steps necessary to enable DAPP.
Procedure
Enable DAPP by using the following command from Global Configuration mode:
[no] qos agent dos-attack-prevention enable
Configuring DAPP status tracking

About this task
This procedure describes how to configure DAPP status tracking.
Note: If adequate resources are not available to enable this feature the command will fail.
Procedure
Enable DAPP status tracking by using the following command from Global Configuration
mode:
qos agent dos-attack-prevention status-tracking [enable | max-ipv4icmp | max-ipv6-icmp | min-tcp-header]
Configuring DAPP maximum IPv6 ICMP length
About this task

This procedure describes how to set the maximum IPv6 ICMP length used by DAPP.
Procedure
Set the maximum IPv6 ICMP length by using the following command from Global
Configuration mode:
qos agent dos-attack-prevention max-ipv6-icmp <0-16383>
Configuring DAPP minimum TCP header size

About this task
This procedure describes how to set the minimum TCP header size used by DAPP.
Procedure
Set the minimum TCP header size by using the following command from Global
Configuration mode:
qos agent dos-attack-prevention min-tcp-header <0-255>
Configuring DAPP maximum IPv4 ICMP length

About this task
This procedure describes how to set the maximum IPv4 ICMP length used by DAPP.
344

June 2014
Procedure
Set the maximum IPv4 ICMP length by using the following command from Global
Configuration mode:
qos agent dos-attack-prevention max-ipv4-icmp <0-1023>
Configuring Serviceability
About this task
Use the following procedures to configure RMON and IPFIX.
Related Links
Configuring RMON with the CLI on page 345
Configuring IPFIX using CLI on page 350
Configuring RMON with the CLI

About this task
Use the following CLI commands to configure and manage RMON.
Related Links
Viewing RMON alarms on page 345
Viewing RMON events on page 346
Viewing RMON history on page 346
Viewing RMON statistics on page 347
Setting RMON alarms on page 347
Deleting RMON alarm table entries on page 347
Configuring RMON event log and traps on page 348
Deleting RMON event table entries on page 348
Configuring RMON history on page 349
Deleting RMON history table entries. on page 349
Configuring RMON statistics on page 349
Disabling RMON statistics on page 350
Viewing RMON alarms

About this task
Use the following procedure to view RMON alarms.
Procedure
1. Enter Privileged Executive mode.
June 2014

345
2. Use the show rmon alarm command to display information about RMON alarms.
Viewing RMON events

About this task
Use the following procedure to display information regarding RMON events.
Procedure
2. Enter the show rmon event command.
Viewing RMON history

About this task
Use this procedure to display information regarding the configuration of RMON history.
Procedure
2. Enter the show rmon history [<port>] command.
Example
WCP8180(config)#show rmon history port 1
Index
----1
29
Port
---1
1
Buckets Requested
----------------15
5
Buckets Granted
--------------15
5
Interval
-------30
1800
Variable
Definition
<port>
The specified port number for which RMON history

settings is displayed.
Job aid
The following table shows the descriptions for show rmon history port command.
346
Field
Description
Index
Indicates the profile index of RMON.
Port
Specifies the valid ethernet port.
Buckets Requested
Indicates the value associated with the number of buckets specified

for the RMON collection history group of statistics. If unspecified,
defaults to 50. The range is from 1 to 65535.
Buckets Granted
Indicates the value associated with the number of buckets specified

for the RMON collection history group of statistics. If unspecified,
defaults to 50. The range is from 1 to 65535.
Interval
Specifies the number of seconds in each polling cycle. If unspecified,

defaults to 1800. Valid range is from 1 to 3600.

