3Com WX1200 3CRWX120695A Configuration Manual

Wireless lan mobility system wireless lan switch and controller

Wireless LAN Mobility System
Wireless LAN Switch and Controller

Configuration Guide

WX4400
3CRWX440095A
WX2200
3CRWX220095A
WX1200
3CRWX120695A
WXR100
3CRWXR10095A
http://www.3Com.com/
Part No. 10015909
Published June 2007


Summary of Contents for 3Com WX1200 3CRWX120695A

  • Page 2 3Com Corporation reserves the right to revise this documentation and to make changes in content from time to time without obligation on the part of 3Com Corporation to provide notification of such revision or change. 3Com Corporation provides this documentation without warranty, term, or condition of any kind, either implied or expressed, including, but not limited to, the implied warranties, terms or conditions of merchantability, satisfactory quality, and fitness for a particular purpose.
  • Page 3: Table Of Contents

    Single-Asterisk (*) Wildcard Character Double-Asterisk (**) Wildcard Characters Using CLI Help Understanding Command Descriptions WX Setup Methods Overview Quick Starts 3Com Wireless Switch Manager Web Manager How a WX Switch Gets its Configuration Web Quick Start (WXR100, WX1200 and WX2200 Only)...
  • Page 4 Web Quick Start Parameters Web Quick Start Requirements Accessing the Web Quick Start CLI quickstart Command Quickstart Example Remote WX Configuration Opening the QuickStart Network Plan in 3Com Wireless Switch Manager Configuring AAA for Administrative and Local Access Overview Before You Start About Administrative Access Access Modes...
  • Page 5 Port (WX4400 only) Configuring Port Operating Parameters Displaying Port Information Configuring Load-Sharing Port Groups Configuring and Managing VLANs Understanding VLANs in 3Com MSS Configuring a VLAN Changing Tunneling Affinity Restricting Layer 2 Forwarding Among Clients Displaying VLAN Information Managing the Layer 2 Forwarding Database...
  • Page 6 Configuring the System IP Address Designating the System IP Address Displaying the System IP Address Clearing the System IP Address Configuring and Managing IP Routes Displaying IP Routes Adding a Static Route Removing a Static Route Managing the Management Services Managing SSH Managing Telnet Managing HTTPS...
  • Page 7 Configuring Member WX Switches on the Seed Configuring a Member Configuring Mobility Domain Seed Redundancy Displaying Mobility Domain Status Displaying the Mobility Domain Configuration Clearing a Mobility Domain from a WX Switch Clearing a Mobility Domain Member from a Seed Managing Mobility Domain...
  • Page 8 Displaying Network Domain Information Clearing Network Domain Configuration from a WX Switch Clearing a Network Domain Seed from a WX Switch Clearing a Network Domain Peer from a Network Domain Seed Clearing Network Domain Seed or Member Configuration from a WX...
  • Page 9 Configuring MAPs Specifying the Country of Operation Configuring an Auto-AP Profile for Automatic MAP Configuration Configuring MAP Port Parameters Configuring MAP-WX Security Configuring a Service Profile Configuring a Radio Profile Configuring Radio-Specific Parameters Mapping the Radio Profile to Service Profiles Assigning a Radio Profile and Enabling Radios Disabling or Reenabling Radios Enabling or Disabling Individual Radios...
  • Page 10 Setting Strictness for RF Load Balancing Exempting an SSID from RF Load Balancing Displaying RF Load Balancing Information Configuring WLAN Mesh Services Overview Configuring WLAN Mesh Services Configuring the Mesh AP Configuring the Service Profile for Mesh Services Configuring Security Enabling Link Calibration Packets on the Mesh Portal MAP Deploying the Mesh AP...
  • Page 11 Displaying RF Neighbors Displaying RF Attributes Configuring MAP Radios to Listen for AeroScout RFID Tags Locating an RFID Tag Using an AeroScout Engine Using 3Com Wireless Switch Manager Configuring Quality of Service About QoS Summary of QoS Features QoS Mode...
  • Page 12 Enabling U-APSD Support Configuring Call Admission Control Configuring Static CoS Changing CoS Mappings Using the Client’s DSCP Value to Classify QoS Level Enabling Broadcast Control Displaying QoS Information Displaying a Radio Profile’s QoS Settings Displaying a Service Profile’s QoS Settings Displaying CoS Mappings Displaying the DSCP Table Displaying MAP Forwarding Queue Statistics...
  • Page 13 Configuring and Managing IGMP Snooping Overview Disabling or Reenabling IGMP Snooping Disabling or Reenabling Proxy Reporting Enabling the Pseudo-Querier Changing IGMP Timers Changing the Query Interval Changing the Other-Querier-Present Interval Changing the Query Response Interval Changing the Last Member Query Interval Changing Robustness Enabling Router Solicitation Changing the Router Solicitation Interval Configuring Static Multicast Ports...
  • Page 14 Mapping Security ACLs Mapping User-Based Security ACLs Mapping Security ACLs to Ports, VLANs, Virtual Ports, or Distributed MAPs Modifying a Security ACL Adding Another ACE to a Security ACL Placing One ACE before Another Modifying an Existing Security ACL Clearing Security ACLs from the Edit Buffer Using ACLs to Change CoS Filtering Based on DSCP Values Enabling Prioritization for Legacy Voice over IP...
  • Page 15 “Globs” and Groups for Network User Classification AAA Methods for IEEE 802.1X and Web Network Access IEEE 802.1X Extensible Authentication Protocol Types Ways a WX Switch Can Use EAP Effects of Authentication Type on Encryption Method Configuring 802.1X Authentication Configuring EAP Offload...
  • Page 16 Configuring Last-Resort Access for Wired Authentication Ports Configuring AAA for Users of Third-Party APs Authentication Process for Users of a Third-Party AP Requirements Configuring Authentication for 802.1X Users of a Third-Party AP with Tagged SSIDs Configuring Authentication for Non-802.1X Users of a Third-Party AP with Tagged SSIDs Configuring Access for Any Users of a Non-Tagged SSID Assigning Authorization Attributes...
  • Page 17 Configuring Communication with RADIUS Overview Before You Begin Configuring RADIUS Servers Configuring Global RADIUS Defaults Setting the System IP Address as the Source Address Configuring Individual RADIUS Servers Deleting RADIUS Servers Configuring RADIUS Server Groups Creating Server Groups Deleting a Server Group RADIUS and Server Group Configuration Scenario Managing 802.1X...
  • Page 18 Configuring Web Portal WebAAA for the Service Profile Creating the SODA Agent with SODA Manager Copying the SODA Agent to the WX Switch Installing the SODA Agent Files on the WX Switch Enabling SODA Functionality for the Service Profile Disabling Enforcement of SODA Agent Checks...
  • Page 19 Rogue Detection and Countermeasures Overview About Rogues and RF Detection Rogue Access Points and Clients RF Detection Scans Countermeasures Mobility Domain Requirement Summary of Rogue Detection Features Configuring Rogue Detection Lists Configuring a Permitted Vendor List Configuring a Permitted SSID List Configuring a Client Black List Configuring an Attack List Configuring an Ignore List...
  • Page 20 Backing Up and Restoring the System Managing Configuration Changes Backup and Restore Examples Upgrading the System Image Preparing the WX Switch for the Upgrade Upgrading an Individual Switch Using the CLI Command Changes During Upgrade Troubleshooting a WX Switch Fixing Common WX Setup Problems...
  • Page 21 Displaying Remote Traffic Monitoring Statistics Preparing an Observer and Capturing Traffic Capturing System Information and Sending it to Technical Support The display tech-support Command Core Files Debug Messages Sending Information to 3Com Technical Support Enabling and Logging System Requirements Browser Requirements WX Switch Requirements...
  • Page 22 Supported RADIUS Attributes Attributes Supported Standard and Extended Attributes 3Com Vendor-Specific Attributes Traffic Ports Used by MSS DHCP Server How the MSS DHCP Server Works Configuring the DHCP Server Displaying DHCP Server Information Obtaining Support for Products Register Your Product to Gain Service Benefits...
  • Page 23: About

    This guide describes the configuration commands for the 3Com Wireless LAN Switch WXR100, WX1200, or 3Com Wireless LAN Controller WX4400, WX2200. This guide is intended for System integrators who are configuring the WXR100, WX1200, WX4400, or WX2200. If release notes are shipped with your product and the information there differs from the information in this guide, follow the instructions in the release notes.
  • Page 24: Documentation

    These notes provide information about the MSS software release, including new features and bug fixes. Wireless LAN Switch and Controller Quick Start Guide This guide provides instructions for performing basic setup of secure (802.1X) and guest (WebAAA ™ ) access, for configuring a Mobility Domain for roaming, and for accessing a sample network plan in 3WXM for advanced configuration and management.
  • Page 25: Documentation Comments

    This manual shows you how to plan, configure, deploy, and manage the entire WLAN with the 3WXM tool suite. Read this guide to learn how to plan wireless services, how to configure and deploy 3Com equipment to provide those services, and how to optimize and manage your WLAN.
  • Page 26 About This Guide: Please note that we can only respond to comments and questions about 3Com product documentation at this e-mail address. Questions related to technical support or sales should be directed in the first instance to your network supplier.
  • Page 27: Using The Command-Line Interface

    Mobility System Software (MSS) operates a 3Com Mobility System wireless LAN (WLAN) consisting of 3Com Wireless Switch Manager software, Wireless LAN Switches (WX1200 or WXR100), Wireless LAN Controllers (WX4400 or WX2200), and Managed Access Points (MAPs). MSS has a command-line interface (CLI) on a WX switch that you can use to configure and manage the switch and its attached MAPs.
  • Page 28: Command Prompts

    {dynamic | port port-list} [vlan vlan-id] A vertical bar (|) separates mutually exclusive options within a list of possibilities. For example, you enter either enable or disable, not both, in the following command: set port {enable | disable} port-list Wireless LAN Switch and Controller...
  • Page 29 MAC addresses, virtual LAN (VLAN) names, and ports in a single command. 3Com recommends that you do not use the same name with different capitalizations for VLANs or access control lists (ACLs). For example, do not configure two separate VLANs with the names red and RED.
  • Page 30: User Globs, Mac Address Globs, And Vlan Globs

    Wildcard Masks: Security access control lists (ACLs) use source and destination IP addresses and wildcard masks to determine whether the WX filters or forwards IP packets. Matching packets are either permitted or denied network access. The ACL checks the bits in IP addresses that correspond to any 0s (zeros) in the mask, but does not check the bits that correspond to 1s (ones) in the mask.
  • Page 31 VLAN Globs A VLAN glob is a method for matching one of a set of local rules on a WX switch, known as the location policy, to one or more users. MSS compares the VLAN glob, which can optionally contain wildcard characters, against the VLAN-Name attribute returned by AAA, to determine whether to apply the rule.
  • Page 32: Port Lists

    To match all VLANs, use the double-asterisk (**) wildcard characters with no delimiters. To match any number of characters up to, but not including, a delimiter character in the glob, use the single-asterisk (*) wildcard.
  • Page 33: Virtual Lan Identification

    Identification communications, are set by you and can be changed. In contrast, VLAN ID numbers, which the WX switch uses locally, are determined when the VLAN is first configured and cannot be changed. Unless otherwise indicated, you can refer to a VLAN by either its VLAN name or its VLAN number.
  • Page 34: History Buffer

    History Buffer: The history buffer stores the last 63 commands you entered during a terminal session. You can use the Up Arrow and Down Arrow keys to select a command that you want to repeat from the history buffer. Tabs: The MSS CLI uses the Tab key for command completion.
  • Page 35 Print the route packets take to network host For more information on help, see the help command description in the Wireless LAN Switch and Controller Command To see a subset of the online help, type the command for which you want more information.
  • Page 36: Understanding Command Descriptions

    Special tips for command usage. These are omitted if the command requires no special usage. One or more examples of the command in context, with the appropriate system prompt and response. One or more related commands. Wireless LAN Switch and Controller...
  • Page 37: Wx Setup Methods

    Quick Starts The Web Quick Start enables you to easily configure a WXR100, WX1200 or WX2200 switch to provide wireless access to up to 10 users. The Web Quick Start is accessible only on unconfigured WXR100, WX1200 or WX2200 switches. The interface is not available on other switch models or on any switch that is already configured.
  • Page 38: 3Com Wireless Switch Manager

    (These options are described in more detail in “Remote WX Configuration” on page 49.) You also can use 3Com Wireless Switch Manager to plan your network, create WX switches in the plan, then deploy the switch configurations to the real switches. For information, see the following: To open a sample network plan, see “Opening the QuickStart...
  • Page 39: How A Wx Switch Gets Its Configuration

    How a WX Switch Gets its Configuration: Figure 1 shows how a WX switch gets a configuration when you power it on. Figure 1 WX Switch Startup Algorithm (flowchart: Switch is powered on. Does switch have a configuration? Model WXR100? Model WX1200 or WX2200? Boots with no configuration.)
  • Page 40: Web Quick Start (Wxr100, Wx1200 And Wx2200 Only)

    SSIDs and authentication types. The Web Quick Start enables you to configure one secure SSID and one clear SSID. You can configure additional SSIDs using the CLI or 3Com Wireless Switch Manager. Usernames and passwords for your wireless users. You can configure up to ten users with the Web Quick Start.
  • Page 41: Web Quick Start Requirements

    If you are configuring a WXR100, do not press the factory reset switch during power on. Pressing this switch on an unconfigured switch causes the switch to attempt to contact a 3Com Wireless Switch Manager server instead of displaying the Web Quick Start. (Other switch models also have reset switches, but the reset switch simply restarts these other models without clearing the configuration.)
  • Page 42 This is a temporary, well-known address assigned to the unconfigured switch when you power it on. The Web Quick Start enables you to change this address. The first page of the Quick Start Wizard appears. 6 Click Start to begin. The wizard screens guide you through the configuration steps.
  • Page 43 If the switch is rebooted, the configuration settings are restored when the reboot is finished. The switch is ready for operation. You do not need to restart the switch. CAUTION: On a WXR100, do not press the factory reset switch for more than four seconds! On a WXR100 that is fully booted, the factory reset switch erases the configuration if held for five seconds or more.
  • Page 44: Cli Quickstart Command

    CLI quickstart Command: The quickstart command runs a script that interactively helps you configure the following items: The quickstart command displays a prompt for each of these items, and lists the default if applicable. You can advance to the next item, and accept the default if applicable, by pressing Enter.
  • Page 45 In addition, error messages such as Critical AP Notice for directly connected MAPs can appear. To run the quickstart command: 1 Attach a PC to the WX switch’s serial console port. (Use these modem settings: 9600 bps, 8 bits, 1 stop, no parity, hardware flow control disabled.)
  • Page 46: Quickstart Example

    System IP address: 172.16.0.21, on IP interface 172.16.0.21 255.255.255.0 Default route: 172.16.0.20 Administrative user wxadmin, with password letmein. The only management access the switch allows by default is CLI access through the serial connection. System Time and date parameters: Date: 31st of March, 2007...
  • Page 47 SSIDs and sets of users, AAA ensures that only the users who are authorized to access an SSID can access that SSID. Users of separate SSIDs can even be in the same VLAN, as they are in this example. Figure 2 Single-Switch Deployment WX1200-20-Corp Backbone Internet 10.10.10.4...
  • Page 48 Specify the port number that needs to be tagged [1-2, <CR> ends config]: Admin username [admin]: wxadmin Admin password [optional]: letmein Enable password [optional]: enable Do you wish to set the time? [y]: y Enter the date (dd/mm/yy) []: 31/03/07 Is daylight saving time (DST) in effect [n]: n Enter the time (hh:mm:ss) []: 04:36:20...
  • Page 49: Remote Wx Configuration

    QuickStart—Contains a two-floor building with two WX switches and two MAPs on each switch. Each switch and its MAPs provide coverage for a floor. The 3Com equipment is configured to provide both clear (unencrypted) and secure (802.1X) wireless access. StarterKit—Contains a simple rectangle as a floor plan, but with one WX switch and four MAPs.
  • Page 50 2 Start 3WXM by doing one of the following: If you are starting 3Com Wireless Switch Manager for the first time, or you have not entered license information previously, the License Information dialog box appears. Enter the serial number and License, then click OK.
  • Page 51: Configuring Aaa For Administrative And Local Access

    1 Console connection. By default, any administrator can connect to the console port and manage the switch, because no authentication is enforced. (3Com recommends that you enforce authentication on the console port after initial connection.) 2 Telnet or SSH connection. Administrators cannot establish a Telnet or Secure Shell (SSH) connection to the WX by default.
  • Page 52 If it finds no match, the WX attempts administrative authentication on the RADIUS server. (For information about setting a WX switch to use RADIUS servers, see Chapter 22, “Configuring Communication with RADIUS,” on page 519.)
  • Page 53 Figure 3 Typical 3Com Mobility System (figure: Floor 1, Floor 2, Floor 3, Layer 2 switches, Core router, Data center, Layer 2 or Layer 3 switches, RADIUS or AAA Servers, Building 1, WX switches)...
  • Page 54: Before You Start

    MSS provides AAA either locally or via remote servers to authenticate valid users. MSS provides two modes of access: Types of Administrative Access: MSS allows you access to the WX switch with the following types of administrative access: Administrative access mode —...
  • Page 55: First-Time Configuration Via The Console

    Press Enter when prompted for them. To enable an administrator: 1 Log in to the WX switch from the serial console, and press Enter when the WX switch displays a username prompt: Username: 2 Press Enter when the WX switch displays a password prompt.
  • Page 56: Setting The Wx Switch Enable Password

    Setting the WX Switch Enable Password: ...optionally change the enable password from the default. 3Com recommends that you change the enable password from the default (no password) to prevent unauthorized users from entering configuration commands. Setting the WX Enable Password for the First Time: To set the enable password for the first time: 1 At the enabled prompt, type set enablepass.
  • Page 57: Authenticating At The Console

    Authenticating at the Console: You can configure the console so that authentication is required, or so that no authentication is required. 3Com recommends that you enforce authentication on the console port. To enforce console authentication, take the following steps: 1 Add a user in the local database by typing the following command with a...
  • Page 58: Customizing Aaa With "Globs" And Groups

    Passwords: Like usernames, passwords are case-sensitive. To make passwords secure, make sure they contain uppercase and lowercase letters and numbers. 3Com recommends that all users create passwords that are memorable to themselves, difficult for others to guess, and not subject to a dictionary attack.
  • Page 59: Adding And Clearing Local Users For Administrative Access

    “last-resort” guest user, the password has no effect. Last-resort users can never access a WX in administrative mode and never require a password. Adding and Clearing Local Users for Administrative Access: Usernames and passwords can be stored locally on the WX switch. 3Com recommends that you enforce console authentication after the initial...
  • Page 60 RADIUS server to receive the accounting records. Specify local, which causes the processing to be done on the WX switch, or specify a RADIUS server group. For information about configuring a RADIUS server group, see “Configuring RADIUS Server Groups”...
  • Page 61: Displaying The Aaa Configuration

    Configuration saved to configday. You must type the save config command to save all configuration changes since the last time you rebooted the WX switch or saved the configuration. If the WX switch is rebooted before you have saved the configuration, all changes are lost.
  • Page 62: Administrative Aaa Configuration Scenarios

    Chapter 22, “Configuring Communication with RADIUS,” on page 519.) Local Authentication The first time you access a WX switch, it requires no authentication. (For more information, see “First-Time Configuration via the Console” on page 55.) In this scenario, after the initial configuration of the WX switch, Natasha is connected through the console and has enabled access.
  • Page 63: Authentication When Radius Servers Do Not Respond

    Administrative AAA Configuration Scenarios Natasha also adds the RADIUS server (r1) to the RADIUS server group sg1, and configures Telnet administrative users for authentication through the group. She types the following commands in this order: WX1200# set server group sg1 members r1 success: change accepted.
  • Page 64: Local Override And Backup Local Authentication

    Natasha also enables backup RADIUS authentication for Telnet administrative users. If the RADIUS server does not respond, the user is authenticated by the local database in the WX switch. Natasha types the following commands: WX1200# set authentication admin * sg1 local success: change accepted.
  • Page 65: Managing User Passwords

    This chapter describes how to manage user passwords, configure user passwords, and how to display password information. Overview: 3Com recommends that all users create passwords that are memorable to themselves, difficult for others to guess, and not subject to a dictionary attack.
  • Page 66: Configuring Passwords

    All administrative logins, logouts, logouts due to idle timeout, and disconnects are logged. The audit log file on the WX switch (command_audit.cur) cannot be deleted, and attempts to delete log files are recorded. Setting a password for a user in the local database...
  • Page 67: Enabling Password Restrictions

    {enable | disable} When this command is enabled, the following password restrictions take effect: For example, to enable password restrictions on the WX switch, type the following command: WX# set authentication password-restrict enable warning: the following users have passwords that do not have...
  • Page 68: Specifying Minimum Password Length

    When you enable this command, MSS evaluates the passwords configured on the WX switch and displays a list of users whose password does not meet the minimum length restriction. For example, to set the minimum length for user passwords at 7...
  • Page 69: Configuring Password Expiration Time

    Configuring Passwords: Configuring Password Expiration Time: To specify how long a user’s password is valid before it must be reset, use the following command: set user username expire-password-in time To specify how long the passwords are valid for users in a user group, use the following command: set usergroup group-name expire-password-in time By default, user passwords do not expire.
  • Page 70: Restoring Access To A Locked-Out User

    10 user bob Password = 00121a08015e1f (encrypted) Password-expires-in = 59 hours (2 days 11 hours) status = disabled vlan-name = default service-type = 7 (For details on displaying passwords, see the Wireless LAN Switch and Controller Command Reference.
  • Page 71: Configuring And Managing Ports And Vlans

    Port state Power over Ethernet (PoE) state Load sharing Network port. A network port is a Layer 2 switch port that connects the WX switch to other networking devices such as switches and routers. MAP access port. A MAP access port connects the WX switch to a MAP.
  • Page 72 All WX switch ports are network ports by default. You must set the port type for ports directly connected to MAP access ports and to wired user stations that must be authenticated to access the network. When you change port type, MSS applies default settings appropriate for the port type.
  • Page 73 Before configuring a port as a MAP access port, you must use the set system countrycode command to set the IEEE 802.11 country-specific regulations on the WX switch. (See “Specifying the Country of Operation” on page 213.) Some MSS features that work with directly connected MAPs require a port number to be specified.
  • Page 74 You cannot configure any gigabit Ethernet port, or port 7 or 8 on a WX1200 switch, or port 1 on a WXR100, as a MAP port. To manage a MAP on a switch model that does not have 10/100 Ethernet ports, configure a Distributed MAP connection on the switch.
  • Page 75 Table 7 Valid dap-num Values Switch Model WX4400 WX1200 WXR100 WX2200 For the serial-id parameter, specify the serial ID of the MAP. The serial ID is listed on the MAP case. To display the serial ID using the CLI, use the display version details command.
  • Page 76 If clients are connected to a wired authentication port through a downstream third-party switch, the WX switch attempts to authenticate based on any traffic coming from the switch, such as Spanning Tree Protocol (STP) BPDUs. In this case, disable repetitive traffic emissions such as STP BPDUs from downstream switches.
  • Page 77: Configuring A Port Name

    To set the name of port 2 to adminpool, type the following command: WX1200# set port 2 name adminpool success: change accepted. To avoid confusion, 3Com recommends that you do not use numbers as port names. Removing a Port Name...
  • Page 78: Configuring Interface Preference On A Dual-Interface Gigabit Ethernet Port (Wx4400 Only)

    [port-list] To disable the fiber interface and enable the copper interface of port 2 on a WX4400 switch and verify the change, type the following commands: WX4400# set port media-type 2 rj45 WX4400# display port media-type...
  • Page 79: Configuring Port Operating Parameters

    They do not support half-duplex operation. Ports on the WX1200 switch support half-duplex and full-duplex operation. 3Com recommends that you do not configure the mode of a WX port so that one side of the link is set to autonegotiation while the other side is set to full-duplex.
  • Page 80 PoE when you set the port type. (See “Setting the Port Type” on page 71.) CAUTION: Use the WX switch’s PoE only to power 3Com MAPs. If you enable PoE on ports connected to other devices, damage can result.
  • Page 81: Displaying Port Information

    In this example, three of the switch’s ports, 1, 5, and 6, have an operational status of up, indicating the links on the ports are available. Ports 1 and 6 are network ports. Port 5 is a MAP access port.
  • Page 82 MAP connected to port 3 is drawing 1.44 W of power from the WX switch. (For more information about the fields in the output, see the Wireless LAN Switch and Controller Command Reference.) Displaying Port Statistics: To display port statistics, use the following command:...
  • Page 83 Clearing Statistics Counters To clear all port statistics counters, use the following command: clear port counters The counters begin incrementing again, starting from 0. Monitoring Port Statistics You can display port statistics in a format that continually updates the counters. When you enable monitoring of port statistics, MSS clears the CLI session window and displays the statistics at the top of the window.
  • Page 84 (Table fragment: Port Status Rx Unicast ...) (For information about the fields in the output, see the Wireless LAN Switch and Controller Command Reference.) Effect on monitor display: Advances to the next statistics type. Exits the monitor. MSS stops displaying the statistics and displays a new command prompt.
  • Page 85: Configuring Load-Sharing Port Groups

    Link Redundancy A port group ensures link stability by providing redundant connections for the same link. If an individual port in a group fails, the WX switch reassigns traffic to the remaining ports. When the failed port starts operating again, the WX switch begins using it for new traffic flows.
  • Page 86 To configure a port group named server1 containing ports 1 through 5 and enable the link, type the following command: WX1200# set port-group name server1 1-5 mode on success: change accepted. After you configure a port group, you can use the port group name with commands that change Layer 2 configuration parameters to apply configuration changes to all ports in the port group.
  • Page 87: Configuring And Managing Vlans

    Interoperating with Cisco Systems EtherChannel Load-sharing port groups are interoperable with Cisco Systems EtherChannel capabilities. To configure a Cisco Catalyst switch to interoperate with a 3Com WX switch, use the following command on the Catalyst switch: set port channel port-list mode on...
  • Page 88 VLANs automatically through authentication and authorization mechanisms such as 802.1X. By default, none of a WX switch’s ports are in VLANs. A switch cannot forward traffic on the network until you configure VLANs and add network ports to those VLANs.
  • Page 89 VLAN on all WX switches in the Mobility Domain. When a user roams to a switch that is not a member of the VLAN the user is assigned to, the switch can tunnel traffic for the user through another switch that is a member of the VLAN.
  • Page 90 VLANs but on different network ports. If you use a tag value, 3Com recommends that you use the same value as the VLAN number. MSS does not require the VLAN number and tag value to be the same, but some other devices do.
  • Page 91: Configuring A Vlan

