3com wc4400
TRANSCRIPT
-
8/9/2019 3com wc4400
1/751
http://www.3Com.com/
Part No. 10015909 Rev AD
Published July 2008
Wireless LAN Mobility System
Wireless LAN Switch and Controller
Configuration Guide
WX4400 3CRWX440095A
WX2200 3CRWX220095A
WX1200 3CRWX120695A
WXR100 3CRWXR10095A
3Com Corporation
350 Campus Drive
Marlborough, MA USA 01752-3064
Copyright © 2007, 3Com Corporation. All rights reserved. No part of this documentation may be reproduced in any form or by any means or used to make any derivative work (such as translation, transformation, or adaptation) without written permission from 3Com Corporation.
3Com Corporation reserves the right to revise this documentation and to make changes in content from time to time without obligation on the part of 3Com Corporation to provide notification of such revision or change.
3Com Corporation provides this documentation without warranty, term, or condition of any kind, either implied or expressed, including, but not limited to, the implied warranties, terms or conditions of merchantability, satisfactory quality, and fitness for a particular purpose. 3Com may make improvements or changes in the product(s) and/or the program(s) described in this documentation at any time.
If there is any software on removable media described in this documentation, it is furnished under a license agreement included with the product as a separate document, in the hard copy documentation, or on the removable media in a directory file named LICENSE.TXT or !LICENSE.TXT. If you are unable to locate a copy, please contact 3Com and a copy will be provided to you.
UNITED STATES GOVERNMENT LEGEND
If you are a United States government agency, then this documentation and the software described herein are provided to you subject to the following:
All technical data and computer software are commercial in nature and developed solely at private expense. Software is delivered as “Commercial Computer Software” as defined in DFARS 252.227-7014 (June 1995) or as a “commercial item” as defined in FAR 2.101(a) and as such is provided with only such rights as are provided in 3Com’s standard commercial license for the Software. Technical data is provided with limited rights only as provided in DFAR 252.227-7015 (Nov 1995) or FAR 52.227-14 (June 1987), whichever is applicable. You agree not to remove or deface any portion of any legend provided on any licensed program or documentation contained in, or delivered to you in conjunction with, this User Guide.
Unless otherwise indicated, 3Com registered trademarks are registered in the United States and may or may not be registered in other countries.
3Com and the 3Com logo are registered trademarks of 3Com Corporation.
Mobility Domain, Managed Access Point, Mobility Profile, Mobility System, Mobility System Software, MSS, and SentrySweep are trademarks of Trapeze Networks, Inc.
Intel and Pentium are registered trademarks of Intel Corporation. Microsoft, MS-DOS, Windows, Windows XP, and Windows NT are registered trademarks of Microsoft Corporation.
All other company and product names may be trademarks of the respective companies with which they are associated.
ENVIRONMENTAL STATEMENT
It is the policy of 3Com Corporation to be environmentally friendly in all operations. To uphold our policy, we are committed to:
Establishing environmental performance standards that comply with national legislation and regulations.
Conserving energy, materials and natural resources in all operations.
Reducing the waste generated by all operations.
Ensuring that all waste conforms to recognized environmental standards.
Maximizing the recyclable and reusable content of all products.
Ensuring that all products can be recycled, reused and disposed of safely.
Ensuring that all products are labelled according to recognized environmental standards.
Improving our environmental record on a continual basis.
End of Life Statement
3Com processes allow for the recovery, reclamation, and safe disposal of all end-of-life electronic components.
Regulated Materials Statement
3Com products do not contain any hazardous or ozone-depleting material.
Environmental Statement about the Documentation
The documentation for this product is printed on paper that comes from sustainable, managed forests; it is fully biodegradable and recyclable, and is completely chlorine-free. The varnish is environmentally-friendly, and the inks are vegetable-based with a low heavy-metal content.
CONTENTS

ABOUT THIS GUIDE
Conventions
Documentation
Documentation Comments

NEW FEATURES SUMMARY
Virtual Controller Clustering
Virtual Controller Cluster Configuration Terminology
Centralized Configuration Using Virtual Controller Cluster Mode
Autodistribution of APs on the Virtual Controller Cluster
“Hitless” Failover with Virtual Controller Cluster Configuration
Additional Information
Configuring Virtual Controller Clustering on a Mobility Domain
Other Virtual Controller Cluster Configuration Parameters
AP 3950 Support and 802.11n Configuration
Power Over Ethernet (PoE)
802.11n Configuration
External Captive Portal Support
Network Address Translation (NAT) Support
MAC-based Access Control Lists (ACLs)
Simultaneous Login Support
Configuration
Dynamic RADIUS Extensions
Configuration
termination-action Attribute for Dynamic RADIUS
MAC User Range Authentication
Configuration
MAC Authentication Request Format
Configuration
User Attribute Enhancements
Configuration
Split Authentication and Authorization
Enhancements to Location Policy Configuration
Configuration
RADIUS Ping Utility
Configuration
Unique AP Number Support
Configuration
Bandwidth Management
Configuration
Mesh Services Enhancements
RF Scanning Enhancements
Configuration
RF Detection Enhancements
RF Classification Rules
Countermeasures Scaling and Resiliency in a Mobility Domain
Configuration
MSS display Command Enhancements

1 USING THE COMMAND-LINE INTERFACE
Overview
CLI Conventions
Command Prompts
Syntax Notation
Text Entry Conventions and Allowed Characters
User Globs, MAC Address Globs, and VLAN Globs
Port Lists
Virtual LAN Identification
Command-Line Editing
Keyboard Shortcuts
History Buffer
Tabs
Single-Asterisk (*) Wildcard Character
Double-Asterisk (**) Wildcard Characters
Using CLI Help
Understanding Command Descriptions

2 WX SETUP METHODS
Overview
Quick Starts
3Com Wireless Switch Manager
CLI
Web Manager
How a WX Switch Gets its Configuration
Web Quick Start (WXR100, WX1200 and WX2200 Only)
Web Quick Start Parameters
Web Quick Start Requirements
Accessing the Web Quick Start
CLI quickstart Command
Quickstart Example
Remote WX Configuration
Opening the QuickStart Network Plan in 3Com Wireless Switch Manager

3 CONFIGURING ADMINISTRATIVE AND LOCAL ACCESS
Overview
Before You Start
About Administrative Access
Access Modes
Types of Administrative Access
First-Time Configuration via the Console
Logging Into the WX For the First Time
Setting the WX Switch Enable Password
Authenticating at the Console
Setting User Passwords
Adding and Clearing Local Users for Administrative Access
Displaying the AAA Configuration
Saving the Configuration
Administrative Configuration Scenarios
Local Authentication

4 MANAGING USER PASSWORDS
Overview
Configuring Passwords
Setting Passwords for Local Users
Enabling Password Restrictions
Setting the Maximum Number of Login Attempts
Specifying Minimum Password Length
Configuring Password Expiration Time
Restoring Access to a Locked-Out User
Displaying Password Information

5 CONFIGURING AND MANAGING PORTS AND VLANS
Configuring and Managing Ports
Setting the Port Type
Configuring a Port Name
Configuring Interface Preference on a Dual-Interface Gigabit Ethernet Port (WX4400 only)
Configuring Port Operating Parameters
Displaying Port Information
Configuring Load-Sharing Port Groups
Configuring and Managing VLANs
Understanding VLANs in 3Com MSS
Configuring a VLAN
Changing Tunneling Affinity
Restricting Layer 2 Forwarding Among Clients
Displaying VLAN Information
Managing the Layer 2 Forwarding Database
Types of Forwarding Database Entries
How Entries Enter the Forwarding Database
Displaying Forwarding Database Information
Adding an Entry to the Forwarding Database
Removing Entries from the Forwarding Database
Configuring the Aging Timeout Period
Port and VLAN Configuration Scenario

6 CONFIGURING AND MANAGING IP INTERFACES AND SERVICES
MTU Support
Configuring and Managing IP Interfaces
Adding an IP Interface
Disabling or Reenabling an IP Interface
Removing an IP Interface
Displaying IP Interface Information
Configuring the System IP Address
Designating the System IP Address
Displaying the System IP Address
Clearing the System IP Address
Configuring and Managing IP Routes
Displaying IP Routes
Adding a Static Route
Removing a Static Route
Managing the Management Services
Managing SSH
Managing Telnet
Managing HTTPS
Changing the Idle Timeout for CLI Management Sessions
Setting a Message of the Day (MOTD) Banner
Prompting the User to Acknowledge the MOTD Banner
Configuring and Managing DNS
Enabling or Disabling the DNS Client
Configuring DNS Servers
Configuring a Default Domain Name
Displaying DNS Server Information
Configuring and Managing Aliases
Adding an Alias
Removing an Alias
Displaying Aliases
Configuring and Managing Time Parameters
Setting the Time Zone
Configuring the Summertime Period
Statically Configuring the System Time and Date
Displaying the Time and Date
Configuring and Managing NTP

8 CONFIGURING AND MANAGING MOBILITY DOMAIN ROAMING
About the Mobility Domain Feature
Configuring a Mobility Domain
Configuring the Seed
Configuring Member WX Switches on the Seed
Configuring a Member
Configuring Mobility Domain Seed Redundancy
Displaying Mobility Domain Status
Displaying the Mobility Domain Configuration
Clearing a Mobility Domain from a WX Switch
Clearing a Mobility Domain Member from a Seed
Configuring WX-WX Security
Monitoring the VLANs and Tunnels in a Mobility Domain
Displaying Roaming Stations
Displaying Roaming VLANs and Their Affinities
Displaying Tunnel Information
Understanding the Sessions of Roaming Users
Requirements for Roaming to Succeed
Effects of Timers on Roaming
Monitoring Roaming Sessions
Mobility Domain Scenario

9 CONFIGURING NETWORK DOMAINS
About the Network Domain Feature
Network Domain Seed Affinity
Configuring a Network Domain
Configuring Network Domain Seeds
Specifying Network Domain Seed Peers
Configuring Network Domain Members
Displaying Network Domain Information
Clearing Network Domain Configuration from a WX Switch
Clearing a Network Domain Seed from a WX Switch
Clearing a Network Domain Peer from a Network Domain Seed
Clearing Network Domain Seed or Member Configuration from a WX Switch
Network Domain Scenario

10 CONFIGURING MAP ACCESS POINTS
MAP Overview
Country of Operation
Directly Connected MAPs and Distributed MAPs
Boot Process for Distributed MAPs
Contacting a WX Switch
Loading and Activating an Operational Image
Obtaining Configuration Information from the WX Switch
Service Profiles
Radio Profiles
Configuring MAPs
Specifying the Country of Operation
Configuring an Auto-AP Profile for Automatic MAP Configuration
Configuring MAP Port Parameters
Configuring MAP-WX Security
Configuring a Service Profile
Configuring a Radio Profile
Configuring Radio-Specific Parameters
Mapping the Radio Profile to Service Profiles
Assigning a Radio Profile and Enabling Radios
Disabling or Reenabling Radios
Enabling or Disabling Individual Radios
Disabling or Reenabling All Radios Using a Profile
Resetting a Radio to its Factory Default Settings
Restarting a MAP
Configuring Local Packet Switching on MAPs
Configuring Local Switching
Displaying MAP Information
Displaying MAP Configuration Information
Displaying Connection Information for Distributed MAPs
Displaying a List of Distributed MAPs that Are Not Configured
Displaying Active Connection Information for Distributed MAPs
Displaying Service Profile Information
Displaying Radio Profile Information
Displaying MAP Status Information
Displaying Static IP Address Information for Distributed MAPs
Displaying MAP Statistics Counters
Displaying the Forwarding Database for a MAP
Displaying VLAN Information for a MAP
Displaying ACL Information for a MAP

11 CONFIGURING RF LOAD BALANCING FOR MAPS
RF Load Balancing Overview
Configuring RF Load Balancing
Disabling or Re-Enabling RF Load Balancing
Assigning Radios to Load Balancing Groups
Specifying Band Preference for RF Load Balancing
Setting Strictness for RF Load Balancing
Exempting an SSID from RF Load Balancing
Displaying RF Load Balancing Information

12 CONFIGURING WLAN MESH SERVICES
WLAN Mesh Services Overview
Configuring WLAN Mesh Services
Configuring the Mesh AP
Configuring the Service Profile for Mesh Services
Configuring Security
Enabling Link Calibration Packets on the Mesh Portal MAP
Deploying the Mesh AP
Configuring Wireless Bridging
Displaying WLAN Mesh Services Information

13 CONFIGURING USER ENCRYPTION
Overview
Configuring WPA
WPA Cipher Suites
TKIP Countermeasures
WPA Authentication Methods
WPA Information Element
Client Support
Configuring WPA
Configuring RSN (802.11i)
Creating a Service Profile for RSN
Enabling RSN
Specifying the RSN Cipher Suites
Changing the TKIP Countermeasures Timer Value
Enabling PSK Authentication
Displaying RSN Settings
Assigning the Service Profile to Radios and Enabling the Radios
Configuring WEP
Setting Static WEP Key Values
Assigning Static WEP Keys
Encryption Configuration Scenarios
Enabling WPA with TKIP
Enabling Dynamic WEP in a WPA Network
Configuring Encryption for MAC Clients

14 CONFIGURING RF AUTO-TUNING
Overview
Initial Channel and Power Assignment
Channel and Power Tuning
RF Auto-Tuning Parameters
Changing RF Auto-Tuning Settings
Selecting Available Channels on the 802.11a Radio
Changing Channel Tuning Settings
Changing Power Tuning Settings
Locking Down Tuned Settings
Displaying RF Auto-Tuning Information
Displaying RF Auto-Tuning Settings
Displaying RF Neighbors
Displaying RF Attributes

15 CONFIGURING MAPS TO BE AEROSCOUT LISTENERS
Configuring MAP Radios to Listen for AeroScout RFID Tags
Locating an RFID Tag
Using an AeroScout Engine
Using 3Com Wireless Switch Manager

16 CONFIGURING QUALITY OF SERVICE
About QoS
Summary of QoS Features
QoS Mode
WMM QoS Mode
WMM QoS on a MAP
Call Admission Control
Broadcast Control
Static CoS
Overriding CoS
Changing QoS Settings
Changing the QoS Mode
Enabling U-APSD Support
Configuring Call Admission Control
Configuring Static CoS
Changing CoS Mappings
Using the Client’s DSCP Value to Classify QoS Level
Enabling Broadcast Control
Displaying QoS Information
Displaying a Radio Profile’s QoS Settings
Displaying a Service Profile’s QoS Settings
Displaying CoS Mappings
Displaying the DSCP Table
Displaying MAP Forwarding Queue Statistics

17 CONFIGURING AND MANAGING SPANNING TREE PROTOCOL
Overview
Enabling the Spanning Tree Protocol
Changing Standard Spanning Tree Parameters
Bridge Priority
Port Cost
Port Priority
Changing the Bridge Priority
Changing STP Port Parameters
Changing Spanning Tree Timers
Configuring and Managing STP Fast Convergence Features
Configuring Port Fast Convergence
Displaying Port Fast Convergence Information
Configuring Backbone Fast Convergence
Displaying the Backbone Fast Convergence State
Configuring Uplink Fast Convergence
Displaying Uplink Fast Convergence Information
Displaying Spanning Tree Information
Displaying STP Bridge and Port Information
Displaying the STP Port Cost on a VLAN Basis
Displaying Blocked STP Ports
Displaying Spanning Tree Statistics
Clearing STP Statistics
Spanning Tree Configuration Scenario

18 CONFIGURING AND MANAGING IGMP SNOOPING
Overview
Disabling or Reenabling IGMP Snooping
Disabling or Reenabling Proxy Reporting
Enabling the Pseudo-Querier
Changing IGMP Timers
Changing the Query Interval
Changing the Other-Querier-Present Interval
Changing the Query Response Interval
Changing the Last Member Query Interval
Changing Robustness
Enabling Router Solicitation
Changing the Router Solicitation Interval
Configuring Static Multicast Ports
Adding or Removing a Static Multicast Router Port
Adding or Removing a Static Multicast Receiver Port
Displaying Multicast Information
Displaying Multicast Configuration Information and Statistics
Displaying Multicast Queriers
Displaying Multicast Routers
Displaying Multicast Receivers
Public and Private Keys
Digital Certificates
PKCS #7, PKCS #10, and PKCS #12 Object Files
Certificates Automatically Generated by MSS
Creating Keys and Certificates
Choosing the Appropriate Certificate Installation Method for Your Network
Creating Public-Private Key Pairs
Generating Self-Signed Certificates
Installing a Key Pair and Certificate from a PKCS #12 Object File
Creating a CSR and Installing a Certificate from a PKCS #7 Object File
Installing a CA’s Own Certificate
Displaying Certificate and Key Information
Key and Certificate Configuration Scenarios
Creating Self-Signed Certificates
Installing CA-Signed Certificates from PKCS #12 Object Files
Installing CA-Signed Certificates Using a PKCS #10 Object File (CSR) and a PKCS #7 Object File

21 CONFIGURING AAA FOR NETWORK USERS
About AAA for Network Users
Authentication
Authorization
Accounting
Summary of AAA Features
AAA Tools for Network Users
“Globs” and Groups for Network and Local User Classification
AAA Methods for IEEE 802.1X and Web Network Access
IEEE 802.1X Extensible Authentication Protocol Types
Ways a WX Switch Can Use EAP
Effects of Authentication Type on Encryption Method
Configuring 802.1X Authentication
Configuring EAP Offload
Using Pass-Through
Authenticating via a Local Database
Binding User Authentication to Machine Authentication
Configuring Authentication and Authorization by MAC Address
Adding and Clearing MAC Users and User Groups Locally
Configuring MAC Authentication and Authorization
Changing the MAC Authorization Password for RADIUS
Configuring Web Portal WebAAA
How WebAAA Portal Works
WebAAA Requirements and Recommendations
Configuring Web Portal WebAAA
Using a Custom Login Page
Using Dynamic Fields in WebAAA Redirect URLs
Using an ACL Other Than portalacl
Configuring the Web Portal WebAAA Session Timeout Period
Configuring the Web Portal Logout Function
Configuring Last-Resort Access
Configuring Last-Resort Access for Wired Authentication Ports
Configuring AAA for Users of Third-Party APs
Authentication Process for Users of a Third-Party AP
Requirements
Configuring Authentication for 802.1X Users of a Third-Party AP with Tagged SSIDs
Configuring Authentication for Non-802.1X Users of a Third-Party AP with Tagged SSIDs
Configuring Access for Any Users of a Non-Tagged SSID
Assigning Authorization Attributes
Assigning Attributes to Users and Groups
Assigning SSID Default Attributes to a Service Profile
Assigning a Security ACL to a User or a Group
Clearing a Security ACL from a User or Group
Assigning Encryption Types to Wireless Users
Keeping Users on the Same VLAN Even After Roaming
Overriding or Adding Attributes Locally with a Location Policy
About the Location Policy
How the Location Policy Differs from a Security ACL
Setting the Location Policy
Clearing Location Policy Rules and Disabling the Location Policy
Configuring Accounting for Wireless Network Users
Viewing Local Accounting Records
Viewing Roaming Accounting Records
Displaying the AAA Configuration
Avoiding AAA Problems in Configuration Order
Using the Wildcard “Any” as the SSID Name in Authentication Rules
Using Authentication and Accounting Rules Together
Configuring a Mobility Profile
Network User Configuration Scenarios
General Use of Network User Commands
Enabling RADIUS Pass-Through Authentication
Enabling PEAP-MS-CHAP-V2 Authentication
Enabling PEAP-MS-CHAP-V2 Offload
Combining EAP Offload with Pass-Through Authentication
Overriding AAA-Assigned VLANs

22 CONFIGURING COMMUNICATION WITH RADIUS
RADIUS Overview
Before You Begin
Configuring RADIUS Servers
Configuring Global RADIUS Defaults
Setting the System IP Address as the Source Address
Configuring Individual RADIUS Servers
Deleting RADIUS Servers
Configuring RADIUS Server Groups
Creating Server Groups
Deleting a Server Group
RADIUS and Server Group Configuration Scenario

23 MANAGING 802.1X ON THE WX SWITCH
Managing 802.1X on Wired Authentication Ports
Enabling and Disabling 802.1X Globally
Setting 802.1X Port Control
Managing 802.1X Encryption Keys
Enabling 802.1X Key Transmission
Configuring 802.1X Key Transmission Time Intervals
Managing WEP Keys
Setting EAP Retransmission Attempts
Managing 802.1X Client Reauthentication
Enabling and Disabling 802.1X Reauthentication
Setting the Maximum Number of 802.1X Reauthentication Attempts
Setting the 802.1X Reauthentication Period
Setting the Bonded Authentication Period
Managing Other Timers
Setting the 802.1X Quiet Period
Setting the 802.1X Timeout for an Authorization Server
Setting the 802.1X Timeout for a Client
Displaying 802.1X Information
Viewing 802.1X Clients
Viewing the 802.1X Configuration
Viewing 802.1X Statistics

24 CONFIGURING SODA ENDPOINT SECURITY FOR A WX SWITCH
About SODA Endpoint Security
SODA Endpoint Security Support on WX Switches
How SODA Functionality Works on WX Switches
Configuring SODA Functionality
Configuring Web Portal WebAAA for the Service Profile
Creating the SODA Agent with SODA Manager
Copying the SODA Agent to the WX Switch
Installing the SODA Agent Files on the WX Switch
Enabling SODA Functionality for the Service Profile
Disabling Enforcement of SODA Agent Checks
Specifying a SODA Agent Success Page
Specifying a SODA Agent Failure Page
Specifying a Remediation ACL
Specifying a SODA Agent Logout Page
Specifying an Alternate SODA Agent Directory for a Service Profile
Uninstalling the SODA Agent Files from the WX Switch
Displaying SODA Configuration Information

25 MANAGING SESSIONS
About the Session Manager
Displaying and Clearing Administrative Sessions
Displaying and Clearing All Administrative Sessions
Displaying and Clearing an Administrative Console Session
Displaying and Clearing Administrative Telnet Sessions
Displaying and Clearing Client Telnet Sessions
Displaying and Clearing Network Sessions
Displaying Verbose Network Session Information
Displaying and Clearing Network Sessions by Username
Displaying and Clearing Network Sessions by MAC Address
Displaying and Clearing Network Sessions by VLAN Name
Displaying and Clearing Network Sessions by Session ID
Displaying and Changing Network Session Timers
Disabling Keepalive Probes
Changing or Disabling the User Idle Timeout

26 ROGUE DETECTION AND COUNTERMEASURES
Overview
About Rogues and RF Detection
Rogue Access Points and Clients
RF Detection Scans
Countermeasures
Mobility Domain Requirement
Summary of Rogue Detection Features
Configuring Rogue Detection Lists
Configuring a Permitted Vendor List
Configuring a Permitted SSID List
Configuring a Client Black List
Configuring an Attack List
Configuring an Ignore List
Enabling Countermeasures
Using On-Demand Countermeasures in a Mobility Domain
Disabling or Reenabling Active Scan
Enabling MAP Signatures
Creating an Encrypted RF Fingerprint Key as a MAP Signature
Disabling or Reenabling Logging of Rogues
Enabling Rogue and Countermeasures Notifications
IDS and DoS Alerts
Flood Attacks
DoS Attacks
Netstumbler and Wellenreiter Applications
Wireless Bridge
Ad-Hoc Network
Weak WEP Key Used by Client
Disallowed Devices or SSIDs
Displaying Statistics Counters
IDS Log Message Examples
Displaying RF Detection Information
Displaying Rogue Clients
Displaying Rogue Detection Counters
Displaying SSID or BSSID Information for a Mobility Domain
Displaying RF Detect Data
Displaying the APs Detected by MAP Radio
Displaying Countermeasures Information

27 MANAGING SYSTEM FILES
About System Files
Displaying Software Version Information
Displaying Boot Information
Working with Files
Displaying a List of Files
Copying a File
Using an Image File’s MD5 Checksum To Verify Its Integrity
Deleting a File
Creating a Subdirectory
Removing a Subdirectory
Managing Configuration Files
Displaying the Running Configuration
Saving Configuration Changes
Specifying the Configuration File to Use After the Next Reboot
Loading a Configuration File
Specifying a Backup Configuration File
Resetting to the Factory Default Configuration
Backing Up and Restoring the System
Managing Configuration Changes
Backup and Restore Examples
Upgrading the System Image
Preparing the WX Switch for the Upgrade
Upgrading an Individual Switch Using the CLI
Command Changes During Upgrade

A TROUBLESHOOTING A WX SWITCH
Fixing Common WX Setup Problems
Recovering the System When the Enable Password is Lost
WXR100
WX1200, WX2200, or WX4400
Configuring and Managing the System Log
Log Message Components
Logging Destinations and Levels
Using Log Commands
Running Traces
Using the Trace Command
Displaying a Trace
Stopping a Trace
About Trace Results
Displaying Trace Results
Copying Trace Results to a Server
Clearing the Trace Log
List of Trace Areas
Using display Commands
Viewing VLAN Interfaces
Viewing AAA Session Statistics
Viewing FDB Information
Viewing ARP Information
Port Mirroring
Configuration Requirements
Configuring Port Mirroring
Displaying the Port Mirroring Configuration
Clearing the Port Mirroring Configuration
Remotely Monitoring Traffic
How Remote Traffic Monitoring Works
Best Practices for Remote Traffic Monitoring
Configuring a Snoop Filter
Mapping a Snoop Filter to a Radio
Enabling or Disabling a Snoop Filter
Displaying Remote Traffic Monitoring Statistics
Preparing an Observer and Capturing Traffic
Capturing System Information and Sending it to Technical Support
The display tech-support Command
Core Files
Debug Messages
Sending Information to 3Com Technical Support

B ENABLING AND LOGGING INTO WEB VIEW
System Requirements
Browser Requirements
WX Switch Requirements
Logging Into Web View

C SUPPORTED RADIUS ATTRIBUTES
Attributes
Supported Standard and Extended Attributes
3Com Vendor-Specific Attributes

D TRAFFIC PORTS USED BY MSS

E DHCP SERVER
How the MSS DHCP Server Works
Configuring the DHCP Server
Displaying DHCP Server Information

F OBTAINING SUPPORT FOR YOUR 3COM PRODUCTS
Register Your Product to Gain Service Benefits
Solve Problems Online
Purchase Extended Warranty and Professional Services
Access Software Downloads
Contact Us
Telephone Technical Support and Repair

GLOSSARY
INDEX
COMMAND INDEX
ABOUT THIS GUIDE
This guide describes the configuration commands for the 3Com Wireless LAN Switch WXR100, WX1200, or 3Com Wireless LAN Controller WX4400, WX2200.
This guide is intended for system integrators who are configuring the WXR100, WX1200, WX4400, or WX2200.
If release notes are shipped with your product and the information there differs from the information in this guide, follow the instructions in the release notes.
Most user guides and release notes are available in Adobe Acrobat Reader Portable Document Format (PDF) or HTML on the 3Com World Wide Web site:
http://www.3com.com/

Conventions
Table 1 and Table 2 list conventions that are used throughout this guide.

Table 1 Notice Icons
Notice Type: Description
Information note: Information that describes important features or instructions
Caution: Information that alerts you to potential loss of data or potential damage to an application, system, or device
This manual uses the following text and syntax conventions:

Table 2 Text Conventions
Convention: Description
Monospace text: Sets off command syntax or sample commands and system responses.
Bold text: Highlights commands that you enter or items you select.
Italic text: Designates command variables that you replace with appropriate values, or highlights publication titles or words requiring special emphasis.
[ ] (square brackets): Enclose optional parameters in command syntax.
{ } (curly brackets): Enclose mandatory parameters in command syntax.
| (vertical bar): Separates mutually exclusive options in command syntax.
Keyboard key names: If you must press two or more keys simultaneously, the key names are linked with a plus sign (+). Example: Press Ctrl+Alt+Del
Words in italics: Italics are used to:
Emphasize a point.
Denote a new term at the place where it is defined in the text.
Highlight an example string, such as a username or SSID.

Documentation
The MSS documentation set includes the following documents.
Wireless Switch Manager (3WXM) Release Notes
These notes provide information about the 3WXM software release, including new features and bug fixes.
Wireless LAN Switch and Controller Release Notes
These notes provide information about the MSS software release, including new features and bug fixes.
Wireless LAN Switch and Controller Quick Start Guide
This guide provides instructions for performing basic setup of secure (802.1X) and guest (WebAAA™) access, for configuring a Mobility Domain for roaming, and for accessing a sample network plan in 3WXM for advanced configuration and management.
Wireless Switch Manager Reference Manual
This manual shows you how to plan, configure, deploy, and manage a Mobility System wireless LAN (WLAN) using the 3Com Wireless Switch Manager (3WXM).
Wireless Switch Manager User’s Guide
This manual shows you how to plan, configure, deploy, and manage the entire WLAN with the 3WXM tool suite. Read this guide to learn how to plan wireless services, how to configure and deploy 3Com equipment to provide those services, and how to optimize and manage your WLAN.
Wireless LAN Switch and Controller Hardware Installation Guide
This guide provides instructions and specifications for installing a WX wireless switch in a Mobility System WLAN.
Wireless LAN Switch and Controller Configuration Guide
This guide provides instructions for configuring and managing the system through the Mobility System Software (MSS) CLI.
Wireless LAN Switch and Controller Command Reference
This reference provides syntax information for all MSS commands supported on WX switches.

Documentation Comments
Your suggestions are very important to us. They will help make our documentation more useful to you. Please e-mail comments about this document to 3Com at:
Please include the following information when contacting us:
Document title
Document part number and revision (on the title page)
Page number (if appropriate)
Example:
Wireless LAN Switch and Controller Configuration Guide
Part number 730-9502-0071, Revision B
Page 25
Please note that we can only respond to comments and questions about 3Com product documentation at this e-mail address. Questions related to technical support or sales should be directed in the first instance to your network supplier.
NEW FEATURES SUMMARY
This summary describes new features available in Version 7.0 of the Wireless LAN Mobility System that affect this guide. Each feature section includes:
A brief description of the feature
Basic configuration procedures, if applicable
It is important to note that new MSS 7.0 features are not described within the individual chapters of this guide. They are only covered in this summary section.
This summary covers the following topics:
Virtual Controller Clustering
AP 3950 Support and 802.11n Configuration
External Captive Portal Support
Network Address Translation (NAT) Support
MAC-based Access Control Lists (ACLs)
Simultaneous Login Support
Dynamic RADIUS Extensions
MAC User Range Authentication
MAC Authentication Request Format
User Attribute Enhancements
Split Authentication and Authorization
RADIUS Ping Utility
Unique AP Number Support
Bandwidth Management
Mesh Services Enhancements
RF Scanning Enhancements
RF Detection Enhancements
MSS display Command Enhancements
Virtual Controller Clustering
WX switches use innovative clustering technology to ensure mobility across an entire wireless network. With clustering, you can create logical groups of WX switches and APs, which proactively share network and user information for hitless failover support. You can also create a single point of configuration for small and large WLAN deployments to reduce the cost of installation and network management. Adding WXs and APs is seamless and does not require an interruption of connectivity in your existing network.
Virtual Controller Clustering provides distributed network intelligence that enables fast, transparent failover to overcome network and device interruptions and provides a means of central configuration and distribution for WXs and APs on the network.
The features of cluster configuration include the following:
Centralized configuration of WXs and APs.
Autodistribution of configuration parameters to APs.
“Hitless” failover on the network if a WX is unavailable.
Automatic load balancing of APs across any WXs in the cluster.
The number of APs supported on a cluster member is limited to the number supported on a WX. It is recommended that you use larger capacity WXs, such as WX 2200s, in your configuration to obtain the maximum benefits of cluster configuration.
Virtual Controller Cluster Configuration Terminology
Domain configuration – Wireless parameters in the configuration file, including radio profiles, service profiles, AP configuration, and more. The domain configuration is typically duplicated among more than one WX in a cluster.
Configuration cluster – The cluster subset of WXs in a mobility domain that share a domain configuration.
Primary AP Manager (PAM) – The WX in the cluster responsible for actively managing APs that receive configuration information from the PAM.
Secondary AP Manager (SAM) – The WX in the cluster acting as the hot standby for an AP.
Centralized Configuration Using Virtual Controller Cluster Mode
Cluster mode is a subset of a mobility domain.
A predetermined set of configuration parameters are distributed from the primary seed to members of the cluster in a load-balanced manner. The AP parameters are then distributed to the APs on each WX.
A member of a configuration cluster does not have a local copy of the domain configuration unless it is the primary or secondary seed.
A WX cannot boot an AP without network connectivity to the primary or secondary seed.
The domain configuration is created and managed by the active seed.
The secondary seed provides redundancy for configuration management to the primary seed.
The primary seed takes precedence over the secondary seed if there are conflicting configurations between them. The only exception is if you explicitly override the configuration.
Changes to the secondary seed are not allowed while the primary seed is active on the network.
Adding more WXs to the cluster to increase AP booting capacity is seamless and requires no configuration changes to more than one WX in the cluster.
Configuration changes for WXs can only be performed on the primary seed of the mobility domain, or the secondary seed if one is configured and the primary seed is unavailable.
Autodistribution of APs on the Virtual Controller Cluster
Load balancing of APs is supported across the cluster without any explicit configuration.
The maximum number of configured APs on the cluster is restricted by the maximum number of configured APs on the primary or secondary seed. Larger capacity WXs should be used for larger deployments of APs.
Client session states are shared among WXs in the cluster configuration.
“Hitless” Failover with Virtual Controller Cluster Configuration
Failure of a WX has no adverse impact on the current installation.
Existing clients and APs remain active on the network and there is no impact on the ability to make cluster configuration changes while the WX is in a failure state.
APs connected to a WX fail over to another WX in the cluster without resetting on the network.
Existing client sessions on an AP are not disconnected if the WX is in the process of failing.
Client session states are shared between WXs with a configuration profile for an AP. This ensures proper network resiliency capability.
Keepalive packets are sent between the primary seed and the cluster members to ensure that all members are available.
Additional Information
Only one cluster can be configured on a mobility domain.
In MSS Version 7.0, the maximum number of APs supported in a cluster is 2048.
AP-WX load balancing automatically occurs on the mobility domain to ensure maximum failover capability.
Cluster configuration is not supported on releases earlier than MSS Version 7.0.
All WXs configured as part of a cluster must have MSS Version 7.0 as the operating software.
All WXs configured as part of the cluster must run the same level of firmware and be of the same type (e.g. two WX-4400s).
Directly attached APs cannot be configured on any WX in a cluster configuration.
It is recommended that you back up the existing configuration on each WX that is a member of the cluster configuration. If you disable cluster mode, you can return to the previous configuration without reconfiguring the WX.
Configuring Virtual Controller Clustering on a Mobility Domain
On the primary seed for the mobility domain, enter the following command:
WX_PS# set cluster mode enable
success: change accepted
On the secondary seed for the mobility domain, enter the following command to provide cluster redundancy on the network:
WX_SS# set cluster mode preempt enable
On each mobility domain member, enter the following command:
WX1# set cluster mode enable
success: change accepted
WX2# set cluster mode enable
success: change accepted
WX3# set cluster mode enable
success: change accepted
If the primary and secondary seed become disconnected and if you have configured one as part of the mobility domain, use the command set cluster preempt enable on the secondary seed WX to override the primary seed configuration. Once the primary seed WX is available, the primary seed manages the cluster configuration again.
This command is not persistent and you must set preempt again if the WX resets.
Use the restore-backup-config command to restore the previous configuration on the WX before cluster mode was enabled.
Other Virtual Controller Cluster Configuration Parameters
The following configuration parameters are also shared as part of the virtual cluster controller configuration:
ACLs are implemented as follows:
ACLs that refer to an AP must be configured on the seed WX.
ACLs defined on a seed WX are shared with members.
ACL mapping to ports, VLANs, and vports can be defined on the member WXs for locally defined ACLs.
If there are conflicting ACL names, the local ACL takes precedence and the incident is logged to the event log.
Mobility profiles have the following configuration constraints:
Mobility profiles must be configured on the Primary seed.
Mobility profiles that reference ports are not accepted by the configuration.
Location policies can be configured as follows:
Must be configured on the seed WX.
Profiles with port references are not allowed.
QoS profiles
AP 3950 Support and 802.11n Configuration
With the introduction of the AP-3950, MSS 7.0 now supports 802.11n. Some of the features of the AP-3950 include:
40 MHz channels
High throughput
Additional Rates
MPDU aggregation
MIMO
Legacy clients and APs
2.4 GHz and 5 GHz capabilities
You can configure different data rates on the AP-3950 for 802.11b, 802.11ng, and 802.11na.
For instructions on how to install the AP-3950, refer to the AP3950 Managed Access Point Quick Start Guide.
Power Over Ethernet (PoE)
Because the AP-3950 has two 802.11n radios, it requires more PoE support than a single 802.3af power source.
Use the following command to configure PoE:
set ap apnum power-mode {auto | high}
Table 3 AP-3950 Data Rates
Radio Type   Data Rates
802.11na     6.0, 9.0, 12.0, 18.0, 24.0, 36.0, 48.0, 54.0, MCS0-15
802.11b      1.0, 2.0, 5.5, 11.0
802.11ng     1.0, 2.0, 5.5, 6.0, 9.0, 11.0, 12.0, 18.0, 24.0, 36.0, 48.0, 54.0, MCS0-15
There are two possible configurations for supplying power to the AP-3950:
If the power mode is set to auto, the power is managed automatically by sensing the power level on the AP. If low power is detected, unused Ethernet is disabled and the traffic on the 2.4 GHz radio is reduced. If high power is detected, then both radios operate at 3x3 (3 transmit chains and 3 receive chains).
If the power mode is set to high, both radios operate at the maximum power available, which requires either 802.3at PoE or both ports using 802.3af PoE.
802.11n Configuration
It is recommended that you follow these best practices when configuring 802.11n:
Use separate radio profiles for long and short guard intervals. A short guard interval is used to prevent inter-symbol interference for 802.11n. When enabled, the interval is 400 nanoseconds and it enhances throughput when multipath delay is low.
Do not configure 40 MHz channels on the 2.4 GHz radio.
40 MHz channels may not be optimal in areas with high client density, such as auditoriums or large classrooms. Consider using two AP-3950s on different 20 MHz channels and load-balance the traffic between the two APs.
For information on 802.11n frame aggregation, data rate, and channel commands, refer to the New Features Summary section of the Wireless LAN Switch and Controller Command Reference Guide.
External Captive Portal Support
The ability to redirect Web portal authentication to a Web server on a network rather than a local WX database or RADIUS is now available in MSS 7.0. The feature works in the following manner:
A user connects to the local WX with web portal enabled.
The WX redirects the user via HTTP or HTTPS to an external authentication web server.
After the user credentials are verified, the external server sends a Change of Attribute (CoA) to the WX. The CoA requests a change in the session username on the WX.
The Web server can also change or set any other allowed CoAs at the same time.
WX# set service-profile profile-name web-portal-form URL
Network Address Translation (NAT) Support
MSS Version 6.2 supports NAT, which provides the translation of IP addresses in one network for those in a different network. NAT is typically used in firewall applications in which one network (private) is hidden behind the firewall to protect it from the public network. In some network configurations, a firewall appliance or other network appliance may be placed between an AP and a WX and use NAT in a configuration.
Changes to the MSS architecture affect the WX-AP control plane, WX-AP client data transport, and the WX-WX roaming client data transport portions of MSS. NAT support is transparent to the end user and does not require explicit MSS or 3WXM configuration.
MAC-based Access Control Lists (ACLs)
Access Control Lists (ACLs) filter packets based on certain fields in the packet such as ICMP, IP address, TCP, CoS, or UDP. With the release of MSS 7.0, you can now configure ACLs using MAC addresses. The MAC address mask is similar to IP address masks, but specified in hexadecimal format.
Simultaneous Login Support
As part of the administrative and user configuration enhancements to MSS 7.0, you can now limit the number of concurrent sessions that a user can have on the network. You can use a vendor-specific attribute (VSA) on a RADIUS server or configure it as part of a service profile. You can apply the attribute to users and user groups.
Configuration
To configure simultaneous logins for a user, enter the following command:
WX# set user username attr simultaneous-logins value
where value is between 0 and 1000. If you set the value to 0, then the user is locked out of the network. The default value is unlimited access. In addition, setting this value applies only to user sessions in the mobility domain and not a specific WX. Additional commands include the following:
WX# set usergroup group attr simultaneous-logins value
WX# set service-profile profile-name attr simultaneous-logins value
To clear the configuration, enter:
WX# clear user username attr simultaneous-logins
Dynamic RADIUS Extensions
This feature allows administrators supporting a RADIUS server to disconnect a user and change the authorization attributes of an existing user session. New terminology is introduced in support of RFC 3576 (Dynamic Authorization Server MIB):
Dynamic Authorization Server (DAS) — The component that resides on the NAS and processes the Disconnect and Change-of-Authorization requests sent by the Dynamic Authorization Client (DAC).
Dynamic Authorization Client (DAC) — The component sending the Disconnect and Change of Attribute requests to the DAS. Though the DAC often resides on the RADIUS server, it can be located on a separate host, such as a rating engine.
Dynamic Authorization Server Port — The UDP port on which the DAS listens for Disconnect and Change of Attribute requests sent by the DAC.
Configuration
To configure a RADIUS DAC server on a WX, use the following commands:
WX# set radius dac dac-name ip-address key string
Additional attributes include the following:
[disconnect [enable | disable] | change-of-author [enable | disable] | replay-protection [enable | disable] | replay-window seconds]
To configure the dynamic authorization server port, use the following command:
WX# set radius das-port portnum
To clear the das-port, use the following command:
WX# clear radius das-port
To configure SSIDs for RADIUS DAC, use the following commands:
WX# set authorization dynamic {ssid [wireless_8021X | 8021x | any | name] | wired name}
You can configure up to four SSIDs and four wired rule names for RADIUS DAC.
termination-action Attribute for Dynamic RADIUS
The termination-action RADIUS attribute is now supported in MSS 7.0. This attribute supports reauthentication of all access types: dot1x, web-portal, MAC, and last-resort. When the value is set to 0, the user session is terminated after the session expires. If the value is set to 1, the user session is reauthenticated by sending a RADIUS request message after the session expires. The command syntax is shown below:
WX# set usergroup groupname attr termination-action [0 | 1]
WX# set user username attr termination-action [0 | 1]
MAC User Range Authentication
3WXM and MSS allow authentication of users based on the Media Access Control (MAC) address of a device. This enables a set of MAC-authenticated devices like VoIP phones to authenticate through a RADIUS server and through the WX local database, without additional configuration.
Version 7.0 modifies the User MAC Address field to allow input such as 00:11:00:* instead of just a single MAC address in previous versions. Only one * (asterisk) is allowed in the address format and it must be the last character.
During authentication of the MAC User client, the most specific entry that matches the MAC-user glob is selected. Therefore, an entry for 00:11:30:21:ab:cd overrides an entry for 00:11:30:21:*, and an entry for 00:11:30:21:* overrides an entry for 00:11:30:*.
Configuration
To configure a MAC User Range with MSS, use these commands:
WX# set mac-user 00:11:*
WX# set mac-user 00:11:* attr attribute-name value
WX# set mac-user 00:11:* [group group_name]
To configure this feature for authentication on a RADIUS server, use the following command:
WX# set authentication mac-prefix {ssid name | wired} mac-glob radius-server-group
The parameter mac-glob represents the range of MAC addresses for this rule and determines the prefix used for authentication. During authentication, the MAC prefix is extracted from the MAC-glob and used as the user-name in the Access-Request portion of the handshake.
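The most-specific-match rule described above can be checked offline against a planned set of mac-user entries. The following Python sketch is an added example, not MSS code: the function names are hypothetical, matching is assumed to be a case-insensitive prefix match on colon-separated notation, and covered_addresses is an extra audit helper that reports how many addresses an entry admits.

```python
import re

FULL_MAC = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$")
TEMPLATE = "00:00:00:00:00:00"  # pads a prefix out to a full address

# Constructed sample entries, modelled on the globs shown in the text.
SAMPLE_ENTRIES = ["00:11:30:*", "00:11:30:21:*", "00:11:30:21:ab:cd"]


def parse_entry(entry):
    """Return (prefix, is_glob) for a mac-user entry, or raise ValueError.

    An entry is a full MAC address or a prefix ending in exactly one '*'.
    """
    text = entry.strip().lower()
    if text.count("*") > 1 or ("*" in text and not text.endswith("*")):
        raise ValueError("only one '*' is allowed and it must be last: %r" % entry)
    is_glob = text.endswith("*")
    prefix = text[:-1] if is_glob else text
    if is_glob and len(prefix) >= len(TEMPLATE):
        raise ValueError("glob leaves nothing to match: %r" % entry)
    # For a glob, pad the prefix so one regex validates both forms.
    candidate = prefix + TEMPLATE[len(prefix):] if is_glob else prefix
    if not FULL_MAC.match(candidate):
        raise ValueError("not a MAC address or MAC glob: %r" % entry)
    return prefix, is_glob


def select_entry(mac, entries):
    """Return the most specific entry matching mac, or None if none match.

    An exact address beats every glob; among globs the longest prefix wins.
    """
    client = mac.strip().lower()
    if not FULL_MAC.match(client):
        raise ValueError("not a MAC address: %r" % mac)
    best = None  # (rank, entry)
    for entry in entries:
        prefix, is_glob = parse_entry(entry)
        if is_glob:
            if not client.startswith(prefix):
                continue
            rank = len(prefix)
        else:
            if client != prefix:
                continue
            rank = len(TEMPLATE) + 1  # always outranks a glob
        if best is None or rank > best[0]:
            best = (rank, entry)
    return best[1] if best else None


def covered_addresses(entry):
    """Number of distinct MAC addresses an entry matches (audit helper)."""
    prefix, is_glob = parse_entry(entry)
    if not is_glob:
        return 1
    fixed_digits = len(prefix.replace(":", ""))
    return 16 ** (12 - fixed_digits)


if __name__ == "__main__":
    for mac in ("00:11:30:21:AB:CD", "00:11:30:21:00:01", "00:12:00:00:00:01"):
        print(mac, "->", select_entry(mac, SAMPLE_ENTRIES))
    for entry in SAMPLE_ENTRIES:
        print(entry, "covers", covered_addresses(entry), "addresses")
```

Because a MAC address is supplied by the client, the address count is a quick way to see how much each range entry widens what the rule accepts.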
MAC Authentication Request Format
MAC Authentication Request is an enhancement to the current username and password format available in MSS for authentication through a RADIUS server. Changes to this feature allow for better interoperability with third-party vendors who may use different formats for MAC address authentication.
Configuration
A new parameter is available to configure a MAC address format to be sent as a username to a RADIUS server for MAC authentication. To configure the MAC address format with MSS, use the following command:
WX# set radius server name mac-addr-format {hyphens | colons | one-hyphen | raw}
For example:
WX# set radius server sp1 mac-addr-format ?
hyphens      12-34-56-78-9a-bc
colons       12:34:56:78:9a:bc
one-hyphen   123456-789abc
raw          123456789abc
You can also configure all RADIUS servers to use a specific MAC address format with the following command:
WX# set radius mac-addr-format {hyphens | colons | one-hyphen | raw}
User Attribute Enhancements
The RADIUS standard (RFC 2865) allows the attribute user-name to be returned as part of the access-accept handshake. The user-name string is used as the user-name for the session. MSS supports this functionality on the RADIUS server but not the WX local database. With the release of MSS and 3WXM Version 7.0, this attribute is now supported as part of the login session.
This attribute is particularly useful when the user-name is a MAC address for a MAC-authenticated session. When a different user name is configured for each session, then interpretation of the session information and the accounting logs is easier and simpler.
Configuration
A new command allows you to configure a user name as an attribute:
set user name attr user-name newname
WX# set mac-user 00:01:02:03:04:05 attr user-name johndoe
The new attribute has the same constraints that currently exist for the user name in the local database. The user-name attribute can be a maximum of 80 characters, including numbers and special characters. The user-name attribute can also be configured as part of a usergroup or mac-usergroup:
WX# set usergroup name attr user-name name
WX# set mac-usergroup name attr user-name name
The corresponding clear commands are also available:
WX# clear user name attr user-name
WX# clear user-group name attr user-name
WX# clear mac-usergroup name attr user-name
If configured, usernames are now part of display output such as display sessions:
WX# display sessions
User Name              Sess ID   IP or MAC Address   VLAN Name   Port/Radio
---------------------  --------  ------------------  ----------  ----------
engineering-05:0c:78   28*       10.7.255.2          yellow      5/1
engineering-79:86:73   29*       10.7.254.3          red         2/1
engineering-1a:68:78   30*       10.7.254.8          red         7/1
engineering-45:12:34   35*       10.9.254.7          blue        2/1
Since the session user name is replaced by the user-name attribute, the display sessions output displays this attribute as the user name for the session. When the attribute is obtained from a user group, the user name of all users in the group appears the same and you cannot differentiate between them. However, the MAC address is added to the user group name in the output.
Split Authentication and Authorization
With the implementation of this feature, a RADIUS server authenticates a user but authorization attributes are taken from the WX local user database. This is accomplished by including a Vendor Specific Attribute (VSA) in the RADIUS Accept response. When the WX receives the RADIUS Accept response, the WX uses the group name and attempts to match it to authorization attributes of a corresponding user group in the local user database.
For MSS Version 7.0, additional attributes must be configured on the RADIUS server. For the user-group name, specify a value consisting of a string 1-32 characters long. Additional values consist of Type - 26, Vendor ID - 43, Vendor Type - 9 (3Com VSA).
Attributes that appear in the RADIUS Access Accept response are added to the session attributes. If the Access Accept has a 3Com group-name VSA, the attributes from the corresponding user group in the local database are applied.
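To show what the group-name VSA looks like on the wire, the following added Python example (not 3Com code) encodes and parses it using the RFC 2865 Vendor-Specific layout with the Type 26, Vendor ID 43 and Vendor Type 9 values given above. The function names, the sample attribute bytes and the local group table are constructed for illustration, and returning no local attributes for an unknown group is an assumption.

```python
import struct

VSA_TYPE = 26            # RADIUS Vendor-Specific attribute (RFC 2865)
VENDOR_3COM = 43         # Vendor ID given in the text
GROUP_NAME_SUBTYPE = 9   # Vendor Type given in the text


def encode_group_vsa(group):
    """Build the Vendor-Specific attribute carrying a user-group name."""
    data = group.encode("ascii")
    if not 1 <= len(data) <= 32:
        raise ValueError("group name must be 1-32 characters")
    # Vendor sub-attribute: type, length (covers its own 2-byte header), data
    sub = bytes([GROUP_NAME_SUBTYPE, 2 + len(data)]) + data
    # Outer attribute: type, length, 4-byte vendor ID, sub-attribute
    return bytes([VSA_TYPE, 2 + 4 + len(sub)]) + struct.pack("!I", VENDOR_3COM) + sub


def iter_tlvs(buf):
    """Yield (type, value) pairs from a run of type/length/value attributes."""
    pos = 0
    while pos < len(buf):
        if len(buf) - pos < 2:
            raise ValueError("truncated attribute header")
        kind, length = buf[pos], buf[pos + 1]
        if length < 2 or pos + length > len(buf):
            raise ValueError("attribute length out of bounds")
        yield kind, buf[pos + 2:pos + length]
        pos += length


def extract_group_name(attributes):
    """Return the group name from the 3Com group-name VSA, or None if absent."""
    for kind, value in iter_tlvs(attributes):
        if kind != VSA_TYPE or len(value) < 4:
            continue
        (vendor,) = struct.unpack("!I", value[:4])
        if vendor != VENDOR_3COM:
            continue  # another vendor's VSA: leave its payload unparsed
        for subtype, data in iter_tlvs(value[4:]):
            if subtype == GROUP_NAME_SUBTYPE:
                if not 1 <= len(data) <= 32:
                    raise ValueError("group name must be 1-32 characters")
                return data.decode("ascii")
    return None


def authorize_from_local_db(attributes, local_groups):
    """Return (group, attrs): the VSA's group and its local-database attributes.

    Assumption: a group missing from the local table yields no attributes.
    """
    group = extract_group_name(attributes)
    if group is None:
        return None, {}
    return group, dict(local_groups.get(group, {}))


# Constructed sample: attribute section of an Access-Accept containing
# Session-Timeout (type 27), a VSA from a made-up vendor 99999, and the
# group-name VSA.
SAMPLE_ACCEPT_ATTRS = (
    bytes([27, 6]) + struct.pack("!I", 3600)
    + bytes([VSA_TYPE, 9]) + struct.pack("!I", 99999) + b"\x01\x03x"
    + encode_group_vsa("engineering")
)

# Constructed local user-group table; attribute names are from this summary.
LOCAL_GROUPS = {"engineering": {"simultaneous-logins": "2", "termination-action": "1"}}

if __name__ == "__main__":
    print(encode_group_vsa("engineering").hex())
    print(authorize_from_local_db(SAMPLE_ACCEPT_ATTRS, LOCAL_GROUPS))
```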
Enhancements to Location Policy Configuration
MSS Version 7.0 adds support for controlling wireless access during certain times of day—for example, to prevent university students from Internet surfing during a professor’s lecture. It also adds support for local customization of the redirection URL.
Configuration
To add location policy attributes using MSS, use the following commands:
WX# set location policy {deny | permit} if [time-of-day operator time-of-day]
RADIUS Ping Utility
This feature provides a RADIUS ping utility for troubleshooting if there are problems communicating with a RADIUS server. The radping command allows the WX to send an authentication request to a RADIUS server to determine if the server is active or offline. You must authenticate on the RADIUS server using MSCHAPv2 authentication.
Configuration
This command sends an authentication request with the specified username and password to the RADIUS server or RADIUS server group:
WX# radping {server servername | group servergroup} request authentication user username password password auth-type {plain | mschapv2}
This command sends an accounting request from the specified user to the specified server or server group:
WX# radping {server servername | group servergroup} request {acct-start | acct-stop | acct-update} user username
WX# radping {server servername | group servergroup} request {acct-on | acct-off}
Unique AP Number Support
As of today, APs can be numbered from 1 to the maximum number of APs configured on a WX. This numbering scheme may cause confusion when multiple WX appliances are configured on the network and the same AP can be identified by different numbers on different WXs. MSS 7.0 now allows APs to be numbered from 1 to 9999 on a network. However, there is no change to the maximum number of APs that can be configured on a WX.
Configuration
There are no changes to the CLI, except to allow a range of 1 to 9999 for apnum.
WX# set ap apnum
Bandwidth Management
Bandwidth management allows you to manage network traffic on your network by configuring certain traffic for higher priority over other traffic—for example, VoIP traffic over normal network traffic. You can configure this feature when you implement QoS profiles. You can configure bandwidth management on a per-SSID, per-user, or queuing weights basis.
You can control access to priority-based queues on a per-user basis, and also permit or deny access to certain queues configured for VoIP traffic. Managing radio time by “medium time” rather than packet count allows more efficient clients (high speed) to obtain higher data rates than less efficient clients. You can guarantee a minimum service level on a per-SSID basis and service providers can control access to the network uplink.
Configuration
The QoS profile contains a set of parameters that are applied to clients to assure a specific service level on the network. A QoS profile is an AAA attribute assigned to a client when the client associates on the network. Prior to this release, some QoS parameters were configured as part of the service profile attributes.
Static CoS assigns a value to all upstream and downstream packets. To configure static CoS for a QoS profile, use the following command:
WX# set qos-profile profile-name cos number
number is configured as an integer from 0 (highest) to 7 (lowest) priority. When static CoS is enabled, an ACL can override an upstream packet, but downstream packets are determined by the static CoS value.
The use-client-dscp attribute defines upstream packet classification. When disabled, non-WMM packets are marked best-effort. When enabled, upstream packets are marked based on the client DSCP value. To configure this attribute, use the following command:
WX# set qos-profile profile-name use-client-dscp [enable | disable]
You can configure maximum bandwidth (full duplex rate) for aggregates of access categories (AC) for a wireless client. Downstream packets are shaped and upstream packets are policed. The AP has one queue per AC and each queue is a finite size (
To configure SSID medium time weights, use the following command:
WX# set radio-profile profile-name weighted-fair-queuing service-profile-weight
You can configure SSID bandwidth limits to restrict traffic through a service profile. The configured limit is full duplex in increments of Kbps and is only enforced on transmitted packets. SSID weights do not restrict bandwidth unless the radio is congested. Therefore, you may choose SSID bandwidth limits over SSID weights because bandwidth limits place a measurable cap on bandwidth through the AP uplink. To configure bandwidth limits, use the following command:
WX# set service-profile profile-name max-bw [max-bw-kb]
max-bw-kb can be a value from 1 to 100000 Kbps with 0 as unlimited bandwidth.
Access categories (AC) can be configured to define access and classify traffic behavior. The default behavior allows a packet flow access to the AC matching the CoS. Downstream packets are classified on ingress to the AP. In some instances, access to a voice AC must be restricted. With legacy clients such as SVP, access to a voice AC can be blocked by configuring an AC for a QoS profile.
To configure an AC for a QoS profile, use the following command:
WX# set qos-profile profile-name access-category [background | best-effort | video | voice] [permit | demote]
Selecting demote has no effect on background ACs, and can override a static CoS configuration.
For example, using the following commands...
set qos-profile qp_voice cos 7
set qos-profile qp_data cos 0
set qos-profile qp_test max-bw 100
creates the following system behavior:
All users with the profile qp_voice are given voice priority on the network. All packets are forwarded through the voice AC and marked with CoS=7.
All users with the profile qp_data are given best effort priority. Packets are dropped if the bandwidth exceeds 1 Mbps. All packets are forwarded through the best-effort AC and marked with CoS=0.
All users with the profile qp_test use the AC based on packet CoS markings and ACLs. Bandwidth for all other ACs is not limited.
Total bandwidth for users with qp_test is limited to 100 Kbps.
To clear QoS profiles and configurations, use the following commands:
clear qos-profile profile-name cos
clear qos-profile profile-name use-client-dscp
clear qos-profile profile-name max-bw
clear qos-profile profile-name
Mesh Services Enhancements
Multi-hop is now available when configuring Mesh Services. The system can support up to 16 Mesh Portals with each Mesh Portal supporting a six-Mesh AP fan-out with a depth of four Mesh APs. Also, a single Mesh AP can perform two roles: Mesh Portal and Mesh Link.
Mesh Services reliability has been improved with the following enhancements:
Improved transmission of station session record.
Ability to manage link loss between Mesh Portals and Mesh APs.
Improved management of duplicate messages for SSR updates from multiple Mesh APs.
Mesh Portal selection has been improved by scanning for Mesh Link SSIDs and sorting them by RSSI values. The Mesh AP establishes a link using the RSSI values in descending order. If all attempts fail, the Mesh AP scans from the beginning of the table. After 60 seconds, if no link is established, the Mesh AP reboots.
If the Mesh Link is using a DFS channel, then the Mesh Link has a timeout of 140 seconds to allow for DFS channel assessment.
RF ScanningEnhancements
You can now use attributes to independently configure and controlscanning behaviors on radios. For example, a disabled radio does nottransmit or receive, and a radio that is scanning, but not providing radioservice to clients, is in sentry mode.
46 NEW FEATURES SUMMARY
-
8/9/2019 3com wc4400
46/751
You can also assign a weight to the scanning time on each radio. By assigning a weight to the scanning time, a higher proportion of time is spent on “operational” channels. This enhancement increases the probability that an event of interest is detected within a short time.
Configuration
New CLI commands are available to configure the radio in disabled or sentry mode:
WX# set ap apnum radio [1 | 2] mode [enable | sentry | disable]
WX# set radio-profile profile-name mode [enable | sentry | disable]
The attribute sentry allows longer dwell times on scanning channels than the enable mode. After configuring a radio for sentry mode, the countermeasures feature of MSS looks for any APs in sentry mode before those APs configured in other modes. Also, you cannot configure autotuning for radios configured in sentry mode.
The radio profile must be explicitly configured, since it is disabled by default. To configure RF scanning on radios with MSS 7.0, use the following command:
WX# set radio-profile profile-name rf-scanning mode [passive | active]
If you select passive mode, the radio scans once per predefined time, and audits packets on the wireless network. The default time is one second. If you select active mode, the radio actively sends probes to other channels and then audits the packets on the wireless network.
To configure the channel scope for RF scanning, use the following command:
WX# set radio-profile profile-name rf-scanning channel-scope [operating | regulatory | all]
When you select operating, only the current channel is scanned and audited. If you select regulatory, only regulatory channels are scanned and audited. If the radio is configured for 802.11b/g, the most commonly used channels, 1, 6, or 11, are scanned and audited more frequently. If you select all, all channels are scanned and audited.
AP LED behavior has changed to support this feature. If the AP is in sentry mode, the LEDs alternate between green and yellow/amber. If the radio is disabled, the LED is a solid yellow/amber color.
RF Detection Enhancements
RF Classification Rules
Modifications to the RF Detect List are required due to the complex nature of rogue detection and countermeasures. The naming of each list has changed as follows:
Table 4 RF Detect List Names
Old List Name    New List Name (or no longer supported)
Ignore List      Neighbor List
Attack List      Rogue List
Black List       Black List
SSID List        SSID List
Vendor List      (List no longer supported in MSS 7.0)
The ability to classify all types of RF devices is now available in 3WXM and MSS 7.0. This functionality addresses aggressive APs on the network that do not appear on the Vendor or SSID list. The enhancements allow full control over the classification of APs as rogue or suspect devices. The types of devices are now:
AP
Client
Ad hoc
Tag
Unknown
A new category of known devices is now available to distinguish between devices that are part of the mobility domain (members) and those allowed on the system (neighbors). The new list of classifications is as follows:
Table 5 Device Classifications
Old Classification    New Classification    Description of New Classification
None                  None                  Unclassified device on the network
Known                 Member                Device is part of a mobility domain
Known                 Neighbor              Device is part of a neighboring network and is nonthreatening
Interfering           Suspect               Device is detected on the network but is not part of a mobility domain, nor does it appear in a configured Vendor or SSID list
Rogue                 Rogue                 Device is identified as a threat on the network, either through a configured attack list or clients appearing in the forwarding database (FDB) of a WX.
Devices that were previously classified as interfering are now identified as suspect, because a suspect device may be potentially more threatening than an interfering device (but not as threatening as a rogue device).
Countermeasures Scaling and Resiliency in a Mobility Domain
The countermeasures feature has been updated for MSS 7.0. The ability to launch countermeasures is now assigned to each WX and RF data is no longer shared across the mobility domain. When an AP assigned to a WX sees a rogue on the network, the WX begins countermeasures against the rogue without relying on the WX seed configuration. This introduces localized FDB lookups and minimizes the amount of information shared across the mobility domain.
Configuration
The list of deprecated, changed, and new rfdetect commands for configuring RF classifications in MSS 7.0 is described in the New Features Summary section of the Wireless LAN Switch and Controller Command Reference Guide.
MSS display Command Enhancements
Various enhancements to the MSS 7.0 CLI’s display commands allow you to quickly and easily identify elements of the output generated by MSS. Refer to the New Features Summary section of the Wireless LAN Switch and Controller Command Reference Guide for more information.
1 USING THE COMMAND-LINE INTERFACE
Mobility System Software (MSS) operates a 3Com Mobility System wireless LAN (WLAN) consisting of 3Com Wireless Switch Manager software, Wireless LAN Switches (WX1200 or WXR100), Wireless LAN Controllers (WX4400 or WX2200), and Managed Access Points (MAPs). MSS has a command-line interface (CLI) on a WX switch that you can use to configure and manage the switch and its attached MAPs.
Overview
You configure the WX switch and MAPs primarily with set, clear, and display commands. Use set commands to change parameters. Use clear commands to reset parameters to their defaults. In many cases, you can overwrite a parameter with another set command. Use display commands to display the current configuration and monitor the status of network operations.
The WX switch supports two connection modes:
Administrative access mode, which enables the network administrator to connect to the WX and configure the network
Network access mode, which enables network users to connect through the WX to access the network
CLI Conventions
Be aware of the following MSS CLI conventions for command entry:
“Command Prompts”
“Syntax Notation”
“Text Entry Conventions and Allowed Characters”
“User Globs, MAC Address Globs, and VLAN Globs”
“Port Lists”
“Virtual LAN Identification”
Command Prompts
By default, the MSS CLI provides the following prompt for restricted users. The mmmm portion shows the WX model number (for example, 1200) and the nnnnnn portion shows the last 6 digits of the WX media access control (MAC) address.
WXmmmm >
After you become enabled as an administrative user by typing enable and supplying a suitable password, MSS displays the following prompt:
WXmmmm #
For information about changing the CLI prompt on a WX, see the set prompt command description in the Wireless LAN Switch and Controller Command Reference.
Syntax Notation
The MSS CLI uses standard syntax notation:
Bold monospace font identifies the command and keywords you must type. For example:
set enablepass
Italic monospace font indicates a placeholder for a value. For example, you replace vlan-id in the following command with a virtual LAN (VLAN) ID:
clear interface vlan-id ip
Curly brackets ({ }) indicate a mandatory parameter, and square brackets ([ ]) indicate an optional parameter. For example, you must enter dynamic or port and a port list in the following command, but a VLAN ID is optional:
clear fdb {dynamic | port port-list} [vlan vlan-id]
A vertical bar (|) separates mutually exclusive options within a list of possibilities. For example, you enter either enable or disable, not both, in the following command:
set port {enable | disable} port-list
Text Entry Conventions and Allowed Characters
Unless otherwise indicated, the MSS CLI accepts standard ASCII alphanumeric characters, except for tabs and spaces, and is case-insensitive.
The CLI has specific notation requirements for MAC addresses, IP addresses, and masks, and allows you to group usernames, MAC addresses, virtual LAN (VLAN) names, and ports in a single command.
3Com recommends that you do not use the same name with different capitalizations for VLANs or access control lists (ACLs). For example, do not configure two separate VLANs with the names red and RED.
The CLI does not support the use of special characters including the following in any named elements such as SSIDs and VLANs: ampersand (&), angle brackets (< >), number sign (#), question mark (?), or quotation marks (“”).
In addition, the CLI does not support the use of international characters such as the accented É in DÉCOR.
MAC Address Notation
MSS displays MAC addresses in hexadecimal numbers with a colon (:) delimiter between bytes—for example, 00:01:02:1a:00:01. You can enter MAC addresses with either hyphen (-) or colon (:) delimiters, but colons are preferred.
For shortcuts:
You can exclude leading zeros when typing a MAC address. MSS displays of MAC addresses include all leading zeros.
In some specified commands, you can use the single-asterisk (*) wildcard character to represent an entire MAC address or from 1 byte to 5 bytes of the address. (For more information, see “MAC Address Globs” on page 55.)
IP Address and Mask Notation
MSS displays IP addresses in dotted decimal notation—for example, 192.168.1.111. MSS makes use of both subnet masks and wildcard masks.
Subnet Masks
Unless otherwise noted, use classless interdomain routing (CIDR) format to express subnet masks—for example, 192.168.1.112/24. You indicate the subnet mask with a forward slash (/) and specify the number of bits in the mask.
Wildcard Masks
Security access control lists (ACLs) use source and destination IP addresses and wildcard masks to determine whether the WX filters or forwards IP packets. Matching packets are either permitted or denied network access. The ACL checks the bits in IP addresses that correspond to any 0s (zeros) in the mask, but does not check the bits that correspond to 1s (ones) in the mask. You specify the wildcard mask in dotted decimal notation.
For example, the address 10.0.0.0 and mask 0.255.255.255 match all IP addresses that begin with 10 in the first octet.
The ACL mask must be a contiguous set of zeroes starting from the first bit. For example, 0.255.255.255, 0.0.255.255, and 0.0.0.255 are valid ACL masks. However, 0.255.0.255 is not a valid ACL mask.
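The wildcard-mask rules above, as an added Python example that is not code from this guide or from MSS: it enforces the contiguity rule (which also catches a subnet mask typed where a wildcard mask belongs), applies a mask to a packet address, and rewrites an address/mask pair in CIDR form for cross-checking. The function names are hypothetical, and accepting an all-ones mask as "match any" is an assumption.

```python
import ipaddress

FULL = 0xFFFFFFFF


def wildcard_to_int(mask: str) -> int:
    """Parse a dotted-decimal wildcard mask, enforcing the contiguity rule."""
    value = int(ipaddress.IPv4Address(mask))
    # Zeros from the first bit followed only by ones means value == 2**k - 1,
    # so value + 1 shares no set bit with value.
    if value & (value + 1):
        raise ValueError(f"{mask}: zero bits are not contiguous from the first bit")
    return value


def is_valid_wildcard(mask: str) -> bool:
    """True when the mask parses and satisfies the contiguity rule."""
    try:
        wildcard_to_int(mask)
        return True
    except ValueError:
        return False


def acl_matches(packet_ip: str, acl_ip: str, mask: str) -> bool:
    """Compare only the bit positions where the wildcard mask holds a 0."""
    checked = ~wildcard_to_int(mask) & FULL
    diff = int(ipaddress.IPv4Address(packet_ip)) ^ int(ipaddress.IPv4Address(acl_ip))
    return (diff & checked) == 0


def as_cidr(acl_ip: str, mask: str) -> str:
    """Rewrite an address/wildcard pair in the CIDR form used for subnet masks."""
    wild = wildcard_to_int(mask)
    network = int(ipaddress.IPv4Address(acl_ip)) & ~wild & FULL
    return f"{ipaddress.IPv4Address(network)}/{32 - bin(wild).count('1')}"


if __name__ == "__main__":
    # Masks from the text, plus a subnet mask entered by mistake (constructed).
    for m in ("0.255.255.255", "0.0.255.255", "0.0.0.255",
              "0.255.0.255", "255.255.255.0"):
        print(f"{m:16} valid={is_valid_wildcard(m)}")
    print(acl_matches("10.20.30.40", "10.0.0.0", "0.255.255.255"))
    print(as_cidr("10.0.0.0", "0.255.255.255"))
```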
User Globs, MAC Address Globs, and VLAN Globs
Name “globbing” is a way of using a wildcard pattern to expand a single element into a list of elements that match the pattern. MSS accepts user globs, MAC address globs, and VLAN globs. The order in which globs appear in the configuration is important, because once a glob is matched, processing stops on the list of globs.
User Globs
A user glob is a shorthand method for matching an authentication, authorization, and accounting (AAA) command to either a single user or a set of users.
A user glob can be up to 80 characters long and cannot contain spaces or tabs. The double-asterisk (**) wildcard characters with no delimiter characters match all usernames. The single-asterisk (*) wildcard character matches any number of characters up to, but not including, a delimiter character in the glob. Valid user glob delimiter characters are the at (@) sign and the period (.).
For example, in Table 6, the following globs identify the following users:
Table 6 User Globs
User Glob                    User(s) Designated
jose@example.com             User jose at example.com
*@example.com                All users at example.com whose usernames do not contain periods—for example, [email protected] and [email protected], but not nin.wong@example.com, because nin.wong contains a period
*@marketing.example.com      All marketing users at example.com whose usernames do not contain periods
*.*@marketing.example.com    All marketing users at example.com whose usernames contain a period
*                            All users with usernames that have no delimiters
EXAMPLE\*                    All users in the Windows Domain EXAMPLE with usernames that have no delimiters
EXAMPLE\*.*                  All users in the Windows Domain EXAMPLE whose usernames contain a period
**                           All users
MAC Address Globs
A media access control (MAC) address glob is a similar method for matching some authentication, authorization, and accounting (AAA) and forwarding database (FDB) commands to one or more 6-byte MAC addresses. In a MAC address glob, you can use a single asterisk (*) as a wildcard to match all MAC addresses, or as follows to match from 1 byte to 5 bytes of the MAC address:
00:*
00:01:*
00:01:02:*
00:01:02:03:*
00:01:02:03:04:*
For example, the MAC address glob 02:06:8c* represents all MAC addresses starting with 02:06:8c. Specifying only the first 3 bytes of a MAC address allows you to apply commands to MAC addresses based on an organizationally unique identity (OUI).
VLAN Globs
A VLAN glob is a method for matching one of a set of local rules on a WX switch, known as the location policy, to one or more users. MSS compares the VLAN glob, which can optionally contain wildcard characters, against the VLAN-Name attribute returned by AAA, to determine whether to apply the rule.
To match all VLANs, use the double-asterisk (**) wildcard characters with no delimiters. To match any number of characters up to, but not including, a delimiter character in the glob, use the single-asterisk (*) wildcard. Valid VLAN glob delimiter characters are the at (@) sign and the period (.).
For example, the VLAN glob bldg4.* matches bldg4.security and bldg4.hr and all other VLAN names with bldg4. at the beginning.
Matching Order for Globs
In general, the order in which you enter AAA commands determines the order in which MSS matches the user, MAC address, or VLAN to a glob. To verify the order, view the output of the display aaa or display config command. MSS checks globs that appear higher in the list before items lower in the list and uses the first successful match.
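The user and VLAN glob rules and the first-match ordering described above, as an added Python example that is not code from this guide or from MSS: it reports globs that can never take effect for a set of names because a broader glob sits earlier in the list. The function names, sample usernames and glob orderings are constructed, and treating * as matching zero or more characters is an assumption.

```python
import re

# Any run of characters that stops at a glob delimiter (@ or .).
# Assumption: "any number of characters" includes zero.
SEGMENT = r"[^@.]*"


def glob_matches(glob: str, name: str) -> bool:
    """Match a user or VLAN name against a glob using the rules in the text."""
    # The guide states the length and whitespace limits for user globs.
    if len(glob) > 80 or " " in glob or "\t" in glob:
        raise ValueError("glob must be at most 80 characters, without spaces or tabs")
    if glob == "**":  # double asterisk with no delimiters: matches everything
        return True
    pattern = "".join(SEGMENT if ch == "*" else re.escape(ch) for ch in glob)
    return re.fullmatch(pattern, name) is not None


def first_match(globs, name):
    """Return the first glob in list order that matches; matching stops there."""
    return next((g for g in globs if glob_matches(g, name)), None)


def shadowed(globs, sample_names):
    """Globs that match some sample name yet never win first-match for any."""
    winners = {first_match(globs, n) for n in sample_names}
    return [g for g in globs
            if g not in winners and any(glob_matches(g, n) for n in sample_names)]


# Constructed sample names, not taken from a real deployment.
SAMPLES = ["jose@example.com", "nin.wong@example.com",
           "pat@marketing.example.com", "EXAMPLE\\lee"]

# The same three globs in two orders (constructed).
BROAD_FIRST = ["**", "*@marketing.example.com", "EXAMPLE\\*"]
SPECIFIC_FIRST = ["*@marketing.example.com", "EXAMPLE\\*", "**"]

if __name__ == "__main__":
    for order in (BROAD_FIRST, SPECIFIC_FIRST):
        print(order, "-> shadowed:", shadowed(order, SAMPLES))
```

Running the check against the glob order taken from display aaa or display config output shows which rules are masked before they are relied on for access decisions.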
Port Lists
The physical Ethernet ports on a WX can be set for connection to MAPs, authenticated wired users, or the network backbone. You can include a single port or multiple ports in one MSS CLI command by using the appropriate list format.
The ports on a WX are numbered 1 through as high as 22, depending on the WX model. No port 0 exists on the WX. You can include a single port or multiple ports in a command that includes port port-list. Use one of the following formats for port-list:
A single port number. For example:
WX1200# set port enable 6
A comma-separated list of port numbers, with no spaces. For example:
WX1200# display port poe 1,2,4,6
A hyphen-separated range of port numbers, with no spaces. For example:
WX1200# reset port 1-8
Any combination of single numbers, lists, and ranges. Hyphens take precedence over commas. For example:
WX1200# display port status 1-3,5
Virtual LAN Identification
The names of virtual LANs (VLANs), which are used in Mobility Domain™ communications, are set by you and can be changed. In contrast, VLAN ID numbers, which the WX switch uses locally, are determined when the VLAN is first configured and cannot be changed. Unless otherwise indicated, you can refer to a VLAN by either its VLAN name or its VLAN number. CLI set and display commands use a VLAN’s name or number to uniquely identify the VLAN within the WX switch.
Command-Line Editing
MSS editing functions are similar to those of many other network operating systems.
Keyboard Shortcuts
Table 7 lists the keyboard shortcuts available for entering and editing CLI commands.
Table 7 CLI Keyboard Shortcuts
Keyboard Shortcut(s)           Function
Ctrl+A                         Jumps to the first character of the command line.
Ctrl+B or Left Arrow key       Moves the cursor back one character.
Ctrl+C                         Escapes and terminates prompts and tasks.
Ctrl+D                         Deletes the character at the cursor.
Ctrl+E                         Jumps to the end of the current command line.
Ctrl+F or Right Arrow key      Moves the cursor forward one character.
Ctrl+K                         Deletes from the cursor to the end of the command line.
Ctrl+L or Ctrl+R               Repeats the current command line on a new line.
Ctrl+N or Down Arrow key       Enters the next command line in the history buffer.
Ctrl+P or Up Arrow key         Enters the previous command line in the history buffer.
Ctrl+U or Ctrl+X               Deletes characters from the cursor to the beginning of the command line.
Ctrl+W                         Deletes the last word typed.
Esc B                          Moves the cursor back one word.
Esc D                          Deletes characters from the cursor forward to the end of the word.
Delete key or Backspace key    Erases mistake made during command entry. Reenter the command after using this key.
History Buffer
The history buffer stores the last 63 commands you entered during a terminal session. You can use the Up Arrow and Down Arrow keys to select a command that you want to repeat from the history buffer.
Tabs
The MSS CLI uses the Tab key for command completion. You can type the first few characters of a command and press the Tab key to display the command(s) that begin with those characters. For example:
WX1200# display i
ifm          display interfaces maintained by the interface manager
igmp         display igmp information
interface    display interfaces
ip           display ip information
Single-Asterisk (*) Wildcard Character
You can use the single-asterisk (*) wildcard character in globbing. (For details, see “User Globs, MAC Address Globs, and VLAN Globs” on page 54.)
Double-Asterisk (**) Wildcard Characters
The double-asterisk (**) wildcard character matches all usernames. For details, see “User Globs” on page 54.
Using CLI Help
The CLI provides online help. To see the full range of commands available at your access level, type the following command:
WX1200# help
Commands:
-----------------------------------------------------------------------
clear      Clear, use 'clear help' for more information
commit     Commit the content of the ACL table
copy       Copy from filename (or url) to filename (or url)
crypto     Crypto, use 'crypto help' for more information
delete     Delete url
dir        display list of files on flash device
disable    Disable privileged mode
display    Display, use 'display help' for more information
help       display this help screen
history    display contents of histo