June 2014
Viewing RMON statistics

About this task
Use the following procedure to display information regarding the configuration of RMON statistics.
Procedure
2. Enter the show rmon stats command.
Setting RMON alarms

About this task
Use the following procedure to set
Procedure
1. Enter Global Configuration mode.
2. Enter the rmon alarm <1-65535> <WORD> <1-2147483647> {absolute | delta}
rising-threshold <-2147483648-2147483647> [<1-65535>] fallingthreshold <-2147483648-2147483647> [<1-65535>] [owner <LINE>]
command.
Parameter
Description
<1-65535>
Unique index for the alarm entry.
<WORD>
The MIB object to be monitored. This object identifier can be an English

name.
<1-2147483647>
The sampling interval, in seconds.
absolute
Use absolute values (value of the MIB object is compared directly with
thresholds).
delta
Use delta values (change in the value of the MIB object between samples
is compared with thresholds).
rising-threshold
<-2147483648-2147483647 >
[<1-65535>]
The first integer value is the rising threshold value. The optional second
integer specifies the event entry to be triggered after the rising threshold is
crossed. If omitted, or if an invalid event entry is referenced, no event is
triggered.
falling-threshold
<-2147483648-2147483647 >
[<1-65535>]
The first integer value is the falling threshold value. The optional second
integer specifies the event entry to be triggered after the falling threshold is
crossed. If omitted, or if an invalid event entry is referenced, no event is
triggered.
[owner <LINE>]
Specify an owner string to identify the alarm entry.
Deleting RMON alarm table entries

About this task
Use the following procedure to delete RMON alarm table entries.
June 2014

347
Procedure
2. Enter the no rmon alarm [<1-65535>] command.
Variable
Definition
[<1-65535>]
The number assigned to the alarm. If no number is

selected, all RMON alarm table entries are deleted.
Configuring RMON event log and traps

About this task
Use the following procedure to configure RMON event log and trap settings.
Procedure
2. Enter the rmon event <1-65535> [log] [trap] [description <LINE>] [owner
<LINE>] command.
Parameter
Description
<1-65535>
Unique index for the event entry.
[log]
Record events in the log table.
[trap]
Generate SNMP trap messages for events.
[description <LINE>]
Specify a textual description for the event.
[owner <LINE>]
Specify an owner string to identify the event entry.
Deleting RMON event table entries

About this task
Use the following procedure to clear entries in the table.
Procedure
2. Enter the no rmon event [<1-65535>] command to delete the entries.
348
Variable
Definition
[<1-65535>]
Unique identifier of the event. If not given, all table

entries are deleted.

June 2014
Configuring RMON history

About this task
Use the following procedure to configure RMON history settings.
Procedure
2. Enter the rmon history <1-65535> <LINE> <1-65535> <1-3600> [owner
<LINE>] command to configure the RMON history..
Parameter
Description
<1-65535>
Unique index for the history entry.
<LINE>
Specify the port number to be monitored.
<1-65535>
The number of history buckets (records) to keep.
<1-3600>
The sampling rate (how often a history sample is collected).
[owner <LINE>]
Specify an owner string to identify the history entry.
Deleting RMON history table entries.

About this task
Use this procedure to delete RMON history table entries.
Procedure
2. Enter the no rmon history [<1-65535>] command to delete the entries.
Variable
Definition
[<1-65535>]
Unique identifier of the event. If not given, all table

entries are deleted.
Configuring RMON statistics

About this task
Use this procedure to configure RMON statistics settings.
Procedure
2. Enter the rmon stats <1-65535> <LINE> [owner <LINE>] command to configure
RMON statistics.
June 2014

349
Parameter
Description
<1-65535>
Unique index for the stats entry.
[owner <LINE>]
Specify an owner string to identify the stats entry.
Disabling RMON statistics

About this task
Use this procedure to disable RMON statistics. If the variable is omitted, all entries in the table are
cleared.
Procedure
2. Enter the no rmon stats [<1-65535>] command to disable RMON statistics.
Variable
Definition
<1-65535>
Unique index for the statistics entry. If omitted, all

statistics are disabled.
Configuring IPFIX using CLI

The following sections describe the commands used in the configuration and management of IP
Flow Information Export (IPFIX) using the CLI.
Related Links
Configuring IPFIX collectors on page 350
Enabling IPFIX globally on page 351
Configuring unit specific IPFIX on page 351
Enabling IPFIX on the interface on page 352
Enabling IPFIX export through ports on page 352
Deleting the IPFIX information for a port on page 352
Viewing the IPFIX table on page 353
Configuring IPFIX collectors

