Nortel 2300 Series Reference

WLAN Security Switch Command Line Reference

Nortel WLAN Security
Switch 2300 Series
Command Line
Reference
Part No. NN47250-100
June 2008
4655 Great America Parkway
Santa Clara, CA 95054


Summary of Contents for Nortel 2300 Series

  • Page 1: Command Line Reference

    Nortel WLAN Security Switch 2300 Series Command Line Reference Part No. NN47250-100 June 2008 4655 Great America Parkway Santa Clara, CA 95054...
  • Page 2: Restricted Rights Legend

    In the interest of improving internal design, operational function, and/or reliability, Nortel Networks reserves the right to make changes to the products described in this document without notice. Nortel Networks does not assume any liability that may occur due to the use or application of the product(s) or circuit layout(s) described herein.
  • Page 3 Software. 1.Licensed Use of Software. Nortel Networks grants Customer a nonexclusive license to use a copy of the Software on only one machine at any one time or to the extent of the activation or authorized usage level, whichever is applicable. To the extent Software is furnished for use with designated hardware or Customer furnished equipment (“CFE”), Customer...
  • Page 4: Legal Information

    90 Days from time of purchase. Nortel requires purchasing the software subscription if a customer would like to receive new versions of Nortel WLAN—Security Switch 2300 Series and Nortel WLAN — Management System software. This limited warranty extends only to you the original purchaser of the Product.
  • Page 5 PRODUCT WILL BE CORRECTED. SOME STATES/JURISDICTIONS DO NOT ALLOW THE EXCLUSION OF IMPLIED WARRANTIES SO THE ABOVE EXCLUSIONS MAY NOT APPLY TO END CUSTOMER. THIS LIMITED WARRANTY GIVES END CUSTOMER SPECIFIC LEGAL RIGHTS. Nortel WLAN—Security Switch 2300 Series Command Line Reference...
  • Page 6: Software License Agreement

    END CUSTOMER MAY ALSO HAVE OTHER RIGHTS, WHICH VARY FROM STATE/JURISDICTION TO STATE/JURISDICTION. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT SHALL NORTEL OR ITS SUPPLIERS BE LIABLE FOR THE COST OF PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES, LOSS OF PROFITS, OR FOR ANY SPECIAL, CONSEQUENTIAL, INCIDENTAL, PUNITIVE OR INDIRECT DAMAGES (OR DIRECT DAMAGES IN THE CASE OF NORTEL’S SUPPLIERS) ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, TORT (INCLUDING...
  • Page 7 U.S. Government shall be governed solely by the terms of this Agreement and shall be prohibited except to the extent expressly permitted by the terms of this Agreement. Any technical data provided Nortel WLAN—Security Switch 2300 Series Command Line Reference...
  • Page 8 that is not covered by the above provisions shall be deemed “technical data-commercial items” pursuant to DFAR section 227.7015(a). Any use, modification, reproduction, release, performance, display or disclosure of such technical data shall be governed by the terms of DFAR section 227.7015(b). Limitation of Liability.
  • Page 9 THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. Nortel WLAN—Security Switch 2300 Series Command Line Reference...
  • Page 10 NN47250-100 (Version 02.51)
  • Page 11: Table Of Contents

    Quality of Service Commands ....... . 93 Nortel WLAN—Management Software 2300 Series Reference Guide...
  • Page 12 IP Services Commands ........97 AAA Commands.
  • Page 13: How To Get Help

    Getting help through a Nortel distributor or reseller If you purchased a service contract for your Nortel product from a distributor or authorized reseller, contact the technical support staff for that distributor or reseller. Nortel WLAN—Security Switch 2300 Series Command Line Reference...
  • Page 14 14 How to get help NN47250-100 (Version 02.51)
  • Page 15: Introducing The Nortel Wlan 2300 System

    WSS • WLAN Security Switch 2300 Series (WSS Software)—The operating system that runs all WSSs and APs in a WLAN, and is accessible through a command-line interface (CLI), the Web View interface, or the WLAN Management Software GUI Nortel WLAN—Security Switch 2300 Series Command Line Reference...
  • Page 16: Documentation

    Nortel WLAN Management Software 2300 Series Reference WLAN Management Software planning, configuration, and management features. Installation • Nortel WLAN—Security Switch 2300 Series Installation and Basic Configuration specifications for installing a WSS • Nortel WLAN—Security Switch 2300 Series Quick Start (802.1X) and guest (Web-based AAA) access, and for configuring a Mobility Domain for roaming •...
  • Page 17: Safety And Advisory Notices

    The following kinds of safety and advisory notices appear in this manual. Caution! This situation or condition can lead to data loss or damage to the product or other property. Note. This information is of special interest. Nortel WLAN—Security Switch 2300 Series Command Line Reference...
  • Page 18: Text And Syntax Conventions

    Text and Syntax Conventions Nortel manuals use the following text and syntax conventions: Convention Monospace text Bold text Italic text Menu Name > Command [ ] (square brackets) { } (curly brackets) | (vertical bar) NN47250-100 (Version 02.51) Sets off command syntax or sample commands and system responses.
  • Page 19: Using The Command-Line Interface

    Understanding Command Descriptions ......17 WLAN Security Switch 2300 Series (WSS Software) operates a Nortel WLAN 2300 System wireless LAN (WLAN) consisting of WLAN Management Software, WLAN—Security Switch (WSS), and Access Points (APs).
  • Page 20: Command Prompts

    By default, the WSS Software CLI provides the following prompt for restricted users. The mm portion shows the WSS model number (for example, 2360) and the nnnnnn portion shows the last 6 digits of the switch’s media access control (MAC) address.
  • Page 21: Syntax Notation

    SSIDs and VLANs: ampersand (&), angle brackets (< >), number sign (#), question mark (?), or quotation marks (“”). In addition, the CLI does not support the use of international characters such as the accented É in DÉCOR. Nortel WLAN—Security Switch 2300 Series Command Line Reference...
  • Page 22: Mac Address Notation

    MAC Address Notation WSS Software displays MAC addresses in hexadecimal numbers with a colon (:) delimiter between bytes—for example, 00:01:02:1a:00:01. You can enter MAC addresses with either hyphen (-) or colon (:) delimiters, but colons are preferred. For shortcuts: • You can exclude leading zeros when typing a MAC address.
  • Page 23: Mac Address Wildcards

    WSS Software compares the VLAN wildcard, which can optionally contain wildcard characters, against the VLAN-Name attribute returned by AAA, to determine whether to apply the rule. Nortel WLAN—Security Switch 2300 Series Command Line Reference User(s) Designated User jose at example.com...
  • Page 24: Matching Order For Wildcards

    The ports on a WSS are numbered 1 through 22. No port 0 exists on the switch. You can include a single port or multiple ports in a command that includes port port-list. Use one of the following formats for port-list: •...
  • Page 25: Command-Line Editing

    The history buffer stores the last 63 commands you entered during a terminal session. You can use the Up Arrow and Down Arrow keys to select a command that you want to repeat from the history buffer. Nortel WLAN—Security Switch 2300 Series Command Line Reference Function Jumps to the first character of the command line.
  • Page 26: Using Cli Help

    Tabs The WSS Software CLI uses the Tab key for command completion. You can type the first few characters of a command and press the Tab key to display the command(s) that begin with those characters. For example: WSS# show i <Tab> Show interfaces maintained by the interface manager igmp Show igmp information...
  • Page 27: Understanding Command Descriptions

    ---------------------------------- Enabled Understanding Command Descriptions Each command description in the Nortel WLAN Security Switch 2300 Series Command Reference contains the following elements: • A command name, which shows the keywords but not the variables. For example, the following command name...
  • Page 28 28 Using the Command-Line Interface NN47250-100 (Version 02.51)
  • Page 29: Access Commands

    Access Commands Use access commands to control access to the WLAN Security Switch 2300 Series (WSS Software) (CLI). This chapter presents access commands alphabetically. Use the following table to locate commands in this chapter based on their use. Access Privileges disable Changes the CLI session from enabled mode to restricted access.
  • Page 30: Set Enablepass

    See Also • set enablepass on page 20 • set confirm on page 60 quit Exit from the CLI session. Syntax quit Defaults None. Access All. Examples To end the administrator’s session, type the following command: WSS> quit set enablepass Sets the password that provides enabled access (for configuration and monitoring) to the WSS.
  • Page 31 See Also • disable on page 19 • enable on page 19 Nortel WLAN—Security Switch 2300 Series Command Line Reference...
  • Page 32 32 Access Commands NN47250-100 (Version 02.51)
  • Page 33: Port Commands

    Speed Autonegotiation SNMP Port Groups Port Mirroring Nortel WLAN—Security Switch 2300 Series Command Line Reference set port type ap on page 41 set ap on page 33 set port type wired-auth on page 44 clear port type on page 27...
  • Page 34: Clear Port Counters

    Statistics clear ap Caution! When you clear an AP, WSS Software ends user sessions that are using the Removes an AP. Syntax clear ap ap-num ap-num Defaults None. Access Enabled. Examples The following command clears AP 1: WSS# clear ap 1 This will clear specified AP devices.
  • Page 35: Clear Port-Group

    Examples The following command disables the copper interface and reenables the fiber interface on port 2: 2380# clear port media-type 2 Nortel WLAN—Security Switch 2300 Series Command Line Reference Name of the port group. List of physical ports. WSS Software disables the copper interface and...
  • Page 36: Clear Port Mirror

    Syntax clear port mirror Defaults None. Access Enabled. History Introduced in WSS Software Version 4.1. Examples The following command clears the port mirroring configuration from the switch: WSS# clear port mirror See Also • set port mirror on page 37 •...
  • Page 37: Clear Port Type

    Internet Group Management Protocol (IGMP) snooping Access point and radio parameters Maximum user sessions Nortel WLAN—Security Switch 2300 Series Command Line Reference List of physical ports. WSS Software resets and removes the configuration from all the specified ports. Table 1: Network Port Defaults Setting None.
  • Page 38: Monitor Port Counters

    Examples The following command clears port 5: WSS# clear port type 5 This may disrupt currently authenticated users. Are you sure? (y/n) [n]y success: change accepted. See Also • set port type ap on page 41 • set port type wired-auth on page 44 monitor port counters Displays and continually updates port statistics.
  • Page 39 Rx Unicast Rx NonUnicast =============================================================================== 1 Up 54620 62144 Nortel WLAN—Security Switch 2300 Series Command Line Reference Effect on Monitor Display Advances to the next statistic type. Exits the monitor. WSS Software stops displaying the statistics and displays a new command prompt.
  • Page 40 Table 3 describes the port statistics displayed by each statistics option. The Port and Status fields are displayed for each option. Table 3: Output for monitor port counters Statistics Option Field Displayed for All Options Port Status octets Rx Octets Tx Octets packets Rx Unicast...
  • Page 41 Rx 127 Rx 255 Rx 511 Rx 1023 Rx 1518 Nortel WLAN—Security Switch 2300 Series Command Line Reference Description Number of frames transmitted by the port that had the correct length but contained an invalid FCS value. Number of frames transmitted by the port that were fewer than 64 bytes long.
  • Page 42: Reset Port

    Usage The reset command disables the port’s link and PoE (if applicable) for at least 1 second, then reenables them. This behavior is useful for forcing an AP that is connected to two WSSs to reboot over the link to the other switch. Examples The following command resets port 5: WSS# reset port 5 NN47250-100 (Version 02.51)
  • Page 43 {2330 | 2330A | 2330B | 2332-A1 | 2332-A2 | 2332-A3 | 2332-A4 | 2332-A5 | 2332-A6 | 2332-E1 | 2332-E2 | 2332-E3 | 2332-E4 | 2332-E5 |2332-E6 | 2332-E7 | 2332-E8 | 2332-E9 | 2332-J1 } [radiotype {11a | 11b| 11g}] Nortel WLAN—Security Switch 2300 Series Command Line Reference...
  • Page 44 ap-num serial-id serial-ID model {2330 | 2330A | 2330B | 2332-A1 | 2332-A2 | 2332-A3 | 2332-A4 | 2332-A5 | 2332-A6 | 2332-E1 | 2332-E2 | 2332-E3 | 2332-E4 | 2332-E5 |2332-E6 | 2332-E7 | 2332-E8 | 2332-E9 | 2332-J1} radiotype 11a | 11b | 11g Defaults The default values are the same as the defaults for the set port type ap command.
  • Page 45: Set Port

    32 set port-group Configures a load-sharing port group. All ports in the group function as a single logical link. Nortel WLAN—Security Switch 2300 Series Command Line Reference Enables the specified ports. Disables the specified ports. List of physical ports. WSS Software disables or reenables all the...
  • Page 46: Set Port Media-Type

    Syntax set port-group name group-name port-list mode {on | off} name group-name port-list mode Defaults Once configured, a group is enabled by default. Access Enabled. Usage Do not use dashes or hyphens in a port group name. If you do, WSS Software will not display or save the port group.
  • Page 47: Set Port Mirror

    History Introduced in WSS Software Version 4.1. Usage The switch can have one port mirroring pair (one source port and one observer port) at a time. The source port can be a network port, AP access port, or wired authentication port. However, the observer port must be a network port, and cannot be a member of any VLAN or port group.
  • Page 48: Set Port Name

    Examples The following command sets port 2 to monitor port 1’s traffic: WSS# set port 1 observer 2 See Also • clear port mirror on page 26 • show port mirror on page 49 set port name Assigns a name to a port. After naming a port, you can use the port name or number in other CLI commands. Syntax set port port name name port...
  • Page 49: Set Port Negotiation

    <portnum> poe {enable|disable} port-list enable disable Nortel WLAN—Security Switch 2300 Series Command Line Reference List of physical ports. WSS Software disables or reenables autonegotiation on all the specified ports. Enables autonegotiation on the specified ports. Disables autonegotiation on the specified ports.
  • Page 50: Set Port Speed

    Usage This command does not apply to any gigabit Ethernet ports or to ports 7 and 8 on the 2360 and 2382 switch. Examples The following command disables PoE on ports 7 and 9, which are connected to an AP:...
  • Page 51: Set Port Trap

    (enable or disable) of the port. Use the WSS’s PoE to power Nortel APs only. If you enable PoE on a port connected to another device, physical damage to the device can result. Nortel WLAN—Security Switch 2300 Series Command Line Reference List of physical ports.
  • Page 52 Note. Before configuring a port as an AP port, you must use the set system countrycode command to set the IEEE 802.11 country-specific regulations on the WSS. See set system countrycode on page 63. Note. For Series 2332 access points, be sure the system country code is supported for the selected access point model.
  • Page 53 Port groups IGMP snooping Maximum user sessions This command does not apply to any gigabit Ethernet ports or to ports 7 and 8 on the 2360/2361 switch and port 3 on the 2382. Nortel WLAN—Security Switch 2300 Series Command Line Reference...
  • Page 54: Set Port Type Wired-Auth

    To manage an AP on a switch model that does not have 10/100 Ethernet ports, use the set ap command to configure an AP connection on the switch. Examples The following commands set port 2 for AP model 2330, enable PoE on the port, and specify external antenna model 24453 for the 802.11b/g radio:...
  • Page 55 Port groups IGMP snooping Maximum user sessions Fallthru authentication type Nortel WLAN—Security Switch 2300 Series Command Line Reference List of physical ports. One or more numbers between 1 and 4094 that subdivide a wired authentication port into virtual ports. Maximum number of simultaneous user sessions supported.
  • Page 56: Show Port Counters

    For 802.1X clients, wired authentication works only if the clients are directly attached to the wired authentication port, or are attached through a hub that does not block forwarding of packets from the client to the PAE group address (01:80:c2:00:00:03). Wired authentication works in accordance with the 802.1X specification, which prohibits a client from sending traffic directly to an authenticator’s MAC address until the client is authenticated.
  • Page 57: Show Port-Group

    Table 6: Output for show port-group Field Port group Ports Nortel WLAN—Security Switch 2300 Series Command Line Reference Tx Octets 34886544 Displays information for the specified port group. Description Name and state (enabled or disabled) of the port group.
  • Page 58: Show Port Media-Type

    See Also • clear port-group on page 25 • set port-group on page 35 show port media-type Displays the enabled interface types on a 2380 switch’s gigabit Ethernet ports. Syntax show port media-type [port-list] port-list Defaults None. Access All. History Introduced in WSS Software Version 4.0.
  • Page 59: Show Port Mirror

    ============================================================================== down down down down down down down Nortel WLAN—Security Switch 2300 Series Command Line Reference List of physical ports. If you do not specify a port list, PoE information is displayed for all ports. config Draw disabled disabled disabled...
  • Page 60 10 10 11 11 down 12 12 down 13 13 down 14 14 down 15 15 down 16 16 down 17 17 down 18 18 down 19 19 down 20 20 down 21 21 down 22 22 down Table 8 describes the fields in this display.
  • Page 61: Show Port Status

    Table 9: Output for show port status Field Port Name Nortel WLAN—Security Switch 2300 Series Command Line Reference List of physical ports. If you do not specify a port list, information is displayed for all ports. Config Actual...
  • Page 62 Table 9: Output for show port status (continued) Field Admin Oper Config Actual Type Media See Also • clear port type on page 27 • set port on page 35 • set port name on page 38 • set port negotiation on page 39 •...
  • Page 63: System Services Commands

    System Services Commands Use system services commands to configure and monitor system information for a WLAN—Security Switch (WSS). This chapter presents system services commands alphabetically. Use the following table to locate commands in this chapter based on their use. Configuration...
  • Page 64: Clear Banner Motd

    Technical Support clear banner motd Deletes the message-of-the-day (MOTD) banner that is displayed before the login prompt for each CLI session on the WSS. Syntax clear banner motd Defaults None. Access Enabled. Examples To clear a banner, type the following command: WSS# clear banner motd success: change accepted Note.
  • Page 65: Clear Prompt

    Access Enabled. History Version 4.1 Option idle-timeout added. Nortel WLAN—Security Switch 2300 Series Command Line Reference 10.) Resets the name of contact person for the WSS to null. Resets the country code for the WSS to null. Resets the number of seconds a CLI management session can remain idle to the default value (3600 seconds).
  • Page 66 Examples To clear the location of the WSS, type the following command: WSS# clear system location success: change accepted. See Also • set system contact on page 62 • set system countrycode on page 63 • set system idle-timeout on page 64 •...
  • Page 67: Set Auto-Config

    If you run this command on a switch that already has a configuration, the configuration will be erased. In addition, error messages such as Critical AP Notice for directly connected APs can appear.
  • Page 68 To use the auto-config option with a new (unconfigured) 2350, insert a paperclip or similar object into the 2350’s factory reset hole to press the switch. The factory reset switch must be held for about 3 seconds while the factory reset LED (the right LED above port 1) is lit.
  • Page 69: Set Banner Motd

    Do not use the following characters with commands in which you set text to be displayed on the WSS, such as message-of-the-day (MOTD) banners: • Ampersand (&) • Angle brackets (< >) • Double quotation marks (“”) Nortel WLAN—Security Switch 2300 Series Command Line Reference...
  • Page 70: Set Confirm

    • Number sign (#) • Question mark (?) • Single quotation mark (') Examples To create a banner that says Update meeting at 3 p.m., type the following command: WSS# set banner motd ^Update meeting at 3 p.m.^ success: change accepted. See Also •...
  • Page 71: Set License

    WSS# set license 3B02-D821-6C19-CE8B-F20E success: license accepted Nortel WLAN—Security Switch 2300 Series Command Line Reference Number of lines of text to display between paging prompts. You can specify from 0 to 512. The 0 value disables the paging prompt action entirely.
  • Page 72: Set Prompt

    See Also show licenses on page 67 set prompt Changes the CLI prompt for the WSS to a string you specify. Syntax set prompt string string Alphanumeric string up to 32 characters long. To include spaces in the prompt, you must enclose the string in double quotation marks (“”).
  • Page 73: Set System Countrycode

    23x0#set system country code CA success: change accepted. Nortel WLAN—Security Switch 2300 Series Command Line Reference For the two-letter country code, refer to the approved list of country codes "Approved Countries for the WLAN 2300 Series Components" http://www.nortel.com/support located at http://www.nortel.com/support...
  • Page 74: Set System Idle-Timeout

    For Series 2332 access points, be sure the system country code is supported for the selected access point model. set system idle-timeout Specifies the maximum number of seconds a CLI management session with the switch can remain idle before WSS Software terminates the session. Syntax...
  • Page 75: Set System Location

    Usage You cannot include spaces in the system location string. To view the system location string, type the show system command. Examples To store the location of the WSS in the switch’s configuration, type the following command: WSS# set system location first-floor-bldg3 success: change accepted.
  • Page 76: Set System Name

    See Also • clear system on page 55 • set system contact on page 62 • set system name on page 66 • show system on page 68 set system name Changes the name of the WSS from the default system name and also provides content for the CLI prompt, if you do not specify a prompt.
  • Page 77: Show Banner Motd

    See Also • clear banner motd on page 54 show licenses Displays information about the license key(s) currently installed on a 2380 or 2382 switch. Syntax show licenses Defaults None. Access All. Usage This command applies only to the 2380 or 2382.
  • Page 78: Show System

