D-Link DWS-1008 Cli Reference Manual

8 port 10/100 wireless switch with power over ethernet.

   Summary of Contents for D-Link DWS-1008

  • Page 2: Table Of Contents

    Table of Contents

    • Introducing the D-Link Mobility System, page 1
    • D-Link Mobility System, page 1
    • Using the Command-Line Interface, page 2
    • Text and Syntax: Conventions, page 2
    • CLI Conventions, page 3
    • Command Prompts, page 3
    • Syntax: Notations, page 4
    • Text Entry Conventions and Allowed Characters, page 4
    • MAC Address Notation, page 5
    • IP Address and Mask Notation, page 5
    • ...
  • Page 3

    • IGMP Snooping Commands, page 450
    • Security ACL Commands, page 469
    • Trace Commands, page 490
    • Snoop Commands, page 496
    • System Log Commands, page 505
    • Boot Prompt Commands, page 513

    D-Link DWS-1008 CLI Manual...
  • Page 4: Introducing The D-link Mobility System

    Mobility Point access points, and connecting the WLAN to the wired network backbone. • Multiple DWL-8220AP access points—Wireless access points (APs) that transmit and receive radio frequency (RF) signals to and from wireless users and connect them to a DWS-1008 switch. • Mobility System Software —The operating system that runs all DWS switches and access...
  • Page 5: Using The Command-line Interface

    Using the Command-Line Interface The Mobility System Software (MSS) has a command-line interface (CLI) on the DWS-1008 switch that you can use to configure and manage the switch and its attached access points. You configure the DWS switch and AP access points primarily with set, clear, and show commands.
  • Page 6: Cli Conventions

    MSS displays the following prompt: DWS-mmmm-nnnnnn# For ease of presentation, this manual shows the restricted and enabled prompts as follows: DWS-1008> DWS-1008# For information about changing the CLI prompt on a DWS switch, see set prompt on page 22.
  • Page 7: Syntax: Notations

    MAC addresses, virtual LAN (VLAN) names, and ports in a single command. D-Link recommends that you do not use the same name with different capitalizations for VLANs or access control lists (ACLs). For example, do not configure two separate VLANs with the names red and RED.
  • Page 8: Mac Address Notation

    The ACL mask must be a contiguous set of zeroes starting from the first bit. For example, 0.255.255.255, 0.0.255.255, and 0.0.0.255 are valid ACL masks. However, 0.255.0.255 is not a valid ACL mask.
  • Page 9: Globs

    All users with usernames that have no delimiters. EXAMPLE\*: All users in the Windows Domain EXAMPLE with usernames that have no delimiters. EXAMPLE\*.*: All users in the Windows Domain EXAMPLE whose usernames contain a period. All users...
  • Page 10: Mac Address Globs

    VLAN Globs A VLAN glob is a method for matching one of a set of local rules on a DWS-1008 switch, known as the location policy, to one or more users. MSS compares the VLAN glob, which can optionally contain wildcard characters, against the VLAN-Name attribute returned by AAA, to determine whether to apply the rule.
  • Page 11: Port Lists

    Use one of the following formats for port-list: • A single port number. For example: DWS-1008# set port enable 4 • A comma-separated list of port numbers, with no spaces. For example: DWS-1008# show port poe 1,2,4,6 •...
  • Page 12: Command-line Editing

    Up Arrow and Down Arrow keys to select a command that you want to repeat from the history buffer. Tabs The MSS CLI uses the Tab key for command completion. You can type the first few characters of a command and press the Tab key to display the command(s) that begin with those characters.
  • Page 13: Single-asterisk (*) Wildcard Character

    Show, use ‘show help’ for more information telnet telnet IP address [server port] traceroute Print the route packets take to network host To see a subset of the online help, type the command for which you want more information.
  • Page 14: Understanding Command Descriptions

    Understanding Command Descriptions Each command description in the D-Link Command Reference contains the following elements: • A command name, which shows the keywords but not the variables. For example, the following command name appears at the top of a command description and in the index:...
  • Page 15: Access Commands

    Examples: The following command plus the enable password provides enabled access to the CLI for the current sessions: DWS-1008> enable Enter password: password DWS-1008#
  • Page 16: Set Enablepass

    Examples: The following example illustrates the prompts that the system displays when the enable password is changed. The passwords you enter are not displayed. DWS-1008# set enablepass Enter old password: old-password Enter new password: new-password Retype new password: new-password Password changed
  • Page 17: System Services Commands

    System Services Commands Use system services commands to configure and monitor system information for a DWS-1008 switch. This chapter presents system services commands alphabetically. Use the following table to locate commands in this chapter based on their use. Configuration quickstart on page 18...
  • Page 18: Clear Banner Motd

    Defaults: None. Access: Enabled. Examples: To clear a banner, type the following command: DWS-1008> clear banner motd success: change accepted Note: As an alternative to clearing the banner, you can overwrite the existing banner with an empty banner by typing the following command:...
  • Page 19: Clear System

    Clears the system configuration of the specified information. Syntax: clear system [contact | countrycode | idle-timeout | ip-address | location | name] contact Resets the name of contact person for the DWS-1008 switch to null. countrycode Resets the country code for the DWS-1008 switch to null. idle-timeout Resets the number of seconds a CLI management session can remain idle to the default value (3600 seconds).
  • Page 20 Examples: Use this command to see a list of available commands. If you have restricted access, you see fewer commands than if you have enabled access. To display a list of CLI commands available at the enabled access level, type the following command at the enabled access level:
  • Page 21 If you run this command on a switch that already has a configuration, the configuration will be erased. In addition, error messages such as Critical AP Notice for directly connected APs can appear.
  • Page 22: Set Banner Motd

    Usage: Type a caret (^), then the message, then another caret. Do not use the following characters with commands in which you set text to be displayed on the DWS-1008 switch, such as message-of-the-day (MOTD) banners: • Ampersand (&) • Angle brackets (< >) •...
  • Page 23: Set Confirm

    MSS displays a message requiring confirmation when you enter certain commands that can have a potentially large impact on the network. For example: DWS-1008# clear vlan red This may disrupt user connectivity. Do you wish to continue? (y/n) [n] Examples: To turn off these confirmation messages, type the following command:...
  • Page 24: Set License

    Installs an upgrade license key on a DWS-1008 switch. The DWS-1008 can boot and manage up to 32 APs by default. You can increase the AP support to 64, 96, or 128 APs, by installing one or more activation keys. You can install a 32-AP upgrade, 64-AP upgrade, or 96-AP upgrade.
  • Page 25: Set Prompt

    Changes the CLI prompt for the DWS-1008 switch to a string you specify. Syntax: set prompt string string Alphanumeric string up to 32 characters long. To include spaces in the prompt, you must enclose the string in double quotation marks (“”).
  • Page 26: Set System Contact

    • set system name • show system set system country code Defines the country-specific IEEE 802.11 regulations to enforce on the DWS-1008 switch. Syntax: set system countrycode code code Two-letter code for the country of operation for the DWS switch. You can...
  • Page 28 Usage: You must set the system country code to a valid value before using any set ap commands to configure an access point. Examples: To set the country code to Canada, type the following command: DWS-1008# set system country code CA success: change accepted. See Also: •...
  • Page 29 See Also: • clear system • show system set system ip-address Sets the system IP address so that it can be used by various services in the DWS-1008 switch. Syntax: set system ip-address ip-addr ip-addr IP address, in dotted decimal notation.
  • Page 30: Set System Location

    Stores location information for the DWS-1008 switch. Syntax: set system location string string Alphanumeric string up to 256 characters long, with no blank spaces. Defaults: None. Access: Enabled. To view the system location string, type the show system command.
  • Page 31: Show Banner Motd

    To view the system name string, type the show system command. Examples: The following example sets the system name to a name that identifies the DWS switch: DWS-1008# set system name DWS-bldg3 success: change accepted. DWS-1008-bldg3# See Also: •...
  • Page 32 Displays information about the license key(s) currently installed on a DWS-1008 switch. Syntax: show licenses Defaults: None. Access: All Examples: To view license keys, type the following command: DWS-1008# show licenses Feature : 80 additional APs See Also: •...
  • Page 33: Show System

    Displays system information. Syntax: show system Defaults: None. Access: Enabled. Examples: To show system information, type the following command: DWS-1008# show system The table on the next page describes the fields of show system output.
  • Page 34 System Countrycode Country-specific 802.11 code required for AP operation. (configured with set system countrycode) Total Power Over Total power that the DWS-1008 is currently supplying to its directly connected Ethernet access points, in watts. System Location Record of the DWS switch’s physical location (optionally configured with set system location).
  • Page 35 Defaults: None. Access: Enabled. Usage: Enter this command before calling D-Link Technical Support. Examples: To store the location of the DWS-1008 switch in the switch’s configuration, type the following command: DWS-1008# set system location first-floor-bldg3 success: change accepted.
  • Page 36: Port Commands

    35 Port Mirroring set port mirror on page 46 clear port mirror on page 35 Statistics show port counters on page 58 monitor port counters on page 38 clear port counters on page 34
  • Page 37: Clear Dap

    Number of the Distributed AP(s) you want to remove. Defaults: None. Access: Enabled. Examples: The following command clears Distributed AP 1: DWS-1008# clear dap 1 This will clear specified DAP devices. Would you like to continue? (y/n) [n]y See Also: •...
  • Page 38: Clear Port Mirror

    Syntax: clear port-group name name Name of the port group. name Defaults: None. Access: Enabled. Examples: The following command clears port group server1: DWS-1008# clear port-group name server1 success: change accepted. See Also: • set port-group clear port mirror Removes a port mirroring configuration.
  • Page 39: Clear Port Name

    Defaults: None. Access: Enabled. Examples: The following command clears the names of ports 1 through 4: DWS-1008# clear port 1-4 name See Also: • set port name clear port type Caution: When you clear a port, MSS ends user sessions that are using the port.
  • Page 40 Not applicable. parameters Maximum user sessions Not applicable. Examples: The following command clears port 5: DWS-1008# clear port type 5 This may disrupt currently authenticated users. Are you sure? (y/n) [n]y success: change accepted. See Also: • set port type ap •...
  • Page 41: Monitor Port Counters