    Specify a VLAN number from 2 to 4093, and specify a name up to 16 alphabetic characters long. You cannot use a number as the first character in a VLAN name. 3Com recommends that you do not use the same name with different capitalizations for VLANs or ACLs.
  • Page 92 After you create a VLAN, you can use the VLAN number or the VLAN name in commands. In addition, the VLAN name appears in CLI and 3Com Wireless Switch Manager displays. Adding Ports to a VLAN To add a port to a VLAN, use the following command: set vlan vlan-id port port-list [tag tag-value] You can specify a tag value from 1 through 4093.
  • Page 93: Changing Tunneling Affinity

    Do you wish to continue? (y/n) [n]y success: change accepted. You cannot remove the default VLAN (VLAN 1). However, you can add and remove ports. You can also rename the default VLAN, but 3Com recommends against it. Changing Tunneling To change the tunneling affinity, use the following command:...
  • Page 94: Restricting Layer 2 Forwarding Among Clients

    Restricting Layer 2 Forwarding Among Clients: By default, clients within a VLAN are able to communicate with one another directly at Layer 2. You can enhance network security by restricting Layer 2 forwarding among clients in the same VLAN. When you restrict Layer 2 forwarding in a VLAN, MSS allows Layer 2 forwarding only between a client and a set of MAC addresses, generally the VLAN’s default routers.
  • Page 95: Displaying Vlan Information

    The display can include MAP access ports and wired authentication ports, because MSS dynamically adds these ports to a VLAN when handling user traffic for the VLAN. (For information about the fields in the output, see the Switch and Controller Command En Drops 0 aa:bb:cc:dd:ee:ff...
  • Page 96: Managing The Layer 2 Forwarding Database

    Managing the Layer 2 Forwarding Database: A WX switch uses a Layer 2 forwarding database (FDB) to forward traffic within a VLAN. The entries in the forwarding database map MAC addresses to the physical or virtual ports connected to those MAC addresses within a particular VLAN.
  • Page 97: Displaying Forwarding Database Information

    Displaying Forwarding Database Information: You can display the forwarding database size and the entries contained in the database. Displaying the Size of the Forwarding Database: To display the number of entries contained in the forwarding database, use the following command: display fdb count {perm | static | dynamic} [vlan vlan-id] For example, to display the number of dynamic entries that the forwarding database contains, type the following command:...
  • Page 98: Adding An Entry To The Forwarding Database

    00:0b:0e:02:76:f5 Total Matching FDB Entries Displayed = 2 (For information about the fields in the output, see the Switch and Controller Command Adding an Entry to the Forwarding Database: To add an entry to the forwarding database, use the following command:...
  • Page 99: Configuring The Aging Timeout Period

    Configuring the Aging Timeout Period: The aging timeout period specifies how long a dynamic entry can remain unused before the software removes the entry from the database. You can change the aging timeout period on an individual VLAN basis. You can change the timeout period to a value from 0 through 1,000,000 seconds.
  • Page 100: Port And Vlan Configuration Scenario

    Port and VLAN Configuration Scenario: This scenario assigns names to ports, and configures MAP access ports, wired authentication ports, a load-sharing port group, and VLANs. 1 Assign names to ports to identify their functions, and verify the configuration change.
  • Page 101 Boot Time: 2000-03-18 22:59:19 Uptime: Fan status: fan1 OK fan2 OK fan3 OK Temperature: temp1 ok PSU Status: Lower Power Supply DC ok AC ok Memory: 156.08/496.04 (31%) Total Power Over Ethernet : 0.000 3 Configure ports 2 through 4 for connection to MAP model AP2750 and verify the configuration changes.
  • Page 102 4 Configure ports 5 and 6 as wired authentication ports and verify the configuration change. Type the following commands: WX1200# set port type wired-auth 5,6 success: change accepted WX1200# display port status Port Name mgmt finance accounting...
  • Page 103: Configuring And

    If the path MTU between WX switches is less than 1384 bytes, a device in the path might further fragment or drop a tunneled packet. If the packet is further fragmented, the receiving WX switch will not be able to reassemble the fragments, and the packet is dropped.
  • Page 104: Configuring And Managing Ip Interfaces

    IP interfaces are associated with VLANs. At least one VLAN on a WX switch must have an IP interface to provide management access. Optionally, the other VLANs configured on the switch also can each have an IP interface.
  • Page 105 The DHCP client is disabled by default on all other switch models, and is disabled on a WXR100 if the switch is already configured or the factory reset switch is not pressed and held during power on.
  • Page 106 If the switch is powered down or restarted, MSS does not retain the values received from the DHCP server. However, if the IP interface goes down but MSS is still running, MSS attempts to reuse the address when the interface comes back up.
  • Page 107: Disabling Or Reenabling An Ip Interface

    Displaying DHCP Client Information: To display DHCP client information, type the following command: WX1200# display dhcp-client Disabling or Reenabling an IP Interface: IP interfaces are enabled by default. To administratively disable or reenable an IP interface, use the following command: set interface vlan-id status {up | down} Removing an IP Interface: To remove an IP interface, use the following command:...
  • Page 108: Configuring The System Ip Address

    Configuring the System IP Address: You can designate one of the IP addresses configured on a WX switch to be the system IP address of the switch. The system IP address determines the interface or source IP address MSS uses for system tasks, including the...
  • Page 109 Otherwise, MSS uses a default route. For example, if the route table does not have a route to host 192.168.1.10, the WX switch uses the default route to forward a packet addressed to that host. 3Com recommends that you configure at least one default route.
  • Page 110: Displaying Ip Routes

    MSS adds routes with next-hop types Direct and Local when you add an IP interface to a VLAN, when the VLAN is up. Direct routes are for the locally attached subnets that the switch’s IP addresses are in. Local routes are for destination interfaces configured on the WX switch itself.
  • Page 111: Adding A Static Route

    10.0.2.255/32 IP 224.0.0.0/4 IP (For more information about the fields in the output, see the LAN Switch and Controller Command Adding a Static Route: To add a static route, use the following command: set ip route {default | ip-addr mask | ip-addr/mask-length} default-router metric The metric (cost) can be any number between 0 and 2,147,483,647.
  • Page 112: Removing A Static Route

    WX1200# set ip route default 10.2.4.17 2 success: change accepted. To add an explicit route from a WX switch to any host on the 192.168.4.x subnet through the local router 10.5.4.2, and give the route a cost of 1, type the following command: WX1200# set ip route 192.168.4.0 255.255.255.0 10.5.4.2 1...
  • Page 113: Managing The Management Services

    SSH is enabled by default. Telnet and HTTPS are disabled by default. A WX switch can have up to eight Telnet or SSH sessions, in any combination, and one Console session. A WXR100 can have up to four Telnet or SSH sessions, in any combination, and one Console session.
  • Page 114 When you initially connect to the WX switch with an SSH client, you can compare the SSH key checksum displayed by the WX switch with the one displayed by the client to verify that you really are connected to the WX switch and not another device. Generally, SSH clients remember the encryption key after the first connection, so you need to check the key only once.
  • Page 115 (For more information, see “Adding and Clearing Local Users for Administrative Access” on page 59.) Changing the SSH Service Port Number To change the SSH port the WX switch listens on for SSH connections, use the following command: set ip ssh port port-num CAUTION: If you change the SSH port number from an SSH session, MSS immediately ends the session.
  • Page 116: Managing Telnet

    (To manage Telnet client sessions, see “Logging In to a Remote Device” on page 132.) Managing Telnet: Telnet requires a valid username and password for access to the switch. Telnet Login Timers: After the username prompt is displayed, MSS allows 30 seconds to enter a valid username and password to complete the login.
  • Page 117 Enabled Changing the Telnet Service Port Number: To change the TCP port the WX switch listens on for Telnet connections, use the following command: set ip telnet port-num CAUTION: If you change the Telnet port number from a Telnet session, MSS immediately ends the session.
  • Page 118: Managing Https

    To display the Telnet server sessions on a WX switch, type the following command: WX1200# display sessions admin ------- tty0 tty2 tty3 3 admin sessions To clear all Telnet server sessions, type the following command:...
  • Page 119: Changing The Idle Timeout For Cli Management Sessions

    HTTPS connections with the switch and when the connections were established. If a browser connects to a WX switch from behind a proxy, then only the proxy IP address is shown. If multiple browsers connect using the same proxy, the proxy address appears only once in the output.
  • Page 120: Setting A Message Of The Day (Motd) Banner

    Setting a Message of the Day (MOTD) Banner: You can configure the WX switch to display a Message of the Day (MOTD) banner, which is a string of text that is displayed before the beginning of the login prompt for a user’s CLI session. The MOTD banner can be a message to users, or legal and government-mandated warning messages.
  • Page 121: Configuring And Managing Dns

    {enable | disable} Configuring DNS Servers: You can configure a WX switch to use one primary DNS server and up to five secondary DNS servers to resolve DNS queries. The WX switch always sends a request to the primary DNS server first.
  • Page 122: Configuring A Default Domain Name

    You can configure a single default domain name for DNS queries. The WX switch appends the default domain name to hostnames you enter in commands. For example, you can configure the WX switch to automatically append the domain name example.com to any hostname that does not have a domain name.
  • Page 123: Configuring And Managing Aliases

    Configuring and Managing Aliases: An alias is a string that represents an IP address. You can use aliases as shortcuts in CLI commands. For example, you can configure alias pubs1 for IP address 10.10.10.20, and enter ping pubs1 as a shortcut for ping 10.10.10.20.
  • Page 124: Configuring And Managing Time Parameters

    You also can configure MSS to offset the time by an additional hour for daylight savings time or similar summertime period. 3Com recommends that you set the time and date parameters before you install certificates on the WX switch. If the switch’s time and date are incorrect, the certificate might not be valid.
  • Page 125: Setting The Time Zone

    Setting the Time Zone: The time zone parameter adjusts the system date, and optionally the time, by applying an offset to UTC. To set the time zone, use the following command: set timezone zone-name {-hours [minutes]} The zone name can be up to 32 alphanumeric characters long, with no spaces.
  • Page 126 WX1200# display summertime Summertime is enabled, and set to 'PDT'. (For information about the fields in the output, see the Switch and Controller Command Clearing the Summertime Period To clear the summertime period, use the following command: clear summertime...
  • Page 127: Statically Configuring The System Time And Date

    NTP servers for an update every 64 seconds and waits 15 seconds for a reply. If the switch does not receive a reply to an NTP query within 15 seconds, the switch tries again up to 16 times. You can change the...
  • Page 128: Adding An Ntp Server

    If NTP is configured on a system whose current time differs from the NTP server time by more than 10 minutes, convergence of the WX time can take many NTP update intervals. 3Com recommends that you set the time manually to the NTP server time before enabling NTP to avoid a significant delay in convergence.
  • Page 129: Resetting The Update Interval To The Default

    The Timezone and Summertime fields are displayed only if you change the timezone or enable summertime. (For more information about the fields in the output, see the LAN Switch and Controller Command Peer state Local State...
  • Page 130: Managing The Arp Table

    This example shows two entries. The local entry (with LOCAL in the Type field) is for the WX switch itself. The MAC address of the local entry is the switch’s MAC address. The ARP table contains one local entry for each VLAN configured on the switch.
  • Page 131: Adding An Arp Entry

    Adding an ARP Entry MSS automatically adds a local entry for a WX switch and dynamic entries for addresses learned from traffic received by the switch. You can add the following types of entries: To add an ARP entry, use the following command: set arp {permanent | static | dynamic} ip-addr mac-addr To add a static ARP entry that maps IP address 10.10.10.1 to MAC...
  • Page 132: Pinging Another Device

    From within an MSS console session or Telnet session, you can use the Telnet client to establish a Telnet client session from a WX switch’s CLI to another device. To establish a Telnet client session with another device,...
  • Page 133: Tracing A Route

    [session-id] These commands display and clear Telnet sessions from a WX switch’s Telnet client to another device. To display the Telnet client sessions on a WX switch, type the following command: WX1200# display sessions telnet client...
  • Page 134 4 server1.example.com (192.168.22.7) 3 ms * 2 ms In this example, server1 is four hops away. The hops are listed in order, beginning with the hop that is closest to the WX switch and ending with the route’s destination. (For information about the command options, see...
  • Page 135: Ip Interfaces And Services Configuration Scenario

    IP Interfaces and Services Configuration Scenario: This scenario configures IP interfaces, assigns one of the interfaces to be the system IP address, and configures a default route, DNS parameters, and time and date parameters. 1 Configure IP interfaces on the mgmt and roaming VLANs, and verify the configuration changes.
  • Page 136 3 Configure a default route through a default router attached to the WX switch and verify the configuration change. Type the following commands: WX1200# set ip route default 10.20.10.1 1 success: change accepted. WX1200# display ip route...
  • Page 137 WX1200# display summertime Summertime is enabled, and set to 'PDT'. Start : Sun Apr 04 2004, 02:00:00 : Sun Oct 31 2004, 02:00:00 Offset : 60 minutes Recurring : yes, starting at 2:00 am of first Sunday of April and ending at 2:00 am on last Sunday of October.
  • Page 138 Chapter 6: Configuring and Managing IP Interfaces and Services...
  • Page 139: Configuring Snmp

    (USM) users, with individually configurable access levels, authentication options, and encryption options. Set the switch’s system IP address, if it is not already set. SNMP will not work without the system IP address. (See “Configuring the System IP Address” on page 108.) Optionally, set the system location and contact strings.
  • Page 140: Setting The System Location And Contact Strings

    Setting the System Location and Contact Strings: To set the location and contact strings for a switch, use the following commands: set system location string set system contact string Each string can be up to 256 characters long, with no blank spaces.
  • Page 141: Creating A Usm User For Snmpv3

    SNMP management application using the string can get and set object values on the switch. notify-read-write—An SNMP management application using the string can get and set object values on the switch. The switch can use the string to send notifications. notify-read-write...
  • Page 142 Enter the IP address of the station. MSS calculates the engine ID based on the address. local—Uses the value computed from the switch’s system IP address. none—No authentication is used. This is the default. md5—Message-digest algorithm 5 is used.
  • Page 143: Setting Snmp Security

    3des—Triple DES encryption is used. aes—Advanced Encryption Standard (AES) encryption is used. If the encryption type is des, 3des, or aes, you can specify a passphrase or a hexadecimal key. To specify a passphrase, use the encrypt-pass-phrase string option. The string can be from 8 to 32 alphanumeric characters long, with no spaces.
  • Page 144: Configuring A Notification Profile

    A notification profile is a named list of all the notification types that can be generated by a switch, and for each notification type, the action to take (drop or send) when an event occurs. A default notification profile (named default) is already configured in MSS.
  • Page 145 ApOperRadioStatusTraps—Generated when the status of a MAP radio changes. APTimeoutTraps—Generated when a MAP fails to respond to the WX switch. AuthenTraps—Generated when the WX switch’s SNMP engine receives a bad community string. AutoTuneRadioChannelChangeTraps—Generated when the RF Auto-Tuning feature changes the channel on a radio.
  • Page 146 MobilityDomainTimeoutTraps—Generated when a timeout occurs after a WX switch has unsuccessfully tried to communicate with a seed member. PoEFailTraps—Generated when a serious PoE problem, such as a short circuit, occurs.
  • Page 147 RFDetectInterferingRogueDisappearTraps—Generated when an interfering device is no longer detected. RFDetectSpoofedMacAPTraps—Generated when MSS detects a wireless packet with the source MAC address of a 3Com MAP, but without the spoofed MAP’s signature (fingerprint). RFDetectSpoofedSsidAPTraps—Generated when MSS detects beacon frames for a valid SSID, but sent by a rogue AP.
  • Page 148: Configuring A Notification Target

    WX1200# set snmp notify profile snmpprof_rfdetect send RFDetectInterferingRogueAPTraps success: change accepted. WX1200# set snmp notify profile snmpprof_rfdetect send RFDetectInterferingRogueDisappearTraps success: change accepted. WX1200# set snmp notify profile snmpprof_rfdetect send RFDetectRogueAPTraps success: change accepted. WX1200# set snmp notify profile snmpprof_rfdetect send RFDetectRogueDisappearTraps success: change accepted.
  • Page 149 To clear a notification target, use the following command: clear snmp notify target target-num The target-num is an ID for the target. This ID is local to the WX switch and does not need to correspond to a value on the target itself. You can specify a number from 1 to 10.
  • Page 150 The inform or trap option specifies whether the MSS SNMP engine expects the target to acknowledge notifications sent to the target by the WX switch. Use inform if you want acknowledgements. Use trap if you do not want acknowledgements. The inform option is applicable to SNMP version v2c or usm only.
  • Page 151: Enabling The Snmp Service

    This command configures target 1 at IP address 10.10.40.9. The target’s SNMP engine ID is based on its address. The MSS SNMP engine will send notifications based on the default profile, and will require the target to acknowledge receiving them.
  • Page 152: Displaying Notification Profiles

    Displaying Notification Profiles: To display notification profiles, use the following command: display snmp notify profile The command lists settings separately for each notification profile. The use count indicates how many notification targets use the profile. For each notification type, the command lists whether MSS sends notifications of that type to the targets that use the notification profile.
  • Page 153: Configuring And Managing Mobility

    AAA servers, see “Traffic Ports Used by MSS” on page 661 for the ports typically used in a Mobility Domain.) 3Com recommends that you run the same MSS version on all the WX switches in a Mobility Domain.
  • Page 154: Configuring A Mobility Domain

    The Mobility Domain name is assigned to the seed WX switch only. The WX switch system IP address is used as the source IP address for all Mobility Domain communications. If the system IP address is not set, MSS...
  • Page 155: Configuring Member Wx Switches On The Seed

    This command sets the WX switch as a member of the Mobility Domain defined on the seed device at the identified address. If the WX switch is currently part of another Mobility Domain or using another seed, this command overwrites that configuration.
  • Page 156: Configuring Mobility Domain Seed Redundancy

    When the primary seed is restored, it resumes its role as the primary seed switch in the Mobility Domain. The secondary seed returns to its role as a regular member of the Mobility Domain. Use the following commands to configure a Mobility Domain consisting...
  • Page 157: Displaying Mobility Domain Status

    You can clear all Mobility Domain configuration from a WX switch, regardless of whether the WX switch is a seed or a member of a Mobility Domain. You might want to clear the Mobility Domain to change a WX switch from one Mobility Domain to another, or to remove a WX switch from the Mobility Domain.
  • Page 158: Configuring Wx-Wx Security

    Specify the key as 16 hexadecimal bytes, separated by colons. Here is an example: 00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff On each member switch, specify the seed’s IP address and its public key. Use the following command: set mobility-domain mode member seed-ip ip-addr key hex-bytes This command does not need to be entered on the seed switch.
  • Page 159: Monitoring The Vlans And Tunnels In A Mobility Domain

    Tunnels connect WX switches. Tunnels are formed automatically in a Mobility Domain to extend a VLAN to the WX switch that a roaming station is associated with. A single tunnel can carry traffic for many users and many VLANs.
  • Page 160: Displaying Roaming Vlans And Their Affinities

    If multiple WX switches have native attachments to the VLAN, the affinity values they advertise are a way to attract tunneled traffic to a particular WX switch for that VLAN. A higher value represents preferred connection to the VLAN. (For more information, see “Changing Tunneling Affinity”...
  • Page 161: Understanding The Sessions Of Roaming Users

    Roaming requires certain conditions and can be affected by some of the WX switch’s timers. You can monitor a wireless client’s roaming sessions with the display sessions network verbose command. Requirements for...
  • Page 162: Effects Of Timers On Roaming

    For example, the following command displays information about the sessions of a wireless client who roamed between the ports on a WX switch. The output shows that the client SHUTTLE\2\exmpl roamed from the MAP connected to port 3 to the MAP connected to port 6 on the same WX, and then roamed back to the MAP connected to port 3.
  • Page 163: Mobility Domain Scenario

    WX1200# set mobility-domain member 192.168.111.112 success: change accepted. 3 For each member WX switch, configure the IP address used to reach the seed WX switch. Type the following commands: WX1200# set mobility-domain member seed-ip 192.168.253.21 4 Display the Mobility Domain status. Type the following command:...
  • Page 164 vlan-wep vlan-wep 7 To display active roaming tunnels, type the following command: WX1200# display tunnel VLAN Local Address Remote Address vlan-eng 192.168.12.7 vlan-eng 192.168.12.7 192.168.12.7 192.168.15.5 192.168.15.5 192.168.14.6...
  • Page 165: Configuring Network Domains

    Mobility Domain to establish connectivity on a WX switch in a remote Mobility Domain. The WX switch forwards the user traffic by creating a VLAN tunnel to a WX switch in the remote Mobility Domain.
  • Page 166 Network Domain members. The Network Domain seeds share this information among themselves, so that every seed has an identical database. In the example above, one WX switch at each site is a Network Domain seed. Each Network Domain member maintains a TCP connection to one of the seeds.
  • Page 167 Bob is configured to be on, VLAN Red, does not exist in the Corporate Office Mobility Domain. 2 Unable to find VLAN Red in the local Mobility Domain, the WX switch then contacts the local Network Domain seed. The Network Domain seed contains a database of all the VLANs configured on all the members of the Network Domain.
  • Page 168: Network Domain Seed Affinity

    4 A VLAN tunnel is created between the WX switch at the Corporate Office and the WX switch at Sales Office C. 5 Bob establishes connectivity on the network at the corporate office and is placed in VLAN Red.
  • Page 169: Configuring A Network Domain

    The WX switch has an affinity value of 10 (highest) for the local seed, and an affinity value of 7 for the seed at Branch Office 1. The WX switch has an affinity of 5 (the default) for the other seeds in the Network Domain.
  • Page 170: Specifying Network Domain Seed Peers

    For example, the following command sets the current WX switch as a seed with the Network Domain California: WX1200# set network-domain mode seed domain-name California success: change accepted. If the seed in a Network Domain is also intended to be a member of the Network Domain, you must enter the following command on the seed, with the specified IP address pointing to the seed itself.
  • Page 171: Configuring Network Domain Members

    Use the following command to set the current WX switch as a member of a Network Domain where a specified WX switch is a seed: set network-domain mode member seed-ip ip-addr [affinity num] You can enter this command multiple times on a WX switch, specifying different Network Domain seeds with different affinity values.
  • Page 172: Displaying Network Domain Information

    On a WX switch that is a Network Domain seed, information is displayed about the Network Domain seeds with which the WX switch has a peer relationship, as well as the Network Domains of which the WX switch is a member. For example:...
  • Page 173: Clearing Network Domain Configuration From A Wx Switch

    Clearing Network Domain Configuration from a WX Switch: You can clear all Network Domain configuration from a WX switch, regardless of whether the WX switch is a seed or a member of a Network Domain. You may want to do this in order to change a WX switch from...
  • Page 174: Network Domain Scenario

    Network Domain seed at Site 1 is also the seed for Mobility Domain A. The Network Domain seed at Site 2 is used by both Mobility Domains B and C. At least one Network Domain seed is aware of each WX switch in the installation and maintains an active TCP connection with it.
  • Page 175 The following is the Network Domain configuration for this scenario: 1 Make the WX switch with IP address 10.10.10.1 a seed of a Network Domain called globaldom and establish a peer relationship with the WX switch with IP address 20.20.20.1. Type the following commands: WX1200# set network-domain mode seed domain-name globaldom success: change accepted.
  • Page 176 20.20.20.1 20.20.20.2 20.20.20.3 30.30.30.1 30.30.30.2 Member Network Domain name: globaldom Member 10.10.10.1 10.10.10.2 10.10.10.3 20.20.20.1 20.20.20.2 20.20.20.3 30.30.30.1 30.30.30.2 State SEED MEMBER MEMBER MEMBER MEMBER Mode SEED MEMBER MEMBER SEED MEMBER MEMBER MEMBER...
  • Page 177: Configuring Map Access Points

    MAP Overview Figure 8 shows an example of a 3Com network containing MAPs and WX switches. A MAP can be directly connected to a WX switch port or indirectly connected to a WX switch through a Layer 2 or IPv4 Layer 3 network.
  • Page 178 Figure 8 Example 3Com Network serial-id M9DE48B012F00 serial-id M9DE48B123400 Port Port System IP address 10.10.10.4 Port Port Wired authentication client serial-id M9DE48B234500 VLANs on WX 1 VLAN 2 mgmt, port 5, 10.10.10.4/24 VLAN 4 blue, port 5, tag 20, 10.10.20.2/24...
  • Page 179: Country Of Operation

    Directly Connected MAPs and Distributed MAPs: To configure the WX switch to support a MAP, you must first determine how the MAP connects to the switch. There are two types of MAP to WX connections: direct and distributed. Configure SSID and encryption settings in a service profile.
  • Page 180 Static IP configuration—If DHCP is not available in the network, a Distributed MAP can be configured with static IP information that specifies its IP address, as well as the WX switch it uses as its boot device. DNS — If the intermediate network between the WX switch and Distributed MAP includes one or more IP routers, create a 3COMWX.mynetwork.com entry on the DNS server.
  • Page 181 If only 3COMWX is defined in DNS, the MAP contacts the WX with an IP address returned for 3COMWX. Distributed MAPs and STP A Distributed MAP is a leaf device. You do not need to enable STP on the port that is directly connected to the MAP. If Spanning Tree Protocol (STP) is enabled on the port that is directly connected to a Distributed MAP, you might need to change the STP configuration on the port, to allow the MAP to boot.
  • Page 182 After receiving a DHCP Offer containing a valid string for option 43, a Distributed MAP sends a unicast Find WX message to each WX switch in the list. See “How a Distributed MAP Contacts a WX Switch (DHCP-Obtained Address)” on page 190 for a description of this process.
  • Page 183 MAP Overview Description MAP name. Setting a MAP’s bias on a WX switch to high causes the switch to be preferred over switches with low bias, for booting and managing the MAP. Note: Bias applies only to switches that are...
  • Page 184 Layer 2 or Layer 3 network. A MAP always attempts to boot on MAP port 1 first, and if a WX switch is directly attached on MAP port 1, the MAP boots from it regardless of the bias settings.
  • Page 185 Dual-Homed Direct Connections to a Single WX Figure 9 shows an example of a dual-homed direct connection to one WX switch. In this configuration, if the MAP’s active data link with the WX switch fails, the MAP detects the link failure and restarts using the other link on the same switch.
  • Page 186 Figure 11 shows an example of a dual-homed configuration in which one MAP connection is direct and the other is distributed over the network. Figure 11 Dual-Homed Direct and Distributed Connections to WX Switches WX switch WX switch WX switch...
  • Page 187 MAP Ports Figure 12 shows an example of a dual-homed configuration in which both MAP connections are distributed over the network. Figure 12 Dual-homed Distributed Connections to WX Switches on Both MAP Ports WX switch WX switch Network Network backbone...
  • Page 188 If the switches are in another subnet, the MAP uses DNS to locate one of the switches, and asks the switch to send the IP address of the best WX to use, based on the bias settings on each switch and the capacity of each switch to add new active MAP connections.
  • Page 189: Boot Process For Distributed Maps