About this task
The ip ipfix collector command is used to configure IPFIX collectors. IPFIX collectors are
used to collect and analyze data exported from an IPFIX compliant switch. In WLAN Release 1.1,
the only external collector supported is NetQOS. At this time, up to two collectors can be supported.
IPFIX data is exported from the switch in Netflow version 9 format. Data is exported using UDP port
9995.
350

June 2014
IPFIX data is not load balanced when two collectors are in use. Identical information is sent to both
collectors.
Use the following procedure to configure the IPFIX collectors.
Procedure
2. Use the ip ipfix collector <unit_number> <collector_ip_address>
command to configure the IPFIX collector.
Parameter
Description
<unit_number>
The unit number of the collector. Currently up to two collectors are

supported so the values 1 or 2 are valid.
<collector_ip_address>
The IP address of the collector.
Enabling IPFIX globally

About this task
Use the following procedure to globally enable IPFIX on the switch.
Procedure
2. Use the ip ipfix enable command to enable IPFIX on the switch.
Variable definition
Parameter
Description
enable
Enables the IPFIX globally.
Configuring unit specific IPFIX

About this task
Use the following command to configure unit specific IPFIX parameters.
Procedure
2. Use the ip ipfix slot <unit_number> [aging-interval <aging_interval>]
[export-interval <export_interval>] [exporter-enable] [templaterefresh-interval <template_refresh_interval>] [template-refreshpackets <template_refresh_packets>] command to enable IPFIX on the switch.
Parameter
Description
<unit_number>
The unit number of the collector. Currently up to two collectors are

supported so the values 1 or 2 are valid.
June 2014

351
Parameter
Description
<aging_interval>
The IPFIX aging interval. This value is in seconds from 0 to 2147400.
<export_interval>
The IPFIX export interval. This interval is the value at which IPFIX data is
exported in seconds from 10 to 3600.
<template_refresh_interval>
The IPFIX template refresh interval. This value is in seconds from 300 to
3600.
<template_refresh_packets>
The IPFIX template refresh packet setting. This value is the number of
packets from 10000 - 100000.
Enabling IPFIX on the interface

About this task
Use the following procedure to enable IPFIX on the interface.
Procedure
1. Enter Interface Configuration mode.
2. Use the ip ipfix enable command to enable IPFIX on the interface.
Enabling IPFIX export through ports

About this task
Use the following procedure to enable the ports exporting data through IPFIX.
Procedure
1. Enter Interface Configuration mode.
2. Use the ip ipfix port <port_list> command to enable IPFIX on the interface.
Variable
Definition
port-list
Single or comma-separated list of ports.
Deleting the IPFIX information for a port

About this task
Use the following procedure to delete the collected IPFIX information for a port.
Procedure
2. Use the ip ipfix flush port <port_list> [export-and-flush] command to
delete the collected IPFIX information for the port or ports.
352
Variable
Definition
port-list
Single or comma-separated list of ports.

June 2014
Variable
Definition
export-and-flush
Export data to a collector before it is deleted.
Viewing the IPFIX table

About this task
Use the following procedure to display IPFIX data collected from the switch.
Procedure
2. Use the show ip ipfix table <unit_number> sort-by <sort_by> sort-order
<sort_order> display <num_entries> command view the IPFIX data.
Variable
Definition
<unit_number>
The unit number of the collector. Currently up to two collectors are supported so
the values 1 or 2 are valid.
<sort_by>
The value on which the data is sorted. Valid options are:

byte-count
dest-addr
first-pkt-time
last-pkt-time
pkt-count
port
protocol
source-addr
TCP-UDP-dest-port
TCP-UDP-src-port
TOS
<sort_order>
The order in which the data is sorted. Valid options are ascending and descending.
<num_entries>
The number of data rows to display. Valid options are:

all
top-10
top-25
top-50
top-100
top-200
June 2014

353
Configuring diagnostics and graphing

Use the following procedures to configure diagnostics and graphing.
Related Links
System diagnostics and statistics using CLI on page 354
Network monitoring configuration using the CLI on page 357
System diagnostics and statistics using CLI