    5 seconds. This interval cannot be configured. Statistics types are displayed in the following order by default: • Octets • Packets • Receive errors • Transmit errors • Collisions • Receive Ethernet statistics • Transmit Ethernet statistics Access: All.
  • Page 42 Port Status Rx Unicast Rx NonUnicast Tx Unicast Tx NonUnicast =========================================================== 54620 62144 58318 62556 The following table describes the port statistics displayed by each statistics option. The Port and Status fields are displayed for each option.
  • Page 43 Number of frames received by the port that were fewer than Rx Short 64 bytes long. Number of frames received by the port that were valid but were longer than 1518 bytes. Rx Overrun This statistic does not include jumbo packets with valid CRCs.
  • Page 44 Number of packets transmitted that were 128-255 bytes long. Tx 511 Number of packets transmitted that were 256-511 bytes long. transmit-etherstats Number of packets transmitted that were 512-1023 bytes Tx 1023 long. Number of packets transmitted that were 1024-1518 bytes Tx 1518 long.
  • Page 45: Reset Port

    DWS-1008 switch through an intermediate Layer 2 or Layer 3 network. Note. Before configuring a Distributed AP, you must use the set system countrycode command to set the IEEE 802.11 country-specific regulations on the DWS-1008 switch. See set system countrycode.
  • Page 46: Set Port

    Access: Enabled. Examples: The following command configures Distributed AP 1 for AP model MP-372 with serial-ID 0322199999: DWS-1008# set dap 1 serial-id 0322199999 model mp-372 success: change accepted. The following command removes Distributed AP 1: DWS-1008# clear dap 1 This will clear specified DAP devices. Would you like to continue? (y/n)
  • Page 47 Examples: The following command configures a port group named server1 containing ports 1 through 5, and enables the link: DWS-1008# set port-group name server1 1-5 mode on success: change accepted.
  • Page 48 The following commands disable the link for port group server1, change the list of ports in the group, and reenable the link: DWS-1008# set port-group name server1 1-5 mode off success: change accepted. DWS-1008# set port-group name server1 1-4,7 mode on success: change accepted.
  • Page 49: Set Port Mirror

    Configures port mirroring. Port mirroring is a troubleshooting feature that copies (mirrors) traffic sent or received by a DWS-1008 port (the source port) to another port (the observer) on the same DWS-1008. You can attach a protocol analyzer to the observer port to examine the source port’s traffic.
  • Page 50: Set Port Negotiation

    The DWS-1008 Ethernet ports support half-duplex and full-duplex operation. D-Link recommends that you do not configure the mode of a DWS-1008 port so that one side of the link is set to autonegotiation while the other side is set to full-duplex. Although MSS allows this configuration, it can result in slow throughput on the link.
  • Page 51: Set Port Poe

    A stream of large packets sent to a DWS-1008 port in such a configuration can cause forwarding on the link to stop. Examples: The following command disables autonegotiation on ports 1, 2, and 4 through 6: DWS-1008# set port negotiation 1,2,4-6 disable...
  • Page 52: Set Port Speed

    Defaults: All ports are set to auto. Access: Enabled. Usage: D-Link recommends that you do not configure the mode of a switch port so that one side of the link is set to autonegotiation while the other side is set to full-duplex. Although MSS allows this configuration, it can result in slow throughput on the link.
  • Page 53: Set Port Trap

    Examples: The following command sets the port speed on ports 1, 3 through 5, and 8 to 10 Mbps and sets the operating mode to full-duplex: DWS-1008# set port speed 1,3-5,8 10 set port trap Enables or disables Simple Network Management Protocol (SNMP) linkup and linkdown traps on an individual port.
  • Page 54: Set Port Type Ap

    Caution! When you set the port type for AP use, you must specify the PoE state (enable or disable) of the port. Use the DWS-1008’s PoE to power D-Link access points or PoE enabled devices only. If you enable PoE on a port connected to another device, physical damage to the device can result.
  • Page 55 Examples: The following command sets port 2 for access point model DWL-8220AP and enables PoE on the port: DWS-1008# set port type ap 2 model DWL-8220AP poe enable This may affect the power applied on the configured ports. Would you like to continue? (y/n) [n]y success: change accepted.
  • Page 56 Denies authentication and prohibits the user from accessing the network over this port. web-portal Serves the user a web page from the DWS-1008’s nonvolatile storage for a secure login to the network. Defaults: The default tag-list is null (no tag values). The default number of sessions is 1. The default fallthru authentication type is none.
  • Page 57 Examples: The following command sets port 6 for a wired authentication user and specifies a maximum of three simultaneous user sessions: DWS-1008# set port type wired-auth 6 max-sessions 3 success: change accepted. See Also: • clear port type •...
  • Page 58: Show Port Counters

    Defaults: None. Access: All. Usage: You can specify one statistic type with the command. Examples: The following command shows octet statistics for port 3: DWS-1008> show port counters octets port 3 Port Status Rx Octets Tx Octets...
  • Page 59: Show Port Mirror

    Displays information for the specified port group. Defaults: None. Access: All. Examples: The following command displays the configuration of port group server2: DWS-1008# show port-group name server2 Port group: server2 is up Ports: 3, 5 The table below describes the fields in the show port-group output.
  • Page 60 List of physical ports. If you do not specify a port list, PoE information is displayed for all ports. Defaults: None. Access: All. Examples: The following command displays PoE information for all ports on a DWS-1008: DWS-1008# show port poe Link Port...
  • Page 61: Show Port Status

    List of physical ports. If you do not specify a port list, information is displayed for all ports. Defaults: None. Access: All. Examples: The following command displays information for all ports on a DWS-1008: DWS-1008# show port status Port Name...
  • Page 62: Vlan Commands

    64 show fdb on page 68 show fdb count on page 70 clear fdb on page 60 FDB Aging Timeout set fdb agingtime on page 65 show fdb agingtime on page 69
  • Page 63: Clear Fdb

    Examples: The following command clears all static forwarding database entries that match VLAN blue: dws-1008# clear fdb static vlan blue success: change accepted. The following command clears all dynamic forwarding database entries that match all VLANs: dws-1008# clear fdb dynamic success: change accepted.
  • Page 64 Examples: The following command removes MAC address aa:bb:cc:dd:ee:ff from the list of addresses to which clients in VLAN abc_air are allowed to send traffic at Layer 2: DWS-1008# clear security l2-restrict vlan abc_air permit-mac aa:bb:cc:dd:ee:ff success: change accepted. See Also: •...
  • Page 65: Clear Vlan

    Usage: To clear MAC addresses from the list of addresses to which clients are allowed to send data, use the clear security l2-restrict command instead. Examples: The following command clears Layer 2 forwarding restriction statistics for VLAN abc_air: DWS-1008# clear security l2-restrict counters vlan abc_air success: change accepted. See Also: • clear security l2-restrict •...
  • Page 66 The following command removes port 4, which uses tag value 69, from VLAN red: DWS-1008# clear vlan red port 4 tag 69 This may disrupt user connectivity. Do you wish to continue? (y/n) [n]y success: change accepted.
  • Page 67: Set Fdb

    Examples: The following command adds a permanent entry for MAC address 00:11:22:aa:bb:cc on ports 3 and 5 in VLAN blue: DWS-1008# set fdb perm 00:11:22:aa:bb:cc port 3,5 vlan blue success: change accepted. The following command adds a static entry for MAC address 00:2b:3c:4d:5e:6f on port 1 in the...
  • Page 68: Set Fdb Agingtime

    Defaults: The aging timeout period is 300 seconds (5 minutes). Access: Enabled. Examples: The following command changes the aging timeout period to 600 seconds for entries that match VLAN orange: DWS-1008# set fdb agingtime orange age 600 success: change accepted. See Also: • show fdb agingtime set security l2-restrict Restricts Layer 2 forwarding between clients in the same VLAN.
  • Page 69: Set Vlan Name

    1. D-Link also recommends that you do not rename the default VLAN. You cannot use a number as the first character in the VLAN name. D-Link recommends that you do not use the same name with different capitalizations for VLANs. For example, do not configure two separate VLANs with the names red and RED.
  • Page 70: Set Vlan Port

    VLAN. If you do specify a tag value, the switch sends tagged frames only for the VLAN. If you do specify a tag value, D-Link recommends that you use the same value as the VLAN number. MSS does not require the VLAN number and tag value to be the same but some other vendors’...
  • Page 71: Show Fdb

    To display only a portion of the database, use optional parameters to specify the types of entries you want to display. Examples: The following command displays all entries in the forwarding database: DWS-1008# show fdb all * = Static Entry. + = Permanent Entry. # = System Entry. VLAN TAG...
  • Page 72: Show Fdb Agingtime

    The top line of the display identifies the characters to distinguish among the entry types. The following command displays all entries that begin with the MAC address glob 00: DWS-1008# show fdb 00:* * = Static Entry. + = Permanent Entry. # = System Entry.
  • Page 73: Show Fdb Count

    VLAN name or number. Entries are listed for only the specified VLAN. Defaults: None. Access: All. Examples: The following command lists the number of dynamic entries that the forwarding database contains: DWS-1008# show fdb count dynamic Total Matching Entries = 2 See Also: • show fdb show security l2-restrict Displays configuration information and statistics for Layer 2 forwarding restriction.
  • Page 74: Show Vlan Config

    Examples: The following command shows Layer 2 forwarding restriction information for all VLANs: DWS-1008# show security l2-restrict VLAN Name Drops Permit MAC Hits ------------------------------------------------------------------------------------------------- default 00:0b:0e:02:53:3e 5947 00:30:b6:3e:5c:a8 vlan-2 04:04:04:04:04:04 The table describes the fields in the display. Field Description VLAN VLAN number.
  • Page 75: See Also

    Examples: The following command displays information for VLAN burgundy: DWS-1008# show vlan config burgundy Admin VLAN Tunl Port VLAN Name Status State Affin Port State ------------------------------------------------------------------------------------------------------- burgundy none Up none Up none Up none Up none Up t:10.10.40.4 none Up The table below describes the fields in this display.
  • Page 76: Quality Of Service Commands

    The switch’s internal QoS map ensures that prioritized traffic remains prioritized while transiting through the DWS-1008 switch. A switch uses the QoS map to do the following: • Classify inbound packets by mapping their DSCP values to one of eight internal QoS values •...
  • Page 77 Access: Enabled. Examples: The following command maps internal CoS value 5 to DSCP value 50: DWS-1008# set qos cos-to-dscp-map 5 dscp 50 warning: cos 5 is marked with dscp 50 which will be classified as cos 6 If the change results in a change to CoS, MSS displays a warning message indicating the change.
  • Page 78: Show Qos