    MAPs; it does not apply to a directly connected MAP. The boot process for a directly connected MAP occurs strictly between the MAP and WX switch and makes no use of the network’s DHCP or DNS services. The boot process for a distributed MAP consists of the following steps:...
  • Page 190: Contacting A Wx Switch

    IP address, subnet mask, default gateway router, and whether the configured static IP address information is enabled for the MAP. b The IP address of a suitable WX switch for the MAP to use as a boot device. c The fully qualified domain name of a WX switch to use as a boot device, and the IP address of a DNS server used to resolve the WX switch’s name. These items are referred to by letter in the description of how the MAP contacts a WX switch in “How a Distributed MAP Contacts a WX Switch...
  • Page 191 4 The DNS server replies with the system IP address of a WX switch. If only 3COM is defined in DNS, the MAP sends a unicast Find WX message to the WX switch whose IP address is returned for 3Com.
  • Page 192 WX message to the WX switch whose IP address is returned for wlan-switch. If both 3Com and wlan-switch are defined in DNS, the MAP sends a unicast Find WX message to the WX switch whose IP address is returned for 3Com. The MAP ignores the IP address returned for wlan-switch.
  • Page 193 IP address, subnet mask, default gateway router, and whether the configured static IP address information is enabled for the MAP. b The IP address of a suitable WX switch for the MAP to use as a boot device. c The fully qualified domain name of a WX switch to use as a boot device, and the IP address of a DNS server used to resolve the WX switch’s name.
  • Page 194 3 If Items A and C are specified, the MAP sends a DNS request to resolve the fully qualified domain name of the WX switch. If the DNS server is not on the local subnet, the MAP uses the default gateway router address to contact the DNS server.
  • Page 195: Loading And Activating An Operational Image

    Version 5.0 or later, and the WX switch does not have a newer MAP image than the one stored locally on the MAP. If the WX switch is not running MSS Version 5.0 or later, or the WX switch has a newer version of the MAP image than the version in the MAP’s local storage, the MAP...
  • Page 196 MAP connected through a Layer 3 network. Figure 16 on page 200 shows an example of the boot process for a dual-homed MAP that has one direct connection to a WX switch and an indirect connection through a Layer 2 network.
  • Page 197 4 WX1 and WX3 have high priority for the MAP and reply immediately. 5 The MAP contacts WX1 and determines whether it should use a locally stored operational image or download it from the WX switch. WX1 is contacted because it has fewer active MAP connections than WX3.
  • Page 198 3 The MAP sends a broadcast Find WX message to the IP subnet broadcast address. 4 When the MAP is unable to locate a WX on the subnet it is connected to, the MAP then sends a DNS request for 3com.example.com and wlan.example.com. MAP A...
  • Page 199 5 The DNS server sends the system IP address of the WX switch mapped to 3com.example.com. In this example, the address is for WX1. 6 The MAP sends a unicast Find WX message to WX1. 7 WX1 receives the Find WX message and compares the bias settings on each WX for the MAP.
  • Page 200 WX1 and an indirect connection to WX2 and WX3. In this configuration, since the MAP is directly connected to a WX switch, the MAP boots using the directly connected WX switch regardless of the bias set on any of the WX switches configured for the MAP.
  • Page 201 IP information. In the example, the MAP has been configured to use the following: Static IP address: 172.16.0.42, netmask: 255.255.255.0, default router 172.16.0.20; Boot WX switch: wxr100; DNS server: 172.16.0.1. Figure 17 MAP Booting with a Static IP Address DAP 1 static IP: 172.16.0.42 Layer 2...
  • Page 202: Service Profiles

    2 The DNS server resolves the fully qualified domain name of the WX switch, wxr100. 3 The MAP sends a Find WX message to the WX switch WXR100. 4 The WX switch WXR100 responds to the Find WX message. 5 The MAP sends a unicast message to the WX switch WXR100 and determines whether it should use a locally stored image or download it from the WX switch.
  • Page 203 Table 10 Defaults for Service Profile Parameters (continued). Parameter / Default Value: auth-fallthru: web-auth; auth-psk: disable; beacon: enable; cac-mode: none; cac-session; cipher-ccmp: disable; cipher-tkip: enable; cipher-wep104: disable; cipher-wep40: disable; dhcp-restrict: disable; idle-client-probing: enable; long-retry-count. Radio Behavior When Parameter Set to Default Value: Uses WebAAA for users who do not match an 802.1X or MAC authentication rule for the SSID...
  • Page 204 Sygate On Demand Agent (SODA) files are not downloaded to connecting clients. Uses the SSID name 3Com. Encrypts wireless traffic for the SSID. Assigns CoS based on the QoS mode (wmm or svp) or based on ACLs.
  • Page 205 Table 10 Defaults for Service Profile Parameters (continued). Parameter / Default Value: tkip-mc-time: 60000; transmit-rates: 802.11a: mandatory: 6.0,12.0,24.0 beacon-rate: multicast-rate: auto disabled: none; 802.11b: mandatory: 1.0,2.0 beacon-rate: multicast-rate: auto disabled: none; 802.11g: mandatory: 1.0,2.0,5.5,1 beacon-rate: multicast-rate: auto disabled: none; user-idle-timeout. Radio Behavior When Parameter Set to Default Value: Uses Michael countermeasures for...
  • Page 206 Chapter 10: Configuring MAP Access Points. Table 10 Defaults for Service Profile Parameters (continued). Parameter: web-portal-acl, web-portal-form, web-portal-session-timeout, wep key-index, active-multicast-index, active-unicast-index, wpa-ie. Default Value: portalacl (Note: This is the default only if...) (To configure a service profile, see “Configuring a Service Profile” on page 233.)
  • Page 207 Public and Private SSIDs Each radio can support the following types of SSIDs: Encrypted SSID — Clients using this SSID must use encryption. Use the encrypted SSID for secured access to your enterprise network. Clear SSID — Clients using this SSID do not use encryption. Use the clear SSID for public access to nonsecure portions of your network.
  • Page 208 BSSID is equal to the MAP’s base MAC address + 2, and so on. All radio MAC addresses are dynamically allocated by the WX switch after the MAP boots. MSS allocates a unique block of eight consecutive addresses to each radio. Each SSID configured on the radio uses one of the addresses as its BSSID.
  • Page 209: Radio Profiles

    Encryption Encrypted SSIDs can use the following encryption methods: Wi-Fi Protected Access (WPA) Non-WPA dynamic Wired Equivalent Privacy (WEP) Non-WPA static WEP Dynamic WEP is enabled by default. (For more information, including configuration instructions, see Chapter 13, “Configuring User Encryption,” on page 281.) Radio Profiles You can easily assign radio configuration parameters to many radios by configuring a radio profile and assigning the profile to the radios.
  • Page 210 Table 12 Defaults for Radio Profile Parameters (continued). Parameter: frag-threshold, max-rx-lifetime, max-tx-lifetime, preamble-length (short), qos-mode, rfid-mode, rts-threshold, service-profile, wmm-powersave (disable). Default Value 2346... (To configure a radio profile, see “Configuring a Radio Profile” on page 240.)
  • Page 211 RF Auto-Tuning The RF Auto-Tuning feature dynamically assigns channel and power settings to MAP radios, and adjusts those settings when needed. RF Auto-Tuning can perform the following tasks: Assign initial channel and power settings when a MAP radio is started. Periodically assess the RF environment and change the channel or power setting if needed.
  • Page 212 Although these parameters have default values, 3Com recommends that you change the values for each radio for optimal performance. For example, leaving the channel number on each radio set to its default value can result in high interference among the radios.
  • Page 213: Configuring Maps

    Configuring MAPs To configure MAPs, perform the following tasks, in this order: Specifying the Country of Operation: You must specify the country in which you plan to operate the WX and its MAPs. MSS does not allow you to configure or enable the MAP radios until you specify the country of operation.
  • Page 214 Table 14 Country Codes Country Algeria Argentina Australia Austria Bahrain Belgium Belize Bolivia Bosnia and Herzegovina Brazil Bulgaria Canada Chile China Colombia Costa Rica Cote d’Ivoire Croatia Cyprus Czech Republic Denmark Dominican Republic Ecuador El Salvador Egypt Estonia Finland...
  • Page 215 Table 14 Country Codes (continued) Country Honduras Hong Kong Hungary Iceland India Indonesia Ireland Israel Italy Jamaica Japan Jordan Kazakhstan Kenya Kuwait Latvia Lebanon Liechtenstein Lithuania Luxembourg Macedonia, former Yugoslav Republic of Malaysia Malta Mauritius Mexico Morocco Namibia Netherlands New Zealand Nigeria Norway (continued)
  • Page 216 Table 14 Country Codes (continued) Country Oman Pakistan Panama Paraguay Peru Philippines Poland Portugal Puerto Rico Qatar Romania Russia Saudi Arabia Serbia Singapore Slovakia Slovenia South Africa South Korea Spain Sri Lanka Sweden Switzerland Taiwan Thailand Trinidad and Tobago Tunisia Turkey...
  • Page 217 Table 14 Country Codes (continued) Country Uruguay Venezuela Vietnam The current software version might not support all of the countries listed here. To verify the configuration change, use the following command: display system The following commands set the country code to US (United States) and verify the setting: WX1200# set system countrycode US success: change accepted.
  • Page 218: Configuring An Auto-Ap Profile For Automatic Map Configuration

    MAP, and sends the MAP the IP address of that switch. The best switch to use for configuring the MAP is the switch that has an Auto-AP profile with a high bias setting. If more than one WX has an Auto-AP profile with a high bias setting, the switch that has the greatest capacity to add new unconfigured MAPs is selected.
  • Page 219 The Number of MAPs that can be active on the switch, minus the number that are active, is 12 - 8 = 4. The lesser of the two values is 4. The switch can have up to 4 more MAPs. For WX1200 B: The Number of MAPs that can be configured on the switch, minus the number that are configured, is 30 - 20 = 10.
  • Page 220 The disconnected MAP can then begin the boot process again to find another WX switch that has an Auto-AP profile. When the MAP is disconnected, the MAP clients experience a service disruption, and will attempt to associate with another MAP if available to reconnect to the SSID they were using.
  • Page 221 Distributed MAP. Instead of specifying a Distributed MAP number with the command, specify auto. For more information about the syntax, see the “MAP Commands” chapter of the Wireless LAN Switch and Controller Command Reference. Default Value high...
  • Page 222 MAP Parameters: set dap auto bias {high | low} set dap auto blink {enable | disable} set dap auto force-image-download {enable | disable} set dap auto group name set dap auto mode {enable | disable} set dap auto persistent [apnumber | all] set dap auto upgrade-firmware {enable | disable} Radio Parameters:...
  • Page 223 Displaying Status Information for MAPs Configured by the Auto-AP Profile To display status information for MAPs configured by the Auto-AP profile, type the following command: WX# display ap status auto AP: 7, AP model: AP3750, manufacturer 3Com, name: MAP07 ==================================================== State: operational (not encrypted) CPU info:...
  • Page 224: Configuring Map Port Parameters

    (For information about configuring RF Auto-Tuning settings on a radio, see Chapter 14, “Configuring RF Auto-Tuning,” on page 311.) Table 17 lists how many MAPs you can configure on a WX switch, and how many MAPs a switch can boot. The numbers are for directly connected and Distributed MAPs combined.
  • Page 225 By default, Distributed MAPs use the procedure described in “How a Distributed MAP Obtains an IP Address through DHCP” on page 189 to obtain an IP address and connect to a WX switch. In some installations, DHCP may not be available. In such a case, you can manually assign static IP address information to the MAP.
  • Page 226 [switch-ip ip-addr] [name name dns ip-addr] [mode {enable | disable}] You can specify the WX switch by its fully qualified domain name; in this case, you also specify the address of the DNS server used to resolve the WX switch’s name.
  • Page 227 For example, the default name for Distributed MAP 1 is AP01. MAP names appear in the output of some CLI display commands and in 3Com Wireless Switch Manager. To change the name of a MAP, use the following command: set ap apnumber name name...
  • Page 228 MAP stores copies of its operational image locally, in its internal flash memory. At boot time, the MAP can either load the locally stored image, or it can download an operational image from the WX switch to which it has connected.
  • Page 229: Configuring Map-Wx Security

    MAP image than the one in the MAP’s local storage. If the switch is not running MSS Version 5.0 or later, or the WX has a newer version of the MAP image than the version in the MAP’s local storage, the MAP loads its image from the WX.
  • Page 230 1498 bytes, whereas the MTU for unencrypted management traffic is 1474 bytes. Make sure the devices in the intermediate network between the WX switch and Distributed MAP can support the higher MTU. Encryption Key Fingerprint MAPs are configured with an encryption key pair at the factory. The...
  • Page 231 If the MAP is already installed and operating, use the display ap status command to display the fingerprint. The following example shows information for Distributed MAP 8, including its fingerprint: WX# display ap status 8 AP: 7, AP model: AP3750, manufacturer: 3Com, name: AP08 fingerprint: b4:f9:2a:52:37:58:f4:d0:10:75:43:2f:45:c9:52:c3 ==================================================== State:...
  • Page 232 MSS. If the fingerprint has not been verified, the fingerprint info in the command output is blank Verifying a Fingerprint on a WX Switch To verify a MAP fingerprint, find the fingerprint and use the set ap fingerprint command to enter the fingerprint in MSS.
  • Page 233: Configuring A Service Profile

    Chapter 15, “Configuring Quality of Service” on page 327; “Configuring the Web Portal WebAAA Session Timeout Period” on page 477; “Assigning SSID Default Attributes to a Service Profile” on page 493; Chapter 24, “Configuring SODA Endpoint Security for a WX Switch,” on page 543...
  • Page 234 You can include blank spaces in the name, if you delimit the name with single or double quotation marks. You must use the same type of quotation mark (either single or double) on both ends of the string. The following command configures a service profile named corp1, and assigns SSID mycorp_rnd to it: WX1200# set service-profile corp1 ssid-name mycorp_rnd...
  • Page 235 SSIDs are beaconed by default. A MAP radio responds to an 802.11 probe any request only for a beaconed SSID. A client that sends a probe any request receives a separate response for each of the beaconed SSIDs supported by a radio. For a nonbeaconed SSID, radios respond only to directed 802.11 probe requests that match the nonbeaconed SSID’s SSID string.
  • Page 236 Table 19 Transmit Rates. mandatory: default value 11a—6.0,12.0,24.0; 11b—1.0,2.0; 11g—1.0,2.0,5.5,11.0; description: Set of data transmission rates that clients are required to support in order to associate with an SSID on a MAP radio. disabled: default value None (all rates applicable to the radio type are supported by default). beacon-rate: default value 11a—6.0; 11b—2.0; 11g—2.0.
  • Page 237 Table 19 Transmit Rates (continued) Parameter Default Value multicast-rate auto for all radio types To change transmit rates for a service profile, use the following command: set service-profile name transmit-rates {11a | 11b | 11g} mandatory rate-list [disabled rate-list] [beacon-rate rate] [multicast-rate {rate | auto}] The following command sets 802.11a mandatory rates for service profile sp1 to 6 Mbps and 9 Mbps, disables rates 48 Mbps and 54 Mbps, and...
  • Page 238 Data rate enforcement is useful if you want to completely prevent clients from transmitting at disabled data rates. For example, you can disable slower data rates so that clients transmitting at these rates do not consume bandwidth on the channel at the expense of clients transmitting at faster rates.
  • Page 239 Responding to keepalive messages requires power use by a client. If you need to conserve power on the client (for example, on a VoIP handset), you can disable idle-client probing. To disable or reenable idle-client probing, use the following command: set service-profile name idle-client-probing {enable | disable} The following command disables idle-client probing on service profile...
  • Page 240: Configuring A Radio Profile

    To change the short retry threshold for service profile sp1 to 3, type the following command: WX1200# set service-profile sp1 short-retry 3 success: change accepted. Changing the Long Retry Threshold The long retry threshold specifies the number of times a radio can send a long unicast frame for an SSID without receiving an acknowledgment for the frame.
  • Page 241 Creating a New Profile To create a radio profile, use the following command: set radio-profile name [mode {enable | disable}] Specify a name of up to 16 alphanumeric characters. Do not include the mode enable or mode disable option. After you create the radio profile, you can use the enable and disable options to enable or disable all radios that use the profile.
  • Page 242 Changing the DTIM Interval The DTIM interval specifies the number of times after every beacon that a radio sends a delivery traffic indication map (DTIM). A MAP sends the multicast and broadcast frames stored in its buffers to clients who request them in response to the DTIM.
  • Page 243 To change the RTS threshold, use the following command: set radio-profile name rts-threshold threshold The threshold can be a value from 256 bytes through 3000 bytes. The default is 2346. To change the RTS threshold for radio profile rp1 to 1500 bytes, type the following command: WX1200# set radio-profile rp1 rts-threshold 1500 success: change accepted.
  • Page 244 Changing the Maximum Transmit Threshold The maximum transmission threshold specifies the number of milliseconds a frame scheduled to be transmitted by a radio can remain in buffer memory. To change the maximum transmit lifetime, use the following command: set radio-profile name max-tx-lifetime time The time can be from 500 ms (0.5 second) through 250,000 ms (250 seconds).
  • Page 245 The default preamble length value is short. This command does not apply to 802.11a radios. To change the preamble length advertised by 802.11b/g radios, use the following command: set radio-profile name preamble-length {long | short} To configure 802.11b/g radios that use the radio profile rp_long to advertise support for long preambles instead of short preambles, type the following command: WX1200# set radio-profile rp_long preamble-length long...
  • Page 246: Configuring Radio-Specific Parameters

    You must disable all radios that are using a radio profile before you can remove the profile. (See “Disabling or Reenabling All Radios Using a Profile” on page 250.) To disable the radios that are using radio profile rptest and remove the profile, type the following commands: WX1200# set radio-profile rptest mode disable WX1200# clear radio-profile rptest...
  • Page 247 You also can change the channel and transmit power on an individual basis. Configuring the External Antenna Model and Location Table 20 lists the external antenna models you can use on 3Com MAP models AP2750, AP3150, AP3750, AP7250, AP8250, and AP8750. The AP2750 supports all antennas listed in the table except model ANT3C598.
  • Page 248 Table 21 lists the external antenna models you can use with these MAPs. Table 21 MP-341, MP-352, MP-262 External Antenna Models Model ANT-5060 (ASTN6S)* ANT-5120 (ASTN6T) ANT-5180 (ASTN6H) ANT1060 ANT1120 ANT1180 Table 22 lists the external antenna models you can use with the MP-620. Table 22 MP-620 External Antenna Models Model ANT-1360-OUT...
  • Page 249: Mapping The Radio Profile To Service Profiles

    To configure antenna model ANT1060 for an MP-262 on MAP 1, type the following command: WX1200# set ap 1 radio 1 antennatype ANT1060 success: change accepted. Specifying the External Antenna Location In some cases, the set of valid channels for a radio differs depending on whether the antenna is located indoors or outdoors.
  • Page 250: Disabling Or Reenabling Radios

    To disable radio 1 on port 6 without disabling the other radios using radio profile rp1, type the following command: WX1200# set ap 6 radio 1 radio-profile rp1 mode disable (To disable or reenable all radios that are using a radio profile, see “Disabling or Reenabling All Radios Using a Profile”...
  • Page 251: Resetting A Radio To Its Factory Default Settings

    Resetting a Radio to its Factory Default Settings: To disable a MAP radio and reset it to its factory default settings, use the following command: clear ap apnumber radio {1 | 2 | all} This command performs the following actions: This command does not affect the PoE setting.
  • Page 252: Configuring Local Packet Switching On Maps

    MAPs wired network, instead of passing through an intermediate WX switch. When a MAP is configured to perform local switching, the WX switch is removed from the forwarding path for client data traffic. When local switching is enabled, the client VLAN is directly accessible through the wired interface on the MAP.
  • Page 253: Configuring Local Switching

    {enable | disable} Local switching can be enabled on MAPs that are connected to the WX switch via an intermediate Layer 2 or Layer 3 network. Local switching is not supported for MAPs that are directly connected to a WX.
  • Page 254 WX switch. When clearing a VLAN profile causes traffic that had been locally switched by MAPs to be tunneled to a WX switch, the sessions of clients associated with the MAPs where the VLAN profile is applied are...
  • Page 255 If a VLAN profile is changed so that traffic that had been tunneled to a WX switch is now locally switched by MAPs, or vice-versa, the sessions of clients associated with the MAPs where the VLAN profile is applied are terminated, and the clients must re-associate with the MAPs.
  • Page 256: Displaying Map Information

    Displaying MAP Information: You can display the following MAP information: Displaying MAP Configuration Information: To display configuration information, use the following commands: display ap config [apnumber [radio {1 | 2}]] The command lists information separately for each MAP. To display configuration information for MAP 59, type the following command: WX1200# display ap config 59...
  • Page 257: Displaying Connection Information For Distributed Maps

    This command lists the System IP addresses of all the WX switches on which each Distributed MAP is configured, and lists the bias for the MAP on each switch. For each Distributed MAP that is configured on the switch on which you use the command, the connection number is also listed.
  • Page 258: Displaying A List Of Distributed Maps That Are Not Configured

    Displaying Connection Information for Distributed MAPs: the system IP address of the WX that has the active connection (the switch that booted the MAP), use the following command: display ap connection [apnumber | serial-id serial-ID] The serial-id parameter displays the active connection for a Distributed MAP even if that MAP is not configured on this WX.
  • Page 259: Displaying Service Profile Information

    To display service profile information, use the following command: display service-profile {name | ?} Entering display service-profile ? displays a list of the service profiles configured on the switch. To display information for service profile sp1, type the following command: WX# display service-profile sp1...
  • Page 260: Displaying Radio Profile Information

    The terse option displays a brief line of essential status information for each directly connected MAP or Distributed MAP. The all option displays information for all directly attached MAPs and all Distributed MAPs configured on the switch...
  • Page 261: Displaying Static Ip Address Information For Distributed Maps

    The following command displays the status of a Distributed MAP: WX# display ap status 1 AP: 7, AP model: AP3750, manufacturer 3Com, name: MAP07 ==================================================== State: operational (not encrypt) CPU info: IBM:PPC speed=266666664 Hz version=405GPr, ram=33554432 s/n=0333703050 hw_rev=A3 Uptime: 531 hours, 37 minutes, 28 seconds Radio 1 type: 802.11g, state: configure succeed [Disabled] (Sweep mode)
  • Page 262: Displaying Map Statistics Counters

    DNS IP: Mesh SSID: Mesh PSK: (For information about the fields in the output, see the Wireless LAN Switch and Controller Command Reference.) Displaying MAP Statistics Counters: To display MAP statistics counters, use the following commands: display ap counters [apnumber [radio {1 | 2}]]...
  • Page 263 Chapter 25, “Managing Sessions,” on page 557.) Displaying VLAN Profile Information To display the contents of the VLAN profiles configured on the WX switch, use the following command: display vlan-profile [profile-name] The command lists the names and tags for each VLAN in the VLAN profile, as well as the MAPs to which the VLAN profile has been applied.
  • Page 264: Displaying The Forwarding Database For A Map

    Switch and Controller Command Reference.) Displaying VLAN Information for a MAP: To display information about the VLANs that are either locally switched by the specified MAP or tunneled from the MAP to a WX switch, use the following command: display ap vlan apnumber...
  • Page 265: Displaying Acl Information For A Map

    4 green (For information about the fields in the output, see the Wireless LAN Switch and Controller Command Reference.) Displaying ACL Information for a MAP: When a MAP is configured to perform local switching, you can display the number of packets filtered by security ACLs (“hits”) on the MAP.
  • Page 266 WX# display ap acl map 7 ---------------------------- ---- ------ ------- acl_123 acl_133 acl_124 Type Class Mapping Static In Static In... (For information about the fields in the output, see the Wireless LAN Switch and Controller Command Reference.)
  • Page 267: Configuring Rf Load Balancing For Maps

    This section describes the following configuration tasks: RF Load Balancing Overview: RF load balancing is the ability to reduce network congestion over an area by distributing client sessions across the MAPs with overlapping coverage in the area. It allows you to provide the same client experience as if there were one nearby MAP with sufficient capacity, even when the total demand of nearby clients exceeds the capacity of a single MAP.
  • Page 268: Configuring Rf Load Balancing

    MSS assumes that they have exactly the same coverage area, and attempts to distribute the client load across them equally. The MAP radios do not have to be on the same WX switch. A balanced set of MAP radios can span multiple WX switches in a Mobility Domain.
  • Page 269: Assigning Radios To Load Balancing Groups

    Assigning Radios to Load Balancing Groups: Assigning radios to specific load balancing groups is optional. When you do this, MSS considers them to have exactly overlapping coverage areas, rather than using signal strength calculations to determine their overlapping coverage. MSS attempts to distribute client sessions across radios in the load balancing group evenly.
  • Page 270: Setting Strictness For Rf Load Balancing

    Chapter 11: Configuring RF Load Balancing for MAPs. Setting Strictness for RF Load Balancing: To perform RF load balancing, MSS makes MAP radios with heavy client loads less visible to new clients, causing them to associate with MAP radios that have a lighter load. You can optionally specify how strictly MSS attempts to keep the client load balanced across the MAP radios in the load-balancing group.
  • Page 271: Exempting An Ssid From Rf Load Balancing

    Displaying RF Load Balancing Information: Radios in the same load-balancing group as: ap2/radio1 -------------------------------------------------- WX IP address Port Radio Overlap ------------------ ----- ------- For more information about the syntax, see the “MAP Commands” chapter of the Wireless LAN Switch and Controller Command Reference.
  • Page 272 Chapter 11: Configuring RF Load Balancing for MAPs...
  • Page 273: Configuring Wlan Mesh Ervices

    This section describes how to configure the WLAN mesh services. WLAN Mesh Services Overview: WLAN mesh services allow a MAP to provide wireless services to clients without having a wired interface on the MAP. Instead of a wired interface, there is a radio link to another MAP with a wired interface. WLAN mesh services can be used at sites where running Ethernet cable to a location is inconvenient, expensive or impossible.
  • Page 274: Configuring Wlan Mesh Services

    After the Mesh AP is installed in its final location, and it has established a connection to the Mesh Portal AP, it can be configured as any other MAP on the WX switch. Attaching the Mesh AP to the network and configuring mesh services.
  • Page 275: Configuring The Mesh Ap

    WX switch. Consequently, it is important that the regulatory and antenna information specified on the WX switch actually reflects the locale where the Mesh AP is deployed, in order to avoid regulatory violations. Configuring WLAN Mesh Services...
  • Page 276: Configuring The Service Profile For Mesh Services

    SSID. Once it locates a Mesh Portal AP with the mesh SSID, it associates with the Mesh Portal AP as a client device. The Mesh AP can then be authenticated by the WX switch. To configure the Mesh AP to be authenticated, use the following...
  • Page 277: Enabling Link Calibration Packets On The Mesh Portal Map

