3Com Corporation reserves the right to revise this documentation and to make changes in content from time
to time without obligation on the part of 3Com Corporation to provide notification of such revision or change.
3Com Corporation provides this documentation without warranty, term, or condition of any kind, either
implied or expressed, including, but not limited to, the implied warranties, terms or conditions of
merchantability, satisfactory quality, and fitness for a particular purpose. 3Com may make improvements or
changes in the product(s) and/or the program(s) described in this documentation at any time.
If there is any software on removable media described in this documentation, it is furnished under a license
agreement included with the product as a separate document, in the hard copy documentation, or on the
removable media in a directory file named LICENSE.TXT or !LICENSE.TXT. If you are unable to locate a copy,
please contact 3Com and a copy will be provided to you.
UNITED STATES GOVERNMENT LEGEND
If you are a United States government agency, then this documentation and the software described herein are
provided to you subject to the following:
All technical data and computer software are commercial in nature and developed solely at private expense.
Software is delivered as “Commercial Computer Software” as defined in DFARS 252.227-7014 (June 1995) or
as a “commercial item” as defined in FAR 2.101(a) and as such is provided with only such rights as are
provided in 3Com’s standard commercial license for the Software. Technical data is provided with limited rights
only as provided in DFAR 252.227-7015 (Nov 1995) or FAR 52.227-14 (June 1987), whichever is applicable.
You agree not to remove or deface any portion of any legend provided on any licensed program or
documentation contained in, or delivered to you in conjunction with, this User Guide.
Unless otherwise indicated, 3Com registered trademarks are registered in the United States and may or may not
be registered in other countries.
3Com and the 3Com logo are registered trademarks of 3Com Corporation.
Intel and Pentium are registered trademarks of Intel Corporation. Microsoft, MS-DOS, Windows, and Windows
NT are registered trademarks of Microsoft Corporation. Novell and NetWare are registered trademarks of
Novell, Inc. UNIX is a registered trademark in the United States and other countries, licensed exclusively
through X/Open Company, Ltd.
IEEE and 802 are registered trademarks of the Institute of Electrical and Electronics Engineers, Inc.
All other company and product names may be trademarks of the respective companies with which they are
associated.
ENVIRONMENTAL STATEMENT
It is the policy of 3Com Corporation to be environmentally friendly in all operations. To uphold our policy, we
are committed to:
Establishing environmental performance standards that comply with national legislation and regulations.
Conserving energy, materials and natural resources in all operations.
Reducing the waste generated by all operations.
Ensuring that all waste conforms to recognized environmental standards.
Maximizing the recyclable and reusable content of all products.
Ensuring that all products can be recycled, reused and disposed of safely.
Ensuring that all products are labelled according to recognized environmental standards.
Improving our environmental record on a continual basis.
End of Life Statement
3Com processes allow for the recovery, reclamation and safe disposal of all end-of-life electronic components.
Regulated Materials Statement
3Com products do not contain any hazardous or ozone-depleting material.
Environmental Statement about the Documentation
The documentation for this product is printed on paper that comes from sustainable, managed forests; it is
fully biodegradable and recyclable, and is completely chlorine-free. The varnish is environmentally friendly, and
the inks are vegetable-based with a low heavy-metal content.
CONTENTS
USING THE CLI
Overview
CLI Command Modes
Introduction
User EXEC Mode
Privileged EXEC
Global Configuration Mode
Interface Configuration and Specific Configuration Modes
Starting the CLI
Editing Features
Entering Commands
Terminal Command Buffer
Negating the Effect of Commands
Command Completion
Nomenclature
Keyboard Shortcuts
CLI Command Conventions
Copying and Pasting Text
AAA COMMANDS
aaa authentication login
aaa authentication enable
login authentication
enable authentication
ip http authentication
ip https authentication
show authentication methods
password
enable password
username
ACL COMMANDS
ip access-list
permit (ip)
deny (IP)
mac access-list
permit (MAC)
deny (MAC)
service-acl
show access-lists
show interfaces access-lists
ADDRESS TABLE COMMANDS
bridge address
bridge multicast filtering
bridge multicast address
bridge multicast forbidden address
bridge multicast forward-all
bridge multicast forbidden forward-all
bridge aging-time
clear bridge
port security
port security mode
port security routed secure-address
show bridge address-table
show bridge address-table static
show bridge address-table count
show bridge multicast address-table
show bridge multicast filtering
show ports security
show ports security addresses
ETHERNET CONFIGURATION COMMANDS
interface ethernet
interface range ethernet
shutdown
description
speed
duplex
negotiation
flowcontrol
mdix
clear counters
set interface active
show interfaces advertise
show interfaces configuration
show interfaces status
show interfaces description
show interfaces counters
port storm-control include-multicast (GC)
port storm-control include-multicast (IC)
port storm-control broadcast enable
port storm-control broadcast rate
show ports storm-control
LINE COMMANDS
line
speed
autobaud
exec-timeout
history
history size
terminal history
terminal history size
show line
PHY DIAGNOSTICS COMMANDS
test copper-port tdr
show copper-ports tdr
show copper-ports cable-length
show fiber-ports optical-transceiver
PORT CHANNEL COMMANDS
interface port-channel
interface range port-channel
channel-group
show interfaces port-channel
QOS COMMANDS
qos
show qos
class-map
show class-map
match
policy-map
class
show policy-map
trust cos-dscp
set
police
service-policy
qos aggregate-policer
show qos aggregate-policer
police aggregate
wrr-queue cos-map
wrr-queue bandwidth
priority-queue out num-of-queues
traffic-shape
rate-limit interface configuration
show qos interface
qos map policed-dscp
qos map dscp-queue
qos trust (Global)
qos trust (Interface)
qos cos
qos dscp-mutation
qos map dscp-mutation
security-suite enable
security-suite dos protect
security-suite deny martian-addresses
show rmon statistics
rmon collection history
show rmon collection history
show rmon history
rmon alarm
show rmon alarm-table
show rmon alarm
rmon event
show rmon events
show rmon log
rmon table-size
IGMP SNOOPING COMMANDS
ip igmp snooping (Global)
ip igmp snooping (Interface)
ip igmp snooping mrouter learn-pim-dvmrp
ip igmp snooping host-time-out
ip igmp snooping mrouter-time-out
ip igmp snooping leave-time-out
show ip igmp snooping mrouter
show ip igmp snooping interface
show ip igmp snooping groups
LACP COMMANDS
lacp system-priority
lacp port-priority
lacp timeout
show lacp ethernet
show lacp port-channel
POWER OVER ETHERNET COMMANDS
power inline
power inline powered-device
power inline priority
power inline usage-threshold
power inline traps enable
show power inline
snmp-server community
snmp-server view
snmp-server group
snmp-server user
snmp-server engineID local
snmp-server enable traps
snmp-server filter
snmp-server host
snmp-server v3-host
snmp-server trap authentication
snmp-server contact
snmp-server location
snmp-server set
show snmp
show snmp engineid
show snmp views
show snmp groups
show snmp filters
show snmp users
IP ADDRESS COMMANDS
ip address
ip address dhcp
ip default-gateway
show ip interface
arp
arp timeout
clear arp-cache
show arp
ip domain-name
ip name-server
MANAGEMENT ACL COMMANDS
management access-list
permit (Management)
deny (Management)
management access-class
show management access-list
show management access-class
WIRELESS ROGUE AP COMMANDS
rogue-detect enable (Radio)
rogue-detect rogue-scan-interval
wlan rogue-detect rogue-ap
clear wlan rogue-ap
show wlan rogue-aps configuration
show wlan rogue-aps list
show wlan rogue-aps neighborhood
WIRELESS ESS COMMANDS
wlan ess create
wlan ess configure
ssid
open vlan
qos
load-balancing
mac-filtering action
mac-filtering list
security suite create
security suite configure
vlan (Security-Suite ESS)
timer (Security-Suite ESS)
update-gkey-on-leave (Security-Suite ESS)
wpa2 pre-authentication
show wlan ess
show wlan ess mac-filtering lists
show wlan ess counters
WIRELESS AP GENERAL COMMANDS
clear wlan ap
wlan ap active
wlan ap key
wlan ap config
name
tunnel priority
wan enable
interface ethernet
vlan allowed
vlan native
wlan template ap configure
set wlan copy
show wlan aps
show wlan ap interface radio
show wlan ap interface ethernet
show wlan aps counters
show wlan aps discovered
show wlan template aps
SSH COMMANDS
ip ssh port
ip ssh server
crypto key generate dsa
crypto key generate rsa
ip ssh pubkey-auth
crypto key pubkey-chain ssh
user-key
key-string
show ip ssh
show crypto key mypubkey
show crypto key pubkey-chain ssh
WEB SERVER COMMANDS
ip http server
ip http port
ip http exec-timeout
ip https server
ip https port
crypto certificate generate
crypto certificate request
crypto certificate import
ip https certificate
show crypto certificate mycertificate
show ip http
show ip https
TACACS+ COMMANDS
tacacs-server host
tacacs-server key
tacacs-server timeout
tacacs-server source-ip
show tacacs
ping
traceroute
telnet
resume
reload
hostname
show users
show sessions
show system
show version
service cpu-utilization
show cpu utilization
wlan tx-power off
wlan country-code
wlan tx-power auto enable
wlan tx-power auto interval
wlan tx-power auto signal-strength
wlan tx-power auto signal-loss
wlan station idle-timeout
clear wlan station
show wlan
show wlan auto-tx-power
show wlan logging configuration
show wlan stations
show wlan stations counters
TROUBLESHOOTING
Problem Management
Troubleshooting Solutions
1
USING THE CLI
Overview
This document describes the Command Line Interface (CLI) used to
manage the 3Com Unified Gigabit Wireless PoE switch.
Most of the CLI commands are applicable to all devices.
This chapter describes how to start using the CLI and the CLI command
editing features.
CLI Command Modes
Introduction
To assist in configuring the device, the Command Line Interface (CLI) is
divided into different command modes. Each command mode has its
own set of specific commands. Entering a question mark ? at the system
prompt (console prompt) displays a list of commands available for that
particular command mode.
From each mode, a specific command is used to navigate from one
command mode to another. The standard order to access the modes is as
follows: User EXEC mode, Privileged EXEC mode, Global Configuration
mode, and Interface Configuration mode.
When starting a session, the initial mode is the User EXEC mode. Only a
limited subset of commands is available in User EXEC mode. This level is
reserved for tasks that do not change the configuration. To enter the next
level, the Privileged EXEC mode, a password is required.
The Privileged EXEC mode gives access to commands that are restricted
in User EXEC mode and provides access to the device Configuration
mode.
The Global Configuration mode manages the device configuration on a
global level.
The Interface Configuration mode configures specific interfaces in the
device.
User EXEC Mode
After logging into the device, the user is automatically in User EXEC
command mode unless the user is defined as a privileged user. In general,
the User EXEC commands allow the user to perform basic tests, and list
system information.
The user-level prompt consists of the device host name followed by the
angle bracket (>).
Console>
The default host name is Console unless it has been changed using the
hostname command in the Global Configuration mode.
Privileged EXEC
Privileged access is password protected to prevent unauthorized use
because many of the Privileged commands set operating system
parameters. The password is not displayed on the screen and is case
sensitive.
Privileged users enter directly into the Privileged EXEC mode. To enter the
Privileged EXEC mode from the User EXEC mode, perform the following
steps:
1 At the prompt enter the enable command and press <Enter>. A
password prompt is displayed.
2 Enter the password and press <Enter>. The password is displayed as *.
The Privileged EXEC mode prompt is displayed. The Privileged EXEC mode
prompt consists of the device host name followed by #.
3 To return from the Privileged EXEC mode to the User EXEC mode, use the
disable command.
The following example illustrates how to access the Privileged EXEC
mode and return to the User EXEC mode:
Console> enable
Enter Password: ******
Console#
Console# disable
Console>
4 The exit command is used to return from any mode to the previous
mode except when returning to the User EXEC mode from the Privileged
EXEC mode. For example, the exit command is used to return from the
Interface Configuration mode to the Global Configuration mode.
Global Configuration Mode
Global Configuration mode commands apply to features that affect the
system as a whole, rather than just a specific interface. The configure
Privileged EXEC mode command is used to enter the Global
Configuration mode.
To enter the Global Configuration mode perform the following steps:
1 At the Privileged EXEC mode prompt, enter the configure command and
press <Enter>. The Global Configuration mode prompt is displayed. The
Global Configuration mode prompt consists of the device host name
followed by (config) and #.
Console(config)#
2 To return from the Global Configuration mode to the Privileged EXEC
mode, the user can use one of the following commands:
■ exit
■ end
■ Ctrl+Z
The following example illustrates how to access the Global Configuration
mode and return to the Privileged EXEC mode:
Console#
Console# configure
Console(config)# exit
Console#
Interface Configuration and Specific Configuration Modes
Interface Configuration mode commands modify specific interface
operations. The following are the Interface Configuration modes:
■ Line Interface — Contains commands to configure the management
connections. These include commands such as line timeout settings,
etc. The line Global Configuration mode command is used to enter
the Line Configuration command mode.
■ VLAN Database — Contains commands to create a VLAN as a
whole. The vlan database Global Configuration mode command is
used to enter the VLAN Database Interface Configuration mode.
■ Management Access List — Contains commands to define
management access-lists. The management access-list Global
Configuration mode command is used to enter the Management
Access List Configuration mode.
■ Ethernet — Contains commands to manage port configuration. The
interface ethernet Global Configuration mode command is used to
enter the Interface Configuration mode to configure an Ethernet type
interface.
■ Port Channel — Contains commands to configure port-channels, for
example, assigning ports to a port-channel. Most of these commands
are the same as the commands in the Ethernet interface mode, and
are used to manage the member ports as a single entity. The
interface port-channel Global Configuration mode command is
used to enter the Port Channel Interface Configuration mode.
■ SSH Public Key-chain — Contains commands to manually specify
other device SSH public keys. The crypto key pubkey-chain ssh
Global Configuration mode command is used to enter the SSH Public
Key-chain Configuration mode.
■ QoS — Contains commands related to service definitions. The qos
Global Configuration mode command is used to enter the QoS
services configuration mode.
■ MAC Access-List — Configures conditions required to allow traffic
based on MAC addresses. The mac access-list Global Configuration
mode command is used to enter the MAC access-list configuration
mode.
Starting the CLI
The device can be managed over a direct connection to the device
console port or via a Telnet connection. The device is managed by
entering command keywords and parameters at the prompt. Using the
device command-line interface (CLI) is very similar to entering commands
on a UNIX system.
If access is via a Telnet connection, ensure that the device has a defined IP
address, corresponding management access is granted, and the
workstation used to access the device is connected to the device prior to
using CLI commands.
The following instructions are for use on the console line only.
To start using the CLI, perform the following steps:
1 Connect the DB9 null-modem or crossover cable from the RS-232 serial
port of the device to the RS-232 serial port of the terminal or computer
running the terminal emulation application.
a Set the data format to 8 data bits, 1 stop bit, and no parity.
b Set Flow Control to none.
c Under Properties, select VT100 for Emulation mode.
d Select Terminal keys for Function, Arrow, and Ctrl keys. Ensure
that the setting is for Terminal keys (not Windows keys).
Note: When using HyperTerminal with Microsoft® Windows 2000,
ensure that Windows® 2000 Service Pack 2 or later is installed. With
Windows 2000 Service Pack 2, the arrow keys function properly in
HyperTerminal’s VT100 emulation. Go to www.microsoft.com for
information on Windows 2000 service packs.
2 Enter the following commands to begin the configuration procedure:
Console> enable
Console# configure
Console(config)#
3 Configure the device and enter the necessary commands to complete the
required tasks.
4 When finished, exit the session with the exit command.
When a different user is required to log onto the system, use the login
Privileged EXEC mode command. This effectively logs off the current user
and logs on the new user.
Editing Features
Entering Commands
A CLI command is a series of keywords and arguments. Keywords identify
a command, and arguments specify configuration parameters. For
example, in the command show interfaces status ethernet g11,
show, interfaces and status are keywords, ethernet is an argument
that specifies the interface type, and g11 specifies the port.
To enter commands that require parameters, enter the required
parameters after the command keyword. For example, to set a password
for the administrator, enter:
Console(config)# username admin password alansmith
When working with the CLI, the command options are not displayed. The
command is not selected from a menu, but is manually entered. To see
what commands are available in each mode or within an Interface
Configuration, the CLI does provide a method of displaying the available
commands, the command syntax requirements and in some instances
parameters required to complete the command. The standard command
to request help is ?.
There are two instances where help information can be displayed:
■ Keyword lookup — The character ? is entered in place of a
command. A list of all valid commands and corresponding help
messages is displayed.
■ Partial keyword lookup — If a command is incomplete and the
character ? is entered in place of a parameter, the matched keywords
or parameters for this command are displayed.
To assist in using the CLI, there is an assortment of editing features. The
following features are described:
■ Terminal Command Buffer
■ Command Completion
■ Nomenclature
■ Keyboard Shortcuts
Terminal Command Buffer
Every time a command is entered in the CLI, it is recorded on an internally
managed Command History buffer. Commands stored in the buffer are
maintained on a First In First Out (FIFO) basis. These commands can be
recalled, reviewed, modified, and reissued. This buffer is not preserved
across device resets.
Keyword                  Description
Up-arrow key / Ctrl+P    Recalls commands in the history buffer,
                         beginning with the most recent command.
                         Repeats the key sequence to recall
                         successively older commands.
Down-arrow key           Returns to more recent commands in the
                         history buffer after recalling commands
                         with the up-arrow key. Repeating the key
                         sequence will recall successively more
                         recent commands.
By default, the history buffer system is enabled, but it can be disabled at
any time. For information about the command syntax to enable or disable
the history buffer, see history.
There is a standard default number of commands that are stored in the
buffer. The standard number of 10 commands can be increased to 216.
By configuring 0, the effect is the same as disabling the history buffer
system. For information about the command syntax for configuring the
command history buffer, see history size.
To display the history buffer, see “show history”.
Negating the Effect of Commands
For many configuration commands, the prefix keyword no can be
entered to cancel the effect of a command or reset the configuration to
the default value. This guide describes the negation effect for all
applicable commands.
Command Completion
If the command entered is incomplete, invalid or has missing or invalid
parameters, then the appropriate error message is displayed. This assists
in entering the correct command. Pressing the <Tab> key completes an
incomplete command. If the characters already entered are not
enough for the system to identify a single matching command, press ? to
display the available commands matching the characters already entered.
Nomenclature
When referring to an Ethernet port in a CLI command, the following
format is used:
■ For an Ethernet port: Ethernet_type port_number
The Ethernet type may be Gigabit Ethernet (indicated by “g”).
For example, g3 stands for Gigabit Ethernet port 3 on the device.
The ports may be described on an individual basis or within a range. Use
the format port number-port number to specify a set of consecutive ports
and port number, port number to indicate a set of non-consecutive
ports. For example, g1-3 stands for Gigabit Ethernet ports 1, 2 and 3, and
g1,5 stands for Gigabit Ethernet ports 1 and 5.
Keyboard Shortcuts
The CLI has a range of keyboard shortcuts to assist in editing the CLI
commands. The following table describes the CLI shortcuts.
Keyboard Key       Description
Up-arrow key       Recalls commands from the history buffer, beginning
                   with the most recent command. Repeat the key
                   sequence to recall successively older commands.
Down-arrow key     Returns the most recent commands from the history
                   buffer after recalling commands with the up arrow
                   key. Repeating the key sequence will recall
                   successively more recent commands.
Ctrl+A             Moves the cursor to the beginning of the command
                   line.
Ctrl+E             Moves the cursor to the end of the command line.
Ctrl+Z / End       Returns back to the Privileged EXEC mode from any
                   configuration mode.
Backspace key      Deletes one character to the left of the cursor
                   position.
CLI Command Conventions
When entering commands there are certain command entry standards
that apply to all commands. The following table describes the command
conventions.
Convention         Description
[ ]                In a command line, square brackets indicate an
                   optional entry.
{ }                In a command line, curly brackets indicate a
                   selection of compulsory parameters separated by the |
                   character. One option must be selected. For example:
                   flowcontrol {auto|on|off} means that for the
                   flowcontrol command either auto, on or off must be
                   selected.
Italic font        Indicates a parameter.
<Enter>            Indicates an individual key on the keyboard. For
                   example, <Enter> indicates the Enter key.
Ctrl+F4            Any combination keys pressed simultaneously on the
                   keyboard.
Screen Display     Indicates system messages and prompts appearing on
                   the console.
all                When a parameter is required to define a range of
                   ports or parameters and all is an option, the default
                   for the command is all when no parameters are
                   defined. For example, the command interface range
                   port-channel has the option of either entering a
                   range of channels, or selecting all. When the command
                   is entered without a parameter, it automatically
                   defaults to all.
Copying and Pasting Text
Up to 1000 lines of text (or commands) can be copied and pasted into
the device.
It is the user’s responsibility to ensure that the text copied into the device
consists of legal commands only.
This feature is dependent on the baud rate of the device.
When copying and pasting commands from a configuration file, make
sure that the following conditions exist:
■ A device Configuration mode has been accessed.
■ The commands contain no encrypted data, like encrypted passwords
or keys. Encrypted data cannot be copied and pasted into the device.
2
AAA COMMANDS
aaa authentication login
The aaa authentication login Global Configuration mode command
defines login authentication. To restore defaults, use the no form of this
command.
■ default — Uses the listed authentication methods that follow this
argument as the default list of methods when a user logs in.
■ list-name — Character string used to name the list of authentication
methods activated when a user logs in. (Range: 1-12 characters)
■ method1 [method2...] — Specify at least one method from the
following list:
Keyword    Description
enable     Uses the enable password for authentication.
line       Uses the line password for authentication.
local      Uses the local username database for authentication.
none       Uses no authentication.
radius     Uses the list of all RADIUS servers for authentication.
tacacs     Uses the list of all TACACS+ servers for authentication.
Default Configuration
The local user database is checked. This has the same effect as the
command aaa authentication login list-name local.
On the console, login succeeds without any authentication check if the
authentication method is not defined.
Command Mode
Global Configuration mode
User Guidelines
The default and optional list names created with the aaa authentication
login command are used with the login authentication command.
Create a list by entering the aaa authentication login list-name method
command for a particular protocol, where list-name is any character
string used to name this list. The method argument identifies the list of
methods that the authentication algorithm tries, in the given sequence.
The additional methods of authentication are used only if the previous
method returns an error, not if it fails. To ensure that the authentication
succeeds even if all methods return an error, specify none as the final
method in the command line.
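The fallback rule above (continue on error, stop on failure, none as the last method) can be traced with a small model. This is an added example, not 3Com code: the Outcome values, the function names and the per-method results fed to it are assumptions constructed for illustration; the method keywords and the sample command are the ones given on this page.

```python
from enum import Enum


class Outcome(Enum):
    PASS = "pass"    # method answered and accepted the credentials
    FAIL = "fail"    # method answered and rejected the credentials
    ERROR = "error"  # method gave no answer (assumed: e.g. server unreachable)


# Method keywords from the table in this section.
VALID_METHODS = {"enable", "line", "local", "none", "radius", "tacacs"}

# Sample command taken from the Example in this section.
PAGE_EXAMPLE = ("aaa authentication login default "
                "radius tacacs enable line local none")


def parse_login_list(command):
    """Split 'aaa authentication login <default|list-name> m1 [m2...]'."""
    words = command.split()
    if words[:3] != ["aaa", "authentication", "login"] or len(words) < 5:
        raise ValueError("not an aaa authentication login command")
    name, methods = words[3], words[4:]
    if not 1 <= len(name) <= 12:
        raise ValueError("list-name must be 1-12 characters")
    unknown = [m for m in methods if m not in VALID_METHODS]
    if unknown:
        raise ValueError("unknown method(s): " + ", ".join(unknown))
    return name, methods


def evaluate(methods, outcomes):
    """Walk the list in order, moving on only when a method returns ERROR.

    outcomes maps a method name to the Outcome it gives for this login
    attempt (constructed input; a missing entry is treated as ERROR).
    Returns (access_granted, deciding_method).
    """
    for method in methods:
        if method == "none":
            return True, "none"       # no authentication is performed
        result = outcomes.get(method, Outcome.ERROR)
        if result is Outcome.PASS:
            return True, method
        if result is Outcome.FAIL:
            return False, method      # a rejection ends the sequence
    return False, None                # every method returned an error


def audit(command):
    """Return review findings for one method-list configuration line."""
    name, methods = parse_login_list(command)
    findings = []
    if "none" in methods:
        pos = methods.index("none")
        if pos < len(methods) - 1:
            findings.append(f"{name}: methods after 'none' are never reached: "
                            + " ".join(methods[pos + 1:]))
        if pos == 0:
            findings.append(f"{name}: 'none' is first, so no login is "
                            "authenticated")
        else:
            findings.append(f"{name}: login is granted without credentials "
                            "when " + ", ".join(methods[:pos])
                            + " all return an error")
    return findings


if __name__ == "__main__":
    _, example_methods = parse_login_list(PAGE_EXAMPLE)
    print(evaluate(example_methods, {}))   # every method errors
    print(evaluate(example_methods, {"radius": Outcome.FAIL}))
    for finding in audit(PAGE_EXAMPLE):
        print(finding)
```

With the sample list, a rejection from the first server that answers denies the login, while errors from every configured method fall through to none and grant it; dropping none from the list turns that second case into a denial.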
Example
The following example configures the authentication login.
Console(config)# aaa authentication login default radius tacacs enable line local none
aaa authentication enable
The aaa authentication enable Global Configuration mode command
defines authentication method lists for accessing higher privilege levels.
To restore defaults, use the no form of this command.