    See Also show system on page 68 show system Displays system information. Syntax show system Defaults None. Access Enabled. History Version 4.0 License field removed. To display license information, use the show license command. Examples To show system information, type the following command: WSS# show system ============================================================================== Product Name:...
  • Page 79 50° C (32° F to 122° F). • Alarm—Temperature is above or below the acceptable range. WSS Software sends an alert to the system log every 5 minutes until this condition is corrected. Nortel WLAN—Security Switch 2300 Series Command Line Reference Table 1: show system output...
  • Page 80: Show Tech-Support

    Table 1: show system output (continued) Field Description PSU Status Status of the lower and upper power supply units: • missing—Power supply is not installed or is inoperable. • DC ok—Power supply is producing DC power. • DC output failure—Power supply is not producing DC power. WSS Software sends an alert to the system log every 5 minutes until this condition is corrected.
  • Page 81 551 • show config on page 553 • show licenses on page 67 • show system on page 68 • show version on page 554 Nortel WLAN—Security Switch 2300 Series Command Line Reference “How to get...
  • Page 82 82 System Services Commands NN47250-100 (Version 02.51)
  • Page 83: Vlan Commands

    Restriction of Client Layer 2 Forwarding Tunnel Affinity FDB Entries FDB Aging Timeout Nortel WLAN—Security Switch 2300 Series Command Line Reference set vlan name on page 79 set vlan port on page 80 clear vlan on page 76 show vlan config on page 89...
  • Page 84: Clear Fdb

    clear fdb Deletes an entry from the forwarding database (FDB). Syntax clear fdb {perm | static | dynamic | port port-list} [vlan vlan-id] [tag tag-value] perm static dynamic port port-list vlan vlan-id tag tag-value Defaults None. Access Enabled. Usage You can delete forwarding database entries based on entry type, port, or VLAN. A VLAN name or number is required for deleting permanent or static entries.
  • Page 85: Clear Security L2-Restrict

    Syntax clear security l2-restrict counters [vlan vlan-id | all] vlan-id Nortel WLAN—Security Switch 2300 Series Command Line Reference VLAN name or number. List of MAC addresses. WSS Software no longer allows clients in the VLAN to send traffic to the MAC addresses at Layer 2.
  • Page 86: Clear Vlan

    Defaults If you do not specify a VLAN or all, counters for all VLANs are cleared. Access Enabled. History Introduced in WSS Software Version 4.1. Usage To clear MAC addresses from the list of addresses to which clients are allowed to send data, use the clear security l2-restrict command instead.
  • Page 87: Set Fdb

    Access Enabled. Usage You cannot add a multicast or broadcast address as a permanent or static FDB entry. Nortel WLAN—Security Switch 2300 Series Command Line Reference Adds a permanent entry. A permanent entry does not age out and remains in the database even after a reboot, reset, or power cycle.
  • Page 88: Set Fdb Agingtime

    Examples The following command adds a permanent entry for MAC address 00:11:22:aa:bb:cc on ports 3 and 5 in VLAN blue: WSS# set fdb perm 00:11:22:aa:bb:cc port 3,5 vlan blue success: change accepted. The following command adds a static entry for MAC address 00:2b:3c:4d:5e:6f on port 1 in the default VLAN: WSS# set fdb static 00:2b:3c:4d:5e:6f port 1 vlan default success: change accepted.
  • Page 89: Set Vlan Name

    Usage You must assign a name to a VLAN (other than the default VLAN) before you can add ports to the VLAN. Nortel WLAN—Security Switch 2300 Series Command Line Reference VLAN name or number. Enables or disables restriction of Layer 2 forwarding.
  • Page 90: Set Vlan Port

    RED. VLAN names are case-sensitive for RADIUS authorization when a client roams to a WSS. If the switch is not configured with the VLAN the client is on, but is configured with a VLAN that has the same spelling but different capitalization, authorization for the client fails.
  • Page 91: Show Fdb

    Changes a WSS’s preferability within a mobility domain for tunneling user traffic for a VLAN. When a user roams to a WSS that is not a member of the user’s VLAN, the switch can forward the user traffic by tunneling to another WSS that is a member of the VLAN.
  • Page 92 mac-addr-wildcard vlan vlan-id perm static dynamic system port port-list Defaults None. Access All. Usage To display the entire forwarding database, enter the show fdb command without options. To display only a portion of the database, use optional parameters to specify the types of entries you want to display.
  • Page 93: Show Fdb Agingtime

    Because the forwarding database aging timeout period can be configured only on an individual VLAN basis, the command lists the aging timeout period for each VLAN separately. Nortel WLAN—Security Switch 2300 Series Command Line Reference Table 1: Output for show fdb Description VLAN number.
  • Page 94: Show Fdb Count

    See Also set fdb agingtime on page 78 show fdb count Lists the number of entries in the forwarding database. Syntax show fdb count {perm | static | dynamic} [vlan vlan-id] perm static dynamic vlan vlan-id Defaults None. Access All. Examples The following command lists the number of dynamic entries that the forwarding database contains: WSS# show fdb count dynamic...
  • Page 95: Show Roaming Vlan

    85 show roaming vlan Shows all VLANs in the mobility domain, the WSSs servicing the VLANs, and their tunnel affinity values configured on each switch for the VLANs. Nortel WLAN—Security Switch 2300 Series Command Line Reference State violet...
  • Page 96 96 VLAN Commands Syntax show roaming vlan Defaults None. Access Enabled. Examples The following command shows the current roaming VLANs: WSS# show roaming vlan NN47250-100 (Version 02.51)
  • Page 97: Show Security L2-Restrict

    Defaults If you do not specify a VLAN name or all, information is displayed for all VLANs. Access Enabled. History Introduced in WSS Software Version 4.1. Nortel WLAN—Security Switch 2300 Series Command Line Reference Affinity Description VLAN name. System IP address of the WSS on which the VLAN is configured.
  • Page 98: Show Tunnel

    Examples The following command shows Layer 2 forwarding restriction information for all VLANs: WSS# show security l2-restrict VLAN Name En Drops ---- ---------------- -- ---------- ------------------- --------------------- 1 default 2 vlan-2 Table 14 describes the fields in the display. Table 4: Output for show security l2-restrict Field Description VLAN...
  • Page 99: Show Vlan Config

    Defaults None. Access All. Examples The following command displays information for VLAN burgundy: Nortel WLAN—Security Switch 2300 Series Command Line Reference Port LVID RVID VLAN name or number. If you do not specify a VLAN, information for all VLANs is displayed.
  • Page 100 Member port of the VLAN. The port can be a physical port or a virtual port. • Physical ports are 10/100 Ethernet or gigabit Ethernet ports on the switch, and are listed by port number. • Virtual ports are tunnels to other switches in a...
  • Page 101 See Also • clear vlan on page 76 • set vlan name on page 79 • set vlan port on page 80 • set vlan tunnel-affinity on page 81 Nortel WLAN—Security Switch 2300 Series Command Line Reference...
  • Page 102 102 VLAN Commands NN47250-100 (Version 02.51)
  • Page 103: Quality Of Service Commands

    Resets the switch’s mapping of Differentiated Services Code Point (DSCP) values to internal QoS values. The switch’s internal QoS map ensures that prioritized traffic remains prioritized while transiting through the WSS. A WSS uses the QoS map to do the following: •...
  • Page 104 Examples The following command resets all QoS mappings: WSS# clear qos success: change accepted. The following command resets the mapping used to classify packets with DSCP value 44: WSS# clear qos dscp-to-qos-map 44 success: change accepted. set qos cos-to-dscp-map Changes the value to which WSS Software maps an internal QoS value when marking outbound packets. Syntax set qos cos-to-dscp-map level dscp dscp-value level...
  • Page 105: Show Qos

    History Introduced in WSS Software Version 4.1. Examples The following command displays the default QoS settings: WSS# show qos default Nortel WLAN—Security Switch 2300 Series Command Line Reference DSCP range. You can specify the values as decimal numbers. Valid decimal values are 0 to 63.
  • Page 106 Ingress QoS Classification Map (dscp-to-cos) Ingress DSCP CoS Level =============================================================================== 00-09 0 0 0 0 0 0 0 0 1 1 10-19 1 1 1 1 1 1 2 2 2 2 20-29 2 2 2 2 3 3 3 3 3 3 30-39 3 3 4 4 4 4 4 4 4 4...
  • Page 107: Ip Services Commands

    IP Route SSH Management Telnet Management HTTPS Management IP Alias set interface on page 109 set interface dhcp-client on page 110 set interface status on page 112 show interface on page 149...
  • Page 108 Time and Date SNMP set timedate on page 142 set timezone on page 143 set summertime on page 140 show timedate on page 161 show timezone on page 161 show summertime on page 160 clear timezone on page 106 clear summertime on page 105 set ntp on page 121 set ntp server on page 122...
  • Page 109: Clear Interface

    • set interface status on page 112 • show interface on page 149 clear snmp community on page 103 clear snmp usm on page 105 clear snmp notify profile on page 104...
  • Page 110: Clear Ip Alias

    clear ip alias Removes an alias, which is a string that represents an IP address. Syntax clear ip alias name name Alias name. Defaults None. Access Enabled. Examples The following command removes the alias server1: WSS# clear ip alias server1 success: change accepted.
  • Page 111: Clear Ip Dns Server

    10.10.10.1: WSS# clear ip route 10.10.10.68/24 10.10.10.1 success: change accepted. Default route. Note: default is an alias for IP address 0.0.0.0/0. IP address and subnet mask for the route destination, in dotted decimal notation (for example, 10.10.10.10 255.255.255.0).
  • Page 112: Clear Ip Telnet

    See Also • set ip route on page 116 • show ip route on page 153 clear ip telnet Resets the Telnet server’s TCP port number to its default value. A WSS listens for Telnet management traffic on the Telnet server port. Syntax clear ip telnet Defaults The default Telnet port number is 23.
  • Page 113: Clear Snmp Community

    Name of the SNMP community you want to clear. Defaults None. Access Enabled. History Introduced in WSS Software Version 4.0. Examples The following command clears community string setswitch2: WSS# clear snmp community name setswitch2 success: change accepted...
  • Page 114: Clear Snmp Notify Profile

    See Also • set snmp community on page 123 • show snmp community on page 158 clear snmp notify profile Clears an SNMP notification profile. Syntax clear snmp notify profile profile-name profile-name Name of the notification profile you are clearing. Defaults None.
  • Page 115: Clear Snmp Usm

    See Also • clear timezone on page 106 • set summertime on page 140 • set timedate on page 142 • set timezone on page 143 • show summertime on page 160...
  • Page 116: Clear Timezone

    • show timedate on page 161 • show timezone on page 161 clear system ip-address Clears the system IP address. Caution! Clearing the system IP address disrupts the system tasks that use the address. Syntax clear system ip-address Defaults None. Access Enabled.
  • Page 117 • dnf—Disabled. IP address, MAC address, hostname, alias, or user to ping. Number of ping packets to send. You can specify from 0 through 2,147,483,647. If you enter 0, WSS Software pings continuously until you interrupt the command.
  • Page 118: Set Arp

    • interval—100 (one tenth of a second) • size—56. Access Enabled. Usage To stop a ping command that is in progress, press Ctrl+C. A WSS cannot ping itself. WSS Software does not support this. Examples The following command pings a device that has IP address 10.1.1.1: WSS# ping 10.1.1.1 PING 10.1.1.1 (10.1.1.1) from 10.9.4.34 : 56(84) bytes of data.
  • Page 119: Set Arp Agingtime

    {ip-addr mask | ip-addr/mask-length} vlan-id ip-addr mask ip-addr/mask-length VLAN name or number. IP address and subnet mask in dotted decimal notation (for example, 10.10.10.10 255.255.255.0). IP address and subnet mask length in CIDR format (for...
  • Page 120: Set Interface Dhcp-Client

    The DHCP client is disabled by default on all other switch models, and is disabled on a 2350 if the switch is already configured or the factory reset switch is not pressed and held during power on.
  • Page 121: Set Interface Dhcp-Server

    Defaults The DHCP server is enabled by default on a new (unconfigured) 2350, 2360, or 2382 in order to provide an IP address to the host connected to the switch for access to the Web Quick Start. On all switch models, the DHCP server is enabled and cannot be disabled for directly connected APs.
  • Page 122: Set Interface Status

    Specification of the DNS domain name, DNS servers, and default router are optional. If you omit one or more of these options, the WSS Software DHCP server uses the values configured elsewhere on the switch: •...
  • Page 123: Set Ip Alias

    150 set ip dns Enables or disables DNS on a WSS. Syntax set ip dns {enable | disable} enable Enables DNS. disable Disables DNS. Defaults DNS is disabled by default...
  • Page 124: Set Ip Dns Domain

    Access Enabled. Examples The following command enables DNS on a WSS: WSS# set ip dns enable Start DNS Client See Also • clear ip dns domain on page 100 • clear ip dns server on page 101 • set ip dns domain on page 114 •...
  • Page 125: Set Ip Dns Server

    114 • show ip dns on page 151 IP address of a DNS server, in dotted decimal or CIDR notation. Makes the server the primary server, which WSS Software always consults first for resolving DNS queries.
  • Page 126: Set Ip Https Server

    Enables the HTTPS server on a WSS. The HTTPS server is required for Web View access to the switch. Caution! If you disable the HTTPS server, Web View access to the switch is disabled. Syntax set ip https server {enable | disable} enable Enables the HTTPS server.
  • Page 127 WSS Software can use the static route. Before you add a static route, use the show interface command to verify that the switch has an IP interface in the same subnet as the route’s next-hop router. If not, the VLAN:Interface field of the show ip route command output shows that the route is down.
  • Page 128: Set Ip Snmp Server

    • clear ip route on page 101 • show interface on page 149 • show ip route on page 153 set ip snmp server Enables or disables the SNMP service on the WSS. Syntax set ip snmp server {enable | disable} enable Enables the SNMP service.
  • Page 129: Set Ip Ssh Server

    2048 command to generate one. The maximum number of SSH sessions supported on a WSS is eight. If Telnet is also enabled, the switch can have up to eight Telnet or SSH sessions, in any combination, and one Console session.
  • Page 130: Set Ip Telnet

    If you change the Telnet port number from a Telnet session, WSS Software immediately ends the session. To open a new management session, you must Telnet to the switch with the new Telnet port number. Syntax set ip telnet port-num port-num TCP port number.
  • Page 131: Set Ntp

    Usage The maximum number of Telnet sessions supported on a WSS is eight. If SSH is also enabled, the switch can have up to eight Telnet or SSH sessions, in any combination, and one console session. Examples The following command enables the Telnet server on a WSS: WSS# set ip telnet server enable success: change accepted.
  • Page 132: Set Ntp Server

    set ntp server Configures a WSS to use an NTP server. Syntax set ntp server ip-addr ip-addr Defaults None. Access Enabled. Usage You can configure up to three NTP servers. WSS Software queries all the servers and selects the best response based on the method described in RFC 1305, Network Time Protocol (Version 3) Specification, Implementation and Analysis.
  • Page 133: Set Snmp Community

    Defaults None. Access Enabled. Name of the SNMP community. Specify between 1 and 32 alphanumeric characters, with no spaces. Allows an SNMP management application using the string to get (read) object values on the switch but not to set (write) them.
  • Page 134 History Version 4.0 Default strings removed. There are no default strings in WSS Software Version 4.0. New access types added for SNMPv3: • read-notify • notify-only • notify-read-write Usage SNMP community strings are passed as clear text in SNMPv1 and SNMPv2c. Nortel recommends that you use strings that cannot easily be guessed by unauthorized users.
  • Page 135: Set Snmp Notify Profile

    Configures an SNMP notification profile. A notification profile is a named list of all the notification types that can be generated by a switch, and for each notification type, the action to take (drop or send) when an event occurs.
  • Page 136 notification-type Name of the notification type: • APBootTraps—Generated when an AP boots. • ApNonOperStatusTraps—Generated to indicate an AP radio is nonoperational. • ApOperRadioStatusTraps—Generated when the status of an AP radio changes. • APTimeoutTraps—Generated when an AP fails to respond to the WSS.
  • Page 137 • RFDetectClientViaRogueWiredAPTraps—Generated when WSS Software detects, on the wired part of the network, the MAC address of a wireless client associated with a third-party AP...
  • Page 138 notification-type (cont.) Defaults A default notification profile (named default) is already configured in WSS Software. All notifications in the default profile are dropped by default. Access Enabled. History Introduced in WSS Software Version 4.0. Examples The following command changes the action in the default notification profile from drop to send for all notification types: WSS# set snmp notify profile default send all success: change accepted.
  • Page 139 123 • set snmp notify target on page 131 • set snmp protocol on page 135 • set snmp security on page 136 • set snmp usm on page 136...
  • Page 140 • show snmp notify profile on page 158
  • Page 141: Set Snmp Notify Target

    {unsecured | authenticated | encrypted} ID for the target. This ID is local to the WSS and does not need to correspond to a value on the target itself.
  • Page 142 retries num timeout num SNMPv3 with Traps To configure a notification target for traps from SNMPv3, use the following command: Syntax set snmp notify target target-num ip-addr[:udp-port-number] usm trap user username [profile profile-name] [security {unsecured | authenticated | encrypted}] target-num ip-addr[:udp-port-number] username profile profile-name...
  • Page 143 ID for the target. This ID is local to the WSS and does not need to correspond to a value on the target itself. You can specify a number from 1 to 10.
  • Page 144 SNMPv1 with Traps To configure a notification target for traps from SNMPv1, use the following command: Syntax set snmp notify target target-num ip-addr[:udp-port-number] v1 community-string [profile profile-name] target-num ip-addr[:udp-port-number] community-string profile profile-name Defaults The default UDP port number on the target is 162. The default minimum required security level is unsecured.
  • Page 145: Set Snmp Protocol

    Access Enabled. History Introduced in WSS Software Version 4.0. Usage SNMP requires the switch’s system IP address to be set. SNMP will not work without the system IP address. You also must enable the SNMP service using the set ip snmp server command.
  • Page 146: Set Snmp Security

    set snmp security Sets the minimum level of security WSS Software requires for SNMP message exchanges. Syntax set snmp security {unsecured | authenticated | encrypted | auth-req-unsec-notify} unsecured authenticated encrypted auth-req-unsec-notify SNMP message exchanges are authenticated but are not encrypted, and Defaults By default, WSS Software allows nonsecure (unsecured) SNMP message exchanges.
  • Page 147 {encrypt-pass-phrase string | encrypt-key hex-string} usm-username snmp-engine-id {ip ip-addr | local | hex hex-string} Name of the SNMPv3 user. Specify between 1 and 32 alphanumeric characters, with no spaces. Specifies a unique identifier for the SNMP engine.
  • Page 148 • read-notify—An SNMP management application using the string can get object values on the switch but cannot set them. The switch can use the string to send notifications. • notify-only—The switch can use the string to send notifications. • read-write—An SNMP...
  • Page 149 Access Enabled. History Introduced in WSS Software Version 4.0. Specifies the authentication type used to authenticate communications with the remote SNMP engine.
  • Page 150: Set Summertime

    Examples The following command creates USM user snmpmgr1, associated with the local SNMP engine ID. This user can send traps to notification receivers. WSS# set snmp usm snmpmgr1 snmp-engine-id local success: change accepted. The following command creates USM user securesnmpmgr1, which uses SHA authentication and 3DES encryption with passphrases.
  • Page 151 IP address, in dotted decimal notation. The address must be configured on one of the WSS’s VLANs. Defaults None. Minute to start or end the time change—a value between 0 and 59. End of the time change period.
  • Page 152: Set Timedate

    Access Enabled. Usage You must use an address that is configured on one of the WSS’s VLANs. To display the system IP address, use the show system command. Examples The following commands configure an IP interface on VLAN taupe and configure the interface to be the system IP address: WSS# set interface taupe ip 10.10.20.20/24 success: set ip address 10.10.20.20 netmask 255.255.255.0 on vlan taupe...
  • Page 153: Set Timezone

    161 • show timezone on page 161 Time zone name of up to 32 alphabetic characters. You can use a standard name or any name you like. Minus time to indicate hours (and minutes) to be subtracted from UTC.
  • Page 154: Show Arp

    show arp Displays the ARP table. Syntax show arp [ip-addr] ip-addr IP address. Defaults If you do not specify an IP address, the whole ARP table is displayed. Access All. Examples The following command displays ARP entries: WSS# show arp ARP aging time: 1200 seconds Host HW Address...
  • Page 155: Show Dhcp-Client

    Defaults None. Access All. History Introduced in WSS Software Version 4.0. Description Entry type: • DYNAMIC—Entry was learned from network traffic and ages out if unused for longer than the ARP aging timeout.
  • Page 156 Examples The following command displays DHCP client information: WSS# show dhcp-client Interface: corpvlan(4) Configuration Status: Enabled DHCP State: IF_UP Lease Allocation: 65535 seconds Lease Remaining: IP Address: 10.3.1.110 Subnet Mask: 255.255.255.0 Default Gateway: 10.3.1.1 DHCP Server: 10.3.1.4 DNS Servers: 10.3.1.29 DNS Domain Name: Table 18 describes the fields in this display.
  • Page 157: Show Dhcp-Server