About this task
Use the following procedures to perform system diagnostics and gather statistics using the CLI.
Viewing port-statistics
About this task
Use this procedure to view the statistics for the port on both received and transmitted traffic.
Procedure
2. Enter the show port-statistics [port <portlist>] command.
354

June 2014
Variable
Definition
port <portlist>
The ports to display statistics for. When no port list is specified,

all ports are shown.
Displaying port operational status

About this task
Use this procedure to display the port operational status.
Important:
If you use a terminal with a width of greater than 80 characters, the output is displayed in a
tabular format.
Procedure
2. Enter the show interfaces [port list] verbose command. If you issue the
command with no parameters the port status is shown for all ports.
3. Observe the CLI output.
June 2014

355
Validating port operational status

About this task
VLACP: Configure VLACP on port 1 from a 8100 series unit and on port 2 on 5000 series unit. Have
a link between these 2 ports. When the show interfaces command is typed, VLACP status is up
for port on the unit where the command is typed. Pull out the link from the other switch, VLACP
status goes Down.
STP: After switch boots, type show interfaces command. STP Status is Listening (wait a few
seconds and try again). STP Status becomes Learning.
After a while (15 seconds is the forward delay default value, only if you did not configure another
time interval for STP forward delay), if you type show interfaces again, STP Status should be
forwarding.
Showing port information

About this task
Perform this procedure to display port configuration information.
Procedure
2. Enter the show interfaces <portlist> config command.
3. Observe the CLI output.
356

June 2014
Network monitoring configuration using the CLI

About this task
Use the following CLI commands to view and configure network monitoring.
Related Links
Configuring diagnostics and graphing on page 354
Viewing CPU utilization on page 357
Viewing memory utilization on page 358
Configuring the system log on page 358
Configuring remote logging on page 360
Configuring port mirroring on page 363
Viewing CPU utilization

About this task
Use this procedure to view the CPU utilization
Procedure
June 2014

357
2. Enter the show cpu-utilization command.

3. Observe the displayed information.
Sample CLI output:
WCP8180(config)#show cpu-utilization
---------------------------------------------------------------CPU Utilization
---------------------------------------------------------------Unit
10 Sec, 1 Min, 10 Min, 60 Min, 24 Hrs, System Boot-Up
---------------------------------------------------------------Host
11%
12%
20%
22%
18%
15%
WCP
1%
1%
1%
2%
2%
1%
WDP
1%
1%
1%
1%
1%
7%
WCP8180(config)#
Viewing memory utilization

About this task
Use this procedure to view the memory utilization
Procedure
2. Enter the show memory-utilization command.
Sample CLI output:
WCP8180(config)#show memory-utilization
--------------------------------------------------------Memory Utilization (in MB)
--------------------------------------------------------Unit
Total
Used
Free
Peak
--------------------------------------------------------Host
1024
203
821
203
WCP
1635
1091
544
1094
WDP
276
36
240
36
WCP8180(config)#
Configuring the system log

Use the following CLI commands to configure and manage the system log.
Related Links
Displaying the system log on page 358
Configuring the system log on page 359
Setting the system log to default on page 360
Clearing the system log on page 360
Displaying the system log
About this task

Use this procedure to displays the configuration, and the current contents, of the system event log.
358

June 2014
Procedure
Enter the show logging [config] [critical] [serious] [informational]
[sort-reverse] command Privileged Executive mode.
CLI reference:
WCP8180(config)#show logging ?
Show logging information
system
Show the contents of logging buffers
wireless-controller Show logging information of wireless controller
WCP8180(config)#show logging system ?
config
Display configuration of event logging
critical
Critical event
informational Informational message
serious
Serious event message
<cr>
WCP8180(config)#show logging wireless-controller ?
volatile Display log messages in DRAM
WCP8180(config)#show logging wireless-controller volatile ?
critical
Critical event messages
informational Informational messages
serious
Serious event messages
<cr>
Variable
Value
config
Display configuration of event logging.
critical
Display critical log messages.
serious
Display serious log messages.
informational
Display informational log messages.
sort-reverse
Display informational log messages in reverse chronological

order (beginning with most recent).
Configuring the system log
About this task

Use this procedure to configure the system settings for the system event log.
Procedure
Enter the logging [enable | disable] [level critical | serious |
informational | none] [nv-level critical | serious | none] command
Privileged Executive mode.
CLI reference:
WCP8180(config)#logging ?
disable
Disable the event log
enable
Enable the event log
level
The severity level of events that will be logged in DRAM
nv-level The severity level of events that will be saved in NV storage
remote
Configure remote logging parameters
volatile Configure options for logging to DRAM
June 2014