    Access: Enabled. Examples: The following command maps DSCP values 40-56 to internal CoS value 6: DWS-1008# set qos dscp-to-cos-map 40-56 cos 6 warning: cos 5 is marked with dscp 63 which will be classified as cos 7 warning: cos 7 is marked with dscp 56 which will be classified as cos 6 As shown in this example, if the change results in a change to CoS, MSS displays a warning message indicating the change.
  • Page 79 Examples: The following command displays the default QoS settings: DWS-1008# show qos default Ingress QoS Classification Map (dscp-to-cos) Ingress DSCP CoS Level =============================================================== 00-09 10-19 20-29 30-39 40-49 50-59 60-63 Egress QoS Marking Map (cos-to-dscp) CoS Level =============================================================== Egress DSCP...
  • Page 80: Ip Services Commands

    • Default source IP address used in unsolicited communications such as AAA accounting reports and SNMP traps Examples: The following command removes the IP interface configured on VLAN mauve: DWS-1008# clear interface mauve ip success: cleared ip on vlan mauve See Also: •...
  • Page 81: Clear Ip Alias

    Syntax: clear ip alias name name Alias name. Defaults: None. Access: Enabled. Examples: The following command removes the alias server1: DWS-1008# clear ip alias server1 success: change accepted. See Also: • set ip alias • show ip alias clear ip dns domain Removes the default DNS domain name.
  • Page 82: Clear Ip Dns Server

    Removes a DNS server from a DWS-1008 switch configuration. Syntax: clear ip dns server ip-addr ip-addr IP address of a DNS server. Defaults: None. Access: Enabled. Examples: The following command removes DNS server 10.10.10.69 from a switch’s configuration: DWS-1008# clear ip dns server 10.10.10.69...
  • Page 83: Clear Ip Telnet

    • set ip route • show ip route clear ip telnet Resets the Telnet server’s TCP port number to its default value. A DWS-1008 switch listens for Telnet management traffic on the Telnet server port. Syntax: clear ip telnet Defaults: The default Telnet port number is 23.
  • Page 84: Clear Ntp Server

    Removes all NTP servers from the configuration. Defaults: None. Access: Enabled. Examples: The following command removes NTP server 192.168.40.240 from a switch configuration: DWS-1008# clear ntp server 192.168.40.240 success: change accepted. See Also: • clear ntp update-interval • set ntp •...
  • Page 85: Clear Snmp Community

    Name of the SNMP community you want to clear. Defaults: None. Access: Enabled. Examples: The following command clears community string setswitch2: DWS-1008# clear snmp community name setswitch2 success: change accepted. See Also: • set snmp community • show snmp community clear snmp notify profile Clears an SNMP notification profile.
  • Page 86: Clear Snmp Notify Target

    ID of the target. Defaults: None. Access: Enabled. Examples: The following command clears notification target 3: DWS-1008# clear snmp notify target 3 success: change accepted. See Also: • set snmp notify target • show snmp notify target clear snmp usm Clears an SNMPv3 user.
  • Page 87: Clear Summertime

    Clears the summertime setting from a DWS-1008 switch. Syntax: clear summertime Defaults: None. Access: Enabled. Examples: To clear the summertime setting from a switch, type the following command: DWS-1008# clear summertime success: change accepted. See Also: • clear timezone •...
  • Page 88: Clear Timezone

    Sends new ping packets as quickly as replies are received, or 100 times per second, whichever is greater. Note: Use the flood option sparingly. This option creates a lot of traffic and can affect other traffic on the network.
  • Page 89 • interval—100 (one tenth of a second) • size—56. Access: Enabled. Usage: To stop a ping command that is in progress, press Ctrl+C. A DWS-1008 switch cannot ping itself. MSS does not support this. Examples: The following command pings a device that has IP address 10.1.1.1: DWS-1008# ping 10.1.1.1...
  • Page 90: Set Arp

    Access: Enabled. Examples: The following command adds a static ARP entry that maps IP address 10.10.10.1 to MAC address 00:bb:cc:dd:ee:ff: DWS-1008# set arp static 10.10.10.1 00:bb:cc:dd:ee:ff success: added arp 10.10.10.1 at 00:bb:cc:dd:ee:ff on VLAN 1 See Also: • set arp agingtime •...
  • Page 91: Set Interface

    To reset the ARP aging timeout to its default value, use the set arp agingtime 1200 command. Examples: The following command changes the ARP aging timeout to 1800 seconds: DWS-1008# set arp agingtime 1800 success: set arp aging time to 1800 seconds...
  • Page 92 Enables the DHCP client on the VLAN. disable Disables the DHCP client on the VLAN. Defaults: The DHCP client is disabled by default on the DWS-1008. Access: Enabled. Usage: You can enable the DHCP client on one VLAN only. You can configure the DHCP client on more than one VLAN, but the client can be active on only one VLAN.
  • Page 93 IP address of the DHCP client’s default router. Defaults: The DHCP server is enabled by default on a new (unconfigured) DWS-1008 in order to provide an IP address to the host connected to the switch for access to the Web Quick Start.
  • Page 94: Set Interface Status

    DHCP client’s subnet. Otherwise, the MSS DHCP server does not specify a router address. Examples: The following command enables the DHCP server on VLAN red-vlan to serve addresses from the 192.168.1.5 to 192.168.1.25 range: DWS-1008# set interface red-vlan ip dhcp-server enable start 192.168.1.5 stop 192.168.1.25 success: change accepted. See Also: •...
  • Page 95: Set Ip Alias

    Enables DNS. disable Disables DNS. Defaults: DNS is disabled by default. Access: Enabled. Examples: The following command enables DNS on a DWS-1008 switch: DWS-1008# set ip dns enable Start DNS Client See Also: • clear ip dns domain • clear ip dns server •...
  • Page 96: Set Ip Dns Domain

    Aliases take precedence over DNS. When you enter a hostname, MSS checks for an alias with that name first, before using DNS to resolve the name. Examples: The following command configures the default domain name example.com: DWS-1008# set ip dns domain example.com Domain name changed See Also: •...
  • Page 97: Set Ip Https Server

    Defaults: None. Access: Enabled. Usage: You can configure a DWS-1008 switch to use one primary DNS server and up to five secondary DNS servers. Examples: The following commands configure a DWS-1008 switch to use a primary DNS server and two secondary DNS servers: DWS-1008# set ip dns server 10.10.10.50/24 primary...
  • Page 98: Set Ip Route

    Syntax: set ip route {default | ip-addr mask | ip-addr/mask-length} default-router metric default Default route. A DWS-1008 switch uses the default route if an explicit route is not available for the destination. Note: default is an alias for IP address 0.0.0.0/0.
  • Page 99: Set Ip Snmp Server

    DWS-1008# set ip route default 10.2.4.17 2 success: change accepted. The following command adds an explicit route from a DWS-1008 switch to any host on the 192.168.4.x subnet through the local router 10.5.4.2, and gives the route a cost of 1: DWS-1008# set ip route 192.168.4.0 255.255.255.0 10.5.4.2 1...
  • Page 100 • show snmp configuration set ip ssh Changes the TCP port number on which a DWS-1008 switch listens for Secure Shell (SSH) management traffic. Caution: If you change the SSH port number from an SSH session, MSS immediately ends the session.
  • Page 101: Set Ip Ssh Server

    Usage: SSH requires an SSH authentication key. You can generate one or allow MSS to generate one. The first time an SSH client attempts to access the SSH server on a DWS-1008 switch, the switch automatically generates a 1024-byte SSH key.
  • Page 102: Set Ip Telnet Server

    Defaults: The Telnet server is disabled by default. Access: Enabled. Usage: The maximum number of Telnet sessions supported on a DWS-1008 switch is eight. If SSH is also enabled, the switch can have up to eight Telnet or SSH sessions, in any combination, and one console session.
  • Page 103: Set Ntp

    Usage: If NTP is configured on a system whose current time differs from the NTP server time by more than 10 minutes, convergence of the switch time can take many NTP update intervals. D-Link recommends that you set the time manually to the NTP server time before enabling NTP to avoid a significant delay in convergence.
  • Page 104 Examples: The following command configures a switch to use NTP server 192.168.1.5: DWS-1008# set ntp server 192.168.1.5 See Also: • clear ntp server • clear ntp update-interval • set ntp • set ntp update-interval • show ntp set ntp update-interval Changes how often MSS sends queries to the NTP servers for updates.
  • Page 105: Set Snmp Community

    Defaults: None. Access: Enabled. Usage: SNMP community strings are passed as clear text in SNMPv1 and SNMPv2c. D-Link recommends that you use strings that cannot easily be guessed by unauthorized users. For example, do not use the well-known strings public and private.
  • Page 106: Set Snmp Notify Profile

    DWS-1008# set snmp community read-write good_community success: change accepted. The following command configures community string switchmgr1 with access level notify-read-write: DWS-1008# set snmp community name switchmgr1 notify-read-write success: change accepted. See Also: • clear snmp community • set ip snmp server •...
  • Page 107 • ClientDeAssociationTraps—Generated when a client is dissociated from a radio. • ClientDot1xFailureTraps—Generated when a client experiences an 802.1X failure. • ClientRoamingTraps—Generated when a client roams. • CounterMeasureStartTraps—Generated when MSS begins countermeasures against a rogue access point...
  • Page 108 • RFDetectSpoofedMacAPTraps—Generated when MSS detects a wireless packet with the source MAC address of a D-Link AP, but without the spoofed AP’s signature (fingerprint). • RFDetectSpoofedSsidAPTraps—Generated when MSS detects beacon frames for a valid SSID, but sent by a rogue AP.
  • Page 109 Examples: The following command changes the action in the default notification profile from drop to send for all notification types: DWS-1008# set snmp notify profile default send all success: change accepted. The following commands create notification profile snmpprof_rfdetect, and change the action to...
  • Page 110: Set Snmp Notify Target

    DWS-1008# set snmp notify profile snmpprof_rfdetect send RFDetectSpoofedSsidAPTraps success: change accepted. DWS-1008# set snmp notify profile snmpprof_rfdetect send RFDetectUnAuthorizedAPTraps success: change accepted. DWS-1008# set snmp notify profile snmpprof_rfdetect send RFDetectUnAuthorizedOuiTraps success: change accepted. DWS-1008# set snmp notify profile snmpprof_rfdetect send RFDetectUnAuthorizedSsidTraps success: change accepted.
  • Page 111 USM username. This option is applicable only when the SNMP version is usm. profile profile-name Notification profile this SNMP user will use to specify the notification types to send or drop...
  • Page 112 You can specify from 1 to 5 seconds. SNMPv2c with Traps To configure a notification target for traps from SNMPv2c, use the following command: Syntax: set snmp notify target target-num ip-addr[:udp-port-number] v2c community-string trap [profile profile-name]...
  • Page 113 Use trap if you do not want acknowledgements. The inform option is applicable to SNMP version v2c or usm only. Examples: The following command configures a notification target for acknowledged notifications: DWS-1008# set snmp notify target 1 10.10.40.9 usm inform user securesnmpmgr1 snmp-engine-id ip success: change accepted...
  • Page 114: Set Snmp Protocol