    Enabling Link Calibration Packets on the Mesh Portal MAP: A Mesh Portal MAP can be configured to emit link calibration packets to assist with positioning the Mesh AP. A link calibration packet is an unencrypted 802.11 management packet of type Action. When enabled on a MAP, link calibration packets are sent at a rate of 5 per second.
  • Page 278: Configuring Wireless Bridging

    Chapter 12: Configuring WLAN Mesh Services. Configuring Wireless Bridging: You can use WLAN mesh services in a wireless bridge configuration, implementing MAPs as bridge endpoints in a transparent Layer 2 bridge. Configuring a wireless bridge to connect two sites provides an alternative to installing Ethernet cable to provide bridge functionality.
  • Page 279: Displaying Wlan Mesh Services Information

    MAP and the associated BSSID of the Mesh Portal. For example: WX# display ap status AP: 1, IP-addr: 10.8.255.10 (vlan 'corp'), AP model: mp-422, manufacturer: 3Com, name: AP01 ==================================================== State: operational (not encrypt) CPU info: Atheros:MIPS32 speed=220000000 Hz version=AR5312, ram=16777216...
  • Page 280 WX# display ap mesh-links 1 AP: 1 IP-addr: 1.1.1.3 Operational Mode: Mesh-Portal Downlink Mesh-APs ------------------------------------------------- BSSID: 00:0b:0e:17:bb:3f (54 Mbps) packets 44279 bytes 215046 (For information about the fields in the output, see the Wireless LAN Switch and Controller Command Reference.)
  • Page 281: Configuring User Encryption

    Overview: Mobility System Software (MSS) encrypts wireless user traffic for all users who are successfully authenticated to join an encrypted SSID and who are then authorized to join a VLAN. MSS supports the following types of encryption for wireless user traffic: WEP is described in the IEEE 802.11 standard and WPA is described in the 802.11i standard.
  • Page 282 You can configure an SSID to support any combination of WPA, RSN, and non-WPA clients. For example, a radio can simultaneously use Temporal Key Integrity Protocol (TKIP) encryption for WPA clients and WEP encryption for non-WPA clients. The SSID type must be crypto (encrypted) for encryption to be used.
  • Page 283 Figure: WX switch encryption settings with WPA disabled, dynamic WEP enabled, and static WEP disabled (users A, B and C shown as dynamic WEP and non-WPA 40-bit WEP clients). The rest of this chapter describes the encryption types and how to configure them, and provides configuration scenarios.
  • Page 284: Configuring Wpa

    Configuring WPA: Wi-Fi Protected Access (WPA) is a security enhancement to the IEEE 802.11 wireless standard. WPA provides enhanced encryption with new cipher suites and provides per-packet message integrity checks. WPA is based on the 802.11i standard. You can use WPA with 802.1X authentication.
  • Page 285 Figure 21 WPA Encryption with TKIP Only (WX switch encryption settings: WPA enabled, TKIP only; dynamic WEP disabled; static WEP disabled; users A and B are dynamic WEP and non-WPA 40-bit WEP clients, user C is a static WEP non-WPA client)...
  • Page 286 CCMP or static WEP clients. The radio disassociates from these other clients. Figure 22 WPA Encryption with TKIP and WEP (WX switch encryption settings: WPA enabled, TKIP and WEP40; dynamic WEP enabled; static WEP disabled; user A is a dynamic WEP non-WPA client, user B is a dynamic 40-bit WEP client)...
  • Page 287: Tkip Countermeasures

    TKIP Countermeasures: WPA access points and clients verify the integrity of a wireless frame received on the network by generating a keyed message integrity check (MIC). The Michael MIC used with TKIP provides a holddown mechanism to protect the network against tampering. If the recalculated MIC matches the MIC received with the frame, the frame passes the integrity check and the access point or client processes the frame normally.
  • Page 288: Wpa Authentication Methods

    The 802.1X authentication method requires user information to be configured on AAA servers or in the WX switch’s local database. This is the default WPA authentication method.
  • Page 289: Client Support

    Probe response (sent by a MAP radio) — The WPA IE in a probe response frame lists the same WPA information that is contained in the beacon frame. Association request or reassociation (sent by a client) — The WPA IE in an association request lists the authentication method and cipher suite the client wants to use.
  • Page 290: Configuring Wpa

    Table 24 lists the encryption support for WPA and non-WPA clients. Table 24 Encryption Support for WPA and Non-WPA Clients (encryption types listed: WPA — CCMP, WPA — TKIP, WPA — WEP40, WPA — WEP104, Dynamic, Static). Configuring WPA: To configure MAP radios to support WPA: 1 Create a service profile for each SSID that will support WPA clients.
  • Page 291 Creating a Service Profile for WPA: Encryption parameters apply to all users who use the SSID configured by a service profile. To create a service profile, use the following command: set service-profile name To create a new service profile named wpa, type the following command: WX1200# set service-profile wpa success: change accepted.
  • Page 292 After you type this command, the service profile supports TKIP and 40-bit WEP. Microsoft Windows XP does not support WEP with WPA. To configure a service profile to provide WEP for XP clients, leave WPA disabled and see “Configuring WEP”...
  • Page 293 The passphrase must be from 8 to 63 characters long, including blanks. If you use blanks, you must enclose the string in quotation marks. To configure service profile wpa to use passphrase 1234567890123<>?=+&% The quick brown fox jumps over the lazy sl, type the following command: WX1200# set service-profile wpa psk-phrase "1234567890123<>...
  • Page 294 Displaying WPA Settings: To display the WPA settings in a service profile, use the following command: display service-profile {name | ?} To display the WPA settings in effect in service profile wpa, type the following command: WX1200# display service-profile sp1 ssid-name: Beacon:...
  • Page 295 Assigning the Service Profile to Radios and Enabling the Radios: After you configure WPA settings in a service profile, you can map the service profile to a radio profile, assign the radio profile to radios, and enable the radios to activate the settings. To map a service profile to a radio profile, use the following command: set radio-profile name service-profile name To assign a radio profile to radios and enable the radios, use the following...
  • Page 296: Configuring Rsn (802.11I)

    Configuring RSN (802.11i): Robust Security Network (RSN) provides 802.11i support. RSN uses AES encryption. You can configure a service profile to support RSN clients exclusively, or to support RSN with WPA clients, or even RSN, WPA and WEP clients. The configuration tasks for a service profile to use RSN are similar to the tasks for WPA: 1 Create a service profile for each SSID that will support RSN clients.
  • Page 297: Specifying The Rsn Cipher Suites

    Specifying the RSN Cipher Suites: To use RSN, at least one cipher suite must be enabled. You can enable one or more of the following cipher suites: By default, TKIP is enabled and the other cipher suites are disabled. To enable or disable cipher suites, use the following commands: set service-profile name cipher-ccmp {enable | disable} set service-profile name cipher-tkip {enable | disable} set service-profile name cipher-wep104 {enable | disable}...
  • Page 298: Changing The Tkip Countermeasures Timer Value

    Changing the TKIP Countermeasures Timer Value: To change the TKIP countermeasures timer, see “Changing the TKIP Countermeasures Timer Value” on page 298. The procedure is the same for WPA and RSN. Enabling PSK Authentication: To enable PSK authentication, see “Enabling PSK Authentication” on page 298.
  • Page 299: Configuring Wep

    You can change or disable the broadcast or multicast rekeying interval. For static WEP, MSS uses statically configured keys typed in the WX switch’s configuration and on the wireless client and does not rotate the keys.
  • Page 300 WEP clients whose keys match the keys configured on the radio. Figure 23 Encryption for Dynamic and Static WEP (WX switch encryption settings: WPA disabled; dynamic WEP enabled; static WEP enabled, unicast key = a1b1c1d1e1...; user A is a dynamic WEP non-WPA client, user B is a dynamic 40-bit WEP client)
  • Page 301: Setting Static Wep Key Values

    Setting Static WEP Key Values: MSS supports dynamic WEP automatically. To enable static WEP, configure WEP keys and assign them to unicast and multicast traffic. You can set the values of the four static WEP keys, then specify which of the keys to use for encrypting multicast frames and unicast frames.
  • Page 302: Encryption Configuration Scenarios

    To configure an SSID that uses service profile wepsrvc4 to use WEP key index 4 for encrypting unicast traffic, type the following command: WX1200# set service-profile wepsrvc4 wep active-unicast-index 4 success: change accepted. Encryption Configuration Scenarios: The following scenarios provide examples of ways in which you can configure encryption for network clients:...
  • Page 303 WX1200# display service-profile sp1 ssid-name: Beacon: DHCP restrict: Short retry limit: Auth fallthru: Enforce SODA checks: Custom success web-page: Custom logout web-page: Static COS: CAC mode: User idle timeout: Keep initial vlan: Web Portal ACL: Web Portal Session Timeout: WEP Key 1 value: WEP Key 3 value: WEP Unicast Index: Shared Key Auth:...
  • Page 304: Enabling Dynamic Wep In A Wpa Network

    force-image download: YES Radio 1: type: 802.11g, mode: tx pwr: 1, profile: rp1 auto-tune max-power: default Radio 2: type: 802.11a, mode: enabled, channel: 36 tx pwr: 1, profile: rp1 auto-tune max-power: default 8 Save the configuration. Type the following command: WX1200# save config success: configuration saved.
  • Page 305 TKIP is already enabled by default when WPA is enabled. 6 Display the service profile wpa-wep to verify the changes. Type the following command: WX1200# display service-profile sp1 ssid-name: Beacon: DHCP restrict: Short retry limit: Auth fallthru: Enforce SODA checks: Custom success web-page: Custom logout web-page: Static COS:...
  • Page 306: Configuring Encryption For Mac Clients

    auto-tune max-power: default Port 6: AP model: mp-252, POE: boot-download-enable: YES force-image-download: YES Radio 1: type: 802.11g, mode: tx pwr: 1, profile: rp2 auto-tune max-power: default Port 11: AP model: mp-252, POE: enable, bias: high, name: MP11 boot-download-enable: YES force-image-download: YES Radio 1: type: 802.11g, mode: enabled, channel: 6...
  • Page 307 4 Verify the AAA configuration changes. Type the following command: WX1200# display aaa Default Values authport=1812 acctport=1813 timeout=5 acct-timeout=5 retrans=3 deadtime=0 key=(null) author-pass=(null) Radius Servers Server ------------------------------------------------------------------- Server groups set authentication mac ssid voice * local mac-usergroup wpa-for-mac vlan-name = blue mac-user aa:bb:cc:dd:ee:ff Group = wpa-for-mac mac-user a1:b1:c1:d1:e1:f1...
  • Page 308 10 Configure a passphrase for the preshared key. Type the following command: WX1200# set service-profile wpa-wep-for-mac psk-phrase "passphrase to convert into a preshared key" success: change accepted. 11 Display the WPA configuration changes. Type the following command: WX1200# display service-profile sp1 ssid-name: Beacon:...
  • Page 309 WX1200# display ap config Port 4: AP model: MP-241, POE: boot-download-enable: YES force-image-download: YES Radio 1: type: 802.11a, mode: tx pwr: 1, profile: rp3 auto-tune max-power: default Port 6: AP model: mp-252, POE: boot-download-enable: YES force-image-download: YES Radio 1: type: 802.11g, mode: tx pwr: 1, profile: rp3 auto-tune max-power: default...
  • Page 311: Configuring Rf Auto -Tuning

    RF Auto-Tuning. If RF Auto-Tuning is enabled for channel and power assignment, the radio performs an RF scan and reports the results to the WX switch that is managing the MAP the radio is on. The scan results include third-party access points. Based on the scan results, MSS sets the channel and power on the radio.
  • Page 312: Channel And Power Tuning

    A radio continues to scan on its active data channel and on other channels and reports the results to its WX switch. Periodically, the switch examines these results to determine whether the channel or the power needs to be changed.
  • Page 313 Power Tuning By default, the switch evaluates the scan results for possible power changes every 300 seconds (5 minutes), and raises or lowers the power level if needed. If RF Auto-Tuning determines that a power change is needed on a radio, MSS ramps the power up or down until the new power level is reached.
  • Page 314: Rf Auto-Tuning Parameters

    A radio also can change its channel before the channel tuning interval expires to respond to RF anomalies. An RF anomaly is a sudden major change in the RF environment, such as sudden major interference on the channel. By default, a radio cannot change its channel more often than every 900 seconds, regardless of the RF environment.
  • Page 315 Table 25 Defaults for RF Auto-Tuning Parameters (continued); columns: Parameter, Default Value, Radio Behavior When Parameter Set to Default Value. channel-holddown: MSS maintains the channel setting on a radio for at least 900 seconds regardless of RF changes. channel-lockdown: disabled. power-config: disable. power-interval. power-lockdown: disabled. power-ramp-interval: 60. Individual radio parameters: max-power: Maximum allowed for country of operation.
  • Page 316: Changing Rf Auto-Tuning Settings

    Changing RF Auto-Tuning Settings: You can change the following RF Auto-Tuning settings: Selecting Available Channels on the 802.11a Radio: You can configure the 802.11a radio on a MAP to allow certain channels to be available or unavailable. To enable this feature, use the following command: set radio-profile name auto-tune 11a-channel-range...
  • Page 317: Changing Power Tuning Settings

    RF Auto-Tuning does not reevaluate the channel at regular intervals. However, RF Auto-Tuning can still change the channel in response to RF anomalies. 3Com recommends that you use an interval of at least 300 seconds (5 minutes). To change the channel tuning interval, use the following command:...
  • Page 318: Locking Down Tuned Settings

    Changing the Power Tuning Interval: The default power tuning interval is 600 seconds. You can change the interval to a value from 1 to 65535 seconds. To change the power tuning interval, use the following command: set radio-profile name auto-tune power-interval seconds To set the power tuning interval for radios in radio profile rp2 to 240 seconds, type the following command:...
  • Page 319: Displaying Rf Auto-Tuning Information

    To verify the static settings, use the To save the locked down settings, you must save the switch’s configuration. The following commands lock down the channel and power settings for radios in radio profile rp2: WX1200# set radio-profile rp2 auto-tune channel-lockdown success: change accepted.
  • Page 320: Displaying Rf Neighbors

    Radio 2: type: 802.11a, mode: disabled, channel: 36 tx pwr: 1, profile: default auto-tune max-power: default Displaying RF Neighbors: To display the other radios that a specific 3Com radio can hear, use the following commands: display auto-tune neighbors [ap map-num [radio {1 | 2 | all}]]...
  • Page 321: Displaying Rf Attributes

    To display neighbor information for radio 1 on the directly connected MAP on port 2, type the following command: WX1200# display auto-tune neighbors ap 2 radio 1 Total number of entries for port 2 radio 1: 5 Channel Neighbor BSS/MAC ------- ----------------- ---- 1 00:0b:85:06:e3:60 1 00:0b:0e:00:0a:80...
  • Page 323: Configuring Map S T O B E Aero Scout Listeners

    ID. AeroScout listeners detect the transmissions from the RFID tags and relay this information to an AeroScout Engine or a WX. You can use an AeroScout Engine or 3Com Wireless Switch Manager to locate the asset.
  • Page 324: Configuring Map Radios To Listen For Aeroscout Rfid Tags

    A MAP always forwards RFID tag information to its WX switch, even if RFID mode is disabled. The following example shows the commands to configure three MAPs to be AeroScout listeners. This example assumes that the MAPs have already been installed and configured.
  • Page 325: Locating An Rfid Tag

    WX1200# set ap 69 radio 1 radio-profile rfid-listeners mode enable success: change accepted. Locating an RFID Tag: You can use an AeroScout Engine or 3Com Wireless Switch Manager to locate an asset to which an RFID tag is attached. Using an AeroScout Engine: 1 Load the site map in AeroScout System Manager.
  • Page 326 1 Connect to 3Com Wireless Switch Manager Services (the server) and open the network plan that contains the site information. 2 Select the Monitor tool bar option (at the top of the main 3Com Wireless Switch Manager window). The Monitor dashboard appears.
  • Page 327: Configuring

    This chapter describes the Quality of Service (QoS) features supported in MSS and how to configure and manage them. About QoS: MSS supports Layer 2 and Layer 3 classification and marking of traffic, and optimized forwarding of wireless traffic for time-sensitive applications such as voice and video.
  • Page 328 Table 26 QoS Parameters (continued); columns: QoS Feature, Description. QoS parameters configured in service profiles: CAC mode, Static CoS, Using client DSCP value. CAC mode: Call Admission Control, which regulates addition of new VoIP sessions on MAP radios. One of the following modes can be enabled: None (the default)
  • Page 329 Table 26 QoS Parameters (continued); columns: QoS Feature, Description. Transmit rates: Data transmission rates supported by each radio type. The following categories are specified: Beacon; Multicast; Mandatory (a client must support at least one of these rates to associate); Disabled; Standard (valid rates that are not disabled and are not mandatory). Defaults:...
  • Page 330: Qos Mode

    Table 26 QoS Parameters (continued); columns: QoS Feature, Description. Broadcast control: Mechanisms to reduce overhead. Session timers. QoS Mode: MSS supports Layer 2 and Layer 3 classification and marking of traffic, to help provide end-to-end QoS throughout the network. The following modes of QoS are supported: Session-based Call Admission Control (CAC) is also supported.
  • Page 331: Wmm Qos Mode

    The static CoS option enables you to easily set CoS for all traffic on an SSID by marking all the SSID’s traffic with the same CoS value. You can use ACLs to override CoS markings or set CoS for non-WMM traffic.
  • Page 332 Figure 24 QoS on WX Switches—Classification of Ingress Packets (flowchart: WX receives packet. 802.1p value that is not 0? No (802.1p = 0). DSCP value that is not 0? No (DSCP = 0). ACE on egress VLAN or MAP sets CoS? Use CoS mapped from DSCP or...)
  • Page 333 Figure 25 QoS on WX Switches—Marking of Egress Packets (flowchart: WX has classified ingress packet. Egress interface has 802.1Q VLAN tag? No VLAN tag. Egress interface is IP tunnel? Do not mark DSCP. Mark 802.1p with CoS value: 1 ->...)
  • Page 334 Figure 26 QoS on MAPs—Classification and Marking of Packets from Clients to (flowchart: MAP receives packet from client. Static CoS enabled? Set packet CoS based on 802.11 Service Type: 1 -> 1, 2 -> 2, 3 ->...)
  • Page 335 Figure 27 QoS on MAPs—Classification and Marking of Packets from WX to Clients (flowchart: MAP receives packet from WX. Static CoS enabled? Look up CoS for DSCP value and set packet CoS: 0 - 7 -> 0, 8 - 15 -> 1, 16 - 23 ->...)
  • Page 336 CoS-to-DSCP map is also reserved. CoS 0 packets are marked with DSCP 0. Table 27 shows how WMM priority information is mapped across the network. When WMM is enabled, 3Com switches and MAPs perform these mappings automatically. Table 27 WMM Priority Mappings...
  • Page 337: Wmm Qos On A Map

    802.11 header and maps the service type value to an internal CoS value. The MAP then marks the DSCP value in the IP tunnel header to the WX switch based on the internal CoS value.
  • Page 338 (To display a MAP’s CoS mappings and queue usage statistics, see “Displaying MAP Forwarding Queue Statistics” on page 349.) Figure 28 shows an example of end-to-end QoS in a 3Com network. In this example, voice traffic is prioritized based on WMM. This example assumes that the QoS mappings are set to their default values.
  • Page 339 MAP maps internal CoS 7 to DSCP 56 and marks the IP tunnel header’s DSCP field with value 56. The MAP then sends the packet to the WX switch. 3 WX A receives the packet on the IP tunnel connecting the WX to MAP A.
  • Page 340: Call Admission Control

    SVP QoS Mode: The SVP QoS mode optimizes forwarding of SVP traffic by setting the random wait time a MAP radio waits before transmitting the traffic to 0 microseconds. Normally, a MAP radio waits an additional number of microseconds following the fixed wait time, before forwarding a queued packet or frame.
  • Page 341: Broadcast Control

    Broadcast Control: You also can enhance bandwidth availability on an SSID by enabling the following broadcast control features: Proxy ARP—WX responds on behalf of wireless clients to ARP requests for their IP addresses. DHCP Restrict—WX captures and does not forward any traffic except DHCP traffic for a wireless client who is still being authenticated and authorized.
  • Page 342: Changing Qos Settings

    The QoS mode is configurable on a radio-profile basis. CAC and static CoS are configurable on a service-profile basis. DSCP-CoS mapping is configurable on a global switch basis. Changing the QoS The default QoS mode is WMM. To change the QoS mode on a radio...
  • Page 343: Configuring Call Admission Control

    Configuring Call Admission Control: To configure CAC for an SSID, enable the feature on the SSID’s service profile. When enabled, CAC limits the number of active sessions a radio can have to 14 by default. You can change the maximum number of sessions to a value from 0 to 100.
  • Page 344: Changing Cos Mappings

    For example, to configure static CoS 7 for service profile sp1, use the following commands: WX1200# set service-profile sp1 static-cos enable success: change accepted. WX1200# set service-profile sp1 cos 7 success: change accepted. Changing CoS Mappings: To change CoS mappings, use the following commands: set qos dscp-to-cos-map dscp-range cos level set qos cos-to-dscp-map level dscp dscp-value...
  • Page 345: Enabling Broadcast Control

    Enabling Broadcast Control: To enable broadcast control features on a service-profile basis, use the following commands: set service-profile name proxy-arp {enable | disable} set service-profile name dhcp-restrict {enable | disable} set service-profile name no-broadcast {enable | disable} For example, to enable all these broadcast control features in service profile sp1, use the following commands: WX1200# set service-profile sp1 proxy-arp enable success: change accepted.
  • Page 346: Displaying A Service Profile's Qos Settings

    11b mandatory rate: 1.0,2.0 standard rates: 5.5,11.0 11g beacon rate: 11g mandatory rate: 1.0,2.0,5.5,11.0 standard rates: 6.0,9.0,12.0,18.0,24.0,36.0,48.0,54.0 Channel Holddown: Countermeasures: QoS Mode: corp2 ssid-type: Proxy ARP: No broadcast: Long retry limit: none Sygate On-Demand (SODA):...
  • Page 347: Displaying Cos Mappings

    To display the default CoS mappings, use the following command: WX1200# display qos default Ingress QoS Classification Map (dscp-to-cos) Ingress DSCP CoS Level =============================================================================== 00-09 10-19 20-29 30-39...
  • Page 348 40-49 50-59 60-63 Egress QoS Marking Map (cos-to-dscp) CoS Level =============================================================================== Egress DSCP Egress ToS byte Displaying a DSCP-to-CoS Mapping: To display the CoS value to which a specific DSCP value is mapped during classification, use the following command: display qos dscp-to-cos-map dscp-value The following command displays the CoS value to which DSCP value 55 is mapped:...
  • Page 349: Displaying The Dscp Table

    Displaying the DSCP Table: To display the standard mappings of DSCP, ToS, and precedence values, use the following command: WX1200# display qos dscp-table DSCP ----------------------------------------------- Displaying MAP Forwarding Queue Statistics: You can display statistics for MAP forwarding queues, using the following commands: display ap qos-stats [apnumber] [clear]...
  • Page 351: Configuring And Managing Spanning Tree Protocol

    STP state of other VLANs on the device. The IEEE 802.1D spanning tree specifications refer to networking devices that forward Layer 2 traffic as bridges. In this context, a WX switch is a bridge. Where this manual or the product interface uses the term bridge, you can assume the term is applicable to the WX switch.
  • Page 352: Enabling The Spanning Tree Protocol

    To enable STP, use the following command: set spantree {enable | disable} [{all | vlan vlan-id | port port-list vlan-id}] To enable STP on all VLANs configured on a WX switch, type the following command: WX1200# set spantree enable success: change accepted.
  • Page 353: Port Cost

    When the WX switch has more than one link to the root bridge, STP uses the link with the lowest priority value. You can set this parameter on an individual port basis, for all VLANs the port is in, or for specific VLANs.
  • Page 354: Changing Stp Port Parameters

    To change the bridge priority of VLAN pink to 69, type the following command: WX1200# set spantree priority 69 vlan pink success: change accepted. Changing STP Port Parameters: You can change the STP cost and priority of an individual port, on a global basis or an individual VLAN basis.
  • Page 355 The command applies only to the ports you specify. The port cost on other ports remains unchanged. To reset the cost of ports 3 and 4 in the default VLAN to the default value, type the following command: WX1200# clear spantree portcost 3-4 success: change accepted.
  • Page 356 Resetting the STP Port Priority to the Default Value: To reset the STP port priority to the default value, use one of the following commands: clear spantree portpri port-list clear spantree portvlanpri port-list {all | vlan vlan-id} The command applies only to the ports you specify.
  • Page 357: Changing Spanning Tree Timers

    Hello interval — The interval between configuration messages sent by a WX switch when the switch is acting as the root bridge. You can specify an interval from 1 through 10 seconds. The default is 2 seconds.
  • Page 358: Configuring And Managing Stp Fast Convergence Features

    the forwarding delay. In some configurations, this delay is unnecessary. The WX switch provides the following fast convergence features to bypass the forwarding delay: Port fast convergence bypasses both the listening and learning stages and...
  • Page 359: Configuring Port Fast Convergence

    Backbone fast convergence enables the WX switch to listen for bridge protocol data units (BPDUs) sent by a designated bridge when the designated bridge’s link to the root bridge fails.
  • Page 360: Displaying Port Fast Convergence Information

    Displaying Port Fast Convergence Information: To display port fast convergence information, use the following command: display spantree portfast [port-list] To display port fast convergence information for all ports, type the following command: WX1200# display spantree portfast Port ------------------------- ---- In this example, port fast convergence is enabled on ports 5 and 6 in...
  • Page 361: Configuring Uplink Fast Convergence

    Configuring Uplink Fast Convergence: To enable or disable uplink fast convergence, use the following command: set spantree uplinkfast {enable | disable} Displaying Uplink Fast Convergence Information: To display uplink fast convergence information, use the following command: display spantree uplinkfast [vlan vlan-id] The following command displays uplink fast convergence information for all VLANs: WX1200# display spantree uplinkfast...
  • Page 362: Displaying The Stp Port Cost On A Vlan Basis

    5 are forwarding traffic. The other ports are blocking traffic. (For more information about the fields in the output, see the Wireless LAN Switch and Controller Command Reference.) Displaying the STP Port Cost on a VLAN Basis: To display a brief list of the STP port cost for a port in each of its VLANs,...
  • Page 363: Displaying Blocked Stp Ports