359
Variable
Value
enable | disable
Enables or disables the event log (default is Enabled).
level critical | serious | informational |

none
Specifies the level of logging stored in DRAM.
nv-level critical | serious | none
Specifies the level of logging stored in NVRAM.
Disabling the system log
About this task

Use this procedure to disable the system event log.
Procedure
Enter the no logging command in global configuration mode.
Setting the system log to default
About this task

Use this procedure to default the system event log configuration.
Procedure
Enter the default logging command in global configuration mode.
Clearing the system log
About this task

Use this procedure to clear all log messages in DRAM.
Procedure
Enter the clear logging system [non-volatile] [nv] [volatile] command in
global configuration mode.
Variable
Value
non-volatile
Clears log messages from NVRAM.
nv
Clears log messages from NVRAM and DRAM.
volatile
Clears log messages from DRAM.
Configuring remote logging

About this task
Use the following CLI commands to configure remote logging. This section also discusses the
commands that enable remote logging.
Related Links
360

June 2014
Displaying logging on page 361

Enabling remote logging on page 361
Disabling remote logging on page 361
Setting the remote logging address on page 361
Clearing the remote server IP address on page 362
Setting the log severity on page 362
Resetting the severity level on page 362
Setting the default remote logging level on page 363
Displaying logging
About this task

Use this procedure to display the configuration and the current contents of the system event log.
Procedure
2. Enter the show logging command to display the log.
Enabling remote logging
About this task

Use this procedure to enable remote logging. By default, remote logging is disabled.
Procedure
2. Enter the logging remote enable command to enable the use of a remote syslog
server.
Disabling remote logging
About this task

Use this procedure to disable remote logging.
Procedure
2. Enter the no logging remote enable command to disable the use of a remote syslog
server.
Setting the remote logging address
About this task

Use this procedure to set the address of the remote server for the syslog.
Procedure
June 2014

361
2. Enter the logging remote address <A.B.C.D> command to disable the use of a
remote syslog server.
Parameters and variables
Description
<A.B.C.D>
Specifies the IP address of the remote server in dotted-decimal

notation. The default address is 0.0.0.0.
Clearing the remote server IP address
About this task

Use this procedure to clear the IP address of the remote server.
Procedure
2. Enter the no logging remote address command to clear the IP address of the remote
syslog server.
Setting the log severity
About this task

Use this command to set the severity level of the logs sent to the remote server.
Procedure
2. Enter the logging remote level {critical | informational | serious |
none} command to set the severity level of the logs that will be sent to the server.
Parameters and variables
Description
{critical | serious | informational | none}
Specifies the severity level of the log messages to be sent to

the remote server:
critical
informational
serious
none
Resetting the severity level
About this task

Use this command to remove severity level setting
Procedure
362

June 2014
2. Enter the no logging remote level command to remove the severity level of the logs
that will be sent to the server. The level is set to none.
Setting the default remote logging level
About this task

Use this procedure to set the remote logging level to default.
Procedure
2. Enter the default logging remote level command to sets the severity level of the
logs sent to the remote server. The default level is none.
Configuring port mirroring

About this task
Use the following CLI commands to configure port mirroring.
Related Links
Displaying the port-mirroring configuration on page 363
Configure port-mirroring on page 363
Disabling port-mirroring on page 365
Displaying Many-to-Many port-mirroring on page 365
Configuring Many-to-Many port-mirroring on page 365
Disabling Many-to-Many port-mirroring on page 366
Displaying the port-mirroring configuration
About this task

Use this procedure to display the existing port-mirroring configuration.
Procedure
2. Enter the show port-mirroring command to display the port-mirroring configuration.
Configure port-mirroring
About this task