    DNS Domain Name: mycorp.com Table 19 and Table 20 describe the fields in these displays. Displays the IP addresses leased by the specified VLAN. Displays configuration and status information for the WSS Software DHCP server.
  • Page 158 Table 3. Output for show dhcp-server Field VLAN Name Address MAC Address Lease Remaining Table 4. Output for show dhcp-server verbose Field Interface Status Address Range Hardware Address State Lease Allocation Lease Remaining IP Address Description VLAN number. VLAN name. IP address leased by the server.
  • Page 159: Show Interface

    255.255.255.0 YES Table 21 describes the fields in this display. Description Network mask of the IP address leased to the client. Default router IP address included in the DHCP Offer to the client.
  • Page 160: Show Ip Alias

    Field VLAN Name Address Mask Enabled State See Also • clear interface on page 99 • set interface on page 109 • set interface status on page 112 show ip alias Displays the IP aliases configured on the WSS. Syntax show ip alias [name] name Defaults If you do not specify an alias name, all aliases are displayed.
  • Page 161: Show Ip Dns

    Table 23 describes the fields in this display. Field Domain Name DNS Status Table 6: Output for show ip alias Description Alias string. IP address associated with the alias. Table 7: Output for show ip dns...
  • Page 162: Show Ip Https

    Table 7: Output for show ip dns (continued) Field IP Address Type See Also • clear ip dns domain on page 100 • clear ip dns server on page 101 • set ip dns on page 113 • set ip dns domain on page 114 •...
  • Page 163: Show Ip Route

    Displays the IP route table. Syntax show ip route [destination] destination Defaults None. Access All. Table 8: Output for show ip https Description State of the HTTPS server: • Enabled • Disabled TCP port number on which the WSS listens for HTTPS connections.
  • Page 164 WSS has an IP interface in the default router’s (gateway’s) subnet. WSS Software cannot resolve a static route unless one of the switch’s VLANs has an interface in the default router’s subnet. If the switch has such an interface but the static route is still down, use the show vlan config command to check the state of the VLAN’s ports.
  • Page 165: Show Ip Telnet

    ---------------------------------- Enabled Table 26 describes the fields in this display. Description Next-hop router for reaching the route destination. Note: This field applies only to static routes. Destination VLAN, protocol type, and IP address of the route.
  • Page 166: Show Ntp

    Field Server Status Port See Also • clear ip telnet on page 102 • set ip https server on page 116 • set ip telnet on page 120 • set ip telnet server on page 120 • show ip https on page 152 show ntp Displays NTP client information.
  • Page 167 • clear timezone on page 106 • set ntp on page 121 Table 11: Output for show ntp Description State of the NTP client. The state can be one of the following: •...
  • Page 168: Show Snmp Community

    • set ntp server on page 122 • set summertime on page 140 • set timezone on page 143 • show timezone on page 161 show snmp community Displays the configured SNMP community strings. Syntax show snmp community Defaults None. Access Enabled.
  • Page 169: Show Snmp Status

    158 • show snmp counters on page 158 • show snmp notify profile on page 158 • show snmp notify target on page 159 • show snmp usm on page 160...
  • Page 170: Show Summertime

    show snmp usm Displays information about SNMPv3 users. Defaults None. Access Enabled. History Introduced in WSS Software Version 4.0. See Also • clear snmp usm on page 105 • show snmp usm on page 160 show summertime Shows a WSS’s offset from its real-time clock. Syntax show summertime Defaults There is no summertime offset by default.
  • Page 171: Show Timezone

    106 • set summertime on page 140 • set timedate on page 142 • set timezone on page 143 • show summertime on page 160 • show timedate on page 161...
  • Page 172 ACL also denies access by the telnet command. Examples In the following example, an administrator establishes a Telnet session with another WSS and enters a command on the remote switch: WSS# telnet 10.10.10.90 Session 0 pty tty2.d Trying 10.10.10.90...
  • Page 173 Usage To stop a traceroute command that is in progress, press Ctrl+C. Examples The following example traces the route to host server1: IP address, hostname, or alias of the destination host. Specify the IP address in dotted decimal notation.
  • Page 174 WSS# traceroute server1 traceroute to server1.example.com (192.168.22.7), 30 hops max, 38 byte packets 1 engineering-1.example.com (192.168.192.206) 2 ms 1 ms 1 ms 2 engineering-2.example.com (192.168.196.204) 2 ms 3 ms 2 ms 3 gateway_a.example.com (192.168.1.201) 6 ms 3 ms 3 ms 4 server1.example.com (192.168.22.7) 3 ms * 2 ms The first row of the display indicates the target host, the maximum number of hops, and the packet size.
  • Page 175: Aaa Commands

    Local Authorization for Password Users Local Authorization for MAC Users “Security ACL Commands” on page set authentication console on page 183 set authentication admin on page 182 set authentication dot1x on page 185...
  • Page 176: Clear Accounting

    Web authorization Accounting AAA information Mobility Profiles Location Policy clear accounting Removes accounting services for specified wireless users with administrative access or network access. Syntax clear accounting {admin | dot1x | system} {user-wildcard} admin dot1x clear mac-usergroup attr on page 174 clear mac-user group on page 173 clear mac-usergroup on page 174 set web-portal on page 209...
  • Page 177: Clear Authentication Admin

    Syntax clear authentication admin user-wildcard user-wildcard Defaults None. Disables sending of Accounting-On and Accounting-Off messages to a RADIUS server, if previously enabled. When this command is entered, an Accounting-Off message is generated and sent to the server or server group specified with the set accounting system command.
  • Page 178: Clear Authentication Console

    Access Enabled. Note. The syntax descriptions for the clear authentication commands have been separated for clarity. However, the options and behavior for the clear authentication admin command are the same as in previous releases. Examples The following command clears authentication for administrator Jose: WSS# clear authentication admin Jose success: change accepted.
  • Page 179: Clear Authentication Dot1X

    5.0. Instead, a user who accesses the network on an SSID by using the fallthru access type last-resort is automatically a last-resort user. The authorization attributes assigned to the user come from the default authorization attributes set on the SSID...
  • Page 180: Clear Authentication Mac

    clear authentication mac Removes a MAC authentication rule. Syntax clear authentication mac {ssid ssid-name | wired} mac-addr-wildcard ssid ssid-name wired mac-addr-wildcard Defaults None. Access Enabled. Examples The following command removes a MAC authentication rule for access to SSID thatcorp by MAC addresses beginning with aa:bb:cc: WSS# clear authentication mac ssid thatcorp aa:bb:cc:* See Also...
  • Page 181: Clear Authentication Web

    Removes a rule from the location policy on a WSS. Syntax clear location policy rule-number rule-number Defaults None. Access Enabled. Index number of a location policy rule to remove from the location policy.
  • Page 182 Usage To determine the index numbers of location policy rules, use the show location policy command. Removing all the ACEs from the location policy disables this function on the WSS. Examples The following command removes location policy rule 4 from a WSS’s location policy: WSS# clear location policy 4 success: clause 4 is removed.
  • Page 183 195 • show aaa on page 210 MAC address of the user, in hexadecimal numbers separated by colons (:). You can omit leading zeros. Name of an attribute used to authorize the MAC user for a particular service or session characteristic.
  • Page 184 clear mac-usergroup Removes a user group from the local database on the WSS, for a group of users who are authenticated by a MAC address. (To delete a MAC user group in RADIUS, see the documentation for your RADIUS server.) Syntax clear mac-usergroup group-name group-name...
  • Page 185: Clear User

    Usage Deleting the user’s profile from the database deletes the assignment of any attributes in the profile to the user. Name of an existing Mobility Profile. Username of a user with a password.
  • Page 186: Clear User Attr

    Examples The following command deletes the user profile for user Nin: WSS# clear user Nin success: change accepted. See Also • set user on page 206 • show aaa on page 210 clear user attr Removes an authorization attribute from the user profile in the local database on the WSS, for a user with a password.
  • Page 187: Clear Usergroup

    Examples The following command deletes the cardiology user group from the local database: WSS# clear usergroup cardiology success: change accepted. See Also • clear usergroup attr on page 178 Username of a user with a password. Name of an existing user group.
  • Page 188: Clear Usergroup Attr

    • set usergroup on page 208 • show aaa on page 210 clear usergroup attr Removes an authorization attribute from a user group in the local database on the WSS. (To remove an authorization attribute in RADIUS, see the documentation for your RADIUS server.) Syntax clear usergroup group-name attr attribute-name group-name...
  • Page 189 Sets up accounting services for specified wireless users with network access, and defines the accounting records and where they are sent. Single user or set of users with administrative access or network access.
  • Page 190 Syntax set accounting {dot1x | mac | web | last-resort} {ssid ssid-name | wired} {user-wildcard | mac-addr-wildcard} {start-stop | stop-only} method1 [method2] [method3] [method4] dot1x ssid ssid-name wired user-wildcard mac-addr-wildcard start-stop stop-only method1 method2 method3 method4 Defaults Accounting is disabled for all users by default. Access Enabled.
  • Page 191: Set Accounting System

    WSS to reset. The WSS does not wait for a RADIUS server to acknowledge the Accounting-Off message; the switch makes one attempt to send the Accounting-Off message, then shuts down. Examples The following command causes Accounting-On and Accounting-Off messages to be...
  • Page 192: Set Authentication Admin

    See Also • clear accounting on page 166 • show accounting statistics on page 212 set authentication admin Configures authentication and defines where it is performed for specified users with administrative access through Telnet or Web View. Syntax set authentication admin user- method1 [method2] [method3] [method4] user-wildcard method1...
  • Page 193: Set Authentication Console

    191 • show aaa on page 210 set authentication console Configures authentication and defines where it is performed for specified users with administrative access through a console connection. 12.)
  • Page 194 wildcard Single user or set of users with administrative access through the switch’s console. Specify a username, use the double-asterisk wildcard character (**) to specify all usernames, or use the single-asterisk wildcard character (*) to specify a set of usernames up to or following the first delimiter character—either an at sign (@) or a period (.).
  • Page 195: Set Authentication Dot1X

    SSID name to which this authentication rule applies. To apply the rule to all SSIDs, type any. wired Applies this authentication rule specifically to users connected to a wired authentication port. 12.) [bonded] protocol wildcard...
  • Page 196 user-wildcard A single user or a set of users with 802.1X network access. Specify a username, use the double-asterisk wildcard character (**) to specify all usernames, or use the single-asterisk wildcard character (*) to specify a set of usernames up to or following the first delimiter character—either an at sign (@) or a period (.).
  • Page 197 • server-group-name—Uses the defined group of RADIUS servers for authentication. You can enter up to four names of existing RADIUS server groups as methods. RADIUS servers cannot be used with the EAP-TLS protocol. For more information, see “Usage.”...
  • Page 198 If the user does not support 802.1X, WSS Software attempts to perform MAC authentication for the user. In this case, if the switch’s configuration contains a set authentication mac command that matches the SSID the user is attempting to access and the user’s MAC address, WSS Software uses the method specified by the command.
  • Page 199: Set Authentication Mac

    When using RADIUS for authentication, the default well-known password for MAC and last-resort users is nortel. Access Enabled. SSID name to which this authentication rule applies. To apply the rule to all SSIDs, type any.
  • Page 200: Set Authentication Proxy

    WSS database and sends an authentication request to the RADIUS server group. If the switch’s configuration contains a set authentication mac command that matches the SSID the user is attempting to access and the user’s MAC address, WSS Software uses the method specified by the command. Otherwise, WSS Software uses local MAC authentication by default.
  • Page 201: Set Authentication Web

    (.). (For details, see ssid ssid-name SSID name to which this authentication rule applies. To apply the rule to all SSIDs, type any. Guide. wildcard “User Wildcards” on page...
  • Page 202 wired Applies this authentication rule specifically to users connected to a wired authentication port. method1 At least one and up to four methods that WSS Software uses to handle authentication. Specify one or more of the following methods in priority order. method2 WSS Software applies multiple methods in the order you enter them.
  • Page 203: Set Location Policy

    You can specify one or more of the following conditions: ssid operator ssid-name wildcard Denies access to the network to users with characteristics that match the location policy rule.
  • Page 204 If the location policy contains multiple rules, WSS Software compares the user information to the rules one at a time, in the order the rules appear in the switch’s configuration file, beginning with the rule at the top of the list.
  • Page 205 • Use inacl inacl-name to filter traffic that enters the switch from users via an AP access port or wired authentication port, or from the network via a network port. • Use outacl outacl-name to filter traffic sent from the switch to users via an AP access port or wired authentication port, or from the network via a network port.
  • Page 206 Syntax set mac-user mac-addr [group group-name] mac-addr MAC address of the user, in hexadecimal numbers separated by colons (:). You can omit leading zeros. group-name Name of an existing MAC user group. Defaults None. Access Enabled. Usage WSS Software does not require MAC users to belong to user groups. Users authenticated by MAC address can be authenticated only for network access through the WSS.
  • Page 207 MAC user group the user is in, the MAC user’s network access can begin as soon as the user start-date. The MAC user does not need to wait for the MAC user group’s start date. MAC address of the user, in hexadecimal numbers separated by colons (:).
  • Page 208 Table 1: Authentication Attributes for Local Users Attribute Description encryption-type Type of encryption required for access by the client. Clients who attempt to use an unauthorized encryption method are rejected. Note: Encryption-Type is a Nortel vendor-specific attribute (VSA). The vendor ID is 562, and the vendor type is 233.
  • Page 209 Nortel vendor-specific attribute (VSA). The vendor ID is 562, and the vendor type is 232. Valid Value(s) Name of an existing security ACL, up to 253 alphanumeric characters, with no tabs or spaces.
  • Page 210 Table 1: Authentication Attributes for Local Users (continued) Attribute Description service-type Type of access the user is requesting. session-timeout Maximum number of seconds for the user’s (network access mode session. only) ssid SSID the user is allowed to access after authentication. (network access mode only) start-date...
  • Page 211 ID is 562, and the vendor type is 234. time-of-day (network access mode only) (cont.) Valid Value(s) One of the following: • never—Access is always denied. • any—Access is always allowed. • al—Access is always allowed.
  • Page 212 Table 1: Authentication Attributes for Local Users (continued) Attribute Description URL to which the user is redirected after successful (network access mode Web-based AAA. only) vlan-name Virtual LAN (VLAN) assignment. (network access mode only) Note: VLAN-Name is a Nortel vendor-specific attribute (VSA).
  • Page 213 See Also • clear mac-usergroup attr on page 174 attr time-of-day mo1900-1159,tu0000- Name of a MAC user group. Specify a name of up to 32 alphanumeric characters, with no spaces. The name must begin with an alphabetic character.
  • Page 214 • show aaa on page 210 set mobility-profile Creates a Mobility Profile and specifies the AP and/or wired authentication ports on the WSS through which any user assigned to the profile is allowed access. Syntax set mobility-profile name name {port {none | all | port-list}} | {ap {none | all | ap-num}} name none port-list...
  • Page 215 Defaults The Mobility Profile feature is disabled by default. Access Enabled. Examples To enable the use of the Mobility Profile feature, type the following command: WSS# set mobility-profile mode enable success: change accepted. ...
  • Page 216: Set User

    See Also • clear mobility-profile on page 175 • set mobility-profile on page 204 • show mobility-profile on page 215 set user Configures a user profile in the local database on the WSS for a user with a password. (To configure a user profile in RADIUS, see the documentation for your RADIUS server.) Syntax set user username password [encrypted] string username...
  • Page 217: Set User Attr

    Saturday and Sunday: WSS# set user Student1 attr time-of-day Wk1700-0200,Sa,Su success: change accepted. Username of a user with a password. Name and value of an attribute you are using to authorize the user for a particular service or session characteristic.
  • Page 218: Set Usergroup

    See Also • clear user attr on page 176 • show aaa on page 210 set user group Adds a user to a user group. The user must have a password and a profile that exists in the local database on the WSS.
  • Page 219 Defaults Enabled. Access Enabled. Name of a group for password users. Specify a name of up to 32 alphanumeric characters, with no spaces. The name must begin with an alphabetic character.
  • Page 220: Show Aaa

    Usage This command disables or reenables support for Web-based AAA. However, Web-based AAA has additional configuration requirements. For information, see the “Configuring AAA for Network Users” chapter in the Nortel WLAN Security Switch 2300 Series Configuration Examples To disable Web-based AAA, type the following command: WSS# set web-portal disable success: change accepted.
  • Page 221 RADIUS server is ignored by the WSS. The default is 0 minutes. Shared secret key, or password, used to authenticate to a RADIUS server. The default is no key (null). Table 2: show aaa Output...
  • Page 222 Table 2: show aaa Output (continued) Field Description author-pass Password used for authorization to a RADIUS server for MAC authentication. The client’s MAC address is sent as the username and the author-pass string is sent as the password. Radius Servers Information about active RADIUS servers.
  • Page 223 Calling-Station-Id=00-06-25-12-06-38 Nas-Port-Id=3/1 Called-Station-Id=00-0B-0E-00-CC-01 AAA_SSID_ATTR=vineet-dot1x Dec 14 00:39:53 Acct-Status-Type=START Acct-Authentic=0 User-Name=vineet Acct-Multi-Session-Id=SESS-4-01f82f-520793-bd779517 Acct-Session-Id=SESS-4-01f82f-520793-bd779517 Event-Timestamp=1134520793 AAA_ACCT_SVC_ATTR=2 AAA_VLAN_NAME_ATTR=default Calling-Station-Id=00-06-25-12-06-38 Nas-Port-Id=3/1 Called-Station-Id=00-0B-0E-00-CC-01 AAA_SSID_ATTR=vineet-dot1x Table 31 describes the fields that can appear in show accounting statistics output. ...
  • Page 224 Table 3: show accounting statistics Output Field Date and time Acct-Status-Type Acct-Authentic User-Name Acct-Multi-Session-Id AAA_TTY_ATTR Event-Timestamp Acct-Session-Time Acct-Output-Octets Acct-Input-Octets Acct-Output-Packets Acct-Input-Packets Vlan-Name Calling-Station-Id Nas-Port-Id Called-Station-Id See Also • clear accounting on page 166 • set accounting {admin | console} on page 178 •...
  • Page 225 WSS# show mobility-profile magnolia Mobility Profiles Name Ports ========================= magnolia AP 12 See Also • clear mobility-profile on page 175 • set mobility-profile on page 204 Name of an existing Mobility Profile.
  • Page 227: Mobility Domain Commands

    Use Mobility Domain commands to configure and manage Mobility Domain groups. A Mobility Domain is a system of WSSs and APs working together to support a roaming user (client). One WSS acts as a seed switch, which maintains and distributes a list of IP addresses of the domain members. Note.
  • Page 228: Clear Mobility-Domain

    clear mobility-domain Clears all Mobility Domain configuration and information from a WSS, regardless of whether the WSS is a seed or a member of a Mobility Domain. Syntax clear mobility-domain Defaults None. Access Enabled. Usage This command has no effect if the WSS is not configured as part of a Mobility Domain. Examples To clear a Mobility Domain from a WSS within the domain, type the following command: 23x0# clear mobility-domain success: change accepted.
  • Page 229: Set Mobility-Domain Member

    192.168.1.10 as members of a Mobility Domain whose seed is the current WSS: WSS# set mobility-domain member 192.168.1.8 success: change accepted. WSS# set mobility-domain member 192.168.1.9 security is disabled. security is enabled. security is disabled.) IP address of the Mobility Domain member in dotted decimal notation.
  • Page 230: Set Mobility-Domain Mode Member Seed-Ip

    success: change accepted. WSS# set mobility-domain member 192.168.1.10 success: change accepted. See Also • clear mobility-domain member on page 218 • show mobility-domain config on page 222 set mobility-domain mode member seed-ip On a nonseed WSS, sets the IP address of the seed WSS. This command is used on a member member.
  • Page 231: Set Mobility-Domain Mode Seed Domain-Name

    Santa Clara See Also • clear mobility-domain member on page 218 • show mobility-domain on page 222 Name of the Mobility Domain. Specify between 1 and 32 characters with no spaces.
  • Page 232: Show Mobility-Domain Config

    set mobility-domain mode secondary-seed domain-name seed-ip Creates a Mobility Domain by setting the current WSS as the secondary seed device and naming the Mobility Domain. Syntax set mobility-domain mode secondary-seed domain-name domain-name seed-ip seed- mob-domain-name Defaults None. Access Enabled. History Introduced in WSS Software Version 6.0.
  • Page 233 • clear mobility-domain on page 218 • set mobility-domain member on page 219 • set mobility-domain mode member seed-ip on page 220 State Type (* active) ------------------------- Seed Secondary seed * Description...
  • Page 235: Network Domain Commands