    Displaying Blocked STP Ports: To display information about ports that are in the STP blocking state, use the following command: display spantree blockedports [vlan vlan-id] To display information about blocked ports on a WX switch for the default VLAN (VLAN 1), type the following command: WX1200# display spantree blockedports vlan default Port...
  • Page 364 config BPDU's xmitted(port/VLAN) config BPDU's received(port/VLAN) tcn BPDU's xmitted(port/VLAN) tcn BPDU's received(port/VLAN) forward transition count (port/VLAN) scp failure count root inc trans count (port/VLAN) inhibit loopguard loop inc trans count forward delay timer forward delay timer value message age timer message age timer value topology change timer...
  • Page 365: Clearing Stp Statistics

    VLANs to 0. The software then begins incrementing the counters again. Spanning Tree Configuration Scenario: This scenario configures a VLAN named backbone for a WX switch's connections to the network backbone, adds ports 1 and 2 to the VLAN, and enables STP on the VLAN to prevent loops.
  • Page 366 down down 2 Configure a backbone VLAN and verify the configuration change. Type the following commands: WX1200# set vlan 10 name backbone port 1-2 success: change accepted. WX1200# display vlan config VLAN Name ---- --------------- ------ ----- ----- --------------- ----- ----- 1 default 10 backbone 4094 web-aaa...
  • Page 367 4 Reconnect or reenable ports 21 and 22 and verify the change. Type the following commands: WX1200# set port enable 1-2 success: set "enable" on port 1-2 WX1200# display port status Port Name Admin =============================================================================== 5 Wait for STP to complete the listening and learning stages and converge, then verify that STP is operating properly and blocking one of the ports in the backbone VLAN.
  • Page 369: Configuring And Managing Igmp Snooping

    Internet Group Management Protocol (IGMP) snooping controls multicast traffic on a WX switch by forwarding packets for a multicast group only on the ports that are connected to members of the group. A multicast group is a set of IP hosts that receive traffic addressed to a specific Class D IP address, the group address.
  • Page 370: Disabling Or Reenabling Proxy Reporting

    Pseudo-Querier that does not have a multicast router to send IGMP general queries to clients. 3Com recommends that you use the pseudo-querier only when the VLAN contains local multicast traffic sources and no multicast router is servicing the subnet. To enable the pseudo-querier, use the following command:...
  • Page 371: Changing The Query Interval

    If there are no more receivers for the group, the switch also sends a leave message for the group to multicast routers.
  • Page 372: Enabling Router Solicitation

    traffic it receives from those devices. When the WX switch receives traffic from a multicast router or receiver, the switch adds the port that received the traffic as a multicast router or receiver port. The WX switch forwards traffic to multicast routers only on the multicast router ports and forwards traffic to multicast receivers only on the multicast receiver ports.
  • Page 373: Adding Or Removing A Static Multicast Router Port

    Adding or Removing a Static Multicast Router Port: To add or remove a static multicast router port, use the following command: set igmp mrouter port port-list {enable | disable} Adding or Removing a Static Multicast Receiver Port: To add a static multicast receiver port, use the following command: set igmp receiver port port-list {enable | disable}...
  • Page 374 Packets with bad checksum: 0 Packets dropped: 4 (For information about the fields in the output, see the Switch and Controller Command Displaying Multicast Statistics Only To display multicast statistics only without also displaying all the other multicast information, use the following command:...
  • Page 375: Displaying Multicast Queriers

    In this example, the pseudo-querier feature is enabled on VLAN orange. (For information about the fields in the output, see the Switch and Controller Command Displaying Multicast To display information about the multicast routers only without also...
  • Page 376: Displaying Multicast Receivers

    237.255.255.2 237.255.255.119 VLAN: green Session 237.255.255.17 237.255.255.255 (For information about the fields in the output, see the Switch and Controller Command Port Receiver-IP 10.10.20.19 00:02:04:06:09:0d 10.10.30.31 00:02:04:06:01:0b Port Receiver-IP 10.10.40.41 00:02:06:08:02:0c 10.10.60.61 00:05:09:0c:0a:01...
  • Page 377: Configuring And Managing Security ACLs

    About Security Access Control Lists: 3Com provides a very powerful mapping application for security ACLs. In addition to being assigned to physical ports, VLANs, virtual ports in a VLAN, or Distributed MAPs, ACLs can be mapped dynamically to a user’s...
  • Page 378: Security Acl Filters

    Figure 29 Setting Security ACLs. Security ACL Filters: A security ACL filters packets to restrict or permit network traffic. These filters can then be mapped by name to authenticated users, ports, VLANs, virtual ports, or Distributed MAPs. You can also assign a class-of-service (CoS) level that marks the packets matching the filter for priority handling.
  • Page 379: Order In Which Acls Are Applied To Traffic

    The order in which ACEs are listed in an ACL is important. MSS applies ACEs that are higher in the list before ACEs lower in the list. (See “Modifying a Security ACL” on page 394.) An implicit “deny all” rule is always processed as the last ACE of an ACL.
  • Page 380: Creating And Committing A Security Acl

    Selection of User ACLs: Identity-based ACLs (ACLs mapped to users) take precedence over location-based ACLs (ACLs mapped to VLANs, ports, virtual ports, or Distributed MAPs). ACLs can be mapped to a user in the following ways: The user’s ACL comes from only one of these sources.
  • Page 381 (routine), and a type-of-service (TOS) level of 0 (normal). (For more information about type-of-service and precedence levels, see the LAN Switch and Controller Command WX1200# set security acl ip acl-2 permit cos 2 47 192.168.1.11 0.0.0.0 192.168.1.15 0.0.0.0 precedence 0 tos 0...
  • Page 382 10 in the first octet. Class of Service Class-of-service (CoS) assignment determines the priority treatment of packets transmitted by a WX switch, corresponding to a forwarding queue on the MAP. Table 31 shows the results of CoS priorities you assign in security ACLs.
  • Page 383: Setting An Icmp Acl

    Table 31 Class-of-Service (CoS) Packet Handling (column: Packet Priority Desired; rows: Background, Best effort, Video, Voice). MAP forwarding prioritization occurs automatically for Wi-Fi Multimedia (WMM) traffic. You do not need to configure ACLs to provide WMM prioritization. For non-WMM devices, you can provide MAP forwarding prioritization by configuring ACLs.
  • Page 384 ACLs, see “Modifying a Security ACL” on page 394. For information about TOS and precedence levels, see the Switch and Controller Command Service” on page 382. ICMP includes many messages that are identified by a type field. Some also have a code within that type.
  • Page 385: Setting Tcp And Udp Acls

    To specify a range of TCP or UDP ports, you enter the beginning and ending port numbers. The CLI does not accept port names in ACLs. To filter on ports by name, you must use 3Com Wireless Switch Manager. For more information, see Setting a TCP ACL The following command filters TCP packets:...
  • Page 386: Determining The Ace Order

    WX1200# set security acl ip acl-4 permit tcp 192.168.1.5 0.0.0.0 192.168.1.6 0.0.0.0 eq 524 precedence 7 tos 15 established hits (For information about TOS and precedence levels, see the Switch and Controller Command Service” on page 382.) Setting a UDP ACL The following command filters UDP packets:...
  • Page 387: Committing A Security Acl

    To specify the order of the commands, use the following parameters: If the security ACL you specify when creating an ACE does not exist when you enter set security acl ip, the specified ACL is created in the edit buffer. If the ACL exists but is not in the edit buffer, the ACL reverts, or is rolled back, to the state when its last ACE was committed, but it now includes the new ACE.
  • Page 388 ACLs do not take effect until you map them to something (a user, Distributed MAP, VLAN, port, or virtual port). To map an ACL, see “Mapping Security ACLs” on page 390. To display the mapped ACLs, use the display security acl command, without the editbuffer or info option.
  • Page 389 You can also view a specific security ACL. For example, to view acl-2, type the following command: WX1200# display security acl info acl-2 ACL information for acl-2 set security acl ip acl-2 (hits #1 0) ---------------------------------------------------- 1. permit L4 Protocol 115 source IP 192.168.1.11 0.0.0.0 destination IP 192.168.1.15 0.0.0.0 precedence 0 tos 0 enable-hits Displaying Security ACL Hits Once you map an ACL, you can view the number of packets it has...
  • Page 390: Clearing Security Acls

    The Filter-Id attribute is a security ACL name (or two ACL names) with the direction of the packets indicated. The security ACL mapped by Filter-Id instructs the WX switch to use its local definition of the ACL, including the flow direction, to filter packets for the authenticated user.
  • Page 391 ACL in the WX, the user fails authorization and cannot be authenticated. 4 Alternatively, authenticate the user with the Filter-Id attribute in the WX switch’s local database. Use one of the commands shown in Table 33. Specify .in for incoming packets or .out for outgoing packets.
  • Page 392: Mapping Security Acls To Ports, Vlans, Virtual Ports, Or Distributed Maps

    Mapping Security ACLs to Ports, VLANs, Virtual Ports, or Distributed MAPs: Security ACLs can be mapped to ports, VLANs, virtual ports, and Distributed MAPs. Use the following command: set security acl map acl-name {vlan vlan-id | port port-list [tag tag-value] | ap apnumber} {in | out} Specify the name of the ACL, the port, VLAN, tag value(s) of the virtual...
  • Page 393 To stop the packet filtering of a user-based security ACL, you must modify the user’s configuration in the local database on the WX switch or on the RADIUS servers where packet filters are authorized. For information about deleting a security ACL from a user’s configuration in the local WX...
  • Page 394: Modifying A Security Acl

    ACL on a port, VLAN, or virtual port. (See “Clearing a Security ACL Map” on page 393.) Use clear security acl plus commit security acl to completely delete the ACL from the WX switch’s configuration. (See “Clearing Security ACLs” on page 390.)
  • Page 395: Placing One Ace Before Another

    2 To add another ACE to the end of acl-violet, type the following command: WX1200# set security acl ip acl-violet permit 192.168.123.11 0.0.0.255 hits 3 To commit the updated security ACL acl-violet, type the following command: WX1200# commit security acl acl-violet success: change accepted.
  • Page 396: Modifying An Existing Security Acl

    3 To view the results, type the following command: WX1200# display security acl info ACL information for all set security acl ip acl-111 (hits #4 0) ---------------------------------------------------- 1. deny IP source IP 192.168.254.12 0.0.0.255 destination IP any 2.
  • Page 397: Clearing Security Acls From The Edit Buffer

    3 To view the results, type the following command: WX1200# display security acl info ACL information for all set security acl ip acl-111 (hits #4 0) ---------------------------------------------------- 1. permit IP source IP 192.168.254.12 0.0.0.0 destination IP any 2. permit IP source IP 192.168.253.11 0.0.0.0 destination IP any set security acl ip acl-2 (hits #1 0) ---------------------------------------------------- 1.
  • Page 398 3 To view details about these uncommitted ACEs, type the following command. WX1200# display security acl info all editbuffer ACL edit-buffer information for all set security acl ip acl-111 (ACEs 3, add 3, del 0, modified 2) ---------------------------------------------------- 1.
  • Page 399: Using Acls To Change Cos

    ACL to change the packet’s CoS value. A CoS value assigned by an ACE overrides the CoS value assigned by the switch’s QoS map. To change CoS values using an ACL, you must map the ACL to the outbound traffic direction on a MAP port, Distributed MAP, or user VLAN.
  • Page 400 Table 34 lists the CoS values to use when reassigning traffic to a different priority. The CoS determines the MAP forwarding queue to use for the traffic when sending it to a wireless client. Table 34 Class-of-Service (CoS) Packet Handling (columns: WMM Priority Desired; rows: Background...
  • Page 401: Enabling Prioritization For Legacy Voice Over Ip

    The following commands perform the same CoS reassignment as the commands in “Using the dscp Option” on page 400. They remap IP packets from IP address 10.10.50.2 that have DSCP value 46 (equivalent to precedence value 5 and ToS value 12), to have CoS value 7 when they are forwarded to any 10.10.90.x address on Distributed MAP 4: WX1200# set security acl ip acl2 permit cos 7 ip 10.10.50.2 0.0.0.0 10.10.90.0 0.0.0.255 precedence 5 tos 12...
  • Page 402: General Guidelines

    General Guidelines: 3Com recommends that you follow these guidelines for any wireless VoIP implementation: Table 35 shows how WMM priority information is mapped across the network. When WMM is enabled in MSS, WX switches and MAPs perform these mappings automatically.
  • Page 403: Enabling Voip Support For Telesym Voip

    If you are upgrading a switch running MSS Version 3.x to MSS Version 4.x, and the switch uses ACLs to map VoIP traffic to CoS 4 or 5, and you plan to leave WMM enabled, 3Com recommends that you change the ACLs to map the traffic to CoS 6 or 7.
  • Page 404: Enabling Svp Optimization For Spectralink Phones

    SVP phones and WLAN infrastructure products. This section describes how to configure WXs and MAPs for SVP phones. 3Com recommends that you plan for a maximum of 6 wireless phones per MAP. To configure MSS for SVP phones, perform the following configuration tasks:...
  • Page 405 Enabling Prioritization for Legacy Voice over IP Configuring a Service Profile for RSN (WPA2) To configure a service profile for SVP phones that use RSN (WPA2): Create the service profile and add the voice SSID to it. Enable the RSN information element (IE). Disable TKIP and enable CCMP.
  • Page 406 Some radio settings that are beneficial for voice traffic might not be beneficial for other wireless clients. If you plan to support other wireless clients in addition to voice clients, 3Com recommends that you create a new radio profile specifically for voice clients, or use the default radio profile only for voice clients and create a new profile for other clients.
  • Page 407 Enabling Prioritization for Legacy Voice over IP. Configuring a VLAN for Voice Clients: MSS requires all clients to be authenticated by RADIUS or the local database, and to be authorized for a specific VLAN. MSS places the user in the authorized VLAN. Configure a VLAN for voice clients. You can use the same VLAN for other clients.
  • Page 408 VLAN on switch-2. Also, if an ACL is mapped to VLAN_A-in on switch-1, it will affect remote clients on switch-2, but not local clients. 3Com recommends mapping ACLs both vlan-in and vlan-out to ensure proper CoS marking in both...
  • Page 409: Restricting Client-To-Client Forwarding Among Ip-Only Clients

    Disabling RF Auto-Tuning Before Upgrading a SpectraLink Phone If you plan to upgrade a SpectraLink phone using TFTP over a MAP, 3Com recommends that you disable RF Auto-Tuning before you begin the upgrade. This feature can increase the length of time required for the upgrade.
  • Page 410: Security Acl Configuration Scenario

    3 Configure an ACE that denies all IP traffic from any IP address in the 10.10.11.0/24 subnet to any address in the same subnet. WX1200# set security acl ip c2c deny ip 10.10.11.0 0.0.0.255 10.10.11.0 0.0.0.255 4 Configure an ACE that permits all traffic that does not match the ACEs configured above: WX1200# set security acl ip c2c permit 0.0.0.0...
  • Page 411 4 To map acl-99 to port 6 to filter incoming packets, type the following command: WX1200# set security acl map acl-99 port 6 in mapping configuration accepted Because every security ACL includes an implicit rule denying all traffic that is not permitted, port 6 now accepts packets only from 192.168.1.1, and denies all other packets.
  • Page 412 Chapter 19: Configuring and Managing Security...
  • Page 413: Managing Keys And Certificates

    Certain WX switch operations require the use of public-private key pairs and digital certificates. All 3Com Wireless Switch Manager and Web Manager users, and users for which the WX performs IEEE 802.1X EAP authentication or WebAAA, require public-private key pairs and digital certificates to be installed on the WX switch.
  • Page 414: Wireless Security Through Tls

    3 The wireless client then sends the key back to the WX switch so that both the WX and the client can derive a key from this pre-master secret for secure authentication and wireless session encryption.
  • Page 415: About Keys And Certificates

    Admin, EAP (or 802.1X), or WebAAA certificates respectively. When the WX switch needs to communicate with 3Com Wireless Switch Manager, Web Manager, or an 802.1X or WebAAA client, MSS requests a private key from the switch’s certificate and key store: If the WX switch does not respond to the request from MSS, authentication fails and access is denied.
  • Page 416: Public Key Infrastructures

    Network users must authenticate their identity to those with whom they communicate, and must be able to verify the identity of other users and network devices, such as switches and RADIUS servers. The 3Com Mobility System supports the following types of X.509 digital certificates:...
  • Page 417: Pkcs #7, Pkcs #10, And Pkcs #12 Object Files

    EAP certificate—Used by the WX switch to authenticate itself to EAP clients. WebAAA certificate—Used by the WX switch to authenticate itself to WebAAA clients, who use a web page served by a WX switch to log onto the network. Certificate authority (CA) certificates—Used by the WX switch in addition to the certificates listed above, when those certificates are from the CA.
  • Page 418: Certificates Automatically Generated By Mss

    Table 36 PKCS Object Files Supported by 3Com (continued). Certificates Automatically Generated by MSS: The first time you boot a switch with MSS Version 4.2 or later, MSS automatically generates keys and self-signed certificates, in cases where certificates are not already configured or installed.
  • Page 419: Creating Keys And Certificates

    Public-private key pairs and digital certificates are required for management access with 3Com Wireless Switch Manager or Web Manager, or for network access by 802.1X or WebAAA users. The digital certificates can be self-signed or signed by a certificate authority (CA). If...
  • Page 420: Choosing The Appropriate Certificate Installation Method For Your

    CA instead of generated by the WX switch itself. The PKCS #12 object file is more complex to deal with than self-signed certificates. However, you can use 3Com Wireless Switch Manager, Web Manager, or the CLI to distribute this certificate. The other two methods can be performed only using the CLI.
  • Page 421: Creating Public-Private Key Pairs

    Creating Public-Private Key Pairs: To use a self-signed certificate or Certificate Signing Request (CSR) certificate for WX switch authentication, you must generate a public-private key pair. To create a public-private key pair, use the following command: crypto generate key {admin | domain | eap | ssh | web}...
  • Page 422: Generating Self-Signed Certificates

    SSH requires an SSH authentication key, but you can allow MSS to generate it automatically. The first time an SSH client attempts to access the SSH server on a WX switch, the switch automatically generates a 1024-byte SSH key. If you want to use a 2048-byte key instead, use the crypto generate key ssh 2048 command to generate one.
  • Page 423: Installing A Key Pair And Certificate From A Pkcs #12 Object File

    After transferring the PKCS #12 file from the CA via FTP and generating a one-time password to unlock it, you store the file in the WX switch’s certificate and key store. To set and store a PKCS #12 object file, follow...
  • Page 424: Creating A Csr And Installing A Certificate From A Pkcs #7 Object File

    Installing a Certificate from a PKCS #7 Object File: ...of authenticity from a CA by generating a Certificate Signing Request (CSR) from the WX switch. A CSR is a text block with an encoded request for a signed certificate from the CA.
  • Page 425: Installing A Ca's Own Certificate

    Creating Keys and Certificates 2 Use a text editor to open the PKCS #7 file, and copy and paste the entire text block, including the beginning and ending delimiters, into the CLI. You must paste the entire block, from the beginning -----BEGIN CERTIFICATE----- to the end -----END CERTIFICATE-----.
  • Page 426: Displaying Certificate And Key Information

    CN=BOBADMIN/emailAddress=BOBADMIN, unstructuredName=BOB The last two rows of the display indicate the period for which the certificate is valid. Make sure the date and time set on the switch are within the date and time range of the certificate.
  • Page 427: Key And Certificate Configuration Scenarios

    To manage the security of the WX switch for administrative access by 3Com Wireless Switch Manager and Web Manager, and the security of communication with 802.1X users and Web AAA users, create Admin, EAP, and Web AAA public-private key pairs and self-signed certificates.
  • Page 428 Unstructured Name: WX in wiring closet 4 Self-signed cert for eap is WX1200# crypto generate self-signed web Country Name: US State Name: CA Locality Name: San Francisco Organizational Name: example Organizational Unit: IT Common Name: WX 6 Email Address: admin@example.com Unstructured Name: WX in wiring closet 4 success: self-signed cert for web generated...
  • Page 429: Installing Ca-Signed Certificates From Pkcs #12 Object Files

    WX1200# display crypto certificate web Certificate: CN=BOBADMIN/emailAddress=BOBADMIN, unstructuredName=BOB CN=BOBADMIN/emailAddress=BOBADMIN, unstructuredName=BOB Installing CA-Signed Certificates from PKCS #12 Object Files: This scenario shows how to use PKCS #12 object files to install public-private key pairs, CA-signed certificates, and CA certificates for administrative access, 802.1X (EAP) access, and Web AAA access. 1 Set time and date parameters, if not already set.
  • Page 430 5 Unpack the PKCS #12 object files into the certificate and key storage area on the WX switch. Use the following command: crypto pkcs12 {admin | eap | web} filename The filename is the location of the file on the WX switch. For example: WX1200# crypto pkcs12 admin 2048admn.p12 Unwrapped from PKCS12 file: WX1200# crypto pkcs12 eap 20481x.p12...
  • Page 431: Installing Ca-Signed Certificates Using A Pkcs #10 Object File (Csr) And A Pkcs #7 Object File

    Installing CA-Signed Certificates Using a PKCS #10 Object File (CSR) and a PKCS #7 Object File: This scenario shows how to use CSRs to install public-private key pairs, CA-signed certificates, and CA certificates for administrative access, 802.1X (EAP) access, and Web AAA access. 1 Set time and date parameters, if not already set.
  • Page 432 WX1200# crypto certificate admin Enter PEM-encoded certificate 8 Paste the signed certificate text block into the WX switch’s CLI, below the prompt. 9 Display information about the certificate, to verify it: WX1200# display crypto certificate admin 10 Repeat step 3 through step 9 to obtain and install EAP (802.1X) and...
  • Page 433: Configuring Aaa For Network Users

    You can configure authentication rules for each type of user, on an individual SSID or wired authentication port basis. MSS authenticates users based on user information on RADIUS servers or in the WX switch’s local database. The RADIUS servers or local database authorize successfully authenticated users for specific network access, including VLAN membership.
  • Page 434 Each authentication rule specifies where the user credentials are stored. The location can be a group of RADIUS servers or the switch’s local database. In either case, if MSS has an authentication rule that matches on the required parameters, MSS checks the username or MAC address of the user and, if required, the password to make sure they match the information configured on the RADIUS servers or in the local database.
  • Page 435 The fallthru authentication type None denies access to a network user. In contrast, the authentication method none allows access to the WX switch by an administrator. (See “Configuring AAA for Administrative and Local Access”...
  • Page 436 Figure 30 Authentication Flowchart for Network Users (flowchart nodes: Client associates with MAP radio or requests access from wired authentication port; Client requests encrypted SSID?; 802.1X rule that matches SSID?; MAC rule that matches SSID?; Use fallthru authentication: last-resort? web? none?)
  • Page 437 SSID Name “Any” In authentication rules for wireless access, you can specify the name any for the SSID. This value is a wildcard that matches on any SSID string requested by the user. For 802.1X and WebAAA rules that match on SSID any, MSS checks the RADIUS servers or local database for the username (and password, if applicable) entered by the user.
  • Page 438: Authorization

    RADIUS requires a password, if the last-resort-wired user is on the RADIUS server, MSS checks for a password. The default well-known password is 3Com but is configurable. (The same password applies to MAC users.) Last-resort access to an SSID does not require a special user (such as last-resort-ssid) to be configured.
  • Page 439 End-Date — Date and time after which the user is no longer allowed to be on the network. Mobility-Profile — Controls the WX switch ports a user can access. For wireless users, an MSS Mobility Profile specifies the MAPs through which the user can access the network.
  • Page 440: Accounting

    Depending on your network configuration, you can configure authentication, authorization, and accounting (AAA) for network users to be performed locally on the WX switch or remotely on a RADIUS server. The number of users that the local WX database can support depends on your platform.
  • Page 441: Aaa Tools For Network Users

    Authentication verifies network user identity and is required before a network user is granted access to the network. A WX switch authenticates user identity by username-password matching, digital signatures and certificates, or other methods (for example, by MAC address).
  • Page 442: “Globs” And Groups For Network User Classification

    SSID. To make an authentication rule match any SSID string, specify the SSID name as any in the rule. AAA Methods for IEEE 802.1X and Web Network Access Mode: The following AAA methods are supported by 3Com for 802.1X and Web network access mode:...
  • Page 443 You can use the local database or RADIUS servers for MAC access as well. If you use RADIUS servers, make sure you configure the password for the MAC address user as 3Com. (This is the default authorization password. To change it, see “Changing the MAC Authorization Password for RADIUS”...
  • Page 444 You can use a combination of authentication methods; for example, PEAP offload and local authentication. When PEAP offload is configured, the WX switch offloads all EAP processing from server groups; the RADIUS servers are not required to communicate using the EAP protocols.
  • Page 445 2 If server-1 fails to respond, the WX retries the authentication using server-2. If server-2 responds, the authentication proceeds using server-2. 3 If server-2 does not respond, because the WX switch has no more servers to try in server-group-1, the WX attempts to authenticate using the next AAA method, which is the local method.
  • Page 446: Ieee 802.1X Extensible Authentication Protocol Types

    Wireless and wired authentication. All authentication is processed on the WX switch. Requires use of local database. Not supported for RADIUS. | This protocol requires X.509 public key certificates on both sides of the connection.
  • Page 447: Ways A Wx Switch Can Use Eap

    No RADIUS servers are required. In this case, the switch needs a digital certificate. If you plan to use the EAP with Transport Layer Security (EAP-TLS) authentication protocol, the clients also need certificates.
  • Page 448: Effects Of Authentication Type On Encryption Method

    Description: The WX switch offloads all EAP processing from a RADIUS server by establishing a TLS session between the switch and the client. In this case, the switch needs a digital certificate. When you use offload, RADIUS can still be used for non-EAP authentication and authorization.
  • Page 449: Configuring 802.1X Authentication

    LAN. Within this framework, you can use TLS, PEAP-TTLS, or EAP-MD5. Most EAP protocols can be passed through the WX switch to the RADIUS server. Some protocols can be processed locally on the WX switch. The following 802.1X authentication command allows differing...
  • Page 450: Using Pass-Through

    “Remote Authentication with Local Backup” on page 444.) Authenticating via a Local Database: To configure the WX switch to authenticate and authorize a user against the local database in the WX switch, use the following command:...
  • Page 451: Binding User Authentication To Machine Authentication