    The MSS SNMP engine will send notifications based on the default profile, and will require the target to acknowledge receiving them. The following command configures a notification target for unacknowledged notifications: DWS-1008# set snmp notify target 2 10.10.40.10 v1 trap success: change accepted. See Also: •...
  • Page 115: Set Snmp Security

    SNMPv1 or SNMPv2c, leave the minimum level of SNMP security set to unsecured. Examples: The following command sets the minimum level of SNMP security allowed to authentication and encryption: DWS-1008# set snmp security encrypted success: change accepted. See Also: • set ip snmp server •...
  • Page 116: Set Snmp Usm

    • notify-read-write—An SNMP management application using the string can get and set object values on the switch. The switch can use the string to send notifications...
  • Page 117 The following command creates USM user securesnmpmgr1, which uses SHA authentication and 3DES encryption with passphrases. This user can send informs to the notification receiver that has engine ID 192.168.40.2. DWS-1008# set snmp usm securesnmpmgr1 snmp-engine-id ip 192.168.40.2 auth-type sha auth-pass-phrase myauthpword encrypt-type 3des encrypt-pass-phrase mycryptpword success: change accepted.
  • Page 118: Set Summertime

    Offsets the real-time clock of a DWS-1008 switch by +1 hour and returns it to standard time for daylight savings time or a similar summertime period that you set. Syntax: set summertime summer-name [start week weekday month hour min...
  • Page 119 Examples: The following commands configure an IP interface on VLAN taupe and configure the interface to be the system IP address: DWS-1008# set interface taupe ip 10.10.20.20/24 success: set ip address 10.10.20.20 netmask 255.255.255.0 on vlan taupe DWS-1008# set system ip-address 10.10.20.20 success: change accepted.
  • Page 120: Set Timedate

    Sets the time of day and date on the DWS-1008 switch. Syntax: set timedate {date mmm dd yyyy [time hh:mm:ss]} date mmm dd yyyy System date: • mmm—month. • dd—day. • yyyy—year. time hh:mm:ss System time, in hours, minutes, and seconds.
  • Page 121: Show Arp

    Defaults: If this command is not used, then the default time zone is UTC. Access: Enabled. Examples: To set the time zone for Pacific Standard Time (PST), type the following command: DWS-1008# set timezone PST -8 Timezone is set to ‘PST’, offset from UTC is -8:0 hours. See Also: •...
  • Page 122 DWS-1008# show dhcp-client Interface: corpvlan(4) Configuration Status: Enabled DHCP State: IF_UP Lease Allocation: 65535 seconds Lease Remaining: 65532 seconds IP Address: 10.3.1.110 Subnet Mask: 255.255.255.0 Default Gateway: 10.3.1.1 DHCP Server: 10.3.1.4 DNS Servers: 10.3.1.29 DNS Domain Name: mycorp.com...
  • Page 123 Examples: The following command displays the addresses leased by the MSS DHCP server: DWS-1008# show dhcp-server VLAN Name Address Lease Remaining (sec) -------------------------------------------------------------------------------------------------------- default 10.10.20.2 00:01:02:03:04:05 12345 default 10.10.20.3 00:01:03:04:06:07 2103 red-vlan 192.168.1.5 00:01:03:04:06:08 102 red-vlan 192.168.1.7 00:01:03:04:06:09 16789...
  • Page 124 The following command displays configuration and status information for each VLAN on which the DHCP server is configured: DWS-1008# show dhcp-server verbose Interface: 0 (Direct AP) Status: Address Range: 10.0.0.1-10.0.0.253 Interface: default(1) Status: Address Range: 10.10.20.2-10.10.20.254 Hardware Address: 00:01:02:03:04:05 State:...
  • Page 125: Show Interface

    10.10.10.10 netmask 255.255.255.0 on vlan default The following command configures IP interface 10.10.20.10 255.255.255.0 on VLAN mauve: DWS-1008# set interface mauve ip 10.10.20.10 255.255.255.0 success: set ip address 10.10.20.10 netmask 255.255.255.0 on vlan mauve See Also: •...
  • Page 126 VLAN, but only the client or the server can be enabled. The DHCP client and DHCP server cannot both be enabled on the same VLAN at the same time. Examples: The following command enables the DHCP client on VLAN corpvlan: DWS-1008# set interface corpvlan ip dhcp-client enable success: change accepted. See Also: •...
  • Page 127 Note: Use of the MSS DHCP server to allocate client addresses is intended for temporary, demonstration deployments and not for production networks. D-Link recommends that you do not use the MSS DHCP server to allocate client addresses in a production network.
  • Page 128 DHCP client’s subnet. Otherwise, the MSS DHCP server does not specify a router address. Examples: The following command enables the DHCP server on VLAN red-vlan to serve addresses from the 192.168.1.5 to 192.168.1.25 range: DWS-1008# set interface red-vlan ip dhcp-server enable start 192.168.1.5 stop 192.168.1.25 success: change accepted. See Also: •...
  • Page 129 Enables DNS. disable Disables DNS. Defaults: DNS is disabled by default. Access: Enabled. Examples: The following command enables DNS on a DWS-1008 switch: DWS-1008# set ip dns enable Start DNS Client See Also: • clear ip dns domain • clear ip dns server •...
  • Page 130 Aliases take precedence over DNS. When you enter a hostname, MSS checks for an alias with that name first, before using DNS to resolve the name. Examples: The following command configures the default domain name example.com: DWS-1008# set ip dns domain example.com Domain name changed See Also: •...
  • Page 131 • show ip dns set ip https server Enables the HTTPS server on a DWS-1008 switch. The HTTPS server is required for Web View access to the switch. Caution: If you disable the HTTPS server, Web View access to the switch is disabled.
  • Page 132 Syntax: set ip route {default | ip-addr mask | ip-addr/mask-length} default-router metric default Default route. A DWS-1008 switch uses the default route if an explicit route is not available for the destination. Note: default is an alias for IP address 0.0.0.0/0.
  • Page 133 Disables the SNMP service. Defaults: The SNMP service is disabled by default. Access: Enabled. Examples: The following command enables the SNMP server on a DWS-1008 switch: DWS-1008# set ip snmp server enable success: change accepted...
  • Page 134 Usage: SSH requires an SSH authentication key. You can generate one or allow MSS to generate one. The first time an SSH client attempts to access the SSH server on a DWS-1008 switch, the switch automatically generates a 1024-byte SSH key.
  • Page 135 Changes the TCP port number on which a DWS-1008 switch listens for Telnet management traffic. Caution: If you change the Telnet port number from a Telnet session, MSS immediately ends the session. To open a new management session, you must Telnet to the switch with the new Telnet port number.
  • Page 136 Usage: If NTP is configured on a system whose current time differs from the NTP server time by more than 10 minutes, convergence of the switch time can take many NTP update intervals. D-Link recommends that you set the time manually to the NTP server time before enabling NTP to avoid a significant delay in convergence.
  • Page 137 Configures a DWS-1008 switch to use an NTP server. Syntax: set ntp server ip-addr ip-addr IP address of the NTP server, in dotted decimal notation. Defaults: None. Access: Enabled. Usage: You can configure up to three NTP servers. MSS queries all the servers and selects the best response based on the method described in RFC 1305, Network Time Protocol (Version 3) Specification, Implementation and Analysis.
  • Page 138 Defaults: None. Access: Enabled. Usage: SNMP community strings are passed as clear text in SNMPv1 and SNMPv2c. D-Link recommends that you use strings that cannot easily be guessed by unauthorized users. For example, do not use the well-known strings public and private.
  • Page 139 The following command configures community string switchmgr1 with access level notify-read-write: DWS-1008# set snmp community name switchmgr1 notify-read-write success: change accepted. See Also: • clear snmp community • set ip snmp server • set snmp notify target • set snmp notify profile •...
  • Page 140 • RFDetectDoSTraps—Generated when MSS detects a DoS attack other than an associate request flood, reassociate request flood, or disassociate request flood. • RFDetectInterferingRogueAPTraps—Generated when an interfering device is detected. • RFDetectInterferingRogueDisappearTraps—Generated when an interfering device is no longer detected...
  • Page 141 • RFDetectSpoofedMacAPTraps—Generated when MSS detects a wireless packet with the source MAC address of a D-Link AP, but without the spoofed MP’s signature (fingerprint). • RFDetectSpoofedSsidAPTraps—Generated when MSS detects beacon frames for a valid SSID, but sent by a rogue AP.
  • Page 142 DWS-1008# set snmp notify profile snmpprof_rfdetect send RFDetectInterferingRogueDisappearTraps success: change accepted. DWS-1008# set snmp notify profile snmpprof_rfdetect send RFDetectRogueAPTraps success: change accepted. DWS-1008# set snmp notify profile snmpprof_rfdetect send RFDetectRogueDisappearTraps success: change accepted. DWS-1008# set snmp notify profile snmpprof_rfdetect send RFDetectSpoofedMacAPTraps success: change accepted.
  • Page 143 | encrypted} SNMP version is usm: • unsecured—Message exchanges are not authenticated, nor are they encrypted. This is the default. • authenticated—Message exchanges are authenticated, but are not encrypted. • encrypted—Message exchanges are authenticated and encrypted...
  • Page 144 | encrypted} SNMP version is usm: • unsecured—Message exchanges are not authenticated, nor are they encrypted. This is the default. • authenticated—Message exchanges are authenticated, but are not encrypted. • encrypted—Message exchanges are authenticated and encrypted...
  • Page 145 IP address of the server. You also can specify the UDP port number to send notifications to. community-string Community string. profile profile-name Notification profile this SNMP user will use to specify the notification types to send or drop...
  • Page 146 Examples: The following command configures a notification target for acknowledged notifications: DWS-1008# set snmp notify target 1 10.10.40.9 usm inform user securesnmpmgr1 snmp-engine-id ip success: change accepted. This command configures target 1 at IP address 10.10.40.9. The target’s SNMP engine ID is based on its address.
  • Page 147 IP address. You also must enable the SNMP service using the set ip snmp server command. Examples: The following command enables all SNMP versions: DWS-1008# set snmp protocol all enable success: change accepted. See Also: • set ip snmp server •...
  • Page 148 SNMPv1 or SNMPv2c, leave the minimum level of SNMP security set to unsecured. Examples: The following command sets the minimum level of SNMP security allowed to authentication and encryption: DWS-1008# set snmp security encrypted success: change accepted. See Also: • set ip snmp server •...
  • Page 149 • notify-read-write—An SNMP management application using the string can get and set object values on the switch. The switch can use the string to send notifications...
  • Page 150 • To specify a passphrase, use the encrypt-pass-phrase string option. The string can be from 8 to 32 alphanumeric characters long, with no spaces. • To specify a key, use the encrypt-key hex-string option...
  • Page 151 The following command creates USM user securesnmpmgr1, which uses SHA authentication and 3DES encryption with passphrases. This user can send informs to the notification receiver that has engine ID 192.168.40.2. DWS-1008# set snmp usm securesnmpmgr1 snmp-engine-id ip 192.168.40.2 auth-type sha auth-pass-phrase myauthpword encrypt-type 3des encrypt-pass-phrase mycryptpword success: change accepted.
  • Page 152 Otherwise, summertime’s adjustment of the time will make the time incorrect, if the date is within the summertime period. Examples: To enable summertime and set the summertime time zone to PDT (Pacific Daylight Time), type the following command: DWS-1008# set summertime PDT success: change accepted See Also: • clear summertime •...
  • Page 153 Syntax: set system ip-address ip-addr ip-addr IP address, in dotted decimal notation. The address must be configured on one of the DWS-1008 switch’s VLANs. Defaults: None. Access: Enabled. Usage: You must use an address that is configured on one of the switch’s VLANs.
  • Page 154 Examples: The following command sets the date to March 13, 2003 and time to 11:11:12: DWS-1008# set timedate date feb 29 2004 time 23:58:00 Time now is: Sun Feb 29 2004, 23:58:02 PST See Also: •...
  • Page 155 Defaults: If this command is not used, then the default time zone is UTC. Access: Enabled. Examples: To set the time zone for Pacific Standard Time (PST), type the following command: DWS-1008# set timezone PST -8 Timezone is set to ‘PST’, offset from UTC is -8:0 hours. See Also: •...
  • Page 156 DWS-1008# show dhcp-client Interface: corpvlan(4) Configuration Status: Enabled DHCP State: IF_UP Lease Allocation: 65535 seconds Lease Remaining: 65532 seconds IP Address: 10.3.1.110 Subnet Mask: 255.255.255.0 Default Gateway: 10.3.1.1 DHCP Server: 10.3.1.4 DNS Servers: 10.3.1.29 DNS Domain Name: mycorp.com...
  • Page 157 Examples: The following command displays the addresses leased by the MSS DHCP server: DWS-1008# show dhcp-server VLAN Name Address Lease Remaining (sec) -------------------------------------------------------------------------------------------------------- default 10.10.20.2 00:01:02:03:04:05 12345 default 10.10.20.3 00:01:03:04:06:07 2103 red-vlan 192.168.1.5 00:01:03:04:06:08 red-vlan 192.168.1.7 00:01:03:04:06:09 16789...
  • Page 158 The following command displays configuration and status information for each VLAN on which the DHCP server is configured: DWS-1008# show dhcp-server verbose Interface: 0 (Direct AP) Status: Address Range: 10.0.0.1-10.0.0.253 Interface: default(1) Status: Address Range: 10.10.20.2-10.10.20.254 Hardware Address: 00:01:02:03:04:05 State:...
  • Page 159 The table below describes the fields in this display. Field Description VLAN VLAN number. Name VLAN name. Address IP address. Mask Subnet mask. Administrative state: Enabled • YES (enabled) • NO (disabled) Link state: State • Up (operational) • Down (unavailable) Routing Information Base...
  • Page 160: Show Ip Alias