Use this procedure to set the port-mirroring configuration
Procedure
2. Enter the port-mirroring mode {disable | Xrx monitor-port <portlist>
mirror-ports <portlist> | Xtx monitor-port <portlist> mirror-ports
<portlist> | ManytoOneRx monitor-port <portlist> mirror-ports
<portlist> | ManytoOneTx monitor-port <portlist> mirror-port-X
June 2014

363
<portlist> | ManytoOneRxTx monitor-port <portlist> mirror-port-X

<portlist> | XrxOrXtx monitor-port <portlist> mirror-port-X
<portlist> | XrxOrYtx monitor-port <portlist> mirror-port-X
<portlist> mirror-port-Y <portlist> | XrxYtxmonitor-port <portlist>
mirror-port-X <portlist> mirror-port-Y <portlist> | XrxYtxOrYrxXtx
monitor-port <portlist> mirror-port-X <portlist> mirror-port-Y
<portlist> | Asrc monitor-port <portlist> mirror-MAC-A <macaddr> |
Adst monitor-port <portlist> mirror-MAC-A <macaddr> | AsrcOrAdst
monitor-port <portlist> mirror-MAC-A <macaddr> | AsrcBdst monitorport <portlist> mirror-MAC-A <macaddr> mirror-MAC-B <macaddr> |
AsrcBdstOrBsrcAdst monitor-port <portlist> mirror-MAC-A <macaddr>
mirror-MAC-B <macaddr>} command to display the port-mirroring configuration.
364
Parameter
Description
disable
Disables port-mirroring.
monitor-port
Specifies the monitor port.
mirror-port-X
Specifies the mirroring port X.
mirror-port-Y
Specifies the mirroring port Y.
mirror-MAC-A
Specifies the mirroring MAC address A.
mirror-MAC-B
Specifies the mirroring MAC address B.
portlist
Enter the port numbers.
ManytoOneRx
Many to one port mirroring on ingress packets.
ManytoOneTx
Many to one port mirroring on egress packets.
ManytoOneRxTx
Many to one port mirroring on ingress and egress traffic.
Xrx
Mirror packets received on port X.
Xtx
Mirror packets transmitted on port X.
XrxOrXtx
Mirror packets received or transmitted on port X.
XrxYtx
Mirror packets received on port X and transmitted on port Y.

This mode is not recommended for mirroring broadcast and
multicast traffic.
XrxYtxOrXtxYrx
Mirror packets received on port X and transmitted on port Y or

packets received on port Y and transmitted on port X.
XrxOrYtx
Mirror packets received on port X or transmitted on port Y.
macaddr
Enter the MAC address in format H.H.H.
Asrc
Mirror packets with source MAC address A.
Adst
Mirror packets with destination MAC address A.
AsrcOrAdst
Mirror packets with source or destination MAC address A.
AsrcBdst
Mirror packets with source MAC address A and destination

MAC address B.

June 2014
Parameter
Description
AsrcBdstOrBsrcAdst
Mirror packets with source MAC address A and destination

MAC address B or packets with source MAC address B and
destination MAC address A.
Disabling port-mirroring
About this task

Use this procedure to disable port-mirroring
Procedure
1. Enter Global Configuration mode
2. Enter the no port-mirroring command to disable port-mirroring.
Displaying Many-to-Many port-mirroring
About this task

Use this procedure to display Many-to-Many port-mirroring settings
Procedure
1. Enter Privileged Executive mode
2. Enter the show port-mirroring command.
Configuring Many-to-Many port-mirroring
About this task