    Configuring 802.1X Authentication. Binding User Authentication to Machine Authentication: Bonded Auth™ (bonded authentication) is a security feature that binds an 802.1X user authentication to authentication of the machine from which the user is attempting to log on. When this feature is enabled, MSS authenticates the user only if the machine the user is on has already been authenticated.
  • Page 452 (For a configuration example, see “Bonded Auth Configuration Example” on page 454.) 3Com recommends that you make the rules as general as possible. For example, if the Active Directory domain is mycorp.com, the following userglobs match on all machine names and users in the domain: If the domain name has more nodes (for example, nl.mycorp.com), use...
  • Page 453 By default, the Bonded Auth period is 0 seconds. MSS does not wait for a Bonded Auth user to reauthenticate. You can set the Bonded Auth period to a value up to 300 seconds. 3Com recommends that you try 60 seconds, and change the period to a longer value only if clients are unable to authenticate within 60 seconds.
  • Page 454 Bonded Auth Configuration Example To configure Bonded Auth: The following commands configure two 802.1X authentication rules for access to SSID mycorp. The first rule is for authentication of all trusted laptop PCs at mycorp.com (host/*-laptop.mycorp.com). The second rule is for bonded authentication of all users at mycorp.com (*.mycorp.com).
  • Page 455 In the following example, bob.mycorp.com uses Bonded Auth, and the Bonded Auth period is set to 60 seconds. WX1200# display dot1x config 802.1X user policy ---------------------- 'host/bob-laptop.mycorp.com' on ssid 'mycorp' doing PASSTHRU 'bob.mycorp.com' on ssid 'mycorp' doing PASSTHRU (bonded) 802.1X parameter ---------------- supplicant timeout auth-server timeout...
  • Page 456: Configuring Authentication And Authorization By Mac Address

    (PDAs) do not support 802.1X authentication. If a client does not support 802.1X, MSS attempts to perform MAC authentication for the client instead. The WX switch can discover the MAC address of the device from received frames and can use the MAC address in place of a username for the client.
  • Page 457: Configuring Mac Authentication And Authorization

    WX1200# clear mac-user 01:0f:03:04:05:06 group success: change accepted. The clear mac-usergroup command removes the group. To remove a MAC user profile from the local database on the WX switch, type the following command: clear mac-user mac-address For example, the following command removes MAC user...
  • Page 458 If the switch’s configuration does not contain a set authentication mac command that matches a non-802.1X client’s MAC address, MSS tries MAC authentication by default. You can also glob MAC addresses. For example, the following command...
  • Page 459: Changing The Mac Authorization Password For Radius

    Configuring Authentication and Authorization by MAC Address. Changing the MAC Authorization Password for RADIUS: When you enable MAC authentication, the client does not supply a regular username or password. The MAC address of the user’s device is extracted from frames received from the device. To authenticate and authorize MAC users via RADIUS, MSS must supply a password for MAC users, which is called the outbound authorization password.
  • Page 460: Configuring Web Portal Webaaa

    WebAAA on an encrypted SSID, you can use static WEP or WPA with PSK as the encryption type. MSS provides a 3Com login page, which is used by default. You can add custom login pages to the WX switch’s nonvolatile storage, and configure MSS to serve those pages instead.
  • Page 461 Login Page” on page 461.) 5 The user enters their username and password in the WebAAA login page. 6 MSS authenticates the user by checking RADIUS or the switch’s local database for the username and password entered by the user. If the user information is present, MSS authorizes the user based on the authorization attributes set for the user.
  • Page 462: Webaaa Requirements And Recommendations

    If the WX does not receive a reply to a client’s DNS request, the WX spoofs a reply to the browser by sending the WX switch’s own IP address as the resolution to the browser’s DNS query. The WX also serves the web login page.
  • Page 463 DNS server. (To configure a VLAN, see “Configuring and Managing VLANs” on page 87.) If users will roam from the switch where they connect to the network to other WX switches, the system IP addresses of the switches should not be in the web-portal VLAN.
  • Page 464 To set the fallthru authentication type for an SSID, set it in the service profile for the SSID, using the set service-profile auth-fallthru command. To set it on a wired authentication port, use the auth-fall-thru web-portal parameter of the set port type wired-auth command. set security acl ip portalacl permit udp 0.0.0.0 255.255.255.255 eq 68 0.0.0.0 255.255.255.255 eq 67 set security acl ip portalacl deny 0.0.0.0 255.255.255.255...
  • Page 465 ACL and map that ACL instead to the web-portal-ssid or web-portal-wired user. Make sure to use the capture option for traffic you do not want to allow. 3Com recommends that you do not change the portalacl ACL. Leave the ACL as a backup in case you need to refer to it or you need to use it again.
  • Page 466 Consider installing a WebAAA certificate signed by a trusted CA, instead of one signed by the WX switch itself. Unless the client’s browser is configured to trust the signature on the switch’s WebAAA certificate, display of the login page can take several seconds longer than usual, and might be interrupted by a dialog asking the user what to do about the untrusted certificate.
  • Page 467: Configuring Web Portal WebAAA

    255.255.255.0 success: change accepted. The VLAN does not need to be configured on the switch where you configure Web Portal but the VLAN does need to be configured on a switch somewhere in the Mobility Domain. The user’s traffic will be tunneled to the switch where the VLAN is configured.
  • Page 468 WX1200# set service-profile mycorp-srvcprof auth-fallthru web-portal success: change accepted. WX1200# set service-profile mycorp-srvcprof attr vlan-name mycorp-vlan success: change accepted. WX1200# set service-profile mycorp-srvcprof rsn-ie enable success: change accepted. WX1200# set service-profile mycorp-srvcprof cipher-ccmp enable success: change accepted. 3 Display the service profile to verify the changes: WX1200# display service-profile mycorp-srvcprof ssid-name:...
  • Page 469 The rule does not by itself allow access to all usernames. The ** value simply makes all usernames eligible for authentication, in this case by searching the switch’s local database for the matching usernames and passwords. If a username does not match on the access rule’s userglob, the user is denied access without a search of the local database for the username and password.
  • Page 470 Displaying Session Information for Web Portal WebAAA Users To display user session information for Web Portal WebAAA users, use the following command: display sessions network [user user-glob | mac-addr mac-addr-glob | ssid ssid-name | vlan vlan-glob | session-id session-id | wired] [verbose] You can determine whether a Web Portal WebAAA user has completed the authentication and authorization process, based on the username...
  • Page 471: Using A Custom Login Page

    To serve a custom page instead, do the following: 1 Copy and modify the 3Com page, or create a new page. 2 Create a subdirectory in the user files area of the WX switch’s nonvolatile storage, and copy the custom page into the subdirectory.
  • Page 472 MSS uses the following process to find the login page to display to a user: Copying and Modifying the Web Login Page To copy and modify the 3Com Web login page: 1 Configure an unencrypted SSID on a WX switch. The SSID is temporary and does not need to be one you intend to use in your network.
  • Page 473 WX1200# set ap 2 radio 1 radio-profile temprad mode enable success: change accepted. 2 From your PC, attempt to access the temporary SSID. The WX switch displays the login page. 3 In the browser, select File > Save As to save the login page.
  • Page 474 5 Save the modified page. 6 On the WX switch, create a new subdirectory for the customized page. (The files must be on a TFTP server that the WX switch can reach over the network.) WX1200# mkdir mycorp-webaaa success: change accepted.
  • Page 475: Using Dynamic Fields In WebAAA Redirect URLs

    For the url, specify the full path; for example, mycorp-webaaa/mycorp-login.html. If the custom login page includes *.gif or *.jpg images, their path names are interpreted relative to the directory from which the page is served. 9 Configure WebAAA users and rules as described in “Configuring Web Portal WebAAA”...
  • Page 476: Using An ACL Other Than portalacl

    When user piltdown is successfully authenticated and authorized, MSS redirects the user to the following URL: http://myserver.com/piltdown.html The following example configures a redirect URL that contains a script argument using the literal character ?: WX1200# set usergroup ancestors attr url https://saqqara.org/login.php$quser=$u success: change accepted.
  • Page 477: Configuring The Web Portal WebAAA Session Timeout Period

    The MAP handling the client's session appears to be inoperative from the WX switch; the client reappears on this MAP or another MAP managed by a WX switch, at which time the Web Portal WebAAA session enters the Active state; the Web Portal WebAAA session is terminated administratively...
  • Page 478: Configuring The Web Portal Logout Function

    WX receiving the logout request determines which WX switch has the user session. If it is a local session, the session is terminated. If another WX switch in the Mobility Domain has the session, then it redirects the request to that WX.
  • Page 479: Configuring Last-Resort Access

    The URL should be of the form https://host/logout.html. By default, the logout URL uses the IP address of the WX switch as the host part of the URL. The host can be either an IP address or a hostname.
  • Page 480 You do not need to configure an access rule for last-resort access. Last-resort access is automatically enabled on all service profiles and wired authentication ports that have the fallthru authentication type set to last-resort. (The set authentication last-resort and clear authentication last-resort commands are not needed and are not supported in MSS Version 5.0 and later.) The authentication method for last-resort is always local.
  • Page 481: Configuring Last-Resort Access For Wired Authentication Ports

    Beginning with MSS Version 5.0, the special user last-resort-ssid, where ssid is the SSID name, is not required and is not supported. If you upgrade a switch running an earlier version of MSS to 5.0, the last-resort-ssid users are automatically removed from the configuration during the upgrade.
  • Page 482: Configuring AAA For Users Of Third-Party APs

    AP that has authenticated the users with RADIUS. Third-Party APs: You can connect a third-party AP to a WX switch and configure the WX to provide authorization for clients who authenticate and access the network through the AP. Figure 32 shows an example.
  • Page 483: Requirements

    WX. The WX then removes the session. Requirements Third-Party AP Requirements The third-party AP must be connected to the WX switch through a wired Layer 2 link. MSS cannot provide data services if the AP and WX are in different Layer 3 subnets.
  • Page 484: Tagged SSIDs

    WX Switch Requirements: The WX system IP address must be the same as the IP address configured on the VLAN that contains the proxy port. RADIUS Server Requirements. Configuring: To configure MSS to authenticate 802.1X users of a third-party AP, use...
  • Page 485 Add a RADIUS proxy entry for the AP. The proxy entry specifies the IP address of the AP and the UDP ports on which the WX switch listens for RADIUS access-requests and stop-accounting records from the AP. Use the following command:...
  • Page 486 The following command configures a MAC authentication rule that matches on the third-party AP’s MAC address. Because the AP is connected to the WX switch on a wired authentication port, the wired option is used. WX4400# set authentication mac wired aa:bb:cc:01:01:01 srvrgrp1 success: change accepted.
  • Page 487: Configuring Authentication For Non-802.1X Users Of A Third-Party AP With Tagged SSIDs

    Configuring Authentication for Non-802.1X Users of a Third-Party AP with Tagged SSIDs: To configure MSS to authenticate non-802.1X users of a third-party AP, use the same commands as those required for 802.1X users. Additionally, when configuring the wired authentication port, use the auth-fall-thru option to change the fallthru authentication type to last-resort or web-portal.
  • Page 488 Table 43 lists the authorization attributes supported by MSS. (For brief descriptions of all the RADIUS attributes and 3Com vendor-specific attributes supported by MSS, as well as the vendor ID and types for 3Com VSAs configured on a RADIUS server, see “Supported RADIUS Attributes” on page 651.)
  • Page 489 32 alphanumeric characters, with no tabs or spaces. Note: If the Mobility Profile feature is enabled, and a user is assigned the name of a Mobility Profile that does not exist on the WX switch, the user is denied access.
  • Page 490 (approximately 136.2 years). Name of the SSID you want the user to use. The SSID must be configured in a service profile, and the service profile must be used by a radio profile assigned to 3Com radios in the Mobility Domain.
  • Page 491 Table 43 Authentication Attributes for Local Users (continued). Attribute: start-date. Description: Date and time at which the user becomes eligible to access the network. MSS does not authenticate the user unless the attempt to access the network occurs at or after the specified date and time, but before the end-date (if specified).
  • Page 492: Assigning Attributes To Users And Groups

    To use the literal character $ or ?, use the following: Name of a VLAN that you want the user to use. The VLAN must be configured on a WX switch within the Mobility Domain to which this WX switch belongs.
  • Page 493: Assigning SSID Default Attributes To A Service Profile

    Assigning Authorization Attributes: To change the value of an authorization attribute, reenter the command with the new value. To assign an authorization attribute to a user’s configuration on a RADIUS server, see the documentation for your RADIUS server. Assigning SSID Default Attributes to a Service Profile: You can configure a service profile with a set of default AAA authorization attributes that are used when the normal AAA process or a...
  • Page 494: Assigning A Security ACL To A User Or A Group

    All of the authorization attributes listed in Table 40 on page 448 can be specified in a service profile except ssid. Assigning a Security ACL to a User or a Group: Once a security access control list (ACL) is defined and committed, it can be applied dynamically and automatically to users and user groups...
  • Page 495: Clearing A Security ACL From A User Or Group

    MAP access port or wired authentication port, or from the network via a network port. Use acl-name.out to filter traffic sent from the WX switch to users via a MAP access port or wired authentication port, or from the network via a network port.
  • Page 496: Assigning Encryption Types To Wireless Users

    WX database or on the RADIUS server. Encryption-Type is a 3Com vendor-specific attribute (VSA). Clients who attempt to use an unauthorized encryption method are rejected.
  • Page 497 Table 45 Encryption Type Values and Associated Algorithms (continued) Encryption-Type Encryption Algorithm Value Assigned Wired-Equivalent Privacy protocol using 104 bits of key strength (WEP_104). This is the default. Wired-Equivalent Privacy protocol using 40 bits of key strength (WEP_40). No encryption. Static WEP For example, the following command restricts the MAC user group mac-fans to access the network by using only TKIP:...
  • Page 498: Keeping Users On The Same Vlan Even After Roaming

    Yes or No means the mechanism does not affect the outcome, due to another mechanism that is set. The VLAN Assigned By column indicates the mechanism that is used by the roamed-to switch to assign the VLAN, based on the various ways the VLAN is set on that switch.
  • Page 499: Overriding Or Adding Attributes Locally With A Location Policy

    AAA, or SSID default setting on the roamed-to switch. To enable keep-initial-vlan, use the following command: set service-profile name keep-initial-vlan {enable | disable} Enter this command on the switch that will be roamed to by users. The following command enables the keep-initial-vlan option on service profile sp3: WX1200# set service-profile sp3 keep-initial-vlan enable success: change accepted.
  • Page 500: About The Location Policy

    MSS to take the specified action. If the location policy contains multiple rules, MSS compares the user information to the rules one at a time, in the order the rules appear in the switch’s configuration file, beginning with the rule at the top of the list. MSS continues comparing until a user matches all conditions in a rule or until there are no more rules.
  • Page 501: Setting The Location Policy

    Setting the Location Policy: To enable the location policy function on a WX switch, you must create at least one location policy rule with one of the following commands: set location policy deny if {ssid operator ssid-name | vlan operator vlan-glob | user...
  • Page 502 Output filter — Use outacl outacl-name to filter traffic sent from the switch to users via a MAP access port or wired authentication port, or from the network via a network port.
  • Page 503: Clearing Location Policy Rules And Disabling The Location Policy

    Disabling the Location Policy Type display location policy to display the numbers of configured location policy rules. To disable the location policy on a WX switch, delete all the location policy rules. Overriding or Adding Attributes Locally with a Location Policy...
  • Page 504: Configuring Accounting For Wireless Network Users

    Client’s MAC address; MAP port number and radio number; MAP’s MAC address; Number of octets received by the WX switch; Number of octets sent by the switch; Number of packets received by the switch; Number of packets sent by the switch...
  • Page 505: Viewing Local Accounting Records

    session, rather than a new session. The following sample output shows a wireless user roaming from one WX switch to another WX switch. From the accounting records, you can determine the user’s activities by viewing the Acct-Status-Type, which varies from START to UPDATE to STOP, and the Called-Station-Id, which is the MAC address of the MAP through which the wireless user accessed the network.
  • Page 506 User-Name=Administrator@example.com Acct-Session-Time=209 Acct-Output-Octets=1280 Acct-Input-Octets=1920 Acct-Output-Packets=10 Acct-Input-Packets=15 Event-Timestamp=1053536700 Vlan-Name=default Calling-Station-Id=00-06-25-09-39-5D Nas-Port-Id=2/1 Called-Station-Id=00-0B-0E-76-56-A0 The user terminated the session on WX1200-0017: WX1200-0017# display accounting statistics May 21 17:07:32 Acct-Status-Type=STOP Acct-Authentic=2 Acct-Multi-Session-Id=SESSION-4-1106424789 User-Name=Administrator@example.com Acct-Session-Time=361 Event-Timestamp=1053536852 Acct-Output-Octets=2560 Acct-Input-Octets=5760 Acct-Output-Packets=20 Acct-Input-Packets=45 Vlan-Name=default Calling-Station-Id=00-06-25-09-39-5D...
  • Page 507: Displaying The AAA Configuration

    Password = 082c6c64060b (encrypted) Filter-Id = acl-999.in Filter-Id = acl-999.out mac-user 01:02:03:04:05:06 usergroup eastcoasters session-timeout = 99 For information about the fields in the output, see the Switch and Controller Command Addr Ports 198.162.1.1 1821 1813 198.168.1.2 1821 1813 198.162.1.3...
  • Page 508: Avoiding AAA Problems In Configuration Order

    Avoiding AAA Problems in Configuration Order: This section describes some common AAA configuration issues on the WX switch and how to avoid them. Using the Wildcard “Any”: You can configure an authentication rule to match on all SSID strings by...
  • Page 509 Configuration Producing an Incorrect Processing Order For example, suppose you initially set up start-stop accounting as follows for all 802.1X users via RADIUS server group 1: WX1200# set accounting dot1x ssid mycorp * start-stop group1 success: change accepted. You then set up PEAP-MS-CHAP-V2 authentication and authorization for all users at EXAMPLE/ at server group 1.
  • Page 510: Configuring A Mobility Profile

    Mobility Profile who are allowed access to specified MAP access ports and wired authentication ports on a WX switch. In this way, you can constrain the areas to which a user can roam. You first create a Mobility Profile, assign it to one or more users, and finally enable the Mobility Profile feature on the WX.
  • Page 511 EXAMPLE\jose is rejected. The Mobility Profile feature is disabled by default. You must enable Mobility Profile attributes on the WX switch to use it. You can enable or disable the feature for the whole WX only. If the Mobility Profile feature is disabled, all Mobility Profile attributes are ignored.
  • Page 512: Network User Configuration Scenarios

    Network User Configuration Scenarios: The following scenarios provide examples of ways in which you use AAA commands to configure access for users. General Use of Network User Commands: The following example illustrates how to configure IEEE 802.1X network users for authentication, accounting, ACL filtering, and Mobility Profile assignment:
  • Page 513 5 Create a Mobility Profile called tulip by typing the following commands: WX1200# set mobility-profile name tulip port 2,5 success: change accepted. WX1200# set mobility-profile mode enable success: change accepted. WX1200# display mobility-profile Mobility Profiles Name ========================= tulip 6 To assign Mobility Profile tulip to all users at EXAMPLE, type the following command for each EXAMPLE\ user: WX1200# set user EXAMPLE\username attr mobility-profile tulip Users at EXAMPLE are now restricted to ports 2 and 5, as specified in the...
  • Page 514: Enabling RADIUS Pass-Through Authentication

    1 To set authentication for all 802.1X users of SSID thiscorp, type the following command: WX1200# set authentication dot1x ssid thiscorp * peap-mschapv2 local 2 To add user Natasha to the local database on the WX switch, type the following command: WX1200# set user Natasha password moon...
  • Page 515: Enabling PEAP-MS-CHAP-V2 Offload

    3 To assign Natasha to a VLAN named red, type the following command: WX1200# set user Natasha attr vlan-name red 4 To assign Natasha a session timeout value of 1200 seconds, type the following command: WX1200# set user Natasha attr session-timeout 1200 5 Save the configuration: WX1200# save config success: configuration saved.
  • Page 516: Combining EAP Offload With Pass-Through Authentication

    WX1200# set server group sg1 members r1 3 To authenticate all 802.1X users of SSID bobblehead in the group mktg using PEAP on the WX switch and MS-CHAP-V2 on server sg1, type the following command: WX1200# set authentication dot1x ssid bobblehead mktg\* peap-mschapv2 sg1 4 To authenticate all 802.1X users of SSID aircorp in @eng.example.com via...
  • Page 517 1 Redirect bldga-prof- VLAN users to the VLAN bldgb-eng: WX1200# set location policy permit vlan bldgb-eng if vlan eq bldga-prof-* 2 Allow writing instructors from -techcomm VLANs to use the bldgb-eng VLAN: WX1200# set location policy permit vlan bldgb-eng if vlan eq *-techcomm 3 Display the configuration: WX1200# display location policy Id Clauses...
  • Page 519: Configuring Communication With RADIUS

    For a list of the standard and extended RADIUS attributes and 3Com vendor-specific attributes (VSAs) supported by MSS, see “Supported RADIUS Attributes” on page 651. RADIUS Overview: Remote Authentication Dial-In User Service (RADIUS) is a distributed client-server system.
  • Page 520 1 The wireless user (client) requests an IEEE 802.11 association from the MAP. 2 After the MAP creates the association, the WX switch sends an Extensible Authentication Protocol (EAP) identity request to the client. 3 The client sends an EAP identity response.
  • Page 521: Before You Begin

    To ensure that you can contact the RADIUS servers you plan to use for authentication, send the ping command to each one to verify connectivity. ping ip-address You can then set up communication between the WX switch and each RADIUS server group. Configuring...
  • Page 522: Configuring Global RADIUS Defaults

    RADIUS servers in the server group are unresponsive and have entered the dead time. For failover authentication or authorization to work promptly, 3Com recommends that you change the dead time to a value other than 0.
  • Page 523: Setting The System IP Address As The Source Address

    Address change when routing conditions change. If you have set a system IP address for the WX switch, you can use it as a permanent source address for the RADIUS packets sent by the switch. To set the WX system IP address as the address of the RADIUS client, type...
  • Page 524: Deleting RADIUS Servers

    You must provide RADIUS servers with names that are unique. To prevent confusion, 3Com recommends that RADIUS server names differ in ways other than case. For example, avoid naming two servers RS1 and rs1. You must configure RADIUS servers into server groups before you can access them.
  • Page 525: Creating Server Groups

    (AAA). AAA methods can be the local database on the WX switch and/or one or more RADIUS server groups. You set the order in which the WX switch attempts the AAA methods by the order in which you enter the methods in CLI commands.
  • Page 526 Configuring Load Balancing: You can configure the WX switch to distribute authentication requests across RADIUS servers in a server group, which is called load balancing. Distributing the authentication process across multiple RADIUS servers significantly reduces the load on individual servers while increasing resiliency on a systemwide basis.
  • Page 527: Deleting A Server Group

    Adding Members to a Server Group To add RADIUS servers to a server group, type the following command: set server group group-name members server-name1 [server-name2] [server-name3] [server-name4] The keyword members lists the RADIUS servers contained in the named server group. A server group can contain between one and four RADIUS servers.
  • Page 528: RADIUS And Server Group Configuration Scenario

    Server groups. RADIUS and Server Group Configuration Scenario: The following example illustrates how to declare four RADIUS servers to a WX switch and configure them into two load-balancing server groups, swampbirds and shorebirds: 1 Configure RADIUS servers. Type the following commands: WX1200# set radius server pelican address 192.168.253.11 key elm...
  • Page 529 6 Display the configuration. Type the following command: WX1200# display aaa Default Values authport=1812 acctport=1813 timeout=5 acct-timeout=5 retrans=3 deadtime=0 key=(null) author-pass=(null) Radius Servers Server ------------------------------------------------------------------- sandpiper 192.168.253.17 seagull 192.168.243.12 egret 192.168.243.15 pelican 192.168.253.11 Server groups swampbirds (load-balanced): pelican seagull shorebirds (load-balanced): egret pelican sandpiper RADIUS and Server Group Configuration Scenario Addr Ports...
  • Page 531: On The WX Switch

    Certain settings for IEEE 802.1X sessions on the WX switch are enabled by default. For best results, change the settings only if you are aware of a problem with the WX switch’s 802.1X performance. For settings that you can reset with a clear command, MSS reverts to the default value.
  • Page 532: Setting 802.1X Port Control

    802.1X authentication attempts: set dot1x port-control {forceauth | forceunauth | auto} port-list The default setting is auto, which allows the WX switch to process 802.1X authentication normally according to the authentication configuration. Alternatively, you can set a wired authentication port or ports to either unconditionally authenticate or unconditionally reject all users.
  • Page 533: Managing 802.1X Encryption Keys

    Managing 802.1X Encryption Keys: By default, the WX switch sends encryption key information to a wireless supplicant (client) in an Extensible Authentication Protocol over LAN (EAPoL) packet after authentication is successful. You can disable this feature or change the time interval for key transmission.
  • Page 534: Managing WEP Keys

    WEP key rotation. Configuring 802.1X WEP Rekeying: WEP rekeying is enabled by default on the WX switch. Disable WEP rekeying only if you need to debug your 802.1X network. Use the following command to disable WEP rekeying for broadcast and...
  • Page 535: Setting EAP Retransmission Attempts

    900. Setting EAP Retransmission Attempts: The following command sets the maximum number of times the WX switch retransmits an 802.1X-encapsulated EAP request to the supplicant (client) before it times out the authentication session: set dot1x max-req number-of-retransmissions. The default number of retransmissions is 2.
  • Page 536: Managing 802.1X Client Reauthentication

    Managing 802.1X Client Reauthentication: Reauthentication of 802.1X wireless supplicants (clients) is enabled on the WX switch by default. By default, the WX switch waits 3600 seconds (1 hour) between authentication attempts. You can disable reauthentication or change the defaults.
  • Page 537: Setting The 802.1X Reauthentication Period

    Setting the 802.1X Reauthentication Period: The following command configures the number of seconds that the WX switch waits before attempting reauthentication: set dot1x reauth-period seconds. The default is 3600 seconds (1 hour). The range is from 60 to 1,641,600 seconds (19 days).
  • Page 538: Setting The Bonded Authentication Period

    (For more information about Bonded Auth, see “Binding User Authentication to Machine Authentication” on page 451.) Managing Other Timers: By default, the WX switch waits 60 seconds before responding to a client whose authentication failed, and times out a request to a RADIUS server or an authentication session with a client after 30 seconds.
  • Page 539: Setting The 802.1X Timeout For An Authorization Server

    Setting the 802.1X Timeout for an Authorization Server: Use this command to configure the number of seconds before the WX switch times out a request to a RADIUS authorization server: set dot1x timeout auth-server seconds. The default is 30 seconds. The range is from 1 to 65,535 seconds.
  • Page 540: Displaying 802.1X Information

    Displaying 802.1X Information: This command displays 802.1X information for clients, statistics, VLANs, and configuration: display dot1x {clients | stats | config}. Viewing 802.1X Clients: Type the following command to display active 802.1X clients: WX1200# display dot1x clients MAC Address ------------- 00:20:a6:48:01:1f...
  • Page 541: Viewing 802.1X Statistics

    Type the following command to display 802.1X statistics about connecting and authenticating: WX1200# display dot1x stats For information about the fields in the output, see the Switch and Controller Command 802.1X parameter ---------------- supplicant timeout auth-server timeout quiet period...
  • Page 543: Configuring SODA Endpoint Security For A WX Switch

    Sygate On-Demand (SODA) is an endpoint security solution that allows enterprises to enforce security policies on client devices without having to install any special software on the client machines. MSS can be configured to run SODA security checks on users’ machines as a requirement for gaining access to the network.
  • Page 544: SODA Endpoint Security Support On WX Switches