    Displays the IP aliases configured on the DWS-1008 switch. Syntax: show ip alias [name] name Alias string. Defaults: If you do not specify an alias name, all aliases are displayed. Access: Enabled. Examples: The following command displays all the aliases configured on a switch:...
  • Page 161: Show Ip Dns

    Displays the DNS servers the switch is configured to use. Syntax: show ip dns Defaults: None. Access: All. Examples: The following command displays the DNS information: DWS-1008# show ip dns Domain Name: example.com DNS Status: enabled IP Address Type ------------------------------------- 10.1.1.1...
  • Page 162: Show Ip Https

    Defaults: None. Access: All. Examples: The following command shows the status and port number for the HTTPS management interface to the switch: DWS-1008> show ip https HTTPS is enabled HTTPS is set to use port 443 Last 10 Connections: IP Address...
  • Page 163: Show Ip Route

    If the switch has such an interface but the static route is still down, use the show vlan config command to check the state of the VLAN’s ports. Examples: The following command shows all routes in a switch’s IP route table: DWS-1008# show ip route Router table for IPv4 Destination/Mask...
  • Page 164: Show Ip Telnet

    Syntax: show ip telnet Defaults: None. Access: All. Examples: The following command shows the status and port number for the Telnet management interface to the switch: DWS-1008> show ip telnet Server Status Port ---------------------------------- Enabled The table below describes the fields in this display.
  • Page 165: Show Ntp

    Displays NTP client information. Syntax: show ntp Defaults: None. Access: All. Examples: To display NTP information for a DWS-1008 switch, type the following command: DWS-1008> show ntp NTP client: enabled Current update-interval: 20(secs) Current time: Fri Feb 06 2004, 12:02:57 Timezone is set to ‘PST’, offset from UTC is -8:0 hours.
  • Page 166: Show Snmp Community

    • clear snmp notify profile • set snmp notify profile show snmp notify target Displays SNMP notification targets. Syntax: show snmp notify target Defaults: None. Access: Enabled. See Also: • clear snmp notify target • set snmp notify target...
  • Page 167: Show Snmp Status

    • show snmp notify profile • show snmp notify target • show snmp usm show snmp usm Displays information about SNMPv3 users. Defaults: None. Access: Enabled. See Also: • clear snmp usm • show snmp usm...
  • Page 168: Show Summertime

    • set timezone • show timedate • show timezone show timedate Shows the date and time of day currently set on a DWS-1008 switch’s real-time clock. Syntax: show timedate Defaults: None. Access: All. Examples: To display the time and date set on a switch’s real-time clock, type the following...
  • Page 169: Show Timezone

    To end a client session from the local device, use the clear sessions telnet client command. If the configuration of the switch from which you enter the telnet command has an ACL that denies Telnet client traffic, the ACL also denies access by the telnet command...
  • Page 170 Up none Up When the administrator presses Ctrl+t to end the Telnet connection, the management session returns to the local DWS prompt: DWS-1008-remote> Session 0 pty tty2.d terminated tt name tty2.d DWS-1008# See Also: • clear sessions • show sessions...
  • Page 171 (192.168.22.7), 30 hops max, 38 byte packets 1 engineering-1.example.com (192.168.192.206) 2 ms 1 ms 1 ms 2 engineering-2.example.com (192.168.196.204) 2 ms 3 ms 2 ms 3 gateway_a.example.com (192.168.1.201) 6 ms 3 ms 3 ms 4 server1.example.com (192.168.22.7) 3 ms * 2 ms...
  • Page 172 No route to host. The host is unreachable. Connection refused. The protocol is unreachable. Fragmentation needed but Do Not Fragment (DNF) bit was set. Source route failed. Communication administratively prohibited. Unknown error occurred. See Also: • ping...
  • Page 173: Aaa Commands

    212 clear accounting on page 171 AAA information show aaa on page 210 Location Policy set location policy on page 197 show location policy on page 213 clear location policy on page 175...
  • Page 174: Clear Accounting

    (@) or a period (.). Defaults: None. Access: Enabled. Examples: The following command removes accounting services for authorized network user Nin: DWS-1008# clear accounting dot1x Nin success: change accepted. See Also: • set accounting {admin | console} • set accounting system •...
  • Page 175: Clear Authentication Admin

    However, the options and behavior for the clear authentication admin command are the same as in previous releases. Examples: The following command clears authentication for administrator Jose: DWS-1008# clear authentication admin Jose success: change accepted. See Also: • clear authentication console •...
  • Page 176: Clear Authentication Dot1x

    Access: Enabled. Examples: The following command removes 802.1X authentication for network users with usernames ending in @thiscorp.com who try to access SSID finance: DWS-1008# clear authentication dot1x ssid finance *@thiscorp.com See Also: • clear authentication admin • clear authentication console •...
  • Page 177: Clear Authentication Mac

    MAC address glob associated with the rule you are removing. Access: Enabled. Examples: The following command removes a MAC authentication rule for access to SSID thatcorp by MAC addresses beginning with aa:bb:cc: DWS-1008# clear authentication mac ssid thatcorp aa:bb:cc:* See Also: • clear authentication admin • clear authentication console •...
  • Page 178: Clear Authentication Web

    User-glob associated with the rule you are removing. Defaults: None. Access: Enabled. Examples: The following command removes WebAAA for SSID research and userglob temp*@thiscorp.com: DWS-1008# clear authentication web ssid research temp*@thiscorp.com See Also: • clear authentication admin • clear authentication console • clear authentication dot1x •...
  • Page 179 Usage: Deleting a MAC user’s profile from the database deletes the assignment of any attributes in the profile to the user. Examples: The following command removes the user profile for a user at MAC address 01:02:03:04:05:06: DWS-1008# clear mac-user 01:02:03:04:05:06 success: change accepted. See Also: • set mac-usergroup attr •...
  • Page 180 Defaults: None. Access: Enabled. Examples: The following command removes an access control list (ACL) from the profile of a user at MAC address 01:02:03:04:05:06: DWS-1008# clear mac-user 01:02:03:04:05:06 attr filter-id success: change accepted. See Also: • set mac-user attr • show aaa...
  • Page 181 Removes a user group from the local database on the DWS-1008 switch, for a group of users who are authenticated by a MAC address. (To delete a MAC user group in RADIUS, see the documentation for your RADIUS server.)
  • Page 182: Clear User

    Examples: The following command removes the members of the MAC user group eastcoasters from a VLAN assignment by deleting the VLAN-Name attribute from the group: DWS-1008# clear mac-usergroup eastcoasters attr vlan-name success: change accepted. See Also: • clear mac-usergroup • set mac-usergroup attr •...
  • Page 183: Clear User Attr