    VLAN tunnel to a WSS in the remote Mobility Domain. In a Network Domain, one or more WSSs serve as a seed switch. At least one of the Network Domain seeds maintains a connection with each of the member WSSs in the Network Domain. The Network Domain seeds share information about the VLANs configured on their members, so that all the Network Domain seeds have a common database of VLAN information.
  • Page 236: Clear Network-Domain Mode

    See Also • set network-domain mode member seed-ip on page 227 • set network-domain peer on page 228 • set network-domain mode seed domain-name on page 229 clear network-domain mode Removes the Network Domain seed or member configuration from the WSS. Syntax clear network-domain mode {seed | member} seed...
  • Page 237: Clear Network-Domain Seed-Ip

    Sets the IP address of a Network Domain seed. This command is used for configuring a WSS as a member of a Network Domain. You can specify multiple Network Domain seeds and configure one as the primary seed. IP address of the Network Domain seed in dotted decimal notation.
  • Page 238: Set Network-Domain Peer

    Syntax set network-domain mode member seed-ip ip-addr [affinity num] ip-addr Defaults The default affinity for a Network Domain seed is 5. Access Enabled. History Introduced in WSS Software 4.1. Usage You can specify multiple Network Domain seeds on the WSS. When the WSS needs to connect to a Network Domain seed, it first attempts to connect to the seed with the highest affinity.
  • Page 239: Set Network-Domain Mode Seed Domain-Name

    225 • show network-domain on page 229 show network-domain Displays the status of Network Domain seeds and members. Name of the Network Domain. Specify between 1 and 16 characters with no spaces.
  • Page 240 Syntax show network-domain Defaults None. Access Enabled. History Introduced in WSS Software 4.1. Examples To display Network Domain status, type the following command. The output of the command differs based on whether the WSS is a member of a Network Domain or a Network Domain seed. On a WSS that is a Network Domain member, the following output is displayed: WSS# show network-domain Member Network Domain name: California...
  • Page 241 • set network-domain mode seed domain-name on page 229 • set network-domain peer on page 228 State of the WSS in the Network Domain: • UP • DOWN Role of the WSS in the Network Domain: •...
  • Page 243: Ap Commands

    This chapter presents AP commands alphabetically. Use the following table to locate commands in this chapter based on their use. Automatic Configuration of External Antennas Nortel Access Point 2330/2330A/2330B Guide.) set ap auto on page 245...
  • Page 244 257 set ap security on page 274 set ap boot-configuration ip on page 251 set ap boot-configuration switch on page 255 set ap boot-configuration vlan on page 256 clear ap boot-configuration on page 241 show ap boot-configuration on page 370...
  • Page 245 327 set service-profile soda remediation-acl on page 330 set service-profile soda success-page on page 330 set service-profile soda logout-page on page 328 Radio transmit rates set service-profile transmit-rates on page 334 ...
  • Page 246 Transmission retries RF Auto-Tuning AeroScout tag support Radio State Dual Homing Load Balancing RF Load Balancing AP Administration and Maintenance set radio-profile rate-enforcement on page 295 set service-profile long-retry-count on page 319 set service-profile short-retry-count on page 325 set radio-profile auto-tune channel-config on page 279 set radio-profile auto-tune channel-holddown on page 280 set radio-profile auto-tune channel-interval on page 281...
  • Page 247: Clear Ap Image

    Defaults None. Access Enabled. show ap config on page 344 show ap status on page 358 show ap counters on page 348 show ap global on page 373...
  • Page 248: Clear Ap Local-Switching Vlan-Profile

    When clearing a VLAN profile causes traffic that had been locally switched by APs to be tunneled to a WSS switch, the sessions of clients associated with the APs where the VLAN profile is applied are terminated, and the clients must re-associate with the APs.
  • Page 249: Clear Ap Radio

    List of ports connected to the AP(s) on which to reset a radio. Number of an AP on which to reset a radio.
  • Page 250 Table 1: Radio-Specific Parameters (continued) Parameter Default Value channel • 802.11b/g—6 • 802.11a—Lowest valid channel number for the country of operation mode disable radio-profile None. You must add the radios to a radio profile. tx-power Highest setting allowed for the country of operation or highest setting supported on the hardware, whichever is lower.
  • Page 251: Clear Ap Boot-Configuration

    Usage If an AP radio has been assigned to an RF load balancing group, you can use this command to remove the AP radio from the group. Number of the AP for which you are clearing static IP information.
  • Page 252: Clear Radio-Profile

    Examples The following command clears radio 1 on AP 7 from the load balancing group to which it had been assigned: WSS# clear ap 7 radio 1 load-balancing group success : change accepted. See Also • set load-balancing strictness on page 277 •...
  • Page 253: Clear Service-Profile

    [soda {agent-directory | failure-page | remediation-acl | success-page | logout-page}] name soda agent-directory Service profile name. Resets the directory for Sygate On-Demand (SODA) agent files to the default directory. By default, the directory name for SODA agent files is the same as the service profile name.
  • Page 254 soda failure-page soda remediation-acl soda success-page soda logout-page Defaults None. Access Enabled. History Version 4.1 Options added to clear SODA parameters. Usage If the service profile is mapped to a radio profile, you must remove it from the radio profile first.
  • Page 255: Reset Ap

    • Option radio num auto-tune min-client-rate • Option radio num tx-pwr removed. Version 6.0 • Option dap removed. List of ports connected to the AP to restart. Number of an AP to reset. removed.
  • Page 256 Usage Table 35 lists the configurable profile parameters and their defaults. The only parameter that requires configuration is the profile mode. The profile is disabled by default. To use the profile to configure APs, you must enable the profile using the set ap auto mode enable command. The profile uses the default radio profile by default.
  • Page 257: Set Ap Auto Mode

    Converts a temporary AP configuration created by the AP configuration profile into a persistent AP configuration on the WSS. Enables the AP configuration profile. Disables the AP configuration profile.
  • Page 258: Set Ap Auto Radiotype

    Access Enabled. Converts the configuration of the AP that has the specified connection number into a permanent configuration. Converts the configurations of all Auto-APs being managed by the switch into permanent configurations. Radio type: • 11a—802.11a • 11b—802.11b •...
  • Page 259: Set Ap Bias

    Version 6.0 Option dap removed. List of ports on which to change the bias for directly connected APs. Number of an AP for which to change the bias. Configures bias for the AP configuration profile. (See set ap auto on page 245.)
  • Page 260: Set Ap Blink

    AP selection of a WSS is sticky. After an AP selects a WSS to boot from, the AP continues to use that switch for its active data link even if another switch configured with high bias for the AP becomes available.
  • Page 261: Set Ap Boot-Configuration Ip

    255 • set ap boot-configuration vlan on page 256 Number of the AP for which you are specifying static IP information. The IP address to be assigned to the AP, in dotted decimal notation (for example, 10.10.10.10).
  • Page 262: Set Ap Boot-Configuration Mesh Mode

    Usage Use this command to enable WLAN mesh services for a Mesh AP. Prior to deploying the Mesh AP in its final untethered location, you must connect the AP to a WSS switch and enter this command to configure the AP for mesh services.
  • Page 263: Set Ap Boot-Configuration Mesh Psk-Raw

    Usage Use this command to configure the preshared key that a Mesh AP uses to authenticate to a Mesh Portal AP. You must connect the AP to a WSS switch and enter this command to configure the AP for mesh services prior to deploying the Mesh AP in its final untethered location.
  • Page 264 Mesh AP from operating outside of regulatory limits after it is booted and before it receives its complete configuration from the WSS switch. Consequently, it is important that the regulatory and antenna information specified on the WSS switch actually reflects the locale where the Mesh AP is to be deployed, in order to avoid regulatory violations.
  • Page 265: Set Ap Boot-Configuration Switch

    {enable | disable} Defaults By default APs use the process described in “Default AP Boot Process”, in the Nortel WLAN Security Switch 2300 Series Configuration Guide to boot from a WSS, instead of using a manually specified WSS. Access Enabled.
  • Page 266: Set Ap Boot-Configuration Vlan

    241 • set ap boot-configuration ip on page 251 • set ap boot-configuration switch on page 255 • show ap boot-configuration on page 370 Number of the AP for which you are specifying VLAN information.
  • Page 267: Set Ap Fingerprint

    Verifies an AP’s fingerprint on a WSS. If AP-WSS security is required by a WSS, an AP can establish a management session with the switch only if you have verified the AP’s identity by verifying its fingerprint on the switch.
  • Page 268: Set Ap Group

    AP has the latest image, and to verify that the The AP loads its local image only if the a newer AP image than the one in the AP’s local storage. If the switch is not running WSS Software Version 5.0 or later, or the has a newer version of the AP image than the version in the AP’s local storage, the AP...
  • Page 269: Set Ap Image

    Version 6.0 Option dap removed. Usage You can assign any subset or all of the APs connected to a WSS to a group on that switch. All access points in a group must be connected to the same WSS. If you use the name none, spelled in any combination of capital or lowercase letters, the specified AP is cleared from all AP groups.
  • Page 270: Set Ap Local-Switching Mode

    History Introduced in WSS Version 6.0. Usage Local switching allows traffic for specified VLANs to be switched by the AP itself, instead of being tunneled back to a WSS switch. The VLANs for which local switching is performed are specified in a VLAN profile.
  • Page 271: Set Ap Name

    WSS switch. When applying a VLAN profile causes traffic that had been tunneled to a WSS switch to be locally switched by APs, or vice-versa, the sessions of clients associated with the APs where the VLAN profile is applied are terminated, and the clients must re-associate with the APs.
  • Page 272: Set Ap Radio Antenna-Location

    History Version 4.1 Default AP name changed from DAPnum to DAPnum Version 6.0 Option dap removed. Examples The following command changes the name of the AP on port 1 to techpubs: WSS# set ap 1 name techpubs success: change accepted. See Also show ap config on page 344 set ap radio antenna-location...
  • Page 273 OUT-25 | 5133-NEMA | 5133-NEMA-10 | 5133-NEMA-25 | 5643 | 5643-OUT | 5643-OUT-10 | 5643-OUT-25 | 5643-NEMA | 5643-NEMA-10 | 5643-NEMA-25 | 5173-OUT | 5173-OUT-10 | 5173-OUT-25 | 5173-NEMA | 5173-NEMA-10 | 5173-NEMA-25 | 5103-OUT | 5103-OUT-10 | 5103-OUT-25 | 5103-NEMA | 5103-NEMA-10 | 5103-NEMA-25} ...
  • Page 274 ap port-list ap ap-num radio 1 radio 2 antennatype internal | 24203 | 24403 | 24453 | 24553 | mixed | 24143 | 24143-OUT | 24143-OUT-10 | 24143-OUT-25 | 24143-NEMA | 24143-NEMA-10 | 24143-NEMA-25 | 24123 | 24123-OUT | 24123-OUT-10 | 24123-OUT-25 | 24123-NEMA | 24123-NEMA-10 | 24123-NEMA-25 | 24113 | 24113-OUT | 24113-OUT-10 | 24113-...
  • Page 275: Set Ap Radio Auto-Tune Max-Power

    CLI command is executed against. set ap radio auto-tune max-power Sets the maximum power that RF Auto-Tuning can set on a radio. 802.11a antenna models: • internal - Omnidirectional puck • 5303 - Wideband Squint •...
  • Page 276: Set Ap Radio Auto-Tune Max-Retransmissions

    Syntax set {ap port-list | auto}} radio {1 | 2} auto-tune max-power power-level ap port-list ap ap-num ap auto radio 1 radio 2 power-level Defaults The default maximum power setting that RF Auto-Tuning can set on a radio is the highest setting allowed for the country of operation or highest setting supported on the hardware, whichever is lower.
  • Page 277: Set Ap Radio Channel

    272 • show ap config on page 344 List of ports connected to the AP on which to set the channel. Number of an AP on which to set the channel.
  • Page 278: Set Ap Radio Min-Tx-Datarate

    set ap radio min-tx-datarate To specify the minimum rate at which a radio is allowed to transmit traffic to clients, see Deprecated in WSS Software Version 5.0. on page 266. set ap radio link-calibration Configures an AP radio to emit link calibration packets, which can aid in positioning a Mesh AP. Syntax set ap ap-number radio {1 | 2} link-calibration mode {enable | disable} ap ap-number...
  • Page 279: Set Ap Radio Load-Balancing Group

    1 radio 2 Index value that identifies the AP on the WSS. Radio 1 of the AP. Radio 2 of the AP. (This option does not apply to single-radio models.) Enables RF load balancing for the AP radio.
  • Page 280 group name rebalance Defaults By default, AP radios are not part of an RF load balancing group. Access Enabled. History Introduced in WSS Software Version 6.0. Usage Assigning radios to specific load balancing groups is optional. When you do this, WSS Software considers them to have exactly overlapping coverage areas, rather than using signal strength calculations to determine their overlapping coverage.
  • Page 281: Set Ap Radio Radio-Profile

    2 radio-profile name mode enable mode disable Defaults None. List of ports. Number of an AP. Sets the radio profile for the AP configuration profile. (See set ap auto on page 245.) Radio 1 of the AP.
  • Page 282: Set Ap Radio Tx-Power

    Access Enabled. History Version 4.0 Option auto added for configuration of the AP configuration profile. Version 6.0 Option dap removed. Usage When you create a new profile, the radio parameters in the profile are set to their factory default values. To enable or disable all radios that use a specific radio profile, use set radio-profile.
  • Page 283 11: WSS# set ap 11 radio 1 channel 1 tx-power 10 success: change accepted. See Also • set ap radio channel on page 267 • show ap config on page 344 ...
  • Page 284: Set Ap Security

    Option dap removed in 6.0. Usage This parameter applies to all APs managed by the switch. If you change the setting to required, the switch requires APs to have encryption keys. The switch also requires their fingerprints to be verified in WSS Software.
  • Page 285: Set Ap Sticky-Bit

    Configures WSS Software to steer clients that support both the 802.11a and 802.11b/g radio bands to a specific radio on an AP for the purpose of RF load balancing. List of ports connected to the AP(s) on which to allow automatic firmware upgrades.
  • Page 286: Set Load-Balancing Mode

    802.11b/g radio. When a client supports both 802.11a and 802.11b/g radio bands, steers the client to the 802.11a radio. Enables RF load balancing globally on the WSS switch. Disables RF load balancing globally on the WSS switch.
  • Page 287: Set Load-Balancing Strictness

    Usage By default, RF load balancing is enabled on all AP radios. Use this command to disable or re-enable RF load balancing globally for all AP radios managed by the WSS switch. If RF load balancing has been enabled or disabled for a specific AP radio, then the setting for the individual radio takes precedence over the global setting.
  • Page 288: Set Radio-Profile Active-Scan

    across the AP radios in the load-balancing group. When low strictness is specified (the default), WSS Software makes heavily loaded AP radios less visible in order to steer clients to less-busy AP radios, but ensures that even if all the AP radios in the group are heavily loaded, clients are not denied service. At the other end of the spectrum, when max strictness is specified, if an AP radio has reached its maximum client load, WSS Software makes it invisible to new clients, causing them to attempt to connect to other AP radios.
  • Page 289: Set Radio-Profile Auth-Dot1X

    If RF Auto-Tuning for channels is enabled, WSS Software does not allow you to manually change channels. Radio profile name.
  • Page 290: Set Radio-Profile Auto-Tune Channel-Holddown

    Even when RF Auto-Tuning for channels is enabled, WSS Software does not change the channel on radios that have active client sessions, unless you use the no-client option. RF Auto-Tuning of channels on 802.11a radios uses only the bottom eight channels in the band (36, 40, 44, 48, 52, 56, 60, and 64).
  • Page 291: Set Radio-Profile Auto-Tune Channel-Interval

    282 • show radio-profile on page 376 Radio profile name. Number of seconds RF Auto-Tuning waits before changing radio channels to adjust to RF changes, if needed. You can specify from 0 to...
  • Page 292: Set Radio-Profile Auto-Tune Channel-Lockdown

    set radio-profile auto-tune channel-lockdown Locks down the current channel settings on all radios in a radio profile. The channel settings that are in effect when the command is entered are changed into statically configured channel assignments on the radios. RF Auto-Tuning of channels is then disabled in the radio profile.
  • Page 293: Set Radio-Profile Auto-Tune Power-Interval

    Defaults The default power tuning interval is 300 seconds. Access Enabled. Radio profile name. Configures radios to dynamically set their power levels when the APs are started. Configures radios to use their statically assigned power levels, or the default power levels if unassigned, when the radios are started.
  • Page 294: Set Radio-Profile Auto-Tune Power-Lockdown

    History Introduced in WSS Software Version 3.0. Examples The following command sets the power interval for radios in radio profile rp2 to 240 seconds: WSS# set radio-profile rp2 auto-tune power-interval 240 success: change accepted. See Also • set ap radio auto-tune max-power on page 265 •...
  • Page 295: Set Radio-Profile Auto-Tune Power-Ramp-Interval

    Usage You must disable all radios that are using a radio profile before you can change parameters in the profile. Use the set radio-profile mode command. Radio profile name. Number of seconds WSS Software waits before increasing or decreasing radio power by another 1 dBm.
  • Page 296: Set Radio-Profile Beaconed-Ssid

    Examples The following command changes the beacon interval for radio profile rp1 to 200 ms: WSS# set radio-profile rp1 beacon-interval 200 success: change accepted. See Also • set radio-profile mode on page 291 • show radio-profile on page 376 set radio-profile beaconed-ssid See set service-profile beacon on page 310.
  • Page 297: Set Radio-Profile Countermeasures

    Examples The following command enables countermeasures in radio profile radprof3 for rogues only: WSS# set radio-profile radprof3 countermeasures rogue success: change accepted. Radio profile name. Configures radios to attack rogues and interfering devices. Configures radios to attack rogues only.
  • Page 298: Set Radio-Profile Crypto-Ssid

    The following command disables countermeasures in radio profile radprof3: WSS# clear radio-profile radprof3 countermeasures success: change accepted. The following command causes radios managed by radio profile radprof3 to issue countermeasures against devices in the WSS’s attack list: WSS# set radio-profile radprof3 countermeasures configured success: change accepted.
  • Page 299: Set Radio-Profile Frag-Threshold

    319 • set service-profile short-retry-count on page 325 • show radio-profile on page 376 Radio profile name. Maximum frame length, in bytes. You can enter a value from 256 through 2346.
  • Page 300: Set Radio-Profile Long-Retry

    set radio-profile long-retry Deprecated in WSS Software Version 4.1. In 4.1, this parameter is associated with service profiles instead of radio profiles. See set service-profile long-retry-count on page 319. set radio-profile max-rx-lifetime Changes the maximum receive threshold for the AP radios in a radio profile. The maximum receive threshold specifies the number of milliseconds that a frame received by a radio can remain in buffer memory.
  • Page 301: Set Radio-Profile Mode

    Parameter active-scan auto-tune beacon-interval Radio profile name of up to 16 alphanumeric characters, with no spaces. Use this command without the mode enable or mode disable option to create a new profile.
  • Page 302 Table 4: Defaults for Radio Profile Parameters (continued) Parameter countermeasures dtim-interval frag-threshold max-rx-lifetime max-tx-lifetime preamble-length qos-mode rfid-mode rts-threshold service-profile wmm-powersave Access Enabled. NN47250-100 (Version 02.51) Radio Behavior When Default Parameter Set To Default Value Value Not configured Does not issue countermeasures against any device.
  • Page 303 271 • show ap config on page 344 • show radio-profile on page 376 in WSS Software Version 4.1 removed: • 11g-only • long-retry • short-retry...
  • Page 304: Set Radio-Profile Preamble-Length

    set radio-profile preamble-length Changes the preamble length for which an 802.11b/g AP radio advertises support. This command does not apply to 802.11a. Syntax set radio-profile name preamble-length {long | short} name long short Defaults The default is short. Access Enabled. Usage Changing the preamble length value affects only the support advertised by the radio.
  • Page 305 Configures WSS Software to enforce data rates, which means that a connecting client must transmit at one of the mandatory or standard rates in order to associate with the AP. Optimizes forwarding prioritization of AP radios for SpectraLink Voice Priority (SVP).
  • Page 306 Syntax set radio-profile name rate-enforcement {enable | disable} name enable disable Defaults Data rate enforcement is disabled by default. Access Enabled. History Introduced in WSS Software Version 6.0. Usage Each type of radio (802.11a, 802.11b, and 802.11g) providing service to an SSID has a set of radio rates allowed for use when sending beacons, multicast frames, and unicast data.
  • Page 307: Set Radio-Profile Rts-Threshold