    Once downloaded, the SODA agent runs a series of security checks to enforce endpoint security on the client device. SODA agent applets can be uploaded to a WX switch, stored there, and downloaded by clients attempting to connect to the network.
  • Page 545: How SODA Functionality Works On WX Switches

    2 The network administrator exports the SODA agent files from SODA Manager, and saves them as a .zip file. 3 The SODA agent .zip file is uploaded to the WX switch using TFTP. 4 The SODA agent files are installed on the WX switch using a CLI command that extracts the files from the .zip file and places them into a...
  • Page 546: Configuring SODA Functionality

    If the WX switch is configured to enforce the SODA agent security b If the WX switch is configured not to enforce the SODA agent security c If the user’s computer fails one of the SODA agent checks, then a 7 At the completion of his or her session, the user can close the SODA Virtual Desktop or point to an advertised logout URL.
  • Page 547: Configuring Web Portal WebAAA For The Service Profile

    C:\Program Files\Sygate\Sygate On-Demand directory. You place the contents of the On-DemandAgent directory into a .zip file (for example, soda.ZIP) and copy the file to the WX switch using TFTP, as described in “Copying the SODA Agent to the WX Switch” on page 549.
  • Page 548 The hostname of the logout page should be set to a name that resolves to the WX switch’s IP address on the VLAN where the client resides, or should be the IP address of the WX switch on the Web Portal WebAAA VLAN; for example: https://10.1.1.1/logout.html...
  • Page 549: Copying The SODA Agent To The WX Switch

    Installing the SODA Agent Files on the WX Switch: After copying the .zip file containing the SODA agent files to the WX switch, you install the SODA agent files into a directory using the following command: install soda agent agent-file agent-directory directory. This command creates the specified directory, unzips the specified agent-file and places the contents of the file into the directory.
  • Page 550: Enabling SODA Functionality For The Service Profile

    URLs to client devices. In addition, you should not configure the SODA agent to refer to the success and failure pages on the WX switch if you have disabled enforcement of SODA agent checks.
  • Page 551: Specifying A SODA Agent Success

    The page refers to a file on the WX switch. After this page is loaded, the client is placed in its assigned VLAN and granted access to the network. For example, the following command specifies success.html, which is a...
  • Page 552: Specifying A Remediation ACL

    The page refers to a file on the WX switch. After this page is loaded, the specified remediation ACL takes effect, or if there is no remediation ACL configured, then the client is disconnected from the network.
  • Page 553: Specifying A SODA Agent Logout Page

    URL of the page to users as a logout page. For example, the following command specifies logout.html, which is a file in the root directory on the WX switch, as the page to load when a client closes the SODA virtual desktop: WX1200# set service-profile sp1 soda logout-page logout.html...
  • Page 554: Specifying An Alternate SODA Agent Directory For A Service Profile

    The following command specifies logout.html, in the soda-files directory on the WX switch, as the page to load when a client closes the SODA virtual desktop: WX# set service-profile sp1 soda logout-page soda-files/logout.html success: change accepted.
  • Page 555: Displaying SODA Configuration Information

    For example, the following command removes the directory sp1 and all of its contents: WX1200# uninstall soda agent agent-directory sp1 This will delete all files in agent-directory, do you wish to continue? (y|n) [n]y Displaying SODA Configuration: To view information about the SODA configuration for a service profile, use the display service-profile command.
  • Page 556 (For information about the fields in the output, see the Wireless LAN Switch and Controller Command Reference.)
  • Page 557: Managing Sessions

    authenticated user (client) and the specific station to which the client is bound. Packets are exchanged during a session. A WX switch supports the following kinds of sessions: The WX session manager manages the sessions for each client, but does not examine the substance of the traffic.
  • Page 558: Displaying And Clearing All Administrative Sessions

    This will terminate manager sessions, do you wish to continue? (y|n) [n]y Displaying and Clearing an Administrative Console Session: To view information about the user with administrative access to the WX switch through a console plugged into the switch, type the following command: WX1200> display sessions console...
  • Page 559: Displaying And Clearing Administrative Telnet Sessions

    Displaying and Clearing Administrative Telnet Sessions: To view information about administrative Telnet sessions, type the following command: WX1200> display sessions telnet ------- tty3 1 telnet session To clear the administrative sessions of Telnet users, type the following command: WX1200# clear sessions telnet This will terminate manager sessions, do you wish to continue? (y|n) [y]y Displaying and...
  • Page 560: Displaying And Clearing Network Sessions

    An asterisk (*) in the Sess ID field indicates a session that is currently active. (For more information about the fields in the output, see the Wireless LAN Switch and Controller Command Reference.) (For information about getting detailed output, see “Displaying Verbose Network Session Information”...
  • Page 561: Displaying Verbose Network Session Information

    Displaying Verbose Network Session Information: In the display sessions network commands, you can specify verbose to get more in-depth information. For example, to display detailed information for all network sessions, type the following command: WX1200> display sessions network verbose User Name ------------------------------ ---- EXAMPLE\wong...
  • Page 562: Displaying And Clearing Network Sessions By Username

    Displaying and Clearing Network Sessions by Username: You can view sessions by a username or user glob. (For a definition of user globs and their format, see “User Globs” on page 30.) To see all sessions for a specific user or for a group of users, type the following command: display sessions network user user-glob...
  • Page 563: Displaying And Clearing Network Sessions By Mac Address

    Displaying and Clearing Network Sessions by MAC Address: You can view sessions by MAC address or MAC address glob. (For a definition of MAC address globs and their format, see “MAC Address Globs” on page 31.) To view session information for a MAC address or set of MAC addresses, type the following command: display sessions network mac-addr mac-addr-glob...
  • Page 564: Displaying And Clearing Network Sessions By Session Id

    To clear the sessions on a VLAN or set of VLANs, use the following command: clear sessions network vlan vlan-glob For example, the following command clears the sessions of all users on VLAN red: WX1200# clear sessions network vlan red Displaying and Clearing Network Sessions by Session ID: You can display information about a session by session ID.
  • Page 565: Displaying And Changing Network Session Timers

    Protocol: 802.11 Session CAC: disabled (For information about the fields in the output, see the Wireless LAN Switch and Controller Command Reference.) The verbose option is not available with the display sessions network session-id command. To clear network sessions by session ID, type the following command with the appropriate local session ID number.
  • Page 566: Disabling Keepalive Probes

    MSS temporarily keeps session information for disassociated web-portal clients to allow them time to reassociate after roaming. (See “Configuring the Web Portal WebAAA Session Timeout Period” on page 477.) Disabling Keepalive Probes: To disable or reenable keepalive probes in a service profile, use the following command: set service-profile name idle-client-probing {enable |...
  • Page 567: Rogue Detection And Countermeasures

    You also can enable countermeasures to prevent clients from using the devices that truly are rogues. With 3Com Wireless Switch Manager, you also can display the physical location of a rogue device. (For more information, see the Manager Reference.) About Rogues and RF Detection: RF detection detects all the IEEE 802.11 devices in a Mobility Domain and...
  • Page 568 RF Auto-Tuning is enabled. Rogue—The device is in the 3Com network but does not belong there. Interfering device—The device is not part of the 3Com network but also is not a rogue. No client connected to the device has been detected communicating with any network entity listed in the forwarding database (FDB) of any WX switch in the Mobility Domain.
  • Page 569 Client black list—A list of MAC addresses of wireless clients who are not allowed on the network. MSS prevents clients on the list from accessing the network through a WX switch. If the client is placed on the black list dynamically by MSS due to an association, reassociation or disassociation flood, MSS generates a log message.
  • Page 570 Figure 34 Rogue Detection Algorithm (flowchart): MAP radio detects wireless packet. Source MAC in Ignore List? SSID in Permitted SSID List? OUI in Permitted Vendor List? Source MAC in Attack List? Rogue classification algorithm deems the device to be a rogue? Device is not a threat.
  • Page 571: Rf Detection Scans

    RF Detection Scans All radios continually scan for other RF transmitters. Radios perform passive scans and active scans: Passive scans — The radio listens for beacons and probe responses. Active scans — The radio sends probe any requests (probe requests with a null SSID name) to solicit probe responses from other access points.
  • Page 572: Countermeasures

    RF Detection data is processed. Existing RF Detection information ages out normally. Processing of RF Detection data is resumed only when all members of the Mobility Domain are up. If a seed switch in the Mobility Domain cannot resume full operation, you can restore the Mobility...
  • Page 573: Summary Of Rogue Detection Features

    Summary of Rogue Detection Features: Table 48 lists the rogue detection features in MSS. Table 48 Rogue Detection Features (columns: Rogue Detection Feature, Description). Features listed: Classification (MSS can classify third-party APs as rogues or interfering devices), Permitted vendor list, Permitted SSID list, Client black list, Attack list, Ignore list.
  • Page 574: Configuring Rogue Detection Lists

    If you configure a permitted vendor list, MSS allows only the devices whose OUIs are on the list. The permitted vendor list applies only to the WX switch on which the list is configured. WX switches do not share permitted vendor lists.
  • Page 575 The trailing 00:00:00 value is required. To display the permitted vendor list, use the following command: display rfdetect vendor-list The following example shows the permitted vendor list on a switch: WX1200# display rfdetect vendor-list Total number of entries: 1 Type...
  • Page 576: Configuring A Permitted Ssid List

    SSID list, MSS allows traffic only for the SSIDs that are on the list. The permitted SSID list applies only to the WX switch on which the list is configured. WX switches do not share permitted SSID lists.
  • Page 577: Configuring A Client Black List

    The client black list applies only to the WX switch on which the list is configured. WX switches do not share client black lists.
  • Page 578: Configuring An Attack List

    The attack list can contain the MAC addresses of APs and clients. By default, the attack list is empty. The attack list applies only to the WX switch on which the list is configured. WX switches do not share attack lists. When on-demand countermeasures are enabled, only those devices configured in the attack list are subject to countermeasures.
  • Page 579: Configuring An Ignore List

    Configuring an Ignore List: By default, when countermeasures are enabled, MSS considers any non-3Com transmitter to be a rogue device and can send countermeasures to prevent clients from using that device. To prevent MSS from sending countermeasures against a friendly device, add the...
  • Page 580: Enabling Countermeasures

    WX4400# set radio-profile radprof3 countermeasures rogue success: change accepted. The following command causes radios managed by radio profile radprof3 to issue countermeasures against devices in the WX switch’s attack list: WX4400# set radio-profile radprof3 countermeasures configured success: change accepted. To disable countermeasures on a radio profile, use the following...
  • Page 581: Using On-Demand Countermeasures In A Mobility Domain

    For example, in a Mobility Domain consisting of three WX switches, if WX switch A has an attack list consisting of MAC address 1, and WX switch B has an attack list consisting of MAC address 2, then WX switch C (the seed for the Mobility Domain) might determine that the optimal radio to attack MAC address 2 is attached to WX switch A.
  • Page 582: Disabling Or Reenabling Active Scan

    MAP Signatures: A MAP signature is a set of bits in a management frame sent by a MAP that identifies that MAP to MSS. If someone attempts to spoof management packets from a 3Com MAP, MSS can detect the spoof attempt. MAP signatures are disabled by default. To enable or disable them, use...
  • Page 583: Creating An Encrypted Rf Fingerprint Key As A Map Signature

    Creating an Encrypted RF Fingerprint Key as a MAP Signature: To create an encrypted RF fingerprint key to use as a signature for a MAP, use the following command: set rfdetect signature key encrypted <key_value> For example: WXR100_desk# set rfdetect ? attack-list black-list ignore...
  • Page 584: Disabling Or Reenabling Logging Of Rogues

    Disabling or Reenabling Logging of Rogues: By default, a WX switch generates a log message when a rogue is detected or disappears. To disable or reenable the log messages, use the following command: set rfdetect log {enable | disable}...
  • Page 585: Flood Attacks

    Flood Attacks A flood attack is a type of Denial of Service attack. During a flood attack, a rogue wireless device attempts to overwhelm the resources of other wireless devices by continuously injecting management frames into the air. For example, a rogue client can repeatedly send association requests to try to overwhelm APs that receive the requests.
  • Page 586: Netstumbler And Wellenreiter Applications

    Data from clients that associate with the rogue device can be accessed by the hacker controlling the rogue device. Spoofed AP—A rogue device pretends to be a 3Com MAP by sending packets with the source MAC address of the 3Com MAP. Data from clients that associate with the rogue device can be accessed by the hacker controlling the rogue device.
  • Page 587: Weak Wep Key Used By Client

    OUI that is not on the list is detected. Client black list—MSS prevents clients on the list from accessing the network through a WX switch. If the client is placed on the black list dynamically by MSS due to an association, reassociation or disassociation flood, MSS generates a log message.
  • Page 588 Table 49 IDS and DoS Log Messages (continued) Message Type: Management frame 6 flood; Management frame 7 flood; Management frame D flood; Management frame E flood; Management frame F flood; Associate request flood; Reassociate request flood; Disassociate request flood...
  • Page 589 Table 49 IDS and DoS Log Messages (continued) (columns: Message Type, Example Log Message). Spoofed disassociation frames: Disassociation frame from AP aa:bb:cc:dd:ee:ff is being spoofed. Seen by AP on port 2, radio 1 on channel 11 with RSSI -53. Null probe responses: AP aa:bb:cc:dd:ee:ff is sending null probe responses.
  • Page 590: Displaying Rf Detection Information

    Displays all wireless clients detected on the air. Displays statistics for rogue and Intrusion Detection System (IDS) activity detected by the MAPs managed by a WX switch. Displays information about rogues detected in a Mobility Domain. This command is valid only on the Mobility...
  • Page 591 Description Displays information about all BSSIDs detected on the air, and labels those that are from rogues or interfering devices. This command is valid on any switch in the Mobility Domain. Displays the BSSIDs detected by a specific 3Com radio.
  • Page 592: Displaying Rogue Clients

    Displaying Rogue Clients: To display the wireless clients detected by a WX switch, use the following command: display rfdetect clients [mac mac-addr] The following command shows information about all wireless clients detected by a WX switch’s MAPs:...
  • Page 593: Displaying Rogue Detection Counters

    Displaying Rogue Detection Counters: To display rogue detection statistics counters, use the following command: display rfdetect counters The command shows counters for rogue activity detected by the WX switch on which you enter the command. WX1200# display rfdetect counters Type -------------------------------------------------- ------------ ------------ Rogue access points Interfering access points Rogue 802.11 clients...
  • Page 594: Displaying Ssid Or Bssid Information For A Mobility Domain

    MAP or a Mobility Domain is still coming up, and lasts only briefly. The following command displays detailed information for rogues using SSID 3Com-webaaa. WX1200# display rfdetect mobility-domain ssid 3Com-webaaa BSSID: 00:0a:5e:4b:4a:ca Vendor: 3Com SSID: 3Com-webaaa Type: intfr Adhoc: no Crypto-types: clear...
  • Page 595 WX-IPaddress: 10.8.121.102 Port/Radio/Ch: 3/1/11 Mac: 00:0b:0e:00:0a:6a Device-type: interfering Adhoc: no Crypto-types: clear RSSI: -85 SSID: 3Com-webaaa BSSID: 00:0b:0e:00:7a:8a Vendor: 3Com SSID: 3Com-webaaa Type: intfr Adhoc: no Crypto-types: clear WX1200-IPaddress: 10.8.121.102 Port/Radio/Ch: 3/1/1 Mac: 00:0b:0e:00:0a:6a Device-type: interfering Adhoc: no Crypto-types: clear RSSI: -75 SSID: 3Com-webaaa WX1200-IPaddress: 10.3.8.103 Port/Radio/Ch: dap 1/1/1 Mac: 00:0b:0e:76:56:82...
  • Page 596: Displaying Rf Detect Data

    Displaying RF Detect Data: To display information about the APs detected by an individual WX switch, use the following command: display rfdetect data You can enter this command on any switch in the Mobility Domain. WX1200# display rfdetect data Total number of entries: 197 Flags: i = infrastructure, a = ad-hoc...
  • Page 597: Displaying Countermeasures Information

    Displaying Countermeasures Information: To display the current status of countermeasures against rogues in the Mobility Domain, use the following command: display rfdetect countermeasures This command is valid only on the Mobility Domain’s seed switch. WX# display rfdetect countermeasures Total number of entries: 190 Rogue MAC Type...
  • Page 599: Managing System Files

    Generally, a WX switch’s nonvolatile storage contains the following types of files: When you power on or reset the WX switch or reboot the software, the switch loads a designated system image, then loads configuration information from a designated configuration file.
  • Page 600 To display version information for a WX switch, type the following command: WX# display version Mobility System Software, Version: 6.0.0.2 REL Copyright (c) 2002 - 2006 3Com Corporation. All rights reserved. Build Information: (build#0) REL_6_0_0_branch 2006-10-06 23:46:00 Model: WX-20 Hardware Mainboard: version 24 ;...
  • Page 601: Displaying Boot Information

    WX switch to load image B the next time the switch is booted. When the switch is reset, if image B fails to load, the switch then attempts to load image A (the last image successfully loaded on the WX switch).
  • Page 602: Working With Files

    The following sections describe how to manage files stored on the WX switch. Displaying a List of Files: Files are stored on a WX switch in the following areas: The file and boot areas are in nonvolatile storage. Files in nonvolatile storage remain in storage following a software reload or power cycle.
  • Page 603 =============================================================================== Boot: Filename boot0:WXA30001.Rel *boot1:WXA40101.Rel Boot0: Total: 9780 Kbytes used, 2460 Kbytes free Boot1: Total: 9796 Kbytes used, 2464 Kbytes free =============================================================================== temporary files: Filename core:command_audit.cur Total: 37 bytes used, 91707 Kbytes free The following command displays the files in the old subdirectory: WX1200# dir old =============================================================================== file:...
  • Page 604: Copying A File

    A URL can be one of the following: The filename and file:filename URLs are equivalent. You can use either URL to refer to a file in a WX switch’s nonvolatile memory. Copy a file from a TFTP server to nonvolatile storage.
  • Page 605 The maximum supported file size for TFTP is 32 MB. You can copy a file from a WX switch to a TFTP server or from a TFTP server to a WX switch, but you cannot use MSS to copy a file directly from one TFTP server to another.
  • Page 606: Using An Image File's Md5 Checksum To Verify Its Integrity

    CLI copy tftp command on the WX switch to copy the image onto the switch’s nonvolatile storage. 2 On the 3Com support site, click on the MD5 link next to the link for the image file, to display the MD5 checksum for the file. Here is an example: b9cf7f527f74608e50c70e8fb896392a wxb04102.rel...
  • Page 607: Deleting A File

    WARNING: MSS does not prompt you to verify whether you want to delete a file. When you press Enter after typing a delete command, MSS immediately deletes the specified file. 3Com recommends that you copy a file to a TFTP server before deleting the file.
  • Page 608: Creating A Subdirectory

    Creating a Subdirectory: You can create subdirectories in the user files area of nonvolatile storage. To create a subdirectory, use the following command: mkdir [subdirname] To create a subdirectory called corp2 and display the root directory to verify the result, type the following commands: WX1200# mkdir corp2 success: change accepted.
  • Page 609: Managing Configuration Files

    Managing Configuration Files: A configuration file contains CLI commands that set up the WX switch. The switch loads a designated configuration file immediately after loading the system software when the software is rebooted. You also can load a configuration file while the switch is running to change the switch’s configuration.
  • Page 610: Saving Configuration Changes

    PDT start first sun apr 2 0 end lastsun oct 2 0 set system name WX1200 set system countrycode US set system contact 3Com-pubs set radius server r1 address 192.168.253.1 key sunflower set server group sg1 members r1...
  • Page 611: Specifying The Configuration File To Use After The Next Reboot

    WARNING: This command completely removes the running configuration and replaces it with the configuration contained in the file. 3Com recommends that you save a copy of the current running configuration to a backup configuration file before loading a new configuration.
  • Page 612: Specifying A Backup Configuration File

    Booted version: Booted image: Booted configuration: Product model: Resetting to the Factory Default Configuration: To reset the WX switch to its factory default configuration, use the following command: clear boot config This command removes the configuration file that the WX switch searches for after the software is rebooted.
  • Page 613: Backing Up And Restoring The System

    The restore command unzips an archive created by the backup command and copies the files from the archive onto the switch. If a file in the archive has a counterpart on the switch, the archive version of the file replaces the file on the switch.
  • Page 614 The force option overrides this restriction and allows you to unpack one switch’s archive onto another switch. CAUTION: Do not use the force option unless advised to do so by 3Com. If you restore one switch’s system files onto another switch, you must generate new key pairs and certificates on the switch.
  • Page 615: Managing Configuration Changes

    If instead, you want to replace the configuration restored from the archive with the running configuration, use the save config command to save the running configuration to the boot configuration file.
  • Page 616: Upgrading The System Image

    [filename] CAUTION: Save the configuration, then create a backup of your WX switch files before you upgrade the switch. 3Com recommends that you make a backup of the switch files before you install the upgrade. If an error occurs during the upgrade, you can restore your switch to its previous state.
  • Page 617: Upgrading An Individual Switch Using The Cli

    When you restart the WX switch, the switch boots using the new MSS image. The switch also sends the MAP version of the new boot image to MAPs and restarts the MAPs. After a MAP restarts, it checks the version of the new MAP boot image to make sure the boot image is newer than the boot image currently installed on the MAP.
  • Page 618: Command Changes During Upgrade

    Upgrade Scenario: To upgrade a WX1200 switch from MSS Version 4.0 to MSS Version 4.1, type the following commands. This example copies the image file into boot partition 1. On your switch, copy the image file into the boot partition that was not used the last time the switch was restarted.
  • Page 619: Wx Switch

    The display base-information command combines a number of display commands into one, and provides an extensive snapshot of your WX switch configuration settings for 3Com technical support. Table 51 contains remedies for some common problems that can occur during basic installation and setup of a WX switch.
  • Page 620 Table 51 WX Setup Problems and Remedies Symptom: 3Com Wireless Switch Manager or a web browser (if you are using Web Manager) warns that the WX switch’s certificate date is invalid. WX switch does not...
  • Page 621 Symptom: The configuration information disappears after a software reload. Cause: The configuration changes were not saved. Symptom: Mgmt LED is quickly blinking amber. Cause: The WX switch was unable to load the system image file. Symptom: CLI stops at boot prompt (boot>). Fixing Common WX Setup Problems...
  • Page 622: Recovering The System When The Enable Password Is Lost

    To recover a WX switch, use one of the following procedures. WXR100 To recover a WXR100 switch: 1 After the switch has fully booted, use a pin to press the factory reset switch for at least 5 seconds. This operation erases the switch’s configuration.
  • Page 623: Configuring And Managing The System Log

    Configuring and Managing the System Log: System logs provide information about system events that you can use to monitor and troubleshoot MSS. Event messages for the WX switch and its attached MAPs can be stored or sent to the following destinations: The system log is a file in which the newest record replaces the oldest.
  • Page 624 Sends log information to the volatile trace buffer. Description The WX switch is unusable. Action must be taken immediately. You must resolve the critical conditions. If the conditions are not resolved, the WX can reboot or shut down. The WX is missing data or is unable to form a connection.
  • Page 625: Using Log Commands

    Informational messages only. No problem exists. Output from debugging. The debug level produces a lot of messages, many of which can appear to be somewhat cryptic. Debug messages are used primarily by 3Com for troubleshooting and are not intended for administrator use.
  • Page 626 Logging to the Log Buffer: The system log consists of rolling entries stored as a last-in first-out queue maintained by the WX. Logging to the buffer is enabled by default for events at the error level and higher. To modify settings to another severity level, use the following command: set log buffer severity severity-level For example, to set logging to the buffer for events at the warning level...
  • Page 627 To filter the event log by MSS area, use the facility facility-name keyword. For a list of facilities for which you can view event messages, type the following command: WX1200# display log buffer facility ? <facility name> SYSLOGD, ACL, APM, ARP, ASO, BOOT, CLI, CLUSTER, CRYPTO, DOT1X, NET, ETHERNET, GATEWAY, HTTPD, IGMP, IP, MISC, NOSE, NP, RAND, RESOLV, RIB, ROAM, ROGUE, SM, SNMPD, SPAN, STORE, SYS, TAGMGR, TBRIDGE, TCPSSL, TELNET, TFTP, TLS, TUNNEL,...
  • Page 628 Logging Messages to a Syslog Server: To send event messages to a syslog server, use the following command: set log server ip-addr [port port-number severity-level [local-facility facility-level] Use the IP address of the syslog server to which you want messages sent. (See Table 54 on page 624 for information about severity levels.) By default, MSS uses TCP port 514 for sending messages to the syslog server.
  • Page 629 Enabling Mark Messages You can configure MSS to generate mark messages at regular intervals. The mark messages indicate the current system time and date. 3Com can use the mark messages to determine the approximate time when a system restart or other event causing a system outage occurred.
  • Page 630 Saving Trace Messages in a File To save the accumulated trace data for enabled traces to a file in the WX switch’s nonvolatile storage, use the following command: save trace filename To save trace data into the file trace1 in the subdirectory traces, type the...
  • Page 631: Running Traces

    WARNING: Using the set trace command can have adverse effects on system performance. 3Com recommends that you use the lowest levels possible for initial trace commands, and slowly increase the levels to get the data you need.
  • Page 632: Displaying A Trace

    Tracing Authorization Activity: Tracing authorization activity can help diagnose authorization problems. For example, to trace the authorization of MAC address 00:00:30:b8:72:b0, type the following command: WX1200# set trace authorization mac-addr 00:00:30:b8:72:b0 success: change accepted. Tracing 802.1X Sessions: Tracing 802.1X sessions can help diagnose problems with wireless clients.
  • Page 633: About Trace Results

    Because traces use the logging facility, any other logging target can be used to capture trace messages if its severity is set to debug. However, since tracing can be voluminous, 3Com discourages this in practice. To enable trace output to the console, enter the command set log console severity debug.
  • Page 634: Copying Trace Results To A Server

    To filter trace output by MSS area, use the facility facility-name keyword. For a list of valid facilities for which you can view event messages, type the following command: WX1200# display log trace facility ? <facility name>...
  • Page 635: Using Display Commands

    Using display Commands: To troubleshoot the WX switch, you can use display commands to display information about different areas of the MSS. The following commands can provide helpful information if you are experiencing MSS performance issues. Viewing VLAN Interfaces: To view interface information for VLANs, type the following command:...
  • Page 636: Viewing Fdb Information

    Administrative and Local Access,” on page 51 and Chapter 21, “Configuring AAA for Network Users,” on page 433.) Viewing FDB Information: The display fdb command displays the hosts learned by the WX switch and the ports to which they are connected. To display forwarding...
  • Page 637: Port Mirroring