    Name of an attribute used to authorize the user for a particular service or session characteristic. Defaults: None. Access: Enabled. Examples: The following command removes the Session-Timeout attribute from Hosni’s user profile: DWS-1008# clear user Hosni attr session-timeout success: change accepted. See Also: • set user attr • show aaa clear user group Removes a user with a password from membership in a user group in the local database on the switch.
  • Page 184: Clear Usergroup

    Examples: The following command removes the user Nin from the user group Nin is in: DWS-1008# clear user Nin group success: change accepted. See Also: • clear usergroup • set user group • show aaa clear usergroup Removes a user group and its attributes from the local database on the switch, for users with passwords.
  • Page 185: Clear Usergroup Attr

    Access: Enabled. Examples: The following command removes the members of the user group cardiology from a network access time restriction by deleting the Time-Of-Day attribute from the group: DWS-1008# clear usergroup cardiology attr time-of-day success: change accepted. See Also: • clear usergroup •...
  • Page 186 MSS sends interim updates to the RADIUS server when the user roams. Examples: The following command issues start-and-stop accounting records at the local database for administrator Natasha, when she accesses the switch using Telnet or Web View: DWS-1008# set accounting admin Natasha start-stop local success: change accepted. See Also: •...
  • Page 187 When the local accounting storage space is full, MSS overwrites older records with new ones. • server-group-name—Stores accounting records on one or more Remote Authentication Dial-In User Service (RADIUS) servers. You can also enter the names of existing RADIUS server groups as methods...
  • Page 188: Set Accounting System

    MSS sends interim updates to the RADIUS server when the user roams. Examples: The following command issues stop-only records to the RADIUS server group sg2 for network user Nin, who is authenticated by 802.1X: DWS-1008# set accounting dot1x Nin stop-only sg2 success: change accepted. See Also: •...
  • Page 189: Set Authentication Admin

    The fallthru authentication type none denies access to a network user. For more information, see “Usage.” Defaults: By default, authentication is deactivated for all admin users. The default authentication method in an admin authentication rule is local. MSS checks the local database for authentication. Access: Enabled...
  • Page 190: Set Authentication Console

    Examples: The following command configures administrator Jose, who connects via Telnet, for authentication on RADIUS server group sg3: DWS-1008# set authentication admin Jose sg3 success: change accepted. See Also: •...
  • Page 191 MSS requires no username or password, by default. These users can press Enter at the prompts for administrative access. Note: D-Link recommends that you change the default setting unless the switch is in a secure physical location.
  • Page 192: Set Authentication Dot1x

    RADIUS server group. Examples: To set the console port so that it does not enforce username-password authentication for administrators, type the following command: DWS-1008# set authentication console * none success: change accepted. See Also: • clear authentication console •...
  • Page 193 • Only the server side of the connection needs a certificate. The wireless client authenticates using TLS to set up an encrypted session. Then MS-CHAP-V2 performs mutual authentication using the specified AAA method. • pass-through—MSS sends all the EAP protocol processing to a RADIUS server...
  • Page 194 In this case, if the switch’s configuration contains a set authentication mac command that matches the SSID the user is attempting to access and the user’s MAC address, MSS uses the method specified by the command. Otherwise, MSS uses local MAC authentication by default...
  • Page 195: Set Authentication Mac

    Examples: The following command configures EAP-TLS authentication in the local database for SSID mycorp and 802.1X client Geetha: DWS-1008# set authentication dot1x ssid mycorp Geetha eap-tls local success: change accepted. The following command configures PEAP-MS-CHAP-V2 authentication at RADIUS server groups sg1 through sg3 for all 802.1X clients at example.com who want to access SSID examplecorp:...
  • Page 196 (for WebAAA), or none. Examples: To use the local database to authenticate all users who access the mycorp2 SSID by their MAC address, type the following command: DWS-1008# set authentication ssid mycorp2 mac ** local success: change accepted. See Also: •...
  • Page 197: Set Authentication Proxy

    Examples: The following command configures a proxy authentication rule that matches on all usernames associated with SSID mycorp. MSS uses RADIUS server group srvrgrp1 to proxy RADIUS requests and hence to authenticate and authorize the users. DWS-1008# set authentication proxy ssid mycorp ** srvrgrp1 See Also: • clear authentication proxy •...
  • Page 198: Set Authentication Web

    EAP-TLS protocol. For more information, see “Usage.” Defaults: By default, authentication is unconfigured for all clients with network access through AP ports or wired authentication ports on the switch. Connection, authorization, and accounting are also disabled for these users. Access Enabled.
  • Page 199 For a wired authentication rule, the type is specified by the auth-fall-thru option of the set port type wired-auth command.) Examples: The following command configures a WebAAA rule in the local database for SSID ourcorp and userglob rnd*: DWS-1008# set authentication web ssid ourcorp rnd* local success: change accepted. See Also: • clear authentication web •...
  • Page 200: Set Location Policy

    SSID. Asterisks (wildcards) are not supported in SSID names. You must specify the complete SSID name. vlan operator vlan-glob VLAN-Name attribute assigned by AAA and condition by which to determine if the location policy rule applies.
  • Page 201 Access: Enabled. Usage: Only a single location policy is allowed per DWS-1008 switch. The location policy can contain up to 150 rules. Once configured, the location policy becomes effective immediately. To disable location policy operation, use the clear location policy command.
  • Page 202 ACLs svcs_2 to the traffic they send and svcs_3 to the traffic they receive: DWS-1008# set location policy permit inacl svcs_2 outacl svcs_3 if vlan eq bldg4.* The following command authorizes users entering the network on ports 2 through 4 and port 6 to...
  • Page 203 MSS does not support passwords for MAC users. Examples: The following command creates a user profile for a user at MAC address 01:02:03:04:05:06 and assigns the user to the eastcoasters user group: DWS-1008# set mac-user 01:02:03:04:05:06 group eastcoasters success: change accepted. See Also: •...
  • Page 204 Equivalent Privacy protocol using 104 bits encryption-type of key strength) Note: Encryption-Type is a D-Link vendor- • 16—WEP_40 (Wired-Equivalent Privacy specific attribute (VSA). The vendor ID is 14525, protocol using 40 bits of key strength) and the vendor type is 3.
  • Page 205 SSID the user is allowed to access after profile, and the service profile must be used by mode only) authentication. a radio profile assigned to D-Link radios in the network. Date and time, in the following format: Date and time at which the user becomes YY/MM/DD-HH:MM eligible to access the network.
  • Page 206 URL to which the user is redirected after (network access mode • $v—VLAN successful WebAAA. only) • $s—SSID • $p—Service profile name To use the literal character $ or ?, use the following: • $$ • $q
  • Page 207 Examples: The following command assigns input access control list (ACL) acl-03 to filter the packets from a user at MAC address 01:02:03:04:05:06: DWS-1008# set mac-user 01:02:03:04:05:06 attr filter-id acl-03.in success: change accepted. The following command restricts a user at MAC address 06:05:04:03:02:01 to network access between 7 p.m.
  • Page 208 MAC user group’s start date. Examples: The following command creates the MAC user group eastcoasters and assigns the group members to VLAN orange: DWS-1008# set mac-usergroup eastcoasters attr vlan-name orange success: change accepted. See Also: •...
  • Page 209: Set User

    Examples: The following command creates a user profile for user Nin in the local database, and assigns the password goody: DWS-1008# set user Nin password goody success: User Nin created The following command assigns the password chey3nne to the admin user:...
  • Page 210: Set User Attr

    The user does not need to wait for the user group’s start date. Examples: The following command assigns user Tamara to VLAN orange: DWS-1008# set user Tamara attr vlan-name orange success: change accepted. The following command limits the days and times when user Student1 can access the network, to 5 p.m.
  • Page 211: Set Usergroup

    Usage: MSS does not require users to belong to user groups. To create a user group, use the command set usergroup. Examples: The following command adds user Hosni to the cardiology user group: DWS-1008# set user Hosni group cardiology success: change accepted. See Also: •...
  • Page 212 See Also: • clear usergroup • clear usergroup attr • show aaa set web-portal Globally enables or disables WebAAA on a DWS-1008 switch. Syntax: set web-portal {enable | disable} enable Enables WebAAA on the switch. disable Disables WebAAA on the switch.
  • Page 213: Show Aaa

    ** peap-mschapv2 sg1 sg2 sg3 set accounting dot1x Nin ssid mycorp stop-only sg2 set accounting admin Natasha start-stop local user Nin Password = 082c6c64060b (encrypted) Filter-Id = acl-999.in Filter-Id = acl-999.out mac-user 01:02:03:04:05:06 usergroup eastcoasters session-timeout = 99
  • Page 214 List of user and user group profiles stored in the local database on the switch. See Also: • set accounting {admin | console} • set authentication admin • set authentication console • set authentication dot1x • set authentication mac • set authentication web
  • Page 215 (To display RADIUS accounting records, see the documentation for your RADIUS server.) Syntax: show accounting statistics Defaults: None. Access: Enabled. Examples: To display the locally stored accounting records, type the following command: DWS-1008# show accounting statistics Dec 14 00:39:48 Acct-Status-Type=STOP Acct-Authentic=0 Acct-Multi-Session-Id=SESS-3-01f82f-520236-24bb1223...
  • Page 216 • clear accounting • set accounting {admin | console} • show aaa show location policy Displays the list of location policy rules that make up the location policy on a DWS-1008 switch. Syntax: show location policy Defaults: None. Access: Enabled.
  • Page 217: Cryptography Commands

    224 crypto certificate on page 216 show crypto certificate on page 225 PKCS#12 Certificate crypto otp on page 222 crypto pkcs12 on page 223 Self-Signed Certificate crypto generate self-signed on page 220
  • Page 218 Open the PKCS#7 object file with an ASCII text editor such as Notepad or vi. Enter the crypto ca-certificate command on the CLI command line. When MSS prompts you for the PEM-formatted certificate, paste the PKCS#7 object file onto the command line.
  • Page 219: Crypto Certificate

    Examples The following command adds the certificate authority’s certificate to switch certificate and key storage: DWS-1008# crypto ca-certificate admin Enter PEM-encoded certificate -----BEGIN CERTIFICATE----- MIIDwDCCA2qgAwIBAgIQL2jvuu4PO5FAQCyewU3ojANBgkqhkiG9wOBAQUFADCB mzerMClaweVQQTTooewi\wpoer0QWNFNkj90044mbdrl1277SWQ8G7Diw YUtrqoQplKJvxz ..Lm8wmVYxP56M;CUAm908C2foYgOY40= -----END CERTIFICATE----- See Also: • show crypto ca-certificate crypto certificate Installs one of the switch’s PKCS#7 certificates into the certificate and key storage area on the switch.
  • Page 220: Crypto Generate Key