    • set radio-profile mode on page 291 • show radio-profile on page 376 Radio profile name. Enables radios to function as asset location receivers. Disables radios from functioning as asset location receivers.
  • Page 308: Set Radio-Profile Service-Profile

    set radio-profile service-profile Maps a service profile to a radio profile. All radios that use the radio profile also use the parameter settings, including SSID and encryption settings, in the service profile. Syntax set radio-profile name service-profile name radio-profile name service-profile name Defaults A radio profile does not have a service profile associated with it by default.
  • Page 309 Radio Behavior When Parameter Set To Default Value Does not use Counter with Cipher Block Chaining Message Authentication Code Protocol (CCMP) to encrypt traffic sent to WPA clients.
  • Page 310 Table 5: Defaults for Service Profile Parameters (continued) Parameter no-broadcast proxy-arp psk-phrase psk-raw rsn-ie shared-key-auth short-retry-count soda ssid-name ssid-type static-cos Radio Behavior When Default Value Parameter Set To Default Value disable Does not reduce wireless broadcast traffic by sending unicasts to clients for ARP requests and DHCP Offers and Acks instead of forwarding them...
  • Page 311 802.11g: • mandatory: • beacon-rate: 2.0 • multicast-rate: • disabled: none user-idle-timeout Radio Behavior When Parameter Set To Default Value Uses Michael countermeasures for 60,000 ms (60 seconds) following detection of a second MIC failure within 60 seconds.
  • Page 312 Table 5: Defaults for Service Profile Parameters (continued) Parameter web-portal-acl web-portal-form web-portal-session-timeout wep key-index wep active-multicast-index wep active-unicast-index wpa-ie Access Enabled. History Introduced in WSS Software Version 3.0. Usage You must configure the service profile before you can map it to a radio profile. You can map the same service profile to more than one radio profile.
  • Page 313 336 • set service-profile web-portal-form on page 337 • set service-profile web-portal-logout on page 339 • set service-profile wep active-multicast-index on page 340 • set service-profile wep active-unicast-index on page 341...
  • Page 314: Set Radio-Profile Shared-Key-Auth

    • set service-profile wep key-index on page 342 • set service-profile wpa-ie on page 342 • show radio-profile on page 376 • show service-profile on page 380 set radio-profile shared-key-auth See set service-profile shared-key-auth on page 324. set radio-profile short-retry Deprecated in WSS Software Version 4.1.
  • Page 315: Set Radio-Profile Wmm-Powersave

    291 • set radio-profile qos-mode on page 295 • show radio-profile on page 376 set radio-profile wpa-ie See set service-profile wpa-ie on page 342. Radio profile name. Enables U-APSD. Disables U-APSD.
  • Page 316 set service-profile attr Configures authorization attributes that are applied by default to users accessing the SSID managed by the service profile. These SSID default attributes are applied in addition to any supplied by the RADIUS server or from the local database. Syntax set service-profile name attr attribute-name value name...
  • Page 317: Set Service-Profile Auth-Dot1X

    Examples The following command disables 802.1X authentication for WPA clients that use service profile wpa_clients: WSS# set service-profile wpa_clients auth-dot1x disable success: change accepted. Service profile name. Enables 802.1X authentication of WPA clients. Disables 802.1X authentication of WPA clients.
  • Page 318: Set Service-Profile Auth-Fallthru

    See Also • set service-profile auth-psk on page 309 • set service-profile psk-phrase on page 322 • set service-profile wpa-ie on page 342 • show service-profile on page 380 set service-profile auth-fallthru Specifies the authentication type for users who do not match an 802.1X or MAC authentication rule for an SSID managed by the service profile.
  • Page 319: Set Service-Profile Auth-Psk

    323 • set service-profile wpa-ie on page 342 • show service-profile on page 380 Service profile name. Enables PSK authentication of WPA clients. Disables PSK authentication of WPA clients. Guide.)
  • Page 320: Set Service-Profile Beacon

    set service-profile beacon Disables or reenables beaconing of the SSID managed by the service profile. An AP radio responds to an 802.11 probe any request with only the beaconed SSID(s). For a nonbeaconed SSID, radios respond only to directed 802.11 probe requests that match the nonbeaconed SSID’s SSID string. When you disable beaconing for an SSID, the radio still sends beacon frames, but the SSID name in the frames is blank.
  • Page 321: Set Service-Profile Cac-Mode

    See Also • set service-profile cac-session on page 312 • show service-profile on page 380 Service profile name. CAC is not used. CAC is based on the number of active sessions.
  • Page 322: Set Service-Profile Cac-Session

    set service-profile cac-session Specifies the maximum number of active sessions a radio can have when session-based CAC is enabled. When an AP radio has reached the maximum allowed number of active sessions, the radio refuses connections from additional clients. Syntax set service-profile name cac-session max-sessions name max-sessions...
  • Page 323: Set Service-Profile Cipher-Tkip

    333 • set service-profile wpa-ie on page 342 • show service-profile on page 380 Service profile name. Enables TKIP encryption for WPA clients. Disables TKIP encryption for WPA clients.
  • Page 324: Set Service-Profile Cipher-Wep

    set service-profile cipher-wep104 Enables dynamic Wired Equivalent Privacy (WEP) with 104-bit keys, in a service profile. Syntax set service-profile name cipher-wep104 {enable | disable} name enable disable Defaults 104-bit WEP encryption is disabled by default. Access Enabled. History Introduced in WSS Software Version 3.0. Usage To use 104-bit WEP with WPA clients, you must also enable the WPA IE.
  • Page 325: Set Service-Profile Cos

    380 set service-profile cos Sets the Class-of-Service (CoS) level for static CoS. Service profile name. Enables 40-bit WEP encryption for WPA clients. Disables 40-bit WEP encryption for WPA clients.
  • Page 326: Set Service-Profile Dhcp-Restrict

    Service profile name. CoS value assigned by the AP to all traffic in the service profile. Nortel WLAN Security Switch 2300 Series Configuration Service profile name. Enables DHCP Restrict. Disables DHCP Restrict. Guide.) To enable...
  • Page 327: Set Service-Profile Idle-Client-Probing

    Configures AP radios managed by the radio profile to leave a roamed user on the VLAN assigned by the switch where the user logged on. When this option is disabled, a user’s VLAN is reassigned by each WSS to which a user roams.
  • Page 328: Set Service-Profile Load-Balancing-Exempt

    • A location policy on the local switch reassigns the VLAN. • The user is configured in the switch’s local database and the VLAN-Name attribute is set on the user or on a user group the user is in. •...
  • Page 329: Set Service-Profile Long-Retry-Count

    325 • show service-profile on page 380 Service profile name. Number of times the radio can send the same long unicast frame. You can enter a value from 1 through 15.
  • Page 330: Set Service-Profile No-Broadcast

    set service-profile mesh Creates a service profile for use with WLAN mesh services. Syntax set service-profile name mesh mode {enable | disable} name enable disable Defaults None. Access Enabled. History Introduced in WSS Software version 6.0. Usage Use this command to configure mesh services for a service profile. Once configured, the service profile can then be mapped to a radio profile that manages a radio on the Mesh Portal AP, which then allows a Mesh Portal AP to beacon a mesh services SSID to Mesh APs.
  • Page 331: Set Service-Profile Proxy-Arp

    Defaults Proxy ARP is disabled by default. Access Enabled. History Introduced in WSS Software Version 4.1. Service profile name. Enables the no-broadcast mode. AP radios are not allowed to send broadcast traffic to clients on the service profile’s SSID.
  • Page 332: Set Service-Profile Psk-Phrase

    Usage To further reduce broadcast traffic on a service profile, use the set service-profile no-broadcast command to disable DHCP and ARP request broadcasts. Examples The following command enables proxy ARP on service profile sp1: WSS# set service-profile sp1 proxy-arp enable success: change accepted.
  • Page 333: Set Service-Profile Psk-Raw

    The RSN IE advertises the RSN (sometimes called WPA2) authentication methods and cipher suites supported by radios in the radio profile mapped to the service profile. Service profile name. A 64-bit ASCII string representing a 32-digit hexadecimal number. Enter...
  • Page 334: Set Service-Profile Shared-Key-Auth

    Syntax set service-profile name rsn-ie {enable | disable} name enable disable Defaults The RSN IE is disabled by default. Access Enabled. History Introduced in WSS Software Version 3.0. Usage When the RSN IE is enabled, the default authentication method is 802.1X. There is no default cipher suite.
  • Page 335: Set Service-Profile Short-Retry-Count

    319 • show service-profile on page 380 Service profile name. Number of times a radio can send the same short unicast frame. You can enter a value from 1 through 15.
  • Page 336: Set Service-Profile Soda Agent-Directory

    set service-profile soda agent-directory Specifies the directory on the WSS where the SODA agent files for a service profile are located. Syntax set service-profile name soda agent-directory directory name directory Defaults By default, the WSS expects SODA agent files to be located in a directory with the same name as the service profile.
  • Page 337: Set Service-Profile Soda Failure-Page

    After this page is loaded, the specified remediation ACL takes effect, or if there is no remediation ACL configured, then the client is disconnected from the network. Service profile name.
  • Page 338: Set Service-Profile Soda Logout-Page

    This functionality occurs only when the enforce checks option is enabled for the service profile. The enforce checks option is enabled by default. The page is assumed to reside in the root directory on the WSS. You can optionally specify a different directory where the page resides.
  • Page 339: Set Service-Profile Soda Mode

    542 • set service-profile soda enforce-checks on page 326 • show service-profile on page 380 Service profile name. Enables SODA functionality for the service profile. Disables SODA functionality for the service profile.
  • Page 340: Set Service-Profile Soda Remediation-Acl

    set service-profile soda remediation-acl Specifies an ACL to be applied to a client if it fails the checks performed by the SODA agent. Syntax set service-profile name soda remediation-acl acl-name name acl-name Defaults None. Access Enabled. History Introduced in WSS Software Version 4.1. Usage If the SODA agent checks fail on a client, by default the client is disconnected from the network.
  • Page 341: Set Service-Profile Ssid-Name

    History Version 4.0 Support added for blank spaces in the SSID name. Service profile name. Name of up to 32 alphanumeric characters. You can include blank spaces in the name, if you delimit the name with single or double quotation marks.
  • Page 342: Set Service-Profile Ssid-Type

    Examples The following command applies the name guest to the SSID managed by service profile clear_wlan: WSS# set service-profile clear_wlan ssid-name guest success: change accepted. The following command applies the name corporate users to the SSID managed by service profile mycorp_srvcprf: WSS# set service-profile mycorp_srvcprf ssid-name "corporate users"...
  • Page 343: Set Service-Profile Tkip-Mc-Time

    Defaults The default countermeasures wait time is 60,000 ms (60 seconds). Access Enabled. Service profile name. Enables static CoS on the service profile. Disables static CoS on the service profile.
  • Page 344 History Introduced in WSS Software Version 3.0. Usage Countermeasures apply only to TKIP and WEP clients. This includes WPA WEP clients and non-WPA WEP clients. CCMP clients are not affected. The TKIP cipher suite must be enabled. The WPA IE also must be enabled. Examples The following command changes the countermeasures wait time for service profile sp3 to 30,000 ms (30 seconds): WSS# set service-profile sp3 tkip-mc-time 30000...
  • Page 345 WSS# set service-profile sp1 transmit-rates 11a mandatory 6.0,9.0 disabled 48.0,54.0 beacon-rate 9.0 success: change accepted. Data rate of beacon frames sent by AP radios. This rate is also used for probe-response frames.
  • Page 346: Set Service-Profile User-Idle-Timeout

    See Also show service-profile on page 380 set service-profile user-idle-timeout Changes the number of seconds WSS Software will leave a session up for a client that is not sending data and is not responding to keepalives (idle-client probes). If the timer expires, the client’s session is changed to the Dissociated state.
  • Page 347: Set Service-Profile Web-Portal-Form

    Defaults The Nortel Web login page is served by default. Access Enabled. Service profile name. Name of the ACL to use for filtering Web-Portal user traffic during authentication.
  • Page 348 Usage Nortel recommends that you create a subdirectory for the custom page and place all the page’s files in that subdirectory. Do not place the custom page in the root directory of the switch’s user file area. If the custom login page includes gif or jpg images, their path names are interpreted relative to the directory from which the page is served.
  • Page 349: Set Service-Profile Web-Portal-Session-Timeout

    Changes the number of seconds WSS Software allows Web Portal Web-based AAA sessions to remain in the Deassociated state before being terminated automatically. Service profile name. To enable or disable web portal logout.
  • Page 350: Set Service-Profile Wep Active-Multicast-Index

    Syntax set service-profile name web-portal-session-timeout seconds name seconds Defaults The default Web Portal Web-based AAA session timeout is 5 seconds. Access Enabled. History Introduced in WSS Software Version 4.1. Usage When a client that has connected through Web Portal Web-based AAA enters standby or hibernation mode, the client may be idle for longer than the User idle-timeout period.
  • Page 351: Set Service-Profile Wep Active-Unicast-Index

    340 • set service-profile wep key-index on page 342 • show service-profile on page 380 Service profile name. WEP key number. You can enter a value from 1 through 4.
  • Page 352: Set Service-Profile Wep Key-Index

    set service-profile wep key-index Sets the value of one of four static Wired-Equivalent Privacy (WEP) keys for static WEP encryption. Syntax set service-profile name wep key-index num key value name key-index num key value Defaults By default, no static WEP keys are defined. Access Enabled.
  • Page 353: Show Ap Arp

    WSS# show ap arp 7 AP 7: Host HW Address --------- ---------------------- ------------- 10.5.4.51 00:0b:0e:00:04:0c 1 EXPIRED 10.5.4.53 00:0b:0e:02:76:f7 Table 39 describes the fields in this display. ap-number VLAN State Type ------------- DYNAMIC 1 RESOLVED LOCAL...
  • Page 354 ARP aging timeout. • LOCAL—Entry for the WSS MAC address. Each VLAN has one local entry for the switch MAC address. • PERMANENT—Entry does not age out and remains in the configuration even following a reboot.
  • Page 355 1, profile: default auto-tune max-power: default Radio 2: type: 802.11a, mode: disabled, channel: 36 tx pwr: 1, profile: default auto-tune max-power: default Table 40 describes the fields in this display. ...
  • Page 356 Field Port serial-id AP model bias name fingerprint boot-download-enable force-image-download load balancing group Radio Table 7: Output for show ap config Description WSS port number. Note: This field is applicable only if the AP is directly connected to the WSS and the WSS’s port is configured as an AP access port.
  • Page 357 • set ap radio tx-power on page 272 • show ap connection on page 371 • show ap global on page 373 Description Radio type: • 802.11a • 802.11b • 802.11g Radio state: •...
  • Page 358: Show Ap Counters

    • show ap unconfigured on page 374 • show radio-profile on page 376 show ap counters Displays AP and radio statistics counters. Syntax show ap counters [port-list [radio {1 | 2}]] port-list ap-num radio 1 radio 2 Defaults None. Access Enabled. History Version 4.0 New fields added:...
  • Page 359 Table 8: Output for show ap counters Field Port radio LastPktXferRate NumCntInPwrSave LastPktRxSigStrength LastPktSigNoiseRatio TKIP Pkt Transfer Ct TKIP Decrypt Err 0 CCMP Pkt Replays 0 RadioResets Transmit Retries 60501 Noise Floor 802.3 Packet Rx Ct 0 8347...
  • Page 360 Table 8: Output for show ap counters (continued) Field TKIP Pkt Replays CCMP Pkt Decrypt Err CCMP Pkt Transfer Ct Radio Recv Phy Err Ct Radio Adjusted Tx Pwr 802.3 Packet Tx Ct No Receive Descriptor PktTxCount MultiPktDrop MultiBytDrop Description Number of TKIP packets that were resent to the AP by a client.
  • Page 361 -80 or higher is good for an 802.11a radio. Values near 0 can indicate RF interference. 802.3 Packet Rx Ct Number of raw 802.3 packets received by the radio. These are LocalTalk (AppleTalk) frames. This counter increments only if LocalTalk traffic is present. ...
  • Page 362: Show Ap Dual-Home

    Table 8: Output for show ap counters (continued) Field The counters above are global for all data rates. The counters below are for individual data rates. Note: If counters for lower data rates are incrementing but counters for higher data rates are not incrementing, this can indicate poor throughput.
  • Page 363: Show Ap Fdb

    Destination Ports See Also • set ap local-switching mode on page 260 • set vlan-profile ----------------- eth0 Table 9: Output for show ap fdb Description VLAN number. VLAN tag value. If the interface is untagged, the TAG field is blank.
  • Page 364: Show Ap Qos-Stats

    show ap qos-stats Displays statistics for AP forwarding queues. Syntax show ap qos-stats [ap-num] [clear] Syntax show ap qos-stats [port-list] [clear] ap-num port-list clear Defaults None. Access Enabled. History Version 4.0 Command introduced. Version 4.1 TxDrop field added. Version 5.0 Option clear added.
  • Page 365: Show Ap Etherstats

    75432 TxGoodFrames: RxMulticast: 18789 TxSingleColl: RxBroadcast: RxGoodFrames: 94229 TxMaxColl: RxAlignErrs: Description CoS value associated with the forwarding queues. Forwarding queue. AP number or AP port number. Radio number. Number of packets transmitted to the air from the queue.
  • Page 366 RxShortFrames: RxCrcErrors: RxOverruns: RxDiscards: AP: 1 ether: 2 ================================= RxUnicast: 64379 TxGoodFrames: RxMulticast: 21798 TxSingleColl: RxBroadcast: 11 TxLateColl: RxGoodFrames: 86188 TxMaxColl: RxAlignErrs: RxShortFrames: RxCrcErrors: RxOverruns: RxDiscards: Table 44 describes the fields in this display. Table 11: Output for show ap etherstats Field RxUnicast RxMulticast...
  • Page 367: Show Ap Group

    ------------------------------------------------- BSSID: 00:0b:0e:17:bb:3f (54 Mbps) packets bytes Description Number of frames that were not transmitted because they encountered a collision outside the normal collision window. Number of frames that were not transmitted because they encountered the maximum allowed number of collisions.
  • Page 368: Show Ap Status

    Displays a brief line of essential status information for each AP. List of ports connected to the AP(s) for which to display status. Number of an AP for which to display status. Shows status information for all directly attached APs and all APs configured on the switch.
  • Page 369 1, IP-addr: 10.2.30.5 (vlan 'vlan-corp'), AP model:2330, manufacturer: Nortel, name: AP01 fingerprint: b4:f9:2a:52:37:58:f4:d0:10:75:43:2f:45:c9:52:c3 ==================================================== State: operational (not encrypted) CPU info: IBM:PPC speed=266666664 Hz version=405GPr id=0x29c15335347f1919 ram=33554432 s/n=0333703027 hw_rev=A3 Uptime: 18 hours, 36 minutes, 27 seconds...
  • Page 370 Radio 1 type: 802.11g, state: configure succeed [Enabled] (802.11b protect) operational channel: 1 operational power: 14 base mac: 00:0b:0e:00:d2:c0 bssid1: 00:0b:0e:00:d2:c0, ssid: public bssid2: 00:0b:0e:00:d2:c2, ssid: employee-net bssid3: 00:0b:0e:00:d2:c4, ssid: mycorp-tkip Radio 2 type: 802.11a, state: configure succeed [Enabled] operational channel: 64 operational power: 14 base mac: 00:0b:0e:00:d2:c1 bssid1: 00:0b:0e:00:d2:c1, ssid: public bssid2: 00:0b:0e:00:d2:c3, ssid: employee-net...
  • Page 371 Link AP port Description Connection ID for the AP. Note: This field is applicable only if the AP is configured on the WSS as an AP. WSS port number.
  • Page 372 Table 13: Output for show ap status (continued) Field State CPU info Uptime Description State of the AP: • init—The AP has been recognized by the WSS but has not yet begun booting. • booting—The AP has asked the WSS for a boot image.
  • Page 373 • Sweep Mode indicates that a disabled radio is • Countermeasures Enabled indicates that the radio • Radar Scan indicates that the radio is performing has received configuration parameters for the radio and the radio is ready to accept client connections.
  • Page 374 Table 13: Output for show ap status (continued) Field Radio 1 type Radio 2 type (cont.) operational channel operational power base mac Description • Radar Detected indicates that DFS has detected radar on the channel. When this occurs, the AP stops transmitting on the channel for 30 minutes.
  • Page 375: Show Ap Vlan

    Displays information about the VLANs that are either locally switched by the specified AP or tunneled from the AP to a WSS switch. Description SSIDs configured on the radio and their BSSIDs.
  • Page 376 VLAN number. VLAN name Whether packets for the VLAN are locally switched by the AP, or are tunneled to a WSS switch, which places them on the VLAN. The port(s) through which traffic for the VLAN is sent. VLAN tag value. If the interface is untagged, none is displayed...
  • Page 377: Show Auto-Tune Attributes

    Noise Utilization CRC Errors count AP port connected to the AP for which to display RF attributes. Number of an AP for which to display RF attributes. Shows RF attribute information for radio 1.
  • Page 378: Show Auto-Tune Neighbors

    Table 16: Output for show auto-tune attributes (continued) Field Packet Retransmission Count Phy Errors Count See Also • set ap radio auto-tune max-power on page 265 • set radio-profile auto-tune channel-config on page 279 • set radio-profile auto-tune channel-holddown on page 280 •...
  • Page 379 • show ap vlan on page 365 • show radio-profile on page 376 Description Channel on which the BSSID is detected. BSSID detected by the radio. Received signal strength indication (RSSI), in decibels referred...
  • Page 380 VLAN Tag: Disabled Switch: Disabled Mesh: Disabled IP Address: Netmask: Gateway: VLAN Tag: Switch IP: Switch Name: DNS IP: Mesh SSID: Mesh PSK: Table 44 describes the fields in this display. Table 18: Output for show ap boot-configuration Field VLAN Tag
  • Page 381: Show Ap Connection