    Clearing Port Mirroring Configuration: to remove the port mirroring pair, use the following command: clear port mirror The switch can have one port mirroring pair (one source port and one observer port) at a time. The source port can be a network port, MAP access port, or wired authentication port. The observer port must be a network port, and cannot be a member of any VLAN or port group.
  • Page 638: Remotely Monitoring Traffic

    Filters and their mappings are persistent and remain in the configuration following a restart. The filter state is also persistent across restarts. Once a filter is enabled, if the switch or the MAP is subsequently restarted, the filter remains enabled after the restart.
  • Page 639: Best Practices For Remote Traffic Monitoring

    MAP Mar 25 13:15:21.681369 ERROR DAP 3 ap_network: Observer 10.10.101.2 is not accepting TZSP packets To prevent ICMP error messages from the observer, 3Com recommends using the Netcat application on the observer to listen to UDP packets on the TZSP port.
  • Page 640 The snap-length num option specifies the maximum number of bytes to capture. If you do not specify a length, the entire packet is copied and sent to the observer. 3Com recommends specifying a snap length of 100 bytes or less.
  • Page 641: Mapping A Snoop Filter To A Radio

    Displaying Configured Snoop Filters To display the snoop filters configured on the WX switch, use the following command: display snoop info [filter-name] The following command shows the snoop filters configured in the examples above: WX1200# display snoop info snoop1: snoop2:...
  • Page 642 The following command maps snoop filter snoop1 to radio 2 on MAP 3: WX1200# set snoop map snoop1 ap 3 radio 2 success: change accepted. Displaying the Snoop Filters Mapped to a Radio: To display the snoop filters that are mapped to a radio, use the following command: display snoop map filter-name The following command shows the mapping for snoop filter snoop1:...
  • Page 643: Enabling Or Disabling A Snoop Filter

    The filter operates until you manually disable it. The filter mode is retained even if you disable and reenable the radio, or restart the MAP or the WX switch. Once the filter is enabled, you must use the disable option to disable it.
  • Page 644 Use Netcat to listen to UDP packets on the TZSP port. This avoids a constant flow of ICMP destination unreachable messages from the observer back to the radio. You can obtain Netcat through the following link: http://www.vulnwatch.org/netcat/ If the observer is a PC, you can use a Tcl script instead of Netcat if preferred.
  • Page 645: Capturing System Information And Sending It To Technical Support

    AAA settings, and other configuration values, and the last 100 log messages. To save the output in a file to send to 3Com, use the following syntax: display tech-support [file [subdirname/]filename] The following command saves the output in a file named fortechsupport and copies the file to a TFTP server.
  • Page 646: Core Files

    Core files are saved in tarball (tar) format. Core files are erased when you restart the switch. You must copy the files to a TFTP server or to the nonvolatile part of file storage before restarting the switch.
  • Page 647: Debug Messages

    If the switch’s network interfaces to the TFTP server have gone down, copy the core file to the nonvolatile file area before restarting the switch. The following commands copy netsys.core.217.tar to the nonvolatile file area and verify the result: WX4400# copy core:netsys.core.217.tar file:netsys.core.217.tar success: copy complete.
  • Page 648: Sending Information To 3Com Technical Support

    (if applicable), you can send them to 3Com. 3Com has an external FTP server for use by customers to upload MSS debugging information, 3Com Wireless Switch Manager plans, and core dumps relating to active cases in 3Com Technical Support.
  • Page 649: Enabling And

    Mozilla Firefox Version 1.0 or later Microsoft Internet Explorer Version 6.0 or later The WX switch’s HTTPS server must be enabled. (This option is enabled by default.) If HTTPS is disabled, you can enable it using the following command:...
  • Page 650: Logging Into Web View

    If you want to turn off the yellow highlighting, disable the Automatically highlight fields that Autofill can fill option, which is one of the toolbar’s options. The switch must have an IP interface that can be reached by the PC where the browser is installed.
  • Page 651: Supported Radius Attributes

    3Com Mobility System Software (MSS) supports the standard and extended RADIUS authentication and accounting attributes listed in Table 55 on page 652. Also supported are 3Com vendor-specific attributes (VSAs), listed in Table 56 on page 659. An attribute is sent to RADIUS accounting only if the table listing it shows Yes or Optional in the column marked Sent in Accounting-Request for the attribute and the attribute is applied to the client’s session configuration.
  • Page 652: Supported Standard And Extended Attributes

    String. Name of the user to be authenticated. Used only in Request packets. Password of the user to be authenticated, unless a CHAP-Password is used. Password of the user to be authenticated, unless a User-Password is used. IP address sent by the WX switch.
  • Page 653 Access type, which can be one of the following: 2 (Framed), for network user access; 6 (Administrative), for administrative access to the WX switch, with authorization to access the enabled (configuration) mode. The user must enter the enable command to access the enabled mode.
  • Page 654 Sent in Acct Reqst? Optional. If configured in the WX switch’s local database, this attribute can be an access control list (ACL) to filter outbound or inbound traffic. Use the following format: filter-id inboundacl.in or filter-id outboundacl.out...
  • Page 655 RADIUS server for that client session. String. Allows MSS to support 3Com VSAs. (See Table 56 on page 659.) Optional Maximum number of seconds of service allowed the user before reauthentication of the session.
  • Page 656 (for example, 00-10-A4-23-19-C0). Name of the RADIUS client originating an Access-Request. The value in the current release is 3Com and cannot be changed. Valid values: Acct-Start Acct-Interim-Update Acct-Stop Time in seconds for which the client has been trying to send the record.
  • Page 657 Supported Standard and Extended Attributes. Table 55 802.1X Attributes (continued), columns: Attribute; Type; Rcv in Access Resp?; Sent in Access Reqst?; Sent in Acct Reqst?; Description. Attributes on this page: Acct-Output-Octets, Acct-Session-Id, Acct-Authentic, Acct-Session-Time, Acct-Input-Packets. Description: Number of octets sent on the port in the course of this service being provided.
  • Page 658 Table 55 802.1X Attributes (continued), same columns. Attributes on this page: Acct-Output-Packets, Acct-Multi-Session-Id, Acct-Input-Gigawords, Acct-Output-Gigawords. Description: Number of packets sent in the course of this service being provided.
  • Page 659: 3Com Vendor-Specific Attributes

    ...according to the procedure recommended in RFC 2865, with Vendor-ID set to 43. Table 56 describes the 3Com VSAs, listed in order by vendor type number. (For attribute details, see Table 43, “Authentication Attributes for Local Users,” on page 488.)
  • Page 660 Table 56 3Com VSAs (continued), columns: Attribute; Type, Vendor ID, Vendor Type; Rcv in Access Resp?; Sent in Access Reqst? Attributes on this page: SSID, End-Date, Start-Date. Type, Vendor ID, Vendor Type values listed: 26, 43, 6; 26, 43, 7; 26, 43, 7; 26, 43, 8...
  • Page 661: Traffic Ports

    When deploying a 3Com wireless network, you might attach 3Com equipment to subnets that have firewalls or access controls between them. 3Com equipment uses various protocol ports to exchange information. To ensure full operation of your network, make sure the equipment can exchange information on the ports listed in Table 57.
  • Page 662 Table 57 Traffic Ports Used by MSS (continued): Protocol IP/UDP (17); IP/ICMP (1). Roaming traffic uses IP tunnels, encapsulated with IP protocol 4. To list the TCP port numbers in use on a WX, including those for the other end of a connection, use the display tcp command.
  • Page 663: Dhcp Server

    MSS has a DHCP server that the switch uses to allocate IP addresses to the following: directly connected MAPs; a host connected to a new (unconfigured) WXR100, to configure the switch using the Web Quick Start. DHCP service for these items is enabled by default.
  • Page 664: How The Mss Dhcp Server Works

    Use of the MSS DHCP server to allocate client addresses is intended for temporary, demonstration deployments and not for production networks. 3Com recommends that you do not use the MSS DHCP server to allocate client addresses in a production network.
  • Page 665: Configuring The Dhcp Server

    You can configure the DHCP server on an individual VLAN basis. To configure the server, use the following command: set interface vlan-id ip dhcp-server [enable | disable] [start ip-addr1 stop ip-addr2] [dns-domain domain-name] [primary-dns ip-addr [secondary-dns ip-addr]] [default-router ip-addr] The vlan-id can be the VLAN name or number.
  • Page 666: Displaying Dhcp Server Information

    To display information about the MSS DHCP server, use the following command: display dhcp-server [interface vlan-id] [verbose] If you enter the command without the interface or verbose option, the command displays a table of all the IP addresses leased by the server. You can use the interface option to display addresses leased by a specific VLAN.
  • Page 667: Support For

    Register Your Product to Gain Service Benefits: To take advantage of warranty and other service benefits, you must first register your product at: http://eSupport.3com.com/ 3Com eSupport services are based on accounts that are created or that you are authorized to access. Solve Problems Online: 3Com offers the following support tool:...
  • Page 668: Purchase Extended Warranty And Professional Services

    3Com as a separately ordered product. Separately orderable software releases and licenses are listed in the 3Com Price List and are available for purchase from your 3Com reseller.
  • Page 669: Telephone Technical Support And Repair

    When you contact 3Com for assistance, please have the following information ready: To send a product directly to 3Com for repair, you must first obtain a return materials authorization number (RMA). Products sent to 3Com without authorization numbers clearly marked on the outside of the package will be returned to the sender unopened, at the sender’s...
  • Page 670 Return material authorization: warranty_repair@3com.com Contract requests: emea_contract@3com.com Latin America — Telephone Technical Support and Repair Antigua 1 800 988 2112 Argentina 0 810 444 3COM Aruba 1 800 998 2112 Bahamas 1 800 998 2112 Barbados 1 800 998 2112 Belize...
  • Page 671 3Com Wireless Switch Manager™ (3WXM)™ A tool suite for planning, configuring, deploying, and managing a 3Com Mobility System wireless LAN (WLAN). Based on site and user requirements, 3WXM determines the location of Wireless Switches (WXs) and Managed Access Points (MAPs) and can store and verify configuration information before installation.
  • Page 672 802.11b/g radio A radio that can receive and transmit signals at IEEE 802.11b and 802.11g data rates. 3Com 802.11b/g radios allow associations from 802.11b clients as well as 802.11g clients by default, for networks that have a mixture of both client types. However, association by any 802.11b clients restricts the maximum data transmit rate for all clients.
  • Page 673 In a 3Com Mobility System, the Wireless Switch (WX) can use a RADIUS server or its own local database for AAA services.
  • Page 674 (AID), which the wireless LAN (WLAN) uses to track the mobile station as it roams. After associating with a Managed Access Point (MAP) in a 3Com Mobility System, a mobile station can send and receive traffic through any MAP within the same Mobility Domain™...
  • Page 675 From the credentials provided by a client (or supplicant), the authentication service determines whether the supplicant is authorized to access the services of the authenticator. In a 3Com Mobility System, one or more RADIUS servers can act as authentication servers.
  • Page 676 Glossary. BSSID Basic service set identifier. The 48-bit media access control (MAC) address of the radio in the access point (AP) that serves the stations in a basic service set (BSS). CA See certificate authority (CA). CBC-MAC See CCMP. Co-channel interference. Obstruction that occurs when one signal on a particular frequency intrudes into a cell that is using that same frequency for transmission.
  • Page 677 See plenum-rated cable. plenum cable coverage area In 3Com Wireless Switch Manager (3WXM), the smallest unit of floor space within which to plan access point coverage for a wireless LAN (WLAN). The number of access points required for a coverage area depends on the type of IEEE 802.11 transmission used, and the area’s...
  • Page 678 cryptography The science of information security. Modern cryptography is typically concerned with the processes of scrambling ordinary text (known as plain text or clear text) into encrypted text at the sender’s end of a connection, and decrypting the encrypted text back into clear text at the receiver’s end.
  • Page 679 A key exchange algorithm that was the first public-key algorithm ever published. Diffie-Hellman can be used anonymously (without authentication). Anonymous Diffie-Hellman is used to establish the connection between the 3Com Wireless Switch Manager (3WXM) and a Wireless Switch (WX). Diffserv Differentiated services.
  • Page 680 domain policy A collection of configuration settings that you can define once in 3Com Wireless Switch Manager (3WXM) and apply to many Wireless Switches (WXs). Each Mobility Domain group in the network has a default domain policy that applies to every WX switch in the Mobility Domain.
  • Page 681 Both the wireless client (or supplicant) and the authenticator must support the same EAP type for successful authentication to occur. EAP types supported in a 3Com Mobility System wireless LAN (WLAN) include EAP-MD5, EAP-TLS, PEAP-TLS, PEAP-MS-CHAP, and Tunneled Transport Layer Security (TTLS). See also MD5;...
  • Page 682 Extended service set. A logical connection of multiple basic service sets (BSSs) connected to the same network. Roaming within an ESS is guaranteed by the 3Com Mobility System. Ethernet II The original Ethernet specification produced by Digital, Intel, and Xerox (DIX) that served as the basis of the IEEE 802.3 standard.
  • Page 683 Compare DSSS. forwarding database (FDB) A database maintained on a Wireless Switch (WX) for the purpose of making Layer 2 forwarding and filtering decisions. Each entry consists...
  • Page 684 GMK Group master key. A cryptographic key used to derive a group transient key (GTK) for the Temporal Key Integrity Protocol (TKIP) and Advanced Encryption Standard (AES). greenfield network An original deployment of a telecommunications network. GRE tunnel A virtual link between two remote points on a network, created by means of the Generic Routing Encapsulation (GRE) tunneling protocol.
  • Page 685 The process of certifying a product or specification to verify that it meets regulatory standards. HPOV Hewlett-Packard Open View. The umbrella network management system (NMS) family of products from Hewlett-Packard. The 3Com Wireless Switch Manager (3WXM) tool suite interacts with the HPOV Network Node Manager (NNM). HTTPS Hypertext Transfer Protocol over Secure Sockets Layer.
  • Page 686 Like most corporate wireless LANs (WLANs), which must access a wired LAN for file servers and printers, a 3Com Mobility System is an infrastructure network. Compare ad hoc network. initialization vector In encryption, random data used to make a message unique.
  • Page 687 Internet Authentication Service See IAS. Internet Group Management Protocol See IGMP. Interswitch Link See ISL. ISL Interswitch Link. A proprietary Cisco protocol for interconnecting multiple switches and maintaining virtual LAN (VLAN) information as traffic travels between switches. Working in a way similar to VLAN trunking, described in the IEEE 802.1Q standard, ISL provides VLAN capabilities while maintaining full wire-speed performance on Ethernet links in full-duplex or half-duplex mode.
  • Page 688 See also location policy rule. location policy rule A rule in the location policy on a Wireless Switch (WX) that grants or denies a set of network access rights based on one or more criteria. Location policy rules use a username or VLAN membership to determine whether to override —...
  • Page 689 WX by means of the MAP Control Protocol. managed device In a 3Com Mobility System wireless LAN (WLAN), a Wireless Switch (WX) or Managed Access Point (MAP) under the control of the 3Com Wireless Switch Manager (3WXM) tool suite. See Managed Access Point™ (MAP™).
  • Page 690 Mobility System Software™ (MSS™) The 3Com operating system, accessible through a command-line interface (CLI) or the 3Com Wireless Switch Manager (3WXM) tool suite, that enables 3Com Mobility System products to operate as a single system. Mobility System Software (MSS) performs authentication, authorization, and accounting (AAA) functions; manages Wireless Switches (WXs) and Managed Access Points (MAPs);...
  • Page 691 network address translation See NAT. network plan A design for network deployment and settings for network configuration, stored in the 3Com Wireless Switch Manager (3WXM) tool suite. nonvolatile storage A way of storing images and configurations so that they are maintained in a unit’s memory whether power to the unit is on or off.
  • Page 692 PEAP Protected Extensible Authentication Protocol. A draft extension to the Extensible Authentication Protocol with Transport Layer Security (EAP-TLS), developed by Microsoft Corporation, Cisco Systems, and RSA Data Security, Inc. TLS is used in PEAP Part 1 to authenticate the server only, and thus avoids having to distribute user certificates to every client.
  • Page 693 Policy Manager A 3Com Wireless Switch Manager (3WXM) feature that allows you to apply a collection of configuration settings known as a domain policy, or part of the policy, to one or more Wireless Switches (WXs). With Policy Manager, you can also merge some or all of the configuration changes you make to a single WX switch into a domain policy.
  • Page 694 pre-master secret A key generated during the handshake process in Transport Layer Security (TLS) protocol negotiations and used to derive a master secret. preshared key See PSK. PRF Pseudorandom function. A function that produces effectively unpredictable output. A PRF can use multiple iterations of one or more hash algorithms to achieve its output.
  • Page 695 PTK Pairwise transient key. A value derived from a pairwise master key (PMK) and split into multiple encryption keys and message integrity code (MIC) keys for use by a client and server as temporal session keys for IEEE 802.11i robust security. See also 802.11i. public key In cryptography, one of a pair of keys, one public and one private, that are created with the same algorithm for encrypting and decrypting...
  • Page 696 RADIUS Remote Authentication Dial-In User Service. A client-server security protocol described in RFC 2865 and RFC 2866. RADIUS extensions, including RADIUS support for the Extensible Authentication Protocol (EAP), are described in RFC 2869. Originally developed by Livingston Enterprises, Inc., to authenticate, authorize, and account for dial-up users, RADIUS has been widely extended to broadband and enterprise networking.
  • Page 697 Associating a security ACL with a particular user, port, virtual LAN (VLAN), or virtual port on a Wireless Switch (WX) controls the network traffic to or from the user, port, VLAN, or virtual port. The rules in an ACL are known as access control entries (ACEs).
  • Page 698 seed (1) An input to a pseudorandom number generator (PRNG), that is generally the combination of two or more inputs. (2) The Wireless Switch (WX) that distributes information to all the WX switches in a Mobility Domain™ group. SentrySweep™ A radio frequency (RF) detection sweep that runs continuously on the disabled radios in a Mobility Domain™...
  • Page 699 (PHY) interface to the wireless medium that comply with the standards for all IEEE 802 networks. Wireless clients and Managed Access Points (MAPs) are stations in a 3Com Mobility System. STP Spanning Tree Protocol. A link management protocol, defined in the IEEE 802.1D standard, that provides path redundancy while preventing...
  • Page 700 Mobility Domain™ group, a Wireless Switch (WX) that is not a member of the user’s virtual LAN (VLAN) creates a tunnel to another WX switch on which the user’s VLAN is configured. type, length, and value See TLV.
  • Page 701 Unlicensed National Information Infrastructure See U-NII. user A person who uses a client. In a 3Com Mobility System, users are indexed by username and associated with authorization attributes such as user group membership. user glob A 3Com convention for matching fully qualified structured usernames or sets of usernames during authentication by means of known characters plus two special “wildcard”...
  • Page 702 VLAN glob A 3Com convention for applying the authentication, authorization, and accounting (AAA) attributes in the location policy on a WX switch to one or more users, based on a virtual LAN (VLAN) attribute. To specify all VLANs, use the double-asterisk (**) wildcard characters. To match any number of characters up to, but not including a delimiter character in the glob, use the single-asterisk wildcard.
  • Page 703 (ACLs), you specify source and destination IP addresses and corresponding wildcard masks by which the WX switch determines whether to forward or filter packets. The security ACL checks the bits in IP addresses that correspond to any 0s (zeros) in the mask, but does not check the bits that correspond to 1s (ones) in the mask.
  • Page 704 wireless LAN See WLAN. Wireless Switch™ (WX™) A switch in a 3Com Mobility System. A WX provides forwarding, queuing, tunneling, and some security services for the information it receives from its directly attached Managed Access Points (MAPs). In addition, the WX coordinates, provides power to, and manages the configuration of each attached MAP, by means of the MAP Control Protocol.
  • Page 705 X.509 An International Telecommunications Union Telecommunication Standardization Sector (ITU-T) Recommendation and the most widely used standard for defining digital certificates. XML Extensible Markup Language. A simpler and easier-to-use subset of the Standard Generalized Markup Language (SGML), with unlimited, self-defining markup symbols (tags). Developed by the World Wide Web Consortium (W3C), the XML specification provides a flexible way to create common information formats and share both the format and the data on the Internet, intranets, and elsewhere.
  • Page 706 Glossary...
  • Page 707 Index. Numbers 3Com Knowledgebase tool 667 3Com Professional Services 668 3Com resources, directory 669 3Com Technical Support 645 3WXM keys and certificates requirement 413 802.11a 74, 224 802.11b 74, 224 802.11g 74, 224 802.1Q tagging 90 802.1X authentication 449 authentication port control 532...
  • Page 708 sessions, clearing 557 sessions, displaying 557 Telnet client sessions, displaying and clearing 559 Telnet sessions, displaying and clearing 559 AeroScout RFID tag support 323 affinity 90 configuring 93 in roaming VLANs 160 number 160 aging timeout ARP 131 FDB 99 alert logging level 624 aliases 123 all access 36...
  • Page 709 Calling-Station-Id attribute 656 case in usernames and passwords 58 Catalyst switch, interoperating with load-sharing port groups 87 CCMP 284 enabling 291, 297 certificate authority certificate source 415 enrolling with 424 Certificate Signing Request (CSR) 420, 421 defined 417 generating 424...
  • Page 710 DHCP client 104 DHCP option 43 182 DHCP server 663 diagnostics 631 digital certificates. See certificates digital signatures 414 directory of 3Com resources 669 directory, displaying 602 display 28 password information 70 Distributed MAPs AeroScout RFID tag support 323 configuring 177, 311...
  • Page 711 668 Extensible Authentication Protocol (EAP). See EAP (Extensible Authentication Protocol) factory default configuration recovering the system 622 factory reset switch 622 fallthru authentication type changing 235 fast convergence features 358 backbone fast convergence 359 backbone fast convergence, configuring 360...
  • Page 712 other-querier-present interval, configuring 371 proxy reporting 370 pseudo-querier 370 querier, displaying 375 query interval 370 query interval, configuring 371 query response interval 370 query response interval, configuring 371 robustness value 371 robustness value, configuring 371 router solicitation 372 statistics 374 timers 370 ignore list 579 image file 599...
  • Page 713 227 LED blink mode 229 naming 227 restarting 251 status 260 WX switch ports 71 WX switch ports, configuring 73 MAP (Mobility Access Point) boot examples 195 configuration template 218 Distributed MAP, configuring 224 security 229 MAP configuration information, displaying 256...
  • Page 714 387 modifying an ACE 396 monitoring wireless traffic 638 monitors port statistics 83 WX switch performance 623 MOTD, message of the day banner 120 MSS CLI. See CLI (command-line interface) multicast DTIM interval 242 IGMP snooping 369 IGMP snooping, displaying information 373...
  • Page 715 other-querier-present interval 370 configuring 371 OTP 423, 429 outbound authorization password 459 output filters, reassigning 502 override, local, scenario 64 packets CoS handling 382 denying or permitting with security ACLs 377 pass-through authentication configuration scenario 514 configuring 450 defined 447 keys and certificates on RADIUS server 415 password activating restrictions 67...
  • Page 716 Power over Ethernet. See PoE (Power over Ethernet) preamble length 244 Privacy-Enhanced Mail (PEM) 424 private keys 416 product registration 667, 668 Professional Services from 3Com 668 profile, MAP configuration 218 proxy reporting 370 pseudo-querier 370 public key cryptography 416...
  • Page 717 US and Canada 670 repair support, Europe, Middle East, and Africa 669 Reply-Message attribute 655 Request-To-Send threshold 242 resetting the WX switch, lost password 622 restore, locked-out user 70 Restricted Software 668 return authorization number (RMA) 669...
  • Page 718 Network Domain, configuring 169, 171 self-signed certificates administrative 422 defined 420 EAP 422 generating 422 Web 422 sending products to 3Com for repair 669 server groups adding members 527 contact order 524 deleting 527 displaying 507 load balancing 526...
  • Page 719 Simple Network Time Protocol. See NTP (Network Time Protocol) single asterisks (*) in MAC address globs 31 in network session information 560 in user globs 30 in VLAN globs 32 wildcard 34 SNMP community strings 140 informs 144 notifications, rogue detection 584 trap receiver 148 traps 144 SNMP ports...
  • Page 720 630 managing 623 message components 623 severity levels 624 system recovery, lost password 622 system time, configuring 124 table of 3Com support contact numbers 668 tabs, for command completion 34 tag type 90 target buffer 624 console 624...
  • Page 721 MSS debugging via trace 631 MSS logging 623 no network access 621 system trace files for 599 VLAN authorization failure 621 WX switch 619 TTY sessions, current, logging system messages to 629 Tunnel-Private-Group-ID attribute 88, 659 tunnels affinity of a WX for 90...
  • Page 722 75 Wired-Equivalent Privacy. See WEP (Wired-Equivalent Privacy) wireless bridges 586 wireless bridging, configuring 278 wireless session encryption 414 Wireless Switch. See WX (Wireless Switch) WLAN mesh services configuring AP 275 configuring security 276 configuring service profile 276 deploying 277...
  • Page 723 Command Index. backup system 613, 616 clear ap 77, 227 clear ap radio 251 clear boot config 612 clear dot1x bonded-period 453 clear dot1x max-req 535 clear dot1x port-control 532 clear dot1x quiet-period 539 clear dot1x reauth-max 537 clear dot1x reauth-period 537 clear dot1x timeout auth-server 539 clear dot1x timeout supplicant 539 clear dot1x tx-period 534...
  • Page 724 clear snmp usm 141 clear snoop 641 clear snoop map 642 clear spantree portcost 354 clear spantree portpri 356 clear spantree portvlancost 354 clear spantree portvlanpri 356 clear spantree statistics 365 clear summertime 126 clear system idle-timeout 119 clear system ip-address 108 clear timezone 125 clear trace 632...
  • Page 725 223 set ap bias 227 set ap blink 229 set ap boot-ip 225 set ap boot-switch 226 set ap boot-vlan 226 set ap name 227 set ap radio channel 246 set ap radio load-balancing group 269...
  • Page 726 set boot configuration-file 611 set dot1x authcontrol 531 set dot1x bonded-period 453 set dot1x key-tx 533 set dot1x max-req 535 set dot1x port-control 532 set dot1x quiet-period 538 set dot1x reauth 536 set dot1x reauth-max 536 set dot1x reauth-period 537 set dot1x timeout auth-server 539 set dot1x timeout supplicant 539 set dot1x tx-period 533...
  • Page 727 set radio-profile service-profile 249, 295, 298 set radio-profile wmm-powersave 342 set radius 522 set radius proxy client 485 set radius proxy port 485 set radius server 523 set radius server address key 523 set radius server author-password 459 set rfdetect attack-list 578 set rfdetect black-list 577 set rfdetect signature 582 set rfdetect signature key 583...
  • Page 728 set usergroup attr filter-id 494 set vlan name 91 set vlan port 92 set vlan tunnel-affinity 93 set vlan-profile 253 telnet 132 traceroute 134 uninstall soda-agent 554...