Use this procedure to configure Many-to-Many port-mirroring
Procedure
2. Enter the port-mirroring <1-4> mode {disable | Adst | Asrc | AsrcBdst |
AsrcBdstOrBsrcAdst | AsrcOrAdst | ManyToOneRx | ManyToOneRxTx |
ManyToOneTx | Xrx | XrxOrXtx | XrxOrYtx | XrxYtx | XrxYtxOrYrxXtx |
Xtx} command.
3. Enter the command from step 2 for up to four instances.
Variable
Value
disable
Disable mirroring.
Adst
Mirror packets with destination MAC address A
Asrc
Mirror packets with source MAC address A.
AsrcBdst
Mirror packets with source MAC address A and

destination MAC address B.
June 2014

365
Variable
Value
AsrcBdstOrBsrcAdst
Mirror packets with source MAC address A and

destination MAC address B or packets with source
MAC address B and destination MAC address A.
AsrcOrAdst
Mirror packets with source or destination MAC

address A.
ManyToOneRx
Mirror many to one port mirroring on ingress packets.
ManyToOneRxTx
Mirror many to one port mirroring on ingress and

egress packets.
ManyToOneTx
Mirror many to one port mirroring on egress packets.
Xrx
Mirror packets received on port X.
XrxOrXtx
Mirror packets received on port X and transmitted on

port Y.
XrxYtx

port Y.
XrxYtxOrYrxXtx

port Y or packets received on port Y and transmitted
on port X.
Xtx
Mirror packets received on port X or transmitted on

port Y
Disabling Many-to-Many port-mirroring
About this task

Use this procedure to disable Many-to-Many port-mirroring
Procedure
2. Enter the port-mirroring [<1-4>] mode disable or no port-mirroring
[<1-4>] command to disable a specific instance.
3. Enter the no port-mirroring command to disable all instances.
366
Variable
Definition
<1-4>
The port-mirroring instance.

June 2014
Appendix A: Supported Country Codes
Table 77: Supported country codes for release 3.0

Country Name
Code
United Arab Emirates
AE
Antigua and Barbuda
AG
Netherlands Antilles
AN
Argentina
AR
American Samoa
AS
Austria
AT
Australia
AU
Aruba
AW
Azerbaijan
AZ
Bosnia
BA
Barbados
BB
Bangladesh
BD
Belgium
BE
Bulgaria
BG
Bahrain
BH
Bermuda
BM
Brunei
BN
Bolivia
BO
Brazil
BR
Bahamas
BS
Bhutan
BT
Belarus
BY
Canada
CA
Switzerland
CH
Chile
CL
China
CN
June 2014

367
Supported Country Codes
368
Country Name
Code
Columbia
CO
Costa Rica
CR
Cuba
CU
Cape Verde
CV
Cyprus
CY
Czech Republic
CZ
Germany
DE
Denmark
DK
Dominica
DM
Dominican Republic
DO
Ecuador
EC
Estonia
EE
Egypt
EG
Spain
ES
Finland
FI
Falkland Islands
FK
Federated States of Micronesia
FM
France
FR
United Kingdom
GB
French Guiana
GF
Guernsey
GG
Gibraltar
GI
Guadeloupe
GP
Greece
GR
Guatemala
GT
Guam
GU
Hong Kong
HK
Honduras
HN
Croatia
HR
Haiti
HT
Hungary
HU
Indonesia
ID
Ireland
IE
Israel
IL
Isle of Man
IM
India
IN

June 2014
Country Name
Code
Iran
IR
Iceland
IS
Italy
IT
Jersey
JE
Jamaica
JM
Jordan
JO
Japan
JP
Kenya
KE
Kiribati
KI
Korea Republic
KR
Kuwait
KW
Cayman Islands
KY
LAO People's Democratic Republic
LA
Lebanon
LB
Liechtenstein
LI
Sri Lanka
LK
Lesotho
LS
Lithuania
LT
Luxembourg
LU
Latvia
LV
Morocco
MA
Monaco
MC
Macedonia
MK
Macao
MO
Northern Mariana Islands
MP
Martinique
MQ
Mauritania
MR
Malta
MT
Mauritius
MU
Maldives
MV
Malawi
MW
Mexico
MX
Malaysia
MY
Nigeria
NG
Nicaragua
NI
Netherlands
NL
June 2014