    This command provides information only if the AP is configured on the switch where you use the command. The switch does not need to be the one that booted the AP, but it must have the AP in its configuration. Also, the switch that booted the AP must be in the same Mobility Domain as the switch where you use the command.
  • Page 382 IP address assigned by DHCP to the AP. System IP address of the WSS on which the AP has an active connection. This is the switch that the AP used for booting and configuration and is using for data transfer.
  • Page 383: Show Ap Global

    Table 53 describes the fields in this display. Table 20: Output for show ap global Field Serial Id Number of an AP for which to display configuration settings. AP serial ID. ---- HIGH...
  • Page 384: Show Ap Unconfigured

    Table 20: Output for show ap global (continued) Field IP Address Bias See Also • set ap on page 33 • set ap bias on page 249 • show ap config on page 344 • show ap connection on page 371 •...
  • Page 385: Show Load-Balancing Group

    History Introduced in WSS Version 6.0. Usage Use this command to display information about the RF load-balancing groups configured on the WSS and the individual AP radios in the load-balancing groups. Description Serial ID of the AP.
  • Page 386: Show Radio-Profile

    Examples The following command displays information about the AP radios that are in the same group as radio 1 on AP 3: WSS# show load-balancing group ap 3 radio 1 Radios in the same load-balancing group as: ap3/radio1 -------------------------------------------------- IP address AP Radio Overlap ------------------ ---- ----- ------- 10.2.28.200...
  • Page 387 WMM Powersave: QoS Mode: No service profiles configured. Table 56 describes the fields in this display. • Countermeasures • Active-Scan • WMM enabled Client Backoff Timer to Power Backoff Timer moved to show service-profile output. (These options are now configurable on a service-profile basis instead of a radio-profile basis.)
  • Page 388 Table 23: Output for show radio-profile Field Beacon Interval DTIM Interval Max Tx Lifetime Max Rx Lifetime RTS Threshold Frag Threshold Long Preamble Tune Channel Tune Power Tune Channel Interval Tune Power Interval Power ramp interval Channel Holddown Description Rate (in milliseconds) at which each AP radio in the profile advertises the beaconed SSID.
  • Page 389 289 • set radio-profile max-rx-lifetime on page 290 • set radio-profile max-tx-lifetime on page 290 Description Indicates whether countermeasures are enabled. Indicates whether the active-scan mode of RF detection is enabled.
  • Page 390: Show Service-Profile

    • set radio-profile mode on page 291 • set radio-profile preamble-length on page 294 • set radio-profile qos-mode on page 295 • set radio-profile rfid-mode on page 296 • set radio-profile rts-threshold on page 297 • set radio-profile service-profile on page 298 •...
  • Page 391 DHCP restrict: no No broadcast: Short retry limit: 5 Long retry limit: Auth fallthru: none Sygate On-Demand (SODA):no profile output) output) • beacon rate • multicast rate • mandatory rate • standard rates •...
  • Page 392 Enforce SODA checks: yes SODA remediation ACL: Custom success web-page: Custom failure web-page: Custom logout web-page: Custom agent-directory: Static COS: COS: CAC mode: none CAC sessions: User idle timeout: 180 Idle client probing: Keep initial vlan: no Web Portal Session Timeout: Web Portal ACL: WEP Key 1 value: <none>...
  • Page 393 If no page is specified, then the client is disconnected without loading a logout page. and allows access to the SSID requested by the user, without requiring a username and password.
  • Page 394 Table 24: Output for show service-profile (continued) Field Custom agent-directory Static COS CAC mode CAC sessions User idle timeout Idle client probing Keep initial VLAN Web Portal Session Timeout Web Portal ACL WEP Key 1 value WEP Key 2 value Description The name of the directory for SODA agent files on the WSS, if...
  • Page 395 Attributes are listed here only if they have been configured as default attribute settings for the service profile. values that can be assigned to network users. radios in the radio profile mapped to this service profile.
  • Page 396 Table 24: Output for show service-profile (continued) Field 11a / 11b / 11g transmit rate fields • set service-profile attr on page 306 • set service-profile auth-dot1x on page 307 • set service-profile auth-fallthru on page 308 • set service-profile auth-psk on page 309 •...
  • Page 397 339 • set service-profile wep active-multicast-index on page 340 • set service-profile wep active-unicast-index on page 341 • set service-profile wep key-index on page 342 • set service-profile wpa-ie on page 342...
  • Page 399: Stp Commands

    Port Cost Port Priority Timers Fast Convergence Statistics set spantree on page 393 show spantree on page 400 show spantree blockedports on page 404 set spantree priority on page 399 set spantree portcost on page 395...
  • Page 400: Clear Spantree Portcost

    clear spantree portcost Resets to the default value the cost of a network port or ports on paths to the STP root bridge in all VLANs on a WSS. Syntax clear spantree portcost port-list port-list Defaults None. Access Enabled. Usage This command resets the cost in all VLANs. To reset the cost for only specific VLANs, use the clear spantree portvlancost command.
  • Page 401: Clear Spantree Portvlancost

    Resets to the default value the priority of a network port or ports for selection as part of the path to the STP root bridge, on one VLAN or all VLANs. List of ports. The port cost is reset on the specified ports.
  • Page 402: Clear Spantree Statistics

    Syntax clear spantree portvlanpri port-list {all | vlan vlan-id} port-list vlan vlan-id Defaults None. Access Enabled. Usage WSS Software does not change a port’s priority for VLANs other than the one(s) you specify. Examples The following command resets the STP priority for port 20 in VLAN avocado: WSS# clear spantree portvlanpri 20 vlan avocado success: change accepted.
  • Page 403: Set Spantree

    Defaults STP backbone fast path convergence is disabled by default. Access Enabled. Enables STP. Disables STP. Enables or disables STP on all VLANs. VLAN name or number. WSS Software enables or disables STP on only the specified VLAN, on all ports within the VLAN.
  • Page 404: Set Spantree Fwddelay

    Usage If you plan to use the backbone fast convergence feature, you must enable it on all the bridges in the spanning tree. Examples The following command enables backbone fast convergence: WSS# set spantree backbonefast enable success: change accepted. See Also show spantree backbonefast on page 403 set spantree fwddelay Changes the period of time after a topology change that a WSS which is not the root bridge waits to begin forwarding...
  • Page 405: Set Spantree Maxage

    Changes the maximum age for an STP root bridge hello packet that is acceptable to a WSS acting as a designated bridge on one or all of its VLANs. After waiting this period of time for a new hello packet, the switch determines that the root bridge is unavailable and issues a topology change message.
  • Page 406: Set Spantree Portfast

    Defaults The default port cost depends on the port speed and link type. port path cost. Table 1.SNMP Port Path Cost Defaults Port Speed 1000 Mbps 1000 Mbps 100 Mbps 100 Mbps 100 Mbps 10 Mbps 10 Mbps 10 Mbps Access Enabled.
  • Page 407: Set Spantree Portpri

    Changes the cost of a network port or ports on paths to the STP root bridge for a specific VLAN on a WSS. Enables port fast convergence. Disables port fast convergence.
  • Page 408: Set Spantree Portvlanpri

    Syntax set spantree portvlancost port-list cost cost {all | vlan vlan-id} port-list cost cost vlan vlan-id Defaults The default port cost depends on the port speed and link type. (See Access Enabled. Examples The following command changes the cost on ports 3 and 4 to 20 in VLAN mauve: WSS# set spantree portvlancost 3,4 cost 20 vlan mauve success: change accepted.
  • Page 409: Set Spantree Priority

    Enables or disables STP uplink fast convergence on a WSS. This feature enables a WSS with redundant links to the network backbone to immediately switch to the backup link to the root bridge if the primary link fails. Syntax...
  • Page 410: Show Spantree

    Defaults Disabled. Access Enabled. Usage The uplink fast convergence feature is applicable to bridges that are acting as access switches to the network core (distribution layer) but are not in the core themselves. Do not enable the feature on WSSs that are in the network core.
  • Page 411 Bridge Max Age 20 sec Hello Time 2 sec Forward Delay 15 sec...
  • Page 412 Port Vlan STP-State Cost Prio Portfast ------------------------------------------------------------------------------ Forwarding 19 128 STP Off 19 128 Disabled 19 128 Disabled 19 128 Disabled 19 128 Disabled 19 128 Disabled 19 128 Disabled 19 128 Table 59 describes the fields in this display. Field VLAN Spanning Tree Mode...
  • Page 413: Show Spantree Backbonefast

    Indicates whether the STP backbone fast convergence feature is enabled or disabled. Syntax show spantree backbonefast Defaults None. Table 2: Output for show spantree (continued) Description STP state of the port: • Blocking—The port is not forwarding Layer 2 traffic but is listening to and forwarding STP control traffic.
  • Page 414: Show Spantree Blockedports

    Access All. Examples The following example shows the command output on a WSS with backbone fast convergence enabled: WSS# show spantree backbonefast Backbonefast is enabled See Also set spantree backbonefast on page 393 show spantree blockedports Lists information about WSS ports that STP has blocked on one or all of its VLANs. Syntax show spantree blockedports [vlan vlan-id] vlan vlan-id...
  • Page 415: Show Spantree Portfast

    Table 60 describes the fields in this display. List of ports. If you do not specify any ports, WSS Software displays uplink fast convergence information for all ports. disable disable...
  • Page 416: Show Spantree Portvlancost

    Table 3: Output for show spantree portfast Field Port VLAN Portfast See Also set spantree portfast on page 396 show spantree portvlancost Displays the cost of a port on a path to the STP root bridge, for each of the port’s VLANs. Syntax show spantree portvlancost port-list port-list...
  • Page 417: Show Spantree Statistics

    BPDU's xmitted(port/VLAN) tcn BPDU's received(port/VLAN) forward transition count (port/VLAN) List of ports. If you do not specify any ports, WSS Software displays STP statistics for all ports. VLAN name or number. If you do not specify a VLAN, WSS Software displays STP statistics for all VLANs.
  • Page 418 scp failure count root inc trans count (port/VLAN) inhibit loopguard loop inc trans count Status of Port Timers forward delay timer forward delay timer value message age timer message age timer value topology change timer topology change timer value hold timer hold timer value delay root port timer delay root port timer value...
  • Page 419 Spanning Tree enabled for vlan port spanning tree state port_id port_number path cost message age designated_root 21807 21825 00-0b-0e-00-04-30 00-0b-0e-02-76-f6 Description Port number. VLAN ID. State of the STP feature on the VLAN.
  • Page 420 Description Total path cost to reach the root bridge. Bridge to which this switch forwards traffic away from the root bridge. STP port through which this switch forwards traffic away from the root bridge.
  • Page 421 BPDU ok count msg age expiry count link loading BPDU in processing Description Status of the hold timer. This timer ensures that configured BPDUs are not transmitted too frequently through any bridge port.
  • Page 422: Show Spantree Uplinkfast

    Table 4: Output for show spantree statistics (continued) Field num of similar BPDU’s to process received_inferior_bpdu next state src MAC count total src MAC count curr_src_mac next_src_mac See Also clear spantree statistics on page 392 show spantree uplinkfast Displays uplink fast convergence information for one VLAN or all VLANs. Syntax show spantree uplinkfast [vlan vlan-id] vlan vlan-id...
  • Page 423 See Also set spantree uplinkfast on page 399...
  • Page 425: Igmp Snooping Commands

    [vlan vlan-id] vlan vlan-id Defaults None. Access Enabled. set igmp on page 416 show igmp on page 423 set igmp proxy-report on page 419 set igmp querier on page 421...
  • Page 426: Set Igmp

    If there are no more receivers for the group, the switch also sends a leave message for the group to multicast routers. You can specify a value from 1 through 65,535.
  • Page 427: Set Igmp Mrouter

    Enables or disables multicast router solicitation by a WSS on one VLAN or all VLANs. Port list. WSS Software adds or removes the specified ports in the list of static multicast router ports.
  • Page 428: Set Igmp Mrsol Mrsi

    Syntax set igmp mrsol {enable | disable} [vlan vlan-id] enable disable vlan vlan-id Defaults Multicast router solicitation is disabled on all VLANs by default. Access Enabled. Examples The following command enables multicast router solicitation on VLAN orange: WSS# set igmp mrsol enable vlan orange success: change accepted.
  • Page 429: Set Igmp Proxy-Report

    IP address than the IP address of the switch in that subnet. To enable the pseudo-querier feature, use set igmp querier.
  • Page 430: Set Igmp Qri

    Defaults The default query interval is 125 seconds. Access Enabled. Usage The query interval is applicable only when the WSS is querier for the subnet. For the switch to become the querier, the pseudo-querier feature must be enabled on the switch and the switch must have the lowest IP address among all the devices eligible to become a querier.
  • Page 431: Set Igmp Querier

    Usage The query response interval is applicable only when the WSS is querier for the subnet. For the switch to become the querier, the pseudo-querier feature must be enabled on the switch and the switch must have the lowest IP address among all the devices eligible to become a querier. To enable the pseudo-querier feature, use set igmp querier.
  • Page 432: Set Igmp Receiver

    Examples The following example enables the pseudo-querier on the orange VLAN: WSS# set igmp querier enable vlan orange success: change accepted. See Also show igmp querier on page 427 set igmp receiver Adds or removes a network port in the list of ports on which a WSS forwards traffic to multicast receivers. Static multicast receiver ports are immediately added to or removed from the list of receiver ports and do not age out.
  • Page 433: Show Igmp

    237.255.255.255 5 237.255.255.255 5 Querier information: Querier for vlan orange VLAN name or number. If you do not specify a VLAN, WSS Software displays IGMP information for all VLANs. Type TTL ------ -----...
  • Page 434 Port Querier-IP Querier-MAC ---- --------------- ----------------- ----- 1 193.122.135.178 00:0b:cc:d2:e9:b4 23 IGMP vlan member ports: 10, 12, 11, 14, 16, 15, 13, 18, 17, 1, 20, 21, 2, 22, 19, 4, 6, 5, 3, 8, 7, 9 IGMP static ports: none IGMP statistics for vlan orange: IGMP message type -------------------------- ----------- -----------...
  • Page 435 Querier for vlan VLAN containing the querier. Information is listed separately for each VLAN. Querier-IP IP address of the querier. Querier-MAC MAC address of the querier. administrator Protocol (DVMRP) version 1...
  • Page 436: Show Igmp Mrouter

    Displays the multicast routers in a WSS’s subnet, on one VLAN or all VLANs. Routers are listed separately for each VLAN, according to the port number through which the switch can reach the router. Syntax show igmp mrouter [vlan vlan-id] vlan vlan-id Defaults None.
  • Page 437: Show Igmp Querier

    [vlan vlan-id] vlan vlan-id Defaults None. Access Enabled. Description VLAN containing the multicast routers. Ports are listed separately for each VLAN. Number of the physical port through which the WSS can reach the router.
  • Page 438 Examples The following command displays querier information for VLAN orange: WSS# show igmp querier vlan orange Querier for vlan orange
  • Page 439: Show Igmp Receiver-Table

    I am the querier for vlan default, time to next query is 20 The output indicates how many seconds remain before the pseudo-querier on the switch broadcasts the next general query report to IP address 224.0.0.1, the multicast all-systems group.
  • Page 440 Syntax show igmp receiver-table [vlan vlan-id] [group group-ip-addr/mask-length] vlan vlan-id group group-ip-addr/mask-length Defaults None. Access All. Examples The following command displays all multicast receivers in VLAN orange: WSS# show igmp receiver-table vlan orange VLAN: orange Session Port --------------- ---- 224.0.0.2 none none 237.255.255.255 5 237.255.255.255 5...
  • Page 441: Show Igmp Statistics

    Report V2 Leave Mrouter-Adv Mrouter-Term Mrouter-Sol Description VLAN that contains the multicast receiver ports. Ports are listed separately for each VLAN. IP address of the multicast group being received. Physical port through which the WSS can reach the receiver.
  • Page 442 DVMRP PIM V1 PIM V2 Topology notifications: 0 Packets with unknown IGMP type: 0 Packets with bad length: 0 Packets with bad checksum: 0 Packets dropped: 4 Table 67 describes the fields in this display. Table 5: Output for show igmp statistics Field IGMP statistics for vlan IGMP message type...
  • Page 443 Number of multicast packets dropped by the WSS. See Also clear igmp statistics on page 415 messages. A multicast router sends this type of message when multicast forwarding is disabled on the router interface, the router interface is administratively disabled, or the router itself is gracefully shutdown.
  • Page 445: Session Management Commands

    To clear all administrative Telnet sessions, type the following command: WSS# clear sessions telnet This will terminate manager sessions, do you wish to continue? (y|n) [n]y show sessions on page 437 clear sessions on page 435...
  • Page 446: Clear Sessions Network

    To clear Telnet client session 0, type the following command: WSS# clear sessions telnet client 0 See Also show sessions on page 437 clear sessions network Clears all network sessions for a specified username or set of usernames, MAC address or set of MAC addresses, virtual LAN (VLAN) or set of VLANs, or session ID.
  • Page 447: Show Sessions

    Examples To view information about sessions of administrative users, type the following command: WSS> show sessions admin Username ------- -------------------- -------- ---- tty0 tty2 tech tty3 sshadmin 3 admin sessions Time (s) Type 3644 Console Telnet...
  • Page 448 To view information about console users’ sessions, type the following command: WSS> show sessions console Username ------- -------------------- -------- console 1 console session To view information about Telnet users’ sessions, type the following command: WSS> show sessions telnet Username ------- -------------------- -------- tty2 To view information about Telnet client sessions, type the following command:...
  • Page 449: Show Sessions Network

    | mac-addr mac-addr- wildcard | session-id session-id | wired] [verbose] Displays all network sessions for a single user or set of users. Specify a username, use the double-asterisk wildcard character (**)
  • Page 450 Defaults None. Access All. History Version 4.1 Output added to the show network sessions verbose command to indicate the user’s authorization attributes and whether they were supplied through AAA or through configured SSID defaults in a service profile. Version 5.0 •...
  • Page 451 Service-Type=2 (service-profile) End-Date=52/06/07-08:57 (AAA) Start-Date=05/04/11-10:00 (AAA) 1 sessions total (Table 71 on page 443 describes the additional fields of the verbose output of show sessions network commands.) VLAN Port/ Name Radio vlan-eng...
  • Page 452 The following command displays information about network session 88: WSS# show sessions network session-id 88 Local Id: Global Id: SESS-88-00040f-876766-623fd6 State: ACTIVE SSID: Rack-39-PM Port/Radio: 10/1 MAC Address: 00:0f:66:f4:71:6d User Name: last-resort-Rack-39-PM IP Address: 10.2.39.217 Vlan Name: default Tag: Session Start: Wed Apr 12 21:19:27 2006 GMT Last Auth Time: Last Activity:...
  • Page 453 • KILLING—User’s session is being cleared, because of 802.1X authentication failure, entry of a clear command, or some other event. Description IP address of the session user, or the user’s MAC address if the user has not yet received an IP address.
  • Page 454 VLAN assignment. (This means the keep-initial-vlan option is enabled on the service profile.) • The VLAN is not configured for the user on the roamed-to switch by the local database. • A Location Policy on the roamed-to WSS does not set the VLAN.
  • Page 455 Table 5: show sessions network session-id Output Field Description Local Id Identifier for the session on this particular switch. (This is the session ID you specify when entering the show sessions network session-id command.) Global Id Unique session identifier within the Mobility Domain.
  • Page 456 Table 5: show sessions network session-id Output (continued) Field Description System-wide supported VLAN tag type. Session Start Indicates when the session started. Last Auth Time Indicates when the most recent authentication of the session occurred. Last Activity Indicates when the last activity (transmission) occurred on the session. Session Timeout Assigned session timeout in seconds.
  • Page 457 See Also clear sessions network on page 436...
  • Page 459: Security Acl Commands

    ACE from the running configuration. Syntax clear security acl {acl-name | all} [editbuffer-index] acl-name editbuffer-index 165.) set security acl on page 454 show security acl editbuffer on page 462 show security acl info on page 463...
  • Page 460 Defaults None. Access Enabled. Usage This command deletes security ACLs only in the edit buffer. You must use the commit security acl command with this command to delete the ACL or ACE from the running configuration and nonvolatile storage. The clear security acl command deletes a security ACL, but does not stop its current filtering function if the ACL is mapped to any virtual LANs (VLANs), ports, or virtual ports, or if the ACL is applied in a Filter-Id attribute to an authenticated user or group of users with current sessions.
  • Page 461: Clear Security Acl Map

    WSS# clear security acl map acljoe port 4 in clear mapping accepted Name of an existing security ACL to clear. ACL names start with a letter and are case-insensitive. Removes security ACL mapping from all physical ports, virtual ports, and VLANs on a WSS.
  • Page 462: Commit Security Acl