    The switch verifies the validity of the public key associated with this certificate before installing it, to prevent a mismatch between the switch’s private key and the public key in the installed certificate. Examples: The following command installs a certificate: DWS-1008# crypto certificate admin Enter PEM-encoded certificate -----BEGIN CERTIFICATE----- MIIBdTCP3wIBADA2MQswCQYDVQQGEwJVUzELMAkGA1UECBMCQOEx GjAYBgNVBAMU EXR1Y2hwdWJzQHRycHouY29tMIGfMAOGCSqGSIb3DQ EBAQAA4GNADCBiQKBgQC4 ..
  • Page 221: Crypto Generate Request

    1024-byte SSH key. If you want to use a 2048-byte key instead, use the crypto generate key ssh 2048 command to generate one. Examples: To generate an administrative key, type the following command: DWS-1008# crypto generate key admin 1024 key pair generated. See Also: •...
  • Page 222 PKCS#7 object file. Examples: To request an administrative certificate from a certificate authority, type the following command: DWS-1008# crypto generate request admin Country Name: US State Name: CA Locality Name: Pleasanton...
  • Page 223 (Optional) Specify the name of the organization, in up to 80 string alphanumeric characters with no spaces. Organizational Unit (Optional) Specify the name of the organizational unit, in up to 80 string alphanumeric characters with no spaces.
  • Page 224 Usage: To use this command, you must already have generated a public-private encryption key pair with the crypto generate key command. Examples: To request an administrative certificate from a certificate authority, type the following command: DWS-1008# crypto generate self-signed admin Country Name: State Name: Locality Name:...
  • Page 225: Crypto Otp

    PKCS#12 object file. MSS erases the one-time password after processing the crypto pkcs12 command or when you reboot the switch. D-Link recommends that you create a password that is memorable to you but is not subject to easy guesses or a dictionary attack. For best results, create a password of alphanumeric uppercase and lowercase characters.
  • Page 226: Crypto Pkcs

    PKCS#12 file: DWS-1008# copy tftp://192.168.253.1/2048full.p12 2048full.p12 success: received 637 bytes in 0.253 seconds [ 2517 bytes/sec] DWS-1008# crypto otp eap hap9iN#ss OTP set DWS-1008# crypto pkcs12 eap 2048full.p12...
  • Page 227 WebAAA clients. Defaults: None. Access: Enabled. Examples: To display information about the certificate of a certificate authority, type the following command: DWS-1008# show crypto ca-certificate The table below describes the fields in the display. Fields Description Version Version of the X.509 certificate.
  • Page 228: Show Crypto Certificate

    Usage: You must have generated a self-signed certificate or obtained a certificate from a certificate authority before displaying information about the certificate. Examples: To display information about a cryptographic certificate, type the following command: DWS-1008# show crypto certificate eap The table below describes the fields in the display. Crypto Certificate Output Fields...
  • Page 229: Show Crypto Key Domain

    Syntax: show crypto key domain Defaults: None. Access: Enabled. Examples: To display the fingerprint for switch-switch security, type the following command: DWS-1008# show crypto key domain Domain public key: e6:43:91:e2:b3:53:ed:46:76:5f:f0:96:3a:3b:86:d3 See Also: • crypto generate key show crypto key ssh Displays SSH authentication key information.
  • Page 230: Radius And Server Groups Commands

    235 clear radius proxy client on page 230 clear radius proxy port on page 230 (For information about RADIUS attributes, see the RADIUS appendix in the D-Link Mobility System Software Configuration Guide.)
  • Page 231: Clear Radius

    Usage: To override the globally set values on a particular RADIUS server, use the set radius server command. Examples: To reset all global RADIUS parameters to their factory defaults, type the following commands: DWS-1008# clear radius deadtime success: change accepted. DWS-1008# clear radius key success: change accepted.
  • Page 232 RADIUS packets leaving the switch. Examples: To clear the system IP address as the permanent source address for RADIUS client requests, type the following command: DWS-1008# clear radius client system-ip success: change accepted. See Also: • set radius client system-ip •...
  • Page 233: Clear Radius Proxy Client

    Syntax: clear radius proxy client all Defaults: None Access: Enabled. Examples: The following command clears all RADIUS proxy client entries from the switch: DWS-1008# clear radius proxy client all success: change accepted. See Also: • set radius proxy client clear radius proxy port Removes RADIUS proxy ports configured for third-party APs.
  • Page 234: Clear Radius Server

    Defaults: None Access: Enabled. Examples: The following command removes the RADIUS server rs42 from a list of remote AAA servers: DWS-1008# clear radius server rs42 success: change accepted. See Also: • set radius server • show aaa clear server group Removes a RADIUS server group from the configuration, or disables load balancing for the group.
  • Page 235: Set Radius

    To disable load balancing in a server group shorebirds, type the following command: DWS-1008# set server group shorebirds load-balance disable success: change accepted. See Also: • set server group set radius Configures global defaults for RADIUS servers that do not explicitly set these values themselves.
  • Page 236 Examples: The following commands set the dead time to 5 minutes, the RADIUS key to goody, the number of retransmissions to 1, and the timeout to 21 seconds on all RADIUS servers connected to the switch: DWS-1008# set radius deadtime 5 success: change accepted. DWS-1008# set radius key goody success: change accepted.
  • Page 237: Set Radius Proxy Client

    Usage: The switch system IP address must be set before you use this command. Examples: The following command sets the switch system IP address as the address of the RADIUS client: DWS-1008# set radius client system-ip success: change accepted. See Also: •...
  • Page 238: Set Radius Proxy Port

    Enter a separate command for each SSID, and its tag value, you want the switch to support. Examples: The following command maps SSID mycorp to packets received on port 3 or 4, using 802.1Q tag value 104: DWS-1008# set radius proxy port 3-4 tag 104 ssid mycorp success: change accepted. See Also: •...
  • Page 239: Set Radius Server

    Number of minutes the switch waits after declaring an unresponsive password RADIUS server unavailable before retrying that RADIUS server. Specify between 0 (zero) and 1440 minutes (24 hours). A zero value causes the switch to identify unresponsive servers as available.
  • Page 240 30 seconds, two transmit attempts, 5 minutes of dead time, a key string of keys4u, and the default authorization password of dlink, type the following command: DWS-1008# set radius server RS42 address 198.162.1.1 timeout 30 retransmit 2 deadtime 5 key keys4U See Also: •...
  • Page 241: Set Server Group

    Do not use the same name for a RADIUS server and a RADIUS server group. Examples: To set server group shorebirds with members heron, egret, and sandpiper, type the following command: DWS-1008# set server group shorebirds members heron egret sandpiper success: change accepted. See Also: •...
  • Page 242 AAA method. Examples: To enable load balancing between the members of server group shorebirds, type the following command: DWS-1008# set server group shorebirds load-balance enable success: change accepted. To disable load balancing between shorebirds server group members, type the following...
  • Page 243: 802.1x Management Commands

    802.1X Management Commands Use IEEE 802.1X management commands to modify the default settings for IEEE 802.1X sessions on a DWS-1008 switch. For best results, change the settings only if you are aware of a problem with the switch’s 802.1X performance.
  • Page 244 Syntax: clear dot1x max-req Defaults: The default bonded authentication period is 0 seconds. Access: Enabled. Examples: To reset the Bonded period to its default, type the following command: DWS-1008# clear dot1x bonded-period success: change accepted See Also: • set dot1x bonded-period •...
  • Page 245 This command applies only to wired authentication ports. Examples: Type the following command to reset the wired authentication port control: DWS-1008# clear dot1x port-control success: change accepted See Also: • set dot1x port-control •...
  • Page 246 Defaults: The default is 2 attempts. Access: Enabled. Examples: Type the following command to reset the maximum number of reauthorization attempts to the default: DWS-1008# clear dot1x reauth-max success: change accepted See Also: • set dot1x reauth-max • show dot1x...
  • Page 247: Clear Dot1x Timeout Supplicant

    Defaults: The default is 30 seconds. Access: Enabled. Examples: To reset the default timeout for requests to an authentication server, type the following command: DWS-1008# clear dot1x timeout auth-server success: change accepted See Also: • set dot1x timeout auth-server • show dot1x...
  • Page 248: Set Dot1x Authcontrol

    Defaults: By default, authentication control for individual wired authentication is enabled. Access: Enabled. Usage: This command applies only to wired authentication ports. Examples: To enable per-port 802.1X authentication on wired authentication ports, type the following command: DWS-1008# set dot1x authcontrol enable success: dot1x authcontrol enabled.
  • Page 249 802.1X reauthentication parameter or the RADIUS Session-Timeout parameter. D-Link recommends that you try 60 seconds, and change the period to a longer value only if clients are unable to authenticate within 60 seconds. The bonded authentication period applies only to 802.1X authentication rules that contain the bonded option.
  • Page 250 Disables transmission of encryption key information to clients. Defaults: Key transmission is enabled by default. Access: Enabled. Examples: Type the following command to enable key transmission: DWS-1008# set dot1x key-tx enable success: dot1x key transmission enabled. See Also: • show dot1x...
  • Page 251 Usage: This command affects only wired authentication ports. Examples: The following command forces port 6 to unconditionally accept all 802.1X authentication attempts: DWS-1008# set dot1x port-control forceauth 6 success: authcontrol for 19 is set to FORCE-AUTH. See Also: • show port status •...
  • Page 252 Specify a value between 0 and 65,535. Defaults: The default is 60 seconds. Access: Enabled. Examples: Type the following command to set the quiet period to 90 seconds: DWS-1008# set dot1x reauth enable success: dot1x reauthentication enabled. See Also: • set dot1x reauth-max •...
  • Page 253 Specify a value between 1 and 65,535. Defaults: The default is 30 seconds. Access: Enabled. Examples: Type the following command to set the authentication server timeout to 60 seconds: DWS-1008# set dot1x timeout auth-server 60 success: dot1x auth-server timeout set to 60.
  • Page 254: Set Dot1x Timeout Supplicant

