3COM WX1200 3CRWX120695A, WX4400 3CRWX440095A, WX2200 3CRWX220095A, WXR100 3CRWXR10095A User Manual

Wireless LAN Mobility System
Wireless LAN Switch and Controller Configuration Guide
WX4400 3CRWX440095A WX2200 3CRWX220095A WX1200 3CRWX120695A WXR100 3CRWXR10095A
http://www.3Com.com/
Part No. 10015909 Published June 2007
3Com Corporation 350 Campus Drive Marlborough, MA USA 01752-3064
Copyright © 2007, 3Com Corporation. All rights reserved. No part of this documentation may be reproduced in any form or by any means or used to make any derivative work (such as translation, transformation, or adaptation) without written permission from 3Com Corporation.
3Com Corporation reserves the right to revise this documentation and to make changes in content from time to time without obligation on the part of 3Com Corporation to provide notification of such revision or change.
3Com Corporation provides this documentation without warranty, term, or condition of any kind, either implied or expressed, including, but not limited to, the implied warranties, terms or conditions of merchantability, satisfactory quality, and fitness for a particular purpose. 3Com may make improvements or changes in the product(s) and/or the program(s) described in this documentation at any time.
If there is any software on removable media described in this documentation, it is furnished under a license agreement included with the product as a separate document, in the hard copy documentation, or on the removable media in a directory file named LICENSE.TXT or !LICENSE.TXT. If you are unable to locate a copy, please contact 3Com and a copy will be provided to you.
UNITED STATES GOVERNMENT LEGEND
If you are a United States government agency, then this documentation and the software described herein are provided to you subject to the following:
All technical data and computer software are commercial in nature and developed solely at private expense. Software is delivered as “Commercial Computer Software” as defined in DFARS 252.227-7014 (June 1995) or as a “commercial item” as defined in FAR 2.101(a) and as such is provided with only such rights as are provided in 3Com’s standard commercial license for the Software. Technical data is provided with limited rights only as provided in DFAR 252.227-7015 (Nov 1995) or FAR 52.227-14 (June 1987), whichever is applicable. You agree not to remove or deface any portion of any legend provided on any licensed program or documentation contained in, or delivered to you in conjunction with, this User Guide.
Unless otherwise indicated, 3Com registered trademarks are registered in the United States and may or may not be registered in other countries.
3Com is a registered trademark of 3Com Corporation. The 3Com logo is a trademark of 3Com Corporation. Mobility Domain, Managed Access Point, Mobility Profile, Mobility System, Mobility System Software, MP, MSS, and SentrySweep are trademarks of Trapeze Networks, Inc. Intel and Pentium are registered trademarks of Intel Corporation. Microsoft, MS-DOS, Windows, Windows XP, and Windows NT are registered trademarks of Microsoft Corporation. All other company and product names may be trademarks of the respective companies with which they are associated.
ENVIRONMENTAL STATEMENT
It is the policy of 3Com Corporation to be environmentally-friendly in all operations. To uphold our policy, we are committed to:
Establishing environmental performance standards that comply with national legislation and regulations.
Conserving energy, materials and natural resources in all operations.
Reducing the waste generated by all operations.
Ensuring that all waste conforms to recognized environmental standards.
Maximizing the recyclable and reusable content of all products.
Ensuring that all products can be recycled, reused and disposed of safely.
Ensuring that all products are labelled according to recognized environmental standards.
Improving our environmental record on a continual basis.
End of Life Statement
3Com processes allow for the recovery, reclamation and safe disposal of all end-of-life electronic components.
Regulated Materials Statement
3Com products do not contain any hazardous or ozone-depleting material.
Environmental Statement about the Documentation
The documentation for this product is printed on paper that comes from sustainable, managed forests; it is fully biodegradable and recyclable, and is completely chlorine-free. The varnish is environmentally-friendly, and the inks are vegetable-based with a low heavy-metal content.
CONTENTS
ABOUT THIS GUIDE
Conventions 23
Documentation 24
Documentation Comments 25
1 USING THE COMMAND-LINE INTERFACE
Overview 27
CLI Conventions 27
Command Prompts 28
Syntax Notation 28
Text Entry Conventions and Allowed Characters 28
User Globs, MAC Address Globs, and VLAN Globs 30
Port Lists 32
Virtual LAN Identification 33
Command-Line Editing 33
Keyboard Shortcuts 33
History Buffer 34
Tabs 34
Single-Asterisk (*) Wildcard Character 34
Double-Asterisk (**) Wildcard Characters 34
Using CLI Help 34
Understanding Command Descriptions 36
2 WX SETUP METHODS
Overview 37
Quick Starts 37
3Com Wireless Switch Manager 38
CLI 38
Web Manager 38
How a WX Switch Gets its Configuration 39
Web Quick Start (WXR100, WX1200 and WX2200 Only) 40
Web Quick Start Parameters 40
Web Quick Start Requirements 41
Accessing the Web Quick Start 41
CLI quickstart Command 44
Quickstart Example 46
Remote WX Configuration 49
Opening the QuickStart Network Plan in 3Com Wireless Switch Manager 49
3 CONFIGURING AAA FOR ADMINISTRATIVE AND LOCAL ACCESS
Overview 51
Before You Start 54
About Administrative Access 54
Access Modes 54
Types of Administrative Access 54
First-Time Configuration via the Console 55
Enabling an Administrator 55
Setting the WX Switch Enable Password 56
Authenticating at the Console 57
Customizing AAA with “Globs” and Groups 58
Setting User Passwords 58
Adding and Clearing Local Users for Administrative Access 59
Configuring Accounting for Administrative Users 59
Displaying the AAA Configuration 61
Saving the Configuration 61
Administrative AAA Configuration Scenarios 62
Local Authentication 62
Local Authentication for Console Users and RADIUS Authentication for Telnet Users 62
Authentication When RADIUS Servers Do Not Respond 63
Local Override and Backup Local Authentication 64
4 MANAGING USER PASSWORDS
Overview 65
Configuring Passwords 66
Setting Passwords for Local Users 66
Enabling Password Restrictions 67
Setting the Maximum Number of Login Attempts 67
Specifying Minimum Password Length 68
Configuring Password Expiration Time 69
Restoring Access to a Locked-Out User 70
Displaying Password Information 70
5 CONFIGURING AND MANAGING PORTS AND VLANS
Configuring and Managing Ports 71
Setting the Port Type 71
Configuring a Port Name 77
Configuring Interface Preference on a Dual-Interface Gigabit Ethernet Port (WX4400 only) 78
Configuring Port Operating Parameters 79
Displaying Port Information 81
Configuring Load-Sharing Port Groups 85
Configuring and Managing VLANs 87
Understanding VLANs in 3Com MSS 87
Configuring a VLAN 91
Changing Tunneling Affinity 93
Restricting Layer 2 Forwarding Among Clients 94
Displaying VLAN Information 95
Managing the Layer 2 Forwarding Database 96
Types of Forwarding Database Entries 96
How Entries Enter the Forwarding Database 96
Displaying Forwarding Database Information 97
Adding an Entry to the Forwarding Database 98
Removing Entries from the Forwarding Database 98
Configuring the Aging Timeout Period 99
Port and VLAN Configuration Scenario 100
6 CONFIGURING AND MANAGING IP INTERFACES AND SERVICES
MTU Support 103
Configuring and Managing IP Interfaces 104
Adding an IP Interface 104
Disabling or Reenabling an IP Interface 107
Removing an IP Interface 107
Displaying IP Interface Information 107
Configuring the System IP Address 108
Designating the System IP Address 108
Displaying the System IP Address 108
Clearing the System IP Address 108
Configuring and Managing IP Routes 108
Displaying IP Routes 110
Adding a Static Route 111
Removing a Static Route 112
Managing the Management Services 113
Managing SSH 113
Managing Telnet 116
Managing HTTPS 118
Changing the Idle Timeout for CLI Management Sessions 119
Setting a Message of the Day (MOTD) Banner 120
Prompting the User to Acknowledge the MOTD Banner 120
Configuring and Managing DNS 121
Enabling or Disabling the DNS Client 121
Configuring DNS Servers 121
Configuring a Default Domain Name 122
Displaying DNS Server Information 122
Configuring and Managing Aliases 123
Adding an Alias 123
Removing an Alias 123
Displaying Aliases 123
Configuring and Managing Time Parameters 124
Setting the Time Zone 125
Configuring the Summertime Period 125
Statically Configuring the System Time and Date 127
Displaying the Time and Date 127
Configuring and Managing NTP 127
Adding an NTP Server 128
Removing an NTP Server 128
Changing the NTP Update Interval 128
Resetting the Update Interval to the Default 129
Enabling the NTP Client 129
Displaying NTP Information 129
Managing the ARP Table 130
Displaying ARP Table Entries 130
Adding an ARP Entry 131
Changing the Aging Timeout 131
Pinging Another Device 132
Logging In to a Remote Device 132
Tracing a Route 133
IP Interfaces and Services Configuration Scenario 135
7 CONFIGURING SNMP
Overview 139
Configuring SNMP 139
Setting the System Location and Contact Strings 140
Enabling SNMP Versions 140
Configuring Community Strings (SNMPv1 and SNMPv2c Only) 140
Creating a USM User for SNMPv3 141
Setting SNMP Security 143
Configuring a Notification Profile 144
Configuring a Notification Target 148
Enabling the SNMP Service 151
Displaying SNMP Information 151
Displaying SNMP Version and Status Information 151
Displaying the Configured SNMP Community Strings 151
Displaying USM Settings 151
Displaying Notification Profiles 152
Displaying Notification Targets 152
Displaying SNMP Statistics Counters 152
8 CONFIGURING AND MANAGING MOBILITY DOMAIN ROAMING
About the Mobility Domain Feature 153
Configuring a Mobility Domain 154
Configuring the Seed 154
Configuring Member WX Switches on the Seed 155
Configuring a Member 155
Configuring Mobility Domain Seed Redundancy 156
Displaying Mobility Domain Status 157
Displaying the Mobility Domain Configuration 157
Clearing a Mobility Domain from a WX Switch 157
Clearing a Mobility Domain Member from a Seed 157
Configuring WX-WX Security 158
Monitoring the VLANs and Tunnels in a Mobility Domain 159
Displaying Roaming Stations 159
Displaying Roaming VLANs and Their Affinities 160
Displaying Tunnel Information 160
Understanding the Sessions of Roaming Users 161
Requirements for Roaming to Succeed 161
Effects of Timers on Roaming 162
Monitoring Roaming Sessions 162
Mobility Domain Scenario 163
9 CONFIGURING NETWORK DOMAINS
About the Network Domain Feature 165
Network Domain Seed Affinity 168
Configuring a Network Domain 169
Configuring Network Domain Seeds 169
Specifying Network Domain Seed Peers 170
Configuring Network Domain Members 171
Displaying Network Domain Information 172
Clearing Network Domain Configuration from a WX Switch 173
Clearing a Network Domain Seed from a WX Switch 173
Clearing a Network Domain Peer from a Network Domain Seed 173
Clearing Network Domain Seed or Member Configuration from a WX Switch 173
Network Domain Scenario 174
10 CONFIGURING MAP ACCESS POINTS
MAP Overview 177
Country of Operation 179
Directly Connected MAPs and Distributed MAPs 179
Boot Process for Distributed MAPs 189
Contacting a WX Switch 190
Loading and Activating an Operational Image 195
Obtaining Configuration Information from the WX Switch 195
Service Profiles 202
Radio Profiles 209
Configuring MAPs 213
Specifying the Country of Operation 213
Configuring an Auto-AP Profile for Automatic MAP Configuration 218
Configuring MAP Port Parameters 224
Configuring MAP-WX Security 229
Configuring a Service Profile 233
Configuring a Radio Profile 240
Configuring Radio-Specific Parameters 246
Mapping the Radio Profile to Service Profiles 249
Assigning a Radio Profile and Enabling Radios 249
Disabling or Reenabling Radios 250
Enabling or Disabling Individual Radios 250
Disabling or Reenabling All Radios Using a Profile 250
Resetting a Radio to its Factory Default Settings 251
Restarting a MAP 251
Configuring Local Packet Switching on MAPs 252
Configuring Local Switching 253
Displaying MAP Information 256
Displaying MAP Configuration Information 256
Displaying Connection Information for Distributed MAPs 257
Displaying a List of Distributed MAPs that Are Not Configured 258
Displaying Active Connection Information for Distributed MAPs 258
Displaying Service Profile Information 259
Displaying Radio Profile Information 260
Displaying MAP Status Information 260
Displaying Static IP Address Information for Distributed MAPs 261
Displaying MAP Statistics Counters 262
Displaying the Forwarding Database for a MAP 264
Displaying VLAN Information for a MAP 264
Displaying ACL Information for a MAP 265
11 CONFIGURING RF LOAD BALANCING FOR MAPS
RF Load Balancing Overview 267
Configuring RF Load Balancing 268
Disabling or Re-Enabling RF Load Balancing 268
Assigning Radios to Load Balancing Groups 269
Specifying Band Preference for RF Load Balancing 269
Setting Strictness for RF Load Balancing 270
Exempting an SSID from RF Load Balancing 271
Displaying RF Load Balancing Information 271
12 CONFIGURING WLAN MESH SERVICES
WLAN Mesh Services Overview 273
Configuring WLAN Mesh Services 274
Configuring the Mesh AP 275
Configuring the Service Profile for Mesh Services 276
Configuring Security 276
Enabling Link Calibration Packets on the Mesh Portal MAP 277
Deploying the Mesh AP 277
Configuring Wireless Bridging 278
Displaying WLAN Mesh Services Information 279
13 CONFIGURING USER ENCRYPTION
Overview 281
Configuring WPA 284
WPA Cipher Suites 284
TKIP Countermeasures 287
WPA Authentication Methods 288
WPA Information Element 288
Client Support 289
Configuring WPA 290
Configuring RSN (802.11i) 296
Creating a Service Profile for RSN 296
Enabling RSN 296
Specifying the RSN Cipher Suites 297
Changing the TKIP Countermeasures Timer Value 298
Enabling PSK Authentication 298
Displaying RSN Settings 298
Assigning the Service Profile to Radios and Enabling the Radios 298
Configuring WEP 299
Setting Static WEP Key Values 301
Assigning Static WEP Keys 301
Encryption Configuration Scenarios 302
Enabling WPA with TKIP 302
Enabling Dynamic WEP in a WPA Network 304
Configuring Encryption for MAC Clients 306
14 CONFIGURING RF AUTO-TUNING
Overview 311
Initial Channel and Power Assignment 311
Channel and Power Tuning 312
RF Auto-Tuning Parameters 314
Changing RF Auto-Tuning Settings 316
Selecting Available Channels on the 802.11a Radio 316
Changing Channel Tuning Settings 316
Changing Power Tuning Settings 317
Locking Down Tuned Settings 318
Displaying RF Auto-Tuning Information 319
Displaying RF Auto-Tuning Settings 319
Displaying RF Neighbors 320
Displaying RF Attributes 321
15 CONFIGURING MAPS TO BE AEROSCOUT LISTENERS
Configuring MAP Radios to Listen for AeroScout RFID Tags 324
Locating an RFID Tag 325
Using an AeroScout Engine 325
Using 3Com Wireless Switch Manager 325
16 CONFIGURING QUALITY OF SERVICE
About QoS 327
Summary of QoS Features 327
QoS Mode 330
WMM QoS Mode 331
WMM QoS on a MAP 337
Call Admission Control 340
Broadcast Control 341
Static CoS 341
Overriding CoS 341
Changing QoS Settings 342
Changing the QoS Mode 342
Enabling U-APSD Support 342
Configuring Call Admission Control 343
Configuring Static CoS 343
Changing CoS Mappings 344
Using the Client’s DSCP Value to Classify QoS Level 344
Enabling Broadcast Control 345
Displaying QoS Information 345
Displaying a Radio Profile’s QoS Settings 345
Displaying a Service Profile’s QoS Settings 346
Displaying CoS Mappings 347
Displaying the DSCP Table 349
Displaying MAP Forwarding Queue Statistics 349
17 CONFIGURING AND MANAGING SPANNING TREE PROTOCOL
Overview 351
Enabling the Spanning Tree Protocol 352
Changing Standard Spanning Tree Parameters 352
Bridge Priority 352
Port Cost 353
Port Priority 353
Changing the Bridge Priority 353
Changing STP Port Parameters 354
Changing Spanning Tree Timers 357
Configuring and Managing STP Fast Convergence Features 358
Configuring Port Fast Convergence 359
Displaying Port Fast Convergence Information 360
Configuring Backbone Fast Convergence 360
Displaying the Backbone Fast Convergence State 360
Configuring Uplink Fast Convergence 361
Displaying Uplink Fast Convergence Information 361
Displaying Spanning Tree Information 361
Displaying STP Bridge and Port Information 361
Displaying the STP Port Cost on a VLAN Basis 362
Displaying Blocked STP Ports 363
Displaying Spanning Tree Statistics 363
Clearing STP Statistics 365
Spanning Tree Configuration Scenario 365
18 CONFIGURING AND MANAGING IGMP SNOOPING
Overview 369
Disabling or Reenabling IGMP Snooping 369
Disabling or Reenabling Proxy Reporting 370
Enabling the Pseudo-Querier 370
Changing IGMP Timers 370
Changing the Query Interval 371
Changing the Other-Querier-Present Interval 371
Changing the Query Response Interval 371
Changing the Last Member Query Interval 371
Changing Robustness 371
Enabling Router Solicitation 372
Changing the Router Solicitation Interval 372
Configuring Static Multicast Ports 372
Adding or Removing a Static Multicast Router Port 373
Adding or Removing a Static Multicast Receiver Port 373
Displaying Multicast Information 373
Displaying Multicast Configuration Information and Statistics 373
Displaying Multicast Queriers 375
Displaying Multicast Routers 375
Displaying Multicast Receivers 376
19 CONFIGURING AND MANAGING SECURITY ACLS
About Security Access Control Lists 377
Overview of Security ACL Commands 377
Security ACL Filters 378
Order in Which ACLs are Applied to Traffic 379
Creating and Committing a Security ACL 380
Setting a Source IP ACL 380
Setting an ICMP ACL 383
Setting TCP and UDP ACLs 385
Determining the ACE Order 386
Committing a Security ACL 387
Viewing Security ACL Information 387
Clearing Security ACLs 390
Mapping Security ACLs 390
Mapping User-Based Security ACLs 390
Mapping Security ACLs to Ports, VLANs, Virtual Ports, or Distributed MAPs 392
Modifying a Security ACL 394
Adding Another ACE to a Security ACL 394
Placing One ACE before Another 395
Modifying an Existing Security ACL 396
Clearing Security ACLs from the Edit Buffer 397
Using ACLs to Change CoS 399
Filtering Based on DSCP Values 399
Enabling Prioritization for Legacy Voice over IP 401
General Guidelines 402
Enabling VoIP Support for TeleSym VoIP 403
Enabling SVP Optimization for SpectraLink Phones 404
Restricting Client-To-Client Forwarding Among IP-Only Clients 409
Security ACL Configuration Scenario 410
20 MANAGING KEYS AND CERTIFICATES
Why Use Keys and Certificates? 413
Wireless Security through TLS 414
PEAP-MS-CHAP-V2 Security 414
About Keys and Certificates 415
Public Key Infrastructures 416
Public and Private Keys 416
Digital Certificates 416
PKCS #7, PKCS #10, and PKCS #12 Object Files 417
Certificates Automatically Generated by MSS 418
Creating Keys and Certificates 419
Choosing the Appropriate Certificate Installation Method for Your Network 420
Creating Public-Private Key Pairs 421
Generating Self-Signed Certificates 422
Installing a Key Pair and Certificate from a PKCS #12 Object File 423
Creating a CSR and Installing a Certificate from a PKCS #7 Object File 424
Installing a CA’s Own Certificate 425
Displaying Certificate and Key Information 426
Key and Certificate Configuration Scenarios 427
Creating Self-Signed Certificates 427
Installing CA-Signed Certificates from PKCS #12 Object Files 429
Installing CA-Signed Certificates Using a PKCS #10 Object File (CSR) and a PKCS #7 Object File 431
21 CONFIGURING AAA FOR NETWORK USERS
About AAA for Network Users 433
Authentication 433
Authorization 438
Accounting 440
Summary of AAA Features 440
AAA Tools for Network Users 441
“Globs” and Groups for Network User Classification 442
AAA Methods for IEEE 802.1X and Web Network Access 442
IEEE 802.1X Extensible Authentication Protocol Types 446
Ways a WX Switch Can Use EAP 447
Effects of Authentication Type on Encryption Method 448
Configuring 802.1X Authentication 449
Configuring EAP Offload 449
Using Pass-Through 450
Authenticating via a Local Database 450
Binding User Authentication to Machine Authentication 451
Configuring Authentication and Authorization by MAC Address 456
Adding and Clearing MAC Users and User Groups Locally 456
Configuring MAC Authentication and Authorization 457
Changing the MAC Authorization Password for RADIUS 459
Configuring Web Portal WebAAA 460
How WebAAA Portal Works 460
WebAAA Requirements and Recommendations 462
Configuring Web Portal WebAAA 467
Using a Custom Login Page 471
Using Dynamic Fields in WebAAA Redirect URLs 475
Using an ACL Other Than portalacl 476
Configuring the Web Portal WebAAA Session Timeout Period 477
Configuring the Web Portal Logout Function 478
Configuring Last-Resort Access 479
Configuring Last-Resort Access for Wired Authentication Ports 481
Configuring AAA for Users of Third-Party APs 482
Authentication Process for Users of a Third-Party AP 482
Requirements 483
Configuring Authentication for 802.1X Users of a Third-Party AP with Tagged SSIDs 484
Configuring Authentication for Non-802.1X Users of a Third-Party AP with Tagged SSIDs 487
Configuring Access for Any Users of a Non-Tagged SSID 487
Assigning Authorization Attributes 487
Assigning Attributes to Users and Groups 492
Assigning SSID Default Attributes to a Service Profile 493
Assigning a Security ACL to a User or a Group 494
Clearing a Security ACL from a User or Group 495
Assigning Encryption Types to Wireless Users 496
Keeping Users on the Same VLAN Even After Roaming 498
Overriding or Adding Attributes Locally with a Location Policy 499
About the Location Policy 500
How the Location Policy Differs from a Security ACL 500
Setting the Location Policy 501
Clearing Location Policy Rules and Disabling the Location Policy 503
Configuring Accounting for Wireless Network Users 504
Viewing Local Accounting Records 505
Viewing Roaming Accounting Records 505
Displaying the AAA Configuration 507
Avoiding AAA Problems in Configuration Order 508
Using the Wildcard “Any” as the SSID Name in Authentication Rules 508
Using Authentication and Accounting Rules Together 508
Configuring a Mobility Profile 510
Network User Configuration Scenarios 512
General Use of Network User Commands 512
Enabling RADIUS Pass-Through Authentication 514
Enabling PEAP-MS-CHAP-V2 Authentication 514
Enabling PEAP-MS-CHAP-V2 Offload 515
Combining EAP Offload with Pass-Through Authentication 516
Overriding AAA-Assigned VLANs 516
22 CONFIGURING COMMUNICATION WITH RADIUS
RADIUS Overview 519
Before You Begin 521
Configuring RADIUS Servers 521
Configuring Global RADIUS Defaults 522
Setting the System IP Address as the Source Address 523
Configuring Individual RADIUS Servers 523
Deleting RADIUS Servers 524
Configuring RADIUS Server Groups 524
Creating Server Groups 525
Deleting a Server Group 527
RADIUS and Server Group Configuration Scenario 528
23 MANAGING 802.1X ON THE WX SWITCH
Managing 802.1X on Wired Authentication Ports 531
Enabling and Disabling 802.1X Globally 531
Setting 802.1X Port Control 532
Managing 802.1X Encryption Keys 533
Enabling 802.1X Key Transmission 533
Configuring 802.1X Key Transmission Time Intervals 533
Managing WEP Keys 534
Setting EAP Retransmission Attempts 535
Managing 802.1X Client Reauthentication 536
Enabling and Disabling 802.1X Reauthentication 536
Setting the Maximum Number of 802.1X Reauthentication Attempts 536
Setting the 802.1X Reauthentication Period 537
Setting the Bonded Authentication Period 538
Managing Other Timers 538
Setting the 802.1X Quiet Period 538
Setting the 802.1X Timeout for an Authorization Server 539
Setting the 802.1X Timeout for a Client 539
Displaying 802.1X Information 540
Viewing 802.1X Clients 540
Viewing the 802.1X Configuration 540
Viewing 802.1X Statistics 541
24 CONFIGURING SODA ENDPOINT SECURITY FOR A WX SWITCH
About SODA Endpoint Security 543
SODA Endpoint Security Support on WX Switches 544
How SODA Functionality Works on WX Switches 545
Configuring SODA Functionality 546
Configuring Web Portal WebAAA for the Service Profile 547
Creating the SODA Agent with SODA Manager 547
Copying the SODA Agent to the WX Switch 549
Installing the SODA Agent Files on the WX Switch 549
Enabling SODA Functionality for the Service Profile 550
Disabling Enforcement of SODA Agent Checks 550
Specifying a SODA Agent Success Page 551
Specifying a SODA Agent Failure Page 551
Specifying a Remediation ACL 552
Specifying a SODA Agent Logout Page 553
Specifying an Alternate SODA Agent Directory for a Service Profile 554
Uninstalling the SODA Agent Files from the WX Switch 554
Displaying SODA Configuration Information 555
25 MANAGING SESSIONS
About the Session Manager 557
Displaying and Clearing Administrative Sessions 557
Displaying and Clearing All Administrative Sessions 558
Displaying and Clearing an Administrative Console Session 558
Displaying and Clearing Administrative Telnet Sessions 559
Displaying and Clearing Client Telnet Sessions 559
Displaying and Clearing Network Sessions 560
Displaying Verbose Network Session Information 561
Displaying and Clearing Network Sessions by Username 562
Displaying and Clearing Network Sessions by MAC Address 563
Displaying and Clearing Network Sessions by VLAN Name 563
Displaying and Clearing Network Sessions by Session ID 564
Displaying and Changing Network Session Timers 565
Disabling Keepalive Probes 566
Changing or Disabling the User Idle Timeout 566
26 ROGUE DETECTION AND COUNTERMEASURES
Overview 567
About Rogues and RF Detection 567
Rogue Access Points and Clients 567
RF Detection Scans 571
Countermeasures 572
Mobility Domain Requirement 572
Summary of Rogue Detection Features 573
Configuring Rogue Detection Lists 574
Configuring a Permitted Vendor List 574
Configuring a Permitted SSID List 576
Configuring a Client Black List 577
Configuring an Attack List 578
Configuring an Ignore List 579
Enabling Countermeasures 580
Using On-Demand Countermeasures in a Mobility Domain 581
Disabling or Reenabling Active Scan 582
Enabling MAP Signatures 582
Creating an Encrypted RF Fingerprint Key as a MAP Signature 583
Disabling or Reenabling Logging of Rogues 584
Enabling Rogue and Countermeasures Notifications 584
IDS and DoS Alerts 584
Flood Attacks 585
DoS Attacks 585
Netstumbler and Wellenreiter Applications 586
Wireless Bridge 586
Ad-Hoc Network 586
Weak WEP Key Used by Client 587
Disallowed Devices or SSIDs 587
Displaying Statistics Counters 587
IDS Log Message Examples 587
Displaying RF Detection Information 590
Displaying Rogue Clients 592
Displaying Rogue Detection Counters 593
Displaying SSID or BSSID Information for a Mobility Domain 594
Displaying RF Detect Data 596
Displaying the APs Detected by MAP Radio 596
Displaying Countermeasures Information 597
27 MANAGING SYSTEM FILES
About System Files 599
Displaying Software Version Information 599
Displaying Boot Information 601
Working with Files 602
Displaying a List of Files 602
Copying a File 604
Using an Image File’s MD5 Checksum To Verify Its Integrity 606
Deleting a File 607
Creating a Subdirectory 608
Removing a Subdirectory 608
Managing Configuration Files 609
Displaying the Running Configuration 609
Saving Configuration Changes 610
Specifying the Configuration File to Use After the Next Reboot 611
Loading a Configuration File 611
Specifying a Backup Configuration File 612
Resetting to the Factory Default Configuration 612
Backing Up and Restoring the System 613
Managing Configuration Changes 615
Backup and Restore Examples 615
Upgrading the System Image 616
Preparing the WX Switch for the Upgrade 616
Upgrading an Individual Switch Using the CLI 617
Command Changes During Upgrade 618
A TROUBLESHOOTING A WX SWITCH
Fixing Common WX Setup Problems 619
Recovering the System When the Enable Password is Lost 622
WXR100 622
WX1200, WX2200, or WX4400 622
Configuring and Managing the System Log 623
Log Message Components 623
Logging Destinations and Levels 623
Using Log Commands 625
Running Traces 631
Using the Trace Command 631
Displaying a Trace 632
Stopping a Trace 632
About Trace Results 633
Displaying Trace Results 633
Copying Trace Results to a Server 634
Clearing the Trace Log 634
List of Trace Areas 634
Using display Commands 635
Viewing VLAN Interfaces 635
Viewing AAA Session Statistics 635
Viewing FDB Information 636
Viewing ARP Information 636
Port Mirroring 637
Configuration Requirements 637
Configuring Port Mirroring 637
Displaying the Port Mirroring Configuration 637
Clearing the Port Mirroring Configuration 637
Remotely Monitoring Traffic 638
How Remote Traffic Monitoring Works 638
Best Practices for Remote Traffic Monitoring 639
Configuring a Snoop Filter 639
Mapping a Snoop Filter to a Radio 641
Enabling or Disabling a Snoop Filter 643
Displaying Remote Traffic Monitoring Statistics 643
Preparing an Observer and Capturing Traffic 643
Capturing System Information and Sending it to Technical Support 645
The display tech-support Command 645
Core Files 646
Debug Messages 647
Sending Information to 3Com Technical Support 648
B ENABLING AND LOGGING INTO WEB VIEW
System Requirements 649
Browser Requirements 649
WX Switch Requirements 649
Logging Into Web View 650
C SUPPORTED RADIUS ATTRIBUTES
Attributes 651
Supported Standard and Extended Attributes 652
3Com Vendor-Specific Attributes 659
D TRAFFIC PORTS USED BY MSS
E DHCP SERVER
How the MSS DHCP Server Works 664
Configuring the DHCP Server 665
Displaying DHCP Server Information 666
F OBTAINING SUPPORT FOR YOUR 3COM PRODUCTS
Register Your Product to Gain Service Benefits 667
Solve Problems Online 667
Purchase Extended Warranty and Professional Services 668
Access Software Downloads 668
Contact Us 668
Telephone Technical Support and Repair 669
GLOSSARY
INDEX
COMMAND INDEX

ABOUT THIS GUIDE

This guide describes the configuration commands for the 3Com Wireless LAN Switches WXR100 and WX1200 and the 3Com Wireless LAN Controllers WX4400 and WX2200.
This guide is intended for system integrators who are configuring the WXR100, WX1200, WX4400, or WX2200.
If release notes are shipped with your product and the information there differs from the information in this guide, follow the instructions in the release notes.
Most user guides and release notes are available in Adobe Acrobat Reader Portable Document Format (PDF) or HTML on the 3Com World Wide Web site:
http://www.3com.com/

Conventions

Table 1 and Table 2 list conventions that are used throughout this guide.

Table 1 Notice Icons
Icon / Notice Type / Description
Information note: Information that describes important features or instructions.
Caution: Information that alerts you to potential loss of data or potential damage to an application, system, or device.
This manual uses the following text and syntax conventions:
Table 2 Text Conventions
Convention / Description
Monospace text: Sets off command syntax or sample commands and system responses.
Bold text: Highlights commands that you enter or items you select.
Italic text: Designates command variables that you replace with appropriate values, or highlights publication titles or words requiring special emphasis.
[ ] (square brackets): Enclose optional parameters in command syntax.
{ } (curly brackets): Enclose mandatory parameters in command syntax.
| (vertical bar): Separates mutually exclusive options in command syntax.
Keyboard key names: If you must press two or more keys simultaneously, the key names are linked with a plus sign (+). Example: Press Ctrl+Alt+Del
Words in italics: Italics are used to emphasize a point; to denote a new term at the place where it is defined in the text; and to highlight an example string, such as a username or SSID.

Documentation

The MSS documentation set includes the following documents.

Wireless Switch Manager (3WXM) Release Notes
These notes provide information about the 3WXM software release, including new features and bug fixes.
Wireless LAN Switch and Controller Release Notes
These notes provide information about the MSS software release, including new features and bug fixes.
Wireless LAN Switch and Controller Quick Start Guide
This guide provides instructions for performing basic setup of secure (802.1X) and guest (WebAAA) access, for configuring a Mobility Domain for roaming, and for accessing a sample network plan in 3WXM for advanced configuration and management.
Wireless Switch Manager Reference Manual
This manual shows you how to plan, configure, deploy, and manage a Mobility System wireless LAN (WLAN) using the 3Com Wireless Switch Manager (3WXM).
Wireless Switch Manager User’s Guide
This manual shows you how to plan, configure, deploy, and manage the entire WLAN with the 3WXM tool suite. Read this guide to learn how to plan wireless services, how to configure and deploy 3Com equipment to provide those services, and how to optimize and manage your WLAN.
Wireless LAN Switch and Controller Hardware Installation Guide
This guide provides instructions and specifications for installing a WX wireless switch in a Mobility System WLAN.
Wireless LAN Switch and Controller Configuration Guide
This guide provides instructions for configuring and managing the system through the Mobility System Software (MSS) CLI.
Wireless LAN Switch and Controller Command Reference
This reference provides syntax information for all MSS commands supported on WX switches.

Documentation Comments

Your suggestions are very important to us. They will help make our documentation more useful to you. Please e-mail comments about this document to 3Com at:
pddtechpubs_comments@3com.com
Please include the following information when contacting us:
- Document title
- Document part number and revision (on the title page)
- Page number (if appropriate)
Example:
- Wireless LAN Switch and Controller Configuration Guide
- Part number 730-9502-0071, Revision B
- Page 25
Please note that we can only respond to comments and questions about 3Com product documentation at this e-mail address. Questions related to technical support or sales should be directed in the first instance to your network supplier.
1 USING THE COMMAND-LINE INTERFACE
Mobility System Software (MSS) operates a 3Com Mobility System wireless LAN (WLAN) consisting of 3Com Wireless Switch Manager software, Wireless LAN Switches (WX1200 or WXR100), Wireless LAN Controllers (WX4400 or WX2200), and Managed Access Points (MAPs). MSS has a command-line interface (CLI) on a WX switch that you can use to configure and manage the switch and its attached MAPs.

Overview

You configure the WX switch and MAPs primarily with set, clear, and display commands. Use set commands to change parameters. Use clear commands to reset parameters to their defaults. In many cases, you can overwrite a parameter with another set command. Use display commands to display the current configuration and monitor the status of network operations.
The WX switch supports two connection modes:
- Administrative access mode, which enables the network administrator to connect to the WX and configure the network
- Network access mode, which enables network users to connect through the WX to access the network

CLI Conventions

Be aware of the following MSS CLI conventions for command entry:
- “Command Prompts” on page 28
- “Syntax Notation” on page 28
- “Text Entry Conventions and Allowed Characters” on page 28
- “User Globs, MAC Address Globs, and VLAN Globs” on page 30
- “Port Lists” on page 32
- “Virtual LAN Identification” on page 33

Command Prompts

By default, the MSS CLI provides the following prompt for restricted users. The mmmm portion shows the WX model number (for example, 1200) and the nnnnnn portion shows the last 6 digits of the WX media access control (MAC) address.
WXmmmm>
After you become enabled as an administrative user by typing enable and supplying a suitable password, MSS displays the following prompt:
WXmmmm#
For information about changing the CLI prompt on a WX, see the set prompt command description in the Wireless LAN Switch and Controller
Command Reference.

Syntax Notation

The MSS CLI uses standard syntax notation:
- Bold monospace font identifies the command and keywords you must type. For example:
set enablepass
- Italic monospace font indicates a placeholder for a value. For example, you replace vlan-id in the following command with a virtual LAN (VLAN) ID:
clear interface vlan-id ip
- Curly brackets ({ }) indicate a mandatory parameter, and square brackets ([ ]) indicate an optional parameter. For example, you must enter dynamic or port and a port list in the following command, but a VLAN ID is optional:
clear fdb {dynamic | port port-list} [vlan vlan-id]
- A vertical bar (|) separates mutually exclusive options within a list of possibilities. For example, you enter either enable or disable, not both, in the following command:
set port {enable | disable} port-list

Text Entry Conventions and Allowed Characters

Unless otherwise indicated, the MSS CLI accepts standard ASCII alphanumeric characters, except for tabs and spaces, and is case-insensitive.
The CLI has specific notation requirements for MAC addresses, IP addresses, and masks, and allows you to group usernames, MAC addresses, virtual LAN (VLAN) names, and ports in a single command.
3Com recommends that you do not use the same name with different capitalizations for VLANs or access control lists (ACLs). For example, do not configure two separate VLANs with the names red and RED.
The CLI does not support the use of special characters including the following in any named elements such as SSIDs and VLANs: ampersand (&), angle brackets (< >), number sign (#), question mark (?), or quotation marks (“”).
In addition, the CLI does not support the use of international characters such as the accented É in DÉCOR.
MAC Address Notation
MSS displays MAC addresses in hexadecimal numbers with a colon (:) delimiter between bytes—for example, 00:01:02:1a:00:01. You can enter MAC addresses with either hyphen (-) or colon (:) delimiters, but colons are preferred.
For shortcuts:
- You can exclude leading zeros when typing a MAC address. MSS displays of MAC addresses include all leading zeros.
- In some specified commands, you can use the single-asterisk (*) wildcard character to represent an entire MAC address or from 1 byte to 5 bytes of the address. (For more information, see “MAC Address Globs” on page 31.)
IP Address and Mask Notation
MSS displays IP addresses in dotted decimal notation—for example,
192.168.1.111. MSS makes use of both subnet masks and wildcard masks.
Subnet Masks
Unless otherwise noted, use classless interdomain routing (CIDR) format to express subnet masks—for example, 192.168.1.112/24. You indicate the subnet mask with a forward slash (/) and specify the number of bits in the mask.
Wildcard Masks
Security access control lists (ACLs) use source and destination IP addresses and wildcard masks to determine whether the WX filters or forwards IP packets. Matching packets are either permitted or denied network access. The ACL checks the bits in IP addresses that correspond to any 0s (zeros) in the mask, but does not check the bits that correspond to 1s (ones) in the mask. You specify the wildcard mask in dotted decimal notation.
For example, the address 10.0.0.0 and mask 0.255.255.255 match all IP addresses that begin with 10 in the first octet.
The ACL mask must be a contiguous set of zeroes starting from the first bit. For example, 0.255.255.255, 0.0.255.255, and 0.0.0.255 are valid ACL masks. However, 0.255.0.255 is not a valid ACL mask.
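The wildcard-mask rules above, as an added Python example that is not part of the manual or of MSS: it validates a mask as a contiguous run of zeros from the first bit, converts between wildcard masks and the CIDR prefix lengths used for subnet masks, and applies a mask the way an ACL entry does. The sample ACL entries are constructed for illustration; first-match evaluation and the "no decision" result when nothing matches are assumptions of this example, not MSS behaviour documented here.

```python
import ipaddress
from typing import Iterable, Optional, Tuple

ALL_ONES = 0xFFFFFFFF

# One ACL entry: (action, source address, source wildcard, destination address,
# destination wildcard). This tuple layout is the example's own, not MSS syntax.
AclEntry = Tuple[str, str, str, str, str]


def _to_int(dotted: str) -> int:
    """Parse a dotted-decimal IPv4 address or mask into a 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def is_valid_acl_wildcard(mask: str) -> bool:
    """True if the 0 bits form one contiguous run starting at the first (most
    significant) bit and every bit after that run is 1.

    0.255.255.255, 0.0.255.255 and 0.0.0.255 pass; 0.255.0.255 fails.
    Such a mask m has m + 1 equal to a power of two, so (m + 1) & m == 0.
    """
    m = _to_int(mask)
    return (m + 1) & m == 0


def wildcard_to_prefix_length(mask: str) -> int:
    """Equivalent CIDR prefix length for a valid wildcard (0.0.0.255 -> 24),
    so an ACL mask can be compared with the /nn subnet-mask notation."""
    if not is_valid_acl_wildcard(mask):
        raise ValueError(f"{mask} is not a contiguous ACL wildcard mask")
    return 33 - (_to_int(mask) + 1).bit_length()


def prefix_length_to_wildcard(prefix_len: int) -> str:
    """Inverse of wildcard_to_prefix_length (24 -> 0.0.0.255)."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    return str(ipaddress.IPv4Address((1 << (32 - prefix_len)) - 1))


def acl_address_matches(acl_addr: str, wildcard: str, packet_addr: str) -> bool:
    """Apply the rule from the text: bits that are 0 in the mask must equal the
    ACL address; bits that are 1 in the mask are not checked."""
    if not is_valid_acl_wildcard(wildcard):
        raise ValueError(f"{wildcard} is not a contiguous ACL wildcard mask")
    checked_bits = ~_to_int(wildcard) & ALL_ONES
    return (_to_int(acl_addr) & checked_bits) == (_to_int(packet_addr) & checked_bits)


def evaluate_acl(entries: Iterable[AclEntry], src: str, dst: str) -> Optional[str]:
    """Return the action ('permit' or 'deny') of the first entry whose source
    and destination both match, or None when no entry matches.

    First-match evaluation and the None result are assumptions of this
    example; the text only states that matching packets are permitted or denied.
    """
    for action, src_addr, src_mask, dst_addr, dst_mask in entries:
        if acl_address_matches(src_addr, src_mask, src) and \
                acl_address_matches(dst_addr, dst_mask, dst):
            return action
    return None


# Constructed sample ACL: deny the 10.0.0.0/8 range from reaching 192.168.1.0/24,
# permit every other source to reach that subnet (255.255.255.255 checks no bits).
SAMPLE_ACL = [
    ("deny", "10.0.0.0", "0.255.255.255", "192.168.1.0", "0.0.0.255"),
    ("permit", "0.0.0.0", "255.255.255.255", "192.168.1.0", "0.0.0.255"),
]
```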
User Globs, MAC Address Globs, and VLAN Globs

Name “globbing” is a way of using a wildcard pattern to expand a single element into a list of elements that match the pattern. MSS accepts user globs, MAC address globs, and VLAN globs. The order in which globs appear in the configuration is important, because once a glob is matched, processing stops on the list of globs.
User Globs
A user glob is a shorthand method for matching an authentication, authorization, and accounting (AAA) command to either a single user or a set of users.
A user glob can be up to 80 characters long and cannot contain spaces or tabs. The double-asterisk (**) wildcard characters with no delimiter characters match all usernames. The single-asterisk (*) wildcard character matches any number of characters up to, but not including, a delimiter character in the glob. Valid user glob delimiter characters are the at (@) sign and the period (.).
Table 3 shows example user globs and the users each one designates:
Table 3 User Globs
User Glob: User(s) Designated
jose@example.com: User jose at example.com
*@example.com: All users at example.com whose usernames do not contain periods—for example, jose@example.com and tamara@example.com, but not nin.wong@example.com, because nin.wong contains a period
*@marketing.example.com: All marketing users at example.com whose usernames do not contain periods
*.*@marketing.example.com: All marketing users at example.com whose usernames contain a period
*: All users with usernames that have no delimiters
EXAMPLE\*: All users in the Windows Domain EXAMPLE with usernames that have no delimiters
EXAMPLE\*.*: All users in the Windows Domain EXAMPLE whose usernames contain a period
**: All users
MAC Address Globs
A media access control (MAC) address glob is a similar method for matching some authentication, authorization, and accounting (AAA) and forwarding database (FDB) commands to one or more 6-byte MAC addresses. In a MAC address glob, you can use a single asterisk (*) as a wildcard to match all MAC addresses, or as follows to match from 1 byte to 5 bytes of the MAC address:
00:* 00:01:* 00:01:02:* 00:01:02:03:* 00:01:02:03:04:*
For example, the MAC address glob 02:06:8c* represents all MAC addresses starting with 02:06:8c. Specifying only the first 3 bytes of a MAC address allows you to apply commands to MAC addresses based on an organizationally unique identity (OUI).
VLAN Globs
A VLAN glob is a method for matching one of a set of local rules on a WX switch, known as the location policy, to one or more users. MSS compares the VLAN glob, which can optionally contain wildcard characters, against the VLAN-Name attribute returned by AAA, to determine whether to apply the rule.
32 CHAPTER 1: USING THE COMMAND-LINE INTERFACE
To match all VLANs, use the double-asterisk (**) wildcard characters with no delimiters. To match any number of characters up to, but not including, a delimiter character in the glob, use the single-asterisk (*) wildcard. Valid VLAN glob delimiter characters are the at (@) sign and the period (.).
For example, the VLAN glob bldg4.* matches bldg4.security and bldg4.hr and all other VLAN names with bldg4. at the beginning.
Matching Order for Globs
In general, the order in which you enter AAA commands determines the order in which MSS matches the user, MAC address, or VLAN to a glob. To verify the order, view the output of the display aaa or display config command. MSS checks globs that appear higher in the list before items lower in the list and uses the first successful match.
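The three glob kinds and the first-match ordering described above, as an added Python example (not code from the manual or from MSS): user globs and VLAN globs share the single- and double-asterisk rules and the @ and . delimiters, MAC globs match 1 to 5 leading bytes, and the first matching glob in configuration order wins. Case-sensitive comparison and the sample names are assumptions of this example.

```python
import re
from typing import Callable, Iterable, List, Optional

# A single '*' in a user glob or VLAN glob stops at these delimiters.
GLOB_DELIMITERS = "@."


def glob_to_regex(glob: str) -> "re.Pattern[str]":
    """Compile an MSS-style user or VLAN glob.

    '**' by itself matches every name. A single '*' matches any run of
    characters that contains no delimiter. Everything else is literal,
    including the backslash in Windows-domain globs such as EXAMPLE\\*.
    """
    if glob == "**":
        return re.compile(r".*", re.DOTALL)
    no_delim = "[^" + re.escape(GLOB_DELIMITERS) + "]*"
    return re.compile(no_delim.join(re.escape(part) for part in glob.split("*")))


def name_glob_matches(glob: str, name: str) -> bool:
    """True if a username or VLAN name matches the glob. Comparison is
    case-sensitive here (an assumption; the text does not say how AAA folds case)."""
    return glob_to_regex(glob).fullmatch(name) is not None


def _mac_bytes(text: str) -> List[int]:
    """Split a MAC address or MAC prefix written with ':' or '-' delimiters into
    byte values; leading zeros may be omitted, as the CLI allows (0:1:2 == 00:01:02)."""
    values = [int(part, 16) for part in re.split(r"[:-]", text)]
    if not all(0 <= v <= 255 for v in values):
        raise ValueError(f"{text!r} contains a value larger than one byte")
    return values


def mac_glob_matches(glob: str, mac: str) -> bool:
    """A MAC glob is '*' (every address), a 1- to 5-byte prefix ending in '*'
    such as 00:01:* or 02:06:8c*, or a full 6-byte address for an exact match."""
    if glob == "*":
        return True
    address = _mac_bytes(mac)
    if len(address) != 6:
        raise ValueError(f"{mac!r} is not a 6-byte MAC address")
    if glob.endswith("*"):
        prefix = _mac_bytes(glob[:-1].rstrip(":-"))
        if not 1 <= len(prefix) <= 5:
            raise ValueError(f"{glob!r} must specify 1 to 5 bytes before '*'")
        return address[:len(prefix)] == prefix
    return address == _mac_bytes(glob)


def first_matching_glob(globs: Iterable[str], name: str,
                        matcher: Callable[[str, str], bool] = name_glob_matches
                        ) -> Optional[str]:
    """Return the first glob, in configuration order, that matches the name,
    or None. MSS uses the first successful match, so the order of the list
    (as shown by display aaa or display config) decides which rule applies."""
    for glob in globs:
        if matcher(glob, name):
            return glob
    return None
```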

Port Lists

The physical Ethernet ports on a WX can be set for connection to MAPs, authenticated wired users, or the network backbone. You can include a single port or multiple ports in one MSS CLI command by using the appropriate list format.
The ports on a WX are numbered from 1 up to a maximum of 22, depending on the WX model. No port 0 exists on the WX. You can include a single port or multiple ports in a command that includes port port-list. Use one of the following formats for port-list:
- A single port number. For example:
WX1200# set port enable 6
- A comma-separated list of port numbers, with no spaces. For example:
WX1200# display port poe 1,2,4,6
- A hyphen-separated range of port numbers, with no spaces. For example:
WX1200# reset port 1-8
- Any combination of single numbers, lists, and ranges. Hyphens take precedence over commas. For example:
WX1200# display port status 1-3,5
Virtual LAN Identification
The names of virtual LANs (VLANs), which are used in Mobility Domain™ communications, are set by you and can be changed. In contrast, VLAN ID numbers, which the WX switch uses locally, are determined when the VLAN is first configured and cannot be changed. Unless otherwise indicated, you can refer to a VLAN by either its VLAN name or its VLAN number. CLI set and display commands use a VLAN’s name or number to uniquely identify the VLAN within the WX switch.

Command-Line Editing

MSS editing functions are similar to those of many other network operating systems.

Keyboard Shortcuts

Table 4 lists the keyboard shortcuts available for entering and editing CLI commands.
Table 4 CLI Keyboard Shortcuts
Keyboard Shortcut(s): Function
Ctrl+A: Jumps to the first character of the command line.
Ctrl+B or Left Arrow key: Moves the cursor back one character.
Ctrl+C: Escapes and terminates prompts and tasks.
Ctrl+D: Deletes the character at the cursor.
Ctrl+E: Jumps to the end of the current command line.
Ctrl+F or Right Arrow key: Moves the cursor forward one character.
Ctrl+K: Deletes from the cursor to the end of the command line.
Ctrl+L or Ctrl+R: Repeats the current command line on a new line.
Ctrl+N or Down Arrow key: Enters the next command line in the history buffer.
Ctrl+P or Up Arrow key: Enters the previous command line in the history buffer.
Ctrl+U or Ctrl+X: Deletes characters from the cursor to the beginning of the command line.
Ctrl+W: Deletes the last word typed.
Esc B: Moves the cursor back one word.
Esc D: Deletes characters from the cursor forward to the end of the word.
Delete key or Backspace key: Erases a mistake made during command entry. Reenter the command after using this key.

History Buffer

The history buffer stores the last 63 commands you entered during a terminal session. You can use the Up Arrow and Down Arrow keys to select a command that you want to repeat from the history buffer.

Tabs

The MSS CLI uses the Tab key for command completion. You can type the first few characters of a command and press the Tab key to display the command(s) that begin with those characters. For example:
WX1200# display i <Tab>
ifm         display interfaces maintained by the interface manager
igmp        display igmp information
interface   display interfaces
ip          display ip information
Single-Asterisk (*) Wildcard Character
You can use the single-asterisk (*) wildcard character in globbing. (For details, see “User Globs, MAC Address Globs, and VLAN Globs” on page 30.)
Double-Asterisk (**) Wildcard Characters
The double-asterisk (**) wildcard character matches all usernames. For details, see “User Globs” on page 30.

Using CLI Help

The CLI provides online help. To see the full range of commands available at your access level, type the following command:
WX1200# help
Commands:
----------------------------------------------------------------------
clear       Clear, use 'clear help' for more information
commit      Commit the content of the ACL table
copy        Copy from filename (or url) to filename (or url)
crypto      Crypto, use 'crypto help' for more information
delete      Delete url
dir         display list of files on flash device
disable     Disable privileged mode
display     Display, use 'display help' for more information
help        display this help screen
history     display contents of history substitution buffer
load        Load, use 'load help' for more information
logout      Exit from the Admin session
monitor     Monitor, use 'monitor help' for more information
ping        Send echo packets to hosts
quit        Exit from the Admin session
reset       Reset, use 'reset help' for more information
rollback    Remove changes to the edited ACL table
save        Save the running configuration to persistent storage
set         Set, use 'set help' for more information
telnet      telnet IP address [server port]
traceroute  Print the route packets take to network host
For more information on help, see the help command description in the
Wireless LAN Switch and Controller Command Reference.
To see a subset of the online help, type the command for which you want more information. For example, the following command displays all the commands that begin with the letter i:
WX1200# display i?
ifm         display interfaces maintained by the interface manager
igmp        display igmp information
interface   display interfaces
ip          display ip information
To see all the variations, type one of the commands followed by a question mark (?). For example:
WX1200# display ip ?
alias       display ip aliases
dns         display DNS status
https       display ip https
route       display ip route table
telnet      display ip telnet
To determine the port on which Telnet is running, type the following command:
WX1200# display ip telnet
Server Status   Port
----------------------------------
Enabled         3

Understanding Command Descriptions

Each command description in the Wireless LAN Switch and Controller Command Reference contains the following elements:
- A command name, which shows the keywords but not the variables. For example, the following command name appears at the top of a command description and in the index:
set ap
The set ap name command has the following complete syntax:
set ap {apnumber | auto | security}
- A brief description of how the command functions.
- The full command syntax.
- Any command defaults.
- The command access, which is either enabled or all. All indicates that anyone can access this command. Enabled indicates that you must enter the enable password before entering the command.
- The command history, which identifies the MSS version in which the command was introduced and the version numbers of any subsequent updates.
- Special tips for command usage. These are omitted if the command requires no special usage.
- One or more examples of the command in context, with the appropriate system prompt and response.
- One or more related commands.

2 WX SETUP METHODS
This chapter describes the methods you can use to configure a WX switch, and refers you to information for each method. Depending on your configuration needs, you can use one or a combination of these methods.
For easy installation, use one of the quick-start methods described in this chapter instead of using the CLI instructions in later chapters in the manual.

Overview

MSS provides the following quick-start methods for new (unconfigured) switches:
- Web Quick Start (WXR100, WX1200, and WX2200)
- CLI quickstart command
You can use either quick-start method to configure a switch to provide wireless service. You also can use any of the following management applications to configure a new switch or to continue configuration of a partially configured switch:
- 3Com Wireless Switch Manager
- CLI
- Web Manager

Quick Starts

The Web Quick Start enables you to easily configure a WXR100, WX1200 or WX2200 switch to provide wireless access to up to 10 users. The Web Quick Start is accessible only on unconfigured WXR100, WX1200 or WX2200 switches. The interface is not available on other switch models or on any switch that is already configured.
The quickstart command enables you to configure a WXR100 switch to provide wireless access to any number of users.
3Com Wireless Switch Manager

You can use 3Com Wireless Switch Manager to remotely configure a switch using one of the following techniques:
- Drop ship—On model WXR100 only, you can press the factory reset switch during power on until the right LED above port 1 flashes for 3 seconds. Activating the factory reset causes the WXR100 to bypass the Web Quick Start and request its configuration from 3Com Wireless Switch Manager instead.
- Staged WX—On any switch model, you can stage the switch to request its configuration from 3Com Wireless Switch Manager, by preconfiguring IP parameters and enabling the auto-config option.
(These options are described in more detail in “Remote WX Configuration” on page 49.)
You also can use 3Com Wireless Switch Manager to plan your network, create WX switches in the plan, then deploy the switch configurations to the real switches. For information, see the following:
- Wireless Switch Manager User’s Guide
- Wireless Switch Manager Reference Manual
To open a sample network plan, see “Opening the QuickStart Network Plan in 3Com Wireless Switch Manager” on page 49.
CLI

You can configure a switch using the CLI by attaching a PC to the switch’s Console port.
After you configure the switch for SSH or Telnet access, you also can use these protocols to access the CLI.

Web Manager

You can use a switch web management interface, Web Manager, to configure the switch. For access information, see Appendix B, “Logging Into Web View” on page 650.
Web Manager is different from the Web Quick Start application. Web Manager is a web-based management application that is available at any time on a switch that already has IP connectivity. (Web Manager access also requires the switch’s HTTPS server to be enabled.) The Web Quick Start application is accessible only on unconfigured switches.

How a WX Switch Gets its Configuration

Figure 1 shows how a WX switch gets a configuration when you power it on.
Figure 1 WX Switch Startup Algorithm
[Flowchart not reproduced. It starts at “Switch is powered on” and branches on these decisions: Does switch have a configuration? Model WXR100? Was factory reset pressed during power on? Is auto-config enabled? Model WX1200 or WX2200? The possible outcomes are: Switch boots using its configuration file; Switch contacts 3WXM to request configuration; Switch displays CLI prompt; Boots with no configuration (you must use the CLI to start configuring the switch); Web Quick Start is enabled.]


Web Quick Start (WXR100, WX1200 and WX2200 Only)

Web Quick Start Parameters

You can use the Web Quick Start to configure the switch to provide wireless access to up to ten network users.
To access the Web Quick Start, attach a PC directly to port 1 or port 2 on the switch and use a web browser on the PC to access IP address
192.168.100.1. (For more detailed instructions, see “Accessing the Web Quick Start” on page 41.)
The Web Quick Start application is different from Web Manager. Web Manager is a web-based management application that is available at any time on a switch that already has IP connectivity. (Web Manager access also requires the switch’s HTTPS server to be enabled.) The Web Quick Start application is accessible only on unconfigured switches.
The Web Quick Start application is supported only on switch models WXR100, WX1200, and WX2200. After you finish the Web Quick Start, it will not be available again unless you clear (erase) the switch’s configuration.
The Web Quick Start enables you to configure basic wireless access for a small office. You can use the Web Quick Start to configure the following parameters:
- System name of the switch
- Country code (the country where wireless access will be provided)
- Administrator username and password
- Management IP address and default router (gateway)
- Time and date (statically configured or provided by an NTP server)
- Management access. You can individually select Telnet, SSH, and Web View. You also can secure the Console port. Access requires the administrator username and password.
- Power over Ethernet (PoE), for ports directly connected to MAPs
- SSIDs and authentication types. The Web Quick Start enables you to configure one secure SSID and one clear SSID. You can configure additional SSIDs using the CLI or 3Com Wireless Switch Manager.
- Usernames and passwords for your wireless users. You can configure up to ten users with the Web Quick Start. To configure additional users, use the CLI or 3Com Wireless Switch Manager.
Web Quick Start Requirements

To use the Web Quick Start, you need the following:
- AC power source for the switch
- PC with an Ethernet port that you can connect directly to the switch
- Category 5 (Cat 5) or higher Ethernet cable
If the PC is connected to the network, power down the PC or disable its network interface card (NIC), then unplug the PC from the network.
You can use a Layer 2 device between the switch and the PC. However, do not attach the switch to your network yet. The switch requires the PC you attach to it for configuration to be in the 192.168.100.x subnet, and uses the MSS DHCP server to assign the PC an address from this subnet. If you attach the unconfigured switch to your network, the switch disables the MSS DHCP server if it detects another DHCP server on the network. If the network does not have a DHCP server, the switch’s DHCP server remains enabled and will offer IP addresses in the 192.168.100.x subnet in response to DHCP Requests.

Accessing the Web Quick Start

To access the Web Quick Start:
1 Use a Category 5 (Cat 5) or higher Ethernet cable to connect the switch directly to a PC that has a web browser.
2 Connect the switch to an AC power source.
If the green power LED is lit, the switch is receiving power.
If you are configuring a WXR100, do not press the factory reset switch during power on. Pressing this switch on an unconfigured switch causes the switch to attempt to contact a 3Com Wireless Switch Manager server instead of displaying the Web Quick Start. (Other switch models also have reset switches, but the reset switch simply restarts these other models without clearing the configuration.)
3 Enable the PC’s NIC that is connected to the switch, if not already enabled.
4 Verify that the NIC is configured to use DHCP to obtain its IP address.
You will not be able to access the Web Quick Start if the IP address of the NIC is statically configured.
5 Use a web browser to access IP address 192.168.100.1.
This is a temporary, well-known address assigned to the unconfigured switch when you power it on. The Web Quick Start enables you to change this address.
The first page of the Quick Start Wizard appears.
6 Click Start to begin. The wizard screens guide you through the configuration steps.
CAUTION: Use the wizard’s Next and Back buttons to navigate among the wizard pages. Using the browser’s navigation buttons, such as Back and Forward, can result in loss of information. Do not click the browser’s Refresh or Reload button at any time while using the wizard. If you do click Refresh or Reload, all the information you have entered in the wizard will be cleared.
7 After guiding you through the configuration, the wizard displays a summary of the configuration values you selected.
Here is an example: [screenshot of the summary page not reproduced]
8 Review the configuration settings, then click Finish to save the changes or click Back to change settings. If you want to quit for now and start over later, click Cancel.
If you click Finish, the wizard saves the configuration settings into the switch’s configuration file. If the switch is rebooted, the configuration settings are restored when the reboot is finished.
The switch is ready for operation. You do not need to restart the switch.
CAUTION: On a WXR100, do not press the factory reset switch for more than four seconds! On a WXR100 that is fully booted, the factory reset switch erases the configuration if held for five seconds or more. If you do accidentally erase the configuration, you can use the Web Quick Start to reconfigure the switch.

CLI quickstart Command

The quickstart command runs a script that interactively helps you configure the following items:
- System name
- Country code (regulatory domain)
- System IP address
- Default route
- 802.1Q tagging for ports in the default VLAN
- Administrative users and passwords
- Enable password
- System time, date, and timezone
- Unencrypted (clear) SSID names
- Usernames and passwords for guest access using WebAAA
- Encrypted (crypto) SSID names and dynamic WEP encryption for encrypted SSIDs’ wireless traffic
- Usernames and passwords for secure access using 802.1X authentication using PEAP-MSCHAP-V2 and secure wireless data encryption using dynamic Wired Equivalent Privacy (WEP)
- Directly connected MAPs
- Distributed MAPs
The quickstart command displays a prompt for each of these items, and lists the default if applicable. You can advance to the next item, and accept the default if applicable, by pressing Enter.
The command also automatically generates a key pair for SSH.
Depending on your input, the command also automatically generates the following key pairs and self-signed certificates:
- SSH key pair (always generated)
- Admin key pair and self-signed certificate (always generated)
- EAP (802.1X) key pair and self-signed certificate (generated if you type usernames and passwords for users of encrypted SSIDs)
- WebAAA key pair and self-signed certificate (generated if you type usernames and passwords for users of unencrypted SSIDs)
The command automatically places all ports that are not used for directly connected MAPs into the default VLAN (VLAN 1).
The quickstart command prompts you for an administrative username and password for managing the switch over the network. The command automatically configures the same password as the switch’s enable password. You can change the enable password later using the set enablepass command.
CAUTION: The quickstart command is for configuration of a new switch only. After prompting you for verification, the command erases the switch’s configuration before continuing. If you run this command on a switch that already has a configuration, the configuration will be erased. In addition, error messages such as Critical AP Notice for directly connected MAPs can appear.
To run the quickstart command:
1 Attach a PC to the WX switch’s serial console port. (Use these modem settings: 9600 bps, 8 bits, 1 stop, no parity, hardware flow control disabled.)
2 Press Enter three times, to display a username prompt (Username:), a password prompt (Password:), and then a command prompt such as the following:
WX1200-aabbcc>
(Each switch has a unique system name that contains the model number and the last half of the switch’s MAC address.)
3 Access the enabled level (the configuration level) of the CLI:
WX1200-aabbcc> enable
4 Press Enter at the Enter password prompt.
5 Type quickstart. The command asks you a series of questions. You can type ? for more help. To quit, press Ctrl+C.
One of the questions the script asks is the country code. For a list of valid country codes, see “Specifying the Country of Operation” on page 213.
Another question the script asks is, “Do you wish to configure wireless?” If you answer y, the script goes on to ask you for SSID and user information, for unencrypted and encrypted SSIDs. If you answer n, the script generates key pairs for SSH and the administrative users you entered, generates a self-signed administrative certificate, and then ends.

Quickstart Example

This example configures the following parameters:
- System name: WX1200-Corp
- Country code (regulatory domain): US
- System IP address: 172.16.0.21, on IP interface 172.16.0.21 255.255.255.0
The quickstart script asks for an IP address and subnet mask for the system IP address, and converts the input into an IP interface with a subnet mask, and a system IP address that uses that interface. Likewise, if you configure this information manually instead of using the quickstart command, you must configure the interface and system IP address separately.
- Default route: 172.16.0.20
- Administrative user wxadmin, with password letmein. The only management access the switch allows by default is CLI access through the serial connection.
- System time and date parameters:
  Date: 31st of March, 2007
  Time: 4:36 PM
  Timezone: PST (Pacific Standard Time), with an offset of -8 hours from Universal Coordinated Time (UTC)
- Unencrypted SSID name: public
- Username user1 and password pass1 for WebAAA
- Encrypted SSID name: corporate
- Username bob and password bobpass for 802.1X authentication
- Directly connected MAPs on port 2, model AP2750
The IP addresses, usernames, and passwords in this document are examples. Use values that are appropriate for your organization.
If you configure time and date parameters, you will be required to enter a name for the timezone, and then enter the value of the timezone (the offset from UTC) separately. You can use a string of up to 32 alphabetic characters as the timezone name.
Figure 2 shows an example. Users bob and alice can access encrypted SSID corporate on either of the MAPs. Users user1 and user2 can use the same MAPs to access unencrypted SSID public. Although the same hardware supports both SSIDs and sets of users, AAA ensures that only the users who are authorized to access an SSID can access that SSID. Users of separate SSIDs can even be in the same VLAN, as they are in this example.
Figure 2 Single-Switch Deployment
[Figure: switch WX1200-20-Corp (10.10.10.4) with a console port, a MAP on port 2 and a MAP on port 3, connected to the backbone, corporate resources and the Internet; wireless users alice, bob, user1 and user2]
WXR100-aabbcc# quickstart
This will erase any existing config. Continue? [n]: y
Answer the following questions. Enter '?' for help. ^C to break out
System Name [WXR100]: WXR100-mrktg
Country Code [US]: US
System IP address []: 172.16.0.21
System IP address netmask []: 255.255.255.0
Default route []: 172.16.0.21
Do you need to use 802.1Q tagged default VLAN [Y/N]? Y: y
Specify the port number that needs to be tagged [1-2, <CR> ends config]: 2
Specify the tagged value for port [2] [<CR> ends config:] 100
Specify the port number that needs to be tagged [1-2, <CR> ends config]:
Admin username [admin]: wxadmin
Admin password [optional]: letmein
Enable password [optional]: enable
Do you wish to set the time? [y]: y
Enter the date (dd/mm/yy) []: 31/03/07
Is daylight saving time (DST) in effect [n]: n
Enter the time (hh:mm:ss) []: 04:36:20
Enter the timezone []: PST
Enter the offset (without DST) from GMT for 'PST' in hh:mm [0:0]: -8:0
Do you wish to configure wireless? [y]: y
Enter a clear SSID to use: public
Do you want Web Portal authentication? [y]: y
Enter a username with which to do Web Portal, <cr> to exit: user1
Enter a password for user1: user1pass1
Enter a username with which to do Web Portal, <cr> to exit:
Do you want to do 802.1x and PEAP-MSCHAPv2? [y]: y
Enter a crypto SSID to use: corporate
Enter a username with which to do PEAP-MSCHAPv2, <cr> to exit: bob
Enter a password for bob: bobpass
Enter a username with which to do PEAP-MSCHAPv2, <cr> to exit:
Do you wish to configure access points? [y]: y
Enter a port number [1-2] on which an AP resides, <cr> to exit: 2
Enter AP model on port 2: ap3750
Enter a port number [1-2] on which an AP resides, <cr> to exit:
Do you wish to configure distributed access points? [y]: y
Enter a DAP serial number, <cr> to exit: 0422700351
Enter model of DAP with S/N 0422700351: ap3750
Enter a DAP serial number, <cr> to exit:
success: created keypair for ssh
success: Type “save config” to save the configuration
WXR100-aabbcc# save config
6 Optionally, enable Telnet and enable the admin user to use Telnet.
WXR100-aabbcc# set ip telnet server enable
WXR100-aabbcc# set user wxadmin attr service-type 6
7 Verify the configuration changes.
WXR100-aabbcc# display config
8 Save the configuration changes.
WXR100-aabbcc# save config

Remote WX Configuration

You can use 3Com Wireless Switch Manager Services running in your corporate network to configure WX switches in remote offices. The following remote configuration scenarios are supported:
Drop ship—3Com Wireless Switch Manager Services running in the corporate network can configure a WXR100 switch shipped directly to a remote office. This option does not require any preconfiguration of the switch.
Staged—You can stage any model of switch by preconfiguring IP connectivity and enabling auto-config, then sending the switch to the remote office. The switch contacts 3Com Wireless Switch Manager Services in the corporate network to complete its configuration.
The drop ship option is supported only for the WXR100. The staged option is supported for all switch models. Both options require 3Com Wireless Switch Manager Services.
(For more information, see the “Configuring WX Switches Remotely” chapter in the Wireless Switch Manager Reference Manual.)

Opening the QuickStart Network Plan in 3Com Wireless Switch Manager

3Com Wireless Switch Manager comes with two sample network plans:
QuickStart—Contains a two-floor building with two WX switches and two MAPs on each switch. Each switch and its MAPs provide coverage for a floor. The 3Com equipment is configured to provide both clear (unencrypted) and secure (802.1X) wireless access.
StarterKit—Contains a simple rectangle as a floor plan, but with one WX switch and four MAPs. You can modify this plan to deploy the 3Com starter kit (STR-B-xx).
The QuickStart network plan contains a configuration similar to the one created by the CLI quickstart example in “Quickstart Example” on page 46. The plan differs from the sample configuration by using separate VLANs for WX management traffic, corporate users, and guest users. Otherwise, the configuration is the same.
To open the network plan:
1 Install 3WXM, if not already installed. (See the “Getting Started” chapter of the Wireless Switch Manager User’s Guide or the “Installing 3WXM” chapter of the Wireless Switch Manager Reference Manual.)
2 Start 3WXM by doing one of the following:
On Windows systems, select Start > Programs > 3Com > 3WXM > 3WXM, or double-click the 3WXM icon on the desktop.
On Linux systems, change directories to 3WXM_installation_directory/bin, and enter ./3wxm.
If you are starting 3Com Wireless Switch Manager for the first time, or you have not entered license information previously, the License Information dialog box appears. Enter the serial number and License, then click OK.
3 When the 3Com Wireless Switch Manager Services Connection dialog appears, enter the IP address and UDP port of 3Com Wireless Switch Manager Services (if installed on a different machine than the client), and click Next.
4 If the Certificate Check dialog appears, click Accept to complete the connection to 3Com Wireless Switch Manager Services.
5 Select File > Switch Network Plan.
6 Click Yes to close the plan that is currently open.
The Switch Network Plan dialog appears, listing the available network plans.
7 Select QuickStart and click Next.
3 CONFIGURING AAA FOR ADMINISTRATIVE AND LOCAL ACCESS
3Com Mobility System Software (MSS) supports authentication, authorization, and accounting (AAA) for secure network connections. As administrator, you must establish administrative access for yourself and optionally other local users before you can configure the WX for operation.

Overview

Here is an overview of configuration topics:

1 Console connection. By default, any administrator can connect to the
console port and manage the switch, because no authentication is enforced. (3Com recommends that you enforce authentication on the console port after initial connection.)
2 Telnet or SSH connection. Administrators cannot establish a Telnet or
Secure Shell (SSH) connection to the WX by default. To provide Telnet or SSH access, you must add a username and password entry to the local database or, optionally, set the authentication method for Telnet users to a Remote Authentication Dial-In User Service (RADIUS) server.
A CLI Telnet connection to the WX is not secure, unlike SSH, 3WXM and Web Manager connections. (For details, see Chapter 20, “Managing Keys and Certificates,” on page 413.)
3 Restricted mode. When you initially connect to the WX, your mode of
operation is restricted. In this mode, only a small subset of status and monitoring commands is available. Restricted mode is useful for administrators with basic monitoring privileges who are not allowed to change the configuration or run traces.
4 Enabled mode. To enter the enabled mode of operation, you type the
enable command at the command prompt. In enabled mode, you can
use all CLI commands. Although MSS does not require an enable password, 3Com highly recommends that you set one.
5 Customized authentication. You can require authentication for all
users or for only a subset of users. Username globbing (see “User Globs, MAC Address Globs, and VLAN Globs” on page 30) allows different users or classes of user to be given different authentication treatments. You can configure console authentication and Telnet authentication separately, and you can apply different authentication methods to each.
For any user, authorization uses the same method(s) as authentication for that user.
6 Local override. A special authentication technique called local override
lets you attempt authentication via the local database before attempting authentication via a RADIUS server. The WX switch attempts administrative authentication in the local database first. If it finds no match, the WX attempts administrative authentication on the RADIUS server. (For information about setting a WX switch to use RADIUS servers, see Chapter 22, “Configuring Communication with RADIUS,” on page 519.)
7 Accounting for administrative access sessions. Accounting records
can be stored and displayed locally or sent to a RADIUS server. Accounting records provide an audit trail of the time an administrative user logged in, the administrator’s username, the number of bytes transferred, and the time the session started and ended.
Figure 3 illustrates a typical WX switch, MAPs, and network administrator in an enterprise network. As network administrator, you initially access the WX switch via the console. You can then optionally configure authentication, authorization, and accounting for administrative access mode.
3Com recommends enforcing authentication for administrative access using usernames and passwords stored either locally or on RADIUS servers.
Figure 3 Typical 3Com Mobility System
[Figure: a building with floors 1, 2 and 3, each served by MAPs, Layer 2 switches and WX switches; a core router; and a data center with Layer 2 or Layer 3 switches, a WX switch, MAPs, and RADIUS or AAA servers]

Before You Start

Before reading more of this chapter, read the Wireless LAN Switch and Controller Quick Start Guide to set up a WX switch and the attached MAPs for basic service.

About Administrative Access

The authentication, authorization, and accounting (AAA) framework helps secure network connections by identifying who the user is, what the user can access, and the amount of network resources the user can consume.

Access Modes

MSS provides AAA either locally or via remote servers to authenticate valid users. MSS provides two modes of access:
Administrative access mode — Allows a network administrator to access the WX switch and configure it. You must establish administrative access in enabled mode before adding users. See “Enabling an Administrator” on page 55.
Network access mode — Allows network users to connect through the WX switch. For information about configuring network users, see Chapter 21, “Configuring AAA for Network Users,” on page 433.

Types of Administrative Access

MSS allows you access to the WX switch with the following types of administrative access:
Console — Access via only the console port. For more information, see “First-Time Configuration via the Console” on page 55.
Telnet — Users who access MSS via the Telnet protocol. For information about setting up a WX switch for Telnet access, see Chapter 6, “Configuring and Managing IP Interfaces and Services,” on page 103.
Secure Shell (SSH) — Users who access MSS via the SSH protocol. For information about setting up a WX switch for SSH access, see Chapter 6, “Configuring and Managing IP Interfaces and Services,” on page 103.
3WXM — After you configure the WX switch as described in this guide, you can further configure the WX switch using the 3WXM tool suite. For more information, see the Wireless Switch Manager Reference Manual.
Web View — A Web-based application for configuring and managing a single WX switch through a Web browser. Web View uses a secure connection via Hypertext Transfer Protocol over Secure Sockets Layer (HTTPS).

First-Time Configuration via the Console

Administrators must initially configure the WX switch with a computer or terminal connected to the WX console port through a serial cable. Telnet access is not initially enabled.
To configure a previously unconfigured WX switch via the console, you must complete the following tasks:
Enable an administrator. (See “Enabling an Administrator” on page 55.)
Configure authentication. (See “Authenticating at the Console” on page 57.)
Optionally, configure accounting. (See “Configuring Accounting for Administrative Users” on page 59.)
Save the configuration. (See “Saving the Configuration” on page 61.)

Enabling an Administrator

To enable yourself as an administrator, you must log in to the WX switch from the console. Until you set the enable password and configure authentication, the default username and password are blank. Press Enter when prompted for them.
To enable an administrator:
1 Log in to the WX switch from the serial console, and press Enter when
the WX switch displays a username prompt:
Username:
2 Press Enter when the WX switch displays a password prompt.
Password:
3 Type enable to go into enabled mode.
WX1200> enable
4 Press Enter to display an enabled-mode command prompt:
WX1200#
Once you see this prompt after you have typed the enable command, you have administrative privileges, which allow you to further configure the WX switch.
Setting the WX Switch Enable Password
There is one enable password for the entire WX switch. You can optionally change the enable password from the default.
3Com recommends that you change the enable password from the default (no password) to prevent unauthorized users from entering configuration commands.
Setting the WX Enable Password for the First Time
To set the enable password for the first time:
1 At the enabled prompt, type set enablepass.
2 At the “Enter old password” prompt, press Enter.
3 At the “Enter new password” prompt, enter an enable password of up to 32 alphanumeric characters with no spaces. The password is not displayed as you type it.
The enable password is case-sensitive.
4 Type the password again to confirm it.
MSS lets you know the password is set.
WX1200# set enablepass
Enter old password:
Enter new password:
Retype new password:
Password changed
Be sure to use a password that you will remember. If you lose the enable password, the only way to restore it causes the system to return to its default settings and wipes out any saved configuration. (For details, see “Recovering the System When the Enable Password is Lost” on page 622.)
5 Store the configuration into nonvolatile memory by typing the following
command:
WX1200# save config
success: configuration saved.
3WXM Enable Password
If you use 3WXM to continue configuring the switch, you will need to enter the switch’s enable password when you upload the switch’s configuration into 3WXM. (For 3WXM information, see the Wireless
Switch Manager Reference Manual.)
Authenticating at the Console
You can configure the console so that authentication is required, or so that no authentication is required. 3Com recommends that you enforce authentication on the console port.
To enforce console authentication, take the following steps:
1 Add a user in the local database by typing the following command with a
username and password:
WX1200# set user username password password
success: change accepted.
2 To enforce the use of console authentication via the local database, type the following command:
WX1200# set authentication console * local
If you type this command before you have created a local username and password, you can lock yourself out of the WX switch. Before entering this command, you must configure a local username and password.
3 To store this configuration into nonvolatile memory, type the following
command:
WX1200# save config
success: configuration saved.
By default, no authentication is required at the console. If you have previously required authentication and have decided not to require it (during testing, for example), type the following command to configure the console so that it does not require username and password authentication:
WX1200# set authentication console * none
The authentication method none you can specify for administrative access is different from the fallthru authentication type None, which applies only to network access. The authentication method none allows access to the WX switch by an administrator. The fallthru authentication type None denies access to a network user. (For information about the fallthru authentication types, see “Authentication Algorithm” on page 435.)
Customizing AAA with “Globs” and Groups
“Globbing” lets you classify users by username or media access control (MAC) address for different AAA treatments. A user glob is a string, possibly containing wildcards, for matching AAA and IEEE 802.1X authentication methods to a user or set of users. The WX switch supports the following wildcard characters for user globs:
Single asterisk (*) matches the characters in a username up to but not including a separator character, which can be an at (@) sign or a period (.).
Double asterisk (**) matches all usernames.
In a similar fashion, MAC address globs match authentication methods to a MAC address or set of MAC addresses. For details, see “User Globs, MAC Address Globs, and VLAN Globs” on page 30.
A user group is a named collection of users or MAC addresses sharing a common authorization policy. For example, you might group all users on the first floor of building 17 into the group bldg-17-1st-floor, or group all users in the IT group into the group infotech-people. Individual user entries override group entries if they both configure the same attribute.
(For information about configuring users and user groups, see “Adding and Clearing Local Users for Administrative Access” on page 59.)
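The two wildcard rules above, as an added Python illustration (this is not MSS or 3Com code). It assumes a glob must cover the whole username, and that every non-asterisk character, including the backslash in a glob such as EXAMPLE\*, is matched literally.

```python
import re

# Separator characters named in the glob rules: a single * stops before these.
SEPARATORS = "@."


def glob_to_regex(user_glob: str) -> re.Pattern:
    """Translate an MSS-style user glob into an anchored regular expression.

    Rules implemented (from the text above):
      **  matches any username, separators included
      *   matches any run of characters up to but not including @ or .
    Every other character in the glob is matched literally (assumption).
    """
    parts = []
    i = 0
    while i < len(user_glob):
        if user_glob.startswith("**", i):
            parts.append(".*")
            i += 2
        elif user_glob[i] == "*":
            parts.append("[^" + re.escape(SEPARATORS) + "]*")
            i += 1
        else:
            parts.append(re.escape(user_glob[i]))
            i += 1
    return re.compile("^" + "".join(parts) + "$")


def glob_matches(user_glob: str, username: str) -> bool:
    """True if the whole username is covered by the glob."""
    return glob_to_regex(user_glob).match(username) is not None


def users_covered(user_glob: str, usernames) -> list:
    """Which of the given usernames an accounting or authentication rule
    written with this glob would apply to (order preserved)."""
    return [u for u in usernames if glob_matches(user_glob, u)]


if __name__ == "__main__":
    # Constructed sample usernames, not taken from the guide.
    sample = ["natasha", "EXAMPLE\\bob", "EXAMPLE\\bob.smith", "alice@example.com"]
    for g in ("*", "**", "EXAMPLE\\*", "*@example.com"):
        print(f"{g:16} -> {users_covered(g, sample)}")
```

A bare * therefore never matches a domain-qualified name such as alice@example.com; a rule meant for every user must use **.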
Setting User Passwords
Like usernames, passwords are case-sensitive. To make passwords secure, make sure they contain uppercase and lowercase letters and numbers. 3Com recommends that all users create passwords that are memorable to themselves, difficult for others to guess, and not subject to a dictionary attack.
User passwords are automatically encrypted when entered in the local database. However, the encryption is not strong. It is designed only to discourage someone looking over your shoulder from memorizing your password as you display the configuration. To maintain security, MSS displays only the encrypted form of the password in display commands.
Although MSS allows you to configure a user password for the special “last-resort” guest user, the password has no effect. Last-resort users can never access a WX in administrative mode and never require a password.
Adding and Clearing Local Users for Administrative Access

Usernames and passwords can be stored locally on the WX switch. 3Com recommends that you enforce console authentication after the initial configuration to prevent anyone with unauthorized access to the console from logging in. The local database on the WX switch is the simplest way to store user information in a 3Com system.
To configure a user in the local database, type the following command:
set user username password [encrypted] password
For example, to configure user Jose with the password spRin9 in the local database on the WX switch, type the following command:
WX1200# set user Jose password spRin9
success: User Jose created
To clear a user from the local database, type the following command:
clear user username

Configuring Accounting for Administrative Users

Accounting allows you to track network resources. Accounting records can be updated for three important events: when the user is first connected, when the user roams from one MAP to another, and when the user terminates his or her session. The default for accounting is off.
To configure accounting for administrative logins, use the following command:
set accounting {admin | console} {user-glob} {start-stop | stop-only} method1 [method2] [method3] [method4]
To configure accounting for administrative logins over the network at EXAMPLE, enter the following command:
set accounting admin EXAMPLE\* {start-stop | stop-only} aaa-method
You can select either start-stop or stop-only accounting modes. The stop-only mode sends only stop records, whereas start-stop sends both start and stop records, effectively doubling the number of accounting records. In most cases, stop-only is entirely adequate for administrative accounting, because a stop record contains all the information you might need about a session.
In the set accounting command, you must include AAA methods that specify whether to use the local database or RADIUS server to receive the accounting records. Specify local, which causes the processing to be done on the WX switch, or specify a RADIUS server group. For information about configuring a RADIUS server group, see “Configuring RADIUS Server Groups” on page 524.
For example, you can set accounting for administrative users using the start-stop mode via the local database:
WX1200# set accounting admin EXAMPLE\* start-stop local
success: change accepted.
The accounting records show the date and time of activity, the user’s status and name, and other attributes. The display accounting statistics command displays accounting records for administrative users after they have logged in to the WX switch.
(For information about network user accounting, see “Configuring Accounting for Wireless Network Users” on page 504. For information and an output example for the display accounting statistics command, see the Wireless LAN Switch and Controller Command Reference.)


Displaying the AAA Configuration

To display your AAA configuration, type the following command:
WX1200# display aaa
Default Values
authport=1812 acctport=1813 timeout=5 acct-timeout=5
retrans=3 deadtime=0 key=(null) author-pass=(null)
Radius Servers
Server Addr Ports T/o Tries Dead State
---------------------------------------------------------------
r1 192.168.253.1 1812 1813 5 3 0 UP
Server groups
sg1: r1
set authentication console * local
set authentication admin * local
set accounting admin Geetha stop-only local
set accounting admin * start-stop local
user Geetha Password = 1214253d1d19 (encrypted)
(For information about the fields in the output, see the Wireless LAN
Switch and Controller Command Reference.)

Saving the Configuration

You must save the configuration for all commands that you enter and want to use for future sessions. After you enter the administrator’s AAA configuration, type the following command to maintain these commands in WX nonvolatile memory:
WX1200# save config
success: configuration saved.
You can also specify a filename for the configuration—for example, configday. To do this, type the following command:
WX1200# save config configday
Configuration saved to configday.
You must type the save config command to save all configuration changes since the last time you rebooted the WX switch or saved the configuration. If the WX switch is rebooted before you have saved the configuration, all changes are lost.
You can also type the load config command, which reloads the WX switch to the last saved configuration or loads a particular configuration filename. (For more information, see “Managing Configuration Files” on page 609.)

Administrative AAA Configuration Scenarios

The following scenarios illustrate typical configurations for administrative and local authentication. For all scenarios, the administrator is Natasha with the password m@Jor. (For RADIUS server configuration details, see Chapter 22, “Configuring Communication with RADIUS,” on page 519.)
“Local Authentication” on page 62
“Local Authentication for Console Users and RADIUS Authentication for Telnet Users” on page 62
“Local Override and Backup Local Authentication” on page 64
“Authentication When RADIUS Servers Do Not Respond” on page 63
Local Authentication

The first time you access a WX switch, it requires no authentication. (For more information, see “First-Time Configuration via the Console” on page 55.) In this scenario, after the initial configuration of the WX switch, Natasha is connected through the console and has enabled access.
To enable local authentication for a console user, you must configure a local username. Natasha types the following commands in this order:
WX1200# set user natasha password m@Jor
User natasha created
WX1200# set authentication console * local
success: change accepted.
WX1200# save config
success: configuration saved.

Local Authentication for Console Users and RADIUS Authentication for Telnet Users
This scenario illustrates how to enable local authentication for console users and RADIUS authentication for Telnet administrative users. To do so, you configure at least one local username for console authentication and set up a RADIUS server for Telnet administrators. Natasha types the following commands in this order:
WX1200# set user natasha password m@Jor
User natasha created
WX1200# set authentication console * local
success: change accepted.
WX1200# set radius server r1 address 192.168.253.1 key sunFLOW#$
success: change accepted.
Natasha also adds the RADIUS server (r1) to the RADIUS server group sg1, and configures Telnet administrative users for authentication through the group. She types the following commands in this order:
WX1200# set server group sg1 members r1
success: change accepted.
WX1200# set user admin attr service-type 6
success: change accepted.
WX1200# set authentication admin * sg1
success: change accepted.
WX1200# save config
success: configuration saved.
If the service-type is not set to 6 (Administrative), the user will not be able to enter “enable” mode commands.
Authentication When RADIUS Servers Do Not Respond
This scenario illustrates how to enable RADIUS authentication for both console and administrative users, but to unconditionally allow access for administrative and console users if the RADIUS server (in this case, server r1 in server group sg1) does not respond. To configure unconditional authentication, Natasha sets the authentication method to none. She types the following commands in this order:
WX1200# set user natasha password m@Jor
User natasha created
WX1200# set radius server r1 address 192.168.253.1 key sunFLOW#$
success: change accepted.
WX1200# set server group sg1 members r1
success: change accepted.
WX1200# set authentication console * sg1 none
success: change accepted.
WX1200# set user admin attr service-type 6
success: change accepted.
WX1200# set authentication admin * sg1 none
success: change accepted.
WX1200# save config
success: configuration saved.
Local Override and Backup Local Authentication
This scenario illustrates how to enable local override authentication for console users. Local override means that MSS attempts authentication first via the local database. If it finds no match for the user in the local database, MSS then tries a RADIUS server—in this case, server r1 in server group sg1. Natasha types the following commands in this order:
WX1200# set user natasha password m@Jor
User natasha created
WX1200# set radius server r1 address 192.168.253.1 key sunFLOW#$
success: change accepted.
WX1200# set server group sg1 members r1
success: change accepted.
WX1200# set authentication console * local sg1
success: change accepted.
WX1200# save config
success: configuration saved.
Natasha also enables backup RADIUS authentication for Telnet administrative users. If the RADIUS server does not respond, the user is authenticated by the local database in the WX switch. Natasha types the following commands:
WX1200# set authentication admin * sg1 local
success: change accepted.
WX1200# save config
success: configuration saved.
The order in which Natasha enters authentication methods in the set authentication command determines the method MSS attempts first.
The local database is the first method attempted for console users and the last method attempted for Telnet administrators.
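The method-ordering rule above, applied to the three scenarios (local override, backup local, and sg1 followed by none), as an added Python simulation that is not MSS code. It assumes that a method is skipped only when the local database has no entry for the user or the RADIUS server group does not answer, and that an explicit reject from any method ends the attempt; the usernames and passwords other than natasha/m@Jor are constructed.

```python
from dataclasses import dataclass

# Outcomes a single method can produce. Only NO_MATCH (no local entry) and
# NO_RESPONSE (RADIUS group silent) fall through to the next method.
ACCEPT, REJECT, NO_MATCH, NO_RESPONSE = "accept", "reject", "no-match", "no-response"


@dataclass
class LocalDatabase:
    users: dict  # username -> password, as set with "set user ... password ..."

    def authenticate(self, username, password):
        if username not in self.users:
            return NO_MATCH
        return ACCEPT if self.users[username] == password else REJECT


@dataclass
class RadiusServerGroup:
    name: str
    users: dict            # what the (constructed) RADIUS server would accept
    responding: bool = True

    def authenticate(self, username, password):
        if not self.responding:
            return NO_RESPONSE
        return ACCEPT if self.users.get(username) == password else REJECT


class NoneMethod:
    """The administrative-access method 'none': allows access unconditionally."""

    def authenticate(self, username, password):
        return ACCEPT


def authenticate(methods, username, password):
    """Try each (name, method) pair in the configured order.

    Returns (result, name_of_deciding_method). Falls through only on NO_MATCH
    or NO_RESPONSE; an explicit REJECT stops the chain (assumption). If every
    method falls through, the login is rejected with method None.
    """
    for name, method in methods:
        result = method.authenticate(username, password)
        if result in (ACCEPT, REJECT):
            return result, name
    return REJECT, None


def build_scenarios(radius_up: bool):
    """Method lists equivalent to the scenarios' set authentication commands."""
    local = LocalDatabase({"natasha": "m@Jor"})
    sg1 = RadiusServerGroup("sg1", {"ivan": "radius-pw"}, responding=radius_up)
    return {
        # set authentication console * local sg1   (local override)
        "console": [("local", local), ("sg1", sg1)],
        # set authentication admin * sg1 local     (backup local)
        "admin-backup": [("sg1", sg1), ("local", local)],
        # set authentication admin * sg1 none      (allow when RADIUS is silent)
        "admin-none": [("sg1", sg1), ("none", NoneMethod())],
    }


if __name__ == "__main__":
    for up in (True, False):
        cfg = build_scenarios(radius_up=up)
        print(f"RADIUS responding: {up}")
        print("  console natasha  ->", authenticate(cfg["console"], "natasha", "m@Jor"))
        print("  console ivan     ->", authenticate(cfg["console"], "ivan", "radius-pw"))
        print("  admin-backup     ->", authenticate(cfg["admin-backup"], "natasha", "m@Jor"))
        print("  admin-none guest ->", authenticate(cfg["admin-none"], "guest", "x"))
```

Note the difference the order makes: with sg1 listed first, natasha's local entry is consulted only while RADIUS is silent, and with none listed after sg1 any credentials are accepted as soon as RADIUS stops answering.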

4 MANAGING USER PASSWORDS
This chapter describes how to manage user passwords, configure user passwords, and how to display password information.

Overview

3Com recommends that all users create passwords that are memorable to themselves, difficult for others to guess, and not subject to a dictionary attack.
By default, user passwords are automatically encrypted when entered in the local database. However, the encryption is not strong. It is designed only to discourage someone looking over your shoulder from memorizing your password as you display the configuration. To maintain security, MSS displays only the encrypted form of the password in display commands.
Optionally, you can configure MSS so that the following additional restrictions apply to user passwords:
Passwords must be a minimum of 10 characters in length, and a mix of uppercase letters, lowercase letters, numbers, and special characters, including at least two of each (for example, Tre%Pag32!).
A user cannot reuse any of his or her 10 previous passwords (not applicable to network users).
When a user changes his or her password, at least 4 characters must be different from the previous password.
A user password expires after a configurable amount of time.
A user is locked out of the system after a configurable number of failed login attempts. When this happens, a trap is generated and an alert is logged. (Administrative users can gain access to the system through the console even when the account is locked.)
Only one unsuccessful login attempt is allowed in a 10-second period for a user or session.
All administrative logins, logouts, logouts due to idle timeout, and disconnects are logged.
The audit log file on the WX switch (command_audit.cur) cannot be deleted, and attempts to delete log files are recorded.
These restrictions are disabled by default.

Configuring Passwords

Setting Passwords for Local Users

This section describes the following tasks:
Setting a password for a user in the local database
Enabling restrictions on password usage
Setting the maximum number of failed login attempts for a user
Specifying the minimum allowable password length
Setting the length of time before password expiration
Restoring access to a user that has been locked out of the system
To configure a user’s password in the local database, type the following command:
set user username password [encrypted] password
For example, to configure user Jose with the password spRin9 in the local database on the WX, type the following command:
WX# set user Jose password spRin9
success: User Jose created
The encrypted option indicates that the password string you are entering is the encrypted form of the password. Use this option only if you do not want MSS to encrypt the password for you.
By default, usernames and passwords in the local database are not case-sensitive, which reduces the effective strength of any password; passwords become case-sensitive when you activate password restrictions, as described in the following section.
To clear a user from the local database, type the following command:
clear user username
Enabling Password Restrictions
To activate password restrictions for network and administrative users, use the following command:
set authentication password-restrict {enable | disable}
When this command is enabled, the following password restrictions take effect:
- Passwords must be a minimum of 10 characters in length, and a mix of uppercase letters, lowercase letters, numbers, and special characters, including at least two of each (for example, Tre%Pag32!).
- A user cannot reuse any of his or her 10 previous passwords (not applicable to network users).
- When a user changes his or her password, at least 4 characters must be different from the previous password.
The password restrictions are disabled by default. When you enable them, MSS evaluates the passwords configured on the WX and displays a list of users whose password does not meet the restriction on length and character types.
For example, to enable password restrictions on the WX switch, type the following command:
WX# set authentication password-restrict enable
warning: the following users have passwords that do not have at least 2 each of upper-case letters, lower-case letters, numbers and special characters
dan admin user1 user2 goofball dang
success: change accepted.
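Before enabling password-restrict on a switch with many local users, it is useful to run the same rules offline against the passwords you intend to push, so that the warning above does not surprise you. The following Python script is an added example, not part of this manual or of MSS; it implements the three restrictions listed above as written. Two details the text does not specify are assumptions: the "special character" set is Python's string.punctuation, and the "at least 4 characters different" rule is evaluated position by position, with any change in length counted as changed characters.

```python
"""Offline checker for the MSS password restrictions described in this section.

Added example, not 3Com or MSS code.  Assumptions (not stated by the manual):
  - "special characters" means string.punctuation
  - "characters different from the previous password" is a position-wise
    comparison, plus any difference in length
"""
import string

MIN_LENGTH = 10        # minimum password length under password-restrict
MIN_PER_CLASS = 2      # at least two of each character class
HISTORY_DEPTH = 10     # cannot reuse any of the 10 previous passwords
MIN_CHANGED = 4        # at least 4 characters must differ from the previous one

CLASSES = {
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "special": set(string.punctuation),   # assumption, see module docstring
}


def class_counts(password):
    """Number of characters from each class present in the password."""
    return {name: sum(1 for c in password if c in chars) for name, chars in CLASSES.items()}


def check_complexity(password):
    """Violations of the length / character-class rule; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    for name, count in class_counts(password).items():
        if count < MIN_PER_CLASS:
            problems.append(f"fewer than {MIN_PER_CLASS} {name} characters")
    return problems


def chars_changed(old, new):
    """Position-wise count of differing characters (assumed interpretation)."""
    return sum(1 for a, b in zip(old, new) if a != b) + abs(len(old) - len(new))


def check_change(new, history, network_user=False):
    """Check a password change.  history lists previous passwords, most recent first.

    The reuse rule is skipped for network users because the text says it does not
    apply to them; the minimum-change rule is still applied to everyone.
    """
    problems = check_complexity(new)
    if history:
        if not network_user and new in history[:HISTORY_DEPTH]:
            problems.append(f"reuses one of the last {HISTORY_DEPTH} passwords")
        if chars_changed(history[0], new) < MIN_CHANGED:
            problems.append(f"fewer than {MIN_CHANGED} characters differ from the previous password")
    return problems


def audit_users(users):
    """Names whose password would be reported when password-restrict is enabled.

    users maps username -> cleartext password (i.e. the passwords you are about
    to configure, not the encrypted strings the switch stores).
    """
    return [name for name, pw in users.items() if check_complexity(pw)]


if __name__ == "__main__":
    # constructed sample data, not taken from any real switch
    sample = {"dan": "spRin9", "admin": "Tre%Pag32!", "user1": "Password1!"}
    print("would be warned about:", audit_users(sample))
    print("change check:", check_change("Tre%Pag33!", ["Tre%Pag32!"]))
```

The manual's own example password, Tre%Pag32!, passes check_complexity; the password spRin9 used earlier on this page fails on length and on three of the four character classes, which is exactly why it would appear in the warning list.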
Setting the Maximum Number of Login Attempts
To specify the maximum number of login attempts users can make before being locked out of the system, use the following command:
set authentication max-attempts number
For Telnet or SSH sessions, a maximum of 4 failed login attempts are allowed by default. For console or network sessions, an unlimited number of failed login attempts are allowed by default, so set an explicit limit if you want lockout, and the trap it generates, to apply to those sessions as well.
You can specify a number between 0 – 2147483647. Specifying 0 causes the number of allowable login attempts to reset to the default values.
If a user is locked out of the system, you can restore the user’s access with the clear user lockout command. (See “Restoring Access to a Locked-Out User” on page 70.)
For example, to allow users a maximum of 3 attempts to log into the system, type the following command:
WX# set authentication max-attempts 3
success: change accepted.
Specifying Minimum Password Length
To specify the minimum allowable length for user passwords, use the following command:
set authentication minimum-password-length length
You can specify a minimum password length between 0 – 32 characters. Specifying 0 removes the restriction on password length. By default, there is no minimum length for user passwords. When this command is configured, you cannot configure a password shorter than the specified length.
When you enable this command, MSS evaluates the passwords configured on the WX switch and displays a list of users whose password does not meet the minimum length restriction.
For example, to set the minimum length for user passwords at 7 characters, type the following command:
WX# set authentication minimum-password-length 7
warning: the following users have passwords that are shorter than the minimum password length
dan admin user2 goofball
success: change accepted.
Configuring Password Expiration Time
To specify how long a user’s password is valid before it must be reset, use the following command:
set user username expire-password-in time
To specify how long the passwords are valid for users in a user group, use the following command:
set usergroup group-name expire-password-in time
By default, user passwords do not expire. You can use this command to specify how long a specified user’s password is valid. After this amount of time, the user’s password expires, and a new password will have to be set. The amount of time can be specified in days (for example, 30 or 30d), hours (720h), or a combination of days and hours (30d12h).
For example, the following command sets user Student1’s password to be valid for 30 days:
WX# set user Student1 expire-password-in 30
success: change accepted.
The following command sets user Student1’s password to be valid for 30 days and 15 hours:
WX# set user Student1 expire-password-in 30d15h
success: change accepted.
The following command sets user Student1’s password to be valid for 720 hours:
WX# set user Student1 expire-password-in 720h
success: change accepted.
The following command sets the passwords for the users in user group cardiology to be valid for 30 days:
WX# set usergroup cardiology expire-password-in 30
success: change accepted.
Restoring Access to a Locked-Out User
If a user’s password has expired, or the user is unable to log in within the
configured limit for login attempts, then the user is locked out of the system, and cannot gain access without the intervention of an administrator.
To restore access to a user who had been locked out of the system, use the following command:
clear user username lockout
If a user has been locked out of the system because of an expired password, you must first assign the user a new password before you can restore access to the user.
The following command restores access to user Nin, who had previously been locked out of the system:
WX# clear user Nin lockout
success: change accepted.
Displaying Password Information
User password information can be displayed with the display aaa command. For example:
WX# display aaa
...
set authentication password-restrict enable
set authentication minimum-password-length 10
...
user bob
  Password = 00121a08015e1f (encrypted)
  Password-expires-in = 59 hours (2 days 11 hours)
  status = disabled
  vlan-name = default
  service-type = 7
(For details on displaying passwords, see the Wireless LAN Switch and Controller Command Reference.)
5 CONFIGURING AND MANAGING PORTS AND VLANS

This chapter describes how to configure and manage ports and VLANs.

Configuring and Managing Ports

You can configure and display information for the following port parameters:
- Port type
- Name
- Speed and autonegotiation
- Port state
- Power over Ethernet (PoE) state
- Load sharing

Setting the Port Type
A WX switch port can be one of the following types:
- Network port. A network port is a Layer 2 switch port that connects the WX switch to other networking devices such as switches and routers.
- MAP access port. A MAP access port connects the WX switch to a MAP. The port also can provide power to the MAP. Wireless users are authenticated to the network through a MAP access port.
  A Distributed MAP, which is connected to WX switches through intermediate Layer 2 or Layer 3 networks, does not use a MAP access port. To configure for a Distributed MAP, see “Configuring a MAP Connection” on page 74 and Chapter 10, “Configuring MAP Access Points,” on page 177.
- Wired authentication port. A wired authentication port connects the WX switch to user devices, such as workstations, that must be authenticated to access the network.
72 CHAPTER 5: CONFIGURING AND MANAGING PORTS AND VLANS
All WX switch ports are network ports by default. You must set the port type for ports directly connected to MAP access ports and to wired user stations that must be authenticated to access the network. When you change port type, MSS applies default settings appropriate for the port type. Table 5 lists the default settings applied for each port type. For example, the MAP column lists default settings that MSS applies when you change a port type to ap (MAP).
Table 5 Port Defaults Set by Port Type Change

VLAN membership
  MAP access: Removed from all VLANs. You cannot assign a MAP access port to a VLAN. MSS automatically assigns MAP access ports to VLANs based on user traffic.
  Wired authentication: Removed from all VLANs. You cannot assign a wired authentication port to a VLAN. MSS automatically assigns wired authentication ports to VLANs based on user traffic.
  Network: None. Note: If you clear a port, MSS resets the port as a network port but does not add the port back to any VLANs. You must explicitly add the port to the desired VLAN(s).
Spanning Tree Protocol (STP)
  MAP access: Not applicable
  Wired authentication: Not applicable
  Network: Based on the STP states of the VLANs the port is in.
802.1X
  MAP access: Uses authentication parameters configured for users.
  Wired authentication: Uses authentication parameters configured for users.
  Network: No authentication.
Port groups
  MAP access: Not applicable
  Wired authentication: Not applicable
  Network: None
IGMP snooping
  MAP access: Enabled as users are authenticated and join VLANs.
  Wired authentication: Enabled as users are authenticated and join VLANs.
  Network: Enabled as the port is added to VLANs.
Maximum user sessions
  MAP access: Not applicable
  Wired authentication: 1 (one)
  Network: Not applicable
Table 6 lists how many MAPs you can configure on a WX switch, and how many MAPs a switch can boot. The numbers are for directly connected and Distributed MAPs combined.
Table 6 Maximum MAPs Supported Per Switch

WX Switch Model  Maximum Configured  Maximum Booted
WX4400           300                 24, 48, 72, 96, or 120, depending on the license.
WX2200           320                 24, 48, 72, 96, or 120, depending on the license.
WX1200           30                  12
WXR100           8                   3
Setting a Port for a Directly Connected MAP
Before configuring a port as a MAP access port, you must use the set system countrycode command to set the IEEE 802.11 country-specific
regulations on the WX switch. (See “Specifying the Country of Operation” on page 213.)
Some MSS features that work with directly connected MAPs require a port number to be specified. For this purpose, you can optionally specify the port number attached to a directly connected MAP.
To set a port for a MAP, use the following command:
set port type ap port-list model {2330 | 2330A | AP2750 | AP3150 | AP3750 | mp-52 | mp-241 | mp-252 | mp-262 | mp-341 | mp-352 | mp-372 | mp-372-CN | mp-372-JP | mp422 | mp620} poe {enable | disable} [radiotype {11a | 11b | 11g}]
You must specify a port list of one or more port numbers, the MAP model number, and the PoE state. (For details about port lists, see “Port Lists” on page 32.)
MAP models AP2750, MP-241, and MP-341 have a single radio that can be configured for 802.11b/g. Other MAP models have two radios. On two-radio models, one radio is always 802.11a. The other radio is
802.11b/g, but can be configured for 802.11b or 802.11g exclusively. If the country of operation specified by the set system countrycode command does not allow 802.11g, the default is 802.11b.
Models MP-52, MP-241, MP-252, MP-262, MP-341, and MP-352 have been discontinued but are still supported by the command.
You cannot configure any gigabit Ethernet port, or port 7 or 8 on a WX1200 switch, or port 1 on a WXR100, as a MAP port. To manage a MAP on a switch model that does not have 10/100 Ethernet ports, configure a Distributed MAP connection on the switch. (See “Configuring a MAP Connection” on page 74.)
The radios in the MP-620 require an external antenna, and model MP-262 requires an external antenna for the 802.11b/g radio. The following models have internal antennas but also have connectors for optional use of external antennas instead: AP2750, AP3150, AP3750, AP7250, AP8250, AP8750, MP-372, MP-372-CN, and MP-372-JP. (Antenna support on a specific model is limited to the antennas certified for use with that model.) To specify the antenna model, use the set {ap | dap} radio antennatype command.
To set ports 4 through 6 for MAP model AP2750 and enable PoE on the ports, type the following command:
WX1200# set ap <apnum> port <port> model <ap_type> [ poe <enable | disable> ]
This may affect the power applied on the configured ports. Would you like to continue? (y/n) [n]y
success: change accepted.
Additional configuration is required to place a MAP into operation. For information, see Chapter 10, “Configuring MAP Access Points,” on page 177.
Configuring a MAP Connection
To configure a connection for a MAP (referred to as an AP in the CLI), use the following command:
set ap apnumber serial-id serial-ID model {2230 | 2230A | AP7250 | AP3150 | AP3750 | mp-52 | mp-241 | mp-252 | mp-262 | mp-341 | mp-352 | mp-372 | mp-372-CN | mp-422 | mp620} [radiotype {11a | 11b| 11g}]
The apnumber refers to an index value that identifies the MAP on the WX switch. This value does not have to be related to the port to which the MAP is connected.
The range of valid apnumber values depends on the WX model. Table 7 lists the ranges for each WX model.
Table 7 Valid apnumber Values

Switch Model  Valid Range
WX4400        1 to 300
WX2200        1 to 320
WX1200        1 to 30
WXR100        1 to 8
For the serial-id parameter, specify the serial ID of the MAP. The serial ID is listed on the MAP case. To display the serial ID using the CLI, use the display version details command.
The model and radiotype parameters have the same options as they do with the set port type ap command. Because the WX does not supply power to an indirectly connected MAP, the set ap command does not use the poe parameter.
To configure a connection for MAP 1, which is a MAP model MP-372 with serial-ID 0322199999, type the following command:
WX# set ap 1 serial-id 0322199999 model mp-372
success: change accepted.
Setting a Port for a Wired Authentication User
To set a port for a wired authentication user, use the following command:
set port type wired-auth port-list [tag tag-list] [max-sessions num]
You must specify a port list. Optionally, you also can specify a tag-list to subdivide the port into virtual ports, and set the maximum number of simultaneous user sessions that can be active on the port. By default, one user session can be active on the port at a time.
The fallthru authentication type is used if the user does not support 802.1X and is not authenticated by MAC authentication. The default is none, which means the user is automatically denied access if neither 802.1X authentication nor MAC authentication is successful.
To set port 7 as a wired authentication port, type the following command:
WX1200# set port type wired-auth 7
success: change accepted
This command configures port 7 as a wired authentication port supporting one interface and one simultaneous user session.
For 802.1X clients, wired authentication works only if the clients are directly attached to the wired authentication port, or are attached through a hub that does not block forwarding of packets from the client to the PAE group address (01:80:c2:00:00:03). Wired authentication works in accordance with the 802.1X specification, which prohibits a client from sending traffic directly to an authenticator’s MAC address until the client is authenticated. Instead of sending traffic to the authenticator’s MAC address, the client sends packets to the PAE group address. The 802.1X specification prohibits networking devices from forwarding PAE group address packets, because this would make it possible for multiple authenticators to acquire the same client.
For non-802.1X clients, who use MAC authentication, WebAAA, or last-resort authentication, wired authentication works if the clients are directly attached or indirectly attached.
If clients are connected to a wired authentication port through a downstream third-party switch, the WX switch attempts to authenticate based on any traffic coming from the switch, such as Spanning Tree Protocol (STP) BPDUs. In this case, disable repetitive traffic emissions such as STP BPDUs from downstream switches. If you want to provide a management path to a downstream switch, use MAC authentication.
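The three paragraphs above come down to what a frame's destination address means on a wired authentication port: EAPOL goes to the PAE group address and is dropped by any bridge in the path, STP BPDUs from a downstream switch trigger authentication attempts, and anything else is a candidate for MAC authentication or the fallthru method. The following Python script is an added example, not 3Com or MSS code: it builds a constructed EAPOL-Start frame the way a supplicant sends it, decides whether a conforming bridge would relay a frame, and classifies frames the way the text describes. It goes slightly beyond the page by treating the whole 802.1D reserved block 01:80:c2:00:00:00 to 0f as non-relayed, which is where the PAE group address sits; the frame contents are constructed samples.

```python
"""Frame classification on a wired authentication port.

Added example, not 3Com or MSS code.  All frames are constructed samples.
"""
import struct

PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")   # 802.1X PAE group address
STP_GROUP_ADDR = bytes.fromhex("0180c2000000")   # 802.1D bridge group address (STP BPDUs)
RESERVED_PREFIX = bytes.fromhex("0180c20000")    # 802.1D reserved block, last octet 00..0f
ETHERTYPE_EAPOL = 0x888E
ETHERTYPE_IPV4 = 0x0800
EAPOL_VERSION = 1                                # 802.1X-2001 protocol version
EAPOL_TYPE_START = 1


def build_eapol_start(src_mac):
    """EAPOL-Start as a supplicant sends it: to the PAE group address, never to the authenticator's MAC."""
    eapol = struct.pack("!BBH", EAPOL_VERSION, EAPOL_TYPE_START, 0)   # version, type, body length 0
    return PAE_GROUP_ADDR + src_mac + struct.pack("!H", ETHERTYPE_EAPOL) + eapol


def parse_ethernet(frame):
    """Split an Ethernet frame into (dst, src, type_or_length, payload)."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    etype = struct.unpack("!H", frame[12:14])[0]
    return frame[:6], frame[6:12], etype, frame[14:]


def bridge_may_relay(frame):
    """False for destinations in the 802.1D reserved block, which a conforming MAC bridge does not relay.

    This is why a switch between client and WX breaks 802.1X (the EAPOL frames
    never arrive) while a plain hub, which repeats everything, does not.
    """
    dst = frame[:6]
    return not (dst[:5] == RESERVED_PREFIX and dst[5] <= 0x0F)


def classify_on_wired_auth_port(frame):
    """What a frame arriving on a wired-auth port means to the authenticator.

    'eapol' -> an 802.1X exchange can proceed
    'bpdu'  -> STP from a downstream switch; MSS would attempt authentication on
               every BPDU, which is why the text says to disable them
    'other' -> candidate for MAC authentication, WebAAA or last-resort
    """
    dst, _src, etype, _payload = parse_ethernet(frame)
    if dst == PAE_GROUP_ADDR and etype == ETHERTYPE_EAPOL:
        return "eapol"
    if dst == STP_GROUP_ADDR:
        return "bpdu"
    return "other"


def sample_frames():
    """Constructed frames: an EAPOL-Start, a BPDU-shaped 802.3 frame (LLC 42 42 03 plus a placeholder body), and an IPv4 broadcast."""
    client = bytes.fromhex("001122334455")
    switch = bytes.fromhex("00aabbccddee")
    bpdu = STP_GROUP_ADDR + switch + struct.pack("!H", 38) + bytes.fromhex("424203") + bytes(35)
    ipv4 = bytes.fromhex("ffffffffffff") + client + struct.pack("!H", ETHERTYPE_IPV4) + bytes(20)
    return {"eapol": build_eapol_start(client), "bpdu": bpdu, "ipv4": ipv4}


if __name__ == "__main__":
    for name, frame in sample_frames().items():
        print(f"{name:5s} class={classify_on_wired_auth_port(frame):5s} relayed_by_bridge={bridge_may_relay(frame)}")
```

Run as a script it shows the two cases the text warns about side by side: the EAPOL-Start and the BPDU are both non-relayed control frames, but only the first one lets the port complete an 802.1X exchange.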
Clearing a Port
To change a port’s type from MAP access port or wired authentication port, you must first clear the port, then set the port type.
CAUTION: When you clear a port, MSS ends user sessions on the port.
Clearing a port removes all the port’s configuration settings and resets the port as a network port.
- If the port is a MAP access port, clearing the port disables PoE and 802.1X authentication.
- If the port is a wired authentication port, clearing the port disables 802.1X authentication.
- If the port is a network port, the port must first be removed from all VLANs, which removes the port from all spanning trees, load-sharing port groups, and so on.
A cleared port is not placed in any VLANs, not even the default VLAN (VLAN 1).
To clear a port, use the following command:
clear port type port-list
For example, to clear the port-related settings from port 5 and reset the port as a network port, type the following command:
WX1200# clear port type 5
This may disrupt currently authenticated users. Are you sure? (y/n) [n]y
success: change accepted.
Clearing a Distributed MAP
To clear a Distributed MAP, use the following command:
clear ap apnumber
Configuring a Port Name
Each WX switch port has a number but does not have a name by default.
Setting a Port Name
To set a port name, use the following command:
set port port name name
You can specify only a single port number with the command.
To set the name of port 2 to adminpool, type the following command:
WX1200# set port 2 name adminpool
success: change accepted.
To avoid confusion, 3Com recommends that you do not use numbers as port names.
Removing a Port Name
To remove a port name, use the following command:
clear port port-list name
Configuring Interface Preference on a Dual-Interface Gigabit Ethernet Port (WX4400 only)
The gigabit Ethernet ports on a WX4400 have two physical interfaces: a 1000BASE-TX copper interface and a 1000BASE-SX or 1000BASE-LX fiber interface. The copper interface is provided by a built-in RJ-45 connector. The fiber interface is optional and requires insertion of a Gigabit interface converter (GBIC).
Only one interface can be active on a port. By default, MSS prefers the GBIC (fiber) interface. You can configure a port to prefer the RJ-45 (copper) interface instead.
If you set the preference to RJ-45 on a port that already has an active fiber link, MSS immediately changes the link to the copper interface.
To disable the fiber interface and enable the copper interface on a WX4400 port, use the following command:
set port media-type port-list rj45
To disable the copper interface and reenable the fiber interface on a WX4400 port, use the following command:
clear port media-type port-list
To display the enabled interface type for each port, use the following command:
display port media-type [port-list]
To disable the fiber interface and enable the copper interface of port 2 on a WX4400 switch and verify the change, type the following commands:
WX4400# set port media-type 2 rj45
WX4400# display port media-type
Port  Media Type
===========================================================
1     GBIC
2     RJ45
3     GBIC
4     GBIC
Configuring Port Operating Parameters
Autonegotiation is enabled by default on a WX switch’s 10/100 Ethernet ports and gigabit Ethernet ports.
You can configure the following port operating parameters:
- Speed
- Autonegotiation
- Port state
- PoE state
All ports on the WX4400 switches support full-duplex operating mode only. They do not support half-duplex operation. Ports on the WX1200 switch support half-duplex and full-duplex operation.
3Com recommends that you do not configure the mode of a WX port so that one side of the link is set to autonegotiation while the other side is set to full-duplex. Although MSS allows this configuration, it can result in slow throughput on the link. The slow throughput occurs because the side that is configured for autonegotiation falls back to half-duplex. A stream of large packets sent to a WX port in such a configuration can cause forwarding on the link to stop.
You also can toggle a port’s administrative state and PoE setting off and back on to reset the port.
10/100 Ports—Autonegotiation and Port Speed
WX 10/100 Ethernet ports use autonegotiation by default to determine the appropriate port speed.
To explicitly set the port speed of a 10/100 port, use the following command:
set port speed port-list {10 | 100 | auto}
If you explicitly set the port speed (by selecting an option other than auto) of a 10/100 Ethernet port, the operating mode is set to full-duplex.
MSS allows the port speed of a gigabit port to be set to auto. However, this setting is invalid. If you set the port speed of a gigabit port to auto, the link will stop working.
To set the port speed on ports 1 and 3 through 5 to 10 Mbps, type the following command:
WX1200# set port speed 1,3-5 10
Gigabit Ports — Autonegotiation and Flow Control
WX gigabit ports use autonegotiation by default to determine capabilities for 802.3z flow control parameters. The gigabit ports can respond to IEEE
802.3z flow control packets. Some devices use this capability to prevent packet loss by temporarily pausing data transmission.
To disable flow control negotiation on a WX gigabit port, use the following command:
set port negotiation port-list {enable | disable}
Disabling or Reenabling a Port
All ports are enabled by default. To administratively disable a port, use the following command:
set port {enable | disable} port-list
A port that is administratively disabled cannot send or receive packets. This command does not affect the link state of the port.
Disabling or Reenabling Power over Ethernet
Power over Ethernet (PoE) supplies DC power to a device connected to a MAP access port. The PoE state depends on whether you enable or disable PoE when you set the port type. (See “Setting the Port Type” on page 71.)
CAUTION: Use the WX switch’s PoE only to power 3Com MAPs. If you enable PoE on ports connected to other devices, damage can result.
PoE is supported only on 10/100 Ethernet ports. PoE is not supported on any gigabit Ethernet ports, or on ports 7 and 8 on a WX1200 switch.
To change the PoE state on a port, use the following command:
set ap <apnum> port <portnumb> model <ap_type> poe {enable | disable}
Resetting a Port
You can reset a port by toggling its link state and PoE state. MSS disables the port’s link and PoE (if applicable) for at least one second, then reenables them. This feature is useful for forcing a MAP that is connected to two WX switches to reboot using the port connected to the other switch.
To reset a port, use the following command:
reset port port-list
Displaying Port Information
You can use CLI commands to display the following port information:
- Port configuration and status
- PoE state
- Port statistics
You also can configure MSS to display and regularly update port statistics in a separate window.
Displaying Port Configuration and Status
To display port configuration and status information, use the following command:
display port status [port-list]
To display information for all ports, type the following command:
WX1200# display port status
Port  Name  Admin  Oper  Config  Actual    Type     Media
===============================================================================
1     1     up     up    auto    100/full  network  10/100BaseTx
2     2     up     down  auto              network  10/100BaseTx
3     3     up     down  auto              network  10/100BaseTx
4     4     up     down  auto              network  10/100BaseTx
5     5     up     up    auto    100/full  ap       10/100BaseTx
6     6     up     up    auto    100/full  network  10/100BaseTx
7     7     up     down  auto              network  10/100BaseTx
8     8     up     down  auto              network  10/100BaseTx
In this example, three of the switch’s ports, 1, 5, and 6, have an operational status of up, indicating the links on the ports are available. Ports 1 and 6 are network ports. Port 5 is a MAP access port.
(For more information about the fields in the output, see the Wireless
LAN Switch and Controller Command Reference.)
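Because a network port carries traffic with no authentication at all (Table 5), the display port status output is the quickest way to confirm that every port with an active link has the type you intended. The following Python script is an added example, not 3Com or MSS code: it parses the output shown above into records and compares the live port types against an expected inventory, reporting any port with an active link whose type differs or that is missing from the inventory. The column layout is taken from the single example on this page; the type string wired-auth is an assumption, since only network and ap appear in that output.

```python
"""Parser and inventory check for 'display port status' output.

Added example, not 3Com or MSS code.  The row layout follows the example on
this page; the 'wired-auth' type value is an assumption.
"""
import re

_ROW_RE = re.compile(
    r"^\s*(?P<port>\d+)\s+(?P<name>\S+)\s+(?P<admin>up|down)\s+(?P<oper>up|down)\s+"
    r"(?P<config>\S+)\s+(?:(?P<actual>\d+/(?:full|half))\s+)?"      # Actual is absent when the link is down
    r"(?P<type>network|ap|wired-auth)\s+(?P<media>\S+)\s*$"
)


def parse_port_status(text):
    """Return {port_number: fields}; 'actual' is None for a down link."""
    ports = {}
    for line in text.splitlines():
        m = _ROW_RE.match(line)
        if m:
            row = m.groupdict()
            row["port"] = int(row["port"])
            ports[row["port"]] = row
    return ports


def audit_port_types(ports, expected):
    """Compare live port types with an inventory {port: type}.

    Returns sorted (port, observed_type, expected_type) tuples for every port
    with an active link whose type is not what the inventory says;
    expected_type is None when the port is not in the inventory at all.
    Down links are skipped because they carry no traffic; rerun the check
    after anything is plugged in.
    """
    findings = []
    for number, row in ports.items():
        if row["oper"] != "up":
            continue
        wanted = expected.get(number)
        if wanted != row["type"]:
            findings.append((number, row["type"], wanted))
    return sorted(findings)


# constructed sample, shaped like the display port status output on this page
SAMPLE_STATUS = """\
Port Name Admin Oper Config Actual Type Media
===============================================================================
1 1 up up auto 100/full network 10/100BaseTx
2 2 up down auto network 10/100BaseTx
5 5 up up auto 100/full ap 10/100BaseTx
6 6 up up auto 100/full network 10/100BaseTx
7 7 up down auto network 10/100BaseTx
8 8 up down auto network 10/100BaseTx
"""

if __name__ == "__main__":
    live = parse_port_status(SAMPLE_STATUS)
    inventory = {1: "network", 5: "ap"}           # constructed: port 6 was never documented
    for port, seen, wanted in audit_port_types(live, inventory):
        print(f"port {port}: live type {seen}, inventory says {wanted}")
```

With the constructed inventory, port 6 is reported: it has an active link and is a network port, so anything plugged into it is on the network without authentication, yet nobody recorded it.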
Displaying PoE State
To display the PoE state of a port, use the following command:
display port poe [port-list]
To display PoE information for ports 1 and 3, type the following command:
WX1200# display port poe 1,3
                  Link    Port  PoE       PoE
Port  Name        Status  Type  config    Draw
===================================================
1     1           down    MAP   disabled  off
3     3           up      MAP   enabled   1.44
In this example, PoE is disabled on port 1 and enabled on port 3. The MAP connected to port 3 is drawing 1.44 W of power from the WX switch.
(For more information about the fields in the output, see the Wireless
LAN Switch and Controller Command Reference.)
Displaying Port Statistics
To display port statistics, use the following command:
display port counters [octets | packets | receive-errors | transmit-errors | collisions | receive-etherstats | transmit-etherstats] [port port-list]
You can specify one statistic type with the command. For example, to display octet statistics for port 3, type the following command:
WX1200# display port counters octets port 3
Port  Status  Rx Octets  Tx Octets
===============================================================================
3 Up 27965420 34886544
(For information about the fields in the output, see the Wireless LAN
Switch and Controller Command Reference.)
To display all types of statistics with the same command, use the monitor port counters command. (See “Monitoring Port Statistics” on page 83.)
Clearing Statistics Counters
To clear all port statistics counters, use the following command:
clear port counters
The counters begin incrementing again, starting from 0.
Monitoring Port Statistics
You can display port statistics in a format that continually updates the counters. When you enable monitoring of port statistics, MSS clears the CLI session window and displays the statistics at the top of the window. MSS refreshes the statistics every 5 seconds. This interval cannot be configured.
To monitor port statistics, use the following command:
monitor port counters [octets | packets | receive-errors | transmit-errors | collisions | receive-etherstats | transmit-etherstats]
Statistics types are displayed in the following order by default:
- Octets
- Packets
- Receive errors
- Transmit errors
- Collisions
- Receive Ethernet statistics
- Transmit Ethernet statistics
Each type of statistic is displayed separately. Press the Spacebar to cycle through the displays for each type.
If you use an option to specify a statistic type, the display begins with that statistic type. You can use one statistic option with the command.
Use the keys listed in Table 8 to control the monitor display.
Table 8 Key Controls for Monitor Port Counters Display

Key       Effect on monitor display
Spacebar  Advances to the next statistics type.
Esc       Exits the monitor. MSS stops displaying the statistics and displays a new command prompt.
c         Clears the statistics counters for the currently displayed statistics type. The counters begin incrementing again.
To monitor port statistics beginning with octet statistics (the default), type the following command:
WX1200# monitor port counters
As soon as you press Enter, MSS clears the window and displays statistics at the top of the window. In this example, the octet statistics are displayed first.
Port  Status  Rx Octets  Tx Octets
===============================================================================
1 Up 27965420 34886544
...
To cycle the display to the next set of statistics, press the Spacebar. In this example, packet statistics are displayed next:
Port  Status  Rx Unicast  Rx NonUnicast  Tx Unicast  Tx NonUnicast
===============================================================================
1 Up 54620 62144 68318 62556
...
(For information about the fields in the output, see the Wireless LAN
Switch and Controller Command Reference.)
Configuring Load-Sharing Port Groups
A port group is a set of physical ports that function together as a single link and provide load sharing and link redundancy. Only network ports can participate in a port group.
You can configure up to 8 ports in a port group, in any combination of ports. The port numbers do not need to be contiguous and you can use 10/100 Ethernet ports and gigabit Ethernet ports in the same port group.
Load Sharing
A WX switch balances the port group traffic among the group’s physical ports by assigning traffic flows to ports based on the traffic’s source and destination MAC addresses. The switch assigns a traffic flow to an individual port and uses the same port for all subsequent traffic for that flow.
Link Redundancy
A port group ensures link stability by providing redundant connections for the same link. If an individual port in a group fails, the WX switch reassigns traffic to the remaining ports. When the failed port starts operating again, the WX switch begins using it for new traffic flows. Traffic that belonged to the port before it failed continues to be assigned to other ports.
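The two paragraphs above define the behaviour a port group must have: a flow, identified by its source and destination MAC addresses, is pinned to one port; a failed port's flows move to the remaining ports; and when the port returns only new flows use it. The following Python model is an added example, not 3Com or MSS code, written to make those rules concrete and testable. The manual does not say which hash MSS uses to pick a port, so CRC32 over the two MAC addresses is an assumption chosen purely for illustration; the stickiness and failover rules are the ones stated in the text.

```python
"""Flow-to-port assignment model for a load-sharing port group.

Added example, not 3Com or MSS code.  The hash (CRC32 over src+dst MAC) is an
assumption; the manual documents only that assignment is by MAC pair and sticky.
"""
import zlib
from collections import Counter


class PortGroup:
    def __init__(self, name, ports):
        if not 1 <= len(ports) <= 8:                       # MSS allows up to 8 ports per group
            raise ValueError("a port group holds 1 to 8 ports")
        self.name = name
        self.ports = sorted(ports)
        self.up = set(self.ports)                          # ports with an operational link
        self.flows = {}                                    # (src_mac, dst_mac) -> port carrying it

    def _pick(self, flow):
        """Choose a port for a new (or orphaned) flow among the live ports."""
        live = [p for p in self.ports if p in self.up]
        if not live:
            raise RuntimeError(f"port group {self.name}: no operational ports")
        return live[zlib.crc32(flow[0] + flow[1]) % len(live)]   # assumed hash, see docstring

    def port_for(self, src_mac, dst_mac):
        """Port carrying this flow.  Existing assignments are kept unless their port is down."""
        flow = (src_mac, dst_mac)
        port = self.flows.get(flow)
        if port is None or port not in self.up:
            port = self._pick(flow)
            self.flows[flow] = port
        return port

    def port_down(self, port):
        """A link failed: its flows are reassigned lazily on their next frame."""
        self.up.discard(port)

    def port_up(self, port):
        """A link recovered: only new flows will land on it; moved flows stay where they are."""
        if port in self.ports:
            self.up.add(port)

    def spread(self):
        """How many known flows each port currently carries."""
        return Counter(self.flows.values())


if __name__ == "__main__":
    group = PortGroup("server1", [1, 2, 3, 4, 5])           # the example group from this section
    # constructed MAC pairs: a few clients talking to one server
    server = bytes.fromhex("00aabbccddee")
    clients = [bytes.fromhex(f"0011223344{i:02x}") for i in range(12)]
    for c in clients:
        group.port_for(c, server)
    print("initial spread:", dict(group.spread()))
    group.port_down(1)
    for c in clients:                                      # next frame of each flow
        group.port_for(c, server)
    print("after port 1 failed:", dict(group.spread()))
    group.port_up(1)
    for c in clients:
        group.port_for(c, server)
    print("after port 1 recovered (existing flows stay put):", dict(group.spread()))
```

Two consequences worth noticing when reading the output: after recovery the returned port stays idle until new flows arrive, and a flow in the reverse direction (server to client) is a different MAC pair and can land on a different port than the forward direction.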
Configuring a Port Group
To configure a port group, use the following command:
set port-group name group-name port-list mode {on | off}
Enter a name for the group and the ports contained in the group.
Do not use dashes or hyphens in a port group name. MSS will not display or save the port group. The port group name must start with a letter.
The mode parameter adds or removes ports for a group that is already configured. To modify a group:
- Adding ports — Enter the ports you want to add, then enter mode on.
- Removing ports — Enter the ports you want to remove, then enter mode off.
To configure a port group named server1 containing ports 1 through 5 and enable the link, type the following command:
WX1200# set port-group name server1 1-5 mode on
success: change accepted.
After you configure a port group, you can use the port group name with commands that change Layer 2 configuration parameters to apply configuration changes to all ports in the port group. For example, Spanning Tree Protocol (STP) and VLAN membership changes affect the entire port group instead of individual ports. When you make Layer 2 configuration changes, you can use a port group name in place of the port list. Ethernet port statistics continue to apply to individual ports, not to port groups.
To configure a port group named server2 containing ports 2 and 5 and add the ports to the default VLAN, type the following commands:
WX1200# set port-group name server2 2,5 mode on
success: change accepted.
WX1200# set vlan default port server2
success: change accepted.
To verify the configuration change, type the following command:
WX1200# display vlan config
                       Admin   VLAN   Tunl   Port
VLAN  Name             Status  State  Affin  Port      Tag   State
----  ---------------  ------  -----  -----  --------  ----  -----
1     default          Up      Up     5      server2   none  Up
4094  web-aaa          Up      Up     0      2         4094  Up
The web-aaa VLAN is used by the WebAAA feature and is automatically configured by MSS.
To indicate that the ports are configured as a port group, the display vlan config output lists the port group name instead of the individual
port numbers.
Removing a Port Group
To remove a port group, use the following command:
clear port-group name name
Displaying Port Group Information
To display port group information, use the following command:
display port-group [name group-name]
To display the configuration and status of port group server2, type the following command:
WX1200# display port-group name server2
Port group: server2 is up
Ports: 2, 5
Interoperating with Cisco Systems EtherChannel
Load-sharing port groups are interoperable with Cisco Systems EtherChannel capabilities. To configure a Cisco Catalyst switch to interoperate with a 3Com WX switch, use the following command on the Catalyst switch:
set port channel port-list mode on

Configuring and Managing VLANs

Understanding VLANs in 3Com MSS
The CLI commands in this chapter configure VLANs on WX switch network ports. The commands do not configure VLAN membership for wireless or wired authentication users. To assign a user to a VLAN, configure the RADIUS Tunnel-Private-Group-ID attribute or the VLAN-Name vendor specific attribute (VSA) for that user. (For more information, see Chapter 21, “Configuring AAA for Network Users,” on page 433.)
A virtual LAN (VLAN) is a Layer 2 broadcast domain that can span multiple wired or wireless LAN segments. Each VLAN is a separate logical network and, if you configure IP interfaces on the VLANs, MSS treats each VLAN as a separate IP subnet.
Only network ports can be preconfigured to be members of one or more VLAN(s). You configure VLANs on a WX switch’s network ports by configuring them on the switch itself. You configure a VLAN by assigning a name and network ports to the VLAN. Optionally, you can assign VLAN tag values on individual network ports. You can configure multiple VLANs on a WX switch’s network ports. Optionally, each VLAN can have an IP address.
88 CHAPTER 5: CONFIGURING AND MANAGING PORTS AND VLANS
VLANs are not configured on MAP access ports or wired authentication ports, because the VLAN membership of these types of ports is determined dynamically through the authentication and authorization process. Users who require authentication connect through WX switch ports that are configured for MAPs or wired authentication access. Users are assigned to VLANs automatically through authentication and authorization mechanisms such as 802.1X.
By default, none of a WX switch’s ports are in VLANs. A switch cannot forward traffic on the network until you configure VLANs and add network ports to those VLANs.
A wireless client cannot join a VLAN if the physical network ports on the WX switch in the VLAN are down. However, a wireless client that is already in a VLAN whose physical network ports go down remains in the VLAN even though the VLAN is down.
VLANs, IP Subnets, and IP Addressing
Generally, VLANs are equivalent to IP subnets. If a WX switch is connected to the network by only one IP subnet, the switch must have at least one VLAN configured. Optionally, each VLAN can have its own IP address. However, no two IP addresses on the switch can belong to the same IP subnet.
You must assign the system IP address to one of the VLANs, for communications between WX switches and for unsolicited communications such as SNMP traps and RADIUS accounting messages. Any IP address configured on a WX switch can be used for management access unless explicitly restricted. (For more information about the system IP address, see Chapter 6, “Configuring and Managing IP Interfaces and Services,” on page 103.)
Users and VLANs
When a user successfully authenticates to the network, the user is assigned to a specific VLAN. A user remains associated with the same VLAN throughout the user’s session on the network, even when roaming from one WX switch to another within the Mobility Domain.
You assign a user to a VLAN by setting one of the following attributes on the RADIUS servers or in the local user database:
Tunnel-Private-Group-ID — This attribute is described in RFC 2868, RADIUS Attributes for Tunnel Protocol Support.
VLAN-Name — This attribute is a 3Com vendor-specific attribute (VSA).
You cannot configure the Tunnel-Private-Group-ID attribute in the local user database.
Specify the VLAN name, not the VLAN number. The examples in this chapter assume the VLAN is assigned on a RADIUS server with either of the valid attributes. (For more information, see Chapter 21, “Configuring AAA for Network Users,” on page 433.)
VLAN Names
To create a VLAN, you must assign a name to it. VLAN names must be globally unique across a Mobility Domain to ensure the intended user connectivity as determined through authentication and authorization.
Every VLAN on a WX switch has both a VLAN name, used for authorization purposes, and a VLAN number. VLAN numbers are local to each WX switch (the same VLAN name can have a different number on each switch) and are not related to 802.1Q tag values.
You cannot use a number as the first character in a VLAN name.
Roaming and VLANs
WX switches in a Mobility Domain contain a user’s traffic within the VLAN that the user is assigned to. For example, if you assign a user to VLAN red, the WX switches in the Mobility Domain contain the user’s traffic within VLAN red configured on the switches.
The WX switch through which a user is authenticated is not required to be a member of the VLAN the user is assigned to. You are not required to configure the VLAN on all WX switches in the Mobility Domain. When a user roams to a switch that is not a member of the VLAN the user is assigned to, the switch can tunnel traffic for the user through another switch that is a member of the VLAN. The traffic can be of any protocol type. (For more information about Mobility Domains, see Chapter 8, “Configuring and Managing Mobility Domain Roaming,” on page 153.)
Because the default VLAN (VLAN 1) might not be in the same subnet on each switch, 3Com recommends that you do not rename the default VLAN or use it for user traffic. Instead, configure other VLANs for user traffic.
Traffic Forwarding
A WX switch switches traffic at Layer 2 among ports in the same VLAN. For example, suppose you configure ports 4 and 5 to belong to VLAN 2 and ports 6 and 7 to belong to VLAN 3. As a result, traffic between port 4 and port 5 is switched, but traffic between port 4 and port 6 is not switched and needs to be routed by an external router.
802.1Q Tagging
The tagging capabilities of the WX switch are very flexible. You can assign 802.1Q tag values on a per-VLAN, per-port basis. The same VLAN can have different tag values on different ports. In addition, the same tag value can be used by different VLANs but on different network ports.
If you use a tag value, 3Com recommends that you use the same value as the VLAN number. MSS does not require the VLAN number and tag value to be the same, but some other devices do.
Do not assign the same VLAN multiple times using different tag values to the same network port. Although MSS does not prohibit you from doing so, the configuration is not supported.
MSS automatically assigns tag values to Distributed MAPs. Each of these tag values represents a unique combination of radio, encryption type, and VLAN. These tag values do not necessarily correspond to tag values you configure on the VLAN ports through which the Distributed MAP is connected to the WX.
Tunnel Affinity
WX switches configured as a Mobility Domain allow users to roam seamlessly across MAPs and even across WX switches. Although a switch that is not a member of a user’s VLAN cannot directly forward traffic for the user, the switch can tunnel the traffic to another WX switch that is a member of the user’s VLAN.
If the WX switch that is not in the user’s VLAN has a choice of more than one other WX switch through which to tunnel the user’s traffic, the switch selects the other switch based on an affinity value. This is a numeric value that each WX switch within a Mobility Domain advertises, for each of its VLANs, to all other switches in the Mobility Domain. A switch outside the user’s VLAN selects the other operational switch that has the highest affinity value for the user’s VLAN to forward traffic for the user.
If more than one WX switch has the highest affinity value, MSS randomly selects one of the switches for the tunnel.

Configuring a VLAN
You can configure the following VLAN parameters:
VLAN number
VLAN name
Port list (the ports in the VLAN)
Per-port tag value (an 802.1Q value representing a virtual port in the VLAN)
Tunnel affinity (a value that influences tunneling connections for roaming)
MAC restriction list (if you want to prevent clients from communicating with one another directly at Layer 2)
Creating a VLAN
To create a VLAN, use the following command:
set vlan vlan-num name name
Specify a VLAN number from 2 to 4093, and specify a name up to 16 alphabetic characters long.
You cannot use a number as the first character in a VLAN name. 3Com recommends that you do not use the same name with different capitalizations for VLANs or ACLs. For example, do not configure two separate VLANs with the names red and RED.
3Com recommends that you do not use the name default. This name is already used for VLAN 1. 3Com also recommends that you do not rename the default VLAN.
You must assign a name to a VLAN before you can add ports to the VLAN. You can configure the name and add ports with a single set vlan command or separate set vlan commands.
Once you assign a VLAN number to a VLAN, you cannot change the number. However, you can change a VLAN’s name.
For example, to assign the name red to VLAN 2, type the following command:
WX1200# set vlan 2 name red
After you create a VLAN, you can use the VLAN number or the VLAN name in commands. In addition, the VLAN name appears in CLI and 3Com Wireless Switch Manager displays.
Adding Ports to a VLAN
To add a port to a VLAN, use the following command:
set vlan vlan-id port port-list [tag tag-value]
You can specify a tag value from 1 through 4093.
MSS does not remove a port from other VLANs when you add the port to a new VLAN. If a new VLAN causes a configuration conflict with an older VLAN, remove the port from the older VLAN before adding the port to the new VLAN.
For example, to add ports 3 through 6 and port 8 to VLAN red, type the following command:
WX1200# set vlan red port 3-6,8
success: change accepted.
Optionally, you also can specify a tag value to be used on trunked 802.1Q ports.
To assign the name marigold to VLAN 4, add ports 1 through 4 and port 6, and assign tag value 11 to port 6, type the following commands:
WX1200# set vlan 4 name marigold port 1-4
success: change accepted.
WX1200# set vlan 4 name marigold port 6 tag 11
success: change accepted.
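The naming, numbering and tagging rules in this section and in “802.1Q Tagging” are easy to violate when many VLANs are provisioned at once. The following Python lint is an added example, not part of the guide or of MSS: it checks a planned configuration against those rules, and it treats the same tag value on the same port for two different VLANs as a conflict, because the guide allows a shared tag value only on different network ports. The sample configuration is constructed.

```python
from collections import defaultdict


def lint_vlan_config(vlans):
    """Check planned VLANs, each {"num": int, "name": str, "ports": [(port, tag or None), ...]},
    against the rules in this chapter and return (severity, message) tuples.
    The default VLAN (VLAN 1) is not expected in the list."""
    findings = []
    names_seen = {}     # lowercase name -> name as configured
    tag_owner = {}      # (port, tag) -> VLAN already using that tag on that port
    for v in vlans:
        num, name = v["num"], v["name"]
        if not 2 <= num <= 4093:
            findings.append(("error", f"{name}: VLAN number {num} is outside 2 through 4093"))
        if name[:1].isdigit():
            findings.append(("error", f"{name}: a VLAN name cannot start with a number"))
        if len(name) > 16:
            findings.append(("error", f"{name}: VLAN names are at most 16 characters long"))
        if name == "default":
            findings.append(("error", f"{name}: this name is already used by VLAN 1"))
        key = name.lower()
        if key in names_seen and names_seen[key] == name:
            findings.append(("error", f"{name}: duplicate VLAN name"))
        elif key in names_seen:
            findings.append(("warn", f"{name}: differs only in case from VLAN {names_seen[key]}"))
        names_seen.setdefault(key, name)
        tags_on_port = defaultdict(set)
        for port, tag in v["ports"]:
            tags_on_port[port].add(tag)
            if tag is None:
                continue        # untagged membership: nothing more to check
            if not 1 <= tag <= 4093:
                findings.append(("error", f"{name}: tag {tag} on port {port} is outside 1 through 4093"))
            elif tag != num:
                findings.append(("warn", f"{name}: tag {tag} on port {port} differs from VLAN number {num}"))
            owner = tag_owner.setdefault((port, tag), name)
            if owner != name:
                findings.append(("error", f"{name}: tag {tag} on port {port} is already used by VLAN {owner}"))
        for port, tags in tags_on_port.items():
            if len(tags) > 1:
                findings.append(("error", f"{name}: on port {port} with more than one tag value (unsupported)"))
    return findings


# Constructed input: the chapter's red and marigold VLANs plus three deliberately flawed ones.
SAMPLE_CONFIG = [
    {"num": 2, "name": "red", "ports": [(3, None), (4, None), (5, None), (6, None), (8, None)]},
    {"num": 4, "name": "marigold", "ports": [(1, None), (2, None), (3, None), (4, None), (6, 11)]},
    {"num": 5, "name": "RED", "ports": [(7, 11), (7, 5)]},
    {"num": 4094, "name": "1guest", "ports": [(8, 5)]},
    {"num": 6, "name": "default", "ports": [(6, 11)]},
]
```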
Removing an Entire VLAN or a VLAN Port
To remove an entire VLAN or a specific port and tag value from a VLAN, use the following command:
clear vlan vlan-id [port port-list [tag tag-value]]
CAUTION: When you remove a VLAN, MSS completely removes the VLAN from the configuration and also removes all configuration information that uses the VLAN. If you want to remove only a specific port from the VLAN, make sure you specify the port number in the command.
The clear vlan command with a VLAN ID but without a port list or tag value clears all ports and tag values from the VLAN.
To remove port 3 from VLAN red, type the following command:
WX1200# clear vlan red port 3
This may disrupt user connectivity. Do you wish to continue? (y/n) [n]y
success: change accepted.
To clear port 6, which uses tag value 11, from VLAN marigold, type the following command:
WX1200# clear vlan marigold port 6 tag 11
This may disrupt user connectivity. Do you wish to continue? (y/n) [n]y
success: change accepted.
To completely remove VLAN ecru, type the following command:
WX1200# clear vlan ecru
This may disrupt user connectivity. Do you wish to continue? (y/n) [n]y
success: change accepted.
You cannot remove the default VLAN (VLAN 1). However, you can add ports to it and remove ports from it. You can also rename the default VLAN, but 3Com recommends against it.
Changing Tunneling Affinity
To change the tunneling affinity, use the following command:
set vlan vlan-id tunnel-affinity num
Specify a value from 1 through 10. The default is 5.
Restricting Layer 2 Forwarding Among Clients
By default, clients within a VLAN are able to communicate with one another directly at Layer 2. You can enhance network security by restricting Layer 2 forwarding among clients in the same VLAN. When you restrict Layer 2 forwarding in a VLAN, MSS allows Layer 2 forwarding only between a client and a set of MAC addresses, generally the VLAN’s default routers. Clients within the VLAN are not permitted to communicate among themselves directly. To communicate with another client, the client must use one of the specified gateway routers.
For networks with IP-only clients, you can restrict client-to-client forwarding using ACLs. (See “Restricting Client-To-Client Forwarding Among IP-Only Clients” on page 409.)
To restrict Layer 2 forwarding in a VLAN, use the following command:
set security l2-restrict vlan vlan-id [mode {enable | disable}] [permit-mac mac-addr [mac-addr]]
You can specify multiple addresses by listing them on the same command line or by entering multiple commands.
Restriction of client traffic does not begin until you enable the permitted MAC list. Use the mode enable option with this command.
To change a MAC address, use the clear security l2-restrict command to remove it, then use the set security l2-restrict command to add the correct address.
clear security l2-restrict vlan vlan-id [permit-mac mac-addr [mac-addr] | all]
There can be a slight delay before functions such as pinging between clients become available again after Layer 2 restrictions are lifted. Even though packets are passed immediately once Layer 2 restrictions are gone, it can take 10 seconds or more for upper-layer protocols to update their ARP caches and regain their functionality.
To display configuration information and statistics for Layer 2 forwarding restriction, use the following command:
display security l2-restrict [vlan vlan-id | all]
The following commands restrict Layer 2 forwarding of client data in VLAN abc_air to the default routers with MAC address aa:bb:cc:dd:ee:ff and 11:22:33:44:55:66, and display restriction information and statistics:
WX1200# set security l2-restrict vlan abc_air mode enable permit-mac aa:bb:cc:dd:ee:ff 11:22:33:44:55:66
success: change accepted.
WX1200# display security l2-restrict
VLAN Name         En  Drops       Permit MAC           Hits
---- ------------ --  ----------  -------------------  ----------
   1 abc_air      Y   0           aa:bb:cc:dd:ee:ff    5947
                                  11:22:33:44:55:66    9
The En field indicates whether restriction is enabled. The Drops field indicates how many packets were addressed directly from one client to another and dropped by MSS. The Hits field indicates how many packets the permitted default router has received from clients.
To reset the statistics counters, use the following command:
clear security l2-restrict counters [vlan vlan-id | all]
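The forwarding rule described above (client-to-router traffic allowed, client-to-client traffic dropped, with the Drops and Hits counters of display security l2-restrict) as an added Python model; this is not code from the guide or from MSS, and the replayed traffic is constructed. The guide does not say how MSS treats broadcast and multicast frames once the restriction is enabled, so the model lets them through and marks that choice as an assumption.

```python
def is_group_addr(mac):
    # Multicast and broadcast MACs have the I/G bit (low bit of the first byte) set.
    return int(mac.split(":")[0], 16) & 1 == 1


class L2Restrict:
    """Per-VLAN model of 'set security l2-restrict': once enabled, a frame is switched
    only between a client and a permitted MAC (the VLAN's default routers);
    client-to-client frames are dropped and counted, mirroring the Drops/Hits fields."""

    def __init__(self, vlan):
        self.vlan = vlan
        self.enabled = False
        self.hits = {}     # permitted MAC -> frames it received from clients
        self.drops = 0     # client-to-client frames dropped

    def set_restrict(self, mode=None, permit_mac=()):
        # set security l2-restrict vlan <vlan> [mode {enable | disable}] [permit-mac ...]
        if mode is not None:
            self.enabled = (mode == "enable")
        for mac in permit_mac:
            self.hits.setdefault(mac.lower(), 0)

    def clear_restrict(self, permit_mac=(), all_macs=False):
        # clear security l2-restrict vlan <vlan> [permit-mac ... | all]
        for mac in (list(self.hits) if all_macs else permit_mac):
            self.hits.pop(mac.lower(), None)

    def clear_counters(self):
        # clear security l2-restrict counters vlan <vlan>
        self.drops = 0
        self.hits = dict.fromkeys(self.hits, 0)

    def forward(self, src, dst):
        """Return True if the frame may be switched at Layer 2 within this VLAN."""
        src, dst = src.lower(), dst.lower()
        if not self.enabled:
            return True                 # permit list present but not enabled: no restriction yet
        if dst in self.hits:
            self.hits[dst] += 1         # client -> default router
            return True
        if src in self.hits or is_group_addr(dst):
            # router -> client is allowed; ASSUMPTION: group-addressed frames (e.g. ARP
            # requests for the gateway) are let through, the guide does not describe them
            return True
        self.drops += 1                 # client -> client: blocked
        return False

    def display(self):
        # Rows in the shape of 'display security l2-restrict': (VLAN, En, Drops, Permit MAC, Hits)
        en = "Y" if self.enabled else "N"
        return [(self.vlan, en, self.drops, mac, hits) for mac, hits in self.hits.items()]


# Constructed traffic: two clients and the two default routers from this chapter's example.
ROUTER1, ROUTER2 = "aa:bb:cc:dd:ee:ff", "11:22:33:44:55:66"
CLIENT_A, CLIENT_B = "00:01:97:13:0b:1f", "00:0b:0e:02:76:f5"
FRAMES = [(CLIENT_A, ROUTER1), (CLIENT_A, ROUTER1), (CLIENT_B, ROUTER2),
          (CLIENT_A, CLIENT_B), (CLIENT_B, CLIENT_A), (CLIENT_A, CLIENT_B),
          (ROUTER1, CLIENT_A), (CLIENT_A, "ff:ff:ff:ff:ff:ff")]


def run_example():
    """Enable restriction for VLAN abc_air and replay the constructed frames."""
    r = L2Restrict("abc_air")
    r.set_restrict(mode="enable", permit_mac=[ROUTER1, ROUTER2])
    decisions = [r.forward(src, dst) for src, dst in FRAMES]
    return r, decisions
```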
Displaying VLAN Information
To display VLAN configuration information, use the following command:
display vlan config [vlan-id]
To display information for VLAN burgundy, type the following command:
WX1200# display vlan config burgundy
                      Admin   VLAN   Tunl                            Port
VLAN Name             Status  State  Affin  Port              Tag    State
---- ---------------- ------  -----  -----  ----------------  -----  -----
   2 burgundy         Up      Up         5  2                 none   Up
                                            3                 none   Up
                                            4                 none   Up
                                            6                 none   Up
4094 web-aaa          Up      Up         0  2                 4094   Up
The display can include MAP access ports and wired authentication ports, because MSS dynamically adds these ports to a VLAN when handling user traffic for the VLAN.
(For information about the fields in the output, see the Wireless LAN Switch and Controller Command Reference.)

Managing the Layer 2 Forwarding Database

A WX switch uses a Layer 2 forwarding database (FDB) to forward traffic within a VLAN. The entries in the forwarding database map MAC addresses to the physical or virtual ports connected to those MAC addresses within a particular VLAN. To forward a packet to another device in a VLAN, the WX switch searches the forwarding database for the packet’s destination MAC address, then forwards the packet out the port associated with the MAC address.
Types of Forwarding Database Entries
The forwarding database can contain the following types of entries:
Dynamic — A dynamic entry is a temporary entry that remains in the database only until the entry is no longer used. By default, a dynamic entry ages out if it remains unused for 300 seconds (5 minutes). All dynamic entries are removed if the WX switch is powered down or rebooted.
Static — A static entry does not age out, regardless of how often the entry is used. However, like dynamic entries, static entries are removed if the WX switch is powered down or rebooted.
Permanent — A permanent entry does not age out, regardless of how often the entry is used. In addition, a permanent entry remains in the forwarding database even following a reboot or power cycle.
How Entries Enter the Forwarding Database
An entry enters the forwarding database in one of the following ways:
Learned from traffic received by the WX switch — When the WX switch receives a packet, the switch adds the packet’s source MAC address to the forwarding database if the database does not already contain an entry for that MAC address.
Added by the system administrator — You can add static and permanent unicast entries to the forwarding database. (You cannot add a multicast or broadcast address as a permanent or static forwarding database entry.)
Added by the WX switch itself — For example, the authentication protocols can add entries for wired and wireless authentication users. The WX switch also adds any static entries added by the system administrator and saved in the configuration file.
Displaying Forwarding Database Information
You can display the forwarding database size and the entries contained in the database.
Displaying the Size of the Forwarding Database
To display the number of entries contained in the forwarding database, use the following command:
display fdb count {perm | static | dynamic} [vlan vlan-id]
For example, to display the number of dynamic entries that the forwarding database contains, type the following command:
WX1200# display fdb count dynamic
Total Matching Entries = 2
Displaying Forwarding Database Entries
To display the entries in the forwarding database, use either of the following commands:
display fdb [mac-addr-glob [vlan vlan-id]]
display fdb {perm | static | dynamic | system | all} [port port-list | vlan vlan-id]
The mac-addr-glob parameter can be an individual address, or a portion of an address with the asterisk (*) wildcard character representing from 1 to 5 bytes. The wildcard allows the parameter to indicate a list of MAC addresses that match all the characters except the asterisk.
Use a colon between each byte in the address (for example, 11:22:33:aa:bb:cc or 11:22:33:*). You can enter the asterisk (*) at the beginning or end of the address as a wildcard, on any byte boundary.
To display all entries in the forwarding database, type the following command:
WX1200# display fdb all
 * = Static Entry. + = Permanent Entry. # = System Entry.
VLAN  TAG  Dest MAC/Route Des  [CoS]  Destination Ports [Protocol Type]
----  ---  ------------------  -----  -----------------------------------------
   1       00:01:97:13:0b:1f          1 [ALL]
   1       aa:bb:cc:dd:ee:ff *        3 [ALL]
   1       00:0b:0e:02:76:f5          1 [ALL]
Total Matching FDB Entries Displayed = 3
To display all entries that begin with 00, type the following command:
WX1200# display fdb 00:*
 * = Static Entry. + = Permanent Entry. # = System Entry.
VLAN  TAG  Dest MAC/Route Des  [CoS]  Destination Ports [Protocol Type]
----  ---  ------------------  -----  -----------------------------------------
   1       00:01:97:13:0b:1f          1 [ALL]
   1       00:0b:0e:02:76:f5          1 [ALL]
Total Matching FDB Entries Displayed = 2
(For information about the fields in the output, see the Wireless LAN Switch and Controller Command Reference.)
Adding an Entry to the Forwarding Database
To add an entry to the forwarding database, use the following command:
set fdb {perm | static} mac-addr port port-list vlan vlan-id [tag tag-value]
To add a permanent entry for MAC address 00:bb:cc:dd:ee:ff on ports 3 and 5 in VLAN blue, type the following command:
WX1200# set fdb perm 00:bb:cc:dd:ee:ff port 3,5 vlan blue
success: change accepted.
To add a static entry for MAC address 00:2b:3c:4d:5e:6f on port 1 in the default VLAN, type the following command:
WX1200# set fdb static 00:2b:3c:4d:5e:6f port 1 vlan default
success: change accepted.
Removing Entries from the Forwarding Database
To remove an entry from the forwarding database, use the following command:
clear fdb {perm | static | dynamic | port port-list} [vlan vlan-id] [tag tag-value]
To clear all dynamic forwarding database entries that match all VLANs, type the following command:
WX1200# clear fdb dynamic
success: change accepted.
To clear all dynamic forwarding database entries that match ports 3 and 5, type the following command:
WX1200# clear fdb port 3,5
success: change accepted.
Configuring the Aging Timeout Period
The aging timeout period specifies how long a dynamic entry can remain unused before the software removes the entry from the database.
You can change the aging timeout period on an individual VLAN basis. You can change the timeout period to a value from 0 through 1,000,000 seconds. The default aging timeout period is 300 seconds (5 minutes). If you change the timeout period to 0, aging is disabled.
Displaying the Aging Timeout Period
To display the current setting of the aging timeout period, use the following command:
display fdb agingtime [vlan vlan-id]
For example, to display the aging timeout period for all configured VLANs, type the following command:
WX1200# display fdb agingtime
VLAN 2 aging time = 300 sec
VLAN 1 aging time = 300 sec
Changing the Aging Timeout Period
To change the aging timeout period, use the following command:
set fdb agingtime vlan-id age seconds
For example, to set the aging timeout period for VLAN 2 to 600 seconds, type the following command:
WX1200# set fdb agingtime 2 age 600
success: change accepted.
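To make the three entry types, source learning with per-VLAN aging, and the mac-addr-glob matching of display fdb concrete, here is an added Python model that is not part of the guide or of MSS. It replays the addresses from the set fdb examples above as constructed input; the glob matcher accepts the forms the guide describes (a full address, or an asterisk standing for 1 to 5 whole bytes at the start or end), and age 0 disables aging as the text states.

```python
def is_group_addr(mac):
    # Multicast and broadcast MACs have the I/G bit (low bit of the first byte) set.
    return int(mac.split(":")[0], 16) & 1 == 1

def mac_glob_match(glob, mac):
    """Match a MAC against a display fdb mac-addr-glob: a full address, or a
    prefix/suffix in which '*' stands for 1 to 5 whole bytes (11:22:33:*, *:bb:cc)."""
    mac_bytes = mac.lower().split(":")
    if "*" not in glob:
        return glob.lower().split(":") == mac_bytes
    if glob.startswith("*:"):
        fixed = glob[2:].lower().split(":")
        return 1 <= len(fixed) <= 5 and mac_bytes[-len(fixed):] == fixed
    if glob.endswith(":*"):
        fixed = glob[:-2].lower().split(":")
        return 1 <= len(fixed) <= 5 and mac_bytes[:len(fixed)] == fixed
    raise ValueError("'*' must be at the beginning or end of the address, on a byte boundary")

class ForwardingDatabase:
    """Dynamic, static and permanent entries keyed by (vlan, mac); aging applies to dynamic only."""
    DEFAULT_AGING = 300     # seconds; 0 disables aging

    def __init__(self):
        self.entries = {}   # (vlan, mac) -> {"kind", "ports", "last_used"}
        self.aging = {}     # vlan -> seconds, from set fdb agingtime

    def set_agingtime(self, vlan, seconds):
        self.aging[vlan] = seconds      # valid range per the guide: 0 through 1,000,000

    def add(self, kind, mac, ports, vlan):
        # set fdb {perm | static}: administrator entries are unicast and never age out
        if kind not in ("perm", "static") or is_group_addr(mac):
            raise ValueError("only unicast perm/static entries can be added by hand")
        self.entries[(vlan, mac.lower())] = {"kind": kind, "ports": set(ports), "last_used": None}

    def learn(self, vlan, src_mac, port, now):
        # Source learning: a received frame adds a dynamic entry if the MAC is unknown.
        key = (vlan, src_mac.lower())
        entry = self.entries.setdefault(key, {"kind": "dynamic", "ports": {port}, "last_used": now})
        if entry["kind"] == "dynamic":
            entry["last_used"] = now

    def lookup(self, vlan, dst_mac, now):
        # Egress ports for a destination, or None when the frame must be flooded in the VLAN.
        entry = self.entries.get((vlan, dst_mac.lower()))
        if entry and entry["kind"] == "dynamic":
            entry["last_used"] = now        # use restarts the aging clock
        return entry["ports"] if entry else None

    def age(self, now):
        # Expire dynamic entries idle longer than their VLAN's aging timeout.
        for key, entry in list(self.entries.items()):
            timeout = self.aging.get(key[0], self.DEFAULT_AGING)
            if entry["kind"] == "dynamic" and timeout and now - entry["last_used"] > timeout:
                del self.entries[key]

    def reboot(self):
        # Dynamic and static entries are lost on reboot; permanent ones survive.
        self.entries = {k: e for k, e in self.entries.items() if e["kind"] == "perm"}

    def display(self, glob=None):
        # display fdb [mac-addr-glob]: sorted (vlan, mac, ports, kind) rows
        return sorted((v, m, sorted(e["ports"]), e["kind"]) for (v, m), e in self.entries.items()
                      if glob is None or mac_glob_match(glob, m))

def demo():
    # Constructed walkthrough using the addresses from this chapter's set fdb examples.
    fdb = ForwardingDatabase()
    fdb.add("perm", "00:bb:cc:dd:ee:ff", [3, 5], "blue")
    fdb.add("static", "00:2b:3c:4d:5e:6f", [1], "default")
    fdb.set_agingtime("default", 600)
    fdb.learn("default", "00:01:97:13:0b:1f", 1, now=0)    # constructed client frames
    fdb.learn("blue", "00:0b:0e:02:76:f5", 4, now=0)
    fdb.age(now=301)        # blue keeps the 300 s default, so its dynamic entry expires
    return fdb
```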
Port and VLAN Configuration Scenario
This scenario assigns names to ports, and configures MAP access ports, wired authentication ports, a load-sharing port group, and VLANs.
1 Assign names to ports to identify their functions, and verify the configuration change. Type the following commands:
WX1200# set port 1 name mgmt
success: change accepted.
WX1200# set port 2 name finance
success: change accepted.
WX1200# set port 3 name accounting
success: change accepted.
WX1200# set port 4 name shipping
success: change accepted.
WX1200# set port 5-6 name lobby
success: change accepted.
WX1200# set port 7-8 name conf_room1
success: change accepted.
WX1200# display port status
Port  Name        Admin  Oper  Config  Actual    Type     Media
===============================================================================
   1  mgmt        up     up    auto    100/full  network  10/100BaseTx
   2  finance     up     down  auto              network  10/100BaseTx
   3  accounting  up     down  auto              network  10/100BaseTx
   4  shipping    up     down  auto              network  10/100BaseTx
   5  lobby       up     down  auto              network  10/100BaseTx
   6  lobby       up     down  auto              network  10/100BaseTx
   7  conf_room1  up     down  auto              network  10/100BaseTx
   8  conf_room1  up     down  auto              network  10/100BaseTx
2 Configure the country code for operation in the US and verify the configuration change. Type the following commands:
WX1200# set system countrycode US
success: change accepted.
WX1200# display system
===============================================================================
Product Name:         WX1200
System Name:          WX1200
System Countrycode:   US
System Location:
System Contact:
System IP:            0.0.0.0
System idle timeout:  3600
System MAC:           00:0B:0E:00:04:0C