    To clear all physical ports, virtual ports, and VLANs on a WSS of the ACLs mapped for incoming and outgoing traffic, type the following command: WSS# clear security acl map all success: change accepted. See Also • clear security acl on page 449 •...
  • Page 463: Rollback Security Acl

    ACL edit-buffer information for all See Also show security acl on page 461 Name of an existing security ACL to roll back. ACL names must start with a letter and are case-insensitive.
  • Page 464: Set Security Acl

    set security acl In the edit buffer, creates a security access control list (ACL), adds one access control entry (ACE) to a security ACL, and/or reorders ACEs in the ACL. The ACEs in an ACL filter IP packets by source IP address, a Layer 4 protocol, or IP, ICMP, TCP, or UDP packet information.
  • Page 465 • 4 or 5—Video. Packets are queued in AP • 6 or 7—Voice. Packets are queued in AP forwarding deny Blocks traffic that matches the conditions in the ACE. forwarding queue 4. forwarding queue 3. forwarding queue 2.
  • Page 466 protocol source-ip-addr mask | any operator port [port2] destination-ip-addr mask | type icmp-type code icmp-code IP protocol by which to filter packets: • ip • tcp • udp • icmp • A protocol number between 0 and 255. (For a complete list of IP protocol names and numbers, see www.iana.org/assignments/protocol-numbers.) IP address and wildcard mask of the network or host from which the...
  • Page 467 Defaults By default, permitted packets are classified based on DSCP value, which is converted into an internal CoS value in the switch’s CoS map. The packet is then marked with a DSCP value based on the internal CoS value. If the ACE contains the cos option, this option overrides the switch’s CoS map and marks the packet based on the ACE.
  • Page 468 History WSS Software The any option is supported for the source or destination IP address and Version 4.1 mask. This option is equivalent to 0.0.0.0 255.255.255.255. Note: The any option is shown in the configuration file as 0.0.0.0 255.255.255.255, regardless of whether you specify any or 0.0.0.0 255.255.255.255 when you configure the ACE.
  • Page 469: Set Security Acl Map

    Examples The following command maps security ACL acl_133 to port 4 for incoming packets: WSS set security acl map acl_133 port 4 in success: change accepted. See Also • clear security acl map on page 451...
  • Page 470 • commit security acl on page 452 • set mac-user attr on page 197 • set mac-usergroup attr on page 203 • set security acl on page 454 • set user attr on page 207 • set usergroup on page 208 •...
  • Page 471 463 show security acl dscp This command has been renamed in WSS Software Version 4.1. See show qos dscp-table on page 96. ACL-name 0 acl_2 0 acl_175...
  • Page 472 show security acl editbuffer Displays a summary of the security ACLs that have not yet been committed to the configuration. Syntax show security acl [info all] editbuffer info all Displays the ACEs in each uncommitted ACL. Without this option, only the ACE names are listed.
  • Page 473 Examples To display the contents of all security ACLs committed on a WSS, type the following command: WSS# show security acl info ACL information for all ACL-name 0 acl_2 0 acl_175 916 acl_123 Name of an existing security ACL to display.
  • Page 474 set security acl ip acl_123 (hits #5 462) --------------------------------------------------------- 1. permit IP source IP 192.168.1.11 0.0.0.255 destination IP any enable-hits 2. deny IP source IP 192.168.2.11 0.0.0.0 destination IP any set security acl ip acl_134 (hits #3 0) --------------------------------------------------------- 1. permit IP source IP 192.168.0.1 0.0.0.0 destination IP any enable-hits set security acl ip acl_135 (hits #2 0) --------------------------------------------------------- 1.
  • Page 475 ACL resources Port number Number of action types : 2 LUdef in use Default action pointer “How to get help” on page : 2 (max: 151) : 0 (max 12096) : c8007dc...
  • Page 476 L4 global No rules Non-IP rules Root in first Static default action No per-user (MAC) mapping : True Out mapping In mapping No VLAN or PORT mapping : False No VPORT mapping Table 73 explains the fields in the show security acl resource-usage output. Table 1: show security acl resource-usage Output Field Number of rules...
  • Page 477 • False—Security ACLs are applied to users. Out mapping Application of security ACLs to outgoing traffic on the WSS: • True—Security ACLs are mapped to outgoing traffic. • False—No security ACLs are mapped to outgoing traffic...
  • Page 478 Table 1: show security acl resource-usage Output (continued) Field In mapping No VLAN or PORT mapping No VPORT mapping Description Application of security ACLs to incoming traffic on the WSS: • True—Security ACLs are mapped to incoming traffic. •...
  • Page 479: Cryptography Commands

    Encryption Keys PKCS #7 Certificates PKCS #12 Certificate Self-Signed Certificate Guide.) crypto generate key on page 472 show crypto key domain on page 481 show crypto key ssh on page 481...
  • Page 480: Crypto Ca-Certificate

    crypto ca-certificate Installs a certificate authority’s own PKCS #7 certificate into the WSS certificate and key storage area. Syntax crypto ca-certificate {admin | eap | web} PEM-formatted-certificate admin Stores the certificate authority’s certificate that signed the administrative certificate for the WSS. The administrative certificate authenticates the WSS to WLAN Management Software or Web View.
  • Page 481: Crypto Certificate

    Examples The following command installs a certificate: WSS# crypto certificate admin Enter PEM-encoded certificate Stores the certificate authority’s administrative certificate, which authenticates the WSS to WLAN Management Software or Web View. Stores the certificate authority’s Extensible Authentication Protocol (EAP) certificate, which authenticates the WSS to 802.1X supplicants...
  • Page 482: Crypto Generate Key

    -----BEGIN CERTIFICATE----- MIIBdTCP3wIBADA2MQswCQYDVQQGEwJVUzELMAkGA1UECBMCQOExGjAYBgNVB EXR1Y2hwdWJzQHRycHouY29tMIGfMAOGCSqGSIb3DQEBAQAA4GNADCBiQKBgQC4 2L8Q9tk+G2As84QYLm8wmVY>xP56M;CUAm908C2foYgOY40= -----END CERTIFICATE----- See Also • crypto generate request on page 473 • crypto generate self-signed on page 475 crypto generate key Generates an RSA public-private encryption key pair that is required for a Certificate Signing Request (CSR) or a self- signed certificate.
  • Page 483: Crypto Generate Request

    SSH requires an SSH authentication key, but you can allow WSS Software to generate it automatically. The first time an SSH client attempts to access the SSH server on a WSS, the switch automatically generates a 1024-byte SSH key. If you want to use a 2048-byte key instead, use the crypto generate key ssh 2048 command to generate one.
  • Page 484 Email Address string Unstructured Name string Defaults None. Access Enabled. History Version 4.1 • webaaa option renamed to web • Maximum string length for State Name increased Usage To use this command, you must already have generated a public-private encryption key pair with the crypto generate key command.
  • Page 485: Crypto Generate Self-Signed

    Common Name string Email Address string Unstructured Name string Generates an administrative certificate to authenticate the WSS to WLAN Management Software or Web View. Generates an EAP certificate to authenticate the WSS to 802.1X supplicants (clients).
  • Page 486: Crypto Otp

    Defaults None. Access Enabled. History Version 4.1 webaaa option renamed to web Usage To use this command, you must already have generated a public-private encryption key pair with the crypto generate key command. Examples To generate a self-signed administrative certificate, type the following command: WSS# crypto generate self-signed admin Country Name: State Name:...
  • Page 487: Crypto Pkcs

    Syntax crypto pkcs12 {admin | eap | web} file-location-url admin Password of at least 1 alphanumeric character, with no spaces, for clients other than Microsoft Windows clients. The password must be the same as the password protecting the PKCS #12 object file.
  • Page 488 file-location-url Defaults The password you enter with the crypto otp command must be the same as the one protecting the PKCS #12 file. Access Enabled. History Version 4.1 webaaa option renamed to web Usage To use this command, you must have already created a one-time password with the crypto otp command.
  • Page 489: Show Crypto Ca-Certificate

    Issuer Validity See Also • crypto ca-certificate on page 470 to 802.1X supplicants (clients). Description Version of the X.509 certificate. A unique identifier for the certificate or signature. Name of the certificate owner.
  • Page 490: Show Crypto Certificate

    • show crypto certificate on page 480 show crypto certificate Displays information about one of the cryptographic certificates installed on the WSS. Syntax show crypto certificate {admin | eap | web} admin Displays information about the administrative certificate that authenticates the WSS to WLAN Management Software or Web View.
  • Page 491: Show Crypto Key Domain

    Access Enabled. History Introduced in WSS Software 2.0. Examples To display SSH key information, type the following command: WSS# show crypto key ssh ec:6f:56:7f:d1:fd:c0:28:93:ae:a4:f9:7c:f5:13:04 See Also crypto generate key on page 472...
  • Page 493: Radius And Server Groups Commands

    Resets parameters that were globally configured for RADIUS servers to their default values. Syntax clear radius {deadtime | key | retransmit | timeout} deadtime set radius client system-ip on page 488 clear radius client system-ip on page 484 set radius on page 487...
  • Page 494: Clear Radius Client System-Ip

    RADIUS client request as the source IP address. The WSS selects a source interface address based on information in its routing table as the source address for RADIUS packets leaving the switch. Number of transmission attempts made before declaring an unresponsive RADIUS server unavailable.
  • Page 495: Clear Radius Proxy Client

    History Introduced in WSS Software 4.0. Examples The following command clears all RADIUS proxy port entries from the switch: WSS# clear radius proxy port all success: change accepted. See Also set radius proxy port on page 489...
  • Page 496: Clear Radius Server

    clear radius server Removes the named RADIUS server from the WSS configuration. Syntax clear radius server server-name server-name Defaults None. Access Enabled. History Introduced in WSS Software 1.0. Examples The following command removes the RADIUS server rs42 from a list of remote AAA servers: WSS# clear radius server rs42 success: change accepted.
  • Page 497: Set Radius

    (the total number of attempts, including the first attempt) • timeout—5 seconds Access Enabled. Number of minutes the WSS waits after declaring an unresponsive RADIUS server unavailable before retrying the RADIUS server. You can specify from 0 to 1440 minutes.
  • Page 498: Set Radius Client System-Ip

    History Version 4.1 encrypted-key option added Usage You can specify only one parameter per command line. Examples The following commands set the dead time to 5 minutes, the RADIUS key to goody, the number of retransmissions to 1, and the timeout to 21 seconds on all RADIUS servers connected to the WSS: 23x0# set radius deadtime 5 success: change accepted.
  • Page 499: Set Radius Proxy Client

    [tag tag-value] ssid ssid-name port port-list IP address of the third-party AP. Enter the address in dotted decimal notation. UDP port on which the WSS listens for RADIUS access-requests from the AP.
  • Page 500: Set Radius Server

    tag tag-value ssid ssid-name Defaults None. Access Enabled. History Introduced in WSS Software 4.0. Usage AAA for third-party AP users has additional configuration requirements. See the “Configuring AAA for Users of Third-Party APs” section in the “Configuring AAA for Network Users” chapter of the WLAN 2300 System Software Configuration Enter a separate command for each SSID, and its tag value, you want the WSS to support.
  • Page 501 Do not use the same name for a RADIUS server and a RADIUS server group. Number of minutes the WSS waits after declaring an unresponsive RADIUS server unavailable before retrying that RADIUS server.
  • Page 502: Set Server Group

    Examples To set a RADIUS server named RS42 with IP address 198.162.1.1 to use the default accounting and authorization ports with a timeout interval of 30 seconds, two transmit attempts, 5 minutes of dead time, a key string of keys4u, and the default authorization password of nortel, type the following command: 23x0# set radius server RS42 address 198.162.1.1 timeout 30 retransmit 2 deadtime 5 key keys4U See Also...
  • Page 503: Set Server Group Load-Balance

    492 • show aaa on page 210 Server group name of up to 32 characters. Enables or disables load balancing of authentication requests among the servers in the group.
  • Page 504 504 RADIUS and Server Groups Commands NN47250-100 (Version 02.51)
  • Page 505: 802.1X Management Commands

    Keys Bonded Authentication Reauthentication Retransmission Quiet Period and Timeouts 165. set dot1x port-control on page 502 clear dot1x port-control on page 497 set dot1x authcontrol on page 500 set dot1x key-tx on page 501...
  • Page 506: Clear Dot1X Max-Req

    Settings, Active Clients, and Statistics clear dot1x bonded-period Resets the Bonded Auth period to its default value. Syntax clear dot1x max-req Defaults The default bonded authentication period is 0 seconds. Access Enabled. History Introduced in WSS Software Version 2.1. Usage Examples To reset the Bonded period to its default, type the following command: WSS# clear dot1x bonded-period success: change accepted.
  • Page 507: Clear Dot1X Port-Control

    503 • show dot1x on page 507 clear dot1x reauth-max Resets the maximum number of reauthorization attempts to the default setting. Syntax clear dot1x reauth-max Defaults The default is 2 attempts...
  • Page 508: Clear Dot1X Reauth-Period

    Access Enabled. History Introduced in WSS Software 1.0. Examples Type the following command to reset the maximum number of reauthorization attempts to the default: WSS# clear dot1x reauth-max success: change accepted. See Also • set dot1x reauth-max on page 504 •...
  • Page 509: Clear Dot1X Timeout Supplicant

    Examples Type the following command to reset the EAPoL retransmission time: WSS# clear dot1x tx-period success: change accepted. See Also • set dot1x tx-period on page 506 • show dot1x on page 507...
  • Page 510: Set Dot1X Authcontrol

    set dot1x authcontrol Provides a global override mechanism for 802.1X authentication configuration on wired authentication ports. Syntax set dot1x authcontrol {enable | disable} enable disable Defaults By default, authentication control for individual wired authentication is enabled. Access Enabled. History Introduced in WSS Software 1.0. Usage This command applies only to wired authentication ports.
  • Page 511: Set Dot1X Key-Tx

    Defaults The default number of EAP retransmissions is 2. Access Enabled. Enables transmission of encryption key information to clients. Disables transmission of encryption key information to clients. Specify a value between 0 and 10.
  • Page 512: Set Dot1X Port-Control

    History Introduced in WSS Software 1.0. Usage To support SSIDs that have both 802.1X and static WEP clients, WSS Software sends a maximum of two ID requests, even if this parameter is set to a higher value. Setting the parameter to a higher value does affect all other types of EAP messages.
  • Page 513: Set Dot1X Reauth

    See Also • set dot1x reauth-max on page 504 • set dot1x reauth-period on page 504 • show dot1x on page 507 Specify a value between 0 and 65,535. Permits reauthentication. Denies reauthentication.
  • Page 514: Set Dot1X Reauth-Max

    set dot1x reauth-max Sets the number of reauthentication attempts that the WSS makes before the supplicant (client) becomes unauthorized. Syntax set dot1x reauth-max number-of-attempts number-of-attempts Defaults The default number of reauthentication attempts is 2. Access Enabled. History Introduced in WSS Software 1.0. Usage If the number of reauthentications for a wired authentication client is greater than the maximum number of reauthentications allowed, WSS Software sends an EAP failure packet to the client and removes the client from the network.
  • Page 515: Set Dot1X Timeout Supplicant

    Examples Type the following command to set the number of seconds for authentication session timeout to 300: WSS# set dot1x timeout supplicant 300 success: dot1x supplicant timeout set to 300. Specify a value between 1 and 65,535. Specify a value between 1 and 65,535.
  • Page 516: Set Dot1X Tx-Period

    See Also • clear dot1x timeout auth-server on page 498 • show dot1x on page 507 set dot1x tx-period Sets the number of seconds that must elapse before the WSS retransmits an EAPoL packet. Syntax set dot1x tx-period seconds seconds Defaults The default is 5 seconds.
  • Page 517: Show Dot1X

    Defaults None. Specify a value between 30 and 1,641,600 (19 days). Displays information about active 802.1X clients, including client name, MAC address, and state. Displays global 802.1X statistics associated with connecting and authenticating.
  • Page 518 Access Enabled. Examples Type the following command to display the 802.1X clients: WSS# show dot1x clients MAC Address State ------------- ------- 00:20:a6:48:01:1f Connecting 00:05:3c:07:6d:7c Authenticated vlan-it 00:05:5d:7e:94:83 Authenticated vlan-eng 00:02:2d:86:bd:38 Authenticated vlan-eng 00:05:5d:7e:97:b4 Authenticated vlan-eng 00:05:5d:7e:98:1a Authenticated vlan-eng 00:0b:be:a9:dc:4e Authenticated vlan-pm 00:05:5d:7e:96:e3 Authenticated vlan-eng 00:02:2d:6f:44:77...
  • Page 519 Logoffs While Connecting Enters Authenticating Success While Authenticating Timeouts While Authenticating Number of times that the WSS state wildcard transitions from Failures While Authenticating value ----- Table 1: show dot1x stats Output Description Number of times that the WSS state transitions to the CONNECTING state from any other state.
  • Page 520 Table 1: show dot1x stats Output (continued) Field Reauths While Authenticating Starts While Authenticating Logoffs While Authenticating Bad Packets Received Description Number of times that the WSS state wildcard transitions from AUTHENTICATING to ABORTING, as a result of a reauthentication request (reAuthenticate = TRUE).
  • Page 521: Rf Detection Commands

    A rogue access point is a BSSID (MAC address associated with an SSID) that does not belong to a Nortel device and is not a member of the ignore list configured on the seed switch of the Mobility Domain.
  • Page 522: Clear Rfdetect Attack-List

    clear rfdetect attack-list Removes a MAC address from the attack list. Syntax clear rfdetect attack-list mac-addr mac-addr Defaults None. Access Enabled. History Introduced in WSS Software Version 4.0. Examples The following command clears MAC address 11:22:33:44:55:66 from the attack list: WSS# clear rfdetect attack-list 11:22:33:44:55:66 success: 11:22:33:44:55:66 is no longer in attacklist.
  • Page 523: Clear Rfdetect Ignore

    517 • show rfdetect ssid-list on page 530 Basic service set identifier (BSSID), which is a MAC address, of the device to remove from the ignore list.
  • Page 524: Clear Rfdetect Vendor-List

    clear rfdetect vendor-list Removes an entry from the permitted vendor list. Syntax clear rfdetect vendor-list {client | ap} mac-addr | all client | ap mac-addr | all Defaults None. Access Enabled. History Introduced in WSS Software Version 4.0. Examples The following command removes client OUI aa:bb:cc:00:00:00 from the permitted vendor list: WSS# clear rfdetect vendor-list client aa:bb:cc:00:00:00 success: aa:bb:cc:00:00:00 is no longer in client vendor-list.
  • Page 525: Set Rfdetect Ignore

    Configures a list of known devices to ignore during an RF scan. WSS Software does not generate log messages or traps for the devices in the ignore list. Syntax set rfdetect ignore mac-addr mac-addr MAC address you want to place on the black list. BSSID (MAC address) of the device to ignore.
  • Page 526: Set Rfdetect Log

    History Introduced in WSS Software Version 3.0. Usage The log messages for rogues are generated only on the seed and appear only in the seed’s log message buffer. Use the show log buffer command to display the messages in the seed switch’s log message buffer.
  • Page 527: Set Rfdetect Signature

    Defaults The permitted SSID list is empty by default and all SSIDs are allowed. However, after you add an entry to the list, WSS Software allows traffic only for the SSIDs that are on the list. Enables AP signatures.
  • Page 528: Set Rfdetect Vendor-List

    Access Enabled. History Introduced in WSS Software Version 4.0. Usage The permitted SSID list applies only to the WSS on which the list is configured. WSSs do not share permitted SSID lists. If you add a device that WSS Software has classified as a rogue to the permitted SSID list, but not to the ignore list, WSS Software can still classify the device as a rogue.
  • Page 529: Show Rfdetect Attack-List

    Total number of entries: 1 Blacklist MAC Type ----------------- ----------------- 11:22:33:44:55:66 configured 11:23:34:45:56:67 assoc req flood 3 See Also • clear rfdetect black-list on page 512 SSID -53 rogue-ssid Port TTL ------- ---...
  • Page 530: Show Rfdetect Clients

    • set rfdetect black-list on page 515 show rfdetect clients Displays the wireless clients detected by a WSS. Syntax show rfdetect clients [mac mac-addr] mac mac-addr Defaults None. Access Enabled. History Introduced in WSS Software Version 4.0. Examples The following command shows information about all wireless clients detected by a WSS’s APs: # show rfdetect clients Total number of entries: 30 Client MAC...
  • Page 531 Company that manufactures or sells the AP with which the rogue client is associated. is not supposed to be on the network. network and is not a rogue, but might be causing RF interference with AP radios.
  • Page 532: Show Rfdetect Countermeasures

    Output no longer lists rogues for which countermeasures have not been started. Usage This command is valid only on the seed switch of the Mobility Domain. Examples The following example displays countermeasures status for the Mobility Domain: WSS# show rfdetect countermeasures...
  • Page 533: Show Rfdetect Counters