    Defaults: The default is 30 seconds. Access: Enabled. Examples: Type the following command to set the number of seconds for authentication session timeout to 300: DWS-1008# set dot1x timeout supplicant 300 success: dot1x supplicant timeout set to 300. See Also: • clear dot1x timeout auth-server •...
  • Page 255 VLAN, or encryption type receive the new keys at the same time. Examples: Type the following command to disable WEP key rotation: DWS-1008# set dot1x wep-rekey disable success: wep rekeying disabled See Also: •...
  • Page 256: Show Dot1x

    Displays global 802.1X statistics associated with connecting and authenticating. config Displays a summary of the current configuration. Defaults: None. Access: Enabled. Examples: Type the following command to display the 802.1X clients: DWS-1008# show dot1x clients MAC Address State Vlan Identity ------------------------------------------------------------------------------------------------------------- 00:20:a6:48:01:1f...
  • Page 257 Type the following command to display the 802.1X clients: DWS-1008# show dot1x config 802.1X user policy ---------------------- ‘host/bob-laptop.mycorp.com’ on ssid ‘mycorp’ doing PASSTHRU ’bob.mycorp.com’ on ssid ‘mycorp’ doing PASSTHRU (bonded) 802.1X parameter setting ---------------------- ---------------------- supplicant timeout auth-server timeout quiet period...
  • Page 258 Type the following command to display 802.1X statistics: DWS-1008# show dot1x stats 802.1X statistic value ---------------------- ---------------------- Enters Connecting: Logoffs While Connecting: Enters Authenticating: Success While Authenticating: Timeouts While Authenticating: Failures While Authenticating: Reauths While Authenticating: Starts While Authenticating: Logoffs While Authenticating:...
  • Page 259: Session Management Commands

    Access: Enabled. Examples: To clear all administrator sessions, type the following command: DWS-1008# clear sessions admin This will terminate manager sessions, do you wish to continue? (y|n) [n]y To clear all administrative sessions through the console, type the following command:...
  • Page 260: Clear Sessions Network

    DWS-1008# clear sessions telnet This will terminate manager sessions, do you wish to continue? (y|n) [n]y To clear Telnet client session 0, type the following command: DWS-1008# clear sessions telnet client 0 See Also: • show sessions clear sessions network Clears all network sessions for a specified username or set of usernames, MAC address or set of MAC addresses, virtual LAN (VLAN) or set of VLANs, or session ID.
  • Page 261: Show Sessions

    Examples: To clear all sessions for MAC address 00:01:02:03:04:05, type the following command: DWS-1008# clear sessions network mac-addr 00:01:02:03:04:05 This will terminate manager sessions, do you wish to continue? (y|n) [n]y To clear session 9, type the following command: DWS-1008# clear sessions network session-id 9...
  • Page 262 DWS-1008# show sessions telnet TTty Username Time (s) ------- -------------------- -------- tty2 7395 To view information about Telnet client sessions, type the following command: DWS-1008# show sessions telnet client Session Server Address Server Port Client Port -------- -------------- ------------ ----------- 192.168.1.81 48000 10.10.1.22...
  • Page 263: Show Sessions Network

    Displays all network sessions for a MAC address. Specify a MAC address in mac-addr-glob hexadecimal numbers separated by colons (:). Or use the wildcard character (*) to specify a set of MAC addresses. (For details, see “MAC Address Globs” on page 7.)
  • Page 264 Authorization attribute values can be changed during authorization. If the values are changed, show sessions output shows the values that are actually in effect following any changes. Examples: To display summary information for all network sessions, type show sessions network. For example: DWS-1008# show sessions network User Sess IP or MAC...
  • Page 265 The following command displays summary information about the sessions for MAC address 00:05:5d:7e:98:1a: DWS-1008# show sessions network mac-addr 00:05:5d:7e:98:1a User Sess IP or MAC VLAN Port/ Name Address Name Radio ------------------------------ ---- ----------------- --------------- ----- EXAMPLE\Havel 10.10.10.40 vlan-eng The following command displays summary information about all the sessions of users whose...
  • Page 266 The following command displays information about network session 88: DWS-1008# show sessions network session-id 88 Local Id: Global Id: SESS-88-00040f-876766-623fd6 State: ACTIVE SSID: Rack-39-PM Port/Radio: 10/1 MAC Address: 00:0f:66:f4:71:6d User Name: last-resort-Rack-39-PM IP Address: 10.2.39.217 Vlan Name: default Tag: Session Start:...
  • Page 267 • location policy—Attribute value was assigned by a Location Policy. • service-profile—Attribute value is configured on the SSID, and was not overridden by other attribute sources (such as AAA or location policy). • Web Portal—Session is for a Web Portal client.
  • Page 268 Total number of unicast packets received from the user by the switch (64-bit counter). Unicast bytes in Total number of unicast bytes received from the user by the switch (64-bit counter). Unicast packets out Total number of unicast packets sent by the switch to the user (64-bit counter).
  • Page 269 Last packet data Signal-to-noise ratio of the last packet received by the access point. S/N ratio Protocol Wireless protocol used. Session CAC State of session-based Call Admission Control (CAC) on the SSID’s service profile.
  • Page 270: Rf Detection Commands

    A rogue access point is a BSSID (MAC address associated with an SSID) that does not belong to a D-Link device and is not a member of the ignore list configured on the seed switch. MSS can issue countermeasures against rogue devices to prevent clients from being able to use them.
  • Page 271: Clear Rfdetect Ignore

    MAC address you want to remove from the attack list. Defaults: None. Access: Enabled. Examples: The following command clears MAC address 11:22:33:44:55:66 from the attack list: DWS-1008# clear rfdetect attack-list 11:22:33:44:55:66 success: 11:22:33:44:55:66 is no longer in attacklist. See Also: • set rfdetect attack-list •...
  • Page 272 Defaults: None. Access: Enabled. Examples: The following command removes client OUI aa:bb:cc:00:00:00 from the permitted vendor list: DWS-1008# clear rfdetect vendor-list client aa:bb:cc:00:00:00 success: aa:bb:cc:00:00:00 is no longer in client vendor-list. See Also: • set rfdetect vendor-list • show rfdetect vendor-list...
  • Page 273 Examples: The following command adds MAC address aa:bb:cc:44:55:66 to the attack list: DWS-1008# set rfdetect attack-list 11:22:33:44:55:66 success: MAC 11:22:33:44:55:66 is now in attacklist. See Also: •...
  • Page 274: Set Rfdetect Ignore

    Syntax: set rfdetect ignore mac-addr mac-addr BSSID (MAC address) of the device to ignore. Defaults: MSS reports all non-D-Link BSSIDs detected during an RF scan. Access: Enabled. Usage: Use this command to identify third-party APs and other devices you are already aware of and do not want MSS to report following RF scans.
  • Page 275: Set Rfdetect Log

    Enables AP signatures. An AP signature is a set of bits in a management frame sent by an AP that identifies that AP to MSS. If someone attempts to spoof management packets from a D-Link AP, MSS can detect the spoof attempt.
  • Page 276 To enable signatures on all APs, enter the command on each switch. Note: You must use the same AP signature setting (enabled or disabled) on all switches. Examples: The following command enables AP signatures on a switch: DWS-1008# set rfdetect signature enable success: signature is now enabled. set rfdetect ssid-list Adds an SSID to the permitted SSID list.
  • Page 277 MAC address to the ignore list. Examples: The following command adds an entry for clients whose MAC addresses start with aa:bb:cc: DWS-1008# set rfdetect vendor-list client aa:bb:cc:00:00:00 success: MAC aa:bb:cc:00:00:00 is now in client vendor-list. The trailing 00:00:00 value is required.
  • Page 278: Show Rfdetect Clients

    Examples: The following example shows the attack list on switch: DWS-1008# show rfdetect attack-list Total number of entries: 1 Attacklist MAC Port/Radio/Chan RSSI SSID ----------------- ----------------- ------ ------------ 11:22:33:44:55:66 dap 2/1/11 rogue-ssid See Also: • clear rfdetect attack-list • set rfdetect attack-list show rfdetect black-list Displays information about the clients in the client black list.
  • Page 279 Client Mac Address: 00:0c:41:63:fd:6d, Vendor: Linksys Port: dap 1, Radio: 1, Channel: 11, RSSI: -82, Rate: 2, Last Seen (secs ago): 84 Bssid: 00:0b:0e:01:02:00, Vendor: D-Link, Type: intfr, Dst: ff:ff:ff:ff:ff:ff Last Rogue Status Check (secs ago): 3 The first line lists information for the client. The other lines list information about the most recent 802.11 packet detected from the client.
  • Page 280: Show Rfdetect Countermeasures

    MAC address. show rfdetect countermeasures Displays the current status of countermeasures against rogues. Syntax: show rfdetect countermeasures Defaults: None. Access: Enabled.
  • Page 281: Show Rfdetect Counters

    • known—Device that is a legitimate member of the network. Countermeasures Radio MAC address of the D-Link radio sending countermeasures against the rogue. System IP address of the switch that is managing the AP that is sending or will IPaddr send countermeasures.
  • Page 282 Examples: The following command shows counters for rogue activity detected by a switch: DWS-1008# show rfdetect countermeasures Type Current Total ------------------------------------------------------------------------------------------------------------ Rogue access points Interfering access points 1116 Rogue 802.11 clients Interfering 802.11 clients 802.11 adhoc clients Unknown 802.11 clients Interfering 802.11 clients seen on wired network...
  • Page 283 To display all devices that a specific D-Link radio has detected, even if the radio is managed by another switch, use the show rfdetect visible command. Only one MAC address is listed for each D-Link radio, even if the radio is beaconing multiple SSIDs.
  • Page 284: Show Rfdetect Ignore

    Syntax: show rfdetect ignore Defaults: None. Access: Enabled. Examples: The following example displays the list of ignored devices: DWS-1008# show rfdetect ignore Total number of entries: 2 Ignore MAC ----------------- aa:bb:cc:11:22:33...
  • Page 285 Displays the entries in the permitted SSID list. Syntax: show rfdetect ssid-list Defaults: None. Access: Enabled. Examples: The following example shows the permitted SSID list on switch: DWS-1008# show rfdetect ssid-list Total number of entries: 3 SSID ----------------- mycorp corporate...
  • Page 286: Show Rfdetect Visible

    Defaults: None. Access: Enabled. Usage: If a D-Link radio is supporting more than one SSID, each of the corresponding BSSIDs is listed separately. Examples: The following command displays information about the rogues detected by radio 1 on...
  • Page 287 Usage: Use this command to send test packets to a specified client. The output of the command indicates the number of test packets received and acknowledged by the c