369
Supported Country Codes
370
Country Name
Code
Norway
NO
New Zealand
NZ
Oman
OM
Panama
PA
Peru
PE
Papua New Guinea
PG
Philippines
PH
Pakistan
PK
Poland
PL
St. Pierre and Miquelon
PM
Portugal
PT
Puerto Rico
PR
Qatar
QA
Reunion
RE
Romania
RO
Serbia
RS
Russia
RU
Saudi Arabia
SA
Sweden
SE
Singapore
SG
Slovenia
SI
Slovak Republic
SK
El Salvador
SV
Syria
SY
Thailand
TH
Tajikistan
TJ
Tunisia
TN
Turkey
TR
Trinidad & Tobago
TT
Taiwan
TW
Tanzania
TZ
Ukraine
UA
US(Minor Outlying Islands)
UM
United States
US
Uruguay
UY
Uzbekistan
UZ

June 2014
Country Name
Code
Holy See (Vatican City)
VA
Venezuela
VE
Virgin Islands(British)
VG
US Virgin Isle
VI
Vietnam
VN
Yemen
YE
Mayotte
YT
South Africa
ZA
Zambia
ZM
June 2014

371

NN47251-107 07 01 CLI Reference

Diunggah oleh

Informasi Dokumen

Judul Asli

Hak Cipta

Format Tersedia

Bagikan dokumen Ini

Bagikan atau Tanam Dokumen

Opsi Berbagi

Apakah menurut Anda dokumen ini bermanfaat?

Apakah konten ini tidak pantas?

Hak Cipta:

Format Tersedia

NN47251-107 07 01 CLI Reference

Diunggah oleh

Hak Cipta:

Format Tersedia

ACLI Commands Reference for Avaya

2014 Avaya Inc.

All Rights Reserved.

applicable number of licenses and units of capacity for which the

Preventing Toll Fraud

ACLI Commands Reference for Avaya WLAN 8100

Configuring VLANs and Link Aggregation........................................................................244

Appendix A: Supported Country Codes............................................................................. 367

ACLI Commands Reference for Avaya WLAN 8100

Avaya Wireless LAN 8100 Implementation and Management

ACLI Commands Reference for Avaya WLAN 8100

Avaya VENA Unified Access Implementation

Wireless LAN 8100 AIPS credential

Wireless LAN 8100 Implementation Assessment (online test)

Viewing Avaya Mentor videos

About this task

ACLI Commands Reference for Avaya WLAN 8100

Chapter 2: New in this release

Support for External Captive Portal

Support for Link Layer Discovery Protocol (LLDP)

ACLI Commands Reference for Avaya WLAN 8100

Bonjour Gateway support

ACLI Commands Reference for Avaya WLAN 8100

Chapter 3: Overview of WLAN deployment

ACLI Commands Reference for Avaya WLAN 8100

Chapter 4: ACLI reference for Wireless LAN

ACLI reference for the Wireless LAN (WLAN) 8100

ACLI Commands Reference for Avaya WLAN 8100

ACLI reference for Wireless LAN (WLAN) 8100

Performing controller configuration using the WC 8180 Quick

Before you begin

ACLI Commands Reference for Avaya WLAN 8100

ACLI reference for the Wireless LAN (WLAN) 8100

Figure 1: Console configuration

4. Press Ctrl+Y to start.

Verifying controller configuration

2. Verify controller domain membership:

ACLI Commands Reference for Avaya WLAN 8100

ACLI reference for Wireless LAN (WLAN) 8100

Domain Action Status

3. Verify domain configuration using the following command:

Viewing WLAN 8100 current configuration

Command options of the show running-config module command:

ACLI Commands Reference for Avaya WLAN 8100

ACLI reference for the Wireless LAN (WLAN) 8100

Configuring and managing Link Layer Discovery Protocol

ACLI Commands Reference for Avaya WLAN 8100

ACLI reference for Wireless LAN (WLAN) 8100

AP Ethernet MAC Address

AP Ethernet MAC Address

AP Ethernet MAC Address

AP Ethernet MAC Address

AP Label from Configuration

0.0.0.0 before dhcp address is

A.B.C.D, DHCP assigned

A.B.C.D after dhcp address is

WLAN/Bridge Not Enabled

Avaya Wireless AP, Model

Avaya Wireless AP, Model

eth0 before dhcp address is

eth0, IP: A.B.C.D

eth0, IP: A.B.C.D after dhcp

ACLI Commands Reference for Avaya WLAN 8100