    802.11 adhoc clients Unknown 802.11 clients Interfering 802.11 clients seen on wired network Description BSSID of the rogue. Classification of the rogue device: • rogue—Wireless device that is on the network but is not supposed to be on the network.
  • Page 534 Usage You can enter this command on any WSS in the Mobility Domain. The output applies only to the switch on which you enter the command. To display all devices that a specific Nortel radio has detected, even if the radio is managed by another WSS, use the show rfdetect visible command.
  • Page 535 AP radio, in decibels referred to 1 milliwatt (dBm). Number of seconds since an AP radio last detected 802.11 packets from the device. 3/1/6 i----w -61 6 r27-cisco1200-2 3/1/6 i----w -82 6 r116-cisco1200-2...
  • Page 536: Show Rfdetect Ignore

    See Also • show rfdetect mobility-domain on page 526 • show rfdetect visible on page 531 show rfdetect ignore Displays the BSSIDs of third-party devices that WSS Software ignores during RF scans. WSS Software does not generate log messages or traps for the devices in the ignore list. Syntax show rfdetect ignore Defaults None.
  • Page 537 • bssid and ssid options added. • Vendor, Type, and Flags fields added. Usage This command is valid only on the seed switch of the Mobility Domain. To display rogue information for an individual switch, use the show rfdetect data command on that switch.
  • Page 538 Device-type: interfering Adhoc: no Crypto-types: clear RSSI: -76 SSID: -webaaa nrtl Two types of information are shown. The lines that are not indented show the BSSID, vendor, and information about the SSID. The indented lines that follow this information indicate the listeners (AP radios) that detected the SSID. Each set of indented lines is for a separate AP listener.
  • Page 539 Indicates whether the rogue is an infrastructure rogue (is using an AP) or is operating in ad-hoc mode. on the network. The device has an entry in a WSS’s FDB and is therefore on the network.
  • Page 540: Show Rfdetect Ssid-List

    Table 6: show rfdetect mobility-domain ssid or bssid Output (continued) Field Crypto-Types WSS-IPaddress Port/Radio/Channel Device-type Adhoc Crypto-Types RSSI SSID See Also • show rfdetect data on page 524 • show rfdetect visible on page 531 show rfdetect ssid-list Displays the entries in the permitted SSID list. Syntax show rfdetect ssid-list Defaults None.
  • Page 541: Show Rfdetect Vendor-List

    518 show rfdetect visible Displays the BSSIDs discovered by a specific Nortel radio. The data includes BSSIDs transmitted by other Nortel radios as well as by third-party access points...
  • Page 542 To display rogue information for the entire Mobility Domain, use the show rfdetect mobility-domain command on the seed switch. Examples The following command displays information about the rogues detected by radio 1 on AP port 3: # show rfdetect visible ap 3 radio 1...
  • Page 543 Syntax rfping {mac mac-addr | session-id session-id} mac-addr session-id Description MAC address of the rogue device that sent the 802.11 packet detected by the AP radio. Company that manufactures or sells the rogue device.
  • Page 544 Defaults None. Access Enabled. History Introduced in WSS Software Version 5.0. Name of the command changed from test rflink to rfping in WSS Software Version 6.0. Usage Use this command to send test packets to a specified client. The output of the command indicates the number of test packets received and acknowledged by the client, as well as the client’s signal strength and signal-to-noise ratio.
  • Page 545: File Management Commands

    Creates an archive of WSS system files and, optionally, user files, in Unix tape archive (tar) format. reset system on page 546 show version on page 554 set boot partition on page 550...
  • Page 546 Use the critical option if you want to back up or restore only the system-critical files required to operate and communicate with the switch. Use the all option if you also want to back up or restore Web-based AAA pages, backup configuration files, image files, and any other files stored in the user files area of nonvolatile storage.
  • Page 547: Clear Boot Config

    Defaults None. Access Enabled. Examples The following commands back up the configuration file on a WSS, reset the switch to its factory default configuration, and reboot the switch: WSS# copy configuration tftp://10.1.1.1/backupcfg success: sent 365 bytes in 0.401 seconds [ 910 bytes/sec] WSS# clear boot config success: Reset boot config to factory defaults.
  • Page 548 • Copies a file from a TFTP server to nonvolatile storage. • Copies a file from nonvolatile storage or temporary storage to a TFTP server. • Copies a file from one area in nonvolatile storage to another. • Copies a file to a new filename in nonvolatile storage. Syntax copy source-url destination-url source-url...
  • Page 549 When you press Enter after typing a delete command, WSS Software immediately deletes the specified file. Note. WSS Software does not allow you to delete the currently running software image file or the running configuration...
  • Page 550 Syntax delete url Defaults None. Access Enabled. Usage You might want to copy the file to a TFTP server as a backup before deleting the file. Examples The following commands copy file testconfig to a TFTP server and delete the file from nonvolatile storage: WSS# copy testconfig tftp://10.1.1.1/testconfig success: sent 365 bytes in 0.401 seconds [ 910 bytes/sec]...
  • Page 551 12 KB file:testback 28 KB Total: 159 Kbytes used, 207663 Kbytes free Created Jul 12 2005, 15:02:32 Mar 14 2005, 22:20:04 Mar 14 2005, 22:20:04 40 KB May 09 2005, 21:08:30...
  • Page 552 Size in Kbytes or bytes. System time and date when the file was created or copied onto the switch. Number of kilobytes in use to store files and the number that are still free.
  • Page 553: Load Config

    Syntax load config [url] Name of a .zip file on the WSS containing SODA agent files. Directory on the WSS where SODA agent files are to be installed. The command automatically creates this directory.
  • Page 554 Defaults The default file location is nonvolatile storage. Note. The current version supports loading a configuration file only from the switch’s nonvolatile storage. You cannot load a configuration file directly from a TFTP server. If you do not specify a filename, WSS Software uses the same configuration filename that was used for the previous configuration load.
  • Page 555 8928 Kbytes used, 3312 Kbytes free Boot1: Total: 8197 Kbytes used, 4060 Kbytes free =============================================================================== Subdirectory name. Specify between 1 and 32 alphanumeric characters, with no spaces. Created May 21 2004, 18:20:53...
  • Page 556: Reset System

    This will reset the entire system. Are you sure (y/n)y The following commands attempt to restart a WSS with a running configuration that has unsaved changes, and then force the switch to restart: WSS# reset system error: Cannot reset, due to unsaved configuration changes. Use "reset system force" to override.
  • Page 557 Defaults The default is critical. Access Enabled. Usage If a file in the archive has a counterpart on the switch, the archive version of the file replaces the file on the switch. The restore command does not delete files that do not have counterparts in the archive.
  • Page 558: Save Config

    If the configuration running on the switch is different from the one in the archive or you renamed the configuration file, and you want to retain changes that were made after the archive was created, see the “Managing System Files” chapter of the...
  • Page 559: Set Boot Backup-Configuration

    Defaults By default, there is no backup configuration file. Access Enabled. History Introduced in WSS Software Version 4.1. Name of the configuration file. Specify between 1 and 128 alphanumeric characters, with no spaces.
  • Page 560: Set Boot Partition

    Defaults The default configuration filename is configuration. Access Enabled. Usage The file must be located in the switch’s nonvolatile storage. Examples The following command sets the boot configuration file to testconfig1: WSS# set boot configuration-file testconfig1 success: boot config set.
  • Page 561: Show Boot

    Configured boot configuration: file:configuration Backup boot configuration: Booted version: Booted image: Booted configuration: Product model: Table 86 describes the fields in the show boot output. boot configuration, added 5.0.7.0.20 boot1:N6050700.020 NONE 5.0.7.0.20 boot1:N6050700.020 file:configuration...
  • Page 562 Table 2: Output for show boot Description Software version the switch will run next time the software is rebooted. Boot partition and image filename WSS Software will use to boot next time the software is rebooted.
  • Page 563: Show Config

    Syntax show config [area area] [all] area area area area, cont. Defaults None. Configuration area. You can specify one of the following: • aaa • acls • ap • arp • eapol •...
  • Page 564: Show Version

    Defaults None Access All. Examples The following command displays version information for a WSS: WSS# show version WLAN Security Switch 2300 Series, Version: 5.0.0 QA 67 Copyright (c) 2002, 2003, 2004, 2005 Nortel. All rights reserved. snoop Includes additional software build information and information about the APs configured on the WSS.
  • Page 565 The following command displays additional software build information and AP information: WSS# show version details WLAN Security Switch 2300 Series, Version: 5.0.0 QA 67 Copyright (c) 2002, 2003, 2004, 2005 Nortel. All rights reserved. Build Information: (build#67) TOP 2005-09-21 04:41:00 Label: 5.0.0.67_092205_WSS2380...
  • Page 566: Uninstall Soda Agent

    Field Build Information Label Build Suffix Model Hardware Serial number Flash Kernel BootLoader Port/ap AP Model Serial # Versions See Also show boot on page 551 uninstall soda agent Removes the contents of a directory containing SODA agent files. Syntax uninstall soda agent agent-directory directory directory Defaults None.
  • Page 567 See Also • install soda agent on page 542 • set service-profile soda mode on page 329...
  • Page 568 568 File Management Commands NN47250-100 (Version 02.51)
  • Page 569: Trace Commands

    • set log on page 576 • show log buffer on page 579 set trace sm on page 563 set trace dot1x on page 562 set trace authentication on page 561 set trace authorization on page 561...
  • Page 570: Clear Trace

    clear trace Deletes running trace commands and ends trace processes. Syntax clear trace {trace-area | all} trace-area Ends a particular trace process. Specify one of the following keywords to end the traces documented in this chapter: • authorization—Ends an authorization trace •...
  • Page 571: Set Trace Authentication

    564 set trace authorization Traces authorization information. Traces a MAC address. Specify a MAC address, using colons to separate the octets (for example, 00:11:22:aa:bb:cc). Traces a port number. Specify a WSS port number between 1 and 22.
  • Page 572: Set Trace Dot1X

    Syntax set trace authorization [mac-addr mac-address] [port port-num] [user username] [level level] mac-addr mac-address port port-num user username level level Defaults The default trace level is 5. Access Enabled. Examples The following command starts a trace for information for authorization for MAC address 00:01:02:03:04:05: WSS# set trace authorization mac-addr 00:01:02:03:04:05 success: change accepted.
  • Page 573: Set Trace Sm

    560 • show trace on page 564 Traces a MAC address. Specify a MAC address, using colons to separate the octets (for example, 00:11:22:aa:bb:cc). Traces a port number. Specify a WSS port number between 1 and 22.
  • Page 574: Show Trace

    show trace Displays information about traces that are currently configured on the WSS, or all possible trace options. Syntax show trace [all] Displays all possible trace options and their configuration. Defaults None. Access Enabled. Examples To view the traces currently running, type the following command: WSS# show trace milliseconds spent printing traces: 1885.614 Trace Area...
  • Page 575: Snoop Commands

    • set snoop on page 567 • show snoop info on page 571 Nortel WLAN Security Switch 2300 Series Configuration set snoop on page 567 show snoop info on page 571 clear snoop on page 565...
  • Page 576: Clear Snoop Map

    clear snoop map Removes a snoop filter from an AP radio. Examples clear snoop map filter-name ap ap-num radio {1 | 2} filter-name Name of the snoop filter. ap ap-num Number of the AP to which the snoop filter is mapped. radio 1 Radio 1 of the AP.
  • Page 577: Set Snoop

    Nortel recommends specifying a snap length of 100 bytes or less. Defaults No snoop filters are configured by default. Access Enabled. management | probe}...
  • Page 578: Set Snoop Map

    History Version 4.0 Command introduced Version 5.0 New Boolean operators: lt (less than) and gt (greater than). The new options apply to src-mac, dest-mac, and host-mac. Usage Traffic that matches a snoop filter is copied after it is decrypted. The decrypted (clear) version is sent to the observer.
  • Page 579: Set Snoop Mode

    | all} enable [stop-after num-pkts] disable Name of the snoop filter. Specify all to enable all snoop filters. Enables the snoop filter. The stop-after option disables the filter after the specified number of packets match the filter.
  • Page 580 Defaults Snoop filters are disabled by default. Access Enabled. History Introduced in WSS Software Version 4.0. Usage The filter mode is not retained if you change the filter configuration or disable and reenable the radio, or when the AP or the WSS is restarted. You must reenable the filter to place it back into effect.
  • Page 581 Usage To display the mappings for all snoop filters, use the show snoop command. Examples The following command shows the mapping for snoop filter snoop1: WSS# show snoop map snoop1 filter 'snoop1' mapping...
  • Page 582 ap: 3 Radio: 2 See Also • clear snoop map on page 566 • set snoop map on page 568 • show snoop on page 570 show snoop stats Displays statistics for enabled snoop filters. Examples show snoop stats [filter-name [ap-num [radio {1 | 2}]]] filter-name Name of the snoop filter.
  • Page 583 Radio Rx Match Tx Match Dropped Stop-After Table 1: show snoop stats Output Description Name of the snoop filter. AP containing the radio to which the filter is mapped. Radio to which the filter is mapped.
  • Page 584 584 Snoop Commands NN47250-100 (Version 02.51)
  • Page 585: System Log Commands

    See Also • clear log trace on page 559 set log on page 576 set log mark on page 578 show log buffer on page 579 show log config on page 581...
  • Page 586: Set Log

    • set log on page 576 set log Enables or disables logging of WSS and AP events to the WSS log buffer or other logging destination and sets the level of the events logged. For logging to a syslog server only, you can also set the facility logged. Syntax set log {buffer | console | current | sessions | trace} [severity severity-level] [enable | disable]...
  • Page 587 Trace logging is enabled, and debug-level output is stored in the WSS trace buffer. Access Enabled. History Option port added in Version 4.1 Logs events at a severity level greater than or equal to the level specified. Specify one of the following: •...
  • Page 588: Set Log Mark

    Usage Using the command with only enable or disable turns logging on or off for the target at all levels. For example, entering set log buffer enable with no other keywords turns on logging to the system buffer of all facilities at all levels. Entering set log buffer disable with no other keywords turns off all logging to the buffer.
  • Page 589: Set Log Trace Mbytes

    +|-number-of-messages facility facility-name matching string Displays the log messages in nonvolatile storage. Displays the number of messages specified as follows: • A positive number (for example, +100), displays that number of log entries starting from the oldest in the log.
  • Page 590 severity severity-level Defaults None. Access Enabled. History Version 5.0 Option COPP removed. The option is not applicable to WSS Software Version 5.0. Usage The debug level produces a lot of messages, many of which can appear to be somewhat cryptic. Debug messages are used primarily by Nortel for troubleshooting and are not intended for administrator use.
  • Page 591: Show Log Config

    576 • clear log on page 575 show log trace Displays system information stored in the nonvolatile log buffer or the trace buffer. disabled DEBUG disabled INFO enabled...
  • Page 592 Syntax show log trace [{+|-|/}number-of-messages] [facility facility-name] [matching string] [severity severity-level] trace +|-|/number-of-messages facility facility-name matching string severity severity-level Defaults None. Access Enabled. Displays the log messages in the trace buffer. Displays the number of messages specified as follows: •...
  • Page 593 See Also • clear log on page 575 • show log config on page 581 Select one of: KERNEL, AAA, SYSLOGD, ACL, APM, ARP, ASO, ROGUE Oct 28 16:30:19.7046 ROGUE Oct 28 16:30:...
  • Page 595: Boot Prompt Commands

    Command Information Booting File Management Boot Profile Management Diagnostics ls on page 594 help on page 593 boot on page 587 reset on page 595 autoboot on page 586 dhcp on page 591...
  • Page 596 autoboot Displays or changes the state of the autoboot option. The autoboot option controls whether a WSS automatically boots a system image after initializing the hardware, following a system reset or power cycle. Syntax autoboot [ON | on | OFF | off] Defaults The autoboot option is enabled by default.
  • Page 597 OPT=option OPT+=option Defaults The boot settings in the currently active boot profile are used by default. Access Boot prompt. Boot type: • c—Compact flash. Boots using nonvolatile storage or a flash card.
  • Page 598 Usage If you use an optional parameter, the parameter setting overrides the setting of the same parameter in the currently active boot profile. However, the boot profile itself is not changed. To display the currently active boot profile, use the show command. To change the currently active boot profile, use the change command. Examples The following command loads system image file WSS010101.020 from boot partition 1: boot>...
  • Page 599 See Also • boot on page 587 • create on page 590 • delete on page 590 • dhcp on page 591 • next on page 595 • show on page 596...
  • Page 600 0 through 3. When you create a new profile, the system uses the next available slot for the profile. If all four slots already contain profiles and you try to create a fifth profile, the switch displays a message advising you to change one of the existing profiles instead.
  • Page 601 The following command disables the DHCP option: boot> dhcp DHCP is currently disabled. See Also boot on page 587 Enables the DHCP option. Same effect as ON. Disables the DHCP option. Same effect as OFF.
  • Page 602 diag Accesses the diagnostic mode. Syntax diag Defaults The diagnostic mode is disabled by default. Access Boot prompt. Usage Access to the diagnostic mode requires a password, which is not user configurable. Use this mode only if advised to do so by Nortel. Displays the boot code and system image files on a WSS.
  • Page 603 Usage If you specify a command name, detailed information is displayed for that command. If you do not specify a command name, all the boot prompt commands are listed. Boot prompt command.
  • Page 604 Examples The following command displays detailed information for the fver command: boot> help fver fver Display the version of the specified device:filename. USAGE: fver [c:file|d:file|e:file|f:file|boot0:file|boot1:file|boot2:file|boot3:file] Command to display the version of the compressed image file associated with the given device:filename. See Also ls on page 594 Displays a list of the boot prompt commands.
  • Page 605 Usage After resetting the hardware, the reset command attempts to load a system image file only if other boot settings are configured to do so. Examples To immediately reset the system, type the following command at the boot prompt:...
  • Page 606 boot> reset Nortel WSS Bootstrap 1.17 Release Testing Low Memory 1 ... Testing Low Memory 2 ... CISTPL_VERS_1: 4.1 <SanDisk> <SDP> <5/3 0.6> Reset Cause (0x02) is COLD Nortel WSS Bootstrap/Bootloader Version 1.6.5 Release Bootstrap 0 version: Bootloader 0 version: Bootstrap 1 version: Bootloader 1 version: WSS Board Revision: 3.
  • Page 607 Table 89 describes the fields in the display. Field BOOT Index BOOT TYPE Table 1: Output for show Description Boot profile slot, which can be a number from 0 to 3. Boot type: •...
  • Page 608 Table 1: Output for show (continued) Field DEVICE HOST IP LOCAL IP GATEWAY IP IP MASK FILENAME FLAGS OPTIONS See Also • change on page 588 • create on page 590 • delete on page 590 • dhcp on page 591 Description Location of the system image file:...
  • Page 609 Nortel WSS Bootstrap/Bootloader Version 1.6.5 Release Bootstrap 0 version: Bootloader 0 version: Bootstrap 1 version: Enables the poweron test flag. Same effect as ON. Disables the poweron test flag. Same effect as OFF.
  • Page 610 Bootloader 1 version: WSS Board Revision: 3. WSS Controller Revision: 24. POE Board Revision: 1 POE Controller Revision: 6 See Also • dir on page 592 • fver on page 593 1.6.3...
  • Page 611: Command Index

    clear boot backup-configuration clear boot config clear dap clear domain security clear dot1x max-req...
  • Page 612 clear port type clear port-group clear prompt 55 clear radio-profile clear radius clear radius client system-ip clear radius proxy client clear radius proxy port clear radius server clear rfdetect attack-list clear rfdetect black-list clear rfdetect ignore clear rfdetect ssid-list clear rfdetect vendor-list clear security l2-restrict clear security l2-restrict counters clear server group...
  • Page 613 15 install soda agent IP addresses conventions for entry and display 12 keyboard shortcuts for command entry 15 last-resort username passwords are invalid 206 list formats for command entry 14...
  • Page 615 set network-domain mode seed domain-name set network-domain peer set ntp set ntp server...
  • Page 616 set radio-profile max-tx-lifetime set radio-profile mode set radio-profile preamble-length set radio-profile psk-phrase set radio-profile psk-raw set radio-profile rts-threshold set radio-profile service-profile set radio-profile shared-key-auth set radio-profile short-retry set radio-profile tkip-mc-time set radio-profile wep active-multicast-index set radio-profile wep active-unicast-index set radio-profile wep key-index set radio-profile wmm set radio-profile wmm-powersave set radio-profile wpa-ie...
  • Page 617 show crypto certificate admin show crypto certificate eap show crypto key domain show crypto key ssh...
  • Page 618 show rfdetect counters show rfdetect data show rfdetect ignore show rfdetect mobility-domain show rfdetect ssid-list show rfdetect vendor-list show rfdetect visible show roaming station show roaming vlan show security l2-restrict show service-profile show sessions show sessions network show snmp community show snmp counters show snmp notify profile show snmp notify target...
  • Page 619 in MAC addresses 12 in user globs 12 in VLAN globs 14...
  • Page 622 The information in this document is proprietary to Nortel Networks. *Nortel, Nortel Networks, the Nortel logo, and the Globemark are trademarks of Nortel Networks. *Microsoft, MS, MS-DOS, Windows, and Windows NT are registered trademarks of Microsoft Corporation.
